This chapter covers how to configure the Sun Java System Directory Server and the Solaris Management Console for use with Solaris Trusted Extensions. The Directory Server provides LDAP services. LDAP is the supported naming service for Trusted Extensions. The Solaris Management Console is the administrative GUI for local and LDAP databases.You have two options when configuring the Directory Server. You can configure an LDAP server on a Trusted Extensions system, or you can use an existing server and connect to it by using a Trusted Extensions proxy server. Follow the instructions in one of the following task maps:Configuring an LDAP Server on a Trusted Extensions Host (Task Map) Configuring an LDAP Proxy Server on a Trusted Extensions Host (Task Map) tasks and task mapsConfiguring an LDAP Server on a Trusted Extensions Host (Task Map) Configuring an LDAP Server on a Trusted Extensions Host (Task Map) Task Description For Instructions Set up a Trusted Extensions LDAP server. If you do not have an existing Sun Java System Directory Server, make your first Trusted Extensions system the Directory Server. The other Trusted Extensions systems are clients of this server. Collect Information for the Directory Server for LDAPInstall the Sun Java System Directory ServerConfigure the Logs for the Sun Java System Directory Server Add Trusted Extensions databases to the server. Populate the LDAP server with data from the Trusted Extensions system files. Populate the Sun Java System Directory Server Configure the Solaris Management Console to work with the Directory Server. Manually set up an LDAP toolbox for the Solaris Management Console. The toolbox can be used to modify Trusted Extensions attributes on network objects. Configuring the Solaris Management Console for LDAP (Task Map) Configure all other Trusted Extensions systems as clients of this server. When you configure another system with Trusted Extensions, make the system a client of this LDAP server. Make the Global Zone an LDAP Client in Trusted Extensions tasks and task mapsConfiguring an LDAP Proxy Server on a Trusted Extensions Host (Task Map) Configuring an LDAP Proxy Server on a Trusted Extensions Host (Task Map) Use this task map if you have an existing Sun Java System Directory Server that is running on a Solaris system.Task Description For Instructions Add Trusted Extensions databases to the server. The Trusted Extensions network databases, tnrhdb and tnrhtp, need to be added to the LDAP server. Populate the Sun Java System Directory Server Set up an LDAP proxy server. Make one Trusted Extensions system the proxy server for the other Trusted Extensions systems. The other Trusted Extensions systems use this proxy server to reach the LDAP server. Create an LDAP Proxy Server Configure the proxy server to have a multilevel port for LDAP. Enable the Trusted Extensions proxy server to communicate with the LDAP server at specific labels. Configure a Multilevel Port for the Sun Java System Directory Server Configure the Solaris Management Console to work with the LDAP proxy server. You manually set up an LDAP toolbox for the Solaris Management Console. The toolbox can be used to modify Trusted Extensions attributes on network objects. Configuring the Solaris Management Console for LDAP (Task Map) Configure all other Trusted Extensions systems as clients of the LDAP proxy server. When you configure another system with Trusted Extensions, make the system a client of the LDAP proxy server. Make the Global Zone an LDAP Client in Trusted Extensions Sun Java System Directory ServerLDAP server installingSun Java System Directory Server Trusted Extensions configurationLDAP LDAP configurationfor Trusted Extensions configuringLDAP for Trusted Extensions Trusted Extensions configurationdatabases for LDAP The LDAP naming service is the supported naming service for Trusted Extensions. If your site is not yet running the LDAP naming service, configure a Sun Java System Directory Server (Directory Server) on a system that is configured with Trusted Extensions. If your site is already running a Directory Server, then you need to add the Trusted Extensions databases to the server. To access the Directory Server, you then set up an LDAP proxy on a Trusted Extensions system.If you do not use this LDAP server as an NFS server or as a server for Sun Ray clients, then you do not need to install any labeled zones on this server. LDAP servercollecting information for collecting informationfor LDAP service Determine the values for the following items.The items are listed in the order of their appearance in the Sun Java Enterprise System Install Wizard.Install Wizard Prompt Action or Information Sun Java System Directory Server version Administrator User ID The default value is admin. Administrator Password Create a password, such as admin123. Directory Manager DN The default value is cn=Directory Manager. Directory Manager Password Create a password, such as dirmgr89. Directory Server Root The default value is /var/Sun/mps. This path is also used later if the proxy software is installed. Server Identifier The default value is the local system. Server Port If you plan to use the Directory Server to provide standard LDAP naming services to client systems, use the default value, 389.If you plan to use the Directory Server to support a subsequent installation of a proxy server, enter a nonstandard port, such as 10389. Suffix Include your domain component, as in dc=example-domain,dc=com. Administration Domain Construct to correspond to the Suffix, as in, example-domain.com. System User The default value is root. System Group The default value is root. Data Storage Location The default value is Store configuration data on this server. Data Storage Location The default value is Store user data and group data on this server. Administration Port The default value is the Server Port. A suggested convention for changing the default is software-version TIMES 1000. For software version 5.2, this convention would result in port 5200. LDAP serverinstalling in Trusted Extensions LDAP serverconfiguring naming service The Directory Server packages are available from the Sun Software Gateway web site. Find the Sun Java System Directory Server packages on the Sun web site.On the Sun Software Gateway page, click the Get It tab. Click the checkbox for the Sun Java Identity Management Suite. Click the Submit button. If you are not registered, register. Log in to download the software. Click the Download Center at the upper left of the screen. Under Identity Management, download the most recent software that is appropriate for your platform. In the /etc/hosts file, add the FQDN to your system's hostname entry.The FQDN is the Fully Qualified Domain Name. This name is a combination of the host name and the administration domain, as in:192.168.5.5 myhost myhost.example-domain.com Install the Directory Server packages.Answer the questions by using the information from Collect Information for the Directory Server for LDAP. Ensure that the Directory Server starts at every boot.service management framework (SMF)dsadmdsadm serviceenablingdsadm serviceTemplates for the SMF services for the Directory Server are in the Sun Java System Directory Server packages. For a Trusted Extensions Directory Server, enable the service.# dsadm stop /export/home/ds/instances/your-instance # dsadm enable-service -T SMF /export/home/ds/instances/your-instance # dsadm start /export/home/ds/instances/your-instanceFor information about the dsadm command, see the dsadm(1M) man page. service management framework (SMF)dpadmdpadm serviceenablingdpadm serviceFor a proxy Directory Server, enable the service.# dpadm stop /export/home/ds/instances/your-instance # dpadm enable-service -T SMF /export/home/ds/instances/your-instance # dpadm start /export/home/ds/instances/your-instanceFor information about the dpadm command, see the dpadm(1M) man page. Verify your installation.# dsadm info /export/home/ds/instances/your-instance Instance Path: /export/home/ds/instances/your-instance Owner: root(root) Non-secure port: 389 Secure port: 636 Bit format: 32-bit State: Running Server PID: 298 DSCC url: - SMF application name: ds--export-home-ds-instances-your-instance Instance version: D-A00 For strategies to solve LDAP configuration problems, see Chapter 13, LDAP Troubleshooting (Reference), in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP). LDAP serverprotecting log files log filesprotecting Directory Server logs This procedure configures three types of logs: access logs, audit logs, and error logs. The following default settings are not changed:All logs are enabled and buffered. Logs are placed in the appropriate /export/home/ds/instances/your-instance/logs/LOG_TYPE directory. Events are logged at log level 256. Logs are protected with 600 file permissions. Access logs are rotated daily. Error logs are rotated weekly. The settings in this procedure meet the following requirements:Audit logs are rotated daily. Log files that are older than 3 months expire. All log files use a maximum of 20,000 MBytes of disk space. A maximum of 100 log files is kept, and each file is at most 500 MBytes. The oldest logs are deleted if less than 500 MBytes free disk space is available. Additional information is collected in the error logs. Configure the access logs.The LOG_TYPE for access is ACCESS. The syntax for configuring logs is the following:dsconf set-log-prop LOG_TYPE property:value# dsconf set-log-prop ACCESS max-age:3M # dsconf set-log-prop ACCESS max-disk-space-size:20000M # dsconf set-log-prop ACCESS max-file-count:100 # dsconf set-log-prop ACCESS max-size:500M # dsconf set-log-prop ACCESS min-free-disk-space:500M Configure the audit logs.# dsconf set-log-prop AUDIT max-age:3M # dsconf set-log-prop AUDIT max-disk-space-size:20000M # dsconf set-log-prop AUDIT max-file-count:100 # dsconf set-log-prop AUDIT max-size:500M # dsconf set-log-prop AUDIT min-free-disk-space:500M # dsconf set-log-prop AUDIT rotation-interval:1dBy default, the rotation interval for audit logs is one week. Configure the error logs.In this configuration, you specify additional data to be collected in the error log.# dsconf set-log-prop ERROR max-age:3M # dsconf set-log-prop ERROR max-disk-space-size:20000M # dsconf set-log-prop ERROR max-file-count:30 # dsconf set-log-prop ERROR max-size:500M # dsconf set-log-prop ERROR min-free-disk-space:500M # dsconf set-log-prop ERROR verbose-enabled:on Further configure the logs.You can also configure the following settings for each log:# dsconf set-log-prop LOG_TYPE rotation-min-file-size:undefined # dsconf set-log-prop LOG_TYPE rotation-time:undefinedFor information about the dsconf command, see the dsconf(1M) man page. LDAP serverconfiguring multilevel port To work in Trusted Extensions, the server port of the Directory Server must be configured as a multilevel port (MLP) in the global zone. Start the Solaris Management Console.# /usr/sbin/smc & Select the This Computer (this-host: Scope=Files, Policy=TSOL) toolbox. Click System Configuration, then click Computers and Networks.You are prompted for your password. Type the appropriate password. Double-click Trusted Network Zones. Double-click the global zone. Add a multilevel port for the TCP protocol:Click Add for the Multilevel Ports for Zone's IP Addresses. Type 389 for the port number, and click OK. Add a multilevel port for the UDP protocol:Click Add for the Multilevel Ports for Zone's IP Addresses. Type 389 for the port number. Choose the udp protocol, and click OK. Click OK to save the settings. Update the kernel.# tnctl -fz /etc/security/tsol/tnzonecfg Trusted Extensions configurationadding network databases to LDAP server addingnetwork databases to LDAP server Several LDAP databases have been created or modified to hold Trusted Extensions data about label configuration, users, and remote systems. In this procedure, you populate the Directory Server databases with Trusted Extensions information. separation of dutyplanning for LDAPLDAP serverplanning for separation of dutyIf site security requires separation of duty, complete the following before populating the Directory server:Create Rights Profiles That Enforce Separation of Duty Create the Security Administrator Role in Trusted Extensions Create a Restricted System Administrator Role directoriesfor naming service setupCreate a staging area for files that you plan to use to populate the naming service databases.# mkdir -p /setup/files Copy the sample /etc files into the staging area.# cd /etc # cp aliases group networks netmasks protocols /setup/files # cp rpc services auto_master /setup/files # cd /etc/security # cp auth_attr prof_attr exec_attr /setup/files/ # # cd /etc/security/tsol # cp tnrhdb tnrhtp /setup/files# cd /etc/inet # cp ipnodes /setup/files Remove the +auto_master entry from the /setup/files/auto_master file. Remove the ?:::::? entry from the /setup/files/auth_attr file. Remove the :::: entry from the /setup/files/prof_attr file. Create the zone automaps in the staging area.In the following list of automaps, the first of each pair of lines shows the name of the file. The second line of each pair shows the file contents. The zone names identify labels from the default label_encodings file that is included with the Trusted Extensions software.Substitute your zone names for the zone names in these lines. myNFSserver identifies the NFS server for the home directories. /setup/files/auto_home_public * myNFSserver_FQDN:/zone/public/root/export/home/& /setup/files/auto_home_internal * myNFSserver_FQDN:/zone/internal/root/export/home/& /setup/files/auto_home_needtoknow * myNFSserver_FQDN:/zone/needtoknow/root/export/home/& /setup/files/auto_home_restricted * myNFSserver_FQDN:/zone/restricted/root/export/home/& Add every system on the network to the /setup/files/tnrhdb file. No wildcard mechanism can be used here. The IP address of every system to be contacted, including the IP addresses of labeled zones, must be in this file.Open the trusted editor and edit /setup/files/tnrhdb. Add every IP address on a labeled system in the Trusted Extensions domain.Labeled systems are of type cipso. Also, the name of the security template for labeled systems is cipso. Therefore, in the default configuration, a cipso entry is similar to the following:192.168.25.2:cipsoThis list includes the IP addresses of global zones and labeled zones. Add every unlabeled system with which the domain can communicate.Unlabeled systems are of type unlabeled. The name of the security template for unlabeled systems is admin_low. Therefore, in the default configuration, an entry for an unlabeled system is similar to the following:192.168.35.2:admin_low Save the file, and exit the editor. Check the syntax of the file.# tnchkdb -h /setup/files/tnrhdb Fix any errors before continuing. Copy the /setup/files/tnrhdb file to the /etc/security/tsol/tnrhdb file. Use the ldapaddent command to populate every file in the staging area.# /usr/sbin/ldapaddent -D "cn=directory manager" \ -w dirmgr123 -a simple -f /setup/files/hosts hosts LDAP serverconfiguring proxy for Trusted Extensions clients configuringLDAP proxy server for Trusted Extensions clients First, you need to add the Trusted Extensions databases to the existing Directory Server on a Solaris system. Second, to enable Trusted Extensions systems to access the Directory Server, you then need to configure a Trusted Extensions system to be the LDAP proxy server.LDAP servercreating proxy for Trusted Extensions clients creatingLDAP proxy server for Trusted Extensions clients If an LDAP server already exists at your site, create a proxy server on a Trusted Extensions system. You have added the databases that contain Trusted Extensions information to the LDAP server. For details, see Populate the Sun Java System Directory Server. On a system that is configured with Trusted Extensions, create a proxy server.For details, see Chapter 12, Setting Up LDAP Clients (Tasks), in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP). Verify that the Trusted Extensions databases can be viewed by the proxy server.# ldaplist -l database For strategies to solve LDAP configuration problems, see Chapter 13, LDAP Troubleshooting (Reference), in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP). Solaris Management Consoleworking with Sun Java System Directory Server Solaris Management Consoleconfiguring for LDAP configuringSolaris Management Console for LDAP tasks and task mapsConfiguring the Solaris Management Console for LDAP (Task Map) Configuring the Solaris Management Console for LDAP (Task Map) The Solaris Management Console is the GUI for administering the network of systems that are running Trusted Extensions.Task Description For Instructions Initialize the Solaris Management Console. Initialize the Solaris Management Console. This procedure is performed once per system in the global zone. Initialize the Solaris Management Console Server in Trusted Extensions Register credentials. Authenticate the Solaris Management Console with the LDAP server. Register LDAP Credentials With the Solaris Management Console Enable remote administration on a system. By default, a Solaris Management Console client cannot communicate with a Console server on another system. You must explicitly enable remote administration. Enable the Solaris Management Console to Accept Network Communications Create the LDAP toolbox. Create the LDAP toolbox in the Solaris Management Console for Trusted Extensions. Edit the LDAP Toolbox in the Solaris Management Console Verify communications. Verify that Trusted Extensions hosts can become LDAP clients. Verify That the Solaris Management Console Contains Trusted Extensions Information credentialsregistering LDAP with the Solaris Management Console registeringLDAP credentials with the Solaris Management Console Solaris Management Consoleregistering LDAP credentials LDAP serverregistering credentials with Solaris Management Console toolboxesScope=LDAP You must be the root user on an LDAP server that is running Trusted Extensions. The server can be a proxy server.Your Sun Java System Directory Server must be configured. You have completed one of the following configurations:Configuring an LDAP Server on a Trusted Extensions Host (Task Map) Configuring an LDAP Proxy Server on a Trusted Extensions Host (Task Map) Register the LDAP administrative credentials.LDAP-Server # /usr/sadm/bin/dtsetup storeCred Administrator DN:Type the value for cn on your system Password:Type the Directory Manager password Password (confirm):Retype the password List the scopes on the Directory Server.LDAP-Server # /usr/sadm/bin/dtsetup scopes Getting list of manageable scopes... Scope 1 file:Displays name of file scope Scope 2 ldap:Displays name of ldap scopeYour LDAP server setup determines the scopes that are listed. The LDAP scope is not listed until the LDAP toolbox is edited. The toolbox cannot be edited until after the server is registered. In this example, the name of the LDAP server is LDAP1 and the value for cn is the default, Directory Manager.# /usr/sadm/bin/dtsetup storeCred Administrator DN:cn=Directory Manager Password:abcde1;! Password (confirm):abcde1;! # /usr/sadm/bin/dtsetup scopes Getting list of manageable scopes... Scope 1 file:/LDAP1/LDAP1 Scope 2 ldap:/LDAP1/cd=LDAP1,dc=example,dc=com LDAPenabling administration from a client enablingLDAP administration from a client tcp_listen=true LDAP setting Solaris Management Consoleenabling LDAP toolbox to be used By default, Solaris systems are not configured to listen on ports that present security risks. Therefore, you must explicitly configure any system that you plan to administer remotely to accept network communications. For example, to administer network databases on the LDAP server from a client, the Solaris Management Console server on the LDAP server must accept network communications.For an illustration of the Solaris Management Console configuration requirements for a network with an LDAP server, see Client-Server Communication With the Solaris Management Console. You must be superuser in the global zone on the Solaris Management Console server system. In this procedure, that system is called the remote system. Also, you must have command line access to the client system as superuser. On the remote system, enable the system to accept remote connections.The smc daemon is controlled by the wbem service. If the options/tcp_listen property to the wbem service is set to true, the Solaris Management Console server accepts remote connections.# /usr/sbin/svcprop -p options wbem options/tcp_listen boolean false # svccfg -s wbem setprop options/tcp_listen=true Refresh and restart the wbem service.# svcadm refresh wbem # svcadm restart wbem Verify that the wbem service is set to accept remote connections.# svcprop -p options wbem options/tcp_listen boolean true On the remote system and on any client that needs to access the Solaris Management Console, ensure that remote connections are enabled in the smcserver.config file.Open the smcserver.config file in the trusted editor.# /usr/dt/bin/trusted_edit /etc/smc/smcserver.config Set the remote.connections parameter to true.## remote.connections=false remote.connections=true Save the file and exit the trusted editor. If you restart or enable the wbem service, you must ensure that the remote.connections parameter in the smcserver.config file remains set to true. toolboxesadding LDAP server to tsol_ldap.tbx addingLDAP toolbox creatingLDAP toolbox tsol_ldap.tbx file Solaris Management Consoleconfiguring LDAP toolbox You must be superuser on the LDAP server. The LDAP credentials must be registered with the Solaris Management Console, and you must know the output of the /usr/sadm/bin/dtsetup scopes command. For details, see Register LDAP Credentials With the Solaris Management Console. Find the LDAP toolbox.# cd /var/sadm/smc/toolboxes/tsol_ldap # ls *tbx tsol_ldap.tbx Provide the LDAP server name.Open the trusted editor. Copy and paste the full pathname of the tsol_ldap.tbx toolbox as the argument to the editor.For example, the following path is the default location of the LDAP toolbox:/var/sadm/smc/toolboxes/tsol_ldap/tsol_ldap.tbx Replace the scope information.Replace the server tags between the <Scope> and </Scope> tags with the output of the ldap:/...... line from the /usr/sadm/bin/dtsetup scopes command.<Scope>ldap:/<ldap-server-name>/<dc=domain,dc=suffix></Scope> Replace every instance of <?server?> or <?server ?> with the LDAP server.<Name>This Computer (ldap-server-name: Scope=ldap, Policy=TSOL)</Name> services and configuration of ldap-server-name.</Description> and configuring ldap-server-name.</Description> ... Save the file, and exit the editor. Refresh and restart the wbem service.# svcadm refresh wbem # svcadm restart wbem In this example, the name of the LDAP server is LDAP1. To configure the toolbox, the administrator replaces the instances of <?server ?> with LDAP1.# cd /var/sadm/smc/toolboxes/tsol_ldap # /usr/dt/bin/trusted_edit /tsol_ldap.tbx <Scope>ldap:/LDAP1/cd=LDAP1,dc=example,dc=com</Scope ... <Name>This Computer (LDAP1: Scope=ldap, Policy=TSOL)</Name> services and configuration of LDAP1.</Description> and configuring LDAP1.</Description> ... For an illustration of the Solaris Management Console configuration requirements for a network with an LDAP server and for a network without an LDAP server, see Client-Server Communication With the Solaris Management Console. You must be logged in to an LDAP client in an administrative role, or as superuser. To make a system an LDAP client, see Make the Global Zone an LDAP Client in Trusted Extensions.To administer the local system, you must have completed Initialize the Solaris Management Console Server in Trusted Extensions.To connect to a Console server on a remote system from the local system, you must have completed Initialize the Solaris Management Console Server in Trusted Extensions on both systems. Also, on the remote system, you must have completed Enable the Solaris Management Console to Accept Network Communications.To administer the databases in the LDAP naming service from the LDAP client, on the LDAP server you must have completed Edit the LDAP Toolbox in the Solaris Management Console, in addition to the preceding procedures. Start the Solaris Management Console.# /usr/sbin/smc & Open a Trusted Extensions toolbox.A Trusted Extensions toolbox has the value Policy=TSOL.On a trusted network that uses LDAP as a naming service, perform the following tests:To check that local administrative databases can be accessed, open the following toolbox:This Computer (this-host: Scope=Files, Policy=TSOL) To check that the LDAP server's local administrative databases can be accessed, specify the following toolbox:This Computer (ldap-server: Scope=Files, Policy=TSOL) To check that the naming service databases on the LDAP server can be accessed, specify the following toolbox:This Computer (ldap-server: Scope=LDAP, Policy=TSOL) On a trusted network that does not use LDAP as a naming service, perform the following tests:To check that local administrative databases can be accessed, open the following toolbox:This Computer (this-host: Scope=Files, Policy=TSOL) To check that a remote system's local administrative databases can be accessed, specify the following toolbox:This Computer (remote-system: Scope=Files, Policy=TSOL) Under System Configuration, navigate to Computers and Networks, then Security Templates. Check that the correct templates and labels have been applied to the remote systems.¬eldapsvr; To troubleshoot LDAP configuration, see Chapter 13, LDAP Troubleshooting (Reference), in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).