OpenSolaris


Installing the Solaris Trusted Extensions Software on a Laptop Computer

These instructions enable you to configure a laptop system with the Solaris[tm] Trusted Extensions software to run in both connected and disconnected modes. The Solaris Trusted Extensions software is included beginning with the release of the Solaris 10 11/06 Operating System.

Each time you want to run your system in connected mode, use the modified version of the OpenSolaris inetmenu tool to configure the system for that network.

Caution - The inetmenu program might be replaced with another utility in the future.

This configuration uses a single shared all-zones interface for both the global zone and the labeled zones. The default network label is PUBLIC unless you are connecting to the Sun Wide Area Network.

This page includes the following tasks, which should be followed in this order:

  1. How to Install and Configure the Solaris Operating System

  2. How to Install the Solaris Trusted Extensions Software

  3. How to Configure Your Trusted Extensions System

  4. How to Create the Labeled Zones

  5. How to Install and Use inetmenu

  6. How to Run Trusted Extensions as a Normal User

How to Install and Configure the Solaris Operating System

  1. Start the Solaris installation process by booting a Solaris DVD or booting from the network.

  2. Follow the instructions in the installation wizard to build the installation profile.

    Use the default values to build the profile.

    Note - You must reserve a file system slice that has at least 2 Gbytes of free space and call it /zone.

  3. Install the Solaris software.

  4. After the Solaris installation completes, use the /zone slice to create a ZFS pool by doing the following:

    1. Unmount the /zone slice.

      # umount /zone

    2. Edit the /etc/vfstab file by commenting out the /zone entry.

    3. Create the pool.

      # zpool create -f zone slicename

      slicename is the device name of the former /zone slice, in the format cndnsn.

  5. Download the inetmenu tool and some Trusted Extensions modifications for the tool from the OpenSolaris web site.

    After the Solaris Trusted Extensions software is installed, you can use the inetmenu tool to configure your laptop to run on a network in connected mode.

    1. Create a directory called /opt/tx in which to download the inetmenu package and its Trusted Extensions modifications.

      Caution - Do not install these packages or modifications at this time.

    2. Download the inetmenu package from the Laptop Community page on the OpenSolaris web site.

      The file is called inetmenu-1.9.pkg.gz.

    3. Download the inetmenu modifications from the Trusted Extensions page on the OpenSolaris web site.

      These modifications enable the inetmenu script to operate properly on a system that runs the Solaris Trusted Extensions software.

      The file is called inetmenu-tx.tar.

How to Install the Solaris Trusted Extensions Software

  1. Change to the ExtraValue/Cobundled/Trusted_Extensions directory on the DVD or on the netinstall image.

  2. Start the installation wizard in one of these ways:

    • Double-click the wizard.class file in the CDE File Manager.

    • Open a terminal window and type:

      # java wizard

  3. Follow the instructions in the installation wizard to install the Trusted Extensions software.

    You must agree to the license terms to complete the Trusted Extensions installation.

  4. When the Trusted Extensions installation completes, unconfigure your system's network identity.

    This step enables you to migrate your laptop between networks and to work in a disconnected state. If you are running Nevada build 64a or newer, you will first need to disable the Network Automagic Service (nwam Phase 0). Please refer to the instructions for disabling nwam and enabling manual mode.

    1. Starting with Nevada build 71, we have separated installation from enabling of Trusted Extensions. Therefore, you will need to manually enable the labeling policy. We are currently migrating all the Trusted Extensions packages into standard Solaris metaclusters. The previous install steps should be eliminated by build 76. To enable Trusted Extensions, run the following command:

      # svcadm enable labeld

    2. If you are running Nevada, you should disable IPv6, since the virtual network interface, vni(7), has some issues with IPv6 in this configuration. Comment out the last line in the net-loopback SMF method, which enables IPv6 on the loopback interface. The full pathname is:

      /lib/svc/method/net-loopback

    3. Remove any network interface configuration files, such as /etc/hostname.* and /etc/dhcp.*.

      # rm /etc/hostname.*
      # rm /etc/dhcp.*

    4. Update your /etc/hosts and /etc/inet/ipnodes as follows:

      127.0.0.1 localhost loghost
      10.1.2.3 your-hostname

    5. Create the /etc/nodename file.

      # hostname >/etc/nodename

    6. Add the following entry to the /etc/security/tsol/tnrhdb file:

      10.1.2.3:cipso

    7. Specify the virtual network interface (VNI) for your system by adding the following to the /etc/hostname.vni0 file.

      # echo `hostname` all-zones >>/etc/hostname.vni0

      For more information, see the vni(7) man page.

    8. Add the following to the LOCAL DEFINITIONS section of the /etc/security/tsol/label_encodings file.

      Default Label View is Internal;

      This step addresses a problem with the default translation mode for the admin_low and admin_high labels.

    9. (Optional) If your system has NIS enabled, disable it by doing the following:

      # cp /etc/nsswitch.files /etc/nsswitch.conf
      # mv /var/yp /var/yp.save

  5. Reboot the system.

    When the reboot completes, the system is running the Solaris Trusted Extensions software.
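As an added check that is not part of the original page, the following POSIX shell function audits the files touched in step 4 above (stale hostname.* and dhcp.* files, /etc/hostname.vni0, /etc/nodename, hosts and ipnodes, the tnrhdb cipso entry, and the label_encodings fix) before you reboot. The function name and the ROOT prefix are assumptions; the prefix lets the check run against a staged copy of the files, and ROOT=/ audits the laptop itself.

```shell
#!/bin/sh
# Audit the network-identity configuration from step 4 of the Trusted
# Extensions installation procedure. Added example, not from the original
# page. ROOT is an assumed prefix so a staged copy of /etc can be checked;
# use ROOT=/ (the default) on the laptop itself.
ROOT="${ROOT:-/}"

check_tx_netid() {
    root="${1:-$ROOT}"; fails=0
    host=$(cat "$root/etc/nodename" 2>/dev/null || true)
    [ -n "$host" ] || { echo "FAIL: /etc/nodename missing or empty"; fails=$((fails+1)); }
    # Any hostname.* or dhcp.* file other than hostname.vni0 re-plumbs a
    # physical NIC at boot and defeats disconnected mode.
    for f in "$root"/etc/hostname.* "$root"/etc/dhcp.*; do
        [ -e "$f" ] || continue
        case "$f" in
            */hostname.vni0) ;;
            *) echo "FAIL: stale interface file $f"; fails=$((fails+1)) ;;
        esac
    done
    grep -q "^$host[[:space:]][[:space:]]*all-zones" "$root/etc/hostname.vni0" 2>/dev/null \
        || { echo "FAIL: /etc/hostname.vni0 must contain '$host all-zones'"; fails=$((fails+1)); }
    # The host's address comes from /etc/hosts; ipnodes must carry the same
    # mapping, and tnrhdb must assign that address the cipso template.
    ip=$(awk -v h="$host" '$2==h {print $1; exit}' "$root/etc/hosts" 2>/dev/null || true)
    [ -n "$ip" ] || { echo "FAIL: $host has no entry in /etc/hosts"; fails=$((fails+1)); }
    awk -v h="$host" -v ip="$ip" '$1==ip && $2==h {f=1} END {exit !f}' \
        "$root/etc/inet/ipnodes" 2>/dev/null \
        || { echo "FAIL: /etc/inet/ipnodes lacks '$ip $host'"; fails=$((fails+1)); }
    awk -F: -v ip="$ip" '$1==ip && $2=="cipso" {f=1} END {exit !f}' \
        "$root/etc/security/tsol/tnrhdb" 2>/dev/null \
        || { echo "FAIL: tnrhdb lacks '$ip:cipso'"; fails=$((fails+1)); }
    grep -q "Default Label View is Internal;" "$root/etc/security/tsol/label_encodings" 2>/dev/null \
        || { echo "FAIL: label_encodings lacks 'Default Label View is Internal;'"; fails=$((fails+1)); }
    [ "$fails" -eq 0 ] && echo "OK: network identity matches the procedure"
    return "$fails"   # number of failed checks; 0 means the files agree
}
```

Invoke it as `check_tx_netid /` on the laptop; the return value is the number of failed checks, so it can gate the reboot in a wrapper script.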

How to Configure Your Trusted Extensions System

  1. Log in to Trusted Extensions CDE as superuser.

  2. Open a terminal window.

  3. Verify that the VNI interface is up and that the all-zones option is specified.

    # ifconfig -a

    You should see that the IP address for the vni0 interface is the same as the one you specified in the hosts and ipnodes files. Also, the vni0 interface should include the all-zones option.

  4. Start the Solaris Management Console.

    # smc &

    1. From the Toolboxes menu, select the entry for your system that shows Scope=Files, Policy=TSOL.

    2. Click Open.

  5. Add yourself as a normal user.

    1. From the Navigation bar, select System Configuration, and then double-click the Users icon.

      The login window opens.

    2. Log in as root.

    3. Click User Accounts, and then select Add User With Wizard from the Action menu.

      Follow the instructions to add the user.

  6. After your account is created, double-click your user icon to modify settings.

    1. (Optional) If you are going to be doing demonstrations, open the Rights tab and add these rights:

      • Object Label Management

      • Device Management

    2. Open the Trusted Extensions Attributes tab and modify these items:

      1. Set the Clearance value to CONFIDENTIAL RESTRICTED.

      2. Set the Lock Account After Maximum Failed Logins value to No.

      3. Set the Idle Time value to Forever.

      4. Click OK.

  7. Edit the /etc/user_attr file to append the following to your user entry:

    ;roles=root

    This step is a temporary workaround until you have verified that your system is working correctly. At that time, you should configure root as a role.

  8. Create security templates for the public and internal zones.

    1. From the Navigation bar, select System Configuration, and then double-click the Computers and Networks icon.

    2. Click Security Templates, and then choose Add Template from the Action menu.

    3. Specify the template name as public.

    4. Set the default label to PUBLIC.

    5. Set the Domain of Interpretation value to 1.

    6. Click OK.

    7. Choose Add Template from the Action menu.

    8. Specify the template name as internal.

    9. Set the default label to CONFIDENTIAL : INTERNAL USE ONLY.

    10. Set the Domain of Interpretation value to 1.

    11. Click OK.

  9. Manually update the kernel cache with trusted networking parameter values.

    # tnctl -T /etc/security/tsol/tnrhtp

  10. Exit the Solaris Management Console.

How to Create the Labeled Zones

  1. Run the txzonemgr script and follow each of these steps.

    Note - You must click OK each time to continue.

  2. Create a new zone called public.

    1. Select Create A New Zone and click OK.

    2. Specify the zone name of public.

    3. Choose Select_Label and click OK.

    4. Choose PUBLIC.

    5. Choose Install to install the public zone.

      A window opens to show you the progress of the zone installation process.

    6. Choose Initialize to initialize the public zone.

    7. Choose Zone_Console to open the zone console window.

    8. Choose Boot to boot the zone.

      The public zone is rebooted automatically.

    The public zone will reboot again automatically.

  3. From the zone terminal console window, log in as superuser and run the following commands:

    • Run these commands on a Solaris 10 11/06 system:

      # rm /etc/auto_home_public
      # netservices limited
      # svcadm disable auditd
      # svcadm disable cde-login
      # exit

    • Run these commands on a Solaris Express system:

      # rm /etc/auto_home_public
      # svcadm disable auditd
      # svcadm disable cde-login
      # exit

  4. From txzonemgr, create the internal, needtoknow, and restricted zones.

    1. Choose Halt to halt the public zone.

    2. Choose Create_Snapshot to create a snapshot of the public zone.

    3. Choose Boot to boot the public zone.

    4. Choose Select Another Zone and click OK.

    5. Choose Create A New Zone and click OK.

    6. Name the new zone internal.

    7. Choose Select_Label and specify a value of CONFIDENTIAL : INTERNAL USE ONLY.

    8. Choose Clone and select zone/public@snapshot.

    9. Choose Zone_Console to open the zone console for the new zone.

    10. Choose Boot to boot the new zone.

    11. Repeat Steps 4-10 for the needtoknow and restricted zones, which use the labels CONFIDENTIAL : NEED TO KNOW and CONFIDENTIAL : RESTRICTED, respectively.

    12. Choose Exit to exit the txzonemgr program.

How to Install and Use inetmenu

You should have downloaded these files from the OpenSolaris web site to the /opt/tx directory of the laptop you are installing:

  • inetmenu-1.9.pkg.gz

  • inetmenu-tx.tar

Caution - The inetmenu program might be replaced with another utility in the future.

  1. Become superuser.

  2. Change to the /opt/tx directory.

  3. Unzip and install the inetmenu software.

    # gunzip inetmenu-1.9.pkg.gz
    # pkgadd -d inetmenu-1.9.pkg

  4. Apply the Trusted Extensions modifications to inetmenu.

    # cd /; tar xvf /opt/tx/inetmenu-tx.tar

  5. Run inetmenu.

    # inetmenu

  6. Select the DHCP-NoNIS option.

    Now, your network should be up with PUBLIC as the default label. You can run the txnetmgr command to verify that it is all-zones.

How to Run Trusted Extensions as a Normal User

For most users, the public zone should provide network connectivity. However, if you are connected to the Sun Wide Area Network, the default label is CONFIDENTIAL : INTERNAL USE ONLY, so you must use the internal zone.

  1. Log out as superuser.

  2. Log in as yourself.

    Choose the windowing system to use: Trusted Extensions CDE or Trusted Extensions Java[tm] Desktop System.

    The Trusted Extensions team recommends that you test using the Trusted Extensions CDE first.

  3. Verify that you can assume the root role.

    You will need to assume this role to run inetmenu.