Solaris Trusted Extensions Administrator's Procedures
Previous Next

Getting Started as a Trusted Extensions Administrator (Task Map)

Familiarize yourself with the following procedures before administering Trusted Extensions.

Task

Description

For Instructions

Log in.

Logs you in securely.

Logging In to Trusted Extensions in Solaris Trusted Extensions User’s Guide

Perform common user tasks on a desktop.

These tasks include:

  • Configuring your workspaces

  • Using workspaces at different labels

  • Accessing Trusted Extensions man pages

  • Accessing Trusted Extensions online help

Working on a Labeled System in Solaris Trusted Extensions User’s Guide

Perform tasks that require the trusted path.

These tasks include:

  • Allocating a device

  • Changing your password

  • Changing the label of a workspace

Performing Trusted Actions in Solaris Trusted Extensions User’s Guide

Create useful roles.

Creates administrative roles for your site. Creating roles in LDAP is a one-time task.

The Security Administrator role is a useful role.

Role Creation in Trusted Extensions

Create the Security Administrator Role in Trusted Extensions

(Optional) Make root a role.

Prevents anonymous login by root. This task is done once per system.

How to Make root User Into a Role in System Administration Guide: Security Services

Assume a role.

Enters the global zone in a role. All administrative tasks are performed in the global zone.

How to Enter the Global Zone in Trusted Extensions

Exit a role workspace and become regular user.

Leaves the global zone.

How to Exit the Global Zone in Trusted Extensions

Locally administer users, roles, rights, zones, and networks.

Uses the Solaris Management Console to manage the distributed system.

How to Administer the Local System With the Solaris Management Console

Administer the system by using Trusted CDE actions.

Uses the administrative actions in the Trusted_Extensions folder.

How to Start CDE Administrative Actions in Trusted Extensions

Edit an administrative file.

Edits files in a trusted editor.

How to Edit Administrative Files in Trusted Extensions

Administer device allocation in Trusted CDE.

Uses the Device Allocation Manager – Device Administration GUI.

Managing Devices in Trusted Extensions (Task Map)

How to Enter the Global Zone in Trusted Extensions

By assuming a role, you enter the global zone in Trusted Extensions. Administration of the entire system is possible only from the global zone. Only superuser or a role can enter the global zone.

After assuming a role, the role can create a workspace at a user label to edit administration files in a labeled zone.

For troubleshooting purposes, you can also enter the global zone by starting a Failsafe session. For details, see How to Log In to a Failsafe Session in Trusted Extensions.

Before You Begin

You have created one or more roles, or you plan to enter the global zone as superuser. For pointers, see Role Creation in Trusted Extensions.

  1. Use a trusted mechanism.
    • In Solaris Trusted Extensions (GNOME), click your user name in the trusted stripe and choose a role.

      If you have been assigned a role, the role names are displayed in a list.

      For the location and significance of Trusted Extensions desktop features, see Chapter 4, Elements of Trusted Extensions (Reference), in Solaris Trusted Extensions User’s Guide.

    • In Solaris Trusted Extensions (CDE), open the Trusted Path menu.
      1. Click mouse button 3 over the workspace switch area.
        The illustration shows the Workspace Switch Area in Trusted CDE.
      2. Choose Assume rolename Role from the Trusted Path menu.
  2. At the prompt, type the role password.

    In Trusted CDE, a new role workspace is created, the workspace switch button changes to the color of the role desktop, and the title bar above each window shows Trusted Path. In Trusted GNOME, the current workspace changes to the role workspace.

    In Trusted CDE, you leave a role workspace by using the mouse to choose a regular user workspace. You can also delete the last role workspace to exit a role. In Trusted GNOME, you can click the role name on the trusted stripe, and from the menu, select a different role or user. This action changes the current workspace to the process of the new role or user.

How to Exit the Global Zone in Trusted Extensions

The menu locations for exiting a role are different in Trusted GNOME and Trusted CDE.

Before You Begin

You are in the global zone.

  • On both desktops, you can click a user workspace in the Workspace Switch area.

    You can also exit the role workspace, and therefore the global zone, by doing one of the following:

    • In Trusted GNOME, click your role name in the trusted stripe.

      When you click the role name, your user name and a list of roles that you can assume is displayed. When you select your user name, all subsequent windows that you create in that workspace are created by the selected name. The windows that you previously created on the current desktop continue to display at the name and label of the role.

      If you choose a different role name, you remain in the global zone in a different role.

    • In Trusted CDE, delete the role workspace.

      Click mouse button 3 over the workspace button and select Delete. You are returned to the last workspace you occupied.

How to Administer the Local System With the Solaris Management Console

The first time that you launch the Solaris Management Console on a system, a delay occurs while the tools are registered and various directories are created. This delay typically occurs during system configuration. For the procedure, see Initialize the Solaris Management Console Server in Trusted Extensions.

To administer a remote system, see Administering Trusted Extensions Remotely (Task Map).

Before You Begin

You must have assumed a role. For details, see How to Enter the Global Zone in Trusted Extensions.

  1. Start the Solaris Management Console.

    In Solaris Trusted Extensions (GNOME), use the command line. In Trusted CDE, you have three choices.

    • Use the smc command in a terminal window.
      $ /usr/sbin/smc &
    • From the Tools pull-up menu on the Front Panel, click the Solaris Management Console icon.
    • In the Trusted_Extensions folder, double-click the Solaris Management Console icon.
  2. Choose Console -> Open Toolbox.
  3. From the list, select a Trusted Extensions toolbox of the appropriate scope.

    A Trusted Extensions toolbox has Policy=TSOL as part of its name. The Files scope updates local files on the current system. The LDAP scope updates LDAP directories on the Sun JavaTM System Directory Server. The toolbox names appear similar to the following:

    This Computer (this-host: Scope=Files, Policy=TSOL)
    This Computer (ldap-server: Scope=LDAP, Policy=TSOL)
  4. Navigate to the desired Solaris Management Console tool.

    The password prompt is displayed.

    For tools that Trusted Extensions has modified, click System Configuration.

  5. Type the password.

    Refer to the online help for additional information about Solaris Management Console tools. For an introduction to the tools that Trusted Extensions modifies, see Solaris Management Console Tools.

  6. To close the GUI, choose Exit from the Console menu.

How to Start CDE Administrative Actions in Trusted Extensions

  1. Assume a role.

    For details, see How to Enter the Global Zone in Trusted Extensions.

  2. In Trusted CDE, bring up the Application Manager.
    1. Click mouse button 3 on the background to bring up the Workspace menu.
    2. Click Applications, then click the Application Manager menu item.
      Dialog box titled Application Manager shows folders, including the Trusted_Extensions folder.

      The Trusted_Extensions folder is in the Application Manager.

  3. Open the Trusted_Extensions folder.
  4. Double-click the appropriate icon.

    For a list of administrative actions, see Trusted CDE Actions.

How to Edit Administrative Files in Trusted Extensions

Administrative files are edited with a trusted editor that incorporates auditing. This editor also prevents the user from executing shell commands and from saving to any file name other than the name of the original file.

  1. Assume a role.

    For details, see How to Enter the Global Zone in Trusted Extensions.

  2. Open a trusted editor.
    • In Solaris Trusted Extensions (CDE), do the following:
      1. To bring up the editor, click mouse button 3 on the background to bring up the Workspace menu.
      2. Click Applications, then click the Application Manager menu item.

        The Trusted_Extensions folder is in the Application Manager.

      3. Open the Trusted_Extensions folder.
      4. Double-click the Admin Editor action.

        You are prompted to provide a file name. For the format, see Step 3 and Step 4.

    • In Solaris Trusted Extensions (GNOME), do the following:
  3. To create a new file, type the full path name for the new file.

    When you save the file, the editor creates a temporary file.

  4. To edit an existing file, type the full path name for the existing file.

    Note - If your editor provides a Save As option, do not use it. Use the editor's Save option to save the file.


  5. To save the file to the specified path name, close the editor.
Previous Next