Asset ID: 1-71-1004673.1
Update Date: 2011-03-16
Solution Type: Technical Instruction Sure
Solution 1004673.1: Trusted Solaris[TM] 8 Operating System: Configuring Sun Ray Server 2.0
Related Items
- Sun Ray Hardware
- Trusted Solaris Operating System
Previously Published As: 206478
Description
This document describes how to install Sun Ray[TM] Server Software 2.0 on a Trusted Solaris[TM] 8 HW 12/02 platform.
Additional documentation, such as the Sun Ray Server Software
Installation and Configuration Guide and the Sun Ray Server
Software Administrator's Guide, are needed for successful
configuration.
This document is intended for system administrators familiar
with Trusted Solaris[TM] and the Solaris[TM] Management Console
software.
Note: Sun Ray Server 2.0 is supported on HW 12/02 (and later)
versions of Trusted Solaris 8, which is based on Solaris PSR1 (HW
12/02).
Steps to Follow
Trusted Solaris 8 (HW 12/02) Operating System ships with two pre-defined profiles designed to work with Sun Ray[TM]. They are:
- Sun Ray Initialization - This profile contains all commands necessary for system startup.
Note: The default installation path for Sun Ray software is /opt/SUNWut. To change it, modify the profile's path.
Installation
- Assign the Sun Ray Management profile to a role, such as admin. If assigned to a new role, ensure it also gets the Software Installation profile. In this document, the role admin is used.
- The default profile is set up for use with CDROM media. Mount the CD with all privileges on /cdrom/cdrom0, making the mount point if it does not already exist:
    $ /usr/bin/mkdir -p /cdrom/cdrom0
- Allocate the CDROM via the Allocate Device option from the front panel, but do not mount the CD. Rather, use the following command to mount the CD:
    $ /usr/bin/mount -F hsfs -o ro -S allowed=all /dev/dsk/c0t6d0s0 /cdrom/cdrom0
- To install the software via NFS or another directory, ensure all executable files have all allowed privileges. Verify as follows:
    $ getfpriv utinstall
    utinstall FORCED: none ALLOWED: all
  To install locally, set allowed privileges as follows:
    $ /usr/bin/find . -type f -a -perm -u+x -exec setfpriv -s -a all {} \;
- Install the software:
    $ /cdrom/cdrom0/utinstall
  An enhanced packaging system will automatically install the files with allowed=all privileges.
- Assign the Sun Ray devices an admin_low template (this is the range of IP addresses planned for use by the utadm command). Use the Security Family Tool within SMC to assign the Trusted Solaris system a tsol label. All other Sun Ray devices on the network get an admin_low label. Here is an excerpt from the /etc/tnrhdb file after the changes have been made:
    192.168.128.1:tsol
    192.168.128.0:admin_low
- Set up the Sun Ray as outlined in the documentation.
    $ /opt/SUNWut/sbin/utconfig
  For dedicated interconnect, enter:
    $ /opt/SUNWut/sbin/utadm -a <interface_name>
  For example:
    $ /opt/SUNWut/sbin/utadm -a hme1
  For shared (LAN) interconnect, enter:
    $ /opt/SUNWut/sbin/utadm -A <subnetwork>
  For example:
    $ /opt/SUNWut/sbin/utadm -A 10.6.133.0
- The installation and configuration commands will create a utwww user account that is used to run cgi scripts. To work, this account needs (at minimum) an admin_low label. To set it, assume the secadmin role and use the SMC User Manager to give the utwww account the Outside Accred right. Again, assign it at least an admin_low label.
  After the change has been made, the user_attr file has an additional entry as follows:
    utwww::::idlecmd=lock;lock_after_retries=no;idletime=5;labelview=internal,showsl;\
    clearance=0x00000000000000000000000000000000000000000000000000000000000000000000;\
    profiles=Outside Accred;min_label=0x00000000000000000000000000000000000000000000000000000000000000000000
  The backslashes are not part of the data, but are shown here for ease of viewing.
- Modify dtlogin and dtsession entries in /etc/pam.conf for Sun Ray use. The updated entries should look as follows:
    # pam_sunray.so added to dtlogin-SunRay by SunRay Server Software
    dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
    dtlogin-SunRay auth requisite /usr/lib/security/$ISA/pam_tp_auth.so.1
    dtlogin-SunRay auth requisite /usr/lib/security/$ISA/pam_unix.so.1 check_retries
    dtlogin-SunRay account required /usr/lib/security/$ISA/pam_roles.so.1
    dtlogin-SunRay account required /usr/lib/security/$ISA/pam_projects.so.1
    dtlogin-SunRay account required /usr/lib/security/$ISA/pam_unix.so.1
    dtlogin-SunRay account required /usr/lib/security/$ISA/pam_tsol.so.1
    # pam_sunray.so added to dtsession-SunRay by SunRay Server Software
    dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
    dtsession-SunRay account required /usr/lib/security/$ISA/pam_unix.so.1
    dtsession-SunRay auth required /usr/lib/security/$ISA/pam_unix.so.1
- Reboot the system.
- The Sun Ray should now work properly. The administration console (http://host:1660) must be accessed at admin_low.
Security Notes
- By default, /etc/tnrhdb contains 0.0.0.0:admin_low. If a site does not permit this entry or wants to further restrict the entry, the following entries can be added to achieve this:
    #Entry required for DHCP
    0.0.0.0/32:admin_low
    #Multicast address
    224.0.0.0:admin_low
    #Broadcast address
    255.255.255.255:admin_low
  Note: 0.0.0.0/32 matches exactly the IP address 0.0.0.0, whereas the entry 0.0.0.0 matches any IP address not having an entry in /etc/tnrhdb.
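The difference between the two 0.0.0.0 forms, as an added example that is not part of the original Sun document: a simplified Python model of /etc/tnrhdb matching, run over constructed copies of the entries shown on this page. It assumes that an entry without a prefix length acts as a wildcard over its trailing zero octets and that the most specific matching entry wins; the function names and the test addresses are hypothetical.

```python
import ipaddress

# Constructed sample files: the page's excerpt with the default wildcard,
# then the same excerpt with the restricted entries from Security Notes.
DEFAULT_TNRHDB = """\
192.168.128.1:tsol
192.168.128.0:admin_low
0.0.0.0:admin_low
"""
RESTRICTED_TNRHDB = """\
192.168.128.1:tsol
192.168.128.0:admin_low
#Entry required for DHCP
0.0.0.0/32:admin_low
#Multicast address
224.0.0.0:admin_low
#Broadcast address
255.255.255.255:admin_low
"""

def parse_tnrhdb(text):
    """Return (network, template) pairs from tnrhdb-style 'address:template' lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, template = line.rsplit(":", 1)
        if "/" in addr:
            host, plen = addr.split("/", 1)
            prefix = int(plen)
        else:
            # Assumption: each trailing zero octet widens the match by 8 bits,
            # so 192.168.128.0 covers 192.168.128.* and 0.0.0.0 covers everything.
            host, octets = addr, addr.split(".")
            while octets and octets[-1] == "0":
                octets.pop()
            prefix = 8 * len(octets)
        entries.append((ipaddress.ip_network(f"{host}/{prefix}"), template))
    return entries

def resolve(entries, ip):
    """Template of the most specific matching entry, or None if nothing matches."""
    ip = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, tmpl) for net, tmpl in entries if ip in net]
    return max(hits)[1] if hits else None
```

In this model, once the 0.0.0.0 wildcard is replaced, an address without its own entry resolves to no template, which is why the Sun Ray address range needs the explicit admin_low entry from the installation steps.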
Additional Profiles
The default profile requires manual changes to /etc/security/exec_attr.
Limitations
Some features are known not to work and therefore are not supported at this time.
- The NSCM (Non Smart Card Mobility) feature does not work. No workaround is available.
- The CAM (Control Access Mode) feature does not work. No workaround is available.
- Suspend/Resume sometimes does not work from the Admin GUI. Use the utsession command to suspend/resume a session.
- Smart Card login (using -S option) does not work. No workaround is available.
- When Sun Ray Services are started/restarted via the command line, removing a smart card does not cause the screen to lock. The workaround is to reboot the system. See the Security Notes section above.
Product
Trusted Solaris 8 Operating System
Sun Ray 1g Ultra-Thin Client
Sun Ray 150 Ultra-Thin Client
Sun Ray 1 Ultra-Thin Client
Sun Ray 100 Ultra-Thin Client
Sun Ray 170 Ultra-Thin Client
Internal Comments
The evaluation configuration did not include Sun Ray. This means that any additional security certification the customer may need for their particular value-added configuration, if required, will have to include the addition of Sun Ray.
This document was written by other departments and entered in Voyager by Jan Parcel of Trusted Solaris OE Sustaining.
security, "sun ray", "Trusted Solaris OE"
Previously Published As
25802
Change History
Date: 2006-01-23
User Name: 31620
Action: Update Canceled
Comment: *** Restored Published Content *** SSH AUDIT
Version: 0
Date: 2006-01-23
User Name: 31620
Action: Update Started
Comment: SSH AUDIT
Version: 0
Date: 2006-01-19
User Name: 31620
Action: Update Canceled
Comment: *** Restored Published Content *** SSH AUDIT
Version: 0