Sun Microsystems, Inc.

More Resources

• www.sun.com/software/solaris/solaris-express/
• www.sun.com/nettalk/
• www.sun.com/solaris/fcc/lifecycle.html

Fast Track to the Solaris 10 OS Adoption: Security

Documentation & Training

Q: Are there any white papers or further information on the N1 Grid Containers and overall security design of this new technology, primarily under the Solaris 10 OS?

A: Yes, the Solaris 10 OS security white paper covers this material and is available at www.sun.com/solaris/. Also, there will be a new white paper for Solaris Containers (the new name for N1 Grid Containers) in the next few weeks.

Q: Where is there documentation for Process Rights Management?

A: Please check docs.sun.com.

Q: Is there some kind of documentation in the Solaris 10 OS, because when I installed it, the system required the corresponding documentation disk.

A: The documentation disk is not required to perform a successful installation, and we are not providing it as part of the Solaris Express program, although it will be available as part of the final product.

Q: Do you have a blueprint doc on building LDAP with Kerberos and tying that into AD? Also, from a security perspective, what do you recommend for handling user home directories with LDAP? NFS over IPsec?

A: A revision of the Sun BluePrint named "Solaris and LDAP Naming Services" is in progress, though the current version provides valuable information. Kerberos NFS home directories provide a great deal of protection, and in particular, NFSv4 systems require that Kerberos be available to provide authentication and privacy of NFS transactions. IPsec can certainly be used at any time to provide host-based authentication and network privacy protection of any IP-based transaction. Thus, IPsec can be used with versions 8, 9, and 10.

Q: Is there full MIT Kerberos 5 library support in the Solaris 10 OS? The Solaris 9 OS has only the GSS lib.

A: While we have an MIT-based implementation of Kerberos in the Solaris 10 OS, we do not expose the Kerberos API directly, as it is unstable and not well defined (many apps over the years have used different parts of the API). However, we have been working with MIT on defining what portion of the API is considered stable and committed to for the longer term, so we hope that we'll be able to expose this API in a future release. Today, we suggest using GSS-API so that you don't tie your application too closely to Kerberos and can leverage future GSS-API-based mechanisms we may offer. We are also including SASL in the Solaris 10 OS, which offers linkage to GSS-API (and thus Kerberos), so your application may also wish to use SASL.

Q: Are RBAC and user rights management the same thing?

A: No, they are complementary technologies within the Solaris OS. You can get more information under "Rights Management" and "Roles Management" at http://docs.sun.com/
