
CA Security Tech Tip: Using Privileged Identity Management on Solaris Zones

Discussion created by rehbr01 Employee on Jan 7, 2016

Introduction:

When running Privileged Identity Management (PIM) on Solaris zones, a few scenarios need special consideration.


Scenario 1: Branded Zones

By default, PIM communicates with the local zones through its native system call, which it registers via /etc/name_to_sysnum. When branded zones are in use, this communication between the global zone and the local zones can break, leaving the local endpoints unable to see that the kernel module is loaded. The recommended fix is to switch the communication method to IOCTL.


Please follow the steps in the "Use ioctl for Communication" section of our Implementation Guide to configure PIM for IOCTL communication.

Install on a Solaris Branded Zone - CA Privileged Identity Manager - 12.9 - CA Technologies Documentation


Scenario 2: Adding Additional Local Zones

Another scenario arises when a new zone is added after IOCTL has already been configured. The new zone cannot communicate with the global zone until the kernel module is reloaded in the global zone. To avoid this, follow the steps below when adding a new zone.


  1. Stop PIM on the global zone (there is no need to unload the kernel extension).

  2. Create and install the new zone.

  3. Log in to the new zone and turn the IOCTL token on in seos.ini:
     SEOS_use_ioctl = 1

  4. On the global zone run 'SEOS_load -z' followed by 'SEOS_load -i'.
     This should produce output similar to the following, listing every configured zone that can reach the driver:

     SEOS_load: device usage enabled.
     module: 219 7ae00000 72140 314 1 seos (SEOS driver v8.0)
     dev major: seos 314
     dev path : /devices/pseudo/seos@0:seos
     dev link : /dev/seos
     zone: eactest1 match: /dev/seos.
     zone: eactest2 match: /dev/seos.

     The new zone should appear in this list before you go on.

  5. Reboot the new zone and start PIM.
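The five steps above gathered into a script, as an added example; this is not code from the tech tip or from CA. The two parsing helpers (turning the seos.ini token on and checking the 'SEOS_load -i' listing) run on any POSIX shell; the orchestration function assumes commands the tip does not name: 'secons -s' and 'seload' to stop and start PIM, 'zonecfg' having already configured the zone, 'zoneadm' for install, boot and reboot, and a seos.ini path for the new zone that is reachable from the global zone. The 'SEOS_load -i' sample and the seos.ini fragment are constructed test data (the section name in the fragment is assumed).

```shell
#!/bin/sh
# Added example, not code from the original tech tip or from CA.
# Helpers for the "add a local zone after IOCTL is configured" procedure.
# Assumptions not stated on the page: PIM is stopped with 'secons -s' and
# started with 'seload'; the zone has already been configured with zonecfg;
# seos.ini already carries a SEOS_use_ioctl line (possibly commented out)
# in its own section; and 'SEOS_load -i' prints one
# "zone: <name> match: /dev/seos." line per zone that can reach the driver.

# Step 3: turn the IOCTL token on in the given seos.ini.
# Rewrites an existing (possibly ';'- or '#'-commented) SEOS_use_ioctl line
# in place so the token stays in its own section; refuses to guess the
# section if the token is absent.
set_ioctl_token() {
    ini="$1"
    if ! grep -q '^[;#]\{0,1\}[[:space:]]*SEOS_use_ioctl[[:space:]]*=' "$ini"; then
        echo "no SEOS_use_ioctl token in $ini; add it in its section by hand" >&2
        return 1
    fi
    tmp="$ini.tmp.$$"
    sed 's/^[;#]\{0,1\}[[:space:]]*SEOS_use_ioctl[[:space:]]*=.*/SEOS_use_ioctl = 1/' \
        "$ini" > "$tmp" && mv "$tmp" "$ini"
}

# True when seos.ini has an active (uncommented) SEOS_use_ioctl = 1.
ioctl_enabled() {
    grep -q '^[[:space:]]*SEOS_use_ioctl[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Step 4 check: does 'SEOS_load -i' output (read from stdin) list the zone?
# The anchored pattern keeps eactest1 from matching eactest10.
zone_sees_driver() {
    grep -q "^zone: $1 match: /dev/seos\.\{0,1\}$"
}

# The whole procedure for one zone, run from the global zone.
# $2 is the new zone's seos.ini as reachable from the global zone
# (for example <zonepath>/root/opt/CA/AccessControl/seos.ini; path assumed).
add_zone_with_ioctl() {
    zone="$1"; ini="$2"
    secons -s                                   # 1. stop PIM; driver stays loaded
    zoneadm -z "$zone" install || return 1      # 2. install the configured zone
    zoneadm -z "$zone" boot || return 1
    set_ioctl_token "$ini" || return 1          # 3. SEOS_use_ioctl = 1 in the zone
    SEOS_load -z || return 1                    # 4. register zones, then verify
    info=$(SEOS_load -i) || return 1
    printf '%s\n' "$info"
    if ! printf '%s\n' "$info" | zone_sees_driver "$zone"; then
        echo "zone $zone not listed by SEOS_load -i; do not start PIM yet" >&2
        return 1
    fi
    zoneadm -z "$zone" reboot || return 1       # 5. reboot the zone, start PIM
    seload
}

# Constructed sample of 'SEOS_load -i' output (copied from the tip above)
# so the parsing helpers can be exercised without a Solaris host.
SAMPLE_LOAD_INFO='SEOS_load: device usage enabled.
module: 219 7ae00000 72140 314 1 seos (SEOS driver v8.0)
dev major: seos 314
dev path : /devices/pseudo/seos@0:seos
dev link : /dev/seos
zone: eactest1 match: /dev/seos.
zone: eactest2 match: /dev/seos.'

# Constructed seos.ini fragment with the token commented out; the section
# name is assumed, not taken from the page. Prints the temp file's path.
make_sample_ini() {
    f=$(mktemp) || return 1
    printf '[SEOS_syscall]\n; SEOS_use_ioctl = 0\n' > "$f"
    echo "$f"
}
```

The same 'zone_sees_driver' check is useful for Scenario 1: running 'SEOS_load -i | zone_sees_driver <branded-zone>' on the global zone tells you whether a branded zone can reach the driver at all, before you change anything.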
