Symantec Privileged Access Management


CA Security Tech Tip: Using Privileged Identity Management on Solaris Zones


    Broadcom Employee
    Posted Jan 07, 2016 04:28 PM

    Introduction:

    When running Privileged Identity Management on Solaris zones, there are some scenarios that need to be taken into consideration.


    Scenario 1: Branded Zones

    By default, PIM communicates with the local zones through a native system call defined in /etc/name_to_sysnum. When branded zones are in use, communication between the global zone and the local zones can break, leaving the endpoints in the local zones unable to see that the kernel extension has been loaded. To fix this, it is recommended that IOCTL be used as the communication method instead.


    Please follow the steps in the "Use ioctl for Communication" section of our Implementation Guide to configure PIM for IOCTL communication.

    Install on a Solaris Branded Zone - CA Privileged Identity Manager - 12.9 - CA Technologies Documentation


    Scenario 2: Adding Additional Local Zones

    Another scenario arises when new zones are added after IOCTL has been configured. The new zone cannot communicate with the global zone until the kernel extension is reloaded in the global zone. To avoid this, follow the steps below when adding a new zone.


    1. Stop PIM on the global zone (no need to unload the kernel extension)

    2. Create and install a new zone

    3. Log into the new zone and turn the IOCTL token on (seos.ini)
      SEOS_use_ioctl = 1

    4. On the global zone, invoke 'SEOS_load -z' followed by 'SEOS_load -i'.
      This should produce output similar to the listing below, showing every configured zone:

      SEOS_load: device usage enabled.
      module: 219 7ae00000 72140 314 1 seos (SEOS driver v8.0)
      dev major: seos 314
      dev path : /devices/pseudo/seos@0:seos
      dev link : /dev/seos
      zone: eactest1 match: /dev/seos.
      zone: eactest2 match: /dev/seos.


    5. Reboot the new zone and start PIM.
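    As an added check (example code, not part of the tech tip or of CA's product), the POSIX shell script below parses 'SEOS_load -i' output in the format shown in step 4 and reports any configured zone the SEOS driver does not list, which is the symptom described in scenario 2. It also verifies the SEOS_use_ioctl token from step 3. The sample output, the expected zone list and the seos.ini lines are constructed; the functions are hypothetical helpers, and the grep assumes the token is written on its own line as in step 3.

```shell
#!/bin/sh
# Constructed sample of 'SEOS_load -i' output, modelled on the listing in the tech tip.
SAMPLE_SEOS_LOAD_I='SEOS_load: device usage enabled.
module: 219 7ae00000 72140 314 1 seos (SEOS driver v8.0)
dev major: seos 314
dev path : /devices/pseudo/seos@0:seos
dev link : /dev/seos
zone: eactest1 match: /dev/seos.
zone: eactest2 match: /dev/seos.'

# Zones the administrator expects to be served (constructed list; on a real global
# zone take it from 'zoneadm list -cv', leaving out "global").
EXPECTED_ZONES="eactest1 eactest2 eactest3"

# seos_zones: read 'SEOS_load -i' output on stdin and print each zone the driver
# matched to /dev/seos, one name per line.
seos_zones() {
    awk '$1 == "zone:" && $3 == "match:" { print $2 }'
}

# missing_zones "zone1 zone2 ...": print, space separated, every expected zone that
# the 'SEOS_load -i' output on stdin does not list. Empty output means all zones are
# matched; a non-empty result points at a zone that will not reach the global zone
# until the kernel extension is reloaded (scenario 2 above).
missing_zones() {
    matched=$(seos_zones)
    out=""
    for z in $1; do
        found=0
        for m in $matched; do
            [ "$z" = "$m" ] && found=1
        done
        [ "$found" -eq 0 ] && out="$out $z"
    done
    printf '%s\n' "${out# }"
}

# ioctl_enabled FILE: exit 0 when the seos.ini at FILE sets SEOS_use_ioctl = 1
# (surrounding whitespace tolerated), 1 otherwise. The key name is taken from step 3.
ioctl_enabled() {
    grep -Eq '^[[:space:]]*SEOS_use_ioctl[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Stand-alone demonstration on the constructed data: eactest3 is expected but not
# listed by the driver, so it is reported.
printf '%s\n' "$SAMPLE_SEOS_LOAD_I" | missing_zones "$EXPECTED_ZONES"   # prints: eactest3
```

On a real global zone, pipe the live command into the function instead of the sample: SEOS_load -i | missing_zones "$(zoneadm list -cv | awk 'NR > 1 && $2 != "global" { print $2 }')".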