Trusted Extensions Configuration and Administration

Updated: July 2014

How to Debug the Trusted Extensions Network

To debug two hosts that should be communicating but are not, you can use Trusted Extensions and Oracle Solaris debugging tools. For example, Oracle Solaris network debugging commands such as snoop and netstat are available. For details, see the snoop(1M) and netstat(1M) man pages. For commands that are specific to Trusted Extensions, see Appendix D, List of Trusted Extensions Man Pages.

Before You Begin

You must be in the global zone in a role that can check network attribute values. The Security Administrator role or the System Administrator role can check these values. Only the root role can edit files.

  1. Check that the hosts that cannot communicate are using the same naming service.
    1. On each system, check the values for the Trusted Extensions databases in the name-service/switch SMF service.
      # svccfg -s name-service/switch listprop config
      config/value_authorization  astring  solaris.smf.value.name-service.switch
      config/default              astring  ldap
      ...
      config/tnrhtp               astring  "files ldap"
      config/tnrhdb               astring  "files ldap"
    2. If the values are different on different hosts, correct the values on the offending hosts.
      # svccfg -s name-service/switch setprop config/tnrhtp="files ldap"
      # svccfg -s name-service/switch setprop config/tnrhdb="files ldap"
    3. Then, restart the naming service daemon on those hosts.
      # svcadm restart name-service/switch
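
As an added example that is not part of this Oracle guide, the following Python script applies the step 1 check to captured output of svccfg -s name-service/switch listprop config from several hosts: it parses the property list, reports any host whose tnrhtp or tnrhdb lookup order differs from a reference host (or that lacks the property altogether), and assembles the corrective svccfg and svcadm commands from steps 1.2 and 1.3 as strings for review rather than running them. The host names and the captured values below are constructed.

```python
import re

# Constructed output of `svccfg -s name-service/switch listprop config` as
# captured on three hosts; "gateway" was deliberately left reading tnrhdb
# from local files only.
SWITCH_OUTPUT = {
    "hostA": """\
config/value_authorization  astring  solaris.smf.value.name-service.switch
config/default              astring  ldap
config/tnrhtp               astring  "files ldap"
config/tnrhdb               astring  "files ldap"
""",
    "hostB": """\
config/value_authorization  astring  solaris.smf.value.name-service.switch
config/default              astring  ldap
config/tnrhtp               astring  "files ldap"
config/tnrhdb               astring  "files ldap"
""",
    "gateway": """\
config/value_authorization  astring  solaris.smf.value.name-service.switch
config/default              astring  ldap
config/tnrhtp               astring  "files ldap"
config/tnrhdb               astring  files
""",
}

# The two Trusted Extensions databases whose lookup order must agree on all hosts.
TSOL_PROPS = ("config/tnrhtp", "config/tnrhdb")
PROP_RE = re.compile(r"^(config/\S+)\s+(\S+)\s+(.*)$")  # name  type  value


def parse_listprop(text):
    """Return {property: value} from listprop output; quoted values are unquoted."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if not m:
            continue
        name, _type, value = m.groups()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        props[name] = value
    return props


def find_switch_mismatches(outputs, reference):
    """Compare tnrhtp/tnrhdb on every host against the `reference` host.
    Returns {host: {property: (found, expected)}}; a property that is
    missing on a host appears with found=None."""
    expected = parse_listprop(outputs[reference])
    mismatches = {}
    for host, text in outputs.items():
        props = parse_listprop(text)
        diffs = {p: (props.get(p), expected.get(p))
                 for p in TSOL_PROPS if props.get(p) != expected.get(p)}
        if diffs:
            mismatches[host] = diffs
    return mismatches


def repair_commands(mismatches):
    """The svccfg/svcadm commands (strings only, nothing is executed) that
    would bring each offending host in line, in the order the procedure gives."""
    return {
        host: [f'svccfg -s name-service/switch setprop {p}="{exp}"'
               for p, (_found, exp) in sorted(diffs.items())]
              + ["svcadm restart name-service/switch"]
        for host, diffs in mismatches.items()
    }
```

Feed it the real listprop output of each host (one string per host) and pick a host you trust as the reference; every host it names needs the setprop and restart from steps 1.2 and 1.3 before the tnrhtp/tnrhdb lookups can be expected to agree.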
  2. Verify that each host is defined correctly by displaying the security attributes for the source, destination, and gateway hosts in the transmission.

    Use the command line to check that the network information is correct. Verify that the assignment on each host matches the assignment on the other hosts on the network. Depending on the view you want, use the tncfg command, the tninfo command, or the txzonemgr GUI.

    • Display a template definition.

      The tninfo -t command displays the labels in string and hexadecimal format.

      # tninfo -t template-name
      template: template-name
      host_type: one of cipso or UNLABELED
      doi: 1
      min_sl: minimum-label
      hex: minimum-hex-label
      max_sl: maximum-label
      hex: maximum-hex-label
    • Display a template and the hosts that are assigned to it.

      The tncfg -t command displays the labels in string format and lists the assigned hosts.

      # tncfg -t template info
      name=<template-name>
      host_type=<one of cipso or unlabeled>
      doi=1
      min_label=<minimum-label>
      max_label=<maximum-label>
      host=127.0.0.1/32            /** Localhost **/
      host=192.168.1.2/32          /** LDAP server **/
      host=192.168.1.22/32         /** Gateway to LDAP server **/
      host=192.168.113.0/24        /** Additional network **/
      host=192.168.113.100/25      /** Additional network **/
      host=2001:a08:3903:200::0/56 /** Additional network **/
    • Display the IP address and the assigned security template for a specific host.

      The tninfo -h command displays the IP address of the specified host and the name of its assigned security template.

      # tninfo -h hostname
      IP Address: IP-address
      Template: template-name

      The tncfg get host= command displays the name of the security template that defines the specified host.

      # tncfg get host=hostname|IP-address[/prefix]
      template-name
    • Display the multilevel ports (MLPs) for a zone.

      The tncfg -z command lists one MLP per line.

      # tncfg -z zone-name info [mlp_private | mlp_shared]
      mlp_private=<port/protocol-that-is-specific-to-this-zone-only>
      mlp_shared=<port/protocol-that-the-zone-shares-with-other-zones>

      The tninfo -m command lists the private MLPs in one line and the shared MLPs on a second line. The MLPs are separated by semicolons.

      # tninfo -m zone-name
      private: ports-that-are-specific-to-this-zone-only
      shared: ports-that-the-zone-shares-with-other-zones

      For a GUI display of the MLPs, use the txzonemgr command. Double-click the zone, then select Configure Multilevel Ports.
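
The following Python script is an added example, not code from this guide or from Oracle Solaris. It takes tncfg -t template info output captured from two hosts (constructed below from the template format shown above), resolves which template a given address would fall under on each host, and flags addresses whose assignment differs between hosts or is missing on one of them, as well as templates whose host_type, doi or labels are not identical everywhere, which is the cross-host comparison step 2 asks for. The resolution rule it uses, that the most specific (longest) prefix wins, is an assumption of this example modelled on the trusted network fallback mechanism; the template names cipso, admin_low and internal, the host names and the addresses are all constructed.

```python
import ipaddress
import re

# Constructed `tncfg -t <template> info` output, one dump per host; each dump
# concatenates the info for every template that host knows about.
TNCFG_DUMPS = {
    "hostA": """\
name=cipso
host_type=cipso
doi=1
min_label=ADMIN_LOW
max_label=ADMIN_HIGH
host=127.0.0.1/32       /** Localhost **/
host=192.168.1.2/32     /** LDAP server **/
host=192.168.1.22/32    /** Gateway to LDAP server **/
host=2001:a08:3903:200::0/56   /** Additional network **/
name=admin_low
host_type=unlabeled
doi=1
min_label=ADMIN_LOW
max_label=ADMIN_LOW
host=0.0.0.0/0          /** Wildcard **/
name=internal
host_type=cipso
doi=1
min_label=PUBLIC
max_label=CONFIDENTIAL : INTERNAL USE ONLY
host=192.168.113.0/24   /** Additional network **/
host=192.168.113.100/25      /** Additional network **/
""",
}
# hostB is hostA with two constructed defects: no explicit entry for the gateway
# (it falls through to the wildcard) and template "internal" carrying doi=2.
TNCFG_DUMPS["hostB"] = (
    TNCFG_DUMPS["hostA"]
    .replace("host=192.168.1.22/32    /** Gateway to LDAP server **/\n", "")
    .replace("name=internal\nhost_type=cipso\ndoi=1", "name=internal\nhost_type=cipso\ndoi=2")
)

ATTRS = ("host_type", "doi", "min_label", "max_label")
KV_RE = re.compile(r"^(\w+)=(.*?)\s*(?:/\*\*.*\*\*/)?\s*$")  # key=value [/** comment **/]


def parse_tncfg(text):
    """Return {template: {attr: value, "hosts": [ip_network, ...]}}."""
    templates, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KV_RE.match(line)
        if not m:
            raise ValueError(f"unparseable tncfg line: {raw!r}")
        key, value = m.groups()
        if key == "name":
            current = templates.setdefault(value, {"hosts": []})
        elif current is None:
            raise ValueError("attribute appears before any name= line")
        elif key == "host":
            # strict=False accepts entries such as 192.168.113.100/25 (host bits set)
            current["hosts"].append(ipaddress.ip_network(value, strict=False))
        else:
            current[key] = value
    return templates


def resolve_template(templates, address):
    """(template, network) of the most specific host= entry covering `address`,
    or None. Longest prefix wins (the assumed lookup order, see lead-in)."""
    addr = ipaddress.ip_address(address)
    best = None
    for name, tmpl in templates.items():
        for net in tmpl["hosts"]:
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (name, net)
    return best


def compare_assignments(dumps, addresses):
    """Addresses whose template differs between hosts, or is unassigned on one:
    {address: {host: template-or-None}}."""
    parsed = {h: parse_tncfg(t) for h, t in dumps.items()}
    problems = {}
    for address in addresses:
        hits = {h: resolve_template(t, address) for h, t in parsed.items()}
        per_host = {h: (hit[0] if hit else None) for h, hit in hits.items()}
        if None in per_host.values() or len(set(per_host.values())) != 1:
            problems[address] = per_host
    return problems


def compare_template_attrs(dumps):
    """Templates whose host_type/doi/labels are not identical on every host."""
    parsed = {h: parse_tncfg(t) for h, t in dumps.items()}
    diffs = {}
    for name in sorted(set().union(*(t.keys() for t in parsed.values()))):
        seen = {h: (tuple(t[name].get(a) for a in ATTRS) if name in t else None)
                for h, t in parsed.items()}
        if len(set(seen.values())) != 1:
            diffs[name] = seen
    return diffs
```

To use it on a real network, concatenate tncfg -t name info for every template on each host into one string per host and pass the source, destination and gateway addresses of the failing transmission; an address that resolves to None on some host has no covering entry there, and a template reported by compare_template_attrs is defined differently on the two sides, both of which are fixed in step 3.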

  3. Fix any incorrect information.
    1. To change or check network security information, use the trusted network administrative commands, tncfg and txzonemgr. To verify the syntax of the databases, use the tnchkdb command.

      For example, the following output shows that a template name, internal_cipso, is undefined:

      # tnchkdb
      checking /etc/security/tsol/tnrhtp ...
      checking /etc/security/tsol/tnrhdb ...
      tnchkdb: unknown template name: internal_cipso at line 49
      tnchkdb: unknown template name: internal_cipso at line 50
      tnchkdb: unknown template name: internal_cipso at line 51
      checking /etc/security/tsol/tnzonecfg ...

      The error indicates that the tncfg and txzonemgr commands were not used to create and assign the internal_cipso security template.

      To repair, replace the tnrhdb file with the original file, then use the tncfg command to create and assign security templates.

    2. To clear the kernel cache, reboot.

      At boot time, the cache is populated with database information. The SMF service, name-service/switch, determines if local or LDAP databases are used to populate the kernel.

  4. Collect transmission information to assist in debugging.
    1. Verify your routing configuration.
      # route get [ip] -secattr sl=label,doi=integer

      For details, see the route(1M) man page.

    2. View the label information in packets.
      # snoop -v

      The -v option displays the details of packet headers, including label information. This command provides a lot of detail, so you might want to restrict the packets that the command examines. For details, see the snoop(1M) man page.

    3. View the routing table entries and the security attributes on sockets.
      # netstat -aR

      The -aR option displays extended security attributes for sockets.

      # netstat -rR

      The -rR option displays routing table entries. For details, see the netstat(1M) man page.