Oracle Solaris Trusted Extensions Administrator's Procedures

Procedure: How to Synchronize the Kernel Cache With Trusted Network Databases

When the kernel has not been updated with trusted network database information, you have several ways to update the kernel cache. The Solaris Management Console runs the appropriate update command automatically when you use the Security Templates tool or the Trusted Network Zones tool.

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. To synchronize the kernel cache with the trusted network databases, run one of the following commands:

    • Restart the tnctl service.

      Caution – Do not use this method on systems that obtain their trusted network database information from an LDAP server. The local database information would overwrite the information that is obtained from the LDAP server.

      $ svcadm restart svc:/network/tnctl

      This command reads all information from the local trusted network databases into the kernel.

    • Update the kernel cache for your recently added entries.

      $ tnctl -h hostname

      This command reads only the information for the chosen option into the kernel. For details about the options, see Example 13–17 and the tnctl(1M) man page.

    • Modify the tnd service.

      Note – The tnd service is running only if the ldap service is running.

      • Change the tnd polling interval.

        This does not update the kernel cache by itself. However, you can shorten the polling interval so that the kernel cache is updated more frequently. For details, see the example in the tnd(1M) man page.

      • Refresh the tnd service.

        This Service Management Facility (SMF) command triggers an immediate update of the kernel with recent changes to the trusted network databases.

        $ svcadm refresh svc:/network/tnd

      • Restart the tnd service by using SMF.

        $ svcadm restart svc:/network/tnd

        Caution – Avoid running the tnd command directly to restart the daemon. Doing so can interrupt communications that are currently succeeding.



Example 13–17 Updating the Kernel With Your Latest tnrhdb Entries

In this example, the administrator has added three addresses to the local tnrhdb database. First, the administrator removed the 0.0.0.0 wildcard entry.


$ tnctl -d -h 0.0.0.0:admin_low

Then, the administrator views the format of the final three entries in the /etc/security/tsol/tnrhdb database:


$ tail /etc/security/tsol/tnrhdb
#\:\:0:admin_low
127.0.0.1:cipso
#\:\:1:cipso
192.168.103.5:admin_low
192.168.103.0:cipso
0.0.0.0/32:admin_low

Then, the administrator updates the kernel cache:


$ tnctl -h 192.168.103.5
$ tnctl -h 192.168.103.0
$ tnctl -h 0.0.0.0/32

Finally, the administrator verifies that the kernel cache is updated. The output for the first entry is similar to the following:


$ tninfo -h 192.168.103.5
IP Address: 192.168.103.5
Template: admin_low


Example 13–18 Updating Network Information in the Kernel

In this example, the administrator updates the trusted network with a public print server, and then checks that the kernel settings are correct.


$ tnctl -h public-print-server
$ tninfo -h public-print-server
IP Address: 192.168.103.55
Template: PublicOnly
$ tninfo -t PublicOnly
==================================
Remote Host Template Table Entries
----------------------------------
template: PublicOnly
host_type: CIPSO
doi: 1
min_sl: PUBLIC
hex: 0x0002-08-08
max_sl: PUBLIC
hex: 0x0002-08-08