Oracle Solaris Trusted Extensions Configuration and Administration     Oracle Solaris 11 Express 11/10

Troubleshooting the Trusted Network (Task Map)

The following task map describes tasks to debug your network.

Task: Determine why two hosts cannot communicate.
  Description: Checks that the interfaces on a single system are up.
  For Instructions: How to Verify That a Host's Interfaces Are Up

  Description: Uses debugging tools when two hosts cannot communicate with each other.
  For Instructions: How to Debug the Trusted Extensions Network

Task: Determine why an LDAP client cannot reach the LDAP server.
  Description: Troubleshoots the loss of connection between an LDAP server and a client.
  For Instructions: How to Debug a Client Connection to the LDAP Server

How to Verify That a Host's Interfaces Are Up

Use this procedure if your system does not communicate with other hosts as expected.

Before You Begin

You must be in the global zone in a role that can check network settings. The Security Administrator role and the System Administrator role can check these settings.

  1. Verify that the system's network interface is up.

    The following output shows that the system has two network interfaces, bge0 and bge0:0. Neither interface is up.

    # ipadm show-addr
    ...
    ADDROBJ          TYPE      STATE        ADDR
    bge0/static1     static    disabled     192.168.0.11/24
    bge0:0/static1   static    disabled     192.168.0.12/24
  2. If the interface is not up, bring it up and then verify that it is up.

    The following output shows that both interfaces are up.

    # ipadm enable-if bge0
    # ipadm show-addr
    ...
    ADDROBJ          TYPE      STATE        ADDR
    bge0/static1     static    ok           192.168.0.11/24
    bge0:0/static1   static    ok           192.168.0.12/24

How to Debug the Trusted Extensions Network

To debug two hosts that should be communicating but are not, you can use Trusted Extensions and Oracle Solaris debugging tools. For example, Oracle Solaris network debugging commands such as snoop and netstat are available. For details, see the snoop(1M) and netstat(1M) man pages. For commands that are specific to Trusted Extensions, see Appendix D, List of Trusted Extensions Man Pages.

Before You Begin

You must be in the global zone in a role that can check network settings. The Security Administrator role or the System Administrator role can check these settings.

  1. Check that the hosts that cannot communicate are using the same naming service.
    1. On each host, check the nsswitch.conf file.
      1. Check the values for the Trusted Extensions databases in the nsswitch.conf file.
      2. If the values are different, correct the nsswitch.conf file.
  2. Check that each host is defined correctly.

    Use the command line to check that the network information in the kernel is current. Check that the assignment in each host's kernel cache matches the assignment on the other hosts on the network.

    To get security information for the source, destination, and gateway hosts in the transmission, use the tninfo command.

    • Display the IP address and the assigned security template for a given host.
      $ tninfo -h hostname
      IP Address: IP-address
      Template: template-name
    • Display a template definition.
      $ tninfo -t template-name
      template: template-name
      host_type: one of CIPSO or UNLABELED
      doi: 1
      min_sl: minimum-label
      hex: minimum-hex-label
      max_sl: maximum-label
      hex: maximum-hex-label
    • Display the MLPs for a zone.
      $ tninfo -m zone-name
      private: ports-that-are-specific-to-this-zone-only
      shared: ports-that-the-zone-shares-with-other-zones
  3. Fix any incorrect information.
    • To change or check network security information, use the trusted network databases. To verify the syntax of the databases, use the tnchkdb command.

    • To update the kernel cache, restart the tnctl service on the host whose information is out of date. Allow some time for this process to complete.

      Rebooting clears the kernel cache. At boot time, the cache is populated with database information. The nsswitch.conf file determines which databases, local files or LDAP, are used to populate the kernel cache.

  4. Collect transmission information to help you in debugging.
    • Verify your routing configuration.

      Use the get subcommand to the route command.

      $ route get [ip] -secattr sl=label,doi=integer

      For details, see the route(1M) man page.

    • View the label information in packets.

      Use the snoop -v command.

      The -v option displays the details of packet headers, including label information. This command provides a lot of detail, so you might want to restrict the packets that the command examines. For details, see the snoop(1M) man page.

    • View the routing table entries and the security attributes on sockets.

      Use the -R option with the netstat -a|-r command.

      The -aR option displays extended security attributes for sockets. The -rR option displays routing table entries. For details, see the netstat(1M) man page.
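Step 2 asks you to confirm that the template definition in each host's kernel cache matches the definition on the other hosts. The following added example, which is not part of the Oracle documentation, parses `tninfo -t` listings captured on two hosts and reports the attributes that differ; the two listings and their label values are constructed for illustration.

```python
def parse_tninfo_template(text):
    """Parse `tninfo -t` output into a dict; the two `hex:` lines are keyed
    min_hex/max_hex from the min_sl/max_sl line that precedes each."""
    fields = {}
    last_label = None
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "hex":
            key = "min_hex" if last_label == "min_sl" else "max_hex"
        elif key in ("min_sl", "max_sl"):
            last_label = key
        fields[key] = value
    return fields

def template_mismatches(local, remote):
    """Return the attribute names whose values differ between two parsed
    template definitions; an attribute missing on one side also counts."""
    keys = sorted(set(local) | set(remote))
    return [key for key in keys if local.get(key) != remote.get(key)]

# Constructed sample listings (not captured from a real system): both hosts
# report a template named "cipso", but the second host was configured with a
# different DOI and a narrower maximum label, so the hosts cannot interoperate.
HOST_A_LISTING = """\
template: cipso
host_type: CIPSO
doi: 1
min_sl: ADMIN_LOW
hex: 0x00000000-00-00
max_sl: ADMIN_HIGH
hex: 0x7fffffff-ff-ff
"""
HOST_B_LISTING = """\
template: cipso
host_type: CIPSO
doi: 2
min_sl: ADMIN_LOW
hex: 0x00000000-00-00
max_sl: CONFIDENTIAL
hex: 0x0004-08-48
"""

if __name__ == "__main__":
    diffs = template_mismatches(parse_tninfo_template(HOST_A_LISTING),
                                parse_tninfo_template(HOST_B_LISTING))
    print("mismatched attributes:", ", ".join(diffs) or "none")
```

Any attribute the script reports is one to correct in tnrhtp on the host whose definition is out of date, after which the kernel cache is refreshed as described in step 3.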

How to Debug a Client Connection to the LDAP Server

Misconfiguration of the client entry on the LDAP server can prevent the client from communicating with the server. Similarly, misconfiguration of files on the client can prevent communication. Check the following entries and files when attempting to debug a client-server communication problem.

Before You Begin

You must be in the Security Administrator role in the global zone on the LDAP client.

  1. Check that the remote host template for the LDAP server and for the gateway to the LDAP server are correct.
    # tninfo -h LDAP-server
    # route get LDAP-server
    # tninfo -h gateway-to-LDAP-server

    If a remote host template assignment is incorrect, assign the host to the correct template.

  2. Check and correct the /etc/hosts file.

    Your system, the interfaces for the labeled zones on your system, the gateway to the LDAP server, and the LDAP server must be listed in the file. You might have more entries.

    Look for duplicate entries. Remove any entries that are labeled zones on other systems. For example, if LServer is the name of your LDAP server, and LServer-zones is the shared interface for the labeled zones, remove LServer-zones from /etc/hosts.

  3. If you are using DNS, check and correct the entries in the resolv.conf file.
    # more resolv.conf
    search list of domains
    domain domain-name
    nameserver IP-address
    ...
    nameserver IP-address
  4. Check that the tnrhdb and tnrhtp entries in the nsswitch.conf file are accurate.
  5. Check that the client is correctly configured on the server.
    # ldaplist -l tnrhdb client-IP-address
  6. Check that the interfaces for your labeled zones are correctly configured on the LDAP server.
    # ldaplist -l tnrhdb client-zone-IP-address
  7. Verify that you can ping the LDAP server from all currently running zones.
    # ldapclient list
    ...
    NS_LDAP_SERVERS= LDAP-server-address
    # zlogin zone-name1 ping LDAP-server-address
    LDAP-server-address is alive
    # zlogin zone-name2 ping LDAP-server-address
    LDAP-server-address is alive
    ...
  8. Configure LDAP and reboot.
    1. For the procedure, see Make the Global Zone an LDAP Client in Trusted Extensions.
    2. In every labeled zone, re-establish the zone as a client of the LDAP server.
      # zlogin zone-name1
      # ldapclient init \
      -a profileName=profileName \
      -a domainName=domain \
      -a proxyDN=proxyDN \
      -a proxyPassword=password LDAP-Server-IP-Address
      # exit
      # zlogin zone-name2 ...
    3. Halt all zones, lock the file systems, and reboot.
      # zoneadm list
      # zoneadm -z zone-name halt
      # lockfs -fa
      # reboot