JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Trusted Extensions Configuration and Administration     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information


Part I Initial Configuration of Trusted Extensions

1.  Security Planning for Trusted Extensions

2.  Configuration Roadmap for Trusted Extensions

3.  Adding the Trusted Extensions Feature to Oracle Solaris (Tasks)

4.  Configuring Trusted Extensions (Tasks)

5.  Configuring LDAP for Trusted Extensions (Tasks)

Part II Administration of Trusted Extensions

6.  Trusted Extensions Administration Concepts

7.  Trusted Extensions Administration Tools

8.  Security Requirements on a Trusted Extensions System (Overview)

9.  Performing Common Tasks in Trusted Extensions

10.  Users, Rights, and Roles in Trusted Extensions (Overview)

11.  Managing Users, Rights, and Roles in Trusted Extensions (Tasks)

12.  Remote Administration in Trusted Extensions (Tasks)

13.  Managing Zones in Trusted Extensions

14.  Managing and Mounting Files in Trusted Extensions

15.  Trusted Networking (Overview)

16.  Managing Networks in Trusted Extensions (Tasks)

Labeling Hosts and Networks (Tasks)

Viewing Existing Security Templates (Tasks)

How to View Security Templates

How to Determine If You Need Site-Specific Security Templates

How to Add Hosts to the System's Known Network

Creating Security Templates (Tasks)

How to Create Security Templates

Adding Hosts to Security Templates (Tasks)

How to Add a Host to a Security Template

How to Add a Range of Hosts to a Security Template

Limiting the Hosts That Can Reach the Trusted Network (Tasks)

How to Limit the Hosts That Can Be Contacted on the Trusted Network

Configuring Routes and Multilevel Ports (Tasks)

How to Add Default Routes

How to Create a Multilevel Port for a Zone

Configuring Labeled IPsec (Task Map)

How to Apply IPsec Protections in a Multilevel Trusted Extensions Network

How to Configure a Tunnel Across an Untrusted Network

Troubleshooting the Trusted Network (Task Map)

How to Verify That a System's Interfaces Are Up

How to Debug the Trusted Extensions Network

How to Debug a Client's Connection to the LDAP Server

17.  Trusted Extensions and LDAP (Overview)

18.  Multilevel Mail in Trusted Extensions (Overview)

19.  Managing Labeled Printing (Tasks)

20.  Devices in Trusted Extensions (Overview)

21.  Managing Devices for Trusted Extensions (Tasks)

22.  Trusted Extensions Auditing (Overview)

23.  Software Management in Trusted Extensions

A.  Site Security Policy

Creating and Managing a Security Policy

Site Security Policy and Trusted Extensions

Computer Security Recommendations

Physical Security Recommendations

Personnel Security Recommendations

Common Security Violations

Additional Security References

B.  Configuration Checklist for Trusted Extensions

Checklist for Configuring Trusted Extensions

C.  Quick Reference to Trusted Extensions Administration

Administrative Interfaces in Trusted Extensions

Oracle Solaris Interfaces Extended by Trusted Extensions

Tighter Security Defaults in Trusted Extensions

Limited Options in Trusted Extensions

D.  List of Trusted Extensions Man Pages

Trusted Extensions Man Pages in Alphabetical Order

Oracle Solaris Man Pages That Are Modified by Trusted Extensions



Troubleshooting the Trusted Network (Task Map)

The following task map describes tasks to help you debug your Trusted Extensions network.

For Instructions
Determine why a system and a remote host cannot communicate.
Checks that the interfaces on a single system are up.
Uses debugging tools when a system and a remote host cannot communicate with each other.
Determine why an LDAP client cannot reach the LDAP server.
Troubleshoots the loss of connection between an LDAP server and a client.

How to Verify That a System's Interfaces Are Up

Use this procedure if your system does not communicate with other hosts as expected.

Before You Begin

You must be in the global zone in a role that can check network attribute values. The Security Administrator role and the System Administrator role can check these values.

  1. Verify that the system's network interface is up.

    You can use the Labeled Zone Manager GUI or the ipadm command to display the system's interfaces.

    • Open the Labeled Zone Manager, then double-click the zone of interest.
      # txzonemgr &

      Select Configure Network Interfaces and verify that the value of the Status column for the zone is Up.

    • Or, use the ipadm show-addr command.
      # ipadm show-addr
      ADDROBJ          TYPE      STATE        ADDR
      lo0/v4           static    ok 
      net0/_a          dhcp      down
      net0:0/_a        dhcp      down

      The value of the net0 interfaces should be ok. For more information about the ipadm command, see the ipadm(1M) man page.

  2. If the interface is not up, bring it up.
    1. In the Labeled Zone Manager GUI, double-click the zone whose interface is down.
    2. Select Configure Network Interfaces.
    3. Double-click the interface whose state is Down.
    4. Select Bring Up, then OK.
    5. Click Cancel or OK.

How to Debug the Trusted Extensions Network

To debug two hosts that should be communicating but are not, you can use Trusted Extensions and Oracle Solaris debugging tools. For example, Oracle Solaris network debugging commands such as snoop and netstat are available. For details, see the snoop(1M) and netstat(1M) man pages. For commands that are specific to Trusted Extensions, see Appendix D, List of Trusted Extensions Man Pages.

Before You Begin

You must be in the global zone in a role that can check network attribute values. The Security Administrator role or the System Administrator role can check these values. Only the root role can edit files.

  1. Check that the hosts that cannot communicate are using the same naming service.
    1. On each system, check the values for the Trusted Extensions databases in the name-service/switch SMF service.
      # svccfg -s name-service/switch listprop config
      config/value_authorization  astring
      config/default              astring  ldap
      config/tnrhtp               astring  "files ldap"
      config/tnrhdb               astring  "files ldap"
    2. If the values are different on different hosts, correct the values on the offending hosts.
      # svccfg -s name-service/switch setprop config/tnrhtp="files ldap"
      # svccfg -s name-service/switch setprop config/tnrhdb="files ldap"
    3. Then, restart the naming service daemon on those hosts.
      # svcadm restart name-service/switch
  2. Verify that each host is defined correctly by displaying the security attributes for the source, destination, and gateway hosts in the transmission.

    Use the command line to check that the network information is correct. Verify that the assignment on each host matches the assignment on the other hosts on the network. Depending on the view you want, use the tncfg command, the tninfo command, or the txzonemgr GUI.

    • Display a template definition.

      The tninfo -t command displays the labels in string and hexadecimal format.

      $ tninfo -t template-name
      template: template-name
      host_type: one of cipso or UNLABELED
      doi: 1
      min_sl: minimum-label
      hex: minimum-hex-label
      max_sl: maximum-label
      hex: maximum-hex-label
    • Display a template and the hosts that are assigned to it.

      The tncfg -t command displays the labels in string format and lists the assigned hosts.

      $ tncfg -t template info
         host_type=<one of cipso or unlabeled>
         host=       /** Localhost **/
         host=     /** LDAP server **/
         host=    /** Gateway to LDAP server **/
         host=   /** Additional network **/
         host=      /** Additional network **/
         host=2001:a08:3903:200::0/56/** Additional network **/
    • Display the IP address and the assigned security template for a specific host.

      The tninfo -h command displays the IP address of the specified host and the name of its assigned security template.

      $ tninfo -h hostname
      IP Address: IP-address
      Template: template-name

      The tncfg get host= command displays the name of the security template that defines the specified host.

      $ tncfg get host=hostname|IP-address[/prefix]
    • Display the multilevel ports (MLP)s for a zone.

      The tncfg -z command lists one MLP per line.

      $ tncfg -z zone-name info [mlp_private | mlp_shared]

      The tninfo -m command lists the private MLPs in one line and the shared MLPs on a second line. The MLPs are separated by semicolons.

      $ tninfo -m zone-name
      private: ports-that-are-specific-to-this-zone-only
      shared: ports-that-the-zone-shares-with-other-zones

      For a GUI display of the MLPs, use the txzonemgr command. Double-click the zone, then select Configure Multilevel Ports.

  3. Fix any incorrect information.
    1. To change or check network security information, use the trusted network administrative commands, tncfg and txzonemgr. To verify the syntax of the databases, use the tnchkdb command.

      For example, the following output shows that a template name, internal_cipso, is undefined:

      # tnchkdb
           checking /etc/security/tsol/tnrhtp ...
           checking /etc/security/tsol/tnrhdb ...
      tnchkdb: unknown template name: internal_cipso at line 49
      tnchkdb: unknown template name: internal_cipso at line 50
      tnchkdb: unknown template name: internal_cipso at line 51
           checking /etc/security/tsol/tnzonecfg ...

      The error indicates that the tncfg and txzonemgr commands were not used to create and assign the internal_cipso security template.

      To repair, replace the tnrhdb file with the original file, then use the tncfg command to create and assign security templates.

    2. To clear the kernel cache, reboot.

      At boot time, the cache is populated with database information. The SMF service, name-service/switch, determines if local or LDAP databases are used to populate the kernel.

  4. Collect transmission information to assist in debugging.
    1. Verify your routing configuration.
      $ route get [ip] -secattr sl=label,doi=integer

      For details, see the route(1M) man page.

    2. View the label information in packets.
      $ snoop -v

      The -v option displays the details of packet headers, including label information. This command provides a lot of detail, so you might want to restrict the packets that the command examines. For details, see the snoop(1M) man page.

    3. View the routing table entries and the security attributes on sockets.
      $ netstat -aR

      The -aR option displays extended security attributes for sockets.

      $ netstat -rR

      The -rR option displays routing table entries. For details, see the netstat(1M) man page.

How to Debug a Client's Connection to the LDAP Server

Misconfiguration of a client entry on the LDAP server can prevent the client from communicating with the server. Similarly, misconfiguration of files on the client can prevent communication. Check the following entries and files when attempting to debug a client-server communication problem.

Before You Begin

You must be in the Security Administrator role in the global zone on the LDAP client.

  1. Check that the remote host template for the LDAP server and for the gateway to the LDAP server are correct.
    1. Use the tncfg or tninfo command to view information.
      # tncfg get host=LDAP-server
      # tncfg get host=gateway-to-LDAP-server
      # tninfo -h LDAP-server
      # tninfo -h gateway-to-LDAP-server
    2. Determine the route to the server.
      # route get LDAP-server

    If a template assignment is incorrect, add the host to the correct template.

  2. Check and if necessary, correct the /etc/hosts file.

    Your system, the interfaces for the labeled zones on your system, the gateway to the LDAP server, and the LDAP server must be listed in the file. You might have more entries.

    Look for duplicate entries. Remove any entries that are labeled zones on other systems. For example, if Lserver is the name of your LDAP server, and LServer-zones is the shared interface for the labeled zones, remove LServer-zones from the /etc/hosts file.

  3. If you are using DNS, check the configuration of the svc:/network/dns/client service.
    # svccfg -s dns/client listprop config
    config                       application
    config/value_authorization   astring
    config/nameserver            astring
  4. To change the values, use the svccfg command.
    # svccfg -s dns/client setprop config/search = astring:
    # svccfg -s dns/client setprop config/nameserver = net_address:
    # svccfg -s dns/client:default refresh
    # svccfg -s dns/client:default validate
    # svcadm enable dns/client
    # svcadm refresh name-service/switch
    # nslookup some-system
  5. Verify that the tnrhdb and tnrhtp entries in the name-service/switch service are accurate.

    In the following output, the tnrhdb and tnrhtp entries are not listed. Therefore, these databases are using the default, files ldap naming services, in that order.

    # svccfg -s name-service/switch listprop config
    config                       application
    config/value_authorization   astring
    config/default               astring       "files ldap"
    config/host                  astring       "files dns"
    config/netgroup              astring       ldap
  6. Check that the client is correctly configured on the server.
    # ldaplist -l tnrhdb client-IP-address
  7. Check that the interfaces for your labeled zones are correctly configured on the LDAP server.
    # ldaplist -l tnrhdb client-zone-IP-address
  8. Verify that you can contact the LDAP server from all currently running zones.
    # ldapclient list
    NS_LDAP_SERVERS= LDAP-server-address
    # zlogin zone-name1 ping LDAP-server-address
    LDAP-server-address is alive
    # zlogin zone-name2 ping LDAP-server-address
    LDAP-server-address is alive
  9. Configure LDAP and reboot.
    1. For the procedure, see Make the Global Zone an LDAP Client in Trusted Extensions.
    2. In every labeled zone, re-establish the zone as a client of the LDAP server.
      # zlogin zone-name1
      # ldapclient init \
      -a profileName=profileName \
      -a domainName=domain \
      -a proxyDN=proxyDN \
      -a proxyPassword=password LDAP-Server-IP-Address
      # exit
      # zlogin zone-name2 ...
    3. Halt all zones and reboot.
      # zoneadm list
      # zoneadm -z zone1 halt
      # zoneadm -z zone2 halt
      # reboot

      You could instead use the txzonemgr GUI to halt the labeled zones.