Troubleshooting the Trusted Network (Task Map)
How to Verify That a Host's Interfaces Are Up
The following task map describes tasks to debug your network.
Use this procedure if your system does not communicate with other hosts as expected.
You must be in the global zone in a role that can check network settings. The Security Administrator role and the System Administrator role can check these settings.
The following output shows that the system has two network interfaces, hme0 and hme0:3. Neither interface is up.
# ifconfig -a
...
hme0: flags=1000843<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
         inet 192.168.0.11 netmask ffffff00 broadcast 192.168.0.255
hme0:3 flags=1000843<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
         inet 192.168.0.12 netmask ffffff00 broadcast 192.168.0.255
The following output shows that both interfaces are up.
# ifconfig hme0 up
# ifconfig -a
...
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,...
hme0:3 flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,..
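Added example (not from the Oracle documentation): a POSIX shell helper that reads ifconfig -a output in the format shown above and lists every interface whose flag list lacks UP, so the check can be scripted instead of read by eye. The two sample listings are constructed to match the output above.

```shell
# Read "ifconfig -a" text on stdin and print one line per interface
# whose <...> flag list does not contain UP.
down_interfaces() {
    awk '
        # Header lines look like "hme0: flags=1000843<BROADCAST,...> mtu 1500"
        # or "hme0:3 flags=..." (logical interface, no trailing colon).
        /flags=[0-9a-f]*</ {
            name = $1
            sub(/:$/, "", name)           # "hme0:" -> "hme0"
            flags = $0
            sub(/^[^<]*</, "", flags)     # keep text after the opening "<"
            sub(/>.*$/, "", flags)        # drop everything from ">" onward
            n = split(flags, f, ",")
            up = 0
            for (i = 1; i <= n; i++) if (f[i] == "UP") up = 1
            if (!up) print name
        }'
}

# Constructed sample in the format of the first listing above:
# neither interface carries the UP flag.
SAMPLE_DOWN='hme0: flags=1000843<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
         inet 192.168.0.11 netmask ffffff00 broadcast 192.168.0.255
hme0:3 flags=1000843<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
         inet 192.168.0.12 netmask ffffff00 broadcast 192.168.0.255'

# Constructed sample of the same interfaces after "ifconfig hme0 up".
SAMPLE_UP='hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
         inet 192.168.0.11 netmask ffffff00 broadcast 192.168.0.255
hme0:3 flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
         inet 192.168.0.12 netmask ffffff00 broadcast 192.168.0.255'

# Return 0 when every interface in the given ifconfig text is UP;
# otherwise print the down interfaces and return 1.
all_up() {
    down=$(printf '%s\n' "$1" | down_interfaces)
    [ -z "$down" ] && return 0
    printf '%s\n' "$down"
    return 1
}

# On a live system: ifconfig -a | down_interfaces
all_up "$SAMPLE_DOWN" || echo "some interfaces are not up"
```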
To debug two hosts that should be communicating but are not, you can use Trusted Extensions and Solaris debugging tools. For example, Oracle Solaris network debugging commands such as snoop and netstat are available. For details, see the snoop(1M) and netstat(1M) man pages. For commands that are specific to Trusted Extensions, see Table 2-4.
For problems with contacting labeled zones, see Managing Zones (Task Map).
For debugging NFS mounts, see How to Troubleshoot Mount Failures in Trusted Extensions.
For debugging LDAP communications, see How to Debug a Client Connection to the LDAP Server.
You must be in the global zone in a role that can check network settings. The Security Administrator role or the System Administrator role can check these settings.
Note - The tnd service is running only if the ldap service is running.
For details, see the tnd(1M) man page.
For example, at a site that uses LDAP to administer the network, the entries are similar to the following:
# Trusted Extensions
tnrhtp: files ldap
tnrhdb: files ldap
To modify these entries, the system administrator uses the Name Service Switch action. For details, see How to Start CDE Administrative Actions in Trusted Extensions. This action preserves the required DAC and MAC file permissions.
$ ldaplist -l
$ ldaplist -l hosts | grep hostname
In the Security Templates tool, check that each host is assigned to a security template that is compatible with the security template of the other host.
For an unlabeled system, check that the default label assignment is correct.
In the Trusted Network Zones tool, check that the multilevel ports (MLPs) are correctly configured.
Check that the assignment in each host's kernel cache matches the assignment on the network, and on the other host.
To get security information for the source, destination, and gateway hosts in the transmission, use the tninfo command.
$ tninfo -h hostname
IP Address: IP-address
Template: template-name
$ tninfo -t template-name
template: template-name
host_type: one of CIPSO or UNLABELED
doi: 1
min_sl: minimum-label
hex: minimum-hex-label
max_sl: maximum-label
hex: maximum-hex-label
$ tninfo -m zone-name
private: ports-that-are-specific-to-this-zone-only
shared: ports-that-the-zone-shares-with-other-zones
To change or check network security information, use the Solaris Management Console tools. For details, see How to Open the Trusted Networking Tools.
To update the kernel cache, restart the tnctl service on the host whose information is out of date. Allow some time for this process to complete. Then, refresh the tnd service. If the refresh fails, try restarting the tnd service. For details, see How to Synchronize the Kernel Cache With Trusted Network Databases.
Note - The tnd service is running only if the ldap service is running.
Rebooting clears the kernel cache. At boot time, the cache is populated with database information. The nsswitch.conf file determines whether local databases or LDAP databases are used to populate the kernel.
Use the get subcommand to the route command.
$ route get [ip] -secattr sl=label,doi=integer
For details, see the route(1M) man page.
Use the snoop -v command.
The -v option displays the details of packet headers, including label information. This command provides a lot of detail, so you might want to restrict the packets that the command examines. For details, see the snoop(1M) man page.
Use the -R option with the netstat -a|-r command.
The -aR option displays extended security attributes for sockets. The -rR option displays routing table entries. For details, see the netstat(1M) man page.
Misconfiguration of the client entry on the LDAP server can prevent the client from communicating with the server. Similarly, misconfiguration of files on the client can prevent communication. Check the following entries and files when attempting to debug a client-server communication problem.
You must be in the Security Administrator role in the global zone on the LDAP client.
# tninfo -h LDAP-server
# route get LDAP-server
# tninfo -h gateway-to-LDAP-server
If a remote host template assignment is incorrect, assign the host to the correct template by using the Security Templates tool in the Solaris Management Console.
Your system, the interfaces for the labeled zones on your system, the gateway to the LDAP server, and the LDAP server must be listed in the /etc/hosts file. You might have more entries.
Look for duplicate entries. Remove any entries that are labeled zones on other systems. For example, if LServer is the name of your LDAP server, and LServer-zones is the shared interface for the labeled zones, remove LServer-zones from /etc/hosts.
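Added example (not from the Oracle documentation): a POSIX shell check for the /etc/hosts step above. It verifies that every required name (local host, labeled-zone interface, gateway, LDAP server) is present and reports any hostname or alias listed on more than one line. The sample hosts file and its names are constructed placeholders.

```shell
# check_hosts_file FILE REQUIRED-NAME...
# Exit 0 when every required name is present and no name is duplicated;
# otherwise print MISSING:/DUPLICATE: lines and exit 1.
check_hosts_file() {
    file=$1; shift
    rc=0
    # Drop comments and blank lines; what remains is "IP name [alias...]".
    entries=$(sed 's/#.*//' "$file" | awk 'NF >= 2')
    for name in "$@"; do
        # Accept the name as canonical hostname or as an alias.
        count=$(printf '%s\n' "$entries" | awk -v n="$name" \
            '{ for (i = 2; i <= NF; i++) if ($i == n) c++ } END { print c + 0 }')
        if [ "$count" -eq 0 ]; then
            echo "MISSING: $name"; rc=1
        fi
    done
    # Any hostname or alias that appears on more than one line is a duplicate.
    dups=$(printf '%s\n' "$entries" | awk \
        '{ for (i = 2; i <= NF; i++) seen[$i]++ } END { for (h in seen) if (seen[h] > 1) print h }' | sort)
    for h in $dups; do
        echo "DUPLICATE: $h"; rc=1
    done
    return $rc
}

# Constructed sample hosts file: the local system (client), its labeled-zone
# interface (client-zones), the gateway and the LDAP server (LServer) are all
# listed, but LServer appears twice.
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1      localhost
192.168.0.11   client        client.example.com   # this system
192.168.0.12   client-zones
192.168.0.1    gateway
192.168.1.5    LServer
192.168.1.5    LServer
EOF

# On a live client: check_hosts_file /etc/hosts my-host my-host-zones gateway LServer
check_hosts_file "$SAMPLE_HOSTS" client client-zones gateway LServer \
    || echo "/etc/hosts needs attention"
```

The script cannot tell which entries belong to labeled zones of other systems; that judgement still has to be made by hand, as the step describes.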
# more resolv.conf
search list of domains
domain domain-name
nameserver IP-address
...
nameserver IP-address
# ldaplist -l tnrhdb client-IP-address
# ldaplist -l tnrhdb client-zone-IP-address
# ldapclient list
...
NS_LDAP_SERVERS= LDAP-server-address
# zlogin zone-name1 ping LDAP-server-address
LDAP-server-address is alive
# zlogin zone-name2 ping LDAP-server-address
LDAP-server-address is alive
...
# zlogin zone-name1
# ldapclient init \
  -a profileName=profileName \
  -a domainName=domain \
  -a proxyDN=proxyDN \
  -a proxyPassword=password LDAP-Server-IP-Address
# exit
# zlogin zone-name2
...
If you are using Oracle Solaris ZFS, halt the zones and lock the file systems before rebooting. If you are not using ZFS, you can reboot without halting the zones and locking the file systems.
# zoneadm list
# zoneadm -z zone-name halt
# lockfs -fa
# reboot