Oracle Solaris Trusted Extensions Configuration and Administration, Oracle Solaris 11 Express 11/10
Troubleshooting the Trusted Network (Task Map)
The following task map describes tasks to debug your network.

How to Verify That a Host's Interfaces Are Up

Use this procedure if your system does not communicate with other hosts as expected.
You must be in the global zone in a role that can check network settings. The Security Administrator role and the System Administrator role can check these settings.
The following output shows that the system has two network interfaces, bge0 and bge0:0. Neither interface is up.

    # ipadm show-addr
    ...
    ADDROBJ          TYPE     STATE     ADDR
    bge0/static1     static   disabled  192.168.0.11/24
    bge0:0/static1   static   disabled  192.168.0.12/24
The following output shows that both interfaces are up.
    # ipadm enable-if bge0
    # ipadm show-addr
    ...
    ADDROBJ          TYPE     STATE  ADDR
    bge0/static1     static   ok     192.168.0.11/24
    bge0:0/static1   static   ok     192.168.0.12/24
To debug two hosts that should be communicating but are not, you can use Trusted Extensions and Oracle Solaris debugging tools. For example, Oracle Solaris network debugging commands such as snoop and netstat are available. For details, see the snoop(1M) and netstat(1M) man pages. For commands that are specific to Trusted Extensions, see Appendix D, List of Trusted Extensions Man Pages.
For problems with contacting labeled zones, see Managing Zones (Task Map).
For debugging NFS mounts, see How to Troubleshoot Mount Failures in Trusted Extensions.
You must be in the global zone in a role that can check network settings. The Security Administrator role or the System Administrator role can check these settings.
Use the command line to check that the network information in the kernel is current. Check that the assignment in each host's kernel cache matches the assignment on the other hosts on the network.
To get security information for the source, destination, and gateway hosts in the transmission, use the tninfo command.
    $ tninfo -h hostname
    IP Address: IP-address
    Template: template-name

    $ tninfo -t template-name
    template: template-name
    host_type: one of CIPSO or UNLABELED
    doi: 1
    min_sl: minimum-label
    hex: minimum-hex-label
    max_sl: maximum-label
    hex: maximum-hex-label

    $ tninfo -m zone-name
    private: ports-that-are-specific-to-this-zone-only
    shared: ports-that-the-zone-shares-with-other-zones
To change or check network security information, use the trusted network databases. To verify the syntax of the databases, use the tnchkdb command.
To update the kernel cache, restart the tnctl service on the host whose information is out of date. Allow some time for this process to complete.
Rebooting clears the kernel cache. At boot time, the cache is populated with database information. The nsswitch.conf file determines that local databases are used to populate the kernel.
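To carry out the comparison this step describes on captured tninfo output, the following added shell example (not from the Oracle manual) extracts the Template, host_type and doi fields from tninfo -h and tninfo -t transcripts taken on two systems and reports every attribute on which their kernel caches disagree; the gateway address, the template names and the hex label values are constructed samples.

```shell
#!/bin/sh
# Added example, not from the Oracle manual: compare the security attributes
# two systems' kernel caches report for the same peer, using the "tninfo -h"
# and "tninfo -t" output formats shown above. All transcripts are constructed
# samples; on a live system pass the captured tninfo output from each system.

# tn_field TRANSCRIPT FIELD -> value of the first "FIELD: value" line.
tn_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2; exit }'
}

# Constructed "tninfo -h gateway" output from the local host and the peer.
LOCAL_H='IP Address: 192.168.0.1
Template: cipso'
PEER_H='IP Address: 192.168.0.1
Template: cipso_doi2'
# Constructed "tninfo -t" output for each of those templates.
LOCAL_T='template: cipso
host_type: CIPSO
doi: 1
min_sl: ADMIN_LOW
hex: 0x0000000000000000
max_sl: ADMIN_HIGH
hex: 0x7fffffffffffffff'
PEER_T='template: cipso_doi2
host_type: CIPSO
doi: 2
min_sl: ADMIN_LOW
hex: 0x0000000000000000
max_sl: ADMIN_HIGH
hex: 0x7fffffffffffffff'

# compare_host_attrs LOCAL_H LOCAL_T PEER_H PEER_T -> 0 when both caches agree
# on template, host_type and doi; otherwise print each difference, return 1.
compare_host_attrs() {
    rc=0
    lt=$(tn_field "$1" Template); pt=$(tn_field "$3" Template)
    [ "$lt" = "$pt" ] || { echo "Template differs: $lt vs $pt"; rc=1; }
    for f in host_type doi; do
        lv=$(tn_field "$2" "$f"); pv=$(tn_field "$4" "$f")
        [ "$lv" = "$pv" ] || { echo "$f differs: $lv vs $pv"; rc=1; }
    done
    return $rc
}

if compare_host_attrs "$LOCAL_H" "$LOCAL_T" "$PEER_H" "$PEER_T"; then
    echo "kernel caches agree"
else
    echo "kernel caches disagree: synchronize the out-of-date host"
fi
```

A reported difference points at the host whose cache is stale, which is the one on which to restart the tnctl service as described above.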
Use the get subcommand of the route command.

    $ route get [ip] -secattr sl=label,doi=integer
For details, see the route(1M) man page.
Use the snoop -v command.
The -v option displays the details of packet headers, including label information. This command provides a lot of detail, so you might want to restrict the packets that the command examines. For details, see the snoop(1M) man page.
Use the -R option with the netstat -a|-r command.
The -aR option displays extended security attributes for sockets. The -rR option displays routing table entries. For details, see the netstat(1M) man page.
Misconfiguration of the client entry on the LDAP server can prevent the client from communicating with the server. Similarly, misconfiguration of files on the client can prevent communication. Check the following entries and files when attempting to debug a client-server communication problem.
You must be in the Security Administrator role in the global zone on the LDAP client.
    # tninfo -h LDAP-server
    # route get LDAP-server
    # tninfo -h gateway-to-LDAP-server
If a remote host template assignment is incorrect, assign the host to the correct template.
Your system, the interfaces for the labeled zones on your system, the gateway to the LDAP server, and the LDAP server must be listed in the /etc/hosts file. You might have more entries.
Look for duplicate entries. Remove any entries that are labeled zones on other systems. For example, if LServer is the name of your LDAP server, and LServer-zones is the shared interface for the labeled zones, remove LServer-zones from /etc/hosts.
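The duplicate-entry check described in this step, as an added shell example that is not part of the Oracle manual: it lists every name and every address that occurs more than once in an /etc/hosts-style file; the file contents, host names and addresses are a constructed sample.

```shell
#!/bin/sh
# Added example, not from the Oracle manual: list the names and addresses that
# occur more than once in an /etc/hosts-style file, the duplicate check the
# step above calls for. The file below is a constructed sample; on a live
# client run: hosts_duplicates /etc/hosts

# hosts_duplicates FILE -> one line per name or address listed more than once.
hosts_duplicates() {
    awk '
        { sub(/#.*/, "")                 # drop comments
          if (NF < 2) next               # skip blank lines
          addr[$1]++                     # first column is the address
          for (i = 2; i <= NF; i++) name[$i]++   # remaining columns are names
        }
        END {
          for (a in addr) if (addr[a] > 1) print "address " a " listed " addr[a] " times"
          for (n in name) if (name[n] > 1) print "name " n " listed " name[n] " times"
        }' "$1" | sort
}

# Constructed sample: LServer appears twice and client-zones is mapped to
# two addresses, so both should be reported (the temporary file is kept
# so that the function can be called again on it).
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
# constructed sample, not a real configuration
127.0.0.1      localhost
192.168.0.11   client client-zones
192.168.0.12   client-zones
192.168.0.1    gateway
192.168.0.5    LServer
192.168.0.6    LServer-zones
192.168.0.5    LServer
EOF

hosts_duplicates "$SAMPLE_HOSTS"
```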
    # more resolv.conf
    search list of domains
    domain domain-name
    nameserver IP-address
    ...
    nameserver IP-address

    # ldaplist -l tnrhdb client-IP-address

    # ldaplist -l tnrhdb client-zone-IP-address

    # ldapclient list
    ...
    NS_LDAP_SERVERS= LDAP-server-address
    # zlogin zone-name1 ping LDAP-server-address
    LDAP-server-address is alive
    # zlogin zone-name2 ping LDAP-server-address
    LDAP-server-address is alive
    ...

    # zlogin zone-name1
    # ldapclient init \
        -a profileName=profileName \
        -a domainName=domain \
        -a proxyDN=proxyDN \
        -a proxyPassword=password LDAP-Server-IP-Address
    # exit
    # zlogin zone-name2
    ...

    # zoneadm list
    # zoneadm -z zone-name halt
    # lockfs -fa
    # reboot