administeringtrusted networking administeringnetwork in Trusted Extensions configuringtrusted network This chapter provides implementation details and procedures for securing a Solaris Trusted Extensions network.Managing the Trusted Network (Task Map) Configuring Trusted Network Databases (Task Map) Configuring Routes and Checking Network Information in Trusted Extensions (Task Map) Troubleshooting the Trusted Network (Task Map) Managing Trusted Networking (Task Map) tasks and task mapsManaging Trusted Networking (Task Map) The following table points to the task maps for common trusted networking procedures.Task Description For Instructions Configure network databases. Creates remote host templates,and assigns hosts to the templates. Configuring Trusted Network Databases (Task Map) Configure routing, and check network databases and network information in the kernel. Configures static routes that enable labeled packets to reach their destination through labeled and unlabeled gateways.Also, displays the state of your network. Configuring Routes and Checking Network Information in Trusted Extensions (Task Map) Troubleshoot networking problems. Steps to take when diagnosing network problems with labeled packets. Troubleshooting the Trusted Network (Task Map) Configuring Trusted Network Databases (Task Map) tasks and task mapsConfiguring Trusted Network Databases (Task Map) administeringtrusted network databases trusted networkusing templates IP addressesin tnrhdb file Computers and Networks toolmodifying tnrhdb database Security Templates toolmodifying tnrhdb trusted networkediting local files IP addressesin tnrhdb database tnrhdb databaseconfiguring hostsassigning a template remote host templatesassigning Security Templates toolmodifying tnrhdb hostsassigning a template fallback mechanismfor remote hosts fallback mechanismusing for network configuration tnrhdb databasefallback mechanism tnrhdb databasewildcard address Solaris Management Consoleadministering trusted network trusted networkadministering with Solaris Management Console Trusted Extensions software includes the tnrhtp and tnrhdb databases. These databases provide labels for remote hosts that contact the system. The Solaris Management Console provides the GUI that you use to administer these databases.Task Description For Instructions Determine if your site requires customized security templates. Evaluates the existing templates for the security requirements of your site. How to Determine If You Need Site-Specific Security Templates Access the Security Templates tool in the Solaris Management Console. Accesses the tool for modifying trusted network databases. How to Open the Trusted Networking Tools Modify security templates. Modifies the definitions of security attributes in your trusted network by modifying the trusted network databases. How to Construct a Remote Host Template Changes the DOI to a value different from 1. Example 19–1 Creates a security template for labeled hosts that restrict communication between other hosts to a single label. Example 19–2 Creates a security template for unlabeled hosts that operate as single-label gateways. Example 19–3 Creates a security template for hosts with a restricted label range. Example 19–4 Creates a security template for a host that specifies a set of discrete labels in its label range. Example 19–5 Creates a security template for unlabeled systems and networks. Example 19–6 Creates a security template for two developer systems. Example 19–7 Add hosts to the known network. Adds systems and networks to the trusted network. How to Add Hosts to the System's Known Network Provide remote host access by using wildcard entries. Allows hosts within a range of IP addresses to communicate with a system by indirectly assigning each host to the same security template. Example 19–8Example 19–9Example 19–10 Change the admin_low wildcard entry in the tnrhdb file. Increases security by replacing the wildcard entry with specific addresses for the host to contact at boot time. How to Limit the Hosts That Can Be Contacted on the Trusted Network Increases security by replacing the wildcard entry with a network of labeled hosts as the default. Example 19–11 Create an entry for the host address 0.0.0.0 Configures a Sun Ray server to accept the initial contact from a remote client Example 19–13 Assign security templates. Associates a template with an IP address or list of contiguous IP addresses. How to Assign a Security Template to a Host or a Group of Hosts You must be in the Security Administrator role in the global zone. Familiarize yourself with the Trusted Extensions templates.Read the tnrhtp file on a local host. The comments in the file are helpful. You can also view the security attribute values in the Security Templates tool in the Solaris Management Console.The default templates match any installation. The label range for each template is ADMIN_LOW to ADMIN_HIGH. The cipso template defines a CIPSO host type whose DOI is 1. The label range for the template is ADMIN_LOW to ADMIN_HIGH. The admin_low template defines an unlabeled host whose DOI is 1. The template's default label is ADMIN_LOW. The label range for the template is ADMIN_LOW to ADMIN_HIGH. In the default configuration, the address 0.0.0.0 is assigned to this template. Therefore, all non-CIPSO hosts are treated as hosts that operate at the ADMIN_LOW security label. Keep the default templates.For support purposes, do not delete or modify the default templates. You can change the host that is assigned these default templates. For an example, see How to Limit the Hosts That Can Be Contacted on the Trusted Network. Create new templates if you want to do any of the following:Limit the label range of a host or a group of hosts. Create a single-label host. Create a host that recognizes a few discrete labels. Use a different DOI than 1. Require a default label for unlabeled hosts that is not ADMIN_LOW. For details, see How to Construct a Remote Host Template. Solaris Management ConsoleSecurity Templates tool Security Templates toolusing Trusted Network toolsusing You must be in the global zone in a role that can modify network security. For example, roles that are assigned the Information Security or Network Security rights profile can modify security settings. The Security Administrator role includes these profiles.To use the LDAP toolbox, you must have completed Configuring the Solaris Management Console for LDAP (Task Map). Start the Solaris Management Console.For details, see Initialize the Solaris Management Console Server in Trusted Extensions. Use the appropriate tool.To modify a template, use the Security Templates tool.All currently defined templates display in the right pane. When you select or create a template, online help is available in the left pane. To assign a host to a template, use the Security Templates tool. To create a host that can be assigned to a template, use the Computers and Networks tool. To assign a label to a zone, use the Trusted Network Zones tool. For more information about zones in Trusted Extensions, see Chapter 16, Managing Zones in Trusted Extensions (Tasks). security attributessetting for remote hosts tnrhtp databaseadding to administeringremote host templates remote host templatescreating You must be in the global zone in a role that can modify network security. For example, roles that are assigned the Information Security or Network Security rights profiles can modify security settings. The Security Administrator role includes these profiles. In the Solaris Management Console, navigate to the Security Templates tool.See How to Open the Trusted Networking Tools for the steps. Under Computers and Networks, double-click Security Templates.The existing templates are displayed in the View pane. These templates describe the security attributes for hosts that this system can contact. These hosts include CIPSO hosts that are running Trusted Extensions and unlabeled hosts. Examine the cipso template.View which hosts and which networks are already assigned this template. Examine the admin_low template.View which hosts and which networks are already assigned this template. Create a template.If the provided templates do not sufficiently describe the hosts that can be in communication with this system, choose Add Template from the Action menu.Use the online help for assistance. Before assigning hosts to the templates, create all the templates that your site requires. Modify an existing template that is not a default template.Double-click the template, and use the online help for assistance. You can change the assigned hosts or the assigned networks. In this example, the security administrator's network has a DOI whose value is different from 1. The team that initially configured the system has completed Configure the Domain of Interpretation.First, the security administrator confirms the value of the DOI in the /etc/system file:# grep doi /etc/system set default_doi = 4Then, in the Security Templates tool, for every template that the administrator creates, the value of doi is set to 4. For the single-label system that is described in Example 19–2, the security administrator creates the following template:template: CIPSO_PUBLIC host_type: CIPSO doi: 4 min_sl: PUBLIC max_sl: PUBLIC In this example, the security administrator wants to create a gateway that can only pass packets at a single label, PUBLIC. Using the Security Templates tool in the Solaris Management Console, the administrator creates a template and assigns the gateway host to the template.First, the gateway host and IP address are added to the Computers and Networks tool.gateway-1 192.168.131.75Then, the template is created in the Security Templates tool.  The following are the values in the template:template: CIPSO_PUBLIC host_type: CIPSO doi: 1 min_sl: PUBLIC max_sl: PUBLICThe tool supplies the hexadecimal value for PUBLIC, 0X0002-08-08.Finally, the gateway-1 host is assigned to the template by its name and IP address.gateway-1 192.168.131.75On a local host, the tnrhtp entry appears similar to the following:cipso_public:host_type=cipso;doi=1;min_sl=0X0002-08-08;max_sl=0X0002-08-08;On a local host, the tnrhdb entry appears similar to the following:# gateway-1 192.168.131.75:cipso_public Any IP router can forward messages with CIPSO labels even though the router does not explicitly support labels. Such an unlabeled router needs a default label to define the level at which connections to the router, perhaps for router management, need to be handled. In this example, the security administrator creates a router that can forward traffic at any label, but all direct communication with the router is handled at the default label, PUBLIC.In the Solaris Management Console, the administrator creates a template and assigns the gateway host to the template.First, the router and its IP address are added to the Computers and Networks tool.router-1 192.168.131.82Then, the template is created in the Security Templates tool. The following values are in the template:Template Name: UNL_PUBLIC Host Type: UNLABELED DOI: 1 Default Label: PUBLIC Minimum Label: ADMIN_LOW Maximum Label: ADMIN_HIGHThe tool supplies the hexadecimal value for the labels.Finally, the router-1 router is assigned to the template by its name and IP address.router-1 192.168.131.82 In this example, the security administrator wants to create a gateway that restricts packets to a narrow label range. In the Solaris Management Console, the administrator creates a template and assigns the gateway host to the template.First, the host and its IP address are added to the Computers and Networks tool.gateway-ir 192.168.131.78Then, the template is created in the Security Templates tool. The following values are in the template:Template Name: CIPSO_IUO_RSTRCT Host Type: CIPSO DOI: 1 Minimum Label: CONFIDENTIAL : INTERNAL USE ONLY Maximum Label: CONFIDENTIAL : RESTRICTEDThe tool supplies the hexadecimal value for the labels.Finally, the gateway-ir gateway is assigned to the template by its name and IP address.gateway-ir 192.168.131.78 In this example, the security administrator wants to create a security template that recognizes two labels only. In the Solaris Management Console, the administrator creates a template and assigns the gateway host to the template.First, each host and IP address that is going to use this template is added to the Computers and Networks tool.host-slset1 192.168.132.21 host-slset2 192.168.132.22 host-slset3 192.168.132.23 host-slset4 192.168.132.24Then, the template is created in the Security Templates tool. The following values are in the template:Template Name: CIPSO_PUB_RSTRCT Host Type: CIPSO DOI: 1 Minimum Label: PUBLIC Maximum Label: CONFIDENTIAL : RESTRICTED SL Set: PUBLIC, CONFIDENTIAL : RESTRICTEDThe tool supplies the hexadecimal value for the labels.Finally, the range of IP addresses are assigned to the template by using the Wildcard button and a prefix.192.168.132.0/17 In this example, the security administrator allows a subnetwork of Solaris systems to have the PUBLIC label in the trusted network. The template has the following values:Template Name: public Host Type: Unlabeled Default Label: Public Minimum Label: Public Maximum Label: Public DOI: 1 Wildcard Entry: 10.10.0.0 Prefix: 16All systems on the 10.10.0.0 subnetwork are handled at the label PUBLIC. In this example, the security administrator creates a SANDBOX template. This template is assigned to systems that are used by developers of trusted software. The two systems that are assigned this template create and test labeled programs. However, their tests do not affect the other labeled systems, because the label SANDBOX is disjoint from the other labels on the network.Template Name: cipso_sandbox Host Type: CIPSO Minimum Label: SANDBOX Maximum Label: SANDBOX DOI: 1 Hostname: DevMachine1 IP Address: 196.168.129.129 Hostname: DevMachine2 IP Address: 196.168.129.102The developers who use these systems can communicate with each other at the label SANDBOX. Solaris Management ConsoleComputers and Networks tool Computers and Networks tooladding known hosts hostsentering in network files /etc/hosts file The Computers tool in the Solaris Management Console is identical to the Computers tool in the Solaris OS. This procedure is provided here for your convenience. After the hosts are known, you then assign the hosts to a security template. You must be in an administrator who can manage networks. For example, roles that include the Network Management or System Administrator rights profiles can manage networks. In the Solaris Management Console, navigate to the Computers tool.For details, see How to Open the Trusted Networking Tools. In the Computers tool, confirm that you want to view all computers on the network. Add a host that this system can contact.You must add every host that this system might contact, including any static routers and any audit servers.From the Action menu, choose Add Computer. Identify the host by name and IP address. Provide additional information about the host. To add the host, click Apply. When the entries are complete, click OK. Add a group of hosts that this system can contact.Use the online help to add groups of hosts by using a network IP address. Security Templates toolassigning templates Computers and Networks tooladding known hosts hostsassigning to security template interfacesassigning to security template /etc/hosts file tnrhdb databaseadding to administeringremote host database remote host templatesassigning to hosts You must be in the Security Administrator role in the global zone.All hosts that you want to assign to a template must exist in the Computers and Networks tool. For details, see How to Add Hosts to the System's Known Network. In the Solaris Management Console, navigate to the Security Templates tool.For details, see How to Open the Trusted Networking Tools. Double-click the appropriate template name. Click the Hosts Assigned to Template tab. To assign the template to a single host, do the following:In the Hostname field, type the host's name. In the IP Address field, type the host's address. Click the Add button. To save your changes, click OK. To assign a template to a group of hosts with contiguous addresses, do the following:Click Wildcard. In the IP Address field, type the IP address. In the Prefix field, type the prefix that describes the group of contiguous addresses. Click the Add button. To save your changes, click OK. In the following example, a security administrator assigns several IPv4 subnetworks to the same security template. In the Hosts Assigned to Template tab, the administrator adds the following wildcard entries:IP Address: 192.168.113.0 IP address: 192.168.75.0 In the following example, a security administrator assigns contiguous IPv4 addresses that are not along octet boundaries to the same security template. In the Hosts Assigned to Template tab, the administrator adds the following wildcard entries:IP Address: 192.168.113.100 Prefix Length: 25This wildcard entry covers the address range of 192.168.113.0 to 192.168.113.127. The address includes 192.168.113.100. In the following example, a security administrator assigns contiguous IPv6 addresses to the same security template. In the Hosts Assigned to Template tab, the administrator adds the following wildcard entries:IP Address: 2001:a08:3903:200::0 Prefix Length: 56This wildcard entry covers the address range of 2001:a08:3903:200::0 to 2001:a08:3903:2ff:ffff:ffff:ffff:ffff. The address includes 2001:a08:3903:201:20e:cff:fe08:58c. trusted network0.0.0.0 tnrhdb entry protectinglabeled hosts from contact by arbitrary unlabeled hosts limitingdefined hosts on the network protectingfrom access by arbitrary hosts This procedure protects labeled hosts from being contacted by arbitrary unlabeled hosts. When Trusted Extensions is installed, this default template defines every host on the network. Use this procedure to enumerate specific unlabeled hosts.The local tnrhdb file on each system is used to contact the network at boot time. By default, every host that is not provided with a CIPSO template is defined by the admin_low template. This template assigns every system that is not otherwise defined (0.0.0.0) to be an unlabeled system with the default label of admin_low.tnrhdb database0.0.0.0 wildcard addressThe default admin_low template can be a security risk on a Trusted Extensions network. If site security requires strong protection, the security administrator can remove the 0.0.0.0 wildcard entry after the system is installed. The entry must be replaced with entries for every host that the system contacts during boot.For example, DNS servers, home directory servers, audit servers, broadcast and multicast addresses, and routers must be in the local tnrhdb file after the 0.0.0.0 wildcard entry is removed.tnrhdb database0.0.0.0 host addressIf an application initially recognizes clients at the host address 0.0.0.0, then you must add the 0.0.0.0/32:admin_low host entry to the tnrhdb database. For example, to receive initial connection requests from potential Sun Ray clients, Sun Ray servers must include this entry. Then, when the server recognizes the clients, the clients are provided an IP address and connected as CIPSO clients. You must be in the Security Administrator role in the global zone.All hosts that are to be contacted at boot time must exist in the Computers and Networks tool. In the Solaris Management Console, navigate to the Security Templates tool in the Files scope.The Files scope protects the system during boot. To access the Security Templates tool, see How to Open the Trusted Networking Tools. Modify the hosts that are assigned to the admin_low template.Double-click the admin_low template.Every host that is added can be contacted during boot at the label ADMIN_LOW. Click the Hosts Assigned to Template tab.Every host that is added can be contacted during boot at the label ADMIN_LOW. Add each unlabeled host that must be contacted at boot time.For details, see How to Assign a Security Template to a Host or a Group of Hosts.Include every on-link router that is not running Trusted Extensions, through which this host must communicate. Add the ranges of hosts that must be contacted at boot time. Remove the 0.0.0.0 entry. Modify the hosts that are assigned to the cipso template.Double-click the cipso template.Every host that is added can be contacted during boot. Click the Hosts Assigned to Template tab.Every host that is added can be contacted during boot at the label ADMIN_LOW. Add each labeled host that must be contacted at boot time.For details, see How to Assign a Security Template to a Host or a Group of Hosts.Include the LDAP server. Include every on-link router that is running Trusted Extensions, through which this host must communicate Make sure that all network interfaces are assigned to the template. Include broadcast addresses. Add the ranges of hosts that must be contacted at boot time. Verify that the host assignments allow the system to boot. In this example, the security administrator creates a public gateway system. The administrator removes the 0.0.0.0 entry from the admin_low template and assigns the entry to an unlabeled template that is named public. The system then recognizes any system that is not listed in its tnrhdb file as an unlabeled system with the security attributes of the public security template.The following describes an unlabeled template that was created specifically for public gateways.Template Name: public Host Type: Unlabeled Default Label: Public Minimum Label: Public Maximum Label: Public DOI: 1 The following example shows the local tnrhdb database with entries for an LDAP client with two network interfaces. The client communicates with another network and with routers.127.0.0.1:cipso Loopback address 192.168.112.111:cipso Interface 1 of this host 192.168.113.111:cipso Interface 2 of this host 10.6.6.2:cipso LDAP server 192.168.113.6:cipso Audit server 192.168.112.255:cipso Subnet broadcast address 192.168.113.255:cipso Subnet broadcast address 192.168.113.1:cipso Router 192.168.117.0:cipso Another Trusted Extensions network 192.168.112.12:public Specific network router 192.168.113.12:public Specific network router 224.0.0.2:public Multicast address 255.255.255.255:admin_low Broadcast address Sun Ray systemsenabling initial contact between client and serverutadm commanddefault Sun Ray server configurationIn this example, the security administrator configures a Sun Ray server to accept initial connection requests from potential clients. The server is using a private topology and is using the defaults:# utadm -a bge0First, the administrator determines the Solaris Management Console domain name:SMCserver # /usr/sadm/bin/dtsetup scopes Getting list of managable scopes... Scope 1 file:/machine1.ExampleCo.COM/machine1.ExampleCo.COMThen, the administrator adds the entry for client initial connection to the Sun Ray server's tnrhdb database. Because the administrator is testing, the default wildcard address is still used for all unknown addresses:SunRayServer # /usr/sadm/bin/smtnrhdb \ add -D file:/machine1.ExampleCo.COM/machine1.ExampleCo.COM \ -- -w 0.0.0.0 -p 32 -n admin_low Authenticating as user: root Please enter a string value for: password :: ... from machine1.ExampleCo.COM was successful.After this command, the tnhrdb database appears similar to the following. The result of the smtnrhdb command is highlighted:## tnrhdb database ## Sun Ray server address 192.168.128.1:cipso ## Sun Ray client addresses on 192.168.128 network 192.168.128.0/24:admin_low ## Initial address for new clients 0.0.0.0/32:admin_low ## Default wildcard address 0.0.0.0:admin_low Other addresses to be contacted at boot# tnchkdb -h /etc/security/tsol/tnrhdbAfter this phase of testing succeeds, the administrator makes the configuration more secure by removing the default wildcard address, checks the syntax of the tnrhdb database, and tests again. The final tnhrdb database appears similar to the following:## tnrhdb database ## Sun Ray server address 192.168.128.1:cipso ## Sun Ray client addresses on 192.168.128 network 192.168.128.0/24:admin_low ## Initial address for new clients 0.0.0.0/32:admin_low ## 0.0.0.0:admin_low - no other systems can enter network at admin_low Other addresses to be contacted at boot Configuring Routes and Checking Network Information in Trusted Extensions (Task Map) tasks and task mapsConfiguring Routes and Checking Network Information in Trusted Extensions (Task Map) The following task map describes tasks to configure the network and to verify the configuration.Task Description For Instructions Configure static routes. Manually describes the best route from one host to another host. How to Configure Routes With Security Attributes Check the accuracy of the local network databases. Uses the tnchkdb command to check the syntactic validity of the local network databases. How to Check the Syntax of Trusted Network Databases Compare the network database entries with the entries in the kernel cache. Uses the tninfo command to determine if the kernel cache has been updated with the latest database information. How to Compare Trusted Network Database Information With the Kernel Cache Synchronize the kernel cache with the network databases. Uses the tnctl command to update the kernel cache with up-to-date network database information on a running system. How to Synchronize the Kernel Cache With Trusted Network Databases routingstatic with security attributes routingusing route command security attributesusing in routing administeringroutes with security attributes configuringroutes with security attributes You must be in the Security Administrator role in the global zone. Add every destination host and gateway that you are using to route packets over the trusted network.The addresses are added to the local /etc/hosts file, or to its equivalent on the LDAP server. Use the Computers and Networks tool in the Solaris Management Console. The Files scope modifies the /etc/hosts file. The LDAP scope modifies the entries on the LDAP server. For details, see How to Add Hosts to the System's Known Network. Assign each destination host, network, and gateway to a security template.The addresses are added to the local /etc/security/tsol/tnrhdb file, or to its equivalent on the LDAP server. Use the Security Templates tool in the Solaris Management Console. For details, see How to Assign a Security Template to a Host or a Group of Hosts. Set up the routes.In a terminal window, use the route add command to specify routes.The first entry sets up a default route. The entry specifies a gateway's address, 192.168.113.1, to use when no specific route is defined for either the host or the packet's destination.# route add default 192.168.113.1 -staticFor details, see the route1M man page. Set up one or more network entries.Use the secattr flag to specify security attributes.In the following list of commands, the second line shows a network entry. The third line shows a network entry with a label range of PUBLIC to CONFIDENTIAL : INTERNAL USE ONLY.# route add default 192.168.113.36 # route add -net 192.168.102.0 gateway-101 # route add -net 192.168.101.0 gateway-102 \ -secattr min_sl=“PUBLIC”,max_sl=”CONFIDENTIAL : INTERNAL USE ONLY”,doi=1 Set up one or more host entries.The new fourth line shows a host entry for the single-label host, gateway-pub. gateway-pub has a label range of PUBLIC to PUBLIC.# route add default 192.168.113.36 # route add -net 192.168.102.0 gateway-101 # route add -net 192.168.101.0 gateway-102 \ -secattr min_sl="PUBLIC",max_sl="CONFIDENTIAL : INTERNAL USE ONLY",doi=1 # route add -host 192.168.101.3 gateway-pub \ -secattr min_sl="PUBLIC",max_sl="PUBLIC",doi=1 The following route command adds to the routing table the hosts at 192.168.115.0 with 192.168.118.39 as its gateway. The label range is from CONFIDENTIAL : INTERNAL USE ONLY to CONFIDENTIAL : RESTRICTED, and the DOI is 1.$ route add -net 192.168.115.0 192.168.118.39 \ -secattr min_sl="CONFIDENTIAL : INTERNAL USE ONLY",max_sl="CONFIDENTIAL : RESTRICTED",doi=1The result of the added hosts is shown with the netstat -rR command. In the following excerpt, the other routes are replaced by ellipses (...).$ netstat -rRn ... 192.168.115.0 192.168.118.39 UG 0 0 min_sl=CNF : INTERNAL USE ONLY,max_sl=CNF : RESTRICTED,DOI=1,CIPSO ... trusted networkchecking syntax of filesverifyingsyntax of network databasesThe tnchkdb command checks that the syntax of each network database is accurate. The Solaris Management Console runs this command automatically when you use the Security Templates tool or the Trusted Network Zones tool. Typically, you run this command to check the syntax of database files that you are configuring for future use. You must be in the global zone in a role that can check network settings. The Security Administrator role and the System Administrator role can check these settings. In a terminal window, run the tnchkdb command.$ tnchkdb [-h tnrhdb-path] [-t tnrhtp-path] [-z tnzonecfg-path] checking /etc/security/tsol/tnrhtp ... checking /etc/security/tsol/tnrhdb ... checking /etc/security/tsol/tnzonecfg ... In this example, the security administrator is testing a network database file for possible use. Initially, the administrator uses the wrong option. The results of the check are printed on the line for the tnrhdb file:$ tnchkdb -h /opt/secfiles/trial.tnrhtp checking /etc/security/tsol/tnrhtp ... checking /opt/secfiles/trial.tnrhtp ... line 12: Illegal name: min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH line 14: Illegal name: min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH checking /etc/security/tsol/tnzonecfg ...When the security administrator checks the file by using the t option, the command confirms that the syntax of the trial tnrhtp database is accurate:$ tnchkdb -t /opt/secfiles/trial.tnrhtp checking /opt/secfiles/trial.tnrhtp ... checking /etc/security/tsol/tnrhdb ... checking /etc/security/tsol/tnzonecfg ... The network databases might contain information that is not cached in the kernel. This procedure checks that the information is identical. When you use the Solaris Management Console to update the network, the kernel cache is updated with network database information. The tninfo command is useful during testing and for debugging. You must be in the global zone in a role that can check network settings. The Security Administrator role and the System Administrator role can check these settings. In a terminal window, run the tninfo command.tninfo -h hostname displays the IP address and template for the specified host. tninfo -t templatename displays the following information:template: template-name host_type: either CIPSO or UNLABELED doi: 1 min_sl: minimum-label hex: minimum-hex-label max_sl: maximum-label hex:maximum-hex-label tninfo -m zone-name displays the multilevel port (MLP) configuration of a zone. administeringmultilevel ports multilevel ports (MLPs)administering In this example, a system is configured with several labeled zones. All zones share the same IP address. Some zones are also configured with zone-specific addresses. In this configuration, the TCP port for web browsing, port 8080, is an MLP on a shared interface in the public zone. The administrator has also set up telnet, TCP port 23, to be an MLP in the public zone. Because these two MLPs are on a shared interface, no other zone, including the global zone, can receive packets on the shared interface on ports 8080 and 23.In addition, the TCP port for ssh, port 22, is a per-zone MLP in the public zone. The public zone's ssh service can receive any packets on its zone-specific address within the address's label range.The following command shows the MLPs for the public zone:$ tninfo -m public private: 22/tcp shared: 23/tcp;8080/tcpThe following command shows the MLPs for the global zone. Note that ports 23 and 8080 cannot be MLPs in the global zone because the global zone shares the same address with the public zone:$ tninfo -m global private: 111/tcp;111/udp;514/tcp;515/tcp;631/tcp;2049/tcp; 6000-6003/tcp;38672/tcp;60770/tcp; shared: 6000-6003/tcp When the kernel has not been updated with trusted network database information, you have several ways to update the kernel cache. The Solaris Management Console runs this command automatically when you use the Security Templates tool or the Trusted Network Zones tool. You must be in the Security Administrator role in the global zone. tnctl commandupdating kernel cacheTo synchronize the kernel cache with network databases, run one of the following commands:Restart the tnctl service.Do not use this method on systems that obtain their trusted network database information from an LDAP server. The local database information would overwrite the information that is obtained from the LDAP server. $ svcadm restart svc:/network/tnctlThis command reads all information from the local trusted network databases into the kernel. Update the kernel cache for your recently added entries.$ tnctl -h hostnameThis command reads only the information from the chosen option into the kernel. For details about the options, see Example 19–17 and the tnctl1M man page. Change the tnd polling interval.This does not update the kernel cache. However, you can shorten the polling interval to update the kernel cache more frequently. For details, see the example in the tnd1M man page. Refresh the tnd.This Service Management Facility (SMF) command triggers an immediate update of the kernel with recent changes to trusted network databases.$ svcadm refresh svc:/network/tnd Restart the tnd by using SMF.$ svcadm restart svc:/network/tndAvoid running the tnd command to restart the tnd. This command can interrupt communications that are currently succeeding. In this example, the administrator has added three addresses to the local tnrhdb database. First, the administrator removed the 0.0.0.0 wildcard entry.$ tnctl -d -h 0.0.0.0:admin_lowThen, the administrator views the format of the final three entries in the /etc/security/tsol/tnrhdb database:$ tail /etc/security/tsol/tnrhdb #\:\:0:admin_low 127.0.0.1:cipso #\:\:1:cipso 192.168.103.5:admin_low 192.168.103.0:cipso 0.0.0.0/32:admin_lowThen, the administrator updates the kernel cache:$ tnctl -h 192.168.103.5 tnctl -h 192.168.103.0 tnctl -h 0.0.0.0/32Finally, the administrator verifies that the kernel cache is updated. The output for the first entry is similar to the following:$ tninfo -h 192.168.103.5 IP Address: 192.168.103.5 Template: admin_low tnctl commandusingIn this example, the administrator updates the trusted network with a public print server, and then checks that the kernel settings are correct.$ tnctl -h public-print-server $ tninfo -h public-print-server IP Address: 192.168.103.55 Template: PublicOnly $ tninfo -t PublicOnly ================================== Remote Host Template Table Entries ---------------------------------- template: PublicOnly host_type: CIPSO doi: 1 min_sl: PUBLIC hex: 0x0002-08-08 max_sl: PUBLIC hex: 0x0002-08-08 troubleshootingnetwork Troubleshooting the Trusted Network (Task Map) tasks and task mapsTroubleshooting the Trusted Network (Task Map) The following task map describes tasks to debug your network.Task Description For Instructions Determine why two hosts cannot communicate. Checks that the interfaces on a single system are up. How to Verify That a Host's Interfaces Are Up Uses debugging tools when two hosts cannot communicate with each other. How to Debug the Trusted Extensions Network Determine why an LDAP client cannot reach the LDAP server. Troubleshoots the loss of connection between an LDAP server and a client. How to Debug a Client Connection to the LDAP Server troubleshootingverifying interface is up verifyinginterface is up interfacesverifying they are up Use this procedure if your system does not communicate with other hosts as expected. You must be in the global zone in a role that can check network settings. The Security Administrator role and the System Administrator role can check these settings. Verify that the system's network interface is up.The following output shows that the system has two network interfaces, hme0 and hme0:3. Neither interface is up.# ifconfig -a ... hme0: flags=1000843<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2 inet 192.168.0.11 netmask ffffff00 broadcast 192.168.0.255 hme0:3 flags=1000843<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2 inet 192.168.0.12 netmask ffffff00 broadcast 192.168.0.255 If the interface is not up, bring it up and then verify that it is up.The following output shows that both interfaces are up.# ifconfig hme0 up # ifconfig -a ... hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,... hme0:3 flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,.. troubleshootingtrusted network snoop commandnetstat commandcommandstroubleshooting networkingTo debug two hosts that should be communicating but are not, you can use Trusted Extensions and Solaris debugging tools. For example, Solaris network debugging commands such as snoop and netstat are available. For details, see the snoop1M and netstat1M man pages. For commands that are specific to Trusted Extensions, see Table 8–4.For problems with contacting labeled zones, see Managing Zones (Task Map). For debugging NFS mounts, see How to Troubleshoot Mount Failures in Trusted Extensions. For debugging LDAP communications, see How to Debug a Client Connection to the LDAP Server. You must be in the global zone in a role that can check network settings. The Security Administrator role or the System Administrator role can check these settings. To troubleshoot the tnd daemon, change the polling interval and collect debugging information.For details, see the tnd1M man page. Check that the hosts that cannot communicate are using the same naming service.On each host, check the nsswitch.conf file.Check the values for the Trusted Extensions databases in the nsswitch.conf file.For example, at a site that uses LDAP to administer the network, the entries are similar to the following:# Trusted Extensions tnrhtp: files ldap tnrhdb: files ldap If the values are different, correct the nsswitch.conf file.actionsName Service SwitchName Service Switch actionTo modify these entries, the system administrator uses the Name Service Switch action. For details, see How to Start CDE Administrative Actions in Trusted Extensions. This action preserves the required DAC and MAC file permissions. Check that the LDAP naming service is configured.$ ldaplist -l Check that both hosts are in the LDAP naming service.$ ldaplist -l hosts | grep hostname Check that each host is defined correctly.Use the Solaris Management Console to verify the definitions.In the Security Templates tool, check that each host is assigned to a security template that is compatible with the security template of the other host. For an an unlabeled system, check that the default label assignment is correct. In the Trusted Network Zones tool, check that the multilevel ports (MLPs) are correctly configured. Use the command line to check that the network information in the kernel is current.Check that the assignment in each host's kernel cache matches the assignment on the network, and on the other host.tninfo commandusingTo get security information for the source, destination, and gateway hosts in the transmission, use the tninfo command.Display the IP address and the assigned security template for a given host.$ tninfo -h hostname IP Address: IP-address Template: template-name Display a template definition.$ tninfo -t template-name template: template-name host_type: one of CIPSO or UNLABELED doi: 1 min_sl: minimum-label hex: minimum-hex-label max_sl: maximum-label hex: maximum-hex-label Display the MLPs for a zone.$ tninfo -m zone-name private: ports-that-are-specific-to-this-zone-only shared: ports-that-the-zone-shares-with-other-zones Fix any incorrect information.To change or check network security information, use the Solaris Management Console tools. For details, see How to Open the Trusted Networking Tools To update the kernel cache, restart the tnctl service on the host whose information is out of date. Allow some time for this process to complete. Then, refresh the tnd service. If the refresh fails, try restarting the tnd service. For details, see How to Synchronize the Kernel Cache With Trusted Network Databases.Rebooting clears the kernel cache. At boot time, the cache is populated with database information. The nsswitch.conf file determines whether local databases or LDAP databases are used to populate the kernel. Collect transmission information to help you in debugging.Verify your routing configuration.Use the get subcommand to the route command.$ route get [ip] -secattr sl=label,doi=integerFor details, see the route1M man page. View the label information in packets.Use the snoop -v command.The v option displays the details of packet headers, including label information. This command provides a lot of detail, so you might want to restrict the packets that the command examines. For details, see the snoop1M man page. View the routing table entries and the security attributes on sockets.Use the R option with the netstat -a|-r command.The aR option displays extended security attributes for sockets. The rR option displays routing table entries. For details, see the netstat1M man page. LDAPtroubleshooting troubleshootingLDAP Misconfiguration of the client entry on the LDAP server can prevent the client from communicating with the server. Similarly, misconfiguration of files on the client can prevent communication. Check the following entries and files when attempting to debug a client-server communication problem. You must be in the Security Administrator role in the global zone on the LDAP client. tninfo commandusingCheck that the remote host template for the LDAP server and for the gateway to the LDAP server are correct.# tninfo -h LDAP-server # route get LDAP-server # tninfo -h gateway-to-LDAP-serverIf a remote host template assignment is incorrect, assign the host to the correct template by using the Security Templates tool in the Solaris Management Console. Check and correct the /etc/hosts file.Your system, the interfaces for the labeled zones on your system, the gateway to the LDAP server, and the LDAP server must be listed in the file. You might have more entries.Look for duplicate entries. Remove any entries that are labeled zones on other systems. For example, if Lserver is the name of your LDAP server, and LServer-zones is the shared interface for the labeled zones, remove LServer-zones from /etc/hosts. If you are using DNS, check and correct the entries in the resolv.conf file.# more resolv.conf search list of domains domain domain-name nameserver IP-address ... nameserver IP-address Check that the tnrhdb and tnrhtp entries in the nsswitch.conf file are accurate. Check that the client is correctly configured on the server.# ldaplist -l tnrhdb client-IP-address Check that the interfaces for your labeled zones are correctly configured on the LDAP server.# ldaplist -l tnrhdb client-zone-IP-address Verify that you can ping the LDAP server from all currently running zones.# ldapclient list ... NS_LDAP_SERVERS= LDAP-server-address # zlogin zone-name1 ping LDAP-server-address LDAP-server-address is alive # zlogin zone-name2 ping LDAP-server-address LDAP-server-address is alive ... Configure LDAP and reboot.Run the Create LDAP Client action.This action re-establishes the global zone as a client of the LDAP server. In every labeled zone, re-establish the zone as a client of the LDAP server.# zlogin zone-name1 # ldapclient init \ -a profileName=profileName \ -a domainName=domain \ -a proxyDN=proxyDN \ -a proxyPassword=password LDAP-Server-IP-Address # exit # zlogin zone-name2 ... Halt all zones, lock the file systems, and reboot.If you are using Solaris ZFS, halt the zones and lock the file systems before rebooting. If you are not using ZFS, you can reboot without halting the zones and locking the file systems.# zoneadm list # zoneadm -z zone-name halt # lockfs -fa # reboot