SunScreen 3.1 Lite Installation Guide

Appendix A Command Line Installation

This appendix contains procedures for installing SunScreen 3.1 Lite using the command line.

An expert system administrator can use command line installation as an alternative to the installation wizard. Before installing, review the SunScreen 3.1 Release Notes for the latest information about this product.

Installing the Administration Station

You can install the required SunScreen 3.1 Lite packages on the Administration Station with pkgadd. After you install the administration packages, you must set up your certificate environment.

To Install the Software on the Administration Station
  1. Open a terminal window on the Administration Station and become root.

  2. Insert the Solaris 8 Easy Access CD-ROM into the Administration Station's CD-ROM drive.

  3. Add the software by typing:


    For SPARC systems:
    # pkgadd -d /cdrom/cdrom0/sparc
    
    For Intel systems:
    # pkgadd -d /cdrom/cdrom0/i386
    

    For SPARC systems, you are prompted with a menu of packages to install:


    The following packages are available:
      1  NSCPcom       Netscape Communicator
                       (sparc) 20.4.70,REV=1999.08.20.17.43
      2  SUNWbdc       SKIP Bulk Data Crypt
                       (sparc) 1.5.1
      3  SUNWbdcx      SKIP Bulk Data Crypt (64-bit)
                       (sparc) 1.5.1
      4  SUNWdes       SKIP DES Crypto Module
                       (sparc) 1.5.1
      5  SUNWdesx      SKIP DES Crypto Module (64-bit)
                       (sparc) 1.5.1
      6  SUNWdthj      HotJava Browser for Solaris
                       (sparc) 1.1.5,REV=1998.12.03
      7  SUNWdtnsc     Netscape Componentization Support for CDE
                       (sparc) 1.0,REV=1999.06.14.15.50
      8  SUNWes        SKIP End System
                       (sparc) 1.5.1
      9  SUNWesx       SKIP End System (64-bit)
                       (sparc) 1.5.1
     10  SUNWfwcnv     SunScreen Firewall conversion
                       (sparc) 3.1
     11  SUNWhttp      Sun WebServer daemon and supporting binaries
                       (sparc) 2.0
     12  SUNWicgSA     SunScreen Administration Software
                       (sparc) 3.1
     13  SUNWicgSD     SunScreen online documentation
                       (sparc) 3.1
     14  SUNWicgSF     SunScreen full function
                       (sparc) 3.1
     15  SUNWicgSM     SunScreen man pages
                       (sparc) 3.1
     16  SUNWicgSS     SunScreen Firewall
                       (sparc) 3.1
     17  SUNWkeymg     SKIP Key Manager Tools
                       (sparc) 1.5.1
     18  SUNWkusup     SKIP U-Support module
                       (sparc) 1.5.1
     19  SUNWrc2       SKIP RC2 Crypto Module
                       (sparc) 1.5.1
     20  SUNWrc4       SKIP RC4 Crypto Module
                       (sparc) 1.5.1
     21  SUNWrc4x      SKIP RC4 Crypto Module (64-bit)
                       (sparc) 1.5.1
     22  SUNWsman      SKIP Man Pages
                       (sparc) 1.5.1
    Select package(s) you wish to process (or 'all' to process
    all packages). (default: all) [?,??,q]: 

    For Intel systems, you are prompted with a menu of packages to install:


    The following packages are available:
      1  NSCPcom       Netscape Communicator
                       (i386) 20.4.70,REV=1999.08.20.17.56
      2  SUNWbdc       SKIP Bulk Data Crypt
                       (i386) 1.5.1
      3  SUNWdes       SKIP DES Crypto Module
                       (i386) 1.5.1
      4  SUNWdthj      HotJava Browser for Solaris
                       (i386) 1.1.5,REV=1998.12.03
      5  SUNWdtnsc     Netscape Componentization Support for CDE
                       (i386) 1.0,REV=1999.06.14.15.53
      6  SUNWes        SKIP End System
                       (i386) 1.5.1
      7  SUNWfwcnv     SunScreen Firewall conversion
                       (i386) 3.1
      8  SUNWhttp      Sun WebServer daemon and supporting binaries
                       (i386) 2.0
      9  SUNWicgSA     SunScreen Administration Software
                       (i386) 3.1
     10  SUNWicgSD     SunScreen online documentation
                       (i386) 3.1
     11  SUNWicgSF     SunScreen full function
                       (i386) 3.1
     12  SUNWicgSM     SunScreen man pages
                       (i386) 3.1
     13  SUNWicgSS     SunScreen Firewall
                       (i386) 3.1
     14  SUNWkeymg     SKIP Key Manager Tools
                       (i386) 1.5.1
     15  SUNWkusup     SKIP U-Support module
                       (i386) 1.5.1
     16  SUNWrc2       SKIP RC2 Crypto Module
                       (i386) 1.5.1
     17  SUNWrc4       SKIP RC4 Crypto Module
                       (i386) 1.5.1
     18  SUNWsman      SKIP Man Pages
                       (i386) 1.5.1
  4. Follow the program prompts, answering all the questions with y.

    When completed, you return to the same menu of packages.

  5. Type q to quit pkgadd.

  6. Set the PATH and MANPATH by editing your shell initialization file (such as the .profile or .login file).

    1. Set the PATH for the Bourne shell by typing:

      PATH=/opt/SUNWicg/SunScreen/bin:$PATH

      export PATH

    2. Set the MANPATH for the Bourne shell by typing:

      MANPATH=$MANPATH:/opt/SUNWicg/SunScreen/man

      export MANPATH

  7. Eject the CD-ROM from the CD-ROM drive by typing:


    # eject cdrom0
  8. Install any SKIP upgrades (see "Upgrading Cryptography Modules").

  9. Reboot by typing:


    # sync; init 6

The software packages have been installed. You continue the installation process on the Administration Station.

Installing Administration Station Certificates

To obtain encrypted communication between the Administration Station and the Screen, certificates must be installed on both machines. This can be done by either using self-generated certificates or by installing issued certificates. Both methods are done on the Administration Station.

To Create a Self-Generated Certificate on the Administration Station
  1. Open a terminal window and create the required SKIP directories by typing:


    # skiplocal -i

  2. Create the self-generated certificate on the Administration Station by typing:


    # skiplocal -k -f -V

    The local certificate ID appears. It is the Administration Station's 32-character certificate ID (MKID).

  3. Write down the certificate ID, which begins with `0x'.

  4. Add SKIP to all the interfaces by typing:


    # skipif -a

  5. Reboot to complete the installation by typing:


    # sync; init 6

The Administration Station's certificate ID has been generated. You next move to the Screen to install the SunScreen 3.1 Lite software.

To Install an Issued Certificate on the Administration Station

To do this procedure, you will need the Key and Certificate diskette.

  1. Open a terminal window on the Administration Station and become root.

  2. Create the required SKIP directories by typing:


    # skiplocal -i

  3. Insert the Key and Certificate diskette into the Administration Station's diskette drive.

  4. Install the SKIP keys by typing:


    # install_skip_keys -icg /floppy/floppy0

  5. Start the SKIP daemon by typing:


    # skipd_restart

  6. Eject the Key and Certificate diskette by typing:


    # eject floppy0

  7. Write down the certificate ID, which is eight characters long.

  8. Add SKIP to all the interfaces by typing:


    # skipif -a

  9. Reboot to complete the installation by typing:


    # sync; init 6

    The Administration Station's certificate ID has been installed. You next move to the Screen to install the SunScreen 3.1 Lite software.

Installing the Screen

You can install the required SunScreen 3.1 Lite packages on the Screen with pkgadd by following these instructions.

To Install the Screen
  1. Open a terminal window on the Screen and become root.

  2. Insert the Solaris Easy Access CD-ROM into the Screen's CD-ROM drive.

  3. Add the software by typing:


    For SPARC systems:
    # pkgadd -d cdrom/Solaris_8/EA/products/SunScreen_3.1_Lite/sparc
     
    For Intel systems:
    # pkgadd -d cdrom/Solaris_8/EA/products/SunScreen_3.1_Lite/i386
    

    For SPARC systems, you are prompted with a menu of packages to install:


    The following packages are available:
      1  NSCPcom       Netscape Communicator
                       (sparc) 20.4.70,REV=1999.08.20.17.43
      2  SUNWbdc       SKIP Bulk Data Crypt
                       (sparc) 1.5.1
      3  SUNWbdcx      SKIP Bulk Data Crypt (64-bit)
                       (sparc) 1.5.1
      4  SUNWdes       SKIP DES Crypto Module
                       (sparc) 1.5.1
      5  SUNWdesx      SKIP DES Crypto Module (64-bit)
                       (sparc) 1.5.1
      6  SUNWdthj      HotJava Browser for Solaris
                       (sparc) 1.1.5,REV=1998.12.03
      7  SUNWdtnsc     Netscape Componentization Support for CDE
                       (sparc) 1.0,REV=1999.06.14.15.50
      8  SUNWes        SKIP End System
                       (sparc) 1.5.1
      9  SUNWesx       SKIP End System (64-bit)
                       (sparc) 1.5.1
     10  SUNWfwcnv     SunScreen Firewall conversion
                       (sparc) 3.1
     11  SUNWhttp      Sun WebServer daemon and supporting binaries
                       (sparc) 2.0
     12  SUNWicgSA     SunScreen Administration Software
                       (sparc) 3.1
     13  SUNWicgSD     SunScreen online documentation
                       (sparc) 3.1
     14  SUNWicgSM     SunScreen man pages
                       (sparc) 3.1
     15  SUNWicgSS     SunScreen Firewall
                       (sparc) 3.1
     16  SUNWkeymg     SKIP Key Manager Tools
                       (sparc) 1.5.1
     17  SUNWkusup     SKIP U-Support module
                       (sparc) 1.5.1
     18  SUNWrc2       SKIP RC2 Crypto Module
                       (sparc) 1.5.1
     19  SUNWrc4       SKIP RC4 Crypto Module
                       (sparc) 1.5.1
     20  SUNWrc4x      SKIP RC4 Crypto Module (64-bit)
                       (sparc) 1.5.1
     21  SUNWsman      SKIP Man Pages
                       (sparc) 1.5.1
     

    For Intel systems, you are prompted with a menu of packages to install:


    The following packages are available:
      1  NSCPcom       Netscape Communicator
                       (i386) 20.4.70,REV=1999.08.20.17.56
      2  SUNWbdc       SKIP Bulk Data Crypt
                       (i386) 1.5.1
      3  SUNWdes       SKIP DES Crypto Module
                       (i386) 1.5.1
      4  SUNWdthj      HotJava Browser for Solaris
                       (i386) 1.1.5,REV=1998.12.03
      5  SUNWdtnsc     Netscape Componentization Support for CDE
                       (i386) 1.0,REV=1999.06.14.15.53
      6  SUNWes        SKIP End System
                       (i386) 1.5.1
      7  SUNWfwcnv     SunScreen Firewall conversion
                       (i386) 3.1
      8  SUNWhttp      Sun WebServer daemon and supporting binaries
                       (i386) 2.0
      9  SUNWicgSA     SunScreen Administration Software
                       (i386) 3.1
     10  SUNWicgSD     SunScreen online documentation
                       (i386) 3.1
     11  SUNWicgSM     SunScreen man pages
                       (i386) 3.1
     12  SUNWicgSS     SunScreen Firewall
                       (i386) 3.1
     13  SUNWkeymg     SKIP Key Manager Tools
                       (i386) 1.5.1
     14  SUNWkusup     SKIP U-Support module
                       (i386) 1.5.1
     15  SUNWrc2       SKIP RC2 Crypto Module
                       (i386) 1.5.1
     16  SUNWrc4       SKIP RC4 Crypto Module
                       (i386) 1.5.1
     17  SUNWsman      SKIP Man Pages
                       (i386) 1.5.1

  4. For SPARC systems, type: 2-5, 8-9, 11-21. For Intel systems, type: 2-3, 6, 8, 9-17.

  5. Follow the program prompts, answering all the questions with y.

    When completed, you return to the same menu of packages.

  6. Type q to quit pkgadd.

  7. Set the PATH and MANPATH by editing your shell initialization file (such as the .profile or .login file).

    PATH=/opt/SUNWicg/SunScreen/bin:$PATH
    export PATH
    MANPATH=$MANPATH:/opt/SUNWicg/SunScreen/man
    export MANPATH

  8. Eject the CD-ROM from the CD-ROM drive by typing:


    # eject cdrom0

  9. Install any SKIP upgrades (see "Upgrading Cryptography Modules").

  10. Reboot by typing:


    # sync; init 6

  11. Open a terminal window and become root, if not already.

  12. Complete the installation by typing:


    # ss_install

    Answer the questions that appear. The questions and text are similar to those that appear when installing using the installation wizard. Review the procedures for installing the software on the Screen in "Installing Lite With Local Administration" or "Installing Lite With Remote Administration," if more details are needed.

    If you are using issued certificates, you need all of your certificate diskettes.


    Note -

    The SKIP command to run on the Administration Station is displayed at the end. It is contained in the AdminSetup.readme file, found in the directory /etc/opt/SUNWicg/SunScreen. Write this command down for use in the following procedure. If you trust that the network between the Screen and the Administration Station is secure, you can ftp the AdminSetup.readme file from the Screen to the Administration Station. This saves you the task of writing down the information that is required in the next procedure.


  13. Reboot by typing:


    # sync; init 6

To Use Command-Line SKIP on the Administration Station
  1. On the Administration Station, open a terminal window and become root.

  2. To enable unencrypted communication from the Administration Station to all hosts other than the Screen, type:


    # skiphost -a default

  3. Add a rule so that encrypted communication is possible between the Administration Station and the Screen by typing:


    # skiphost command_from_ss_install

    This command is in the AdminSetup.readme file. The command is in the following form, which has been divided into lines for readability:

    skiphost -a name_of_Screen -r NSID_type
    -R Screen's_certificate_ID -s NSID_type
    -S Administration_Station's_certificate_ID
    -k key_encryption_algorithm
    -t data_encryption_algorithm -m MAC_algorithm

  4. Turn on SKIP by typing:


    If the Screen has only one interface:
    # skiphost -o on
    If the Screen has more than one interface, for each interface:
    # skiphost -i name_of_interface -o on


    Note -

    To display the interfaces, type: ifconfig -a


  5. Save the SKIP settings by typing:


    # skipif -i all -s
    

  6. Restart the SKIP daemon by typing:


    # skipd_restart
    

    Refer to the SunScreen SKIP 1.5.1 User's Guide for more information on operating SKIP, if needed.


    Note -

    After configuring SKIP, check that the encryption parameters and 32-character certificate ID (MKID) values match on both the Administration Station and the Screen.


  7. To configure and manage your Screen from your Administration Station, run a Java-enabled Web browser compliant with JDK 1.1.3 or later, and launch the administration GUI by typing the following URL:


    http://Name_of_Screen:3852/

    See the SunScreen 3.1 Administration Guide for instructions on how to use the administration GUI.
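
The skiphost rule in step 3 is normally copied by hand from AdminSetup.readme, so a check before running it catches a dropped flag or a mistyped certificate ID, which is the mismatch the note after step 6 asks you to look for. The script below is an added example and is not part of the SunScreen or SKIP software; the host name, certificate IDs, and the NSID_TYPE, KEY_ALG, DATA_ALG and MAC_ALG values are constructed placeholders, and it assumes a certificate ID is 32 or 8 hexadecimal characters after an optional 0x prefix.

```sh
#!/bin/sh
# Added example: check a hand-copied skiphost rule before running it.
# All sample values below are constructed placeholders, not real output.
SCREEN_ID=0x0123456789abcdef0123456789abcdef
ADMIN_ID=0xfedcba9876543210fedcba9876543210
SAMPLE_RULE="skiphost -a screen1 -r NSID_TYPE -R $SCREEN_ID -s NSID_TYPE \
-S $ADMIN_ID -k KEY_ALG -t DATA_ALG -m MAC_ALG"

# Print the word that follows flag $1 among the remaining arguments.
flag_value() {
    want=$1; shift
    while [ $# -gt 1 ]; do
        [ "$1" = "$want" ] && { printf '%s\n' "$2"; return 0; }
        shift
    done
    return 1
}

# Strip a leading 0x and fold hex digits to lower case.
norm_id() { printf '%s' "$1" | sed 's/^0[xX]//' | tr 'A-F' 'a-f'; }

# Succeed if $1 is hex of a length the guide mentions (32 or 8 characters).
# Assumption: the length is counted without the 0x prefix.
valid_id() {
    id=$(norm_id "$1")
    case $id in ''|*[!0-9a-f]*) return 1 ;; esac
    [ ${#id} -eq 32 ] || [ ${#id} -eq 8 ]
}

# check_rule RULE LOCAL_ID
# 0 = usable, 1 = not skiphost or flag missing,
# 2 = malformed certificate ID, 3 = -S value is not LOCAL_ID
check_rule() {
    rule=$1 local_id=$2
    set -f; set -- $rule; set +f      # split on whitespace, no globbing
    [ "$1" = skiphost ] || return 1
    for f in -a -r -R -s -S -k -t -m; do
        flag_value "$f" "$@" >/dev/null || { echo "missing $f" >&2; return 1; }
    done
    remote=$(flag_value -R "$@"); mine=$(flag_value -S "$@")
    valid_id "$remote" && valid_id "$mine" ||
        { echo "malformed certificate ID" >&2; return 2; }
    [ "$(norm_id "$mine")" = "$(norm_id "$local_id")" ] ||
        { echo "-S is not this host's certificate ID" >&2; return 3; }
    return 0
}

check_rule "$SAMPLE_RULE" "$ADMIN_ID" && echo "rule OK"
```

Pass the rule as one string together with the certificate ID you wrote down when the Administration Station's certificate was created or installed; a non-zero exit status means the rule should be re-read from AdminSetup.readme before it is given to skiphost.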