Logical Domains 1.2 Administration Guide

Installing the Logical Domains Manager and Solaris Security Toolkit

There are three methods of installing Logical Domains Manager and Solaris Security Toolkit software:


Note –

Remember that you need to manually install the LDoms MIB software package after you install the Logical Domains and Solaris Security Toolkit packages. It is not automatically installed with the other packages. Refer to the Logical Domains (LDoms) MIB 1.0.1 Administration Guide for more information about installing and using the LDoms MIB.


Installing the Logical Domains Manager and Solaris Security Toolkit Software Automatically

If you use the install-ldm installation script, you have several choices to specify how you want the script to run. Each choice is described in the procedures that follow.

Procedure: Install With No Special Options

  1. Run the install-ldm installation script with no options.

    The installation script is part of the SUNWldm package and is in the Install subdirectory.


    # Install/install-ldm
    
    1. If one or more of the packages were previously installed, you receive this message.


      # Install/install-ldm
      ERROR: One or more packages are already installed: SUNWldm SUNWjass.
      If packages SUNWldm.v and SUNWjass are factory pre-installed, run
      install-ldm -p to perform post-install actions.  Otherwise remove the
      package(s) and restart install-ldm.

      If you want to perform post-installation actions only, go to Enable the Logical Domains Manager Daemon and Run the Solaris Security Toolkit Only.

    2. If the process is successful, you receive messages similar to those in the following examples.

    • Example 3–1 shows a successful run of the install-ldm script if you choose the following default security profile:

      a) Hardened Solaris configuration for LDoms (recommended)

    • Example 3–2 shows a successful run of the install-ldm script if you choose the following security profile:

      c) Your custom-defined Solaris security configuration profile

      The drivers that are displayed for you to choose are drivers ending with -secure.driver. If you write a customized driver that does not end with -secure.driver, you must specify your customized driver with the install-ldm -d option. (See Install With a Customized Hardening Driver.)


Example 3–1 Output From Hardened Solaris Configuration for LDoms


# Install/install-ldm
Welcome to the LDoms installer.
 
You are about to install the domain manager package that will enable
you to create, destroy and control other domains on your system. Given
the capabilities of the domain manager, you can now change the security
configuration of this Solaris instance using the Solaris Security
Toolkit.
 
Select a security profile from this list:
 
a) Hardened Solaris configuration for LDoms (recommended)
b) Standard Solaris configuration
c) Your custom-defined Solaris security configuration profile
 
Enter a, b, or c [a]: a
The changes made by selecting this option can be undone through the
Solaris Security Toolkit's undo feature. This can be done with the
`/opt/SUNWjass/bin/jass-execute -u'  command.
 
Installing LDoms and Solaris Security Toolkit packages.
pkgadd -n -d "/var/tmp/install/Product/Logical_Domain_Manager" -a pkg_admin SUNWldm.v
Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
 
Installation of <SUNWldm> was successful.
pkgadd -n -d "/var/tmp/install/Product/Solaris_Security_Toolkit" -a pkg_admin SUNWjass
Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
 
Installation of <SUNWjass> was successful. 
 
Verifying that all packages are fully installed.  OK.
Enabling services: svc:/ldoms/ldmd:default
Running Solaris Security Toolkit 4.2.0 driver ldm_control-secure.driver.
Please wait. . . 
/opt/SUNWjass/bin/jass-execute -q -d ldm_control-secure.driver
Executing driver, ldm_control-secure.driver
Solaris Security Toolkit hardening executed successfully; log file
/var/opt/SUNWjass/run/20070208142843/jass-install-log.txt.  It will not
take effect until the next reboot.  Before rebooting, make sure SSH or
the serial line is setup for use after the reboot.


Example 3–2 Output From Choosing Customized Configuration Profile


# Install/install-ldm
Welcome to the LDoms installer.
 
You are about to install the domain manager package that will enable
you to create, destroy and control other domains on your system. Given
the capabilities of the domain manager, you can now change the security
configuration of this Solaris instance using the Solaris Security
Toolkit.
 
Select a security profile from this list:
 
a) Hardened Solaris configuration for LDoms (recommended)
b) Standard Solaris configuration
c) Your custom-defined Solaris security configuration profile
 
Enter a, b, or c [a]: c
Choose a Solaris Security Toolkit .driver configuration profile from
this list
1) ldm_control-secure.driver
2) secure.driver
3) server-secure.driver
4) suncluster3x-secure.driver
5) sunfire_15k_sc-secure.driver
 
Enter a number 1 to 5: 2
The driver you selected may not perform all the LDoms-specific
operations specified in the LDoms Administration Guide.
Is this OK (yes/no)? [no] y
The changes made by selecting this option can be undone through the
Solaris Security Toolkit's undo feature. This can be done with the
`/opt/SUNWjass/bin/jass-execute -u' command.
 
Installing LDoms and Solaris Security Toolkit packages.
pkgadd -n -d "/var/tmp/install/Product/Logical_Domain_Manager" -a pkg_admin SUNWldm.v
Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
 
Installation of <SUNWldm> was successful.
pkgadd -n -d "/var/tmp/install/Product/Solaris_Security_Toolkit" -a pkg_admin SUNWjass
Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
 
Installation of <SUNWjass> was successful. 
 
Verifying that all packages are fully installed.  OK.
Enabling services: svc:/ldoms/ldmd:default
Running Solaris Security Toolkit 4.2.0 driver secure.driver.
Please wait. . . 
/opt/SUNWjass/bin/jass-execute -q -d secure.driver
Executing driver, secure.driver
Solaris Security Toolkit hardening executed successfully; log file
/var/opt/SUNWjass/run/20070102142843/jass-install-log.txt.  It will not
take effect until the next reboot.  Before rebooting, make sure SSH or
the serial line is setup for use after the reboot.

Procedure: Install With a Customized Hardening Driver

  1. Run the install-ldm installation script with the -d option to specify a Solaris Security Toolkit customized hardening driver; for example, server-secure-myname.driver.

    The installation script is part of the SUNWldm package and is in the Install subdirectory.


    # Install/install-ldm -d server-secure-myname.driver
    

    If the process is successful, you receive messages similar to those in the following example:


Example 3–3 Output From Successful Run of the install-ldm -d Script


# Install/install-ldm -d server-secure.driver
The driver you selected may not perform all the LDoms-specific
operations specified in the LDoms Administration Guide.
Installing LDoms and Solaris Security Toolkit packages.
pkgadd -n -d "/var/tmp/install/Product/Logical_Domain_Manager" -a pkg_admin SUNWldm.v
Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
 
Installation of <SUNWldm> was successful.
pkgadd -n -d "/var/tmp/install/Product/Solaris_Security_Toolkit" -a pkg_admin SUNWjass
Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
 
Installation of <SUNWjass> was successful. 
 
Verifying that all packages are fully installed.  OK.
Enabling services: svc:/ldoms/ldmd:default
Running Solaris Security Toolkit 4.2.0 driver server-secure-myname.driver.
Please wait. . . 
/opt/SUNWjass/bin/jass-execute -q -d server-secure-myname.driver
Executing driver, server-secure-myname.driver
Solaris Security Toolkit hardening executed successfully; log file
/var/opt/SUNWjass/run/20061114143128/jass-install-log.txt.  It will not
take effect until the next reboot.  Before rebooting, make sure SSH or
the serial line is setup for use after the reboot.

Procedure: Install and Do Not Harden Your System

  1. Run the install-ldm installation script with the -d none option to specify not to harden your system using a Solaris Security Toolkit driver.

    The installation script is part of the SUNWldm package and is in the Install subdirectory.


    # Install/install-ldm -d none
    

    If the process is successful, you receive messages similar to those in the following example:


Example 3–4 Output From Successful Run of the install-ldm -d none Script


# Install/install-ldm -d none
Installing LDoms and Solaris Security Toolkit packages.
pkgadd -n -d "/var/tmp/install/Product/Logical_Domain_Manager" -a pkg_admin SUNWldm.v
Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
 
Installation of <SUNWldm> was successful.
pkgadd -n -d "/var/tmp/install/Product/Solaris_Security_Toolkit" -a pkg_admin SUNWjass
Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
 
Installation of <SUNWjass> was successful. 
 
Verifying that all packages are fully installed.  OK.
Enabling services: svc:/ldoms/ldmd:default
Solaris Security Toolkit was not applied. Bypassing the use of the
Solaris Security Toolkit is not recommended and should only be
performed when alternative hardening steps are to be taken.

Procedure: Enable the Logical Domains Manager Daemon and Run the Solaris Security Toolkit Only

You might use this option if the SUNWldm and SUNWjass packages are preinstalled on your server and you want to perform the post-installation actions of enabling the Logical Domains Manager daemon (ldmd) and running the Solaris Security Toolkit.

  1. Run the install-ldm installation script with the -p option to perform only the post-installation actions of enabling ldmd and running the Solaris Security Toolkit to harden your system.


    # Install/install-ldm -p
    Verifying that all packages are fully installed.  OK.
    Enabling services: svc:/ldoms/ldmd:default
    Running Solaris Security Toolkit 4.2.0 driver ldm_control-secure.driver.
    Please wait. . .
    /opt/SUNWjass/bin/jass-execute -q -d ldm_control-secure.driver
    Solaris Security Toolkit hardening executed successfully; log file
    var/opt/SUNWjass/run/20070515140944/jass-install-log.txt.  It will not
    take effect until the next reboot.  Before rebooting, make sure SSH or
    the serial line is setup for use after the reboot.
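The install-ldm procedures above leave the operator to decide which invocation fits the host (no options, -d driver, -d none, or -p) and to read the transcript for the reboot notice or the "not applied" warning. The following helper, an added example that is not part of the Sun guide, automates both decisions. It assumes `pkginfo SUNWldm SUNWjass` prints the three-column "category pkginst name" lines pkginfo(1) normally emits; the sample inputs are constructed from the transcripts shown above.

```shell
#!/bin/sh
# Added helper for the install-ldm procedures (not part of the Sun guide).
# choose_install_mode reads `pkginfo SUNWldm SUNWjass` output on stdin
# (assumed format: "category pkginst name" per installed package) and
# prints the install-ldm invocation that matches the host's state.
choose_install_mode() {
    have_ldm=0; have_jass=0
    while read -r category pkg rest; do
        case "$pkg" in
            SUNWldm)  have_ldm=1 ;;
            SUNWjass) have_jass=1 ;;
        esac
    done
    if [ "$have_ldm" -eq 1 ] && [ "$have_jass" -eq 1 ]; then
        # Factory pre-installed: only enable ldmd and run the toolkit.
        echo "Install/install-ldm -p"
    elif [ "$have_ldm" -eq 0 ] && [ "$have_jass" -eq 0 ]; then
        echo "Install/install-ldm"
    else
        # install-ldm aborts on a partial install; clear it with pkgrm first.
        echo "mixed state: pkgrm the installed package, then rerun install-ldm" >&2
        return 1
    fi
}

# Reads an install-ldm transcript on stdin and prints one word:
# reboot-required, not-hardened, already-installed or failed.
classify_install_output() {
    state=failed
    while read -r line; do
        case "$line" in
            *"hardening executed successfully"*)                   state=reboot-required ;;
            *"Solaris Security Toolkit was not applied"*)          state=not-hardened ;;
            *"ERROR: One or more packages are already installed"*) state=already-installed ;;
        esac
    done
    echo "$state"
}

# Constructed sample inputs; on a real host they come from the commands above.
SAMPLE_PKGINFO='application SUNWldm   Logical Domains Manager
application SUNWjass  Solaris Security Toolkit'
SAMPLE_RUN='Solaris Security Toolkit hardening executed successfully; log file
/var/opt/SUNWjass/run/20070208142843/jass-install-log.txt.  It will not
take effect until the next reboot.'

printf '%s\n' "$SAMPLE_PKGINFO" | choose_install_mode        # Install/install-ldm -p
printf '%s\n' "$SAMPLE_RUN" | classify_install_output       # reboot-required
```

A reboot-required result means the hardening is staged but inactive, so confirm SSH or the serial console will still be reachable before rebooting, as the transcript itself warns.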

Using JumpStart to Install the Logical Domains Manager 1.2 and Solaris Security Toolkit 4.2 Software

Refer to JumpStart Technology: Effective Use in the Solaris Operating Environment for complete information about using JumpStart.


Caution –

Do not disconnect from the virtual console during a network installation.


Procedure: Set Up a JumpStart Server

  1. Refer to the Solaris 10 5/09 Installation Guide: Custom JumpStart and Advanced Installations.

    Perform the following steps.

    1. See Task Map: Preparing Custom JumpStart Installations in Solaris 10 5/09 Installation Guide: Custom JumpStart and Advanced Installations.

    2. Set up networked systems with the procedures in “Creating a Profile Server for Network Systems.”

    3. Create the rules file with the procedure in “Creating the rules File.”

  2. Validate the rules file with the procedure in “Validating the rules File.”

    The Solaris Security Toolkit provides profiles and finish scripts. Refer to the Solaris Security Toolkit 4.2 Reference Manual for more information about profiles and finish scripts.

Procedure: Install Using JumpStart Software

  1. Change to the directory where you have downloaded the Solaris Security Toolkit package (SUNWjass).


    # cd /path-to-download
    
  2. Install SUNWjass so that it creates the JumpStart (jumpstart) directory structure.


    # pkgadd -R /jumpstart -d . SUNWjass
    
  3. Use your text editor to modify the /jumpstart/opt/SUNWjass/Sysidcfg/Solaris_10/sysidcfg file to reflect your network environment.

  4. Copy the /jumpstart/opt/SUNWjass/Drivers/user.init.SAMPLE file to the /jumpstart/opt/SUNWjass/Drivers/user.init file.


    # cp user.init.SAMPLE user.init
    
  5. Edit the user.init file to reflect your paths.

  6. To install the Solaris Security Toolkit package (SUNWjass) onto the target system during a JumpStart install, you must place the package in the JASS_PACKAGE_MOUNT directory defined in your user.init file. For example:


    # cp -r /path/to/LDoms_Manager-1_0_2/Product/SUNWjass /jumpstart/opt/SUNWjass/Packages
    
  7. To install the Logical Domains Manager package (SUNWldm.v) onto the target system during a JumpStart install, you must place the package from the download area in the JASS_PACKAGE_MOUNT directory defined in your user.init file. For example:


    # cp -r /path/to/LDoms_Manager-1_0_2/Product/SUNWldm.v /jumpstart/opt/SUNWjass/Packages
    
  8. If you experience problems with a multihomed JumpStart server, modify the two entries in the user.init file for JASS_PACKAGE_MOUNT and JASS_PATCH_MOUNT to the correct path to the JASS_HOME_DIR/Patches and JASS_HOME_DIR/Packages directories. Refer to the comments in the user.init.SAMPLE file for more information.

  9. Use the ldm_control-secure.driver as the basic driver for the Logical Domains Manager control domain.

    Refer to Chapter 4 in the Solaris Security Toolkit 4.2 Reference Manual for information about how to modify the driver for your use. The main driver in the Solaris Security Toolkit that is the counterpart to the ldm_control-secure.driver is the secure.driver.

  10. After completing the modifications to the ldm_control-secure.driver, make the correct entry in the rules file.

    • If you want to minimize the LDoms control domain, specify the minimal-ldm_control.profile in your rules file similar to the following:


      hostname imbulu - Profiles/minimal-ldm_control.profile Drivers/ldm_control-secure-abc.driver

      Note –

      You must manually install the LDoms MIB software package after you install the LDoms and Solaris Security Toolkit packages. They are not automatically installed with the other packages.


    • If you do not want to minimize the LDoms control domain, your entry should be similar to the following:


      hostname imbulu - Profiles/oem.profile Drivers/ldm_control-secure-abc.driver

  11. If you undo hardening during a JumpStart install, you must run the following SMF command to restart the Logical Domains Manager.


    # svcadm enable svc:/ldoms/ldmd:default
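Steps 2 through 10 above build a JumpStart tree by hand, and a missing package directory or a rules entry that names a driver other than an ldm_control-secure variant is only noticed when the network install runs. The pre-flight check below is an added example, not part of the Sun guide; it assumes the five-field rules line shown in step 10 and that the Profiles/ and Drivers/ paths in it resolve under either the JumpStart root or JASS_HOME_DIR (root/opt/SUNWjass). The sample tree is constructed in the script so it runs offline.

```shell
#!/bin/sh
# Added pre-flight check for a hand-built JumpStart tree (not part of the Sun
# guide). Assumes rules lines are "keyword value begin profile finish" and that
# profile/driver paths resolve under the JumpStart root or JASS_HOME_DIR.

# Resolve a rules-file path against the JumpStart root first, then JASS_HOME_DIR.
resolve() { [ -f "$1/$3" ] && echo "$1/$3" || echo "$2/$3"; }

# check_jumpstart_tree ROOT RULES -> lists problems, returns 1 if any were found.
check_jumpstart_tree() {
    root=$1; rules=$2; jass=$root/opt/SUNWjass; rc=0
    # Steps 6-7: both packages must be in JASS_PACKAGE_MOUNT (Packages/).
    for pkg in SUNWjass SUNWldm.v; do
        [ -d "$jass/Packages/$pkg" ] || { echo "missing $jass/Packages/$pkg"; rc=1; }
    done
    # Steps 3-5: sysidcfg edited and user.init copied from user.init.SAMPLE.
    for f in Sysidcfg/Solaris_10/sysidcfg Drivers/user.init; do
        [ -f "$jass/$f" ] || { echo "missing $jass/$f"; rc=1; }
    done
    # Step 10: the finish field is the SST driver; for a control domain it
    # should be an ldm_control-secure variant or LDoms-specific hardening is skipped.
    while read -r key value begin profile finish extra; do
        case "$key" in ''|'#'*) continue ;; esac
        if [ -z "$finish" ] || [ -n "$extra" ]; then
            echo "malformed rule: $key $value"; rc=1; continue
        fi
        [ -f "$(resolve "$root" "$jass" "$profile")" ] || { echo "$value: profile $profile not found"; rc=1; }
        [ -f "$(resolve "$root" "$jass" "$finish")" ]  || { echo "$value: driver $finish not found"; rc=1; }
        case "$finish" in
            Drivers/ldm_control-secure*.driver) ;;
            *) echo "$value: $finish is not an ldm_control-secure driver"; rc=1 ;;
        esac
    done < "$rules"
    return $rc
}

# Constructed sample tree mirroring the layout the procedure creates.
make_sample_tree() {
    t=$(mktemp -d); j=$t/opt/SUNWjass
    mkdir -p "$j/Packages/SUNWjass" "$j/Packages/SUNWldm.v" \
             "$j/Sysidcfg/Solaris_10" "$j/Drivers" "$j/Profiles"
    for f in Sysidcfg/Solaris_10/sysidcfg Drivers/user.init Drivers/secure.driver \
             Drivers/ldm_control-secure-abc.driver Profiles/oem.profile \
             Profiles/minimal-ldm_control.profile; do : > "$j/$f"; done
    echo "$t"
}

T=$(make_sample_tree)
echo 'hostname imbulu - Profiles/minimal-ldm_control.profile Drivers/ldm_control-secure-abc.driver' > "$T/rules"
check_jumpstart_tree "$T" "$T/rules" && echo "rules OK"
rm -rf "$T"
```

Run it against the real tree as `check_jumpstart_tree /jumpstart /jumpstart/rules` before starting the network install; a non-zero exit lists every problem found.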
    

Installing Logical Domains Manager and Solaris Security Toolkit Software Manually

Perform the following procedures to install the Logical Domains Manager and Solaris Security Toolkit Software manually:

Procedure: Install the Logical Domains Manager (LDoms) 1.2 Software Manually

Before You Begin

Download the Logical Domains Manager 1.2 software, the SUNWldm package, from the Sun Software Download site. See Download the Software for specific instructions.

  1. Use the pkgadd(1M) command to install the SUNWldm.v package. Use the -G option to install the package in the global zone only and the -d option to specify the path to the directory that contains the SUNWldm.v package.


    # pkgadd -Gd . SUNWldm.v
    
  2. Answer y for yes to all questions in the interactive prompts.

  3. Use the pkginfo(1) command to verify that the SUNWldm package for Logical Domains Manager 1.2 software is installed.

    The revision (REV) information shown below is an example.


    # pkginfo -l SUNWldm | grep VERSION
    VERSION=1.2,REV=2007.08.23.10.20

Procedure: (Optional) Install the Solaris Security Toolkit 4.2 Software Manually

If you want to secure your system, download and install the SUNWjass package. The required patches (122608-03 and 125672-01) are included in the SUNWjass package. See Download the Software for specific instructions about downloading the software.

See Chapter 2, Security in this document for more information about security considerations when using Logical Domains Manager software. For further reference, you can find Solaris Security Toolkit 4.2 documentation at:

http://docs.sun.com

  1. Use the pkgadd(1M) command to install the SUNWjass package.


    # pkgadd -d . SUNWjass
    
  2. Use the pkginfo(1) command to verify that the SUNWjass package for Solaris Security Toolkit 4.2 software is installed.


    # pkginfo -l SUNWjass | grep VERSION
    VERSION: 4.2.0
    

Procedure: (Optional) Harden the Control Domain Manually

Perform this procedure only if you have installed the Solaris Security Toolkit 4.2 package.


Note –

When you use the Solaris Security Toolkit to harden the control domain, you disable many system services and place certain restrictions on network access. Refer to Related Documentation to find Solaris Security Toolkit 4.2 documentation for more information.


  1. Harden using the ldm_control-secure.driver.


    # /opt/SUNWjass/bin/jass-execute -d ldm_control-secure.driver
    

    You can use other drivers to harden your system. You can also customize drivers to tune the security of your environment. Refer to the Solaris Security Toolkit 4.2 Reference Manual for more information about drivers and customizing them.

  2. Answer y for yes to all questions in the interactive prompts.

  3. Shut down and reboot your server for the hardening to take place.


    # /usr/sbin/shutdown -y -g0 -i6
    

Procedure: Validate Hardening

  1. Check whether the Logical Domains hardening driver (ldm_control-secure.driver) applied hardening correctly.

    If you want to check on another driver, substitute that driver's name in this command example.


    # /opt/SUNWjass/bin/jass-execute -a ldm_control-secure.driver
    

Procedure: Undo Hardening

  1. Undo the configuration changes applied by the Solaris Security Toolkit.


    # /opt/SUNWjass/bin/jass-execute -u
    

    The Solaris Security Toolkit asks you which hardening runs you want to undo.

  2. Select the hardening runs you want to undo.

  3. Reboot the system so that the unhardened configuration takes place.


    # /usr/sbin/shutdown -y -g0 -i6
    

    Note –

    If you undo hardening that was performed during a JumpStart installation, you must run the following SMF commands to restart the Logical Domains Manager daemon (ldmd) and the virtual network terminal server daemon (vntsd).



    # svcadm enable svc:/ldoms/ldmd:default