SunScreen 3.1 Installation Guide

Chapter 7 Upgrading From SunScreen EFS and SunScreen SPF-200

This chapter explains how to upgrade to SunScreen 3.1 from either SunScreen EFS 1.1, 2.0, 3.0, or SunScreen SPF-200. These instructions apply to all versions of the previously mentioned products.

Topics covered include:

Overview of the upgrade from SunScreen EFS 1.1, 2.0, or 3.0
Preparing to upgrade
Upgrading a locally administered SunScreen EFS Screen
Upgrading a remotely administered SunScreen EFS Screen
Upgrading an SunScreen EFS 2.0 or 3.0 high availability (HA) system
Upgrading from SunScreen SPF-200 to SunScreen 3.1

Before You begin

Caution -

To retain your existing SunScreen configuration files, you must take special care when upgrading to SunScreen 3.1. Do not remove your existing software packages unless you are instructed to do so.

The order in which you do the installation for the upgrade software is different from an initial installation. First, you install the upgrade software on the Screen and then on the Administration Station. This order prevents damage to the existing configurations and makes it easier to communicate between the Administration Station and the Screen.

Note -

Since SunScreen 3.1 uses ordered packet filtering rules and ordered NAT mappings, you must review your packet filtering rules after the upgrade is complete to verify the filtering order. Be aware that NAT mappings in SunScreen 3.1 are different from NAT mappings in earlier releases. Please see the SunScreen 3.1 Reference Manual for details on NAT mappings.

Before installing, review the SunScreen 3.1 Release Notes for the latest information about this product.

Upgrade Overview (SunScreen EFS 1.1, 2.0, or 3.0)

If you are upgrading from SunScreen EFS 1.1 or 2.0 your machine upgrades to SunScreen 3.1 in routing mode. If you are upgrading from SunScreen EFS 3.0, the current mode of your machine is preserved.

The upgrade procedure automatically backs up your previous SunScreen configurations, certificates, and packages in case the upgrade fails. Next, the program automatically removes your previous SunScreen software packages and then installs the SunScreen 3.1 software packages. The following procedures describe how to upgrade both locally and remotely administered Screens.

Note -

Before starting the upgrade procedure, make a backup of your existing logfiles. The upgrade procedure removes your existing logfiles. Refer to your SunScreen EFS documentation for backup procedures, if needed.

Caution -

To retain configurations and SKIP keys and certificates (including your system's SKIP local identities) between software upgrades, do not remove /etc/opt/SUNWicg.

Preparing to Upgrade

The following sections describe how to prepare both locally administered and remotely administered machines for upgrading.

Note -

If you want to use the command line, be aware that some commands and some arguments have been removed or added since SunScreen EFS 1.1, 2.0, and SunScreen SPF200. Check the man pages and the SunScreen 3.1 Reference Manual.

Before proceeding, verify that all the software packages required for your operating environment are installed.

SunScreen 3.1 runs on Solaris 2.6, Solaris 7, and Solaris 8 operating environments for SPARC and Intel platforms. It also runs on Trusted Solaris 7 for the SPARC platform. If you are running Solaris 2.5.1, or earlier, you must upgrade your operating environment to at least Solaris 2.6.

In addition to the Solaris Core system support packages, there are additional Solaris packages required prior to installing SunScreen.

Caution -

Do not reinstall the Solaris Core system support software group if you are upgrading from SunScreen EFS 1.1, 2.0, or 3.0 to SunScreen 3.1.

To Install the Solaris and Kernel Patches on the Screen

Add the following packages to the Screen from your Solaris CD, if not already on your system:

If you plan on using the administration GUI on your Screen itself, you will need to install the End User distribution of Solaris, as well as the packages listed in this section.

Table 7-1 Screen Solaris Packages


Package Type	Package Name	Description
system	`SUNWeuluf`	TF-8 L10N For Language Environment User Files
system	`SUNWjvjit`	Java JIT compiler
system	S`UNWjvrt`	JavaVM run time environment
system	`SUNWlibC`	SPARCompilers Bundled libC
system	`SUNWlibms`	SPARCompilers Bundled shared libm
system	`SUNWsprot`	SPARCompilers Bundled tools
system	`SUNWtoo`	Programming Tools
system	`SUNWvolr`	Volume Management (Root)
system	`SUNWvolu`	Volume Management (Usr)
system	`SUNWxwice`	ICE components
system	`SUNWxwplt`	X Window System platform software
system	`SUNWxwrtl`	X Window System & Graphics Runtime Library Links
system	`SUNWmfrun`	Motif RunTime Kit
system	`SUNWloc`	System Localization
system	`SUNWdoc`	Documentation Tools

If you are using Solaris 2.6 as your operating environment, add the following patches, if not already on your system, by typing:

For SPARC systems:
# cd /cdrom/cdrom0/sparc/Patches
# patchadd 106125-06
# patchadd 105181-11
# patchadd 105284-15
# patchadd 105490-04
# patchadd 106040-10
# patchadd 106409-01
 
For Intel systems:
# cd /cdrom/cdrom0/i386/Patches
# patchadd 106126-06
# patchadd 105182-13
# patchadd 105285-15
# patchadd 105491-04
# patchadd 106041-10
# patchadd 106410-01

Note -

In addition to the patches provide by SunScreen 3.1, make sure you install all recommended security patches available for your operating environment. For security reasons, you should always keep your operating environment up to date with available patches.

Reboot by typing:
# sync; init 6

To Install the Solaris Packages on the Remote Administration Station

If you will be using a remote Administration Station, add the following packages to the Administration Station from your Solaris CD, if not already on your system:

Table 7-2 Administration Station Solaris Packages


Package Type	Package Name	Description
system	`SUNWjvrt`	JavaVM run time environmen
system	`SUNWmfrun`	Motif RunTime Kit
system	`SUNWxwplt`	X Window System Platform software

If you are using Solaris 2.6 as your operating environment, add the following patches, if not already on your system, by typing:

For SPARC systems:
# cd /cdrom/cdrom0/sparc/Patches
# patchadd 106125-06
# patchadd 105284-15
# patchadd 105490-04
# patchadd 106040-10
# patchadd 106409-01
 
For Intel systems:
# cd /cdrom/cdrom0/i386/Patches
# patchadd 106126-06
# patchadd 105285-15
# patchadd 105491-04
# patchadd 106041-10
# patchadd 106410-01

Note -

In addition to the patches provided by SunScreen 3.1, make sure you install all recommended security patches available for your operating environment. For security reasons, you should always keep your operating environment up to date with available patches.

Upgrading a Locally Administered SunScreen EFS Screen

The following procedures explain how to upgrade a Screen to SunScreen 3.1 from SunScreen EFS 1.1, 2.0, or 3.0.

Note -

The upgrade software automatically backs up your system in case the upgrade fails. If there are any other system backups you want to make, do so now before performing the upgrade.

To Upgrade a Locally Administered SunScreen EFS Screen

Caution -

Do not run the installation wizard as it is for an initial installation only and can corrupt your existing configurations.

Open a terminal window and become root.

Insert the SunScreen 3.1 CD-ROM into the CD-ROM drive.

When the File Manager window appears, start by clicking on the upgrade icon.

Next, the software automatically removes the existing SKIP and SunScreen EFS software packages. Wait until this completes.

The packages are removed automatically one-by-one. No confirmations are needed or accepted. The file and package names will appear as output on your monitor.

Next, the SunScreen 3.1 software is automatically installed.

The file and package names appear as output, wait until this completes.

Next, your existing SunScreen EFS configurations are automatically converted to SunScreen 3.1 policies.

If there are any conversion errors, they are itemized and appear on your monitor. Wait until this completes.

Remove the old SunScreen EFS PATH and MANPATH from your shell initialization file.

Set the PATH and MANPATH by editing your shell initialization file (such as .profile or .login file).

PATH=/opt/SUNWicg/SunScreen/bin:$PATH PATH=/usr/dt/bin:$PATH export PATH MANPATH=$MANPATH:/opt/SUNWicg/SunScreen/man export MANPATH

Install any SKIP upgrades (see "Upgrading Cryptography Modules").

While you do not need to use encryption in a locally administered Screen, you may want to use encrypted communication for a VPN over public and private networks.

Reboot by typing:
# sync; init 6

Open a terminal window and become root.

List the policies that have been converted by typing:
# ssadm policy -l
Note -
NAT mappings have changed considerably in SunScreen 3.1. If you are using NAT and are upgrading from SunScreen EFS 1.1 or 2.0, you must modify your NAT mappings before you activate the configuration. If you are converting from SunScreen EFS 1.1, be aware that ordered rules is a new feature. See the SunScreen 3.1 Reference Manual for more details on ordered rules.

Choose the one policy that you want to activate by typing:
# ssadm activate configuration_name

To configure and manage your Screen from your Administration Station, run a Java-enabled Web browser compliant with JDK 1.1.3 or later, and launch the administration GUI by typing the following URL:
http://localhost:3852

For management information, see the SunScreen 3.1 Administration Guide.

Upgrading a Remotely Administered SunScreen EFS Screen

The following procedures explain how to upgrade a remotely administered SunScreen EFS Screen to a SunScreen 3.1 Screen. The upgrade software automatically backs up your system in case the upgrade fails. If there are any other system backups you want to make, do so before performing the upgrade.

Note -

The upgrade procedure for remote administration requires that you install the upgrade software on the Screen first and then on the Administration Station.

To Upgrade the Screen

Follow the instructions in "To Upgrade a Locally Administered SunScreen EFS Screen." This portion of the process is the same whether you are using local or remote administration.

After you finish the Screen upgrade, move to the remote Administration Station.

To Upgrade the Remote Administration Station

Note -

This is a manual procedure. Do not run the upgrade script on the Administration Station.

Open a terminal window on the Administration Station and become root.

Remove each SunScreen EFS 1.1, 2.0, or 3.0, package individually by typing:

For SunScreen EFS 1.1:
# pkgrm SUNWicgSA 
 
For SunScreen EFS 2.0:
# pkgrm SUNWicgSA SUNWicgSD SUNWicgSM SUNWHJicg
 
For SunScreen EFS 3.0:
# pkgrm SUNWicgSA SUNWicgSD SUNWicgSM SUNWicgSS SUNWdthj SUNWhttp

Follow the program prompts and answer all the questions with y.

The pkgrm program ends with the statement: Removal of name_of_package was successful.

Note -
If you did not originally install any of these packages, omit them from the string or else remove the packages one at a time.

Remove the SKIP software packages by typing:

For SunScreen EFS 1.1 and 2.0:
# pkgrm SICGcrc2 SICGcrc4 SICGes SICGkeymg SICGkisup SICGbdcdr
 
For SunScreen EFS 3.0:
# pkgrm SUNWbcd SUNWbdcx SUNWrc2 SUNWrc4 SUNWrc4x SUNWes SUNWesx SUNWkeyman SUNWkisup

(EFS 1.1 and 2.0 only) You can leave any SunScreen EFS 3.0 cryptography upgrades on your system. Remove any SKIP cryptography upgrades by typing:
For SunScreen EFS 1.1 and 2.0: #pkgrm SICGcdes SICGc3des SICGcsafe SICGkdsup SICGkusup

Insert the SunScreen 3.1 CD-ROM into the Administration Station's CD-ROM drive.

Add the SunScreen 3.1 packages by typing:

For SPARC systems:
# pkgadd  -d /cdrom/cdrom0/sparc
 
For Intel systems:
# pkgadd  -d /cdrom/cdrom0/i386

For SPARC systems, you are prompted with a menu of packages to install:

The following packages are available:
1  NSCPcom       Netscape Communicator
                   (sparc) 20.4.70,REV=1999.08.20.17.43
  2  SUNWbdc       SKIP Bulk Data Crypt
                   (sparc) 1.5.1
  3  SUNWbdcx      SKIP Bulk Data Crypt (64-bit)
                   (sparc) 1.5.1
  4  SUNWdes       SKIP DES Crypto Module
                   (sparc) 1.5.1
  5  SUNWdesx      SKIP DES Crypto Module (64-bit)
                   (sparc) 1.5.1
  6  SUNWdthj      HotJava Browser for Solaris
                   (sparc) 1.1.5,REV=1998.12.03
  7  SUNWdtnsc     Netscape Componentization Support for CDE
                   (sparc) 1.0,REV=1999.06.14.15.50
  8  SUNWes        SKIP End System
                   (sparc) 1.5.1
  9  SUNWesx       SKIP End System (64-bit)
                   (sparc) 1.5.1
 10  SUNWfwcnv     SunScreen Firewall conversion
                   (sparc) 3.1
11  SUNWhttp      Sun WebServer daemon and supporting binaries
                   (sparc) 2.0
 12  SUNWicgSA     SunScreen Administration Software
                   (sparc) 3.1
 13  SUNWicgSD     SunScreen online documentation
                   (sparc) 3.1
 14  SUNWicgSF     SunScreen full function
                   (sparc) 3.1
 15  SUNWicgSM     SunScreen man pages
                   (sparc) 3.1
 16  SUNWicgSS     SunScreen Firewall
                   (sparc) 3.1
 17  SUNWkeymg     SKIP Key Manager Tools
                   (sparc) 1.5.1
 18  SUNWkusup     SKIP U-Support module
                   (sparc) 1.5.1
 19  SUNWrc2       SKIP RC2 Crypto Module
                   (sparc) 1.5.1
 20  SUNWrc4       SKIP RC4 Crypto Module
                   (sparc) 1.5.1
21  SUNWrc4x      SKIP RC4 Crypto Module (64-bit)
                   (sparc) 1.5.1
 22  SUNWsman      SKIP Man Pages
                   (sparc) 1.5.1
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:

For Intel systems, you are prompted with a menu of packages to install:

The following packages are available:
1  NSCPcom       Netscape Communicator
                   (i386) 20.4.70,REV=1999.08.20.17.56
  2  SUNWbdc       SKIP Bulk Data Crypt
                   (i386) 1.5.1
  3  SUNWdes       SKIP DES Crypto Module
                   (i386) 1.5.1
  4  SUNWdthj      HotJava Browser for Solaris
                   (i386) 1.1.5,REV=1998.12.03
  5  SUNWdtnsc     Netscape Componentization Support for CDE
                   (i386) 1.0,REV=1999.06.14.15.53
  6  SUNWes        SKIP End System
                   (i386) 1.5.1
  7  SUNWfwcnv     SunScreen Firewall conversion
                   (i386) 3.1
  8  SUNWhttp      Sun WebServer daemon and supporting binaries
                   (i386) 2.0
  9  SUNWicgSA     SunScreen Administration Software
                   (i386) 3.1
 10  SUNWicgSD     SunScreen online documentation
                   (i386) 3.1
11  SUNWicgSF     SunScreen full function
                   (i386) 3.1
 12  SUNWicgSM     SunScreen man pages
                   (i386) 3.1
 13  SUNWicgSS     SunScreen Firewall
                   (i386) 3.1
 14  SUNWkeymg     SKIP Key Manager Tools
                   (i386) 1.5.1
 15  SUNWkusup     SKIP U-Support module
                   (i386) 1.5.1
 16  SUNWrc2       SKIP RC2 Crypto Module
                   (i386) 1.5.1
 17  SUNWrc4       SKIP RC4 Crypto Module
                   (i386) 1.5.1
 18  SUNWsman      SKIP Man Pages
                   (i386) 1.5.1

For a minimum SPARC installation, type: 2-5, 8-9, 12, 17-21 For a minimum Intel installation, type: 2-3, 6, 9, 14-17

Follow the program prompts, answering all the questions with y.

When completed, you return to the same menu of packages.

Type q to quit pkgadd.

(EFS 1.1 and 2.0 only) Move the SKIP keys by typing:
# cp -rp /etc/opt/SUNWicg/skip/* /etc/skip/.

Eject the CD-ROM from the CD-ROM drive by typing:
# eject cdrom0

Install any SKIP upgrades (see "Upgrading Cryptography Modules").

Reboot to complete the upgrade by typing:
# sync; init 6

Open a terminal window and become root.

To configure and manage your Screen from your Administration Station, run a Java-enabled Web browser compliant with JDK 1.1.3 or later, and launch the administration GUI by typing the following URL:
http://name_of_screen:3852

To configure and manage your Screen, see the SunScreen 3.1 Administration Guide.

Upgrading an High Availability (HA) System

Note -

Do not run the upgrade procedure on an HA secondary machine. Run it only on the HA primary machine.

Overview

To upgrade a SunScreen EFS 2.0 or 3.0 HA system, you must:

Upgrade the HA secondary machine.
1. Manually remove the SunScreen EFS 2.0 or 3.0 software packages, certificates, configurations, and logfiles
2. Run the installation program to install the SunScreen 3.1 software.

Upgrade the SunScreen EFS HA primary machine.
1. Run the upgrade program on the HA primary machine
2. Complete the upgrade on the primary machine

Finish the Upgrade
1. Defining a Screen object for each upgraded HA secondary system.
2. Activate the configuration.

To Upgrade a SunScreen EFS HA Secondary Machine

To upgrade a SunScreen EFS secondary machine, you must first manually remove the old SunScreen EFS software. Then, you install the new SunScreen 3.1 software.

Remove the SunScreen EFS Software

On the machine that is the SunScreen EFS secondary, become root.

Remove the SunScreen EFS software packages by typing:

For SunScreen EFS 2.0:
# pkgrm SUNWicgSS SUNWicgEF SUNWicgSM SUNWHJicg SUNWjvjit SUNWjvrt SUNWicgSD SUNWicgSA
SUNWfwcnv
 
For SunScreen EFS 3.0:
# pkgrm SUNWicgSS SUNWicgSA SUNWicgSD SUNWicgSM SUNWdthj SUNWfwcnv SUNWhttp SUNWsman

Note -

If you did not originally install any of these packages, omit them from the string or else remove the packages one at a time.

Remove any SKIP software packages by typing:

For SunScreen EFS 2.0:
# pkgrm SICGcrc2 SICGcrc4 SICGes SICGkeymg SICGkisup SICGbdcdr
 
For SunScreen EFS 3.0:
# pkgrm SUNWbcd SUNWbdcx SUNWrc2 SUNWrc4 SUNWrc4x SUNWes SUNWesx SUNWkeyman SUNWkisup

(EFS 2.0 only) Leave any SunScreen EFS 3.0 cryptography upgrades on your system. If needed, remove any SKIP cryptography upgrades by typing:
# pkgrm SICGcdes SICGc3des SICGcsafe SICGkdsup SICGkusup

Remove all old SunScreen EFS certificates, configurations, and logfiles by typing:
# rm -rf /var/opt/SUNWicg /etc/opt/SUNWicg/etc/skip

Reboot your machine to complete the removal of the SunScreen EFS installation by typing:
# sync; init 6

Install SunScreen 3.1

Before You Begin

Before you start, you will need to know the name of the HA network interface and the IP address of the primary HA interface. You can determine the name of the HA interface by issuing these commands on the secondary machine:

# ssadm edit initial
edit> list interface

To determine the IP address of the HA primary network interface, run the ifconfig -a command on the HA primary machine.

Install the Software

Follow the directions for a regular installation (routing with local administration, routing with remote administration, or stealth) with these exceptions:

Exception 1 -- When you encounter the Secondary HA Designation window (as was shown in "Installing in Routing Mode With Local Administration"), select Yes, then click Next.

Exception 2 -- When you encounter the Secondary HA Data window:

Type the HA interface. This is the network interface (for example qfe0) on both the primary and secondary systems that are used for administration and HA communication.

Type the HA primary IP address. This is the IP address of the primary machine's HA interface.

To Upgrade the HA Primary Machine

Run the Upgrade Program

Follow the procedure "To Upgrade a Locally Administered SunScreen EFS Screen." Then, return to this section.

Complete the HA Primary Upgrade

Overview

After you upgrade the SunScreen EFS 2.0 or 3.0 HA primary Screen to SunScreen 3.1, you must define that Screen's HA interface. You do this only on the HA primary Screen and not on any of the HA secondary Screens. Before proceeding, you must know the following information:

the machine name of the HA primary Screen (for example haprimary)
the IP addresses on your dedicated HA network (for example 129.129.129.0 to 129.129.129.255)
the network interface to be used for HA communication (for example qfe0)
the name of the SunScreen EFS 2.0 or 3.0 active configuration (for example Initial)

Steps

On the HA primary Screen, open a terminal window and become root.

Use the following as an example of what you would type to define the primary HA interface:

# ssadm edit Initial
edit> add address qfe0 RANGE 129.129.129.0 129.129.129.255
edit> delete interface qfe0
edit> add interface SCREEN haprimary qfe0 HA qfe0
edit> save
edit> quit

To Finish the HA Upgrade

SunScreen EFS 3.0 to SunScreen 3.1

If you are upgrading from SunScreen EFS 3.0 to SunScreen 3.1, all you have to do is activate the configuration by typing a command similar to the following, on the primary machine:

# ssadm activate Initial

SunScreen EFS 2.0 to SunScreen 3.1

The last steps are done on the upgraded primary Screen. These steps include initializing the primary interface, adding the HA secondary IP address, and then activating the configuration.

Initialize the primary network interface by typing a command similar to the following:
# ssadm ha init_primary qfe0

Add the IP address of the secondary HA machine by typing a command similar to the following:
# ssadm ha add_secondary 123.234.123.210

Activate the configuration by typing a command similar to the following:
# ssadm activate Initial

Upgrading From SunScreen SPF-200 to SunScreen 3.1 in Stealth Mode

The upgrade from SunScreen SPF-200 to SunScreen 3.1 requires a unique set of steps. You can use the SunScreen SPF-200 Screen machine and upgrade it to become a SunScreen 3.1 Screen in stealth mode. If choosing this option, you should plan a time that is convenient for the upgrade as it will require significant downtime.

Note -

Have your original installation diskette for your SunScreen SPF-200 Screen in the event that the upgrade procedure fails and you must then return to your original SunScreen SPF-200 configuration.

To Upgrade From SPF-200 to SunScreen 3.1 in Stealth Mode

Back up the SunScreen SPF-200 Screen. Refer to your SunScreen SPF-200 documentation, if needed.

Store this backup in a secure location because it contains sensitive information that must be protected.

Back up the SunScreen SPF-200 Administration Station, following regular Solaris procedures.

Store this backup in a secure location because it contains sensitive information that must be protected.

Install Patch 105047-21 on the Administration Station and Screen, if not already installed.

This patch is available through Sun Service.

Insert the SunScreen 3.1 CD-ROM into the Administration Station's CD-ROM drive.

Mount the CD-ROM by typing:
# volcheck

You must install a special patch onto the Screen. From the Administration Station, install the SunScreen SPF-200 patch on the Screen by typing:
# ss_client Name_of_Screen ss_patch install noreboot < \ /cdrom/cdrom0/sparc/Patches/spfUpgradePatch.tar.Z
Note -
Do not install this patch on the Administration Station itself or any other system. Do not reboot your system.

You must gather the SunScreen SPF-200 configurations and send them to the Administration Station. Run the special script to do this by typing:
# ss_client Name_of_Screen config2 > 200config.tar
This file contains sensitive information. The SKIP connection creates secure, encrypted communication between the Administration Station and the Screen. Do not send this file over insecure lines. To move this file, use a diskette or a secured connection only.

Note -
Do not change the name of the file from 200config.tar.

From the Administration Station, obtain your Administration Station's certificate ID by typing:
# skiplocal list
A list of encryption certificate IDs is displayed.

Write down the correct certificate ID for your Administration Station.

On the Screen, install either Solaris 2.6 , Solaris 7, or Solaris 8, following the instructions accompanying your Solaris CD.

Note -
You must reinstall the Solaris operating environment because the version of the Solaris operating envronment used with the SunScreen SPF-200 cannot be upgraded.

On the Administration Station, verify that your operating environment is at least Solaris 2.6. If not, upgrade your operating environment as necessary.

On the Screen, using the same interface ID that the SunScreen SPF-200 used as its administrative interface (for example, le0), configure that interface only.

See the Solaris documentation, if necessary.

Remove the old SunScreen SPF-200 Administration Station software by typing:
# pkgrm SUNWicgSA

Remove the old SKIP packages from the Administration Station by typing:

# pkgrm SICGcrc2 SICGcrc4 SICGes SICGkeymg SICGkisup SICGbdcdr
 
To remove any SKIP crypto upgrades:
# pkgrm SICGcdes SICGc3des SICGcsafe SICGkdsup SICGkusup

On the Administration Station, install the SunScreen 3.1 software by following the instructions in "Installing in Stealth Mode."

On the Administration Station, move the SKIP keys by typing:
# cp -rp /etc/opt/SUNWicg/skip/* /etc/skip/.

Reboot the Administration Station by typing:
# sync; init 6

On the Screen, install the SunScreen 3.1 software by following the instructions in "Installing in Stealth Mode."

Enter the Administration Station's certificate ID from Step 7 when prompted.

On the Administration Station, create a session on the Screen by typing:

# SSADM_TICKET_FILE=$HOME/.ssadmticket
# export SSADM_TICKET_FILE
# touch $SSADM_TICKET_FILE
# chmod go= $SSADM_TICKET_FILE
# ssadm -r Name_of_Screen login admin admin

On the Administration Station, verify that you are able to remotely administer the upgraded Screen by typing:
# ssadm -r Name_of_Screen active

On the Administration Station, begin the conversion of the SunScreen SPF-200 configurations to SunScreen 3.1 policies on the Screen by typing:
# ssadm -r Name_of_Screen spf2efs < 200config.tar

Verify your migrated configuration before activating it. To view and update the migrated configurations, open a Java-enabled web browser and launch the administration GUI by typing:
http://Name_of_Screen:3852
Note -
NAT mappings have changed considerably in SunScreen 3.1. If you are using NAT, you must modify them before activating the configuration. Be aware that ordered rules is a new feature. See the SunScreen 3.1 Reference Manual for more details on ordered rules and NAT mappings.

See the SunScreen 3.1 Administration Guide for instructions on using the administration GUI.

On the Administration Station, activate your migrated configuration by typing:
# ssadm -r Name_of_Screen activate Name_of_Configuration