Upgrading an High Availability (HA) System

Do not run the upgrade procedure on an HA secondary machine. Run it only on the HA primary machine.

Overview

To upgrade a SunScreen EFS 2.0 or 3.0 HA system, you must:

1. Upgrade the HA secondary machine.

   1. Manually remove the SunScreen EFS 2.0 or 3.0 software packages, certificates, configurations, and logfiles

   2. Run the installation program to install the SunScreen 3.1 software.

2. Upgrade the SunScreen EFS HA primary machine.

   1. Run the upgrade program on the HA primary machine

   2. Complete the upgrade on the primary machine

3. Finish the Upgrade

   1. Defining a Screen object for each upgraded HA secondary system.

   2. Activate the configuration.

To Upgrade a SunScreen EFS HA Secondary Machine

To upgrade a SunScreen EFS secondary machine, you must first manually remove the old SunScreen EFS software. Then, you install the new SunScreen 3.1 software.

Remove the SunScreen EFS Software

1. On the machine that is the SunScreen EFS secondary, become root.

2. Remove the SunScreen EFS software packages by typing:

   For SunScreen EFS 2.0: # pkgrm SUNWicgSS SUNWicgEF SUNWicgSM SUNWHJicg SUNWjvjit SUNWjvrt SUNWicgSD SUNWicgSA SUNWfwcnv For SunScreen EFS 3.0: # pkgrm SUNWicgSS SUNWicgSA SUNWicgSD SUNWicgSM SUNWdthj SUNWfwcnv SUNWhttp SUNWsman

   ---

   Note -

   If you did not originally install any of these packages, omit them from the string or else remove the packages one at a time.

   ---

3. Remove any SKIP software packages by typing:

   For SunScreen EFS 2.0: # pkgrm SICGcrc2 SICGcrc4 SICGes SICGkeymg SICGkisup SICGbdcdr For SunScreen EFS 3.0: # pkgrm SUNWbcd SUNWbdcx SUNWrc2 SUNWrc4 SUNWrc4x SUNWes SUNWesx SUNWkeyman SUNWkisup

4. (EFS 2.0 only) Leave any SunScreen EFS 3.0 cryptography upgrades on your system. If needed, remove any SKIP cryptography upgrades by typing:

   # pkgrm SICGcdes SICGc3des SICGcsafe SICGkdsup SICGkusup

5. Remove all old SunScreen EFS certificates, configurations, and logfiles by typing:

   # rm -rf /var/opt/SUNWicg /etc/opt/SUNWicg/etc/skip

6. Reboot your machine to complete the removal of the SunScreen EFS installation by typing:

   # sync; init 6

Install SunScreen 3.1

Before You Begin

Before you start, you will need to know the name of the HA network interface and the IP address of the primary HA interface. You can determine the name of the HA interface by issuing these commands on the secondary machine:

# ssadm edit initial
edit> list interface

To determine the IP address of the HA primary network interface, run the ifconfig -a command on the HA primary machine.

Install the Software

Follow the directions for a regular installation (routing with local administration, routing with remote administration, or stealth) with these exceptions:

Exception 1 -- When you encounter the Secondary HA Designation window (as was shown in "Installing in Routing Mode With Local Administration"), select Yes, then click Next.

Exception 2 -- When you encounter the Secondary HA Data window:

• Type the HA interface. This is the network interface (for example qfe0) on both the primary and secondary systems that are used for administration and HA communication.

• Type the HA primary IP address. This is the IP address of the primary machine's HA interface.

To Upgrade the HA Primary Machine

Run the Upgrade Program

1. Follow the procedure "To Upgrade a Locally Administered SunScreen EFS Screen." Then, return to this section.

Complete the HA Primary Upgrade

Overview

After you upgrade the SunScreen EFS 2.0 or 3.0 HA primary Screen to SunScreen 3.1, you must define that Screen's HA interface. You do this only on the HA primary Screen and not on any of the HA secondary Screens. Before proceeding, you must know the following information:

• the machine name of the HA primary Screen (for example haprimary)

• the IP addresses on your dedicated HA network (for example 129.129.129.0 to 129.129.129.255)

• the network interface to be used for HA communication (for example qfe0)

• the name of the SunScreen EFS 2.0 or 3.0 active configuration (for example Initial)

Steps

1. On the HA primary Screen, open a terminal window and become root.

2. Use the following as an example of what you would type to define the primary HA interface:

   # ssadm edit Initial edit> add address qfe0 RANGE 129.129.129.0 129.129.129.255 edit> delete interface qfe0 edit> add interface SCREEN haprimary qfe0 HA qfe0 edit> save edit> quit

To Finish the HA Upgrade

SunScreen EFS 3.0 to SunScreen 3.1

If you are upgrading from SunScreen EFS 3.0 to SunScreen 3.1, all you have to do is activate the configuration by typing a command similar to the following, on the primary machine:

# ssadm activate Initial

SunScreen EFS 2.0 to SunScreen 3.1

The last steps are done on the upgraded primary Screen. These steps include initializing the primary interface, adding the HA secondary IP address, and then activating the configuration.

1. Initialize the primary network interface by typing a command similar to the following:

   # ssadm ha init_primary qfe0

2. Add the IP address of the secondary HA machine by typing a command similar to the following:

   # ssadm ha add_secondary 123.234.123.210

3. Activate the configuration by typing a command similar to the following:

   # ssadm activate Initial