The upgrade from SunScreen SPF-200 to SunScreen 3.1 requires a unique set of steps. You can use the SunScreen SPF-200 Screen machine and upgrade it to become a SunScreen 3.1 Screen in stealth mode. If you choose this option, plan the upgrade for a convenient time, because it requires significant downtime.
Have the original installation diskette for your SunScreen SPF-200 Screen available in case the upgrade procedure fails and you must return to your original SunScreen SPF-200 configuration.
Back up the SunScreen SPF-200 Screen. Refer to your SunScreen SPF-200 documentation, if needed.
Store this backup in a secure location because it contains sensitive information that must be protected.
Back up the SunScreen SPF-200 Administration Station, following regular Solaris procedures.
Store this backup in a secure location because it contains sensitive information that must be protected.
Install Patch 105047-21 on the Administration Station and Screen, if not already installed.
This patch is available through Sun Service.
Insert the SunScreen 3.1 CD-ROM into the Administration Station's CD-ROM drive.
Mount the CD-ROM by typing:
# volcheck
You must install a special patch onto the Screen. From the Administration Station, install the SunScreen SPF-200 patch on the Screen by typing:
# ss_client Name_of_Screen ss_patch install noreboot < \
/cdrom/cdrom0/sparc/Patches/spfUpgradePatch.tar.Z
Do not install this patch on the Administration Station itself or any other system. Do not reboot your system.
You must gather the SunScreen SPF-200 configurations and send them to the Administration Station. Run the special script to do this by typing:
# ss_client Name_of_Screen config2 > 200config.tar
This file contains sensitive information. The SKIP connection creates secure, encrypted communication between the Administration Station and the Screen. Do not send this file over insecure lines. To move this file, use a diskette or a secured connection only.
Do not change the name of the file from 200config.tar.
From the Administration Station, obtain your Administration Station's certificate ID by typing:
# skiplocal list
A list of encryption certificate IDs is displayed.
Write down the correct certificate ID for your Administration Station.
On the Screen, install Solaris 2.6, Solaris 7, or Solaris 8, following the instructions accompanying your Solaris CD.
You must reinstall the Solaris operating environment because the version of the Solaris operating environment used with the SunScreen SPF-200 cannot be upgraded.
On the Administration Station, verify that your operating environment is at least Solaris 2.6. If not, upgrade your operating environment as necessary.
On the Screen, using the same interface ID that the SunScreen SPF-200 used as its administrative interface (for example, le0), configure that interface only.
See the Solaris documentation, if necessary.
Remove the old SunScreen SPF-200 Administration Station software by typing:
# pkgrm SUNWicgSA
Remove the old SKIP packages from the Administration Station by typing:
# pkgrm SICGcrc2 SICGcrc4 SICGes SICGkeymg SICGkisup SICGbdcdr
To remove any SKIP crypto upgrades:
# pkgrm SICGcdes SICGc3des SICGcsafe SICGkdsup SICGkusup
On the Administration Station, install the SunScreen 3.1 software by following the instructions in "Installing in Stealth Mode."
On the Administration Station, move the SKIP keys by typing:
# cp -rp /etc/opt/SUNWicg/skip/* /etc/skip/.
Reboot the Administration Station by typing:
# sync; init 6
On the Screen, install the SunScreen 3.1 software by following the instructions in "Installing in Stealth Mode."
Enter the Administration Station's certificate ID from Step 7 when prompted.
On the Administration Station, create a session on the Screen by typing:
# SSADM_TICKET_FILE=$HOME/.ssadmticket
# export SSADM_TICKET_FILE
# touch $SSADM_TICKET_FILE
# chmod go= $SSADM_TICKET_FILE
# ssadm -r Name_of_Screen login admin admin
On the Administration Station, verify that you are able to remotely administer the upgraded Screen by typing:
# ssadm -r Name_of_Screen active
On the Administration Station, begin the conversion of the SunScreen SPF-200 configurations to SunScreen 3.1 policies on the Screen by typing:
# ssadm -r Name_of_Screen spf2efs < 200config.tar
Verify your migrated configuration before activating it. To view and update the migrated configurations, open a Java-enabled web browser and launch the administration GUI by typing:
http://Name_of_Screen:3852
NAT mappings have changed considerably in SunScreen 3.1. If you are using NAT, you must modify them before activating the configuration. Be aware that ordered rules is a new feature. See the SunScreen 3.1 Reference Manual for more details on ordered rules and NAT mappings.
See the SunScreen 3.1 Administration Guide for instructions on using the administration GUI.
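The following shell helpers are an added example, not part of the Sun procedure or the SunScreen software. They cover the two sensitive files the steps above handle on the Administration Station: the ssadm ticket file, which the procedure creates with touch and then restricts with chmod, and the exported 200config.tar. The function names owner_only, make_ticket_file and check_config_archive are hypothetical.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not SunScreen commands.

# True only if group and other have no permission bits on "$1".
owner_only() {
    perms=`ls -ld "$1" 2>/dev/null | cut -c5-10`
    [ "$perms" = "------" ]
}

# Create the ssadm ticket file under umask 077 so it is never group- or
# world-accessible, even for the moment between touch and chmod.
make_ticket_file() {
    ticket=$1
    if [ -h "$ticket" ]; then
        echo "refusing symbolic link: $ticket" >&2
        return 1
    fi
    ( umask 077; : >> "$ticket" ) || return 1
    chmod go= "$ticket" || return 1   # tighten a file that already existed
    owner_only "$ticket"
}

# Check the exported configuration before passing it to spf2efs.
check_config_archive() {
    archive=$1
    name=`basename "$archive"`
    if [ "$name" != "200config.tar" ]; then
        echo "file must keep the name 200config.tar" >&2
        return 1
    fi
    if [ ! -f "$archive" ] || [ -h "$archive" ]; then
        echo "not a regular file: $archive" >&2
        return 1
    fi
    if ! owner_only "$archive"; then
        echo "group/other can access $archive; run: chmod go= $archive" >&2
        return 1
    fi
    if ! tar tf "$archive" >/dev/null 2>&1; then
        echo "not a readable tar archive: $archive" >&2
        return 1
    fi
    return 0
}
```

Call make_ticket_file "$SSADM_TICKET_FILE" before the ssadm login step, and check_config_archive 200config.tar before the spf2efs step.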