SunScreen 3.2 Installation Guide

Upgrading a High Availability System

High availability (HA) enables you to deploy groups of Screens together in situations in which the connection between a protected inside network and an insecure outside network is critical. At any time, one member of the HA cluster is the active Screen while the other members are passive. The passive Screens generate the same state as the active Screen but they do not forward traffic. When an active Screen fails, the passive Screen that has been running the longest takes over as the active Screen within 15 seconds. During the 15 seconds, no traffic goes through the HA cluster. An active Screen can be either a secondary Screen or a primary Screen, which administers the secondary Screens. (See "Using High Availability" in SunScreen 3.2 Administration Guide for details regarding creating an HA cluster.)

The actual upgrade procedure is run on the HA primary Screen, only. Before proceeding, manually remove any previously installed SunScreen software from the HA secondary Screens.

The general steps needed to upgrade an HA system running SunScreen EFS 2.0, 3.0, or SunScreen 3.1 are described as follows:

To Upgrade an HA System
  1. Backup your SunScreen and SKIP configurations and logfiles.

    For the commands you use to back up this information, refer to the documentation that accompanied your release of SunScreen.

  2. On the HA secondary Screen:

    1. Manually remove the SunScreen EFS 2.0, 3.0, or SunScreen 3.1 software packages, certificates, policies, and log files.

    2. Run the SunScreen HA command to initialize the secondary.

  3. On the HA primary Screen:

    1. Run the upgrade program.

    2. Complete the primary upgrade.

  4. Complete the upgrade:

    1. If upgrading from SunScreen EFS 2.0, define a screen object for each upgraded HA secondary Screen (see "Working With Screen Objects" in the SunScreen 3.2 Administration Guide).

    2. Activate the desired policy.

To Upgrade the HA Secondary Screen
  1. Before proceeding, remove any previously installed SunScreen software from the secondary Screen, manually.

  2. On the secondary Screen, determine the name of the primary Screen (the Screen that will run the upgrade program) and the network interface it uses for HA by typing:


    # ssadm edit Initial
    edit> list interface
    
  3. On the primary Screen, determine the IP address of the primary Screen's HA interface by typing:


    # ifconfig -a
    

    This command lists all of the network interfaces that Solaris has plumbed. The IP address of the primary Screen's HA interface appears on the inet line under the HA interface name you found in the previous step.
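    The following is an added example, not part of the SunScreen guide, that picks the address of a named interface out of ifconfig -a output so the primary Screen's HA address can be recorded without reading the whole listing by eye. It assumes the Solaris ifconfig(1M) layout shown in the guide (an interface header line such as "qfe0: flags=..." followed by an indented "inet A.B.C.D netmask ..." line); the sample listing and its addresses are constructed for the example, and the function names are the example's own.

```sh
#!/bin/sh
# Added example (not from the SunScreen guide): extract one interface's IPv4
# address from "ifconfig -a" output on Solaris.

# iface_addr IFNAME < ifconfig_output
# Prints the inet address of IFNAME; exits 1 (prints nothing) if IFNAME is
# not plumbed or has no IPv4 address.
iface_addr() {
    awk -v want="$1" '
        # A line that starts in column 1 is an interface header ("qfe0: ...").
        /^[^ \t]/ { cur = $1; sub(/:$/, "", cur) }
        # The indented "inet A.B.C.D ..." line under the wanted header.
        cur == want && $1 == "inet" { print $2; found = 1; exit }
        END { if (found) exit 0; exit 1 }
    '
}

# Constructed sample of "ifconfig -a" on a primary Screen with a loopback,
# an outside interface and the dedicated HA interface qfe0 (addresses made up).
SAMPLE_IFCONFIG='lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.10.5 netmask ffffff00 broadcast 192.168.10.255
qfe0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 10.0.4.1 netmask ffffff00 broadcast 10.0.4.255'

# ha_addr_from_sample IFNAME: look IFNAME up in the constructed sample.
# On a real Screen, run:  ifconfig -a | iface_addr qfe0
ha_addr_from_sample() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | iface_addr "$1"
}
```

    The function matches only the "inet" line, so an IPv6 "inet6" entry for the same interface is ignored, and a name that is not plumbed yields an exit status of 1 rather than an empty address that could be pasted into the secondary's HA configuration by mistake.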

To Remove the SunScreen Software

The following steps describe how to manually remove the SunScreen EFS 2.0, 3.0, or SunScreen 3.1 software packages, certificates, policies, and log files:

  1. On the secondary Screen, open a terminal window and become root, if not already.

  2. Remove the SunScreen software packages by typing:

    1. For SunScreen EFS 2.0:


      # pkgrm SUNWicgSS SUNWicgEF SUNWicgSM SUNWHJicg SUNWicgSD SUNWicgSA SUNWfwcnv
      
    2. For SunScreen EFS 3.0:


      # pkgrm SUNWicgSS SUNWicgSA SUNWicgSD SUNWicgSM SUNWdthj SUNWfwcnv SUNWhttp
      
    3. For SunScreen 3.1:


      # pkgrm SUNWicgSF SUNWicgSS SUNWicgSA SUNWicgSD SUNWicgSM SUNWdthj SUNWfwcnv SUNWhttp
      

    Note -

    If you did not originally install some of these packages, omit them from the command line (pkgrm stops on a package that is not installed), or remove the packages one at a time.


  3. Remove any SKIP software packages by typing:

    1. For SunScreen EFS 2.0:


      # pkgrm SICGcrc2 SICGcrc4 SICGes SICGkeymg SICGkisup SICGbdcdr
      
    2. For SunScreen EFS 3.0:


      # pkgrm SUNWbcd SUNWbdcx SUNWrc2 SUNWrc4 SUNWrc4x SUNWes SUNWesx SUNWkeyman SUNWkisup SUNWsman
      

    Note -

    SunScreen 3.2 uses the same SKIP modules that SunScreen 3.1 used, plus a few additional packages, so the SunScreen 3.1 SKIP packages are not removed here.


  4. For SunScreen EFS 2.0, if needed, remove any SKIP cryptography upgrade packages by typing:


    # pkgrm SICGcdes SICGc3des SICGcsafe SICGkdsup SICGkusup
    

    Note -

    This step applies to SunScreen EFS 2.0 only. Leave any cryptography upgrades installed for SunScreen EFS 3.0 or SunScreen 3.1 on your system, because SunScreen 3.2 uses the same SKIP modules as SunScreen 3.1.


  5. Remove all previously installed SunScreen EFS certificates, configurations, and log files by typing:


    # rm -rf /var/opt/SUNWicg /etc/opt/SUNWicg /etc/skip
    

    Note -

    After you reboot, physically disconnect the secondary node from every network except the dedicated HA network. Until the new software is installed the node has no firewall, so leaving it on the inside or outside network would leave it unprotected.


  6. Reboot your system to complete the removal of the previously installed SunScreen software by typing:


    # sync; init 6
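    The following is an added example, not part of the SunScreen guide, that turns the removal steps above into a script: it removes only those SunScreen and SKIP packages that pkginfo(1) reports as installed, so pkgrm does not stop on a package that was never installed. The package lists are the ones given in the steps above; the release keywords (efs20, efs30, ss31) and the function names are the example's own, and it assumes the Solaris pkginfo -q and pkgrm commands.

```sh
#!/bin/sh
# Added example (not from the SunScreen guide): remove the installed subset of
# the SunScreen/SKIP packages for a given release. Run as root on the
# secondary Screen.

# Package lists as given in the guide, in the guide's order.
EFS20_PKGS="SUNWicgSS SUNWicgEF SUNWicgSM SUNWHJicg SUNWicgSD SUNWicgSA SUNWfwcnv"
EFS20_SKIP="SICGcrc2 SICGcrc4 SICGes SICGkeymg SICGkisup SICGbdcdr"
EFS20_CRYPTO="SICGcdes SICGc3des SICGcsafe SICGkdsup SICGkusup"
EFS30_PKGS="SUNWicgSS SUNWicgSA SUNWicgSD SUNWicgSM SUNWdthj SUNWfwcnv SUNWhttp"
EFS30_SKIP="SUNWbcd SUNWbdcx SUNWrc2 SUNWrc4 SUNWrc4x SUNWes SUNWesx SUNWkeyman SUNWkisup SUNWsman"
SS31_PKGS="SUNWicgSF SUNWicgSS SUNWicgSA SUNWicgSD SUNWicgSM SUNWdthj SUNWfwcnv SUNWhttp"

# is_installed PKG: true when PKG is in the Solaris package database.
# (pkginfo -q prints nothing and reports only by exit status.)
is_installed() { pkginfo -q "$1"; }

# installed_subset PKG...: print the arguments that are installed, keeping
# the given order, since pkgrm order matters for dependent packages.
installed_subset() {
    out=""
    for p in "$@"; do
        is_installed "$p" && out="$out $p"
    done
    echo "${out# }"
}

# removal_list RELEASE: the packages to hand to pkgrm for that release.
# SKIP packages go only for EFS 2.0 and 3.0; 3.2 keeps the 3.1 SKIP modules,
# and the EFS 3.0/3.1 cryptography upgrades stay on the system.
removal_list() {
    case "$1" in
        efs20) installed_subset $EFS20_PKGS $EFS20_SKIP $EFS20_CRYPTO ;;
        efs30) installed_subset $EFS30_PKGS $EFS30_SKIP ;;
        ss31)  installed_subset $SS31_PKGS ;;
        *)     echo "unknown release: $1 (use efs20, efs30 or ss31)" >&2; return 2 ;;
    esac
}

# remove_sunscreen RELEASE: pkgrm the installed packages for RELEASE.
remove_sunscreen() {
    pkgs=$(removal_list "$1") || return $?
    if [ -z "$pkgs" ]; then
        echo "no $1 SunScreen packages are installed; nothing to remove"
        return 0
    fi
    echo "removing: $pkgs"
    pkgrm $pkgs
}

# Usage:  sh remove_sunscreen.sh ss31
case "${1:-}" in
    efs20|efs30|ss31) remove_sunscreen "$1" ;;
esac
```

    The script only removes packages; the certificate, configuration and log directories still have to be deleted and the system rebooted as in steps 5 and 6.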
    
To Install the Software on the HA Secondary Screen
  1. Follow the procedure as described in "To Install HA on the Secondary HA Screen" in Chapter 5, "Using High Availability," in the SunScreen 3.2 Administration Guide.

To Upgrade the HA Primary Screen
  1. Follow the procedure "To Upgrade a Locally-Administered Screen", then return to this section to complete the HA system upgrade.

  2. For SunScreen EFS 2.0 upgrades, you must also define the Screen's HA interface.

    Before proceeding, you must know the following information:

    • The machine name of the HA primary Screen

    • The IP addresses on your dedicated HA network (for example 10.0.4.0 to 10.0.4.255)

    • The network interface to be used for HA communication (for example qfe0)

    • The name of the active policy configuration (for example Initial)

    1. On the HA primary Screen, open a terminal window and become root, if not already.

    2. The following is an example of what to type to define the primary Screen's HA interface:


      # ssadm edit Initial
      edit> add address qfe0 RANGE 10.0.4.0 10.0.4.255
      edit> delete interface qfe0
      edit> add interface SCREEN haprimary qfe0 HA qfe0
      edit> save
      edit> quit
      
To Complete the HA Upgrade
  1. For SunScreen EFS 3.0 or SunScreen 3.1:

    1. On the primary Screen, activate the policy configuration by typing a command similar to the following:


      # ssadm activate Initial
      

    Note -

    It is now safe to reconnect your HA systems to the network.


  2. For SunScreen EFS 2.0:

    The remaining steps are performed on the upgraded primary Screen. These steps include initializing the primary interface, adding the HA secondary IP address, and activating the configuration.

    1. Initialize the primary network interface by typing a command similar to the following:


      # ssadm ha init_primary qfe0
      
    2. Add the IP address of the secondary HA Screen by typing a command similar to the following:


      # ssadm ha add_secondary 10.0.4.2
      
    3. On the primary Screen, activate the policy configuration by typing a command similar to the following:


      # ssadm activate Initial
      

    Note -

    It is now safe to reconnect your HA systems to the network.
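    The following is an added example, not part of the SunScreen guide, that scripts the SunScreen EFS 2.0 branch of the primary-Screen upgrade: the HA interface definition from "To Upgrade the HA Primary Screen" and the init_primary, add_secondary and activate steps above, with a check that every secondary address lies inside the dedicated HA address range before anything is changed. It assumes that ssadm edit accepts its edit> commands on standard input and that the address object is named after the HA interface as in the guide's example; the function names are the example's own.

```sh
#!/bin/sh
# Added example (not from the SunScreen guide): complete the EFS 2.0 HA
# primary upgrade non-interactively. Run as root on the upgraded primary.
# Usage:  sh complete_ha_primary.sh haprimary qfe0 10.0.4.0 10.0.4.255 Initial 10.0.4.2

# ip2int A.B.C.D: print the dotted-quad address as an integer; fail on a
# malformed address (wrong octet count, non-digits, octet above 255).
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_range IP LOW HIGH: true when LOW <= IP <= HIGH.
in_range() {
    ipn=$(ip2int "$1") && lon=$(ip2int "$2") && hin=$(ip2int "$3") || return 2
    [ "$ipn" -ge "$lon" ] && [ "$ipn" -le "$hin" ]
}

# check_secondaries LOW HIGH IP...: fail, naming the address, if any
# secondary is not on the dedicated HA network.
check_secondaries() {
    rlo=$1; rhi=$2; shift 2
    for sec in "$@"; do
        in_range "$sec" "$rlo" "$rhi" || {
            echo "secondary $sec is outside the HA range $rlo to $rhi" >&2
            return 1
        }
    done
}

# ha_edit_commands NAME IFACE LOW HIGH: the edit> commands from the guide,
# with the Screen name, HA interface and address range filled in.
ha_edit_commands() {
    printf 'add address %s RANGE %s %s\n' "$2" "$3" "$4"
    printf 'delete interface %s\n' "$2"
    printf 'add interface SCREEN %s %s HA %s\n' "$1" "$2" "$2"
    printf 'save\nquit\n'
}

# complete_ha_primary NAME IFACE LOW HIGH POLICY SECONDARY_IP...
# Assumes "ssadm edit POLICY" reads edit> commands from standard input.
complete_ha_primary() {
    name=$1; ifc=$2; lo=$3; hi=$4; policy=$5; shift 5
    check_secondaries "$lo" "$hi" "$@" || return 1
    ha_edit_commands "$name" "$ifc" "$lo" "$hi" | ssadm edit "$policy" || return 1
    ssadm ha init_primary "$ifc" || return 1
    for sec in "$@"; do
        ssadm ha add_secondary "$sec" || return 1
    done
    ssadm activate "$policy"
}

if [ $# -ge 6 ]; then
    complete_ha_primary "$@"
fi
```

    The range check runs before any ssadm command so that a typo in a secondary address is caught while the configuration is still untouched, rather than after init_primary has already changed the HA interface. Once the script has activated the policy it is safe to reconnect the HA systems to the network, as the note above says.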