SunScreen 3.2 Installation Guide

Upgrading From SunScreen SPF-200

The upgrade from SunScreen SPF-200 to SunScreen 3.2 requires a unique set of steps and can cause significant network downtime. To reduce the downtime, consider transferring your SunScreen SPF-200 configurations to a new system and performing the upgrade on that new system.


Note -

Have your original SunScreen SPF-200 installation diskette nearby in the event that the upgrade procedure fails and you need to return your Screen to its original SunScreen SPF-200 configuration.


To Back Up SunScreen SPF-200 and Install Patches
  1. Back up the SunScreen SPF-200 Screen, referring to your SunScreen SPF-200 documentation, if needed.

    The medium used for backing up your software and policies contains unencrypted, sensitive information. Store it in a secure location.


    Note -

    Save your existing log files according to your documentation because they are not backed up automatically.


  2. Back up the SunScreen SPF-200 Administration Station, following regular Solaris software procedures.

    The medium used for backing up your software and policies contains unencrypted, sensitive information. Store it in a secure location.

  3. Install Patch 105047-21 on the Administration Station and Screen, if not already installed.

    This patch is available through Sun Service.

  4. Mount the CD-ROM by typing:


    # volcheck
    
  5. From the Administration Station, install a special SunScreen SPF-200 patch on the Screen, by typing:


    # ss_client Name_of_Screen ss_patch install noreboot < \
        /cdrom/cdrom0/sparc/Patches/spfUpgradePatch.tar.Z
    

    Note -

    Install this patch only on the Screen. Do not install this patch on the Administration Station itself or on any other system. Also, do not reboot your system at this time.


To Install the Software on the SunScreen SPF-200 Screen
  1. On the Administration Station, insert the SunScreen CD into the CD-ROM drive.

  2. From the Administration Station, run a special script to gather the SunScreen SPF-200 Screen's configurations by typing:


    # ss_client Name_of_Screen config2 > 200config.tar
    

    Note -

    Do not change the name of the 200config.tar file.



    Caution -

    This file contains sensitive information. Do not send this file over insecure lines. To move this file, use a diskette or a secured connection only.


  3. Obtain your Administration Station's SKIP certificate ID by typing:


    # skiplocal list
    

    A list of SKIP encryption certificate IDs is displayed. The SKIP connection provides secure, encrypted communication between the Administration Station and the Screen.

  4. Write down the correct SKIP certificate ID for your Administration Station.

  5. On the Screen, reinstall your Solaris 2.6, Solaris 7, or Solaris 8 software, following the instructions accompanying your Solaris CD.


    Note -

    You must reinstall the Solaris software because the version used with the SunScreen SPF-200 cannot be upgraded. At this point you can instead use a separate system as the upgrade target.


  6. On the Administration Station, verify that your operating environment is at least the Solaris 2.6 version.

  7. On the Screen, configure only the interface that the SunScreen SPF-200 used as its administration interface (for example, le0), keeping the same interface ID.

    See your Solaris software documentation, if necessary.

  8. Remove the old SunScreen SPF-200 administration software by typing:


    # pkgrm SUNWicgSA
    

    Note -

    If you did not originally install this package, do not run the pkgrm command.


  9. Remove the old SKIP packages from the Administration Station by typing:


    # pkgrm SICGcrc2 SICGcrc4 SICGes SICGkeymg \
        SICGkisup SICGbdcdr

    To remove any SKIP cryptographic upgrades:

    # pkgrm SICGcdes SICGc3des SICGcsafe SICGkdsup \
        SICGkusup
    

    Note -

    If you did not originally install any of these packages, omit them from the string or else remove the packages one at a time.
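    The following shell script is an added example, not part of the SunScreen guide: it removes only those of the old SKIP packages listed in step 9 that are actually installed, so a single absent package does not make the combined pkgrm command fail, which is the situation the Note describes. It assumes the standard Solaris pkginfo -q and pkgrm tools.

```shell
#!/bin/sh
# Added example, not part of the SunScreen guide: remove only those old SKIP
# packages that are actually installed, so one absent package does not make the
# combined pkgrm command fail (the case the Note above describes).
# The package names are the ones listed in step 9; pkginfo -q and pkgrm are the
# standard Solaris packaging tools.

OLD_SKIP_PKGS="SICGcrc2 SICGcrc4 SICGes SICGkeymg SICGkisup SICGbdcdr"
OLD_SKIP_CRYPTO_PKGS="SICGcdes SICGc3des SICGcsafe SICGkdsup SICGkusup"

# installed_subset PKG...: print, space-separated, those arguments that
# pkginfo reports as installed; prints an empty line if none are.
installed_subset() {
    out=""
    for p in "$@"; do
        if pkginfo -q "$p" 2>/dev/null; then
            out="${out:+$out }$p"
        fi
    done
    printf '%s\n' "$out"
}

# remove_old_skip: run pkgrm on the base packages, then on the cryptographic
# upgrade packages, in each case only for the ones that are present.
# Returns 1 if a pkgrm call fails.
remove_old_skip() {
    for group in "$OLD_SKIP_PKGS" "$OLD_SKIP_CRYPTO_PKGS"; do
        present=$(installed_subset $group)   # word splitting intended
        if [ -n "$present" ]; then
            echo "removing: $present"
            pkgrm $present || return 1
        else
            echo "none of [$group] installed; nothing to remove"
        fi
    done
}
```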


To Install the SunScreen 3.2 Software and Verify Installation

To prevent damage to the existing policies and make communication easier between the Administration Station and the Screen, upgrading requires you to first install the SunScreen software on the Screen and then on the Administration Station.

  1. On the Screen, install the SunScreen software according to the instructions in "Installing in Stealth Mode With Remote Administration Using SKIP" in the SunScreen 3.2 Installation Guide.

  2. On the Administration Station, install the SunScreen software according to the instructions in "Installing in Stealth Mode With Remote Administration Using SKIP" in the SunScreen 3.2 Installation Guide.

  3. On the Administration Station, move the SKIP keys by typing:


    # cp -rp /etc/sunscreen/skip/* /etc/skip/
    
  4. Reboot the Administration Station by typing:


    # sync; init 6
    

    To enable remote administration between the Screen and Administration Station, you must create a new access control list (ACL) using the same SKIP MKID that was used by the SunScreen SPF-200 as its administration interface and a new Screen MKID.


    Note -

    For the new ACL to take effect, it is important that you follow the exact instructions for the remote Administration Station referenced by the administration GUI in the /etc/sunscreen/AdminSetup.readme file.


  5. Replace the old ACL on the Administration Station with the new ACL using the existing key.


    Note -

    Ensure that your administration interface is the default interface, because the skiphost commands assume it. If it is not the default, specify the non-default interface explicitly.


  6. Make sure that the dates on the Screen and the Administration Station are synchronized.

To Verify Remote Administration and Convert Policies On the Screen
  1. On the Administration Station, create a session on the Screen by typing:


    # SSADM_TICKET_FILE=$HOME/.ssadmticket
    # export SSADM_TICKET_FILE
    # touch $SSADM_TICKET_FILE
    # chmod go= $SSADM_TICKET_FILE
    # ssadm -r Name_of_Screen login admin admin
    
  2. On the Administration Station, verify that you are able to remotely administer the upgraded Screen by typing:


    # ssadm -r Name_of_Screen active
    
  3. On the Administration Station, begin the conversion of the SunScreen SPF-200 configurations to SunScreen 3.2 policies on the Screen by typing:


    # ssadm -r Name_of_Screen spf2efs < 200config.tar
    
  4. Verify your migrated configuration before activating it. To view and update the migrated configurations, open a Java-enabled Web browser and launch the SunScreen administration GUI by entering the following URL:


    http://Name_of_Screen:3852
    

    See "Using the Administration GUI" in the SunScreen 3.2 Administration Guide for instructions on using the administration GUI.


    Note -

    After completing the upgrade from SunScreen SPF-200, you must review your packet filtering rules to verify the filtering order because SunScreen 3.2 uses ordered packet filtering rules and ordered NAT mappings. Also, be aware that NAT mappings changed considerably in SunScreen EFS 3.0 from the NAT mappings used in prior releases of SunScreen. See the SunScreen 3.2 Administrator's Overview for more details on ordered rules and NAT mappings.


  5. On the Administration Station, activate your migrated configuration by typing:


    # ssadm -r Name_of_Screen activate Name_of_Configuration
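
    The following shell script is an added example, not part of the SunScreen guide: it sets up the ssadm ticket file as in steps 1 and 2 of this procedure, but verifies that the file is readable and writable by its owner only before logging in, because the ticket file caches the session credential that ssadm -r uses. The open_session function name is assumed; its argument is the page's Name_of_Screen placeholder.

```shell
#!/bin/sh
# Added example, not part of the SunScreen guide: create the ssadm ticket file
# the way step 1 above does, but refuse to open the session unless the file is
# readable and writable by its owner only. The ticket file caches the session
# credential that ssadm -r uses, so group/other access would expose it.
# open_session takes the Screen name (the page's Name_of_Screen placeholder).

# prepare_ticket_file PATH: create PATH if needed, strip group/other access
# and verify the result. Returns 0 on success, 1 otherwise.
prepare_ticket_file() {
    f=$1
    # umask 077 means the file never exists world-readable, not even in the
    # moment between creation and the chmod below.
    ( umask 077; : >> "$f" ) || return 1
    chmod go= "$f" || return 1
    check_ticket_mode "$f"
}

# check_ticket_mode PATH: 0 if no group or other permission bit is set.
# Parses ls -l instead of depending on stat(1), which not every Solaris
# release provides, so it behaves the same on Solaris and Linux.
check_ticket_mode() {
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# open_session SCREEN: export the ticket file location, make it safe, then
# log in and confirm remote administration works (steps 1 and 2 above).
open_session() {
    SSADM_TICKET_FILE=${SSADM_TICKET_FILE:-$HOME/.ssadmticket}
    export SSADM_TICKET_FILE
    if ! prepare_ticket_file "$SSADM_TICKET_FILE"; then
        echo "ticket file $SSADM_TICKET_FILE is not owner-only; aborting" >&2
        return 1
    fi
    ssadm -r "$1" login admin admin && ssadm -r "$1" active
}
```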