test

SunScreen 3.2 Configuration Examples

Setting Up Remote Administration with SKIP

Before you begin, verify that the Administration Station can communicate with the Screen. After logging on as root, perform the following procedures:

Install the Administration Station Software

  1. On the Administration Station, install the SunScreen Administration Station software.

    See the SunScreen 3.2 Installation Guide for complete information including command line installation. Also check the SunScreen 3.2 Release Notes, which may show additional installation issues.

  2. On Administration Station, generate a local certificate ID and set up SunScreen SKIP as follows:

    1. Initialize the SunScreen SKIP directories by typing:


      #  skiplocal -i

    2. Generate the certificate ID by typing:


      # skiplocal -k

      Because the output of skiplocal -k is verbose, use the command shown in the next step, skiplocal -l, to list the certificate ID you just created in a more clearly understood format.

    3. List the certificate ID you just created by typing:


      # skiplocal -l

    4. Write down the certificate ID for use when installing the SunScreen software on the Screen, for example:


      c590723af78f869118cd35dee50680a6

    5. Add SunScreen SKIP to all the interfaces by typing:


      # skipif -a

    6. Reboot the system.

Install the Screen Software

  1. On the Screen, install the SunScreen Screen software.

    Install the Screen with remote administration. If you use the command line to install the Screen software, make sure that you do not install End System SKIP (SUNWes and SUNWesx) on the Screen.

  2. Use the Administration Station's certificate ID, when prompted.

  3. Write down the Screen's certificate ID for use in the next section.

  4. Reboot the Screen upon completion.

Enable Communication Between the Administration Station and the Screen

Return to the Administration Station and add an ACL using the skiptool GUI.

This action allows all hosts not specified by other ACL entries to communicate with the Administration Station system in the clear. Then, the only encrypted traffic will be between this system and the Screen.

Note -

These steps can also be accomplished using the skiphost command as described in the file /etc/opt/SUNWicg/SunScreen/AdminSetup.readme.

  1. Launch the skiptool GUI by typing:


    # skiptool

  2. Click the Add button under Host and choose Off.

  3. Type `default' as the hostname and click Apply.

  4. Click the Add button under Host and choose SKIP.

  5. Type the following information:

    screenname as hostname ( hk-screen in this example), MD5 for Remote Key ID, the Screen's certificate ID for Local Key ID. Use the Administration Station's certificate ID for the local Key ID and the default values for key, traffic, and authentication algorithms

  6. Verify that Access Control is set to Enabled.

  7. Choose Save from the File menu to make your changes permanent.

    Enabling SunScreen SKIP allows the Administration Station to begin encrypted communication with the Screen.

  8. Continuing on the Administration Station, start a browser and verify that remote administration to the Screen is working by typing a URL like this one:


    http://hk-screen:3852

    The SunScreen log-in screen for Screen hk-screen appears. For your own configuration, replace hk-screen with the name of you Screen.