CHAPTER 4
Additional SMS 1.6 Software Procedures
This chapter contains additional procedures that you might want to perform while using or updating the SMS 1.6 software. The topics covered in this chapter include:
The SMS security model uses group membership to provide users with the authority to perform various system management tasks. The level and type of system management available depends on a user's group membership. For more information, refer to Chapter 2, "SMS Security" in the System Management Services (SMS) 1.6 Administrator Guide.
Note - Adding users using smsconfig must be performed on both the main and spare SCs once software installation and network configuration are completed.
The SMS user group IDs are created during initial installation. TABLE 4-1 lists the user groups that are set up for you.
To Add Users to SMS Groups and Configure Directory Access
SMS provides the ability to add users to SMS groups and refine user access to directories in the domains. This functionality protects domain integrity and system security.
2. Type the following command for each user you want to add.
For example, to add a user to the dmnaadmn group with access to domain A directories, type the following.
    sc0: # /opt/SUNWSMS/bin/smsconfig -a -u fdjones -G admn a
    fdjones has been added to the dmnaadmn group
    All privileges to domain a have been applied.
Note - Do not manually add or remove users from SMS groups in the /etc/group file. This can limit or deny access to users.
3. To list SMS groups and administrative privileges, use the following command.
For example, to display all users with platform privileges, type the following.
4. Type the following command for each user you want to remove.
For example, to remove fdjones from the dmnbadmn group, type the following.
    sc0: # /opt/SUNWSMS/bin/smsconfig -r -u fdjones -G admn B
    fdjones has been removed from the dmnbadmn group.
    All access to domain B is now denied.
Note - Do not manually add or remove users from SMS groups in the /etc/group file. This can limit or deny access to users.
SMS patches are available at http://sunsolve.sun.com.
Before you install patches for your SMS software, follow these guidelines and notify the affected administrators if necessary.
Complete any domain, board, or configuration changes before you begin patch installation.
Read all patch instructions (included with the patch) carefully before attempting to install a patch. Instructions in the patch procedure could preempt these instructions.
This example assumes that the main SC is sc0 and the spare SC is sc1.
To Install a Patch on an SC
1. Log in to the main SC (sc0) with platform administrator privileges.
2. Turn failover off. Type the following.
3. Stop the SMS processes on the main SC.
4. Stop the SMS processes on the spare SC.
5. Install the patch on both SCs.
6. Start the SMS processes on the main SC first.
Wait for all processes to start before proceeding to the next step. Use the showenvironment command to verify that all SMS processes have started.
7. Start the SMS processes on the spare SC (sc1).
8. Enable failover on the main SC (sc0).
To keep the most accurate time of day on Sun Fire high-end systems, configure both system controllers and each bootable domain in the platform as Network Time Protocol (NTP) clients of the same NTP servers.
To Configure an SC as an NTP Client
Before proceeding, make sure that the platform has the most up-to-date patches, and that the latest recommended patch cluster is installed on the domains and system controllers.
The default NTP configuration file is /etc/inet/ntp.conf. It must contain a minimum of three NTP time servers with independent time sources. (For a list of public NTP time servers, refer to http://www.ntp.org.)
1. Insert the names of three NTP servers into the NTP configuration file of each SC and bootable domain.
Insert the following lines, replacing ntp_server with the actual name of the NTP server.
The server name followed by the prefer argument is the primary NTP server.
2. Add the name of the drift file.
The drift file records the frequency offset of the local clock oscillator. It is read at startup to set the initial frequency offset. Use the driftfile argument, followed by the name of the file.
3. Add instructions for generating statistics.
These instructions consist of one line for a statistics path followed by a line for each type of statistics that is to be collected.
    statsdir /var/ntp/ntpstats
    filegen peerstats file peerstats type day enable
    filegen loopstats file loopstats type day enable
    filegen clockstats file clockstats type day enable
The first line indicates the path in which the statistics files are saved. The following lines each indicate the type of statistic (peer statistics, loop filter statistics, and clock driver statistics).
For more information about the available options, consult the xntp(1M) man page.
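The rules above (three servers with independent sources, one of them marked prefer, and a driftfile line) are easy to get wrong when the same file is copied to both SCs and every domain. This added check script is not part of the SMS guide; it verifies a given ntp.conf against those rules and runs here against two constructed sample files (the server names are placeholders).

```shell
#!/bin/sh
# Added example, not from the SMS guide: check that an ntp.conf meets the rules
# given above (three or more servers with distinct names, exactly one marked
# "prefer", and a driftfile directive). Defaults to the SC's /etc/inet/ntp.conf.
check_ntp_conf() {
    conf="${1:-/etc/inet/ntp.conf}"
    [ -r "$conf" ] || { echo "$conf: not readable" >&2; return 1; }
    # Distinct server names (comment lines start with '#', so $1 never matches).
    nserv=$(awk '$1=="server" && !($2 in seen) {seen[$2]=1; n++} END {print n+0}' "$conf")
    # Servers carrying the "prefer" keyword anywhere after the name.
    npref=$(awk '$1=="server" {for (i=3;i<=NF;i++) if ($i=="prefer") n++} END {print n+0}' "$conf")
    ndrift=$(awk '$1=="driftfile" {n++} END {print n+0}' "$conf")
    rc=0
    [ "$nserv" -ge 3 ]  || { echo "$conf: only $nserv distinct server(s), need 3" >&2; rc=1; }
    [ "$npref" -eq 1 ]  || { echo "$conf: $npref server(s) marked prefer, want exactly 1" >&2; rc=1; }
    [ "$ndrift" -eq 1 ] || { echo "$conf: expected one driftfile line, found $ndrift" >&2; rc=1; }
    return $rc
}

# Constructed sample configurations (host names are placeholders, not real servers).
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
server ntp1.example.com prefer
server ntp2.example.com
server ntp3.example.com
driftfile /var/ntp/ntp.drift
statsdir /var/ntp/ntpstats
filegen peerstats file peerstats type day enable
filegen loopstats file loopstats type day enable
filegen clockstats file clockstats type day enable
EOF

BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
# two servers, both preferred, no driftfile
server ntp1.example.com prefer
server ntp2.example.com prefer
EOF

check_ntp_conf "$GOOD_CONF" && echo "good config passes"
check_ntp_conf "$BAD_CONF"  || echo "bad config rejected"
```

Run it with no argument on each SC and domain to check the live /etc/inet/ntp.conf.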
The following procedure describes how to manually stop and start SMS.
To Manually Stop and Restart SMS
1. Log in to the SC as a user with platform administrator privileges.
You must have platform administrator privileges to run the setfailover command.
3. Log out as a platform administrator.
4. Log in to the SC as a user with superuser privileges.
You must have superuser privileges to perform the following tasks.
5. Use the /etc/init.d/sms script to stop SMS.
6. Use the /etc/init.d/sms script to restart SMS.
8. Log in to the SC as a user with platform administrator privileges.
10. Type the following command.
11. Wait until showenvironment finishes displaying all board status.
At this point, you can log out and begin using SMS.
The default Secure Shell (ssh) escape character is ~ (tilde). The SMS console uses the same character for escape sequences. This means that you must use a different escape character for ssh.
There are three ways to use a different escape character for ssh:
The following sections explain how to change the ssh escape character.
To Permanently Change the ssh Escape Character
If you already have a .ssh/config file in your home directory, open that in your text editor.
If you do not already have a .ssh/config file in your home directory, use your text editor to create one.
2. Type the following text into the file.
In this example, the caret (^) is the new escape character.
3. Save the file as .ssh/config.
The next time you start ssh, the program will recognize ^ as the new escape character. This change remains permanent unless you delete the .ssh/config file, or specify another escape character.
To Change the Escape Character for a Single ssh Session
The ssh command contains a -e option that enables you to specify a different escape character for the duration of the ssh session. You can specify the new escape character when you log in to ssh. Once you exit ssh, the default escape character reverts to ~.
To change the escape character for a single session, follow these steps. In this example, the caret (^) character is the new escape character.
1. Log in to ssh from the system prompt, including the -e^ option as shown in the example.
You can use a different escape character in place of ^.
login-options stands for the other options you normally use when logging in using ssh, such as the remote host name, login name, and so on.
2. When you have finished using ssh in this session, type the new escape character (^ in this example), followed by a period.
This exits ssh, and returns you to the local system prompt.
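The permanent change above is a one-line client setting, but it only takes effect if it appears before any Host block and if ssh accepts the file's permissions. This added script is not from the SMS guide; it assumes the OpenSSH ssh_config EscapeChar keyword and demonstrates the change against a throwaway directory rather than the real ~/.ssh.

```shell
#!/bin/sh
# Added example, not from the SMS guide: set the OpenSSH EscapeChar directive in
# a client config file so ssh stops treating "~" as its escape character and the
# SMS console sequences get through. Assumes the OpenSSH ssh_config(5) keywords.
set_ssh_escape_char() {
    conf="$1"; ch="$2"
    tmp=$(mktemp)
    # Put the directive first, before any "Host" block: ssh uses the first value
    # it obtains for an option, so a top-level line applies to every host.
    printf 'EscapeChar %s\n' "$ch" > "$tmp"
    if [ -f "$conf" ]; then
        # Drop any earlier EscapeChar line (the keyword is case-insensitive).
        awk 'tolower($1) != "escapechar"' "$conf" >> "$tmp"
    fi
    mkdir -p "$(dirname "$conf")"
    mv "$tmp" "$conf"
    # ssh refuses a user config that is group- or world-writable.
    chmod 600 "$conf"
}

# Report the escape character currently configured in a file (empty if none).
ssh_escape_char() {
    awk 'tolower($1) == "escapechar" {print $2; exit}' "$1"
}

# Demo against a throwaway directory, not the real ~/.ssh (constructed setup).
DEMO_HOME=$(mktemp -d)
printf 'Host sc0\n    User sms-svc\n' > "$DEMO_HOME/config"   # existing settings survive
set_ssh_escape_char "$DEMO_HOME/config" '^'
echo "escape character now: $(ssh_escape_char "$DEMO_HOME/config")"
# For a single session instead, pass the option on the command line (see above):
#   ssh -e '^' login-options
```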
Since SMS 1.3, the default sequence to stop the system [Stop-A] has been changed to the following alternate: [Return] [~] [Control-B].
This was done to facilitate failover. The Solaris 8 OS introduced this feature, which lets you force a hung system to halt when required without allowing random or spurious breaks to cause an unintended stop.
To Enable the Alternate Break Sequence
1. Log in to the SC as superuser.
2. In the /etc/default/kbd file, uncomment the following line:
SMS enables you to switch between versions of SMS using the smsversion script. The two versions must both be a minimum of SMS 1.5 and must both reside on the same version of the Solaris OS. This means that SMS 1.6 cannot switch to SMS versions earlier than 1.5. For SMS 1.6 on Solaris 9 OS, you can switch back to SMS 1.5. For SMS 1.6 software on Solaris 10 OS, you cannot switch back to SMS 1.5, because Solaris 10 OS supports only SMS 1.6. For more information about the smsversion command, refer to the System Management Services (SMS) 1.6 Administrator Guide.
Switching to other SMS versions from SMS 1.6 has security implications. SMS 1.6 uses a different security profile than previous versions of SMS. This profile automatically hardens the SCs when you run the smsinstall command. Since this hardening is not undone by the smsversion command, you must manually undo the hardening before switching to a version of SMS other than 1.6.
To switch to another SMS version from SMS 1.6, follow this sequence. These procedures are explained in detail later in this section.
1. Undo hardening manually (using the Solaris Security Toolkit).
2. Switch to another version of SMS (using the smsversion command).
3. Reharden manually (using the Solaris Security Toolkit).
The changes take effect after you reboot the system. If you do not remove the hardening manually, it remains in effect after the version switch, and this can impact SMS functionality.
To Manually Undo Hardening
You can use the Solaris Security Toolkit to administer any aspect of Solaris security on the system controllers. Refer to the Solaris Security Toolkit 4.2 Administrator Guide or the Solaris Security Toolkit 4.2 Reference Manual. Both the smsinstall and the smsupgrade scripts install the Solaris Security Toolkit in /opt/SUNWjass/.
To undo the hardening manually, perform the following procedure. You must perform the procedure twice: once on the main SC, and once on the spare SC.
1. Log in to the SC as superuser.
2. Type the following command at the sc prompt to undo the hardening.
The system prompts you to select a hardening operation (called a Solaris Security Toolkit run) to undo.
3. Type the number of the run you want to undo at the Choice (`q' to exit)? prompt.
4. Change to the OpenBoot PROM prompt.
You can now switch to another version of SMS.
To Switch to a Different Version of SMS
Perform the following steps on the SC on which you want to switch to a different version of SMS. The two SMS software installations must be adjacent and co-resident on the SC.
1. Log in to the spare SC as superuser.
2. Make certain your configuration is stable.
Being stable means the following commands should not be running: smsconfig, poweron, poweroff, setkeyswitch, cfgadm, rcfgadm, addtag, deletetag, addboard, moveboard, deleteboard, setbus, setdefaults, setobpparams, setupplatform, enablecomponent, or disablecomponent. If any of these commands are running, stop them before proceeding.
3. Use smsbackup to back up your SMS configuration.
See To Back Up the SMS Environment.
4. Deactivate failover by typing the following command at the SC superuser prompt.
5. Stop SMS by typing the following command.
6. Type the following command to run smsversion.
where version-number is the SMS version to which you want to switch. The example in this procedure shows a switch from SMS 1.6 to SMS 1.5.
7. Follow the prompts shown on the screen.
The following example shows sample screen output.
8. Type the following command to run smsrestore.
where filename is the absolute path to the backup file that you created in Step 3 using smsbackup. The filename argument must contain the full path name for the file. This file can reside anywhere on the system, connected network, or tape device. If no filename is specified, you receive an error.
9. If the SMS version you selected in Step 6 requires changes to your network configuration, run smsconfig -m and then reboot the SC. Then log in to the SC as superuser again.
If you do not need to make network changes, proceed to the next step.
10. Stop SMS on the main SC (sc0).
11. Type the following command to start SMS on the spare SC (sc1).
12. Repeat Step 1 through Step 11 to switch SMS versions on the main SC (sc0).
13. Reactivate failover using the following command.
The version switching procedure is now complete. To restore security on the SC, you must reharden the SC.
To Reharden After the Version Switch
To reharden the SCs after the version switch is complete, perform the following procedure. You must perform the procedure twice: once on the main SC, and once on the spare SC.
1. Log in to the main SC as superuser.
2. Type the following command to reharden.
The system responds with the prompt Are you sure?
4. Change to the OpenBoot PROM prompt.
The system rehardens the main SC.
6. Repeat the procedure on the spare SC (sc1).
Note - The -q (quiet) option suppresses verbose output from the system when you execute this command.
This section contains procedures that describe how to check the version of Solaris Security Toolkit. If the version of the Solaris Security Toolkit software is out of date, you can use the procedures in this section to uninstall the software.
To Determine Which Version of Solaris Security Toolkit Is Installed
2. Type the pkginfo command with the -l option.
The pkginfo command can be executed by the sms-svc user.
The -l option provides information about the package. Look for the VERSION field as in the following output example.
If the Solaris Security Toolkit has not been installed, pkginfo returns a message similar to the following.
To Remove an Incompatible Version of the Solaris Security Toolkit
The SMS 1.6 version of the smsinstall script installs Solaris Security Toolkit 4.2 only if no previous versions are already installed. If you have modified any files in the Solaris Security Toolkit that you want to preserve, save them before following these steps. If you have added configuration files according to the instructions in the Solaris Security Toolkit documentation, you do not need to save them. They will be preserved.
2. Use the pkgrm command to remove the Solaris Security Toolkit package.
A message similar to this one is displayed for each package.
    The following package is currently installed:
       SUNWjass  Solaris Security Toolkit
                 (Solaris) 4.2
    Do you want to remove this package?
3. To remove each package, type y for Yes.
Here is an example. The message varies by package.
The procedure in this section describes how to manually back up and restore SMS 1.6 on the SCs.
To Back Up the SMS Environment
Do the following tasks to back up and restore SMS 1.6 on the SCs.
1. Log in to the SC as superuser.
2. Disable failover by typing the following command.
4. Back up the SMS environment.
Run smsbackup, or have the latest copy of the smsbackup file (sms_backup.X.X.cpio) accessible on disk.
Note - The sms_backup.X.X.cpio file of one SC cannot be used by the other SC. They are SC-specific files and are not interchangeable.
where directory_name is the name of the directory in which the backup file is created. This file can reside in any directory on the system, connected network, or tape device to which you have read/write privileges. If you do not specify a directory_name, the backup file is created in /var/tmp.
The directory_name you specify must be mounted as a UNIX file system (UFS). Specifying a temporary file system (TMPFS), such as /tmp, causes smsbackup to fail.
If you are not certain that your directory_name is mounted as a UFS, type the following command.
A UFS returns directory information. Any other type of file system returns a warning.
To Restore SMS 1.6 Software
3. Run smsrestore on the smsbackup file.
where filename is the absolute path to the backup file that was created by smsbackup(1M). The filename must contain the full path name for the file. This file can reside anywhere on the system, connected network, or tape device. If no filename is specified, you receive an error.
This section describes how to change the IP address or host name of a domain or system controller.
To Change the IP Address of an SC or Domain
1. Update your name service maps with the new IP address.
2. Reboot the domain or system controller.
To Change the Host Name of a Domain or SC
1. Update your name service maps with the new host name.
2. Change the host name in the following files in the domain:
/etc/hostname.interface-card-name
4. Change the host name in the following files, if applicable:
/etc/defaultdomain (only if your NIS domain name has changed)
/etc/hostname.* (only if your host name is specified in the file)
/etc/hostname6.* (only if your host name is specified in the file)
5. If the host name was changed in the SC, run the smsconfig -m command.
For more information about the smsconfig(1M) command, refer to the System Management Services (SMS) 1.6 Reference Manual or the SMS 1.6 man pages.
Copyright © 2006, Sun Microsystems, Inc. All Rights Reserved.