Trusted Solaris 7 Installation and Configuration on the Sun Enterprise 10000

Chapter 2 Installing and Configuring the Trusted Solaris 7 Environment on the SSP

This chapter covers installing and configuring the Trusted Solaris 7 operating environment on the Sun Enterprise 10000 SSP. These steps are prerequisites to installing the Trusted Solaris SSP 3.1.1 on the SSP.

The procedures in this guide use the conventions shown in the following table for command line prompts.

Table 2-1 Command Line Prompt Conventions
 Prompt   User Indicated
 ssp#     root role on the SSP
 ssp%     ssp role on the SSP
 #        root role or superuser on a system other than the SSP

Back Up the SSP

Backing up an existing SSP is required if you want to retain the current SSP environment. The backup file must be created with the ssp_backup command on a Solaris SSP 3.1 or SSP 3.1.1 system; an SSP 3.0 backup file cannot be restored to Trusted Solaris SSP 3.1.1. If you have a new system or you do not wish to restore the SSP environment after Trusted Solaris installation, you do not need to create a backup file.

To determine what version of the SSP software is currently running, see your current SSP documentation.

To Back Up the SSP Environment

Note -

The size of the SSP backup file can range from approximately 4 Mbytes to well over 80 Mbytes, depending upon the contents of the adm, data, etc, ict, and .ssp_private directories in the /var/opt/SUNWssp/ directory. You can use the du(1M) command to determine the approximate amount of disk space required for the backup file. Delete any unnecessary message or log files from the /var/opt/SUNWssp/adm directory prior to invoking ssp_backup.


  1. On the main Solaris SSP, log in as superuser to create a backup file.

  2. Run the ssp_backup command:


    ssp# /opt/SUNWssp/bin/ssp_backup target_directory
    

    The directory specified by target_directory must exist. This is the directory where the backup file, named ssp_backup.cpio, will be created. After ssp_backup is run, do not make any changes to the Sun Enterprise 10000 environment, such as domain state or power status of boards, until you have completed the install procedure and restored the SSP environment.

  3. Save the /target_directory/ssp_backup.cpio file to a safe location.

    This file will be used during installation of Trusted Solaris SSP 3.1.1 to restore the SSP environment on a single SSP system, or to synchronize the SSP environment between the SSPs on a dual SSP system.


    Note -

    It is suggested that you also back up the SSP with ufsdump(1M) before the install. You can back up all of the files on the SSP using ufsdump, instead of just the SSP configuration information that is backed up by ssp_backup. This backup can be used to restore the SSP in the event of a disk failure.


Install Trusted Solaris 7 on the SSP

Installation of the Trusted Solaris 7 operating environment on the SSP is the same as installing it on a workstation that will be a NIS+ client.

See Trusted Solaris Installation and Configuration Guide for details.

Configure the SSP Network

After installing the Trusted Solaris operating environment on the SSP, you need to configure its SSP network files before installing the Trusted Solaris SSP 3.1.1 software.


Note -

Configuring the network is very important. Complete it before installing the SSP 3.1.1 software.


This section describes the following SSP network configurations:

Two Subnets

The following table and figure describe the two-subnet network configuration.

Table 2-2 Two-Subnet Network Configuration
 Subnet    Name                                  Description
 Primary   Domain Subnet or dom_subnet           SSP and the domains
 Second    Control Board Subnet or cb0_subnet    SSP and the control board

Figure 2-1 Two-Subnet Network Configuration


In Figure 2-1, the Built-in port is le0 for a Sparcstation™ 5 and hme0 for a Sun Ultra™ 5.

Three Subnets

The following table and figure describe the three-subnet network configuration.

Table 2-3 Three-Subnet Network Configuration
 Subnet    Name                                    Description
 Primary   Domain Subnet or dom_subnet             SSP and the domains
 Second    Control Board Subnet 0 or cb0_subnet    SSP and the first control board
 Third     Control Board Subnet 1 or cb1_subnet    SSP and the second control board

Figure 2-2 Three-Subnet Network Configuration


In Figure 2-2, the Built-in port is le0 for a Sparcstation 5 and hme0 for a Sun Ultra 5.

Spare SSP

The following table and figure describe the spare SSP network configuration.

Table 2-4 Spare SSP Network Configuration
 Subnet    Name                                    Description
 Primary   Domain Subnet or dom_subnet             Both SSPs and the domains
 Second    Control Board Subnet 0 or cb0_subnet    Both SSPs and the first control board
 Third     Control Board Subnet 1 or cb1_subnet    Both SSPs and the second control board

Figure 2-3 Spare SSP Network Configuration


In Figure 2-3, the Built-in port on the main SSP and the spare SSP is le0 for a Sparcstation 5 and hme0 for a Sun Ultra 5.

To Configure Your SSP Network

This procedure provides instructions for configuring your SSP network in one of the three configurations discussed earlier in this chapter.

  1. Log in to the SSP and assume the root role.

    Do the following steps as root at the label admin_low.

  2. Create the /etc/hostname.* configuration files.

    If you need to view your network controllers, use ifconfig -a.

    For example, if you are using a QuadFastEthernet™ (QFE) card, model 1049A, in the two-subnet, three-subnet, or spare SSP network configuration on a Sun Ultra 5, you need the following files:

    • /etc/hostname.qfe0 -- contains the current SSP host name; it configures the primary subnet, dom_subnet.

    • /etc/hostname.hme0 -- contains ssp_hostname-hme0; it configures the second subnet, cb0_subnet.

    The following file is also needed if you are using either the three-subnet or spare SSP configuration:
    • /etc/hostname.qfe1 -- contains ssp_hostname-qfe1; it configures the third subnet, cb1_subnet.


    Example 2-1 SSP with hostname xf4-ssp

     File Name            File Contents
     /etc/hostname.qfe0   xf4-ssp
     /etc/hostname.hme0   xf4-ssp-hme0
     /etc/hostname.qfe1   xf4-ssp-qfe1


  3. Set the contents of the defaultrouter file to the IP address of the primary network interface:


    ssp# echo primary_network_IP_address > /etc/defaultrouter
    

  4. Manually update your name service hosts registry to include the host names and IP addresses of your control board(s) and other hosts, such as domains and the SSP.

    This can involve updating the Network Information Service (NIS+), or the /etc/hosts file, or the Domain Name Service (DNS).

    The following example shows the typical modifications for an /etc/hosts file:


    # Internet host table
    127.0.0.1  localhost
    0.0.0.0   tsol_default 
    # Entries for dom_subnet.
    www.xxx.yyy.zzz domain1_hostname
    www.xxx.yyy.zzz domain2_hostname
    ...
    www.xxx.yyy.zzz domainn_hostname   # n is the number of domains
    #
    # Entries on both ssp's. 
    # NOTE : On the spare SSP, make sure "loghost" 
    # belongs to the spare.
    #
    www.xxx.yyy.zzz main_ssp_hostname loghost
    www.xxx.yyy.zzz spare_ssp_hostname
    #
    # The next three entries need to be on cb0_subnet.
    #
    www.xxx.yyy.zzz main_ssp_hostname-hme0
    www.xxx.yyy.zzz spare_ssp_hostname-hme0
    www.xxx.yyy.zzz cb0_hostname
    #
    # The next three entries need to be on cb1_subnet. 
    #
    www.xxx.yyy.zzz main_ssp_hostname-qfe1
    www.xxx.yyy.zzz spare_ssp_hostname-qfe1
    www.xxx.yyy.zzz cb1_hostname
    

    Here is an example of a main SSP's /etc/hosts file. In this example, the SSP is configured as follows:

    • xf4 and xf4-b3 are host domains.

    • xf4-ssp is the main SSP and xf4-ssp1 is the spare SSP.

    • xf4-cb0 and xf4-cb1 are the host names for the two control boards.


    #/etc/hosts
    #
    127.0.0.1  localhost
    0.0.0.0   tsol_default 
    #dom_subnet (www.xxx.49.zzz). The 49 subnet
    #
    129.153.49.8    xf4
    129.153.49.9    xf4-b3
    129.153.49.113  xf4-ssp loghost
    129.153.49.114  xf4-ssp1
    #
    #cb0_subnet (www.xxx.151.zzz). The 151 subnet
    #
    129.153.151.113 xf4-ssp-hme0
    129.153.151.114 xf4-ssp1-hme0
    129.153.151.123 xf4-cb0
    #
    #cb1_subnet (www.xxx.152.zzz). The 152 subnet
    #
    129.153.152.113 xf4-ssp-qfe1
    129.153.152.114 xf4-ssp1-qfe1
    129.153.152.127 xf4-cb1

    The /etc/hosts file is a link to the /etc/inet/hosts file.


    Note -

    The SSP and the host domains must be on the same subnet so you can boot domains from the network.


  5. Manually update your name service ethers registry to include the Ethernet addresses for the domain(s), SSP(s), and control board(s).

    You need to update NIS+, or the /etc/ethers file. For example:


    08:00:20:ac:5b:ba       xf4-ssp
    08:00:20:b0:64:78       xf4-ssp1
    00:00:be:a6:55:88       xf4
    00:00:be:a6:6f:89       xf4-b3
    00:00:be:01:00:1e       xf4-cb0
    00:00:be:01:00:57       xf4-cb1


    Note -

    The Ethernet address of the control board(s) is located on the front of each control board.


  6. Update the tnrhdb(4) file to indicate the template for the SSP(s), domain(s), control board(s) and interface(s).

    You need to update the NIS+ tnrhdb table, or the /etc/security/tsol/tnrhdb file. For example, if the E10000 is configured as follows:


    Example 2-2 Tnrhdb Information for SSP xf4-ssp (129.153.49.113)

     Main SSP          xf4-ssp (129.153.49.113)
                       Is running the Trusted Solaris 7 operating environment.
       Interfaces      xf4-ssp-hme0 (129.153.151.113)
                       xf4-ssp-qfe1 (129.153.152.113)
     Spare SSP         xf4-ssp1 (129.153.49.114)
                       Is running the Trusted Solaris 7 operating environment.
       Interfaces      xf4-ssp1-hme0 (129.153.151.114)
                       xf4-ssp1-qfe1 (129.153.152.114)
     Domain1           xf4 (129.153.49.8)
                       Is running the Trusted Solaris 7 operating environment.
     Domain2           xf4-b3 (129.153.49.9)
                       Is running the Solaris 7 operating environment.
     Control boards    xf4-cb0 (129.153.151.123)
                       xf4-cb1 (129.153.152.127)

    1. Its tnrhdb file or NIS+ table has the following entries:

      # /etc/security/tsol/tnrhdb
      #
      # Assume that the templates unlab and tsol are defined in the tnrhtp database.
      #
      127.0.0.1:tsol
      0.0.0.0:unlab
      129.153.49.113:tsol
      129.153.151.113:tsol
      129.153.152.113:tsol
      129.153.49.114:tsol
      129.153.151.114:tsol
      129.153.152.114:tsol
      129.153.49.8:tsol
      129.153.49.9:unlab
      129.153.151.123:unlab
      129.153.152.127:unlab

    2. If there are other Solaris or Trusted Solaris machines that the SSP needs to communicate with, they also need to be viewed by the SSP using the correct template. This would require additional entries in this /etc/security/tsol/tnrhdb file.

    3. Depending on the site's configuration, you might also need to update tnrhdb files on other Trusted Solaris machines so that they can communicate with the freshly installed SSP using the correct template.


  7. Update the /etc/inet/netmasks file.

    Do this if the netmasks file does not contain the netmask for all the network numbers used in the /etc/inet/hosts file.


    For example, if the /etc/hosts file defines the control boards to be:

    10.100.100.100  ctrl_brd_0
    10.100.101.100  ctrl_brd_1

    The /etc/inet/netmasks file would need to have an entry:

    10.100.0.0      255.255.255.0


  8. Update the /etc/default/login file to allow remote login to the root role from any workstation.

    Comment out the CONSOLE=/dev/console line in the /etc/default/login file, as in:


    #CONSOLE=/dev/console

    Requirements for remote login are discussed in greater detail in "Remote Administration Options" in Trusted Solaris Administrator's Procedures.

  9. Edit the /etc/nsswitch.conf file on the main SSP and the spare SSP.

    If you are using local configuration files, the lines in the /etc/nsswitch.conf files are similar to the following example:


    hosts:      files
    ethers:     files
    netmasks:   files
    bootparams: files
    tnrhtp:     files
    tnrhdb:     files
    tsoluser:   files
    tsolprof:   files

    For NIS+, the lines in the file are similar to the following example:


    hosts:      files nisplus
    ethers:     files nisplus
    netmasks:   files nisplus
    bootparams: files nisplus
    tnrhtp:     nisplus files
    tnrhdb:     nisplus files
    tsoluser:   nisplus files
    tsolprof:   files nisplus


    Note -

    The name server information (NIS+) is dependent on your network configuration.


  10. Reboot the SSP.
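
The following check is an added example, not part of the Sun guide. It cross-checks the hosts, ethers and tnrhdb files edited in steps 4 to 6 and reports any hosts address with no explicit tnrhdb entry (which would leave its template to a wildcard entry such as 0.0.0.0:unlab), any ethers address that is not six colon-separated hex fields, and any ethers host name missing from hosts. The function names, finding labels and sample files are constructed for illustration; it assumes a POSIX shell and awk (set AWK=nawk on Solaris, where /usr/bin/awk lacks -v and user functions).

```sh
#!/bin/sh
# Added example (not from the Sun guide): cross-check the hosts, ethers and
# tnrhdb files edited in steps 4 to 6. Function names and finding labels
# are hypothetical. Prints one finding per line, nothing if consistent.
check_ssp_net() {   # usage: check_ssp_net HOSTS ETHERS TNRHDB
    "${AWK:-awk}" -v H="$1" -v E="$2" -v T="$3" '
    function strip(s) { sub(/#.*/, "", s); return s }
    function badmac(m,    p, n, i) {
        n = split(m, p, ":")    # six colon-separated hex fields expected
        if (n != 6) return 1
        for (i = 1; i <= 6; i++)
            if (p[i] !~ /^[0-9A-Fa-f][0-9A-Fa-f]?$/) return 1
        return 0
    }
    BEGIN {
        while ((getline l < T) > 0)      # tnrhdb: IP_address:template
            if (split(strip(l), f, ":") == 2) tmpl[f[1]] = f[2]
        while ((getline l < H) > 0) {    # hosts: IP name [alias ...]
            n = split(strip(l), f, " ")
            if (n < 2) continue
            for (i = 2; i <= n; i++) known[f[i]] = 1
            if (!(f[1] in tmpl)) print "NO_TNRHDB_ENTRY " f[1] " " f[2]
        }
        while ((getline l < E) > 0) {    # ethers: MAC hostname
            if (split(strip(l), f, " ") < 2) continue
            if (badmac(f[1])) print "BAD_MAC " f[1] " " f[2]
            if (!(f[2] in known)) print "ETHERS_HOST_NOT_IN_HOSTS " f[2]
        }
    }'
}

# Constructed sample files; 192.0.2.0/24 is a documentation address range.
ssp_net_demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '127.0.0.1 localhost' '192.0.2.10 ssp-a loghost' \
        '192.0.2.20 dom-a' '192.0.2.30 cb-a' > "$d/hosts"
    printf '%s\n' '08:00:20:aa:bb:01 ssp-a' '00.00.5e.00.53.01 cb-a' \
        '00:00:be:aa:bb:02 dom-b' > "$d/ethers"
    printf '%s\n' '# constructed' '127.0.0.1:tsol' '0.0.0.0:unlab' \
        '192.0.2.10:tsol' '192.0.2.30:unlab' > "$d/tnrhdb"
    check_ssp_net "$d/hosts" "$d/ethers" "$d/tnrhdb"
    rm -rf "$d"
}
ssp_net_demo
```

Against the real files, run it as check_ssp_net /etc/inet/hosts /etc/ethers /etc/security/tsol/tnrhdb before the reboot in step 10.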

Install the AnswerBook2 Server

You will need the server to be able to view books in the SSP 3.1.1 AnswerBook2™ collection.

If you have not installed the AnswerBook2 server, or are not sure whether you have at least version 3.0, you can check the version of the AnswerBook2 server as described in the following procedure.

To Check the AnswerBook2 Server Version
  1. On a Trusted Solaris SSP, assume the root role.

  2. Type:



    ssp# pkginfo -l SUNWab2r
    

    If your version of the AnswerBook2 server is earlier than version 3.0, you must re-install it.


    Note -

    It is suggested that you install the AnswerBook2 server on a system other than the SSP.


If you have installed the AnswerBook2 server on another system, you can install the SSP 3.1.1 AnswerBook2 package on the SSP and add the SSP 3.1.1 AnswerBook2 to the AnswerBook2 index by using the ab2admin(1M) command.

If you do not have the AnswerBook2 server installed on any system, or if you have a version earlier than 3.0, you can install the AnswerBook2 server from the Solaris Documentation CD or from the Web. To install the AnswerBook2 server from the Solaris Documentation CD, refer to the Installation Library for your version of the Solaris operating environment. To install the AnswerBook2 server from the Web, follow the steps in the procedure below.

To Install the AnswerBook2 Server From the Web
  1. On a Trusted Solaris SSP, assume the root role.

  2. Point your browser to http://www.sun.com/software/ab2.

  3. Click Download Versions.

  4. Click Download Version 1.4.

  5. Read the License Agreement and click on the Accept button.

    You cannot download the software if you do not accept the License Agreement.

  6. Read the Export Agreement and click on the Accept button.

    You cannot download the software if you do not accept the Export Agreement.

  7. Choose the version of the AnswerBook2 server that is appropriate for the operating environment on your system.

    • If your system is running the Trusted Solaris 7 operating environment, or the Solaris 2.6 or 7 operating environment, click Solaris 2.6 or Solaris 7 Operating Environment.

  8. Follow the instructions on the web page to download the software and install the AnswerBook2 server.