Trusted Solaris 7 Installation and Configuration on the Sun Enterprise 10000

Chapter 3 Installing and Configuring the Trusted Solaris SSP 3.1.1

After the Trusted Solaris 7 operating environment is installed and configured on the SSP and the SSP network is configured, the Trusted Solaris version of SSP 3.1.1 software can be installed. The procedures in this chapter require that you have completed the steps in Chapter 2, Installing and Configuring the Trusted Solaris 7 Environment on the SSP. This chapter describes the following topics:

Installing from a CDROM

To install the Trusted Solaris version of SSP 3.1.1 shipped on the Trusted Solaris Supplemental CD, you need to set up the CDROM. The following set of procedures properly allocates and mounts the CDROM for installing the Trusted Solaris SSP 3.1.1 software.

Prepare the CDROM Device
  1. Log in as a user on the SSP who can assume the root and secadmin roles. Assume the root role.

  2. In the root role, at label admin_low, use the Device Allocation Manager to allocate the CDROM drive, but do not mount it.

    Do not try to use the Volume Manager; it is disabled in the Trusted Solaris environment.

    1. Click the triangle above the Style Manager on the Front Panel to display the Trusted Desktop subpanel. Click Device Allocation.

    2. Double-click the CDROM device to move it to the Allocated Devices list.

    3. Write down the device name for the CDROM drive as indicated in the "Insert disk into..." message in the Device Allocation window.

      For example, if the message reads:

      Insert disk into /dev/dsk/c0t2d0s0.
            Make sure disk is labeled ADMIN_LOW [ADMIN_LOW].
            Press RETURN when cdrom_0 is ready, or ^C to cancel.
      then write down the device name, /dev/dsk/c0t2d0s0, before continuing.

    4. Insert the Trusted Solaris Supplemental CD into the CDROM drive and press the Return key.

    5. Answer n to the "Do you want cdrom_0 mounted: (y/n)?" question.


      Note -

      This differs from the instructions in Trusted Solaris Installation and Configuration. Follow these instructions: do not mount the CDROM.


  3. In the root role, at label admin_low, make sure that /cdrom/root exists.

    If it does not, create it:


    ssp# mkdir -p /cdrom/root
    

  4. Mount the CDROM with all allowed and forced privileges.


    ssp# mount -F hsfs -o ro -S "allowed=all;forced=all" cdrom_device /cdrom/root
    

    For example, for the CDROM on device /dev/dsk/c0t2d0s0, type:


    ssp# mount -F hsfs -o ro -S "allowed=all;forced=all" \
     /dev/dsk/c0t2d0s0 /cdrom/root
    
  5. Check that the mount succeeded with the df(1M) command:


    ssp# df -k | grep cdrom
    /dev/dsk/c0t2d0s0  544100 544100  0  100%  /cdrom/root
Add the /cdrom/root/Tools/ssp_install Command to the Custom Root Role Profile

This procedure requires that the CDROM has been mounted as described in "Prepare the CDROM Device".

  1. Assume the secadmin role. At label admin_low, open the Profile Manager application.

  2. In the Profile Manager: Load window, select none for Name Service then click the OK button.

  3. In the Profile Manager: Open window select Custom Root Role then click the Modify button.

  4. In the Profile Manager main window, select View from the menu bar then select Commands from the submenu.

  5. Enter /cdrom/root/Tools in the Pathname: box, then click the Add button next to it.

    You should see /cdrom/root/Tools added to the Exclude list.

  6. Click on /cdrom/root/Tools in the Exclude list.

    It expands to display all the commands available in the /cdrom/root/Tools directory.

  7. Select command ssp_install and add it to the Include list.

  8. Click on the Privileges... button and select ALL privileges for the ssp_install command.

  9. Select Profiles from the Profile Manager main window menu bar then select Save Profile from the submenu to save the Custom Root Role profile.

    For more details on adding commands to a role's profile, see the "To Add a Command to a Role's Profile" section in Trusted Solaris Installation and Configuration.

Check the tsolprof Setting in the nsswitch.conf File
  1. Assume the root role. In the root role, make sure that the tsolprof entry in the /etc/nsswitch.conf file has files as its first value:


    tsolprof: files nisplus
Assume the root Role with the New Profile
  1. Go to the workspace of the user who can assume the root role.

  2. Delete the root role workspace.

  3. Assume the root role again.

    This action re-reads the root role's profiles. The Custom Root Role profile with your changes is now in effect.

  4. In the root role, at label admin_low, issue the clist(1M) command to verify that the command /cdrom/root/Tools/ssp_install is available.


    ssp# clist -p | grep /cdrom/root/Tools/ssp_install
    /cdrom/root/Tools/ssp_install: all

    The list should indicate all, which means all privileges.

Installing a Dual SSP Configuration

The following table shows the supported combinations of SSP software for dual SSP configurations:

Table 3-1 Supported Dual SSP Configurations

SSP Version on the Main SSP    SSP Version on the Spare SSP
3.1                            3.1 or 3.1.1
3.1.1                          3.1 or 3.1.1

To Install Trusted Solaris SSP 3.1.1 on the Spare SSP
  1. On the spare SSP (referred to here as SSP2), log in as a user who can assume the root and secadmin roles. Assume the root role.

  2. As root at label admin_low, perform "Installing from a CDROM" if you have not done so.

  3. Change directory to the Tools directory:


    ssp# cd /cdrom/root/Tools
    

  4. Install the Trusted Solaris SSP 3.1.1 software on SSP2 by typing:


    ssp# ./ssp_install pathname
    

    Where pathname specifies the path to the Product directory, /cdrom/root/Product.

  5. When you are asked if you want to install the SSP 3.1.1 AnswerBook (the SUNWuessp package), type y to install it; otherwise, type n.

    If you install the SSP 3.1.1 Answerbook, you must respond to the following prompts:

    1. When you are requested to select an installation option, type 2 (heavy installation):

      Select an installation option: 2

    2. When requested to specify the parent path for the AnswerBook2 Collection, type the path to the directory in which you want to put the SSP 3.1.1 AnswerBook.

      It is suggested that you install it in /opt.

      Specify the parent path of this AnswerBook2 Collection directory: /opt

    3. Type y at this prompt:

      This package contains scripts which will be executed with superuser 
      permission during the process of installing this package. 
      
      Do you want to continue with the installation of <SUNWuessp> [y,n,?]  y
      
  6. When you are asked if you want to install the SUNWsspfp package, type y to the prompts.

    Do you want to install the SUNWsspfp package? (y/n) y
    This package contains scripts which will be executed with superuser 
    permission during the process of installing this package. 
    
    Do you want to continue with the installation of <SUNWsspfp> [y,n,?]  y
    
  7. Remove the /cdrom/root/Tools/ssp_install command from the Custom Root Role profile.

    1. Assume the secadmin role. At label admin_low, open the Profile Manager application.

    2. In the Profile Manager: Load window, select none for the Name Service then click the OK button.

    3. In the Profile Manager: Open window select Custom Root Role, then click the Modify button.

    4. In the Profile Manager main window, select View from the menu bar, then select Commands from the submenu.

    5. Select the /cdrom/root/Tools/ssp_install command from the Include list and move it to the Exclude list.

    6. Select Profiles from the Profile Manager main window menu bar then select Save Profile from the submenu to save the profile.

    For more details on removing commands from a role's profile, see "To Remove a Command from a Role's Profile" section in Trusted Solaris Installation and Configuration.

  8. Assume the root role and, at label admin_low, unmount /cdrom/root using the following command:


    ssp# umount /cdrom/root
    
  9. In the root role, at label admin_low, use the Device Allocation Manager to deallocate the CDROM drive. Remove the CDROM.

    Do not use the Volume Manager; it is disabled in the Trusted Solaris environment.

  10. If you have a backup file from the main SSP, restore it on SSP2.

    1. In the root role, at label admin_low, copy the ssp_backup.cpio file to a backup directory on SSP2.

    2. Type:


      ssp# /opt/SUNWssp/bin/ssp_restore \
      backup_directory/ssp_backup.cpio
      

      Where backup_directory is the directory to which you copied the ssp_backup.cpio file in Step a. This restores the SSP environment on the spare SSP.

  11. Configure the main SSP (referred to here as SSP1) to be a spare SSP using ssp_config(1M).

    1. On SSP1, log in as superuser if SSP1 is running Solaris software. If SSP1 is running Trusted Solaris software, log in as a user who can assume the root role, and assume it.

    2. Type:


      ssp# /opt/SUNWssp/bin/ssp_config
      Beginning setup of this workstation to act as a MAIN or SPARE SSP.
      Are you currently configuring the MAIN SSP? (y/n)n
      SPARE SSP configuration completed.

    3. If SSP1 is currently running SSP 3.1, kill the rarpd process:


      ssp# ps -ef | grep rarpd
      ssp# kill -9 rarpd_pid
      

      Where rarpd_pid is the process ID shown by the ps command for rarpd. Killing the rarpd process prevents the SSP from responding to control board boot requests.

  12. Change SSP2 to be the main SSP.

    1. On SSP2, log in as a user who can assume the root role, and assume it.

    2. Type:


      ssp# /opt/SUNWssp/bin/ssp_config
      Beginning setup of this workstation to act as a MAIN or SPARE SSP.
      Are you currently configuring the MAIN SSP? (y/n)y
      MAIN SSP configuration completed.

    If you did not restore the SSP environment during the install procedure, you will be prompted for system information. See "To Name the Platform and Control Board" for details.

  13. Reboot SSP2.

  14. Log in as the user install who can assume the role ssp on SSP2. The password for install is install.

    The installation of Trusted Solaris SSP 3.1.1 created the ssp role, and assigned the ssp role to the install user.

  15. Assume the role ssp. The password for the ssp role is ssp.

  16. In the ssp role, open a terminal window and check the log message:


    ssp% tail -f $SSPLOGGER/messages
    

    Wait for the "Startup of SSP programs complete" message.

  17. On each domain, perform the following steps as root.

    If the domain is running Trusted Solaris software, the following steps need to be run from the root role. See Step 1 for how to access a Trusted Solaris domain from the root role.

    If the domain is running Solaris software, you can reach the domain's root user by using netcon(1M) and then logging in as root.

    1. Edit the /etc/ssphostname file to replace the host name of SSP1 with the host name of SSP2.

    2. Switch console communication from SSP1 to SSP2.

      If the domain is running Trusted Solaris 7 or Solaris 7 5/99 release or later, issue the following:


      # /etc/init.d/cvc stop
      # /etc/init.d/cvc start
      

      If the domain is running Solaris 2.5, 2.6 or the Solaris 7 3/99 release or earlier, issue the following:


      # ps -ef | grep cvcd
      # kill -9 cvcd_pid
      # cvcd_path/cvcd
      

      where cvcd_path is /sbin under the Solaris 2.5 and 2.6 operating environments, and cvcd_path is /platform/SUNW,Ultra-Enterprise-10000/lib/cvcd under the Solaris 7 operating environment.

  18. On the SSP2, perform the steps in "Configuring Trusted Solaris SSP 3.1.1".

  19. If alternate pathing is desired on the SSP, install the Trusted Solaris AP 2.2 as described in Chapter 5, Trusted Solaris Alternate Pathing 2.2 on the Sun Enterprise 10000 Server.

  20. After SSP2 is installed and configured, you can install SSP1.

    1. Install Trusted Solaris 7, Trusted Solaris SSP 3.1.1, and Trusted Solaris AP 2.2 on SSP1.

    2. If you have made changes to the SSP environment or SSP2, synchronize the two SSPs using new backup files.

      1. In the root role at label admin_low, create a backup file on SSP2.


        ssp# /opt/SUNWssp/bin/ssp_backup target_directory
        
      2. In the root role at label admin_low, restore the backup file on SSP1.


        ssp# /opt/SUNWssp/bin/ssp_restore \
        backup_directory/ssp_backup.cpio
        

Installing a Single SSP Configuration

To Install Trusted Solaris SSP 3.1.1 on the Main SSP
  1. Log in as a user who can assume the root and secadmin roles. Assume the root role.

  2. As root at label admin_low, perform "Installing from a CDROM" if you have not done so.

  3. Change directory to the Tools directory:


    ssp# cd /cdrom/root/Tools
    
  4. Install the Trusted Solaris SSP 3.1.1 software by typing:


    ssp# ./ssp_install pathname
    

    Where pathname is the path to the Product directory, /cdrom/root/Product.

  5. When you are asked if you want to install the SSP 3.1.1 AnswerBook (the SUNWuessp package), type y to install it; otherwise, type n.

    If you install the SSP 3.1.1 Answerbook, you must respond to the following prompts:

    1. When you are requested to select an installation option, type 2 (heavy installation):

      Select an installation option: 2

    2. When requested to specify the parent path for the AnswerBook2 Collection, type the path to the directory in which you want to put the SSP 3.1.1 AnswerBook.

      It is suggested that you install it in /opt.

      Specify the parent path of this AnswerBook2 Collection directory: /opt
      

    3. Type y at this prompt:

      This package contains scripts which will be executed with superuser 
      permission during the process of installing this package. 
      
      Do you want to continue with the installation of <SUNWuessp> [y,n,?]  y
      
  6. When you are asked if you want to install the SUNWsspfp package, type y to the prompts.

    Do you want to install the SUNWsspfp package? (y/n) y
    This package contains scripts which will be executed with superuser
    permissions during the process of installing this package.
    Do you want to continue with the installation of <SUNWsspfp> [y,n,?]  y
    
  7. Remove the /cdrom/root/Tools/ssp_install command from the Custom Root Role profile.

    1. Assume the secadmin role. At label admin_low, open the Profile Manager application.

    2. In the Profile Manager: Load window, select none for Name Service then click the OK button.

    3. In the Profile Manager: Open window select Custom Root Role, then click the Modify button.

    4. In the Profile Manager main window, select View from the menu bar, then select Commands from the submenu.

    5. Select the /cdrom/root/Tools/ssp_install command from the Include list and move it to the Exclude list.

    6. Select Profiles from the Profile Manager main window menu bar then select Save Profile from the submenu to save the profile.

  8. Assume the root role and, at label admin_low, unmount /cdrom/root using the following command:


    ssp# umount /cdrom/root
    
  9. In the root role, at label admin_low, use the Device Allocation Manager to deallocate the CDROM drive. Remove the CDROM.

    Do not use the Volume Manager; it is disabled in the Trusted Solaris environment.

  10. If you have a backup file of the SSP environment, restore it.

    1. In the root role, at label admin_low, copy the ssp_backup.cpio file to a backup directory on SSP1.

    2. Type:


      ssp# /opt/SUNWssp/bin/ssp_restore backup_directory/ssp_backup.cpio
      

      Where backup_directory is the directory to which you copied the ssp_backup.cpio file in Step a.

      This restores the SSP environment on SSP1.

  11. Type:


    ssp# /opt/SUNWssp/bin/ssp_config
    Beginning setup of this workstation to act as a MAIN or SPARE SSP.
    Are you currently configuring the MAIN SSP? (y/n) y
    MAIN SSP configuration completed.

    If you did not perform a restore in Step 10, you will need to provide system information. See "To Name the Platform and Control Board" for more information.

  12. Reboot the SSP.

  13. To configure Trusted Solaris SSP 3.1.1 on the SSP, perform the steps in "Configuring Trusted Solaris SSP 3.1.1".

  14. If alternate pathing is desired on the SSP, install the Trusted Solaris AP 2.2 as described in Chapter 5, Trusted Solaris Alternate Pathing 2.2 on the Sun Enterprise 10000 Server.
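
The ssp_install command holds all privileges only while the software is being installed, so it helps to confirm both the state set up in "Installing from a CDROM" and the state left by steps 7 through 9. The script below is an added example, not part of the original manual or the SSP software; it checks captured df -k and clist -p output and nsswitch.conf text in the formats shown in this chapter, its function names and sample data are constructed, and it assumes clist -p prints no line for a command that is not in the profile.

```shell
#!/bin/sh
# Added example (not from the original manual): audit the temporary privilege
# grant around ssp_install. Checks read captured command output, so they work
# on the SSP or on saved evidence. All sample data below is constructed.

INSTALLER=/cdrom/root/Tools/ssp_install

# Succeed if the tsolprof entry (nsswitch.conf text on stdin) lists "files" first.
tsolprof_files_first() {
    awk '/^[ \t]*tsolprof[ \t]*:/ { sub(/^[^:]*:[ \t]*/, ""); seen = 1; ok = ($1 == "files") }
         END { exit !(seen && ok) }'
}

# Print the privileges that `clist -p` output (stdin) reports for ssp_install.
# Assumption: a command that is not in the profile has no line at all.
installer_privs() {
    awk -v cmd="$INSTALLER:" '$1 == cmd { $1 = ""; sub(/^ +/, ""); print }'
}

# Succeed if `df -k` output (stdin) shows a file system mounted on /cdrom/root.
cdrom_mounted() {
    awk '$NF == "/cdrom/root" { hit = 1 } END { exit !hit }'
}

# audit pre|post NSSWITCH_FILE CLIST_OUTPUT_FILE DF_OUTPUT_FILE
#   pre:  state required before running ssp_install
#   post: state required after steps 7 to 9 (grant removed, CD unmounted)
audit() {
    phase=$1; rc=0
    privs=$(installer_privs < "$3")
    case $phase in
    pre)
        tsolprof_files_first < "$2" || { echo "FAIL: tsolprof does not list files first"; rc=1; }
        [ "$privs" = all ] || { echo "FAIL: ssp_install privileges: ${privs:-none}, expected all"; rc=1; }
        cdrom_mounted < "$4" || { echo "FAIL: /cdrom/root is not mounted"; rc=1; }
        ;;
    post)
        [ -z "$privs" ] || { echo "FAIL: ssp_install still in profile ($privs)"; rc=1; }
        if cdrom_mounted < "$4"; then
            echo "FAIL: /cdrom/root still mounted with forced privileges"; rc=1
        fi
        ;;
    *)  echo "usage: audit pre|post nsswitch clist_out df_out" >&2; return 2 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $phase checks passed"
    return "$rc"
}

# Constructed captures: the state before install, then after cleanup.
demo() {
    d=$(mktemp -d) || return 1
    printf 'passwd: files nisplus\ntsolprof: files nisplus\n' > "$d/nsswitch"
    printf '%s: all\n' "$INSTALLER" > "$d/clist.pre"
    printf '/dev/dsk/c0t2d0s0  544100 544100  0  100%%  /cdrom/root\n' > "$d/df.pre"
    : > "$d/clist.post"; : > "$d/df.post"
    audit pre  "$d/nsswitch" "$d/clist.pre"  "$d/df.pre"
    audit post "$d/nsswitch" "$d/clist.post" "$d/df.post"
    # A grant that was never removed must be reported:
    audit post "$d/nsswitch" "$d/clist.pre" "$d/df.post" || echo "(expected failure)"
    rm -rf "$d"
}

# With four arguments run the audit on real captures; otherwise run the demo.
if [ "$#" -eq 4 ]; then audit "$@"; else demo; fi
```

On the SSP, save the output of clist -p and df -k to files in the root role and pass them with /etc/nsswitch.conf, for example: sh audit.sh post /etc/nsswitch.conf clist.out df.out (audit.sh is a placeholder file name).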

Entering System Information in the Trusted Solaris 3.1.1 Environment

To Name the Platform and Control Board

If you did not restore the SSP environment during the install procedure, you will be prompted for system information when running the /opt/SUNWssp/bin/ssp_config command for the main SSP, or during the reboot of the SSP.


Caution -

If you are rebooting, you must be at the SSP workstation console to see the messages described in this section. You cannot see these messages or perform these steps from a remote login session.


  1. Specify the processor speed by typing in the corresponding number:

    • 1 for 250 MHz processors

    • 2 for 336 MHz processors

    • 3 for 400 MHz processors

    • 4 for 500 MHz processors

    • 5 for Unlisted (manually enter clock values)

      If you have a mixture of processors, select the number corresponding to the lowest processor speed. You are prompted to confirm your selection.

  2. Enter the name of the platform this SSP will service.

    The platform name is simply a name by which the SSP software refers to the entire Sun Enterprise 10000 host. The platform name is not the host name of a domain. A domain name can be the same as the platform name, but it is not recommended.


    Note -

    The term starfire is reserved and cannot be used as the platform name.



    Note -

    If you make a mistake during this configuration session, continue to the end of the prompts where you will be given an opportunity to correct any errors.


  3. Define the host control boards.

    For each control board slot, indicate whether there is a control board present and the host name for the respective control board (host names are in the /etc/hosts file). If the IP address for a control board is not found, you will be prompted for this information. If two control boards are present, you will be asked which control board is the primary (active) control board.

    Here is a representative session:


    Do you have a control board 0? (y/n)y
    Please enter the host name of the control board 0 [allxf4cb0]: xf4-cb0
    Do you have a control board 1? (y/n)y
    Please enter the host name of the control board 1 [allxf4cb1]: xf4-cb1
    
    Please identify the primary control board.
    
    Is Control Board 0 [xf4-cb0] the primary? (y/n)y
    
    Platform name     = allxf4
    Control board 0 = xf4-cb0 => 129.153.151.123
    Control board 1 = xf4-cb1 => 129.153.152.123
    Primary Control Board = 0
    
    Is this correct? (y/n)y
    

    You are prompted to indicate whether this is a main SSP or spare SSP:


    Are you currently configuring the MAIN SSP? (y/n) y
    

    When the upgrade is complete, the following message is displayed:


    MAIN SSP configuration completed.

Configuring Trusted Solaris SSP 3.1.1

After you have completed installing Trusted Solaris SSP 3.1.1, you need to check the version of the flash PROM and upgrade if necessary. For SSP 3.1.1, you must upgrade your flash PROM if the version is earlier than 3.46. See "Checking and Upgrading the Control Board Flash PROM" below.

You may also need to:

Checking and Upgrading the Control Board Flash PROM

You need to have the correct version of the flash PROM boot firmware installed on the control boards; the boot firmware is required to download the control board executive (CBE). You must upgrade if the version is earlier than 3.46.

To Check the Flash PROM Version
  1. Log in as a user and assume the ssp role on the main SSP.

  2. Check the version of the flash PROM on your control boards by typing:


    ssp% cb_prom -r -h control_board_name 
    
    Checking PROM revision...3.44

    where control_board_name is the name of the control board as specified in the /etc/hosts configuration file.

    If the version displayed is earlier than 3.46, you must upgrade the flash PROM as described in the following procedure.

To Upgrade the PROM
  1. Type:


    ssp% cb_prom -p /opt/SUNWssp/cbobjs/flash_boot.ima -h \
    control_board_name
    Programming PROM...complete.
  2. To have the PROM change take effect, type:


    ssp% cb_reset
    
    Resetting host xf4-cb0...
    Resetting host xf4-cb1...
    xf4-cb1 is ready...
    xf4-cb0 is ready...

    where xf4-cb1 and xf4-cb0 are replaced with the names of the control boards for your system.

  3. Verify the PROM version by typing:


    ssp% cb_prom -r -h control_board_name
    Checking PROM revision...3.46

    where control_board_name is the name of the control board as specified in the /etc/hosts configuration file. The version shown should be 3.46.
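
The check, upgrade and verify steps above can be gated by a script that reads the cb_prom -r output and fails closed when no revision can be read. This is an added example, not part of the original manual or the SSP software; the function names are constructed, the sample output lines follow the format shown above, and revisions are assumed to compare as integer major and minor parts.

```shell
#!/bin/sh
# Added example (not from the original manual): decide from the output of
# `cb_prom -r -h <control_board_name>` whether a control board's flash PROM
# is earlier than the 3.46 minimum stated for SSP 3.1.1.

MIN_PROM=3.46

# Extract the revision from a "Checking PROM revision...3.44" line on stdin.
prom_revision() {
    sed -n 's/^.*Checking PROM revision\.\.\.\([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p' | head -1
}

# version_lt A B: succeed if A is earlier than B.
# Assumption: revisions are MAJOR.MINOR and each part compares as an integer.
version_lt() {
    [ "${1%%.*}" -lt "${2%%.*}" ] && return 0
    [ "${1%%.*}" -eq "${2%%.*}" ] && [ "${1#*.}" -lt "${2#*.}" ]
}

# prom_status BOARD: read that board's cb_prom -r output on stdin and print
# "BOARD REVISION ok|upgrade". Returns 0 if current, 1 if an upgrade is
# needed, 2 if no revision line was found (treated as a failure, not a pass).
prom_status() {
    rev=$(prom_revision)
    if [ -z "$rev" ]; then
        echo "$1 unknown unreadable"
        return 2
    fi
    if version_lt "$rev" "$MIN_PROM"; then
        echo "$1 $rev upgrade"
        return 1
    fi
    echo "$1 $rev ok"
}

# Constructed sample output for two boards; the third call has no output at
# all, as when the command could not report a revision.
demo() {
    printf 'Checking PROM revision...3.44\n' | prom_status xf4-cb0 || true
    printf 'Checking PROM revision...3.46\n' | prom_status xf4-cb1
    : | prom_status xf4-cb1 || true
}
demo

# Live use in the ssp role, one board at a time:
#   cb_prom -r -h xf4-cb0 | prom_status xf4-cb0
```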

Editing Initialization Files

When you run the ssp_restore command, the following files are copied and saved with a .__upgrade suffix. If you have made changes to these files, you can incorporate these changes into the new versions of the files when you have completed the install procedure.

The default blacklist(4) file found in /var/opt/SUNWssp/etc is backed up by ssp_backup and restored by ssp_restore. However, if you have created a .postrc file that changes the location of the blacklist file, the relocated blacklist file is not backed up by ssp_backup.

The following files are copied and saved when you run ssp_restore.

If you made changes to the Ultra-Enterprise-10000.snmpd.cnf file that is in the /etc/opt/SUNWssp/snmp/agt directory, you will have to incorporate your changes into the file installed on the restored system.


Note -

No copy is made if a file does not exist.


Configuring the Network Time Protocol Daemon

The NTP daemon, ntpd(1M), provides a mechanism for keeping the time settings synchronized between the SSP and the domains. OBP obtains the time from the SSP when the domain is booted, and NTP keeps the time synchronized from that point on.

The configuration is based on information provided by the system administrator. If you are not currently running in an NTP subnet, and you do not have access to the Internet, and you are not going to use a radio clock, you can set up the Sun Enterprise 10000 system to use its own internal time-of-day clock as the reference clock. Usually, however, the SSP uses its internal time-of-day clock for the Sun Enterprise 10000 system.

The NTP packages are compiled with support for a local reference clock. This means that your system can poll itself for the time instead of polling another system or network clock. The poll is done through the network loopback interface. The first three numbers in the IP address are 127.127.1. The last numbers in the IP address are the NTP stratum to use for the clock.

When setting up a Sun Enterprise 10000 system and its SSP, set the SSP to stratum 4. Set up the Sun Enterprise 10000 system as a peer to the SSP and set the local clock two strata higher.

If the ntp.conf file does not exist, create it as described in the following procedure.

To Create the ntp.conf File
  1. On the SSP, log in as a user who can assume the root role and assume it.

  2. Create the /etc/inet/ntp.conf file in a text editor.

You must have an ntp.conf file on both the SSP and the platform. The following is an example of server/peer lines in the /etc/inet/ntp.conf file on the SSP.


server 127.127.1.4

You can add lines similar to the following to the /etc/inet/ntp.conf file on the platform:


server ssp_name
server 127.127.1.13
fudge 127.127.1.13 stratum 13

For more information on the NTP daemon, refer to the Network Time Protocol User's Guide and the NTP Reference.

Creating a User for the SSP Administrator

The installation of Trusted Solaris SSP 3.1.1 enabled the user install to assume the ssp role. This was done to make it easier to do the rest of the SSP 3.1.1 installation and configuration procedures. However, the user install is not a normal user and should not be used as such. It is highly recommended that a normal user be created for the SSP administrator's login. This user should be able to assume the ssp, root, admin and secadmin roles. For more information on creating a user, see "Using the User Manager to Configure Accounts" in Trusted Solaris Administrator's Procedures.