Trusted Solaris 8 Installation and Configuration on the Sun Enterprise 10000

Configuring Trusted Solaris SSP 3.3

After you have completed installing Trusted Solaris SSP 3.3, you may need to do the following:


Note –

The flash PROM boot firmware should be version 3.46.


Enabling the User ssp to Administer the SSP

The user ssp is created by default during SSP installation. The secadmin role must assign profiles that enable the ssp user to administer the SSP.

It might be useful for the user ssp to be able to assume administrative roles, such as admin. For more information on the value of assigning roles, see “Understanding Trusted Software Administration” in Trusted Solaris Administration Overview.

Assign SSP Administration Profile to ssp
  1. Log in as a user who can assume the role secadmin and assume it.

  2. Add two rights, “SSP Administration” and “SSP Installation”, to the ssp user.

    1. Invoke the Solaris Management Console toolbox where the ssp user is defined for your site.

      See “To Select a Toolbox of the Appropriate Scope” in Trusted Solaris Installation and Configuration if you need help in choosing the correct toolbox.

    2. Double-click the Trusted Solaris Configuration node in the Navigation pane.

    3. Double-click the Users tool and enter the secadmin role password.

    4. Double-click the User Accounts tool.

    5. Double-click the ssp user.

    6. Click the Rights tab.

    7. Follow the online help to add the SSP profiles to the ssp user's Granted Rights.

  3. Click the Roles tab and assign the admin role to the ssp user if site security permits.

  4. Click OK to save your changes.
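The SMC steps above grant the rights through the GUI. The following added example (not from the Sun guide) checks the result from the command line; it assumes, as with Solaris 8 RBAC, that a user's granted rights profiles and roles end up in user_attr(4) as "profiles=" and "roles=" attributes, and it parses a constructed sample file rather than the live /etc/user_attr.

```shell
#!/bin/sh
# Added example: confirm that the ssp user holds the two SSP rights profiles.
# Assumption: rights and roles are recorded in user_attr(4) as
# "profiles=..." and "roles=..." in the attribute field (5th colon field).
# The file below is a constructed sample, not a copy of a real system file.

USER_ATTR=${TMPDIR:-/tmp}/user_attr.sample.$$
cat > "$USER_ATTR" <<'EOF'
# constructed sample of user_attr entries
root::::auths=solaris.*;profiles=All
ssp::::profiles=SSP Administration,SSP Installation;roles=admin
EOF

# attr_value FILE USER KEY: print the value of KEY in USER's attribute field
attr_value() {
    awk -F: -v u="$2" -v k="$3" '
        /^#/ || $1 != u { next }
        { n = split($5, kv, ";")
          for (i = 1; i <= n; i++) {
              eq = index(kv[i], "=")
              if (substr(kv[i], 1, eq - 1) == k) print substr(kv[i], eq + 1)
          } }' "$1"
}

# has_profile FILE USER PROFILE: succeed if PROFILE is in USER's profiles= list
has_profile() {
    attr_value "$1" "$2" profiles | awk -F, -v p="$3" '
        { for (i = 1; i <= NF; i++) if ($i == p) found = 1 } END { exit !found }'
}

# check_ssp_rights FILE: both SSP profiles must be granted; the admin role is
# optional ("if site security permits"), so it is only reported, not required.
check_ssp_rights() {
    for p in "SSP Administration" "SSP Installation"; do
        has_profile "$1" ssp "$p" || { echo "ssp user lacks rights profile: $p"; return 1; }
    done
    echo "ok: ssp has both SSP rights profiles; roles=$(attr_value "$1" ssp roles)"
}

check_ssp_rights "$USER_ATTR"
```

To run it against a real system, point USER_ATTR at /etc/user_attr (read at ADMIN_LOW) instead of the constructed sample.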

Editing Initialization Files

When you run the ssp_restore command, the following files are copied and saved with a .__upgrade suffix. If you have made changes to these files, you can incorporate these changes into the new versions of the files when you have completed the install procedure.

The default blacklist(4) file found in /var/opt/SUNWssp/etc is backed up by ssp_backup and restored by ssp_restore. However, if you have created a .postrc file that changes the location of the blacklist file, the relocated blacklist file is not backed up by ssp_backup.

The following files are copied and saved when you run ssp_restore.

The following additional files are copied and saved only when ssp_restore is run:

If you made changes to the Ultra-Enterprise-10000.snmpd.cnf file that is in the /etc/opt/SUNWssp/snmp/agt directory, you will have to incorporate your changes into the file installed on the restored system.


Note –

These files are located in the ADMIN_LOW single-level directory (SLD) of the /export/home/ssp directory. If you want to edit them, you need to log in as the user ssp at the label ADMIN_LOW. This is the default if you are accessing the SSP via CDE login or CDE rlogin. If you are performing a command-line rlogin to the user ssp, you are probably not working at the ADMIN_LOW label and will see these files as symbolic links to the actual files in the ADMIN_LOW SLD.


Configuring the Network Time Protocol Daemon

If the SSP is to function as a time server, configure the Network Time Protocol (NTP) daemon.

The NTP daemon, xntpd(1M), provides a mechanism for keeping the time settings synchronized between the SSP and the domains. OBP obtains the time from the SSP when the domain is booted, and NTP keeps the time synchronized from that point on.

The configuration is based on information provided by the system administrator. If the Sun Enterprise 10000 system is not currently running in an NTP subnet, does not have access to the Internet, and is not going to use a radio clock, you can set up the Sun Enterprise 10000 system to use its own internal time-of-day clock as the reference clock. Usually, however, the SSP uses its internal time-of-day clock for the Sun Enterprise 10000 system.

The NTP packages are compiled with support for a local reference clock. This means that your system can poll itself for the time instead of polling another system or network clock. The poll is done through the network loopback interface. The first three numbers in the IP address are 127.127.1. The last number in the IP address is the NTP stratum to use for the clock.

When setting the SSP and the domains, set the SSP to stratum 4. Set up the domains as peers to the SSP and set the local clock two strata higher.

If the ntp.conf file does not exist, create it as described in the following procedure.

To Create the ntp.conf File
  1. On the SSP, log in as a user who can assume the admin role and assume it.

  2. Using the Admin Editor action, create the /etc/inet/ntp.conf file.

You must have an ntp.conf file on both the SSP and the domains. The following is an example of server/peer lines in the /etc/inet/ntp.conf file on the SSP.


server 127.127.1.0
fudge 127.127.1.0 stratum 8

You can add lines similar to the following to the /etc/inet/ntp.conf file on the domains:


server ssp_name
server 127.127.1.0
fudge 127.127.1.0 stratum 10
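The two snippets above follow the rule given earlier: the domain names the SSP as its server, and its local clock is fudged two strata below the SSP's. The following added example (not from the Sun guide) checks a pair of ntp.conf files against that rule; the file contents are the two snippets from this section, with ssp_name replaced by the placeholder host name ssp-host.

```shell
#!/bin/sh
# Added example: verify an SSP ntp.conf and a domain ntp.conf against the
# stratum rule in this section. The local reference clock is 127.127.1.x and
# its stratum is taken from the "fudge ... stratum N" line for that address.
# Both files below are constructed samples written to a temporary directory.

SSP_CONF=${TMPDIR:-/tmp}/ntp.conf.ssp.$$
DOM_CONF=${TMPDIR:-/tmp}/ntp.conf.domain.$$
printf 'server 127.127.1.0\nfudge 127.127.1.0 stratum 8\n' > "$SSP_CONF"
printf 'server ssp-host\nserver 127.127.1.0\nfudge 127.127.1.0 stratum 10\n' > "$DOM_CONF"

# local_stratum FILE: print the stratum fudged onto the local clock (empty if none)
local_stratum() {
    awk '$1 == "fudge" && $2 ~ /^127\.127\.1\./ {
            for (i = 3; i < NF; i++) if ($i == "stratum") print $(i + 1) }' "$1"
}

# has_server FILE HOST: succeed if FILE lists HOST on a server or peer line
has_server() {
    awk -v h="$2" '($1 == "server" || $1 == "peer") && $2 == h { found = 1 }
                   END { exit !found }' "$1"
}

# check_ntp SSP_FILE DOMAIN_FILE SSP_HOST: succeed only if the domain points at
# the SSP and its local clock stratum is exactly two higher than the SSP's.
check_ntp() {
    s=$(local_stratum "$1"); d=$(local_stratum "$2")
    [ -n "$s" ] || { echo "SSP: no fudge stratum for the local clock"; return 1; }
    [ -n "$d" ] || { echo "domain: no fudge stratum for the local clock"; return 1; }
    has_server "$2" "$3" || { echo "domain: no server line for $3"; return 1; }
    [ "$d" -eq $((s + 2)) ] || { echo "domain local clock stratum $d, expected $((s + 2))"; return 1; }
    echo "ok: SSP local clock stratum $s, domain local clock stratum $d"
}

check_ntp "$SSP_CONF" "$DOM_CONF" ssp-host
```

On a real installation, pass /etc/inet/ntp.conf from the SSP and from a domain (copied over) and the SSP's host name as used in the domain file.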

For more information on the NTP daemon, refer to the xntpd(1M) man page.