Trusted Solaris 8 Installation and Configuration on the Sun Enterprise 10000

Chapter 4 Installing and Configuring the Trusted Solaris SSP 3.3

After the Trusted Solaris 8 operating environment is installed and configured on the SSP and the SSP network is configured, the Trusted Solaris version of SSP 3.3 software can be installed. The procedures in this chapter require that you have completed the preparation for SSP installation in Chapter 3, Preparing for SSP 3.3 Installation. This chapter describes the following topics:

Preparing to Install from a CD-ROM

To install the Trusted Solaris version of SSP 3.3 shipped on the Trusted Solaris Supplement CD, you need to set up the CD-ROM. The following set of procedures properly allocates and mounts the CD-ROM for installing the Trusted Solaris SSP 3.3 software, and enables the admin role to execute the commands on the CD.

Prepare the CD-ROM Device
  1. Log in to the SSP as a user who can assume the system administrator role, hereafter called the admin role.

  2. In the admin role, follow the procedure in Setting up a CD-ROM.

Check the prof_attr Setting in the nsswitch.conf File

    In the admin role, use the Name Service Switch action in the System_Admin folder to make sure the nsswitch.conf(4) entry for the prof_attr database has an appropriate entry for your configuration.

    The following example shows the correct /etc/nsswitch.conf prof_attr entry for an SSP that is a NIS+ client:


    prof_attr:    files nisplus
    

Installing SSP 3.3 on a Trusted Solaris 8 Operating Environment

Before installation, all of the preparatory work in Chapter 3, Preparing for SSP 3.3 Installation should be complete. If you plan to install a spare SSP and a main SSP, install the spare SSP first.

To Create a New Trusted Solaris SSP 3.3 Disk

All tasks are performed by the system administrator (admin role) at the label admin_low.

  1. On the SSP, log in as a user who can assume the admin role and assume it.

  2. In the admin role, finish setting up the CD-ROM if you have not done so.

  3. See Setting up a CD-ROM if you are unfamiliar with the procedure.

  4. Change directory to the Tools directory:


    ssp$ cd /cdrom/admin-cdrom_0/trusted_sol_8_sup1/System_Service_Processor_3.3/Tools
    

  5. Install the Trusted Solaris SSP software by typing:


    ssp$ ./ssp_install ../Product
    

  6. When you are asked to install the SUNWsspfp (the SSP flash prom image) package, type y.

    The installation process verifies the disk space available and checks for any conflicts with packages already installed.

  7. If conflicting files exist, type y when you are asked if you want to install these conflicting files.

  8. Use the Device Allocation Manager to deallocate the CD-ROM drive. Remove the CD.

    If you are unfamiliar with the steps, see Deallocating the CD-ROM.

  9. If you have a backup file of a previous SSP environment, restore this file by typing:


    ssp$ /opt/SUNWssp/bin/ssp_restore backup_directory/ssp_backup.cpio
    

    where the backup_directory is the directory in which the ssp_backup.cpio file resides. For information on backing up the SSP, see To Create an SSP Backup File.

  10. Configure the SSP as a main or spare using the ssp_config(1M) command.


    ssp$ /opt/SUNWssp/bin/ssp_config
    

    The subsequent prompts and information displayed will vary depending on whether you restored a backup file in Step 9.

    The following is an example session that shows the prompts and responses displayed if you restored an SSP backup file and you are configuring the main SSP:


    Beginning setup of this workstation to act as a MAIN or SPARE SSP.
    Are you currently configuring the MAIN SSP? (y/n)y
    MAIN SSP configuration completed.

  11. If you did not restore the SSP environment during the install procedure, you will be prompted for system information. See To Enter SSP System Information for details.

  12. Reboot the SSP.

  13. Log in to the SSP as user ssp with password ssp.

  14. Enter the value for the SUNW_HOSTNAME variable (the platform name) when you are prompted to do so.

  15. If you have just configured the spare SSP, stay in the admin role to perform the following steps on each domain.

    If the domain is running Trusted Solaris software, the following steps need to be run from the admin role. See Step 1 for how to access a Trusted Solaris domain from the admin role.

    If the domain is running Solaris software, you can reach the domain's root user by connecting with netcon(1M) and then logging in as root.

    1. Edit the /etc/ssphostname file to replace the host name of the main SSP with the host name of the spare SSP.

    2. Switch console communication from the main SSP to the spare SSP by typing:


      $ /etc/init.d/cvc stop
      $ /etc/init.d/cvc start
      

    3. Configure the spare SSP by following the steps in Configuring Trusted Solaris SSP 3.3.

  16. If you have just configured the main SSP, do the following:

    1. Monitor the platform message file by typing:


      ssp% tail -f $SSPLOGGER/messages
      

    2. Before proceeding, wait for the “Startup of SSP programs complete” message to appear in the log.

      The platform message file displays information about various SSP processes that are started. If you did not restore an SSP backup file, the thermcaldata.tcl database is generated during SSP startup, which may take some time to complete.

    3. Check the platform message file and verify that the correct flash PROM version (3.46) is installed.

      For information on updating the control board prom, see the cb_prom(1M) man page.


    Note –

    If an error occurs during installation, use the pkgrm(1M) command to remove all SSP 3.3 software packages that were installed, and return to the beginning of the SSP 3.3 installation procedure.


To Install and Synchronize Spare and Main SSPs

The main SSP is installed after the spare SSP is installed and configured.

  1. Install Trusted Solaris 8, Trusted Solaris SSP 3.3, and Trusted Solaris AP 2.3 on the main SSP.

  2. If you have made changes to the SSP environment on the spare SSP, synchronize the two SSPs using new backup files.

    1. In the admin role at label admin_low, create a backup file on the spare.


      ssp$ /opt/SUNWssp/bin/ssp_backup backup_directory 
      

    2. In the admin role at label admin_low, restore the backup file on the main SSP.


      ssp$ /opt/SUNWssp/bin/ssp_restore backup_directory/ssp_backup.cpio
      

Entering System Information in the Trusted Solaris SSP 3.3 Environment

If you did not restore a backup file during the install procedure, you will be prompted for the following system information.


Caution –

If you are rebooting, you must be at the SSP workstation console to see the messages described in this section. You cannot see these messages or perform these steps from a remote login session.


To Enter SSP System Information
  1. Specify the processor speed by typing in the corresponding number.

    If you have a mixture of processors, select the number corresponding to the lowest processor speed. You are prompted to confirm your selection.

  2. Enter the name of the platform this SSP will service.

    The platform name is simply a name by which the SSP software refers to the entire Sun Enterprise 10000 host. The platform name is not the host name of a domain. A domain name can be the same as the platform name, but it is not recommended.


    Note –

    The term starfire is reserved and cannot be used as the platform name.


  3. Define the host control boards.

    For each control board slot, indicate whether there is a control board present and the host name for the respective control board (host names are in the /etc/hosts file). If the IP address for a control board is not found in existing configuration files, you will be prompted for this information. If two control boards are present, you will be asked which control board is the primary (active) control board.

  4. Confirm your responses to all the system information questions.

  5. Indicate whether this is a main SSP or spare SSP.

    The following is an example session that shows the prompts and responses displayed if you did not restore a backup file:


    ssp$ /opt/SUNWssp/bin/ssp_config
    
     You must specify what type of processor modules you have installed in your
     Enterprise-10000 platform. Please select one of the options below.
    
     1) 250 MHz processors
     2) 336 MHz processors
     3) 400 MHz processors
     4) Unlisted (manually enter clock values)
     5)
     
     What speed of processors do you have installed? 2
     
     Your selections are apparently for a 336 MHz processor.
     
     Is this correct? (y/n) y
    
     The platform name identifies the entire host machine to the SSP
     software. The platform name occupies a different name space than
     domain names (hostnames of bootable systems).
    
     What is the name of the platform this SSP will service? allxf4
    
     Do you have a control board 0? (y/n) y
    
     Please enter the host name of the control board 0 [allxf4cb0]: xf4-cb0
     
     Do you have a control board 1? (y/n) y
    
     Please enter the host name of the control board 1 [allxf4cb1]: xf4-cb1
    
     Please identify the primary control board.
    
     Is Control Board 0 [xf4-cb0] the primary? (y/n) y
    
     Platform name = allxf4
     Control board 0 = xf4-cb0 => 129.153.151.123
     Control board 1 = xf4-cb1 => 129.153.152.123
     Primary Control Board = 0
     Is this correct? (y/n) y
     Are you currently configuring the MAIN SSP? (y/n) y
     Main SSP configuration completed.

  6. Return to Step 12 and continue.

Configuring Trusted Solaris SSP 3.3

After you have completed installing Trusted Solaris SSP 3.3, you may need to do the following:


Note –

The flash PROM boot firmware should be version 3.46.


Enabling the User ssp to Administer the SSP

The user ssp is created by default during SSP installation. The secadmin role must assign profiles that enable the ssp user to administer the SSP.

It might be useful for the user ssp to be able to assume administrative roles, such as admin. For more information on the value of assigning roles, see “Understanding Trusted Software Administration” in Trusted Solaris Administration Overview.

Assign SSP Administration Profile to ssp
  1. Log in as a user who can assume the role secadmin and assume it.

  2. Add two rights, “SSP Administration” and “SSP Installation” to the ssp user.

    1. Invoke the Solaris Management Console toolbox where the ssp user is defined for your site.

      See “To Select a Toolbox of the Appropriate Scope” in Trusted Solaris Installation and Configuration if you need help in choosing the correct toolbox.

    2. Double-click the Trusted Solaris Configuration node in the Navigation pane.

    3. Double-click the Users tool and enter the secadmin role password.

    4. Double-click the User Accounts tool.

    5. Double-click the ssp user.

    6. Click the Rights tab.

    7. Follow the online help to add the SSP profiles to the ssp user's Granted Rights.

  3. Click the Roles tab and assign the admin role to the ssp user if site security permits.

  4. Click OK to save your changes.

Editing Initialization Files

When you run the ssp_restore command, the following files are copied and saved with a .__upgrade suffix. If you have made changes to these files, you can incorporate these changes into the new versions of the files when you have completed the install procedure.

The default blacklist(4) file found in /var/opt/SUNWssp/etc is backed up by ssp_backup and restored by ssp_restore. However, if you have created a .postrc file that changes the location of the blacklist file, the relocated blacklist file is not backed up by ssp_backup.

The following files are copied and saved when you run ssp_restore.

The following additional files are copied and saved only when ssp_restore is run:

If you made changes to the Ultra-Enterprise-10000.snmpd.cnf file that is in the /etc/opt/SUNWssp/snmp/agt directory, you will have to incorporate your changes into the file installed on the restored system.


Note –

These files are located in the ADMIN_LOW single-level directory (SLD) of the /export/home/ssp directory. If you want to edit them, you need to log in as the user ssp at the label ADMIN_LOW. This is the default if you are accessing the SSP via CDE login or CDE rlogin. If you are performing a command line rlogin to the user ssp, you probably are not working at the ADMIN_LOW label and will see these files as symbolic links of the actual files in the ADMIN_LOW SLD.
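
One way to find which saved copies still need merging, as an added example that is not part of the original guide or the SSP software. It assumes a POSIX shell and awk; the directory to scan is passed as an argument, and the `symlink` state corresponds to the view described in the note above when you are not working at the ADMIN_LOW label.

```shell
# Added example: report saved *.__upgrade copies that still need a manual merge.

# upgrade_status DIR
# Prints "<state> <path>" for every saved copy under DIR, where <path> is the
# name without the .__upgrade suffix and <state> is one of:
#   same     saved copy and current file are byte-identical
#   differs  contents differ; review and merge by hand
#   missing  no current file exists beside the saved copy
#   symlink  either path is a symbolic link, as seen outside the ADMIN_LOW SLD
upgrade_status() {
    find "$1" -name '*.__upgrade' | sort | while IFS= read -r saved; do
        cur=${saved%.__upgrade}
        if [ -L "$saved" ] || [ -L "$cur" ]; then state=symlink
        elif [ ! -e "$cur" ]; then state=missing
        elif cmp -s "$saved" "$cur"; then state=same
        else state=differs
        fi
        printf '%s %s\n' "$state" "$cur"
    done
}

# Print how many saved copies differ from the current file.
upgrade_pending() {
    upgrade_status "$1" | awk '$1 == "differs" { n++ } END { print n + 0 }'
}
```
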


Configuring the Network Time Protocol Daemon

If the SSP is to function as a time server, configure the Network Time Protocol (NTP) daemon.

The NTP daemon, xntpd(1M), provides a mechanism for keeping the time settings synchronized between the SSP and the domains. OBP obtains the time from the SSP when the domain is booted, and NTP keeps the time synchronized from that point on.

The configuration is based on information provided by the system administrator. If the Sun Enterprise 10000 system is not currently running in an NTP subnet, does not have access to the Internet, and is not going to use a radio clock, you can set up the Sun Enterprise 10000 system to use its own internal time-of-day clock as the reference clock. Usually, however, the SSP uses its internal time-of-day clock for the Sun Enterprise 10000 system.

The NTP packages are compiled with support for a local reference clock. This means that your system can poll itself for the time instead of polling another system or network clock. The poll is done through the network loopback interface. The first three numbers in the IP address are 127.127.1. The last numbers in the IP address are the NTP stratum to use for the clock.

When setting up the SSP and the domains, set the SSP to stratum 4. Set up the domains as peers to the SSP and set the local clock two strata higher.

If the ntp.conf file does not exist, create it as described in the following procedure.

To Create the ntp.conf File
  1. On the SSP, log in as a user who can assume the admin role and assume it.

  2. Using the Admin Editor action, create the /etc/inet/ntp.conf file.

You must have an ntp.conf file on both the SSP and the domains. The following is an example of server/peer lines in the /etc/inet/ntp.conf file on the SSP.


    server 127.127.1.0
    fudge 127.127.1.0 stratum 8

You can add lines similar to the following to the /etc/inet/ntp.conf file on the domains:


    server ssp_name
    server 127.127.1.0
    fudge 127.127.1.0 stratum 10

For more information on the NTP daemon, refer to the xntpd(1M) man page.
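
The following added example, which is not part of the original guide or the SSP software, checks a pair of ntp.conf files against the layout shown above: a local reference clock on both hosts, a `server` line for the SSP on the domain, and a domain local-clock stratum two higher than the SSP's. It assumes a POSIX shell and awk; the file paths and the SSP host name are supplied by the caller, and only the relative stratum offset is checked, not an absolute value.

```shell
# Added example: consistency check for an SSP/domain ntp.conf pair.
LOCAL_CLOCK=127.127.1.0   # local reference clock address used in this chapter

# Print the stratum fudged onto the local reference clock (nothing if unset).
local_stratum() {
    awk -v clk="$LOCAL_CLOCK" '
        $1 == "fudge" && $2 == clk {
            for (i = 3; i < NF; i++) if ($i == "stratum") s = $(i + 1)
        }
        END { if (s != "") print s }' "$1"
}

# Succeed if FILE ($1) has an uncommented "server HOST" line (HOST is $2).
has_server() {
    awk -v h="$2" '$1 == "server" && $2 == h { ok = 1 } END { exit !ok }' "$1"
}

# check_ntp_pair SSP_CONF DOMAIN_CONF SSP_NAME
# Returns 0 if the pair follows the layout; else prints each problem, returns 1.
check_ntp_pair() {
    ssp_conf=$1; dom_conf=$2; ssp_name=$3; rc=0
    has_server "$ssp_conf" "$LOCAL_CLOCK" || { echo "SSP: no local clock server line"; rc=1; }
    has_server "$dom_conf" "$ssp_name"    || { echo "domain: no server $ssp_name line"; rc=1; }
    has_server "$dom_conf" "$LOCAL_CLOCK" || { echo "domain: no local clock server line"; rc=1; }
    s=$(local_stratum "$ssp_conf"); d=$(local_stratum "$dom_conf")
    case "$s:$d" in
        *[!0-9:]*|:*|*:) echo "missing or non-numeric fudge stratum"; return 1 ;;
    esac
    if [ "$d" -ne $((s + 2)) ]; then
        echo "domain local clock stratum $d, expected $((s + 2))"; rc=1
    fi
    return $rc
}

# Stand-alone use: script SSP_CONF DOMAIN_CONF SSP_NAME
if [ $# -eq 3 ]; then check_ntp_pair "$@"; fi
```
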

Installing the SSP 3.3 AnswerBook2 Collection

This section explains how to manually install the SSP 3.3 AnswerBook2 document collection using the standard installation utility, pkgadd(1M).

The SSP 3.3 AnswerBook2 Collection

Before you install the SSP 3.3 AnswerBook2 documentation collection, you must have the AnswerBook2 Server Software installed. For instructions on installing the AnswerBook2 Server Software, see Installing and Administering an AnswerBook2 Server on docs.sun.com. The server software can be obtained from the following sources:

To Install the SSP 3.3 AnswerBook2 Collection

This procedure requires that the CD-ROM has been mounted as described in Setting up a CD-ROM.

  1. Log in as a user who can assume the admin role and assume it.

  2. If you have a previous version of the SUNWuessp package installed, remove it using the pkgrm(1M) command:


    ssp$ pkgrm SUNWuessp
    

  3. Change directory to the location of the SSP 3.3 AnswerBook package:


    ssp$ cd /cdrom/cdrom0/ssp3.3.sparc/System_Service_Processor_3.3_Answerbook/Product
    

  4. Add the SUNWuessp package by typing:


    ssp$ pkgadd -d . SUNWuessp
    

  5. When you are requested to select an installation option, type 2 (heavy installation):


    Select an installation option: 2
    

  6. When you are asked to specify the parent path for the AnswerBook2 Collection, type the path to the directory in which you want to put the SSP 3.3 AnswerBook2.

    It is recommended that you install the SSP AnswerBook2 Collection in /opt.


    Specify the parent path of this AnswerBook2 Collection directory: /opt
    

  7. Type y at the following prompt:


    This package contains scripts which will be executed with 
    super-user permission during the process of installing this package.
    
    Do you want to continue with the installation of <SUNWuessp> [y,n,?] y
    

A message indicates that the SUNWuessp package was successfully installed.

For instructions on launching the AnswerBook2 viewer and viewing document collections, see Viewing Online Documentation Using the AnswerBook2 System in AnswerBook2 Help Collection on docs.sun.com.