This chapter provides an overview of the tasks required to install and configure the Sun N1 Service Provisioning System 6.0. This chapter also contains an overview of the applications included in the Sun N1 Service Provisioning System 6.0 and the types of network protocols that you can use for additional security.
This chapter discusses the following topics:
Installing the Sun N1 Service Provisioning System 6.0 – Process Overview
Overview of Sun N1 Service Provisioning System 6.0 Applications
The process overview below describes the tasks necessary to properly install and configure the Sun N1 Service Provisioning System 6.0.
Determine whether your server meets the minimum requirements to install.
See Chapter 2, System Requirements for the Sun N1 Service Provisioning System 6.0.
Make configuration decisions and gather the information that you need to install the product.
(Optional) You can create a special operating system group and user account to be used by Sun N1 Service Provisioning System 6.0.
If you create a new user and a new group, be sure to include the new user in the group. For more information about creating user accounts, see the documentation for your operating system.
(Optional) Install Jython on CLI Client machines.
You might choose to install Jython on any machine from which you want to run the CLI Client. Jython is not required to run the CLI Client. Jython is available from http://www.jython.org.
For more information about using the CLI CLient with Jython, see Chapter 1, Using the Command-Line Interface, in Sun N1 Service Provisioning System 5.2 Command-Line Interface Reference Manual.
Install each of the Sun N1 Service Provisioning System 6.0 applications individually using the appropriate installation script provided on the product media.
For installation instructions, see Chapter 4, Installing the Sun N1 Service Provisioning System 6.0 on Linux and UNIX Systems or Chapter 5, Installing the Sun N1 Service Provisioning System 6.0 on Windows Systems.
(Optional) If you plan to access the Master Server on the Internet, you can increase the Master Server security by configuring the Sun N1 Service Provisioning System 6.0 to use SSH to communicate with that server.
See Chapter 8, Configuring the Sun N1 Service Provisioning System 6.0 to Use Secure Shell.
(Optional) If you want to provide the maximum security for communication among the applications, configure the applications to use SSL when communicating.
See Chapter 9, Configuring the Sun N1 Service Provisioning System 6.0 for SSL.
(Optional) If you do not use SSL to provide security for communication among applications, you can configure the JVM security policy so that the applications accept only connections from localhost. This setup provides a minimum level of security.
See Chapter 10, Configuring the Java Virtual Machine Security Policy.
(Optional) Start the applications.
The installation program prompts you to start the applications upon successful installation. If you choose not to start the applications at that time, start the applications by following the instructions in Starting Applications on Linux and UNIX Systems or Starting Applications on Windows Systems.
Complete the initial setup.
See Configuring the Sun N1 Service Provisioning System – Process Overview in Sun N1 Service Provisioning System 5.2 System Administration Guide for more initial setup instructions.
The Sun N1 Service Provisioning System 6.0 is a distributed software platform. The provisioning system includes the following special-purpose applications that you install on the servers in your network. These applications interact to allow you to deploy software to the servers in your network.
Master Server – A central server that stores components and plans, and provides an interface for managing application deployments.
Local Distributor – Optional servers that act as a proxy for the Master Server to optimize network communications across data centers and through firewalls.
Remote Agent – A management application that performs operations on a host. Every server that you want to be controlled by the Sun N1 Service Provisioning System 6.0 must have the Remote Agent application.
Command Line Interface Client – Optional applications that accept commands to be executed on the Master Server.
The Master Server runs on Linux, UNIX, and Windows based servers. The Master Server is a central server that does the following:
Manages a database that identifies all of the hosts that are registered in the provisioning software
Stores components and plans in a repository
Performs version control on the objects that are stored in the repository
Authenticates provisioning system users and ensures that only authorized users perform specific operations
Includes special-purpose engines for performing tasks such as dependency tracking and deployments
Provides both a browser interface and a command-line interface for users
A Local Distributor is a proxy that optimizes the distribution and management of Remote Agents. Data centers can use Local Distributors to do the following:
Minimize network traffic during deployments. The Master Server sends one copy of a component to a Local Distributor, which replicates the component for installation on other servers.
Minimize firewall reconfigurations. If a firewall stands between the Master Server and a collection of servers, administrators can open the firewall only for the Local Distributors, rather than for every server involved in a deployment.
Minimize the load to the Master Server during large scale deployments.
The Remote Agent is an application that runs on every server being managed by the Sun N1 Service Provisioning System 6.0. Remote Agents perform the tasks requested by the Master Server. Remote agents can do the following:
Report server hardware and software configurations to the Master Server
Start and stop services
Manage directory contents and properties
Install and uninstall software
Run operating system commands and native scripts specified by components and plans
The Command Line Interface (CLI) Client provides a communication path to the Master Server to enable the execution of commands from local and remote servers. The CLI Client enables commands to be executed in the following environments:
Windows command line
UNIX shell such as bash
To execute these commands, the CLI Client establishes a connection to the Master Server through TCP/IP or securely using SSL, or SSH.
The CLI Client operates in the following two modes:
Single-command mode, which enables you to submit one command at a time
Interactive mode, which prompts you for commands, maintains a command history and allows for Jython scripting
When operating in interactive mode, the CLI Client uses the Jython programming language. Jython is a Java implementation of the high-level, dynamic, object-oriented language Python.
Install Jython on any server on which you plan to run the CLI Client in interactive mode. For more information about Jython and to download Jython, visit http://www.jython.org.
The Sun N1 Service Provisioning System 6.0 supports a variety of network protocols for communication among the software applications. You select the protocol to apply to each of the following types of network communication:
Communication between the Master Server and Local Distributors or Remote Agents
Communication between a particular Local Distributor and Remote Agents
Communication between the Master Server and a CLI Client
The Sun N1 Service Provisioning System 6.0 supports the following protocols:
Raw (TCP/IP)
Secure Shell
Secure Sockets Layer (SSL)
You can tailor your network security to meet the needs of your particular network topology. For example, the communication within each of your data centers is secure, but your network connection to a remote data center passes through the public Internet. You might configure the Master Server to use SSL when communicating with a Local Distributor that is installed inside the firewall of the remote data center. Consequently, the communication over the Internet to the remote data center is secure. The Local Distributor might use raw TCP/IP to communicate with the Remote Agents because the communication over the local network is secure. For more information about the different protocols and about configuring the protocols, read Chapter 8, Configuring the Sun N1 Service Provisioning System 6.0 to Use Secure Shell and Chapter 9, Configuring the Sun N1 Service Provisioning System 6.0 for SSL.
Raw (TCP/IP) is standard TCP/IP without additional encryption or authentication. The advantage of raw is that it requires no additional set-up and configuration. If your data center network is protected by a firewall, using raw provides a convenient method for communication among Sun N1 Service Provisioning System 6.0 applications.
Secure Shell (SSH) is a UNIX command suite and protocol for securely accessing a remote computer. SSH secures network client/server communications by authenticating both endpoints with a digital certificate and by encrypting passwords. SSH uses RSA public key cryptography to manage connections and authentication. SSH is more secure than telnet or other shell-based communication methods.
You can configure the Sun N1 Service Provisioning System 6.0 applications to communicate using SSH. The Sun N1 Service Provisioning System 6.0 supports OpenSSH which is a free version of SSH that has been primarily developed by the OpenBSD Project. For more details about OpenSSH, see http://www.openssh.com. The software can be configured to support other versions of SSH as well.
Secure Sockets Layer (SSL) is a protocol for securing communication over IP networks. SSL uses TCP/IP sockets technology to exchange messages between a client and a server while protecting the message with a public-and-private key encryption system developed by RSA. Support for SSL is included in most web server products, as well as in the Netscape NavigatorTM browser and Microsoft web browsers.
You can configure the Sun N1 Service Provisioning System 6.0 applications to use SSL for network communications to help prevent the software messages from being read or altered. Optionally, the applications can be configured to use SSL to authenticate each other before communicating, thereby increasing network security.
In general usage, plug-in applications are programs that can easily be installed and used as part of your web browser. A plug-in application is recognized automatically by the browser and its function is integrated into the main HTML file that is being presented. Web browser plug-in applications generally play sound or motion video or perform some other functions.
In the Sun N1 Service Provisioning System environment, a plug-in differs only slightly in concept from the general usage. A plug-in for the Sun N1 Service Provisioning System product is a packaged solution that extends the provisioning capability of the product for a specific platform, application, or environment. For example, you might create a plug-in solution for a specific application, such as Oracle 8i, or for some feature of an operating system, such as Solaris Zones.
A plug-in includes all of the relevant data that is needed to support a new custom application. The contents of the plug– in are described in the plug-in descriptor file. This file is located in a standard place within the plug–in packaging structure.
Several plug–ins have been created for use with the Sun N1 Service Provisioning System. The plug-ins are available on the Sun N1 Service Provisioning System 6.0: Supplement CD and in the image downloaded from the Sun Download Center.
The plug-ins are packaged in Java archive files (.jar files). To make a given plug-in known to the Sun N1 Service Provisioning System product, you need to import the plug-in. For instructions to import a plug-in, see the user's guide associated with the plug-in that you want to import in the Plug-In User's Guide document collection at http://docs.sun.com/db/coll/1329.1.
The Sun N1 Service Provisioning System provides the following features to ensure the security of your data, applications, and network.
Secure HTTP (HTTPS) support –You can configure your SPS environment to use HTTPS to ensure the security of your connection to the master server. By using Secure Sockets Layer (SSL) digital certificates and keystores, you can protect your connection to the Master Server through the web browser interface.
For more information, see Chapter 7, Configuring the Sun N1 Service Provisioning System 6.0 for HTTPS.
Secure Shell (SSH) support –SSH is a UNIX-based command suite and protocol for securely accessing a remote computer. SSH secures network client/server communications by authenticating both endpoints with a digital certificate and by encrypting passwords. SSH uses RSA public key cryptography to manage connections and authentication.
For more information, see Chapter 8, Configuring the Sun N1 Service Provisioning System 6.0 to Use Secure Shell.
Secure Sockets Layer (SSL) support – SSL is a protocol for securing communication over IP networks. SSL uses TCP/IP sockets technology to exchange messages between a client and a server, while protecting the message with a public and private key encryption system developed by RSA. Support for SSL is included in most web server products and most web browser software.
Sun N1 Service Provisioning System 6.0 applications can be configured to use SSL for their network communications, preventing messages from being read or tampered with.
For more information, see Chapter 9, Configuring the Sun N1 Service Provisioning System 6.0 for SSL.
Java Virtual Machine (JVM) security policies – Each Sun N1 Service Provisioning System 6.0 application has a Java Virtual Machine (JVM) security policy file. You can modify this policy file to restrict access to the Master Server, Remote Agents, and Local Distributors. You can configure these applications to only accept connections from a specific IP Address and Port range or to allow them only to connect to a specific IP Address and Port range.
For more information, see Chapter 10, Configuring the Java Virtual Machine Security Policy.
User authentication - The Sun N1 Service Provisioning System supports the Java Authentication and Authorization Service (JAAS) for user authentication. By editing the jaas.config file, you can configure your SPS environment to use the following authentication services:
LDAP
Sun Directory Server
Microsoft Windows 2000 Active Directory server
For more information, see Appendix A, Authentication Methods, in Sun N1 Service Provisioning System 5.2 System Administration Guide.
User groups - You can control the access to the different features of the Sun N1 Service Provisioning System software by assigning users to specific user groups. You can then assign certain permissions to each user group to limit the actions available to the users in that group.
For more information, see Chapter 4, Managing Users, in Sun N1 Service Provisioning System 5.2 System Administration Guide.
Permissions - You can assign permissions to user groups to restrict user access to either your entire provisioning environment or to specific plans and components. You can designate permission to run provisioning plans or to create components to a specific user group, and limit the permissions of a different user group to enable those users to manage user accounts.
For more information, see Chapter 3, Controlling Access Using Permissions, in Sun N1 Service Provisioning System 5.2 System Administration Guide.
You can also assign file system permissions to the files and directories assigned to a specific resource. By editing the XML in a resource descriptor file, you can override the file system permissions that are created when you check in a resource to SPS. For more information, see Using a Resource Descriptor File in Sun N1 Service Provisioning System 5.2 XML Schema Reference Guide.
User-Specific Steps – The SPS XML schema enables you to specify alternate users to run specific plans or components. The UserToRunAs attribute of the execNative element allows you designate specific users to run commands native to the operating system on a target host.
For more information, see <execNative> Step in Sun N1 Service Provisioning System 5.2 XML Schema Reference Guide Step in Sun N1 Service Provisioning System 5.2 XML Schema Reference Guide.
Access to Component Elements - The XML schema for Sun N1 SPS components allows you to control the access to specific elements of a component, including the following items:
Component variables
Steps to install, uninstall, or control steps on the component
The access attribute enables you to limit the accessibility of specific component elements to varying degrees. For more information, see Chapter 3, Component Schema, in Sun N1 Service Provisioning System 5.2 XML Schema Reference Guide.
User Sessions - Sun N1 SPS can use user sessions to authenticate users and their credentials to perform provisioning tasks. These sessions can be used to identify users throughout a series of related requests without reauthentication. User sessions use session variables to preserve session-related information, such as user authentication and other credentials.
For more information, see Session Variable Concepts in Sun N1 Service Provisioning System 5.2 Plan and Component Developer’s Guide.
You can modify the session variables in a current session without affecting the session variables that are saved in the database, or you can save your modifications. You can use the either the browser interface or the command-line interface to manage session variables. For more information, see Chapter 5, Session Variables, in Sun N1 Service Provisioning System 5.2 Plan and Component Developer’s Guide.
You can also supply session IDs with the command-line interface to authenticate specific commands. For more information, see Chapter 1, Using the Command-Line Interface, in Sun N1 Service Provisioning System 5.2 Command-Line Interface Reference Manual.
You can set user session duration and timeout policies for your SPS environment with a series of configuration variables in the config.properties file. For more information, see Appendix B, Commonly Updated Configuration Variables, in Sun N1 Service Provisioning System 5.2 System Administration Guide.