Sun ONE Portal Server, Secure Remote Access 6.1 Installation Guide
Chapter 1
Preparing for Installation
This chapter discusses the recommendations and requirements for installing Sun ONE Portal Server, Secure Remote Access.
This chapter includes the following sections:
Installation Overview
The Secure Remote Access product has two CDs. The first CD-ROM contains Sun ONE Portal Server, Secure Remote Access software (as well as the portal server software). A second CD contains third-party software that can be optionally installed. Installation instructions for the packaged third-party software are available in Appendix A, "Installing Third-Party Software".
You use the pssetup installation script to install and uninstall Secure Remote Access components. See Chapter 2, "Installing Sun ONE Portal Server, Secure Remote Access" for instructions.
You can install Secure Remote Access software in two ways:
- A fresh installation of the Sun ONE Portal Server software along with Secure Remote Access.
If you are carrying out a fresh installation of Secure Remote Access, you need to install:
- Install Secure Remote Access on an existing installation of the portal server.
On an existing open mode installation of portal server, you need to install:
The installation script pssetup is used to install and uninstall components of Secure Remote Access.
Installation Components
Secure Remote Access components can be installed on a node with portal server (referred to as a portal server node) or a node without portal server (referred to as a separate node). Table 1-1 lists the installable components, their descriptions, and the nodes that they can be installed on.
System Requirements
This section describes the minimum system requirements for Secure Remote Access. This section discusses the following requirements:
Hardware Requirements
For a new installation of the software, the hardware requirements are as follows:
- Dual processor Ultra 60 or better
- 512 Mbytes of memory per processor
- 1 Gbyte of hard drive swap space
- 50 Mbytes under the directory chosen to install JDK
- 100 Mbytes under /etc to store component files. By default, the software components are installed in /etc/opt
- 200 Mbytes under /var for the log files
Note
Application servers have additional requirements. See the Sun ONE Portal Server 6.1 Installation Guide for details.
Software Requirements
The following third party software is used with Secure Remote Access:
- Rhino is required for Netlet file support.
- SMB Client is required for NetFile.
For information on these products, see Appendix A, "Installing Third-Party Software."
Operating System Requirements
Solaris 8 Operating System and Solaris 9 Operating System support Secure Remote Access on the Sun ONE Application Server and the Sun ONE Web Server.
Solaris 8 Operating System supports Secure Remote Access on the BEA and IBM application servers.
The portal server software requires at least a user distribution of the Solaris 8 Operating System or Solaris 9 Operating System. The Solaris 8 Operating System requires the following operating system patches as well for a successful installation of the product:
These are the minimum required patches. The last two digits of the patch number are the minor revision number. If updates to the patch have been released, install the most recent patch revision (the one with the higher revision number). Typically, these patches are made obsolete when a new patch is released and only the most recent patch is available at the SunSolve site. Please review the readme for each patch to find out what dependencies or patches may be required.
The installer will allow you to continue if you feel that the latest patches are installed.
Browser Recommendations
The following browsers are supported for administration and for the end user to access the portal server desktop:
Table 1-2 lists the supported browsers and the required Java plug-ins.
Installation Scenarios
Depending on the end user and system requirements, you can install all Secure Remote Access components on a single machine with the portal server, or you can install them on multiple machines.
Deploying on a Single Machine
In this scenario, all Secure Remote Access components (see Table 1-1) are installed on the same machine. The machine must have the portal server installed on it.
This deployment is not generally recommended for production environments.
Deploying on Multiple Machines
The portal server also supports an installation group that includes multiple gateways communicating with multiple servers. Figure 1-1 shows a diagram of the portal server in an installation that contains multiple gateway and server components.
See the Sun ONE Portal, Secure Remote Access 6.0 Deployment Guide for other possible configurations.
Figure 1-1 Multiple Gateway and Server Component Installation
Figure 1-1 shows a sample deployment of Secure Remote Access, consisting of the following components:
- Two clients: Browser 1 and Browser 2.
- Two Gateway hosts: Gateway 1 and Gateway 2. Gateway hosts are in the demilitarized zone (DMZ).
- A load balancer is also present in the DMZ to direct the HTTP and Netlet traffic to the available Gateway host.
- Two installations of the portal server with Secure Remote Access: Sun ONE Portal Server 1 and Sun ONE Portal Server 2.
- Sun ONE Portal Server 1 has the Rewriter Proxy installed on it, and Sun ONE Portal Server 2 has both the Rewriter and the Netlet Proxies installed on it.
- There is one application host: Application host 1.
- There are two other hosts: Other host 1 and Other host 2.
HTTP and Netlet requests from Browser 1 and Browser 2 are directed to the load balancer. The load balancer directs this to any available gateway.
The HTTP request from Browser 1 is directed to Gateway 1. This in turn directs the request to the Rewriter Proxy configured on Sun ONE Portal Server 1. In the absence of the Rewriter Proxy, HTTP requests to multiple intranet hosts would result in multiple ports being opened in the firewall. The Rewriter Proxy ensures that only one port is opened in the firewall. The Rewriter Proxy also extends SSL traffic from Gateway to the portal server node.
The HTTP request from Browser 2 is directed to the load balancer. This in turn directs the request to Gateway 2. From Gateway 2, the request is passed to Other host 2 through the Rewriter Proxy installed on Sun ONE Portal Server 2.
The Netlet request from Browser 2 is directed to Gateway 2 by the load balancer. Gateway 2 directs the request to the required Application host 2 through Netlet Proxy installed on Sun ONE Portal Server 2.
Character Restrictions
The following characters are valid for the fields during installation.
" " represents empty space.
- Directories - " a-z A-Z 0-9. / _ -"
- Hostnames - " a-z A-Z 0-9 _ -"
- Domains and Subdomains - " a-z A-Z 0-9 . _ -"
- IP - "0-9 ."
- Ports - "0-9"
Port values are between 1 and 65535. The IP must be a valid internet IP.
- Organizations - " a-z A-Z 0-9 . _ -"
- Sun ONE Directory Server root suffix - "a-zA-Z0-9 . " " _ = -"
- Directory Manager - "a-zA-Z0-9 " " _ = -"
- Gateway Profile - "a-zA-Z0-9 . / _ -"
- Certificate Info (except for country) - "a-zA-Z " " _ -"
- Country in Certificate - "a-zA-Z"
- URI - "a-zA-Z0-9 _ / -"
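The character rules above can be applied as a pre-flight check on the values recorded in the installation checklists. This is an added example, not part of pssetup or of the original guide; the function names and field kinds are hypothetical. It assumes that a space is allowed only where the list shows " ", that the country code is exactly two letters, and that the certificate database password is at least 8 characters, all alphanumeric.

```sh
#!/bin/sh
# Added example: check installer answers against this chapter's character rules.
# Function names and field kinds are hypothetical; they are not part of pssetup.
LC_ALL=C; export LC_ALL   # byte-wise ranges, so multibyte characters never match

valid_port() {            # digits only, value between 1 and 65535
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] || return 1
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ip() {              # dotted quad, each octet 0-255
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1             # split on dots; input is already digits and dots only
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

valid_field() {           # usage: valid_field KIND VALUE
    kind=$1 value=$2
    [ -n "$value" ] || return 1
    case $kind in
        port) valid_port "$value"; return ;;
        ip)   valid_ip "$value"; return ;;
        # Two letters, per the "two-letter country code" checklist row.
        country)  [ "${#value}" -eq 2 ] || return 1; bad='*[!a-zA-Z]*' ;;
        # Assumption: "minimum of 8 alphanumeric characters" read strictly.
        certdbpw) [ "${#value}" -ge 8 ] || return 1; bad='*[!a-zA-Z0-9]*' ;;
        hostname)            bad='*[!a-zA-Z0-9_-]*' ;;
        uri)                 bad='*[!a-zA-Z0-9_/-]*' ;;
        domain|organization) bad='*[!a-zA-Z0-9._-]*' ;;
        directory|profile)   bad='*[!a-zA-Z0-9./_-]*' ;;
        rootsuffix)          bad='*[!a-zA-Z0-9. _=-]*' ;;
        dirmanager)          bad='*[!a-zA-Z0-9 _=-]*' ;;
        certinfo)            bad='*[!a-zA-Z _-]*' ;;
        *) return 2 ;;       # unknown field kind
    esac
    case $value in $bad) return 1 ;; esac
    return 0
}

# Reads KIND|VALUE lines on stdin, prints rejects, sets REJECTED to their count.
check_answers() {
    REJECTED=0
    while IFS='|' read -r kind value; do
        valid_field "$kind" "$value" && continue
        printf 'REJECT %-10s %s\n' "$kind" "$value"
        REJECTED=$((REJECTED + 1))
    done
    [ "$REJECTED" -eq 0 ]
}

# Constructed sample answers, not taken from a real installation.
check_answers <<'EOF' || echo "$REJECTED answer(s) must be fixed before running pssetup"
directory|/opt
hostname|gw1
domain|example.com
ip|192.0.2.10
port|443
profile|default
rootsuffix|o=isp
dirmanager|cn=Manager
country|us
uri|/portal
port|70000
hostname|gw1.example
certinfo|Zürich
EOF
```

The last three sample lines are rejected: a port above 65535, a hostname containing a dot (dots belong in the sub-domain and domain fields), and a certificate field with a multibyte character.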
Installation Checklists
The following checklists will help you install Secure Remote Access smoothly.
These checklists are tables that have 4 columns. The first column contains the question that is asked by the installation script. The second column contains the default value for that question. The third column is blank. You can note the actual value in that column for ready reference later. The fourth column contains the description.
Print out the relevant checklists and note the values for the specific parameters that you need to supply as part of the installation. This will ease the job of answering questions during the installation.
The following checklists are available:
Table 1-4 Checklist for Installing Portal Server on BEA Application Server
Table 1-5 Checklist for Installing Portal Server on IBM Application Server
Table 1-8 Checklist for Installing Gateway on a Portal Server Node
| Parameter | Default Value/Example | Actual Value | Description |
| --- | --- | --- | --- |
| gateway base directory | /opt | | This is the directory in which to install gateway. |
| hostname of gateway | hostname | | This is the name of the machine that will serve as gateway. |
| sub-domain name for hostname | subdomain | | This is the sub-domain to which the gateway machine belongs. |
| domain name for hostname | domain | | This is the domain to which the gateway machine belongs. |
| IP address of hostname.subdomain.domain | | | This is the IP address of the gateway machine. |
| hostname runs SSL | y | | Specify whether the gateway machine should run SSL. |
| port that gateway listens on | 443 | | This is the port on which the gateway machine will listen. |
| name of this gateway profile | default | | This is the profile that the gateway machine uses. A gateway profile contains all the information related to gateway configuration, such as the port on which gateway listens, SSL options, and proxy options. You can create multiple profiles in the gateway admin console and associate different instances of gateway with different profiles. Specify the same profile name specified when you installed Sun ONE Portal Server or Secure Remote Access support. See “Creating a Gateway Profile” in the Sun ONE Portal Server, Secure Remote Access 6.1 Administrator’s Guide for more information. |
| password for the logging user? | | | |
| create self-signed certificate | y | | Choose y if you want to create a self-signed certificate for gateway. If you choose n, a certificate database is created anyway. If you have a certificate issued by a trusted third-party, you can import that certificate into the database that is created during the installation. You can generate a self-signed certificate, or obtain a certificate from a certificate authority after installation. See Chapter 4, "Installing SSL Certificates" for more information. |
| name of your organization | | | This question is not asked if you chose not to create a self-signed certificate. Do not use multibyte characters in the name. |
| name of your division | | | This question is not asked if you chose not to create a self-signed certificate. Do not use multibyte characters in the name. |
| name of your city or locality | | | This question is not asked if you chose not to create a self-signed certificate. Do not use multibyte characters in the name. |
| name of your state or province | | | This question is not asked if you chose not to create a self-signed certificate. Do not use multibyte characters in the name. |
| two-letter country code | us | | This question is not asked if you chose not to create a self-signed certificate. Do not use multibyte characters in the name. |
| password for the certificate database | | | This is the password for the certificate database. This should contain a minimum of 8 alphanumeric characters. Do not use multibyte characters in the password. |
| URI for deployment | /portal | | Specify the URI that you specified during the installation of the portal server. |
| start gateway after installation | y | | Specify whether to start gateway after installation. |
Table 1-9 Checklist for Installing Gateway on a Separate Node
| Parameter | Default Value/Example | Actual Value | Description |
| --- | --- | --- | --- |
| use existing JDK? | n | | 1.3.1_06 is the recommended version of JDK. Using other versions may result in instability or lowered performance. If you choose y, you are asked to specify the location of the JDK directory. If you choose n, the JDK is installed under /usr/java_1.3.1_06. |
| specify JDK directory location | /usr/java | | This question is asked only if you chose y in the previous question which asks if you want to choose the JDK directory. You need to specify the path where you want the JDK to be installed. |
| identity server SDK base directory | /opt | | This is the directory in which the identity server SDK will be installed. |
| hostname of the identity server server | hostname | | This is the machine on which the identity server is installed. Specify the machine on which the identity server was installed for the portal server. |
| sub-domain name for hostname | subdomain | | This is the sub-domain to which the identity server machine belongs. Specify the sub-domain of the machine on which the identity server was installed for the portal server. |
| domain name for hostname | domain | | This is the domain to which the identity server machine belongs. Specify the domain of the machine on which the identity server was installed for the portal server. |
| IP address of hostname | | | This is the IP address of the identity server machine. Specify the IP address of the machine on which the identity server was installed for the portal server. |
| hostname runs SSL | n | | Specify whether the identity server machine runs SSL. Choose the same option specified during the portal server installation. |
| port used to access portal server | 80 | | Specify the port that the identity server machine uses to access the portal server. Specify the same port specified during the portal server installation. |
| hostname of directory server | hostname | | This is the machine where the directory server is installed. Specify the machine where the directory server was installed for the portal server. |
| sub-domain name for hostname | subdomain | | This is the sub-domain to which the directory server belongs. Specify the sub-domain of the machine where the directory server was installed for the portal server. |
| domain name for hostname | domain | | This is the domain to which the directory server machine belongs. Specify the domain of the machine where the directory server was installed for the portal server. |
| port used to access directory server | 389 | | This is the port which the portal server uses to access the directory server. Specify the directory server port specified during the portal server installation. |
| root suffix of the directory tree | o=isp | | This is the default top level organization. Any new organization that you create is created under this organization. Specify the same value specified for the portal server installation. |
| directory manager | cn=Manager | | This is the LDAP directory manager. |
| directory manager password | | | This is the password for the directory manager. |
| password for identity server administrator | | | Specify the password for the identity server administrator. Specify the same password specified during the portal server installation. |
| password for identity server internal LDAP authentication user password | | | Specify the password for the identity server internal LDAP authentication user password. |
| gateway base directory | /opt | | This is the directory on the machine on which gateway needs to be installed. |
| hostname of gateway | hostname | | This is the name of the machine that will serve as gateway. |
| sub-domain name for hostname | subdomain | | This is the sub-domain to which the gateway machine belongs. |
| domain name for hostname | domain | | This is the domain to which the gateway machine belongs. |
| IP address of hostname.subdomain.domain | | | This is the IP address of the gateway machine. |
| hostname running SSL | y | | Specify whether the gateway machine needs to run SSL. |
| port that hostname listens on | 443 | | This is the port on which the gateway machine listens. |
| name of this gateway profile | default | | This is the profile that the gateway machine uses. A gateway profile contains all the information related to gateway configuration, such as the port on which gateway listens, SSL options, and proxy options. You can create multiple profiles in the gateway admin console and associate different instances of gateway with different profiles. Specify the same profile name specified when you installed Sun ONE Portal Server or Secure Remote Access support. See “Creating a Gateway Profile” in the Sun ONE Portal Server, Secure Remote Access 6.1 Administrator’s Guide for more information. |
| password for logging user | | | Specify the logging user password. |
| create self-signed certificate | y | | Choose y if you want to create a self-signed certificate for gateway. If you choose n, a certificate database is created anyway. If you have a certificate issued by a trusted third-party, you can import that certificate into the database that is created during install. You can generate a self-signed certificate, or obtain a certificate from a certificate authority after installation. See Chapter 4, "Installing SSL Certificates" for more information. |
| name of your organization | | | This question is not asked if you chose not to create a self-signed certificate. Do not use multibyte characters in the name. |
| name of your division | | | This question is not asked if you chose not to create a self-signed certificate. Do not use multibyte characters in the name. |
| name of your city or locality | | | This question is not asked if you chose not to create a self-signed certificate. Do not use multibyte characters in the name. |
| name of your state or province | | | This question is not asked if you chose not to create a self-signed certificate. Do not use multibyte characters in the name. |
| two-letter country code | us | | This question is not asked if you chose not to create a self-signed certificate. |
| password for the certificate database | | | This is the password for the certificate database. This should contain a minimum of 8 alphanumeric characters. Do not use multibyte characters in the password. |
| URI for deployment | /portal | | Specify the URI that you specified during the installation of the portal server. |
| start gateway after installation | y | | Specify whether you want to start gateway after installation is complete. |
Table 1-10 Checklist for Installing the Netlet Proxy on a Portal Server Node
| Parameter | Default Value/Example | Actual Value | Description |
| --- | --- | --- | --- |
| this Netlet Proxy needs to work with the portal server installed on this node | y | | Choose y if you want this Netlet Proxy to work with the portal server installed on the same node. If you choose n, see "Checklist for Installing the Netlet Proxy on a Separate Node". |
| Netlet Proxy base directory | /opt | | This is the directory in which you want to install the Netlet Proxy. |
| hostname of the Netlet Proxy | hostname | | This is the machine on which you want to install the Netlet Proxy. |
| sub-domain name for hostname | subdomain | | This is the sub-domain to which the Netlet Proxy machine belongs. |
| domain name for hostname | domain | | This is the domain to which the Netlet Proxy machine belongs. |
| IP address of hostname | | | This is the IP address of the Netlet Proxy machine. |
| port that Netlet Proxy listens on | 10555 | | This is the port on which the Netlet Proxy listens. |
| URI for deployment | /portal | | Specify the URI that you specified during the installation of the portal server. |
| name of the gateway profile to use | default | | Specify the gateway profile to be used for the Netlet Proxy. |
| password for logging user | | | Specify the logging user password. |
Table 1-11 Checklist for Installing the Rewriter Proxy
| Parameter | Default Value/Example | Actual Value | Description |
| --- | --- | --- | --- |
| Rewriter Proxy base directory | /opt | | This is the directory in which you want to install the Rewriter Proxy. |
| hostname of the Rewriter Proxy | hostname | | This is the machine on which you want to install the Rewriter Proxy. |
| sub-domain name for hostname | subdomain | | This is the sub-domain to which the Rewriter Proxy machine belongs. |
| domain name for hostname | domain | | This is the domain to which the Rewriter Proxy machine belongs. |
| IP address of hostname | | | This is the IP address of the Rewriter Proxy machine. |
| hostname runs SSL | y | | Specify whether the Rewriter Proxy machine needs to run SSL. |
| port that hostname listens on | 143 | | Specify the port on which the Rewriter Proxy machine needs to listen. |
| name of the gateway profile to use | default | | This is the gateway profile that the Rewriter Proxy needs to use. A gateway profile contains all the information related to gateway configuration, such as the port on which gateway listens, SSL options, and proxy options. You can create multiple profiles in the gateway admin console and associate different instances of gateway with different profiles. Specify the same profile name specified when you installed Sun ONE Portal Server or Secure Remote Access support. See “Creating a Gateway Profile” in the Sun ONE Portal Server, Secure Remote Access 6.1 Administrator’s Guide for more information. |
| password for logging user | | | Specify the logging user password. |
| create self-signed certificate | y | | Choose y if you want to create a self-signed certificate for the gateway. If you choose n, a certificate database is created anyway. You can generate a self-signed certificate, or obtain a certificate from a certificate authority after installation. See Chapter 4, "Installing SSL Certificates" for more information. |
| name of your organization | | | This question is not asked if you chose not to create a self-signed certificate. Do not use multibyte characters in the name. |
| name of your division | | | This question is not asked if you chose not to create a self-signed certificate. Do not use multibyte characters in the name. |
| name of your city or locality | | | This question is not asked if you chose not to create a self-signed certificate. Do not use multibyte characters in the name. |
| name of your state or province | | | This question is not asked if you chose not to create a self-signed certificate. Do not use multibyte characters in the name. |
| two-letter country code | us | | This question is not asked if you chose not to create a self-signed certificate. |
| password for certificate database | | | This question is not asked if you chose not to create a self-signed certificate. Do not use multibyte characters in the password. |
| URI for deployment | /portal | | Specify the URI that you specified during the installation of the portal server. |
Table 1-12 Checklist for Installing the Netlet Proxy on a Separate Node
Table 1-13 Checklist for Installing the Rewriter Proxy
| Parameter | Default Value/Example | Actual Value | Description |
| --- | --- | --- | --- |
| rewriter proxy base directory | /opt | | This is the directory in which you want to install the Rewriter Proxy. |
| hostname of the Rewriter Proxy | hostname | | This is the machine on which you want to install the Rewriter Proxy. |
| sub-domain name for hostname | subdomain | | This is the sub-domain to which the Rewriter Proxy machine belongs. |
| domain name for hostname | domain | | This is the domain to which the Rewriter Proxy machine belongs. |
| IP address of hostname | | | This is the IP address of the Rewriter Proxy machine. |
| hostname runs SSL | y | | Specify whether the Rewriter Proxy machine needs to run SSL. |
| port that hostname listens on | 10443 | | Specify the port on which the Rewriter Proxy machine needs to listen. |
| name of the gateway profile to use | default | | This is the gateway profile that the Rewriter Proxy needs to use. A gateway profile contains all the information related to gateway configuration, such as the port on which gateway listens, SSL options, and proxy options. You can create multiple profiles in the gateway admin console and associate different instances of gateway with different profiles. Specify the same profile name specified when you installed Sun ONE Portal Server or Secure Remote Access support. See Creating a gateway Profile in the Sun ONE Portal Server, Secure Remote Access 6.1 Administrator’s Guide for more information. |
| create self-signed certificate | y | | Choose y if you want to create a self-signed certificate for gateway. If you choose n, a certificate database is created anyway. You can generate a self-signed certificate, or obtain a certificate from a certificate authority after installation. See Chapter 4, "Installing SSL Certificates" for more information. |
| name of your organization | | | This question is not asked if you chose not to create a self-signed certificate. Do not use multibyte characters in the name. |
| name of your division | | | This question is not asked if you chose not to create a self-signed certificate. Do not use multibyte characters in the name. |
| name of your city or locality | | | This question is not asked if you chose not to create a self-signed certificate. Do not use multibyte characters in the name. |
| name of your state or province | | | This question is not asked if you chose not to create a self-signed certificate. Do not use multibyte characters in the name. |
| two-letter country code | us | | This question is not asked if you chose not to create a self-signed certificate. |
| password for certificate database | | | This question is not asked if you chose not to create a self-signed certificate. Do not use multibyte characters in the password. |
| URI for deployment | /portal | | Specify the URI that you specified during the installation of the portal server. |
Package Information
Table 1-14 lists the packages that are installed for each component of Secure Remote Access.
Directory Layout
This section outlines the default directory layout for Sun ONE Portal Server, Secure Remote Access software.