Installing SEAM Software

The installation process is best done using the following procedures. The first step is to establish a writeable area to place files that are used during the configuration process. This writeable file system and an image of the SEAM packages should be exportable to all systems that need SEAM installed. You can choose to either:

1. Copy the SEAM CD to a local disk on an NFS server that can be exported -- see "How to Copy the SEAM Image to a Local File System".

2. Mount a writable file system on the CD and export both -- see "How to Mount a Writeable File System on the SEAS CD".

After a writeable area is prepared, the next step is to define needed information for the configuration files, so you don't need to enter this information manually. This is called the preconfiguration procedure. The last procedure installs the SEAM software using the preconfiguration information, if available.

The procedure to establish configuration files for the master KDC, slave KDCs, and SEAM clients is optional, but in sites with many systems, using the configuration files has many advantages.

1. The data needs to be entered only once, so the installations run faster

2. Since the configuration files are shared by all of the installations, the chances of making an error during the installation are reduced.

The tool used in this process gathers information such as the realm name, the KDC server names, and other important information, and stores it.

The next step is to install the SEAM product. Before attempting to install, you need to determine what type of system you need. The installation process allows you to select a master KDC installation, a slave KDC installation, or a SEAM client installation. The master KDC packages should only be included on the KDC master server; likewise, the slave KDC packages should only be installed on KDC slave servers (see "How to Install SEAM Software Using the GUI").

The SEAM client packages should be installed on any host that requires SEAM. These hosts can include network application servers, NFS servers, and all clients. A simpler procedure can be used for installing the SEAM clients if the preconfiguration process has been completed (see "How to Install SEAM Clients Without the GUI").

The last procedure in this section explains how to fix a system that had all of the software installed before the preconfiguration step was completed. This can happen when the default SEAS 3.0 installation is done without doing the preconfiguration process first. Refer to "How to Fix an Unconfigured System" for a complete explanation.

How to Copy the SEAM Image to a Local File System

If you do not want to leave the SEAS 3.0 CD mounted on a server while SEAM installations are occurring, then copying the packages from the SEAS CD is the best way to make the SEAM image available. The packages require about 50MB. This procedure requires that you have the SEAS 3.0 CD available on the server.

1. Become root on an NFS server.

2. Copy the SEAM image from the SEAS 3.0 CD to a local file system.

   # cd /export # mkdir SEAM # cd /cdrom # find .install products/Sun_Enterprise_Authentication_Mechanism_1.0 -print| cpio -dump /export/SEAM

   ---

   Note -

   The last line is split on two lines to make it readable, but should be entered as one command.

   ---

3. Export the file system.

   To make the configuration files available for all installations, /export or /export/SEAM needs to be NFS-mountable by all hosts.

   1. Edit the /etc/dfs/dfstab file.

      Add an entry for either /export or /export/SEAM if one does not exist.

      share -f nfs -ro /export/SEAM

   2. Start the NFS services.

      If this is the first share command or set of share commands that you have initiated, the NFS daemons are probably not running. The following commands kill the daemons and restart them.

      # /etc/init.d/nfs.server stop # /etc/init.d/nfs.server start

Where to Go From Here

Now that an area has been prepared to store the configuration file, you can follow the steps in "How to Preconfigure SEAM Installations ".

How to Mount a Writeable File System on the SEAS CD

If you want to leave the SEAS CD on a server while SEAM installations are occurring, then you need to mount a writeable file system onto of the CD to provide an area for the preconfiguration information to be stored. This procedure requires that you have the SEAS 3.0 CD available on the server.

1. Become root on an NFS server.

2. Create a file system for the preconfiguration files.

   # cd /export # mkdir SEAM_preconfig

3. Mount the file system on the SEAS CD.

   # SEAM=/cdrom/products/Sun_Enterprise_Authentication_Mechanism_1.0/\ > .install/pkgutil/siteconfig_response # mount -F lofs /export/SEAM_preconfig $SEAM

4. Export the file system.

   To make the configuration files available for all installations, /export or /export/SEAM needs to be NFS-mountable by all hosts.

   1. Edit the /etc/dfs/dfstab file.

      Add an entry for /cdrom and for the new directory /export/SEAM_preconfig, if one does not exist.

      share -f nfs -ro /cdrom share -f nfs -ro /export/SEAM_preconfig

   2. Start the NFS services.

      If this is the first share command or set of share commands that you have initiated, the NFS daemons are probably not running. The following commands kill the daemons and restart them.

      # /etc/init.d/nfs.server stop # /etc/init.d/nfs.server start

Where to Go From Here

Now that an area has been prepared to store the configuration file, you can follow the steps in "How to Preconfigure SEAM Installations ".

How to Preconfigure SEAM Installations

This procedure can be followed to preconfigure much of the information needed when configuring either the KDCs or the SEAM clients. If preconfiguration is needed, a writeable file system must be available for the preconfiguration information (see "How to Copy the SEAM Image to a Local File System" or "How to Mount a Writeable File System on the SEAS CD"). The information stored on the NFS file system can be accessed by each host in the realm during the installation procedure. This process is optional, but should be very helpful for large sites.

---

Note -

This procedure will install SEAM on the NFS server using the preconfiguration information, but none of the SEAM applications will work until at least a KDC master is installed.

---

In this procedure the following configuration parameters are used:

hardware configuration = SPARC




realm name = ACME.COM




DNS domain name = acme.com




master kdc = kdc1.acme.com




slave kdc = kdc2.acme.com




answerbook server = denver




online help URL = http://denver:8888/ab2/coll.384.1/SEAM/@AB2PageView/8897




file system holding SEAM packages = /export/SEAM

1. Become root on an NFS server.

2. Start the install process.

   # cd /export/SEAM/products/Sun_Enterprise_Authentication_Mechanism_1.0 # ./installer

   ---

   Note -

   If you are using the CD for package installations instead of using an NFS server, then installer is found in: /net/denver/cdrom/products/Sun_Enterprise_Authentication_Mechanism_1.0.

   ---

3. Click Next in the Welcome screen.

4. Select the type of installation.

   The next screen asks you to select a default installation or a custom installation. Select the custom installation to get to the preconfiguration screens. Click Next to proceed.

5. Click Next in the Locale Selection screen.

6. Select the software components to be installed.

   If the NFS server is not going to be a SEAM client or if you are just collecting preconfiguration information, then none of the components need to be selected. For a Solaris 7 NFS server that is going to provide Kerberized NFS support, the only components that should be selected are Kernel Module and SEAM Client. For a Solaris 2.6 NFS server that is going to provide Kerberized NFS support, select the same components but make sure to add the "5.6 Patches" and the GSS-API component. Click Next to proceed.

   ---

   Note -

   A disk space check is done after this step. If there is enough space then you should not have to do anything.

   ---

7. Define site configuration information.

   The next screen allows you to select the configuration procedure as well as entering configuration information.

   1. Select the configuration procedure.

      The top part of the screen allows you to select how the machine will be configured. For this procedure you should select "Re-configure site information." You can select to:

      • Use previously configured site information -- Use after the preconfiguration process has been completed

      • Re-configure site information -- Use this to enter new information

      • Configure just this machine -- Use to enter new information for this host

      • Configure this machine later -- Use when you are not sure about all of the configuration parameters, but want to install the packages anyway

   2. Identify the site configuration directory.

      The path should be to a file system that is mountable by all of the systems that require SEAM installations.

   3. Specify the realm name.

      By convention, the realm name is capitalized to help differentiate it from other domain names. For this example, the domain name is ACME.COM.

   4. Identify the master KDC and slave KDC server names.

      Use fully-qualified host names. For this example, the host names are kdc1.acme.com for the master and kdc2.acme.com for the slave. You can add as many slaves as needed.

   5. Enter the DNS domain name for this realm.

   6. Specify the URL for online help.

      This URL is used by the SEAM Administration Tool, so the URL should be defined properly to enable the "Help Contents" menu to work. The web version of this manual can be installed on any appropriate AnswerBook2 server. You will need to change the localhost entry and add information after the SEAM portion of the address.

      For this example, the URL should point to http://denver:8888/ab2/coll.384.1/SEAM/@AB2PageView/6685, unless another location is more appropriate. The section titled "SEAM Administration Tool" in the "Administering Principals and Policies" chapter of the Sun Enterprise Authentication Mechanism Guide is the suggested location to use.

      You can verify the URL by entering the URL into any web browser and verifing that the page is available. Make sure that the SEAS documentation has been installed before attempting to verify the URL.

   7. Identify the maximum lifetime for tickets.

      If the default value is acceptable, do not change it.

   8. Identify the maximum lifetime for renewable tickets.

      If the default value is acceptable, do not change it.

   9. Review the definitions that you have set.

      If the definitions are correct, click Next to proceed. When you click Next, the preconfiguration information is saved to the configuration directory.

      

8. Click Install Now to start the installation.

   The screen will show the components selected. If there are no components selected and you are just collecting the preconfiguration information, you can click Exit.

9. A summary of the installation process is displayed; click Next to proceed.

10. Additional information is displayed in the next screen; click Exit to finish the procedure.

    A window is displayed asking if you want to reboot. Rebooting is not necessary until the server needs to use SEAM.

How to Install SEAM Software Using the GUI

In this example, the SEAM master server installation is selected, but the process is much the same for the slave and client installations. The SEAM packages have been installed on /net/denver/export/SEAM, although they could be installed on a local file system or you can install using the SEAS CD.

SEAM client installations can be made faster by following the instructions in "How to Install SEAM Clients Without the GUI".

1. Start the installation script.

   # cd /net/denver/export/SEAM/products/Sun_Enterprise_Authentication_Mechanism_1.0 # ./installer

2. Click Next in the Welcome screen.

3. Select the type of installation.

   The next screen asks you to select a default installation or a custom installation. Select the custom installation. Click Next to proceed.

4. Click Next in the Locale Selection screen.

   Currently there are no locales to select in the SEAS release.

5. Click Next in the Select Install Directory screen.

   SEAM will install files in several directories. You must leave the path as "/".

6. Select the software components to be installed.

   For a master, select the Master Server package. For a slave, select the Slave Server package. Other packages are added as needed. Click Next to proceed.

   ---

   Note -

   A disk space check is done after this step. If there is enough space then you should not have to do anything.

   ---

7. Click Install Now to start the installation.

   The screen will show the components selected.

8. Select the configuration procedure and directory.

   The next screen allows you to select the configuration procedure, as well as identifying the path to the configuration files. If you have preconfigured site information, select "Use previously configured site information" and specify the directory path to the configuration files.

   

9. A summary of the installation process is displayed; click Next to proceed.

10. Additional information is displayed in the next screen; click Exit to finish the procedure.

Where to Go From Here

The Sun Enterprise Authentication Mechanism Guide includes a list of the tasks that can be done after the SEAM software is installed.

How to Install SEAM Clients Without the GUI

SEAM clients can be installed without using the GUI, after the preconfiguration process is complete. Not using the GUI means that you do not need to go through any of the screens, so the installation should run faster. Because you do not use any of the screens, you might only add client packages.

If necessary you can install all of the clients before the preconfiguration process is complete and use the script mentioned in "How to Fix an Unconfigured System" to complete the configuration.

1. Become root on the client.

2. Change directory to the preconfiguration area.

   # cd /net/denver/export/SEAM/products/Sun_Enterprise_Authentication_Mechanism_1.0

   ---

   Note -

   To load packages from the CD, use the path: /net/denver/cdrom/products/Sun_Enterprise_Authentication_Mechanism_1.0.

   ---

3. Start the installer.

   # ./installer -nodisplay

How to Fix an Unconfigured System

If a full installation is done without creating the preconfiguration files first, you can correct the system using the following procedure.

1. Become root on the system.

2. Run the script to fix the configuration.

   # cd /net/denver/export/SEAM/products/Sun_Enterprise_Authentication_Mechanism_1.0 # ./sparc/Tools/seamfixconfig

   ---

   Note -

   If you are using the SEAS 3.0 CD, the path would be: /net/denver/cdrom/products/Sun_Enterprise_Authentication_Mechanism_1.0.

   ---