CHAPTER 7

Configuration

This chapter describes how to configure Solaris Trusted Extensions as well as how to configure the Sun Ray server. Procedures in this chapter include:

For more details on Sun Ray network configuration, see Deployment on Shared Networks of the Sun Ray Server Software 4.0 Administrator’s Guide.

For further instructions on Solaris Trusted Extensions, see Appendix A.



Note - If Apache Tomcat 5.5 is not already installed on your system, see Sun Ray Admin GUI Web Server Requirements before proceeding.



Configuring SRSS 4.0 on Trusted Extensions

Perform the following procedures as root from ADMIN_LOW (global zone).



Note - The latest, detailed instructions for installation and configuration of Solaris Trusted Extensions can be found on docs.sun.com/app/docs/coll/175.9.



Configure a Dedicated Sun Ray Interconnect for Trusted Extensions

Use the Solaris Management Console (SMC) Security Templates to assign the cipso template to the Sun Ray Server. Assign all other Sun Ray devices on the network an admin_low label.

The /etc/security/tsol/tnrhdb file should contain the following entries when you finish:


192.168.128.1:cipso
192.168.128.0:admin_low

1. Start the Solaris Management Console (SMC).


# smc &

2. Make the following selections:

a. In the SMC, select Management Tools
->Select hostname:Scope=Files, Policy=TSOL.

b. Select System Configuration->Computers and Networks
->Security Templates->cipso.

c. From the menu bar, select Action->Properties->Hosts Assigned to Template.

d. Select Host and enter the IP Address of the Sun Ray interconnect
(for example, 192.168.128.1).

e. Click Add then OK.

f. Select System Configuration->Computers and Networks
->Security Families->admin_low.

g. From the menu bar, select Action->Properties->Hosts Assigned to Template.

h. Select Wildcard.

i. Enter the IP Address of the Sun Ray Interconnect Network (192.168.128.0).

j. Click Add then OK.

3. Assign all Sun Ray Servers in the failover group a cipso label.

a. Select System Configuration->Computers and Networks
->Security Families->cipso.

b. From the menu bar, select Action->Properties->Hosts Assigned to Template.

c. Select Host and enter the IP Address of the other Sun Ray Server.

d. Click Add then OK.


Configure Shared Multilevel Ports (MLP) for Sun Ray Services

To make certain Sun Ray services reachable from a labeled zone, a shared multilevel port must be added to the global zone for each of those services.

1. Start the Solaris Management Console (SMC).


# smc &

2. Make the following selections under Management Tools:

a. Select hostname:Scope=Files, Policy=TSOL.

b. Select System Configuration->Computers and Networks
->Trusted Network Zones->global.

c. From the menu bar, select Action->Properties.

d. Click Add under Multilevel Ports for Shared IP Addresses.

e. Add 7007 as Port Number, select TCP as Protocol, and click OK.

f. Repeat this step for ports 7010 and 7015.

g. Restart network services by running the following command:


# svcadm restart svc:/network/tnctl

h. Verify that these ports are listed as shared ports by running the following command:


# /usr/sbin/tninfo -m global


Increase the Number of X Server Ports

The default entry in /etc/security/tsol/tnzonecfg makes three displays available (6001-6003). Increase the number of available X server ports as required.

1. Start the Solaris Management Console (SMC).


# smc &

2. Make the following selections:

a. In the SMC, under Management Tools,
select the hostname:Scope=Files, Policy=TSOL option.

b. Select System Configuration->Computers and Networks
->Trusted Network Zones->global.

c. From the menu bar, select Action->Properties.

d. Under Multilevel Ports for Zone’s IP Addresses, select 6000-6003/tcp.

e. Click Remove.

f. Click Add->Enable Specify A Port Range.

g. Enter 6000 in Begin Port Range Number and 6050 (for 50 displays) in End Port Range Number.

h. Select TCP as Protocol.

i. Click OK.


Reboot the System

When you have finished configuring SRSS 4.0 on Trusted Extensions, reboot.

See Reboot the Sun Ray Server for instructions.


Configuring the Sun Ray Server

Sun Ray Server Software manipulates the /etc/dt/config/Xservers file. Generally speaking, you should copy /usr/dt/config/Xservers to /etc/dt/config/Xservers.SUNWut.prototype and customize it as needed. Sun Ray Server Software uses the contents of that file as a base configuration when you add Sun Ray DTUs to /etc/dt/config/Xservers.

The Xservers file shipped with dtlogin includes an entry for DISPLAY:0, on the assumption that there is a frame buffer in the system. On a headless Sun Ray server, you need to configure /etc/dt/config/Xservers.SUNWut.prototype so that dtlogin does not try to start an Xsun on DISPLAY:0. For instructions, see /etc/dt/config/README.SUNWut.



Note - If the server is headless, it has no display and cannot, therefore, have a meaningful value for the DISPLAY variable.



Configure a Dedicated Sun Ray Interconnect Interface

1. Log in as the superuser of the Sun Ray server, either locally or remotely.

2. Open a shell window and change to the following directory:


# cd /opt/SUNWut/sbin



Note - Make sure that the /etc/hosts file contains the following entry:
ip-address of the system hostname


3. Configure the Sun Ray interconnect interface:


# ./utadm -a interface-name

where interface-name is the name of the interface to the Sun Ray interconnect, for example: hme1, qfe0, or ge0.

The utadm script begins configuring DHCP for the Sun Ray interconnect, restarts the DHCP daemon, and configures the interface. The script then lists the default values and asks if they are acceptable.



Caution - If the IP addresses and DHCP configuration data are not set up correctly when the interfaces are configured, the failover feature cannot work properly. In particular, configuring the Sun Ray server’s interconnect IP address as a duplicate of any other server’s interconnect IP address may cause the Sun Ray Authentication Manager to generate “Out of Memory” errors.


4. If you are satisfied with the default values, and the server is not part of a failover group, answer y.

5. Otherwise, answer n and accept whatever default values are shown by pressing return or provide the correct values from the worksheet.

The utadm script prompts for the following:

6. The utadm script again lists the configuration values and asks if they are acceptable. Answer appropriately.

The utadm script configures the Sun Ray DTU firmware versions and restarts the DHCP daemon.

7. Repeat Step 1 through Step 6 for each of the secondary servers in your failover group.

8. Do one of the following:


Configure the Sun Ray Server on a LAN

1. Log in as the superuser of the Sun Ray server.

You can log in locally or remotely using the rlogin or telnet commands.

2. Open a shell window and change to the following directory:


# cd /opt/SUNWut/sbin

3. Configure the Sun Ray LAN subnet:


# ./utadm -A subnet#

where subnet# is the name (really a number) of the subnet, such as 192.168.128.0.

The utadm script begins configuring DHCP for the Sun Ray interconnect, restarts the DHCP daemon, and configures the interface. The script then lists the default values and asks if they are acceptable.



Caution - If the IP addresses and DHCP configuration data are not set up correctly when the interfaces are configured, the failover feature cannot work properly. In particular, configuring the Sun Ray server’s subnet IP address as a duplicate of any other server’s subnet IP address may cause the Sun Ray Authentication Manager to throw “Out of Memory” errors.


4. If you are satisfied with the default values, and the server is not part of a failover group, answer y.

5. Otherwise, answer n and accept whatever default values are shown by pressing return or provide the correct values from the worksheet.

The utadm script prompts for the following:

6. The utadm script again lists the configuration values and asks if they are acceptable. Answer appropriately.

7. Repeat Step 1 through Step 6 for each of the secondary servers in your failover group. See Configure Sun Ray Server Software.

8. Do one of the following:

9. Proceed to Configure Sun Ray Server Software.


Turn the Sun Ray LAN Connection On or Off

When you configure a Sun Ray server for a shared network, the utadm -A command enables the server’s LAN connection. If you do not use utadm -A, however, and you still wish to enable or disable the LAN connection, use this procedure.

When the LAN connection is turned off, Sun Ray DTUs on the LAN cannot attach to the server.



Tip - If you plan to use an existing DHCP server to provide Sun Ray parameters, use this procedure to turn the LAN connection on or off on the Sun Ray server.


1. Log in as the superuser of the Sun Ray server, either locally or remotely.

2. Turn the Sun Ray LAN connection on:


# /opt/SUNWut/sbin/utadm -L on



Tip - Use utadm -l to verify the current setting for Sun Ray LAN connection. To disable all Sun Ray LAN connections, use utadm -L off.


3. Restart services as prompted:


# utrestart


Configure Sun Ray Server Software

1. If you have not already done so, log in as the superuser of the Sun Ray server.

You can log in locally or remotely using the rlogin or telnet commands.

2. Open a shell window and change to the following directory:


# cd /opt/SUNWut/sbin

3. Configure Sun Ray Server Software.


# ./utconfig

4. Accept the default utconfig values shown by pressing Return or provide the correct values from the worksheet.

The utconfig script prompts for the following:



Note - All servers in a failover group must use the same administration password.


The utconfig script begins configuring Sun Ray Server Software.

The Sun Ray Data Store is restarted.



Note - The utconfig script states that you must restart the authentication manager. This happens automatically when you reboot the Sun Ray server.


The utconfig script ends, indicating a log file is available at the following location:

where the year, month, etc. are represented by numeric values reflecting the time utconfig was started.

5. Repeat Step 1 through Step 4 for each secondary server if in a failover group.

6. Do one of the following:


Configure the Sun Ray Server Hierarchy

Perform this task after all servers in the failover group have been configured.

1. If you have not already done so, log in as the superuser of the primary Sun Ray server.

You can log in locally or remotely using the rlogin or telnet commands.

2. Open a shell window and change to the following directory:


# cd /opt/SUNWut/sbin

3. Configure this server as the primary Sun Ray server and identify all secondary servers.


# ./utreplica -p secondary-server1 secondary-server2 ...

where secondary-server1, secondary-server2, ... are the host names of the secondary servers. Include all secondary servers in this command.

The utreplica script:

4. Log in as the superuser of a secondary Sun Ray server.

You can log in locally or remotely using the rlogin or telnet commands.

5. Open a shell window and change to the following directory:


# cd /opt/SUNWut/sbin

6. Configure the server as a secondary Sun Ray server and identify the primary server.


# ./utreplica -s primary-server

where primary-server is the host name of the primary server configured in Step 3.

7. Repeat Step 4 through Step 6 for all remaining secondary servers.

8. When you are finished, go to Synchronize the Sun Ray DTU Firmware.


Synchronize Primary and Secondary Sun Ray Servers

Log files for Sun Ray servers contain time-stamped error messages, which are difficult to correlate across servers if their clocks are out of sync. To make troubleshooting easier, make sure that all secondary servers periodically synchronize their time with the primary server. For instance:


# rdate <primary-server>


Synchronize the Sun Ray DTU Firmware



Note - This task is performed on standalone Sun Ray servers or the last Sun Ray server configured in a failover group. If your server is not one of these, see Reboot the Sun Ray Server.


1. If you have not already done so, log in as the superuser of the Sun Ray server.

You can log in locally or remotely using the rlogin or telnet commands.

2. Open a shell window and change to the following directory:


# cd /opt/SUNWut/sbin

3. Synchronize the Sun Ray DTU firmware:


# ./utfwsync

The Sun Ray DTUs will reboot themselves and load the new firmware.

4. When you are finished, go to Reboot the Sun Ray Server for instructions on how to reboot the server.


Convert and Synchronize the Sun Ray Data Store Port

In place of the old Sun Directory Service (Sun DS) used in Sun Ray Server Software versions 1.0 through 1.3, versions 2.0, 3, and later provide a private data store service, the Sun Ray Data Store (SRDS).

SRDS uses service port 7012 to avoid conflict with the standard LDAP port number, 389. When you upgrade a server to SRSS 2.0 or later, the LDAP port remains in use until all the servers in the failover group have been upgraded and converted. Port conversion is required only if you plan to continue to run SunDS on the recently upgraded SRSS server.



Note - Even though you have upgraded a server, you cannot run the Sun Ray Data Store until you also convert the port number.




Tip - Perform this task on standalone Sun Ray servers or on the primary server in a failover group after all the servers in the group have been upgraded.


1. If you have not already done so, log in as the superuser of the primary Sun Ray server.

You can log in locally or remotely using the rlogin or telnet commands.

2. Open a shell window and change to the following directory:


# cd /opt/SUNWut/sbin

3. Convert and synchronize the Sun Ray Data Store service port number on all the servers in a failover group:


# ./utdssync

This step restarts the Sun Ray Data Store on all the servers.


Re-enable the Old SunDS Service

This procedure re-enables the old SunDS, in case you need to use it for old private data on the Sun Ray servers.



Note - You can re-enable the SunDS service only if you have chosen to preserve the old SunDS data when you upgraded from an earlier version of Sun Ray Server Software.


The following task requires you to have completed the utdssync command. See Convert and Synchronize the Sun Ray Data Store Port.

1. If you have not already done so, log in as the superuser of the primary Sun Ray server.

2. Open a shell window and change to the following directory:


# cd /etc/opt/SUNWconn/ldap/current

3. Rename the saved configuration file to dsserv.conf:


# mv dsserv.conf_save_date_time dsserv.conf

where date is the current date, in YYMMDD format, and time is the time the save file is created, in hh:mm format.

4. Start the SunDS service:


# /etc/init.d/dsserv start



Note - Support for the Sun DS product was discontinued as of the Sun Ray Server Software 2.0 release and cannot be used unless it was purchased separately.



Determine the Integrity of the Configuration Files

Two configuration files are susceptible to corruption:

When they are corrupt, the dtlogin daemon cannot start the Xsun server properly. To prevent or correct this problem, use the following procedure.

1. As a user of the Sun Ray server, open a shell window and compare the /usr/dt/config/Xservers and /etc/dt/config/Xservers files:


% diff /usr/dt/config/Xservers /etc/dt/config/Xservers

This command compares a known good file with the suspect file. The output should be similar to the following example:


106a107,130
> # BEGIN SUNRAY CONFIGURATION
> :3 SunRay local@none /etc/opt/SUNWut/basedir/lib/utxsun :3 -nobanner
    .
    .
> :18 SunRay local@none /etc/opt/SUNWut/basedir/lib/utxsun :18 -nobanner
> # END SUNRAY CONFIGURATION



Note - This is a simplified example. Your output may have tens of lines between the BEGIN SUNRAY CONFIGURATION and END SUNRAY CONFIGURATION comments.


The first line of output is 106a107,130. The 106 means that the two files are identical up to and including line 106. The a107,130 means that lines 107 through 130 of the second file would have to be added to the first file to make the two identical.

If your output shows the first number to be less than 100, the /etc/dt/config/Xservers file is corrupt.

2. Compare the /usr/dt/config/Xconfig and /etc/dt/config/Xconfig files:


% diff /usr/dt/config/Xconfig /etc/dt/config/Xconfig

The output should be similar to the following example:


156a157,180
> # BEGIN SUNRAY CONFIGURATION
> Dtlogin.*_8.environment: SUN_SUNRAY_TOKEN=ZeroAdmin.m1.at88sc1608.6d0400aa
    .
    .
> Dtlogin.*_9.environment: SUN_SUNRAY_TOKEN=ZeroAdmin.m1.at88sc1608.a10100aa
> # END SUNRAY CONFIGURATION



Note - This is a simplified example. Your output may have tens of lines between the BEGIN SUNRAY CONFIGURATION and END SUNRAY CONFIGURATION comments.


If your output shows the first number to be less than 154, the /etc/dt/config/Xconfig file is corrupt.
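The check above can be scripted. The following is an added example, not part of the Sun Ray guide: it takes the leading line number of the first diff hunk, applies the threshold the guide gives (100 for Xservers, 154 for Xconfig), and additionally requires both SUNRAY CONFIGURATION markers to be present. The sample files it builds under a temporary directory are constructed stand-ins for /usr/dt/config/Xservers and /etc/dt/config/Xservers; on a real server you would call check_dt_file on those paths.

```shell
#!/bin/sh
# Added example (not from the Sun Ray guide): automate the Xservers/Xconfig
# integrity check. diff's first hunk header, e.g. "106a107,130", begins with
# the last line number the two files share; the guide treats a value below
# 100 (Xservers) or 154 (Xconfig) as a corrupt /etc/dt/config copy.

# check_dt_file GOOD SUSPECT THRESHOLD  -> status 0 if intact, 1 if corrupt
check_dt_file() {
    good=$1; suspect=$2; threshold=$3
    first=$(diff "$good" "$suspect" | sed -n '1p')   # e.g. 106a107,130
    if [ -z "$first" ]; then
        echo "corrupt: $suspect is identical to the prototype (no Sun Ray block)"
        return 1
    fi
    # Leading line number of the first hunk, whatever its type (a, c or d).
    start=$(printf '%s\n' "$first" | sed -n 's/^\([0-9][0-9]*\)[acd].*/\1/p')
    if [ -z "$start" ] || [ "$start" -lt "$threshold" ]; then
        echo "corrupt: first hunk '$first' starts before line $threshold"
        return 1
    fi
    # The appended block must still carry both Sun Ray markers.
    if ! grep -q '^# BEGIN SUNRAY CONFIGURATION' "$suspect" ||
       ! grep -q '^# END SUNRAY CONFIGURATION' "$suspect"; then
        echo "corrupt: SUNRAY CONFIGURATION markers missing in $suspect"
        return 1
    fi
    echo "ok: first hunk '$first'"
}

# Constructed sample files standing in for /usr/dt/config/Xservers (good)
# and /etc/dt/config/Xservers (suspect). Prints the directory they live in.
make_samples() {
    dir=$(mktemp -d)
    awk 'BEGIN { for (i = 1; i <= 106; i++) print "# prototype line " i }' \
        > "$dir/Xservers.good"
    # Intact copy: prototype plus the block that Sun Ray services append.
    cp "$dir/Xservers.good" "$dir/Xservers.intact"
    printf '%s\n' '# BEGIN SUNRAY CONFIGURATION' \
        ':3 SunRay local@none /etc/opt/SUNWut/basedir/lib/utxsun :3 -nobanner' \
        '# END SUNRAY CONFIGURATION' >> "$dir/Xservers.intact"
    # Damaged copy: the same file, but line 40 of the prototype part altered.
    sed '40s/.*/garbage written here/' "$dir/Xservers.intact" > "$dir/Xservers.bad"
    echo "$dir"
}

# Intact sample: first hunk is "106a107,109", so the check passes.
demo_intact() { d=$(make_samples); check_dt_file "$d/Xservers.good" "$d/Xservers.intact" 100; }
# Damaged sample: first hunk is "40c40", 40 < 100, so the check fails.
demo_corrupt() { d=$(make_samples); check_dt_file "$d/Xservers.good" "$d/Xservers.bad" 100; }
```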


Replace the Xservers and Xconfig Files



Caution - Replacing the Xservers file requires shutting down all Sun Ray DTU services. Remember to inform users of the outage.


1. As superuser, open a shell window and stop the Sun Ray server:


# /etc/init.d/utsvc stop

2. Replace the Xservers and Xconfig files as appropriate:


# /bin/cp -p /usr/dt/config/Xservers /etc/dt/config/Xservers
# /bin/cp -p /usr/dt/config/Xconfig /etc/dt/config/Xconfig

3. Re-initialize the authentication policy:


# /opt/SUNWut/sbin/utrestart -c

The extra lines within the previous Xservers and Xconfig files are automatically rebuilt.


Reboot the Sun Ray Server

After following the configuration procedures, reboot the Sun Ray server(s).

1. If you have not already done so, log in as the superuser of the Sun Ray server.

You can log in locally or remotely using the rlogin or telnet commands.

2. Open a shell window and reboot the Sun Ray server:


# sync;sync;init 6

The Sun Ray server is rebooted.

3. Repeat Step 1 and Step 2 for each Sun Ray server.


Migrating from Controlled Access Mode (CAM) to Kiosk Mode

As of the Sun Ray Server Software 4.0 release, CAM has been replaced by Kiosk Mode. To continue using a previous CAM configuration with Kiosk Mode, you must migrate all relevant CAM configuration data to its Kiosk Mode equivalent. The utcammigrate(1m) tool creates all the Kiosk Mode applications and prototypes needed to convert an old CAM configuration to Kiosk Mode.



Tip - Before migrating from CAM to Kiosk Mode, be sure to preserve any existing CAM prototype data. See Preserve CAM Prototype Data.


1. To complete the migration process, execute the following command.


# /opt/SUNWut/sbin/utcammigrate -u

The -u option instructs utcammigrate to upload the relevant Kiosk Mode session configuration and selected applications list to the Sun Ray Data Store. This effectively selects the migrated session for use with all subsequent client connections. If you do not wish to select the session for immediate use, you may omit the -u option from the command above and configure your session manually using the Sun Ray Admin GUI.

2. When Kiosk configuration is complete, perform a cold restart of Sun Ray services.

You can select the server on the Servers tab of the Admin GUI and press the Cold Restart button, or you can execute the following command:


# /opt/SUNWut/sbin/utrestart -c


Failover Group Migration

Specifying the -u option to utcammigrate results in the automatic selection of the migrated session. This selection applies to all hosts in a failover group and, as such, it is essential that the migration be completed first before the selection takes place. To ensure that this is the case, execute /opt/SUNWut/sbin/utcammigrate without any options on all hosts but one in a failover group. You may then safely execute /opt/SUNWut/sbin/utcammigrate -u on the last host in the group.

For a more detailed explanation of the migration process, see the utcammigrate(1m) man page.