Sun Open Telecommunications Platform 2.0 Administration Guide

Chapter 1 Solution Life-Cycle Management

This chapter explains the procedure to administer, update, upgrade, back up, and restore Sun OTP.

Solution Administration

NEPs can use Sun OTP to their deploy solutions. This section provides information on how to start, stop, and manage the network equipment provider (NEP) applications deployed on Sun OTP. The following topics are discussed:

Managing Different Applications

This section describes how to manage applications in the the following scenarios:

Scenario 1: Simple application on a single cluster - This application runs only on a single cluster. The application can be modeled as a single cluster resource, which can then added to a single resource group. NEPs would then be able to manage their application by changing the state of a resource group to online or offline. The command to bring the resource group to online state is clresourcegroup online and to bring the resource group to offline state is clresourcegroup online.

The other management states operations are
- manage: Resource groups are in an unmanaged state when they are created. Use the manage subcommand to bring the resource group to a managed state. If you use this subcommand in a non-global zone, it successfully operates only on resource groups whose node list contains that zone. If you use this subcommand in the global zone, it can operate on any resource group. See example:
  
  /usr/cluster/bin/clresourcegroup manage {+| resourcegroup?}
- quiesce: This command stops a resource group from continuously switching from one node or zone to another node. If you use this subcommand in a non-global zone, it operates only on resource groups whose node list contains that zone. If you use this subcommand in the global zone, it can operate on any resource group. Use the -k option to kill methods that are running on behalf of resources in the affected resource groups. If you do not specify the -k option, methods are allowed to continue running until they exit or exceed their configured timeout. See example:
  
  /usr/cluster/bin/clresourcegroup quiesce [*-k*] {+| resourcegroup?}
For more information on changing the state of a resource group, see clrg(1CL).
Scenario 2: Application using multiple components deployed on a single cluster - This application can be managed by using multiple resource group. These resource groups can be managed using the provisioning service. However, the dependency issues between the resource groups should be considered. The state of resource group may have to be changed to online or offline in a sequential order. The administration provisioning service can be used to manage the resource groups lifecycle.

Scenario 3: Application using multiple components deployed on multiple clusters - This application is a multi-tier application. Within a cluster, NEPs could assign the application or each application component to a resource group, as described in scenarios 1 and 2. These resource groups can be managed using the provisioning service. However, the dependency issues between resource groups and within each resource group should be considered.

Consider an example of a 3 tier application where a simple start plan sequentially calls the start procedure for the components representing the 3 tiers of a sample application. Tier 1 is the access logic tier, tier 2 is the business logic tier, and tier 3 is the data tier. The sequence of the start order is 3, 2, and 1 and the stop order is 1, 2, and 3. Sample code of a composite plan for starting and stopping a 3 tier application is as follows. In this sample, DbComponent, AsComponent, and WsComponent representing tier 3, 2 and 1 respectively are installed and our example plans are run on three hosts, that is, one host per each tier.

Sample code for starting a 3 tier application

<?xml version="1.0" encoding="UTF-8"?>
<!-- generated by N1 SPS -->
<executionPlan xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' 
name='startThreeTierApp' version='5.2.4' xsi:schemaLocation='http://www.sun.com/schema/SPS plan.xsd' 
xmlns='http://www.sun.com/schema/SPS'>
  <compositeSteps>
    <inlineSubplan planName='startTierThree'>
      <varList>
        <var name="hName" default=":[target(/):sys.hostName]"/>
      </varList>
      <simpleSteps implicitLocking='true'>
        <!-- plan runs on three hosts (one host for each tier). Start tier 3 
if and only if this machine is hosting it.-->
        <if>
          <condition><equals value1=":[tierThreeHost]" value2=":[hName]"/></condition>
          <then>
            <call blockName='startDbComponent'>
              <installedComponent name='dbComponent' path='/some/path/db'></installedComponent>
            </call>
          </then>
        </if>
      </simpleSteps>
    </inlineSubplan>

    <inlineSubplan planName='startTierTwo'>
      <varList>
        <var name="hName" default=":[target(/):sys.hostName]"/>
      </varList>
      <simpleSteps implicitLocking='true'>
        <!-- plan runs on three hosts (one host for each tier). Start tier 2 
if and only if this machine is hosting it.-->
        <if>
          <condition><equals value1=":[tierTwoHost]" value2=":[hName]"/></condition>
          <then>
            <call blockName='startAsComponent'>
              <installedComponent name='dbComponent' path='/some/path/as'></installedComponent>
            </call>
          </then>
        </if>
      </simpleSteps>
    </inlineSubplan>

    <inlineSubplan planName='startTierOne'>
      <varList>
        <var name="hName" default=":[target(/):sys.hostName]"/>
      </varList>
      <simpleSteps implicitLocking='true'>
        <!-- plan runs on three hosts (one host for each tier). Start tier 1 
if and only if this machine is hosting it.-->
        <if>
          <condition><equals value1=":[tierOneHost]" value2=":[hName]"/></condition>
          <then>
            <call blockName='startWsComponent'>
              <installedComponent name='dbComponent' path='/some/path/ws'></installedComponent>
            </call>
          </then>
        </if>
      </simpleSteps>
    </inlineSubplan>

  </compositeSteps>
</executionPlan>

Sample code for stopping a 3 tier application

<?xml version="1.0" encoding="UTF-8"?>
<!-- generated by N1 SPS -->
<executionPlan xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' 
name='stopThreeTierApp' version='5.2.4' xsi:schemaLocation='http://www.sun.com/schema/SPS plan.xsd' 
xmlns='http://www.sun.com/schema/SPS'>
  <compositeSteps>

    <inlineSubplan planName='stopTierOne'>
      <varList>
        <var name="hName" default=":[target(/):sys.hostName]"/>
      </varList>
      <simpleSteps implicitLocking='true'>
        <!-- plan runs on three hosts (one host for each tier). Stop tier 1 
if and only if this machine is hosting it.-->
        <if>
          <condition><equals value1=":[tierOneHost]" value2=":[hName]"/></condition>
          <then>
            <call blockName='stopWsComponent'>
              <installedComponent name='dbComponent' path='/some/path/ws'></installedComponent>
            </call>
          </then>
        </if>
      </simpleSteps>
    </inlineSubplan>

    <inlineSubplan planName='stopTierTwo'>
      <varList>
        <var name="hName" default=":[target(/):sys.hostName]"/>
      </varList>
      <simpleSteps implicitLocking='true'>
        <!-- plan runs on three hosts (one host for each tier). Stop tier 2 
if and only if this machine is hosting it.-->
        <if>
          <condition><equals value1=":[tierTwoHost]" value2=":[hName]"/></condition>
          <then>
            <call blockName='stopAsComponent'>
              <installedComponent name='dbComponent' path='/some/path/as'></installedComponent>
            </call>
          </then>
        </if>
      </simpleSteps>
    </inlineSubplan>

    <inlineSubplan planName='stopTierThree'>
      <varList>
        <var name="hName" default=":[target(/):sys.hostName]"/>
      </varList>
      <simpleSteps implicitLocking='true'>
        <!-- plan runs on three hosts (one host for each tier). Stop tier 3 
if and only if this machine is hosting it.-->
        <if>
          <condition><equals value1=":[tierThreeHost]" value2=":[hName]"/></condition>
          <then>
            <call blockName='stopDbComponent'>
              <installedComponent name='dbComponent' path='/some/path/db'></installedComponent>
            </call>
          </then>
        </if>
      </simpleSteps>
    </inlineSubplan>

  </compositeSteps>
</executionPlan>

Preparing Components For Backup and Restore

NEPs might need to save a state of an application, for example, save a state before running the backup plan. In this case, NEPs should stop the application and save the state. For details on how to manage applications, see Managing Different Applications.

Preventing Management Stage Change

You can configure the resource group property so that administrators will not be able to offline the resources. If the RG_System property is TRUE for a resource group, the resource group has restricted privileges and the operation of clresource and clresourcegroup commands are affected. This prevents accidental modification or deletion of critical resource groups and resources restricted privileges.

To enable the RG_System property on the resource group, type the following command:

/usr/cluster/bin/clrg set -p RG_System=true RG-Name

Example to set the OTP provisioning services group to system group

/usr/cluster/bin/clrg set -p RG_System=true otp-system-rg

To disable theRG_System property on the resource group, type the following command:

/usr/cluster/bin/clrg set -p RG_System=false RG-Name

Example to disable the System property on the OTP provisioning services group

/usr/cluster/bin/clrg set -p RG_System=false otp-system-rg

For more details on the System property, refer to the following Sun Cluster documents:

Sun Cluster 3.2 Reference Collection for Solaris OS http://docs.sun.com/app/docs/coll/1029.6
rg_properties(5)

Converting a Stand-alone Sun OTP Host to a Clustered Sun OTP Host

This section provides the procedure to convert a stand-alone Sun OTP host to a clustered Sun OTP host. The conversion from stand-alone to clustered OTP host ensures that the following changes are performed on the host:

The shared disk for the cluster is created.
The provisioning services are moved to the shared disk and run from the shared disk.
The RGM settings for the otp-system-rg resource group and its resources are updated accordingly.
The host node type is changed from single to first node.

To Convert a Stand-alone Sun OTP Host to a Clustered Sun OTP Host

Go to https://Sun OTP host:9090, where Sun OTP host is the IP address or the fully qualified name of the provisioning service logical hostname that is already configured during Sun OTP installation.

The Sun OTP common Single Sign-On login screen appears.

Type the user name and password.

The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

Click OTP Setup to display the Sun Open Telecommunications Platform utility tasks page.

Convert the Stand-alone Sun OTP host to the Clustered Sun OTP host.

Note –
Before performing Step 4, make sure that the Sun OTP Plan settings have the correct value for the privateInterface1 and privateInterface2 variables.
1. Click Convert.
  
  The Convert Single to Clustered plan details screen appears.
2. Click run.
  
  The Convert Single to Clustered plan run screen appears.
3. Type the name of the stand-alone Sun OTP host that you want to convert to a clustered Sun OTP host in the target host field.
4. Click run plan (includes preflight).

Create the database and metaset on the stand-alone OTP host.

The shared storage should have a minimum of 1.5 gigabytes disk space.

For example,

metadb -a -f -c 6 c1t0d0s7

metaset -s sm-dg -a -h standalonehostname

metaset -s sm-dg -a /dev/did/rdsk/d6

metainit -s sm-dg d0 1 1 /dev/did/rdsk/d6s0

newfs /dev/md/sm-dg/rdsk/d0

Add the following entry to the /etc/vfstab file.

/dev/md/sm-dg/dsk/d0 /dev/md/sm-dg/rdsk/d0 /var/js ufs 2 no logging

Change the storage of the Sun OTP system management service and the Sun OTP application provisioning service from local disks to shared disks.
1. Create temporary mount points and mount the shared volumes onto the temporary mount points.
  
  Type mkdir /tmp/js
  
  Type mount /dev/md/sm-dg/dsk/d0 /tmp/js
2. Bring the otp-system-rg resource group offline.
  
  clresourcegroup set -p RG_system=false otp-system-rg
  
  clresourcegroup offline otp-system-rg
3. Move the Sun OTP system service contents from the local disk to the shared volume.
  
  mv /var/js/* /tmp/js
  
  umount /tmp/js
4. Disable all the resources in the otp-system-rg resource group.
  
  clresource disable otp-lhn-rs
  
  clresource disable otp-hasp-rs
  
  clresource disable otp-nfs-rs
  
  clresource disable otp-sm-rs
  
  clresource disable otp-spsra-rs
  
  clresource disable otp-spsms-rs
5. Modify the properties of the HAStoragePlus resource.
  
  clresource set -p FilesystemMountPoints=/var/js otp-hasp-rs
  
  clresource set -p GlobalDevicePaths=/dev/md/sm-dg/dsk/d0 otp-hasp-rs
6. Enable all the resources in the otp-system-rg resource group.
  
  clresource enable otp-lhn-rs
  
  clresource enable otp-hasp-rs
  
  clresource enable otp-nfs-rs
  
  clresource enable otp-sm-rs
  
  clresource enable otp-spsra-rs
  
  clresource enable otp-spsms-rs
7. Bring the otp-system-rg resource group online.
  
  clresourcegroup online otp-system-rg
8. Set the system property of the otp-system-rg resource group to true.
  
  clresourcegroup set -p RG_system=true otp-system-rg

Next Steps

You can add new hosts to the cluster.

Enabling and Disabling the Sun OTP System Management Service and the Sun OTP Application Provisioning Service

This section provides procedures for enabling and disabling the system management service and the application provisioning service on a single Sun OTP host.

To Enable and Disable the Sun OTP System Management Service Using the CLI

The following steps enable and disable the Sun OTP system management service on the entire cluster. Ensure to run this plan on the first (or single) node.

Use the serviceManagement script with the n1sm option to enable and disable the Sun OTP system management service.
- To enable the service, use the start option.
  
  /opt/SUNWotp/cli/serviceManagement n1sm start
- To disable the service, use the stop option.
  
  /opt/SUNWotp/cli/serviceManagement n1sm stop
Tip –
You can check the log information in the /var/OTP/OTPSvcMgmt.log file to verify whether the services are enabled or disabled.

To Enable and Disable the Sun OTP Application Provisioning Service Using the CLI

Note –

If the Sun OTP application provisioning service is running in the high availability mode, the provisioning service is enabled or disabled on all the hosts in the cluster.
If the Sun OTP application provisioning service is not running in the high-availability mode, the Sun OTP application provisioning service is enabled or disabled only on the target host.

Use the serviceManagement script with the n1sps option to enable and disable the Sun OTP application provisioning service.
- To enable the service, use the start option.
  
  /opt/SUNWotp/cli/serviceManagement n1sps start
- To disable the service, use the stop option.
  
  /opt/SUNWotp/cli/serviceManagement n1sps stop

To Enable and Disable the Sun OTP System Management and Sun OTP Application Provisioning Service Using GUI

The graphical user interface cannot be used to disable the Sun OTP application provisioning service on the host on which it is running. In other words, if the service is running on otpclient01, you cannot use the graphical user interface on otpclient01 to disable the application provisioning service. Instead, use the command- line interface to disable the application provisioning service.

Go to https://Sun OTP host:9090 where Sun OTP host is the IP address or the fully qualified name of the Sun OTP host on which the resource group is active.

Type the user name and password.

The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

Click OTP Setup to display the Sun Open Telecommunications Platform utility tasks page.

Click Enable & Disable and click run.

Type the host name on which you want to enable or disable the services in the target host field.

Decide whether to enable or disable the services.
- Select the N1SPS should be running and N1SM should be running check boxes to enable the services.
- Do not select the N1SPS should be running and N1SM should be running check boxes to disable the services.

Select the Yes, I really want to modify state of services check box.

Click run plan (includes preflight)

Type the clrg command to check status of the otp-system-rg resource group.

Tip –
You can also check the log information in the /var/OTP/SUNWotp-debug.log file to verify whether the services are enabled or disabled.

Administering Web SSO Users

This section provides procedures to administer Web SSO users. Sun OTP 2.0 provides you the ability to administer Web Single Sign On (SSO) using the browser user interface (BUI) and the command-line interface (CLI). You can create new Web SSO users, change the password of existing users, and remove existing users.

The following topics are discussed:

Adding Web SSO User

You can add new Web SSO users.

This task creates user accounts for Sun OTP application provisioning service, Sun OTP system management service, and Sun OTP security service with the provided credentials. The timeout value for each user session on server is two hours.

To Create a Role

You need to manually create a user role before assigning the role to the Web SSO user. You need to create a role on all the cluster hosts and on all the zones, if applicable.

Create a new role account.

For example, create a role by name ssorole.

roleadd -s /bin/pfksh -d /export/home/ssorole -K defaultpriv=basic -P "Cluster Management,Web Console Management,Cluster Operation,Sun Cluster Commands,All" ssorole

Note –
It is mandatory to add a profile to the role that you create. Else, you will not be able to perform the administration task on a cluster. For more information on the roleadd command, see the roleadd man page.

Change the password for the new role.

For example

passwd ssorole

Enter the new password for the role and confirm the password.

Create a home directory for the role.

mkdir /export/home/ssorole

chown ssorole:other /export/home/ssorole

Restart the name service cache daemon for the new role to take effect.

Perform this step after all the above steps are performed on all the cluster hosts and on all the zones, if applicable.

svcadm restart system/name-service-cache

To Add Web SSO User Using GUI

Ensure that the resource group otp-security-ds-rg group is online on the first host of the cluster.

Open a browser and log in to the Sun OTP application provisioning service on the Sun OTP provisioning server.

Go to https://install server:9090 where install server is the IP address or the fully qualified name of the Sun OTP provisioning server.

Type the user name and password.

The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

Click OTP Setup to display the Sun Open Telecommunications Platform utility tasks page.

Click Add User and click run.

The SynchronizeWebSSOUsers plan run screen appears.

Type the host name in the target host field.

Type the Web SSO user name in the WebSSO login name field.

Type the password in the WebSSO password field.

Confirm the password in the Retype WebSSO password field.

Type the user role in the User role field.

You need to manually create a role before assigning it to the Web SSO user.

If there is no user role, do not specify any value for this field.

Click run plan (includes preflight).

To Add Web SSO User Using the CLI

The ssocli command needs to be executed on the same server which was used for the deployment.
Ensure that the resource group otp-security-ds-rg group is online on the first host of the cluster.

Type the following command to add Web SSO user.

/opt/SUNWotp/cli/ssocli add -u ssousername -f oldpasswordfile -c clusterhostset -r role -i

ssousername is the Web SSO user name.

oldpasswordfile is the file that contains the old or initial password on the first line.

clusterhostset is the cluster host set.

role is the role of the Web SSO user. You need to manuallycreate a role before assigning it to the Web SSO user.

If there is no user role, do not specify any value for role.

For example

/opt/SUNWotp/cli/ssocli add -u ssouser -f /tmp/pass -c cl-sso -r manager -i

Changing the Password of Existing Web SSO User

You can change the password of sn existing Web SSO user account.

To Change the Password of Existing Web SSO User Using GUI

Open a browser and log in to the Sun OTP application provisioning service on the Sun OTP provisioning server.

Go to https://install server:9090 where install server is the IP address or the fully qualified name of the Sun OTP provisioning server.

Type the user name and password.

The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

Click OTP Setup to display the Sun Open Telecommunications Platform utility tasks page.

Click Change User Password and click run.

The ChangeWebSSOPassword plan run screen appears.

Type the host name in the target host field.

Type the Web SSO user name in the WebSSO login name field.

Type the old password in the Old WebSSO password field.

Type the new password in the New WebSSO password field.

Confirm the new password in the Retype New WebSSO password field.

Click run plan (includes preflight).

To Change the Password of Existing Web SSO User Using the CLI

The ssocli command needs to be executed on the same server which was used for the deployment.
Ensure that the resource group otp-security-ds-rg group is online on the first host of the cluster.

Type the following command to change the password.

/opt/SUNWotp/cli/ssocli password -u ssousername -f oldpasswordfile -n newpasswordfile -c clusterhostset

ssousername is the Web SSO user name.

oldpasswordfile is the file that contains the old or initial password on the first line.

newpasswordfile is the file that contains the new password on the first line.

clusterhostset is the cluster host set.

For example

/opt/SUNWotp/cli/ssocli password -u ssouser -f /tmp/oldpass -n /tmp/newpass -c cl-sso

Removing Web SSO User

You can remove Web SSO users.

To Remove Web SSO User Using GUI

Open a browser and log in to the Sun OTP application provisioning service on the Sun OTP provisioning server.

Go to https://install server:9090 where install server is the IP address or the fully qualified name of the Sun OTP provisioning server.

Type the user name and password.

The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

Click OTP Setup to display the Sun Open Telecommunications Platform utility tasks page.

Click Remove User and click run.

The RemoveWebSSOUsers plan run screen appears.

Type the host name in the target host field.

Type the Web SSO user to remove in the WebSSO login name field.

Click run plan (includes preflight).

To Remove Web SSO User Using the CLI

The ssocli command needs to be executed on the same server which was used for the deployment.
Ensure that the resource group otp-security-ds-rg group is online on the first host of the cluster.

Type the following command to remove Web SSO user.

/opt/SUNWotp/cli/ssocli remove -u ssousername -c clusterhostset

ssousername is the Web SSO user name.

clusterhostset is the cluster host set.

For example

/opt/SUNWotp/cli/ssocli remove -u ssouser -c cl-sso

Hardening and Unhardening the Sun OTP Host

This section provides procedures for hardening and unhardening the system. Using Sun OTP 2.0, you can harden and unharden the Sun OTP host. Hardening is the process of modifying the Solaris^TM operating system configuration to improve the network security of a system. By using the hardening process, you can close the ports and disable the services that might present a security risk to the system. You can unharden, that is, reopen the ports and enable the services that were closed by the hardening process. Hardening and unhardening must be done on both global and non-global zones.

To Install the Sun OTP SST Driver

Solaris Security Toolkit (SST) driver must be installed on both global and non-global zones.

Open a browser and log in to the Sun OTP application provisioning service on the Sun OTP provisioning server.

Go to the https://install server:9090 where install server is the IP address or the fully qualified name of the Sun OTP provisioning server.

Type the user name and password.

The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

Click OTP Setup to display the Sun Open Telecommunications Platform utility tasks page.

Click Install Driver and click run.

Click run.

The InstallSST plan run screen appears.

Type the media directory in the Media Directory field.

Type the host name on which to install the driver in the target host field.

Click run plan (includes preflight).

To Uninstall the Sun OTP SST Driver

Open a browser and log in to the Sun OTP application provisioning service on the Sun OTP provisioning server.

Go to the https://install server:9090 where install server is the IP address or the fully qualified name of the Sun OTP provisioning server.

Type the user name and password.

The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

Click OTP Setup to display the Sun Open Telecommunications Platform utility tasks page.

Click Uninstall Driver and click run.

The UninstallSST plan run screen appears.

Type the host name on which to uninstall the driver in the target host field.

Click run plan (includes preflight).

To Harden the Sun OTP Host

Hardening is the process of modifying the Solaris OS configuration to improve a system's security. By using the hardening process, you can close the ports and disable the services that might present a security risk to the system.

Before You Begin

Install the Sun OTP SST Driver

Open a browser and log in to the Sun OTP application provisioning service on the Sun OTP provisioning server.

Go to the https://install server:9090 where install server is the IP address or the fully qualified name of the Sun OTP provisioning server.

Type the user name and password.

The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

Click OTP Setup to display the Sun Open Telecommunications Platform utility tasks page.

Click Harden and click run.

The Harden plan run screen appears.

Type the host name that you want to harden in the target host field.

Click run plan (includes preflight).

Note –
The plan does not close the ports and disable the services that are required by the Sun OTP components.

Once the plan completes, reboot the Sun OTP host for hardening to take effect.

To Unharden the Sun OTP Host

Using unhardening, you can reopen the ports and enable the services that were closed by the hardening process.

Hardening is defined in certain configuration files. If you have changed certain configuration files, you can choose one of the following options during unhardening:

Roll back only the unchanged configuration files to its default state. The changed files can be retained in its current state.
Roll back all the configuration files, including the changed files, to its default state.

Open a browser and log in to the Sun OTP application provisioning service on the Sun OTP provisioning server.

Go to the https://install server:9090 where install server is the IP address or the fully qualified name of the Sun OTP provisioning server.

Type the user name and password.

The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

Click OTP Setup to display the Sun Open Telecommunications Platform utility tasks page.

Choose the state of the configuration files.
- To roll back only the unchanged configuration files to its default state, click UnHarden & Keep.
- To roll back all the configuration files, including the changed files, to its default state, click UnHarden & Revert.

Click run.

Type the host name that you want to unharden in the target host field.

Click run plan (includes preflight).

Solution Updates and Patch Clusters

This section gives an overview of patch clusters and the procedure to update Sun OTP.

The following topics are discussed:

Sun OTP Patch Clusters

Patch clusters are the consolidation of all Sun OTP and OTP-relevant component product packages and patches that are required for maintenance and maximized solution stack stability. All fixes for Sun OTP will be released as patch clusters. You can install patch clusters using both the CLI and N1SPS interfaces.

Sun OTP is a single unified solution stack consisting of integrated component products. Change management for the Sun OTP solution stack involves consolidating individual component product fixes into Sun OTP patch clusters and qualifying those patch clusters as a unified sets of change. Individual patches for constituent component products should not be used. Changes to a Sun OTP solution stack will be made through rigorously qualified patch clusters.

The patch clusters handle complexities such as dependencies, installation order, special instructions, reboots and reconfiguration, single user and multi-user modes.

Following are the two types of patch clusters:

Critical patch cluster - A critical patch cluster includes fixes that are critical to the proper functioning and operation of Sun OTP. Critical patch clusters are time-sensitive and will be released periodically.
Maintenance patch cluster - A maintenance patch cluster is the consolidation of component product fixes released on a periodic basis.

Updating Sun OTP Components

This section describes the method to apply Sun OTP patch cluster to update a system. You can update single or multiple components of Sun OTP by using the Command-Line Interface (CLI) or Graphical User Interface (GUI).

To Update Sun OTP Components Using the GUI

Open a browser and log in to the Sun OTP application provisioning service on the 1.1 Sun OTP provisioning server.

Go to URL https://install server:9090 where install server is either the IP address or the fully qualified name of the 1.1 Sun OTP provisioning server.

Type the user name and password.

The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

Import the Sun OTP Update plug-in.
1. Click Administration in the left menu.
2. Click the plug-ins link.
3. Click the import link to import a new plug-in.
4. Type the following path of the jar file in one line in the Import plug-in JAR field.
  2.0_mediadir/common/components/sunotp/SUNWotpupdate/ reloc/SUNWotp/update/jar/com.sun.OTPUpdate_1.0.jar
  2.0_mediadir is the fully qualified path name to the Sun Open Telecommunications Platform 2.0 installation source directory.
5. Click continue to import.
  
  After successful import, the Sun OTP Update plug-in appears under Common Tasks.

Prepare Sun OTP components for update.
1. Click OTP Update in the left menu to display the OTP update steps page.
2. Click Prepare and click run.
3. Click select from list under variable settings.
4. At the bottom of the select variable setting from list... screen, click create set to create a new variable set.
5. Type a new variable set name in the Set Name field.
6. Type the values for the following variables:
  
  mediaDirectory - Fully-qualified path name to the Sun Open Telecommunications Platform 2.0 installation source directory.
  
  logFile - Path of the log file that would contain the output of update operation
  
  Solaris - yes or no, default value is yes
  
  SunCluster - yes or no, default value is yes
  
  ManagementServices - yes or no, default value is yes
  
  SecurityServices - yes or no, default value is yes
7. Click save to save the variable set.
8. Close the select variable setting from list... screen.
9. In the Prepare screen, click the drop-down list under variable settings, and choose the new variable set.
10. Type the host name that you want to update in the target host field.
11. Click run plan (includes preflight).

Update Sun OTP components.
1. Click Update and click run.
2. Type the host name that you want to update in the target host field.
3. Click run plan (includes preflight).
  
  The page is reloaded and a progress bar is displayed during the process. When the plan completes, wait for the Sun OTP host to boot into multi-user mode.

To Update Sun OTP Components Using CLI

Navigate to the following directory.

cd 2.0_mediadir/common/components/sunotp

2.0_mediadir is the fully-qualified path name to the Sun Open Telecommunications Platform 2.0 installation source directory.

Add the SUNWotpupdate package on the Sun OTP host.

pkgadd -d . SUNWotpupdate

Run the otp_update.sh script.

/opt/SUNWotp/update/cli/otp_update.sh -L logfilepath -D 2.0_mediadir components

logfilepath is the path of the log file that contains the output of the update operation.

2.0_mediadir is the fully qualified path name to the Sun Open Telecommunications Platform 2.0 installation source directory.

components are Sun OTP components to update. components can be a combination of solaris, n1sps, n1sm, suncluster, and jse.

Solution Upgrades

This section provides procedures to upgrade Sun OTP. To upgrade Sun OTP, you first have to upgrade the provisioning server and then upgrade Sun OTP using one of the upgrade methods, that is, standard. dual-partition, or live upgrade. This section describes both the GUI and CLI upgrade procedures. Details on how to prepare a host before running the upgrade plan is also explained. At a certain point during the process of upgrading Sun OTP, NEPs can upgrade their application. The procedures described in this section gives pointer to such points.

Note –

The procedures for command-line upgrade are examples and are provided only for demonstration purposes.

The following topics are discussed:

Upgrading Sun OTP

You can upgrade Sun OTP 1.1 to version 2.0 by using one of the following upgrades methods:

Standard upgrade. Shuts down the cluster before you upgrade the cluster nodes. You must return the cluster to production after all the nodes are fully upgraded.
Dual-partition upgrade. Divides the cluster into two groups of nodes. You must bring down one group of nodes and upgrade those nodes. The other group of nodes continue to provide services. After you complete the upgrade of the first group of nodes, switch services to the upgraded nodes. You can then upgrade the remaining nodes and boot them back to the rest of the cluster. The cluster outage time is limited to the amount of time needed for the cluster to switch over services to the upgraded partition.
Live upgrade. Maintains the previous cluster configuration until you have upgraded all nodes, and commit to the upgrade. If the upgraded configuration causes a problem, revert to your previous cluster configuration until you can rectify the problem.

Table 1–1 Task map: Description of various upgrade tasks


Task	Description
Upgrading Sun OTP 1.1 Provisioning Server to Version 2.0	This section describes the procedure to upgrade the provisioning server
Upgrading Sun OTP Using Standard Upgrade	This section describes the procedure to upgrade Sun OTP using the standard upgrade method. It includes both the GUI and CLI procedures, and details about how to upgrade the remaining service and install the security service.
Upgrading Sun OTP Using Dual-Partition Upgrade	This section describes the procedure to upgrade Sun OTP using the dual-partition method. It includes both the GUI and CLI procedures, and details about how to prepare the hosts for dual-partition upgrade.
Upgrading Sun OTP Using Live Upgrade	This section describes the procedure to upgrade Sun OTP using the live upgrade method. It includes both the GUI and CLI procedures, and details about how to prepare the hosts for dual-partition upgrade.

To Upgrade Sun OTP 1.1 Provisioning Server to Version 2.0

Note –

You can directly use the Sun OTP 2.0 provisioning server to upgrade Sun OTP. Sun OTP 2.0 provisioning server has the SUNWotp, SUNWotpupdate, and SUNWotpupg packages installed.

Remove the packages.

pkgrm SUNWotp SUNWotpcli SUNWotputil

If the OSP plug-in along with the SUNWotpra custom package was used to install the Solaris OS on this system, remove the SUNWotpra package.

pkgrm SUNWotpra

Change to the following directory.

cd 2.0_mediadir/common/components/sunotp

2.0_mediadir is the fully qualified path name to the Sun Open Telecommunications Platform 2.0 installation source directory.

Add the following packages.

pkgadd -d . SUNWotp SUNWotpupdate SUNWotpupg

Reconfigure the Sun OTP application provisioning service on the Sun OTP 1.1 Sun OTP provisioning server.

/opt/SUNWotp/upgrade/n1sps_reconfigure.pl --run reconfig --nodetype none --params mediadir=2.0_mediadir

2.0_mediadir is the fully qualified path name to the Sun Open Telecommunications Platform 2.0 installation source directory.

Upgrading Sun OTP Using Standard Upgrade

This section describes the procedure to upgrade Sun OTP using the standard upgrade method. It includes both the GUI and CLI procedures, and details about how to upgrade the remaining service and install the security service.

To Upgrade Sun OTP from 1.1 to Sun OTP 2.0 Using the GUI

Before You Begin

Upgrade Sun OTP 1.1 Provisioning Server to Version 2.0

Open a browser and log in to the Sun OTP application provisioning service on the Sun OTP provisioning server.

Go to URL https://install server:9090 where install server is either the IP address or the fully qualified name of the Sun OTP provisioning server.

Type the user name and password.

The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

Click OTP Upgrade in the left panel.

Set up the configuration for upgrade by creating two variable sets.

Run this plan on all the Sun OTP hosts.
1. Click Set up Configuration and click run.
2. Click the select from list... option corresponding to the /com/sun/OTP/Utilities/OTPConfig directory.
3. Click create set to create a new variable set.
4. Type a new variable set name in the Set Name field.
5. Click the check boxes for the appropriate plan variables for which you want to type the values.
6. Type the values for the appropriate plan variables in the text fields. For description about the Sun OTP plan settings and the clustered Sun OTP host plan worksheet, see Appendix A Sun OTP Upgrade Plan Worksheet.
  
  Note –
  Do not specify the values for the zone-related variables and specify RAW for the spsRAConnectionType variable.
7. Click save to save the variable set.
8. Close the select variable setting from list... screen.
9. Under variable settings, click the drop-down list corresponding to the /com/sun/OTP/Utilities/OTPConfig directory and choose the new variable set.
10. Click select from list... corresponding to the /com/sun/OTPupgrade/Upgrade directory.
11. Click create set to create a new variable set.
12. Type a new variable set name in the Set Name field.
13. Type the values for the following variables:
  
  logFile - Path of the log file that would contain the output of upgrade operation. For example, /var/OTP/OTPUpgrade.log.
  
  upgradeType - standard
14. Click save to save the variable set.
15. Close the select variable setting from list... screen.
16. Under variable settings, click the drop-down list corresponding to the /com/sun/OTPupgrade/Upgrade directory and choose the new variable set.
17. Type the host name in the target host field.
18. Enter and confirm the password.
  
  The password is the password provided in the password file while setting up the Sun OTP provisioning server. The password can be 8 to 12 alphanumeric characters. You need to use this password and the user name otpadmin as the access credentials for all Sun OTP components including Web SSO.
19. Click run plan (includes preflight).

Back up the Sun OTP system management data.

Run this plan only on the first Sun OTP host that is running the Sun OTP system management service.
1. Click Backup Data and click run.
2. Type the host name in the target host field.
3. Click run plan (includes preflight).

Upgrade the operating system.

Run this plan on all the Sun OTP hosts.
1. Click Upgrade OS and click run.
2. Type the host name in the target host field.
3. Click run plan (includes preflight).
  
  The plan is complete after initiating the patch upgrade process. You need to monitor the consoles on all the hosts and wait until the completion of patch upgrade cluster.

Upgrade the Sun OTP high availability service.

Run this plan on all the Sun OTP hosts.
1. Click Upgrade HA Services and click run.
2. Type the host name in the target host field.
3. Click run plan (includes preflight).

Upgrade the NEP application and the NEP application agent

If a NFS agent is used as part of the hosted application, upgrade the NFS agent before activating Sun Cluster. You can upgrade the agents later too. For more details on upgrading Sun Cluster, see Chapter 8, Upgrading Sun Cluster Software, in Sun Cluster Software Installation Guide for Solaris OS.

Note –
The upgrade procedure is specific to the hosted application, and can be automated by NEP's end-to-end upgrade. See the application documentation for instructions.

Activate the new cluster environment by rebooting all the Sun OTP hosts.

/usr/sbin/init 6

Perform the common steps for all types of upgrade. See Upgrade Remaining Services and Install the Security Service.

To Upgrade Remaining Services and Install the Security Service Using GUI

Upgrade the Sun OTP application provisioning service.

Run this plan simultaneously on all the Sun OTP hosts.
1. Click OTP Upgrade in the left panel.
2. Click Upgrade Provisioning Services.
3. Type the host name in the target host field.
4. Click run plan (includes preflight).
  
  Monitor the debug log in the /var/OTP/SUNWotp-debug.log file and wait until the reconfiguration of Sun OTP application provisioning service before running the next plan.

Upgrade the Sun OTP system management service.

Run this plan on all the Sun OTP hosts.
1. Click Upgrade Management Service and click run.
2. Type the host name in the target host field.
3. Click run plan (includes preflight).

Install the Sun OTP security service.

Run this plan on all the Sun OTP hosts.
1. Click OTP Setup in the left panel.
2. Click Install Security Service and click run.
3. Type the host name in the target host field.
4. Click run plan (includes preflight).

Configure the Sun OTP AHE components as highly available services.

Run this plan only on the first Sun OTP host.
1. Click Configure Components and click run.
2. Type the host name in the target host field.
3. Click run plan (includes preflight).

Restore the Sun OTP system management data that was backed up.

Run this plan only on the first Sun OTP host.
1. Click OTP Upgrade in the left panel.
2. Click Restore Data and click run.
3. Type the host name in the target host field.
4. Click run plan (includes preflight).

Install Web SSO.

Run this plan on all the Sun OTP hosts.
1. Click OTP Setup in the left panel.
2. Click Install WebSSO and click run.
3. Type the host name in the target host field.
4. Click run plan (includes preflight).

To Upgrade Sun OTP from 1.1 to 2.0 Using CLI

Before You Begin

Upgrade Sun OTP 1.1 Provisioning Server to Version 2.0

Copy the input_otp.dat file to a NFS-mounted directory.

cp /opt/SUNWotp/cli/templates/input_otp.dat /export/

Edit the /export/input_otp.dat file to add the values for each variable.

For description about the Sun OTP plan settings and the clustered Sun OTP host plan worksheet, see Appendix A Sun OTP Upgrade Plan Worksheet.

Note –
Do not specify the values for the zone-related variables and specify RAW for the spsRAConnectionType variable.

For each host, specify the values for the following upgrade-related variables.

h1_UpgradelogFile - Path of the log file that would contain the output of upgrade operation. For example, /var/OTP/OTPUpgrade.log.

upgradeType - standard.

Set up the configuration for upgrade.

/opt/SUNWotp/cli/deploy_otp -u S -f /export/input_otp.dat -o "-P passwordfile"

passwordfile is the absolute path of the password file. You can create this file in your home directory. The password file must contain a line with a valid password for all Sun OTP components. The password can be 8 to 12 alphanumeric characters. You need to use this password and the user name otpadmin as the access credentials for all Sun OTP components including Web SSO.

Back up the Sun OTP system management data.

/opt/SUNWotp/cli/deploy_otp -u b -f /export/input_otp.dat -o "-B hostname"

hostname is the first host name that is running the Sun OTP system management service.

Upgrade the operating system.

/opt/SUNWotp/cli/deploy_otp -u P -f /export/input_otp.dat

The command is complete after initiating the patch upgrade process. You need to monitor the consoles on all the hosts and wait until the completion of patch upgrade cluster.

Upgrade the Sun OTP high availability service.

/opt/SUNWotp/cli/deploy_otp -u a -f /export/input_otp.dat

Upgrade the NEP application and the NEP application agent

If a NFS agent is used as part of the hosted application, upgrade the NFS agent before activating Sun Cluster. You can upgrade the agents later too. For more details on upgrading Sun Cluster, see Chapter 8, Upgrading Sun Cluster Software, in Sun Cluster Software Installation Guide for Solaris OS.

Note –
The upgrade procedure is specific to the hosted application, and can be automated by NEP's end-to-end upgrade. See the application documentation for instructions.

Activate the new cluster environment by rebooting all the Sun OTP hosts.

/usr/sbin/init 6

Perform the common steps for all the types of upgrade. See Upgrade Remaining Services and Install the Security Service .

To Upgrade Remaining Services and Install the Security Service Using CLI

Upgrade the Sun OTP application provisioning service.

/opt/SUNWotp/cli/deploy_otp -u p -f /export/input_otp.dat

This command reconfigures the Sun OTP application provisioning service.

When the command is complete, monitor the debug log in the /var/OTP/SUNWotp-debug.log file and wait until the reconfiguration of the Sun OTP application provisioning service.

Upgrade the Sun OTP system management service.

/opt/SUNWotp/cli/deploy_otp -u m -f /export/input_otp.dat

Install the Sun OTP security service.

/opt/SUNWotp/cli/deploy_otp -i s -f /export/input_otp.dat

Configure the Sun OTP AHE components as highly available services.

/opt/SUNWotp/cli/deploy_otp -c h -f /export/input_otp.dat

Restore the Sun OTP system management data that was backed up.

/opt/SUNWotp/cli/deploy_otp -u r -f /export/input_otp.dat -o "-R hostname"

hostname is the first host name where Sun OTP system management data was backed up.

Install Web SSO.

/opt/SUNWotp/cli/deploy_otp --install websso --file /export/input_otp.dat

Upgrading Sun OTP Using Dual-Partition Upgrade

This section describes the procedure to upgrade Sun OTP using the dual-partition method. It includes both the GUI and CLI procedures, and details about how to prepare the hosts for dual-partition upgrade.

To Prepare Hosts for Dual-Partition Upgrade

You must perform this procedure before you upgrade Sun Open Telecommunications Platform using dual-partition upgrade.

Set the resource group property to false.

clresourcegroup set -p RG_system=false otp-system-rg

Reset the value to true after completing the live upgrade.

Set up the ssh login between the hosts in the cluster.

Perform this step on all the hosts in the cluster.
1. Type the following command.
  
  ssh-keygen -t rsa
2. Accept the default values on all nodes.
3. Append the contents of the /.ssh/id_rsa.pub file to the /.ssh/authorized_keys2 file from each host to all the cluster hosts.
4. Edit the /etc/ssh/sshd_config file. Set the value of the PermitRootLogin variable to yes.
5. Restart the ssh instance.
  
  svcadm restart svc:/network/ssh:default
6. Verify you are able to log in between all the cluster hosts without typing the password.

Set the system property for the otp-system-rg variable to false.

/usr/cluster/bin/scrgadm -c -g otp-system-rg -y rg_system=FALSE

Partition the cluster.
1. On the first host, unzip the cluster bundle.
  
  unzip -d /tmp_dir 2.0_mediadir/solaris_sparc/components/cluster.zip
  
  2.0_mediadir is the fully-qualified path name to the Sun OTP 2.0 installation source directory.
2. Type the following command.
  
  /tmp_dir/cluster/Solaris_sparc/Product/sun_cluster/Solaris_10/Tools/scinstall
3. Select Option #3: Manage a dual-partition upgrade.
4. Assign the manager host to the second partition, and the managed host to the first partition. The managed host on the first partition will be halted.
  
  Note –
  The first host or the manager host must remain in the second partition.
5. Boot the hosts in the first partition in the non-cluster mode.
  
  ok boot -x
Note –
For installing and administering Sun Cluster using the GUI, refer to Chapter 12, Administering Sun Cluster With the Graphical User Interfaces, in Sun Cluster System Administration Guide for Solaris OS.

To Upgrade Sun OTP from 1.1 to 2.0 Using the GUI

Before You Begin

Open a browser and log in to the Sun OTP application provisioning service on the Sun OTP provisioning server.

Go to https://install server:9090 where install server is either the IP address or the fully qualified name of the Sun OTP provisioning server.

Type the user name and password.

The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

Click OTP Upgrade in the left panel.

Set up the configuration for upgrade by creating two variable sets.

Run this plan on all the Sun OTP hosts.
1. Click Set up Configuration and click run.
2. Click select from list... corresponding to the /com/sun/OTP/Utilities/OTPConfig directory.
3. Click create set to create a new variable set.
4. Type a new variable set name in the Set Name field.
5. Click the check boxes for the appropriate plan variables for which you want to enter the values.
6. Type the values for the appropriate plan variables in the text fields. For description about the Sun OTP plan settings and the clustered Sun OTP host plan worksheet, see Appendix A Sun OTP Upgrade Plan Worksheet.
  
  Note –
  Do not specify the values for the zone-related variables and specify RAW for the spsRAConnectionType variable.
7. Click save to save the variable set.
8. Close the select variable setting from list... screen.
9. Under variable settings, click the drop-down list corresponding to the /com/sun/OTP/Utilities/OTPConfig directory and choose the new variable set.
10. Click select from list... corresponding to the /com/sun/OTPupgrade/Upgrade directory.
11. Click create set to create a new variable set.
12. Type a new variable set name in the Set Name field.
13. Type the values for the following variables:
  
  logFile - Path of the log file that would contain the output of upgrade operation. For example, /var/OTP/OTPUpgrade.log.
  
  upgradeType - standard.
14. Click save to save the variable set.
15. Close the select variable setting from list... screen.
16. Under variable settings, click the drop-down list corresponding to the /com/sun/OTPupgrade/Upgrade directory and choose the new variable set.
17. Type the host name in the target host field.
18. Enter and confirm the password.
  
  The password is the password provided in the password file while setting up the Sun OTP provisioning server. The password can be 8 to 12 alphanumeric characters. You need to use this password and the user name otpadmin as the access credentials for all Sun OTP components including Web SSO.
19. Click run plan (includes preflight).

Back up the Sun OTP system management data.

Run this plan on the first Sun OTP host which is running the Sun OTP system management service.
1. Click Backup Data and click run.
2. Type the host name in the target host field.
3. Click run plan (includes preflight).

Upgrade the operating system.

Run this plan simultaneously on all the hosts of the partition that are currently booted in the non-cluster mode.
1. Click Upgrade OS and click run.
2. Type the host name in the target host field.
3. Click run plan (includes preflight).
  
  The plan completes after initiating the patch upgrade process. You need to monitor the consoles on all the hosts and wait until the completion of the patch upgrade cluster.

Upgrade the Sun OTP high availability service.

Run this plan simultaneously on all the hosts of the partition that are currently booted in the non-cluster mode.
1. Click Upgrade HA Services.
2. Click run plan (includes preflight).

Upgrade the NEP application and the NEP application agent

If a NFS agent is used as part of the hosted application, upgrade the NFS agent before activating Sun Cluster. You can upgrade the agents later too. For more details on upgrading Sun Cluster, see Chapter 8, Upgrading Sun Cluster Software, in Sun Cluster Software Installation Guide for Solaris OS.

Note –
The upgrade procedure is specific to the hosted application, and can be automated by NEP's end-to-end upgrade. See the application documentation for instructions.

Activate the new cluster environment.
1. On one of the hosts in the first partition, type the following command to activate the first partition.
  
  /usr/cluster/bin/scinstall
2. Select Manage a dual-partition upgrade.
3. Select Apply dual-partition upgrade changes.
  
  The hosts in the first partition are rebooted into the cluster mode. Once they are successfully booted as active cluster members, the hosts in the second partition are halted.
4. Boot the hosts in the second partition in the non-cluster mode.
  
  ok boot -x
5. On the second partition, run all the steps from upgrading the OS (Upgrade Operating System plan).
6. Boot the second partition in cluster mode.
  1. Run /usr/cluster/bin/scinstall on the second partition.
  2. Select option #3 Manage a dual-partition upgrade.
  3. Select sub option #4 Apply dual-partition upgrade changes.
  4. Press enter to reboot the node to cluster mode.

Perform the common steps for all the types of upgrade. See Upgrade Remaining Services and Install the Security Service.

To Upgrade Sun OTP from 1.1 to 2.0 Using CLI

Before You Begin

Copy the input_otp.dat file to a NFS-mounted directory.

cp /opt/SUNWotp/cli/templates/input_otp.dat /export/

Edit the /export/input_otp.dat file.

Type the values for each variable. For description about the Sun OTP plan settings and the clustered Sun OTP host plan worksheet, see Appendix A Sun OTP Upgrade Plan Worksheet.

Note –
Do not specify the values for the zone-related variables and specify RAW for the spsRAConnectionType variable.

For each host, specify the values for the following upgrade-related variables.

h1_UpgradelogFile - Path of the log file that would contain the output of upgrade operation. For example, /var/OTP/OTPUpgrade.log.

upgradeType - standard.

Set up the configuration for upgrade.

/opt/SUNWotp/cli/deploy_otp -u S -f /export/input_otp.dat -o "-P passwordfile"

passwordfile is the absolute path of the password file. You can create this file in your home directory. The password file must contain a line with a valid password for all Sun OTP components. The password can be 8 to 12 alphanumeric characters. You need to use this password and the user name otpadmin as the access credentials for all Sun OTP components including Web SSO.

Back up the Sun OTP system management data.

/opt/SUNWotp/cli/deploy_otp -u b -f /export/input_otp.dat -o "-B hostname"

hostname is the first host name that is running the Sun OTP system management service.

Upgrade the operating system.

/opt/SUNWotp/cli/deploy_otp -u P -f /export/input_otp.dat -o "-T hostname"

hostname is the name of the host in the partition currently booted in the non-cluster mode. This command needs to be run for every host in this partition.

The command completes after initiating the patch upgrade process. You need to monitor the consoles on all the hosts and wait until the completion of the patch upgrade cluster.

Upgrade Sun OTP high availability service.

/opt/SUNWotp/cli/deploy_otp -u a -f /export/input_otp.dat -o "-T hostname"

hostname is the name of the host in the partition currently booted in non-cluster mode. This command needs to be run for every host in this partition.

Upgrade the NEP application and the NEP application agent

If a NFS agent is used as part of the hosted application, upgrade the NFS agent before activating Sun Cluster. You can upgrade the agents later too. For more details on upgrading Sun Cluster, see Chapter 8, Upgrading Sun Cluster Software, in Sun Cluster Software Installation Guide for Solaris OS.

Note –
The upgrade procedure is specific to the hosted application, and can be automated by NEP's end-to-end upgrade. See the application documentation for instructions.

Activate the new cluster environment.
1. On one of the hosts in the first partition, type the following command to activate the first partition.
  
  /usr/cluster/bin/scinstall
2. Select option #3 Manage a dual-partition upgrade.
3. Select sub option #4 Apply dual-partition upgrade changes.
  
  The hosts in the first partition are rebooted into the cluster mode. Once they are successfully booted as the active cluster members, the hosts in the second partition are halted.
4. Boot the hosts in the second partition in the non-cluster mode.
  
  ok boot -x
5. On the second partition, run all the steps from upgrading the OS (Upgrade Operating System plan).

Perform the common steps for all the types of upgrade. See Upgrade Remaining Services and Install the Security Service .

Upgrading Sun OTP Using Live Upgrade

This section describes the procedure to upgrade Sun OTP using the live upgrade method. It includes both the GUI and CLI procedures, and details about how to prepare the hosts for dual-partition upgrade.

To Prepare Hosts for Live Upgrade

You must perform this procedure before you upgrade Sun Open Telecommunications Platform by using live upgrade.

Create the live upgrade disk partition similar to the root disk.

For example, prtvtoc -h /dev/dsk/c0t0d0s2|fmthard -s "-" /dev/rdsk/c0t1d0s2

To Transfer Global Devices to a New Root Disk

You must perform this procedure before you upgrade Sun Open Telecommunications Platform using live upgrade.

Backup the /etc/vfstab file.

cp /etc/vfstab /etc/vfstab.old

Open the /etc/vfstab file for editing.

Locate the line that corresponds to /global/.device/node@N.

Edit the global device entry as follows:
1. Change the DID names to the physical names.
2. Change /dev/did/{r}dsk/dYsZ to /dev/{r}dsk/cNtXdYsZ.
3. Remove global from the entry.
The following example shows the name of DID device d3s3, which corresponds to /global/.devices/node@s, changed to its physical device names and the global entry removed.

Original:

/dev/did/dsk/d3s3 /dev/did/rdsk/d3s3 /global/.devices/node@2 ufs 2 no global

Changed:

/dev/dsk/c0t0d0s3 /dev/rdsk/c0t0d0s3 /global/.devices/node@2 ufs 2 no -

When the /etc/vfstab file is modified on all cluster nodes, run the OTP upgrade plan to upgrade the OS and cluster. See Upgrading Sun OTP Using Standard Upgrade.

After upgrading Sun OTP high availability service and before rebooting to the new boot environment (BE), restore the original /etc/vfstab file on each node of the un-upgraded BE.

cp /etc/vfstab.old /etc/vfstab

Mount the new Boot Environment (BE).

lumount sunotp1.1-sunotp2.0 /altroot

Locate the line that corresponds to /global/.devices/node@N and replace the dash (-) at the end of the entry with the word global.

/dev/dsk/cNtXdYsZ /dev/rdsk/cNtXdYsZ /global/.devices/node@N ufs 2 no global

Unmount the new BE.

luumount sunotp1.1-sunotp2.0

Check the BE status.

/usr/sbin/lustatus

Activate the BE.

/usr/sbin/luactivate BEname

BEname is the name of the boot environment variable.

Reboot the system.

/usr/sbin/init 6

Perform the common steps for all types of upgrade. See Upgrade Remaining Services and Install the Security Service .

To Upgrade Sun OTP Using the GUI

Before You Begin

Open a browser and log in to the Sun OTP application provisioning service on the Sun OTP provisioning server.

Go to https://install server:9090 where install server is either the IP address or the fully qualified name of the Sun OTP provisioning server.

Type the user name and password.

The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

Click OTP Upgrade in the left panel.

Set up the configuration for upgrade by creating two variable sets.

Run this plan on all the Sun OTP hosts.
1. Click Set up Configuration and click run.
2. Click select from list... corresponding to the /com/sun/OTP/Utilities/OTPConfig directory.
3. Click create set to create a new variable set.
4. Type a new variable set name in the Set Name field.
5. Click the check boxes for the appropriate plan variables for which you want to enter the values.
6. Type the values for the appropriate plan variables in the text fields. For description about the Sun OTP plan settings and the clustered Sun OTP host plan worksheet, see Appendix A Sun OTP Upgrade Plan Worksheet.
  
  Note –
  Do not specify the values for the zone-related variables and specify RAW for the spsRAConnectionType variable.
7. Click save to save the variable set.
8. Close the select variable setting from list... screen.
9. Under variable settings, click the drop-down list corresponding to the /com/sun/OTP/Utilities/OTPConfig directory and choose the new variable set.
10. Click select from list... corresponding to the /com/sun/OTPupgrade/Upgrade directory.
11. Click create set to create a new variable set.
12. Type a new variable set name in the Set Name field.
13. Type the values for the following variables:
  
  logFile - Path of the log file that would contain the output of upgrade operation. For example, /var/OTP/OTPUpgrade.log.
  
  upgradeType - live-upgrade.
  
  BEname - Name of the boot environment.
  
  diskLayout - Layout of the disk to be used for live upgrade.
  
  Syntax of diskLayout:
  
  mount1:disk_slice1-mount2:disk_slice2-mount3:disk_slice3
  
  Information for / (root), swap and /globaldevices is mandatory.
  
  Example:
  
  /:c2t3d0s0-swap:c2t3d0s1-/globaldevices:c2t3d0s3
14. Click save to save the variable set.
15. Close the select variable setting from list... screen.
16. Under variable settings, click the drop-down list corresponding to the /com/sun/OTPupgrade/Upgrade directory and choose the new variable set.
17. Type the host name in the target host field.
18. Click run plan (includes preflight).

Back up Sun OTP system management data.

Run this plan only on the first Sun OTP host that is running the Sun OTP system management service.
1. Click Backup Data and click run.
2. Type the host name in the target host field.
3. Click run plan (includes preflight).

Upgrade the operating system.

Run this plan on all the Sun OTP hosts.
1. Click Upgrade OS and click run.
2. Type the host name in the target host field.
3. Click run plan (includes preflight).
  
  Wait for the plan completion. The plan is upgraded on the alternate boot disk.

Upgrade Sun OTP high availability service.

Run this plan on all the Sun OTP hosts.
1. Click Upgrade HA Services and click run.
2. Type the host name in the target host field.
3. Click run plan (includes preflight).

Upgrade the NEP application and the NEP application agent

If a NFS agent is used as part of the hosted application, upgrade the NFS agent before activating Sun Cluster. You can upgrade the agents later too. For more details on upgrading Sun Cluster, see Chapter 8, Upgrading Sun Cluster Software, in Sun Cluster Software Installation Guide for Solaris OS.

Note –
The upgrade procedure is specific to the hosted application, and can be automated by NEP's end-to-end upgrade. See the application documentation for instructions.

Activate the new cluster environment.

Run this step on all the Sun OTP hosts.
1. Check the boot environment.
  
  /usr/sbin/lustatus
2. Activate the boot environment.
  
  /usr/sbin/luactivate BEname
  
  BEname is the name of the boot environment.
3. Reboot all the Sun OTP hosts.
  
  /usr/sbin/init 6

Perform the common steps for all the types of upgrade. See Upgrade Remaining Services and Install the Security Service.

To Upgrade Sun OTP Using CLI

Before You Begin

Copy the input_otp.dat file to a NFS-mounted directory.

cp /opt/SUNWotp/cli/templates/input_otp.dat /export/

Edit the /export/input_otp.dat file.

Type the values for each variable. For description about the Sun OTP plan settings and the clustered Sun OTP host plan worksheet, see Appendix A Sun OTP Upgrade Plan Worksheet.

Note –
Do not specify the values for the zone-related variables and specify RAW for the spsRAConnectionType variable.

For each host, specify the values for the following upgrade-related variables.

h1_UpgradelogFile - Path of the log file that would contain the output of upgrade operation. For example, /var/OTP/OTPUpgrade.log.

upgradeType - live-upgrade.

h1_BEname - Name of the boot environment.

h1_diskLayout - Layout of the disk to be used for live upgrade.

Set up the configuration for upgrade.

/opt/SUNWotp/cli/deploy_otp -u S -f /export/input_otp.dat -o "-P passwordfile"

passwordfile is the absolute path of the password file. You can create this file in your home directory. The password file must contain a line with a valid password for all Sun OTP components. Password can be 8 to 12 alphanumeric characters. You need to use this password and the user name otpadmin as the access credentials for all Sun OTP components including Web SSO.

Back up the Sun OTP system management data.

/opt/SUNWotp/cli/deploy_otp -u b -f /export/input_otp.dat -o "-B hostname"

hostname is the first host name that is running the Sun OTP system management service.

Upgrade the operating system.

/opt/SUNWotp/cli/deploy_otp -u P -f /export/input_otp.dat

Wait for the plan completion. The plan is upgraded on the alternate boot disk.

Upgrade the Sun OTP high availability service.

/opt/SUNWotp/cli/deploy_otp -u a -f /export/input_otp.dat

Upgrade the NEP application and the NEP application agent

If a NFS agent is used as part of the hosted application, upgrade the NFS agent before activating Sun Cluster. You can upgrade the agents later too. For more details on upgrading Sun Cluster, see Chapter 8, Upgrading Sun Cluster Software, in Sun Cluster Software Installation Guide for Solaris OS.

Note –
The upgrade procedure is specific to the hosted application, and can be automated by NEP's end-to-end upgrade. See the application documentation for instructions.

Activate the new cluster environment.

Run this step on all the Sun OTP hosts.
1. Check the boot environment.
  
  /usr/sbin/lustatus
2. Activate the boot environment.
  
  /usr/sbin/luactivate BEname
  
  BEname is the name of the boot environment.
3. Reboot all the Sun OTP hosts.
  
  /usr/sbin/init 6

Perform the common steps for all the types of upgrade. See Upgrade Remaining Services and Install the Security Service.

Troubleshooting

In case of a live upgrade failure, follow these steps to rollback the OS and Sun OTP availability service.

Activate the original boot environment.

/usr/sbin/luactivate old BE
Reboot to the selected boot environment.
Delete the failed upgrade partition.

ludelete new BE
Restart the upgrade process from OS.

Auditing the System

The audit plan installs the audit package (SUNWotpaudit) on the target hosts and generates a report. The audit report contains the system overview, OTP components summary, runtime summary, firmware summary, package and patch information.

To Audit Your System

Before You Begin

Ensure that Sun Explorer 5.7 is installed and running in the system.

Open a browser and log in to the Sun OTP application provisioning service on the Sun OTP provisioning server.

Go to https://install server:9090 where install server is either the IP address or the fully qualified name of the Sun OTP provisioning server.

Type the user name and password.

The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

Click OTP Upgrade in the left panel.

Click Configuration Audit and click run.

Under variable settings, click select from list.

Click create set and provide a name for the variable set in the Set Name field.

Specify the values for the following parameters.
- installPath - The default is /opt
- mediaDirectory - Path of the (SUNWotpaudit) package
- explorerPath - Path of the explorer output file

Click save to save the variable set and close the select variable setting from list... screen.

In the ConfigAudit screen, click the drop-down list under variable settings, and choose the new variable set.

Type the target host where the audit packages have to be installed and run.

Select the OTP version to audit (audit OTP v1.1 or audit OTP v2.0).

Click run plan (includes preflight).

On successful completion, the plan does the following.
- Installs the SUNWotpaudit package in the installPath.
- Generates an audit report report.txt at /var/SUNWotpaudit/output.
Note –
For running the configuration audit tool on non OTP systems, refer to the latest README file present in the SUNWotpaudit package. This plan does not give the entire information about the OTP components present.

Sun OTP Backup and Restore

This section explains the procedure to back up and restore the Sun OTP services. Backup and restore of solution can include backup and restore of the various components they are dependent on. That is, if you want to backup or restore your solution, you can integrate the backup and restore of the various component products on which your solution is dependent upon into your solution backup and restore.

The following topics are discussed:

Backing Up Sun OTP Services

The Sun OTP backup process is component specific. Sun OTP copies and creates the required configuration for backup. You can back up individual Sun OTP services or all running Sun OTP services. The backup and restore process uses the installation framework for its implementation. Therefore, you cannot back up the Sun OTP services that run on the remote host.

To Back Up the Sun OTP Services

Perform this procedure only from the global zone even when Sun OTP security service is running in the non-global zone.

Before You Begin

In a clustered system, ensure that the Sun OTP service that needs to be backed up is running on the current Sun OTP host.

Determine the Sun OTP services that you want to back up.
- To back up all the running Sun OTP services, type:
  
  /opt/SUNWotp/cli/backup_otp -o backupdirectory -l logfile
  
  backupdirectory is a directory name on the Sun OTP host. This directory can be any valid NFS path name that can be accessed by the Sun OTP host with write permission. The back up data is stored in a tar file under this backup directory.
  
  logfile is the name of the log file that contains the output of the backup operation.
- To back up the Sun OTP high availability service, type the following command:
  
  /opt/SUNWotp/cli/backup_otp -c h -o backupdirectory -l logfile
- To back up the Sun OTP system management service, type the following command:
  
  /opt/SUNWotp/cli/backup_otp -c m -o backupdirectory -l logfile
- To back up the Sun OTP application provisioning service, type the following command:
  
  /opt/SUNWotp/cli/backup_otp -c p -o backupdirectory -l logfile
- To back up the Sun OTP security service, type the following command:
  
  /opt/SUNWotp/cli/backup_otp -c s -o backupdirectory -l logfile

Data Backed Up By the Backup Plan

The following table lists the data that is backed up by the backup plan.

Table 1–2 Data Backed Up By the Backup Plan


Sun OTP Service	Data Backed Up
Sun OTP registry files	`/var/OTP` directory
Sun OTP high availability service	`/etc/cluster` directory
Sun OTP application provisioning service	Database, plug-in, and SPS database data, and custom tasks data
Sun OTP system management service	Configuration files and SCS database
Sun OTP security service	`/opt/SUNWotp/accessmgr` directory `/var/opt/SUNWotp/webserver/local-server/web-app` directory `/var/opt/SUNWotp/config/alias` file `/var/opt/SUNWotp/webserver/admin-server/config-store/` directory `/etc/opt/SUNWotp/web-sso` file `/opt/SUNWjass/Drivers/sunotp` driver Instance of the Directory Server.

To Back Up Sun OTP Services at Scheduled Intervals

You can perform scheduled backup of the Sun OTP services. For more details, crontab(1).

Open the crontab file.

To back up Sun OTP services at 1 a.m. each Saturday, for example, add the following line to the crontab file.

0 1 * * 6 /opt/SUNWotp/cli/backup_otp -o /var/otp/backup -l /var/otp/backup.log

In this example, the backup tar files are stored in the /var/otp/backup directory.

To automatically delete old backup tar files at 1 a.m. each Sunday, for example, add the following line to the crontab file.

0 1 * * 7 find /var/otp/backup -name '*.tar' -mtime +10 -exec /bin/rm -f {} \;

In this example, the backup tar files are stored in the /var/otp/backup directory.

Restoring Sun OTP Services

You can restore the Sun OTP services only on the same host where they are backed up. Before the restore process, stop the Web Server from the cluster control. Once you complete the restore process, restart the Web Server.

To Restore Sun OTP Services

Perform this procedure only from the global zone even when Sun OTP security service is running in the non-global zone.

The backup tar file created by the backup plan determines the Sun OTP service to be restored. For example, if the backup tar file contains only the backup data for the Sun OTP application provisioning service, then only the Sun OTP application provisioning service is restored.

Before You Begin

In a clustered system, make sure that the Sun OTP service to be restored is running on the current Sun OTP host.

To restore the Sun OTP services, type the following command:

/opt/SUNWotp/cli/restore_otp -t tarfile -l logfile

tarfile is the backup tar file created by the backup CLI.

logfile is the name of the log file that contains the output of the restore operation.

Note –
Sun OTP configuration data and Sun OTP high availability service is not restored.