Solution Administration

NEPs can use Sun OTP to their deploy solutions. This section provides information on how to start, stop, and manage the network equipment provider (NEP) applications deployed on Sun OTP. The following topics are discussed:

• Managing Different Applications

• Preparing Components For Backup and Restore

• Preventing Management Stage Change

• Converting a Stand-alone Sun OTP Host to a Clustered Sun OTP Host

• Enabling and Disabling the Sun OTP System Management Service and the Sun OTP Application Provisioning Service

• Administering Web SSO Users

• Hardening and Unhardening the Sun OTP Host

Managing Different Applications

This section describes how to manage applications in the the following scenarios:

• Scenario 1: Simple application on a single cluster - This application runs only on a single cluster. The application can be modeled as a single cluster resource, which can then added to a single resource group. NEPs would then be able to manage their application by changing the state of a resource group to online or offline. The command to bring the resource group to online state is clresourcegroup online and to bring the resource group to offline state is clresourcegroup online.

  The other management states operations are

  • manage: Resource groups are in an unmanaged state when they are created. Use the manage subcommand to bring the resource group to a managed state. If you use this subcommand in a non-global zone, it successfully operates only on resource groups whose node list contains that zone. If you use this subcommand in the global zone, it can operate on any resource group. See example:

    /usr/cluster/bin/clresourcegroup manage {+| resourcegroup?}

  • quiesce: This command stops a resource group from continuously switching from one node or zone to another node. If you use this subcommand in a non-global zone, it operates only on resource groups whose node list contains that zone. If you use this subcommand in the global zone, it can operate on any resource group. Use the -k option to kill methods that are running on behalf of resources in the affected resource groups. If you do not specify the -k option, methods are allowed to continue running until they exit or exceed their configured timeout. See example:

    /usr/cluster/bin/clresourcegroup quiesce [*-k*] {+| resourcegroup?}

  For more information on changing the state of a resource group, see clrg(1CL).

• Scenario 2: Application using multiple components deployed on a single cluster - This application can be managed by using multiple resource group. These resource groups can be managed using the provisioning service. However, the dependency issues between the resource groups should be considered. The state of resource group may have to be changed to online or offline in a sequential order. The administration provisioning service can be used to manage the resource groups lifecycle.

• Scenario 3: Application using multiple components deployed on multiple clusters - This application is a multi-tier application. Within a cluster, NEPs could assign the application or each application component to a resource group, as described in scenarios 1 and 2. These resource groups can be managed using the provisioning service. However, the dependency issues between resource groups and within each resource group should be considered.

  Consider an example of a 3 tier application where a simple start plan sequentially calls the start procedure for the components representing the 3 tiers of a sample application. Tier 1 is the access logic tier, tier 2 is the business logic tier, and tier 3 is the data tier. The sequence of the start order is 3, 2, and 1 and the stop order is 1, 2, and 3. Sample code of a composite plan for starting and stopping a 3 tier application is as follows. In this sample, DbComponent, AsComponent, and WsComponent representing tier 3, 2 and 1 respectively are installed and our example plans are run on three hosts, that is, one host per each tier.

  Sample code for starting a 3 tier application

  <?xml version="1.0" encoding="UTF-8"?>
  <!-- generated by N1 SPS -->
  <executionPlan xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' 
  name='startThreeTierApp' version='5.2.4' xsi:schemaLocation='http://www.sun.com/schema/SPS plan.xsd' 
  xmlns='http://www.sun.com/schema/SPS'>
    <compositeSteps>
      <inlineSubplan planName='startTierThree'>
        <varList>
          <var name="hName" default=":[target(/):sys.hostName]"/>
        </varList>
        <simpleSteps implicitLocking='true'>
          <!-- plan runs on three hosts (one host for each tier). Start tier 3 
  if and only if this machine is hosting it.-->
          <if>
            <condition><equals value1=":[tierThreeHost]" value2=":[hName]"/></condition>
            <then>
              <call blockName='startDbComponent'>
                <installedComponent name='dbComponent' path='/some/path/db'></installedComponent>
              </call>
            </then>
          </if>
        </simpleSteps>
      </inlineSubplan>
  
      <inlineSubplan planName='startTierTwo'>
        <varList>
          <var name="hName" default=":[target(/):sys.hostName]"/>
        </varList>
        <simpleSteps implicitLocking='true'>
          <!-- plan runs on three hosts (one host for each tier). Start tier 2 
  if and only if this machine is hosting it.-->
          <if>
            <condition><equals value1=":[tierTwoHost]" value2=":[hName]"/></condition>
            <then>
              <call blockName='startAsComponent'>
                <installedComponent name='dbComponent' path='/some/path/as'></installedComponent>
              </call>
            </then>
          </if>
        </simpleSteps>
      </inlineSubplan>
  
      <inlineSubplan planName='startTierOne'>
        <varList>
          <var name="hName" default=":[target(/):sys.hostName]"/>
        </varList>
        <simpleSteps implicitLocking='true'>
          <!-- plan runs on three hosts (one host for each tier). Start tier 1 
  if and only if this machine is hosting it.-->
          <if>
            <condition><equals value1=":[tierOneHost]" value2=":[hName]"/></condition>
            <then>
              <call blockName='startWsComponent'>
                <installedComponent name='dbComponent' path='/some/path/ws'></installedComponent>
              </call>
            </then>
          </if>
        </simpleSteps>
      </inlineSubplan>
  
    </compositeSteps>
  </executionPlan>

  Sample code for stopping a 3 tier application

  <?xml version="1.0" encoding="UTF-8"?>
  <!-- generated by N1 SPS -->
  <executionPlan xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' 
  name='stopThreeTierApp' version='5.2.4' xsi:schemaLocation='http://www.sun.com/schema/SPS plan.xsd' 
  xmlns='http://www.sun.com/schema/SPS'>
    <compositeSteps>
  
      <inlineSubplan planName='stopTierOne'>
        <varList>
          <var name="hName" default=":[target(/):sys.hostName]"/>
        </varList>
        <simpleSteps implicitLocking='true'>
          <!-- plan runs on three hosts (one host for each tier). Stop tier 1 
  if and only if this machine is hosting it.-->
          <if>
            <condition><equals value1=":[tierOneHost]" value2=":[hName]"/></condition>
            <then>
              <call blockName='stopWsComponent'>
                <installedComponent name='dbComponent' path='/some/path/ws'></installedComponent>
              </call>
            </then>
          </if>
        </simpleSteps>
      </inlineSubplan>
  
      <inlineSubplan planName='stopTierTwo'>
        <varList>
          <var name="hName" default=":[target(/):sys.hostName]"/>
        </varList>
        <simpleSteps implicitLocking='true'>
          <!-- plan runs on three hosts (one host for each tier). Stop tier 2 
  if and only if this machine is hosting it.-->
          <if>
            <condition><equals value1=":[tierTwoHost]" value2=":[hName]"/></condition>
            <then>
              <call blockName='stopAsComponent'>
                <installedComponent name='dbComponent' path='/some/path/as'></installedComponent>
              </call>
            </then>
          </if>
        </simpleSteps>
      </inlineSubplan>
  
      <inlineSubplan planName='stopTierThree'>
        <varList>
          <var name="hName" default=":[target(/):sys.hostName]"/>
        </varList>
        <simpleSteps implicitLocking='true'>
          <!-- plan runs on three hosts (one host for each tier). Stop tier 3 
  if and only if this machine is hosting it.-->
          <if>
            <condition><equals value1=":[tierThreeHost]" value2=":[hName]"/></condition>
            <then>
              <call blockName='stopDbComponent'>
                <installedComponent name='dbComponent' path='/some/path/db'></installedComponent>
              </call>
            </then>
          </if>
        </simpleSteps>
      </inlineSubplan>
  
    </compositeSteps>
  </executionPlan>

Preparing Components For Backup and Restore

NEPs might need to save a state of an application, for example, save a state before running the backup plan. In this case, NEPs should stop the application and save the state. For details on how to manage applications, see Managing Different Applications.

Preventing Management Stage Change

You can configure the resource group property so that administrators will not be able to offline the resources. If the RG_System property is TRUE for a resource group, the resource group has restricted privileges and the operation of clresource and clresourcegroup commands are affected. This prevents accidental modification or deletion of critical resource groups and resources restricted privileges.

To enable the RG_System property on the resource group, type the following command:

/usr/cluster/bin/clrg set -p RG_System=true RG-Name

Example to set the OTP provisioning services group to system group

/usr/cluster/bin/clrg set -p RG_System=true otp-system-rg

To disable theRG_System property on the resource group, type the following command:

/usr/cluster/bin/clrg set -p RG_System=false RG-Name

Example to disable the System property on the OTP provisioning services group

/usr/cluster/bin/clrg set -p RG_System=false otp-system-rg

For more details on the System property, refer to the following Sun Cluster documents:

• Sun Cluster 3.2 Reference Collection for Solaris OS http://docs.sun.com/app/docs/coll/1029.6

• rg_properties(5)

Converting a Stand-alone Sun OTP Host to a Clustered Sun OTP Host

This section provides the procedure to convert a stand-alone Sun OTP host to a clustered Sun OTP host. The conversion from stand-alone to clustered OTP host ensures that the following changes are performed on the host:

• The shared disk for the cluster is created.

• The provisioning services are moved to the shared disk and run from the shared disk.

• The RGM settings for the otp-system-rg resource group and its resources are updated accordingly.

• The host node type is changed from single to first node.

To Convert a Stand-alone Sun OTP Host to a Clustered Sun OTP Host

1. Go to https://Sun OTP host:9090, where Sun OTP host is the IP address or the fully qualified name of the provisioning service logical hostname that is already configured during Sun OTP installation.

   The Sun OTP common Single Sign-On login screen appears.

2. Type the user name and password.

   The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

3. Click OTP Setup to display the Sun Open Telecommunications Platform utility tasks page.

4. Convert the Stand-alone Sun OTP host to the Clustered Sun OTP host.

   ---

   Note –

   Before performing Step 4, make sure that the Sun OTP Plan settings have the correct value for the privateInterface1 and privateInterface2 variables.

   ---

   1. Click Convert.

      The Convert Single to Clustered plan details screen appears.

   2. Click run.

      The Convert Single to Clustered plan run screen appears.

   3. Type the name of the stand-alone Sun OTP host that you want to convert to a clustered Sun OTP host in the target host field.

   4. Click run plan (includes preflight).

5. Create the database and metaset on the stand-alone OTP host.

   The shared storage should have a minimum of 1.5 gigabytes disk space.

   For example,

   metadb -a -f -c 6 c1t0d0s7

   metaset -s sm-dg -a -h standalonehostname

   metaset -s sm-dg -a /dev/did/rdsk/d6

   metainit -s sm-dg d0 1 1 /dev/did/rdsk/d6s0

   newfs /dev/md/sm-dg/rdsk/d0

6. Add the following entry to the /etc/vfstab file.

   /dev/md/sm-dg/dsk/d0 /dev/md/sm-dg/rdsk/d0 /var/js ufs 2 no logging

7. Change the storage of the Sun OTP system management service and the Sun OTP application provisioning service from local disks to shared disks.

   1. Create temporary mount points and mount the shared volumes onto the temporary mount points.

      Type mkdir /tmp/js

      Type mount /dev/md/sm-dg/dsk/d0 /tmp/js

   2. Bring the otp-system-rg resource group offline.

      clresourcegroup set -p RG_system=false otp-system-rg

      clresourcegroup offline otp-system-rg

   3. Move the Sun OTP system service contents from the local disk to the shared volume.

      mv /var/js/* /tmp/js

      umount /tmp/js

   4. Disable all the resources in the otp-system-rg resource group.

      clresource disable otp-lhn-rs

      clresource disable otp-hasp-rs

      clresource disable otp-nfs-rs

      clresource disable otp-sm-rs

      clresource disable otp-spsra-rs

      clresource disable otp-spsms-rs

   5. Modify the properties of the HAStoragePlus resource.

      clresource set -p FilesystemMountPoints=/var/js otp-hasp-rs

      clresource set -p GlobalDevicePaths=/dev/md/sm-dg/dsk/d0 otp-hasp-rs

   6. Enable all the resources in the otp-system-rg resource group.

      clresource enable otp-lhn-rs

      clresource enable otp-hasp-rs

      clresource enable otp-nfs-rs

      clresource enable otp-sm-rs

      clresource enable otp-spsra-rs

      clresource enable otp-spsms-rs

   7. Bring the otp-system-rg resource group online.

      clresourcegroup online otp-system-rg

   8. Set the system property of the otp-system-rg resource group to true.

      clresourcegroup set -p RG_system=true otp-system-rg

Next Steps

You can add new hosts to the cluster.

Enabling and Disabling the Sun OTP System Management Service and the Sun OTP Application Provisioning Service

This section provides procedures for enabling and disabling the system management service and the application provisioning service on a single Sun OTP host.

To Enable and Disable the Sun OTP System Management Service Using the CLI

The following steps enable and disable the Sun OTP system management service on the entire cluster. Ensure to run this plan on the first (or single) node.

1. Log in as root (su - root) to the Sun OTP host.

2. Use the serviceManagement script with the n1sm option to enable and disable the Sun OTP system management service.

   • To enable the service, use the start option.

     /opt/SUNWotp/cli/serviceManagement n1sm start

   • To disable the service, use the stop option.

     /opt/SUNWotp/cli/serviceManagement n1sm stop

   ---

   Tip –

   You can check the log information in the /var/OTP/OTPSvcMgmt.log file to verify whether the services are enabled or disabled.

   ---

To Enable and Disable the Sun OTP Application Provisioning Service Using the CLI

---

Note –

• If the Sun OTP application provisioning service is running in the high availability mode, the provisioning service is enabled or disabled on all the hosts in the cluster.

• If the Sun OTP application provisioning service is not running in the high-availability mode, the Sun OTP application provisioning service is enabled or disabled only on the target host.

---

1. Log in as root (su - root) to the Sun OTP host.

2. Use the serviceManagement script with the n1sps option to enable and disable the Sun OTP application provisioning service.

   • To enable the service, use the start option.

     /opt/SUNWotp/cli/serviceManagement n1sps start

   • To disable the service, use the stop option.

     /opt/SUNWotp/cli/serviceManagement n1sps stop

To Enable and Disable the Sun OTP System Management and Sun OTP Application Provisioning Service Using GUI

The graphical user interface cannot be used to disable the Sun OTP application provisioning service on the host on which it is running. In other words, if the service is running on otpclient01, you cannot use the graphical user interface on otpclient01 to disable the application provisioning service. Instead, use the command- line interface to disable the application provisioning service.

1. Go to https://Sun OTP host:9090 where Sun OTP host is the IP address or the fully qualified name of the Sun OTP host on which the resource group is active.

2. Type the user name and password.

   The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

3. Click OTP Setup to display the Sun Open Telecommunications Platform utility tasks page.

4. Click Enable & Disable and click run.

5. Type the host name on which you want to enable or disable the services in the target host field.

6. Decide whether to enable or disable the services.

   • Select the N1SPS should be running and N1SM should be running check boxes to enable the services.

   • Do not select the N1SPS should be running and N1SM should be running check boxes to disable the services.

7. Select the Yes, I really want to modify state of services check box.

8. Click run plan (includes preflight)

9. Type the clrg command to check status of the otp-system-rg resource group.

   ---

   Tip –

   You can also check the log information in the /var/OTP/SUNWotp-debug.log file to verify whether the services are enabled or disabled.

   ---

Administering Web SSO Users

This section provides procedures to administer Web SSO users. Sun OTP 2.0 provides you the ability to administer Web Single Sign On (SSO) using the browser user interface (BUI) and the command-line interface (CLI). You can create new Web SSO users, change the password of existing users, and remove existing users.

The following topics are discussed:

• Adding Web SSO User

• Changing the Password of Existing Web SSO User

• Removing Web SSO User

Adding Web SSO User

You can add new Web SSO users.

This task creates user accounts for Sun OTP application provisioning service, Sun OTP system management service, and Sun OTP security service with the provided credentials. The timeout value for each user session on server is two hours.

To Create a Role

You need to manually create a user role before assigning the role to the Web SSO user. You need to create a role on all the cluster hosts and on all the zones, if applicable.

1. Log in as root (su - root) to the Sun OTP host.

2. Create a new role account.

   For example, create a role by name ssorole.

   roleadd -s /bin/pfksh -d /export/home/ssorole -K defaultpriv=basic -P "Cluster Management,Web Console Management,Cluster Operation,Sun Cluster Commands,All" ssorole

   ---

   Note –

   It is mandatory to add a profile to the role that you create. Else, you will not be able to perform the administration task on a cluster. For more information on the roleadd command, see the roleadd man page.

   ---

3. Change the password for the new role.

   For example

   passwd ssorole

   Enter the new password for the role and confirm the password.

4. Create a home directory for the role.

   mkdir /export/home/ssorole

   chown ssorole:other /export/home/ssorole

5. Restart the name service cache daemon for the new role to take effect.

   Perform this step after all the above steps are performed on all the cluster hosts and on all the zones, if applicable.

   svcadm restart system/name-service-cache

To Add Web SSO User Using GUI

Ensure that the resource group otp-security-ds-rg group is online on the first host of the cluster.

1. Open a browser and log in to the Sun OTP application provisioning service on the Sun OTP provisioning server.

   Go to https://install server:9090 where install server is the IP address or the fully qualified name of the Sun OTP provisioning server.

2. Type the user name and password.

   The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

3. Click OTP Setup to display the Sun Open Telecommunications Platform utility tasks page.

4. Click Add User and click run.

   The SynchronizeWebSSOUsers plan run screen appears.

5. Type the host name in the target host field.

6. Type the Web SSO user name in the WebSSO login name field.

7. Type the password in the WebSSO password field.

8. Confirm the password in the Retype WebSSO password field.

9. Type the user role in the User role field.

   You need to manually create a role before assigning it to the Web SSO user.

   If there is no user role, do not specify any value for this field.

10. Click run plan (includes preflight).

To Add Web SSO User Using the CLI

• The ssocli command needs to be executed on the same server which was used for the deployment.

• Ensure that the resource group otp-security-ds-rg group is online on the first host of the cluster.

1. Log in as root (su - root) to the provisioning server.

2. Type the following command to add Web SSO user.

   /opt/SUNWotp/cli/ssocli add -u ssousername -f oldpasswordfile -c clusterhostset -r role -i

   ssousername is the Web SSO user name.

   oldpasswordfile is the file that contains the old or initial password on the first line.

   clusterhostset is the cluster host set.

   role is the role of the Web SSO user. You need to manuallycreate a role before assigning it to the Web SSO user.

   If there is no user role, do not specify any value for role.

   For example

   /opt/SUNWotp/cli/ssocli add -u ssouser -f /tmp/pass -c cl-sso -r manager -i

Changing the Password of Existing Web SSO User

You can change the password of sn existing Web SSO user account.

To Change the Password of Existing Web SSO User Using GUI

1. Open a browser and log in to the Sun OTP application provisioning service on the Sun OTP provisioning server.

   Go to https://install server:9090 where install server is the IP address or the fully qualified name of the Sun OTP provisioning server.

2. Type the user name and password.

   The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

3. Click OTP Setup to display the Sun Open Telecommunications Platform utility tasks page.

4. Click Change User Password and click run.

   The ChangeWebSSOPassword plan run screen appears.

5. Type the host name in the target host field.

6. Type the Web SSO user name in the WebSSO login name field.

7. Type the old password in the Old WebSSO password field.

8. Type the new password in the New WebSSO password field.

9. Confirm the new password in the Retype New WebSSO password field.

10. Click run plan (includes preflight).

To Change the Password of Existing Web SSO User Using the CLI

• The ssocli command needs to be executed on the same server which was used for the deployment.

• Ensure that the resource group otp-security-ds-rg group is online on the first host of the cluster.

1. Log in as root (su - root) to the provisioning server.

2. Type the following command to change the password.

   /opt/SUNWotp/cli/ssocli password -u ssousername -f oldpasswordfile -n newpasswordfile -c clusterhostset

   ssousername is the Web SSO user name.

   oldpasswordfile is the file that contains the old or initial password on the first line.

   newpasswordfile is the file that contains the new password on the first line.

   clusterhostset is the cluster host set.

   For example

   /opt/SUNWotp/cli/ssocli password -u ssouser -f /tmp/oldpass -n /tmp/newpass -c cl-sso

Removing Web SSO User

You can remove Web SSO users.

To Remove Web SSO User Using GUI

1. Open a browser and log in to the Sun OTP application provisioning service on the Sun OTP provisioning server.

   Go to https://install server:9090 where install server is the IP address or the fully qualified name of the Sun OTP provisioning server.

2. Type the user name and password.

   The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

3. Click OTP Setup to display the Sun Open Telecommunications Platform utility tasks page.

4. Click Remove User and click run.

   The RemoveWebSSOUsers plan run screen appears.

5. Type the host name in the target host field.

6. Type the Web SSO user to remove in the WebSSO login name field.

7. Click run plan (includes preflight).

To Remove Web SSO User Using the CLI

• The ssocli command needs to be executed on the same server which was used for the deployment.

• Ensure that the resource group otp-security-ds-rg group is online on the first host of the cluster.

1. Log in as root (su - root) to the provisioning server.

2. Type the following command to remove Web SSO user.

   /opt/SUNWotp/cli/ssocli remove -u ssousername -c clusterhostset

   ssousername is the Web SSO user name.

   clusterhostset is the cluster host set.

   For example

   /opt/SUNWotp/cli/ssocli remove -u ssouser -c cl-sso

Hardening and Unhardening the Sun OTP Host

This section provides procedures for hardening and unhardening the system. Using Sun OTP 2.0, you can harden and unharden the Sun OTP host. Hardening is the process of modifying the Solaris^TM operating system configuration to improve the network security of a system. By using the hardening process, you can close the ports and disable the services that might present a security risk to the system. You can unharden, that is, reopen the ports and enable the services that were closed by the hardening process. Hardening and unhardening must be done on both global and non-global zones.

To Install the Sun OTP SST Driver

Solaris Security Toolkit (SST) driver must be installed on both global and non-global zones.

1. Open a browser and log in to the Sun OTP application provisioning service on the Sun OTP provisioning server.

   Go to the https://install server:9090 where install server is the IP address or the fully qualified name of the Sun OTP provisioning server.

2. Type the user name and password.

   The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

3. Click OTP Setup to display the Sun Open Telecommunications Platform utility tasks page.

4. Click Install Driver and click run.

5. Click run.

   The InstallSST plan run screen appears.

6. Type the media directory in the Media Directory field.

7. Type the host name on which to install the driver in the target host field.

8. Click run plan (includes preflight).

To Uninstall the Sun OTP SST Driver

1. Open a browser and log in to the Sun OTP application provisioning service on the Sun OTP provisioning server.

   Go to the https://install server:9090 where install server is the IP address or the fully qualified name of the Sun OTP provisioning server.

2. Type the user name and password.

   The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

3. Click OTP Setup to display the Sun Open Telecommunications Platform utility tasks page.

4. Click Uninstall Driver and click run.

   The UninstallSST plan run screen appears.

5. Type the host name on which to uninstall the driver in the target host field.

6. Click run plan (includes preflight).

To Harden the Sun OTP Host

Hardening is the process of modifying the Solaris OS configuration to improve a system's security. By using the hardening process, you can close the ports and disable the services that might present a security risk to the system.

Before You Begin

Install the Sun OTP SST Driver

1. Open a browser and log in to the Sun OTP application provisioning service on the Sun OTP provisioning server.

   Go to the https://install server:9090 where install server is the IP address or the fully qualified name of the Sun OTP provisioning server.

2. Type the user name and password.

   The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

3. Click OTP Setup to display the Sun Open Telecommunications Platform utility tasks page.

4. Click Harden and click run.

   The Harden plan run screen appears.

5. Type the host name that you want to harden in the target host field.

6. Click run plan (includes preflight).

   ---

   Note –

   The plan does not close the ports and disable the services that are required by the Sun OTP components.

   ---

7. Once the plan completes, reboot the Sun OTP host for hardening to take effect.

To Unharden the Sun OTP Host

Using unhardening, you can reopen the ports and enable the services that were closed by the hardening process.

Hardening is defined in certain configuration files. If you have changed certain configuration files, you can choose one of the following options during unhardening:

• Roll back only the unchanged configuration files to its default state. The changed files can be retained in its current state.

• Roll back all the configuration files, including the changed files, to its default state.

1. Open a browser and log in to the Sun OTP application provisioning service on the Sun OTP provisioning server.

   Go to the https://install server:9090 where install server is the IP address or the fully qualified name of the Sun OTP provisioning server.

2. Type the user name and password.

   The user name is otpadmin. The password is the password provided in the password file while setting up the Sun OTP provisioning server.

3. Click OTP Setup to display the Sun Open Telecommunications Platform utility tasks page.

4. Choose the state of the configuration files.

   • To roll back only the unchanged configuration files to its default state, click UnHarden & Keep.

   • To roll back all the configuration files, including the changed files, to its default state, click UnHarden & Revert.

5. Click run.

6. Type the host name that you want to unharden in the target host field.

7. Click run plan (includes preflight).