This Appendix contains procedures for installing using the command line. These procedures can be used when installing SunScreen EFS 3.0 in:
Routing mode with remote administration.
Stealth mode.
Command line installation is provided as an alternative to using the installation wizard. Command line installation is intended for expert system administrators.
Before installing, review the SunScreen EFS 3.0 Release Notes for the latest information about this product.
This procedure requires the use of pkgadd.
Open a terminal window on the Administration Station and become root.
Ensure that the OpenWindows File Manager is not running because it interferes with the operation of the volcheck command used for installation.
Insert the SunScreen EFS 3.0 CD-ROM into the Administration Station's CD-ROM drive.
Mount the CD-ROM by typing:
# volcheck
For SPARC systems:
# pkgadd -d /cdrom/cdrom0/sparc
For x86 systems:
# pkgadd -d /cdrom/cdrom0/i386
For SPARC systems, you are prompted with a menu of packages to install:
The following packages are available:
  1  SUNWbdc    SKIP Bulk Data Crypt 1.5 Software (sparc) 1.5
  2  SUNWbdcx   SKIP Bulk Data Crypt (64-bit) 1.5 Software (sparc) 1.5
  3  SUNWdthj   HotJava Browser for Solaris (sparc) 1.1.5,REV=1998.12.03
  4  SUNWes     SKIP End System 1.5 Software (sparc) 1.5
  5  SUNWesx    SKIP End System (64-bit) 1.5 Software (sparc) 1.5
  6  SUNWfwcnv  SunScreen Firewall conversion (sparc) 3.0
  7  SUNWhttp   Sun WebServer daemon and supporting binaries (sparc) 2.0
  8  SUNWicgSA  SunScreen Administration Software (sparc) 3.0
  9  SUNWicgSD  SunScreen online documentation (sparc) 3.0
 10  SUNWicgSM  SunScreen man pages (sparc) 3.0
... 7 more menu choices to follow;
<RETURN> for more choices, <CTRL-D> to stop display:
 11  SUNWicgSS  SunScreen Firewall (sparc) 3.0
 12  SUNWkeymg  SKIP Key Manager Tools 1.5 Software (sparc) 1.5
 13  SUNWkisup  SKIP I-Support module 1.5 Software (sparc) 1.5
 14  SUNWrc2    SKIP RC2 Crypto Module (sparc) 1.5
 15  SUNWrc4    SKIP RC4 Crypto Module 1.5 Software (sparc) 1.5
 16  SUNWrc4x   SKIP RC4 Crypto Module (64-bit) 1.5 Software (sparc) 1.5
 17  SUNWsman   SKIP Man Pages 1.5 Software (sparc) 1.5
Select package(s) you wish to process (or 'all' to process all packages). (default: all) [?,??,q]:
For x86 systems, you are prompted with a menu of packages to install:
The following packages are available:
  1  SUNWbdc    SKIP Bulk Data Crypt 1.5 Software (i386) 1.5
  2  SUNWdthj   HotJava Browser for Solaris (i386) 1.1.5,REV=1998.12.03
  3  SUNWes     SKIP End System 1.5 Software (i386) 1.5
  4  SUNWfwcnv  SunScreen Firewall conversion (i386) 3.0
  5  SUNWhttp   Sun WebServer daemon and supporting binaries (i386) 2.0
  6  SUNWicgSA  SunScreen Administration Software (i386) 3.0
  7  SUNWicgSD  SunScreen online documentation (i386) 3.0
  8  SUNWicgSM  SunScreen man pages (i386) 3.0
  9  SUNWicgSS  SunScreen Firewall (i386) 3.0
 10  SUNWkeymg  SKIP Key Manager Tools 1.5 Software (i386) 1.5
... 4 more menu choices to follow;
<RETURN> for more choices, <CTRL-D> to stop display:
 11  SUNWkisup  SKIP I-Support module 1.5 Software (i386) 1.5
 12  SUNWrc2    SKIP RC2 Crypto Module (i386) 1.5
 13  SUNWrc4    SKIP RC4 Crypto Module 1.5 Software (i386) 1.5
 14  SUNWsman   SKIP Man Pages 1.5 Software (i386) 1.5
Select package(s) you wish to process (or 'all' to process all packages). (default: all) [?,??,q]:
For SPARC systems, enter: 1-5, 8, 10, 12-17
For x86 systems, enter: 1-3, 6, 8, 10-14
Follow the program prompts, answering all the questions with y.
When completed, you return to the same menu of packages.
Enter q to quit pkgadd.
Set the PATH and MANPATH by editing your shell initialization file (such as the .profile or .login file).
Eject the CD-ROM from the CD-ROM drive by typing:
# eject cdrom0
Install any SKIP upgrades (Export Controlled [1024-bit] or U.S. and Canada Use Only [2048-bit] keys) as instructed in the documentation that is included with the upgrade SKIP CD-ROM.
Reboot by typing:
# sync; init 6
The software packages have been installed. You continue the installation process on the machine that is the Administration Station.
To obtain encrypted communication between the Administration Station and the Screen, certificates must be installed on both machines. This can be done by either using self-generated certificates or by installing issued certificates. Both methods are done on the Administration Station.
Open a terminal window and create the required SKIP directories by typing:
# skiplocal -i
Create the self-generated certificate on the Administration Station by typing:
# skiplocal -k -f -V
The local certificate ID appears. It is the Administration Station's 32-character certificate ID (MKID).
Write down the certificate ID, which begins with `0x'.
Add SKIP to all the interfaces by typing:
# skipif -a
Reboot to complete the installation by typing:
# sync; init 6
The Administration Station's certificate ID has been generated. You next move to the Screen to install the SunScreen software.
To do this procedure, you will need the Key and Certificate floppy diskette.
Open a terminal window on the Administration Station and become root.
Ensure that the OpenWindows File Manager is not running because it interferes with the operation of the volcheck command used for installation.
Create the required SKIP directories by typing:
# skiplocal -i
Insert the Key and Certificate diskette into the Administration Station's floppy drive.
Mount the diskette by typing:
# volcheck
Install the SKIP keys by typing:
# install_skip_keys -icg /floppy/floppy0
Start the SKIP daemon by typing:
# skipd_restart
Eject the Key and Certificate floppy diskette by typing:
# eject floppy0
Write down the certificate ID, which is eight characters long.
Add SKIP to all the interfaces by entering:
# skipif -a
Reboot to complete the installation by entering:
# sync; init 6
The Administration Station's certificate ID has been installed. You next move to the Screen to install the SunScreen software.
You can install the required SunScreen EFS packages on the Screen by:
Using pkgadd to install the software packages from the SunScreen EFS CD-ROM.
Reboot.
Run ss_install on the Screen.
Reboot.
Open a terminal window on the Screen and become root.
Ensure that the OpenWindows File Manager is not running because it interferes with the operation of the volcheck command used for installation.
Insert the SunScreen EFS 3.0 CD-ROM into the Screen's CD-ROM drive.
Mount the CD-ROM by typing:
# volcheck
For SPARC systems:
# pkgadd -d /cdrom/cdrom0/sparc
For x86 systems:
# pkgadd -d /cdrom/cdrom0/i386
For SPARC systems, you are prompted with a menu of packages to install:
The following packages are available:
  1  SUNWbdc    SKIP Bulk Data Crypt 1.5 Software (sparc) 1.5
  2  SUNWbdcx   SKIP Bulk Data Crypt (64-bit) 1.5 Software (sparc) 1.5
  3  SUNWdthj   HotJava Browser for Solaris (sparc) 1.1.5,REV=1998.12.03
  4  SUNWes     SKIP End System 1.5 Software (sparc) 1.5
  5  SUNWesx    SKIP End System (64-bit) 1.5 Software (sparc) 1.5
  6  SUNWfwcnv  SunScreen Firewall conversion (sparc) 3.0
  7  SUNWhttp   Sun WebServer daemon and supporting binaries (sparc) 2.0
  8  SUNWicgSA  SunScreen Administration Software (sparc) 3.0
  9  SUNWicgSD  SunScreen online documentation (sparc) 3.0
 10  SUNWicgSM  SunScreen man pages (sparc) 3.0
... 7 more menu choices to follow;
<RETURN> for more choices, <CTRL-D> to stop display:
 11  SUNWicgSS  SunScreen Firewall (sparc) 3.0
 12  SUNWkeymg  SKIP Key Manager Tools 1.5 Software (sparc) 1.5
 13  SUNWkisup  SKIP I-Support module 1.5 Software (sparc) 1.5
 14  SUNWrc2    SKIP RC2 Crypto Module (sparc) 1.5
 15  SUNWrc4    SKIP RC4 Crypto Module 1.5 Software (sparc) 1.5
 16  SUNWrc4x   SKIP RC4 Crypto Module (64-bit) 1.5 Software (sparc) 1.5
 17  SUNWsman   SKIP Man Pages 1.5 Software (sparc) 1.5
Select package(s) you wish to process (or 'all' to process all packages). (default: all) [?,??,q]:
For x86 systems, you are prompted with a menu of packages to install:
The following packages are available:
  1  SUNWbdc    SKIP Bulk Data Crypt 1.5 Software (i386) 1.5
  2  SUNWdthj   HotJava Browser for Solaris (i386) 1.1.5,REV=1998.12.03
  3  SUNWes     SKIP End System 1.5 Software (i386) 1.5
  4  SUNWfwcnv  SunScreen Firewall conversion (i386) 3.0
  5  SUNWhttp   Sun WebServer daemon and supporting binaries (i386) 2.0
  6  SUNWicgSA  SunScreen Administration Software (i386) 3.0
  7  SUNWicgSD  SunScreen online documentation (i386) 3.0
  8  SUNWicgSM  SunScreen man pages (i386) 3.0
  9  SUNWicgSS  SunScreen Firewall (i386) 3.0
 10  SUNWkeymg  SKIP Key Manager Tools 1.5 Software (i386) 1.5
... 4 more menu choices to follow;
<RETURN> for more choices, <CTRL-D> to stop display:
 11  SUNWkisup  SKIP I-Support module 1.5 Software (i386) 1.5
 12  SUNWrc2    SKIP RC2 Crypto Module (i386) 1.5
 13  SUNWrc4    SKIP RC4 Crypto Module 1.5 Software (i386) 1.5
 14  SUNWsman   SKIP Man Pages 1.5 Software (i386) 1.5
Select package(s) you wish to process (or 'all' to process all packages). (default: all) [?,??,q]:
For SPARC systems, enter: 1-2, 7-16
For x86 systems, enter: 1, 5-13
Follow the program prompts, answering all the questions with y.
When completed, you return to the same menu of packages.
Enter q to quit pkgadd.
Set the PATH and MANPATH by editing your shell initialization file (such as the .profile or .login file).
Eject the CD-ROM from the CD-ROM drive by typing:
# eject cdrom0
Install any SKIP upgrades (Export Controlled [1024-bit] or U.S. and Canada Use Only [2048-bit] keys) as instructed in the documentation that is included with the upgrade SKIP CD-ROM.
Reboot by typing:
# sync; init 6
Open a terminal window and become root, if not already.
Complete installation by typing:
# ss_install
Answer the questions that appear. The questions and text are similar to the panels that appear when installing using the installation wizard. Review the procedures for installing the software on the Screen in Chapter 4 or 5 if more detail is needed.
If you are using issued certificates, you need all your certificate diskettes.
The SKIP command to run on the Administration Station is displayed at the end. It is contained in the AdminSetup.readme file, found in the directory /etc/opt/SUNWicg/SunScreen. Write this command down for use in the following procedure.
If you trust that the network between the Screen and the Administration Station is secure, you can ftp the AdminSetup.readme file from the Screen to the Administration Station. This saves you the task of writing down the information which is required in the next procedure.
Reboot by typing:
# sync; init 6
On the Administration Station, open a terminal window and become root.
To enable unencrypted communication from the Administration Station to all hosts other than the Screen, type:
# skiphost -a default
Add a rule so that encrypted communication is possible between the Administration Station and the Screen by typing:
# skiphost command_from_ss_install
This command is in the AdminSetup.readme file. The command is in the following form, which has been divided into lines for readability:
skiphost -a name_of_Screen -r NSID_type
-R Screen's_certificate_ID -s NSID_type
-S Administration_Station's_certificate_ID
-k key_encryption_algorithm
-t data_encryption_algorithm -m MAC_algorithm
Turn on SKIP by typing:
If Screen has only one interface:
# skiphost -o on
If Screen has more than one interface, for each interface:
# skiphost -i name_of_interface -o on
To display the interfaces, if forgotten, type ifconfig -a.
Save the SKIP settings by typing:
# skipif -i all -s
Restart the SKIP daemon by typing:
# skipd_restart
Refer to the SunScreen SKIP 1.5 User's Guide for more information on operating SKIP, if needed.
After configuring SKIP, check that the encryption parameters and 32-character certificate ID (MKID) values match on both the Administration Station and the Screen.
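The check above can be scripted before the skiphost rule is added. The following is an added example, not part of the SunScreen documentation: it takes the skiphost line from AdminSetup.readme, confirms that every option in the form shown earlier is present, and compares the -S and -R values with the certificate IDs read on each machine. The function names and sample values are constructed, and treating certificate IDs as hexadecimal (32 digits self-generated, 8 issued) is an assumption.

```shell
#!/bin/sh
# Added example: sanity-check the skiphost line copied from AdminSetup.readme.

# Print the value that follows flag $2 in the skiphost command line $1.
skiphost_field() {
    found=
    set -f                               # split on whitespace, no globbing
    for word in $1; do
        if [ -n "$found" ]; then set +f; printf '%s\n' "$word"; return 0; fi
        if [ "$word" = "$2" ]; then found=1; fi
    done
    set +f
    return 1
}

# Normalise a certificate ID: drop an optional 0x prefix, lower-case it, and
# accept only 32 hex digits (self-generated) or 8 (issued). Hex is an assumption.
normalize_id() {
    id=$(printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/^0[xX]//')
    case $id in ''|*[!0-9a-f]*) return 1 ;; esac
    [ "${#id}" -eq 32 ] || [ "${#id}" -eq 8 ] || return 1
    printf '%s\n' "$id"
}

# check_admin_setup CMD LOCAL_ID SCREEN_ID
#   CMD        skiphost line from AdminSetup.readme
#   LOCAL_ID   ID written down on the Administration Station
#   SCREEN_ID  ID read directly on the Screen
check_admin_setup() {
    for flag in -a -r -R -s -S -k -t -m; do
        if ! skiphost_field "$1" "$flag" >/dev/null; then
            echo "missing $flag"; return 2
        fi
    done
    want_s=$(normalize_id "$2") || { echo "bad local ID"; return 3; }
    want_r=$(normalize_id "$3") || { echo "bad Screen ID"; return 3; }
    got_s=$(normalize_id "$(skiphost_field "$1" -S)") || { echo "bad -S value"; return 3; }
    got_r=$(normalize_id "$(skiphost_field "$1" -R)") || { echo "bad -R value"; return 3; }
    [ "$got_s" = "$want_s" ] || { echo "-S differs from local ID"; return 1; }
    [ "$got_r" = "$want_r" ] || { echo "-R differs from Screen ID"; return 1; }
    echo ok
}

# Constructed sample values; NSID and algorithm fields are left as placeholders.
ADMIN_ID=0x0123456789ABCDEF0123456789ABCDEF
SCREEN_ID=0xfedcba9876543210fedcba9876543210
SAMPLE_CMD="skiphost -a screen1 -r NSID_TYPE -R $SCREEN_ID -s NSID_TYPE \
-S 0x0123456789abcdef0123456789abcdef -k KEY_ALG -t DATA_ALG -m MAC_ALG"
check_admin_setup "$SAMPLE_CMD" "$ADMIN_ID" "$SCREEN_ID"
```

A non-zero return means the line was mistranscribed or altered on the way to the Administration Station; compare it again with the copy on the Screen before running skiphost.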
To configure and manage your SunScreen from your Administration Station, run a Java-enabled Web browser compliant with JDK 1.1.3 or later, and launch the Administration GUI by typing the following URL:
http://Name_of_Screen:3852/
See the SunScreen EFS 3.0 Administration Guide for instructions on how to use the Administration GUI.