This chapter explains how to upgrade to SunScreen EFS 3.0 from either SunScreen EFS 1.1 or 2.0, or SunScreen SPF-200.
Topics covered include:
Overview of the upgrade from SunScreen EFS 1.1 or 2.0
Preparing to upgrade
Upgrading a locally administered SunScreen EFS
Upgrading a remotely administered SunScreen EFS
Upgrading an EFS 2.0 High Availability (HA) System
Upgrading from SPF-200 to SunScreen EFS
This is not an initial installation. To retain your existing SunScreen EFS 1.1 or 2.0 configurations, you must take special care when upgrading to SunScreen EFS 3.0. Do not remove your existing software packages; this will be done as part of the procedure and must only be done in this manner.
For a remotely administered SunScreen EFS, the order in which the upgrade software is installed is different from the order given for an initial installation. Upgrade software is installed on the Screen first and then on the Administration Station. This order prevents damaging the configurations and makes communication between the Administration Station and the Screen easier.
Since SunScreen EFS 3.0 uses ordered packet filtering rules and ordered NAT mappings, you must review your packet filtering rules after the conversion is complete to verify that the filtering order is as you want. NAT mappings have changed considerably between earlier releases and SunScreen EFS 3.0. Please see the SunScreen EFS Reference Manual for details on NAT mappings.
Before installing, review the SunScreen EFS 3.0 Release Notes for the latest information about this product.
Do not begin any of these procedures until you have read the information in Chapter 2.
The SunScreen EFS 3.0 CD-ROM includes a program that automatically backs up your SunScreen EFS 1.1 or 2.0 configurations, certificates, and packages to elsewhere in the filesystem in case the upgrade fails. Then the program automatically removes your SunScreen EFS 1.1 or 2.0 software packages and then installs the SunScreen EFS 3.0 software packages. The following procedures describe how to upgrade both locally and remotely administered SunScreen EFS machines.
Before starting the upgrade procedure to SunScreen EFS 3.0, first make a backup of your existing logfiles. The upgrade procedure will remove your existing logfiles and they will be lost if a backup is not performed. Refer to your SunScreen EFS 1.1 or 2.0 documentation for backup procedures, if needed.
To retain configurations and SKIP keys and certificates (including your system's SKIP local identities) between software upgrades, do not remove /etc/opt/SUNWicg.
The following sections describe how to prepare both locally administered and remotely administered machines for upgrading.
If you want to use the command line, be aware that some commands and some arguments have been removed or added since SunScreen EFS 1.1 and 2.0. Check the man pages and the SunScreen EFS 3.0 Reference Manual before using them.
Before proceeding, verify that all the software packages required for your operating environment are installed.
SunScreen EFS, Release 3.0, runs on Solaris 2.6 and Solaris 7 operating environments for SPARC and x86 platforms. If you are running Solaris 2.5.1, or earlier, you must upgrade your operating environment to at least Solaris 2.6. In addition to the Solaris Core System Support packages, there are additional Solaris packages required prior to installing SunScreen EFS.
Do not reinstall the Core System Support software group if you are upgrading from SunScreen EFS 1.1 or 2.0 to SunScreen EFS 3.0.
Add the following packages to the Screen from your Solaris CD, if not already on your system:
system SUNWdoc Documentation Tools
system SUNWeuluf UTF-8 L10N For Language Environment User Files
system SUNWjvjit Java JIT compiler
system SUNWjvrt JavaVM run time environment
system SUNWlibC SPARCompilers Bundled libC
system SUNWlibms SPARCompilers Bundled shared libm
system SUNWsprot SPARCompilers Bundled tools
system SUNWtoo Programming Tools
system SUNWvolr Volume Management (Root)
system SUNWvolu Volume Management (Usr)
system SUNWxwice ICE components
system SUNWxwplt X Window System platform software
system SUNWxwrtl X Window System & Graphics Runtime Library Links
system SUNWmfrun Motif RunTime Kit
If you are using Solaris 2.6 as your operating environment, add the following patches, if not already on your system, by typing:
For SPARC systems:
# cd /cdrom/cdrom0/sparc/Patches
# patchadd 106125-06
# patchadd 105181-11
# patchadd 105284-15
# patchadd 105490-04
# patchadd 106040-10
# patchadd 106409-01
For x86 systems:
# cd /cdrom/cdrom0/i386/Patches
# patchadd 106126-06
# patchadd 105182-13
# patchadd 105285-15
# patchadd 105491-04
# patchadd 106041-10
# patchadd 106410-01
These patches must be added in the order given.
Reboot by typing:
# sync; init 6
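Before starting the upgrade, it is worth confirming that the Screen actually carries every package and patch listed above, at or above the stated patch revision, rather than discovering a gap after the old packages have been removed. The following POSIX shell script is an added example, not part of the Sun documentation or the SunScreen product: it parses the output of pkginfo(1) and showrev -p, which it assumes to have the forms "category PKGNAME description" and "Patch: NNNNNN-RR ...", one entry per line. The two sample listings in the script are constructed, not captured from a real system, so the script runs offline; on a real Screen it also runs the live commands when they are present.

```shell
#!/bin/sh
# Pre-upgrade check of the Solaris 2.6 Screen prerequisites listed in this
# chapter: required packages, and required patches at least at the stated
# revision. Added example, not Sun's own tooling. Assumes pkginfo(1) prints one
# package per line as "category  PKGNAME  description" and showrev -p prints
# one patch per line beginning "Patch: NNNNNN-RR".

# Package and SPARC patch lists copied from the chapter, in the required order.
SCREEN_PKGS="SUNWdoc SUNWeuluf SUNWjvjit SUNWjvrt SUNWlibC SUNWlibms SUNWsprot SUNWtoo SUNWvolr SUNWvolu SUNWxwice SUNWxwplt SUNWxwrtl SUNWmfrun"
SCREEN_PATCHES_SPARC="106125-06 105181-11 105284-15 105490-04 106040-10 106409-01"

# missing_packages "PKG ..." < pkginfo-output
# Prints each listed package that is absent from the pkginfo listing on stdin.
missing_packages() {
    installed=" $(awk '{printf "%s ", $2}') "
    for p in $1; do
        case "$installed" in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# patch_status ID-REV < showrev-p-output
# Prints "ok" if the patch is installed at that revision or a newer one,
# "older" if only a lower revision is installed, "missing" if absent.
# Revisions are compared numerically ("06" -> 6), so 105284-17 satisfies -15.
patch_status() {
    want_id=${1%-*}
    want_rev=${1#*-}; want_rev=${want_rev#0}
    best=-1
    while read -r tag installed rest; do
        [ "$tag" = "Patch:" ] || continue
        [ "${installed%-*}" = "$want_id" ] || continue
        rev=${installed#*-}; rev=${rev#0}
        if [ "$rev" -gt "$best" ]; then best=$rev; fi
    done
    if [ "$best" -lt 0 ]; then echo missing
    elif [ "$best" -ge "$want_rev" ]; then echo ok
    else echo older
    fi
}

# report PKGINFO_TEXT SHOWREV_TEXT "PKG ..." "ID-REV ..."
# Prints one line per missing package and one status line per patch.
report() {
    printf '%s\n' "$1" | missing_packages "$3" | sed 's/^/missing package: /'
    for patch in $4; do
        echo "patch $patch: $(printf '%s\n' "$2" | patch_status "$patch")"
    done
}

# Constructed sample listings (not captured from a real system): SUNWlibC is
# absent, 106125 is two revisions behind, 105284 is newer than required.
SAMPLE_PKGINFO="system      SUNWcsu        Core Solaris, (Usr)
system      SUNWdoc        Documentation Tools
system      SUNWjvrt       JavaVM run time environment"
SAMPLE_SHOWREV="Patch: 106125-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105284-17 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu"

# Prints:
#   missing package: SUNWlibC
#   patch 106125-06: older
#   patch 105284-15: ok
#   patch 106409-01: missing
report "$SAMPLE_PKGINFO" "$SAMPLE_SHOWREV" "SUNWdoc SUNWjvrt SUNWlibC" "106125-06 105284-15 106409-01"

# On a real Screen, check the full lists against the live commands.
if command -v pkginfo >/dev/null 2>&1 && command -v showrev >/dev/null 2>&1; then
    report "$(pkginfo)" "$(showrev -p)" "$SCREEN_PKGS" "$SCREEN_PATCHES_SPARC"
fi
```

For an x86 Screen or for the Administration Station, pass the corresponding package and patch lists from this chapter instead of SCREEN_PKGS and SCREEN_PATCHES_SPARC; the comparison logic is the same. A patch reported as "older" still has to be added with patchadd in the order the chapter gives.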
If you will be using a remote administration station, add the following packages to the Administration Station from your Solaris CD, if not already on your system:
system SUNWjvrt JavaVM run time environment
system SUNWmfrun Motif RunTime Kit
system SUNWxwplt X Window System Platform software
If you are using Solaris 2.6 as your operating environment, add the following patches, if not already on your system, by typing:
For SPARC systems:
# cd /cdrom/cdrom0/sparc/Patches
# patchadd 106125-06
# patchadd 105284-15
# patchadd 105490-04
# patchadd 106040-10
# patchadd 106409-01
For x86 systems:
# cd /cdrom/cdrom0/i386/Patches
# patchadd 106126-06
# patchadd 105285-15
# patchadd 105491-04
# patchadd 106041-10
# patchadd 106410-01
The following procedures explain how to upgrade to SunScreen EFS 3.0 from either SunScreen EFS 1.1 or 2.0.
The upgrade software automatically backs up your system in case the upgrade fails. If there are any other system backups you want to make, do so now before performing the upgrade.
Open a terminal window and become root.
Ensure that the OpenWindows File Manager is not running because it interferes with the operation of the volcheck command used for installation.
Insert the SunScreen EFS 3.0 CD-ROM into the CD-ROM drive.
Mount the CD-ROM by typing:
# volcheck
Start the upgrade software by typing:
# /cdrom/cdrom0/upgrade
The software backs up existing SunScreen EFS packages for you. The file and package names will appear as output on your monitor. Wait until this completes.
Next, the software automatically removes the existing SunScreen SKIP and SunScreen EFS 1.1 or 2.0 software packages. Wait until this completes.
The packages are removed automatically one-by-one. No confirmations are needed or accepted. The file and package names will appear as output on your monitor.
Next, the SunScreen EFS 3.0 software is automatically installed for you. Wait until this completes.
The file and package names will appear as output on your monitor.
Next your existing SunScreen EFS 1.1 or 2.0 configurations are automatically converted to SunScreen EFS 3.0 policies. Wait until this completes.
If there are any conversion errors, they are itemized as output on your monitor.
Remove the SunScreen EFS, Release 1.1 or 2.0 PATH and MANPATH from your shell initialization file.
Set the SunScreen EFS 3.0 PATH and MANPATH by editing your shell initialization file (such as .profile or .login file).
Eject the CD from the CD-ROM drive by typing:
# eject cdrom0
Install any SKIP upgrades (Export Controlled [1024-bit] or U.S. and Canada Use Only [2048-bit] keys) as instructed in the documentation that is included with the upgrade SKIP CD-ROM.
While you do not need to use encryption in a locally administered SunScreen EFS, you may want to use encrypted communication over public and private networks.
Do not run the installation wizard as it is for an initial installation only and can corrupt your existing configurations.
Reboot by typing:
# sync; init 6
Open a terminal window and become root, if not already.
List the policies that have been converted by typing:
# ssadm policy -l
NAT mappings have changed considerably in SunScreen EFS 3.0. If you are using NAT, you must modify the mappings before activating the configuration. If you are converting from SunScreen EFS 1.1, be aware that ordered rules are a new feature. See the SunScreen EFS 3.0 Reference Manual for more detail.
Choose the one policy that you want to activate by typing:
# ssadm activate configuration_name
To configure and manage your SunScreen from your Administration Station, run a Java-enabled Web browser compliant with JDK 1.1.3 or later, and launch the Administration GUI by typing the following URL:
http://localhost:3852
The Administration GUI login page appears, as shown in Figure 6-1.
To configure and manage SunScreen EFS, see the SunScreen EFS 3.0 Administration Guide.
The following procedures explain how to upgrade to a remotely administered SunScreen EFS 3.0 from either SunScreen EFS 1.1 or 2.0. The upgrade software automatically backs up your system in case the upgrade fails. If there are any other system backups you want to make, do so now before performing the upgrade.
The upgrade procedure for remote administration requires that you install the upgrade software on the Screen first and then on the Administration Station.
Open a terminal window on the Screen and become root.
Ensure that the OpenWindows File Manager is not running because it interferes with the operation of the volcheck command used for installation.
Insert the SunScreen EFS 3.0 CD-ROM into the CD-ROM drive.
Mount the CD-ROM by typing:
# volcheck
Start the upgrade software by typing:
# /cdrom/cdrom0/upgrade
Next, the program automatically backs up your existing SunScreen EFS configurations, software packages, and certificates.
The file system names appear as output on your monitor. Wait until this completes.
Next, the software automatically removes the existing SunScreen SKIP and SunScreen EFS 1.1 or 2.0 software packages. Wait until this completes.
The packages are removed automatically one-by-one. No confirmations are needed or accepted. The file and package names will appear as output on your monitor.
Next, the SunScreen EFS 3.0 software is automatically installed for you. Wait until this completes.
The file and package names will appear as output on your monitor.
Next your existing SunScreen EFS 1.1 or 2.0 configurations are automatically converted to SunScreen EFS 3.0 policies. Wait until this completes.
If there are any conversion errors, they are itemized as output on your monitor.
Remove the SunScreen EFS, Release 1.1 or 2.0 PATH and MANPATH from your shell initialization file.
Set the SunScreen EFS 3.0 PATH and MANPATH by editing your shell initialization file (such as .profile or .login file).
Eject the CD from the CD-ROM drive by typing:
# eject cdrom0
Install any SKIP upgrades (Export Controlled [1024-bit] or U.S. and Canada Use Only [2048-bit] keys) as instructed in the documentation that is included with the upgrade SKIP CD-ROM.
Do not run the installation wizard as it is for an initial installation only and can corrupt your existing configurations.
Reboot by typing:
# sync; init 6
Open a terminal window and become root, if not already.
List the policies that have been converted by typing:
# ssadm policy -l
NAT mappings have changed considerably in SunScreen EFS 3.0. If you are using NAT, you must modify the mappings before activating the configuration. If you are converting from SunScreen EFS 1.1, be aware that ordered rules are a new feature. See the SunScreen EFS 3.0 Reference Manual for more detail.
Choose the one policy that you want to activate by typing:
# ssadm activate configuration_name
You next move to the remote Administration Station.
Open a terminal window on the Administration Station and become root.
Ensure that the OpenWindows File Manager is not running because it interferes with the operation of the volcheck command used for installation.
Remove each SunScreen EFS, Release 1.1 or 2.0, package individually by typing:
For SunScreen EFS 1.1:
# pkgrm SUNWicgSA
For SunScreen EFS 2.0:
# pkgrm SUNWicgSA SUNWicgSD SUNWicgSM SUNWHJicg
Follow the program prompts and answer all the questions with y.
The pkgrm program ends with the statement: Removal of name_of_package was successful.
If you did not originally install any of these packages, omit them from the string or else remove the packages one at a time.
Remove the SKIP software packages by typing:
# pkgrm SICGcrc2 SICGcrc4 SICGes SICGkeymg SICGkisup SICGbdcdr
If needed, remove any SKIP crypto upgrades by typing:
# pkgrm SICGcdes SICGc3des SICGcsafe SICGkdsup SICGkusup
Insert the SunScreen EFS 3.0 CD-ROM into the Administration Station's CD-ROM drive.
Mount the CD-ROM by typing:
# volcheck
Start the package installation by typing:
For SPARC systems:
# pkgadd -d /cdrom/cdrom0/sparc
For x86 systems:
# pkgadd -d /cdrom/cdrom0/i386
For SPARC systems, you are prompted with a menu of packages to install:
The following packages are available:
 1 SUNWbdc    SKIP Bulk Data Crypt 1.5 Software (sparc) 1.5
 2 SUNWbdcx   SKIP Bulk Data Crypt (64-bit) 1.5 Software (sparc) 1.5
 3 SUNWdthj   HotJava Browser for Solaris (sparc) 1.1.5,REV=1998.12.03
 4 SUNWes     SKIP End System 1.5 Software (sparc) 1.5
 5 SUNWesx    SKIP End System (64-bit) 1.5 Software (sparc) 1.5
 6 SUNWfwcnv  SunScreen Firewall conversion (sparc) 3.0
 7 SUNWhttp   Sun WebServer daemon and supporting binaries (sparc) 2.0
 8 SUNWicgSA  SunScreen Administration Software (sparc) 3.0
 9 SUNWicgSD  SunScreen online documentation (sparc) 3.0
10 SUNWicgSM  SunScreen man pages (sparc) 3.0
... 7 more menu choices to follow;
<RETURN> for more choices, <CTRL-D> to stop display:
11 SUNWicgSS  SunScreen Firewall (sparc) 3.0
12 SUNWkeymg  SKIP Key Manager Tools 1.5 Software (sparc) 1.5
13 SUNWkisup  SKIP I-Support module 1.5 Software (sparc) 1.5
14 SUNWrc2    SKIP RC2 Crypto Module (sparc) 1.5
15 SUNWrc4    SKIP RC4 Crypto Module 1.5 Software (sparc) 1.5
16 SUNWrc4x   SKIP RC4 Crypto Module (64-bit) 1.5 Software (sparc) 1.5
17 SUNWsman   SKIP Man Pages 1.5 Software (sparc) 1.5
Select package(s) you wish to process (or 'all' to process all packages). (default: all) [?,??,q]:
For x86 systems, you are prompted with a menu of packages to install:
The following packages are available:
 1 SUNWbdc    SKIP Bulk Data Crypt 1.5 Software (i386) 1.5
 2 SUNWdthj   HotJava Browser for Solaris (i386) 1.1.5,REV=1998.12.03
 3 SUNWes     SKIP End System 1.5 Software (i386) 1.5
 4 SUNWfwcnv  SunScreen Firewall conversion (i386) 3.0
 5 SUNWhttp   Sun WebServer daemon and supporting binaries (i386) 2.0
 6 SUNWicgSA  SunScreen Administration Software (i386) 3.0
 7 SUNWicgSD  SunScreen online documentation (i386) 3.0
 8 SUNWicgSM  SunScreen man pages (i386) 3.0
 9 SUNWicgSS  SunScreen Firewall (i386) 3.0
10 SUNWkeymg  SKIP Key Manager Tools 1.5 Software (i386) 1.5
... 4 more menu choices to follow;
<RETURN> for more choices, <CTRL-D> to stop display:
11 SUNWkisup  SKIP I-Support module 1.5 Software (i386) 1.5
12 SUNWrc2    SKIP RC2 Crypto Module (i386) 1.5
13 SUNWrc4    SKIP RC4 Crypto Module 1.5 Software (i386) 1.5
14 SUNWsman   SKIP Man Pages 1.5 Software (i386) 1.5
Select package(s) you wish to process (or 'all' to process all packages). (default: all) [?,??,q]:
For SPARC systems, enter: 1-5, 8, 10, 12-17
For x86 systems, enter: 1-3, 6, 8, 10-14
Follow the program prompts, answering all the questions with y.
When completed, you return to the same menu of packages.
Type q to quit pkgadd.
Move the SKIP keys by typing:
# cp -rp /etc/opt/SUNWicg/skip/* /etc/skip/.
Eject the CD-ROM from the CD-ROM drive by typing:
# eject cdrom0
Install any SKIP upgrades (Export Controlled [1024-bit] or U.S. and Canada Use Only [2048-bit] keys) as instructed in the documentation that is included with the upgrade CD-ROM.
Reboot to complete the upgrade by typing:
# sync; init 6
Open a terminal window and become root, if necessary.
To configure and manage your SunScreen from your Administration Station, run a Java-enabled Web browser compliant with JDK 1.1.3 or later, and launch the Administration GUI by typing the following URL:
http://localhost:3852
To configure and manage SunScreen EFS, see the SunScreen EFS 3.0 Administration Guide.
Do not run the upgrade procedure on a HA Secondary machine. It is to be run only on the EFS 2.0 HA Primary machine.
To upgrade an EFS 2.0 HA System, you must:
Upgrade the EFS 2.0 HA Primary machine.
To upgrade the EFS 2.0 Primary machine, follow the procedure "To Upgrade to SunScreen EFS 3.0 in Routing Mode With Local Administration".
Upgrade the EFS 2.0 HA Secondary machine.
To upgrade an HA Secondary machine, you must:
Remove the EFS 2.0 software packages
Install the EFS 3.0 software packages on the machine that will be an HA Secondary
Configure your HA cluster
For more information on configuring and managing HA clusters, see the SunScreen EFS 3.0 Administration Guide.
On the machine that is the EFS 2.0 Secondary, become root, if necessary.
Remove the EFS 2.0 software packages by typing:
# pkgrm SUNWicgSS SUNWicgEF SUNWicgSA SUNWicgSD SUNWicgSM SUNWHJicg
If you did not originally install any of these packages, omit them from the string or else remove the packages one at a time.
Remove the SKIP software packages by typing:
# pkgrm SICGcrc2 SICGcrc4 SICGes SICGkeymg SICGkisup SICGbdcdr
If needed, remove any SKIP crypto upgrades by typing:
# pkgrm SICGcdes SICGc3des SICGcsafe SICGkdsup SICGkusup
Remove all old EFS 2.0 certificates, configurations, and logfiles by typing:
# rm -rf /var/opt/SUNWicg /etc/opt/SUNWicg
Reboot your machine to complete the removal of the EFS 2.0 installation by typing:
# sync; init 6
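Both the Administration Station procedure earlier in this chapter and the HA Secondary procedure above note that a pkgrm string must omit any package that was never installed, or else the packages must be removed one at a time. The following POSIX shell script is an added example, not part of the Sun documentation or the SunScreen product: it derives the pkgrm commands from the pkginfo(1) listing so that only installed packages appear, in the order this chapter gives them. It assumes pkginfo prints one package per line as "category PKGNAME description"; the sample listing inside it is constructed, not captured from a real machine, so the script runs offline and only consults the live pkginfo when that command exists.

```shell
#!/bin/sh
# Build the pkgrm commands for an EFS 2.0 Administration Station or HA
# Secondary from what is actually installed, so packages that were never
# installed are omitted instead of making pkgrm stop part-way through a list.
# Added example, not Sun's own tooling. Assumes pkginfo(1) prints one package
# per line as "category  PKGNAME  description".

# Package groups exactly as this chapter lists them, in removal order.
ADMIN_EFS20_PKGS="SUNWicgSA SUNWicgSD SUNWicgSM SUNWHJicg"
HA_SECONDARY_EFS20_PKGS="SUNWicgSS SUNWicgEF SUNWicgSA SUNWicgSD SUNWicgSM SUNWHJicg"
SKIP_PKGS="SICGcrc2 SICGcrc4 SICGes SICGkeymg SICGkisup SICGbdcdr"
SKIP_CRYPTO_PKGS="SICGcdes SICGc3des SICGcsafe SICGkdsup SICGkusup"

# present_packages "PKG ..." < pkginfo-output
# Prints, on one line, the candidates that appear in the listing, keeping the
# candidate order; prints an empty line if none of them is installed.
present_packages() {
    installed=" $(awk '{printf "%s ", $2}') "
    out=""
    for p in $1; do
        case "$installed" in
            *" $p "*) out="$out $p" ;;
        esac
    done
    echo "${out# }"
}

# removal_plan PKGINFO_TEXT GROUP...
# Prints one "pkgrm ..." line per group that still has something to remove,
# so the plan can be reviewed before any package is touched.
removal_plan() {
    listing=$1; shift
    for group in "$@"; do
        found=$(printf '%s\n' "$listing" | present_packages "$group")
        if [ -n "$found" ]; then echo "pkgrm $found"; fi
    done
}

# Constructed sample listing (not captured from a real system): an EFS 2.0
# Administration Station that never had the online documentation or HotJava
# packages installed and carries no SKIP crypto upgrade. Descriptions are
# placeholders.
SAMPLE_PKGINFO="system      SUNWcsu        Core Solaris, (Usr)
application SUNWicgSA      SunScreen Administration Software
application SUNWicgSM      SunScreen man pages
application SICGes         SKIP End System (constructed description)
application SICGkeymg      SKIP Key Manager Tools (constructed description)
application SICGbdcdr      SKIP Bulk Data Crypt (constructed description)"

# Prints:
#   pkgrm SUNWicgSA SUNWicgSM
#   pkgrm SICGes SICGkeymg SICGbdcdr
removal_plan "$SAMPLE_PKGINFO" "$ADMIN_EFS20_PKGS" "$SKIP_PKGS" "$SKIP_CRYPTO_PKGS"

# On the real machine, print the plan for review; run each line by hand (or
# pipe it to sh) only after checking it. Use HA_SECONDARY_EFS20_PKGS on an
# HA Secondary.
if command -v pkginfo >/dev/null 2>&1; then
    removal_plan "$(pkginfo)" "$ADMIN_EFS20_PKGS" "$SKIP_PKGS" "$SKIP_CRYPTO_PKGS"
fi
```

The plan keeps the chapter's grouping (EFS packages, then SKIP, then SKIP crypto upgrades) and its ordering within each group, and leaves out an entire group when nothing from it is installed, which is exactly the case the "omit them from the string" caveat is about.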
After you have upgraded the SunScreen EFS 2.0 HA primary Screen to SunScreen EFS 3.0, you must perform this procedure to define your HA primary Screen's HA interface. This is done only on the HA primary Screen and not on any of the HA secondary Screens. Before proceeding, you must know the following information:
the machine name of the HA primary Screen
the IP addresses on your dedicated HA network
the network interface that connects to that network
the name of the SunScreen EFS 2.0 active configuration
In this example:
the name of the HA primary Screen is "haprimary"
the addresses of the dedicated HA network are 129.129.129.0 to 129.129.129.255
the network interface that connects them is qfe0
the name of the SunScreen EFS 2.0 active configuration is "Initial"
After you have completed the upgrade program on the HA primary Screen and have rebooted:
On the HA primary Screen, open a terminal window and become root.
Type the following:
# ssadm edit Initial
edit> add address qfe0 RANGE 129.129.129.0 129.129.129.255
edit> delete interface qfe0
edit> add interface SCREEN haprimary qfe0 HA qfe0
edit> save
edit> quit
Activate the configuration by typing:
# ssadm activate Initial
See the SunScreen EFS 3.0 Administration Guide for instructions on setting up an EFS 3.0 HA cluster.
The upgrade from SunScreen SPF-200 to SunScreen EFS 3.0 requires a unique set of steps. You can use the same machine that operates as the SPF-200 Screen and upgrade it to become a SunScreen EFS 3.0 Screen in stealth mode. If choosing this option, be aware that this will require significant downtime and you should plan a time that is convenient for this.
It is recommended you have your original installation diskette for your SPF-200 Screen in the event that the upgrade procedure fails and you must then return to your original SPF-200 configuration.
Perform a backup of the SPF-200 Screen. Refer to your SPF-200 documentation, if needed.
This should be stored in a secure location as it contains sensitive information that must be protected.
Perform a backup of the SPF-200 Administration Station, following regular Solaris procedures.
This should be stored in a secure location as it contains sensitive information that must be protected.
Install Patch 105047-21 on the Administration Station and Screen, if not already installed.
This patch is available through Sun Service.
Insert the SunScreen EFS 3.0 CD-ROM into the Administration Station's CD-ROM drive.
Mount the CD-ROM by typing:
# volcheck
You must install a special patch onto the Screen. From the Administration Station, install the SPF-200 patch on the Screen by typing:
# ss_client Name_of_Screen ss_patch install noreboot < \
/cdrom/cdrom0/sparc/Patches/spfUpgradePatch.tar.Z
Do not install this patch on the Administration Station itself or any other system. Do not reboot your system.
You must gather the SPF-200 configurations and send them back to the Administration Station. Run the special script to do this by typing:
# ss_client Name_of_Screen config2 > 200config.tar
This file contains sensitive information. The SKIP connection creates secure, encrypted communication between the Administration Station and the Screen. Do not send this file over insecure lines. To move this file, use a diskette or a secured connection only.
Do not change the name of the file from 200config.tar.
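Because 200config.tar holds the Screen's sensitive configuration and will typically travel by diskette, it pays to restrict the file to its owner the moment it is written and to carry an integrity record alongside it, so that a damaged or renamed copy is caught before it is fed to spf2efs. The following POSIX shell functions are an added example, not part of the Sun documentation or the SunScreen product: they assume a POSIX cksum(1), ls(1), chmod(1) and basename(1), and they enforce the chapter's requirement that the file keep the name 200config.tar. The demonstration at the end uses a constructed stand-in file in a scratch directory, not real SPF-200 data.

```shell
#!/bin/sh
# Protect the exported SPF-200 configuration archive and verify it after it
# has been moved (by diskette or a secured connection). Added example, not
# part of the Sun documentation. Assumes POSIX cksum(1), ls(1), chmod(1) and
# basename(1); 200config.tar is the file name the chapter requires.

# protect_archive FILE
# Restricts FILE to its owner (mode 0600) and records its CRC and byte count
# in FILE.cksum, which travels with the archive on the diskette.
protect_archive() {
    f=$1
    chmod 600 "$f" || return 1
    cksum < "$f" > "$f.cksum"      # reading stdin keeps the path out of the record
    cat "$f.cksum"
}

# verify_archive FILE
# Returns 0 only if FILE is still called 200config.tar, is still owner-only
# and its cksum matches the record; otherwise reports the reason on stderr
# and returns 1.
verify_archive() {
    f=$1
    case "$(basename "$f")" in
        200config.tar) ;;
        *) echo "refusing: archive must keep the name 200config.tar" >&2; return 1 ;;
    esac
    mode=$(ls -l "$f" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "refusing: $f has mode $mode, expected -rw-------" >&2; return 1
    fi
    recorded=$(cat "$f.cksum" 2>/dev/null) || { echo "no checksum record for $f" >&2; return 1; }
    actual=$(cksum < "$f")
    if [ "$recorded" != "$actual" ]; then
        echo "checksum mismatch for $f: recorded '$recorded', actual '$actual'" >&2; return 1
    fi
    echo "verified: $f ($actual)"
}

# Constructed demonstration in a scratch directory (no real SPF-200 data).
demo_dir=${TMPDIR:-/tmp}/spf200demo.$$
mkdir "$demo_dir"
printf 'constructed stand-in for the config2 output\n' > "$demo_dir/200config.tar"
protect_archive "$demo_dir/200config.tar"
verify_archive "$demo_dir/200config.tar"                 # passes
printf 'x' >> "$demo_dir/200config.tar"                  # simulate a damaged copy
verify_archive "$demo_dir/200config.tar" || echo "damaged copy correctly rejected"
rm -rf "$demo_dir"
```

In use, run protect_archive on the Administration Station right after the config2 command, copy both 200config.tar and 200config.tar.cksum to the diskette, and run verify_archive on the copy before the spf2efs step. A mismatch means the archive should be exported again rather than converted.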
From the Administration Station, obtain your Administration Station's certificate ID by typing:
# skiplocal list
A list of encryption certificate IDs is displayed.
Write down the correct certificate ID for your Administration Station.
On the Screen, install either Solaris 2.6 or Solaris 7, following the instructions accompanying your Solaris CD.
You must do a fresh installation since the SPF-200 OS cannot be upgraded.
On the Administration Station, verify that your operating environment is at least Solaris 2.6. If not, upgrade your operating environment as necessary.
On the Screen, using the same interface id that the SPF-200 used as its administrative interface (e.g. le0), configure that interface only.
See the Solaris documentation, if necessary.
Remove the old SunScreen SPF-200 Administration Station software by typing:
# pkgrm SUNWicgSA
Remove the old SKIP packages from the Administration Station by typing:
# pkgrm SICGcrc2 SICGcrc4 SICGes SICGkeymg SICGkisup SICGbdcdr
To remove any SKIP crypto upgrades:
# pkgrm SICGcdes SICGc3des SICGcsafe SICGkdsup SICGkusup
On the Administration Station, install the SunScreen EFS 3.0 software by following the instructions in Chapter 5.
On the Administration Station, move the SKIP keys by typing:
# cp -rp /etc/opt/SUNWicg/skip/* /etc/skip/.
Reboot the Administration Station by typing:
# sync; init 6
On the Screen, install the SunScreen EFS 3.0 software by following the instructions in Chapter 5.
Enter the Administration Station's certificate ID from Step 9 when prompted.
On the Administration Station, create a session on the Screen by entering:
# SSADM_TICKET_FILE=$HOME/.ssadmticket
# export SSADM_TICKET_FILE
# touch $SSADM_TICKET_FILE
# chmod go= $SSADM_TICKET_FILE
# ssadm -r Name_of_Screen login admin admin
On the Administration Station, verify that you are able to remotely administer the upgraded Screen by typing:
# ssadm -r Name_of_Screen active
On the Administration Station, begin the conversion of the SPF-200 configurations to SunScreen EFS 3.0 policies on the Screen by typing:
# ssadm -r Name_of_Screen spf2efs < 200config.tar
Verify your migrated configuration before activating it. To view/update the migrated configurations, open a Java-enabled web browser compliant with JDK 1.1.3 or later and launch the Administration GUI by typing:
http://Name_of_Screen:3852
NAT mappings have changed considerably in SunScreen EFS 3.0. If you are using NAT, you must modify the mappings before activating the configuration. Be aware that ordered rules are a new feature. See the SunScreen EFS 3.0 Reference Manual for more detail.
See the SunScreen EFS 3.0 Administration Guide for instructions on using the Administration GUI.