SunScreen EFS Release 3.0 Installation Guide

Upgrading From SunScreen SPF-200 to SunScreen EFS 3.0 in Stealth Mode

The upgrade from SunScreen SPF-200 to SunScreen EFS 3.0 requires a unique set of steps. You can use the same machine that operates as the SPF-200 Screen and upgrade it to become a SunScreen EFS 3.0 Screen in stealth mode. If you choose this option, expect significant downtime and schedule the upgrade for a convenient time.


Note -

Keep the original installation diskette for your SPF-200 Screen available in case the upgrade procedure fails and you must return to your original SPF-200 configuration.


To Upgrade from SPF-200 to SunScreen EFS 3.0 in Stealth Mode
  1. Perform a backup of the SPF-200 Screen. Refer to your SPF-200 documentation, if needed.

    Store the backup in a secure location; it contains sensitive information that must be protected.

  2. Perform a backup of the SPF-200 Administration Station, following regular Solaris procedures.

    Store the backup in a secure location; it contains sensitive information that must be protected.

  3. Install Patch 105047-21 on the Administration Station and Screen, if not already installed.

    This patch is available through Sun Service.

  4. Insert the SunScreen EFS 3.0 CD-ROM into the Administration Station's CD-ROM drive.

  5. Mount the CD-ROM by typing:


    # volcheck
    

  6. You must install a special patch onto the Screen. From the Administration Station, install the SPF-200 patch on the Screen by typing:


    # ss_client Name_of_Screen ss_patch install noreboot < \
    /cdrom/cdrom0/sparc/Patches/spfUpgradePatch.tar.Z
    


    Note -

    Do not install this patch on the Administration Station itself or any other system. Do not reboot your system.


  7. You must gather the SPF-200 configurations and send them back to the Administration Station. Run the special script to do this by typing:


    # ss_client Name_of_Screen config2 > 200config.tar
    

    This file contains sensitive information. The SKIP connection creates secure, encrypted communication between the Administration Station and the Screen. Do not send this file over insecure lines. To move this file, use a diskette or a secured connection only.


    Note -

    Do not change the name of the file from 200config.tar.


  8. From the Administration Station, obtain your Administration Station's certificate ID by typing:


    # skiplocal list
    

    A list of encryption certificate IDs is displayed.

  9. Write down the correct certificate ID for your Administration Station.

  10. On the Screen, install either Solaris 2.6 or Solaris 7, following the instructions accompanying your Solaris CD.


    Note -

    You must do a fresh installation because the SPF-200 OS cannot be upgraded.


  11. On the Administration Station, verify that your operating environment is at least Solaris 2.6. If not, upgrade your operating environment as necessary.

  12. On the Screen, configure only the interface that the SPF-200 used as its administrative interface, using the same interface ID (for example, le0).

    See the Solaris documentation, if necessary.

  13. Remove the old SunScreen SPF-200 Administration Station software by typing:


    # pkgrm SUNWicgSA 
    

  14. Remove the old SKIP packages from the Administration Station by typing:


    # pkgrm SICGcrc2 SICGcrc4 SICGes SICGkeymg SICGkisup \
    SICGbdcdr
    

    To remove any SKIP crypto upgrades, type:


    # pkgrm SICGcdes SICGc3des SICGcsafe SICGkdsup \
    SICGkusup
    

  15. On the Administration Station, install the SunScreen EFS 3.0 software by following the instructions in Chapter 5.

  16. On the Administration Station, move the SKIP keys by typing:


    # cp -rp /etc/opt/SUNWicg/skip/* /etc/skip/.
    

  17. Reboot the Administration Station by typing:


    # sync; init 6
    

  18. On the Screen, install the SunScreen EFS 3.0 software by following the instructions in Chapter 5.

    Enter the Administration Station's certificate ID from Step 9 when prompted.

  19. On the Administration Station, create a session on the Screen by entering:


    # SSADM_TICKET_FILE=$HOME/.ssadmticket
    # export SSADM_TICKET_FILE
    # touch $SSADM_TICKET_FILE
    # chmod go= $SSADM_TICKET_FILE
    # ssadm -r Name_of_Screen login admin admin
    

  20. On the Administration Station, verify that you are able to remotely administer the upgraded Screen by typing:


    # ssadm -r Name_of_Screen active
    

  21. On the Administration Station, begin the conversion of the SPF-200 configurations to SunScreen EFS 3.0 policies on the Screen by typing:


    # ssadm -r Name_of_Screen spf2efs < 200config.tar
    

  22. Verify your migrated configuration before activating it. To view/update the migrated configurations, open a Java-enabled web browser compliant with JDK 1.1.3 or later and launch the Administration GUI by typing:


    http://Name_of_Screen:3852
    


    Note -

    NAT mappings have changed considerably in SunScreen EFS 3.0. If you are using NAT, you must modify it before activating the configuration. Be aware that ordered rules are a new feature. See the SunScreen EFS 3.0 Reference Manual for more detail.


See the SunScreen EFS 3.0 Administration Guide for instructions on using the Administration GUI.

  23. On the Administration Station, activate your migrated configuration by entering:


    # ssadm -r Name_of_Screen activate Name_of_Configuration
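
The redirect in Step 7 and the touch/chmod pair in Step 19 both create a sensitive file under the shell's default umask, so 200config.tar and the ticket file can be group- or world-readable, permanently in the first case and until chmod runs in the second. The following is an added example, not part of the SunScreen documentation; the helper names are hypothetical and a POSIX-compliant shell is assumed. It creates both files owner-only from the start and checks the result.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not SunScreen commands.

# is_private FILE: succeeds only if FILE is a regular file (not a
# symlink) with no group or other permission bits set.
is_private() {
    [ -f "$1" ] && [ ! -h "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ]
}

# private_touch FILE: create an empty owner-only file in one step,
# instead of touch followed by chmod go= (Step 19).
private_touch() {
    if [ -e "$1" ] || [ -h "$1" ]; then
        # Path already exists: accept it only if it is already private.
        is_private "$1"
        return
    fi
    ( umask 077 && : > "$1" ) && is_private "$1"
}

# private_capture FILE CMD [ARGS...]: run CMD with stdout written to a
# new owner-only FILE (the redirect in Step 7). Refuses to overwrite an
# existing path and removes partial output if CMD fails.
private_capture() {
    out=$1; shift
    if [ -e "$out" ] || [ -h "$out" ]; then
        echo "refusing to overwrite $out" >&2
        return 1
    fi
    if ( umask 077 && "$@" > "$out" ); then
        is_private "$out"
    else
        rm -f "$out"
        return 1
    fi
}

# Usage with the commands from Steps 7 and 19:
#   private_capture 200config.tar ss_client Name_of_Screen config2
#   private_touch "$SSADM_TICKET_FILE"
```
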