This chapter explains how to install SunScreen EFS 3.0 on remotely administered SunScreen machines. The software is first installed on the machine that will be the Administration Station, and then on the machine that will be the Screen. Encrypted communication between the Administration Station and the Screen is achieved by use of SunScreen(TM) SKIP (Simple Key-Management for Internet Protocols).
Topics covered include:
Supported configurations for the Administration Station
Installing a remotely administered SunScreen
Installing the software on the Administration Station
Installing certificates on the Administration Station
Installing the software on the Screen
Using SKIP for encrypted communication
If you are installing on a system without a monitor, see Appendix A, which describes installation from the command line.
If you want to install SunScreen EFS 3.0 in stealth mode, read the information and instructions in Chapter 5.
If you are presently running SunScreen EFS 1.1 or 2.0, and want to upgrade to SunScreen EFS 3.0, read the information and instructions in Chapter 6.
If you are converting FireWall-1 configurations for use on a SunScreen EFS 3.0, or are planning to convert a FireWall-1 machine to a SunScreen EFS 3.0 machine, read the information and instructions in Chapter 7.
SunScreen SKIP is bundled with and installed as part of SunScreen EFS 3.0. For more information regarding SKIP, refer to the SunScreen SKIP 1.5 User's Guide.
Before installing, review the SunScreen EFS 3.0 Release Notes for the latest information about this product.
SunScreen EFS 3.0 allows any machine with a Java-enabled web browser compliant with JDK 1.1.3 or later to serve as an Administration Station, as long as it can connect securely to the Screen using SKIP. The SunScreen EFS 3.0 CD-ROM includes SunScreen SKIP for both SPARC and x86 platforms. This allows any hardware running the Solaris 2.6 or Solaris 7 operating environment to be an Administration Station.
PCs running Windows 95 or NT 4.x are also supported as Administration Stations, using the Administration GUI. This chapter, however, covers Solaris-based Administration Stations only.
This chapter explains how to install SunScreen EFS 3.0 in routing mode with remote administration, using either self-generated or issued certificate technology.
This type of installation requires several steps to complete. You proceed in the following order:
Install the SunScreen Administration software on the Administration Station.
This step installs the required SKIP packages on the Administration Station. This is the first prerequisite to creating a secure method of communication between the Administration Station and the Screen. The use of SKIP technology enables encrypted communication between the two.
Install the Administration certificate on the Administration Station.
Install the SunScreen software on the Screen.
This procedure requires the Administration Station's certificate ID and installs the Screen's certificate.
Install the Screen's certificate ID on the Administration Station.
Start encrypted communication between the Administration Station and the Screen by enabling SKIP on the Administration Station.
The installation procedure requires that the machine be rebooted when indicated. Do not perform any other tasks on the machine while installing the software, as a delay in rebooting the machine may affect installation and cause your system to hang.
Do not begin this procedure until you have read the information in Chapter 2.
Open a terminal window on the Administration Station and become root.
Ensure that the OpenWindows File Manager is not running because it interferes with the operation of the volcheck command used for installation.
Insert the SunScreen EFS 3.0 CD-ROM into the Administration Station's CD-ROM drive.
Mount the CD-ROM by typing:
# volcheck
Start the Administration Station installer by typing:
# /cdrom/cdrom0/adminInstaller
Due to late software changes, the appearance of the installation wizards may differ slightly from that shown. Functionality and performance are not affected. The panels of the installation wizards can be resized, if needed.
The Admin Install's Welcome window appears, as shown in Figure 4-1.
Click Next to continue the installation process.
The Select Type of Install window appears. You are given two choices: Default Install and Custom Install.
The HotJava browser, version 1.1.5, is packaged on the SunScreen EFS 3.0 CD-ROM and is installed as part of the Default Install. If you do not want this installed, select Custom Install and deselect package SUNWdthj.
Select the type of install desired, and Click Next.
The disk space on your machine is checked. An error message appears if you do not have enough disk space.
The Ready to Install window appears, as shown in Figure 4-2. The size of the packages to be installed is confirmed.
Click Install Now to continue the installation process.
The Installing window appears, as shown in Figure 4-3. The status bar shows the progress of the installation.
Click Next to complete the installation process.
An Installation Summary appears, as shown in Figure 4-4.
Select Exit to complete the installation process using the installation wizard.
The installation wizard disappears.
Set the PATH and MANPATH by editing your shell initialization file (such as your .profile or .login file).
Eject the CD-ROM from the CD-ROM drive by typing:
# eject cdrom0
Install any SKIP upgrades (Export Controlled [1024-bit] or U.S. and Canada Use Only [2048-bit] keys) as instructed in the documentation that is included with the SKIP upgrade CD-ROM.
Reboot to complete the installation by typing:
# sync; init 6
The software packages have been installed. You continue the installation process on the machine that is the Administration Station.
To obtain encrypted communication between the Administration Station and the Screen, certificates must be installed on both machines. This can be done by either using self-generated certificates or by installing issued certificates. Both methods are done on the Administration Station.
If you are using self-generated certificates, use Option 1. If you are using issued certificates, use Option 2.
Open a terminal window and create the required SKIP directories by typing:
# skiplocal -i
Create the self-generated certificate on the Administration Station by typing:
# skiplocal -k -f -V
The local certificate ID appears, as shown in Figure 4-5. It is the Administration Station's 32-character certificate ID (MKID).
Write down the certificate ID, which begins with `0x'.
Add SKIP to all the interfaces by typing:
# skipif -a
Reboot to complete the installation by typing:
# sync; init 6
The Administration Station's certificate ID has been generated. You next move to the Screen to install the SunScreen software. Continue to the section, "Installing the Software on the Screen".
To do this procedure, you will need the Key and Certificate diskette.
Open a terminal window on the Administration Station and become root.
Ensure that the OpenWindows File Manager is not running because it interferes with the operation of the volcheck command used for installation.
Create the required SKIP directories by typing:
# skiplocal -i
Insert the Key and Certificate diskette into the Administration Station's floppy drive.
Mount the diskette by typing:
# volcheck
Install the SKIP keys by typing:
# install_skip_keys -icg /floppy/floppy0
Start the SKIP daemon by typing:
# skipd_restart
Eject the Key and Certificate diskette by typing:
# eject floppy0
Write down the certificate ID, which is eight characters long.
Add SKIP to all the interfaces by typing:
# skipif -a
Reboot to complete the installation by entering:
# sync; init 6
The Administration Station's certificate ID has been installed. You next move to the Screen to install the SunScreen software.
The next step is to install the SunScreen EFS 3.0 software on the machine that serves as the Screen. If you have a monitor and a keyboard attached to your Screen, you can use the installation wizard. If you are operating the Screen without a monitor, you must either temporarily attach a monitor or install the software from the command line. Command line instructions are located in Appendix A.
If you are using self-generated certificates, use Option 1. If you are using issued certificates, use Option 2.
Before starting the procedure below, configure all network interfaces you plan to use, if this is not already done. SunScreen EFS will only see the network interfaces that Solaris sees. For details on Solaris network configuration, see the documentation accompanying the Solaris operating environment.
In this procedure, you need the Administration Station's certificate ID (MKID) from the previous procedure.
On the Screen, open a terminal window and become root.
Insert the SunScreen EFS 3.0 CD-ROM into the Screen's CD-ROM drive.
Mount the CD-ROM by typing:
# volcheck
Add the software by typing:
# /cdrom/cdrom0/screenInstaller
The Screen Install wizard's Welcome window appears, as shown in Figure 4-6.
Click Next to continue the installation process.
The Check Installed Solaris Packages window appears, as shown in Figure 4-7. Prior to installation of the SunScreen EFS 3.0 software, a check is performed to verify that the prerequisite Solaris packages are installed on your machine.
If there are missing required packages, a list will be displayed. You must exit the installation wizard at this point and install the required Solaris packages from your Solaris CD.
Click Next to continue the installation process.
The Secondary HA Designation window appears, as shown in Figure 4-8. No is the default.
Choose Yes if you are configuring an HA cluster and are installing the Secondary SunScreen of that cluster. If this is what you want to do, exit the installation wizard and see the SunScreen EFS 3.0 Administration Guide for instructions on how to set up an HA cluster.
Accept the default, No, and Click Next.
The Select Screen Type window appears, as shown in Figure 4-9. You are given two types of installations to choose from: Stealth or Routing. Routing mode is the default.
Accept the default, Routing mode, and Click Next.
The Select Administration Type window appears, as shown in Figure 4-10. You are given the choice of Local Administration or Remote Administration. Local Administration is the default.
Select Remote Administration and Click Next.
The Select Type of Install window appears, as shown in Figure 4-11. You are given two choices: Default Install and Custom Install.
The HotJava browser, version 1.1.5, is packaged on the SunScreen EFS 3.0 CD-ROM and is installed as part of the Default Install. If you do not want this installed, select Custom install and deselect package SUNWdthj.
Select the type of install desired, and Click Next.
The disk space on your machine is checked. An error message appears if you do not have enough disk space.
The Ready to Install window appears, as shown in Figure 4-12. The size of the packages to be installed is confirmed.
Click Install Now to continue the installation process.
The Installing window appears, as shown in Figure 4-13. The status bar shows the progress of the installation.
Once completed, the Installation Summary window appears, as shown in Figure 4-14. You can resize this window as needed.
Click Next to continue the installation process.
The Select Certificate Type window appears, as shown in Figure 4-15. Self-Generated Certificate is the default.
If you are using Issued Certificates, you must now turn to the following procedure, "Option 2: To Install the Software on the Screen When Using Issued Certificates". Follow the instructions to install your Issued Certificates. Once completed, return to this procedure and resume with Step 17.
Accept the default, Self-Generated Certificate, and Click Next.
The Self-Generated Certificate ID window appears, as shown in Figure 4-16.
Enter the Administration Station's 32-character certificate ID (MKID), obtained in the previous procedure, and Click Next. Do not enter the leading two characters: 0x.
The Generate Screen Certificate window appears. Wait while the Screen's certificate ID is generated. When completed, the Screen's 32-character certificate ID appears at the bottom of the window, as shown in Figure 4-17.
Write down the Screen's 32-character certificate ID (MKID) that appears at the bottom of the window.
Click Next to continue the installation process.
The Select Initial Security Level window appears.
Select the level of security you want: Restrictive, Secure, or Permissive. Permissive is the default.
When in doubt, select Permissive as your initial security level, as shown in Figure 4-18. You can change this later if you need to.
Click Next to continue the installation process.
The Select Name Service(s) window appears, as shown in Figure 4-19. You must select the name service that will be used on the Screen. Your choices are both NIS and DNS, either NIS or DNS, or None. The default has both NIS and DNS selected. To select just one, deselect the one you do not want. For None, deselect both.
Select the appropriate Name Service(s), and Click Next.
The Screen Configuration window appears with the message "Configuring Screen", as shown in Figure 4-20. Figure 4-21 shows the message that appears once the Screen is successfully configured.
Click Next to continue the installation process.
The Screen Reboot window appears, as shown in Figure 4-22.
To reboot the machine, click the Screen Reboot button.
The installation wizard disappears.
You must reboot the machine at this time in order to complete the installation process.
The software is installed on the Screen. You now proceed to "To Set the PATH, Install SKIP Upgrades, and Display the AdminSetup.readme File".
The procedure to install the software on the Screen when using Issued Certificates is nearly identical to the previous procedure, which used Self-Generated Certificates. The difference is only that your certificates are contained on diskette instead of being self-generated, and they must be installed when the Select Certificate Window appears.
To install the software on the Screen when using Issued Certificates, follow the instructions contained in the procedure, "Option 1: To Install the Software on the Screen When Using Self-Generated Certificates". When the Select Certificate Type window appears, select Issued Certificate, and follow the procedure below. Once the certificates are installed, return to the previous procedure and resume with Step 17.
To do this procedure, you will need the Key and Certificate diskette.
From the Select Certificate Type window, select Issued Certificate and Click Next.
The Select Certificate Window is shown in Figure 4-23. The Issued Certificate Key Diskettes window next appears, as shown in Figure 4-24.
Insert the Administration Station's Key and Certificate diskette and Click Read Diskette.
Wait until the Issued Certificate ID appears at the bottom of the window, as shown in Figure 4-25.
Write down the certificate ID, which is eight characters long, and Click Next.
The Issued Certificate Key Diskettes window appears, as shown in Figure 4-26.
Insert the Screen's Certificate ID diskette into the floppy drive and Click the Read Diskette button.
The Issued Certificate ID appears at the bottom of the window.
Write down the Screen's certificate ID, which is eight characters long, and Click Next.
The Select Initial Security Level window appears.
Complete installation on the Screen by following the instructions in the previous procedure, "Option 1: To Install the Software on the Screen When Using Self-Generated Certificates". Resume with Step 17.
On the Screen, open a terminal window and become root, if not already.
Set the PATH and MANPATH by editing your shell initialization file (such as your .profile or .login file).
Install any SKIP upgrades (Export Controlled [1024-bit] or U.S. and Canada Use Only [2048-bit] keys) as instructed in the documentation that is included with the SKIP upgrade CD-ROM.
To display the AdminSetup.readme file, in a terminal window type:
# more /etc/opt/SUNWicg/SunScreen/AdminSetup.readme
The AdminSetup.readme file contains the Screen's certificate ID as well as the command you run to give the Administration Station the Screen's certificate ID, as shown in Figure 4-27. Write down this command, which begins with skiphost -a, for later use.
Because ftp transfers the file in the clear, only if you trust that the network between the Screen and the Administration Station is secure should you ftp the AdminSetup.readme file from the Screen to the Administration Station. Doing so saves you the task of writing down the information that is required in the next procedure.
Eject the CD-ROM by typing:
# eject cdrom0
If SKIP upgrades were installed, reboot the Screen by typing:
# sync; init 6
You now return to the Administration Station to complete SKIP configuration. Proceed to "Using SKIP for Encrypted Communication".
To complete the installation of a remotely administered SunScreen in routing mode, encrypted communication between the Administration Station and the Screen must be achieved. This is done by enabling SunScreen SKIP, which was previously installed. In this procedure, you tell the Administration Station what encryption algorithms to use to communicate with the Screen. For more information regarding SunScreen SKIP for Solaris, see the SunScreen SKIP 1.5 User's Guide.
To configure the Administration Station to communicate with the Screen, you must know:
The Screen's certificate ID.
The command from the AdminSetup.readme file, obtained in the previous procedure.
Instructions for using SKIP from the command line are found in Appendix A.
Open a terminal window and become root, if not already.
Launch the skiptool GUI by typing:
# skiptool
You may need to use skiptool -i name_of_interface (such as qe3) if you wish to set SKIP parameters on a network interface other than the default interface.
The main window of the skiptool GUI appears, as shown in Figure 4-28.
You next add a default ACL that allows unencrypted communication with all hosts.
Click the Add button, and under Host, choose the Off security option.
The Add Host properties window opens.
Type `default' as the Hostname and Click Apply.
This is shown in Figure 4-29.
You next add an ACL so the Administration Station and Screen can use encrypted communication.
Click the Add button, and under Host, choose the SKIP security option.
The Add Skip host properties window appears, as shown in Figure 4-30.
Use the information contained in the AdminSetup.readme file, obtained in the preceding procedure, and complete the fields.
Type the Screen's host name (shown here as Name_of_Screen) in the Hostname field.
In the Secure field, select Whole Packet from the drop-down list.
In the Remote Key ID field, make the appropriate selection from the drop-down list.
Refer to the AdminSetup.readme file to select the correct Remote Key ID. For self-generated certificates on the Administration Station, select MD5 (DH Public Value). For issued certificates, select IPv4. See Figure 4-31 for a sample of the Add SKIP Host Properties window completed.
In the Local Key ID field, make the appropriate selection from the drop-down list.
Refer to the AdminSetup.readme file to select the correct Local Key ID. For self-generated certificates on the Administration Station, select MD5 (DH Public Value). For issued certificates, select IPv4. The ID value is filled in automatically.
Turn SKIP on. From the pulldown menu for "Access control is:", located at the top of the skiptool window, select `enabled'.
After you select enabled from the pulldown menu, a window appears when you save the configuration. Click Cancel to prevent the required systems it lists, which are part of the default configuration, from being added to the Authorized Systems window.
Select Save from the File pulldown menu.
After configuring SKIP, check that the encryption parameters and the certificate ID (MKID) values match on both the Administration Station and the Screen.
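The certificate IDs in these procedures are copied by hand from one machine to the other, and the Screen install wizard expects the self-generated ID without its leading 0x. As an added example that is not part of the SunScreen documentation, the Python script below normalizes an ID the way the wizard expects it and compares the ID each machine generated with the copy held by the other, so a transcription error is caught before SKIP is enabled. It assumes both ID forms are hexadecimal (the chapter gives only their lengths: 32 characters self-generated, 8 characters issued), and the sample IDs in it are constructed, not real certificate IDs.

```python
import re

# Certificate ID (MKID) lengths as given in the SunScreen EFS 3.0 installation
# chapter: a self-generated ID is 32 characters and is displayed with a leading
# "0x" that must NOT be typed into the Screen install wizard; an issued ID is
# 8 characters. Assumption (not stated on the page): both are hexadecimal.
MKID_LENGTHS = {"self-generated": 32, "issued": 8}

HEX_RE = re.compile(r"[0-9a-f]+")


class MkidError(ValueError):
    """Raised when a hand-copied certificate ID cannot be a valid MKID."""


def normalize_mkid(raw, cert_type):
    """Return the ID in the form the wizard expects: no 0x prefix, lower case.

    Whitespace is removed and an optional "0x" prefix is dropped, because both
    are common when an ID has been written down and retyped.
    """
    if cert_type not in MKID_LENGTHS:
        raise MkidError("unknown certificate type: %r" % (cert_type,))
    value = "".join(raw.split()).lower()
    if value.startswith("0x"):
        value = value[2:]
    expected = MKID_LENGTHS[cert_type]
    if len(value) != expected:
        raise MkidError("%s ID must be %d characters, got %d: %r"
                        % (cert_type, expected, len(value), value))
    if not HEX_RE.fullmatch(value):
        bad = sorted(set(ch for ch in value if not HEX_RE.fullmatch(ch)))
        raise MkidError("non-hex characters %s in %r; re-check the written copy"
                        % (bad, value))
    return value


def check_pairing(admin_own, admin_has_screen, screen_own, screen_has_admin,
                  cert_type):
    """Compare the IDs each side generated with the copies the other side holds.

    Returns a list of human-readable mismatch descriptions; an empty list means
    both directions agree, so each side will look up the other's key correctly.
    """
    problems = []
    pairs = [
        ("Screen ID as recorded on the Administration Station",
         screen_own, admin_has_screen),
        ("Administration Station ID as recorded on the Screen",
         admin_own, screen_has_admin),
    ]
    for label, generated, copied in pairs:
        try:
            if normalize_mkid(generated, cert_type) != normalize_mkid(copied, cert_type):
                problems.append("%s does not match the ID generated there" % label)
        except MkidError as exc:
            problems.append("%s: %s" % (label, exc))
    return problems


if __name__ == "__main__":
    # Constructed sample IDs; they are not real certificate IDs from any system.
    admin_id = "0x0123456789abcdef0123456789abcdef"
    screen_id = "0xfedcba9876543210fedcba9876543210"
    # The Screen was given the Administration Station's ID without "0x", as the
    # wizard requires; the Administration Station's copy of the Screen ID has
    # one digit wrong, which the check reports.
    for line in check_pairing(admin_id, "0xfedcba9876543210fedcba9876543211",
                              screen_id, "0123456789ABCDEF0123456789abcdef",
                              "self-generated"):
        print(line)
```

Run it with the two IDs you wrote down on each machine; any line it prints identifies which direction of the pairing is wrong, which is more useful than a later SKIP failure that only shows up as traffic being dropped.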
To configure and manage your SunScreen from your Administration Station, run a Java-enabled Web browser compliant with JDK 1.1.3 or later, and launch the Administration GUI by typing the following URL:
http://Name_of_Screen:3852/
The Administration GUI appears, as shown in Figure 4-32.
To log in, type the following and Click Login:
User Name: admin
Password: admin
You next configure and manage your SunScreen with the Administration GUI. Change the default admin password as one of your first tasks. See the SunScreen EFS 3.0 Administration Guide for further instructions.