SolarisInstallation

• Plan the layout of your disks according to SolarisFilesystemLayout
• Obtain an ip for the new server
  • add the ip to mgmt1:/etc/hosts
  • add the ip to mgmt1:~admin/etc_master/hosts
• Obtain a switch port
• request firewall rule additions
• Install Solaris from CDs
• Install packages
  • Server cluster package ncftp on mgmt box ncftp> open sunsolve.sun.com cd /pub/patches ls *Rec* to find the recommended cluster patch for solaris 8 type "bye" to exit site wget ftp://sunsolve.sun.com/pub/patches/8_Recommended.zip
  • Then ftp file from mgmt server to new server
• Remove root from //etc/ftpusers
• Unzip the file
• Install the package
• Next cd / (to the directory) -- there is a cluster_readme file
• ./install_cluster
• Install SSH
  • Go to www.sunfreeware.com
  • Select sparc 8
  • In the bottom right find open ssh
  • An install document is available \x96 Note: Ignore tcp wrappers section -- Note: Start with the random variable package (currently 112438-01) --
  • Add ssl package
    • From mgmt console, go to ftp://sunfreeware.risq.qc.ca/sparc/8/
    • Find the most recent ssl package
    • Download it and move it to the server
    • Gunzip it
    • Install package pkgadd \x96d /path/to/package/packagename
  • Continue this for the following packages:
    • openssh-3.6.1p1-sol8-sparc-local.gz
    • openssl-0.0.9.7b-sol8-sparc-local.gz
    • zlib-1.1.4-sol8-sparc-local.gz
    • libgcc-3.2.3.2-sol8-sparc-local.gz
    • perl-5.8.0-sol8-sparc-local.gz
    • prngd-0.9.25-sol8-sparc-local.gz
    • egd-0.8-sol8-sparc-local.gz

Installing OpenSSH

OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. Additionally, OpenSSH provides solutions for secure tunneling capabilities, as well as authentication methods. OpenSSH is open source and is available for free. Information contained within this document is specific to Solaris 8.

*Random number generator: prngd OpenSSH requires a random number generator to be installed. PRNGD is a Pseudo Random Number Generator Daemon which installs in /usr/local. This is installed via a patch available at SunSolve Patch Access. Search for patch 112438-01.

Download and install the patch. Install the patch using the 'patchadd' command (man patchadd for more information):

patchadd /var/spool/patch/112438-01

You will need to reboot the server. Rebooting requires boot -r to create the new devices.

reboot -- -r

For a procedure to install the random generator, which does not require the server to be rebooted, try the following link: http://www.sunmanagers.org/pipermail/summaries/2002-April/002956.html.

• login and make sure the system came back up clean

Set up the sshd user

Privilege separation, or privsep, is method in OpenSSH by which operations that require root privilege are performed by a separate privileged monitor process. Its purpose is to prevent privilege escalation by containing corruption to an unprivileged process. When privsep is enabled, during the pre-authentication phase sshd will chroot to "/var/empty" and change its privileges to the "sshd" user and its primary group. sshd is a pseudo-account that should not be used by other daemons, and must be locked and should contain a "nologin" or invalid shell.

As root:

mkdir /var/empty chown root:sys /var/empty chmod 755 /var/empty groupadd sshd useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd

/var/empty should not contain any files.

If you do not do this and attempt to start up sshd, you will get error messages and the daemon will not start.

Install ssh keys and sshd start/stop script Each machine that you want to communicate with via the ssh client will need to have an sshd daemon running. But first, you need to run the following three lines to create the key information for the server machine. Make sure you have /usr/local/bin and /usr/local/sbin in your PATH. If you have been running sshd before and have keys in /usr/local/etc, runing these commands will overwrite them.

As root:

*ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N "" *ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""

*sshd init script Copy /etc/init.d/ssh and /etc/init.d/prngd on mgmt1 to the same directory on the new server. symlink them into rc2.d directory:

set permissions chown root /etc/init.d/sshd /etc/init.d/prngd chgrp sys /etc/init.d/sshd /etc/init.d/prngd chmod 544 /etc/init.d/sshd /etc/init.d/prngd ln -s /etc/init.d/ssh /etc/rc2.d/S99sshd ln -s /etc/init.d/prngd /etc/rc2.d/S99prngd

Start/Stop the ssh daemon manually

/etc/rc2.d/S99sshd start

You can check to see if the daemon is running with the ps command:

ps -e | grep sshd

Add an admin user

 useradd \x96u 100 \x96c "admin home account" \x96d /export/home/admin \x96m \x96s /bin/tcsh admin

• Set admin passwd
• Test the ssh login from mgmt host (using the admin user just created)
• Install sudo
  • In the admin directory of the mgmt box there is a "sparcpkg" directory. In this directory is a "Packages" directory that contains sudo. Note: You may install any of the packages included in this directory if needed.
  • Copy the sudo package SFWsudo to the server scp \x96r Packages admin@(servername):
• Run: pkgadd \x96d /path/to/package/packagename
• copy config file in /opt/sfw/etc/sudoers from oracle-ias2 to the same directory on the new server
• file /opt/sfw/bin/sudo needs to be chmod u+s sudo

files in etc

Copy the following from mgmt1:~admin/etc_master/ into /etc/

• syslog.conf
• hosts
• issue

crle path

Make the following system wide path change crle \x96l /usr/lib:/usr/local/lib:/usr/local/ssl/lib:/ -s /usr/lib/secure

For this server specific files are needed to run fusion and to offer failover solution for oracle-ias2 services.

The following directories (and sub directories) have been moved to /export/home/rhudson

• oracle.tar (needs to be oracle/app/oracle\x85)
• make a symbolic link to /apps/oracle sudo link \x96s /local/oracle/ /apps/
• tomcathome.tar (needs to be /data/linns/\x85)
• www.home.tar (needs to be /data/linns/\x85)
• formshome.tar (needs to be /data/linns/\x85)

Time Sync

Add the following to root's crontab. The -s logs the output to daemon syslog 0 0,8,16 * * * /usr/sbin/ntpdate -s time.gov.ns.ca # Set clock to time server

User Setup

May need to use grpadd to make the grp first!! Go to another server and grep 2000 /etc/group groupadd \x96g gid \x96o group_name

 fusion1-admin-~>sudo userdel ias
 fusion1-admin-~>sudo useradd -u 2000 -g 2000 -c "Oracle IAS User" -d /export/home/ias -m -s /bin/csh ias

 fusion1-admin-~>sudo useradd -u 2001 -g 2000 -c "Oracle oraforms User" -d /export/home/oraform -m -s /bin/sh oraforms
 6 blocks

 fusion1-admin-~>sudo useradd -u 2002 -g 2000 -c "Tomcat User" -d / export/home/tomcat -m -s /bin/tcsh tomcat
 fusion1-admin-~>sudo useradd -u 2003 -g 2000 -c "Fusion User" -d /export/home/fusion -m -s /bin/tcsh fusion
 fusion1-admin-~>

Hardening & Snips

• Perform SolarisHardening
• Set and escrow the root password
• Perform SnipsInstallation
• Add a file with the server's name to the "servers" directory in SystemDatabase. Among other things, this drives the "SnapShots" data collection system.
• install lsof, one of the parameters that SnapShots collects
• Add/adust the new services to "services" directory in SystemDatabase.

Category: SolarisCategory