Category Archives: Solaris

HOWTO install a Splunk Universal Forwarder on Solaris 11 SPARC and x64 Using pkg(p5p) and tar

05 Saturday Mar 2022

Posted by Slice2 in Solaris, Splunk

≈ 2 Comments

Tags

Solaris

I recently had to get the Forwarders installed and there are no detailed steps in the Splunk docs for Solaris 11. If you need Solaris 10 steps, see my post here.

1) Splunk supports two installation methods, pkg and tar, on two platforms, SPARC and x64 (Intel/AMD). The platform/CPU type is at the end of the filename, as shown below. The steps below cover both methods; choose the steps for the method you want and the platform you have. Be sure to su - root before you start, or prefix the commands with sudo.

a) Native pkg (as in .p5p) formatted binary – easy to manage and upgrade, software included in inventory and vuln scans. Installed using pkg:
splunkforwarder-8.2.3-cd0848707637-solaris-intel.p5p
splunkforwarder-8.2.3-cd0848707637-solaris-sparc.p5p

b) Extracted via tar – software not seen by inventory and vuln scans, only the running splunkd process identifies it in scans (but not the version running). Installed using tar:
splunkforwarder-8.2.3-cd0848707637-SunOS-x86_64.tar.Z
splunkforwarder-8.2.3-cd0848707637-SunOS-sparc.tar.Z

2) Verify that you have the required libc installed.
> pvs /usr/lib/libc.so.1 | grep SUNW_1.22.7
> pvs /usr/lib/libc.so.1 (to get a list of all libc versions)

3) Backup your files. If you have any locally customized .conf files in the following folders, save a copy now. Note that some older forwarders may not use upper case letters in the path.

/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/local/
/opt/splunkforwarder/etc/system/local/

4) If an existing Forwarder is running, identify your Splunk index. You will need this value along with your hostname, IP address and platform later.
> cat /opt/splunkforwarder/etc/system/local/inputs.conf | grep index
> hostname
> ifconfig -a | grep inet (or just ifconfig -a if you have multiple NICs plumbed)
> uname -a

5) Check for existing version and state.
If the existing Forwarder was installed with pkg:
> pkg list | grep -i splunk
> pkg info splunkforwarder | egrep -i "Summary|Version"
> /opt/splunkforwarder/bin/splunk status
> ps aevx | grep splunkd

If the existing Forwarder was installed with tar:
> /opt/splunkforwarder/bin/splunk version
> /opt/splunkforwarder/bin/splunk status
> ps aevx | grep splunkd

6) Stop the currently installed Universal Forwarder and then remove it.
> /opt/splunkforwarder/bin/splunk stop

If installed via pkg:
> pkg uninstall splunkforwarder
> rm /etc/init.d/splunk

If installed via tar:
> cd /opt/
> rm -r splunkforwarder
> rm /etc/init.d/splunk

7) Make sure the Splunk sockets are no longer in use or locked. Copy/paste each line below one at a time and press enter.
> PORT=8089; for PID in /proc/*; do pfiles ${PID} | grep "port: ${PORT}" && echo ${PID}; done
> PORT=9997; for PID in /proc/*; do pfiles ${PID} | grep "port: ${PORT}" && echo ${PID}; done

a) If the commands above return anything (and they shouldn't), you need to kill the process. Note that the grep also matches outbound connections whose remote end uses that port (the peername: line in pfiles output), so read the pfiles output before killing anything.
> pfiles process_id (from the output of the commands above, to get process details)
> kill process_id (kill takes the PID; pkill takes a process name pattern, for example pkill splunkd)

8) Move the package to your host. Based on your CPU type (SPARC or x64) and the installation method you chose (pkg or tar), copy the Universal Forwarder to your server using scp, Filezilla, WinSCP or your preferred file transfer method.

If installing with tar:
> cp splunkforwarder-8.2.3-cd0848707637-SunOS-x86_64.tar.Z /opt/
> cd /opt
> uncompress splunkforwarder-8.2.3-cd0848707637-SunOS-x86_64.tar.Z
> tar xvf splunkforwarder-8.2.3-cd0848707637-SunOS-x86_64.tar
> chown -R root:root splunkforwarder

If installing with pkg:
> cp splunkforwarder-8.2.3-cd0848707637-solaris-intel.p5p /opt/
> cd /opt/
> pkg list -g file:///opt/splunkforwarder-8.2.3-cd0848707637-solaris-intel.p5p
> pkgrepo info -s /opt/splunkforwarder-8.2.3-cd0848707637-solaris-intel.p5p
> pkg set-publisher -p /opt/splunkforwarder-8.2.3-cd0848707637-solaris-intel.p5p splunk
> pkg install -nv -g ./splunkforwarder-8.2.3-cd0848707637-solaris-intel.p5p splunkforwarder (dry run: shows what would change without installing)
> pkg install -g ./splunkforwarder-8.2.3-cd0848707637-solaris-intel.p5p splunkforwarder

a) For both pkg and tar, start the Forwarder and accept the license.
> /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes

This appears to be your first time running this version of Splunk.

Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
Create credentials for the administrator account.
Characters do not appear on the screen when you type in credentials.

Please enter an administrator username: splunkadm  (<-- you can use any account name you want here; it's a splunkd account, not an OS account)
Password must contain at least:
* 8 total printable ASCII character(s).
Please enter a new password:
Please confirm new password:

b) For both pkg and tar, enable auto-start when the server is rebooted.
> /opt/splunkforwarder/bin/splunk enable boot-start

c) For both pkg and tar, copy the deploymentclient.conf file (provided by the Splunk team) to the path listed below. If a Deployment server is not being used, skip this step.
> cp deploymentclient.conf /opt/splunkforwarder/etc/system/local/
> cd /opt/splunkforwarder/etc/system/local/
> chown root:root deploymentclient.conf

9) Restart the Forwarder, verify that it's running and contact your Splunk team via email. Send them your index, hostname, IP and platform so they can associate your new Forwarder with the proper inputs.
> /opt/splunkforwarder/bin/splunk restart
> /opt/splunkforwarder/bin/splunk status
> ps aevx | grep splunkd

10) Connectivity issues? See if the Solaris firewall is on and has any rules for Splunk ports 8089 and 9997. Adjust rules as needed. Solaris 11.4 uses PF (svc:/network/firewall); earlier Solaris 11 releases used IP Filter, where the checks are svcs ipfilter and ipfstat -io instead.
> svcs -x firewall:default
> pfexec pfctl -s rules

HOWTO install a Splunk Universal Forwarder on Solaris 10 SPARC and x64 Using pkgadd and tar

13 Sunday Feb 2022

Posted by Slice2 in Solaris, Splunk

≈ 1 Comment

OK, OK, I know. Solaris 10 is old and dusty. Extended support has been pushed out to January 2024 so there are still plenty of systems in use out there. I recently had to get the Forwarders installed and there are no detailed steps in the Splunk docs. This covers installing via pkgadd and tar. Also, the last available Forwarder I could find on their site that supports Solaris 10 is v7.3.9.

1) There are two installation options and platforms supported by Splunk; using pkgadd and tar on SPARC and x64 CPUs. The platform/CPU type is at the end of the filename shown below. The steps below cover both types of installation scenarios. Choose the steps for the way in which you want to install and the platform you have. There is a Universal Forwarder for SPARC and x64 (Intel/AMD) CPUs so simply insert the Forwarder filename you need in the steps listed below. This HOWTO was done using Solaris 10 x64 so if you have a SPARC host, use the sparc Forwarder filename.

a) Native pkg formatted binary – easy to manage and upgrade, software included in inventory and vuln scans. Installed using pkgadd:
splunkforwarder-7.3.9-39a78bf1bc5b-solaris-10-intel.pkg.Z
splunkforwarder-7.3.9-39a78bf1bc5b-solaris-10-sparc.pkg.Z

b) Extracted via tar – software not seen by inventory and vuln scans, only the running splunkd process identifies it in scans (but not the version running). Installed using tar:
splunkforwarder-7.3.9-39a78bf1bc5b-SunOS-x86_64.tar.Z
splunkforwarder-7.3.9-39a78bf1bc5b-SunOS-sparc.tar.Z

2) Verify that you have the required libc installed.
> pvs /usr/lib/libc.so.1 | grep SUNW_1.22.7
> pvs /usr/lib/libc.so.1 (to get a list of all libc versions)

a) Solaris 10 hosts must be updated to libc SUNW_1.22.7 or later. See the Oracle Support page that lists patches that include libc changes (Oracle Support required): https://support.oracle.com/rs?type=doc&id=2069855.1

SUNW_1.22.7
SPARC: Patch 144500-19
X64: Patch 144501-19

3) Backup your files. If you have any locally customized .conf files in the following folders, save a copy now. Note that some older forwarders may not use upper case letters in the path.

/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/local/
/opt/splunkforwarder/etc/system/local/

4) Identify your Splunk index. You will need this value along with your hostname, IP address and platform later.
> cat /opt/splunkforwarder/etc/system/local/inputs.conf | grep index
> hostname
> ifconfig -a | grep inet (or just ifconfig -a if you have multiple NICs plumbed)
> uname -a

5) Check for existing version and state.
If the existing Forwarder was installed with pkgadd:
> pkginfo -l | grep splunk
> pkginfo -l splunkforwarder* | grep VERSION
> /opt/splunkforwarder/bin/splunk status
> ps -ef | grep splunkd

If the existing Forwarder was installed with tar:
> /opt/splunkforwarder/bin/splunk version
> /opt/splunkforwarder/bin/splunk status
> ps -ef | grep splunkd

6) Stop the currently installed Universal Forwarder and then remove it.
> /opt/splunkforwarder/bin/splunk stop

If installed via pkgadd:
> pkgrm splunkforwarder
> rm /etc/init.d/splunk

If installed via tar:
> cd /opt/
> rm -r splunkforwarder
> rm /etc/init.d/splunk

7) Make sure the Splunk sockets are no longer in use or locked. Copy/paste each line below one at a time and press enter.
> PORT=8089; for PID in /proc/*; do pfiles ${PID} | grep "port: ${PORT}" && echo ${PID}; done
> PORT=9997; for PID in /proc/*; do pfiles ${PID} | grep "port: ${PORT}" && echo ${PID}; done

a) If the commands above return anything (and they shouldn't), you need to kill the process. Note that the grep also matches outbound connections whose remote end uses that port (the peername: line in pfiles output), so read the pfiles output before killing anything.
> pfiles process_id (from the output of the commands above, to get process details)
> kill process_id (kill takes the PID; pkill takes a process name pattern, for example pkill splunkd)

8) Move the package to your host. Based on your CPU type (SPARC or x64) and the installation method you chose (pkgadd or tar), copy the Universal Forwarder to your server using scp, Filezilla, WinSCP or your preferred file transfer method.

If installing with tar:
> cp splunkforwarder-7.3.9-39a78bf1bc5b-SunOS-x86_64.tar.Z /opt/
> cd /opt
> uncompress splunkforwarder-7.3.9-39a78bf1bc5b-SunOS-x86_64.tar.Z
> tar xvf splunkforwarder-7.3.9-39a78bf1bc5b-SunOS-x86_64.tar
> chown -R root:root splunkforwarder

If installing with pkgadd:
> uncompress splunkforwarder-7.3.9-39a78bf1bc5b-solaris-10-intel.pkg.Z
> pkgadd -d splunkforwarder-7.3.9-39a78bf1bc5b-solaris-10-intel.pkg all

Do you want to continue with the installation of <splunkforwarder> [y,n,?] y

a) For both pkgadd and tar, start and accept the license.
> /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes

This appears to be your first time running this version of Splunk.

Splunk software must create an administrator account during startup. Otherwise, you cannot log in.
Create credentials for the administrator account.
Characters do not appear on the screen when you type in credentials.

Please enter an administrator username: splunkadm  (<-- you can use any account name you want here; it's a splunkd account, not an OS account)
Password must contain at least:
* 8 total printable ASCII character(s).
Please enter a new password:
Please confirm new password:

b) For both pkgadd and tar, enable auto-start when the server is rebooted.
> /opt/splunkforwarder/bin/splunk enable boot-start

c) For both pkgadd and tar, copy the deploymentclient.conf file to the path listed below. If a Deployment server is not being used, skip this step.
> cp deploymentclient.conf /opt/splunkforwarder/etc/system/local/
> cd /opt/splunkforwarder/etc/system/local/
> chown root:root deploymentclient.conf

9) Restart the Forwarder, verify that it's running and contact your Splunk team via email. Send them your index, hostname, IP and platform so they can associate your new Forwarder with the proper inputs.
> /opt/splunkforwarder/bin/splunk restart
> /opt/splunkforwarder/bin/splunk status
> ps -ef | grep splunkd

10) Connectivity issues? See if the Solaris firewall (IP Filter on Solaris 10) is on and has any rules for Splunk ports 8089 and 9997. Adjust rules as needed.
> svcs | egrep '(pfil|ipfilter)'
> ipfstat -io
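The following is an added example, not part of either Forwarder post above, for two points the Solaris 11 and Solaris 10 procedures share: checking the downloaded package against the SHA512 checksum Splunk publishes alongside each download before running pkg, pkgadd or tar (step 8), and finding what actually listens on 8089 or 9997 after the old Forwarder is stopped (step 7). The one-line grep in step 7 also matches the peername line of an outbound connection, so a process merely connected to a remote indexer on 9997 would be reported; the parser here reports a PID only for a socket that has a local port and no peer. The pfiles output, PIDs and file contents embedded in the block are constructed sample data, and the choice of hashing tool is an assumption of this example: it tries sha512sum, shasum, digest(1) and openssl in turn so the same script runs on Solaris and on a Linux admin host.

```shell
#!/bin/sh
# Added example, not from the original posts: pre-flight checks for the
# Universal Forwarder procedure on Solaris 10 and 11.
#   verify_pkg_sha512 FILE DIGEST   compare a downloaded .p5p/.pkg.Z/.tar.Z
#                                   against the SHA512 Splunk publishes
#   listening_pids PFILES_TEXT PORT print PIDs that LISTEN on PORT, parsed
#                                   from "pfiles /proc/*" output
# The pfiles text at the bottom is constructed sample data.

# Use whichever SHA-512 tool the host has: sha512sum (Linux), shasum
# (BSD/macOS), digest(1) (Solaris), or openssl as a last resort.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 512 "$1" | cut -d' ' -f1
    elif command -v digest >/dev/null 2>&1; then
        digest -a sha512 "$1"
    else
        openssl dgst -sha512 "$1" | sed 's/^.*= //'
    fi
}

# Exit status 0 when FILE hashes to DIGEST (hex, any case), 1 on mismatch,
# 2 when the file cannot be read. Do not install a package that fails this.
verify_pkg_sha512() {
    pkg_file=$1
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$pkg_file" ] || { echo "verify: cannot read $pkg_file" >&2; return 2; }
    have=$(sha512_of "$pkg_file" | tr 'A-F' 'a-f')
    if [ "$have" = "$want" ]; then
        echo "verify: OK $pkg_file"
        return 0
    fi
    printf 'verify: MISMATCH %s\n  expected %s\n  actual   %s\n' \
        "$pkg_file" "$want" "$have" >&2
    return 1
}

# pfiles prints one "PID: command" header per process and, per socket
# descriptor, a "sockname:" line (local end) and, for connected sockets, a
# "peername:" line (remote end). A listener has a sockname on PORT and no
# peername. Grepping for "port: PORT" alone also hits outbound connections
# whose remote end is PORT, which is why this tracks both lines per fd.
listening_pids() {
    printf '%s\n' "$1" | awk -v port="$2" '
        function flush() {
            if (pid != "" && sockport == port && !peer && !(pid in seen)) {
                seen[pid] = 1; print pid
            }
            sockport = ""; peer = 0
        }
        /^[0-9]+:/         { flush(); pid = $1; sub(/:$/, "", pid); next }
        /^ +[0-9]+: S_IF/  { flush(); next }
        /sockname: /       { for (i = 1; i <= NF; i++) if ($i == "port:") sockport = $(i + 1) }
        /peername: /       { peer = 1 }
        END                { flush() }'
}

# Constructed pfiles output: splunkd listening on 8089 and connected OUT to
# an indexer on 9997, plus sshd listening on 22.
SAMPLE_PFILES=$(cat <<'EOF'
2041:   /opt/splunkforwarder/bin/splunkd -p 8089 start
  Current rlimit: 65536 file descriptors
   0: S_IFCHR mode:0666 dev:551,0 ino:26793 uid:0 gid:3 rdev:13,2
      O_RDWR|O_LARGEFILE
      /devices/pseudo/mm@0:null
   5: S_IFSOCK mode:0666 dev:556,0 ino:40313 uid:0 gid:0 rdev:0,0
      O_RDWR|O_NONBLOCK
        SOCK_STREAM
        SO_REUSEADDR,SO_KEEPALIVE,SO_SNDBUF(49152),SO_RCVBUF(128000)
        sockname: AF_INET 0.0.0.0  port: 8089
   6: S_IFSOCK mode:0666 dev:556,0 ino:40320 uid:0 gid:0 rdev:0,0
      O_RDWR|O_NONBLOCK
        SOCK_STREAM
        sockname: AF_INET 10.10.10.50  port: 45102
        peername: AF_INET 10.10.10.5  port: 9997
3110:   /usr/lib/ssh/sshd
  Current rlimit: 256 file descriptors
   3: S_IFSOCK mode:0666 dev:556,0 ino:40601 uid:0 gid:0 rdev:0,0
      O_RDWR|O_NONBLOCK
        SOCK_STREAM
        sockname: AF_INET 0.0.0.0  port: 22
EOF
)

# Demo on the sample. On a real host replace "$SAMPLE_PFILES" with
# "$(pfiles /proc/* 2>/dev/null)" and kill by PID (kill "$pid"), not pkill.
for p in 8089 9997; do
    echo "listening on $p: $(listening_pids "$SAMPLE_PFILES" "$p")"
done
```

On a live host run listening_pids "$(pfiles /proc/* 2>/dev/null)" 8089 as root; the sample prints PID 2041 for 8089 and nothing for 9997, because the only 9997 socket is the outbound connection to the indexer that the step 7 grep would have flagged. Run verify_pkg_sha512 on the copied package with the digest from the Splunk download page before the uncompress/pkgadd/pkg install step.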

HOWTO to reset the root password on Solaris with a UFS filesystem

20 Tuesday May 2014

Posted by Slice2 in Security, Solaris

≈ Leave a comment

Tags

Security, Solaris

1) Halt the system: send a Stop-A (or a break from the console) to reach the OpenBoot ok prompt, or run halt.

2) Insert the Solaris 10 DVD and boot single-user from it, not from the disk. Booting the installed disk with -s would prompt for the root password you are trying to reset.

ok boot cdrom -s

3) Identify the boot disk's root slice and mount it on /a. c0t3d0s0 below is an example; use the slice that holds your root filesystem.

> mount /dev/dsk/c0t3d0s0 /a
> cd /a/etc
> TERM=vt100
> export TERM
> vi /a/etc/shadow

Edit the root line so the encrypted password field is empty, i.e. the second field becomes colon-colon (::). Edit /a/etc/shadow, the disk's copy: /etc/shadow at this point belongs to the DVD miniroot and changing it does nothing.

> cd /
> umount /a
> init 6

4) Log in as root at the console with no password and set a new one immediately.

> passwd root

This procedure is also the reason console and boot-media access must be controlled: anyone who can reach the ok prompt with install media can do the same thing. On SPARC, set an OpenBoot password (security-mode=command with security-password) and restrict physical and LOM/ILOM console access.
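As an added example, not from the original post, here is the edit in step 3 done with awk against the mounted disk's shadow file rather than by hand in vi, followed by the check a practitioner wants after any password reset: a list of accounts whose password field is empty, which is what lets root in without a password until passwd is run. It assumes the root slice is mounted on /a as in step 3, so the file is /a/etc/shadow; the shadow lines in the block are constructed and the hashes are fake.

```shell
#!/bin/sh
# Added example, not from the original post. From the DVD miniroot with the
# disk's root slice mounted on /a, blank only root's password hash in
# /a/etc/shadow with awk instead of hand-editing in vi, then audit the
# result: an empty second field means login without a password, so after
# the reset the list must contain root alone until passwd(1) is run.
# The shadow content at the bottom is constructed; the hashes are fake.

# Print SHADOW_FILE with root's password field (field 2) emptied. The other
# fields and every other account are passed through unchanged.
blank_root_hash() {
    awk -F: 'BEGIN { OFS = ":" } $1 == "root" { $2 = "" } { print }' "$1"
}

# Accounts whose password field is empty (what "logins -p" reports).
# NP and *LK* entries are non-empty and therefore not listed.
accounts_without_password() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Rewrite SHADOW_FILE in place: keep a backup, build the new file next to it
# with shadow's 0400 mode, then move it over the original. Run as root from
# the miniroot so ownership stays root.
reset_root_in_shadow() {
    shadow=$1
    new="$shadow.new.$$"
    cp -p "$shadow" "$shadow.bak" || return 1
    blank_root_hash "$shadow" > "$new" || return 1
    chmod 400 "$new" || return 1
    mv "$new" "$shadow"
}

# Constructed sample shadow file; the hashes are placeholders, not real.
SAMPLE_SHADOW=$(cat <<'EOF'
root:$5$fakesalt$FAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAK:16200::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
nobody:*LK*:6445::::::
oracle:$5$othersalt$ANOTHERFAKEHASHANOTHERFAKEHASHANOTHERFAKEHA:16100::::::
EOF
)

# Demo against a copy of the constructed file. On the real system the
# argument is /a/etc/shadow.
demo_shadow=$(mktemp)
printf '%s\n' "$SAMPLE_SHADOW" > "$demo_shadow"
reset_root_in_shadow "$demo_shadow"
echo "accounts with no password after reset:"
accounts_without_password "$demo_shadow"
rm -f "$demo_shadow" "$demo_shadow.bak"
```

After the reboot and passwd root in step 4, run accounts_without_password /etc/shadow (or logins -p) once more; it should print nothing.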

Display fiber channel HBA and FC configuration in Solaris

14 Monday Apr 2014

Posted by Slice2 in Solaris

≈ Leave a comment

Tags

Fiber Channel, Solaris

This is a list of commands that will display many details of your fiber channel HBA and FC configuration in Solaris. Note that two commands have “grep qlc or emlx.” Depending on whether you have Qlogic (qlc) or Emulex (emlx) cards, you will grep for that variable. If you have other commands you would like to share, post a comment and I’ll add it.

> fcinfo hba-port

> luxadm -e port

> luxadm -e dump_map <insert the full device path from the above command>

> prtdiag -v | grep qlc or emlx

> prtpicl -v | grep qlc or emlx

> prtconf -vp | grep port-wwn

> cfgadm -al -o show_FCP_dev

> luxadm probe

> luxadm display <insert a WWN number from the above command>

HOWTO Secure iSCSI Luns Between Oracle Solaris 11 and NetApp Storage Using Bidirectional CHAP

09 Thursday Jan 2014

Posted by Slice2 in iSCSI, NetApp, Oracle, Security, Solaris

≈ Leave a comment

Tags

iSCSI, NetApp, Oracle, Security, Solaris

This post demonstrates how to secure iSCSI luns between Oracle Solaris 11 and NetApp storage. Solaris calls it Bidirectional CHAP rather than Mutual CHAP. The aggregate, lun and disk sizes are small in this HOWTO to keep it simple. Research the relationship between Solaris EFI, Solaris VTOC and lun size as well as UFS vs ZFS to make sure you choose the proper type for your environment. This was done with Solaris 11 (11/11) x86. All steps except the fdisk step near the end are the same for SPARC systems.

1) Check for the iSCSI initiator packages. They should be installed by default. pkginfo shows the legacy SVR4 names; on Solaris 11 the IPS package is listed with pkg list | grep -i iscsi.
> pkginfo | grep iSCSI
system    SUNWiscsir    Sun iSCSI Device Driver (root)
system    SUNWiscsiu    Sun iSCSI Management Utilities (usr)

2) Make sure the iSCSI service is running on your Solaris host.
> svcs | grep iscsi
online  6:41:58 svc:/network/iscsi/initiator:default

If not, start it.
> svcadm enable svc:/network/iscsi/initiator:default

3) Get your local iSCSI Initiator Node Name or iqn name on the Solaris host.
> iscsiadm list initiator-node | grep iqn
Initiator node name: iqn.1986-03.com.sun:01:e00000000000.52bcad1c

4) Make sure the iscsi service is running on the NetApp.
netapp> iscsi status

5) Create the volume that will hold the iscsi luns. This command assumes you have aggregate aggr1 already created. If not use an aggregate that has enough room for your volume.
netapp> vol create MCHAPVOL aggr1 10g

6) Create a lun on the volume.
netapp> lun create -s 5g -t solaris_efi /vol/MCHAPVOL/SOL11_iSCSI_MCHAP_01

7) Create an igroup and add the Solaris iscsi node name or iqn from step 3 above to it.
netapp> igroup create -i -t solaris ISCSI_MCHAP_SOL11
netapp> igroup add ISCSI_MCHAP_SOL11 iqn.1986-03.com.sun:01:e00000000000.52bcad1c
netapp> igroup show

ISCSI_MCHAP_SOL11 (iSCSI) (ostype: solaris):
iqn.1986-03.com.sun:01:e00000000000.52bcad1c (not logged in)

8) Map the lun to the igroup and give it lun ID 01.
netapp> lun map /vol/MCHAPVOL/SOL11_iSCSI_MCHAP_01 ISCSI_MCHAP_SOL11 01

Note: Solaris EFI is for larger than 2 TB luns and Solaris VTOC for smaller disks. This lun is small just to demonstrate the configuration.

9) Obtain the NetApp target nodename.
netapp> iscsi nodename
iqn.1992-08.com.netapp:sn.4055372815

10) On the Solaris host, configure the target (NetApp controller) to be statically discovered. Every long option below takes two leading dashes.
> iscsiadm modify discovery --static enable
> iscsiadm modify discovery --sendtargets enable
> iscsiadm add discovery-address 10.10.10.141:3260
> iscsiadm add static-config iqn.1992-08.com.netapp:sn.4055372815,10.10.10.141:3260
> iscsiadm list static-config
Static Configuration Target: iqn.1992-08.com.netapp:sn.4055372815,10.10.10.141:3260

11) Check your discovery methods. Make sure Static and Send Targets are enabled.
> iscsiadm list discovery
Discovery:
Static: enabled
Send Targets: enabled
iSNS: disabled

12) Enable Bidirectional CHAP on the Solaris host for the target NetApp controller.
> iscsiadm modify target-param --authentication CHAP iqn.1992-08.com.netapp:sn.4055372815
> iscsiadm modify target-param -B enable iqn.1992-08.com.netapp:sn.4055372815

13) Set the CHAP secret the target (NetApp controller) must present to the Solaris host. Solaris requires CHAP secrets of 12 to 16 characters. Pick a random value rather than a word, and use a different secret for each direction: RFC 3720 section 8.2.1 forbids configuring the same secret for initiator and target authentication, because a shared secret lets either side pass by reflecting the peer's challenge. The secrets in this HOWTO are placeholders.
> iscsiadm modify target-param --CHAP-secret iqn.1992-08.com.netapp:sn.4055372815
Enter secret: NETAPPBICHAP
Re-enter secret: NETAPPBICHAP

14) Set the Solaris host initiator CHAP name and secret. The secret entered here is the one the initiator presents to the NetApp controller.
> iscsiadm modify initiator-node --authentication CHAP
> iscsiadm modify initiator-node --CHAP-name iqn.1986-03.com.sun:01:e00000000000.52bcad1c
> iscsiadm modify initiator-node --CHAP-secret
Enter secret: BIDIRCHAPSOL11
Re-enter secret: BIDIRCHAPSOL11

15) Verify your target parameters. Make sure Bidirectional Authentication is enabled and Authentication type is CHAP.
> iscsiadm list target-param -v iqn.1992-08.com.netapp:sn.4055372815
Target: iqn.1992-08.com.netapp:sn.4055372815
Alias: -
Bi-directional Authentication: enabled
Authentication Type: CHAP
CHAP Name: iqn.1992-08.com.netapp:sn.4055372815
Login Parameters (Default/Configured):
Data Sequence In Order: yes/-
Data PDU In Order: yes/-
Default Time To Retain: 20/-
Default Time To Wait: 2/-
Error Recovery Level: 0/-
First Burst Length: 65536/-
Immediate Data: yes/-
Initial Ready To Transfer (R2T): yes/-
Max Burst Length: 262144/-
Max Outstanding R2T: 1/-
Max Receive Data Segment Length: 8192/-
Max Connections: 65535/-
Header Digest: NONE/-
Data Digest: NONE/-
Tunable Parameters (Default/Configured):
Session Login Response Time: 60/-
Maximum Connection Retry Time: 180/-
Login Retry Time Interval: 60/-
Configured Sessions: 1

16) Set the Bidirectional CHAP secrets on the NetApp controller. The inbound secret (-p) is the one the Solaris initiator presents (step 14) and the outbound secret (-o) is the one the controller presents back (step 13). Both appear on the command line here, so expect them in the console history and audit log.
netapp> iscsi security add -i iqn.1986-03.com.sun:01:e00000000000.52bcad1c -s chap -p BIDIRCHAPSOL11 -n iqn.1986-03.com.sun:01:e00000000000.52bcad1c -o NETAPPBICHAP -m iqn.1992-08.com.netapp:sn.4055372815

a) View the iSCSI security configuration.
netapp> iscsi security show
init: iqn.1986-03.com.sun:01:e00000000000.52bcad1c auth: CHAP Local Inbound password: **** Inbound username: iqn.1986-03.com.sun:01:e00000000000.52bcad1c Outbound password: **** Outbound username: iqn.1992-08.com.netapp:sn.4055372815

17) On the Solaris host, reconfigure the /dev namespace to recognize the iSCSI disk (lun) you just connected.
> devfsadm -i iscsi    (or devfsadm -Cv -i iscsi to also clean up stale device entries)

18) Log in to the server and format the disk. The fdisk command below is only needed on x86; skip it on SPARC. Your input follows each prompt in the sequence below.
> format
Searching for disks…done

AVAILABLE DISK SELECTIONS:
0. c4t0d0 <VMware-Virtual disk-1.0 cyl 1824 alt 2 hd 255 sec 63>
/pci@0,0/pci15ad,1976@10/sd@0,0
1. c5t2d0 <NETAPP-LUN-7350 cyl 2558 alt 2 hd 128 sec 32>
/iscsi/disk@0000iqn.1992-08.com.netapp%3Asn.8416793903E8,1
Specify disk (enter its number): 1
selecting c5t2d0
[disk formatted]
No Solaris fdisk partition found.

FORMAT MENU:
disk       – select a disk
type       – select (define) a disk type
partition  – select (define) a partition table
current    – describe the current disk
format     – format and analyze the disk
fdisk      – run the fdisk program
repair     – repair a defective sector
label      – write label to the disk
analyze    – surface analysis
defect     – defect list management
backup     – search for backup labels
verify     – read and display labels
save       – save new disk/partition definitions
inquiry    – show disk ID
volname    – set 8-character volume name
!<cmd>     – execute <cmd>, then return
quit
format> fdisk   (skip this command if you are on a SPARC system)
No fdisk table exists. The default partition for the disk is:

a 100% "SOLARIS System" partition

Type "y" to accept the default partition, otherwise type "n" to edit the
partition table.
y

format> p

PARTITION MENU:
0      - change `0' partition
1      - change `1' partition
2      - change `2' partition
3      - change `3' partition
4      - change `4' partition
5      - change `5' partition
6      - change `6' partition
7      - change `7' partition
select – select a predefined table
modify – modify a predefined partition table
name   – name the current table
print  – display the current table
label  – write partition map and label to the disk
!<cmd> – execute <cmd>, then return
quit
partition> p
Current partition table (default):
Total disk cylinders available: 2557 + 2 (reserved cylinders)

Part      Tag    Flag     Cylinders        Size            Blocks
0 unassigned    wm       0               0         (0/0/0)           0
1 unassigned    wm       0               0         (0/0/0)           0
2     backup    wu       0 – 2556        4.99GB    (2557/0/0) 10473472
3 unassigned    wm       0               0         (0/0/0)           0
4 unassigned    wm       0               0         (0/0/0)           0
5 unassigned    wm       0               0         (0/0/0)           0
6 unassigned    wm       0               0         (0/0/0)           0
7 unassigned    wm       0               0         (0/0/0)           0
8       boot    wu       0 –    0        2.00MB    (1/0/0)        4096
9 unassigned    wm       0               0         (0/0/0)           0

partition> 0
Part      Tag    Flag     Cylinders        Size            Blocks
0 unassigned    wm       0               0         (0/0/0)           0

Enter partition id tag[unassigned]: <press enter>
Enter partition permission flags[wm]: <press enter>
Enter new starting cyl[0]: <press enter>
Enter partition size[0b, 0c, 0e, 0.00mb, 0.00gb]: 4.99gb

partition> l     (This is a lower case "L", not the numeral one. This step labels the disk.)
Ready to label disk, continue? y

partition> q

format> q

19) Create the file system. You can choose either UFS or ZFS. Both options are shown below.

a) If you will use UFS:
> newfs -Tv /dev/rdsk/c5t2d0s0
newfs: construct a new file system /dev/rdsk/c5t2d0s0: (y/n)? y
mkfs -F ufs /dev/rdsk/c5t2d0s0 10465280 32 128 8192 8192 -1 1 250 1048576 t 0 -1 8 128 y
/dev/rdsk/c5t2d0s0:     10465280 sectors in 2555 cylinders of 128 tracks, 32 sectors
5110.0MB in 18 cyl groups (149 c/g, 298.00MB/g, 320 i/g)
super-block backups (for fsck -F ufs -o b=#) at: 32, 610368, 1220704, 1831040, 2441376,
3051712, 3662048, 4272384, 4882720, 5493056,
6103392, 6713728, 7324064, 7934400, 8544736, 9155072, 9765408, 10375744

> fsck /dev/rdsk/c5t2d0s0
> mkdir /old_ufs_filesystem
> mount /dev/dsk/c5t2d0s0 /old_ufs_filesystem
> vi /etc/vfstab and add the line below to the bottom of the file so the filesystem mounts at boot.
/dev/dsk/c5t2d0s0 /dev/rdsk/c5t2d0s0 /old_ufs_filesystem  ufs  2 yes -
> :wq (to save and exit vi)

b) Check the new mount.
> df -h | grep old_ufs_filesystem
/dev/dsk/c5t2d0s0      5.0G  5.0M 4.9G 1% /old_ufs_filesystem

20) If you will use ZFS:
a) Create a pool.
> zpool create -f netappluns c5t2d0s0

b) Create the filesystem.
> zfs create netappluns/fs

c) List the new filesystem.
> zfs list -r netappluns
NAME           USED  AVAIL  REFER  MOUNTPOINT
netappluns     124K  4.89G    32K  /netappluns
netappluns/fs   31K  4.89G    31K  /netappluns/fs

d) Use the legacy display method.
> df -h | grep netappluns
netappluns       4.9G    32K   4.9G   1%    /netappluns
netappluns/fs    4.9G    31K   4.9G   1%    /netappluns/fs

21) You are done. Hope this helps.

HOWTO Secure iSCSI Luns Between Oracle Solaris 10 and NetApp Storage Using Bidirectional CHAP

27 Friday Dec 2013

Posted by Slice2 in iSCSI, NetApp, Oracle, Security, Solaris

≈ Leave a comment

Tags

iSCSI, NetApp, Oracle, Security, Solaris

This post demonstrates how to secure iSCSI luns between Oracle Solaris 10 and NetApp storage. Solaris calls it Bidirectional CHAP rather than Mutual CHAP. The aggregate, lun and disk sizes are small in this HOWTO to keep it simple. Research the relationship between Solaris EFI, Solaris VTOC and lun size as well as UFS vs ZFS to make sure you choose the proper type for your environment. This was done with Solaris 10 x86. All steps except the fdisk step near the end are the same for SPARC systems.

1) You need to be running at least the Solaris 10 1/06 release. To verify, check your release file.
> cat /etc/release
Oracle Solaris 10 8/11 s10x_u10wos_17b X86

2) Check for the iSCSI packages.
> pkginfo | grep iSCSI
system    SUNWiscsir    Sun iSCSI Device Driver (root)
system    SUNWiscsiu    Sun iSCSI Management Utilities (usr)

a) For reference the iSCSI target packages are listed below. You don’t need them for this HOWTO.
SUNWiscsitgtr    Sun iSCSI Target (Root)
SUNWiscsitgtu    Sun iSCSI Target (Usr)

3) If the packages are not installed, mount the Solaris 10 DVD and install them. The SPARC path differs: sol_10_811_sparc.
If the DVD doesn't mount automatically (mount the block device under /dev/dsk, not /dev/rdsk):
> mount -F hsfs -o ro /dev/dsk/c0t2d0s2 /mnt
> cd /mnt/sol_10_811_x86/Solaris_10/Product
If it does:
> cd /cdrom/sol_10_811_x86/Solaris_10/Product
> /usr/sbin/pkgadd -d . SUNWiscsir SUNWiscsiu

4) Make sure the iSCSI service is running on your Solaris host.
> svcs | grep iscsi
online  6:41:58 svc:/network/iscsi/initiator:default

If not, start it.
> svcadm enable svc:/network/iscsi/initiator:default

5) Get your local iSCSI Initiator Node Name or iqn name on the Solaris host.
> iscsiadm list initiator-node | grep iqn
Initiator node name: iqn.1986-03.com.sun:01:ea2fccf7ffff.52b894f9

6) Make sure the iscsi service is running on the NetApp.
netapp> iscsi status
If not, start it (You need a license for iscsi. Check with the license command.)
netapp> iscsi start

7) Create the volume that will hold the iscsi luns. This command assumes you have aggregate aggr1 already created. If not use an aggregate that has enough room for your volume.
netapp> vol create MCHAPVOL aggr1 10g

8) Create a lun on the volume.
netapp> lun create -s 5g -t solaris_efi /vol/MCHAPVOL/SOL10_iSCSI_MCHAP_01

9) Create an igroup and add the Solaris iscsi node name or iqn from step 5 above to it.
netapp> igroup create -i -t solaris ISCSI_MCHAP_SOL10
netapp> igroup add ISCSI_MCHAP_SOL10 iqn.1986-03.com.sun:01:ea2fccf7ffff.52b894f9
netapp> igroup show

ISCSI_MCHAP_SOL10 (iSCSI) (ostype: solaris):
iqn.1986-03.com.sun:01:ea2fccf7ffff.52b894f9 (not logged in)

10) Map the lun to the igroup and give it lun ID 01.
netapp> lun map /vol/MCHAPVOL/SOL10_iSCSI_MCHAP_01 ISCSI_MCHAP_SOL10 01

Note: Solaris EFI is for larger than 2 TB luns and Solaris VTOC for smaller disks. This lun is small just to demonstrate the configuration.

11) Obtain the NetApp target nodename.
netapp> iscsi nodename
iqn.1992-08.com.netapp:sn.84167939

12) On the Solaris host, configure the target (NetApp controller) to be statically discovered. Every long option below takes two leading dashes.
> iscsiadm modify discovery --static enable
> iscsiadm modify discovery --sendtargets enable
> iscsiadm add discovery-address 10.10.10.11:3260
> iscsiadm add static-config iqn.1992-08.com.netapp:sn.84167939,10.10.10.11:3260
> iscsiadm list static-config
Static Configuration Target: iqn.1992-08.com.netapp:sn.84167939,10.10.10.11:3260

13) Check your discovery methods. Make sure Static and Send Targets are enabled.
> iscsiadm list discovery
Discovery:
Static: enabled
Send Targets: enabled
iSNS: disabled

14) Enable Bidirectional CHAP on the Solaris host for the target NetApp controller.
> iscsiadm modify target-param --authentication CHAP iqn.1992-08.com.netapp:sn.84167939
> iscsiadm modify target-param -B enable iqn.1992-08.com.netapp:sn.84167939

15) Set the CHAP secret the target (NetApp controller) must present to the Solaris host. Solaris requires CHAP secrets of 12 to 16 characters; choose random values and use a different secret for each direction. The secrets in this HOWTO are placeholders.
> iscsiadm modify target-param --CHAP-secret iqn.1992-08.com.netapp:sn.84167939
Enter secret: NETAPPBICHAP
Re-enter secret: NETAPPBICHAP

16) Set the Solaris host initiator CHAP name and secret. The secret entered here is the one the initiator presents to the NetApp controller.
> iscsiadm modify initiator-node --authentication CHAP
> iscsiadm modify initiator-node --CHAP-name iqn.1986-03.com.sun:01:ea2fccf7ffff.52b894f9
> iscsiadm modify initiator-node --CHAP-secret
Enter secret: BIDIRCHAPSOL10
Re-enter secret: BIDIRCHAPSOL10

17) Verify your target parameters. Make sure Bidirectional Authentication is enabled and Authentication type is CHAP.
> iscsiadm list target-param -v iqn.1992-08.com.netapp:sn.84167939
Target: iqn.1992-08.com.netapp:sn.84167939
Alias: -
Bi-directional Authentication: enabled
Authentication Type: CHAP
CHAP Name: iqn.1992-08.com.netapp:sn.84167939
Login Parameters (Default/Configured):
Data Sequence In Order: yes/-
Data PDU In Order: yes/-
Default Time To Retain: 20/-
Default Time To Wait: 2/-
Error Recovery Level: 0/-
First Burst Length: 65536/-
Immediate Data: yes/-
Initial Ready To Transfer (R2T): yes/-
Max Burst Length: 262144/-
Max Outstanding R2T: 1/-
Max Receive Data Segment Length: 8192/-
Max Connections: 1/-
Header Digest: NONE/-
Data Digest: NONE/-
Tunable Parameters (Default/Configured):
Session Login Response Time: 60/-
Maximum Connection Retry Time: 180/-
Login Retry Time Interval: 60/-
Configured Sessions: 1

18) Set the Bidirectional CHAP secrets on the NetApp controller. The inbound secret (-p) is the one the Solaris initiator presents (step 16) and the outbound secret (-o) is the one the controller presents back (step 15). Both appear on the command line here, so expect them in the console history and audit log.
netapp> iscsi security add -i iqn.1986-03.com.sun:01:ea2fccf7ffff.52b894f9 -s chap -p BIDIRCHAPSOL10 -n iqn.1986-03.com.sun:01:ea2fccf7ffff.52b894f9 -o NETAPPBICHAP -m iqn.1992-08.com.netapp:sn.84167939

a) View the iSCSI security configuration.
netapp> iscsi security show
init: iqn.1986-03.com.sun:01:ea2fccf7ffff.52b894f9 auth: CHAP Inbound password: **** Inbound username: iqn.1986-03.com.sun:01:ea2fccf7ffff.52b894f9 Outbound password: **** Outbound username: iqn.1992-08.com.netapp:sn.84167939
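An added example, not from this post or the Solaris 11 one above, covering the CHAP steps the two share: a generator for secrets that fit the Solaris 12 to 16 character rule, a check for that rule, and a function that takes the two IQNs and two secrets, refuses to proceed if the secrets are identical (RFC 3720 section 8.2.1 forbids configuring an initiator's secret as a target's, since a shared secret lets a reflected challenge pass), and prints the iscsiadm and NetApp 7-mode commands with the inbound/outbound pairing used in steps 14 to 18. The IQNs in the demo are constructed placeholders; the printed plan contains the secrets, so treat its output like the secrets themselves.

```shell
#!/bin/sh
# Added example, not from the original posts (Solaris 11 above, Solaris 10
# here). Helpers for the bidirectional CHAP steps:
#   gen_chap_secret            16 random printable characters, the longest
#                              secret the Solaris initiator accepts
#   check_chap_secret SECRET   Solaris rule: 12 to 16 bytes, printable ASCII
#   mutual_chap_plan INIT_IQN TGT_IQN INIT_SECRET TGT_SECRET
#                              rejects equal secrets and prints both sides'
#                              commands with the inbound/outbound pairing
#                              the HOWTO uses
# IQNs used in the demo are constructed sample values.

gen_chap_secret() {
    # Letters and digits only, so the value survives every CLI and prompt.
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | dd bs=1 count=16 2>/dev/null
}

check_chap_secret() {
    s=$1
    n=$(printf '%s' "$s" | wc -c | tr -d ' ')
    if [ "$n" -lt 12 ] || [ "$n" -gt 16 ]; then
        echo "CHAP secret must be 12 to 16 bytes, got $n" >&2
        return 1
    fi
    # Anything outside space..tilde is not printable ASCII.
    nonprint=$(printf '%s' "$s" | LC_ALL=C tr -d ' -~' | wc -c | tr -d ' ')
    if [ "$nonprint" -ne 0 ]; then
        echo "CHAP secret must be printable ASCII" >&2
        return 1
    fi
    return 0
}

mutual_chap_plan() {
    init_iqn=$1; tgt_iqn=$2; init_secret=$3; tgt_secret=$4
    check_chap_secret "$init_secret" || return 1
    check_chap_secret "$tgt_secret" || return 1
    # RFC 3720 8.2.1: a secret that authenticates an initiator must not also
    # be configured to authenticate a target. With one shared secret either
    # side could answer a challenge by reflecting it back at the peer.
    if [ "$init_secret" = "$tgt_secret" ]; then
        echo "initiator and target secrets must differ" >&2
        return 1
    fi
    cat <<EOF
# Solaris host. iscsiadm prompts for secrets, so they stay out of history.
iscsiadm modify initiator-node --authentication CHAP
iscsiadm modify initiator-node --CHAP-name $init_iqn
iscsiadm modify initiator-node --CHAP-secret          # enter: $init_secret
iscsiadm modify target-param --authentication CHAP $tgt_iqn
iscsiadm modify target-param -B enable $tgt_iqn
iscsiadm modify target-param --CHAP-secret $tgt_iqn   # enter: $tgt_secret
# NetApp 7-mode. -p/-n: what the initiator presents (inbound to the filer);
# -o/-m: what the filer presents back (outbound). Both secrets are on this
# command line, so expect them in the filer's command history and audit log.
iscsi security add -i $init_iqn -s chap -p $init_secret -n $init_iqn -o $tgt_secret -m $tgt_iqn
EOF
}

# Demo with constructed IQNs and two freshly generated, distinct secrets.
INIT_IQN=iqn.1986-03.com.sun:01:000000000000.00000000
TGT_IQN=iqn.1992-08.com.netapp:sn.000000000
mutual_chap_plan "$INIT_IQN" "$TGT_IQN" "$(gen_chap_secret)" "$(gen_chap_secret)"
```

Feed the plan's iscsiadm lines to the Solaris host (typing the secrets at the prompts) and the iscsi security add line to the NetApp console, then confirm with iscsiadm list target-param -v and iscsi security show as in the steps above. CHAP only authenticates the login; the session itself is unencrypted and the Header/Data Digest shown in step 17 is NONE, so keep the iSCSI traffic on an isolated network.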

19) On the Solaris host, reconfigure the /dev namespace to recognize the iSCSI disk (lun) you just connected.
> devfsadm -i iscsi    (or devfsadm -Cv -i iscsi to also clean up stale device entries)

20) Verify CHAP configuration on the server. Restart the server and you should see the iSCSI session on the NetApp console.
> reboot

a) As the server boots, on the NetApp console you should see the following message:
[iscsi.notice:notice]: ISCSI: New session from initiator iqn.1986-03.com.sun:01:ea2fccf7ffff.52b894f9 at IP addr 10.10.10.188

21) Login to server and format the disk. Note – the fdisk command below can be skipped on SPARC systems. Your input is in bold red in the next sequence.
> format
AVAILABLE DISK SELECTIONS:
0. c1t0d0 <DEFAULT cyl 1563 alt 2 hd 255 sec 63>
/pci@0,0/pci15ad,1976@10/sd@0,0
1. c2t2d0 <DEFAULT cyl 2557 alt 2 hd 128 sec 32>
/iscsi/disk@0000iqn.1992-08.com.netapp%3Asn.8416793903E8,1
Specify disk (enter its number): 1
selecting c2t2d0
[disk formatted]

FORMAT MENU:
disk       – select a disk
type       – select (define) a disk type
partition  – select (define) a partition table
current    – describe the current disk
format     – format and analyze the disk
fdisk      – run the fdisk program
repair     – repair a defective sector
label      – write label to the disk
analyze    – surface analysis
defect     – defect list management
backup     – search for backup labels
verify     – read and display labels
save       – save new disk/partition definitions
inquiry    – show vendor, product and revision
volname    – set 8-character volume name
!<cmd>     – execute <cmd>, then return
quit

format> fdisk   (Note: this command is only necessary on x86 systems. If you are on SPARC, skip to the next step.)
No fdisk table exists. The default partition for the disk is:

a 100% “SOLARIS System” partition

Type “y” to accept the default partition,  otherwise type “n” to edit the
partition table.
y

22) Partition the disk:

format> p

PARTITION MENU:
0      – change `0′ partition
1      – change `1′ partition
2      – change `2′ partition
3      – change `3′ partition
4      – change `4′ partition
5      – change `5′ partition
6      – change `6′ partition
7      – change `7′ partition
select – select a predefined table
modify – modify a predefined partition table
name   – name the current table
print  – display the current table
label  – write partition map and label to the disk
!<cmd> – execute <cmd>, then return
quit
partition> p

Current partition table (original):
Total disk cylinders available: 2556 + 2 (reserved cylinders)

Part      Tag    Flag     Cylinders        Size            Blocks
0 unassigned    wm       0               0               (0/0/0)           0
1 unassigned    wm       0               0               (0/0/0)           0
2        backup    wu        0 - 2555    4.99GB     (2556/0/0) 10469376
3 unassigned    wm       0               0               (0/0/0)           0
4 unassigned    wm       0               0               (0/0/0)           0
5 unassigned    wm       0               0               (0/0/0)           0
6 unassigned    wm       0               0               (0/0/0)           0
7 unassigned    wm       0               0               (0/0/0)           0
8            boot    wu        0 -    0       2.00MB     (1/0/0)        4096
9 unassigned    wm       0               0               (0/0/0)           0

partition> 0
Part      Tag    Flag     Cylinders        Size            Blocks
0 unassigned    wm       0               0         (0/0/0)           0

Enter partition id tag[unassigned]: <press enter>
Enter partition permission flags[wm]: <press enter>
Enter new starting cyl[0]: <press enter>
Enter partition size[0b, 0c, 0e, 0.00mb, 0.00gb]: 4.99gb

partition> l     (This is a lower case “L” not a numeral one or 1. This step labels the disk.)
Ready to label disk, continue? y

partition> q

format> q

23) Create the file system. You can choose either UFS or ZFS. Both options are shown below.

a) If you will use UFS:
> newfs -Tv /dev/rdsk/c2t2d0s0
newfs: construct a new file system /dev/rdsk/c2t2d0s0: (y/n)? y
pfexec mkfs -F ufs /dev/rdsk/c2t2d0s0 10465280 32 128 8192 8192 -1 1 250 1048576 t 0 -1 8 128 y
/dev/rdsk/c2t2d0s0: 10465280 sectors in 2555 cylinders of 128 tracks, 32 sectors
5110.0MB in 18 cyl groups (149 c/g, 298.00MB/g, 320 i/g)
super-block backups (for fsck -F ufs -o b=#) at:
32, 610368, 1220704, 1831040, 2441376, 3051712, 3662048, 4272384, 4882720,
5493056, 6103392, 6713728, 7324064, 7934400, 8544736, 9155072, 9765408, 10375744

> fsck /dev/rdsk/c2t2d0s0
> mkdir /old_ufs_filesystem
> mount /dev/dsk/c2t2d0s0 /old_ufs_filesystem
> vi /etc/vfstab and add the line below to the bottom of the file. This will mount it when the system boots.
/dev/dsk/c2t2d0s0 /dev/rdsk/c2t2d0s0 /old_ufs_filesystem  ufs  2 yes -
> wq! (to exit the vi session)

b) Check the new mount.
> df -h | grep old_ufs_filesystem
/dev/dsk/c2t2d0s0  4.9G 5.0M 4.9G 1% /old_ufs_filesystem

24) If you will use ZFS:
a) Create a pool.
> zpool create -f netappluns c2t2d0

b) Create the filesystem.
> zfs create netappluns/fs

c) List the new filesystem.
> zfs list -r netappluns
NAME            USED  AVAIL  REFER  MOUNTPOINT
netappluns      131K  4.89G    31K  /netappluns
netappluns/fs    31K  4.89G    31K  /netappluns/fs

Use the legacy display method.
> df -h | grep netappluns
netappluns             4.9G    32K   4.9G     1%    /netappluns
netappluns/fs          4.9G    31K   4.9G     1%    /netappluns/fs

25) You are done. Hope this helps.

Display the iSCSI Initiator Node Name or IQN from the command line.

01 Sunday Sep 2013

Posted by Slice2 in HP, iSCSI, Linux, NetApp, NetBSD, Solaris, VMware, Windows

≈ 1 Comment

Tags

iSCSI

At some point you will be asked by a Storage Engineer for your system’s iSCSI Initiator Node Name or your iqn. This list shows you how to get your local iSCSI initiator name or iqn from the command line. This assumes the iSCSI service is installed, enabled and running. If you have a different way or want to add an OS or platform to this list simply leave a comment and I’ll add it.

AIX:
> smitty iscsi
select > iSCSI Protocol Device
select > Change / Show Characteristics of an iSCSI Protocol Device

FreeBSD (v10 and newer. Thanks to Edward Tomasz Napierala for this update):
> iscsictl -v  (only after you have established a session with your array)

HP-UX:
> iscsiutil -l

Linux:
> cat /etc/iscsi/initiatorname.iscsi

NetApp Data ONTAP: (this is a target iqn not a host iqn)
7-Mode:
> iscsi nodename

Cluster Mode from the clustershell:
> vserver iscsi show

NetBSD: (please make this easier NetBSD developers! How about an iscsictl list_initiators command?)
> iscsictl add_send_target -a <hostname or IP of your target/storage>
Added Send Target 1
> iscsictl refresh_targets
OK
> iscsictl list_targets
1: iqn.1992-08.com.netapp:sn.84167939
2: 10.1.0.25:3260,1000
> iscsictl login -P 2
Created Session 2, Connection 1
> iscsictl list_sessions
Session 2: Target iqn.1992-08.com.netapp:sn.84167939

On the NetApp filer find the initiator:
netapp01> iscsi initiator show
Initiators connected:
TSIH  TPGroup  Initiator/ISID/IGroup
4    1000   nbsd611.lab.slice2.com (iqn.1994-04.org.netbsd:iscsi.nbsd611.lab.slice2.com:0 / 40:00:01:37:00:00 / )

Solaris 11:
> iscsiadm list initiator-node

VMware ESXi 5.1:
ESXi console:
Get the devices first:
> esxcfg-scsidevs -a | grep iSCSI
Then get the iqn (in this case vmhba33 is the iSCSI device)
> vmkiscsi-tool -I -l vmhba33

esxcli:
> esxcli -s <esxihostname or ip> -u root iscsi adapter get -A vmhba33

Windows:
c:\iscsicli.exe

Solaris 10 1/13 Kerberos KDC HOWTO

07 Friday Jun 2013

Posted by Slice2 in Security, Solaris

≈ 2 Comments

Tags

Security, Solaris

This is based on my demo lab. If you follow the steps and just insert your info you should be fine. I’ll post Kerberized NFS and other services soon.

1) Verify packages are installed. If not, install them.
-> pkginfo SUNWkrbr SUNWkrbu SUNWkdcu SUNWkdcr
system SUNWkdcr Kerberos V5 KDC (root)
system SUNWkdcu Kerberos V5 Master KDC (user)
system SUNWkrbr Kerberos version 5 support (Root)
system SUNWkrbu Kerberos version 5 support (Usr)

2) If not installed, insert DVD, mount ISO or use NFS mount:
-> pkgadd -d /path/to/package/SUNWkrbr
-> pkgadd -d /path/to/package/SUNWkrbu
-> pkgadd -d /path/to/package/SUNWkdcu
-> pkgadd -d /path/to/package/SUNWkdcr

3) Make sure all of the SSH packages are installed.
-> pkginfo SUNWsshcu SUNWsshdr SUNWsshdu SUNWsshr SUNWsshu
system SUNWsshcu SSH Common, (Usr)
system SUNWsshdr SSH Server, (Root)
system SUNWsshdu SSH Server, (Usr)
system SUNWsshr SSH Client and utilities, (Root)
system SUNWsshu SSH Client and utilities, (Usr)

4) Define these elements before you start.
a. Realm name = LAB.SLICE2.COM. This is the name of your Kerberos Realm. Think of it like your Active Directory domain.
b. Master KDC = labkdc01.slice2.com. This is your Kerberos Key Distribution Center. Think of it like your Windows Domain Controller.
c. admin principal and password = kws/admin. This is your administrative principal user account. Think of it like your Windows Domain Admin.
d. The KDC Master password = (your choice). This is the KDC master database password. Do not forget this password or you will be hosed.
e. Host OS: Solaris 10. This was done with Solaris 10 x86 Update 11.
f. Hosts: Solaris 10u11 KDC and Solaris 10u11 client.

5) Configure NTP. Time is critical to Kerberos. If NTP is already done, skip this step.
-> touch /var/ntp/ntp.drift
-> cp /etc/inet/ntp.client /etc/inet/ntp.conf
-> vi /etc/inet/ntp.conf
server 10.10.10.2
server 10.10.10.3
driftfile /var/ntp/ntp.drift
multicastclient 224.0.1.1
-> wq!
-> svcadm restart ntp (or svcadm enable ntp if never run before)

a. Verify ntp:
-> ntpq -p
     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
 labdc01.lab.sli .LOCL.           1 u   23   64    3    1.17  -25.978 7887.18
 labdc02.lab.sli labdc01.lab.sli  2 u   22   64    3    0.99  -36.954 7895.22

6) Login as root on the Solaris host that will become the KDC. Edit the Kerberos configuration file krb5.conf to fit your environment. Only change the realm name, the KDC hostnames and the domain mapping below; leave the rest as shown.

-> cp /etc/krb5/krb5.conf /etc/krb5/krb5.conf.orig
-> vi /etc/krb5/krb5.conf
[libdefaults]
default_realm = LAB.SLICE2.COM

[realms]
LAB.SLICE2.COM = {
kdc = labkdc01.lab.slice2.com
# kdc = ___slave_kdc1___
# kdc = ___slave_kdc2___
# kdc = ___slave_kdcN___
admin_server = labkdc01.lab.slice2.com
}

[domain_realm]
lab.slice2.com = LAB.SLICE2.COM

[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {

# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.

period = 1d

# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, …)

versions = 10
}

[appdefaults]
kinit = {
renewable = true
forwardable= true
}
gkadmin = {
# help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
}

-> wq!

7) Edit the KDC file kdc.conf. Change the realm name to match your environment and add the remaining lines shown below to the end of the [realms] block.

-> cp /etc/krb5/kdc.conf /etc/krb5/kdc.conf.orig
-> vi /etc/krb5/kdc.conf

[kdcdefaults]
kdc_ports = 88,750

[realms]
LAB.SLICE2.COM = {
profile = /etc/krb5/krb5.conf
database_name = /var/krb5/principal
admin_keytab = /etc/krb5/kadm5.keytab
acl_file = /etc/krb5/kadm5.acl
kadmind_port = 749
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +preauth
sunw_dbprop_enable = true
sunw_dbprop_master_ulogsize = 1000
}

-> wq!

8) Create the KDC database.

-> /usr/sbin/kdb5_util create -s

Initializing database ‘/var/krb5/principal’ for realm ‘LAB.SLICE2.COM’,
master key name ‘K/M@LAB.SLICE2.COM’
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

9) Edit the Kerberos access control list.

-> cp /etc/krb5/kadm5.acl /etc/krb5/kadm5.acl.orig
-> vi /etc/krb5/kadm5.acl and add:

*/admin@LAB.SLICE2.COM *

-> wq!

10) Add principals.

-> /usr/sbin/kadmin.local
Authenticating as principal root/admin@LAB.SLICE2.COM with password.
kadmin.local:

a. Add administration principals to the database.
kadmin.local: addprinc kws/admin

WARNING: no policy specified for kws/admin@LAB.SLICE2.COM; defaulting to no policy
Enter password for principal “kws/admin@LAB.SLICE2.COM”:
Re-enter password for principal “kws/admin@LAB.SLICE2.COM”:
Principal “kws/admin@LAB.SLICE2.COM” created.

b. Create the kiprop principals.
kadmin.local: addprinc -randkey kiprop/labkdc01.lab.slice2.com

WARNING: no policy specified for kiprop/labkdc01.lab.slice2.com@LAB.SLICE2.COM; defaulting to no policy add_principal: Principal or policy already exists while creating “kiprop/labkdc01.lab.slice2.com@LAB.SLICE2.COM”.

c. Create a keytab file for the kadmind service.
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/labkdc01.lab.slice2.com

Entry for principal kadmin/labkdc01.lab.slice2.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/labkdc01.lab.slice2.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/labkdc01.lab.slice2.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/labkdc01.lab.slice2.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/labkdc01.lab.slice2.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.

kadmin.local: ktadd -k /etc/krb5/kadm5.keytab changepw/labkdc01.lab.slice2.com

Entry for principal changepw/labkdc01.lab.slice2.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/labkdc01.lab.slice2.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/labkdc01.lab.slice2.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/labkdc01.lab.slice2.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/labkdc01.lab.slice2.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local:

kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/changepw

Entry for principal kadmin/changepw with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.

d. Add the kiprop principal for the master KDC server to the kadmind keytab file.
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kiprop/labkdc01.lab.slice2.com

Entry for principal kiprop/labkdc01.lab.slice2.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/labkdc01.lab.slice2.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/labkdc01.lab.slice2.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/labkdc01.lab.slice2.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/labkdc01.lab.slice2.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.

e. Quit kadmin.local.
kadmin.local: quit

11) Start the Kerberos daemons.
-> svcadm enable -r network/security/krb5kdc
-> svcadm enable -r network/security/kadmin

12) Start kadmin and add more principals.
-> /usr/sbin/kadmin -p kws/admin
Authenticating as principal kws/admin with password.
Password for kws/admin@LAB.SLICE2.COM:

a. Create the master KDC host principal.
kadmin: addprinc -randkey host/labkdc01.lab.slice2.com

WARNING: no policy specified for host/labkdc01.lab.slice2.com@LAB.SLICE2.COM; defaulting to no policy
Principal “host/labkdc01.lab.slice2.com@LAB.SLICE2.COM” created.

b. Create the kclient principal.
kadmin: addprinc clntconfig/admin

WARNING: no policy specified for clntconfig/admin@LAB.SLICE2.COM; defaulting to no policy
Enter password for principal “clntconfig/admin@LAB.SLICE2.COM”:
Re-enter password for principal “clntconfig/admin@LAB.SLICE2.COM”:
Principal “clntconfig/admin@LAB.SLICE2.COM” created.

c. Add the master KDC’s host principal to the master KDC’s keytab file.
kadmin: ktadd host/labkdc01.lab.slice2.com

Entry for principal host/labkdc01.lab.slice2.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/labkdc01.lab.slice2.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/labkdc01.lab.slice2.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/labkdc01.lab.slice2.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/labkdc01.lab.slice2.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.

d. Quit kadmin.
kadmin: quit

13) Synchronize the master KDC's clock.
-> svcadm restart ntp

14) Copy the Master KDC’s krb5.conf file to an NFS share for clients. Create a folder and share it out for clients.
-> mkdir -p /export/install/kerberos_files/
-> vi /etc/dfs/dfstab and add something like this to fit your environment:
share -F nfs -o rw=krbclient01.lab.slice2.com -d "Kerberos Files for Clients" /export/install/kerberos_files
-> wq!
-> shareall
-> cp /etc/krb5/krb5.conf /export/install/kerberos_files/

15) Backup the KDC database

-> /usr/sbin/kdb5_util dump -verbose /export/install/kerberos_files/krb5.db.bkp

K/M@LAB.SLICE2.COM
changepw/labkdc01.lab.slice2.com@LAB.SLICE2.COM
clntconfig/admin@LAB.SLICE2.COM
host/krbclient01.lab.slice2.com@LAB.SLICE2.COM
host/labkdc01.lab.slice2.com@LAB.SLICE2.COM
kadmin/changepw@LAB.SLICE2.COM
kadmin/history@LAB.SLICE2.COM
kadmin/labkdc01.lab.slice2.com@LAB.SLICE2.COM
kiprop/labkdc01.lab.slice2.com@LAB.SLICE2.COM
krbtgt/LAB.SLICE2.COM@LAB.SLICE2.COM
kws/admin@LAB.SLICE2.COM
nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM

16) Create user principals.
-> kadmin kws/admin
-> addprinc johndoe

WARNING: no policy specified for johndoe@LAB.SLICE2.COM; defaulting to no policy
Enter password for principal “johndoe@LAB.SLICE2.COM”:
Re-enter password for principal “johndoe@LAB.SLICE2.COM”:
Principal “johndoe@LAB.SLICE2.COM” created.

Test user:

-> kinit johndoe
-> klist -c

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: johndoe@LAB.SLICE2.COM

Valid starting Expires Service principal
06/07/13 11:50:45 06/07/13 19:50:45 krbtgt/LAB.SLICE2.COM@LAB.SLICE2.COM
renew until 06/14/13 11:50:45

Configure a Solaris client to use Kerberos.

1) Login as root to the client. Interactively configure Kerberos by answering the prompts as shown below:
-> /usr/sbin/kclient

Starting client setup

—————————————————
Do you want to use DNS for kerberos lookups ? [y/n]: n
No action performed.
Enter the Kerberos realm: LAB.SLICE2.COM
Specify the KDC hostname for the above realm: labkdc01.lab.slice2.com
labkdc01.lab.slice2.com

Note, this system and the KDC’s time must be within 5 minutes of each other for Kerberos to function. Both systems should run some form of time synchronization system like Network Time Protocol (NTP).

Setting up /etc/krb5/krb5.conf.

Enter the krb5 administrative principal to be used: kws/admin
Obtaining TGT for kws/admin …
Password for kws/admin@LAB.SLICE2.COM:

Do you have multiple DNS domains spanning the Kerberos realm LAB.SLICE2.COM ? [y/n]: n
No action performed.

Do you plan on doing Kerberized nfs ? [y/n]: y

nfs/krbclient01.lab.slice2.com entry ADDED to KDC database.
nfs/krbclient01.lab.slice2.com entry ADDED to keytab.

host/krbclient01.lab.slice2.com entry ADDED to KDC database.
host/krbclient01.lab.slice2.com entry ADDED to keytab.

Do you want to copy over the master krb5.conf file ? [y/n]: y
Enter the pathname of the file to be copied: /net/10.10.10.101/export/install/kerberos_files/krb5.conf

Copied /net/10.10.10.101/export/install/kerberos_files/krb5.conf.

—————————————————
Setup COMPLETE.

2) Check the configuration.
-> klist -e -k -t

Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp Principal
—- —————– ———————————————————
3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (Triple DES cbc mode with HMAC/sha1)
3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (ArcFour with HMAC/md5)
3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (DES cbc mode with RSA-MD5)
3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (Triple DES cbc mode with HMAC/sha1)
3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (ArcFour with HMAC/md5)
3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (DES cbc mode with RSA-MD5)
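The keytab listing above holds single DES and ArcFour keys alongside the AES ones, which is what Solaris 10 writes by default. As an added check, not part of the original post, this script reads saved `klist -e -k -t` output and flags every principal that still carries a DES, Triple DES or ArcFour key, so you can see what an old client keytab exposes before deciding whether your realm still needs those types. The sample is constructed from the post's own listing.

```shell
#!/bin/sh
# Added example, not from the original post: audit saved
# "klist -e -k -t" output for weak encryption types.
# On Solaris 10 run it with nawk or /usr/xpg4/bin/awk in place of awk.

# Constructed sample mirroring the post's client keytab listing
# (the host/ principal is shortened to its AES keys only).
SAMPLE='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------------
   3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (Triple DES cbc mode with HMAC/sha1)
   3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (ArcFour with HMAC/md5)
   3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (DES cbc mode with RSA-MD5)
   3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)'

# audit_keytab_enctypes: read klist -e -k -t output on stdin. Each entry
# line is "<kvno> <date> <time> <principal> (<enctype>)". Prints
# "<principal> kvno=<n> weak=<list>" for principals holding DES, Triple
# DES or ArcFour keys and "<principal> kvno=<n> ok" otherwise.
# Exit status is 1 when any weak key is present.
audit_keytab_enctypes() {
    awk '
    $1 ~ /^[0-9]+$/ && NF >= 4 {
        kvno = $1; princ = $4
        enc = $0; sub(/^[^(]*\(/, "", enc); sub(/\)$/, "", enc)
        if (!(princ in seen)) { order[++n] = princ; seen[princ] = kvno }
        if (enc ~ /^DES cbc/)           weak[princ] = weak[princ] "des,"
        else if (enc ~ /^Triple DES/)   weak[princ] = weak[princ] "3des,"
        else if (enc ~ /^ArcFour/)      weak[princ] = weak[princ] "rc4,"
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            if (p in weak) {
                sub(/,$/, "", weak[p])
                print p " kvno=" seen[p] " weak=" weak[p]; bad++
            } else {
                print p " kvno=" seen[p] " ok"
            }
        }
        exit (bad > 0)
    }
    '
}

# Stand-alone run over the constructed sample; on a real host pipe the
# live listing in:  klist -e -k -t | audit_keytab_enctypes
printf '%s\n' "$SAMPLE" | audit_keytab_enctypes ||
    echo "weak encryption types found in keytab" >&2
```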

3) Configure ssh to use Kerberos.

3) Create a Kerberos principal to local Solaris user connection using the gsscred command. In this example, link my Kerberos principal johndoe@LAB.SLICE2.COM to my local Solaris user johndoe.

-> gsscred -m kerberos_v5 -a -c "John Doe" -n johndoe@LAB.SLICE2.COM -u johndoe

a. Check the Kerberos association database:

-> gsscred -l
0401000B06092A864886F712010202000000166A6F686E646F65404C41422E534C494345322E434F4D 100 johndoe, kerberos_v5

4) Ticket info. Sometimes you have to destroy the ticket to properly obtain a new one.
-> kdestroy

Get a fresh ticket:

-> kinit kws/admin
Password for kws/admin@LAB.SLICE2.COM:

Now list your new ticket:

-> klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kws/admin@LAB.SLICE2.COM

Valid starting Expires Service principal
06/07/13 15:12:31 06/07/13 23:12:31 krbtgt/LAB.SLICE2.COM@LAB.SLICE2.COM
renew until 06/14/13 15:12:31

Now you can login to kadmin as the kws admin user.

-> kadmin kws/admin
Authenticating as principal kws/admin@LAB.SLICE2.COM with password.
Password for kws/admin@LAB.SLICE2.COM:

Building a Jumpstart Server with Solaris 10 Update 10 x64 DVD/ISO

01 Saturday Jun 2013

Posted by Slice2 in Solaris

≈ Leave a comment

Tags

Solaris

The same process works for SPARC as well. Create an Install Server.

1) Insert the Solaris 10 Update 10 DVD into the Sun server DVD drive or mount the ISO in the Solaris VM.
-> mkdir -p /export/install/sol_10_u10_x86
Note that I always add the release version to the directory name. Since you can have multiple Solaris versions on the same jumpstart server, it keeps you organized.

2) Start the jumpstart server build process by executing the following:
-> cd /cdrom/sol_10_811_x86/Solaris_10/Tools
-> ./setup_install_server /export/install/sol_10_u10_x86
Verifying target directory…
Calculating the required disk space for the Solaris_10 product
Calculating space required for the installation boot image
Copying the CD image to disk…
Copying Install Boot Image hierarchy…
Copying /boot netboot hierarchy…
Install Server setup complete
Note: this will take quite a while to finish on older servers (and slow DVD drives). ISOs are much faster.

3) Create the jumpstart directory.
-> cd /
-> mkdir /jumpstart_sol_10_u10_x86
-> cp -r /cdrom/sol_10_811_x86/Solaris_10/Misc/jumpstart_sample/* /jumpstart_sol_10_u10_x86/

4) Create and share the jumpstart directory
-> vi /etc/dfs/dfstab and enter the following line:
share -F nfs -o ro,anon=0 -d "Solaris 10 Update 10 Jumpstart" /jumpstart_sol_10_u10_x86
-> wq!
-> shareall

Type the share command to verify.
-> share
-               /jumpstart_sol_10_u10_x86   ro,anon=0   "Solaris 10 Update 10 Jumpstart"

5) Create a profile for your server. I just use a generic profile because I custom install every server I build (mirrors/RAID5, various packages, etc). You can run highly customized profiles. See the Solaris 10 Installation Guide for more info.
-> cd /jumpstart_sol_10_u10_x86
-> vi homelab_profile (use any name you want – my lab is homelab) and enter the following:
install_type initial_install
system_type standalone
cluster SUNWCall
-> wq!

Note that if you remove "cluster SUNWCall" from the profile, you will be forced through a full interactive install. It's up to you if you want to cherry pick packages.

6) Update the Rules file. Add the following at the bottom of the rules file:
-> vi rules
# Homelab Profile
any - - homelab_profile -
-> wq!

7) Validate the rules file. You must run this command before every jumpstart session even if you didn’t change it.
-> cd /jumpstart_sol_10_u10_x86
-> ./check
Validating rules…
Validating profile zfsrootsimple…
Validating profile net924_sun4c…
Validating profile upgrade…
Validating profile x86-class…
Validating profile any_machine…
Validating profile homelab_profile…
The custom JumpStart configuration is ok.

8) Edit the /etc/ethers file. The Jumpstart server needs to have a MAC/hostname pairing in the ethers file. To get the MAC address from a running system, open an Xterm and run the following:
-> ifconfig -a | grep ether
ether 0:c:29:a4:73:98

The output 0:c:29:a4:73:98 should be added to the /etc/ethers file together with the hostname of the host (the hostname-to-IP mapping goes in /etc/inet/hosts, see step c below).
a) To get the MAC from a new SPARC system with no OS, attach a monitor (or serial cable) to the server and boot. The ethernet address is shown in the banner. You can also type banner at the OK# prompt. Some Sun server models have tiny stickers on the server with MAC addresses.
b) To get the MAC on a Solaris VM, start the Solaris 10 VM. You are looking for the following variable in the .vmx file:
ethernet0.generatedAddress = "00:0c:29:4b:fa:48"
– When the Solaris VM boots the MAC is displayed. You have to be fast to write it down. Or, you can try the options below.
– VMware Workstation on Windows: Browse out the .vmx file for the Solaris VM you want to jumpstart and open the .vmx file in notepad. Look for the ethernet0.generatedAddress variable.
– VMware Workstation on Linux: cd to the .vmx file for the Solaris VM you want to jumpstart and cat the .vmx file.
– VMware vSphere/ESXi: login to vCenter, right-click the Solaris VM, select Edit Settings, on the Hardware tab, select the Network Adapter and the MAC address is shown on the right.

Example /etc/ethers on the Jumpstart server with the MAC from a host named solclient01:
-> vi /etc/ethers
00:0c:29:4b:fa:48   solclient01
-> wq!

c) Make sure you add an entry for the host you are jumpstarting to the hosts file on the master jumpstart server.
-> vi /etc/inet/hosts
# For Jumpstart
10.10.10.111  solclient01  solclient01.lab.slice2.com

9) Setup your server to boot from the network.

Note that this is only good for systems on the same subnet as the jumpstart server. To boot servers off a different subnet, see Create a Boot Server in the Solaris 10 Advanced Installation Guide.
-> cd /cdrom/sol_10_811_x86/Solaris_10/Tools
-> ./add_install_client -c soljump:/jumpstart_sol_10_u10_x86 solclient01 i86pc (or sun4u/sun4v for SPARC)

a) In the add_install_client command above, the options that are used have the following meanings:
b) -c – Specifies the master Jumpstart server and path to the Jumpstart directory.
c) solclient01 – The hostname of a system to be built.
d) i86pc – Specifies the platform group of the systems that use the jumpstart server as an install server. Note that if you want to use a sysidcfg file you can use the -p option to provide the path to the file. Most likely you would place it in the shared jumpstart directory. See the sysidcfg man page for variables.

Boot the client and the jumpstart process will start by pulling the solaris binaries from the jumpstart server.
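Step 8 shows the MAC in two spellings: ifconfig prints it without zero padding (0:c:29:a4:73:98) while the .vmx file pads each octet (00:0c:29:4b:fa:48). As an added helper, not part of the original post, this script turns an ifconfig line into a padded /etc/ethers entry and refuses to emit one unless the hostname is already present in the hosts file from step 8c. The inputs are constructed from the post's own values.

```shell
#!/bin/sh
# Added example, not from the original post: build an /etc/ethers line
# for a Jumpstart client from "ifconfig -a | grep ether" output and
# confirm the hostname already resolves in the hosts file (step 8c).

# Constructed inputs taken from the post's own values.
IFCONFIG_LINE='        ether 0:c:29:a4:73:98'
HOSTS_SAMPLE='# For Jumpstart
10.10.10.111  solclient01  solclient01.lab.slice2.com'

# normalize_mac: print a MAC with every octet zero-padded to two lower
# case hex digits, e.g. "0:c:29:a4:73:98" -> "00:0c:29:a4:73:98".
# Exit status 1 for anything that is not six hex octets.
normalize_mac() {
    printf '%s\n' "$1" | awk -F: '
    NF != 6 { exit 1 }
    {
        for (i = 1; i <= NF; i++) {
            if ($i !~ /^[0-9A-Fa-f][0-9A-Fa-f]?$/) exit 1
            o = tolower($i)
            if (length(o) == 1) o = "0" o
            printf "%s%s", (i > 1 ? ":" : ""), o
        }
        printf "\n"
    }'
}

# ethers_entry IFCONFIG_LINE HOSTNAME HOSTS_TEXT: print the /etc/ethers
# line "<mac> <hostname>" when the MAC parses and the hostname appears as
# a name in HOSTS_TEXT; otherwise explain on stderr and return 1.
ethers_entry() {
    line=$1; host=$2; hosts=$3
    raw=$(printf '%s\n' "$line" | awk '$1 == "ether" { print $2 }')
    [ -n "$raw" ] || { echo "no ether field in: $line" >&2; return 1; }
    mac=$(normalize_mac "$raw") || { echo "bad MAC: $raw" >&2; return 1; }
    if ! printf '%s\n' "$hosts" | awk -v h="$host" '
        $1 ~ /^#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END { exit !found }'
    then
        echo "$host is not in the hosts file; add it first (step 8c)" >&2
        return 1
    fi
    printf '%s %s\n' "$mac" "$host"
}

# Stand-alone run: prints "00:0c:29:a4:73:98 solclient01".
ethers_entry "$IFCONFIG_LINE" solclient01 "$HOSTS_SAMPLE"
```

On a live server replace the constructed inputs with `ifconfig -a | grep ether` output and `cat /etc/inet/hosts`, and append the printed line to /etc/ethers.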
