Sun Microsystems, Inc.
UBRM05-104
500 Eldorado Blvd.
Broomfield, CO 80021
U.S.A.

Revision A

Student Workbook

Solaris™ 10 for Experienced System Administrators

SA-225-S10


Copyright 2004 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved.

This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any.

Third-party software, including font technology, is copyrighted and licensed from Sun suppliers.

Sun, Sun Microsystems, the Sun logo, Solaris, and OpenBoot are trademarks or registered trademarks of Sun Microsystems, Inc., in the U.S. and other countries.

All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc., in the U.S. and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc.

UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd.

Federal Acquisitions: Commercial Software – Government Users Subject to Standard License Terms and Conditions

Export Laws. Products, Services, and technical data delivered by Sun may be subject to U.S. export controls or the trade laws of other countries. You will comply with all such laws and obtain all licenses to export, re-export, or import as may be required after delivery to You. You will not export or re-export to entities on the most current U.S. export exclusions lists or to any country subject to U.S. embargo or terrorist controls as specified in the U.S. export laws. You will not use or provide Products, Services, or technical data for nuclear, missile, or chemical biological weaponry end uses.

DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.

THIS MANUAL IS DESIGNED TO SUPPORT AN INSTRUCTOR-LED TRAINING (ILT) COURSE AND IS INTENDED TO BE USED FOR REFERENCE PURPOSES IN CONJUNCTION WITH THE ILT COURSE. THE MANUAL IS NOT A STANDALONE TRAINING TOOL. USE OF THE MANUAL FOR SELF-STUDY WITHOUT CLASS ATTENDANCE IS NOT RECOMMENDED.

Export Control Classification Number (ECCN) assigned: September 10, 2004

Copyright 2004 Sun Microsystems Inc., 901 San Antonio Road, Palo Alto, California 94303, United States. All rights reserved.

This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form, by any means, without the prior written authorization of Sun and its licensors, if any.

Third-party software, including font technology, is copyrighted and licensed from Sun suppliers.

Sun, Sun Microsystems, the Sun logo, Solaris, and OpenBoot are trademarks or registered trademarks of Sun Microsystems, Inc., in the United States and other countries.

All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc., in the United States and other countries. Products bearing SPARC trademarks are based on an architecture developed by Sun Microsystems, Inc.

UNIX is a registered trademark in the United States and other countries, exclusively licensed through X/Open Company, Ltd.

Export laws. Products, Services, and technical data delivered by Sun may be subject to U.S. export controls or to the trade laws of other countries. We will comply with all such laws and obtain all export, re-export, or import licenses that may be required after delivery to You. You will not export or re-export to entities appearing on the most current U.S. export exclusion lists, or to any country subject to a U.S. embargo or to anti-terrorist controls as provided by U.S. export laws. You will not use or provide the Products, Services, or technical data for any end use related to nuclear, chemical, or biological weapons or to missiles.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL OTHER EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES ARE EXPRESSLY EXCLUDED, TO THE EXTENT PERMITTED BY APPLICABLE LAW, INCLUDING IN PARTICULAR ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.

THIS REFERENCE MANUAL IS TO BE USED IN THE CONTEXT OF AN INSTRUCTOR-LED TRAINING (ILT) COURSE. IT IS NOT A STANDALONE TRAINING TOOL. WE DO NOT RECOMMEND USING IT FOR SELF-STUDY.

Copyright 2004 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services, Revision A

Table of Contents

About This Workbook ............................................ Preface-i
    Course Goals ............................................... Preface-i
    Conventions ................................................ Preface-ii
        Typographical Conventions .............................. Preface-ii

Section I: Solaris™ 10 Operating System Installation ............. I-1
    Objectives ................................................. I-1

Exercise: Configuring a Software Installation Using the WAN Boot Procedure ... 1-1
    Objectives ................................................. 1-1
        Preparation ............................................ 1-1
        Task 1 – Creating a Flash Archive ...................... 1-2
        Task 2 – Configuring the Apache Web Server ............. 1-3
        Task 3 – Web-Install a Signed Patch .................... 1-3
        Task 4 – Configuring the WAN Boot and JumpStart Files .. 1-3
        Task 5 – Configuring the WAN Boot Client ............... 1-4
    Exercise Summary ........................................... 1-5
    Exercise Solutions ......................................... 1-6
        Task 1 – Creating a Flash Archive ...................... 1-6
        Task 2 – Configuring the Apache Web Server ............. 1-6
        Task 3 – Web-Install a Signed Patch .................... 1-7
        Task 4 – Configuring the WAN Boot and JumpStart Files .. 1-7
        Task 5 – Configuring the WAN Boot Client ............... 1-10

Section II: Solaris™ 10 System Management ........................ II-1
    Objectives ................................................. II-1

Exercise 2: Zones ................................................ 2-1
        Preparation ............................................ 2-1
        Task 1 – Creating Zones ................................ 2-2
        Task 2 – Configuring Resource Pools .................... 2-3
        Task 3 – Configuring CPU Fair Share Scheduling (FSS) ... 2-4
        Task 4 – Capping Physical Memory Resource .............. 2-5
        Task 5 – Removing Zones ................................ 2-5
    Exercise Summary ........................................... 2-6
    Exercise Solutions ......................................... 2-7
        Preparation ............................................ 2-7
        Task 1 – Creating Zones ................................ 2-7
        Task 2 – Configuring Resource Pools .................... 2-10
        Task 3 – Configuring CPU Fair Share Scheduling (FSS) ... 2-12
        Task 4 – Capping Physical Memory Resource .............. 2-12
        Task 5 – Removing Zones ................................ 2-13

Exercise 3: Authentication Changes ............................... 3-1
        Preparation ............................................ 3-1
        Task 1 – Identify Changes to Password Checking ......... 3-1
        Task 2 – Configure Least Privilege ..................... 3-2
        Task 3 – Identify Changes to Kerberos .................. 3-2
        Task 4 – Identify Changes to Sun Java System Web Server Reserved UID/GID ... 3-2
        Task 5 – Identify Changes to nobody Account Usage ...... 3-2
    Exercise Summary ........................................... 3-3
    Exercise Solutions ......................................... 3-4
        Task 1 – Identify Changes to Password Checking ......... 3-4
        Task 2 – Configure Least Privilege ..................... 3-5
        Task 3 – Identify Changes to Kerberos .................. 3-5
        Task 4 – Identify Changes to Sun Java System Web Server Reserved UID/GID ... 3-5
        Task 5 – Identify Changes to nobody Account Usage ...... 3-5

Exercise 4: Fault and Service Management ......................... 4-1
    Objective .................................................. 4-1
        Task 1 – Reviewing the Module .......................... 4-1
        Task 2 – Enabling and Disabling Services ............... 4-3
        Task 3 – Viewing SMF Log Files ......................... 4-3
    Exercise Summary ........................................... 4-4
    Exercise Solutions ......................................... 4-5
        Task 1 – Reviewing the Module .......................... 4-5
        Task 2 – Enabling and Disabling Services ............... 4-5
        Task 3 – Viewing SMF Log Files ......................... 4-8

Section III: Dynamic Tracing With DTrace ......................... III-1
    Objectives ................................................. III-1

Exercise 5: Listing Probes and Writing Simple D Scripts .......... 5-1
        Task 1 – Reviewing the Module .......................... 5-1
        Task 2 – Listing Probes ................................ 5-2
        Task 3 – Writing D Scripts ............................. 5-3
    Exercise Summary ........................................... 5-4
    Exercise Solutions ......................................... 5-5
        Task 1 – Reviewing the Module .......................... 5-5
        Task 2 – Listing Probes ................................ 5-6
        Task 3 – Writing D Scripts ............................. 5-6

Exercise 6: Using the vminfo, sysinfo, io, and syscall Providers ... 6-1
        Task 1 – Writing D Scripts ............................. 6-1
    Exercise Summary ........................................... 6-3
    Module 2 Exercise Solutions ................................ 6-4
        Task 1 – Writing D Scripts ............................. 6-4

Section IV: Solaris™ 10 Networking ............................... IV-1
    Objectives ................................................. IV-1

Exercise 7: Changes to Internet Protocol Features ................ 7-1
    Objectives ................................................. 7-1
        Preparation ............................................ 7-1
        Task 1 – Configure QoS ................................. 7-1
        Task 2 – Explore the routeadm(1M) Command in the Solaris OS Startup Scripts ... 7-2
        Task 3 – Configure Routing Using the routeadm(1M) Command ... 7-3
    Exercise Summary ........................................... 7-5
    Exercise Solutions ......................................... 7-6
        Task 1 – Configure QoS ................................. 7-6
        Task 2 – Explore the routeadm(1M) Command in the Solaris OS Startup Scripts ... 7-8
        Task 3 – Configure Routing Using the routeadm(1M) Command ... 7-9

Exercise 8: Examining NFS Version 4 .............................. 8-1
    Objective .................................................. 8-1
        Preparation ............................................ 8-1
        Task 1 – Configure a NFS Version 4 Server .............. 8-1
        Task 2 – Configure a NFS Version 4 Client .............. 8-2
        Task 3 – Examining the Pseudo-File System .............. 8-3
    Exercise Summary ........................................... 8-5
    Exercise Solutions ......................................... 8-6
        Task 1 – Configure a NFS Version 4 Server .............. 8-6
        Task 2 – Configure a NFS Version 4 Client .............. 8-7
        Task 3 – Examining the Pseudo-File System .............. 8-9

Exercise 9: Changes to Security .................................. 9-1
    Objective .................................................. 9-1
        Preparation ............................................ 9-1
        Task 1 – Using the User-Level SCF Utilities ............ 9-1
        Task 2 – Examining Administration Tasks for SCF ........ 9-3
        Task 3 – Configuring the Solaris IP Filter Firewall .... 9-6
        Task 4 – Configuring NAT in the Solaris OS IP Filter ... 9-9
        Task 5 – Explore Solaris IP Filter Redirection NAT Rule ... 9-10
    Exercise Summary ........................................... 9-12
    Exercise Solutions ......................................... 9-13
        Task 1 – Using the User-Level SCF Utilities ............ 9-13
        Task 2 – Examining Administration Tasks for SCF ........ 9-16
        Task 3 – Configuring the Solaris IP Filter Firewall .... 9-21
        Task 4 – Configuring NAT in the Solaris OS IP Filter ... 9-28
        Task 5 – Explore Solaris IP Filter Redirection NAT Rule ... 9-33

Exercise 10: Using System Management Agent ....................... 10-1
    Objective .................................................. 10-1
        Preparation ............................................ 10-1
        Task 1 – Starting and Stopping SMA ..................... 10-1
        Task 2 – Starting the SMA with Debugging Enabled ....... 10-2
        Task 3 – Using the snmpconf(1M) Script to Build an SMA Configuration File ... 10-2
        Task 4 – Adding USM Users .............................. 10-3
        Task 5 – Creating a User With the net-snmp-config Script Using the --create-snmpv3-user Option ... 10-4
        Task 6 – Configuring the SMA Applications .............. 10-5
        Task 7 – Using the Debugging Options With SMA Applications ... 10-6
        Task 8 – Building a VACM ............................... 10-7
    Exercise Summary ........................................... 10-8
    Exercise Solutions ......................................... 10-9
        Task 1 – Starting and Stopping SMA ..................... 10-9
        Task 2 – Starting the SMA with Debugging Enabled ....... 10-10
        Task 3 – Using the snmpconf(1M) Script to Build an SMA Configuration File ... 10-11
        Task 4 – Adding USM Users .............................. 10-13
        Task 5 – Creating a User With the net-snmp-config Script Using the --create-snmpv3-user Option ... 10-15
        Task 6 – Configuring the SMA Applications .............. 10-17
        Task 7 – Using the Debugging Options With SMA Applications ... 10-18
        Task 8 – Building a VACM ............................... 10-19

Preface

About This Workbook

Course Goals

Upon completion of this course, you should be able to:

● Install Solaris™ 10 Operating System

● Perform key system management tasks

● Use Dynamic Tracing

● Perform network administration tasks

This workbook presents the lab exercises for each module in each section of the Student Guide.


Conventions

The following conventions are used in this course to represent various training elements and alternative learning resources.

Typographical Conventions

Courier is used for the names of commands, files, directories, programming code, and on-screen computer output; for example:

Use ls -al to list all files.
system% You have mail.

Courier is also used to indicate programming constructs, such as class names, methods, and keywords; for example:

The getServletInfo method is used to get author information.
The java.awt.Dialog class contains the Dialog constructor.

Courier bold is used for characters and numbers that you type; for example:

To list the files in this directory, type:
# ls

Courier bold is also used for each line of programming code that is referenced in a textual description; for example:

1 import java.io.*;
2 import javax.servlet.*;
3 import javax.servlet.http.*;

Notice the javax.servlet interface is imported to allow access to its life cycle methods (Line 2).

Courier italics is used for variables and command-line placeholders that are replaced with a real name or value; for example:

To delete a file, use the rm filename command.

Courier italic bold is used to represent variables whose values are to be entered by the student as part of an activity; for example:

Type chmod a+rwx filename to grant read, write, and execute rights for filename to world, group, and users.

Palatino italics is used for book titles, new words or terms, or words that you want to emphasize; for example:

Read Chapter 6 in the User's Guide.
These are called class options.

Section I

Section I: Solaris™ 10 Operating System Installation

Objectives

Upon completion of this section, you should be able to:

● Install the operating system.

Lab 1

Exercise: Configuring a Software Installation Using the WAN Boot Procedure

Objectives

This lab has three separate objectives. In this lab you create a Flash archive of specific directory contents, add packages and patches, and configure a WAN Boot server to support one installation client. All steps are performed on the WAN Boot server except where noted otherwise. The configuration includes the following tasks:

● Create a Flash archive on the WAN Boot server.

● Configure packages and patches.

● Configure the WAN Boot server as an Apache web server.

● Configure Solaris JumpStart™ and WAN Boot parameters on the WAN Boot server.

● Configure the client using the WAN Boot procedure.

Preparation

The following tasks require a system that is running the Solaris™ 10 build 66 OS.

Complete the following worksheet before you begin the installation.

● WAN Boot server name (Ex.: WANBootserv ):


______________________________________________________________

● Directory containing the web server documents (Ex.: /var/apache/htdocs):

______________________________________________________________

● Directory containing the Solaris 10 OS Flash archive. The directory must be under the web server documents directory (Ex.: /var/apache/htdocs/flashdir/solaris.flar):

______________________________________________________________

● Directory containing the wanboot binary and miniroot file system (Ex.: /var/apache/htdocs/wanboot10):

______________________________________________________________

● Directory containing the sysidcfg file, rules, and profile files (Ex.: /var/apache/htdocs/config):

______________________________________________________________

● Directory containing the wanboot.conf and system.conf files (Ex.: /etc/netboot):

______________________________________________________________

● WAN Boot client name (Ex.: WANBootclient1 ):

______________________________________________________________

● WAN Boot client IP address (Ex.: 192.168.1.25):

______________________________________________________________

Task 1 – Creating a Flash Archive

Create a Flash archive that excludes all of the /usr/bin directory except for /usr/bin/cat. Skip the disk space check and ignore the integrity check.

Note – Do not use this flar for any other purpose in this lab.


Task 2 – Configuring the Apache Web Server

Perform the following steps to configure and start the Apache web server:

1. Update the primary configuration file for the Apache web server.

Set the Servername option to the correct name for your system.

2. Start the web server.

Task 3 – Web-Install a Signed Patch

1. Install the SUNWzfs package onto the server.

2. Install a patch on the client for the SUNWzfs package using the HTTP protocol.

Task 4 – Configuring the WAN Boot and JumpStart Files

Perform the following steps to configure the WAN Boot and JumpStart server files:

1. Create the JumpStart configuration directory under the web server documents directory.

2. Change to the JumpStart sample directory.

3. Copy the directory contents to the /var/apache/htdocs/config directory.

4. Copy the wanboot binary to a directory under the web server documents directory.

5. Copy the WAN Boot CGI programs to the web server cgi-bin directory. Each file retains its original name in the new directory.

6. Create the configuration file specifying the client sysidcfg file and custom JumpStart files for this client.

7. Copy and edit the configuration file containing the WAN Boot parameters.

8. Create the miniroot file system under the web server documents directory.

9. Check the integrity of the wanboot.conf configuration file.


10. Edit the JumpStart configuration files.

a. Edit the sysidcfg file.

b. Edit the profile file.

c. Edit the rules file.

d. Run the check script.

Task 5 – Configuring the WAN Boot Client

Perform the following steps on the WAN Boot client to boot and install the client. Verify your EEPROM version. If it is version 4.14 or later, proceed with steps 1 and 2; otherwise proceed with steps 3 and 4.

1. Set network boot argument variables for WANBootclient1 at the ok prompt.

2. Boot the client.

or...

3. Insert a Solaris 10 OS CD 1 into the client.

4. Boot wanboot off of the CD.


Exercise Summary


Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

Task 1 – Creating a Flash Archive

Create a Flash archive that excludes all of the /usr/bin directory except for /usr/bin/cat. Skip the disk space check and ignore the integrity check.

# flarcreate -n solaris10 -S -I -x /usr/bin -y /usr/bin/cat /var/opt/test.flar

Verify the command worked by listing all of the files within the Flash archive that contain the string bin/cat.

# flar info -l /var/opt/test.flar | grep -i bin/cat
usr/apache/tomcat/bin/catalina.sh
usr/bin/cat

Note – Do not use this flar for any other purpose in this lab.

Task 2 – Configuring the Apache Web Server

Perform the following steps to configure and start the Apache web server:

1. Update the primary configuration file for the Apache web server.

Set the Servername option to the correct name for your system.

# cp /etc/apache/httpd.conf-example /etc/apache/httpd.conf
# vi /etc/apache/httpd.conf

Edit the line that reads:

#Servername 127.0.0.1

Remove the pound sign (#) and change it to the correct server name for your environment:


Servername WANBootserv (for example: sys-03)

2. Start the web server.

# /etc/init.d/apache start

Task 3 – Web-Install a Signed Patch

1. Since the HTTP protocol can only install packages that are in stream format, use the following commands to convert the package to this format.

# cd /var/apache/htdocs/var/spool/pkg
# pkgtrans . ./SUNWzfs_streamed.pkg SUNWzfs
Transferring <SUNWzfs> package instance

2. Install the stream format of the SUNWzfs package using the HTTP protocol. If you are prompted to overwrite the existing installation of the SUNWzfs package, do so.

# pkgadd -d http://WANBootserv/var/spool/pkg/SUNWzfs_streamed.pkg SUNWzfs

Task 4 – Configuring the WAN Boot and JumpStart Files

Note – Insert the Solaris 10 CD 1 of 2. Perform the following steps to configure the WAN Boot and JumpStart server files:

1. Create the JumpStart configuration directory under the web server documents directory.

# mkdir /var/apache/htdocs/config

2. Change to the JumpStart sample directory.

# cd /cdrom/cdrom0/s0/Solaris_10/Misc/jumpstart_sample

3. Copy the directory contents to the /var/apache/htdocs/config directory.

# cp -r * /var/apache/htdocs/config

4. Copy the wanboot binary to a directory under the web server documents directory.

# cp /cdrom/cdrom0/s0/Solaris_10/Tools/Boot/platform/sun4u/wanboot \
/var/apache/htdocs/wanboot10/wanboot


5. Copy the WAN Boot CGI programs to the web server cgi-bin directory. Each file retains its original name in the new directory.

# cp /usr/lib/inet/wanboot/*-cgi /var/apache/cgi-bin

6. Create the configuration file specifying the client sysidcfg file and custom JumpStart files for this client.

# mkdir -p /etc/netboot
# vi /etc/netboot/system.conf

Insert the following two lines. Use the correct server name for your environment.

SsysidCF=http://WANBootserv/config
SjumpsCF=http://WANBootserv/config

7. Copy and edit the configuration file containing the WAN Boot parameters.

# cp /etc/inet/wanboot.conf.sample /etc/netboot/wanboot.conf
# vi /etc/netboot/wanboot.conf

Edit the file to include the following lines. Use the correct server name for your environment.

boot_file=/wanboot10/wanboot
root_server=http://WANBootserv/cgi-bin/wanboot-cgi
root_file=/wanboot10/wpath/miniroot
signature_type=
encryption_type=
server_authentication=no
client_authentication=no
resolve_hosts=
boot_logger=http://WANBootserv/cgi-bin/bootlog-cgi
system_conf=system.conf

8. Create the miniroot file system under the web server documents directory.

# /cdrom/cdrom0/s0/Solaris_10/Tools/setup_install_server -w \
/var/apache/htdocs/wanboot10/wpath /var/apache/htdocs/wanboot10/ipath

You should receive a message similar to the following saying you were successful:

WAN boot Image creation complete

The WAN boot Image file has been placed in /var/apache/htdocs/wanboot10/wpath/miniroot


Ensure that you move this file to a location accessible to the web server, and that the WAN boot configuration file wanboot.conf(4) for each WAN boot client contains the entries:

root_server=<URL> where <URL> is an HTTP or HTTPS URL scheme pointing to the location of the WAN boot CGI program

root_file=<miniroot> where <miniroot> is the path and file name, relative to the web server document directory, of ’miniroot’

You should also make sure you have initialized the key generation process by issuing (once):

# /usr/sbin/wanbootutil keygen -m

Install Server setup complete

# cp /var/apache/htdocs/wanboot10/wpath/miniroot \
/var/apache/htdocs/wanboot10/miniroot

9. Check the integrity of the wanboot.conf configuration file.

# /usr/sbin/bootconfchk /etc/netboot/wanboot.conf

10. Edit the JumpStart configuration files.

# cd /var/apache/htdocs/config

a. Edit the sysidcfg file.

# vi /var/apache/htdocs/config/sysidcfg

Edit the file to include the following lines. Use the correct server name and correct IP addresses for your environment.

Note – The order of entries in the sysidcfg file is not important for regular JumpStart installations, but the order is important for WAN Boot installations.

network_interface=Your_Primary_Interface {primary hostname=WANBootclient1 ip_address=a.b.c.d netmask=255.255.255.0 protocol_ipv6=no default_route=w.x.y.z}
(network interface information between brackets typed all on one line)
timezone=US/Central
system_locale=C
terminal=dtterm
timeserver=localhost
name_service=none
security_policy=none

b. Edit the profile file.

Note – When you are performing these exercises it is important to use the flash archive that has already been created for you. It can be found at: /var/apache/htdocs/flashdir/SunOS5.10_66_SUNWCore_EN-US_sun4u.flar

# vi /var/apache/htdocs/config/profile

Edit the file to include the following lines.

install_type flash_install
archive_location http://WANBootserv/flashdir/Name_Of_Flar
(on the above line, use the flar you created earlier, or the flar provided within the remote lab environment)
partitioning explicit
filesys c0t0d0s0 free /
filesys c0t0d0s1 512 swap

Note – When editing this profile file, it is important to make sure you remove the directory htdocs from the path to the archive location. This is because Apache considers htdocs as the top of the root directory. Also verify you are using the correct disk device names for your environment.

c. Edit the rules file.

# vi /var/apache/htdocs/config/rules

Edit the file to include the following line:

hostname WANBootclient1 - profile -

d. Run the check script

# /var/apache/htdocs/config/check
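The wanboot.conf written in step 7 is checked for syntax by bootconfchk in step 9, but nothing in the lab points out that both authentication switches are left at "no", so the miniroot is fetched unauthenticated over plain HTTP. The following added example is not part of the Sun workbook: it is a small POSIX shell checker that reads a wanboot.conf, reports missing required entries, warns on the unauthenticated settings, and applies consistency rules to the "yes" case (an https:// root_server, signature_type=sha1, and client authentication only on top of server authentication). Those "yes" rules are an assumption drawn from wanboot.conf(4), not text from this page; the configuration files the script writes are constructed copies of the step 7 values, and WANBootserv is the page's own placeholder host name.

```shell
#!/bin/sh
# Added example (not from the Sun workbook): a wanboot.conf sanity check in
# the spirit of bootconfchk, extended to flag the unauthenticated settings
# the lab uses. The rules for the "yes" case are assumed from wanboot.conf(4).

# wanboot_get FILE KEY: print KEY's value (first match; may be empty).
wanboot_get() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | head -n 1
}

# err MESSAGE: record an ERROR finding (rc is shared with wanboot_check).
err() { echo "ERROR: $1"; rc=1; }

# wanboot_check FILE: print OK/WARN/ERROR findings, one per line.
# Returns 1 if any ERROR was found, 0 otherwise (warnings do not fail).
wanboot_check() {
    file=$1
    rc=0
    for key in boot_file root_server root_file system_conf; do
        [ -n "$(wanboot_get "$file" "$key")" ] || err "$key is not set"
    done
    root_server=$(wanboot_get "$file" root_server)
    sig=$(wanboot_get "$file" signature_type)
    enc=$(wanboot_get "$file" encryption_type)
    sauth=$(wanboot_get "$file" server_authentication)
    cauth=$(wanboot_get "$file" client_authentication)

    case "$sauth" in
    yes)
        # The client can only verify the miniroot over HTTPS with a signed
        # image (assumed wanboot.conf(4) rule).
        case "$root_server" in
        https://*) echo "OK: root_server uses HTTPS" ;;
        *) err "server_authentication=yes needs an https:// root_server" ;;
        esac
        [ "$sig" = sha1 ] || err "server_authentication=yes needs signature_type=sha1"
        ;;
    no|"")
        echo "WARN: server_authentication=${sauth:-no}: the client does not verify the miniroot"
        case "$root_server" in
        http://*) echo "WARN: root_server uses plain HTTP" ;;
        esac
        ;;
    *) err "invalid server_authentication '$sauth'" ;;
    esac

    case "$cauth" in
    yes)
        # Client authentication rides on the server-authenticated channel and
        # needs an encryption key type (assumed wanboot.conf(4) rule).
        [ "$sauth" = yes ] || err "client_authentication=yes needs server_authentication=yes"
        [ -n "$enc" ] || err "client_authentication=yes needs encryption_type"
        echo "OK: client_authentication=yes"
        ;;
    no|"")
        echo "WARN: client_authentication=${cauth:-no}: any host reaching the CGI can fetch the miniroot" ;;
    *) err "invalid client_authentication '$cauth'" ;;
    esac
    return $rc
}

# write_lab_wanboot_conf FILE: constructed copy of the step 7 configuration.
write_lab_wanboot_conf() {
    cat > "$1" <<'EOF'
boot_file=/wanboot10/wanboot
root_server=http://WANBootserv/cgi-bin/wanboot-cgi
root_file=/wanboot10/wpath/miniroot
signature_type=
encryption_type=
server_authentication=no
client_authentication=no
resolve_hosts=
boot_logger=http://WANBootserv/cgi-bin/bootlog-cgi
system_conf=system.conf
EOF
}

# write_hardened_wanboot_conf FILE: the lab file with both checks turned on
# (constructed; the matching keys still have to be created with wanbootutil).
write_hardened_wanboot_conf() {
    write_lab_wanboot_conf "$1"
    sed -e 's#^root_server=http:#root_server=https:#' \
        -e 's/^signature_type=$/signature_type=sha1/' \
        -e 's/^encryption_type=$/encryption_type=3des/' \
        -e 's/_authentication=no$/_authentication=yes/' "$1" > "$1.new"
    mv "$1.new" "$1"
}

wanboot_demo() {
    d=$(mktemp -d)
    write_lab_wanboot_conf "$d/lab.conf"
    write_hardened_wanboot_conf "$d/hardened.conf"
    for f in "$d/lab.conf" "$d/hardened.conf"; do
        echo "== $f"; wanboot_check "$f" || echo "== errors found"
    done
    rm -rf "$d"
}

wanboot_demo
```

Run against the lab file the checker returns 0 with three WARN lines (plain HTTP, no server authentication, no client authentication); against the hardened variant it prints two OK lines and nothing else. Flipping only server_authentication to yes while leaving the http:// URL and the empty signature_type is what bootconfchk-style checks are for: that file fails with two ERROR lines.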


Task 5 – Configuring the WAN Boot Client

Perform the following steps on the WAN Boot client to boot and install the client. Verify your EEPROM version. If it is version 4.14 or later, proceed with steps 1 and 2; otherwise proceed with steps 3 and 4.

Use the banner command at the ok prompt to show your version of the PROM.

1. Set network boot argument variables for WANBootclient1 at the ok prompt.

ok setenv network-boot-arguments host-ip=a.b.c.d,router-ip=a.b.c.1,subnet-mask=255.255.255.0,hostname=WANBootclient1,file=http://WANBootserv-IP/cgi-bin/wanboot-cgi

2. Boot the client.

ok boot net - install

or...

3. Verify the Solaris 10 OS CD 1 is in the client.

4. Boot wanboot off of the CD.

ok boot cdrom -o prompt -F wanboot - install
Resetting ...

Sun Blade 100 (UltraSPARC-IIe), No Keyboard
Copyright 1998-2003 Sun Microsystems, Inc. All rights reserved.
OpenBoot 4.10.1, 256 MB memory installed, Serial #50645368.
[pt pt-10usb #1]
Ethernet address 0:3:ba:4:c9:78, Host ID: 8304c978.

Rebooting with command: boot cdrom -o prompt -F wanboot - install
Boot device: /pci@1f,0/ide@d/cdrom@1,0:f File and args: -o prompt -F wanboot - install

<time unavailable> wanboot info: WAN boot messages->console
<time unavailable> wanboot info: Default net-config-strategy: manual

boot> prompt

host-ip? a.b.c.d

subnet-mask? 255.255.255.0


router-ip?

hostname? WANBootclient1

http-proxy?

client-id?

aes?

3des?

sha1?

bootserver? http://WANBootserv-IP/cgi-bin/wanboot-cgi

Unknown variable '/129.148.192.83/cgi-bin/wanboot-cgi'; ignored boot>

boot> list

host-ip: a.b.c.d
subnet-mask: 255.255.255.0
router-ip: UNSET
hostname: WANBootclient1
http-proxy: UNSET
client-id: UNSET
aes: *HIDDEN*
3des: *HIDDEN*
sha1: *HIDDEN*
bootserver: http://WANBootserv-IP/cgi-bin/wanboot-cgi

boot> go

<time unavailable> wanboot progress: wanbootfs: Read 128 of 128 kB (100%)
<time unavailable> wanboot info: wanbootfs: Download complete
Mon Aug 23 19:45:25 wanboot info: WAN boot messages->129.148.192.83:80

SunOS Release 5.10 Version s10_58 64-bit
Copyright 1983-2004 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
Configuring devices.
Network interface was configured manually.


129.148.192.221
NOTE: Not enough memory for graphical installation.
Graphical installation requires 96 MB of virtual memory.
Found 31 MB of virtual memory.
Reverting to text-based installation.
Beginning system identification...
Searching for configuration file(s)...
SUNW,eri0 : 10 Mbps half duplex link up
Using sysid configuration file http://129.148.192.83/config/sysidcfg
Search complete.
Discovering additional network configuration...


Section II: Solaris™ 10 System Management

Objectives

Upon completion of this section, you should be able to:

● Use zones in the operating system (OS)

● Use the authentication features in the OS

● Use the fault management features in the OS


Lab 2

Exercise 2: Zones

In this exercise, you will perform the following tasks:

● Create a Solaris™ 10 OS zone

● Boot a Solaris zone

● Configure resource pools

● Configure CPU Fair Share Scheduling

● Identify changes to the Resource Capping Daemon

● Halt a Solaris zone

● Remove a Solaris zone

Preparation

Before you can start this lab, you must determine the following parameters:

● You must give your zone a name (for example, test-zone).

● You must establish (create) a zone path (for example, /export/test-zone).

● You need information about the lab network environment (run ifconfig -a).

Note – Run the ifconfig -a command to gather information on the network environment. The lab environment normally uses lower-order IP addresses. Choose an upper-order IP address. For example, if the global zone IP address is 192.168.201.24, make the non-global IP address 192.168.201.124. Be sure to run the ping -s IP_addr command to verify that the IP address you choose is not in use. For example, ping -s 192.168.202.124.


Task 1: Determine the following values:

● Zone Name _____________________________________________

● Zone Path _______________________________________________

● Network Interface ________________________________________

● IP Address ______________________________________________

● Netmask ________________________________________________

Task 2: In this task, you create processor sets and pools. As a naming convention, use your first name; for example, user1 creates user1-pset and user1-pool.

Resource names:

____________-pset

____________-pool

Task 1 – Creating Zones

Perform the following steps:

1. Log in to the lab server.

2. Create the zone path.

Note – The zone path must be owned by root and have permissions such that it:
- must not be group readable
- must not be group executable
- must not be world readable
- must not be world executable
Make sure the zone path meets these requirements.

3. Identify the primary network interface, subnet IP address, and netmask.

4. Configure a zone using your assigned values.

5. Verify the Zone configuration.

No response indicates that you can proceed with the installation.

6. Commit the zone configuration to stable storage and exit the configuration utility.


Where is the zone configuration file stored?

7. View the zone configuration XML file.

8. Install the configured zone.

Note – The installation will take a while. For the lab, disregard any installation package errors.

9. List the contents of the zonepath.

10. Display the zone status.

11. Place the zone in the ready state and display the status.

Describe the changes that occur when a zone moves from the installed state to the ready state.

12. Boot the new zone and display the status.

13. Log into your domain and configure for your name, time zone and password.

14. Display the zone’s network information.

15. Display the zone status.

16. In the non-global zone, create a new group named zones and user named student. Assign a password to the new user.

17. Open a new terminal window. Verify the non-global zone operation by logging in as the new user.

Task 2 – Configuring Resource Pools

In this task we will verify that resource pools are enabled, configure a pool, transfer resources and destroy the pool.

1. Log in to the non-global zone and enable the resource pool facility.

What is the maximum number of resource pools per non-global zone?

2. Create a processor set with a minimum of one processor and a maximum of 5 possible.

What error code do you get?


How do you fix it?

3. Verify that the kernel sees the new processor set.

Why does or doesn't the kernel see the resource?

How can we update the kernel to see this resource?

What happens if you try to re-create an existing processor set?

4. Create a pool so that the kernel can see it, and verify.

5. Associate the processor set and pool you just created with each other.

6. Transfer a processor to the new processor set. First use a processor number that doesn't exist, cpu 99 for example, and then use an available processor. Verify each step.

What error codes did you see?

What did a successful operation output?

7. Disable pools on this zone. Why didn't this work?

8. Remove pools and then disable pools. Verify this step.

Task 3 - Configuring CPU Fair Share Scheduling (FSS)

Perform the following steps:

1. Update the zone's configuration with the following FSS parameters:

● Limit = 50

● Privilege = system

● Action = deny

Assuming three other zones on the system have a limit of 50, what percentage of CPU utilization will be allocated to your zone?

2. Install and boot the zone.


Task 4 – Capping Physical Memory Resource

For this task you will need to open up two terminal windows:

1. In terminal window number 1, run the rcapstat command. This command will error and end each time the rcapd daemon is stopped. Restart this command each time the daemon is restarted.

2. In window 2, edit /etc/project and add in a line for a new project. Add your user name as the user for this project. The line should look like:

test:10000:test project: name::rcap.max-rss=10000

In order to change the user's default project to test, append the following line to /etc/user_attr, using the same user name as in /etc/project:

name::::project=test

3. Enable the resource management daemon. Start monitoring the resource management on the system.

4. Switch User to your student account and run a command which will use system resources and take a long time to finish, such as the find command.

What value does the RSS field from rcapstat top out at?

Why?

Task 5 – Removing Zones

Perform the following steps:

1. Log out of the zone.

2. Halt the zone.

3. Uninstall the zone.

4. Delete the zone.

5. Verify that the zone is deleted.


Exercise Summary


Discussion – Take a few minutes to discuss the experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

Preparation

Task 1:

Something like:

● Zone Name test-zone

● Zone Path /export/test-zone

● Network Interface ce0 (see Task 1, step 3)

● IP Address 192.168.201.124 (see Task 1, step 3)

● Netmask 255.255.255.0 (see Task 1, step 3)

Task 2:

In this task, you will be creating processor sets and pools. As a naming convention, name them using your first name. For example, user1 would create user1-pset and user1-pool.

Resource names:

user1-pset

user1-pool

Task 1 – Creating Zones

Perform the following steps:

1. Log in to the lab server.

2. Create the zone path.

# mkdir -m 700 /export/zone_name
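The Note in Task 1, step 2 of the exercise lists what the zone path must look like before zoneadm install: owned by root and with no group or world read or execute permission. The following added example is not from the Sun workbook; it is a POSIX shell check that creates the path the way the step does (mkdir -m 700) and then verifies ownership and mode from the ls -ld mode string, so the mistake of a 750 or 755 directory is caught before the install. The OWNER argument is an assumption added only so the check can be exercised as a non-root user; on a real system leave it at the default, root. The scratch directory is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Sun workbook): create and verify a zone path
# against the rules in the Task 1 step 2 Note (root-owned, not group/world
# readable or executable). Uses only ls -ld so it is portable across shells.

# zonepath_create DIR: create DIR with mode 700, as the workbook's step 2 does.
zonepath_create() {
    mkdir -m 700 "$1"
}

# zonepath_mode_ok MODESTRING: succeed if the ls -ld mode string (for example
# drwx------) is a directory with no group/world read or execute bits.
# Positions: 1 type, 2-4 owner, 5-7 group, 8-10 other.
zonepath_mode_ok() {
    case "$1" in
    d???-?[-S]-?[-T]*) return 0 ;;   # 'S'/'T' mean setgid/sticky without x
    *) return 1 ;;
    esac
}

# zonepath_check DIR [OWNER]: print one finding per line; return 0 only if
# DIR exists, is owned by OWNER (default root) and passes zonepath_mode_ok.
zonepath_check() {
    dir=$1
    want_owner=${2:-root}
    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory"
        return 1
    fi
    # ls -ld prints: mode links owner group size date ... name
    set -- $(ls -ld "$dir")
    mode=$1
    owner=$3
    rc=0
    if [ "$owner" != "$want_owner" ]; then
        echo "ERROR: $dir is owned by $owner, expected $want_owner"
        rc=1
    fi
    if zonepath_mode_ok "$mode"; then
        echo "OK: $dir mode $mode"
    else
        echo "ERROR: $dir mode $mode grants group or world access (need 700)"
        rc=1
    fi
    return $rc
}

# Demo in a scratch directory (constructed; a real zone path would be
# something like /export/zone_name and owned by root).
zonepath_demo() {
    base=$(mktemp -d)
    zonepath_create "$base/zone1"
    zonepath_check "$base/zone1" "$(id -un)" || true
    chmod 750 "$base/zone1"            # the mistake the Note warns about
    zonepath_check "$base/zone1" "$(id -un)" || true
    rm -rf "$base"
}

zonepath_demo
```

The mode test deliberately reads the symbolic string rather than calling stat, because stat's options differ between Solaris, Linux and BSD while ls -ld output has the same first three columns everywhere.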

3. Identify the primary network interface, subnet IP address, andnetmask.

# ifconfig -a
lo0:1: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.201.24 netmask ffffff00 broadcast 192.168.201.255

4. Configure a zone in memory using your assigned values.

# zonecfg -z zone_name
No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:zone_name> create
zonecfg:zone_name> set zonepath=zone_path
zonecfg:zone_name> add net
zonecfg:zone_name:net> set physical=ce0
zonecfg:zone_name:net> set address=192.168.201.124
zonecfg:zone_name:net> end

5. Verify the Zone configuration.

zonecfg:zone_name> verify

6. Commit the zone configuration to stable storage and exit theconfiguration utility.

zonecfg:zone_name> commit
zonecfg:zone_name> exit

Where is the zone configuration file stored?

The zone configuration is stored in the /etc/zones/zone_name.xml file.

7. View the zone configuration XML file.

# more /etc/zones/zone_name.xml

8. Install the configured zone.

In the global zone:

# zoneadm -z zone_name install

9. List the zonepath.

In the global zone:

# ls zonepath

10. Display the zone status.

In the global zone:

# zoneadm list -v

11. Place the zone in the ready state and display the status.

In the global zone:

# zoneadm -z zone_name ready
# zoneadm list -v


Describe the changes that occur when a zone moves from the installed state to the ready state.

In this state, the virtual platform for the zone is established. The kernel creates the zsched process, network interfaces are plumbed, file systems are mounted, and devices are configured. A unique zone ID is assigned by the system. At this stage, no processes associated with the zone have been started.

12. Boot the zone and display the status.

In the global zone:

# zoneadm -z zone_name boot
# zoneadm list -v

13. Log into your domain and configure for your name, time zone and password.

In the global zone:

# zlogin -C zone_name
SunOS Release 5.10 Version Generic 64-bit
Copyright 1983-2004 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.

Select a Language

 0. English
 1. French

Please make a choice (0 - 1), or press h or ? for help: 0

Select a Locale

 0. English (C - 7-bit ASCII)
 1. Belgium-Flemish (ISO8859-1)
 2. Belgium-Flemish (ISO8859-15 - Euro)
 3. Great Britain (ISO8859-1)
 4. Great Britain (ISO8859-15 - Euro)
 5. Ireland (ISO8859-1)
 6. Ireland (ISO8859-15 - Euro)
 7. Netherlands (ISO8859-1)
 8. Netherlands (ISO8859-15 - Euro)
 9. Go Back to Previous Screen

Please make a choice (0 - 9), or press h or ? for help: 0

What type of terminal are you using?
 1) ANSI Standard CRT
 2) DEC VT52
 3) DEC VT100
 4) Heathkit 19
 5) Lear Siegler ADM31
 6) PC Console
 7) Sun Command Tool
 8) Sun Workstation
 9) Televideo 910
 10) Televideo 925
 11) Wyse Model 50
 12) X Terminal Emulator (xterms)
 13) CDE Terminal Emulator (dtterm)
 14) Other
Type the number of your choice and press Return: 3
..

14. Display the zone’s network information.

# ifconfig -a

15. Display the zone status.

From the global zone:

# zoneadm list -v

16. In the non-global zone, create a new group named zones and user named student. Assign a password to the new user.

Something like:

# groupadd -g 102 zones
# useradd -u 1003 -g 102 -d /export/home/student -s /bin/csh -c "Student" -m -k /etc/skel student

or use the Solaris Management Console:

# /usr/sadm/bin/smc &

Refer to System Administration Guide: Basic Administration, Part number 817-1985-07.

17. Open a new terminal window. Verify the non-global zone operation by logging in as the new user.

Task 2 – Configuring Resource Pools

In this task we will verify that resource pools are enabled, configure a pool, transfer resources and destroy the pool.

1. Log in to the global zone and enable the resource pool facility.

# pooladm -e

What is the maximum number of resource pools per non-global zone?

One pool per non-global zone.


2. Create a processor set with a minimum of one processor and a maximum of 5 possible.

# poolcfg -dc 'create pset name-pset (uint pset.min = 1; uint pset.max = 5)'

What error code do you get?

The pset.min only accepts a value of zero.

How do you fix it?

Re-run this command and have pset.min = 0.

3. Verify that the kernel sees the new processor set.

# poolcfg -dc info

Why does or doesn't the kernel see the resource?

If the -d option was not used the kernel isn't updated.

How can we update the kernel to see this resource?

Re-run the command with the -d option to update the kernel.

What happens if you try to re-create an existing processor set?

If you try to re-create an existing processor set an error is returned:

poolcfg: cannot create the pset, name-pset: Bad parameter supplied

4. Create a pool so that the kernel can see it, and verify.

# poolcfg -dc 'create pool name-pool'; poolcfg -dc info

5. Associate the processor set and pool you just created with each other.

# poolcfg -dc 'associate pool name-pool (pset name-pset)'

6. Transfer a processor to the new processor set. First use a processor number that doesn't exist, cpu 99 for example, and then use an available processor. Verify each step. What error codes did you see? What did a successful operation output?

# poolcfg -dc 'transfer to pset tim-pset (cpu 99)'
poolcfg: cannot locate the cpu, 99: Operation successful

What error codes did you see?

The available processor answer varies depending on the system and what processors are physically available.

What did a successful operation output?

The available processor answer varies depending on the system and what processors are physically available.

7. Disable pools on this zone. Why didn't this work?

# pooladm -d


pooladm: cannot disable pools: Device busy

If there are active pools you cannot disable this feature. Remove the pools first.

8. Remove pools and then disable pools. Verify this step.

# pooladm -x; pooladm -d
# poolcfg -dc info
poolcfg: cannot load configuration from /dev/poolctl: Facility is not active

9. Now that pools are disabled, was the /etc/pooladm.conf file removed?

No. It should still be intact.

Task 3 - Configuring CPU Fair Share Scheduling (FSS)

Perform the following steps:

1. Update the zones configuration with the following FSS parameters:

● Limit = 50

● Privilege = system

● Action = deny

# zonecfg -z zone_name
zonecfg:zone_name> add rctl
zonecfg:zone_name:rctl> set name=zone.cpu-shares
zonecfg:zone_name:rctl> add value (priv=system,limit=50,action=deny)
zonecfg:zone_name:rctl> end

Assuming three other zones on the system have a limit of 50, what percentage of CPU utilization will be allocated to your zone?

50/(50 + 50 + 50 + 50) * 100 = 25%

2. Install and boot the zone.

# zoneadm -z zone_name install
# zoneadm -z zone_name boot

Task 4 – Capping Physical Memory Resource

For this task you will need to open up two terminal windows on the non-global zone:


1. In terminal window number 1, run the rcapstat command. This command will error and end each time the rcapd daemon is stopped. Restart this command each time the daemon is restarted.

2. In window 2, edit /etc/project and add in a line for a new project. Add your user name as the user for this project. The line should look like:

test:10000:test project: name::rcap.max-rss=10000

3. Enable the resource management daemon. Restart monitoring the resource management on the system.

# rcapadm -E

In window number 2:

# rcapstat

4. Switch User to your user account and run a command which will use system resources and take a long time to finish, such as the find command.

What value does the RSS field from rcapstat top out at?

The RSS value should top out near what it was set to in step 1.

Why?

Every process in the project has to share this allotment of memory.

Task 5 – Removing Zones

Perform the following steps:

1. Log out of the non-global zone.

# exit

2. Halt the non-global zone.

# zoneadm -z zone_name halt

3. Uninstall the non-global zone.

# zoneadm -z zone_name uninstall

4. Delete the non-global zone.

# zonecfg -z zone_name delete

5. Verify that the non-global zone is deleted.

# zoneadm list -v


Lab 3

Exercise 3: Authentication Changes

In this exercise, you will perform the following tasks:

● Identify changes to Password Checking

● Configure Least Privilege

● Identify changes to Kerberos

● Identify changes to Sun Java™ System Web Server 6.1 2004Q2 reserved UID/GID

● Identify changes to nobody account usage

Preparation

Each user must create a user account for this lab exercise. Create a user with your own name. Assign the user the password of verify1.

A Kerberos server and realm must be configured for Task 3. The systemshould share /export/profile.krb5.

Task 1 – Identify Changes to Password Checking

Open two terminal windows. In one window, log into the system as the user you just created. In the other window, log in as root.

Complete the following steps:

1. Root Window – Edit the /etc/default/passwd file. Un-comment and set the HISTORY value to 3.

2. User Window – As the user you created, change your password to 2verify.

3. User Window – Change the password again to verify3.

4. User Window – Change the password again, back to the original verify1. What happened? Did your user's password change?


Task 2 – Configure Least Privilege

Complete the following steps:

1. Verify your shell’s current settings.

2. Remove your effective and inheritable ability to work with the proc_session privilege set.

3. Verify your shell’s current settings.

4. Try to add the proc_session privilege back to your shell. Did it work? Why not?

Task 3 – Identify Changes to Kerberos

Complete the following steps:

1. Configure the local Kerberos client according to the configuration file from the server.

2. Verify that the file and its contents have been copied over.

3. Log into the localhost using permissions gained from remote_server.

Task 4 – Identify Changes to Sun Java System Web Server Reserved UID/GID

Complete the following step:

1. Verify that the WebServer UID and GID have been updated.

Task 5 – Identify Changes to nobody Account Usage

Complete the following step:

1. Verify that the nobody account entries have been updated.


Exercise Summary


Discussion – Take a few minutes to discuss the experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

Task 1 – Identify Changes to Password Checking

Open two terminal windows. In one window, log into the system as the user you just created. In the other window, log in as root.

1. Root Window – Edit the /etc/default/passwd file. Un-comment and set the HISTORY value to 3.

# vi /etc/default/passwd
HISTORY=3

2. User Window – As the user you created, change your password to 2verify.

$ passwd
passwd: Changing password for user_name
Enter existing login password: verify1
New Password: 2verify
Re-enter new Password: 2verify
passwd: password successfully changed for user_name

3. User Window – Change the password again to verify3.

$ passwd
passwd: Changing password for user_name
Enter existing login password: 2verify
New Password: verify3
Re-enter new Password: verify3
passwd: password successfully changed for user_name

4. User Window – Change the password again. This time change it back to the original verify1. What happened? Did your user's password change?

$ passwd
passwd: Changing password for user_name
Enter existing login password: verify3
New Password: verify1
passwd: Password in history list
Please try again.

The command produced an error. The user's password did not change; a new password is asked for.
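HISTORY=3 in /etc/default/passwd makes passwd reject any of the user's last three passwords, which is what step 4 shows. The following added example is not from the Sun workbook: it is a small POSIX shell model of that sliding window, written so the edge case is visible: once three further passwords have been set, the original one falls out of the window and is accepted again. On Solaris the history holds password hashes; this model keeps the constructed sample values in a scratch file in the clear purely to show the logic, and the file and function names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the Sun workbook): a model of the HISTORY=N check
# that passwd applies. The history file and values are constructed for the
# demonstration; the real history is stored hashed, not in the clear.

HISTORY=3   # same value the lab sets in /etc/default/passwd

# pw_in_history HISTFILE NEWPW: succeed if NEWPW is among the last $HISTORY
# entries of HISTFILE (newest entry last, exact match).
pw_in_history() {
    [ -f "$1" ] || return 1
    tail -n "$HISTORY" "$1" | grep -qxF -- "$2"
}

# pw_change HISTFILE NEWPW: accept NEWPW unless it is in the recent history.
# Prints a passwd-style verdict; returns 0 on change, 1 on rejection.
pw_change() {
    if pw_in_history "$1" "$2"; then
        echo "passwd: Password in history list"
        return 1
    fi
    echo "$2" >> "$1"
    echo "passwd: password successfully changed"
}

# pw_demo: replay the lab's sequence, then keep changing until the original
# password drops out of the HISTORY window and is accepted again.
pw_demo() {
    f=$(mktemp)
    for p in verify1 2verify verify3 verify1 verify4 verify1; do
        printf '%s -> ' "$p"
        pw_change "$f" "$p" || true
    done
    rm -f "$f"
}

pw_demo
```

With HISTORY=3 the fourth change (back to verify1) is refused exactly as in step 4, while the sixth is accepted because only 2verify, verify3 and verify4 are still in the window; raising HISTORY is what lengthens the time before a password can be recycled.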


Task 2 – Configure Least Privilege

1. Verify your shell’s current settings.

$ ppriv $$

2. Remove your effective and inheritable ability to work with the proc_session privilege set.

$ ppriv -s EI-proc_session $$

3. Verify your shell’s current settings.

$ ppriv $$

4. Try to add the proc_session privilege back to your shell. Did it work? Why not?

$ ppriv -s EI+proc_session $$

It did not work because you removed your ability to work with effective and inheritable values for this session.

Task 3 – Identify Changes to Kerberos

1. Configure the local Kerberos client according to the configuration file from the server.

# /usr/sbin/kclient -p /net/remote_server/export/profile.krb5

2. Verify that the file and its contents have been copied over.

# more /etc/krb5/profile.krb5

3. Log into the localhost using permissions gained from remote_server.

# telnet -k remote_server localhost

Task 4 – Identify Changes to Sun Java System Web Server Reserved UID/GID

1. Verify that the WebServer UID and GID have been updated.

# cat /etc/passwd; cat /etc/group

Task 5 – Identify Changes to nobody Account Usage

1. Verify that the nobody account entries have been updated.

# cat /etc/passwd; cat /etc/group


Lab 4

Exercise 4: Fault and Service Management

Objective

● Identify features of the Fault Management Architecture

● Identify features of the Service Management Facility

Task 1 - Reviewing the Module

1. What is an FMRI and how is it used?

2. What is a diagnosis engine?

3. What command is used to show all current error events?

4. What command is used to show faulty system components?


5. What is a plug-in?

6. What is a SERD engine and what does it do?

7. What command is used to show service dependencies?

8. What is a method to SMF?


Task 2 - Enabling and Disabling Services

1. List all the services available on your system.

2. How many legacy services are running on your system?

3. How many SMF controlled services are running on your system?

4. List the state and dependencies for all network/shell instances.

5. What is the restarter for these instances?

6. Execute the spray command to send packets to your host (localhost). What happens? Change your system so that spray works.

7. Reboot your machine. Does spray still work? Why?

8. What are the processes connected with the cron service?

9. Kill the cron service. What does SMF show now for cron processes?

Task 3 - Viewing SMF Log Files

1. Go to the log file directory.

2. Are there any errors in the logs (hint: look for ERROR and WARNING)?


Exercise Summary


Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

Task 1 - Reviewing the Module

1. What is an FMRI and how is it used?

An FMRI is a fault managed resource identifier. In FMA it is used to identify the defective component or the detector of an error. In SMF it is used to identify a service.

2. What is a diagnosis engine?

A diagnosis engine is a plug-in that subscribes to error events and attemptsto diagnose a fault.

3. What command is used to show all current error events?

The fmdump -e command.

4. What command is used to show faulty system components?

The fmadm faulty command.

5. What is a plug-in?

A plug-in is a module used to provide services to the fault management daemon.

6. What is a SERD engine and what does it do?

A SERD engine looks for a certain number of events within a certain time frame. If that number of events occurs within the time frame, a fault is created.

7. What command is used to show service dependencies?

Service dependencies are shown with the svcs -d fmri and svcs -D fmri commands.

8. What is a method to SMF?

A method to SMF is a program used to start, stop, or restart a service.

Task 2 - Enabling and Disabling Services

1. List all the services available on your system.

# svcs -a
STATE          STIME    FMRI
legacy_run     Aug_27   lrc:/etc/rcS_d/S10pfil
legacy_run     Aug_27   lrc:/etc/rcS_d/S29wrsmcfg
legacy_run     Aug_27   lrc:/etc/rcS_d/S35cacheos_sh
legacy_run     Aug_27   lrc:/etc/rcS_d/S41cachefs_root
legacy_run     Aug_27   lrc:/etc/rcS_d/S55fdevattach
legacy_run     Aug_27   lrc:/etc/rc2_d/S10lu
. . .

2. How many legacy services are running on your system?

# svcs | grep legacy | wc -l
44

Your answer may vary depending on the version of the Solaris 10 OS you are running.

3. How many SMF-controlled services are running on your system?

# svcs | grep online | wc -l
61

This number will vary depending on what services have been modified.

4. List the state and dependencies for all network/shell instances.

# svcs -l 'network/shell*'
fmri         svc:/network/shell

fmri         svc:/network/shell:kshell
enabled      false
state        disabled
next_state   none
restarter    svc:/network/inetd:default
dependency   optional_all/error svc:/network/physical (online)
dependency   require_any/error svc:/network/loopback (online)

fmri         svc:/network/shell:tcp
enabled      true
state        online
next_state   none
restarter    svc:/network/inetd:default
dependency   optional_all/error svc:/network/physical (online)
dependency   require_any/error svc:/network/loopback (online)

fmri         svc:/network/shell:tcp6only
enabled      true
state        online
next_state   none
restarter    svc:/network/inetd:default
dependency   optional_all/error svc:/network/physical (online)
dependency   require_any/error svc:/network/loopback (online)

5. What is the restarter for these instances?

The inetd command.

6. Execute the spray command to send packets to your host (localhost). What happens? Change your system so that spray works.

# spray localhost
spray: cannot clnt_create localhost:netpath: RPC: Program not registered

The spray command does not work. Look at the spray service instances to see if they are enabled.

# svcs -l '*spray*'
fmri         svc:/network/rpc/spray

fmri         svc:/network/rpc/spray:ticlts
enabled      false
state        disabled
next_state   none
restarter    svc:/network/inetd:default
dependency   require_all/error svc:/network/rpc/bind (online)

fmri         svc:/network/rpc/spray:udp
enabled      false
state        disabled
next_state   none
restarter    svc:/network/inetd:default
dependency   require_all/error svc:/network/rpc/bind (online)

fmri         svc:/network/rpc/spray:udp6
enabled      false
state        disabled
next_state   none
restarter    svc:/network/inetd:default
dependency   require_all/error svc:/network/rpc/bind (online)

All instances of the spray service are disabled. Enable the udp instance of the spray service.

# svcadm enable svc:/network/rpc/spray:udp

There are no errors so try the spray command again.

# spray localhost
sending 1162 packets of length 86 to localhost ...
        no packets dropped by localhost
        7390 packets/sec, 635602 bytes/sec

7. Reboot your machine. Does spray still work? Why?

The spray command still works because a change made with the svcadm command is persistent.

8. What are the processes connected with the cron service?

# svcs -p '*cron*'
STATE          STIME    FMRI
online         Aug_27   svc:/system/cron:default
               Aug_27      218 cron

9. Kill the cron service. What does SMF show now for cron processes?

# pkill cron
# svcs -p '*cron*'
STATE          STIME    FMRI
online         15:41:23 svc:/system/cron:default
               15:41:23    3059 cron

The process number of cron has changed. It was automatically restarted by SMF.

Task 3 - Viewing SMF Log Files

1. Go to the log file directory.

# cd /var/svc/log

2. Are there any errors in the logs? (Hint: look for ERROR and WARNING.)

# grep WARNING *
network-smtp:sendmail.log:WARNING: local host name (sys61) is not qualified; see cf/README: WHO AM I?
system-filesystem-local:default.log:WARNING: /sbin/mountall -l failed: 1
system-filesystem-local:default.log:WARNING: /sbin/mountall -l failed: 1
# grep ERROR *
svc.startd.log:Aug 26 16:21:02/23 ERROR: Could not get running snapshot for svc:/system/manifest-import:default. Using editing version to run method start.
svc.startd.log:Aug 26 16:21:02/26 ERROR: Could not get running snapshot for svc:/system/rmtmpfiles:default. Using editing version to run method start.
svc.startd.log:Aug 26 16:21:02/24 ERROR: Could not get running snapshot for svc:/system/sysevent:default. Using editing version to run method start.
svc.startd.log:Aug 26 16:21:02/25 ERROR: Could not get running snapshot for svc:/system/mdmonitor:default. Using editing version to run method start.
svc.startd.log:Aug 27 07:14:52/38 ERROR: svc:/network/rpc/keyserv:default: Method "/usr/sbin/keyserv" failed with exit code 1.
svc.startd.log:Aug 27 07:14:52/38 ERROR: svc:/network/rpc/keyserv:default: Method "/usr/sbin/keyserv" failed with exit code 1.
svc.startd.log:Aug 27 07:14:52/38 ERROR: svc:/network/rpc/keyserv:default: Method "/usr/sbin/keyserv" failed with exit code 1.

Section III

Section III: Dynamic Tracing With DTrace

Objectives

Upon completion of this section, you should be able to:

● Use the DTrace features for system performance and troubleshooting

Lab 5

Exercise 5: Listing Probes and Writing Simple D Scripts

In this exercise, you complete the following tasks:

● Answer review questions about the module

● List DTrace probes using various criteria

● Write simple D program scripts

Preparation

Find out from your instructor the root password for your machine.

Task 1 – Reviewing the Module

Answer the following questions to review your understanding of the information in this module.

1. Describe the main features of DTrace.

_____________________________________________________________

_____________________________________________________________

2. Define a transient failure.

_____________________________________________________________

_____________________________________________________________

3. What are some tools that have been used in the past to debug transient failures?

_____________________________________________________________

_____________________________________________________________

4. What are some items that can be recorded in an action?

_____________________________________________________________

_____________________________________________________________

5. How do you fully specify a probe?

_____________________________________________________________

_____________________________________________________________

6. What are the major components of DTrace?

_____________________________________________________________

_____________________________________________________________

7. What dtrace (1M) option allows you to enable all probes from a given module?

_____________________________________________________________

_____________________________________________________________

8. What are the units of the built-in timestamp D variable?

_____________________________________________________________

_____________________________________________________________

9. What should be the first line of the ds.d script in order to run it as follows:

# ./ds.d

_____________________________________________________________

_____________________________________________________________

Task 2 – Listing Probes

Complete the following steps:

1. Using the dtrace (1M) command, list every probe. How would you count the number of probes provided by your system?

_____________________________________________________________

_____________________________________________________________

2. Run the dtrace (1M) command to list all probes from the TS module.

_____________________________________________________________

_____________________________________________________________

3. Run a command to list all probes from the lockstat provider.

_____________________________________________________________

_____________________________________________________________

Task 3 – Writing D Scripts

Complete the following steps:

1. Write a D script that displays "Hello World." Run it with and without the -q option of dtrace (1M).

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

2. Write a D script that displays the PIDs and names of all processes issuing the kill (2) system call. Start another terminal window and test your script by starting a few sleep 900 commands in the background and then killing them with the shell kill pid command and the pkill sleep command.

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

Exercise Summary


Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications

Exercise Solutions

This section provides the answers to the exercise tasks.

Task 1 – Reviewing the Module

Review the following answers:

1. Describe the main features of DTrace.

It enables dynamic modification of the system to record arbitrary data. DTrace has low overhead, which promotes the tracing of production systems. It is completely safe to use. It can be used on the kernel or applications.

2. Define a transient failure.

A transient failure is any unacceptable behavior that does not result in fatal failure of the system.

3. What are some tools that have been used in the past to debugtransient failures?

truss, TNF, pstack, and prstat

4. What are some items that can be recorded in an action?

PID and executable name of the current process, nanoseconds since boot (timestamp), running thread's priority, and many more.

5. How do you fully specify a probe?

provider:module:function:name

6. What are the major components of DTrace?

Probes, providers, consumers, and the D language

7. What dtrace (1M) option allows you to enable all probes from a given module?

dtrace -m module_name

8. What are the units of the built-in timestamp D variable?

Nanoseconds

9. What should be the first line of the ds.d script to run it as follows:

# ./ds.d

#!/usr/sbin/dtrace -s

Task 2 – Listing Probes

Review the following solutions:

1. Using the dtrace (1M) command, list every probe. How would youcount the number of probes provided by your system?

# dtrace -l
...
# dtrace -l | wc -l

2. Run the dtrace (1M) command to list all probes from the TS module.

# dtrace -l -m TS

3. Run a command to list all probes from the lockstat provider.

# dtrace -l -P lockstat

Task 3 – Writing D Scripts

Review the following answers:

1. Write a D script that displays "Hello World." Run it with and without the -q option of dtrace (1M).

# cat hello.d
#!/usr/sbin/dtrace -s

BEGIN
{
    trace("Hello World\n");
}
# dtrace -s hello.d
dtrace: script 'hello.d' matched 1 probe
CPU     ID                    FUNCTION:NAME
  0      1                           :BEGIN   Hello World

^C
# dtrace -q -s hello.d
Hello World
^C

2. Write a D script that displays the PIDs and names of all processes issuing the kill (2) system call. Start another terminal window, and test your script by starting a few sleep 900 commands in the background and then killing them with the shell kill pid command or the pkill sleep command.

# cat kill.d
#!/usr/sbin/dtrace -s

syscall::kill:entry
{
    trace(pid);
    trace(execname);
}
# ./kill.d
dtrace: script './kill.d' matched 1 probe
CPU     ID                    FUNCTION:NAME
  0     78                       kill:entry      5083  bash
  0     78                       kill:entry       349  utmpd
  0     78                       kill:entry       349  utmpd
  0     78                       kill:entry       349  utmpd
  0     78                       kill:entry      5128  pkill
  0     78                       kill:entry      5128  pkill
  0     78                       kill:entry      5128  pkill
^C
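As an added example (not part of the workbook solution), the same kill(2) probe extended so that each call shows the sender, the target PID and the signal number, with a per-sender summary printed when the script is stopped with ^C; it relies only on the kill(2) arguments arg0 (target pid) and arg1 (signal), and the script and aggregation names are mine:

```d
#!/usr/sbin/dtrace -qs
/*
 * Added example, not from the SA-225-S10 workbook: kill.d extended to
 * show who signals whom. Useful when checking which process is stopping
 * a daemon that SMF keeps restarting (compare the cron step in Task 2).
 */

BEGIN
{
    printf("%-16s %6s %6s %4s\n", "SENDER", "PID", "TARGET", "SIG");
}

/* For kill(2), arg0 is the target pid and arg1 the signal number. */
syscall::kill:entry
{
    printf("%-16s %6d %6d %4d\n", execname, pid, arg0, arg1);
    @sigs[execname, arg1] = count();
}

/* Summary keyed by sender and signal, printed when tracing stops. */
END
{
    printf("\n%-16s %4s %s\n", "SENDER", "SIG", "COUNT");
    printa("%-16s %4d %@d\n", @sigs);
}
```

Run it as ./killwho.d (the file name is an assumption) and send the test signals from another window as in the lab; a negative target PID is a process group, which the raw arg0 value makes visible.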

Lab 6

Exercise 6: Using the vminfo, sysinfo, io, and syscall Providers

In this exercise, you complete the following task:

● Write D scripts that use the vminfo, sysinfo, io, and syscall providers

Preparation

Find out from your instructor the root password for your machine. Change to the directory containing the Module 2 lab files. (Ask your instructor for the path name.)

Task 1 – Writing D Scripts

Complete the following steps:

1. Write a D script named paging.d that outputs the same information as the "pi" and "po" fields of the vmstat (1M) command. These fields represent the amount of kilobytes being paged in and paged out per second. Write your script to accept exactly one argument, which is the interval time in seconds (like the vmstat command). Use the pgpgin and pgpgout probes with the arg0 argument.

2. Write a D script that displays the total number of cow_fault and sysfork events that occur every five seconds, to show that when the number of fork system calls increases so does the number of "copy on write" faults. Test your script by running many date and sleep 1 commands in the background in another terminal window.

3. Using the io provider probes with the lquantize aggregation function, write a D script that displays a graph of the time taken in milliseconds for every device read. Have the scale of the distribution graph range from 0 to 50 milliseconds (ms), in increments of 1 ms. Have the "key" for the aggregation be the literal string: "Read elapsed time: ". Test your script by running the following command in another terminal window: grep fubar /usr/share/man/sman1/* . Run the iosnoop.d script (with another similar grep command, grep fubar /usr/share/man/sman5/* ) to verify that most of the reads are under 1 ms. (Note: because of file caching you only get one try. If you do not see the grep commands in the iosnoop.d output, try another sman directory.)

4. Re-write the timesys.d D script shown on [page 2-46] so that it accepts the executable command name as an argument instead of only working with the grep command. Test your script with an ls command that you enter in another terminal window.

5. Write a pagefault.d D script that follows all the functions used in handling a page fault. Have it trace starting with the kernel function pagefault (). Invoke the script with the -F option of the dtrace (1M) command.

Exercise Summary


Discussion – Take a few minutes to discuss the experiences you had during the lab exercise, and any issues or discoveries that arose.

● Experiences

● Interpretations

● Conclusions

● Applications

Module 2 Exercise Solutions

This section provides the answers to the exercise tasks.

Task 1 – Writing D Scripts

Review the following solutions:

1. Write a D script named paging.d that outputs the same information as the "pi" and "po" fields of the vmstat (1M) command. These fields represent the amount of kilobytes being paged in and paged out per second. Write your script to accept exactly one argument, which is the interval time in seconds (like the vmstat command). Use the pgpgin and pgpgout probes with the arg0 argument.

# cat paging.d
#!/usr/sbin/dtrace -qs

BEGIN
{
    printf("%8s %8s\n", "pi", "po");
    i = 0;
    po = 0;
    pi = 0;
}

/* Count elapsed seconds; $1 is the interval given on the command line. */
tick-1sec
{
    ++i;
}

/* arg0 is the number of pages paged in or out by this event. */
vminfo:::pgpgin
{
    pi = pi + arg0;
}

vminfo:::pgpgout
{
    po = po + arg0;
}

/* Every $1 seconds, print the per-second average and reset the counters. */
tick-1sec
/i == $1/
{
    printf("%8d %8d\n", (pi*8)/i, (po*8)/i);
    i = 0;
    pi = 0;
    po = 0;
}

# ./paging.d 5
      pi       po
       0        0
      20    11448
       0     1126
     771        0
      51        0
^C

2. Write a D script that displays the total number of cow_fault and sysfork events that occur every five seconds, to show that when the number of fork system calls increases so does the number of "copy on write" faults. Test your script by running many date and sleep 1 commands in the background in another terminal window.

# cat cow.d
#!/usr/sbin/dtrace -qs

BEGIN
{
    printf("%6s %8s\n", "cows", "forks");
}

vminfo:::cow_fault
{
    ++c;
}

sysinfo:::sysfork
{
    ++f;
}

tick-5sec
{
    printf("%6d %8d\n", c, f);
    c = 0;
    f = 0;
}
# ./cow.d
  cows    forks
   198        9
    66        3
    16        1
     0        0
   465       21
     0        0
^C

3. Using the io provider probes with the lquantize aggregation function, write a D script that displays a graph of the time taken in milliseconds for every device read. Have the scale of the distribution graph range from 0 to 50 milliseconds (ms), in increments of 1 ms. Have the "key" for the aggregation be the literal string: "Read elapsed time: ". Test your script by running the following command in another terminal window: grep fubar /usr/share/man/sman1/* . Run the iosnoop.d script (with another similar grep command, grep fubar /usr/share/man/sman5/* ) to verify that most of the reads are under 1 ms. (Note: because of file caching you only get one try. If you do not see the grep commands in the iosnoop.d output, try another sman directory.)

# cat io.d
#!/usr/sbin/dtrace -qs

/* Remember when each read request was issued, keyed by device and block. */
io:::start
/args[0]->b_flags & B_READ/
{
    start[args[0]->b_edev, args[0]->b_blkno] = timestamp;
}

/* On completion, compute the elapsed time in milliseconds and release
 * the array entry so that the dynamic variable space does not fill up. */
io:::done
/start[args[0]->b_edev, args[0]->b_blkno]/
{
    elapsed = (timestamp - start[args[0]->b_edev, args[0]->b_blkno]) / 1000000;
    @["Read elapsed time:"] = lquantize(elapsed, 0, 50, 1);
    start[args[0]->b_edev, args[0]->b_blkno] = 0;
}
# ./io.d
^C

  Read elapsed time:
           value  ------------- Distribution ------------- count
             < 0 |                                         0
               0 |@@@@@@@@@@@@@@@@@@@@@@@@                 775
               1 |@@@                                      83
               2 |@@                                       49
               3 |@@                                       78
               4 |@@                                       76
               5 |@@                                       59
               6 |@@                                       72
               7 |@                                        48
               8 |@                                        27
               9 |                                         13
              10 |                                         5
              11 |                                         3
              12 |                                         3
              13 |                                         3
              14 |                                         1
              15 |                                         0
              16 |                                         0
              17 |                                         1
              18 |                                         0
              19 |                                         0
              20 |                                         0
              21 |                                         0
              22 |                                         0
              23 |                                         0
              24 |                                         0
              25 |                                         0
              26 |                                         0
              27 |                                         0
              28 |                                         0
              29 |                                         0
              30 |                                         0
              31 |                                         0
              32 |                                         0
              33 |                                         0
              34 |                                         0
              35 |                                         0
              36 |                                         0
              37 |                                         0
              38 |                                         0
              39 |                                         0
              40 |                                         0
              41 |                                         0
              42 |                                         1
              43 |                                         0
              44 |                                         0
              45 |                                         0
              46 |                                         0
              47 |                                         0
              48 |                                         0
              49 |                                         0
           >= 50 |                                         2

# ./iosnoop.d
COMMAND    PID  FILE                                      DEVICE RW     MS
grep      1183  <none>                                    sd2    R   8.504
grep      1183  /usr/share/man/sman5/ANSI.5               sd2    R   7.127
grep      1183  /usr/share/man/sman5/C++.5                sd2    R   0.320
grep      1183  /usr/share/man/sman5/C.5                  sd2    R   0.367
grep      1183  /usr/share/man/sman5/CSI.5                sd2    R   0.712
grep      1183  /usr/share/man/sman5/ISO.5                sd2    R   0.318
grep      1183  /usr/share/man/sman5/Intro.5              sd2    R   5.016
grep      1183  /usr/share/man/sman5/Intro.5              sd2    R   5.251
grep      1183  /usr/share/man/sman5/Intro.5              sd2    R   0.617
grep      1183  /usr/share/man/sman5/Intro.5              sd2    R   2.039
grep      1183  /usr/share/man/sman5/MT-Level.5           sd2    R   7.340
grep      1183  /usr/share/man/sman5/POSIX.1.5            sd2    R   0.322
grep      1183  /usr/share/man/sman5/POSIX.2.5            sd2    R   6.116
grep      1183  /usr/share/man/sman5/POSIX.5              sd2    R   0.325
grep      1183  /usr/share/man/sman5/SEAM.5               sd2    R   0.549
grep      1183  /usr/share/man/sman5/SEAM.5               sd2    R   2.844
grep      1183  /usr/share/man/sman5/SUS.5                sd2    R   0.322
grep      1183  /usr/share/man/sman5/SUSv2.5              sd2    R   0.201
grep      1183  /usr/share/man/sman5/SUSv3.5              sd2    R   0.328
grep      1183  /usr/share/man/sman5/SVID.5               sd2    R   0.304
grep      1183  /usr/share/man/sman5/SVID3.5              sd2    R   0.202
grep      1183  /usr/share/man/sman5/XNS.5                sd2    R   0.310
grep      1183  /usr/share/man/sman5/XNS4.5               sd2    R   0.309
grep      1183  /usr/share/man/sman5/XNS5.5               sd2    R   0.200
grep      1183  /usr/share/man/sman5/XPG.5                sd2    R   0.315
grep      1183  /usr/share/man/sman5/XPG3.5               sd2    R   0.316
grep      1183  /usr/share/man/sman5/XPG4.5               sd2    R   0.227
grep      1183  /usr/share/man/sman5/XPG4v2.5             sd2    R   0.325
grep      1183  /usr/share/man/sman5/advance.5            sd2    R   0.469
grep      1183  /usr/share/man/sman5/architecture.5       sd2    R   0.206
grep      1183  /usr/share/man/sman5/ascii.5              sd2    R   3.857
grep      1183  /usr/share/man/sman5/attributes.5         sd2    R   0.516
grep      1183  /usr/share/man/sman5/attributes.5         sd2    R   0.791
grep      1183  /usr/share/man/sman5/attributes.5         sd2    R   0.511
grep      1183  /usr/share/man/sman5/attributes.5         sd2    R   0.441
grep      1183  /usr/share/man/sman5/audit_binfile.5      sd2    R   0.466
grep      1183  /usr/share/man/sman5/audit_syslog.5       sd2    R   0.625
grep      1183  /usr/share/man/sman5/audit_syslog.5       sd2    R   0.687
^C

4. Re-write the timesys.d D script shown on [page 2-46] so that it accepts the executable command name as an argument instead of only working with the grep command. Test your script with an ls command that you enter in another terminal window.

# cat timesys2.d
#!/usr/sbin/dtrace -qs

/* $1 is substituted literally, so the command name must be passed with
 * its own double quotes: ./timesys2.d '"ls"' */
BEGIN
{
    printf("\nSystem Call Times for %s:\n\n", $1);
    printf("%20s\t%10s\n", "Syscall", "Microseconds");
}

syscall:::entry
/execname == $1/
{
    name[probefunc] = timestamp;
    self->start = 1;
}

syscall:::return
/self->start/
{
    printf("%20s\t%10d\n", probefunc, (timestamp - name[probefunc]) / 1000);
    self->start = 0;
}

/* Stop when the traced command exits, not when any other process does. */
syscall::rexit:entry
/execname == $1/
{
    exit(0);
}
# ./timesys2.d '"ls"'

System Call Times for ls:

             Syscall    Microseconds
                mmap              49
         resolvepath              45
         resolvepath              63
                stat              39
                open              53
                stat              33
                open              30
                mmap              37
...
          setcontext              34
           getrlimit              23
              getpid              17
          setcontext              23
                 brk              23
                 brk              27
                stat              45
               gtime              20
               ioctl              76
                 brk              19
...
               write              69
               write              67
               write              68
               write              94
               write              68
               write              66
               write              65
               write              66
               write              65
#
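An added variant of timesys2.d (my code, not the workbook's solution): it takes the command name as a plain word through the $$1 string macro, so it runs as ./syslat.d ls with no extra quoting; it keeps the entry timestamp in a thread-local variable instead of a shared array keyed by syscall name, so concurrent threads of the same program do not overwrite each other; and it summarises latency per system call with sum() and quantize() aggregations when stopped with ^C rather than exiting on rexit. The file name syslat.d and the aggregation names are assumptions.

```d
#!/usr/sbin/dtrace -qs
/*
 * Added example, not from the SA-225-S10 workbook. Per-syscall latency
 * summary for one executable name. $$1 expands the first script argument
 * to a string literal, so the predicate below compares execname with it
 * directly. Usage: ./syslat.d ls   (then run ls in another window).
 */

BEGIN
{
    printf("Tracing system calls of %s ... press ^C to finish\n", $$1);
}

/* Thread-local start time: each thread times only its own call. */
syscall:::entry
/execname == $$1/
{
    self->start = timestamp;
}

/* Only returns whose entry was timed on this thread are counted. */
syscall:::return
/self->start/
{
    this->us = (timestamp - self->start) / 1000;
    @lat[probefunc] = quantize(this->us);
    @tot[probefunc] = sum(this->us);
    self->start = 0;
}

END
{
    printf("\nTotal microseconds per system call for %s:\n", $$1);
    printa("%-16s %@d\n", @tot);
    printf("\nLatency distribution per system call (microseconds):\n");
    printa(@lat);
}
```

Aggregations are printed in ascending order of value by default, so the most expensive system calls appear last in the totals table.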

5. Write a pagefault.d D script that follows all the functions used in handling a page fault. Have it trace starting with the kernel function pagefault (). Invoke the script with the -F option of the dtrace (1M) command.

# cat pagefault.d
#!/usr/sbin/dtrace -s

fbt::pagefault:entry
{
    self->start = 1;
}

fbt::pagefault:return
/self->start/
{
    exit(0);
}

fbt:::
/self->start/

# dtrace -F -s pagefault.d
dtrace: script 'pagefault.d' matched 31656 probes
CPU FUNCTION
  0  -> pagefault
  0    -> as_fault
  0      -> as_segat
  0        -> avl_find
  0          -> as_segcompar
  0          <- as_segcompar
...
  0          -> fop_getpage
  0            -> ufs_getpage
  0              -> ufs_lockfs_begin_getpage
  0                -> tsd_get
  0                <- tsd_get
  0                -> tsd_agent_get
  0                <- tsd_agent_get
  0                -> ufs_lockfs_is_under_rawlockfs
  0                  -> mutex_owner
  0                  <- mutex_owner
  0                <- ufs_lockfs_is_under_rawlockfs
  0              <- ufs_lockfs_begin_getpage
  0              -> rw_owner
  0              <- rw_owner
...
  0              <- page_lookup
  0              -> page_lookup_create
  0                -> page_try_reclaim_lock
  0                <- page_try_reclaim_lock
  0                -> page_reclaim
  0                  -> page_list_sub
  0                    -> page_sub
  0                    <- page_sub
  0                    -> page_ctr_sub
  0                    <- page_ctr_sub
...
  0            <- sfmmu_select_tsb_szc
  0            -> sfmmu_hat_exit
  0            <- sfmmu_hat_exit
  0          <- sfmmu_check_page_sizes
  0        <- hat_memload
  0        -> page_unlock
  0        <- page_unlock
  0      <- segvn_faultpage
  0    <- segvn_fault
  0  <- as_fault
  0 <- pagefault
#

Section IV

Section IV: Solaris™ 10 Networking

Objectives

Upon completion of this section, you should be able to:

● Practice the Internet Protocol (IP) changes in the OS

● Practice the network file system (NFS) changes in the OS

● Practice the security feature changes in the OS

● Practice other networking feature changes in the OS

Lab 7

Exercise 7: Changes to Internet Protocol Features

Objectives

In this exercise, you complete the following tasks:

● Configure Quality of Service (QoS) files

● Explore the routeadm (1M) command in the Solaris™ Operating System (Solaris OS) startup scripts

● Configure routing using routeadm (1M)

Preparation

This lab requires no special preparation.

Task 1 – Configure QoS

1. Log in to the remote server as the root user.

2. Review the following man pages:

● ipqos (7ipp)

● ipqosconf (1M)

3. Using the appropriate command, display the current Internet Protocol (IP) Quality of Service (IPQoS) settings.

4. Flush the current settings for IPQoS.

5. Use the kstat (1M) command to output statistics for module ipgpc .

6. Create the following ipqos configuration file:

a. Create an action using module ipgpc. (Hint: See the /etc/inet/ipqosconf.1.sample file.)

b. Add a class named ftp with next action called dmark1 .

c. Add a filter called ftpout, with direction LOCAL_OUT, dport 21, and class ftp.

d. Create another action using module dscpmk, with name dmark1, and set the Differentiated Services Code Point (DSCP) code point to 001110 = 14.

e. Set the next action to acct1 .

f. Create an action using module flowacct.

g. Use timer 10, timeout 30, and set the global statistic to true .

This will be the last action.

7. Configure your system with the file you created.

(Use the -v option for verbose output, and make corrections asneeded.)

8. Display the configuration using the ipqosconf command.

9. Use File Transfer Protocol (FTP) and attempt to connect to one of theother servers in the pod.

10. Use the kstat (1M) command to display statistics.

11. Use the ipqosconf command to flush the configuration.

Task 2: Explore the routeadm (1M) Command in the Solaris OS Startup Scripts

1. Log in to the remote server.

2. In this exercise you will confirm the default routing policy for the server by examining the /etc/init.d/inetinit start script.

3. Answer the following questions.

a. If the /etc/defaultrouter file exists, will the in.routed daemon and route discovery be executed?

b. If a DHCP interface is configured, will the in.routed daemon and route discovery be executed?

c. What logic in the startup script determined the answer to question 2?

d. What command line from the script is used to turn on IP forwarding (IP version 4 [IPv4]), if needed?

e. Under what condition are IP forwarding and routing used if the machine is using IPv6?

f. Describe the default behavior for IP forwarding (IPv4 and IPv6) and routing (IPv4 and IPv6). Include the /etc/defaultrouter file, /etc/notrouter file, number of interfaces, DHCP, and /etc/inet/ndpd.conf file.

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

__________________________________________________________________

Task 3: Configure Routing Using the routeadm (1M) Command

1. This pod has four machines and a gateway. You will configure sys-01 as a multi-homed host with no IP forwarding. You will configure sys-02 with two interfaces.

The second interface of sys-02 will be on a new subnet that you will configure; the subnet will contain sys-02, sys-03, and sys-04. The original network will consist of sys-01, sys-04, and the gateway. You will not alter the gateway. Only sys-02 will be a router.

2. Start with sys-01. Before making any changes to sys-01, examine the /etc/inet/routing.conf file. Examine the output of the routeadm command without options.

3. Configure sys-01 using the ifconfig command to add the eri1 interface, create the necessary boot files to enable the eri1 interface on bootup, and use the routeadm command to disable IP forwarding.

When you finish, you should do the following:

a. Make certain the system will retain the setting on a reboot. You may reboot this system. That is, both the eri1 and eri0 interfaces are configured, and the ip_forwarding variable is set to 0.

b. Examine the /etc/inet/routing.conf file; how has it changed?

c. Examine the output of the routeadm command without options; what has changed?

4. Continue with sys-02. Configure this system as a router between the two networks.

Configure this system without rebooting it.

a. Verify the IP forwarding setting with ndd.

b. Examine the /etc/inet/routing.conf file.

c. Examine the output of the routeadm command without options.

5. Configure sys-03, enable the eri1 interface, and test and disable the eri0 interface.

6. Configure sys-04, enable the eri1 interface, turn off IP forwarding, and match the /etc/inet/routing.conf file and output from the routeadm command with sys-01. These should be the same. You should not reboot this system.

7. Upon completion, do the following.

a. Verify that sys-01 can ping sys-04.

b. Verify that sys-04 can ping sys-03 and sys-02.

c. Verify that IP forwarding is not turned on for sys-04.

d. Verify sys-02 is routing packets.

8. Start with sys-04. Restore all systems to the original configuration; use the routeadm command to revert to the defaults. Check the /etc/inet/routing.conf file to confirm the proper settings. Do not reboot sys-02; return it to the default configuration using the routeadm command.


Exercise Summary


Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

Task 1: Configure QoS

1. Log in to the remote server as the root user. Perform steps 2, 3, and 4 to ensure there are not already IPQoS settings configured.

2. Review the following man pages:

● ipqos(7ipp)

● ipqosconf(1M)

3. Using the appropriate command, display the current IPQoS settings.

# ipqosconf

4. Flush the current settings for IPQoS.

# ipqosconf -f

5. Use the kstat(1M) command to output statistics for module ipgpc.

# kstat -m ipgpc

6. Create the following ipqos configuration file:

a. Create an action using module ipgpc. (Hint: See the /etc/inet/ipqosconf.1.sample file.)

b. Add a class named ftp with next action called dmark1.

c. Add a filter called ftpout, with direction LOCAL_OUT, dport 21, and class ftp.

d. Create another action using module dscpmk, with name dmark1, and set the DSCP code point to 001110=14.

e. Set the next action to acct1.

f. Create an action using module flowacct.

g. Use timer 10, timeout 30, and set the global statistic to true.

This will be the last action.

fmt_version 1.0

action {
    module ipgpc
    # Name must be ipgpc.classify for ipgpc action.
    name ipgpc.classify
    class {
        name ftp
        next_action dmark1
    }
    filter {
        name ftpout
        # Outgoing locally generated traffic.
        direction LOCAL_OUT
        dport 21
        class ftp
    }
}

action {
    module dscpmk
    name dmark1
    params {
        dscp_map {0-63:14}
        next_action acct1
    }
}

action {
    name acct1
    module flowacct
    params {
        timer 10
        timeout 30
        global_stats TRUE
        max_limit 1024
        next_action continue
    }
}

7. Configure your system with the file you created.

(Use the -v option for verbose output and make corrections as needed.)

# /usr/sbin/ipqosconf -a ipqos.txt -v
Notice: IPQoS configuration applied.

8. Display the configuration using the ipqosconf command.

9. Use FTP and attempt to connect to one of the other servers in the pod.

Successful connection is not required.


10. Use the kstat(1M) command to display statistics.

# kstat -m ipgpc

11. Use the ipqosconf command to flush the configuration.

# ipqosconf -f

Task 2: Explore the routeadm(1M) Command in the Solaris OS Startup Scripts

1. Log in to the remote server.

2. In this exercise you will confirm the default routing policy for the server by examining the /etc/init.d/inetinit start script.

3. Answer the following questions.

a. If /etc/defaultrouter exists, will the in.routed daemon and route discovery be executed?

No.

b. If a DHCP interface is configured, will the in.routed daemon and route discovery be executed?

No.

c. What logic in the startup script determined the answer to question 2?

if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
        numdhcp=`/usr/sbin/ifconfig -a4 | /usr/bin/grep -c DHCP`
else
        numdhcp=0
fi

if [ ! -f /etc/notrouter -a $numdhcp -eq 0 -a \
    \( $numifs -gt 2 -o $numptptifs -gt 0 -o -f /etc/gateways \) ]; then
        ...

d. What command line from the script is used to turn on ip_forwarding (IPv4), if needed?

routeadmstr="-e ipv4-forwarding"

e. Under what condition are ip_forwarding and routing used if the machine is using IPv6?

If the /etc/inet/ndpd.conf file exists.


f. Describe the default behavior for ip_forwarding (IPv4 and IPv6) and routing (IPv4 and IPv6). Include the /etc/defaultrouter file, /etc/notrouter file, number of interfaces, DHCP, and the /etc/inet/ndpd.conf file.

ipv4-forwarding – IPv4 forwarding is disabled if any of the following is true:

● An interface was configured with DHCP.

● The /etc/defaultrouter file is non-empty.

● The /etc/notrouter file exists.

If all of the preceding are false, then IPv4 forwarding is enabled if at least one of the following is true:

● There are two or more non-loopback interfaces configured.

● There are one or more point-to-point interfaces configured.

● The /etc/gateways file exists.

ipv4-routing – IPv4 routing is disabled if the /etc/defaultrouter file is not empty, and enabled otherwise.

ipv6-forwarding – IPv6 forwarding is enabled if both of the following are true:

● At least one non-loopback interface is configured.

● The /etc/inet/ndpd.conf file exists.

Otherwise, IPv6 forwarding is disabled.

ipv6-routing – If ipv6-forwarding is enabled, then ipv6-routing is enabled.
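The policy summarized in answers c through f, restated as an added example that is not part of the workbook or of the Solaris inetinit script: plain POSIX shell functions that evaluate the same conditions (DHCP interface count, /etc/defaultrouter, /etc/notrouter, /etc/gateways, /etc/inet/ndpd.conf, and the interface counts) against a root directory of your choosing, so the "default (...)" values routeadm will report can be predicted before a reboot, or a copied /etc audited offline. The function names and the ROOT argument are this example's own assumptions; interface counts are passed in as arguments because counting them is an ifconfig matter on the live host.

```shell
#!/bin/sh
# Added example (not from the workbook or the inetinit script): the default
# routing policy described above as shell functions evaluated against a
# chosen root directory rather than the live /etc.
# Assumptions: function names and the ROOT argument are this example's own;
# interface counts are supplied by the caller.

# file_nonempty PATH: true when PATH exists and has content
# (/etc/defaultrouter only matters when it is non-empty).
file_nonempty() { [ -s "$1" ]; }

# ipv4_forwarding_policy ROOT NUMIFS NUMPTPTIFS NUMDHCP
#   ROOT        directory standing in for / (pass / on a real host)
#   NUMIFS      configured non-loopback interfaces
#   NUMPTPTIFS  configured point-to-point interfaces
#   NUMDHCP     interfaces configured by DHCP
# Prints "enabled" or "disabled".
ipv4_forwarding_policy() {
    root=$1; numifs=$2; numptptifs=$3; numdhcp=$4
    # Any one of these disables forwarding outright.
    if [ "$numdhcp" -gt 0 ] || file_nonempty "$root/etc/defaultrouter" \
        || [ -f "$root/etc/notrouter" ]; then
        echo disabled
        return 0
    fi
    # Otherwise the host forwards as soon as it looks like a router.
    if [ "$numifs" -ge 2 ] || [ "$numptptifs" -gt 0 ] \
        || [ -f "$root/etc/gateways" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# ipv4_routing_policy ROOT: in.routed and route discovery run only when no
# static default router is configured.
ipv4_routing_policy() {
    if file_nonempty "$1/etc/defaultrouter"; then
        echo disabled
    else
        echo enabled
    fi
}

# ipv6_forwarding_policy ROOT NUMIFS: needs an interface and ndpd.conf.
ipv6_forwarding_policy() {
    if [ "$2" -ge 1 ] && [ -f "$1/etc/inet/ndpd.conf" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# ipv6_routing_policy ROOT NUMIFS: follows the IPv6 forwarding decision.
ipv6_routing_policy() { ipv6_forwarding_policy "$1" "$2"; }

# routing_policy_report ROOT NUMIFS NUMPTPTIFS NUMDHCP: one line per option,
# the values routeadm shows as "default (...)" when nothing is set explicitly.
routing_policy_report() {
    printf 'ipv4-forwarding default (%s)\n' "$(ipv4_forwarding_policy "$1" "$2" "$3" "$4")"
    printf 'ipv4-routing    default (%s)\n' "$(ipv4_routing_policy "$1")"
    printf 'ipv6-forwarding default (%s)\n' "$(ipv6_forwarding_policy "$1" "$2")"
    printf 'ipv6-routing    default (%s)\n' "$(ipv6_routing_policy "$1" "$2")"
}

# Demonstration on a constructed root: a host with two interfaces and none of
# the disabling files would forward by default; creating /etc/notrouter
# stops that without touching the interfaces.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/inet"
echo "two interfaces, no /etc/notrouter:"
routing_policy_report "$demo_root" 2 0 0
touch "$demo_root/etc/notrouter"
echo "two interfaces, /etc/notrouter present:"
routing_policy_report "$demo_root" 2 0 0
rm -rf "$demo_root"
```

The point worth taking from the demonstration is the one behind Task 3: a host that gains a second non-loopback interface, and has no /etc/defaultrouter, /etc/notrouter or DHCP interface, starts forwarding packets at the next boot without anyone asking for it. Creating /etc/notrouter, or setting the option explicitly with routeadm so that routing.conf no longer reads "default", is what keeps a multi-homed host such as sys-01 from becoming a router.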

Task 3: Configure Routing Using the routeadm(1M) Command

1. This pod has four machines and a gateway. You will configure sys-01 as a multi-homed host with no IP forwarding. You will configure sys-02 with two interfaces.

The second interface of sys-02 will be on a new subnet that you will configure. The subnet will contain sys-02, sys-03, and sys-04. The original network will consist of sys-01, sys-04, and the gateway. You will not alter the gateway. Only sys-02 will be a router.

2. Start with sys-01. Before making any changes to sys-01, examine the /etc/inet/routing.conf file. Examine the output of the routeadm command without options.


# routeadm
              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
            IPv4 forwarding   default (disabled)   disabled
               IPv4 routing   default (disabled)   disabled
            IPv6 forwarding   default (disabled)   disabled
               IPv6 routing   default (disabled)   disabled
# cat /etc/inet/routing.conf
#
# Parameters for IP forwarding and routing.
# Do not edit this file by hand -- use routeadm(1m) instead.
#
ipv4-forwarding default disabled
ipv4-routing default disabled
ipv6-forwarding default disabled
ipv6-routing default disabled

3. Configure sys-01 using the ifconfig command to add the eri1 interface, create the necessary boot files to enable the eri1 interface on bootup, and use the routeadm command to disable IP forwarding.

# ifconfig eri1 plumb
# ifconfig eri1 192.168.1.1 up
# routeadm -d ipv4-forwarding
# routeadm -u

Create the /etc/hostname.eri1 file, and add sys-01b to /etc/hostname.eri1 and to the /etc/hosts file.

When you finish, you should do the following:

a. Make certain the system will retain the setting on a reboot. You may reboot this system. That is, both the eri1 and eri0 interfaces are configured, and ip_forwarding is set to 0.

b. Examine the /etc/inet/routing.conf file; how has it changed?

# cat routing.conf
#
# Parameters for IP forwarding and routing.
# Do not edit this file by hand -- use routeadm(1m) instead.
#
ipv4-forwarding disabled disabled
ipv4-routing default disabled
ipv6-forwarding default disabled
ipv6-routing default disabled


c. Examine the output of the routeadm command without options; what has changed?

# routeadm
              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
            IPv4 forwarding   disabled             disabled
               IPv4 routing   default (disabled)   disabled
            IPv6 forwarding   default (disabled)   disabled
               IPv6 routing   default (disabled)   disabled

4. Continue with sys-02. Configure this system as a router between the two networks.

Configure this system without rebooting it.

# ifconfig eri1 plumb
# ifconfig eri1 192.168.1.2 up
# routeadm -e ipv4-forwarding -e ipv4-routing
# routeadm -u

a. Verify the IP forwarding setting with ndd.

# ndd -get /dev/ip ip_forwarding
1

b. Examine the /etc/inet/routing.conf file.

c. Examine the output of the routeadm command without options.

5. Configure sys-03, enable the eri1 interface, and test and disable the eri0 interface.

# ifconfig eri1 plumb
# ifconfig eri1 192.168.1.3 up

6. Configure sys-04, enable the eri1 interface, turn off IP forwarding, and match the /etc/inet/routing.conf file and output from the routeadm command with sys-01. These should be the same. You should not reboot this system.

# ifconfig eri1 plumb
# ifconfig eri1 192.168.1.4 up
# routeadm -d ipv4-forwarding
# routeadm -u

7. Upon completion, do the following.

a. Verify that sys-01 can ping sys-04.

b. Verify that sys-04 can ping sys-03 and sys-02.

c. Verify that IP forwarding is not turned on for sys-04.


d. Verify sys-02 is routing packets.

8. Start with sys-04. Restore all systems to the original configuration; use the routeadm command to revert to the defaults. Check the /etc/inet/routing.conf file to confirm the proper settings. Do not reboot sys-02; return it to the default configuration using the routeadm command.

a. sys-04: Remove the /etc/hostname.eri1 file, and remove entries from the /etc/hosts file for the eri1 interface.

b. sys-03: Be careful. Enable the eri0 interface, then log out. Log in using the eri0 interface, disable the eri1 interface, and remove the /etc/hostname.eri1 file and entries in the /etc/hosts file.

c. sys-02: Remove the /etc/hostname.eri1 file, and remove entries from the /etc/hosts file.

sys-02: routeadm -d ipv4-forwarding -d ipv4-routing
sys-02: routeadm -r ipv4-forwarding -r ipv4-routing
sys-02: routeadm -u
sys-02: ifconfig eri1 down unplumb

d. sys-01: Remove entries in the /etc/hosts file, and remove the /etc/hostname.eri1 file.

sys-01: routeadm -r ipv4-forwarding
sys-01: routeadm -u


Lab 8

Exercise 8: Examining NFS Version 4

Objective

In this exercise you complete the following tasks:

● Configuring a Network File System (NFS) version 4 server

● Configuring a NFS version 4 client

● Examining the pseudo-file system

● Examining NFS Client behavior when a file system is unshared

Preparation

You will need two machines in the same subnet to perform these labs; one will be used as the NFS client and the other as the NFS server. No other special preparation is required.

To start the lab, log in to the remote lab environment.

Task 1 – Configure a NFS Version 4 Server

The purpose of this exercise is to configure a NFS version 4 client and a NFS version 4 server.

1. Select the machine that is to be the server and log in to that machine as the root user.

2. Edit the /etc/default/nfs file to configure the machine as a NFS version 4 only server. (Copy the existing configuration lines and make changes to the copies.)

3. Edit the /etc/dfs/dfstab file and share the /usr/share/man directory.


4. Use the svcadm command to stop (if necessary) and start the NFS server. If the server is not running, you can just start it. If it is currently running, stop and start the server so that it reads the changes to the /etc/default/nfs file.

5. Verify the file system is shared.

6. Log in to the NFS client machine and verify that the file system is shared.

Task 2 – Configure a NFS Version 4 Client

1. Select a machine to be the client and log in as the root user.

2. Edit the /etc/default/nfs file to configure the machine as a NFS version 4 client only.

3. Create the /usr/local/man directory to be used as the mount point.

4. Open another terminal on the client and run the following snoop command:

# snoop -V rpc nfs client server

5. Mount the /usr/share/man directory on the /usr/local/man mount point that you created.

6. Examine the snoop output and observe that NFS version 4 is in use.

7. Use the nfsstat(1M) command to verify that you are using NFS version 4.

8. Test by displaying a man page from the /usr/local/man directory.

9. Log in to the NFS server machine as the root user. Use the rpcinfo(1M) command to verify NFS version 4 is running. Check for the rpcbind and mountd services.

Examples:

# /usr/bin/rpcinfo -u localhost rpcbind
# /usr/bin/rpcinfo -u localhost mountd
sys-04:/> /usr/bin/rpcinfo -u localhost rpcbind
program 100000 version 2 ready and waiting
program 100000 version 3 ready and waiting
program 100000 version 4 ready and waiting

10. Did either command indicate NFS version 4 was active?

11. Was the rpcbind daemon present?

If the mountd daemon is running, do the following:


12. Log in to the NFS client and use the umount(1M) command to remove the mounted file system.

13. On the NFS server, kill the mountd daemon.

14. On the NFS client, re-issue the mount command to mount the remote file system again. Did this command work?

15. On the NFS server, use the showmount(1M) command to show all clients that have mounted the file system.

Task 3 – Examining the Pseudo-File System

The purpose of this exercise is to examine how the exported file systems from a NFS version 4 server are presented to a NFS version 3 client and a NFS version 4 client.

1. On the NFS client, use the umountall(1M) command to remove the NFS mount from the previous exercise.

2. Log in to the server machine and create the following directory tree:

/export_fs
/export_fs/projects
/export_fs/local
/export_fs/payroll
/export_fs/projects/nfs4
/export_fs/projects/nfs4x

3. Stop the NFS server, then configure the NFS server to use NFS version 2, version 3, and version 4.

4. Edit the /etc/dfs/dfstab file and share the /export_fs/projects/nfs4 and /export_fs/local directories.

5. Restart the NFS server service.

6. Log in to the client machine. Verify that the client supports NFS version 3 and version 2 only.

7. Create a new mount point.

8. Mount the export_fs file system from the NFS server on the newly created mount point.

9. Could you mount the file system?

10. Now attempt to mount the /export_fs/local directory on the mount point.

11. Could you mount the file system?

12. Can you change directory to the mount point?


13. Can you change directory to /mount-point/projects?

14. Can you change directory to /mount-point/projects/nfs4?

15. Change directory to the root directory. Use the mount command to display the current mounts.

16. Use the umount command to remove the mounted file system and verify it is no longer mounted.

17. Change the /etc/default/nfs file and enable NFS version 4 on the client machine.

18. Mount the export_fs file system from the NFS server on the newly created mount point.

19. Could you mount the file system?

20. Can you change directory to the mount point?

21. Use the ls command to list the contents of the directory.

22. Can you change directory to /mount-point/projects?

23. Can you change directory to /mount-point/projects/nfs4?


Exercise Summary


Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

Task 1 – Configure a NFS version 4 Server

The purpose of this exercise is to configure a NFS version 4 client and a NFS version 4 server.

1. Select the machine that is to be the server and log in to that machine as the root user.

2. Edit the /etc/default/nfs file to configure the machine as a NFS version 4 only server. (Copy the existing configuration lines and make changes to the copies.)

sys-04 # vi /etc/default/nfs

Before:

# Sets the minimum version of the NFS protocol that will be registered
# and offered by the server. The default is 2.
#NFS_SERVER_VERSMIN=2

# Sets the maximum version of the NFS protocol that will be registered
# and offered by the server. The default is 3.
#NFS_SERVER_VERSMAX=3

After:

# Sets the minimum version of the NFS protocol that will be registered
# and offered by the server. The default is 2.
#NFS_SERVER_VERSMIN=2
NFS_SERVER_VERSMIN=4

# Sets the maximum version of the NFS protocol that will be registered
# and offered by the server. The default is 3.
#NFS_SERVER_VERSMAX=3
NFS_SERVER_VERSMAX=4

3. Edit the /etc/dfs/dfstab file and share the /usr/share/man directory.

sys-04 # vi /etc/dfs/dfstab

Add the following line to /etc/dfs/dfstab:

share -F nfs -o ro /usr/share/man

4. Use the svcadm command to stop (if necessary) and start the NFS server. If the server is not running, you can just start it. If it is currently running, stop and start the server so that it reads the changes to the /etc/default/nfs file.


sys-04 # svcadm disable svc:/network/nfs/server
sys-04 # svcadm enable svc:/network/nfs/server

5. Verify the file system is shared.

sys-04 # dfshares
RESOURCE                      SERVER   ACCESS   TRANSPORT
sys-04:/usr/share/man         sys-04   -        -

or...

sys-04 # share
-               /usr/share/man   ro   ""

6. Log in to the NFS client machine and verify that the file system is shared.

sys-01 # dfshares sys-04
RESOURCE                      SERVER   ACCESS   TRANSPORT
sys-04:/usr/share/man         sys-04   -        -

Task 2 – Configure a NFS Version 4 Client

1. Select a machine to be the client and log in as the root user.

2. Edit the /etc/default/nfs file to configure the machine as a NFS version 4 client only.

sys-01 # vi /etc/default/nfs

Before:

# Sets the minimum version of the NFS protocol that will be used by
# the NFS client. Can be overridden by the "vers=" NFS mount option.
# The default is 2.
#NFS_CLIENT_VERSMIN=2

# Sets the maximum version of the NFS protocol that will be used by
# the NFS client. Can be overridden by the "vers=" NFS mount option.
# If "vers=" is not specified for an NFS mount, this is the version
# that will be attempted first. The default is 3.
#NFS_CLIENT_VERSMAX=3

After:

# Sets the minimum version of the NFS protocol that will be used by
# the NFS client. Can be overridden by the "vers=" NFS mount option.
# The default is 2.
#NFS_CLIENT_VERSMIN=2
NFS_CLIENT_VERSMIN=4

# Sets the maximum version of the NFS protocol that will be used by
# the NFS client. Can be overridden by the "vers=" NFS mount option.
# If "vers=" is not specified for an NFS mount, this is the version
# that will be attempted first. The default is 3.
#NFS_CLIENT_VERSMAX=3
NFS_CLIENT_VERSMAX=4
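The /etc/default/nfs edits of Task 1 step 2 (server) and Task 2 step 2 (client) follow one pattern: the commented default stays in place and an active line is added after it. The following is an added example, not part of the workbook, that performs that edit from a script and reads back the version range that will take effect, so the half-done state (VERSMIN raised to 4 while VERSMAX is still 3) is caught before the service is restarted. The function names and the sample file are this example's own; the keys and the documented defaults (2 and 3) are those the workbook listings show.

```shell
#!/bin/sh
# Added example, not from the workbook: edit an /etc/default/nfs style file
# the way the solution does (keep the commented default, add an active line
# after it, or replace an active line that is already there) and read back
# the version range that will take effect.
# Assumptions: the function names and the sample file content below are this
# example's own; the keys and defaults are those the workbook shows.

# make_sample_nfs_default FILE: write a copy of the server stanzas from the
# "Before:" listing (constructed sample input).
make_sample_nfs_default() {
    cat > "$1" <<'EOF'
# Sets the minimum version of the NFS protocol that will be registered
# and offered by the server. The default is 2.
#NFS_SERVER_VERSMIN=2

# Sets the maximum version of the NFS protocol that will be registered
# and offered by the server. The default is 3.
#NFS_SERVER_VERSMAX=3
EOF
}

# nfs_default_get FILE KEY: print the active (uncommented) value of KEY, or
# nothing when only the commented default is present.
nfs_default_get() {
    awk -F= -v key="$2" '$1 == key { val = $2 } END { if (val != "") print val }' "$1"
}

# nfs_default_set FILE KEY VALUE: replace an existing active KEY= line; else
# insert KEY=VALUE directly after the commented #KEY= default; else append.
nfs_default_set() {
    file=$1; key=$2; value=$3; tmp="$file.tmp.$$"
    if [ -n "$(nfs_default_get "$file" "$key")" ]; then
        awk -F= -v key="$key" -v value="$value" \
            '$1 == key { print key "=" value; next } { print }' "$file" > "$tmp"
    elif grep -q "^#$key=" "$file"; then
        awk -F= -v key="$key" -v value="$value" \
            '{ print } $1 == ("#" key) { print key "=" value }' "$file" > "$tmp"
    else
        { cat "$file"; printf '%s=%s\n' "$key" "$value"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# nfs_version_range FILE ROLE: effective "MIN MAX" for ROLE (SERVER or
# CLIENT), falling back to the documented defaults (2 and 3) when unset.
nfs_version_range() {
    min=$(nfs_default_get "$1" "NFS_${2}_VERSMIN")
    max=$(nfs_default_get "$1" "NFS_${2}_VERSMAX")
    echo "${min:-2} ${max:-3}"
}

# nfs_version_range_ok FILE ROLE: fails when MIN exceeds MAX, which is what
# raising VERSMIN to 4 without also raising VERSMAX produces.
nfs_version_range_ok() {
    set -- $(nfs_version_range "$1" "$2")
    [ "$1" -le "$2" ]
}

# Demonstration on the constructed sample: the two edits of step 2, checked
# after each one.
demo_file=$(mktemp)
make_sample_nfs_default "$demo_file"
nfs_default_set "$demo_file" NFS_SERVER_VERSMIN 4
nfs_version_range_ok "$demo_file" SERVER \
    || echo "VERSMIN=4 alone gives range $(nfs_version_range "$demo_file" SERVER): invalid"
nfs_default_set "$demo_file" NFS_SERVER_VERSMAX 4
nfs_version_range_ok "$demo_file" SERVER \
    && echo "with VERSMAX=4 the range is $(nfs_version_range "$demo_file" SERVER): version 4 only"
rm -f "$demo_file"
```

For the client side the same functions apply with ROLE set to CLIENT, which selects NFS_CLIENT_VERSMIN and NFS_CLIENT_VERSMAX. Running the edit through a function rather than by hand also means the file is never left with two active lines for one key, which is the usual way a later "After:" listing and the running service stop agreeing.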

3. Create the /usr/local/man directory to be used as the mount point.

sys-01 # mkdir -p /usr/local/man

4. Open another terminal on the client and run the following snoop command:

sys-01 # snoop -V rpc nfs client server

5. Mount the /usr/share/man directory on the /usr/local/man mount point that you created.

sys-01 # mount sys-04:/usr/share/man /usr/local/man

6. Examine the snoop command output and observe that NFS version 4 is in use.

7. Use the nfsstat(1M) command to verify that you are using NFS version 4.

sys-01 # nfsstat -m /usr/local/man
/usr/local/man from sys-04:/usr/share/man
 Flags: vers=4,proto=tcp,sec=sys,hard,intr,link,symlink,acl,rsize=1048576,wsize=1048576,retrans=5,timeo=600
 Attr cache: acregmin=3,acregmax=60,acdirmin=30,acdirmax=60

8. Test by displaying a man page from the /usr/local/man directory.

sys-01 # man -M /usr/local/man ls
...

9. Log in to the NFS server machine as the root user. Use the rpcinfo(1M) command to verify NFS version 4 is running. Check for the rpcbind and mountd services.

Examples:

sys-04 # /usr/bin/rpcinfo -u localhost rpcbind
sys-04 # /usr/bin/rpcinfo -u localhost mountd
sys-04 # /usr/bin/rpcinfo -u localhost rpcbind
program 100000 version 2 ready and waiting
program 100000 version 3 ready and waiting
program 100000 version 4 ready and waiting

sys-04 # /usr/bin/rpcinfo -u localhost mountd
rpcinfo: RPC: Program not registered
program 100005 is not available


10. Did either command indicate NFS version 4 was active?

Maybe, if other versions of NFS were run before.

11. Was rpcbind present?

Yes.

If the mountd daemon is running, do the following:

12. Log in to the NFS client and use the umount(1M) command to remove the mounted file system.

sys-01 # umount /usr/local/man

13. On the NFS server, kill the mountd daemon.

sys-04 # pkill mountd

14. On the NFS client, re-issue the mount command to mount the remote file system again. Did this command work?

sys-01 # mount sys-04:/usr/share/man /usr/local/man

Yes.

15. On the NFS server, use the showmount(1M) command to show all clients that have mounted the file system.

Did the command work? If not, why?

sys-04 # showmount -e
showmount: sys-04: RPC: Program not registered

The showmount(1M) command does not work with NFS version 4.

Note – The mountd(1M) service is built into NFS version 4, so you can remove the running daemon and NFS version 4 will work. Restart it for other versions of NFS. It is started by the /etc/init.d/nfs.server script if there are shared file systems.

Task 3 – Examining the Pseudo-File System

The purpose of this exercise is to examine how the exported file systems from a NFS version 4 server are presented to a NFS version 3 client and a NFS version 4 client.

1. On the NFS client, use the umountall(1M) command to remove the NFS mount from the previous exercise.

2. Log in to the server machine and create the following directory tree:

/export_fs
/export_fs/projects
/export_fs/local
/export_fs/payroll
/export_fs/projects/nfs4
/export_fs/projects/nfs4x

sys-04 # mkdir -p /export_fs/projects/nfs4x
sys-04 # mkdir -p /export_fs/projects/nfs4
sys-04 # mkdir -p /export_fs/payroll
sys-04 # mkdir -p /export_fs/local

3. Stop the NFS server, then configure the NFS server to use NFS version 2, version 3, and version 4.

sys-04 # /etc/init.d/nfs.server stop

# Sets the maximum version of the NFS protocol that will be registered
# and offered by the server. The default is 3.
#NFS_SERVER_VERSMAX=3
NFS_SERVER_VERSMAX=4

4. Edit the /etc/dfs/dfstab file and share the /export_fs/projects/nfs4 and /export_fs/local directories.

share -F nfs /export_fs/projects/nfs4
share -F nfs /export_fs/local

5. Restart the NFS server service.

sys-04 # /etc/init.d/nfs.server start

6. Log in to the client machine. Verify that the client supports NFS version 3 and version 2 only.

# Sets the minimum version of the NFS protocol that will be used by
# the NFS client. Can be overridden by the "vers=" NFS mount option.
# The default is 2.
#NFS_CLIENT_VERSMIN=2

# Sets the maximum version of the NFS protocol that will be used by
# the NFS client. Can be overridden by the "vers=" NFS mount option.
# If "vers=" is not specified for an NFS mount, this is the version
# that will be attempted first. The default is 3.
#NFS_CLIENT_VERSMAX=3

7. Create a new mount point.

sys-01 # mkdir /sys-04

8. Mount the export_fs file system from the NFS server onto the newly created mount point. In a separate window, use snoop to watch the traffic on the network, and verify NFSv3 is being used.

sys-01 # snoop -V rpc nfs client server


sys-01 # mount sys-04:/export_fs /sys-04
nfs mount: sys-04:/export_fs: Permission denied

9. Could you mount the file system?

No.

10. Try to mount the /export_fs/local directory onto the mount point.

sys-01 # mount sys-04:/export_fs/local /sys-04

11. Could you mount the file system?

Yes.

12. Can you change directory to the mount point?

Yes.

13. Can you change directory to /sys-04/projects?

No.

14. Can you change directory to /sys-04/projects/nfs4?

No.

15. Change directory to the root directory. Use the mount command to display the current mounts.

sys-01 # mount
/ on /dev/dsk/c0t0d0s0 read/write/setuid/devices/intr/largefiles/logging/xattr/onerror=panic/dev=800018 on Sat Jul 10 09:18:20 2004
/devices on /devices read/write/setuid/devices/dev=4800000 on Sat Jul 10 09:18:17 2004
/proc on proc read/write/setuid/devices/dev=4840000 on Sat Jul 10 09:18:20 2004
/etc/mnttab on mnttab read/write/setuid/devices/dev=4900001 on Sat Jul 10 09:18:20 2004
/dev/fd on fd read/write/setuid/devices/dev=4940001 on Sat Jul 10 09:18:20 2004
/var on /dev/dsk/c0t0d0s3 read/write/setuid/devices/intr/largefiles/logging/xattr/onerror=panic/dev=80001b on Sat Jul 10 09:18:41 2004
/var/run on swap read/write/setuid/devices/xattr/dev=49c0001 on Sat Jul 10 09:18:41 2004
/tmp on swap read/write/setuid/devices/xattr/dev=49c0002 on Sat Jul 10 09:18:41 2004
/sys-04 on sys-04:/export_fs/local remote/read/write/setuid/devices/xattr/dev=4ac0016 on Sat Jul 10 16:50:03 2004


16. Use the umount command to remove the mounted file system and verify it is no longer mounted.

sys-01 # umount /sys-04
sys-01 # mount
/ on /dev/dsk/c0t0d0s0 read/write/setuid/devices/intr/largefiles/logging/xattr/onerror=panic/dev=800018 on Sat Jul 10 09:18:20 2004
/devices on /devices read/write/setuid/devices/dev=4800000 on Sat Jul 10 09:18:17 2004
/proc on proc read/write/setuid/devices/dev=4840000 on Sat Jul 10 09:18:20 2004
/etc/mnttab on mnttab read/write/setuid/devices/dev=4900001 on Sat Jul 10 09:18:20 2004
/dev/fd on fd read/write/setuid/devices/dev=4940001 on Sat Jul 10 09:18:20 2004
/var on /dev/dsk/c0t0d0s3 read/write/setuid/devices/intr/largefiles/logging/xattr/onerror=panic/dev=80001b on Sat Jul 10 09:18:41 2004
/var/run on swap read/write/setuid/devices/xattr/dev=49c0001 on Sat Jul 10 09:18:41 2004
/tmp on swap read/write/setuid/devices/xattr/dev=49c0002 on Sat Jul 10 09:18:41 2004

17. Change the /etc/default/nfs file and enable NFS version 4 on the client machine.

# Sets the maximum version of the NFS protocol that will be used by
# the NFS client. Can be overridden by the "vers=" NFS mount option.
# If "vers=" is not specified for an NFS mount, this is the version
# that will be attempted first. The default is 3.
NFS_CLIENT_VERSMAX=4

18. Mount the export_fs file system from the NFS server onto the newly created mount point.

sys-01 # mount sys-04:/export_fs /sys-04

19. Could you mount the file system?

Yes.

20. Can you change directory to the mount point?

Yes.

21. Use the ls command to list the contents of the directory.

sys-01 # ls
local     projects

22. Can you change directory to /mount-point/projects?

Yes.


23. Can you change directory to /mount-point/projects/nfs4?

Yes.


Lab 9

Exercise 9: Changes to Security

Objective

In this exercise, you complete the following tasks:

● Using the user-level Solaris™ Operating System (Solaris OS) Cryptographic Framework (SCF) utilities

● Examining administration tasks for SCF

● Configuring the Solaris OS Internet Protocol (IP) Filter firewall

● Configuring Network Address Translation (NAT) in the Solaris IP Filter

Preparation

Log in to the remote lab systems.

Task 1 – Using the User-Level SCF Utilities

The purpose of the exercise is to understand how customers might use the SCF's user-level utilities.

The encrypt(1M) and mac(1M) utilities require input keys. The length of the key depends on the mechanism used. To determine the key length, these commands have list options that display minimum and maximum key length in bits. The first step in this exercise demonstrates how to generate a key.

1. Determine the key length needed. For both the mac(1M) and encrypt(1M) commands, you can use the -l option to list key lengths. List the key lengths for the mechanisms that these utilities support.


2. You use the /dev/urandom random device and dd(1M) command to generate and store key material in a file. The dd(1M) command takes as an option a block size in bytes. You must convert the listed key size in bits to bytes by dividing the size by eight. Find the key size in bytes for a 3DES key.

3. The following command generates a key file called 3des.key .

# dd if=/dev/urandom of=/var/tmp/3des.key bs=24 count=1

The bs value is the block size in bytes and count is the number of blocks to output.

4. You now encrypt a file using 3DES. The SCF in this release limits symmetric encryption keys to 128 bits to meet export regulations. 3DES is listed with a 192-bit key: that key is a concatenation of three 64-bit DES keys, and each DES key is really 56 bits of key material plus eight parity bits. 3DES applies the three DES keys in turn.

Use the encrypt(1) utility to encrypt the /usr/share/man/man1/bash.1 file and store the encrypted file in the /var/tmp directory.

5. Examine the original file using the strings(1) command. Examine the output file using the same command.

6. Now decrypt the file and save the decrypted output to the /var/tmp directory.

7. Verify the output file is no longer encrypted.

8. Did this operation remove the encrypted file?

9. Create a new key and save it to a file; this key should be 128 bits.

10. Now attempt to encrypt the bash.1 file using the new key.

11. Record the error code indicating an invalid key value.


12. The SCF limits encryption key size to 128 bits for export reasons. However, this limit does not apply to keyed hash mechanisms. List the key requirements for the mac(1) utility mechanisms.

13. Create a 512-bit key using the steps described earlier.

14. Create a keyed digest of the file bash.1 .

15. Copy the /etc/hosts file to the /var/tmp directory.

16. Use the digest(1) command to create a digest of the /var/tmp/hosts file.

17. Edit the /var/tmp/hosts file and add a line to the file.


18. Create a digest of the file again using the same mechanism.

19. Remove the line you added in a previous step and re-compute the digest.

20. Create a key suitable for use with the ARCFOUR encryption mechanism.

21. The ARCFOUR algorithm is suitable for encrypting streams of data. In this exercise, you create a tar archive of the ./inet/* files, encrypt the resulting stream, and save the output to the /var/tmp directory in one step. Change directory to the /etc directory.

22. Use the tar command to archive the contents of the ./inet directory, pipe the output to the encrypt command, and save the resulting file in the /var/tmp directory.

23. Change directory to /var/tmp and verify that the file is encrypted.

24. Decrypt and extract the tar file to the /var/tmp/ directory.

Task 2 – Examining Administration Tasks for SCF

The purpose of this exercise is to become familiar with the tasks required for administration of the SCF. These include enabling and disabling mechanisms, and adding providers to the framework.

The cryptoadm(1M) command is used for administering the SCF. This utility allows the administrator to do the following:

● Start and stop the kcfd(1M) daemon

● Load and unload user-level, kernel software, and kernel hardware providers

● Set a policy to allow or deny access to specific providers or to mechanisms that a provider uses

1. The cryptoadm command lists providers and mechanisms. To do so, you use the list option alone or with arguments. Run the cryptoadm command in the following forms and compare the output. A brief listing:

# cryptoadm list

user-level providers:
/usr/lib/security/$ISA/pkcs11_kernel.so
/usr/lib/security/$ISA/pkcs11_softtoken.so

kernel software providers:
des
aes
arcfour
blowfish
sha1
md5
rsa

kernel hardware providers:

List the mechanisms for all installed providers:

# cryptoadm list -m

user-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: no slots presented.
/usr/lib/security/$ISA/pkcs11_softtoken.so: CKM_DES_CBC,CKM_DES_CBC_PAD...

kernel software providers:
==========================
des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
aes: CKM_AES_ECB,CKM_AES_CBC
arcfour: CKM_RC4
blowfish: CKM_BF_ECB,CKM_BF_CBC
sha1: CKM_SHA_1,CKM_SHA_1_HMAC,CKM_SHA_1_HMAC_GENERAL
md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
rsa: CKM_RSA_PKCS,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS

kernel hardware providers:

List the mechanisms for a specific installed provider:

# cryptoadm list -m provider=rsa
rsa: CKM_RSA_PKCS,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS

List the policy (which mechanisms are enabled) for all providers:

# cryptoadm list -p

user-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled.
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled.

kernel software providers:
==========================
des: all mechanisms are enabled.
aes: all mechanisms are enabled.
arcfour: all mechanisms are enabled.
blowfish: all mechanisms are enabled.
sha1: all mechanisms are enabled.
md5: all mechanisms are enabled.
rsa: all mechanisms are enabled.

kernel hardware providers:

List the policy for a specific provider (the single quotes keep the shell from expanding $ISA):

# cryptoadm list -p provider=/usr/lib/security/'$ISA'/pkcs11_softtoken.so
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled.

2. The administrator might need to disable a specific mechanism if a problem is found with the algorithm, making it undesirable for use, or if another provider's implementation is more robust. In this example, you disable the user-level provider's mechanisms for the DES algorithm. First list the mechanisms for the user-level provider pkcs11_softtoken.so.

3. Find all of the mechanisms for DES and use the disable option to disable them. (Hint: all mechanisms for an algorithm are grouped together in the output of the previous command.)

4. Now attempt to encrypt the /etc/hosts file using the DES mechanism. It is unnecessary to generate a key file: omit the -k option used in the previous tasks and type an arbitrary key when you are prompted for one. What was the result?


5. List the available mechanisms for the user-level provider.

6. You can enable a provider's mechanisms by using the enable option. You can list the mechanisms to enable or use the special keyword all. Enable all user-level mechanisms.

7. List the available mechanisms to verify they are enabled.

8. The refresh option lets the administrator see an updated list of provider information. You would use the refresh option after installing and configuring a hardware provider or installing a software provider package. You also use the refresh option if a kernel provider has been temporarily unloaded. Use the unload option to unload the blowfish kernel software provider.

9. List the providers to see the result of the last command.

10. Now use the refresh option to restore the blowfish kernel provider and then repeat the previous listing.


11. The administrator might need to uninstall a kernel-level provider if site policy forbids the use of its mechanisms or for other reasons. The uninstall option removes a provider. First list the providers and mechanisms. You need the list of mechanisms for RSA to proceed: copy the mechanism list for the kernel provider rsa into a file or another shell window.

12. Use the uninstall option to remove RSA.

13. List the providers and note that RSA is no longer listed.

14. To install the provider again, use the install option. This command requires that you supply the mechanism operands. Use the install option to re-install rsa, passing the comma-separated mechanism list that you saved in a previous step (in the same form that cryptoadm list -m printed it).

15. Confirm the RSA provider is installed.
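The policy listings in this task are also something you can check mechanically, for example before signing off that a host complies with a site rule that forbids single DES. The following Python script is an added example written for this edit, not part of the Sun workbook or of cryptoadm itself: it parses the two output formats shown above, `cryptoadm list -m` (which mechanisms each provider implements) and `cryptoadm list -p` (the policy: all enabled, or all enabled except a list), and reports every provider that still offers a mechanism on a hypothetical forbidden list. The sample listings are constructed from the page's output and shortened, and the FORBIDDEN set is an assumed site policy.

```python
import re

# Constructed sample output, modelled on the `cryptoadm list -m` and `cryptoadm list -p`
# listings in this task (the softtoken mechanism line is shortened to a few entries).
SAMPLE_LIST_M = """\
user-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: no slots presented.
/usr/lib/security/$ISA/pkcs11_softtoken.so: CKM_DES_CBC,CKM_DES_CBC_PAD,CKM_DES_ECB,CKM_DES_KEY_GEN,CKM_DES_MAC_GENERAL,CKM_DES_MAC,CKM_DES3_CBC,CKM_AES_CBC,CKM_MD5,CKM_MD5_HMAC

kernel software providers:
==========================
des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
aes: CKM_AES_ECB,CKM_AES_CBC
md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
"""

SAMPLE_LIST_P = """\
user-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled.
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, except CKM_DES_MAC,CKM_DES_MAC_GENERAL,CKM_DES_KEY_GEN,CKM_DES_ECB,CKM_DES_CBC_PAD,CKM_DES_CBC.

kernel software providers:
==========================
des: all mechanisms are enabled.
aes: all mechanisms are enabled.
md5: all mechanisms are enabled.
"""

# Hypothetical site policy: single DES and plain MD5 may not be offered by any provider.
FORBIDDEN = {"CKM_DES_ECB", "CKM_DES_CBC", "CKM_MD5"}

MECH_LINE = re.compile(r"^(\S+): (CKM_\S+)$")
POLICY_LINE = re.compile(r"^(\S+): all mechanisms are (enabled|disabled)(?:, except (\S+?))?\.?$")


def parse_mechanisms(listing):
    """Provider -> set of mechanisms it implements, from `cryptoadm list -m` output."""
    mechs = {}
    for line in listing.splitlines():
        m = MECH_LINE.match(line.strip())
        if m:
            mechs[m.group(1)] = set(m.group(2).rstrip(".").split(","))
    return mechs


def parse_policy(listing):
    """Provider -> (base policy, exception set), from `cryptoadm list -p` output."""
    policy = {}
    for line in listing.splitlines():
        m = POLICY_LINE.match(line.strip())
        if m:
            exceptions = set(m.group(3).split(",")) if m.group(3) else set()
            policy[m.group(1)] = (m.group(2), exceptions)
    return policy


def enabled_mechanisms(mechs, policy):
    """Apply the policy to each provider's mechanism list; a provider missing from -p output counts as fully enabled."""
    enabled = {}
    for provider, all_mechs in mechs.items():
        base, exceptions = policy.get(provider, ("enabled", set()))
        enabled[provider] = all_mechs - exceptions if base == "enabled" else all_mechs & exceptions
    return enabled


def violations(mechs, policy, forbidden):
    """Providers that still offer a forbidden mechanism, with the offending mechanisms sorted."""
    return {provider: sorted(active & forbidden)
            for provider, active in enabled_mechanisms(mechs, policy).items() if active & forbidden}


if __name__ == "__main__":
    found = violations(parse_mechanisms(SAMPLE_LIST_M), parse_policy(SAMPLE_LIST_P), FORBIDDEN)
    for provider, bad in found.items():
        print(f"{provider}: still enabled: {','.join(bad)}")
```

On the sample data the softtoken provider is clean for DES (the disable from step 3 took effect) but still offers CKM_MD5, and the kernel des and md5 providers are untouched by a user-level disable; a policy check has to look at every provider, not just the one you edited.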

Task 3 – Configuring the Solaris IP Filter Firewall

The purpose of this lab is to configure the Solaris OS IP Filter and use the utilities included with it. Initially you configure a host-based firewall and use another system to test it. Eventually you add another system to examine NAT in Task 4.

1. Select a host to configure as the Solaris OS IP Filter host. In the examples, this is sys-02. You also need a host to test the filter; in the examples, this is sys-04. Verify that you can run the ping and telnet commands from the test host to the filter host. Verify that you have network terminal server access to the filter host.

2. Log in to the IP Filter host on the console using the network terminal server. Configure a rule to disallow all traffic.

3. Start a ping command with the -s option from the test host to the filter host.

4. Set the TERM variable to vt100 and edit the /etc/ipf/pfil.ap file: remove the comment from the line for the interface type used by the filter host.

5. Execute the /etc/init.d/pfil script with the start option.

6. Use the ifconfig command to display the interfaces on the filter host. Note the IP address and unplumb the interface. Now plumb the interface again, add the IP address, and set the interface to up. Unplumbing the interface drops every network session to the host, which is why this task is done from the console.

7. Use the /etc/init.d/ipfboot script to start the IP Filter.


8. Note that the ping command from the test host has not resumed. Use the ipfstat(1M) command to display the current inbound and outbound filters.

9. Use the ipf -D command to disable the filter.

10. Use the ipf -E command to re-enable the filter.

11. Use the ipf (1M) command to flush the current rule set.

12. Check the filters again with the ipfstat command. In a few moments you should observe the ping command from the test host resume. You can stop the ping command after it resumes.

13. Add a new rule to the /etc/ipf/ipf.conf file to allow ssh from anywhere to the filter host and keep state.

14. Add the rules to the kernel module and test by using secure shell from the test host to the filter host.

Note – If sshd(1M) is not configured to permit root logins, edit the /etc/ssh/sshd_config file and change PermitRootLogin from its default value of no to yes. Do this only for the lab; root logins over ssh stay disabled on production systems.

15. Use the ipmon(1M) command to examine the state information.

16. On the test host, end the secure shell session and attempt to use the telnet command to connect to the filter host. Allow the attempt to continue.

17. On the filter host, use the ipfstat command to examine the blocked input packets. Execute the command two or three times and observe the increase in the number of blocked packets recorded.

18. Edit the /etc/syslog.conf file and add a line to log auth.info to the file /var/log/authlog. Stop and start syslog.

19. The reason the blocked packet count increased while you watched it with the ipfstat -ihn command is that the filter drops packets silently, so the telnet client's TCP stack retransmits its connection request several times. You now edit the rule to log blocked packets and to answer telnet connections with a packet that has the RST flag set.

20. Make the following edit to the block rule. Flush the rule set and add the new rule set to the kernel module.

block in log level auth.info all

21. Attempt to use the telnet command to connect from the test host to the filter host, and apply the tail command to the /var/log/authlog file on the filter host.


22. On the filter host, use the ipmon command to examine the logs.

23. Make the following edits to the /etc/ipf/ipf.conf file:

block in log level auth.info all
block return-rst in quick on eri0 proto tcp from any to 192.168.201.22/32 port = 23
pass in quick on eri0 proto tcp from any to 192.168.201.22/32 port = 22 keep state

24. Flush the existing rules and add the new set.

25. Telnet from the test host to the filter host, and observe the results.

26. In this step, you create a second rule set. It is added to the kernel as an inactive rule set. You switch between the active and inactive rule sets to test one and return to the other. Copy the /etc/ipf/ipf.conf file to the /etc/ipf/ipf2.conf file and append the following:

pass in quick on eri0 proto icmp from any to \
    192.168.201.22 icmp-type echo keep state
pass in quick on eri0 proto icmp from any to \
    192.168.201.22 icmp-type echorep keep state
pass in quick on eri0 proto icmp from any to \
    192.168.201.22 icmp-type unreach code needfrag

These added rules allow Internet Control Message Protocol (ICMP) echo requests (ping) and echo replies, and allow the ICMP message indicating that a packet must be fragmented. The rules can be entered as three lines or with line continuation; the ipf(1M) command accepts both.

27. Add an inactive rule set to the ipf kernel module:

# ipf -I -f /etc/ipf/ipf2.conf

28. List the current inbound rules using the ipfstat command.

29. Now list the inactive rule set in the kernel. Use the same ipfstat command, with the addition of the -I option.

30. To switch between the rule sets in the kernel, use the -s option to the ipf command.

31. Test the new rules by sending repeated pings to the filter host from the test host. Use the ipf command to swap the active rule set while the ping command is executing.

32. To remove the inactive rule set from the kernel, use the ipf -IFa command.
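How IP Filter arrives at its verdict is the point of steps 19 to 32: the last matching rule wins unless a matching rule is marked quick, the state table is consulted before the rules, a plain block drops silently while return-rst answers TCP with a reset, and log applies only to the rule that decides. The Python model below is an added example written for this edit, not part of the workbook or of IP Filter; it implements just those semantics for the rule lines used in this task. The test host address (192.168.201.24) and the packets are constructed for illustration, and the parser handles only the syntax these rules use.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    iface: str
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0          # TCP/UDP destination port
    icmp_type: str = ""     # "echo", "echorep", "unreach"

@dataclass
class Rule:
    action: str             # "pass" or "block"
    quick: bool = False     # stop evaluating at this rule if it matches
    return_rst: bool = False
    log: bool = False
    iface: str = ""         # "" matches any interface
    proto: str = ""         # "" matches any protocol
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None
    icmp_type: str = ""
    keep_state: bool = False

def parse_rule(line):
    """Parse the subset of ipf.conf syntax this exercise uses (inbound rules, 'from any')."""
    toks = iter(line.split())
    rule = Rule(action=next(toks))
    for tok in toks:                       # "in" and "all" need no action
        if tok == "return-rst": rule.return_rst = True
        elif tok == "quick": rule.quick = True
        elif tok == "log": rule.log = True
        elif tok in ("level", "from", "code"): next(toks)   # skip facility.level, "any", the ICMP code
        elif tok == "on": rule.iface = next(toks)
        elif tok == "proto": rule.proto = next(toks)
        elif tok == "to":
            target = next(toks)
            if target != "any": rule.dst = ipaddress.ip_network(target, strict=False)
        elif tok == "port": next(toks); rule.dport = int(next(toks))   # "port = N"
        elif tok == "icmp-type": rule.icmp_type = next(toks)
        elif tok == "keep": next(toks); rule.keep_state = True         # "keep state"
    return rule

def matches(rule, pkt):
    return ((not rule.iface or rule.iface == pkt.iface)
            and (not rule.proto or rule.proto == pkt.proto)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (not rule.icmp_type or rule.icmp_type == pkt.icmp_type))

class Filter:
    def __init__(self, rules):
        self.rules = [parse_rule(r) for r in rules]
        self.state = set()      # flows admitted by a 'keep state' rule
        self.logged = []        # what ipmon would show for rules with 'log'

    def filter(self, pkt):
        key = (pkt.proto, pkt.src, pkt.dst, pkt.dport, pkt.icmp_type)
        if key in self.state:                   # the state table is checked before the rules
            return "pass (state)"
        winner = None
        for rule in self.rules:                 # the last matching rule wins ...
            if matches(rule, pkt):
                winner = rule
                if rule.quick:                  # ... unless a matching rule says 'quick'
                    break
        if winner is None:                      # IP Filter's default when nothing matches
            return "pass"
        if winner.log:
            self.logged.append(f"{winner.action} {pkt.proto} {pkt.src} -> {pkt.dst}")
        if winner.action == "pass":
            if winner.keep_state:
                self.state.add(key)
            return "pass"
        return "block (rst)" if winner.return_rst else "block (drop)"

RULES_STEP_23 = [
    "block in log level auth.info all",
    "block return-rst in quick on eri0 proto tcp from any to 192.168.201.22/32 port = 23",
    "pass in quick on eri0 proto tcp from any to 192.168.201.22/32 port = 22 keep state",
]
RULES_STEP_26 = RULES_STEP_23 + [
    "pass in quick on eri0 proto icmp from any to 192.168.201.22 icmp-type echo keep state",
    "pass in quick on eri0 proto icmp from any to 192.168.201.22 icmp-type echorep keep state",
    "pass in quick on eri0 proto icmp from any to 192.168.201.22 icmp-type unreach code needfrag",
]

def demo(rules):
    """Telnet, ssh and ping from the test host (address constructed) against one rule set."""
    fw = Filter(rules)
    telnet = Packet("eri0", "tcp", "192.168.201.24", "192.168.201.22", dport=23)
    ssh = Packet("eri0", "tcp", "192.168.201.24", "192.168.201.22", dport=22)
    ping = Packet("eri0", "icmp", "192.168.201.24", "192.168.201.22", icmp_type="echo")
    return {"telnet": fw.filter(telnet), "ssh_first": fw.filter(ssh),
            "ssh_next": fw.filter(ssh),         # same flow again: admitted by the state table
            "ping": fw.filter(ping), "logged": len(fw.logged)}
```

With the step 23 rules, telnet is reset rather than dropped and is not logged, because the quick return-rst rule decides before the logging block rule gets the last word; ping still falls through to the catch-all block and is logged. With the step 26 rules the same ping passes and creates state.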


Task 4 – Configuring NAT in the Solaris OS IP Filter

1. To start this exercise, return the filter host to a known state by removing the current rule set and verifying with the ipfstat command.

2. This exercise requires you to configure the second interface on both the filter host and the test host. In the examples, 192.168.100 network addresses are used for these interfaces. Use the ifconfig(1M) command to plumb and configure the interfaces.

Repeat for the test system with a unique IP address.

3. Verify that you can ping between the filter host and the test host.

4. Add the following NAT rule to the /etc/ipf/ipnat.conf file:

map eri0 192.168.100.0/24 -> 192.168.201.22/32

Note – You might find it more convenient to enable the internal interface of a third host and use the telnet command to connect to the test host on the internal side. The next steps require that you unplumb the primary interface on the test host; if you use the nts, it can time out and force you to log in again.

5. Log in to the test host using the network terminal server (nts). You must disable the primary interface, flush the route table, and add a route to the internal interface of the NAT router (filter host).

6. On the NAT router, you must enable and verify IP forwarding.

7. From the test host, ping the outside network address of one of the systems in the pod. In this example, system three at 192.168.201.24 is used. Use the ping -s command to set up a continuous ping.

8. On the NAT router, use the snoop -r -d eri1 command to examine the ping traffic being received on the 192.168.100.22 interface. Note that the traffic originates from the test host's IP address and is destined for 192.168.201.24. Now stop the snoop command on the eri1 interface and execute the snoop -r -d eri0 192.168.201.24 command (in this case, the -d option is not necessary but is included for clarity). Note that the packets now appear to originate from the NAT router's IP address.


9. Next, you examine Port Address Translation (PAT). This requires that you run the snoop command on both interfaces of the NAT router. Open three shells on that host: two for snoop commands and one for ipnat(1M) commands.

10. On the NAT router, edit the /etc/ipf/ipnat.conf file and change the current rule to the following:

map eri0 192.168.100.0/24 -> 192.168.201.22/32 \
    portmap tcp/udp 40000:50000

11. Flush the existing NAT rules and add the new rule.

12. In one shell on the NAT router, use the snoop -r -v -d eri1 192.168.100.25 command to examine inbound packets from the test host. In another shell, use the snoop -r -v -d eri0 192.168.201.24 command to examine the outbound packets destined for the target host. Substitute the correct IP addresses for your test and NAT hosts.

13. When both snoop commands are set up, use the telnet command to connect from the test host to the destination host. Examine the two snoop outputs and note that the source port is translated along with the source address.

14. The ipnat(1M) command lists the current mappings and active sessions. The active session portion of its output also shows the port mapping and can be useful when troubleshooting one of many active sessions.

15. The ipmon(1M) command can also be used to monitor NAT information.

Task 5 – Explore Solaris IP Filter Redirection NAT Rule

1. Log in to sys-01 and configure the eri1 interface with IP address 192.168.100.21.

2. On sys-02 flush all current IP Filtering and NAT rules.

3. On sys-01 verify network connectivity by pinging 192.168.100.22.

4. Log out of sys-01 and log in to sys-02, then log in to sys-01 from sys-02 using the 192.168.100.21 address.

5. Unplumb the eri0 interface on sys-01, flush the route table on sys-01, and add a default route to 192.168.100.22 (eri1 on sys-02).

6. Log out of sys-01; you should now be on sys-02. Create a new /etc/ipf/ipnat.conf file containing a single rule:

rdr eri0 192.168.201.22/32 port 23 -> 192.168.100.21 port 23 tcp


This rule redirects connections to port 23 on 192.168.201.22 (sys-02) to port 23 on 192.168.100.21 (eri1 of sys-01).

7. Add the rule to Solaris IP Filter.

8. Log in to sys-04 and initiate a telnet session from sys-04 to sys-02. This telnet connection connects you to sys-01.
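What snoop shows on the two interfaces in Task 4, and why the rdr rule in Task 5 lands you on sys-01, comes down to a translation table that the NAT router keeps per session. The Python model below is an added example written for this edit, not part of the workbook or of ipnat: it implements the map rule with portmap tcp/udp 40000:50000 for outbound packets from 192.168.100.0/24, the reverse translation of replies arriving at 192.168.201.22, and the rdr rule for port 23. The addresses follow the examples on this page, the outside client address (192.168.201.24) and the source ports are constructed, and reverse mapping of ICMP replies (which needs the ICMP identifier rather than a port) is left out.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pkt:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """map eri0 <inside>/24 -> <outside>/32 portmap tcp/udp lo:hi, plus optional rdr rules."""

    def __init__(self, inside_net, outside_ip, portmap=(40000, 50000), rdr=()):
        self.inside = ipaddress.ip_network(inside_net)
        self.outside = outside_ip
        self.next_port, self.last_port = portmap
        self.active = {}      # (proto, inside_ip, inside_port) -> mapped outside port
        self.reverse = {}     # (proto, mapped outside port) -> (inside_ip, inside_port)
        # rdr rules as (proto, public port, inside_ip, inside_port), plus the inverse for replies
        self.rdr = {(p, pub): (ip, port) for p, pub, ip, port in rdr}
        self.rdr_reply = {(p, ip, port): pub for (p, pub), (ip, port) in self.rdr.items()}

    def outbound(self, pkt):
        """Packet received on the inside interface (eri1), about to leave on eri0."""
        if ipaddress.ip_address(pkt.src) not in self.inside:
            return pkt
        reply_port = self.rdr_reply.get((pkt.proto, pkt.src, pkt.sport))
        if reply_port is not None:                   # reply from an rdr target: undo the redirect
            return replace(pkt, src=self.outside, sport=reply_port)
        if pkt.proto not in ("tcp", "udp"):          # portmap covers tcp/udp only; icmp gets the address rewrite alone
            return replace(pkt, src=self.outside)
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.active:                   # new session: take the next free port in the range
            if self.next_port > self.last_port:
                raise RuntimeError(f"portmap range exhausted at {self.last_port}")
            self.active[key] = self.next_port
            self.reverse[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return replace(pkt, src=self.outside, sport=self.active[key])

    def inbound(self, pkt):
        """Packet received on the outside interface (eri0) addressed to the router's public address."""
        if pkt.dst != self.outside:
            return pkt
        target = self.reverse.get((pkt.proto, pkt.dport)) or self.rdr.get((pkt.proto, pkt.dport))
        if target is None:                           # no session and no rdr: the router itself is the destination
            return pkt
        return replace(pkt, dst=target[0], dport=target[1])


def demo():
    nat = Nat("192.168.100.0/24", "192.168.201.22", rdr=[("tcp", 23, "192.168.100.21", 23)])
    # Task 4: two inside hosts happen to pick the same source port; PAT keeps their sessions apart.
    out_a = nat.outbound(Pkt("tcp", "192.168.100.25", 34567, "192.168.201.24", 23))
    out_b = nat.outbound(Pkt("tcp", "192.168.100.21", 34567, "192.168.201.24", 23))
    reply_a = nat.inbound(Pkt("tcp", "192.168.201.24", 23, "192.168.201.22", out_a.sport))
    # Task 5: a telnet to sys-02's public address is redirected to sys-01 on the inside network.
    rdr_in = nat.inbound(Pkt("tcp", "192.168.201.24", 51000, "192.168.201.22", 23))
    rdr_out = nat.outbound(Pkt("tcp", "192.168.100.21", 23, "192.168.201.24", 51000))
    # Task 4 step 8: the ping seen on eri0 carries the router's address as source.
    ping = nat.outbound(Pkt("icmp", "192.168.100.25", 0, "192.168.201.24", 0))
    return {"out_a": out_a, "out_b": out_b, "reply_a": reply_a,
            "rdr_in": rdr_in, "rdr_out": rdr_out, "ping": ping}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name}: {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

The two outbound sessions that share source port 34567 leave eri0 as 40000 and 40001, which is the entry you see in the active session part of ipnat -l; a reply to 40000 is steered back to 192.168.100.25:34567 only because that entry exists.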


Exercise Summary

Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

Task 1 – Using the User-Level SCF Utilities

The purpose of this exercise is to understand how customers might use the SCF's user-level utilities.

The encrypt(1) and mac(1) utilities require input keys. The length of the key depends on the mechanism used. To determine the key length, both commands have a list option that displays the minimum and maximum key length in bits. The first step in this exercise demonstrates how to generate a key.

1. Determine the key length needed. For both the mac(1) and encrypt(1) commands, you can use the -l option to list key lengths. List the key lengths for the mechanisms that these utilities support.

# mac -l
Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
des_mac                    64    64
sha1_hmac                   8   512
md5_hmac                    8   512

# encrypt -l
Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
aes                       128   128
arcfour                     8   128
des                        64    64
3des                      192   192

2. You use the /dev/urandom random device and the dd(1M) command to generate and store key material in a file. The dd(1M) command takes a block size in bytes as an option. You must convert the listed key size from bits to bytes by dividing by eight. Find the key size in bytes for a 3DES key.

24

3. The following command generates a key file called 3des.key.

# dd if=/dev/urandom of=/var/tmp/3des.key bs=24 count=1

The bs value is the block size in bytes and count is the number of blocks to output.


4. You now encrypt a file using 3DES. The SCF in this release limits symmetric encryption keys to 128 bits to meet export regulations. 3DES is listed with a 192-bit key: that key is a concatenation of three 64-bit DES keys, and each DES key is really 56 bits of key material plus eight parity bits. 3DES applies the three DES keys in turn.

Use the encrypt(1) utility to encrypt the /usr/share/man/man1/bash.1 file and store the encrypted file in the /var/tmp directory.

# encrypt -a 3des -k /var/tmp/3des.key -i \
    /usr/share/man/man1/bash.1 -o /var/tmp/bash.1.encrypt

5. Examine the original file using the strings(1) command. Examine the output file using the same command.

# strings /var/tmp/bash.1.encrypt

6. Now decrypt the file and save the decrypted output to the /var/tmp directory.

# decrypt -a 3des -k /var/tmp/3des.key -i \
    /var/tmp/bash.1.encrypt -o /var/tmp/bash.1

7. Verify the output file is no longer encrypted.

# strings /var/tmp/bash.1

8. Did this operation remove the encrypted file?

No.

9. Create a new key and save it to a file; this key should be 128 bits.

# dd if=/dev/urandom of=/var/tmp/128bit.key bs=16 count=1

10. Now attempt to encrypt the bash.1 file using the new key.

# encrypt -a 3des -k /var/tmp/128bit.key -i \
    /usr/share/man/man1/bash.1 -o /var/tmp/bash.1.encrypt

11. Record the error code indicating an invalid key value.

encrypt: failed to generate a key: CKR_ATTRIBUTE_VALUE_INVALID

12. The SCF limits encryption key size to 128 bits for export reasons. However, this limit does not apply to keyed hash mechanisms. List the key requirements for the mac(1) utility mechanisms.

# mac -l
Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
des_mac                    64    64
sha1_hmac                   8   512
md5_hmac                    8   512


13. Create a 512-bit key using the steps described earlier.

# dd if=/dev/urandom of=/var/tmp/512bit.key bs=64 count=1

14. Create a keyed digest of the file bash.1.

# mac -a md5_hmac -k /var/tmp/512bit.key \
    /usr/share/man/man1/bash.1
6fc2a3f74a74140248158bd2ef18cb64

15. Copy the /etc/hosts file to the /var/tmp directory.

# cp /etc/hosts /var/tmp

16. Use the digest(1) command to create a digest of the /var/tmp/hosts file.

# digest -a sha1 /var/tmp/hosts
81ec58a6be6e255ddae99f8ae1fb3e18bb9403f4

17. Edit the /var/tmp/hosts file and add a line to the file.

# vi /var/tmp/hosts

18. Create a digest of the file again using the same mechanism.

# digest -a sha1 /var/tmp/hosts
2386f728194d07d7bf4297c3a7308153c3c16c47

19. Remove the line you added in a previous step and re-compute the digest.

# digest -a sha1 /var/tmp/hosts
81ec58a6be6e255ddae99f8ae1fb3e18bb9403f4

20. Create a key suitable for use with the ARCFOUR encryption mechanism.

# dd if=/dev/urandom of=/var/tmp/arc.key bs=4 count=1

A 32-bit key satisfies the listed minimum of 8 bits but is trivially brute-forced; outside this exercise use the 128-bit maximum (bs=16).

21. The ARCFOUR algorithm is suitable for encrypting streams of data. In this exercise, you create a tar archive of the ./inet/* files, encrypt the resulting stream, and save the output to the /var/tmp directory in one step. Change directory to the /etc directory.

# cd /etc

22. Use the tar command to archive the contents of the ./inet directory, pipe the output to the encrypt command, and save the resulting file in the /var/tmp directory.

# tar cvf - ./inet | encrypt -a arcfour \
    -k /var/tmp/arc.key -o /var/tmp/tarencrypt

23. Change directory to /var/tmp and verify that the file is encrypted.

# cd /var/tmp
# strings ./tarencrypt


24. Decrypt and extract the tar file to the /var/tmp/ directory.

# decrypt -a arcfour -k /var/tmp/arc.key \
    -i ./tarencrypt | tar xvf -
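The following Python script is an added example written for this edit, not part of the workbook or of the SCF utilities. It reproduces the reasoning of steps 1 to 19 without a Solaris host: converting the key lengths printed by -l into dd block sizes, checking a key against the listed range (which is why the 128-bit 3DES key is rejected in step 11), and computing an unkeyed digest and a keyed MAC over a constructed hosts file before and after a line is added. It uses hashlib and hmac from the standard library; the KEY_RANGES table is copied from the encrypt -l and mac -l output above, and the file contents are constructed, not /etc/hosts.

```python
import hashlib
import hmac
import os

# Key-length table as printed by `encrypt -l` and `mac -l` on this page (min, max in bits).
KEY_RANGES = {
    "aes": (128, 128), "arcfour": (8, 128), "des": (64, 64), "3des": (192, 192),
    "des_mac": (64, 64), "sha1_hmac": (8, 512), "md5_hmac": (8, 512),
}


def key_bytes(bits):
    """Convert a key length in bits to the dd(1M) block size in bytes (step 2)."""
    if bits % 8:
        raise ValueError("key length must be a multiple of 8 bits")
    return bits // 8


def make_key(bits):
    """Equivalent of `dd if=/dev/urandom bs=<bytes> count=1`: raw random key material."""
    return os.urandom(key_bytes(bits))


def key_ok(mechanism, key):
    """Would the SCF accept this key for the mechanism? (steps 10-11: a 128-bit 3DES key is not)"""
    lo, hi = KEY_RANGES[mechanism]
    return lo <= len(key) * 8 <= hi


def digest(data):
    """Unkeyed digest, like `digest -a sha1`."""
    return hashlib.sha1(data).hexdigest()


def mac(key, data):
    """Keyed digest, like `mac -a md5_hmac -k keyfile`."""
    return hmac.new(key, data, hashlib.md5).hexdigest()


def verify(expected, actual):
    """Constant-time comparison; a plain == would leak timing information about the expected value."""
    return hmac.compare_digest(expected, actual)


def demo():
    """Re-run steps 13-19 on constructed data and show what each primitive does and does not protect."""
    hosts = b"127.0.0.1\tlocalhost\n192.168.201.22\tsys-02\n"      # constructed sample file
    tampered = hosts + b"192.168.201.99\tsys-evil\n"                # step 17: a line is added
    key = make_key(512)                                             # step 13: 512-bit MAC key
    stored_digest = digest(hosts)                                   # step 16
    stored_mac = mac(key, hosts)                                    # step 14
    return {
        # A digest detects the change (step 18) and matches again once the line is removed (step 19).
        "digest_detects_change": not verify(stored_digest, digest(tampered)),
        "digest_matches_after_restore": verify(stored_digest, digest(hosts)),
        # But whoever can edit the file can also recompute and replace an unkeyed digest.
        "attacker_can_recompute_digest": verify(digest(tampered), digest(tampered)),
        # A MAC detects the change too, and cannot be recomputed without the key.
        "mac_detects_change": not verify(stored_mac, mac(key, tampered)),
        "attacker_cannot_forge_mac": not verify(mac(key, tampered), mac(make_key(512), tampered)),
    }


if __name__ == "__main__":
    print("3DES key bytes:", key_bytes(192))
    print("128-bit key accepted for 3des:", key_ok("3des", make_key(128)))
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The distinction this makes is the one behind step 12: a digest stored next to the file only catches accidental change, while a MAC with a key the attacker does not hold catches deliberate change, which is why the keyed mechanisms are the ones worth a 512-bit key.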

Task 2 – Examining Administration Tasks for SCF

The purpose of this exercise is to become familiar with the tasks required for administration of the SCF. These include enabling and disabling mechanisms, and adding providers to the framework.

The cryptoadm(1M) command is used for administering the SCF. This utility allows the administrator to do the following:

● Start and stop the kcfd(1M) daemon

● Load and unload user-level, kernel software, and kernel hardware providers

● Set a policy to allow or deny access to specific providers or to mechanisms that a provider uses

1. The cryptoadm command lists providers and mechanisms. To do so, you use the list option alone or with arguments. Run the cryptoadm command in the following forms and compare the output. A brief listing:

# cryptoadm list

user-level providers:
/usr/lib/security/$ISA/pkcs11_kernel.so
/usr/lib/security/$ISA/pkcs11_softtoken.so

kernel software providers:
des
aes
arcfour
blowfish
sha1
md5
rsa

kernel hardware providers:

List the mechanisms for all installed providers:

# cryptoadm list -m

user-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: no slots presented.
/usr/lib/security/$ISA/pkcs11_softtoken.so: CKM_DES_CBC,CKM_DES_CBC_PAD...

kernel software providers:
==========================
des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
aes: CKM_AES_ECB,CKM_AES_CBC
arcfour: CKM_RC4
blowfish: CKM_BF_ECB,CKM_BF_CBC
sha1: CKM_SHA_1,CKM_SHA_1_HMAC,CKM_SHA_1_HMAC_GENERAL
md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
rsa: CKM_RSA_PKCS,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS

kernel hardware providers:

List the mechanisms for a specific installed provider:

# cryptoadm list -m provider=rsa
rsa: CKM_RSA_PKCS,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS

List the policy (which mechanisms are enabled) for all providers:

# cryptoadm list -p

user-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled.
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled.

kernel software providers:
==========================
des: all mechanisms are enabled.
aes: all mechanisms are enabled.
arcfour: all mechanisms are enabled.
blowfish: all mechanisms are enabled.
sha1: all mechanisms are enabled.
md5: all mechanisms are enabled.
rsa: all mechanisms are enabled.

kernel hardware providers:

List the policy for a specific provider (the single quotes keep the shell from expanding $ISA):

# cryptoadm list -p provider=/usr/lib/security/'$ISA'/pkcs11_softtoken.so
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled.

2. The administrator might need to disable a specific mechanism if a problem is found with the algorithm, making it undesirable for use, or if another provider's implementation is more robust. In this example, you disable the user-level provider's mechanisms for the DES algorithm. First list the mechanisms for the user-level provider pkcs11_softtoken.so.

# cryptoadm list -m provider=/usr/lib/security/'$ISA'/pkcs11_softtoken.so
/usr/lib/security/$ISA/pkcs11_softtoken.so: CKM_DES_CBC,CKM_DES_CBC_PAD,CKM_DES_ECB,CKM_DES_KEY_GEN,CKM_DES_MAC_GENERAL,CKM_DES_MAC,CKM_DES3_CBC,CKM_DES3_CBC_PAD,CKM_DES3_ECB,CKM_DES3_KEY_GEN,CKM_AES_CBC,CKM_AES_CBC_PAD,CKM_AES_ECB,CKM_AES_KEY_GEN,CKM_SHA_1,CKM_SHA_1_HMAC,CKM_SHA_1_HMAC_GENERAL,CKM_SSL3_SHA1_MAC,CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL,CKM_SSL3_MD5_MAC,CKM_RC4,CKM_RC4_KEY_GEN,CKM_DSA,CKM_DSA_SHA1,CKM_DSA_KEY_PAIR_GEN,CKM_RSA_PKCS,CKM_RSA_PKCS_KEY_PAIR_GEN,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS,CKM_DH_PKCS_KEY_PAIR_GEN,CKM_DH_PKCS_DERIVE,CKM_MD5_KEY_DERIVATION,CKM_SHA1_KEY_DERIVATION,CKM_PBE_SHA1_RC4_128,CKM_PKCS5_PBKD2,CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_TLS_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_TLS_MASTER_KEY_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_TLS_MASTER_KEY_DERIVE_DH,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_TLS_KEY_AND_MAC_DERIVE

3. Find all of the mechanisms for DES and use the disable option to disable them. (Hint: all mechanisms for an algorithm are grouped together in the output of the previous command.)

# cryptoadm disable \
    provider=/usr/lib/security/'$ISA'/pkcs11_softtoken.so \
    mechanism=CKM_DES_CBC,CKM_DES_CBC_PAD,CKM_DES_ECB,CKM_DES_KEY_GEN,CKM_DES_MAC_GENERAL,CKM_DES_MAC

The mechanism list is a single comma-separated operand; a space inside it would be taken as a separate, invalid operand.

4. Now attempt to encrypt the /etc/hosts file using the DES mechanism. It is unnecessary to generate a key file: omit the -k option used in the previous tasks and type an arbitrary key when you are prompted for one. What was the result?

# encrypt -a des -i /etc/hosts -o /var/tmp/hosts
Enter key:
encrypt: no cryptographic provider was found for this algorithm -- des

5. List the available mechanisms for the user-level provider.

# cryptoadm list -p provider=/usr/lib/security/'$ISA'/pkcs11_softtoken.so
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, except CKM_DES_MAC,CKM_DES_MAC_GENERAL,CKM_DES_KEY_GEN,CKM_DES_ECB,CKM_DES_CBC_PAD,CKM_DES_CBC

6. You can enable a provider's mechanisms by using the enable option. You can list the mechanisms to enable or use the special keyword all. Enable all user-level mechanisms.

# cryptoadm enable provider=/usr/lib/security/'$ISA'/pkcs11_softtoken.so all

7. List the available mechanisms to verify they are enabled.


# cryptoadm list -p provider=/usr/lib/security/'$ISA'/pkcs11_softtoken.so
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled.

8. The refresh option lets the administrator see an updated list of provider information. You would use the refresh option after installing and configuring a hardware provider or installing a software provider package. You also use the refresh option if a kernel provider has been temporarily unloaded. Use the unload option to unload the blowfish kernel software provider.

# cryptoadm unload provider=blowfish

9. List the providers to see the result of the last command.

# cryptoadm list

user-level providers:
/usr/lib/security/$ISA/pkcs11_kernel.so
/usr/lib/security/$ISA/pkcs11_softtoken.so

kernel software providers:
des
aes
arcfour
blowfish (inactive)
sha1
md5
rsa

kernel hardware providers:

10. Now use the refresh option to restore the blowfish kernel provider and then repeat the previous listing.

# cryptoadm refresh
# cryptoadm list

user-level providers:
/usr/lib/security/$ISA/pkcs11_kernel.so
/usr/lib/security/$ISA/pkcs11_softtoken.so

kernel software providers:
des
aes
arcfour
blowfish
sha1
md5
rsa

kernel hardware providers:

11. The administrator might need to uninstall a kernel-level mechanism if site policy forbids the use of that mechanism, or for other reasons. The uninstall option removes a mechanism. First list the providers and mechanisms. You need the list of mechanisms for RSA to proceed. Cut and paste the output of the provider mechanism listing for the kernel provider rsa into a file or another shell window.

# cryptoadm list -m

user-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: no slots presented.
/usr/lib/security/$ISA/pkcs11_softtoken.so:
CKM_DES_CBC,CKM_DES_CBC_PAD,CKM_DES_ECB,CKM_DES_KEY_GEN,CKM_DES_MAC_GENERAL,CKM_DES_MAC,CKM_DES3_CBC,CKM_DES3_CBC_PAD,CKM_DES3_ECB,CKM_DES3_KEY_GEN,CKM_AES_CBC,CKM_AES_CBC_PAD,CKM_AES_ECB,CKM_AES_KEY_GEN,CKM_SHA_1,CKM_SHA_1_HMAC,CKM_SHA_1_HMAC_GENERAL,CKM_SSL3_SHA1_MAC,CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL,CKM_SSL3_MD5_MAC,CKM_RC4,CKM_RC4_KEY_GEN,CKM_DSA,CKM_DSA_SHA1,CKM_DSA_KEY_PAIR_GEN,CKM_RSA_PKCS,CKM_RSA_PKCS_KEY_PAIR_GEN,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS,CKM_DH_PKCS_KEY_PAIR_GEN,CKM_DH_PKCS_DERIVE,CKM_MD5_KEY_DERIVATION,CKM_SHA1_KEY_DERIVATION,CKM_PBE_SHA1_RC4_128,CKM_PKCS5_PBKD2,CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_TLS_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_TLS_MASTER_KEY_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_TLS_MASTER_KEY_DERIVE_DH,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_TLS_KEY_AND_MAC_DERIVE

kernel software providers:
==========================
des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
aes: CKM_AES_ECB,CKM_AES_CBC
arcfour: CKM_RC4
blowfish: CKM_BF_ECB,CKM_BF_CBC
sha1: CKM_SHA_1,CKM_SHA_1_HMAC,CKM_SHA_1_HMAC_GENERAL
md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
rsa: CKM_RSA_PKCS,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS

kernel hardware providers:
==========================

12. Use the uninstall option to remove RSA.

# cryptoadm uninstall provider=rsa

13. List the providers and note that RSA is no longer listed.

# cryptoadm list


user-level providers:
/usr/lib/security/$ISA/pkcs11_kernel.so
/usr/lib/security/$ISA/pkcs11_softtoken.so

kernel software providers:
des
aes
arcfour
blowfish
sha1
md5

kernel hardware providers:

14. To install the provider, use the install option. This command requires that you supply the mechanism operands. Use the install option to re-install RSA, adding the mechanism list, space delimited, that you saved in a previous step.

# cryptoadm install provider=rsa \
mechanism=CKM_RSA_PKCS CKM_RSA_X_509 \
CKM_MD5_RSA_PKCS CKM_SHA1_RSA_PKCS

15. Confirm the rsa provider is installed.

# cryptoadm list -p rsa
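Steps 11 through 15 have you copy a provider's mechanism list by hand, remove the provider, and paste the list back into the install command. The script below is an added example, not part of the Sun workbook: it extracts the mechanism list for one kernel software provider from captured `cryptoadm list -m` output, emits the space-delimited `mechanism=` operand in the form step 14 uses, and checks after the reinstall that the provider exposes the same mechanisms as before. The listing it parses is constructed from the lab output, not captured from a live system, and the script never calls `cryptoadm` itself.

```shell
#!/bin/sh
# Added example, not part of the Sun workbook: turn the comma-separated
# mechanism list that "cryptoadm list -m" prints for one kernel software
# provider into the space-delimited "mechanism=" operand that step 14
# passes to "cryptoadm install", and verify after the reinstall that
# nothing was lost. It only parses text and never runs cryptoadm.

# Constructed sample in the shape of the kernel section of
# "cryptoadm list -m" (trimmed from the step 11 listing; not a live capture).
SAMPLE_LISTING='kernel software providers:
==========================
des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
aes: CKM_AES_ECB,CKM_AES_CBC
rsa: CKM_RSA_PKCS,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS
kernel hardware providers:
=========================='

# mechanisms_for PROVIDER LISTING
# Prints the provider's mechanisms one per line; prints nothing if the
# provider is not in the listing.
mechanisms_for() {
    printf '%s\n' "$2" | awk -v p="$1:" '
        $1 == p { n = split($2, m, ","); for (i = 1; i <= n; i++) print m[i] }'
}

# install_operand PROVIDER LISTING
# Prints "mechanism=M1 M2 ..." (space delimited, as in step 14) and fails
# for an unknown provider, so a typo cannot produce an empty install.
install_operand() {
    mechs=$(mechanisms_for "$1" "$2" | tr '\n' ' ')
    mechs=${mechs% }
    [ -n "$mechs" ] || return 1
    printf 'mechanism=%s\n' "$mechs"
}

# reinstall_cmds PROVIDER LISTING
# Prints the uninstall/install pair to review before running it as root.
reinstall_cmds() {
    op=$(install_operand "$1" "$2") || return 1
    printf 'cryptoadm uninstall provider=%s\n' "$1"
    printf 'cryptoadm install provider=%s %s\n' "$1" "$op"
}

# same_mechs PROVIDER LISTING_BEFORE LISTING_AFTER
# Succeeds only if the provider exposes exactly the same mechanisms in
# both listings (order-insensitive). Feed it "cryptoadm list -m" output
# captured before the uninstall and again after the install.
same_mechs() {
    before=$(mechanisms_for "$1" "$2" | sort)
    after=$(mechanisms_for "$1" "$3" | sort)
    [ -n "$before" ] && [ "$before" = "$after" ]
}

reinstall_cmds rsa "$SAMPLE_LISTING"
```

On a real host, capture the listing once with `cryptoadm list -m > /var/tmp/mechs.before` before step 12, run the printed commands, capture again, and call `same_mechs rsa "$(cat /var/tmp/mechs.before)" "$(cat /var/tmp/mechs.after)"` so the check is a command exit status rather than a visual comparison.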

Task 3 – Configuring the Solaris IP Filter Firewall

The purpose of this lab is to configure the Solaris OS IP Filter and use the utilities included with it. Initially you configure a host-based firewall and use another system to test it. Eventually you add another system to examine NAT in Task 4.

1. Select a host to configure as the Solaris OS IP Filter. In the example, this is sys-02. You also need a host to test the filter. In the examples, this host is sys-04. Verify that you can run the ping and telnet commands from the test host to the filter host. Verify that you have network terminal server access to the filter host: you need console access because the first rule you load blocks all inbound traffic, including your own remote sessions.

sys-04# ping -s sys-02
PING sys-02: 56 data bytes
64 bytes from sys-02 (192.168.201.22): icmp_seq=0. time=1.13 ms
64 bytes from sys-02 (192.168.201.22): icmp_seq=1. time=0.405 ms
64 bytes from sys-02 (192.168.201.22): icmp_seq=2. time=0.358 ms
64 bytes from sys-02 (192.168.201.22): icmp_seq=3. time=0.396 ms
^C
----sys-02 PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (ms) min/avg/max/stddev = 0.358/0.573/1.13/0.37

sys-04# telnet sys-02
Trying 192.168.201.22...
Connected to sys-02.
Escape character is '^]'.
login: root
Password:
Last login: Wed Jul 14 16:14:58 from 192.168.201.1
Sun Microsystems Inc. SunOS 5.10 s10_57 May 2004
Welcome to Sol10_v120 on sys-02

sys-02# exit
Connection to sys-02 closed by foreign host.

sys-04#

From the gateway:

$ telnet nts-0
Trying 192.168.201.3...
Connected to nts-0.
Escape character is '^]'.
2
Attached to port 2

sys-02 console login: root
Password:
Last login: Wed Jul 14 17:25:59 on console
Jul 14 18:27:26 sys-03 login: ROOT LOGIN /dev/console
Sun Microsystems Inc. SunOS 5.10 s10_57 May 2004
Welcome to Sol10_v120 on sys-02

sys-02#

2. Log in to the IP Filter host on the console using the network terminal server. Configure a rule to disallow all inbound traffic.

sys-02# echo "block in all" > /etc/ipf/ipf.conf

3. Start a ping command with the -s option from the test host to the filter host.

sys-04# ping -s sys-02
PING sys-02: 56 data bytes
64 bytes from sys-02 (192.168.201.22): icmp_seq=7. time=1.15 ms
64 bytes from sys-02 (192.168.201.22): icmp_seq=8. time=0.487 ms
64 bytes from sys-02 (192.168.201.22): icmp_seq=9. time=0.485 ms
64 bytes from sys-02 (192.168.201.22): icmp_seq=10. time=0.460 ms
...

4. Set the TERM variable to vt100 and edit the /etc/ipf/pfil.ap file, removing the comment from the line for the interface type used on the filter host.

#eri1 -1 0 pfil

Is changed to:

eri1 -1 0 pfil

5. Execute the /etc/init.d/pfil script with the start option.

sys-02# /etc/init.d/pfil start

6. Use the ifconfig command to display the interfaces on the filter host. Note the IP address, then unplumb the interface. Now plumb the interface again, add the IP address, and set the interface to up. Unplumbing and replumbing is what pushes the pfil module onto the interface; until that happens, the rules you load have nothing to filter.

sys-02# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
eri0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
        inet 192.168.201.22 netmask ffffff00 broadcast 192.168.201.255
        ether 0:3:ba:68:44:d3
eri1: flags=1000862<BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 0.0.0.0 netmask 0 broadcast 255.255.255.255
        ether 0:3:ba:68:44:d3
sys-02# ifconfig eri0 unplumb
sys-02# ifconfig eri0 plumb
sys-02# ifconfig eri0 192.168.201.22 up

7. Use the /etc/init.d/ipfboot script to start the IP Filter.

sys-02# /etc/init.d/ipfboot start

8. Note that the ping command from the test host has not resumed. Use the ipfstat(1M) command to display the current inbound and outbound filters.

sys-02# ipfstat -io
empty list for ipfilter(out)
block in all

9. Use the ipf -D command to disable the filter.

10. Use the ipf -E command to re-enable the filter.

11. Use the ipf (1M) command to flush the current rule set.

sys-02# ipf -Fa


12. Check the filters again with the ipfstat command. In a few moments you should observe the ping command from the test host resume. You can stop the ping command after it resumes.

sys-02# ipfstat -io
empty list for ipfilter(out)
empty list for ipfilter(in)

13. Add a new rule to the /etc/ipf/ipf.conf file to allow ssh connections from anywhere to the filter host and keep state.

sys-02# echo "pass in quick on eri0 proto tcp from any to \
192.168.201.22/32 port = 22 keep state" >> /etc/ipf/ipf.conf

14. Add the rules to the kernel module and test by using secure shell from the test host to the filter host.

sys-02# ipf -Fa -f /etc/ipf/ipf.conf

Note – If sshd on the filter host is not configured to allow root logins, you must edit the /etc/ssh/sshd_config file and change PermitRootLogin from the default value no to yes, then restart the ssh service. This is acceptable for the lab only; on a production host, leave root logins disabled and connect as an unprivileged user.

sys-04# ssh sys-02
The authenticity of host 'sys-02 (192.168.201.22)' can't be established.
RSA key fingerprint is 8a:33:65:c8:70:3e:4d:79:a6:b6:e8:a4:6d:0f:00:ca.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'sys-02,192.168.201.22' (RSA) to the list of known hosts.
Password:
Last login: Wed Jul 14 19:51:09 2004 from sys-04
Sun Microsystems Inc. SunOS 5.10 s10_57 May 2004
Welcome to Sol10_v120 on sys-02

sys-02#

15. Use the ipmon(1M) command to examine the state information.

sys-02# ipmon -o S
14/07/2004 19:45:58.033602 STATE:NEW 192.168.201.25,32794 -> 192.168.201.22,22 PR tcp
14/07/2004 19:48:07.960067 STATE:CLOSE 192.168.201.25,32794 -> 192.168.201.22,22 PR tcp Forward: Pkts in 21 Bytes in 2136 Pkts out 2
14/07/2004 19:51:04.184549 STATE:NEW 192.168.201.25,32795 -> 192.168.201.22,22 PR tcp

16. On the test host, end the secure shell session and attempt to use the telnet command to connect to the filter host. Allow the attempt to continue.


sys-04# telnet sys-02
Trying 192.168.201.22...

17. On the filter host, use the ipfstat command to examine the blocked input packets. Execute the command two or three times and observe the increase in the number of blocked packets recorded.

sys-02# ipfstat -ihn
16 block in all
2 pass in quick on eri0 proto tcp from any to 192.168.201.22/32 port = ssh keep state

sys-02# ipfstat -ihn
17 @1 block in all
2 @2 pass in quick on eri0 proto tcp from any to 192.168.201.22/32 port = ssh keep state

18. Edit the /etc/syslog.conf file and add a line to log auth.info to the file /var/log/authlog. Stop and start syslog.

Add to /etc/syslog.conf (the selector and the action must be separated by a tab, not spaces, or syslogd ignores the line):

auth.info	/var/log/authlog

Then type:

sys-02# svcadm disable svc:/system/system-log
sys-02# svcadm enable svc:/system/system-log

19. The blocked packet count increased when you observed it with the ipfstat -ihn command because the filter drops packets silently, so the telnet client retransmits its connection request several times before giving up. You now edit the rule to log packets that are blocked and to send a packet with the RST flag set in response to telnet connections. The log keyword hands matching packets to ipmon, which writes them to syslog at the facility and level named in the rule.

20. Make the following edits to the block rule. Flush the rules and add the new rule set to the kernel module.

block in log level auth.info all

sys-02# ipf -Fa -f /etc/ipf/ipf.conf

21. Attempt to use the telnet command to connect from the test host to the filter, and apply the tail command to the /var/log/authlog file on the filter host.

sys-04# telnet sys-02
Trying 192.168.201.22...

sys-02# tail -f /var/log/authlog
Jul 14 20:41:11 sys-02 ipmon[677]: [ID 702911 auth.info] 20:41:10.953913 eri0 @0:1 b 192.168.201.25,32797 -> 192.168.201.22,23 PR tN
Jul 14 20:41:12 sys-02 ipmon[677]: [ID 702911 auth.info] 20:41:11.572757 eri0 @0:1 b 192.168.201.25,32797 -> 192.168.201.22,23 PR tN


22. On the filter host, use the ipmon command to examine the logs.

sys-02# ipmon -a
14/07/2004 20:46:17.033767 2x eri0 @0:1 b 192.168.201.25,32799 -> 192.168.201.22,23 PR tcp len 20 52 -S IN
14/07/2004 20:11:50.460075 STATE:CLOSE 192.168.201.25,32795 -> 192.168.201.22,22 PR tcp Forward: Pkts in 97 Bytes in 7160 Pkts out 2
14/07/2004 20:48:11.054146 eri0 @0:1 b 192.168.201.25,32799 -> 192.168.201.22,23 PR tcp len 20 52 -S IN

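Steps 17 and 21 through 22 both ask you to watch output by eye: the per-rule hit counters of `ipfstat -ihn` growing between runs, and the blocked-packet entries ipmon writes to /var/log/authlog. The script below is an added example, not part of the Sun workbook, that does both checks as functions: `rule_delta` compares two captures of `ipfstat -ihn` and reports the change per rule, and `blocked_summary` condenses the syslog entries into one line per source and destination port. The samples it runs on are constructed in the shape of the lab output, not captured from a live host, and nothing in it touches the kernel.

```shell
#!/bin/sh
# Added example, not part of the Sun workbook: two checks on IP Filter
# output from the lab. rule_delta compares two samples of "ipfstat -ihn"
# and reports how many packets each rule matched between them (step 17);
# blocked_summary condenses the "block in log" entries that ipmon writes
# to /var/log/authlog (steps 21 and 22) into one line per source and
# destination port. Both work on constructed text only.

# Constructed samples in the shape of "ipfstat -ihn" output: hit count,
# rule id, rule text. Not a live capture.
BEFORE='16 @0:1 block in log level auth.info all
2 @0:2 pass in quick on eri0 proto tcp from any to 192.168.201.22/32 port = ssh keep state'
AFTER='19 @0:1 block in log level auth.info all
2 @0:2 pass in quick on eri0 proto tcp from any to 192.168.201.22/32 port = ssh keep state'

# Constructed lines in the shape of the syslog entries from step 21
# (same facility tag and ipmon format). Not a live capture.
AUTHLOG='Jul 14 20:41:11 sys-02 ipmon[677]: [ID 702911 auth.info] 20:41:10.953913 eri0 @0:1 b 192.168.201.25,32797 -> 192.168.201.22,23 PR tcp len 20 52 -S IN
Jul 14 20:41:12 sys-02 ipmon[677]: [ID 702911 auth.info] 20:41:11.572757 eri0 @0:1 b 192.168.201.25,32797 -> 192.168.201.22,23 PR tcp len 20 52 -S IN
Jul 14 20:42:03 sys-02 ipmon[677]: [ID 702911 auth.info] 20:42:02.118841 eri0 @0:1 b 192.168.201.30,40120 -> 192.168.201.22,25 PR tcp len 20 52 -S IN'

# rule_delta BEFORE AFTER -> "<rule-id> <delta> <rule text>" for each rule
# present in both samples. A reload (ipf -Fa -f ...) resets the counters,
# so a negative delta means the rules were replaced between samples and
# the comparison is meaningless; it is reported rather than hidden.
rule_delta() {
    printf '%s\n' "$2" | awk -v before="$1" '
        BEGIN {
            n = split(before, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, " ")
                if (f[2] ~ /^@/) b[f[2]] = f[1]
            }
        }
        $2 ~ /^@/ && ($2 in b) {
            rule = $3
            for (i = 4; i <= NF; i++) rule = rule " " $i
            print $2, $1 - b[$2], rule
        }'
}

# grew BEFORE AFTER -> ids of rules whose hit count increased
grew() {
    rule_delta "$1" "$2" | awk '$2 > 0 { print $1 }'
}

# blocked_summary LOG -> "<count> <src-ip> -> <dst-ip>,<dst-port>",
# most frequent first. Only entries flagged "b" (blocked) are counted;
# "p" entries from a "pass ... log" rule are skipped.
blocked_summary() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i <= NF; i++) if ($i ~ /^@/) break
            if (i > NF || $(i + 1) != "b") next
            src = $(i + 2); sub(/,.*/, "", src)      # drop the ephemeral source port
            n[src " -> " $(i + 4)]++                 # keep destination ip,port
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

rule_delta "$BEFORE" "$AFTER"
blocked_summary "$AUTHLOG"
```

On the filter host, capture `ipfstat -ihn` into two variables a few seconds apart and pass them to `grew`; pipe `/var/log/authlog` through `blocked_summary` to see which source is generating the retransmissions that step 19 explains.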
23. Make the following edits to the /etc/ipf/ipf.conf file:

block in log level auth.info all
block return-rst in quick on eri0 proto tcp from any to 192.168.201.22/32 port = 23
pass in quick on eri0 proto tcp from any to 192.168.201.22/32 port = 22 keep state

24. Flush the existing rules and add the new set.

sys-02# ipf -Fa -f /etc/ipf/ipf.conf

25. Telnet from the test host to the filter host, and observe the results.

sys-04# telnet sys-02
Trying 192.168.201.22...
telnet: Unable to connect to remote host: Connection refused

26. In this step, you create a second rule set. It is added to the kernel as an inactive rule set. You switch between the active and inactive rule sets to test one and return to the other. Copy the /etc/ipf/ipf.conf file to the /etc/ipf/ipf2.conf file and append the following:

pass in quick on eri0 proto icmp from any to \
192.168.201.22 icmp-type echo keep state
pass in quick on eri0 proto icmp from any to \
192.168.201.22 icmp-type echorep keep state
pass in quick on eri0 proto icmp from any to \
192.168.201.22 icmp-type unreach code needfrag

These added rules allow Internet Control Message Protocol (ICMP) echo requests (ping) and echo replies, and allow ICMP messages indicating that a packet must be fragmented. The rules can be entered as three lines or with the line continuation. The ipf(1M) command accepts both.

27. Add the inactive rule set to the ipf kernel module:

sys-02# ipf -I -f /etc/ipf/ipf2.conf

28. List the current inbound rules using the ipfstat command.

sys-02# ipfstat -i


block in log level auth.info all
block return-rst in quick on eri0 proto tcp from any to 192.168.201.22/32 port = telnet
pass in quick on eri0 proto tcp from any to 192.168.201.22/32 port = ssh keep state

29. Now list the inactive rule set in the kernel. Use the same ipfstat command, but with the addition of the -I option:

sys-02# ipfstat -Ii
block in log level auth.info all
block return-rst in quick on eri0 proto tcp from any to 192.168.201.22/32 port = telnet
pass in quick on eri0 proto tcp from any to 192.168.201.22/32 port = ssh keep state
pass in quick on eri0 proto icmp from any to 192.168.201.22/32 icmp-type echo keep state
pass in quick on eri0 proto icmp from any to 192.168.201.22/32 icmp-type echorep keep state
pass in quick on eri0 proto icmp from any to 192.168.201.22/32 icmp-type unreach code 4

30. To switch between rule sets in the kernel, use the -s option to the ipf command:

sys-02# ipf -s
Set 1 now inactive

31. Test the new rules by sending a continuous ping to the filter host from the test host. On the filter host, use the ipf command to switch active rule sets while the ping command is executing.

sys-04# ping -s sys-02
PING sys-02: 56 data bytes
64 bytes from sys-02 (192.168.201.22): icmp_seq=0. time=1.33 ms
64 bytes from sys-02 (192.168.201.22): icmp_seq=1. time=0.542 ms
64 bytes from sys-02 (192.168.201.22): icmp_seq=2. time=0.516 ms
64 bytes from sys-02 (192.168.201.22): icmp_seq=3. time=0.629 ms

sys-02# ipf -s
Set 0 now inactive

The ping should stop.

32. To remove an inactive rule set from the kernel, use the ipf -IFa command.

sys-02# ipf -IFa


Task 4 – Configuring NAT in the Solaris OS IP Filter

1. To start this exercise, return the filter host to a known state by flushing the current rule set (ipf -Fa) and verifying with the ipfstat command.

sys-02# ipfstat -io
empty list for ipfilter(out)
empty list for ipfilter(in)

2. This exercise requires you to configure the second interface on the filter host and the test host. In the examples, 192.168.100 network addresses are used for these interfaces. Use the ifconfig(1M) command to plumb and configure the interfaces.

sys-02# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
eri0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
        inet 192.168.201.22 netmask ffffff00 broadcast 192.168.201.255
        ether 0:3:ba:68:44:d3

sys-02# ifconfig eri1 plumb
sys-02# ifconfig eri1 192.168.100.22 up
sys-02# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
eri0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
        inet 192.168.201.22 netmask ffffff00 broadcast 192.168.201.255
        ether 0:3:ba:68:44:d3
eri1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 6
        inet 192.168.100.22 netmask ffffff00 broadcast 192.168.100.255
        ether 0:3:ba:68:44:d3

Repeat for the test system with a unique IP address.

3. Verify that you can ping between the filter host and the test host.

sys-04# ping 192.168.100.22
192.168.100.22 is alive

4. Add the following NAT rule to the /etc/ipf/ipnat.conf file:

map eri0 192.168.100.0/24 -> 192.168.201.22/32

sys-02# echo "map eri0 192.168.100.0/24 -> 192.168.201.22/32" > \
/etc/ipf/ipnat.conf


Note – You might find it more convenient to enable the internal interface of a third host and use the telnet command to connect to the test host on the internal side. The next steps require that you unplumb the primary interface on the test host; if you use the nts, it can time out, forcing you to log in again.

5. Log in to the test host using the network terminal server (nts). You must disable the primary interface, flush the route table, and add a route to the internal interface of the NAT router (filter host).

$ telnet nts-0
Trying 192.168.201.3...
Connected to nts-0.
Escape character is '^]'.

Rotaries Defined: cli -

Enter Annex port name or number: 4Attached to port 4

sys-04#

sys-04# netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.201.0        192.168.201.25       U        1      0 eri0
192.168.100.0        192.168.100.25       U        1      1 eri1
default              192.168.201.1        UG       1      0
127.0.0.1            127.0.0.1            UH       4     83 lo0

sys-04# route -f
default 192.168.201.1 done

sys-04# ifconfig eri0 unplumb

sys-04# route -f
default 192.168.100.22 done

sys-04# netstat -rn
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.100.0        192.168.100.25       U        1      1 eri1
127.0.0.1            127.0.0.1            UH       4     83 lo0

sys-04# route add default 192.168.100.22
add net default: gateway 192.168.100.22

6. On the NAT router, you must enable and verify IP forwarding.

sys-02# routeadm -e ipv4-forwarding
sys-02# routeadm
              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
            IPv4 forwarding   enabled              disabled
               IPv4 routing   default (disabled)   disabled
            IPv6 forwarding   default (disabled)   disabled
               IPv6 routing   default (disabled)   disabled

sys-02# routeadm -u
sys-02# routeadm
              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
            IPv4 forwarding   enabled              enabled
               IPv4 routing   default (disabled)   disabled
            IPv6 forwarding   default (disabled)   disabled
               IPv6 routing   default (disabled)   disabled

sys-02# ndd -get /dev/ip ip_forwarding
1

7. From the test host, ping the outside network address of one of the systems in the pod. In this example, system three at 192.168.201.24 is used. Use the ping -s command to set up a continuous ping.

sys-04# ping -s 192.168.201.24

8. On the NAT router, use the snoop -r -d eri1 command to examine the ping traffic being received on the 192.168.100.22 interface. Note that the traffic originates from the test host's IP address and is destined for 192.168.201.24. Now stop the snoop command on the eri1 interface and execute the snoop -r -d eri0 192.168.201.24 command (in this case, the -d option is not necessary but is included for clarity). Note that the packets now appear to originate from the NAT router's IP address.

sys-02# snoop -r -d eri1
Using device /dev/eri (promiscuous mode)
192.168.100.25 -> 192.168.201.24 ICMP Echo request (ID: 1024 Sequence number: 310)
192.168.201.24 -> 192.168.100.25 ICMP Echo reply (ID: 1024 Sequence number: 310)
192.168.100.25 -> 192.168.201.24 ICMP Echo request (ID: 1024 Sequence number: 311)
192.168.201.24 -> 192.168.100.25 ICMP Echo reply (ID: 1024 Sequence number: 311)
192.168.100.25 -> 192.168.201.24 ICMP Echo request (ID: 1024 Sequence number: 312)

sys-02# snoop -r -d eri0 192.168.201.24
Using device /dev/eri (promiscuous mode)
192.168.201.22 -> 192.168.201.24 ICMP Echo request (ID: 1024 Sequence number: 586)
192.168.201.24 -> 192.168.201.22 ICMP Echo reply (ID: 1024 Sequence number: 586)
192.168.201.22 -> 192.168.201.24 ICMP Echo request (ID: 1024 Sequence number: 587)
192.168.201.24 -> 192.168.201.22 ICMP Echo reply (ID: 1024 Sequence number: 587)
192.168.201.22 -> 192.168.201.24 ICMP Echo request (ID: 1024 Sequence number: 588)
192.168.201.24 -> 192.168.201.22 ICMP Echo reply (ID: 1024 Sequence number: 588)

9. Next, you examine Port Address Translation (PAT). This requires that you use the snoop command on both interfaces of the NAT router. You must open three shells on that host, two for snoop commands and one for ipnat(1M) commands.

10. On the NAT router, edit the /etc/ipf/ipnat.conf file and change the current rule to the following:

map eri0 192.168.100.0/24 -> 192.168.201.22/32 \
    portmap tcp/udp 40000:50000

11. Flush the existing NAT rules and add the new rule.

sys-02# ipnat -C -f /etc/ipf/ipnat.conf
1 entries flushed from NAT list

12. In one shell on the NAT router, use the snoop -r -V -d eri1 192.168.100.25 command to examine inbound packets from the test host. In another shell, use the snoop -r -V -d eri0 192.168.201.24 command to examine the outbound packets destined for the target host. Substitute the correct IP addresses for your test and NAT hosts.


13. When both snoop commands are set up, use the telnet command to connect from the test host to the destination host. Examine the two snoop outputs and note that the source port is translated.

sys-02# snoop -r -V -d eri1 192.168.100.25
Using device /dev/eri (promiscuous mode)
...
________________________________
192.168.201.24 -> 192.168.100.25 ETHER Type=0800 (IP), size = 57 bytes
192.168.201.24 -> 192.168.100.25 IP D=192.168.100.25 S=192.168.201.24 LEN=43, ID=61832, TOS=0x0, TTL=59
192.168.201.24 -> 192.168.100.25 TCP D=32813 S=23 Push Ack=2637557725 Seq=3180665536 Len=3 Win=49640
192.168.201.24 -> 192.168.100.25 TELNET R port=32813
________________________________
192.168.100.25 -> 192.168.201.24 ETHER Type=0800 (IP), size = 60 bytes
192.168.100.25 -> 192.168.201.24 IP D=192.168.201.24 S=192.168.100.25 LEN=40, ID=7694, TOS=0x0, TTL=64
192.168.100.25 -> 192.168.201.24 TCP D=23 S=32813 Ack=3180665539 Seq=2637557725 Len=0 Win=49640
192.168.100.25 -> 192.168.201.24 TELNET C port=32813
---------------------------------------------------------
sys-02# snoop -r -V -d eri0 192.168.201.24
Using device /dev/eri (promiscuous mode)

...
192.168.201.24 -> 192.168.201.22 ETHER Type=0800 (IP), size = 60 bytes
192.168.201.24 -> 192.168.201.22 IP D=192.168.201.22 S=192.168.201.24 LEN=43, ID=61832, TOS=0x0, TTL=60
192.168.201.24 -> 192.168.201.22 TCP D=40000 S=23 Push Ack=2637557725 Seq=3180665536 Len=3 Win=49640
192.168.201.24 -> 192.168.201.22 TELNET R port=40000
________________________________
192.168.201.22 -> 192.168.201.24 ETHER Type=0800 (IP), size = 54 bytes
192.168.201.22 -> 192.168.201.24 IP D=192.168.201.24 S=192.168.201.22 LEN=40, ID=7694, TOS=0x0, TTL=63
192.168.201.22 -> 192.168.201.24 TCP D=23 S=40000 Ack=3180665539 Seq=2637557725 Len=0 Win=49640
192.168.201.22 -> 192.168.201.24 TELNET C port=40000

Note that the sequence numbers and IP IDs correspond: the router rewrote only the address and port, not the TCP payload.

14. The ipnat(1M) command lists the current mappings and active sessions. The active session portion of the output also shows the port mapping and is useful when troubleshooting one of many active sessions.


sys-02# ipnat -l
List of active MAP/Redirect filters:
map eri0 192.168.100.0/24 -> 192.168.201.22/32 portmap tcp/udp 40000:50000

List of active sessions:
MAP 192.168.100.25 32813 <- -> 192.168.201.22 40000 [192.168.201.24 23]

15. The ipmon(1M) command can also be used to monitor NAT information.

sys-02# ipmon -o N
15/07/2004 10:39:13.195560 @1 NAT:MAP 192.168.100.25,0 <- -> 192.168.201.22,0 [192.168.201.1,0]
15/07/2004 10:39:16.240059 @1 NAT:EXPIRE 192.168.100.25,0 <- -> 192.168.201.22,0 [192.168.201.1,0] Pkts 1 Bytes 1
15/07/2004 10:50:19.913343 @1 NAT:MAP 192.168.100.25,0 <- -> 192.168.201.22,0 [192.168.201.1,0]
15/07/2004 10:51:05.240071 @1 NAT:EXPIRE 192.168.100.25,0 <- -> 192.168.201.22,0 [192.168.201.1,0] Pkts 43 Bytes 43
15/07/2004 10:53:15.013707 @1 NAT:MAP 192.168.100.25,0 <- -> 192.168.201.22,0 [192.168.201.24,0]
15/07/2004 11:09:32.240084 @1 NAT:EXPIRE 192.168.100.25,0 <- -> 192.168.201.22,0 [192.168.201.24,0] Pkts 975 Bytes 975
15/07/2004 11:54:18.370069 @1 NAT:EXPIRE 192.168.100.25,32813 <- -> 192.168.201.22,40000 [192.168.201.24,23] Pkts 13 Bytes 15
15/07/2004 12:21:46.272127 @1 NAT:MAP 192.168.100.25,32814 <- -> 192.168.201.22,40001 [192.168.201.24,23]
...

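Step 14 says the session table is what you reach for when troubleshooting one of many active sessions. The usual trigger is an abuse report or IDS alert that names only the router's outside address and a port in the portmap range, and the question is which inside host owns it. The script below is an added example, not part of the Sun workbook: it parses the `ipnat -l` session lines in the format shown in step 14 and answers that question as a function call. The listing it parses is constructed, not captured from a live router.

```shell
#!/bin/sh
# Added example, not part of the Sun workbook: map a translated (outside)
# port in "ipnat -l" output back to the inside host and destination that
# own it, and count sessions per inside host. The listing is constructed
# in the format shown in step 14, not captured from a live router.
NAT_LISTING='List of active MAP/Redirect filters:
map eri0 192.168.100.0/24 -> 192.168.201.22/32 portmap tcp/udp 40000:50000

List of active sessions:
MAP 192.168.100.25 32813 <- -> 192.168.201.22 40000 [192.168.201.24 23]
MAP 192.168.100.25 32814 <- -> 192.168.201.22 40001 [192.168.201.24 23]
MAP 192.168.100.30 51002 <- -> 192.168.201.22 40002 [192.168.201.1 80]'

# sessions LISTING -> one line per MAP session:
#   <inside-ip> <inside-port> <outside-ip> <outside-port> <dest-ip> <dest-port>
# Field layout of a session line in the listing:
#   MAP in-ip in-port <- -> out-ip out-port [dest-ip dest-port]
sessions() {
    printf '%s\n' "$1" | awk '$1 == "MAP" {
        d = $8; sub(/^\[/, "", d)
        p = $9; sub(/\]$/, "", p)
        print $2, $3, $6, $7, d, p
    }'
}

# inside_for OUTSIDE_IP OUTSIDE_PORT LISTING
# Prints "<inside-ip> <inside-port> -> <dest-ip> <dest-port>" for the
# session using that translated port, or nothing if there is none (the
# session may already have expired; "ipmon -o N" keeps the history, as
# step 15 shows).
inside_for() {
    sessions "$3" | awk -v ip="$1" -v port="$2" \
        '$3 == ip && $4 == port { print $1, $2, "->", $5, $6 }'
}

# session_count INSIDE_IP LISTING -> number of active sessions for a host,
# a quick way to spot one inside host holding most of the portmap range.
session_count() {
    sessions "$2" | awk -v ip="$1" '$1 == ip { n++ } END { print n + 0 }'
}

inside_for 192.168.201.22 40001 "$NAT_LISTING"
session_count 192.168.100.25 "$NAT_LISTING"
```

On the router, run `inside_for 192.168.201.22 40001 "$(ipnat -l)"`; if it prints nothing, search the `NAT:EXPIRE` lines from `ipmon -o N` for the same outside port, since an expired mapping is no longer in the live table.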
Task 5 – Explore Solaris IP Filter Redirection NAT Rule

1. Log in to sys-01 and configure the eri1 interface with IP address 192.168.100.21.

sys-01# ifconfig eri1 plumb
sys-01# ifconfig eri1 192.168.100.21 up

2. On sys-02, flush the current NAT rules (the filter rules were already flushed at the start of Task 4).

sys-02# ipnat -C

3. On sys-01 verify network connectivity by pinging 192.168.100.22.

sys-01# ping 192.168.100.22
192.168.100.22 is alive

4. Log out of sys-01 and log in to sys-02, then log in to sys-01 from sys-02 using the 192.168.100.21 address.


sys-02# telnet 192.168.100.21
Trying 192.168.100.21...
Connected to 192.168.100.21.
Escape character is '^]'.
login: root
Password:
Last login: Mon Jul 26 09:56:31 from sys-02
Sun Microsystems Inc. SunOS 5.10 s10_62 May 2004
Welcome to Sol10_v120 on sys-01

sys-01#

5. Unplumb the eri0 interface on sys-01, flush the route table on sys-01, and add a default route to 192.168.100.22 (eri1 on sys-02).

sys-01# ifconfig eri0 unplumb
sys-01# route -f
sys-01# route add default 192.168.100.22

6. Log out of sys-01; you should now be on sys-02. Create a new /etc/ipf/ipnat.conf file containing a single rule:

rdr eri0 192.168.201.22/32 port 23 -> 192.168.100.21 port 23 tcp

This rule redirects TCP connections arriving on eri0 for port 23 of 192.168.201.22 (sys-02) to port 23 on 192.168.100.21 (eri1 of sys-01).

7. Add the rule to Solaris IP Filter.

sys-02# ipnat -f /etc/ipf/ipnat.conf

8. Log in to sys-04 and initiate a telnet session from sys-04 to sys-02. The connection is redirected and logs you in to sys-01; the banner is the only indication that you are not on sys-02.

sys-04# telnet sys-02
Trying 192.168.201.22...
Connected to sys-02.
Escape character is '^]'.
login: root
Password:
Last login: Mon Jul 26 09:33:32 from sys-04
Sun Microsystems Inc. SunOS 5.10 s10_62 May 2004
Welcome to Sol10_v120 on sys-01

sys-01#


Lab 10

Exercise 10: Using System Management Agent

Objective

In this exercise you will complete the following tasks:

● Starting and stopping System Management Agent (SMA)

● Starting SMA with debugging enabled

● Using the snmpconf (1M) script to build an SMA configuration file

● Adding User-based Security Model (USM) users

● Configuring the SMA applications

● Using the debugging options with SMA applications

● Building a View-based Access Control Model (VACM)

Preparation

No special preparation is required for this lab.

Task 1 – Starting and Stopping SMA

In this task you start, stop, and restart the agent and examine the /var/log/snmpd.log file. Complete the following steps:

1. Use the ps(1M) command to determine the running Simple Network Management Protocol (SNMP) daemons, if any.

What SNMP services are running?

Why?

2. Use the /etc/init.d/init.sma script to stop SMA.


3. Examine the running processes.

Did SMA stop?

4. Examine the /var/log/snmpd.log file contents.

5. Use the same script but pass the restart option to it.

Examine the running processes, did the agent start?

6. Examine the /var/log/snmpd.log file contents.

Task 2 – Starting the SMA with Debugging Enabled

In this task you examine debugging output that can assist you in troubleshooting.

1. Stop the SMA daemon.

2. Start the SMA daemon from the command line with the followingoption: -DALL

3. Examine the /var/log/snmpd.log file

What was the search path used for configuration files?

What tokens were read from the snmpd.conf file?

4. Use the init.sma script to stop the daemon.

Did it stop?

5. Start the agent again with the init.sma script and examine the logfile again.

Explain what happens to the log file at agent startup.

Task 3 – Using the snmpconf(1M) Script to Build an SMA Configuration File

You can edit the snmpd.conf file by hand. However, a simple-to-use application, snmpconf, can assist you with SMA configuration.

1. Add the /usr/sfw/bin directory to your PATH environment variable.

2. Use the snmpconf script to create a snmpd.conf file. Start the script with -I /var/tmp/ to save the new configuration file to the /var/tmp/ directory.


Create access control entries and add a read-write user called user1 with security auth. Create a read-only SNMP version 2 (SNMPv2) user called v2user for community public. Monitor the http daemon, with a maximum of five processes running and a minimum of zero processes running.

3. Examine the file that was created, and note the comments and thetokens added to the file.

4. Create a basic configuration file.

5. Create another configuration file using snmpconf . This time exploreall of the different menus and options.

Task 4 – Adding USM Users

In this task you create USM users. There are a number of ways you can add USM users. The net-snmp-config script with the --create-snmpv3-user option is the least complex procedure. You can also create users by adding tokens to the snmpd.conf file or by using the snmpusm application.

A USM user identifies an authorized user that may communicate with the SNMP engine. The user has an authentication type, Message-Digest algorithm 5 (MD5) or Secure Hash Algorithm (SHA). This type names the message digest algorithm used, keyed with a key derived from the user's authentication passphrase, to authenticate each message the user sends.

Note – The authentication passphrase must be at least eight characters long.

There is also a privacy passphrase, from which the key for Data Encryption Standard (DES) encryption is derived if the user security level requires encrypted traffic. The possible security levels are as follows:

● noAuthNoPriv – Identifies the user by name only; no message authentication and no encryption

● authNoPriv – Adds message authentication using the authentication passphrase

● authPriv – Adds encryption of the data stream using the privacy passphrase

1. Make a backup copy of the /etc/sma/snmp/snmpd.conf file.

2. Edit the /etc/sma/snmp/snmpd.conf file and add the following two lines at the bottom of the file:

rwuser initial
createUser initial MD5 password DES

This causes a user called initial to be created when the snmpd daemon reads the snmpd.conf file. This user has security level authNoPriv as the default level. The user's authorization passphrase is password, and the encryption key is also set to password.

3. Display the contents of the /var/sma_snmp/snmpd.conf file.

4. Restart the agent.

5. Display the contents of the /var/sma_snmp/snmpd.conf file again.

6. Test the initial user using the snmpget application.

7. Edit the /etc/sma/snmp/snmpd.conf file and remove the line starting with createUser.

8. Restart the agent.

9. Test the initial user using the snmpget application.

Is the entry required in the /etc/sma/snmp/snmpd.conf file after the user is created?

10. Clone the initial user with the snmpusm application.

11. Restart the agent.

12. Use the snmpusm application to clone the initial user.

13. Use the snmpusm application to change the new user's password.

14. Test the new user entry.

15. Examine the /var/sma_snmp/snmpd.conf file: is there a new entry?

Task 5 – Creating a User With the net-snmp-config Script Using the --create-snmpv3-user Option

1. Use the net-snmp-config script to create a user named user2. This user should have read-only access. Give the user a password and encryption passphrase of at least eight characters. If spaces are used in the encryption passphrase, you must quote the passphrase. Quotes are not required for the authentication passphrase. Run the net-snmp-config script with --help to see a usage statement. The agent must be stopped to use this script.

2. Examine the /var/sma_snmp/snmpd.conf and /etc/sma/snmp/snmpd.conf files.

3. Restart the agent.

4. Use the snmpget application to test the new user.

5. Edit the /etc/sma/snmp/snmpd.conf file and change the user2 entry from rouser user2 to rouser user2 authPriv.

6. Restart the agent.

7. Use DES encryption and security level authPriv to test the user.

8. Try the snmpget application without the DES key and with security level authNoPriv.

Task 6 – Configuring the SMA Applications

The /etc/sma/snmp/snmp.conf file is used to configure the applications included with SMA. Different directives can be set in the snmp.conf file to create or change the defaults for the common options that the SMA applications use.

These directives include the following:

● defVersion (1 | 2c | 3) – Defaults to 3 (-v 3)

● defCommunity string – Default is a null string (-c string)

● defSecurityName string (-u name)

● defContext string – The default is a null string (-n "")

● defAuthPassphrase string (-A string)

● defPrivPassphrase string (-X string)

● defAuthType MD5 | SHA (-a value)

● defPrivType DES – DES is the only option at this time (-x DES)

● defSecurityLevel noAuthNoPriv | authNoPriv | authPriv (-l value)

● dumpPacket (1 | yes | true | 0 | no | false)

● doDebugging (1 | 0)

● debugTokens token[,token ...] (-D token)

There are many more directives.

1. Edit the /etc/sma/snmp/snmp.conf file and add the directives required to make user1 the default user. When you finish, the following commands should work without additional options.

2. The options passed on the command line take precedence over directives in the snmp.conf file. Construct a snmpget command for sysLocation.0 using user2, and pass only the required options.

Task 7 – Using the Debugging Options With SMA Applications

In this task you configure debugging for SMA applications. Debugging can be done at the command line or set in the snmp.conf file. Application debugging output is directed to standard error (STDERR).

1. Execute the following command:

# snmpset -u user2 -A "this is a test" -x DES \
-X "this is a test" -l authPriv localhost \
sysLocation.0 s "Broomfield B7 Rack AA"

2. Execute the following command. This command includes a command line option to turn on application debugging. The token ALL returns debug information for all modules. The output is to standard error. The redirection at the end of the command writes the debugging data to a file.

# snmpget -D ALL localhost sysLocation.0 2> /var/tmp/error.out

3. Examine the contents of the /var/tmp/error.out file. Answer the following questions:

What path was used to find configuration files?

_____________________________________________________________

Where were the Management Information Base (MIB) text files located?

_____________________________________________________________

What is the object identifier (OID) of the sysLocation.0 variable?

_____________________________________________________________

What is the value of the defContext variable?

_____________________________________________________________

What port was used?

_____________________________________________________________

4. Add the following line to the snmp.conf file.

doDebugging 1

5. Execute the following command:

# snmptranslate -Td -IR -OS system.sysDescr

Debugging data dumps to screen (STDERR).

6. Now set the doDebugging line in the snmp.conf file to 0 and run the command from the previous step.

Task 8 – Building a VACM

In this task you create a VACM view and test it. You must create a user called user3. See “Task 4 – Adding USM Users” on page 3.

1. Create a user called user3, using the net-snmp-config command. The authentication passphrase and encryption passphrase should both be set. Test the new user.

2. Edit the snmpd.conf file and add the following line.

group my_group usm user3

3. Restart the agent.

4. Use the snmpwalk application to view the group entry.

5. Add the following line to the snmpd.conf file.

view my_view included .1.3.6.1.2.1.1 FF

6. Restart the agent.

# /etc/init.d/init.sma restart

7. Use the snmpwalk application to see the view table entry.

8. Add the following line to the snmpd.conf file.

Access my_group "" usm authPriv prefix my_view "" ""

9. Restart the agent.

10. Use the snmpwalk application to examine the access table.

11. Test the view with the user3 user and security level authPriv .

Exercise Summary

Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications

Exercise Solutions

Task 1 – Starting and Stopping SMA

In this task you start, stop, and restart the agent and examine the /var/log/snmpd.log file. Complete the following steps:

1. Use the ps(1M) command to determine the running Simple Network Management Protocol (SNMP) daemons, if any.

# ps -ef | grep snmp
/usr/lib/dmi/snmpXdmid
/usr/lib/snmp/snmpdx
/usr/sfw/sbin/snmpd

What SNMP services are running?

SMA (/usr/sfw/sbin/snmpd)

The Solstice Enterprise Agents™ software Distributed Management Interface (DMI) subagent (/usr/lib/dmi/snmpXdmid)

The Solstice Enterprise Agents software master agent (/usr/sfw/sbin/snmpd)

Why?

The Solstice Enterprise Agents software is configured and started at boot time on port 16161.

2. Use the /etc/init.d/init.sma script to stop SMA.

# /etc/init.d/init.sma stop

3. Examine the running processes.

# ps -ef | grep snmp

Did SMA stop?

Yes

4. Examine the /var/log/snmpd.log file contents.

# cat /var/log/snmpd.log
Received TERM or STOP signal... shutting down...

5. Use the same script but pass the restart option to it.

# /etc/init.d/init.sma restart

Examine the running processes. Did the agent start?

Yes

6. Examine the /var/log/snmpd.log file contents.

# cat /var/log/snmpd.log
NET-SNMP version 5.0.9

Task 2 – Starting the SMA with Debugging Enabled.

In this task you examine debugging output that can be used to assist you in the troubleshooting process.

1. Stop the SMA daemon.

# /etc/init.d/init.sma stop

2. Start the SMA daemon from the command line with the followingoption: -DALL

# /usr/sfw/sbin/snmpd -DALL

3. Examine the /var/log/snmpd.log file.

# more /var/log/snmpd.log
trace: default_store.c, 191
netsnmp_ds_set_boolean: Setting APP:1 = 0/False
...

What was the search path used for configuration files?

Search for the words config or path in the file:

read_config: config path used:/usr/sfw/etc/snmp:/etc/sma/snmp:/usr/sfw/lib/sparcv9/snmp://.snmp:/var/sma_snmp
trace: read_config.c, 646
read_config: /usr/sfw/etc/snmp/snmpd.conf: No such file or directory
trace: read_config.c, 646
read_config: /usr/sfw/etc/snmp/snmpd.local.conf: No such file or directory
trace: read_config.c, 665
read_config: Reading configuration /etc/sma/snmp/snmpd.conf

What tokens were read from the snmpd.conf file?

snmpd_register_app_config_handler: registering .conf token for "sysdescr"
trace: agent_read_config.c, 279
snmpd_register_app_config_handler: registering .conf token for "syslocation"
...

Use vi or more on the log file and search for the word token; compare the findings with the /etc/sma/snmp/snmpd.conf file.

4. Use the init.sma script to stop the daemon.

# /etc/init.d/init.sma stop

Did it stop?

Yes

5. Start the agent again with the init.sma script and examine the log file again.

# /etc/init.d/init.sma start
# cat /var/log/snmpd.log
NET-SNMP version 5.0.9

Explain what happens to the log file at agent startup.

The agent creates a new log file at start up.

Note – The agent can be started with the -L option. This sends output to STDERR instead of the /var/log/snmpd.log file. The -f option causes the process to not fork and to run in the foreground of the controlling shell.

Note – Tokens other than ALL are available for use with the -D option. They can be found by searching the source code tree for NET-SNMP. The source code tree is included in Solaris 10 OS package SUNWsmaS, which is not installed by default. The following command displays an example command line to search the source code for a list of available debug tokens:

# net-snmp-config --debug-tokens

Task 3 – Using the snmpconf(1M) Script to Build an SMA Configuration File

You can edit the snmpd.conf file by hand. However, a simple-to-use application, snmpconf, can assist you with SMA configuration.

1. Add the /usr/sfw/bin directory to your PATH environment variable.

Edit .profile or the proper startup file for the shell you are using, or change the PATH variable in the current shell.

2. Use the snmpconf script to create a snmpd.conf file. Start the script with -I /var/tmp/ to save the new configuration file to the /var/tmp/ directory.

# snmpconf -I /var/tmp/

Create access control entries and add a read-write user called user1 with security auth. Create a read-only SNMP version 2 (SNMPv2) user called v2user for community public. Monitor the http daemon, with a maximum of five processes running and a minimum of zero processes running.

a. Configure the system information.

b. Do not read in any existing configuration files.

c. Create a snmpd.conf file.

d. Select Access Control from the menu.

e. Create an SNMPv3 read-write user (called user1 ).

f. Level auth

g. OID null

h. Create an SNMPv2 read-only user (called v2user ).

i. Community public

j. Enter return for the next two fields.

k. Enter finished.

l. From the list, select Monitor Various Aspects...

m. Select Check process that should be running, enter httpd as the process, five for the maximum number of processes and zero for the minimum.

n. Enter finished.

o. Select System Information Setup.

p. Select each item and fill in the information requested.

q. Enter finished.

r. Enter finished.

s. Select a file name and save the file.

3. Examine the file that was created, and note the comments and thetokens added to the file.

4. Create a basic configuration file.

a. Run snmpconf -G to list the groups.

# snmpconf -G

Known GROUPs of tokens:

system_setup
basic_setup
monitoring_services
access_control
trapsinks

b. Create a basic setup using the snmpconf script.

# snmpconf -g basic_setup

5. Create another configuration file using the snmpconf script. This time, explore all of the different menus and options.

Task 4 – Adding USM Users

In this task you create USM users. There are a number of ways you can add USM users. The net-snmp-config script with the --create-snmpv3-user option is the least complex procedure. You can also create users by adding tokens to the snmpd.conf file or by using the snmpusm application.

The USM user identifies an authorized user to communicate with the SNMP engine. The user has an authentication type, Message-Digest algorithm 5 (MD5) or Secure Hash Algorithm (SHA). This type describes the message digest algorithm that is used to verify the authentication passphrase that the user supplies.

Note – The authentication passphrase must be at least eight characters long.

There is also a passphrase used as a key for Data Encryption Standard (DES) encryption if the user security level requires encrypted traffic. The possible security levels are as follows:

● noAuthNoPriv – Checks the user identity

● authNoPriv – Adds the password check

● authPriv – Adds encryption to the data stream

1. Make a backup copy of the /etc/sma/snmp/snmpd.conf file.

# cp /etc/sma/snmp/snmpd.conf /etc/sma/snmp/snmpd.conf.orig

2. Edit the /etc/sma/snmp/snmpd.conf file and add the following two lines at the bottom of the file:

rwuser initial
createUser initial MD5 password DES

This causes a user called initial to be created when the snmpd daemon reads the snmpd.conf file. This user has security level authNoPriv as the default level. The user's authorization passphrase is password, and the encryption key is also set to password.

3. Display the contents of the /var/sma_snmp/snmpd.conf file.

# cat /var/sma_snmp/snmpd.conf
engineBoots 4
oldEngineID 0x800007e5806944dde60000000040ab809b

This is the persistent data file where USM stores passwords and encryption keys. Note that the contents are a hexadecimal number representing the SNMP engine ID and a token for the number of times the engine has been booted.

4. Restart the agent.

# /etc/init.d/init.sma restart

5. Display the contents of the /var/sma_snmp/snmpd.conf file again.

Note the new line. This is how the user's password and encryption keys are stored.

usmUser 1 3 0x800007e5806944dde60000000040ab809b 0x726561646f6e6c7900 0x726561646f6e6c7900 NULL .1.3.6.1.6.3.10.1.1.2 0x4cf5a5374af91349cb9a3a55f6afafb9 .1.3.6.1.6.3.10.1.2.2 0x4cf5a5374af91349cb9a3a55f6afafb9 0x00
engineBoots 5
oldEngineID 0x800007e5806944dde60000000040ab809b

6. Test the initial user using the snmpget application.

# snmpget -v3 -u initial -l authNoPriv \
-a MD5 -A password localhost sysUpTime.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1140349) 3:10:03.49

7. Edit the /etc/sma/snmp/snmpd.conf file and remove the line starting with createUser.

8. Restart the agent.

# /etc/init.d/init.sma restart

9. Test the initial user using the snmpget application.

# snmpget -v3 -u initial -l authNoPriv \
-a MD5 -A password localhost sysUpTime.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1140349) 3:10:03.49

Is the entry required in the /etc/sma/snmp/snmpd.conf file after the user is created?

No
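The persistent file shows why the answer is No: the agent keeps only the keys derived from the passphrase and localized to its own engine ID, never the passphrase itself. The following Python, an added example that is not part of the Sun workbook or of net-snmp, reproduces the RFC 3414 password-to-key and key-localization steps that produce the hex keys on a usmUser line; the engine ID at the bottom is the one from the oldEngineID line above and the passphrase is the one from the createUser line, while the key it prints is computed here, not copied from the page.

```python
"""RFC 3414 USM key derivation: how the keys on a usmUser line are produced.

Added example, not part of the Sun workbook or of net-snmp: the agent never
stores the passphrase itself, only the key localized to its own engine ID.
"""
import hashlib

EXPANSION_LEN = 1048576      # passphrase expansion length fixed by RFC 3414 A.2
MIN_PASSPHRASE_LEN = 8       # the workbook's note: at least eight characters
HASHES = {"MD5": "md5", "SHA": "sha1"}   # net-snmp names -> hashlib names


def password_to_key(passphrase: bytes, auth: str) -> bytes:
    """Ku: hash of the passphrase repeated out to 1,048,576 bytes (RFC 3414 A.2)."""
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        raise ValueError("authentication passphrase must be at least 8 characters")
    reps = EXPANSION_LEN // len(passphrase) + 1
    return hashlib.new(HASHES[auth], (passphrase * reps)[:EXPANSION_LEN]).digest()


def localize_key(ku: bytes, engine_id: bytes, auth: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key is bound to one agent."""
    return hashlib.new(HASHES[auth], ku + engine_id + ku).digest()


def parse_engine_id(token: str) -> bytes:
    """Accept the 0x... spelling used by oldEngineID and usmUser lines."""
    return bytes.fromhex(token[2:] if token.lower().startswith("0x") else token)


def usm_localized_key(passphrase: str, engine_id_hex: str, auth: str = "MD5") -> str:
    """Localized key in the 0x... form that appears on a usmUser line."""
    ku = password_to_key(passphrase.encode(), auth)
    return "0x" + localize_key(ku, parse_engine_id(engine_id_hex), auth).hex()


if __name__ == "__main__":
    # Engine ID copied from the workbook's oldEngineID line and the passphrase
    # from its createUser line; the key printed is computed here, not copied.
    print(usm_localized_key("password", "0x800007e5806944dde60000000040ab809b", "MD5"))
```

Because Kul depends on the engine ID, the same passphrase yields a different stored key on every agent, and a key copied from one agent's persistent file does not authenticate against another.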

This user can be cloned using the snmpusm application. The clone user has the same passphrase and key as the original user, so it should be changed. A user can be cloned once. After the clone is created, the user must be removed and re-entered to be cloned again.

10. Clone the initial user with the snmpusm application.

Add a new line in the /etc/sma/snmp/snmpd.conf file:

rwuser user1

11. Restart the agent.

# /etc/init.d/init.sma restart

12. Use the snmpusm application to clone the initial user.

# snmpusm -v3 -u initial -l authNoPriv \
-a MD5 -A password localhost create user1 initial

13. Use the snmpusm application to change the new user's password.

# snmpusm -v3 -u initial -l authNoPriv \
-a MD5 -A password localhost passwd password 12345678

14. Test the new user entry.

# snmpget -v3 -u user1 -l authNoPriv \
-a MD5 -A 12345678 localhost sysUpTime.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1140349) 3:10:03.49

15. Examine the /var/sma_snmp/snmpd.conf file: is there a new entry?

Yes

Task 5 – Creating a User With the net-snmp-config Script Using the --create-snmpv3-user Option

1. Use the net-snmp-config script to create a user named user2. This user should have read-only access. Give the user a password and encryption passphrase of at least eight characters. If spaces are used in the encryption passphrase, you must quote the passphrase. Quotes are not required for the authentication passphrase. Run the net-snmp-config script with --help to see a usage statement. The agent must be stopped to use this script.

# net-snmp-config --help
...
SNMP Setup commands:
  --create-snmpv3-user [-ro] [-a authpass] [-x privpass] [-X DES] [-A MD5|SHA] [username]
...
# net-snmp-config --create-snmpv3-user -ro
Enter a SNMPv3 user name to create:
user2
Enter authentication pass-phrase:
this is a test
Enter encryption pass-phrase:
  [press return to reuse the authentication pass-phrase]
"this is a test"
adding the following line to /var/sma_snmp/snmpd.conf:
   createUser user2 MD5 "this is a test" DES "this is a test"
adding the following line to /etc/sma/snmp/snmpd.conf:
   rouser user2

2. Examine the /var/sma_snmp/snmpd.conf and /etc/sma/snmp/snmpd.conf files.

createUser user2 MD5 "this is a test" DES "this is a test"
rouser user2

3. Restart the agent.

# /etc/init.d/init.sma restart

4. Use the snmpget application to test the new user.

# snmpget -v3 -u user2 -l authNoPriv \
-a MD5 -A "this is a test" localhost sysUpTime.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1140349) 3:10:03.49

5. Edit the /etc/sma/snmp/snmpd.conf file and change the user2 entry from rouser user2 to rouser user2 authPriv.

6. Restart the agent.

# /etc/init.d/init.sma restart

7. Use DES encryption and security level authPriv to test the user.

# snmpget -v3 -u user2 -l authPriv \
-a MD5 -A "this is a test" -x DES \
-X "this is a test" localhost sysUpTime.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1140349) 3:10:03.49

8. Try the snmpget application without the DES key and with security level authNoPriv.

# snmpget -v3 -u user2 -l authNoPriv \
-a MD5 -A "this is a test" localhost sysUpTime.0
Error in packet
Reason: authorizationError (access denied to that object)

Task 6 – Configuring the SMA Applications

The /etc/sma/snmp/snmp.conf file is used to configure the applications included with SMA. Different directives can be set in the snmp.conf file to create or change the defaults for the common options that the SMA applications use.

These directives include the following:

● defVersion (1 | 2c | 3) – Defaults to 3 (-v 3)

● defCommunity string – Default is a null string (-c string)

● defSecurityName string (-u name)

● defContext string – The default is a null string (-n "")

● defAuthPassphrase string (-A string)

● defPrivPassphrase string (-X string)

● defAuthType MD5 | SHA (-a value)

● defPrivType DES – DES is the only option at this time (-x DES)

● defSecurityLevel noAuthNoPriv | authNoPriv | authPriv (-l value)

● dumpPacket (1 | yes | true | 0 | no | false)

● doDebugging (1 | 0)

● debugTokens token[,token ...] (-D token)

There are many more directives.

1. Edit the /etc/sma/snmp/snmp.conf file and add the directives required to make user1 the default user. When you finish, the following commands should work without additional options.

# snmpget localhost system.sysDescr.0
# snmpwalk localhost system

Contents of the snmp.conf file:

defVersion 3
defSecurityName user1
defPassphrase 12345678
defAuthType MD5
defSecurityLevel authNoPriv

2. The options passed on the command line take precedence over directives in the snmp.conf file. Construct a snmpget command for sysLocation.0 using user2, and pass only the required options.

# snmpget -u user2 -A "this is a test" -x DES \
-X "this is a test" -l authPriv localhost sysLocation.0
SNMPv2-MIB::sysLocation.0 = STRING: "System administrators office"

Task 7 – Using the Debugging Options With SMA Applications

In this task you configure debugging for SMA applications. Debugging can be done at the command line or set in the snmp.conf file. Application debugging output is directed to standard error (STDERR).

1. Execute the following command:

# snmpset -u user2 -A "this is a test" -x DES \
-X "this is a test" -l authPriv localhost \
sysLocation.0 s "Broomfield B7 Rack AA"
Error in packet.
Reason: notWritable (that object does not support modification)

The output of this command is to STDERR. The reason it failed is that the object is set in the snmpd.conf file. If the line in the snmpd.conf file that sets syslocation is commented out, this command works.

2. Execute the following command. This command includes a command line option to turn on application debugging. The token ALL returns debug information for all modules. The output is to standard error. The redirection at the end of the command writes the debugging data to a file.

# snmpget -D ALL localhost sysLocation.0 2> /var/tmp/error.out
SNMPv2-MIB::sysLocation.0 = STRING: "System administrators office"

3. Examine the contents of the /var/tmp/error.out file. Answer the following questions:

What path was used to find configuration files?

read_config: config path used:/usr/sfw/etc/snmp:/etc/sma/snmp:/usr/sfw/lib/snmp://.snmp:/var/sma_snmp

Where were the MIB text files located?

/etc/sma/snmp/mibs

What is the OID of the sysLocation.0 variable?

ObjID: SNMPv2-MIB::sysLocation.0

What is the value of the defContext variable?

defContext ""

What port was used?

AF_INET, 127.0.0.1:161

Note – Tokens other than ALL are available for use with the -D option. They can be found by searching the source code tree for NET-SNMP. The source code tree is included in Solaris 10 package SUNWsmaS, which is not installed by default. The following command displays an example command line to search the source code for a list of available debug tokens:

# net-snmp-config --debug-tokens

4. Add the following line to the snmp.conf file.

doDebugging 1

5. Execute the following command:

# snmptranslate -Td -IR -OS system.sysDescr

Debugging data dumps to screen (STDERR).

6. Now set the doDebugging line in the snmp.conf file to 0 and run the command from the previous step.

doDebugging 0

SNMPv2-MIB::sysDescr
sysDescr OBJECT-TYPE
  -- FROM       SNMPv2-MIB, RFC1213-MIB
  -- TEXTUAL CONVENTION DisplayString
  SYNTAX        OCTET STRING (0..255)
  DISPLAY-HINT  "255a"
  MAX-ACCESS    read-only
  STATUS        current
  DESCRIPTION   "A textual description of the entity. This value
            should include the full name and version
            identification of the system's hardware type,
            software operating-system, and networking
            software."
::= { iso(1) org(3) dod(6) internet(1) mgmt(2) mib-2(1) system(1) 1 }

Task 8 – Building a VACM

In this task you create a VACM view and test it. You must create a user called user3. See the “Task 4 – Adding USM Users” section of this document.

1. Create a user called user3, using the net-snmp-config command. The authentication passphrase and encryption passphrase should both be set. Test the new user.

# net-snmp-config --create-snmpv3-user
Enter a SNMPv3 user name to create:
user3
Enter authentication pass-phrase:
this is a test
Enter encryption pass-phrase:
  [press return to reuse the authentication pass-phrase]
"this is a test"
adding the following line to /var/sma_snmp/snmpd.conf:
   createUser user3 MD5 "this is a test" DES "this is a test"
adding the following line to /etc/sma/snmp/snmpd.conf:
   rwuser user3
# snmpget -u user3 -A "this is a test" \
-l authNoPriv localhost sysLocation.0

2. Edit the snmpd.conf file and add the following line.

group my_group usm user3

3. Restart the agent.

# /etc/init.d/init.sma restart

4. Use the snmpwalk application to view the group entry.

# snmpwalk -v3 -u user1 -l authNoPriv -a MD5 -A 12345678 localhost \
SNMP-VIEW-BASED-ACM-MIB::vacmGroupName

Look for the entries for my_group.

SNMP-VIEW-BASED-ACM-MIB::vacmGroupName.3."user3" = STRING: my_group

5. Add the following line to the snmpd.conf file.

view my_view included .1.3.6.1.2.1.1 FF

6. Restart the agent.

# /etc/init.d/init.sma restart

7. Use the snmpwalk application to see the view table entry.

# snmpwalk -v 3 -u user1 -l authNoPriv -a MD5 -A 12345678 localhost \
SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyTable

Look for the entries that include my_view .

SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyMask."my_view".7.1.3.6.1.2.1.1 = Hex-STRING: FF
SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyType."my_view".7.1.3.6.1.2.1.1 = INTEGER: included(1)
SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyStorageType."my_view".7.1.3.6.1.2.1.1 = INTEGER: permanent(4)

SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyStatus."my_view".7.1.3.6.1.2.1.1 = INTEGER: active(1)

8. Add the following line to the snmpd.conf file.

Access my_group "" usm authPriv prefix my_view "" ""

9. Restart the agent.

10. Use the snmpwalk application to examine the access table.

# snmpwalk -v 3 -u user1 -l authNoPriv -a MD5 -A 12345678 localhost \
SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable
SNMP-VIEW-BASED-ACM-MIB::vacmAccessContextMatch."my_group"."".3.authPriv = INTEGER: prefix(2)
SNMP-VIEW-BASED-ACM-MIB::vacmAccessReadViewName."my_group"."".3.authPriv = STRING: my_view
SNMP-VIEW-BASED-ACM-MIB::vacmAccessStatus."my_group"."".3.authPriv = INTEGER: active(1)

11. Test the view with user3 and security level authPriv.

# snmpget -v 3 -u user3 -l authPriv -a MD5 -A 12345678 \
-x DES -X 12345678 localhost sysObjectID.0
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.0
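The decisions seen in the lab (user3 at authPriv allowed here, user2 at authNoPriv refused with authorizationError in Task 5 step 8) follow from the group, access and view lookup the agent performs under RFC 3415. The following Python is an added example, not part of the Sun workbook or of net-snmp: it parses the group, view, access, rouser and rwuser lines added in Tasks 4, 5 and 8 and answers the same access questions offline. The constructed configuration leaves out the rwuser user3 line that net-snmp-config wrote, so that only the my_group entries decide for user3, and the group and view names used for the rouser/rwuser shortcut are this example's own.

```python
"""Minimal VACM (RFC 3415) decision engine for net-snmp snmpd.conf tokens.
Added example, not the workbook's or net-snmp's code."""
import shlex

LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}
# Short level spellings net-snmp accepts on rouser/rwuser lines
LEVEL_ALIASES = {"noauth": "noAuthNoPriv", "auth": "authNoPriv", "priv": "authPriv"}


def _oid(text):
    return tuple(int(p) for p in text.strip(".").split("."))   # '.1.3.6' -> (1, 3, 6)


def _mask_bits(mask_hex, length):
    """One flag per subtree sub-identifier from a mask such as 'FF';
    bits past the end of the mask count as set, as in net-snmp."""
    bits = [bool(b & (0x80 >> i)) for b in bytes.fromhex(mask_hex) for i in range(8)]
    return [bits[i] if i < len(bits) else True for i in range(length)]


class Vacm:
    def __init__(self, conf_text):
        self.groups = {}   # (securityModel, securityName) -> groupName
        self.views = {}    # viewName -> [(subtree, maskbits, included)]
        self.access = []   # (group, context, model, level, prefix?, read, write)
        for line in map(str.strip, conf_text.splitlines()):
            if not line or line.startswith("#"):
                continue
            tok = shlex.split(line)   # keeps "" as an empty field
            kind = tok[0].lower()     # config tokens are case-insensitive
            if kind == "group":
                self.groups[(tok[2], tok[3])] = tok[1]
            elif kind == "view":
                subtree = _oid(tok[3])
                mask = _mask_bits(tok[4] if len(tok) > 4 else "", len(subtree))
                self.views.setdefault(tok[1], []).append(
                    (subtree, mask, tok[2] == "included"))
            elif kind == "access":
                self.access.append((tok[1], tok[2], tok[3], tok[4],
                                    tok[5] == "prefix", tok[6], tok[7]))
            elif kind in ("rouser", "rwuser"):
                # Shortcut: per-user group and whole-tree view (names are this
                # example's own) with a minimum level that defaults to auth
                level = LEVEL_ALIASES.get(tok[2], tok[2]) if len(tok) > 2 else "authNoPriv"
                grp, view = "grp_" + tok[1], "view_" + tok[1]
                self.groups[("usm", tok[1])] = grp
                self.views[view] = [((1,), [True], True)]
                self.access.append((grp, "", "usm", level, False, view,
                                    view if kind == "rwuser" else ""))

    def _in_view(self, view, oid):
        """The longest matching family decides; 'included' grants access."""
        best = None
        for subtree, mask, included in self.views.get(view, []):
            if len(oid) >= len(subtree) and all(
                    not m or o == s for o, s, m in zip(oid, subtree, mask)):
                if best is None or len(subtree) > len(best[0]):
                    best = (subtree, included)
        return best is not None and best[1]

    def allowed(self, secname, level, oid_text, write=False, model="usm", context=""):
        """RFC 3415 isAccessAllowed for one request."""
        grp = self.groups.get((model, secname))
        if grp is None:
            return False
        hits = [a for a in self.access
                if a[0] == grp and a[2] == model and LEVELS[a[3]] <= LEVELS[level]
                and (context.startswith(a[1]) if a[4] else context == a[1])]
        if not hits:
            return False   # the agent reports this as authorizationError
        entry = max(hits, key=lambda a: LEVELS[a[3]])   # most specific match
        view = entry[6] if write else entry[5]
        return bool(view) and self._in_view(view, _oid(oid_text))


# Constructed configuration: the lines the lab adds in Tasks 4, 5 and 8
LAB_CONF = """rwuser user1
rouser user2 authPriv
group my_group usm user3
view my_view included .1.3.6.1.2.1.1 FF
Access my_group "" usm authPriv prefix my_view "" ""
"""


def lab_decisions():
    v = Vacm(LAB_CONF)
    sys_object_id, sys_location = ".1.3.6.1.2.1.1.2.0", ".1.3.6.1.2.1.1.6.0"
    return {
        "user3 authPriv reads sysObjectID.0": v.allowed("user3", "authPriv", sys_object_id),
        "user3 authNoPriv reads sysObjectID.0": v.allowed("user3", "authNoPriv", sys_object_id),
        "user3 authPriv reads ifTable": v.allowed("user3", "authPriv", ".1.3.6.1.2.1.2.2"),
        "user3 authPriv writes sysLocation.0": v.allowed("user3", "authPriv", sys_location, True),
        "user2 authNoPriv reads sysUpTime.0": v.allowed("user2", "authNoPriv", ".1.3.6.1.2.1.1.3.0"),
        "user2 authPriv reads sysUpTime.0": v.allowed("user2", "authPriv", ".1.3.6.1.2.1.1.3.0"),
    }
```

The two extra queries (ifTable and a write to sysLocation.0) show what the my_view and the empty write view deny even at authPriv, which is the least-privilege effect of the Task 8 entries.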
