Sun Microsystems, Inc. UBRM05-104 500 Eldorado Blvd. Broomfield, CO 80021 U.S.A. Revision A
Copyright 2004 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved. This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any. Third-party software, including font technology, is copyrighted and licensed from Sun suppliers. Sun, Sun Microsystems, the Sun logo, Solaris, and OpenBoot, are trademarks or registered trademarks of Sun Microsystems, Inc., in the U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc., in the U.S. and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc. UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd. Federal Acquisitions: Commercial Software Government Users Subject to Standard License Terms and Conditions Export Laws. Products, Services, and technical data delivered by Sun may be subject to U.S. export controls or the trade laws of other countries. You will comply with all such laws and obtain all licenses to export, re-export, or import as may be required after delivery to You. You will not export or re-export to entities on the most current U.S. export exclusions lists or to any country subject to U.S. embargo or terrorist controls as specified in the U.S. export laws. You will not use or provide Products, Services, or technical data for nuclear, missile, or chemical biological weaponry end uses. 
DOCUMENTATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. THIS MANUAL IS DESIGNED TO SUPPORT AN INSTRUCTOR-LED TRAINING (ILT) COURSE AND IS INTENDED TO BE USED FOR REFERENCE PURPOSES IN CONJUNCTION WITH THE ILT COURSE. THE MANUAL IS NOT A STANDALONE TRAINING TOOL. USE OF THE MANUAL FOR SELF-STUDY WITHOUT CLASS ATTENDANCE IS NOT RECOMMENDED. Export Control Classification Number (ECCN) assigned: September 10, 2004
Copyright 2004 Sun Microsystems Inc., 901 San Antonio Road, Palo Alto, California 94303, United States. All rights reserved. This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form, by any means, without the prior written authorization of Sun and its licensors, if any. Third-party software, including font technology, is copyrighted and licensed from Sun suppliers. Sun, Sun Microsystems, the Sun logo, Solaris, and OpenBoot are trademarks or registered trademarks of Sun Microsystems, Inc., in the United States and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc., in the United States and other countries. Products bearing SPARC trademarks are based on an architecture developed by Sun Microsystems, Inc. UNIX is a registered trademark in the United States and other countries, exclusively licensed through X/Open Company, Ltd. Export laws. Products, Services, and technical data delivered by Sun may be subject to U.S. export controls or the trade laws of other countries. You will comply with all such laws and obtain all export, re-export, or import licenses that may be required after delivery to You. You will not export or re-export to entities on the most current U.S. export exclusion lists, or to any country subject to U.S. embargo or anti-terrorism controls, as provided by U.S. export laws.
You will not use or provide the Products, Services, or technical data for any end use related to nuclear, chemical, or biological weapons or missiles. DOCUMENTATION IS PROVIDED "AS IS" AND ALL OTHER EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES ARE EXPRESSLY DISCLAIMED, TO THE EXTENT PERMITTED BY APPLICABLE LAW, INCLUDING IN PARTICULAR ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. THIS REFERENCE MANUAL IS TO BE USED AS PART OF AN INSTRUCTOR-LED TRAINING (ILT) COURSE. IT IS NOT A STANDALONE TRAINING TOOL. WE ADVISE AGAINST USING IT FOR SELF-STUDY.
Table of Contents

About This Workbook ... Preface-i
    Course Goals ... Preface-i
    Conventions ... Preface-ii
        Typographical Conventions ... Preface-ii

Section I: Solaris 10 Operating System Installation ... I-1
    Objectives ... I-1
    Exercise 1: Configuring a Software Installation Using the WAN Boot Procedure ... 1-1
        Objectives ... 1-1
        Preparation ... 1-1
        Task 1 - Creating a Flash Archive ... 1-2
        Task 2 - Configuring the Apache Web Server ... 1-3
        Task 3 - Web-Install a Signed Patch ... 1-3
        Task 4 - Configuring the WAN Boot and JumpStart Files ... 1-3
        Task 5 - Configuring the WAN Boot Client ... 1-4
        Exercise Summary ... 1-5
        Exercise Solutions ... 1-6
            Task 1 - Creating a Flash Archive ... 1-6
            Task 2 - Configuring the Apache Web Server ... 1-6
            Task 3 - Web-Install a Signed Patch ... 1-7
            Task 4 - Configuring the WAN Boot and JumpStart Files ... 1-7
            Task 5 - Configuring the WAN Boot Client ... 1-10

Section II: Solaris 10 System Management ... II-1
    Objectives ... II-1
    Exercise 2: Zones ... 2-1
        Preparation ... 2-1
        Task 1 - Creating Zones ... 2-2
        Task 2 - Configuring Resource Pools ... 2-3
        Task 3 - Configuring CPU Fair Share Scheduling (FSS) ... 2-4
        Task 4 - Capping Physical Memory Resource ... 2-5
        Task 5 - Removing Zones ... 2-5
        Exercise Summary ... 2-6
        Exercise Solutions ... 2-7
            Preparation ... 2-7
            Task 1 - Creating Zones ... 2-7
            Task 2 - Configuring Resource Pools ... 2-10
            Task 3 - Configuring CPU Fair Share Scheduling (FSS) ... 2-12
            Task 4 - Capping Physical Memory Resource ... 2-12
            Task 5 - Removing Zones ... 2-13
    Exercise 3: Authentication Changes ... 3-1
        Preparation ... 3-1
        Task 1 - Identify Changes to Password Checking ... 3-1
        Task 2 - Configure Least Privilege ... 3-2
        Task 3 - Identify Changes to Kerberos ... 3-2
        Task 4 - Identify Changes to Sun Java System Web Server Reserved UID/GID ... 3-2
        Task 5 - Identify Changes to nobody Account Usage ... 3-2
        Exercise Summary ... 3-3
        Exercise Solutions ... 3-4
            Task 1 - Identify Changes to Password Checking ... 3-4
            Task 2 - Configure Least Privilege ... 3-5
            Task 3 - Identify Changes to Kerberos ... 3-5
            Task 4 - Identify Changes to Sun Java System Web Server Reserved UID/GID ... 3-5
            Task 5 - Identify Changes to nobody Account Usage ... 3-5
    Exercise 4: Fault and Service Management ... 4-1
        Objective ... 4-1
        Task 1 - Reviewing the Module ... 4-1
        Task 2 - Enabling and Disabling Services ... 4-3
        Task 3 - Viewing SMF Log Files ... 4-3
        Exercise Summary ... 4-4
        Exercise Solutions ... 4-5
            Task 1 - Reviewing the Module ... 4-5
            Task 2 - Enabling and Disabling Services ... 4-5
            Task 3 - Viewing SMF Log Files ... 4-8

Section III: Dynamic Tracing With DTrace ... III-1
    Objectives ... III-1
    Exercise 5: Listing Probes and Writing Simple D Scripts ... 5-1
        Task 1 - Reviewing the Module ... 5-1
        Task 2 - Listing Probes ... 5-2
        Task 3 - Writing D Scripts ... 5-3
        Exercise Summary ... 5-4
        Exercise Solutions ... 5-5
            Task 1 - Reviewing the Module ... 5-5
            Task 2 - Listing Probes ... 5-6
            Task 3 - Writing D Scripts ... 5-6
    Exercise 6: Using the vminfo, sysinfo, io, and syscall Providers ... 6-1
        Task 1 - Writing D Scripts ... 6-1
        Exercise Summary ... 6-3
        Module 2 Exercise Solutions ... 6-4
            Task 1 - Writing D Scripts ... 6-4

Section IV: Solaris 10 Networking ... IV-1
    Objectives ... IV-1
    Exercise 7: Changes to Internet Protocol Features ... 7-1
        Objectives ... 7-1
        Preparation ... 7-1
        Task 1 - Configure QoS ... 7-1
        Task 2 - Explore the routeadm(1M) Command in the Solaris OS Startup Scripts ... 7-2
        Task 3 - Configure Routing Using the routeadm(1M) Command ... 7-3
        Exercise Summary ... 7-5
        Exercise Solutions ... 7-6
            Task 1 - Configure QoS ... 7-6
            Task 2 - Explore the routeadm(1M) Command in the Solaris OS Startup Scripts ... 7-8
            Task 3 - Configure Routing Using the routeadm(1M) Command ... 7-9
    Exercise 8: Examining NFS Version 4 ... 8-1
        Objective ... 8-1
        Preparation ... 8-1
        Task 1 - Configure a NFS Version 4 Server ... 8-1
        Task 2 - Configure a NFS Version 4 Client ... 8-2
        Task 3 - Examining the Pseudo-File System ... 8-3
        Exercise Summary ... 8-5
        Exercise Solutions ... 8-6
            Task 1 - Configure a NFS Version 4 Server ... 8-6
            Task 2 - Configure a NFS Version 4 Client ... 8-7
            Task 3 - Examining the Pseudo-File System ... 8-9
    Exercise 9: Changes to Security ... 9-1
        Objective ... 9-1
        Preparation ... 9-1
        Task 1 - Using the User-Level SCF Utilities ... 9-1
        Task 2 - Examining Administration Tasks for SCF ... 9-3
        Task 3 - Configuring the Solaris IP Filter Firewall ... 9-6
        Task 4 - Configuring NAT in the Solaris OS IP Filter ... 9-9
        Task 5 - Explore Solaris IP Filter Redirection NAT Rule ... 9-10
        Exercise Summary ... 9-12
        Exercise Solutions ... 9-13
            Task 1 - Using the User-Level SCF Utilities ... 9-13
            Task 2 - Examining Administration Tasks for SCF ... 9-16
            Task 3 - Configuring the Solaris IP Filter Firewall ... 9-21
            Task 4 - Configuring NAT in the Solaris OS IP Filter ... 9-28
            Task 5 - Explore Solaris IP Filter Redirection NAT Rule ... 9-33
    Exercise 10: Using System Management Agent ... 10-1
        Objective ... 10-1
        Preparation ... 10-1
        Task 1 - Starting and Stopping SMA ... 10-1
        Task 2 - Starting the SMA with Debugging Enabled ... 10-2
        Task 3 - Using the snmpconf(1M) Script to Build an SMA Configuration File ... 10-2
        Task 4 - Adding USM Users ... 10-3
        Task 5 - Creating a User With the net-snmp-config Script Using the --create-snmpv3-user Option ... 10-4
        Task 6 - Configuring the SMA Applications ... 10-5
        Task 7 - Using the Debugging Options With SMA Applications ... 10-6
        Task 8 - Building a VACM ... 10-7
        Exercise Summary ... 10-8
        Exercise Solutions ... 10-9
            Task 1 - Starting and Stopping SMA ... 10-9
            Task 2 - Starting the SMA with Debugging Enabled ... 10-10
            Task 3 - Using the snmpconf(1M) Script to Build an SMA Configuration File ... 10-11
            Task 4 - Adding USM Users ... 10-13
            Task 5 - Creating a User With the net-snmp-config Script Using the --create-snmpv3-user Option ... 10-15
            Task 6 - Configuring the SMA Applications ... 10-17
            Task 7 - Using the Debugging Options With SMA Applications ... 10-18
            Task 8 - Building a VACM ... 10-19

Copyright 2004 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services, Revision A
Preface

About This Workbook

This workbook presents the lab exercises for each module in each section of the Student Guide.

Course Goals

- Install the Solaris 10 Operating System
- Perform key system management tasks
- Use Dynamic Tracing
- Perform network administration tasks
Conventions

The following conventions are used in this course to represent various training elements and alternative learning resources.

Typographical Conventions
Courier is used for the names of commands, files, directories, programming code, and on-screen computer output; for example:

    Use ls -al to list all files.
    system% You have mail.

Courier is also used to indicate programming constructs, such as class names, methods, and keywords; for example:

    The getServletInfo method is used to get author information.
    The java.awt.Dialog class contains a Dialog constructor.

Courier bold is used for characters and numbers that you type; for example:

    To list the files in this directory, type:
    # ls

Courier bold is also used for each line of programming code that is referenced in a textual description; for example:

    1 import java.io.*;
    2 import javax.servlet.*;
    3 import javax.servlet.http.*;

Notice the javax.servlet interface is imported to allow access to its life cycle methods (Line 2).

Courier italics is used for variables and command-line placeholders that are replaced with a real name or value; for example:

    To delete a file, use the rm filename command.

Courier italic bold is used to represent variables whose values are to be entered by the student as part of an activity; for example:

    Type chmod a+rwx filename to grant read, write, and execute rights for filename to world, group, and users.

Palatino italics is used for book titles, new words or terms, or words that you want to emphasize; for example:

    Read Chapter 6 in the User's Guide.
    These are called class options.
Section I: Solaris 10 Operating System Installation
Lab 1

Exercise 1: Configuring a Software Installation Using the WAN Boot Procedure

Objectives

- Create a Flash archive on the WAN Boot server.
- Configure packages and patches.
- Configure the WAN Boot server as an Apache web server.
- Configure Solaris JumpStart and WAN Boot parameters on the WAN Boot server.
- Configure the client using the WAN Boot procedure.
Preparation

The following tasks require a system that is running the Solaris 10 build 66 OS. Complete the following worksheet before you begin the installation.

- Directory containing the Solaris 10 OS Flash archive. The directory must be under the web server documents directory (for example, /var/apache/htdocs/flashdir/solaris.flar):
  ______________________________________________________________
- Directory containing the wanboot binary and miniroot filesystem (for example, /var/apache/htdocs/wanboot10):
  ______________________________________________________________
- Directory containing the sysidcfg file, rules, and profile files (for example, /var/apache/htdocs/config):
  ______________________________________________________________
10. Edit the JumpStart configuration files.
    a. Edit the sysidcfg file.
    b. Edit the profile file.
    c. Edit the rules file.
    d. Run the check script.
Exercise Summary

Discussion

Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.
Exercise Solutions

Task 1 - Creating a Flash Archive

Note: Do not use this flar for any other purpose in this lab.
Task 2 - Configuring the Apache Web Server

   Servername WANBootserv (for example: sys-03)

2. Start the web server.
   # /etc/init.d/apache start
Task 3 - Web-Install a Signed Patch

   # cd /var/apache/htdocs/var/spool/pkg
   # pkgtrans . ./SUNWzfs_streamed.pkg SUNWzfs
   Transferring <SUNWzfs> package instance

2. Install a stream format of the SUNWzfs package using the HTTP protocol. If you are prompted to overwrite the existing installation of the SUNWzfs package, do so.
Task 4 - Configuring the WAN Boot and JumpStart Files

   # cp -r * /var/apache/htdocs/config

4. Copy the wanboot binary to the web server documents directory.
   # cp /cdrom/cdrom0/s0/Solaris_10/Tools/Boot/platform/sun4u/wanboot \
     /var/apache/htdocs/wanboot10/wanboot
5. Copy the WAN Boot CGI programs to the web server cgi-bin directory. Each file retains its original name in the new directory.
   # cp /usr/lib/inet/wanboot/*-cgi /var/apache/cgi-bin

6. Create the configuration file specifying the client sysidcfg file and custom JumpStart files for this client.
   # mkdir -p /etc/netboot
   # vi /etc/netboot/system.conf
   Insert the following two lines. Use the correct server name for your environment.
   SsysidCF=http://WANBootserv/config
   SjumpsCF=http://WANBootserv/config

7. Copy and edit the configuration file containing the WAN Boot parameters.
   # cp /etc/inet/wanboot.conf.sample /etc/netboot/wanboot.conf
   # vi /etc/netboot/wanboot.conf
   Edit the file to include the following lines. Use the correct server name for your environment.
   boot_file=/wanboot10/wanboot
   root_server=http://WANBootserv/cgi-bin/wanboot-cgi
   root_file=/wanboot10/wpath/miniroot
   signature_type=
   encryption_type=
   server_authentication=no
   client_authentication=no
   resolve_hosts=
   boot_logger=http://WANBootserv/cgi-bin/bootlog-cgi
   system_conf=system.conf

   Note: With server_authentication=no, client_authentication=no, and empty signature_type and encryption_type, the client fetches wanboot and the miniroot over plain HTTP and verifies nothing about them; any host that can answer on the network path can supply the boot image. This is acceptable only on an isolated lab network. For a production WAN boot, set server_authentication=yes (which requires an https:// root_server and a trust anchor installed on the client) and set signature_type and encryption_type so the downloaded images are integrity-checked and encrypted.

8. Create the miniroot filesystem under the web server documents directory.
   # /cdrom/cdrom0/s0/Solaris_10/Tools/setup_install_server -w \
     /var/apache/htdocs/wanboot10/wpath /var/apache/htdocs/wanboot10/ipath
   You should receive a message similar to the following saying you were successful:
   WAN boot Image creation complete
   The WAN boot Image file has been placed in
   /var/apache/htdocs/wanboot10/wpath/miniroot
   Ensure that you move this file to a location accessible to the web server,
   and that the WAN boot configuration file wanboot.conf(4) for each WAN boot
   client contains the entries:
     root_server=<URL>
       where <URL> is an HTTP or HTTPS URL scheme pointing to the location
       of the WAN boot CGI program
     root_file=<miniroot>
       where <miniroot> is the path and file name, relative to the web
       server document directory, of miniroot
   You should also make sure you have initialized the key generation
   process by issuing (once):

   # cp /var/apache/htdocs/wanboot10/wpath/miniroot \
     /var/apache/htdocs/wanboot10/miniroot

9. Check the integrity of the wanboot.conf configuration file.
   # /usr/sbin/bootconfchk /etc/netboot/wanboot.conf

10. Edit the JumpStart configuration files.
   # cd /var/apache/htdocs/config

   a. Edit the sysidcfg file. Edit the file to include the following lines. Use the correct server name and correct IP addresses for your environment.

   Note: The order of entries in the sysidcfg file is not important for regular JumpStart installations, but the order is important for WAN Boot installations.

   # vi /var/apache/htdocs/config/sysidcfg
   protocol_ipv6=no
   default_route=w.x.y.z}
   (network interface information between brackets typed all on one line)
   timezone=US/Central
   system_locale=C
   terminal=dtterm
   timeserver=localhost
   name_service=none
   security_policy=none

   b. Edit the profile file.
   Note: When you are performing these exercises it is important to use the flash archive that has already been created for you. It can be found at:
   /var/apache/htdocs/flashdir/SunOS5.10_66_SUNWCore_ENUS_sun4u.flar

   # vi /var/apache/htdocs/config/profile
   Edit the file to include the following lines.
   install_type flash_install
   archive_location http://WANBootserv/flashdir/Name_Of_Flar
   (on the above line, use the flar you created earlier, or the flar provided within the remote lab environment)
   partitioning explicit
   filesys c0t0d0s0 free /
   filesys c0t0d0s1 512 swap

   Note: When editing this profile file, make sure you remove the directory htdocs from the path to the archive location. Apache resolves request paths relative to its DocumentRoot (/var/apache/htdocs here), so the URL path starts below htdocs: the file /var/apache/htdocs/flashdir/Name_Of_Flar is served as http://WANBootserv/flashdir/Name_Of_Flar. Also verify you are using the correct disk device names for your environment.

   c. Edit the rules file.
   # vi /var/apache/htdocs/config/rules
   Edit the file to include the following line (the two dashes are the empty begin and finish script fields that the rules syntax requires):
   hostname WANBootclient1 - profile -

   d. Run the check script.
   # /var/apache/htdocs/config/check
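Two checks a practitioner would run on the Task 4 files before booting a client, as an added shell example that is not part of the Sun workbook: an audit of wanboot.conf for the "no authentication" settings used in the lab (keys as in wanboot.conf(4)), and a check that the profile's archive_location maps to a file under the Apache DocumentRoot rather than embedding the htdocs path. The sample wanboot.conf is constructed from the lab values; the DocumentRoot, the server name WANBootserv and the scratch directory the demo creates are assumptions.

```shell
#!/bin/sh
# Added example, not from the Sun workbook. Checks the WAN boot server
# files from Task 4: wanboot.conf authentication settings and the profile's
# archive_location. Lab values (WANBootserv, /wanboot10, flashdir) assumed.

# conf_get FILE KEY: print the value of KEY=value (last match), empty if unset.
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# wanboot_audit FILE: print one line per weak setting; return their count.
wanboot_audit() {
    n=0
    sa=$(conf_get "$1" server_authentication)
    ca=$(conf_get "$1" client_authentication)
    rs=$(conf_get "$1" root_server)
    bl=$(conf_get "$1" boot_logger)
    sig=$(conf_get "$1" signature_type)
    enc=$(conf_get "$1" encryption_type)
    [ "$sa" = yes ] || { echo "server_authentication=$sa: client cannot verify the boot server"; n=$((n+1)); }
    [ "$ca" = yes ] || { echo "client_authentication=$ca: server boots any client"; n=$((n+1)); }
    case $rs in https://*) ;; *) echo "root_server=$rs: miniroot fetched over plain HTTP"; n=$((n+1)) ;; esac
    [ -n "$sig" ] || { echo "signature_type unset: wanboot/miniroot not integrity-checked"; n=$((n+1)); }
    [ -n "$enc" ] || { echo "encryption_type unset: miniroot sent in cleartext"; n=$((n+1)); }
    case $bl in ""|https://*) ;; *) echo "boot_logger=$bl: boot log sent over plain HTTP"; n=$((n+1)) ;; esac
    return $n
}

# archive_url DOCROOT SERVER FILE: print the URL Apache serves FILE under,
# i.e. FILE with the DocumentRoot prefix removed; fail if FILE is outside it.
archive_url() {
    docroot=${1%/}
    case $3 in
        "$docroot"/*) rel=${3#"$docroot"}; echo "http://$2$rel" ;;
        *) echo "archive_url: $3 is not under $docroot" >&2; return 1 ;;
    esac
}

# check_profile DOCROOT PROFILE: print the local file archive_location maps
# to; fail if the URL embeds the DocumentRoot path or the file is missing.
check_profile() {
    docroot=${1%/}
    loc=$(sed -n 's/^[[:space:]]*archive_location[[:space:]]*//p' "$2" | tail -n 1)
    [ -n "$loc" ] || { echo "no archive_location in $2" >&2; return 1; }
    case $loc in http://*|https://*) ;; *) echo "archive_location is not a URL: $loc" >&2; return 1 ;; esac
    req=${loc#*://}            # host/path
    req=/${req#*/}             # /path as the client will request it
    case $req in
        "$docroot"/*) echo "archive_location embeds the DocumentRoot path (Apache maps URLs relative to it): $loc" >&2; return 1 ;;
    esac
    [ -f "$docroot$req" ] || { echo "no archive at $docroot$req (from $loc)" >&2; return 1; }
    echo "$docroot$req"
}

# write_lab_wanboot_conf FILE: the lab's wanboot.conf values (constructed copy).
write_lab_wanboot_conf() {
    cat > "$1" <<'EOF'
boot_file=/wanboot10/wanboot
root_server=http://WANBootserv/cgi-bin/wanboot-cgi
root_file=/wanboot10/wpath/miniroot
signature_type=
encryption_type=
server_authentication=no
client_authentication=no
resolve_hosts=
boot_logger=http://WANBootserv/cgi-bin/bootlog-cgi
system_conf=system.conf
EOF
}

# demo: run both checks on a scratch copy of the lab layout.
demo() {
    d=$(mktemp -d) || return 1
    write_lab_wanboot_conf "$d/wanboot.conf"
    wanboot_audit "$d/wanboot.conf" || echo "wanboot.conf: $? weak setting(s)"
    mkdir -p "$d/htdocs/flashdir" && : > "$d/htdocs/flashdir/solaris.flar"
    echo "archive_location $(archive_url "$d/htdocs" WANBootserv "$d/htdocs/flashdir/solaris.flar")" > "$d/profile"
    check_profile "$d/htdocs" "$d/profile"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

On the lab server the same functions apply to the real files: wanboot_audit /etc/netboot/wanboot.conf reports all six weak settings for the configuration above, and check_profile /var/apache/htdocs /var/apache/htdocs/config/profile fails as soon as the archive_location contains /var/apache/htdocs.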
Task 5 - Configuring the WAN Boot Client

1. At the client's OpenBoot PROM prompt, set the network boot arguments. Use the IP addresses for your environment, and type the whole value on one line.
   ok setenv network-boot-arguments host-ip=a.b.c.d,router-ip=a.b.c.1,subnet-mask=255.255.255.0,hostname=WANBootclient1,file=http://WANBootserv-IP/cgi-bin/wanboot-cgi
2. Boot the client.
   ok boot net - install

   Or, if the client's OpenBoot PROM cannot WAN boot directly:
3. Verify the Solaris 10 OS CD 1 is in the client.
4. Boot wanboot off of the CD.
   ok boot cdrom -o prompt -F wanboot - install

   Sun Blade 100 (UltraSPARC-IIe), No Keyboard
   Copyright 1998-2003 Sun Microsystems, Inc. All rights reserved.
   OpenBoot 4.10.1, 256 MB memory installed, Serial #50645368.
   [pt pt-10usb #1] Ethernet address 0:3:ba:4:c9:78, Host ID: 8304c978.

   Rebooting with command: boot cdrom -o prompt -F wanboot - install
   Boot device: /pci@1f,0/ide@d/cdrom@1,0:f File and args: -o prompt -F wanboot - install
   <time unavailable> wanboot info: WAN boot messages->console
   <time unavailable> wanboot info: Default net-config-strategy: manual
   boot> prompt
   host-ip? a.b.c.d
   subnet-mask? 255.255.255.0
   router-ip?
   hostname? WANBootclient1
   http-proxy?
   client-id?
   aes?
   3des?
   sha1?
   bootserver? http://WANBootserv-IP/cgi-bin/wanboot-cgi
   Unknown variable '/129.148.192.83/cgi-bin/wanboot-cgi'; ignored
   boot>
   boot> list
   host-ip:      a.b.c.d
   subnet-mask:  255.255.255.0
   router-ip:    UNSET
   hostname:     WANBootclient1
   http-proxy:   UNSET
   client-id:    UNSET
   aes:          *HIDDEN*
   3des:         *HIDDEN*
   sha1:         *HIDDEN*
   bootserver:   http://WANBootserv-IP/cgi-bin/wanboot-cgi
   boot> go
   <time unavailable> wanboot progress: wanbootfs: Read 128 of 128 kB (100%)
   <time unavailable> wanboot info: wanbootfs: Download complete
   Mon Aug 23 19:45:25 wanboot info: WAN boot messages->129.148.192.83:80
   SunOS Release 5.10 Version s10_58 64-bit
   Copyright 1983-2004 Sun Microsystems, Inc. Use is subject to license terms.
   Configuring devices.
   Network interface was configured manually.
   129.148.192.221
   NOTE: Not enough memory for graphical installation.
   Graphical installation requires 96 MB of virtual memory.
   Found 31 MB of virtual memory.
   Reverting to text-based installation.
   Beginning system identification...
   Searching for configuration file(s)...
   SUNW,eri0 : 10 Mbps half duplex link up
   Using sysid configuration file http://129.148.192.83/config/sysidcfg
   Search complete.
   Discovering additional network configuration...

   The aes, 3des, and sha1 prompts are left empty because the lab wanboot.conf sets no encryption or signature type; the *HIDDEN* display only means that key values are never echoed, not that keys are present.
Section II: Solaris 10 System Management

Objectives

- Use zones in the operating system (OS)
- Use the authentication features in the OS
- Use the fault management features in the OS
Lab 2

Exercise 2: Zones

In this exercise, you will perform the following tasks:

- Create a Solaris 10 OS zone
- Boot a Solaris zone
- Configure resource pools
- Configure CPU Fair Share Scheduling
- Identify changes to the Resource Capping Daemon
- Halt a Solaris zone
- Remove a Solaris zone
Preparation

Before you can start this lab, you must determine the following parameters:

- You must give your zone a name (for example, test-zone).
- You must establish (create) a zone path (for example, /export/test-zone).
- You need information about the lab network environment (run ifconfig -a).

Note: Run the ifconfig -a command to gather information on the network environment. The lab environment normally uses lower-order IP addresses. Choose an upper-order IP address. For example, if the global zone IP address is 192.168.201.24, make the non-global zone IP address 192.168.201.124. Be sure to run the ping -s IP_addr command to verify that the IP address you choose is not in use; for example, ping -s 192.168.201.124. A host that is powered off or filtering ICMP will not answer, so an unanswered ping shows only that nothing is responding right now.
Zone Name _____________________________________________
Zone Path _______________________________________________
Network Interface ________________________________________
IP Address ______________________________________________
Netmask ________________________________________________
Task 2: In this task, you create processor sets and pools. As a naming convention, use your first name; for example, user1 creates user1-pset and user1-pool.
Resource names: ____________-pset  ____________-pool
Task 1 - Creating Zones

Note: The zone path must be owned by root and have permissions that are:
- not group readable
- not group executable
- not world readable
- not world executable
Make sure the zone path meets these requirements (mode 700 satisfies them). zoneadm install checks them and refuses to install into a zone path that does not comply.

3. Identify the primary network interface, subnet IP address, and netmask.
4. Configure a zone using your assigned values.
5. Verify the zone configuration. No response indicates that you can proceed with the installation.
6. Commit the zone configuration to stable storage and exit the configuration utility.
   Where is the zone configuration file stored?
7. View the zone configuration XML file.
8. Install the configured zone.

   Note: The installation will take a while. For the lab, disregard any installation package errors.

9. List the contents of the zonepath.
10. Display the zone status.
11. Place the zone in the ready state and display the status. Describe the changes that occur when a zone moves from the installed state to the ready state.
12. Boot the new zone and display the status.
13. Log into your zone and configure it with your name, time zone, and password.
14. Display the zone's network information.
15. Display the zone status.
16. In the non-global zone, create a new group named zones and a user named student. Assign a password to the new user.
17. Open a new terminal window. Verify the non-global zone operation by logging in as the new user.
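The zone path requirement from the note above (root-owned, no group or world permission bits) and the zonecfg session from the solutions, as an added shell example that is not part of the Sun workbook. check_zonepath parses ls -ld output so it runs unchanged on Solaris and Linux; zonecfg_commands emits the command file form of the interactive session, which zonecfg -z NAME -f FILE accepts. The zone name, path, interface and address are the lab's example values, and the run branch assumes root in the global zone.

```shell
#!/bin/sh
# Added example, not from the Sun workbook: prepare and check a zone path
# for Task 1, then produce the zonecfg command file that reproduces the
# interactive configuration from the solutions. Lab values assumed:
# test-zone, /export/test-zone, ce0, 192.168.201.124.

# zonepath_mode_ok MODE: MODE is an ls -l mode string such as drwx------.
# Returns 0 only for a directory whose group and other bits are all clear.
zonepath_mode_ok() {
    case $1 in
        d???------*) return 0 ;;   # trailing +, @ or . (ACL/xattr markers) allowed
        *) return 1 ;;
    esac
}

# check_zonepath PATH: 0 if PATH is a directory owned by root with no
# group/other permission bits; otherwise print the reason and return 1.
# Uses ls -ld rather than stat(1) so it works on Solaris and Linux alike.
check_zonepath() {
    [ -d "$1" ] || { echo "$1: not a directory" >&2; return 1; }
    set -- "$1" $(ls -ld "$1")     # $2=mode $3=links $4=owner
    [ "$4" = root ] || { echo "$1: owned by $4, must be root" >&2; return 1; }
    zonepath_mode_ok "$2" || { echo "$1: mode $2 grants group or world access (need 700)" >&2; return 1; }
}

# prepare_zonepath PATH: create PATH with the required owner and mode.
# Must run as root in the global zone.
prepare_zonepath() {
    mkdir -p "$1" && chown root "$1" && chmod 700 "$1" && check_zonepath "$1"
}

# zonecfg_commands NAME PATH NIC ADDR: print a zonecfg(1M) command file
# equivalent to the interactive session, for use as: zonecfg -z NAME -f FILE
zonecfg_commands() {
    printf 'create\nset zonepath=%s\nadd net\nset physical=%s\nset address=%s\nend\nverify\ncommit\n' "$2" "$3" "$4"
}

if [ "${1:-}" = run ]; then
    # Full sequence on the lab values; needs root in the global zone.
    prepare_zonepath /export/test-zone || exit 1
    zonecfg_commands test-zone /export/test-zone ce0 192.168.201.124 > /tmp/test-zone.cfg
    zonecfg -z test-zone -f /tmp/test-zone.cfg
    zoneadm -z test-zone install
fi
```

Run it as sh zone-prep.sh run on the global zone; the permission check fails closed, so a path that is world-readable (for example one created with the default umask of 022) is reported before zoneadm install would reject it.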
How do you x it? 3. Verify that the kernel sees the new processor set. Why does or doesn't the kernel see the resource? How can we update the kernel to see this resource? What happens if you try to re-create an existing processor set? 4. 5. 6. Create a pool so that the kernel can see it, and verify. Associate the processor set and pool you just created with each other. Transfer a processor to the new processor set. First use a processor number that doesn't exist, cpu 99 for example, and then use an available processor. Verify each step. What error codes did you see? What did a successful operation output? 7. 8. Disable pools on this zone. Why didn't this work? Remove pools and then disable pools. Verify this step.
Assuming three other zones on the system each have a limit of 50, what percentage of CPU utilization will be allocated to your zone?
2. Install and boot the zone.
2.
test:10000:test project:name::rcap.max-rss=10000
name::::project=test
3. Enable the resource management daemon.
4. Start monitoring the resource management on the system.
5. Switch user to your student account and run a command which will use system resources and take a long time to finish, such as the find command. What value does the RSS field from rcapstat top out at? Why?
Exercise Summary
Discussion
Take a few minutes to discuss the experiences, issues, or discoveries you had during the lab exercise.
Exercise Solutions
Preparation
Task 1: Something like:
Zone Name: test-zone
Zone Path: /export/test-zone
Network Interface: ce0 (see Task 1, step 3)
IP Address: 192.168.201.124 (see Task 1, step 3)
Netmask: 255.255.255.0 (see Task 1, step 3)
Task 2: In this task, you will be creating processor sets and pools. As a naming convention, name them using your first name. For example, user1 would create user1-pset and user1-pool. Resource names: user1-pset, user1-pool
# ifconfig -a
lo0:1: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.201.24 netmask ffffff00 broadcast 192.168.201.255
4. Configure a zone in memory using your assigned values.
# zonecfg -z zone_name
No such zone configured
Use create to begin configuring a new zone.
zonecfg:zone_name> create
zonecfg:zone_name> set zonepath=zone_path
zonecfg:zone_name> add net
zonecfg:zone_name:net> set physical=ce0
zonecfg:zone_name:net> set address=192.168.201.124
zonecfg:zone_name:net> end
5. Verify the zone configuration.
zonecfg:zone_name> verify
6. Commit the zone configuration to stable storage and exit the configuration utility.
zonecfg:zone_name> commit
zonecfg:zone_name> exit
Where is the zone configuration file stored? The zone configuration is stored in the /etc/zones/zone_name.xml file.
7. View the zone configuration XML file.
# more /etc/zones/zone_name.xml
8. Install the configured zone. In the global zone:
# zoneadm -z zone_name install
9. List the zonepath. In the global zone:
# ls zonepath
10. Display the zone status. In the global zone:
# zoneadm list -v
11. Place the zone in the ready state and display the status. In the global zone:
# zoneadm -z zone_name ready
# zoneadm list -v
Describe the changes that occur when a zone moves from the installed state to the ready state.
In this state, the virtual platform for the zone is established. The kernel creates the zsched process, network interfaces are plumbed, file systems are mounted, and devices are configured. A unique zone ID is assigned by the system. At this stage, no processes associated with the zone have been started.
12. Boot the zone and display the status. In the global zone:
# zoneadm -z zone_name boot
# zoneadm list -v
13. Log into your domain and configure it with your name, time zone, and password. In the global zone:
# zlogin -C zone_name
SunOS Release 5.10 Version Generic 64-bit
Copyright 1983-2004 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
Select a Language
  0. English
  1. French
Please make a choice (0 - 1), or press h or ? for help: 0
Select a Locale
  0. English (C - 7-bit ASCII)
  1. Belgium-Flemish (ISO8859-1)
  2. Belgium-Flemish (ISO8859-15 - Euro)
  3. Great Britain (ISO8859-1)
  4. Great Britain (ISO8859-15 - Euro)
  5. Ireland (ISO8859-1)
  6. Ireland (ISO8859-15 - Euro)
  7. Netherlands (ISO8859-1)
  8. Netherlands (ISO8859-15 - Euro)
  9. Go Back to Previous Screen
Please make a choice (0 - 9), or press h or ? for help: 0
What type of terminal are you using?
 1) ANSI Standard CRT
 2) DEC VT52
 3) DEC VT100
 4) Heathkit 19
 5) Lear Siegler ADM31
 6) PC Console
 7) Sun Command Tool
 8) Sun Workstation
 9) Televideo 910
 10) Televideo 925
 11) Wyse Model 50
 12) X Terminal Emulator (xterms)
 13) CDE Terminal Emulator (dtterm)
 14) Other
Type the number of your choice and press Return: 3
. .
14. Display the zone's network information.
# ifconfig -a
15. Display the zone status. From the global zone:
# zoneadm list -v
16. In the non-global zone, create a new group named zones and a user named student. Assign a password to the new user. Something like:
# groupadd -g 102 zones
# useradd -u 1003 -g 102 -d /export/home/student -s /bin/csh -c "Student" -m -k /etc/skel student
or use the Solaris Management Console:
# /usr/sadm/bin/smc &
Refer to System Administration Guide: Basic Administration, part number 817-1985-07.
17. Open a new terminal window. Verify the non-global zone operation by logging in as the new user.
2. Create a processor set with a minimum of one processor and a maximum of 5 possible.
# poolcfg -dc 'create pset <name>-pset ( uint pset.min = 1 ; uint pset.max = 5)'
What error code do you get? The pset.min only accepts a value of zero.
How do you fix it? Re-run this command with pset.min = 0.
3. Verify that the kernel sees the new processor set.
# poolcfg -dc info
Why does or doesn't the kernel see the resource? If the -d option was not used, the kernel isn't updated.
How can we update the kernel to see this resource? Re-run the command with the -d option to update the kernel.
What happens if you try to re-create an existing process set? If you try to re-create an existing processor set, an error is returned:
poolcfg: cannot create the pset, name-pset: Bad parameter supplied
4. Create a pool so that the kernel can see it, and verify.
# poolcfg -dc 'create pool name-pool'; poolcfg -dc info
5. Associate the processor set and pool you just created with each other.
# poolcfg -dc 'associate pool name-pool (pset name-pset)'
6. Transfer a processor to the new processor set. First use a processor number that doesn't exist, cpu 99 for example, and then use an available processor. Verify each step.
# poolcfg -dc 'transfer to pset tim-pset (cpu 99)'
poolcfg: cannot locate the cpu, 99: Operation successful
What error codes did you see? The available processor answer varies depending on the system and what processors are physically available.
What did a successful operation output? The available processor answer varies depending on the system and what processors are physically available.
7. Disable pools on this zone.
# pooladm -d
Why didn't this work?
pooladm: cannot disable pools: Device busy
If there are active pools you cannot disable this feature. Remove the pools first.
8. Remove pools and then disable pools. Verify this step.
# pooladm -x; pooladm -d
# poolcfg -dc info
poolcfg: cannot load configuration from /dev/poolctl: Facility is not active
9. Now that pools are disabled, was the /etc/pooladm.conf file removed? No. It should still be intact.
# zonecfg -z zone_name
zonecfg:zone_name> add rctl
zonecfg:zone_name:rctl> set name=zone.cpu-shares
zonecfg:zone_name:rctl> add value (priv=system,limit=50,action=deny)
zonecfg:zone_name:rctl> end
Assuming three other zones on the system each have a limit of 50, what percentage of CPU utilization will be allocated to your zone?
50/(50 + 50 + 50 + 50) * 100 = 25%
2. Install and boot the zone.
# zoneadm -z zone_name install
# zoneadm -z zone_name boot
1. In terminal window number 1, run the rcapstat command. This command will error and end each time the rcapd daemon is stopped. Restart this command each time the daemon is restarted.
2. In window 2, edit /etc/project and add a line for a new project. Add your user name as the user for this project. The line should look like:
test:10000:test project:name::rcap.max-rss=10000
3. Enable the resource management daemon. Restart monitoring the resource management on the system.
# rcapadm -E
In window number 2:
# rcapstat
4. Switch user to your user account and run a command which will use system resources and take a long time to finish, such as the find command. What value does the RSS field from rcapstat top out at? The RSS value should top out near what it was set to in step 1. Why? Every process in the project has to share this allotment of memory.
Lab 3
Identify changes to Password Checking
Configure Least Privilege
Identify changes to Kerberos
Identify changes to Sun Java System Web Server 6.1 2004Q2 reserved UID/GID
Identify changes to nobody account usage
Preparation
Each user must create a user account for this lab exercise. Create a user with your own name. Assign the user the password verify1. A Kerberos server and realm must be configured for Task 3. The system should share /export/profile.krb5.
Task 4 Identify Changes to Sun Java System Web Server Reserved UID/GID
Complete the following step: 1. Verify that the WebServer UID and GID have been updated.
Exercise Summary
Discussion
Take a few minutes to discuss the experiences, issues, or discoveries you had during the lab exercise.
Exercise Solutions
Task 1 Identify Changes to Password Checking
Open two terminal windows. In one window, log into the system as the user you just created. In the other window, log in as root.
1. Root Window: Edit the /etc/default/passwd file. Un-comment and set the HISTORY value to 3.
# vi /etc/default/passwd
HISTORY=3
2. User Window: As the user you created, change your password to 2verify.
$ passwd
passwd: Changing password for user_name
Enter existing login password: verify1
New Password: 2verify
Re-enter new Password: 2verify
passwd: password successfully changed for user_name
3. User Window: Change the password again to verify3.
$ passwd
passwd: Changing password for user_name
Enter existing login password: 2verify
New Password: verify3
Re-enter new Password: verify3
passwd: password successfully changed for user_name
4. User Window: Change the password again. This time change it back to the original verify1. What happened? Did your user's password change?
$ passwd
passwd: Changing password for user_name
Enter existing login password: verify3
New Password: verify1
passwd: Password in history listed
Please try again.
The command produced an error. The user's password did not change; a new password is asked for.
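A small model of what the HISTORY keyword does, written for this page as an added example (it is not Sun's implementation, and pam_unix keeps its history in a different form): each user's most recent passwords are kept as salted PBKDF2 hashes, and a change is refused when the new password matches any of them. The class and method names are hypothetical; the lab's sequence verify1, 2verify, verify3, verify1 is replayed by replay_lab, which also lets you see that with HISTORY=2 the fourth change would have been accepted.

```python
import hashlib
import hmac
import os
from collections import deque


class PasswordHistory:
    """Hypothetical model of HISTORY=n in /etc/default/passwd.

    Keeps each user's last `history` passwords as salted PBKDF2 hashes; the
    newest entry is the current password. A change is refused when the old
    password does not match the current one, or when the new password matches
    any password still inside the history window.
    """

    def __init__(self, history=3, iterations=20_000):
        self.history = history
        self.iterations = iterations
        self._entries = {}  # user -> deque of (salt, digest), newest last

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def _matches(self, password, entry):
        salt, digest = entry
        # Re-derive with the stored salt and compare in constant time.
        return hmac.compare_digest(self._digest(password, salt), digest)

    def _new_entry(self, password):
        salt = os.urandom(16)
        return (salt, self._digest(password, salt))

    def create_user(self, user, password):
        """Equivalent of useradd followed by the initial passwd: seeds the history."""
        self._entries[user] = deque([self._new_entry(password)], maxlen=self.history)

    def change_password(self, user, old, new):
        """Return 'changed', 'bad_old_password', or 'in_history'."""
        entries = self._entries[user]
        current = entries[-1]
        if not self._matches(old, current):
            return "bad_old_password"
        if any(self._matches(new, e) for e in entries):
            return "in_history"
        entries.append(self._new_entry(new))  # the oldest entry drops off when the window is full
        return "changed"

    def history_depth(self, user):
        return len(self._entries[user])


def replay_lab(history=3):
    """Replay Lab 3, Task 1 with the given HISTORY value and return the result of each change."""
    ph = PasswordHistory(history=history)
    ph.create_user("student", "verify1")      # constructed user; the lab uses your own name
    return [
        ph.change_password("student", "verify1", "2verify"),
        ph.change_password("student", "2verify", "verify3"),
        ph.change_password("student", "verify3", "verify1"),  # step 4 of the lab
    ]


if __name__ == "__main__":
    print("HISTORY=3:", replay_lab(3))
    print("HISTORY=2:", replay_lab(2))
```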
Task 4 Identify Changes to Sun Java System Web Server Reserved UID/GID
1. Verify that the WebServer UID and GID have been updated. # cat /etc/passwd; cat /etc/group
Objective
Lab 4
Identify features of the Fault Management Architecture
Identify features of the Service Management Facility
5. What is a plug-in?
Exercise Summary
Discussion
Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.
Exercise Solutions
Task 1 - Reviewing the Module
1. What is an FMRI and how is it used?
An FMRI is a fault managed resource identifier. In FMA it is used to identify the defective component or the detector of an error. In SMF it is used to identify a service.
2. What is a diagnosis engine?
A diagnosis engine is a plug-in that subscribes to error events and attempts to diagnose a fault.
3. What command is used to show all current error events?
The fmdump -e command.
4. What command is used to show faulty system components?
The fmadm faulty command.
5. What is a plug-in?
A plug-in is a module used to provide services to the fault management daemon.
6. What is a SERD engine and what does it do?
A SERD engine looks for a certain number of events within a certain time frame. If that number of events occurs, a fault is created.
7. What command is used to show service dependencies?
Service dependencies are shown with the svcs -d fmri and svcs -D fmri commands.
8. What is a method to SMF?
A method to SMF is a program used to start, stop, or restart a service.
legacy_run     Aug_27   lrc:/etc/rcS_d/S41cachefs_root
legacy_run     Aug_27   lrc:/etc/rcS_d/S55fdevattach
legacy_run     Aug_27   lrc:/etc/rc2_d/S10lu
. . .
2.
# svcs | grep legacy | wc -l
44
Your answer may vary depending on the version of the Solaris 10 OS you are running.
3. How many SMF controlled services are running on your system?
# svcs | grep online | wc -l
61
This number will vary depending on what services have been modified.
4. List the state and dependencies for all network/shell instances.
# svcs -l network/shell*
fmri         svc:/network/shell

fmri         svc:/network/shell:kshell
enabled      false
state        disabled
next_state   none
restarter    svc:/network/inetd:default
dependency   optional_all/error svc:/network/physical (online)
dependency   require_any/error svc:/network/loopback (online)

fmri         svc:/network/shell:tcp
enabled      true
state        online
next_state   none
restarter    svc:/network/inetd:default
dependency   optional_all/error svc:/network/physical (online)
dependency   require_any/error svc:/network/loopback (online)

fmri         svc:/network/shell:tcp6only
enabled      true
state        online
next_state   none
restarter    svc:/network/inetd:default
dependency   optional_all/error svc:/network/physical (online)
dependency   require_any/error svc:/network/loopback (online)
5. What is the restarter for these instances?
The inetd command.
6. Execute the spray command to send packets to your host (localhost). What happens? Change your system so that spray works.
# spray localhost
spray: cannot clnt_create localhost:netpath: RPC: Program not registered
The spray command does not work. Look at the spray service instances to see if they are enabled.
# svcs -l *spray*
fmri         svc:/network/rpc/spray

fmri         svc:/network/rpc/spray:ticlts
enabled      false
state        disabled
next_state   none
restarter    svc:/network/inetd:default
dependency   require_all/error svc:/network/rpc/bind (online)

fmri         svc:/network/rpc/spray:udp
enabled      false
state        disabled
next_state   none
restarter    svc:/network/inetd:default
dependency   require_all/error svc:/network/rpc/bind (online)

fmri         svc:/network/rpc/spray:udp6
enabled      false
state        disabled
next_state   none
restarter    svc:/network/inetd:default
dependency   require_all/error svc:/network/rpc/bind (online)
All instances of the spray service are disabled. Enable the udp instance of the spray service.
# svcadm enable svc:/network/rpc/spray:udp
There are no errors so try the spray command again.
# spray localhost
sending 1162 packets of length 86 to localhost ...
        no packets dropped by localhost
        7390 packets/sec, 635602 bytes/sec
7. Reboot your machine. Does spray still work? Why? The spray command still works because a change using the svcadm command is persistent.
8. What are the processes connected with the cron service?
FMRI
svc:/system/cron:default
               218 cron
Kill the cron service. What does SMF show now for cron processes?
# pkill cron
# svcs -p *cron*
STATE          STIME    FMRI
online         15:41:23 svc:/system/cron:default
               15:41:23     3059 cron
The process number of cron has changed. It was automatically restarted by SMF.
# grep WARNING *
network-smtp:sendmail.log:WARNING: local host name (sys61) is not qualified; see cf/README: WHO AM I?
system-filesystem-local:default.log:WARNING: /sbin/mountall -l failed: 1
system-filesystem-local:default.log:WARNING: /sbin/mountall -l failed: 1
# grep ERROR *
svc.startd.log:Aug 26 16:21:02/23 ERROR: Could not get running snapshot for svc:/system/manifest-import:default. Using editing version to run method start.
svc.startd.log:Aug 26 16:21:02/26 ERROR: Could not get running snapshot for svc:/system/rmtmpfiles:default. Using editing version to run method start.
svc.startd.log:Aug 26 16:21:02/24 ERROR: Could not get running snapshot for svc:/system/sysevent:default. Using editing version to run method start.
svc.startd.log:Aug 26 16:21:02/25 ERROR: Could not get running snapshot for svc:/system/mdmonitor:default. Using editing version to run method start.
svc.startd.log:Aug 27 07:14:52/38 ERROR: svc:/network/rpc/keyserv:default: Method "/usr/sbin/keyserv" failed with exit code 1.
svc.startd.log:Aug 27 07:14:52/38 ERROR: svc:/network/rpc/keyserv:default: Method "/usr/sbin/keyserv" failed with exit code 1.
svc.startd.log:Aug 27 07:14:52/38 ERROR: svc:/network/rpc/keyserv:default: Method "/usr/sbin/keyserv" failed with exit code 1.
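The grep output above is what an operator sees when triaging SMF logs by hand. As an added example (not part of the Sun lab), the Python below parses lines of that shape, separates the svc.startd entries from lines that belong to other service logs, and counts repeated method failures per FMRI, the pattern a detection rule for a service heading into maintenance would look for. The sample lines are copied from the output above; the number after the slash in the timestamp is kept as an opaque tag because the page does not say what it is, and the function names are mine.

```python
import re
from collections import Counter

# Sample lines copied from the grep output above. The first one comes from a different
# service log and carries no svc.startd timestamp, so the parser is expected to skip it.
SAMPLE_LINES = """\
network-smtp:sendmail.log:WARNING: local host name (sys61) is not qualified; see cf/README: WHO AM I?
svc.startd.log:Aug 26 16:21:02/23 ERROR: Could not get running snapshot for svc:/system/manifest-import:default. Using editing version to run method start.
svc.startd.log:Aug 26 16:21:02/26 ERROR: Could not get running snapshot for svc:/system/rmtmpfiles:default. Using editing version to run method start.
svc.startd.log:Aug 27 07:14:52/38 ERROR: svc:/network/rpc/keyserv:default: Method "/usr/sbin/keyserv" failed with exit code 1.
svc.startd.log:Aug 27 07:14:52/38 ERROR: svc:/network/rpc/keyserv:default: Method "/usr/sbin/keyserv" failed with exit code 1.
svc.startd.log:Aug 27 07:14:52/38 ERROR: svc:/network/rpc/keyserv:default: Method "/usr/sbin/keyserv" failed with exit code 1.
""".splitlines()

# The "<file>:" prefix that grep adds is optional, so the same parser handles lines read
# straight from the log file. The number after the slash is kept as an opaque tag.
STARTD_LINE = re.compile(
    r"^(?:(?P<file>[^:\s]+\.log):)?"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})/(?P<tag>\d+) "
    r"(?P<level>ERROR|WARNING): (?P<msg>.*)$"
)
METHOD_FAILED = re.compile(
    r'^(?P<fmri>svc:/\S+): Method "(?P<method>[^"]+)" failed with exit code (?P<code>\d+)\.'
)
NO_SNAPSHOT = re.compile(r"^Could not get running snapshot for (?P<fmri>svc:/\S+)\.")


def parse_startd(lines):
    """Return one dict per svc.startd entry (file, ts, tag, level, msg); other lines are skipped."""
    records = []
    for line in lines:
        m = STARTD_LINE.match(line.rstrip("\n"))
        if m:
            records.append(m.groupdict())
    return records


def method_failures(lines):
    """Map FMRI -> (count, method, last exit code) for 'Method ... failed' errors."""
    counts = Counter()
    details = {}
    for rec in parse_startd(lines):
        m = METHOD_FAILED.match(rec["msg"])
        if m:
            counts[m["fmri"]] += 1
            details[m["fmri"]] = (m["method"], int(m["code"]))
    return {fmri: (n,) + details[fmri] for fmri, n in counts.items()}


def snapshot_errors(lines):
    """FMRIs whose start method ran from the editing snapshot because no running snapshot existed."""
    found = []
    for rec in parse_startd(lines):
        m = NO_SNAPSHOT.match(rec["msg"])
        if m:
            found.append(m["fmri"])
    return found


def repeated_failures(lines, threshold=3):
    """FMRIs whose method failed at least `threshold` times: candidates for a closer look with svcs -xv."""
    return sorted(f for f, (n, _method, _code) in method_failures(lines).items() if n >= threshold)


if __name__ == "__main__":
    for fmri, (n, method, code) in method_failures(SAMPLE_LINES).items():
        print("%s: %s failed %d time(s), last exit code %d" % (fmri, method, n, code))
    print("snapshot errors:", snapshot_errors(SAMPLE_LINES))
    print("repeated:", repeated_failures(SAMPLE_LINES))
```

The threshold of three matches the sample, in which keyserv fails three times in the same second; on a real system the value to alert on is whatever count precedes the restarter placing the instance in maintenance.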
Section III
Lab 5
Answer review questions about the module
List DTrace probes using various criteria
Write simple D program scripts
Preparation
Find out from your instructor the root password for your machine.
5. How do you fully specify a probe?
6. What are the major components of DTrace?
7. What dtrace(1M) option allows you to enable all probes from a given module?
8. What are the units of the built-in timestamp D variable?
9. What should be the first line of the ds.d script in order to run it as follows: # ./ds.d
3. Run a command to list all probes from the lockstat provider.
Exercise Summary
Discussion
Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.
Exercise Solutions
This section provides the answers to the exercise tasks.
5. How do you fully specify a probe?
provider:module:function:name
6. What are the major components of DTrace?
Probes, providers, consumers, and the D language
7. What dtrace(1M) option allows you to enable all probes from a given module?
dtrace -m module_name
8. What are the units of the built-in timestamp D variable?
Nanoseconds
9. What should be the first line of the ds.d script to run it as follows: # ./ds.d
#!/usr/sbin/dtrace -s
# cat hello.d
#!/usr/sbin/dtrace -s
BEGIN
{
        trace("Hello World\n");
}
# dtrace -s hello.d
dtrace: script 'hello.d' matched 1 probe
CPU     ID                    FUNCTION:NAME
  0      1                           :BEGIN   Hello World

^C
# dtrace -q -s hello.d
Hello World
^C
2. Write a D script that displays the PIDs and names of all processes issuing the kill(2) system call. Start another terminal window, and test your script by starting a few sleep 900 commands in the background and then killing them with the shell kill pid command or the pkill sleep command.
# cat kill.d
#!/usr/sbin/dtrace -s
syscall::kill:entry
{
        trace(pid);
        trace(execname);
}
# ./kill.d
dtrace: script './kill.d' matched 1 probe
CPU     ID                    FUNCTION:NAME
  0     78                       kill:entry      5083
  0     78                       kill:entry       349
  0     78                       kill:entry       349
  0     78                       kill:entry       349
  0     78                       kill:entry      5128
  0     78                       kill:entry      5128
  0     78                       kill:entry      5128
^C
Lab 6
Write D scripts that use the vminfo, sysinfo, io, and syscall providers
Preparation
Find out from your instructor the root password for your machine. Change to the directory containing the Module 2 lab files. (Ask your instructor for the path name.)
graph range from 0 to 50 milliseconds (ms), in increments of 1ms. Have the key for the aggregation be the literal string: Read elapsed time:. Test your script by running the following command in another terminal window: grep fubar /usr/share/man/sman1/*. Run the iosnoop.d script (with another similar grep command, grep fubar /usr/share/man/sman5/*) to verify that most of the reads are under 1ms. (Note: because of file caching you only get one try. If you do not see the grep commands in the iosnoop.d output, try another sman directory.)
4. Re-write the timesys.d D script shown on [page 2-46] so that it accepts the executable command name as an argument instead of only working with the grep command. Test your script with an ls command that you enter in another terminal window.
5. Write a pagefault.d D script that follows all the functions used in handling a page fault. Have it trace starting with the kernel function pagefault(). Invoke the script with the -F option of the dtrace(1M) command.
Exercise Summary
Discussion
Take a few minutes to discuss the experiences you had during the lab exercise, and any issues or discoveries that arose.
# cat paging.d
#!/usr/sbin/dtrace -qs
BEGIN
{
        printf("%8s %8s\n", "pi", "po");
        i = 0;
        po = 0;
        pi = 0;
}
tick-1sec
{
        ++i;
}
vminfo:::pgpgin
{
        pi = pi + arg0;
}
vminfo:::pgpgout
{
        po = po + arg0;
}
tick-1sec
/i == $1/
{
        printf("%8d %8d\n", (pi*8)/i, (po*8)/i);
        i = 0;
        pi = 0;
        po = 0;
}
# ./paging.d 5
      pi       po
       0        0
      20    11448
       0     1126
     771        0
      51        0
^C
2. Write a D script that displays the total number of cow_fault and sysfork events that occur every five seconds, to show that when the number of fork system calls increases so does the number of copy-on-write faults. Test your script by running many date and sleep 1 commands in the background in another terminal window.
# cat cow.d
#!/usr/sbin/dtrace -qs
BEGIN
{
        printf("%6s %8s\n", "cows", "forks");
}
vminfo:::cow_fault
{
        ++c;
}
sysinfo:::sysfork
{
        ++f;
}
tick-5sec
{
        printf("%6d %8d\n", c, f);
        c = 0;
        f = 0;
}
# ./cow.d
  cows    forks
   198        9
66 16 0 465 0
3 1 0 21 0
^C
3. Using the io provider probes with the lquantize aggregation function, write a D script that displays a graph of the time taken in milliseconds for every device read. Have the scale of the distribution graph range from 0 to 50 milliseconds (ms), in increments of 1ms. Have the key for the aggregation be the literal string: Read elapsed time:. Test your script by running the following command in another terminal window: grep fubar /usr/share/man/sman1/*. Run the iosnoop.d script (with another similar grep command, grep fubar /usr/share/man/sman5/*) to verify that most of the reads are under 1ms. (Note: because of file caching you only get one try. If you do not see the grep commands in the iosnoop.d output, try another sman directory.)
# cat io.d
#!/usr/sbin/dtrace -qs
io:::start
/args[0]->b_flags & B_READ/
{
        /* Remember when each read buffer was issued, keyed by device and block. */
        start[args[0]->b_edev, args[0]->b_blkno] = timestamp;
}
io:::done
/start[args[0]->b_edev, args[0]->b_blkno]/
{
        /* Elapsed time in milliseconds; timestamp is in nanoseconds. */
        this->elapsed = (timestamp - start[args[0]->b_edev, args[0]->b_blkno]) / 1000000;
        @["Read elapsed time:"] = lquantize(this->elapsed, 0, 50, 1);
        /* Clear the entry so the array does not grow without bound. */
        start[args[0]->b_edev, args[0]->b_blkno] = 0;
}
# ./io.d
^C
  Read elapsed time:
           value  ------------- Distribution ------------- count
             < 0 |                                         0
               0 |@@@@@@@@@@@@@@@@@@@@@@@@                 775
               1 |@@@                                      83
               2 |@@                                       49
               3 |@@                                       78
               4 |@@                                       76
               5 |@@                                       59
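To see exactly how the lquantize(elapsed,0,50,1) aggregation in io.d sorts latencies into the rows shown above, here is an added Python model (not part of the Sun lab, and not DTrace's own code) of the bucketing and of dtrace(1M)'s histogram rendering, run over constructed start/done timestamp pairs instead of a live trace. Values below the lower bound land in the "< 0" row and values at or above the upper bound in a ">= 50" row, which the page's output did not reach; the rule for the length of the "@" bar is my approximation of dtrace's, and the function names are mine.

```python
# Constructed sample: (issue time, completion time) in nanoseconds for nine reads,
# the same pair that io.d records at io:::start and io:::done. Not from a real trace.
SAMPLE_IO_NS = [
    (1_000_000, 1_400_000),
    (0, 999_999),
    (5_000_000, 5_000_001),
    (0, 1_500_000),
    (0, 2_000_000),
    (0, 3_999_999),
    (0, 49_000_000),
    (0, 50_000_000),
    (0, 120_000_000),
]


def elapsed_ms(start_ns, done_ns):
    """Same arithmetic as io.d: integer milliseconds from nanosecond timestamps."""
    return (done_ns - start_ns) // 1_000_000


def lquantize(values, lower, upper, step):
    """Bucket values as DTrace's lquantize(expr, lower, upper, step) does.

    Buckets are '< lower', one per step from lower up to but excluding upper,
    and '>= upper'. Returns an insertion-ordered dict of bucket label -> count.
    """
    counts = {"< %d" % lower: 0}
    for edge in range(lower, upper, step):
        counts[str(edge)] = 0
    counts[">= %d" % upper] = 0
    for v in values:
        if v < lower:
            key = "< %d" % lower
        elif v >= upper:
            key = ">= %d" % upper
        else:
            key = str(lower + ((v - lower) // step) * step)
        counts[key] += 1
    return counts


def render(counts, key, width=40):
    """Draw the histogram roughly as dtrace(1M) prints an aggregation.

    Each '@' is one fortieth of the total count (integer division). Rows run
    from one empty bucket before the first non-zero bucket to one after the
    last, which is why the page's output begins with a '< 0' row showing 0.
    """
    total = sum(counts.values())
    header = "------------- Distribution -------------"
    lines = ["  %s" % key, "%16s  %s count" % ("value", header)]
    labels = list(counts)
    nonzero = [i for i, label in enumerate(labels) if counts[label]]
    if not nonzero:
        return lines
    first, last = max(nonzero[0] - 1, 0), min(nonzero[-1] + 1, len(labels) - 1)
    for label in labels[first:last + 1]:
        bar = "@" * (counts[label] * width // total)
        lines.append("%16s |%-*s %d" % (label, width, bar, counts[label]))
    return lines


def read_histogram(samples=SAMPLE_IO_NS, lower=0, upper=50, step=1):
    """The io.d aggregation computed offline from (start, done) pairs."""
    return lquantize([elapsed_ms(s, d) for s, d in samples], lower, upper, step)


if __name__ == "__main__":
    print("\n".join(render(read_histogram(), "Read elapsed time:")))
```

Because io.d divides before aggregating, a read of 999,999 ns is counted in the 0 ms bucket, which is what "under 1ms" means in step 3; the 50 ms and 120 ms samples show where reads slower than the scale go.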
# ./iosnoop.d
COMMAND  DEVICE RW      MS   PID FILE
grep     sd2    R    8.504  1183 <none>
grep     sd2    R    7.127  1183 /usr/share/man/sman5/ANSI.5
grep     sd2    R    0.320  1183 /usr/share/man/sman5/C++.5
grep     sd2    R    0.367  1183 /usr/share/man/sman5/C.5
grep     sd2    R    0.712  1183 /usr/share/man/sman5/CSI.5
grep     sd2    R    0.318  1183 /usr/share/man/sman5/ISO.5
grep     sd2    R    5.016  1183 /usr/share/man/sman5/Intro.5
grep     sd2    R    5.251  1183 /usr/share/man/sman5/Intro.5
grep     sd2    R    0.617  1183 /usr/share/man/sman5/Intro.5
grep     sd2    R    2.039  1183 /usr/share/man/sman5/Intro.5
grep     sd2    R    7.340  1183 /usr/share/man/sman5/MT-Level.5
grep     sd2    R    0.322  1183 /usr/share/man/sman5/POSIX.1.5
grep     sd2    R    6.116  1183 /usr/share/man/sman5/POSIX.2.5
grep     sd2    R    0.325  1183 /usr/share/man/sman5/POSIX.5
grep     sd2    R    0.549  1183 /usr/share/man/sman5/SEAM.5
grep     sd2    R    2.844  1183 /usr/share/man/sman5/SEAM.5
grep     sd2    R    0.322  1183 /usr/share/man/sman5/SUS.5
grep     sd2    R    0.201  1183 /usr/share/man/sman5/SUSv2.5
grep     sd2    R    0.328  1183 /usr/share/man/sman5/SUSv3.5
grep     sd2    R    0.304  1183 /usr/share/man/sman5/SVID.5
grep     sd2    R    0.202  1183 /usr/share/man/sman5/SVID3.5
grep     sd2    R    0.310  1183 /usr/share/man/sman5/XNS.5
grep     sd2    R    0.309  1183 /usr/share/man/sman5/XNS4.5
grep     sd2    R    0.200  1183 /usr/share/man/sman5/XNS5.5
grep     sd2    R    0.315  1183 /usr/share/man/sman5/XPG.5
grep     sd2    R    0.316  1183 /usr/share/man/sman5/XPG3.5
grep     sd2    R    0.227  1183 /usr/share/man/sman5/XPG4.5
grep     sd2    R    0.325  1183 /usr/share/man/sman5/XPG4v2.5
grep     sd2    R    0.469  1183 /usr/share/man/sman5/advance.5
grep     sd2    R    0.206  1183 /usr/share/man/sman5/architecture.5
grep     sd2    R    3.857  1183 /usr/share/man/sman5/ascii.5
grep     sd2    R    0.516  1183 /usr/share/man/sman5/attributes.5
grep     sd2    R    0.791  1183 /usr/share/man/sman5/attributes.5
grep     sd2    R    0.511  1183 /usr/share/man/sman5/attributes.5
grep     sd2    R    0.441  1183 /usr/share/man/sman5/attributes.5
grep     sd2    R    0.466  1183 /usr/share/man/sman5/audit_binfile.5
grep     sd2    R    0.625  1183 /usr/share/man/sman5/audit_syslog.5
grep     sd2    R    0.687  1183 /usr/share/man/sman5/audit_syslog.5
^C
4. Re-write the timesys.d D script shown on [page 2-46] so that it accepts the executable command name as an argument instead of only working with the grep command. Test your script with an ls command that you enter in another terminal window.
# cat timesys2.d
#!/usr/sbin/dtrace -qs
BEGIN
{
        printf("\nSystem Call Times for %s:\n\n", $1);
        printf("%20s\t%10s\n", "Syscall", "Microseconds");
}
syscall:::entry
/execname == $1/
{
        name[probefunc] = timestamp;
        self->start = 1;
}
syscall:::return
/self->start/
{
        printf("%20s\t%10d\n", probefunc, (timestamp - name[probefunc]) / 1000);
        self->start = 0;
}
/* Stop when the traced command exits, not when any other process does. */
syscall::rexit:entry
/execname == $1/
{
        exit(0);
}
# ./timesys2.d '"ls"'

System Call Times for ls:

             Syscall    Microseconds
                mmap              49
         resolvepath              45
         resolvepath              63
                stat              39
                open              53
                stat              33
                open              30
                mmap              37
...
          setcontext              34
           getrlimit              23
              getpid              17
          setcontext              23
                 brk              23
                 brk              27
                stat              45
               gtime              20
               ioctl              76
                 brk              19
...
               write              69
               write              67
               write              68
               write              94
               write              68
               write              66
               write              65
               write              66
               write              65
#
5. Write a pagefault.d D script that follows all the functions used in handling a page fault. Have it trace starting with the kernel function pagefault(). Invoke the script with the -F option of the dtrace(1M) command.
# cat pagefault.d
#!/usr/sbin/dtrace -s
fbt::pagefault:entry
{
        self->start = 1;
}
fbt::pagefault:return
/self->start/
{
        exit(0);
}
fbt:::
/self->start/
# dtrace -F -s pagefault.d
dtrace: script 'pagefault.d' matched 31656 probes
CPU FUNCTION
  0  -> pagefault
  0    -> as_fault
  0      -> as_segat
  0        -> avl_find
  0          -> as_segcompar
  0          <- as_segcompar
...
  0      -> fop_getpage
  0        -> ufs_getpage
  0          -> ufs_lockfs_begin_getpage
  0            -> tsd_get
  0            <- tsd_get
  0            -> tsd_agent_get
  0            <- tsd_agent_get
  0            -> ufs_lockfs_is_under_rawlockfs
  0              -> mutex_owner
  0              <- mutex_owner
  0            <- ufs_lockfs_is_under_rawlockfs
  0          <- ufs_lockfs_begin_getpage
  0          -> rw_owner
  0          <- rw_owner
...
  0          <- page_lookup
  0          -> page_lookup_create
  0            -> page_try_reclaim_lock
  0            <- page_try_reclaim_lock
  0            -> page_reclaim
  0              -> page_list_sub
  0                -> page_sub
  0                <- page_sub
  0                -> page_ctr_sub
  0                <- page_ctr_sub
...
  0          <- sfmmu_select_tsb_szc
  0          -> sfmmu_hat_exit
  0          <- sfmmu_hat_exit
  0        <- sfmmu_check_page_sizes
  0      <- hat_memload
  0      -> page_unlock
  0      <- page_unlock
  0    <- segvn_faultpage
  0    <- segvn_fault
  0  <- as_fault
  0  <- pagefault
#
Section IV
Practice the Internet Protocol (IP) changes in the OS
Practice the network file system (NFS) changes in the OS
Practice the security feature changes in the OS
Practice other networking feature changes in the OS
Lab 7
Configure Quality of Service (QoS) files
Explore the routeadm(1M) command in the Solaris Operating System (Solaris OS) startup scripts
Configure routing using routeadm(1M)
Preparation
This lab requires no special preparation.
ipqos(7ipp) ipqosconf(1M)
3. Using the appropriate command, display the current Internet Protocol (IP) Quality of Service (IPQoS) settings.
4. Flush the current settings for IPQoS.
5. Use the kstat(1M) command to output statistics for module ipgpc.
6. Create the following ipqos configuration file:
a. Create an action using module ipgpc. (Hint: See the /etc/inet/ipqosconf.1.sample file.)
b. Add a class named ftp with next action called dmark1.
c. Add a filter called ftpout, with direction LOCAL_OUT, dport 21 and class ftp.
d. Create another action using module dscpmk, with name dmark1, and set the Differentiated Services Code Point (DSCP) code point to 001110=14.
e. Set the next action to acct1.
f. Create an action using module flowacct. Use timer 10, timeout 30, and set the global statistic to true.
g. This will be the last action.
7. Configure your system with the file you created. (Use the -v option for verbose output, and make corrections as needed.)
8. Display the configuration using the ipqosconf command.
9. Use File Transfer Protocol (FTP) and attempt to connect to one of the other servers in the pod.
10. Use the kstat(1M) command to display statistics.
11. Use the ipqosconf command to flush the configuration.
d. What command line from the script is used to turn on IP forwarding (IP version 4 [IPv4]), if needed?
e. Under what condition is IP forwarding and routing used if the machine is using IPv6?
f. Describe the default behavior for IP forwarding (IPv4 and IPv6) and routing (IPv4 and IPv6). Include the /etc/defaultrouter file, /etc/notrouter file, number of interfaces, DHCP, and /etc/inet/ndpd.conf file.
3.
a. Make certain the system will retain the setting on a reboot. You may reboot this system. That is, both the eri1 and eri0 interfaces are configured, and the ip_forwarding variable is set to 0.
b. Examine the /etc/inet/routing.conf file; how has it changed?
c. Examine the output of the routeadm command without options; what has changed?
4. Continue with sys-02. Configure this system as a router between the two networks. Configure this system without rebooting it.
a. Verify the IP forwarding setting with ndd.
b. Examine the /etc/inet/routing.conf file.
c. Examine the output of the routeadm command without options.
5. Configure sys-03: enable the eri1 interface and test, and disable the eri0 interface.
6. Configure sys-04: enable the eri1 interface, turn off IP forwarding, and match the /etc/inet/routing.conf file and output from the routeadm command with sys-01. They should be the same. You should not reboot this system. Upon completion, do the following.
a. Verify that sys-01 can ping sys-04.
b. Verify that sys-04 can ping sys-03 and sys-02.
c. Verify that IP forwarding is not turned on for sys-04.
d. Verify that sys-02 is routing packets.
7. Start with sys-04. Restore all systems to the original configuration; use the routeadm command to revert to the defaults. Check the /etc/inet/routing.conf file to confirm the proper settings.
8. Do not reboot sys-02; return it to the default configuration using the routeadm command.
Exercise Summary
Discussion
Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.
Exercise Solutions
Task 1: Configure QoS
1. Log in to the remote server as the root user. Perform steps 2, 3, and 4 to ensure there are no IPQoS settings already configured.
2. ipqos(7ipp), ipqosconf(1M)
3. Using the appropriate command, display the current IPQoS settings.
       # ipqosconf
4. Flush the current settings for IPQoS.
       # ipqosconf -f
5. Use the kstat(1M) command to output statistics for module ipgpc.
       # kstat -m ipgpc
6. Create the following ipqos configuration file:
   a. Create an action using module ipgpc. (Hint: See the /etc/inet/ipqosconf.1.sample file.)
   b. Add a class named ftp with next action called dmark1.
   c. Add a filter called ftpout, with direction LOCAL_OUT, dport 21 and class ftp.
   d. Create another action using module dscpmk, with name dmark1, and set the DSCP code point to 001110 = 14.
   e. Set the next action to acct1.
   f. Create an action using module flowacct. Use timer 10, timeout 30, and set the global statistic to true.
   g. This will be the last action.

       fmt_version 1.0

       action {
           module ipgpc
           # Name must be ipgpc.classify for ipgpc action.
           name ipgpc.classify
           class {
               name ftp
               next_action dmark1
           }
           filter {
               name ftpout
               # Outgoing locally generated traffic.
               direction LOCAL_OUT
               dport 21
               class ftp
           }
       }

       action {
           module dscpmk
           name dmark1
           params {
               dscp_map {0-63:14}
               next_action acct1
           }
       }

       action {
           name acct1
           module flowacct
           params {
               timer 10
               timeout 30
               global_stats TRUE
               max_limit 1024
               next_action continue
           }
       }

7. Configure your system with the file you created. (Use the -v option for verbose output and make corrections as needed.)
       # /usr/sbin/ipqosconf -a ipqos.txt -v
       Notice: IPQoS configuration applied.
8. Display the configuration using the ipqosconf command.
9. Use FTP and attempt to connect to one of the other servers in the pod. A successful connection is not required.
10. Use the kstat(1M) command to display statistics.
       # kstat -m ipgpc
11. Use the ipqosconf command to flush the configuration.
       # ipqosconf -f
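Step 7 relies on ipqosconf -v to report mistakes after the file has been handed to the kernel. The shell function below is an added example, not part of the Sun lab or of Solaris: it checks a file of the form above before ipqosconf -a, following the action/class/filter/params nesting and reporting every next_action that names an action the file never defines (continue and drop are accepted as built-in terminators). It assumes braces are separate tokens, as in the lab's file, and ships with a constructed copy of that file so it runs with sh and awk on any system.

```shell
#!/bin/sh
# Added example (not from the Sun lab): sanity-check an ipqosconf(1M)
# configuration file before ipqosconf -a, by verifying that every
# next_action points at an action defined in the same file.
# Assumption: braces are separate tokens ("action {", "}"), as in the
# lab's file; a "{0-63:14}" map value is a single token and is ignored.

ipqos_check() {  # ipqos_check FILE -> prints dangling references, exit 1 if any
    awk '
    {
        sub(/#.*/, "")                     # strip comments
        for (i = 1; i <= NF; i++) {
            t = $i
            if (t == "{") { depth++; continue }
            if (t == "}") { depth--; continue }
            # depth 1 is the body of an action block; nested class/filter/params
            # blocks are at depth 2, so their "name" tokens are not action names
            if (t == "name" && depth == 1) { actions[$(i+1)] = 1; cur = $(i+1); i++; continue }
            if (t == "next_action") { n++; ref[n] = $(i+1); src[n] = cur; i++; continue }
        }
    }
    END {
        bad = 0
        for (k = 1; k <= n; k++) {
            if (ref[k] == "continue" || ref[k] == "drop") continue   # built-in terminators
            if (!(ref[k] in actions)) {
                printf "next_action %s (referenced from action %s) is not defined\n", ref[k], src[k]
                bad++
            }
        }
        exit bad ? 1 : 0
    }' "$1"
}

# Constructed sample: the lab's ipqos.txt, so the check can be run offline.
ipqos_sample() {  # ipqos_sample FILE
    cat > "$1" <<'EOF'
fmt_version 1.0
action {
    module ipgpc
    name ipgpc.classify
    class { name ftp next_action dmark1 }
    filter { name ftpout direction LOCAL_OUT dport 21 class ftp }
}
action {
    module dscpmk
    name dmark1
    params { dscp_map {0-63:14} next_action acct1 }
}
action {
    name acct1
    module flowacct
    params { timer 10 timeout 30 global_stats TRUE max_limit 1024 next_action continue }
}
EOF
}

# Demonstration: the lab file passes; a misspelled target is reported.
tmp=$(mktemp -d)
ipqos_sample "$tmp/ipqos.txt"
ipqos_check "$tmp/ipqos.txt" && echo "ipqos.txt: all next_action targets resolve"
sed 's/next_action acct1/next_action acct/' "$tmp/ipqos.txt" > "$tmp/broken.txt"
ipqos_check "$tmp/broken.txt" || echo "broken.txt rejected"
rm -rf "$tmp"
```

Run it against the real file with ipqos_check /path/to/ipqos.txt before step 7; a non-zero exit means at least one chain would dead-end at an undefined action.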
       if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
           numdhcp=`/usr/sbin/ifconfig -a4 | /usr/bin/grep -c DHCP`
       else
           numdhcp=0
       fi
       if [ ! -f /etc/notrouter -a $numdhcp -eq 0 -a \
           \( $numifs -gt 2 -o $numptptifs -gt 0 -o -f /etc/gateways \) ]; then
       ...

   d. What command line from the script is used to turn on ip_forwarding (IPv4), if needed?

       routeadmstr="-e ipv4-forwarding"

   e. Under what condition is ip_forwarding and routing used if the machine is using IPv6?

      If the /etc/inet/ndpd.conf file exists.
   f. Describe the default behavior for ip_forwarding (IPv4 and IPv6) and routing (IPv4 and IPv6). Include the /etc/defaultrouter file, /etc/notrouter file, number of interfaces, DHCP, and the /etc/inet/ndpd.conf file.

      ipv4-forwarding
         IPv4 forwarding is disabled if any of the following is true:
         - An interface was configured with DHCP.
         - The /etc/defaultrouter file is non-empty.
         - The /etc/notrouter file exists.
         If all of the preceding are false, then IPv4 forwarding is enabled if at least one of the following is true:
         - There are two or more non-loopback interfaces configured.
         - There is one or more point-to-point interface configured.
         - The /etc/gateways file exists.

      ipv4-routing
         IPv4 routing is disabled if the /etc/defaultrouter file is not empty, and enabled otherwise.

      ipv6-forwarding
         IPv6 forwarding is enabled if both of the following are true:
         - The /etc/inet/ndpd.conf file exists.
         - ...
         Otherwise, IPv6 forwarding is disabled.

      ipv6-routing
         If ipv6-forwarding is enabled, then ipv6-routing is enabled.
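The decision table in answer f is easier to reason about, and to check against a host, as code. The functions below are an added example, not part of the Sun lab or of Solaris: they reproduce the IPv4 forwarding and routing defaults from answer f and the script excerpt in answer d. They take a root prefix, so they can be exercised against a scratch directory instead of a live /etc, and take the three interface counts the rc script derives from ifconfig as arguments; that is the assumption that lets them run on any system.

```shell
#!/bin/sh
# Added example (not from the Sun lab): the ipv4-forwarding / ipv4-routing
# defaults described in answer f, as testable shell functions.
#   ROOT        prefix for /etc (use / on a live system, a temp dir here)
#   NUMDHCP     interfaces configured with DHCP      (script: numdhcp)
#   NUMIFS      all interfaces, loopback included    (script: numifs)
#   NUMPTPTIFS  point-to-point interfaces            (script: numptptifs)
# The interface counts are passed in rather than read from ifconfig so the
# logic can be checked without Solaris.

ipv4_forwarding_default() {  # ipv4_forwarding_default ROOT NUMDHCP NUMIFS NUMPTPTIFS
    root=$1 numdhcp=$2 numifs=$3 numptptifs=$4
    # Any one of these turns forwarding off regardless of the rest.
    if [ -f "$root/etc/notrouter" ] || [ -s "$root/etc/defaultrouter" ] \
        || [ "$numdhcp" -gt 0 ]; then
        echo disabled; return 0
    fi
    # numifs > 2 means two or more interfaces besides loopback.
    if [ "$numifs" -gt 2 ] || [ "$numptptifs" -gt 0 ] \
        || [ -f "$root/etc/gateways" ]; then
        echo enabled; return 0
    fi
    echo disabled
}

ipv4_routing_default() {  # ipv4_routing_default ROOT
    if [ -s "$1/etc/defaultrouter" ]; then echo disabled; else echo enabled; fi
}

explain() {  # explain ROOT NUMDHCP NUMIFS NUMPTPTIFS: one line per setting
    echo "IPv4 forwarding  default ($(ipv4_forwarding_default "$@"))"
    echo "IPv4 routing     default ($(ipv4_routing_default "$1"))"
}

# Demonstration against a scratch root: a two-NIC host like sys-02 in the lab
# becomes a router by default unless /etc/notrouter or a default router exists.
tmp=$(mktemp -d)
mkdir -p "$tmp/etc"
echo "--- two NICs, no /etc/defaultrouter, no /etc/notrouter"
explain "$tmp" 0 3 0
echo "--- same host after: touch /etc/notrouter"
touch "$tmp/etc/notrouter"
explain "$tmp" 0 3 0
rm -rf "$tmp"
```

The point worth keeping in mind from the first function is the precedence: a DHCP-configured interface, a non-empty /etc/defaultrouter or an /etc/notrouter file always wins, so a host that must never forward packets should carry one of them rather than rely on having only one interface.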
   # routeadm
                 Configuration   Current              Current
                        Option   Configuration        System State
   ---------------------------------------------------------------
               IPv4 forwarding   default (disabled)   disabled
                  IPv4 routing   default (disabled)   disabled
               IPv6 forwarding   default (disabled)   disabled
                  IPv6 routing   default (disabled)   disabled

   # cat /etc/inet/routing.conf
   #
   # Parameters for IP forwarding and routing.
   # Do not edit this file by hand -- use routeadm(1m) instead.
   #
   ipv4-forwarding default disabled
   ipv4-routing default disabled
   ipv6-forwarding default disabled
   ipv6-routing default disabled

3. Configure sys-01 using the ifconfig command to add the eri1 interface, create the necessary boot files to enable the eri1 interface on bootup, and use the routeadm command to disable IP forwarding.

   # ifconfig eri1 plumb
   # ifconfig eri1 192.168.1.1 up
   # routeadm -d ipv4-forwarding
   # routeadm -u

   Create the /etc/hostname.eri1 file, add sys-01b to it, and add sys-01b to the /etc/hosts file. When you finish, you should do the following:
   a. Make certain the system will retain the setting on a reboot. You may reboot this system. That is, both the eri1 and eri0 interfaces are configured, and ip_forwarding is set to 0.
   b. Examine the /etc/inet/routing.conf file; how has it changed?

      # cat /etc/inet/routing.conf
      #
      # Parameters for IP forwarding and routing.
      # Do not edit this file by hand -- use routeadm(1m) instead.
      #
      ipv4-forwarding disabled disabled
      ipv4-routing default disabled
      ipv6-forwarding default disabled
      ipv6-routing default disabled

      The ipv4-forwarding entry is now an explicit disabled instead of default, so the setting no longer depends on the interface count at boot.

   c. Examine the output of the routeadm command without options; what has changed?

      # routeadm
                    Configuration   Current              Current
                           Option   Configuration        System State
      ---------------------------------------------------------------
                  IPv4 forwarding   disabled             disabled
                     IPv4 routing   default (disabled)   disabled
                  IPv6 forwarding   default (disabled)   disabled
                     IPv6 routing   default (disabled)   disabled

4. Continue with sys-02. Configure this system as a router between the two networks. Configure this system without rebooting it.

   # ifconfig eri1 plumb
   # ifconfig eri1 192.168.1.2 up
   # routeadm -e ipv4-forwarding -e ipv4-routing
   # routeadm -u

   a. Verify the IP forwarding setting with ndd.

      # ndd -get /dev/ip ip_forwarding
      1

      ndd reports the running kernel value (1 means forwarding is on); routeadm -u is what pushed the routing.conf setting into the kernel without a reboot.

   b. Examine the /etc/inet/routing.conf file.
   c. Examine the output of the routeadm command without options.

5. Configure sys-03: enable the eri1 interface, then test and disable the eri0 interface.

   # ifconfig eri1 plumb
   # ifconfig eri1 192.168.1.3 up

6. Configure sys-04: enable the eri1 interface, turn off IP forwarding, and match the /etc/inet/routing.conf file and the output of the routeadm command with sys-01. They should be the same. You should not reboot this system.

   # ifconfig eri1 plumb
   # ifconfig eri1 192.168.1.4 up
   # routeadm -d ipv4-forwarding
   # routeadm -u

7. Upon completion, do the following:
   a. Verify that sys-01 can ping sys-04.
   b. Verify that sys-04 can ping sys-03 and sys-02.
   c. Verify that IP forwarding is not turned on for sys-04.

8. Start with sys-04. Restore all systems to the original configuration; use the routeadm command to revert to the defaults. Check the /etc/inet/routing.conf file to confirm the proper settings. Do not reboot sys-02; return it to the default configuration using the routeadm command.
   a. sys-04: Remove the /etc/hostname.eri1 file, and remove the entries for the eri1 interface from the /etc/hosts file.
   b. sys-03: Be careful. Enable the eri0 interface, then log out. Log in using the eri0 interface, disable the eri1 interface, and remove the /etc/hostname.eri1 file and the entries in the /etc/hosts file.
   c. sys-02: Remove the /etc/hostname.eri1 file, and remove the entries from the /etc/hosts file.

      # routeadm -d ipv4-forwarding -d ipv4-routing
      # routeadm -r ipv4-forwarding -r ipv4-routing
      # routeadm -u
      # ifconfig eri1 down
      # ifconfig eri1 unplumb

   d. sys-01: Remove the entries in the /etc/hosts file, and remove the /etc/hostname.eri1 file.
Lab 8
- Configuring a Network File System (NFS) version 4 server
- Configuring an NFS version 4 client
- Examining the pseudo-file system
- Examining NFS client behavior when a file system is unshared
Preparation
You will need two machines in the same subnet to perform these labs; one will be used as the NFS client and the other as the NFS server. No other special preparation is required. To start the lab, log in to the remote lab environment.
Copyright 2004 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services, Revision A
4. Use the svcadm command to stop (if necessary) and start the NFS server. If the server is not running, you can just start it. If it is currently running, stop and start the server so that it reads the changes to the /etc/default/nfs file.
5. Verify the file system is shared.
6. Log in to the NFS client machine and verify that the file system is shared.
12. Log in to the NFS client and use the umount(1M) command to remove the mounted file system.
13. On the NFS server, kill the mountd daemon.
14. On the NFS client, re-issue the mount command to mount the remote file system again. Did this command work?
15. On the NFS server, use the showmount(1M) command to show all clients that have mounted the file system.
10. Now attempt to mount the /export_fs/local directory on the mount point.
11. Could you mount the file system?
12. Can you change directory to the mount point?
13. Can you change directory to /mount-point/projects?
14. Can you change directory to /mount-point/projects/nfs4?
15. Change directory to the root directory. Use the mount command to display the current mounts.
16. Use the umount command to remove the mounted file system and verify it is no longer mounted.
17. Change the /etc/default/nfs file and enable NFS version 4 on the client machine.
18. Mount the export_fs file system from the NFS server on the newly created mount point.
19. Could you mount the file system?
20. Can you change directory to the mount point?
21. Use the ls command to list the contents of the directory.
22. Can you change directory to /mount-point/projects?
23. Can you change directory to /mount-point/projects/nfs4?

Exercise Summary
Discussion Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.
Exercise Solutions
Task 1: Configure an NFS Version 4 Server
The purpose of this exercise is to configure an NFS version 4 client and an NFS version 4 server.

1. Select the machine that is to be the server and log in to that machine as the root user.
2. Edit the /etc/default/nfs file to configure the machine as an NFS version 4 only server. (Copy the existing configuration lines and make changes to the copies.)

       sys-04 # vi /etc/default/nfs

   Before:

       # Sets the minimum version of the NFS protocol that will be registered
       # and offered by the server. The default is 2.
       #NFS_SERVER_VERSMIN=2

       # Sets the maximum version of the NFS protocol that will be registered
       # and offered by the server. The default is 3.
       #NFS_SERVER_VERSMAX=3

   After:

       # Sets the minimum version of the NFS protocol that will be registered
       # and offered by the server. The default is 2.
       #NFS_SERVER_VERSMIN=2
       NFS_SERVER_VERSMIN=4

       # Sets the maximum version of the NFS protocol that will be registered
       # and offered by the server. The default is 3.
       #NFS_SERVER_VERSMAX=3
       NFS_SERVER_VERSMAX=4

3. Edit the /etc/dfs/dfstab file and share the /usr/share/man directory. Add the following line to /etc/dfs/dfstab:

       sys-04 # vi /etc/dfs/dfstab
       share -F nfs -o ro /usr/share/man

4. Use the svcadm command to stop (if necessary) and start the NFS server. If the server is not running, you can just start it. If it is currently running, stop and start the server so that it reads the changes to the /etc/default/nfs file.
       sys-04 # svcadm disable svc:/network/nfs/server
       sys-04 # svcadm enable svc:/network/nfs/server

5. Verify the file system is shared.

       sys-04 # dfshares
       RESOURCE                    SERVER ACCESS    TRANSPORT
       sys-04:/usr/share/man       sys-04  -         -

   or...

       sys-04 # share
       -               /usr/share/man   ro   ""

6. Log in to the NFS client machine and verify that the file system is shared.

       sys-01 # dfshares sys-04
       RESOURCE                    SERVER ACCESS    TRANSPORT
       sys-04:/usr/share/man       sys-04  -         -
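Steps 2 and 3 of this task, and the client-side change later in the lab, edit /etc/default/nfs by hand. The script below is an added example, not part of the Sun lab or of Solaris: it applies the same convention (the commented default line stays, an uncommented override is added right after it) to any of the four NFS_*_VERSMIN/VERSMAX variables, and refuses a change that would leave VERSMIN above VERSMAX or a version outside 2..4 before the server is restarted. It works on a constructed copy of the file's two server stanzas; point it at the real /etc/default/nfs to change a host.

```shell
#!/bin/sh
# Added example (not from the Sun lab): edit NFS_*_VERSMIN / NFS_*_VERSMAX
# in an /etc/default/nfs-style file the way the lab does by hand. The
# commented default line is kept and an uncommented override is added
# right after it, so the shipped value stays visible; a change that would
# leave VERSMIN > VERSMAX, or a version outside 2..4, is refused before
# anything is written.

nfs_get() {  # nfs_get FILE VAR -> effective value (override, else commented default)
    v=$(sed -n "s/^$2=\([0-9]*\).*/\1/p" "$1" | tail -1)
    [ -n "$v" ] || v=$(sed -n "s/^#$2=\([0-9]*\).*/\1/p" "$1" | tail -1)
    echo "$v"
}

nfs_set() {  # nfs_set FILE VAR VALUE
    file=$1 var=$2 val=$3
    case $val in 2|3|4) ;; *) echo "nfs_set: $var must be 2, 3 or 4" >&2; return 1 ;; esac
    case $var in
        NFS_SERVER_VERSMIN|NFS_CLIENT_VERSMIN) min=$val; max=$(nfs_get "$file" "${var%MIN}MAX") ;;
        NFS_SERVER_VERSMAX|NFS_CLIENT_VERSMAX) max=$val; min=$(nfs_get "$file" "${var%MAX}MIN") ;;
        *) echo "nfs_set: unsupported variable $var" >&2; return 1 ;;
    esac
    if [ -n "$min" ] && [ -n "$max" ] && [ "$min" -gt "$max" ]; then
        echo "nfs_set: refusing $var=$val, it would leave VERSMIN ($min) > VERSMAX ($max)" >&2
        return 1
    fi
    tmp=$file.tmp.$$
    grep -v "^$var=" "$file" > "$tmp"          # drop an earlier override, if any
    if grep -q "^#$var=" "$tmp"; then            # put the override after the commented default
        sed "/^#$var=/a\\
$var=$val" "$tmp" > "$file"
    else
        { cat "$tmp"; echo "$var=$val"; } > "$file"
    fi
    rm -f "$tmp"
}

# Constructed sample with the two stanzas quoted in the lab (defaults 2 and 3).
nfs_sample() {  # nfs_sample FILE
    cat > "$1" <<'EOF'
# Sets the minimum version of the NFS protocol that will be registered
# and offered by the server. The default is 2.
#NFS_SERVER_VERSMIN=2

# Sets the maximum version of the NFS protocol that will be registered
# and offered by the server. The default is 3.
#NFS_SERVER_VERSMAX=3
EOF
}

# Demonstration: make the server version-4-only, in the order that passes the check.
tmp=$(mktemp -d)
nfs_sample "$tmp/nfs"
nfs_set "$tmp/nfs" NFS_SERVER_VERSMIN 4 || echo "(expected: min 4 > current max 3)"
nfs_set "$tmp/nfs" NFS_SERVER_VERSMAX 4
nfs_set "$tmp/nfs" NFS_SERVER_VERSMIN 4
echo "server offers versions $(nfs_get "$tmp/nfs" NFS_SERVER_VERSMIN)..$(nfs_get "$tmp/nfs" NFS_SERVER_VERSMAX)"
rm -rf "$tmp"
```

The order matters: raising VERSMIN to 4 while VERSMAX is still 3 is refused, which is exactly the state a hand edit of only the first stanza would leave the server in. Raise the maximum first, then the minimum, and restart the server with svcadm as in step 4.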
       sys-01 # vi /etc/default/nfs

       # the NFS client. Can be overridden by the "vers=" NFS mount option.
       # If "vers=" is not specified for an NFS mount, this is the version
       # that will be attempted first. The default is 3.
       #NFS_CLIENT_VERSMAX=3
       NFS_CLIENT_VERSMAX=4

3. Create the /usr/local/man directory to be used as the mount point.

       sys-01 # mkdir -p /usr/local/man

4. Open another terminal on the client and start snoop there.
5. Mount the /usr/share/man directory on the /usr/local/man mount point that you created.

       sys-01 # mount sys-04:/usr/share/man /usr/local/man

6. Examine the snoop command output and observe that NFS version 4 is in use.
7. Use the nfsstat(1M) command to verify that you are using NFS version 4.

       sys-01 # nfsstat -m /usr/local/man
       /usr/local/man from sys-04:/usr/share/man
        Flags: vers=4,proto=tcp,sec=sys,hard,intr,link,symlink,acl,rsize=1048576,wsize=1048576,retrans=5,timeo=600
        Attr cache: acregmin=3,acregmax=60,acdirmin=30,acdirmax=60

8. Test by displaying a man page from the /usr/local/man directory.

       sys-01 # man -M /usr/local/man ls
       ...

9. Log in to the NFS server machine as the root user. Use the rpcinfo(1M) command to verify NFS version 4 is running. Check for the rpcbind and mountd services. Examples:

       sys-04 # /usr/bin/rpcinfo -u localhost rpcbind
       program 100000 version 2 ready and waiting
       program 100000 version 3 ready and waiting
       program 100000 version 4 ready and waiting
       sys-04 # /usr/bin/rpcinfo -u localhost mountd
       rpcinfo: RPC: Program not registered
       program 100005 is not available
10. Did either command indicate NFS version 4 was active? Maybe, if other versions of NFS were run before.
11. Was rpcbind present? Yes.
    If the mountd daemon is running, do the following:
12. Log in to the NFS client and use the umount(1M) command to remove the mounted file system.

        sys-01 # umount /usr/local/man

13. On the NFS server, kill the mountd daemon.

        sys-04 # pkill mountd

14. On the NFS client, re-issue the mount command to mount the remote file system again. Did this command work?

        sys-01 # mount sys-04:/usr/share/man /usr/local/man

    Yes.
15. On the NFS server, use the showmount(1M) command to show all clients that have mounted the file system. Did the command work? If not, why?

        sys-04 # showmount -e
        showmount: sys-04: RPC: Program not registered

    The showmount(1M) command does not work with NFS version 4.

    Note: NFS version 4 does not use the separate MOUNT protocol (RPC program 100005), so you can kill the running mountd daemon and version 4 mounts continue to work. Restart it for other versions of NFS. It is started by the /etc/init.d/nfs.server script if there are shared file systems.
       /export_fs/projects
       /export_fs/local
       /export_fs/payroll
       /export_fs/projects/nfs4
       /export_fs/projects/nfs4x

       sys-04 # mkdir -p /export_fs/projects/nfs4x
       sys-04 # mkdir -p /export_fs/projects/nfs4
       sys-04 # mkdir -p /export_fs/payroll
       sys-04 # mkdir -p /export_fs/local

3. Stop the NFS server, then configure the NFS server to use NFS version 2, version 3, and version 4.

       sys-04 # /etc/init.d/nfs.server stop

       # Sets the maximum version of the NFS protocol that will be registered
       # and offered by the server. The default is 3.
       #NFS_SERVER_VERSMAX=3
       NFS_SERVER_VERSMAX=4

   Remove the NFS_SERVER_VERSMIN=4 line added in Task 1 so that the minimum version reverts to the default of 2; otherwise the server still refuses version 2 and version 3 clients.

4. Edit the /etc/dfs/dfstab file and share the /export_fs/projects/nfs4 and /export_fs/local directories.

       share -F nfs /export_fs/projects/nfs4
       share -F nfs /export_fs/local

5. Restart the NFS server service.
6. Log in to the client machine. Verify that the client supports NFS version 3 and version 2 only.

       # Sets the minimum version of the NFS protocol that will be used by
       # the NFS client. Can be overridden by the "vers=" NFS mount option.
       # The default is 2.
       #NFS_CLIENT_VERSMIN=2

       # Sets the maximum version of the NFS protocol that will be used by
       # the NFS client. Can be overridden by the "vers=" NFS mount option.
       # If "vers=" is not specified for an NFS mount, this is the version
       # that will be attempted first. The default is 3.
       #NFS_CLIENT_VERSMAX=3

7. Create a new mount point.

       sys-01 # mkdir /sys-04

8. Mount the export_fs file system from the NFS server onto the newly created mount point. In a separate window, use snoop to watch the traffic on the network, and verify NFSv3 is being used.
       sys-01 # mount sys-04:/export_fs /sys-04
       nfs mount: sys-04:/export_fs: Permission denied

9. Could you mount the file system? No. With NFS version 3 only the directories listed in dfstab are exported; /export_fs itself is not shared.
10. Try to mount the /export_fs/local directory onto the mount point.

       sys-01 # mount sys-04:/export_fs/local /sys-04

11. Could you mount the file system? Yes.
12. Can you change directory to the mount point? Yes.
13. Can you change directory to /sys-04/projects? No.
14. Can you change directory to /sys-04/projects/nfs4? No.
15. Change directory to the root directory. Use the mount command to display the current mounts.

       sys-01 # mount
       / on /dev/dsk/c0t0d0s0 read/write/setuid/devices/intr/largefiles/logging/xattr/onerror=panic/dev=800018 on Sat Jul 10 09:18:20 2004
       /devices on /devices read/write/setuid/devices/dev=4800000 on Sat Jul 10 09:18:17 2004
       /proc on proc read/write/setuid/devices/dev=4840000 on Sat Jul 10 09:18:20 2004
       /etc/mnttab on mnttab read/write/setuid/devices/dev=4900001 on Sat Jul 10 09:18:20 2004
       /dev/fd on fd read/write/setuid/devices/dev=4940001 on Sat Jul 10 09:18:20 2004
       /var on /dev/dsk/c0t0d0s3 read/write/setuid/devices/intr/largefiles/logging/xattr/onerror=panic/dev=80001b on Sat Jul 10 09:18:41 2004
       /var/run on swap read/write/setuid/devices/xattr/dev=49c0001 on Sat Jul 10 09:18:41 2004
       /tmp on swap read/write/setuid/devices/xattr/dev=49c0002 on Sat Jul 10 09:18:41 2004
       /sys-04 on sys-04:/export_fs/local remote/read/write/setuid/devices/xattr/dev=4ac0016 on Sat Jul 10 16:50:03 2004
16. Use the umount command to remove the mounted file system and verify it is no longer mounted.

       sys-01 # umount /sys-04
       sys-01 # mount
       / on /dev/dsk/c0t0d0s0 read/write/setuid/devices/intr/largefiles/logging/xattr/onerror=panic/dev=800018 on Sat Jul 10 09:18:20 2004
       /devices on /devices read/write/setuid/devices/dev=4800000 on Sat Jul 10 09:18:17 2004
       /proc on proc read/write/setuid/devices/dev=4840000 on Sat Jul 10 09:18:20 2004
       /etc/mnttab on mnttab read/write/setuid/devices/dev=4900001 on Sat Jul 10 09:18:20 2004
       /dev/fd on fd read/write/setuid/devices/dev=4940001 on Sat Jul 10 09:18:20 2004
       /var on /dev/dsk/c0t0d0s3 read/write/setuid/devices/intr/largefiles/logging/xattr/onerror=panic/dev=80001b on Sat Jul 10 09:18:41 2004
       /var/run on swap read/write/setuid/devices/xattr/dev=49c0001 on Sat Jul 10 09:18:41 2004
       /tmp on swap read/write/setuid/devices/xattr/dev=49c0002 on Sat Jul 10 09:18:41 2004

17. Change the /etc/default/nfs file and enable NFS version 4 on the client machine.

       # Sets the maximum version of the NFS protocol that will be used by
       # the NFS client. Can be overridden by the "vers=" NFS mount option.
       # If "vers=" is not specified for an NFS mount, this is the version
       # that will be attempted first. The default is 3.
       NFS_CLIENT_VERSMAX=4

18. Mount the export_fs file system from the NFS server onto the newly created mount point.

       sys-01 # mount sys-04:/export_fs /sys-04

19. Could you mount the file system? Yes. With version 4 the server presents a single pseudo-file system, so /export_fs can be mounted even though only its subdirectories are shared.
20. Can you change directory to the mount point? Yes.
21. Use the ls command to list the contents of the directory.

       sys-01 # ls
       local    projects

22. Can you change directory to /mount-point/projects? Yes.
Lab 9
- Using the user-level Solaris Operating System (Solaris OS) Cryptographic Framework (SCF) utilities
- Examining administration tasks for SCF
- Configuring the Solaris OS Internet Protocol (IP) Filter firewall
- Configuring Network Address Translation (NAT) in the Solaris IP Filter
Preparation
Log in to the remote lab systems.
2. You use the /dev/urandom random device and the dd(1M) command to generate and store key material in a file. The dd(1M) command takes as an option a block size in bytes. You must convert the listed key size in bits to bytes by dividing the size by eight. Find the key size in bytes for a 3DES key.
3. The following command generates a key file called 3des.key.

       # dd if=/dev/urandom of=/var/tmp/3des.key bs=24 count=1

   The bs value is the block size in bytes and count is the number of blocks to output.
4. You now encrypt a file using 3DES. SCF limits the key size for encryption to 128 bits to meet export regulations. The 192-bit 3DES key is a combination of three 64-bit keys: Data Encryption Standard (DES) uses a 64-bit key, actually a 56-bit key and eight bits of parity, and 3DES uses three DES keys. Use the encrypt(1M) utility to encrypt the /usr/share/man/man1/bash.1 file and store the encrypted file in the /var/tmp directory.
5. Examine the original file using the strings(1) command.
6. Examine the output file using the same command.
7. Now decrypt the file and save the decrypted output to the /var/tmp directory.
8. Verify the output file is no longer encrypted. Did this operation remove the encrypted file?
9. Create a new key and save it to a file; this key should be 128 bits.
10. Now attempt to encrypt the bash.1 file using the new key.
11. Record the error code indicating an invalid key value.
    _____________________________________________________________
    _____________________________________________________________
12. The SCF limits encryption key size to 128 bits for export reasons. However, this limit does not apply to keyed hash mechanisms. List the key requirements for the mac(1M) utility mechanisms.
13. Create a 512-bit key using the steps described earlier.
14. Create a keyed digest of the file bash.1.
15. Copy the /etc/hosts file to the /var/tmp directory.
16. Use the digest(1M) command to create a digest of the /var/tmp/hosts file.
17. Edit the /var/tmp/hosts file and add a line to the file.
18. Create a digest of the file again using the same mechanism.
19. Remove the line you added in a previous step and re-compute the digest.
20. Create a key suitable for use with the ARCFOUR encryption mechanism.
21. The ARCFOUR algorithm is suitable for encrypting streams of data. In this exercise, you create a tar file of the ./inet/* files, encrypt the resulting archive, and save the output to the /var/tmp directory in one step. Change directory to the /etc directory.
22. Use the tar command to archive the contents of the ./inet directory, pipe the output to the encrypt command, and save the resulting file in the /var/tmp directory.
23. Change directory to /var/tmp and verify the file is encrypted.
24. Decrypt and extract the tar file to the /var/tmp/ directory.
- Start and stop the kcfd(1M) daemon
- Load and unload user-level, kernel software, and kernel hardware providers
- Set a policy to allow or deny access to specific providers or mechanisms that a provider uses

1. The cryptoadm command lists providers and mechanisms. To do so, you use the list option or the list option with arguments. Use the cryptoadm commands in the following formats to compare the different output.

   A brief listing:

       # cryptoadm list
       user-level providers:
           /usr/lib/security/$ISA/pkcs11_kernel.so
           /usr/lib/security/$ISA/pkcs11_softtoken.so
       kernel software providers:
           des
           aes
           arcfour
           blowfish
           sha1
           md5
           rsa
       kernel hardware providers:

   List the mechanisms for all installed providers:

       # cryptoadm list -m
       user-level providers:
       =====================
       /usr/lib/security/$ISA/pkcs11_kernel.so: no slots presented.
       /usr/lib/security/$ISA/pkcs11_softtoken.so: CKM_DES_CBC,CKM_DES_CBC_PAD ...

       kernel software providers:
       ==========================
       des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
       aes: CKM_AES_ECB,CKM_AES_CBC
       arcfour: CKM_RC4
       blowfish: CKM_BF_ECB,CKM_BF_CBC
       sha1: CKM_SHA_1,CKM_SHA_1_HMAC,CKM_SHA_1_HMAC_GENERAL
       md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
       rsa: CKM_RSA_PKCS,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS

       kernel hardware providers:

   List mechanisms for a specific installed provider:

       # cryptoadm list -m rsa
       rsa: CKM_RSA_PKCS,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS

   Listing the policy for all providers (which mechanisms are enabled):

       # cryptoadm list -p
       user-level providers:
       =====================
       /usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled.
       /usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled.

       kernel software providers:
       ==========================
       des: all mechanisms are enabled.
       aes: all mechanisms are enabled.
       arcfour: all mechanisms are enabled.
       blowfish: all mechanisms are enabled.
       sha1: all mechanisms are enabled.
       md5: all mechanisms are enabled.
       rsa: all mechanisms are enabled.

       kernel hardware providers:

   Listing the policy for a specific provider:

       # cryptoadm list -p /usr/lib/security/'$ISA'/pkcs11_softtoken.so
       /usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled.

2. The administrator might need to disable a specific mechanism if a problem is found with the algorithm, making it undesirable for use, or if another provider's implementation is more robust. In this example, you disable the user-level provider's mechanisms for the DES algorithm. First list the mechanisms for the user-level provider pkcs11_softtoken.so.
3. Find all of the mechanisms for DES and use the disable option to disable them. (Hint: All mechanisms for an algorithm are grouped together in the output of the previous command.)
4. Now attempt to encrypt the /etc/hosts file using the DES mechanism. It is unnecessary to generate a key file. Omit the -k option from the previous tasks and type in random keys when you are prompted for a key. What was the result?
   _____________________________________________________________
   _____________________________________________________________
   _____________________________________________________________
5. List the available mechanisms for the user-level provider.
6. You can enable a provider's mechanisms by using the enable option. You can list the mechanisms to enable or use the special keyword all. Enable all user-level mechanisms.
7. List the available mechanisms to verify they are enabled.
8. The refresh option allows the administrator to see an updated list of provider information. You would use the refresh option after installing and configuring a hardware provider or installing a software provider package. You also use the refresh option if a kernel provider is temporarily removed. Use the unload option to unload the kernel software provider blowfish.
9. List the providers to see the result of the last command.
10. Now use the refresh option to restore the kernel software provider blowfish, and then repeat the previous listing.
11. The administrator might need to uninstall a kernel-level provider if site policy forbids the use of its mechanisms or for other reasons. The uninstall option is used to remove a provider. First list the providers and mechanisms. You need the list of mechanisms for RSA to proceed. Cut and paste the mechanism listing for the kernel provider rsa into a file or another shell window.
12. Use the uninstall option to remove RSA.
13. List the providers and note that RSA is no longer listed.
14. To install the provider, you can use the install option. This command requires that you supply the mechanism operands. Use the install option to re-install RSA, adding the space-delimited mechanism list that you saved in a previous step.
15. Confirm the RSA provider is installed.
8. Note that the ping command from the test host has not resumed. Use the ipfstat(1M) command to display the current inbound and outbound filters.
9. Use the ipf -D command to disable the filter.
10. Use the ipf -E command to re-enable the filter.
11. Use the ipf(1M) command to flush the current rule set.
12. Check the filters again with the ipfstat command. In a few moments you should observe the ping command from the test host resume. You can stop the ping command after it resumes.
13. Add a new rule to the /etc/ipf/ipf.conf file to allow the ssh command to run from anywhere to the filter host and keep state.
14. Add the rules to the kernel module and test by using secure shell from the test host to the filter host.

    Note: If the ssh(1) command is not configured for root access, you must edit the /etc/ssh/sshd_config file and change the PermitRootLogin variable from the default no value to yes. This is a lab convenience only; set PermitRootLogin back to no when the exercise is finished.

15. Use the ipmon(1M) command to examine the state information.
16. On the test host, end the secure shell session and attempt to use the telnet command to connect to the filter host. Allow the attempt to continue.
17. On the filter host, use the ipfstat command to examine the blocked input packets. Execute the command two or three times and observe the increase in the number of blocked packets recorded.
18. Edit the /etc/syslog.conf file and add a line to log auth.info to the file /var/log/authlog. Stop and start syslog.
19. The reason the blocked packet count increased when you observed it with the ipfstat -ihn command is that the filter drops packets silently, so the telnet client retries the connection to the filter host several times. You now edit the rule to log packets that are blocked and to send a packet with the RST flag set in response to telnet connections.
20. Make the following edit to the block rule. Flush and add the new rule set to the kernel module.

        block in log level auth.info all

21. Attempt to use the telnet command to connect from the test host to the filter host, and apply the tail command to the /var/log/authlog file on the filter host.
22. On the filter host, use the ipmon command to examine the logs.
23. Make the following edits to the /etc/ipf/ipf.conf file:

        block in log level auth.info all
        block return-rst in quick on eri0 proto tcp from any to 192.168.201.22/32 port = 23
        pass in quick on eri0 proto tcp from any to 192.168.201.22/32 port = 22 keep state

    Because ipf applies the last matching rule unless a rule says quick, the first line is the catch-all and the two quick rules that follow decide telnet and ssh on their own.
24. Flush the existing rules and add the new set.
25. Telnet from the test host to the filter host, and observe the results.
26. In this step, you create a second rule set. It is added to the kernel as an inactive rule set. You switch between the active and inactive rule sets to test one and return to the other. Copy the /etc/ipf/ipf.conf file to the /etc/ipf/ipf2.conf file and append the following:

        pass in quick on eri0 proto icmp from any to \
            192.168.201.22 icmp-type echo keep state
        pass in quick on eri0 proto icmp from any to \
            192.168.201.22 icmp-type echorep keep state
        pass in quick on eri0 proto icmp from any to \
            192.168.201.22 icmp-type unreach code needfrag

    These added rules allow Internet Control Message Protocol (ICMP) ping requests and ping replies and allow the ICMP messages indicating a packet must be fragmented. The rules can be entered as three lines or with the line continuation. The ipf(1M) command accepts both.
27. Add an inactive rule set to the ipf kernel module:

        # ipf -I -f /etc/ipf/ipf2.conf

28. List the current inbound rules using the ipfstat command.
29. Now list the inactive rule set in the kernel. Use the same ipfstat command, but with the addition of the -I option.
30. To switch between rule sets in the kernel, use the -s option to the ipf command.
31. Test the new rules by attempting to send multiple pings to the filter host from the test host. Use the ipf command to switch active rule sets while the ping command is executing.
32. To remove an inactive rule set from the kernel, use the ipf -IFa command.
   Note: You might find it more convenient to enable the internal interface of a third host and use the telnet command to connect to the test host on the internal side. The next steps require that you unplumb the primary interface on the test host; if you use the nts, it can time out, forcing you to log in again.

5. Log in to the test host using the network terminal server (nts). You must disable the primary interface, flush the route table, and add a route to the internal interface of the NAT router (filter host).
6. On the NAT router, you must enable and verify IP forwarding.
7. From the test host, ping the outside network address of one of the systems in the pod. In this example, system three at 192.168.201.24 is used. Use the ping -s command to set up a continuous ping.
8. On the NAT router, use the snoop -r -d eri1 command to examine the ping command traffic being received on the 192.168.100.22 interface. Note that the traffic originates from the test host's IP address and is intended for 192.168.201.24. Now stop the snoop command on the eri1 interface and execute the snoop -r -d eri0 192.168.201.24 command (in this case, the -d option is not necessary but is included for clarity). Note that the packets appear to originate from the NAT router's IP address.
9. Next, you examine Port Address Translation (PAT). This requires that you use the snoop command on both interfaces of the NAT router. You must open three shells on that host, two for snoop commands and one for ipnat(1M) commands.
10. On the NAT router, edit the /etc/ipf/ipnat.conf file and change the current rule to the following:

        map eri0 192.168.100.0/24 -> 192.168.201.22/32 \
            portmap tcp/udp 40000:50000

11. Flush the existing NAT rules and add the new rule.
12. In one shell on the NAT router, use the snoop -r -v -d eri1 192.168.100.25 command to examine inbound packets from the test host. In another shell, use the snoop -r -v -d eri0 192.168.201.24 command to examine the outbound packets destined for the target host. Substitute the correct IP addresses for your test and NAT hosts.
13. When both snoop commands are set up, use the telnet command to connect from the test host to the destination host. Examine the two snoop command outputs and note that the port address is translated.
14. The ipnat(1M) command lists the current mappings and active sessions. The active session portion of the output of this command also shows the port mapping and can be useful when troubleshooting one of many active sessions.
15. The ipmon(1M) command can also be used to monitor NAT information.
This rule redirects connections from port 23 on 192.168.201.22 (sys-02) to port 23 on 192.168.100.21 (eri1 of sys-01).
7. Add the rule to Solaris IP Filter.
8. Log in to sys-04 and initiate a telnet session from sys-04 to sys-02. This telnet connection connects you to sys-01.
Exercise Summary
Discussion
Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.
Exercise Solutions
Task 1 Using the User-Level SCF Utilities
The purpose of this exercise is to understand how customers might use the SCF's user-level utilities. The encrypt(1M) and mac(1M) utilities require input keys. The length of the key depends on the mechanism used. To determine the key length, these commands have list options that display the minimum and maximum key length in bits. The first step in this exercise demonstrates how to generate a key.
1. Determine the key length needed. For both the mac(1M) and encrypt(1M) commands, you can use the -l option to list key lengths. List the key lengths for the mechanisms that these utilities support.
# mac -l
Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
des_mac                    64    64
sha1_hmac                   8   512
md5_hmac                    8   512
# encrypt -l
Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
aes                       128   128
arcfour                     8   128
des                        64    64
3des                      192   192
2. You use the /dev/urandom random device and the dd(1M) command to generate and store key material in a file. The dd(1M) command takes as an option a block size in bytes. You must convert the listed key size in bits to bytes by dividing the size by eight. Find the key size in bytes for a 3DES key.
192 / 8 = 24 bytes
3. The following command generates a key file called 3des.key.
# dd if=/dev/urandom of=/var/tmp/3des.key bs=24 count=1
The bs value is the block size in bytes and count is the number of blocks to output. The key file is created with the current umask; restrict it to its owner (chmod 600) before use, because anyone who can read the file can decrypt or forge anything protected with that key.
4. You now encrypt a file using 3DES. SCF limits the key size for encryption to 128 bits to meet export regulations. The 192-bit 3DES key is a combination of three 64-bit DES keys. Data Encryption Standard (DES) uses a 64-bit key: actually a 56-bit key and eight bits of parity. 3DES uses three DES keys. Use the encrypt(1M) utility to encrypt the /usr/share/man/man1/bash.1 file and store the encrypted file in the /var/tmp directory.
# encrypt -a 3des -k /var/tmp/3des.key -i \
/usr/share/man/man1/bash.1 -o /var/tmp/bash.1.encrypt
5. Examine the original file using the strings(1) command. Examine the output file using the same command.
# strings /var/tmp/bash.1.encrypt
6. Now decrypt the file and save the decrypted output to the /var/tmp directory.
# decrypt -a 3des -k /var/tmp/3des.key -i \
/var/tmp/bash.1.encrypt -o /var/tmp/bash.1
7. Verify that the output file is no longer encrypted.
# strings /var/tmp/bash.1
8. Did this operation remove the encrypted file?
No.
9. Create a new key and save it to a file; this key should be 128 bits.
# dd if=/dev/urandom of=/var/tmp/128bit.key bs=16 count=1
10. Now attempt to encrypt the bash.1 file using the new key.
# encrypt -a 3des -k /var/tmp/128bit.key -i \
/usr/share/man/man1/bash.1 -o /var/tmp/bash.1.encrypt
11. Record the error code indicating an invalid key value.
encrypt: failed to generate a key: CKR_ATTRIBUTE_VALUE_INVALID
12. The SCF limits encryption key size to 128 bits for export reasons. However, this limit does not apply to keyed hash mechanisms. List the key requirements for the mac(1M) utility mechanisms.
# mac -l
Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
des_mac                    64    64
sha1_hmac                   8   512
md5_hmac                    8   512
13. Create a 512-bit key using the steps described earlier.
# dd if=/dev/urandom of=/var/tmp/512bit.key \
bs=64 count=1
14. Create a keyed digest of the file bash.1.
# mac -a md5_hmac -k /var/tmp/512bit.key \
/usr/share/man/man1/bash.1
6fc2a3f74a74140248158bd2ef18cb64
15. Copy the /etc/hosts file to the /var/tmp directory.
# cp /etc/hosts /var/tmp
16. Use the digest(1) command to create a digest of the /var/tmp/hosts file.
# digest -a sha1 /var/tmp/hosts
81ec58a6be6e255ddae99f8ae1fb3e18bb9403f4
17. Edit the /var/tmp/hosts file and add a line to the file.
# vi /var/tmp/hosts
18. Create a digest of the file again using the same mechanism.
# digest -a sha1 /var/tmp/hosts
2386f728194d07d7bf4297c3a7308153c3c16c47
19. Remove the line you added in the previous step and recompute the digest. It matches the original digest, because the digest depends only on the file contents.
# digest -a sha1 /var/tmp/hosts
81ec58a6be6e255ddae99f8ae1fb3e18bb9403f4
20. Create a key suitable for use with the ARCFOUR encryption mechanism. A 4-byte (32-bit) key satisfies the 8-bit minimum that encrypt -l reports, but it is far too short for real use and is used here only to exercise the tool.
# dd if=/d/urandom of=/var/tmp/arc.key bs=4 count=1
21. The ARCFOUR algorithm is suitable for encrypting streams of data. In this exercise, you create a tar file of the ./inet/* files, encrypt the resulting stream, and save the output to the /var/tmp directory in one step. Change directory to the /etc directory.
# cd /etc
22. Use the tar command to archive the contents of the ./inet directory, pipe the output to the encrypt command, and save the resulting file to the /var/tmp directory.
# tar cvf - ./inet | encrypt -a arcfour \
-k /var/tmp/arc.key -o /var/tmp/tarencrypt
23. Change directory to /var/tmp and verify that the file is encrypted.
# cd /var/tmp
# strings ./tarencrypt
24. Decrypt and extract the tar file to the /var/tmp directory.
# decrypt -a arcfour -k /var/tmp/arc.key \
-i ./tarencrypt | tar xvf -
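The key-generation steps of Task 1 (steps 1 through 3, 9 through 11, 13 and 20) follow one rule: read the key range from the -l listing, divide by eight, and feed that to dd. The following shell functions are an added example, not part of the Sun course, that automate exactly that and check a key file against the mechanism's limits before it is handed to encrypt(1M) or mac(1M); the key-size table is copied from the mac -l and encrypt -l listings above, and the file names used in the comments are the ones from the exercise.

```shell
# Added example, not part of the Sun course text: turn the key lengths that
# "mac -l" and "encrypt -l" report into dd(1M) block sizes, generate the key
# from /dev/urandom, and check a key file against the mechanism's limits before
# use (the check encrypt(1M) itself performs when it rejects a 128-bit key for
# 3des with CKR_ATTRIBUTE_VALUE_INVALID). The size table is copied from the
# listings above.

# key_range MECHANISM -> "min max" in bits, from the -l listings above.
key_range() {
    case $1 in
        aes)       echo "128 128" ;;
        arcfour)   echo "8 128" ;;
        des)       echo "64 64" ;;
        3des)      echo "192 192" ;;
        des_mac)   echo "64 64" ;;
        sha1_hmac) echo "8 512" ;;
        md5_hmac)  echo "8 512" ;;
        *)         return 1 ;;
    esac
}

# bits_to_bytes BITS -> dd block size; rejects lengths that are not whole bytes.
bits_to_bytes() {
    [ $(( $1 % 8 )) -eq 0 ] || return 1
    echo $(( $1 / 8 ))
}

# key_ok MECHANISM KEYFILE -> 0 if the file length is within the mechanism's
# key range, 1 otherwise (or if the mechanism is unknown).
key_ok() {
    range=$(key_range "$1") || return 1
    min=${range% *}; max=${range#* }
    bits=$(( $(wc -c < "$2") * 8 ))
    [ "$bits" -ge "$min" ] && [ "$bits" -le "$max" ]
}

# gen_key BITS KEYFILE -> write BITS/8 random bytes, e.g. gen_key 192 /var/tmp/3des.key.
# dd creates the file with the current umask, so run it under umask 077 and
# leave the key readable by its owner only.
gen_key() {
    bs=$(bits_to_bytes "$1") || return 1
    ( umask 077 && dd if=/dev/urandom of="$2" bs="$bs" count=1 2>/dev/null ) || return 1
    chmod 600 "$2"
}
```

With these, step 10's failure is predictable before encrypt is run: key_ok 3des /var/tmp/128bit.key returns 1 because 128 bits is below the 192-bit minimum for 3des, while the same file passes for aes and for the HMAC mechanisms.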
The cryptoadm(1M) command is used to:
- Start and stop the kcfd(1M) daemon
- Load and unload user-level, kernel software, and kernel hardware providers
- Set a policy to allow or deny access to specific providers or mechanisms that a provider uses
The cryptoadm command lists providers and mechanisms. To do so, you use the list option alone or with arguments. Use the cryptoadm command in the following formats and compare the different output.
1. A brief listing:
# cryptoadm list
user-level providers:
/usr/lib/security/$ISA/pkcs11_kernel.so
/usr/lib/security/$ISA/pkcs11_softtoken.so

kernel software providers:
	des
	aes
	arcfour
	blowfish
	sha1
	md5
	rsa

kernel hardware providers:

List the mechanisms for all installed providers:
# cryptoadm list -m
user-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: no slots presented.
/usr/lib/security/$ISA/pkcs11_softtoken.so: CKM_DES_CBC,CKM_DES_CBC_PAD ...

kernel software providers:
==========================
des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
aes: CKM_AES_ECB,CKM_AES_CBC
arcfour: CKM_RC4
blowfish: CKM_BF_ECB,CKM_BF_CBC
sha1: CKM_SHA_1,CKM_SHA_1_HMAC,CKM_SHA_1_HMAC_GENERAL
md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
rsa: CKM_RSA_PKCS,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS

kernel hardware providers:
==========================

List the mechanisms for a specific installed provider:
# cryptoadm list -m provider=rsa
rsa: CKM_RSA_PKCS,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS
List all providers and the policy (which mechanisms are enabled) for each:
# cryptoadm list -p
user-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: all mechanisms are enabled.
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled.

kernel software providers:
==========================
des: all mechanisms are enabled.
aes: all mechanisms are enabled.
arcfour: all mechanisms are enabled.
blowfish: all mechanisms are enabled.
sha1: all mechanisms are enabled.
md5: all mechanisms are enabled.
rsa: all mechanisms are enabled.

kernel hardware providers:
==========================

List the policy for a specific provider (the path is quoted so that the shell does not expand $ISA):
# cryptoadm list -p /usr/lib/security/'$ISA'/pkcs11_softtoken.so
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled.
2. The administrator might need to disable a specific mechanism if a problem is found with the algorithm, making it undesirable for use, or if another provider's implementation is more robust. In this example, you disable the user-level provider's mechanisms for the DES algorithm. First list the mechanisms for the user-level provider pkcs11_softtoken.so.
# cryptoadm list -m /usr/lib/security/'$ISA'/pkcs11_softtoken.so
/usr/lib/security/$ISA/pkcs11_softtoken.so: CKM_DES_CBC,CKM_DES_CBC_PAD,CKM_DES_ECB,CKM_DES_KEY_GEN,CKM_DES_MAC_GENERAL,CKM_DES_MAC,CKM_DES3_CBC,CKM_DES3_CBC_PAD,CKM_DES3_ECB,CKM_DES3_KEY_GEN,CKM_AES_CBC,CKM_AES_CBC_PAD,CKM_AES_ECB,CKM_AES_KEY_GEN,CKM_SHA_1,CKM_SHA_1_HMAC,CKM_SHA_1_HMAC_GENERAL,CKM_SSL3_SHA1_MAC,CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL,CKM_SSL3_MD5_MAC,CKM_RC4,CKM_RC4_KEY_GEN,CKM_DSA,CKM_DSA_SHA1,CKM_DSA_KEY_PAIR_GEN,CKM_RSA_PKCS,CKM_RSA_PKCS_KEY_PAIR_GEN,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS,CKM_DH_PKCS_KEY_PAIR_GEN,CKM_DH_PKCS_DERIVE,CKM_MD5_KEY_DERIVATION,CKM_SHA1_KEY_DERIVATION,CKM_PBE_SHA1_RC4_128,CKM_PKCS5_PBKD2,CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_TLS_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_TLS_MASTER_KEY_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_TLS_MASTER_KEY_DERIVE_DH,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_TLS_KEY_AND_MAC_DERIVE
3. Find all of the mechanisms for DES and use the disable option to disable them. (Hint: all mechanisms for an algorithm are grouped together in the output of the previous command. Select the CKM_DES_* mechanisms only; the CKM_DES3_* mechanisms belong to 3DES.)
# cryptoadm disable \
provider=/usr/lib/security/'$ISA'/pkcs11_softtoken.so \
mechanism=CKM_DES_CBC,CKM_DES_CBC_PAD,CKM_DES_ECB,\
CKM_DES_KEY_GEN,CKM_DES_MAC_GENERAL,CKM_DES_MAC
4. Now attempt to encrypt the /etc/hosts file using the DES mechanism. It is unnecessary to generate a key file. Omit the -k option used in the previous tasks and type a random passphrase when you are prompted for a key. What was the result?
# encrypt -a des -i /etc/hosts -o /var/tmp/hosts
Enter key:
encrypt: no cryptographic provider was found for this algorithm -- des
5. List the available mechanisms for the user-level provider.
# cryptoadm list -p /usr/lib/security/'$ISA'/pkcs11_softtoken.so
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled, except CKM_DES_MAC,CKM_DES_MAC_GENERAL,CKM_DES_KEY_GEN,CKM_DES_ECB,CKM_DES_CBC_PAD,CKM_DES_CBC
6. You can enable a provider's mechanisms by using the enable option. You can list the mechanisms to enable or use the special keyword all. Enable all user-level mechanisms. List the available mechanisms to verify that they are enabled.
7. Enable all mechanisms for the user-level provider and list its policy again.
# cryptoadm enable provider=/usr/lib/security/'$ISA'/pkcs11_softtoken.so \
mechanism=all
# cryptoadm list -p /usr/lib/security/'$ISA'/pkcs11_softtoken.so
/usr/lib/security/$ISA/pkcs11_softtoken.so: all mechanisms are enabled.
8. The refresh option lets the administrator see an updated list of provider information. You would use the refresh option after installing and configuring a hardware provider or installing a software provider package. You also use the refresh option if a kernel provider is temporarily removed. Use the unload option to unload the kernel software provider blowfish.
# cryptoadm unload provider=blowfish
9. List the providers to see the result of the last command.
# cryptoadm list
user-level providers:
/usr/lib/security/$ISA/pkcs11_kernel.so
/usr/lib/security/$ISA/pkcs11_softtoken.so

kernel software providers:
	des
	aes
	arcfour
	blowfish (inactive)
	sha1
	md5
	rsa

kernel hardware providers:

10. Now use the refresh option to restore the kernel provider blowfish and then repeat the previous listing.
# cryptoadm refresh
# cryptoadm list
user-level providers:
/usr/lib/security/$ISA/pkcs11_kernel.so
/usr/lib/security/$ISA/pkcs11_softtoken.so

kernel software providers:
	des
	aes
	arcfour
	blowfish
	sha1
	md5
	rsa
kernel hardware providers:

11. The administrator might need to uninstall a kernel-level provider if site policy forbids the use of its mechanisms or for other reasons. The uninstall option is used to remove a provider. First list the providers and mechanisms. You need the list of mechanisms for RSA to proceed: cut and paste the mechanism list of the kernel provider rsa into a file or another shell window, because the install option later requires it.
# cryptoadm list -m
user-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: no slots presented.
/usr/lib/security/$ISA/pkcs11_softtoken.so: CKM_DES_CBC,CKM_DES_CBC_PAD,CKM_DES_ECB,CKM_DES_KEY_GEN,CKM_DES_MAC_GENERAL,CKM_DES_MAC,CKM_DES3_CBC,CKM_DES3_CBC_PAD,CKM_DES3_ECB,CKM_DES3_KEY_GEN,CKM_AES_CBC,CKM_AES_CBC_PAD,CKM_AES_ECB,CKM_AES_KEY_GEN,CKM_SHA_1,CKM_SHA_1_HMAC,CKM_SHA_1_HMAC_GENERAL,CKM_SSL3_SHA1_MAC,CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL,CKM_SSL3_MD5_MAC,CKM_RC4,CKM_RC4_KEY_GEN,CKM_DSA,CKM_DSA_SHA1,CKM_DSA_KEY_PAIR_GEN,CKM_RSA_PKCS,CKM_RSA_PKCS_KEY_PAIR_GEN,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS,CKM_DH_PKCS_KEY_PAIR_GEN,CKM_DH_PKCS_DERIVE,CKM_MD5_KEY_DERIVATION,CKM_SHA1_KEY_DERIVATION,CKM_PBE_SHA1_RC4_128,CKM_PKCS5_PBKD2,CKM_SSL3_PRE_MASTER_KEY_GEN,CKM_TLS_PRE_MASTER_KEY_GEN,CKM_SSL3_MASTER_KEY_DERIVE,CKM_TLS_MASTER_KEY_DERIVE,CKM_SSL3_MASTER_KEY_DERIVE_DH,CKM_TLS_MASTER_KEY_DERIVE_DH,CKM_SSL3_KEY_AND_MAC_DERIVE,CKM_TLS_KEY_AND_MAC_DERIVE

kernel software providers:
==========================
des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
aes: CKM_AES_ECB,CKM_AES_CBC
arcfour: CKM_RC4
blowfish: CKM_BF_ECB,CKM_BF_CBC
sha1: CKM_SHA_1,CKM_SHA_1_HMAC,CKM_SHA_1_HMAC_GENERAL
md5: CKM_MD5,CKM_MD5_HMAC,CKM_MD5_HMAC_GENERAL
rsa: CKM_RSA_PKCS,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS

kernel hardware providers:
==========================

12. Use the uninstall option to remove RSA.
# cryptoadm uninstall provider=rsa
13. List the providers and note that RSA is no longer listed.
# cryptoadm list
user-level providers:
/usr/lib/security/$ISA/pkcs11_kernel.so
/usr/lib/security/$ISA/pkcs11_softtoken.so

kernel software providers:
	des
	aes
	arcfour
	blowfish
	sha1
	md5

kernel hardware providers:

14. To install the provider again, use the install option. This command requires that you supply the mechanism operand. Use the install option to reinstall RSA, adding the comma-separated mechanism list that you saved in a previous step.
# cryptoadm install provider=rsa \
mechanism=CKM_RSA_PKCS,CKM_RSA_X_509,\
CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS
15. Confirm that the rsa provider is installed.
# cryptoadm list -p rsa
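Steps 3 and 11 through 14 both depend on picking the right mechanism names out of the cryptoadm list -m output, and step 3 has a trap: the DES and 3DES names share a prefix. The following shell functions are an added example, not part of the Sun course, that extract a provider's mechanism list from saved list -m output and build the disable and install command lines from it. LIST_M is constructed from the listings above (with the pkcs11_softtoken.so list shortened); the function names are this example's own.

```shell
# Added example, not part of the Sun course text: extract a provider's
# mechanism list from saved "cryptoadm list -m" output and build the
# cryptoadm disable / install command lines from it, instead of cutting and
# pasting by hand. LIST_M is constructed from the listings above, with the
# pkcs11_softtoken.so mechanism list abbreviated.

LIST_M='user-level providers:
=====================
/usr/lib/security/$ISA/pkcs11_kernel.so: no slots presented.
/usr/lib/security/$ISA/pkcs11_softtoken.so: CKM_DES_CBC,CKM_DES_CBC_PAD,CKM_DES_ECB,CKM_DES_KEY_GEN,CKM_DES_MAC_GENERAL,CKM_DES_MAC,CKM_DES3_CBC,CKM_DES3_CBC_PAD,CKM_DES3_ECB,CKM_DES3_KEY_GEN,CKM_AES_CBC,CKM_AES_CBC_PAD,CKM_AES_ECB,CKM_AES_KEY_GEN,CKM_RSA_PKCS,CKM_RSA_X_509

kernel software providers:
==========================
des: CKM_DES_ECB,CKM_DES_CBC,CKM_DES3_ECB,CKM_DES3_CBC
aes: CKM_AES_ECB,CKM_AES_CBC
rsa: CKM_RSA_PKCS,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,CKM_SHA1_RSA_PKCS

kernel hardware providers:
=========================='

# provider_mechs PROVIDER: print the comma-separated mechanism list of one
# provider, read from "cryptoadm list -m" output on stdin. Fails if the
# provider is absent or presents no mechanisms ("no slots presented.").
provider_mechs() {
    awk -v p="$1" '
        index($0, p ":") == 1 {
            rest = substr($0, length(p) + 2); sub(/^ */, "", rest)
            if (rest ~ /^CKM_/) { found = 1; print rest }
        }
        END { exit found ? 0 : 1 }'
}

# select_family FAMILY LIST: keep only the mechanisms of one algorithm family.
# DES selects CKM_DES_* but not CKM_DES3_*, which belongs to 3DES. Fails if
# nothing matches, so that an empty mechanism= is never emitted.
select_family() {
    printf '%s' "$2" | awk -v pre="CKM_${1}_" -F, '
        {
            for (i = 1; i <= NF; i++)
                if (index($i, pre) == 1) out = out (out == "" ? "" : ",") $i
        }
        END { if (out == "") exit 1; print out }'
}

# quote_provider NAME: the user-level provider paths contain a literal $ISA
# that must not be expanded by the shell, so single-quote them for pasting.
quote_provider() {
    case $1 in
        *'$'*) printf "'%s'" "$1" ;;
        *)     printf '%s' "$1" ;;
    esac
}

# disable_cmd PROVIDER FAMILY: the command that disables one algorithm family
# on a provider (step 3). Reads "cryptoadm list -m" output on stdin.
disable_cmd() {
    mechs=$(provider_mechs "$1") || return 1
    fam=$(select_family "$2" "$mechs") || return 1
    printf 'cryptoadm disable provider=%s mechanism=%s\n' "$(quote_provider "$1")" "$fam"
}

# install_cmd PROVIDER: the command that reinstalls a kernel software provider
# with the mechanism list saved before "cryptoadm uninstall" (steps 11 to 14).
# Reads the saved listing on stdin.
install_cmd() {
    mechs=$(provider_mechs "$1") || return 1
    printf 'cryptoadm install provider=%s mechanism=%s\n' "$(quote_provider "$1")" "$mechs"
}
```

Save the listing before uninstalling (cryptoadm list -m > /var/tmp/mechs.txt) and run install_cmd rsa < /var/tmp/mechs.txt afterwards to get the exact command for step 14; printf '%s\n' "$LIST_M" | disable_cmd '/usr/lib/security/$ISA/pkcs11_softtoken.so' DES reproduces the command of step 3.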
1. From the test host (sys-04), verify connectivity to the filter host (sys-02) with the ping and telnet commands, then log in to the filter host's console through the network terminal server (nts).
sys-04# ping -s sys-02
PING sys-02: 56 data bytes
64 bytes from sys-02 (192.168.201.22):
64 bytes from sys-02 (192.168.201.22):
64 bytes from sys-02 (192.168.201.22):
64 bytes from sys-02 (192.168.201.22):
^C
----sys-02 PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (ms)  min/avg/max/stddev = 0.358/0.573/1.13/0.37
sys-04# telnet sys-02
Trying 192.168.201.22...
Connected to sys-02.
Escape character is '^]'.
login: root
Password:
Last login: Wed Jul 14 16:14:58 from 192.168.201.1
Sun Microsystems Inc.   SunOS 5.10      s10_57  May 2004
Welcome to Sol10_v120 on sys-02
sys-02# exit
Connection to sys-02 closed by foreign host.
sys-04#
From the gateway:
$ telnet nts-0
Trying 192.168.201.3...
Connected to nts-0.
Escape character is '^]'.
2
Attached to port 2

sys-02 console login: root
Password:
Last login: Wed Jul 14 17:25:59 on console
Jul 14 18:27:26 sys-03 login: ROOT LOGIN /dev/console
Sun Microsystems Inc.   SunOS 5.10      s10_57  May 2004
Welcome to Sol10_v120 on sys-02
sys-02#
2. Log in to the IP Filter host on the console using the network terminal server. Configure a rule to disallow all traffic.
sys-02# echo block in all > /etc/ipf/ipf.conf
3. Start a ping command with the -s option from the test host to the filter host.
sys-04# ping -s sys-02
PING sys-02: 56 data bytes
64 bytes from sys-02 (192.168.201.22): icmp_seq=7. time=1.15 ms
64 bytes from sys-02 (192.168.201.22): icmp_seq=8. time=0.487 ms
64 bytes from sys-02 (192.168.201.22): icmp_seq=9. time=0.485 ms
64 bytes from sys-02 (192.168.201.22): icmp_seq=10. time=0.460 ms
...
4. Set the TERM variable to vt100, edit the /etc/ipf/pfil.ap file, and remove the comment from the line for the filter host's interface type.
#eri1 -1 0 pfil
is changed to:
eri1 -1 0 pfil
5. Execute the /etc/init.d/pfil script with the start option.
sys-02# /etc/init.d/pfil start
6. Use the ifconfig command to display the interfaces on the filter host. Note the IP address and unplumb the interface. Now plumb the interface again, add the IP address, and set the interface to up. (Unplumbing and replumbing is what pushes the pfil module onto the interface's stream; until that happens IP Filter sees no packets on that interface.)
sys-02# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
eri0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
        inet 192.168.201.22 netmask ffffff00 broadcast 192.168.201.255
        ether 0:3:ba:68:44:d3
eri1: flags=1000862<BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 0.0.0.0 netmask 0 broadcast 255.255.255.255
        ether 0:3:ba:68:44:d3
sys-02# ifconfig eri0 unplumb
sys-02# ifconfig eri0 plumb
sys-02# ifconfig eri0 192.168.201.22 up
7. Use the /etc/init.d/ipfboot script to start IP Filter.
sys-02# /etc/init.d/ipfboot start
8. Note that the ping command from the test host has not resumed. Use the ipfstat(1M) command to display the current inbound and outbound filters.
sys-02# ipfstat -io
empty list for ipfilter(out)
block in all
9. Use the ipf -D command to disable the filter.
10. Use the ipf -E command to re-enable the filter.
11. Use the ipf(1M) command to flush the current rule set.
sys-02# ipf -Fa
12. Check the filters again with the ipfstat command. In a few moments you should observe the ping command from the test host resume. You can stop the ping command after it resumes.
sys-02# ipfstat -io
empty list for ipfilter(out)
empty list for ipfilter(in)
13. Add a new rule to the /etc/ipf/ipf.conf file to allow the ssh command to run from anywhere to the filter host and keep state.
sys-02# echo "pass in quick on eri0 proto tcp from any to \
192.168.201.22/32 port = 22 keep state" >> /etc/ipf/ipf.conf
14. Add the rules to the kernel module and test by using secure shell from the test host to the filter host.
sys-02# ipf -Fa -f /etc/ipf/ipf.conf
Note: If the ssh(1) command is not configured for root access, you must edit the /etc/ssh/sshd_config file on the filter host, change the PermitRootLogin variable from the default no value to yes, and restart the ssh service. Revert this change when the exercise is complete; permitting direct root logins over ssh is not recommended outside a lab.
sys-04# ssh sys-02
The authenticity of host 'sys-02 (192.168.201.22)' can't be established.
RSA key fingerprint is 8a:33:65:c8:70:3e:4d:79:a6:b6:e8:a4:6d:0f:00:ca.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'sys-02,192.168.201.22' (RSA) to the list of known hosts.
Password:
Last login: Wed Jul 14 19:51:09 2004 from sys-04
Sun Microsystems Inc.   SunOS 5.10      s10_57  May 2004
Welcome to Sol10_v120 on sys-02
sys-02#
15. Use the ipmon(1M) command to examine the state information.
sys-02# ipmon -o S
14/07/2004 19:45:58.033602 STATE:NEW 192.168.201.25,32794 -> 192.168.201.22,22 PR tcp
14/07/2004 19:48:07.960067 STATE:CLOSE 192.168.201.25,32794 -> 192.168.201.22,22 PR tcp Forward: Pkts in 21 Bytes in 2136 Pkts out 2
14/07/2004 19:51:04.184549 STATE:NEW 192.168.201.25,32795 -> 192.168.201.22,22 PR tcp
16. On the test host, end the secure shell session and attempt to use the telnet command to connect to the filter host. Allow the attempt to continue.
sys-04# telnet sys-02
Trying 192.168.201.22...
17. On the filter host, use the ipfstat command to examine the blocked input packets. Execute the command two or three times and observe the increase in the number of blocked packets recorded.
sys-02# ipfstat -ihn
16 @1 block in all
2 @2 pass in quick on eri0 proto tcp from any to 192.168.201.22/32 port = ssh keep state
sys-02# ipfstat -ihn
17 @1 block in all
2 @2 pass in quick on eri0 proto tcp from any to 192.168.201.22/32 port = ssh keep state
18. Edit the /etc/syslog.conf file and add a line to log auth.info to the file /var/log/authlog. Stop and start syslog.
Add to /etc/syslog.conf (the selector and the file name must be separated by a tab, not spaces):
auth.info	/var/log/authlog
Then type:
sys-02# svcadm disable svc:/system/system-log
sys-02# svcadm enable svc:/system/system-log
19. The reason the blocked packet count increased when you observed it with the ipfstat -ihn command is that the filter drops the packets silently, so the telnet client retransmits its connection request (TCP SYN) several times before giving up. You now edit the rule to log packets that are blocked and to send a packet with the RST flag set in response to telnet connections.
20. Make the following edit to the block rule. Flush and add the new rule set to the kernel module.
block in log level auth.info all
sys-02# ipf -Fa -f /etc/ipf/ipf.conf
21. Attempt to use the telnet command to connect from the test host to the filter host, and apply the tail command to the /var/log/authlog file on the filter host.
sys-04# telnet sys-02
Trying 192.168.201.22...
sys-02# tail -f /var/log/authlog
Jul 14 20:41:11 sys-02 ipmon[677]: [ID 702911 auth.info] 20:41:10.953913 eri0 @0:1 b 192.168.201.25,32797 -> 192.168.201.22,23 PR tcp len 20 52 -S IN
Jul 14 20:41:12 sys-02 ipmon[677]: [ID 702911 auth.info] 20:41:11.572757 eri0 @0:1 b 192.168.201.25,32797 -> 192.168.201.22,23 PR tcp len 20 52 -S IN
22. On the filter host, use the ipmon command to examine the logs.
sys-02# ipmon -a
14/07/2004 20:46:17.033767 2x eri0 @0:1 b 192.168.201.25,32799 -> 192.168.201.22,23 PR tcp len 20 52 -S IN
14/07/2004 20:11:50.460075 STATE:CLOSE 192.168.201.25,32795 -> 192.168.201.22,22 PR tcp Forward: Pkts in 97 Bytes in 7160 Pkts out 2
14/07/2004 20:48:11.054146 eri0 @0:1 b 192.168.201.25,32799 -> 192.168.201.22,23 PR tcp len 20 52 -S IN
23. Make the following edits to the /etc/ipf/ipf.conf file:
block in log level auth.info all
block return-rst in quick on eri0 proto tcp from any to 192.168.201.22/32 port = 23
pass in quick on eri0 proto tcp from any to 192.168.201.22/32 port = 22 keep state
24. Flush the existing rules and add the new set.
sys-02# ipf -Fa -f /etc/ipf/ipf.conf
25. Telnet from the test host to the filter host, and observe the results. The return-rst rule answers the SYN with a TCP reset, so the client fails immediately instead of retransmitting into silence.
sys-04# telnet sys-02
Trying 192.168.201.22...
telnet: Unable to connect to remote host: Connection refused
26. In this step, you create a second rule set. It is added to the kernel as an inactive rule set. You switch between the active and inactive rule sets to test one and return to the other. Copy the /etc/ipf/ipf.conf file to the /etc/ipf/ipf2.conf file and append the following:
pass in quick on eri0 proto icmp from any to \
192.168.201.22 icmp-type echo keep state
pass in quick on eri0 proto icmp from any to \
192.168.201.22 icmp-type echorep keep state
pass in quick on eri0 proto icmp from any to \
192.168.201.22 icmp-type unreach code needfrag
These added rules allow Internet Control Message Protocol (ICMP) echo requests (the ping command) and echo replies, and allow ICMP messages indicating that a packet must be fragmented. The rules can be entered as three lines or with the line continuation. The ipf(1M) command accepts both.
27. Add an inactive rule set to the ipf kernel module:
sys-02# ipf -I -f /etc/ipf/ipf2.conf
28. List the current inbound rules using the ipfstat command.
sys-02# ipfstat -i
block in log level auth.info all
block return-rst in quick on eri0 proto tcp from any to 192.168.201.22/32 port = telnet
pass in quick on eri0 proto tcp from any to 192.168.201.22/32 port = ssh keep state
29. Now list the inactive rule set in the kernel. Use the same ipfstat command, but with the addition of the -I option:
sys-02# ipfstat -Ii
block in log level auth.info all
block return-rst in quick on eri0 proto tcp from any to 192.168.201.22/32 port = telnet
pass in quick on eri0 proto tcp from any to 192.168.201.22/32 port = ssh keep state
pass in quick on eri0 proto icmp from any to 192.168.201.22/32 icmp-type echo keep state
pass in quick on eri0 proto icmp from any to 192.168.201.22/32 icmp-type echorep keep state
pass in quick on eri0 proto icmp from any to 192.168.201.22/32 icmp-type unreach code 4
30. To switch between rule sets in the kernel, use the -s option to the ipf command:
sys-02# ipf -s
Set 1 now inactive
31. Test the new rules by sending multiple pings to the filter host from the test host. Use the ipf command on the filter host to switch the active rule set while the ping command is executing.
sys-04# ping -s sys-02
PING sys-02: 56 data bytes
64 bytes from sys-02 (192.168.201.22):
64 bytes from sys-02 (192.168.201.22):
64 bytes from sys-02 (192.168.201.22):
64 bytes from sys-02 (192.168.201.22):
sys-02# ipf -s
Set 0 now inactive
The ping should stop.
32. To remove an inactive rule set from the kernel, use the ipf -IFa command.
sys-02# ipf -IFa
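Steps 17 through 22 read the block records by eye from ipfstat -ihn, /var/log/authlog and ipmon -a. The following shell function is an added example, not part of the Sun course, that summarises those records by source address, destination port and protocol, in either the ipmon -a console format or the syslog format ipmon writes through auth.info. SAMPLE_LOG is constructed from the record formats shown above; the udp record and the pass ("p") record in it are invented to exercise the filtering.

```shell
# Added example, not part of the Sun course text: summarise the block records
# that ipmon(1M) produces, by source address, destination port and protocol.
# It accepts both the "ipmon -a" console format and the syslog lines ipmon
# writes to /var/log/authlog (steps 21 and 22 above), skips STATE: and NAT:
# records, and honours the "Nx" prefix ipmon puts on repeated identical packets.
# SAMPLE_LOG is constructed from the record formats shown above; the udp and
# pass ("p") lines are invented to exercise the filtering.

SAMPLE_LOG='14/07/2004 20:46:17.033767 2x eri0 @0:1 b 192.168.201.25,32799 -> 192.168.201.22,23 PR tcp len 20 52 -S IN
14/07/2004 20:11:50.460075 STATE:CLOSE 192.168.201.25,32795 -> 192.168.201.22,22 PR tcp Forward: Pkts in 97 Bytes in 7160 Pkts out 2
14/07/2004 20:48:11.054146 eri0 @0:1 b 192.168.201.25,32799 -> 192.168.201.22,23 PR tcp len 20 52 -S IN
Jul 14 20:41:11 sys-02 ipmon[677]: [ID 702911 auth.info] 20:41:10.953913 eri0 @0:1 b 192.168.201.25,32797 -> 192.168.201.22,23 PR tcp len 20 52 -S IN
Jul 14 20:41:12 sys-02 ipmon[677]: [ID 702911 auth.info] 20:41:11.572757 eri0 @0:1 b 192.168.201.25,32797 -> 192.168.201.22,23 PR tcp len 20 52 -S IN
14/07/2004 20:52:30.100000 eri0 @0:1 b 192.168.201.30,5353 -> 192.168.201.22,53 PR udp len 20 60 IN
14/07/2004 20:53:02.000000 eri0 @0:2 p 192.168.201.25,32800 -> 192.168.201.22,22 PR tcp len 20 52 -S IN'

# blocked_summary: read ipmon records on stdin; print "src dst dport proto count"
# for blocked packets, one line per combination, sorted.
blocked_summary() {
    awk '
    {
        # The "src -> dst" triple anchors the record; the action (b or p) is two
        # fields before the arrow and the rule number (@set:rule) three before.
        for (i = 1; i <= NF; i++) if ($i == "->") break
        if (i > NF || i < 3 || $(i-2) != "b") next
        # "Nx" before the interface name means N identical packets were summarised.
        n = 1
        for (j = 1; j < i - 3; j++) if ($j ~ /^[0-9]+x$/) n = substr($j, 1, length($j) - 1) + 0
        split($(i-1), s, ","); split($(i+1), d, ",")
        proto = ($(i+2) == "PR") ? $(i+3) : "?"
        count[s[1] " " d[1] " " d[2] " " proto] += n
    }
    END { for (k in count) print k, count[k] }' | sort
}

# blocked_from SRC: total blocked packets from one source address (0 if none).
blocked_from() {
    blocked_summary | awk -v src="$1" '$1 == src { t += $5 } END { print t + 0 }'
}
```

On the filter host, ipmon -a | blocked_summary or blocked_summary < /var/log/authlog gives the same per-source, per-port view the exercise builds by hand; the "2x" record above counts as two packets, which is why ipfstat -ihn shows more hits than there are log lines.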
On the filter host (the NAT router), plumb the internal interface eri1 and assign it an address on the internal network (192.168.100.22):
sys-02# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
eri0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
        inet 192.168.201.22 netmask ffffff00 broadcast 192.168.201.255
        ether 0:3:ba:68:44:d3
sys-02# ifconfig eri1 plumb
sys-02# ifconfig eri1 192.168.100.22 up
sys-02# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
eri0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
        inet 192.168.201.22 netmask ffffff00 broadcast 192.168.201.255
        ether 0:3:ba:68:44:d3
eri1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 6
        inet 192.168.100.22 netmask ffffff00 broadcast 192.168.100.255
        ether 0:3:ba:68:44:d3
Repeat for the test system with a unique IP address (192.168.100.25 is used in this example).
3. Verify that you can ping between the filter host and the test host.
sys-04# ping 192.168.100.22
192.168.100.22 is alive
4. Add the following NAT rule to the /etc/ipf/ipnat.conf file:
map eri0 192.168.100.0/24 -> 192.168.201.22/32
sys-02# echo "map eri0 192.168.100.0/24 -> 192.168.201.22/32" > \
/etc/ipf/ipnat.conf
Note: You might find it more convenient to enable the internal interface of a third host and use the telnet command to connect to the test host on the internal side. The next steps require that you unplumb the primary interface on the test host; if you use the nts, it can time out, forcing you to log in again.
5. Log in to the test host using the network terminal server (nts). You must disable the primary interface, flush the route table, and add a route to the internal interface of the NAT router (filter host).
$ telnet nts-0
Trying 192.168.201.3...
Connected to nts-0.
Escape character is '^]'.
Rotaries Defined:
  cli
Enter Annex port name or number: 4
Attached to port 4

sys-04#
sys-04# netstat -rn
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.201.0        192.168.201.25       U        1      0  eri0
192.168.100.0        192.168.100.25       U        1      1  eri1
default              192.168.201.1        UG       1      0
127.0.0.1            127.0.0.1            UH       4     83  lo0
sys-04# route -f
default 192.168.201.1 done
192.168.100.22 done
sys-04# netstat -rn
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.100.0        192.168.100.25       U        1      1  eri1
sys-04# route add default 192.168.100.22
add net default: gateway 192.168.100.22
6. On the NAT router, you must enable and verify IP forwarding.
sys-02# routeadm -e ipv4-forwarding
sys-02# routeadm
              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
            IPv4 forwarding   enabled              disabled
               IPv4 routing   default (disabled)   disabled
            IPv6 forwarding   default (disabled)   disabled
               IPv6 routing   default (disabled)   disabled
sys-02# routeadm -u
sys-02# routeadm
              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
            IPv4 forwarding   enabled              enabled
               IPv4 routing   default (disabled)   disabled
            IPv6 forwarding   default (disabled)   disabled
               IPv6 routing   default (disabled)   disabled
sys-02# ndd -get /dev/ip ip_forwarding
1
7. From the test host, ping the outside network address of one of the systems in the pod. In this example, system three at 192.168.201.24 is used. Use the ping -s command to set up a continuous ping.
sys-04# ping -s 192.168.201.24
8. On the NAT router, use the snoop -r -d eri1 command to examine the ping traffic being received on the 192.168.100.22 interface. Note that the traffic originates from the test host's IP address and is destined for 192.168.201.24. Now stop the snoop command on the eri1 interface and execute the snoop -r -d eri0 192.168.201.24 command (in this case, the -d option is not necessary but is included for clarity). Note that the packets appear to originate from the NAT router's IP address.
sys-02# snoop -r -d eri1
192.168.100.25 -> 192.168.201.24 ICMP Echo request (ID: 1024 Sequence number: 310)
192.168.201.24 -> 192.168.100.25 ICMP Echo reply (ID: 1024 Sequence number: 310)
192.168.100.25 -> 192.168.201.24 ICMP Echo request (ID: 1024 Sequence number: 311)
192.168.201.24 -> 192.168.100.25 ICMP Echo reply (ID: 1024 Sequence number: 311)
192.168.100.25 -> 192.168.201.24 ICMP Echo request (ID: 1024 Sequence number: 312)
sys-02# snoop -r -d eri0 192.168.201.24
Using device /dev/eri (promiscuous mode)
192.168.201.22 -> 192.168.201.24 ICMP Echo request (ID: 1024 Sequence number: 586)
192.168.201.24 -> 192.168.201.22 ICMP Echo reply (ID: 1024 Sequence number: 586)
192.168.201.22 -> 192.168.201.24 ICMP Echo request (ID: 1024 Sequence number: 587)
192.168.201.24 -> 192.168.201.22 ICMP Echo reply (ID: 1024 Sequence number: 587)
192.168.201.22 -> 192.168.201.24 ICMP Echo request (ID: 1024 Sequence number: 588)
192.168.201.24 -> 192.168.201.22 ICMP Echo reply (ID: 1024 Sequence number: 588)
9. Next, you examine Port Address Translation (PAT). This requires that you use the snoop command on both interfaces of the NAT router. You must open three shells on that host, two for snoop commands and one for ipnat(1M) commands.
10. On the NAT router, edit the /etc/ipf/ipnat.conf file and change the current rule to the following:
map eri0 192.168.100.0/24 -> 192.168.201.22/32 \
portmap tcp/udp 40000:50000
11. Flush the existing NAT rules and add the new rule.
sys-02# ipnat -C -f /etc/ipf/ipnat.conf
1 entries flushed from NAT list
12. In one shell on the NAT router, use the snoop -r -V -d eri1 192.168.100.25 command to examine inbound packets from the test host. In another shell, use the snoop -r -V -d eri0 192.168.201.24 command to examine the outbound packets destined for the target host. Substitute the correct IP addresses for your test and NAT hosts.
13. When both snoop commands are set up, use the telnet command to connect from the test host to the destination host. Examine the two snoop outputs and note that the source port is translated.
sys-02# snoop -r -V -d eri1 192.168.100.25
Using device /dev/eri (promiscuous mode)
...
________________________________
192.168.201.24 -> 192.168.100.25 ETHER Type=0800 (IP), size = 57 bytes
192.168.201.24 -> 192.168.100.25 IP D=192.168.100.25 S=192.168.201.24 LEN=43, ID=61832, TOS=0x0, TTL=59
192.168.201.24 -> 192.168.100.25 TCP D=32813 S=23 Push Ack=2637557725 Seq=3180665536 Len=3 Win=49640
192.168.201.24 -> 192.168.100.25 TELNET R port=32813
________________________________
192.168.100.25 -> 192.168.201.24 ETHER Type=0800 (IP), size = 60 bytes
192.168.100.25 -> 192.168.201.24 IP D=192.168.201.24 S=192.168.100.25 LEN=40, ID=7694, TOS=0x0, TTL=64
192.168.100.25 -> 192.168.201.24 TCP D=23 S=32813 Ack=3180665539 Seq=2637557725 Len=0 Win=49640
192.168.100.25 -> 192.168.201.24 TELNET C port=32813
---------------------------------------------------------
sys-02# snoop -r -V -d eri0 192.168.201.24
Using device /dev/eri (promiscuous mode)
...
________________________________
192.168.201.24 -> 192.168.201.22 ETHER Type=0800 (IP), size = 60 bytes
192.168.201.24 -> 192.168.201.22 IP D=192.168.201.22 S=192.168.201.24 LEN=43, ID=61832, TOS=0x0, TTL=60
192.168.201.24 -> 192.168.201.22 TCP D=40000 S=23 Push Ack=2637557725 Seq=3180665536 Len=3 Win=49640
192.168.201.24 -> 192.168.201.22 TELNET R port=40000
________________________________
192.168.201.22 -> 192.168.201.24 ETHER Type=0800 (IP), size = 54 bytes
192.168.201.22 -> 192.168.201.24 IP D=192.168.201.24 S=192.168.201.22 LEN=40, ID=7694, TOS=0x0, TTL=63
192.168.201.22 -> 192.168.201.24 TCP D=23 S=40000 Ack=3180665539 Seq=2637557725 Len=0 Win=49640
192.168.201.22 -> 192.168.201.24 TELNET C port=40000
Note that the TCP sequence numbers and the IP IDs correspond across the two captures: the same segments are seen on both interfaces, with only the inside address and port (192.168.100.25, 32813) rewritten to the router's address and a port from the portmap range (192.168.201.22, 40000). The TTL is one lower on the far side of the router, as expected for a forwarded packet.
14. The ipnat(1M) command lists the current mappings and active sessions. The active session portion of the output also shows the port mapping and can be useful when troubleshooting one of many active sessions.
9-32
Exercise Solutions sys-02# ipnat -l List of active MAP/Redirect filters: map eri0 192.168.100.0/24 -> 192.168.201.22/32 portmap tcp/udp 40000:50000 List of active sessions: MAP 192.168.100.25 32813 <- -> 192.168.201.22
15. The ipmon(1M) command can also be used to monitor NAT information.

    sys-02# ipmon -o N
    15/07/2004 10:39:13.195560 @1 NAT:MAP 192.168.100.25,0 <- -> 192.168.201.22,0 [192.168.201.1,0]
    15/07/2004 10:39:16.240059 @1 NAT:EXPIRE 192.168.100.25,0 <- -> 192.168.201.22,0 [192.168.201.1,0] Pkts 1 Bytes 1
    15/07/2004 10:50:19.913343 @1 NAT:MAP 192.168.100.25,0 <- -> 192.168.201.22,0 [192.168.201.1,0]
    15/07/2004 10:51:05.240071 @1 NAT:EXPIRE 192.168.100.25,0 <- -> 192.168.201.22,0 [192.168.201.1,0] Pkts 43 Bytes 43
    15/07/2004 10:53:15.013707 @1 NAT:MAP 192.168.100.25,0 <- -> 192.168.201.22,0 [192.168.201.24,0]
    15/07/2004 11:09:32.240084 @1 NAT:EXPIRE 192.168.100.25,0 <- -> 192.168.201.22,0 [192.168.201.24,0] Pkts 975 Bytes 975
    15/07/2004 11:54:18.370069 @1 NAT:EXPIRE 192.168.100.25,32813 <- -> 192.168.201.22,40000 [192.168.201.24,23] Pkts 13 Bytes 15
    15/07/2004 12:21:46.272127 @1 NAT:MAP 192.168.100.25,32814 <- -> 192.168.201.22,40001 [192.168.201.24,23]
    ...
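As an added example (not from the Sun course), the following Python reads ipmon -o N NAT records like the ones above, pairs each MAP with its EXPIRE to obtain session duration and packet counts, and flags translated ports that fall outside the portmap range configured in step 10. The sample lines are constructed after the output shown, and the field interpretation (inside address, translated address, remote peer) is taken from that output.

```python
"""Parse Solaris IP Filter 'ipmon -o N' NAT records and pair MAP/EXPIRE events
(added example, not part of the lab; the sample lines below are constructed)."""
import re
from datetime import datetime

# Constructed sample in the ipmon -o N format shown in step 15.
SAMPLE_LOG = """\
15/07/2004 10:53:15.013707 @1 NAT:MAP 192.168.100.25,0 <- -> 192.168.201.22,0 [192.168.201.24,0]
15/07/2004 11:09:32.240084 @1 NAT:EXPIRE 192.168.100.25,0 <- -> 192.168.201.22,0 [192.168.201.24,0] Pkts 975 Bytes 975
15/07/2004 11:54:18.370069 @1 NAT:EXPIRE 192.168.100.25,32813 <- -> 192.168.201.22,40000 [192.168.201.24,23] Pkts 13 Bytes 15
15/07/2004 12:21:46.272127 @1 NAT:MAP 192.168.100.25,32814 <- -> 192.168.201.22,40001 [192.168.201.24,23]
"""

# date time @rule NAT:EVENT inside,port <- -> translated,port [peer,port] [Pkts n Bytes m]
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{6}) "
    r"@(?P<rule>\d+) NAT:(?P<event>MAP|EXPIRE) "
    r"(?P<in_addr>[\d.]+),(?P<in_port>\d+) <- -> "
    r"(?P<map_addr>[\d.]+),(?P<map_port>\d+) "
    r"\[(?P<peer_addr>[\d.]+),(?P<peer_port>\d+)\]"
    r"(?: Pkts (?P<pkts>\d+) Bytes (?P<bytes>\d+))?$")

def parse_line(line):
    """Return one parsed record, or None for lines that are not NAT records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "time": datetime.strptime(d["date"] + " " + d["time"], "%d/%m/%Y %H:%M:%S.%f"),
        "rule": int(d["rule"]),
        "event": d["event"],
        # This 6-tuple identifies one NAT session across its MAP and EXPIRE records.
        "key": (d["in_addr"], int(d["in_port"]), d["map_addr"], int(d["map_port"]),
                d["peer_addr"], int(d["peer_port"])),
        "pkts": int(d["pkts"]) if d["pkts"] else None,
        "bytes": int(d["bytes"]) if d["bytes"] else None,
    }

def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]

def pair_sessions(records):
    """Match each EXPIRE to its MAP. Returns (closed, still_open, expire_without_map)."""
    open_by_key, closed, orphans = {}, [], []
    for r in records:
        if r["event"] == "MAP":
            open_by_key[r["key"]] = r
            continue
        start = open_by_key.pop(r["key"], None)
        if start is None:  # EXPIRE whose MAP predates the log window
            orphans.append(r)
            continue
        closed.append({"key": r["key"], "start": start["time"], "end": r["time"],
                       "duration_s": (r["time"] - start["time"]).total_seconds(),
                       "pkts": r["pkts"], "bytes": r["bytes"]})
    return closed, list(open_by_key.values()), orphans

def ports_outside_portmap(records, low, high):
    """Translated ports outside the configured portmap range, a sign that the
    intended rule is not the one in effect. Port 0 (ICMP, no port) is skipped."""
    return [r for r in records if r["key"][3] != 0 and not low <= r["key"][3] <= high]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    closed, still_open, orphans = pair_sessions(recs)
    print("closed:", [(s["key"], round(s["duration_s"], 3), s["pkts"]) for s in closed])
    print("still open:", [s["key"] for s in still_open], "orphan expires:", len(orphans))
    print("outside 40000:50000:", ports_outside_portmap(recs, 40000, 50000))
```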
    sys-01# ifconfig eri1 plumb
    sys-01# ifconfig eri1 192.168.100.21 up

2. On sys-02, flush all current IP Filtering and NAT rules.

    sys-02# ipnat -C

3. On sys-01, verify network connectivity by pinging 192.168.100.22.

    sys-01# ping 192.168.100.22
    192.168.100.22 is alive

4. Log out of sys-01 and log in to sys-02, then log in to sys-01 from sys-02 using the 192.168.100.21 address.

    sys-02# telnet 192.168.100.21
    Trying 192.168.100.21...
    Connected to 192.168.100.21.
    Escape character is '^]'.
    login: root
    Password:
    Last login: Mon Jul 26 09:56:31 from sys-02
    Sun Microsystems Inc.   SunOS 5.10      s10_62
    Welcome to Sol10_v120 on sys-01
    sys-01#

5. Unplumb the eri0 interface on sys-01, flush the route table on sys-01, and add a default route to 192.168.100.22 (eri1 on sys-02).
    sys-01# ifconfig eri0 unplumb
    sys-01# route -f
    sys-01# route add default 192.168.100.22

6. Log out of sys-01; you should now be on sys-02. Create a new /etc/ipf/ipnat.conf file containing a single rule. This rule redirects connections from port 23 on 192.168.201.22 (sys-02) to port 23 on 192.168.100.21 (eri1 of sys-01).

7. Add the rule to Solaris IP Filter.

    sys-02# ipnat -f /etc/ipf/ipnat.conf

8. Log in to sys-04 and initiate a telnet session from sys-04 to sys-02. This telnet connection will connect you to sys-01.

    sys-04# telnet sys-02
    Trying 192.168.201.22...
    Connected to sys-02.
    Escape character is '^]'.
    login: root
    Password:
    Last login: Mon Jul 26 09:33:32 from sys-04
    Sun Microsystems Inc.   SunOS 5.10      s10_62
    Welcome to Sol10_v120 on sys-01
    sys-01#
Lab 10
- Starting and stopping System Management Agent (SMA)
- Starting SMA with debugging enabled
- Using the snmpconf(1M) script to build an SMA configuration file
- Adding User-based Security Model (USM) users
- Configuring the SMA applications
- Using the debugging options with SMA applications
- Building a View-based Access Control Model (VACM)
Preparation
No special preparation is required for this lab.
3. Examine the running processes. Did SMA stop?
4. Examine the /var/log/snmpd.log file contents.
5. Use the same script but pass the restart option to it. Examine the running processes. Did the agent start?
6. Examine the /var/log/snmpd.log file contents.
- Create access control entries and add a read-write user called user1 with security level auth.
- Create a read-only SNMP version 2 (SNMPv2) user called v2user for community public.
- Monitor the http daemon, with a maximum of five processes running and a minimum of zero processes running.

3. Examine the file that was created, and note the comments and the tokens added to the file.
4. Create a basic configuration file.
5. Create another configuration file using snmpconf. This time explore all of the different menus and options.
    noAuthNoPriv    Checks the user identity
    authNoPriv      Adds the password check
    authPriv        Adds encryption to the data stream

1. Make a backup copy of the /etc/sma/snmp/snmpd.conf file.
2. Edit the /etc/sma/snmp/snmpd.conf file and add the following two lines at the bottom of the file:

    rwuser initial
    createUser initial MD5 password DES

   This causes a user called initial to be created when the snmpd daemon reads the snmpd.conf file. This user has security level authNoPriv as the default level. The user's authentication passphrase is password, and the encryption key is also set to password.

3. Display the contents of the /var/sma_snmp/snmpd.conf file.
4. Restart the agent.
5. Display the contents of the /var/sma_snmp/snmpd.conf file again.
6. Test the initial user using the snmpget application.
7. Edit the /etc/sma/snmp/snmpd.conf file and remove the line starting with createUser.
8. Restart the agent.
9. Test the initial user using the snmpget application. Is the entry required in the /etc/sma/snmp/snmpd.conf file after the user is created?
10. Clone the initial user with the snmpusm application.
11. Restart the agent.
12. Use the snmpusm application to clone the initial user.
13. Use the snmpusm application to change the new user's password.
14. Test the new user entry.
15. Examine the /var/sma_snmp/snmpd.conf file: is there a new entry?
Task 5 Creating a User With the net-snmp-config Script Using the --create-snmpv3-user Option
1. Use the net-snmp-config script to create a user named user2. This user should have read-only access. Give the user a password and encryption passphrase of at least eight characters. If spaces are used in the encryption passphrase, you must quote the passphrase. Quotes are not required for the authentication passphrase. Run the net-snmp-config script with --help to see a usage statement. The agent must be stopped to use this script.
2. Examine the /var/sma_snmp/snmpd.conf and /etc/sma/snmp/snmpd.conf files.
3. Restart the agent.
4. Use the snmpget application to test the new user.
5. Edit the /etc/sma/snmp/snmpd.conf file and change the user2 entry from rouser user2 to rouser user2 authPriv.
6. Restart the agent.
7. Use DES encryption and security level authPriv to test the user.
8. Try the snmpget application without the DES key and with security level authNoPriv.
    defVersion ( 1 | 2c | 3 )                               Defaults to 3 (-v 3)
    defCommunity string                                     Default is a null string (-c string)
    defSecurityName string                                  (-u name)
    defContext string                                       The default is a null string (-n "")
    defAuthPassphrase string                                (-A string)
    defPrivPassphrase string                                (-X string)
    defAuthType MD5 | SHA                                   (-a value)
    defPrivType DES                                         DES is the only option at this time (-x DES)
    defSecurityLevel noAuthNoPriv | authNoPriv | authPriv   (-l value)
    dumpPacket ( 1 | yes | true | 0 | no | false )
    doDebugging ( 1 | 0 )
    debugTokens token[,token...]                            (-D token)
There are many more directives.

1. Edit the /etc/sma/snmp/snmp.conf file and add the directives required to make user1 the default user. When you finish, the following commands should work without additional options.
2. The options passed on the command line take precedence over directives in the snmp.conf file. Construct a snmpget command for sysLocation.0 using user2, and pass only the required options.
Objective 6. Now set the doDebugging line in the snmp.conf le to 0 and run the command from the previous step.
2.
10-7
Exercise Summary
Discussion

Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.
Exercise Solutions
Task 1 Starting and Stopping SMA
In this task you start, stop, and restart the agent and examine the /var/log/snmpd.log file. Complete the following steps:

1. Use the ps(1M) command to determine the running Simple Network Management Protocol (SNMP) daemons, if any.

    # ps -ef | grep snmp
    /usr/lib/dmi/snmpXdmid
    /usr/lib/snmp/snmpdx
    /usr/sfw/sbin/snmpd

   What SNMP services are running?
   - SMA (/usr/sfw/sbin/snmpd)
   - The Solstice Enterprise Agents software Distributed Management Interface (DMI) subagent (/usr/lib/dmi/snmpXdmid)
   - The Solstice Enterprise Agents software master agent (/usr/lib/snmp/snmpdx)

   Why? The Solstice Enterprise Agents software is configured and started at boot time on port 16161.

2. Use the /etc/init.d/init.sma script to stop SMA.

    # /etc/init.d/init.sma stop

3. Examine the running processes.

    # ps -ef | grep snmp

   Did SMA stop? Yes

4. Examine the /var/log/snmpd.log file contents.

    # cat /var/log/snmpd.log
    Received TERM or STOP signal...  shutting down...

5. Use the same script but pass the restart option to it.

    # /etc/init.d/init.sma restart

   Examine the running processes, did the agent start? Yes

6. Examine the /var/log/snmpd.log file contents.
   Did it stop? Yes

5. Start the agent again with the init.sma script and examine the log file again.

    # /etc/init.d/init.sma start
    # cat /var/log/snmpd.log
    NET-SNMP version 5.0.9

   Explain what happens to the log file at agent startup. The agent creates a new log file at startup.

Note: The agent can be started with the -L option. This sends output to STDERR instead of the /var/log/snmpd.log file. The -f option causes the process to not fork and to run in the foreground of the controlling shell.
Note: Tokens other than ALL are available for use with the -D option. They can be found by searching the source code tree for NET-SNMP. The source code tree is included in the Solaris 10 OS package SUNWsmaS, which is not installed by default. The following command displays an example command line to search the source code for a list of available debug tokens:

    # net-snmp-config --debug-tokens
- Create access control entries and add a read-write user called user1 with security level auth.
- Create a read-only SNMP version 2 (SNMPv2) user called v2user for community public.
- Monitor the http daemon, with a maximum of five processes running and a minimum of zero processes running.

   a. Configure the system information.
   b. Do not read in any existing configuration files.
   c. Create a snmpd.conf file.
   d. Select Access Control from the menu.
   e. Create an SNMPv3 read-write user (called user1).
   f. Level: auth
   g. OID: null
   h. Create an SNMPv2 read-only user (called v2user).
   i. Community: public
   j. Enter return for the next two fields.
   k. Enter finished.
   l. From the list, select Monitor Various Aspects...
   m. Select Check process that should be running, enter httpd as the process, five for the maximum number of processes and zero for the minimum.
   n. Enter finished.
   o. Select System Information Setup.
   p. Select each item and fill in the information requested.
   q. Enter finished.
   r. Enter finished.
   s. Select a file name and save the file.

3. Examine the file that was created, and note the comments and the tokens added to the file.

4. Create a basic configuration file.

   a. Run snmpconf -G to list the groups.

    # snmpconf -G
    Known GROUPs of tokens:
      system_setup
      basic_setup
      monitoring_services
      access_control
      trapsinks

   b. Create a basic setup using the snmpconf script.

    # snmpconf -g basic_setup

5. Create another configuration file using the snmpconf script. This time, explore all of the different menus and options.
    noAuthNoPriv    Checks the user identity
    authNoPriv      Adds the password check
    authPriv        Adds encryption to the data stream

1. Make a backup copy of the /etc/sma/snmp/snmpd.conf file.

    # cp /etc/sma/snmp/snmpd.conf /etc/sma/snmp/snmpd.conf.orig

2. Edit the /etc/sma/snmp/snmpd.conf file and add the following two lines at the bottom of the file:

    rwuser initial
    createUser initial MD5 password DES

   This causes a user called initial to be created when the snmpd daemon reads the snmpd.conf file. This user has security level authNoPriv as the default level. The user's authentication passphrase is password, and the encryption key is also set to password.

3. Display the contents of the /var/sma_snmp/snmpd.conf file.

    # cat /var/sma_snmp/snmpd.conf
    engineBoots 4
    oldEngineID 0x800007e5806944dde60000000040ab809b

   This is the persistent data file where USM stores passwords and encryption keys. Note that the contents are a hexadecimal number representing the SNMP engine ID and a token for the number of times the engine has been booted.

4. Restart the agent.

    # /etc/init.d/init.sma restart

5. Display the contents of the /var/sma_snmp/snmpd.conf file again. Note the new line. This is how the user's password and encryption keys are stored.

    usmUser 1 3 0x800007e5806944dde60000000040ab809b 0x726561646f6e6c7900 0x726561646f6e6c7900 NULL .1.3.6.1.6.3.10.1.1.2 0x4cf5a5374af91349cb9a3a55f6afafb9 .1.3.6.1.6.3.10.1.2.2 0x4cf5a5374af91349cb9a3a55f6afafb9 0x00
    engineBoots 5
    oldEngineID 0x800007e5806944dde60000000040ab809b

6. Test the initial user using the snmpget application.

    # snmpget -v3 -u initial -l authNoPriv \
        -a MD5 -A password localhost sysUpTime.0
    DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1140349) 3:10:03.49

7. Edit the /etc/sma/snmp/snmpd.conf file and remove the line starting with createUser.

8. Restart the agent.

    # /etc/init.d/init.sma restart

9. Test the initial user using the snmpget application.

    # snmpget -v3 -u initial -l authNoPriv \
        -a MD5 -A password localhost sysUpTime.0
    DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1140349) 3:10:03.49

   Is the entry required in the /etc/sma/snmp/snmpd.conf file after the user is created? No
Exercise Solutions This user can be cloned using the snmpusm application. The clone user has the same passphrase and key as the original user so it should be changed. A user can be cloned once. After the clone is created, the user must be removed and re-entered to be cloned again. 10. Clone the initial user with the snmpusm application. Add a new line in the /etc/sma/snmp/snmpd.conf le: rwuser user1 11. Restart the agent. # /etc/init.d/init.sma restart 12. Use the snmpusm application to clone the initial user. # snmpusm -v3 -u initial -l authNoPriv / -a MD5 -A password localhost create user1 initial 13. Use the snmpusm application to change the new users password. # snmpusm -v3 -u initial -l authNoPriv / -a MD5 -A password localhost passwd password 12345678 14. Test the new user entry. # snmpget -v3 -u user1 -l authNoPriv / -a MD5 -A 12345678 localhost sysUpTime.0 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1140349) 3:10:03.49 15. Examine the /var/sma_snmp/snmpd.conf le: is there a new entry? Yes
Task 5 Creating a User With the net-snmp-config Script Using the --create-snmpv3-user Option
1. Use the net-snmp-config script to create a user named user2. This user should have read-only access. Give the user a password and encryption passphrase of at least eight characters. If spaces are used in the encryption passphrase, you must quote the passphrase. Quotes are not required for the authentication passphrase. Run the net-snmp-config script with --help to see a usage statement. The agent must be stopped to use this script.
    # net-snmp-config --help
    ...
    SNMP Setup commands:
      --create-snmpv3-user [-ro] [-a authpass] [-x privpass]
                           [-X DES][-A MD5|SHA] [username]
    ...

    # net-snmp-config --create-snmpv3-user -ro
    Enter a SNMPv3 user name to create: user2
    Enter authentication pass-phrase: this is a test
    Enter encryption pass-phrase:
      [press return to reuse the authentication pass-phrase] "this is a test"
    adding the following line to /var/sma_snmp/snmpd.conf:
       createUser user2 MD5 "this is a test" DES "this is a test"
    adding the following line to /etc/sma/snmp/snmpd.conf:
       rouser user2

2. Examine the /var/sma_snmp/snmpd.conf and /etc/sma/snmp/snmpd.conf files.

    createUser user2 MD5 "this is a test" DES "this is a test"
    rouser user2

3. Restart the agent.

    # /etc/init.d/init.sma restart

4. Use the snmpget application to test the new user.

    # snmpget -v3 -u user2 -l authNoPriv \
        -a MD5 -A "this is a test" localhost sysUpTime.0
    DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1140349) 3:10:03.49

5. Edit the /etc/sma/snmp/snmpd.conf file and change the user2 entry from rouser user2 to rouser user2 authPriv.

6. Restart the agent.

    # /etc/init.d/init.sma restart

7. Use DES encryption and security level authPriv to test the user.

    # snmpget -v3 -u user2 -l authPriv \
        -a MD5 -A "this is a test" -x DES \
        -X "this is a test" localhost sysUpTime.0
    DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1140349) 3:10:03.49

8. Try the snmpget application without the DES key and with security level authNoPriv.

    # snmpget -v3 -u user2 -l authNoPriv \
        -a MD5 -A "this is a test" localhost sysUpTime.0
    Error in packet
    Reason: authorizationError (access denied to that object)
    defVersion ( 1 | 2c | 3 )                               Defaults to 3 (-v 3)
    defCommunity string                                     Default is a null string (-c string)
    defSecurityName string                                  (-u name)
    defContext string                                       The default is a null string (-n "")
    defAuthPassphrase string                                (-A string)
    defPrivPassphrase string                                (-X string)
    defAuthType MD5 | SHA                                   (-a value)
    defPrivType DES                                         DES is the only option at this time (-x DES)
    defSecurityLevel noAuthNoPriv | authNoPriv | authPriv   (-l value)
    dumpPacket ( 1 | yes | true | 0 | no | false )
    doDebugging ( 1 | 0 )
    debugTokens token[,token...]                            (-D token)
There are many more directives.

1. Edit the /etc/sma/snmp/snmp.conf file and add the directives required to make user1 the default user. When you finish, the following commands should work without additional options.

    # snmpget localhost system.sysDescr.0
    # snmpwalk localhost system

   Contents of the snmp.conf file:

    defVersion 3
    defSecurityName user1
    defPassphrase 12345678
    defAuthType MD5
    defSecurityLevel authNoPriv

2. The options passed on the command line take precedence over directives in the snmp.conf file. Construct a snmpget command for sysLocation.0 using user2, and pass only the required options.
        -X "this is a test" -l authPriv localhost sysLocation.0
    SNMPv2-MIB::sysLocation.0 = STRING: "System administrators office"

    # snmpget -D ALL localhost sysLocation.0 2> /var/tmp/error.out
    SNMPv2-MIB::sysLocation.0 = STRING: "System administrators office"

3. Examine the contents of the /var/tmp/error.out file. Answer the following questions:

   What path was used to find configuration files?

    read_config: config path used:/usr/sfw/etc/snmp:/etc/sma/snmp:/usr/sfw/lib/snmp://.snmp:/var/sma_snmp

   Where were the MIB text files located? /etc/sma/snmp/mibs

   What is the OID of the sysLocation.0 variable? ObjID: SNMPv2-MIB::sysLocation.0

   What is the value of the defContext variable? defContext ""

   What port was used?
Note: Tokens other than ALL are available for use with the -D option. They can be found by searching the source code tree for NET-SNMP. The source code tree is included in the Solaris 10 package SUNWsmaS, which is not installed by default. The following command displays an example command line to search the source code for a list of available debug tokens:

    # net-snmp-config --debug-tokens

4. Add the following line to the snmp.conf file.

    doDebugging 1

5. Execute the following command:

    # snmptranslate -Td -IR -OS system.sysDescr

   Debugging data dumps to the screen (STDERR).

6. Now set the doDebugging line in the snmp.conf file to 0 and run the command from the previous step.

    doDebugging 0

    SNMPv2-MIB::sysDescr
    sysDescr OBJECT-TYPE
      -- FROM       SNMPv2-MIB, RFC1213-MIB
      -- TEXTUAL CONVENTION DisplayString
      SYNTAX        OCTET STRING (0..255)
      DISPLAY-HINT  "255a"
      MAX-ACCESS    read-only
      STATUS        current
      DESCRIPTION   "A textual description of the entity.  This value should
                    include the full name and version identification of the
                    system's hardware type, software operating-system, and
                    networking software."
    ::= { iso(1) org(3) dod(6) internet(1) mgmt(2) mib-2(1) system(1) 1 }
    # net-snmp-config --create-snmpv3-user
    Enter a SNMPv3 user name to create: user3
    Enter authentication pass-phrase: this is a test
    Enter encryption pass-phrase:
      [press return to reuse the authentication pass-phrase] "this is a test"
    adding the following line to /var/sma_snmp/snmpd.conf:
       createUser user3 MD5 "this is a test" DES "this is a test"
    adding the following line to /etc/sma/snmp/snmpd.conf:
       rwuser user3

    # snmpget -u user3 -A "this is a test" \
        -l authNoPriv localhost sysLocation.0

2. Edit the snmpd.conf file and add the following line.

    group my_group usm user3

3. Restart the agent.

    # /etc/init.d/init.sma restart

4. Use the snmpwalk application to view the group entry.

    # snmpwalk -v3 -u user1 -l authNoPriv -a MD5 -A 12345678 localhost \
        SNMP-VIEW-BASED-ACM-MIB::vacmGroupName

   Look for the entries for my_group.

    SNMP-VIEW-BASED-ACM-MIB::vacmGroupName.3."user3" = STRING: my_group

5. Add the following line to the snmpd.conf file.

    view my_view included .1.3.6.1.2.1.1 FF

6. Restart the agent.

    # /etc/init.d/init.sma restart

7. Use the snmpwalk application to see the view table entry.

    # snmpwalk -v 3 -u user1 -l authNoPriv -a MD5 -A 12345678 localhost \
        SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyTable

   Look for the entries that include my_view.

    SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyMask."my_view".7.1.3.6.1.2.1.1 = Hex-STRING: FF
    SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyType."my_view".7.1.3.6.1.2.1.1 = INTEGER: included(1)
    SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyStorageType."my_view".7.1.3.6.1.2.1.1 = INTEGER: permanent(4)
    SNMP-VIEW-BASED-ACM-MIB::vacmViewTreeFamilyStatus."my_view".7.1.3.6.1.2.1.1 = INTEGER: active(1)

8. Add the following line to the snmpd.conf file.

    access my_group "" usm authPriv prefix my_view "" ""

9. Restart the agent.

10. Use the snmpwalk application to examine the access table.

    # snmpwalk -v 3 -u user1 -l authNoPriv -a MD5 -A 12345678 localhost \
        SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable
    SNMP-VIEW-BASED-ACM-MIB::vacmAccessContextMatch."my_group"."".3.authPriv = INTEGER: prefix(2)
    SNMP-VIEW-BASED-ACM-MIB::vacmAccessReadViewName."my_group"."".3.authPriv = STRING: my_view
    SNMP-VIEW-BASED-ACM-MIB::vacmAccessStatus."my_group"."".3.authPriv = INTEGER: active(1)

11. Test the view with user3 and security level authPriv.

    # snmpget -v 3 -u user3 -l authPriv -a MD5 -A 12345678 \
        -x DES -X 12345678 localhost sysObjectID.0
    SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.0
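To make the three Task 8 entries concrete, here is an added Python model (not the course's or Net-SNMP's code) of the RFC 3415 lookups the agent performs: the group table maps (securityModel, securityName) to my_group, the access table selects a read view only for requests at or above the authPriv minimum, and the view table decides whether an OID such as sysObjectID.0 falls under .1.3.6.1.2.1.1 with mask FF. The same minimum-level check is what produced the authorizationError in Task 5 step 8, where rouser user2 authPriv was queried at authNoPriv. The access-entry selection is simplified relative to the RFC.

```python
"""Model of the SNMPv3 VACM (RFC 3415) lookups behind the Task 8 snmpd.conf entries.

Added example, not part of the lab or Net-SNMP; the tables mirror the three lines
added in Task 8 and the access-entry selection is simplified."""

SEC_LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}

# group my_group usm user3
GROUPS = {("usm", "user3"): "my_group"}
# view my_view included .1.3.6.1.2.1.1 FF
VIEWS = {"my_view": [(".1.3.6.1.2.1.1", "FF", "included")]}
# access my_group "" usm authPriv prefix my_view "" ""
ACCESS = [{"group": "my_group", "context": "", "model": "usm", "level": "authPriv",
           "match": "prefix", "read": "my_view", "write": "", "notify": ""}]

def oid_to_list(oid):
    return [int(x) for x in oid.strip(".").split(".")]

def family_matches(oid, subtree, mask_hex):
    """vacmViewTreeFamily match: the OID must be at least as long as the subtree and
    agree on every sub-identifier whose mask bit is 1 (MSB of the first octet is the
    first sub-identifier; bits beyond the mask count as 1, so FF fixes the first 8)."""
    o, s, mask = oid_to_list(oid), oid_to_list(subtree), bytes.fromhex(mask_hex)
    if len(o) < len(s):
        return False
    for i, sub in enumerate(s):
        byte, bit = divmod(i, 8)
        fixed = byte >= len(mask) or bool(mask[byte] & (0x80 >> bit))
        if fixed and o[i] != sub:
            return False
    return True

def view_includes(view_name, oid):
    """The most specific (longest subtree) matching family decides included/excluded."""
    best = None
    for subtree, mask, kind in VIEWS.get(view_name, []):
        if family_matches(oid, subtree, mask) and (
                best is None or len(oid_to_list(subtree)) > len(oid_to_list(best[0]))):
            best = (subtree, kind)
    return best is not None and best[1] == "included"

def is_access_allowed(sec_model, sec_name, sec_level, context, op, oid):
    """op is 'read', 'write' or 'notify'. Returns (allowed, reason) as in RFC 3415 3.2."""
    group = GROUPS.get((sec_model, sec_name))
    if group is None:
        return False, "noGroupName"
    matches = [a for a in ACCESS
               if a["group"] == group and a["model"] == sec_model
               and SEC_LEVELS[sec_level] >= SEC_LEVELS[a["level"]]   # minimum level
               and (context == a["context"] if a["match"] == "exact"
                    else context.startswith(a["context"]))]
    if not matches:
        return False, "noAccessEntry"
    # Prefer an exact context match, then the entry with the higher minimum level.
    entry = max(matches, key=lambda a: (a["match"] == "exact", SEC_LEVELS[a["level"]]))
    if not entry[op]:
        return False, "noSuchView"
    if not view_includes(entry[op], oid):
        return False, "notInView"
    return True, "accessAllowed"

if __name__ == "__main__":
    sys_object_id = ".1.3.6.1.2.1.1.2.0"   # sysObjectID.0, queried in step 11
    print(is_access_allowed("usm", "user3", "authPriv", "", "read", sys_object_id))
    print(is_access_allowed("usm", "user3", "authNoPriv", "", "read", sys_object_id))
    print(is_access_allowed("usm", "user3", "authPriv", "", "read", ".1.3.6.1.2.1.2.1.0"))
```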