
Domain Solaris OE Configuration

This section describes the additional packages, daemons, startup scripts, and other configuration modifications that are specific to a Sun Fire 15K domain. Not all of these daemons affect the security of the system directly, but from a security perspective you should always know which of them are present, what they listen on, and what their impact on the system is.

The following Sun Fire 15K domain-specific packages are installed as part of the SUNWCall cluster:

system SUNWdrcrx  Dynamic Reconfiguration Modules for Sun Fire 15000 (64-bit)
system SUNWsckmr  Init script & links for Sun Fire 15000 Key Management daemon
system SUNWsckmu  Key Management daemon for Sun Fire 15000
system SUNWsckmx  Key Management Modules for Sun Fire 15000 (64-Bit)

The Sun Fire 15K domain software does not change /etc/passwd, /etc/shadow, or /etc/group files. This is unlike the Sun Fire 15K SMS software on the System Controller (SC) which does modify these files.

The Sun Fire 15K domain-specific daemons are:

root  11  1 0 17:28:32 ? 0:00 /platform/SUNW,Sun-Fire-15000/lib/cvcd 
root  121 1 0 17:28:46 ? 0:00 /usr/platform/SUNW,Sun-Fire-15000/lib/sckmd 

While they are not Sun Fire 15K domain-specific, the following daemons are used for Dynamic Reconfiguration on Sun Fire 15K domains and should not be disabled:

root  324   1 0 07:47:24 ?    0:00 /usr/lib/efcode/sparcv9/efdaemon 
root  58   1 0 05:32:57 ?    0:00 /usr/lib/sysevent/syseventd
root  60   1 0 05:32:57 ?    0:00 /usr/lib/sysevent/syseventconfd 
root  65   1 0 05:32:59 ?    0:00 devfsadmd
root  371   1 0 05:33:12 ?    0:00 /usr/lib/saf/sac -t 300
root  631  295 0 16:30:34 ?    0:00 /usr/lib/dcs

Sun Fire 15K daemons are started by several different startup scripts including the /etc/init.d/cvc and /etc/init.d/sckm scripts.

The additional network used by a Sun Fire 15K domain to communicate with the Sun Fire 15K SC is defined in the same way as a regular network connection, through an /etc/hostname.* file. A typical Sun Fire 15K domain has a file similar to the following:

# more /etc/hostname.dman0
192.168.103.2 netmask 255.255.255.224 private up

The /etc/hostname.dman0 entry configures the I1 network, the domain-to-SC Management Network (MAN). This IP address, 192.168.103.2, is used for point-to-point communication between the domain and the SC. The connection is implemented over the internal Sun Fire 15K MAN; no external wiring is used.

The network configuration appears as follows:

dman0: flags=1008843<UP,BROADCAST,RUNNING,MULTICAST,PRIVATE,IPv4> mtu 1500 index 2
        inet 192.168.103.2 netmask ffffffe0 broadcast 192.168.103.31
        ether 8:0:20:be:f8:f4

While the dman0 network supports regular Internet Protocol (IP)-based network traffic, it should only be used by Sun Fire 15K management traffic. Any other use of this internal network may affect the reliability, availability, and serviceability (RAS) of the entire platform. Refer to the scman (7D) and dman (7D) man pages for more information.
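The following is an added example, not part of the original article or of the Sun Fire 15K software, that checks the two artifacts above against each other: it parses an /etc/hostname.dman0 line and the matching ifconfig output, converts the hexadecimal netmask, recomputes the broadcast address for the /27, and confirms that the interface is marked private (so in.routed does not advertise the MAN). The sample inputs are copied from the text; the "bad" hostname file is constructed for illustration, and the function and variable names are assumptions of this example.

```python
import ipaddress
import re

# Sample inputs modelled on the /etc/hostname.dman0 file and ifconfig output
# shown in the text (not captured from a live domain).
HOSTNAME_DMAN0 = "192.168.103.2 netmask 255.255.255.224 private up\n"

IFCONFIG_DMAN0 = (
    "dman0: flags=1008843<UP,BROADCAST,RUNNING,MULTICAST,PRIVATE,IPv4> mtu 1500 index 2\n"
    "        inet 192.168.103.2 netmask ffffffe0 broadcast 192.168.103.31\n"
    "        ether 8:0:20:be:f8:f4\n"
)

# Constructed misconfiguration: wrong netmask and no 'private' keyword.
HOSTNAME_DMAN0_BAD = "192.168.103.2 netmask 255.255.255.0 up\n"


def parse_hostname_file(text):
    """Parse a Solaris /etc/hostname.<if> line: address [netmask mask] [keywords...]."""
    tokens = text.split()
    addr = ipaddress.IPv4Address(tokens[0])
    mask = None
    keywords = set()
    i = 1
    while i < len(tokens):
        if tokens[i] == "netmask":
            mask = ipaddress.IPv4Address(tokens[i + 1])
            i += 2
        else:
            keywords.add(tokens[i])
            i += 1
    return addr, mask, keywords


def parse_ifconfig(text):
    """Pull flags, address, netmask (printed as 8 hex digits) and broadcast from ifconfig output."""
    flags = set(re.search(r"flags=[0-9a-f]+<([^>]*)>", text).group(1).split(","))
    m = re.search(r"inet (\S+) netmask ([0-9a-f]{8}) broadcast (\S+)", text)
    addr = ipaddress.IPv4Address(m.group(1))
    mask = ipaddress.IPv4Address(int(m.group(2), 16))   # ffffffe0 -> 255.255.255.224
    bcast = ipaddress.IPv4Address(m.group(3))
    return addr, mask, bcast, flags


def audit_man_interface(hostname_text, ifconfig_text):
    """Return a list of findings; an empty list means the boot-time file and the
    running interface agree and the MAN is configured as a private link."""
    findings = []
    h_addr, h_mask, h_keys = parse_hostname_file(hostname_text)
    i_addr, i_mask, i_bcast, i_flags = parse_ifconfig(ifconfig_text)

    if h_addr != i_addr:
        findings.append(f"address mismatch: file {h_addr}, running {i_addr}")
    if h_mask != i_mask:
        findings.append(f"netmask mismatch: file {h_mask}, running {i_mask}")

    # Recompute the broadcast address from the running address/netmask.
    expected_bcast = ipaddress.IPv4Network(f"{i_addr}/{i_mask}", strict=False).broadcast_address
    if i_bcast != expected_bcast:
        findings.append(f"broadcast {i_bcast} inconsistent with netmask (expected {expected_bcast})")

    # 'private' keeps in.routed from advertising the MAN to other networks.
    if "private" not in h_keys:
        findings.append("hostname file lacks 'private': in.routed may advertise the MAN")
    if "PRIVATE" not in i_flags:
        findings.append("running interface lacks the PRIVATE flag")
    if "UP" not in i_flags or "RUNNING" not in i_flags:
        findings.append("interface is not UP and RUNNING")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", HOSTNAME_DMAN0), ("bad", HOSTNAME_DMAN0_BAD)):
        print(label, audit_man_interface(cfg, IFCONFIG_DMAN0) or "no findings")
```

On a real domain the two inputs would be read from /etc/hostname.dman0 and from the output of ifconfig dman0; the checks are the same. The point of comparing both is that the hostname file only matters at boot, so a change made with ifconfig at run time shows up only in the second.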

Additionally, all Sun Fire 15K SC-to-domain communication over the MAN network is encrypted through the use of IPsec. The IPsec protocol suite is used to provide privacy and authentication services at the IP layer as defined by the Internet Engineering Task Force (IETF). For additional information about IPsec, refer to RFC 2411 at http://www.ietf.org.

Attempts to access Sun Fire 15K domain and SC daemons from non-MAN networks generate syslog messages indicating that an access attempt was made: the packet arrives in the clear, fails the IPsec policy that requires protection for that traffic, and is dropped. A log message appears as follows:

Sep 20 08:04:26 xc17p13-b5 ip: [ID 993989 kern.error] ip_fanout_tcp_listen: Policy Failure for the incoming packet (not secure); Source 192.168.181.252, Destination 010.001.073.042.
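Because these messages are the only signal that someone reached for the management daemons from outside the MAN, they are worth collecting rather than just noticing. The following is an added example, not part of the original article or of the Sun Fire 15K software, that parses the IPsec policy-failure message format shown above out of a syslog stream, normalizes the zero-padded addresses the kernel prints (010.001.073.042 is 10.1.73.42, and recent Python versions reject leading zeros in IPv4 literals), and summarizes the sources, separating those that are not on the MAN. The first sample line is the message from the text; the other two lines, the MAN range and all names are constructed assumptions of this example.

```python
import ipaddress
import re

# Sample syslog input: line 1 is the message quoted in the text; lines 2 and 3
# are constructed for illustration and were not captured from a real domain.
SAMPLE_SYSLOG = """\
Sep 20 08:04:26 xc17p13-b5 ip: [ID 993989 kern.error] ip_fanout_tcp_listen: Policy Failure for the incoming packet (not secure); Source 192.168.181.252, Destination 010.001.073.042.
Sep 20 08:05:01 xc17p13-b5 ip: [ID 993989 kern.error] ip_fanout_tcp_listen: Policy Failure for the incoming packet (not secure); Source 192.168.103.3, Destination 192.168.103.002.
Sep 20 08:05:02 xc17p13-b5 sendmail[412]: [ID 702911 mail.info] starting daemon (8.12.2)
"""

# Assumed MAN range for this domain, taken from the /etc/hostname.dman0 example.
MAN_NETWORK = ipaddress.IPv4Network("192.168.103.0/27")

POLICY_FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ip: \[ID \d+ kern\.error\] "
    r"(?P<func>\w+): Policy Failure for the incoming packet \((?P<reason>[^)]*)\); "
    r"Source (?P<src>\d+(?:\.\d+){3}), Destination (?P<dst>\d+(?:\.\d+){3})\.?$"
)


def normalize_ip(text):
    """The kernel prints octets zero-padded ('010.001.073.042'); strip the padding
    before handing the string to ipaddress, which rejects leading zeros."""
    return ipaddress.IPv4Address(".".join(str(int(octet)) for octet in text.split(".")))


def parse_policy_failures(log_text):
    """Return one record per IPsec policy-failure message; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = POLICY_FAILURE.match(line)
        if not m:
            continue
        events.append({
            "timestamp": m.group("ts"),
            "host": m.group("host"),
            "function": m.group("func"),
            "reason": m.group("reason"),
            "src": normalize_ip(m.group("src")),
            "dst": normalize_ip(m.group("dst")),
        })
    return events


def summarize(events, man_network=MAN_NETWORK):
    """Count failures per source address and pick out the sources that are not on
    the MAN: those are the hosts probing the management daemons from outside."""
    counts = {}
    outside_man = set()
    for ev in events:
        src = str(ev["src"])
        counts[src] = counts.get(src, 0) + 1
        if ev["src"] not in man_network:
            outside_man.add(src)
    return counts, outside_man


if __name__ == "__main__":
    evs = parse_policy_failures(SAMPLE_SYSLOG)
    for ev in evs:
        print(f"{ev['timestamp']} {ev['host']} {ev['src']} -> {ev['dst']} ({ev['reason']})")
    counts, outside = summarize(evs)
    print("per-source counts:", counts)
    print("sources outside the MAN:", sorted(outside))
```

A cleartext packet from a MAN address (the second constructed line) is a different finding from an external probe: it points at an IPsec misconfiguration on the SC or domain side rather than at an outsider, so the summary keeps the two apart instead of folding them into one count.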

NOTE

Do not use MAN networks for anything other than Sun Fire 15K management traffic. These are Sun Fire 15K specific networks and they are not for general-purpose use.
