Appendix A. Installing and Upgrading to Gauntlet 4.1

This appendix provides implementation-specific information on installing and upgrading to Gauntlet 4.1. This information supplements the Personal System Administration Guide and the Software Installation Administrator's Guide, which are both available online.

The appendix explains installation and upgrade in the following sections:


Note: If you are upgrading to Gauntlet 4.1 from a previous version of Gauntlet, you should back up your firewall and follow the same instructions as someone installing Gauntlet for the first time. Make sure you install the license shipped with Gauntlet 4.1. Your previous license will not work.


Gauntlet Execution Environment Subsystems

Gauntlet Execution Environment includes these subsystems:

Table A-1. Gauntlet Execution Environment Subsystems

Subsystem                        Description

gauntlet_eoe.books.Gauntlet_AG   Gauntlet for IRIX Administrator's Guide.
gauntlet_eoe.books.Gauntlet_NG   Gauntlet for IRIX Netperm Table Reference Guide.
gauntlet_eoe.man.gauntlet        On-line manual pages for some Gauntlet components.
gauntlet_eoe.man.relnotes        Gauntlet release notes.
gauntlet_eoe.sw.ace              Software support for Security Dynamics ACE authentication server.
gauntlet_eoe.sw.apop             Software support for APOP (mail) user authentication.
gauntlet_eoe.sw.ccard            Software support for CRYPTOCard user authentication.
gauntlet_eoe.sw.gauntlet         Base Gauntlet software, required.
gauntlet_eoe.sw.gui              Gauntlet Firewall Manager software, required.
gauntlet_eoe.sw.mdauth           Software support for MD5 user authentication.
gauntlet_eoe.sw.safeword         Software support for Secure Computing SafeWord authentication server.
gauntlet_eoe.sw.skey             Software support for S/Key user authentication.
gauntlet_eoe.sw.vasco            Software support for VASCO Access Key II user authentication.
gauntlet_eoe.sw.radius           Software support for RADIUS authentication.
gauntlet_eoe.sw.digipass         Software support for Digipass authentication.

The Gauntlet distribution media also includes some patches that are necessary for Gauntlet operation. The U.S. Domestic version also includes the gauntlet_encrypt subsystems. The patches and the gauntlet_encrypt subsystems have their own release notes.

Gauntlet Disk Space Requirements

This section lists the subsystems of the Gauntlet Execution Environment and their sizes.


Note: The listed subsystem sizes are approximate. See the IRIS Software Installation Guide for information on finding exact sizes.


Table A-2. Gauntlet Subsystem Sizes

Subsystem Name               Subsystem Size (kilobytes)

gauntlet_eoe.man.gauntlet    256
gauntlet_eoe.sw.ace          300
gauntlet_eoe.sw.apop         292
gauntlet_eoe.sw.ccard        452
gauntlet_eoe.sw.gauntlet     6828
gauntlet_eoe.sw.gui          4064
gauntlet_eoe.sw.mdauth       324
gauntlet_eoe.sw.safeword     168
gauntlet_eoe.sw.skey         500
gauntlet_eoe.sw.vasco        440


Prerequisites for Installing Gauntlet

Users of Gauntlet for IRIX must have a software license and meet the software prerequisites listed in this section.

Software License

Before you start to install Gauntlet 4.1, obtain a software license for the product. See “Activating Your Gauntlet License” for more information.

IRIX Software Prerequisites

Your Silicon Graphics system must be running IRIX release 6.2, 6.3, 6.4, or 6.5, and various software subsystems that are part of the IRIX system must be installed before you can run Gauntlet software.

To check your IRIX release level:

  1. From the Desktop toolchest, choose Desktop > Unix Shell.

  2. Type: uname -r

    This returns the operating system version.

  3. To check whether the ipgate and named subsystems are installed, type:

    versions eoe.sw.ipgate eoe.sw.named

If these subsystems are installed, you will see these lines:

I eoe            <date>  IRIX Execution Environment, 6.2
I eoe.sw         <date>  IRIX Execution Environment Software
I eoe.sw.ipgate  <date>  IP Network Gateway Support
I eoe.sw.named   <date>  Berkeley Internet Name Domain Server

(Notice the “I” (installed) at the beginning of each line.)

If these subsystems are not installed, follow the IRIX installation instructions to install them on your system before continuing.
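
The two checks above can be combined into one preflight script. This is an added example, not part of the original guide or the Gauntlet distribution: the function names and the sample versions listing (including its dates) are constructed for illustration, and the supported releases and required subsystems are the ones named in this section.

```shell
#!/bin/sh
# Added example: preflight check for the IRIX prerequisites listed above.
# Function names are hypothetical; they are not Gauntlet or IRIX commands.

# Succeeds if the release string (as printed by `uname -r`) is 6.2 to 6.5.
irix_release_supported() {
    case "$1" in
        6.2|6.3|6.4|6.5) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads `versions` output on stdin and prints each required subsystem
# (given as arguments) that has no line starting with the "I" marker.
missing_subsystems() {
    listing=$(cat)
    for want in "$@"; do
        printf '%s\n' "$listing" |
            awk -v s="$want" '$1 == "I" && $2 == s { found = 1 } END { exit !found }' ||
            printf '%s\n' "$want"
    done
}

# Constructed sample listing: named is installed, ipgate is absent.
SAMPLE_VERSIONS='I eoe            01/01/1998  IRIX Execution Environment, 6.2
I eoe.sw         01/01/1998  IRIX Execution Environment Software
I eoe.sw.named   01/01/1998  Berkeley Internet Name Domain Server'

# $1 = release string, stdin = versions output.
preflight() {
    irix_release_supported "$1" || { echo "unsupported IRIX release: $1"; return 1; }
    missing=$(missing_subsystems eoe.sw.ipgate eoe.sw.named)
    [ -z "$missing" ] || { echo "missing subsystems: $missing"; return 1; }
    echo "prerequisites met"
}

# On the firewall host, the live equivalent would be:
#   versions eoe.sw.ipgate eoe.sw.named | preflight "$(uname -r)"
printf '%s\n' "$SAMPLE_VERSIONS" | preflight 6.2 || true
```
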

Installing the Software

All Gauntlet subsystems can be installed while your system is running. These installation instructions give an overview of how to install the software from a CD-ROM drive that is connected directly to your system. To install the software from a remote CD-ROM drive, or for more detailed information, see the online InSight administrator manuals.

To install the Gauntlet Execution Environment, follow these steps:

  1. Log in as root, as follows.

    • In a shell window, type login root

    • Provide the root password if required.

  2. Insert the Gauntlet 4.1 CD-ROM into your CD-ROM drive.

  3. In the shell window, type:

    inst -f /CDROM/dist

  4. At the inst> prompt, type:

    inst> install default 
    inst> install patch*
    inst> go
    

    You may see messages from inst(1M) that indicate that it cannot proceed because of conflicts. Some patch files included on the Gauntlet 4.1 CD-ROM may include updates to IRIX software subsystems which you do not have installed. You can safely resolve such conflicts by choosing to not install that part of that patch using the conflicts command.

    Below is an example of the kind of conflict which can safely be resolved. Note that the conflict in this example is that the base subsystem is not installed:

    Patch patchSG0000639.eoe1_sw.svr4net does not have base subsystem eoe1.sw.svr4net version 1021572036 to 1029999900 installed 
    1a. Do not install patchSG0000639.eoe1_sw.svr4net (1029999906)
    

    To resolve the above conflict, you would type at the inst> command line:

    inst> conflicts 1a 
    

    See the Software Installation Administrator's Guide for help with other conflicts. After all conflicts are resolved, type go at the inst> prompt to try again.

    The software is installed when you see this message:

    Installation and/or removal succeeded. You can insert another tape or CD-ROM now. Type "quit" if you are ready to leave the installation tool.
    

  5. At the inst> prompt, type:

    inst> quit 
    

    You may see some exit messages.

  6. Reboot your system.

    The new software will be used.

  7. After you've installed the software, you have to configure it. See “Configuring the Firewall” for more information.

Files In This Release

To find out exactly which files were installed, use the showfiles(1M) command. To see all the files that were installed as part of the Gauntlet Execution Environment, type:

showfiles gauntlet_eoe 

If you would like to see files of specific subsystems, for example, what files were installed for S/Key support, call showfiles(1M) with the subsystem, as follows:

showfiles gauntlet_eoe.sw.skey

See Table A-1 for a list of all subsystems.

To find out which files would be installed before installing the Gauntlet Execution Environment subsystems, follow these steps:

  1. In a shell window, type:

    # inst -f /CDROM/dist

  2. At the inst> prompt, type:

    inst> admin

    At the admin> prompt, type:

    admin> files gauntlet_eoe

  3. To exit:

    • At the admin> prompt, type return.

    • At the inst> prompt, type quit

Gauntlet Configuration

You must configure Gauntlet before it works correctly. Gauntlet provides a text-based interface to help you configure your firewall for management via the Web. To get started, run the /usr/local/etc/gauntlet-admin command. When you finish setting up your firewall, reboot your machine. You can continue configurations using the Web-based Gauntlet Firewall Manager located at http://your_host:21000/auth/gui.html.

“Upgrading to Gauntlet 4.1” explains how to use the upgrade tool to automatically change most configuration information.

Activating Your Gauntlet License

Your copy of Gauntlet for IRIX requires a software license in order to operate. This chapter defines some important software licensing terms, describes the basic procedure for obtaining, installing, and testing a software license for Gauntlet for IRIX, and lists addresses and phone numbers for contacting Silicon Graphics License Administration.

For more information about software licenses, see the FLEXlm User's Guide, which provides detailed information on using and administering software licenses. It is included in the system software documentation; the online version is in the subsystem license_eoe.books.FlexLM_UG.

A Few Definitions

A software license is a collection of information that, after installation, allows you to use a licensed software product on one or more systems. Software license information includes license type, license expiration date, a license password, system hostname, and host ID number (lmhostid), and additional information concerning the license and licensed software.

You can find the host name using the command /sbin/uname -n, and the host ID number using the command /usr/sbin/lmhostid. The license must be installed on the system that has the host name included in the software license information. If the host ID in the license is “ANY”, the software license can be installed on any system.

There are two types of software licenses, node-locked and concurrent:

  • node-locked—A node-locked license is installed on a particular system (node) and allows the licensed software to run on that system.

  • concurrent—A concurrent license allows the licensed software to run on one or more systems in the network simultaneously. The number of systems (nodes) allowed is included in the software license information. The system on which a concurrent license is installed must be configured as a license server. (See Chapter 1 of the FLEXlm User's Guide for more information about license servers.)

There are two durations of software licenses, temporary and permanent:

  • temporary—A temporary license allows you to use the licensed software for a short period, typically a week to several months. The expiration date tells you the last date on which you can use the licensed software. Temporary licenses are often shipped with software so that you can use the software before a permanent license is issued.

  • permanent—A permanent license allows you to use this release of the licensed software for a long time. Permanent licenses are issued only for software that has been purchased.

Obtaining and Installing a Software License

To obtain and install a software license, follow these steps:

  1. Check whether you have received software license information.

    Software license information is distributed in several ways: on labels attached to a Software License Registration card, on sheets of paper included with the product, or by mail, FAX, electronic mail, or via the World Wide Web.

  2. Determine if you need to install a software license.

    You may or may not need to install a software license for Gauntlet for IRIX:

    • If you are updating your system to this release of Gauntlet for IRIX, you need to install a new license at this time.

    • If you have received both a temporary license and a permanent software license, install the permanent license; do not install the temporary license.

    • If you have received a permanent license, you should install it because it enables you to use the software that you have purchased.

    • If concurrent licenses are used at your site and you plan to use an already-installed license, you can install and use the licensed software on your system without installing a license.

    • If you have received a temporary software license but do not need to use the software immediately, you may choose to wait to install a license until you obtain the permanent license.

  3. Request a software license if you don't have a software license at all, or if you have a temporary license and need a permanent license.

    To obtain a software license, fill out the Software License Registration card that was included with the software (or the replica in the FLEXlm User's Guide). Send the information or the card by electronic mail (preferred), FAX, or mail to Silicon Graphics License Administration or your local service provider. After your request is received by Silicon Graphics or your local service provider, you should receive a software license within two business days.

  4. Identify the system on which you will install the software license.

    Because software license information usually must be installed on a particular system, follow these guidelines:

    • Use the /sbin/uname -n command to identify the system on which the license is intended to be used.

    • If the sysinfo is “ANY,” you can install the license on any system you choose.

    • If the host name included with the software license information doesn't match the host name of the system on which you want to install the license, contact Silicon Graphics License Administration.

  5. Install the software license (temporary or permanent).

    Check the license type listed in the software license information to find out whether the license is a node-locked license or a concurrent license. The installation procedure depends on the license type:

    • If you are installing a node-locked license, use the LicenseManager(1M) tool. You can bring up the tool by choosing “License Manager” from the System toolchest.

    • If the license is a concurrent license, you may need to configure the system on which you plan to install the license as a license server. (See Chapter 1 of the FLEXlm User's Guide for more information about license servers.)

  6. Verify that the software license has been successfully installed.

    If the software license is not working, running the command /etc/init.d/gauntlet start will result in a number of warnings about missing licenses.


Note: If you installed a temporary license and you are entitled to a permanent license, replace the temporary license with a permanent license as soon as possible to ensure uninterrupted use of Gauntlet for IRIX.


Upgrading to Gauntlet 4.1

If you are upgrading to Gauntlet 4.1 from a previous version of Gauntlet, you can, for the most part, follow the same installation instructions as a new user (see “Installing the Software”).

However, the file formats used by Gauntlet 4.1 are in some cases quite different from those used by Gauntlet 3.2. This means that your old configuration files will not work with your new version of Gauntlet.

Gauntlet 4.1 for IRIX provides an upgrade program, /usr/local/etc/gauntlet-upgrade, which translates your old configuration files into the new formats wherever possible. This helps you avoid reentering all your configuration data.

Upgrade Instructions

To use the upgrade program:

  1. Log into your Gauntlet firewall as root.

  2. Enter the command:

    /usr/local/etc/gauntlet-upgrade

  3. The gauntlet-upgrade program will inform you of its progress as it translates your files, concluding with the word “Done”.

  4. You are now ready to set up your firewall using the text-based gauntlet-admin interface, as described in previous chapters.

How the Upgrade Program Works

The gauntlet-upgrade program performs the following functions:

  • Translates data stored by the Gauntlet 3.2 administrative interface to formats readable by the Gauntlet 4.1 Java-based Firewall Manager.

    Variables previously stored in /usr/gauntlet/cgi-data/*.g are now stored in /usr/local/etc/mgmt/gauntlet.conf.

  • Copies files which are in new locations under Gauntlet 4.1, including the authorization database, info server database and integrity verification files.

  • Translates Gauntlet 3.2 trusted and untrusted network configurations to Gauntlet 4.1 format.

  • Translates Gauntlet 3.2 explicit routing setup to Gauntlet 4.1 static routes.

  • Converts swIPe and PC Extender configuration files.

  • Converts plug gateway configuration files.

Upgrade Considerations

Keep in mind the following issues when using the gauntlet-upgrade program:

  • Run gauntlet-upgrade immediately after you have installed Gauntlet 4.1, but before you have configured your firewall using gauntlet-admin. Changes made by gauntlet-admin would be lost during the upgrade process.

  • The gauntlet-upgrade program is not designed to be run more than once.

  • gauntlet-upgrade attempts to upgrade all aspects of your firewall which are configurable through the Gauntlet 3.2 administrative interface.

  • gauntlet-upgrade replicates your Gauntlet 3.2 configuration whenever possible. However, in some cases an automatic upgrade may not be feasible. When using the Gauntlet 4.1 Firewall Manager GUI for the first time, carefully check each aspect of your configuration and make updates where needed.

  • Manual changes to the Netperm table are not automatically upgraded; you have to make these changes through the Gauntlet 4.1 Firewall Manager or by manually editing /usr/local/etc/netperm-table.

  • Manual changes to ipfilterd rules are not automatically upgraded; you have to copy your changes to /usr/local/etc/mgmt/template.ipfilterd.conf.