How to install SSO Server in Solaris 10 Zones?

Document ID : KB000049747
Last Modified Date : 14/02/2018

Description:

If you plan to install SSO Server in a Solaris Local Zone, you must first install and configure the embedded Access Control (AC) component in the host's Global Zone.

Moreover, it has proven advantageous for various reasons to enable an alternative mechanism for the interaction between the AC kernel module and the daemons.

This document describes how to do this.

Solution:

  1. Install AC in the Global Zone

    Before installing SSO Server in any Local Zone, it is necessary to install AC alone in this host's Global Zone.
    In a root shell connected to the Global Zone, locate and run the AC installer:

    cd /tmp/eTrustAccessControl/solaris
    ./install_base

    Select the default options and finish the installation.
  2. Configure AC to use IOCTL

    Edit the file /opt/CA/AccessControl/seos.ini and set
    SEOS_use_ioctl = 1
  3. Adjust the AC init script to load only the AC kernel module

    A sample init script to startup AC is provided in
    /opt/CA/AccessControl/samples/system.init/Solaris2.x/S99SEOS

    Edit the file and replace the call that loads the full AC with the call that loads only the AC kernel module:
    ...
    # "${SEOSBIN}"/seload > /dev/null
    "${SEOSBIN}"/SEOS_load > /dev/null
    ...
    Implement the modified init script so that it gets parsed upon startup of the Global Zone.
    Please see the Solaris documentation for how to do this.

    Note:

    When rebooting the complete Solaris 10 host, make sure that the AC kernel module is loaded in the Global Zone before starting up any Local Zone and the SSO Server in the Local Zone.

    To verify that the AC kernel module has been loaded successfully, run
    /opt/CA/AccessControl/bin/issec
    The output should say:
    ...
    CA Access Control kernel extension is loaded.
    CA Access Control daemons are not running.
    ...
  4. Install SSO Server in any Local Zone

    Open a root shell in the Local Zone and run the SSO Server installer
    cd /tmp/eTrustSSOServer
    ./setup
    Right after installation the automatic startup of AC and SSO Server might fail since AC is not configured yet to use the Global Zone's AC kernel.

  5. Configure the embedded AC in the Local Zone to use IOCTL

    Edit the file /opt/CA/AccessControl/seos.ini and set
    SEOS_use_ioctl = 1
  6. Inventory AC in the newly created Local Zone

    On the Global Zone invoke 'SEOS_load -z' followed by 'SEOS_load -i'
    This should produce an output similar to the one below listing all the configured zones:
     SEOS_load: device usage enabled.
     module: 219 7ae00000 72140 314 1 seos (SEOS driver v12.0)
     dev major: seos 314
     dev path : /devices/pseudo/seos@0:seos
     dev link : /dev/seos
     zone: ssotest1 match: /dev/seos.
     zone: ssotest2 match: /dev/seos.
    Note:
    This step needs to be repeated whenever a new Local Zone is created and SSO is installed to it.

  7. Reboot the Global Zone and then the Local Zone

    Verify with SSO Client and also Policy Manager that SSO Server is working correctly in all the Local Zones.
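
The checks from steps 2, 3, 5 and 6 can be scripted. The following is an added example, not part of the original document or of the vendor's tooling: the function names are hypothetical, the sample files are constructed from the output quoted above, and it assumes POSIX grep, sed and tail. On a real host, pass /opt/CA/AccessControl/seos.ini and the saved output of issec and 'SEOS_load -i' instead of the sample files.

```sh
#!/bin/sh
# Added example (not vendor code). Assumes POSIX grep/sed/tail; on Solaris 10
# put /usr/xpg4/bin ahead of /usr/bin in PATH.

# Steps 2 and 5: succeed only if the last active SEOS_use_ioctl line is 1.
# Lines that do not start with the key (e.g. disabled ones) are ignored.
ioctl_enabled() {
    val=$(sed -n 's/^[[:space:]]*SEOS_use_ioctl[[:space:]]*=[[:space:]]*\([0-9A-Za-z]*\).*$/\1/p' "$1" | tail -n 1)
    [ "$val" = "1" ]
}

# Step 3: succeed only if saved issec output shows the kernel module loaded
# and the daemons stopped (the expected state in the Global Zone).
kernel_only() {
    grep -F "kernel extension is loaded" "$1" >/dev/null &&
        grep -F "daemons are not running" "$1" >/dev/null
}

# Step 6: print every expected zone that has no "zone: <name> match:" line
# in saved 'SEOS_load -i' output. Prints nothing when all zones are listed.
zones_missing() {
    out=$1; shift
    for z in "$@"; do
        grep -F "zone: $z match:" "$out" >/dev/null || printf '%s\n' "$z"
    done
}

# Constructed sample inputs, modelled on the output quoted in this document.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '; SEOS_use_ioctl = 1\nSEOS_use_ioctl = 0\n' > "$tmp/seos_bad.ini"
printf 'SEOS_use_ioctl = 1\n' > "$tmp/seos_ok.ini"
printf 'CA Access Control kernel extension is loaded.\nCA Access Control daemons are not running.\n' > "$tmp/issec.txt"
printf 'SEOS_load: device usage enabled.\nzone: ssotest1 match: /dev/seos.\nzone: ssotest2 match: /dev/seos.\n' > "$tmp/zones.txt"

ioctl_enabled "$tmp/seos_ok.ini"  && echo "seos_ok.ini: IOCTL enabled"
ioctl_enabled "$tmp/seos_bad.ini" || echo "seos_bad.ini: IOCTL NOT enabled"
kernel_only "$tmp/issec.txt"      && echo "issec: kernel module only, as expected"
echo "zones not inventoried: $(zones_missing "$tmp/zones.txt" ssotest1 ssotest3)"
```

A zone reported by zones_missing has not been inventoried yet, which is the case step 6 says to fix by repeating 'SEOS_load -z' and 'SEOS_load -i' in the Global Zone.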