
Running the Protection Program

In the document Administering Your DOMAIN System (pages 102-106)

This section provides a procedure for running a program that protects your registry database and system software in a secure network. Use Procedure 5-1 when you

• Create a registry for the network

• Create a registry for a new node in an existing network

• Change the location of rgy_master or rgy_site[n] and the new location does not have adequate security.

When you install new software in a secure network, the software installation procedure automatically executes the protection program.

Run the protection procedure on any disked node in the network. Before executing the procedure, use the lvolfs command to determine the amount of disk space available on the node. The procedure needs 3000 blocks of disk space. If the disk space is inadequate, remove user files, not DOMAIN system files, to perform the procedure. When the procedure is finished, return the files to the disk.

Run the procedure first on the master site node. Then, repeat it on each of the other site nodes and, finally, on each nonsite node. The master site node must be available when you run the procedure on other nodes.

If a node's system software contains links to other system objects, the protection procedure sets the ACLs for the object to which the link points. For example, if /sys/help on one node is a link to the /sys/help tree on another node, the protection procedures will set ACLs for the second node's /sys/help tree.

In a new network, execute the protection procedure immediately after creating the registry and before creating any links in place of standard software. Then, you need not be concerned with links when you run the protection procedure.

If nodes have links of the type described above, delete the links before executing the procedure, then re-create them when the procedure is finished.

NOTE: Before executing this procedure, the node must be cataloged and must have its registry files and directories.
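The preconditions above (3000 free blocks, run order, cross-node links, cataloged node with registry files) can be checked before anyone starts the program. The following pre-flight planner is an added example, not part of the DOMAIN manual or software; the Node record, the inventory values and every node name except //george are constructed, and treating "exactly one master site node" as a hard requirement is an assumption.

```python
from dataclasses import dataclass, field

REQUIRED_BLOCKS = 3000                                # free blocks the procedure needs
RUN_ORDER = {"master": 0, "site": 1, "nonsite": 2}    # order given in the text

@dataclass
class Node:                       # hypothetical inventory record
    name: str                     # e.g. "//george"
    role: str                     # "master", "site" or "nonsite"
    free_blocks: int              # read off lvolfs by the administrator
    cataloged: bool = True
    has_registry_files: bool = True
    links: dict = field(default_factory=dict)   # link path -> link target

def cross_node_links(node):
    """Links that resolve to another node; the run would re-ACL that node's tree."""
    def remote(target):
        local = target == node.name or target.startswith(node.name + "/")
        return target.startswith("//") and not local
    return sorted(path for path, target in node.links.items() if remote(target))

def blockers(node):
    """Everything that must be fixed before running the procedure on this node."""
    found = []
    if node.free_blocks < REQUIRED_BLOCKS:
        found.append(f"free {REQUIRED_BLOCKS - node.free_blocks} more blocks")
    if not node.cataloged:
        found.append("catalog the node")
    if not node.has_registry_files:
        found.append("create registry files and directories")
    for path in cross_node_links(node):
        found.append(f"delete link {path}, re-create after the run")
    return found

def plan(nodes):
    """Return [(node name, blockers)] in the order the procedure must be run."""
    if sum(n.role == "master" for n in nodes) != 1:
        raise ValueError("exactly one master site node is required")
    ordered = sorted(nodes, key=lambda n: (RUN_ORDER[n.role], n.name))
    return [(n.name, blockers(n)) for n in ordered]

# Constructed sample inventory; only //george appears on the page.
SAMPLE = [
    Node("//node_c", "nonsite", 5200, links={"/sys/help": "//george/sys/help"}),
    Node("//site_b", "site", 4100, cataloged=False),
    Node("//george", "master", 2500, links={"/sys/doc": "//george/sys/help"}),
]

if __name__ == "__main__":
    for name, todo in plan(SAMPLE):
        print(name, "ready" if not todo else todo)
```

A link whose target is on the same node is not flagged, because the concern described above is ACLs being set on a second node's tree.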

Procedure 5-1 illustrates responses to the protection program prompts. Give responses appropriate to your site when you execute this program. The output shown illustrates the "most complicated case" (i.e., that there are customized ACLs for the node). If you select an ACL template from the ones supplied, there are fewer prompts than are illustrated here.

PROCEDURE 5-1: Protecting the Registry Database

1. Log in with a sys_admin account. Set the working directory to /install and invoke the install

Please enter Installation Type: acl<RETURN>

You are logged in as:

person.sys_admin.organization.node //node_name

Do you have adequate rights?

please enter response. (yes or no) yes<RETURN>

please enter //target_node name: //george<RETURN>

ACL Template Types are: can perform node administrator functions. A system administrator is required for some functions.

This type of node has moderate protection. Node administrator privileges are limited to a single user or group of users. A system administrator is required to perform some functions.

This node has the highest protection. Only system administrators can perform any administrative functions on this node.

acl_dir/sys_idacls before you can continue.

Please enter the type of ACL template you would like: user<RETURN>

Have you already copied your customized version of the ACL and IDACL

//george/install/acl_dir/sys_acls

//george/install/acl_dir/sys_idacls

Please enter 'YES' or 'NO' : yes<RETURN>

If you enter "NO," the script prompts as follows:

Please copy your own customized version of the ACL template to the files sys_acls and sys_idacls. Do this by typing:

$ cpf customized_acls //george/install/acl/acl_dir/sys_acls -r -l

$ cpf customized_idacls //george/install/acl/acl_dir/sys_acls -r -l

Then you must RE-START this procedure.

If you have already copied your customized ACLs to the target node, the script will continue as follows:

Have you specified an additional PPO?

Please enter 'YES' or 'NO': yes<RETURN>

If you answer "YES" the script will prompt you for the PPOs as follows:

Please enter the first PPO: #enter additional PPOs here#

PREPARING ACLS

SETTING ACL'S

ACL'S CAN NOT BE SET FOR OBJECTS THAT ARE IN-USE.

NOTE: You may get the following error message:

?(acl) Acl not changed for - object is in use (OS/file server)

This error is expected and will not affect the installation procedures.

Finished Installing ACL's on //george

please shutdown, reset and restart //george

2. Shut down, reset, and restart the node.

END OF PROCEDURE 5-1.

Installing New DOMAIN Releases on Secured Networks

We only guarantee that consecutive software releases are compatible. Therefore, do not try to run a network with some nodes running SR7.0 or SR8.0 software and some running SR9.0 software.

Software installation instructions are included in the release notes.

Only persons with a sys_admin account can initially install software. Refer to the SR9.6 Release Notes and Installing DOMAIN Software for the procedures to use to install new software on nodes. The software installation program uses the protection program (Procedure 5-1) to protect the new software and registry.

command. By default, rbak assigns the destination directory's default ACL to the object being restored. So, by default, the restored file or directory has the same access control assignments as the

Protecting Registries and Software 5-10
