Softpanorama (slightly skeptical) Open Source Software Educational Society
May the source be with you, but remember the KISS principle ;-)
The Sun BluePrints program was at least partially a reaction to the IBM Redbooks
program, but it never managed to reach the same level. In this sense it's funny
that they call them blue. Still, some of the BluePrints are honest attempts to help
Sun administrators and are of great value, while a lot of them are typical
corporate junk. That's typical for IBM too: some Redbooks and Redpapers are written
in obscure jargon, and there is a strong suspicion that they were written to hide
information, not to inform the readers, and that IBM's famous note "this page is
intentionally left blank" has some subtle meaning indeed ;-). This is probably a
side effect of the size of the company. As Sun put it:
Articles are maintained in this archive for the
benefit and historical reference of our readers. Details of the recommendations
set forth in these articles may not reflect Sun's latest hardware and software
releases. Caution, careful analysis and common sense should be exercised when
applying these Sun BluePrints articles to newer products and software releases.
We will try to grade some of them "for the benefit and historical reference of
our readers" ;-). Right now this effort is mostly limited to the Best
Security Blueprints section.
Notes:
- This is a Spartan WHYFF (We Help You For Free) site written by people for whom
English is not a native language. Some amount of grammar and spelling errors
should be expected.
- The site contains some broken links as it develops like a living tree...
Please try to use Google, Open directory, etc. to find a replacement link (see
HOWTO search the WEB for details). We would appreciate it if you can mail us a
correct link.
Creating a Customized Boot CD/DVD for the Solaris Operating System for x86
Platforms (December 2005)
-by John Cecere, Dana Fagerstrom
This article explains the mechanics of the boot process on the Solaris Operating
System for x86 platforms so that you understand what is needed to create a customized
CD/DVD. It discusses both the hard disk and CD/DVD boot processes, and points
out the differences between the two.
There are a number of practical applications for this topic, including:
- Jumpstart Software — The feature in Solaris that allows access to Solaris
installation media and configuration rules over a network
- Diagnostics — The ability to create a bootable CD for the purpose of
diagnosing system problems without accessing or modifying the copy of the
operating system that is installed on the target system
- Restoration — The ability to create a bootable CD with tools that aid
in the repair and restoration of a down system
- Diskless clients that cannot do PXE booting—PXE is a DHCP-based network-based
installation technology similar to Solaris Jumpstart. Some older x86-based
systems are incapable of using PXE
- Canned Firewall—The creation of a bootable CD that starts Solaris on
a system configured with multiple network interfaces. A preset ipf configuration
is then used to establish a network firewall on that system.
This article begins by examining the layout of a hard disk in the x86 architecture
and the components on it that are used for booting. It then describes the pieces
that are unique to a CD boot. Finally, this article puts the pieces together
and creates an image file that can be burned to CD.
Configuring JumpStart
Servers to Provision Sun x86-64 Systems (February 2005)
-by Pierre Reynes
Organizations are constantly challenged to deploy systems throughout the enterprise
with consistent and reliable configurations. Solaris JumpStart technology provides
a mechanism for fully automating the Solaris Operating System (Solaris OS) installation
process. With the ability to locate installation information over the network or
from a local CD-ROM drive, and use customized profiles, JumpStart facilitates the
rapid and consistent deployment of Solaris OS-based systems.
Many organizations have relied on UltraSPARC/Solaris platforms for years, and use
JumpStart technology for operating system deployment. With the introduction of Sun
x86-64 based systems, organizations are now seeking ways to use existing JumpStart
servers to deploy the Solaris OS and Linux operating environment on Sun x86-64 based
systems. This article describes how to modify existing JumpStart servers to support
the deployment of the Solaris OS and Linux operating environment on Sun x86-64 based
systems, as well as how to use standard Linux installation tools for configuring
Sun x86-64 based systems.
[April, 2004] Building
OpenSSH--Tools and Tradeoffs, Updated for OpenSSH 3.7.1p2 -by Jason Reid
This article updates the information in the January
2003 Sun BluePrints OnLine article,
"Building OpenSSH--Tools and Tradeoffs". This article contains information
about gathering the needed components, deciding the compile-time configuration
decisions, building the components, and finally assembling OpenSSH. The script
file, "Building
OpenSSH Tools TAR", provides tools that simplify the packaging and deployment
of the OpenSSH tool on the Solaris Operating Environment. This article targets
an advanced audience.
[April, 2004]
Building a Bootable
DVD to Deploy a Solaris Flash Archive -by John S. Howard
This article provides techniques to augment a
DVD-ROM-based installation with the services and behaviors typically provided
by a JumpStart server. The techniques presented in this article can be used
when you need to perform an automated installation of a Solaris Flash archive,
but are unable to use a JumpStart server. This article describes a procedure
to create a bootable installation DVD-ROM with a complete software stack on
a DVD that you can use to perform a standardized and fully automated installation
of the software stack from the DVD.
This article also examines the structure of a bootable Solaris OS DVD and provides
information about modifying installation behaviors to perform an automated install
of a Solaris Flash archive from a DVD.
[March, 2004] Understanding
Tuning TCP - by Deepak Kakadia
This article describes some of the key Transport
Control Protocol (TCP) tunable parameters related to performance tuning. More
importantly, it describes how these tunables work, how they interact with each
other, and how they impact network traffic when they are modified. This article
requires an advanced level reader.
[Jan, 2004]
Solaris Operating System
Availability Features -by Thomas M. Chalfant
The processor offlining feature enables a processor
to be removed from use by Solaris in response to one or more L2 cache errors.
The page retirement feature enables a page of memory to be removed from use
by Solaris in response to repeated ECC errors within a memory page on a DIMM.
This paper provides detailed discussion regarding the algorithm, implementation,
kernel tunables, and messages you are likely to see on a system running the
appropriate kernel updates. This article is ideal for an intermediate to advanced
reader.
[Jan, 2004]
Design, Features, and Applicability of Solaris File Systems - by Brian
Wong
The Solaris Operating System includes many file
systems, and more are available as add-ons. Deciding which file system to apply
to a particular application can be puzzling without insight into the design
criteria and engineering tradeoffs that go into each product. This article offers
a taxonomy of file systems, describes some of the strengths and weaknesses of
the different file systems, and provides insight into the issues you should
consider when deciding how to apply the set of file systems that are available
for specific applications. This article requires an intermediate reader.
Securing Web Applications
through a Secure Reverse Proxy (November 2003) -by Anh-Duy Nguyen
This article describes recommended practices
for setting up the Sun ONE Proxy Server software to represent a secure content
server to outside clients, preventing direct, unmonitored access to your server's
data from outside your company. This article uses recommended practices to secure
your web applications behind a firewall and leverage access and authentication
using the Sun ONE platform products.
This article assumes an intermediate reader who
is familiar with installing and configuring the Sun ONE Proxy Server. It also
assumes that the reader can configure the firewall router to allow a specific
server on a specific port access through the firewall without allowing any other
machines in or out.
[Dec, 2003]
Performance Forensics -by Bob Sneed
The health care industry has well-established
protocols for the triage, diagnosis, and treatment of patient complaints, while
the resolution of system-performance complaints often seems to take a path that
lacks any recognizable process or discipline. This article draws from lessons
and concepts of health care delivery to provide ideas for addressing system-performance
complaints with predictable and accurate results. Specific tools from the Solaris
Operating System are discussed. This article is applicable to all audience levels.
[Feb, 2001]
Auditing in the
Solaris 8 Operating Environment -by William Osser and Alex Noordergraaf
The use of the Solaris 8 Operating Environment
auditing (BSM) has never been well understood. This article presents an auditing
configuration optimized for the Solaris 8 OE. The recommended configuration
will audit activity on a system without generating gigabytes of data every
day. In addition, the configuration files are available for download
from http://www.sun.com/blueprints/tools.
In case of broken links, please try to use Google search. If you find the page,
please notify us about the new location.
Sun BluePrints Program
Security Sun Blueprints
Program and Sun Blueprints Online Magazine
Sun's BluePrints
for J2EE
Books
- A Strategy
for Managing Performance (December 2002)
-by John Brady
This article addresses the importance of adopting and executing a thorough performance
management strategy in your compute environment. Managing performance puts you
in the position of being proactive and in control of your compute resources,
not vice versa, while saving revenue at the same time. This article offers suggestions
for developing a performance management strategy that enables you to predict
and correct potential performance problems, to control resources, to track changes
for capacity planning and to consolidate resources.
- System Performance
Management: Moving from Chaos to Value (July 2001)
-by Jon Hill and Kemer Thomson
This article presents the rationale for formal system performance management
from a management, systems administrative and vendor perspective. It describes
four classes of systems monitoring tools and their uses. The article discusses
the issues of tool integration, "best-of-breed versus integrated suite" and
the decision to "buy versus build."
- Performance
Oriented System Administration (December 2002)
-by Bob Larson
In most cases, using the default configuration for an operating system helps
ensure that cascading effects don't overly complicate system tuning and maintenance.
In some cases, however, you might need to tune a system. This article explains
the algorithms and heuristics surrounding the most important tunables and describes
several kernel tunables and the algorithms behind them.
- Performance
Forensics (December 2003)
-by Bob Sneed
The health care industry has well-established protocols for the triage, diagnosis,
and treatment of patient complaints, while the resolution of system-performance
complaints often seems to take a path that lacks any recognizable process or
discipline. This article draws from lessons and concepts of health care delivery
to provide ideas for addressing system-performance complaints with predictable
and accurate results. Specific tools from the Solaris Operating System are discussed.
This article is applicable to all audience levels.
- Application
Troubleshooting: Alternate Methods of Debugging (November 2001)
-by Christopher Duncan
What to do when applications are crashing or hanging is a critical issue for
any software user. Few people will have the resources and skill set to debug
the application directly using a source code debugger. In many cases source
code debugging may not even be an option. This paper will discuss a variety
of options open to a Solaris Operating Environment user to narrow down the causes
and scope of an application failure. The article discusses programs such as truss,
proc tools and features of the Solaris runtime linker.
- Design, Features,
and Applicability of Solaris File Systems (January 2004)
-by Brian Wong
The Solaris Operating System includes many file systems, and more are available
as add-ons. Deciding which file system to apply to a particular application
can be puzzling without insight into the design criteria and engineering tradeoffs
that go into each product. This article offers a taxonomy of file systems, describes
some of the strengths and weaknesses of the different file systems, and provides
insight into the issues you should consider when deciding how to apply the set
of file systems that are available for specific applications. This article requires
an intermediate reader.
- System Management
Services Software: An Inside Look (January 2003)
-by Tom Chalfant
This article addresses some of the more advanced topics of System Management
Services (SMS) software including the Management Network (MAN) and SMS security.
In addition, it provides insight to a new security feature that enables you
to use secure shell for file synchronization between system controllers (SCs).
- WebStart Flash
(November 2001)
-by John S. Howard and Alex Noordergraaf
The Solaris Operating Environment Flash installation component extends JumpStart
technology by adding a mechanism to create a system archive, a snapshot of an
installed system, and installation of the Solaris Operating Environment from
that archive. This article introduces the concepts and best practices for a
Flash archive, describes the master machine, and suggested storage strategies,
and provides a complete example of creating a Flash archive and installing a
Web server with Flash.
- Hardware Replication
Challenges (November 2003)
-by Selim Daoud
This article describes the challenges of keeping valuable hardware-replicated
data safe. Being able to access and manipulate the cloned data is crucial and
often neglected. This article describes the different types of data replication
and the procedure to access a hardware-replicated set of data. This article
targets an intermediate audience.
- Configuring
Boot Disks (December 2001)
-by John S. Howard and David Deeths
This article is the fourth chapter of the Sun BluePrints book titled Boot
Disk Management: A Guide For The Solaris Operating Environment (ISBN 0-13-062153-6),
which is available through www.sun.com/books, amazon.com, and Barnes & Noble
bookstores.
This chapter presents a reference configuration of the root disk and associated
disks that emphasizes the value of configuring a system for high availability
and high serviceability. This chapter explains the value of creating a system
with both of these characteristics, and outlines the methods used to do so.
- Using filesync
for Disaster Recovery, Business Continuance, and Mobility (July 2003)
-by John Rosander
The Solaris Operating Environment filesync(1) command can be used for disaster
recovery, business continuance, and mobility. This article details how to use
the filesync(1) command to synchronize directories between Sun servers, and
between Sun servers and Linux laptops. This article is ideal for a reader with
an intermediate level of expertise.
- The IT Utility
Model--Part II (August 2003)
-by Emlyn Pagden
This article is the second part of a two-part series and provides solutions
for implementing and maintaining a utility model within a service provider or
data center environment. This article also discusses the required financial
management systems, and describes the application software and hardware required
to support each of the solution areas of a utility model. This article is targeted
to an advanced audience.
- The IT Utility
Model--Part I (July 2003)
-by Emlyn Pagden
This article is part one of a two-part series that describes the current business
requirements for a utility model, and discusses the current commercial and political
issues faced when implementing one. Both financial and technical aspects are
covered, from detailing what a utility model is and why it is needed, to describing
the mechanism required for capturing compute resource consumption to accurately
bill customers. The intended audience for this article is IT Architects, Finance
staff, and Executive officers. This article is targeted for an advanced level
of expertise.
- Planning to Fail
(December 2000)
-by John S. Howard
This article presents design guidelines and "best practices" for the selection
and configuration of system software such as Veritas Volume Manager, Dynamic
Multi-pathing, Dynamic Reconfiguration, and Live Update. It also focuses on
which versions and combinations of these software tools result in viable configurations,
and which combinations to avoid.
- Architecting
a Service Provider Infrastructure for Maximum Growth (June 2000)
-by Stan Stringfellow - Special to Sun BluePrints OnLine
Stan introduces the first of a new series of Sun BluePrints OnLine articles
that will examine the issues involved with building scalable and highly available
service provider infrastructures. ISPs, ASPs, NSPs, corporate Web services,
Telco services, and digital wireless network services all benefit from the principles
that will be discussed in this series of articles.
- Establishing
an Architectural Model (February 2002)
-by John V. Nguyen
This article is the complete third chapter of the upcoming Sun BluePrints book,
Designing ISP Architectures, ISBN 0-13-045496-6. This article introduces
an architectural model as a framework for designing platform-independent ISP
architectures, based upon expertise and Sun best practices for designing ISP
architectures. Ideal for IT architects and consultants who design ISP architectures,
John's complete book will be available beginning March 2002 through www.sun.com/books,
amazon.com, and Barnes & Noble bookstores.
- Enterprise
Network Design Patterns: High Availability (December 2003)
-by Deepak Kakadia, Sam Halabi, and Bill Cormier
This article describes how to create highly available network designs, using
Sun technologies and network switching/routers. Its content is geared for an
advanced reader.
- Network Design
Patterns: N-Tier Data Centers (October 2003)
-by Deepak Kakadia and Richard Croucher
This article describes design concepts and principles that can be extremely
valuable in the construction of optimal Sun ONE N-Tier Data Center architectures.
When trying to deliver complete and optimal solutions, there is a void on how
to assemble the various Sun ONE components to craft a complete working system.
This paper describes in detail how to assemble the various building blocks of
an N-Tier system.
[Nov 2000] ****
Solaris Operating
Environment Minimization for Security: A Simple, Reproducible and Secure Application
Installation Methodology - Updated for Solaris 8 Operating Environment
-by Alex Noordergraaf
This article updates the original
OS Minimization article's required package listings for Solaris 8 Operating
Environment and 64bit UltraSPARC II hardware.
Review:
This is a very good paper. It explains how to
remove unnecessary packages -- actually they consider a very practical case
of Solaris + Netscape Enterprise Server. The paper is a little bit weak on
the tool side, though.
The Solaris Operating Environment installation
process requires the selection of one of four installation clusters:
- Core
- End User
- Developer
- Entire Distribution
Each installation cluster represents a specific
group of packages (operating system modules) to be installed. This grouping
together of packages into large clusters is done to simplify the installation
of the OS for the mass market. Because each of these installation clusters
contains support for a variety of hardware platforms (Solaris™
Operating Environment (Intel Platform Edition), microSPARC™,
UltraSPARC™, UltraSPARC II, and so on) and software requirements
(NIS, NIS+, DNS, OpenWindows™, Common Desktop Environment (CDE),
Development, CAD, and more), far more packages are installed than will actually
ever be used on a single Solaris Operating Environment.
The Core cluster installs the smallest Solaris
Operating Environment image. Only packages that may be required for any
SPARC™ or Solaris Operating Environment (Intel Platform Edition)
system are installed. The End User cluster builds on the Core cluster
by also installing the window managers included with the Solaris Operating
Environment (OpenWindows and CDE). The Developer and Entire Distribution
clusters include additional libraries, header files, and software packages
that may be needed on systems used as compile and development servers.
The size of the clusters varies significantly:
the Core cluster contains only 39 packages and uses 52 MBytes; the End User
cluster has 142 packages and uses 242 MBytes; the Developer cluster has
235 packages and consumes 493 MBytes of disk space. Experience to date has
shown that in many cases, a secure server may require only 10 Solaris Operating
Environment packages and use as few as 36 MBytes of disk space.
Installing unnecessary services, packages,
and applications can severely compromise system security. One well known
example of this is the rpc.cmsd daemon, which is unnecessary on many data
center systems. This daemon is installed and started by default when the
End User, Developer, or Entire Distribution cluster is chosen during the
installation process.
There have been many bugs filed against the
rpc.cmsd subsystem of OpenWindows/CDE in the last few years, and at least
two CERT advisories (CA-99-08, CA-96.09). To make matters even worse, scanners
for rpc.cmsd are included in the most common Internet scanning tools available
on the Internet. The best protection against rpc.cmsd vulnerabilities is
to not install the daemon at all, and avoid having to ensure it is not accidentally
enabled.
The problem described above is well known
in the computer industry, and there are hundreds of similar examples. Not
surprisingly, almost every security reference book ever written discusses
the need to perform "minimal OS installations" [Garfinkel]. Unfortunately,
this is easier said than done. Other than the occasional firewall, no software
applications are shipped with lists of their package requirements, and there's
no easy way of determining this information other than through trial and
error.
Because it is so difficult to determine the
minimal set of necessary packages, system administrators commonly just install
the Entire Distribution cluster. While this may be the easiest to do from
the short-term perspective of getting a system up and running, it makes
it nearly impossible to secure the system. Unfortunately, this practice
is all too common, and is even done by so-called experts brought in to provide
infrastructure support, web services, or application support. (If your organization
is outsourcing such activities, be sure to require the supplier to provide
information on what their OS installation policies and procedures are, or
you may be in for some unpleasant surprises.)
The rest of this article presents one method
for determining the minimal set of packages required by a particular application--the
iPlanet™ Enterprise Server. Future articles will discuss other
applications. The tentative list includes NFS™ Servers (with
SecureRPC and Solstice DiskSuite™), iPlanet™ WebTop,
and Sun™ Cluster. If you have followed this procedure and developed
the scripts for a particular application, please forward them to the authors
for inclusion in future articles.
Solaris
Operating Environment Security: Updated for Solaris 9 Operating Environment
(December 2002) -by Alex Noordergraaf and Keith Watson
This article provides recommendations
on how to secure a Solaris Operating Environment (Solaris OE). Securing a Solaris
OE system requires that changes be made to its default configuration. The changes
outlined in this article address the majority of the methods that intruders
use to gain unauthorized or privileged access to an improperly configured system.
Implementing the changes recommended in this article requires planning, testing,
and documentation to be successful in securing a computing environment.
Solaris Operating Environment Network Settings for Security
Auditing
System Security (May 2003) -by Alex Noordergraaf and Glenn Brunette
This article describes how to audit (validate) a system's security using the Solaris
Security Toolkit software. You can use the information and procedures in this article
to maintain an established security profile after hardening. For systems that are
already deployed, you can use this information to assess security before hardening.
This article is the entire sixth chapter of the Sun BluePrints book, "Securing
Systems With the Solaris Security Toolkit", by Alex Noordergraaf and Glenn Brunette
(ISBN 0-13-141071-7)
General Security
- Public Key
Infrastructure Overview (August 2001)
-by Joel Weise
This article removes some of the mystique, fear and misconceptions with Public
Key Infrastructures (PKI), by providing an overview of what it is, how it works,
why and when it should be used, and the benefits it can provide. After reading
this article individuals should be better able to determine their requirements
for a PKI and what features they need for their particular business.
- A Patch Management
Strategy for the Solaris Operating Environment (January 2003)
-by Ramesh Radhakrishnan
Managing software patches is complex and time consuming. This article offers
a high-level strategy for managing patches in a variety of different types of
compute environments that are running on the Solaris operating environment.
This article divides the patch management process into seven phases, each of
which can be tailored to suit your distinct IT environment. This article does
not discuss the step-by-step process of installing Solaris OE patches, but instead
addresses higher-level concepts that can be used with any patch installation
utility. This article is intended for IT managers, IT architects, lead system
administrators, and anyone interested in developing a patch management strategy.
- Securing Web
Applications through a Secure Reverse Proxy (November 2003)
-by Anh-Duy Nguyen
This article describes recommended practices for setting up the Sun ONE Proxy
Server software to represent a secure content server to outside clients, preventing
direct, unmonitored access to your server's data from outside your company.
This article uses recommended practices to secure your web applications behind
a firewall and leverage access and authentication using the Sun ONE platform
products.
This article assumes an intermediate reader who is familiar with installing
and configuring the Sun ONE Proxy Server. It also assumes that the reader can
configure the firewall router to allow a specific server on a specific port
access through the firewall without allowing any other machines in or out.
- *** Securing
the Sun Fire 12K/15K System Controller (January 2004)
-by Alex Noordergraaf, Steven Spadaccini and Dina Nimeh
This article provides recommendations on how to securely deploy the Sun Fire
12K and 15K system controllers (SC). These recommendations apply to environments
where security is a concern, particularly environments where the uptime requirements
of the SC and/or the information on the Sun Fire server is critical to the organization.
This article is one in a series that provides recommendations for enhancing
security of a Sun Fire system. After securing the SC, we recommend that you
use the
"Securing the Sun Fire 12K and 15K Domains" article to secure the
SC domains. This article includes updates related to System Management Services
(SMS) version 1.4.
- *** Securing
the Sun Fire 12K/15K Domains (January 2004)
-by Alex Noordergraaf, Steven Spadaccini and Dina Nimeh
This article documents security modifications that you can implement on Sun
Fire 12K and 15K domains without adversely affecting their behavior. The configuration
changes in this article enable Solaris Operating Environment (OE) security features
and disable potentially insecure services and daemons. This article is one in
a series that provides recommendations for enhancing security of a Sun Fire
system. Before securing the domains, we recommend that you use the
"Securing the Sun Fire 12K and 15K System Controllers" article to
secure the system controllers. This article includes updates related to System
Management Services (SMS) version 1.4.
- Securing Linux
Systems With Host-Based Firewalls: Implemented With Linux iptables (November
2003)
-by Ge' Weijers
This article provides information and recommendations for securing Linux operating
systems with host-based firewalls. This article aims to provide readers with
a template for constructing a host-based firewall that provides a useful layer
of protection against the risks of exposing a system to internal and/or external
users. Additionally, readers can gain an understanding of construction methods
for host-based firewalls in general and Linux-based firewalls in particular.
This article targets an intermediate audience.
- Deploying the
Solaris Operating Environment Using a Solaris Security Toolkit CD (September
2003)
-by Steven Spadaccini
The Solaris Security Toolkit is a collection of shell scripts combined to form
a flexible and extensible framework for rapidly deploying hardened platforms
running the Solaris Operating Environment. The Toolkit is, however, quite versatile
and can be used for much more than just hardening a system. This article discusses
how the Toolkit can be used to construct a bootable CD, based on Sun's JumpStart
framework, for building and configuring new systems. This article is authored
for intermediate and advanced system administrators.
- Securing the
Sun Cluster 3.x Software (February 2003)
-by Alex Noordergraaf
To provide a robust environment where Sun Cluster 3.x software can be deployed,
very specific requirements are placed on the configuration of the Solaris Operating
Environment (Solaris OE). This article describes how to secure the Solaris OE
and the Sun Cluster 3.x software. Before the release of Sun Cluster 3.0 (12/01)
software, no secured configurations were supported. This article includes updates
for Sun Cluster 3.1 software.
- Building Secure
Sun Fire Link Interconnect Networks Using Midframe Servers (February
2003)
-by Joe Higgins
This article describes how to install and deploy the Sun Fire Link interconnect
so that it can be securely managed and operated. The software architecture and
the steps to secure the Sun Fire Link interconnect software are documented.
- System Management
Services Software: An Inside Look (January 2003)
-by Tom Chalfant
This article addresses some of the more advanced topics of System Management
Services (SMS) software including the Management Network (MAN) and SMS security.
In addition, it provides insight to a new security feature that enables you
to use secure shell for file synchronization between system controllers (SCs).
- Trust Modeling
for Security Architecture Development (December 2002)
-by Donna Andert, Robin Wakefield, and Joel Weise
Information technology architects must build applications, systems, and networks
that match ordinary users' expectations of trust in terms of identity, authentication,
service level agreements, and privacy. This article describes the vocabulary
of trust relationships and demonstrates the practical importance of using trust
modeling to formalize the threshold for risk.
- Minimizing
the Solaris Operating Environment for Security: Updated for Solaris 9 Operating
Environment (November 2002)
-by Alex Noordergraaf
This article provides tips, instructions, and preferred practices for minimizing
the Solaris Operating Environment (Solaris OE) to increase system security.
It focuses on operating system (OS) installation practices for minimizing and
automating Solaris OE installations. It provides a simple, reproducible, and
secure application installation methodology.
- Securing
LDAP Through TLS/SSL--A Cookbook (June 2002)
-by Stefan Weber
Deploying secure Lightweight Directory Access Protocol (LDAP) connections is
becoming more demanding. This article details the steps on how to set up the
Sun Open Net Environment (Sun ONE) Directory Server software so that it can
be accessed securely from command line tools.
- How Hackers
Do It: Tricks, Tools, and Techniques (May 2002)
-by Alex Noordergraaf
Learn how to build and maintain secure systems and implement preventive solutions
against the common tricks, tools, and techniques used by hackers to gain unauthorized
access to Solaris Operating Environment systems.
- Securing
the Sun Cluster 3.0 Software (May 2002)
-by Alex Noordergraaf
Reduce susceptibility to attacks and increase the reliability, availability,
and serviceability of systems that run Sun Cluster 3.0 software by implementing
the recommendations for configuring the Solaris Operating Environment and supported
agents detailed in this article.
- Server Virtualization
Using Trusted Solaris 8 Operating Environment (February 2002)
-by Glenn Faden
Building on the concepts presented in his follow-on article, Maintaining
Network Separation with Trusted Solaris 8 Operating Environment, Glenn Faden expands
on the techniques of configuring labeled networks to show how the Trusted Solaris
Operating Environment can be deployed by a network service provider to support
multiple customers within a single infrastructure. Through the use of the appropriate
Trusted Solaris Operating Environment functionality, each customer can have
its own virtual server or community. This article describes best practices for
administrative procedures and configuration files that are required to set up
fully contained communities.
- Developing
a Security Policy (December 2001)
-by Joel Weise and Charles R. Martin
Security policy development is a frequently overlooked component of overall
security architectures. This article details the importance of security policies
and the basic steps involved in their creation.
- Sun Cluster
3.0 12/01 Security: with the Apache and iPlanet Web and Messaging Agents
(December 2001)
-by Alex Noordergraaf, Mark Hashimoto and Richard Lau
This article takes a first step in providing secured configurations for Sun
Cluster 3.0 software by describing how three specific agents can be deployed
in a secured configuration that is supported by Sun Microsystems. Sun Cluster
3.0 software is used by organizations to provide additional assurance that mission-critical
services will be available despite unexpected hardware or software failures.
- Kerberos Network
Security in the Solaris Operating Environment (October 2001)
-by Wyllys Ingersoll
This article describes how to correctly and securely configure Kerberos in the
Solaris Operating Environment. It provides best practices and recommendations.
- Securing
Systems with Host-Based Firewalls - Implemented With SunScreen Lite 3.1 Software
(September 2001)
-by Martin Englund
This article provides a discussion of why host-based firewalls can be an effective
alternative to choke-point based firewalls or an additional layer of security
in an environment. Details are then provided on how to implement host-based
firewalls using Sun's free host-based firewall software - SunScreen SecureNet
Lite.
- The Solaris
Fingerprint Database - A Security Tool for Solaris Operating Environment Files
(May 2001)
-by Vasanthan Dasan, Alex Noordergraaf, and Lou Ordorica
The Solaris Fingerprint Database (sfpDB) enables you to verify the integrity
of files distributed with the Solaris Operating Environment. By validating that
these files have not been modified, administrators can determine whether their
systems have, or have not, been hacked and had trojaned malicious replacements
for system files installed.
- Updated
Solaris Operating
Environment Security - Updated for Solaris 8 Operating Environment
(April 2001)
-by Alex Noordergraaf and Keith Watson
This article discusses how system and network security can be dramatically improved
on a Solaris Operating Environment (Solaris OE) system. Specific security recommendations
are made for Solaris OE versions 2.5.1 through 8. This revised version of the
original Solaris OE Security Sun BluePrints published in January of 2000
incorporates all security-related updates in Solaris 8 OE.
- Maintaining
Network Separation with Trusted Solaris 8 Operating Environment (March
2001)
-by Glenn Faden
Glenn Faden describes how Mandatory Access Control (MAC) can be used to provide
concurrent access to two isolated networks without compromising the separation.
- Auditing
in the Solaris 8 Operating Environment (February 2001)
-by William Osser and Alex Noordergraaf
The use of the Solaris 8 Operating Environment auditing (BSM) has never been
well understood. This article presents an auditing configuration optimized for
the Solaris 8 OE. The recommended configuration will audit activity on a system
without generating gigabytes of data every day. In addition, the configuration
files are available for download from
http://www.sun.com/blueprints/tools.
- Directory
Server Security (December 2000)
-by Tom Bialaski
This article provides an overview of what the LDAP security model consists of
and what security changes need to be made to accommodate the Solaris Operating
Environment naming service requirements.
- Building
Secure N-Tier Environments (October 2000)
-by Alex Noordergraaf
This article provides recommendations on how to architect and implement secure
N-Tier ecommerce environments.
- JumpStart Architecture
and Security Scripts for the Solaris Operating Environment - Part 3
(September 2000)
-by Alex Noordergraaf
This article is third in a three part series describing an automated toolkit
for implementing the security modifications documented in earlier Sun BluePrints
onLine articles. In conjunction with this final article the toolkit itself is
being made freely available.
- JumpStart Architecture
and Security Scripts for the Solaris Operating Environment - Part 2
(August 2000)
-by Alex Noordergraaf
This article is part two of a three part series that presents the JumpStart
Architecture and Security Scripts toolkit. We continue with an in-depth review
of the configuration files, directories, and scripts used by the toolkit to
enhance the security of Solaris Operating Environment systems. This series is
a must read for anyone interested in upgrading the security of their site.
- JumpStart Architecture
and Security Scripts for the Solaris Operating Environment - Part 1
(July 2000)
-by Alex Noordergraaf
This article is part one of a three part series presenting the JumpStart Architecture
and Security Scripts tool (Toolkit) for the Solaris Operating Environment. The
Toolkit is a set of scripts which automatically harden and minimize Solaris
Operating Environment systems. The modifications made are based on the recommendations
made in the previously published Sun BluePrints OnLine security articles.
- Solaris Operating
Environment Security (January 2000)
-by Keith Watson and Alex Noordergraaf
This article splits the discussion of the Solaris Operating Environment system
security into two parts.
- Solaris
Operating Environment Minimization for Security: A Simple, Reproducible and
Secure Application Installation Methodology (December 1999)
-by Keith Watson and Alex Noordergraaf
Discusses OS minimization as a technique for reducing system vulnerabilities;
a simple method for duplicating these installations on large numbers of servers
is also introduced. (See
"November 2000" updated for the Solaris 8 Operating
Environment)
- Updated (11/01)
Solaris Operating Environment Network Settings
for Security (December 1999)
-by Keith Watson and Alex Noordergraaf
Discusses the many low-level network options available within Solaris and their
impact on security. (See
"December 2000" updated for the Solaris
8 Operating Environment)
- Linux Overview
for Solaris Users (August 2003)
-by John Cecere
This article provides a technical overview of the Linux operating environment
and compares and contrasts it with the Solaris Operating Environment (Solaris
OE). The purpose of this article is to quickly familiarize advanced system administrators
with the Linux OE and to provide a reference for Solaris to Linux usage. This
article is for intermediate and advanced readers who are experienced with the
Solaris OE and are tasked with deploying, servicing, maintaining, and using Linux-based
systems.
- Securing Sun
Linux Systems: Part I, Local Access and File Systems (July 2003)
-by Glenn Brunette, Michael Hullhorst, and Ge Weijers
This article is the first part of a two-part series that provides recommendations
for securing the Sun Linux 5.0 operating system. This part provides recommendations
for securing local access and file systems. The information in this article
applies only to the Sun Linux 5.0 distribution, although some of the techniques
or recommendations might apply to other Linux distributions. This article is
ideal for a reader with a beginner to intermediate level of expertise.
- Securing Sun
Linux Systems: Part II, Network Security (July 2003)
-by Glenn Brunette, Michael Hullhorst, and Ge Weijers
The second in a two-part series, this article provides recommendations for securing
the Sun Linux 5.0 operating system. This part provides specific recommendations
for network security. The information in this article applies only to the Sun
Linux 5.0 distribution, although some techniques or recommendations may apply
to other Linux distributions. This article is ideal for a reader with a beginner
to intermediate level of expertise.
- Role Based
Access Control and Secure Shell--A Closer Look At Two Solaris Operating Environment
Security Features (June 2003)
-by Thomas M. Chalfant
To aid the customer in adopting better security practices, this article introduces
and explains two security features in the Solaris operating environment. The
first is Role Based Access Control and the second is Secure Shell. The goal
is to provide you with enough information to make an effective decision to use
or not use these features at your site as well as to address configuration and
implementation topics. This article is targeted to the intermediate level of
expertise.
- Responding
to Customer's Security Incidents--Part 1: Establishing Teams and a Policy
(March 2003)
-by Vijay Masurkar
This article is the first of a series of articles that discuss building teams,
establishing a security incident response policy, and executing it. The article
is intended to provide highlights and best practices information about computer
security incident response, building teams to process security incidents, and
developing important factors in establishing a security incident response policy
framework. The primary audience consists of computer security managers, security
policy developers, system administrators, and other related staff responsible
for the creation or operation of a computer incident response team and/or a
computer security incident response (CSIR) policy and service.
- Responding
to Customer's Security Incidents--Part 2: Executing a Policy (April
2003)
-by Vijay Masurkar
This article is the second in a series that discusses a policy of security incident
responses. The article describes the policy best practices and execution features
(evaluation, containment, and eradication of and recovery from a security incident)
for responding to a customer's incident within the policy scope. Part one
of this series,
"Responding
to Customer's Security Incidents (Part 1): Establishing Teams and a Policy"
was a March 2003 Sun BluePrints OnLine article.
- Responding
to Customer's Security Incidents--Part 3: Following Up After an Incident
(September 2003)
-by Vijay Masurkar
The third in a five-part series, this article focuses on following up after
an incident and presents the best practices that should be executed in the follow-up
phase. These topics include acquiring incident data, resorting to legal actions
when deemed necessary, and conducting post-incident activities such as taking
inventory of the affected assets, assessing the damage, and capturing the lessons
learned. This article is intended for advanced readers such as computer security
managers, security policy developers, system administrators, and other related
staff, who are responsible for the creation or operation of a computer security
incident response policy and service.
- Responding
to a Customer's Security Incidents--Part 4: Processing Incident Data
(October 2003)
-by Vijay Masurkar
This fourth article focuses on authenticating, preserving, and processing the
incident data. Only the salient points for best practices that should be executed
in processing the incident data are discussed here. These practices are typically
preceded by a recovery phase and are only starting points for a more detailed
analysis for building a policy with the associated processes and procedures.
This article is targeted to an advanced reader.
- Integrating
the Secure Shell Software (May 2003)
-by Jason Reid
This article discusses integrating Secure Shell software into an environment.
It covers replacing rsh(1) with ssh(1) in scripts, using proxies to bridge disparate
networks, limiting privileges with role-based access control (RBAC), and protecting
legacy TCP-based applications. This article is the entire fifth chapter of the
upcoming Sun BluePrints book "Secure Shell in the Enterprise" by Jason
Reid, which will be available in June 2003.
- Building OpenSSH--Tools
and Tradeoffs (January 2003)
-by Jason M. Reid
This article updates much of the information in the July 2001 Sun BluePrints
OnLine article,
"Building and Deploying OpenSSH for the Solaris Operating Environment".
The article contains information about gathering the needed components, making
the compile-time configuration decisions, building the components, and finally
assembling the OpenSSH environment.
- Configuring
the Secure Shell Software (April 2003)
-by Jason M. Reid
This article provides recommendations for configuring two specific Secure Shell
implementations for the Solaris Operating Environment (Solaris OE): OpenSSH
and the Solaris Secure Shell software. The Solaris Secure Shell software is
a component of the Solaris 9 OE release. OpenSSH is also available for previous
Solaris OE releases. For information on building OpenSSH, consult the January
2003 Sun BluePrints OnLine article,
"Building OpenSSH Tools and Tradeoffs." ...
- Configuring
OpenSSH for the Solaris Operating Environment (January 2002)
-by Jason M. Reid
The network environment was never safe. As more users connect to open networks
for remote access, the risks of compromising systems and accounts increase.
Secure network tools such as OpenSSH counter the threats of password theft,
session hijacking, and other network attacks. These tools require planning,
configuration, and integration. This article deals with server and client configurations,
key management, and integration into existing environments for the Solaris Operating
Environment (OE).
(NOTE - See the Sun BluePrints article
"Configuring Secure Shell Software" by Jason M. Reid, April 2003 for additional
and updated information.)
- Building and
Deploying OpenSSH on the Solaris Operating Environment (July 2001)
-by Jason M. Reid and Keith Watson
This article describes the build and deployment processes for OpenSSH on Solaris
Operating Environment. There are several components that must be built prior
to building OpenSSH itself. Each necessary component is listed and described
along with recommendations on build options. OpenSSH itself is a flexible tool
with several options that affect integration into a site's security policy.
These options are explored. Issues of packaging and deployment are also addressed.
- IP
Network Multipathing (Updated) (August 2001)
-by Mark Garner
IP Network Multipathing allows a server to have multiple network adapters connected
to the same subnet. This article looks at the features of IP Network Multipathing
and the steps required to configure it for network adapter resilience.
- Internet Protocol
Network Multipathing (Update) (November 2002)
-by Mark Garner
This article looks at the features of Internet Protocol network multipathing
and the steps required to configure it for network adapter resilience.
This article is an update to the IPMP article published in November 2002. This
revision addresses Bug ID: 4451678, "Synopsis: in.mpathd does not accurately
detect interface failures in active-standby config". This problem is resolved
by applying patch 108528-15 and above. This problem was fixed in the Solaris
9 Operating Environment.
- Building Secure
Sun Fire Link Interconnect Networks Using Sun Fire 15K and Sun Fire 12K Servers
(August 2003)
-by Joe Higgins and Steven Spadaccini
Deploying a secure distributed computer system can be difficult. This article
describes how to install and deploy the Sun Fire Link product so that it can
be securely managed and operated. The article documents the software architecture
and steps needed to secure the Sun Fire Link interconnect. The commands used
in configuration steps are either Fire Link Manager (FM) or Solaris Operating
Environment (Solaris OE) tools. The article also includes a section on how to
create, configure, and secure a Sun Fire Link fabric. This article requires
a general knowledge of Solaris OE system administration and is written for advanced
system administrators.
- Understanding
Gigabit Ethernet Performance on Sun Fire Servers (February 2003)
-by Jian Huang
The recent network-centric computing has been exercising tremendous pressure
on servers' network performance. With the increasing popularity of gigabit Ethernet,
especially the availability of lower-cost copper-based gigabit Ethernet adapters,
the question of how Sun's servers perform in this arena has become one of the
most important issues that Sun engineering teams are trying to address. This
paper presents an overview of the performance of the new Sun GigaSwift Ethernet
MMF Adapter card on a Sun Fire server in terms of TCP/IP networking.
Most of the previous effort on TCP/IP network performance has been focused on
bulk-transfer traffic, which imposes on servers a continuous flow of packets
with sizes equal to the Maximal Transfer Unit (MTU) of the underlying carrier.
In the client-server computing environment, however, not all requests from clients,
nor all replies from the servers are constantly large. The traffic of small
packets, whose size is below that of the MTU of the carrier, is also very commonly
seen. Hence, this paper investigates the performance of both the bulk-transfer
and small-packet traffic on a Sun Fire 6800 server.
In addition to presenting a performance picture, this paper also takes the initiative
to study the root cause of the behavior of Sun servers by revealing some of
the implementation details of the Solaris Operating Environment (Solaris OE).
A set of tuning parameters that affect TCP/IP network performance is discussed
and some tuning recommendations are given.
- (April 2002) Enterprise
Management Systems Part I: Architectures and Standards
-by Deepak Kakadia, Dr. Tony Thomas, Dr. Sridhar Vembu and Jay Ramasamy
The first in a two-part series focused on managing services in Service Driven
Networks (SDNs), this article presents a summary of typical architectures and
a clarification of the standards to help the reader better understand the implementations
of various third-party vendor EMSystems solutions.
- Enterprise Quality
of Service (QoS) Part II: Enterprise Solution using Solaris Bandwidth Manager
1.6 Software (March 2002)
-by Deepak Kakadia
Deepak's article is the second in a two-part series that focuses on Quality
of Service (QoS) issues. This article explores possible approaches to deploying
an Enterprise Quality of Service solution using Solaris Bandwidth Manager 1.6
software. It also presents an integrated closed-loop solution using Sun Management
Center 3.0 software, which exploits APIs offered by both products and creates
a policy-based QoS solution for the enterprise.
- Enterprise Quality
of Service (QoS): Part I - Internals (February 2002)
-by Deepak Kakadia
In a two-article series, distinguished Sun BluePrints author works to clear
the confusion surrounding QoS by explaining what it is, how it is implemented,
and how to use it in an enterprise. This month's part one article details the
basics surrounding the "what" and "how" of implementation, as well as the internals
of QoS. Be sure to return to Sun BluePrints OnLine next month for his second
article which will focus on how to deploy QoS in an enterprise.
- Using NTP to
Control and Synchronize System Clocks - Part III: NTP Monitoring and Troubleshooting
(September 2001)
-by David Deeths and Glenn Brunette
This article is the third in a series of three articles that discuss using Network
Time Protocol (NTP) to synchronize system clocks. The goal of this article is
to provide an effective understanding of NTP troubleshooting and monitoring.
- Using NTP to
Control and Synchronize System Clocks - Part II: Basic NTP Administration and
Architecture (August 2001)
-by David Deeths and Glenn Brunette
This is Part 2 of a three-article series that discusses how to use Network Time
Protocol (NTP) to synchronize system clocks. This article explains the basics
of client and server administration, covering various client/server configurations,
as well as authentication and access control mechanisms. This article also provides
a number of suggestions for an effective NTP architecture.
- Using NTP to Control
and Synchronize System Clocks - Part I: Introduction to NTP (July 2001)
-by David Deeths and Glenn Brunette
This article is the first of a series on the Network Time Protocol (NTP). NTP
allows synchronizing clocks on different network nodes, which is critical in
today's networked world. This first article provides an overview of why time
synchronization is important and introduces basic NTP concepts.
- Policy-Based
Networks (October 1999)
-by Jean-Christophe Martin
Explores the network policy concept in greater depth and looks at how it is implemented
in the Solaris Bandwidth Manager software.
- Resource Management:
Solaris Bandwidth Manager (June 1999)
-by Evert Hoogendoorn
Evert explains the benefits of Solaris Bandwidth Manager.
- Sun/Oracle
Best Practices (January 2001)
-by Bob Sneed
In this paper, Best Practice concepts are first defined, then specific high-impact
technical issues common with Oracle in the Solaris Operating Environment are
discussed.
- Solaris Operating
System and ORACLE Relational Database Management System Performance Tuning
(October 2003)
-by Ramesh Radhakrishna
This article focuses on the performance problems at the Resource Tier (database
server). The assumption is that the database server is a Sun server running
an ORACLE Relational Management System (RDBMS). The article requires a general
knowledge of Solaris Operating System (Solaris OS) and Oracle RDBMS system administration.
It is written for beginner- and intermediate-level system administrators responsible
for Sun systems, and for Sun's customer engineers, and database administrators
responsible for tuning Oracle databases.
- Avoiding Common
Performance Issues When Scaling RDBMS Applications With Oracle9i Release 2 And
Sun Fire Servers (March 2003)
-by Glenn Fawcett
There are a handful of common performance issues that arise when trying to scale
Oracle database applications on Solaris Operating Environment. These issues are
sometimes difficult to identify and address. This paper incorporates the experiences
of Sun's Strategic Application Engineering group in tuning Oracle RDBMS systems
on a variety of workloads. There is an accompanying document,
Avoiding Common Performance Issues When Scaling RDBMS Applications With Oracle9i
Release 2 And Sun Fire Servers Appendices, that supplements the information
in this article.
- Monitoring
and Tuning Oracle - Chapter 22 Part 1 (July 2002)
-by Allan N. Packer
Allan N. Packer shares Oracle monitoring and tuning recommendations from his
recently-released book,
"Configuring
and Tuning Databases on the Solaris Platform", ISBN# 0-13-083417-2. In this
article, Allan examines ways of managing Oracle behavior, changing tunable parameters,
calculating the buffer cache hit rate, and other topics. The article goes on
to discuss Oracle monitoring using the utlbstat/utlestat scripts.
- Drill-Down
Monitoring of Database Servers - Chapter 21 (June 2002)
-by Allan N. Packer
Database expert, Allan N. Packer, shares database best practices from his recently-released
book, "Configuring
and Tuning Databases on the Solaris Platform", ISBN# 0-13-083417-2. In this
article, Allan presents a process for identifying and resolving problems with
the performance of database servers.
- Monitoring
and Tuning Oracle - Chapter 22, Part II (August 2002)
-by Allan N. Packer
Building on his July 2002 Sun BluePrints OnLine article, Allan continues to
provide more best practices for Oracle monitoring using utlbstat/utlestat
scripts and to recommend parameter settings for OLTP and DSS environments. Issues
ranging from load performance to dynamic reconfiguration and Oracle recovery
are also examined. Additional Oracle monitoring and tuning recommendations are
available in his recently released book
"Configuring
and Tuning Databases on the Solaris Platform."
- Dynamic Reconfiguration
and Oracle 9i Dynamically Resizeable SGA (January 2004)
-by Erik Vanden Meersch and Kristien Hens
This article explains how Oracle 9i can operate in combination with Sun's dynamic
reconfiguration (DR). It provides a brief overview of DR, intimate shared memory
(ISM), dynamic intimate shared memory (DISM), and dynamically resizable system
global area (SGA), and explains how these technologies fit together. In addition,
this article provides step-by-step details for configuring Oracle relational
databases on Sun Fire servers so that the DR capabilities of the Sun platform
can be maximized. This article requires an intermediate reader.
- APPENDICES -
Avoiding Common
Performance Issues When Scaling RDBMS Applications With Oracle9i Release 2 And
Sun Fire Servers Appendices (March 2003)
-by Glenn Fawcett
These are the appendices for the article
Avoiding Common Performance Issues When Scaling RDBMS Applications With Oracle
9i Release 2 And Sun Fire Servers (March 2003)
- ORACLE Middleware
Layer Net8 Performance Tuning Utilizing Underlying Network Protocol
(October 2002)
-by Gamini Bulumulle
This article discusses performance optimization and tuning of SQL*Net based
on an arbitrary UNP which could be TCP/IP, SPX/IP or DECnet. SQL*Net performance
can be maximized by synchronization with tunable parameters of the UNP, for
example, buffer size. This article explains how total SQL*Net transaction performance
can be divided into components of connect time and query time, where Total SQL*Net
(Net8) Transaction Time = Connect Time + Query Time. Connect time can be maximized
by calibration of tunable parameters of SQL*Net and the UNP when designing and
implementing networks. Query time is typically affected by database tuning parameters
which are outside the scope of this article. However, database tuning parameters,
which impact network performance, are discussed.
- Best Practices
for Deploying the Sun StorADE Utility (January 2004)
-by Christian Cadieux and Mike Monahan
This article discusses the Sun Automated Diagnostic Environment (StorADE) utility.
The StorADE utility provides centralized monitoring and diagnostics for most
Sun storage product offerings. The first part of this article provides an overview
and describes how to plan a StorADE deployment. The second part provides step-by-step
installation information with best practice recommendations for StorADE configuration;
whether the environment contains complex storage area networks (SANs), or straightforward
direct-connect devices. This article is intended for IT architects, administrators,
and anyone looking for an introductory article on a storage monitoring utility.
- Solaris Volume
Manager Performance Best Practices (November 2003)
-by Glenn Fawcett
Compelling new features such as soft partitioning and automatic device relocation
make the Solaris Volume Manager software a viable candidate for storage management
needs. Solaris Volume Manager software features enhance storage management capabilities
beyond what is handled by intelligent storage arrays with hardware RAID. Now
Solaris Volume Manager software is integrated with the Solaris Operating Environment
(Solaris OE) and does not require additional license fees. This article provides
specific Solaris Volume Manager tips for system, storage, and database administrators
who want to get the most out of Solaris Volume Manager software in their data centers.
This article targets an intermediate audience.
- Configuring
Databases Using Soft Links (January 2003)
-by Carlos Godinez
This article explains the advantages of using symbolic (soft) links when configuring
databases and provides techniques and examples for using them. This article
presents information that will enable you to manage database configuration efficiently
and accurately.
- Managing Shared
Storage in a Sun Cluster 3.0 Environment With Solaris Volume Manager Software
(November 2002)
-by Kristien Hens and Peter Dennis
Traditionally, VERITAS Volume Manager (VxVM) has been the volume manager of
choice for shared storage in enterprise-level configurations. In this article,
a free and easy-to-use alternative, Solaris Volume Manager software, which is
part of the Solaris 9 Operating Environment (Solaris 9 OE) is explored. This
mature product offers similar functionality to VxVM. Moreover, it is tightly
integrated into the Sun Cluster 3.0 software framework and, therefore, should
be considered to be the volume manager of choice for shared storage in this
environment.
- Memory Hierarchy
in Cache-Based Systems (November 2002)
-by Ruud Van Der Pas
This article will help the reader understand the architecture of modern microprocessors
by introducing and explaining the most common terminology and addressing some
of the performance related aspects. Written for programmers and people who have
a general interest in microprocessors, this article presents introductory information
on caches and is designed to provide understanding on how modern microprocessors
work and how a cache design impacts performance.
Despite improvements in technology, microprocessors are still much faster than
main memory. Memory access time is increasingly the bottleneck in overall application
performance. As a result, an application might spend a considerable amount of
time waiting for data. This not only negatively impacts the overall performance,
but the application cannot benefit much from a processor clock-speed upgrade
either. One method for overcoming this problem is to insert a small high-speed
buffer memory between the processor and main memory. Such a buffer is generally
referred to as cache memory, or cache for short.
- Configuring
Boot Disks With Solaris Volume Manager Software (October 2002)
-by Erik Vanden Meersch and Kristien Hens
This article is an update to the April 2002 Sun BluePrints OnLine article,
Configuring Boot Disks With Solstice DiskSuite Software. This article
focuses on the Solaris 9 Operating Environment, Solaris Volume Manager software,
and VERITAS Volume Manager 3.2 software. It describes how to partition and mirror
the system disk, and how to create and maintain a backup system disk. In addition,
this article presents technical arguments for the choices made, and includes
detailed runbooks.
- Sun StorEdge[tm]
Instant Image 3.0 and Oracle8i Database Best Practices (August 2002)
-by Art Licht
A methodology for implementing the Sun StorEdge Instant Image 3.0 Point-In-Time
(PIT) copy technology to perform non-intrusive and efficient backup operations
on Oracle8i databases, without impacting business operations, is presented. A
method customers can use to repurpose the PIT Oracle8i data for parallel business
processes is also included.
- Reducing
the Backup Window With Sun StorEdge Instant Image Software (July 2002)
-by Selim Daoud
This article discusses the advantages and methods of using a point-in-time (PIT)
type of backup system versus a more traditional backup approach that requires
extended downtime. This article is for anyone interested in reducing the backup
window (improving the uptime of important applications) while backing up a system
that is nearly online.
- LAN-Free
Backups Using the Sun StorEdge Instant Image 3.0 Software (June 2002)
-by Art Licht
As data grows in size and backup windows shrink, performing backups across the
LAN is no longer the ideal method. This article gives an overview of LAN and
SAN backup practices and includes procedures for performing LAN-free backups.
- Network
Storage Evaluations Using Reliability Calculations (June 2002)
-by Selim Daoud
This article uses a case study to introduce concepts and calculations for systematically
comparing redundancy and reliability factors as they apply to network storage
configurations.
- Storage Resource
Management: A Practitioner's Approach (April 2002)
-by Stevan Arbona and Joe Catalanotti
Storage resource management (SRM) best practices are presented, with a particular
focus on the positive impact that SRM can have on controlling costs by increasing
operational efficiency.
- Configuring
Boot Disks With Solstice DiskSuite Software (April 2002)
-by Erik Vanden Meersch and Kristien Hens
How to partition the system disk, mirror it, and create and maintain a contingency
boot disk are presented. Topics include two-, three-, and four-disk configurations,
their associated runbooks, and the SUNBEsdm package with scripts.
- Configuring
Boot Disks (December 2001)
-by John S. Howard and David Deeths
This article is the fourth chapter of the Sun BluePrints book titled Boot
Disk Management: A Guide For The Solaris Operating Environment (ISBN 0-13-062153-6),
which is available through www.sun.com/books, amazon.com, and Barnes & Noble
bookstores.
This chapter presents a reference configuration of the root disk and associated
disks that emphasizes the value of configuring a system for high availability
and high serviceability. This chapter explains the value of creating a system
with both of these characteristics, and outlines the methods used to do so.
- Sun StorEdge T3
Array: Installation, Configuration and Monitoring Best Practices (October
2001)
-by Ted Gregg
In order to fully realize the benefits of the capabilities built into the Sun
StorEdge T3 array, it must be installed, configured, and monitored with best
practices for RAS. This article details these best practices. It includes both
Sun StorEdge T3 array configuration and host system configuration recommendations,
along with brief descriptions of some of the available software installation
and monitoring tools.
- Sun StorEdge
T3 Dual Storage Array Part 3 - Basic Management (April 2001)
-by Mark Garner
The final article in the series looks at the configuration of basic management
and monitoring functions on the T3 array. It concludes with example Expect scripts
that could be used as a starting point for automating your own T3 installations.
- Sun StorEdge
T3 Dual Storage Array Part 2 - Configuration (March 2001)
-by Mark Garner
This second article in the series addresses the installation and configuration
of a T3 array partner group. It covers how two single arrays would be reconfigured
to form a partner group, how the new devices are created on the host and how
VERITAS Volume Manager integrates into the solution.
- Sun StorEdge
T3 Dual Storage Array Part 1 - Installation, Planning and Design (February
2001)
-by Mark Garner
This article looks at the planning and design requirements for the installation
of a Sun StorEdge T3 Array partner group. It is the first of three articles
which address planning and design, configuration and basic management of a Sun
StorEdge T3 Array.
- Storage Area
Networks: A blueprint for Early Deployment (January 2001)
-by Brian Wong
This paper surveys the applications to which Storage Area Networks (SANs) aspire,
the available SAN technology (and its limitations), and attempts to prepare users
for forthcoming technology, so that they can deploy real operational storage
in data centers without further delay.
- Wide Thin Disk
Striping (October 2000)
-by Bob Larson
In this article, the technique of using stripes to distribute data and indexes
over several disks is described. The article also contains the recommendations
to use wide-thin stripes to maximize operational flexibility while minimizing
complexity.
- Online Backups
Using the VxVM Snapshot Facility (September 2000)
-by John S. Howard
Complete and accurate backups performed in a timely fashion are crucial to every
datacenter. This article presents a procedure utilizing the snapshot facility
of the Veritas Volume Manager software which enables the System Administrator
to perform timely, complete and accurate online backups with minimal impact
to the user or application.
- Sun StorEdge
T3 Single Storage Array Design and Installation (September 2000)
-by Mark Garner
This article provides a roadmap for the configuration of a single Sun StorEdge
T3 Storage Array. It addresses: Prerequisites, Storage Layout Design, Implementation,
Configuration and Basic Management.
- Toward a Reference
Configuration for VxVM Managed Boot Disks (August 2000)
-by Gene Trantham and John S. Howard
Gene and John outline the fundamental procedures typically followed in a boot
disk encapsulation and the problems this default encapsulation introduces. A
best practice for VxVM installation, root disk encapsulation and a reference
configuration is presented.
(See the Sun BluePrints book
Boot
Disk Management: A Guide for the Solaris Operating Environment by John
S. Howard and David Deeths ISBN # 0-13-062153-6 for updated information about
the topics detailed in this article.)
- SCSI-Initiator
ID (August 2000)
-by David Deeths
Changing the SCSI-initiator ID is necessary for cluster configurations that
share SCSI devices between multiple hosts. This article walks you through the
process, and also provides an excellent background on SCSI issues in clustered
systems.
- VxVM Private
Regions: Mechanics and Internals of the VxVM Configuration Database
(July 2000)
-by Gene Trantham
Gene discusses the functions of the VxVM public and private regions, the configuration
database, and the special considerations for root disk encapsulation.
- Scrubbing Disk
Using the Solaris Operating Environment Format Program (June 2000)
-by Rob Snevely
Rob explains how to effectively scrub disks on a Solaris Operating Environment
system, using the format utility.
- Veritas VxVM
Storage Management Software (May 2000)
-by Gene Trantham
Gene explains the underlying actions of VxVM during boot disk encapsulation, and
details the mechanism by which it seizes and manages a boot device.
Performance
- Performance
Forensics (December 2003)
-by Bob Sneed
The health care industry has well-established protocols for the triage, diagnosis,
and treatment of patient complaints, while the resolution of system-performance
complaints often seems to take a path that lacks any recognizable process or
discipline. This article draws from lessons and concepts of health care delivery
to provide ideas for addressing system-performance complaints with predictable
and accurate results. Specific tools from the Solaris Operating System are discussed.
This article is applicable to all audience levels.
- Capacity Planning
as a Performance Tuning Tool--Case Study for a Very Large Database Environment
(July 2003)
-by Gamini Bullumille and Marcos Bordin
This article discusses the performance and scalability impact due to severe
CPU and I/O bottlenecks in a very large database (over 20 terabytes). It describes
the methodologies used to collect performance data in a production environment,
and explains how to evaluate and analyze the memory, CPU, network, I/O, and
Oracle database in a production server by using the following tools:
- Solaris Operating Environment (Solaris OE) Standard UNIX tools
- Oracle STATSPACK performance evaluation software from ORACLE Corporation
- Trace Normal Form (TNF)
- TeamQuest Model software from Team Quest Corporation
- VERITAS Tool VxBench from VERITAS Corporation
The article is intended for use by intermediate to advanced performance tuning
experts, database administrators, and TeamQuest specialists. It assumes that
the reader has a basic understanding of performance analysis tools and capacity
planning. The expertise level of this article is intermediate to advanced.
- Understanding
Gigabit Ethernet Performance on Sun Fire Servers (February 2003)
-by Jian Huang
The recent network-centric computing has been exercising tremendous pressure
on servers' network performance. With the increasing popularity of gigabit Ethernet,
especially the availability of lower-cost copper-based gigabit Ethernet adapters,
the question of how Sun's servers perform in this arena has become one of the
most important issues that Sun engineering teams are trying to address. This
paper presents an overview of the performance of the new Sun GigaSwift Ethernet
MMF Adapter card on a Sun Fire server in terms of TCP/IP networking.
Most of the previous effort on TCP/IP network performance has been focused on
bulk-transfer traffic, which imposes on servers a continuous flow of packets
with sizes equal to the Maximal Transfer Unit (MTU) of the underlying carrier.
In the client-server computing environment, however, not all requests from clients,
nor all replies from the servers are constantly large. The traffic of small
packets, whose size is below that of the MTU of the carrier, is also very commonly
seen. Hence, this paper investigates the performance of both the bulk-transfer
and small-packet traffic on a Sun Fire 6800 server.
In addition to presenting a performance picture, this paper also takes the initiative
to study the root cause of the behavior of Sun servers by revealing some of
the implementation details of the Solaris Operating Environment (Solaris OE).
A set of tuning parameters that affect TCP/IP network performance is discussed
and some tuning recommendations are given.
- BluePrint for
Benchmarking Success (January 2003)
-by Hans Joraandstad and Barbara Perz
This article provides best practices for benchmarking and it's ideal for those
using benchmarking to gather information that will help make a decision on which
computer to buy.
- Memory Hierarchy
in Cache-Based Systems (November 2002)
-by Ruud Van Der Pas
This article will help the reader understand the architecture of modern microprocessors
by introducing and explaining the most common terminology and addressing some
of the performance related aspects. Written for programmers and people who have
a general interest in microprocessors, this article presents introductory information
on caches and is designed to provide understanding on how modern microprocessors
work and how a cache design impacts performance.
Despite improvements in technology, microprocessors are still much faster
than main memory. Memory access time is increasingly the bottleneck in overall
application performance. As a result, an application might spend a considerable
amount of time waiting for data. This not only negatively impacts the overall
performance, but the application cannot benefit much from a processor clock-speed
upgrade either. One method for overcoming this problem is to insert a small
high-speed buffer memory between the processor and main memory. Such a buffer
is generally referred to as cache memory, or cache for short.
- HPC Administration
Tips and Techniques (October 2002)
-by Omar Hassaine
This article gives an introduction to the features introduced in the latest
Sun HPC ClusterTools 4 software, including best practices for configuration
and mixed clusters. It describes how to configure a checkpointing and migration
environment using both Sun Grid Engine and Condor standalone checkpointing libraries.
This article also includes discussion about administrative best practices.
- Application
Performance Optimization (March 2002)
-by Börje Lindh
This article provides a brief introduction to optimization on the Solaris Operating
Environment. To explore this subject in more detail, refer to Rajat Garg's and
Ilya Sharapov's Sun BluePrints book, Techniques for Optimizing Applications,
published July 2001 (ISBN 0-13-093476-3).
- Sizing Sun
Ray Servers Running Windows Applications with SunPCi IIpro Coprocessor Cards
(November 2001)
-by Don DeVitt
This paper addresses the task of sizing a server capable of supporting Wintel
based applications on a Sun Ray Server utilizing SunPCi IIpro co-processor
cards. The paper integrates the information of several previously published
documents and sizing tools to determine a baseline configuration. The paper also
suggests many best practice options for configuring the server.
- Supporting Microsoft
Windows 2000 Server Applications from Sun Enterprise Servers (June 2001)
-by Don DeVitt
This article explores using multiple SunPCi II Pro cards running on Sun Enterprise
servers to support Microsoft Windows 2000 Server applications. New SunPCi II
Pro hardware and software now support multiple cards in one Sun Enterprise server.
Benchmarks and Sizing information for a Windows 2000 Terminal Server environment
are discussed.
- Administering
Sun Cluster 2.2 Environments (October 2000)
-by David Deeths
David Deeths discusses the fundamentals and best practices of installing, configuring,
and managing a Sun Cluster 2.2 environment. He also offers many tips for effective
cluster administration and how to increase and maintain a high level of system
availability.
- Sun HPC ClusterTools
Software Best Practices (September 2000)
-by Omar Hassaine
This paper discusses the Best Practices for successfully configuring, installing
and using the Sun High Performance Computing (HPC) ClusterTools software. It
also covers the current status of the Sun HPC ClusterTools in the field and
briefly describes the architecture.
- Static Performance
Tuning (May 2000)
-by Richard Elling
Richard discusses a class of problems that can affect system performance which
is not dynamic by nature, and cannot be detected by conventional dynamic tuning
tools.
- Tales from
the Trenches: The Case of the RAM Starved Cluster (April 2000)
-by Richard Elling
Richard discusses how Veritas File System (VxFS) affects memory on a Solaris
Operating Environment server. He also describes a real world example of the
interactions between the Solaris Operating Environment Version 2.5.1, VxFS Version
2.3.1, and user applications.
- Scenario Planning
- Part 2 (March 2000)
-by Adrian Cockcroft
Presents part two of the Scenario Planning article and explains how to follow up
a simple planning methodology based on a spreadsheet that is used to break down
the problem and experiment with alternative future scenarios.
- Fast Oracle
Parallel Exports on Sun Enterprise Servers (March 2000)
-by Stan Stringfellow - Special to Sun BluePrints OnLine
Gives a script that performs very fast Oracle database exports by taking advantage
of parallel processing on SMP machines. This script can be invaluable for situations
where you need to perform exports of large mission-critical databases that require
high availability.
- Scenario Planning
- Part 1 (February 2000)
-by Adrian Cockcroft
Discusses scenario planning techniques to help predict latent demand during
overload periods. In this part 1 he explains how to simplify your model down
to a single bottleneck.
- Upgrading
the Solaris PC NetLink Software (January 2000)
-by Don DeVitt
Highlights some of the subtle upgrade options that many system administrators
will want to be aware of as they move from one version of Solaris PC NetLink
software to the next.
- Observability
(December 1999)
-by Adrian Cockcroft
Discusses Capacity Planning and Performance Management techniques.
- Processing
Accounting Data into Workloads (October 1999)
-by Adrian Cockcroft
Information about Solaris operating system accounting to include code examples
that extract the data in a usable format and pattern match it into workloads.
JumpStart
- Deploying the
Solaris Operating Environment Using a Solaris Security Toolkit CD (September
2003)
-by Steven Spadaccini
The Solaris Security Toolkit is a collection of shell scripts combined to form
a flexible and extensible framework for rapidly deploying hardened platforms
running the Solaris Operating Environment. The Toolkit is, however, quite versatile
and can be used for much more than just hardening a system. This article discusses
how the Toolkit can be used to construct a bootable CD, based on Sun's JumpStart
framework, for building and configuring new systems. This article is authored
for intermediate and advanced system administrators.
- Managing
Data Centers With Sun Management Center Change Manager (October 2002)
-by John S. Howard
Deploying and updating software are two of the most challenging and time consuming
tasks facing datacenter managers. The Sun Management Center (Sun MC) Change
Manager software provides a framework and tools for quickly and efficiently
deploying, replicating, updating, and managing software over a large number
of systems. This article presents techniques and best practices for using Sun
Management Center Change Manager software.
- Customizing
JumpStart Framework for Installation and Recovery (August 2002)
-by John S. Howard and Alex Noordergraaf
Techniques to augment a CDROM-based installation with the services and behaviors
provided by a JumpStart server are detailed in this article. These techniques
are suitable to situations when a hands-free Solaris Operating Environment (Solaris
OE) installation is necessary but when a JumpStart server cannot be used. This
article is a chapter from the Sun BluePrints book,
"JumpStart Technology: Effective Use in the Solaris Operating Environment",
ISBN# 0-13-062154-4.
- Using Live
Upgrade 2.0 With JumpStart Technology and Web Start Flash (April 2002)
-by John S. Howard
In this final installment of his three-part series on Solaris Live Upgrade 2.0
(LU) technology, John S. Howard provides recommendations and techniques for
integrating LU with the JumpStart software framework and the Solaris Web Start
Flash software.
- WebStart Flash
(November 2001)
-by John S. Howard and Alex Noordergraaf
The Solaris Operating Environment Flash installation component extends JumpStart
technology by adding a mechanism to create a system archive, a snapshot of an
installed system, and installation of the Solaris Operating Environment from
that archive. This article introduces the concepts and best practices for a
Flash archive, describes the master machine, and suggested storage strategies,
and provides a complete example of creating a Flash archive and installing a
Web server with Flash.