Monday Jun 28, 2010

Run HCTS 5.0 on guests of OVM

HCTS 5.0 supports virtual machines. You can install two guest OSes on a single OVM server, install HCTS 5.0 on the guests as TM and SUT respectively, and start the test between the guests. This execution doesn't require any physical network connection between the two guests.

To perform it, follow these steps:

[1] Install OVM on a machine. This machine is the OVM server.
    NOTE: Suppose the IP of the OVM server is,

[2] Install the first guest OS
    NOTE: Suppose the first guest OS to be installed is S10U9
[2.1] On OVM server

[2.1.1]  Download the guest OS installation ISO file on the OVM server.

       # mkdir /OVS/s10u9_iso
       and download the solarisdvd.iso file under /OVS/s10u9_iso

[2.1.2] # mkdir /OVS/running_pool/s10u9
      # cd /OVS/running_pool/s10u9
      # dd if=/dev/zero of=`pwd`/disk.img bs=1024K seek=20480 count=1

[2.1.3] # virt-install
      Would you like a fully virtualized guest? (yes or no) yes
      What is the name of your virtual machine? s10u9
      How much RAM should be allocated (in megabytes)? 2048
      What would you like to use as the disk (path)? /OVS/running_pool/s10u9/disk.img
      Would you like to enable graphics support? (yes or no) yes
      What would you like to use for the virtual CD image? /OVS/s10u9_iso/solarisdvd.iso

      Alternatively, the command could be as follows:
      # virt-install --hvm --vnc --name s10u9 --ram 2048 \
        --file /OVS/running_pool/s10u9/disk.img \
        --cdrom /OVS/s10u9_iso/solarisdvd.iso

[2.2] Turn to a remote machine (referred to as Working Desktop below)

    # vncviewer
    A GUI is opened, and you can continue with the S10U9 (guest OS) installation.

[2.3] On OVM server

[2.3.1]  # cd /
       # xm create -c s10u9

[2.3.2]* (This step is for Solaris 10 only)
       # virsh attach-interface s10u9 bridge xenbr0

[2.4] On Working Desktop
    # vncviewer
    Open vnc viewer window.

    # dladm show-link
    Check whether the xnf0 interface has been added successfully.

    # ifconfig xnf0 plumb
    # ifconfig xnf0 dhcp or # ifconfig xnf0 <IP_address>/24 up
    (This <IP_address> ought to be in the same network segment as the OVM server's IP)

[3] Install the second guest OS
    NOTE: Suppose the second guest OS to be installed is OSOL_142

    Repeat [2.1] - [2.4] replacing 's10u9_iso' with 'osol_142_iso',
                         replacing 's10u9' with 'osol_142',
                         replacing 'solarisdvd.iso' with 'osol-dev-142-X86.iso'

    NOTE: (1) [2.3.2] could be ignored, since the xnf0 will be added to OpenSolaris automatically.
          (2) The port number in [2.2] and [2.4] would be changed to 5901, since 5900 is already occupied by the first guest.

[4] Install HCTS 5.0 on the two guest OS

[5] Start HCTS 5.0 on guests, and set one as TM and another as SUT.

    The TM is set as Manual Network Configuration.
    The Manual Network Configuration option of SUT is enabled.
    A config file named as /opt/SUNWhcts/etc/sut_manual_ip.conf is generated manually. Its format is as follows:
    interface_name local_IP_address(SUT) remote_IP_address(TM)

    Start the system certification.

Tuesday Jan 12, 2010

Request an Object Signing certificate from SunPKI Store with an Aladdin eToken Pro on Windows OS

Hardware Security Module(HSM): Aladdin eToken Pro 72K
Software environment: Windows XP SP2 + eToken PKI Client 5.1 + JDK 1.6

Part 1: select Aladdin eToken Pro as the HSM device

An Object Signing certificate request can only be approved if the request was submitted using an HSM device. An HSM device is a specialized hardware cryptographic component that generates the private key and protects it during any operation that involves that key.

For object signing, especially for signing objects in the form of JAR files (using jarsigner), the cryptographic hardware devices of choice are:
(i) Sun Crypto Accelerator 6000 PCIe Adapter (SCA 6000), and
(ii) SafeNet/Aladdin eToken (USB connected cryptographic device).

Considering the first one is too expensive (about $1300), we choose the Aladdin eToken Pro 72K (about $60).

Part 2: Prepare the Aladdin eToken Pro

2.1 Install the Aladdin eToken PKI Client, which can be downloaded from the Aladdin web site or requested from your Aladdin agent.

2.2 Plug the eToken into the USB slot of the system and select the "Initialization" function of the PKI Client to initialize the eToken.

2.3 Input a personal password (referred to as <pin> below) for the eToken.

Part 3: Request an Object Signing Certificate from SunPKI Store

3.1 Create (in current dir) file 'eToken-pkcs11.cfg' with the two lines

name = eToken
library = c:\\WINDOWS\\system32\\eTPKCS11.dll

3.2 Generate the key pair with the following command

keytool -genkey -alias <alias> -validity 365 -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken-pkcs11.cfg -storepass <pin>

What is your first and last name?
Unknown: <your object name & version> (e.g. Sun Device Detection Tool)
What is the name of your organizational unit?
Unknown: <whatever> (e.g. Sun Microsystems Inc System)
What is the name of your organization?
Unknown: Sun Microsystems Inc (e.g. Sun Microsystems Inc)
What is the name of your City or Locality?
Unknown: <whatever> (e.g. Menlo Park)
What is the name of your State or Province?
Unknown: <whatever> (e.g. California)
What is the two-letter country code for this unit?
Unknown: US
Is CN=..., OU=..., O="Sun Microsystems Inc", L=..., ST=..., C=US correct?
no: yes


[1] Make sure JDK 1.6 is installed.
In Special Publication SP 800-57 Part 1 [SP800-57], NIST recommends using at least 2048-bit public keys for securing information beyond 2010 (and 3072-bit keys for securing information beyond 2030). So we use the '-keysize 2048' to generate the key pair.

The country code must be "US". Otherwise the next step would fail.

The generated key pair can be checked with the following command:

keytool -list -v -alias <alias> -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken-pkcs11.cfg -storepass <pin>

3.3 Generate the CSR with the following command

keytool -certreq -alias <alias> -file ./certreq.csr -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken-pkcs11.cfg -storepass <pin>

3.4 Submit CSR

Reference to

3.5 Receive the certificate

You would receive an email from containing the certificate chain. The email will contain the certificates in two forms, ASCII/Base64 encoded and a binary PKCS7 attachment. You should import the ASCII/Base64 encoded form (not the PKCS7) because the import of the PKCS7 chain may not work due to bug 6731685 (fixed in JDK 7, but not earlier releases).

The ASCII/Base64 encoded form is a paragraph ascii characters embraced with

Copy the ASCII/Base64 encoded form certificate (those ascii characters including the two lines of -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) and paste them into a single text file to save as 'cert.ascii'.
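A copy from a mail client can drop or re-wrap lines of the Base64 text. The following added example (not part of the original post) pulls the certificate blocks out of a saved mail body and checks that each one decodes to a complete DER structure before it is saved as cert.ascii; the sample mail and its placeholder certificates are constructed.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def der_total_length(der):
    """Length announced by the outer DER SEQUENCE header, header included."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                      # short form: one length byte
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def extract_chain(mail_text):
    """Return every certificate in the mail body as DER bytes, in mail order."""
    certs = []
    for body in PEM_RE.findall(mail_text):
        b64 = "".join(body.split())        # undo line wrapping and indentation
        der = base64.b64decode(b64, validate=True)
        if der_total_length(der) != len(der):
            raise ValueError("certificate %d is truncated or has extra data"
                             % (len(certs) + 1))
        certs.append(der)
    if not certs:
        raise ValueError("no certificate block found")
    return certs

def to_pem(certs):
    """Re-encode DER certificates as clean 64-column PEM text for cert.ascii."""
    lines = []
    for der in certs:
        b64 = base64.b64encode(der).decode("ascii")
        lines.append("-----BEGIN CERTIFICATE-----")
        lines.extend(b64[i:i + 64] for i in range(0, len(b64), 64))
        lines.append("-----END CERTIFICATE-----")
    return "\n".join(lines) + "\n"

def fake_cert(fill):
    """Constructed 260-byte placeholder with a valid DER header, not a real certificate."""
    return b"\x30\x82\x01\x00" + bytes([fill]) * 256

# Constructed sample mail body: greeting, two placeholder certificates, signature.
SAMPLE_MAIL = "Hello,\n\n" + to_pem([fake_cert(1), fake_cert(2)]) + "\n-- \nPKI team\n"

if __name__ == "__main__":
    chain = extract_chain(SAMPLE_MAIL)
    print("%d certificates, sizes %s" % (len(chain), [len(c) for c in chain]))
    print(to_pem(chain), end="")
```

The check only confirms that each block is complete; the chain itself is still verified by keytool in steps 3.6 and 3.7.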

3.6 Import the certificate with the following command

keytool -importcert -v -trustcacerts -file cert.ascii -alias <alias> -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken-pkcs11.cfg -storepass <pin>

3.7 Verify the installed certificate chain with the following command

keytool -list -v -alias <alias> -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken-pkcs11.cfg -storepass <pin>

3.8 Sign jar files with the following command

jarsigner -verbose -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken-pkcs11.cfg -storepass <pin> <a jarfile name> <alias>


In steps 2, 3, 6, 7 and 8, the eToken must be plugged in.


PKI Store for Object Signing certificates
PKI Store FAQs

Wednesday May 21, 2008

Login OpenSolaris 2008.05 as *root* user

When you install OpenSolaris 2008.05, a page prompts you to input the root password and to create a normal user. If you define a normal user at that time, you will find that you are not allowed to log in to the system as the root user.

What should you do? Re-install the system? That is one solution, but there is a much easier one, as follows:

Revise the following line in the file of /etc/user_attr








Then reboot the system. You can log in as root again.



Monday Mar 24, 2008

Make Indiana and SNV parallel systems on a single machine

I planned to install the latest snv and Indiana on a single hard disk at first. However, it failed, since it seems that Indiana occupies a whole hard disk by default.

What I found were two IDE disks. So I changed to install Indiana on the master disk, and install snv_85 on the secondary one. What I did is listed as follows:

[1] Install Indiana on the master disk (c0d0).

The process is very simple. You have no option to customize the disk space. Everything is finished in a few clicks.

[2] Install the latest SNV (snv_85) on the secondary disk (c0d1).

You need to choose "custom install" rather than "default install", and set c0d1 as the only disk on which to lay out the Indiana filesystem. When you deselect c0d0, a message will appear to remind you to reset the BIOS after installation. In my experience, the message could be ignored totally.

[3] Reboot and enter the Indiana.

[4] Mount c0d1 on /mnt and append the content of /mnt/boot/grub/menu.lst to the file /rpool/boot/grub/menu.lst.

The menu.lst file of Indiana is as follows:

splashimage /boot/grub/splash.xpm.gz
timeout 30
default 0

title OpenSolaris Developer Preview 2 snv_79b X86
kernel$ /platform/i86pc/kernel/$ISADIR/unix -B $ZFS-BOOTFS
module$ /platform/i86pc/$ISADIR/boot_archive

title Solaris Express Community Edition snv_85 X86
kernel$ /platform/i86pc/kernel/$ISADIR/unix
module$ /platform/i86pc/$ISADIR/boot_archive

title Solaris xVM
kernel$ /boot/$ISADIR/xen.gz
module$ /platform/i86xpv/kernel/$ISADIR/unix /platform/i86xpv/kernel/$ISADIR/unix
module$ /platform/i86pc/$ISADIR/boot_archive

title Solaris failsafe
kernel /boot/platform/i86pc/kernel/unix -s
module /boot/x86.miniroot-safe


[5] Reboot again. There are really 4 entries displayed in the grub menu while booting. I selected the second one to enter snv_85. What happened then? The system didn't enter snv_85, but returned to the grub menu. There must be something wrong with the menu.lst.

[6] I forgot to set the root commands in menu.lst. Added them as follows:

splashimage /boot/grub/splash.xpm.gz
timeout 30
default 0

title OpenSolaris Developer Preview 2 snv_79b X86
kernel$ /platform/i86pc/kernel/$ISADIR/unix -B $ZFS-BOOTFS
module$ /platform/i86pc/$ISADIR/boot_archive

title Solaris Express Community Edition snv_85 X86
root (hd1,0,a)
kernel$ /platform/i86pc/kernel/$ISADIR/unix
module$ /platform/i86pc/$ISADIR/boot_archive

title Solaris xVM
root (hd1,0,a)
kernel$ /boot/$ISADIR/xen.gz
module$ /platform/i86xpv/kernel/$ISADIR/unix /platform/i86xpv/kernel/$ISADIR/unix
module$ /platform/i86pc/$ISADIR/boot_archive

title Solaris failsafe
root (hd1,0,a)
kernel /boot/platform/i86pc/kernel/unix -s
module /boot/x86.miniroot-safe


NOTE: The root entry has the following format (hdx,x,x) where the first entry in the tuple is the disk identifier, the second entry is the partition number (0-3), and the third entry is the slice number (a-h), where a is slice 0 and h is slice 7. The root command is not needed if your boot environment is on the disk slice given to the installgrub command (such as the Indiana slice).
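The tuple format described in the NOTE above, decoded by a small checker that also lists which menu.lst entries carry no root command. This is an added example, not part of the original post; the sample text is copied from the post's menu.lst with the failsafe entry left in its pre-fix state.

```python
import re

# root (hdX,P,S): disk index, partition 0-3, slice letter a-h (a = slice 0)
ROOT_RE = re.compile(r"^root\s+\(hd(\d+),([0-3]),([a-h])\)$")

def parse_root(line):
    """Decode a GRUB 'root (hdX,P,S)' line into (disk, partition, slice)."""
    m = ROOT_RE.match(line.strip())
    if m is None:
        raise ValueError("malformed root command: %r" % line)
    return int(m.group(1)), int(m.group(2)), ord(m.group(3)) - ord("a")

def root_report(menu_text):
    """Return [(title, decoded root or None)] for every entry in menu.lst text."""
    report = []
    for raw in menu_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        word = line.split()[0]
        if word == "title":
            report.append([line[len("title"):].strip(), None])
        elif word == "root" and report:
            report[-1][1] = parse_root(line)
    return [tuple(entry) for entry in report]

# Entries from the post; the failsafe entry is shown before its root line was added.
MENU = """\
title OpenSolaris Developer Preview 2 snv_79b X86
kernel$ /platform/i86pc/kernel/$ISADIR/unix -B $ZFS-BOOTFS
module$ /platform/i86pc/$ISADIR/boot_archive

title Solaris Express Community Edition snv_85 X86
root (hd1,0,a)
kernel$ /platform/i86pc/kernel/$ISADIR/unix
module$ /platform/i86pc/$ISADIR/boot_archive

title Solaris failsafe
kernel /boot/platform/i86pc/kernel/unix -s
module /boot/x86.miniroot-safe
"""

if __name__ == "__main__":
    for title, root in root_report(MENU):
        print("%-48s %s" % (title, root if root else "no root command"))
```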

[7] Reboot and enter any system you want.



Ye Julia Li

