Using scp(1M) seems the most straightforward, since ssh/scp/sftp is installed in almost all Solaris 11.2 Package Groups. The only downside is that scp has to be run from the command line or from a script.
The benefit of IPsec is that all traffic can be encrypted. However, it requires either manual keying or an IKE v2 infrastructure.
Secure NFS is an extension of typical NFS setups, so should be rather simple, if remote file access works for the customer.
After meeting with the customer, it turned out that the key application that needs secure file transfer only supports ftp(1M) (not sftp or even ftps) or NFS. Thus, looking closer at Secure NFS seemed the logical path; using IPsec to secure only the NFS traffic looked like more work than necessary.
My setup uses Solaris Zones for a number of reasons.
The steps that follow are done on a system running Solaris 11.2. For convenience, I will refer to it as Solaris or Solaris 11. Due to possible packaging differences, Solaris 11 11/11 or Solaris 11.1 might require some changes. I have not tested these steps with either.
Building a Secure NFS configuration consists of the following steps:
To make this easier to follow, and to write, I am breaking this into several different steps.
When you are done, come back here for the comments below, if you wish.
This pretty much does it. In summary, we have done the following:
I hope this will be helpful to others!
There is currently (I noticed this in Solaris 11.2 SRU 12, and it exists in earlier releases and SRUs) a problem where kadmin restarts too quickly during Solaris startup and goes into maintenance mode. At this time there is no fix. I created a script in /etc/rc3.d to clear the error with svcadm(1M) after about 30 seconds.
I address this with a legacy run script started by SMF when going to multiuser-server. If this were a more permanent requirement I would create an SMF service.
kadmin.sh README S99kadmin
root@kdc1:/etc/rc3.d# cat S99kadmin
root@kdc1:/etc/rc3.d# cat kadmin.sh
svcadm clear kadmin
logger "cleared kadmin"
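As an added example (not the author's S99kadmin/kadmin.sh above), the same workaround written so that it only clears kadmin when svcs(1) actually reports the maintenance state, and stops as soon as the service is online, rather than sleeping a fixed 30 seconds. It assumes Solaris 11 svcs/svcadm, the short service name "kadmin" the author's svcadm command uses, and an rc-style "start" argument; the polling interval and attempt count are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's script.
# Assumes Solaris 11 svcs(1)/svcadm(1M); "kadmin" is the short name svcadm
# resolves to the service FMRI, as in the author's "svcadm clear kadmin".

SVC="kadmin"
INTERVAL=5        # seconds between checks (assumption)
MAX_TRIES=12      # 12 x 5 s = 60 s upper bound (assumption)

# decide_action STATE -> prints "clear", "ok" or "wait".
# Pure function over the state word printed by "svcs -H -o state", so the
# decision logic can be checked without a live SMF.
decide_action() {
    case "$1" in
        maintenance) echo clear ;;
        online)      echo ok ;;
        *)           echo wait ;;   # offline*, uninitialized, degraded, ...
    esac
}

# svc_state -> current state word for $SVC (empty if svcs fails)
svc_state() {
    svcs -H -o state "$SVC" 2>/dev/null
}

# fix_kadmin: poll until kadmin is online; clear it whenever it is found in
# maintenance. Returns 0 if it ended up online, 1 otherwise.
fix_kadmin() {
    tries=0
    state=""
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        state=$(svc_state)
        case "$(decide_action "$state")" in
            ok)    logger -t kadmin-fix "kadmin online after $tries checks"
                   return 0 ;;
            clear) logger -t kadmin-fix "kadmin in maintenance; clearing"
                   svcadm clear "$SVC" ;;
        esac
        tries=$((tries + 1))
        sleep "$INTERVAL"
    done
    logger -t kadmin-fix "kadmin not online after $MAX_TRIES checks (state: $state)"
    return 1
}

# Legacy rc scripts are invoked with "start"; do nothing when merely sourced.
if [ "$1" = "start" ]; then
    fix_kadmin
fi
```

Installed as /etc/rc3.d/S99kadmin-fix it replaces both of the author's files; the syslog lines tagged kadmin-fix show whether a clear was actually needed on a given boot.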