

CHAPTER 1

Preparing for Installation




This chapter contains an overview of the i-Planet installation, information on the i-Planet system requirements, an i-Planet diagram and discussion of components, and information you need for installation, including i-Planet software installation and license installation.


Installation Overview

Installation of the i-Planet product consists of two parts:

  1. i-Planet software installation
  2. License installation

The i-Planet product includes two CD-ROMs, one containing the i-Planet software itself, and one containing third-party software that can be optionally installed. Software on this CD is described in Appendix B.


System Requirements

This section describes the system requirements for i-Planet software. Refer to the i-Planet Release Notes for the most recent information on requirements and patches.

TABLE  1-1   System Requirements  
Component
Description

Operating environment  

i-Planet 2.0 software runs in the Solaris™ 2.5.1, 2.6, and Solaris 7 operating environments. The basic firewall application provided and SecurID authentication do not run under Solaris 7.

Patches required from Sun Microsystems before using the Java™ Development Kit (JDK™) in the Solaris 2.5.1 operating environment include: Patch No. 103566-08 or later (X11/OpenWindows™ patch) and Patch No. 103640-08 or later (kernel patch). Refer to the URL http://www.javasoft.com/products/jdk/1.2/install-solaris-patches.html or to http://sunsolve.sun.com for patch information.

System  

i-Planet 2.0 software ideally uses two machines: one server to function as a gateway between the Internet and your internal network ("the i-Planet gateway") and one server to function as a platform and applications server ("the i-Planet server").

  • Machine type: a dual CPU Ultra 60 with 300 MHz is recommended for both the i-Planet gateway and for the i-Planet server.
  • Memory: the gateway and the i-Planet server should each have a minimum of 128 Mbytes of memory.
  • Disk space: the i-Planet gateway should have a minimum of 40 Mbytes of free disk space; the i-Planet server should have a minimum of 50 Mbytes of free disk space.

    Browser  

    A browser (Netscape Navigator™ 4.04 or higher, Internet Explorer 4.0 or higher) and an Internet connection are required for a remote client to connect to the i-Planet server, and for the system administrator to use the Administration Console.

    A patch from Netscape Communications Corporation is required if you are using the Netscape browser versions 4.04 or 4.05: Patch JDK 1.1AWT. This patch can be downloaded from the Netscape website.  


    Diagram and Components

    i-Planet software has three main components:

  • Reverse proxy
  • Platform
  • Applications

    For security reasons, the recommended installation is to put the reverse proxy component on a machine separate from the platform and applications; this machine is called the i-Planet gateway. The platform and the applications together are called the i-Planet server. The i-Planet server can be installed on the i-Planet gateway machine or on a separate machine.

    FIGURE 1-1 shows a basic diagram of the i-Planet product, including the default port numbers.



    FIGURE  1-1 i-Planet Basic Diagram


    The i-Planet Gateway

    The i-Planet gateway contains the reverse proxy and the optional firewall application. The gateway is configured to listen for client traffic from the Internet on port 443. The gateway uses the secure socket layer protocol (SSL) to communicate with a browser, and can be configured to use SSL to communicate with the i-Planet server.


    The i-Planet Server

    The i-Planet server contains the platform and the applications. The platform includes administration services, such as authentication, licensing, and logging. The applications include desktop, mail, calendar, intranet browsing, and file access. By default, the i-Planet server is configured to listen for non-SSL traffic from the i-Planet gateway on port 8080; it can instead be configured to listen for SSL traffic from the i-Planet gateway, by default on port 443.


    i-Planet Clients

    i-Planet clients can connect to the i-Planet gateway through the Internet or from their internal intranet. An i-Planet remote client can be directly connected to the Internet or it can be connected through a web proxy or a firewall or both to the Internet. All clients use a browser to access i-Planet software.


    Information Needed for Installation

    This section describes the information you need for i-Planet installation and for license installation.


    Information for i-Planet Installation

    i-Planet software is installed by running a script. There are two types of installation:

  • The default installation
    The default installation provides default answers in brackets to most questions. The minimum information you must provide or verify includes:
      • The fully qualified host name of the i-Planet gateway
      • The fully qualified host name of the i-Planet server
      • Your network domain name
      • Any network subdomain names
      • The name of your web proxy host, if one is being used
      • Organization-specific information for a self-signed SSL certificate on the i-Planet gateway
    The default installation is also documented in the i-Planet Quick Install card.
  • Your own installation settings (also called a nondefault, or a customized installation)
    The customized installation allows you to change several parameters, including the i-Planet installation directory, the default port numbers, whether SSL is used between the i-Planet gateway and server, and so on. If you choose a customized installation, you provide the same information as for a default installation, plus additional information.

    TABLE 1-2 shows the information needed for installation.

    TABLE  1-2   Installation Information 
    Information
    Description

    i-Planet gateway name  

    The fully qualified host name (example: hostname.eng.sun.com) of the external interface to the Internet of the machine on which you install the gateway software. The gateway contains the encrypting proxy and the reverse proxy, which together handle all traffic from the Internet to the intranet. The gateway also contains the optional basic firewall application.  

    i-Planet server name  

    The fully qualified host name (example: hostname2.eng.sun.com) of the machine on which you install the platform and applications software. The platform includes the Java web server and the administration services, such as authentication, licensing, and logging. The applications include the desktop, mail, calendar, intranet browsing, and file access applications.  

    installation directory  

    i-Planet software is installed in /opt unless you specify a different directory.  

    basic firewall application  

    If your organization does not have a firewall that can be used to restrict the external access to the i-Planet gateway machine to traffic on port 443 (or to the port you have configured to carry SSL traffic), you have the option of installing a basic firewall application on the i-Planet gateway.

    The basic firewall application examines packets coming only from the external gateway interface, and follows these rules:

  • Allows external access to port 443 (or to the port you specify for the encrypting proxy during installation) of the gateway through the gateway's public, or external, interface
  • Allows the gateway machine access to anywhere
  • Allows routing information from the Internet interface on the gateway machine to be updated
  • Denies everything not expressly allowed in the above rules
  • The basic firewall application does not run under Solaris 7.

    If you want greater control over the ports and traffic than this basic firewall application provides, consider installing a firewall product such as Sun Microsystems' SunScreen™ EFS software.  

    network interface type  

    If you install the basic firewall application, you specify the gateway network interface. The machine on which you install the firewall should have more than one network interface. To list available interfaces, use the command ifconfig -a.  

    name service  

    If you install the basic firewall application, you specify your name service: NIS, DNS, NIS and DNS, or none.  

    network domain name  

    Your network domain name. The network domain name does not include the host name or subdomain name. An example of a network domain name is sun.com.  

    network subdomain names  

    If any URLs within your organization's intranet contain only a host and subdomain, such as host.eng, that subdomain must be entered as a network subdomain name during installation. For example, within the network domain name of sun.com, if host.group appears in a URL, then group must be entered as a network subdomain name. As a general rule, if any URL in your organization's domain is not fully qualified, the subdomain must be entered during installation. The subdomain name must not contain dots. Note: if you forget or omit subdomain names during installation, you can add subdomain names by editing a configuration file on the gateway; refer to the i-Planet Administration Guide for instructions.  

    port numbers  

    Default port numbers are provided for the encrypting proxy (443), the reverse proxy (10443), and the i-Planet server (8080 for non-SSL communication, 443 for SSL communication). If you select a customized installation, you can change these port numbers. You can also specify a port number for a web proxy host, if you use one.

    The reverse proxy and the encrypting proxy must use different port numbers. The i-Planet gateway must know the i-Planet server port number, whether or not you use SSL communication between the two machines.  

    web proxy host  

    A web proxy host potentially handles all HTTP requests between the gateway and the intranet.

    If you are using a web proxy host, use the web proxy option during installation to specify the fully qualified host name of your web proxy. The gateway will then use that proxy for all HTTP requests. This scenario is desirable if you do not want the gateway to have the routing information it would need to find the intranet machines.

    If you do not specify a web proxy host, the gateway will make a direct connection to intranet machines when a user tries to access one of those intranet machines.

    After installation, you can change your web proxy host or add one if you did not specify one during installation by editing a configuration file on the gateway; refer to the i-Planet Administration Guide for instructions.  

    SSL communication  

    The secure socket layer (SSL) protocol provides a way to encrypt communication between two machines. i-Planet software uses SSL to encrypt communication between a browser and the i-Planet gateway, and, optionally, between the i-Planet gateway and the i-Planet server if they are installed on separate machines.

    By default, the gateway communicates with the i-Planet server "in the clear," or with unencrypted communication. During installation, you have the option of specifying that the gateway use SSL to communicate with the i-Planet server. In this case, you must have an SSL certificate installed on each machine. The i-Planet gateway must know the i-Planet server port number, whether or not you use SSL communication between the two machines.

    After installation, you can change whether or not you use SSL between the gateway and the i-Planet server; refer to the i-Planet Administration Guide for instructions.  

    SSL certificate  

    To have an encrypted SSL link, you must have an SSL certificate on the machines using SSL.

    A self-signed SSL certificate on the gateway is created during i-Planet installation on the gateway. To create this certificate, you must enter organization-specific information, such as company name and address, and a passphrase. Do not use the equal sign (=) in the certificate field entries.

    If you are using SSL between the gateway and the i-Planet server, you must install an SSL certificate from a Certificate Authority vendor on the i-Planet server; refer to Appendix A for instructions on obtaining and installing an SSL certificate from a Certificate Authority vendor.

    You can create new self-signed SSL certificates, and you can request and install SSL vendor certificates at any time after installation. Refer to Appendix A for information on certificates and instructions on installing them.  


    Host and Network Domain Name Example

    It is very important that the correct, resolvable addresses for host names and network domain names be entered during installation.

    An example of a fully qualified host name is "hostname.eng.sun.com." In this example, "hostname" is the machine name, "eng" is the subdomain name, and "sun.com" is the network domain name. This scenario is illustrated in FIGURE 1-2. Domain names can have more than two components, for example, "sun.co.jp" could also be a network domain name.



    FIGURE  1-2 Host, Domain, and Subdomain Name Example
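
A pre-installation check of the answers described in TABLE 1-2 and in the naming example above, written as an added Python example; it is not part of the i-Planet software or its installation script. The dictionary keys, the `short_hosts` list, and the requirement that both hosts sit under the network domain entered are assumptions of this example, and the sample values are constructed from the page's own examples.

```python
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def split_fqdn(fqdn, domain):
    """Return (host, subdomain, domain), or None if fqdn is not under domain."""
    fqdn, domain = fqdn.rstrip(".").lower(), domain.rstrip(".").lower()
    if not fqdn.endswith("." + domain):
        return None
    left = fqdn[: -len(domain) - 1].split(".")
    if not all(LABEL.match(part) for part in left):
        return None
    return left[0], ".".join(left[1:]), domain

def check_answers(a):
    """Validate planned installer answers; return a list of findings."""
    findings = []
    # Assumption of this example: both hosts are in the network domain entered.
    for key in ("gateway", "server"):
        if split_fqdn(a[key], a["domain"]) is None:
            findings.append(f"{key} name {a[key]!r} is not fully qualified")
    for sub in a["subdomains"]:  # subdomain names must not contain dots
        if "." in sub:
            findings.append(f"subdomain {sub!r} contains a dot")
    # Hosts that appear in intranet URLs as host.subdomain only (for example
    # host.eng) need that subdomain entered as a network subdomain name.
    for short in a["short_hosts"]:
        sub = short.partition(".")[2]
        if sub and sub not in a["subdomains"]:
            findings.append(f"subdomain {sub!r} (from {short!r}) is not declared")
    ports = a["ports"]
    if ports["encrypting_proxy"] == ports["reverse_proxy"]:
        findings.append("encrypting proxy and reverse proxy share a port")
    for field, value in a["cert"].items():  # '=' is not allowed in cert fields
        if "=" in value:
            findings.append(f"certificate field {field!r} contains '='")
    return findings

# Constructed sample answers; hypothetical keys, values from the page's examples.
SAMPLE = {
    "gateway": "hostname.eng.sun.com", "server": "hostname2.eng.sun.com",
    "domain": "sun.com", "subdomains": ["eng"],
    "short_hosts": ["host.eng", "host.group"],
    "ports": {"encrypting_proxy": 443, "reverse_proxy": 10443, "server": 8080},
    "cert": {"organization": "Example Corp", "locality": "Palo Alto"},
}

if __name__ == "__main__":
    print("\n".join(check_answers(SAMPLE)))
```

Splitting against the network domain rather than at a fixed number of dots is what lets a three-component domain such as sun.co.jp decompose correctly.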


    Information about Licenses

    Licensing for the i-Planet product is provided through six initial product licenses and subsequently through FLEXlm license manager software. For information about licensing for third-party software products used with i-Planet software, contact the appropriate third-party vendor.


    Initial product licenses

    The i-Planet software comes with six (including root) user licenses.


    FLEXlm license manager software

    Sun Microsystems protects its applications by implementing license agreements that detail manufacturer and user obligations.

    A license with right-to-use (RTU) tokens or a license by site (domain) is required to use i-Planet software. i-Planet software can be licensed by one of two versions: full features or mail-only features.

    Licensing with RTUs is enabled by installing a license server, which is a program that runs on the i-Planet server. The license server has the number of RTUs that you installed. When the i-Planet server starts, it gets the RTUs from the license server. The number of unique, authenticated login names must not exceed the number of RTUs. Licensing by site is enabled by linking the i-Planet product to a network domain.

    Information on obtaining and installing your license is included in Chapter 3 of this manual.

    The next chapter contains i-Planet installation instructions.





    Copyright © 1999 Sun Microsystems, Inc. All Rights Reserved.