Scott Fehrman's journal on life as a Principal Engineer (PE) @ Sun. Systems Engineering 101

Recently I had a need to configure the Sun Java System Identity Manager for provisioning users to Solaris. Identity Manager uses Resource Adapters to communicate with resources (Solaris). When you configure a Resource Adapter, you need to specify a userid/password that has the ability to execute user and group management commands. One of the options is to use the sudo utility. Solaris has a far better solution to this problem ... Role Based Access Control (RBAC).

I documented the process of setting up a new Solaris Role (Identity Management) and the creation of a "proxy user" (idmadm). This step-by-step process is available as an article from the BigAdmin Feature Article site.

I use Solaris 10 to demonstrate the Sun Java System Identity Manager. Setting up Identity Manager on Solaris 10 was easy, it had everything I needed ... a JSP/Servlet container and an RDBMS. Solaris 10 had Apache/Tomcat and MySQL already installed.

By default, Apache/Tomcat and MySQL used traditional start-up scripts. I decided to create a Solaris 10 SMF service for Identity Manager. I ended up creating two services, one for the MySQL database and the other for Apache/Tomcat. The Identity Manager service (idmgr) has a dependancy on the MySQL service (mysql).

Documenting my Solaris 10 SMF experiences evolved from my journal "chicken scratchings" to emailed notes to finally a technical whitepaper. The whitepaper was an internal only document. Thanks to a bunch of great co-workers we got it posted as a BigAdmin Feature Article. You can get it here.

If you're thinking about creating your own Solaris 10 service, take a look at the article. It includes step-by-step instructions and manifests that can be modified for your specific service.

This past week I was working at a customer site. We were configuring the Sun Java System Identity Manager. We configured a solution to manage identities for the customer's employees and partners across a wide range of systems. One of the systems we provisioned to was Microsoft Window's Active Directory. As part of the project, we needed to perform various administrative tasks on the Windows 2000 Server. Typically Windows Terminal Service is used to support remote administration. Normally, I would use a Windows system and start the Remote Desktop Protocol (RDP) client to perform Window's administration. But not this time.

I use a 64-bit Athlon AMD powered laptop running Solaris 10. I've been able to accomplish most administrative tasks from Solaris 10 (less Windows admin tasks). A very cool utility was brought to my attention that changed how I would remotely admin Windows Servers. If you haven't discovered it, please check out rdesktop. The installation was simple;

• download the tar.gz file
• unpack it
• run configure
• make
• make install

Solaris 10 included everything to build rdesktop, including gcc and openssl. The only custom part of the install involved telling the configure script where openssl was installed.

# gzcat rdesktop-1.4.1.tar.gz | tar xf - 
# cd rdesktop-1.4.1
# ./configure  --prefix=/usr/local --with-openssl=/usr/sfw
# make
# make install
# /usr/local/bin/rdesktop -g 1024x768 win2kserv

I'm now able to connect to the Windows Terminal Server and perform administrative tasks from Solaris 10. Adding rdesktop to my Solaris 10 system now gives me one less reason to run Windows.

Running Solaris (and not Windows) on my laptop has some extra benefits. Most, if not all, of the customers I visit are concerned about viruses. They get concerned when anyone connects a computer to their network. Keeping track of virus software on employee's systems is challenging enough. Worrying about what might be on a contractor's or vendor's laptop is a whole different challenge. I've been to customers where they will not allow any Windows laptops to connect (to their network) until they've been verified to be safe. I've not seen this type of concern with Solaris.

So ... to anyone that needs to access Windows Terminal Servers, add rdesktop to Solaris 10. You'll be able to remotely administer the Windows Server without having someone worry if your going to infect their network with a Windows-based virus.