Manuals / Symantec / Computer Equipment / Computer Accessories

Symantec 5 Creating encrypted files for the security infrastructure, Venus # vssat showbrokerhash

Models: 5

1 176

Download 176 pages 9.76 Kb

Page 35

Preparing to install VCS 35

Preparing to configure the clusters in secure mode

■If the output displays the following error, then the account for the given authentication broker is not created on this root broker:

"Failed To Get Attributes For Principal"

Proceed to step 3.

3Create a principal account for each authentication broker in the cluster. For example:

venus> # vssat addprpl --pdrtype root --domain \ root@venus.symantecexample.com --prplname galaxy \ --password password --prpltype service

You must use this password that you create in the input file for the encrypted file.

Creating encrypted files for the security infrastructure

Create encrypted files (BLOB files) only if you plan to choose the semiautomatic mode that uses an encrypted file to configure the Authentication Service. The administrator must create the encrypted files on the root broker node. The administrator must create encrypted files for each node that is going to be a part of the cluster before you configure the Authentication Service for VCS.

To create encrypted files

1Make a note of the following root broker information. This information is required for the input file for the encrypted file:

hash	The value of the root hash string, which consists of 40
	characters. Execute the following command to find
	this value:
	venus> # vssat showbrokerhash
root_domain	The value for the domain name of the root broker
	system. Execute the following command to find this
	value:
	venus> # vssat showalltrustedcreds

2Make a note of the following authentication broker information for each node. This information is required for the input file for the encrypted file:

Image 35

Symantec 5 manual Creating encrypted files for the security infrastructure, Venus # vssat showbrokerhash

Contents

Veritas Cluster Server Installation Guide Legal Notice Veritas Cluster Server Installation GuideSymantec Corporation Ellis Street Mountain View, CA Contacting Technical Support Technical SupportDocumentation feedback Customer serviceLicensing and registration Additional enterprise services Maintenance agreement resourcesContents Contents Chapter Configuring VCS clusters for data integrity 121 Chapter Adding and removing cluster nodesIndex 173 171Contents This chapter includes the following topics About Veritas Cluster ServerAbout VCS basics Example of a four-node VCS cluster About multiple nodesAbout shared storage About network channels for heartbeating See About the LLT and GAB configuration files onAbout LLT and GAB About VCS seeding About preexisting network partitionsAbout global clusters About VCS featuresVeritas Installation Assessment Service About VCS notificationsYou can add the following optional components to VCS About VCS optional componentsAbout I/O fencing About Symantec Product Authentication Service AT About Veritas Cluster Server Management Console See Preparing to configure the clusters in secure mode onSee Installing the Java Console on About Cluster Manager Java ConsoleAbout VCS optional components Page 1lists the hardware requirements for a VCS cluster About planning to install VCSHardware requirements Description Required disk spaceHardware requirements for a VCS cluster Kernel Architecture Supported operating systemsRhel Required Linux RPMs for VCSSupported software Planning to install VCS Supported software Preparing to configure the clusters in secure mode About preparing to install VCS1depicts the flow of configuring VCS cluster in secure mode Workflow to configure VCS cluster in secure mode This task Preparatory tasks to configure a cluster in secure modeTasks # ./installer Installing the root broker for the security infrastructureSee About Symantec Product Authentication Service AT on Venus # vssat showprpl --pdrtype root \ Venus # vssat showalltrustedcredsVenus # vssat showbrokerhash Creating encrypted files for the security infrastructureAddprpl command RootBroker # vssat createpkg \ For examplePerforming preinstallation tasks Https//licensing.symantec.com Obtaining VCS license keysTask Reference You can use network switches instead of hubs Setting up the private networkPage See About installing and configuring VCS on Configuring SuSE network interfaces# ifconfig -a Run the commandWhere ethX is the interface name For example # cd /etc/sysconfig# cd /etc/sysconfig/network Setting up inter-system communication# ifconfig eth0 # ssh-keygen -t dsa Setting up ssh on cluster systemsAccept the default location of ~/.ssh/iddsa # exec /usr/bin/ssh-agent $SHELL # ssh-add Setting up shared storageSee About setting up disk-based I/O fencing on # chmod 755 ~/.sshFor the C Shell csh or tcsh, type Setting the Path variableSetting the Manpath variable Case of a panic, the node will reboot after 10 seconds Setting the kernel.panic tunableOptimizing LLT media speed settings on private NICs # mount -o ro /dev/cdrom /mnt/cdrom Performing automated pre-installation checkMounting the product disc # ./installvcs -precheck galaxy nebula VCS About installing and configuring VCSExample vcscluster27 To configure Veritas Cluster Server you needExample galaxy, nebula Var/tmp/privatedir/roothash To configure VCS clusters in secure mode optional, you needTo configure Smtp email notification optional, you need Optional VCS RPMs To configure Snmp trap notification optional, you needTo configure global clusters optional, you need See About preparing to install VCS on About the VCS installation programOptional features of the installvcs program VRTSvcsmn Manual pages for VCS commandsOptional action Reference Interacting with the installvcs programAbout installvcs program command options Installvcs command usage takes the following formInstallvcs system1 system2... options Nooptionalpkgs Option and Syntax DescriptionConfiguring VCS using configure option Installing VCS using installonly optionOverview of tasks Installing and configuring VCS 5.0 RU3See Configuring the basic cluster on 3lists the installation and the configuration tasksStarting the software installation # cd /clusterserver Specifying systems for installationStart the installvcs program # ./installvcs -rshSee Checking licensing information on the system on Licensing VCSEnter keys for additional product features Choosing VCS RPMs for installationChoosing to install VCS RPMs or configure VCS See Configuring VCS using configure option on Starting the software configuration# cd /dvdrom/clusterserver Specifying systems for configurationConfiguring the basic cluster # ./installvcs -configurePage Configuring the cluster in secure mode Root/roothash East.symantecexample.comSymantecexample.com Root@east.symantecexample.comTo add a user, enter y at the prompt Configuring Smtp email notificationEnter the user’s name, password, and level of privileges Adding VCS usersSee Configuring Snmp trap notification on Verify and confirm the Smtp notification information Configuring Snmp trap notificationSee Configuring global clusters on If you do not want to add, answer nVerify and confirm the Snmp notification information Configuring global clustersSee Creating VCS configuration files on Installing VCS RPMsVerifying the NIC configuration Creating VCS configuration filesSet the Persistentname for all the NICs Completing the installationStarting VCS File description VCS node authentication broker See Software requirements for the Java Console on Installing the Java ConsoleSoftware requirements for the Java Console Hardware requirements for the Java Console# cd /mnt/cdrom/distarch/clusterserver/rpms Installing the Java Console on Linux for IBM PowerInstalling the Java Console on a Windows system Navigate to the folder that contains the RPMsSoftware requirements for VCS Simulator Installing VCS SimulatorInstalling VCS Simulator on Unix systems Installing VCS Simulator on Windows systemsReviewing the installation Checking licensing information on the system Verifying the cluster after installationSee About verifying the VCS installation on Verifying and updating licenses on the system# hastop -all -force Updating product licenses using vxlicinstReplacing a VCS demo license with a permanent license # cd /opt/VRTS/bin# hastart Accessing the VCS documentationTo access the VCS documentation Start VCS on each nodeAbout configuring VCS clusters for data integrity Configuring VCS clusters for data integritySee About data disks on About I/O fencing componentsAbout data disks About coordination points1illustrates the tasks involved to configure I/O fencing About setting up disk-based I/O fencingWorkflow to configure disk-based I/O fencing I/O fencing configuration files include Preparing to configure disk-based I/O fencing # fdisk -l Initializing disks as VxVM disksLibnamevidpid # vxddladm listsupport allExample specifies the CDS format Identifying disks to use as coordinator disksChecking shared disks for I/O fencing See Testing the disks using vxfentsthdw utility on Verifying that the nodes have access to the same diskTesting the shared disks for SCSI-3 # /opt/VRTSvcs/vxfen/bin/vxfentsthdw Testing the disks using vxfentsthdw utilitySee Removing permissions for communication on Dev/sdr If you use rsh for communication# /opt/VRTSvcs/vxfen/bin/vxfentsthdw -n # vxdg -g vxfencoorddg set coordinator=on Setting up disk-based I/O fencing manuallySetting up coordinator disk groups # vxdg init vxfencoorddg sdx sdy sdzDeport the coordinator disk group Creating I/O fencing configuration filesFor raw device configuration Stop VCS on all nodes Modifying VCS configuration to use I/O fencingMake a backup copy of the main.cf file # /etc/init.d/vxfen start Verifying I/O fencing configuration# hacf -verify /etc/VRTSvcs/conf/config Start VCS# vxfenadm -d Removing permissions for communicationPage About the LLT and GAB configuration files About verifying the VCS installationGalaxy Nebula About the VCS configuration file main.cf Sample main.cf file for VCS clusters Page Sample main.cf file for global clusters ClusterAddress = Application wac IP gcoip NIC csgnic Gcoip requires csgnicWac requires gcoip Verifying LLT, GAB, and cluster operation Verifying the LLT, GAB, and VCS configuration filesVerify the content of the configuration files See Setting the Path variable onOutput on nebula resembles Verifying LLTSee Verifying the cluster on Output on galaxy resemblesEth1 UP Output resembles Verifying GABVerifying the cluster Verifying the cluster nodes Current Eth1 UP eth2 UP Adding a node to a cluster About adding and removing nodesSee Adding a license key on Setting up the hardwarePreparing for a manual installation when adding a node See Mounting the product disc on Installing VCS RPMs for a manual installationSLES10/ppc64, required Rpms Adding a license keyChecking licensing information on the system See Setting up VCS related security configuration on Setting up the node to run in secure modeSee Configuring LLT and GAB on See Configuring the authentication broker on node saturn onConfiguring the authentication broker on node saturn Setting up VCS related security configuration Configuring LLT and GABIf the file on one of the existing nodes resembles On the new system, run the command# /sbin/lltconfig -c Add the new system to the cluster To verify GAB On the new node, run the commandAdding the node to the existing cluster Start VCS on the new node Removing a node from a clusterStarting VCS and verifying the cluster Stop VCS on the new nodeVerifying the status of nodes and service groups # hastatus -summary Deleting the departing node from VCS configurationCheck the status of the systems and the service groups # haconf -makerw # hagrp -unlink grp4 grp1 # hagrp -switch grp3 -to nebula# hagrp -dep # hagrp -delete grp4 Save the configuration, making it read onlyCheck the status Delete the node from the clusterRemoving security credentials from the leaving node Modifying configuration files on each remaining node# rpm -qa grep Vrts Stop GAB and LLTTo determine the RPMs to remove, enter # /etc/init.d/gab stop # /etc/init.d/llt stop# rm /etc/llttab # rm /etc/gabtab # rm /etc/llthosts Remove the LLT and GAB configuration filesCreating a single-node cluster using the installer program About installing VCS on a single nodeSee Starting the software installation on Preparing for a single node installationStarting the installer for the single node cluster Tasks to create a single-node cluster using the installerSet the path variable Installing the VCS software manually on a single nodeCreating a single-node cluster manually See Licensing VCS on# hastart -onenode Renaming the LLT and GAB startup filesModifying the startup files Verifying single-node operationAdding a node to a single-node cluster Installing VxVM or VxFS if necessary Setting up a node to join the single-node clusterBringing up the existing node Configuring the shared storageSee Setting up shared storage on Display the service groups currently configuredRename the GAB and LLT startup files so they can be used Configuring LLTFreeze the service groups Stop VCS on Node aSee LLT directives on Setting up /etc/llthostsSetting up /etc/llttab LLT directivesDirective Description Additional considerations for LLTLLT directives Starting LLT and GAB Configuring GAB when adding a node to a single node clusterReconfiguring VCS on the existing node Reconfigure VCS on the existing nodesVerifying configuration on both nodes Verify that VCS is up on both nodes Unfreeze the service groupsImplement the new two-node configuration Start the VCS on Node BPage See About adding and removing nodes on About the uninstallvcs programPreparing to uninstall VCS Removing VCS 5.0 RU3 RPMs Uninstalling VCS 5.0 RU3# cd /opt/VRTS/install # ./uninstallvcs Running uninstallvcs from the VCS 5.0 RU3 disc Uninstallvcs program is not available in /opt/VRTS/install Following checklist is to configure LLT over UDP Using the UDP layer for LLTWhen to use LLT over UDP Configuring LLT over UDPSee Broadcast address in the /etc/llttab file on Link command in the /etc/llttab fileSee Sample configuration links crossing IP routers on Broadcast address in the /etc/llttab fileTable A-2describes the fields of the set-addr command Set-addr command in the /etc/llttab file# setparms ipaddress Configuring the netmask for LLTSelecting UDP ports # cat /etc/llttab Configuring the broadcast address for LLTSample configuration direct-attached links For second network interfaceFile for Node 1 resembles UDPFigure A-2 Sample configuration links crossing IP routers/etc/llttab file on Node 0 resembles Performing automated VCS installationsOr, in the case of a list Syntax in the response fileExample response file Or, in the case of an integer valueTable A-3 Response file variables Variable Description Response file variable definitions$CPICFGOPTLICENSE $CPICFGOPTPKGPATH $CPICFGKEYS Table A-3 $CPICFGOPTUNINSTALL See Installing and configuring VCS 5.0 RU3 on# ./installvcs -responsefile /tmp/installvcs-uui.response Index GAB RAM VCS