The Symantec Product Authentication Service is a common Veritas feature that validates identities based on existing network operating system domains (such as NIS and NT) or private domains. The authentication service protects communication channels among Symantec application clients and services through message integrity and confidentiality services.
Before you install the authentication service, refer to the Symantec Product Authentication Service Installation Guide at the following location on the Veritas software disc:
authentication_service/docs/vxat_install.pdf.
Symantec Product Authentication Service secures communication using digital certificates for authentication and SSL to encrypt communication over the public network. You can configure Storage Foundation to use the Authentication Service to secure communication between the following:
You can set up Authentication Service for the cluster during the Storage Foundation installation and configuration process. If you want to enable Authentication Service after installation, refer to the Veritas Cluster Server User's Guide.
To configure the cluster in secure mode, Storage Foundation requires you to configure a system in your enterprise as the root broker and all nodes in the cluster as authentication brokers.
A root broker serves as the main registration and certification authority; it has a self-signed certificate and can authenticate other brokers. The root broker is only used during initial creation of an authentication broker.
Authentication brokers serve as intermediate registration and certification authorities. Authentication brokers have certificates that are signed by the root. Each node in the Storage Foundation cluster serves as an authentication broker.
The figure "Secure Storage Foundation cluster configuration flowchart" depicts the flow of configuring Storage Foundation in secure mode.
Figure: Secure Storage Foundation cluster configuration flowchart
If you decide to enable the Authentication Service, the root broker administrator must perform the following preparatory tasks:
The root broker is the main registration and certification authority and can serve multiple clusters. Symantec recommends that you install a single root broker on a utility computer such as an email server or domain controller, which can be highly available.
See Installing root broker for Veritas Product Authentication Service
The installsfrac program provides the following modes to configure Veritas Product Authentication Service:
- The root broker administrator must create an encrypted file for each node in the cluster.
See Creating encrypted files for Veritas Product Authentication Service
- The root broker administrator must provide the encrypted files on media or make them available on a shared location that you can access.
- You must copy the encrypted files to a directory on the installation node. Make a note of the path to these encrypted files.
- You must gather the following information from the root broker administrator:
  - Root broker port (default is 2821)
  - Authentication broker principal name for each node
  - Authentication broker password for each authentication broker
- The root broker administrator must provide the root_hash file on media or make it available on a shared location that you can access.
- You must copy the root_hash file to a directory on the installation node. Make a note of the path to this root_hash file.
Refer to the Symantec Product Authentication Service Administrator's Guide for more information.
Note: Make sure that the system clocks of the root broker and authentication broker systems are in sync.
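The prerequisites listed above (files received from the root broker administrator, the root broker port, and clock synchronization) can be checked before you run the installer. The following script is an added example, not part of the Veritas documentation or tooling; the file paths, the host name and the 5-second skew limit are assumptions, and only the default port 2821 comes from this page.

```shell
# Pre-flight checks for secure-mode configuration (added example).
# Paths, host names and MAX_SKEW are assumptions, not values from the guide.
ROOT_BROKER_PORT=2821   # default root broker port given on this page
MAX_SKEW=5              # assumed tolerance in seconds

# A file received from the root broker administrator (root_hash or a
# per-node encrypted file) must be a regular, non-empty, readable file
# that neither group nor other can modify.
check_handoff_file() {
    f=$1
    [ -f "$f" ] || { echo "MISSING    $f"; return 1; }
    [ -s "$f" ] || { echo "EMPTY      $f"; return 1; }
    [ -r "$f" ] || { echo "UNREADABLE $f"; return 1; }
    if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE   $f (group or other can modify it)"; return 1
    fi
    echo "OK         $f"
}

# Check every file passed as an argument; non-zero if any check fails.
preflight_files() {
    rc=0
    for hf in "$@"; do
        check_handoff_file "$hf" || rc=1
    done
    return "$rc"
}

# Absolute difference in seconds between two epoch timestamps.
clock_skew() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( 0 - skew ))
    echo "$skew"
}

# True when local ($1) and remote ($2) epoch times are within MAX_SKEW.
clocks_in_sync() {
    [ "$(clock_skew "$1" "$2")" -le "$MAX_SKEW" ]
}

# TCP reachability of the root broker port; needs bash and timeout(1).
port_open() {
    timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Usage with constructed paths and a placeholder host name:
#   preflight_files /var/tmp/vxat/root_hash /var/tmp/vxat/node1.enc
#   port_open rootbroker.example.com "$ROOT_BROKER_PORT"
#   clocks_in_sync "$(date +%s)" "$(ssh rootbroker.example.com date +%s)"
```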