Preparing SF Oracle RAC cluster setup for optional features

After planning the SF Oracle RAC features that you want to configure, you must prepare to configure these features.

See About SF Oracle RAC component features

Workflow for fresh install of SF 5.0 for Oracle RAC represents the major tasks and decisions required to install and configure SF Oracle RAC.

Workflow for fresh install of SF 5.0 for Oracle RAC


Complete the following preparatory tasks based on the SF Oracle RAC features you want to configure:

Installing root broker for Symantec Product Authentication Service

Install the root broker only if you plan on using Symantec Product Authentication Service. The root broker administrator must install and configure the root broker before you configure the Authentication Service for SF Oracle RAC. Symantec recommends that you install the root broker on a stable system that is outside the cluster. You can install the root broker on an AIX, HP-UX, Linux, or Solaris system. See Symantec Product Authentication Service Installation Guide for more information. You can configure the Authentication Service during or after SF Oracle RAC installation.

See Symantec Product Authentication Service

 To install the root broker

  1. Change to the directory where you can start the installsfrac program:

    # cd cluster_server

  2. Start the Root Broker installation program:

    # ./installsfrac -security

  3. Select to install the Root Broker from the three choices that the installer presents:

    [3] Install Symantec Product Authentication Service Root Broker.

  4. Enter the name of the system where you want to install the Root Broker.

    Enter the system name on which to install Symantec Product Authentication Service: venus

  5. Review the output as the installer:
  6. Review the output as the installsfrac program checks for the installed depots on the system.

    The installsfrac program lists the depots that will be installed on the system. Press Enter to continue.

  7. Review the output as the installer installs the root broker on the system.
  8. Enter y when the installer prompts you to configure the Symantec Product Authentication Service.
  9. Enter a password for the root broker. Make sure the password contains a minimum of five characters.
  10. Enter a password for the authentication broker. Make sure the password contains a minimum of five characters.
  11. Press Enter to start the Authentication Server processes.

    Do you want to start Symantec Product Authentication Service processes now? [y,n,q] y

  12. Review the output as the installer starts the Authentication Service.
  13. If you plan to configure the Authentication Service during SF Oracle RAC installation, choose to configure the cluster in secure mode when the installer prompts you.

    See Configuring SF Oracle RAC components

Creating encrypted files for Symantec Product Authentication Service

Create encrypted files only if you plan on choosing the semiautomatic mode that uses an encrypted file to configure the Authentication Service. The encrypted files must be created by the administrator on the root broker node. The administrator must create encrypted files for each node that would be a part of the cluster before you configure the Authentication Service for SF Oracle RAC. See Veritas Cluster Server User's Guide for more information. You can configure the Authentication Service during or after SF Oracle RAC installation.

See Symantec Product Authentication Service

The example procedure assumes venus as the root broker node. The example procedure creates encrypted files for nodes galaxy and nebula that would form the SF Oracle RAC cluster rac_cluster101.

 To create encrypted files

  1. Determine the root broker domain name. Enter the following command on the root broker system:

    venus> # vssat showalltrustedcreds

    For example, the domain name would resemble "Domain Name: root@venus.symantecexample.com" in the output.

  2. For each node in the cluster, make sure that you have created an account on the root broker system.

    For example, to verify on node galaxy:

    venus> # vssat showprpl --pdrtype root \
    --domain root@venus.symantecexample.com --prplname galaxy

  3. Create a principal account for each authentication broker in the cluster. For example:

    venus> # vssat addprpl --pdrtype root --domain \
    root@venus.symantecexample.com --prplname galaxy \
    --password password --prpltype service

    You must use the password that you create here in the input file for the encrypted file.

  4. Make a note of the following information that is required for the input file for the encrypted file.
  5. For each node in the cluster, create the input file for the encrypted file.

    The installer presents the format of the input file for the encrypted file when you proceed to configure the Authentication Service using an encrypted file. For example, the input file for the authentication broker on galaxy would resemble:

    [setuptrust]
    broker=venus.symantecexample.com
    hash=758a33dbd6fae751630058ace3dedb54e562fe98
    securitylevel=high

    [configab]
    identity=galaxy
    password=password
    root_domain=vx:root@venus.symantecexample.com
    root_broker=venus.symantecexample.com:2821
    broker_admin_password=ab_admin_password
    start_broker=true
    enable_pbx=false

  6. Back up these input files that you created for the authentication broker on each node in the cluster.

    Note that for security purposes, the command to create the output file for the encrypted file deletes the input file.

  7. For each node in the cluster, create the output file for the encrypted file from the root broker system using the following command.

    RootBroker> # vssat createpkg --in /path/to/blob/input/file.txt --out /path/to/encrypted/blob/file.txt --host_ctx AB-hostname

    For example:

    venus> # vssat createpkg --in /tmp/galaxy.blob.in \
    --out /tmp/galaxy.blob.out --host_ctx galaxy

    Note that this command creates an encrypted file even if you provide a wrong password for the "password=" entry, but the encrypted file will fail to install on the authentication broker node.

  8. After you complete creating output files for the encrypted file, you must copy these files to the installer node.
  9. After you have created the encrypted file, you can start the SF Oracle RAC installation and choose to configure the cluster in secure mode.

    See Configuring SF Oracle RAC components
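
Because createpkg accepts an input file with a wrong entry and deletes the file afterwards, it helps to check each input file before step 7. The script below is an added example, not part of the Symantec documentation or the installer: the function names, the galaxy.blob.bak backup name and each individual check are assumptions based on the sample input file shown in step 5.

```shell
# Added example: pre-flight check of an authentication broker input file
# before "vssat createpkg". Key names come from this page's sample file;
# the individual checks are assumptions, not documented vssat behaviour.
get_key() {  # get_key FILE SECTION KEY: print KEY's value in [SECTION]
    awk -v s="[$2]" -v k="$3" '
        /^[ \t]*\[/ { cur = $0; gsub(/[ \t]/, "", cur); next }
        { key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key) }
        cur == s && key == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}
bad() { echo "$f: $1" >&2; rc=1; }
check_blob_input() {  # check_blob_input FILE NODE BACKUP: 0 if all checks pass
    f=$1 node=$2 bak=$3 rc=0
    for sk in setuptrust:broker setuptrust:hash setuptrust:securitylevel \
        configab:identity configab:password configab:root_domain \
        configab:root_broker configab:broker_admin_password; do
        [ -n "$(get_key "$f" "${sk%%:*}" "${sk#*:}")" ] ||
            bad "[${sk%%:*}] ${sk#*:} is missing or empty"
    done
    # Assumption: the root hash is 40 hex digits, as in the page's sample.
    get_key "$f" setuptrust hash | grep -Eq '^[0-9a-fA-F]{40}$' ||
        bad "hash is not 40 hex digits"
    # Assumption: identity is the node name later passed to --host_ctx.
    [ "$(get_key "$f" configab identity)" = "$node" ] ||
        bad "identity does not match node $node"
    # Assumption: root_broker is the [setuptrust] broker followed by :port.
    case $(get_key "$f" configab root_broker) in
        "$(get_key "$f" setuptrust broker)":[0-9]*) ;;
        *) bad "root_broker is not broker:port" ;;
    esac
    # The file holds two plaintext passwords: no group or other access.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || bad "group or other has access"
    # createpkg deletes the input file, so an identical backup must exist.
    cmp -s "$f" "$bak" || bad "no identical backup at $bak"
    return $rc
}
make_sample() {  # constructed sample for node galaxy, modelled on the page
    ( umask 077
      printf '%s\n' '[setuptrust]' 'broker=venus.symantecexample.com' \
        'hash=758a33dbd6fae751630058ace3dedb54e562fe98' 'securitylevel=high' \
        '[configab]' 'identity=galaxy' 'password=password' \
        'root_domain=vx:root@venus.symantecexample.com' \
        'root_broker=venus.symantecexample.com:2821' \
        'broker_admin_password=ab_admin_password' >"$1/galaxy.blob.in"
      cp -p "$1/galaxy.blob.in" "$1/galaxy.blob.bak" )
}
d=$(mktemp -d) && make_sample "$d" &&
    check_blob_input "$d/galaxy.blob.in" galaxy "$d/galaxy.blob.bak" &&
    echo "galaxy.blob.in: ready for createpkg"
rm -rf "$d"
```

The check cannot tell whether the "password=" value matches the principal created in step 3; only a successful install on the authentication broker node confirms that.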

Installing the management server for the Veritas Cluster Management Console

Install the Cluster Management Console management server only if you plan to centrally manage multiple clusters. Make sure you have a root broker in your domain. SF Oracle RAC clusters need not be secure to configure Cluster Management Console to manage multiple clusters.

See Veritas Cluster Management Console

Refer to the Veritas Cluster Server Installation Guide for more information on installing the management server.