Configuring the Steward process (optional)
In a two-cluster GCO configuration, you can configure a Steward to prevent potential split-brain conditions, provided the proper network infrastructure exists.
See The Steward process: Split-brain in two-cluster global clusters.
To configure the Steward process for clusters not running in secure mode
-
Identify a system that will host the Steward process.
Make sure both clusters can connect to the system through a ping command.
-
Copy the file steward from a node in the cluster to the Steward system. The file resides at the following path:
/opt/VRTSvcs/bin/
-
In both clusters, set the Stewards attribute to the IP address of the system running the Steward process. For example:
cluster cluster1938 (
UserNames = { admin = gNOgNInKOjOOmWOiNL }
ClusterAddress = "10.182.147.19"
Administrators = { admin }
CredRenewFrequency = 0
CounterInterval = 5
Stewards = {"10.212.100.165"}
}
-
On the system designated to host the Steward, start the Steward process:
steward -start
To configure the Steward process for clusters running in secure mode
-
Verify the prerequisites for securing Steward communication are met.
See Prerequisites for clusters running in secure mode.
To verify that the wac process runs in secure mode, do the following:
-
Check the value of the wac resource attributes:
hares -value wac StartProgram
The value must be "/opt/VRTSvcs/bin/wacstart -secure".
hares -value wac MonitorProcess
The value must be "/opt/VRTSvcs/bin/wac -secure".
-
List the wac process:
ps -ef | grep wac
The wac process must run as "/opt/VRTSvcs/bin/wac -secure".
-
Identify a system that will host the Steward process.
Make sure both clusters can connect to the system through a ping command.
-
Copy the steward file from a node in the cluster to the Steward system. The file resides at the following path:
/opt/VRTSvcs/bin/
-
Install the Symantec Product Authentication Services client on the system that is designated to run the Steward process.
See the Symantec Product Authentication Service documentation for instructions.
-
Create an account for the Steward in any authentication broker of the clusters that are part of the global cluster. All cluster nodes serve as authentication brokers when the cluster runs in secure mode.
vssat addprpl --pdrtype ab --domain HA_SERVICES@<fully_qualified_name_of_cluster_node_on_which_this_command_is_being_run> --prplname Steward_GCO_systemname --password password --prpltype service
When creating the account, make sure the following conditions are met:
-
The domain name must be of the form: HA_SERVICES@fully_qualified_system_name
-
The account name must be of the form: Steward_GCO_systemname
-
The account type must be service and the domain type must be VX.
-
Note the password used to create the account.
-
Retrieve the broker hash for the account.
vssat showbrokerhash
-
Create a credential package (steward.cred) for this account. Note that the credential package will be bound to a system.
vssat createpkg --prplname Steward_GCO_systemname --domain vx:HA_SERVICES@<fully_qualified_name_of_cluster_node_on_which_this_command_is_being_run> --broker systemname:2821 --password password --hash <brokerhash_obtained_in_above_step> --out steward.cred --host_ctx systemname_on_which_steward_will_run
-
Copy the file steward.cred to the system designated to run the Steward process.
Copy the file to the directory where the steward is installed.
-
Execute the credential package on the system designated to run the Steward process.
vssat execpkg --in <path_to_credential>/steward.cred --ob --host_ctx
The variable <path_to_credential> represents the directory to which you copied the steward credentials.
-
On the Steward system, create a file called Steward.conf and populate it with the following information:
broker=system_name
accountname=accountname
domain=HA_SERVICES@FQDN_of_system_that_issued_the_certificate
-
In both clusters, set the Stewards attribute to the IP address of the system that runs the Steward process. For example:
cluster cluster1938 (
UserNames = { admin = gNOgNInKOjOOmWOiNL }
ClusterAddress = "10.182.147.19"
Administrators = { admin }
CredRenewFrequency = 0
CounterInterval = 5
Stewards = {"10.212.100.165"}
}
-
On the system designated to run the Steward, start the Steward process:
steward -start -secure
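The checks in the secure-mode procedure above can be scripted. The following is an added example, not code from the product or its documentation: the function names are hypothetical, the expected wac values and the account and domain name forms are the ones stated on this page, and it assumes that accountname in Steward.conf is the account created with vssat addprpl.

```shell
#!/bin/sh
# Added example (not vendor code): checks for the secure-mode Steward steps.
# Function names are hypothetical; expected values are the ones on this page.

WAC_START='/opt/VRTSvcs/bin/wacstart -secure'
WAC_MONITOR='/opt/VRTSvcs/bin/wac -secure'

# check_wac_attrs START MONITOR: both attribute values must match exactly.
check_wac_attrs() {
    [ "$1" = "$WAC_START" ] && [ "$2" = "$WAC_MONITOR" ]
}

# check_wac_ps: reads `ps -ef` output on stdin; succeeds only if a wac
# process carries -secure (wacstart and the grep itself do not count).
check_wac_ps() {
    grep -v grep | grep -q '/opt/VRTSvcs/bin/wac -secure'
}

# conf_get FILE KEY: print the value of KEY=value from Steward.conf.
conf_get() {
    sed -n "s/^$2=//p" "$1"
}

# check_steward_conf FILE: require broker, accountname and domain, with
# accountname as Steward_GCO_<name> and domain as HA_SERVICES@<fqdn>.
# Assumption: accountname is the account created with vssat addprpl.
check_steward_conf() {
    [ -r "$1" ] || { echo "cannot read $1"; return 1; }
    [ -n "$(conf_get "$1" broker)" ] || { echo "broker missing"; return 1; }
    case $(conf_get "$1" accountname) in
        Steward_GCO_?*) ;;
        *) echo "accountname must be Steward_GCO_<systemname>"; return 1 ;;
    esac
    case $(conf_get "$1" domain) in
        HA_SERVICES@?*.?*) ;;
        *) echo "domain must be HA_SERVICES@<fully qualified name>"; return 1 ;;
    esac
}

# Live use: wac checks on a cluster node, conf check on the Steward system.
if command -v hares >/dev/null 2>&1; then
    check_wac_attrs "$(hares -value wac StartProgram)" \
        "$(hares -value wac MonitorProcess)" || echo "wac attributes not secure"
    ps -ef | check_wac_ps || echo "wac is not running with -secure"
fi
if [ -n "${1:-}" ]; then check_steward_conf "$1"; fi
```

Run it without arguments on a cluster node to check wac, or pass the path to Steward.conf on the Steward system to check the file.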
To stop the Steward process
When you start the Steward, the process does not release the command window. To stop the Steward process, press Ctrl+C in that command window, or open another command window and run the command to stop the Steward process.
-
To stop the Steward process that is not configured in secure mode, open a new command window and run the following command:
steward -stop
-
To stop the Steward process running in secure mode, open a new command window and run the following command:
steward -stop -secure