You can set up Symantec Product Authentication Service (AT) for the cluster during or after the Storage Foundation configuration.
If you want to enable or disable AT in a cluster that is online, run the following command:
# /opt/VRTS/install/installsf -security
See the Veritas Cluster Server Administrator's Guide for instructions.
The prerequisites to configure a cluster in secure mode are as follows:
- A system in your enterprise that serves as root broker (RB).
  You can either use an external system as root broker, or use one of the cluster nodes as root broker.
  - To use an external root broker, identify an existing root broker system in your enterprise or install and configure root broker on a stable system.
  - To use one of the cluster nodes as root broker, the installer does not require you to do any preparatory tasks.
    When you configure the cluster in secure mode using the installsf, choose the automatic mode and choose one of the nodes for the installer to configure as root broker.

  Symantec recommends that you configure a single root broker system for your entire enterprise. If you use different root broker systems, then you must establish trust between the root brokers. For example, if the management server and the cluster use different root brokers, then you must establish trust.
- For external root broker, an authentication broker (AB) account for each node in the cluster is set up on the root broker system.
  See Creating authentication broker accounts on root broker system.
- The system clocks of the external root broker and authentication brokers must be in sync.
The installsf provides the following configuration modes:
Figure: Workflow to configure Storage Foundation cluster in secure mode depicts the flow of configuring Storage Foundation cluster in secure mode.
Table: Preparatory tasks to configure a cluster in secure mode (with an external root broker) lists the preparatory tasks in the order in which the AT and VCS administrators must perform them. These preparatory tasks apply only when you use an external root broker system for the cluster.
Table: Preparatory tasks to configure a cluster in secure mode (with an external root broker)
| Tasks | Who performs this task |
|---|---|
| Decide one of the following configuration modes to set up a cluster in secure mode: | VCS administrator |
| Install the root broker on a stable system in the enterprise. | AT administrator |
| To use the semi-automatic mode or the manual mode, on the root broker system, create authentication broker accounts for each node in the cluster. See Creating authentication broker accounts on root broker system. AT administrator requires the following information from the VCS administrator: | AT administrator |
| To use the semi-automatic mode, create the encrypted files (BLOB files) for each node and provide the files to the VCS administrator. AT administrator requires the following additional information from the VCS administrator: | AT administrator |
| To use the manual mode, provide the root_hash file (/opt/VRTSat/bin/root_hash) from the root broker system to the VCS administrator. | AT administrator |
| Copy the files that are required to configure a cluster in secure mode to the system from where you plan to install and configure Storage Foundation. See Preparing the installation system for the security infrastructure. | VCS administrator |
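
A pre-flight check the VCS administrator could run on the installation system after copying the files named in the table, given here as an added example that is not part of the Symantec documentation. The single staging directory, the `<node>.blob` file naming, and the rule that the files carry no group or other permission bits are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Symantec code. Assumptions: the files from the AT
# administrator are staged in one directory, each node's BLOB file is named
# <node>.blob (hypothetical naming), and root_hash keeps its file name.

# check_handoff_file PATH
# Passes only if PATH is a non-empty file with no group/other permission
# bits (a conservative policy chosen for this example).
check_handoff_file() {
    f=$1
    if [ ! -f "$f" ] || [ ! -s "$f" ]; then
        echo "FAIL missing or empty: $f"
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL group/other access ($perms): $f"
        return 1
    fi
    echo "OK   $f"
}

# preflight MODE STAGING_DIR [NODE...]
# semi-automatic: one BLOB file per cluster node; manual: the root_hash file.
# Returns 0 if every required file passes, 1 if any fails, 2 on a bad mode.
preflight() {
    mode=$1
    dir=$2
    shift 2
    rc=0
    case $mode in
        semi-automatic)
            [ "$#" -gt 0 ] || { echo "FAIL no nodes given"; return 1; }
            for node in "$@"; do
                check_handoff_file "$dir/$node.blob" || rc=1
            done
            ;;
        manual)
            check_handoff_file "$dir/root_hash" || rc=1
            ;;
        *)
            echo "FAIL unknown mode: $mode"
            return 2
            ;;
    esac
    return $rc
}
```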