Enabling and disabling Security Services for the cluster

This topic describes how to enable and disable Security Services. Do not edit the VCS configuration file main.cf to enable or disable VxSS.

To enable Symantec Product Authentication Service (AT), VCS requires a system in your enterprise that serves as a root broker. You can do one of the following:

To enable Symantec Product Authentication Services on a VCS cluster

  1. Make sure that all nodes in the cluster are running.
    hasys -state

    The output must show the SysState value as RUNNING.

  2. Delete all the VCS users that were created for the non-secure cluster. This step keeps users from inadvertently gaining any privileges in the secure cluster.

    Note that user names in a secure cluster use the format user@domain.

    Perform the following steps for each VCS user that was created for the non-secure cluster:

    • Remove the user privileges:

      hauser -delpriv username Administrator|Operator|Guest
    • Delete the VCS user.

      hauser -delete username
  3. If you want to use an external root broker system, verify you have a root broker configured.

    See the Veritas Cluster Server Installation Guide for instructions.

  4. Start the installvcs program with the -security option.
    /opt/VRTS/install/installvcs -security

    The installer displays the directory where the logs are created.

  5. Enter 1 to enable the Authentication Service on the cluster.
    1)  Enable Symantec Security Services on a VCS Cluster
    2)  Disable Symantec Security Services on a VCS Cluster
    
    Select the Security option you would like to perform [1-2,q] 1
  6. If VCS is not configured on the system from which you started the installvcs program, enter the name of a node in the cluster on which you want to enable the Authentication Service.
    Enter the name of one system in the VCS Cluster that you would 
    like to enable Veritas Security Services: sys1

    The installer proceeds to verify communication with the node in the cluster.

  7. Review the output as the installer verifies whether VCS configuration files exist.

    The installer also verifies that VCS is running on all systems in the cluster.

  8. Press Enter to confirm that you want to enable the Authentication Service.
    Would you like to enable Symantec Security Services on this 
    cluster? [y,n,q] (y) y
  9. Proceed with the configuration tasks.

    See the Veritas Cluster Server Installation and Configuration Guide for details on the configuration modes.

    Based on the root broker system you plan to use, do one of the following:

    External root broker system

    Enter the root broker name at the installer prompt. For example:

    If you already have an external RB(Root Broker)
    installed and configured, enter the RB name, or 
    press Enter to skip: [b] venus

    One of the nodes as root broker

    Press Enter at the installer prompt:

    If you already have an external RB(Root Broker)
    installed and configured, enter the RB name, or 
    press Enter to skip: [b]

    If AT is not already configured on any of the nodes, the installer asks you to choose a node to use as root broker:

    Do you want to configure galaxy as RAB, and other 
    nodes as AB? [y,n,q,b] (y)

    Based on the node you choose, the installer configures the node to run in RAB (Root+Authentication Broker) mode. The installer configures the other nodes as authentication brokers.

  10. Review the output as the installer modifies the VCS configuration files to enable the Authentication Service, and starts VCS in a secure mode.

    The installer creates the Security service group, creates Authentication Server credentials on each node in the cluster and Web credentials for VCS users, and sets up trust with the root broker.
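
A pre-flight check for steps 1 and 2 of the procedure above, added here as an example and not part of the Veritas documentation or tooling. It assumes the three-column layout of hasys -state output and a user list with one name per line (for instance as printed by hauser -list); the sample data is constructed.

```shell
#!/bin/sh
# Added example (not Veritas code). The functions read command output on
# stdin, so the checks can be rehearsed on saved output before running
# installvcs -security. Live use: hasys -state | nodes_not_running

# Constructed sample data, not captured from a real cluster.
SAMPLE_STATE='#System    Attribute    Value
sys1       SysState     RUNNING
sys2       SysState     LEAVING'
SAMPLE_USERS='admin
oper1
smith@example.com'

# Step 1: print "<system> <state>" for every node whose SysState is not
# RUNNING. Fails if any such node exists, or if no SysState line was seen
# at all (empty or truncated output must not pass as healthy).
nodes_not_running() {
    awk '
        /^#/ || NF == 0 { next }             # header and blank lines
        $2 == "SysState" {
            seen++
            if ($3 != "RUNNING") { print $1, $3; bad++ }
        }
        END { if (bad > 0 || seen == 0) exit 1 }
    '
}

# Step 2: print the user names that are NOT in the secure-cluster form
# user@domain. These are the non-secure-cluster users still to be deleted.
legacy_users() {
    awk 'NF && $1 !~ /^[^@]+@[^@]+$/ { print $1 }'
}

# Combined gate over two saved output files: $1 = state, $2 = user list.
# Succeeds only when every node is RUNNING and no legacy user remains.
preflight() {
    rc=0
    down=$(nodes_not_running < "$1") ||
        { rc=1; echo "node check failed: ${down:-no SysState lines}"; }
    left=$(legacy_users < "$2")
    [ -z "$left" ] || { rc=1; echo "non-secure users remain:" $left; }
    return $rc
}

# Demonstration on the constructed sample; reports the node that is not ready.
printf '%s\n' "$SAMPLE_STATE" | nodes_not_running || true
```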

To disable Symantec Product Authentication Services on a VCS cluster

  1. Delete all the VCS users that were created for the secure cluster. This step keeps users from inadvertently gaining any privileges in the secure cluster.

    Note that user names in a secure cluster use the format user@domain.

    Perform the following steps for each VCS user that was created for the secure cluster:

    • Remove the user privileges:

      hauser -delpriv username Administrator|Operator|Guest
    • Delete the VCS user.

      hauser -delete username

  2. Start the installvcs program with the -security option.
    /opt/VRTS/install/installvcs -security

    The installer displays the directory where the logs are created.

  3. Enter 2 to disable the Authentication Service on the cluster.
    1)  Enable Symantec Security Services on a VCS Cluster
    2)  Disable Symantec Security Services on a VCS Cluster
    
    Select the Security option you would like to perform [1-2,q] 2
  4. If VCS is not configured on the system from which you started the installvcs program, enter the name of a node in the cluster on which you want to disable the Authentication Service.
    Enter the name of one system in the VCS Cluster that you would 
    like to disable Symantec Security Services: sys1
  5. Review the output as the installer proceeds with a basic verification.
  6. Press Enter at the prompt to confirm that you want to disable the Authentication Service.
    Would you like to disable Symantec Security Services on this 
    cluster? [y,n,q] (y) y
  7. Review the output as the installer modifies the VCS configuration files to disable the Authentication Service and starts VCS.