Veritas Product Authentication Service secures communication between cluster nodes and clients, including the Java console, by using digital certificates for authentication and SSL to encrypt communication over the public network. For more information about the Authentication Service, see the Veritas Cluster Server User's Guide.
To configure the cluster in secure mode, VCS requires you to configure a system in your enterprise as root broker and all nodes in the cluster as authentication brokers.
A root broker serves as the main registration and certification authority; it has a self-signed certificate and can authenticate other brokers. The root broker is only used during initial creation of an authentication broker.
Authentication brokers serve as intermediate registration and certification authorities. Authentication brokers have certificates that are signed by the root. Each node in VCS serves as an authentication broker.
You can set up Authentication Service for the cluster during the installation or after installation. Refer to the Veritas Cluster Server User's Guide to configure the cluster in secure mode after the installation and configuration process.
See Configuring the cluster in secure mode
Secure VCS cluster configuration flowchart depicts the flow of configuring VCS in secure mode.
Secure VCS cluster configuration flowchart
If you decide to enable Authentication Service, the root broker administrator must perform the following preparatory tasks:
The root broker is the main registration and certification authority and can serve multiple clusters. Symantec recommends that you install a single root broker on a utility computer such as an email server or domain controller, which can be highly available.
See Installing root broker for Veritas Product Authentication Service
The installvcs program provides the following modes to enable Veritas Product Authentication Service:
- The root broker administrator must create an encrypted file for each node in the cluster.
See Creating encrypted files for Veritas Product Authentication Service
- You must fetch the encrypted files from the root broker administrator and copy the encrypted files to the installation node. Make a note of the path of these encrypted files.
- You must gather the following information from the root broker administrator:
  - Root broker port (default is 2821)
  - Authentication broker principal name for each node
  - Authentication broker password for each authentication broker
- You must fetch the root_hash file from the root broker system and copy the root_hash file to a directory in the installation node. Make a note of the path of this root_hash file.
Note: Make sure that the system clocks of the root broker and authentication brokers are in sync. Certificate validity is checked against the local clock, so skew between brokers can cause authentication failures.
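A pre-flight check that confirms the preparatory inputs listed above are in place before running installvcs. This is an added example, not Veritas code: the `<node>.enc` file naming, the 60-second skew tolerance and the `node_clocks` mapping (epoch seconds the operator collected from each broker host) are assumptions for illustration.

```python
import os
import tempfile

ROOT_BROKER_DEFAULT_PORT = 2821  # default root broker port stated in the guide
MAX_CLOCK_SKEW_SECONDS = 60      # assumed site tolerance, not a VCS constant


def check_secure_mode_inputs(nodes, encrypted_dir, root_hash_path,
                             root_broker_port=ROOT_BROKER_DEFAULT_PORT,
                             node_clocks=None):
    """Return a list of problems; an empty list means every input is present.

    nodes          : cluster node names (each becomes an authentication broker)
    encrypted_dir  : directory holding one encrypted file per node; the name
                     <node>.enc is an assumed convention for this example
    root_hash_path : root_hash file fetched from the root broker system
    node_clocks    : optional {host: epoch_seconds} for the root broker and each
                     node, used to flag clock skew before certificates are issued
    """
    problems = []
    for node in nodes:
        path = os.path.join(encrypted_dir, f"{node}.enc")
        if not os.path.isfile(path) or os.path.getsize(path) == 0:
            problems.append(f"missing or empty encrypted file for {node}: {path}")
    if not os.path.isfile(root_hash_path) or os.path.getsize(root_hash_path) == 0:
        problems.append(f"root_hash file missing or empty: {root_hash_path}")
    if not 1 <= root_broker_port <= 65535:
        problems.append(f"invalid root broker port: {root_broker_port}")
    if node_clocks:
        skew = max(node_clocks.values()) - min(node_clocks.values())
        if skew > MAX_CLOCK_SKEW_SECONDS:
            problems.append(f"clock skew of {skew}s exceeds {MAX_CLOCK_SKEW_SECONDS}s")
    return problems


def make_sample_inputs():
    """Constructed fixture: a temp dir with encrypted files for two nodes and a root_hash."""
    workdir = tempfile.mkdtemp()
    for node in ("node1", "node2"):
        with open(os.path.join(workdir, f"{node}.enc"), "w") as fh:
            fh.write("constructed-placeholder")
    root_hash = os.path.join(workdir, "root_hash")
    with open(root_hash, "w") as fh:
        fh.write("constructed-placeholder")
    return ["node1", "node2"], workdir, root_hash


if __name__ == "__main__":
    nodes, enc_dir, root_hash = make_sample_inputs()
    print(check_secure_mode_inputs(nodes, enc_dir, root_hash) or "all inputs present")
```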