
Configure the cluster in secure mode

Veritas Cluster Server can be configured to utilize Symantec Security Services.

Running VCS in Secure Mode guarantees that all inter-system communication is encrypted and that users are verified with security credentials.

When running VCS in Secure Mode, NIS and system usernames and passwords are used to verify identity. VCS usernames and passwords are no longer utilized when a cluster is running in Secure Mode.

Before configuring a cluster to operate using Symantec Security Services, another system must already have Symantec Security Services installed and be operating as a Root Broker. Refer to the Veritas Cluster Server Installation Guide for more information on configuring a VxSS Root Broker.

Would you like to configure VCS to use Symantec Security Services? [y,n,q] (n) y

If the VRTSat depot is already installed, the installer offers several modes for configuring the cluster in secure mode.

Security can be configured completely automatically by the installer or it can also be configured semi automatically. In automatic mode, no user intervention is required. In the semi automatic mode, Authentication Broker related setup on Root Broker is expected to be performed by the Root Broker Administrator and CPI will ask for certain information that will be used to configure Authentication Brokers.

Security Menu

1) Configure security completely automatically

2) Provide AB credentials using BLOBs

3) Provide AB credentials without using BLOBs

Select the Security option you would like to perform [1-3,q,?] (1)

Depending on the menu option you choose, the installer prompts you to select the configuration mode.

Configuring security automatically

Select the Security option you would like to perform [1-3,q,?] (1) 1

In order to enable Symantec Security Services on a VCS Cluster, Veritas Authentication Services (VRTSat rpm) must be installed on a system and operating as a Root Broker. Refer to the Veritas Cluster Server Installation Guide for more information on installing and configuring Veritas Authorization Services.

Enter the name of the VxSS Root Broker system: east

Checking ssh communication with venus ............ HP-UX B.11.23

Checking vxatd process ................................. running

Checking vxatd version ................................ 4.3.13.0

Checking security domain ........ root@venus.symantecexample.com

Systems will use root@east.symantecexample.com as its VxSS Domain

Configuring security semiautomatically using encrypted files

Make sure that you have completed the pre-configuration tasks.

See Preparing to install VCS 5.0

Select the Security option you would like to perform [1-3,q,?] (1) 2

You need to create AB account for each cluster node on the Root Broker. Also you need to create a BLOB per cluster node. Please verify that the version of VRTSat installed on root broker supports BLOB creating. You need to use --in option to create BLOBs. Make sure that the input file is in the following format:

[setuptrust]

broker=<root_broker>

hash=<root_hash>

securitylevel=high

[configab]

identity=<ab_identity>

password=<ab_password>

root_domain=<root_FQDN>

root_broker=<root_broker>:<root_broker_port>

broker_admin_password=<root_broker_admin_password>

start_broker=false

enable_pbx=false

Refer to the VxSS Documentation for steps to create BLOBs. CPI needs a locally accessible path for BLOBs. You can either copy the BLOBs on north or mount the BLOBs using some removable media.

Do you want to continue? [y,n,q,b] (y)

Enter the path of BLOB for north: [b]/root/blob.north

Enter the path of BLOB for south: [b]/root/blob.south
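A pre-flight check for the input file format shown above, run before the file is passed to BLOB creation with --in. This is an added example, not part of the Veritas documentation or installer; the function name, the sample values, and the treatment of securitylevel, start_broker and enable_pbx as fixed literals are assumptions.

```python
import configparser
import re

# Sections and keys from the input-file format shown above.
REQUIRED = {"setuptrust": ["broker", "hash", "securitylevel"],
            "configab": ["identity", "password", "root_domain", "root_broker",
                         "broker_admin_password", "start_broker", "enable_pbx"]}
# Values the format shows as literals; treating them as fixed is an assumption.
LITERALS = {"securitylevel": "high", "start_broker": "false", "enable_pbx": "false"}
PLACEHOLDER = re.compile(r"<\w+>(:<\w+>)?")  # e.g. <root_hash> left unfilled

# Constructed sample: made-up values, with one placeholder left in on purpose.
SAMPLE = """[setuptrust]
broker=east.symantecexample.com
hash=<root_hash>
securitylevel=high
[configab]
identity=constructed-ab-identity
password=constructed-ab-password
root_domain=root@east.symantecexample.com
root_broker=east.symantecexample.com:2821
broker_admin_password=constructed-admin-password
start_broker=false
enable_pbx=false
"""

def check_blob_input(text):
    """Return a list of problems in the input-file text (empty list if none)."""
    cp = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [f"not parseable: {type(exc).__name__}"]
    problems = []
    for section, keys in REQUIRED.items():
        if not cp.has_section(section):
            problems.append(f"missing section [{section}]")
            continue
        for key in keys:
            value = cp.get(section, key, fallback="").strip()
            if not value:
                problems.append(f"[{section}] {key}: missing or empty")
            elif PLACEHOLDER.fullmatch(value):
                problems.append(f"[{section}] {key}: placeholder not replaced")
            elif LITERALS.get(key, value) != value:
                problems.append(f"[{section}] {key}: expected {LITERALS[key]}")
            elif key == "root_broker" and not re.fullmatch(r"[^:\s]+:\d{1,5}", value):
                problems.append(f"[{section}] {key}: expected host:port")
    return problems
```

The input file holds the AB password and the root broker administrator password in clear text, so keep it readable by its owner only and delete it once the BLOBs have been created.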

Configuring security semiautomatically answering prompts

Make sure that you have completed the pre-configuration tasks.

See Preparing to install VCS 5.0

Select the Security option you would like to perform [1-3,q,?] (1) 3

Veritas Cluster Server 5.0 Installation Program

You need to create authentication broker principal for each cluster node on the Root Broker. Refer to the VxSS Documentation for the configuration steps. Also make sure that the root_hash file is either copied to the installer node or it is locally accessible (via mounted file system or any other means). CPI will ask for the locally accessible path of root_hash file. You also need the AB principal passwords.

Press 'b' anytime (expect when prompted for passwords) to go to the previous menu.

Press [Return] to continue:

Enter root broker name: [b] east.symantecexample.com

Enter root broker FQDN: [b] (symantecexample.com)

Enter root broker domain: [b] (root@east.symantecexample.com)

Enter root broker port: [b] (2821)

Enter path to the locally accessible root hash [b] (/var/tmp/installvcs-1Lcljr/root_hash)

Enter authentication broker principal name on north [b] (north.symantecexample.com)

Enter authentication broker password on north:

Enter authentication broker principal name on south [b] (south.symantecexample.com)

Enter authentication broker password on south:

Proceed to configure Cluster Management Console.

See Configure Cluster Management Console