Veritas Cluster Server can be configured to utilize Symantec
Security Services.
Running VCS in Secure Mode guarantees that all inter-system
communication is encrypted and that users are verified with
security credentials.
When running VCS in Secure Mode, NIS and system usernames and
passwords are used to verify identity. VCS usernames and
passwords are no longer utilized when a cluster is running in
Secure Mode.
Before configuring a cluster to operate using Symantec Security
Services, another system must already have Symantec Security
Services installed and be operating as a Root Broker. Refer to
the Veritas Cluster Server Installation Guide for more
information on configuring a VxSS Root Broker.
Would you like to configure VCS to use Symantec Security
Services? [y,n,q] (n) y
If the VRTSat depot is already installed, the installer offers several modes for configuring the cluster in secure mode.
Security can be configured completely automatically by the installer or it can also be configured semi automatically. In automatic mode, no user intervention is required. In the semi automatic mode, Authentication Broker related setup on Root Broker is expected to be performed by the Root Broker Administrator and CPI will ask for certain information that will be used to configure Authentication Brokers.
1) Configure security completely automatically
2) Provide AB credentials using BLOBs
Select the Security option you would like to perform [1-3,q,?] (1)
Depending on the menu option you choose, the installer prompts you to select the configuration mode.
Select the Security option you would like to perform [1-3,q,?] (1) 1
In order to enable Symantec Security Services on a VCS Cluster, Veritas Authentication Services (VRTSat rpm) must be installed on a system and operating as a Root Broker. Refer to the Veritas Cluster Server Installation Guide for more information on installing and configuring Veritas Authorization Services.
Enter the name of the VxSS Root Broker system:
east
Checking ssh communication with venus ............ HP-UX B.11.23
Checking vxatd process ................................. running
Checking vxatd version ................................ 4.3.13.0
Checking security domain ........ root@venus.symantecexample.com
Systems will use root@east.symantecexample.com as its VxSS Domain
Make sure that you completed the pre-configuration tasks.
See Preparing to install VCS 5.0
Select the Security option you would like to perform [1-3,q,?] (1) 2
You need to create AB account for each cluster node on the Root Broker. Also you need to create a BLOB per cluster node. Please verify that the version of VRTSat installed on root broker supports BLOB creating. You need to use --in option to create BLOBs. Make sure that the input file is in the following format:
root_broker=<root_broker>:<root_broker_port>
broker_admin_password=<root_broker_admin_password>
Refer to the VxSS Documentation for steps to create BLOBs. CPI needs a locally accessible path for BLOBs. You can either copy the BLOBs on north or mount the BLOBs using some removable media.
Do you want to continue? [y,n,q,b] (y)
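The BLOB input file described above holds the Root Broker administrator password in clear text. The following is an added example, not part of the installer or of VxSS: a pre-flight check, run where the input file is written, that verifies the two keys shown above and that only the file's owner can access it. The function name check_blob_input, the file name north.in and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for the BLOB input file.
# check_blob_input and the sample path are hypothetical, not VxSS tools.

check_blob_input() {
    f=$1
    rc=0
    if [ ! -f "$f" ]; then
        echo "$f: not found"
        return 1
    fi

    # The file carries the Root Broker admin password in clear text, so
    # group and other need no access (characters 5-10 of the ls mode string).
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$f: accessible beyond owner, run chmod 600"
        rc=1
    fi

    # root_broker=<root_broker>:<root_broker_port>, port in 1-65535
    port=$(sed -n 's/^root_broker=[^:[:space:]][^:[:space:]]*:\([0-9]\{1,5\}\)$/\1/p' "$f" | head -n 1)
    if [ -z "$port" ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "$f: root_broker must be <root_broker>:<root_broker_port>"
        rc=1
    fi

    # broker_admin_password=<root_broker_admin_password>, non-empty
    if ! grep -q '^broker_admin_password=.' "$f"; then
        echo "$f: broker_admin_password missing or empty"
        rc=1
    fi
    return $rc
}

# Constructed sample input; the password is a placeholder.
d=${TMPDIR:-/tmp}/blobcheck.$$
mkdir -m 700 "$d"
( umask 077
  printf '%s\n' 'root_broker=east.symantecexample.com:2821' \
                'broker_admin_password=EXAMPLE-ONLY' > "$d/north.in" )
check_blob_input "$d/north.in" && echo "north.in: ok"
rm -rf "$d"
```

Delete the input file once the BLOBs have been created, since the password is no longer needed on disk.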
Make sure that you completed the pre-configuration tasks.
See Preparing to install VCS 5.0
Select the Security option you would like to perform [1-3,q,?] (1) 3
Veritas Cluster Server 5.0 Installation Program
You need to create authentication broker principal for each cluster node on the Root Broker. Refer to the VxSS Documentation for the configuration steps. Also make sure that the root_hash file is either copied to the installer node or it is locally accessible (via mounted file system or any other means). CPI will ask for the locally accessible path of root_hash file. You also need the AB principal passwords. Press 'b' anytime (expect when prompted for passwords) to go to the previous menu.
Enter root broker name: [b]
east.symantecexample.com
Enter root broker FQDN: [b] (symantecexample.com)
Enter root broker domain: [b] (root@east.symantecexample.com)
Enter root broker port: [b] (2821)
Enter path to the locally accessible root hash [b]
(/var/tmp/installvcs-1Lcljr/root_hash)
Enter authentication broker principal name on north [b]
Enter authentication broker password on north:
Enter authentication broker principal name on south [b]
Proceed to configure Cluster Management Console.
See Configure Cluster Management Console