
Creating encrypted files for Symantec Product Authentication Service

Create encrypted files only if you plan to choose the semiautomatic mode that uses an encrypted file to configure the Authentication Service. The encrypted files must be created by the administrator on the root broker node. The administrator must create an encrypted file for each node that will be part of the cluster before you configure the Authentication Service for VCS. See the Veritas Cluster Server User's Guide for more information. You can configure the Authentication Service during or after VCS installation.

See Symantec Product Authentication Service

 To create encrypted files

  1. Determine the root broker domain name. Enter the following command on the root broker system:

    east> # vssat showalltrustedcreds

    For example, the domain name would resemble "Domain Name: root@east.symantecexample.com" in the output.

  2. For each node in the cluster, make sure that you have created an account on the root broker system.

    For example, to verify on node north:

    east> # vssat showprpl --pdrtype root \
    --domain root@east.symantecexample.com --prplname north

  3. Create a principal account for each authentication broker in the cluster. For example:

    east> # vssat addprpl --pdrtype root --domain \
    root@east.symantecexample.com --prplname north \
    --password password --prpltype service

    You must use the password that you create here in the input file for the encrypted file.

  4. Make a note of the following information that is required for the input file for the encrypted file.
  5. For each node in the cluster, create the input file for the encrypted file.

    The installer presents the format of the input file for the encrypted file when you proceed to configure the Authentication Service using an encrypted file. For example, the input file for the authentication broker on north would resemble:

    [setuptrust]
    broker=east.symantecexample.com
    hash=758a33dbd6fae751630058ace3dedb54e562fe98
    securitylevel=high

    [configab]
    identity=north
    password=password
    root_domain=vx:root@east.symantecexample.com
    root_broker=east.symantecexample.com:2821
    broker_admin_password=ab_admin_password
    start_broker=true
    enable_pbx=false

  6. Back up these input files that you created for the authentication broker on each node in the cluster.

    Note that for security purposes, the command to create the output file for the encrypted file deletes the input file.

  7. For each node in the cluster, create the output file for the encrypted file from the root broker system using the following command.

    RootBroker> # vssat createpkg --in /path/to/blob/input/file.txt \
    --out /path/to/encrypted/blob/file.txt --host_ctx AB-hostname

    For example:

    east> # vssat createpkg --in /tmp/north.blob.in \
    --out /tmp/north.blob.out --host_ctx north

    Note that this command creates an encrypted file even if you provide the wrong password for the "password=" entry, but the encrypted file will fail to install on the authentication broker node.

  8. After you complete creating output files for the encrypted file, you must copy these files to the installer node.
  9. If you plan to configure the Authentication Service during VCS installation, choose to configure the cluster in secure mode when the installer prompts you.

    See Installing and configuring VCS 5.0
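
The following shell functions are an added example, not part of the Symantec documentation or tooling: they check an input file's permissions and fields before it is passed to vssat createpkg, which deletes the input and produces an encrypted file even from a wrong password. The names get_key and check_blob_input are hypothetical, and treating the checked keys as required, the 40-digit hash length, and the owner-only permission rule are assumptions drawn from the sample file above; the check cannot tell whether the password itself is correct.

```shell
#!/bin/sh
# Added example, not Symantec code. Key names are taken from the sample input
# file on this page; function names and the strictness of checks are assumptions.

# get_key FILE SECTION KEY: print the value of KEY inside [SECTION].
get_key() {
    awk -v sec="[$2]" -v key="$3" '
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        /^\[.*\]$/ { in_sec = ($0 == sec); next }
        in_sec && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }
    ' "$1"
}

# check_blob_input FILE NODE: return 0 if FILE passes every check, 1 otherwise.
check_blob_input() {
    file=$1 node=$2 rc=0
    [ -f "$file" ] || { echo "$file: not found" >&2; return 1; }

    # The file holds cleartext passwords: allow owner access only.
    [ "$(ls -ld "$file" | cut -c5-10)" = "------" ] ||
        { echo "$file: accessible by group/other, chmod 600 it" >&2; rc=1; }

    # These keys from the sample must be present and non-empty (assumption).
    for sk in setuptrust:broker setuptrust:hash setuptrust:securitylevel \
              configab:identity configab:password configab:root_domain \
              configab:root_broker configab:broker_admin_password; do
        [ -n "$(get_key "$file" "${sk%%:*}" "${sk#*:}")" ] ||
            { echo "$file: [${sk%%:*}] ${sk#*:} missing or empty" >&2; rc=1; }
    done

    # hash: 40 hex digits, as in the sample (the length is an assumption).
    get_key "$file" setuptrust hash | grep -Eq '^[0-9a-fA-F]{40}$' ||
        { echo "$file: hash is not 40 hex digits" >&2; rc=1; }

    # identity must be the node name that is passed to --host_ctx.
    [ "$(get_key "$file" configab identity)" = "$node" ] ||
        { echo "$file: identity does not match node $node" >&2; rc=1; }

    # root_broker must be host:port on the broker named in [setuptrust].
    broker=$(get_key "$file" setuptrust broker)
    case $(get_key "$file" configab root_broker) in
        "$broker":[0-9]*) ;;
        *) echo "$file: root_broker is not $broker:<port>" >&2; rc=1 ;;
    esac
    return $rc
}

# Run as: sh check_blob.sh /tmp/north.blob.in north
if [ $# -eq 2 ]; then check_blob_input "$1" "$2"; fi
```

Run it against each node's input file, with the node name you intend to give to --host_ctx, after backing the file up in step 6 and before step 7.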