< Previous  | TOC | Index | Next  >

Symantec Product Authentication Service

Symantec Product Authentication Service secures communication between cluster nodes and clients, including the Java console, by using digital certificates for authentication and SSL to encrypt communication over the public network. For more information about the Authentication Service, see the Veritas Cluster Server User's Guide.

To configure the cluster in secure mode, VCS requires you to configure a system in your enterprise as root broker and all nodes in the cluster as authentication brokers.

• Root broker

  A root broker serves as the main registration and certification authority; it has a self-signed certificate and can authenticate other brokers. The root broker is only used during initial creation of an authentication broker.

• Authentication brokers

  Authentication brokers serve as intermediate registration and certification authorities. Authentication brokers have certificates that are signed by the root. Each node in VCS serves as an authentication broker.

You can set up Authentication Service for the cluster during the installation or after installation. Refer to the Veritas Cluster Server User's Guide to configure the cluster in secure mode after the installation and configuration process.

See Configuring the cluster in secure mode

Secure VCS cluster configuration flowchart depicts the flow of configuring VCS in secure mode.

Secure VCS cluster configuration flowchart

Click the thumbnail above to view full-sized image.

If you decide to enable Authentication Service, the root broker administrator must perform the following preparatory tasks:

• Install the root broker on another stable system.

  The root broker is the main registration and certification authority and can serve multiple clusters. Symantec recommends that you install a single root broker on a utility computer such as an email server or domain controller, which can be highly available.

  See Installing root broker for Symantec Product Authentication Service

• Configure the root broker system for a passwordless login when you want to use the automatic mode.

The installvcs program provides the following modes to enable Symantec Product Authentication Service:

• In the automatic mode, the installer configures Authentication Service automatically without any user intervention.

  You must provide the name of the root broker system.

• In the semiautomatic modes, the installer provides you an option to use encrypted files or answer the installer prompts to enable security. The semiautomatic mode requires the root broker administrator to set up the basic authentication environment and create principals for authentication brokers. You must complete the following preparatory tasks to configure security in the semiautomatic mode:

   

  With encrypted file

  The root broker administrator must create an encrypted file for each node in the cluster. See Creating encrypted files for Symantec Product Authentication Service You must fetch the encrypted files from the root broker administrator and copy the encrypted files to the installation node. Make a note of the path of these encrypted files.

  Without encrypted file

  You must gather the following information from the root broker administrator: - Root broker name - Root broker domain name - Root broker port (Default is 2821) - Authentication broker principal name for each node - Authentication broker password for each Authentication   broker You must fetch the root_hash file from the root broker system and copy the root_hash file to a directory in the installation node. Make a note of the path of this root_hash file.

  ---

    Note   Make sure that the system clocks of the rook broker and authentication brokers are in sync.

  ---