Establishing secure communication within the global cluster (optional)


Establishing secure communication within the global cluster (optional)
Prev	Deploying disaster recovery: New application installation	Next

A global cluster is created in non-secure mode by default. You may continue to allow the global cluster to run in non-secure mode or choose to establish secure communication between clusters.

The following prerequisites are required for establishing secure communication within a global cluster:

The clusters within the global cluster must be running in secure mode.
You must have Administrator privileges for the domain.

The following information is required for adding secure communication to a global cluster:

The active host name or IP address of each cluster in the global configuration.
The user name and password of the administrator for each cluster in the configuration.
If the local clusters do not point to the same root broker, the host name and port address of each root broker.

Adding secure communication involves the following tasks:

Taking the ClusterService-Proc (wac) resource in the ClusterService group offline on the clusters in the global environment.
Adding the -secure option to the StartProgram attribute on each node.
Establishing trust between root brokers if the local clusters do not point to the same root broker.
Bringing the ClusterService-Proc (wac) resource online on the clusters in the global cluster.

To take the ClusterService-Proc (wac) resource offline on all clusters

From Cluster Monitor, log on to a cluster in the global cluster.
In the Service Groups tab of the Cluster Explorer configuration tree, expand the ClusterService group and the Process agent.
Right-click the ClusterService-Proc resource, click Offline, and click the appropriate system from the menu.
Repeat all the previous steps for the additional clusters in the global cluster.

To add the -secure option to the StartProgram resource

In the Service Groups tab of the Cluster Explorer configuration tree, right-click the ClusterService-Proc resource under the Process type in the ClusterService group.
Click View > Properties view.
Click the Edit icon to edit the StartProgram attribute.
In the Edit Attribute dialog box, add -secure switch to the path of the executable Scalar Value.
For example:
```
"C:\Program Files\Veritas\Cluster Server\bin\wac.exe" -secure
```
Repeat the previous step for each system in the cluster.
Click OK to close the Edit Attribute dialog box.
Click the Save and Close Configuration icon in the tool bar.
Repeat all the previous steps for each cluster in the global cluster.

To establish trust between root brokers if there is more than one root broker

Establishing trust between root brokers is only required if the local clusters do not point to the same root broker.
Log on to the root broker for each cluster and set up trust to the other root brokers in the global cluster.

The complete syntax of the command is:
```
vssat setuptrust --broker host:port --securitylevel [low|medium|high] 
[--hashfile fileName | --hash rootHashInHex]
```
For example, to establish trust with a low security level in a global cluster comprised of Cluster1 pointing to RB1 and Cluster2 pointing to RB2 use the following commands:

From RB1, type:
```
vssat setuptrust --broker RB2:14141 --securitylevel low
```
From RB2, type:
```
vssat setuptrust --broker RB1:14141 --securitylevel low
```

To bring the ClusterService-Proc (wac) resource online on all clusters

In the Service Groups tab of the Cluster Explorer configuration tree, expand the ClusterService group and the Process agent.
Right-click the ClusterService-Proc resource, click Online, and click the appropriate system from the menu.
Repeat all the previous steps for the additional clusters in the global cluster.

Prev	Up	Next
Verifying the disaster recovery configuration	Home	Adding multiple DR sites (optional)