Chapter 10 Administering Sun Cluster With the Graphical User Interfaces

This chapter provides descriptions of SunPlex Manager and Sun Management Center graphical user interface (GUI) tools, which you can use to administer many aspects of a cluster. It also contains procedures to configure and launch SunPlex Manager. The online help included with each GUI provides instructions for how to accomplish various administrative tasks using the GUI.

This is a list of the procedures in this chapter.

• How to Use the Common Agent Container to Change the Port Numbers for Services or Management Agents

• How to Change the Server Address for SunPlex Manager

• How to Configure a New Security Certificate

• How to Regenerate Common Agent Container Security Keys

• How to Launch SunPlex Manager

• SPARC: How to Launch SunPlex Manager From the Sun Management Center Web Console

SunPlex Manager Overview

SunPlex Manager is a GUI that enables you to graphically display cluster information, monitor configuration changes, and check the status of cluster components. SunPlex Manager also allows you to perform many administrative tasks for the following Sun Cluster components. However, SunPlex Manager currently cannot perform all Sun Cluster administrative tasks. You must use the command-line interface for some operations.

• Adapters

• Cables

• Data Services

• Global Devices

• Interconnects

• Junctions

• Nodes

• Quorum Devices

• Resource Groups

• Resources

SunPlex Installer, an installation module of SunPlex Manager, can be used to install certain Sun Cluster data services. You can SunPlex Installer once you've launched SunPlex Manager. SunPlex Installer is located at the following port.

https://node:6789/

Information about installing and using SunPlex Manager can be found in the following locations.

• Installing and starting SunPlex Manager: See the Sun Cluster Software Installation Guide for Solaris OS.

• Configuring port numbers, server addresses, security certificates, and users: See Configuring SunPlex Manager.

• Installing and administering aspects of your cluster using SunPlex Manager: See the online help supplied with SunPlex Manager.

• Regenerating SunPlex Manager security keys: See How to Regenerate Common Agent Container Security Keys.

SPARC: Sun Management Center Overview

The Sun Cluster module for Sun Management Center^TM (formerly Sun Enterprise SyMON^TM) GUI Console enables you to graphically display cluster resources, resource types, and resource groups. It also enables you to monitor configuration changes and check the status of cluster components. However, the Sun Cluster module for Sun Management Center cannot perform Sun Cluster configuration tasks. You must use the command-line interface for configuration operations. See “Command Line Interface” in Chapter 1 for more information.

For information on installing and starting the Sun Cluster module for Sun Management Center, and for viewing the cluster-specific online help supplied with the Sun Cluster module, see the Sun Cluster Software Installation Guide for Solaris OS.

The Sun Cluster module of Sun Management Center is Simple Network Management Protocol (SNMP) compliant. Sun Cluster has created a Management Information Base (MIB) that can be used as the data definition by third-party management stations based on SNMP.

The Sun Cluster MIB file is located at /opt/SUNWsymon/modules/cfg/sun-cluster-mib.mib on any cluster node.

The Sun Cluster MIB file is an ASN.1 specification of the Sun Cluster data that is modeled. This is the same specification used by all Sun Management Center MIBs. To use the Sun Cluster MIB, refer to the instructions for using other Sun Management Center MIBs in the SNMP MIBs for Sun Management Center Modules in Sun Management Center 3.5 Update 2 User’s Guide in SNMP MIBs for Sun Management Center Modules in Sun Management Center 3.5 Update 2 User’s Guide.

Configuring SunPlex Manager

SunPlex Manager is a GUI that you can use to administer and view the status all aspects of quorum devices, IPMP groups, interconnect components, and global devices. You can use it in place of many of the Sun Cluster CLI commands.

The procedure for installing SunPlex Manager on your cluster is included in the Sun Cluster Software Installation Guide for Solaris OS. The SunPlex Manager online help contains instructions for completing various tasks using the GUI.

This section contains the following procedures for reconfiguring SunPlex Manager after initial installation.

• Setting up RBAC Roles

• How to Change the Server Address for SunPlex Manager

• How to Configure a New Security Certificate

• How to Regenerate Common Agent Container Security Keys

Setting up RBAC Roles

The SunPlex Manager uses RBAC to determine who has rights to administer the cluster. Several RBAC rights profiles are included in the Sun Cluster software. You can assign these rights profiles to users or to roles to give users different levels of access to Sun Cluster. For more information about how to set up and manage RBAC for Sun Cluster, see Sun Cluster and RBAC in the Sun Cluster Systems Administration Guide.

How to Use the Common Agent Container to Change the Port Numbers for Services or Management Agents

If the default port numbers for your common agent container services conflict with other running processes, you can use the cacaoadm command to change the port number of the conflicting service or management agent on each node of the cluster.

Steps

1. On all cluster nodes, stop the common agent container management daemon.

   # /opt/SUNWcacao/bin/cacaoadm stop

2. Stop Sun Java Web Console.

   # /usr/sbin/sunmcwebserver stop

3. If you do not know the port number currently used by the common agent container service for which you want to change the port number, use the cacaoadm command with the get-param subcommand to retrieve the port number.

   # /opt/SUNWcacao/bin/cacaoadm get-param parameterName

   You can use the cacaoadm command to change the port numbers for the following common agent container services. The following list provides some examples of services and agents that can be managed by the common agent container, along with corresponding parameter names.

   JMX connector port

   jmxmp-connector-port

   SNMP port

   snmp-adaptor-port

   SNMP trap port

   snmp-adaptor-trap-port

   Command stream port

   commandstream-adaptor-port

4. To change a port number, use the cacaoadm command with the setparam subcommand and the parameter name.

   # /opt/SUNWcacao/bin/cacaoadm set-param parameterName=parameterValue =parameterValue

5. Repeat Step 4 on each node of the cluster.

6. Restart Sun Java Web Console.

   # /usr/sbin/sunmcwebserver start

7. Restart the common agent container management daemon on all cluster nodes.

   # /opt/SUNWcacao/bin/cacaoadm start

How to Change the Server Address for SunPlex Manager

If you change the hostname of a cluster node, you must change the address from which SunPlex Manager runs. The default security certificate is generated based on the node's hostname at the time SunPlex Manager is installed. To reset the node's hostname, delete the certificate file, keystore and restart SunPlex Manager. SunPlex Manager will automatically create a new certificate file with the new hostname. You must complete this procedure on any node that has had its hostname changed.

Steps

1. Remove the certificate file, keystore, located in /etc/opt/webconsole.

   # cd /etc/opt/webconsole # pkgrm keystore

2. Restart SunPlex Manager.

   # /usr/sbin/smcwebserver restart

How to Configure a New Security Certificate

You can generate your own security certificate to enable secure administration of your cluster, and then configure SunPlex Manager to use that certificate instead of the one generated by default. This procedure is an example of how to configure SunPlex Manager to use a security certificate generated by a particular security package. The actual tasks you must complete depend on the security package you use.

You must generate an unencrypted certificate to allow the server to start on its own during booting. Once you have generated a new certificate for each node of your cluster, configure SunPlex Manager to use those certificates. Each node must have its own security certificate.

Steps

1. Copy the appropriate certificate to the node.

2. Open the /opt/SUNWscvw/conf/httpd.conf configuration file for editing.

3. Edit the following entry to enable SunPlex Manager to use the new certificate.

   SSLCertificateFile <path to certificate file>

4. If the server private key is not combined with the certificate, edit the SSLCertificateKeyFile entry.

   SSLCertificateKeyFile <path to server key>

5. Save the file and exit the editor.

6. Restart SunPlex Manager.

   # /usr/sbin/smcwebserver restart

7. Repeat this procedure for each node in the cluster.

Example 10–1 Configuring SunPlex Manager to Use a New Security Certificate

The following example shows how to edit the SunPlex Manager configuration file to use a new security certificate.

[Copy the appropriate security certificates to each node.]
[Edit the configuration file.]
# vi /opt/SUNWscvw/conf/httpd.conf
[Edit the appropriate entries.]
SSLCertificateFile /opt/SUNWscvw/conf/ssl/phys-schost-1.crt
SSLCertificateKeyFile /opt/SUNWscvw/conf/ssl/phys-schost-1.key

[Save the file and exit the editor.]
[Restart SunPlex Manager.]
# /usr/sbin/smcwebserver restart

How to Regenerate Common Agent Container Security Keys

SunPlex Manager uses strong encryption techniques to ensure secure communication between the SunPlex Manager web server and each cluster node.

The keys used by the SunPlex Manager are stored under the /etc/opt/SUNWcacao/security directory on each node. They should be identical across all cluster nodes.

Under normal operation, these keys can be left in their default configuration. If you change the hostname of a cluster node, you must regenerate the common agent container security keys. You may also need to regenerate the keys due to a possible key compromise (for example, root compromise on the machine). To regenerate the security keys, using the following procedure.

Steps

1. On all cluster nodes, stop the common agent container management daemon.

   # /opt/SUNWcacao/bin/cacaoadm stop

2. On one node of the cluster, regenerate the security keys.

   phys-schost-1# /opt/SUNWcacao/bin/cacaoadm create-keys --force

3. Restart the common agent container management daemon on the node on which you regenerated the security keys.

   phys-schost-1# /opt/SUNWcacao/bin/cacaoadm start

4. Create a tarfile of the /etc/opt/SUNWcacao/security directory.

   phys-schost-1# tar cf /tmp/SECURITY.tar security

5. Copy the /tmp/Security.tar file to each of the cluster nodes.

6. On each node to which you copied the/tmp/SECURITY.tar file, extract the security files.

   Any security files that already exist in the /etc/opt/SUNWcacao/ directory are overwritten.

   phys-schost-2# cd /etc/opt/SUNWcacao phys-schost-2# tar xf /tmp/SECURITY.tar

7. Delete the /tmp/SECURITY.tar file from each node in the cluster.

   You must delete each copy of the tarfile to avoid security risks.

   phys-schost-1# rm /tmp/SECURITY.tar phys-schost-2# rm /tmp/SECURITY.tar

8. On all nodes, restart the common agent container management daemon.

   phys-schost-1# /opt/SUNWcacao/bin/cacaoadm start

9. Restart SunPlex Manager.

   # /usr/sbin/smcwebserver restart

Launching the SunPlex Manager Software

The SunPlex Manager graphical user interface (GUI) provides an easy way to administer some aspects of the Sun Cluster software. See the SunPlex Manager online help for more information.

How to Launch SunPlex Manager

Follow this procedure to start SunPlex Manager on your cluster.

Steps

1. Do you intend to access SunPlex Manager by using the cluster node root user name and password rather than set up a different user name and password?

   • If yes, go to Step 5.

   • If no, go to Step 3 to set up SunPlex Manager user accounts.

2. Become superuser on a cluster node.

3. Create a user account to access the cluster through SunPlex Manager.

   You use the useradd(1M) command to add a user account to the system. You must set up at least one user account to access SunPlex Manager if you do not use the root system account. SunPlex Manager user accounts are used only by SunPlex Manager. They do not correspond to any Solaris system user accounts. Creating and assigning an RBAC role to a user account is described in more detail in Creating and Assigning an RBAC Role With a Sun Cluster Management Rights Profile.

   ---

   Note –

   Users who do not have a user account set up on a particular node cannot access the cluster through SunPlex Manager from that node, nor can users manage that node through another cluster node to which the users do have access.

   ---

4. (Optional) Repeat Step 3 to set up additional user accounts.

5. From the administrative console or any other machine outside the cluster, launch a browser.

6. Ensure that the browser's disk and memory cache sizes are set to a value that is greater than 0.

7. From the browser, connect to the SunPlex Manager port on one node of the cluster.

   The default port number is 6789.

   https://node:6789/

SPARC: How to Launch SunPlex Manager From the Sun Management Center Web Console

You must possess the solaris.cluster.gui Role-Based Access Control (RBAC) authorization to log into SunPlex Manager. You can learn more about RBAC authorizations in Chapter 8, Using Roles and Privileges (Overview), in System Administration Guide: Security Services, Chapter 10, Role-Based Access Control (Reference), in System Administration Guide: Security Services, and in Chapter 2, Sun Cluster and RBAC.

Steps

1. Log in to the Sun Management Center Web Console.

   The default port number is 6789.

   https://node:6789/

2. Choose the SunPlex Manager link

   If you selected the “Start Each Application in a New Window” option after you logged in, SunPlex will display in a new browser window. Otherwise, SunPlex Manager will display in an existing browser window.

3. To exit SunPlex Manager, click Log Out at the top, right corner of the SunPlex Manager workspace page.

   SunPlex Manager exits.