Sun Cluster Geographic Edition Installation Guide

Chapter 3 Configuring Sun Cluster Geographic Edition Software

This chapter describes the steps for configuring and enabling the Sun Cluster Geographic Edition software for partnership. The chapter also contains information on how to uninstall the Sun Cluster Geographic Edition software.

This chapter contains the following sections:

Configuring Security

You must configure the Sun Cluster Geographic Edition software for secure management communication between partner clusters. The configuration must be reciprocal. For example, each node in cluster cluster-paris must be configured to trust each node in cluster cluster-newyork.

For an example of a cluster configuration, see Example Cluster Configuration in Sun Cluster Geographic Edition System Administration Guide.

Trusted host certificates for the partner must be configured on every node of the cluster, because any node in the cluster can host the Sun Cluster Geographic Edition infrastructure resource groups and the logical hostname for inter-cluster communication.

Use the /usr/j2se/bin/keytool command to configure trusted host certificates.

Procedure: How to Install Certificates on Partner Clusters

This procedure refers to nodes phys-paris-1 and phys-paris-2 on cluster cluster-paris and nodes phys-newyork-1 and phys-newyork-2 on cluster cluster-newyork.

Before You Begin

Ensure that you have the following Network Security Services software packages installed:

Steps
  1. On one node of each cluster, phys-paris-1 on cluster cluster-paris and phys-newyork-1 on cluster cluster-newyork, complete the following tasks:

    1. Log in to one node of the cluster as root.

    2. Stop the common agent carrier.


      # /opt/SUNWcacao/bin/cacaoadm stop
    3. Regenerate the JSSE/NSS keys and certificates.

      This procedure creates a file named /etc/opt/SUNWcacao/security/nss/localca/localca.cert. The localca.cert file is used as temporary storage while the key is read.


      # /opt/SUNWcacao/bin/cacaoadm create-keys

    To delete all other keys in the local truststore, use the --force option. If you use the --force option, these keys must be added again after you have completed this procedure.

    You can use the --directory option to generate this file in a different directory from the default security directory if you want to avoid overwriting keys. However, the common agent carrier only uses keys from the default directory, so you will later need to add the keys you generate to the file in the default directory.

    Once a cluster has been configured, do not run create-keys --force again. Otherwise, the certificates you previously configured will be lost.

    For more information about regenerating common agent carrier keys and certificates, refer to How to Configure a New Security Certificate in Sun Cluster System Administration Guide for Solaris OS.

  2. Exchange local certificate authority between nodes phys-paris-1 and phys-newyork-1.

    1. Change the directory to the certificate directory on node phys-paris-1.


      phys-paris-1# cd /etc/opt/SUNWcacao/security/nss/localca
    2. Copy the certificate file localca.cert from node phys-paris-1 to node phys-newyork-1.

      This procedure renames the localca.cert file to localca.cert.cluster-paris as a reminder of which cluster the file comes from.


      phys-paris-1# rcp localca.cert \
      phys-newyork-1:/etc/opt/SUNWcacao/security/jsse/localca.cert.cluster-paris
    3. Change to the directory on the node phys-newyork-1 where you copied the file.


      phys-newyork-1# cd /etc/opt/SUNWcacao/security/jsse
    4. Import the certificates from the localca.cert.cluster-paris file into the local keystore on node phys-newyork-1.

      This procedure loads the public key from cluster-paris into the phys-newyork-1 node of cluster-newyork.


      Note –

      To perform this procedure, you must be in the /etc/opt/SUNWcacao/security/jsse directory.



      phys-newyork-1# keytool -import -v -alias cluster-paris -keystore truststore \
      -file localca.cert.cluster-paris

      The truststore parameter in the keytool command names a file that is located in the directory where you copied the certificate. The -alias option specifies the cluster name of the remote cluster where the certificate was generated.

      Type trustpass when asked for the keystore password. The trustpass password is the nonsecret password that the common agent carrier provides. The truststore file holds only the public halves of the public and private key pairs, so absolute secrecy is not required.

      Type yes when asked whether to trust the certificate.

    5. Verify that the certificate was correctly added to the keystore.


      phys-newyork-1# keytool -list -v -keystore truststore
  3. Exchange local certificate authority between nodes phys-newyork-1 and phys-paris-1.

    1. Change the directory to the certificate directory on node phys-newyork-1.


      phys-newyork-1# cd /etc/opt/SUNWcacao/security/nss/localca

      The certificate to be imported is in a file called localca.cert.

    2. Copy the certificate file from node phys-newyork-1 to node phys-paris-1.

      This procedure renames localca.cert to localca.cert.cluster-newyork as a reminder of which cluster the file comes from.


      # rcp localca.cert \
      phys-paris-1:/etc/opt/SUNWcacao/security/jsse/localca.cert.cluster-newyork
    3. Change to the directory on node phys-paris-1 where you copied the file.


      phys-paris-1# cd /etc/opt/SUNWcacao/security/jsse
    4. Import the certificate into the local keystore on node phys-paris-1.


      Note –

      To perform this procedure, you must be in the /etc/opt/SUNWcacao/security/jsse directory.



      phys-paris-1# keytool -import -v -alias cluster-newyork -keystore truststore \
      -file localca.cert.cluster-newyork

      The truststore parameter in the keytool command names a file that is located in the directory where you copied the certificate. The -alias option specifies the cluster name of the remote cluster where the certificate was generated.

      Type trustpass when asked for the keystore password. The trustpass password is the nonsecret password that the common agent carrier provides. The truststore file holds only the public halves of the public and private key pairs, so absolute secrecy is not required.

      Type yes when asked whether to trust the certificate.

    5. Verify that the certificate was correctly added to the keystore.


      phys-paris-1# keytool -list -v -keystore truststore
  4. On each node of cluster cluster-paris except node phys-paris-1, copy the /etc/opt/SUNWcacao/security directory, with all its subdirectories, from node phys-paris-1 into the local /etc/opt/SUNWcacao directory.


    phys-paris-2# cd /etc/opt/SUNWcacao
    phys-paris-2# rcp -r phys-paris-1:/etc/opt/SUNWcacao/security .
  5. On each node of cluster cluster-newyork except node phys-newyork-1, copy the /etc/opt/SUNWcacao/security directory, with all its subdirectories, from node phys-newyork-1 into the local /etc/opt/SUNWcacao directory.


    phys-newyork-2# cd /etc/opt/SUNWcacao
    phys-newyork-2# rcp -r phys-newyork-1:/etc/opt/SUNWcacao/security .
  6. On each node of each cluster verify that the certificates have been correctly added.


    Note –

    After copying the security directory, the output of the keytool list command on all nodes of one cluster shows the same values for the local and remote keys. All nodes of the remote cluster show the same values, but the local and remote tags are interchanged.



    # cd /etc/opt/SUNWcacao/security/jsse
    # keytool -list -v -keystore truststore
  7. Restart the common agent carrier on each node of each cluster.


    # /opt/SUNWcacao/bin/cacaoadm start
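The guide has you eyeball the keytool -list -v output in step 6. The following POSIX shell functions are an added example, not part of the Sun guide, that make that check mechanical: they read a saved listing of the cacao truststore, confirm that the partner cluster's alias is present, and compare the SHA1 fingerprint between two nodes of one cluster (after the rcp -r copy in steps 4 and 5) and against the partner's own localca.cert as printed by keytool -printcert. Because rcp and the nonsecret trustpass password give no assurance on their own that the right certificate was imported, comparing fingerprints across the two clusters is the check a practitioner wants before restarting cacao. The keytool listings and fingerprints below are constructed and abbreviated; only the fields the functions parse are kept.

```shell
#!/bin/sh
# Added example, not from the Sun Cluster Geographic Edition guide.
# Checks saved `keytool -list -v -keystore truststore` output for the
# partner cluster's alias and compares SHA1 fingerprints between nodes and
# against the partner's localca.cert, so a missing or stale certificate is
# caught before cacao is restarted. Needs only POSIX sh and awk.

# Constructed, abbreviated keytool output (fingerprints are made up).
# Listing taken on phys-paris-1 after step 3.
PARIS_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: cluster-paris
Entry type: trustedCertEntry
Owner: CN=cluster-paris
Certificate fingerprints:
         MD5:  A0:A1:A2:A3:A4:A5:A6:A7:A8:A9:AA:AB:AC:AD:AE:AF
         SHA1: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11


*******************************************
*******************************************


Alias name: cluster-newyork
Entry type: trustedCertEntry
Owner: CN=cluster-newyork
Certificate fingerprints:
         MD5:  B0:B1:B2:B3:B4:B5:B6:B7:B8:B9:BA:BB:BC:BD:BE:BF
         SHA1: 22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22
'

# Constructed listing from a phys-newyork-2 on which step 5 was skipped:
# an old cluster-newyork key is still present and cluster-paris is absent.
STALE_NEWYORK2_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: cluster-newyork
Entry type: trustedCertEntry
Owner: CN=cluster-newyork
Certificate fingerprints:
         MD5:  C0:C1:C2:C3:C4:C5:C6:C7:C8:C9:CA:CB:CC:CD:CE:CF
         SHA1: 33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33:33
'

# Constructed `keytool -printcert -v -file localca.cert` output as run on
# phys-newyork-1 in its localca directory (no Alias line in this format).
NEWYORK_PRINTCERT='Owner: CN=cluster-newyork
Issuer: CN=cluster-newyork
Certificate fingerprints:
         MD5:  B0:B1:B2:B3:B4:B5:B6:B7:B8:B9:BA:BB:BC:BD:BE:BF
         SHA1: 22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22
'

# fingerprint_for ALIAS LISTING: print the SHA1 fingerprint recorded under
# ALIAS in a keytool -list -v listing; prints nothing if ALIAS is absent.
fingerprint_for() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^Alias name:/                { current = $3 }
        /SHA1:/ && current == want    { print $2; exit }
    '
}

# printcert_fingerprint PRINTCERT: SHA1 fingerprint from keytool -printcert -v.
printcert_fingerprint() {
    printf '%s\n' "$1" | awk '/SHA1:/ { print $2; exit }'
}

# truststore_has_alias ALIAS LISTING: exit 0 if the alias is in the listing.
truststore_has_alias() {
    [ -n "$(fingerprint_for "$1" "$2")" ]
}

# import_matches_source ALIAS LISTING PRINTCERT: exit 0 when the entry stored
# under ALIAS has the same SHA1 as the certificate file it was imported from.
import_matches_source() {
    imported=$(fingerprint_for "$1" "$2")
    source_fp=$(printcert_fingerprint "$3")
    [ -n "$imported" ] && [ "$imported" = "$source_fp" ]
}

# same_on_both_nodes ALIAS LISTING_A LISTING_B: exit 0 when two nodes hold
# the same certificate under ALIAS, as the note in step 6 expects.
same_on_both_nodes() {
    a=$(fingerprint_for "$1" "$2")
    b=$(fingerprint_for "$1" "$3")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage on a real node (not executed here):
#   cd /etc/opt/SUNWcacao/security/jsse
#   keytool -list -v -keystore truststore > /tmp/ts.txt
#   truststore_has_alias cluster-paris "$(cat /tmp/ts.txt)" || echo "cluster-paris missing"
```

Run the listing on every node of both clusters and feed the saved files to same_on_both_nodes for each alias; the fingerprint of cluster-paris must be identical on phys-paris-1, phys-paris-2, phys-newyork-1 and phys-newyork-2, and likewise for cluster-newyork. A mismatch means one node still carries a certificate from an earlier create-keys run and the security directory copy in step 4 or 5 must be repeated.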

Enabling the Sun Cluster Geographic Edition Infrastructure

When the Sun Cluster Geographic Edition software is enabled, the cluster is ready to enter a partnership with another enabled cluster. You can use the CLI or the GUI to create a cluster partnership.

For more information about setting up and installing Sun Cluster Geographic Edition, see Chapter 3, Administering the Sun Cluster Geographic Edition Infrastructure, in Sun Cluster Geographic Edition System Administration Guide.

To use the geoadm command to enable the local cluster for partnership membership, you must have the Geo Management role-based access control (RBAC) rights profile.

For more information, see the rbac(5) man page and Sun Cluster Geographic Edition Software and RBAC in Sun Cluster Geographic Edition System Administration Guide.

Procedure: How to Enable Sun Cluster Geographic Edition Software

Before You Begin

Before you enable Sun Cluster Geographic Edition software on a cluster, ensure that the following conditions are met:

Steps
  1. Log in to one of the cluster nodes.

    You must be assigned the Geo Operation RBAC rights profile to complete this procedure. For more information about RBAC, see Sun Cluster Geographic Edition Software and RBAC in Sun Cluster Geographic Edition System Administration Guide.

  2. Ensure that the logical hostname, which is the same as the cluster name, is available and defined.


    # scconf -p | grep -i "cluster name"
    

    If the cluster name is not the name you want to use, you can change the cluster name with the following command:


    # scconf -c -C cluster=cluster-name
    

    For more information, see the scconf(1M) man page.

  3. Confirm that a logical hostname that matches the cluster name is available and defined in the local host files.

    The local host file, hosts, is located in the /etc/inet directory.

    Confirm that the logical hostname is also defined in the network namespace database, for example, NIS.

  4. On one node of the cluster, create the Sun Cluster Geographic Edition infrastructure resource groups and enable the Sun Cluster Geographic Edition control module.


    # geoadm start
    

    The geoadm start command enables the Sun Cluster Geographic Edition control module on the local cluster only. For more information, see the geoadm(1M) man page.

  5. Verify that you have enabled the infrastructure and that the Sun Cluster Geographic Edition resource groups are online.


    # geoadm show
    # scstat -g
    

    The output for the geoadm show command should state that the Sun Cluster Geographic Edition infrastructure is active from a particular node in the cluster.

    The output for the scstat -g command should state that the geo-failovercontrol, geo-hbmonitor, and geo-clustername resources and the geo-infrastructure resource group are online on one node of the cluster.

    For more information, see the scstat(1M) man page.


Example 3–1 Enabling a Cluster

The following example illustrates how to enable Sun Cluster Geographic Edition software on a cluster:


# geoadm start
# geoadm show
# scstat -g
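Steps 3 and 5 above are checks the guide describes in prose. As an added example that is not part of the Sun guide, the POSIX shell functions below automate both: one confirms that the logical hostname matching the cluster name is defined on a non-comment line of the hosts table, and the others read saved scstat -g output and confirm that geo-infrastructure and each of its three resources are Online on exactly one node. The hosts table, its addresses and the scstat -g listing are constructed; the listing's column layout is an approximation of the real command's output, so adjust the awk field positions if your Sun Cluster release prints it differently.

```shell
#!/bin/sh
# Added example, not from the Sun Cluster Geographic Edition guide:
# post-"geoadm start" checks over saved command output. Needs only POSIX
# sh, awk, sed and wc.

CLUSTER_NAME=cluster-paris

# Constructed /etc/inet/hosts content; addresses are documentation addresses.
SAMPLE_HOSTS='#
# Internet host table
#
127.0.0.1       localhost
192.0.2.11      phys-paris-1    loghost
192.0.2.12      phys-paris-2
192.0.2.20      cluster-paris
'

# Constructed, approximate `scstat -g` output after a successful geoadm start.
SAMPLE_SCSTAT='-- Resource Groups and Resources --

            Group Name          Resources
            ----------          ---------
 Resources: geo-infrastructure  geo-clustername geo-hbmonitor geo-failovercontrol

-- Resource Groups --

            Group Name          Node Name       State
            ----------          ---------       -----
     Group: geo-infrastructure  phys-paris-1    Online
     Group: geo-infrastructure  phys-paris-2    Offline

-- Resources --

            Resource Name       Node Name       State     Status Message
            -------------       ---------       -----     --------------
  Resource: geo-clustername     phys-paris-1    Online    Online - LogicalHostname online.
  Resource: geo-clustername     phys-paris-2    Offline   Offline
  Resource: geo-hbmonitor       phys-paris-1    Online    Online - Daemon OK
  Resource: geo-hbmonitor       phys-paris-2    Offline   Offline
  Resource: geo-failovercontrol phys-paris-1    Online    Online - Service is online.
  Resource: geo-failovercontrol phys-paris-2    Offline   Offline
'

# The same listing with the heartbeat monitor faulted on the hosting node
# (only the State column of that one line is changed).
SAMPLE_SCSTAT_FAULTED=$(printf '%s\n' "$SAMPLE_SCSTAT" \
    | sed '/geo-hbmonitor *phys-paris-1/s/Online/Faulted/')

# hosts_defines NAME HOSTS_CONTENT: exit 0 if NAME appears as a hostname or
# alias (any field after the address) on a non-comment line.
hosts_defines() {
    printf '%s\n' "$2" | awk -v name="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { found = 1; exit } }
        END { if (found) exit 0; exit 1 }
    '
}

# online_nodes KIND NAME SCSTAT: print the nodes on which the resource
# (KIND=Resource:) or resource group (KIND=Group:) NAME has state Online.
online_nodes() {
    printf '%s\n' "$3" | awk -v kind="$1" -v name="$2" '
        $1 == kind && $2 == name && $4 == "Online" { print $3 }
    '
}

# online_count KIND NAME SCSTAT: number of nodes on which NAME is Online.
online_count() {
    online_nodes "$1" "$2" "$3" | wc -l | tr -d ' '
}

# geo_infrastructure_ok SCSTAT: exit 0 when the geo-infrastructure group and
# each of its three resources are Online on exactly one node (step 5).
geo_infrastructure_ok() {
    [ "$(online_count Group: geo-infrastructure "$1")" = 1 ] || return 1
    for r in geo-clustername geo-hbmonitor geo-failovercontrol; do
        [ "$(online_count Resource: "$r" "$1")" = 1 ] || return 1
    done
    return 0
}

# Usage on a real node (not executed here):
#   hosts_defines "$CLUSTER_NAME" "$(cat /etc/inet/hosts)" || echo "logical hostname missing"
#   geo_infrastructure_ok "$(scstat -g)" || echo "geo-infrastructure not fully online"
```

A resource that is Online on zero nodes or on two nodes both fail geo_infrastructure_ok; the former is the faulted-daemon case shown in the second sample, the latter would indicate a resource group that is not behaving as a single failover group and is worth investigating with scstat -g before creating any partnership.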

Next Steps

See Administering Sun StorEdge Availability Suite 3.2.1 Protection Groups in Sun Cluster Geographic Edition System Administration Guide or Administering Hitachi TrueCopy Protection Groups in Sun Cluster Geographic Edition System Administration Guide for information on creating protection groups.