test

SunScreen 3.1 Configuration Examples

Detailed Stealth-Mode HA Configuration

  1. Install a single, stealth Screen as the primary Screen and verify that it works.

    Follow the instructions as described earlier in the stealth-mode example under "General Stealth-Mode Installation"

    Note -

    The Screen requires a single interface to be its administrative interface. Choose an interface and give it the correct IP address and netmask to enable it to communicate with the Administration Station.

  2. Prepare a second Screen as the secondary Screen and add it to the existing stealth-mode Screen to form an HA cluster.

    The HA secondary Screen must be identical to the HA primary Screen in the following ways:

    • Identical Solaris configuration

    • Identical hardware, ideally

    • Identical Interface types

    The only configuration differences between an HA secondary Screen and an HA primary Screen are:

    • /etc/ nodename

    • IP address of the administrative interface

    • IP address of the HA interface

      Note -

      Because this is stealth mode, only the administration and HA interfaces are plumbed with an IP address.

  3. Modify the HA primary Screen, bos-screen1, to run in HA mode.

    1. Configure the HA heartbeat interface by typing: 


      # echo "10.0.4.2" > /etc/hostname.hme3

      and reboot the machine.

    2. Using the administration GUI, define an empty address group object called hme3_grp.

    3. Using the administration GUI, define hme2 as an interface object of type HA using the interface group hme2_grp.

    4. Save, but do not activate, the policy.

      If you activate now, an error message regarding an HA interface being defined but HA not being activated, will appear.

    5. Using the administration GUI, click the Initialize HA button under the Policies section to configure hme2 as an HA interface.

    6. Save and activate the policy.

  4. Configure the HA secondary Screen, bos-screen2.

    1. Configure the administration interface on the secondary Screen by typing:


      # echo "192.168.1.4" > /etc/hostname.hme2

    2. Configure the HA heartbeat interface on the secondary Screen by typing:


      # echo "10.0.4.2" > /etc/hostname.hme3

    3. Reboot the secondary Screen.

    4. Install the SunScreen software on the secondary Screen (install the packages only, do not run ss_install).

    5. Set the PATH to include: /opt/SUNWicg/SunScreen/bin.

    6. Initialize the secondary Screen by typing:


      # ssadm ha init_secondary hme2	10.0.4.1

    7. Reboot the secondary Screen.

  5. Activate the HA cluster.

    From the Administration Station, start the administration GUI by connecting to the HA primary Screen's administrative interface by typing:


    # http://192.168.1.3:3852

  6. Define a Screen object for the HA secondary Screen, as shown in Figure 7-2 and Figure 7-3.

    Figure 7-2 Screen Object Definition for HA Secondary Screen

    Graphic

    Figure 7-3 Secondary Screen Name and HA IP Address

    Graphic

  7. Save and activate the policy.

    Note -

    For fault finding and testing, see the SunScreen 3.1 Reference Manual.

    When administering an HA cluster, you usually contact the primary Screen only because all the configuration information is stored on it. If you need to administer the secondary Screen, add an access control list (ACL) on the Administration Station for the IP address of the secondary Screen's administrative interface (192.168.1.4 in the example) using the same certificate names as those used by the primary Screen. The secondary and primary Screens have the same keys, which are copied across the HA interface during activation.

  8. Reboot the machine.