Configuring SunPlex Manager

SunPlex Manager is a GUI that you can use to administer and view the status all aspects of quorum devices, IPMP groups, interconnect components, and global devices. You can use it in place of many of the Sun Cluster CLI commands.

The procedure for installing SunPlex Manager on your cluster is included in the Sun Cluster Software Installation Guide for Solaris OS. The SunPlex Manager online help contains instructions for completing various tasks using the GUI.

This section contains the following procedures for reconfiguring SunPlex Manager after initial installation.

• Setting up RBAC Roles

• How to Change the Server Address for SunPlex Manager

• How to Configure a New Security Certificate

• How to Regenerate Common Agent Container Security Keys

Setting up RBAC Roles

The SunPlex Manager uses RBAC to determine who has rights to administer the cluster. Several RBAC rights profiles are included in the Sun Cluster software. You can assign these rights profiles to users or to roles to give users different levels of access to Sun Cluster. For more information about how to set up and manage RBAC for Sun Cluster, see Sun Cluster and RBAC in the Sun Cluster Systems Administration Guide.

How to Use the Common Agent Container to Change the Port Numbers for Services or Management Agents

If the default port numbers for your common agent container services conflict with other running processes, you can use the cacaoadm command to change the port number of the conflicting service or management agent on each node of the cluster.

Steps

1. On all cluster nodes, stop the common agent container management daemon.

   # /opt/SUNWcacao/bin/cacaoadm stop

2. Stop Sun Java Web Console.

   # /usr/sbin/sunmcwebserver stop

3. If you do not know the port number currently used by the common agent container service for which you want to change the port number, use the cacaoadm command with the get-param subcommand to retrieve the port number.

   # /opt/SUNWcacao/bin/cacaoadm get-param parameterName

   You can use the cacaoadm command to change the port numbers for the following common agent container services. The following list provides some examples of services and agents that can be managed by the common agent container, along with corresponding parameter names.

   JMX connector port

   jmxmp-connector-port

   SNMP port

   snmp-adaptor-port

   SNMP trap port

   snmp-adaptor-trap-port

   Command stream port

   commandstream-adaptor-port

4. To change a port number, use the cacaoadm command with the setparam subcommand and the parameter name.

   # /opt/SUNWcacao/bin/cacaoadm set-param parameterName=parameterValue =parameterValue

5. Repeat Step 4 on each node of the cluster.

6. Restart Sun Java Web Console.

   # /usr/sbin/sunmcwebserver start

7. Restart the common agent container management daemon on all cluster nodes.

   # /opt/SUNWcacao/bin/cacaoadm start

How to Change the Server Address for SunPlex Manager

If you change the hostname of a cluster node, you must change the address from which SunPlex Manager runs. The default security certificate is generated based on the node's hostname at the time SunPlex Manager is installed. To reset the node's hostname, delete the certificate file, keystore and restart SunPlex Manager. SunPlex Manager will automatically create a new certificate file with the new hostname. You must complete this procedure on any node that has had its hostname changed.

Steps

1. Remove the certificate file, keystore, located in /etc/opt/webconsole.

   # cd /etc/opt/webconsole # pkgrm keystore

2. Restart SunPlex Manager.

   # /usr/sbin/smcwebserver restart

How to Configure a New Security Certificate

You can generate your own security certificate to enable secure administration of your cluster, and then configure SunPlex Manager to use that certificate instead of the one generated by default. This procedure is an example of how to configure SunPlex Manager to use a security certificate generated by a particular security package. The actual tasks you must complete depend on the security package you use.

You must generate an unencrypted certificate to allow the server to start on its own during booting. Once you have generated a new certificate for each node of your cluster, configure SunPlex Manager to use those certificates. Each node must have its own security certificate.

Steps

1. Copy the appropriate certificate to the node.

2. Open the /opt/SUNWscvw/conf/httpd.conf configuration file for editing.

3. Edit the following entry to enable SunPlex Manager to use the new certificate.

   SSLCertificateFile <path to certificate file>

4. If the server private key is not combined with the certificate, edit the SSLCertificateKeyFile entry.

   SSLCertificateKeyFile <path to server key>

5. Save the file and exit the editor.

6. Restart SunPlex Manager.

   # /usr/sbin/smcwebserver restart

7. Repeat this procedure for each node in the cluster.

Example 10–1 Configuring SunPlex Manager to Use a New Security Certificate

The following example shows how to edit the SunPlex Manager configuration file to use a new security certificate.

[Copy the appropriate security certificates to each node.]
[Edit the configuration file.]
# vi /opt/SUNWscvw/conf/httpd.conf
[Edit the appropriate entries.]
SSLCertificateFile /opt/SUNWscvw/conf/ssl/phys-schost-1.crt
SSLCertificateKeyFile /opt/SUNWscvw/conf/ssl/phys-schost-1.key

[Save the file and exit the editor.]
[Restart SunPlex Manager.]
# /usr/sbin/smcwebserver restart

How to Regenerate Common Agent Container Security Keys

SunPlex Manager uses strong encryption techniques to ensure secure communication between the SunPlex Manager web server and each cluster node.

The keys used by the SunPlex Manager are stored under the /etc/opt/SUNWcacao/security directory on each node. They should be identical across all cluster nodes.

Under normal operation, these keys can be left in their default configuration. If you change the hostname of a cluster node, you must regenerate the common agent container security keys. You may also need to regenerate the keys due to a possible key compromise (for example, root compromise on the machine). To regenerate the security keys, using the following procedure.

Steps

1. On all cluster nodes, stop the common agent container management daemon.

   # /opt/SUNWcacao/bin/cacaoadm stop

2. On one node of the cluster, regenerate the security keys.

   phys-schost-1# /opt/SUNWcacao/bin/cacaoadm create-keys --force

3. Restart the common agent container management daemon on the node on which you regenerated the security keys.

   phys-schost-1# /opt/SUNWcacao/bin/cacaoadm start

4. Create a tarfile of the /etc/opt/SUNWcacao/security directory.

   phys-schost-1# tar cf /tmp/SECURITY.tar security

5. Copy the /tmp/Security.tar file to each of the cluster nodes.

6. On each node to which you copied the/tmp/SECURITY.tar file, extract the security files.

   Any security files that already exist in the /etc/opt/SUNWcacao/ directory are overwritten.

   phys-schost-2# cd /etc/opt/SUNWcacao phys-schost-2# tar xf /tmp/SECURITY.tar

7. Delete the /tmp/SECURITY.tar file from each node in the cluster.

   You must delete each copy of the tarfile to avoid security risks.

   phys-schost-1# rm /tmp/SECURITY.tar phys-schost-2# rm /tmp/SECURITY.tar

8. On all nodes, restart the common agent container management daemon.

   phys-schost-1# /opt/SUNWcacao/bin/cacaoadm start

9. Restart SunPlex Manager.

   # /usr/sbin/smcwebserver restart