Sun Cluster System Administration Guide for Solaris OS

Configuring SunPlex Manager

SunPlex Manager is a GUI that you can use to administer and view the status of some aspects of quorum devices, IPMP groups, interconnect components, and global devices. You can use it in place of many of the Sun Cluster CLI commands.

The procedure for installing SunPlex Manager on your cluster is included in the Sun Cluster Software Installation Guide for Solaris OS. The SunPlex Manager online help contains instructions for completing various tasks using the GUI.

This section contains the following procedures for reconfiguring SunPlex Manager after initial installation.

Setting up RBAC Roles

SunPlex Manager uses RBAC to determine who has rights to administer the cluster. Several RBAC rights profiles are included in the Sun Cluster software. You can assign these rights profiles to users or to roles to give users different levels of access to Sun Cluster. For more information about how to set up and manage RBAC for Sun Cluster, see Sun Cluster and RBAC in the Sun Cluster Systems Administration Guide.

SunPlex Manager Character Set Support

The SunPlex Manager recognizes a limited character set to increase security. Characters that are not a part of the set are silently filtered out when HTML forms are submitted to the SunPlex Manager server. The following characters are accepted by the SunPlex Manager:

()+,-./0-9:=@A-Z^_a-z{|}~
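Because the filtering is silent, it helps to test a value offline before typing it into a form. The following POSIX sh sketch is an added example, not part of the guide or of SunPlex Manager. The function names are hypothetical, the sample fields are constructed, and it assumes that each rejected character is simply deleted.

```sh
#!/bin/sh
# Added example: emulate the SunPlex Manager form-input filter offline.
# Accepted set from the guide: ()+,-./0-9:=@A-Z^_a-z{|}~
# The hyphen is moved to the end so that tr reads it as a literal character.
SPM_ACCEPTED='()+,./0-9:=@A-Z^_a-z{|}~-'

# Print the value as the server would see it. Assumption: each character
# outside the set is deleted and the remaining characters keep their order.
spm_filtered() {
    printf '%s' "$1" | LC_ALL=C tr -cd "$SPM_ACCEPTED"
}

# Print, in order, the characters that the filter would remove.
spm_dropped() {
    printf '%s' "$1" | LC_ALL=C tr -d "$SPM_ACCEPTED"
}

# Read constructed "field=value" lines on stdin and report every field whose
# value would change. Returns 1 if any field is affected, 0 otherwise.
spm_report() {
    rc=0
    while IFS= read -r line; do
        field=${line%%=*}
        value=${line#*=}
        if [ "$(spm_filtered "$value")" != "$value" ]; then
            printf '%s: "%s" becomes "%s" (dropped: "%s")\n' \
                "$field" "$value" "$(spm_filtered "$value")" "$(spm_dropped "$value")"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample values; none come from a real cluster.
spm_report <<'EOF' || echo "at least one value would be altered"
resource_group=web-rg_01
description=Apache web server #2
mount_point=/global/web
EOF
```

Note that the space character is not in the accepted set, so multi-word values are collapsed.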

This filter can potentially cause problems in the following two areas:

How to Change the Port Number for SunPlex Manager

If the default port number (6789) conflicts with another running process, change the port number of SunPlex Manager on each node of the cluster.


Note –

The port number must be identical on all nodes of the cluster.


  1. Open the /opt/SUNWscvw/conf/httpd.conf configuration file using a text editor.

  2. Change the Port number entry.

    The Port entry is located under Section 2, 'Main' server configuration.

  3. Edit the VirtualHost entry to reflect the new port number.

    The <VirtualHost _default_:6789> entry is located in the section titled “SSL Virtual Host Context”.

  4. Save the configuration file and exit the editor.

  5. Restart SunPlex Manager.


    # /opt/SUNWscvw/bin/apachectl restart
    

  6. Repeat this procedure on each node of the cluster.
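Steps 2 and 3 edit two separate entries, and it is easy to change one and miss the other. The following check is an added example, not part of the guide. The function names are hypothetical, the configuration fragment is constructed, and it assumes a POSIX awk. Run it against /opt/SUNWscvw/conf/httpd.conf on each node with the port you chose.

```sh
#!/bin/sh
# Added example: check that steps 2 and 3 left httpd.conf consistent.

# Print the value of the last uncommented Port directive.
conf_port() {
    awk 'tolower($1) == "port" { p = $2 } END { print p }' "$1"
}

# Print the port of the last <VirtualHost _default_:N> entry.
conf_vhost_port() {
    awk 'tolower($1) == "<virtualhost" && $2 ~ /^_default_:[0-9]+>$/ {
             v = $2; sub(/^_default_:/, "", v); sub(/>$/, "", v)
         } END { print v }' "$1"
}

# Succeed only if both entries carry the expected port.
# Usage: conf_port_check FILE EXPECTED_PORT
conf_port_check() {
    p=$(conf_port "$1"); v=$(conf_vhost_port "$1")
    if [ "$p" = "$2" ] && [ "$v" = "$2" ]; then
        echo "OK: Port and VirtualHost both use $2"
    else
        echo "MISMATCH: Port=${p:-unset} VirtualHost=${v:-unset} expected=$2"
        return 1
    fi
}

# Constructed fragment in which only the Port entry was edited.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# Port 6789
Port 8443
<VirtualHost _default_:6789>
SSLEngine on
</VirtualHost>
EOF
conf_port_check "$demo_conf" 8443 || echo "fix the VirtualHost entry before restarting"
rm -f "$demo_conf"
```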

How to Use the Common Agent Container to Change the Port Numbers for Services or Management Agents

If the default port numbers for your common agent container services conflict with other running processes, you can use the cacaoadm command to change the port number of the conflicting service or management agent on each node of the cluster.

  1. On all cluster nodes, stop the common agent container management daemon.


    # /opt/SUNWcacao/bin/cacaoadm stop
    
  2. If you do not know the port number currently used by the common agent container service for which you want to change the port number, use the cacaoadm command with the getparam subcommand to retrieve the port number.


    # /opt/SUNWcacao/bin/cacaoadm getparam parameterName
    

    You can use the cacaoadm command to change the port numbers for the following common agent container services. The following list provides some examples of services and agents that can be managed by the common agent container, along with corresponding parameter names.

    JMX connector port: jmxmp.connector.port

    SNMP port: snmp.adaptor.port

    SNMP trap port: snmp.adaptor.trap.port

    Command stream port: commandstream.adaptor.port

  3. To change a port number, use the cacaoadm command with the setparam subcommand and the parameter name.


    # /opt/SUNWcacao/bin/cacaoadm setparam parameterName=parameterValue
    
  4. Repeat Step 3 on each node of the cluster.

  5. Restart the common agent container management daemon on all cluster nodes.


    # /opt/SUNWcacao/bin/cacaoadm start
    

How to Change the Server Address for SunPlex Manager

If you change the hostname of a cluster node, you must change the address from which SunPlex Manager runs. Because the default security certificate is generated based on the node's hostname at the time SunPlex Manager is installed, you must remove one of the SunPlex Manager installation packages and reinstall it. You must complete this procedure on any node that has had its host name changed.

  1. Make the Sun Cluster CD-ROM image available to the node.

  2. Remove the SUNWscvw package.


    # pkgrm SUNWscvw
    

  3. Re-install the SUNWscvw package.


    # cd <path to CD-ROM image>/SunCluster_3_1_u1/Packages
    # pkgadd -d . SUNWscvw
    

How to Configure a New Security Certificate

You can generate your own security certificate to enable secure administration of your cluster, and then configure SunPlex Manager to use that certificate instead of the one generated by default. This procedure is an example of how to configure SunPlex Manager to use a security certificate generated by a particular security package. The actual tasks you must complete depend on the security package you use.


Note –

You must generate an unencrypted certificate to allow the server to start on its own during booting. Once you have generated a new certificate for each node of your cluster, configure SunPlex Manager to use those certificates. Each node must have its own security certificate.


  1. Copy the appropriate certificate to the node.

  2. Open the /opt/SUNWscvw/conf/httpd.conf configuration file for editing.

  3. Edit the following entry to enable SunPlex Manager to use the new certificate.


    SSLCertificateFile <path to certificate file>
    

  4. If the server private key is not combined with the certificate, edit the SSLCertificateKeyFile entry.


    SSLCertificateKeyFile <path to server key>
    

  5. Save the file and exit the editor.

  6. Restart SunPlex Manager.


    # /opt/SUNWscvw/bin/apachectl restart
    

  7. Repeat this procedure for each node in the cluster.

Example—Configuring SunPlex Manager to Use a New Security Certificate

The following example shows how to edit the SunPlex Manager configuration file to use a new security certificate.


    [Copy the appropriate security certificates to each node.]
    [Edit the configuration file.]
    # vi /opt/SUNWscvw/conf/httpd.conf
    [Edit the appropriate entries.]
    SSLCertificateFile /opt/SUNWscvw/conf/ssl/phys-schost-1.crt
    SSLCertificateKeyFile /opt/SUNWscvw/conf/ssl/phys-schost-1.key
    [Save the file and exit the editor.]
    [Restart SunPlex Manager.]
    # /opt/SUNWscvw/bin/apachectl restart

How to Regenerate Common Agent Container Security Keys

SunPlex Manager uses strong encryption techniques to ensure secure communication between the SunPlex Manager web server and each cluster node.

The keys used by the SunPlex Manager are stored under the /etc/opt/SUNWcacao/security directory on each node. They should be identical across all cluster nodes.

Under normal operation, these keys can be left in their default configuration. If you need to regenerate the keys due to a possible key compromise (for example, root compromise on the machine) or other reason, you can regenerate the security keys using the following procedure.

  1. On all cluster nodes, stop the common agent container management daemon.


    # /opt/SUNWcacao/bin/cacaoadm stop
    
  2. On one node of the cluster, regenerate the security keys.


    phys-schost-1# /opt/SUNWcacao/bin/cacaoadm create --force
    
  3. Restart the common agent container management daemon on the node on which you regenerated the security keys.


    phys-schost-1# /opt/SUNWcacao/bin/cacaoadm start
    

  4. Create a tarfile of the /etc/opt/SUNWcacao/security directory.


    phys-schost-1# cd /etc/opt/SUNWcacao
    phys-schost-1# tar cf /tmp/SECURITY.tar security
    
  5. Copy the /tmp/SECURITY.tar file to each of the cluster nodes.

  6. On each node to which you copied the /tmp/SECURITY.tar file, extract the security files.

    Any security files that already exist in the /etc/opt/SUNWcacao/ directory are overwritten.


    phys-schost-2# cd /etc/opt/SUNWcacao
    phys-schost-2# tar xf /tmp/SECURITY.tar
    

  7. Delete the /tmp/SECURITY.tar file from each node in the cluster.

    You must delete each copy of the tarfile to avoid security risks.


    phys-schost-1# rm /tmp/SECURITY.tar
    phys-schost-2# rm /tmp/SECURITY.tar
    

  8. On all nodes, restart the common agent container management daemon.


    phys-schost-1# /opt/SUNWcacao/bin/cacaoadm start
    
  9. Restart SunPlex Manager.


    # /opt/SUNWscvw/bin/apachectl restart
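
After the procedure, the security directory should be identical on every node and no copy of the tarfile should remain. The following check is an added example, not part of the guide. The function names are hypothetical and the demo data is constructed. It uses cksum only because that tool is in POSIX, so substitute a cryptographic digest tool where one is installed.

```sh
#!/bin/sh
# Added example: confirm every node ended up with the same security files.

# Print one fingerprint for a directory: a checksum over the sorted relative
# paths and per-file checksums. cksum detects copy differences but is not a
# cryptographic digest.
dir_fingerprint() {
    ( cd "$1" || exit 1
      find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s %s\n' "$(cksum < "$f")" "$f"
      done | cksum )
}

# Read "node fingerprint" lines on stdin (one per node, collected by the
# administrator); succeed only if all fingerprints are the same.
fingerprints_match() {
    awk '{ node = $1; $1 = ""; seen[$0] = seen[$0] " " node }
         END { n = 0
               for (fp in seen) { n++; print "fingerprint" fp ":" seen[fp] }
               exit (n == 1 ? 0 : 1) }'
}

# Succeed only if the transfer archive from steps 4 to 7 is gone.
tarfile_removed() {
    [ ! -e "${1:-/tmp/SECURITY.tar}" ]
}

# On a real node the input line would come from:
#   echo "`hostname` `dir_fingerprint /etc/opt/SUNWcacao/security`"
# Constructed demo: two temporary directories stand in for two nodes.
d=$(mktemp -d); mkdir "$d/n1" "$d/n2"
printf 'constructed-key\n' > "$d/n1/sample.key"; cp "$d/n1/sample.key" "$d/n2/"
{ echo "phys-schost-1 $(dir_fingerprint "$d/n1")"
  echo "phys-schost-2 $(dir_fingerprint "$d/n2")"; } | fingerprints_match
rm -rf "$d"
```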