Registering and Configuring Oracle Solaris Cluster HA for Kerberos
How to Register and Configure Oracle Solaris Cluster HA for Kerberos
This section describes how to register and configure Oracle Solaris Cluster HA for Kerberos.
Before You Begin
To perform this procedure, you need the following information about your configuration.
The name of the resource type for Oracle Solaris Cluster HA for Kerberos. This name is SUNW.krb5.
The names of the cluster nodes and the non-global zones on the nodes that master the data service.
The network resource that clients use to access the data service. You normally set up this IP address when you install the cluster. See the Oracle Solaris Cluster Concepts Guide document for details on network resources.
# clresourcetype register SUNW.krb5
# clresourcegroup create [-n node[,...]] resource-group
-n node[,...]
Specifies an optional comma-separated list of zones that can master this resource group. Each entry in this list has the format node:zone, where node is the node name and address and zone specifies the name of a non-global Solaris zone. To specify the global zone, or to specify a node without local zones, specify only node. These are the nodes or zones on which the data service can run. The order here determines the order in which the nodes or zones are considered as primary during failover. If all of the cluster nodes or zones are potential masters, you do not need to use the -n option.
This list is optional. If you omit this list, the global zone of each cluster node can master the resource group.
You should have performed this verification during the Oracle Solaris Cluster installation. See Chapter 1, Planning the Oracle Solaris Cluster Configuration, in Oracle Solaris Cluster Software Installation Guide for details.
Note - To avoid any failures because of name service lookup, verify that all of the network resources are present in the server's and client's /etc/inet/hosts file. Configure name service mapping in the /etc/nsswitch.conf file on the servers to first check the local files before trying to access NIS or NIS+.
# clreslogicalhostname create -g resource-group \
-h logical-hostname,[logical-hostname] \
[-N netif@node[,...]] lhresource
-g resource-group
Specifies the name of the resource group. This name can be your choice but must be unique for a resource group within the cluster.
-h logical-hostname,[logical-hostname]
Specifies a comma-separated list of network resources (logical hostname or shared address).
-N netif@node[,...]
Specifies an optional, comma-separated list that identifies the IP Networking Multipathing groups that are on each node. netif can be given as an IP Networking Multipathing group name, such as sc_ipmp0. The node can be identified by the node name or node ID, such as sc_ipmp0@1 or sc_ipmp@phys-schost-1. If you do not specify -N, the clreslogicalhostname command attempts to set the NetIfList property for you based on available IPMP groups or public adapters and the subnet associated with the HostnameList property.
lhresource
Specifies the logical hostname resource to be created in the associated resource group.
Note - If you require a fully qualified hostname, you must specify the fully qualified name with the -h option and you cannot use the fully qualified form in the resource name.
Note - Oracle Solaris Cluster does not currently support the use of adapter names for netif.
# clresource create -g resource-group -t SUNW.krb5 \
[-p Network_resources_used=network-resource, ...] \
[-p Port_list=port-number/protocol] resource
-p Network_resources_used=network-resource, ...
Specifies a comma-separated list of network resources (logical hostnames or shared addresses) that Kerberos will use. If you do not specify this property, the value defaults to all of the network resources that are contained in the resource group.
-p Port_list=port-number/protocol
Specifies a port number and the protocol to be used. If you do not specify this property, the value defaults to 88/tcp,749/tcp,88/udp.
-t SUNW.krb5
Specifies the name of the resource type to which this resource belongs. This entry is required.
resource
Specifies the name of the resource to be associated with the resource type SUNW.krb5.
The resource is created in the enabled state.
# clresourcegroup online -M resource-group
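The name-service note in this procedure can be checked before any resource is created. The shell functions below are an added example, not part of the Oracle guide: they confirm that hosts lookups consult files first and that each logical hostname appears as a whole name or alias in the hosts file. The function names and the constructed sample files are assumptions; on a cluster node, pass /etc/nsswitch.conf and /etc/inet/hosts instead.

```shell
#!/bin/bash
# Added example, not Oracle's code: function names are hypothetical.
# Uses POSIX shell features only, so bash or ksh93 will run it.

# first_source DB FILE: print the first lookup source listed for DB (for
# example "hosts") in an nsswitch.conf-style FILE; fail if DB has no entry.
first_source() {
    while read -r key src _rest || [ -n "$key" ]; do
        case $key in
            "$1:")   [ -n "$src" ] || return 1
                     printf '%s\n' "$src"; return 0 ;;
            "$1:"?*) printf '%s\n' "${key#"$1:"}"; return 0 ;;
        esac
    done < "$2"
    return 1
}

# in_hosts_file NAME FILE: succeed only if NAME is a whole hostname or alias on
# a non-comment line of a hosts-style FILE (case-insensitive, no substrings).
in_hosts_file() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    while read -r addr names || [ -n "$addr" ]; do
        case $addr in ''|'#'*) continue ;; esac
        names=$(printf '%s' "${names%%#*}" | tr '[:upper:]' '[:lower:]' | tr '\t' ' ')
        case " $names " in *" $want "*) return 0 ;; esac
    done < "$2"
    return 1
}

# preflight NSSWITCH HOSTS NAME...: print every problem; non-zero if any found.
preflight() {
    nss=$1 hosts=$2 rc=0; shift 2
    first=$(first_source hosts "$nss") || first='(no hosts entry)'
    [ "$first" = files ] || { echo "FAIL: $nss tries '$first' before files"; rc=1; }
    for name in "$@"; do
        in_hosts_file "$name" "$hosts" || { echo "FAIL: $name not in $hosts"; rc=1; }
    done
    return $rc
}

# Constructed sample files (not from a real cluster) so the check runs offline.
tmp=$(mktemp -d)
printf 'hosts: files nis\n' > "$tmp/nss.good"
printf 'hosts: nis [NOTFOUND=return] files\n' > "$tmp/nss.bad"
printf '192.0.2.10\tkdc-10.example.com kdc-10\n192.0.2.1 kdc-1.example.com kdc-1 # logical host\n' > "$tmp/hosts"
preflight "$tmp/nss.bad" "$tmp/hosts" kdc-1 kdc-2 || echo "pre-flight failed"
```

Run the same check on every node or zone that can master the resource group, because each one resolves the logical hostname from its own files during failover.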
Example 1-1 Registering Failover Oracle Solaris Cluster HA for Kerberos
The following example shows how to register Oracle Solaris Cluster HA for Kerberos on a two-node cluster. At the end of this example, the clresourcegroup command starts Oracle Solaris Cluster HA for Kerberos.
This example uses the following configuration parameters:
Cluster physical node names = pkdc1.example.com and pkdc2.example.com:sparse_zone
Note - Kerberos is hosted in the global zone on pkdc1.example.com and in the non-global zone “sparse_zone” on pkdc2.example.com.
Cluster logical hostname = kdc-1.example.com
Resource group = krb-rg (for all of the resources)
Resources = kdc-1 (logical hostname) and krb-rs (Kerberos application resource)
Register the Kerberos resource type.
# clresourcetype register SUNW.krb5
Create the resource group to contain all of the resources.
# clresourcegroup create -n pkdc1.example.com,pkdc2.example.com:sparse_zone krb-rg
Add the logical hostname resource to the resource group.
# clreslogicalhostname create -g krb-rg -h kdc-1 kdc-1
Add a Kerberos application resource to the resource group.
# clresource create -g krb-rg -t SUNW.krb5 krb-rs
Bring the failover resource group online.
# clresourcegroup online -M krb-rg
This procedure describes how to configure the HAStoragePlus resource type. This resource type synchronizes actions between HAStorage and Oracle Solaris Cluster HA for Kerberos and enables you to use a highly available local file system. However, a global file system is recommended over HAStoragePlus, because Oracle Solaris Cluster HA for Kerberos is not disk-intensive in most environments.
See Relationship Between Resource Groups and Device Groups in Oracle Solaris Cluster Data Services Planning and Administration Guide for background information.
This procedure uses the following configuration parameters:
Cluster physical node names = pkdc1.example.com and pkdc2.example.com:sparse_zone
Cluster logical hostname = kdc-1.example.com
Resource group = krb-rg
Kerberos application resource = krb-rs
HAStoragePlus resource = krb-hasp-rs
Logical hostname resource = kdc-1
Device group associated with the file system: /global/dg1
Note - The /global/dg1 file system contains the krb-db and krb-conf directories which have symbolic links that point to /var/krb5 and /etc/krb5 respectively.
# clresourcetype register SUNW.krb5
# clresourcegroup create -n pkdc1.example.com,pkdc2.example.com:sparse_zone krb-rg
# clreslogicalhostname create -g krb-rg -h kdc-1 kdc-1
# clresource create -g krb-rg -t SUNW.krb5 krb-rs
# clresourcetype register SUNW.HAStoragePlus
# clresource create -g krb-rg -t SUNW.HAStoragePlus \
-p FilesystemMountPoints=/global/dg1 \
-p AffinityOn=TRUE krb-hasp-rs
# clresourcegroup online -M krb-rg