Symantec Product Authentication Service Release Notes


Symantec Product Authentication Service Release Notes
Linux, Microsoft Windows, and UNIX
4.3

Copyright 2008 Symantec Corporation. All rights reserved.

Symantec Product Authentication Service (AT) Release Notes
Doc Version: 13.5

Symantec, the Symantec logo, and Symantec Product Authentication Service (AT) are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THIS DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software and commercial computer software documentation as defined in FAR Sections and DFARS Section.

Symantec Corporation, Stevens Creek Blvd., Cupertino, CA. Printed in the United States of America.

Third-party legal notices

Third-party software may be recommended, distributed, embedded, or bundled with this Symantec product. Such third-party software is licensed separately by its copyright holder. All third-party copyrights associated with this product are listed in the accompanying release notes.

AIX is a registered trademark of IBM Corporation. HP-UX is a registered trademark of Hewlett-Packard Development Company, L.P. Linux is a registered trademark of Linus Torvalds. Solaris is a trademark of Sun Microsystems, Inc. Windows is a registered trademark of Microsoft Corporation.

Technical support

For technical assistance, visit (rather than and select phone or support. Use the Knowledge Base search feature to access resources such as TechNotes, product alerts, software downloads, hardware compatibility lists, and our customer notification service.


Contents

Chapter 1 Overview
  About branding
  Product version
  New in this release
    VSSAT CLIs for LDAP configuration
    Storing obfuscated password in the config file
    Limited support for PAM authentication plug-in
    AuthSequence for unixpwd plug-in
    New utilities
    Broker credential renewal
  Chart of fixed incidents
  Upgrading to higher versions
  Available documentation

Chapter 2 Requirements and alerts
  Supported platforms
  LIBRARY_PATH requirement with installvss
  Required patches and service packs
  Solaris zone support
  Not supported
  How to use GSS-API on non-standard Solaris
  How to check that you have SEAM
  How to connect to authorization server on UNIX platforms
  When you must remove startup scripts in cluster configuration
  Home directory requirement
  How to choose patch vs. fresh installation

Chapter 3 Known Issues
  Chart of open incidents
  Numbered issues
    ( ) Unneeded config actions required while upgrading AT binaries
    ( ) Failure in detecting primary group for LDAP user
    ( ) Only local installs and upgrades are supported using installvss script
    ( ) No upgrade option for AT Client package on Sun AMD platform
    ( ) No upgrade option for AT Client package on Sun AMD platform
    ( ) Unable to make AT HA on MSCS W2k8 AMD machine
    ( ) vxatd process doesn't come up after upgrade
    ( ) setuptrust takes 1 min if pbx is not running on broker
    ( ) Domainname needs to be passed for localhost authentication to succeed

Chapter 4 Procedures
  Common terms
  Install AT
    Tasks that you must complete for successful installation
    About installing and configuring an authentication broker
    Installing on Windows
    UNIX installation scripts: when to use install vs. installics
    Installing root plus authentication broker on UNIX
    Installing authentication broker only on UNIX
    Installing root broker only on UNIX
    About the encryption and the response files
    About rollback functionality
  Upgrade AT
    Secure cluster upgrades
    Non-secure cluster upgrades
  Steps for AT cluster configuration (all solutions)
  How to configure AT into Microsoft Cluster Server
    Steps to Configure AT into Microsoft Cluster Server
    Steps to Verify Cluster Configuration for Microsoft Cluster Server
  How to configure AT into VCS on Windows
    Sequence of steps for configuration and unconfiguration
    Detailed steps to configure AT into VCS on Windows
    Example of input prompts for interactive mode
    Configuration File Details for Windows
    How to verify configuration of authentication into VCS on Windows
    Unconfiguring authentication from VCS on Windows
  How to configure AT into VCS on UNIX
    How to check whether AT has already been configured
    Steps to configure AT into VCS on UNIX
    Configuration file details on UNIX
    How to verify configuration of AT into VCS on UNIX
    Unconfiguring AT from VCS on UNIX
  How to configure AT into Tru
    Steps to configure AT into Tru
    How to verify configuration status on Tru
  How to configure AT into Sun Cluster
    Steps to configure AT into Sun Cluster
    How to verify configuration into Sun Cluster
    AT SunCluster unconfiguration steps
  How to configure AT on HACMP
    Configuring AT on HACMP
    How to verify configuration on HACMP
    Unconfiguring AT on HACMP
    HACMP configuration details
  How to configure AT on HP Serviceguard
    How to configure AT into HP-SG
    Configuring silently
    Configuring interactively
    How to verify configuration status
    How to unconfigure authentication from HP-SG
  Uninstall
    Considerations before you uninstall
    How to uninstall
  About authenticating users in active directory
    Prerequisite for LDAP with AD
    Checking for LDAP compatibility
    Finding whether you have ldapsearch
    Searching users in active directory
    Configuring LDAP authentication
    Testing the configuration

Chapter 5 Tools
  The srvscan tool
  The new service scan dialog box in Windows install
  The findrb tool

Chapter 6 Clarifications
  Clarifications related to Installation Guide
    Directories that are spared from deletion
    How to find domain name
    Reminder to restart service
    Prompt appears only in cluster
    Uninstallation of selected features on Windows
    The term package name
    Location of log files, summary files, and response file on UNIX
  Clarifications related to Administrator's Guide
    User name and domain name requirements
    About cluster pdr type
    Expanded information on the -t option in vxatd
    Updating a principal
    How to access the CLI
    Minimum and maximum lengths
    Remote CLIs that accept only PBX port

Chapter 7 Recommendations
  Minimize the number of root brokers to one
  Remember to back up the broker's critical data
    Backing up on Windows
    Backing up on UNIX
    Restoring the broker's data on Windows
    Restoring the broker's data on UNIX
  Limit use of private domain repository accounts to Symantec services only
  Use care when entering passwords
  What to do if you have trouble starting vxatd
  When you must restart Authentication Broker on trusted HP systems
  Avoid sudden stops on Windows broker

Chapter 8 Procedures for HA deployment of the AT and AZ services
  How to deploy on VERITAS Cluster Server
    Terminology
    Steps to recognize which VCS mode you have
    How to determine whether a securable cluster is secured
    VCS non-securable (UNIX)
      VCS non-securable mode (UNIX): use case
      VCS non-securable mode (UNIX): use case
    VCS securable (UNIX)
      VCS securable (UNIX), used in insecure mode
      VCS securable (UNIX), used in the secure mode
    Veritas Cluster Server (Windows)
      Pre-requisites
      VCS securable (Windows)
      VCS securable (Windows) used in insecure mode: use case
      VCS securable (Windows) used in insecure mode: use case
      VCS securable (Windows) used in the secure mode: use case
      VCS securable (Windows) used in the secure mode: use case
  How to deploy on Microsoft Cluster Server
    Authentication server in root plus authentication broker mode
    Authentication server in authentication broker only mode
  How to deploy on SUN Cluster, HPSG, HACMP
    Authentication server in root plus authentication broker mode
    Authentication server in authentication broker only mode
  How to deploy on Tru Cluster
    Authentication server in root plus authentication broker mode
    Authentication server in authentication broker only mode

Index


Chapter 1 Overview

This chapter includes the following topics:
- About branding
- Product version
- New in this release
- Chart of fixed incidents
- Upgrading to higher versions
- Available documentation

About branding

Any version prior to this full-decimal release will not be re-branded and will continue to refer to Symantec Product Authentication Service and Symantec Product Authorization Service together as a single product called VERITAS Security Services or VSS.

Product version

These Release Notes for Symantec Product Authentication Service (AT) pertain to build x.

New in this release

VSSAT CLIs for LDAP configuration

The following LDAP configuration related CLIs are ported back to the 4.3 version from the 4.4 version to cover the StateStreet issues.

listldapdomains

Name
listldapdomains

Synopsis
For this command, use the following syntax, without line breaks:
vssat listldapdomains

Description
Use this command to list all the LDAP domains in the authentication broker. This command needs no additional parameters. Output is similar to the following:

listldapdomains
Found: 2
Domain Name: VSS
Server URL: ldap://your_ldap_server.com
SSL Enabled: No
User Base DN: <distinguished name of your user container>
User Object Class: posixaccount
User Attribute: uid
User GID Attribute: gidnumber
Group Base DN: <distinguished name of your group container>
Group Object Class: posixgroup
Group Attribute: cn
Group GID Attribute: gidnumber
...

Arguments
None

addldapdomain

Name
addldapdomain

Synopsis
For this command, use the following syntax, without line breaks:
vssat addldapdomain --domainname <domain name> --server_url <server URL> --user_base_dn <user base DN> --group_base_dn <group base DN> [--server_trusted_ca_file <trusted CA file name>] [--schema_type <rfc2307 | msad>] [--user_object_class <user object class> --user_attribute <user attribute> --user_gid_attribute <user GID attribute> --group_object_class <group object class> --group_attribute <group attribute> --group_gid_attribute <group GID attribute>] [--auth_type <FLAT | BOB | FLAT SKIPNESTED | BOB SKIPNESTED>] [--admin_user <admin user DN>] [--admin_user_password <admin user password>] [--search_scope <SUB | ONE | BASE>]

Description
Use this command to add an LDAP domain to the authentication broker. Users not familiar with how LDAP operates must work with their LDAP administrators to determine the following information:

- What type of LDAP directory the enterprise uses (for example Microsoft Active Directory, OpenLDAP or iPlanet). The type of LDAP directory dictates the type of schema to use.

- The URL of the LDAP directory. For example, ldap://my_ldap_host.mydomain.myenterprise.com:389 or ldaps://my_ssl_ldap_host.mydomain.myenterprise.com.
  Note: An LDAP URL must start with ldap:// for a non-SSL directory, or ldaps:// for an SSL-enabled LDAP directory.

- The distinguished name (DN) of the users container. Normally, the users container is in one of the naming contexts. For most LDAP directories, you can use the ldapsearch utility, provided by the directory vendor, to find out the naming contexts. For example:
  ldapsearch -h <my host> -s base -b "" namingContexts
  For Microsoft Active Directory, the users container resembles this example:
  cn=users,dc=<domain name>,dc=<enterprise name>,dc=com

- The distinguished name (DN) of the groups container. Normally, the groups container is in one of the naming contexts. For most LDAP directories, you can use the ldapsearch utility, provided by the directory vendor, to find out the naming contexts. For example:
  ldapsearch -h <my host> -s base -b "" namingContexts
  For Microsoft Active Directory, the groups container looks like this example:
  cn=users,dc=<domain name>,dc=<enterprise name>,dc=com

- The schema used for users and groups. If the enterprise has migrated its NIS data to the LDAP directory according to Request For Comments 2307, it must use the RFC 2307 schema. RFC 2307 uses the posixaccount objectclass for user objects and the posixgroup objectclass for group objects. If the enterprise uses Microsoft Active Directory, it must use the Microsoft Active Directory schema; in that schema the user objectclass holds user objects and the group objectclass holds group objects. If the enterprise uses neither RFC 2307 nor Microsoft Active Directory, it must determine the following:

  - The LDAP objectclass for user objects.
  - The LDAP objectclass for group objects.
  - The user attribute in the user objectclass that carries the user name/ID. AT uses the following rule to construct the DN of the user entry:
    <user attribute>=<user name>,<user container DN>
    For example, if the user attribute is configured to cn, the users container DN is configured to dc=mydomain,dc=myenterprise,dc=com and the user name for the authenticate call is jdoe, the LDAP DN for jdoe is:
    cn=jdoe,dc=mydomain,dc=myenterprise,dc=com
  - The group identifier (GID) attribute in the user objectclass that identifies the groups the given user belongs to.
  - The group attribute in the group objectclass that carries the group name. AT uses the following rule to construct the DN of the group entry:
    <group attribute>=<group name>,<group container DN>

    For example, if the group attribute is configured to cn, the groups container DN is configured to dc=mydomain,dc=myenterprise,dc=com and the group name is adm, the LDAP DN for adm is:
    cn=adm,dc=mydomain,dc=myenterprise,dc=com
  - The group ID attribute in the group objectclass that carries the group ID of the given group.

Note: It is not mandatory to restart the broker after adding the LDAP domain. However, the vssat authenticate command will not work for the newly added domain without the broker parameter until the broker is restarted.

Required arguments

--domainname <domain name>
A symbolic name that uniquely identifies an LDAP domain.

--server_url <server URL>
The URL of the LDAP directory server for the given domain. The LDAP server URL must start with either ldap:// or ldaps://. A URL starting with ldaps:// indicates that the given LDAP server requires an SSL connection (for example, ldaps://my-server.myorg.com:443). If the LDAP server URL starts with ldaps://, you must also specify --server_trusted_ca_file.

--user_base_dn <user base DN>
The LDAP distinguished name of the user container. For example, ou=user,dc=mydomain,dc=myenterprise,dc=com.

--group_base_dn <group base DN>
The LDAP distinguished name of the group container. For example, ou=group,dc=mydomain,dc=myenterprise,dc=com.

--auth_type <FLAT | BOB>
A string that dictates the type of LDAP authentication mechanism used for the given domain. AuthType can be either FLAT or BOB. FLAT means the existing one-level bind: the broker builds the user DN from the user attribute, the user name and the user base DN, and binds as that DN. BOB means Bind-Search(Obtain)-Bind: AT first binds to the directory with a proxy account, searches for the user's distinguished name, and then authenticates the user by binding as the DN it found. For example, AuthType=BOB.

--admin_user <admin user DN>
A string containing the DN of the admin user, or of any user that has search permission on the user container or user subtree specified by UserBaseDN. Use an account that has only that search permission: its password is stored in the broker configuration file. If the user container is searchable by anyone, including an anonymous user, this attribute can be configured to an empty string. For example, AdminUser="".
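The FLAT and BOB mechanisms above, as an added example that is not part of the original release notes or of AT's own code: a Python model that builds the DN (FLAT) or the search filter (BOB) from the configured user attribute and base DN, then performs the one-level bind, or the proxy bind, search and user bind, against a constructed in-memory directory. The escaping of the user name (RFC 4514 for the DN, RFC 4515 for the filter), the directory entries, the proxy account and the passwords are the example's own assumptions; the page does not say how AT escapes user input.

```python
"""Added example (not AT's own code): how the FLAT and BOB authentication
types turn a user name into an LDAP bind, against a small in-memory
stand-in for a directory.  Entries, accounts and passwords are constructed
for the example; the escaping is an addition the page does not describe."""
import re


def escape_dn_value(value):
    """RFC 4514 escaping for a value embedded in a DN (FLAT mode)."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == '#' and i == 0) \
                or (ch == ' ' and i in (0, len(value) - 1)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter (BOB mode)."""
    table = {'\\': '\\5c', '*': '\\2a', '(': '\\28', ')': '\\29', '\x00': '\\00'}
    return ''.join(table.get(ch, ch) for ch in value)


def flat_dn(user_attribute, username, user_base_dn):
    """<user attribute>=<user name>,<user container DN>, as the page states."""
    return f"{user_attribute}={escape_dn_value(username)},{user_base_dn}"


def bob_filter(user_attribute, username):
    """Search filter the BOB step uses to obtain the user's DN."""
    return f"({user_attribute}={escape_filter_value(username)})"


class FakeDirectory:
    """Constructed stand-in: DN -> (attributes, bind password); subtree search only."""

    def __init__(self, entries):
        self.entries = {dn.lower(): (dn, attrs, pw) for dn, attrs, pw in entries}

    def bind(self, dn, password):
        if dn == "":                          # anonymous bind, as with --admin_user ""
            return True
        entry = self.entries.get(dn.lower())
        return entry is not None and entry[2] == password

    def search(self, base_dn, filt):
        attr, _, raw = filt.strip("()").partition("=")
        value = re.sub(r"\\([0-9a-fA-F]{2})",
                       lambda m: chr(int(m.group(1), 16)), raw)  # undo RFC 4515
        return [dn for key, (dn, attrs, _) in self.entries.items()
                if key.endswith("," + base_dn.lower())
                and attrs.get(attr.lower()) == value]


def authenticate(directory, domain, username, password):
    """domain mirrors the addldapdomain arguments; returns the bound DN or None."""
    if domain["auth_type"] == "FLAT":
        dn = flat_dn(domain["user_attribute"], username, domain["user_base_dn"])
        return dn if directory.bind(dn, password) else None
    # BOB: bind as the proxy account, search for the user's DN, bind as that DN
    if not directory.bind(domain["admin_user"], domain["admin_user_password"]):
        return None
    hits = directory.search(domain["user_base_dn"],
                            bob_filter(domain["user_attribute"], username))
    if len(hits) != 1:                        # no match or ambiguous match: refuse
        return None
    return hits[0] if directory.bind(hits[0], password) else None


# Constructed directory: an RFC 2307 style subtree and an AD style one.
DIRECTORY = FakeDirectory([
    ("uid=jdoe,ou=people,dc=example,dc=com", {"uid": "jdoe"}, "S3cret!"),
    ("cn=svc-at,ou=svc,dc=example,dc=com", {"cn": "svc-at"}, "proxy-pw"),
    ("cn=Jane Doe,cn=users,dc=example,dc=com", {"samaccountname": "jane"}, "Pa55"),
])

FLAT_DOMAIN = {"auth_type": "FLAT", "user_attribute": "uid",
               "user_base_dn": "ou=people,dc=example,dc=com"}

# msad with BOB: the page says to use samaccountname as the user attribute.
BOB_DOMAIN = {"auth_type": "BOB", "user_attribute": "samaccountname",
              "user_base_dn": "dc=example,dc=com",
              "admin_user": "cn=svc-at,ou=svc,dc=example,dc=com",
              "admin_user_password": "proxy-pw"}
```

FLAT only works when every user sits directly under the base DN with a predictable RDN; BOB is what lets a user whose RDN is a display name (cn=Jane Doe) log in with a short account name, at the cost of a proxy credential on the broker. The escaping shows why the user name must be treated as data: without it, a name such as "jdoe,ou=svc" rewrites the DN and "jane)(cn=*" rewrites the filter.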

--admin_user_password <admin user password>
A string containing the bind password of the user specified in AdminUser. If AdminUser is an empty string, this attribute must also be an empty string. For example, AdminUserPassword="".

--search_scope <SUB | ONE | BASE>
A string that indicates the search scope. SearchScope can be SUB, ONE or BASE. For example, SearchScope=SUB.

Optional arguments

--server_trusted_ca_file <trusted CA file name>
The complete path to the file that contains the trusted CA certificates in PEM format. You must use this parameter if the given LDAP server URL starts with ldaps:// (indicating the need for an SSL connection). If the given LDAP server URL starts with ldap://, this parameter must be omitted.

--schema_type <schema type>
Specify which type of LDAP schema to use.
Note: If you use --schema_type, you must omit --user_object_class, --user_attribute, --user_gid_attribute, --group_object_class, --group_attribute and --group_gid_attribute; these values are set automatically from the schema type you chose. If you do not use --schema_type, neither the rfc2307 nor the msad values are set automatically, and you must provide all six values yourself.
Two default schema types are currently supported:
rfc2307: the schema specified in RFC 2307
msad: the Microsoft Active Directory schema
With rfc2307, the following schema is used:
User Object Class: posixaccount
User Attribute: uid
User GID Attribute: gidnumber
Group Object Class: posixgroup
Group Attribute: cn
Group GID Attribute: gidnumber
With msad, the following schema is used:
User Object Class: user
User Attribute: cn
User GID Attribute: memberof
Group Object Class: group
Group Attribute: cn
Group GID Attribute: cn
Note: For the msad schema, if you select auth type BOB, specify the user attribute as samaccountname.

--user_object_class <user object class>
Specify the LDAP object class for the user object (for example, posixaccount). This parameter is required when --schema_type is absent; do not use it together with --schema_type.

--user_attribute <user attribute>
Specify the user attribute within the user object class. AT builds the user DN as <user attribute>=<prplname>,<user base DN>. For example, the LDAP DN for jdoe is "cn=jdoe,dc=mydomain,dc=myenterprise,dc=com", where the <user attribute> is cn, the <prplname> is jdoe and the <user base DN> is dc=mydomain,dc=myenterprise,dc=com. Do not use this attribute if you use --schema_type.

--user_gid_attribute <user GID attribute>
Specify the attribute within the user object class that is used to retrieve the groups the user belongs to. Do not use this attribute if you use --schema_type.

--group_object_class <group object class>
Specify the LDAP object class for the group object (for example, posixgroup). Do not use this attribute if you use --schema_type.

--group_attribute <group attribute>
Specify the group attribute within the group object class. AT builds the group DN as <group attribute>=<group>,<group base DN>. For example, the LDAP DN for adm is "cn=adm,dc=mydomain,dc=myenterprise,dc=com", where the <group attribute> is cn, the <group> is adm and the <group base DN> is dc=mydomain,dc=myenterprise,dc=com. Do not use this attribute if you use --schema_type.

--group_gid_attribute <group GID attribute>
Specify the attribute within the group object class that is used to retrieve the group ID. Do not use this attribute if you use --schema_type.

Example 1
vssat addldapdomain --domainname MYADDOMAIN --server_url ldap://my_ad_host.mydomain.myenterprise.com --user_base_dn cn=users,dc=mydomain,dc=myenterprise,dc=com --group_base_dn cn=users,dc=mydomain,dc=myenterprise,dc=com --schema_type msad

Example 2
vssat addldapdomain --domainname MYENTERPRISE --server_url ldap://my_openldap_host.myenterprise.com --user_base_dn ou=people,dc=myenterprise,dc=com --group_base_dn ou=group,dc=myenterprise,dc=com --schema_type rfc2307

Example 3 (neither default schema, so all six attributes are given and --schema_type is omitted)
vssat addldapdomain --domainname TESTDOMAIN --server_url ldap://myldapserver.myenterprise.com --user_base_dn ou=users,ou=engineering,dc=myenterprise,dc=com --group_base_dn ou=groups,ou=engineering,dc=myenterprise,dc=com --user_object_class inetorgperson --user_attribute uid --user_gid_attribute gid --group_object_class MyDomainGroups --group_attribute cn --group_gid_attribute gid

Example 4
vssat addldapdomain --domainname TEST --server_url ldaps://my_openldap_host.myenterprise.com:443 --server_trusted_ca_file /usr/local/openssl/trusted_cas.pem --user_base_dn ou=people,dc=myenterprise,dc=com --group_base_dn ou=group,dc=myenterprise,dc=com --schema_type rfc2307

removeldapdomain

Name
removeldapdomain

Synopsis
For this command, use the following syntax, without line breaks:
vssat removeldapdomain --domain <domain to be removed>

Description
Use this command to remove an LDAP domain from the authentication broker.

Arguments
--domain <domain name>
A symbolic name that uniquely identifies an LDAP domain.

Example
vssat removeldapdomain --domain MYADDOMAIN

Storing obfuscated password in the config file

To reduce security risk, the clear text LDAP bind password is obfuscated before it is stored in the VRTSatlocal.conf file (config file). Both the broker and the LDAP configuration CLIs are enhanced to convert a clear text bind password to the obfuscated form. The addldapdomain CLI saves the bind password of the LDAP user in obfuscated form, and the listldapdomains CLI does not display the clear text bind password when it retrieves an LDAP domain; the password is shown obfuscated. Obfuscation only keeps the password out of casual view: the broker must recover the clear text to bind, so the config file still needs restrictive file permissions.

Note: To change the bind password for an existing LDAP domain, remove the domain and add it again. If the bind password was stored in clear text before the AT upgrade, the broker obfuscates it when the broker is restarted after the upgrade.

Limited support for PAM authentication plug-in

A stripped-down PAM plug-in is added in AT 4.3. The PAM plug-in allows authentication of Active Directory users through Vintela's PAM module, and also allows authentication of Unix LDAP users. Support is limited in that the plug-in has no talk-back capability with the client: it cannot run a PAM conversation that prompts the client for further input, and operates only on the user name and password supplied initially.

AuthSequence for unixpwd plug-in

To simplify the use of the PAM authentication plug-in, all the relevant plug-ins on a platform are brought under a common authentication type, unixpwd. The plug-ins are chained in a configurable order and tried sequentially until one of them authenticates the user. The unixpwd plug-in is enhanced to iterate through the sequence of available plug-ins. The sequence of plug-ins to try under the unixpwd domain type is specified in the broker configuration file: the DefaultAuthSequence parameter is added under the Authentication Broker section. By default, DefaultAuthSequence is set to "pam unixpwd nisplus nis" on Unix platforms and to "nt" on Windows.

During broker startup, the unixpwd plug-in looks for the DefaultAuthSequence parameter to identify the default authentication sequence. If the parameter is absent, the default value is written to the configuration file. You can edit the DefaultAuthSequence parameter manually.

New utilities

The following new utilities are added in AT 4.3.

athealth

Name
athealth

Synopsis
athealth -i <install dir> -d <data dir> [-l <log level>] [-g]

Description
The health check utility performs a quick scan of the basic sanity of a particular AT installation. It checks whether AT has been installed properly, and can be used to check the basic parameters when an error is encountered with the AT setup. The utility can be run on a client as well as on a broker installation.

Required arguments
-i <install dir>
The installation directory to be checked with the athealth utility. Typically this is the parent of the directory that contains vrtsat_t.dll or libvrtsat_t.so.
-d <data dir>
The data directory that holds the AT configuration and credential files.

Optional arguments
-l <log level>
Log level, a value from 0 (no logging) to 4 (maximum logging).
-g
Creates the output file "athealthconf.out", which contains the diagnostic information gathered during the run of the utility.

atldapconf

Name
atldapconf

Description
The LDAP configuration tool is a CLI program that facilitates configuring the LDAP plug-in for the authentication broker. Use it to connect to the enterprise LDAP server and detect the default parameters for searching users and groups. To call the LDAP configuration tool, run the atldapconf command. The tool has the following sub-commands:
-d, discover
-c, createatcli
-x, atconfigure

-d, discover

Name
discover

Synopsis
Use the following syntax, without line breaks:
atldapconf -d -s <ldap server name> [-p <ldap server port>] -u <search_user> [-g <search group>] [-f <attribute_list_file>] [-m <admin_username>] [-w <admin_password>] [-l <loglevel>]

Description
Use this command to connect to the LDAP server. It searches the attributes of the user and the group and creates an attribute list file that contains the valid values for each attribute in descending order of priority. You can change the order of priority. The discover command also retrieves the valid values of multi-valued LDAP attributes such as objectClass. Other attributes of the LDAP directory are configurable. Further, the command searches for the commonly used attributes that exist on the server and puts all the valid attributes into the same attribute list file. The commonly used attributes differ between LDAP implementations; these values are pre-defined in separate lists for each LDAP implementation, in a header file. For example, the list for user GID attributes looks like:
{"gidnumber", "memberof", "gid"}

Required arguments
-s <ldap server name>
Name of the LDAP server. On Windows platforms, if the machine is logged onto the network, this parameter is optional.
-u <search_user>
Used to find out the base search path for users.
-g <search group>
Used to find out the base search path for groups.

Optional arguments
-f <attribute_list_file>
Name of the attribute list file. The default file name is "AttributeList.txt".
-p <ldap server port>
The port of the LDAP server. The default value is 389.
-m <admin_username>
User name of the connecting user. This is required to make the initial connection to the LDAP server when anonymous searches are disabled.
-w <admin_password>
Password of the connecting user. This is required to make the initial connection to the LDAP server when anonymous searches are disabled.
To bind to the server, the command uses this user name and password. If these options are not provided, the command prompts for them. Currently, only simple authentication is supported, which sends the user name and password in clear text. Because the discover command offers no TLS option and defaults to port 389, the bind credentials cross the network unencrypted: use an account that has only search rights, run the tool over a trusted network path, and prefer the prompt to passing -w on the command line, where the password is visible in the process list and the shell history.
-l <loglevel>
Generates a log file named "atldapconf.debug". The loglevel determines how much information goes into the log; its value ranges from 0 to 4.

Examples
atldapconf -d -s sample.server.com -g SAMPLE-DIST-LIST

-c, createatcli

Name
createatcli

Synopsis
Use the following syntax, without line breaks:
atldapconf -c -d <domainname> [-i <attribute_list_file>] [-o <at_cli_file>] [-a <FLAT | BOB>] [-s <BASE | ONE | SUB>] [-l <loglevel>]

Description
Use this command to take the attribute list generated by the discover command as input. The command parses the attribute list file, selects the attribute with the highest priority for each setting, and creates a CLI file containing a complete vssat addldapdomain command.

Required arguments
-d <domainname>
The domain name.

Optional arguments
-i <attribute_list_file>
The name of the attribute list file. The default file name is "AttributeList.txt".
-o <at_cli_file>
The name of the AT CLI file. The default file name is "CLI.txt".
-a <FLAT | BOB>
The type of authentication. The default authentication type is FLAT.
-s <BASE | ONE | SUB>
The scope of the search. The default scope is SUB.
-l <loglevel>
Generates a log file named "atldapconf.debug". The loglevel determines how much information goes into the log; its value ranges from 0 to 4.

Examples
atldapconf -c -d domainname

-x, atconfigure

Name
atconfigure

Synopsis
Use the following syntax, without line breaks:
atldapconf -x [-f <at_cli_file>] [-p <at_install_path>] [-o <broker_port>] [-l <loglevel>] [-v verify]

Description
Use this command to read and execute the AT CLI that was generated by the -c, createatcli command, and add the domain to AT.

Optional arguments
-f <at_cli_file>
The name of the AT CLI file. The default file name is "CLI.txt".
-p <at_install_path>
The install path. If omitted, the command looks in the present working directory and in the default installation locations of older AT versions.
-o <broker_port>
The broker port. If omitted, the default broker port is used.
-l <loglevel>
Generates a log file named "atldapconf.debug". The loglevel determines how much information goes into the log; its value ranges from 0 to 4.
-v verify
Verifies the newly added domain after adding it. If required, the command prompts for a user name and password to check that the user can be authenticated.
Note: The broker service must be up and running to use the -v option.

Examples
atldapconf -x -l 4 -v
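The discover and createatcli steps above, as an added example that is not atldapconf's own code: a Python model that keeps, for each addldapdomain setting, the candidate attributes the directory actually has (in priority order, as discover does) and then renders the highest-priority choice of each into a vssat addldapdomain command line (as createatcli does). The user-GID priority list is the one quoted above; the other priority lists, the attribute-list file format and the directory entries are assumptions made for the example, and the shell quoting of every value is the example's own addition.

```python
"""Added example (not atldapconf's own code): discover-style candidate
selection followed by createatcli-style rendering of vssat addldapdomain.
Priority lists other than user_gid_attribute, the file format and the
directory entries are assumed for the example."""
import shlex

# Candidate attributes per setting, highest priority first.  The user-GID
# list is quoted from the page; the others are assumed for the example.
PRIORITY = {
    "user_object_class":   ["posixaccount", "user", "inetorgperson"],
    "user_attribute":      ["uid", "samaccountname", "cn"],
    "user_gid_attribute":  ["gidnumber", "memberof", "gid"],
    "group_object_class":  ["posixgroup", "group", "groupofnames"],
    "group_attribute":     ["cn"],
    "group_gid_attribute": ["gidnumber", "cn"],
}


def discover(user_entry, group_entry):
    """Like 'atldapconf -d': per setting, the candidates the directory really
    has, in priority order.  Entries are {attribute: [values]} dicts."""
    user_attrs = [a.lower() for a in user_entry]
    group_attrs = [a.lower() for a in group_entry]
    present = {
        "user_object_class":   [v.lower() for v in user_entry.get("objectclass", [])],
        "user_attribute":      user_attrs,
        "user_gid_attribute":  user_attrs,
        "group_object_class":  [v.lower() for v in group_entry.get("objectclass", [])],
        "group_attribute":     group_attrs,
        "group_gid_attribute": group_attrs,
    }
    return {k: [c for c in cands if c in present[k]] for k, cands in PRIORITY.items()}


def write_attribute_list(found):
    """Assumed file format: one 'setting: cand1 cand2 ...' line per setting."""
    return "".join(f"{k}: {' '.join(v)}\n" for k, v in found.items())


def parse_attribute_list(text):
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, vals = line.partition(":")
        out[key.strip()] = vals.split()       # editing the order changes priority
    return out


def create_at_cli(domain, server_url, user_base_dn, group_base_dn, attr_list,
                  auth_type="FLAT", scope="SUB"):
    """Like 'atldapconf -c': take the first candidate of each setting and
    render the command.  All six attributes are given explicitly, so
    --schema_type is omitted, as the page requires.  Every value is
    shell-quoted so DNs with spaces or metacharacters survive the CLI file."""
    missing = [k for k in PRIORITY if not attr_list.get(k)]
    if missing:
        raise ValueError("no candidate found for: " + ", ".join(missing))
    args = ["vssat", "addldapdomain",
            "--domainname", domain, "--server_url", server_url,
            "--user_base_dn", user_base_dn, "--group_base_dn", group_base_dn,
            "--auth_type", auth_type, "--search_scope", scope]
    for k in PRIORITY:
        args += ["--" + k, attr_list[k][0]]
    return " ".join(shlex.quote(a) for a in args)


# Constructed entries resembling an Active Directory user and group.
AD_USER = {"objectclass": ["top", "person", "user"], "samaccountname": ["jdoe"],
           "cn": ["Jane Doe"], "memberof": ["cn=eng,cn=users,dc=example,dc=com"]}
AD_GROUP = {"objectclass": ["top", "group"], "cn": ["eng"],
            "member": ["cn=Jane Doe,cn=users,dc=example,dc=com"]}

# Constructed entries resembling an RFC 2307 user and group.
NIS_USER = {"objectclass": ["posixaccount"], "uid": ["jdoe"], "gidnumber": ["100"]}
NIS_GROUP = {"objectclass": ["posixgroup"], "cn": ["adm"], "gidnumber": ["4"]}


def example(user, group, domain, auth_type):
    found = discover(user, group)
    text = write_attribute_list(found)        # what discover would save to disk
    return create_at_cli(domain, "ldap://dc1.example.com",
                         "cn=users,dc=example,dc=com", "cn=users,dc=example,dc=com",
                         parse_attribute_list(text), auth_type=auth_type)
```

Run against the AD-style entries the selection lands on user/samaccountname/memberof and group/cn/cn, which is the page's msad table with the BOB adjustment; against the RFC 2307 entries it lands on posixaccount/uid/gidnumber and posixgroup/cn/gidnumber. Review the generated CLI file before handing it to atconfigure: it is executed as-is, and a wrong base DN or attribute silently authenticates nobody, or the wrong people.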

25 Overview New in this release 15 Broker credential renewal Brokers keep track of the validity period of their credentials and automatically start renewing the credentials one year before the expiry of the existing credentials. Broker credential renewal can be done automatically as well manually. Automatic broker credential renewal process 1 Broker startup: During startup, the broker checks if the automatic broker credential renewal is on. Automatic renewal is on by default. Consuming products can turn it off using the AutomaticCredentialRenew parameter. For more information, see AutomaticCredentialRenew. If this parameter is set to off, the broker does not attempt to renew the credential by itself. Administrator will have to do this manually. 2 Renewal threshold period: If the automatic renewal is on, then broker checks the renewal threshold period. It is one year before the expiry of the existing credential. For example if the validity is for eight years, then seven years from the time broker is commissioned. 3 Renewing broker credentials: If the renewal threshold period is reached, then it will start renewing the broker credentials. First, the broker will take a snapshot of its certificate store. This will allow us to restore to the previous state if something goes wrong. a b If the current broker mode is Root or Root+AB, then the Root credential is renewed first. A new Root credential is generated out of the existing Root key pair and deposited in the credential store. The new Root credential has a new validity period. This new Root credential over writes the existing Root credential in both regular certificate store and the trusted store. For more information see, Renewing Root broker credentials. If the broker mode is Root+AB, then a new AB credential is generated using the existing AB key pair. The new AB credential has a new validity period. For more information see, Renewing Root+AB credentials. 
b If the current broker mode is AB only, the broker renews its own credential with its remote Root broker. Note: The AT package on the AB machine needs to be upgraded for this. The default AB credential renewal threshold is set to a week less than the Root's. Thus, the AB's credentials are renewed one week after the Root's credentials are renewed.

The new AB credentials have a new validity period and overwrite the older credentials. For more information, see Renewing AB credentials.

If the renewal fails, the broker still comes up with its existing credential and retries the operation a day later. The broker keeps trying until the renewal is successful.

Broker credential renewal can also be done manually using the -w option. For more information, see Manual broker credential renewal option.

Renewing Root broker credentials
This automatic credential renewal is triggered upon reaching the renewal threshold. Alternatively, the administrator can renew the Root credentials manually. For more information, see Renew Root broker credentials.

Renewing AB credentials
The AT broker supports AB credentials of remote Root brokers. However, the AB needs to re-establish trust with the remote Root broker if that broker is running in Root only mode. This is because a broker running in Root only mode uses the Root credential to accept incoming connections, and when it renews the Root credential, clients have to re-establish trust with that Root broker. On the other hand, the AB is not required to re-establish trust if the remote Root broker is running in Root+AB mode, because the remote Root+AB broker uses its AB credential to accept connections and the certificate chain is completed using the old Root credential from the client's trusted store.

If products do not want to upgrade their ABs, they can manually acquire a new credential for each AB that is under the newly renewed Root broker.

To acquire new credentials manually
1 Perform a setuptrust against the renewed Root broker to download the new Root credentials.
2 Run the following command to acquire new AB credentials:
vxatd -a -n <broker identity> -p <password> -x <domain type> -y <domain name> -q <root broker name> -z <root broker port> -h <hash file name>
The new AB credentials are available with their new validity.
Renewing Root+AB credentials
To renew the credentials of a Root+AB broker, first renew the Root broker credentials and then the AB credentials, as explained above.

AT client and broker credential renewal
The existing credentials issued by the AB continue to function even after the AB credentials are renewed. Clients can continue to acquire new credentials and renew existing credentials until the older Root credential expires. Clients continue to operate with the older Root credential in their trusted store; thus, peer credentials that are signed by either the old or the new AB are accepted. Similarly, the old credentials issued by the old (pre-renewal) broker are accepted by peers that have established trust with the new (renewed) Root broker.

The new credentials issued by the renewed AB and Root brokers can have an expiry date up to 20 years out. The actual expiry date depends on the type of credential and the expiry intervals.

To download the new Root credentials, AT clients are required to re-establish trust with their broker once before the old Root credential expires. AT clients can re-establish trust within a year (the Root credential renewal threshold period) after the Root/AB renewed their credentials. To perform the trust establishment in high security mode, the clients need to receive the hash of the new Root credential out of band. If the AT CLI is used, it prompts to verify the incoming Root credential.

Broker renewal configuration parameters
The following parameters are added to the broker configuration to support automatic broker credential renewal:

AutomaticCredentialRenew
Configures the broker to automatically renew its credentials towards the end of the validity period. This parameter applies to both Root and AB.
Section: [Security\Authentication\Authentication Broker]
Key: AutomaticCredentialRenew
Type: Integer
Allowed Values: 0/1
Default: 1

RootRenewThreshold
Specifies when the automatic Root broker credential renewal should happen. The broker starts credential renewal when the remaining validity period falls below this limit.
Section: [Security\Authentication\Authentication Broker]
Key: RootRenewThreshold

Type: Integer
Unit: days
Allowed Values: 1 to 20*365
Default: 365

ABRenewThreshold
Specifies when the automatic AB credential renewal should happen. The broker starts credential renewal when the remaining validity period falls below this limit.
Section: [Security\Authentication\Authentication Broker]
Key: ABRenewThreshold
Type: Integer
Unit: days
Allowed Values: 1 to 20*365
Default: 360

ABCredExpiry
Specifies the credential expiry limit for the new AB credentials issued by a Root broker.
Section: [Security\Authentication\Authentication Broker]
Key: ABCredExpiry
Type: Integer
Unit: seconds
Default Value: 20*365*24*3600

RBCredExpiry
Specifies the credential expiry limit for the new Root credentials.
Section: [Security\Authentication\Authentication Broker]
Key: RBCredExpiry
Type: Integer
Unit: seconds
Default Value: 20*365*24*3600

Manual broker credential renewal option
To manually renew the broker credentials, use the -w option added to vxatd. This command takes a backup of the existing credential store.
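The automatic renewal decision described above (startup check, per-mode renewal order, thresholds and expiry limits taken from the parameters just listed), modelled as an added example written for these notes; it is not Symantec product code. The configuration text, credential dates and function names are constructed for the example.

```python
"""Model of the automatic broker credential renewal check (added example,
not Symantec code). Reads the documented [Security\\Authentication\\
Authentication Broker] keys and decides what a broker would renew at startup.
The configuration text and credential dates below are constructed samples."""
import configparser
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

SECTION = r"Security\Authentication\Authentication Broker"
MAX_THRESHOLD_DAYS = 20 * 365      # documented allowed range is 1 to 20*365 days

# Constructed sample configuration using the documented default values.
SAMPLE_CONFIG = r"""
[Security\Authentication\Authentication Broker]
AutomaticCredentialRenew = 1
RootRenewThreshold = 365
ABRenewThreshold = 360
ABCredExpiry = 630720000
RBCredExpiry = 630720000
"""


@dataclass(frozen=True)
class RenewalConfig:
    automatic: bool
    root_threshold_days: int
    ab_threshold_days: int
    ab_cred_expiry_seconds: int
    rb_cred_expiry_seconds: int


def _threshold(section, key: str, default: int) -> int:
    """Read a *RenewThreshold value (days) and enforce the documented range."""
    days = section.getint(key, default)
    if not 1 <= days <= MAX_THRESHOLD_DAYS:
        raise ValueError(f"{key} must be 1..{MAX_THRESHOLD_DAYS} days, got {days}")
    return days


def load_renewal_config(text: str) -> RenewalConfig:
    """Parse the broker configuration; absent keys fall back to documented defaults."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_section(SECTION):
        raise ValueError(f"missing section [{SECTION}]")
    section = parser[SECTION]
    auto = section.getint("AutomaticCredentialRenew", 1)
    if auto not in (0, 1):
        raise ValueError("AutomaticCredentialRenew must be 0 or 1")
    return RenewalConfig(
        automatic=bool(auto),
        root_threshold_days=_threshold(section, "RootRenewThreshold", 365),
        ab_threshold_days=_threshold(section, "ABRenewThreshold", 360),
        ab_cred_expiry_seconds=section.getint("ABCredExpiry", 20 * 365 * 24 * 3600),
        rb_cred_expiry_seconds=section.getint("RBCredExpiry", 20 * 365 * 24 * 3600),
    )


def renewal_plan(mode: str, now: datetime, root_not_after: Optional[datetime],
                 ab_not_after: Optional[datetime], cfg: RenewalConfig) -> List[str]:
    """Credentials the broker would renew at startup, in the documented order.

    mode is "Root", "AB" or "Root+AB". Root is renewed before AB (step 3a);
    an AB-only broker renews only its own credential (step 3b). A credential
    is due once its remaining validity falls below the configured threshold.
    """
    if mode not in ("Root", "AB", "Root+AB"):
        raise ValueError(f"unknown broker mode {mode!r}")
    if mode != "AB" and root_not_after is None:
        raise ValueError("Root credential expiry is required for Root and Root+AB")
    if mode != "Root" and ab_not_after is None:
        raise ValueError("AB credential expiry is required for AB and Root+AB")
    if not cfg.automatic:
        return []                  # AutomaticCredentialRenew = 0: manual renewal only
    plan: List[str] = []
    if mode in ("Root", "Root+AB"):
        if root_not_after - now < timedelta(days=cfg.root_threshold_days):
            plan.append("root")
    if mode in ("AB", "Root+AB"):
        if ab_not_after - now < timedelta(days=cfg.ab_threshold_days):
            plan.append("ab")
    return plan


def new_not_after(renewed_at: datetime, expiry_seconds: int) -> datetime:
    """Expiry of a renewed credential: the *CredExpiry limit counted from renewal."""
    return renewed_at + timedelta(seconds=expiry_seconds)


def next_attempt(now: datetime, succeeded: bool) -> Optional[datetime]:
    """A failed renewal keeps the existing credential and is retried a day later."""
    return None if succeeded else now + timedelta(days=1)
```

With the documented defaults and an eight-year Root credential, the plan stays empty until the remaining validity drops under 365 days, and the AB credential joins the plan five days later.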

Shut down the broker process before running vxatd with the -w option, and start it manually afterwards.

Renew Root broker credentials
Run the following command to renew the Root broker credentials:
# vxatd -o -r -w

Renew Authentication broker (AB) credentials
Run the following command to renew the Authentication broker credentials:
# vxatd -o -a -w

Renew Root+AB credentials
# vxatd -o -a -r -w
You can also renew the Root+AB broker in two steps. First, renew the Root credential only and then renew the AB credential, as explained above.

Configuring broker validity
Products can configure the broker credential validity up to 20 years. Only the renewed credentials can be configured for such validity.

Chart of fixed incidents
This topic discusses the fixed issues for which incident numbers are available in this release of Symantec Product Authentication Service. Table 1-1, Fixed issues, by number, shows fixed numbered issues, sorted in ascending order by incident number.

Table 1-1 Fixed issues, by number
Etrack Incident   Abstract
                  Garbage is displayed in Java GUI when you use the CLI to add the name of a principal with Chinese characters
                  LDAP authentications for duplicate user entries across LDAP subdomains
                  User attribute for auth type BOB and schema type msad

Upgrading to higher versions
After installing x, if you need to upgrade to AT 4.4/5.0, make sure you upgrade to x/x or higher.

Available documentation
The at_admin.pdf file on your disc provides information on the following topics:
Basic terminology and concepts
Architecture of Symantec Product Authentication Service
Description and use of the command line interface
Description and use of the administration console

The at_install.pdf file on your disc provides information on the following topics:
System requirements
Installation and configuration of Symantec Product Authentication Service
Special information related to installation in a clustered environment

Chapter 2 Requirements and alerts

Note: Any version prior to this full-decimal release will not be re-branded and will continue to refer to Symantec Product Authentication Service and Symantec Product Authorization Service together as a single product called VERITAS Security Services or VSS.

This chapter contains the following topics:
Supported platforms
Required patches and service packs
Not supported
How to use GSS-API on non-standard Solaris
How to connect to authorization server on UNIX platforms
When you must remove startup scripts in cluster configuration
Home directory requirement
How to choose patch vs. fresh installation

Supported platforms
The following chart shows support for Symantec Product Authentication Service:

Platform                                  AT support
AIX , 5.1, 5.2, 5.3, 6.1 (32 bit)         Server and client
AIX 5.1, 5.2, 5.3, 6.1 (PPC 64bit)        Client only
FreeBSD 4.9 (x86)                         Client only; was not released in
HP-UX 11.00, 11.11,                       Server and client
IRIX (MIPS-32)                            Client only
Linux Redhat AS 2.1 (on x86)              Server and client
Linux Redhat AS/ES 3.0 (on x86)           Server and client
Linux Redhat AS/ES 3.0 (on IA64)          Server and client (64 bit)
Linux Redhat EL 4.0 (on x86_64)           Server and client (32 bit compatibility mode)
Linux Redhat EL 4.0 (on IA 64)            Server and client
Linux SuSe SLES 8.0, 9.0 (on x86)         Server and client
Linux SuSe SLES 8.0, 9.0 (on IA64)        Server and client (64 bit)
Linux SuSe SLES 9.0 (on x86_64)           Server and client (32 bit compatibility mode); native 64 bit client
Linux MontaVista 11.0 (on x86)            Client only
Linux WS 21, 30 (on x86)                  Client only
Mac OS 10.3 (PPC)                         Client only
Solaris 6 (Sparc)                         Desupported AT 4.2 and above
Solaris 7, 8, 9, 10 (Sparc)               Server and client
Solaris 7, 8, 9, 10 (Sparc 64 bit)        Server and client
Solaris 10 (x86)                          Server and client
Solaris 10 (x86-64)                       Client only
Tru64 5.1, 5.2                            Server and client
Windows 2000, 2003 (on x86)               Server and client

Platform                                        AT support
Windows XP SP1 and SP2 (on x86)                 Server and client
Windows Storage Server 2003 (on x86)            Server and client
Windows 2000 SAK, SAK Business Server (on x86)  Client only
Windows 2003 (on x86_64)                        Client only (64 bit and 32 bit compatibility mode)
Windows 2003 (on IA64)                          Server and client (64 bit and 32 bit compatibility mode)

LIBRARY_PATH requirement with installvss
If you use installvss to install AT, you must set LD_LIBRARY_PATH to the specified location. For example:
export LD_LIBRARY_PATH=perl/lib/5.8.0/alpha-dec_osf-thread-multi/CORE:$LD_LIBRARY_PATH

Required patches and service packs
Below is a list of patches for HP-UX 11.x. Some or all of the patches mentioned in this document may have been revised. If the base patch is unavailable, the cumulative patch containing the base patch should be applied.

Patches that are required for HP
The chart below lists patches for HP

Table 2-1 Patches for HP
Patch ID       Patch Description
PHSS_26559     s700_ ld(1) and linker tools cumulative patch
PHSS_24303     11.0 ld(1) and linker tools cumulative patch
PHSS_24627     11.0 HP aC++ -AA runtime libraries (aCC A.03.33) or
PHSS_26945     11.0 HP aC++ -AA runtime libraries (aCC A.03.37)

Table 2-1 Patches for HP (continued)
Patch ID       Patch Description
PHSS_32229     LIBCL patch. After installation, if there is an error related to cfc_flush, install patch PHSS_33403
PHCO_18227     libc cumulative patch
PHCO_29633     11.0 libc cumulative patch
PHCO_26960     Pthread library cumulative patch

Patches that are required for HP
Table 2-2 Patches for HP
Patch ID       Description
PHSS_26560     1.0 ld(1) and linker tools
PHSS_24304     1.0 ld(1) linker tools cumulative patch
PHSS_          ld(1) HP aC++ run-time libraries a3.37

Service packs
The list below shows the service packs required for successful installation of AT on the Windows platform:
For NT 4.0, service pack 3
For Windows 2000, service pack 2
For Windows 64 bit machines, you should have Service Pack 1 in order to support side by side installation of 32 bit and 64 bit.

C runtime requirement for AIX 3.x
On all AIX 3.x versions, the required C runtime (bos.rte.libc) should be at level

Other patches and requirements
We recommend 100MB disk space.
We recommend 256MB memory.
The minimum glibc version required on a Linux RedHat EL bit machine is

For SunOS 5.8, you should install patch
On Solaris x86, users must install the latest GSS-API patches in order for GSS-API to work.
For AIX 4.3, C Runtime (bos.rte.libc) should be at level

Solaris zone support
AT 4.3 packages should be installed from the global zone. They automatically get propagated into all the existing and yet-to-be-created local zones. AT packages contain the following package parameter:
SUNW_PKG_ALLZONES=true

Not supported
We do not support making the root broker highly available on secure clusters.
The ICS Installer does not support the following types of installation for AT and AZ:
Upgrade on servers from authentication broker only to root plus authentication broker
Push installs of either the client or the server (broker) to remote machines
Silent (non-interactive) upgrades of the server/broker
Before you perform an upgrade of AT or AZ, shut down local Symantec applications that are using AT or AZ services. Otherwise, the upgrade process imposes a short outage that could impact the applications that need those services.

How to use GSS-API on non-standard Solaris
GSS-API is available on Solaris OS 5.7 and onward. However, GSS-API may not be available on a non-standard Solaris OS. Before installing AT onto a non-standard Solaris OS, the user must install Solaris Enterprise Authentication Mechanism (SEAM) from Sun.

How to check that you have SEAM
If the SunOS is not a custom build and it is 5.9 or above, SEAM should be there by default. Make sure that the following directories and files exist:

The file /etc/gss/mech
The directory /usr/lib/gss/
The file /usr/lib/libgss.so.1

How to connect to authorization server on UNIX platforms
To connect to the authorization server from within the administration console on all UNIX platforms, you must enter the domain name. This is a required field.

When you must remove startup scripts in cluster configuration
If you are doing cluster configuration on any UNIX platform, you need to remove the startup scripts that get installed with the package. Once your services are cluster enabled, you want the cluster to decide when and how the service should be started. Since clustered services usually depend on bringing some shared storage online, it is better if these startup scripts are removed. These startup scripts (S700vxatd on HP-UX, S70vxatd on others) are in the run level 2 directories (/etc/rc2.d on Solaris, /etc/rc.d/rc2.d on AIX, /sbin/rc2.d on HP-UX, /etc/rc.d/rc2.d on Linux, /sbin/rc2.d on Tru64). If you are not sure of the run level, run the following command:
who -r

Startup scripts in non-cluster configuration
The following procedure is a workaround for startup scripts on UNIX. If the run level on UNIX is other than 2, and you want AT to be started on reboot, copy the startup scripts from the run level 2 directory into the directory for the run level you are running. For example, if you are running run level 3, then on Solaris copy /etc/rc2.d/S70vxatd to /etc/rc3.d. Similarly, the kill script K99vxatd should be copied for stopping the service.

Home directory requirement
This version of Symantec Product Authentication Service requires that non-root users have their home directories set properly in the namespace that they use to

login to the host (NIS/NIS+ or /etc/passwd). Therefore, all products that integrate with AT will require their users to have their home directories set.

How to choose patch vs. fresh installation
Use the following guidelines to determine whether your system was configured under the old model:
For non-securable VCS: If you see a vxatd resource, your system was configured under the old model.
For securable VCS: If you see a vxssclusterpdr resource group, your system was configured under the old model.
If AT is already configured into VCS as per the old model, you should configure the authentication path by running VxATclconf.pl with the -P option from the "C:\Program Files\VERITAS\Security\Authentication\bin" directory. See Detailed steps to configure AT into VCS on Windows and Steps to configure AT into VCS on UNIX.


Chapter 3 Known Issues

This chapter includes the following topics:
Chart of open incidents
Numbered issues

Chart of open incidents
Table 3-1, Known issues, by number, shows known issues, with numbers, sorted in ascending order by incident number.

Table 3-1 Known issues, by number
Etrack Incident   Abstract
                  Unneeded config actions required while upgrading AT binaries
                  Failure in detecting primary group for LDAP user
                  Only local installs and upgrades are supported using installvss script
                  No upgrade option for client package on Sun AMD
                  Unable to install x64 client if old server is installed on System
                  Not able to make AT HA on MSCS W2k8 AMD machine
                  vxatd process doesn't come up after upgrade
                  setuptrust takes 1 min if pbx is not running on broker
                  Domainname needs to be passed for localhost authentication to succeed

Numbered issues
This topic discusses known issues for which incident numbers are available in this release of Symantec Product Authentication Service.

( ) Unneeded config actions required while upgrading AT binaries
While upgrading AT binaries to the AT x version, despite choosing not to configure the AT Server, the Installer prompts to set the Root Broker and Authentication Broker passwords. The user is asked to provide the following unneeded information:
Enter password for root broker administrator
Reenter password for root broker administrator
Enter password for authentication broker administrator
Reenter password for authentication broker administrator

Further, despite the broker not being configured, the CPI Installer gives a success message after it tries to start the AT server. The following message is displayed:

SYMANTEC PRODUCT AUTHENTICATION SERVICE INSTALLATION PROGRAM
Do you want to start Symantec Product Authentication Service processes now? [y,n,q] (y)
Symantec Product Authentication Service was started successfully.
Press [Return] to continue.

( ) Failure in detecting primary group for LDAP user
AT fails to detect the primary group of the Active Directory user for an LDAP domain. After adding an LDAP domain and authenticating the LDAP user, vssat showcred does not reflect the primary group of this user in the credentials returned by AT. However, the credential lists the secondary groups that the user is a member of in Active Directory. This issue persists because the AT code (all branches) does not implement getting the primary group for a user from Active Directory, due to Microsoft's implementation.

( ) Only local installs and upgrades are supported using installvss script
When the installvss script is run to upgrade VxAT, a prompt is displayed asking for the system names where AT is to be installed/upgraded. Currently, only local installs and upgrades are supported when using the installvss script. Remote system configuration is not done correctly when remote systems are specified during the install/upgrade.
Workaround
Run the installvss script locally on each of the machines where AT is to be installed/upgraded.

( ) No upgrade option for AT Client package on Sun AMD platform
The AT Client package cannot be upgraded on the Sun AMD platform.

Workaround
Follow the given steps:
1 Back up /etc/vx/vss.
2 Back up /var/vrtsat.
3 Remove the package, using the pkgrm command.
4 Add the new package, using the pkgadd command.

( ) No upgrade option for AT Client package on Sun AMD platform
The x64 client cannot be installed on a system if an old server is installed on it.
Workaround
This workaround is applicable only while installing the Solaris/Linux x64 (AMD64) client. Follow the given steps:
1 Back up /etc/vx/vss.
2 Back up /var/vrtsat.
3 Remove the package, using the rpm command.
4 Add the new package, using the rpm command.

( ) Unable to make AT HA on MSCS W2k8 AMD machine
In this release, AT will not be HA on an MSCS W2k8 AMD machine.

( ) vxatd process doesn't come up after upgrade
After upgrading AT to x, the vxatd process does not restart. You need to restart the vxatd process manually.

( ) setuptrust takes 1 min if pbx is not running on broker
On a machine where PBX is installed but not running, the client still first tries to authenticate using the PBX port until the time-out, and then uses the regular broker port. Thus, setuptrust takes more time than the 2 seconds it should take in a normal scenario.

( ) Domainname needs to be passed for localhost authentication to succeed
When authenticating to a local host, you need to provide the domain name.

Chapter 4 Procedures

This chapter includes the following topics:
Common terms
Install AT
Upgrade AT
Steps for AT cluster configuration (all solutions)
How to configure AT into Microsoft Cluster Server
How to configure AT into VCS on Windows
How to configure AT into VCS on UNIX
How to configure AT into Tru64
How to configure AT into Sun Cluster
How to configure AT on HACMP
How to configure AT on HP Serviceguard
Uninstall
About authenticating users in active directory

Common terms
The table below defines terms that are common to the discussions of installation and configuration of Symantec Product Authentication Service for all platforms.

AT Service Virtual Name         The hostname for the AT Service Virtual IP Address.
AT Service Virtual IP Address   The IP address for the AT Service Virtual Name.
Mount Point                     The shared mount point for the Authentication data files.
Network Interface               The network interface where the AT Service Virtual Name will be presented.
install_dir                     The installation directory for Symantec Product Authentication Service. For example, <install_dir>/bin/vssat would correspond to /opt/vrtsat/bin/vssat on UNIX and C:\Program Files\VERITAS\Security\Authentication\bin\vssat on Windows.

Install AT
There have been a number of changes in installation since the publication of the Symantec Product Authentication Service Installation Guide. These Release Notes include the most up to date information.

Tasks that you must complete for successful installation
You must install at least one root broker, one authentication broker, and one authentication client. Perform the tasks in the following order:
Select an installation mode
Install a root broker
Install an authentication broker, if you did not select root plus authentication broker mode when installing the broker
Install client or clients

About installing and configuring an authentication broker
If you plan to install an authentication broker on a machine separate from a root broker, you must perform the following tasks:
1 Provision an identity for the authentication broker. (See "Provisioning an identity for the authentication broker" in the Installation Guide.)
2 Copy the root hash file from the root machine to the authentication broker machine. (See "Finding and copying the root hash file" in the Installation Guide.)
3 Run the install program again to install the authentication broker machine.

Installing on Windows
On a Windows platform, you can install the authentication broker either interactively or in silent mode. The present topic discusses only the interactive mode. For information on silent mode, see the Installation Guide.

To install on Windows using a traditional wizard
1 Log on as administrator on the machine where you want to install.
2 Confirm that the machine uses the NTFS file system. FAT does not provide any file system security and hence compromises the security of AT.
3 Run VxSSVRTSatSetup.exe from the CD.
4 When the opening InstallShield wizard screen is displayed, click Next.
5 When the Setup Type screen is displayed, select Complete and click Next.
6 If you are installing AT on a cluster, do the following:
In Destination Folder on the Setup Type dialog box, click Browse.
In the Path text box on the Choose Folder dialog box, type the new path: C:\Program Files\VERITAS\Security\
Then click OK.
When you have completed your selections, click Next.
7 On the Authentication Broker Service Options screen, select the mode, and indicate whether or not the service is clustered. Click Next.
8 (If the service is not clustered) Indicate whether the service is to be started manually or automatically and whether it is to be started immediately after installation. This area is greyed out if you enable clustering.

9 (For Authentication Broker Only mode) Indicate whether you want authentication to look for root brokers.
10 (For Authentication Broker Only mode) If you selected Yes, provide the IP range to scan, and click Next.
11 (For Authentication Broker Only mode) If you requested a scan, select a root broker from the list when the root brokers dialog box is displayed, and click Next.
12 (For Authentication Broker Only mode) Complete the Authentication Broker Identity screen as follows, and then click Next:
In the Root Broker area:
For Host Name, enter the host name or IP address that allows the authentication broker to reach the root broker.
For Port, keep or change the port number, whose default is
For Hash File, click Browse to browse for the root_hash file you copied from the root broker. Or type the value into the Hash Value field.
In the Broker Identity area:
For Name, enter the identity of the authentication broker as configured in the root broker's private domain repository.
For Password, enter the password for the authentication broker as configured in the root broker's private domain repository.
For Domain Name, enter the domain in which the root and this authentication broker reside.
13 (For all modes) Provide the password or passwords and click Next.
14 When the InstallShield Wizard Complete screen is displayed, click Finish.
15 If you need to configure AT to use the cluster, run the cluster configuration script. See one of the following:
How to configure AT into VCS on Windows
How to configure AT into Microsoft Cluster Server

UNIX installation scripts: when to use install vs. installics
The install script is a wrapper around installics: it simply invokes installics and then, after installics finishes, asks whether you want to continue or exit. If you answer "y", the install script invokes installics again. Otherwise, it exits to the command line prompt.

Guidelines for use are as follows:
Use installics if you just want to perform one operation (install, upgrade, configure, or uninstall) on the host.
Use install if you need to perform several sequential operations with installics.

Installing root plus authentication broker on UNIX
Before you install AT in root plus authentication broker mode, you must do the following:
Select an administrator password of at least 5 characters for the root broker and the authentication broker
If you intend to configure AT to use a cluster, determine the cluster name

To install root plus authentication broker
1 Go to the directory in which the installics script is located, and type the following command to invoke installics:
./installics
2 At the task menu, type I to install or upgrade a product.
3 When you are prompted to select a product to install, type 2 to install the Symantec Product Authentication Service.
4 When you are prompted to install the AT server, type y.
5 When you are prompted to select the mode in which AT will be installed, type 1 for the Root+AB mode.
6 When you are prompted for the system name, type the name of the host on which you are installing AT. The ICS Installer does not support remote installation (push install) for AT. Install AT on the local host only.
7 When the package to be installed is displayed, press Enter to continue, and then allow the installation to complete. The VRTSat package will be installed. The following message is displayed when the installation is complete:
Installation completed successfully on all systems
8 When you are prompted to configure AT, type y.
9 When you are prompted for the root broker administrator password, type in the password that you selected.

The password must be at least 5 characters. No characters are echoed when you type in the password, and you will not be prompted to retype it for confirmation. Be careful to type it correctly.
10 When you are prompted for the authentication broker administrator password, type in the password you selected. The password must be at least 5 characters. No characters are echoed when you type in the password, and you will not be prompted to retype it for confirmation. Be careful to type it correctly.
11 If the Symantec Private Branch Exchange is installed on the host, you receive the following prompt:
Do you want to enable Private Branch Exchange (PBX) support in Authentication Broker Server? [y,n,q] (n)
If you receive this prompt, type y if you want AT to communicate through the Private Branch Exchange. Otherwise, type n. AT can be configured to communicate with its clients through the Private Branch Exchange over port 1556 rather than over the default broker port.
12 If the host on which you are installing AT is part of a cluster, you receive the following prompt:
Will HostName be configured as part of a cluster? [y,n,q] (n)
If you receive this prompt, do the following:
If you intend to configure AT to use the cluster, type y. Otherwise, type n.
If you typed y, enter the cluster name when you are prompted for the logical cluster name.
The ICS Installer must know whether AT will be configured to use a cluster. However, it will not perform the cluster configuration. You will be instructed to perform the cluster configuration manually later in this procedure.
13 When you are prompted to start the Symantec Product Authentication Service processes, type y if you want to start them now. Otherwise, type n.
If you type n, you can type the following command to start the service at a later time:
/opt/vrtsat/bin/vxatd
14 When you are prompted for an encryption key, type a string of at least five characters to use as a key for encrypting the installics response file. Since the installics response file contains the broker passwords, it must be encrypted for security reasons. To decrypt the response file for a silent installation, you must insert this key string into a file, and then specify the key file name with the installics -enckeyfile option.

See About the encryption and the response files.
15 Press Enter to continue. The installics script exits.
16 If you need to configure AT to use the cluster, run the cluster configuration script. See one of the following:
How to configure AT into VCS on UNIX
How to configure AT into Tru64
How to configure AT into Sun Cluster
How to configure AT on HACMP
How to configure AT on HP Serviceguard

Installing authentication broker only on UNIX
Before you install AT in authentication broker only mode, you must do the following:
Select a remote root broker
Copy the root broker /opt/vrtsat/bin/root_hash file to the host on which you are installing the authentication broker. See "Finding and copying the root hash file" in the Installation Guide.
Provision an identity on the root broker for this authentication broker. See "Provisioning an identity for the authentication broker" in the Installation Guide.
Select an administrator password of at least 5 characters for the authentication broker
If you intend to configure AT to use a cluster, determine the cluster name

To install authentication broker only
1 Go to the directory in which the installics script is located, and type the following command to invoke installics:
./installics
2 At the task menu, type I to install or upgrade a product.
3 When you are prompted to select a product to install, type 2 to install the Symantec Product Authentication Service.
4 When you are prompted to install the AT server, type y.
5 When you are prompted to select the mode in which AT will be installed, type 3 for the AB mode.

6 When you are prompted for the system name, type the name of the host on which you are installing AT. The ICS Installer does not support remote installation (push install) for AT. Install AT on the local host only.

7 When the package to be installed is displayed, press Enter to continue, and then allow the installation to complete. The VRTSat package will be installed. The following message is displayed when the installation is complete:

       Installation completed successfully on all systems

8 When you are prompted to configure AT, type y.

9 The ICS Installer begins prompting you for information on the remote broker. Respond to these prompts as described in the following:

   Please enter the root broker host
       Type the name of the host on which the root broker resides.

   Enter the broker port (2821)
       Type 1556 if the root broker is configured to use the Symantec Private Branch Exchange. Otherwise, press Enter to accept the default.

   Please enter complete path to the file which contains the root broker's hash
       Type the path to the root broker hash file.

10 The ICS Installer displays the remote broker information you have provided. Review the information, and then do one of the following:
   - If the information is correct, type y, and then proceed to step 11.
   - If the information is incorrect, type n, and then repeat step 9.

11 Press Enter to continue.

12 The ICS Installer begins prompting you for information on the authentication broker credentials. Respond to these prompts as described in the following:

   Enter authentication broker's identity
       Type the user name that you provisioned for this authentication broker.

   Enter password for remoteab
       Type the password for the authentication broker user name. No characters are echoed when you type the password, and you will not be prompted to retype the password for confirmation. Be careful to type the password correctly.

   Enter the domain name for the authentication broker's identity
       Type the name of the domain in which the authentication broker user name was created. For example, where FullyQualifiedHostName is the name of the host on which the root broker resides.

13 The ICS Installer displays the credential information you have provided. Review the information, and then do one of the following:
   - If the information is correct, type y, and then proceed to step 14.
   - If the information is incorrect, type n, and then repeat step 12.

14 When you are prompted for the authentication broker administrator password, type in the password you selected. The password must be at least 5 characters. No characters are echoed when you type in the password, and you will not be prompted to retype it for confirmation. Be careful to type it correctly.

15 If the Symantec Private Branch Exchange is installed on the host, you receive the following prompt:

       Do you want to enable Private Branch Exchange (PBX) support in Authentication Broker Server? [y,n,q] (n)

   If you receive this prompt, type y if you want AT to communicate through the Private Branch Exchange. Otherwise, type n. AT can be configured to communicate with its clients through the Private Branch Exchange over port 1556 rather than over the default broker port.

16 If the host on which you are installing AT is part of a cluster, you receive the following prompt:

       Will HostName be configured as part of a cluster? [y,n,q] (n)

   If you receive this prompt, do the following:
   - If you intend to configure AT to use the cluster, type y. Otherwise, type n.
   - If you typed y, enter the cluster name when you are prompted for the logical cluster name.

   The ICS Installer must know whether AT will be configured to use a cluster. You will be instructed to perform the cluster configuration manually later in this procedure.

17 When you are prompted to start the Symantec Product Authentication Service processes, type y if you want to start them now. Otherwise, type n. If you type n, you can type the following command to start the service at a later time:

       /opt/vrtsat/bin/vxatd

18 When you are prompted for an encryption key, type a string of at least five characters to use as a key for encrypting the installics response file. Since the installics response file contains the broker password, it must be encrypted for security reasons. To decrypt the response file for a silent installation, you must insert this key string into a file, and then specify the key file name with the installics -enckeyfile option. See "About the encryption and the response files."

19 Press Enter to continue. The installics script exits.

20 If you need to configure AT to use the cluster, run the cluster configuration script after running installics. See one of the following:
   - How to configure AT into VCS on UNIX
   - How to configure AT into Tru64
   - How to configure AT into Sun Cluster
   - How to configure AT on HACMP
   - How to configure AT on HP Serviceguard

Installing root broker only on UNIX

Before you install AT in root broker only mode, you must do the following:
   - Select a root broker administrator password of at least 5 characters for the root broker.
   - If you intend to configure AT to use a cluster, determine the cluster name.

To install root broker only

1 Go to the directory in which the installics script is located, and type the following command to invoke installics:

       ./installics

2 At the task menu, type I to install or upgrade a product.

3 When you are prompted to select a product to install, type 2 to install the Symantec Product Authentication Service.

4 When you are prompted to install the AT server, type y.

5 When you are prompted to select the mode in which AT will be installed, type 2 for the Root mode.

6 When you are prompted for the system name, type the name of the host on which you are installing AT. The ICS Installer does not support remote installation (push install) for AT. Install AT on the local host only.

7 When the package to be installed is displayed, press Enter to continue, and then allow the installation to complete. The VRTSat package will be installed. The following message is displayed when the installation is complete:

       Installation completed successfully on all systems

8 When you are prompted to configure AT, type y.

9 When you are prompted for the root broker administrator password, type in the password that you selected. The password must be at least 5 characters. No characters are echoed when you type in the password, and you will not be prompted to retype it for confirmation. Be careful to type it correctly.

10 If the Symantec Private Branch Exchange is installed on the host, you receive the following prompt:

       Do you want to enable Private Branch Exchange (PBX) support in Authentication Broker Server? [y,n,q] (n)

   If you receive this prompt, type y if you want AT to communicate through the Private Branch Exchange. Otherwise, type n. AT can be configured to communicate with its clients through the Private Branch Exchange over port 1556 rather than over the default broker port.

11 If the host on which you are installing AT is part of a cluster, you receive the following prompt:

       Will HostName be configured as part of a cluster? [y,n,q] (n)

   If you receive this prompt, do the following:
   - If you intend to configure AT to use the cluster, type y. Otherwise, type n.
   - If you typed y, enter the cluster name when you are prompted for the logical cluster name.

   The ICS Installer must know whether AT will be configured to use a cluster. However, it will not perform the cluster configuration. You will be instructed to perform the cluster configuration manually later in this procedure.

12 When you are prompted to start the Symantec Product Authentication Service processes, type y if you want to start them now. Otherwise, type n. If you type n, you can type the following command to start the service at a later time:

       /opt/vrtsat/bin/vxatd

13 When you are prompted for an encryption key, type a string of at least five characters to use as a key for encrypting the installics response file.

   Since the installics response file contains the broker passwords, it must be encrypted for security reasons. To decrypt the response file for a silent installation, you must insert this key string into a file, and then specify the key file name with the installics -enckeyfile option. See "About the encryption and the response files."

14 Press Enter to continue. The installics script exits.

15 If you need to configure AT to use the cluster, run the cluster configuration script after running installics. See one of the following:
   - How to configure AT into VCS on UNIX
   - How to configure AT into Tru64
   - How to configure AT into Sun Cluster
   - How to configure AT on HACMP
   - How to configure AT on HP Serviceguard

About the encryption and the response files

The encryption file and the response file are two separate files. The installics program itself creates the response file. The user creates the encryption file.

When you install interactively, near the end of the installation, you provide an encryption key for encrypting the passwords in a response file. The installics program generates the response file with the information that you provided. At the end of the installation, installics identifies the name and location of the response file, as indicated in the following sample response:

       Installation log files, summary file, and response file are saved at:
       /opt/vrts/install/logs/installics-aaaaaa

where AAAAAA is some random string. The response file resides in this directory with the name installics-aaaaaa.response.

The user must create the encryption file and insert the encryption key that was specified in the last prompt. To invoke installics with the response file and encryption key file, use the following command:

       ./installics -enckeyfile UserCreatedEncryptionFile -responsefile ProgramCreatedResponseFile
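The response file holds the broker passwords, so the key file that unlocks it deserves the same care as a password file. The following POSIX sh functions are an added example, not part of the Symantec release notes or of installics: they create the user-written encryption file with owner-only permissions, enforce the five-character minimum the installer requires, confirm both files exist, and print the installics command line from the section above. The function and file names are hypothetical; installics itself is never run by this script.

```shell
#!/bin/sh
# Added example (not from the Symantec release notes or the installics program).
# Prepares the two files a silent installics run needs: the user-created
# encryption key file and the installics-generated response file.

# make_enckeyfile KEYFILE KEY
# Writes KEY into KEYFILE with mode 0600 (owner read/write only). The key
# decrypts a response file that holds broker passwords, so it must never be
# group- or world-readable. Keys shorter than the five characters installics
# requires are rejected.
make_enckeyfile() {
    keyfile=$1
    key=$2
    if [ "${#key}" -lt 5 ]; then
        echo "encryption key must be at least 5 characters" >&2
        return 1
    fi
    # umask 077 in a subshell so the file is never readable by others, even briefly
    ( umask 077 && printf '%s\n' "$key" > "$keyfile" ) || return 1
    chmod 600 "$keyfile"
}

# silent_install_cmd KEYFILE RESPONSEFILE
# Checks that both files are readable and prints the installics invocation
# documented in the release notes (-enckeyfile plus -responsefile).
silent_install_cmd() {
    keyfile=$1
    responsefile=$2
    [ -r "$keyfile" ] || { echo "missing key file: $keyfile" >&2; return 1; }
    [ -r "$responsefile" ] || { echo "missing response file: $responsefile" >&2; return 1; }
    printf './installics -enckeyfile %s -responsefile %s\n' "$keyfile" "$responsefile"
}
```

Run make_enckeyfile first with the key you typed at the installer prompt, then pass the key file and the installics-aaaaaa.response path reported by the installer to silent_install_cmd; the printed command is what you execute from the installics directory. Keep the key file alongside the response file only for as long as the silent installation needs it.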

About rollback functionality

For AT 4.3, rollback is supported when you install by using the MSIs. By default, rollback functionality is disabled. To enable it, you must specify it on the command line when using the AT MSI to install authentication.

Assume, for example, that AT 4.3.xx.0 is installed on the system, and you want to upgrade it to 4.3.yy.0 using the client+server MSI. Use the following command line:

       msiexec /qn /i "VERITAS Authentication Service.msi" ROLLBACK=YES

The command upgrades the current version to 4.3.yy.0. When uninstalling 4.3.yy.0 and restoring 4.3.xx.0, you must pass the following parameters:

       msiexec /qn /x "VERITAS Authentication Service.msi" ROLLBACK=YES

Upgrade AT

The approach to upgrading the Symantec Product Authentication Service on a VCS cluster varies depending on whether it is configured as a non-secure or a secure cluster.

To prepare for the upgrade:

1 Refer to the Symantec product documentation to determine the location of the Symantec Product Authentication Service installation media and documentation.

2 Locate the Symantec Product Authentication Service installer on the installation media.

Secure cluster upgrades

About upgrading on a secure cluster

For a secure cluster, the steps are the same regardless of whether the Symantec Product Authentication Service is configured for high availability. In either case, you must do the following:
   - Identify and shut down all Symantec products on each node in the cluster that depend on the Symantec Product Authentication Service.
   - Offline the Symantec Product Authentication Service service group on each node in the cluster.
   - Shut down the Veritas Cluster Server.
   - Upgrade the Symantec Product Authentication Service on each node.

   - Restart the Veritas Cluster Server.
   - Online the Symantec Product Authentication Service service group on each node.
   - Restart all of the Symantec applications that you shut down on each node.

This section provides detailed instructions on how to perform these steps.

Performing upgrade on a secure VCS cluster

To upgrade AT on securable VCS

1 On each node in the cluster, identify and shut down any Symantec products that depend on the Symantec Product Authentication Service on that node. Consult with your network security team to determine which products you need to shut down.

2 (Optional) On each node, offline group VxSS_Service using the VCS Console or by typing the following command:

       hagrp -offline vxss_service -sys SystemName

   where SystemName is the name of the node. The VxSS_Service group is created when the Symantec Product Authentication Service is configured as an application on securable VCS. The service group vxss_service may not be present unless authentication itself is running in high availability mode.

3 Offline the service group "VxSS". Securable VCS creates the VxSS service group when it is configured as a secure cluster.

4 Shut down the Veritas Cluster Server. Since securable VCS depends on the Symantec Product Authentication Service, you cannot upgrade the Symantec Product Authentication Service while the Veritas Cluster Server is running.

5 Stop VCS on all cluster nodes. We recommend that you shut down the Veritas Cluster Server in a gradual manner. Make sure that no VCS services or processes are running on the cluster nodes.

6 On each node, upgrade the Symantec Product Authentication Service using the Symantec Product Authentication Service installer. This process will keep AT configured in its previous mode.

7 Restart the Veritas Cluster Server on all cluster nodes.

8 (Optional) On each node, online group VxSS_Service using the VCS Console or by typing the following command:

       hagrp -online vxss_service -sys SystemName

   where SystemName is the name of the node. The service group vxss_service may not be present unless authentication itself is running in high availability mode.

9 Verify that service group VxSS is online. If it is not online, manually bring it online.

10 On each node, restart any Symantec products that you shut down in step 1.

Non-secure cluster upgrades

About upgrading in a non-secure cluster

For a non-secure cluster, if the Symantec Product Authentication Service is not configured for high availability, a normal upgrade is all that is required. No special steps are needed. However, if the Symantec Product Authentication Service is configured for high availability, you must follow the procedure below.

Performing upgrade in a non-secure cluster

For a non-secure cluster, if the Symantec Product Authentication Service is not configured for high availability, a normal upgrade is all that is required. No special steps are needed. However, if the Symantec Product Authentication Service is configured for high availability, you must do the following:

1 Select a node in the cluster on which the Symantec Product Authentication Service must be upgraded, and perform the remaining steps on this node.

2 Identify and shut down all Symantec products on the node that depend on the Symantec Product Authentication Service.

3 Offline the Symantec Product Authentication Service service group on the node.

4 On each node, offline group VxSS_Service using the VCS Console or by typing the following command that is appropriate to your cluster:

   Table 4-1  Commands to offline the AT service group on various clusters

   Cluster type               Command to offline AT service group
   VCS [nonsecure/insecure]   hagrp -offline vxss_service -sys <Node name>
   VCS [secure]               hagrp -offline VxSS -sys <Node name>
                              hagrp -offline vxss_service -sys <Node name>
   MCSG [HP-SG]               cmhaltpkg -v -n <Node Name> vxsspackage
   Tru Cluster                caa_stop VRTSat
   Sun Cluster                scswitch -F -g vxss_resources
   HACMP                      /usr/es/sbin/cluster/utilities/clrgmove -s 'false' -d -i -g vxss_service -n <Node Name>
   MSCS                       cluster. group VxSS-ClusterGroup /OFFLINE /WAIT:50

   The VxSS_Service group is created when AT is configured as an application on securable VCS. The service group vxss_service may not be present unless authentication itself is running in high availability mode.

5 Upgrade the Symantec Product Authentication Service on the node.

6 Online the Symantec Product Authentication Service service group on the node. The service group vxss_service may not be present unless authentication itself is running in high availability mode. On each node, online group VxSS_Service using the VCS Console or by typing the following command that is appropriate to your cluster:

   Table 4-2  Commands to online the AT service group on various clusters

   Cluster type               Command to online AT service group
   VCS [nonsecure/insecure]   hagrp -online vxss_service -sys <Node name>
   VCS [secure]               hagrp -online VxSS -sys <Node name>
                              hagrp -online vxss_service -sys <Node name>
   MCSG [HP-SG]               cmrunpkg -v -n <Node Name> vxsspackage
   Tru Cluster                caa_start VRTSat
   Sun Cluster                scswitch -R -g vxss_resources -h <Node Name>
   HACMP                      /usr/es/sbin/cluster/utilities/clrgmove -s 'false' -u -i -g vxss_service -n <Node Name>
   MSCS                       cluster. group VxSS-ClusterGroup /ONLINE /WAIT:50

   The service group vxss_service may not be present unless authentication itself is running in high availability mode.

7 Restart all of the Symantec applications that you shut down on the node.

8 Repeat these steps on the remaining nodes in the cluster.

Steps for AT cluster configuration (all solutions)

This topic contains an overview of the steps necessary for configuring AT in a cluster. The steps are common to all clustering solutions.

To install AT that is intended to be HA

1 Install the AT base package on all cluster nodes.

2 If you are using the ICS Installer to configure AT on a REMOTE node, answer n to the following question during installation:

       Are you ready to configure AT on xyz? [y, n, q] (y) n

   where xyz is any remote node.

3 Configure AT in root plus authentication broker mode on one node only. This node with root plus authentication broker will be the active node.

4 Add one principal on the active node by using the vssat addprpl command as follows:

       vssat addprpl --pdrtype root --domain root --prplname test1

5 Using the principal that you created on the active node, configure AT in authentication broker only mode on the rest of the cluster nodes. The nodes with authentication broker only are the passive nodes. The authentication broker on every cluster node must be under the same root hierarchy.

6 Make AT highly available on the active node.

How to configure AT into Microsoft Cluster Server

This topic tells how to configure Symantec Product Authentication Service into Microsoft Cluster Server and how to verify the configuration.

Steps to Configure AT into Microsoft Cluster Server

Prerequisites are as follows:

   Note: Veritas Volume Manager disk group is not supported for shared disks.

   - AT configuration should be done before configuring AT into MSCS. Install the AT binaries on all nodes and configure the broker on all cluster nodes in Root + AB, or AB mode.
   - There should be one resource group configured into MSCS having a physical disk resource in it. The physical disk resource should go online and offline on all nodes of the cluster.
   - Find and make a note of the following values:
       Disk Group Name
       Disk Resource Name
       Shared Drive Letter
       Network Interface
       AT Service Virtual IP Address
       AT Service Virtual Name
       Subnet Mask
   - Invoke AT HA configuration from the cluster node where AT is configured.

To configure AT into Microsoft Cluster Server

1 Find the VxATmscs.bat file, which resides in the following location:

       C:\Program Files\VERITAS\Security\Authentication\bin

2 Run VxATmscs.bat as follows:

       VxATmscs.bat -c <Disk Group Name> <Disk Resource Name> <Shared Drive Letter> <Network Interface> <AT Service Virtual IP Address> <Subnet Mask> <AT Service Virtual Name>

   For example, if you assume the following values:

       <Disk Group Name> = Disk
       <Disk Resource Name> = Disk E
       <Shared Drive Letter> = E
       <Network Interface> = private
       <AT Service Virtual IP Address> =
       <Subnet Mask> =
       <AT Service Virtual Name> = MSCSCLUS

   Then the usage for configuration is as follows:

       C:\Program Files\VERITAS\Security\Authentication\bin> VxATmscs.bat -c Disk "Disk E:" E private MSCSCLUS

   For the same values, unconfiguration would be as follows:

       C:\Program Files\VERITAS\Security\Authentication\bin> VxATmscs.bat -u E Disk "Disk E:"

   See Table 4-3, Options for -c, for information about the options.

About options for configuration

Table 4-3, Options for -c, shows the available -c (configuration) options in the left column and an explanation of those options in the right column:

   Table 4-3  Options for -c

   Option                          Meaning
   Disk Group Name                 Name of the resource group in which the shared disk resource has been configured before initiating the configuration of AT into MSCS.
   Disk Resource Name              Name of the shared disk resource configured in Disk Group Name.
   Shared Drive Letter             The drive on which the shared disk will be available. Cluster Group always contains the resource for the shared disk.
   Network Interface               Name given to the network. Use quotes if there is a space in the network name. For example, "private 1".
   AT Service Virtual IP Address   IP address which you want to configure. Do not specify in quotes.
   SubnetMask                      Subnet mask for the specified IP address. Do not specify in quotes.
   AT Service Virtual Name         Virtual name that is used by AT clients. Do not specify in quotes. The virtual name for the AT service is not the same as the cluster name assigned to VCS clusters. The AT service's cluster name or virtual name is dedicated to the AT service. It should resolve to an existing virtual IP address that is assigned to AT.

Table 4-4, Options for -u, shows the available -u (unconfiguration) options in the left column and an explanation of those options in the right column.

   Table 4-4  Options for -u

   Option                                          Meaning
   Disk Group Name in which to move disk resource  When the user wants to unconfigure, the disk resource gets moved to the resource group specified by the user. A script deletes the VxSS resource group and the shared data from the disk. Use quotes if there is a space in the Disk Group Name. For example, "Disk Group".
   Disk Resource Name                              Name of the shared disk resource configured in Disk Group Name. Use quotes if there is a space in the Disk Resource Name. For example, "Disk G".
   Shared Drive Letter                             The drive on which the shared disk is available. Cluster Group always contains the resource for the shared disk. Do not specify in quotes.

Steps to Verify Cluster Configuration for Microsoft Cluster Server

After you have configured, you can verify the cluster configuration in the following ways:
   - Using Cluster Administrator
   - Using the command line interface

How to verify cluster configuration by using Cluster Administrator

You can use the Cluster Administrator to verify the cluster configuration. Check that the VxSS-Cluster Group resource group was created. Figure 4-1, VxSS Cluster Group, shows how the screen should look.

   Figure 4-1  VxSS Cluster Group

The vxatd resource will be dependent on the vxatip and vxatmnt resources. The vxatmnt resource name can be anything, since it is configured in another resource group; VxATmscs.bat moves that resource into VxSS-ClusterGroup.

How to use the command line interface to verify

You can verify the VxAT MSCS configuration by using the cluster command to check the VxSS-ClusterGroup resource. Syntax is as follows:

       C:\Program Files\VERITAS\Security\Authentication\bin>cluster group VxSS-ClusterGroup

Output is as follows:

       Listing status for resource group 'VxSS-ClusterGroup':
       Group              Node       Status
       VxSS-ClusterGroup  SSCLUS02   Online

Check status of each resource from VxSS-ClusterGroup

You can check the status of each resource from the VxSS-ClusterGroup in order to verify the VxAT MSCS configuration.

Check status for vxatip

Use the following command to check the status for vxatip:

       C:\Program Files\VERITAS\Security\Authentication\bin>cluster res vxatip

Output is as follows:

       Listing status for resource 'vxatip':
       Resource   Group              Node       Status
       vxatip     VxSS-ClusterGroup  SSCLUS02   Online

Check status for Disk E

Use the following command to check the status for Disk E:

       C:\Program Files\VERITAS\Security\Authentication\bin> cluster res "Disk E:"

Output is as follows:

       Listing status for resource 'Disk E:':
       Resource   Group              Node       Status
       Disk E:    VxSS-ClusterGroup  SSCLUS02   Online

Check status for vxatd

Use the following command to check the status for vxatd:

       C:\Program Files\VERITAS\Security\Authentication\bin>cluster res vxatd

Output is as follows:

       Listing status for resource 'vxatd':
       Resource   Group              Node       Status
       vxatd      VxSS-ClusterGroup  SSCLUS02   Online

How to configure AT into VCS on Windows

This topic tells how to configure Symantec Product Authentication Service into Veritas Cluster Server (VCS) on Windows and how to verify the configuration.

Sequence of steps for configuration and unconfiguration

The sequence of steps for configuring and unconfiguring is as follows:

   Install/Configure
   1 Run -Ti on all nodes.
   2 Run -Mi or -Mn on any one node, where -Mi is interactive and -Mn is non-interactive.

   Uninstall/Unconfigure
   1 Run -Mu on any one node.
   2 Run -Tu on all nodes.

Detailed steps to configure AT into VCS on Windows

This topic provides steps for configuring Symantec Product Authentication Service into Veritas Cluster Server on Windows.

Prerequisites

Prerequisites are the following:

   - Install and configure AT if it is not already installed.
   - Find out whether the VCS mode is securable or non-securable by running the following command:

         /opt/vrtsvcs/bin/haclus -value SecureClus

     VCS is securable if you get output of 0 or 1. VCS is non-securable if you get other output, such as the following:

         VCS:10048:Attribute SecureClus does not exist
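Two of the checks above are easy to script once the command output has been captured: confirming that every resource in VxSS-ClusterGroup reports Online (the MSCS verification section), and reading the haclus -value SecureClus output to decide whether VCS is securable (the VCS on Windows prerequisites). The following POSIX sh functions are an added example and are not part of the Symantec release notes; the cluster and haclus commands are not run here, and the embedded output is a constructed sample in the format the notes show, with vxatd deliberately marked Offline so the check has something to report. Function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Symantec release notes). Both functions read
# command output that was captured earlier and report on it; neither invokes
# the Windows cluster or haclus commands.

# Constructed sample: `cluster res <name>` output for the three resources of
# VxSS-ClusterGroup, concatenated into one capture. vxatd is Offline on purpose.
SAMPLE_CLUSTER_OUTPUT="Listing status for resource 'vxatip':
Resource Group Node Status
vxatip VxSS-ClusterGroup SSCLUS02 Online
Listing status for resource 'Disk E:':
Resource Group Node Status
Disk E: VxSS-ClusterGroup SSCLUS02 Online
Listing status for resource 'vxatd':
Resource Group Node Status
vxatd VxSS-ClusterGroup SSCLUS02 Offline"

# offline_resources GROUP  (reads captured `cluster res` output on stdin)
# Prints "<resource>: <status>" for every resource of GROUP whose Status is
# not Online. Resource names may contain spaces ("Disk E:"), so the fields are
# taken from the right: status, node, group; everything before is the name.
offline_resources() {
    awk -v grp="$1" '
        /^Listing status/ || /^Resource +Group +Node +Status/ { next }
        NF >= 4 && $(NF-2) == grp && $NF != "Online" {
            name = $1
            for (i = 2; i <= NF-3; i++) name = name " " $i
            print name ": " $NF
        }'
}

# vcs_mode  (reads `haclus -value SecureClus` output on stdin)
# Per the prerequisites: an output of 0 or 1 means VCS is securable; any other
# output (for example VCS:10048:Attribute SecureClus does not exist) means it
# is non-securable.
vcs_mode() {
    read -r line
    case "$line" in
        0|1) echo securable ;;
        *)   echo non-securable ;;
    esac
}
```

In practice you would redirect the real command output into a file on the cluster node and feed that file to offline_resources; an empty result means the VxSS-ClusterGroup resources are all Online and the configuration matches what Cluster Administrator should show.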

Based on whether VCS is securable or non-securable, you will proceed as follows:

If VCS is non-securable

1 Configure AT on one of the cluster nodes into any mode.

2 Leave AT unconfigured on the remaining nodes.

3 Invoke HA configuration from the cluster node where AT is configured. AT will get configured into the appropriate mode automatically during AT HA configuration.

If VCS is securable

1 Find a cluster node where AT has been running with its highest configuration mode. That is, if AT is running in root mode on sys01 and in authentication broker only mode on sys2, then sys01 is running in the higher mode.

2 Invoke AT HA configuration from sys01, which uses root mode.

There should be a separate disk group available for AT. It should have a properly formatted volume under it, depending on the underlying volume manager. Make sure that the disk group can be imported and deported manually.

Find and make a note of the following values:
   - System Names
   - Disk Group Name and Volume
   - Shared Drive Letter
   - AT Service Virtual Name
   - AT Service Virtual IP Address
   - Netmask
   - System MAC Addresses

   Caution: AT should be installed on all the cluster nodes before initiating configuration into VCS.

To configure AT into VCS on Windows

1 After you install AT, locate VxATclconf.pl, which must be run from the following directory on Windows:

       C:\Program Files\VERITAS\Security\Authentication\bin

2 Familiarize yourself with the options that you can use with VxATclconf.pl.

   See Table 4-5, Options for VxATclconf.pl script on Windows.

   Table 4-5  Options for VxATclconf.pl script on Windows

   Option                 Function
   -Mi                    Selects interactive mode. During configuration the script requests the required option values before creating the needed resources.
   -Mn                    Selects non-interactive mode. Reads input from VxATclinput.txt, which resides in the same directory where the VxATclconf.pl file is present. The VxATclinput.txt file contains all the attribute values required to configure AT into VCS (default option).
   -P                     Cleans up the current configuration of AT into VCS and modifies the AT credential setup to make AT highly available per the new model.
   -Mu                    Unconfigures AT from VCS.
   -Ti                    Installs the AT agent.
   -Tu                    Uninstalls the AT agent.
   -F<input file>         Specifies an input file to use other than the default. The default is VxATclinput.txt in the same directory.
   -I<VxAT install path>  Specifies the AT installation path. The default path for AT on Windows is C:\Program Files\VERITAS\Security\Authentication
   -V<VCS install path>   Specifies the Veritas Cluster Server installation path. The default path for cluster server on Windows is C:\Program Files\VERITAS\cluster server
   -D<string>             Specifies debug mode only; commands go nowhere.
   -help                  Provides usage information.

   Only one of the following options can be used at a time: -P, -Ti, -Tu, -Mi, -Mn, -Mu.

   The default mode is non-interactive. The default configuration file is VxATclinput.txt. The install locations fall to platform defaults. By default, all commands are dispatched. See "Example of input prompts for interactive mode."

3 Run the VxATclconf.pl command with the -Ti option on every node in the cluster. This is used to set up the custom AT agent for cluster server to use. See Table 4-6, Examples of using -Ti.

   Table 4-6  Examples of using -Ti

   Purpose                                               Example
   To specify paths for AT installation and VCS install  perl VxATclconf.pl -Ti -I"C:\Program Files\VERITAS\Security\Authentication" -V"C:\Program Files\VERITAS\cluster server"
   To specify path for AT installation only              perl VxATclconf.pl -Ti -I"C:\Program Files\VERITAS\Security\Authentication"
   To run with defaults                                  perl VxATclconf.pl -Ti

   Note that there is no space between the options and their input.

4 If you want to run non-interactively, run the perl script from the C:\Program Files\VERITAS\Security\Authentication\bin> directory, and use the -Mn option, as shown in Table 4-7, Examples of using -Mn:

   Table 4-7  Examples of using -Mn

   Purpose                                                                          Example
   To specify paths for AT installation and VCS installation                        perl VxATclconf.pl -Mn -I"C:\Program Files\VERITAS\Security\Authentication" -V"C:\Program Files\VERITAS\cluster server"
   To specify paths for AT installation and VCS installation and to specify input file   perl VxATclconf.pl -Mn -I"C:\Program Files\VERITAS\Security\Authentication" -F"C:\Program Files\VERITAS\Security\Authentication\bin\VxATclinput.txt" -V"C:\Program Files\Veritas\cluster server"
   To run with defaults                                                             perl VxATclconf.pl -Mn

   If you are using the -Mn option, then the input file VxATclinput.txt should be present in the same directory where the VxATclconf.pl file resides, unless you specify a different input file. Note that there is no space between the options and their input.

5 If you want to run interactively, run the perl script from the C:\Program Files\VERITAS\Security\Authentication\bin> directory, and use the -Mi option, as shown in Table 4-8, Examples of using -Mi.

   Table 4-8  Examples of using -Mi

   Purpose                                                     Examples
   To specify paths for AT installation and VCS installation   perl VxATclconf.pl -Mi -I"C:\Program Files\VERITAS\Security\Authentication" -V"C:\Program Files\Veritas\cluster server"
   To run with defaults                                        perl VxATclconf.pl -Mi

   Note that there is no space between the options and their input. During configuration, the script will ask the user for the required attribute values for resources.

Example of input prompts for interactive mode

The following is an example of the input prompts and screen responses you will receive when you run the VxATclconf.pl script in interactive mode (-Mi):

       Enter the Agent:OnlineRetryLimit [ 10 ] :
       Enter the Agent:RestartLimit [ 10 ] :
       Enter the Agent:OnlineWaitLimit [ 10 ] :
       Enter the GEN:SystemList [ SIGWINVCS1 SIGWINVCS2 ] :
       Enter the GEN:DiskGroupConfig [ y ] :
       Enter the GEN: AT virtual name [ vcs ] :
       Enter the GEN:ClusterAuthSourceLocation [ C:\AT_cred\ ] :
       Enter the GEN:AuthSourceMountLocation [ C:\AT_cred\ ] :
       Initializing AT HA in Root+AB mode...
       hatype -delete AT
       hatype -add AT
       hatype -modify AT OnlineWaitLimit 10
       hatype -modify AT RestartLimit 10
       hatype -modify AT OnlineRetryLimit 10
       haagent -start AT -sys SIGWINVCS1
       VCS WARNING V Please look for messages in the log file
       haagent -start AT -sys SIGWINVCS2
       VCS WARNING V Please look for messages in the log file
       VCS WARNING V Cluster already writable.
       VCS is configured in In-Secure mode.

  Enter the IP:Address [ ] :
  Enter the IP:SubNetMask [ ] :
  Are IP:MACAddress values different on different nodes? Enter y/n :y
  Enter the System name:sigwinvcs1
  Enter all IP:MACAddress values in one line separated by spaces (e.g A3-C8-A5-D3) E4-66-4E
  Do you want to enter IP:MACAddress values for another system? Enter y/n :y
  Enter the System name:sigwinvcs2
  Enter all IP:MACAddress values in one line separated by spaces (e.g A3-C8-A5-D3) E4-66-CF
  Do you want to enter IP:MACAddress values for another system? Enter y/n :n
  Are NIC:MACAddress values different on different nodes? Enter y/n :y
  Enter the System name:sigwinvcs1
  Enter all NIC:MACAddress values in one line separated by spaces (e.g A3-C8-A5-D3) E4-66-4E
  Do you want to enter NIC:MACAddress values for another system? Enter y/n :y
  Enter the System name:sigwinvcs2
  Enter all NIC:MACAddress values in one line separated by spaces (e.g A3-C8-A5-D3) E4-66-CF
  Do you want to enter NIC:MACAddress values for another system? Enter y/n :n
  Configuring Disk resources:
  Enter the VMDg:DiskGroupName [ ATdg ] :
  Entry MountV:MountPath is optional. So, do you want to enter a value? Enter y/n :y
  Enter the MountV:MountPath [ "C:\AT_cred" ] :
  Enter the MountV:VolumeName [ ATvol ] :
  Enter the MountV:VMDGResName [ vxatdg ] :
  Entry RegRep:MountResName is optional. So, do you want to enter a value? Enter y/n :y
  Enter the RegRep:MountResName [ vxatmnt ] :
  Entry RegRep:Keys is optional. So, do you want to enter a value? Enter y/n :y
  Enter the RegRep:Keys [ "HKEY_LOCAL_MACHINE\SOFTWARE\VERITAS\SECURITY\AUTHENTICATION" ] :
  Entry RegRep:ExcludeKeys is optional. So, do you want to enter a value? Enter y/n :y
  Enter the RegRep:ExcludeKeys :
  Entry RegRep:ExcludeKeys is optional. So, do you want to enter a value? Enter y/n :n

  Entry RegRep:ReplicationDirectory is optional. So, do you want to enter a value? Enter y/n :y
  Enter the RegRep:ReplicationDirectory [ "\\" ] :
  sleeping for 1 seconds
  Creating mount resources...
  Executing hares -add vxatdg VMDg vxss_service
  Executing hares -modify vxatdg DiskGroupName ATdg
  Executing hares -add vxatmnt MountV vxss_service
  Executing hares -modify vxatmnt MountPath "C:\AT_cred"
  Executing hares -modify vxatmnt VMDGResName vxatdg
  Executing hares -modify vxatmnt VolumeName ATvol
  Executing hares -add vxatregrep RegRep vxss_service
  Executing hares -modify vxatregrep ReplicationDirectory "\\"
  Executing hares -modify vxatregrep MountResName vxatmnt
  Executing hares -modify vxatregrep Keys "HKEY_LOCAL_MACHINE\SOFTWARE\VERITAS\SECURITY\AUTHENTICATION"
  Done creating mount resources...
  sleeping for 1 seconds
  Executing hares -link vxatregrep vxatmnt
  Executing hares -link vxatmnt vxatdg
  sleeping for 5 seconds
  Executing hares -add vxat AT vxss_service
  Executing hares -add vxatip IP vxss_service
  Executing hares -modify vxatip Address
  Executing hares -local vxatip MACAddress
  Executing hares -modify vxatip MACAddress E4-66-4E -sys SIGWINVCS1
  Executing hares -modify vxatip SubNetMask
  Executing hares -modify vxatip MACAddress E4-66-CF -sys SIGWINVCS2
  Executing hares -add vxatnic NIC vxss_service
  Executing hares -local vxatnic MACAddress
  Executing hares -modify vxatnic MACAddress E4-66-4E -sys SIGWINVCS1
  Executing hares -modify vxatnic MACAddress E4-66-CF -sys SIGWINVCS2
  Executing hares -link vxatip vxatnic
  Executing hares -link vxat vxatip
  Executing hares -link vxat vxatregrep
  sleeping for 5 seconds
  sleeping for 20 seconds
  sleeping for 30 seconds
  Bring the resource online...
  hagrp -state vxss_service -sys SIGWINVCS1
  sleeping for 1 seconds
  sleeping for 1 seconds
  sleeping for 1 seconds

  sleeping for 1 seconds
  sleeping for 1 seconds
  sleeping for 2 seconds
  Now online...
  sleeping for 5 seconds
  1 file(s) copied.
  1 file(s) copied.
  1 file(s) copied.

Configuration File Details for Windows

To run non-interactively, with the -Mn option, the user must manually fill all the required details into the VxATclinput.txt file. This file contains information for all the resources that are configured along with the AT agent resource.

VCS provides bundled agents for the following:
  IP
  MNT
  Disk Group
  Volume

VCS does not provide a bundled agent for the AT agent resource.

Depending on the underlying platform and the supported volume manager for shared disk configuration, VCS supports different resource types. For a list of the supported resource types, see Table 4-9, "Resource types that are supported".

Table 4-9 Resource types that are supported

  Platform                          Volume Manager   VCS Resource type for Volume Group   VCS Resource type for Logical Volume
  HP-UX                             LVM              LVMVolumeGroup                       LVMLogicalVolume
  AIX                               LVM              LVMVG                                (none: on AIX there is no volume resource; the volume group resource is linked directly with the mount resource)
  HP-UX/Linux/AIX/Solaris/Windows   VxVM             DiskGroup                            Volume

How to modify the VxATclinput.txt file

This topic provides an example of the VxATclinput.txt file with notes on what to modify.

  ###################################################################
  #process
  ###################################################################
  BeginProcessSection
  StartProgram=
  StopProgram="net stop vrtsat"
  EndProcessSection

In the old VxAT VCS model, VxAT was a resource of the Process agent type, which has two properties, StartProgram and StopProgram. The new model does not use this section. The custom agent works exactly like a Process agent resource in the case of non-securable VCS. The user need not update anything in this section.

  ###################################################################
  # AT
  # Agent
  ###################################################################
  BeginATSection
  EndATSection

This section is for the VxAT custom agent, in case arguments need to be added in the future. No changes are required; keep it as it is.

  ###################################################################
  #GenericService
  ###################################################################
  BeginGenericServiceSection
  ServiceName="Veritas Authentication Service"
  EndGenericServiceSection

No changes are required.

  ###################################################################
  #IP
  ###################################################################
  BeginIPSection
  Address=nnn.nnn.nnn.nnn

This is the AT Service Virtual IP Address.

  SubNetMask=nnn.nnn.nnn.nnn

This is the Netmask for the AT Service Virtual IP Address.

  MACAddress@<hostname>=<Hosts MAC Address>

Specify the cluster node name at <hostname> and the MAC address of the network interface that presents the AT Service Virtual Name at <Hosts MAC Address>. For example:

The user needs to repeat the line for every cluster node.

  EndIPSection

  ###################################################################
  #NIC
  ###################################################################
  BeginNICSection
  MAC Address>

Specify the cluster node name at <hostname> and the MAC address of the network interface that presents the AT Service Virtual Name at <Hosts MAC Address>. For example:

The user needs to repeat the line for every cluster node. You can copy the same lines specified in the last section.

  EndNICSection

  ###################################################################
  #MountV
  ###################################################################
  BeginMountVSection
  MountPath=<Shared volume mount location>

This is the shared drive letter and directory for the AT files. It is recommended to use a drive letter as the mount point. If a mount point directory is used instead of a drive letter, ensure that the mount directory is empty on the inactive node before performing a failover. For example:

  MountPath=L:\

You can create a shared disk group with volumes on top of it and assign a shared drive letter to the created volume using VERITAS Enterprise Administrator.

  VolumeName=atmnt

Volume name of the created volume under the disk group.

  VMDGResName=vxatDG

This is the resource name. Do not change it.

  EndMountVSection

  ###################################################################
  # Agent(AT)
  ###################################################################
  BeginAgentSection
  OnlineRetryLimit=10
  RestartLimit=10
  OnlineWaitLimit=10
  EndAgentSection

No changes are required for this section.

  ###################################################################
  #DiskRes
  ###################################################################
  BeginDiskResSection
  Signatures=
  EndDiskResSection

Nothing needs to be specified for this section.

  ###################################################################
  #VMDg
  ###################################################################
  BeginVMDgSection
  DiskGroupName=<Disk Group Name>

You can create a shared disk group using VERITAS Enterprise Administrator.

  EndVMDgSection

  ###################################################################
  #RegRep
  ###################################################################
  BeginRegRepSection
  MountResName=vxatMNT
  ReplicationDirectory="\\"
  Keys="HKEY_LOCAL_MACHINE\SOFTWARE\VERITAS\SECURITY\AUTHENTICATION"
  EndRegRepSection

No changes are required.

  ###################################################################
  #General config Info
  ###################################################################
  BeginGENSection
  DiskGroupConfig=y

Do not change the value of this key.

  SystemList=<Cluster node list>

List of all cluster nodes where authentication should already have been installed. The list of system nodes can be obtained by using "hasys -list".

  ClusterName=<AT Service Virtual Name>

This is the host name for the AT Service Virtual Name.

  ClusterAuthSourceLocation=<Shared volume mount location>

Must match MountPath. Specify the same value specified under the MountV section for MountPath=<Shared volume mount location>.

  AuthSourceMountLocation=<Shared volume mount location>

Must match MountPath.

  EndGENSection

How to verify configuration of authentication into VCS on Windows

You can verify configuration of AT into VCS on Windows either through the command line or through the GUI.

How to verify through the command line

You can use the command line to verify the configuration, as follows:

  hastatus -sound -group vxss_service

On Windows the command is already in PATH. Output is similar to the following:

  attempting to connect...connected
  group resource system message
  MANJULA RUNNING
  UTER RUNNING
  vxss_service MANJULA ONLINE
  vxss_service UTER OFFLINE
  vxatdg MANJULA ONLINE
  vxatdg UTER OFFLINE
  vxatmnt MANJULA ONLINE
  vxatmnt UTER OFFLINE
  vxatregrep MANJULA ONLINE
  vxatregrep UTER OFFLINE
  vxat MANJULA ONLINE
  vxat UTER OFFLINE
  vxatip MANJULA ONLINE
  vxatip UTER OFFLINE
  vxatnic MANJULA ONLINE
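The check a practitioner performs by eye on the hastatus output above (the failover group online on exactly one running node, every resource following it) can be scripted; the same check applies to the UNIX output later in this chapter, which has the same column layout. The following Python is an added example, not part of the product or of VxATclconf.pl; it assumes hastatus prints the four columns at fixed widths (the constructed sample is built that way) and treats vxatnic as a persistent resource that is legitimately ONLINE on every node.

```python
"""Check the output of 'hastatus -sound -group vxss_service' after
configuring AT into VCS.  Added example; not part of the product."""


def _row(group="", resource="", system="", message=""):
    """Lay a row out in the fixed column widths this example assumes."""
    return "%-16s%-16s%-16s%s" % (group, resource, system, message)


# Constructed sample modelled on the Windows output above: a two-node
# cluster with the AT service group online on MANJULA only.  The NIC
# resource is persistent, so it is ONLINE on both nodes.
SAMPLE_OUTPUT = "\n".join([
    "attempting to connect....connected",
    "",
    _row("group", "resource", "system", "message"),
    _row("-" * 15, "-" * 15, "-" * 15, "-" * 15),
    _row(system="MANJULA", message="RUNNING"),
    _row(system="UTER", message="RUNNING"),
    _row(group="vxss_service", system="MANJULA", message="ONLINE"),
    _row(group="vxss_service", system="UTER", message="OFFLINE"),
] + [
    _row(resource=res, system=sys_, message=state)
    for res in ("vxatdg", "vxatmnt", "vxatregrep", "vxat", "vxatip")
    for sys_, state in (("MANJULA", "ONLINE"), ("UTER", "OFFLINE"))
] + [
    _row(resource="vxatnic", system="MANJULA", message="ONLINE"),
    _row(resource="vxatnic", system="UTER", message="ONLINE"),
])


def parse_hastatus(text):
    """Return the table rows as dicts keyed group/resource/system/message.
    Column starts are read from the header line, so any consistent width
    works; blank lines, the dashed rule and the connect banner are skipped."""
    lines = text.splitlines()
    names = ["group", "resource", "system", "message"]
    header = next(i for i, l in enumerate(lines) if l.startswith("group"))
    starts = [lines[header].index(n) for n in names] + [None]
    rows = []
    for line in lines[header + 1:]:
        if not line.strip() or set(line.strip()) <= set("- "):
            continue
        rows.append({n: line[starts[i]:starts[i + 1]].strip()
                     for i, n in enumerate(names)})
    return rows


def check_failover_group(text, group="vxss_service", persistent=("vxatnic",)):
    """Return a list of problems for a failover service group.  The group must
    be ONLINE on exactly one RUNNING system and OFFLINE on the others, and
    every resource except the persistent ones must follow the group."""
    rows = parse_hastatus(text)
    problems = []
    running = {r["system"] for r in rows
               if not r["group"] and not r["resource"] and r["message"] == "RUNNING"}
    state = {r["system"]: r["message"] for r in rows if r["group"] == group}
    if not state:
        # This is the expected result after unconfiguring with -Mu.
        return ["group %s not present" % group]
    online = [s for s, st in state.items() if st == "ONLINE"]
    if len(online) != 1:
        problems.append("%s is ONLINE on %d systems, expected 1" % (group, len(online)))
    for s, st in state.items():
        if s not in running:
            problems.append("system %s is not RUNNING" % s)
        if st not in ("ONLINE", "OFFLINE"):
            problems.append("%s on %s is %s" % (group, s, st))
    active = online[0] if len(online) == 1 else None
    for r in rows:
        res = r["resource"]
        if not res or res in persistent:
            continue
        expected = "ONLINE" if r["system"] == active else "OFFLINE"
        if r["message"] != expected:
            problems.append("resource %s on %s is %s, expected %s"
                            % (res, r["system"], r["message"], expected))
    return problems


if __name__ == "__main__":
    print(check_failover_group(SAMPLE_OUTPUT) or "vxss_service looks healthy")
```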

How to verify through the Java console

You can verify configuration by looking at the resource tree through the GUI. See Figure 4-2, "Resource tree for successful configuration".

Figure 4-2 Resource tree for successful configuration

Unconfiguring authentication from VCS on Windows

This topic explains how to unconfigure authentication from VCS on Windows.

To unconfigure from VCS on Windows

1 Run the VxATclconf.pl script with the -Mu option from the "C:\Program Files\VERITAS\Security\Authentication\bin" directory. It takes the authentication resources offline and deletes the VxAT resource group.

See Table 4-10, "Examples of using -Mu":

Table 4-10 Examples of using -Mu

  To specify paths for AT installation and VCS installation:
    perl VxATclconf.pl -Mu -I"C:\Program Files\VERITAS\Security\Authentication" -V"C:\Program Files\Veritas\cluster server"

  To specify paths for AT installation and VCS installation and to specify input file:
    perl VxATclconf.pl -Mu -I"C:\Program Files\VERITAS\Security\Authentication" -F"C:\Program Files\VERITAS\Security\Authentication\bin\VxATclinput.txt" -V"C:\Program Files\Veritas\cluster server"

  To run with defaults:
    perl VxATclconf.pl -Mu

Note that there is no space between the options and their input.

2 Verify the configuration and check whether the vxss_service resource group has been removed. See "How to verify configuration of authentication into VCS on Windows".

3 To remove the authentication folder from the VCS install path bin directory, run VxATclconf.pl with the -Tu option from the "C:\Program Files\VERITAS\Security\Authentication\bin" directory. See Table 4-11, "Examples of using -Tu":

Table 4-11 Examples of using -Tu

  To specify paths for both AT installation and VCS installation:
    perl VxATclconf.pl -Tu -V"C:\Program Files\VERITAS\cluster server" -I"C:\Program Files\VERITAS\Security\Authentication"

  To specify path for VCS installation only:
    perl VxATclconf.pl -Tu -V"C:\Program Files\VERITAS\cluster server"

Note that there is no space between the options and their input.

How to configure AT into VCS on UNIX

This topic tells how to configure Symantec Product Authentication Service into Veritas Cluster Server (VCS) on UNIX and how to verify the configuration.

How to check whether AT has already been configured

Use any of the following methods to find out whether AT has already been configured into VCS on UNIX:
  Check for the resource group "vxss_service" by running the hagrp -list command from the /opt/vrtsvcs/bin directory.
  Use the command hastatus -sound -group vxss_service to verify the status of the group.

VCS-UNIX cluster platforms: Steps to configure AT into VCS on UNIX

This topic provides steps for configuring Symantec Product Authentication Service into Veritas Cluster Server on UNIX.

Prerequisites

Prerequisites are the following:
  Remote shell must be enabled for cluster configuration to take place.
  Install and configure AT if it is not already installed.
  There should be a separate disk group available for AT. It should have a properly formatted volume under it, depending on the underlying volume manager (VxVM, LVM, etc.). Make sure that one can import or deport the disk group manually.
  Make sure that Perl is in the default PATH. If Perl is not present in the default PATH, add the following Perl path to the default path: /opt/vrtsperl/bin/
  Find and make a note of the following values:
    System Names
    Disk Group Name and Volume
    Mount Point
    AT Service Virtual Name

    AT Service Virtual IP Address
    Netmask
    Network Interface

To configure AT into VCS on UNIX

1 Locate VxATclconf.pl, which resides in the following location: /opt/vrtsat/bin

2 Familiarize yourself with the options that you can use with VxATclconf.pl. See Table 4-12, "Options for VxATclconf.pl script on UNIX".

Table 4-12 Options for VxATclconf.pl script on UNIX

  Option                      Function
  -Mi                         Selects interactive mode. During configuration the script requests the required option values before creating the needed resources.
  -Mn                         Selects non-interactive mode. Reads input from VxATclinput.txt, which resides in the same directory where the VxATclconf.pl file is present. The VxATclinput.txt file contains all the attribute values required to configure AT into VCS (default option).
  -Mu                         Unconfigures AT from VCS.
  -P                          Cleans up the current configuration of AT into VCS and modifies the AT credential setup to make AT highly available per the new model.
  -F<input file>              Specifies an input file to use other than the default. The default is VxATclinput.txt in the same directory.
  -I<VxAT install location>   Specifies the AT installation path. The default path for AT on UNIX is /opt/vrtsat/.
  -V<VCS install location>    Specifies the Veritas Cluster Server installation path. The default path for Cluster Server on UNIX is /opt/vrtsvcs/.
  -D<string>                  Specifies debug mode only. Commands go nowhere.
  -help                       Provides usage information.

Only one of the following options can be used at a time:
  -P
  -Mi
  -Mn
  -Mu

See "Example of input prompts for interactive mode".

3 If you want to run non-interactively, run VxATclconf.pl with the -Mn option from the /opt/vrtsat/bin directory. If you are using the -Mn option, then the input file VxATclinput.txt must be present in the same directory as the perl file. See Table 4-13, "Examples of -Mn on UNIX":

Table 4-13 Examples of -Mn on UNIX

  To specify paths for both AT installation and VCS installation:
    perl VxATclconf.pl -Mn -I/opt/VRTSat -V/opt/VRTSvcs

  To use the default installation paths for authentication and VCS:
    perl VxATclconf.pl -Mn

Note that there is no space between the options and their input.

4 If you want to run interactively, run VxATclconf.pl with the -Mi option from the /opt/vrtsat/bin directory. See Table 4-14, "Examples of -Mi on UNIX".

Table 4-14 Examples of -Mi on UNIX

  To specify paths for both AT installation and VCS installation:
    perl VxATclconf.pl -Mi -I/opt/VRTSat -V/opt/VRTSvcs

  To use the default installation paths for authentication and VCS:
    perl VxATclconf.pl -Mi

Note that there is no space between the options and their input.

Configuration file details on UNIX

For UNIX platforms, the default input file VxATclinput.txt is shipped under the /opt/vrtsat/bin directory.

Note: If you are using the -Mn option, then the input file VxATclinput.txt must be present in the same directory as the perl file.

The input file contains all the attribute values that are required to configure AT into VCS.

  ###################################################################
  # Process
  ###################################################################
  BeginProcessSection
  PathName="/opt/VRTSat/bin/vxatd"
  EndProcessSection

No changes are required.

  ###################################################################
  # AT
  ###################################################################
  BeginATSection
  EndATSection

No changes are required.

  ###################################################################
  #IP
  # For example Address= nnn.nnn.nnn.nnn (IP address of the AT Service
  # Virtual Name)
  # Eg: NetMask=nnn.nnn.nnn.nnn
  # Eg: Device=hme0
  ###################################################################
  BeginIPSection
  Address=nnn.nnn.nnn.nnn

This is the AT Service Virtual IP Address.

  NetMask=nnn.nnn.nnn.nnn

This is the Netmask for the AT Service Virtual IP Address.

  Device=lan2

Network interface device name on which the AT Service Virtual IP address is active.

  EndIPSection

  ###################################################################
  #NIC
  # Device - The network interface device to present the AT Service
  # Virtual Name on
  # NetworkHosts@<hostname> - The NetworkHosts <ip address> available
  # on the Device for each cluster node
  # NetworkHosts@sys01=<ip address available on specified Device>
  # NetworkHosts@sys02=<ip address available on specified Device>

  # e.g.
  # NetworkHosts@swlx09=
  # NetworkHosts@swlx10=
  ###################################################################

  ###################################################################
  #Mount
  # Enter the values
  # Eg: BlockDevice=/dev/vx/dsk/orabindg/orabinvol
  # Eg: MountPoint=/var/VRTSat/mnt
  ###################################################################
  BeginMountSection
  MountPoint=/var/VRTSat/mnt

New mount point for the shared volume.

  BlockDevice=/dev/vx/dsk/vxss/volat

Block device associated with the shared disk group volume.

  FSType=vxfs
  FsckOpt=%-y

No change, if the shared volume has vxfs.

  EndMountSection

  ###################################################################
  # Diskgroup(VM)
  # Separate Diskgroup and Volume for AT should be created
  # For Eg:- DiskGroup=orabindg
  ###################################################################
  BeginDiskGroupSection
  StartVolumes=1
  StopVolumes=1

No change.

  DiskGroup=<Disk Group Name>

Disk Group Name.

  EndDiskGroupSection

  ###################################################################
  #Volume(VM)
  # DiskGroup - Include the one you created for AT
  # For Eg:- DiskGroup=orabindg and Volume=orabinvol
  ###################################################################
  BeginVolumeSection
  DiskGroup=<Disk Group Name>

Disk Group Name.

  Volume=<Volume Name Only>

Volume name that will be present under the specified Disk Group.

  EndVolumeSection

  ###################################################################
  # Agent(AT)
  ###################################################################
  BeginAgentSection

  OnlineRetryLimit=10
  RestartLimit=10
  OnlineWaitLimit=10
  EndAgentSection

No change.

  ###################################################################
  # LVMLogicalVolume(HP)
  # Eg: LogicalVolume=test1
  # Eg: VolumeGroup=testgroup
  ###################################################################

This section is needed for the HP-UX platform, if LVM is present on the cluster nodes.

  BeginLVMLogicalVolumeSection
  LogicalVolume=<Logical Volume Name>

Logical Volume name.

  VolumeGroup=<Disk Group Name>

Disk Group Name.

  EndLVMLogicalVolumeSection

  ###################################################################
  #LVMVolumeGroup(HP)
  # Eg: VolumeGroup=testgroup
  ###################################################################
  BeginLVMVolumeGroupSection
  VolumeGroup=vgdatabase

Disk Group Name.

  EndLVMVolumeGroupSection

  ###################################################################
  # LVMVG(AIX)
  ###################################################################
  BeginLVMVGSection
  VolumeGroup=

Name of the volume group configured with LVM. For example, testvg1.

  MajorNumber=

Integer that represents the major number of the volume group. To ensure NFS functions properly, assign the same major number to the volume group on each system in the cluster.

  ImportvgOpt=

Attribute used to specify options for the importvg command. Default is "n". This option indicates the volume group is not automatically activated when imported.

  VaryonvgOpt=

Attribute used to specify options for the varyonvg command. By default, this string is empty.

  SyncODM=

Integer that specifies whether or not the agent ensures the ODM is in sync with any changes to the volume group. If set to 1, the agent ensures the ODM is in sync with the changes to the volume group (if the volume group was modified on another system in the cluster). The sync operation occurs on the system where the agent brings the volume group online. If set to 0, the changes to the volume group are independent of the ODM. Default is 1.

  Disks=

List of disks underneath the volume group. If multiple paths to the same disk device exist, specify all of the paths in this list to ensure high availability. The Disks attribute enables you to set localized values for cluster systems. For example, if the physical volume is "hdisk2" on systemA and "hdisk9" on systemB, specify the Disks attribute for the volume group created on top of the physical volume as:

  LVMVG myvg (
      VolumeGroup = myvg
      MajorNumber = 45
      Disks@systemA = { hdisk2 }
      Disks@systemB = { hdisk9 }
      )

If a volume group spans more than one shared disk (such as hdisk3 and hdisk6), this attribute is defined in the resource definition for the volume group as:

  Disks = { "hdisk3", "hdisk6", "hdisk10" }

  EndLVMVGSection

  ###################################################################
  # DiskReservation(linux)
  # Eg:- Disks=test2
  ###################################################################
  BeginDiskReservationSection
  Disks=
  FailFast=
  Percentage=
  EndDiskReservationSection

No changes.

  ###################################################################
  # General config Info
  # For SystemList enter the list of systems
  # Eg:- SystemList=thor126 thor127
  # For ClusterName Eg: ClusterName=host.my_domain.com
  # For ClusterAuthSourceLocation enter the location
  # Eg:- ClusterAuthSourceLocation: Must match the MountPath entry
  # AuthSourceMountLocation: Must match the MountPath entry

  ###################################################################
  BeginGENSection
  DiskGroupConfig=n
  VolumeConfig=n

If and only if the underlying volume manager is VxVM can the user specify "y" for DiskGroupConfig and VolumeConfig. This creates Disk Group and Volume resources in the cluster.

  HPLVMVolumeGroupConfig=y
  HPLVMLogicalVolumeConfig=y

Specify "y" for the HP-UX platform; otherwise give "n" here.

  AIXLVMVGConfig=n

Specify "y" for the AIX platform; otherwise give "n" here.

  DiskReservationConfig=n

Specify "y" for the Linux platform; otherwise give "n" here.

  SystemList=<Cluster node list>

List of all cluster nodes where authentication should already have been installed. The list of system nodes can be obtained by using "hasys -list".

  ClusterName=<AT Service Virtual Name>

Used as the AT process virtual name.

  ClusterAuthSourceLocation=<Shared volume mount path>
  AuthSourceMountLocation=<Shared volume mount path>

Specify the same value specified under the MountV section for MountPath=<Shared volume mount path>.

  EndGENSection

How to verify configuration of AT into VCS on UNIX

You can verify configuration of AT into VCS either through the command line or through the GUI.

How to verify through the command line

You can use the command line to verify the configuration on UNIX. Use the command as follows:

  hastatus -sound -group vxss_service

The hastatus CLI is available under the /opt/vrtsvcs/bin directory on UNIX. Output is similar to the following:

  group resource system message

  khaki RUNNING
  linen RUNNING
  vxss_service linen ONLINE
  vxss_service khaki OFFLINE
  vxatmnt linen ONLINE
  vxatmnt khaki OFFLINE
  vxatdg linen ONLINE
  vxatdg khaki OFFLINE
  vxat linen ONLINE
  vxat khaki OFFLINE
  vxatip linen ONLINE
  vxatip khaki OFFLINE
  vxatnic linen ONLINE
  vxatnic khaki ONLINE
  vrtsaz linen ONLINE
  vrtsaz khaki OFFLINE
  vxazmnt linen ONLINE
  vxazmnt khaki OFFLINE
  vxazdg linen ONLINE
  vxazdg khaki OFFLINE

How to verify through the GUI

You can also verify configuration by looking at the resource tree through the GUI. Figure 4-3, "Resources tree for all versions of VCS", shows how the resources tree for AT looks for a successful configuration.

Note: In earlier releases, the resource tree differed for non-securable VCS and securable VCS. The resource tree now looks the same for all versions of VCS.
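Before running VxATclconf.pl -Mn, the VxATclinput.txt file described in "How to modify the VxATclinput.txt file" (Windows) and "Configuration file details on UNIX" can be checked for the cross-section rules those notes state: ClusterAuthSourceLocation and AuthSourceMountLocation must equal the mount path, every node in SystemList needs its own MACAddress@host (Windows) or NetworkHosts@host (UNIX) entry, and the nnn.nnn.nnn.nnn placeholders must be replaced with real addresses. The following Python is an added example, not part of the product; the parser, the dotted-quad rule and the constructed sample file (made-up host names and MAC addresses) are assumptions of this example.

```python
"""Pre-flight checks for a VxATclinput.txt file before running
VxATclconf.pl -Mn.  Added example; not part of the product."""
import re

SECTION_RE = re.compile(r"^(Begin|End)(\w+)Section$")
DOTTED_QUAD = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_input_file(text):
    """Parse Begin<X>Section/End<X>Section blocks into {section: {key: value}}.
    '#' lines are comments; keys like MACAddress@host1 keep their '@host'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            kind, name = m.groups()
            if kind == "Begin" and current is None:
                current = name
                sections.setdefault(name, {})
            elif kind == "End" and current == name:
                current = None
            else:
                raise ValueError("bad section nesting at %r" % line)
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError("malformed line: %r" % line)
        sections[current][key.strip()] = value.strip().strip('"')
    if current is not None:
        raise ValueError("unterminated section %s" % current)
    return sections


def per_node(section, attr):
    return {k.split("@", 1)[1]: v for k, v in section.items()
            if k.startswith(attr + "@")}


def check_input_file(text):
    """Return a list of problems; an empty list means the file is consistent.
    Handles the Windows layout (MountV, MACAddress@host) and UNIX (Mount, NetworkHosts@host)."""
    s = parse_input_file(text)
    windows = "MountV" in s
    gen, ip = s.get("GEN", {}), s.get("IP", {})
    problems = []
    nodes = gen.get("SystemList", "").split()
    if not nodes:
        problems.append("GEN:SystemList is empty")
    # Both GEN locations must match the shared volume mount path.
    mount = s["MountV"].get("MountPath") if windows else s.get("Mount", {}).get("MountPoint")
    for key in ("ClusterAuthSourceLocation", "AuthSourceMountLocation"):
        if gen.get(key) != mount:
            problems.append("GEN:%s=%r does not match mount path %r"
                            % (key, gen.get(key), mount))
    # A nnn.nnn.nnn.nnn placeholder left in the IP section is easy to miss.
    for key in ("Address", "SubNetMask" if windows else "NetMask"):
        v = ip.get(key, "")
        if not DOTTED_QUAD.fullmatch(v) or max(int(o) for o in v.split(".")) > 255:
            problems.append("IP:%s=%r is not a dotted-quad address" % (key, v))
    # Every node in SystemList needs its own localized network entry.
    wanted = [("IP", "MACAddress"), ("NIC", "MACAddress")] if windows else [("NIC", "NetworkHosts")]
    for sect, attr in wanted:
        have = per_node(s.get(sect, {}), attr)
        for node in nodes:
            if not have.get(node):
                problems.append("%s:%s@%s is missing or empty" % (sect, attr, node))
        for host in have:
            if host not in nodes:
                problems.append("%s:%s@%s is not in SystemList" % (sect, attr, host))
    return problems


# Constructed Windows-style sample with three deliberate mistakes: the IP
# address placeholder was never filled in, the NIC section lacks the second
# node, and AuthSourceMountLocation disagrees with MountPath.
WINDOWS_SAMPLE = r"""BeginIPSection
Address=nnn.nnn.nnn.nnn
SubNetMask=255.255.255.0
MACAddress@sigwinvcs1=00-00-00-E4-66-4E
MACAddress@sigwinvcs2=00-00-00-E4-66-CF
EndIPSection
BeginNICSection
MACAddress@sigwinvcs1=00-00-00-E4-66-4E
EndNICSection
BeginMountVSection
MountPath=L:\
EndMountVSection
BeginGENSection
DiskGroupConfig=y
SystemList=sigwinvcs1 sigwinvcs2
ClusterAuthSourceLocation=L:\
AuthSourceMountLocation=C:\AT_cred
EndGENSection
"""

if __name__ == "__main__":
    for problem in check_input_file(WINDOWS_SAMPLE):
        print(problem)
```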

Figure 4-3 Resources tree for all versions of VCS

Unconfiguring AT from VCS on UNIX

This topic tells how to unconfigure AT from VCS on UNIX platforms.

To unconfigure AT from VCS on UNIX

1 Run VxATclconf.pl with the -Mu option from the /opt/vrtsat/bin directory. Run as follows:

  perl VxATclconf.pl -Mu -I/opt/VRTSat -V/opt/VRTSvcs

This command takes the AT resources offline and deletes the VxAT resource group.

2 Use the same commands used in the last step to verify the configuration and check whether the vxss_service resource group has been removed.

See "How to verify configuration of AT into VCS on UNIX".

How to configure AT into Tru64

This topic tells how to configure Symantec Product Authentication Service into Tru64 and how to verify the configuration.

Steps to configure AT into Tru64

This topic provides steps for configuring AT into Tru64 and verifying the configuration.

Prerequisites

Prerequisites are the following:
  Remote shell must be enabled for cluster configuration to take place.
  Install and configure AT if it is not already installed.
  Find and make a note of the AT Service Virtual Name.

To configure AT into Tru64

1 Locate tcvxat, which resides in the /opt/vrtsat/bin directory.

2 Set the cluster name first, using the following command line option:

  ./tcvxat -setvirtualname <clustername>

3 Configure AT into TruCluster as follows:

  ./tcvxat -register

Output is similar to the following:

  Creating VRTSat application profile
  Validating profile
  caa_profile -validate VRTSat
  Registering profile
  caa_register VRTSat
  Starting VRTSat service
  caa_start VRTSat
  Attempting to start `VRTSat` on member `MyHost`
  Start of `VRTSat` on member `MyHost` succeeded.
  VRTSat successfully registered as a caa application

A companion command exists to unregister. It is as follows:

  ./tcvxat -unregister

How to verify configuration status on Tru64

You can verify configuration on TruCluster by using the caa_stat utility as follows:

To verify configuration

1 Locate the caa_stat utility, which resides in the /opt/vrtsat/bin directory.

2 Run as follows:

  caa_stat

Output is similar to the following:

  NAME=VRTSat
  TYPE=application
  TARGET=ONLINE
  STATE=ONLINE on MyHost

How to configure AT into Sun Cluster

This topic includes the following information:
  Steps to configure AT into Sun Cluster
  How to verify configuration into Sun Cluster

Steps to configure AT into Sun Cluster

This topic explains how to configure Symantec Product Authentication Service into Sun Cluster without using installics.

Prerequisites

Prerequisites are as follows:
  Remote shell must be enabled for cluster configuration to take place.
  Install and configure AT if it is not already installed.
  Configure AT on one of the cluster nodes in any mode. Keep AT unconfigured on the other cluster nodes.
  A global device should be configured properly into Sun Cluster.
  There should be a separate disk group available for AT. It should have a properly formatted volume under it, depending on the underlying volume manager. Register the new disk group in the cluster before using it.
  Find and make a note of the following values:

    Disk Group Name and Volume
    AT Service Virtual Name
    Globaldevice (Network Interface)
  Invoke AT HA configuration from the cluster node where AT is configured.

To configure AT into Sun Cluster

1 Locate scvxat, which resides in the /opt/vrtsat/bin directory.

2 Note the following parameters, which you will need to enter later:

  <device to mount>   Block device used to mount. The path to the device group block device is as follows: /dev/vx/dsk/<disk group name>/<volume name>
  <device to fsck>    Character device corresponding to the block device. The path to the device group raw device is as follows: /dev/vx/rdsk/<disk group name>/<volume name>
  <Mount Point>       Location where the logical volume should get mounted. Specify the mount point /var/VRTSat/mnt.

3 Run the scvxat script with the -clean option on every node of the cluster, as follows:

  ./scvxat -clean <device to mount> <device to fsck> <Mount Point>

For example:

  ./scvxat -clean /dev/vx/dsk/sigclus/at_vol /dev/vx/rdsk/sigclus/at_vol /var/vrtsat/mnt

4 Run the scvxat script with the -cleansource option on the active node as follows:

  ./scvxat -cleanresource

The disk group is the one that you created by using VxVM. Output similar to the following indicates success:

  /var/vrtsat/mnt is not present. Creating /var/vrtsat/mnt
  Modified /etc/vfstab, added the following entry:
  /dev/vx/dsk/sigclus/at_vol /dev/vx/rdsk/sigclus/at_vol /var/VRTSat/mnt ufs 2 no -
  Change if you need special settings

5 Make a note of the following parameters, which you will need to provide:

  <AT Service Virtual Name>   AT Service Virtual Name, configured into one network interface of all cluster nodes
  <globaldevice>              Name of the global device that is shown in the output of scstat -p
  <Mount Point>               Location where the logical volume should get mounted. Specify the mount point /var/vrtsat/mnt.

6 Provide the parameters to the scvxat script with the -create option, as follows:

  ./scvxat -create <AT Service Virtual Name> <globaldev> <Mount Point>

7 Provide the parameters to the scvxat script with the -cleansource option, as follows:

  ./scvxat -cleanresource

The following message indicates success:

  VRTSat successfully configured as a failover resource

How to verify configuration into Sun Cluster

You can use the following methods to verify configuration into Sun Cluster:
  The scstat utility, which resides in the /opt/vrtsat/bin directory
  The SunPlex Manager

How to use the utility to verify configuration

Use the scstat utility to verify the status of the Symantec Product Authentication Service configuration, as follows:

  scstat -p   Shows you the cluster status, for example the status of nodes, the quorum device, device groups, resource groups, and IPMP groups.
  scstat -g   Shows you the status of resource groups only.

Output provides the resource name, node name, state, and status messages.

How to use the SunPlex Manager to verify configuration

To verify configuration through the SunPlex Manager, compare your screen with the one shown in Figure 4-4, "SunPlex Manager screen shot".

Figure 4-4 SunPlex Manager screen shot

AT SunCluster unconfiguration steps

To unconfigure AT 4.3 from SunCluster

1 Locate scvxat, which resides in the /opt/VRTSat/bin directory.

2 Note the following parameters, given earlier while configuring AT high availability into SunCluster:

    <Device to Mount>   Block device used to mount. The path to the device group block device is as follows:
                        /dev/vx/dsk/<disk group name>/<volume name>

    <Device to fsck>    Character device corresponding to the block device. The path to the device group raw device is as follows:
                        /dev/vx/rdsk/<disk group name>/<volume name>

    <Mount Point>       Location where the logical volume should be mounted. Specify the mount point, for example /var/VRTSat/mnt.

3 Run the scvxat script with the -clean option on every node of the cluster, as follows:

    ./scvxat -clean <device to mount> <device to fsck> <mount point>

  For example:

    ./scvxat -clean /dev/vx/dsk/sigclus/at_vol /dev/vx/rdsk/sigclus/at_vol /var/VRTSat/mnt

4 Run the scvxat script with the -cleanresource option, as follows:

    ./scvxat -cleanresource

How to configure AT on HACMP

HACMP is High Availability Cluster Multiprocessing for AIX. This section explains how to configure Symantec Product Authentication Service for high availability on HACMP AIX 5.3.

Configuring AT on HACMP

This topic explains how to install and configure Symantec Product Authentication Service on HACMP.

Prerequisites

Prerequisites are as follows:

    Remote shell must be enabled for cluster configuration to take place.
    Install and configure AT if it is not already installed. Configure AT on one of the cluster nodes in any mode. Keep AT unconfigured on the other cluster nodes.
    Make an LVM shared volume group or Veritas Volume Manager shared disk group with a volume that has a file system on it.
    Make sure that the volume group or disk group can be imported and deported manually.
    Register the volume group or disk group with the HACMP cluster.
    Find and make a note of the following values:
        AT Service Virtual Name
        Network Interface
        Shared disk group or shared volume group
        Shared logical volume
        Mount Point

Invoke AT HA configuration from the cluster node where AT is configured.

To install and configure AT

1 Locate the hacmp_at_config file, which resides in the /opt/VRTSat/bin directory.

2 Run hacmp_at_config with the -c option as follows:

    ./hacmp_at_config -c -s <AT Service Virtual Name> -w <Network Interface> -m <Mount point> -d <Top level directory name>

  The options are as follows:

    Option   Meaning
    -s       AT Service Virtual Name
    -w       Network interface on which the AT Service Virtual Name is to be visible
    -m       Mount point of the file system in which the VxAT shared storage will reside
    -d       Top level directory name for the VxAT

  For example:

    ./hacmp_at_config -c -s chevyserv1 -w net_ether_01 -m /ha -d /ha

  Error codes are as follows:

    0              Success
    2              Usage error
    3              The vxss_service group is already present
    Other values   Error

How to verify configuration on HACMP

This topic tells how to verify the configuration status.

To verify configuration status on HACMP

1 Run cldisp to check whether the vxat application was created. Output is as follows:

    Cluster: aixhacmp
    Cluster services: active
    State of cluster: up
    Substate: stable

    ############# APPLICATIONS #############
    Cluster aixhacmp provides the following applications: vxat
    Application: vxat {online}
    This application is part of resource group 'vxss_service'

2 Run clrginfo to check whether the vxss_service resource group exists. Output is as follows:

    Group Name      State     Node
    vxss_service    ONLINE    hostname01
                    OFFLINE   hostname02

Unconfiguring AT on HACMP

This topic explains how to uninstall and unconfigure Symantec Product Authentication Service on HACMP.

To uninstall AT

1 Locate the hacmp_at_config file, which resides in the /opt/VRTSat/bin directory.

2 Run hacmp_at_config with the -u option as follows:

    ./hacmp_at_config -u -m <Mount point>

3 Run the verification test and verify whether the VxAT resource group has been deleted.

HACMP configuration details

Figure 4-5 Failover: VxSS Service illustrates the configuration details.

Figure 4-5 Failover: VxSS Service

About the vxss_service failover group

This group contains all the resources that are necessary for Symantec Product Authentication Service, such as the mount group, the file system, the AT Service Virtual Name, and so on. The vxss_service group also contains a VxAT application server. The application monitor for this application tries to bring it up a predefined number of times. If those attempts do not succeed, the application server is marked as failed, since the monitor does not find the VxAT application server on the same node in an online state.

How to configure AT on HP Serviceguard

You can configure Symantec Product Authentication Service as a failover data service on HP Serviceguard.

How to configure AT into HP-SG

You can configure Symantec Product Authentication Service into HP-SG either silently or interactively.

Prerequisites

Prerequisites are as follows:

    Remote shell must be enabled for cluster configuration to take place.
    Install and configure AT if it is not already installed. Configure AT on one of the cluster nodes in any mode. Keep AT unconfigured on the other cluster nodes.
    There should be a separate volume group available for AT. It should have a properly formatted volume under it, depending on the underlying volume manager. Only LVM is supported. There is no support for VxVM.
    Make sure that the volume group can be imported and deported manually.
    Perl must be in the default PATH in order to execute the cluster scripts.
    Find and make a note of the following values:
        LVM volume group, and volume with a file system on it
        System names
        AT Virtual Service Name
        AT Virtual Service IP Address
        Network subnet
        Mount Point

Invoke AT HA configuration from the cluster node where AT is configured.

Steps

Use the hpsgvxatconf.pl command to configure AT into HP-SG either silently or interactively. This Perl script resides in the following directory:

    /opt/VRTSat/bin/cluster/

Use the command as follows, with either uppercase or lowercase options:

    perl hpsgvxatconf.pl [c | u] [i] [h]

Table 4-15, Options for hpsgvxatconf.pl, shows the options and their meanings:

Table 4-15 Options for hpsgvxatconf.pl

    Option   Meaning
    c        Silently configures AT into the cluster
    u        Unconfigures AT from the cluster
    i        Interactively configures AT into the cluster by asking questions and filling in the configuration file
    h        Prints usage

Configuring silently

You can configure Symantec Product Authentication Service silently. In that case, you must edit the hpsgvxat.conf file yourself and put the necessary entries into it. The hpsgvxat.conf file should reside in the /opt/VRTSat/bin/cluster directory.

To configure AT silently

Run hpsgvxatconf.pl with the c option as follows:

    perl hpsgvxatconf.pl c

Note that there is no hyphen (-) before the c.

Configuring interactively

You can configure Symantec Product Authentication Service interactively. Interactive configuration creates the hpsgvxat.conf file in the local directory from which the Perl script hpsgvxatconf.pl was called and adds the required information to it.

To configure AT interactively

1 Run hpsgvxatconf.pl with the i option as follows:

    perl hpsgvxatconf.pl i

  Note that there is no hyphen (-) before the i.

2 Enter the VxAT package name, or press Enter for the default [vxsspackage].

3 Enter the directory for the configuration file, or press Enter for the default [/tmp/cmcluster]: /etc/cmcluster. The path should contain cmcluster in it (for example /tmp/cmcluster, /usr/cmcluster).

4 Enter the cluster configuration file name. Specify the full path (for example /etc/cmcluster/hp.ascii), or press Enter for the default [/etc/cmcluster/cluster2.ascii].

5 Enter the list of system names that require configuration, separated by spaces, as follows: System01 System02

6 Enter the AT Service Virtual Name.

7 Enter the AT Service Virtual IP Address: nnn.nnn.nnn.nnn

8 Enter the subnet for the specified address: nnn.nnn.nnn.nnn

9 Enter the name of the HP shared volume group or LVM shared volume group, such as /dev/vgdatabase

10 Enter the name of the HP shared logical volume or LVM shared logical volume, such as /dev/vgdatabase/lvol1

11 Enter the new mount point for the logical volume, or press Enter for the default [/var/VRTSat/mnt].

12 Enter any unmount options wanted, or press Enter for the default [-V].

13 Enter any file system check (fsck) options needed, or press Enter for the default [-y -o full].

14 Enter the type of file system on the HP shared volume group or LVM shared volume group, or press Enter for the default [vxfs].

Sample output

Output is like the following:

    Existing configuration is:
    Configuration type : new
    Package name : vxsspackage
    ConfigDirectory : /etc/cmcluster
    Node : sshp05
    Node : sshp06
    Service Name 0 : atservice
    Service FailFast 0 : 0
    Service Halt Timeout 0 : 0
    Service Restart 0 : -1
    Service Command 0 : /opt/VRTSat/bin/cluster/hpsg_atservicescript.sh
    Pre Exec action 0 : /opt/VRTSat/bin/vssregctl -f"/var/VRTSat/.VRTSat/profile/VRTSatlocal.conf" -s -b"Security\Authentication\Authentication Broker" -t"string" -k"clustername" -v"hpservmay"
    Pre Exec action 1 : /opt/VRTSat/bin/vssregctl -f"/var/VRTSat/.VRTSat/profile/VRTSatlocal.conf" -s -b"Security\Authentication\Authentication Broker\AtPlugins\vx" -t"string" -k"abauthsourcelocation" -v"/var/VRTSat/mnt/ABAuthSource"
    Pre Exec action 2 : /opt/VRTSat/bin/vssregctl -f"/var/VRTSat/.VRTSat/profile/VRTSatlocal.conf" -s -b"Security\Authentication\Authentication Broker\AtPlugins\vx" -t"string" -k"rbauthsourcelocation" -v"/var/VRTSat/mnt/RBAuthSource"
    Pre Exec action 3 : /opt/VRTSat/bin/vssregctl -f"/var/VRTSat/.VRTSat/profile/VRTSatlocal.conf" -s -b"Security\Authentication\Authentication Broker" -t"string" -k"rootbrokertag" -v"sshp06"
    Pre Exec action 4 : /usr/bin/mkdir /var/VRTSat/mnt 2> /dev/null
    Pre Exec action 5 : vgchange -a e /dev/vgdatabase
    Pre Exec action 6 : mount /dev/vgdatabase/lvol1 /var/VRTSat/mnt
    Pre Exec action 7 : cp -f /var/VRTSat/ABAuthSource /var/VRTSat/mnt
    Pre Exec action 8 : cp -f /var/VRTSat/RBAuthSource /var/VRTSat/mnt
    Pre Exec action 9 : /usr/bin/umount /var/VRTSat/mnt
    Pre Exec action 10 : rcp -r /var/VRTSat/.VRTSat sshp05:/var/VRTSat
    Pre Exec action 11 : rcp /opt/VRTSat/bin/root_hash sshp05:/opt/VRTSat/bin
    Custom halt command 0 : /opt/VRTSat/bin/cluster/hpsg_atservicestop.sh
    IP address 0 : and subnet 0 :
    Name 0 : /dev/vgdatabase/lvol1

How to verify configuration status

The following error codes provide some information about the status:

    0   Success
    1   Indicates that the configuration file (hpsgvxat.conf) is not available under /opt/VRTSat/bin/cluster
    2   Indicates a usage error

In addition, you can verify configuration status in the following ways:

    By using the cmviewcl utility
    By using Serviceguard Manager

How to use the utility to verify configuration

Use the cmviewcl utility to verify the status of the AT configuration, as follows:

    cmviewcl -v

Sample output

Output is similar to the following:

    CLUSTER        STATUS
    hpservmay      up

      NODE         STATUS       STATE
      sshp05       up           running

        Network_Parameters:
        INTERFACE    STATUS       PATH           NAME
        PRIMARY      up           0/1/2/0        lan0
        PRIMARY      up           0/4/1/0/6/0    lan1
        PRIMARY      up           0/4/1/0/7/0    lan2

        PACKAGE      STATUS       STATE        AUTO_RUN     NODE
        vxsspackage  up           running      enabled      sshp05

          Policy_Parameters:
          POLICY_NAME     CONFIGURED_VALUE
          Failover        configured_node
          Failback        manual

          Script_Parameters:
          ITEM       STATUS   MAX_RESTARTS  RESTARTS   NAME
          Service    up       Unlimited     0          atservice

          Node_Switching_Parameters:
          NODE_TYPE    STATUS       SWITCHING    NAME
          Primary      up           enabled      sshp05       (current)
          Alternate    up           enabled      sshp06

      NODE         STATUS       STATE
      sshp06       up           running

        Network_Parameters:
        INTERFACE    STATUS       PATH           NAME
        PRIMARY      up           0/1/2/0        lan0
        PRIMARY      up           0/4/1/0/6/0    lan1
        PRIMARY      up           0/4/1/0/7/0    lan2

How to use Serviceguard Manager to verify

You can use Serviceguard Manager to verify the configuration of AT into HP-SG. Figure 4-6 Serviceguard Manager shows how the Serviceguard Manager screen should look.
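The verification steps for HACMP (clrginfo output, above) and for HP Serviceguard (cmviewcl -v output) both come down to one question, whether the AT failover resource is online on exactly one node; as an added example that is not part of the release notes, the following shell functions answer it from the outputs in the formats shown, with constructed sample outputs and invented host names.

```shell
#!/bin/sh
# Added example, not from the Symantec release notes: check the state of the
# AT failover resource from the outputs of the cluster utilities the page uses
# for verification, "clrginfo" on HACMP and "cmviewcl -v" on HP Serviceguard.
# The sample outputs are constructed to match the formats the page shows.

# HACMP: read "clrginfo" output on stdin. Succeeds and prints the node only
# when vxss_service is ONLINE on exactly one node; a group that is absent,
# offline everywhere, or online on two nodes at once fails the check.
hacmp_vxss_service_node() {
    awk '
        NF == 3 && $1 != "Group" { group = $1; state = $2; node = $3 }
        NF == 2                  { state = $1; node = $2 }   # continuation line
        (NF == 2 || NF == 3) && group == "vxss_service" && state == "ONLINE" {
            online++; where = node
        }
        END { if (online == 1) { print where; exit 0 } exit 1 }
    '
}

# HP Serviceguard: read "cmviewcl -v" output on stdin. Succeeds and prints the
# node running vxsspackage only when the package is up and running and the
# atservice service is up. A non-zero RESTARTS count is reported on stderr:
# the monitor has restarted the service since the package started, which is
# worth a look at the broker logs even though the package is up.
hpsg_vxsspackage_node() {
    awk '
        $1 == "vxsspackage" && NF == 5          { status = $2; state = $3; node = $5 }
        $1 == "Service" && $NF == "atservice"   { svc = $2; restarts = $4 }
        END {
            if (status != "up" || state != "running" || svc != "up") exit 1
            if (restarts != 0)
                print "warning: atservice restarted " restarts " time(s)" > "/dev/stderr"
            print node
        }
    '
}

# Constructed samples (layout as on the page; host names are invented)
HACMP_OK='Group Name State Node
vxss_service ONLINE hostname01
             OFFLINE hostname02'

HACMP_SPLIT='Group Name State Node
vxss_service ONLINE hostname01
             ONLINE hostname02'

HPSG_OK='PACKAGE STATUS STATE AUTO_RUN NODE
vxsspackage up running enabled sshp05
Script_Parameters:
ITEM STATUS MAX_RESTARTS RESTARTS NAME
Service up Unlimited 0 atservice'

HPSG_DOWN='PACKAGE STATUS STATE AUTO_RUN NODE
vxsspackage down halted disabled unowned
Script_Parameters:
ITEM STATUS MAX_RESTARTS RESTARTS NAME
Service down Unlimited 0 atservice'

# Stand-alone demonstration on the constructed samples
for sample in "$HACMP_OK" "$HACMP_SPLIT"; do
    if node=$(printf '%s\n' "$sample" | hacmp_vxss_service_node); then
        echo "HACMP: vxss_service is ONLINE on $node"
    else
        echo "HACMP: vxss_service is not ONLINE on exactly one node"
    fi
done
if node=$(printf '%s\n' "$HPSG_OK" | hpsg_vxsspackage_node); then
    echo "HP-SG: vxsspackage is running on $node"
fi
```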

Figure 4-6 Serviceguard Manager

Figure 4-7 Service tab for vxsspackage shows how the Service tab for vxsspackage should look.

Figure 4-7 Service tab for vxsspackage

Figure 4-8 General tab for vxsspackage shows how the General tab for vxsspackage should look.

Figure 4-8 General tab for vxsspackage

How to unconfigure authentication from HP-SG

Use the hpsgvxatconf.pl command to unconfigure authentication from HP-SG. This Perl script resides in the following directory:

    /opt/VRTSat/bin/cluster

Use the command as follows, with either uppercase or lowercase options:

    perl hpsgvxatconf.pl u

Note that there is no hyphen (-) before the u.

Sample output

Output is similar to the following:

    Warning: Configuration type not defined. Taking default as new and continuing
    Existing configuration is:
    Configuration type : new
    Package name : vxsspackage
    ConfigDirectory : /usr/cmcluster
    Node : sshp05
    Node : sshp06
    Service Name 0 : atservice
    Service FailFast 0 : 0
    Service Halt Timeout 0 : 0
    Service Restart 0 : -1
    Service Command 0 : /opt/VRTSat/bin/cluster/hpsg_atservicescript.sh
    Pre Exec action 0 : /opt/VRTSat/bin/vssregctl -f"/var/VRTSat/.VRTSat/profile/VRTSatlocal.conf" -s -b"Security\Authentication\Authentication Broker" -t"string" -k"clustername" -v"hpservmay"
    Pre Exec action 1 : /opt/VRTSat/bin/vssregctl -f"/var/VRTSat/.VRTSat/profile/VRTSatlocal.conf" -s -b"Security\Authentication\Authentication Broker\AtPlugins\vx" -t"string" -k"abauthsourcelocation" -v"/var/VRTSat/mnt/ABAuthSource"
    Pre Exec action 2 : /opt/VRTSat/bin/vssregctl -f"/var/VRTSat/.VRTSat/profile/VRTSatlocal.conf" -s -b"Security\Authentication\Authentication Broker\AtPlugins\vx" -t"string" -k"rbauthsourcelocation" -v"/var/VRTSat/mnt/RBAuthSource"
    Pre Exec action 3 : /opt/VRTSat/bin/vssregctl -f"/var/VRTSat/.VRTSat/profile/VRTSatlocal.conf" -s -b"Security\Authentication\Authentication Broker" -t"string" -k"rootbrokertag" -v"sshp05"
    Pre Exec action 4 : /usr/bin/mkdir /var/VRTSat/mnt 2> /dev/null
    Pre Exec action 5 : vgchange -a e /dev/vgdatabase
    Pre Exec action 6 : mount /dev/vgdatabase/lvol1 /var/VRTSat/mnt
    Pre Exec action 7 : cp -f /var/VRTSat/ABAuthSource /var/VRTSat/mnt
    Pre Exec action 8 : cp -f /var/VRTSat/RBAuthSource /var/VRTSat/mnt
    Pre Exec action 9 : /usr/bin/umount /var/VRTSat/mnt
    Pre Exec action 10 : rcp -r /var/VRTSat/.VRTSat sshp06:/var/VRTSat
    Pre Exec action 11 : rcp /opt/VRTSat/bin/root_hash sshp06:/opt/VRTSat/bin
    Custom halt command 0 : /opt/VRTSat/bin/cluster/hpsg_atservicestop.sh
    IP address 0 : and subnet 0 :
    Name 0 : /dev/vgdatabase/lvol1
    cmhaltpkg : Warning: Package vxsspackage is not currently running. Switching will be disabled.
    cmhaltpkg : Warning: Package vxsspackage is already unable to be switched.

Uninstall

Before uninstalling Symantec Product Authentication Service, see Considerations before you uninstall.

Considerations before you uninstall

Other Symantec products and the Symantec Infrastructure Core Services use the Symantec Product Authentication Service.

Caution: Removing AT adversely affects other Symantec products that use it. Remove AT only if you are certain that no other Symantec products use it.

If you have other Symantec products that are installed on your network, check the Symantec product documentation and consult with your network security team to determine whether any of these products use the AT that you want to uninstall. If other Symantec products use the Symantec Product Authentication Service, or if you are not sure, do not uninstall AT.

The Symantec Product Authorization Service (AZ) also depends on AT. If AZ is also installed, uninstall it before you uninstall AT.

How to uninstall

To uninstall on Windows, you can use the Add/Remove feature in the Control Panel.

You can use installics to uninstall AT.

To uninstall on UNIX

1 Go to the directory in which the installics script is located and type the following command:

    ./installics

2 At the task menu prompt, type U to uninstall a product.

3 At the product menu prompt, type 2 to uninstall the Symantec Product Authentication Service.

4 When you are prompted for the system name, type the name of the host on which you want to uninstall the Symantec Product Authentication Service.

5 When you are prompted to confirm the uninstallation, type Y, and then allow the uninstallation to complete. A progress bar tracks the uninstallation progress. The installics script exits when the uninstallation is complete.

About authenticating users in Active Directory

Symantec Product Authentication Service can authenticate users in LDAP-compatible directories. If you want to authenticate users in Active Directory, you do not have to deploy an authentication broker exclusively on Windows. The authentication broker can be deployed on any OS.

Prerequisite for LDAP with AD

Administrators should check that the product that they are using supports LDAP. If you are deploying VxSS 4.2.x, you may not be able to get the Active Directory groups. In that case, we recommend upgrading to Symantec Product Authentication Service 4.3.

Checking for LDAP compatibility

Prior to configuring LDAP authentication, you need to find out whether your directory server is LDAP-compatible. Earlier versions of AD on Windows 2000 Servers are not LDAP-compatible. You should apply at least Service Pack 2.

To find out whether your directory server is LDAP-compatible, work with your directory administrator to find out the following:

    The name or IP of the host where the directory server is running.
    The port the directory server is listening on. (For AD, usually 389 for non-SSL, and 443 for SSL.)
    Whether the directory server is configured to only accept SSL connections and reject all non-SSL connections. If the answer is yes, then you will need to export the trusted CAs into a file in PEM format.
    The distinguished name (DN) of the users and groups containers.

Once you have the name or IP and the port, you can use the ldapsearch tool to find out the rest.

Finding whether you have ldapsearch

The ldapsearch tool is usually available on the latest versions of UNIX operating systems. To see whether you have this tool, type the following at the command line:

    which ldapsearch

If you do not have ldapsearch, you can download it from your OS vendor's web site.

Using ldapsearch to find naming contexts

With ldapsearch, you can find out what the naming contexts are. For example, from the command line, type:

    ldapsearch -h <hostname or IP of your AD> -p 389 -b "" -s base "(objectclass=*)"

The display shows a set of information about your Active Directory. You should see one or more "namingContexts" attributes. What you see depends on how your AD is configured. Usually "defaultNamingContext" or "rootDomainNamingContext" is the base DN of your users and groups container. In most cases, "defaultNamingContext" and "rootDomainNamingContext" are the same. Usually, they look like this:

    DC=<your domain name>,DC=<your enterprise name>,DC=com

Your users and groups container should be "CN=Users,DC=<your domain name>,DC=<your enterprise name>,DC=com".

If your ldapsearch command does not return anything, most likely it is for one of the following reasons:

    The host is unreachable.
    Port 389 is unreachable.
    The Active Directory admin disabled search on the naming context.

Searching users in Active Directory

Once you have found the naming context, you can search users in AD. Pick an enterprise user. At the command line, type:

    ldapsearch -h <hostname or IP of your AD> -p 389 -D "CN=<user name>,CN=Users,DC=<your domain name>,DC=<your enterprise name>,DC=com" -w <user password> -b "CN=Users,DC=<your domain name>,DC=<your enterprise name>,DC=com" -s sub "(objectclass=user)"

You should see a list of users. If the ldapsearch command does not work here, then you will need to do more troubleshooting with your AD administrator.

Configuring LDAP authentication

To configure LDAP authentication, you must directly edit the VRTSatlocal.conf file.

To edit this file

1 Take a backup of the Symantec Product Authentication Service.

2 Shut down the Symantec Product Authentication Service Broker.

3 Use your favorite editor (for example vi) to edit the VRTSatlocal.conf file.

  On Windows, the VRTSatlocal.conf file is located in <install_dir>\systemprofile. On UNIX, the VRTSatlocal.conf file is located in /var/VRTSat/.VRTSat/profile.

4 Find [Security\Authentication\Authentication Broker\AtPlugins\ldap\DomainInfos\ldap\VSS] and replace VSS with your domain name:

    [Security\Authentication\Authentication Broker\AtPlugins\ldap\DomainInfos\ldap\<your domain name here>]

5 Find the "URL" attribute in the LDAP servers section and set it to your AD server:

    "URL"="ldap://<your AD server host/ip>:<389 or your AD server port>"

6 Find the "UserBaseDN" attribute and configure it to point to your users container:

    "UserBaseDN"="CN=Users,DC=<your domain name>,DC=<your enterprise name>,DC=com"

7 Find the "GroupBaseDN" attribute and configure it to point to your groups container:

    "GroupBaseDN"="CN=Groups,DC=<your domain name>,DC=<your enterprise name>,DC=com"

8 Configure the rest of the schema map:

    "UserAttr"="cn"
    "DefaultGroupObjClass"="group"
    "DefaultUserObjClass"="user"
    "DefaultGroupAttr"="cn"
    "DefaultUserAttr"="cn"
    "DefaultGroupGIDAttr"="cn"
    "DefaultUserGIDAttr"="memberOf"

9 Restart the Symantec Product Authentication Service Broker.

Testing the configuration

Now you should be able to use the LDAP authentication plug-in. To test it, run vssat at the command line:

    vssat authenticate --domain ldap:<your domain name> --prplname <user name> --password <user password> --broker <authentication broker name:port>
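As an added example that is not part of the release notes, the following shell functions take the base DN out of the ldapsearch naming-context output described above, derive the DNs for steps 6 and 7, and check an existing VRTSatlocal.conf against the values from steps 4 to 8; the domain name "corp", the host ad1.corp.example.com and the sample file contents are invented.

```shell
#!/bin/sh
# Added example, not from the Symantec release notes: take the base DN from
# ldapsearch output, derive the DNs the page tells you to put in
# VRTSatlocal.conf, and check a VRTSatlocal.conf against steps 4 to 8.
# The sample ldapsearch output and conf contents below are constructed.

# Read "ldapsearch -b '' -s base" output on stdin and print the base DN:
# defaultNamingContext, or rootDomainNamingContext when that is absent.
# Fails when neither attribute is present (host or port unreachable, or
# search on the naming context disabled by the AD admin).
ldap_base_dn() {
    awk '
        tolower($1) == "defaultnamingcontext:"    { def  = substr($0, index($0, ":") + 2) }
        tolower($1) == "rootdomainnamingcontext:" { root = substr($0, index($0, ":") + 2) }
        END { if (def != "") print def; else if (root != "") print root; else exit 1 }
    '
}

# DNs for steps 6 and 7, derived from the base DN
at_ldap_user_base_dn()  { printf 'CN=Users,%s\n'  "$1"; }
at_ldap_group_base_dn() { printf 'CN=Groups,%s\n' "$1"; }

# Value of the first "Key"="value" line for key $2 in conf file $1. The page
# puts "URL" in the LDAP servers section and the rest in the domain section;
# this looks across the whole file, which assumes a single LDAP domain.
conf_value() {
    awk -F= -v key="\"$2\"" '
        $1 == key { v = substr($0, length($1) + 2); gsub(/^"|"$/, "", v); print v; exit }
    ' "$1"
}

# Check VRTSatlocal.conf $1 for domain $2, base DN $3 and LDAP URL $4.
# Prints each deviation from steps 4 to 8 and returns 1 if there was any.
at_ldap_conf_check() {
    rc=0
    if grep -q 'DomainInfos\\ldap\\VSS]' "$1"; then
        echo "step 4: the shipped VSS placeholder section is still present"; rc=1
    fi
    if ! grep -qF "DomainInfos\\ldap\\$2]" "$1"; then
        echo "step 4: no DomainInfos section named after domain $2"; rc=1
    fi
    for pair in "URL=$4" \
                "UserBaseDN=$(at_ldap_user_base_dn "$3")" \
                "GroupBaseDN=$(at_ldap_group_base_dn "$3")" \
                "UserAttr=cn" "DefaultGroupObjClass=group" "DefaultUserObjClass=user" \
                "DefaultGroupAttr=cn" "DefaultUserAttr=cn" \
                "DefaultGroupGIDAttr=cn" "DefaultUserGIDAttr=memberOf"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(conf_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: found '$got', expected '$want'"; rc=1
        fi
    done
    return $rc
}

# Constructed ldapsearch output for an invented domain "corp"
LDAPSEARCH_SAMPLE='dn:
namingContexts: DC=corp,DC=example,DC=com
namingContexts: CN=Configuration,DC=corp,DC=example,DC=com
defaultNamingContext: DC=corp,DC=example,DC=com
rootDomainNamingContext: DC=corp,DC=example,DC=com'

# Constructed VRTSatlocal.conf fragment after steps 4 to 8 were applied
write_sample_conf() {
    cat > "$1" <<'EOF'
[Security\Authentication\Authentication Broker\AtPlugins\ldap\DomainInfos\ldap\corp]
"UserBaseDN"="CN=Users,DC=corp,DC=example,DC=com"
"GroupBaseDN"="CN=Groups,DC=corp,DC=example,DC=com"
"UserAttr"="cn"
"DefaultGroupObjClass"="group"
"DefaultUserObjClass"="user"
"DefaultGroupAttr"="cn"
"DefaultUserAttr"="cn"
"DefaultGroupGIDAttr"="cn"
"DefaultUserGIDAttr"="memberOf"
"URL"="ldap://ad1.corp.example.com:389"
EOF
}

# Stand-alone demonstration
conf=$(mktemp)
write_sample_conf "$conf"
base=$(printf '%s\n' "$LDAPSEARCH_SAMPLE" | ldap_base_dn)
echo "base DN: $base"
if at_ldap_conf_check "$conf" corp "$base" "ldap://ad1.corp.example.com:389"; then
    echo "VRTSatlocal.conf matches steps 4 to 8"
fi
rm -f "$conf"
```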


Chapter 5 Tools

This chapter includes the following topics:

    The srvscan tool
    The findrb tool

The srvscan tool

The srvscan tool is an independent executable. It can scan your subnet for hosts that have the authentication port open. Hosts that have the authentication port open are running the authentication server in either root or broker mode.

Location of srvscan

The srvscan utility is located in the following areas:

    Unix      /opt/VRTSat/bin
    Windows   C:\Program Files\VERITAS\Security\Authentication\bin

Usage of srvscan

Usage for srvscan is as follows:

    srvscan [-p port] [-I {IP | <IP range>}] [-x <timeout>] [-N <maxnodes>] [-f <filename>] [-R] [-v]

Explanation of options for srvscan

The options for srvscan, which are case sensitive, have the following meanings:

    -p   (Required) Uses 'port' as the service port to be scanned.
    -I   Uses '(IP range)/(ip)' as the IP range or IP to scan. Specifies the range of IP addresses to be scanned. If no range is given, the current subnet range is scanned for the service.
    -x   Uses 'timeout' in seconds as the time that the scan should continue. The scanning stops after the timeout expires, whether or not the specified port is found in the network. The default timeout is calculated internally according to the range given.
    -N   Specifies the maximum number of successful nodes to search for. If a number is specified, the tool returns immediately once it finds that number of hosts having the given port open.
    -f   Redirects output to the given file.
    -R   Displays the default network and subnet range and their timeouts.
    -v   Displays verbose output.

Sample output of srvscan

The command lists the IP addresses of the nodes within the IP range on which the specified port is open.

Sample output from srvscan reflects the number of nodes found, as follows:

    # srvscan -n AuthBroker -p I nn.nnn.nn.nn-nnn -x 10
    Number of nodes to scan: 91
    Maximum simultaneous connections: 91
    Port 2821 open on nnn.nnn.nnn.nn
    Port 2821 open on nnn.nnn.nnn.nn
    Port 2821 open on nnn.nnn.nnn.nn
    Port 2821 open on nnn.nnn.nnn.nn
    Port 2821 open on nnn.nnn.nnn.nn
    Total Hosts found: 5
    Total processing time: 11 seconds

The new service scan dialog box in Windows install

During a Windows installation of the authentication broker, a new dialog box gives you the option to look for root brokers that are installed. If you want the installer to look for the root broker, select Yes, and then select or type in the range of IPs in the form StartIP-EndIP:port, where port is the root broker port (2821 or 1556).

The findrb tool

The findrb tool relies on the authentication client being installed. Given a list of hosts that are running authentication servers, findrb contacts all the authentication servers and returns a list of their root brokers.

Location of findrb

The findrb tool resides in the following area:

    Unix      /opt/VRTSat/bin
    Windows   \Program Files\VERITAS\Security\Authentication\bin

Usage of findrb

Usage for findrb is as follows:

    findrb {-h | -i <file> [-o <file>]}

Explanation of options

The options for findrb have the following meanings:

    -h   List of hosts. When the -h option is used, findrb reads input from the command line and writes output to stdout.

    -i <file>   Read from file. Using -i enables findrb to read input from a file (the format is given below).
    -o <file>   Write to file. Using -o makes findrb write output to a file.

Input file format for findrb

The input file format for findrb is a list of host names (or IP addresses) separated by white space or new lines, as follows:

    # cat ip
    host1.my_domain.com host2.my_domain.com

Output file format of findrb

The output file format for findrb is the tag "ROOTBROKERS" followed by a space-separated list of host names, as follows:

    # cat op
    ROOTBROKERS roothost.my_domain.com anotherroot.my_domain.com

Sample run of discovery tools

The following is a sample run from the authentication installer, using findrb and srvscan:

    1) Root Broker Only.
    2) Authentication Broker Only.
    3) Authentication + Root Broker.

    Enter the mode in which you want to install VRTSat [1-3,q] 2
    Do you know where your root broker is (y/n)? n
    Do you want the installer to find a root broker for you (y/n)? y
    Installer will scan for root broker host in this range:
    With this timeout: 20 seconds
    Is this ok (y/n)? n
    Enter desired IP address range with a - and no space:
    Enter desired timeout in second, whole number only: 30
    Pick one from the following root broker hosts:
    media.my_domain.com
    hostname3.my_domain.com
    moluccas1
    hal-sunf280-1.my_domain.com
    hal-sunb100-4.my_domain.com
    hostname3
    Enter the broker port (2821)

    Enter authentication broker's identity on root broker host hostname3 george
    Enter password for george on root broker host hostname3
    Enter the domain name for this Authentication Broker on root broker host hostname3 root
    Enter the absolute pathname (path plus filename) of the root's hash which you obtained from root broker host hostname3 /tmp/root_hash
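The findrb input and output formats above, as an added example that is not part of the release notes: shell functions that turn srvscan output into a findrb input file, read the root broker list back out of findrb output, and flag the case the Recommendations chapter warns about, more than one root broker in the scanned range; the addresses and host names in the samples are invented.

```shell
#!/bin/sh
# Added example, not from the Symantec release notes: convert srvscan output
# into the findrb input format, parse findrb output, and warn when a range
# holds more than one root broker. All samples below are constructed.

# Read srvscan output on stdin and print, one per line, the hosts on which
# the scanned port was open. findrb accepts hosts separated by white space
# or new lines, so the result is a valid "findrb -i" input file.
srvscan_hosts() {
    awk '$1 == "Port" && $3 == "open" && $4 == "on" { print $5 }'
}

# Read findrb output ("ROOTBROKERS host host ...") on stdin and print the
# distinct root brokers one per line (several authentication servers may
# report the same root broker). Fails if the ROOTBROKERS tag is absent.
findrb_root_brokers() {
    awk '
        $1 == "ROOTBROKERS" { for (i = 2; i <= NF; i++) if (!seen[$i]++) print $i; found = 1 }
        END { exit !found }
    '
}

# Read findrb output on stdin. Returns 0 when exactly one root broker was
# reported, which is what the Recommendations chapter asks for. Returns 1
# with a warning when there are several: each extra root broker is its own
# trust hierarchy that must be cross-trusted with the others and, if
# compromised, exposes its whole security domain.
findrb_single_root_broker() {
    brokers=$(findrb_root_brokers) || { echo "no ROOTBROKERS tag in findrb output"; return 1; }
    [ -n "$brokers" ] || { echo "findrb reported no root brokers"; return 1; }
    n=$(printf '%s\n' "$brokers" | wc -l | tr -d ' ')
    if [ "$n" -ne 1 ]; then
        echo "warning: $n root brokers found in this range:"
        printf '  %s\n' $brokers
        return 1
    fi
    echo "single root broker: $brokers"
}

# Constructed samples in the formats the page shows
SRVSCAN_SAMPLE='Number of nodes to scan: 91
Maximum simultaneous connections: 91
Port 2821 open on 10.1.2.3
Port 2821 open on 10.1.2.7
Port 2821 open on 10.1.2.40
Total Hosts found: 3
Total processing time: 11 seconds'

FINDRB_ONE='ROOTBROKERS roothost.my_domain.com roothost.my_domain.com'
FINDRB_TWO='ROOTBROKERS roothost.my_domain.com anotherroot.my_domain.com'

# Stand-alone demonstration
infile=$(mktemp)
printf '%s\n' "$SRVSCAN_SAMPLE" | srvscan_hosts > "$infile"   # input for "findrb -i"
echo "hosts for findrb -i: $(tr '\n' ' ' < "$infile")"
rm -f "$infile"
for out in "$FINDRB_ONE" "$FINDRB_TWO"; do
    if ! printf '%s\n' "$out" | findrb_single_root_broker; then
        echo "see: Minimize the number of root brokers to one"
    fi
done
```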


Chapter 6 Clarifications

This chapter includes the following topics:

    Clarifications related to Installation Guide
    Clarifications related to Administrator's Guide

Clarifications related to Installation Guide

This topic includes clarifications of material in the Installation Guide that was already frozen when the product release was made.

Directories that are spared from deletion

When you uninstall authentication, the following directories are not deleted:

    UNIX      The /var/VRTSat/profiles directory is not deleted.
    Windows   The <install_dir>\systemprofile directory is not deleted.

How to find domain name

The Symantec Product Authentication Installation Guide, page 32, indicates that you must provide the domain name when installing in Authentication Broker Only mode. If you do not know the domain name, go to the root broker machine and run the following command:

    vssat listpd --pdrtype root

Reminder to restart service

In the Symantec Product Authentication Service Installation Guide, several procedures require you to stop AT. At the completion of those procedures, remember to restart the service manually.

Prompt appears only in cluster

The prompt that is mentioned on page 26 of the Symantec Product Authentication Service Installation Guide appears only when authentication is installed on a cluster.

Uninstallation of selected features on Windows

Page 40 of the Symantec Product Authentication Service Installation Guide gives instructions on removing authentication on Windows platforms. You can remove it by rerunning VxSSVRTSatSetup.exe and selecting Remove, or by selecting Remove from Add/Remove Programs.

Before removing, reread the information about dependencies. Then do one of the following:

    To uninstall the Symantec Product Authentication Service completely, click Remove.
    To uninstall selected features of the Symantec Product Authentication Service, click Modify.

The term package name

On page 45 of the Symantec Product Authentication Service Installation Guide, "package name" refers to the MSI file name.

Location of log files, summary files, and response file on UNIX

Installation log files, the summary file, and the response file are saved at /opt/VRTS/install/logs/installics-AAAAAA, where AAAAAA is a random string. The response file is in this directory with the name installics-AAAAAA.response.

Clarifications related to Administrator's Guide

This topic includes clarifications of material in the Administrator's Guide that was already frozen when the product release was made.

User name and domain name requirements

Depending upon the underlying name space, some user names and domains are case sensitive. UNIX password, NIS, and most other UNIX-side name spaces are case sensitive. Windows and LDAP are not case sensitive.

User names and domain names have an 80-byte limit. Therefore, if you use pure ASCII characters in the name, the limit is 79 characters. If you have non-ASCII characters in the name, the limit can vary. If you have non-ASCII characters in the name, we recommend limiting the name to 40 characters.

About cluster pdr type

In order to have a cluster pdr type, you must have a VCS cluster that supports the secure option.

Expanded information on the -t option in vxatd

The following options are specific to Windows:

    -i   Add the program to the service manager. You can use this option along with -t if you want to.
    -t   Set the start-up type for the existing service. Choices are the following:
             2   Automatic start-up of the authentication service during system startup
             3   Manual start-up of the authentication service
             4   Disable AT
    -u   Remove the program from the service manager.
    -k   Stop the service.

Updating a principal

On page 66 of the Symantec Product Authentication Administrator's Guide, in the area on updating a principal in a private domain, steps 3 and 4 are redundant. The two steps should read as follows:

    In the upper pane, select the domain in which the principal to be updated exists.
    In the lower pane, select the principal that you want to update.

How to access the CLI

The proper path for accessing the CLI is:

    UNIX      /opt/VRTSat/bin
    Windows   C:\Program Files\VERITAS\Security\Authentication\bin

Minimum and maximum lengths

The following rules govern minimum and maximum lengths:

    The minimum acceptable password length is 5 characters.
    Fully qualified domain names cannot be longer than 64 characters. That is, <Vx Domain Name>@FQDN must be 64 characters or fewer.
    Principal names cannot be longer than 64 characters.

Remote CLIs that accept only the PBX port

The following remote administration CLIs only accept the PBX port. They do not work over the regular 2821 port:

    vssat listpd
    vssat createpd
    vssat addprpl


Chapter 7 Recommendations

This chapter includes the following topics:
  Minimize the number of root brokers to one
  Remember to back up the broker's critical data
  Limit use of private domain repository accounts to Symantec services only
  Use care when entering passwords
  What to do if you have trouble starting vxatd
  When you must restart Authentication Broker on trusted HP systems
  Avoid sudden stops on Windows broker

Minimize the number of root brokers to one
Having a single root broker brings all the Symantec products under the same security domain, instead of creating islands of security. Such consolidation facilitates single sign-on and secure communications among the various products.
The root broker owns the trust relationship for all hosts in its trust hierarchy. If you have more than one root broker, you must establish trust relationships across all root brokers. Maintaining trust relationships across root brokers is expensive and time consuming.
Minimizing the number of root brokers is also attractive from a security perspective. Repairing an environment after a root broker has been compromised is more burdensome than repairing one in which only an authentication broker has been compromised. When a root broker is compromised, the scope of the compromise is the entire security domain. With fewer root brokers, the risk of compromising the entire security domain is minimized.

Remember to back up the broker's critical data
You should back up the broker's critical data, including the private domain repository.

Backing up on Windows
For information on restoring, see Restoring the broker's data on Windows.
To back up the broker's data on Windows
1  Locate the vssat showbackuplist command, which resides in the following location on Windows:
     C:\Program Files\VERITAS\Security\Authentication\bin
   The actual installation path for Authentication can be obtained from the following Windows registry key:
     HKLM\Software\Veritas\Security\Authentication\InstallDir
2  Run the command, using the following syntax, without line breaks:
     vssat showbackuplist [--filename <file name for list>]
   The vssat showbackuplist command is a management tool used to back up and list the critical files. The command does not restore files.
3  Examine the output of vssat showbackuplist. Each directory or file displays on a separate line.
   If you provide the --filename argument, output goes to that file. For example, to get the listing in a file named list.txt, run the following command.

     vssat showbackuplist --filename list.txt
   If you do not request a file, output is displayed on standard output, in the following form:
     B FileOrDirToBeBackedup
     R RestoreAboveFileOrDirToFileOrDir
     K RegistryKey
   For example, output on Windows appears as follows:
     C:\Program Files\VERITAS\Security\Authentication\bin>vssat showbackuplist
     B C:\Program Files\VERITAS\Security\Authentication\systemprofile\vrtsatlocal.conf
     B C:\Program Files\VERITAS\Security\Authentication\systemprofile\certstore
     B C:\Program Files\VERITAS\Security\Authentication\systemprofile\rbauthsource
     B C:\Program Files\VERITAS\Security\Authentication\systemprofile\abauthsource
     K HKEY_LOCAL_MACHINE\SOFTWARE\VERITAS\Security\Authentication
     Quiescing...
     Snapshot Directory :C:\Program Files\VERITAS\Security\Authentication\Snapshot
4  After backing up the broker's critical data, perform an additional backup by running the following command:
     reg export HKLM\SOFTWARE\VERITAS\Security\Authentication <snapshotdir>\AtKey.reg
   Output is as follows:
     C:\>reg export HKLM\SOFTWARE\VERITAS\Security\Authentication "c:\program Files\VERITAS\Security\Authentication\Snapshot\AtKey.reg"
     The operation completed successfully.

Backing up on UNIX
For information on restoring, see Restoring the broker's data on UNIX.
The vssat showbackuplist command is a management tool used to back up and list the critical files.
Warning: The vssat showbackuplist command does not restore files.

1  Locate the vssat showbackuplist command, which resides in the following location on UNIX:
     /opt/vrtsat/bin
   On 64-bit UNIX platforms, the 64-bit CLI resides under an architecture-specific subdirectory such as 'sparcv9', 'ia64', or 'x64'.
2  Run the command, using the following syntax, without line breaks:
     vssat showbackuplist [--filename <file name for list>]
3  Examine the output of vssat showbackuplist. Each directory or file displays on a separate line.
   If you provide the --filename argument, output goes to that file. For example, to get the listing in a file named list.txt, run the following command.
     vssat showbackuplist --filename list.txt
   If you do not request a file, output is displayed on standard output, in the following form:
     B FileOrDirToBeBackedup
     R RestoreAboveFileOrDirToFileOrDir
     K RegistryKey
   For example, output on UNIX appears as follows:
     bash-2.05b# ./vssat showbackuplist
     B /var/vrtsat/.vrtsat/profile/vrtsatlocal.conf
     B /var/vrtsat/.vrtsat/profile/certstore
     B /var/vrtsat/rbauthsource
     B /var/vrtsat/abauthsource
     B /etc/vx/vss/vrtsat.conf
     Quiescing...
     Snapshot Directory :/var/vrtsatsnapshot
4  After backing up the broker's critical data, perform an additional backup by running the following command:
     cp -f /etc/vx/vss/* <snapshotdir>
   <snapshotdir> is listed in the output of vssat showbackuplist. Example output is as follows:
     bash-2.05b# cp -f /etc/vx/vss/* /var/vrtsatsnapshot

Restoring the broker's data on Windows
This topic explains how to restore the broker's data that you have backed up.
To restore the broker's data
1  Shut down the broker by running the following command:
     net stop vrtsat
2  Look up the snapshot directory by running the vssregctl command.

   Note that the vssregctl command can adversely affect the operation of the Symantec Product Authentication Service if used improperly, which may affect the operation of other Symantec products. Use the vssregctl command only as shown in the following. Do not use this command for any other purpose.
     vssregctl -l -q -b"Security\Authentication\Authentication Broker" -ksnapshotdirectory
3  Restore the backup files by running the following commands:
     reg import <snapshotdir>\AtKey.reg
     xcopy /E <snapshotdir> <install_dir>
   Sample output of the reg import command is as follows:
     C:\Program Files\VERITAS\Security\Authentication\Snapshot>reg import AtKey.reg
     The operation completed successfully.
   Sample output of the xcopy command is as follows:
     C:\Program Files\VERITAS\Security\Authentication>xcopy /E Snapshot .
     Snapshot\systemprofile\ABAuthSource
     Snapshot\systemprofile\RBAuthSource
     Snapshot\systemprofile\VRTSatlocal.conf
     Snapshot\systemprofile\certstore\28b9d521.0
     Snapshot\systemprofile\certstore\bb7eb69b.0
     Snapshot\systemprofile\certstore\ef12cf8d.0
     Snapshot\systemprofile\certstore\keystore\ABPrivKeyFile.pem
     Snapshot\systemprofile\certstore\keystore\ABPubKeyFile.pem
     Snapshot\systemprofile\certstore\keystore\DummyWebPrivKeyFile.pem
     Snapshot\systemprofile\certstore\keystore\DummyWebPubKeyFile.pem
     Snapshot\systemprofile\certstore\keystore\PrivKeyFile.pem
     Snapshot\systemprofile\certstore\keystore\PubKeyFile.pem
     Snapshot\systemprofile\certstore\keystore\RBPrivKeyFile.pem
     Snapshot\systemprofile\certstore\keystore\RBPubKeyFile.pem
     Snapshot\systemprofile\certstore\trusted\bb7eb69b.0
     Snapshot\systemprofile\systruststore\28b9d
     File(s) copied
4  Start the broker by running the following command:
     net start vrtsat

Restoring the broker's data on UNIX
This topic explains how to restore the broker's data that you have backed up.
To restore the broker's data
1  Shut down the broker by running the following command:
     pkill vxatd
   If pkill is not supported, run the following command:
     ps -fe | grep vxatd | grep -v grep | awk '{print $2}' | xargs kill -9
2  Look up the snapshot directory by running the vssregctl command.
   Note that the vssregctl command can adversely affect the operation of the Symantec Product Authentication Service if used improperly, which may affect the operation of other Symantec products. Use the vssregctl command only as shown in the following. Do not use this command for any other purpose.
     vssregctl -l -q -b"Security\Authentication\Authentication Broker" -ksnapshotdirectory
3  Restore the backup files by running the following commands:
     cp -f <snapshotdir>/vrtsat.* /etc/vx/vss/
     cp -rf <snapshotdir>/profile /var/vrtsat/.vrtsat
     cp -rf <snapshotdir>/*authsource /var/vrtsat/
4  Start the broker by running the following command:
     vxatd

Limit use of private domain repository accounts to Symantec services only
The private domain repository was designed for use when Symantec programs need to authenticate each other. It eliminates the need to define and store Symantec programs' identities in a site's human user authentication domain (such as Windows NT4, NIS, NIS+, UNIX password, Active Directory, LDAP, and so on).
Do not use a private domain repository for a site's user accounts, for the following reasons:
  Private domain repository account management is limited. Regular security tasks such as changing passwords are burdensome. The existing tools that support these tasks cannot be used because the private domain repository is not a standard account database.
  Using the private domain repository for human accounts is redundant.
Sites already have user accounts with which AT can integrate (Windows NT4, NIS, and so on).

  Private domain repository access is not always optimized for performance. Each authentication broker has a unique private domain repository that is local to it and through which all authentication and account management is performed. Unlike a site's domain controller, the authentication broker host might not be on a network segment that is optimized for speed. You should not force user authentication requests to traverse the network. (The problem is smaller for service identities, whose credentials typically expire much later and which do not need to authenticate frequently.) Any authentication broker that can see a particular non-private domain can authenticate identities for that domain.

Use care when entering passwords
In all cases where the user has to enter a password when using the installics or installer scripts on UNIX, no characters are echoed as the password is typed. You are not given a chance to confirm the password by typing it again. Therefore, type carefully.

What to do if you have trouble starting vxatd
If the vxatd daemon does not start, verify that the configuration data entered during installation is correct. If it is incorrect, you can use the vssat command to enter the correct data, and then try starting the daemon again.

When you must restart Authentication Broker on trusted HP systems
The Authentication Broker must be restarted if the system is converted into a trusted operating system while the Authentication Broker is running.

Avoid sudden stops on Windows broker
On Windows, once you have started the broker, do not stop it again until it has been up for 15 seconds.
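The UNIX backup and restore procedures under "Remember to back up the broker's critical data" earlier in this chapter, as an added example that is not part of the release notes or of the vssat tooling: a POSIX shell script that parses a showbackuplist listing, copies the flagged paths plus /etc/vx/vss/* into the snapshot directory, copies them back with the documented cp commands, and verifies checksums afterwards so that a restore can be rehearsed before it is needed. It assumes the listing format shown in the notes (B/R/K lines and a "Snapshot Directory :" line) and the snapshot layout implied by the restore commands (profile/, *authsource, vrtsat.*). AT_PREFIX is an invented variable that re-roots every path so the round trip runs in a scratch directory rather than on a live broker; the function names and sample contents are this example's own.

```shell
#!/bin/sh
# Added example, not from the Symantec release notes: backup/restore round
# trip for an AT broker's critical data on UNIX. AT_PREFIX (invented knob)
# re-roots all paths; leave it empty on a real broker.
AT_PREFIX="${AT_PREFIX:-}"

# Snapshot directory named on the "Snapshot Directory :" line of a listing.
at_snapshot_dir() {
    sed -n 's/^Snapshot Directory *: *\(.*\)$/\1/p' "$1" | head -n 1
}

# Paths flagged B (file or directory to be backed up) in a listing.
at_backup_entries() {
    sed -n 's/^B  *//p' "$1"
}

# Backup steps 3 and 4: copy each B entry into the snapshot directory
# (profile contents under profile/, the rest flat), then add /etc/vx/vss/*.
at_backup() {
    bk_snap="$AT_PREFIX$(at_snapshot_dir "$1")"
    [ "$bk_snap" != "$AT_PREFIX" ] || { echo "no snapshot directory in listing" >&2; return 1; }
    mkdir -p "$bk_snap/profile" || return 1
    at_backup_entries "$1" | while read -r entry; do
        src="$AT_PREFIX$entry"
        case "$entry" in
            */.vrtsat/profile/*) cp -Rf "$src" "$bk_snap/profile/" || exit 1 ;;
            /etc/vx/vss/*)       ;;   # picked up by the step-4 copy below
            *)                   cp -f "$src" "$bk_snap/" || exit 1 ;;
        esac
    done || return 1
    cp -f "$AT_PREFIX"/etc/vx/vss/* "$bk_snap/"
}

# Restore step 1 as documented, with the fallback for systems without pkill.
# Not exercised in scratch mode because it acts on live processes.
at_stop_broker() {
    pkill vxatd 2>/dev/null ||
        ps -fe | grep vxatd | grep -v grep | awk '{print $2}' | xargs kill -9
}

# Restore step 3: $1 is the snapshot directory that vssregctl reports.
at_restore() {
    rs_snap="$AT_PREFIX$1"
    [ -d "$rs_snap" ] || { echo "snapshot $rs_snap missing" >&2; return 1; }
    mkdir -p "$AT_PREFIX/etc/vx/vss" "$AT_PREFIX/var/vrtsat/.vrtsat" || return 1
    cp -f "$rs_snap"/vrtsat.* "$AT_PREFIX/etc/vx/vss/" || return 1
    cp -Rf "$rs_snap/profile" "$AT_PREFIX/var/vrtsat/.vrtsat" || return 1
    cp -Rf "$rs_snap"/*authsource "$AT_PREFIX/var/vrtsat/" || return 1
}

# Integrity check after backup or restore: live file $2 must match the copy
# stored as $3 inside snapshot directory $1.
at_verify() {
    [ "$(cksum < "$AT_PREFIX$1/$3")" = "$(cksum < "$AT_PREFIX$2")" ]
}

# Constructed listing modeled on the sample output in the notes.
at_sample_listing() {
    cat <<'EOF'
B /var/vrtsat/.vrtsat/profile/vrtsatlocal.conf
B /var/vrtsat/.vrtsat/profile/certstore
B /var/vrtsat/rbauthsource
B /var/vrtsat/abauthsource
B /etc/vx/vss/vrtsat.conf
Quiescing...
Snapshot Directory :/var/vrtsatsnapshot
EOF
}

# Throwaway broker tree with constructed contents under $1.
at_scratch_tree() {
    mkdir -p "$1/var/vrtsat/.vrtsat/profile/certstore/keystore" "$1/etc/vx/vss" || return 1
    echo "Broker=sys01" > "$1/var/vrtsat/.vrtsat/profile/vrtsatlocal.conf"
    echo "constructed-key" > "$1/var/vrtsat/.vrtsat/profile/certstore/keystore/PrivKeyFile.pem"
    echo "constructed-rb" > "$1/var/vrtsat/rbauthsource"
    echo "constructed-ab" > "$1/var/vrtsat/abauthsource"
    echo "Port=2821" > "$1/etc/vx/vss/vrtsat.conf"
}

# Rehearsal in a scratch root: back up, damage the live copies, restore,
# verify. Returns 0 only if every file came back intact.
at_roundtrip() {
    AT_PREFIX="$1"
    at_scratch_tree "$AT_PREFIX" || return 1
    at_sample_listing > "$AT_PREFIX/list.txt"
    at_backup "$AT_PREFIX/list.txt" || return 1
    snap_rel="$(at_snapshot_dir "$AT_PREFIX/list.txt")"
    echo "corrupted" > "$AT_PREFIX/var/vrtsat/rbauthsource"
    rm -f "$AT_PREFIX/var/vrtsat/.vrtsat/profile/certstore/keystore/PrivKeyFile.pem"
    at_restore "$snap_rel" || return 1
    at_verify "$snap_rel" /var/vrtsat/rbauthsource rbauthsource || return 1
    at_verify "$snap_rel" /etc/vx/vss/vrtsat.conf vrtsat.conf || return 1
    at_verify "$snap_rel" /var/vrtsat/.vrtsat/profile/certstore/keystore/PrivKeyFile.pem \
        profile/certstore/keystore/PrivKeyFile.pem || return 1
    echo "round trip OK under $AT_PREFIX"
}
```

Run at_roundtrip /tmp/at-rehearsal to rehearse the procedure on a scratch tree. On a real broker leave AT_PREFIX empty, pass the snapshot directory that vssregctl reports to at_restore, and stop vxatd first (at_stop_broker), as step 1 of the documented restore requires.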


Chapter 8 Procedures for HA deployment of the AT and AZ services

This chapter includes the following topics:
  How to deploy on VERITAS Cluster Server
  VCS non-securable (UNIX)
  VCS securable (UNIX)
  Veritas Cluster Server (Windows)
  VCS securable (Windows)
  How to deploy on Microsoft Cluster Server
  How to deploy on SUN Cluster, HPSG, HACMP
  How to deploy on Tru Cluster

How to deploy on VERITAS Cluster Server

Terminology
We make the following distinctions:
  Securable vs. non-securable: whether or not it is possible to secure a cluster.
  Secure vs. non-secure: in a situation where you could secure a cluster, whether or not you have chosen to do so.
Therefore the following possible configurations for VCS and security exist:
  Securable, and you choose to secure
  Securable, but you choose not to secure
  Non-securable, where your only option is non-secure
The configuration that you select determines how VCS works and determines the steps that would be necessary to change its configuration. Other than VCS, the clustering solutions supported by the authentication service do not support a secure cluster configuration and therefore are non-securable.
We distinguish between use case 1 and use case 2 as follows:
  Use case 1: AT made highly available in root plus authentication broker mode
  Use case 2: AT made highly available in authentication broker only mode, with the root outside the cluster

Steps to recognize which VCS mode you have
To recognize which VCS mode you have, run the following command:
  haclus -value SecureClus
The cluster is non-securable if the output of the command is:
  VCS:10048:Attribute SecureClus does not exist
Otherwise the cluster is securable. Even if a cluster is securable, it may or may not actually be configured in secure mode.

How to determine whether a securable cluster is secured
The next question is whether a cluster that could be secured is in fact configured in secure mode. If the output of haclus is 0, then the cluster is configured as insecure. If the output is 1, then the cluster is configured as secure. To check, run the following command:

  haclus -value SecureClus

VCS non-securable (UNIX)
This topic presents use cases for VCS clusters that cannot be secured, that is, are non-securable.

VCS non-securable mode (UNIX): use case 1
In this use case we explain the steps that need to be performed in order to configure this non-securable cluster to have a highly available root and authentication broker, as well as a highly available authorization server.

Description
To achieve the desired configuration, we need to first configure the systems as follows:
  Root plus authentication broker on sys01
  AT unconfigured on passive nodes
Select one node to be the active node in the cluster. The active node should not have AT installed or configured before you begin. You will configure AT in high availability mode from this node. All other nodes in the cluster are called passive nodes, for example sys02.
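An added example, not from the release notes or from VCS, of turning the two checks above into a small decision helper in POSIX shell: it classifies the cluster from the haclus -value SecureClus output exactly as described, reads the broker mode that vssat showbrokermode reports (this chapter's use case 1 corresponds to mode 3, root plus authentication broker, and use case 2 to mode 2, authentication broker only; mode 0 is an unconfigured node), and names the section of this chapter that applies. It assumes haclus prints the strings quoted above and that showbrokermode prints the numeric mode; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Symantec release notes: pick the HA procedure
# for a VCS node from the haclus SecureClus output and the AT broker mode.
# Assumptions: haclus prints the exact strings quoted in the notes; vssat
# showbrokermode prints the mode number (0 unconfigured, 1 root only,
# 2 authentication broker only, 3 root plus authentication broker).

# Map haclus -value SecureClus output to the chapter's terminology.
vcs_classify() {
    case "$1" in
        "VCS:10048:Attribute SecureClus does not exist") echo non-securable ;;
        0) echo insecure ;;
        1) echo secure ;;
        *) echo unknown ;;
    esac
}

# Map a broker mode number to the use case the chapter associates with it.
vcs_use_case() {
    case "$1" in
        3) echo 1 ;;
        2) echo 2 ;;
        0) echo unconfigured ;;
        *) echo unknown ;;
    esac
}

# Name the section that applies to this node; returns 1 when none does
# (for example an unconfigured passive node, or a root-only broker).
vcs_procedure() {
    sec="$(vcs_classify "$1")"
    uc="$(vcs_use_case "$2")"
    case "$sec:$uc" in
        non-securable:1|non-securable:2) echo "VCS non-securable (UNIX): use case $uc" ;;
        insecure:1|insecure:2) echo "VCS securable (UNIX) in insecure mode: use case $uc" ;;
        secure:1|secure:2) echo "VCS securable (UNIX) in the secure mode: use case $uc" ;;
        *) echo "no documented procedure ($sec cluster, broker mode $2)"; return 1 ;;
    esac
}

# Live wrapper: run both commands on this node, if they are installed.
vcs_detect() {
    command -v haclus >/dev/null 2>&1 || { echo "haclus not found" >&2; return 1; }
    sc="$(haclus -value SecureClus 2>&1)"
    bm="$(/opt/vrtsat/bin/vssat showbrokermode 2>/dev/null)"
    vcs_procedure "$sc" "$bm"
}
```

On a cluster node, vcs_detect prints the section to follow; vcs_procedure can also be fed the two values by hand when reading them from another node's output.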

Using ICSInstaller to install the AT package on all nodes
To use ICSInstaller to install the AT package
1  Run the ./installics command from the directory where you un-tarred the ICS package on sys01.
2  It displays the following menu:
     VERITAS Product                         Version  Installed  Licensed
     VERITAS Infrastructure Core Services             no         N/A
     VERITAS Private Branch Exchange                             N/A
     VERITAS Authentication Service                   no         N/A
     VERITAS Service Management Framework             no         N/A
     VERITAS Authorization Service                    no         N/A
     Selection Menu:
       I  Install/Upgrade a Product
       C  Configure an Installed Product
       L  License a Product
       P  Perform a Preinstallation Check
       U  Uninstall a Product
       D  View a Product Description
       Q  Quit
       ?  Help
     Enter a Selection: [I, C, L, P, U, D, Q, ?] (I)
3  Select I for installation. If AT is already installed, uninstall it and start from step 1.
4  Once the menu item is selected, the ICS installer prompts you to choose the product to be installed. Select AT, that is, option 3.
     VERITAS Infrastructure Core Services Installer
       1  VERITAS Infrastructure Core Services
       2  VERITAS Private Branch Exchange
       3  VERITAS Authentication Service
       4  VERITAS Service Management Framework
       5  VERITAS Authorization Service
       B  Back to previous menu
     Select a product to install: [1-5, b, q] 3
     VERITAS Authentication Service

5  Enter the name of the active node, that is, sys01, on which you want to install AT.
     Enter the system names separated by spaces on which to install AT: sys01
     Checking OS version on sys01... AIX 5.1
     Checking system support for sys01... AIX 5.1 supported by AT
     Checking VRTSat package... not installed
     Initial system check completed successfully.
     Press [Return] to continue:
6  Press Enter when the ICS installer asks for confirmation.
     VERITAS Authentication Service
     installics will install the following AT filesets on Aix target systems: sys01
     VRTSat VERITAS Authentication Service
     Press [Return] to continue:
7  The ICS installer now checks for space and dependent packages. Press Enter once the checks are successful.
     VERITAS Authentication Service
     Checking system installation requirements:
     Checking AT installation requirements on Aix target systems: sys01
     Checking AT installation requirements on sys01:
     Checking for external dependencies... all external dependencies satisfied
     Checking file system space... required space is available
     Stopping VRTSat processes... Done
     Installation requirements checks completed successfully.
     Press [Return] to continue:

8  The ICS installer asks for a passphrase. It can be any characters (minimum 6).
     VERITAS Authentication Service
     You are required to specify a passphrase with minimum of 6 characters.
     This passphrase will be used to protect sensitive information gathered during product configuration.
     All sensitive information stored in the response file will be encrypted with this passphrase.
     Please remember the passphrase you have entered. You will not be able to perform silent installation without this passphrase.
     Enter a passphrase with minimum of six (6) characters
9  Select Yes for AT server installation.
     Do you want to install the AT Server? [y,n,q] (y)
     Installing AT Server and Client... Done
10 Once installation is done on sys01, the ICS installer prompts for AT configuration on the active node sys01. Select yes.
     VERITAS Authentication Service
     It is optional to configure AT now. If you choose to configure AT later, you can either do so manually or run the installics -configure command.
     Are you ready to configure AT on sys01? [y, n, q] (y)
11 Select root plus authentication broker mode, that is, option 3, for the active node sys01. For AT 4.2, say NO to cluster configuration through ICSInstaller. For AT 4.3 using ICS 1.4.x, you need to say YES to cluster configuration and enter the virtual name for AT.

   The final AT high availability (HA) cluster configuration will be done by running the AT high availability configuration scripts and not through the ICS installer.
     VERITAS Authentication Service
       1  Root Broker Only.
       2  Authentication Broker Only.
       3  Authentication + Root Broker.
     Enter the mode in which you want to install VRTSat [1-3,q] 3
     VCS appears to be installed and running. Going ahead with cluster configuration
     Do you want the installer to do a cluster configuration for Authentication Service? [y,n,q] (n)
     VERITAS Authentication Service
     Configuring VERITAS Authentication Service:
     VERITAS Authentication Service configured successfully.
     Press [Return] to continue:
     VERITAS Authentication Service
     Starting Authentication daemon... Done
     VERITAS Authentication Service was started successfully.
     Press [Return] to continue:
12 Repeat steps 1-9 to install the AT package on all passive nodes, for example sys02, sys03, and so on. Then, when ICS asks for configuration on the passive nodes, say NO. This ensures that AT is unconfigured on all passive nodes.
     VERITAS Authentication Service
     It is optional to configure AT now. If you choose to configure AT later, you can either do so manually or run the installics -configure command.
     Are you ready to configure AT on sys01? [y, n, q] (y)    Say NO
   Note: Do not configure AT on passive nodes. If you configure AT using ICSInstaller, it starts the AT process, and two root hierarchies may exist if the passive node is also configured in root plus authentication broker mode. Leave AT unconfigured on all passive nodes of the cluster; that is, the mode shall be zero on all passive nodes.

13 Make AT highly available from the active node. From /opt/vrtsat/bin, run the cluster configuration script in either silent or interactive mode. For more details on script options, refer to perl VxATclconf.pl -Mi in Procedures.
14 Install the AZ package on both active and passive nodes using ICSInstaller. The steps are similar to the AT installation.
15 Configure AZ on all nodes. ICSInstaller asks about configuring AZ after installation. Say NO to cluster configuration through ICSInstaller.

VCS non-securable mode (UNIX): use case 2
In this use case we explain the steps that need to be performed in order to configure this non-securable cluster to have a highly available authentication broker using a root broker on a host outside the cluster. In addition, we configure the authorization server to be highly available.

Description
To achieve the desired configuration, we need to first configure the systems as follows:
  Authentication broker mode on sys01
  Authentication broker mode on sys02
  Root broker running outside the cluster on sys03
1  Create one identity on the root broker, sys03, for the new highly available authentication broker. This identity will be used to configure all of the cluster nodes. For example:
     vssat addprpl --pdrtype root --domain root --prplname cluster_23.domain.com
   Note: The same identity should be used for the authentication brokers configured on all nodes of the cluster.
2  The cluster nodes should not have AT installed or configured before you begin. Select one node to be the active node in the cluster. You will configure AT in high availability mode from this node. All other nodes in the cluster are called passive nodes, for example sys02.

Using ICSInstaller to install the AT package on all nodes
To use ICSInstaller to install the AT package
1  Run the ./installics command from the directory where you un-tarred the ICS package.
2  It displays the following menu:
     VERITAS Product                         Version  Installed  Licensed
     VERITAS Infrastructure Core Services             no         N/A
     VERITAS Private Branch Exchange                             N/A
     VERITAS Authentication Service                   no         N/A
     VERITAS Service Management Framework             no         N/A
     VERITAS Authorization Service                    no         N/A
     Selection Menu:
       I  Install/Upgrade a Product
       C  Configure an Installed Product
       L  License a Product
       P  Perform a Preinstallation Check
       U  Uninstall a Product
       D  View a Product Description
       Q  Quit
       ?  Help
     Enter a Selection: [I, C, L, P, U, D, Q, ?] (I)
3  Select I for installation. If AT is already installed, uninstall it and start from step 1.
4  Once the menu item is selected, the ICS installer prompts you to choose the product to be installed. Select AT, that is, option 3.
     VERITAS Infrastructure Core Services Installer
       1  VERITAS Infrastructure Core Services
       2  VERITAS Private Branch Exchange
       3  VERITAS Authentication Service
       4  VERITAS Service Management Framework
       5  VERITAS Authorization Service
       B  Back to previous menu
     Select a product to install: [1-5, b, q] 3
     VERITAS Authentication Service

5  Enter the name of the active node, that is, sys01, on which you want to install AT.
     Enter the system names separated by spaces on which to install AT: sys01
     Checking OS version on sys01... AIX 5.1
     Checking system support for sys01... AIX 5.1 supported by AT
     Checking VRTSat package... not installed
     Initial system check completed successfully.
     Press [Return] to continue:
6  Press Enter when the ICS installer asks for confirmation.
     VERITAS Authentication Service
     installics will install the following AT filesets on Aix target systems: sys01
     VRTSat VERITAS Authentication Service
     Press [Return] to continue:
7  The ICS installer now checks for space and dependent packages. Press Enter once the checks are successful.
     VERITAS Authentication Service
     Checking system installation requirements:
     Checking AT installation requirements on Aix target systems: sys01
     Checking AT installation requirements on sys01:
     Checking for external dependencies... all external dependencies satisfied
     Checking file system space... required space is available
     Stopping VRTSat processes... Done
     Installation requirements checks completed successfully.
     Press [Return] to continue:

8  The ICS installer asks for a passphrase. It can be any characters (minimum 6).
     VERITAS Authentication Service
     You are required to specify a passphrase with minimum of 6 characters.
     This passphrase will be used to protect sensitive information gathered during product configuration.
     All sensitive information stored in the response file will be encrypted with this passphrase.
     Please remember the passphrase you have entered. You will not be able to perform silent installation without this passphrase.
     Enter a passphrase with minimum of six (6) characters
9  Select Yes for AT server installation.
     Do you want to install the AT Server? [y,n,q] (y)
     Installing AT Server and Client... Done
10 Once installation is done on sys01, the ICS installer prompts for AT configuration on the active node sys01. Select yes.
     VERITAS Authentication Service
     It is optional to configure AT now. If you choose to configure AT later, you can either do so manually or run the installics -configure command.
     Are you ready to configure AT on sys01? [y, n, q] (y)
11 Select authentication broker mode, option 2, for the active node sys01.
     VERITAS Authentication Service
       1  Root Broker Only.
       2  Authentication Broker Only.
       3  Authentication + Root Broker.
     Enter the mode in which you want to install VRTSat [1-3,q] 2

12 Copy root_hash from sys03 to /tmp on sys01. The authentication broker on sys01 then establishes trust with the root broker:
     Please enter the root broker host sys03.domain.com(sys03)
     Enter the broker port (2821) 1556
     Please enter complete path to the file which contains the Root Broker's hash /tmp/root_hash
     You have enter the following information:
     Broker Host: sys03.domain.com
     Broker Port: 1556
     Broker Hash File: /tmp/root_hash
     Are the above information correct? [y,n,q] (y)
     Symantec Infrastructure Core Services Installer 5.0
     Setting up trust with sys03.domain.com: Done
13 Provide the authentication broker's identity created in step 1, that is, cluster23.domain.com.
     Symantec Infrastructure Core Services Installer 5.0
     Enter Authentication Broker's identity cluster23.domain.com
     Enter password for sys01.domain.com
     Enter the domain name for the Authentication Broker's identity [email protected]
     Symantec Infrastructure Core Services Installer 5.0
     You have entered the following:
     Authentication Broker identity: cluster23.domain.com
     Authentication Broker identity's domain: [email protected]
     Is this information correct? [y,n,q] (y)
     Enter password for Authentication Broker administrator for the Authentication Broker on host sys01.domain.com
     Do you want to enable Private Branch Exchange (PBX) support in Authentication Broker Server? [y,n,q] (n) y
14 ICSInstaller now prompts for cluster configuration. For AT 4.2, say NO to cluster configuration through ICSInstaller. If you are deploying AT 4.3 using ICS 1.4.x, you need to say YES to cluster configuration and enter the

   virtual name for AT. Cluster configuration should finally be done by running the AT high availability scripts and not through the ICS installer.
   For 4.2:
     VCS appears to be installed and running. Going ahead with cluster configuration
     Do you want the installer to do a cluster configuration for Authentication Service? [y,n,q] (n) n
   For 4.3:
     The ICS installer has detected a cluster on sys01.domain.com. In order for Symantec Product Authentication Service to be configured properly in a clustered environment, it must be aware of the logical cluster name before generating its credentials.
     If this machine will not be configured as a cluster node, please answer "(N)o" to the following question and proceed through the remainder of the installation.
     If this machine will be configured as a cluster node, please answer "(Y)es" to the following question and then provide the logical cluster name accordingly. After installation, Symantec Product Authentication Service will need to be configured separately by running the Symantec Product Authentication Service cluster configuration script.
     Will sys01.domain.com be configured as part of a cluster? [y,n,q] (n) y
     Enter the logical name of the cluster: clust082.pdx.veritas.com
     Do you want to start Symantec Product Authentication Service processes now? [y,n,q] (y)
     VERITAS Authentication Service
     Starting Authentication daemon... Done
     VERITAS Authentication Service was started successfully.
     Press [Return] to continue:
15 Repeat steps 1-14 on each passive node of the cluster. Configure AT on each passive node in authentication broker mode with the same identity created earlier in step 1.
16 Now the AT package is installed on all nodes and AT is configured on all nodes in authentication broker mode with the same identity created on sys03 during step 1.
17 Make AT highly available from the active node, that is, sys01. From /opt/vrtsat/bin, run the cluster configuration script in either silent or interactive mode. For more details on script options, refer to perl VxATclconf.pl -Mi in Procedures.
18 Install the AZ 4.3 package on all cluster nodes, and configure AZ using ICSInstaller. The steps are similar to the AT installation, that is, ICSInstaller

   asks about configuring AZ after installation. Say NO to cluster configuration through ICSInstaller.
19 Make AZ highly available from the active node (where AT is also running now). From /opt/vrtsaz/bin, run the cluster configuration script in either silent or interactive mode.

VCS securable (UNIX)

VCS securable (UNIX), used in insecure mode
This section describes how to configure AT and AZ in high availability mode on a securable VCS which is currently configured in secure mode. See Steps to recognize which VCS mode you have.

Pre-requisites
VCS comes with AT in the unconfigured state. As a result, when AT is upgraded from the version bundled with VCS, the installer does not ask for broker (mode) configuration. It directly upgrades all the binaries, and finally AT is installed in root plus authentication broker mode.

VCS securable (UNIX) in insecure mode: use case 1
To achieve the desired configuration, we need to first configure the systems as follows:
1  Configure the active node, sys01, as a root plus authentication broker, as follows:
     /opt/vrtsat/bin/vxatd -r -a
2  On the node where AT has been configured in root plus authentication broker mode, create identities for each authentication broker. For example:
     vssat addprpl --pdrtype root --domain root --prplname sys01.domain.com
     vssat addprpl --pdrtype root --domain root --prplname sys02.domain.com
3  Copy the root_hash file from the root broker to the other cluster nodes as follows:
     rcp /opt/vrtsat/bin/root_hash sys02.domain.com:/tmp/root_hash

4  Specify the root's information required to configure the authentication broker on the other cluster nodes, using the following command:
     /opt/vrtsat/bin/vxatd -a -n <prplname> -p <password> -x vx -y <domain> -q <root broker> -z h <directory where root_hash has been copied from the node where AT is running in root plus authentication broker mode>
   For example:
     /opt/vrtsat/bin/vxatd -a -n sys02.domain.com -p sys02_password -x vx -y [email protected] -q sys01.domain.com -z h "/tmp/root_hash"
5  Now follow the steps in VCS securable (UNIX) in the secure mode: use case 1.

VCS securable (UNIX) in insecure mode: use case 2
Description
To achieve the desired configuration, we need to first configure the systems as follows:
  Authentication broker (sys01)
  Authentication broker (sys02)
  Root running on sys03, which is not part of the cluster
1  Create identities on the root broker sys03 for each authentication broker. For example:
     vssat addprp
l --pdrtype root --domain root --prplname sys01.domain.com
     vssat addprpl --pdrtype root --domain root --prplname sys02.domain.com
2  Copy the root_hash file from the root broker to the cluster nodes as follows:
     rcp sys03.domain.com:/opt/vrtsat/bin/root_hash sys01.domain.com:/tmp/root_hash
3  Specify the root's information required to configure the authentication broker on each cluster node, using the following command:
     /opt/vrtsat/bin/vxatd -a -n <prplname> -p <password> -x vx -y <domain> -q <root broker> -z h <directory where root_hash has been copied from the node where AT is running in root plus authentication broker mode>
   For example:

    /opt/vrtsat/bin/vxatd -a -n sys01.domain.com -p sys01_password -x vx -y -q sys03.domain.com -z h "/tmp/root_hash"

4 Now follow the steps in VCS securable (UNIX) in the secure mode: use case 2.

VCS securable (UNIX), used in the secure mode

This section describes how to configure AT and AZ in high availability mode on a securable VCS which is currently configured in secure mode.

VCS securable (UNIX) in the secure mode: use case 1

This section describes how to take an existing VCS (UNIX) cluster that is securable and is in secure mode, with a root plus authentication broker configured on one of the nodes, and make the root plus authentication broker highly available along with a highly available authorization service.

Description: To achieve the desired configuration, we need to first configure the systems as follows:

    Root plus authentication broker (sys01)
    Authentication broker mode (sys02)

To actualize this use case

1 Determine which cluster node has the root plus authentication broker configured on it. To do this, run the following command and find the node which has a broker mode of 3:

    /opt/vrtsat/bin/vssat showbrokermode

2 Take VCS offline on all nodes in the cluster. Then upgrade AT using the ICS installer on all nodes of the cluster.

3 Make AT highly available from the active node. From /opt/vrtsat/bin, run the cluster configuration script in either silent or interactive mode. For more details on script options, refer to perl VxATclconf.pl -Mi in Procedures.

4 Run the ICS installer to install the AZ 4.3 package on both active and passive nodes.

5 When the ICS installer asks for configuration of AZ, select YES.

6 The AZ service may get started on both active and passive nodes after installing.

7 Make AZ highly available from the active node (where AT is also running now). From /opt/vrtsaz/bin, run the cluster configuration script in either silent or interactive mode.

VCS securable (UNIX) in the secure mode: use case 2

This section describes how to take an existing VCS (UNIX) cluster that is securable and is in secure mode, with only authentication brokers configured on all the cluster nodes, and upgrade it to a highly available authentication broker along with a highly available authorization service.

Description

To achieve the desired configuration, we need to first configure the systems as follows:

    Authentication broker mode (sys01)
    Authentication broker mode (sys02)
    Root broker running outside the cluster (sys03)

To actualize this use case

1 Upgrade AT using the ICS installer on all cluster nodes.

2 Make AT highly available from the active node, i.e. sys01. From /opt/vrtsat/bin, run the cluster configuration script in either silent or interactive mode. For more details on script options, refer to the release notes, e.g. perl VxATclconf.pl -Mi in Procedures.

3 Run the ICS installer to install the AZ 4.3 package on all cluster nodes.

4 The AZ service may get started on both active and passive nodes after installing.

5 Make AZ highly available from the active node (where AT is also running now). From /opt/vrtsaz/bin, run the cluster configuration script in either silent or interactive mode.

Veritas Cluster Server (Windows)

Pre-requisites

VCS on Windows comes with AT in the unconfigured state but configured as a mode 3 broker. As a result, when we upgrade AT to AT, it does not ask for the broker mode during the configuration. It directly upgrades all the

binaries, and finally AT is installed in root plus authentication broker mode. To work around this, we must first configure the cluster nodes to have the correct broker mode before we upgrade each of the nodes.

VCS securable (Windows)

This topic discusses use case scenarios for Veritas Cluster Server on Windows.

VCS securable (Windows) used in insecure mode: use case 1

This section describes how to configure a VCS securable (Windows) cluster that is in insecure mode to have a highly available root and authentication broker. To accomplish this, we need to first configure one node, the active node sys01, as a root plus authentication broker, and all other nodes, sys02, as authentication brokers of the active node's root, sys01.

Description

To achieve the desired configuration, we need to first configure the systems as follows:

    Root plus authentication broker (sys01)
    Authentication broker (sys02)

1 Configure the active node, sys01, as a root plus authentication broker, as follows:

    C:\Program Files\VERITAS\Security\Authentication\bin>vxatd -r -a

2 Create identities on sys01, where AT has been configured into root plus authentication broker mode, for each authentication broker. For example:

    vssat addprpl --pdrtype root --domain root --prplname sys02.domain.com

3 Copy the root_hash file from the root broker to the other cluster nodes as follows:

    copy "c:\program files\veritas\security\authentication\bin\root_hash" to \\sys02\e$\tmp\root_hash

4 Specify the root's information required to configure the authentication broker on the other cluster nodes using the following command:

    C:\Program Files\VERITAS\Security\Authentication\bin>vxatd -a -n <prplname> -p <password> -x vx -y <domain> -q <root broker> -z h <directory where root_hash has been

copied from node where AT is running in root plus authentication broker mode>

For example:

    vxatd -a -n sys02.domain.com -p sys02_password -x vx -y -q sys01.domain.com -z h "C:\tmp\root_hash"

5 Run the VxSSVRTSatSetup.exe shipped with ICS 1.2.x to install the AT package on all cluster nodes.

6 Specify ClusterName while installing the AT package on the active as well as the passive nodes, and configure AT in root plus authentication broker mode on all the nodes of the cluster.

Note: You will not encounter this step if the broker is already configured. The AT process shall come up, since AT is configured in root plus authentication broker mode on the active and passive nodes.

Figure 8-1 Authentication Broker Service Options screen

7 Invoke AT high availability on the active node. See Procedures.

8 Run the VRTSazSetup.exe shipped with ICS 1.2.x to install the AZ 4.3 package on both active and passive cluster nodes.

9 The AZ service may get started on both active and passive nodes after installing.

10 Invoke AZ high availability on the active node (where the AT service group is online).

VCS securable (Windows) used in insecure mode: use case 2

This section describes how to configure a VCS securable (Windows) cluster that is in insecure mode to have a highly available authentication broker. To accomplish this, we need to first configure all the nodes of the cluster, sys01 and sys02, to be authentication brokers of another root broker on node sys03.

Description

    Authentication broker (sys01)
    Authentication broker (sys02)
    Root running on sys03, which is not part of the cluster

1 On sys03 (where the root resides), create a principal for each authentication broker. For example:

    vssat addprpl --pdrtype root --domain root --prplname sys01.domain.com
    vssat addprpl --pdrtype root --domain root --prplname sys02.domain.com

2 Copy the root_hash file from the root broker to the other cluster nodes:

    copy "c:\program files\veritas\security\authentication\bin\root_hash" to \\sys02\e$\tmp\root_hash

3 Specify the root's information required to configure the authentication broker on the other cluster nodes using the following command:

    C:\Program Files\VERITAS\Security\Authentication\bin>vxatd -a -n <prplname> -p <password> -x vx -y <domain> -q <root broker> -z h <directory where root_hash has been copied from node where AT is running in root plus authentication broker mode>

For example:

    > vxatd -a -n sys01.domain.com -p sys01_password -x vx -y [email protected] -q sys03.domain.com -z h "C:\tmp\root_hash"

4 Run the VxSSVRTSatSetup.exe shipped with ICS 1.2.x to install the AT package on all cluster nodes.

5 Specify ClusterName while installing the AT package on the active as well as the passive nodes, and configure AT in authentication broker mode on all the nodes of the cluster.

Note: You will not encounter this step if the broker is already configured. The AT process shall come up, since AT is configured in authentication broker mode on the active and passive nodes, configured under the same root hierarchy.

Figure 8-2 Authentication Broker Service Options screen: AB

6 Copy the root hash file from sys03 to all cluster nodes. For example:

    copy "c:\program files\veritas\security\authentication\bin\root_hash" to \\sys01\e$\tmp\root_hash

Figure 8-3 Authentication Broker Identity screen

7 Specify the root information that is required to configure the authentication broker while installing the AT package on the active as well as the passive nodes, and configure AT in authentication broker mode on all the nodes of the cluster. Specify the root_hash path from step 3.

8 Invoke AT high availability on the active node. See Procedures.

9 Run the VRTSazSetup.exe shipped with ICS 1.2.x to install the AZ 4.3 package on both active and passive nodes.

10 The AZ service may get started on both active and passive nodes after installing.

11 Invoke AZ high availability on the active node (where the AT service group is online).

VCS securable (Windows) used in the secure mode: use case 1

This section describes how to configure AT and AZ in high availability mode on a securable VCS which is currently configured in secure mode. To achieve the desired configuration for use case 1, we need to first configure the systems as follows:

    Root plus authentication broker (sys01)
    Authentication broker (sys02)

1 Run the VxSSVRTSatSetup.exe shipped with ICS 1.2.x to upgrade AT on all cluster nodes.

2 Invoke AT high availability on the active node. See Procedures.

3 Run the VRTSazSetup.exe shipped with ICS 1.2.x to install the AZ 4.3 package on both active and passive nodes.

4 The AZ service may get started on both active and passive nodes after installing.

5 Invoke AZ high availability on the active node (where the AT service group is online).

VCS securable (Windows) used in the secure mode: use case 2

This section describes how to configure a VCS securable (Windows) cluster that is in secure mode to have a highly available authentication broker and authorization service. To achieve the desired configuration for use case 2, we need to first configure the systems as follows:

    Authentication broker (sys01)
    Authentication broker (sys02)

1 Run the VxSSVRTSatSetup.exe shipped with ICS 1.2.x to upgrade AT on all cluster nodes.

2 Invoke AT high availability on the active node. See Procedures.

3 Run the VRTSazSetup.exe shipped with ICS 1.2.x to install the AZ 4.3 package on both active and passive nodes.

4 The AZ service may get started on both active and passive nodes after installing.

5 Invoke AZ high availability on the active node (where the AT service group is online).

How to deploy on Microsoft Cluster Server

This section describes how to configure a Microsoft Cluster Server cluster to have a highly available root plus authentication broker.

Authentication server in root plus authentication broker mode

To achieve the desired configuration, we need to first configure the systems as follows:

    Root plus authentication broker (sys01)
    Root plus authentication broker (sys02)
    Specify Clustername while installing AT

Select one node to be the active node in the cluster, e.g. sys01. You shall be configuring AT in high availability mode from this node. All other nodes in the cluster are called passive nodes, for example sys02.

Using VxSSVRTSatSetup.exe to install on all nodes

To install

1 Run the VxSSVRTSatSetup.exe shipped with ICS 1.2.x to install the AT package on the active node sys01.

2 Select Complete.

Figure 8-4 Setup Type screen

3 Select "Root+Authentication Broker Mode" while installing the AT package on the active as well as on the passive node. Make sure you select the service as cluster and provide the clustername.

Note: You will not encounter this step if the broker is already configured. Uninstall AT and start from step 1. The AT process shall come up, since AT is configured in root plus authentication broker mode on the active and passive node.

Figure 8-5 Authentication Broker Service Options screen

4 Apply the latest AT patch, e.g. x, by running VxSSVRTSatSetup.exe on the active and passive nodes.

5 To configure AT on all the passive nodes of the cluster, follow the same steps as discussed above.

Note: You will not encounter this step if the broker is already configured. Uninstall AT and start from step 5.

6 Invoke AT high availability on the active node sys01. See Procedures.

Authentication server in authentication broker only mode

This section describes how to configure a Microsoft Cluster Server cluster to have a highly available authentication broker.

Description

To achieve the desired configuration, we need to first configure the systems as follows:

    Authentication broker (sys01)
    Authentication broker (sys02)
    Root running on sys03, which is not part of the cluster

Note: AT is installed/upgraded using VxSSVRTSatSetup.exe. You need to configure it separately on each node.

1 Create one identity on sys03 (where the root resides) for all the authentication brokers that we are going to configure on each node of the cluster. For example:

    vssat addprpl --pdrtype root --domain root --prplname sys03.domain.com

The same identity should be used for all authentication brokers configured on all nodes of the cluster.

2 The cluster nodes essentially should not have AT installed or configured. Select one node to be the active node in the cluster, for example, sys01. You shall be configuring AT in high availability mode from this node. All other nodes in the cluster shall be called passive nodes, e.g. sys02.

Using VxSSVRTSatSetup.exe to install on all nodes

To install

1 Run the VxSSVRTSatSetup.exe shipped with ICS 1.2.x to install the AT package on all cluster nodes.

2 Select Complete.

Figure 8-6 Setup Type screen

3 Select Authentication Broker Only Mode while installing the AT package on the active as well as the passive nodes. Make sure you select the service as cluster and provide the clustername.

Note: You will not encounter this step if the broker is already configured. Uninstall AT and start from step 1. The AT process shall come up, since AT is configured in authentication broker mode on the active and passive nodes.

Figure 8-7 Authentication Broker Service Options screen

4 Copy the root_hash file from sys03, i.e. from the active node, to all passive cluster nodes. For example:

    copy c:\program files\veritas\security\authentication\bin\root_hash to \\sys02\e$\tmp\root_hash

5 In this step, the installer asks for the information needed to configure AT into authentication broker mode. For example:

    Hostname      sys03.domain.com
    HashFile      C:\tmp\root_hash
    Name          sys01.domain.com
    Password      sys01_password
    Domain Name   [email protected]

Figure 8-8 Authentication Broker Identity screen

Follow steps 1 to 5 for each node.

6 Invoke AT high availability on the active node sys01. See Procedures.

How to deploy on SUN Cluster, HPSG, HACMP

In order to make AT and AZ highly available on SUN Cluster, HPSG, and HACMP, follow these steps:

    Use the /opt/vrtsat/bin/cluster/hpsgvxatconf.pl file to configure AT into MCSG.
    Use the /opt/vrtsat/bin/scvxat file to configure AT into Sun Cluster.
    Use the /opt/vrtsat/bin/hacmp_at_config file to configure AT into HACMP.

See Procedures.
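The broker bootstrap that the subsections for these clusters refer back to (VCS securable (UNIX) in insecure mode, use cases 1 and 2: create a principal on the root broker for each authentication broker, copy root_hash to every cluster node, then run vxatd -a on each node against that root broker) is easier to review as a plan before any command is executed. What follows is an added example, not code from the release notes or from the AT product: a POSIX sh dry-run helper that prints the command sequence instead of running it and refuses to produce a plan when the root_hash source is missing or empty. The vxatd, vssat and rcp invocations copy the flag layout of the page's own examples verbatim; the hostnames, passwords and the root_hash file are constructed samples, and the root@<root broker host> form of the domain value is an assumption (the page's own example is redacted).

```shell
#!/bin/sh
# Added example (not from the release notes): dry-run plan for the broker
# bootstrap in "VCS securable (UNIX) in insecure mode", use cases 1 and 2.
# Every command is printed, not executed. Flag layout of vxatd/vssat/rcp is
# copied from the page's examples; sample values below are constructed.

# Pre-flight check: a local root_hash source must exist and be non-empty
# before any node is pointed at it. A remote source (host:path, as in use
# case 2 where the root broker sys03 is outside the cluster) cannot be
# inspected from here and is accepted as given.
at_check_root_hash() {
    case $1 in
        *:*) return 0 ;;
        *)   [ -s "$1" ] ;;
    esac
}

# Principal creation on the root broker (use case 1 step 2, use case 2 step 1).
at_addprpl_cmd() {
    printf 'vssat addprpl --pdrtype root --domain root --prplname %s\n' "$1"
}

# vxatd -a invocation for one node (use case 1 step 4, use case 2 step 3).
# Arguments: prplname password domain root_broker hash_path_on_node
at_configure_ab_cmd() {
    printf '/opt/vrtsat/bin/vxatd -a -n %s -p %s -x vx -y %s -q %s -z h "%s"\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Whole plan for a list of node:password pairs. Fails (exit 1) without
# printing anything when the root_hash source does not pass the pre-flight
# check, so a missing hash is caught before the first principal is created.
# Arguments: root_broker domain root_hash_source node:password ...
at_bootstrap_plan() {
    root_broker=$1; domain=$2; hash_src=$3; shift 3
    at_check_root_hash "$hash_src" || return 1
    for pair in "$@"; do
        at_addprpl_cmd "${pair%%:*}"
    done
    for pair in "$@"; do
        node=${pair%%:*}; password=${pair#*:}
        printf 'rcp %s %s:/tmp/root_hash\n' "$hash_src" "$node"
        at_configure_ab_cmd "$node" "$password" "$domain" "$root_broker" /tmp/root_hash
    done
}

# Demonstration with a constructed root_hash (use case 1: sys01 is the root
# plus authentication broker, sys02 becomes an authentication broker under
# it). The domain value root@sys01.domain.com is an assumed placeholder.
demo_hash=$(mktemp) && printf 'constructed-root-hash\n' > "$demo_hash"
at_bootstrap_plan sys01.domain.com root@sys01.domain.com "$demo_hash" \
    sys02.domain.com:sys02_password
rm -f "$demo_hash"
```

For use case 2 the root_hash source is passed as sys03.domain.com:/opt/vrtsat/bin/root_hash and the root broker argument is sys03.domain.com, which reproduces the rcp and vxatd lines the page gives for that case; the printed plan can then be executed node by node once the principals exist on the root broker.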

Authentication server in root plus authentication broker mode

Description

To achieve the desired configuration, we need to first configure the systems as follows:

    Root plus authentication broker (sys01)
    Root plus authentication broker (sys02)
    AT unconfigured on passive nodes

Follow similar steps as in VCS securable (UNIX) in insecure mode: use case 1.

Authentication server in authentication broker only mode

Description

To achieve the desired configuration, we need to first configure the systems as follows:

    Authentication broker mode (sys01)
    Authentication broker mode (sys02)
    Root running on sys03, which is not part of the cluster

Follow similar steps as in VCS securable (UNIX) in insecure mode: use case 2.

How to deploy on Tru Cluster

This section describes how to configure a Tru Cluster with a highly available root plus authentication broker.

Authentication server in root plus authentication broker mode

Description: To achieve the desired configuration, we need to first configure the systems as follows:

    Root plus authentication broker (sys01)

The root plus authentication broker is clustered. The configuration of one node configures all other nodes as well.

Note: AT is installed using the ICS installer. Since Tru Cluster uses CFS (Cluster File System), all AT/AZ configuration directories are shared. The user must install/configure AT/AZ on a single node only. There is no need to install/configure AT/AZ on all cluster nodes.

Select one node in the cluster that does not have AT installed or configured; this will be the node used to configure AT in highly available mode. When the AT package is installed on this node, it will automatically be installed on the other nodes as well.

Using ICSInstaller to install the AT package on all nodes

To install the AT package on all nodes

1 Run the ./installics command from the directory where you un-tarred the ICS package on sys01.

2 It will display the following menu:

    VERITAS Infrastructure Core Services Installer

    VERITAS Product                         Version   Installed   Licensed
    VERITAS Infrastructure Core Services              no          N/A
    VERITAS Private Branch Exchange                   no          N/A
    VERITAS Authentication Service                    no          N/A
    VERITAS Service Management Framework              no          N/A
    VERITAS Authorization Service                     no          N/A

    Selection Menu:
    I: Install/Upgrade a Product
    C: Configure an Installed Product
    L: License a Product
    P: Perform a Preinstallation Check
    U: Uninstall a Product
    D: View a Product Description
    Q: Quit
    ?: Help

    Enter a Selection: [I, C, L, P, U, D, Q,?] (I)

3 Select (I) for Installation. If AT is already installed, uninstall it and start from step 1.

4 Once the menu item is selected, the ICS installer shall prompt you to choose the product to be installed. Select AT, option 3.

    VERITAS Infrastructure Core Services Installer

    1) VERITAS Infrastructure Core Services
    2) VERITAS Private Branch Exchange
    3) VERITAS Authentication Service
    4) VERITAS Service Management Framework
    5) VERITAS Authorization Service
    B) Back to previous menu

    Select a product to install: [1-5, b, q]

5 Enter the name of the active node, i.e. sys01, on which you want to install AT.

    VERITAS Authentication Service

    Enter the system names separated by spaces on which to install AT: sys01

    Checking system communication:
    Checking OS version on sys01 ... OSF1 V5.1
    Checking system support for sys01 ... OSF1 V5.1 supported by AT
    Checking VRTSat package ... not installed
    Using rsh and rcp to communicate with remote systems.
    Initial system check completed successfully.

    Press [Return] to continue:

6 Press Enter when the ICS installer asks for confirmation.

    installics will install the following AT subsets on OSF1 target systems: sys01
    VRTSat    VERITAS Authentication Service

    Press [Return] to continue:

7 The ICS installer shall now check for space and dependent packages. Press Enter once the checks are successful.

    VERITAS Authentication Service

    Checking system installation requirements:
    Checking AT installation requirements on OSF1 target systems: sys01
    Checking AT installation requirements on sys01:
    Checking for external dependencies ... all external dependencies satisfied
    Checking file system space ... required space is available
    Stopping VRTSat processes ... done
    Installation requirements checks completed successfully.

    Press [Return] to continue:

8 The ICS installer shall ask for a passphrase. It could be any characters (minimum 6).

    VERITAS Authentication Service

    You are required to specify a passphrase with minimum of 6 characters. This passphrase will be used to protect sensitive information gathered during product configuration. All sensitive information stored in the response file will be encrypted with this passphrase. Please remember the passphrase you have entered. You will not be able to perform silent installation without this passphrase.

    Enter a passphrase with minimum of six (6) characters

9 Select Yes for AT server installation.

    Do you want to install the AT Server? [y,n,q] (y)
    Installing AT Server and Client... Done

    VERITAS Authentication Service

    Checking VERITAS Authentication Service packages on sys01:
    Checking VRTSat package... not installed

    Press [Return] to continue:

    VERITAS Authentication Service

    Installing VERITAS Authentication Service on sys01:
    Installing VRTSat on sys01... done 1 of 1 steps
    VERITAS Authentication Service installation completed successfully.

    Press [Return] to continue:

10 Once installation is done on sys01, the ICS installer shall prompt for AT configuration on the active node sys01. Select yes.

    VERITAS Authentication Service

    It is optional to configure AT now. If you choose to configure AT later, you can either do so manually or run the installics -configure command.

    Are you ready to configure AT on sys01? [y, n, q] (y)

11 You will be asked a set of AT configuration-related questions.

    installics will now ask sets of AT configuration-related questions.

    When a [b] is presented after a question, 'b' may be entered to go back to the first question of the configuration set.

    When a [?] is presented after a question, '?' may be entered for help or additional information about the question.

    Following each set of questions, the information you have entered will be presented for confirmation. To repeat the set of questions and correct any previous errors, enter 'n' at the confirmation prompt.

    No configuration changes are made to the systems until all configuration questions are completed and confirmed.

    Press [Return] to continue:

    1) Root Broker Only.
    2) Authentication Broker Only.
    3) Authentication + Root Broker.

    Enter the mode in which you want to install VRTSat [1-3,q]

12 Select root plus authentication broker mode, option 3, for the active node sys01. For AT 4.2, say NO to cluster configuration through ICSInstaller. If you are deploying AT 4.3 using ICS 1.4.x, then you need to say YES to cluster configuration and enter the virtual name for AT.

Cluster configuration should be done finally by running the AT high availability scripts and not through the ICS installers.

    VCS appears to be installed and running. Going ahead with cluster configuration
    Do you want the installer to do a cluster configuration for Authentication Service? [y,n,q] (n)

    VERITAS Authentication Service

    Configuring VERITAS Authentication Service:
    VERITAS Authentication Service configured successfully.

    Press [Return] to continue:

    VERITAS Authentication Service

    Starting Authentication daemon... Done
    VERITAS Authentication Service was started successfully.

    Press [Return] to continue:

    VERITAS Authentication Service

    Configuring VERITAS Authentication Service:
    VERITAS Authentication Service configured successfully.

    Press [Return] to continue:

    VERITAS Authentication Service

    Starting Authentication daemon... Done
    VERITAS Authentication Service was started successfully.

    Press [Return] to continue:

    VERITAS Authentication Service

    The installation response file is saved at: /opt/vrts/install/logs/installics response
    The installics log is saved at: /var/tmp/installics /installics.log

After this step, AT gets installed on all nodes of the cluster with the chosen AT mode.

13 Now the AT package is installed on all nodes, and AT is configured on all nodes of the cluster due to the Cluster File System. (AT gets upgraded on all nodes of the cluster automatically.)

14 Make AT highly available from the active node. From /opt/vrtsat/bin, run the cluster configuration script in either silent or interactive mode. For more details on script options, refer to Procedures.

    /opt/vrtsat/bin/tcvxat -setvirtualname <cluster name>

Note: Use clu_get_info to find out the cluster name.

    # clu_get_info
    Cluster information for cluster truclussym

    /opt/vrtsat/bin/tcvxat -register

15 Install the AZ 4.3 package on the active node sys01 using the ICS installer. The steps are similar to the AT installation steps.

16 Configure AZ on the active node, which in turn configures AZ on all nodes of the cluster automatically.

17 Make sure that the AZ process is not up before initiating the AZ high availability process. Make AZ highly available from the active node (where AT is also running now). From /opt/vrtsaz/bin, run the cluster configuration script in either silent or interactive mode. For example:

    /opt/vrtsat/bin/tcvxaz -register

Authentication server in authentication broker only mode

This section describes how to configure a Tru Cluster with a highly available authentication broker.

Description

To achieve the desired configuration, we need to first configure the systems as follows:

    Authentication broker (sys01)

That is, the authentication broker is clustered. The configuration of one node configures all other nodes as well.

Note: AT is installed using the ICS installer. Since Tru Cluster uses CFS (Cluster File System), all AT/AZ configuration directories are shared. The user must install/configure AT/AZ on a single node only. There is no need to install/configure AT/AZ on all cluster nodes.

1 Create principals on sys03 (where the root resides) for the authentication broker that we are going to configure on all nodes of the cluster. Due to the shared file system, AT on all nodes gets configured with the same identity. For example, run the following command:

    vssat addprpl --pdrtype root --domain root --prplname id_az

2 All cluster nodes essentially should not have AT installed or configured. Select one node to be the active node in the cluster. You shall be configuring AT in high availability mode from this node. On the active node, say sys01, install the AT package. The AT package will get installed on the other nodes automatically.

Using ICSInstaller to install the AT package on all nodes

To install the AT package on all nodes

1 Run the ./installics command from the directory where you un-tarred the ICS package on sys01.

2 It will display the following menu:

    VERITAS Infrastructure Core Services Installer

    VERITAS Product                         Version   Installed   Licensed
    VERITAS Infrastructure Core Services              no          N/A
    VERITAS Private Branch Exchange                   no          N/A
    VERITAS Authentication Service                    no          N/A
    VERITAS Service Management Framework              no          N/A
    VERITAS Authorization Service                     no          N/A

    Selection Menu:
    I) Install/Upgrade a Product
    C) Configure an Installed Product
    L) License a Product
    P) Perform a Preinstallation Check
    U) Uninstall a Product
    D) View a Product Description
    Q) Quit
    ?) Help

    Enter a Selection: [I, C, L, P, U, D, Q,?] (I)

3 Select (I) for Installation. If AT is already installed, uninstall it and start from step 1.

4 Once the menu item is selected, the ICS installer shall prompt you to choose the product to be installed. Select AT, i.e. option 3.

    VERITAS Infrastructure Core Services Installer

    1) VERITAS Infrastructure Core Services
    2) VERITAS Private Branch Exchange
    3) VERITAS Authentication Service
    4) VERITAS Service Management Framework
    5) VERITAS Authorization Service
    B) Back to previous menu

    Select a product to install: [1-5, b, q]

5 Enter the name of the active node, i.e. sys01, on which you want to install AT.

    VERITAS Authentication Service

    Enter the system names separated by spaces on which to install AT: sys01

    Checking system communication:
    Checking OS version on sys01 ... osf1 V5.1
    Checking system support for sys01 ... OSF1 V5.1 supported by AT
    Checking VRTSat package ... not installed
    Using rsh and rcp to communicate with remote systems.
    Initial system check completed successfully.

    Press [Return] to continue:

6 Press Enter when the ICS installer asks for confirmation.

    installics will install the following AT subsets on OSF1 target systems: sys01
    VRTSat    VERITAS Authentication Service

    Press [Return] to continue:

7 The ICS installer shall now check for space and dependent packages. Press Enter once the checks are successful.

    VERITAS Authentication Service

    Checking system installation requirements:
    Checking AT installation requirements on OSF1 target systems: sys01
    Checking AT installation requirements on sys01:
    Checking for external dependencies ... all external dependencies satisfied
    Checking file system space ... required space is available
    Stopping VRTSat processes ... Done
    Installation requirements checks completed successfully.

    Press [Return] to continue:

8 The ICS installer shall ask for a passphrase. It could be any characters (minimum 6).

    VERITAS Authentication Service

    You are required to specify a passphrase with minimum of 6 characters. This passphrase will be used to protect sensitive information gathered during product configuration. All sensitive information stored in the response file will be encrypted with this passphrase. Please remember the passphrase you have entered. You will not be able to perform silent installation without this passphrase.

    Enter a passphrase with minimum of six (6) characters

9 Select Yes for AT server installation.

    Do you want to install the AT Server? [y,n,q] (y)
    Installing AT Server and Client... Done

    VERITAS Authentication Service

    Checking VERITAS Authentication Service packages on sys01:
    Checking VRTSat package... not installed

    Press [Return] to continue:

    VERITAS Authentication Service

    Installing VERITAS Authentication Service on sys01:
    Installing VRTSat on sys01... done 1 of 1 steps
    VERITAS Authentication Service installation completed successfully.

    Press [Return] to continue:

10 Once installation is done on sys01, the ICS installer shall prompt for AT configuration on the active node sys01. Select yes.

    VERITAS Authentication Service

    It is optional to configure AT now. If you choose to configure AT later, you can either do so manually or run the installics -configure command.

    Are you ready to configure AT on sys01? [y, n, q] (y)

11 You will now be asked a set of AT configuration-related questions.

    VERITAS Authentication Service

    installics will now ask sets of AT configuration-related questions.

    When a [b] is presented after a question, 'b' may be entered to go back to the first question of the configuration set.

    When a [?] is presented after a question, '?' may be entered for help or additional information about the question.

    Following each set of questions, the information you have entered will be presented for confirmation. To repeat the set of questions and correct any previous errors, enter 'n' at the confirmation prompt.

    No configuration changes are made to the systems until all configuration questions are completed and confirmed.

    Press [Return] to continue:

    VERITAS Authentication Service

    1) Root Broker Only.
    2) Authentication Broker Only.
    3) Authentication + Root Broker.

    Enter the mode in which you want to install VRTSat [1-3,q]

12 Select authentication broker mode, i.e. option 2, for the active node sys01. For AT 4.2, say NO to cluster configuration through ICSInstaller. If you are deploying AT 4.3 using ICS 1.4.x, then you need to say YES to cluster configuration and enter the virtual name for AT. Cluster

177 Procedures for HA deployment of the AT and AZ services How to deploy on Tru Cluster 167 configuration should be done finally by running the AT high availability scripts and not through ICS installers. VERITAS Authentication Service Configuring VERITAS Authentication Service: VERITAS Authentication Service configured successfully. Press [Return] to continue: VERITAS Authentication Service Starting Authentication daemon...done VERITAS Authentication Service was started successfully. Press [Return] to continue: VERITAS Authentication Service The installation response file is saved at: /opt/vrts/install/logs/installics response The installics log is saved at: /var/tmp/installics /installics.log Note: After this step AT get installed and configured on all nodes of the cluster in authentication broker mode. 13 Now AT package is installed on all nodes, and AT is configured on all nodes of the cluster due to Cluster File System. (AT get upgraded on all nodes of the cluster automatically) 14 Make AT highly available from the active node. From /opt/vrtsat/bin, run cluster configuration script in either silent or interactive mode. For more details for script options refer to Procedures. For example: /opt/vrtsat/bin/tcvxat -setvirtualname <cluster name> Use clu_get_info to find out cluster name, as follows: # clu_get_info Cluster information for cluster truclussym /opt/vrtsat/bin/tcvxat -register 15 Install AZ 4.3 package on active node sys01 using ICSinstaller. Steps shall be similar to AT installation.

178 168 Procedures for HA deployment of the AT and AZ services How to deploy on Tru Cluster 16 Configure AZ on active node, which in turn configure AZ on all nodes of the cluster automatically. 17 Please make sure that AZ process is not up before initiating AZ high availability process. Make AZ highly available from the active node (where AT is also running now)
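The following helper is an added example written for these notes; it is not part of the Symantec release notes or of the tcvxat script. It automates step 14: it takes the cluster name from the clu_get_info summary line quoted above and then runs the two tcvxat invocations (-setvirtualname and -register) in order, stopping at the first failure so that -register is never attempted when the virtual name could not be set. The sample clu_get_info output is constructed, and DRY_RUN=1 (the default here) only prints the commands so the logic can be reviewed off the cluster; set DRY_RUN=0 on the active node to execute them.

```shell
#!/bin/sh
# Added example, not taken from the Symantec release notes or the tcvxat script.
# Automates step 14: read the cluster name from clu_get_info and run the AT
# high-availability script with it. With DRY_RUN=1 (the default here) the
# commands are only printed, so the logic can be tested off the cluster.

# Constructed sample of clu_get_info output, mirroring the line quoted in step 14.
SAMPLE_CLU_INFO='Cluster information for cluster truclussym'

# Extract the cluster name from clu_get_info output passed as $1.
# Prints the name, or nothing if the summary line is absent.
cluster_name_from_info() {
    printf '%s\n' "$1" | sed -n 's/^Cluster information for cluster \([^ ]*\).*/\1/p' | head -n 1
}

# Run a command, or only echo it when DRY_RUN=1.
run_step() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "would run: $*"
    else
        "$@"
    fi
}

# The AT HA steps from the active node, in order. Stops at the first failure
# so -register is never attempted without the virtual name having been set.
make_at_ha() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        info="$SAMPLE_CLU_INFO"
    else
        info=$(clu_get_info) || { echo "clu_get_info failed" >&2; return 1; }
    fi
    name=$(cluster_name_from_info "$info")
    if [ -z "$name" ]; then
        echo "could not determine the cluster name from clu_get_info" >&2
        return 1
    fi
    run_step /opt/vrtsat/bin/tcvxat -setvirtualname "$name" || return 1
    run_step /opt/vrtsat/bin/tcvxat -register || return 1
}

make_at_ha
```

Refusing to continue when the cluster name is empty matters because tcvxat -setvirtualname with a blank argument would otherwise be invoked with whatever the shell expands it to; checking the parsed value before use keeps the failure explicit.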

Glossary

Access Token
    A data structure generated for an authentication principal when the principal logs on, containing that principal's security identifier, identifiers for the groups the principal belongs to, and a list of the privileges the principal has on the local computer where he or she logged in. The access token defines the security context for the authentication principal.

Account Name
    An alternative term for authentication principal.

Administration Console
    A graphical interface used to administer Authentication. For example, the administrator uses it to indicate the location of the different components, trust relationships, plugins, private Symantec domains, etc.

Application Client
    A program that accesses a service or function provided by another program, called an application service. An example of an application client is the Symantec Volume Manager GUI. An application client uses Authentication to validate the ID of the user of that client.

Application Host
    The machine on which an application is running.

Application Service
    A program that is contacted by, and provides services to, an application client.

AT
    In CLI command usage and in certain graphics, an abbreviation referring to Authentication.

Authentication Broker
    The component that serves, one level beneath the Root Broker, as an intermediate registration authority and a certification authority. The Authentication Broker can authenticate clients, such as users or services, and grant them a certificate that will become part of the product credential. An Authentication Broker cannot, however, authenticate other brokers; that task must be performed by the Root Broker.

Authentication Broker Tree
    A three-level certificate hierarchy which includes all the identified entities whose certificates chain up to a single root certificate.

Authentication Group
    A named collection of authentication principals, established in a native operating system and treated as a single entity for convenience. All members of an authentication group will be from the same authentication domain. The product credential will contain a list of all groups the principal belongs to in that authentication domain. Also called OS Group.

Authentication Library
    The part of the Symantec Product Authentication Service that links with an application client and implements the program calls it must make in order to request authentication.

Authentication Mechanism
    The method by which authentication is conducted for principals in a specific name-space defined by a domain. For example, a Kerberos domain uses Kerberos tickets and passwords. On UNIX platforms, Kerberos domains are used through the GSS-API. An authentication mechanism encapsulates all the details of the authentication algorithm, including APIs, protocols, token formats, token content semantics and database object formats. Not all of these ingredients are relevant in all mechanisms.

Authentication Plugin
    A component used by the Authentication Broker to validate identities within a particular domain. An authentication plugin exists for each supported authentication mechanism. For example, one plugin can validate NIS identity and password combinations against an NIS database, while another uses a Kerberos ticket to authenticate the principal.

Authentication Principal
    A user, computer, or process such as a command line interface (CLI) or service that has the ability to authenticate to Symantec Product Authentication Service with a unique identity. An authentication principal differs from a security principal in that not all security principals can validate; nor are they all accountable for their actions.

Authentication Private Domain
    A specialized authentication domain used to hold identities and password hashes for authentication principals unique to, and managed by, Symantec products for which customers do not want to reuse an existing identity in another domain. Authentication private domains can be used to hold identities of point products, such as SAN Point Control and Volume Manager.

Authentication Private Domain Repository (PDR)
    A store of one or more authentication private domains. The Authentication Broker loads this repository, and principals are checked against it in order to be validated.

Boundary Condition
    The starting point or initial state of something.

Certificate
    A type of electronic passport or ID card that vouches for the identity of its holder and ties the principal's name to his or her public key. Product credentials require a certificate and the client's private key.

Certification Authority
    A trusted third party responsible for issuing, managing, and revoking certificates that vouch for the identities of the certificate holders. In Symantec Product Authentication Service, the certification authority is a part of the Authentication Broker.

CLI
    Command line interface.

Communications Library
    A part of Authentication that provides secure communication between an application client and an application service, using the product credential acquired in a preceding authentication interaction.

Cyphertext
    The encrypted output of an encryption process.

Digital Certificate
    See Certificate.

Digital Signature
    A block of data appended to a message such that the recipient of the message can verify the contents and the originator of the message. There are a number of digital signature algorithms in use.

Domain
    See Authentication Private Domain.

Mapping, Domain-Broker
    The set of information telling which Authentication Broker should be approached, for each domain, when attempting to authenticate.

Message Digest Function
    An algorithm that generates a digest from its input (for example, a message). The digest is statistically unique: different inputs are extraordinarily unlikely to have the same fingerprint. Moreover, small changes in the input lead to large changes in the output and are therefore easily detected.

Object
    An entity, whether visible and tangible or not, that can be manipulated by a process or program.

Plaintext
    The unencrypted input to an encryption process.

Principal
    See Authentication Principal.

Private Domain
    See Authentication Private Domain.

Product Credential
    An entitlement to be recognized as a valid identity. A product credential requires both (1) the principal's private key and (2) an X.509v3 certificate with special extensions, produced and signed by the Authentication Broker or Root Broker, to bind the principal's name to the public key. The product credential provides single-sign-on capability for all Symantec applications that use the Symantec Product Authentication Service and that choose to participate in the Symantec single sign-on session.

Product Web Credential
    A special kind of credential that tells the Symantec Product Authentication Service library that there is no corresponding private part stored in the library. Such a credential must be used along with a proxy-capable credential of the web console.

Protected Application
    A shorthand way of referring to a resource management application that has been configured to be protected by Symantec Product Authentication/Authorization Service.

Public Key Encryption
    A security method that requires using one key to encrypt a piece of data and another distinct but mathematically related key to decrypt it. The two keys are the public key, which can be used by anyone, and the private key, which relates to this specific public key and must be kept secret. Either key can be used for encryption, but its companion must be used for decryption. Without both keys, the process fails. Public key encryption is also called asymmetric encryption.

Public Key Infrastructure (PKI)
    A framework established to issue, maintain, and revoke public key certificates.

Resource Management Application
    A Symantec product whose resources are being protected by Symantec Product Authentication Service.

Root Broker
    The first Authentication Broker, which has a self-signed certificate. The Root Broker has a single private domain that holds only the names of brokers that shall be considered valid. The name of the Root Broker itself is stored as the fully qualified domain name.

Root Certificate
    The self-signed digital validation, with specific information stating that it is a certification authority certificate.

Root Certification Authority
    The entity at the top of the hierarchy of authorities allowed to sign digital certificates vouching for the validity of principals, and therefore the most trusted certification authority.

Root Hash
    The thumbprint of the Root Broker's credential. It takes the form of a binary file and uniquely identifies a Root Broker. The Root Hash is used for establishing trust relationships. It can be found in /opt/vrtsat/bin on UNIX and C:\Program Files\VERITAS\Security\Authentication\bin on Windows.

Secure Sockets Layer Protocol (SSL)
    A public key protocol originally created by Netscape and used for secure communications between clients and servers over the Web. In the context of Symantec Product Authentication Service, Secure Sockets Layer technology provides secured communications between the client, Authentication Broker, and service. The acronym SSL is nearly always used for this term.

Security Context
    The identity of an authentication principal, the groups to which it belongs, and the set of privileges the principal has on the local computer where he or she logged in. The security context is established by the access token.

Security Identifier
    A unique value identifying a secured principal that holds an account within an enterprise.

Security Principal Name
    The unique name used to identify a human user, a group, or a computer within a domain.

SSPI
    Security Support Provider Interface (SSPI) from Windows, which provides a set of authentication and communication security services between applications running on Microsoft platforms.

Subject
    A thread executing on behalf of (that is, with the permissions of) an authentication principal. Those permissions would have been granted by an administrator explicitly to the security principal which includes that authentication principal.

Symantec Product Authentication Service
    A component that validates identities and sets up secured communications between authenticated entities, sometimes referred to as peers. It provides a single sign-on service for all Symantec products that the administrator configures to be protected by it.

User
    A human authentication principal whose name, recognized by Symantec Product Authentication Service, is the name of their operating system access account. The term human user will be used to refer to this type of principal.
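The glossary entries for Message Digest Function and Root Hash describe two properties a practitioner relies on when establishing trust with a Root Broker: a digest changes drastically for a tiny change in its input, and a thumbprint obtained out of band can be compared against what a peer presents. The Python below is an added example written for these notes, not code from Symantec or from the Symantec Product Authentication Service; it uses SHA-256 purely as an illustration (the actual format of the AT root hash file is not specified here), and the credential bytes it hashes are constructed.

```python
import hashlib
import hmac

# Added example, not part of the Symantec release notes. SHA-256 stands in for
# whatever digest the product uses; the sample credential bytes are constructed.


def digest_hex(data: bytes) -> str:
    """Return the SHA-256 digest of data as hex (the 'fingerprint' the glossary describes)."""
    return hashlib.sha256(data).hexdigest()


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Count the bits that differ between two equal-length hex digests (Hamming distance)."""
    a = bytes.fromhex(hex_a)
    b = bytes.fromhex(hex_b)
    if len(a) != len(b):
        raise ValueError("digests must be the same length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def root_hash_matches(expected_hex: str, presented: bytes) -> bool:
    """Decide whether a presented root credential matches the root hash an
    administrator recorded out of band. The comparison is constant-time, so the
    check itself does not reveal how many leading bytes of the digest matched."""
    return hmac.compare_digest(digest_hex(presented), expected_hex.lower())


# Constructed stand-in for a root broker credential (not a real AT credential).
SAMPLE_CREDENTIAL = b"-----BEGIN CONSTRUCTED ROOT CREDENTIAL-----\nroot-broker.example.test\n"
# The same bytes with a single bit flipped: the kind of small change a digest exposes.
TAMPERED_CREDENTIAL = bytes([SAMPLE_CREDENTIAL[0] ^ 0x01]) + SAMPLE_CREDENTIAL[1:]


def avalanche_demo() -> int:
    """Number of digest bits (out of 256) that change when one input bit changes."""
    return bit_difference(digest_hex(SAMPLE_CREDENTIAL), digest_hex(TAMPERED_CREDENTIAL))


if __name__ == "__main__":
    expected = digest_hex(SAMPLE_CREDENTIAL)  # what the administrator records out of band
    print("root hash:", expected)
    print("genuine credential accepted:", root_hash_matches(expected, SAMPLE_CREDENTIAL))
    print("tampered credential accepted:", root_hash_matches(expected, TAMPERED_CREDENTIAL))
    print("bits changed by a one-bit edit:", avalanche_demo(), "of 256")
```

The design point is that the expected hash must come from a channel independent of the peer presenting the credential (the glossary says it is a file on the Root Broker host); comparing a hash the peer itself supplied would establish nothing.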


Index

A
access token 169
account name 169
Active Directory 99
AD 99
addldapdomain 3
application host 169
application service 169
AT Service IP Address 34
AT Service Virtual Name 34
athealth 10
authentication broker 169
authentication group 169
authentication library 170
authentication mechanism 170
authentication plugin 170
authentication principal 170
authentication private domain 170
authentication private domain repository 170
authorization, connecting 26

B
back up
    UNIX 117
    Windows 116
boundary condition 170
broker 169
broker administration
    addldapdomain 3
    listldapdomains 2
    removeldapdomain 8
broker credential renewal 15
    automatic broker credential renewal 15

C
CA 170
certificate 170
    root 172
certification authority 170
    root 172
clarifications 109
    access CLI 112
    Administrator's Guide 111
    Installation Guide 110
    maximum lengths 113
    minimum lengths 113
    PBX port 113
    update principal 112
    vxatd 112
communications library 171
cyphertext 171

D
digital signature 171
domain
    private 170

E
encryption
    files 44

F
findrb
    input file 106
    location 105
    output 106
    purpose 105
    sample 106
    usage 105

G
GSS_API 25

H
HACMP
    configuration, verify 87
    configure authentication 84
    illustrations 88
    unconfigure 87
hash, root 172
host
    application 169
HP-SG
    configure authentication 89
    interactive configuration 90
    silent configuration 90
    unconfigure 96
    verify configuration 92

I
install_dir 34
issues
    chart 19, 30
    numbered 30

K
known issues 29

L
LDAP
    compatibility 99
    configure 100
    ldapsearch 99
    test configuration 101
    with AD 99
library
    communications 171
listldapdomains 2

M
message digest function 171
Mount Point 34
MSCS
    configure authentication 50
    unconfigure options 52
    verify configuration 53

N
Network Interface 34
not supported 25

O
object 171

P
PAM authentication 9
patches, required 23
PKI 172
plaintext 171
platforms, supported 22
plugin
    authentication 170
principal
    authentication 170
procedures 33
    install AB on UNIX 39
    install Root + AB on UNIX 37
    install Root Only on UNIX 42
    install, Windows 35
    upgrade 45
    upgrade, secure cluster 45
protected application 172
public key encryption 172
public key infrastructure 172

R
recommendations 115
    avoid sudden stops 121
    back up 116
    number of root brokers 116
    passwords, entering 121
    PDR accounts 120
    restarting on HP 121
    vxatd 121
removeldapdomain 8
removing startup scripts 26
required patches 23
required service packs 23
resource management application 172
response files 44
restore
    UNIX 120
    Windows 118
rollback 45
root brokers
    recommended number 116
root certificate 172
root certification authority 172
root hash 172

S
SEAM 25
secure sockets layer protocol 172
security context 172
security identifier 172
service packs, required 23
srvscan
    dialog box 105
    location 104
    purpose 104
    sample 104
    usage 104
SSL 172
SSPI 173
startup scripts, removing 26
subject 173
Sun Cluster
    configure authentication 80
    verify configuration 82
supported platforms 22
system requirements 22

T
tools 103
    findrb 105
    srvscan 104
Tru64
    configure authentication 79
    verify configuration 80

U
unconfigure
    HACMP 87
    HP-SG 96
    MSCS 52
    VCS, Windows 67
uninstall
    cautions 98
    installics 98
    methods 98
UNIX, install AB 39
UNIX, install Root + AB 37
UNIX, install Root Only 42
unixpwd 9
upgrade
    secure cluster 45
upgrades
    non-secure cluster 47
    secure cluster 45
user, defined 173
utilities
    athealth 10
    atldapconf 11

V
VCS
    config file details 62
    configure authentication, UNIX 69
    configure authentication, Windows 55
    unconfigure, Windows 67
    verify configuration, UNIX 76
    verify configuration, Windows 66
    VxATclinput.txt file 63
verify
    HACMP configuration 87
    HP-SG configuration 92
    MSCS configuration 53
    Sun Cluster configuration 82
    Tru64 configuration 80
    VCS configuration, UNIX 76
    VCS configuration, Windows 66
vssat commands
    addldapdomain 3
    listldapdomains 2
    removeldapdomain 8

W
Windows, install authentication 35


More information

Symantec NetBackup Installation Guide

Symantec NetBackup Installation Guide Symantec NetBackup Installation Guide Windows Release 7.1 21159700 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

More information

VERITAS NetBackup TM 6.0

VERITAS NetBackup TM 6.0 VERITAS NetBackup TM 6.0 System Administrator s Guide, Volume II for UNIX and Linux N15258B September 2005 Disclaimer The information contained in this publication is subject to change without notice.

More information

HP IMC Firewall Manager

HP IMC Firewall Manager HP IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW102-20120420 Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this

More information

Sample Configuration: Cisco UCS, LDAP and Active Directory

Sample Configuration: Cisco UCS, LDAP and Active Directory First Published: March 24, 2011 Last Modified: March 27, 2014 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS

More information

LDAP Synchronization Agent Configuration Guide for

LDAP Synchronization Agent Configuration Guide for LDAP Synchronization Agent Configuration Guide for Powerful Authentication Management for Service Providers and Enterprises Version 3.x Authentication Service Delivery Made EASY LDAP Synchronization Agent

More information

CA Nimsoft Monitor. Probe Guide for IIS Server Monitoring. iis v1.5 series

CA Nimsoft Monitor. Probe Guide for IIS Server Monitoring. iis v1.5 series CA Nimsoft Monitor Probe Guide for IIS Server Monitoring iis v1.5 series Legal Notices Copyright 2013, CA. All rights reserved. Warranty The material contained in this document is provided "as is," and

More information

Symantec ApplicationHA Agent for Microsoft Internet Information Services (IIS) Configuration Guide

Symantec ApplicationHA Agent for Microsoft Internet Information Services (IIS) Configuration Guide Symantec ApplicationHA Agent for Microsoft Internet Information Services (IIS) Configuration Guide Windows Server 2003, Windows Server 2008 and 2008 R2 6.0 September 2011 Symantec ApplicationHA Agent for

More information

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide Symantec Database Security and Audit 3100 Series Appliance Getting Started Guide Symantec Database Security and Audit 3100 Series Getting Started Guide The software described in this book is furnished

More information

VERITAS Backup Exec TM 10.0 for Windows Servers

VERITAS Backup Exec TM 10.0 for Windows Servers VERITAS Backup Exec TM 10.0 for Windows Servers Quick Installation Guide N134418 July 2004 Disclaimer The information contained in this publication is subject to change without notice. VERITAS Software

More information

Oracle Access Manager

Oracle Access Manager Oracle Access Manager Third-Party Integrations for, WebPass, Application Server Connector and Policy Manager 10g (10.1.4.0.1), 10g (10.1.4.2.0), and 10g (10.1.4.3) August 2013 This document is a guide

More information

HP A-IMC Firewall Manager

HP A-IMC Firewall Manager HP A-IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW101-20110805 Legal and notice information Copyright 2011 Hewlett-Packard Development Company, L.P. No part of this

More information

Symantec NetBackup OpenStorage Solutions Guide for Disk

Symantec NetBackup OpenStorage Solutions Guide for Disk Symantec NetBackup OpenStorage Solutions Guide for Disk UNIX, Windows, Linux Release 7.6 Symantec NetBackup OpenStorage Solutions Guide for Disk The software described in this book is furnished under a

More information

System Requirements and Platform Support Guide

System Requirements and Platform Support Guide Foglight 5.6.7 System Requirements and Platform Support Guide 2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in

More information

Symantec ApplicationHA agent for Internet Information Services Configuration Guide

Symantec ApplicationHA agent for Internet Information Services Configuration Guide Symantec ApplicationHA agent for Internet Information Services Configuration Guide Windows on Hyper-V 6.1 February 2014 Symantec ApplicationHA agent for Internet Information Services Configuration Guide

More information

Crystal Server Upgrade Guide SAP Crystal Server 2013

Crystal Server Upgrade Guide SAP Crystal Server 2013 Crystal Server Upgrade Guide SAP Crystal Server 2013 Copyright 2013 SAP AG or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or

More information

Symantec Backup Exec System Recovery Exchange Retrieve Option User's Guide

Symantec Backup Exec System Recovery Exchange Retrieve Option User's Guide Symantec Backup Exec System Recovery Exchange Retrieve Option User's Guide Symantec Backup Exec System Recovery Exchange Retrieve Option User's Guide The software described in this book is furnished under

More information

Symantec Endpoint Protection 11.0 Architecture, Sizing, and Performance Recommendations

Symantec Endpoint Protection 11.0 Architecture, Sizing, and Performance Recommendations Symantec Endpoint Protection 11.0 Architecture, Sizing, and Performance Recommendations Technical Product Management Team Endpoint Security Copyright 2007 All Rights Reserved Revision 6 Introduction This

More information

DocuShare Installation Guide

DocuShare Installation Guide DocuShare Installation Guide Publication date: February 2011 This document supports DocuShare Release 6.6.1 Prepared by: Xerox Corporation DocuShare Business Unit 3400 Hillview Avenue Palo Alto, California

More information

Symantec Integrated Enforcer for Microsoft DHCP Servers Getting Started Guide

Symantec Integrated Enforcer for Microsoft DHCP Servers Getting Started Guide Symantec Integrated Enforcer for Microsoft DHCP Servers Getting Started Guide Legal Notice Copyright 2006 Symantec Corporation. All rights reserved. Federal acquisitions: Commercial Software - Government

More information

IBM WebSphere Application Server Version 7.0

IBM WebSphere Application Server Version 7.0 IBM WebSphere Application Server Version 7.0 Centralized Installation Manager for IBM WebSphere Application Server Network Deployment Version 7.0 Note: Before using this information, be sure to read the

More information

CA SiteMinder. Directory Configuration - OpenLDAP. r6.0 SP6

CA SiteMinder. Directory Configuration - OpenLDAP. r6.0 SP6 CA SiteMinder Directory Configuration - OpenLDAP r6.0 SP6 This documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

www.novell.com/documentation Jobs Guide Identity Manager 4.0.1 February 10, 2012

www.novell.com/documentation Jobs Guide Identity Manager 4.0.1 February 10, 2012 www.novell.com/documentation Jobs Guide Identity Manager 4.0.1 February 10, 2012 Legal Notices Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation,

More information

CA Unified Infrastructure Management Server

CA Unified Infrastructure Management Server CA Unified Infrastructure Management Server CA UIM Server Configuration Guide 8.0 Document Revision History Version Date Changes 8.0 September 2014 Rebranded for UIM 8.0. 7.6 June 2014 No revisions for

More information

Installing and Administering VMware vsphere Update Manager

Installing and Administering VMware vsphere Update Manager Installing and Administering VMware vsphere Update Manager Update 1 vsphere Update Manager 5.1 This document supports the version of each product listed and supports all subsequent versions until the document

More information

OnCommand Performance Manager 1.1

OnCommand Performance Manager 1.1 OnCommand Performance Manager 1.1 Installation and Setup Guide For Red Hat Enterprise Linux NetApp, Inc. 495 East Java Drive Sunnyvale, CA 94089 U.S. Telephone: +1 (408) 822-6000 Fax: +1 (408) 822-4501

More information

Framework 8.1. External Authentication. Reference Manual

Framework 8.1. External Authentication. Reference Manual Framework 8.1 External Authentication Reference Manual The information contained herein is proprietary and confidential and cannot be disclosed or duplicated without the prior written consent of Genesys

More information

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks

More information

Symantec Enterprise Vault Technical Note. Troubleshooting the Monitoring database and agents. Windows

Symantec Enterprise Vault Technical Note. Troubleshooting the Monitoring database and agents. Windows Symantec Enterprise Vault Technical Note Troubleshooting the Monitoring database and agents Windows December 2006 Symantec Enterprise Vault Troubleshooting the Monitoring database and agents Copyright

More information

Siebel Installation Guide for Microsoft Windows. Siebel Innovation Pack 2013 Version 8.1/8.2, Rev. A April 2014

Siebel Installation Guide for Microsoft Windows. Siebel Innovation Pack 2013 Version 8.1/8.2, Rev. A April 2014 Siebel Installation Guide for Microsoft Windows Siebel Innovation Pack 2013 Version 8.1/8.2, Rev. A April 2014 Copyright 2005, 2014 Oracle and/or its affiliates. All rights reserved. This software and

More information

Interstage Application Server V7.0 Single Sign-on Operator's Guide

Interstage Application Server V7.0 Single Sign-on Operator's Guide Interstage Application Server V7.0 Single Sign-on Operator's Guide Single Sign-on Operator's Guide - Preface Trademarks Trademarks of other companies are used in this user guide only to identify particular

More information

Synchronization Agent Configuration Guide

Synchronization Agent Configuration Guide SafeNet Authentication Service Synchronization Agent Configuration Guide 1 Document Information Document Part Number 007-012476-001, Revision A Release Date July 2014 Trademarks All intellectual property

More information

VERITAS Backup Exec 9.1 for Windows Servers Quick Installation Guide

VERITAS Backup Exec 9.1 for Windows Servers Quick Installation Guide VERITAS Backup Exec 9.1 for Windows Servers Quick Installation Guide N109548 Disclaimer The information contained in this publication is subject to change without notice. VERITAS Software Corporation makes

More information

HP LeftHand SAN Solutions

HP LeftHand SAN Solutions HP LeftHand SAN Solutions Support Document Installation Manuals Installation and Setup Guide Health Check Legal Notices Warranty The only warranties for HP products and services are set forth in the express

More information

ORACLE OPS CENTER: PROVISIONING AND PATCH AUTOMATION PACK

ORACLE OPS CENTER: PROVISIONING AND PATCH AUTOMATION PACK ORACLE OPS CENTER: PROVISIONING AND PATCH AUTOMATION PACK KEY FEATURES PROVISION FROM BARE- METAL TO PRODUCTION QUICKLY AND EFFICIENTLY Controlled discovery with active control of your hardware Automatically

More information

Intelligent Power Protector User manual extension for Microsoft Virtual architectures: Hyper-V 6.0 Manager Hyper-V Server (R1&R2)

Intelligent Power Protector User manual extension for Microsoft Virtual architectures: Hyper-V 6.0 Manager Hyper-V Server (R1&R2) Intelligent Power Protector User manual extension for Microsoft Virtual architectures: Hyper-V 6.0 Manager Hyper-V Server (R1&R2) Hyper-V Manager Hyper-V Server R1, R2 Intelligent Power Protector Main

More information

CA Identity Manager. Installation Guide (WebLogic) r12.5 SP8

CA Identity Manager. Installation Guide (WebLogic) r12.5 SP8 CA Identity Manager Installation Guide (WebLogic) r12.5 SP8 This documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

Symantec Mail Security for Microsoft Exchange

Symantec Mail Security for Microsoft Exchange Symantec Mail Security for Microsoft Exchange Getting Started Guide v7.0.2 Symantec Mail Security for Microsoft Exchange Getting Started Guide The software described in this book is furnished under a license

More information

Dell UPS Local Node Manager USER'S GUIDE EXTENSION FOR MICROSOFT VIRTUAL ARCHITECTURES Dellups.com

Dell UPS Local Node Manager USER'S GUIDE EXTENSION FOR MICROSOFT VIRTUAL ARCHITECTURES Dellups.com CHAPTER: Introduction Microsoft virtual architecture: Hyper-V 6.0 Manager Hyper-V Server (R1 & R2) Hyper-V Manager Hyper-V Server R1, Dell UPS Local Node Manager R2 Main Operating System: 2008Enterprise

More information

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual TIBCO Spotfire Web Player 6.0 Installation and Configuration Manual Revision date: 12 November 2013 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED

More information

TIBCO Spotfire Automation Services 6.5. Installation and Deployment Manual

TIBCO Spotfire Automation Services 6.5. Installation and Deployment Manual TIBCO Spotfire Automation Services 6.5 Installation and Deployment Manual Revision date: 17 April 2014 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED

More information

Symantec Mail Security for Microsoft Exchange

Symantec Mail Security for Microsoft Exchange Symantec Mail Security for Microsoft Exchange Getting Started Guide v7.0 Symantec Mail Security for Microsoft Exchange Getting Started Guide The software described in this book is furnished under a license

More information

Connection Broker Managing User Connections to Workstations, Blades, VDI, and More. Quick Start with Microsoft Hyper-V

Connection Broker Managing User Connections to Workstations, Blades, VDI, and More. Quick Start with Microsoft Hyper-V Connection Broker Managing User Connections to Workstations, Blades, VDI, and More Quick Start with Microsoft Hyper-V Version 8.1 October 21, 2015 Contacting Leostream Leostream Corporation http://www.leostream.com

More information

Installation Guide. SAP Control Center 3.3

Installation Guide. SAP Control Center 3.3 Installation Guide SAP Control Center 3.3 DOCUMENT ID: DC01002-01-0330-01 LAST REVISED: November 2013 Copyright 2013 by SAP AG or an SAP affiliate company. All rights reserved. No part of this publication

More information

Symantec Event Collector for Kiwi Syslog Daemon version 3.7 Quick Reference

Symantec Event Collector for Kiwi Syslog Daemon version 3.7 Quick Reference Symantec Event Collector for Kiwi Syslog Daemon version 3.7 Quick Reference Symantec Event Collector for Kiwi Syslog Daemon Quick Reference The software described in this book is furnished under a license

More information

24x7 Scheduler Multi-platform Edition 5.2

24x7 Scheduler Multi-platform Edition 5.2 24x7 Scheduler Multi-platform Edition 5.2 Installing and Using 24x7 Web-Based Management Console with Apache Tomcat web server Copyright SoftTree Technologies, Inc. 2004-2014 All rights reserved Table

More information

HP Operations Manager Software for Windows Integration Guide

HP Operations Manager Software for Windows Integration Guide HP Operations Manager Software for Windows Integration Guide This guide documents the facilities to integrate EnterpriseSCHEDULE into HP Operations Manager Software for Windows (formerly known as HP OpenView

More information

SAP Business Intelligence Suite Patch 10.x Update Guide

SAP Business Intelligence Suite Patch 10.x Update Guide SAP BusinessObjects Business Intelligence Suite Document Version: 4.0 Support Package 10-2014-07-25 SAP Business Intelligence Suite Patch 10.x Update Guide Table of Contents 1 Introduction.... 3 1.1 About

More information

Citrix Systems, Inc.

Citrix Systems, Inc. Citrix Password Manager Quick Deployment Guide Install and Use Password Manager on Presentation Server in Under Two Hours Citrix Systems, Inc. Notice The information in this publication is subject to change

More information

CimTrak Integrity & Compliance Suite 2.0.6.19

CimTrak Integrity & Compliance Suite 2.0.6.19 CimTrak Integrity & Compliance Suite 2.0.6.19 Master Repository Management Console App Server File System Agent Network Device Agent Command Line Utility Ping Utility Proxy Utility FTP Repository Interface

More information

Metalogix SharePoint Backup. Advanced Installation Guide. Publication Date: August 24, 2015

Metalogix SharePoint Backup. Advanced Installation Guide. Publication Date: August 24, 2015 Metalogix SharePoint Backup Publication Date: August 24, 2015 All Rights Reserved. This software is protected by copyright law and international treaties. Unauthorized reproduction or distribution of this

More information