trademarks or registered trademarks of Symantec Corporation or its affiliates in
the U.S. and other countries. Other names may be trademarks of their respective
owners.
This Symantec product may contain third party software for which Symantec is
required to provide attribution to the third party (“Third Party Programs”).
Some of the Third Party Programs are available under open source or free
software licenses. The License Agreement accompanying the Software does not
alter any rights or obligations you may have under those open source or free
software licenses. Please see the Third Party Legal Notice file accompanying this
Symantec product for more information on the Third Party Programs.
The product described in this document is distributed under licenses restricting
its use, copying, distribution, and decompilation/reverse engineering. No part of
this document may be reproduced in any form by any means without prior
written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED
CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE
EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.
SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR
CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,
PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION
CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT
NOTICE.
The Licensed Software and Documentation are deemed to be commercial
computer software as defined in FAR 12.212 and subject to restricted rights as
defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted
Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or
Commercial Computer Software Documentation", as applicable, and any
successor regulations. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation
by the U.S. Government shall be solely in accordance with the terms of this
Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Technical Support
Symantec Technical Support maintains support centers globally. Technical
Support’s primary role is to respond to specific queries about product features
and functionality. The Technical Support group also creates content for our
online Knowledge Base. The Technical Support group works collaboratively with
the other functional areas within Symantec to answer your questions in a timely
fashion. For example, the Technical Support group works with Product
Engineering and Symantec Security Response to provide alerting services and
virus definition updates.
Symantec’s maintenance offerings include the following:
■ A range of support options that give you the flexibility to select the right
amount of service for any size organization
■ Telephone and Web-based support that provides rapid response and
up-to-the-minute information
■ Upgrade assurance that delivers automatic software upgrade protection
■ Global support that is available 24 hours a day, 7 days a week
■ Advanced features, including Account Management Services
For information about Symantec’s Maintenance Programs, you can visit our
Web site at the following URL:
www.symantec.com/techsupp
Contacting Technical Support
Customers with a current maintenance agreement may access Technical
Support information at the following URL:
Before contacting Technical Support, make sure you have satisfied the system
requirements that are listed in your product documentation. Also, you should be
at the computer on which the problem occurred, in case it is necessary to
replicate the problem.
When you contact Technical Support, please have the following information
available:
■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our
technical support Web page at the following URL:
www.symantec.com/techsupp
Customer service
Customer service information is available at the following URL:
www.symantec.com/techsupp
Customer Service is available to assist with the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and maintenance contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs or manuals
Documentation feedback
Your feedback on product documentation is important to us. Send suggestions
for improvements and reports on errors or omissions to
clustering_docs@symantec.com.
Include the title and document version (located on the second page), and chapter
and section titles of the text on which you are reporting.
Maintenance agreement resources
If you want to contact Symantec regarding an existing maintenance agreement,
please contact the maintenance agreement administration team for your region
as follows:
Asia-Pacific and Japan: customercare_apac@symantec.com
Europe, Middle-East, and Africa: semea@symantec.com
North America and Latin America: supportsolutions@symantec.com
Additional enterprise services
Symantec offers a comprehensive set of services that allow you to maximize
your investment in Symantec products and to develop your knowledge,
expertise, and global insight, which enable you to manage your business risks
proactively.
Enterprise services that are available include the following:
Symantec Early Warning Solutions: These solutions provide early warning of
cyber attacks, comprehensive threat analysis, and countermeasures to prevent
attacks before they occur.
Managed Security Services: These services remove the burden of managing and
monitoring security devices and events, ensuring rapid response to real
threats.
Consulting Services: Symantec Consulting Services provide on-site technical
expertise from Symantec and its trusted partners. Symantec Consulting
Services offer a variety of prepackaged and customizable options that include
assessment, design, implementation, monitoring, and management capabilities.
Each is focused on establishing and maintaining the integrity and
availability of your IT resources.
Educational Services: Educational Services provide a full array of technical
training, security education, security certification, and awareness
communication programs.
To access more information about Enterprise services, please visit our Web site
at the following URL:
www.symantec.com
Select your country or language from the site index.
Contents
Chapter 1 Getting ready to install VCS One
About installing VCS One
Installing the VCS One agents
Getting your VCS One licenses
Setting up the Policy Master cluster hardware
Opening the required ports
About the Symantec Product Authentication Service
Configuring ssh, rsh, or remsh before installing
About installing VCS One
Installing Veritas Cluster Server (VCS) One involves the following procedures:
■ Setting up the hardware for the Policy Master cluster
■ Setting up the network communications among systems
■ Setting up Symantec Product Authentication Service (AT)
■ Configuring shared storage
■ Creating the disk group and file system for VCS One Policy Master database
■ Installing the VCS One Policy Master and verifying the installation
■ Connecting the VCS One client systems to the Policy Master cluster using
the public network
■ Installing the VCS One client software on the client systems
■ Installing the agents
■ Installing the Simulator (optional)
■ Testing shared storage devices and coordinator disks for compliance with
SCSI-3 persistent reservations
■ Configuring I/O Fencing (optional, but recommended)
Installing the VCS One agents
In addition to the agents that are bundled with the product, VCS One provides
agents for the management of key enterprise applications. Typically, agents
start, stop, and monitor resources and report state changes. The high
availability agents are located on the Veritas High Availability Agent Pack
software disc that is included with VCS One. The Agent Pack disc contains the
currently shipping agents and is released quarterly to add new agents. See the
following documentation available on the Agent Pack disc:
■ For an overview of the supported high availability agents, read the Veritas
High Availability Agent Pack Getting Started Guide.
■ For installation instructions, read the agent installation and configuration
guides.
Getting your VCS One licenses
VCS One is a licensed product.
Table 1-1 lists the VCS One license types.
Table 1-1 VCS One license types
VCS One license type | Description
Demo | A demo license that lets you use the product for 30 days for evaluation purposes only. After 12 months, the product auto-disables high availability (HA) for the Policy Master and significantly reduces functionality.
NFR | A not-for-resale license, limited to one year. Symantec partners and customers use this license for stack certification and testing. After 12 months, the product auto-disables high availability (HA) for the Policy Master and significantly reduces functionality.
Permanent | A permanent license.
Regardless of the license type, the VCS One functional modes are described in
Table 1-2.
Table 1-2 VCS One functional modes
VCS One functional modes | Features
VCS One HA | VCS One with all features enabled
VCS One Start | VCS One with all features enabled except:
■ Auto-failover
■ Priority-based application availability
VCS One Start lets you manually start, stop,
and move applications.
Note: If you choose VCS One Start, you must set the GrpFaultPolicy and
NodeFaultPolicy attributes to NoFailover when you create a service group. For
information about how to set these attributes when you create a service group,
see the Veritas Cluster Server One User’s Guide.
Setting up the Policy Master cluster hardware
The Policy Master manages the VCS One cluster. You must set up a Policy
Master cluster with two systems to ensure high availability for the Policy
Master. Each system in the Policy Master cluster is connected to shared storage
and dedicated network links. Follow the instructions in this section to acquire
and set up the hardware that is needed to run the Policy Master cluster.
To set up the Policy Master cluster hardware
1 Select two to four Solaris or Linux systems with the following capabilities:
■ At least 2 gigabytes of physical memory
■ At least one network interface for private communication between the
Policy Master cluster systems; two links are desirable.
■ At least one network link between the Policy Master and the VCS One
client systems. Two links are preferable.
2 Choose a storage architecture for the Policy Master configuration data.
See “Configuring your storage architecture” on page 51.
If you use Storage Foundation, select a storage device for the Policy Master
configuration database. The device is shared between the two systems and
should support SCSI-3 persistent reservations.
For information on how to connect and configure the storage at the
appropriate time, see: “Adding storage devices” on page 98.
3 Connect the TCP/IP network to the client systems.
4 Use the ping utility to test the network connections.
Opening the required ports
Before you install the VCS One Policy Master or client on Linux, you must open
the ports that are specified in Table 1-3.
Table 1-3 VCS One required ports
Host system | VCS One components | Port to open on host system | Outbound/inbound port
Policy Master system | Policy Master | 14151 | Inbound
Policy Master system | Policy Master database | 14157 (Not modifiable) | Inbound and outbound from the Policy Master
Policy Master system | Web server | 14171 (secure) | Inbound
Policy Master system | Web server admin port | 14172 | Inbound
Policy Master system | Authentication server | 14159 |
Client system | Client | 14154 | Inbound for messages
Client system | Client | 14151 | Outbound for messages to the Policy Master
Simulator system | Simulator | 14156 | Inbound
Root broker on a private branch exchange (PBX) system | Symantec Product Authentication (AT) Service | 1556 |
Note: If you upgrade from VCS One 2.0.1 to VCS One 5.0, the default port
number for the authentication broker is 2821.
To open the required ports on Linux
1 Log on as a user who has the privileges to change the firewall configuration.
2 Set up the table of IP packet filter rules for each of the ports you want to
open. Enter the following:
iptables -I INPUT -p tcp --dport port -j ACCEPT
iptables -I OUTPUT -p tcp --dport port -j ACCEPT
Where port is the port number. Specify INPUT for an inbound port, and
OUTPUT for an outbound port. For example, the commands to open the
required ports for the VCS One client on Linux are:
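The following script is an added example, not part of the Symantec guide. It prints the iptables commands for one VCS One role, using the command form above and the ports that Table 1-3 marks as inbound or outbound, and can limit each rule to a single peer address. The role names, function names, and the peer argument are assumptions made for this example.

```sh
#!/bin/sh
# Added example: print (do not run) the iptables commands for one VCS One role.
# Ports are transcribed from Table 1-3 of this guide; only rows with an
# explicit Inbound or Outbound direction are listed. Check them against the
# table for your release before applying anything.

# vcsone_ports ROLE: print one "CHAIN PORT" pair per line.
vcsone_ports() {
    case "$1" in
        client)
            echo "INPUT 14154"     # inbound for messages
            echo "OUTPUT 14151"    # outbound for messages to the Policy Master
            ;;
        simulator)
            echo "INPUT 14156"
            ;;
        policymaster)
            echo "INPUT 14151"     # Policy Master
            echo "INPUT 14171"     # Web server (secure)
            echo "INPUT 14172"     # Web server admin port
            ;;
        *)
            echo "unknown role: $1" >&2
            return 1
            ;;
    esac
}

# vcsone_rules ROLE [PEER]: print one iptables command per port.
# PEER (hypothetical argument: an address or CIDR block) narrows each rule to
# that peer, -s for INPUT and -d for OUTPUT, instead of accepting the port
# from or to any address.
vcsone_rules() {
    role=$1
    peer=${2:-}
    ports=$(vcsone_ports "$role") || return 1
    echo "$ports" | while read -r chain port; do
        match=""
        if [ -n "$peer" ]; then
            if [ "$chain" = "INPUT" ]; then
                match=" -s $peer"
            else
                match=" -d $peer"
            fi
        fi
        echo "iptables -I $chain -p tcp$match --dport $port -j ACCEPT"
    done
}

# Stand-alone use: sh vcsone_rules.sh client 192.0.2.10
if [ "$#" -gt 0 ]; then vcsone_rules "$@"; fi
```

Review the printed commands, then run them as the privileged user from step 1.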
“Logging on and mounting the product disc” on page 22.
2 Determine the block device file for the DVD drive. Enter the following:
# ioscan -fnC disk
3 Make a note of the device file as it applies to your system.
4 Create a directory in which to mount the software disc and mount the disc
using the appropriate drive name. For example, enter the following:
# mkdir -p /dvdrom
# /usr/sbin/mount -F cdfs /dev/dsk/c3t2d0 /dvdrom
5 Verify that the disc is mounted. Enter the following:
# mount
Running the prechecks
You can run installation prechecks on the installer utility menu or from the
command line. The installation precheck utility performs preinstallation checks
on the systems you specify.
If there is an error, the utility provides error details. For example, you might see
an error saying that your server is running on a platform that VCS One does not
support. If that happens, check the Veritas Cluster Server One Release Notes for
information about supported platforms.
Running the prechecks from the installer menu
To run the prechecks from the installer menu, navigate to the directory that
contains the product installer and follow these steps.
To run the prechecks on the installer menu
1 Go to the directory for your platform. Enter the following:
■ On Solaris (10 SPARC 64-bit), enter the following:
# cd /cdrom/cdrom0/sol_sparc
■ On Linux (RHEL 5 x86_64), enter the following:
# cd /mnt/cdrom/rhel5_x86_64
2 From the software disc, start the installer. Enter the following:
./installer
3 From the installer menu, perform a preinstallation check. Press P.
Running the prechecks from the command line
To run the prechecks from the command line, navigate to the directory that
contains the product installer and follow these steps.
Note that running installvcsonepm or installvcsonecd -precheck
from /opt/VRTS/install does not work. Run it from the software disc as
indicated.
To run the prechecks from the command line
1 Go to the cluster_server_one directory. Enter the following:
cd cluster_server_one
2 Enter the Policy Master installation command with the -precheck option,
specifying the systems on which to install. Enter the following:
./installvcsonepm -precheck sysA
3 Enter the client installation command with the -precheck option,
specifying the systems on which to install. Enter the following:
./installvcsonecd -precheck sysB sysC sysD
About the Symantec Product Authentication Service
Symantec Product Authentication Service provides a hierarchy of brokers that
issue credentials. These brokers allow trusted communications between users
and processes on the Policy Master systems and client systems. All VCS One
environments require the Symantec Product Authentication Service for trusted
communications. The Symantec Product Authentication Service is installed
when you install VCS One.
VCS One uses an embedded broker model where the root broker and
authentication broker are always running on the active Policy Master system.
The Symantec Product Authentication Service issues credentials to the Policy
Master, the VCS One client processes, and all users in the VCS One cluster.
Symantec Product Authentication Service supports third-party private domain
repositories, such as LDAP and Active Directory.
For information on setting up authentication with third-party private domain
repositories, see Chapter 7, “Setting up authentication plug-ins for VCS One” on
page 83.
Removing earlier versions of the Symantec Product Authentication
Service
If you have an earlier version of the Symantec Product Authentication Service
installed, you must remove it before installing VCS One. The Symantec Product
Authentication Service is installed when you install VCS One.
On your Policy Master and client systems, remove all VRTSatclient and
VRTSatserver packages, including credentials and the /var/VRTSat and
/var/VRTSat_lhc directories, before installing VCS One. Before removing
them, ensure that they are not in use by other products.
Configuring ssh, rsh, or remsh before installing
You can install VCS One on remote systems using either secure shell (ssh) or
remote shell (rsh). You can use remsh (for client installations on HP-UX only).
Symantec recommends using ssh.
Configuring ssh
The ssh program lets you log on to a remote system and execute commands on
it. It enables encrypted communications and an authentication process between
two untrusted hosts over an insecure network. The ssh program is the preferred
method of remote communication because it is more secure than the rsh suite of
protocols. Symantec recommends configuring a secure shell environment
before installing VCS One and other Veritas products by Symantec. The
following is an example ssh setup procedure.
Before you enable ssh, read the ssh documentation and online manual pages. If
you have questions or issues about your ssh configuration, contact your
operating system support provider. For access to online manuals and other
resources, visit the OpenSSH Web site at:
http://openssh.org
To configure ssh
1 Log on as root on the system where you plan to run the installation.
2 Navigate to the root directory. Enter the following:
cd /
3 Generate a DSA key pair. Enter the following:
ssh-keygen -t dsa
4 At the prompt, press Enter to accept the default location of /.ssh/id_dsa.
Typically, this location is the following:
■ For AIX, HP-UX, and Solaris:
/.ssh/id_dsa
■ For Linux:
/root/.ssh/id_dsa
5 At the passphrase prompt, do not enter one. Press Enter.
6 Press Enter again.
7 Ensure that the /.ssh directory is on all target installation systems. Go to
the root directory and enter the following:
ls /.ssh/
If you do not see the /.ssh directory, you must create it on all the target
systems and set the write permission to root only. Enter the following:
cd /
mkdir /.ssh
8 Change the permissions of the /.ssh directory. Do one of the following:
■ For AIX, HP-UX, and Solaris, enter the following:
chmod 700 /.ssh
■ For Linux, enter the following:
chmod 700 /root/.ssh
9 Append the public key from the source system to the authorized_keys file on
the target system, using secure file transfer. Do the following, in this order:
■ Make sure the secure file transfer program (SFTP) is enabled on the
target installation systems.
To enable SFTP, the /etc/ssh/sshd_config file must contain the
10 Verify that you can connect to the target system. On the source system,
enter the following:
ssh target_system uname -a
The command should execute from the source system to the target system
without the system requesting a passphrase or password.
11 Repeat step 10 on each target system.
Restoring the password requirement between systems
If you configure ssh to enable passwordless communications between systems
during an installation, you can restore the password requirement when the
installation is finished.
For instructions, see the section appropriate to your operating system:
■ “Restoring the password requirement between AIX, HP-UX, and Solaris
systems”
■ “Restoring the password requirement between Linux systems”
Restoring the password requirement between AIX, HP-UX,
and Solaris systems
To restore the password requirement between AIX, HP-UX, and Solaris
systems
◆ Remove the id_dsa.pub.hostname entry you appended to the file
/.ssh/authorized_keys on all systems where you added it.
Restoring the password requirement between Linux systems
To restore the password requirement between Linux systems
◆ Remove the id_dsa.pub.hostname entry you appended to the file
/root/.ssh/authorized_keys2 on all systems where you added it.
Configuring rsh or remsh
The rsh (remote shell) program lets you log on to and execute commands on a
remote system. The remote system on which the rsh executes the command
must be running the rsh daemon.
The rsh program is not secure for network use, because it sends unencrypted
information over the network. The ssh program is the preferred method of
remote communication because it is more secure than the rsh suite of protocols.
See “Configuring ssh” on page 26.
If you run rsh with the basename “remsh,” rsh checks for the file
/usr/bin/remsh. If this file exists, rsh uses remsh as an alias for rsh. If
/usr/bin/remsh does not exist, rsh uses remsh as a host name.
Before you enable rsh, read the rsh documentation and online manual pages. If
you have questions or issues about your rsh configuration, see the operating
system documentation.
Configuring rsh on Solaris
To configure rsh on Solaris
1 Determine the rsh/rlogin status. Do one of the following:
■ On Solaris 10, enter the following:
inetadm | grep -i login
If the service is enabled, the following line is displayed:
enabled online svc:/network/login:rlogin
If the service is disabled, the following line is displayed:
disabled disabled svc:/network/login:rlogin
■ On Solaris 9, enter the following:
cat /etc/inet/inetd.conf | grep rsh
The inetadm command does not work on Solaris 9.
If the service is enabled, the following information is displayed:
The command should return “Symantec.” If it does not, there is an issue
with rsh-setup.
Modifying the .rhosts file on Solaris
A separate .rhosts file is in the $HOME directory of each user. You must modify
the .rhosts file for each user who remotely accesses the system using rsh.
Make sure that each line of the .rhosts file contains a fully-qualified domain
name or IP address for each remote system having access to the local system.
For example, if the root user must remotely access system1 from system2, you
must add an entry for system2.companyname.com in the .rhosts file on
system1.
To modify the .rhosts file on Solaris
1 Enter the following:
echo "system2.companyname.com" >> $HOME/.rhosts
2 To ensure security, delete the .rhosts file from each user’s $HOME directory.
Enter the following:
rm -f $HOME/.rhosts
Configuring rsh on Linux
To configure rsh on Linux
1 Make sure the rsh and rsh-server packages are installed. Enter the following:
rpm -qa | grep rsh
2 If it is not already in the file, enter the following command to append the
line “rsh” to the /etc/securetty file. Enter the following:
echo "rsh" >> /etc/securetty
3 In the /etc/pam.d/rsh file for the pam_rhosts_auth.so entry, change the
“auth” type from “required” to “sufficient.”
auth sufficient pam_rhosts_auth.so
4 Enable the rsh server. Enter the following:
chkconfig rsh on
5 Verify that rsh is set up correctly. Enter the following:
The command should return “Symantec.” If it does not, there is an issue
with rsh-setup.
Modifying the .rhosts file on Linux
A separate .rhosts file is in the $HOME directory of each user. You must modify
the .rhosts file for each user who remotely accesses the system using rsh.
Make sure that each line of the .rhosts file contains a fully-qualified domain
name or IP address for each remote system having access to the local system.
For example, if the root user must remotely access system1 from system2, you
must add an entry for system2.companyname.com in the .rhosts file on
system1.
To modify the .rhosts file on Linux
1 Enter the following:
echo "system2.companyname.com" >> $HOME/.rhosts
2 Remove the “rsh” entry in the /etc/securetty file.
3 Disable the rsh server. Enter the following:
chkconfig rsh off
4 To ensure security, delete the .rhosts file from each user’s $HOME directory.
Enter the following:
rm -f $HOME/.rhosts
Configuring remsh on HP-UX
Remote shell (remsh) functionality is enabled automatically after installing an
HP-UX system.
Modifying the .rhosts file on HP-UX
A separate .rhosts file is in the $HOME directory of each user. You must modify
the .rhosts file for each user who remotely accesses the system using remsh.
Make sure that each line of the .rhosts file contains a fully-qualified domain
name or IP address for each remote system having access to the local system.
For example, if the root user must remotely access system1 from system2, you
must add an entry for system2.companyname.com in the .rhosts file on
system1.
To modify the .rhosts file on HP-UX
1 Enter the following:
echo "system2.companyname.com" >> $HOME/.rhosts
2 To ensure security, delete the .rhosts file from each user’s $HOME
directory. Enter the following:
rm -f $HOME/.rhosts
For more information on configuring remsh, see the operating system
documentation and the remsh(1M) manual page.
Configuring rsh on AIX
To configure rsh on AIX
1 Enable rsh. Create a /.rhosts file on each target system. Add a line to the
file specifying the full domain name of the source system. For example, add
the following line:
sysname.domainname.com root
2 Change permissions on the /.rhosts file to 600. Enter the following:
chmod 600 /.rhosts
3 Verify that rsh is set up correctly. Enter the following:
The command should return “Symantec.” If it does not, there is an issue
with rsh-setup.
4 To ensure security, delete the /.rhosts file from each target system. Enter
the following:
rm -f /.rhosts
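The script below is an added example, not part of the Symantec guide. It covers the cleanup steps in “Restoring the password requirement between systems” and in the rsh and remsh sections above: it removes one public key from an authorized_keys file and reports leftover DSA keys, .rhosts files, and an “rsh” line in securetty. The function names, finding labels, and demo data are assumptions constructed for this example.

```sh
#!/bin/sh
# Added example: confirm that temporary installer trust was removed.
# All paths are arguments so the functions can be tried on copies first.

# key_blob PUBKEY_FILE: print the base64 key field of a one-line public key.
key_blob() {
    awk 'NF >= 2 { print $2; exit }' "$1"
}

# has_key AUTH_FILE PUBKEY_FILE: succeed if that key is still authorized.
# The blob is compared field by field, so entries that carry leading
# options (from=..., command=...) are matched as well.
has_key() {
    [ -f "$1" ] || return 1
    blob=$(key_blob "$2")
    [ -n "$blob" ] || return 2
    awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) hit = 1 }
        END { exit !hit }' "$1"
}

# remove_key AUTH_FILE PUBKEY_FILE: rewrite AUTH_FILE without that key,
# leaving every other entry in place.
remove_key() {
    blob=$(key_blob "$2")
    [ -n "$blob" ] || return 2
    tmp=$(mktemp "$1.XXXXXX") || return 1
    awk -v b="$blob" '{ keep = 1
        for (i = 1; i <= NF; i++) if ($i == b) keep = 0
        if (keep) print }' "$1" > "$tmp"
    chmod 600 "$tmp" && mv "$tmp" "$1"
}

# audit_trust ROOT_HOME [SECURETTY]: print one finding per line; no output
# means none of the leftovers below were found.
audit_trust() {
    home=$1
    securetty=${2:-/etc/securetty}
    for f in "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
        [ -f "$f" ] || continue
        n=$(grep -c 'ssh-dss ' "$f" || true)
        if [ "$n" -gt 0 ]; then echo "DSA_KEY $f $n"; fi
    done
    if [ -f "$home/.rhosts" ]; then echo "RHOSTS $home/.rhosts"; fi
    if [ -f "$securetty" ] && grep -qx 'rsh' "$securetty"; then
        echo "SECURETTY_RSH $securetty"
    fi
    return 0
}

# demo: run the checks on constructed sample files in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/.ssh"
    echo 'ssh-dss AAAAB3NzaC1kc3MAAACBCONSTRUCTED root@source' > "$d/id_dsa.pub"
    { echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADCONSTRUCTED admin@ops'
      cat "$d/id_dsa.pub"; } > "$d/.ssh/authorized_keys"
    echo 'source.example.com root' > "$d/.rhosts"
    audit_trust "$d" "$d/no-securetty"     # reports DSA_KEY and RHOSTS
    remove_key "$d/.ssh/authorized_keys" "$d/id_dsa.pub"
    rm -f "$d/.rhosts"
    audit_trust "$d" "$d/no-securetty"     # prints nothing once clean
    rm -rf "$d"
}

# Stand-alone use: "demo", or a root home directory such as / or /root.
case "${1:-}" in
    demo) demo ;;
    "") ;;
    *) audit_trust "$@" ;;
esac
```

Run it with / as the argument on AIX, HP-UX, and Solaris and with /root on Linux, matching the key locations given in the ssh procedure.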
Chapter 2
Installing and configuring the VCS One Policy Master
This chapter includes the following topics:
■ Before you install the Policy Master
■ Installing the Policy Master
■ Configuring the Policy Master
■ After you install the Policy Master
Before you install the Policy Master
For all platforms, you must perform the necessary preinstallation tasks.
See Chapter 1, “Getting ready to install VCS One”.
Before you install on Linux, you must enable the required ports.
See “Opening the required ports” on page 21.
Installing patches
Before you install the Policy Master, install the required operating system
patches. See the Veritas Cluster Server One Release Notes for the required
operating systems patches.
Preparing your network on Solaris
Before you configure the Policy Master on Solaris, you must configure your IP
addresses and NICs for a Solaris Policy Master installation. You must also
preserve the configuration across reboots.
Configuring your IP addresses and NICs for Solaris
To begin configuring your IP addresses and NICs for Solaris, connect to the
Policy Master system through the console.
To configure your IP addresses and NICs for Solaris
1 Configure test IP address on the base of each NIC. Do not use the addif
where pm_nic is the Policy Master NIC, test_ip is the IP address for that
NIC (and the IP address that you use to test your network connection), and
netmask is your Policy Master netmask.
2 If you need additional IP addresses on the Policy Master NIC, such as host IP
addresses, you can plumb the other IP addresses. Enter the following:
# ifconfig pm_nic addif additional_ip netmask netmask up
where pm_nic is the Policy Master NIC, and additional_ip is any
additional IP address you need to plumb, and netmask is your Policy
Master netmask.
Preserving the configuration across reboots
To preserve your configuration across reboots
1 Save your test IP address on the base of each NIC. Do not use the addif
command. Enter the following at the beginning of the
/etc/hostname.pm_nic file:
test_ip netmask netmask broadcast + deprecated -failover up \
where pm_nic is the Policy Master NIC, test_ip is the IP address for that
NIC (and the IP address that you use to test your network connection), and
netmask is your Policy Master netmask.
2 If you need additional IP addresses on the Policy Master NIC, such as host IP
addresses, you can plumb the other IP addresses. Enter the following lines in
the /etc/hostname.pm_nic file, after the line you entered in step 1:
addif additional_ip netmask netmask broadcast + up
where pm_nic is the Policy Master NIC, additional_ip is any additional
IP address you need to plumb, and netmask is your Policy Master netmask.
Preparing your network on Linux
On Linux, if the incorrect netmask is used to plumb the Base IP address, the
network may not work. Symantec recommends using MultiNICA Performance
Mode in the Policy Master service group (PMSG). MultiNICA Performance Mode
requires a unique Base IP address with the correct Netmask addresses plumbed
on the required NICs.
See the Veritas Cluster Server One Bundled Agents Reference Guide for
information about MultiNICA Performance Mode.
Preparing Policy Master cluster information
Before you install the Policy Master software, have the following information
ready:
■Names of the systems to install the Policy Master software
Make sure that you can ping each system name from each of the Policy
Master systems.
If the Policy Master systems are in the same time zone, clock times on each
system must be within 30 minutes of one another. If the clock times are
more than 30 minutes apart, the installation may fail. Use the ntpdate
command to synchronize clock times.
■A unique name for the Policy Master cluster, such as vcsonepm_cluster.
Page 38
38 Installing and configuring the VCS One Policy Master
Before you install the Policy Master
The name can be up to 128 characters long, and must start with an
alphanumeric character. It can only contain the following characters: A-Z,
a-z, 0-9, ‘_’ and ‘-’. The name cannot contain the following reserved words:
“cluster,” “system,” “group,” “resource,” and “type.”
■ A numerical ID for the Policy Master cluster (a number from 0 - 65535). For
example: 11.
If your configuration has multiple Policy Master clusters (including VCS
clusters), each ID must be unique.
In a configuration that has only one Policy Master system, you do not need
to provide a numerical ID.
■ Names of two or more private NICs on each system.
In a configuration that has only one Policy Master system, you do not need
to provide any private NIC information.
■ A port number for the authentication service (a number from 0 - 65536). The
port must not be a port on which other applications listen.
Instead of providing an authentication service port number, you can use the
default port (14159).
■ One or more virtual IP addresses for the systems in the Policy Master
cluster.
Note: In a Policy Master cluster system, the virtual and physical IP
addresses must be different.
■ Netmasks that the virtual IP addresses use.
■ Public NICs on each Policy Master system.
■ Base IP addresses on each of the public NICs.
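The naming, ID, port, clock and IP address rules in the list above can be checked before the installer is launched. The following shell script is an added example, not part of VCS One or of this guide; its function names and the sample physical addresses are hypothetical. It assumes that a reserved word is rejected only when it is the whole cluster name, because the guide's own example (vcsonepm_cluster) contains "cluster".

```shell
#!/bin/sh
# Pre-flight checks for values the Policy Master installer prompts for.
# Added example: function names are hypothetical, not VCS One commands.
LC_ALL=C; export LC_ALL   # keep ranges such as A-Z plain ASCII

# is_uint VALUE MAXDIGITS: decimal digits only, no leading zeros.
is_uint() {
    case $1 in
        ''|*[!0-9]*|0?*) return 1 ;;
    esac
    [ "${#1}" -le "$2" ]
}

# Cluster name: 1-128 characters, starts with an alphanumeric character,
# contains only A-Z a-z 0-9 _ and -.
# Assumption: reserved words are rejected only as the entire name,
# compared without regard to case.
valid_cluster_name() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 128 ] || return 1
    case $name in
        [!A-Za-z0-9]*) return 1 ;;      # first character not alphanumeric
        *[!A-Za-z0-9_-]*) return 1 ;;   # character outside the allowed set
    esac
    lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
    case $lower in
        cluster|system|group|resource|type) return 1 ;;
    esac
    return 0
}

# Cluster ID: a number from 0 to 65535.
valid_cluster_id() {
    is_uint "$1" 5 && [ "$1" -le 65535 ]
}

# Authentication service port. The guide gives the range 0 - 65536; TCP
# port numbers are 16-bit and port 0 cannot be listened on, so this
# check accepts 1-65535 only.
valid_auth_port() {
    is_uint "$1" 5 && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Clock times must be within 30 minutes (1800 seconds) of one another.
# Arguments are two epoch timestamps, for example from `date +%s` run on
# each system.
clock_skew_ok() {
    is_uint "$1" 12 && is_uint "$2" 12 || return 1
    skew=$(( $1 - $2 ))
    [ "$skew" -ge 0 ] || skew=$(( 0 - skew ))
    [ "$skew" -le 1800 ]
}

# Virtual and physical IP addresses must be different.
# Arguments are two space-separated lists in the same dotted notation.
vips_distinct() {
    for v in $1; do
        for p in $2; do
            [ "$v" != "$p" ] || return 1
        done
    done
    return 0
}

# preflight NAME ID PORT "VIPS" "PHYSICAL_IPS": report every failed check.
preflight() {
    rc=0
    valid_cluster_name "$1" || { echo "bad cluster name: $1" >&2; rc=1; }
    valid_cluster_id "$2"   || { echo "bad cluster ID: $2" >&2; rc=1; }
    valid_auth_port "$3"    || { echo "bad authentication port: $3" >&2; rc=1; }
    vips_distinct "$4" "$5" || { echo "virtual IP reused as physical IP" >&2; rc=1; }
    return "$rc"
}

# Sample run. Name, ID, port and virtual IPs are the guide's examples;
# the physical IP addresses are constructed for illustration.
preflight vcsonepm_cluster 11 14159 \
    "192.168.1.20 192.168.1.21" "192.168.1.10 192.168.1.11" \
    && echo "pre-flight checks passed"
```

The check that no other application listens on the chosen port is left to the operator, because the right tool for listing listening sockets differs between Linux and Solaris.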
Preparing your storage architecture
Symantec recommends that you set up a storage architecture to store your
configuration data. You must configure shared storage in order for the Policy
Master to fail over from one system to another. Prepare the information that
VCS One requires to set up your storage architecture.
Preparing to install Veritas Storage Foundation
Before you install Storage Foundation, have the following system information
ready:
■ The name of the disk group to be created.
■ Names of one or more disks that are part of the disk group. Use short disk
names.
■ Name of the volume that needs to be created within the disk group.
■ Size of the volume that needs to be created. For example, 4400240 (number
of blocks), 2G, or 240M.
■ Mount point where the volume is mounted.
Preparing to configure NetApp filer
Before you install NetApp filer, have the following system information ready:
■ Mount point where the volume is mounted.
■ IP address or host name for the NetApp filer.
■ Access method for the NetApp filer (rsh, ssh, or api).
■ User name for accessing the NetApp filer.
■ Password for accessing the NetApp filer (for API access mode).
■ IP address or host name for the NIC connected to the NetApp filer for each
Policy Master system.
■ File system path or NetApp filer to be used to store the VCS One
configuration.
Note: The installer exports the NetApp volume and mounts the mount
point. If the mount point is already mounted, the installer prompts you
before unmounting it forcibly.
Preparing to configure other shared storage architectures
If you do not install Storage Foundation or NetApp filer when you install VCS
One, you can configure another storage architecture. For example, you can
configure local storage, or a customized shared storage architecture. Before you
configure your storage architecture, mount the shared storage on each system
and note the shared storage mount point. For example, /PM.
Preparing to configure disaster recovery
Disaster recovery uses global clustering to protect against the types of outages
that large-scale natural disasters cause. In such situations, VCS One global
clusters migrate applications to remote clusters located considerable distances
apart.
If you configure disaster recovery, VCS One monitors events between clusters.
Using disaster recovery, the global cluster is aware of the state of the service
groups in the global cluster at all times.
To configure disaster recovery, have the following information ready:
■ Two or more unique virtual IP addresses dedicated to disaster recovery. (If
you do not want to configure separate virtual IP addresses for disaster
recovery, you can use the Policy Master virtual IP addresses.)
■ If you configure additional virtual IP addresses, obtain the netmask for each
virtual IP address.
■ A NIC for each unique virtual IP address. (If your Policy Master is set up with
redundant NICs, you do not need a dedicated NIC for disaster recovery.)
Installing the Policy Master
The Veritas Cluster Server One (VCS One) Policy Master software is on the VCS
One software disc for the appropriate platform.
Note: This release of VCS One does not support installing the Policy Master on
Solaris with zones configured. On Solaris, you must install the Policy Master on
a system free of zones.
The VCS One installer installs the Policy Master and, optionally, Storage
Foundation. The installer also gives you the option to configure NetApp filer and
disaster recovery.
The installation procedures are in the following subsections:
■ “Launching the installer”
■ “Specifying the target system”
■ “Specifying whether to install Storage Foundation”
■ “Selecting a license type”
■ “Specifying when to configure the Policy Master”
Launching the installer
Launch the VCS One installer to install the Policy Master. You can configure the
Policy Master during the installation process, or you can come back and
configure it after the installation is complete.
To launch the VCS One installer
1 Log on as root on one of the Policy Master cluster systems.
2 On the VCS One software disc, change directories to the platform-specific
directory. Enter the following:
# cd platform
where platform is the platform-specific directory, such as RHEL5_x86_64
or sol_sparc.
3 On the software disc, start the installer script. Enter the following:
# ./installer
4 From the Task menu, select the following task:
Install/Upgrade a Product
5 From the list of products, select Veritas Cluster Server One by
Symantec - Policy Master.
6 Accept the End User License Agreement (EULA). At the EULA prompt, enter
the following: y.
The installer provides information about the installation and configuration.
7 Review the information on each page and press Enter to continue.
Specifying the target system
You must specify the name of the target system for each Policy Master system.
To specify the target system
1 At the system names prompt, enter the names of the systems on which you
want to install the VCS One Policy Master. Separate each name with a space.
Do not enter fully-qualified domain names or IP addresses. For example,
enter the following: sys1 sys2
Note: If you install the Policy Master on a single system, you only need to
enter one system name.
If you install the Policy Master on a single system, you see a prompt.
2 Do one of the following:
■ If you install the Policy Master on multiple systems, go to the next section,
“Specifying whether to install Storage Foundation.”
■ If you install the Policy Master on a single system, at the single node
confirmation prompt, enter y. Then go to the next section, “Specifying whether
to install Storage Foundation.”
Specifying whether to install Storage Foundation
You can optionally install and configure Storage Foundation to store the VCS
One Policy Master configuration database.
Note: On Solaris, VCS One supports Storage Foundation 5.0MP1 and above. On
Linux, VCS One does not support versions of Storage Foundation before Storage
Foundation 5.0 MP2.
Veritas Storage Foundation by Symantec includes Veritas File System by
Symantec (VxFS) and Veritas Volume Manager by Symantec (VxVM) with
varying feature levels.
Veritas File System is a high performance journaling file system that provides
easy management and quick-recovery for applications. Veritas File System
delivers scalable performance, continuous availability, increased I/O
throughput, and structural integrity.
Veritas Volume Manager removes the physical limitations of disk storage. With
Veritas Volume Manager, you can configure, share, and manage your storage
online. Managing storage online optimizes storage I/O performance without
interrupting data availability. Veritas Volume Manager also provides
easy-to-use, online storage management tools to reduce downtime.
To specify whether to install Storage Foundation
◆ Read the information and decide if you want to install and use Storage
Foundation to store the VCS One configuration. At the Storage Foundation
prompt, if you want to install Storage Foundation packages, enter y.
Selecting a license type
If you do not have a license installed, you must select a license type.
For more information on licensing, see Veritas Cluster Server One Release Notes.
To select a license type
◆ Do one of the following:
■ If the installer finds your license, you are not asked to select a license
type. Go to the next section, “Reviewing the package list.”
■ If you are asked to select a license type (demo, NFR, or permanent), type
the number corresponding to your license type. Then, go to the next
section, “Reviewing the package list.”
Reviewing the package list
The installer provides a list of packages to be installed.
To review the package list
◆ Read each page listing the packages to be installed and press Enter to
continue.
For a list of the packages, see Appendix F, “Required packages” on
page 203.
Specifying when to configure the Policy Master
On Linux, you must specify whether to configure the Policy Master right after
the installation, or complete the installation and configure the Policy Master
later.
On Solaris, if you do not install Storage Foundation, you must specify whether to
configure the Policy Master right after the installation. If you install Storage
Foundation on Solaris, you must reboot your machine and then proceed with the
configuration.
To specify when to configure the Policy Master
1 Do one of the following:
■ If you install the Policy Master on Linux, proceed to step 2.
■ If you install the Policy Master on Solaris, and you do not install Storage
Foundation, proceed to step 2.
■ If you install the Policy Master on Solaris, and install Storage Foundation (or
locally-mounted storage), reboot your system. After you reboot, go to the
next section: “Configuring the Policy Master.”
2 At the VCS One configuration readiness prompt, do one of the following:
■ To configure the Policy Master as part of the installation process, enter the
following: y. Go to the next section, “Configuring the Policy Master.”
■ To install Policy Master now, but configure it later, enter the following: n.
The installer installs the packages, and you can configure the Policy Master
later. When you are ready to configure, see the next section:
“Configuring the Policy Master.”
Configuring the Policy Master
During the configuration process, you configure your Policy Master cluster. The
installer also gives you the option to configure disaster recovery, and Storage
Foundation or NetApp.
The configuration procedures are in the following subsections:
■ “Starting the Policy Master configuration”
■ “Configuring the Policy Master cluster”
■ “Specifying the authentication services port number”
■ “Configuring virtual IP addresses for the Policy Master”
■ “Choosing a storage architecture to configure”
■ “Configuring disaster recovery”
■ “Configuring your storage architecture”
■ “Starting the Policy Master”
Starting the Policy Master configuration
If you have not yet started the Policy Master configuration, do so now.
To start the Policy Master configuration
1 Start the VCS One configuration. Enter the following:
# ./installvcsonepm -configure
2 Enter the names of the systems on which you want to configure the VCS One
Policy Master. Separate each name with a space. Do not enter fully-qualified
domain names or IP addresses. For example, enter the following: sys1 sys2
Configuring the Policy Master cluster
You must provide a host name for the Policy Master cluster. If you install the
Policy Master on two or more systems, you must also provide a numerical ID
number and configure heartbeat settings.
Naming the Policy Master cluster
You must specify a unique name to identify the Policy Master cluster.
To name the Policy Master cluster
◆ At the cluster name prompt, enter a unique name for the Policy Master
cluster. For example, enter the following: my_cluster.
Creating an ID for the Policy Master cluster
If you install the Policy Master on more than one system, you must create an ID
for the Policy Master cluster.
To create an ID for the Policy Master cluster
◆ At the cluster ID prompt, enter a unique ID from 0 to 65535. For example,
enter the following: 65000
Configuring the heartbeat settings
If you install the Policy Master on more than one system, you must designate at
least one NIC for a private heartbeat link. A private heartbeat link is a link that
sends status information between systems within the Policy Master cluster.
Private heartbeats are generated every half second.
You can optionally designate a NIC for a low-priority heartbeat link. Low
priority heartbeats are generated every second and do not send status
information. If none of the high-priority links work, low-priority links are
automatically promoted to high-priority links.
To configure the heartbeat settings
1 At the first heartbeat prompt, enter the NIC for the first private heartbeat
link on your VCS One cluster. For example, enter the following:
■ (On Linux) eth0
■ (On Solaris x64) bge0
Type y to confirm the NIC entry.
2 At the second heartbeat prompt, specify if you want to configure a second
private heartbeat link. Type y or n.
3 If you configure a second private heartbeat, enter the NIC. For example,
enter the following:
■ (On Linux) eth1
■ (On Solaris x64) bge1
Type y to confirm the NIC entry.
4 At the low priority heartbeat prompt, specify if you want to configure a low
priority heartbeat link. Type y or n.
5 If you configured a low priority heartbeat, enter the NIC. For example, enter
the following:
■ (On Linux) eth2
■ (On Solaris x64) bge2
Type y to confirm the NIC entry.
6 At the all systems prompt, specify if you want to use the same NICs for
private heartbeat links on all systems. Type y or n.
Specifying the authentication services port number
You must specify if you want to use the default port number for authentication
services.
To specify the authentication services port number
◆ At the authentication services port number prompt, do one of the following:
■ If you want to use the default port number (14159) for authentication
services, enter the following: y.
■ If you want to specify a different port number for authentication
services, enter the following: n. At the next prompt, enter the port
number you want to use. For example, enter the following: 14001.
Confirming the Policy Master cluster configuration
At the cluster configuration verification prompt, verify that the name, ID,
broker port, and NIC information is correct.
(The broker port is the authentication services port number you set in the
section “Specifying the authentication services port number.”)
To confirm the Policy Master cluster configuration
◆ At the Policy Master cluster configuration verification prompt, confirm that
the configuration information is correct. Enter y.
Configuring virtual IP addresses for the Policy Master
You must enter the NICs for the Policy Master virtual IP address. If you install
on Solaris, you must specify if you want to use the mpathd. You must also enter
the Policy Master virtual IP addresses and netmasks.
Entering the NICs for the Policy Master virtual IP address
To enter the NICs for the Policy Master virtual IP address
1 Enter the NIC for the Policy Master Virtual IP address to use on your system.
From the list of NIC devices that are discovered on your systems, select any
NIC that is up and running on a public network. For example, enter the
following:
■ (On Linux) eth0
■ (On Solaris x64) bge0
2 At the all nodes prompt, specify if you want to use the same NIC on all Policy
Master systems. Do one of the following:
■ To use the same NIC on all Policy Master systems, enter y.
■ To select your NICs one-by-one for each Policy Master system, enter n.
Specifying whether to use the mpathd (Solaris only)
If you install on Solaris, you must indicate if you want to use the mpathd that the
operating system provides.
To specify whether to use the mpathd
1 At the mpathd prompt, do one of the following:
■ If you want to use the mpathd, enter y.
Then go to step 2.
■ If you do not want to use the mpathd, enter n.
Then go to the next section, “Choosing a storage architecture to
configure.”
2 If you use the mpathd, enter its absolute path. For example, enter the
following:
/sbin/in.mpathd
Entering the Policy Master virtual IP addresses and netmasks
To enter the Policy Master virtual IP addresses and netmasks
1 Enter one or more Policy Master virtual IP addresses. For example, enter the
following: 192.168.1.20 192.168.1.21
2 Enter the netmasks for the virtual IP addresses you entered. Review the
information. For example, enter the following: 255.255.248.0.
3 At the Policy Master configuration verification prompt, confirm that the
virtual IP addresses, netmasks, and NICs are correct. Enter the following: y.
Choosing a storage architecture to configure
Symantec recommends that you use a shared storage architecture for storing
the configuration database. You can configure Storage Foundation if you are in
the process of installing Storage Foundation, or it is already on your system.
Otherwise, you can configure NetApp filer or another storage architecture.
To select and configure a storage architecture
1 At the Storage Architecture prompt, select the storage architecture you want
to configure.
2 See Table 2-1 for details on the remaining configuration tasks.
Table 2-1 VCS One configuration task details
To configure                          Complete these tasks
Storage Foundation as part of the     1 “Configuring disaster recovery” on page 48
installation and configuration        2 “Configuring Storage Foundation” on page 51
process                               3 “Starting the Policy Master” on page 54
Storage Foundation when it is         1 “Configuring Storage Foundation” on page 51
already installed on your system      2 “Configuring disaster recovery” on page 48
                                      3 “Starting the Policy Master” on page 54
NetApp filer, or another storage      1 “Configuring your storage architecture” on page 51
architecture                          2 “Configuring disaster recovery” on page 48
                                      3 “Starting the Policy Master” on page 54
Configuring disaster recovery
Follow the steps in this section to specify if you want to configure disaster
recovery.
For information about disaster recovery, see “Preparing to configure disaster
recovery” on page 39.
Deciding when to configure disaster recovery
You can configure disaster recovery during the VCS One installation and
configuration process, or you can configure it after installing and configuring
VCS One.
Specify when to configure disaster recovery
◆ At the VCS One disaster recovery configuration prompt, do one of the
following:
■ If you want to configure disaster recovery as part of the VCS One
installation and configuration process, enter the following: y.
Go to the next section, “Configuring disaster recovery as part of the
installation and configuration process.”
■ If you do not want to configure disaster recovery, or if you want to
configure disaster recovery after you install and configure VCS One, enter
the following: n.
To configure disaster recovery after you install the Policy Master, see the
section: “Configuring disaster recovery after you install VCS One” on page 50.
Configuring disaster recovery as part of the installation and
configuration process
Follow these steps to configure disaster recovery during the installation and
configuration process. To configure disaster recovery later, see:
“Configuring disaster recovery after you install VCS One” on page 50.
To configure disaster recovery
1 Enter one or more virtual IP addresses, separated by a space. For example,
enter the following:
192.168.1.15 192.168.1.16.
Symantec recommends dedicating two or more unique virtual IP addresses
to disaster recovery. If you dedicate fewer than two unique virtual IP
addresses to disaster recovery, you are prompted to specify if you want to
continue.
2 Do one of the following:
■ If you are prompted about continuing with fewer than two unique
virtual IP addresses, go to step 3.
■ If you are not prompted about continuing with fewer than two unique
virtual IP addresses, go to step 5.
3 Do one of the following:
■ To add more virtual IP addresses, enter the following: n. Go back to
step 1.
■ To continue with fewer than two unique virtual IP addresses, enter the
following: y. Go to step 4.
4 Do one of the following:
■ If the virtual IP address is already configured, and you see the
disaster recovery configuration verification prompt, skip to step 8.
■ If you do not see the disaster recovery configuration
verification prompt, go to step 5.
5 For each unique virtual IP address, enter the NIC. For example, enter the
following:
■ (On Linux) eth0
■ (On Solaris x64) bge0
You are prompted to specify if you want to use the same NIC for all Policy
Master systems.
6 At the all nodes prompt, do one of the following:
■ If you want to use the same NIC on all Policy Master systems, type y.
■ If you want to use different NICs on the different Policy Master
systems, type n. Then specify a NIC for each system.
7 For each unique virtual IP address, enter the netmask. For example, enter
the following: 255.255.248.0.
8 At the disaster recovery configuration verification prompt, verify that the
virtual IP address, NIC, and netmask are correct. Enter the following: y.
Configuring disaster recovery after you install VCS One
Follow these steps to configure disaster recovery after you install and configure
VCS One.
To configure disaster recovery after installing and configuring VCS One
1 Launch the VCS One disaster recovery installer. Enter the following:
# ./installvcsonepm -configuredr
2 Enter the name of the system on which you want to configure disaster
recovery. For example, enter the following: sys1.
3 Follow the disaster recovery installation steps.
See: “Configuring disaster recovery as part of the installation and
configuration process” on page 49.
4 Verify that the disaster recovery service group is online. Enter the following:
# /opt/VRTSvcsone/bin/hagrp -state
Configuring your storage architecture
This section provides storage architecture configuration instructions. For
information on configuring your storage architecture, select the appropriate
link:
“Configuring Storage Foundation”
“Configuring NetApp Filer”
“Configuring other shared storage architectures”
Configuring Storage Foundation
When you configure Storage Foundation, you are prompted to specify a disk
group for the configuration database. A disk group is a collection of disks that
share a common configuration (for example, the configuration objects that
belong to a single database).
Note: For the Policy Master to fail over from one system to another, the disk
group and volume must not be in use by other applications. The disk group must
also be free of any volumes that are in use by other applications.
To configure Storage Foundation
1 Enter a disk group for the configuration database. For example, enter the
following: pmdg.
2 Do one of the following:
■ If you are not prompted to enter disk names, go to step 5.
■ If you are prompted to enter disk names, go to step 3.
3 At the disk prompt, enter the names of the disks in the disk group. Separate
disk names with a space. For example, enter the following: sdb sdb2.
The Policy Master uses the names you enter to create the disk group.
4 At the initialization prompt, choose to initialize the disks. Enter the
following: y.
You are prompted to specify a volume for the configuration database. A
volume is a virtual disk device that appears to applications, databases, and
file systems. A volume is like a physical disk partition. However, a volume
does not have the physical limitations of a disk partition.
5 Enter the name of the volume for the configuration database. For example,
enter the following: pmvol.
6 Do one of the following:
■ If you are prompted to enter the volume size, go to step 7.
■ If you are not prompted to enter the volume size, go to step 8.
7 Enter the volume size. For example, enter the following: 200M.
8 Do one of the following:
■ If the volume is not mounted, go to step 9 and enter the mount point.
■ If the volume is already mounted, go to step 10 and verify your
configuration.
9 Enter the mount point for the configuration database. For example, enter
the following: /PM.
10 At the Storage Foundation configuration verification prompt, enter the
following: y.
If the installer uses an existing disk group for the configuration database,
you are prompted about cleaning up the shared storage directories.
11 If you are prompted to clean up the shared storage directories, enter the
following: y.
Configuring NetApp Filer
Follow the instructions in this section to configure Network Appliance filer
(NFS) to store your configuration information. Only Network Appliance filers
are supported as NetApp servers.
To configure Network Appliance Filer
1 Enter the mount point for the configuration database. For example, enter
the following: /software/vcsone.
The installer mounts the mount point. If the mount point is already
mounted, you can choose to unmount it through the installer.
2 Enter the fully-qualified host name or IP address for the NetApp Filer. For
example, enter the following: netapp3.veritas.com.
3 Select an access method (rsh, ssh, or api).
4 Enter the name of the user who accesses the Network Appliance filer. For
example, enter the following: root.
5 Enter the password for accessing the Network Appliance filer. At the
prompt, enter the password again.
6 For each Policy Master system, enter the host name or IP address for each
NIC that is connected to the NetApp Filer. For example, enter the following:
# thoropt158.
7 On the NetApp filer you designate to store the VCS One configuration, enter
the exported file system pathname. For example, enter the following:
# /vol/name_of_volume /name_of_directory_path
8 At the API over SSL prompt, do one of the following:
■ If you do not want to use API over SSL, enter the following: n.
■ If you want to use API over SSL, enter the following: y. At the prompt,
enter the SSL library path. The path should be on a local disk, and must
contain the libcrypto.so and libssl.so library files. For example, enter
the following: /usr/lib.
9 If you have mounted something on the mount point you specified, the
installer asks you if you want to unmount it. Do one of the following:
■ If you are prompted to unmount the mount point, go to step 10.
■ If you are not prompted to unmount the mount point, go to step 11.
10 At the prompt for unmounting the mount point, do one of the following:
■ If you do not want to unmount the mount point, enter the following: n.
■ If you want to unmount the mount point, enter the following: y.
11 Confirm that the Network Appliance filer configuration is correct. Enter the
following: y.
If the installer uses an existing Network Appliance filer for the
configuration database, you are prompted about cleaning up the shared
storage directories.
12 Do one of the following:
■ If you are not prompted to clean up the shared storage directories, go to:
“Starting the Policy Master” on page 54.
■ If you are prompted to clean up the shared storage directories, clean up
the shared storage directories to prevent the installation from failing. At
the prompt for performing cleanup, enter the following: y.
Then, go to:
“Starting the Policy Master” on page 54.
Configuring other shared storage architectures
The VCS One Policy Master uses a database to store configuration information.
If you do not install Storage Foundation or NetApp, you can choose another
option for shared storage. You can also store the configuration database using
local storage.
If you do not configure Storage Foundation or Network Appliance filer to store
your configuration data, keep in mind the following:
■ VCS One does not automatically mount your storage configuration. You
must manually mount the storage on each system in the Policy Master
cluster.
■ If VCS One faults because it fails to connect to the database directory, you
must troubleshoot the issue manually.
Follow the steps in this section to set up the configuration database using shared
storage, or using local storage.
To set up the configuration database
1 Enter the mount point for the configuration database. For example, enter
the following: /PM.
2 Do one of the following:
■ If you are not prompted to clean up the shared storage directories, go to
the next section:
“Starting the Policy Master.”
■ If you are prompted to clean up the shared storage directories, at the
prompt for performing cleanup, enter the following: y.
Then, go to the next section:
“Starting the Policy Master.”
Starting the Policy Master
You must start the Policy Master after the configuration process.
To start the Policy Master
◆ At the Start VCS One Policy Master processes prompt, enter y to start them.
The VCS One Policy Master starts and reports success or failure.
The following directory contains the path to the log files, the summary file,
and the response file that the installation creates:
/var/VRTS/install/logs/
After you install the Policy Master
After you install the Policy Master, see the following sections for information
about the next installation steps:
■ “Verifying the Policy Master installation,” in the next section
■ “Setting the default platform in the VCS One cluster”
■ “About configuring VCS One”
Verifying the Policy Master installation
Once you install the Policy Master, it is a good idea to verify the Policy Master
installation. Verifying the installation checks if all of the Policy Master systems,
service groups, and resources are up and running.
To verify the Policy Master installation
1 Check the state of the Policy Master service group on each system. Enter the
following:
# /opt/VRTSvcsone/bin/haadmin -state
The output should show the PMSG is ONLINE on one system, OFFLINE on the
other.
2 Verify that the PMSG is online on one system and offline on the other. Enter
the following:
# /opt/VRTSvcsone/bin/haadmin -status -summary
3 Display the status of each of the PMSG resources on each system. Enter the
following:
# /opt/VRTSvcsone/bin/haadmin -status
The status of each resource in the Policy Master service group displays.
For a new installation, the output of the haadmin -status command shows the
following:
■ All systems are running.
■ NIC resources are ONLINE on all systems.
■ All other resources are ONLINE on one system and OFFLINE on the other.
Table 2-3 describes the resources in the haadmin -status output when the
Policy Master uses Storage Foundation for storing configuration information.
Note: If you use the “other shared storage” option, the pmdg, pmvol, and
pmmount resources may not exist. If you use Network Appliance filer, the pmdg
resource may not exist.
Table 2-3 PMSG resources when the Policy Master uses Storage Foundation
Resource     Description
pmip         Policy Master virtual IP address
pmnic        Policy Master virtual IP address NIC device
vcsonedb     VCS One database
pm           Policy Master daemon
atd          Symantec Product Authentication Service daemon
VCSOneWeb    VCS One web console
pmdg         The database and repository disk group
pmvol        The volume for the file system containing the database
pmmount      The file system mount point
Table 2-4 describes the PMSG resources in the haadmin -status output when
the Policy Master uses NetApp for storing configuration information.
Table 2-4 PMSG resources when the Policy Master uses NetApp
Resource     Description
pmip         Policy Master virtual IP address
pmnic        Policy Master virtual IP address NIC device
vcsonedb     VCS One database
pm           Policy Master daemon
atd          Symantec Product Authentication Service daemon
pmmount      Mount point for the volume/qtree exported from NetApp filer
             when NetApp is selected for shared storage
pmexport     Exports and deports the volume/qtree on NetApp filer to
             active and passive Policy Master systems, respectively
pmfiler      Monitors ICMP connectivity between the Policy Master and
             the NetApp filer
VCSOneWeb    VCS One web console
Table 2-5 describes the DRSG resources in the haadmin -status output when
the Policy Master uses disaster recovery. The table contains the resources you
see when you configure two virtual IP addresses for disaster recovery.
Table 2-5 DRSG resources when the Policy Master uses disaster recovery
Resource     Description
DRSG         Disaster recovery service group
dr_app       The DRApp resource that manages the disaster recovery
             service group (DRSG)
drip1        Disaster recovery virtual IP address 1
drip2        Disaster recovery virtual IP address 2
drnic1       NIC device for disaster recovery virtual IP address 1
drnic2       NIC device for disaster recovery virtual IP address 2
Setting the default platform in the VCS One cluster
You may want to make changes at the VCS One cluster level. For example, you
can set the default platform to match the platform that is most prevalent in your
VCS One cluster. If you set the default platform, fewer users have to specify the
platform name.
To set the default platform in the VCS One cluster
◆ Set the default platform in the VCS One cluster. Enter the following:
Each system in a VCS One cluster has a unique host name and IP address. In
addition, VCS One uses attributes to match systems and users. The system-level
attribute, SysUserName, which is initially NULL, contains the name of the VCS
One client user who first registers with the system. If another user tries to
register with the system, that user is rejected.
The user-level attribute, VCSOneClientName, lists the VCS One client system
with which the user is registered. A user can only register with one system in the
VCS One cluster.
See the Veritas Cluster Server One User’s Guide for information about the
following topics:
■ Adding users and assigning roles
■ Adding systems to the VCS One cluster
■ Creating service groups for your applications
■ Administering groups, resources, and systems
Chapter 3
Accessing the web console
This chapter includes the following topics:
■ Before you access the VCS One web console
■ Accessing the VCS One web console
■ Recreating the SSL certificate
Before you access the VCS One web console
Before you access the VCS One web console for the first time, do the following:
■ Install a supported browser.
See the Veritas Cluster Server One Release Notes for supported browser
versions.
■ In the browser, do the following:
  ■ Enable cookies
  ■ Disable browser caching
  ■ Disable the pop-up blocker
  ■ Enable ActiveX controls (Internet Explorer only)
■ Install a supported Flash version.
See the Veritas Cluster Server One Release Notes for supported Flash
versions.
■ Enable the ports that the web server uses.
See “Opening the required ports” on page 21.
Setting who can access the VCS One web console
The root user on the Policy Master system can log in without being added to the
VCS One configuration. To allow other users to log in to the VCS One web
console, you must explicitly add those users as VCS One users with assigned
roles.
Accessing the VCS One web console
Follow the instructions in this section each time you access the VCS One web
console. When you access the VCS One web console for the first time, you see a
message about authentication. Read the message and click OK to add and
permanently store a trusted security certificate. After you add the security
certificate, the VCS One web console login page appears in the browser.
To access the VCS One web console
1. Open a web browser and enter the following URL:
https://PM_cluster_virtual_IP_address:14171
Symantec recommends that you use the virtual IP address of the Policy
Master (PM) cluster instead of the name of the active system in the Policy
Master cluster. If you use the virtual IP address, the VCS One console
maintains a connection with the Policy Master after a Policy Master cluster
failover operation.
2. In the web browser, click the VCS One web console link.
3. In the Log on page, specify the following details:
■ In the Select Language box, select the appropriate language. In this
release, only English is supported.
■ In the User Name field, enter the name of the user.
■ In the Password field, enter the password.
■ In the Domain field, enter the domain name.
You must specify a domain name for all domain types except unixpwd
(which is the default domain type) and pam. To view a list of all the
domains on the Policy Master system, enter the following command:
haat showallbrokerdomains -j broker
If you leave the Domain field blank and the domain type is unixpwd or
pam, VCS One assumes that the domain type is the same as the Policy
Master system’s domain type.
■ In the Domain Type field, select a domain type (unixpwd, nt, nis,
nisplus, pam, vx, or ldap).
■ In the Broker:Port field, enter the authentication broker name and the
port number separated by a colon (:). This field is optional and is
populated automatically.
4. Click Log On.
The web console is best viewed at 1024x768 screen resolution.
Recreating the SSL certificate
The VCS One installer creates an SSL certificate on each Policy Master system.
The SSL certificate works if you access the VCS One web console using a VCS
One Policy Master virtual IP address.
With Internet Explorer 7, accessing the VCS One web console through a host
name that resolves to a VCS One Policy Master virtual IP address may display
invalid SSL certificate messages. To prevent these messages, you must recreate
the SSL certificate.
This section provides the general steps and resources needed to recreate an SSL
certificate. For more detailed information about SSL-related tasks, see the
Apache Tomcat 6.0 SSL Configuration instructions available on the Internet.
To recreate the SSL certificate, you can use Java Keytool, or another tool of your
choice. For your convenience, the Java Keytool utility is included in the VCS One
installation, and located at:
/opt/VRTSvcsone/jre/bin
To recreate the SSL certificate
1. Locate the key store containing the certificate that the VCS One installer
created at:
/opt/VRTSvcsone/web/tomcat/cert
2. Follow the Apache Tomcat 6.0 SSL Configuration instructions for creating
an SSL certificate.
3. At the prompt, enter the information for the host name that you want to use
to access the VCS One web console.
4. To restart the VCS One web console, use the
commands to take it offline and bring it online. Enter the following:
5. From the browser, choose to install the new certificate.
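The following check is an added example, not part of the Symantec guide. It parses `keytool -list -v` output and reports whether the certificate's subject CN equals the name you type in the browser, which is the comparison that decides whether the recreated certificate stops the warnings. The alias tomcat, the keystore argument and the sample listing are constructed assumptions; only the keytool directory and the address 192.168.5.150 (the guide's example virtual IP) come from the page.

```shell
#!/bin/sh
# Added example, not from the VCS One guide.
# keytool directory is the one the guide gives; override KEYTOOL if needed.
KEYTOOL=${KEYTOOL:-/opt/VRTSvcsone/jre/bin/keytool}

# Read `keytool -list -v` output on stdin and print one line per alias:
#   alias|subject CN|expiry
# Only the first certificate of each alias (the server's own) is reported.
cert_entries() {
    awk '
        /^Alias name: / { alias = substr($0, 13) }
        /^Owner: / {
            cn = ""
            n = split(substr($0, 8), rdn, ", *")
            for (i = 1; i <= n; i++)
                if (toupper(substr(rdn[i], 1, 3)) == "CN=") {
                    cn = substr(rdn[i], 4)
                    break
                }
        }
        /^Valid from: / {
            expiry = $0
            sub(/^.* until: /, "", expiry)
            if (!(alias in seen)) {
                print alias "|" cn "|" expiry
                seen[alias] = 1
            }
        }
    '
}

# Succeed when a certificate in the listing on stdin has a CN equal to $1.
# Host names are compared case-insensitively; an empty name is an error.
cn_matches_host() {
    [ -n "$1" ] || return 2
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    cert_entries | cut -d'|' -f2 | tr '[:upper:]' '[:lower:]' |
        grep -Fqx -- "$want"
}

# $1 = name typed in the browser, $2 = keystore file (assumption: the file
# found under /opt/VRTSvcsone/web/tomcat/cert). keytool prompts for the
# keystore password, so it never appears on the command line.
check_keystore() {
    "$KEYTOOL" -list -v -keystore "$2" | cn_matches_host "$1"
}

# Constructed sample of `keytool -list -v` output for a certificate issued
# to the virtual IP address rather than to a host name.
sample_listing() {
    cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Jan 12, 2009
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=192.168.5.150, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=192.168.5.150, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Valid from: Mon Jan 12 10:00:00 PST 2009 until: Sun Apr 12 11:00:00 PDT 2009
EOF
}

# Demonstration on the constructed sample: the IP address matches, the
# (hypothetical) host name pm-console.example.com does not.
for name in 192.168.5.150 pm-console.example.com; do
    if sample_listing | cn_matches_host "$name"; then
        echo "$name: certificate name matches"
    else
        echo "$name: MISMATCH, the browser will warn"
    fi
done
```

Against the real keystore, run `check_keystore host_name keystore_file` after step 3 and before restarting the web console.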
Chapter 4
Installing and configuring the VCS One client
This chapter includes the following topics:
■ Preparing to install the VCS One client
■ Installing the VCS One client
■ Configuring the VCS One client
■ Installing the client using a permanent credential
■ After you install the VCS One client
Preparing to install the VCS One client
This section lists what you must do and prepare before you can install the VCS
One client.
■ Perform the general preparations if you have not already.
See “Preparing to install the VCS One client” on page 64.
■ Perform platform-specific preparations.
See “Platform-specific preparations” on page 64.
■ Right before the installation, you must perform some setup tasks.
See “Right before the installation” on page 66.
General preparations (all platforms)
Client installation involves a set of pre-installation tasks that you perform
before you run the installer. These tasks are broadly divided into the
following categories:
■ General preparations that are common to all platforms on which you
install the client.
■ Platform-specific preparations.
Before you begin to install the VCS One client, complete the following general
preparations:
■ Uninstall any earlier version of the VCS One client.
For uninstallation instructions, see the Veritas Cluster Server One
Installation Guide for the VCS One version you want to uninstall.
■ Ensure any DHCP IP addresses have a long-term lease and are not
relinquished while the VCS One client daemon (vcsoneclientd) is running.
The loss of connectivity could fault the VCS One client.
■ Ensure the client host name resolves to the client IP address, and vice versa.
Platform-specific preparations
This section includes information and configurations you must prepare before
you install the client on Linux or Solaris. Complete the preparations for your
platform, and then proceed to:
“Right before the installation” on page 66.
Linux-specific preparations
Before you install the VCS One client on a Linux server system, you must first:
■ Enable the required ports for Linux.
See “Opening the required ports” on page 21.
■ Install the required operating system patches. See the Veritas Cluster Server
One Release Notes for the required operating system patches.
Solaris-specific preparations
Before you install the VCS One client on a Solaris server system:
■ Install the required operating system patches. See the Veritas Cluster Server
One Release Notes for the required operating system patches.
If you will install the VCS One client on a Solaris system with zones configured:
■ Ensure that the zones have been completely installed, including an initial
boot of the zone, before installing the VCS One client.
If you install the VCS One client on Solaris 10 systems running non-global
zones:
■ Ensure that /opt is not inherited by any non-global zone, using the following
procedure:
To ensure that /opt is not inherited by any non-global zone command
1. Check whether /opt is inherited by a non-global zone command. Enter the
2. Look for any occurrences of the /opt directory being inherited. If it is
inherited, you see the following:
inherit-pkg-dir:
dir: /opt
3. If you see that the /opt directory is inherited, you must reinstall the zone.
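The following parser is an added example, not part of the Symantec guide. It automates step 2 for a saved zone configuration listing and avoids the false positive a plain search for "dir: /opt" gives when a file system is merely mounted at /opt. It assumes the listing has the stanza layout shown in step 2, such as the output of `zonecfg -z zonename info` (the command is an assumption, the guide's own command is not reproduced here); the zone names and listings are constructed samples.

```shell
#!/bin/sh
# Added example, not from the VCS One guide.

# Read a zone configuration listing on stdin and print every directory named
# in an inherit-pkg-dir stanza. A "dir:" line counts only when it directly
# follows an "inherit-pkg-dir:" header, so the "dir:" property of an fs
# resource (a file system mounted at /opt) is not mistaken for inheritance.
# Indented and flattened (unindented) listings are both accepted.
inherited_dirs() {
    awk '
        NF == 1 && $1 == "inherit-pkg-dir:" { in_ipd = 1; next }
        in_ipd && $1 == "dir:" {
            d = $2
            if (d != "/") sub(/\/+$/, "", d)   # drop a trailing slash
            print d
        }
        { in_ipd = 0 }
    '
}

# Succeed when the listing on stdin inherits /opt.
opt_is_inherited() {
    inherited_dirs | grep -Fqx -- /opt
}

# Report for one zone: $1 is a label for the message, listing on stdin.
# Returns 1 when the zone must be reinstalled before the client install.
report_zone() {
    if opt_is_inherited; then
        echo "$1: /opt is inherited, reinstall the zone first"
        return 1
    fi
    echo "$1: /opt is not inherited"
}

# Constructed sample: a zone that inherits /opt.
zone_inherits_opt() {
    cat <<'EOF'
zonename: appzone1
zonepath: /zones/appzone1
autoboot: true
inherit-pkg-dir:
    dir: /lib
inherit-pkg-dir:
    dir: /opt
fs:
    dir: /data
    special: /export/data
    type: lofs
EOF
}

# Constructed sample: /opt is a mounted file system, not an inherited
# package directory, so this zone passes the check.
zone_mounts_opt() {
    cat <<'EOF'
zonename: appzone2
zonepath: /zones/appzone2
inherit-pkg-dir:
    dir: /lib
inherit-pkg-dir:
    dir: /usr
fs:
    dir: /opt
    special: /export/opt
    type: lofs
EOF
}

zone_inherits_opt | report_zone appzone1 || true
zone_mounts_opt | report_zone appzone2
```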
Right before the installation
Right before you install the VCS One client, do the following:
■ Set up ssh or rsh communications.
  ■ You must have ssh communications from the system where you run the
  installation to the systems where you are installing the VCS One client
  software.
  ■ Ensure that the specific ports needed for installing the VCS One client
  are enabled. See “Opening the required ports” on page 21.
  ■ The ssh communication must be present on the system where the
  installation is run and the Policy Master cluster systems.
  See “Setting up the Policy Master cluster hardware” on page 20.
■ Make sure that the clock times for Policy Master systems in the same time
zone are within 30 minutes of one another or the installation may fail.
■ Make sure the Policy Master is running. On a Policy Master system, enter
the following:
# haadmin -state
See “Verifying the Policy Master installation” on page 55.
■ Choose the appropriate installation software disc. Installation software
discs are provided for each platform type.
■ Mount the software disc on the system where you plan to run the
installation.
■ Have the VCS One Policy Master virtual IP address ready. Communication
must be enabled between the installer and the system with the Policy
Master virtual IP address.
Deciding about a credential installation
Installing the VCS One client using credentials is optional. However, if you
install the client without credentials, you must establish passwordless ssh
communication between the client and the active Policy Master system.
For more information on setting up ssh communication, see “Configuring ssh,
rsh, or remsh before installing.”
For a credential deployment, you have the following options:
■ Install the client using a deployment credential. If you do not establish ssh
communications with the active Policy Master system, you must have a copy
of the deployment credential on the system from which you run the
installer.
See “Installing the client using a deployment credential” on page 67.
■ Install the client using a permanent credential. If you do not establish ssh
communications with the active Policy Master system, you must have a copy
of the permanent credential on the system from which you run the installer.
See “Installing the client using a permanent credential” on page 68.
Installing the client using a deployment credential
If the installer host does not have an ssh or rsh connection to the active Policy
Master system, you can create a deployment credential. If passwordless ssh or
rsh communication is enabled between the Policy Master system and the system
from which you invoke the installer, skip to the section:
“Right before the installation” on page 66.
The deployment credential is a host-generic credential created on the
authentication broker and copied to clients. Using a deployment credential, a
client can be deployed without having a host-specific credential of its own.
Creating the deployment credential package
You can use the -create_deployment_credential option to create the
deployment credential package on the shared storage. The clients copy and
execute that credential package to authenticate with the Policy Master.
The command creates a deployment credential package file in the following
location:
/vcsone_db_location/data/vcsone_deploy.credential
Reuse the credential package to deploy all clients that can connect to the Policy
Master with the deployment credential.
Each client gets its own host-specific credential from the authentication broker
through the Policy Master after the clients are deployed, and the first time they
are connected to the Policy Master.
To create the deployment credential package
1. From the Policy Master, create the deployment credential package. You may
2. Review the information and press Enter to continue.
3. Enter the timeout for the deployment credential in seconds. For example,
either accept the default values or provide your own. Enter the following:
Installing the client using a permanent credential
You can use the VCS One client daemon -createcredential installation
option to perform installations on several systems without requiring ssh
communication with the Policy Master cluster. The -createcredential
option does the following:
■ Creates authentication principals (identities) for each VCS One client
process to be installed.
■ Adds the client daemon systems to the Policy Master configuration.
■ Transfers the credential packages to the system where you will run the
installation.
■ Uses the created credentials with the installvcsonecd installation program.
To install the client using permanent credentials
1. Log in as root on the Policy Master system or on a system with passwordless
ssh communication with the Policy Master.
2. Create authentication credential packages for each VCS One client system.
Enter the following:
# ./installvcsonecd -createcredential
The installer lists the installation log location.
3. At the prompt, enter the system names, separated by a single space, where
you want to install VCS One client daemon software or configure software
already installed. For example, the names of the systems may be Sys1, Sys2,
Sys3, and Sys4. (Do not enter fully-qualified domain names.)
Note: Each system must run the same operating system.
As the utility runs, it displays its actions and reports where it places the
credential packages. It does not perform an installation.
4. Copy created credential packages to a system where you plan to install the
VCS One client. Make a note of where you copy the files.
5. Install or configure the VCS One client daemon software on the systems
specified in step 3. Enter the following:
# ./installvcsonecd
6. During the installation, do the following:
■ At the permanent credential prompt, enter y.
■ Specify the path to the location where you copied the credential
packages in step 4.
Installing the VCS One client
After you have completed the client installation, the client software will be
running and the system will be part of the VCS One cluster.
If you have an earlier version of a VCS One client installed, you must completely
uninstall it before installing the VCS One 5.0 client. For uninstallation
instructions, see the Veritas Cluster Server One Installation Guide for the VCS
One version you want to uninstall.
Before you install the VCS One client on a Solaris system with zones, ensure that
the zones have been completely installed, including an initial boot of the zones.
Launching the installer
To launch the client installer
1. On the software disc, change directories to the platform-specific directory.
Enter the following:
# cd platform
where platform is the platform-specific directory, such as
sles10_x86_64 or sol_sparc.
Go to the directory cluster_server_one.
2. Start the installer script. Enter the following:
# ./installer
3. From the Task menu, select the following task:
Install/Upgrade a Product
4. From the list of products, select:
Veritas Cluster Server One by Symantec - Client Daemon
(VCS One Client)
Note: When the installer installs software on a system where VCS is
installed, any file system soft links in the directory /opt/VRTS/bin
are overridden on the system. Running VCS and VCS One on the same
system is not a supported configuration.
5. Accept the End User License Agreement (EULA). At the EULA prompt, enter
the following: y.
The installer provides information about the installation and configuration.
6. Review the information on each page and press Enter to continue.
Specifying the target systems
You must specify the name of the target systems for each client system.
To specify the target systems
◆ At the system names prompt, enter the names of the systems on which you
want to install the VCS One client. Separate each name with a space. (Do not
enter fully-qualified domain names or IP addresses.) For example, enter the
following: redhat95241 redhat95244
Reviewing the package list
The installer provides a list of packages to be installed.
To review the package list
◆ Read the list of packages to be installed and press Enter to continue.
For a list of the packages, see Appendix F, “Required packages” on
page 203.
Specifying when to configure the client
You must specify whether to configure the client right after the installation, or
complete the installation and configure the client later.
To specify when to configure the client
◆ At the client configuration readiness prompt, do one of the following:
To configure the client as part of the installation process
    Enter the following: y.
    Go to the next section, “Configuring the VCS One client” on page 71.
To install the client now, but configure it later
    Enter the following: n.
    The installer installs the packages, and you can configure the client
    later. When you are ready to configure the client, see the next section,
    “Configuring the VCS One client” on page 71.
Configuring the VCS One client
The client configuration procedures are in the following subsections:
■ “Starting the client configuration” on page 71
■ “Entering the virtual IP addresses for the client” on page 72
■ “Deciding whether to configure the SSL library path” on page 72
■ “Synchronizing the clock times on your systems” on page 73
Starting the client configuration
If you have not yet started the client configuration, do so now.
To start the client configuration
◆ Start the VCS One client configuration. Enter the following:
# /opt/VRTS/install/installvcsonecd -configure system_name
Entering the virtual IP addresses for the client
You must enter the Policy Master virtual IP addresses that the client uses. You
must also enter the base IP addresses for the subnets on which the Policy Master
and client communicate.
1. Enter the Policy Master virtual IP addresses separated by a space. For
example, enter the following:
# 192.168.5.150 192.168.5.151
2. At the Local IP address prompt for each client system, enter the local IP
address of the client system NIC that will communicate with the Policy
Master virtual IP address.
3. At the valid list of space-separated IP addresses prompt, for each client
system, enter the base IP addresses for that system.
4. At the permanent credential package prompt, do one of the following:
■ If you have a permanent credential package, enter the following: y.
■ If you have a deployment credential, enter the following: n.
5. At the deployment credential package prompt, do one of the following:
■ If you have a permanent credential package, enter the following: n.
■ If you have a deployment credential, enter the following: y.
Deciding whether to configure the SSL library path
You can optionally configure the SSL library path.
To specify whether to configure the SSL library path
◆ At the SSL library path prompt, do one of the following:
■ If you do not want to configure the SSL library path, enter the
following: n.
■ If you want to configure the SSL library path, enter the following: y.
Then enter the SSL library path. The path must be to a directory that
contains the libcrypto.so and libssl.so library files. For example, enter
the following: /usr/local/lib.
The installer checks that ssh communications exist from the installation system
to the root broker system, and that the clock time difference between the Policy
Master and client is less than 30 seconds.
Synchronizing the clock times on your systems
The clock times between the client and Policy Master systems within the same
time zone must be within 30 minutes of one another or the installation may fail.
If the clock times are more than 1000 seconds apart, you see a warning.
To synchronize the clock times on your systems
1. Do one of the following:
■ If you do not see a warning about the clock times, go to the section
“Completing and verifying the installation.”
■ If you see a warning about the clock times, go to step 2.
2. At the clock time discrepancy prompt, decide if you want to continue
configuring the client. Do one of the following:
■ To continue configuring the client, enter y.
■ To stop configuring the client, enter n.
3. If you want to synchronize the clock times, use the ntpdate command. For
example, enter the following:
rdate ntphost
Completing and verifying the installation
To complete and verify the installation
1. At the verification prompt, verify that the virtual IP addresses, base IP
addresses, root broker hash, and the SSL library path (if configured) are
correct. Enter the following: y.
2. At the start client prompt, choose whether to start the VCS One client
processes. Do one of the following:
■ Follow the prompt to start the vcsoneclientd processes. Enter y.
■ Wait until later to start the vcsoneclientd processes. Enter n.
When you are ready to start the client processes, you must enter the
following:
To view the installation logs, enter the following:
# /var/VRTS/install/logs/
3. On the Policy Master, verify that the client is up and running. Enter the
following:
# hasys -state
4. On the client, enter the following:
# ps -ef | grep vcsone
# /opt/VRTSvcsone/bin/hastart -client
Then check that the following resources are online:
vcsoneclientd.bin
vcsoneclientd.bin -shadow
After you install the VCS One client
■ The VRTSvcsonemn package includes the VCS One online manual pages
under /opt/VRTS/man. Add this path to the MANPATH environment
variable for your platform. For instructions on how to set the MANPATH
environment variable for your platform, see the Veritas Server One
Command Reference Guide.
■ To avoid having to reauthenticate your clients, do not change the Symantec
Product Authentication Service (AT) ClusterName attribute value after you
have deployed your clients. VCS One clients connect to the Policy Master
cluster using authentication credentials with the domain name specified by
the ClusterName attribute value. If the ClusterName attribute value is
changed after VCS One clients have connected to the Policy Master cluster,
the client systems must be reconfigured to reauthenticate them with the
Policy Master.
Therefore, if the ClusterName attribute value changes, you must restart the
Policy Master service group (PMSG) (including the AT daemon vcsoneatd,
the VCS One console, and the Policy Master) and reauthenticate all VCS One
clients.
Chapter 5
Performing unattended client installations
This chapter includes the following topics:
■ About response files
■ Installation using a response file
About response files
Response files are pre-saved responses to questions that the client installer
asks. Use a response file to perform unattended installations.
Choose a response file type that works with your configuration:
■ Deployment credential installation. For unattended installations without
predefined system credentials.
■ Credential installation. For unattended installations with predefined system
credentials.
■ No credential installation. For installations performed without credentials.
Response file example
This example shows a deployment credential installation and configuration of
the VCS One client on three systems (redhat1, redhat2, and redhat3) using the
deployment credential:
See Appendix E, “Response file variables” for descriptions of each variable.
Using a response file from a previous installation
With each installation, the installation program generates a response file that
documents what the user entered at each installation prompt. The response file
is in the directory indicated at the end of an installation; for example:
You may use a response file generated from a successful Veritas Cluster Server
One (VCS One) installation, modifying it as needed, and use it to run another
installation. This method is useful to install VCS One clients on multiple
systems in an unattended mode.
Installation using a response file
You can edit a response file generated from a successful installation and place it
in a specific directory on the system where you plan to run another installation.
When you run the install program, use the -responsefile response_file option.
To perform an installation using a response file
1. Edit the response file and define values for the variables the installation
requires. For example, save it as “response_file” in the /tmp directory.
2. Make sure that packages or Red Hat package management (RPM) systems to
be installed have been upgraded.
3. Make sure the system where you run the installation command can
communicate with the systems where the software is installed using ssh or
rsh.
4. Make sure that the clock times on all systems in the same time zone are
within 30 minutes of one another.
5. On the system where you want to run the installation, mount the software
disc and navigate to the directory containing the installation program. Enter
the following:
cd cluster_server_one
6. Run the installer with the -responsefile path_to_response_file
Note: If any older versions of VRTS RPMs or packages are on the target system,
installation using the response file fails.
Chapter 6
Installing the Simulator
This chapter includes the following topics:
■ About the Simulator
■ Before you install the Simulator
■ Installing the Simulator
About the Simulator
You can use the Simulator to view, modify, and test the VCS One cluster
configuration and behavior in a safe simulation that does not affect your
production environment.
For more information about using the Simulator, see the Veritas Cluster Server One User’s Guide.
Before you install the Simulator
You can install the VCS One Simulator software on one or more Windows
systems. A Simulator is available for Windows only.
Before you install the Simulator, do the following:
■ Ensure that the Windows version of the system where you will install the
Simulator is at a level supported by this release. For supported operating
system levels, see the Veritas Cluster Server One Release Notes.
■ Choose any installation software disc. The Windows Simulator is available
under the simulator directory on each VCS One installation software disc.
Installing the Simulator
The Simulator included in this release of VCS One can co-exist with earlier
versions. Earlier versions of the Simulator use the same ports as the Simulator
included in this release. If you have an earlier version of the Simulator, make
sure that it is not running before you install the version included in this VCS
One release.
To install the Simulator
1. Insert the VCS One software disc for any supported platform into the disc
drive.
2. Navigate to the simulator directory. From there, open the windows
directory.
3. Double click on vcsonesim.exe to start the VCS One Simulator installation
wizard.
4. Click Next on the Welcome screen.
5. Accept the End-User Software License Agreement and click Next.
6. Check the destination folder where the VCS One Simulator will be installed.
■ If you want to install the software in the displayed directory, click Next.
By default, the Simulator is installed on the desktop in a directory
named VCSOne.
■ If you want to change the location for software installation, click
Browse...
Browse to the desired directory and click OK. Then, click Next.
If you change the directory, the VCS One Simulator software is
installed in the specified directory.
7. To begin installation, click Next. The VCS One Simulator installation wizard
takes a few minutes to install the software.
8. When the VCS One Simulator installation wizard indicates that the
installation is complete, click Finish.
The Simulator installer does not add any files outside of the directory where it
installs the Simulator. The Simulator does not appear in Add or Remove Programs, the Start Up program, or in the registry. You may move the directory
where the Simulator is installed to any location.
Chapter 7
Setting up authentication plug-ins for VCS One
This chapter includes the following topics:
■ About authentication plug-ins
■ Supported authentication service types
■ Displaying information about user names and domain names
■ Setting up vx authentication
■ Setting up unixpwd authentication
■ Setting up NIS or NIS+ authentication
■ Setting up LDAP authentication
■ Setting up Windows Active Directory authentication
■ Setting up PAM authentication
■ Extending the credential expiry period
■ Setting the default domain and domain type
About authentication plug-ins
Veritas Cluster Server One (VCS One) uses Symantec Product Authentication
Service (AT) for security. The system is based on Secure Sockets Layer (SSL). AT
lets product components verify the identity of other components and
communicate securely. It also lets users log into VCS One securely.
Each authentication service type supported by VCS One has an authentication
plug-in.
Supported authentication service types
For each authentication service type supported by VCS One, the authentication
broker uses an authentication plug-in to validate the identities within a
particular domain.
Table 7-1 lists the authentication service types and corresponding
authentication plug-ins supported by VCS One.
Table 7-1 Authentication service types supported by VCS One

Authentication service type                    AT plug-in name  Description
Symantec Private Domain                        vx               Use with the Symantec Private Domain type.
UNIX password domain                           unixpwd          Use with the UNIX password domain.
Network Information Service (NIS)              nis              Use with the NIS domain.
NIS+                                           nisplus          Use with the NIS+ domain.
Lightweight Directory Access Protocol (LDAP)   ldap             Use with both LDAP and Windows Active Directory. Supported LDAP server is: Open LDAP 2.2 (RFC 2307)
Windows Active Directory                       ldap             Use with both LDAP and Windows Active Directory. Supported Windows Active Directory server is: Windows Active Directory 2003
Pluggable Authentication Modules (PAM)         pam              Use with the PAM domain.
Displaying information about user names and domain names
The case sensitivity and length limits for user names and domain names vary
depending on the authentication service type.
You can display information about the case sensitivity and length limit for user
names and domain names for a specific authentication service type.
To display length limit and case sensitivity information for user names and
domain names
where plugin_type is the authentication plug-in type (that is, vx,
unixpwd, nis, nisplus, ldap, or pam).
The output looks similar to the following:
# /opt/VRTSvcsone/bin/haat showplugininfo -p ldap
Using data dir: /vad_db/data
showplugininfo
----------------------
----------------------
Plugin name: ldap
Default Credential Expiry: 86400
User Credential Expiry: 86400
Service Credential Expiry: 31536000
Web Credential Expiry: 28800
Enabled Flag: 1
Do Not Load: 0
Max UserLength: 64
Is case sensitive: yes
Found Domain(s) 2
*************************************
Domain Name: VSS
Domain Type: ldap
*************************************
Table 7-2 shows authentication service types with case-sensitive user names
and domain names:
Table 7-2 Case-sensitive authentication service types

Authentication service type                    AT plug-in name
Symantec Private Domain                        vx
UNIX password domain                           unixpwd
Network Information Service (NIS)              nis
NIS+                                           nisplus
Pluggable Authentication Modules (PAM)         pam

Table 7-3 shows authentication service types with user names and domain
names that are not case sensitive:
Table 7-3 Case-insensitive authentication service types

Authentication service type                    AT plug-in name
Lightweight Directory Access Protocol (LDAP)   ldap
Windows Active Directory                       ldap

Length limits
For Windows Active Directory and LDAP, Symantec recommends that you limit
user names and domain names to 40 characters or less. (Windows and LDAP
limit user names and domain names to 79 ASCII characters or less. If you use
non-ASCII characters, the limit varies.)
Setting up vx authentication
To set up Symantec Private Domain (vx) authentication, add the user to the
cluster private domain.
The user can then authenticate by using one of the following methods:
■ Running halogin to set up the user profile
■ Including the -user and -domaintype options with the commands from
within client-side scripts
■ Setting environment variables within the scripts
If a common password is acceptable, you can use batch scripts to gather the user
IDs and create them with a random password to get the credentials for all of
them. If the user IDs do not require separate passwords, you can automate the
process.
To add a VCS One user to the private domain with the necessary privileges
1 On the active Policy Master system, see if a suitable private domain already
exists. VCSONE_USERS is the default name of the vx private domain in VCS
One. Enter the following:
where domain_name in grep “domain_name” is the domain name you
are searching for, such as VCSONE_USERS.
2 On the active Policy Master system, do one of the following:
■ If there is no private domain: Create a private domain with a distinct name.
Enter the following:
# /opt/VRTSvcsone/bin/haat createpd -t ab -d domain_name
where -t indicates that the private domain type
is ab or authentication broker, and
domain_name is the domain name.
■ If a private domain already exists: Check to see if the principal for this user is
already there. Enter the following command:
# /opt/VRTSvcsone/bin/haat showprpl -t ab -d domain_name -p principal_name
where -t indicates that the private domain type is
ab or authentication broker, domain_name is the
domain name, and principal_name is the
name of the user who will run the scripts.
3 On the active Policy Master system, if the principal for this user already
exists, delete it by entering the following command:
# /opt/VRTSvcsone/bin/haat deleteprpl -t ab -d domain_name \
-p principal_name -s
where -t indicates that the private domain type is ab or authentication
broker, domain_name@cluster_domain is the name of the cluster private
domain, and principal_name is the user name. -s indicates the silent
option (that is, no feedback is given when you run the command with the -s
option).
4 On the active Policy Master system, create a principal for the user on the
cluster private domain by entering the following command:
# /opt/VRTSvcsone/bin/haat addprpl -t ab -d domain_name \
-p principal_name -s password -b host:port
5 On the active Policy Master system, get the root broker hash by entering the
following command:
# /opt/VRTSvcsone/bin/haat showbrokerhash
6 On the client system, set up trust between the client system and the
authentication broker by entering the following command:
The LDAP configuration tool, haldapconf, is a command line interface (CLI)
program that lets you configure the LDAP plug-in for the authentication broker.
Use haldapconf to connect to the enterprise LDAP server and detect the
default parameters for searching users and groups.
The haldapconf configuration tool has the following options:
-d  “discover”
    Connects to the LDAP server and searches for the user and
    group attributes.
-c  “createatcli”
    Creates an authentication CLI. The authentication CLI is
    used to register the LDAP server in the VCS One
    authentication broker.
-x  “atconfigure”
    Configures authentication.
Figure 7-1 shows how the LDAP configuration tool works.
[Figure 7-1 LDAP configuration tool workflow]
To set up LDAP authentication
1 Connect to the LDAP server and search for the user and group attributes:
■ -s ldap_server_name specifies the name of the LDAP server. This
option is required.
■ -p ldap_server_port specifies the LDAP server port. The default
value is 389. To bind the server, the command uses the user name and
password. If you do not provide a user name and password, the
command prompts you to provide them.
■ -u search_user specifies the base search paths for users. This
option is required.
■ -g search_group specifies the base search paths for the group. This
option is required.
■ -f attribute_list_file specifies the name of the attribute list
file. By default, the name is AttributeList.txt. This file is placed in the
working directory.
■ -m admin_username specifies the user name of the connecting user.
When anonymous searches are disabled, this option is required to
make the initial connection to the LDAP server.
■ -w admin_password specifies the password of the connecting user.
When anonymous searches are disabled, this option is required to
make the initial connection to the LDAP server.
■ -l loglevel generates a log file named haldapconf.debug. loglevel
determines the amount of information that goes into the log. The value
of loglevel ranges from 0 to 4.
The haldapconf -d command creates an attribute list file that contains
the valid values for all the attributes in descending order of priority. This
command also retrieves the valid values for the LDAP attributes that have
multiple values.
For example, to run
ldapserver.com, a user named testuser, and a group named testgroup, enter
the following command:
■ -d domain_name specifies the domain name. The domain name must
be unique.
■ -i attribute_list_file specifies the name of the attribute list
file. By default, the name is AttributeList.txt. The file is placed in the
working directory.
■ -o at_cli_file specifies the name of the AT CLI file. By default, the
name is CLI.txt. This file is placed in the working directory.
■ -a FLAT|BOB specifies the type of authentication. FLAT specifies that
the database structure for LDAP is flat or non-hierarchical. BOB specifies
that the database structure for LDAP is nested or hierarchical. By
default, the authentication type is FLAT.
■ -s BASE|ONE|SUB specifies the scope of the search. BASE is the
primary level, ONE is one down from the primary level, and SUB is
below ONE. By default, the scope is SUB.
■ -l loglevel generates a log file named haldapconf.debug. loglevel
determines the amount of information that goes into the log. The value
of loglevel ranges from 0 to 4.
For example, to run haldapconf -c for a domain named myldapdomain1,
enter the following command:
■ -f at_cli_file specifies the name of the AT CLI list file. By default,
the name is CLI.txt. This file is placed in the working directory.
■ -i at_install_path specifies the path /opt/VRTSvcsone.
■ -o broker_port specifies the broker port. Unless you changed the
broker port when you installed VCS One, the default VCS One broker
port is 14159.
■ -l loglevel generates a log file named haldapconf.debug. loglevel
determines the amount of information that goes into the log. The value
of loglevel ranges from 0 to 4.
For example, to run haldapconf -x for the default broker port for VCS
One, enter the following command:
# /opt/VRTSvcsone/bin/haldapconf -x -o 14159 -p \
/opt/VRTSvcsone
4 Verify that the LDAP domain has been added and registered by entering the
following command:
# /opt/VRTSvcsone/bin/haat listldapdomains
The output for this command is similar to the following:
Found: 1
Domain Name : LDAP1
Server URL : ldap://myldap.server1.com:389
SSL Enabled : No
User Base DN : ou=People, dc=mycompany,dc=corp,dc=com
User Object Class : account
User Attribute : uid
User GID Attribute : gidNumber
Group Base DN : ou=Group, dc=mycompany,dc=corp,dc=com
Group Object Class : posixGroup
Group Attribute : cn
Group GID Attribute : memberUid
Group GID Attribute Type:
Auth Type : FLAT
Admin User :
Admin User Password :
Search Scope : SUB
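The verification in step 4 can also be used to review how each LDAP domain was registered. The following is an added example, not part of the Symantec documentation: it parses text in the layout of the listldapdomains output above and reports domains registered with SSL disabled or without an admin user. The function names, the finding labels, and the second sample record are hypothetical.

```python
# Constructed sample in the layout of the listldapdomains output above.
# LDAP1 mirrors the chapter's example; LDAP2 and its values are invented.
LDAP_SAMPLE = """\
Found: 2
Domain Name : LDAP1
Server URL : ldap://myldap.server1.com:389
SSL Enabled : No
User Base DN : ou=People, dc=mycompany,dc=corp,dc=com
Group Base DN : ou=Group, dc=mycompany,dc=corp,dc=com
Group GID Attribute Type:
Auth Type : FLAT
Admin User :
Admin User Password :
Search Scope : SUB
Domain Name : LDAP2
Server URL : ldaps://ldap2.example.com:636
SSL Enabled : Yes
Auth Type : FLAT
Admin User : cn=vcsone-bind,ou=Service,dc=example,dc=com
Admin User Password :
Search Scope : SUB
"""


def parse_ldap_domains(text):
    """Return (declared_count, [record, ...]); each record is a dict of fields.

    A 'Domain Name' line starts a new record. Only the first colon splits a
    line, so the colons inside 'Server URL' values are preserved.
    """
    declared, records = None, []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            continue
        if key == "Found":
            declared = int(value) if value.isdigit() else None
        elif key == "Domain Name":
            records.append({key: value})
        elif records:
            records[-1][key] = value
    return declared, records


def audit_ldap_domains(text):
    """Return (domain, finding) pairs for registrations worth a second look."""
    declared, records = parse_ldap_domains(text)
    findings = []
    if declared != len(records):
        # Truncated or reformatted output must not pass as a clean audit.
        findings.append(("(output)", "record-count-mismatch"))
    for rec in records:
        name = rec["Domain Name"]
        if rec.get("SSL Enabled", "").lower() != "yes":
            findings.append((name, "ssl-disabled"))
        if not rec.get("Admin User"):
            # Assumption: an empty Admin User means the domain was registered
            # relying on anonymous searches (the -m option is only required
            # when anonymous searches are disabled).
            findings.append((name, "anonymous-search"))
    return findings


if __name__ == "__main__":
    for domain, finding in audit_ldap_domains(LDAP_SAMPLE):
        print(f"{domain}: {finding}")
```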
Setting up Windows Active Directory authentication
VCS One supports the Windows Active Directory through the ldap
authentication plug-in. Enable Active Directory for use with VCS One by
following the procedure for LDAP.
See “Setting up LDAP authentication” on page 90.
Setting up PAM authentication
Pluggable Authentication Modules (PAM) authenticate users on the Policy
Master system.
No setup is required for the PAM domain. You add VCS One users to the PAM
configuration and give them the necessary privileges.
To add a VCS One user to the PAM configuration with the necessary privileges
By default, logged-in VCS One users have a credential that expires in 24 hours.
Users who need to run commands from within client-side scripts may require
longer-term credentials.
You may change the default 24-hour expiry period to a larger value (such as two
years) at the system level. Increasing the default value makes your job easier if
the number of users with distinct passwords is relatively large.
You may change the expiry period in the authentication broker. With this
approach, a user provides their password only once. They can run VCS One
(“ha”) commands without providing it until the end of the expiry period.
If you use this method, you must collect the credentials for these users quickly,
before the expiry period can be reset to the original limit. When you are
finished, you must reset the expiry period to its original setting. No matter how
quickly you complete this process, there is a time window when other users can
log in at the same time and acquire long-term credentials. Also, AT does not
support revoking a granted credential.
Due to these issues, change the expiry period in the authentication broker only
as a last resort and when the systems are not being used by users who should not
have an extended expiry period.
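Because a granted credential cannot be revoked, the useful control after a temporary extension is confirming that every expiry value is back at its original setting. The following is an added example, not part of the Symantec documentation: it parses text in the layout of the haat showplugininfo sample shown earlier in this chapter and reports any expiry above baseline. The baseline values come from that sample and are assumed to be seconds; the function names are hypothetical.

```python
import re

# Baseline from the sample showplugininfo output earlier in this chapter.
# Assumption: values are in seconds (86400 s matches the 24-hour default).
BASELINE = {
    "Default Credential Expiry": 86400,
    "User Credential Expiry": 86400,
    "Service Credential Expiry": 31536000,
    "Web Credential Expiry": 28800,
}

# Constructed sample: the chapter's layout, with the user expiry left at
# two years (63072000 s) after a bulk credential collection.
SAMPLE_OUTPUT = """\
Using data dir: /vad_db/data
showplugininfo
----------------------
Plugin name: ldap
Default Credential Expiry: 86400
User Credential Expiry: 63072000
Service Credential Expiry: 31536000
Web Credential Expiry: 28800
Enabled Flag: 1
Do Not Load: 0
Max UserLength: 64
Is case sensitive: yes
Found Domain(s) 2
*************************************
Domain Name: VSS
Domain Type: ldap
*************************************
"""

FIELD_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_plugin_info(text):
    """Collect the 'Name: value' lines; rulers and banner lines are skipped."""
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def audit_expiry(text, baseline=BASELINE):
    """Return (plugin, field, found, expected) for each expiry above baseline.

    A missing or non-numeric field is reported with found=None, so a change
    in output format is never mistaken for a clean result.
    """
    fields = parse_plugin_info(text)
    plugin = fields.get("Plugin name", "unknown")
    findings = []
    for name, limit in baseline.items():
        raw = fields.get(name, "")
        found = int(raw) if raw.isdigit() else None
        if found is None or found > limit:
            findings.append((plugin, name, found, limit))
    return findings


if __name__ == "__main__":
    for plugin, name, found, limit in audit_expiry(SAMPLE_OUTPUT):
        print(f"{plugin}: {name} is {found}, baseline {limit}")
```

Run the check once for each plug-in type in use, since each plug-in reports its own expiry values.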
To extend the expiry period
1 Display the current expiry period by entering the following command:
You must specify a user and domain type with VCS One commands. The -user
user@domain option specifies the fully-qualified user name and the -domaintype
domaintype option specifies the relevant domain type.
For the -domaintype domaintype option, accepted values for domaintype
are unixpwd, nis, nisplus, ldap, pam, and vx (which is the Symantec Private
Domain). These values are case sensitive.
You may set a default domain and domain type using the DefaultAuthDomain
attribute so that you do not have to enter the domain and domain type each time
you run a command.
Accepted values for the DefaultAuthDomain attribute are in the form
domaintype:domainname. Examples include ldap:lab1.com (where lab1.com is a
Windows Active Directory domain) and nis:lab2.com (where lab2 is a NIS
domain).
By default, the unixpwd and pam domain types do not require a domain name.
They assume the authentication broker host name or the VCS One cluster name
based on the UseClusterNameAsDomainName attribute.
After you set the DefaultAuthDomain attribute, VCS One commands use the
specified domain and domain type as the default. After that, you do not have to
specify the domain and domain type with the -domaintype domaintype option
when you run a command.
After you set a default domain and domain type, when you run a command with
the -domaintype domaintype option, it will override the default.
Note: The domain type unixpwd should only be used for users who are local to
the UNIX system. When the domain type unixpwd is used, the domain name is
ignored and the local system’s domain name is used instead. For example, if the
user, user@domain, is authenticated with the domain type unixpwd on a system
named system1, the user’s credential is user@system1 instead of the actual
domain name.
For more information on modifying attributes, see the Veritas Cluster Server One User’s Guide.
Chapter 8
Adding shared storage and testing disks for SCSI-3 compliance
This chapter includes the following topics:
■ About adding shared storage
■ Requirements for adding shared storage
■ Adding storage devices
■ Testing disks for SCSI-3 compliance
■ Setting up and testing data disks
■ Using additional vxfentsthdw options
■ Setting up Policy Master I/O fencing
■ About VCS One client I/O fencing
About adding shared storage
This section describes how to set up a system with SCSI-3 protection for shared
storage.
If two or more systems in the Policy Master cluster share storage devices, you
can configure and use the I/O fencing feature in VCS One. In the event of a
network failure, I/O fencing protects the shared storage from data corruption.
Requirements for adding shared storage
To meet the requirements for shared storage in a production environment, you
must supply the following:
■ Three coordinator disks that support SCSI-3 persistent reservations. This is
a requirement for I/O fencing, and applies only to the Policy Master. Clients
do not require coordinator disks.
■ Two switches for I/O connection redundancy.
Adding storage devices
For the Policy Master in a production environment, you need to add a minimum
of three coordinator disks in addition to the storage for data. This requirement
does not apply for clients.
To add storage devices to the VCS One cluster
1 Physically connect each storage device to each system in the Policy Master
cluster.
2 On each system in the VCS One cluster, scan the drives, update the Veritas
Volume Manager (VxVM) device list, and reconfigure VxVM DMP with the
new devices with the following command:
vxdisk scandisks
3 On one system in the VCS One cluster, initialize the disks with the following
command:
vxdiskadm
4 Choose 1 Add or initialize one or more disks from the menu.
5 At the prompt, to select devices, type list.
6 Type the name of the devices you are adding when prompted to select
devices. Do one of the following:
■ For Solaris or AIX, enter the following:
c3t1d0 c3t2d0
■ For Linux, enter the following:
sdx
7 At the Which disk group prompt, enter none.
You create disk groups later.
For details on creating disk groups, see “Setting up and testing the
coordinator disks” on page 103.
8 Initialize the disk as the default.
9 Exit the utility. Type q.
To verify each system sees the same added devices (optional)
From each system, the names of the added disks may be different. By using a
command to check the serial number of the disk, you can verify that a specific
disk is the same one as seen from each system. This is important when you have
added many disks.
◆ Use the following command on each system, making sure that the device
path is the appropriate one from each system (they are likely to be different):
vxfenadm -i device_path
In the output, examine the serial number and verify it is the same disk.
Testing disks for SCSI-3 compliance
Test the data disks you are going to use for SCSI-3 compliance and I/O fencing
support.
Use the following procedure to test the data disks for either the Policy Master
cluster system or client systems.
Setting up and testing data disks
Verify that each disk you added for use as a data disk supports SCSI-3 persistent
reservations and I/O fencing. Use the vxfentsthdw utility to verify that the
storage you added supports SCSI-3 persistent reservations. The procedure may
destroy data on the disk.
Note: If the disks you want to test have data on them that you want to preserve,
use the -r (read-only) option of vxfentsthdw. Be advised that, with the -r option,
not all SCSI-3 compliance tests are run.
When you run the utility, you are prompted for:
■ The names of two systems connected to the storage disks.
■ The name of the disk as it is displayed on each system. A given disk may
have a different name on each system.
To test data disks using vxfentsthdw
1 Make sure the two systems are connected to the storage device you are
testing, and that the systems are running the same operating system.
2 Ensure that both systems have mutual connectivity via rsh or ssh
communications.
3 Start vxfentsthdw. Enter the following. If you are using ssh, omit the -n
option:
/opt/VRTSvcsone/vxfen/bin/vxfentsthdw -n
4 At the prompts, provide the required information. If the test succeeds, the
following information is displayed:
The disk /dev/disk_name is ready to be configured for I/O
Fencing on node name_of_first_node
The disk /dev/disk_name is ready to be configured for I/O
Fencing on node name_of_second_node
If the testing does not display a message that the disk is ready to be
configured for I/O fencing, the disk has failed the testing.
5 Repeat this test on all shared data disks connected to the system.