Symantec Product Authentication Service secures communication between cluster nodes and clients, including the Java console, by using digital certificates for authentication and SSL to encrypt communication over the public network. For more information about the Authentication Service, see the Veritas Cluster Server User's Guide.
To configure the cluster in secure mode, VCS requires you to configure a system in your enterprise as root broker and all nodes in the cluster as authentication brokers.
A root broker serves as the main registration and certification authority; it has a self-signed certificate and can authenticate other brokers. The root broker is only used during initial creation of an authentication broker.
Authentication brokers serve as intermediate registration and certification authorities. Authentication brokers have certificates that are signed by the root. Each node in VCS serves as an authentication broker.
You can set up Authentication Service for the cluster during the installation or after installation. Refer to the Veritas Cluster Server User's Guide to configure the cluster in secure mode after the installation and configuration process.
See "Configuring the cluster in secure mode."
The "Secure VCS cluster configuration flowchart" figure depicts the flow of configuring VCS in secure mode.
[Figure: Secure VCS cluster configuration flowchart]
If you decide to enable Authentication Service, the root broker administrator must perform the following preparatory tasks:
The root broker is the main registration and certification authority and can serve multiple clusters. Symantec recommends that you install a single root broker on a utility computer such as an email server or domain controller, which can be highly available.
The installvcs program provides the following modes to enable Symantec Product Authentication Service:
- The root broker administrator must create an encrypted file for each node in the cluster.
- You must fetch the encrypted files from the root broker administrator and copy the encrypted files to the installation node. Make a note of the path of these encrypted files.
- You must gather the following information from the root broker administrator:
- You must fetch the root_hash file from the root broker system and copy the root_hash file to a directory in the installation node. Make a note of the path of this root_hash file.