RSA ACE/Server 5.2 VERITAS Integration
Version: 1.0
July 17, 2003

Copyright 2003 RSA Security Inc. All rights reserved. No part of this document may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without prior written permission of RSA Security Inc.

Copyright 1998-2001 VERITAS Software Corporation. All rights reserved. VERITAS is a registered trademark of VERITAS Software Corporation in the US and other countries. The VERITAS logo and VERITAS Cluster Server are trademarks of VERITAS Software Corporation. All other trademarks or registered trademarks are the property of their respective owners.
Contents

RSA ACE/Server VERITAS Integration ........ 3
  Configuration ........ 3
  Introduction ........ 3
  Prerequisites ........ 3
  Installation and Configuration ........ 4
    1. Installing RSA ACE/Server 5.2 on System 1 ........ 4
    2. Configuring RSA ACE/Server 5.2 on System 2 ........ 4
    3. VERITAS Cluster Server Integration ........ 5
    4. Integration Tests ........ 6
    5. Issues and Concerns ........ 7
Appendix A  Application Script ........ 8
Appendix B  VERITAS Configuration Files Example ........ 11

RSA Security, Inc 2
Engineering Division

RSA ACE/Server VERITAS Integration

Configuration

Introduction

This document provides technical details regarding the configuration of RSA ACE/Server 5.2 (primary) on VERITAS Cluster Server, Version 3.5. VERITAS Cluster Server is a high-availability system that runs on a variety of platforms. These instructions provide information on the installation and configuration of RSA ACE/Server 5.2 (primary) using VERITAS Cluster Server 3.5 on the Sun Solaris 9 platform.

This guide assumes the reader is familiar with the installation and configuration of VERITAS Cluster Server. It is intended for use by customers in conjunction with RSA Security Customer Support Engineers.

Prerequisites

Before RSA ACE/Server 5.2 (primary) is integrated with VERITAS Cluster Server, a working VERITAS Cluster Server installation is required. VERITAS Cluster Server should be installed on two or more Sun Microsystems Solaris 9 systems. The systems must share a disk array configured to be accessed by either server, one at a time, through a common mount point.

As part of the integration of RSA ACE/Server 5.2 with VERITAS Cluster Server, we will use the VERITAS Application Agent that comes already integrated with the VERITAS Cluster Server software. For integrating RSA ACE/Server 5.2 (primary) with VERITAS Cluster Server we will need a public IP address that resolves to a name; this address and name will be the IP address and name of the RSA ACE/Server 5.2 (primary). Also, we will need a directory on the disk array in which the RSA ACE/Server 5.2 (primary) software and database files will reside.

To describe the integration of RSA ACE/Server 5.2 (primary) and VERITAS Cluster Server in this document, we assume that the configuration consists of two servers, which we named vcmace1 and vcmace2. The disk array uses a mount point on each system named ha_data.

Installation and Configuration

1. Installing RSA ACE/Server 5.2 on System 1

The first step in the process is installing and configuring the RSA ACE/Server 5.2 primary on one server that is part of the cluster, for our purposes vcmace1. Follow these steps:

- Manually add the RSA ACE/Server 5.2 services to the /etc/services file and, if necessary, modify the kernel parameters according to the RSA ACE/Server 5.2 UNIX install guide.
- Define, in the /etc/hosts file, the IP address and name that will be used by your RSA ACE/Server 5.2 primary and that VERITAS Cluster Server will make available. For this example, the host name aceprim will be used and associated with the IP address. The local hosts file on vcmace1 should be altered to contain an entry for the host aceprim and the IP address.
- Manually mount the shared disk array on vcmace1 at the common mount point. For this example, we assume the file system is mounted at /ha_data.
- Temporarily change the host name of the server on which you are going to perform the installation to the host name associated with the highly available IP address. For our example, the name is changed from vcmace1 to aceprim.
- Install RSA ACE/Server 5.2 (primary) according to the instructions in the RSA ACE/Server 5.2 UNIX install guide. Be sure to select a directory under /ha_data for the installation location. Once complete, the RSA ACE/Server 5.2 (primary) installation should specify USR_ACE as /ha_data/ace/prog and VAR_ACE as /ha_data/ace/data, according to our example.
- Change the host name back from the temporary one (aceprim) to the permanent one (vcmace1).
- If you want to test RSA ACE/Server 5.2 (primary) on system 1, manually define a virtual interface on the public Ethernet interface with the IP address used for the RSA ACE/Server 5.2 installation. Once the virtual interface is up, start RSA ACE/Server 5.2 (primary) manually, check that all processes start, and check that you are able to authenticate. At the end, stop RSA ACE/Server 5.2 (primary) manually and delete the virtual interface you defined.

2. Configuring RSA ACE/Server 5.2 on System 2

On the second system we need to do a small amount of manual configuration. The following steps are required on the non-installation system in the cluster, vcmace2:

- Manually add the RSA ACE/Server 5.2 services to the /etc/services file and, if necessary, modify the kernel parameters according to the RSA ACE/Server 5.2 UNIX install guide. If you want, copy the services file from system 1 (vcmace1).
- Manually unmount the shared disk array from system 1 (vcmace1), and mount the disk array on system 2 (vcmace2) at the common mount point. For this example, we assume the file system is mounted at /ha_data.
- Create a symbolic link to the sdace.txt file in /etc. The original sdace.txt will be in the installation directory of RSA ACE/Server 5.2 (primary), which resides on the shared disk array now mounted on system 2. For our example, it is located at /ha_data/ace/data/sdace.txt.
- Create a symbolic link to the libsdxauthor.so dynamic library in the /usr/lib directory. The original libsdxauthor.so will be in the installation directory of RSA ACE/Server 5.2 (primary), which resides on the shared disk array now mounted on system 2. For our example, it is located at /ha_data/ace/prog/libsdxauthor.so.
- Define, in the /etc/hosts file, the IP address and name that will be used by your RSA ACE/Server 5.2 primary and that VERITAS Cluster Server will make available. For this example, the host name aceprim will be used and associated with the IP address. The local hosts file on vcmace2 should be altered to contain an entry for the host aceprim and the IP address.
- If you want to test RSA ACE/Server 5.2 (primary) on system 2, manually define a virtual interface on the public Ethernet interface with the IP address used for the RSA ACE/Server 5.2 installation. Once the virtual interface is up, start RSA ACE/Server 5.2 (primary) manually, check that all processes start, and check that you are able to authenticate. At the end, stop RSA ACE/Server 5.2 (primary) manually and delete the virtual interface you defined.

3. VERITAS Cluster Server Integration

Once VERITAS Cluster Server has been installed and tested, and RSA ACE/Server 5.2 (primary) has been installed on system 1 and configured on system 2, our attention can be turned to the VERITAS Cluster Server integration shell scripts. VERITAS Cluster Server has a variety of integration methods. For the RSA ACE/Server 5.2 (primary) application we considered that the best way was to use the VERITAS Application Agent that comes bundled with VERITAS Cluster Server. The VERITAS Application Agent uses command scripts to start, stop, and monitor the application. In the case of RSA ACE/Server 5.2 (primary), a single shell script can be used to perform all the VERITAS-related functions. A copy of this script is placed in a non-shared directory on each system in the cluster. The non-shared directory should have the same name on both systems. A model of the shell script can be found in Appendix A; it is called ace.

Although detailed VERITAS Cluster Server configuration is outside the scope of this document, a simple configuration that shows the integration of VERITAS Cluster Server with RSA ACE/Server 5.2 (primary) is as follows:

- Define in VERITAS Cluster Server a new service group for RSA ACE/Server 5.2 (primary). Include the two systems in the service group. For our example we called it aceprimary.
- Define a NIC resource in the service group to control the Ethernet interface on which the virtual (highly available) IP address used for RSA ACE/Server 5.2 will be defined. For our case, we called it aceprimnic.
- Define an IP resource in the service group to control the virtual IP used by RSA ACE/Server 5.2, which will be made available on whichever system in the cluster is active. For our case, we called it aceprimip.
- Define the resource(s) in the service group that best describe the shared disk array that you are using. For our case, we used a Mount resource. The resources you define here are the ones that will be in charge of managing the shared disk array. For our case, we called it ha_data.
- Define an Application resource in the service group that will start, stop and monitor the RSA ACE/Server 5.2 (primary) application. Define the application as a failover application; this prevents VERITAS Cluster Server from trying to start RSA ACE/Server 5.2 on both systems at the same time. Also, define the start, stop, and monitor properties of the resource. For our case, we called it aceprimapp. Given that we are using one shell script to monitor, start, and stop RSA ACE/Server 5.2, define the properties of the application resource like this:

    StartProgram:   <non-shared directory>/ace start
    StopProgram:    <non-shared directory>/ace stop
    MonitorProgram: <non-shared directory>/ace monitor

For example, if the script is placed in the directory /etc/init.d/, the application resource properties for start, stop, and monitor will look like this:

    StartProgram:   /etc/init.d/ace start
    StopProgram:    /etc/init.d/ace stop
    MonitorProgram: /etc/init.d/ace monitor

As part of the application configuration, it is recommended to create dependencies between the resources defined above. Based on these resources, the recommended dependencies are:

- The IP resource depends on the NIC resource.
- The Application resource depends on the IP resource.
- The Application resource depends on the shared disk array resource.

It is strongly recommended that each resource be tested independently so that failures are found easily. Also, it is recommended to wait until the entire configuration has been tested before making the resources critical. A sample configuration file (main.cf) and a VERITAS report on the configuration can be found in Appendix B.

4. Integration Tests

The first test to do is to manually switch the service group over from one system to the other, verifying that users continue to authenticate against the primary and that all the processes run on each system. The integrated solution can be tested by manually terminating some RSA ACE/Server 5.2 processes to make sure the monitor portion of the script correctly detects that RSA ACE/Server 5.2 is no longer functioning. This can be done by simply changing to the ACEPROG directory (/ha_data/ace/prog) and stopping the ACE/Server from the command line (./aceserver stop). Other, more drastic, tests could also be performed.

The monitor portion of the script can also be tested on both the active system (i.e., the system on which the RSA ACE/Server 5.2 instance was running) and the inactive system (i.e., the stand-by system on which RSA ACE/Server 5.2 would be started in the event of failure). VERITAS Cluster Server runs the monitor script on both systems to validate their anticipated state. The active system can also be abruptly halted (powered off) to validate that the inactive system starts the RSA ACE/Server 5.2 processes.

A Remote Administration installation can also be used to verify that it connects to the failed-over RSA ACE/Server 5.2 without any manual reconfiguration. Although the user's administrative session is lost (and requires the user to restart the application and re-authenticate), no Remote Admin application configuration changes should be required.

RSA ACE/Agents should authenticate against either instance of the Primary server (vcmace1 or vcmace2) without reconfiguration. Replicas should be able to connect to either instance of the Primary Server (vcmace1 or vcmace2).

RSA ACE/Server QuickAdmin can also be used to verify that it connects to the failed-over RSA ACE/Server 5.2 without any manual reconfiguration. Although the user's administrative session is lost (and requires the user to restart the application and re-authenticate), no QuickAdmin application configuration changes should be required.

5. Issues and Concerns

The monitoring capabilities of the script are fairly minimal and could be enhanced to provide more comprehensive monitoring of ACE/Server processes. The ACE-VERITAS integration script currently requires manual modification to define the installation location and to monitor any other processes desired.
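The monitor checks of the Appendix A script, as an added example that is not part of the original document or of the VERITAS product: the checks are written as a function that takes the ACE directory, a ps listing and a netstat listing as arguments, so they can be exercised against constructed input on a machine with no ACE/Server installed, and they tighten the two points section 5 raises (the process list is one editable variable, and the port match is anchored). ace_check uses the usual shell convention (0 = up, 1 = down); ace_monitor_status maps that onto the page's STATUS_ACE_UP/STATUS_ACE_DOWN values. The process names, LK file names and port come from the Appendix A script; the ps/netstat lines and the temporary directory are constructed fixtures.

```shell
#!/bin/sh
# Added example (not the Appendix A script): the monitor checks as a function
# whose inputs (ACE_DIR, ps listing text, netstat listing text) are passed in,
# so they run against constructed data with no ACE/Server present.
AUTH_PORT=5500
STATUS_ACE_DOWN=0
STATUS_ACE_UP=1
# Processes the Appendix A script looks for; add others here to widen the check.
ACE_PROCS="aceserver_fe aceserver_be sdadmind"

# ace_check ACE_DIR PS_TEXT NETSTAT_TEXT   (returns 0 = up, 1 = down)
ace_check() {
    ace_dir=$1
    ps_text=$2
    netstat_text=$3
    data_dir="$ace_dir/../data"
    if [ ! -d "$ace_dir" ]; then
        echo "monitor: $ace_dir not present" >&2
        return 1
    fi
    # The Progress database holds sdserv.lk and sdlog.lk while it runs;
    # a missing LK file means the database side is down.
    for lk in sdserv.lk sdlog.lk; do
        if [ ! -f "$data_dir/$lk" ]; then
            echo "monitor: no $lk in $data_dir" >&2
            return 1
        fi
    done
    # Something must be listening on the authentication port. Anchoring the
    # match to ".5500 " means a listener on, say, port 55000 does not satisfy
    # it, which the bare "grep 5500" of the Appendix A script would accept.
    if ! printf '%s\n' "$netstat_text" | grep -q "[.:]${AUTH_PORT} "; then
        echo "monitor: no process listening on port $AUTH_PORT" >&2
        return 1
    fi
    # Every listed process must be present; any one missing means down.
    for proc in $ACE_PROCS; do
        if ! printf '%s\n' "$ps_text" | grep -v grep | grep -q "$proc"; then
            echo "monitor: process $proc not found" >&2
            return 1
        fi
    done
    return 0
}

# Print the value in the convention the page's monitor script exits with.
ace_monitor_status() {
    if ace_check "$@"; then echo "$STATUS_ACE_UP"; else echo "$STATUS_ACE_DOWN"; fi
}

# Constructed fixture: a throwaway ACE tree with both LK files, plus ps and
# netstat lines in Solaris format for a healthy server and a dead back end.
ACE_TEST_DIR=$(mktemp -d)/ace
mkdir -p "$ACE_TEST_DIR/prog" "$ACE_TEST_DIR/data"
touch "$ACE_TEST_DIR/data/sdserv.lk" "$ACE_TEST_DIR/data/sdlog.lk"
PS_UP='    root  1201     1  0 10:02:11 ?  0:01 ./aceserver_fe
    root  1202  1201  0 10:02:12 ?  0:03 ./aceserver_be
    root  1210     1  0 10:02:13 ?  0:00 ./sdadmind'
PS_BE_DEAD='    root  1201     1  0 10:02:11 ?  0:01 ./aceserver_fe
    root  1210     1  0 10:02:13 ?  0:00 ./sdadmind'
NETSTAT_UP='      *.5500                                Idle'
NETSTAT_WRONG_PORT='      *.55000                               Idle'
echo "healthy=$(ace_monitor_status "$ACE_TEST_DIR/prog" "$PS_UP" "$NETSTAT_UP") be_dead=$(ace_monitor_status "$ACE_TEST_DIR/prog" "$PS_BE_DEAD" "$NETSTAT_UP")"
```

To use the same checks from the real script, replace the two text arguments with `ps -ef` and `netstat -a -n` output and keep the page's ACE_DIR.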
Appendix A  Application Script

This is the script used for all VERITAS control functions. It can be passed three different parameters: start, stop, or monitor. These are used to start the ACE/Server, stop the ACE/Server, and determine whether the server is running, respectively.

    #!/bin/sh
    #
    # Startup for the ACE/Server & associated Progress database
    #
    # NOTE - monitor return convention used by this script:
    #        0 -> Application is down.
    #        1 -> Application is up.
    #
    LOG_EXEC=logger
    LOG_OPT="-p daemon.err"
    AUTH_PORT=5500
    STATUS_ACE_DOWN=0
    STATUS_ACE_UP=1
    # Installation location (USR_ACE); edit to match your installation.
    ACE_DIR=/data/ace_VERITAS/ace/prog
    SD_HIGH_AVAILABILITY=1
    export SD_HIGH_AVAILABILITY

    case "$1" in
    'start')
        if [ -x $ACE_DIR/sdconnect ] ; then
            echo "Starting Progress Database..." > /dev/console
            ulimit -n 1000
            cd $ACE_DIR
            ./sdconnect shutdown
            ./sdconnect clean
            ./sdconnect start
            result_code=$?
            if [ ${result_code} = 0 ]
            then
                db_broker=0
            else
                db_broker=1
            fi
        fi
        if [ -x $ACE_DIR/aceserver ] ; then
            echo "Starting ACE/Server..." > /dev/console
            cd $ACE_DIR
            ./aceserver start
            result_code=$?
            if [ ${result_code} = 0 ]
            then
                ace_daemons=0
            else
                ace_daemons=1
            fi
        fi
        touch /ace_ver_scripts/aceserver.state
        # Both the database broker and the ACE daemons must have started.
        if [ "${db_broker}" = 0 -a "${ace_daemons}" = 0 ]
        then
            exit 0
        else
            exit 1
        fi
        ;;
    'stop')
        echo "Shutting Down ACE/Server..."
        (cd $ACE_DIR; ./aceserver stop)
        echo "Shutting Down Progress Database..."
        (cd $ACE_DIR; ./sdconnect shutdown ; ./sdconnect clean)
        if [ -f /ace_ver_scripts/aceserver.state ]
        then
            rm /ace_ver_scripts/aceserver.state
        fi
        ;;
    'monitor')
        # ---------------------------------------- check for database LK files
        if [ ! -d $ACE_DIR ] ; then
            $LOG_EXEC $LOG_OPT "$0: monitor: $ACE_DIR not present."
            exit $STATUS_ACE_DOWN
        fi
        if [ ! -f $ACE_DIR/../data/sdserv.lk ] ; then
            $LOG_EXEC $LOG_OPT "$0: monitor: No serv LK file ($ACE_DIR/../data/sdserv.lk)."
            exit $STATUS_ACE_DOWN
        fi
        if [ ! -f $ACE_DIR/../data/sdlog.lk ] ; then
            $LOG_EXEC $LOG_OPT "$0: monitor: No log LK file ($ACE_DIR/../data/sdlog.lk)."
            exit $STATUS_ACE_DOWN
        fi
        # ---------------------------------------- see that a process is listening on the ACE/Server port
        ACE_PORT=`netstat -a -n | grep $AUTH_PORT`
        if [ -z "$ACE_PORT" ] ; then
            $LOG_EXEC $LOG_OPT "$0: monitor: No process listening on port $AUTH_PORT."
            exit $STATUS_ACE_DOWN
        fi
        # ---------------------------------------- find some ACE/Server processes
        ACE_FE=`ps -ef | grep aceserver_fe | grep -v grep`
        ACE_BE=`ps -ef | grep aceserver_be | grep -v grep`
        ACE_ADMIN=`ps -ef | grep sdadmind | grep -v grep`
        if [ -z "$ACE_FE" -o \
             -z "$ACE_BE" -o \
             -z "$ACE_ADMIN" ] ; then
            $LOG_EXEC $LOG_OPT "$0: monitor: Unable to find ACE process(es)"
            exit $STATUS_ACE_DOWN
        fi
        exit $STATUS_ACE_UP
        ;;
    *)
        echo "Usage: /ace_ver_scripts/ace_script { start | stop | monitor }"
        ;;
    esac
    exit 0
Appendix B  VERITAS Configuration Files Example

VERITAS Configuration File

This is the main.cf file from the test installation:

    include "types.cf"

    cluster veridev (
        UserNames = { admin = "cdrpdxpmhpzs." }
        Administrators = { admin }
        CounterInterval = 5
        )

    system vfail1 (
        )

    system vfail2 (
        )

    group ClusterService (
        SystemList = { vfail1 = 0, vfail2 = 1 }
        AutoStartList = { vfail1, vfail2 }
        OnlineRetryLimit = 3
        )

        IP webip (
            Device = eri0
            Address = "192.168.60.98"
            )

        NIC csgnic (
            Device = eri0
            NetworkType = ether
            NetworkHosts @vfail1 = { "192.168.60.2" }
            NetworkHosts @vfail2 = { "192.168.60.2" }
            )

        VRTSWebApp VCSweb (
            Critical = 0
            AppName = vcs
            InstallDir = "/opt/vrtsweb/veritas"
            TimeForOnline = 5
            )

        VCSweb requires webip
        webip requires csgnic

        // resource dependency tree
        //
        //  group ClusterService
        //  {
        //  VRTSWebApp VCSweb
        //      {
        //      IP webip
        //          {
        //          NIC csgnic
        //          }
        //      }
        //  }

    group aceprimary (
        SystemList = { vfail1 = 1, vfail2 = 2 }
        AutoStartList = { vfail1 }
        )

        Application aceprimapp (
            User = root
            StartProgram = "/ace_ver_scripts/ace_script start"
            StopProgram = "/ace_ver_scripts/ace_script stop"
            MonitorProgram = "/ace_ver_scripts/ace_script monitor"
            )

        IP aceprimip (
            Device = eri0
            Address = "192.168.60.96"
            )

        Mount aceprimdata (
            MountPoint = "/data"
            BlockDevice = "/dev/dsk/c1t0d0s3"
            FSType = ufs
            FsckOpt = "-y"
            )

        NIC aceprimnic (
            Device = eri0
            NetworkType = ether
            NetworkHosts @vfail1 = { "192.168.60.2" }
            NetworkHosts @vfail2 = { "192.168.60.2" }
            )

        aceprimapp requires aceprimdata
        aceprimapp requires aceprimip
        aceprimip requires aceprimnic

        // resource dependency tree
        //
        //  group aceprimary
        //  {
        //  Application aceprimapp
        //      {
        //      Mount aceprimdata
        //      IP aceprimip
        //          {
        //          NIC aceprimnic
        //          }
        //      }
        //  }
ACE/Server - VERITAS Configuration Report

This is a copy of a VERITAS configuration report for the ACE/Server application agent.

    Resource     Attribute         System   Value
    aceprimapp   Group             global   aceprimary
    aceprimapp   Type              global   Application
    aceprimapp   AutoStart         global   1
    aceprimapp   Critical          global   1
    aceprimapp   Enabled           global   1
    aceprimapp   LastOnline        global   vfail1
    aceprimapp   MonitorOnly       global   0
    aceprimapp   ResourceOwner     global   unknown
    aceprimapp   TriggerEvent      global   0
    aceprimapp   ArgListValues     vfail1   root "/ace_ver_scripts/ace_script start" "/ace_ver_scripts/ace_script stop" "" "/ace_ver_scripts/ace_script monitor" 0 0
    aceprimapp   ArgListValues     vfail2   root "/ace_ver_scripts/ace_script start" "/ace_ver_scripts/ace_script stop" "" "/ace_ver_scripts/ace_script monitor" 0 0
    aceprimapp   ConfidenceLevel   vfail1   100
    aceprimapp   ConfidenceLevel   vfail2   0
    aceprimapp   Flags             vfail1
    aceprimapp   Flags             vfail2
    aceprimapp   IState            vfail1   not waiting
    aceprimapp   IState            vfail2   not waiting
    aceprimapp   Probed            vfail1   1
    aceprimapp   Probed            vfail2   1
    aceprimapp   Start             vfail1   1
    aceprimapp   Start             vfail2   0
    aceprimapp   State             vfail1   ONLINE
    aceprimapp   State             vfail2   OFFLINE
    aceprimapp   CleanProgram      global
    aceprimapp   MonitorProcesses  global
    aceprimapp   MonitorProgram    global   /ace_ver_scripts/ace_script monitor
    aceprimapp   PidFiles          global
    aceprimapp   StartProgram      global   /ace_ver_scripts/ace_script start
    aceprimapp   StopProgram       global   /ace_ver_scripts/ace_script stop
    aceprimapp   User              global   root
    aceprimdata  Group             global   aceprimary
    aceprimdata  Type              global   Mount
    aceprimdata  AutoStart         global   1
    aceprimdata  Critical          global   1
    aceprimdata  Enabled           global   1
    aceprimdata  LastOnline        global   vfail1
    aceprimdata  MonitorOnly       global   0
    aceprimdata  ResourceOwner     global   unknown
    aceprimdata  TriggerEvent      global   0
    aceprimdata  ArgListValues     vfail1   /data /dev/dsk/c1t0d0s3 ufs "" -y 0
    aceprimdata  ArgListValues     vfail2   /data /dev/dsk/c1t0d0s3 ufs "" -y 0
    aceprimdata  ConfidenceLevel   vfail1   100
    aceprimdata  ConfidenceLevel   vfail2   0
    aceprimdata  Flags             vfail1
    aceprimdata  Flags             vfail2
    aceprimdata  IState            vfail1   not waiting
    aceprimdata  IState            vfail2   not waiting
    aceprimdata  Probed            vfail1   1
    aceprimdata  Probed            vfail2   1
    aceprimdata  Start             vfail1   1
    aceprimdata  Start             vfail2   0
    aceprimdata  State             vfail1   ONLINE
    aceprimdata  State             vfail2   OFFLINE
    aceprimdata  BlockDevice       global   /dev/dsk/c1t0d0s3
    aceprimdata  FSType            global   ufs
    aceprimdata  FsckOpt           global   -y
    aceprimdata  MountOpt          global
    aceprimdata  MountPoint        global   /data
    aceprimdata  SnapUmount        global   0
    aceprimip    Group             global   aceprimary
    aceprimip    Type              global   IP
    aceprimip    AutoStart         global   1
    aceprimip    Critical          global   1
    aceprimip    Enabled           global   1
    aceprimip    LastOnline        global   vfail1
    aceprimip    MonitorOnly       global   0
    aceprimip    ResourceOwner     global   unknown
    aceprimip    TriggerEvent      global   0
    aceprimip    ArgListValues     vfail1   eri0 192.168.60.96 "" "" 1 0
    aceprimip    ArgListValues     vfail2   eri0 192.168.60.96 "" "" 1 0
    aceprimip    ConfidenceLevel   vfail1   100
    aceprimip    ConfidenceLevel   vfail2   0
    aceprimip    Flags             vfail1
    aceprimip    Flags             vfail2
    aceprimip    IState            vfail1   not waiting
    aceprimip    IState            vfail2   not waiting
    aceprimip    Probed            vfail1   1
    aceprimip    Probed            vfail2   1
    aceprimip    Start             vfail1   1
    aceprimip    Start             vfail2   0
    aceprimip    State             vfail1   ONLINE
    aceprimip    State             vfail2   OFFLINE
    aceprimip    Address           global   192.168.60.96
    aceprimip    ArpDelay          global   1
    aceprimip    Device            global   eri0
    aceprimip    IfconfigTwice     global   0
    aceprimip    NetMask           global
    aceprimip    Options           global
    aceprimnic   Group             global   aceprimary
    aceprimnic   Type              global   NIC
    aceprimnic   AutoStart         global   1
    aceprimnic   Critical          global   1
    aceprimnic   Enabled           global   1
    aceprimnic   LastOnline        global   vfail1
    aceprimnic   MonitorOnly       global   0
    aceprimnic   ResourceOwner     global   unknown
    aceprimnic   TriggerEvent      global   0
    aceprimnic   ArgListValues     vfail1   eri0 ether 1 1 192.168.60.2
    aceprimnic   ArgListValues     vfail2   eri0 ether 1 1 192.168.60.2
    aceprimnic   ConfidenceLevel   vfail1   100
    aceprimnic   ConfidenceLevel   vfail2   100
    aceprimnic   Flags             vfail1
    aceprimnic   Flags             vfail2
    aceprimnic   IState            vfail1   not waiting
    aceprimnic   IState            vfail2   not waiting
    aceprimnic   Probed            vfail1   1
    aceprimnic   Probed            vfail2   1
    aceprimnic   Start             vfail1   0
    aceprimnic   Start             vfail2   0
    aceprimnic   State             vfail1   ONLINE
    aceprimnic   State             vfail2   ONLINE
    aceprimnic   Device            global   eri0
    aceprimnic   NetworkType       global   ether
    aceprimnic   PingOptimize      global   1
    aceprimnic   NetworkHosts      vfail1   192.168.60.2
    aceprimnic   NetworkHosts      vfail2   192.168.60.2