To achieve the desired configuration, we need to first configure the systems as follows:
Root plus authentication broker (sys01)
Root plus authentication broker (sys02)
AT un-configured on passive nodes
Follow similar steps as in “VCS securable (UNIX) in insecure mode: use case 1.”
Authentication server in authentication broker only mode
Description
To achieve the desired configuration, we need to first configure the systems as follows:
Authentication broker mode (sys01)
Authentication broker mode (sys02)
Root running on sys03 which is not part of the cluster
Follow similar steps as in “VCS securable (UNIX) in insecure mode: use case 2.”
How to deploy on Tru Cluster
This section describes how to configure a Tru Cluster with a highly available root plus authentication broker.
Authentication server in root plus authentication broker mode
Description:
To achieve the desired configuration, we need to first configure the systems as follows:
Root plus authentication broker (sys01)
Root plus authentication broker is clustered.
The configuration of one node configures all other nodes as well.
Note: AT is installed using the ICS installer. Since Tru Cluster uses CFS (Cluster File System), all AT/AZ configuration directories are shared, so AT/AZ must be installed and configured on a single node only. There is no need to install or configure AT/AZ on every cluster node.
Select one node in the cluster that does not have AT installed or configured; this is the node from which AT will be configured in highly available mode. When the AT package is installed on this node, it is automatically installed on the other nodes as well.
Using ICSInstaller to install AT package on all nodes
To install the AT package on all nodes
1 Run ./installics command from the directory where you un-tarred the ICS package on sys01.
2 It will display the following menu:
3 Select (I) for Installation. If AT is already installed, uninstall it and start from step 1.
VERITAS Infrastructure Core Services Installer 1.2.3.45
VERITAS Product Version Installed Licensed
VERITAS Infrastructure Core Services        no   N/A
VERITAS Private Branch Exchange             no   N/A
VERITAS Authentication Service              no   N/A
VERITAS Service Management Framework        no   N/A
VERITAS Authorization Service               no   N/A
Selection Menu:
I: Install/Upgrade a Product
C: Configure an Installed Product
L: License a Product
P: Perform a Preinstallation Check
U: Uninstall a Product
D: View a Product Description
Q: Quit
?: Help
Enter a Selection: [I, C, L, P, U, D, Q, ?] (I)
4 Once the menu is selected, the ICS installer shall prompt to choose the product to be installed. Select AT, option 3.
5 Enter the name of the active node, i.e. sys01, on which you want to install AT.
6 Press Enter when the ICS installer asks for confirmation.
VERITAS Infrastructure Core Services Installer 1.2.3.45
1) VERITAS Infrastructure Core Services
2) VERITAS Private Branch Exchange
3) VERITAS Authentication Service
4) VERITAS Service Management Framework
5) VERITAS Authorization Service
B) Back to previous menu
Select a product to install: [1-5, b, q]
VERITAS Authentication Service 4.3.33.2
Enter the system names separated by spaces on which to install AT: sys01
Checking system communication:
Checking OS version on sys01 ... OSF1 V5.1
Checking system support for sys01 ... OSF1 V5.1 supported by AT
Checking VRTSat package ... not installed
Using rsh and rcp to communicate with remote systems.
Initial system check completed successfully.
Press [Return] to continue:
installics will install the following AT subsets on OSF1 target systems: sys01
VRTSat    VERITAS Authentication Service
Press [Return] to continue:
7 The ICS installer now checks for disk space and dependent packages. Press Enter once the checks are successful.
8 The ICS installer asks for a passphrase. It may consist of any characters (minimum of 6).
VERITAS Authentication Service 4.3.33.2
Checking system installation requirements:
Checking AT installation requirements on OSF1 target systems: sys01
Checking AT installation requirements on sys01:
Checking for external dependencies ... all external dependencies satisfied
Checking file system space ... required space is available
Stopping VRTSat processes ...Done
Installation requirements checks completed successfully.
Press [Return] to continue:
VERITAS Authentication Service 4.3.33.2
You are required to specify a passphrase with minimum of 6 characters. This passphrase will be used to protect sensitive information gathered during product configuration. All sensitive information stored in the response file will be encrypted with this passphrase.
Please remember the passphrase you have entered. You will not be able to perform silent installation without this passphrase.
Enter a passphrase with minimum of six (6) characters
9 Select Yes for AT server installation
10 Once installation is done on sys01, ICS installer shall prompt for AT configuration on active sys01 node. Select yes.
Do you want to install the AT Server? [y,n,q] (y)
Installing AT Server and Client ... Done
VERITAS Authentication Service 4.3.33.2
Checking VERITAS Authentication Service 4.3.33.2 packages on sys01:
Checking VRTSat package ... not installed
Press [Return] to continue:
VERITAS Authentication Service 4.3.33.2
Installing VERITAS Authentication Service 4.3.33.2 on sys01:
Installing VRTSat 4.3.33.2 on sys01 ... done 1 of 1 steps
VERITAS Authentication Service 4.3.33.2 installation completed successfully.
Press [Return] to continue:
VERITAS Authentication Service 4.3.33.2
It is optional to configure AT now. If you choose to configure AT later, you can either do so manually or run the installics -configure command.
Are you ready to configure AT on sys01? [y, n, q] (y)
11 You will be asked a set of AT configuration-related questions.
12 Select root plus authentication broker mode, option 3, for active node sys01.
For AT 4.2 say NO to cluster configuration through ICSInstaller.
If you are deploying AT 4.3 using ICS 1.4.x, then you need to say YES to cluster configuration and enter the virtual name for AT.
installics will now ask sets of AT configuration-related questions.
When a [b] is presented after a question, 'b' may be entered to go back to the first question of the configuration set.
When a [?] is presented after a question, '?' may be entered for help or additional information about the question.
Following each set of questions, the information you have entered will be presented for confirmation. To repeat the set of questions and correct any previous errors, enter 'n' at the confirmation prompt.
No configuration changes are made to the systems until all configuration questions are completed and confirmed.
Press [Return] to continue:
1) Root Broker Only.
2) Authentication Broker Only.
3) Authentication + Root Broker.
Enter the mode in which you want to install VRTSat [1-3,q]
Cluster configuration should be done finally by running the AT high availability scripts and not through ICS installers.
After this step, AT gets installed on all nodes of the cluster with the chosen AT mode.
13 The AT package is now installed on all nodes, and AT is configured on all nodes of the cluster because of the Cluster File System (AT is upgraded on all nodes of the cluster automatically).
VCS appears to be installed and running. Going ahead with cluster configuration
Do you want the installer to do a cluster configuration for Authentication Service? [y,n,q] (n)
VERITAS Authentication Service 4.3.33.2
Configuring VERITAS Authentication Service:
VERITAS Authentication Service configured successfully.
Press [Return] to continue:
VERITAS Authentication Service 4.3.33.2
Starting Authentication daemon ... Done
VERITAS Authentication Service was started successfully.
Press [Return] to continue:
VERITAS Authentication Service 4.3.33.2
The installation response file is saved at:
/opt/VRTS/install/logs/installics1002002901.response
The installics log is saved at:
/var/tmp/installics1002002901/installics.log
14 Make AT highly available from the active node.
From /opt/VRTSat/bin, run the cluster configuration script in either silent or interactive mode. For details of the script options, refer to “Procedures.”
/opt/VRTSat/bin/tcvxat -setvirtualname <cluster name>
[Note: Use “clu_get_info” to find out cluster name.]
# clu_get_info
Cluster information for cluster truclussym
/opt/VRTSat/bin/tcvxat -register
15 Install AZ 4.3 package on active node sys01 using ICSinstaller. Steps are similar to AT installation steps 1-9.
16 Configure AZ on the active node, which in turn configures AZ on all nodes of the cluster automatically.
17 Make sure that the AZ process is not up before initiating the AZ high availability process.
Make AZ highly available from the active node (where AT is also running now).
From /opt/VRTSaz/bin, run the cluster configuration script in either silent or interactive mode. For example:
/opt/VRTSaz/bin/tcvxaz -register
Authentication server in authentication broker only mode
This section describes how to configure a Tru Cluster with a highly available authentication broker.
Description
To achieve the desired configuration, we need to first configure the systems as follows:
Authentication broker (sys01)
That is, the authentication broker is clustered. The configuration of one node configures all other nodes as well.
Note: AT is installed using the ICS installer. Since Tru Cluster uses CFS (Cluster File System), all AT/AZ configuration directories are shared, so AT/AZ must be installed and configured on a single node only. There is no need to install or configure AT/AZ on every cluster node.
1 Create principals on sys03 (where the root resides) for the authentication broker that will be configured on all nodes of the cluster. Because of the shared file system, AT on every node is configured with the same identity.
For example, run the following command:
vssat addprpl --pdrtype root --domain root --prplname id_az
2 None of the cluster nodes should have AT installed or configured.
Select one node to be the active node in the cluster. You will configure AT in high availability mode from this node.
On the active node, say sys01, install the AT package. The AT package is installed on the other nodes automatically.
Using ICSInstaller to install AT package on all nodes
To install AT package on all nodes
1 Run the ./installics command from the directory where you un-tarred the ICS package on sys01.
2 It will display the following menu:
3 Select (I) for Installation. If AT is already installed, uninstall it and start from step 1.
VERITAS Infrastructure Core Services Installer 1.2.3.45
VERITAS Product Version Installed Licensed
VERITAS Infrastructure Core Services        no   N/A
VERITAS Private Branch Exchange             no   N/A
VERITAS Authentication Service              no   N/A
VERITAS Service Management Framework        no   N/A
VERITAS Authorization Service               no   N/A
Selection Menu:
I) Install/Upgrade a Product
C) Configure an Installed Product
L) License a Product
P) Perform a Preinstallation Check
U) Uninstall a Product
D) View a Product Description
Q) Quit
?) Help
Enter a Selection: [I, C, L, P, U, D, Q, ?] (I)
4 Once the menu is selected, the ICS installer prompts you to choose the product to be installed. Select AT, i.e. option 3.
5 Enter the name of the active node, i.e. sys01, on which you want to install AT.
6 Press Enter when the ICS installer asks for confirmation.
VERITAS Infrastructure Core Services Installer 1.2.3.45
1) VERITAS Infrastructure Core Services
2) VERITAS Private Branch Exchange
3) VERITAS Authentication Service
4) VERITAS Service Management Framework
5) VERITAS Authorization Service
B) Back to previous menu
Select a product to install: [1-5, b, q]
VERITAS Authentication Service 4.3.33.2
Enter the system names separated by spaces on which to install AT: sys01
Checking system communication:
Checking OS version on sys01 ...OSF1 V5.1
Checking system support for sys01 ... OSF1 V5.1 supported by AT
Checking VRTSat package ... not installed
Using rsh and rcp to communicate with remote systems.
Initial system check completed successfully.
Press [Return] to continue:
installics will install the following AT subsets on OSF1 target systems: sys01
VRTSat    VERITAS Authentication Service
Press [Return] to continue:
7 The ICS installer now checks for disk space and dependent packages. Press Enter once the checks are successful.
8 The ICS installer asks for a passphrase. It may consist of any characters (minimum of 6).
VERITAS Authentication Service 4.3.33.2
Checking system installation requirements:
Checking AT installation requirements on OSF1 target systems: sys01
Checking AT installation requirements on sys01:
Checking for external dependencies ... all external dependencies satisfied
Checking file system space ... required space is available
Stopping VRTSat processes ... Done
Installation requirements checks completed successfully.
Press [Return] to continue:
VERITAS Authentication Service 4.3.33.2
You are required to specify a passphrase with minimum of 6 characters. This passphrase will be used to protect sensitive information gathered during product configuration. All sensitive information stored in the response file will be encrypted with this passphrase.
Please remember the passphrase you have entered. You will not be able to perform silent installation without this passphrase.
Enter a passphrase with minimum of six (6) characters
9 Select Yes for AT server installation
10 Once Installation is done on sys01, ICS installer shall prompt for AT configuration on active sys01 node. Select yes.
Do you want to install the AT Server? [y,n,q] (y)
Installing AT Server and Client ... Done
VERITAS Authentication Service 4.3.33.2
Checking VERITAS Authentication Service 4.3.33.2 packages on sys01:
Checking VRTSat package ... not installed
Press [Return] to continue:
VERITAS Authentication Service 4.3.33.2
Installing VERITAS Authentication Service 4.3.33.2 on sys01:
Installing VRTSat 4.3.33.2 on sys01 ... done 1 of 1 steps
VERITAS Authentication Service 4.3.33.2 installation completed successfully.
Press [Return] to continue:
VERITAS Authentication Service 4.3.33.2
It is optional to configure AT now. If you choose to configure AT later, you can either do so manually or run the installics -configure command.
Are you ready to configure AT on sys01? [y, n, q] (y)
11 You will now be asked a set of AT configuration-related questions.
12 Select authentication broker mode i.e. option 2 for active node sys01.
For AT 4.2 say NO to cluster configuration through ICSInstaller.
If you are deploying AT 4.3 using ICS 1.4.x, then you need to say YES to cluster configuration and enter the virtual name for AT.
VERITAS Authentication Service 4.3.33.2
installics will now ask sets of AT configuration-related questions.
When a [b] is presented after a question, 'b' may be entered to go back to the first question of the configuration set.
When a [?] is presented after a question, '?' may be entered for help or additional information about the question.
Following each set of questions, the information you have entered will be presented for confirmation. To repeat the set of questions and correct any previous errors, enter 'n' at the confirmation prompt.
No configuration changes are made to the systems until all configuration questions are completed and confirmed.
Press [Return] to continue:
VERITAS Authentication Service 4.3.33.2
1) Root Broker Only.
2) Authentication Broker Only.
3) Authentication + Root Broker.
Enter the mode in which you want to install VRTSat [1-3,q]
Cluster configuration should be done finally by running the AT high availability scripts and not through ICS installers.
Note: After this step, AT is installed and configured on all nodes of the cluster in authentication broker mode.
13 The AT package is now installed on all nodes, and AT is configured on all nodes of the cluster because of the Cluster File System (AT is upgraded on all nodes of the cluster automatically).
14 Make AT highly available from the active node.
From /opt/VRTSat/bin, run cluster configuration script in either silent or interactive mode. For more details for script options refer to “Procedures.”
For example:
/opt/VRTSat/bin/tcvxat -setvirtualname <cluster name>
Use clu_get_info to find out cluster name, as follows:
# clu_get_info
Cluster information for cluster truclussym
/opt/VRTSat/bin/tcvxat -register
15 Install AZ 4.3 package on active node sys01 using ICSinstaller. Steps shall be similar to AT installation.
VERITAS Authentication Service 4.3.33.2
Configuring VERITAS Authentication Service:
VERITAS Authentication Service configured successfully.
Press [Return] to continue:
VERITAS Authentication Service 4.3.33.2
Starting Authentication daemon ... Done
VERITAS Authentication Service was started successfully.
Press [Return] to continue:
VERITAS Authentication Service 4.3.33.2
The installation response file is saved at:
/opt/VRTS/install/logs/installics1002002901.response
The installics log is saved at:
/var/tmp/installics1002002901/installics.log
16 Configure AZ on the active node, which in turn configures AZ on all nodes of the cluster automatically.
17 Make sure that the AZ process is not up before initiating the AZ high availability process. Make AZ highly available from the active node (where AT is also running now).
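As an added example (not part of the Veritas guide), the shell wrapper below ties together step 14 (tcvxat -setvirtualname and -register from the active node) and step 17 (confirm that the AZ process is down before tcvxaz -register), which are the same in both the root plus authentication broker and the authentication broker only procedures. The commands clu_get_info, tcvxat and tcvxaz and the paths /opt/VRTSat/bin and /opt/VRTSaz/bin are the ones the guide names; the function names, the DRY_RUN switch, the AZ daemon name placeholder and the sample clu_get_info and ps output are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not the Veritas guide's own code: wraps step 14 (make AT highly
# available) and the step 17 precheck (AZ process must be down) of the
# Tru Cluster procedure. clu_get_info, tcvxat, tcvxaz and the two bin paths are
# taken from the guide; the function names, DRY_RUN, the AZ daemon placeholder
# and the sample inputs are assumptions constructed for this example.

AT_BIN=/opt/VRTSat/bin
AZ_BIN=/opt/VRTSaz/bin
DRY_RUN=${DRY_RUN:-1}   # 1: only print the commands (safe anywhere); 0: execute them

# The guide does not name the AZ daemon, so a placeholder is used here;
# override it with the real process name on the active node.
AZ_PROCESS=${AZ_PROCESS:-AZ_DAEMON_PLACEHOLDER}

# Extract the cluster name from clu_get_info output. The guide shows the line
# "Cluster information for cluster truclussym"; the name is the word after "cluster".
cluster_name_from_info() {
    printf '%s\n' "$1" |
        sed -n 's/^Cluster information for cluster[ ][ ]*\([^ ]*\).*$/\1/p' |
        head -n 1
}

# Succeed (exit 0) only if no process line in the ps output ($2, header line
# included) contains the process name ($1).
process_absent() {
    printf '%s\n' "$2" | awk -v name="$1" '
        NR > 1 && index($0, name) > 0 { found = 1 }
        END { exit found ? 1 : 0 }'
}

# Execute a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# Step 14: set the AT virtual name to the cluster name, then register with the cluster.
make_at_ha() {
    name=$(cluster_name_from_info "$1")
    if [ -z "$name" ]; then
        echo "cluster name not found in clu_get_info output" >&2
        return 1
    fi
    run "$AT_BIN/tcvxat" -setvirtualname "$name" && run "$AT_BIN/tcvxat" -register
}

# Step 17: refuse to register AZ while its process is still running.
make_az_ha() {
    if ! process_absent "$1" "$2"; then
        echo "AZ process '$1' is still up; stop it before initiating AZ high availability" >&2
        return 1
    fi
    run "$AZ_BIN/tcvxaz" -register
}

# Constructed sample inputs standing in for live clu_get_info and ps output.
SAMPLE_CLU_INFO='Cluster information for cluster truclussym
Number of members configured = 2'
SAMPLE_PS_IDLE='  PID TTY      TIME CMD
  101 ??       0:00 /sbin/init'
SAMPLE_PS_AZ_UP='  PID TTY      TIME CMD
  101 ??       0:00 /sbin/init
  202 ??       0:01 /opt/VRTSaz/bin/AZ_DAEMON_PLACEHOLDER'

main() {
    make_at_ha "$SAMPLE_CLU_INFO"
    make_az_ha "$AZ_PROCESS" "$SAMPLE_PS_AZ_UP" || echo "AZ registration blocked by the precheck, as intended"
    make_az_ha "$AZ_PROCESS" "$SAMPLE_PS_IDLE"
}

main "$@"
```

Run it as is to see the commands it would issue against the sample data; on the active node, set DRY_RUN=0 and AZ_PROCESS to the real daemon name, and feed make_at_ha the output of clu_get_info and make_az_ha the output of ps. The precheck mirrors the guide's step 17: registering AZ while its process is up is refused rather than attempted.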
Access Token
A data structure generated for an authentication principal when the principal logs on and containing that authentication principal's security identifier, identifiers for groups the principal belongs to, and a list of the privileges the principal has on the local computer where he or she logged in. The access token defines the security context for the authentication principal.
Account Name
An alternative term for “authentication principal.”
Administration Console
A graphical interface used to administer Authentication. For example, the administrator uses it to indicate the location of the different components, trust relationships, plugins, private Symantec domains, etc.
Application Client
A program that accesses a service or function provided by another program, called an application service. An example of an application client is the Symantec Volume Manager GUI. An application client uses Authentication to validate the ID of the user of that client.
Application Host
The machine on which an application is running.
Application Service
A program that is contacted by, and provides services to, an application client.
AT
In CLI command usage and in certain graphics, an abbreviation referring to Authentication.
Authentication Broker
The component that serves, one level beneath the Root Broker, as an intermediate registration authority and a certification authority. The Authentication Broker can authenticate clients, such as users or services, and grant them a certificate that will become part of the product credential. An Authentication Broker cannot, however, authenticate other brokers. That task must be performed by the Root Broker.
Authentication Broker Tree
A three level certificate hierarchy which includes all the identified entities whose certificates chain up to a single root certificate.
Authentication Group
A named collection of authentication principals, established in a native operating system, and treated as a single entity for the sake of convenience and ease. All members of an authentication group will be from the same authentication domain. The product credential will contain a list of all groups the principal belongs to in that authentication domain. Also called OS Group.
Authentication Library
The part of the Symantec Product Authentication Service that links with an application client and implements the program calls it must make in order to request authentication.
Authentication Mechanism
The method by which authentication is conducted for principals in a specific name-space defined by a domain. For example, a Kerberos domain uses Kerberos tickets and password.
In UNIX platforms, Kerberos domains are used through the GSS-API. An authentication mechanism encapsulates all the details of the authentication algorithm, including APIs, protocols, token formats, token contents semantics and database objects formats. Not all the ingredients are relevant in all mechanisms.
Authentication Plugin
A component used by the Authentication Broker to validate identities within a particular domain. An authentication plugin exists for each supported authentication mechanism.
For example, one plugin can validate NIS identity and password combinations against an NIS database, while another uses a Kerberos ticket to authenticate the principal.
Authentication Principal
A user, computer, or process such as a command line interface (CLI) or service that has the ability to authenticate to Symantec Product Authentication Service with a unique identity.
An authentication principal differs from a security principal in that not all security principals can validate; nor are they all accountable for their actions.
Authentication Private Domain
A specialized authentication domain used to hold identities and password hashes for authentication principals unique to, and managed by, Symantec products for which customers do not want to reuse an existing identity in another domain. Authentication private domains can be used to hold identities of point products, such as SAN Point Control and Volume Manager.
Authentication Private Domain Repository (PDR)
A store of one or more authentication private domains. The Authentication Broker loads this repository, and principals are checked against it in order to be validated.
Boundary Condition
The starting point or initial state of something.
Certificate
A type of electronic passport or ID card that vouches for the identity of its holder and ties