Symantec Product Authentication Service Release Notes



Authentication Service

Release Notes

Linux, Microsoft Windows, and UNIX


Copyright ©2008 Symantec Corporation. All rights reserved. Symantec Product Authentication Service (AT) Release Notes Doc Version: 13.5

Symantec, the Symantec logo, Symantec Product Authentication Service (AT) are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THIS DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be “commercial computer software” and “commercial computer software documentation” as defined in FAR Sections 12.212 and DFARS Section 227.7202.

Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014

www.symantec.com


Third-party software may be recommended, distributed, embedded, or bundled with this Symantec product. Such third-party software is licensed separately by its copyright holder. All third-party copyrights associated with this product are listed in the accompanying release notes.

AIX is a registered trademark of IBM Corporation.

HP-UX is a registered trademark of Hewlett-Packard Development Company, L.P.

Linux is a registered trademark of Linus Torvalds. Solaris is a trademark of Sun Microsystems, Inc.

Windows is a registered trademark of Microsoft Corporation.

Technical support

For technical assistance, visit http://support.veritas.com (rather than http://support/symantec.com) and select phone or email support. Use the Knowledge Base search feature to access resources such as TechNotes, product alerts, software downloads, hardware compatibility lists, and our customer email notification service.


Contents

Chapter 1 Overview
  About branding
  Product version
  New in this release
    VSSAT CLIs for LDAP configuration
    Storing obfuscated password in the config file
    Limited support for PAM authentication plug-in
    AuthSequence for unixpwd plug-in
    New utilities
    Broker credential renewal
  Chart of fixed incidents
  Upgrading to higher versions
  Available documentation

Chapter 2 Requirements and alerts
  Supported platforms
  LIBRARY_PATH requirement with installvss
  Required patches and service packs
  Solaris zone support
  Not supported
  How to use GSS-API on non-standard Solaris
  How to check that you have SEAM
  How to connect to authorization server on UNIX platforms
  When you must remove startup scripts in cluster configuration
  Home directory requirement
  How to choose patch vs. fresh installation

Chapter 3 Known Issues
  Chart of open incidents
  Numbered issues
    (1374044) Unneeded config actions required while upgrading AT binaries
    (1380848) Failure in detecting primary group for LDAP user
    (1536557) No upgrade option for AT Client package on Sun AMD platform
    (1670558) Unable to make AT HA on MSCS W2k8 AMD machine
    (1706555) vxatd process doesn't come up after upgrade
    (1713170) setuptrust takes 1 min if pbx is not running on broker
    (1719059) Domainname needs to be passed for localhost authentication to succeed

Chapter 4 Procedures
  Common terms
  Install AT
    Tasks that you must complete for successful installation
    About installing and configuring an authentication broker
    Installing on Windows
    UNIX installation scripts: when to use install vs. installics
    Installing root plus authentication broker on UNIX
    Installing authentication broker only on UNIX
    Installing root broker only on UNIX
    About the encryption and the response files
    About rollback functionality
  Upgrade AT
    Secure cluster upgrades
    Non-secure cluster upgrades
  Steps for AT cluster configuration (all solutions)
  How to configure AT into Microsoft Cluster Server
    Steps to Configure AT into Microsoft Cluster Server
    Steps to Verify Cluster Configuration for Microsoft Cluster Server
  How to configure AT into VCS on Windows
    Sequence of steps for configuration and unconfiguration
    Detailed steps to configure AT into VCS on Windows
    Example of input prompts for interactive mode
    Configuration File Details for Windows
    How to verify configuration of authentication into VCS on Windows
    Unconfiguring authentication from VCS on Windows
  How to configure AT into VCS on UNIX
    How to check whether AT has already been configured
    Steps to configure AT into VCS on UNIX
    Configuration file details on UNIX
    How to verify configuration of AT into VCS on UNIX
    Unconfiguring AT from VCS on UNIX
  How to configure AT into Tru64
    Steps to configure AT into Tru64
    How to verify configuration status on Tru64
  Steps to configure AT into Sun Cluster
    How to verify configuration into Sun Cluster
    AT SunCluster unconfiguration steps
  How to configure AT on HACMP
    Configuring AT on HACMP
    How to verify configuration on HACMP
    Unconfiguring AT on HACMP
    HACMP configuration details
  How to configure AT on HP Serviceguard
    How to configure AT into HP-SG
    Configuring silently
    Configuring interactively
    How to verify configuration status
    How to unconfigure authentication from HP-SG
  Uninstall
    Considerations before you uninstall
    How to uninstall
  About authenticating users in active directory
    Prerequisite for LDAP with AD
    Checking for LDAP compatibility
    Finding whether you have ldapsearch
    Searching users in active directory
    Configuring LDAP authentication
    Testing the configuration

Chapter 5 Tools
  The srvscan tool
  The new service scan dialog box in Windows install
  The findrb tool

Chapter 6 Clarifications
  Clarifications related to Installation Guide
    Directories that are spared from deletion
    How to find domain name
    Reminder to restart service
    Prompt appears only in cluster
    Uninstallation of selected features on Windows
    The term package name
    Location of log files, summary files, and response file on UNIX
  Clarifications related to Administrator’s Guide
    User name and domain name requirements
    Expanded information on the -t option in vxatd
    Updating a principal
    How to access the CLI
    Minimum and maximum lengths
    Remote CLIs that accept only PBX port

Chapter 7 Recommendations
  Minimize the number of root brokers to one
  Remember to back up the broker’s critical data
    Backing up on Windows
    Backing up on UNIX
    Restoring the broker’s data on Windows
    Restoring the broker’s data on UNIX
  Limit use of private domain repository accounts to Symantec services only
  Use care when entering passwords
  What to do if you have trouble starting vxatd
  When you must restart Authentication Broker on trusted HP systems
  Avoid sudden stops on Windows broker

Chapter 8 Procedures for HA deployment of the AT and AZ services
  How to deploy on VERITAS Cluster Server
    Terminology
    Steps to recognize which VCS mode you have
    How to determine whether a securable cluster is secured
    VCS non-securable (UNIX)
      VCS non-securable mode (UNIX): use case 1
      VCS non-securable mode (UNIX): use case 2
    VCS securable (UNIX)
      VCS securable (UNIX), used in insecure mode
      VCS securable (UNIX), used in the secure mode
    Veritas Cluster Server (Windows)
      Pre-requisites
    VCS securable (Windows)
      VCS securable (Windows) used in insecure mode: use case 1
      VCS securable (Windows) used in insecure mode: use case 2
      VCS securable (Windows) used in the secure mode: use case 1
      VCS securable (Windows) used in the secure mode: use case 2
  How to deploy on Microsoft Cluster Server
    Authentication server in root plus authentication broker mode
  How to deploy on SUN Cluster, HPSG, HACMP
    Authentication server in root plus authentication broker mode
    Authentication server in authentication broker only mode
  How to deploy on Tru Cluster
    Authentication server in root plus authentication broker mode
    Authentication server in authentication broker only mode

Chapter 1

Overview

This chapter includes the following topics:

■ “About branding”
■ “Product version”
■ “New in this release”
■ “Chart of fixed incidents”
■ “Upgrading to higher versions”


About branding

Any version prior to this full-decimal release will not be re-branded and will continue to refer to Symantec Product Authentication Service and Symantec Product Authorization Service together as a single product called VERITAS Security Services or VSS.

Product version

These Release Notes for Symantec Product Authentication Service (AT) pertain to build 4.3.43.x.

New in this release

VSSAT CLIs for LDAP configuration

The following LDAP configuration CLIs are back-ported from version 4.4 to version 4.3 to cover the StateStreet issues.

listldapdomains

Name

listldapdomains

Synopsis

For this command, use the following syntax, without line breaks:

vssat listldapdomains

Description

Use this command to list all the LDAP domains in the authentication broker. This command needs no additional parameters. Output is similar to the following:

listldapdomains ---Found: 2
Domain Name: VSS
Server URL: ldap://your_ldap_server.com
SSL Enabled: No
User Base DN: <distinguished name of your user container>
User Object Class: posixAccount
User Attribute: uid
User GID Attribute: gidNumber
Group Base DN: <distinguished name of your group container>
Group Object Class: posixGroup
Group Attribute: cn
Group GID Attribute: gidNumber
...

Arguments

None

addldapdomain

Name

addldapdomain

Synopsis

For this command, use the following syntax, without line breaks:

vssat addldapdomain --domainname <domain name> --server_url <server URL> --user_base_dn <user base DN> --group_base_dn <group base DN> [--server_trusted_ca_file <trusted CA file name>] [--schema_type <rfc2307 | msad> | --user_object_class <user object class> --user_attribute <user attribute> --user_gid_attribute <user GID attribute> --group_object_class <group object class> --group_attribute <group attribute> --group_gid_attribute <group GID attribute>] [--auth_type <FLAT | BOB | FLAT SKIPNESTED | BOB SKIPNESTED>] [--admin_user <admin user DN>] [--admin_user_password <admin user password>] [--search_scope <SUB | ONE | BASE>]

Description

Use this command to add an LDAP domain to the authentication broker. Users not familiar with how LDAP operates must work with their LDAP administrators to determine the following information:

■ What type of LDAP directory the enterprise uses (for example, Microsoft Active Directory, OpenLDAP, or iPlanet). The type of LDAP directory dictates the schema to use.

■ The URL of the LDAP directory. For example, "ldap://my_ldap_host.mydomain.myenterprise.com:389" or "ldaps://my_ssl_ldap_host.mydomain.myenterprise.com".

Note: An LDAP URL must start with "ldap://" for a non-SSL directory, or "ldaps://" for an SSL-enabled LDAP directory.

■ The distinguished name (DN) of the users container. Normally, the users container is in one of the naming contexts. For most LDAP directories, you can use the ldapsearch utility, provided by the directory vendor, to find out the naming contexts. For example:

ldapsearch -x -h <my host> -s base -b "" namingContexts

For Microsoft Active Directory, the users container resembles this example: cn=users,dc=<domain name>,dc=<enterprise name>,dc=com

■ The distinguished name (DN) of the groups container. Normally, the groups container is in one of the naming contexts. For most LDAP directories, you can use the ldapsearch utility, provided by the directory vendor, to find out the naming contexts. For example:

ldapsearch -x -h <my host> -s base -b "" namingContexts

For Microsoft Active Directory, the groups container resembles this example: cn=users,dc=<domain name>,dc=<enterprise name>,dc=com

■ The schema used for users and groups.

If the enterprise has migrated its NIS data to the LDAP directory according to Request For Comments 2307, it must use the RFC 2307 schema. RFC 2307 uses the "posixAccount" objectclass for user objects and the "posixGroup" objectclass for group objects. If the enterprise uses Microsoft Active Directory, it must use the Microsoft Active Directory schema. In this schema, the "user" objectclass facilitates both user and group objects.

If the enterprise uses neither RFC 2307 nor Microsoft Active Directory, it must determine the following:

■ The LDAP objectclass for user objects.

■ The LDAP objectclass for group objects.

■ The user attribute in the user objectclass that carries the user name/ID. The following rule is used to construct the DN of the user entry:

<user attribute>=<user name>,<user container DN>

For example, if the user attribute is configured to "cn", the users container DN is configured to "dc=mydomain,dc=myenterprise,dc=com", and the user name for the authenticate call is "jdoe", the LDAP DN for "jdoe" is:

cn=jdoe,dc=mydomain,dc=myenterprise,dc=com

■ The group identifier (GID) attribute in the user objectclass that identifies the groups the given user belongs to.

■ The group attribute in the group objectclass that carries the group name. The following rule is used to construct the DN of the group entry:

<group attribute>=<group name>,<group container DN>

For example, if the group attribute is configured to "cn", the groups container DN is configured to "dc=mydomain,dc=myenterprise,dc=com", and the group name is "adm", the LDAP DN for "adm" is:

cn=adm,dc=mydomain,dc=myenterprise,dc=com

■ The group ID attribute in the group objectclass that carries the group ID of the given group.

Note: It is not mandatory to restart the broker after adding the LDAP domain. However, the 'vssat authenticate' command will not work for the newly added domain without the broker parameter until the broker is restarted.

Required arguments

--domainname <domain name>

A symbolic name that uniquely identifies an LDAP domain.

--server_url <server URL>

The URL of the LDAP directory server for the given domain. The LDAP server URL must start with either "ldap://" or "ldaps://". Starting with "ldaps://" indicates that the given LDAP server requires an SSL connection (for example, "ldaps://my-server.myorg.com:443"). If the LDAP server URL starts with "ldaps://", you must also specify --server_trusted_ca_file.

--user_base_dn <user base DN>

The LDAP distinguished name of the user container. For example, ou=user,dc=mydomain,dc=myenterprise,dc=com.

--group_base_dn <group base DN>

The LDAP distinguished name of the group container. For example, ou=group,dc=mydomain,dc=myenterprise,dc=com.

--auth_type <FLAT | BOB>

A string that dictates the type of LDAP authentication mechanism used for the given domain. "AuthType" can be either "FLAT" or "BOB". "FLAT" means the existing one-level bind; "BOB" means Bind-Search(Obtain)-Bind. In "BOB" mode, AT uses a proxy account to bind to the Active Directory, searches for the user's distinguished name, and then authenticates (binds as) the user. For example, "AuthType"="BOB".

--admin_user <admin user DN>

A string that contains the DN of the admin user, or of any user that has search permission on the user container or user subtree specified by "UserBaseDN". If the user container is searchable by anyone, including an anonymous user, this attribute can be set to an empty string. For example, "AdminUser"="".

--admin_user_password <admin user password>

A string that contains the bind password of the user specified in AdminUser. If AdminUser is an empty string, this attribute must also be an empty string. For example, "AdminUserPassword"="".

--search_scope <SUB | ONE | BASE>

A string that indicates the search scope. "SearchScope" can be "SUB", "BASE", or "ONE". For example, "SearchScope"="SUB".

Optional arguments

--server_trusted_ca_file <trusted CA file name>

The complete path to the file that contains the trusted CA certificates in PEM format. You must use this parameter if the given LDAP server URL starts with "ldaps://" (indicating the need for an SSL connection). If the given LDAP server URL starts with "ldap://", this parameter must be omitted.

--schema_type <rfc2307 | msad>

Specify which type of LDAP schema to use.

Note: If you use --schema_type, you must omit the following parameters: --user_object_class, --user_attribute, --user_gid_attribute, --group_object_class, --group_attribute, and --group_gid_attribute. These values are set automatically, based on the schema type you chose.

If you do not use --schema_type, neither the rfc2307 nor the msad values are set automatically, and you must provide the values yourself.

Two default schema types are currently supported:

■ rfc2307: the schema that is specified in RFC 2307
■ msad: the Microsoft Active Directory schema

With rfc2307, the following schema is used:

User Object Class: posixAccount
User Attribute: uid
User GID Attribute: gidNumber
Group Object Class: posixGroup
Group Attribute: cn
Group GID Attribute: gidNumber

With msad (Microsoft Active Directory), the following schema is used:

User Object Class: user
User Attribute: cn
Group Object Class: group
Group Attribute: cn
Group GID Attribute: cn

Note: For the msad schema, if you select the auth type "BOB", specify the user attribute as "sAMAccountName".

--user_object_class <user object class>

Specify the LDAP object class for the user object (for example, posixAccount). This parameter is required when --schema_type is absent; do not use it together with --schema_type.

--user_attribute <user attribute>

Specify the user attribute within the user object class. The user DN is built with the following syntax:

<user attribute>=<prplname>,<user base DN>

For example, the LDAP DN for jdoe is "cn=jdoe,dc=mydomain,dc=myenterprise,dc=com", where:

■ The <user attribute> is "cn"
■ The <prplname> is "jdoe"
■ The <user base DN> is "dc=mydomain,dc=myenterprise,dc=com"

Do not use this attribute if you use --schema_type.

--user_gid_attribute <user GID attribute>

Specify the attribute within the user object class that is used to retrieve the groups the user belongs to. Do not use this attribute if you use --schema_type.

--group_object_class <group object class>

Specify the LDAP object class for the group object (for example, posixGroup). Do not use this attribute if you use --schema_type.

--group_attribute <group attribute>

Specify the group attribute within the group object class. The group DN is built with the following syntax:

<group attribute>=<group>,<group base DN>

For example, the LDAP DN for adm is "cn=adm,dc=mydomain,dc=myenterprise,dc=com", where:

■ The <group attribute> is "cn"
■ The <group> is "adm"
■ The <group base DN> is "dc=mydomain,dc=myenterprise,dc=com"

Do not use this attribute if you use --schema_type.

--group_gid_attribute <group GID attribute>

Specify the attribute within the group object class that is used to retrieve the group ID of the given group. Do not use this attribute if you use --schema_type.
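The DN construction rules above (the <user attribute>=<user name>,<user container DN> rule in the description and the --user_attribute and --group_attribute entries), as an added example that is not part of the release notes or of the vssat tool. It builds the DNs for both schema types and for explicit attributes, and it escapes the name per RFC 4514 (and, for the BOB search filter, RFC 4515), a point the notes do not cover: without escaping, a name containing ',' or '=' would change which entry the broker binds as. The LdapDomain class, bind_plan and the helper names are this example's own, not vssat API.

```python
from dataclasses import dataclass
from typing import Optional

# Schema defaults as the release notes list them for --schema_type.
SCHEMA_DEFAULTS = {
    "rfc2307": {"user_attribute": "uid", "group_attribute": "cn"},
    "msad": {"user_attribute": "cn", "group_attribute": "cn"},
}

# Characters that RFC 4514 requires or permits to be escaped inside a DN value.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape a user or group name so it stays one attribute value in the DN.
    Without this, a name such as 'jdoe,ou=admins' would add an RDN to the DN."""
    if not value:
        raise ValueError("empty name is not a valid DN value")
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")
        elif ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape a value for the search filter used in BOB mode (RFC 4515 rules)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class LdapDomain:
    """The subset of addldapdomain parameters needed to build DNs."""
    user_base_dn: str
    group_base_dn: str
    schema_type: Optional[str] = None      # "rfc2307", "msad", or None for explicit attributes
    user_attribute: Optional[str] = None   # explicit --user_attribute
    group_attribute: Optional[str] = None  # explicit --group_attribute
    auth_type: str = "FLAT"                # "FLAT" or "BOB"

    def attrs(self) -> dict:
        a = dict(SCHEMA_DEFAULTS.get(self.schema_type, {}))
        # Release notes: with the msad schema and BOB, the user attribute is sAMAccountName.
        if self.schema_type == "msad" and self.auth_type == "BOB":
            a["user_attribute"] = "sAMAccountName"
        if self.user_attribute:
            a["user_attribute"] = self.user_attribute
        if self.group_attribute:
            a["group_attribute"] = self.group_attribute
        if "user_attribute" not in a or "group_attribute" not in a:
            raise ValueError("need --schema_type or explicit user/group attributes")
        return a


def user_dn(domain: LdapDomain, user_name: str) -> str:
    """<user attribute>=<user name>,<user container DN>"""
    return f"{domain.attrs()['user_attribute']}={escape_dn_value(user_name)},{domain.user_base_dn}"


def group_dn(domain: LdapDomain, group_name: str) -> str:
    """<group attribute>=<group name>,<group container DN>"""
    return f"{domain.attrs()['group_attribute']}={escape_dn_value(group_name)},{domain.group_base_dn}"


def bind_plan(domain: LdapDomain, user_name: str) -> list:
    """The bind sequence for an authenticate call. FLAT binds once as the constructed
    user DN; BOB binds as the proxy (admin) account, searches the user container for
    the user attribute, then binds as the DN the search returned."""
    if domain.auth_type == "FLAT":
        return ["bind as " + user_dn(domain, user_name)]
    attr = domain.attrs()["user_attribute"]
    return [
        "bind as the admin_user proxy account",
        f"search {domain.user_base_dn} for ({attr}={escape_filter_value(user_name)})",
        "bind as the DN returned by the search",
    ]
```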

Example 1

vssat addldapdomain --domainname MYADDOMAIN --server_url ldap://my_ad_host.mydomain.myenterprise.com -u cn=users,dc=mydomain,dc=myenterprise,dc=com --group_base_dn dc=users,dc=mydomain,dc=myenterprise,dc=com --schema_type msad

Example 2

vssat addldapdomain --domainname MYENTERPRISE --server_url ldap://my_openldap_host.myenterprise.com -u dc=people,dc=myenterprise,dc=com --group_base_dn dc=group,dc=myenterprise,dc=com --schema_type rfc2307

Example 3

vssat addldapdomain --domainname TESTDOMAIN --server_url ldap://myldapserver.myenterprise.com -u ou=users,ou=engineering,dc=myenterprise.com --group_base_dn ou=groups,ou=engineering,dc=myenterprise.com --user_object_class inetOrgPerson --user_attribute uid --user_gid_attribute gid --group_object_class MyDomainGroups --group_attribute cn --group_gid_attribute gid

Example 4

vssat addldapdomain --domainname TEST --server_url ldaps://my_openldap_host.myenterprise.com:443 --server_trusted_ca_file /user/local/openssl/trusted_cas.pem -u dc=people,dc=myenterprise,dc=com --group_base_dn dc=group,dc=myenterprise,dc=com --schema_type rfc2307

removeldapdomain

Name

removeldapdomain

Synopsis

For this command, use the following syntax, without line breaks:

vssat removeldapdomain --domain <domain to be removed>

Description

Use this command to remove an LDAP domain from the authentication broker.

Arguments

--domain <domain to be removed>

A symbolic name that uniquely identifies an LDAP domain.

Example

vssat removeldapdomain --domain MYADDOMAIN

Storing obfuscated password in the config file

To reduce security risk, the clear-text LDAP bind password is obfuscated before it is stored in the VRTSatlocal.conf file (the config file).

Both the broker and the LDAP configuration CLIs are enhanced to convert the clear-text bind password to its obfuscated form. The addldapdomain CLI saves the bind password of the LDAP user in obfuscated form. Similarly, the listldapdomains CLI does not display a clear-text bind password when it retrieves an LDAP domain; the password is shown in obfuscated form.

Note: To change the bind password for an existing LDAP domain, delete the domain and add it again. Where the bind password was stored in clear text before the AT upgrade, it is obfuscated after the broker is restarted.

Limited support for PAM authentication plug-in

A stripped-down PAM plug-in is added to AT 4.3. The PAM plug-in allows authentication of Active Directory users through Vintela's PAM module. Additionally, the PAM plug-in also allows authentication of UNIX LDAP users.

Support for the PAM authentication plug-in is limited in that the plug-in has no talk-back capability with the client: it operates only on the initially provided user name and password.

AuthSequence for unixpwd plug-in

To simplify the use of the PAM authentication plug-in, all the relevant plug-ins on a platform are brought under a common authentication type, unixpwd. The plug-ins are chained in a configurable order and are tried sequentially until authentication succeeds. The unixpwd plug-in is enhanced to iterate through the sequence of available plug-ins.

The sequence of plug-ins to be tried under the 'unixpwd' domain type is specified in the broker configuration file: the DefaultAuthSequence parameter is added under the Authentication Broker section. By default, DefaultAuthSequence is set to "pam unixpwd nisplus nis" on UNIX platforms and to "nt" on Windows.

During broker startup, the unixpwd plug-in reads the DefaultAuthSequence parameter to identify the default authentication sequence. If the parameter is absent, the default value is written to the configuration file. You can edit the DefaultAuthSequence parameter manually.

New utilities

The following new utilities are added in AT 4.3.

athealth

Name

athealth

Synopsis

athealth -i <install dir> -d <data dir> [-l <log level>] [-g]

Description

The health check utility performs a quick scan of the basic sanity of a particular AT installation. It checks whether AT has been installed properly, and it can be used to check the basic parameters when an error is encountered with the AT setup. The utility can be used on a client as well as on a broker installation.

Required arguments

-i <install dir>

The installation directory to be checked with the athealth utility. Typically this is the parent directory of the directory that contains vrtsat_t.dll or libvrtsat_t.so.

-d <data dir>

The data directory that holds the AT configuration and credential files.

Optional arguments

-l <log level>

The log level, a value from 0 (no logging) to 4 (maximum logging).

-g

Creates the output file "athealthconf.out", which contains diagnostic information gathered from the run of the utility.

atldapconf

Name

atldapconf

Description

The LDAP configuration tool is a CLI program that facilitates configuring the LDAP plug-in for the authentication broker. Use it to connect to the enterprise LDAP server and detect the default parameters for searching users and groups.

To call the LDAP configuration tool, run the atldapconf command. The tool provides the following sub-commands:

■ -d, discover
■ -c, createatcli
■ -x, atconfigure

-d, discover

Name

discover

Synopsis

Use the following syntax, without line breaks:

atldapconf -d -s <ldap server name> [-p <ldap server port>] -u <search_user> [-g <search group>] [-f <attribute_list_file>] [-m <admin_username>] [-w <admin_password>] [-l <loglevel>]

Description

Use this command to connect to the LDAP server and search for the attributes of the given user and group. It creates an attribute list file that contains the valid values for all the attributes, in descending order of priority. You can change the order of priority.

The discover command also retrieves the valid values of LDAP attributes that have multiple values, such as objectClass. Other attributes of the LDAP directory are configurable.

Further, the command searches for the commonly used attributes that exist on the server and puts all the valid attributes in the same attribute list file. The commonly used attributes differ between LDAP implementations, so these values are pre-defined in separate lists for each LDAP implementation. The predefined values are defined in a header file. For example, the list of user GID attributes looks like this:

{"gidNumber", "memberOf", "gid"}

Required arguments

-s <ldap server name>

Name of the LDAP server. On Windows platforms, if the machine is logged onto the network, this parameter is optional.

-u <search_user>

Used to find out the base search path for users.

-g <search group>

Used to find out the base search path for groups.

Optional arguments

-f <attribute_list_file>

Name of the attribute list file. The default file name is "AttributeList.txt".

-p <ldap server port>

The port of the LDAP server. The default value is 389.

To bind to the server, the command uses the user name and password given with -m and -w. If these options are not provided, the command prompts the user for a user name and password. Currently, only simple authentication is supported, which sends the user name and password in clear text.

-m <admin_username>

User name of the connecting user. This is required to make the initial connection to the LDAP server when anonymous searches are disabled.

-w <admin_password>

Password of the connecting user. This is required to make the initial connection to the LDAP server when anonymous searches are disabled.

-l <loglevel>

Generates a log file named "atldapconf.debug". The log level determines the amount of information that goes into the log. The value ranges from 0 to 4.

Examples

atldapconf -d -s sample.server.com -g SAMPLE-DIST-LIST

-c, createatcli

Name

createatcli

Synopsis

Use the following syntax, without line breaks:

atldapconf -c -d <domainname> [-i <attribute_list_file>] [-o <at_cli_file>] [-a <FLAT|BOB>] [-s <BASE|ONE|SUB>] [-l <loglevel>]

Description

Use this command to take the attribute list generated by the discover command as input. The command parses the attribute list file, selects the attribute with the highest priority for each parameter, and creates a CLI file containing a complete vssat addldapdomain command.

Required arguments

-d <domainname>

The domain name.

Optional arguments

-i <attribute_list_file>

The name of the attribute list file. The default file name is "AttributeList.txt".

-o <at_cli_file>

The name of the AT CLI file. The default file name is "CLI.txt".

-a <FLAT|BOB>

The type of authentication. The default authentication type is FLAT.

-s <BASE|ONE|SUB>

The search scope. The default scope is SUB.

-l <loglevel>

Generates a log file named "atldapconf.debug". The log level determines the amount of information that goes into the log. The value ranges from 0 to 4.

Examples

atldapconf -c -d domainname
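An added example (not the atldapconf tool's own code) that models the discover and createatcli steps described above: for each schema parameter, keep the candidates the directory actually carries in priority order, then take the highest-priority one and emit the vssat addldapdomain command, enforcing the constraints the notes state (ldaps:// needs --server_trusted_ca_file, ldap:// must not have it, an empty admin user needs an empty password). The candidate lists other than the quoted user GID list, the attribute list structure, the 0600 file mode and the function names are assumptions of this example.

```python
import os
import shlex
import tempfile

# Candidate attributes in descending priority per LDAP implementation. The user GID
# list is the one quoted in the release notes; the other lists are constructed for
# this example and are not the tool's real header file.
CANDIDATES = {
    "rfc2307": {
        "user_object_class": ["posixAccount", "inetOrgPerson", "person"],
        "user_attribute": ["uid", "cn"],
        "user_gid_attribute": ["gidNumber", "memberOf", "gid"],
        "group_object_class": ["posixGroup", "groupOfNames"],
        "group_attribute": ["cn"],
        "group_gid_attribute": ["gidNumber", "gid"],
    },
    "msad": {
        "user_object_class": ["user", "person"],
        "user_attribute": ["sAMAccountName", "cn"],
        "user_gid_attribute": ["memberOf", "primaryGroupID"],
        "group_object_class": ["group"],
        "group_attribute": ["cn", "sAMAccountName"],
        "group_gid_attribute": ["cn", "objectSid"],
    },
}

SCHEMA_PARAMS = ("user_object_class", "user_attribute", "user_gid_attribute",
                 "group_object_class", "group_attribute", "group_gid_attribute")


def discover(present: dict, implementation: str) -> dict:
    """Model of 'atldapconf -d': keep, per parameter, the candidates that the
    directory's user and group entries actually carry, still in priority order."""
    attribute_list = {}
    for param in SCHEMA_PARAMS:
        found = [c for c in CANDIDATES[implementation][param] if c in present.get(param, ())]
        if not found:
            raise ValueError(f"no usable value discovered for {param}")
        attribute_list[param] = found
    return attribute_list


def create_at_cli(domain, server_url, user_base_dn, group_base_dn, attribute_list,
                  auth_type="FLAT", search_scope="SUB", trusted_ca_file=None,
                  admin_user="", admin_user_password=""):
    """Model of 'atldapconf -c': take the highest-priority value for each parameter
    and emit the vssat addldapdomain command, enforcing the rules the notes state."""
    if server_url.startswith("ldaps://"):
        if not trusted_ca_file:
            raise ValueError("ldaps:// requires --server_trusted_ca_file")
    elif server_url.startswith("ldap://"):
        if trusted_ca_file:
            raise ValueError("--server_trusted_ca_file must be omitted for ldap://")
    else:
        raise ValueError("server URL must start with ldap:// or ldaps://")
    if auth_type not in ("FLAT", "BOB"):
        raise ValueError("auth_type must be FLAT or BOB")
    if search_scope not in ("SUB", "ONE", "BASE"):
        raise ValueError("search_scope must be SUB, ONE or BASE")
    if not admin_user and admin_user_password:
        raise ValueError("admin_user_password must be empty when admin_user is empty")
    args = ["vssat", "addldapdomain", "--domainname", domain, "--server_url", server_url,
            "--user_base_dn", user_base_dn, "--group_base_dn", group_base_dn]
    if trusted_ca_file:
        args += ["--server_trusted_ca_file", trusted_ca_file]
    for param in SCHEMA_PARAMS:
        args += ["--" + param, attribute_list[param][0]]  # highest priority wins
    args += ["--auth_type", auth_type, "--admin_user", admin_user,
             "--admin_user_password", admin_user_password, "--search_scope", search_scope]
    return " ".join(shlex.quote(a) for a in args)


def write_cli_file(command: str, path: str = None) -> str:
    """Model of the CLI.txt output. It carries the bind password in clear text until
    addldapdomain stores it obfuscated, so it is created owner-readable only
    (a precaution of this example, not a documented tool behaviour)."""
    path = path or os.path.join(tempfile.mkdtemp(), "CLI.txt")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(command + "\n")
    return path


def cli_file_is_private(path: str) -> bool:
    """True when no group/other permission bits are set (always true off POSIX)."""
    return os.name != "posix" or (os.stat(path).st_mode & 0o077) == 0
```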

-x, atconfigure

Name

atconfigure

Synopsis

Use the following syntax, without line breaks:

atldapconf -x [-f <at_cli_file>] [-p <at_install_path>] [-o <broker_port>] [-l <loglevel>] [-v verify]

Description

Use this command to read and execute the AT CLI that was generated by the -c, createatcli command, and add the domain to AT.

Optional arguments

-f <at_cli_file>

The name of the AT CLI file. The default file name is "CLI.txt".

-p <at_install_path>

The install path. If it is not given, the command checks the present working directory and the default installation locations of older versions of AT.

-o <broker_port>

The broker port. The default port is 2821.

-l <loglevel>

Generates a log file named "atldapconf.debug". The log level determines the amount of information that goes into the log. The value ranges from 0 to 4.

-v verify

Verifies the newly added domain after adding it. If required, the command prompts for a user name and password to check whether that user can be authenticated.

Note: The broker service needs to be up and running to use the -v option.

Examples

Broker credential renewal

Brokers keep track of the validity period of their credentials and automatically start renewing the credentials one year before the expiry of the existing credentials.

Broker credential renewal can be done automatically as well manually .

Automatic broker credential renewal process

1 Broker startup: During startup, the broker checks whether automatic broker credential renewal is on. Automatic renewal is on by default. Consuming products can turn it off using the “AutomaticCredentialRenew” parameter. For more information, see “AutomaticCredentialRenew.” If this parameter is set to off, the broker does not attempt to renew the credential by itself; the administrator has to do this manually.

2 Renewal threshold period: If automatic renewal is on, the broker checks the renewal threshold period. It is one year before the expiry of the existing credential. For example, if the validity is eight years, renewal starts seven years from the time the broker is commissioned.

3 Renewing broker credentials: If the renewal threshold period is reached, the broker starts renewing its credentials. First, the broker takes a snapshot of its certificate store, so that the previous state can be restored if something goes wrong.

a If the current broker mode is Root or Root+AB, then the Root credential is renewed first.

A new Root credential is generated out of the existing Root key pair and deposited in the credential store. The new Root credential has a new validity period. This new Root credential overwrites the existing Root credential in both the regular certificate store and the trusted store. For more information, see “Renewing Root broker credentials.”

If the broker mode is Root+AB, then a new AB credential is generated using the existing AB key pair. The new AB credential has a new validity period. For more information, see “Renewing Root+AB credentials.”

b If the current broker mode is AB only, then the broker renews its own credential with its remote Root broker.

Note: The AT package on the AB machine needs to be upgraded for this. The default AB credential renewal threshold is set to a week less than the Root's. Thus, the AB's credentials are renewed one week after the Root's credentials are renewed.

The new AB credentials have a new validity period and overwrite the older credentials. For more information, see “Renewing AB credentials.”

In case the renewal fails, the broker still comes up with its existing credential and retries the operation a day later. The broker keeps trying until the renewal is successful.

Broker credential renewal can also be done manually using the -w option. For more information, see “Manual broker credential renewal option.”

Renewing Root broker credentials

This automatic credential renewal is triggered upon reaching the renewal threshold.

Alternatively, the administrator can renew the Root credentials manually. For more information, see “Renew Root broker credentials.”

Renewing AB credentials

The AT broker supports AB credentials of the remote Root brokers. However, the AB needs to re-establish trust with the remote Root broker if that broker is running in Root only mode. This is because a broker running in Root only mode uses the Root credential for accepting incoming connections, and when it renews the Root credential, clients have to re-establish trust with that Root broker. On the other hand, the AB is not required to re-establish trust if the remote Root broker is running in Root+AB mode. This is because the remote Root+AB broker uses its AB credential to accept connections, and the certificate chain is completed using the old Root credential from the client's trusted store.

If products do not want to upgrade their ABs, then they can manually acquire a new credential for each AB that is under the newly renewed Root broker.

To acquire new credentials manually

1 Perform a setuptrust against the renewed Root broker to download the new Root credentials.

2 Run the following command to acquire new AB credentials; the new AB credentials are available with their new validity:

vxatd -a -n <broker identity> -p <password> -x <domain type> -y <domain name> -q <root broker name> -z <root broker port> -h <hash file name>

Renewing Root+AB credentials

To renew Root+AB credentials, first renew the Root broker credentials and then the AB credentials, as explained above.


AT client and broker credential renewal

The existing credentials issued by the AB continue to function even after renewing the AB credentials. Clients can continue to acquire new credentials and renew the existing credentials until the older Root credential expires. Clients would continue to operate with the older Root credential in their trusted store. Thus, peer credentials that are signed by both old and new ABs will be accepted. Similarly, the old credentials issued by the old (pre-renew) broker will be accepted by the peers that have established trust with the new (renewed) Root broker.

The new credentials issued by the renewed AB and Root brokers can have an expiry date up to 20 years in the future. The actual expiry date depends on the type of credential and the expiry intervals.

To download the new Root credentials, AT clients are required to re-establish trust with their broker once before the old Root credential expires. AT clients can re-establish trust within a year (Root credential renewal threshold period) after the Root/AB renewed their credentials.

To perform the trust establishment in high security mode, the clients need to receive the hash of the new Root credential out of band. If the AT CLI is used, then it will prompt to verify the incoming Root credential.

Broker renewal configuration parameters

The following parameters are added to the broker configuration to support automatic broker credential renewal:

AutomaticCredentialRenew

Configures the broker to automatically renew its credentials towards the end of the validity period. This parameter applies to both Root and AB.

Section: [Security\Authentication\Authentication Broker]
Key: AutomaticCredentialRenew
Type: Integer
Allowed Values: 0/1
Default: 1

RootRenewThreshold

Specifies when the automatic Root broker credential renewal should happen. The broker starts credential renewal when the remaining validity period falls below this limit.

Section: [Security\Authentication\Authentication Broker]
Key: RootRenewThreshold
Type: Integer
Unit: days
Allowed Values: 1 to 20*365
Default: 365

ABRenewThreshold

Specifies when the automatic AB credential renewal should happen. The broker starts credential renewal when the remaining validity period falls below this limit.

Section: [Security\Authentication\Authentication Broker]
Key: ABRenewThreshold
Type: Integer
Unit: days
Allowed Values: 1 to 20*365
Default: 360

ABCredExpiry

Specifies the credential expiry limit for the new AB credentials issued by a Root broker.

Section: [Security\Authentication\Authentication Broker]
Key: ABCredExpiry
Type: Integer
Unit: seconds
Default Value: 20*365*24*3600

RBCredExpiry

Specifies the credential expiry limit for the new Root credentials.

Section: [Security\Authentication\Authentication Broker]
Key: RBCredExpiry
Type: Integer
Unit: seconds
Default Value: 20*365*24*3600
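The threshold rule ("renew when the remaining validity falls below the limit") and the allowed ranges above can be checked before relying on automatic renewal. The following shell script is an added example; it is not part of these release notes or of the vxatd tooling. It evaluates whether a credential with a given expiry is due for renewal, and validates the five renewal parameters read from an INI-style file. The on-disk layout of the broker configuration (section header followed by Key=Value lines) is an assumption made for this example, and the sample configuration it writes is constructed here, using the documented defaults.

```shell
#!/bin/sh
# Added example, not part of the release notes or the AT product code.
# Evaluates the broker credential renewal threshold logic and validates the
# renewal parameters against the documented ranges. The INI-style layout of
# the broker configuration file is an ASSUMPTION made for this example.

SECONDS_PER_DAY=86400

# renew_due EXPIRY_EPOCH NOW_EPOCH THRESHOLD_DAYS
# Succeeds (exit 0) when the remaining validity is below the threshold,
# i.e. when an automatically renewing broker would start renewal.
renew_due() {
    expiry=$1; now=$2; threshold_days=$3
    remaining_days=$(( (expiry - now) / SECONDS_PER_DAY ))
    [ "$remaining_days" -lt "$threshold_days" ]
}

# check_param KEY VALUE
# Prints "KEY: ok" and succeeds, or prints the problem and fails.
check_param() {
    key=$1; value=$2
    case $value in
        ''|*[!0-9]*) echo "$key: not a non-negative integer: '$value'"; return 1 ;;
    esac
    case $key in
        AutomaticCredentialRenew)
            [ "$value" -le 1 ] || { echo "$key: must be 0 or 1"; return 1; } ;;
        RootRenewThreshold|ABRenewThreshold)
            [ "$value" -ge 1 ] && [ "$value" -le $((20 * 365)) ] ||
                { echo "$key: must be 1 to $((20 * 365)) days"; return 1; } ;;
        ABCredExpiry|RBCredExpiry)
            [ "$value" -ge 1 ] || { echo "$key: must be a positive number of seconds"; return 1; } ;;
        *)  echo "$key: not a renewal parameter"; return 1 ;;
    esac
    echo "$key: ok"
}

# check_config FILE
# Reads Key=Value lines from the [...Authentication Broker] section and
# checks each one; prints one result line per key and fails if the section
# is empty or any key is out of range.
check_config() {
    results=$(awk -F= '
        /^\[/ { sect = $0; next }
        sect ~ /Authentication Broker]$/ && NF == 2 {
            gsub(/[ \t]/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2); print $1, $2
        }' "$1" | while read -r k v; do check_param "$k" "$v" || true; done)
    printf '%s\n' "$results"
    ! printf '%s\n' "$results" | grep -qv ': ok$'
}

# write_sample_config FILE: a CONSTRUCTED configuration using the defaults
# listed above (20*365*24*3600 = 630720000 seconds).
write_sample_config() {
    cat > "$1" <<'EOF'
[Security\Authentication\Authentication Broker]
AutomaticCredentialRenew = 1
RootRenewThreshold = 365
ABRenewThreshold = 360
ABCredExpiry = 630720000
RBCredExpiry = 630720000
[Security\Authentication\Other]
Unrelated = 5
EOF
}

# Stand-alone demonstration (run with "demo" as the first argument): an
# eight-year credential is not due at commissioning but is due one day past
# the seven-year mark, and the sample configuration validates cleanly.
if [ "${1:-}" = demo ]; then
    eight_years=$((8 * 365 * SECONDS_PER_DAY))
    renew_due "$eight_years" 0 365 && echo "due at commissioning" || echo "not due at commissioning"
    renew_due "$eight_years" $((7 * 365 * SECONDS_PER_DAY + SECONDS_PER_DAY)) 365 && echo "due after seven years"
    cfg=$(mktemp); write_sample_config "$cfg"; check_config "$cfg"; rm -f "$cfg"
fi
```

Note that renew_due compares whole days, so a credential with exactly 365 days remaining is not yet due under a 365-day threshold; the day after, it is. The check for ABRenewThreshold accepts the documented default of 360 but would flag, for example, a value above 20*365.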

Manual broker credential renewal option

To manually renew the broker credentials, use the -w option added to vxatd. This command takes a backup of the existing credential store.

Shut down the broker process before running the command and start it manually afterwards.

Renew Root broker credentials

Run the following command to renew the Root broker credentials:

# vxatd -o -r -w

Renew Authentication broker (AB) credentials

Run the following command to renew the Authentication broker credentials:

# vxatd -o -a -w

Renew Root+AB credentials

# vxatd -o -a -r -w

You can also renew the Root+AB broker in two steps. First, renew the root credential only and then renew the AB credential as explained above.
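The manual procedure has an ordering that is easy to get wrong under pressure: the broker must be stopped before vxatd -w runs, and started again afterwards. The following shell script is an added example (not from the release notes and not part of the product) that wraps the three commands above in that order and refuses to proceed while a broker process is still present. The broker binary path is assumed to be /opt/VRTSat/bin/vxatd; the release notes do not say how the broker is stopped, so STOP_BROKER_CMD is a placeholder that must be set for the local installation, and the vxatd process name is an assumption taken from the known-issues text.

```shell
#!/bin/sh
# Added example, not part of the release notes or the AT product code.
# Orchestrates the manual renewal described above: stop the broker, run
# vxatd with -w (which backs up the credential store itself), restart it.
# ASSUMPTIONS: the broker binary path and process name; the release notes
# do not say how to stop the broker, so STOP_BROKER_CMD is a PLACEHOLDER.

VXATD=${VXATD:-/opt/VRTSat/bin/vxatd}
STOP_BROKER_CMD=${STOP_BROKER_CMD:-'echo "PLACEHOLDER: stop the vxatd broker here"'}

# renew_flags MODE -> prints the vxatd option string for root, ab or root+ab
renew_flags() {
    case $1 in
        root)    echo "-o -r -w" ;;
        ab)      echo "-o -a -w" ;;
        root+ab) echo "-o -a -r -w" ;;
        *)       echo "unknown mode: $1 (use root, ab or root+ab)" >&2; return 1 ;;
    esac
}

# broker_running -> succeeds if a vxatd process is present (name assumed)
broker_running() { pgrep -x vxatd > /dev/null 2>&1; }

# manual_renew MODE
# With DRY_RUN=1 the commands are printed, one per line, instead of run.
manual_renew() {
    flags=$(renew_flags "$1") || return 2
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$STOP_BROKER_CMD" "$VXATD $flags" "$VXATD"
        return 0
    fi
    sh -c "$STOP_BROKER_CMD" || return 1
    if broker_running; then
        echo "vxatd is still running; renewal must run with the broker stopped" >&2
        return 1
    fi
    # $flags is intentionally word-split into separate arguments
    if ! "$VXATD" $flags; then
        echo "renewal failed; broker left stopped so the -w backup can be restored" >&2
        return 1
    fi
    "$VXATD"   # start the broker again manually, as the notes require
}
```

Run it as, for example, DRY_RUN=1 before calling manual_renew root+ab to see the exact command sequence without touching the broker. On failure the script deliberately leaves the broker down, because restarting it on top of a half-renewed store would defeat the purpose of the backup that -w takes.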

Configuring broker validity

Products can configure the broker credential validity up to 20 years. Only the renewed credentials can be configured for such validity.

Chart of fixed incidents

This topic discusses the fixed issues for which incident numbers are available in this release of Symantec Product Authentication Service. “Fixed issues, by number” table shows fixed numbered issues, sorted in ascending order by incident number.

Upgrading to higher versions

After installing 4.3.40.x, if you need to upgrade to an AT 4.4/5.0 version, make sure you upgrade to 4.4.20.x/5.0.28.x or higher.

Table 1-1 Fixed issues, by number

Etrack Incident   Abstract
855810            Garbage is displayed in Java GUI when you use the CLI to add the name of a principal with Chinese characters.
1368778           LDAP authentications for duplicate user entries across LDAP subdomains


Available documentation

The at_admin.pdf file on your disc provides information on the following topics:

■ Basic terminology and concepts

■ Architecture of Symantec Product Authentication Service

■ Description and use of the command line interface

■ Description and use of the administration console

The at_install.pdf on your disc provides information on the following topics:

■ System requirements

■ Installation and configuration of Symantec Product Authentication Service

■ Special information related to installation in a clustered environment.


Chapter 2

Requirements and alerts

Note: Any version prior to this full-decimal release will not be re-branded and will continue to refer to Symantec Product Authentication Service and Symantec Product Authorization Service together as a single product called VERITAS Security Services or VSS.

The present chapter contains the following topics:

■ “Supported platforms”

■ “Required patches and service packs”

■ “Not supported”

■ “How to use GSS-API on non-standard Solaris”

■ “How to connect to authorization server on UNIX platforms”

■ “When you must remove startup scripts in cluster configuration”

■ “Home directory requirement”


Supported platforms

The following chart shows support for Symantec Product Authentication Service:

Platform                                          AT support
AIX 4.3.3.10, 5.1, 5.2, 5.3, 6.1 (32 bit)         Server and client
AIX 5.1, 5.2, 5.3, 6.1 (PPC 64bit)                Client only
FreeBSD 4.9 (x86)                                 Client only; was not released in 4.3.14.0
HP-UX 11.00, 11.11, 11.23                         Server and client
IRIX 6.5.15-22 (MIPS-32)                          Client only
Linux Redhat AS 2.1 (on x86)                      Server and client
Linux Redhat AS/ES 3.0 (on x86)                   Server and client
Linux Redhat AS/ES 3.0 (on IA64)                  Server and client (64 bit)
Linux Redhat EL 4.0 (on x86_64)                   Server and client (32 bit compatibility mode)
Linux Redhat EL 4.0 (on IA 64)                    Server and client
Linux SuSe SLES 8.0, 9.0 (on x86)                 Server and client
Linux SuSe SLES 8.0, 9.0 (on IA64)                Server and client (64 bit)
Linux SuSe SLES 9.0 (on x86_64)                   Server and client (32 bit compatibility mode); native 64 bit client
Linux MontaVista 11.0 (on x86)                    Client only
Linux WS 21, 30 (on x86)                          Client only
Mac OS 10.3 (PPC)                                 Client only
Solaris 6 (Sparc)                                 Desupported AT 4.2 and above
Solaris 7, 8, 9, 10 (Sparc)                       Server and client
Solaris 7, 8, 9, 10 (Sparc 64 bit)                Server and client
Solaris 10 (x86)                                  Server and client
Solaris 10 (x86-64)                               Client only
Tru64 5.1, 5.2                                    Server and client
Windows XP SP1 and SP2 (on x86)                   Server and client
Windows Storage Server 2003 (on x86)              Server and client
Windows 2000 SAK, SAK Business Server (on x86)    Client only
Windows 2003 (on x86_64)                          Client only (64 bit and 32 bit compatibility mode)
Windows 2003 (on IA64)                            Server and client (64 bit and 32 bit compatibility mode)

LIBRARY_PATH requirement with installvss

If you use installvss to install AT, you must set the LD_LIBRARY_PATH at the specified location. For example:

export LD_LIBRARY_PATH=perl/lib/5.8.0/alpha-dec_osf-thread-multi/CORE:$LD_LIBRARY_PATH

Required patches and service packs

Below is a list of patches for HP-UX 11.x. Some or all of the patches mentioned in this document may have been revised. If the base patch is unavailable, the cumulative patch containing the base patch should be applied.

Patches that are required for HP 11.00

The chart below lists patches for HP 11.00.

Table 2-1 Patches for HP 11.00

Patch ID      Patch Description
PHSS_26559    s700_800 11.00 ld(1) and linker tools cumulative patch
PHSS_24303    11.0 ld(1) and linker tools cumulative patch
PHSS_24627    11.0 HP aC++ -AA runtime libraries (aCC A.03.33) or
PHSS_26945    11.0 HP aC++ -AA runtime libraries (aCC A.03.37)
PHSS_32229    It is a LIBCL patch. After installation, if there is an error related to cfc_flush, then install the PHSS_33403 patch.
PHCO_18227    11.0 libc cumulative patch
PHCO_29633    11.0 libc cumulative patch
PHCO_26960    Pthread library cumulative patch

Patches that are required for HP 11.11

Table 2-2 Patches for HP 11.11

Patch ID      Description
PHSS_26560    1.0 ld(1) and linker tools
PHSS_24304    1.0 ld(1) linker tools cumulative patch
PHSS_26946    1.0 ld(1) HP aC++ run-time libraries a3.37

Service packs

The list below shows service packs required for successful installation of AT on the Windows platform:

■ For NT 4.0, service pack 3

■ For Windows 2000, service pack 2

■ For Windows 64 bit machines, you should have Service Pack 1 in order to support side by side installation of 32 bit and 64 bit.

C runtime requirement for AIX 3.x

■ On all AIX 3.x versions, the required C runtime (bos.rte.libc) should be at level 4.3.3.88.

Other patches and requirements

■ We recommend 100MB disk space.

■ We recommend 256MB memory.

■ The minimum glibc version required on a Linux RedHat EL 4.0 32bit machine is 2.3.4-2.9.

■ For SunOS 5.8, you should install patch 108820-03.

■ On Solaris x86, users must install the latest GSS-API patches in order for GSS-API to work.

■ For AIX 4.3, C Runtime (bos.rte.libc) should be at level 4.3.3.88.

Solaris zone support

AT 4.3 packages should be installed from the global zone. They are automatically propagated into all existing and yet-to-be-created local zones. AT packages contain the following package parameter:

SUNW_PKG_ALLZONES=true

Not supported

■ We do not support making the root broker highly available on secure clusters.

■ The ICS Installer does not support the following types of installation for AT and AZ:

  ■ Upgrade on servers from authentication broker only to root plus authentication broker

  ■ Push installs of either the client or the server (broker) to remote machines

  ■ Silent (non-interactive) upgrades of the server/broker

Before you perform an upgrade of AT or AZ, shut down local Symantec applications that are using AT or AZ services. Otherwise, the upgrade process imposes a short outage that could impact the applications that need those services.

How to use GSS-API on non-standard Solaris

GSS-API is available on Solaris OS 5.7 and onward. However, GSS-API may not be available on any standard Solaris OS. Before installing AT onto a non-standard Solaris OS, the user must install Solaris Enterprise Authentication Mechanism (SEAM) from SUN.

How to check that you have SEAM

If the SunOS is not a custom build and it is 5.9 and above, SEAM should be there by default. Make sure that the following directories and files exist:


■ The file /etc/gss/mech

■ The directory /usr/lib/gss/

■ The file /usr/lib/libgss.so.1

How to connect to authorization server on UNIX platforms

To connect to the authorization server from within the administration console on all UNIX platforms, you must enter the domain name. This is a required field.

When you must remove startup scripts in cluster configuration

If you are doing cluster configuration on any UNIX platform, you need to remove the startup scripts that get installed with the package.

Once your services are cluster enabled, you want the cluster to decide when or how the service should be started. Since clustered services usually depend on bringing some shared storage online, it is better if these startup scripts are removed.

These startup scripts (S700vxatd on HP-UX, S70vxatd on others) are in the run level 2 directories (/etc/rc2.d on Solaris, /etc/rc.d/rc2.d on AIX, /sbin/rc2.d on HP-UX, /etc/rc.d/rc2.d on Linux, /sbin/rc2.d on Tru64). If you are not sure of the run level, run the following command:

who -r

Startup scripts in non-cluster configuration

The following procedure is a workaround for startup scripts on UNIX. If the run level on UNIX is other than 2, and you want AT to be started up on reboot, copy the startup scripts from the run level 2 directory into the directory for the run level at which you are running. For example, if you are running at run level 3, then on Solaris, copy /etc/rc2.d/S70vxatd to /etc/rc3.d. Similarly, the kill script K99vxatd should be copied for stopping the service.
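Both cases above (removing the init scripts so the cluster owns the service, and staging them into a different run level on a stand-alone host) come down to knowing the right rcN.d directory and script names for each platform. The following shell functions are an added example, not part of the release notes or of the product; they encode the directories and script names exactly as listed above, move the scripts aside into a backup directory rather than deleting them, and copy them into another run level for the non-cluster case. The ROOT prefix variable exists only so the functions can be exercised against a constructed directory tree; on a real host it is left empty.

```shell
#!/bin/sh
# Added example, not part of the release notes or the AT product code.
# Locates the vxatd init scripts listed above and either moves them aside
# (cluster configuration) or stages copies into another run level
# (non-cluster host whose default run level is not 2).
# ROOT is a prefix used to exercise the functions against a constructed
# directory tree; leave it empty on a real host.

ROOT=${ROOT:-}

# rc_dir OS RUNLEVEL -> the rcN.d directory for that platform
rc_dir() {
    case $1 in
        solaris)    echo "$ROOT/etc/rc$2.d" ;;
        aix|linux)  echo "$ROOT/etc/rc.d/rc$2.d" ;;
        hpux|tru64) echo "$ROOT/sbin/rc$2.d" ;;
        *)          echo "unknown platform: $1" >&2; return 1 ;;
    esac
}

# start_script OS -> S700vxatd on HP-UX, S70vxatd elsewhere
start_script() {
    if [ "$1" = hpux ]; then echo S700vxatd; else echo S70vxatd; fi
}

# current_runlevel -> the run level reported by `who -r` (third field)
current_runlevel() { who -r 2>/dev/null | awk '{ print $3 }'; }

# disable_startup_scripts OS BACKUP_DIR
# Moves the run level 2 start and kill scripts into BACKUP_DIR so that the
# cluster software, not init, decides when vxatd starts. Prints the number
# of scripts moved (0 means there was nothing left to move).
disable_startup_scripts() {
    os=$1; backup=$2
    dir=$(rc_dir "$os" 2) || return 1
    mkdir -p "$backup" || return 1
    moved=0
    for s in "$(start_script "$os")" K99vxatd; do
        if [ -e "$dir/$s" ]; then
            mv "$dir/$s" "$backup/$s" && moved=$((moved + 1))
        fi
    done
    echo "$moved"
}

# stage_for_runlevel OS RUNLEVEL
# Copies the run level 2 start and kill scripts into rcRUNLEVEL.d, keeping
# their permissions, for a non-cluster host that boots to another level.
stage_for_runlevel() {
    os=$1; level=$2
    [ "$level" != 2 ] || { echo "run level 2 already holds the scripts" >&2; return 1; }
    src=$(rc_dir "$os" 2) || return 1
    dst=$(rc_dir "$os" "$level") || return 1
    mkdir -p "$dst" || return 1
    for s in "$(start_script "$os")" K99vxatd; do
        [ -e "$src/$s" ] || { echo "missing $src/$s" >&2; return 1; }
        cp -p "$src/$s" "$dst/$s" || return 1
    done
}
```

A typical non-cluster use is stage_for_runlevel solaris "$(current_runlevel)" after confirming with who -r that the host really boots to a level other than 2; a cluster use is disable_startup_scripts linux /var/tmp/vxatd-rc-backup, which keeps the originals available should the node ever be taken out of the cluster.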

Home directory requirement

This version of Symantec Product Authentication Service requires that non-root users have their home directories set properly in the namespace that they use to login to the host (NIS/NIS+ or /etc/passwd). Therefore, all products that integrate with AT will require their users to have their home directories set.

How to choose patch vs. fresh installation

Use the following guidelines to determine whether your system was configured under the old model:

If AT is already configured into VCS as per the old model, you should configure the authentication path by running the VxATclconf.pl with the -P option from the "C:\Program Files\VERITAS\Security\Authentication\bin" directory.

See “Detailed steps to configure AT into VCS on Windows” and “Steps to configure AT into VCS on UNIX”.

For non-securable VCS

If you see a vxatd resource, your system was configured under the old model.

For securable VCS

If you see a vxssclusterpdr resource group, your system was configured under the old model.


Chapter 3

Known Issues

This chapter includes the following topics:

■ “Chart of open incidents”


Chart of open incidents

Table 3-1, “Known issues, by number” shows known issues, with numbers, sorted in ascending order by incident number.

Table 3-1 Known issues, by number

Etrack Incident   Abstract
1374044           Unneeded config actions required while upgrading AT binaries
1380848           Failure in detecting primary group for LDAP user
1394289           Only local installs and upgrades are supported using “installvss” script
1536557           No upgrade option for client package on Sun AMD
1539573           Unable to install x64 client if old server is installed on System
1670558           Not able to make AT HA on MSCS W2k8 AMD machine
1706555           vxatd process doesn't come up after upgrade
1713170           setuptrust takes 1 min if pbx is not running on broker
1719059           Domainname needs to be passed for localhost authentication to succeed

Numbered issues

This topic discusses known issues for which incident numbers are available in this release of Symantec Product Authentication Service.

(1374044) Unneeded config actions required while upgrading AT binaries

While upgrading AT binaries to AT 4.3.43.x version, despite choosing not to configure the AT Server, the Installer prompts to set the Root Broker and Authentication Broker password. The user is asked to provide the following unneeded information:

■ Enter password for root broker administrator

■ Reenter password for root broker administrator

■ Enter password for authentication broker administrator

■ Reenter password for authentication broker administrator


Further, despite the broker not being configured, the CPI Installer gives a success message after it tries to start the AT server. The following message is displayed:

SYMANTEC PRODUCT AUTHENTICATION SERVICE 4.3.43.0 INSTALLATION PROGRAM

Do you want to start Symantec Product Authentication Service processes now? [y,n,q] (y)

Symantec Product Authentication Service was started successfully. Press [Return] to continue.

(1380848) Failure in detecting primary group for LDAP user

AT fails to detect the primary group of the Active Directory user for an LDAP domain. After adding an LDAP domain and authenticating the LDAP user, vssat showcred does not reflect the primary group of this user in the credentials returned by AT. However, the credential lists the secondary groups that the user is a member of in Active Directory. This issue persists because the AT code (all branches) does not implement getting the primary group for a user from Active Directory, due to Microsoft's implementation.

(1394289) Only local installs and upgrades are supported using “installvss” script

When the “installvss” script is run to upgrade VxAT, a prompt is displayed asking for system names where AT is to be installed/upgraded. But currently, only local installs and upgrades are supported when using the “installvss” script. Remote system configuration is not done correctly when remote systems are specified during the install/upgrade.

Workaround

Run the “installvss” script locally on each of the machines where AT is to be installed/upgraded.

(1536557) No upgrade option for AT Client package on Sun AMD platform

Workaround

Follow the given steps:

1 Back up /etc/vx/vss.

2 Back up /var/VRTSat.

3 Remove the package, using the pkgrm command.

4 Add the new package, using the pkgadd command.

(1536557) No upgrade option for AT Client package on Sun AMD platform

x64 client cannot be installed on a system if an old server is installed on it.

Workaround

This workaround is applicable only while installing the Solaris/Linux x64 (AMD64) client. Follow the given steps:

1 Back up /etc/vx/vss.

2 Back up /var/VRTSat.

3 Remove the package, using the rpm command.

4 Add the new package, using the rpm command.

(1670558) Unable to make AT HA on MSCS W2k8 AMD machine

In this release, AT will not be HA on MSCS W2k8 AMD machine.

(1706555) vxatd process doesn't come up after upgrade

After upgrading AT to 4.3.43.x, the vxatd process does not restart. You need to restart the vxatd process manually.

(1713170) setuptrust takes 1 min if pbx is not running on broker

On a machine where PBX is installed but not running, the client still tries first to authenticate using the PBX port until the time-out, and only then uses the regular broker port. Thus setuptrust, which takes 2 seconds in a normal scenario, takes much longer.

(1719059) Domainname needs to be passed for localhost authentication to succeed


Chapter 4

Procedures

This chapter includes the following topics:

■ “Common terms”

■ “Install AT”

■ “Upgrade AT”

■ “Steps for AT cluster configuration (all solutions)”

■ “How to configure AT into Microsoft Cluster Server”

■ “How to configure AT into VCS on Windows”

■ “How to configure AT into VCS on UNIX”

■ “How to configure AT into Tru64”

■ “How to configure AT into Sun Cluster”

■ “How to configure AT on HACMP”

■ “How to configure AT on HP Serviceguard”

■ “Uninstall”

■ “About authenticating users in active directory”



Common terms

The table below defines terms that are common to the discussions of installation and configuration of Symantec Product Authentication Service for all platforms.

AT Service Virtual Name          The hostname for the AT Service Virtual IP Address.
AT Service Virtual IP Address    The IP Address for the AT Service Virtual Name.
Mount Point                      The shared mount point for the Authentication data files.
Network Interface                The network interface where the AT Service Virtual Name will be presented.
install_dir                      The installation directory of the Symantec Product Authentication Service. For example, <install_dir>/bin/vssat would correspond to /opt/VRTSat/bin/vssat on UNIX and C:\Program Files\VERITAS\Security\Authentication\bin\vssat on Windows.

Install AT

There have been a number of changes in installation since the publication of the Symantec Product Authentication Service Installation Guide. These Release Notes include the most up-to-date information.

Tasks that you must complete for successful installation

You must install at least one root broker, one authentication broker, and one authentication client.

Perform the tasks in the following order:

■ Select an installation mode

■ Install a root broker

■ Install an authentication broker, if you did not select root plus authentication broker mode when installing the broker

■ Install client or clients


About installing and configuring an authentication broker

If you plan to install an authentication broker on a machine separate from a root broker, you must perform the following tasks:

1 Provision an identity for the authentication broker. (See "Provisioning an identity for the authentication broker" in the Installation Guide.)

2 Copy the root hash file from the root machine to the authentication broker machine. (See "Finding and copying the root hash file" in the Installation Guide.)

3 Run the install program again to install the authentication broker machine.

Installing on Windows

On a Windows platform, you can install the authentication broker either interactively or in silent mode. The present topic discusses only the interactive mode. For information on silent mode, see the Installation Guide.

To install on Windows using a traditional wizard

1 Log on as administrator on the machine where you want to install.

2 Confirm that the machine uses the NTFS file system. FAT does not provide any file system security and hence compromises the security of AT.

3 Run VxSSVRTSatSetup.exe from the CD.

4 When the opening InstallShield wizard screen is displayed, click Next.

5 When the Setup Type screen is displayed, select Complete and click Next.

In Destination Folder on the Setup Type dialog box, click Browse. In the Path text box on the Choose Folder dialog box, type the new path: C:\Program Files\VERITAS\Security\

6 If you are installing AT on a cluster, do the following:

When you have completed your selections, click Next.

7 On the Authentication Broker Service Options screen, select the mode, and indicate whether or not the service is clustered. Click Next.

8 (If service is not clustered) Indicate whether the service is to be started manually or automatically and whether it is to be started immediately after installation. This area is greyed-out if you enable clustering.

9 (For Authentication Broker Only mode) Indicate whether you want authentication to look for root brokers.

10 (For Authentication Broker Only mode) If you selected Yes, provide the IP range to scan, and click Next.

11 (For Authentication Broker Only mode) If you requested a scan, select a root broker from the list when the root brokers dialog box is displayed, and click Next.

12 (For Authentication Broker Only mode) Complete the Authentication Broker Identity screen as follows, and then click Next:

In the Root Broker area:

■ For Host Name, enter the host name or IP address that allows the authentication broker to reach the root broker.

■ For Port, keep or change the port number, whose default is 2821.

■ For Hash File, click Browse to browse for the root_hash file you copied from the root broker. Or type the value into the Hash Value field.

In the Broker Identity area:

■ For Name, enter the identity of the authentication broker as configured in the root broker’s private domain repository.

■ For Password, enter the password for the authentication broker as configured in the root broker’s private domain repository.

■ For Domain Name, enter the domain in which the root and this

13 (For all modes) Provide the password or passwords and click Next.

14 When the InstallShield Wizard Complete screen is displayed, click Finish.

15 If you need to configure AT to use the cluster, run the cluster configuration script.

See one of the following:

■ “How to configure AT into VCS on Windows”

■ “How to configure AT into Microsoft Cluster Server”

UNIX installation scripts: when to use install vs. installics

The install script is a wrapper around installics that simply invokes installics, and then, after installics finishes, asks the user whether he or she wants to continue or exit. If the user answers "y," the install script invokes installics again. Otherwise, it exits to the command line prompt.

Guidelines for use are as follows:

■ Use installics if you just want to perform one operation (install, upgrade, configure, or uninstall) on the host.

■ Use install if you need to perform several sequential operations with installics.

Installing root plus authentication broker on UNIX

Before you install AT in root plus authentication broker mode, you must do the following:

■ Select an administrator password of at least 5 characters for the root broker and the authentication broker

■ If you intend to configure AT to use a cluster, determine the cluster name

To install root plus authentication broker

1 Go to the directory in which the installics script is located, and type the following command to invoke installics:

./installics

2 At the task menu, type I to install or upgrade a product.

3 When you are prompted to select a product to install, type 2 to install the Symantec Product Authentication Service.

4 When you are prompted to install the AT server, type y.

5 When you are prompted to select the mode in which AT will be installed, type 1 for the Root+AB mode.

6 When you are prompted for the system name, type the name of the host on which you are installing AT.

The ICS Installer does not support remote installation (push install) for AT. Install AT on the local host only.

7 When the package to be installed is displayed, press Enter to continue, and then allow the installation to complete.

The VRTSat package will be installed. The following message is displayed when the installation is complete:

Installation completed successfully on all systems

8 When you are prompted to configure AT, type y.

9 When you are prompted for the root broker administrator password, type in the password that you selected.


The password must be at least 5 characters. No characters are echoed when you type in the password and you will not be prompted to retype it for confirmation. Be careful to type it correctly.

10 When you are prompted for the authentication broker administrator password, type in the password you selected.

The password must be at least 5 characters. No characters are echoed when you type in the password and you will not be prompted to retype it for confirmation. Be careful to type it correctly.

11 If the Symantec Private Branch Exchange is installed on the host, you receive the following prompt:

Do you want to enable Private Branch Exchange (PBX) support in Authentication Broker Server? [y,n,q] (n)

If you receive this prompt, type y if you want AT to communicate through the Private Branch Exchange. Otherwise, type n.

AT can be configured to communicate with its clients through the Private Branch Exchange over port 1556 rather than over the default broker port 2821.

12 If the host on which you are installing AT is part of a cluster, you receive the following prompt:

Will HostName be configured as part of a cluster? [y,n,q] (n)

If you receive this prompt, do the following:

„ If you intend to configure AT to use the cluster, type y. Otherwise, type n.

„ If you typed y, enter the cluster name when you are prompted for the logical cluster name.

The ICS Installer must know whether AT will be configured to use a cluster. However, it will not perform the cluster configuration.

You will be instructed to perform the cluster configuration manually later in this procedure.

13 When you are prompted to start the Symantec Product Authentication Service processes, type y if you want to start them now. Otherwise, type n. If you type n, you can type the following command to start the service at a later time:

/opt/VRTSat/bin/vxatd

14 When you are prompted for an encryption key, type a string of at least five characters to use as a key for encrypting the installics response file. Since the installics response file contains the broker passwords, it must be encrypted for security reasons. To decrypt the response file for a silent installation, you must insert this key string into a file, and then specify the key file name with the installics -enckeyfile option.


See “About the encryption and the response files.”

15 Press Enter to continue. The installics script exits.

16 If you need to configure AT to use the cluster, run the cluster configuration script.

See one of the following:

■ “How to configure AT into VCS on UNIX”

■ “How to configure AT into Tru64”

■ “How to configure AT into Sun Cluster”

■ “How to configure AT on HACMP”

■ “How to configure AT on HP Serviceguard”

Installing authentication broker only on UNIX

Before you install AT in authentication broker only mode, you must do the following:

■ Select a remote root broker

■ Copy the root broker /opt/VRTSat/bin/root_hash file to the host on which you are installing the authentication broker

See "Finding and copying the root hash file" in the Installation Guide.

■ Provision identity on the root broker for this authentication broker

See "Provisioning an identity for the authentication broker" in the Installation Guide.

■ Select an administrator password of at least 5 characters for the authentication broker

■ If you intend to configure AT to use a cluster, determine the cluster name

To install authentication broker only

1 Go to the directory in which the installics script is located, and type the following command to invoke installics:

./installics

2 At the task menu, type I to install or upgrade a product.

3 When you are prompted to select a product to install, type 2 to install the Symantec Product Authentication Service.

4 When you are prompted to install the AT server, type y.

5 When you are prompted to select the mode in which AT will be installed, type 3 for the AB mode.
