Installing the Cisco Security Manager High Availability Solution
This chapter explains how to install Security Manager in an HA or DR deployment configuration. The following outlines the tasks to complete. You should perform these tasks in order, although some tasks are optional or might not apply, depending on your specific configuration.
•Making Ethernet Connections
•Installing Microsoft Windows Server 2003
•Connecting the Servers to External Storage
•Installing Symantec VERITAS Products
•Mirroring the Boot Disk (Optional)
•VERITAS Volume Manager Configuration Tasks
•Installing Security Manager
•VERITAS Volume Replicator Tasks
•Updating Permissions on the Working Volume
•VERITAS Cluster Server Tasks
Making Ethernet Connections
Step 1 Make the Ethernet connections between the servers and switches according to Figure 1-1 or Figure 1-2, depending on your cluster configuration.
Note Use of a second Ethernet connection to the router/switch network for each server is optional, but it adds an extra level of redundancy in the event of a NIC or local Ethernet switch failure. VERITAS Cluster Server (VCS) includes the IPMultiNicPlus agent. This agent allows setting up multiple NIC cards on a server which provides redundant access for the server to the router/switch network. If a NIC card fails, a cable is removed, or some other failure occurs, VCS can detect the failure and reassign the working virtual IP address to another working NIC card on the server. See the VERITAS Cluster Server Bundled Agents Reference Guide for details on the IPMultiNicPlus agent. The examples in this document only show the case of a single NIC card for network access.
You can also use vendor-specific NIC teaming (IEEE 802.3ad link aggregation) solutions as an alternative.
Step 2 In the case of a dual-node cluster, make the Ethernet cluster communication connections between the servers according to Figure 1-2. When connecting directly between servers, you might not have to use a crossover Ethernet cable, depending on whether the interfaces support automatic crossover detection. Most newer Ethernet interfaces support this feature and allow using a straight through cable when directly connecting to another server.
Installing Microsoft Windows Server 2003
Install one of the supported Microsoft Windows operating systems:
•Windows Server 2003 Standard Edition with SP1 or
•Windows Server 2003 Enterprise Edition with SP1 or
•Windows Server 2003 R2 Standard Edition or
•Windows Server 2003 R2 Enterprise Edition
We recommend that you use the same operating system on all servers.
Note VERITAS Storage Foundation HA requires that you install the operating system in the same path on all systems. For example, if you install Windows 2003 on C:\WINDOWS of one node, installations on all other nodes must be on C:\WINDOWS. Make sure that the same drive letter is available on all nodes and that the system drive has adequate space for the installation.
Connecting the Servers to External Storage
If you are using a dual-node cluster, then shared external storage is required. You may use any storage hardware listed in the Hardware Compatibility List for VERITAS Storage Foundation & High Availability Solutions 4.3 for Windows. Either internal or external storage can be used for a single-node cluster.
Installing Symantec VERITAS Products
Install and configure the Symantec VERITAS products and components. The products and components required vary depending on whether a single local cluster, dual geographic clusters, or replication without clustering configuration is used. Some components are optional, such as the GUI for Volume Manager (VERITAS Enterprise Administrator). See Table 2-1.
Table 2-1 VERITAS Software Components
| VERITAS Product/Component | Single Local Cluster | Dual Geographic Clusters | Replication w/o Clustering |
|---|---|---|---|
| Storage Foundation for Windows | — | — | Required |
| Storage Foundation HA for Windows | Required | Required | — |
| Volume Replicator Option | Not Required | Required | Required |
| Global Cluster Option | Not Required | Required | — |
| Dynamic Multipathing Option | See Note 1 | See Note 1 | See Note 1 |
| VEA (GUI) 2 | Optional | Optional | Optional |
| Cluster Manager (GUI) 2 | Optional | Optional | — |
See the applicable VERITAS release notes and installation guides for prerequisites and installing the VERITAS software.
Note One important prerequisite is that you configure the servers as part of a Windows Server 2003 domain.
Mirroring the Boot Disk (Optional)
Mirroring the boot disk is optional; however, it provides an extra level of protection for a given server. If the boot disk fails, the machine can be recovered quickly by booting from the mirrored alternate boot disk. Mirroring is accomplished by placing the boot disk in a dynamic disk group under VERITAS Volume Manager control and then adding a mirror.
See the section called "Set up a Dynamic Boot and System Volume" in the VERITAS Storage Foundation administrator's guide for details on this procedure.
VERITAS Volume Manager Configuration Tasks
In this section, you configure the necessary disk group and volumes required for the Security Manager application. The configuration varies depending on whether the server involved is the primary server or a secondary server and whether or not replication is involved. You can perform Volume Manager tasks with the VEA GUI or through the command line. For details on using VEA or the command line for these steps see the VERITAS Storage Foundation for Windows administrator's guide.
The following procedures are provided in this section:
•Primary Server (without Replication)
•Primary Servers (with Replication)
•Secondary Servers and the Primary Server in a Secondary Cluster
Primary Server (without Replication)
The procedure in this section applies to the primary server in a single-cluster configuration, where replication is not involved. In a single-cluster configuration, external shared storage is used, which is accessible to all servers in the cluster.
Step 1 Create a disk group with the following characteristics:
•Group Name: datadg
•Type: Dynamic (Cluster)
•Number of Disks: If using software RAID [1], then include at least two disks in the group for mirroring; otherwise, a single logical disk (using hardware RAID) is sufficient. The disks used for this disk group must be accessible to all nodes in the cluster.
Step 2 Create a volume in the datadg disk group with the following characteristics:
•Volume Name: cscopx
•Assigned Drive Letter: <Selected Drive Letter> [2]
•File Type: NTFS
Primary Servers (with Replication)
This procedure applies to the primary servers in a dual geographic configuration where replication is running between the two clusters. For each cluster you can use either a single-node cluster or a cluster with multiple nodes using shared storage; however, this document does not cover the case of a multi-node cluster in a dual geographic configuration.
Perform this procedure on the primary server in both the primary and secondary cluster.
Step 1 Create a disk group with the following characteristics:
•Group Name: datadg
•Type: Dynamic (Cluster) (when using VCS), Dynamic (Secondary) (when not using VCS)
•Number of Disks: If using software RAID1, include at least two disks in the group for mirroring; otherwise, a single logical disk (which uses hardware RAID) is sufficient. If this is a multi-node cluster, then the disks used for this disk group must be accessible to all nodes in the cluster.
Step 2 Create a volume in the datadg disk group with the following characteristics:
•Volume Name: cscopx
•Assigned Drive Letter: <Selected Drive Letter> (for the primary cluster), None (for the secondary cluster)
•File Type: NTFS (for the primary cluster), None (for the secondary cluster)
•Volume Logging: None
Step 3 Create a volume in the datadg disk group for use as a storage replicator log (SRL) with the following characteristics:
•Volume Name: data_srl
•Assigned Drive Letter: None
•File Type: Unformatted
•Volume Logging: None
Note For information on choosing the proper size of the SRL, see the Volume Replicator administrator's guide.
Secondary Servers and the Primary Server in a Secondary Cluster
You must install Security Manager on all secondary servers, as well as the primary server in a secondary cluster. In these cases, you install Security Manager on a spare volume, which is mounted temporarily before installation, then dismounted and not used again until you want to uninstall Security Manager from the server. You must mount the temporary volume on the same drive letter as the one used for the primary server in the primary cluster and must use the same installation path (e.g., F:\Program Files\CSCOpx) during the installation.
Perform the following steps on all secondary servers as well as the primary server in a secondary cluster.
Step 1 If you are not creating the spare volume on an existing disk group, create a new disk group with the following characteristics:
•Group Name: datadg_spare
•Type: Dynamic (Secondary)
•Size: 2GB (The volume only needs to be large enough to install Security Manager)
•Number of Disks: Since this disk group is not used to store application data, a single nonredundant disk is sufficient
Step 2 Create a volume in the disk group with the following characteristics:
•Volume Name: cscopx_spare
•Assigned Drive Letter: <Selected Drive Letter>
•File Type: NTFS
Installing Security Manager
The Security Manager installer detects the presence of VERITAS Storage Foundation and asks you whether you want to install Security Manager in an HA/DR configuration. If you select this option, the only additional information to specify beyond a regular installation is the database password. In a non-HA/DR installation, the database password is autogenerated. However, since the database password must be the same on all servers in the HA/DR configuration, the installer prompts you to specify the password. You must use this same password on all servers in the HA/DR configuration.
Note If you are not using VERITAS, but still want to install Security Manager in the HA/DR mode you can define an environment variable on the server prior to starting the Security Manager installer. Create an environment variable with the name DO_INSTALL_HA and this will trigger the installer to present the HA/DR configuration option.
The HA/DR installation installs the Cisco Security Manager agent for VCS, so VCS recognizes a new CSManager resource type and is able to control and monitor Security Manager.
The HA/DR installation also configures the Security Manager and related services in Windows for a Startup Type of Manual, instead of Automatic, because the VERITAS cluster server instead controls the starting and stopping of Security Manager on each server in the HA/DR configuration. Otherwise, the Security Manager application would try to start on all servers in the HA/DR configuration after any server reboot, when Security Manager should run only on a single server at any given time.
You must install Security Manager on each server in the HA/DR configuration. However, only the primary instance of Security Manager is used and protected in the HA/DR configuration. Other installations are performed to enable the primary instance to run on any of the secondary servers in the configuration.
Two specific cases are covered, depending on whether the server is a primary or secondary server:
•Installing Security Manager on the Primary Server
•Installing Security Manager on Secondary Servers
Installing Security Manager on the Primary Server
This section describes installing the primary instance of Security Manager that is used in production and is protected by the HA/DR configuration.
Step 1 On the primary server in the cluster, import the datadg disk group, if not already imported, using either the VEA GUI or the command line, as follows:
C:\> vxdg import -g datadg
Step 2 Assign the selected drive letter to the cscopx volume using either the VEA GUI or the command line, as follows:
C:\> vxassist -g datadg assign cscopx DriveLetter=<Selected Drive Letter>:
Step 3 Install Security Manager according to the Security Manager Installation Guide, while noting the following HA specific items.
a. When prompted whether to install Security Manager for HA, indicate yes by checking the box.
b. When prompted for the installation directory, specify: <Selected Drive Letter>:\Program Files\CSCOpx.
c. When prompted to specify the database password, choose an appropriate password and remember it; you will use this password for all Security Manager servers in the HA/DR configuration.
Note Near the end of the Security Manager installation, you might see a message that you are using a multihomed server and that you must update the gatekeeper.cfg file. You can ignore this message, because the online script used in the HA/DR configurations modifies this file.
Step 4 After Security Manager has been installed, reboot the server.
Step 5 After the reboot, start Security Manager using the following command:
Note It is necessary to start Security Manager to complete configuration of the Windows registry entries needed for Security Manager to correctly operate.
Step 6 Allow 5 to 10 minutes for Security Manager to complete startup, then log in to the application's web interface using the following URL: http://<server hostname or IP address>:1741. Verify that you can successfully log in.
Step 7 Log out of the application's web interface, then stop Security Manager using the following command:
Installing Security Manager on Secondary Servers
Installing Security Manager on secondary servers is similar to installing it on a primary server, with one important difference. You install Security Manager onto a spare volume (cscopx_spare) associated with the specific secondary server, which is used again only if you want to upgrade or uninstall Security Manager. This spare volume must be large enough to hold the Security Manager application with an empty database (~2 GB). You can create the spare volume on the datadg disk group if enough space is available or, preferably, on a separate disk group.
Step 1 On the secondary server, import the disk group that contains the cscopx_spare volume, if it is not already imported, using either the VEA GUI or the command line, as follows:
C:\> vxdg import -g<DiskGroupName>
Step 2 Assign the selected drive letter to the cscopx_spare volume using either the VEA GUI or the command line, as follows:
C:\> vxassist -g<DiskGroupName> assign cscopx_spare DriveLetter=<Selected Drive Letter>:
Step 3 Install Security Manager according to the Security Manager Installation Guide, noting the following HA-specific items.
a. When prompted whether to install Security Manager for HA, indicate yes by checking the box.
b. When prompted for the installation directory specify: <Selected Drive Letter>:\Program Files\CSCOpx.
c. When prompted to specify the database password, choose the same password you chose for the primary server.
Step 4 After Security Manager has been installed, reboot the server.
Step 5 After the reboot, start Security Manager using the following command:
Note It is necessary to start Security Manager to complete configuration of the Windows registry entries needed for Security Manager to correctly operate.
Step 6 Allow 5 to 10 minutes for Security Manager to complete startup, then log in to the application's web interface using the following URL: http://<server hostname or IP address>:1741. Verify that you can successfully log in.
Step 7 Log out of the application's web interface, then stop Security Manager using the following command:
Step 8 After installation is complete, unassign the drive letter from the spare volume using either the VEA GUI or the command line, as follows:
C:\> vxassist -g<DiskGroupName> unassign cscopx_spare
VERITAS Volume Replicator Tasks
The tasks covered in this section apply only to the case of a dual geographic cluster configuration where replication is running between the clusters.
Step 1 Using VEA, connect to the primary and secondary hosts.
Step 2 Select Replication Network from the tree, select the Setup Replicated Data Set wizard from the toolbar, and then specify the following on the first panel of the wizard:
•Replicated Data Set Name: CSM_RDS
•Replicated Volume Group name: CSM_RVG
•Select the primary host from the drop-down list.
Step 3 Click Next, and on the Volume to Replicate panel of the wizard, specify the following:
•Dynamic Disk Group: datadg
•Volumes: cscopx
Step 4 Click Next, and on the Storage Replicator Log panel, specify the following:
•Volume for the Replicator Log: data_srl
Step 5 Click Next, review the summary information, and then click Create Primary RVG to create the RVG.
Step 6 After successfully creating the Primary RVG, click Yes when prompted to add a secondary host to the RDS.
Step 7 On the Specify Secondary host for replication panel, enter the name or IP address of the secondary host in the Secondary Host field.
Step 8 Click Next, and on the edit replication settings panel, specify the following: [3]
•Primary side IP: <IP address of the primary server>
•Secondary side IP: <IP address of the secondary server>
•Replication Mode: Asynchronous
•Replicator Log Protection: <Choose from Off, Fail, DCM, AutoDCM (Default), Override>. See the Volume Replicator administrator's guide for descriptions of each choice.
Step 9 Click Next to start replication with the default settings. Select Synchronize Automatically and make sure Start Replication is checked.
Step 10 Click Next to display the Summary page, and then click Finish.
Updating Permissions on the Working Volume
When Security Manager is installed, it creates a special local user (casuser) and group (casusers) for running Security Manager. To run the protected instance of Security Manager on secondary servers, you must add the local casusers group permissions to the cscopx volume.
Two procedures are provided, depending on whether you are using shared storage or replication:
•Shared Storage
•Replication
Shared Storage
Use this procedure to add the local casusers group permissions for a secondary server when using shared storage.
Step 1 Stop Security Manager if it is running on the primary server.
Step 2 Deport the datadg disk group from the primary server.
C:\> vxdg -gdatadg deport
Step 3 Import the datadg disk group onto the secondary server.
C:\> vxdg -gdatadg import
Step 4 Assign the primary volume (cscopx) to the selected drive letter using either the VEA GUI or the command line, as follows:
C:\> vxassist -gdatadg assign cscopx DriveLetter=<Selected Drive Letter>:
Step 5 From Windows Explorer, right-click the <Selected Drive Letter>:\Program Files\CSCOpx folder and choose the Sharing and Security menu item.
Step 6 The folder properties dialog box appears. Select the Security Tab, and then click the Add button.
Step 7 In the Select Users or Groups dialog box, click the Location button, and then select the local server from the selection tree.
Step 8 Enter casusers in the enter object names text box, and then click Check Names. The text box should then display <ServerName>\casusers. Click the OK button.
Step 9 Making sure casusers is selected, click the Full Control check box under Allow to grant the casusers group full control.
Step 10 Click the Advanced button. Under the Advanced Settings, select the Replace permission entries on all child objects with entries shown here that apply to child objects check box. Click Apply and wait for the permissions to propagate to all child objects under the CSCOpx directory. When propagation is complete, click OK.
Note While the permissions are being updated you may encounter an error dialog with the title "Error Applying Security" with the message "An error occurred applying security information to: <Selected Drive Letter>:\Program Files\CSCOpx\log\dcr.log. Access is denied.". You can safely ignore this error and click Continue on the error dialog to complete the process of updating permissions.
Step 11 Click OK to dismiss the CSCOpx Properties dialog box.
Step 12 Unassign the drive letter from the cscopx volume.
C:\> vxassist -gdatadg unassign cscopx
Step 13 Deport the datadg disk group from the secondary server.
C:\> vxdg -gdatadg deport
Step 14 Import the datadg disk group onto the primary server.
C:\> vxdg -gdatadg import
Step 15 Assign the primary volume (cscopx) to the selected drive letter using either the VEA GUI or the command line, as follows:
C:\> vxassist -gdatadg assign cscopx DriveLetter=<Selected Drive Letter>:
Replication
Use this procedure to add the local casusers group permissions for a secondary server when using replication.
Step 1 Stop Security Manager services if they are running on the primary server.
Step 2 Unassign the drive letter from the cscopx volume.
C:\> vxassist -gdatadg unassign cscopx
Step 3 Migrate the replication primary to the secondary.
C:\> vxrds -gdatadg migrate CSM_RVG <new primary hostname or IP address>
Step 4 Assign the selected drive letter to the cscopx volume on the secondary.
C:\> vxassist -gdatadg assign cscopx DriveLetter=<Selected Drive Letter>:
Step 5 From Windows Explorer, right-click the <Selected Drive Letter>:\Program Files\CSCOpx folder and choose the Sharing and Security menu item.
Step 6 The folder properties dialog box appears. Select the Security Tab and click the Add button.
Step 7 In the Select Users or Groups dialog box click the Location button, and select the local server from the selection tree.
Step 8 Enter casusers in the enter object names text box, and then click Check Names. The text box should then display <ServerName>\casusers. Click the OK button.
Step 9 Making sure casusers is selected, click the Full Control check box under Allow to grant the casusers group full control.
Step 10 Click the Advanced button. Under the Advanced Settings, select the Replace permission entries on all child objects with entries shown here that apply to child objects check box. Click Apply and wait for the permissions to be propagated to all child objects under the CSCOpx directory. When propagation is complete, click OK.
Note While the permissions are being updated you may encounter an error dialog with the title "Error Applying Security" with the message "An error occurred applying security information to: <Selected Drive Letter>:\Program Files\CSCOpx\log\dcr.log. Access is denied.". You can safely ignore this error and click Continue on the error dialog to complete the process of updating permissions.
Step 11 Click OK to dismiss the CSCOpx Properties dialog box.
Step 12 Unassign the drive letter from the cscopx volume.
C:\> vxassist -gdatadg unassign cscopx
Step 13 Migrate the replication back to the primary server.
C:\> vxrds -gdatadg migrate CSM_RVG <new primary hostname or IP address>
Step 14 Assign the selected drive letter to the cscopx volume on the primary server.
C:\> vxassist -gdatadg assign cscopx DriveLetter=<Selected Drive Letter>:
VERITAS Cluster Server Tasks
This section covers the steps required to set up and configure the VERITAS cluster(s). Two specific scenarios are described:
•Single Local Cluster (Dual-Node) Configuration
•Dual Geographic Cluster Configuration
Single Local Cluster (Dual-Node) Configuration
This section specifically covers the setup and configuration of the VERITAS cluster for the case of a single, local cluster with two nodes in the cluster (primary and secondary). This section covers the following procedures:
•Creating the Cluster
•Creating the Application Service Group
•Creating the ClusterService Group (Optional)
Creating the Cluster
Step 1 Create a new cluster using the VCS Configuration wizard, where:
•Cluster Name = CSManager_Primary
•Cluster ID = 0
Include the primary and secondary servers in the definition of the cluster. Part of the cluster definition in the wizard is to specify the NICs for the private network. VCS uses a private network for communications between cluster nodes for cluster maintenance. You can also assign one of the network Ethernet interfaces to act as low-priority cluster communications interface in case all of the dedicated cluster communication interfaces fail.
Step 2 Start the Cluster Manager using Start > All Programs > VERITAS > VERITAS Cluster Manager - Java Console and login to the cluster.
Step 3 Using the Cluster Manager import the CSManager resource type using File > Import Types. Browse to the CSManagerTypes.cf file located under $VCS_ROOT\cluster server\conf\config and click Import.
Creating the Application Service Group
Step 1 Add a service group called APP, and include both servers for this service group with the startup option checked for each server and the service group type of Failover.
Step 2 Add the NIC resource and select the Critical and Enabled check boxes.
•Resource Name = NIC
•Resource Type = NIC
•MACAddress = <MAC address of the NIC used for accessing the Security Manager application>, which is defined uniquely for each server in the cluster.
Note You can find the MAC address associated with each Ethernet interface using the DOS-level command: ipconfig -all.
Step 3 Add the IP resource and select the Critical and Enabled check boxes.
•Resource Name = APP_IP
•Resource Type = IP
•Address = <Virtual IP address allocated for use by the Security Manager application>
•SubNetMask = <subnet mask>
•MACAddress = <MAC Address of the NIC used for accessing the Security Manager application>, which is defined for each server in the cluster.
Step 4 Add the VMDg Resource with Critical and Enabled checked.
•Resource Name = datadg
•Resource Type = VMDg
•DiskGroupName = datadg
Step 5 Add the MountV Resource and select the Critical and Enabled check boxes.
•Resource Name = APP_MountV
•Resource Type = MountV
•Mount Path = <Selected Drive Letter>:\
•Volume Name = cscopx
•VMDg Resource Name = datadg
•ForceUnmount = {NONE, READ-ONLY, ALL} [4]
Step 6 Add the RegRep resource and select the Critical and Enabled check boxes.
•Resource Name = APP_RegRep
•MountResName = APP_MountV
•ReplicationDirectory = \REGREP\DEFAULT
•Keys = HKLM\Software\JavaSoft\Prefs\vms
Note Security Manager stores client user preferences in the server registry under HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Prefs\vms. The registry replication agent (RegRep) monitors changes to the specified registry location on the active server and synchronizes these changes to a secondary server in the event of a failover.
Step 7 Add the CSManager resource and select the Critical and Enabled check boxes.
•Resource Name = APP_CSManager
•Resource Type = CSManager
•PathName = <Selected Drive Letter>:\Program Files\CSCOpx
•EventIPAddress = The same IP Address as used in APP_IP
•CertificateDir = See Security Certificates for SSL, page 3-2 for an explanation of this attribute.
Step 8 Link APP_CSManager as the parent of APP_RegRep.
Step 9 Link APP_RegRep as the parent of APP_MountV.
Step 10 Link APP_MountV as the parent of datadg.
Step 11 Link APP_CSManager as the parent of APP_IP.
Step 12 Link APP_IP as the parent of NIC.
See Figure A-1 on page A-2.
Creating the ClusterService Group (Optional)
You can optionally configure a ClusterService group to run the following optional components:
•Cluster Manager (Web Console)
•Notification
You can use the VCS Configuration wizard to configure these components. See the VERITAS Cluster Server administrator's guide for details. The notification service is useful because it can notify you of events happening in the cluster either through email or SNMP traps.
Dual Geographic Cluster Configuration
This section specifically covers the setup and configuration of the VERITAS cluster for the case of two clusters geographically separated with a single node in each cluster.
Note You can also create dual geographic cluster configurations with multiple nodes within one or both clusters.
This section covers the following procedures:
•Creating the Primary and Secondary Clusters
•Creating the ClusterService Group
•Creating the Replication Service Group
•Creating the Application Service Group
•Creating the Cluster Level Configuration
Creating the Primary and Secondary Clusters
Step 1 Create a new cluster on the primary server (in the primary cluster) using the VCS Configuration wizard, where:
•Cluster Name = CSManager_Primary
•Cluster ID = 0
Step 2 Create a new cluster on the primary server (in the secondary cluster) using the VCS Configuration wizard, where:
•Cluster Name = CSManager_Secondary
•Cluster ID = 1
Step 3 In the primary cluster, start the Cluster Manager using Start > All Programs > VERITAS > VERITAS Cluster Manager - Java Console and login to the cluster.
Step 4 Using the Cluster Manager import the CSManager resource type using File > Import Types. Browse to the CSManagerTypes.cf file located under $VCS_ROOT\cluster server\conf\config and click Import.
Step 5 Repeat Steps 3 and 4 for the secondary cluster.
Creating the ClusterService Group
Perform these steps on both the primary and secondary clusters.
Note As an alternate method to the procedures in this section, you can use the VCS Configuration wizard for creating the ClusterService group and wac resource for intercluster communications. You can also configure the optional Cluster Manager (Web Console) and Notification components with the VCS Configuration wizard. See the VERITAS Cluster Server administrator's guide.
Step 1 Add a service group called ClusterService.
Step 2 Add the NIC resource
•Resource Name = NIC
•Resource Type = NIC
•MACAddress = <MAC Address of the NIC card>
Note You can find the MAC address associated with each Ethernet interface using the DOS-level command: ipconfig -all.
Step 3 Add the IP resource
•Resource Name = VCS_IP
•Resource Type = IP
•Address = <Virtual IP address allocated for the cluster>
•SubNetMask = <subnet mask>
•MACAddress = <MAC Address of the corresponding NIC card>
Step 4 Add the wac resource
•Resource Name = wac
•Resource Type = Process
•StartProgram = C:\Program Files\VERITAS\Cluster Server\bin\wac.exe
•StopProgram = C:\Program Files\VERITAS\Cluster Server\bin\wacstop.exe
•MonitorProgram = C:\Program Files\VERITAS\Cluster Server\bin\wacmonitor.exe
Step 5 Link wac as the parent of VCS_IP.
Step 6 Link VCS_IP as the parent of NIC.
See Figure A-4 on page A-4.
Creating the Replication Service Group
Perform these steps on both the primary and secondary clusters.
Step 1 Add a service group called APPrep.
Step 2 Add the Proxy resource
•Resource Name = VVR_NIC_Proxy
•Resource Type = Proxy
•TargetResName = NIC
Step 3 Add the IP resource
•Resource Name = VVR_IP
•Resource Type = IP
•Address = <Virtual IP address allocated for replication>
•SubNetMask = <subnet mask>
•MACAddress = <MAC Address of the corresponding NIC card>
Step 4 Add the VMDg resource
•Resource Name = datadg
•Resource Type = VMDg
•DiskGroupName = datadg
Step 5 Add the VvrRvg resource
•Resource Name = APP_RVG
•Resource Type = VvrRvg
•RVG = CSM_RVG
•VMDgResName = datadg
•IPResName = VVR_IP
Step 6 Link VVR_IP as the parent of VVR_NIC_Proxy.
Step 7 Link APP_RVG as the parent of VVR_IP.
Step 8 Link APP_RVG as the parent of datadg.
See Figure A-3 on page A-3.
Creating the Application Service Group
Perform these steps on both the primary and secondary clusters.
Step 1 Add a service group called APP.
Step 2 Add the RVG primary resource
•Resource Name = APP_RVGPrimary
•Resource Type = RVGPrimary
•RvgResourceName = APP_RVG
Step 3 Add the MountV resource
•Resource Name = APP_MountV
•Resource Type = MountV
•Mount Path = <Selected Drive Letter>:\
•Volume Name = cscopx
•VMDg Resource Name = datadg
Step 4 Add the RegRep resource and select the Critical and Enabled check boxes.
•Resource Name = APP_RegRep
•MountResName = APP_MountV
•ReplicationDirectory = \REGREP\DEFAULT
•Keys = HKLM\Software\JavaSoft\Prefs\vms
Note Security Manager stores client user preferences in the server registry under HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Prefs\vms. The registry replication agent (RegRep) monitors changes to the specified registry location on the active server and synchronizes these changes to a secondary server in the event of a failover.
Step 5 Add the Proxy resource
•Resource Name = APP_NIC_Proxy
•Resource Type = Proxy
•TargetResName = NIC
Step 6 Add the IP resource
•Resource Name = APP_IP
•Resource Type = IP
•Address = <Virtual IP address allocated for the application>
•SubNetMask = <subnet mask>
•MACAddress = <MAC Address of the corresponding NIC card>
Step 7 Add the CSManager resource
•Resource Name = APP_CSManager
•Resource Type = CSManager
•PathName = <Selected Drive Letter>:\Program Files\CSCOpx
•EventIPAddress = The same IP address as you used in APP_IP
•CertificateDir = See Security Certificates for SSL, page 3-2 for an explanation of this attribute.
Step 8 Link APP_MountV as the parent of APP_RVGPrimary.
Step 9 Link APP_RegRep as the parent of APP_MountV.
Step 10 Link APP_CSManager as the parent of APP_RegRep.
Step 11 Link APP_IP as the parent of APP_NIC_Proxy.
Step 12 Link APP_CSManager as the parent of APP_IP.
See Figure A-2 on page A-3.
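The "Link X as the parent of Y" steps for the single local cluster and the dual geographic clusters can be checked after configuration by comparing them with the dependencies the cluster reports. The following Python script is an added example, not part of the Cisco or VERITAS documentation; it assumes that `hares -dep` prints whitespace-separated Group, Parent, Child rows under a #-prefixed header, and the sample output in it is constructed.

```python
"""Check VCS resource links against the dependency steps in this chapter.

Added example, not Cisco or VERITAS code. Assumption: `hares -dep` prints
whitespace-separated "Group Parent Child" rows under a '#'-prefixed header.
"""
from collections import defaultdict

# (group, parent, child) links from the "Link X as the parent of Y" steps.
SINGLE_CLUSTER = {
    ("APP", "APP_CSManager", "APP_RegRep"),
    ("APP", "APP_RegRep", "APP_MountV"),
    ("APP", "APP_MountV", "datadg"),
    ("APP", "APP_CSManager", "APP_IP"),
    ("APP", "APP_IP", "NIC"),
}
DUAL_GEOGRAPHIC = {
    ("ClusterService", "wac", "VCS_IP"),
    ("ClusterService", "VCS_IP", "NIC"),
    ("APPrep", "VVR_IP", "VVR_NIC_Proxy"),
    ("APPrep", "APP_RVG", "VVR_IP"),
    ("APPrep", "APP_RVG", "datadg"),
    ("APP", "APP_MountV", "APP_RVGPrimary"),
    ("APP", "APP_RegRep", "APP_MountV"),
    ("APP", "APP_CSManager", "APP_RegRep"),
    ("APP", "APP_IP", "APP_NIC_Proxy"),
    ("APP", "APP_CSManager", "APP_IP"),
}


def parse_hares_dep(text):
    """Return the set of (group, parent, child) rows in `hares -dep` output."""
    links = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or column header
        if len(fields) != 3:
            raise ValueError(f"unexpected row: {line!r}")
        links.add(tuple(fields))
    return links


def compare(actual, expected):
    """Return (missing, unexpected) links, each sorted for stable reporting."""
    return sorted(expected - actual), sorted(actual - expected)


def online_order(links, group):
    """Order in which a group's resources can be brought online.

    A parent depends on its children, so children come first. Raises
    ValueError if the links contain a cycle.
    """
    children = defaultdict(set)
    nodes = set()
    for grp, parent, child in links:
        if grp == group:
            children[parent].add(child)
            nodes.update((parent, child))
    order, state = [], {}  # state: 1 = being visited, 2 = finished

    def visit(node):
        if state.get(node) == 2:
            return
        if state.get(node) == 1:
            raise ValueError(f"dependency cycle through {node}")
        state[node] = 1
        for child in sorted(children[node]):
            visit(child)
        state[node] = 2
        order.append(node)

    for node in sorted(nodes):
        visit(node)
    return order


# Constructed sample: a single-cluster APP group in which the APP_IP -> NIC
# link was skipped and APP_MountV was also linked directly under APP_CSManager.
SAMPLE_OUTPUT = """\
#Group   Parent          Child
APP      APP_CSManager   APP_RegRep
APP      APP_RegRep      APP_MountV
APP      APP_MountV      datadg
APP      APP_CSManager   APP_IP
APP      APP_CSManager   APP_MountV
"""

if __name__ == "__main__":
    missing, unexpected = compare(parse_hares_dep(SAMPLE_OUTPUT), SINGLE_CLUSTER)
    for grp, parent, child in missing:
        print(f"MISSING    {grp}: {parent} requires {child}")
    for grp, parent, child in unexpected:
        print(f"UNEXPECTED {grp}: {parent} requires {child}")
    print("online order:", " -> ".join(online_order(SINGLE_CLUSTER, "APP")))
```

A missing link matters for failover: without APP_IP depending on NIC, for example, a NIC fault does not propagate to the resources above it.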
Creating the Cluster Level Configuration
Step 1 Link the APP service group as the parent of the APPrep service group with an online local firm dependency. Perform this step on both the primary and secondary clusters.
Step 2 Under the cluster properties specify the cluster address, which is the same IP address that you used in the VCS_IP resource.
Step 3 From the primary cluster use the Remote Cluster Configuration wizard (Edit > Add/Delete Remote Cluster) to add the secondary cluster.
Step 4 From the primary cluster configure the APP service group as a global group using the Global Group Configuration wizard (Edit > Configure Global Groups).
See Figure A-5 on page A-4.
[1] The use of software RAID 5 is not recommended.
[2] You can choose any available drive letter; however, the drive letter must be the same on all systems.
[3] For the primary and secondary side IP addresses you can specify the fixed IP addresses of the NIC cards. However, if you use VERITAS Cluster Server, you must go back later and update the IP address to use virtual IP addresses under VCS control. Do this from VEA by selecting the secondary RVG in the tree and then selecting Actions > Change Replication Settings.
[4] Defines whether the agent unmounts the volume forcibly when it is being used by other applications. The following choices are available:
•NONE: The agent does not unmount the volume if an application is accessing it.
•READ-ONLY: The agent unmounts the volume if applications are accessing it in a read-only mode.
•ALL: The agent unmounts the volume regardless of the type of access an application has.
Default is NONE. If the volume cannot be unmounted, automatic failover to the secondary server might be prevented, so you might want to select a value of READ-ONLY or ALL.