Environmental Requirements for Symantec Encryption Management Server (formerly PGP Universal Server) clustering

Article:TECH157115  |  Created: 2011-03-31  |  Updated: 2013-04-25  |  Article URL http://www.symantec.com/docs/TECH157115
Article Type
Technical Solution



Problem



Symantec Encryption Management Server (formerly PGP Universal Server) has supported clustering since version 2.0. To cluster reliably, the following requirements must be met.

Note: While it may be possible to create a cluster with one or more of these requirements unmet, such clusters tend to have significantly more issues and should be considered unsupported.


Environment



Any environment which needs several Symantec Encryption Management Servers working together for clustering.


Solution



  1. Each cluster member MUST have its own, unique Fully Qualified Domain Name (FQDN).
  2. This FQDN should be entered as the server's hostname. (This can be modified after install: System => Network => Hostname).
  3. Each cluster member MUST be able to resolve the FQDN of all cluster members using DNS.  This requirement may require adjusting firewall, router or DNS configurations.
  4. The IP address returned for each clustering FQDN MUST have a corresponding pointer back to the FQDN. This means each clustering interface should have two entries (one forward and one reverse) in DNS.
  5. The IP address obtained for each server's FQDN MUST be consistent across the cluster. (Using network address translation, NAT, between cluster members is NOT supported).
  6. Each server needs an SSL certificate for the FQDN of the clustering interface.
  7. Each SSL certificate MUST be current rather than expired. If you are using a VeriSign certificate on any of the servers please see TECH157115 for a known issue related to Overusing certificates.
  8. Each SSL certificate MUST be from a recognized certificate authority. Also verify that the Root and Intermediate CA certificates under which your client certificate is issued are imported into the Trusted Keys section of the Symantec Encryption Management Server.
  9. If you are using self-signed certificates, export the public portion of each server's certificate and import it into the Trusted Keys store on each of the other servers.
  10. Network connections to the clustering interface (and FQDN) MUST NOT go through any sort of load balancer. This may require additional network interfaces configured on the server and static routes set up to route your traffic through multiple gateways. This requires assistance from Symantec Technical Support.
  11. The value entered in the hostname field in the clustering interface MUST be the server's FQDN. (Do not use the IP address).
  12. All cluster members MUST have consistent times. (It is usually easiest to configure all servers to use a single NTP server.) Using an NTP server may require adjusting firewall or router configurations.
  13. Each server MUST have only one network interface on each subnet. You cannot have multiple network interfaces on the same broadcast domain per server. See TECH174335 for more info.
  14. Each server MUST be able to connect to all other servers on port 444. This requirement may require adjusting firewall or router configurations.
  15. ICMP (ping) traffic needs to be allowed between the servers. We use this for troubleshooting network connectivity issues between servers (ping, traceroute). This may require adjusting firewall or router configurations.
  16. When using MPLS (MultiProtocol Label Switching) or a VPN tunnel you MUST lower the MTU (Maximum Transmission Unit) from the default of 1500. This is best done in decrements of 8; 1396 is a recommended value, but research what your MTU settings need to be before lowering them. If this is not done, clustering may fail or perform slowly because packet headers can be stripped.
  17. The database schema MUST match between all cluster members. If you have schema errors reported in the logs please contact Symantec Technical Support to resolve this issue.
  18. If installing a Universal Server Cluster on VMware, VMware Tools MUST be installed before joining the cluster.
  19. If you are running in VMware you cannot use both NTP and VMware Time Sync. Either deactivate time sync or do not use NTP. See TECH149390 for more info on setting correct time on VMware ESXi with VMware Tools.
  20. If you have upgraded the Symantec Encryption Management Server (formerly PGP Universal Server) to version 3.0, 3.2, 3.2.1, or 3.3.0 you will also need to reinstall or reconfigure VMware Tools, due to the kernel upgrades that occur in each of these versions.
  21. When using Directory Synchronization, at least one LDAP server from each configured directory has to be reachable on each of the hosts. Each server has to be able to query all configured directories. These queries are not forwarded through the clustering connection.
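The following POSIX shell script is an added example, not part of the Symantec article, showing how an administrator might pre-flight several of the requirements above before attempting to join a cluster: requirement 1/11 (the value must be an FQDN, not an IP), requirement 4 (forward and reverse DNS must agree), requirement 14 (TCP/444 reachable), requirement 7 (certificate not expired) and requirement 16 (MTU lowered from 1500 in steps of 8). The hostnames, IP addresses and certificate path are constructed placeholders; the script assumes `getent`, `nc` and `openssl` are available on the host it runs from, and the pure check functions take their inputs as arguments so they can be exercised without a resolver.

```shell
#!/bin/sh
# Added example (not the article's or Symantec's own tooling): pre-flight
# checks for Symantec Encryption Management Server clustering requirements.
# Hostnames, IPs and paths below are constructed for illustration only.

# Requirement 1/11: the clustering hostname must be an FQDN, never an IP.
is_fqdn() {
  case "$1" in
    ''|*' '*) return 1 ;;                      # empty or contains whitespace
  esac
  if printf '%s' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then
    return 1                                   # dotted-quad IP address
  fi
  case "$1" in
    *.*) return 0 ;;                           # has at least one label separator
    *)   return 1 ;;                           # bare short hostname
  esac
}

# Requirement 4: forward lookup must give an IP and the reverse lookup of
# that IP must give the same FQDN back. Results are passed in as arguments
# so the rule can be tested offline.
dns_consistent() {
  name=$1; forward_ip=$2; reverse_name=$3
  [ -n "$forward_ip" ] || return 1             # no A record at all
  [ "$reverse_name" = "$name" ]                # PTR must match the FQDN
}

# Requirement 16: MTU must be 1500 or lowered from 1500 in steps of 8
# (1396 = 1500 - 13*8 is the value the article recommends).
mtu_ok() {
  mtu=$1
  [ "$mtu" -le 1500 ] && [ $(( (1500 - mtu) % 8 )) -eq 0 ]
}

# Live wrappers: these need a working resolver and network reachability.
resolve_forward() { getent hosts "$1" | awk '{print $1; exit}'; }
resolve_reverse() { getent hosts "$1" | awk '{print $2; exit}'; }
port_444_open()   { nc -z -w 5 "$1" 444; }     # assumption: nc supports -z/-w

# Requirement 7: certificate file (PEM) must not be expired.
cert_current() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }

# Run every live check against one prospective cluster member.
check_member() {
  host=$1; cert=$2
  is_fqdn "$host" || { echo "FAIL $host: not an FQDN"; return 1; }
  ip=$(resolve_forward "$host")
  rname=$(resolve_reverse "$ip")
  dns_consistent "$host" "$ip" "$rname" \
    || { echo "FAIL $host: forward '$ip' / reverse '$rname' mismatch"; return 1; }
  port_444_open "$host" || { echo "FAIL $host: tcp/444 unreachable"; return 1; }
  cert_current "$cert"  || { echo "FAIL $host: certificate $cert expired"; return 1; }
  echo "OK $host ($ip)"
}

# Usage (constructed names; replace with your own cluster members):
#   check_member pgp1.example.com /path/to/pgp1-cert.pem
#   check_member pgp2.example.com /path/to/pgp2-cert.pem
#   mtu_ok 1396 && echo "MTU 1396 acceptable"
```

Run the script from each cluster member in turn, since requirement 3 demands that every member can resolve every other member itself; a check that passes from an administrator's workstation but not from the server says nothing about the server's own resolver or firewall path.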



