Environmental Requirements for Symantec Encryption Management Server (previously PGP Universal Server) clustering

Article:TECH157115  |  Created: 2011-03-31  |  Updated: 2013-12-05  |  Article URL http://www.symantec.com/docs/TECH157115
Article Type
Technical Solution



Issue



Symantec Encryption Management Server (previously PGP Universal Server) has supported clustering since version 2.0. To have a reliable cluster the following requirements need to be met.

Note: While it may be possible to create a cluster with one or more of these requirements unmet, such clusters tend to have significantly more issues and should be considered unsupported.


Environment



Any environment which needs several Symantec Encryption Management Servers (previously PGP Universal Servers) working together for clustering.


Solution



Network Requirements

1. Network interface subnets & broadcast domain
Each server MUST have only one network interface on each subnet. You cannot have multiple network interfaces on the same broadcast domain per server. SeeTECH174335 for more info.

2. Server-to-server connectivity
Each server MUST be able to connect to all other servers on port 444. This requirement may require adjusting firewall or router configurations.

3. Ping
It is helpful to have ICMP (ping) traffic allowed between the servers. This is used for troubleshooting network connectivity issues between servers (ping, traceroute commands). This may require adjusting firewall or router configurations.

4. MTU size
When using MPLS (MultiProtocol Label Switching) or a VPN tunnel you MUST lower the MTU (Maximum Transmission Unit) instead of 1500. This is best if done in increments of 8. A recommendation would be 1396. But make sure you research what is required for your MTU settings to be lowered. If this is not done clustering may fail or perform slowly as packet headers can be stripped.

 

Name Resolution Requirements

5. Unique server names
Each cluster member MUST a unique Fully Qualified Domain Name (FQDN).

6. Hostname is Fully Qualified Domain Name
The FQDN should be entered as the server's hostname. (This can be modified after install: System => Network => Hostname).

7. Name resolution required
Each cluster member MUST be able to resolve the FQDN of all cluster members using DNS.  This requirement may require adjusting firewall, router or DNS configurations.

8. Reverse DNS required
The IP address returned for each clustering FQDN MUST have a corresponding PTR record in DNS resolving back to the FQDN. This means each clustering interface should have two entries (one forward and one reverse) in DNS.

9. No network address translation (NAT)
The IP address obtained for each server's FQDN MUST be consistent across the cluster.  Using network address translation, NAT, between cluster members is NOT supported.

10. Use fully qualified names to set up cluster, not IP address
The value entered in the hostname field in the clustering interface MUST be the server's FQDN. (Do not use the IP address).

 

SSL Certificate Requirements

11. SSL certificate required
Each server needs an SSL certificate, and the name on the certificate should match the FQDN of the clustering interface.

12. Current SSL Certificate 
Each SSL certificate MUST be current rather than expired.  

13. Trusted certificates (including possible root certificate update for Verisign)
Each SSL certificate MUST be from a recognized certificate authority.  Also verify that the Root and Intermediate CA certificates that your client certificate is issued under is imported into the Trusted Keys section of the Symantec Encryption Management Server (previously PGP Universal Server).  If you are using a VeriSign certificate on any of the servers please see TECH194325 for a known issue related to using VeriSign certificates.

14. Self-signed certificates must be trusted
If you are using self-signed certificates, you will want to export the public portion of each server's certificate and then import that into the Trusted Keys store on each server.

 

Directory Synchronization Requirement

15. LDAP servers reachable on all cluster members
When using Directory Synchronization, at least one LDAP server from each configured directory has to be reachable on each of the hosts. Each server has to be able to query all configured directories. These queries are not forwarded through the clustering connection.

 

Load balancer Requirement

16. No load balancing for cluster interfaces 
Network connections to the clustering interface (and FQDN) MUST NOT go through any sort of load balancer (either as the gateway or during later network routing). This may require additional network interfaces configured on the server and static routes setup to route your traffic through multiple gateways.  This requires assistance from Symantec Technical Support.

 

Database Schema Requirement

17. Matching database schema 
The database schema MUST match between all cluster members. If you have schema errors reported in the logs please contact Symantec Technical Support to resolve this issue.

 

VMTools and Time Requirements

18. Consistent time between cluster members
All cluster members MUST have consistent time configuration. (It is usually easiest to configure all server to use a single NTP server.) Using an NTP server may require adjusting firewall or router configurations.

19. NTP or VMware time sync (not both)
If you are running in VMWare you cannot use both NTP and VMWare Time Sync. Either deactivate time sync or do not use NTP.  See TECH149390 for more info on setting correct time on VMWare ESXi with VMWare Tools.

20. VMware tools must be installed
If installing a Universal Server Cluster on VMWare then VMWare Tools MUST be installed before joining the cluster. Please see TECH176852 for more information.

21. After server upgrade, VMware tools reinstall may be needed
If you have done an upgrade of the Symantec Encryption Management Server (formerly PGP Universal Server) from an older version to version 3.0, 3.2, 3.2.1, or 3.3.0 you will also need to reinstall or reconfigure the VMWare Tools due to the kernel upgrades that occur in each of these versions. Please see TECH200495 for more information.

 

 





Article URL http://www.symantec.com/docs/TECH157115


Terms of use for this information are found in Legal Notices