Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

SFHA Solutions 6.0: Considerations for upgrading secure VCS 5.x clusters

Created: 17 Oct 2012 • Updated: 18 Oct 2012 | 3 comments
Varadarajan's picture

Veritas Cluster Server (VCS) 6.0 simplifies the installation and configuration of secure clusters. Security components are installed as a part of the product package. When you upgrade a secure cluster from VCS 5.x to VCS 6.0 and later, the upgrade process does not migrate the old broker configuration to the new configuration. To learn more about secure cluster upgrade considerations, see:

Comments 3 CommentsJump to latest comment

mikebounds's picture

This post and the links seem to use broker and root broker interchangably, but these are not the same, so in your post it says:

When you upgrade a secure cluster from VCS 5.x to VCS 6.0 and later, the upgrade process does not migrate the old root broker

But link About upgrading secure VCS 5.x clusters to VCS 6.0 and later does not say "root" broker:

When you upgrade a secure VCS 5.x cluster to VCS version 6.0 and later, the upgrade does not migrate the old broker configuration to the new configuration because of the change in architecture

and link Considerations for upgrading secure VCS 5.x clusters to VCS 6.0 and later says

The HA commands that you run in VCS 6.0 and later are processed by the new broker by default. To ensure that the HA commands are processed by the old broker, set the VCS_REMOTE_BROKER environment variable as follows:
# export VCS_REMOTE_BROKER=RootBrokerIPaddress,2821

In VCS 5.x you have to have Authentication brokers (AB) installed locally, but you can additionally have a remote AB to authenticate the user, so the paragraph above starts off by describing one of these, not sure which, but it is definately NOT describing a root broker as a root broker does not do any authentication or processing of HA commands - it just allows you to create new ABs.  But then the VCS_REMOTE_BROKER variable is shown being set to ROOT broker IP.

So I'm very confused by all of this, can you clarify in respect of:

  1. AB on VCS nodes
  2. Remote AB for authentication of VCS users (this is optional in a secure cluster as you can use local AB)
  3. Root broker

Thanks

Mike

UK Symantec Consultant in VCS, GCO, SF, VVR, VxAT on Solaris, AIX, HP-ux, Linux & Windows

If this post has answered your question then please click on "Mark as solution" link below

Varadarajan's picture

Hi Mike, I made small updates to the post and requested the engineer to further clarify on this forum. If need be, I can further update the post.

Thanks,

Varad

PalakAg's picture

Hi Mark,

Thanks for pointing this out. Varad is updating the document to make it more consistent.

Before 6.0, we used to have one Root borker and all the nodes used to be authentication brokers. However 6.0 onwards this achitecture is changed to have all the nodes to act as root+authentication broker. During upgrade, we do not remove the old root or authentication broker from the nodes, as the customer might have setup old for LDAP users.

So if the customer does not want to migrate to new broker for authenticating its users, he can export VCS_REMOTE_BROKER to the old broker.

Regards,

Palak