manualshive.com logo in svg

Novell BUSINESS CONTINUITY CLUSTERING FOR NETWARE 1.1 - ADMINISTRATION, Manual

The Novell BUSINESS CONTINUITY CLUSTERING FOR NETWARE 1.1 - ADMINISTRATION manual is available for free download on manualshive.com. This comprehensive guide will help you navigate the administration of your NetWare system with ease. Get your manual today and ensure your business continuity with confidence.

Share
Download
background image

Security Considerations

C

no

vd

ocx (

e

n)

  1

1

 Decemb

er

 2

007

91

C

Security Considerations

This section contains specific instructions on how to configure and maintain a Business Continuity 
Cluster in the most secure way possible. It contains the following subsections:

Š

Section C.1, “Security Features,” on page 91

Š

Section C.2, “Security Configuration,” on page 91

Š

Section C.3, “Other Security Considerations,” on page 96

C.1  Security Features

The following table contains a summary of the security features of BCC 1.1:

Table C-1   

BCC 1.1 Security Features

C.2  Security Configuration

The following subsections provide a summary of security-related configuration settings for BCC 
1.1:

Š

Section C.2.1, “BCC Configuration Settings,” on page 92

Š

Section C.2.2, “Security Information for Other Products,” on page 95

Feature

Yes/No

Details

Users are authenticated

Yes

Administrative users are authenticated via 
eDirectory™.

Users are authorized

Yes

Users are authorized via eDirectory trustees.

Access to configuration information is 
controlled

Yes

Access to the administrative interface is 
restricted to valid users that have write rights 
to the configuration files.

Roles are used to control access

Yes

Configurable through iManager

Logging and/or security auditing is done

Yes

 Syslog on Linux. Fake syslog on NetWare.

Data on the wire is encrypted by default

Yes

The following data is encrypted on the wire:

Š

Intercluster communications

Š

IDM data can be encrypted

Data stored is encrypted 

No

Passwords, keys, and any other 
authentication materials are stored 
encrypted

Yes

Intercluster communications for usernames 
and passwords are encrypted. Cluster 
credentials are stored encrypted in eDirectory.

Security is on by default

Yes

Summary of Contents for BUSINESS CONTINUITY CLUSTERING FOR NETWARE 1.1 - ADMINISTRATION

Page 1: ...l c o m novdocx en 11 December 2007 Novell Business Continuity Clustering 1 1 for NetWare Administration Guide Business Continuity Clustering for NetWare 1 1 F e b r u a r y 1 5 2 0 0 8 A D M I N I S...

Page 2: ...t or re export to entities on the current U S export exclusion lists or to any embargoed or terrorist countries as specified in the U S export laws You agree to not use deliverables for prohibited nuc...

Page 3: ...ll Trademarks For Novell Trademarks see the Novell Trademark and Service Mark list http www novell com company legal trademarks tmlist html Third Party Materials All third party trademarks are the pro...

Page 4: ...novdocx en 11 December 2007...

Page 5: ...nuity Cluster Component Locations 25 2 4 Configuring File System Mirroring 25 2 4 1 Configuring NSS Mirroring 26 2 4 2 Configuring SAN Based Mirroring 29 2 4 3 LUN Masking 29 2 5 Setting Up Novell Bus...

Page 6: ...ters Not Functional 65 4 14 Resource Does Not Migrate to Another Cluster 65 4 15 Resource Cannot Be Brought Online 65 4 16 Dumping Syslog on NetWare 66 4 17 Slow Failovers 66 4 18 Resource Script Sear...

Page 7: ...B Setting Up Auto Failover 87 B 1 Enabling Auto Failover 87 B 2 Creating an Auto Failover Policy 88 B 3 Refining the Auto Failover Policy 88 B 4 Adding or Editing Monitor Configurations 89 C Security...

Page 8: ...8 Novell Business Continuity Clustering 1 1 for NetWare Administration Guide novdocx en 11 December 2007...

Page 9: ...installing configuring and managing Novell Cluster Services Feedback We want to hear your comments and suggestions about this manual and the other documentation included with this product Please use...

Page 10: ...10 Novell Business Continuity Clustering 1 1 for NetWare Administration Guide novdocx en 11 December 2007...

Page 11: ...have to be carefully planned and replicated One mistake and the redundant site is no longer able to effectively take over in the event of a disaster 1 1 Disaster Recovery Implications The implication...

Page 12: ...isaster occurs in one data center the other automatically takes over Figure 1 1 Stretch Cluster Cluster of Clusters A cluster of clusters consists of two or more clusters in which each cluster is loca...

Page 13: ...ibre Channel Switch Fibre Channel Disk Arrays Building A Building B Server 2A Ethernet Switch Server 3A Server 1A Server 4A Fibre Channel Switch Fibre Channel Disk Arrays Disk blocks Ethernet Switch W...

Page 14: ...in a separate eDirectory tree IP addresses for each cluster can be on different IP subnets It accommodates more than two sites and cluster resources can fail over to separate clusters multiple site f...

Page 15: ...g software provides the following advantages Integrates with SAN hardware devices to automate the failover process using standards based mechanisms such as SMI S Utilizes Novell Identity Manager techn...

Page 16: ...arios include A Two Site Business Continuity Cluster Solution A Multiple Site Business Continuity Cluster Solution A Low Cost Business Continuity Cluster Solution Two Site Business Continuity Cluster...

Page 17: ...ks is typically done by SAN vendors but can be done by host based mirroring for synchronous replication over short distances The illustration below depicts a four site business continuity cluster Serv...

Page 18: ...and hotels Low Cost Business Continuity Cluster Solution The low cost business continuity cluster solution is similar to the previous two solutions but replaces Fibre Channel arrays with iSCSI arrays...

Page 19: ...ection 2 1 1 NetWare 6 5 SP 5 or SP 6 OES 1 SP2 or SP3 NetWare on page 19 Section 2 1 2 Novell eDirectory 8 8 on page 20 Section 2 1 3 Novell Cluster Services 1 8 2 for NetWare on page 20 Section 2 1...

Page 20: ...erface separately The CLI for the SAN might not initially be included with your hardware Also some SAN hardware may not be SMI S compliant and can t be managed using SMI S commands The recommended con...

Page 21: ...xec ncf File The sys system autoexec ncf file must be modified so that the call to sys bin unixenv ncf is before the calls to openwbem ncf and ldbcc ncf 2 1 9 Shared Disk Systems For Business Continui...

Page 22: ...e 25 for specific information on where to install IDM components NOTE Filtered eDirectory replicas are not supported with this version of Business Continuity Cluster software Full replicas are require...

Page 23: ...the following sections Section 2 3 1 Business Continuity Cluster Licensing on page 23 Section 2 3 2 Running the Business Continuity Cluster Installation Program on page 23 Section 2 3 3 Business Cont...

Page 24: ...uished name for the cluster where you want to install the core software files If you don t know the fully distinguished name for the cluster you can browse and select it 6 Select the servers in the cl...

Page 25: ...ach method has its own strengths and weaknesses After considering the different methods you will need to choose either host based mirroring or SAN based mirroring also called array based mirroring and...

Page 26: ...e mirrored after they are created If you have an existing partition that you want to mirror you can either create another partition of equal size on another device to mirror the first partition to or...

Page 27: ...be activated and cluster enabled when it is created The Activate on Creation feature is enabled by default This causes the pool to be activated as soon as it is created If you choose not to activate...

Page 28: ...of the Novell Cluster Services 1 8 2 Administration Guide for NetWare Novell Cluster Services Configuration and Setup After configuring NSS mirroring and creating a pool and volume on the mirrored NS...

Page 29: ...ntinuity Cluster software consists of Configuring Business Continuity Specific IDM Drivers on page 29 Configuring Clusters for Business Continuity on page 35 Configuring Cluster Resources for Business...

Page 30: ...iver link 4 Choose to place the new driver in a new driver set then click Next Both the User Object Synchronization Driver and the Cluster Resource Synchronization Driver can be added to the same driv...

Page 31: ...olume objects You would then specify the context of the new container in this step The IDM Driver object must have sufficient rights to create modify and delete objects and attributes in the following...

Page 32: ...ext You must specify the driver name including the context you supplied in Step 8 on page 30 for this cluster Use the following format when specifying the driver name DriverName DriverSet Organization...

Page 33: ...in a manner that prevents IDM synchronization loops IDM synchronization loops can cause excessive network traffic and slow server communication and performance For example in a three cluster business...

Page 34: ...nge your BCC synchronization scenario 1 In the Connections section of the Business Continuity Cluster Properties page select one or more peer clusters that you want a cluster to synchronize to then cl...

Page 35: ...e cluster you are enabling for business continuity 2 Enter your username and password 3 Ensure that the Business Continuity specific IDM drivers are running 3a In the left column click DirXML and then...

Page 36: ...esources to 4 Continue with Step 1 in the Adding Resource Script Search and Replace Values section below Adding Resource Script Search and Replace Values To enable a resource for business continuity c...

Page 37: ...iguration Information You can create scripts and add commands that are specific to your SAN hardware These scripts and commands might be needed to promote mirrored LUNs to primary on the cluster where...

Page 38: ...rt If you checked the CIM Client check box in the previous screen accept the default port number or specify a different port number This is the port number that CIMOM your SAN manager uses Consult you...

Page 39: ...ch time the server starts For this reason you can t assign eDirectory trustee rights to the _Admin volume To assign BCC administrative user eDirectory trustee rights 1 Start your Internet browser and...

Page 40: ...rite fileScan modify rights addTrustee Note the following items with this example The name element is the BCC administrative user The tree name is required The filename element must be _ADMIN Novell C...

Page 41: ...ling a Cluster Resource for Business Continuity Cluster resources must be enabled for business continuity on the primary cluster before they can be synchronized and appear as resources in the other cl...

Page 42: ...for business continuity certain values such as IP addresses DNS names and tree names specified in resource load and unload scripts need to be changed in corresponding resources in the other clusters...

Page 43: ...load and unload scripts in the source cluster to their original values Selecting Peer Clusters for the Resource Peer clusters are the other clusters that this cluster resource can be migrated to The c...

Page 44: ...ster site to manually migrate or bring up resources at that site Each resource will start on its preferred node on the destination cluster TIP You can use the cluster migrate command to start resource...

Page 45: ...and password for the administrative user that the selected cluster will use to connect to a selected peer cluster You might need to do this if the administrator username or password changes for any cl...

Page 46: ...er connections are down You can also see the status of the BCC resources in the business continuity cluster Using the Server Console At the server console of a server in the business continuity cluste...

Page 47: ...clusters where you no longer want the resource to run IMPORTANT If you disable BCC for a cluster using either iManager or the Cluster Disable console command BCC will also be disabled for those clust...

Page 48: ...be BCC enabled This can be a time consuming process if you have many BCC enabled cluster resources For this reason you should use caution when disabling BCC for an entire cluster CLUSTER ENABLE resour...

Page 49: ...one node is a member of the cluster 1 After a failure bring up one node in the cluster All other nodes should remain powered off 2 Run the cluster resetresources command 3 Bring up the remaining nodes...

Page 50: ...t manually The former primary SAN must be demoted to secondary before bringing cluster servers back up Consult your SAN hardware documentation for instructions on demoting and promoting SANs You can u...

Page 51: ...Lost Users might not be able to access servers in the primary cluster but can possibly access servers in the secondary cluster If both clusters are up nothing additional is required An error will be d...

Page 52: ...ack up Additional response is the same as for SAN based mirroring described above Secondary SAN Fails but Secondary Cluster Does Not Bring up your secondary SAN or iSCSI target before bringing up your...

Page 53: ...on on what is required for BCC 1 1 See Upgrading to OES NetWare http www novell com documentation oes install nw data hqwoj1yu html hqwoj1yu for more information on upgrading NetWare In addition to up...

Page 54: ...orms the necessary updates to convert BCC 1 0 to BCC 1 1 This includes searching eDirectoryTM for SAN scripts and updating those scripts to be SMI S compliant 3 1 4 Resetting BCC Administrative User C...

Page 55: ...nodes in BCC 1 0 clusters to BCC 1 1 for NetWare To do this follow the instructions in Section 3 1 Upgrading BCC 1 0 to BCC 1 1 for NetWare on page 53 IMPORTANT All cluster nodes in every cluster in y...

Page 56: ...cember 2007 The same restrictions that apply to migrating or failing over resources between nodes within a mixed cluster also apply to migrating or failing over resources between clusters in a mixed B...

Page 57: ...3 Administration of Peer Clusters Not Functional on page 65 Section 4 14 Resource Does Not Migrate to Another Cluster on page 65 Section 4 15 Resource Cannot Be Brought Online on page 65 Section 4 16...

Page 58: ...u entered the wrong username and or password for the selected peer cluster Enter the correct username and password that this cluster will use to connect to the selected peer cluster Cannot Connect 3 T...

Page 59: ...text field view and if necessary change the port numbers next to the IP address For example the Authentication context field might contain a value similar to 123 12 23 12 2003 2003 In this example the...

Page 60: ...ropriate contexts in your eDirectory tree to manage your BCC The IDM Driver object must have sufficient rights to create modify and delete objects and attributes in the following containers The Identi...

Page 61: ...recommends using SSL certificates for encryption and security NOTE You should create or use a different certificate than the default dummy certificate BCC Cluster Sync KMO that is included with BCC Se...

Page 62: ...lag with this option Stop BCC by entering rcnovell bccd stop at the server console then restart it by entering opt novell bcc sbin bccd flags Replace flags with any combination of v t and or d 4 8 Pro...

Page 63: ...led Click the red icon for the driver on the DirXML Driver Overview page You can enable the driver using the radio buttons in the Driver Startup section of the page that displays Selecting the Auto St...

Page 64: ...er the URL for iManager The URL is http server_ip_address nps iManager html Replace server_ip_address with the IP address or DNS name of the server that has iManager and the IDM preconfigured template...

Page 65: ...e a resource from one cluster to another the problem might be caused by one of the following conditions The resource has not been BCC enabled Remote clusters cannot communicate See Section 4 12 Peer C...

Page 66: ...n back online for changes to the unload script to take effect Be aware that client data may be lost if clients are accessing the resource when it is brought offline 4 18 Resource Script Search and Rep...

Page 67: ...enable the General tab 6 Click Apply to save your changes 4 20 IP Address Virtual Server DN or Pool Name Does Not Appear on the iManager Cluster Configuration Page You might see a DSML read error if...

Page 68: ...ry Ensure that eDirectory and your clusters are stable before implementing BCC Engage Novell Consulting Engage a consulting group from your SAN vendor The cluster node that hosts the IDM driver should...

Page 69: ...e All user objects must be modified to have their Home Directory attribute reference the new volume object volume reference Use LDIF and ICE in the NSMI script Disk Array Mapping Information area This...

Page 70: ...er Message 1000 Unknown error 1001 Received XML is invalid 1002 The object pointers in eDirectory for the given cluster resource are invalid 1003 The referenced object is not a valid NCS BCC object 10...

Page 71: ...nced in the message that appears You can get additional information on how to use the log file by entering help log at the NetWare server console 1020 CIM Client error 1021 Error creating a system res...

Page 72: ...72 Novell Business Continuity Clustering 1 1 for NetWare Administration Guide novdocx en 11 December 2007...

Page 73: ...their virtual nature virtual IP addresses and virtual NICs behave like physical IP addresses and physical NICs and they are similarly configured using either the INETCFG server based utility or the Ne...

Page 74: ...s is especially true in the event of server NIC failures This assumes that the server is running a routing protocol and is advertising its internal virtual IP network which only it knows about and can...

Page 75: ...dvertise reachability to the 1 0 0 0 FF 0 0 0 network and the client would continue to forward packets to Router 1 Being undeliverable these packets would ultimately be dropped by Router 1 Therefore i...

Page 76: ...effects that directly follow from the highly reachable nature of virtual IP addresses They completely and uniquely identify a multihomed server A multihomed server with a virtual IP address no longer...

Page 77: ...The need often arises to move a machine hosting a particular service to some other IP network or to move a service hosted on a particular machine to be rehosted on some other machine connected to a di...

Page 78: ...o recognize and honor the advertised host routes In autonomous systems that use variable length subnet masking VLSM together with routing protocols like RIP II or OSPF the consumption of additional IP...

Page 79: ...OVERRIDE ON 2 The command to bind a virtual IP address for the service must be added to the cluster resource load script The following is an example of a cluster resource load script for a standard Ne...

Page 80: ...needed for any nonvolume cluster resources like DHCP 5 5 1 Displaying Bound Virtual IP Addresses To verify that a virtual IP address is bound enter display secondary ipaddress at the server console of...

Page 81: ...Directory tree For example if you have one tree that has 10 000 users and a second new tree that does not yet have users defined you can use DirXML to quickly copy the 10 000 users to the new tree For...

Page 82: ...n click OK 13 Optional Exclude the Admin User object from being synchronized 13a Click the Exclude Administrative Roles button then click Add 13b Browse to and select the Admin User object then click...

Page 83: ...e DirXMLOverview link 4 Search for and find the BCC driver set 5 Click the red Cluster Sync icon for the driver you want to sync then click the Migrate from eDirectory button 6 Click Add browse to and...

Page 84: ...Cluster Three both synchronize with Cluster One This is illustrated in Figure 2 4 below Figure A 2 Three Cluster IDM Synchronization Master You could also have Cluster One synchronize with Cluster Two...

Page 85: ...tree and you want to maintain that pool s volume trustee assignments you must migrate the pool to a server with an eDirectory replica The replica must be at least read only and must contain all users...

Page 86: ...86 Novell Business Continuity Clustering 1 1 for NetWare Administration Guide novdocx en 11 December 2007...

Page 87: ...luster has been restored some of the data on each cluster will be different This is called data divergence Also the mirroring or synchronization process will either fail or will attempt to overwrite a...

Page 88: ...ation The policy for automatic failover is configured by creating rules Each row in the Failover Policy Configuration table represents a rule that applies to a single cluster or to all clusters in the...

Page 89: ...ng the Advanced button will also display an additional section on this page called Health Monitor Configuration Monitors are an important part of the automatic failover feature and are separate proces...

Page 90: ...decnt monitors This value may be used for some custom monitors 5 Specify which platforms Linux or NetWare you want to be monitored by the health monitor and whether you want the monitor enabled for th...

Page 91: ...mation for Other Products on page 95 Feature Yes No Details Users are authenticated Yes Administrative users are authenticated via eDirectory Users are authorized Yes Users are authorized via eDirecto...

Page 92: ...me bccgroup adminGroupName authorizationCacheTTL 300 authorizationCacheTTL cimConnectTimeout 15 cimConnectTimeout cimReceiveTimeout 30 cimReceiveTimeout cimSendTimeout 30 cimSendTimeout idlePriorityTh...

Page 93: ...acheTTL The number of seconds the authorization rights are cached in the BCC OpenWBEM provider 300 seconds This is not supported until the first support pack cimConnectTimeout BCC CIM client connect t...

Page 94: ...ment address of chicago_cluster now specifies non secure http communication The BCC management port can also be changed by modifying the NCS BCC Peers attribute values The default ports for secure and...

Page 95: ...www novell com documentation oes nss_enu data bx8gp06 html eDirectory Security for eDirectory is provided by NICI See the NICI 2 7x Administration Guide http www novell com documentation nici27x nici...

Page 96: ...ounts or that protect BCC data should be examined periodically to ensure that they have not been tampered with When synchronizing cluster or user information between servers outside the corporate fire...

Page 97: ...changes are grouped and sequenced alphabetically Each change entry provides a link to the related topic and a brief description of the change This document was updated on the following dates Section...

Page 98: ...Administration Guide novdocx en 11 December 2007 D 1 2 Troubleshooting BCC 1 1 Location Change Section 4 4 Security Equivalent User on page 60 The NCP server objects for the virtual server of a BCC e...

Reviews:

No comments

Related manuals for BUSINESS CONTINUITY CLUSTERING FOR NETWARE 1.1 - ADMINISTRATION

DAVIS WeatherLink Addendum preview
WeatherLink
Brand: DAVIS Pages: 20
Davis Instruments GroWeatherLink User Manual preview
GroWeatherLink
Brand: Davis Instruments Pages: 108
Tandberg Data IBM LOTUS NOTES-DOMINO V 11.3 - INSTALLATION AND ... Integration Manual preview
IBM LOTUS NOTES-DOMINO V 11.3 - INSTALLATION AND ...
Brand: Tandberg Data Pages: 49
AVG 8.5 ANTI-VIRUS - LINUX-FREEBSD REV 85.2 User Manual preview
8.5 ANTI-VIRUS - LINUX-FREEBSD REV 85.2
Brand: AVG Pages: 234
MACROMEDIA FLASH 8-LEARNING ACTIONSCRIPT 2.0 IN FLASH Manual preview
FLASH 8-LEARNING ACTIONSCRIPT 2.0 IN FLASH
Brand: MACROMEDIA Pages: 830
Seagate FreeAgent Desk 2TB Quick Start Manual preview
FreeAgent Desk 2TB
Brand: Seagate Pages: 2
MACROMEDIA FLASH 8-ACTIONSCRIPT 2.0 LANGUAGE Reference preview
FLASH 8-ACTIONSCRIPT 2.0 LANGUAGE
Brand: MACROMEDIA Pages: 1378
VDO TIS-COMPACT III Brochure preview
TIS-COMPACT III
Brand: VDO Pages: 8
Symantec BACKUP EXEC 11D Quick Installation Manual preview
BACKUP EXEC 11D
Brand: Symantec Pages: 18
Symantec ALTIRIS IT MANAGEMENT SUITE 7.0 MR2 - S Release Note preview
ALTIRIS IT MANAGEMENT SUITE 7.0 MR2 - S
Brand: Symantec Pages: 14
Symantec ALTIRIS DEPLOYMENT SOLUTION 7.1 Manual preview
ALTIRIS DEPLOYMENT SOLUTION 7.1
Brand: Symantec Pages: 90
TomTom Navigation app for iPhone/iPad Reference Manual preview
Navigation app for iPhone/iPad
Brand: TomTom Pages: 84
GRASS VALLEY GECKOFLEX Datasheet preview
GECKOFLEX
Brand: GRASS VALLEY Pages: 1
GNOME 2.4 User Manual preview
2.4
Brand: GNOME Pages: 213
Autodesk 495B1-05A111-1301 - 3ds Max Design 2010 User Manual preview
495B1-05A111-1301 - 3ds Max Design 2010
Brand: Autodesk Pages: 916
3M MicroTouch MT7 User Manual preview
MicroTouch MT7
Brand: 3M Pages: 57
Navman S-Series NavDesk 2009 User Manual preview
S-Series NavDesk 2009
Brand: Navman Pages: 36
Tascam GigaStudio User Manual preview
GigaStudio
Brand: Tascam Pages: 210

Brands by name

Popular brands

Load more brands