Prepare Environment for HA with the GSSnsupdate Script

To run high availability scenarios in domains whose DNS zones accept only secure dynamic updates, you must configure your UNIX or Linux server so that it can authenticate to the Microsoft DNS server with Kerberos and change the DNS host A records of the Master and Replica servers used in the scenarios.

You can configure your UNIX/Linux environment for Arcserve Continuity Suite using the included script, which is written in Perl. Contact Support to obtain other versions of this script.

The following steps should be performed on all UNIX/Linux hosts in your environment.

To prepare UNIX and Linux hosts for HA in secure DNS zone domains

  1. Configure the Linux host as a Kerberos client. Edit the file /etc/krb5.conf and make the following changes. The realm is the Active Directory domain name in upper case; the kdc is a domain controller of that domain:

    [libdefaults]

    default_realm = <REALM, for example XOSOFT.ORG>

    [realms]

    <REALM> = {

    kdc = <DC Server fqdn>:88

    admin_server = <DNS Server fqdn>

    default_domain = <domain name, for example xosoft.org>

    }

    [domain_realm]

    .<domain name> = <REALM>

    <domain name> = <REALM>

    For example: .xosoft.org = XOSOFT.ORG and xosoft.org = XOSOFT.ORG

  2. Create a keytab file with ktpass on the domain controller you specified as "kdc" in the previous step. Log in to that domain controller under a domain admin account.

    Note: The ktpass utility may not be installed on Windows by default. You can obtain it from the Windows Support Tools package.

    ktpass -princ host/<name you pick>@<REALM> -mapuser <domain admin account>@<REALM> -pass <password> -out c:\<filename>.keytab -ptype KRB5_NT_PRINCIPAL

    Note: ktpass sets the password of the mapped account to the value given with -pass, and the keytab it writes contains the key derived from that password. Anyone who can read the keytab can authenticate as the mapped account, so treat the file with the same care as the account's password.

  3. Transfer the keytab file <filename>.keytab to the Linux host securely, for example with scp. Do not send it over an unencrypted channel or by e-mail.

  4. On the Linux host, merge the keytab into the single file /etc/krb5.keytab using the ktutil program. You may need to install the package that provides ktutil first. Afterwards make sure /etc/krb5.keytab is owned by root and readable only by root.

    [root@server01-1x1 bin]# ktutil

    ktutil: rkt /root/<filename>.keytab

    ktutil: wkt /etc/krb5.keytab

    ktutil: list

    ktutil: q

  5. Make sure the Linux host's clock is synchronized with the domain controllers, either through the same NTP source or against the domain controller itself. Kerberos rejects authentication when the clock skew exceeds the default limit of 5 minutes.

  6. Copy the nsupdate-gss.pl Perl script to the host and install the Perl modules the script requires. They are available from CPAN (http://search.cpan.org) or as RPM packages of your distribution:

    perl-Digest-HMAC

    perl-Net-IP

    perl-Net-DNS

    perl-GSSAPI

    perl-Krb5…

  7. Comment out all of the following lines in the nsupdate-gss.pl script, located in the Arcserve RHA install directory /opt/CA/ARCserveRHA:

    #############################

    my $sys_retcode = system("kinit -k host/xodemo");

    if ($sys_retcode != 0) {

            print "Failt to create and cache Kerberos ticket through 'kinit'\n";

            exit 1;

    }

    #############################

  8. Initialize the Kerberos ticket cache with the following command:

    kinit redhat

    Here redhat is the Domain Administrator account created in Active Directory; enter its password when prompted.

    Note: A ticket obtained this way expires (after 10 hours by default in an Active Directory domain). The Engine can only run the script successfully while the cache holds a valid ticket, so renew it with kinit before it expires.

  9. Check the Kerberos ticket cache with the following command:

    klist

    The output lists the default principal and a krbtgt/<REALM>@<REALM> ticket with its expiry time.

  10. Run the following test to ensure the environment is ready and the script can securely update DNS A records. The arguments are the name server IP, the host name, the domain, the A record to add with its TTL, and the A record to remove:

    ./nsupdate-gss.pl 192.168.88.1 shagu01-RHEL5u3-x64 xosoft.org --add_ips=192.168.88.21 --ttl=60 --del_ips=192.168.88.31

    Confirm the change by querying the host name against the same name server, for example with dig or nslookup.

  11. Define the nsupdate-gss.pl script in the ws_rep.cfg file, located in the install directory /opt/CA/ARCserveRHA/bin, so that the Engine performs secure updates against Microsoft DNS. Remove the # in front of the "GSSNsupdateScript = " line, as shown below.

    ####################

    # Script for secure update dynamically against MS DNS server on UNIX/Linux hosts

    GSSNsupdateScript = "[INSTALLDIR]/scripts/nsupdate-gss.pl"

    #

    # User can visit arcserve support, or

    # define the script by shell or PERL with the arguments matching

    # GSSNsupdateScript NAME_SERVER HOST DOMAIN [options]

    # Options:

    #         --add_ips=IPS        target IPs for A records to be added

    #         --ttl=TTL            TTL for the added A records

    #         --del_ips=IPS        target IPs for A records to be removed

  12. Stop and restart the Engine:

    /etc/init.d/ARCserveRHA stop

    /etc/init.d/ARCserveRHA start

  13. Repeat this procedure on the other host (Master or Replica).
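The ws_rep.cfg comment states that GSSNsupdateScript may be any shell or Perl script that accepts the arguments NAME_SERVER HOST DOMAIN [--add_ips=IPS] [--ttl=TTL] [--del_ips=IPS]. The script below is an added example of such a script; it is not the nsupdate-gss.pl shipped with Arcserve RHA and is not taken from this page. It first checks the Kerberos setup from the steps above (keytab permissions, realm consistency, a ticket in the cache), then sends the update through BIND's nsupdate in GSS-TSIG mode (nsupdate -g). The environment variable names NSUPDATE_GSS_PRINCIPAL and NSUPDATE_GSS_KEYTAB are my own assumptions, as is the presence of the bind-utils/dnsutils nsupdate on the host; when NSUPDATE_GSS_PRINCIPAL is unset the script relies on a ticket already obtained with kinit, exactly as the procedure above does.

```sh
#!/bin/sh
# nsupdate-gss.sh - added example, not the Arcserve RHA nsupdate-gss.pl script.
# Implements the GSSNsupdateScript contract from ws_rep.cfg:
#   nsupdate-gss.sh NAME_SERVER HOST DOMAIN [--add_ips=IPS] [--ttl=TTL] [--del_ips=IPS]
# Assumptions (mine, not the page's): NSUPDATE_GSS_PRINCIPAL names a principal
# (for example host/xodemo@XOSOFT.ORG) whose key is in the keytab; if it is
# unset, an existing ticket from "kinit <account>" is used instead.

KEYTAB=${NSUPDATE_GSS_KEYTAB:-/etc/krb5.keytab}

# 0 if the keytab is readable only by its owner. The keytab holds the mapped
# account's long-term key, so anyone who can read it can act as that account.
keytab_mode_ok() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Print the default_realm from a krb5.conf (first match).
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# 0 when the principal's realm (text after '@') equals the configured default realm.
realm_matches() {
    [ "${1##*@}" = "$(krb5_default_realm "$2")" ]
}

# 0 for a dotted-quad IPv4 literal; anything else is rejected before it reaches
# nsupdate, because the IP lists arrive as arguments from the Engine.
is_ipv4() {
    expr "$1" : '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}$' >/dev/null
}

# Print the nsupdate batch for the given arguments without sending it.
# Deletes are emitted before adds so the stale and new A records are swapped in
# one update message. Returns 2 on an unknown option, a bad TTL or a bad IP.
build_nsupdate_batch() {
    ns=$1; host=$2; domain=$3; shift 3
    add_ips=""; del_ips=""; ttl=60
    for opt in "$@"; do
        case $opt in
            --add_ips=*) add_ips=${opt#--add_ips=} ;;
            --del_ips=*) del_ips=${opt#--del_ips=} ;;
            --ttl=*)     ttl=${opt#--ttl=} ;;
            *) echo "unknown option: $opt" >&2; return 2 ;;
        esac
    done
    case $ttl in ''|*[!0-9]*) echo "bad TTL: $ttl" >&2; return 2 ;; esac
    fqdn="$host.$domain."
    echo "server $ns"
    echo "zone $domain."
    for ip in $(printf '%s\n' "$del_ips" | tr ',' '\n'); do
        is_ipv4 "$ip" || { echo "bad IP: $ip" >&2; return 2; }
        echo "update delete $fqdn A $ip"
    done
    for ip in $(printf '%s\n' "$add_ips" | tr ',' '\n'); do
        is_ipv4 "$ip" || { echo "bad IP: $ip" >&2; return 2; }
        echo "update add $fqdn $ttl A $ip"
    done
    echo "send"
}

# Verify the Kerberos client setup, obtain a ticket if configured to, send the update.
main() {
    [ $# -ge 3 ] || { echo "usage: $0 NAME_SERVER HOST DOMAIN [--add_ips=IPS] [--ttl=TTL] [--del_ips=IPS]" >&2; exit 2; }
    if [ -n "${NSUPDATE_GSS_PRINCIPAL:-}" ]; then
        keytab_mode_ok "$KEYTAB" || { echo "$KEYTAB must be readable only by its owner (mode 600)" >&2; exit 1; }
        realm_matches "$NSUPDATE_GSS_PRINCIPAL" /etc/krb5.conf \
            || { echo "realm of $NSUPDATE_GSS_PRINCIPAL is not default_realm in /etc/krb5.conf" >&2; exit 1; }
        kinit -kt "$KEYTAB" "$NSUPDATE_GSS_PRINCIPAL" \
            || { echo "kinit from keytab failed: check the KDC address and clock skew" >&2; exit 1; }
    fi
    # klist -s is silent and exits non-zero when the cache has no valid ticket.
    klist -s || { echo "no valid Kerberos ticket in the cache; run kinit first" >&2; exit 1; }
    batch=$(build_nsupdate_batch "$@") || exit 2
    printf '%s\n' "$batch" | nsupdate -g
}

if [ $# -ge 1 ]; then main "$@"; fi
```

To use it in place of the Perl script, point GSSNsupdateScript in ws_rep.cfg at this file and give it execute permission; the test invocation from step 10 works unchanged, for example ./nsupdate-gss.sh 192.168.88.1 shagu01-RHEL5u3-x64 xosoft.org --add_ips=192.168.88.21 --ttl=60 --del_ips=192.168.88.31. Obtaining the ticket from the keytab with NSUPDATE_GSS_PRINCIPAL set avoids the expiry problem of a manually cached ticket, which is what the commented-out kinit -k line in nsupdate-gss.pl was doing as well.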