Prepare Environment for HA with the GSSnsupdate Script

To run high availability scenarios in secure DNS zone domains, you must configure your UNIX or Linux server so that it can authenticate to the DNS server and change the DNS host A records for the Master and Replica servers used in scenarios.

You can configure your UNIX/Linux environment for CA ARCserve RHA using the included script, which is written in Perl. Contact Support to obtain other versions of this script.

The following steps should be performed on all UNIX/Linux hosts in your environment.

To prepare UNIX and Linux hosts for HA in secure DNS zone domains

  1. Configure the Linux host as a Kerberos client. To do this, edit the file /etc/krb5.conf and make the following changes:
    [libdefaults]
    default_realm = <DOMAIN name i.e. XOSOFT.ORG>
    
    [realms]
     <DOMAIN name> = {
      kdc = <DC Server fqdn>:88
      admin_server = <DNS Server fqdn>
      default_domain = <DOMAIN name i.e. XOSOFT.ORG>
     }
    
    [domain_realm]
     .<domain name> = <DOMAIN name>                i.e. .xosoft.org = XOSOFT.ORG
    

    Example of edited krb5.conf file

    
    
  2. Create a keytab file with ktpass on the domain controller you specified as "kdc" in the previous step. Log in under a domain admin account on the KDC.

    Note: The ktpass utility may not be loaded on Windows by default. You may obtain it from the Windows Support Tools package.

    ktpass -princ host/<a name you pick>@<DOMAIN> -mapuser <domain admin>@<DOMAIN> -pass <password> -out c:\<filename>.keytab -ptype KRB5_NT_PRINCIPAL
    

    Example of ktpass keytab file created on the specified DC

    
    
  3. Transfer the keytab file <filename>.keytab to the Linux host securely.
  4. On the Linux host, merge the keytab file into a single file called /etc/krb5.keytab using the ktutil program. You may need to install the ktutil package first.
    [root@server01-1x1 bin]# ktutil
    
    ktutil:  rkt /root/<filename>.keytab
    
    ktutil:  wkt /etc/krb5.keytab
    
    ktutil:  list
    
    ktutil: q
    

    Example of keytab file merged into single file

  5. Ensure the Linux host's time is synchronized to an NTP server or to the Microsoft DNS server; Kerberos authentication depends on it.
  6. Copy the nsupdate-gss.pl Perl script and install the set of Perl modules required by the script. These modules can be obtained from http://search.cpan.org or as RPM packages.
    perl-Digest-HMAC
    perl-Net-IP
    perl-Net-DNS
    perl-GSSAPI
    perl-Krb5…
    
  7. Change the Kerberos keytab principal name in the nsupdate-gss.pl script, located in /opt/CA/ARCserve RHA/, to match the name you chose above, for example, host/xodemo.
    #############################
    # Obtain and cache a Kerberos ticket using the keytab principal created with ktpass
    my $sys_retcode = system("kinit -k host/xodemo");
    if ($sys_retcode != 0) {
            print "Failed to create and cache Kerberos ticket through 'kinit'\n";
            exit 1;
    }
    
    #############################
    
  8. Run the following test to ensure that the environment is ready and that the script can securely update DNS A records.
    ./nsupdate-gss.pl 192.168.88.1 shagu01-RHEL5u3-x64 xosoft.org --add_ips=192.168.88.21 --ttl=60 --del_ips=192.168.88.31
    
  9. Define the nsupdate-gss.pl script in the ws_rep.cfg file, located in the install directory /opt/CA/ARCserveRHA/bin, so that the Engine performs secure updates against Microsoft DNS. Remove the # in front of the "GSSNsupdateScript = " line, as shown below.
    ####################
    # Script for secure update dynamically against MS DNS server on UNIX/Linux hosts
    GSSNsupdateScript = "[INSTALLDIR]/scripts/nsupdate-gss.pl"
    #
    # User can ask for support at http://support.ca.com/ for help, or 
    # define the script by shell or PERL with the arguments matching 
    # GSSNsupdateScript NAME_SERVER HOST DOMAIN [options]
    # Options:
    #         --add_ips=IPS        target IPs for A records to be added
    #         --ttl=TTL            TTL for the added A records
    #         --del_ips=IPS        target IPs for A records to be removed
    
  10. Stop and restart the Engine:
    /etc/init.d/ARCserveRHA stop
    
    /etc/init.d/ARCserveRHA start
    
  11. Repeat this procedure for the other host.
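The ws_rep.cfg comment in step 9 notes that you can supply your own script in shell or Perl as long as it takes the same arguments (NAME_SERVER HOST DOMAIN [--add_ips=IPS] [--ttl=TTL] [--del_ips=IPS]). The following is an added example, not the nsupdate-gss.pl shipped with CA ARCserve RHA, that implements this interface in POSIX shell. It assumes BIND's nsupdate with GSS-TSIG support (the -g option), the merged /etc/krb5.keytab from step 4, the host/xodemo principal from step 7, comma-separated IP lists, and a default TTL of 3600 when --ttl is omitted.

```shell
#!/bin/sh
# Added example: shell implementation of the GSSNsupdateScript interface.
# Save as nsupdate-gss.sh and point GSSNsupdateScript in ws_rep.cfg at it.
# Assumed: kinit, klist-style keytab at /etc/krb5.keytab, and nsupdate -g (GSS-TSIG).

KEYTAB_PRINCIPAL="host/xodemo"   # must match the principal created with ktpass (step 2)

# Turn the script arguments into an nsupdate batch on stdout.
# Pure text generation, so the update can be reviewed before it is sent.
build_nsupdate_batch() {
    server="$1"; host="$2"; domain="$3"; shift 3
    add_ips=""; del_ips=""; ttl=3600          # 3600 is an assumed default TTL
    for opt in "$@"; do
        case "$opt" in
            --add_ips=*) add_ips="${opt#--add_ips=}" ;;
            --del_ips=*) del_ips="${opt#--del_ips=}" ;;
            --ttl=*)     ttl="${opt#--ttl=}" ;;
            *) echo "unknown option: $opt" >&2; return 2 ;;
        esac
    done
    fqdn="$host.$domain"
    echo "server $server"
    echo "zone $domain"
    # Delete the old A records first so a switchover never leaves both addresses live.
    for ip in $(echo "$del_ips" | tr ',' ' '); do
        echo "update delete $fqdn. A $ip"
    done
    for ip in $(echo "$add_ips" | tr ',' ' '); do
        echo "update add $fqdn. $ttl A $ip"
    done
    echo "send"
}

main() {
    [ $# -ge 3 ] || { echo "usage: $0 NAME_SERVER HOST DOMAIN [--add_ips=IPS] [--ttl=TTL] [--del_ips=IPS]" >&2; exit 1; }
    # Get a TGT from the keytab; nsupdate -g then negotiates a GSS-TSIG key with the MS DNS server.
    kinit -k "$KEYTAB_PRINCIPAL" || { echo "kinit -k $KEYTAB_PRINCIPAL failed" >&2; exit 1; }
    build_nsupdate_batch "$@" | nsupdate -g
}

# Run main only when executed as nsupdate-gss.sh, not when sourced for testing.
case "$0" in *nsupdate-gss.sh) main "$@" ;; esac
```

Running it with the arguments from step 8 produces the same delete/add update that the test in step 8 performs, signed with the Kerberos identity from the keytab.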