Steps to configure Veritas InfoScale cluster to use local credentials instead of Single Sign-On provided by VCS Authentication Service

book

Article ID: 100017968

calendar_today

Updated On:

Description

Error Message

When the login due to SSO fails, all Veritas High Availability Daemon (HAD) commands like hastatus -sum will report errors below:

V-16-1-53007 Error returned from engine: HAD on this node not accepting clients

OR

V-16-1-53006 "Unable to connect to VCS engine securely"

Cause

Corruption of the SSO security/Authentication configuration and credential files
 

Resolution

This procedure configures the use of VCS User Privileges and disables the use of SSO security.

1) Save the VCS configuration from an elevated command prompt using the command below:

# haconf -dump -makero

2) Stop the Veritas High Availability Engine (had.exe) service on all nodes.  This can be done by stopping the service from Windows Services Manager (services.msc) or by typing the following command through the CLI:

# hastop -all -force
 
Note: This will stop VCS services, but leaves the application(s) online.
 
Important: Newer versions of Windows automatically restart the HAD service when it is set to Automatic. If the service fails to stop with the hastop command, then try the following command to kill HAD and hashadow processes. The command may need to run multiple times in quick succession to kill both processes completely because the processes will restart each other quickly.
 
# taskkill /F /IM had.exe && taskkill /F /IM hashadow.exe

3) Stop the Veritas Command Server (CmdServer) service on all nodes.  This can be done by stopping the service from Windows Services Manager (services.msc) or by typing the following command on each server:
 
# net stop cmdserver

4) Remove the .secure file from the %VCS_HOME%\conf\config directory from each node in the cluster:

Note: %VCS_HOME% represents the VCS installation directory.  By default, this is C:\Program Files\VERITAS\Cluster Server.

5) Open the main.cf file in a text editor such as Notepad.  This file is located under the %VCS_HOME%\conf\config directory.

6) In the main.cf file, set the SecureClus attribute to 0 or delete the SecureClus line completely from the main.cf.

For example:
cluster TestingCluster (
SecureClus = 0
)

7) Save the cluster configuration changes.  This can be done from Notepad by clicking on File > Save.

8) Copy the modified main.cf file to each server in the cluster.  The default file location is in the %VCS_HOME%\conf\config directory on each server.
 
9) Stop the VCS Authentication Service and change it from Automatic to Manual. Do this on all nodes.
 
10) Start the Veritas Command Server (CmdServer) service on all nodes. This can be done by starting the service from Windows Services Manager (services.msc) or by typing the following command on each server:
 
# net start cmdserver
 
11) Restart the Veritas High Availability Engine on all nodes.  This can be done by Windows Services Manager (services.msc) or by typing the following command:
 
# hastart -all

12) Enable write access to the cluster configuration by typing the following command:
 
# haconf -makerw

13) Add a user to login to the cluster. This can be done by typing the following command:
 
# hauser -add admin -priv Administrator

Note: "admin" can be substituted with another name.

14) Save and close the cluster configuration. This can be done by typing the following command:
 
# haconf -dump -makero

Login to the cluster using the username/password created in Step #13.

Issue/Introduction

There are instances when login to Veritas Cluster Java Console using Single Sign-On (SSO) fails with an error related to Veritas Cluster Server (VCS) SSO configuration. In such situations, all VCS commands also fail with errors for SSO.
Powered by Wolken Software