Thursday May 17, 2007

CACAO and JES

I had customer that was setting up an jump start image to preinstall the Java Enterprise System. They were running into errors with CACAO. It seems that the host information was from the Jump Start System was not being updated. At least until they logged on the first time with the GUI. So below is the link to reset the CACAO host information...

Here is the doc extract and link to reset CACAO in case of host name change or compromised system. http://docs.sun.com/app/docs/doc/819-2971/6n57mi2el?a=view

How to Regenerate Common Agent Container Security Keys

Sun Cluster Manager uses strong encryption techniques to ensure secure communication between the Sun Cluster Manager web server and each cluster node.

The keys that Sun Cluster Manager uses are stored under the /etc/opt/SUNWcacao/security directory on each node. They should be identical across all cluster nodes.

Under normal operation, these keys can be left in their default configuration. If you change the host name of a cluster node, you must regenerate the common agent container security keys. You might also need to regenerate the keys because a possible key compromise (for example, root compromise on the machine). To regenerate the security keys, use the following procedure.

1. On all cluster nodes, stop the common agent container management daemon.

# /opt/SUNWcacao/bin/cacaoadm stop

2. On one node of the cluster, regenerate the security keys.

phys-schost-1# /opt/SUNWcacao/bin/cacaoadm create-keys --force

3. Restart the common agent container management daemon on the node on which you regenerated the security keys.

phys-schost-1# /opt/SUNWcacao/bin/cacaoadm start

4. Create a tar file of the /etc/cacao/instances/default directory.

phys-schost-1# cd /etc/cacao/instances/default phys-schost-1# tar cf /tmp/SECURITY.tar security

5. Copy the /tmp/Security.tar file to each of the cluster nodes.

6. On each node to which you copied the/tmp/SECURITY.tar file, extract the security files.

Any security files that already exist in the /etc/opt/SUNWcacao/ directory are overwritten.

phys-schost-2# cd /etc/cacao/instances/default

phys-schost-2# tar xf /tmp/SECURITY.tar

7. Delete the /tmp/SECURITY.tar file from each node in the cluster.

You must delete each copy of the tar file to avoid security risks.

phys-schost-1# rm /tmp/SECURITY.tar

phys-schost-2# rm /tmp/SECURITY.tar

8. On all nodes, restart the common agent container management daemon.

phys-schost-1# /opt/SUNWcacao/bin/cacaoadm start

9. Restart Sun Cluster Manager.

# /usr/sbin/smcwebserver restart

CACAO and Sun Portal Server

The following is information I have gotten from other sources but felt it would be interesting to share. It documents how CACAO, Portal, Access Manager and Directory interact. 1. When would the cacao servers talk to each other? When you try to perform a "remote" task. For example, when you go to the psconsole running on server1 to create a PS instance on server2, or alternatively, you go to server2 and run psadmin create-instance to create a PS instance on server1. This is a unique feature of PS administration. No other JES products or components (e.g. Sun Cluster or JES-MF) require connections between Cacao agents. 2. What type of data is passed between the cacao server? Uh, many different types, depending on what the task is. Did this answer your question? :-) The protocol is JMXMP over TLS. There are other ways to talk to Cacao (e.g. SNMP), but portal uses none of that. 3. How does one cacao server know about the other? For every PS instance created, we record the host and port (and other config data too) to the Portal Domain Repository. Cacao itself doesn't know about other Cacao agents running on other nodes, but our portal MBeans do. 4. Does the cacao server store any data in the DS (via the AMSDK) and if so, do we know the DN's for those settings? Cacao doesn't. The PDR is stored in DS (not via AM SDK) by PAS. It's a subtree with root sunPortalAdminPortalDomainID=defaultDomain, Also, are the certs that we copied only used when the cacao server talk to each other, or also when other components talk to the cacao server to use the portal mbeans? Our Cacao clients (psconsole, psadmin, psconfig) use the same truststore that the local Cacao agent does. This is true only for PS7.0. We start to use our own truststore in PS7.1 per the recommendation of the Cacao team.
About

leroyk

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today