News, tips, partners, and perspectives for the Oracle Solaris operating system

SSL Live Migration for HA for Oracle VM Server for SPARC

Guest Author

As detailed in this article, the HA for Oracle VM Server for SPARC data service for Oracle Solaris Cluster can be used to support enhanced availability of Oracle VM Server for SPARC. This high availability (HA) agent can control and manage a guest domain as a "black box." It can fail over the guest domain in case of failure, but it can also use the domain migration procedures to operate a managed switchover.   

Up to this point, using the HA for Oracle VM Server for SPARC service to orchestrate the guest domain migration required providing the Oracle Solaris Cluster software with administrative credentials for the control domains. Starting with Oracle Solaris Cluster 4.3 SRU3, a resource of type SUNW.ldom version 8 or later can live-migrate a guest domain by using SSL (Secure Sockets Layer) certificates that have been set up to establish a trust relationship between the control domains of the different Oracle VM Server for SPARC servers, which removes the need to store those credentials and thereby enhances the security of the system.

To enable live migration of a guest domain by using SSL certificate-based authentication, you must first configure the SSL certificates as described in the version-specific Administration Guide for Oracle VM Server for SPARC.

Resource type SUNW.ldom version 8 introduces the extension property Use_SSL_Certificate, which enables or disables SSL certificate-based authentication for live migration. By default, Use_SSL_Certificate=FALSE is set, which disables SSL certificate-based authentication. Use_SSL_Certificate=TRUE can be set at any time to enable it.

In order to migrate an existing resource of type SUNW.ldom to resource type version 8, assume the root role or a role that provides solaris.cluster.modify and solaris.cluster.admin authorizations to execute the following on any one node:
$ /usr/cluster/bin/clresource set -p TYPE_VERSION=8 ldom-rs

The steps below briefly describe how to set up the SSL certificates for a guest domain that is managed by Oracle Solaris Cluster Data Service for Oracle VM Server for SPARC 3.3 on a three-node cluster (node1, node2, node3), and leverage the configured SSL certificates for live migration of the guest domain.

Perform the following on each node where a guest domain could be managed by a resource of SUNW.ldom starting with version 8. Setting up SSL certificates for a guest domain requires root privilege.

1. Create the /var/share/ldomsmanager/trust directory, if it does not already exist.
root@node1:~# /usr/bin/mkdir -p /var/share/ldomsmanager/trust
root@node2:~# /usr/bin/mkdir -p /var/share/ldomsmanager/trust
root@node3:~# /usr/bin/mkdir -p /var/share/ldomsmanager/trust


2. Securely copy the remote ldmd certificate to the local ldmd trusted certificate directory.

root@node1:~# /usr/bin/scp \
root@node2.example.com:/var/share/ldomsmanager/server.crt \
/var/share/ldomsmanager/trust/node2.pem

root@node1:~# /usr/bin/scp \
root@node3.example.com:/var/share/ldomsmanager/server.crt \
/var/share/ldomsmanager/trust/node3.pem


root@node2:~# /usr/bin/scp \
root@node1.example.com:/var/share/ldomsmanager/server.crt \
/var/share/ldomsmanager/trust/node1.pem

root@node2:~# /usr/bin/scp \
root@node3.example.com:/var/share/ldomsmanager/server.crt \
/var/share/ldomsmanager/trust/node3.pem


root@node3:~# /usr/bin/scp \
root@node1.example.com:/var/share/ldomsmanager/server.crt \
/var/share/ldomsmanager/trust/node1.pem

root@node3:~# /usr/bin/scp \
root@node2.example.com:/var/share/ldomsmanager/server.crt \
/var/share/ldomsmanager/trust/node2.pem
3. Create a symbolic link from the certificate in the ldmd trusted certificate directory to the /etc/certs/CA/ directory.
root@node1:~# /usr/bin/ln -s /var/share/ldomsmanager/trust/node2.pem \
/etc/certs/CA/

root@node1:~# /usr/bin/ln -s /var/share/ldomsmanager/trust/node3.pem \
/etc/certs/CA/


root@node2:~# /usr/bin/ln -s /var/share/ldomsmanager/trust/node1.pem \
/etc/certs/CA/

root@node2:~# /usr/bin/ln -s /var/share/ldomsmanager/trust/node3.pem \
/etc/certs/CA/


root@node3:~# /usr/bin/ln -s /var/share/ldomsmanager/trust/node1.pem \
/etc/certs/CA/

root@node3:~# /usr/bin/ln -s /var/share/ldomsmanager/trust/node2.pem \
/etc/certs/CA/


4. Restart the svc:/system/ca-certificates service.
root@node1:~# /usr/sbin/svcadm restart svc:/system/ca-certificates
root@node2:~# /usr/sbin/svcadm restart svc:/system/ca-certificates
root@node3:~# /usr/sbin/svcadm restart svc:/system/ca-certificates

5. Verify that the configuration is operational.
root@node1:~# /usr/bin/openssl verify /etc/certs/CA/node2.pem
/etc/certs/CA/node2.pem: OK
root@node1:~# /usr/bin/openssl verify /etc/certs/CA/node3.pem
/etc/certs/CA/node3.pem: OK
root@node2:~# /usr/bin/openssl verify /etc/certs/CA/node1.pem
/etc/certs/CA/node1.pem: OK
root@node2:~# /usr/bin/openssl verify /etc/certs/CA/node3.pem
/etc/certs/CA/node3.pem: OK
root@node3:~# /usr/bin/openssl verify /etc/certs/CA/node1.pem
/etc/certs/CA/node1.pem: OK
root@node3:~# /usr/bin/openssl verify /etc/certs/CA/node2.pem
/etc/certs/CA/node2.pem: OK

6. Restart the ldmd daemon.
root@node1:~# /usr/sbin/svcadm restart svc:/ldoms/ldmd:default
root@node2:~# /usr/sbin/svcadm restart svc:/ldoms/ldmd:default
root@node3:~# /usr/sbin/svcadm restart svc:/ldoms/ldmd:default


7. If the guest domain is already managed by a resource of type SUNW.ldom version 8, set the Use_SSL_Certificate extension property to TRUE.
Assume the root role or a role that provides solaris.cluster.modify and solaris.cluster.admin authorizations to execute the following on any one node:
$ /usr/cluster/bin/clresource set -p Use_SSL_Certificate=TRUE ldom-rs

For a new resource of SUNW.ldom starting with version 8, ensure that the live migration of a guest domain, using SSL certificate authentication, is successful before setting Use_SSL_Certificate=TRUE and enabling the resource.

If you are configuring the SSL certificates for a guest domain that is already running, verify that a dry-run live migration, using SSL certificate authentication, is successful before setting Use_SSL_Certificate=TRUE.

Assume the root role or a role that has been assigned the "LDoms Management" profile and execute the following command:
$ /usr/sbin/ldm migrate-domain -n -c domain-name target_host
$ echo $?
0
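The steps above are repeated by hand on every node, and the number of scp and ln commands grows with the square of the node count. The following POSIX shell script is an added example (it is not from the original post and not part of Oracle Solaris Cluster or Oracle VM Server for SPARC): run on one node, it performs steps 1 through 6 for every other node of the cluster and restarts ldmd only after each peer certificate passes the openssl verify check from step 5. The node names, the example.com DNS suffix, the root@node SSH access and the /var/share/ldomsmanager/server.crt certificate path are the ones the post uses and are assumptions of this script; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original post or the Oracle Solaris Cluster
# product): performs steps 1 to 6 of the post on ONE node for every other
# node of the cluster, then checks the result the way step 5 does.
# Assumptions: peers are reachable over SSH as root@<node>.<DOMAIN_SUFFIX>,
# and ldmd's certificate sits at /var/share/ldomsmanager/server.crt on each
# of them (the path the post uses). DRY_RUN=1 prints commands instead of
# running them.

TRUST_DIR=/var/share/ldomsmanager/trust
CA_DIR=/etc/certs/CA
DOMAIN_SUFFIX=${DOMAIN_SUFFIX:-example.com}   # hypothetical DNS suffix, as in the post

# run CMD... : execute CMD, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# peer_nodes LOCAL NODE... : print every NODE except LOCAL, one per line.
# A node imports its peers' certificates only, never its own.
peer_nodes() {
    local_node=$1; shift
    for n in "$@"; do
        [ "$n" = "$local_node" ] || printf '%s\n' "$n"
    done
}

# trust_peer_cert PEER : steps 1 to 3 for one peer (mkdir, scp, ln -s).
# The scp step relies on SSH host-key verification of PEER: an unverified
# host key would let a wrong certificate into the trust store.
trust_peer_cert() {
    peer=$1
    run /usr/bin/mkdir -p "$TRUST_DIR"
    run /usr/bin/scp "root@${peer}.${DOMAIN_SUFFIX}:/var/share/ldomsmanager/server.crt" \
        "$TRUST_DIR/${peer}.pem"
    # ln -s fails on a second run if the link already exists, so skip it then.
    if [ "${DRY_RUN:-0}" = 1 ] || [ ! -L "$CA_DIR/${peer}.pem" ]; then
        run /usr/bin/ln -s "$TRUST_DIR/${peer}.pem" "$CA_DIR/"
    fi
}

# all_verified OUTPUT : succeed only if every line of `openssl verify` output
# ends in ": OK". Empty output counts as failure, not as "nothing went wrong".
all_verified() {
    printf '%s\n' "$1" | grep -q . || return 1
    ! printf '%s\n' "$1" | grep -v ': OK$' | grep -q .
}

# verify_peers LOCAL NODE... : step 5 for every peer of LOCAL.
verify_peers() {
    local_node=$1; shift
    out=""
    for peer in $(peer_nodes "$local_node" "$@"); do
        out="$out
$(/usr/bin/openssl verify "$CA_DIR/${peer}.pem" 2>&1)"
    done
    all_verified "$out"
}

# setup_node LOCAL NODE... : steps 1 to 6 on LOCAL. ldmd is restarted only
# once every peer certificate verifies, so a broken trust store is noticed
# before the cluster agent starts relying on it.
setup_node() {
    local_node=$1; shift
    for peer in $(peer_nodes "$local_node" "$@"); do
        trust_peer_cert "$peer"
    done
    run /usr/sbin/svcadm restart svc:/system/ca-certificates
    if [ "${DRY_RUN:-0}" = 1 ] || verify_peers "$local_node" "$@"; then
        run /usr/sbin/svcadm restart svc:/ldoms/ldmd:default
    else
        echo "certificate verification failed on $local_node; ldmd not restarted" >&2
        return 1
    fi
}

# Usage on node1 of the three-node cluster from the post:
#   RUN_SETUP=1 DRY_RUN=1 sh ldm_trust.sh node1 node1 node2 node3
# Drop DRY_RUN=1 to apply the changes (requires root); repeat on node2 and node3.
if [ "${RUN_SETUP:-0}" = 1 ]; then
    setup_node "$@"
fi
```

The script deliberately stops at step 6: the dry-run migration with ldm migrate-domain -n -c and the clresource change of step 7 need the guest domain and resource names and are still run by hand, in that order. Two points worth keeping in mind when automating this: the integrity of the copied certificate rests entirely on scp's SSH host-key check of the peer, and step 3 links each peer's self-signed ldmd certificate into /etc/certs/CA, which is the node's system-wide trust store, so the certificate becomes a trusted root for every OpenSSL client on that node, not only for ldmd. Keep the trust directory limited to the cluster's own control domains.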


For more information, refer to the following resources:

Oracle Solaris Cluster Data Service for Oracle VM Server for SPARC Guide
http://docs.oracle.com/cd/E56676_01/html/E56924/index.html

SUNW.ldom(5) Man Page
https://docs.oracle.com/cd/E56676_01/html/E56746/sunw.ldom-5.html

Oracle VM Server for SPARC 3.4 Administration Guide
http://docs.oracle.com/cd/E69554_01/html/E69557/index.html

Oracle VM Server for SPARC 3.3 Administration Guide
https://docs.oracle.com/cd/E62357_01/html/E62358/index.html

Oracle VM Server for SPARC 3.2 Administration Guide
https://docs.oracle.com/cd/E48724_01/html/E48732/index.html

Secure administration of Oracle VM Server for SPARC
https://blogs.oracle.com/jsavit/entry/secure_administration_of_oracle_vm


Tapan Avasthi
Oracle Solaris Cluster Engineering
