Best Practices: Environmental Requirements for Symantec Encryption Management Server clustering (previously PGP Universal Server)


Article ID: 154069


Products

Encryption Management Server

Issue/Introduction

Symantec Encryption Management Server (AKA PGP Universal Server) uses clustering for redundancy and additional functionality.

This article covers the best practices that help you achieve reliable clustering and the best performance.


Resolution

Network Requirements

1. Network interface subnets & broadcast domain
Each server should have only one network interface on each subnet. It is not recommended to have multiple network interfaces on the same broadcast domain per server. See TECH174335 for more info.

2. Server-to-server connectivity
Each server must be able to connect to all other servers on port 444. This requirement may require adjusting firewall or router configurations.

3. Telnet
It is helpful to have telnet available and allowed between the servers over port 444. This is used for troubleshooting network connectivity issues between servers. This may require adjusting firewall or router configurations.

4. MTU size
When using MPLS (Multiprotocol Label Switching) or a VPN tunnel you MUST lower the MTU (Maximum Transmission Unit) below the default of 1500. This is best done in steps of 8; 1396 is a common recommendation, but research what your environment requires before lowering the MTU. If this is not done, clustering may fail or perform slowly because packet headers can be stripped.


Name Resolution Requirements

5. Unique server names
Each cluster member MUST have a unique Fully Qualified Domain Name (FQDN).

6. Hostname is the Fully Qualified Domain Name
The FQDN should be entered as the server's hostname. (This can be modified after install: System => Network => Hostname.)

7. Name resolution required
Each cluster member MUST be able to resolve the FQDN of all cluster members using DNS. This requirement may require adjusting firewall, router or DNS configurations.

8. Reverse DNS required
The IP address returned for each clustering FQDN MUST have a corresponding PTR record in DNS resolving back to the FQDN. This means each clustering interface should have two entries (one forward and one reverse) in DNS.

TIP: DNS needs to be reliable for clustering to work when using FQDNs. If this is not available, then IP addresses are a better option to use for the clustering service. In some environments where DNS could potentially be changed, using IP addresses will ensure clustering will not be affected.


9. No network address translation (NAT)
The IP address obtained for each server's FQDN MUST be consistent across the cluster. Using network address translation (NAT) between cluster members is NOT supported.

10. Use fully qualified names to set up the cluster, not IP addresses
The value entered in the hostname field in the clustering interface MUST be the server's FQDN. (Do not use the IP address.)

11. DNS Round Robin/Load Balancers
Load balancers and DNS round robin are not supported for the clustering service on port 444. In other words, clustering must be done server-to-server over port 444. See article TECH232399 for more information.
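The name-resolution requirements above (5, 7, 8, 9 and 11) can be checked mechanically before joining a cluster. The following is an added example, not part of this article or the product: the pure check runs against constructed resolver results, and the resolve_locally() helper (hypothetical, using only the standard library) gathers real results when run on each member or on a host that uses the same resolvers.

```python
import socket

# Constructed sample: forward lookups of every member FQDN as seen from each
# member's resolver, plus the PTR records. pgp03 sees pgp02 through NAT
# (192.0.2.10 instead of 10.0.2.10), which violates requirement 9.
MEMBERS = ["pgp01.example.com", "pgp02.example.com", "pgp03.example.com"]
CLEAN_VIEW = {"pgp01.example.com": ["10.0.1.10"],
              "pgp02.example.com": ["10.0.2.10"],
              "pgp03.example.com": ["10.0.3.10"]}
SAMPLE_FORWARD = {
    "pgp01.example.com": dict(CLEAN_VIEW),
    "pgp02.example.com": dict(CLEAN_VIEW),
    "pgp03.example.com": {**CLEAN_VIEW, "pgp02.example.com": ["192.0.2.10"]},
}
SAMPLE_REVERSE = {"10.0.1.10": "pgp01.example.com",
                  "10.0.2.10": "pgp02.example.com",
                  "10.0.3.10": "pgp03.example.com"}

def check_cluster_dns(members, forward, reverse):
    """Findings for requirements 5, 7, 8, 9 and 11; an empty list means all hold.
    forward: {viewer_fqdn: {member_fqdn: [ips]}}, reverse: {ip: ptr_name or None}."""
    findings = []
    if len({m.lower() for m in members}) != len(members):
        findings.append("cluster members do not have unique FQDNs")           # req 5
    for fqdn in members:
        views = set()   # distinct answers for this FQDN across all members
        for viewer in members:
            ips = forward.get(viewer, {}).get(fqdn) or []
            if not ips:
                findings.append(f"{viewer} cannot resolve {fqdn}")            # req 7
                continue
            if len(ips) > 1:
                findings.append(f"{fqdn} has several A records (round robin)")  # req 11
            views.add(tuple(sorted(ips)))
            for ip in ips:
                if reverse.get(ip) != fqdn:
                    findings.append(f"PTR for {ip} is {reverse.get(ip)!r}, expected {fqdn}")  # req 8
        if len(views) > 1:
            findings.append(f"{fqdn} resolves differently across members: {sorted(views)} (NAT?)")  # req 9
    return list(dict.fromkeys(findings))   # drop repeats, keep order

def resolve_locally(fqdns):
    """Hypothetical helper: live lookups with this host's resolver, returning the
    (forward, reverse) maps for one viewer. Run it on every cluster member."""
    forward, reverse = {}, {}
    for fqdn in fqdns:
        try:
            forward[fqdn] = socket.gethostbyname_ex(fqdn)[2]
        except socket.gaierror:
            forward[fqdn] = []
        for ip in forward[fqdn]:
            try:
                reverse[ip] = socket.gethostbyaddr(ip)[0]
            except OSError:
                reverse[ip] = None
    return forward, reverse
```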

SSL Certificate Requirements

12. SSL certificate required
Each server needs an SSL certificate, and the name on the certificate should match the FQDN of the clustering interface.

13. Current SSL certificate
Each SSL certificate MUST be current, not expired.

14. Trusted certificates (including possible root certificate update for Symantec)
Each SSL certificate MUST be from a recognized certificate authority. Also verify that the Root and Intermediate CA certificates under which your certificate is issued are imported into the Trusted Keys section of the Symantec Encryption Management Server (previously PGP Universal Server). If you are using a Symantec certificate on any of the servers, please see TECH194325 for a known issue related to using these certificates.

15. Self-signed certificates must be trusted
If you are using self-signed certificates, export the public portion of each server's certificate and then import it into the Trusted Keys store on each server.
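Requirements 12 and 13 (name matches the clustering FQDN, certificate not expired) can be verified from the parsed certificate. The following is an added example, not part of this article or the product; it works on the dictionary layout Python's ssl.SSLSocket.getpeercert() returns, with a constructed sample certificate, and the fetch_peer_cert() helper is hypothetical and assumes the clustering port 444 answers a standard TLS handshake with that certificate, which the article does not state.

```python
import socket
import ssl
import time

# Constructed sample in the layout ssl.SSLSocket.getpeercert() returns for a
# verified peer; validity runs 2020-01-01 to 2021-01-01, so it is expired today.
SAMPLE_CERT = {
    "subject": ((("commonName", "pgp01.example.com"),),),
    "subjectAltName": (("DNS", "pgp01.example.com"), ("DNS", "pgp01")),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2021 GMT",
}

def cert_names(cert):
    """All DNS names the certificate is valid for: SAN DNS entries plus the subject CN."""
    names = {v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    for rdn in cert.get("subject", ()):
        names.update(v for k, v in rdn if k == "commonName")
    return {n.lower() for n in names}

def check_cluster_cert(cert, fqdn, now=None):
    """Findings for requirements 12 and 13: the certificate names the clustering
    FQDN and is inside its validity period at time `now` (epoch seconds)."""
    now = time.time() if now is None else now
    findings = []
    if fqdn.lower() not in cert_names(cert):
        findings.append(f"certificate names {sorted(cert_names(cert))} do not include {fqdn}")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append(f"certificate expired on {cert['notAfter']}")
    elif now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append(f"certificate not valid until {cert['notBefore']}")
    return findings

def fetch_peer_cert(fqdn, port=444, timeout=5):
    """Hypothetical live helper: TLS handshake to the clustering port using this
    host's trust store (assumes port 444 speaks TLS with the server certificate).
    A failed handshake means the chain is not trusted here or the name does not
    match (requirements 14/15); on success the parsed certificate is returned
    for check_cluster_cert()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((fqdn, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            return tls.getpeercert()
```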


Directory Synchronization Requirement

16. LDAP servers reachable on all cluster members
When using Directory Synchronization, at least one LDAP server from each configured directory has to be reachable on each of the hosts. Each server has to be able to query all configured directories. These queries are not forwarded through the clustering connection.


Load balancer Requirement

17. No load balancing for cluster interfaces
Network connections to the clustering interface (and FQDN) MUST NOT go through any sort of load balancer (either as the gateway or during later network routing). This may require additional network interfaces configured on the server and static routes set up to route your traffic through multiple gateways. This requires assistance from Symantec Technical Support.


Database Schema Requirement

18. Matching database schema
The database schema MUST match between all cluster members. If you have schema errors reported in the logs, please contact Symantec Technical Support to resolve this issue.


VMTools and Time Requirements

19. Consistent time between cluster members
All cluster members MUST have consistent time configuration. (It is usually easiest to configure all servers to use a single NTP server.) Using an NTP server may require adjusting firewall or router configurations.

20. NTP or VMware time sync (not both)
If you are running in VMware you cannot use both NTP and VMware Time Sync. Either deactivate time sync or do not use NTP. See TECH149390 for more info on setting correct time on VMware ESXi with VMware Tools.

21. VMware Tools must be installed
If installing a Universal Server cluster on VMware, then VMware Tools MUST be installed before joining the cluster. Please see TECH176852 for more information.

22. After server upgrade, VMware Tools reinstall may be needed
If you have upgraded the Symantec Encryption Management Server (formerly PGP Universal Server) from an older version to version 3.0, 3.2, 3.2.1, or 3.3.0, you will also need to reinstall or reconfigure VMware Tools due to the kernel upgrades that occur in each of these versions. Please see TECH200495 for more information.


Applies To

Any environment which needs several Symantec Encryption Management Servers (previously PGP Universal Servers) working together for clustering.