Synchronizing SYSUAF between independent machines - VMS


  1. Synchronizing SYSUAF between independent machines

    Hello

    We have two HP Integrity boxes (OS Version V8.3-1H1)

    One of them must be kept as a failover, so we need to keep
    information synchronized between both machines.

    The application and data has been confined into a Logical Disk, so we
    just dismount the shadow and copy the files into the other machine. If
    we need to switch over we just need to mount the volumes on the
    failover server.

    We also need to keep synchronized the sysuaf.dat (and related files
    rights.dat...).

    Which could be the best method to do it?

    Regards Ramon

  2. Re: Synchronizing SYSUAF between independent machines

    On Nov 4, 10:16 am, Ramon Jimenez wrote:
    > Hello
    >
    > We have two HP Integrity boxes (OS Version V8.3-1H1)
    >
    > One of them must be kept as a failover, so we need to keep
    > information synchronized between both machines.
    >
    > The application and data has been confined into a Logical Disk, so we
    > just dismount the shadow and copy the files into the other machine. If
    > we need to switch over we just need to mount the volumes on the
    > failover server.
    >
    > We also need to keep synchronized the sysuaf.dat (and related files
    > rights.dat...).
    >
    > Which could be the best method to do it?
    >
    > Regards Ramon


    Ramon,

    The best method to achieve this type of configuration is to create an
    OpenVMS cluster. In a properly configured, OpenVMS cluster, the
    changeover can be completely automated and often all but transparent
    to all users. It would also be a good idea to use host-based volume
    shadowing to remove the dependency on a single physical disk or
    controller.

    Copying files in the event of a failure is a far less safe solution.

    - Bob Gezelter, http://www.rlgsc.com

  3. RE: Synchronizing SYSUAF between independent machines

    > -----Original Message-----
    > From: Ramon Jimenez [mailto:rjimen37@ford.com]
    > Sent: Tuesday, November 04, 2008 10:16 AM
    > To: Info-VAX@Mvb.Saic.Com
    > Subject: Synchronizing SYSUAF between independent machines
    >
    > Hello
    >
    > We have two HP Integrity boxes (OS Version V8.3-1H1)
    >
    > One of them must be kept as a failover, so we need to keep
    > information synchronized between both machines.
    >
    > The application and data has been confined into a Logical Disk, so we
    > just dismount the shadow and copy the files into the other machine. If
    > we need to switch over we just need to mount the volumes on the
    > failover server.
    >
    > We also need to keep synchronized the sysuaf.dat (and related files
    > rights.dat...).
    >
    > Which could be the best method to do it?
    >
    > Regards Ramon


    Why not cluster the two systems, shadow the appropriate disks and
    simply disable logons on the backup system until such time as it
    is required?

    Of course, the preferred way if the app is cluster aware would be
    to cluster and load balance between the two servers. You not only get
    a better use of resources, but in the event one system failed, only
    the users connected to that failed server would have to re-connect.

    In a primary-backup (active-passive) scenario as what typically exists
    in Windows, UNIX and NSK servers, when the primary fails or is shutdown,
    everyone needs to reconnect.


    Regards

    Kerry Main
    Senior Consultant
    HP Services Canada
    Voice: 613-254-8911
    Fax: 613-591-4477
    kerryDOTmainAThpDOTcom
    (remove the DOT's and AT)

    OpenVMS - the secure, multi-site OS that just works.




  4. Re: Synchronizing SYSUAF between independent machines

    In article , Ramon Jimenez writes:
    > Hello
    >
    > We have two HP Integrity boxes (OS Version V8.3-1H1)
    >
    > One of them must be kept as a failover, so we need to keep
    > information synchronized between both machines.
    >
    > The application and data has been confined into a Logical Disk, so we
    > just dismount the shadow and copy the files into the other machine. If
    > we need to switch over we just need to mount the volumes on the
    > failover server.
    >
    > We also need to keep synchronized the sysuaf.dat (and related files
    > rights.dat...).
    >
    > Which could be the best method to do it?


    If you are copying files, there's no reason why you can't copy these
    two. Just be careful of file ownership, protection, location in
    logical name search lists, and versions.


  5. Re: Synchronizing SYSUAF between independent machines


    > The best method to achieve this type of configuration is to create an
    > OpenVMS cluster.


    Bob,

    I fully agree, the best method is a cluster, but someone has
    decided not to use. So I must find an alternate way.

    So, without the cluster option. Is there another way than copying
    sysuaf.dat and rights.dat files?

    If I need to switch over can I merge sysuaf files so I do not need
    a reboot? or would it be better to reboot the machine and replace the
    sysuaf file?

    Regards

  6. Re: Synchronizing SYSUAF between independent machines

    Ramon Jimenez wrote:

    > So, without the cluster option. Is there another way than copying
    > sysuaf.dat and rights.dat files?



    Would defining SYSUAF and RIGHTSLIST to point to a decnet file
    specification work ?

    aka DEFINE/SYSTEM/EXEC SYSUAF othernode::SYS$SYSTEM:SYSUAF.DAT

    This would be quite a dog in terms of performance, and you may have to
    setup various proxies.

    You could have a detached process that regularly checks the modified
    date on the sysuaf/rightslist and copy them over to the other node when
    those dates are different than the previous pass.

    Remember to advise your users that in the case of a failover, it is
    possible that a new password recently changed was reverted and they
    would need to change it again.

    ( you would also need to consider copying the password history file as
    well).

  7. Re: Synchronizing SYSUAF between independent machines

    On Wed, 5 Nov 2008 00:09:30 -0800 (PST), Ramon Jimenez
    wrote:

    >
    >> The best method to achieve this type of configuration is to create an
    >> OpenVMS cluster.

    >
    >Bob,
    >
    > I fully agree, the best method is a cluster, but someone has
    >decided not to use. So I must find an alternate way.
    >
    > So, without the cluster option. Is there another way than copying
    >sysuaf.dat and rights.dat files?
    >
    > If I need to switch over can I merge sysuaf files so I do not need
    >a reboot? or would it be better to reboot the machine and replace the
    >sysuaf file?
    >


    Any solution to copy online files may work, may not... and it may even
    work *most of the time*.

    The question to ask is: is "most of the time" good enough for your
    business? And if the resultant copy is a corrupted file, and you
    don't find out until too late, how disruptive to your business is it?

  8. Re: Synchronizing SYSUAF between independent machines


    "Ramon Jimenez" wrote in message
    news:cfa89e38-0e19-4083-8922-8732d661110e@s1g2000prg.googlegroups.com...
    > Hello
    >
    > We have two HP Integrity boxes (OS Version V8.3-1H1)
    >
    > One of them must be kept as a failover, so we need to keep
    > information synchronized between both machines.
    >
    > The application and data has been confined into a Logical Disk, so we
    > just dismount the shadow and copy the files into the other machine. If
    > we need to switch over we just need to mount the volumes on the
    > failover server.
    >
    > We also need to keep synchronized the sysuaf.dat (and related files
    > rights.dat...).
    >
    > Which could be the best method to do it?
    >
    > Regards Ramon


    Some years ago I actually did something like this for an ISP in the Chicago
    area. When they made a change to their sysuaf or rightslist, they
    wanted the information replicated across all nodes out on their network. Any
    node could be used for authorization and authentication of their
    users, and the changes could originate from specific nodes (for security).

    What I did was to run servers on each VMS system and I audited sysuaf and
    rightslist changes. When this occurred, the server would send
    out the changes to the other systems out on the network. The data was
    encrypted. This worked very well. There was also a way to push
    the entire sysuaf/rightslist file set out periodically as part of a larger
    maintenance schedule.

    John




  9. Re: Synchronizing SYSUAF between independent machines

    Thanks to all for your answers,

    Now I need to check options and take a decision.

    This system has a low number of users and there are very few changes.

    Again thanks to all


  10. Re: Synchronizing SYSUAF between independent machines

    In article , Ramon Jimenez writes:
    > Thanks to all for your answers,
    >
    > Now I need to check options and take a decision.
    >
    > This system has a low number of users and there are very few changes.


    SYSUAF changes every time someone logs in, starts a network job,
    or starts a batch job.

    Do you need that info consistent, or just usernames, privileges, UICs,
    passwords, and rightslist?


  11. Re: Synchronizing SYSUAF between independent machines

    Main, Kerry wrote:
    >>-----Original Message-----
    >>From: Ramon Jimenez [mailto:rjimen37@ford.com]
    >>Sent: Tuesday, November 04, 2008 10:16 AM
    >>To: Info-VAX@Mvb.Saic.Com
    >>Subject: Synchronizing SYSUAF between independent machines
    >>
    >>Hello
    >>
    >>We have two HP Integrity boxes (OS Version V8.3-1H1)
    >>
    >>One of them must be kept as a failover, so we need to keep
    >>information synchronized between both machines.
    >>
    >>The application and data has been confined into a Logical Disk, so we
    >>just dismount the shadow and copy the files into the other machine. If
    >>we need to switch over we just need to mount the volumes on the
    >>failover server.
    >>
    >>We also need to keep synchronized the sysuaf.dat (and related files
    >>rights.dat...).
    >>
    >>Which could be the best method to do it?


    Had the same problem. Customer has two identical systems at two
    sites, each covering a different geographical area. Each system
    is the warm backup of the other. The users of system A and system B
    overlap some, but not completely. (Many users only have access to
    one of the systems, and the users that have access to both have
    different usernames, generally tagged with "_E" or "_W" for East
    and West.) The two systems use different UIC group numbers, so it
    is easy to keep the user populations distinct.

    We had earlier written a program (in Basic) that took a list of
    usernames and used sys$getuaf/sys$setuaf to dump or load all the
    given authorize records to a file. We had originally written this
    for a VAX-to-Alpha migration, where we wanted to not simply merge
    the VAX UAF with Alpha one due to quota issues. When loading, the
    program looks up DEFAULT (or some other specified account) and
    maximizes various and sundry quotas with those of DEFAULT. (Not
    all of them, just those we wanted to bump up on the Alpha.)

    The DCL command file that runs this program prompts for the username
    (can have wild-cards, or be a uic-format account, e.g. [101,*]) and
    then uses AUTHORIZE to list/brief them. It then parses the resulting
    SYSUAF.LIS file to extract all the user names, and generates a
    command file which runs AUTHORIZE and adds them all (with correct
    UIC's to get the identifiers correct), and a second command file to
    generate "grant/id" for all the rights held by the designated users.

    For doing active/passive failovers, we modified this slightly to
    run every night generating the necessary command files and uaf
    dump, and copying them to the inactive system. When switching,
    one of the steps is to restore the latest sysuaf dump on the
    passive system before turning it over to the users. We haven't
    quite figured out what to do about usernames that were deleted
    on the active system since the last time it failed over. Right
    now, it looks like we'll run the dump process on the passive
    system after creating/loading all the current sysuaf info, and
    then diff the resulting "ADD_USERS" command file. Anything that
    is on the passive system that wasn't in the ADD_USERS command
    file we just used to load are accounts that were deleted (or
    renamed?) since the last time. It's expected there will be no
    more than a handful of this and we'll fix them up manually.

    Of course, you get zillions of "duplicate username" and
    "duplicate identifier" errors when you add usernames on the
    passive system that were already there from the last time;
    we submit these command files as a batch job and search the
    log (/match=nor) to ignore these...

    It's a little ugly, and if HP adds new fields to the UAF
    we'll have to update the program, but it works and is pretty
    fast.

    We used a variation of this to initially populate the UAF.
    The customer had provided us with a spreadsheet which we
    exported to a CSV file and then parsed with DCL. IIRC, it
    had a username, first and last name, role (used to determine
    what rights the user has; our application uses application-
    defined VMS rights for determining who can do what), and a
    few other items that we used to generate various UAF fields.





    >>
    >>Regards Ramon

    >
    >
    > Why not cluster the two systems, shadow the appropriate disks and
    > simply disable logons on the backup system until such time as it
    > is required?


    Cost! Have you priced cluster licenses (or worse yet, MCOE licenses)
    recently? After discount, it was well over $30K each for a pair of
    rx3600's.

    Plus they needed extra fibrechannel HBAs and 800 miles of dark 1GB
    or faster fiber.

    >
    > Of course, the preferred way if the app is cluster aware would be
    > to cluster and load balance between the two servers. You not only get
    > a better use of resources, but in the event one system failed, only
    > the users connected to that failed server would have to re-connect.
    >
    > In a primary-backup (active-passive) scenario as what typically exists
    > in Windows, UNIX and NSK servers, when the primary fails or is shutdown,
    > everyone needs to reconnect.
    >
    >
    > Regards
    >
    > Kerry Main
    > Senior Consultant
    > HP Services Canada
    > Voice: 613-254-8911
    > Fax: 613-591-4477
    > kerryDOTmainAThpDOTcom
    > (remove the DOT's and AT)
    >
    > OpenVMS - the secure, multi-site OS that just works.
    >
    >
    >



    --
    John Santos
    Evans Griffiths & Hart, Inc.
    781-861-0670 ext 539
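
The open problem in the post above (accounts deleted on the active system that survive on the passive one) can be checked by comparing the two generated "ADD_USERS" command files. The following is an added example, not the poster's Basic/DCL tooling; the file layout (one `ADD username/UIC=[g,m]` line per account) and the sample usernames are assumptions constructed for illustration.

```python
import re

# Constructed samples; the poster's actual ADD_USERS files are not shown on the page.
ACTIVE_ADD_USERS = """\
$ RUN SYS$SYSTEM:AUTHORIZE
ADD SMITH_E/UIC=[101,1]
ADD JONES_E/UIC=[101,2]
ADD BATCHOPS/UIC=[101,40]
"""
PASSIVE_ADD_USERS = """\
$ RUN SYS$SYSTEM:AUTHORIZE
ADD SMITH_E/UIC=[101,1]
ADD JONES_E/UIC=[101,7]
ADD OLDTEMP_E/UIC=[101,9]
add batchops /uic=[101,40]
"""

# "ADD <username> ..." only; ADD/IDENTIFIER lines do not match.
ADD_RE = re.compile(r"^\s*ADD\s+([A-Z0-9$_]+)\s*(.*)$", re.I)
# Numeric UICs are octal; alphanumeric UICs are not handled and parse as None.
UIC_RE = re.compile(r"/UIC=\[\s*([0-7]+)\s*,\s*([0-7]+)\s*\]", re.I)

def parse_add_users(text):
    """Map upper-cased username -> (group, member), or None if no numeric /UIC."""
    accounts = {}
    for line in text.splitlines():
        m = ADD_RE.match(line)
        if not m:
            continue
        uic = UIC_RE.search(m.group(2))
        accounts[m.group(1).upper()] = (
            (int(uic.group(1), 8), int(uic.group(2), 8)) if uic else None
        )
    return accounts

def reconcile(active_text, passive_text):
    """Compare the active system's account list with the passive system's."""
    active = parse_add_users(active_text)
    passive = parse_add_users(passive_text)
    common = set(active) & set(passive)
    return {
        # Still able to log in after failover although removed on the active node.
        "stale": sorted(set(passive) - set(active)),
        # Present on the active node but never loaded on the passive node.
        "missing": sorted(set(active) - set(passive)),
        # Same username, different UIC: file ownership and rights will not line up.
        "uic_drift": sorted(u for u in common if active[u] != passive[u]),
    }
```

The "stale" list is the set to disable or remove on the passive system before handing it to users; renamed accounts show up as one "stale" entry plus one "missing" entry.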

  12. Re: Synchronizing SYSUAF between independent machines

    John Santos wrote:
    > Main, Kerry wrote:
    >> Why not cluster the two systems, shadow the appropriate disks and
    >> simply disable logons on the backup system until such time as it
    >> is required?

    >
    > Cost! Have you priced cluster licenses (or worse yet, MCOE licenses)
    > recently? After discount, it was well over $30K each for a pair of
    > rx3600's.
    >
    > Plus they needed extra fibrechannel HBAs and 800 miles of dark 1GB
    > or faster fiber.


    Unless they had many terabytes of disks shadowed which they needed to be
    able to full-copy in just a few hours, it would be rare to need
    1-gigabit inter-site links. Many multi-site OpenVMS disaster-tolerant
    clusters run happily on 45-megabit DS-3 or 155-megabit OC-3 links.
    Remote access to Fibre Channel disks can be provided using either MSCP
    Serving or SAN Extension (e.g. FC-IP).
