Setting Up Cross-Cluster Security

Provides an overview of the configure-crosscluster.sh utility that is used to set up security between two clusters.

About this task

When all local and remote CLDB nodes are reachable from the local node, you can run the configure-crosscluster.sh utility on any CLDB node to automatically set up a trust relationship between clusters.

For two or more HPE Ezmeral Data Fabric clusters to communicate with one another, a secure trust relationship must exist between the clusters. This trust relationship is required for running commands remotely, creating remote replicas and mirror copies of volumes, and accessing data using NFS on the other cluster. The following sections describe the quick way to configure both clusters for mirroring, replication, and remote access, and the advanced manual way to configure the clusters for mirroring, replication, remote access, and/or NFS server access.

Quick Configuration

About this task

You can run the configure-crosscluster.sh utility on any CLDB node in a cluster to automatically set up a trust relationship between the cluster and another cluster. To automatically configure two clusters for remote access, mirroring, and replication in both directions:

Procedure

  1. Log in to the CLDB node on a cluster.
  2. Run the configure-crosscluster.sh utility with the all parameter.
    For example:
    # /opt/mapr/server/configure-crosscluster.sh create all -remoteip <remote_node_IP>
    When the utility runs, it performs the following actions on all the clusters:
    1. Updates the /opt/mapr/conf/mapr-clusters.conf file to include the first entry from the /opt/mapr/conf/mapr-clusters.conf file on the other cluster.
    2. Imports the certificate of the other cluster in the /opt/mapr/conf/ssl_truststore file, and copies the updated /opt/mapr/conf/ssl_truststore file to all the other nodes on the cluster.
    3. Generates a cross-cluster ticket for the other cluster, copies the ticket to the CLDB node on the other cluster, merges the ticket with the /opt/mapr/conf/maprserverticket file on the node in the other cluster, and copies the updated /opt/mapr/conf/maprserverticket file to all other CLDB nodes on the other cluster.
    For more information on the arguments, syntax, and options, see the configure-crosscluster.sh utility.
  3. Verify access to the remote cluster by:
    • Running remote commands on a node in either cluster.
    • Creating mirror volumes on any node in the destination cluster.
    • Setting up table and stream replication on tables and streams in the source cluster.
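The first action listed in step 2 can also be checked offline. The script below is an added example, not part of the HPE utility or its documentation: it confirms that a local mapr-clusters.conf carries the first entry of the other cluster's file. It assumes the line format `<cluster_name> [key=value ...] <cldb_host:port> ...` and that you already hold a copy of the remote file; the cluster names and hosts in the sample files are constructed.

```shell
#!/bin/sh
# Added example (not product code). Assumed mapr-clusters.conf line format:
#   <cluster_name> [key=value ...] <cldb_host:port> ...

# Print the first non-blank line of a file: the cluster's own entry.
first_entry() {
    awk 'NF { print; exit }' "$1"
}

# Print an entry's CLDB endpoints, sorted, skipping key=value options.
cldb_set() {
    printf '%s\n' "$1" |
        awk '{ for (i = 2; i <= NF; i++) if ($i !~ /=/) print $i }' |
        sort | tr '\n' ' '
}

# check_trust_entry LOCAL_CONF REMOTE_CONF
#   0  local file lists the remote cluster with the same CLDB endpoints
#   1  local file has no entry for the remote cluster name
#   2  entry exists but its CLDB endpoints differ (stale or edited entry)
#   3  remote file has no entry at all
check_trust_entry() {
    remote_line=$(first_entry "$2")
    remote_name=$(printf '%s\n' "$remote_line" | awk '{ print $1 }')
    [ -n "$remote_name" ] || return 3
    local_line=$(awk -v n="$remote_name" '$1 == n { print; exit }' "$1")
    [ -n "$local_line" ] || return 1
    [ "$(cldb_set "$local_line")" = "$(cldb_set "$remote_line")" ] || return 2
    return 0
}

# Constructed sample files (hypothetical cluster names and hosts).
write_samples() {
    printf '%s\n' 'east.example secure=true e1:7222 e2:7222' \
                  'west.example secure=true w2:7222 w1:7222' > "$1/local.conf"
    printf '%s\n' 'west.example secure=true w1:7222 w2:7222' \
                  'east.example secure=true e1:7222 e2:7222' > "$1/remote.conf"
    printf '%s\n' 'east.example secure=true e1:7222 e2:7222' \
                  'west.example secure=true w1:7222' > "$1/stale.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_trust_entry "$tmp/local.conf" "$tmp/remote.conf" && echo "trust entry present"
check_trust_entry "$tmp/stale.conf" "$tmp/remote.conf" || echo "mismatch: exit $?"
rm -rf "$tmp"
```

An exit status of 2 means the local entry no longer matches the CLDB list the remote cluster advertises, which is worth investigating before relying on mirroring or replication.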

Advanced Configuration

About this task

Using the configure-crosscluster.sh utility with the default configuration works only when all local and remote CLDB nodes are reachable from the local node. It does not work, for example, if you set up multi-homed clusters as documented in the MAPR_SUBNETS section in Designating NICs for HPE Ezmeral Data Fabric, because the configure-crosscluster.sh utility cannot traverse between local and remote IPs (for example, from the external IP 23.21.203.95 to internal IP 10.10.100.100). In such environments, run the configure-crosscluster.sh utility with the -remotehosts parameter.

You can configure the clusters manually for unidirectional or bidirectional remote access, mirroring, or replication only. The following sections describe the manual steps for: