Versions Compared

Version Old Version 2 New Version Current
Changes made by

Brian Nordland

Brian Nordland

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
minLevel1
maxLevel6
outlinefalse
stylenone
typelist
printabletrue

...

In environments where automatic failover is desired, it is possible to enhance automatic failover to monitor for additional events via a Hardware Management Console (HMC) using cluster monitors. See Advanced Node Failure Detection for additional information.

...

PowerHA uses the Power Virtual Server API to manage and control resources in IBM Power Virtual Server.

Configuring PowerHA to Accept Digital Certificates from IBM Cloud Services

All communication between PowerHA and the IBM Cloud uses TLS for communication. This communication uses digital certificates to both encrypt and protect the communication.

Create a *SYSTEM certificate store to hold the digital certificates

To create the *SYSTEM certificate store, use the following steps:

Expand
titleCreating the *SYSTEM certificate store

  1. In a web browser, enter http://mysystem:2001/dcm, where mysystem is the host name or IP address of the system. This opens IBM Digital Certificate Manager for i.

  2. Log in with an IBM i profile with sufficient authority.

  3. Click on Create Certificate Store on the left-hand navigation menu

  4. On the right-hand side of the page select *SYSTEM.

    Image Added
Info

Note: If the *SYSTEM option is not available in the list, it indicates that there is a *SYSTEM store already created on this system, and these steps have already been performed.

  1. Create a password for the *SYSTEM store and click Create.

Info

Note: The password is case-sensitive. It is recommended not to use special characters. This password is not attached to a user profile and it will not lock you out of the system after too many attempts.

Panel
panelIconIdatlassian-light_bulb_on
panelIcon:light_bulb_on:
panelIconText:light_bulb_on:
bgColor#E3FCEF

Tip: The system certificate store must be created on all nodes in the cluster. Ensure the *SYSTEM certificate store is created on all nodes in the cluster before continuing.

Trusting the IBM Cloud Certificate Authority

There are two options for trusting the IBM Cloud Certificate Authority:

  • Recommended: Populate digital certificate manager with well known CAs.

Expand
titlePopulate digital certificate manager with well known CAs.

Open the *SYSTEM certificate store in Digital Certificate Manager

Info

If the *SYSTEM certificate store was created in the previous step, simply select it in the left-hand menu in Digital Certificate Manager and continue on to the next section.

  1. In a web browser, enter http://mysystem:2001/dcm, where mysystem is the host name or IP address of the system. This opens IBM Digital Certificate Manager for i.

  2. Log in with an IBM i profile with sufficient authority.

  3. Click Open Certificate Store.

  4. Select the *SYSTEM option, click continue.

Info

If *SYSTEM does not appear in the list, the system certificate store either does not exist, or is already open. If it does not exist, see Creating the *SYSTEM Certificate Store. If it is already open, select it in the left-hand menu.

  1. Sign in with the password for the certificate store and click Open.

Populate the *SYSTEM certificate store in Digital Certificate Manager with CAs

  1. Click the Populate with CAs link in Digital Certificate Manager

    image-20250120-150242.pngImage Added

  2. Click the Select All button to select all certificates

  3. Click the Populate button to populate the system certificate store with all well known CAs.

  4. Repeat these steps on all nodes in the cluster.

  • Bypassing strict-certificate checking in PowerHA using a PowerHA Policy

Expand
titleBypassing strict-certificate checking in PowerHA using a PowerHA Policy
Note

Warning: While this step only needs to be performed on one node, it is not as secure as the option for trusting well-known certificates. While this option still uses encrypted communication between PowerHA and IBM Cloud services, it does not protect against a man-in-the-middle attack.

Add a PowerHA policy to bypass strict certificate checking in PowerHA. For example, the following policy would bypass strict certificate checking for any configuration description:

ADDHAPCY PCY(QHA_COMM_STRICT_CERT_CHECK) PCYDMN(*NONE) QUAL('CFGD(*ALL)') VALUE(*NO)

This step only needs to be performed on one node as the policy applies to the entire PowerHA cluster.

Creating an API Key

The API key at a minimum must have the following access levels to the Workspace for Power Virtual Server service:

...

  1. In the IBM Cloud console, go to Manage > Access (IAM) and select Service IDs.

  2. If you don’t have a service ID created, create the service ID.

  3. Click the Actions icon > Manage service ID.

  4. Click API keys.

  5. Click create

  6. Add a name and description to easily identify the API key.

  7. Click Create.

  8. Save your API key by copying or downloading it to a secure location.

Panel
panelIconId1f512
panelIcon:lock:
panelIconText🔒
bgColor#DEEBFF

For security reasons, the API key is only available to be copied or downloaded at the time of creation. If the API key is lost, you must create a new API key.

...

For this example, a configuration description for DAL10 is created using the following command, followed by selecting the appropriate workspace from the list:

ADDHACFGD NAME(PVSWSDAL) TYPE(*STGCTL) SUBTYPE(*PVS) PVSHOST('apikey')

...

For example, a configuration description for WDC07 is added using the following command followed by selecting the appropriate workspace from the list:

ADDHACFGD NAME(PVSWSWDC07PVSWSWDC) TYPE(*STGCTL) SUBTYPE(*PVS) PVSHOST('apikey')

Configuring Global Replication Services (GRS)

PowerHA requires GRS to be configured outside of PowerHA. This includes performing the following actions:

Actions on the primary site:

...

...

Enabling replication for the IASP volumes by setting the volumes to be replication-enabled

...

Creating a new volume group

...

Placing the replication enabled volumes into the volume group

Actions on the target workspace:

  • Onboard the auxiliary volumes by using the IBM Cloud CLI or API.

  • Attach the a auxiliary volumes to the target virtual server

See the IBM Cloud documentation on getting started with GRS for additional information.

Adding Copy Description

A copy description gives PowerHA the information it needs to describe and manage a single copy of an IASP. With GRS, because the IASP is replicated, there are two copies of the IASP. Therefore, PowerHA requires two copy descriptions.

...

Info

Note: When using the command in batch mode, volume IDs  must be specified in the command rather than the *SELECT option. The Volume IDs for a volume can be found in the IBM Cloud console.

Configuring Global Replication Services (GRS)

While GRS can be configured outside of PowerHA, it is possible to also configure GRS using the Configure PVS Mirror (CFGPVSMIR) command:

CFGPVSMIR ASPDEV(MYIASP) ACTION(*CREATE)

This command will do the following:

  • Validate various configuration

  • If the target copy description has not yet had the *ADDNODE operation performed for the node at the target site with the lowest backup sequence (called the mirror site primary node), it will prompt to select the appropriate Power Virtual Server Instance to associate with the target node.

  • Ensure the IASP volumes are all in the same storage pool.

  • Enable replication for the IASP volumes by setting the volumes to be replication-enabled

  • Create or update a volume group

  • Place the replication enabled volumes into the volume group

  • Onboard the auxiliary volumes

  • Attach the auxiliary volumes to the target virtual server

  • Add volumes to the target copy description

If a failure occurs while performing the CFGPVSMIR command, such as a network communication failure during the operation, the CFGPVSMIR command can be run again, and it will check and confirm which steps need to be performed.

Expand
titleManually Configuring GRS
Info

If the CFGPVSMIR command was used, these steps should be skipped.

While the CFGPVSMIR command will handle many of the steps in an automated fashion, GRS can also be manually configured. This includes performing the following actions:

Actions on the primary site:

  • Ensuring the IASP volumes are all in the same storage pool.

  • Enabling replication for the IASP volumes by setting the volumes to be replication-enabled

  • Creating a new volume group

  • Placing the replication enabled volumes into the volume group

Actions on the target workspace:

  • Onboard the auxiliary volumes by using the IBM Cloud CLI or API.

  • Attach the a auxiliary volumes to the target virtual server

See the IBM Cloud documentation on getting started with GRS for additional information.

Adding Volumes to the Backup (Target) Copy Description

Volumes are added to the target copy description in the same way that they are added to the source copy description, using the CHGPVSCPYD command. In this instance, the volume IDs must be obtained from the target Power Virtual Server workspace in the IBM Cloud.

For example, the copy description for the backup copy can be added using the following command:

CHGPVSCPYD ASPCPY(WDC07CPY) ACTION(*ADDVOL)

Starting a PowerHA Session

...

This command specifies to start a session called MYSSN that is of type Global Mirror. PowerHA uses Global Mirror to represent asynchronous replication as is used with Global Replication Services. In addition, the command specifies that this session references the CRG named MYCRG. PowerHA automatically pulls together the CRG information and Copy Description information from the copy descriptions that describe sites in the CRG.

Starting the CRG

Once everything is configured, the cluster resource group can be started. Starting the cluster resource group starts regular PowerHA monitoring and health checks of the environment. These health checks run at 15 minute intervals and will post messages to the QSYSOPR upon a failure that would prevent a switchover or failover.

In addition to posting a message to QSYSOPR, the status of the node in the CRG recovery domain status field is updated to reflect the combined status of the last healthcheck and the status of the node. This status field can be displayed by going to taking option 6=Recovery Domain on the Work with Cluster Resource groups menu from within the WRKCLU menu.

The following command in this example starts the cluster resource group:

STRCRG CRG(MYCRG)

Panel
panelIconId1f4a1
panelIcon:bulb:
panelIconText💡
bgColor#E3FCEF

The cluster resource group must be restarted if clustering is ended on all nodes.

Results

PowerHA management of GRS is now configured between the nodes in the CRG. To verify and monitor the status of replication, use one of the following:

...