Advanced cluster node failure detection enhanced with HMC REST interface

Introduction

IBM® PowerHA® for i Standard Edition has enhanced advanced node failure detection to support a new representational state transfer (REST) interface. The Hardware Management Console (HMC) is being updated to replace the existing Common Information Model (CIM) server with a new REST-based interface. HMC version V8R8.5.0 is the last version of HMC to support the CIM server, and is the first version of HMC to support all REST API functions that are required by the IBM PowerHA SystemMirror® for i licensed program. This function is provided through a new function PowerHA PTF.

Software Requirements

  • 5770-SS1 Base operating system option 3 - Extended Base Directory Support
  • 5770-SS1 Base operating system option 33 - Portable Application Solutions Environment
  • 5733-SC1 - IBM Portable Utilities for IBM i (Only required for initial configuration of a cluster monitor.)
  • 5733-SC1 option 1 - OpenSSH, OpenSSL, zlib (Only required for initial configuration of a cluster monitor.)
  • 5770-HAS IBM PowerHA for i LP
  • HMC version V8R8.5.0 or later. This is the first version of HMC to support the REST server.
  • TLS V1.2 Enabled (See: http://www-01.ibm.com/support/docview.wss?uid=nas8N1020876)
  • PowerHA for i new function cluster monitor HMC REST support PTFs:
    • V7R1 - PowerHA PTF Group SF99706 level 13
    • V7R2 - PowerHA PTF Group SF99776 level 6
    • V7R3 - PowerHA PTF Group SF99876 level 3

Configuring advanced node failure detection on hardware management console (HMC) with REST server

A Hardware Management Console (HMC) can be used with advanced node failure detection to prevent cluster partitions when a cluster node has actually failed. The advanced node failure detection function can reduce the number of failure scenarios that result in cluster partitions.

Before you begin

Consult the requirements and restrictions before setting up advanced node failure detection in a cluster:

  • Using an HMC with a representational state transfer (REST) server requires a minimum HMC version of V8R8.5.0 to implement and configure advanced node failure detection.

  • Check the QSSLPCL system value. Verify that it is set correctly for the release currently running.

NOTE: An incorrect value in QSSLPCL may result in a CPFBBCB diagnostic message with reason code 4.

  • The setup instructions include steps for creating a *SYSTEM certificate keystore. This keystore may have already been created. If so, the password is required. Ask your IBM i administrator for the keystore and access information.

Procedure

These steps guide you through obtaining the digital certificate of your HMC, storing it and referencing it to allow advanced node failure detection for the cluster node.

Create a *SYSTEM certificate store to hold the digital certificates

To create the *SYSTEM certificate store, use the following steps:

 Creating the *SYSTEM certificate store
Procedure
  1. In a web browser, enter http://mysystem:2001/dcm, where mysystem is the host name or IP address of the system. This opens IBM Digital Certificate Manager for i.

  2. Log in with an IBM i profile with sufficient authority.

  3. Click Create Certificate Store in the left-hand navigation menu.

  4. On the right-hand side of the page select *SYSTEM.

Note: If the *SYSTEM option is not available in the list, it indicates that there is a *SYSTEM store already created on this system, and these steps have already been performed.

  5. Create a password for the *SYSTEM store and click Create.

Note: The password is case-sensitive. It is recommended not to use special characters. This password is not attached to a user profile and it will not lock you out of the system after too many attempts.

Result

The *SYSTEM certificate store is created on the node.

Determine the type of Certificate Used by the HMC

Importing Certificates into the System Certificate Store

Follow the instructions depending on the type of certificate used by the HMC.

 Importing Self-Signed Certificates into the System Certificate Store

Extract the self-signed certificates to the IBM i

Begin by extracting the digital certificates for the HMC and copying them to the IBM® i system in the cluster node with these steps:

  1. Sign on your IBM i system and open the command line display.

  2. In the command line display, enter CALL QP2TERM to enter the PASE shell environment.

  3. Retrieve the digital certificates from the HMC with this command:

    openssl s_client -showcerts -connect HMC_name:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | awk '/-BEGIN CERTIFICATE-/{a++}{print > "HMC_name"a".pem"}'

    Replace HMC_name with the name of your system's HMC. This copies the certificates into files named HMC_name1.pem … HMC_nameN.pem, where N is the number of certificates copied from your system's HMC.

  4. Press F3 to exit the QP2TERM environment.

  5. Run the following command for each certificate file to convert the CCSID to 819 (ASCII):

    CHGATR OBJ('HMC_nameX.pem') ATR(*CCSID) VALUE(819)

Select the *SYSTEM certificate store in Digital Certificate Manager

  1. Open the IBM Navigator for i and click Internet Configurations.

  2. On the Internet Configurations page, click Digital Certificate Manager. You need to enter your user profile and password.

  3. Click Select a Certificate Store, select the *SYSTEM option, then click Continue.

  4. Sign in with the password for the certificate store and click Continue, then Manage Certificates.

Import the HMC certificates into the *SYSTEM certificate store.

  1. Select Import certificate and click Continue. If your HMC has only one certificate, perform these steps for that certificate. If your HMC has multiple certificates, perform these steps for each certificate except the first certificate (HMC_name1.pem), starting with the last certificate and moving backwards through the list of certificates. For example, if there are three certificates: HMC_name1.pem, HMC_name2.pem, and HMC_name3.pem, perform these steps for HMC_name3.pem first, then for HMC_name2.pem.

  2. Select Certificate Authority (CA) and click Continue.

  3. Enter the path name of the certificate you want to import. For example, the path and file name may be /HMC_name1.pem. Click Continue.
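
The extraction and import-order steps above, as an added example that is not IBM's code: it splits captured `openssl s_client -showcerts` output into numbered PEM files, as the page's command does, and lists which files to import as CA certificates and in what order. The function names, the sample output and its placeholder certificate bodies are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM's code. Function names are hypothetical.

# Read `openssl s_client -showcerts` output on stdin, write PREFIX1.pem ..
# PREFIXN.pem (1 = the HMC's own certificate), and print N.
split_chain() {
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |
    awk -v p="$1" '
        /-BEGIN CERTIFICATE-/ { if (f) close(f); n++; f = p n ".pem" }
        { print > f }
        END { print n + 0 }'
}

# Print the files to import as CA certificates, in the order the procedure
# gives: the only file if N is 1, otherwise file N down to file 2.
import_order() {
    i=$2
    if [ "$i" -eq 1 ]; then echo "${1}1.pem"; return 0; fi
    while [ "$i" -ge 2 ]; do
        echo "${1}${i}.pem"
        i=$((i - 1))
    done
}

# Show what a file asserts before it is trusted.
# Needs a real certificate, not the placeholder sample below.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# Constructed sample of s_client output; certificate bodies are placeholders.
sample_output() {
    cat <<'EOF'
CONNECTED(00000003)
Certificate chain
 0 s:CN = hmc1.example.com
-----BEGIN CERTIFICATE-----
AAAA
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
BBBB
-----END CERTIFICATE-----
 2 s:CN = Example Root CA
-----BEGIN CERTIFICATE-----
CCCC
-----END CERTIFICATE-----
EOF
}

demo_dir="${TMPDIR:-/tmp}/hmc_chain_demo.$$"
mkdir -p "$demo_dir"
count=$(sample_output | split_chain "$demo_dir/HMC_name")
import_order "$demo_dir/HMC_name" "$count"
```

Run `describe_cert` on each real file and confirm the subject, issuer and fingerprint through a channel other than the connection the certificates were fetched over, since importing a file as a CA makes the node trust it.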

Importing a Trusted Certificate into the System Certificate Store

To import a trusted certificate, follow the instructions in the IBM Documentation for Digital Certificate Manager.

Adding a Cluster Monitor to Monitor for Node Failures

The Add Cluster Monitor (ADDCLUMON) command is used to register an HMC with a particular cluster node. The following example adds a cluster monitor:

 ADDCLUMON CLUSTER(MYCLU) 
           NODE(PROD) 
           TYPE(*RESTSVR)
           RESTSVR('hmc1.example.com' 'myhmcuser' 'myhmcpassword')

This command adds a cluster monitor to the node named PROD in cluster MYCLU. The monitor runs on cluster node PROD and connects to the HMC hmc1.example.com with the credentials specified.

Node Parameter on the ADDCLUMON Command

The node specified on the ADDCLUMON command specifies the node that will be connecting to the given HMC. In many cases this means that it is desirable to add the monitor to multiple nodes in the cluster so that if any one node fails, other nodes in the cluster also are monitoring the same HMC. In some environments this means using the same ADDCLUMON command specifying each node in the cluster so that every node is monitoring the specified HMC.

If desired, repeat this process for additional HMCs in the environment.

Results

Advanced node failure detection with cluster monitors is configured. This can be verified using one of the following:

  • The Work with Cluster (WRKCLU) menu, followed by option 6 to work with cluster nodes, followed by option 6 on a cluster node to see the monitors that cluster node has.

  • The Display Cluster Information (DSPCLUINF) command. For example, enter DSPCLUINF and press Enter until the cluster monitor list is displayed.

More Information

For more information see the following topics in the IBM i Knowledge Center:
