Veritas Storage Foundation 5.1 SP1 for Oracle RAC Administrator"s Guide (5900-1512, April 2011)
Table 3-20
Fencing startup issues on SF Oracle RAC cluster (client cluster)
nodes (continued)
Description and resolutionIssue
If you had configured secure communication between the CP server and the SF Oracle
RAC cluster (client cluster) nodes, authentication failure can occur due to the following
causes:
■ Symantec Product Authentication Services (AT) is not properly configured on the CP
server and/or the SF Oracle RAC cluster.
■ The CP server and the SF Oracle RAC cluster nodes use the same root broker but the
certificate hash of the root broker is not same on the SF Oracle RAC cluster and the CP
server. Run the following command on both the CP server and the SF Oracle RAC cluster
to see the certificate hash:
# cpsat showalltrustedcreds
■ The CP server and the SF Oracle RAC cluster nodes use different root brokers, and trust
is not established between the authentication brokers:
See “About secure communication between the SF Oracle RAC cluster and CP server”
on page 66.
■ The hostname of the SF Oracle RAC cluster nodes is not the same hostname used when
configuring AT.
The hostname of the SF Oracle RAC cluster nodes must be set to the hostname used
when configuring AT. You can view the fully qualified hostname registered with AT
using the cpsat showcred command. After entering this command, the hostname
appears in the User Name field.
■ The CP server and SF Oracle RAC cluster do not have the same security setting.
In order to configure secure communication, both the CP server and the SF Oracle RAC
cluster must have same security setting.
In order to have the same security setting, the security parameter must have same
value in the /etc/vxcps.conf file on CP server and in the /etc/vxfenmode file on
the SF Oracle RAC cluster (client cluster) nodes.
Authentication failure
213Troubleshooting SF Oracle RAC
Troubleshooting I/O fencing