14.11 Using Encrypted Volumes in a Server Cluster (NetWare)

If you use an encrypted NSS volume in a Novell Cluster Services™ cluster, you must manually enter the password for the volume on one of the servers only when you first start or restart the cluster. You activate the NSS pool and volume on one of the servers, enter the volume password, then deactivate the pool and volume before you can bring the cluster resource online for the first time.

NSS uses the password to create a key, which it stores in the server memory. The NCS software passes the key to other nodes. After all servers hold the key, the volume is available while any one of the servers is still participating actively in the cluster. If all servers in the cluster fail, you must repeat this procedure when you recover the cluster and restart services.

  1. Boot or restart the servers in the cluster.

    If you automated the loading of cluster resources, the cluster reports each resource is comatose because it cannot bring the corresponding encrypted volume online.

    If you opt to manually start cluster resources, the cluster resources are not yet active.

  2. From one of the nodes in the cluster, activate the encrypted volumes.

    1. Activate the cluster pool and its encrypted volumes by entering the following commands at the server console:

      nss /poolactivate=poolname
      
      nss /volumeactivate=volumename
      

      At the prompt, enter the password for the encrypted volume. NSS creates the 128-bit encryption key and stores it in the server’s memory.

      If the server already knows the key for the volume, you are not prompted for the password.

    2. To deactivate the cluster pool, enter

      nss /pooldeactivate=poolname
      
  3. Follow the normal procedures to activate the cluster resources.

    For information, see the OES Novell Cluster Services Administration Guide for NetWare. The node passes the key information to the other nodes. While at least one of the servers is actively participating in the cluster, you do not need to reenter the encryption password again.