About security services
Prev	Introducing Veritas Cluster Server	Next

---

About security services

VCS uses the Symantec Product Authentication Service to provide secure communication between cluster nodes and clients, including the Java and the Web consoles. VCS uses digital certificates for authentication and uses SSL to encrypt communication over the public network.

In secure mode:

• VCS uses platform-based authentication.
• VCS does not store user passwords.
• All VCS users are system and domain users and are configured using fully-qualified user names. For example, administrator@vcsdomain. VCS provides a single sign-on mechanism, so authenticated users need not sign on each time to connect to a cluster.

VCS requires a system in your enterprise to be configured as a root broker. Additionally, all nodes in the cluster must be configured as authentication brokers.

• A root broker serves as the main registration and certification authority; it has a self-signed certificate and can authenticate other brokers. The root broker may be a system in the cluster. Symantec recommends having a single root broker per domain, typically a datacenter, acting as root broker for all products using Symantec Product Authentication Services. The root broker is only used during initial creation of an authentication broker.
• Authentication brokers serve as intermediate registration and certification authorities. An authentication broker authenticates users, such as a login to the cluster, or services, such as daemons running on application nodes. but cannot authenticate other brokers. Authentication brokers have certificates that are signed by the root. Each node in VCS serves as an authentication broker.

  Security credentials for the authentication broker must be obtained from the root broker.

For secure communication, VCS components acquire credentials from the authentication broker that is configured on the local system. The acquired certificate is used during authentication and is presented to clients for the SSL handshake.

VCS and its components specify the account name and the domain in the following format:

• HAD Account

  name = _HA_VCS_(systemname)

  domain = HA_SERVICES@(fully_qualified_system_name)

• CmdServer

  name = _CMDSERVER_VCS_(systemname)

  domain = HA_SERVICES@(fully_qualified_system_name)

For instructions on how to set up Security Services while setting up the cluster, see the Veritas Cluster Server Installation Guide.

You can also enable and disable Security Services manually

See Enabling and disabling Security Services.