This section discusses the security configuration details for the CP server and SFCFSHA cluster (application cluster).
The following are the settings for secure communication between the CP server and SFCFSHA cluster:
The installer creates a user with the following values:
Run the following commands on the CP server to verify the settings:
# export EAT_DATA_DIR=/var/VRTSvcs/vcsauth/data/CPSERVER
# /opt/VRTScps/bin/cpsat showcred
SFCFSHA cluster node(s) settings:
On SFCFSHA cluster, the installer creates a user for cpsadm during fencing configuration with the following values:
Run the following commands on the SFCFSHA cluster node(s) to verify the security settings:
# export EAT_DATA_DIR=/var/VRTSvcs/vcsauth/data/CPSADM
# /opt/VRTScps/bin/cpsat showcred
The users described above are used only for authentication for the communication between the CP server and the SFCFSHA cluster nodes.
For CP server authorization, the customized fencing framework on the SFCFSHA cluster uses the following user if security is configured:
CPSADM@VCS_SERVICES@cluster_uuid
where cluster_uuid is the application cluster's universal unique identifier.
For each SFCFSHA cluster node, this user must be registered on the CP server database before fencing starts on the SFCFSHA cluster node(s). This can be verified by issuing the following command:
# cpsadm -s cp_server -a list_users
The following is an example of the command output:
Username/Domain Type                                           Cluster Name / UUID                                Role
CPSADM@VCS_SERVICES@77a2549c-1dd2-11b2-88d6-00306e4b2e0b/vx    cluster1/{77a2549c-1dd2-11b2-88d6-00306e4b2e0b}    Operator
In non-secure mode, only authorization is provided on the CP server. Passwords are not requested. Authentication and encryption are not provided. User credentials of "cpsclient@hostname" of "vx" domaintype are used by the customized fencing framework for communication between the CP server and the SFCFSHA cluster node(s).
For each SFCFSHA cluster node, this user must be added on the CP server database before fencing starts on the SFCFSHA cluster node(s). The user can be verified by issuing the following command:
# cpsadm -s cpserver -a list_users
The following is an example of the command output:
Username/Domain Type    Cluster Name / UUID                  Role
cpsclient@galaxy/vx     cluster1 / {f0735332-e3709c1c73b9}   Operator
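The registration check described above for both secure and non-secure mode can be scripted as a gate that runs before fencing starts. The following is an added example, not part of the original documentation or the product; the function names are hypothetical, the sample input is constructed from the output shown above, and the parsing assumes the column layout of that output (user/domaintype first, role last).

```shell
#!/bin/sh
# Added example, not Veritas code. Column layout is assumed from the sample
# list_users output on this page: user/domaintype first, role last.

# Build the user name the customized fencing framework uses.
#   secure     -> CPSADM@VCS_SERVICES@<cluster_uuid>/vx
#   non-secure -> cpsclient@<hostname>/vx
cps_expected_user() {
    case "$1" in
        secure)     printf 'CPSADM@VCS_SERVICES@%s/vx\n' "$2" ;;
        non-secure) printf 'cpsclient@%s/vx\n' "$2" ;;
        *)          return 64 ;;   # unknown mode
    esac
}

# Read list_users output on stdin and look for user $1 with role $2.
# Exit 0: user present with the wanted role; 1: user absent; 2: wrong role.
cps_check_user() {
    awk -v want="$1" -v role="${2:-Operator}" '
        $1 == want { found = 1; if ($NF == role) ok = 1 }
        END { if (ok) exit 0; exit (found ? 2 : 1) }
    '
}

# Pre-fencing gate: fail unless this node's user is registered as Operator.
# usage: cps_gate MODE ID < list_users-output
cps_gate() {
    user=$(cps_expected_user "$1" "$2") || return 64
    cps_check_user "$user" Operator
}

# Constructed sample input, modelled on the example output on this page.
SAMPLE_SECURE='Username/Domain Type  Cluster Name / UUID  Role
CPSADM@VCS_SERVICES@77a2549c-1dd2-11b2-88d6-00306e4b2e0b/vx  cluster1/{77a2549c-1dd2-11b2-88d6-00306e4b2e0b}  Operator'
SAMPLE_NONSECURE='Username/Domain Type  Cluster Name / UUID  Role
cpsclient@galaxy/vx  cluster1 / {f0735332-e3709c1c73b9}  Operator'

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_SECURE" |
    cps_gate secure 77a2549c-1dd2-11b2-88d6-00306e4b2e0b &&
    echo "secure-mode user registered"
printf '%s\n' "$SAMPLE_NONSECURE" |
    cps_gate non-secure galaxy &&
    echo "non-secure-mode user registered"
```

On a CP server client, the output of `cpsadm -s cp_server -a list_users` would be piped into `cps_gate` in place of the sample text.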