How secure communication between the CP servers and the SFCFSHA clusters work


How secure communication between the CP servers and the SFCFSHA clusters work
Prev	About secure communication between the SFCFSHA cluster and CP server	Next

CP server and SFCFSHA cluster (application cluster) node communication involve the following entities:

vxcpserv for the CP server
cpsadm for the SFCFSHA cluster node

Figure: End-To-end communication flow with security enabled on CP server and SFCFSHA clusters displays a schematic of the end-to-end communication flow with security enabled on CP server and SFCFSHA clusters (application clusters).

Figure: End-To-end communication flow with security enabled on CP server and SFCFSHA clusters

Communication flow between CP server and SFCFSHA cluster nodes with security configured on them is as follows:

Initial setup:

Identities of CP server and SFCFSHA cluster nodes are configured on respective nodes by the VCS installer.

Note:

At the time of fencing configuration, the installer establishes trust between the CP server and the application cluster so that vxcpserv process can authenticate requests from the application cluster nodes. If you manually configured I/O fencing, then you must set up trust between the CP server and the application cluster.

The cpsadm command gets the user name, domain type from the environment variables CPS_USERNAME, CPS_DOMAINTYPE. The user is expected to export these variables before running the cpsadm command manually. The customized fencing framework exports these environment variables internally before running the cpsadm commands.

The CP server process (vxcpserv) uses its own user (CPSERVER) which is added to the local vcsauthserver.

Getting credentials from authentication broker:

The cpsadm command tries to get the existing credentials that is present on the local node. The installer generates these credentials during fencing configuration.

The vxcpserv process tries to get the existing credentials that is present on the local node. The installer generates these credentials when it enables security.
Communication between CP server and SFCFSHA cluster nodes:

After the CP server establishes its credential and is up, it becomes ready to receive data from the clients. After the cpsadm command obtains its credentials and authenticates CP server credentials, cpsadm connects to the CP server. Data is passed over to the CP server.
Validation:

On receiving data from a particular SFCFSHA cluster node, vxcpserv validates its credentials. If validation fails, then the connection request data is rejected.