CP server and SFCFSHA cluster (application cluster) node communication involve the following entities:
vxcpserv for the CP server
cpsadm for the SFCFSHA cluster node
The figure "End-to-end communication flow with security enabled on CP server and SFCFSHA clusters" shows a schematic of the end-to-end communication flow with security enabled on the CP server and the SFCFSHA clusters (application clusters).
Communication flow between CP server and SFCFSHA cluster nodes with security configured on them is as follows:
Initial setup:
Identities of CP server and SFCFSHA cluster nodes are configured on respective nodes by the VCS installer.
The cpsadm command gets the user name and domain type from the environment variables CPS_USERNAME and CPS_DOMAINTYPE. The user is expected to export these variables before running the cpsadm command manually. The customized fencing framework exports these environment variables internally before running the cpsadm commands.
The CP server process (vxcpserv) uses its own user (CPSERVER) which is added to the local vcsauthserver.
Getting credentials from authentication broker:
The cpsadm command tries to get the existing credentials that are present on the local node. The installer generates these credentials during fencing configuration.
The vxcpserv process tries to get the existing credentials that are present on the local node. The installer generates these credentials when it enables security.
Communication between CP server and SFCFSHA cluster nodes:
After the CP server establishes its credential and is up, it is ready to receive data from clients. After the cpsadm command obtains its credentials and authenticates the CP server's credentials, cpsadm connects to the CP server and passes its data to it.
Validation:
On receiving data from a particular SFCFSHA cluster node, vxcpserv validates its credentials. If validation fails, then the connection request data is rejected.
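The step above notes that a user running cpsadm by hand must export CPS_USERNAME and CPS_DOMAINTYPE first, since the fencing framework only does this for its own invocations. The wrapper below is an added example, not part of the Veritas documentation or the VRTScps package: it refuses to run cpsadm until both identity variables are set, so a missing export fails loudly on the client instead of as a rejected connection on the CP server. The user and domain-type values, the CPSADM_BIN override and the cpsadm arguments shown in the usage call are constructed for illustration.

```shell
#!/bin/sh
# Added example: identity guard for manual cpsadm invocations.
# CPS_USERNAME and CPS_DOMAINTYPE are the variables named in the text;
# everything after the wrapper name is passed to cpsadm unchanged.

# require_cps_env: return 0 when both identity variables are exported and
# non-empty; otherwise report which ones are missing on stderr and return 1.
require_cps_env() {
    missing=""
    [ -n "${CPS_USERNAME:-}" ]   || missing="$missing CPS_USERNAME"
    [ -n "${CPS_DOMAINTYPE:-}" ] || missing="$missing CPS_DOMAINTYPE"
    if [ -n "$missing" ]; then
        echo "cpsadm identity not set; export:$missing" >&2
        return 1
    fi
    return 0
}

# run_cpsadm: run cpsadm only after the identity check passes.
# CPSADM_BIN (assumed name, not a Veritas variable) lets a test or a
# non-default install path substitute the binary; default is cpsadm on PATH.
run_cpsadm() {
    require_cps_env || return 1
    "${CPSADM_BIN:-cpsadm}" "$@"
}

# Usage (constructed values): export the identity, then call through the wrapper.
#   export CPS_USERNAME=CPSADM@example-cluster CPS_DOMAINTYPE=vx
#   run_cpsadm -s cps1.example.com -a ping_cps
```

The cpsadm options in the usage comment are illustrative; use the options documented for your release.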