Security configuration details on CP server and SFCFSHA cluster

This section discusses the security configuration details for the CP server and SFCFSHA cluster (application cluster).

Settings in secure mode

The following are the settings for secure communication between the CP server and SFCFSHA cluster:

  • CP server settings:

    Installer creates a user with the following values:

    • username: CPSERVER

    • domainname: VCS_SERVICES@cluster_uuid

    • domaintype: vx

    Run the following commands on the CP server to verify the settings:

    # export EAT_DATA_DIR=/var/VRTSvcs/vcsauth/data/CPSERVER
    # /opt/VRTScps/bin/cpsat showcred

    Note:

    The CP server configuration file (/etc/vxcps.conf) must not contain a line specifying security=0. If there is no line specifying the "security" parameter, or if there is a line specifying security=1, the CP server runs with security enabled (which is the default).

  • SFCFSHA cluster node(s) settings:

    On the SFCFSHA cluster, the installer creates a user for cpsadm during fencing configuration with the following values:

    • username: CPSADM

    • domainname: VCS_SERVICES@cluster_uuid

    • domaintype: vx

    Run the following commands on the SFCFSHA cluster node(s) to verify the security settings:

    # export EAT_DATA_DIR=/var/VRTSvcs/vcsauth/data/CPSADM
    # /opt/VRTScps/bin/cpsat showcred

The users described above are used only for authentication for the communication between the CP server and the SFCFSHA cluster nodes.

For authorization on the CP server, the customized fencing framework on the SFCFSHA cluster uses the following user if security is configured:

CPSADM@VCS_SERVICES@cluster_uuid

where cluster_uuid is the application cluster's universal unique identifier.

For each SFCFSHA cluster node, this user must be registered on the CP server database before fencing starts on the SFCFSHA cluster node(s). This can be verified by issuing the following command:

# cpsadm -s cp_server -a list_users

The following is an example of the command output:

Username/Domain Type
CPSADM@VCS_SERVICES@77a2549c-1dd2-11b2-88d6-00306e4b2e0b/vx

Cluster Name / UUID                             Role
cluster1/{77a2549c-1dd2-11b2-88d6-00306e4b2e0b} Operator

Note:

The configuration file (/etc/vxfenmode) on each client node must not contain a line specifying security=0. If there is no line specifying the "security" parameter, or if there is a line specifying security=1, the client node starts with security enabled (which is the default).

Settings in non-secure mode

In non-secure mode, only authorization is provided on the CP server. Passwords are not requested, and authentication and encryption are not provided. User credentials of the form "cpsclient@hostname" with domaintype "vx" are used by the customized fencing framework for communication between the CP server and the SFCFSHA cluster node(s).

For each SFCFSHA cluster node, this user must be added on the CP server database before fencing starts on the SFCFSHA cluster node(s). The user can be verified by issuing the following command:

# cpsadm -s cpserver -a list_users

The following is an example of the command output:

Username/Domain Type  Cluster Name / UUID                 Role
cpsclient@galaxy/vx   cluster1 / {f0735332-e3709c1c73b9}  Operator

Note:

In non-secure mode, the CP server configuration file (/etc/vxcps.conf) should contain a line specifying security=0. Similarly, on each SFCFSHA cluster node the configuration file (/etc/vxfenmode) should contain a line specifying security=0.
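The three notes above all rest on one rule: a missing "security" line or security=1 means secure mode, and only security=0 means non-secure mode, and the CP server and client files must agree. The following shell functions, an added example and not part of the Veritas documentation or product, apply that rule to a file and check that two files agree; the function names and the sample file contents are constructed for illustration.

```shell
# Report the effective security mode of a CP server (/etc/vxcps.conf) or
# client node (/etc/vxfenmode) configuration file, following the notes above:
#   no "security" line -> secure (default)
#   security=1         -> secure
#   security=0         -> non-secure
vxsec_mode() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi
    # Last uncommented "security=<value>" line wins; whitespace around '=' is tolerated.
    val=$(sed -n 's/^[[:space:]]*security[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$file" | tail -n 1)
    case "$val" in
        0)    echo "non-secure" ;;
        ""|1) echo "secure" ;;
        *)    echo "unexpected security value '$val' in $file" >&2; return 1 ;;
    esac
}

# Both sides must agree: in non-secure mode both files carry security=0, in
# secure mode neither does. Succeeds only when the two modes match.
vxsec_consistent() {
    s=$(vxsec_mode "$1") || return 2
    c=$(vxsec_mode "$2") || return 2
    [ "$s" = "$c" ]
}

# Demo on constructed sample files (hypothetical contents, not real configs).
demo_vxsec() {
    tmp=$(mktemp -d)
    printf 'security=1\n' > "$tmp/vxcps.conf"
    printf 'vxfen_mode=customized\n# security=1\nsecurity = 0\n' > "$tmp/vxfenmode"
    printf 'vxfen_mode=customized\n' > "$tmp/vxfenmode.default"
    for f in vxcps.conf vxfenmode vxfenmode.default; do
        printf '%s: %s\n' "$f" "$(vxsec_mode "$tmp/$f")"
    done
    if vxsec_consistent "$tmp/vxcps.conf" "$tmp/vxfenmode"; then
        echo "server and client agree"
    else
        echo "MISMATCH: server is secure but client has security=0"
    fi
    rm -rf "$tmp"
}
```

Run vxsec_mode against the real files on each host, or demo_vxsec to see the mismatch case the notes warn about.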