When the VBS daemon on C3 is started, it reads the contents of the configuration file to determine the clusters that are allowed to communicate with C3. As VBS B consists of C2 and C3, the VBS daemon determines that C2 can communicate with C3.

Hence, the VBS daemon adds the Cluster IDs of C2 and C3 to the access control file, $VBS_HOME/web/admin/.xprtlaccess.

# cat /opt/VRTSvbs/web/admin/.xprtlaccess

<ClusterId of C2>@vbs_domain@<Name of VOM CMS>.vx:user

<ClusterId of C3>@vbs_domain@<Name of VOM CMS>.vx:user

No external hosts or clusters can pretend to be one of C2 or C3 because they do not have the credential.