About secure communication between the VCS cluster and CP server

In a data center, TCP/IP communication between the VCS cluster (application cluster) and CP server must be made secure. The security of the communication channel involves encryption, authentication, and authorization.

The CP server node or cluster needs to confirm the authenticity of the VCS cluster nodes that communicate with it as a coordination point and only accept requests from known VCS cluster nodes. Requests from unknown clients are rejected as non-authenticated. Similarly, the fencing framework in the VCS cluster must confirm that authentic users are conducting fencing operations with the CP server.

Two modes of secure communication between the CP server and the VCS cluster are:

Symantec Product Authentication Services (AT): Entities on whose behalf authentication is done are referred to as principals. On the VCS cluster nodes, the current VCS installer creates the authentication server credentials on each node in the cluster. It also creates vcsauthserver, which authenticates the credentials. The installer then proceeds to start VCS in secure mode. Typically, in an existing VCS cluster with security configured, vcsauthserver runs on each cluster node.

HTTPS communication: The SSL infrastructure uses the client cluster certificates and CP server certificates to ensure that communication is secure. The HTTPS mode does not use the broker mechanism to create the authentication server credentials.