CP server and VCS cluster (application cluster) node communication involves the following entities:
vxcpserv for the CP server
cpsadm for the VCS cluster node
Figure: End-to-end communication flow with security enabled on CP server and VCS clusters shows a schematic of this flow for CP server and VCS clusters (application clusters).
Communication flow between CP server and VCS cluster nodes with security configured on them is as follows:
Initial setup:
Identities of CP server and VCS cluster nodes are configured on respective nodes by the VCS installer.
The cpsadm command reads the user name and the domain type from the environment variables CPS_USERNAME and CPS_DOMAINTYPE respectively. Export these variables before you run the cpsadm command manually. The customized fencing framework exports these environment variables internally before it runs the cpsadm commands.
The CP server process (vxcpserv) uses its own user (CPSERVER), which is added to the local vcsauthserver.
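A preflight wrapper for the manual cpsadm invocation described above, as an added example that is not part of the documentation or the product: it checks that CPS_USERNAME and CPS_DOMAINTYPE are actually exported (visible to a child process, not merely set in the current shell) before cpsadm is run. The variable CPSADM_BIN, its default path /opt/VRTScps/bin/cpsadm and the return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the VCS/CP server documentation.
# CPSADM_BIN is a hypothetical override; the default path is assumed.
CPSADM_BIN="${CPSADM_BIN:-/opt/VRTScps/bin/cpsadm}"

# Return codes (constructed for this example):
#   0  ready to run cpsadm
#  10  CPS_USERNAME not exported or empty
#  11  CPS_DOMAINTYPE not exported or empty
#  12  cpsadm binary missing or not executable
cpsadm_preflight() {
    # A child shell only sees exported variables, which is exactly
    # what cpsadm will see when it reads its identity from the environment.
    if ! sh -c '[ -n "${CPS_USERNAME:-}" ]'; then
        echo "cpsadm_preflight: CPS_USERNAME is not exported" >&2
        return 10
    fi
    if ! sh -c '[ -n "${CPS_DOMAINTYPE:-}" ]'; then
        echo "cpsadm_preflight: CPS_DOMAINTYPE is not exported" >&2
        return 11
    fi
    if [ ! -x "$CPSADM_BIN" ]; then
        echo "cpsadm_preflight: $CPSADM_BIN not found or not executable" >&2
        return 12
    fi
    return 0
}

# Run cpsadm with the caller's arguments only after the preflight passes;
# the exit status of cpsadm itself is propagated unchanged.
run_cpsadm() {
    cpsadm_preflight || return $?
    "$CPSADM_BIN" "$@"
}
```

Call it as `run_cpsadm <cpsadm arguments>`; a non-zero preflight code tells you which part of the identity setup is missing before any connection to the CP server is attempted.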
Getting credentials from authentication broker:
The cpsadm command tries to get the existing credentials that are present on the local node. The installer generates these credentials during fencing configuration.
The vxcpserv process tries to get the existing credentials that are present on the local node. The installer generates these credentials when it enables security.
Communication between CP server and VCS cluster nodes:
Once the CP server has established its credential and is running, it is ready to receive data from clients. After the cpsadm command obtains its own credentials and authenticates the CP server's credentials, cpsadm connects to the CP server and passes its data to it.
Validation:
On receiving data from a particular VCS cluster node, vxcpserv validates that node's credentials. If validation fails, the connection request data is rejected.