This section discusses the security configuration details for the CP server and VCS cluster (application cluster).
The following are the settings for secure communication between the CP server and VCS cluster:
CP server settings:
The installer creates a user with the following values:
Run the following commands on the CP server to verify the settings:
# export EAT_DATA_DIR=/var/VRTSvcs/vcsauth/data/CPSERVER
# /opt/VRTScps/bin/cpsat showcred
VCS cluster node(s) settings:
On the VCS cluster, the installer creates a user for cpsadm during fencing configuration with the following values:
username: CPSADM
domainname: VCS_SERVICES@cluster_uuid
domaintype: vx
Run the following commands on the VCS cluster node(s) to verify the security settings:
# export EAT_DATA_DIR=/var/VRTSvcs/vcsauth/data/CPSADM
# /opt/VRTScps/bin/cpsat showcred
The users described above are used only for authentication for the communication between the CP server and the VCS cluster nodes.
For authorization on the CP server, the customized fencing framework on the VCS cluster uses the following user if security is configured:
CPSADM@VCS_SERVICES@cluster_uuid
where cluster_uuid is the application cluster's universal unique identifier.
For each VCS cluster node, this user must be registered on the CP server database before fencing starts on the VCS cluster node(s). This can be verified by issuing the following command:
# cpsadm -s cp_server -a list_users
The following is an example of the command output:
Username/Domain Type                                         Cluster Name / UUID                               Role
CPSADM@VCS_SERVICES@77a2549c-1dd2-11b2-88d6-00306e4b2e0b/vx  cluster1/{77a2549c-1dd2-11b2-88d6-00306e4b2e0b}  Operator
The following are the settings for secure communication between the CP server and VCS cluster:
CP server settings:
The installer creates the following on the CP server:
CP server and CP server client certificates
Virtual IP addresses and ports for the virtual IP addresses in the vxcps.conf file
Run the following commands on the CP server to verify the settings:
# export EAT_DATA_DIR=/var/VRTSvcs/vcsauth/data/CPSERVER
# /opt/VRTScps/bin/cpsat showcred
VCS cluster node(s) settings:
In non-secure mode, only authorization is provided on the CP server. Passwords are not requested, and authentication and encryption are not provided. User credentials of "cpsclient@hostname" of "vx" domaintype are used by the customized fencing framework for communication between the CP server and the VCS cluster node(s).
For each VCS cluster node, this user must be added to the CP server database before fencing starts on the VCS cluster node(s). The user can be verified by issuing the following command:
# cpsadm -s cpserver -a list_users
The following is an example of the command output:
Username/Domain Type   Cluster Name / UUID                   Role
cpsclient@sys1/vx      cluster1 / {f0735332-e3709c1c73b9}    Operator
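The two list_users checks above (secure mode and non-secure mode) are easy to get wrong by eye, because the username that the fencing framework presents differs per mode and the row must also carry the right cluster UUID and the Operator role. The following POSIX shell script is an added example, not code from the Veritas documentation or product: it derives the user/domaintype string for either mode from this page's rules and checks a list_users listing for that user bound to the expected cluster UUID with the Operator role. The listing it parses is constructed inline from the two sample outputs on this page; the function names expected_fencing_user and cps_user_registered are the example's own.

```shell
#!/bin/sh
# Added example: verify that the user the customized fencing framework will use
# is registered in the CP server's user database before fencing is started.
# Not part of the Veritas documentation; function names are this example's own.

# Constructed sample of "cpsadm -s cp_server -a list_users" output, assembled
# from the two examples on this page (one secure-mode row, one non-secure row).
# On a live system replace this with: SAMPLE_LIST_USERS=$(cpsadm -s cp_server -a list_users)
SAMPLE_LIST_USERS='Username/Domain Type Cluster Name / UUID Role
CPSADM@VCS_SERVICES@77a2549c-1dd2-11b2-88d6-00306e4b2e0b/vx cluster1/{77a2549c-1dd2-11b2-88d6-00306e4b2e0b} Operator
cpsclient@sys1/vx cluster1 / {f0735332-e3709c1c73b9} Operator'

# expected_fencing_user MODE CLUSTER_UUID HOSTNAME
# Prints the "user/domaintype" string the fencing framework uses, per this page:
#   secure     -> CPSADM@VCS_SERVICES@<cluster_uuid>/vx   (HOSTNAME ignored)
#   non-secure -> cpsclient@<hostname>/vx                 (CLUSTER_UUID ignored)
expected_fencing_user() {
    case "$1" in
        secure)     printf '%s\n' "CPSADM@VCS_SERVICES@$2/vx" ;;
        non-secure) printf '%s\n' "cpsclient@$3/vx" ;;
        *)          echo "expected_fencing_user: unknown mode '$1'" >&2; return 2 ;;
    esac
}

# cps_user_registered LIST_USERS_OUTPUT USER_DOMAIN CLUSTER_UUID
# Returns 0 if a row for USER_DOMAIN exists whose UUID (the text inside braces)
# equals CLUSTER_UUID and whose role is Operator; returns 1 otherwise.
# The UUID column is not fixed-width (one sample writes "cluster1/{...}", the
# other "cluster1 / {...}"), so the row is parsed by first field, brace group,
# and last field instead of by column position.
cps_user_registered() {
    printf '%s\n' "$1" | awk -v want_user="$2" -v want_uuid="$3" '
        /^Username\/Domain/ { next }                  # header line
        NF == 0             { next }                  # blank line
        {
            uuid = ""
            if (match($0, /[{][^}]*[}]/))
                uuid = substr($0, RSTART + 1, RLENGTH - 2)
            if ($1 == want_user && uuid == want_uuid && $NF == "Operator")
                found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Stand-alone demonstration: secure-mode check for the cluster UUID from this page.
CLUSTER_UUID=77a2549c-1dd2-11b2-88d6-00306e4b2e0b
USER_DOMAIN=$(expected_fencing_user secure "$CLUSTER_UUID" "")
if cps_user_registered "$SAMPLE_LIST_USERS" "$USER_DOMAIN" "$CLUSTER_UUID"; then
    echo "OK: $USER_DOMAIN is registered for cluster {$CLUSTER_UUID} with role Operator"
else
    echo "MISSING: $USER_DOMAIN is not registered on the CP server; add it before starting fencing" >&2
fi

# Same check for a non-secure-mode node named sys1.
NS_USER=$(expected_fencing_user non-secure "" sys1)
if cps_user_registered "$SAMPLE_LIST_USERS" "$NS_USER" f0735332-e3709c1c73b9; then
    echo "OK: $NS_USER is registered with role Operator"
else
    echo "MISSING: $NS_USER is not registered on the CP server" >&2
fi
```

Run this on each VCS cluster node before starting fencing, with SAMPLE_LIST_USERS replaced by the live list_users output and CLUSTER_UUID (or the hostname, in non-secure mode) taken from the node being checked. Matching on the UUID as well as the username matters in secure mode: the username already embeds the cluster UUID, and requiring the row's cluster UUID to agree with it catches a user registered against the wrong application cluster.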