HP UX System Adstration manual Edit the cfservd.conf File, # /opt/dsau/sbin/cfkey

Page 32

Edit the cfservd.conf File

The file /var/opt/dsau/cfengine_master/inputs/cfservd.conf controls which managed clients have access to the files served by cfservd on the master. Make the following edits to cfservd.conf:

Replace the “<%CFSERVD_DOMAIN_LIST%>” token with a comma-separated list of wildcard DNS domains or hostnames for the systems that are allowed to access this server. For example:

domain_list

= ( “*.abc.xyz.com,*.cde.xyz.com” )

This statement allows all hosts in the abc.xyz.com and cde.xyz.com domains to access the master server. No spaces are allowed in this comma-separated list. Each domain must be prefixed with the “*.” wildcard.

NOTE: The csync_wizard only supports specifying wildcard domain names in cfservd.conf. If you manually edit cfservd.conf and include a combination of specific hostnames or IP address and wildcard domains, then subsequent runs of csync_wizard will replace this line with a list of wildcard domains based on the list of hosts present in cfrun.hosts.

This example allows all hosts in the listed domains to access files on the master server.

You can also specify lists of specific host, IP address ranges, and so on. Refer to the cfengine reference manual for additional information.

Distribute the Master update.conf to Each Cluster Member Use the following commands:

#cd /var/opt/dsau/cfengine_master/inputs

#ccp update.conf /var/opt/dsau/cfengine/inputs/

cfengine itself will take care of distributing the remaining files both cluster-wide and to all managed clients.

Distribute the cfengine Security Keys

Since cfengine uses a public/private key exchange model to validate the authenticity of managed clients, a key must be configured that is associated with the relocatable IP address of the package. That address is the one that remote clients see as the master server. Since any cluster member can become the adoptive node, this key must be identical across all cluster members. cfengine’s cfkey generates a public/private key pair for the current system. cfkey creates the files localhost.priv and localhost.pub.

cfengine expects keys to be named using the following convention: username-IP_address.pub

For example, root-10.0.0.3.pub

The administrator copies the localhost.pub key to the correct name based on the system’s IP address. For the case of a cluster, the keys for the current member are used to generate the keys cluster-wide using the following steps:

1. Use cfkey to create the public and private key pair for this cluster member:

# /opt/dsau/sbin/cfkey

32 Configuration Synchronization

Image 32
Contents Distributed Systems Administration Utilities Users Guide Copyright 2009 Hewlett-Packard Development Company, L.P Table of Contents HP-Supported Open Source pdsh Options Index Syslog-ngLog-Forwarding Configuration List of FiguresList of Tables Consolidated Logging CommandsTarget Node Error Messages About this Document Intended AudienceTypographic Conventions Related InformationProduct Support HP Encourages Your Comments Introduction Distributed Systems Administration Utilities Commands Configuration Synchronization CommandConsolidated Logging Commands Command Fanout CommandsUtility Setup Command Open Source cfengine CommandsOpen Source pdsh Commands Open Source ComponentsDsau Manual Page Sections Distributed Systems Administration Utilities Manual PagesOpen Source syslog-ng Command Configuration Synchronization Cfengine OverviewCfengine Daemons and Commands Configuration SynchronizationCfengine Master Server Deployment Models Cfengine OverviewConfiguring cfengine Using the Configuration Synchronization WizardWizard displays the following introductory screen Configuration Data for csyncwizard# /opt/dsau/sbin/csyncwizard Wizard proceeds to configure the system as a master server # /opt/dsau/sbin/csyncwizard Configuration Synchronization Configuring cfengine Would you like to manage clients? N Cluster Configuration Notes for cfengine Serviceguard Automation FeaturesVar/opt/dsau/cfengine/inputs directory Using the Wizard to Configure a Synchronization Client Opt/dsau/bin/csyncdispatcher Memberadded newhostManual Configuration When prompted, enter the name of the client to add# mkdir -p /var/opt/dsau/cfenginemaster/inputs Manually Configuring a Standalone Synchronization ServerStart by creating the directory # /opt/dsau/sbin/cfkey # /var/opt/dsau/cfengine/ppkeys # cp localhost.pub root-10.0.0.5.pub# /sbin/init.d/cfservd start # cfagent --no-lock --verbose --no-splay# cfrun -- --inform # cfrun -v -- --verboseInitial Serviceguard Package Preparation # mkdir -p /csync/dsau/cfenginemaster/masterfilesPolicyhost = csync.abc.xyz.com List Managed Clients in cfrun.hostsEdit the cfservd.conf File # /opt/dsau/sbin/cfkey# ccp /etc/rc.config.d/cfservd /etc/rc.config.d/cfservd # cp localhost.pub root-192.10.25.12.pub# ccp * /var/opt/dsau/cfengine/ppkeys # cexec /sbin/init.d/cfservd startTest the configuration by performing the following steps # ccp csync csync.conf /etc/cmcluster/csyncApply the package and start it # cmapplyconf -P csync.conf # cmmodpkg -e csyncConfiguring a Synchronization Managed Client On a managed client, use the commandSecurity Notes Choosing a Synchronization Invocation MethodKey Exchange Csync Network Port UsageEncryption Encryption Checksum alertsDisabling Use of cfengine Logging OptionsChecksum Alerts # /sbin/init.d/cfservd stopCfengine Troubleshooting Syntax error due to missing or superfluous spaces#cfagent -K Unable to connect to a cfengine client or masterCfagent -d, -d1, -d2, or -d3 cfservd Cfrun Consolidated Logging Introduction to syslogSyslog Message Format 2describes syslog Facilities MessagesImproved Log Consolidation Log Consolidation OverviewMessage Filtering Syslog Co-existence Etc/cmcluster/package-name/package-name.log Log Consolidation Configuration Syslog-ng Log Consolidator ConfigurationOpt/dsau/sbin/clogwizard Using the Log Consolidation WizardConfiguration Data for clogwizard Answer yes y. The wizard then prompts Where N is the expected number of clientsAnswer yes y or press Enter. The next question is If these choices are correct, continue Next prompt is Log files that reside on this cluster can be consolidated Consolidated package logs would be located here Cluster Configuration Notes for clog Minimizing Message Loss During Failover Configuring a Log Forwarding Client Using clogwizard Or press Enter. The next question isEnter the ssh port to be used for port forwarding Manually Configuring Log Consolidation Manually Configuring a Standalone Log Consolidation ServerFor example, for TCP # /sbin/init.d/syslogd stop # /sbin/init.d/syslogd startReplace the %UDPLOOPBACKLOG% token with Create the following symbolic link Change the Clogconfigured line toIf using the TCP protocol, add Add the following linesLog Consolidation Configuration SYSLOGDOPTS=-D -N KEEPALIVE% tokens with appropriate values UDPLOOPBACKSOURCE% and %UDPLOOPBACKLOG% tokens If consolidating package logs of this cluster, add Creating the clog PackageIf using VxVM, comment out the LVM Volume Group line Then use cmviewcl to make sure it is running Testing and Starting the clog PackageDistribute it cluster-wide Manually Configuring a Standalone Log Forwarding Client Manually Configuring Log Forwarding ClientsUsing VxVM Instead of LVM Ln -sf /etc/syslog-ng.conf.client /etc/syslog-ng.conf # /sbin/init.d/syslog-ng start # cpp /etc/rc.config.d/syslogd /etc/rc.config.d Destination dsyslog%TYPE% %TYPE%%IP%port%PORT% If using the TCP protocol, add the following lines If using ssh port forwarding, addOtherwise, if using the UDP protocol, add Create the following symbolic link on each cluster memberStart syslog-ngon all cluster members using Forwarding Ascii Log DataFor the destination line For the filter lineConsolidating Package Logs on the Log Consolidation Server For the log linePerform the following steps to disable log consolidation Disabling Log ConsolidationDisabling a Standalone Log Consolidation System #/sbin/init.d/syslogd stopDisabling a Serviceguard Cluster Log Consolidation System Disabling a Standalone Log Forwarding Client#/sbin/init.d/syslogd start # /sbin/init.d/syslog-ng stopDisabling a Serviceguard Cluster Log Forwarding Client #/sbin/init.d/syslogd stop #/sbin/init.d/syslogd startSsh Port Forwarding Securing Consolidated LogsLog File Protections # cd /opt/ssh/etc # ccp sshhost* /opt/ssh/etc Using Bastille to Harden the SystemClog Network Port Usage Using the System and Consolidated Log Viewer Viewing System and Consolidated LogsStarting System Management Homepage To log in to the System Management Homepage, navigate toViewing System and Consolidated Logs Page Command Fanout Parallel Distributed ShellPdsh Utility Wrappers All nodesSystems Cwall displays a wall1M broadcast message on multiple hostsSecurity Configuration Remote Shell Security SetupSsh Security Setup # csshsetup -r -f memberslist.txtCommand Fanout Troubleshooting Ssh Command MessagesRsh Command Messages Target Node Error MessagesHP-Supported Open Source pdsh Options Page Index CfanouthostsLVM UDP