HP-UX Whitelisting A.01.00 Administrator Guide (HP-UX Security Products and Features Software), page 37

8 HP Serviceguard considerations

8.1 Overview

HP Serviceguard provides clustering services at the application level for high availability (HA). If a critical component fails on the node designated as primary for a product, HP Serviceguard activates the product on an alternate node through failover package scripting.

The failed-over product requires the same resources on the alternate node as were available on the primary node before the failure: loaded binaries, running processes, reconfigured communication ports, and so on. For an HA product to be fully compatible with HP Serviceguard, bringing up these resources must be automated in the failover package scripts.

WLI has no associated processes in user or kernel space, so no failover package is required for WLI itself. However, a product that accesses files protected by WLI access policies might need adjustments to its failover packaging.

WLI does not affect device special files, with the exception of /dev/mem and /dev/kmem. Consequently, a failover package needs no WLI-specific modification for transitioning communication and storage links between nodes.

The WLI database contains files unique to each platform that cannot be shared among cluster nodes. The WLI database must also reside on the root file system, which is mounted early in boot, immediately after kernel initialization. Because the WLI database cannot be shared, a WLI administrative operation performed on one node is not reflected on the others; successful product failover therefore depends on WLI administrative commands being executed identically on every node after the initial installation.

Veritas Storage Foundation Cluster File System (CFS) is not supported by WLI: policies assigned to files residing on CFS file systems are not enforced, so such files are unprotected even though a policy appears to be in place.

The shared library functions in /opt/wli/lib/libwliapi.so (the WLI application API) are not supported on HP Serviceguard clusters in this release.

8.2 Administration

Items for consideration fall into two general categories:

The WLI database

Policy protected files

8.2.1 WLI database

To ensure that the initial configuration of the WLI database is consistent across all nodes, HP recommends the following procedure:

1. Install WLI on all cluster nodes where it will be used, following the procedure in Section 4.2 (page 21).

2. On a single node only, complete the tasks described in “Configuring” (page 25), including generating a backup of the WLI database in /etc/wli.

3. Copy the WLI database backup generated in the previous step to every other cluster node where WLI is installed.

4. Copy the set of RSA keys to be authorized as WLI recovery and administrator keys to all nodes, unless they already reside on a CFS file system visible to every node. The passphrases protecting the copies may differ from node to node, but the RSA keys themselves must be identical.

5. Restore the WLI database backup on all nodes where WLI is installed. Do not repeat any of the “Configuring” (page 25) tasks on these nodes; the restored backup supplies that configuration.

6. The WLI configuration on the cluster nodes is now complete. Carry out the final configuration tasks, switching to restricted mode and rebooting, on every node with WLI.

HP-UX Whitelisting A.01.00 Administrator Guide, Copyright 2010 Hewlett-Packard Development Company, L.P.