For example:

    gryf    root    #cluster1, node1
    sly     root    #cluster1, node2
    bit     root    #cluster1, node3

This example grants root access to the node on which this cmclnodelist file resides to root users on the nodes gryf, sly, and bit.

Serviceguard also accepts the use of a “+” in the cmclnodelist file; this indicates that the root user on any Serviceguard node can configure Serviceguard on this node.

IMPORTANT: If $SGCONF/cmclnodelist does not exist, Serviceguard will look at ~/.rhosts. HP strongly recommends that you use cmclnodelist.

NOTE: When you upgrade a cluster from Version A.11.15 or earlier, entries in $SGCONF/cmclnodelist are automatically updated to Access Control Policies in the cluster configuration file. All non-root user-hostname pairs are assigned the role of Monitor.

Ensuring that the Root User on Another Node Is Recognized

The HP-UX root user on any cluster node can configure the cluster. This requires that Serviceguard on one node be able to recognize the root user on another.

Serviceguard uses the identd daemon to verify user names, and, in the case of a root user, verification succeeds only if identd returns the username root. Because identd may return the username for the first match on UID 0, you must check /etc/passwd on each node you intend to configure into the cluster, and ensure that the entry for the root user comes before any other entry with a UID of 0.

NOTE: You need to do this even if you plan to use cmpreparecl (1m) or cmpdeploycl (1m), which calls cmpreparecl. For more information about these commands, see “Using Easy Deployment Commands to Configure the Cluster” (page 162).

About identd

HP strongly recommends that you use identd for user verification, so you should make sure that each prospective cluster node is configured to run it. identd is usually started by inetd from /etc/inetd.conf.

NOTE: If you plan to use cmpreparecl (1m) (or cmpdeploycl (1m), which calls cmpreparecl), you can skip the rest of this subsection.

Make sure that a line such as the following is uncommented in /etc/inetd.conf:

auth stream tcp6 wait bin /usr/lbin/identd identd

NOTE: If the -t option to identd is available on your system, you should set it to 120 (-t120); this ensures that a connection inadvertently left open will be closed after two minutes. In this case, the identd entry in /etc/inetd.conf should look like this:

auth stream tcp6 wait bin /usr/lbin/identd identd -t120

Check the man page for identd to determine whether the -t option is supported for your version of identd.
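The two conditions this section asks you to verify by hand (root listed before any other UID-0 account in /etc/passwd, and an uncommented identd entry in /etc/inetd.conf, preferably with -t120) can be scripted as pre-flight checks. The following is an added example, not part of the HP manual; it takes file paths as parameters so it can be pointed at a node's /etc/passwd and /etc/inetd.conf, and it ships with constructed sample files for an offline dry run.

```shell
#!/bin/sh
# Added example, not from the HP Serviceguard manual: pre-flight checks for
# the two conditions this section describes. Each check takes a file path,
# so it can be run against /etc/passwd and /etc/inetd.conf on a node, or
# against the constructed sample files below for a dry run.

# Succeeds when the first UID-0 entry in a passwd file is named "root".
# identd may report the first match on UID 0, so root must come first.
first_uid0_is_root() {
    first=$(awk -F: '$3 == 0 { print $1; exit }' "$1")
    [ "$first" = "root" ]
}

# Succeeds when an inetd.conf has an uncommented auth line running identd.
identd_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+stream[[:space:]]+tcp6?[[:space:]]+wait[[:space:]]+[^[:space:]]+[[:space:]]+/usr/lbin/identd[[:space:]]+identd' "$1"
}

# Succeeds when that line also passes -t120 (the two-minute idle timeout).
identd_has_timeout() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+stream.*/usr/lbin/identd[[:space:]]+identd[[:space:]]+-t120([[:space:]]|$)' "$1"
}

# Writes constructed sample files into DIR (contents are made up for the demo).
make_sample_files() {
    dir=$1
    # Bad: a second UID-0 account ("toor") is listed before root.
    printf 'toor:x:0:0:alt root:/:/sbin/sh\nroot:x:0:3::/:/sbin/sh\nbin:x:2:2::/usr/bin:/sbin/sh\n' > "$dir/passwd.bad"
    # Good: root is the first UID-0 entry.
    printf 'root:x:0:3::/:/sbin/sh\nbin:x:2:2::/usr/bin:/sbin/sh\ntoor:x:0:0:alt root:/:/sbin/sh\n' > "$dir/passwd.good"
    # identd commented out.
    printf '#auth stream tcp6 wait bin /usr/lbin/identd identd\n' > "$dir/inetd.off"
    # identd enabled without the timeout option.
    printf 'auth stream tcp6 wait bin /usr/lbin/identd identd\n' > "$dir/inetd.notimeout"
    # identd enabled with -t120, as the manual recommends.
    printf 'auth stream tcp6 wait bin /usr/lbin/identd identd -t120\n' > "$dir/inetd.on"
}

# report PASSWD_FILE INETD_CONF: prints one line per check.
report() {
    if first_uid0_is_root "$1"; then echo "OK   $1: root is the first UID-0 entry"
    else echo "FAIL $1: another UID-0 account precedes root; identd may not return 'root'"; fi
    if identd_enabled "$2"; then echo "OK   $2: identd is enabled"
    else echo "FAIL $2: no uncommented auth/identd line"; fi
    if identd_has_timeout "$2"; then echo "OK   $2: identd runs with -t120"
    else echo "WARN $2: identd lacks -t120 (check the identd man page for -t support)"; fi
}

# Dry run on the constructed samples; on a real node use:
#   report /etc/passwd /etc/inetd.conf
demo_dir=$(mktemp -d)
make_sample_files "$demo_dir"
report "$demo_dir/passwd.bad" "$demo_dir/inetd.off"
report "$demo_dir/passwd.good" "$demo_dir/inetd.on"
rm -rf "$demo_dir"
```

Run it on every prospective cluster node before cmapplyconf; a FAIL on the passwd check is the case described above where identd returns some other UID-0 name and root-user verification from a peer node fails.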

(It is possible to disable identd, though HP recommends against doing so. If for some reason you have to disable identd, see “Disabling identd” (page 225).)

For more information about identd, see the white paper Securing Serviceguard at http://www.hp.com/go/hpux-serviceguard-docs, and the identd (1M) manpage.

Preparing Your Systems 167
