allow from

This lists all the nodes that are allowed access. Permissible entries are:

    all                 All hosts are allowed access.

    domain              Hosts whose names match, or end in, this string are allowed access, for example, hp.com.

    hostname            The named host (for example, kitcat.myco.com) is allowed access.

    IP address          Either a full IP address, or a partial IP address of 1 to 3 bytes for subnet inclusion is allowed.

    network/netmask     This pair of addresses allows more precise inclusion of hosts (for example, 10.163.121.23/225.225.0.0).

    network/nnnCIDR     This specification is like the network/netmask specification, except the netmask consists of nnn high-order 1 bits. “CIDR” stands for Classless Interdomain Routing, a type of routing supported by the Border Gateway Protocol (BGP).

The most typical entry is hostname. The following entries are from a typical /etc/opt/cmom/cmomhosts file:

    order allow,deny
    allow from lanode1.myco.com
    allow from lanode2.myco.com
    allow from nynode1.myco.com
    allow from nynode2.myco.com
    allow from 10.177.242.12

If the file is installed on all nodes in the Continentalclusters, these entries will allow Continentalclusters commands and monitors running on lanode1, lanode2, nynode1, nynode2 to obtain information about the clusters in the configuration.
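As an added illustration that is not part of this manual, the following Python evaluates the entry types listed above against a constructed cmomhosts sample. It assumes that a client is granted access when any allow entry matches (the order allow,deny semantics are not spelled out here), that hostname and domain entries are compared against the name the daemon resolved for the client, and that a network/netmask entry with a non-contiguous mask is a configuration error worth flagging.

```python
import ipaddress

# Constructed sample; the first six lines mirror the manual's example, the rest add the other entry types.
SAMPLE_CMOMHOSTS = """\
order allow,deny
allow from lanode1.myco.com
allow from lanode2.myco.com
allow from nynode1.myco.com
allow from nynode2.myco.com
allow from 10.177.242.12
allow from 172.16
allow from 10.163.0.0/255.255.0.0
allow from 192.0.2.0/24
allow from hp.com
"""

def parse_allow_entries(text):
    # Value part of every "allow from" line; other lines (e.g. "order") are ignored.
    return [l.strip()[len("allow from "):].strip() for l in text.splitlines()
            if l.strip().startswith("allow from ")]

def invalid_entries(text):
    # Pre-flight check: network/netmask or network/nnn entries that cannot be parsed.
    bad = []
    for entry in parse_allow_entries(text):
        if "/" in entry:
            try:
                ipaddress.ip_network(entry, strict=False)
            except ValueError:          # e.g. a netmask that mixes ones and zeroes
                bad.append(entry)
    return bad

def entry_matches(entry, hostname, ip):
    # Apply one allow entry to a client: hostname as resolved by the daemon (assumption), IP as a string.
    if entry == "all":
        return True
    if "/" in entry:                       # network/netmask or network/nnn (CIDR)
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(entry, strict=False)
        except ValueError:                 # an unparsable entry never grants access
            return False
    if entry.replace(".", "").isdigit():   # full IP address, or 1-3 byte partial prefix
        return ip == entry or ip.startswith(entry.rstrip(".") + ".")
    host, pattern = hostname.lower(), entry.lower()
    return host == pattern or host.endswith("." + pattern)   # hostname, or domain suffix

def is_allowed(text, hostname, ip):
    # Assumed reading of "order allow,deny": access only if some allow entry matches.
    return any(entry_matches(e, hostname, ip) for e in parse_allow_entries(text))
```

invalid_entries() is worth running before the file is copied to every node; whether the real daemon rejects or ignores such an entry is not described here.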

Network Security Configuration Requirements

In a Continentalclusters configuration, if the clusters are behind firewalls in their respective sites, you must set appropriate firewall rules to enable inter-cluster communication. The monitoring daemon of Continentalclusters communicates with the Serviceguard Cluster Object Manager on remote clusters. You can determine the ports used by the Cluster Object Manager from the hacl-probe entry in the /etc/services file. In the firewall of all participating clusters, you must set the rule such that TCP and UDP protocol traffic on the hacl-probe ports is allowed from and to the IP addresses of all nodes in the Continentalclusters configuration. For more information on firewalls and ports, see HP Serviceguard A.11.18 Release Notes available at http://www.hp.com/go/hpux-ha-monitoring-docs.

Setting up Security with Continentalclusters Version A.08.00

From Continentalclusters version A.08.00, all nodes in all clusters must be able to communicate with one another using SSH. This secure communication channel is not required for versions prior to A.08.00. When Continentalclusters version A.08.00 is installed, a special Continentalclusters user group, conclgrp, and a special user, conclusr, are created.

NOTE: The conclusr user is used by the Continentalclusters software for inter-node communication. All Continentalclusters commands and operations must be performed as the root user only.

60 Designing Continentalclusters