Adding the Package to the Cluster
After the setup is complete, add the package to the Serviceguard cluster and start it up.
cmapplyconf
cmmodpkg
If necessary, consult the Managing ServiceGuard manual available at http://www.hp.com/go/
Configuring Access Roles
To restrict unauthorized users from viewing the values of package attributes, set appropriate roles for users who manage the cluster and packages. Set the Sybase administrator password using the SAPASSWD package attribute. Along with other package attributes, password set for the SAPASSWD package attribute is also stored in the Cluster Database.
If you do not restrict access of users for the SAPASSWD package attribute, then unauthorized users can use the cmviewcl command to view the Sybase administrator password. HP recommends to granting access to users based only on their roles in managing the cluster and packages. Configure Role Based Access (RBA) using the following configuration parameters in the cluster:
•USER_NAME
•USER_HOST
•USER_ROLE
Specify one of the following values for the USER_ROLE parameter:
Table 8 Parameters in USER_ROLE
User Role | Description |
MONITOR | Allowed to perform cluster and package view operations. |
PACKAGE_ADMIN | Allowed to perform package administration, and use cluster and package view commands. |
FULL_ADMIN | Allowed to perform cluster administration, package administration, and cluster and package view |
| operations. |
Assign any of these roles to users who are not configured as root users. Root users are usually given complete control on the cluster using the FULL_ADMIN value.
When any of these values are specified for users who are not root users, they can view the Sybase administrator password using the cmviewclcommand. Only those users who are not configured with any of these values cannot view the Sybase administrator password using the cmviewcl command.
For more information on configuring security for a Serviceguard cluster, see the Securing Serviceguard, March 2009 whitepaper available at http://www.hp.com/go/
Serviceguard allows the Role Based Access feature to be switched off, in which case only the root user will be able to view the package attributes.
As the Sybase administrator password is also entered in the package configuration ASCII file, it is recommended that this file is secured either by using file permissions feature provided by the operating system or by deleting the file after the package is applied.
