Step 3: Configuring EVFS on the Configuration Node

On the configuration node, configure and verify EVFS using the procedures described in Chapter 3 (page 35). After you have verified EVFS operation, you must complete the following additional tasks to use the EVFS volumes with a Serviceguard package:

a. Create a cluster key pair, an EVFS key pair that will be distributed and used on all nodes in the cluster.

b. Add the cluster key pair to the EMD of the EVFS volumes used by the Serviceguard package.

c. Modify the entries in the /etc/evfs/evfstab file so that the package control script or package configuration file in modular packages can enable the EVFS volumes when the package starts.

d. Prepare the EVFS volumes for configuration on the adoptive nodes.

Step 3a: Creating a Cluster Key Pair

A cluster key pair is an EVFS key pair that is distributed and used on all nodes in the cluster. EVFS uses this key pair to enable the EVFS volumes from the package control script or the package configuration file, so this key pair must exist and be the same on all nodes in the cluster. The key pair must meet the following criteria:

The user account name and user ID for the key owner must exist and be the same on all nodes in the cluster.

The user account for the key owner must have superuser privileges or the appropriate privileges on all nodes in the cluster.

The key ID must be unique when compared to other key IDs on all cluster nodes. Do not create a key with a key name that already exists for the key owner on a remote node.

Each node in the cluster must have a stored passphrase for the private key. EVFS uses the stored passphrase to automatically enable the volume when the package fails over.

You must use the same passphrase on all nodes, but you must create a new stored passphrase file on each node. Stored passphrase files are encrypted with system-specific data and are unusable on remote systems.

You must know the passphrase for the private key.

IMPORTANT: Do not use the -s option when generating the key pair with the evfspkey keygen command. When you use the -s option, EVFS generates and stores the passphrase for you, and you cannot retrieve the passphrase.

Use the following evfspkey keygen syntax to create the cluster key pair:

evfspkey keygen -p [-c cipher] [-u user] [-k keyname]

Step 3b: Adding the Cluster Keys to the EMD

Add the cluster key pair to the EMD of the EVFS volumes used by the package. Use the following evfsvol add command:

evfsvol add -u user [-k keyname] evfs_volume_path

The user and keyname are the user name and key name for the cluster key pair.

Step 3c: Modifying /etc/evfs/evfstab Entries

You must modify entries in the /etc/evfs/evfstab file for EVFS volumes used by the Serviceguard package so EVFS can enable the volumes when the package starts. The entries in /etc/evfs/evfstab must include the key ID and the noauto flag. EVFS uses the key ID to enable the volumes without manual intervention when the package fails over. The noauto flag stops EVFS from enabling the volumes at system startup.

Use the following syntax for the entries in the /etc/evfs/evfstab file:

v volume_path evfs_volume_path user_name.key_name noauto
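
The following check is an added example, not part of the HP manual: it reads an evfstab file and reports package volumes whose entries lack the key ID or the noauto flag. The function names, device paths and key ID are constructed, and it assumes whitespace-separated fields as in the syntax line above and that lines beginning with # are comments.

```shell
#!/bin/sh
# Added example: lint evfstab entries for Serviceguard package volumes.
# Assumes whitespace-separated fields as in the syntax line above and that
# lines starting with '#' are comments (assumption, not from the manual page).

# check_evfstab FILE EVFS_VOLUME_PATH...
# Prints one finding per line; returns 0 only if every listed volume has an
# entry carrying both a key ID (user_name.key_name) and the noauto flag.
check_evfstab() {
    tab=$1; shift
    rc=0
    for vol in "$@"; do
        out=$(awk -v vol="$vol" '
            /^[ \t]*#/ || NF == 0 { next }
            $1 == "v" && $3 == vol {
                found = 1; key = 0; noauto = 0
                for (i = 4; i <= NF; i++) {
                    if ($i == "noauto") noauto = 1
                    else if ($i ~ /^[^.]+\.[^.]+$/) key = 1
                }
                if (!key) print vol ": no key ID, cannot be enabled unattended on failover"
                if (!noauto) print vol ": no noauto flag, EVFS would enable it at system startup"
            }
            END { if (!found) print vol ": no evfstab entry" }
        ' "$tab")
        if [ -n "$out" ]; then printf '%s\n' "$out"; rc=1; fi
    done
    return $rc
}

# Constructed sample file; device paths and the key ID are made up.
write_sample() {
    cat > "$1" <<'EOF'
# package volumes
v /dev/vg01/lvol5 /dev/evfs/vg01/lvol5 root.clusterkey noauto
v /dev/vg01/lvol6 /dev/evfs/vg01/lvol6 root.clusterkey
v /dev/vg01/lvol7 /dev/evfs/vg01/lvol7 noauto
EOF
}

sample=${TMPDIR:-/tmp}/evfstab.sample.$$
write_sample "$sample"
check_evfstab "$sample" /dev/evfs/vg01/lvol5 /dev/evfs/vg01/lvol6 \
    /dev/evfs/vg01/lvol7 /dev/evfs/vg01/lvol8 || echo "evfstab needs fixing"
rm -f "$sample"
```

Running the same check on every node before the package is started catches an entry that would leave a volume disabled after failover.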

HP UX Encrypted Volume and Filesystem (EVFS) manual Configuring Evfs on the Configuration Node, Creating a Cluster Key Pair