WLI installation and configuration on the cluster is now complete. Following reboot of all nodes, WLI is operational in restricted mode. To maintain the WLI database consistently and ensure product failovers will be successful, HP recommends the following procedure:

1. Execute the WLI administrative commands wliadm, wlicert, wlisys, and wlisyspolicy identically on all nodes. This ensures the WLI database, which includes all authorized user keys, granted capabilities, and associations, is uniform.

2. After WLI is initialized and configured, the WLI databases on different nodes contain different information if administrative commands are not executed identically across the cluster.

3. To minimize the need to switch WLI to restricted mode, avoid using wliadm. Deleting and adding administrator keys requires refreshing an archive in maintenance mode, during which WLI restrictions are not enforced.

4. Minimize the use of WLI administrative commands and the total time taken to execute them across nodes. The WLI database differs between nodes while administrative command operations are in progress, which can adversely affect product failover and multi-node product behavior.

5. If a failover occurs, the WLI database on the primary node can be unavailable for updates. Before failing back any applications, you must update the recovered node with all WLI commands executed after the failure.

8.2.2 Policy protected files

WLI policy enforcement must appear consistent across all nodes. To ensure file access policies are enforced with the same results across all nodes, HP recommends performing the following tasks:

Examine product failover scripting for instances of non-shared files protected by WLI file access policies. An example might be configuration data residing under /etc. Because user keys can generate policies on non-shared files, the policies must be verified as identical across all nodes to avoid potential failover problems.

Sign binary executables identically across all nodes using the same keys. If the commands are on shared storage file systems for failover or on CFS for multi-node applications, only one copy of the binary executable is necessary for all nodes.

Generate file access policies identically across all nodes on non-shared file systems. A file access policy for a file residing in a file system on shared media, such as a member of the HP StorageWorks EVA family, is enforced on all nodes.

Verify that user IDs (/etc/passwd entries) and group IDs (/etc/group entries) are consistent across all nodes. File permission and ownership restrictions are not affected by WLI, so a user or group name that maps to a different numeric ID on one node can cause file access to vary across WLI protected nodes.
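A consistency check for the UID/GID task above, added here as an example that is not part of the HP manual: it compares passwd-format (or group-format) files copied from two nodes and reports names whose numeric ID differs or that exist on only one node. The node files and the user entries are constructed samples; in practice the inputs are copies of /etc/passwd or /etc/group gathered from each cluster node.

```sh
#!/bin/sh
# Compare the name -> numeric ID mapping of two passwd- or group-format files.
#   $1 = file from node A, $2 = file from node B, $3 = label ("uid" or "gid")
# Field 3 is the UID in /etc/passwd and the GID in /etc/group, so one function
# serves both checks. Prints one line per discrepancy; exit status 1 if any.
compare_id_map() {
    awk -F: -v label="$3" '
        NR == FNR { a[$1] = $3; next }       # first pass: node A name -> id
        {
            b[$1] = $3                       # second pass: node B name -> id
            if (!($1 in a)) {
                printf "%s only on node B\n", $1; bad++
            } else if (a[$1] != $3) {
                printf "%s %s mismatch: %s vs %s\n", $1, label, a[$1], $3; bad++
            }
        }
        END {
            for (n in a) if (!(n in b)) { printf "%s only on node A\n", n; bad++ }
            exit (bad ? 1 : 0)
        }' "$1" "$2"
}

# Write constructed sample passwd files for two nodes and print the directory.
# appsvc has a different UID on node B and batch exists only on node B.
make_samples() {
    dir="${TMPDIR:-/tmp}/wli_idcheck.$$"
    mkdir -p "$dir"
    cat > "$dir/passwd.nodeA" <<'EOF'
root:x:0:3::/:/sbin/sh
wliuser:x:104:20::/home/wliuser:/sbin/sh
appsvc:x:105:20::/home/appsvc:/sbin/sh
EOF
    cat > "$dir/passwd.nodeB" <<'EOF'
root:x:0:3::/:/sbin/sh
wliuser:x:104:20::/home/wliuser:/sbin/sh
appsvc:x:110:20::/home/appsvc:/sbin/sh
batch:x:111:20::/home/batch:/sbin/sh
EOF
    echo "$dir"
}
```

Run `compare_id_map nodeA.passwd nodeB.passwd uid` (and the same with the group files and `gid`) from a node that has gathered the files; a non-zero exit status means the mapping must be reconciled before policies are relied on across nodes.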

HP-UX Security Products and Features Software manual