Ambrose Bierce, The Enlarged Devil’s Dictionary | IBM SG24-5131-00

Kerberos

Also spelled Cerberus - The watchdog of Hades, whose duty was to guard the entrance (against whom or what does not clearly appear); it is known to have had three heads.

-Ambrose Bierce, The Enlarged Devil’s Dictionary

The following is simply a shortened description on how kerberos works. For more details, the redbook Inside the RS/6000 SP, SG24-5145, covers the subject in much more detail.

When dealing with authentication and Kerberos, three entities are involved: the client, who is requesting service from a server; the second entity, and the Key Distribution Center or Kerberos server, which is a machine that manages the database, where all the authentication data is kept and maintained.

Kerberos is a third-party system used to authenticate users or services that are known to Kerberos as principals. The very first action to take regarding Kerberos and principals is to register the latter to the former. When this is done, Kerberos asks for a principal’s password, which is converted to a principal (user or service) 56-bit key using the DES (Data Encryption Standard) algorithm. This key is stored in the Kerberos server database.

When a client needs the services of a server, the client must prove its identity to the server so that the server knows to whom it is talking.

Tickets are the means the Kerberos server gives to clients to authenticate themselves to the service providers and get work done on their behalf on the services servers. Tickets have a finite life, known as the ticket life span.

In Kerberos terms, to make a Kerberos authenticated service provider work on behalf of a client is a three-step process:

•Get a ticket-granting ticket.

•Get a service ticket.

•Get the work done on the service provider.

The main role of the ticket-granting ticket service is to avoid unnecessary password traffic over the network; so, the user should issue his password only once per session. What this ticket-granting ticket service does is to give the client systems a ticket that has a certain time span, whose purpose is to

188 IBM Certification Study Guide AIX HACMP

Image 206

IBM SG24-5131-00 manual Ambrose Bierce, The Enlarged Devil’s Dictionary

Contents

AIX Hacmp Page AIX Hacmp Take Note Contents Iv IBM Certification Study Guide AIX Hacmp Page Vi IBM Certification Study Guide AIX Hacmp Appendix A. Special Notices Vii Viii IBM Certification Study Guide AIX Hacmp Figures IBM Certification Study Guide AIX Hacmp Tables Xii IBM Certification Study Guide AIX Hacmp Preface Xiii Team That Wrote This Redbook Comments Welcome Your comments are important to us Xvi IBM Certification Study Guide AIX Hacmp Certification Requirement two Tests Certification OverviewIBM Certified Specialist AIX Hacmp Recommended Prerequisites Hacmp Implementation PreinstallationCertification Exam Objectives System Management Certification Education Courses Following table outlines information about the next course IBM Certification Study Guide AIX Hacmp CPU Options Cluster PlanningCluster Nodes Cluster Node Considerations Cluster Planning Switch adapter is onboard and does not need an extra slot Supported TCP/IP Network Types Cluster Networks1 TCP/IP Networks Slip Socc Special Network Considerations Cluster Planning Non-TCPIP Networks Supported Non-TCP/IP Network Types Special Considerations Serial RS232 Target-mode Scsi Cluster DisksSSA Disks Target-mode SSA Host Specification Disk Capacities 1.2 Supported and Non-Supported Adapters Rules for SSA Loops Cluster Planning RAID vs. Non-RAID RAID Technology RAID Level RAID Levels 2 RAID on the 7133 Disk Subsystem Advantages Subsystems Scsi DisksDisks Advantages Disadvantages Resource Planning Resource Group Options Cluster Planning Hot-Standby Configuration Shared LVM Components Rotating Standby Configuration Hot-Standby Configuration Mutual Takeover Configuration Mutual Takeover Configuration Third-Party Takeover Configuration Third-Party Takeover Configuration Concurrent Disk Access Configurations IP Address Takeover Network Topology Single Network Dual Network Point-to-Point Connection Network Attribute NetworksNetwork Name Adapter Function Network AdaptersAdapter Label Cluster Planning Defining Hardware Addresses NFS Exports and NFS Mounts Application Planning Performance Requirements Application Startup and Shutdown Routines Critical/Non-Critical Prioritizations Licensing MethodsCoexistence with other Applications Special Application Requirements Customization PlanningEvent Customization Event Notification Error Notification Predictive Event Error Correction Sample Screen for Add a Notification Method Notification Application Failure User ID Planning Cluster User and Group IDs User Home Directory Planning Cluster PasswordsHome Directories on Shared Volumes NFS-Mounted Home Directories NFS-Mounted Home Directories on Shared Volumes Cluster Hardware and Software Preparation Cluster Node SetupAdapter Slot Placement Rootvg Mirroring IBM Certification Study Guide AIX Hacmp Procedure This is so that the Quorum OFF functionality takes effect AIX Prerequisite LPPs Necessary Apar Fixes AIX Parameter Settings 4.1 I/O Pacing Checking Network Option Settings Cron and NIS Considerations Editing the /.rhosts File Network Connection and Testing Cabling Considerations Connecting Networks to a Hub IP Addresses and Subnets Testing Non TCP/IP Networks Configuring RS232 Configuring Target Mode Scsi Configuring Target Mode SSA Testing RS232 and Target Mode Networks Cabling Cluster Disk Setup1 SSA AIX Configuration Adapter Router Adapter Definitions Disk Definitions Diagnostics #lsdev -Cc disk grep SSA Upgrade Instructions Microcode Loading Cluster Hardware and Software Preparation Configuring a RAID on SSA Disks Scsi RAID Enclosures Connecting RAID SubsystemsScsi Adapters 110 RAIDiant Arrays Connected on Two Shared 8-Bit Scsi Buses Cluster Hardware and Software Preparation #2416 Adapter Scsi ID and Termination change Termination F1=Help F2=Refresh # chdev -l scsi1 -a id=6 -P Shared LVM Component Configuration Change/Show Characteristics of a Scsi Adapter Creating Non-Concurrent VGs Creating VGs for Concurrent AccessCreating Shared VGs Physical Volume Names Renaming a jfslog and Logical Volumes on the Source Node Creating Shared LVs and File Systems Adding Copies to Logical Volume on the Source Node Importing to Other Nodes Testing a File SystemMirroring Strategies Changing a Volume Group’s Startup Status Quorum Quorum at Vary On Quorum after Vary On Quorum EnabledQuorum Disabled Disabling and Enabling Quorum Alternate Method TaskGuide Quorum in Non-Concurrent Access ConfigurationsQuorum in Concurrent Access Configurations Forcing a Varyon Starting the TaskGuide IBM Certification Study Guide AIX Hacmp First Time Installs Hacmp Installation and Cluster DefinitionInstalling Hacmp Cluster.base.server.utils Cluster.hc Upgrading From a Previous Version Install Server NodesRebooting Servers Upgrade AIX on One Node Install Hacmp 4.3 for AIX on Node a Check Upgraded Configuration Client-only Migration Defining Cluster Topology Defining the Cluster Defining Nodes Defining Adapters Hacmp Installation and Cluster Definition Node Name Configuring Network Modules Adding or Changing Adapters after the Initial Configuration Synchronizing the Cluster Definition Across Nodes Ignore Cluster Configuring Resource Groups Defining Resources Configuring Resources for Resource Groups Service IP Label Configuring Run-Time Parameters Defining Application Servers Synchronizing Cluster Resources Initial TestingClverify Initial Startup Takeover and Reintegration Cluster Snapshot Applying a Cluster Snapshot Hacmp Installation and Cluster Definition IBM Certification Study Guide AIX Hacmp Cluster Customization Predefined Cluster Events Getdiskvgfs AcquireserviceaddrAcquiretakeoveraddr Nodeupremote Nodedownlocal ReleaseserviceaddrSequence of nodedown Events Nodedownremote Networkup StartserverNetwork Events Networkdown Networkupcomplete Network Adapter Events ConfigtoolongReconfigtopologystart Swapadapter Pre- and Post-Event Processing Event Recovery and RetryConfiguration Resources Cluster Events Change/Show Cluster Event Notification Event Emulator Network Modules/Topology Services and Group Services Creating Shared Volume Groups NFS considerations Cascading Takeover with Cross Mounted NFS File Systems Exporting NFS File SystemsNFS Mounting Creating NFS Mount Points on Clients Caveats about Node Names and NFS NFS Cross Mounts Cross Mounted NFS File Systems and the Network Lock Manager SLEEP=2 Done Device State Cluster TestingNode Verification 131 Network State System ParametersProcess State LVM State Cluster State Ethernet or Token Ring Interface Failure Simulate ErrorsAdapter Failure Switch Adapter Failure Ethernet or Token Ring Adapter or Cable Failure Failure of a 7133 Adapter Re-attach the cables CPU Failure Node Failure / ReintegrationAIX Crash Network Failure 2.3 TCP/IP Subsystem Failure Disk Failure Mirrored rootvg Disk hdisk0 Failure 4.2 7135 Disk Failure Mirrored 7133 Disk Failure Application Failure IBM Certification Study Guide AIX Hacmp 143 Cluster TroubleshootingCluster Log Files Configtoolong Daemons Deadman Switch Increase Amount of Memory for Communications Subsystem Tuning the System Using I/O PacingExtending the syncd Frequency Changing the Failure Detection Rate Node Isolation and Partitioned Clusters Dgsp Message User ID Problems Troubleshooting Strategy IBM Certification Study Guide AIX Hacmp 151 Cluster Management and AdministrationMonitoring the Cluster Clstat Command Monitoring Clusters using HAView 3.2 /tmp/hacmp.out System Error Log3.1 /var/adm/cluster.log 3.3 /usr/sbin/cluster/history/cluster.mmdd Starting and Stopping Hacmp on a Node or a Client Cluster Smux Peer daemon clsmuxpd Hacmp DaemonsCluster Manager daemon clstrmgr Cluster Lock Manager daemon cllockd Cluster Group Services daemon grpsvcsd Starting Cluster Services on a NodeCluster Topology Services daemon topsvcsd Cluster Information Program daemon clinfo Stopping Cluster Services on a Node Automatically Restarting Cluster Services Graceful When to Stop Cluster servicesTypes of Cluster Stops Forced Starting and Stopping Cluster Services on Clients Maintaining Cluster Information Services on Clients Adapters Replacing Failed ComponentsNodes 3.1 SSA/SCSI Disk Replacement RAID Disks Sync the volume group smit clsyncvg Manual Update Changing Shared LVM Components Lazy Update Spoc IBM Certification Study Guide AIX Hacmp TaskGuide Requirements TaskGuideChanging Cluster Resources 1 Add/Change/Remove Cluster Resources Synchronize Cluster Resources Dare Resource Migration Utility Non-Sticky Resource Migration Resource Migration TypesSticky Resource Migration Node Name Default LocationLocations Using the cldare Command to Migrate Resources Stop Location Using the clfindres Command Stopping Resource Groups Applying Software Maintenance to an Hacmp Cluster Fallover System a Rejoins Cluster Backup Strategies Split-Mirror Backups How to do a split-mirror backup Using Events to Schedule a Backup User Management Listing Users On All Cluster Nodes Adding User Accounts on all Cluster Nodes Changing Attributes of Users in a Cluster Removing Users from a Cluster Managing Group Accounts Spoc Log IBM Certification Study Guide AIX Hacmp Hardware Requirements Special RS/6000 SP TopicsHigh Availability Control Workstation Hacws 183 Configuring the Backup CWS Software Requirements Install High Availability Software Hacws Configuration Setup and Test Hacws Kerberos Security Ambrose Bierce, The Enlarged Devil’s Dictionary Configuring Kerberos Security with Hacmp Version VSDs RVSDs Virtual Shared Disk VSDs Special RS/6000 SP Topics Undefined Recoverable Virtual Shared Disk D e Z Rsvd Daemons SP Switch as an Hacmp Network Switch Basics Within Hacmp Switch Failures Eprimary Management Special RS/6000 SP Topics IBM Certification Study Guide AIX Hacmp Hacmp for AIX / Enhanced Scalability Hacmp Classic vs. HACMP/ES vs. HanfsHacmp for AIX Classic 199 IBM Risc System Cluster Technology Rsct Enhanced Cluster Security High Availability for Network File System for AIX Similarities and Differences Decision Criteria Hacmp Classic vs. HACMP/ES vs. Hanfs IBM Certification Study Guide AIX Hacmp Appendix A. Special Notices 205 SP1 Special Notices IBM Certification Study Guide AIX Hacmp Redbooks on CD-ROMs Appendix B. Related PublicationsInternational Technical Support Organization Publications 209 Other Publications 211 How to Get Itso RedbooksHow IBM Employees Can Get Itso Redbooks How Customers Can Get Itso Redbooks Ibmmail IBM Redbook Order Form 213 IBM Certification Study Guide AIX Hacmp List of Abbreviations 215 Netbios Index Symbols 217 HACMP/ES 219 NIS Vgda Vgsa Itso Redbook Evaluation 221 IBM Certification Study Guide AIX Hacmp SG24-5131-00