Enhanced Cluster Security | IBM SG24-5131-00 guide

See Part 4 of HACMP for AIX, Version 4.3: Enhanced Scalability Installation and Administration Guide, SC23-4284, for more information on these services.

10.2.2 Enhanced Cluster Security

With HACMP Version 4.3 comes an option to switch security Mode between Standard and Enhanced.

Standard Synchronization is done through the /.rhosts remote command facilities. To avoid the compromised security that the presence of this file presents, the administrator is strongly encouraged to remove these files after the synchronization/verification is done.

Enhanced Kerberos authentication is used for remote commands. That means the kerberos daemons can decide whether a remote host is who they claim to be. This is done by granting access on the basis of tickets, which are provided only to those hosts having the correct identification.

10.3 High Availability for Network File System for AIX

The HANFS for AIX software provides a reliable NFS server capability by allowing a backup processor to recover current NFS activity should the primary NFS server fail.

The HANFS for AIX software supports only two nodes in a cluster.

HANFS for AIX is based on High Availability Cluster Multi-Processing for AIX, Version 4.3 (HACMP for AIX Classic) product architecture, which ensures that critical resources, configured as part of a cluster, are highly available for processing. The HANFS for AIX software extends HACMP for AIX by taking advantage of AIX extensions to the standard NFS functionality that enable it to handle duplicate requests correctly and restore lock state during NFS server failover and reintegration.

Note

A cluster cannot be mixed, that is, have some nodes running the HANFS for AIX software and other nodes running the HACMP for AIX software. A single cluster must either have all nodes running the HANFS for AIX software or all nodes running the HACMP for AIX software. Distinct HANFS and HACMP clusters, however, are allowed on the same physical network.

HACMP Classic vs. HACMP/ES vs. HANFS 201

Image 219

IBM SG24-5131-00 manual Enhanced Cluster Security, High Availability for Network File System for AIX

Contents

AIX Hacmp Page AIX Hacmp Take Note Contents Iv IBM Certification Study Guide AIX Hacmp Page Vi IBM Certification Study Guide AIX Hacmp Vii Appendix A. Special Notices Viii IBM Certification Study Guide AIX Hacmp Figures IBM Certification Study Guide AIX Hacmp Tables Xii IBM Certification Study Guide AIX Hacmp Xiii Preface Team That Wrote This Redbook Your comments are important to us Comments Welcome Xvi IBM Certification Study Guide AIX Hacmp Recommended Prerequisites Certification OverviewIBM Certified Specialist AIX Hacmp Certification Requirement two Tests Preinstallation Certification Exam ObjectivesHacmp Implementation System Management Certification Education Courses Following table outlines information about the next course IBM Certification Study Guide AIX Hacmp Cluster Planning Cluster NodesCPU Options Cluster Node Considerations Cluster Planning Switch adapter is onboard and does not need an extra slot Cluster Networks 1 TCP/IP NetworksSupported TCP/IP Network Types Special Network Considerations Slip Socc Cluster Planning Supported Non-TCP/IP Network Types Non-TCPIP Networks Serial RS232 Special Considerations Target-mode SSA Cluster DisksSSA Disks Target-mode Scsi Host Specification 1.2 Supported and Non-Supported Adapters Disk Capacities Rules for SSA Loops Cluster Planning RAID Level RAID vs. Non-RAID RAID Technology RAID Levels 2 RAID on the 7133 Disk Subsystem Advantages Scsi Disks DisksSubsystems Advantages Disadvantages Resource Group Options Resource Planning Cluster Planning Shared LVM Components Hot-Standby Configuration Hot-Standby Configuration Rotating Standby Configuration Mutual Takeover Configuration Mutual Takeover Configuration Third-Party Takeover Configuration Third-Party Takeover Configuration IP Address Takeover Concurrent Disk Access Configurations Single Network Network Topology Point-to-Point Connection Dual Network Networks Network NameNetwork Attribute Network Adapters Adapter LabelAdapter Function Cluster Planning Defining Hardware Addresses Application Planning NFS Exports and NFS Mounts Application Startup and Shutdown Routines Performance Requirements Licensing Methods Coexistence with other ApplicationsCritical/Non-Critical Prioritizations Event Notification Customization PlanningEvent Customization Special Application Requirements Predictive Event Error Correction Error Notification Sample Screen for Add a Notification Method Application Failure Notification Cluster User and Group IDs User ID Planning NFS-Mounted Home Directories Cluster PasswordsHome Directories on Shared Volumes User Home Directory Planning NFS-Mounted Home Directories on Shared Volumes Rootvg Mirroring Cluster Node SetupAdapter Slot Placement Cluster Hardware and Software Preparation IBM Certification Study Guide AIX Hacmp Procedure This is so that the Quorum OFF functionality takes effect Necessary Apar Fixes AIX Prerequisite LPPs 4.1 I/O Pacing AIX Parameter Settings Checking Network Option Settings Cron and NIS Considerations Editing the /.rhosts File Cabling Considerations Network Connection and Testing IP Addresses and Subnets Connecting Networks to a Hub Testing Non TCP/IP Networks Configuring Target Mode Scsi Configuring RS232 Testing RS232 and Target Mode Networks Configuring Target Mode SSA Cluster Disk Setup 1 SSACabling Adapter Router AIX Configuration Disk Definitions Adapter Definitions #lsdev -Cc disk grep SSA Diagnostics Microcode Loading Upgrade Instructions Cluster Hardware and Software Preparation Scsi Configuring a RAID on SSA Disks Connecting RAID Subsystems Scsi AdaptersRAID Enclosures 110 RAIDiant Arrays Connected on Two Shared 8-Bit Scsi Buses Cluster Hardware and Software Preparation #2416 Adapter Scsi ID and Termination change Termination F1=Help F2=Refresh # chdev -l scsi1 -a id=6 -P Change/Show Characteristics of a Scsi Adapter Shared LVM Component Configuration Creating VGs for Concurrent Access Creating Shared VGsCreating Non-Concurrent VGs Physical Volume Names Creating Shared LVs and File Systems Renaming a jfslog and Logical Volumes on the Source Node Adding Copies to Logical Volume on the Source Node Testing a File System Mirroring StrategiesImporting to Other Nodes Changing a Volume Group’s Startup Status Quorum at Vary On Quorum Disabling and Enabling Quorum Quorum EnabledQuorum Disabled Quorum after Vary On Forcing a Varyon Quorum in Non-Concurrent Access ConfigurationsQuorum in Concurrent Access Configurations Alternate Method TaskGuide Starting the TaskGuide IBM Certification Study Guide AIX Hacmp Hacmp Installation and Cluster Definition Installing HacmpFirst Time Installs Cluster.base.server.utils Cluster.hc Install Server Nodes Rebooting ServersUpgrading From a Previous Version Upgrade AIX on One Node Check Upgraded Configuration Install Hacmp 4.3 for AIX on Node a Client-only Migration Defining Cluster Topology Defining Nodes Defining the Cluster Defining Adapters Hacmp Installation and Cluster Definition Node Name Adding or Changing Adapters after the Initial Configuration Configuring Network Modules Synchronizing the Cluster Definition Across Nodes Ignore Cluster Defining Resources Configuring Resource Groups Service IP Label Configuring Resources for Resource Groups Defining Application Servers Configuring Run-Time Parameters Initial Testing ClverifySynchronizing Cluster Resources Takeover and Reintegration Initial Startup Cluster Snapshot Applying a Cluster Snapshot Hacmp Installation and Cluster Definition IBM Certification Study Guide AIX Hacmp Predefined Cluster Events Cluster Customization Nodeupremote AcquireserviceaddrAcquiretakeoveraddr Getdiskvgfs Nodedownremote ReleaseserviceaddrSequence of nodedown Events Nodedownlocal Networkupcomplete StartserverNetwork Events Networkdown Networkup Swapadapter ConfigtoolongReconfigtopologystart Network Adapter Events Event Notification Event Recovery and RetryConfiguration Resources Cluster Events Change/Show Cluster Pre- and Post-Event Processing Event Emulator Network Modules/Topology Services and Group Services NFS considerations Creating Shared Volume Groups Creating NFS Mount Points on Clients Exporting NFS File SystemsNFS Mounting Cascading Takeover with Cross Mounted NFS File Systems NFS Cross Mounts Caveats about Node Names and NFS Cross Mounted NFS File Systems and the Network Lock Manager SLEEP=2 Done 131 Cluster TestingNode Verification Device State System Parameters Process StateNetwork State Cluster State LVM State Simulate Errors Adapter FailureEthernet or Token Ring Interface Failure Ethernet or Token Ring Adapter or Cable Failure Switch Adapter Failure Re-attach the cables Failure of a 7133 Adapter Node Failure / Reintegration AIX CrashCPU Failure 2.3 TCP/IP Subsystem Failure Network Failure Mirrored rootvg Disk hdisk0 Failure Disk Failure Mirrored 7133 Disk Failure 4.2 7135 Disk Failure Application Failure IBM Certification Study Guide AIX Hacmp Cluster Troubleshooting Cluster Log Files143 Daemons Configtoolong Deadman Switch Tuning the System Using I/O Pacing Extending the syncd FrequencyIncrease Amount of Memory for Communications Subsystem Node Isolation and Partitioned Clusters Changing the Failure Detection Rate Dgsp Message Troubleshooting Strategy User ID Problems IBM Certification Study Guide AIX Hacmp Cluster Management and Administration Monitoring the Cluster151 Monitoring Clusters using HAView Clstat Command 3.3 /usr/sbin/cluster/history/cluster.mmdd System Error Log3.1 /var/adm/cluster.log 3.2 /tmp/hacmp.out Starting and Stopping Hacmp on a Node or a Client Cluster Lock Manager daemon cllockd Hacmp DaemonsCluster Manager daemon clstrmgr Cluster Smux Peer daemon clsmuxpd Cluster Information Program daemon clinfo Starting Cluster Services on a NodeCluster Topology Services daemon topsvcsd Cluster Group Services daemon grpsvcsd Automatically Restarting Cluster Services Stopping Cluster Services on a Node Forced When to Stop Cluster servicesTypes of Cluster Stops Graceful Maintaining Cluster Information Services on Clients Starting and Stopping Cluster Services on Clients Replacing Failed Components NodesAdapters Disks 3.1 SSA/SCSI Disk Replacement RAID Sync the volume group smit clsyncvg Changing Shared LVM Components Manual Update Lazy Update Spoc IBM Certification Study Guide AIX Hacmp TaskGuide Changing Cluster ResourcesTaskGuide Requirements Synchronize Cluster Resources 1 Add/Change/Remove Cluster Resources Dare Resource Migration Utility Resource Migration Types Sticky Resource MigrationNon-Sticky Resource Migration Default Location LocationsNode Name Stop Location Using the cldare Command to Migrate Resources Stopping Resource Groups Using the clfindres Command Applying Software Maintenance to an Hacmp Cluster Fallover System a Rejoins Cluster Split-Mirror Backups Backup Strategies How to do a split-mirror backup User Management Using Events to Schedule a Backup Adding User Accounts on all Cluster Nodes Listing Users On All Cluster Nodes Removing Users from a Cluster Changing Attributes of Users in a Cluster Spoc Log Managing Group Accounts IBM Certification Study Guide AIX Hacmp 183 Special RS/6000 SP TopicsHigh Availability Control Workstation Hacws Hardware Requirements Software Requirements Configuring the Backup CWS Hacws Configuration Install High Availability Software Setup and Test Hacws Kerberos Security Ambrose Bierce, The Enlarged Devil’s Dictionary Configuring Kerberos Security with Hacmp Version Virtual Shared Disk VSDs VSDs RVSDs Special RS/6000 SP Topics Undefined D e Z Recoverable Virtual Shared Disk Rsvd Daemons Switch Basics Within Hacmp SP Switch as an Hacmp Network Eprimary Management Switch Failures Special RS/6000 SP Topics IBM Certification Study Guide AIX Hacmp 199 Hacmp Classic vs. HACMP/ES vs. HanfsHacmp for AIX Classic Hacmp for AIX / Enhanced Scalability IBM Risc System Cluster Technology Rsct High Availability for Network File System for AIX Enhanced Cluster Security Decision Criteria Similarities and Differences Hacmp Classic vs. HACMP/ES vs. Hanfs IBM Certification Study Guide AIX Hacmp 205 Appendix A. Special Notices SP1 Special Notices IBM Certification Study Guide AIX Hacmp 209 Appendix B. Related PublicationsInternational Technical Support Organization Publications Redbooks on CD-ROMs Other Publications How to Get Itso Redbooks How IBM Employees Can Get Itso Redbooks211 Ibmmail How Customers Can Get Itso Redbooks 213 IBM Redbook Order Form IBM Certification Study Guide AIX Hacmp 215 List of Abbreviations Netbios 217 Index Symbols HACMP/ES NIS 219 Vgda Vgsa 221 Itso Redbook Evaluation IBM Certification Study Guide AIX Hacmp SG24-5131-00