Enable cluster encryption

For more security you can make your cluster use encryption for inter-node communication, with no downtime. Without it, operations are allowed or rejected based only on IP address, hostname, and the cluster rhosts file, and C-SPOC operations are not encrypted, one of the important ones being password changes. Possibly an even better option would be to create an IPsec VPN tunnel between nodes, but I haven’t tested that.

Install rsct.crypt.3des from the expansion pack.

On all nodes:
Enable key distribution on all nodes.
<pre><code># /usr/es/sbin/cluster/utilities/clkeygen -e'Enabled'
0513-077 Subsystem has been changed.
0513-044 The clcomdES Subsystem was requested to stop.
0513-059 The clcomdES Subsystem has been started. Subsystem PID is 315598.
The key distribution was Enabled</code></pre>

On one node:
Generate and distribute a key
<pre><code># /usr/es/sbin/cluster/utilities/clkeygen -g'md5_3des' '-d'</code></pre>

Activate the key
<pre><code># /usr/es/sbin/cluster/utilities/clkeygen -kc</code></pre>

Set HACMP to use Message Authentication and Encryption
<pre><code># /usr/es/sbin/cluster/utilities/clchclstr -m 'md5_3des' -e

Cluster Name: test_cluster
Cluster Connection Authentication Mode: Standard
Cluster Message Authentication Mode: md5_3des
Cluster Message Encryption: Enabled
Use Persistent Labels for Communication: No</code></pre>

Synchronize the cluster – Done!
<pre><code># /usr/es/sbin/cluster/utilities/cldare -rtV normal</code></pre>

The key files are in /usr/es/sbin/cluster/etc, named key_md5_&lt;symmetric algorithm&gt;.

Keys can also be copied manually using scp if you don’t trust your network.
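The result of the steps above can be audited with the following shell check, added here as an example and not taken from the original post. It assumes the configuration listing format shown above and the key file name key_md5_3des for the md5_3des mode; both sample listings are constructed.

```sh
#!/bin/sh
# Added check, not part of the original post: verify the security settings
# of a cluster from the configuration listing that clchclstr prints
# (format as shown above) and confirm the key file exists with
# owner-only permissions. The sample listings below are constructed.

# Return 0 only if message authentication is set to a real mode and
# message encryption is Enabled.
check_cluster_security() {
    # $1: text of the cluster configuration listing
    auth=$(printf '%s\n' "$1" | sed -n 's/^Cluster Message Authentication Mode: *//p')
    enc=$(printf '%s\n' "$1" | sed -n 's/^Cluster Message Encryption: *//p')
    [ -n "$auth" ] && [ "$auth" != "None" ] && [ "$enc" = "Enabled" ]
}

# Return 0 only if the key file for the given mode (e.g. md5_3des, stored as
# key_md5_3des) exists and is not readable or writable by group/other.
check_key_file() {
    # $1: key directory (normally /usr/es/sbin/cluster/etc), $2: mode name
    keyfile="$1/key_$2"
    [ -f "$keyfile" ] || return 1
    # Characters 5-10 of ls -l output are the group and other permission bits.
    perms=$(ls -l "$keyfile" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Constructed sample: the listing printed after the clchclstr step above.
SAMPLE_OK='Cluster Name: test_cluster
Cluster Connection Authentication Mode: Standard
Cluster Message Authentication Mode: md5_3des
Cluster Message Encryption: Enabled
Use Persistent Labels for Communication: No'

# Constructed sample of a cluster still on the unencrypted defaults.
SAMPLE_WEAK='Cluster Name: test_cluster
Cluster Connection Authentication Mode: Standard
Cluster Message Authentication Mode: None
Cluster Message Encryption: Disabled
Use Persistent Labels for Communication: No'

if check_cluster_security "$SAMPLE_OK"; then echo "sample_ok: encrypted"; fi
if ! check_cluster_security "$SAMPLE_WEAK"; then echo "sample_weak: NOT encrypted"; fi
```

Run check_key_file against /usr/es/sbin/cluster/etc on each node after the cldare sync to confirm the distributed key is present everywhere and not world-readable.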
