For more security, you can make your cluster encrypt inter-node communication, with no downtime. Otherwise operations are allowed or rejected based on IP address, hostname, and the cluster rhosts file. C-SPOC operations are also not encrypted, password changes being one of the important ones. Possibly an even better option would be to create an IPsec VPN tunnel between nodes, but I haven’t tested that.
Install rsct.crypt.3des from the expansion pack.
On all nodes:
Enable key distribution on all nodes.
<pre><code># /usr/es/sbin/cluster/utilities/clkeygen -e'Enabled'
0513-077 Subsystem has been changed.
0513-044 The clcomdES Subsystem was requested to stop.
0513-059 The clcomdES Subsystem has been started. Subsystem PID is 315598.
The key distribution was Enabled</code></pre>
On one node:
Generate and distribute a key
<pre><code># /usr/es/sbin/cluster/utilities/clkeygen -g'md5_3des' '-d'</code></pre>
Activate the key
<pre><code># /usr/es/sbin/cluster/utilities/clkeygen -kc</code></pre>
Set HACMP to use Message Authentication and Encryption
<pre><code># /usr/es/sbin/cluster/utilities/clchclstr -m 'md5_3des' -e
Cluster Name: test_cluster
Cluster Connection Authentication Mode: Standard
Cluster Message Authentication Mode: md5_3des
Cluster Message Encryption: Enabled
Use Persistent Labels for Communication: No</code></pre>
Synchronize the cluster – Done!
<pre><code># /usr/es/sbin/cluster/utilities/cldare -rtV normal</code></pre>
The key files are in /usr/es/sbin/cluster/etc, named key_md5_<symmetric algorithm>.
Keys can also be copied manually using scp if you don’t trust your network.
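A post-change check for the procedure above, as an added example that is not from the original post or from HACMP: it reads the settings text that clchclstr prints and checks the permissions of a key file. The function names, the embedded sample text (copied from the output shown above), the key file name in the last comment (built from the naming pattern given above) and the policy that the key file must grant nothing to group or other are assumptions.

```sh
#!/bin/sh
# Added example: audit helpers for the procedure above (not HACMP tooling).

# check_cluster_security EXPECTED_MODE < settings-text
# Reads the settings block printed by clchclstr (layout as shown above) and
# returns 0 only if the message authentication mode equals EXPECTED_MODE
# and message encryption is Enabled.
check_cluster_security() {
    awk -F': *' -v want="$1" '
        { sub(/[ \t\r]+$/, "") }    # trim trailing blanks / CR
        /^Cluster Message Authentication Mode:/ { auth = $2 }
        /^Cluster Message Encryption:/          { enc = $2 }
        END {
            if (auth != want) {
                print "FAIL: authentication mode \"" auth "\", expected \"" want "\""
                bad = 1
            }
            if (enc != "Enabled") {
                print "FAIL: message encryption is \"" enc "\""
                bad = 1
            }
            if (!bad) print "OK: " auth ", encryption " enc
            exit (bad ? 1 : 0)
        }'
}

# check_key_file PATH
# Returns 0 only if the key file exists, is non-empty and grants nothing to
# group or other (assumed policy for a shared symmetric key).
check_key_file() {
    [ -s "$1" ] || { echo "FAIL: $1 missing or empty"; return 1; }
    perms=$(ls -ld "$1" | cut -c5-10)    # group and other permission bits
    [ "$perms" = "------" ] || { echo "FAIL: $1 open to group/other ($perms)"; return 1; }
    echo "OK: $1"
}

# Sample input, copied from the clchclstr output shown on this page.
sample_settings() {
    cat <<'EOF'
Cluster Name: test_cluster
Cluster Connection Authentication Mode: Standard
Cluster Message Authentication Mode: md5_3des
Cluster Message Encryption: Enabled
Use Persistent Labels for Communication: No
EOF
}

sample_settings | check_cluster_security md5_3des
# On a node: check_key_file /usr/es/sbin/cluster/etc/key_md5_3des
```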