Sun Cluster Geographic Edition System Administration Guide

Chapter 4 Administering Access and Security

This chapter describes how to administer access and security. It contains the following sections:

Sun Cluster Geographic Edition Software and RBAC

This section describes role-based access control (RBAC) in Sun Cluster Geographic Edition software. It contains the following sections:

Setting Up and Using RBAC

Sun Cluster Geographic Edition software bases its RBAC profiles on the RBAC rights profiles that are used in the Sun Cluster software. For general information about setting up and using RBAC with Sun Cluster software, refer to Chapter 2, Sun Cluster and RBAC, in Sun Cluster System Administration Guide for Solaris OS.

Sun Cluster Geographic Edition software adds the following new RBAC entities to the appropriate file in the /etc/security directory:


Note –

The default search order for the auth_attr and prof_attr databases is files nis, which is defined in the /etc/nsswitch.conf file. If you have customized the search order in your environment, confirm that files is in the search list. Including files in the search list enables your system to find the RBAC entries that Sun Cluster Geographic Edition defined.


RBAC Rights Profiles

The Sun Cluster Geographic Edition CLI and GUI use RBAC rights to control end-user access to operations. The general conventions for these rights are described in Table 4–1.

Table 4–1 Sun Cluster Geographic Edition RBAC Rights Profiles

| Rights Profile | Included Authorizations | Role Identity Permission |
|---|---|---|
| Geo Management | solaris.cluster.geo.read | Read information about the Sun Cluster Geographic Edition entities |
| | solaris.cluster.geo.admin | Perform administrative tasks with the Sun Cluster Geographic Edition software |
| | solaris.cluster.geo.modify | Modify the configuration of the Sun Cluster Geographic Edition software |
| Basic Solaris User | Solaris authorizations | Perform the same operations that the Basic Solaris User role identity can perform |
| | solaris.cluster.geo.read | Read information about the Sun Cluster Geographic Edition entities |

Modifying a User's RBAC Properties

To modify the RBAC rights for a user, you must be logged in as the root user or assume a role that is assigned the Primary Administrator rights profile.

For example, you can assign the Geo Management RBAC profile to the user admin as follows:


# usermod -P "Geo Management" admin
# profiles admin
Geo Management
Basic Solaris User
#

For more information about how to modify the RBAC properties for a user, refer to Chapter 2, Sun Cluster and RBAC, in Sun Cluster System Administration Guide for Solaris OS.

Configuring Secure Cluster Communication Using Security Certificates

You must configure the Sun Cluster Geographic Edition software for secure communication between partner clusters. The configuration must be reciprocal, so cluster cluster-paris must be configured to trust its partner cluster cluster-newyork, and cluster cluster-newyork must be configured to trust its partner cluster cluster-paris.

If you are using the GUI to administer the Sun Cluster Geographic Edition software, the root password must be the same on all nodes of both partner clusters.

For information about setting up security certificates for partner clusters, see Configuring Trust Between Partner Clusters.

For information about the example cluster configuration, see Example Sun Cluster Geographic Edition Cluster Configuration.

Configuring Secure Cluster Communication Using IPsec

You can use IP Security Architecture (IPsec) to configure secure communication between partner clusters. IPsec enables you to set policies that permit or require either secure datagram authentication, or actual data encryption, or both, between machines communicating by using IP. Consider using IPsec for the following cluster communications:

Sun Cluster software and Sun Cluster Geographic Edition software support IPsec by using only manual keys. Keys must be stored manually on the cluster nodes for each combination of server and client IP address. The keys must also be stored manually on each client.

Refer to the System Administration Guide: IP Services for a full description of IPsec configuration parameters.

Procedure: How to Configure IPsec for Secure Cluster Communication

In the Sun Cluster Geographic Edition infrastructure, the hostname of a logical host is identical to the cluster name. The logical hostname is a special HA resource. You must set up a number of IP addresses for various Sun Cluster Geographic Edition components, depending on your cluster configuration.

On each partner cluster, you must configure encryption and authentication for exchanging inbound and outbound packets from a physical node to the logical-hostname addresses. The values for the IPsec configuration parameters on these addresses must be consistent between partner clusters.

IPsec uses two configuration files:

The following procedure configures a cluster, cluster-paris, for IPsec secure communication with another cluster, cluster-newyork. Both clusters are running the Solaris OS 9 release. The procedure assumes that the local logical hostname on cluster-paris is lh-paris-1 and that the remote logical hostname is lh-newyork-1. Inbound messages are sent to lh-paris-1 and outbound messages are sent to lh-newyork-1.

Use the following procedure on each node of cluster-paris.

  1. Log in to the first node of the primary cluster, phys-paris-1, as superuser.

    For a reminder of which node is phys-paris-1, see Example Sun Cluster Geographic Edition Cluster Configuration.

  2. Set up an entry for the local address and remote address in the IPsec policy file.

    The policy file is located at /etc/inet/ipsecinit.conf. Permissions on this file should be 644. For more information about this file, see the ipsecconf(1M) man page.

    For information about the names and values that are supported by Sun Cluster Geographic Edition software, see Appendix B, Legal Names and Values of Sun Cluster Geographic Edition Entities.

    1. Configure the communication policy.

      The default port for the tcp_udp plug-in is 2084. You can specify this value in the etc/cacao/instances/default/modules/com.sun.cluster.geocontrol.xml file.

      The following command configures a policy with no preference for authentication or encryption algorithms.


      # {raddr lh-newyork-1 rport 2084} ipsec {auth_algs any encr_algs any \
      sa shared} {laddr lh-paris-1 lport 2084} ipsec {auth_algs any encr_algs \
      any sa shared}
      

      When you configure the communication policy on the secondary cluster, cluster-newyork, you must reverse the policies.


      # {laddr lh-newyork-1 lport 2084} ipsec {auth_algs any encr_algs \
      any sa shared} {raddr lh-paris-1 rport 2084} ipsec {auth_algs any encr_algs \
      any sa shared}
      
    2. Add the policy by rebooting the node or by running the following command.


      # ipsecconf -a /etc/inet/ipsecinit.conf
      
  3. Set up encryption and authentication keys for inbound and outbound communication.

    The communication file is located at /etc/inet/secret/ipseckeys. Permissions on the file should be 600.

    Add keys:


    # ipseckey -f /etc/inet/secret/ipseckeys
    

    Key entries have the following general format:


    # inbound to cluster-paris
    add esp spi paris-encr-spi dst lh-paris-1 encr_alg paris-encr-algorithm \
    encrkey paris-encrkey-value
    add ah spi newyork-auth-spi dst lh-paris-1 auth_alg paris-auth-algorithm \
    authkey paris-authkey-value
    
    # outbound to cluster-newyork
    add esp spi newyork-encr-spi dst lh-newyork-1 encr_alg newyork-encr-algorithm \
    encrkey newyork-encrkey-value
    add ah spi newyork-auth-spi dst lh-newyork-1 auth_alg newyork-auth-algorithm \
    authkey newyork-authkey-value
    

    For more information about the communication files, see the ipsecconf(1M) man page.
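
The following shell functions are an added example, not part of the original guide: they check the file modes named in this procedure and compare the key entries in two partner clusters' key files without printing key material. The file names, SPIs, algorithms and keys are constructed samples, and mode_ok, sa_list and sa_diff are hypothetical helper names.

```shell
#!/bin/sh
# Added example; every SPI, algorithm and key below is a constructed sample.

# True if $1 is a regular file whose mode is exactly $2 (for example 600).
mode_ok() {
    [ -n "$(find "$1" -prune -type f -perm "$2" 2>/dev/null)" ]
}

# Emit one sorted "proto spi dst alg key" line per "add" entry, after
# joining "\" continuation lines and skipping comment lines.
sa_list() {
    awk '
        /^[ \t]*#/ { next }
        { sub(/[ \t]+$/, "") }
        /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }
        { n = split(buf $0, t); buf = ""
          if (t[1] != "add") next
          spi = dst = alg = key = "-"
          for (i = 3; i < n; i += 2) {
              if (t[i] == "spi") spi = t[i+1]
              else if (t[i] == "dst") dst = t[i+1]
              else if (t[i] ~ /_alg$/) alg = t[i+1]
              else if (t[i] ~ /key$/) key = t[i+1]
          }
          print t[2], spi, dst, alg, key }' "$1" | LC_ALL=C sort
}

# Print "proto spi dst" for each SA that is not identical in both files.
# Keys are compared but never printed.
sa_diff() {
    _a=$(mktemp) && _b=$(mktemp) || return 2
    sa_list "$1" > "$_a"; sa_list "$2" > "$_b"
    LC_ALL=C comm -3 "$_a" "$_b" | awk '{ print $1, $2, $3 }' | LC_ALL=C sort -u
    rm -f "$_a" "$_b"
}

demo=$(mktemp -d)
cat > "$demo/paris.keys" <<'EOF'
# inbound to cluster-paris
add esp spi 0x101 dst lh-paris-1 encr_alg aes \
    encrkey 00112233445566778899aabbccddeeff
add ah spi 0x102 dst lh-paris-1 auth_alg sha1 \
    authkey 000102030405060708090a0b0c0d0e0f10111213
EOF
# Partner copy with the AH key mistyped and the file left world-readable.
sed 's/10111213$/10111214/' "$demo/paris.keys" > "$demo/newyork.keys"
chmod 600 "$demo/paris.keys"; chmod 644 "$demo/newyork.keys"

mode_ok "$demo/newyork.keys" 600 || echo "newyork.keys: mode is not 600"
sa_diff "$demo/paris.keys" "$demo/newyork.keys"   # prints: ah 0x102 lh-paris-1
```

An empty result from sa_diff means every key entry matches on both sides; any line it prints names an entry whose algorithm or key differs, or that exists on only one cluster.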