Sun Cluster System Administration Guide for Solaris OS

ProcedureHow to Regenerate Common Agent Container Security Keys

Sun Cluster Manager uses strong encryption techniques to ensure secure communication between the Sun Cluster Manager web server and each cluster node.

The keys that Sun Cluster Manager uses are stored under the /etc/opt/SUNWcacao/security directory on each node. They should be identical across all cluster nodes.

Under normal operation, these keys can be left in their default configuration. If you change the hostname of a cluster node, you must regenerate the common agent container security keys. You might also need to regenerate the keys because a possible key compromise (for example, root compromise on the machine). To regenerate the security keys, use the following procedure.

  1. On all cluster nodes, stop the common agent container management daemon.


    # /opt/bin/cacaoadm stop
    
  2. On one node of the cluster, regenerate the security keys.


    phys-schost-1# /opt/bin/cacaoadm create-keys --force
    
  3. Restart the common agent container management daemon on the node on which you regenerated the security keys.


    phys-schost-1# /opt/bin/cacaoadm start
    
  4. Create a tar file of the /etc/cacao/instances/default directory.


    phys-schost-1# cd /etc/cacao/instances/default
    phys-schost-1# tar cf /tmp/SECURITY.tar security
    
  5. Copy the /tmp/Security.tar file to each of the cluster nodes.

  6. On each node to which you copied the/tmp/SECURITY.tar file, extract the security files.

    Any security files that already exist in the /etc/opt/SUNWcacao/ directory are overwritten.


    phys-schost-2# cd /etc/cacao/instances/default
    phys-schost-2# tar xf /tmp/SECURITY.tar
    
  7. Delete the /tmp/SECURITY.tar file from each node in the cluster.

    You must delete each copy of the tar file to avoid security risks.


    phys-schost-1# rm /tmp/SECURITY.tar
    
    phys-schost-2# rm /tmp/SECURITY.tar
    
  8. On all nodes, restart the common agent container management daemon.


    phys-schost-1# /opt/bin/cacaoadm start
  9. Restart Sun Cluster Manager.


    # /usr/sbin/smcwebserver restart