Sun Cluster Geographic Edition Installation Guide

Configuring Security

You must configure the Sun Cluster Geographic Edition software for secure management communication between partner clusters. The configuration must be reciprocal. For example, each node in cluster cluster-paris must be configured to trust each node in cluster cluster-newyork.

For an example of a cluster configuration, see Example Cluster Configuration in Sun Cluster Geographic Edition System Administration Guide.

Trusted host certificates for the partner must be configured on every node of the cluster, because any node in the cluster can host the Sun Cluster Geographic Edition infrastructure resource groups and the logical hostname for inter-cluster communication.

Use the /usr/j2se/bin/keytool command to configure trusted host certificates.

Procedure: How to Install Certificates on Partner Clusters

This procedure refers to nodes phys-paris-1 and phys-paris-2 on cluster cluster-paris and nodes phys-newyork-1 and phys-newyork-2 on cluster cluster-newyork.

Before You Begin

Ensure that you have the following Network Security Services software packages installed:

Steps
  1. On one node of each cluster, phys-paris-1 on cluster cluster-paris and phys-newyork-1 on cluster cluster-newyork, complete the following tasks:

    1. Log in to one node of the cluster as root.

    2. Stop the common agent carrier.


      # /opt/SUNWcacao/bin/cacaoadm stop
    3. Regenerate the JSSE/NSS keys and certificates.

      This procedure creates a file named /etc/opt/SUNWcacao/security/nss/localca/localca.cert. The localca.cert file is used as temporary storage while the key is read.


      # /opt/SUNWcacao/bin/cacaoadm create-keys

    To delete all other keys in the local truststore, use the --force option. If you use the --force option, you must add those keys again after you have completed this procedure.

    You can use the --directory option to generate this file in a different directory from the default security directory if you want to avoid overwriting keys. However, the common agent carrier only uses keys from the default directory, so you will later need to add the keys you generate to the file in the default directory.

    After a cluster has been configured, do not run the create-keys --force command again; otherwise, the certificates you previously configured are lost.

    For more information about regenerating common agent carrier keys and certificates, refer to How to Configure a New Security Certificate in Sun Cluster System Administration Guide for Solaris OS.

  2. Exchange local certificate authority between nodes phys-paris-1 and phys-newyork-1.

    1. Change the directory to the certificate directory on node phys-paris-1.


      phys-paris-1# cd /etc/opt/SUNWcacao/security/nss/localca
    2. Copy the certificate file localca.cert from node phys-paris-1 to node phys-newyork-1.

      This procedure renames the localca.cert file to localca.cert.cluster-paris as a reminder of which cluster the file comes from.


      phys-paris-1# rcp localca.cert \
      phys-newyork-1:/etc/opt/SUNWcacao/security/jsse/localca.cert.cluster-paris
    3. Change to the directory on the node phys-newyork-1 where you copied the file.


      phys-newyork-1# cd /etc/opt/SUNWcacao/security/jsse
    4. Import the certificates from the localca.cert.cluster-paris file into the local keystore on node phys-newyork-1.

      This procedure loads the public key from cluster-paris into the phys-newyork-1 node of cluster-newyork.


      Note –

      To perform this procedure, you must be in the /etc/opt/SUNWcacao/security/jsse directory.



      phys-newyork-1# keytool -import -v -alias cluster-paris -keystore truststore \
      -file localca.cert.cluster-paris

      The truststore parameter in the keytool command is a file that is located in the directory where you copied the file. The -alias option specifies the cluster name of the remote cluster where the certificate was generated.

      Type trustpass when asked for the keystore password. The trustpass password is the nonsecret password that the common agent carrier provides. The truststore parameter holds the public keys of the public and private pairs, so absolute secrecy is not required.

      Type yes when asked whether to trust the certificate.

    5. Verify that the certificate was correctly added to the keystore.


      phys-newyork-1# keytool -list -v -keystore truststore
  3. Exchange local certificate authority between nodes phys-newyork-1 and phys-paris-1.

    1. Change the directory to the certificate directory on node phys-newyork-1.


      phys-newyork-1# cd /etc/opt/SUNWcacao/security/nss/localca

      The certificate to be imported is in a file called localca.cert.

    2. Copy the certificate file from node phys-newyork-1 to node phys-paris-1.

      This procedure renames localca.cert to localca.cert.cluster-newyork as a reminder of which cluster the file comes from.


      # rcp localca.cert \
      phys-paris-1:/etc/opt/SUNWcacao/security/jsse/localca.cert.cluster-newyork
    3. Change to the directory on node phys-paris-1 where you copied the file.


      phys-paris-1# cd /etc/opt/SUNWcacao/security/jsse
    4. Import the certificate into the local keystore on node phys-paris-1.


      Note –

      To perform this procedure, you must be in the /etc/opt/SUNWcacao/security/jsse directory.



      phys-paris-1# keytool -import -v -alias cluster-newyork -keystore truststore \
      -file localca.cert.cluster-newyork

      The truststore parameter in the keytool command is a file that is located in the directory where you copied the file. The -alias option specifies the cluster name of the remote cluster where the certificate was generated.

      Type trustpass when asked for the keystore password. The trustpass password is the nonsecret password that the common agent carrier provides. The truststore parameter holds the public keys of the public and private pairs, so absolute secrecy is not required.

      Type yes when asked whether to trust the certificate.

    5. Verify that the certificate was correctly added to the keystore.


      phys-paris-1# keytool -list -v -keystore truststore
  4. On each node of cluster cluster-paris except node phys-paris-1, copy the /etc/opt/SUNWcacao/security/ directory and all of its subdirectories from node phys-paris-1 into the /etc/opt/SUNWcacao/ directory.


    phys-paris-2# cd /etc/opt/SUNWcacao
    phys-paris-2# rcp -r phys-paris-1:/etc/opt/SUNWcacao/security .
  5. On each node of cluster cluster-newyork except node phys-newyork-1, copy the /etc/opt/SUNWcacao/security directory and all of its subdirectories from node phys-newyork-1 into the /etc/opt/SUNWcacao/ directory, so that they are placed at /etc/opt/SUNWcacao/security.


    phys-newyork-2# cd /etc/opt/SUNWcacao
    phys-newyork-2# rcp -r phys-newyork-1:/etc/opt/SUNWcacao/security .
  6. On each node of each cluster verify that the certificates have been correctly added.


    Note –

    After you copy the security directory, the output of the keytool list command on all nodes of one cluster shows the same values for the local and remote keys. All nodes of the remote cluster show the same values, but the local and remote tags are interchanged.



    # cd /etc/opt/SUNWcacao/security/jsse
    # keytool -list -v -keystore truststore
  7. Restart the common agent carrier on each node of each cluster.


    # /opt/SUNWcacao/bin/cacaoadm start
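The verification in step 6 is easy to do by eye on two nodes and easy to get wrong on more: a node whose security directory was not refreshed after a create-keys --force on the partner still lists the partner alias, but with a different fingerprint, and the common agent carrier on that node will then reject the partner. The following script is an added example (not part of this guide or the Sun Cluster Geographic Edition software) that checks captured keytool -list -v output from every node of a cluster for the partner alias and for identical SHA1 fingerprints across nodes. It assumes you have saved each node's listing (for example over ssh) and feeds it constructed sample listings with placeholder fingerprints; the local entry alias cluster-paris in the sample is an assumption, since the guide does not state how the local key is labelled.

```shell
#!/bin/sh
# Added example: check that every node of a cluster trusts the partner
# cluster under the expected alias with one and the same certificate.
# Input is the text printed by "keytool -list -v -keystore truststore".

# Print the SHA1 fingerprint recorded under alias $1 in keytool -list -v
# output read from stdin. Exit status 1 if the alias is absent.
fingerprint_for_alias() {
    awk -v want="$1" '
        /^Alias name: /                         { cur = substr($0, 13) }
        $1 == "SHA1:" && cur == want && !found  { print $2; found = 1 }
        END                                     { exit found ? 0 : 1 }
    '
}

# Usage: check_partner_trust ALIAS LISTING [LISTING...]
# Each LISTING is the keytool output captured on one node of the cluster.
# Returns 0 when every listing carries ALIAS with an identical SHA1
# fingerprint, 1 when some node lacks the alias, 2 when the fingerprints
# differ (a node whose security directory was not refreshed).
check_partner_trust() {
    cpt_alias=$1; shift
    cpt_expected=""
    for cpt_listing in "$@"; do
        cpt_fp=$(printf '%s\n' "$cpt_listing" | fingerprint_for_alias "$cpt_alias") || return 1
        if [ -z "$cpt_expected" ]; then
            cpt_expected=$cpt_fp
        elif [ "$cpt_fp" != "$cpt_expected" ]; then
            return 2
        fi
    done
    return 0
}

# Constructed sample listing in the layout keytool -list -v prints.
# $1 = local entry alias (assumed), $2 = partner alias, $3 = partner SHA1.
# All fingerprints here are placeholders, not real certificates.
sample_listing() {
    printf '%s\n' \
        'Keystore type: jks' \
        'Keystore provider: SUN' \
        '' \
        'Your keystore contains 2 entries' \
        '' \
        "Alias name: $1" \
        'Entry type: trustedCertEntry' \
        'Certificate fingerprints:' \
        '         MD5:  00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF' \
        '         SHA1: D4:D4:D4:D4:D4:D4:D4:D4:D4:D4:D4:D4:D4:D4:D4:D4:D4:D4:D4:D4' \
        '' \
        "Alias name: $2" \
        'Entry type: trustedCertEntry' \
        'Certificate fingerprints:' \
        '         MD5:  FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00' \
        "         SHA1: $3"
}

PARTNER_SHA1='A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1:A1'
STALE_SHA1='C3:C3:C3:C3:C3:C3:C3:C3:C3:C3:C3:C3:C3:C3:C3:C3:C3:C3:C3:C3'

# phys-paris-1 and phys-paris-2 after step 4 (security directory copied).
PARIS1_LIST=$(sample_listing cluster-paris cluster-newyork "$PARTNER_SHA1")
PARIS2_LIST=$PARIS1_LIST
# A node still holding the partner certificate from an earlier create-keys.
STALE_LIST=$(sample_listing cluster-paris cluster-newyork "$STALE_SHA1")
# A node on which the partner certificate was never imported at all.
MISSING_LIST=$(sample_listing cluster-paris unrelated-alias "$PARTNER_SHA1")

# In production, capture the listings instead of constructing them:
#   ssh phys-paris-2 'cd /etc/opt/SUNWcacao/security/jsse && \
#       keytool -list -v -keystore truststore'
if check_partner_trust cluster-newyork "$PARIS1_LIST" "$PARIS2_LIST"; then
    echo "cluster-paris: partner certificate consistent on all nodes"
else
    echo "cluster-paris: partner certificate check failed (status $?)"
fi
if check_partner_trust cluster-newyork "$PARIS1_LIST" "$STALE_LIST"; then
    echo "stale node: unexpectedly passed"
else
    echo "stale node detected (status $?): refresh its security directory"
fi
```

Run it once per cluster with that cluster's listings; the partner alias is cluster-newyork when checking cluster-paris and cluster-paris when checking cluster-newyork, which mirrors the reciprocal configuration the chapter requires.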