You can use IP Security Architecture (IPsec) to configure secure communication between partner clusters. IPsec enables you to set policies that permit or require either secure datagram authentication, or actual data encryption, or both, between machines communicating by using IP. Consider using IPsec for the following cluster communications:
Secure Sun StorEdge Availability Suite 3.2.1 communications, if you use Sun StorEdge Availability Suite 3.2.1 for data replication
Secure TCP/UDP heartbeat communications
Sun Cluster software and Sun Cluster Geographic Edition software support IPsec by using only manual keys. Keys must be stored manually on the cluster nodes for each combination of server and client IP address. The keys must also be stored manually on each client. Because no key-management daemon is involved, manually keyed security associations are never rekeyed automatically: changing a key means updating the keys file on every node of both clusters and reloading it.
Refer to the System Administration Guide: IP Services for a full description of IPsec configuration parameters.
How to Configure IPsec for Secure Cluster Communication
In the Sun Cluster Geographic Edition infrastructure, the hostname of a logical host is identical to the cluster name. The logical hostname is a special high availability (HA) resource. You must set up a number of IP addresses for various Sun Cluster Geographic Edition components, depending on your cluster configuration.
On each partner cluster, you must configure encryption and authentication for the inbound and outbound packets exchanged between a physical node and the logical-hostname addresses. The values for the IPsec configuration parameters on these addresses must be consistent between partner clusters: the policy on one cluster must mirror the policy on the other, and both clusters must hold the same keys.
IPsec uses two configuration files:
IPsec policy file, /etc/inet/ipsecinit.conf. Contains directional rules to support an authenticated, encrypted heartbeat. The contents of this file will be different on the two clusters in your partnership.
IPsec keys file, /etc/inet/secret/ipseckeys. Contains the keys for the specific authentication and encryption algorithms that are in use. The contents of this file will be identical on both clusters in your partnership.
The following procedure configures an example cluster, cluster-paris, for IPsec secure communication with another example cluster, cluster-newyork. Both clusters are running the Solaris 9 OS. The procedure assumes that the local logical hostname on cluster-paris is lh-paris-1 and that the remote logical hostname is lh-newyork-1. Inbound messages are received on lh-paris-1 and outbound messages are sent to lh-newyork-1.
Use the following procedure on each node of cluster-paris.
Log in to the first node of the primary cluster, phys-paris-1, as superuser.
For a reminder of which node is phys-paris-1, see Example Sun Cluster Geographic Edition Cluster Configuration.
Set up an entry for the local address and remote address in the IPsec policy file.
The policy file is located at /etc/inet/ipsecinit.conf. Permissions on this file should be 644. For more information about this file, see the ipsecconf(1M) man page.
For information about the names and values that are supported by Sun Cluster Geographic Edition software, see Appendix B, Legal Names and Values of Sun Cluster Geographic Edition Entities.
Configure the communication policy.
The default port for the tcp_udp plug-in is 2084. This is specified in the /etc/opt/SUNWcacao/modules/com.sun.cluster.agent.geocontrol.xml file. If you have changed the port there, use the same port in the policy rules below.
The following entries in /etc/inet/ipsecinit.conf configure a policy with no preference for authentication or encryption algorithms (auth_algs any and encr_algs any accept whichever algorithms the manually keyed security associations use; restrict them to the algorithms you actually key if you want the policy to reject anything weaker):

    {raddr lh-newyork-1 rport 2084} ipsec {auth_algs any encr_algs any sa shared}
    {laddr lh-paris-1 lport 2084} ipsec {auth_algs any encr_algs any sa shared}
When you configure the communication policy on the secondary cluster, cluster-newyork, the policies need to be reversed:
    {laddr lh-newyork-1 lport 2084} ipsec {auth_algs any encr_algs any sa shared}
    {raddr lh-paris-1 rport 2084} ipsec {auth_algs any encr_algs any sa shared}
Add the policy by rebooting the node or by running the following command. Note that ipsecconf -a adds the entries to the policy that is already active; run ipsecconf -l afterwards to list the active policy and confirm that only the intended rules are present.

    # ipsecconf -a /etc/inet/ipsecinit.conf
Set up encryption and authentication keys for inbound and outbound communication.
The keys file is located at /etc/inet/secret/ipseckeys. Permissions on the file should be 600, because anyone who can read it can decrypt and forge the heartbeat traffic.
Add keys by running the following command:
    # ipseckey -f /etc/inet/secret/ipseckeys
Key entries have the following general format. Each security association is identified by its destination address and SPI, so the inbound SAs carry dst lh-paris-1 and the outbound SAs carry dst lh-newyork-1; the SPI and key values are placeholders that you replace with your own:

    # inbound to cluster-paris
    add esp spi <paris-encr-spi> dst lh-paris-1 encr_alg <paris-encr-algorithm> \
        encrkey <paris-encrkey-value>
    add ah spi <paris-auth-spi> dst lh-paris-1 auth_alg <paris-auth-algorithm> \
        authkey <paris-authkey-value>
    # outbound to cluster-newyork
    add esp spi <newyork-encr-spi> dst lh-newyork-1 encr_alg <newyork-encr-algorithm> \
        encrkey <newyork-encrkey-value>
    add ah spi <newyork-auth-spi> dst lh-newyork-1 auth_alg <newyork-auth-algorithm> \
        authkey <newyork-authkey-value>
For more information about the keys file and the policy file, see the ipseckey(1M) and ipsecconf(1M) man pages.
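The steps above leave the operator to invent SPIs and keys by hand and to keep two policy files mirrored. The script below is an added example, not part of the Sun documentation or of the Sun Cluster software: it generates the two mirrored ipsecinit.conf files and the single shared ipseckeys file for a partnership, draws the SPIs and keys from /dev/urandom at the lengths the chosen algorithms require, and checks that the two policy files really are each other's reverse. It assumes 3des for ESP (24-byte key) and sha1 for AH (20-byte key), which are not the page's choice (the page uses "any"); the hostnames and port 2084 are the page's. The output directories are a hypothetical staging area; copying the files to /etc/inet on each node and running ipsecconf -a and ipseckey -f is left to the operator.

```shell
#!/bin/sh
# Generate mirrored IPsec policy files and one shared manual-key file for a
# Sun Cluster Geographic Edition partnership. Added example; the algorithm
# choice (3des/sha1) and the staging directories are assumptions.

PORT=2084
ENCR_ALG=3des     # ipseckey/ipsecconf name for 3DES-CBC, 192-bit key
ENCR_KEYLEN=24    # bytes
AUTH_ALG=sha1     # HMAC-SHA1, 160-bit key
AUTH_KEYLEN=20    # bytes

# hex_random N: N random bytes from /dev/urandom as lowercase hex, no whitespace.
hex_random() {
    od -An -tx1 -N "$1" /dev/urandom | tr -d ' \n'
}

# random_spi: a 32-bit SPI as 0x-prefixed hex. SPIs 0-255 are reserved by the
# AH/ESP RFCs, so redraw until the value is at least 256.
random_spi() {
    while :; do
        n=$(( 0x$(hex_random 4) & 0xffffffff ))
        if [ "$n" -ge 256 ]; then
            printf '0x%08x\n' "$n"
            return 0
        fi
    done
}

# key_ok ALG HEXKEY: succeed only if HEXKEY is lowercase hex of the exact length
# ALG needs. Catches truncated or pasted-with-spaces keys before ipseckey does.
key_ok() {
    case $1 in
        3des) want=$((ENCR_KEYLEN * 2)) ;;
        sha1) want=$((AUTH_KEYLEN * 2)) ;;
        *)    return 1 ;;
    esac
    [ "${#2}" -eq "$want" ] && printf '%s' "$2" | grep -Eq '^[0-9a-f]+$'
}

# policy_rules LOCAL_LH REMOTE_LH: the two ipsecinit.conf entries for one cluster.
# Call it with the arguments swapped for the partner cluster.
policy_rules() {
    printf '{raddr %s rport %s} ipsec {auth_algs %s encr_algs %s sa shared}\n' \
        "$2" "$PORT" "$AUTH_ALG" "$ENCR_ALG"
    printf '{laddr %s lport %s} ipsec {auth_algs %s encr_algs %s sa shared}\n' \
        "$1" "$PORT" "$AUTH_ALG" "$ENCR_ALG"
}

# sa_entries DST ESP_SPI AH_SPI ENCRKEY AUTHKEY: the ESP and AH ipseckey lines
# for the security associations whose destination is DST.
sa_entries() {
    printf 'add esp spi %s dst %s encr_alg %s encrkey %s\n' "$2" "$1" "$ENCR_ALG" "$4"
    printf 'add ah spi %s dst %s auth_alg %s authkey %s\n' "$3" "$1" "$AUTH_ALG" "$5"
}

# gen_shared_keys LH_A LH_B: a complete ipseckeys file (identical on both
# clusters) with fresh SPIs and keys for traffic towards LH_A and towards LH_B.
gen_shared_keys() {
    printf '# SAs for packets to %s\n' "$1"
    sa_entries "$1" "$(random_spi)" "$(random_spi)" \
        "$(hex_random "$ENCR_KEYLEN")" "$(hex_random "$AUTH_KEYLEN")"
    printf '# SAs for packets to %s\n' "$2"
    sa_entries "$2" "$(random_spi)" "$(random_spi)" \
        "$(hex_random "$ENCR_KEYLEN")" "$(hex_random "$AUTH_KEYLEN")"
}

# write_cluster_config DIR LOCAL_LH REMOTE_LH KEYS: stage one cluster's files.
# The keys file is created under umask 077 so it is never world-readable.
write_cluster_config() {
    mkdir -p "$1"
    policy_rules "$2" "$3" > "$1/ipsecinit.conf"
    chmod 644 "$1/ipsecinit.conf"
    ( umask 077; printf '%s\n' "$4" > "$1/ipseckeys" )
    chmod 600 "$1/ipseckeys"
}

# mirror_ok FILE_A FILE_B: succeed if FILE_B's local rules are FILE_A's remote
# rules and vice versa, i.e. the two policy files are exact reverses.
mirror_ok() {
    a=$(sed -e 's/^{raddr \([^ ]*\) rport \([0-9]*\)}/remote \1 \2/' \
            -e 's/^{laddr \([^ ]*\) lport \([0-9]*\)}/local \1 \2/' "$1" | sort)
    b=$(sed -e 's/^{raddr \([^ ]*\) rport \([0-9]*\)}/local \1 \2/' \
            -e 's/^{laddr \([^ ]*\) lport \([0-9]*\)}/remote \1 \2/' "$2" | sort)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: sh gen-ipsec.sh generate   (stages ./paris and ./newyork, hypothetical dirs)
if [ "${1:-}" = generate ]; then
    keys=$(gen_shared_keys lh-paris-1 lh-newyork-1)
    write_cluster_config ./paris   lh-paris-1   lh-newyork-1 "$keys"
    write_cluster_config ./newyork lh-newyork-1 lh-paris-1   "$keys"
    mirror_ok ./paris/ipsecinit.conf ./newyork/ipsecinit.conf && echo "policies mirror"
    cmp -s ./paris/ipseckeys ./newyork/ipseckeys && echo "keys identical"
fi
```

On a node you would then copy ipsecinit.conf to /etc/inet/ipsecinit.conf and ipseckeys to /etc/inet/secret/ipseckeys and load them with ipsecconf -a and ipseckey -f as in the steps above. The SPIs and keys are generated once and shared, which is exactly the "manual keys" constraint the page states; distributing the keys file between clusters over an unprotected channel would defeat the whole exercise.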