You can configure IP Security Architecture (IPsec) for the clprivnet interface to provide secure communication on the cluster interconnect. For information about IPsec, see Part IV, IP Security, in System Administration Guide: IP Services and the ipsecconf(1M) man page. For information about the clprivnet interface, see the clprivnet(7) man page.
Perform this procedure on each global-cluster voting node that you want to configure to use IPsec.
Become superuser.
On each node, determine the IP address of the clprivnet interface of the node.
phys-schost# ifconfig clprivnet0
On each node, configure the /etc/inet/ipsecinit.conf policy file and add Security Associations (SAs) between each pair of clprivnet IP addresses that you want to use IPsec.
Follow the instructions in How to Secure Traffic Between Two Systems With IPsec in System Administration Guide: IP Services.
To implement IPsec without rebooting, follow the instructions in the procedure's example, Securing Traffic With IPsec Without Rebooting.
Observe the following guidelines when you add entries to the configuration file:
In each file, add one entry for each clprivnet IP address to use IPsec, including the clprivnet IP address of the local node.
Configure each policy as a separate line in the configuration file.
Ensure that the values of the configuration parameters for these addresses are consistent on all the partner nodes.
To enable striping of data over all links, include the sa unique policy in the entry. This feature helps the driver to optimally utilize the bandwidth of the cluster private network, which provides a high granularity of distribution and better throughput. The clprivnet interface uses the Security Parameter Index (SPI) of the packet to stripe the traffic. For more information about the sa unique policy, see the ipsecconf(1M) man page.
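The guidelines above can be checked mechanically before the policy is loaded. The following is an added example, not part of the Sun Cluster documentation: it verifies that every clprivnet address has an entry, that each policy sits on one line, that sa unique is set, and that the properties match across nodes. The addresses, the `{laddr ... raddr ...}` entry form and the algorithm values in the sample are constructed assumptions; use the entry form from the referenced procedure for your cluster.

```python
import re

# ipsecconf(1M) policy form, one per line: {pattern} action {properties}
POLICY_RE = re.compile(r"^\{([^{}]*)\}\s*(\w+)\s*\{([^{}]*)\}$")
ADDR_KEYS = ("laddr", "raddr", "saddr", "daddr")

def pairs(body):  # 'name value name value' -> dict
    tok = body.split()
    return dict(zip(tok[0::2], tok[1::2]))

def parse(text):
    """Return (policies, numbers of lines that are not a complete policy)."""
    policies, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        m = POLICY_RE.match(line)
        if m:
            pat = pairs(m.group(1))
            policies.append(({pat[k] for k in ADDR_KEYS if k in pat}, pairs(m.group(3))))
        elif line and not line.startswith("#"):
            bad.append(n)
    return policies, bad

def check_node(text, addrs):
    """Findings for one node's file: missing entries, split lines, no sa unique."""
    policies, bad = parse(text)
    out = ["line %d: not a single-line policy" % n for n in bad]
    for a in addrs:
        hits = [props for pat_addrs, props in policies if a in pat_addrs]
        if not hits:
            out.append("%s: no entry" % a)
        elif any(p.get("sa") != "unique" for p in hits):
            out.append("%s: entry without sa unique" % a)
    return out

def inconsistent(files, addrs):
    """Addresses whose policy properties differ between the nodes' files."""
    seen = {a: set() for a in addrs}
    for text in files.values():
        for pat_addrs, props in parse(text)[0]:
            for a in pat_addrs & set(addrs):
                seen[a].add(frozenset(props.items()))
    return [a for a in addrs if len(seen[a]) > 1]

# Constructed sample input: addresses and policy lines are illustrative only.
ADDRS = ["172.16.4.1", "172.16.4.2"]
LINE = "{laddr %s raddr %s} ipsec {encr_algs aes encr_auth_algs sha1 sa %s}\n"
FILES = {"node1": LINE % ("172.16.4.1", "172.16.4.2", "unique"),
         "node2": LINE % ("172.16.4.2", "172.16.4.1", "shared")}
```

Call `check_node()` on each node's copy of /etc/inet/ipsecinit.conf and `inconsistent()` on the collected copies; in the sample, node2 is flagged for using sa shared and both addresses are reported as inconsistent.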
Determine from the following list the next task to perform that applies to your cluster configuration. If you need to perform more than one task from this list, go to the first of those tasks in this list.
To install a volume manager, go to Chapter 4, Configuring Solaris Volume Manager Software and Chapter 5, Installing and Configuring Veritas Volume Manager to install volume management software.
If you added a new node to a cluster that uses VxVM, you must perform one of the following tasks:
Install VxVM on that node.
Modify that node's /etc/name_to_major file to support coexistence with VxVM.
Follow the procedures in How to Install Veritas Volume Manager Software to perform one of these required tasks.
To create cluster file systems, go to How to Create Cluster File Systems.
To create non-global zones on a node, go to How to Create a Non-Global Zone on a Global-Cluster Node.
SPARC: To configure Sun Management Center to monitor the cluster, go to SPARC: Installing the Sun Cluster Module for Sun Management Center.
Install third-party applications, register resource types, set up resource groups, and configure data services. See the documentation that is supplied with the application software and the Sun Cluster Data Services Planning and Administration Guide for Solaris OS.
Before you put the cluster into production, make a baseline recording of the cluster configuration for future diagnostic purposes. Go to How to Record Diagnostic Data of the Cluster Configuration.