Sun Cluster Software Installation Guide for Solaris OS

Procedure: How to Configure IP Security Architecture (IPsec) on the Cluster Private Interconnect

You can configure IP Security Architecture (IPsec) for the clprivnet interface to provide secure TCP/IP communication on the cluster interconnect.

For information about IPsec, see Part IV, IP Security, in System Administration Guide: IP Services and the ipsecconf(1M) man page. For information about the clprivnet interface, see the clprivnet(7) man page.

Perform this procedure on each global-cluster voting node that you want to configure to use IPsec.

  1. Become superuser.

  2. On each node, determine the IP address of the clprivnet interface of the node.

    phys-schost# ifconfig clprivnet0

  3. On each node, configure the /etc/inet/ipsecinit.conf policy file and add Security Associations (SAs) between each pair of private-interconnect IP addresses for which you want to use IPsec.

    Follow the instructions in How to Secure Traffic Between Two Systems With IPsec in System Administration Guide: IP Services. In addition, observe the following guidelines:

    • Ensure that the values of the configuration parameters for these addresses are consistent on all the partner nodes.

    • Configure each policy as a separate line in the configuration file.

    • To implement IPsec without rebooting, follow the instructions in the procedure's example, Securing Traffic With IPsec Without Rebooting.

    For more information about the sa unique policy, see the ipsecconf(1M) man page.

    1. In each file, add one entry for each clprivnet IP address in the cluster that is to use IPsec.

      Include the clprivnet IP address of the local node.

    2. If you use VNICs, also add one entry for the IP address of each physical interface that is used by the VNICs.

    3. (Optional) To enable striping of data over all links, include the sa unique policy in the entry.

      This feature helps the driver to optimally utilize the bandwidth of the cluster private network, which provides a high granularity of distribution and better throughput. The clprivnet interface uses the Security Parameter Index (SPI) of the packet to stripe the traffic.

  4. On each node, edit the /etc/inet/ike/config file to set the p2_idletime_secs parameter.

    Add this entry to the policy rules that are configured for cluster transports. This setting provides the time for security associations to be regenerated when a cluster node reboots, and limits how quickly a rebooted node can rejoin the cluster. A value of 30 seconds should be adequate.

    phys-schost# vi /etc/inet/ike/config
    …
    {
        label "clust-priv-interconnect1-clust-priv-interconnect2"
        …
        p2_idletime_secs 30
    }
    …

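
Step 3 and its guideline that partner nodes must carry consistent parameters, as an added shell example that is not part of this guide: it generates a node's ipsecinit.conf policy lines from the list of cluster clprivnet addresses and then checks a set of node files for mirror-image entries. It assumes the ipsecconf(1M) entry form used in the referenced procedure How to Secure Traffic Between Two Systems With IPsec; the algorithm names and all addresses are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the Sun Cluster guide. Generates the per-node
# ipsecinit.conf policy lines of step 3 and checks that partner nodes
# ended up with consistent entries. The entry grammar is the ipsecconf(1M)
# form used in "How to Secure Traffic Between Two Systems With IPsec"
# ({laddr A raddr B} ipsec {...}); the algorithm names are example choices
# and every address below is a constructed sample value.

# Parameters shared by every policy. They must be identical on all nodes
# (step 3 guideline); "sa unique" is the optional striping policy.
IPSEC_PARAMS="encr_algs aes encr_auth_algs sha1 sa unique"

# gen_policies LOCAL_ADDR ADDR...
# Print one policy per line from LOCAL_ADDR to every other address in the
# list; the local address itself is skipped. Pass the clprivnet address of
# every node, and with VNICs append the physical interface addresses too.
gen_policies() {
    local_addr=$1
    shift
    for addr in "$@"; do
        [ "$addr" = "$local_addr" ] && continue
        printf '{laddr %s raddr %s} ipsec {%s}\n' \
            "$local_addr" "$addr" "$IPSEC_PARAMS"
    done
}

# normalize_pairs: read policy lines on stdin and print each one as an
# unordered address pair plus its parameter block, so the entry node A
# holds for B and the entry node B holds for A come out identical.
normalize_pairs() {
    awk '{
        l = $2; r = $4; sub(/}$/, "", r)
        p = ""; for (i = 6; i <= NF; i++) p = p " " $i
        if (l < r) print l, r p; else print r, l p
    }'
}

# pairs_consistent FILE...: succeed only when every address pair appears
# exactly twice across the given node files (once from each side) with the
# same parameters. A changed parameter or a missing partner entry on one
# node leaves a pair with a count of 1 and fails the check.
pairs_consistent() {
    cat "$@" | normalize_pairs | sort | uniq -c |
        awk '$1 != 2 { bad = 1 } { n++ } END { exit (bad || n == 0) }'
}
```

Run gen_policies on every node with the same address list, collect the resulting files, and pairs_consistent reports whether any node drifted from its partners before you load the policies with ipsecconf.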
Next Steps

Determine from the following list the next task to perform that applies to your cluster configuration. If you need to perform more than one task from this list, go to the first of those tasks in this list.