Oracle® Solaris Cluster Geographic Edition Installation and Configuration Guide


Updated: July 2014, E39666-01

Securing Inter-Cluster Communication

This section describes the following methods for securing communication between partner clusters:

Security Certificates

You must configure the Geographic Edition software for secure communication between partner clusters. The configuration must be reciprocal: cluster-paris must be configured to trust its partner cluster-newyork, and cluster-newyork must be configured to trust its partner cluster-paris.

For information and procedures to set up security certificates for partner clusters, see Configuring Trust Between Partner Clusters.

IP Security (IPsec)

You can use IP Security Architecture (IPsec) to configure secure communication between partner clusters. IPsec lets you set policies that permit or require datagram authentication, data encryption, or both between machines that communicate over IP.

Consider using IPsec for the following inter-cluster communications:

  • Secure communication through Availability Suite from Oracle, if you use the Availability Suite software for data replication

  • Secure TCP/UDP heartbeat communications

IPsec uses two configuration files:

  • IPsec policy file, /etc/inet/ipsecinit.conf. Contains directional rules to support an authenticated, encrypted heartbeat. Because the rules are directional, the contents of this file differ between the two clusters of a partnership.

  • IPsec keys file, /etc/inet/secret/ipseckeys. Contains the keys for the specific authentication and encryption algorithms in use. The contents of this file are identical on both clusters of a partnership.

Observe the following guidelines when using IPsec for secure inter-cluster communication:

  • Oracle Solaris Cluster software and Geographic Edition software support IPsec only with manual keys. Keys must be stored manually on the cluster nodes for each combination of server and client IP address. The keys must also be stored manually on each client.

  • In the Geographic Edition infrastructure, the hostname of a logical host is identical to the cluster name. The logical hostname is a special HA resource. You must set up a number of IP addresses for various Geographic Edition components, depending on your cluster configuration.

  • On each partner cluster, you must configure encryption and authorization for the inbound and outbound packets exchanged between a physical node and the logical-hostname addresses. The values of the Oracle Solaris IP Security Architecture (IPsec) configuration parameters for these addresses must be consistent between partner clusters.

  • Oracle Solaris Cluster software does not support the use of IPsec for the cluster interconnect.
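
As an added example (not part of the Oracle documentation), the following POSIX shell script generates the two IPsec files described above for the cluster-paris / cluster-newyork partnership: a reciprocal policy file for each cluster and one shared manual-key file. The heartbeat port (2084), the SPI values, the AES/HMAC-SHA256 algorithm names and the output file names are assumptions; the keys are generated locally as placeholders, and the cluster names are assumed to resolve as the logical hostnames described in the guidelines.

```shell
#!/bin/sh
# Added example, not Oracle's code. Generates the two IPsec files the text
# describes for the cluster-paris / cluster-newyork partnership:
#   ipsecinit.conf  - directional rules, so each cluster gets its own file
#   ipseckeys       - manual SAs, identical on both clusters
# Assumptions (placeholders): heartbeat on TCP/UDP port 2084, ESP with AES-128
# and HMAC-SHA256, SPIs 0x1001/0x1002, cluster names resolve as logical hosts.
HB_PORT=2084
ALGS="encr_algs aes encr_auth_algs sha256 sa shared"

# hexkey NBYTES: random key material as hex. Generate once, copy to both clusters.
hexkey() { od -An -tx1 -N "$1" /dev/urandom | tr -d ' \n'; }

# gen_policy LOCAL REMOTE: ipsecinit.conf rules for the cluster named LOCAL.
# laddr/raddr mean local/remote, so swapping the arguments yields the partner's
# file; "dir" makes each rule apply to one direction only.
gen_policy() {
  for ulp in tcp udp; do
    printf '{laddr %s raddr %s ulp %s rport %s dir out} ipsec {%s}\n' \
      "$1" "$2" "$ulp" "$HB_PORT" "$ALGS"
    printf '{laddr %s raddr %s ulp %s lport %s dir in} ipsec {%s}\n' \
      "$1" "$2" "$ulp" "$HB_PORT" "$ALGS"
  done
}

# gen_keys ENC1 AUTH1 ENC2 AUTH2: one manual SA per direction, distinct keys
# each way. The same file is installed on both clusters.
gen_keys() {
  printf 'add esp spi 0x1001 src cluster-paris dst cluster-newyork encr_alg aes encrkey %s auth_alg sha256 authkey %s\n' "$1" "$2"
  printf 'add esp spi 0x1002 src cluster-newyork dst cluster-paris encr_alg aes encrkey %s auth_alg sha256 authkey %s\n' "$3" "$4"
}

# build_partnership OUTDIR: write one policy file per cluster plus the shared
# key file. Install each cluster's policy as /etc/inet/ipsecinit.conf and the
# key file as /etc/inet/secret/ipseckeys (mode 600), then refresh the
# ipsec/policy and ipsec/manual-key services on every node.
build_partnership() {
  gen_policy cluster-paris   cluster-newyork > "$1/cluster-paris.ipsecinit.conf"
  gen_policy cluster-newyork cluster-paris   > "$1/cluster-newyork.ipsecinit.conf"
  gen_keys "$(hexkey 16)" "$(hexkey 32)" "$(hexkey 16)" "$(hexkey 32)" > "$1/ipseckeys"
  chmod 600 "$1/ipseckeys"   # key material: readable by root only
}

# Stand-alone use: sh script.sh /some/output/dir
if [ -n "${1:-}" ]; then build_partnership "$1"; fi
```

The AES-128 key is 16 bytes and the HMAC-SHA256 key is 32 bytes, which is why hexkey is called with those sizes; the key file must be copied to the partner cluster over an already-trusted channel, never regenerated there.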

Refer to Securing the Network in Oracle Solaris 11.2 for more information about IPsec.