Go to main content

Oracle® Solaris Cluster 4.3 Geographic Edition Installation and Configuration Guide

Exit Print View

Updated: February 2017

Planning Security

This section contains the following information about securing the Geographic Edition framework:

Setting Up and Using RBAC

The Geographic Edition framework bases its RBAC profiles on the RBAC rights profiles that are used in the Oracle Solaris Cluster software. For general information about setting up and using RBAC with Oracle Solaris Cluster software, refer to Chapter 2, Oracle Solaris Cluster and User Rights in Oracle Solaris Cluster 4.3 System Administration Guide.

The Geographic Edition framework adds the following RBAC entities to the appropriate file in the /etc/security directory:

  • RBAC authentication names to auth_attr

  • RBAC execution profiles to prof_attr

  • RBAC execution attributes to exec_attr

Note -  The default search order for the auth_attr and prof_attr databases is files nis, which is defined in the /etc/nsswitch.conf file. If you have customized the search order in your environment, confirm that files is in the search list, so your system can find the RBAC entries that Geographic Edition defined.

RBAC Rights Profiles

The Geographic Edition command-line interface (CLI) and the Oracle Solaris Cluster Manager browser interface use RBAC rights to control end-user access to operations. The following table provides the general conventions for these rights.

Table 1  Geographic Edition RBAC Rights Profiles
Rights Profile
Included Authorizations
Role Identity Permission
Geo Management
Read information about the Geographic Edition entities
Perform administrative tasks with the Geographic Edition framework
Modify the configuration of the Geographic Edition framework
Basic Solaris User
Oracle Solaris authorizations
Perform the same operations that the Basic Solaris User role identity can perform
Read information about the Geographic Edition entities

Configuring Firewalls

Geographic Edition partner clusters communicate using transport services and ICMP echo requests and replies (pings). Their packets must therefore pass data center firewalls, including any firewalls configured on cluster nodes in partner clusters. Figure 2, Table 2, Ports and Protocols Used by Geographic Edition Partnerships - Required Services and Figure 3, Table 3, Ports and Protocols Used by Geographic Edition Partnerships - Optional Services contain lists of required and optional services and protocols used by Geographic Edition partnerships, and the associated ports that you must open in your firewalls for these services to function. The ports listed are defaults. If you customize the port numbers that serve the specified transfer protocols, the customized ports must be opened instead.

Ports other than those listed in the following tables might be required by storage replication services such as the Availability Suite feature of Oracle Solaris software. See the related product documentation for details.

Table 2  Ports and Protocols Used by Geographic Edition Partnerships - Required Services
Port Number
Use in Geographic Edition partnership
Secure shell (ssh). Used during the initial certificate transfer that establishes trust between partner clusters.
UDP (default), TCP
Intercluster heartbeat
The Java Management Extensions (JMX) port (jmxmp-connector-port). A messaging protocol used for the exchange of configuration and status information between the two sites in a partnership.
ICMP Echo Request/Reply
Backup heartbeat between partner clusters
Table 3  Ports and Protocols Used by Geographic Edition Partnerships - Optional Services
Port Number
Use in Geographic Edition partnership
Simple Network Management Protocol (SNMP) communications
SNMP traps

Securing Intercluster Communication

You can use either security certificates or IP Security Architecture (IPsec) to secure communication between partner clusters.

Security Certificates

You must configure the Geographic Edition framework for secure communication between partner clusters. The configuration must be reciprocal, so cluster cluster-paris must be configured to trust its partner cluster cluster-newyork, and cluster cluster-newyork must be configured to trust its partner cluster cluster-paris.

For information and procedures to set up security certificates for partner clusters, see Configuring Trust Between Partner Clusters.

IP Security (IPsec)

You can use IP Security Architecture (IPsec) to configure secure communication between partner clusters. IPsec enables you to set policies that permit or require either secure datagram authentication, or actual data encryption, or both, between machines communicating by using IP.

Consider using IPsec for the following intercluster communications:

  • Secure communication through Availability Suite from Oracle if you use the Availability Suite software for data replication

  • Secure TCP/UDP heartbeat communications

IPsec uses two configuration files:

  • IPsec policy file, /etc/inet/ipsecinit.conf – Contains directional rules to support an authenticated, encrypted heartbeat. The contents of this file are different on the two clusters of a partnership.

  • IPsec keys file, /etc/init/secret/ipseckeys – Contains keys files for specific authentication and encryption algorithms. The contents of this file are identical on both clusters of a partnership.

Observe the following guidelines when using IPsec for secure intercluster communication:

  • Oracle Solaris Cluster software and Geographic Edition software support IPsec by using only manual keys. Keys must be stored manually on the cluster nodes for each combination of server and client IP address. The keys must also be stored manually on each client.

  • In the Geographic Edition framework, the hostname of a logical host is identical to the cluster name. The logical hostname is a special HA resource. You must set up a number of IP addresses for various Geographic Edition components, depending on your cluster configuration.

  • On each partner cluster, you must configure encryption and authorization for exchanging inbound and outbound packets from a physical node to the logical-hostname addresses. The values for the Oracle Solaris IP Security Architecture (IPsec) configuration parameters on these addresses must be consistent between partner clusters.

  • Oracle Solaris Cluster software does not support the use of IPsec for the cluster interconnect.

Refer to Securing the Network in Oracle Solaris 11.3 for more information about IPsec.