1. Installing and Configuring an Oracle Solaris Cluster 4.4 Environment
  2. Establishing the Global Cluster
  3. Establishing a New Global Cluster or New Global-Cluster Node
  4. Securing the Interconnect for Oracle Solaris Cluster With IPsec

Securing the Interconnect for Oracle Solaris Cluster With IPsec

You can optionally configure IPsec to protect traffic on the interconnect, which carries traffic both for internal cluster operations as well as user data for global filesystems.

The following requirements have to be met while configuring IPsec and IKE for Oracle Solaris Cluster interconnect:

  • Configure IKEv2 to automatically manage keys for IPsec on the interconnect.

    Note:

    You can also configure IKE for traffic on the public network.

  • Use the cluster private network address and prefix the same in IKE and IPsec configuration files. The cluster command provides this information. For more information, see the cluster(8CL) man page.

    The network/prefix identifier allows the same IKE rule and IPsec policy to be added identically to all cluster nodes irrespective of the local address assignment on the interconnect.

  • IKEv2 rules pertaining to the interconnect must be tagged with "cluster_interconnect" attribute and with value "yes". This ensures proper handling of cluster interconnect traffic during system shutdown.

  • IKEv2 and IPsec configuration files on all cluster nodes must contain the same IKEv2 rule and IPsec policy that pertain to the interconnect. When new nodes are added to the cluster, you must ensure that it contains the same IKEv2 rules and IPsec policies as the other nodes in the existing cluster.

Note:

IKEv2 service should be enabled on the private network either in non-cluster mode or simultaneously on all the nodes of the cluster when in cluster mode. Enabling IPSec on a subset of nodes can lead to disconnects in the cluster private network paths and nodes could go down due to loss of quorum.