This section provides procedures to configure IPsec to secure communication between partner clusters.
For additional information about configuring secure communication between partner clusters, see Planning Security.
The following example procedure configures a cluster, cluster-paris, for IPsec secure communication with another cluster, cluster-newyork. The procedure assumes that the local logical hostname on cluster-paris is lh-paris-1 and that the remote logical hostname is lh-newyork-1. Inbound messages are sent to lh-paris-1 and outbound messages are sent to lh-newyork-1.
Perform the following procedure on each node of cluster-paris.
For a reminder of which node is phys-paris-1, see Example Disaster Recovery Framework Cluster Configuration in Administering the Disaster Recovery Framework for Oracle Solaris Cluster 4.4.
The policy file is located at /etc/inet/ipsecinit.conf. Permissions on this file should be 644. For more information about this file, see the ipsecconf(8) man page.
For information about the names and values that are supported by the Disaster Recovery framework, see Appendix B, Legal Names and Values of Disaster Recovery Framework Entities, in Administering the Disaster Recovery Framework for Oracle Solaris Cluster 4.4.
The default port for the tcp_udp plug-in is 2084. You can specify this value in the /etc/cacao/instances/default/modules/com.sun.cluster.geocontrol.xml file.
The following entry in the /etc/inet/ipsecinit.conf file configures a policy with no preference for authentication or encryption algorithms.
    {raddr lh-newyork-1 rport 2084} ipsec {auth_algs any encr_algs any \
    sa shared}
    {laddr lh-paris-1 lport 2084} ipsec {auth_algs any encr_algs \
    any sa shared}
When you configure the communication policy on the secondary cluster, cluster-newyork, you must reverse the policies.
    {laddr lh-newyork-1 lport 2084} ipsec {auth_algs any encr_algs \
    any sa shared}
    {raddr lh-paris-1 rport 2084} ipsec {auth_algs any encr_algs \
    any sa shared}
Apply the policy:
    # ipsecconf -a /etc/inet/ipsecinit.conf
The IPsec key file is located at /etc/inet/secret/ipseckeys. Permissions on the file should be 600.
Add keys:
    # ipseckey -f /etc/inet/secret/ipseckeys
Key entries have the following general format:
    # inbound to cluster-paris
    add esp spi paris-encr-spi dst lh-paris-1 encr_alg paris-encr-algorithm \
        encrkey paris-encrkey-value
    add ah spi newyork-auth-spi dst lh-paris-1 auth_alg paris-auth-algorithm \
        authkey paris-authkey-value

    # outbound to cluster-newyork
    add esp spi newyork-encr-spi dst lh-newyork-1 encr_alg newyork-encr-algorithm \
        encrkey newyork-encrkey-value
    add ah spi newyork-auth-spi dst lh-newyork-1 auth_alg newyork-auth-algorithm \
        authkey newyork-authkey-value
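The policy pair, its reversed form for the partner cluster, and the file-mode requirements of this procedure, as an added shell example that is not part of the Oracle documentation. It uses the port 2084 and logical hostnames from this page; the function names geo_ipsec_policy, check_mode and geo_ipsec_preflight are invented here, and passing explicit algorithm names instead of any pins the algorithms, which goes beyond what the page shows.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris Cluster documentation).
# Emits the ipsecinit.conf policy pair for one side of a partnership and
# checks the file modes the procedure requires before the policy and keys
# are loaded. Function names are invented for this example.

# geo_ipsec_policy LOCAL_LH REMOTE_LH PORT [AUTH_ALGS] [ENCR_ALGS]
# Prints the two policy lines. Swapping LOCAL_LH and REMOTE_LH on the
# partner cluster is exactly the "reverse the policies" step.
geo_ipsec_policy() {
    local_lh=$1; remote_lh=$2; port=$3
    auth=${4:-any}; encr=${5:-any}   # "any" is what the page uses
    printf '{raddr %s rport %s} ipsec {auth_algs %s encr_algs %s sa shared}\n' \
        "$remote_lh" "$port" "$auth" "$encr"
    printf '{laddr %s lport %s} ipsec {auth_algs %s encr_algs %s sa shared}\n' \
        "$local_lh" "$port" "$auth" "$encr"
}

# check_mode FILE PERMS: succeed only if FILE exists and its permission
# string as shown by ls -l (e.g. rw-r--r--) equals PERMS.
check_mode() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c2-10)
    [ -n "$perms" ] && [ "$perms" = "$2" ]
}

# The policy file must be 644 and the key file 600 (the page's stated
# requirements) before ipsecconf and ipseckey read them.
geo_ipsec_preflight() {
    check_mode /etc/inet/ipsecinit.conf rw-r--r-- ||
        { echo "/etc/inet/ipsecinit.conf must be mode 644" >&2; return 1; }
    check_mode /etc/inet/secret/ipseckeys rw------- ||
        { echo "/etc/inet/secret/ipseckeys must be mode 600" >&2; return 1; }
}

# Usage on each node of cluster-paris (as root):
#   geo_ipsec_policy lh-paris-1 lh-newyork-1 2084 >> /etc/inet/ipsecinit.conf
#   geo_ipsec_preflight && ipsecconf -a /etc/inet/ipsecinit.conf \
#       && ipseckey -f /etc/inet/secret/ipseckeys
# On cluster-newyork the same call with the hostnames swapped:
#   geo_ipsec_policy lh-newyork-1 lh-paris-1 2084 >> /etc/inet/ipsecinit.conf
```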
For more information about these files, see the ipsecconf(8) man page.
Next Steps
If you are configuring a zone cluster as a member of a partnership, go to Preparing a Zone Cluster for Partner Membership.
Otherwise, go to Enabling the Disaster Recovery Framework Infrastructure.