Managing Serviceguard 12th Edition, March 2006
Building an HA Cluster Configuration
Preparing Your Systems
Chapter 5
For NIS, enter (one line):
hosts: files [NOTFOUND=continue UNAVAIL=continue] nis [NOTFOUND=return UNAVAIL=return]
Username Validation
Serviceguard relies on the ident service of the client node to verify the
username of the incoming network connection. If the Serviceguard
daemon is unable to connect to the client's ident daemon, permission will
be denied.
Root on a node is defined as any user who has the UID of 0. For a user to
be identified as root on a remote system, the “root” user entry in
/etc/passwd for the local system must come before any other user who
may also be UID 0. The ident daemon will return the username for the
first UID match. For Serviceguard to consider a remote user as a root
user on that remote node, the ident service must return the username as
“root”.
It is possible to configure Serviceguard not to use the ident service;
however, this configuration is not recommended. Consult the white paper
“Securing Serviceguard” for more information.
To disable the use of identd, add the -i option to the tcp hacl-cfg and
hacl-probe inetd configurations.
For example, on HP-UX with Serviceguard A.11.17:
1. Change the cmclconfd entry in /etc/inetd.conf to appear as:
hacl-cfg stream tcp nowait root /usr/lbin/cmclconfd \
cmclconfd -c -i
2. Change the cmomd entry in /etc/inetd.conf to appear as:
hacl-probe stream tcp nowait root \
/opt/cmom/lbin/cmomd /opt/cmom/lbin/cmomd -i -f \
/var/opt/cmom/cmomd.log -r /var/opt/cmom
3. Restart inetd:
/etc/init.d/inetd restart
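
The following shell script is an added example, not part of the Serviceguard manual. It checks that the first UID 0 entry in a passwd-format file is root, and reports any tcp hacl-cfg or hacl-probe entry in an inetd.conf-format file that carries -i. The function names and the FINDING output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Serviceguard manual): audit the two settings that
# username validation depends on. Paths are arguments, so it also runs on copies.

# First account with UID 0 in a passwd-format file; identd returns the first
# UID match, so this must be "root".
first_uid0_user() {
    awk -F: '$3 == 0 { print $1; exit }' "$1"
}

# tcp hacl-cfg / hacl-probe entries in an inetd.conf-format file whose daemon
# arguments include -i (ident lookup disabled).
ident_disabled_services() {
    awk '
        /^[ \t]*#/ { next }                    # skip comment lines
        {
            entry = entry " " $0
            if (entry ~ /\\[ \t]*$/) {         # trailing backslash: entry continues
                sub(/\\[ \t]*$/, "", entry); next
            }
            n = split(entry, f); entry = ""
            if ((f[1] == "hacl-cfg" || f[1] == "hacl-probe") && f[3] == "tcp")
                for (i = 8; i <= n; i++)       # f[7] is argv[0]; options start at f[8]
                    if (f[i] == "-i") { print f[1]; break }
        }
    ' "$1"
}

# audit PASSWD_FILE INETD_CONF: print findings, return non-zero if there are any.
audit() {
    rc=0
    first=$(first_uid0_user "$1")
    if [ "$first" != "root" ]; then
        echo "FINDING: first UID 0 entry is '$first', not 'root'"; rc=1
    fi
    for svc in $(ident_disabled_services "$2"); do
        echo "FINDING: $svc has -i set (ident check disabled)"; rc=1
    done
    return $rc
}

# Typical run on a cluster node: sh audit.sh /etc/passwd /etc/inetd.conf
if [ $# -eq 2 ]; then audit "$1" "$2"; fi
```

A non-zero exit status means at least one finding was printed, so the script can be used as a gate in a configuration check.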