Managing Serviceguard 13th Edition, February 2007
Building an HA Cluster Configuration
Preparing Your Systems
Chapter 5 189
NOTE Do not edit the /etc/cmcluster.conf configuration file.
Editing Security Files
Serviceguard daemons grant access to commands by matching incoming
hostname and username against the access control policies you define.
Serviceguard nodes can communicate over any of the cluster’s shared
networks, so all their primary addresses on each of those networks must
be identified.
Because access control policies for Serviceguard are based on
hostnames, IP addresses must be resolved to hostnames to match the
names specified in the access control policies.
An IP address can resolve to multiple hostnames (aliases); one of those
should match the name defined in the policy.
The subsections that follow describe how to configure IP and user
identities, and Serviceguard access control policies, so as to achieve the
level of security you need the cluster to have.
Configuring IP Address Resolution
Serviceguard uses the name resolution services built in to HP-UX. HP
recommends that you define name resolutions in each node’s /etc/hosts
file first, rather than rely solely on DNS or NIS services.
For example, consider a two-node cluster (gryf and sly) with two private
subnets and a public subnet. These nodes will be granting permission to
a non-cluster node (bit) which does not share the private subnets. The
/etc/hosts file on both cluster nodes should contain:
15.145.162.131 gryf.uksr.hp.com gryf
10.8.0.131 gryf.uksr.hp.com gryf
10.8.1.131 gryf.uksr.hp.com gryf
15.145.162.132 sly.uksr.hp.com sly
10.8.0.132 sly.uksr.hp.com sly
10.8.1.132 sly.uksr.hp.com sly
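The following check is an added example, not part of the Serviceguard manual or product. It audits a hosts file so that every non-loopback address carries at least one name or alias used in the access control policies, and every policy name has an address. The function name check_hosts, the use of the short names gryf and sly as policy names, and the sample line with its alias dropped are assumptions made for illustration; the script parses the file directly and does not query DNS or NIS.

```shell
#!/bin/sh
# Added example: audit a hosts file against access control policy hostnames.
# Usage: check_hosts HOSTS_FILE POLICY_NAME...
# Prints one line per problem; returns non-zero if any problem was found.
check_hosts() {
    hosts_file=$1; shift
    awk -v names="$*" '
    BEGIN { n = split(names, want, " ")
            for (i = 1; i <= n; i++) policy[want[i]] = 1 }
    {
        sub(/#.*/, "")                          # strip trailing comments
        if (NF < 2) next                        # blank or malformed line
        if ($1 ~ /^127\./ || $1 == "::1") next  # loopback is not a cluster address
        ok = 0
        for (f = 2; f <= NF; f++)               # canonical name and every alias
            if ($f in policy) { ok = 1; seen[$f] = 1 }
        if (!ok) { printf "NO_POLICY_NAME %s\n", $1; bad = 1 }
    }
    END {
        for (i = 1; i <= n; i++)                # policy names with no address at all
            if (!(want[i] in seen)) { printf "NO_ADDRESS %s\n", want[i]; bad = 1 }
        exit bad + 0
    }' "$hosts_file"
}

# Constructed sample: the entries shown above, with the alias dropped
# from the last line to show what a mismatch looks like.
sample=$(mktemp)
cat > "$sample" <<'EOF'
15.145.162.131 gryf.uksr.hp.com gryf
10.8.0.131 gryf.uksr.hp.com gryf
10.8.1.131 gryf.uksr.hp.com gryf
15.145.162.132 sly.uksr.hp.com sly
10.8.0.132 sly.uksr.hp.com sly
10.8.1.132 sly.uksr.hp.com
EOF
check_hosts "$sample" gryf sly || echo "hosts file needs attention"
rm -f "$sample"
```

Run it on each cluster node against that node's own /etc/hosts, since the files are maintained per node and can drift apart.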