Manualshelf

Managing Serviceguard Seventeenth Edition, First Reprint December 2009

ManualsBrandsHP ManualsSoftwareHP Serviceguard Software
191192193194195196197198199200
IMPORTANT: If $SGCONF/cmclnodelist does not exist, Serviceguard will look at
~/.rhosts. HP strongly recommends that you use cmclnodelist.
NOTE: When you upgrade a cluster from Version A.11.15 or earlier, entries in
$SGCONF/cmclnodelist are automatically updated to Access Control Policies in the
cluster configuration file. All non-root user-hostname pairs are assigned the role of
Monitor.
Ensuring that the Root User on Another Node Is Recognized
The HP-UX root user on any cluster node can configure the cluster. This requires that
Serviceguard on one node be able to recognize the root user on another.
Serviceguard uses the identd daemon to verify user names, and, in the case of a root
user, verification succeeds only if identd returns the username root. Because identd
may return the username for the first match on UID 0, you must check /etc/passwd
on each node you intend to configure into the cluster, and ensure that the entry for the
root user comes before any other entry with a UID of 0.
About identd
HP strongly recommends that you use identd for user verification, so you should
make sure that each prospective cluster node is configured to run it. identd is usually
started by inetd from /etc/inetd.conf.
Make sure that a line such as the following is uncommented in /etc/inetd.conf:
auth stream tcp6 wait bin /usr/lbin/identd identd
NOTE: If the -T option to identd is available on your system, you should set it to
120 (-T120); this ensures that a connection inadvertently left open will be closed after
two minutes. In this case, the identd entry in /etc/inetd.conf should look like
this:
auth stream tcp6 wait bin /usr/lbin/identd identd -T120
Check the man page for identd to determine whether the -T option is supported for
your version of identd
(It is possible to disable identd, though HP recommends against doing so. If for some
reason you have to disable identd, see “Disabling identd” (page 252).)
For more information about identd, see the white paper Securing Serviceguard at
http://docs.hp.com -> High Availability -> Serviceguard -> White
Papers, and the identd (1M) manpage.
198 Building an HA Cluster Configuration