HP-UX IPSec Version A.03.00 Administrator's Guide
Configuration Overview
Requirements
To use HP-UX IPSec with Serviceguard, your topology must meet the following requirements:
• The same version of HP-UX IPSec must be installed on all cluster nodes.
• Serviceguard version A.11.16 or later must be installed on all cluster nodes.
• All cluster nodes must have the same HP-UX IPSec configuration database file.
Serviceguard Heartbeat Requirement and Recommendation
• You must allow Serviceguard heartbeat messages to pass in clear text. Do not use HP-UX
IPSec to encrypt or authenticate Serviceguard heartbeat and control messages exchanged
between the cluster nodes. The overhead of establishing IKE and IPsec Security Associations
(SAs), and of encrypting or authenticating each heartbeat message, can delay heartbeat
delivery enough that nodes wrongly conclude a peer has failed, causing unnecessary
cluster reformations.
• When using HP-UX IPSec to secure a cluster, HP recommends that you have at least one
network dedicated for Serviceguard heartbeat messages (one network used only to send
and receive Serviceguard heartbeat messages).
Configuration Steps
Configure HP-UX IPSec for Serviceguard using an ipsec_config batch file, following the
instructions in Chapter 4: “Configuring HP-UX IPSec” (page 65), on one cluster node, referred
to as the configuration node. The additional, Serviceguard-specific configuration requirements
are listed below and described in the following sections. After you have verified the HP-UX
IPSec configuration on the configuration node, copy the configuration files to the other cluster
nodes.
After you have configured HP-UX IPSec, configure Serviceguard as described in the Serviceguard
product documentation.
The general procedure for configuring HP-UX IPSec with Serviceguard is listed below:
• “Step 1: Configuring HP-UX Host IPsec Policies for Serviceguard” (page 226)
— You must ensure that HP-UX IPSec allows Serviceguard heartbeat messages to pass in
clear text, to avoid unnecessary cluster reformations. Configure HP-UX IPSec to allow
all traffic between the heartbeat IP addresses to pass in clear text.
— If you are using optional Serviceguard features such as Quorum Server or Serviceguard
Manager, you must configure HP-UX IPSec so it does not discard messages for these
services that are exchanged with systems external to the cluster.
• “Step 2: Configuring HP-UX IPSec IKE policies” (page 235)
Configure IKE policies that include the Serviceguard package addresses and client addresses.
• “Step 3: Configuring Authentication Records for Preshared Keys” (page 236)
The authentication records contain the preshared key values and may include IKE ID
information.
• “Step 4: Configuring Authentication Records for Certificates” (page 239)
The authentication records contain IKE ID information to verify the ID information in the
security certificates.
• “Step 5: Verifying and Testing the HP-UX IPSec Configuration” (page 242)
Verify and test the HP-UX IPSec configuration on the configuration node.
• “Step 6: Configuring HP-UX IPSec Start-up Options” (page 243)
HP-UX IPSec must be running on all cluster nodes before you start the cluster. You may
want to configure startup options so HP-UX IPSec starts automatically at system boot-up
time.
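As an added illustration, not an excerpt from this guide or from the HP-UX IPSec product files, the fragment below sketches the Step 1 part of the configuration node's ipsec_config batch file. The policy names, the 192.168.10.0/24 heartbeat subnet, the 15.1.1.0/24 cluster subnet, the 15.1.2.0/24 client range, the package address 15.1.1.100 and the Quorum Server host 15.1.3.5 are constructed; TCP port 1238 is the Quorum Server port this example assumes, so take the real value from /etc/services on your systems. The option spellings (-source, -destination, -protocol, -dport, -priority, -action), the PASS action, the transform name and the assumption that a lower priority number is evaluated first are written from memory and must be checked against Chapter 4 and ipsec_config(1M) before use.

```text
# ipsec_config batch file fragment (constructed example; verify syntax before use)
# Each line is an ipsec_config argument list without the ipsec_config command name.

# Step 1a: heartbeat traffic must pass in clear text. A PASS policy covering all
# traffic between the addresses on the dedicated heartbeat network, given a low
# priority number (assumed to mean "evaluated first") so no transform policy can
# ever match heartbeat or cluster control messages.
add host sg_heartbeat -source 192.168.10.0/24 -destination 192.168.10.0/24 -priority 10 -action PASS

# Step 1b: Quorum Server runs outside the cluster; its messages must not be
# discarded. Port 1238/tcp is assumed here; use the value from /etc/services.
add host sg_quorum -source 15.1.1.0/24 -destination 15.1.3.5 -protocol TCP -dport 1238 -priority 20 -action PASS

# Application traffic between the package address and its clients is what IPsec
# is here to protect. The matching IKE policy and authentication records come
# from Steps 2 to 4 and are not shown in this fragment.
add host pkg1_clients -source 15.1.1.100 -destination 15.1.2.0/24 -priority 100 -action ESP_AES128_HMAC_SHA1
```

Load the file on the configuration node with the batch mode of ipsec_config (assumed here to be `ipsec_config batch <file>`; confirm in Chapter 4), verify that heartbeat and Quorum Server traffic still flows in clear text and that package traffic is protected (Step 5), and only then copy the resulting configuration database to the other cluster nodes so that all nodes carry the identical file, as the Requirements section above demands. Keeping the heartbeat PASS policy at the highest priority is the one check worth repeating after every later edit to the file: a new transform policy with a broader address range and a better priority would silently pull heartbeat traffic into IPsec and reintroduce the reformation risk described above.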
224 HP-UX IPSec and Serviceguard