HP-UX IPSec Version A.03.00 Administrator's Guide
Step 1: Configuring HP-UX Host IPsec Policies for Serviceguard
Overview
Use the procedure described in Chapter 4, “Step 1: Configuring Host IPsec Policies” (page 72)
to configure host IPsec policies, with the following additional requirements:
• Configure PASS host IPsec policies for all packets sent between the heartbeat IP addresses.
This ensures that Serviceguard does not unnecessarily reform the cluster because of delays
introduced by HP-UX IPSec. This also ensures that HP-UX IPSec does not encrypt,
authenticate, or discard other Serviceguard control messages.
• If you are using optional Serviceguard features that exchange messages with external systems,
you can configure HP-UX IPSec to secure these messages for these services. You must also
verify that the IPSec configuration does not discard these messages.
Services that exchange messages with external systems include the following:
— “Serviceguard Quorum Server” (page 228)
— “Remote Command Execution” (page 228)
— “Serviceguard Manager Plug-in Version” (page 229)
— “Serviceguard Manager Standalone Version” (page 230)
— “WBEM Access” (page 231)
— “Cluster Object Manager (COM)” (page 232)
— “Consolidated Log (clog)” (page 232)
Table G-1 (page 233) provides a summary of the port numbers and protocols for these services.
This section describes the Serviceguard cluster information you need to determine before
configuring host IPsec policies. It also describes how to configure host IPsec policies for package
addresses, heartbeat IP addresses, and optional Serviceguard services. This section also contains
a summary of the port numbers and protocols used by Serviceguard services.
This section contains the following subsections:
• “Determining Serviceguard Cluster Information” (page 226)
• “Configuring Host IPsec Policies for Package Addresses” (page 226)
• “Configuring PASS Host IPsec Policies for Intracluster Messages” (page 227)
• “Configuring Host IPsec Policies for External Access” (page 227)
• “Summary: Serviceguard Port Numbers and Protocols” (page 233)
Determining Serviceguard Cluster Information
Before configuring IPsec policies, determine the following information about the Serviceguard
cluster:
• Heartbeat IP addresses
The heartbeat IP address for each cluster node is specified using the HEARTBEAT_IP
parameter in the node definitions section of the cluster configuration file.
• Package addresses
Package addresses are configured using the ip_address parameter within the package_ip
module in a package configuration file. In legacy package control scripts, package addresses
are configured using IP[i] statements.
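The following script is an added example, not part of the HP guide. It collects the heartbeat and package addresses from the parameters named above and lists the heartbeat address pairs that the PASS policies have to cover. The file names and addresses are constructed sample data. The file layout is an assumption: a NODE_NAME line precedes the HEARTBEAT_IP lines of each node.

```sh
#!/bin/sh
# Added example; all file contents below are constructed sample data.
# Print "node address" for each HEARTBEAT_IP in a cluster configuration file.
heartbeat_ips() {
    awk '/^[ \t]*#/ { next }                     # skip comment lines
         $1 == "NODE_NAME"    { node = $2 }      # start of a node definition
         $1 == "HEARTBEAT_IP" { print node, $2 }' "$1"
}

# Print each pair of heartbeat addresses that belong to different nodes.
# With several heartbeat subnets this also lists cross-subnet pairs.
heartbeat_pairs() {
    heartbeat_ips "$1" | awk '
        { node[NR] = $1; addr[NR] = $2 }
        END { for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                  if (node[i] != node[j]) print addr[i], addr[j] }'
}

# Print package addresses: ip_address (modular file) or IP[i]= (legacy script).
package_ips() {
    awk '/^[ \t]*#/ { next }
         $1 == "ip_address" { print $2 }
         $1 ~ /^IP\[[0-9]+\]=/ { v = $1; sub(/^IP\[[0-9]+\]=/, "", v)
                                 gsub(/"/, "", v); print v }' "$1"
}

SAMPLE_DIR=${TMPDIR:-/tmp}/sg_ipsec_example.$$   # hypothetical scratch location
mkdir -p "$SAMPLE_DIR"; trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/cluster.ascii" <<'EOF'
NODE_NAME         node1
  NETWORK_INTERFACE lan1
    HEARTBEAT_IP    192.0.2.11
# HEARTBEAT_IP 192.0.2.99   (commented out, must be ignored)
NODE_NAME         node2
  NETWORK_INTERFACE lan1
    HEARTBEAT_IP    192.0.2.12
NODE_NAME         node3
  NETWORK_INTERFACE lan1
    HEARTBEAT_IP    192.0.2.13
EOF
printf 'package_name pkg1\nip_address 198.51.100.50\n' > "$SAMPLE_DIR/pkg_modular.conf"
printf 'IP[0]="198.51.100.60"\nSUBNET[0]="198.51.100.0"\n' > "$SAMPLE_DIR/pkg_legacy.cntl"

echo "Heartbeat address pairs to cover with PASS policies:"
heartbeat_pairs "$SAMPLE_DIR/cluster.ascii"
echo "Package addresses:"
package_ips "$SAMPLE_DIR/pkg_modular.conf"; package_ips "$SAMPLE_DIR/pkg_legacy.cntl"
```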
Configuring Host IPsec Policies for Package Addresses
On the cluster nodes, configure host IPsec policies with source IP address set to the package
addresses.
On the cluster clients, configure host IPsec policies with the destination address set to the package
addresses.
226 HP-UX IPSec and Serviceguard