HP-UX IPSec Version A.03.00 Administrator's Guide
Configuring PASS Host IPsec Policies for Intracluster Messages
Configure a PASS host IPsec policy (host IPsec policy with -action PASS) for each pair of
heartbeat IP addresses in the cluster to ensure that Serviceguard heartbeat and intracluster control
messages pass in clear text.
Since the IPsec configuration database is the same for all cluster nodes, you must configure a
PASS host IPsec policy for each heartbeat IP address pair in the cluster.
Specify the following values for the remaining filter parameters in the host IPsec policies:
• Protocol: ALL
• Source and destination ports: 0 (all ports)
For the cluster shown in Figure G-1 (page 222), configuring a host IPsec policy for each heartbeat
address pair means configuring six host IPsec policies with the following filter specifications:
Source IP Address/Prefix   Destination IP Address/Prefix   Protocol   Source Port   Destination Port
10.0.0.0/8                 10.1.1.1/32                     ALL        0             0
10.0.0.0/8                 10.2.2.2/32                     ALL        0             0
10.0.0.0/8                 10.3.3.3/32                     ALL        0             0
15.0.0.0/8                 15.1.1.1/32                     ALL        0             0
15.0.0.0/8                 15.2.2.2/32                     ALL        0             0
15.0.0.0/8                 15.3.3.3/32                     ALL        0             0
CAUTION: Use caution when configuring “open” host ipsec policies (policies that allow all or
most packets to pass in clear text). For more information, see “Maximizing Security” (page 66).
Private Dedicated Heartbeat Networks
If you are using a dedicated heartbeat network that is also a private network, you can simplify
your configuration by replacing the heartbeat address filters in the private network with one
host IPsec policy for the subnet. For example, you could replace the policies for the first three
address pairs in the above table with one host IPsec policy that has the following filter:
Source IP Address/Prefix   Destination IP Address/Prefix   Protocol   Source Port   Destination Port
10.0.0.0/8                 10.0.0.0/8                      ALL        0             0
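The following is an added example, not part of the HP guide or of HP-UX IPSec: it audits how much traffic the PASS filters in the tables above leave in clear text, comparing the per-address filters with the single subnet filter. It assumes a simplified match model (each packet field must fall inside the corresponding filter field, with no priority or direction handling), and the hosts 10.9.9.9 and 10.8.8.8 are constructed, hypothetical non-heartbeat addresses.

```python
import ipaddress
from typing import NamedTuple

class Filter(NamedTuple):
    """One PASS host IPsec policy filter, as listed in the tables above."""
    src: str            # source IP address/prefix
    dst: str            # destination IP address/prefix
    proto: str = "ALL"
    sport: int = 0      # 0 = all ports
    dport: int = 0      # 0 = all ports

# The six per-address filters and the single subnet filter from this page.
PER_ADDRESS = [Filter(f"{net}.0.0.0/8", f"{net}.{n}.{n}.{n}/32")
               for net in (10, 15) for n in (1, 2, 3)]
SUBNET = [Filter("10.0.0.0/8", "10.0.0.0/8")]

def matches(f, src, dst, proto, sport, dport):
    """Simplified model (assumption): each packet field must fall inside the filter field."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(f.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(f.dst)
            and f.proto in ("ALL", proto)
            and f.sport in (0, sport)
            and f.dport in (0, dport))

def passes_in_clear(filters, src, dst, proto="TCP", sport=40000, dport=22):
    """True if any PASS filter would let this packet through unprotected."""
    return any(matches(f, src, dst, proto, sport, dport) for f in filters)

def covered_pairs(filters):
    """Number of (source, destination) address pairs the filters cover."""
    return sum(ipaddress.ip_network(f.src).num_addresses
               * ipaddress.ip_network(f.dst).num_addresses for f in filters)

if __name__ == "__main__":
    # Constructed sample packets; 10.9.9.9 and 10.8.8.8 are hypothetical hosts.
    samples = [("10.2.2.2", "10.1.1.1"), ("10.9.9.9", "10.1.1.1"),
               ("10.9.9.9", "10.8.8.8")]
    for src, dst in samples:
        print(f"{src} -> {dst}: "
              f"per-address={passes_in_clear(PER_ADDRESS, src, dst)} "
              f"subnet={passes_in_clear(SUBNET, src, dst)}")
    print("pairs covered in 10.0.0.0/8:",
          covered_pairs(PER_ADDRESS[:3]), "vs", covered_pairs(SUBNET))
```

Because the filters use protocol ALL and port 0, the sample SSH packet is treated the same as a heartbeat message, which is the exposure the CAUTION above refers to.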
Configuring Host IPsec Policies for External Access
You can also configure host IPsec policies for packets exchanged between cluster nodes and
external nodes. This section describes how to configure policies for the following applications
and services:
• “Serviceguard Quorum Server” (page 228)
• “Remote Command Execution” (page 228)
• “Serviceguard Manager Plug-in Version” (page 229)
• “Serviceguard Manager Standalone Version” (page 230)
• “WBEM Access” (page 231)
• “Cluster Object Manager (COM)” (page 232)
• “Consolidated Log (clog)” (page 232)
Step 1: Configuring HP-UX Host IPsec Policies for Serviceguard 227