HP-UX IPSec Version A.03.00 Administrator's Guide
Step 8: Configuring Serviceguard
Configure Serviceguard according to the Serviceguard product documentation, with the additional
requirements listed below. Verify the Serviceguard configuration using the cmcheckconf
command, as described in the Serviceguard product documentation.
Cluster Configuration
HP strongly recommends that you do not secure heartbeat messages using IPsec (with AH or
ESP). However, if you did configure HP-UX IPSec to secure heartbeat messages, increase the
NODE_TIMEOUT parameter value in the cluster configuration to allow time for HP-UX IPSec to
establish SAs and authenticate or encrypt the heartbeat messages.
Package Configuration
For each package using HP-UX IPSec, create the Package Configuration as described in the
Serviceguard documentation. Configure the service information for HP-UX IPSec with the
following values:
• Service command: /var/adm/ipsec/ipsec_status.sh. This is the HP-UX IPSec monitor
script.
• Service fail fast enabled feature: HP recommends that you disable this feature so Serviceguard
does not halt the node if HP-UX IPSec is not available.
• Service restart: None.
• Service halt timeout: HP recommends 300 (seconds) for this parameter.
The sections that follow contain specific examples for modular package configuration and legacy
package configuration files.
Modular Package Configuration Files
For each package using HP-UX IPSec, add a service module to the base module. The service
module will run the HP-UX IPSec monitor script. For example:
service_name ipsec
service_cmd /var/adm/ipsec/ipsec_status.sh
service_restart none
service_fail_fast_enabled no
service_halt_timeout 300
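The following check is an added example, not part of the HP guide or of Serviceguard: it audits a modular package configuration file for the HP-UX IPSec service values listed above. The function name, the sample file, and the assumption that each service block begins with service_name are illustrative.

```shell
#!/bin/sh
# Added example, not from the HP guide. Audits a modular package configuration
# file for the HP-UX IPSec service values given above. Assumptions: each
# service block starts with service_name, and "#" begins a comment line.

check_ipsec_service() {    # $1 = path to a package configuration file
    awk '
    function audit() {     # evaluate the service block collected so far
        if (cmd != "/var/adm/ipsec/ipsec_status.sh") return
        found = 1
        if (restart != "none") report("service_restart", restart, "none")
        if (failfast != "no")  report("service_fail_fast_enabled", failfast, "no")
        if (timeout != "300")  report("service_halt_timeout", timeout, "300")
    }
    function report(param, got, want) {
        printf "%s: %s is \"%s\", guide recommends \"%s\"\n", name, param, got, want
        bad = 1
    }
    /^[ \t]*#/ { next }    # skip comment lines
    NF == 0    { next }    # skip blank lines
    { key = tolower($1); val = $2; gsub(/"/, "", val) }
    key == "service_name" { audit(); name = val; cmd = restart = failfast = timeout = "" }
    key == "service_cmd"               { cmd = val }
    key == "service_restart"           { restart = tolower(val) }
    key == "service_fail_fast_enabled" { failfast = tolower(val) }
    key == "service_halt_timeout"      { timeout = val }
    END {
        audit()
        if (!found) { print "no service runs /var/adm/ipsec/ipsec_status.sh"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample: the values from the guide, but with fail fast left enabled.
demo_conf=${TMPDIR:-/tmp}/ipsec_pkg_demo.$$
cat > "$demo_conf" <<'EOF'
package_name pkg1
service_name ipsec
service_cmd /var/adm/ipsec/ipsec_status.sh
service_restart none
service_fail_fast_enabled yes
service_halt_timeout 300
EOF
check_ipsec_service "$demo_conf" || echo "package configuration needs review"
rm -f "$demo_conf"
```

The function returns nonzero when a value differs from the recommendation or when no service runs the monitor script, so it can gate a change before cmcheckconf is run.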
Legacy Package Configuration Files
Legacy package configurations contain service information in the package control file and a
package control script.
Package Control File
The following are sample entries for HP-UX IPSec from a package control file:
SERVICE_NAME pkg1_ipsec
SERVICE_FAIL_FAST_ENABLED NO
SERVICE_HALT_TIMEOUT 300
Package Control Script
The following are sample entries for HP-UX IPSec from a package control script:
SERVICE_NAME[1]=pkg1_ipsec
SERVICE_CMD[1]="/var/adm/ipsec/ipsec_status.sh"
SERVICE_RESTART[1]="-r 0"
Monitor Script Polling Interval
By default, the HP-UX IPSec monitor script polls IPsec every 60 seconds to verify that it is
available. To modify the polling interval, change the value of the IPSEC_POLLING_INTERVAL
parameter in the monitor script file, /var/adm/ipsec/ipsec_status.sh.