HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

• “Step 3: Configuring Authentication Records for Preshared Keys” (page 206)
  The authentication records contain the preshared key values and may include IKE ID
  information.
• “Step 4: Configuring Authentication Records for Certificates” (page 208)
  The authentication records contain IKE ID information to verify the ID information in the security
  certificates.
• “Step 5: Verifying and Testing the HP-UX IPSec Configuration” (page 210)
  Verify and test the HP-UX IPSec configuration on the configuration node.
• “Step 6: Configuring HP-UX IPSec Start-up Options” (page 211)
  HP-UX IPSec must be running on all cluster nodes before you start the cluster. You may want
  to configure startup options so HP-UX IPSec starts automatically at system boot-up time.
• “Step 7: Distributing HP-UX IPSec Configuration Files” (page 211)
  After you have tested the HP-UX IPSec configuration, distribute the IPsec configuration files to
  the other nodes in the cluster.
  NOTE: You must maintain the same HP-UX IPSec configuration information on each cluster
  node. If you make HP-UX IPSec configuration changes after you have started the cluster, you must
  make the same changes on all cluster nodes.
• “Step 8: Configuring Serviceguard” (page 212)
  Configure Serviceguard according to the product documentation. For each Serviceguard package
  that uses HP-UX IPSec, configure IPsec as a package service so the package will fail over if
  HP-UX IPSec is unavailable.
• “Step 9: Starting HP-UX IPSec and Serviceguard” (page 213)
  HP-UX IPSec must be running on all cluster nodes before you start Serviceguard.
Step 1: Configuring HP-UX Host IPsec Policies for Serviceguard
Overview
Use the procedure described in Chapter 4, “Step 1: Configuring host IPsec policies” (page 63) to
configure host IPsec policies, with the following additional requirements:
• Configure PASS host IPsec policies for all packets sent between the heartbeat IP addresses.
  This ensures that Serviceguard does not unnecessarily reform the cluster because of delays
  introduced by HP-UX IPSec. This also ensures that HP-UX IPSec does not encrypt, authenticate,
  or discard other Serviceguard control messages.
• If you are using optional Serviceguard features that exchange messages with external systems,
  you can configure HP-UX IPSec to secure these messages for these services. You must also
  verify that the IPSec configuration does not discard these messages.
  Services that exchange messages with external systems include the following:
    ◦ “Serviceguard Quorum Server” (page 199)
    ◦ “Remote Command Execution” (page 200)
    ◦ “Serviceguard Manager Plug-in Version” (page 201)
    ◦ “Serviceguard Manager Standalone Version” (page 202)
    ◦ “WBEM Access” (page 202)
    ◦ “Cluster Object Manager (COM)” (page 203)
    ◦ “Consolidated Log (clog)” (page 204)