HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

Quorum Server IPsec Policies
If HP-UX IPSec is installed on the Quorum Server, configure host IPsec policies for the packets listed
below with actions (PASS or transform lists) that match the policies on the cluster nodes.
Destination Port  Source Port  Protocol  Destination IP Address  Source IP Address
0                 1238         TCP       cluster node address    Quorum Server address (or wildcard)
Remote Command Execution
To enable systems outside the cluster to execute Serviceguard commands (remote command clients,
such as the systems in the /etc/cmcluster/cmclnodelist file), configure HP-UX IPSec so it
does not discard the packets listed in the sections below.
Cluster Node IPsec Policies for Remote Command Execution
For each cluster node, configure host IPsec policies so HP-UX IPSec does not discard (the transform
list contains any transform except DISCARD) the packets listed below. If HP-UX IPSec is not installed
on the remote command clients, configure PASS host IPsec policies for these packets.
Destination Port  Source Port  Protocol  Destination IP Address         Source IP Address
0                 5302         TCP       remote command client address  cluster node address (or wildcard)
0                 5302         UDP       remote command client address  cluster node address (or wildcard)
The cluster nodes also initiate TCP connections to the remote command clients using dynamically
assigned source and destination ports, as listed below. You must configure HP-UX IPSec so it does
not discard the packets listed below; however, HP recommends that you do not allow the packets
to pass in clear text. For more information, see “Maximizing security” (page 57).
Destination Port  Source Port  Protocol  Destination IP Address         Source IP Address
0                 0            TCP       remote command client address  cluster node address (or wildcard)
For remote execution of the cmscancl command, HP-UX IPSec must not discard the following
packets:
Destination Port  Source Port  Protocol  Destination IP Address         Source IP Address
0                 514          TCP       remote command client address  cluster node address (or wildcard)
Remote Command Client Host IPsec Policies
If HP-UX IPSec is installed on the remote command clients, configure host IPsec policies for the
packets listed below with actions (PASS or transform lists) that match the policies on the cluster
nodes.
Destination Port  Source Port  Protocol  Destination IP Address  Source IP Address
5302              0            TCP       cluster node address    remote command client address (or wildcard)
5302              0            UDP       cluster node address    remote command client address (or wildcard)
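
The cluster node and remote command client tables for port 5302 describe the same flows from opposite ends, with addresses and ports swapped. The following Python check is an added example, not part of the HP guide: it verifies that the two sides carry matching actions, that nothing required is DISCARD, and flags a clear-text policy on the dynamic-port row. The names Sel, mirror and audit, the host labels and EXAMPLE_TRANSFORM are constructed for illustration; policies are assumed to be already collected into dictionaries, and a missing entry is treated as a finding.

```python
from typing import NamedTuple

class Sel(NamedTuple):
    """One table row: a packet selector as seen from one host."""
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int

def mirror(s):
    """The same flow seen from the peer: addresses and ports swapped."""
    return Sel(s.dst_ip, s.src_ip, s.proto, s.dst_port, s.src_port)

NODE, CLIENT = "cluster-node", "remote-command-client"  # placeholder labels
TRANSFORM = "EXAMPLE_TRANSFORM"  # constructed placeholder, not a real transform name

# Cluster-node rows from the tables in this section.
PORT_5302 = [Sel(NODE, CLIENT, "TCP", 5302, 0), Sel(NODE, CLIENT, "UDP", 5302, 0)]
DYNAMIC = Sel(NODE, CLIENT, "TCP", 0, 0)

def audit(node, client=None):
    """node and client map Sel -> action ("PASS", "DISCARD" or a transform name).
    client=None means HP-UX IPSec is not installed on the remote command client."""
    findings = []
    for sel in PORT_5302 + [DYNAMIC]:
        if node.get(sel) in (None, "DISCARD"):
            findings.append(f"node: {sel} is missing or DISCARD")
    for sel in PORT_5302:
        action = node.get(sel)
        if action in (None, "DISCARD"):
            continue  # already reported above
        if client is None and action != "PASS":
            findings.append(f"node: {sel} must be PASS, client has no HP-UX IPSec")
        elif client is not None and client.get(mirror(sel)) != action:
            findings.append(f"client: {mirror(sel)} does not match node action {action}")
    if node.get(DYNAMIC) == "PASS":
        findings.append("node: dynamic-port TCP policy passes clear text (not recommended)")
    return findings

# Constructed sample: the client's UDP policy disagrees with the node's.
sample_node = {PORT_5302[0]: TRANSFORM, PORT_5302[1]: TRANSFORM, DYNAMIC: "PASS"}
sample_client = {mirror(PORT_5302[0]): TRANSFORM, mirror(PORT_5302[1]): "PASS"}

if __name__ == "__main__":
    for finding in audit(sample_node, sample_client):
        print(finding)
```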