Using the Sybase ASE Toolkit in a Serviceguard Cluster on HP-UX README: Release B.06.00
also stored in the Cluster Database.
If you do not restrict access of users for the SAPASSWD
package attribute, then unauthorized users can use the cmviewcl
command to view the Sybase administrator password. HP
recommends that you grant access to users based only on their roles
in managing the cluster and packages. You can configure Role Based
Access (RBA) using the following configuration parameters in the
cluster:
USER_NAME
USER_HOST
USER_ROLE
You can specify one of the following values for the USER_ROLE
parameter:
MONITOR - Allowed to perform cluster and package
view operations.
PACKAGE_ADMIN - Allowed to perform package
administration, and use cluster and
package view commands.
FULL_ADMIN - Allowed to perform cluster
administration, package administration,
and cluster and package view operations.
You can assign any of these roles to users who are not configured
as root users. Root users are usually given complete control on
the cluster using the FULL_ADMIN value.
When you specify any of these values for users who are not root
users, they can view the Sybase administrator password using the
cmviewcl command. Only those users who are not configured with
any of these values cannot view the Sybase administrator password
using the cmviewcl command.
For more information on configuring security for a Serviceguard
cluster, see the "Securing Serviceguard, March 2009" whitepaper
available at http://docs.hp.com/en/ha.html
Serviceguard allows the Role Based Access feature to be switched
off, in which case only the root user will be able to view the
package attributes.
As the Sybase administrator password is also entered in the package
configuration ASCII file, it is recommended that this file is
secured either by using file permissions feature provided by the
operating system or by deleting the file after the package is
applied.
H. Node-specific Configuration
Ensure that all files that are required by Sybase ASE to start up
cleanly