Security Solutions

# cmapplyconf -v -C /etc/cmcluster/cluster.config
For more information, see Managing Serviceguard, latest edition, at
http://www.hp.com/go/hpux-serviceguard-docs -> HP Serviceguard.
Setting up security
From Continentalclusters, all the nodes in all the clusters must be able to communicate with one
another using SSH.
When Continentalclusters is installed, a special Continentalclusters user group, conclgrp, and
a special user, conclusr, are created using the groupadd and useradd commands.
NOTE: The conclusr user is used by Continentalclusters software for internode communication. All
Continentalclusters commands and operations must be performed as root user only. When a node
is no longer part of the Continentalclusters configuration, the user must be deleted from the removed
node.
To set up the SSH environment for Continentalclusters on all the nodes of all the clusters:
1. Set a password for the Continentalclusters user. By default, the Continentalclusters user is
   conclusr.
   a. Log in as root user.
   b. Set the password for conclusr on the node.
      # passwd conclusr
2. Set up SSH equivalence between the nodes in the Continentalclusters.
   a. Log in to any node in the Continentalclusters as conclusr.
   b. Create a text file and add the Fully Qualified Domain Names (FQDN) of all the nodes
      in all the clusters to be configured in the Continentalclusters.
      For example, consider a Continentalclusters with two clusters, Cluster A and Cluster B,
      each having two nodes, Node 1 and Node 2. Create a text file, <host-list-file>,
      with the following entries:
      Node1.cup.hp.com
      Node2.cup.hp.com
      Node1.ind.hp.com
      Node2.ind.hp.com
   c. Run the following Serviceguard command to create and distribute the SSH keys:
      csshsetup -r -k rsa -f <host-list-file>
      The SSH keys set up trust among all the Continentalclusters nodes. This command also
      prompts for the password of the user conclusr for every node specified in the file
      created in step 2b. Enter the password when prompted.
   After the keys are created and distributed, the SSH connection is tested. If errors are detected
   in the SSH connection, an error message appears. Rectify the error on the node, and run the
   following command again:
      csshsetup -r -k rsa -f <host-list-file>
3. The conclusr user must have a USER_ROLE of MONITOR. All users on a node have this role by
   default. To confirm that conclusr has MONITOR access, on every node that belongs to
   Continentalclusters, log in as conclusr and run the following command:
      # cmviewcl
   If the conclusr user does not have MONITOR access, the command fails
   with the following error:
      # cmviewcl