Designing Disaster Recovery Clusters using Metroclusters and Continentalclusters, Reprinted October 2011 (5900-1881)

allow from    This lists all the nodes that are allowed access. Permissible entries are:
    all                  All hosts are allowed access.
    domain               Hosts whose names match, or end in, this string are allowed access, for example, hp.com.
    hostname             The named host (for example, kitcat.myco.com) is allowed access.
    IP address           Either a full IP address, or a partial IP address of 1 to 3 bytes for subnet inclusion, is allowed.
    network/netmask      This pair of addresses allows more precise inclusion of hosts (for example, 10.163.121.23/225.225.0.0).
    network/nnn (CIDR)   This specification is like the network/netmask specification, except the netmask consists of nnn high-order 1 bits. “CIDR” stands for Classless Interdomain Routing, a type of routing supported by the Border Gateway Protocol (BGP).
The most typical entry is hostname. The following entries are from a typical /etc/opt/cmom/cmomhosts file:
order allow,deny
allow from lanode1.myco.com
allow from lanode2.myco.com
allow from nynode1.myco.com
allow from nynode2.myco.com
allow from 10.177.242.12
If this file is installed on all nodes in the Continentalclusters configuration, these entries allow the Continentalclusters commands and monitors running on lanode1, lanode2, nynode1, and nynode2 to obtain information about the clusters in the configuration.
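The following is an added example, not part of this manual or the Continentalclusters software: a small evaluator that reads a constructed cmomhosts file and decides whether a client node (by hostname and IP address) matches any of the entry types described above. It assumes an unlisted client is denied, anchors domain entries at a label boundary (so notmyco.com does not match myco.com), and rejects unrecognised lines and malformed netmasks rather than silently widening access.

```python
import ipaddress

# Constructed sample cmomhosts file, modelled on the entry types described above.
SAMPLE_CMOMHOSTS = """\
order allow,deny
allow from lanode1.myco.com
allow from 10.177.242.12
allow from 10.163
allow from myco.com
allow from 192.168.10.0/255.255.255.0
allow from 172.16.0.0/12
"""

def parse_cmomhosts(text):
    """Return (order, allow_entries). Any line that is not 'order ...' or
    'allow from ...' is rejected so a typo cannot be misread as an entry."""
    order, allows = "allow,deny", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("order "):
            order = line.split(None, 1)[1].strip()
        elif line.startswith("allow from "):
            allows.append(line[len("allow from "):].strip())
        else:
            raise ValueError(f"unrecognised cmomhosts line: {raw!r}")
    return order, allows

def entry_matches(entry, hostname, ip):
    """Test one 'allow from' value against a client's hostname and IPv4 address."""
    addr = ipaddress.ip_address(ip)
    if entry == "all":
        return True
    if "/" in entry:
        # network/netmask or network/nnn (CIDR); ipaddress raises ValueError on a
        # non-contiguous netmask instead of guessing a range
        return addr in ipaddress.ip_network(entry, strict=False)
    if entry.replace(".", "").isdigit():
        octets = entry.split(".")
        if len(octets) == 4:
            return addr == ipaddress.ip_address(entry)      # full IP address
        return str(addr).split(".")[:len(octets)] == octets  # partial IP = subnet
    # hostname (exact) and domain (suffix at a label boundary, an assumption here)
    h, e = hostname.lower(), entry.lower()
    return h == e or h.endswith("." + e)

def is_allowed(cmomhosts_text, hostname, ip):
    """A client is allowed if any 'allow from' entry matches; all others are denied."""
    _, allows = parse_cmomhosts(cmomhosts_text)
    return any(entry_matches(e, hostname, ip) for e in allows)
```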
Network Security Configuration Requirements
In a Continentalclusters configuration, if the clusters are behind firewalls in their respective sites,
you must set appropriate firewall rules to enable inter-cluster communication. The monitoring
daemon of Continentalclusters communicates with Serviceguard Cluster Object Manager on remote
clusters. You can determine the ports used by Cluster Object Manager from the hacl-probe
entry in the /etc/services file. In the firewall of all participating clusters, you must set the rule
such that TCP and UDP protocol traffic on the hacl-probe ports are allowed from and to the IP
addresses of all nodes in the Continentalclusters configuration. For more information on firewalls
and ports, see the HP Serviceguard A.11.18 Release Notes, available at http://www.hp.com/go/hpux-ha-monitoring-docs.
Setting up Security with Continentalclusters Version A.08.00
From Continentalclusters version A.08.00, all nodes in all clusters must be able to communicate
with one another using SSH. This secure communication channel is not required for versions prior
to A.08.00. When Continentalclusters version A.08.00 is installed, a special Continentalclusters
user group, conclgrp, and a special user, conclusr, are created.
NOTE: The conclusr is used by Continentalclusters software for inter node communication. All
Continentalclusters commands and operations must be performed as root user only.