Automating Sun Cluster 3.0 Data Service Setup
- Sun Cluster 3.0 12/01 Security with the Apache and iPlanet Web and Messaging Agents
- Assumptions and Limitations
- Solaris OE Service Restriction
- Sun Cluster 3.0 Daemons
- Terminal Server Usage
- Node Authentication
- Securing Sun Cluster 3.0 12/01 Software
- Verifying Node Hardening
- Maintaining a Secure System
- Solaris Security Toolkit Software Backout Capabilities
Sun™ Cluster 3.0 12/01 Security with the Apache and iPlanet™ Web and Messaging Agents
Sun™ Cluster 3.0 12/01 software is used by organizations to provide additional assurance that mission-critical services will be available despite unexpected hardware or software failures or usage requirements. The business criticality of Sun Cluster deployments requires that the nodes in a cluster be protected against unauthorized access and misuse by malicious individuals.
To provide a robust environment in which Sun Cluster 3.0 12/01 software can be deployed, very specific requirements have been placed on the configuration of the Solaris™ Operating Environment (Solaris OE) used on Sun Cluster 3.0 nodes. Before the release of Sun Cluster 3.0 12/01 software, no secured configurations were supported. This article takes a first step towards providing secured configurations that use Sun Cluster 3.0 12/01 software by describing how three specific agents can be deployed in a secured configuration that is supported by Sun Microsystems.
These security recommendations are specific to the three Sun Cluster 3.0 agents supported in secured environments: the iPlanet™ Web Server software, the Apache web server, and the iPlanet™ Messaging Server software.
This article contrasts the recommendations made in the Sun BluePrints™ OnLine article "Solaris™ Operating Environment Security: Updated for Solaris 8 Operating Environment" with the functionality required by the Sun Cluster software. This article also describes methods for simplifying the deployment of secured configurations across the potentially many nodes in a cluster and on automated mechanism to deploy them. Solaris™ Security Toolkit software, a free toolkit that automates the hardening of Solaris OE system, is used to harden the Solaris OE images running on the nodes, as well as to install the other security software recommended in this article.
The Solaris Security Toolkit software makes over 80 modifications to the OS of each cluster node. These modifications not only disable unneeded services but also enable optional Solaris OE security enhancements. Executing the Solaris Security Toolkit hardening scripts for Sun Cluster software on a running cluster significantly reduces the number of Solaris OE services and daemons, as well as the number of access points into the cluster.
By reducing access points, disabling unused services, enabling optional security features, and generally improving the overall security of the cluster nodes, you make it much more difficult for an intruder to gain access to the cluster and misuse its resources.
The Solaris OE security hardening recommendations and the security recommendations for the Sun Cluster 3.0 software secured configuration documented in this article are based on the Solaris 8 10/01 OE (Update 6).
The Sun Cluster software qualified to run in the secured environment is Sun Cluster 3.0 12/01 software using either the iPlanet Web Server, the Apache web server, or the iPlanet Messaging Server software. The Apache web server and the iPlanet Web Server software are supported in either scalable or failover modes, while the iPlanet Messaging Server software is only supported in failover mode.