Node Authentication

Sun Cluster 3.0 12/01 software provides several options for node authentication. Node authentication is how potential nodes must identify themselves before being allowed to join a cluster. Ensuring that all nodes are properly authenticated is a critical aspect of cluster security. This section discusses what options are available and provides recommendations on what level of node authentication should be used.

The available node authentication options in Sun Cluster 3.0 12/01 software are:

  • none (i.e., any system is permitted to join the cluster)
  • IP address
  • UNIX™
  • Diffie-Hellman using DES

In addition, the scsetup command provides the following under option 6) New nodes:

 *** New Nodes Menu ***

  Please select from one of the following options:

    1) Prevent any new machines from being added to the cluster
    2) Permit any machine to add itself to the cluster
    3) Specify the name of a machine which may add itself
    4) Use standard UNIX authentication
    5) Use Diffie-Hellman authentication

    ?) Help
    q) Return to the Main Menu

At a minimum, node authentication should be set up so that new cluster nodes must be added manually, not automatically. This requires selecting option 1 to prevent systems from adding themselves and then using option 3 to specify the name of the new cluster node. For these two options, scsetup runs the following commands, which can also be run manually:

# scconf -a -T node=.
# scconf -a -T node=phys-sps-1

The next consideration is how to validate that a node is who it says it is. There are two alternatives: standard UNIX or Diffie-Hellman authentication. The default is UNIX authentication. If a private interconnect is used to connect the nodes and the scconf command has been used to restrict new nodes from joining, this is probably adequate. In environments where other systems may attempt to join the cluster, or where the data on the cluster is particularly sensitive, the use of Diffie-Hellman authentication is recommended.

Diffie-Hellman authentication uses Secure RPC to authenticate the nodes in the cluster. This requires that the public and private keys be set up properly on each of the nodes. The most effective means to do this is through NIS+, as it simplifies the management and maintenance of these key pairs. It is, however, possible to use Secure RPC without NIS+. For additional information on Secure RPC and Diffie-Hellman authentication, refer to the keyserv(1M), publickey(4), and nis+(1) man pages.
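
The following check is an added example, not code from the original article or from Sun: it reads scconf -p output on standard input and reports whether the new-node policy matches the recommendations above. The field labels and values in the sample text are assumed from typical scconf -p output and are constructed here, and the function names are hypothetical; verify the labels against your own cluster.

```shell
#!/bin/sh
# Added example: audit the new-node join policy from `scconf -p` output on stdin.
# ASSUMPTION: the labels "Cluster new node authentication:" and
# "Cluster new node list:" and the values below mirror typical `scconf -p`
# output; they are not shown in the article. Verify against your cluster.
# Exit status: 0 = restricted, 1 = any machine may join, 2 = fields not found.
audit_new_node_policy() {
    awk '
    function val(s) { sub(/^[^:]*:[ \t]*/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^Cluster new node authentication:/ { auth = val($0) }
    /^Cluster new node list:/           { list = val($0) }
    END {
        if (auth == "" || list == "") { print "UNKNOWN: policy fields not found"; exit 2 }
        rc = 0
        if (list ~ /^<NULL/)     { print "FAIL: any machine may add itself"; rc = 1 }
        else if (list ~ /^<\./)  { print "OK: no new machines may be added" }
        else                     { print "REVIEW: machines allowed to add themselves: " list }
        if (auth == "des") print "OK: Diffie-Hellman authentication"
        else print "NOTE: authentication is " auth "; adequate only with a private interconnect and a restricted node list"
        exit rc
    }'
}

# Constructed sample inputs (not captured from a real cluster).
sample_open() {
    printf '%s\n' \
        'Cluster new node authentication:    unix' \
        'Cluster new node list:              <NULL - Allow any node>'
}
sample_locked() {
    printf '%s\n' \
        'Cluster new node authentication:    des' \
        'Cluster new node list:              <. - Exclude all nodes>'
}
sample_named() {
    printf '%s\n' \
        'Cluster new node authentication:    unix' \
        'Cluster new node list:              phys-sps-1'
}

# Demo on the constructed samples; on a cluster node: scconf -p | audit_new_node_policy
for s in sample_open sample_locked sample_named; do
    echo "== $s"; "$s" | audit_new_node_policy || true
done
```

A named entry such as phys-sps-1 is reported for review rather than as a pass, since an entry left in the list after the node has joined still permits that name to add itself.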
