Create Cluster Wizard - Choose Security

Use this page to configure security for the new cluster, including the security level and the certificate and encryption key to use for secure cluster communications.

Fields

The security settings that you configure determine the security level and methods that are used to secure cluster communications.

Security level
The security level for the cluster determines the level of overall protection you want to use for the cluster. Select one of the following security levels for the new cluster:
Low
Using this setting for the security level provides minimal security of cluster communications. Packet integrity is the primary emphasis for most packets exchanged at this security level, which is provided by hashing of the packets instead of complete encryption of the packets. If your cluster is deployed in a trusted networking environment, this security level might be sufficient for your needs. This is the default setting.
Medium
Using this setting for the security level means that some communication packets are completely encrypted and some packets are exchanged with integrity checks.
High
Using this setting for the security level means that almost all cluster communications are encrypted. Using this level of security might result in reduced communication performance due to the extra overhead of using extensive encryption.
Security Node Identity
The security node identity indicates the type of certificate and associated public/private key pair that the cluster is to use for authentication. This key pair is used to protect and encrypt the symmetric keys that are distributed among the nodes, which in turn are used to encrypt and secure cluster communications. The ability to choose the type of certificate allows you to deploy security for the cluster based on the infrastructure already in place in your environment. Select one of the following security node identity types for the new cluster:
PowerHA Certificate/Key
Selecting this option allows the nodes in the cluster to use certificates and their associated public/private key pairs that are self-generated. This option allows PowerHA™ SystemMirror to generate the key pair dynamically and exchange them with the other nodes in the cluster, as needed. This setting assumes a trusted networking environment. This is the default setting.
SSH Certificate/Key
Selecting this option enables PowerHA SystemMirror to use the public/private key pairs configured to protect the SSH daemon on various nodes.
Custom Certificate/Key
Selecting this option allows you to use specific files in your environment that contain a certificate and private key pair of your choice. When you select this option you must also specify the absolute path and file names for the Certificate and the associated Key. The path and file names must exist on each node in the cluster and contain information related to each node.
Symmetric Algorithm
Specifies the algorithm that is used to generate a symmetric key that is shared among the nodes in the cluster to encrypt communications within the cluster. Select one of the following algorithms to use for symmetric key generation:
DES (Data Encryption Standard)
Generates a 56-bit symmetric key. This is the default setting.
3DES (Triple Data Encryption Algorithm)
Uses three DES keys to generate a longer, more secure symmetric key.
AES (Advanced Encryption Standard)
Generates a symmetric key with a minimum size of 128 bits and provides the strongest encryption security.
Asymmetric Algorithm
The asymmetric algorithm is used to identify the node, as well as securely exchange the symmetric keys across the cluster.
Automatically distribute certificates
Specifies whether certificates for the nodes within the cluster are to be distributed automatically upon cluster creation.
Grace period (days)
Specifies the number of days in which messages from an outdated symmetric or public key are allowed to be valid and accepted by nodes within the cluster. An encryption key, whether a symmetric key or a public key from a certificate, becomes outdated when a new key is generated based on the periodic refresh rate. The grace period allows messages that are already encrypted with the prior key to remain valid for the time period specified. The default is 24 days.
Periodic refresh rate (days)
Specifies the length of time before the certificates and keys for the nodes in the cluster are refreshed or regenerated. The default is 24 days.
Certificate
This field is available only when the Security Node Identity is set to Custom Certificate/Key. Enter the absolute path and file name for the location of the custom certificate.
Key
This field is available only when the Security Node Identity is set to Custom Certificate/Key. Enter the absolute path and file name for the location of the key associated with the custom certificate.