Use this page to configure security for the new cluster,
including the security level, and the certificate and encryption key
to use for secure cluster communications.
Configure security properties for the cluster based on the needs
of your specific cluster environment. The wizard provides default
values based on best practices.
Fields
The security settings that you configure
determine the security level and the methods that PowerHA® SystemMirror uses
to secure cluster communications.
- Level
- The security level for the cluster determines the level of overall
protection to use for the cluster. Select one of the following security
levels for the new cluster:
- Low
- This level of security provides only heartbeat authentication,
which is the default option.
Using this setting for the security
level provides minimal security for cluster communications. Packet
integrity is the primary emphasis for most packets exchanged at this
security level. Packet integrity is provided by hashing of the packets
instead of complete encryption of the packets. If your cluster is
deployed in a trusted networking environment, this security level
might be sufficient for your needs.
- Medium
- This level of security includes heartbeat authentication and also
provides encryption of some messages, such as cluster event communications.
Using this setting for the security level means that some communication
packets are encrypted while some packets are exchanged with integrity
checks.
- High
- This level of security includes heartbeat authentication and provides
encryption of all messages, including kernel interfaces.
Using this setting for the security level means that almost all cluster communications
are encrypted. Using this level of security might result in reduced
communication performance due to extensive encryption.
- None
- This level of security provides no encryption or hashing for any
cluster communication packets. You cannot configure any other security
properties when you select this security level.
- Configuration
- The value that you select for this property indicates the type
of certificate and the associated public/private key pair that the
cluster uses for authentication. PowerHA SystemMirror uses
this key pair to protect and encrypt the symmetric keys that are distributed
among the nodes. These symmetric keys are then used to encrypt and
secure cluster communications.
Choose the type of certificate that
you require to deploy security for the cluster based on the infrastructure
already in place in your environment. By default, the wizard creates
an internal key pair. However, you can choose to use Open Secure Shell
(SSH) key pairs or your own custom key information.
Select one of the following configuration options for the new cluster:
- PowerHA Certificate/Key
- Select this option for the nodes in the cluster to use self-generated
certificates and their associated public/private key pairs. This option
allows PowerHA SystemMirror to
generate the key pair dynamically and to exchange the keys with the
other nodes in the cluster, as needed. This option assumes a trusted
networking environment. This value is the default option.
- SSH Certificate/Key
- Select this option to enable PowerHA SystemMirror to use
the public/private key pairs that are configured to protect the SSH
daemon on various nodes.
- Custom Certificate/Key
- Select this option to use specific files in your environment that
contain a certificate and private key pair of your choice. When you
select this option, you must also specify the absolute path and file
names for the Certificate and the associated Key properties.
The path and file names must exist on each node in the cluster and
contain information related to each node.
- Certificate
- Specify the absolute path and file name for the location of the
custom certificate. This field is available only when the Configuration property
is set to the Custom Certificate/Key value.
- Key
- Specify the absolute path and file name for the location of the
key that is associated with the custom certificate. This field is
available only when the Configuration property
is set to the Custom Certificate/Key value.
- Symmetric Algorithm
- Specify the algorithm to use for generating a symmetric key
to share among the nodes in the cluster to encrypt communications
within the cluster. Select one of the following algorithms to use
for symmetric key generation:
- Data Encryption Standard (DES)
- Generates a 56-bit symmetric key. This value is the default option.
- Triple Data Encryption Algorithm (3DES)
- Uses three DES keys to generate a longer, more secure symmetric
key.
- Advanced Encryption Standard (AES)
- Generates a symmetric key with a minimum size of 128 bits and
provides the strongest encryption security.
- Asymmetric Algorithm
- Indicates the asymmetric algorithm that PowerHA SystemMirror uses
to identify the node and to securely exchange the symmetric keys across
the cluster.
- Automatically distribute certificates
- Select whether certificates for the nodes within the cluster are
to be distributed automatically upon cluster creation.
- Grace period (hh:mm:ss)
- Specify the length of time in hours, minutes, and seconds. This
value is the length of time in which messages from an outdated symmetric
or public key are allowed to be valid and accepted by nodes within
the cluster. An encryption key, whether a symmetric key or a public
key from a certificate, becomes outdated when a new key is generated
based on the periodic refresh rate. The grace period allows messages
that are already encrypted with the prior key to remain valid for
the time period specified. The default is 24 days.
You must select
Yes for the Automatically distribute certificates property
to be able to configure the grace period.
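The grace-period behavior described above, modeled as an added example (not PowerHA SystemMirror code): a receiving node keeps the prior key after a refresh and accepts messages under it only until the grace period ends. The `KeyRing` class, the `parse_grace` helper, the use of HMAC-SHA256 tags, and all sample keys and times are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def parse_grace(hhmmss: str) -> int:
    """Convert an hh:mm:ss grace period to seconds (hours unbounded: assumption)."""
    hours, minutes, seconds = (int(part) for part in hhmmss.split(":"))
    if hours < 0 or not (0 <= minutes < 60 and 0 <= seconds < 60):
        raise ValueError(f"invalid grace period: {hhmmss!r}")
    return hours * 3600 + minutes * 60 + seconds


@dataclass
class KeyRing:  # hypothetical model of one node's view of the shared keys
    grace_seconds: int
    current_id: int = 0
    keys: dict = field(default_factory=dict)        # key id -> key bytes
    retired_at: dict = field(default_factory=dict)  # key id -> time it was superseded

    def refresh(self, new_key: bytes, now: float) -> None:
        """Install a new key; the prior key becomes outdated at `now`."""
        if self.keys:
            self.retired_at[self.current_id] = now
            self.current_id += 1
        self.keys[self.current_id] = new_key

    def seal(self, payload: bytes) -> tuple:
        """Tag a payload with the current key (HMAC-SHA256 is a stand-in)."""
        tag = hmac.new(self.keys[self.current_id], payload, hashlib.sha256).digest()
        return self.current_id, payload, tag

    def accept(self, message: tuple, now: float) -> bool:
        """Accept if the tag verifies and the key is current or within grace."""
        key_id, payload, tag = message
        key = self.keys.get(key_id)
        if key is None:
            return False
        retired = self.retired_at.get(key_id)
        if retired is not None and now - retired > self.grace_seconds:
            return False  # outdated key and the grace period has ended
        return hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag)

if __name__ == "__main__":
    ring = KeyRing(parse_grace("01:30:00"))   # constructed value, 5400 s
    ring.refresh(b"constructed-key-0", now=0)
    old = ring.seal(b"heartbeat")
    ring.refresh(b"constructed-key-1", now=1000)
    print(ring.accept(old, now=6400), ring.accept(old, now=6401))
```

A longer grace period tolerates nodes that pick up a refreshed key late, but it also lengthens the time during which messages under the prior key are still accepted.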
For more information about cluster security, see
the Cluster security topic in the AIX® Information Center.