Create a Cluster Wizard: Configure Security

Use this page to configure security for the new cluster, including the security level, and the certificate and encryption key to use for secure cluster communications.

Configure security properties for the cluster based on the needs of your specific cluster environment. The wizard provides default values based on best practices.

Fields

The security settings that you configure determine the security level and the methods that PowerHA® SystemMirror uses to secure cluster communications.

Level
The security level for the cluster determines the level of overall protection to use for the cluster. Select one of the following security levels for the new cluster:
Low
This level of security provides only heartbeat authentication, which is the default option.

Using this setting for the security level provides minimal security for cluster communications. Packet integrity is the primary emphasis for most packets exchanged at this security level. Packet integrity is provided by hashing of the packets instead of complete encryption of the packets. If your cluster is deployed in a trusted networking environment, this security level might be sufficient for your needs.

Medium
This level of security includes heartbeat authentication and also provides encryption of some messages, such as cluster event communications.

Using this setting for the security level means that some communication packets are encrypted while some packets are exchanged with integrity checks.

High
This level of security includes heartbeat authentication and provides encryption of all messages, including kernel interfaces.

Using this setting for the security level means that almost all cluster communications are encrypted. Using this level of security might result in reduced communication performance due to extensive encryption.

None
This level of security provides no encryption or hashing for any cluster communication packets. You cannot configure any other security properties when you select this security level.
Configuration
The value that you select for this property indicates the type of certificate and the associated public/private key pair that the cluster uses for authentication. PowerHA SystemMirror uses this key pair to protect and encrypt the symmetric keys that are distributed among the nodes. These symmetric keys are then used to encrypt and secure cluster communications.

Choose the type of certificate that you require to deploy security for the cluster based on the infrastructure already in place in your environment. By default, the wizard creates an internal key pair. However, you can choose to use Open Secure Shell (SSH) key pairs or your own custom key information.

Select one of the following configuration options for the new cluster:

PowerHA Certificate/Key
Select this option for the nodes in the cluster to use self-generated certificates and their associated public/private key pairs. This option allows PowerHA SystemMirror to generate the key pair dynamically and to exchange the keys with the other nodes in the cluster, as needed. This option assumes a trusted networking environment. This value is the default option.
SSH Certificate/Key
Select this option to enable PowerHA SystemMirror to use the public/private key pairs that are configured to protect the SSH daemon on various nodes.
Custom Certificate/Key
Select this option to use specific files in your environment that contain a certificate and private key pair of your choice. When you select this option, you must also specify the absolute path and file names for the Certificate and the associated Key properties. The path and file names must exist on each node in the cluster and contain information related to each node.
Certificate
Specify the absolute path and file name for the location of the custom certificate. This field is available only when the Configuration property is set to the Custom Certificate/Key value.
Key
Specify the absolute path and file name for the location of the key that is associated with the custom certificate. This field is available only when the Configuration property is set to the Custom Certificate/Key value.
Symmetric Algorithm
Specify the algorithm that to use for generating a symmetric key to share among the nodes in the cluster to encrypt communications within the cluster. Select one of the following algorithms to use for symmetric key generation:
Data Encryption Standard (DES)
Generates a 56-bit symmetric key. This value is the default option.
Triple Data Encryption Algorithm (3DES)
Uses three DES keys to generate a longer, more secure symmetric key.
Advanced Encryption Standard (AES)
Generates a symmetric key with a minimum size of 128 bits and provides the strongest encryption security.
Asymmetric Algorithm
Indicates the asymmetric algorithm that PowerHA SystemMirror uses to identify the node and to securely exchange the symmetric keys across the cluster.
Automatically distribute certificates
Select whether certificates for the nodes within the cluster are to be distributed automatically upon cluster creation.
Grace period (hh:mm:ss)
Specify the length of time in hours, minutes, and seconds. This value is the length of time in which messages from an outdated symmetric or public key are allowed to be valid and accepted by nodes within the cluster. An encryption key, whether a symmetric key or a public key from a certificate, becomes outdated when a new key is generated based on the periodic refresh rate. The grace period allows messages that are already encrypted with the prior key to remain valid for the time period specified. The default is 24 days.

You must select Yes for the Automatically distribute certificates property to be able to configure the grace period.

For more information about cluster security, see the Cluster security topic in the AIX® Information Center.