Chapter 3. Cluster Systems Management security infrastructure 29
To ensure that ctcasd uses the correct public key during the encryption process,
the public keys in the trusted host list (THL) file are associated with the host
name of the node. For this reason, it is necessary that all nodes within the CSM
cluster (including the management server) resolve names identically.
First, ctcasd encrypts the session key with the target host’s public key derived
from the THL file. This ensures that only the target node can decrypt this session
key with its private key, and data privacy is ensured.
To ensure data integrity for the host credentials, ctcasd now encrypts the whole
credential data structure using the initiator’s private key. Everyone can decrypt
the data block with the sender’s public key, but the target node can be sure it was
sent by the expected node.
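The exchange described above, sketched as an added example (not code from this book or from RSCT). Textbook RSA on small integers stands in for the real algorithm, and the host names, keys and function names are constructed for illustration; the "from" field models the name the target resolves for the sender.

```python
# Toy model of the ctcasd exchange described above. Textbook RSA on small
# integers stands in for the real algorithm; all names and keys are constructed.

def make_key(p, q, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"pub": (e, n), "priv": (pow(e, -1, phi), n)}

def rsa(value, key):
    exponent, modulus = key
    return pow(value, exponent, modulus)

MGMT, NODE = "mgmt.cluster.example", "node1.cluster.example"
HOST_KEYS = {MGMT: make_key(61, 53), NODE: make_key(89, 97)}

def build_credential(initiator, target, thl, session_key):
    """Initiator side: thl maps host name -> public key (models the THL file)."""
    target_pub = thl[target]                      # key is chosen by host name
    enc_session = rsa(session_key, target_pub)    # only the target can decrypt
    priv = HOST_KEYS[initiator]["priv"]
    enc_cred = [rsa(b, priv) for b in initiator.encode()]  # ties data to sender
    return {"from": initiator, "session": enc_session, "cred": enc_cred}

def accept_credential(msg, target, thl):
    """Target side: return the session key, or None if the sender is not trusted."""
    sender_pub = thl.get(msg["from"])             # lookup by resolved host name
    if sender_pub is None:
        return None                               # no THL entry under that name
    plain = [rsa(c, sender_pub) for c in msg["cred"]]
    if any(v > 255 for v in plain) or bytes(plain).decode(errors="replace") != msg["from"]:
        return None                               # not made with that host's private key
    return rsa(msg["session"], HOST_KEYS[target]["priv"])

if __name__ == "__main__":
    pub = {h: k["pub"] for h, k in HOST_KEYS.items()}
    msg = build_credential(MGMT, NODE, {NODE: pub[NODE]}, session_key=4242)
    # The node's THL lists the sender under the same name the sender uses.
    print(accept_credential(msg, NODE, {MGMT: pub[MGMT]}))
    # The node knows the sender only by its short name: the THL lookup misses.
    print(accept_credential(msg, NODE, {"mgmt": pub[MGMT]}))
```

The second call fails even though the key in the THL is correct, which is why short and fully qualified names must not be mixed within a cluster.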
The distribution of public keys to all nodes is performed by CSM. By adding a
node to the CSM cluster, CSM runs RSCT commands to achieve the public key
exchange between the management server and its nodes.
The public key exchange is done over the network. During this exchange, the
network must be secure against tracing and spoofing, because the keys are
bound to a node within the cluster.
In the current version, the host keys generated by ctcasd do not expire, but they
can be updated manually as described in 6.1.4, “The ctcasd daemon key files” on
page 84.
3.2.5 Identity mapping service
The identity mapping (IDM) service result is used for authorization. The IDM
service maps the network identities to local identities if there is a mapping rule
specified in the configuration files (called maps).
Important: To ensure identical host name resolution, all participating cluster
members should use a method for name resolution that gives identical results
on all nodes in a CSM cluster. The name resolution method and order can be
changed in /etc/netsvc.conf (for AIX systems). All hosts should also use either
short or fully qualified host names. If the cluster consists of nodes in different
domains, fully qualified host names must be used.
Important: With CSM, it is not possible to disable the public key exchange. If
you feel that your network is not secure enough, you should verify the keys on
the management server and nodes manually. To verify the keys, refer to 6.1.8,
“Verifying exchanged public host keys” on page 89.