The following subsections provide a summary of security-related configuration settings for Business Continuity Clustering 1.1:
The following table lists the BCC configuration settings that are security-related or impact the security of BCC:
Table C-2 BCC Security Configuration Settings
|
Configuration Setting |
Possible Values |
Default Value |
Recommended Value for Best Security |
|---|---|---|---|
|
Inter-cluster communications scheme |
HTTP/HTTPS |
HTTPS |
HTTPS |
|
Identity Manager communications |
Secure/Non-secure |
|
Secure |
|
BCC Administrator user quota in sys:tmp |
0 MB to unlimited MB |
Unlimited MB |
5 MB |
|
BCC Administrator user |
Any LUM-enabled eDirectory User |
|
Unique BCC Administrator user (not Admin user) |
|
BCC Administrator group |
Any LUM-enabled eDirectory group |
bccgroup |
Unique group used for BCC administration |
|
Peer cluster CIMOM URL |
http://cluster_ip_address https://cluster_ip_address |
cluster_ip_address |
Default value |
WARNING:You should not change these configuration settings unless instructed to do so by Novell Support. Doing so can have adverse affects on your cluster nodes and BCC.
The following XML is saved on the NCS:BCC Settings attribute on the local Cluster object in eDirectory. The BCC must be restarted for changes to these settings to take effect.
<bccSettings>
<adminGroupName>bccgroup</adminGroupName>
<authorizationCacheTTL>300</authorizationCacheTTL>
<cimConnectTimeout>15</cimConnectTimeout>
<cimReceiveTimeout>30</cimReceiveTimeout>
<cimSendTimeout>30</cimSendTimeout>
<idlePriorityThreshold>3</idlePriorityThreshold>
<initialNormalThreads>3</initialNormalThreads>
<initialPriorityThreads>2</initialPriorityThreads>
<ipcResponseTimeout>15</ipcResponseTimeout>
<maximumPriorityThreads>20</maximumPriorityThreads>
<minimumPriorityThreads>2</minimumPriorityThreads>
<resourceOfflineTimeout>300</resourceOfflineTimeout>
<resourceOnlineTimeout>300</resourceOnlineTimeout>
<scanForNewDevicesDelay>5</scanForNewDevicesDelay>
</bccSettings>
On Linux, the above XML is written to /etc/opt/novell/bcc/bccsettings.xml. It should be noted that on Linux this file might be overwritten by BCC at any time. Therefore, any changes to this file on Linux are ignored and lost. All changes should be made in eDirectory.
Table C-3 provides additional information on each setting:
Table C-3 BCC XML Settings
|
Setting |
Description |
Default Value |
|---|---|---|
|
<adminGroupName> |
The name of the LUM-enabled group that BCC uses on Linux. |
bccgroup |
|
<authorizationCacheTTL> |
The number of seconds the authorization rights are cached in the BCC OpenWBEM provider. |
300 seconds This is not supported until the first support pack. |
|
<cimConnectTimeout> |
BCC CIM client connect timeout in seconds. |
15 seconds |
|
<cimReceiveTimeout> |
BCC CIM client receive timeout in seconds. |
30 seconds |
|
<cimSendTimeout> |
BCC CIM client send timeout in seconds. |
30 seconds |
|
<idlePriorityThreshold> |
The number of idle high priority threads before BCC starts killing priority threads. |
3 |
|
<initialNormalThreads> |
The number of normal threads created by BCC. |
3 |
|
<initialPriorityThreads> |
The number of high priority threads created by BCC at startup. |
2 |
|
<ipcResponseTimeout> |
The timeout in seconds that BCC waits for an IPC response. |
15 |
|
<maximumPriorityThreads> |
The maximum number of high priority threads BCC creates. |
20 |
|
<minimumPriorityThreads> |
The minimum number of high priority threads BCC keeps after killing idle high priority threads. |
2 |
|
<resourceOfflineTimeout> |
The number of seconds BCC waits for a resource to go offline during a BCC migrate. |
300 |
|
<resourceOnlineTimeout> |
The number of seconds BCC waits for a resource to go online during a BCC migrate. |
300 |
|
<scanForNewDevicesDelay> |
The number of seconds BCC sleeps after performing a scan for new devices during a BCC migration of a resource. |
5 |
Disabling SSL for inter-cluster communication should only be done for debugging purposes, and should not be done in a production environment or for an extended period of time.
To turn off SSL for inter-cluster communication, or to specify a different communication port, you need to modify the Novell Cluster Servicesā¢ Cluster object that is stored in eDirectory by using an eDirectory management tool such as iManager or ConsoleOneĀ®. See the Novell iManager 2.5 Documentation Web site for information on using iManager.
Disabling SSL communication to a specific peer cluster requires changing the BCC management address to the peer cluster. The address is contained in the NCS:BCC Peers attribute that is stored on the NCS Cluster object.
For example, a default NCS:BCC Peers attribute could appear similar to the following example:
<peer>
<cluster>chicago_cluster</cluster>
<tree>DIGITALAIRLINES-TREE</tree>
<address>10.1.1.10</address>
</peer>
To disable SSL for inter-cluster communication, you would change the <address> attribute to specify http:// with the IP address, as shown in the following example:
<peer>
<cluster>chicago_cluster</cluster>
<tree>DIGITALAIRLINES-TREE</tree>
<address>http://10.1.1.10</address> </peer>
The BCC management address of chicago_cluster now specifies non-secure HTTP communication.
The BCC management port can also be changed by modifying the NCS:BCC Peers attribute values.
The default ports for secure and non-secure inter-cluster communication are 5989 and 5988 respectively.
For example, if you want to change the secure port on which OpenWBEM listens from port 5989 to port 1234, you would change the <address> attribute value in the above examples to:
<peer>
<cluster>chicago_cluster</cluster>
<tree>DIGITALAIRLINES-TREE</tree>
<address>10.1.1.10:1234</address>
</peer>
The attribute now specifies that inter-cluster communication uses HTTPS over port number 1234.
The NCS:BCC Peers attribute has a value for each peer cluster in the BCC. Attribute values are synchronized among peer cluster by the BCC-specific Identity Manager driver, so a change to an attribute value on one cluster causes that attribute value to be synchronized to each peer cluster in the BCC.
The changes do not take effect until either a reboot of each cluster node, or by a restart of the Business Continuity Clustering software on each cluster node.
The following table provides an example of possible combinations of scheme and port specifier for the <address> tag for values of the NCS:BCC Peers attribute:
Table C-4 Example of Scheme and Port Specifier Values for the NCS:BCC Peers Attribute
|
Value |
Protocol Used |
Port Used |
|---|---|---|
|
10.1.1.10 |
HTTPS |
5989 |
|
10.1.1.10:1234 |
HTTPS |
1234 |
|
http://10.1.1.10 |
HTTP |
5988 |
|
http://10.1.1.10:1234 |
HTTP |
1234 |
|
https://10.1.1.10 |
HTTPS |
5989 |
|
https://10.1.1.10:1234 |
HTTPS |
1234 |
The following table provides links to security-related information for other products that impact the security of BCC:
Table C-5 Security Information for Other Products
|
Product Name |
Links to Security Information |
|---|---|
|
NSS |
and |
|
eDirectory |
Security for eDirectory is provided by NICI. See the NICI 2.7x Administration Guide |
|
Identity Manager (IDM) |
|
|
iSCSI |
|
|
OpenWBEM |
OpenWBEM should be configured on each node to allow only the necessary users. OpenWBEM by default allows all users. For more information, see |
|
Linux User Management (LUM) |