C.2 Security Configuration

The following subsections provide a summary of security-related configuration settings for Business Continuity Clustering 1.1:

C.2.1 BCC Configuration Settings

The following table lists the BCC configuration settings that are security-related or impact the security of BCC:

Table C-2 BCC Security Configuration Settings

Configuration Setting

Possible Values

Default Value

Recommended Value for Best Security

Inter-cluster communications scheme




Identity Manager communications




BCC Administrator user quota in sys:tmp

0 MB to unlimited MB

Unlimited MB

5 MB

BCC Administrator user

Any LUM-enabled eDirectory User


Unique BCC Administrator user (not Admin user)

BCC Administrator group

Any LUM-enabled eDirectory group


Unique group used for BCC administration

Peer cluster CIMOM URL




Default value

Changing the BCC XML Configuration

WARNING:You should not change these configuration settings unless instructed to do so by Novell Support. Doing so can have adverse affects on your cluster nodes and BCC.

The following XML is saved on the NCS:BCC Settings attribute on the local Cluster object in eDirectory. The BCC must be restarted for changes to these settings to take effect.


On Linux, the above XML is written to /etc/opt/novell/bcc/bccsettings.xml. It should be noted that on Linux this file might be overwritten by BCC at any time. Therefore, any changes to this file on Linux are ignored and lost. All changes should be made in eDirectory.

Table C-3 provides additional information on each setting:

Table C-3 BCC XML Settings



Default Value


The name of the LUM-enabled group that BCC uses on Linux.



The number of seconds the authorization rights are cached in the BCC OpenWBEM provider.

300 seconds

This is not supported until the first support pack.


BCC CIM client connect timeout in seconds.

15 seconds


BCC CIM client receive timeout in seconds.

30 seconds


BCC CIM client send timeout in seconds.

30 seconds


The number of idle high priority threads before BCC starts killing priority threads.



The number of normal threads created by BCC.



The number of high priority threads created by BCC at startup.



The timeout in seconds that BCC waits for an IPC response.



The maximum number of high priority threads BCC creates.



The minimum number of high priority threads BCC keeps after killing idle high priority threads.



The number of seconds BCC waits for a resource to go offline during a BCC migrate.



The number of seconds BCC waits for a resource to go online during a BCC migrate.



The number of seconds BCC sleeps after performing a scan for new devices during a BCC migration of a resource.


Disabling SSL for Inter-Cluster Communication

Disabling SSL for inter-cluster communication should only be done for debugging purposes, and should not be done in a production environment or for an extended period of time.

To turn off SSL for inter-cluster communication, or to specify a different communication port, you need to modify the Novell Cluster Servicesā„¢ Cluster object that is stored in eDirectory by using an eDirectory management tool such as iManager or ConsoleOneĀ®. See the Novell iManager 2.5 Documentation Web site for information on using iManager.

Disabling SSL communication to a specific peer cluster requires changing the BCC management address to the peer cluster. The address is contained in the NCS:BCC Peers attribute that is stored on the NCS Cluster object.

For example, a default NCS:BCC Peers attribute could appear similar to the following example:


To disable SSL for inter-cluster communication, you would change the <address> attribute to specify http:// with the IP address, as shown in the following example:


The BCC management address of chicago_cluster now specifies non-secure HTTP communication.

The BCC management port can also be changed by modifying the NCS:BCC Peers attribute values.

The default ports for secure and non-secure inter-cluster communication are 5989 and 5988 respectively.

For example, if you want to change the secure port on which OpenWBEM listens from port 5989 to port 1234, you would change the <address> attribute value in the above examples to:


The attribute now specifies that inter-cluster communication uses HTTPS over port number 1234.

The NCS:BCC Peers attribute has a value for each peer cluster in the BCC. Attribute values are synchronized among peer cluster by the BCC-specific Identity Manager driver, so a change to an attribute value on one cluster causes that attribute value to be synchronized to each peer cluster in the BCC.

The changes do not take effect until either a reboot of each cluster node, or by a restart of the Business Continuity Clustering software on each cluster node.

The following table provides an example of possible combinations of scheme and port specifier for the <address> tag for values of the NCS:BCC Peers attribute:

Table C-4 Example of Scheme and Port Specifier Values for the NCS:BCC Peers Attribute


Protocol Used

Port Used













C.2.2 Security Information for Other Products

The following table provides links to security-related information for other products that impact the security of BCC:

Table C-5 Security Information for Other Products

Product Name

Links to Security Information


Securing Access to NSS Volumes, Directories, and Files.


Security Considerations.


Security for eDirectory is provided by NICI. See the NICI 2.7x Administration Guide

Identity Manager (IDM)

Security: Best Practices in the Identity Manager Administration Guide.


Configuring Access Control to iSCSI Targets and Enabling and Configuring iSCSI Initiator Security in the NW 6.5 SP8: iSCSI 1.1.3 Administration Guide


OpenWBEM should be configured on each node to allow only the necessary users. OpenWBEM by default allows all users. For more information, see Changing the Authentication Configurationin the OpenWBEM Services Administration Guide for OES.

Linux User Management (LUM)

Linux User Management Technology Guide.