10.2 Security Configuration

The following subsections provide a summary of security-related configuration settings for Business Continuity Clustering 1.1:

10.2.1 BCC Configuration Settings

The following table lists the BCC configuration settings that are security-related or impact the security of BCC:

Table 10-2 BCC Security Configuration Settings

Configuration Setting

Possible Values

Default Value

Recommended Value for Best Security

Inter-cluster communications scheme

HTTP (port 5988)

HTTPS (port 5989)

HTTPS

HTTPS

Identity Manager communications

Secure/Non-secure

This is the certificate in the Identity Manager driver setup. If you create the driver with an SSL certificate, it is secure. If not, it is in the clear.

Secure

SSL certificates are mandatory for User Synchronization drivers to synchronize between trees.

BCC Administrator user quota in sys:tmp

0 MB to unlimited MB

Unlimited MB

5 MB

Set this by using the NSS user quotas feature.

BCC Administrator user

Any LUM-enabled eDirectory User

This is the user you specify when you are setting the BCC credentials.

The BCC Administrator user is not automatically assigned the rights necessary to manage all aspects of each peer cluster. When managing individual clusters, you must log in as the Cluster Administrator user. You can manually assign the Cluster Administrator rights to the BCC Administrator user for each of the peer clusters if you want the BCC Administrator user to have all rights.

Unique BCC Administrator user (not the Admin user and not the Cluster Admin user)

BCC Administrator group

Any LUM-enabled eDirectory group

bccgroup

Unique group used for BCC administration.

See Section 4.3, Configuring a BCC Administrator User.

Peer cluster CIMOM URL (same as the Inter-cluster communication scheme)

http://cluster_ip_address

cluster_ip_address where https:// is assumed.

cluster_ip_address

https:// is assumed.

Default value

10.2.2 Changing the NCS: BCC Setings Attribute in the BCC XML Configuration

WARNING:You should not change the configuration settings for the NCS:BCC Settings attribute unless instructed to do so by Novell Support. Doing so can have adverse affects on your cluster nodes and BCC.

The following XML for the NCS:BCC Settings attribute is saved on the local Cluster object in eDirectory. The BCC must be restarted for changes to these settings to take effect. These are advanced settings that are intentionally not exposed in the BCC plug-in for iManager.

<bccSettings>
        <adminGroupName>bccgroup</adminGroupName>
        <authorizationCacheTTL>300</authorizationCacheTTL>
        <cimConnectTimeout>15</cimConnectTimeout>
        <cimReceiveTimeout>30</cimReceiveTimeout>
        <cimSendTimeout>30</cimSendTimeout>
        <idlePriorityThreshold>3</idlePriorityThreshold>
        <initialNormalThreads>3</initialNormalThreads>
        <initialPriorityThreads>2</initialPriorityThreads>
        <ipcResponseTimeout>15</ipcResponseTimeout>
        <maximumPriorityThreads>20</maximumPriorityThreads>
        <minimumPriorityThreads>2</minimumPriorityThreads>
        <resourceOfflineTimeout>300</resourceOfflineTimeout>
        <resourceOnlineTimeout>300</resourceOnlineTimeout>
        <scanForNewDevicesDelay>5</scanForNewDevicesDelay>
</bccSettings>

Table 10-3 provides additional information on each setting:

Table 10-3 BCC XML Settings

Setting

Description

Default Value

<adminGroupName>

The name of the LUM-enabled group that BCC uses on Linux.

bccgroup

<authorizationCacheTTL>

The number of seconds the authorization rights are cached in the BCC OpenWBEM provider.

300 seconds

This is supported in BCC 1.1 and later.

<cimConnectTimeout>

BCC CIM client connect timeout in seconds.

15 seconds

<cimReceiveTimeout>

BCC CIM client receive timeout in seconds.

30 seconds

<cimSendTimeout>

BCC CIM client send timeout in seconds.

30 seconds

<idlePriorityThreshold>

The number of idle high priority threads before BCC starts killing priority threads.

3

<initialNormalThreads>

The number of normal threads created by BCC.

3

<initialPriorityThreads>

The number of high priority threads created by BCC at startup.

2

<ipcResponseTimeout>

The timeout in seconds that BCC waits for an IPC response.

15

<maximumPriorityThreads>

The maximum number of high priority threads BCC creates.

20

<minimumPriorityThreads>

The minimum number of high priority threads BCC keeps after killing idle high priority threads.

2

<resourceOfflineTimeout>

The number of seconds BCC waits for a resource to go offline during a BCC migrate.

300

<resourceOnlineTimeout>

The number of seconds BCC waits for a resource to go online during a BCC migrate.

300

<scanForNewDevicesDelay>

The number of seconds BCC sleeps after performing a scan for new devices during a BCC migration of a resource.

5

10.2.3 Disabling SSL for Inter-Cluster Communication

Disabling SSL for inter-cluster communication should only be done for debugging purposes, and should not be done in a production environment or for an extended period of time.

To turn off SSL for inter-cluster communication, or to specify a different communication port, you need to modify the Novell Cluster Servicesā„¢ Cluster object that is stored in eDirectory by using an eDirectory management tool such as iManager or ConsoleOneĀ®. See the Novell iManager 2.7 Administration Guide for information on using iManager.

Disabling SSL communication to a specific peer cluster requires changing the BCC management address to the peer cluster. The address is contained in the NCS:BCC Peers attribute that is stored on the NCS Cluster object.

For example, a default NCS:BCC Peers attribute could appear similar to the following example where https:// is assumed and is never specified explicitly:

<peer>
  <cluster>chicago_cluster</cluster>
  <tree>DIGITALAIRLINES-TREE</tree>
  <address>10.1.1.10</address>
</peer>

To disable SSL for inter-cluster communication, you would change the <address> attribute to specify http:// with the IP address, as shown in the following example:

<peer>
  <cluster>chicago_cluster</cluster>
  <tree>DIGITALAIRLINES-TREE</tree>
  <address>http://10.1.1.10</address>
</peer>

The BCC management address of chicago_cluster now specifies non-secure HTTP communication.

The BCC management port can also be changed by modifying the NCS:BCC Peers attribute values.

The default ports for secure and non-secure inter-cluster communication are 5989 and 5988 respectively.

For example, if you want to change the secure port on which OpenWBEM listens from port 5989 to port 1234, you would change the <address> attribute value in the above examples to:

<peer>
  <cluster>chicago_cluster</cluster>
  <tree>DIGITALAIRLINES-TREE</tree>
  <address>10.1.1.10:1234</address>
</peer>

The attribute now specifies that inter-cluster communication uses HTTPS over port number 1234.

The NCS:BCC Peers attribute has a value for each peer cluster in the BCC. Attribute values are synchronized among peer clusters by the BCC-specific Identity Manager driver, so a change to an attribute value on one cluster causes that attribute value to be synchronized to each peer cluster in the BCC.

The changes do not take effect until either a reboot of each cluster node, or a restart of the Business Continuity Clustering software on each cluster node.

The following table provides an example of possible combinations of scheme and port specifier for the <address> tag for values of the NCS:BCC Peers attribute:

Table 10-4 Example of Scheme and Port Specifier Values for the NCS:BCC Peers Attribute

Value

Protocol Used

Port Used

10.1.1.10

HTTPS

5989

10.1.1.10:1234

HTTPS

1234

http://10.1.1.10

HTTP

5988

http://10.1.1.10:1234

HTTP

1234