Standard security mode

In standard security mode, PowerHA® SystemMirror® authenticates requests for incoming connections by checking the source IP address, the port number, and user privilege.

Remote command execution for commands in /usr/es/sbin/cluster uses the principle of least privilege. This ensures that no arbitrary command can run on a remote node with root privilege. A select set of PowerHA SystemMirror commands are considered trusted and allowed to run as root; all other commands run as user nobody.

The dependency on rsh and the ~/.rhosts file to configure host access has been eliminated. Although this file is optional, some commands external to PowerHA SystemMirror (for example, user-defined event scripts and user programs) may still require an ~/.rhosts file. PowerHA SystemMirror now relies on an internal PowerHA SystemMirror trusted host file, /etc/cluster/rhosts, to authenticate PowerHA SystemMirror communications.

Note: PowerHA SystemMirror does not use native AIX® remote execution (rsh), so you do not need to configure a ~/.rhosts file unless you intend to use Workload Partitions (WPAR), which have their own requirements on this file.

To manage inter-node communications, the Cluster Communications daemon requires a list of valid cluster IP labels or addresses to use. There are two ways to provide this information:

  • Automatic node configuration
  • Individual node configuration (more secure).

Note: During discovery, each node that receives a connect request checks the /etc/cluster/rhosts file to ensure that the request is from a legitimate cluster node. The smit.log file indicates whether this file is missing or has incorrect entries.
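
Because a missing or incorrect /etc/cluster/rhosts only shows up in smit.log once discovery runs, the file can be checked beforehand. The script below is an added example, not IBM code or part of the original page. It assumes one IP address or IP label per line with `#` comments, and that the file should not be writable by group or other. The function name `audit_rhosts` and the sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example, not IBM code. Assumed format: one IP address or IP label
# per line, '#' starts a comment. Returns 0 = clean, 1 = problems, 2 = missing.
audit_rhosts() {
    file=$1; problems=0; lineno=0
    if [ ! -f "$file" ]; then
        echo "MISSING: $file"; return 2
    fi
    # Group- or world-writable means a non-root user could add a trusted host.
    if [ -n "$(find "$file" \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]; then
        echo "PERMS: $file is writable by group or other"; problems=$((problems + 1))
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        entry=$(printf '%s\n' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$entry" ] && continue
        ok=1
        case $entry in
            *[!A-Za-z0-9.:_-]*) ok=0 ;;   # '+', wildcards, "host user" pairs
            *[!0-9.]*) ;;                 # IP label or IPv6 literal: accepted
            *)                            # all digits and dots: must be IPv4
                oldifs=$IFS; IFS=.; set -- $entry; IFS=$oldifs
                [ $# -eq 4 ] || ok=0
                for octet in "$@"; do
                    [ -n "$octet" ] && [ "$octet" -le 255 ] 2>/dev/null || ok=0
                done ;;
        esac
        if [ "$ok" -eq 0 ]; then
            echo "BAD ENTRY line $lineno: $entry"; problems=$((problems + 1))
        fi
    done < "$file"
    [ "$problems" -eq 0 ]
}

# Constructed sample input (not from a real cluster).
sample=$(mktemp) && chmod 600 "$sample"
printf '%s\n' '# cluster nodes' '192.0.2.21' 'nodeb_boot' '+' '192.0.2.300' 'nodec root' > "$sample"
audit_rhosts "$sample" || echo "audit found problems"
rm -f "$sample"
```

On a cluster node, run it as `audit_rhosts /etc/cluster/rhosts`.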