Cluster secure communication subsystem
PowerHA® SystemMirror® has a common communication infrastructure that increases the security of intersystem communications. Cluster utilities use the Cluster Communications daemon that runs on each node for communication between the nodes.
Because there is only one common communications path, all communications are reliably secured. Although most components communicate through the Cluster Communications daemon, the following components use another mechanism for inter-node communications:
| Component | Communication Method |
|---|---|
| Cluster Manager | RSCT |
| Heartbeat messaging | Cluster Aware AIX® |
| Cluster Information Program (Clinfo) | SNMP |
For users who require additional security, PowerHA SystemMirror provides message authentication and encryption for messages sent between cluster nodes.
Connection authentication
Standard security mode checks the source IP address against an access list, checks that the value of the source port is between 571 and 1023, and uses the principle of least-privilege for remote command execution. Standard security is the default security mode. For added security, you can set up a VPN for connections between nodes for PowerHA SystemMirror inter-node communications.
Message authentication and encryption
Message authentication and message encryption provide additional security for PowerHA SystemMirror messages sent between cluster nodes. Message authentication ensures the origination and integrity of a message. Message encryption changes the appearance of the data as it is transmitted and translates it to its original form when received by a node that authenticates the message. You can configure the security options and options for distributing encryption keys using the SMIT interface.