Learn how to generate FIPS-compliant authentication keys for GPFS for a multi-rack system.
Before you begin
Verify that the GPFS service is running and that the GPFS nodes are up:
mmgetstate -aLv
About this task
In a multi-rack system, each rack has its own GPFS cluster. For example, cluster1 is the name of the cluster that runs on rack 1, cluster2 runs on rack 2, and so on. To get the actual name of cluster1, run the mmlscluster command on a node in cluster1.
[root@node0101 ~]# mmlscluster
GPFS cluster information
========================
GPFS cluster name: gpfs-9940062_hadomain_1-cluster.apdomain.ibm.com
GPFS cluster id: 14967823331523464152
GPFS UID domain: gpfs-9940062_hadomain_1-cluster.apdomain.ibm.com
Remote shell command: /usr/bin/ssh
In the following example, the name of the cluster is gpfs-9940062_hadomain_1-cluster.apdomain.ibm.com.
Procedure
1. Update keys on cluster1.
   a. On cluster1, generate a new public/private access key pair. The public key of the new pair is written to /var/mmfs/ssl/id_rsa_new.pub.
      mmauth genkey new
   b. Copy the new public key into the /tmp directory of any node of each other rack. For example, for a 3-rack system, copy the key to node0201 and node0301.
      scp /var/mmfs/ssl/id_rsa_new.pub node0201:/tmp
   c. On each cluster except cluster1, make the new key known to that cluster. For a 3-rack system, run the command on node0201 and node0301.
      mmremotecluster update cluster1 -k /tmp/id_rsa_new.pub
      Where:
      cluster1
         Is the actual name of cluster1 as given by the mmlscluster command on a node in cluster1. Replace cluster1 with the correct cluster name.
   d. From any of the cluster1 nodes, commit the new key as the only valid access key. The old key is no longer accepted once the command completes successfully.
      mmauth genkey commit
2. Update keys on the remaining clusters. For example, for a 3-rack system, run the commands first on cluster2, then on cluster3.
   a. On cluster2, generate a new public/private access key pair. The public key of the new pair is written to /var/mmfs/ssl/id_rsa_new.pub.
      mmauth genkey new
   b. Copy the new public key into the /tmp directory of any node of cluster1.
      scp /var/mmfs/ssl/id_rsa_new.pub node0101:/tmp
   c. On cluster1, as the system administrator, make the new key known to cluster1.
      mmauth update cluster2 -k /tmp/id_rsa_new.pub
      Where:
      cluster2
         Is the actual name of cluster2 as given by the mmlscluster command on a node in cluster2.
   d. On cluster2, commit the new key as the only valid access key. The old key is no longer accepted once the command completes successfully.
      mmauth genkey commit
3. Repeat step 2 for each remaining cluster, except for cluster1.
4. Set the release value to LATEST. Run this command on any node of each cluster.
   mmchconfig release=LATEST
5. Set the nistCompliance value to SP800-131A. Run this command on any node of each cluster.
   mmchconfig nistCompliance=SP800-131A