Updating a GPFS cluster to nistCompliance SP800-131A for a multi-rack system

Learn how to generate FIPS-compliant authentication keys for GPFS for a multi-rack system.

Before you begin

Verify that GPFS service is running and GPFS nodes are up:
mmgetstate -aLv

About this task

In a multi-rack system, each rack has its own GPFS cluster. For example, cluster1 is the name of the cluster that runs on rack 1, cluster2 runs on rack 2, and so on. In this procedure, cluster1 is the cluster whose file system the other racks access remotely, so the other clusters register cluster1's key with mmremotecluster and cluster1 registers their keys with mmauth. Replace cluster1, cluster2 and the node names with the values from your own system.
To get the actual name of cluster1, run the mmlscluster command on a node in cluster1.
[root@node0101 ~]# mmlscluster

GPFS cluster information
========================
  GPFS cluster name:         gpfs-9940062_hadomain_1-cluster.apdomain.ibm.com
  GPFS cluster id:           14967823331523464152
  GPFS UID domain:           gpfs-9940062_hadomain_1-cluster.apdomain.ibm.com
  Remote shell command:      /usr/bin/ssh
In the following example, the name of the cluster is gpfs-9940062_hadomain_1-cluster.apdomain.ibm.com.

Procedure

  1. Update keys on cluster1.
    1. On cluster1, generate a new public/private access key pair.
      The new public key is written to /var/mmfs/ssl/id_rsa_new.pub. The new key pair does not replace the current key until it is committed in step 4.
      mmauth genkey new
    2. Copy the new public key to the /tmp directory of one node in each of the other racks.

      For example, for a 3-rack system, copy the key to node0201 and node0301.

      scp /var/mmfs/ssl/id_rsa_new.pub node0201:/tmp
      scp /var/mmfs/ssl/id_rsa_new.pub node0301:/tmp
    3. On each cluster except cluster1, make the new key known to that cluster.
      For a 3-rack system, run the command on node0201 and node0301. Complete this step on every remote cluster before you commit the key in step 4; a cluster that has not received the new public key loses access to cluster1 when the old key is retired.
      mmremotecluster update cluster1 -k /tmp/id_rsa_new.pub
      Where:
      cluster1
      Is the actual name of cluster1 as given by the mmlscluster command on a node in cluster1. Replace cluster1 with the correct cluster name.
    4. From any of the cluster1 nodes, commit the new key as the only valid access key.
      The old key is no longer accepted when the command completes successfully.
      mmauth genkey commit
  2. Update keys on the remaining clusters.
    For example, for a 3-rack system, run the commands first on cluster2, then on cluster3.
    1. On cluster2, generate a new public/private access key pair.
      The new public key is written to /var/mmfs/ssl/id_rsa_new.pub.
      mmauth genkey new
    2. Copy the new public key to the /tmp directory of any node in cluster1.
      scp /var/mmfs/ssl/id_rsa_new.pub node0101:/tmp
    3. On cluster1, as the system administrator, make the new key known to cluster1. Complete this step before you commit the key in step 4.
      mmauth update cluster2 -k /tmp/id_rsa_new.pub
      Where:
      cluster2
      Is the actual name of cluster2 as given by the mmlscluster command on a node in cluster2.
    4. On cluster2, commit the new key as the only valid access key.
      The old key is no longer accepted when the command completes successfully.
      mmauth genkey commit
  3. Repeat step 2 for each remaining cluster, except for cluster1.
  4. Set the release value to LATEST.
    Run this command on any node of each cluster. Do this on every cluster before you set nistCompliance in step 5.
    mmchconfig release=LATEST
  5. Set the nistCompliance value to SP800-131A.
    Run this command on any node of each cluster.
    mmchconfig nistCompliance=SP800-131A
    Confirm the setting on each cluster with the mmlsconfig command:
    mmlsconfig nistCompliance
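The whole procedure as one script, added here as an example and not part of the IBM documentation. The mmauth, mmremotecluster and mmchconfig commands are the ones given above; the orchestration around them is the addition. It assumes an administration host that can ssh as root to one node in every rack and that those nodes can scp to each other, and it takes one "node:clustername" argument per rack, cluster1 first. Host names and the cluster2/cluster3 names in the usage comment are constructed; the cluster1 name is the one shown in the mmlscluster output above. With DRY_RUN=1 (the default) it only prints the commands, so the ordering that matters for security, every remote cluster learning a new public key before that key is committed, and release=LATEST preceding nistCompliance, can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example, not IBM code: drives the documented key rotation from an admin
# host.  Assumptions: passwordless root ssh from this host to each listed node,
# scp between the listed nodes, arguments of the form node:clustername with
# cluster1 (the cluster whose file system the other racks access) given first.
# DRY_RUN=1 (default) prints "node: command" lines instead of running them.

: "${DRY_RUN:=1}"

run() {
    # run NODE CMD... : execute CMD on NODE over ssh, or print it in dry-run mode
    _node=$1; shift
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s: %s\n' "$_node" "$*"
    else
        ssh "$_node" "$@"
    fi
}

node_of()    { printf '%s\n' "${1%%:*}"; }
cluster_of() { printf '%s\n' "${1#*:}"; }

# rotate_owner OWNER REMOTE...
# Step 1 of the page: new key on cluster1, registered on every remote cluster
# with mmremotecluster update, and only then committed.  Committing first would
# leave the remotes holding a key that cluster1 no longer accepts.
rotate_owner() {
    owner=$1; shift
    onode=$(node_of "$owner"); ocluster=$(cluster_of "$owner")
    run "$onode" mmauth genkey new
    for r in "$@"; do
        rnode=$(node_of "$r")
        run "$onode" scp /var/mmfs/ssl/id_rsa_new.pub "$rnode:/tmp"
        run "$rnode" mmremotecluster update "$ocluster" -k /tmp/id_rsa_new.pub
    done
    run "$onode" mmauth genkey commit
}

# rotate_remote OWNER REMOTE
# Step 2 of the page: new key on one remote cluster, registered on cluster1
# with mmauth update, then committed on the remote cluster.
rotate_remote() {
    onode=$(node_of "$1")
    rnode=$(node_of "$2"); rcluster=$(cluster_of "$2")
    run "$rnode" mmauth genkey new
    run "$rnode" scp /var/mmfs/ssl/id_rsa_new.pub "$onode:/tmp"
    run "$onode" mmauth update "$rcluster" -k /tmp/id_rsa_new.pub
    run "$rnode" mmauth genkey commit
}

# rotate_all OWNER REMOTE...
# Steps 1-3 for every cluster, then release=LATEST on all clusters (step 4)
# before nistCompliance=SP800-131A on all clusters (step 5).
rotate_all() {
    owner=$1; shift
    rotate_owner "$owner" "$@"
    for r in "$@"; do rotate_remote "$owner" "$r"; done
    for c in "$owner" "$@"; do
        run "$(node_of "$c")" mmchconfig release=LATEST
    done
    for c in "$owner" "$@"; do
        run "$(node_of "$c")" mmchconfig nistCompliance=SP800-131A
    done
}

# Usage for a 3-rack system (constructed node names and cluster2/cluster3 names):
# rotate_all node0101:gpfs-9940062_hadomain_1-cluster.apdomain.ibm.com \
#            node0201:cluster2.example.com node0301:cluster3.example.com
```

Run it once with the default DRY_RUN=1 and read the printed sequence; when the order is as expected, rerun with DRY_RUN=0 to execute it. Before the real run, confirm with mmgetstate -aLv that every cluster is up, as the page requires, because a remote cluster that is down during step 1.3 misses the new key and is locked out at commit.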