Configuring message authentication and encryption

Edit online

In addition to connection authentication, you can secure the messages sent through the Cluster Communications Daemon between cluster nodes by authenticating and encrypting those messages. You can use message encryption with message authentication, but you cannot use message encryption alone. Message authentication and encryption are disabled by default.

Both message authentication and message encryption rely on secret key technology. For authentication, the message is signed and the signature is encrypted by a key when sent, and the signature is decrypted and verified when received. For encryption, the encryption algorithm uses the key to make data unreadable. The message is encrypted when sent and decrypted when received.

Message authentication and encryption rely on Cluster Security (CtSec) Services in AIX®, and use the encryption keys available from Cluster Security Services. PowerHA® SystemMirror® message authentication uses message digest version 5 (MD5) to create the digital signatures for the message digest. Message authentication uses the following types of keys to encrypt and decrypt signatures and messages (if selected):

  • Data encryption standard (DES)
  • Triple DES
  • Advanced encryption standard (AES).

The message authentication mode is based on the encryption algorithm. Your selection of a message authentication mode depends on the security requirements for your PowerHA SystemMirror cluster.

Authenticating and encrypting messages increases the overhead required to process messages and may impact PowerHA SystemMirror performance. Processing more sophisticated encryption algorithms may take more time than less complex algorithms. Message authentication and encryption are disabled by default.

The PowerHA SystemMirror product does not include encryption libraries. Message authentication and encryption rely on Cluster Security (CtSec) Services in AIX®, and use the encryption keys available from Cluster Security Services. Before you can use message authentication and encryption, the following AIX filesets must be installed on each cluster node:

  • For data encryption with DES message authentication: rsct.crypt.des
  • For data encryption standard Triple DES message authentication: rsct.crypt.3des
  • For data encryption with Advanced Encryption Standard (AES) message authentication: rsct.crypt.aes256

You can install these filesets from the AIX Expansion Pack CD-ROM.

If you install the AIX encryption filesets after you have PowerHA SystemMirror running, restart the Cluster Communications daemon to enable PowerHA SystemMirror to use these filesets. To restart the Cluster Communications daemon:

stopsrc -s clcomd
startsrc -s clcomd

If your configuration includes persistent labels, make sure that this configuration is synchronized before proceeding.

PowerHA SystemMirror provides a SMIT interface to configure message authentication and encryption.

To open the SMIT interface, enter:
smit cspoc

Select Security and Users > PowerHA SystemMirror Cluster Security.

Important: Do not perform other cluster configuration activities while you are configuring message authentication and encryption for a cluster. Doing so may cause communication problems between nodes. Make sure that security configuration is complete and the cluster synchronized before performing other configuration tasks.

For more information about the available authentication and encryption options, see the CAA documentation at Configuring cluster security.