Preparing the initial security environment on each node

Prepare the initial security environment on each node before creating a peer domain using the mkrpdomain command.

Before you can create your peer domain using the mkrpdomain command (described in Creating a peer domain definition), you first need to run the preprpnode command to establish the initial trust between each node that will participate in the peer domain, and the node from which you will run the mkrpdomain command. Later, when you run the mkrpdomain command, the configuration resource manager will establish the additional needed security across all peer domain nodes. This will enable you to issue subsequent commands from any node in the peer domain.
Note: The preprpnode command will automatically exchange public keys between nodes. If you do not feel the security of your network is sufficient to prevent address and identity spoofing, see Guarding against address and identity spoofing when transferring public keys. If you are not sure whether your network is secure enough, consult with a network security specialist to see if you are at risk.

This preparatory step is not needed when you create a peer domain in a CAA environment because security arrangements are handled separately from peer domain functions.

The node from which you will issue the mkrpdomain command is called the originator node. Be aware that the originator node does not have to be a node you intend to include in your RSCT peer domain; it could be just a node from which you issue the mkrpdomain command. It could, for example, be the management server of a management domain. To establish trust between the originator node and each node that will be in the peer domain, you must run the preprpnode command on each node that will be in the peer domain. You will need to specify the name of the originator node as the parameter.

For example, suppose that you will be issuing the mkrpdomain command on nodeA. From each node that will be in the peer domain, issue the command:
preprpnode nodeA
You can also specify multiple node names on the command line:
preprpnode nodeA nodeB
Instead of listing the node names on the command line, you can, using the -f flag, specify the name of a file that lists the node names. For example:
preprpnode -f node.list

When using the preprpnode command, you can identify the node by its IP address or by the long or short version of its Domain Name System (DNS) name. If any IP address for the originator node cannot be resolved to a DNS name, then all IP addresses associated with the originator node should be specified on the preprpnode command. This enables you to specify an IP address that is not DNS resolvable on the mkrpdomain command (as described in Creating a peer domain definition). If you are certain that all IP addresses you will later specify on the mkrpdomain command will be resolvable to DNS names, then it is not necessary to specify all of the originator node's IP addresses on the preprpnode command. In this case, however, if you do identify the originator node by an IP address, you must be certain that the IP address is resolvable to a DNS name.

The preprpnode command establishes the initial security environment needed by the mkrpdomain command by:
  • retrieving the originator node's public key and adding it to the trusted host list of the local node.
  • modifying the local node's RMC access control list (ACL) to enable access to its resources from the originator node.

You can specify multiple nodes on the preprpnode command, in which case the initial trust will be established between the local node and each of the remote nodes listed. As long as you know which node will be the originator node, however, there should not be a need to specify multiple nodes on the preprpnode command.

If you have, for security reasons, already manually transferred the public keys, you need to use the -k flag when you issue the preprpnode command. For example:
preprpnode -k nodeA nodeB
Using the -k flag disables the automatic transfer of public keys. While allowing the preprpnode command to copy the public key again will not result in an error, you could reduce overhead by disabling the transfer.

Although the -k flag disables automatic public key transfer, the preprpnode command will still modify the node's RMC ACL file to enable access to the other nodes you will include in the peer domain.
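As an added example (not from the RSCT documentation) covering both the address-resolution rule above and the -k flag: a small POSIX shell helper that builds the argument list for preprpnode, listing every address of the originator node when any of them lacks a reverse DNS name and adding -k when the public keys were already transferred by hand. It assumes getent hosts is available for reverse lookup; the function name preprpnode_args, the name nodeA and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not RSCT code: decide how to name the originator node
# on the preprpnode command line.  Rule from the text: if any of the
# originator's IP addresses has no DNS name, list all of its addresses;
# otherwise its DNS name alone is sufficient.  Assumes 'getent hosts'.

# Reverse-resolve one IP address; prints the name or nothing.
resolve_name() {
    getent hosts "$1" 2>/dev/null | awk 'NR==1 {print $2}'
}

# preprpnode_args <originator-dns-name> <keys-transferred:0|1> <ip>...
# Prints the arguments to pass to preprpnode (hypothetical helper).
preprpnode_args() {
    pp_name=$1; pp_keys_done=$2; shift 2
    pp_flags=""
    # -k: keys were copied manually, so skip the automatic key exchange.
    if [ "$pp_keys_done" = "1" ]; then pp_flags="-k"; fi
    pp_unresolved=0
    for pp_ip in "$@"; do
        if [ -z "$(resolve_name "$pp_ip")" ]; then pp_unresolved=1; fi
    done
    # All addresses resolve: the DNS name is enough.  Otherwise keep
    # every address so any of them may later be given to mkrpdomain.
    if [ "$pp_unresolved" = "0" ]; then set -- "$pp_name"; fi
    if [ -n "$pp_flags" ]; then set -- "$pp_flags" "$@"; fi
    printf '%s\n' "$*"
}

# Usage on each node that will join the peer domain (constructed values):
#   preprpnode $(preprpnode_args nodeA 0 192.0.2.10 192.0.2.11)
```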

For complete syntax information on the preprpnode command, see the Technical Reference: RSCT for AIX® or the Technical Reference: RSCT for Multiplatforms.

Once you have run the preprpnode command on each node that you will include in the peer domain, you can create a new peer domain.