Security mode
The security mode of a cluster determines the level of security that the cluster provides for communications between nodes in the cluster and also for communications between clusters.
There are three security modes:
- EMPTY
  - The receiving node and the sending node do not authenticate each other, do not encrypt transmitted data, and do not check the integrity of transmitted data.
- AUTHONLY
  - The sending and receiving nodes authenticate each other with a TLS handshake and then close the TLS connection. Communication continues in the clear. The nodes do not encrypt transmitted data and do not check data integrity.
- Cipher
  - To set this mode, you must specify the name of a supported cipher, such as AES128-GCM-SHA256. The sending and receiving nodes authenticate each other with a TLS handshake. A TLS connection is established. The transmitted data is encrypted with the specified cipher and is checked for data integrity.
  - To find a list of supported ciphers, choose one of the following methods:
    - See the frequently asked questions (FAQs) in IBM Spectrum Scale™ FAQ in IBM® Knowledge Center (www.ibm.com/support/knowledgecenter/STXKQY/gpfsclustersfaq.html).
    - Enter the following command at the command line:
      mmauth show ciphers
In IBM Spectrum Scale V4.2 or later, the default security mode is AUTHONLY.
The mmcrcluster command sets the mode when it creates the cluster. You can display the security mode by running the following command:
mmlsconfig cipherlist
You can change the security mode with the following command:
mmchconfig cipherlist=security_mode
If you are changing the security mode from EMPTY to another mode, you can do so without stopping the GPFS daemon. However, if you are changing the security mode from another mode to EMPTY, you must stop the GPFS daemon on all the nodes in the cluster. Change the security mode to EMPTY and then restart the GPFS daemon.
The default security mode is EMPTY in IBM Spectrum Scale V4.1 or earlier and is AUTHONLY in IBM Spectrum Scale V4.2 or later. If you migrate a cluster from IBM Spectrum Scale V4.1 to V4.2 or later by running mmchconfig release=LATEST, the command checks the security mode. If the mode is EMPTY, the command fails with an error message. You then can do either of two actions:
- Change the security mode to a valid value other than EMPTY, such as AUTHONLY, and rerun the mmchconfig release=LATEST command. Or,
- Leave the security mode set to EMPTY and rerun the mmchconfig release=LATEST command with the option --accept-empty-cipherlist-security.
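The following shell functions are an added example, not part of the IBM documentation. They print, without executing anything, the command order that the rules above imply for a mode change and for the release=LATEST migration step. Assumptions: the function names and the keep-empty argument are hypothetical, and mmshutdown -a and mmstartup -a are the GPFS commands for stopping and starting the daemon on all nodes, which this page does not name.

```shell
#!/bin/sh
# Added example: dry-run planner. It prints commands and runs nothing.

# Print the ordered commands to move the cluster from mode $1 to mode $2.
plan_cipherlist_change() {
  current=$1; target=$2
  if [ -z "$current" ] || [ -z "$target" ]; then
    echo "usage: plan_cipherlist_change CURRENT TARGET" >&2
    return 2
  fi
  if [ "$current" = "$target" ]; then
    echo "# already $target, nothing to change"
    return 0
  fi
  if [ "$target" = "EMPTY" ]; then
    # Any mode -> EMPTY: the daemon must be down on all nodes first.
    echo "mmshutdown -a"   # assumption: stop command not named on the page
    echo "mmchconfig cipherlist=EMPTY"
    echo "mmstartup -a"    # assumption: start command not named on the page
  elif [ "$current" = "EMPTY" ]; then
    # EMPTY -> AUTHONLY or a cipher: no daemon stop is needed.
    echo "mmchconfig cipherlist=$target"
  else
    # AUTHONLY <-> cipher: the text above does not cover this case; flag it.
    echo "# NOTE: daemon-stop requirement not stated for $current -> $target"
    echo "mmchconfig cipherlist=$target"
  fi
  echo "mmlsconfig cipherlist"   # confirm the new mode
}

# Print the commands for the V4.1 -> V4.2 or later migration step.
# $1 = current mode; $2 = "keep-empty" to stay on EMPTY deliberately.
plan_release_latest() {
  if [ "$1" != "EMPTY" ]; then
    echo "mmchconfig release=LATEST"
  elif [ "$2" = "keep-empty" ]; then
    echo "mmchconfig release=LATEST --accept-empty-cipherlist-security"
  else
    # Plain release=LATEST fails on EMPTY, so raise the mode first.
    plan_cipherlist_change EMPTY AUTHONLY
    echo "mmchconfig release=LATEST"
  fi
}
```

Pass the value reported by mmlsconfig cipherlist as the current mode; the printed plan can then be reviewed before any command is run on the cluster.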
Configuring the security mode to a setting other than EMPTY (that is, either AUTHONLY or a supported cipher) requires the use of the GSKit toolkit for encryption and authentication. As such, the gpfs.gskit package, which is available on all Editions, should be installed.