Security mode

The security mode of a cluster determines the level of security that the cluster provides for communications between nodes in the cluster and also for communications between clusters.

There are three security modes:
EMPTY
The receiving node and the sending node do not authenticate each other, do not encrypt transmitted data, and do not check the integrity of transmitted data.
AUTHONLY
The sending and receiving nodes authenticate each other with a TLS handshake and then close the TLS connection. Communication continues in the clear. The nodes do not encrypt transmitted data and do not check data integrity.
Cipher
To set this mode, you must specify the name of a supported cipher, such as AES128-GCM-SHA256. The sending and receiving nodes authenticate each other with a TLS handshake. A TLS connection is established. The transmitted data is encrypted with the specified cipher and is checked for data integrity.
To find a list of supported ciphers, choose one of the following methods:
For FIPS 140-2 considerations, see Encryption.
For both the AUTHONLY mode and the cipher mode, the cluster automatically generates a public/private key pair when the mode is set. However, for communication between clusters, the system administrators are still responsible for exchanging public keys.
In IBM Spectrum Scale V4.2 or later, the default security mode is AUTHONLY. The mmcrcluster command sets the mode when it creates the cluster. You can display the security mode by running the following command:
mmlsconfig cipherlist
You can change the security mode with the following command:
mmchconfig cipherlist=security_mode
If you are changing the security mode from EMPTY to another mode, you can do so without stopping the GPFS daemon. However, if you are changing the security mode from another mode to EMPTY, you must stop the GPFS daemon on all the nodes in the cluster. Change the security mode to EMPTY and then restart the GPFS daemon.
The default security mode is EMPTY in IBM Spectrum Scale V4.1 or earlier and is AUTHONLY in IBM Spectrum Scale V4.2 or later. If you migrate a cluster from IBM Spectrum Scale V4.1 to V4.2 or later by running mmchconfig release=LATEST, the command checks the security mode. If the mode is EMPTY, the command fails with an error message. You can then take either of two actions:
  • Change the security mode to a valid value other than EMPTY, such as AUTHONLY, and rerun the mmchconfig release=LATEST command.
  • Leave the security mode set to EMPTY and rerun the mmchconfig release=LATEST command with the option --accept-empty-cipherlist-security.
For more information, see Completing the upgrade to a new level of IBM Spectrum Scale.

Configuring the security mode to a setting other than EMPTY (that is, either AUTHONLY or a supported cipher) requires the use of the GSKit toolkit for encryption and authentication. As such, the gpfs.gskit package, which is available on all Editions, should be installed.
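
The rules above for the three modes, the daemon-stop requirement, and the upgrade check can be put into a small pre-upgrade audit. This is an added example, not IBM code: the function names are hypothetical, the sample input is constructed, and it assumes that mmlsconfig cipherlist prints a line of the form "cipherList <value>" and that an unset value means EMPTY.

```shell
#!/bin/sh
# Added example (not IBM code). Assumption: `mmlsconfig cipherlist` prints
# one line of the form "cipherList <value>".

# Extract the mode; an unset value is treated as EMPTY (assumption).
parse_mode() {
    m=$(printf '%s\n' "$1" | awk 'tolower($1) == "cipherlist" { print $2; exit }')
    case "$m" in ''|'(undefined)') echo EMPTY ;; *) echo "$m" ;; esac
}

# Protection each mode gives, as described on this page. Any value other
# than EMPTY or AUTHONLY is taken to be a cipher name (not validated here).
protection() {
    case "$1" in
        EMPTY)    echo "auth=no encrypt=no integrity=no" ;;
        AUTHONLY) echo "auth=yes encrypt=no integrity=no" ;;
        *)        echo "auth=yes encrypt=yes integrity=yes" ;;
    esac
}

# True when moving from mode $1 to mode $2 needs the GPFS daemon stopped
# on all nodes: only a change from a non-EMPTY mode to EMPTY.
needs_daemon_stop() { [ "$1" != EMPTY ] && [ "$2" = EMPTY ]; }

# Print the steps for changing from mode $1 to mode $2.
change_plan() {
    if needs_daemon_stop "$1" "$2"; then
        echo "stop the GPFS daemon on all nodes"
        echo "mmchconfig cipherlist=$2"
        echo "restart the GPFS daemon"
    else
        echo "mmchconfig cipherlist=$2"
    fi
}

# Report the mode; return 1 when it is EMPTY, the case in which
# `mmchconfig release=LATEST` fails its security-mode check.
audit() {
    mode=$(parse_mode "$1")
    echo "mode=$mode $(protection "$mode")"
    if [ "$mode" = EMPTY ]; then
        echo "FINDING: EMPTY blocks mmchconfig release=LATEST; suggested change:"
        change_plan EMPTY AUTHONLY
        return 1
    fi
    return 0
}

# Constructed sample standing in for real command output.
audit "cipherList AUTHONLY"
```

On a cluster node, the last line would instead pass the real output, for example audit "$(mmlsconfig cipherlist)".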