98 IBM CSM to IBM Systems Director Transformation Guide
• Each AIX machine runs the RMC daemon rmcd, which is under SRC control.
• The CtSec library starts the Cluster Authentication Service (CAS) daemon ctcasd on demand when CtSec authentication is required. This daemon is also under SRC control.
Both are in the SRC group rsct.
The data that CSM stores in the system registry is managed through CSM-specific resource managers and mainly resides on the management server. However, the RMC/SR infrastructure can be used in many other ways, for example on individual machines. Furthermore, RMC itself only provides an abstract view of resource classes and resource instances; different resource managers (RMs) provide access to the actual resources. Some RMs are shipped with RSCT, while other components such as CSM implement their own RMs. All RMs are under SRC control, in the SRC group rsct_rm. Running the command lssrc -ls ctrmc produces a detailed status report of the RMC subsystem, including the active resource managers.
For more detailed information about RSCT and CSM, see the Libraries Related to Cluster Products section of the IBM Cluster Products information center website, or the following books:
SA23-1343-05 - CSM for AIX and Linux V1.7.1: Administration Guide
SA23-1344-05 - CSM for AIX and Linux V1.7.1: Planning and Installation Guide
SA22-7889-20 - RSCT: Administration Guide
SA22-7890-20 - RSCT for AIX: Technical Reference
4.4.2 Authentication and authorization when using IBM Systems Director
Systems Director offers a number of security features through the authentication and user administration it provides. System administrators can specify user privileges for specific tasks on resources. User registry integration, integrity, and secure data transmission are key elements of the basic security model. Access in Systems Director is controlled by two basic, independent processes: authentication and authorization.
Authentication
Systems Director uses authentication to determine the identity of the user and to verify and validate that identity. With the default registry settings, users are authenticated with their user IDs and passwords, which reside locally on the operating system; these are verified against the information stored in the user registry that Systems Director is configured to use. Group information is also used. Besides the default registry, options such as Lightweight Directory Access Protocol (LDAP) are also supported.
Authorization
Systems Director uses authorization to validate the roles and privileges of the authenticated user. This occurs when an already authenticated user uses Systems Director to perform a specific task on a resource. If the role exists and contains the authorization necessary to complete the specified task, the task proceeds. If a user wants to run additional commands using smcli, additional roles need to be authorized for that user.
In conjunction with this, Systems Director heavily relies on role-based access control (RBAC),
which allows administrators to create and customize sets of permissions, also known as
roles, and assign them to individual users or groups; refer to Figure 4-12.
Chapter 4. Functional comparison 99
Figure 4-12 Basic IBM Systems Director communication topology
By default, the Systems Director Server uses Secure Sockets Layer (SSL) for the communication between the web management console and the server; depending on the target, such as an agent, a network device, or a storage device, different communication types may be used. IBM Systems Director stores all of its data in a database repository, which also contains credentials such as the user IDs and passwords used for accessing remote systems. All of the sensitive data, including credentials, is encrypted using the 3DES algorithm.
Using the agent manager
The agent manager provides the authentication and authorization for installed common agent
resources and maintains a registry of configuration information about the common agent
managed systems. It also provides the core agent manager functionality services:
• Service catalog
• Credential manager
• Agent registry
• Querying service
Notes:
• The default certificate used by Systems Director should be replaced by either a self-signed certificate or one signed by a certificate authority (CA), to ensure data privacy. The keystore password should also be changed.
• An SSH server is not provided by the Systems Director Server software, so use the SSH server included with the operating system or one from a third party.
Table 4-2 General security comparison

Security topic: User IDs and passwords
Cluster System Management: HMCs, console servers, and RSAs all require users to authenticate before executing any commands. This includes the CSM management server. User IDs and passwords for each console server, RSA, and HMC in the cluster are stored in the CSM database.
IBM Systems Director: Similar to CSM, but the authorization mechanism compares the user account, or the group to which the user belongs, to the role-based access control (RBAC) roles. The agent manager then interacts, using SSL, with the user registry where user- and group-related information is stored.

Security topic: Resource Monitoring and Control access control lists
Cluster System Management: Commands such as rpower (which can power nodes on or off and get their power status) and lshwinfo (which reports on the hardware in a node) use the security functions of RMC to determine who is allowed to run them. Access to the hardware control classes, and to actions on these classes, is controlled by stanzas in the /var/ct/cfg/ctrmc.acls file.
IBM Systems Director: rpower in IBM Systems Director works similarly to its CSM counterpart. However, because of the security differences, the HMC managing the resource must be discovered and the user requesting the command must be properly authenticated. The agent manager is then responsible for authentication and authorization services between the management server, HMC, and common agents.

Security topic: Console server security
Cluster System Management: The rconsole command opens a console window for a node. It uses the Conserver open source package to provide support for multiple read-only consoles on a single node.
IBM Systems Director: The dconsole command works similarly to the rconsole command, and the security authentication path is the same as for rpower.

Security topic: Group Services and Topology Services
Cluster System Management: Group Services and Topology Services, although part of RSCT, are not used in the management domain structure of CSM. These two components are used in peer domain clusters for applications and are often referred to as hats and hags, that is, the high availability Topology Services daemon (hatsd) and the high availability Group Services daemon (hagsd).
IBM Systems Director: Not used by IBM Systems Director.
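As an added example (not code from the IBM guide or from RSCT), the following Python audit parses a ctrmc.acls-style file, such as the /var/ct/cfg/ctrmc.acls file referenced in Table 4-2, and lists the identities that hold write permission on a resource class, flagging any that are neither local root nor accounts on the management server. The stanza layout, the class name IBM.HwCtrlRM, and all host and user names are assumptions; consult the RSCT Administration Guide for the documented syntax before relying on this on a real file.

```python
# Added example (not from the IBM guide): audit a ctrmc.acls-style file for
# identities granted write access on an RMC resource class. The stanza layout
# (class name on an unindented line, then indented "identity resource perms"
# entries) and every name below are assumptions, not the documented syntax.
from typing import Dict, List, Tuple

# Constructed sample in the assumed layout; not taken from any real cluster.
SAMPLE_ACLS = """\
IBM.HwCtrlRM
    root@LOCALHOST      *   rw
    csmadmin@mgmt01     *   rw
    ops@node07          *   rw    # constructed: write from a compute node
    UNAUTHENT           *   r

OTHER
    root@LOCALHOST      *   rw
    LOCALHOST           *   r
"""

Entry = Tuple[str, str, str]  # (identity, resource_id, permissions)

def parse_acls(text: str) -> Dict[str, List[Entry]]:
    """Group 'identity resource permissions' entries under their stanza name."""
    stanzas: Dict[str, List[Entry]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        if not line[0].isspace():              # unindented line opens a stanza
            current = line.strip()
            stanzas.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any stanza: {raw!r}")
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed entry: {raw!r}")
        stanzas[current].append((parts[0], parts[1], parts[2]))
    return stanzas

def writers(stanzas: Dict[str, List[Entry]], cls: str) -> List[str]:
    """Identities holding write ('w') permission on resource class cls."""
    return [ident for ident, _res, perm in stanzas.get(cls, []) if "w" in perm]

def review_writers(stanzas: Dict[str, List[Entry]], cls: str, mgmt_host: str) -> List[str]:
    """Writers other than local root or accounts on the management server."""
    return [i for i in writers(stanzas, cls)
            if i != "root@LOCALHOST" and not i.endswith("@" + mgmt_host)]
```

Running review_writers on the constructed sample flags ops@node07, the only identity that can drive hardware control from outside the management server.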