topic Re: cmclconfd - security token exchange? in Operating System - HP-UX

cmclconfd - security token exchange?

support_5 — Fri, 21 Apr 2006 02:57:12 GMT

Hi Guys,

I've noticed my cmviewcl, cmgetconf, cmquerycl commands are taking a while (1-2 minutes) to return. I've got a 7 node cluster with 36 packages. All nodes have dedicated heartbeat LANs.

As I'm adding a new package, I got the message below:

# cmapplyconf -v -P /etc/cmcluster/packages/stcards/stcards.conf

Checking existing configuration ... Done
Gathering configuration information ... Done
Parsing package file: /etc/cmcluster/packages/stcards/stcards.conf.
Attempting to add package stcards.
(this took a while to come back too)
Maximum configured packages parameter is 70.
Configuring 36 package(s).
34 package(s) can be added to this cluster.
198 access policies can be added to this cluster.

Modify the package configuration ([y]/n)? y
Adding the package configuration for package stcards.
Unable to perform the security token exchange with cmclconfd on node hods01
Unable to perform the security token exchange with cmclconfd on node drds04
Unable to perform the security token exchange with cmclconfd on node drds02
Unable to perform the security token exchange with cmclconfd on node hods04
Unable to perform the security token exchange with cmclconfd on node hods02
Unable to perform the security token exchange with cmclconfd on node drds06
Completed the cluster update.

I can startup the new package ok.

Questions:
1. What is that security token exchange thing?
2. Why is it taking longer for cmviewcl, cmgetconf, cmquerycl to return?

Any help would be greatly appreciated.

Many thanks.

Tung

Re: cmclconfd - security token exchange?

RAC_1 — Fri, 21 Apr 2006 03:08:57 GMT

The mesaages about access configuration makes me think that this is latest version of SG. (At least 11.16?)
What version SG?

Did you think about applying it with -k option? I think (not sure though) security token messages are on account of existing access policies.

Re: cmclconfd - security token exchange?

support_5 — Fri, 21 Apr 2006 03:26:17 GMT

Whoops, silly me. All nodes running HP-UX 11.23, SG 11.16.

Thanks for the suggestion, RAC, but no go, I tried cmquerycl with the -k option, it was a bit faster, but it took a while "Gathering configuration information...", but the warnings and errors below worries me.

Warning: Not probing node drds06 as it is currently unreachable.
This may cause network partitions to be reported.
Warning: Not probing node hods02 as it is currently unreachable.
This may cause network partitions to be reported.

Error: Cannot connect to configuration daemon (cmclconfd) on node drds06
Error: Cannot connect to configuration daemon (cmclconfd) on node hods02

cmclconfd is running on both drds06 and hods02, I can ping both servers from hods01. It was not always like this, the latest change was adding drds06 into the cluster.

More question:
3. Why is it complaining it cannot connect to configuration daemon cmclconfd?

Hmmm...

Many thanks.

Tung

Re: cmclconfd - security token exchange?

RAC_1 — Fri, 21 Apr 2006 03:35:37 GMT

From those two hosts, Can you do cmviewcl on any of the packages running on another hosts?

Are you up to date on patches?

Re: cmclconfd - security token exchange?

support_5 — Fri, 21 Apr 2006 04:01:18 GMT

Yup, I was able to run cmviewcl -p PACKAGE_NAME successfully from the two hosts, still slower to return, though. As for patches, a set of ServiceGuard 11.16 patches were applied from Sep 2005.

We also moved our DNS and Sendmail server, but not sure if that could have affected it?

Re: cmclconfd - security token exchange?

John Bigg — Fri, 21 Apr 2006 04:08:19 GMT

These messages could imply that there is a problem talking to identd. What messages are logged into syslog at the time the messages are reported by cmapplyconf? Can you verify that identd is setup and working correctly?

If identd appears to be working correctly and syslog gives no further clues then it would probably be necessary to turn on logging to determine what is causing this.

Re: cmclconfd - security token exchange?

Stephen Doud — Fri, 21 Apr 2006 08:16:45 GMT

If your servers rely on identd for Serviceguard, insure:
1) identd (sendmail) is at version 8.9.3.1 and patched

2) /etc/nsswitch.conf =
hosts: files dns

3) /etc/hosts contains a list of every IP-bearing NIC on each cluster node

4) nslookup and "who -Rm" shows the correct hostname

5) Port 113 is not denied in /var/adm/inetd.sec

6) Internode HB connection is not done by a router, and if done by switch, no filtering of hacl ports or identd port numbers

Re: cmclconfd - security token exchange?

support_5 — Wed, 10 May 2006 01:26:21 GMT

Sorry for the late reply, guys. identd is not used, commented out in /etc/inetd.conf.

Anyway, the problem went away after a restart of inetd daemon. It seems to have played up after our redundant core switch died? We restarted inetd because our Control-M agents were playing up too, complaining about inetd. cmviewcl and cmgetconf runs great now.

Is this normal behaviour? Strange that it should complain about some security token exchange?

Thanks again for your help, guys.