Serviceguard & Bastille problem

Zlatko Kralj
Occasional Contributor

Hi,

I have a problem with a Serviceguard (A.11.17) cluster and Bastille. After configuring the Bastille lockdown, the cluster continues to operate normally. But when node1 is rebooted, it doesn't rejoin the cluster. node2 reports that node1 is down & halted, and cmviewcl doesn't work on node2:

cmviewcl: Cannot view the cluster configuration: No such file or directory.
Either this node is not configured in a cluster, user doesn't have
access to view the cluster configuration, or there is some obstacle
to viewing the configuration. Check the syslog file for more information.
For a list of possible causes, see the Serviceguard manual for cmviewcl.


Here's the output when I try to start the node manually:

cmrunnode: Validating network configuration...
Gathering network information
Beginning network probing (this may take a while)
Completed network probing
cmrunnode: Network validation complete
Waiting for nodes to join ....Unable to perform the security token exchange with cmclconfd on node ssap105p
Unable to perform the security token exchange with cmclconfd on node ssap104p
.Unable to perform the security token exchange with cmclconfd on node ssap105p
.Unable to perform the security token exchange with cmclconfd on node ssap105p
Unable to perform the security token exchange with cmclconfd on node ssap104p
done
Cluster successfully formed.
Check the syslog files on all nodes in the cluster to verify that no warnings occurred during startup.


Afterwards, the other node reports that the first one is up & running, but cmviewcl still doesn't work on node1. I used interactive mode to configure Bastille and didn't set up firewall/IPFilter nor block the ident service. If the Bastille changes are reverted (-r), everything works fine.

Regards,
Zlatko
Steven E. Protter
Exalted Contributor

Re: Serviceguard & Bastille problem

Shalom,

Bastille was written without direct knowledge of Serviceguard.

Bastille recommends closing down .rhost networking and makes other changes to inetd.conf.

You need to not let Bastille make changes that impact Serviceguard, primarily inetd.conf changes.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
melvyn burnard
Honored Contributor

Re: Serviceguard & Bastille problem

You may want to take a look at page 15 of:
http://docs.hp.com/en/B3935-90091/B3935-90091.pdf

Bastille Compatibility

Serviceguard's use of dynamic ports does not work if the pre-defined configurations are installed for Bastille: Sec20MNGDMZ (MANDMZ.config) or Sec30DMZ (DMZ.config). These configurations use different IPFilter rules to define firewall protection than the rules Serviceguard uses. The required IPFilter-Serviceguard rules are documented in the HP-UX IPFilter Version A.03.05.09 Administrator's Guide, which is posted at http://docs.hp.com/ -> Internet Security Solutions -> HP-UX IPFilter.

Serviceguard is not compatible with the default settings for the HP-UX Bastille Sec10Host configuration. The Sec10Host configuration disables the identd daemon, but Serviceguard requires the identd daemon to be running for authentication purposes. For information on how to configure HP-UX Bastille Sec10Host to allow the identd daemon to run, see the latest HP-UX 11i Version 2 Installation and Update Guide that is posted at http://docs.hp.com/ -> Core HP-UX - operating environments -> 11i v2.

My house is the bank's, my money the wife's, but my opinions belong to me, not HP!
Stephen Doud
Honored Contributor

Re: Serviceguard & Bastille problem

Patch PHSS_35863 (SG version A.11.16 for 11.23) contains this text in the Special Installation Instructions, which probably applies to your situation:

Customers using the HOST.config configuration of Bastille should update their configuration by editing the Bastille config file /etc/opt/sec_mgmt/bastille/config to allow identd to run.

Change the answer to the question "Should Bastille ensure inetd's ident service does not run on this system?" by changing the line:
SecureInetd.deactivate_ident="Y"
to
SecureInetd.deactivate_ident="N"

Users may then select between manually updating the configuration or using Bastille to do the configuration for them.
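The config edit quoted in the patch text above, as an added shell example that is not part of this thread, of the PHSS_35863 instructions, or of Bastille itself: it reads the deactivate_ident answer from a Bastille config file, reports whether identd would be left running for Serviceguard, and rewrites the answer to "N". The function names and the sample config file are constructed for the example; the only key used is the one quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread or from HP/Bastille: inspect a Bastille
# config file for the SecureInetd.deactivate_ident setting quoted above and
# flip it to "N" so identd stays available for Serviceguard authentication.
# Function names are hypothetical; the sample file below is constructed.

# Print the last value of SecureInetd.deactivate_ident ("Y" or "N") found in
# the given config file, or "unset" when the key does not appear at all.
bastille_ident_setting() {
    val=$(sed -n 's/^SecureInetd\.deactivate_ident="\([YN]\)".*/\1/p' "$1" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# Exit status 0 when the config leaves identd running (what Serviceguard
# needs), 1 when Bastille would deactivate it or the key is missing.
serviceguard_ident_ok() {
    [ "$(bastille_ident_setting "$1")" = "N" ]
}

# Rewrite deactivate_ident="Y" to "N", keeping a .orig copy of the file.
# As the patch text says, Bastille (or a manual edit of inetd.conf) must
# still be run afterwards to apply the new answer to the system.
allow_ident_in_config() {
    cp "$1" "$1.orig"
    sed 's/^SecureInetd\.deactivate_ident="Y"/SecureInetd.deactivate_ident="N"/' \
        "$1.orig" > "$1"
}

# Constructed sample standing in for /etc/opt/sec_mgmt/bastille/config.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample, not a real Bastille config
SecureInetd.deactivate_ident="Y"
EOF

if serviceguard_ident_ok "$SAMPLE_CFG"; then
    echo "identd allowed: Serviceguard compatible"
else
    echo "Bastille would deactivate identd; fixing $SAMPLE_CFG"
    allow_ident_in_config "$SAMPLE_CFG"
fi
```

Run against the real file as root only after taking your own backup; the script reports the state and leaves a .orig copy beside the file it changes.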
Zlatko Kralj
Occasional Contributor

Re: Serviceguard & Bastille problem

I found out that the problem is caused by inetd connection logging. If it's disabled, the cluster works normally. Any ideas why this is happening?

Z.
Steven E. Protter
Exalted Contributor

Re: Serviceguard & Bastille problem

Shalom,

Yes, Bastille tries to disable insecure services in inetd.conf.

Once again, Bastille was not designed with Serviceguard in mind.

If you answer the questions carefully you may be able to avoid Bastille hammering your SG configuration.

SEP
Stephen Doud
Honored Contributor

Re: Serviceguard & Bastille problem

The A.11.18 release notes contain this:
"To ensure compatibility between Serviceguard (and Serviceguard Manager) and Bastille, do the following, ...."

See http://docs.hp.com/en/B3935-90108/ch01s03.html for more details.