Administration Guide

Understanding security for system partitions

Planning for your SP system should have included a study of all the planning considerations that apply to partitioning. During that process, you should have determined which authentication services and security configuration to use in each partition. Within a system partition, there are certain authentication rules that govern the setting of the security attributes. These rules apply to the default system partition, and they apply to each additional partition that you might create.

The Syspar class definition in the SDR contains a set of four security attributes for each partition. These attributes are auth_install, auth_root_rcmd, auth_methods, and ts_auth_methods. The rules that govern which values to set for these attributes that represent your security configuration are the following:

1. The auth_install attribute must contain the value dce if the ts_auth_methods attribute contains dce. It must contain the value k4 if either the auth_root_rcmd or auth_methods attributes contain k4 or the ts_auth_methods attribute contains compat. The value std need not be set because Standard AIX is an implied method with nothing to install.
2. The auth_root_rcmd and auth_methods attributes must have one security method in common, |but for one exception. The exception is that you can set AIX |authorization methods for remote commands to none when you are |running an enhanced security environment with the restricted root access and |secure remote command process options enabled. Your plan for setting these attributes in each partition should have been recorded using the authentication planning worksheet in Appendix C of the book IBM RS/6000 SP: Planning Volume 2, Control Workstation and Software Environment.

Each partition has its own set of security attributes. The AIX Remote Command authentication setting on the control workstation is the union of the auth_methods settings for all partitions. The trusted services authentication methods setting on the control workstation is the union of the ts_auth_methods settings for all partitions.

When you need to change the security settings in a partition it should not be done as part of the system partitioning process. Changes to existing partitions should be done either before or after the partitioning process. An attempt to change the security settings of an existing system partition by applying a customization file with changed values might result in failures during execution of the spapply_config command because the rules have been violated. The spcustomize_syspar command will only verify that the values in the custom file do not violate the rules. The values are not checked against the existing partitions until the spapply_config command runs.

When partitioning a system by expanding the number of partitions, by collapsing partitions together, or by moving nodes between partitions, follow these guidelines:

1. Do not change the security settings for existing system partitions.
2. Newly defined partitions may have security settings different from those in previously existing partitions.

You can use any setup that does not violate the authentication rules.

For example, you have decided to create two partitions during your initial system installation. The install was started using Kerberos V4. The second partition is to be DCE only. There are two options:

1. During the "Set up system partitions" step in the book PSSP: Installation and Migration Guide, you can create a custom file containing two Kerberos V4 partitions. After running the spapply_config command on the CWS, you can transition the second partition to DCE and Kerberos V4, then to DCE only.

   You would perform all the steps in "Chapter 5. Adding authentication configurations to the SP System" of the book PSSP: Installation and Migration Guide, except for rebooting the nodes. Then continue the installation step that follows the "Set up system partitions" step.

2. During the "Set up system partitions" step in the book PSSP: Installation and Migration Guide, you can create a custom file containing Kerberos V4 settings for the original default system partition and DCE settings for the new partition. Additional DCE setup on the control workstation, discussed in Preparing the control workstation before you define system partitions, will need to be done both before and after running the spapply_config command.