IBM Books

Administration Guide


Chapter 3. Managing and using SP security services

This chapter addresses the tasks that are specific to the security support implemented on the SP system. Other security implementation and administration tasks addressed in AIX and DCE publications are referred to, but are not thoroughly explained. Do not rely solely on PSSP publications to fully explain how to implement or administer security on your SP system. The primary focus in this chapter is to explain the SP system-specific tasks that support your security policy and implementation.

If your SP is not already established with your organization's choice of security implementation or if you are considering changing your security implementation:

  1. To prepare for installation or migration and configuration, or for information about choices regarding the security implementations supported on the SP system, see the book IBM RS/6000 SP: Planning Volume 2, Control Workstation and Software Environment.
  2. To actually install and configure authentication services, see the book PSSP: Installation and Migration Guide.

This chapter explains the tasks involved in on-going management of the security services provided by the PSSP software on the SP system. The main topics included are the following:

The following are prerequisites to performing administrative tasks:

  1. You must have a clearly expressed and understood security policy for your organization. You must understand the degree of control you require over individuals and groups to access resources and perform activities, and in which SP system partitions.
  2. You must already have installed and you must understand the specific versions of the security services (DCE, Kerberos V4, and AIX) that you intend to use to help enforce your security policy.
  3. You must already have chosen and installed the secure remote command software before you can enable a secure remote command process to be used by the PSSP software. That software must be running and root must have the ability to successfully issue remote commands to the nodes without being prompted for passwords or passphrases.
  4. You must be, or must become, familiar with the information in Chapter 2, Security features of the SP system and in other publications that relate to your organization's security policy and implementation.
  5. You need to be authorized to perform the respective security administration tasks.

Enhanced security options:

As of PSSP 3.2, you have the option of running your SP system with an enhanced level of security. The restricted root access option removes the dependency PSSP has on internally issuing rsh and rcp commands as a root user from a node. Any such actions can only be run from the control workstation or from nodes configured to authorize them. PSSP does not automatically grant authorization for a root user to issue rsh and rcp commands from a node. If you enable this option, some procedures might not work as documented. For example, to run HACMP, an administrator must grant the authorizations for a root user to issue rsh and rcp commands that PSSP would otherwise grant automatically.

With PSSP 3.4, you can use a secure remote command process in place of the rsh and rcp commands.

Each of the licensed programs discussed in this chapter might be affected in some way with these enhanced security options enabled. See Restricted root access and Secure remote command process for descriptions of these options and limitations.

DCE and HACWS restriction:

If you plan to have DCE authentication enabled, you cannot use HACWS. If you already use HACWS, do not enable DCE authentication.

