Planning Volume 2, Control Workstation and Software Environment

Security across system partitions

There are rules that govern the setting of security attributes within a partition. These rules apply to the default single system partition as well as to each additional partition that you might create. Choosing authentication options explains those rules. The setting for AIX remote command authentication on the control workstation is the union of the related settings in all partitions. The setting of authentication method for SP trusted services on the control workstation is the union of the related settings in all partitions.

If you are planning to change your partition configuration, consider the following:

• Adding Kerberos V4 authentication to a node requires the node be customized which is a procedure described in the book PSSP: Installation and Migration Guide. A node can have Kerberos V4 authentication added in one of the following ways:
  • Adding Kerberos V4 authentication to the security configuration of the system partition in which the node resides.
  • Repartitioning such that the node moves to a partition having Kerberos V4 authentication already set in the security configuration.
• Changing security authentication settings for a partition requires all the affected nodes to be rebooted.
• There are partitioning commands and SMIT panels available for partitioning your SP system. Although the commands provide interfaces to allow setting the security attributes in the SDR, do not use them to change the settings for existing partitions. Use the security commands and SMIT panels listed in the book PSSP: Installation and Migration Guide to change these settings.

When an SP system is to be partitioned, you might have different security requirements in different partitions. If you use DCE security services, partition names can be appended to the group names in the spsec_overrides file to define different groups in different partitions. To accomplish this, use the :p option in the spsec_overrides file before configuring SP security services. See Chapter 6, Planning for security, particularly Preparing to configure SP trusted services to use DCE.