Original Question:
> We're looking at switching a TruCluster 5.1 installation over to
> enhanced security. Are there any known catches/problems? It's a
> three node cluster running Tru64 5.1pk2.
Thanks go out to:
Rochelle Lauer <LAUER_at_hepmail.physics.yale.edu>
Ann Majeske <Ann.Majeske_at_Compaq.com>
Denise Dumas <dumas_at_zk3.dec.com> (Very clear response and good information)
Edward J. Branley <ed_at_softadv.com>
Vincent D'Antonio <vdantoni_at_BISYS-Plans.com> (Who had some problems)
Clegg, Larry <Larry_Clegg_at_intuit.com>
The general consensus was that there shouldn't be a problem converting.
Vincent D'Antonio did have a problem converting, but we decided to
go ahead based on the majority opinion.
We followed Denise Dumas' instructions and didn't have any problems in
the switch from BASE to ENHANCED security. I'm attaching Denise's
message in case anyone else is looking at switching over soon:
This summary is a little late as I wanted to wait until we had a day or
so to settle in after the change.
----- snip ----- snip ----- snip ----- snip ----- snip -----
Hi,
The issue you'll have is that changing from Base to Enhanced security
requires that every node reboot. This is to make sure that all the
processes use the new security libraries. The old library expects to find
passwords in /etc/passwd. The new library expects to find them in
/var/tcb/auth.db. Oops. The other issue is that Enhanced uses a different
(stronger) password encryption than Base (which is why users are forced to
change their passwords - we never have cleartext, so we can't just convert
existing passwords to the new algorithm).
So clearly the easiest way to do this is to choose enhanced security,
custom profile, and reboot all the nodes at once.
If you can't do that, and have to run with some rebooted and some not for
days or weeks, there is an interim mode that you can use called the Upgrade
profile. It leaves passwords in the old algorithm, stores them in both
files, and lets rebooted and not-rebooted nodes coexist until you've been
able to reboot all the nodes. At that time you use sysman secconfig again,
choose enhanced, with custom profile, and the passwords get pulled from
/etc/passwd and a change is forced so the new password algorithm is used.
You don't get the benefit of enhanced security until you've completed the
changeover.
This is why we recommend that if you want enhanced security you choose it
when you initially create the cluster - trying to explain this stuff is
painful ;-)
Denise Dumas
Tru64 Security team
----- snip ----- snip ----- snip ----- snip ----- snip -----
Thanks again,
Tom
--
+-----------------------------------+---------------------------------+
| Tom Webster | "Funny, I've never seen it |
| SysAdmin MDA-SSD ISS-IS-HB-S&O | do THAT before...." |
| webster_at_ssdpdc.lgb.cal.boeing.com | - Any user support person |
+-----------------------------------+---------------------------------+
| Unless clearly stated otherwise, all opinions are my own. |
+---------------------------------------------------------------------+
Received on Fri May 18 2001 - 16:45:27 NZST