Configuring a Veritas Cluster Server (VCS) secure cluster ensures that all TCP/IP communication between systems is encrypted. In secure mode, VCS does not store user names or passwords. You can configure secure clusters using either the script-based installer or the web-based installer.
Note: If you have CPS-based fencing configured in your environment, you must have a secure coordination point server (CPS) to run secure clusters or a mix of secure and non-secure clusters.
Configuring security is an optional step in the configuration flow for VCS. You can configure security with or without Federal Information Processing Standard (FIPS). Refer to the following links for the configuration overview and script to configure a secure cluster:
In environments that do not support passwordless Secure Shell (SSH) or passwordless Remote Shell (RSH), you cannot use the -security option to enable secure mode for your cluster.
To configure a secure cluster in such environments, refer to Configuring a secure cluster node by node.
If you need to use an external authentication broker for authenticating VCS users, you must set up a trust relationship between VCS and the broker.
For the procedure to set up trust relationships for your VCS cluster, refer to Setting up trust relationships for your VCS cluster.
You can also configure a secure cluster using the web-based installer. Configuring security is optional. If you want to configure security later, you can rerun the web-based installer and enable security while retaining the existing configuration. You can also enable the FIPS security option at the same time.
If you plan to upgrade the secure cluster, refer to Considerations for upgrading secure VCS 5.x clusters to VCS 6.0.1.