On Wed, 22 Sep 2004 20:02:40 -0700, mr kay wrote:
> bigtiny@mac.com (bigtiny) wrote in message
> news:<c4435822.0409201305.5edaf22@posting.google.com>...
>> In the old days most inter-node communication was done via good old rsh.
>> I believe in release 5.1 came the introduction of clcomd which handles
>> all inter-node communications. You basically don't need /.rhosts, but
>> instead use /usr/es/sbin/cluster/etc/rhosts....read up on it....
> Thanks for the info. I assumed it is safe to disable telnet and ftp in
> an HACMP environment as HACMP uses rshd and snmp to operate correctly (I
> think). Is this true? Correct me if I'm wrong.

As Bigtiny said, HA does not use rsh any more. V4 did, so you cannot remove
it if that's what you're running. I have direct from IBM:

    HACMP v5.2 does NOT use rsh anymore, but uses clcomd. This will do away
    with all the rsh related problems

Which I sincerely hope is true, as I suffer from a number of rsh related
problems.

I can't be sure about where the change came in, as I only asked about 5.2
as that's what I intend to upgrade to. But I think it's most likely that
it changed between V4 and V5; it's a pretty major change that's only
likely to have happened at a version update. I don't know why they didn't
just use ssh.

So basically you cannot harden an HACMP V4 cluster; if that's what you
have, you have to upgrade it. Rsh is fundamentally insecure and if you have
it enabled you are not "hard".

SNMP is no security risk to the best of my knowledge.

Remember that HA also has its own services such as clver and godm (V4 does
- I haven't installed V5 yet) and you can't stop these or the cluster will
not verify. But you can have an external firewall blocking access to them
from outside the cluster, which would be a good idea in a secure
environment.

Regards, Ian
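
An added example, not part of the thread: a small audit of which of the cleartext services discussed above (telnet, ftp, and the rsh family) are still enabled in an inetd.conf-format file, plus a check for wildcard trust in a .rhosts-format file. The function names and the sample files are constructed for illustration; on a real node the inputs would be /etc/inetd.conf and /.rhosts.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and sample data are
# hypothetical; the sample files below are constructed.

# List enabled (uncommented) inetd.conf services among the cleartext ones
# discussed above: telnet, ftp, shell (rshd), login (rlogind), exec (rexecd).
enabled_cleartext_services() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }   # commented-out line = disabled
        $1 ~ /^(telnet|ftp|shell|login|exec)$/ { print $1 }
    ' "$1" | sort -u
}

# List .rhosts-format entries that trust every host or every user ("+").
wildcard_trust_entries() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "+" || $2 == "+" { print FNR ": " $0 }
    ' "$1"
}

# Constructed sample: telnet and rlogin already disabled, ftp and rsh not.
write_sample_inetd() {
    cat > "$1" <<'EOF'
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd      ftpd
#telnet stream  tcp6    nowait  root    /usr/sbin/telnetd   telnetd -a
shell   stream  tcp6    nowait  root    /usr/sbin/rshd      rshd
#login  stream  tcp6    nowait  root    /usr/sbin/rlogind   rlogind
daytime stream  tcp     nowait  root    internal
EOF
}

# Constructed sample: one specific trust entry and two wildcard entries.
write_sample_rhosts() {
    printf '%s\n' 'nodea root' '+ +' '# old entry' 'nodeb +' > "$1"
}

demo_dir=$(mktemp -d)
write_sample_inetd "$demo_dir/inetd.conf"
write_sample_rhosts "$demo_dir/rhosts"
echo "Enabled cleartext services:"
enabled_cleartext_services "$demo_dir/inetd.conf"
echo "Wildcard trust entries:"
wildcard_trust_entries "$demo_dir/rhosts"
rm -rf "$demo_dir"
```

On a V4 cluster a `shell` result is expected, since the post above says that version still depends on rsh.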