Administering security

When you enable ClusterCATS administration security for a cluster, only authorized users are able to access and administer the cluster, using ClusterCATS Explorer (Windows) or the ClusterCATS Web Explorer (UNIX). ClusterCATS provides these administration security settings for securing your server cluster environment:

Configuring authentication on Windows

The following sections describe how to enable authentication for your environment.

Configuring local-user authentication

Local-user authentication lets ClusterCATS authenticate specific users per server. Local users of a server must have an account on the server where the web server resides.

For example, if a cluster includes several web servers and you have an account on only one of them, you can administer only that server.

To configure authentication modes for your clusters:

  1. Create a user account on each server within your cluster for each administrator whom you want to be able to administer the servers using the ClusterCATS Explorer.

    If your cluster members are NT servers, use the Windows User Manager utility to create your user accounts.

    Note:   If only one person will administer all cluster members in the cluster, be sure to create the same user account (identical user name and password) on each cluster member. The ClusterCATS Explorer will then prompt you only once for a user name and password. However, if you create multiple administrator accounts on each server, ClusterCATS Explorer will display user name and password prompts upon each attempt to access the servers from the ClusterCATS Explorer.

  2. In ClusterCATS Explorer, select a cluster.
  3. Select Configure > Administration or Cluster > Properties (both menu selections display the Properties dialog box); or right-click the cluster and select Configure > Administration.

    The Properties dialog box appears.

  4. Select Local User from the Mode drop-down box.
  5. Enter a user name and password defined for a valid account.

    Note:   ClusterCATS requires you to enter a valid user name and password after selecting the authentication type, so you do not inadvertently lock yourself out of the cluster.

  6. Click OK to enable local user authentication for the selected cluster. Only administrators who have accounts on each secured server can access and administer those cluster members using ClusterCATS Explorer.

Configuring Windows NT domain authentication

Windows NT Domain authentication lets ClusterCATS authenticate administrators who have been added to a Windows NT domain user group.

Note:   This authentication mode can be used only on NT servers and on Windows 2000 servers if the domain is using the Windows NT compatible domain controller model rather than the Active Directory model.

Before you can enable NT domain authentication on a cluster, you must create an NT global user group within the domain you want to secure. You can do this using the Windows NT User Manager for Domains utility. After you create a user group, add users to it, and enable the NT Domain authentication mode from the ClusterCATS Explorer, all users you add to that group are automatically authenticated to view and change the cluster. All servers in the cluster must reside in the same Windows NT domain unless a trusted relationship is set up between two or more domains.

A global group must exist in the domain from which the ClusterCATS Explorer is executed. Cluster members in other domains need only the trust relationship. ClusterCATS Explorer determines what servers exist in which NT domain by communicating with any Windows NT domain controller for the domain. You can view the list of servers that exist in the Windows NT domain with the Network Neighborhood Windows NT utility. If no trust relationship exists, then cluster members must be from the same Windows NT domain.

To enable Windows NT domain authentication:

  1. Select Start > Programs > Administrative Tools > User Manager for Domains to open the User Manager for Domains utility.
  2. Select User > New Global Group.

    The New Global Group dialog box appears.

  3. Enter a name and description for the group in the applicable fields.

    Your global group name must be BT_clustername, where clustername is the name of your ClusterCATS cluster.

  4. Click Add to add the administrators whom you want to have privileges to your global group.

    The Add Users and Groups dialog box appears.

  5. Select the domain from the List Names drop-down box.
  6. Select the users you want to add to the group and click Add.
  7. Click OK in all open dialog boxes to apply your changes and to close the User Manager for Domains utility.
  8. Open the ClusterCATS Explorer and select a cluster for which to configure authentication.
  9. Select Configure > Administration or Cluster > Properties (both menu selections display the Properties dialog box) or right-click the cluster and select Configure > Administration.

    The Properties dialog box appears.

  10. Select NT Domain from the Mode drop-down box.
  11. Enter the user name and password of a valid account that participates in the domain.

    Note:   ClusterCATS requires you to enter a valid user name and password after selecting the authentication type, so you do not inadvertently lock yourself out of the cluster.

  12. Click OK to enable Windows NT Domain authentication for the selected cluster. Only users whom you added to the Global User Group of the domain can use ClusterCATS Explorer to view and administer the cluster.
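
Because every user added to the BT_clustername global group is automatically authenticated to view and change the cluster, the group's membership should be compared against an approved administrator list. The following Python script is an added example, not part of the ClusterCATS documentation; it assumes the English-locale output layout of `net group <name> /domain`, and the cluster name webcluster and all account names are constructed.

```python
import re

COLUMN_WIDTH = 25  # net.exe prints member names in fixed-width columns

def _row(*names):
    """Pad names the way net.exe does (used only to build the sample)."""
    return "".join(n.ljust(COLUMN_WIDTH) for n in names).rstrip()

# Constructed sample of `net group BT_webcluster /domain` output (English
# locale). The cluster name "webcluster" and all accounts are hypothetical.
SAMPLE_OUTPUT = "\n".join([
    "Group name     BT_webcluster",
    "",
    "Members",
    "",
    "-" * 79,
    _row("alice", "bob", "svc_backup"),
    _row("tempadmin"),
    "The command completed successfully.",
])

def parse_net_group(output):
    """Return (group_name, members) from `net group <name> /domain` output."""
    group, members, in_members = None, [], False
    for line in output.splitlines():
        if line.startswith("Group name"):
            group = line[len("Group name"):].strip()
        elif re.fullmatch(r"-{10,}", line.strip()):
            in_members = True  # member rows start after the dashed rule
        elif line.startswith("The command completed"):
            break
        elif in_members and line.strip():
            # Slice by column so account names containing spaces stay intact.
            cols = range(0, len(line), COLUMN_WIDTH)
            cells = (line[i:i + COLUMN_WIDTH].strip() for i in cols)
            members.extend(c for c in cells if c)
    return group, members

def audit_cluster_admins(output, cluster, approved):
    """Compare BT_<cluster> membership with the approved administrator list."""
    group, members = parse_net_group(output)
    if group is None or group.lower() != f"bt_{cluster}".lower():
        raise ValueError(f"expected group BT_{cluster}, got {group!r}")
    have = {m.lower() for m in members}
    want = {a.lower() for a in approved}
    return {"unexpected": sorted(have - want), "missing": sorted(want - have)}

if __name__ == "__main__":
    print(audit_cluster_admins(SAMPLE_OUTPUT, "webcluster", ["alice", "bob", "carol"]))
```

Accounts reported as unexpected hold full administrative access to the cluster through group membership alone and should be reviewed first.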

Disabling authentication

Disabling authentication lets any user employ ClusterCATS Explorer to create, configure, or administer clusters. When a cluster is added, administrators have unrestricted access to the content in that cluster. Therefore, you should choose disabled mode only if security is not a concern (for example, in a development or QA environment).

By default, ClusterCATS administrator security is disabled. However, if you have previously configured the security mode for your cluster and now want to turn it off, perform the following procedure.

To disable authentication:

  1. Open the ClusterCATS Explorer and select a cluster with authentication enabled.
  2. Select Configure > Authentication or Cluster > Properties (both menu selections display the Properties dialog box), or right-click the cluster and select Configure > Administration.
  3. Select Disabled from the Mode drop-down box.
  4. Click OK to apply your changes.

Configuring authentication on UNIX

To configure authentication modes for your clusters:

  1. In ClusterCATS Web Explorer, click the Show Cluster link. The Show Cluster page appears.
  2. Enter the fully qualified host name of the server for which to configure administrator authentication in the Web Server Name field.
  3. Click OK.

    The Cluster Member List page appears.

  4. Click the Authentication link.

    The Cluster Authentication page appears.

  5. Select Local User from the Authentication drop-down box to enable local-user authentication.
  6. Select Disabled to disable authentication.
  7. If using local user authentication, enter a valid user name and password and click OK.

    ClusterCATS requires you to enter a valid user name and password after selecting the authentication type, so you do not inadvertently lock yourself out of the cluster.
