Using Authentication Keys to Ensure Secure Communications

If nodal traffic must cross an insecure network, you should consider using authentication keys to secure communication. You do this by editing the authkeys file. The structure of this file is simple; you need only two lines of configuration. On the first line, you specify which type of authentication is to be used; you can choose between crc, sha1, and md5. crc is the right choice only for a network that is already secure: it doesn't offer any real security, which is exactly why it is the fastest option. It just adds a cyclic redundancy check to every packet to make sure that packets received have not been altered in transit. The other two options, sha1 and md5, are both secure, so it doesn't really matter which one you use. In Listing 29-4, you see all the relevant lines that can be created in /etc/ha.d/authkeys to ensure that authentication takes place in a secure manner. Note that a long and complicated key is used in the example; the longer the key, the harder it is to break by brute force.

Listing 29-4. Example Contents of the authkeys File

auth 3
#1 crc
#2 sha1 secret
3 md5 h3artb3ats3cur3k3y

In this example, you see that the type of authentication to be used is referenced on the line auth 3. The 3 refers to the third line in the configuration file (or, more precisely, to the line in the configuration file that starts with a 3), where md5 authentication is configured with a shared secret. After creating this file on one of the nodes, copy it to the other node. You must do this because in a Heartbeat environment the configuration files on all servers must always be identical. Use scp as in the following example to do this:

scp /etc/ha.d/authkeys othernode:/etc/ha.d

As a last step, you need to ensure that the permission mode of the file is set to 600 on both nodes; Heartbeat will not accept a world- or group-readable authkeys file. Use the following command to accomplish this:

chmod 600 /etc/ha.d/authkeys
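As an added example (not from the book), the following POSIX shell function performs the checks a practitioner would run on an authkeys file before copying it to the other node: the file is mode 600, the auth N line points at a method line that actually exists, the method is one of crc, sha1 or md5, and a non-crc method carries a shared key. The 16-character minimum key length is an arbitrary threshold chosen for this example, not a Heartbeat requirement.

```shell
#!/bin/sh
# check_authkeys FILE: validate a Heartbeat /etc/ha.d/authkeys file.
# Returns 0 if the file is usable, 1 otherwise (the reason goes to stderr).
check_authkeys() {
    f="$1"
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }
    # Heartbeat refuses the file unless it is mode 600 (GNU stat, BSD stat fallback).
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    [ "$mode" = "600" ] || { echo "$f: mode is '$mode', want 600" >&2; return 1; }
    # The "auth N" line selects which numbered method line is active.
    sel=$(awk '$1=="auth"{print $2; exit}' "$f")
    [ -n "$sel" ] || { echo "$f: no 'auth N' line" >&2; return 1; }
    # Look for the line "N method [key]"; commented "#N" lines do not match.
    line=$(awk -v n="$sel" '$1==n{print; exit}' "$f")
    [ -n "$line" ] || { echo "$f: auth $sel points at a line that does not exist" >&2; return 1; }
    set -- $line
    method=$2; key=$3
    case "$method" in
        crc)
            # crc needs no key: integrity only, acceptable solely on a trusted network.
            echo "$f: crc selected; no authentication, integrity check only" >&2 ;;
        sha1|md5)
            [ -n "$key" ] || { echo "$f: $method requires a shared key" >&2; return 1; }
            # 16 is an example threshold: the longer the key, the harder brute force becomes.
            [ ${#key} -ge 16 ] || { echo "$f: key is only ${#key} chars; use a longer key" >&2; return 1; }
            ;;
        *) echo "$f: unknown method '$method' (expected crc, sha1 or md5)" >&2; return 1 ;;
    esac
    return 0
}
```

Run it on both nodes after the scp and chmod steps; a non-zero exit tells you which node still disagrees with the listing above.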
