IBM LoadLeveler for AIX 5L: Using and Administering

Step 16: Configuring LoadLeveler to use DCE security services

When LoadLeveler is configured to exploit DCE security, it uses PSSP and DCE security services to:

Authenticate the identity of users and programs interacting with LoadLeveler.
Authorize users and programs to use LoadLeveler services. It will prevent unauthorized users and programs from misusing resources or disrupting services.
Delegate the DCE credentials of the user submitting a job to all processes making up that job.

You can skip this section if you do not plan to use these security features or if you plan to continue to use only the limited support for DCE available in LoadLeveler 2.1. Please consult Usage notes for additional information.

When LoadLeveler is configured to exploit DCE security, most of its interactions with DCE are through the PSSP security services API. For this reason, it is important that you configure PSSP security services before you configure LoadLeveler for DCE. For more information on PSSP security services, please refer to: RS/6000 SP Planning Volume 2, Control Workstation and Software Environment (GA22-7281-05), Parallel System Support Programs for AIX Installation and Migration Guide Version 3 Release 2 (GA22-7347-02), and Parallel System Support Programs for AIX Administration Guide Version 3 Release 2 (SA22-7348-02).

DCE maintains a registry of all DCE principals which have been authorized to login to the DCE cell. In order for LoadLeveler daemons to login to DCE, DCE accounts must be set up, and DCE key files must be created for these daemons. Each LoadLeveler daemon on each node is associated with a different DCE principal. The DCE principal of the Schedddaemon running on node A is distinct from the DCE principal of the Schedd daemon running on node B. Since it is possible for up to seven LoadLeveler daemons to run on any particular node (Master, Negotiator, Schedd, Startd, Kbdd, Starter, and GSmonitor), the number of DCE principal accounts and key files that must be created could reach as high as 7x(number of nodes). Since it is not always possible to know in advance on which node a particular daemon will run, a conservative approach would be to create accounts and key files for all seven daemons on all nodes in a given LoadLeveler cluster. However, it is only necessary to create accounts and key files for DCE principals which will actually be instantiated and run in the cluster.

These are the steps used for configuring LoadLeveler for DCE. We recommend that you use SMIT and the lldcegrpmaint command to perform this task. The manual steps are also described in Manual configuration, and may be useful should you need to create a highly customized LoadLeveler environment. Some of the names used in this section are the default names as defined in the file /usr/lpp/ssp/config/spsec_defaults and can be overridden with appropriate specifications in the file /spdata/sys1/spsec/spsec_overrides. Also, the term "LoadLeveler node" is used to refer to a node on an SP system that will be part of a LoadLeveler cluster.

Using SMIT and the lldcegrpmaint command

Login to the SP control workstation as root, then login to DCE as cell_admin.
Start the SMIT program. From SMIT's main menu, select the RS/6000 SP System Management option, then select the RS/6000 SP Security option in the next menu.
Perform the appropriate steps associated with this menu to configure the security features of this SP system. From LoadLeveler's perspective, the important actions are:
- Create dcehostnames
- Configure SP Trusted Services to use DCE Authentication
Before continuing to step 4, ensure that:
- DCE hostnames for LoadLeveler nodes are defined.
- A DCE group named spsec-services and a DCE organization named spsec-services are created.
- The DCE principals of the LoadLeveler daemons on LoadLeveler nodes are created.
- The DCE principals of the LoadLeveler daemons on LoadLeveler nodes are added to the spsec-services group and the spsec-services organization.
- A DCE account is created for each DCE principal associated with the LoadLeveler daemons on the SP system.
- A DCE key file is created for each LoadLeveler daemon on the LoadLeveler nodes.
If the LoadLeveler cluster consists of nodes spanning several SP systems, then you should repeat step 1 through step 3 for each SP system.
PSSP security services use certain fields in the SDR (System Data Repository) to determine the current software configuration. Use the command "splstdata -p" to verify that the field ts_auth_methods is set to either dce or dce:compat. If ts_auth_methods is set to dce:compat then either DCE or non-DCE authentication is allowed. For some PSSP applications, this setting also implies that if DCE authentication is activated but, DCE authentication cannot be performed, then non-DCE authentication will be used. However, LoadLeveler can not change authentication methods dynamically, and the dce:compat setting simply indicates that LoadLeveler can be brought up in either DCE or non-DCE authentication modes using the DCE_ENABLEMENT keyword.
Add these statements to the LoadLeveler global configuration file:
```
DCE_ENABLEMENT = TRUE
DCE_ADMIN_GROUP = LoadL-admin
DCE_SERVICES_GROUP = LoadL-services
 
```
DCE_ENABLEMENT must be set to TRUE to activate the DCE security features of LoadLeveler. The LoadL-admin group should be populated with DCE principals of users who are to be given LoadLeveler administrative privileges. For more information on populating the LoadL-admin group, see 9. The LoadL-services group should be populated with the DCE principals of all the LoadLeveler daemons that will be running in the current cluster. You can use the lldcegrpmaint command to automate this process. For more information on populating the LoadL-services group, see step 8. Note that these daemons are already members of the spsec-services group. If there is more than one DCE-enabled LoadLeveler cluster within the same DCE cell, then it is important that the name assigned to DCE_SERVICES_GROUP for each cluster be distinct; this will avoid any potential operational conflict.
Add DCE hostnames to the machine stanzas of the LoadLeveler administration file. The machine stanza of each node defined in the LoadLeveler administration file must contain a statement with this format:
```
dce_host_name = DCE hostname
 
```
Execute either "SDRGetObjects Node dcehostname," or "llextSDR" to obtain a listing of DCE hostnames of nodes on an SP system.
Execute the command:
```
lldcegrpmaint config_pathname admin_pathname
 
```
Where config_pathname is the pathname of the LoadLeveler global configuration file and admin_pathname is the pathname of the LoadLeveler administration file. The lldcegrpmaint command will:
- Create the LoadL-services and LoadL-admin DCE groups (if they do not already exist).
- Add the DCE principals of all the LoadLeveler daemons in the LoadLeveler cluster defined by the admin_pathname file to the LoadL-services group.
For more information about the lldcegrpmaint command, see lldcegrpmaint - LoadLeveler DCE group maintenance utility.
Add the DCE principals of users who will have LoadLeveler administrative authority for the cluster to the LoadL-admin group. For example, this command adds loadl to the LoadL-admin group:
```
dcecp -c group add LoadL-admin -member loadl
 
```

Manual configuration

Here is an example of the steps you must take to configure LoadLeveler for DCE.

In this example, the LoadLeveler cluster consists of 3 nodes of an SP system which belong to the same DCE cell. Their hostnames and DCE hostnames are the same: c163n01.pok.ibm.com, c163n02.pok.ibm.com, and c163n03.pok.ibm.com. Assume that the basic PSSP security setup steps have been performed, and that the DCE group spsec-services and the DCE organization spsec-services have been created.

Login to any node in the DCE cell as root and login to DCE as cell_admin.
Create LoadLeveler's product directory if it does not already exist. First, see if the directory has already been created:
```
dcecp -c cdsli /.:/subsys
 
```
This command lists the contents of the /.:/subsys directory in DCE. LoadLeveler's product name within DCE is LoadL, so its product directory is /.:/subsys/LoadL. If this directory already exists, then continue to the next step. If it does not exist, issue to following command to create it:
```
dcecp -c directory create /.:/subsys/LoadL
 
 
```
Create the DCE principal names for all of the LoadLeveler daemons in the LoadLeveler cluster. PSSP security services expect the DCE principal name of a LoadLeveler daemon to have the format:
```
product_name/dce_host_name/dce_daemon_name
```
Where:
product_name
Is the product name and should always be set to LoadL.
dce_host_name
Is the DCE hostname of the node on which the daemon will run.
dce_daemon_name
Is the DCE name of the daemon and is defined in the file /usr/lpp/ssp/config/spsec_defaults. Go to the LoadLeveler section of this file. You will find a SERVICE record similar to this for all the seven daemons:
```
SERVICE:LoadL/Master:kw:root:system
 
```
The relevant portion of this record is Master; this is the DCE daemon name of LoadL_master. The DCE daemon names of other daemons can be identified in a similar manner.
For the c163n01.pok.ibm.com node, the following commands will create the desired principal names:
```
dcecp -c principal create LoadL/c163n01.pok.ibm.com/Master
dcecp -c principal create LoadL/c163n01.pok.ibm.com/Negotiator
dcecp -c principal create LoadL/c163n01.pok.ibm.com/Schedd
dcecp -c principal create LoadL/c163n01.pok.ibm.com/Kbdd
dcecp -c principal create LoadL/c163n01.pok.ibm.com/Startd
dcecp -c principal create LoadL/c163n01.pok.ibm.com/Starter
dcecp -c principal create LoadL/c163n01.pok.ibm.com/GSmonitor
 
```
These commands must then be repeated for each node in the LoadLeveler cluster, replacing the dce_host_name with the DCE hostname of each respective node.
Add the principals defined in step 3 to the PSSP security services' services group. This group is named spsec-services. PSSP security services require that any daemon using their APIs be members of this group. This command will add the DCE principal of the Master daemon on node c163n01 to the spsec-services group.
```
dcecp -c group add spsec-services -member LoadL/c163n01.pok.ibm.com/Master
 
```
This operation must be repeated for all of the other LoadLeveler daemons on c163n01, and the complete set of operations must be repeated for all of the nodes in the LoadLeveler cluster.
Add the principals defined in step 3 to the spsec-services organization. The following command will add the DCE principal of the Master daemon on node c163n01 to the spsec-services organization.
```
dcecp -c organization add spsec-services -member LoadL/c163n01.pok.ibm.com/Master
```
This operation must be repeated for all of the other LoadLeveler daemons on c163n01, and the complete set of operations must be repeated for all of the nodes in the LoadLeveler cluster.
Create a DCE account for each of the principals defined in step 3. This series of commands will create a DCE account for the Master daemon on node c163n01:
```
dcecp  <Enter>      
dcecp> account create LoadL/c163n01.pok.ibm.com/Master \
       -group spsec-services -organization spsec-services \
       -password  service-password -mypwd  cell_admin's-password
dcecp> quit
 
```
The service-password passed to DCE in this command can be any valid DCE password. Please take note of it since you will need it when you create the key file for this daemon in step 8. The continuation character "\" is not supported by dcecp, but appears in the example merely for clarity. This operation must be repeated for the other LoadLeveler daemons on c163n01, and the complete set of operations must be repeated for all of the nodes in the LoadLeveler cluster.
Create directories to contain the key files for the principals defined in step 3.
```
mkdir -p /spdata/sys1/keyfiles/LoadL/dce_host_name
 
```
You must login to the appropriate node to perform this operation. This operation must be repeated for every node in the LoadLeveler cluster.
NOTE: The directory /spdata/sys1/keyfiles should already exist on each node in the cluster which has been installed with a level of PSSP software that supports DCE Security exploitation. If this directory does not exist, then the node cannot support DCE Security and LoadLeveler 2.2 in DCE mode will not run on it. If this configuration seems to be in error, contact your system administrator to determine which nodes in the cluster should support DCE Security.
Create a key file for each LoadLeveler daemon on the node on which it will run. The key file contains security-related information specific to each daemon. Use this series of commands:
```
 dcecp  <Enter>
 dcecp> keytab create LoadL/c163n01.pok.ibm.com/Master \
        -storage /spdata/sys1/keyfiles/LoadL/c163n01.pok.ibm.com/Master \
        -data { LoadL/c163n01.pok.ibm.com/Master plain 1 service-password }
 dcecp> quit
 
```
You must login to node c163n01 to perform this operation. DCE must be able to locate the key file locally, otherwise the daemon's login to DCE on startup will fail. The principal name passed to DCE in the preceding example is the same principal name defined in step 3. The AIX path passed with the "-storage" flag should point to the same directory created in step 7. The principal name passed with the "-data" flag should match the principal name used at the beginning of the command. The password used in the service-password field must be the same as the service password defined when this principal's account was created in step 6.
This operation must be repeated for all of the other LoadLeveler daemons on node c163n01, and the complete set of operations must be repeated for all of the nodes in the LoadLeveler cluster.
Perform steps 5, 6, and 7 of Using SMIT and the lldcegrpmaint command.
Create the DCE groups LoadL-admin, and LoadL-services. This command creates the DCE group LoadL-admin:
```
dcecp -c group create LoadL-admin
 
```
Add the DCE principals of users who will have LoadLeveler administrative authority for the cluster to the LoadL-admin group. This command adds loadl to the LoadL-admin group:
```
dcecp -c group add LoadL-admin -member loadl
 
```
Add the principals defined in step 3 to the LoadL-services group. This command will add the DCE principal of the Master daemon on node c163n01.pok.ibm.com to LoadL-services:
```
dcecp -c group add LoadL-services -member LoadL/c163n01.pok.ibm.com/Master
 
```
This operation must be repeated for all of the other LoadLeveler daemons on node c163n01, and the complete set of operations must be repeated for all of the nodes in the LoadLeveler cluster.

Usage notes

If the DCE_ENABLEMENT keyword is set to TRUE, LoadLeveler uses the PSSP security service API to perform mutual authentication of all appropriate transactions in addition to using the pair of programs specified by DCE_AUTHENTICATION_PAIR to obtain the opaque credentials object and to authenticate to DCE before starting a job. The default pair of programs used by LoadLeveler, lldelegate and llimpersonate support credentials forwarding. See pages ***, and *** for more information on the DCE_AUTHENTICATION_PAIR keyword.
If the DCE_ENABLEMENT keyword is not defined or set to FALSE, the limited form of DCE authentication introduced in LoadLeveler 2.1 can still be activated through the use of the DCE_AUTHENTICATION_PAIR keyword in conjunction with the llgetdce and llsetdce programs or an installation defined functionally equivalent pair of programs. If this level of DCE support meets your requirements, then you can ignore the setup steps in this section.
When DCE_ENABLEMENT is set to TRUE, LoadLeveler uses a different set of criteria to determine who owns job steps, and who has administrator privileges.
- LoadLeveler considers you to be the owner of a job step if your DCE principal matches the DCE principal associated with that job step.
- LoadLeveler administrators are usually defined to LoadLeveler through a list of names associated with the LOADL_ADMIN keyword. However, when DCE_ENABLEMENT is TRUE, this list is no longer used for this purpose. Instead, users and processes whose DCE principals are members of the LoadL-admin DCE group are given LoadLeveler administrative privileges.
Note: The LOADL_ADMIN keyword is also used to provide LoadLeveler with a list of users who are to receive mail notification of problems encountered by the LoadL_master daemon. This function is not affected by the DCE_ENABLEMENT keyword.
If DCE_ENABLEMENT is set to TRUE, you must login to DCE with the dce_login command before attempting to execute any LoadLeveler command. Also, if an AIX user's user name is different from the user's DCE principal name, then the AIX user must have a .k5login file in the home directory specifying which DCE principal may execute using the AIX account. For example, if your DCE principal in the cell local_dce_cell is user1_dce, and your AIX user name is user1, then you will have to add an entry such as "user1_dce@local_dce_cell" to the .k5login file in your home directory.

[ Top of Page | Previous Page | Next Page | Table of Contents | Index ]