Overview
The presentation of a consistent view of system administration across an SSI complex requires that CA VM:Secure support the following environment characteristics:
- The CP Object Directory is identical on every member system. A user ID defined by a USER directory entry may log on to any member system (one at a time) and the virtual machine definition will be exactly the same. A user ID defined by an IDENTITY directory entry may log on to multiple members simultaneously, and each logon instance may be tailored by member-specific definitions in a SUBCONFIG directory entry.
- Resource access control, provided by the CA VM:Secure RULEs Facility, grants the same authorizations to a virtual machine wherever it is running in the complex.
- CA VM:Secure provides identical access to directory management or resource access control administration interfaces from all members of the complex. Product commands may be entered in the same way from any member system.
Any change in virtual machine definitions, configuration file statements, or access control rules must be made simultaneously to every member system in order to preserve the single system image. To accomplish this synchronization in real time, CA VM:Secure operates as a set of distributed servers, one on each member system, which communicate with each other. Each server runs in one of two modes:
- A master server runs on one member node to perform all the functions of a non-SSI CA VM:Secure server. These functions are:
  - Processing commands
  - Updating and compiling Configuration files
  - Updating and compiling CP Directory Entries
  - Updating and compiling RULE files (CA VM:Secure only)
  - Responding to External Security Manager Access Control Interface requests from CP (CA VM:Secure only)
- An agent server runs on every other member node to perform a subset of the functions of the master CA VM:Secure server. These functions are:
  - Compiling Configuration files
  - Compiling CP Directory Entries
  - Compiling RULE files (CA VM:Secure only)
  - Responding to External Security Manager Access Control Interface requests from CP (CA VM:Secure only)
- An agent server implements additional new functions. These functions are:
  - Responding to synchronization requests from the master server
  - Converting itself to replace a master if the master server has an outage