Advanced ColdFusion Administration
Configuring ColdFusion Clusters

Administrating Security

When you enable ClusterCATS administration security for a specific cluster, only authorized users are able to access and administer that cluster using their ClusterCATS Explorer (Windows) or the ClusterCATS Web Explorer (UNIX). ClusterCATS provides three administration security settings for securing your server cluster environment:

• Disabled Authentication

  This is the default setting. It provides no security challenge, and therefore anyone can access the server cluster with a ClusterCATS administration tool or even a Web browser and modify your cluster environment.

• Local User Authentication

  This is the recommended security setting for most clusters residing in small to mid-sized organizations that have only a few administrators. This setting provides a security challenge for anyone accessing the server. The authentication is based on administrative privileges that you define for specific users on each server in the cluster.

• Windows NT Domain Authentication (Windows NT Only)

  You may want to use this security setting if your organization is fairly large and contains many distributed administrator groups that need to access your server clusters. To use this setting, you must define your global administrators' group in the form "BT_clustername", where clustername is the exact name of the cluster you created with the ClusterCATS Explorer. The global administrators group must exist within the same domain as the clustered servers.

This section describes the following:

• "Configuring authentication on Windows"
• "Configuring authentication on UNIX"

Configuring authentication on Windows

The following sections describe how to enable the type of authentication most appropriate for your environment.

• "Configuring local-user authentication"
• "Configuring Windows NT domain authentication"

Configuring local-user authentication

Local-user authentication lets ClusterCATS authenticate specific users on a per-server basis. Local users of a server must have an account on the server where the Web server resides.

For example, if a cluster includes several Web servers and you only have an account on one, then you can only administer that server.

To configure authentication modes for your clusters:

1. Create a user account on each server within your cluster for each administrator that you want to be able to administer the servers using the ClusterCATS Explorer.

   For Unix, you must be a member of "sys" group. For Windows NT, you must be a member of "admin" group.

   If your cluster members are NT servers, use the Windows User Manager utility to create your user accounts.

   
   

   Note If only one person will administer all cluster members in the cluster, be sure to create the same user account (identical user name and password) on each cluster member. The ClusterCATS Explorer will consequently prompt you only once for a user name and password. However, if multiple, different administrator accounts are created on each server, ClusterCATS Explorer will display user name and password prompts upon each attempt to access the servers from the ClusterCATS Explorer.

   
   
2. Open the ClusterCATS Explorer and select a cluster.
3. Select Configure > Administration or select Cluster > Properties. Both menu selections display the Properties dialog box. Alternatively, you can right-click the cluster and select Configure > Administration.

   The Properties dialog box appears:

   

4. Select Local User from the Mode drop-down box.
5. Enter a user name and password defined for a valid account.
   

   Note ClusterCATS requires you to enter a valid user name and password after selecting the type of authentication you are using so that you do not inadvertently lock yourself out of the cluster.

   
   
6. Click OK to enable local user authentication for the selected cluster. Only administrators who have accounts on each secured server can access and administer those cluster members using ClusterCATS Explorer.

Configuring Windows NT domain authentication

Windows NT Domain authentication lets ClusterCATS authenticate administrators that have been added to a Windows NT domain user group.

Before you can enable NT domain authentication on any specific cluster, you must create an NT global user group within the domain you want to secure. You can do this using the standard Windows NT User Manager for Domains utility. After you create a user group, add users to it, and enable the NT Domain authentication mode from the ClusterCATS Explorer, all users you add to that group are automatically authenticated to view and change the cluster. All servers in the cluster must reside in the same Windows NT domain unless a trusted relationship is set up between two or more domains.

A global group must exist in the domain from which the ClusterCATS Explorer is executed. Cluster members in other domains need only the trust relationship. ClusterCATS Explorer determines what servers exist in which NT domain by communicating with any Windows NT domain controller for the domain. The list of servers that exist in the Windows NT domain can be viewed by looking at the Network Neighborhood Windows NT utility. If no trust relationship exists, then cluster members must be from the same Windows NT domain.

To enable Windows NT domain authentication:

1. Select Start > Programs > Administrative Tools > User Manager for Domains to open the User Manager for Domains utility.
2. Select User > New Global Group.

   The New Global Group dialog box appears.

3. Enter a name and description for the group in the applicable fields.

   Your global group name must be BT_clustername, where clustername is the name of your ClusterCATS cluster.

4. Click Add to add the administrators you want to have privileges to your global group.

   The Add Users and Groups dialog box appears.

5. Select the domain from the List Names drop-down box.
6. Select the users you want to add to the group and click Add.
7. Click OK in all open dialog boxes to apply your changes and to close the User Manager for Domains utility.
8. Open the ClusterCATS Explorer and select the cluster for which you want to configure authentication.
9. Select Configure > Administration or select Cluster > Properties. Both menu selections display the Properties dialog box. Alternatively, you can right-click the cluster and select Configure > Administration.

   The Properties dialog box appears.

10. Select NT Domain from the Mode drop-down box.
11. Enter a valid user name and password that participates in the domain.
    

    Note ClusterCATS requires you to enter a valid user name and password after selecting the type of authentication you are using so that you do not inadvertently lock yourself out of the cluster.

    
    
12. Click OK to enable Windows NT Domain authentication for the selected cluster. Only users who you added to the Global User Group of the domain can use ClusterCATS Explorer to view and administer clusters using the ClusterCATS Explorer.

Disabling authentication

Disabling authentication lets any user use the ClusterCATS Explorer to create, configure, or administer clusters. Once the cluster is added, administrators have unrestricted access to the content in that cluster. Therefore, you should only choose Disabled mode if security is not a concern (for example, in a development or QA environment).

By default, ClusterCATS administrator security is disabled. However, if you have previously configured the security mode for your cluster and now want to turn if off, perform the following procedure.

To disable authentication:

1. Open the ClusterCATS Explorer and select a cluster with authentication enabled.
2. Select Configure > Authentication or select Cluster > Properties. Both menu selections display the Properties dialog box. Alternatively, you can right-click the cluster and select Configure > Administration.
3. Select Disabled from the Mode drop-down box.
4. Click OK to apply your changes.

Configuring authentication on UNIX

To configure authentication modes for your clusters:

1. Open ClusterCATS Web Explorer if it is not already open.
2. Click the Show Cluster link. The Show Cluster page appears.
3. Enter the fully qualified host name of the server for which you want to configure administrator authentication in the Web Server Name field.
4. Click OK. The Cluster Member List page appears.
5. Click the Authentication link. The Cluster Authentication page appears:

   

6. Select Local User from the Authentication drop-down box to enable local-user authentication.
7. Select Disabled to disable authentication.
8. If using local user authentication, enter a valid user name and password and click OK.

   ClusterCATS requires you to enter a valid user name and password after selecting the type of authentication you are using so that you do not inadvertently lock yourself out of the cluster.

Copyright © 2001, Macromedia Inc. All rights reserved.