Strengthening SSH Communication Between HyperScale Nodes

This topic describes how to strengthen Secure Shell (SSH) protocol communication between HyperScale nodes to enhance system security and reliability.

Note

  • SSH communication is automatically secured when you upgrade the nodes to Platform Release 2022E or higher.
  • After upgrading the MediaAgents in your HyperScale environment to version 28.111 or later, you might encounter the following error when connecting to nodes via mRemoteNG:

    "Couldn't agree a client-to-server MAC"

    To resolve this, follow the guidance in the mRemoteNG documentation to update mRemoteNG PuTTY.

Before You Begin

Enable root access on the nodes if root access is currently disabled.

Procedure

Follow these steps to strengthen SSH communication between the HyperScale nodes:

  1. Log in to any one of the nodes in the cluster as the root user.

  2. Navigate to the MediaAgent directory:

    # cd /opt/commvault/MediaAgent

  3. Run the security configuration script:

    # ./cvavahi.py secure_hs

    You will see output similar to the following:

    INFO: Processing SSH configurations...
    INFO: Setting SSH cipher configurations...
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
    INFO: Completed setting SSH cipher configurations successfully...
    INFO: Setting SSH MAC configurations...
    MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
    INFO: Completed setting SSH MAC configurations successfully...
    INFO: Setting SSH KexAlgorithms configurations...
    INFO: Completed setting SSH Kex Algorithms configurations successfully...
    Removed symlink /etc/systemd/system/multi-user.target.wants/avahi-daemon.service.
    Removed symlink /etc/systemd/system/sockets.target.wants/avahi-daemon.socket.
    Removed symlink /etc/systemd/system/dbus-org.freedesktop.Avahi.service.
    Warning: Stopping avahi-daemon.service, but it can still be activated by:
      avahi-daemon.socket
    Removed symlink /etc/systemd/system/multi-user.target.wants/httpd.service.
    WARNING: Unable to update sysctl file.
    INFO: /etc/sysctl file updated successfully
    INFO: File permissions updated successfully
    Unable to find home directory for user[gluster]
    Unable to find home directory for user[insights]
    INFO: user home directories permission set successfully.
    INFO: umask set to 077 successfully...
    INFO: user umask set successfully to 077.
    INFO: Anonymous root login disabled.
    INFO: All security changes completed successfully

  4. Perform the same steps on each node in the cluster to ensure consistent SSH security settings across the environment.
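To confirm that every node ended up with the same settings, the following added example (not part of the original page and not Commvault code) audits the Ciphers and MACs in an sshd configuration against the lists printed in the script output above. The function names and the sample configuration are constructed for illustration; `first_common` models the algorithm negotiation that fails with the "Couldn't agree a client-to-server MAC" error mentioned in the note.

```sh
# Added example, not Commvault code. Expected lists are copied from the
# "cvavahi.py secure_hs" output shown on this page.
EXPECTED_CIPHERS="aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc"
EXPECTED_MACS="hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com"

# get_setting KEYWORD FILE: value of the first uncommented KEYWORD line (sshd honours
# the first occurrence). Case-insensitive, so saved `sshd -T` output works too.
get_setting() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# not_in LIST ALLOWED: print each entry of comma-list LIST that ALLOWED lacks.
not_in() {
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case ",$2," in
            *",$item,"*) ;;
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# audit_node FILE: return 0 only if Ciphers and MACs hold exactly the expected sets.
audit_node() {
    rc=0
    for key in Ciphers MACs; do
        [ "$key" = Ciphers ] && want=$EXPECTED_CIPHERS || want=$EXPECTED_MACS
        have=$(get_setting "$key" "$1")
        if [ -z "$have" ]; then
            echo "$1: $key not set, sshd built-in defaults apply"; rc=1; continue
        fi
        for a in $(not_in "$have" "$want"); do echo "$1: unexpected $key entry $a"; rc=1; done
        for a in $(not_in "$want" "$have"); do echo "$1: missing $key entry $a"; rc=1; done
    done
    return $rc
}

# first_common CLIENT_LIST SERVER_LIST: SSH negotiation picks the first
# client-offered algorithm the server also lists; no output means no agreement.
first_common() {
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case ",$2," in *",$item,"*) printf '%s\n' "$item"; return 0 ;; esac
    done
    return 1
}

# Constructed sample: a drifted node (aes256-cbc dropped, hmac-md5 added).
sample_drifted_config() {
    printf '%s\n' "Ciphers ${EXPECTED_CIPHERS%,aes256-cbc}" "MACs $EXPECTED_MACS,hmac-md5"
}
```

On a node, source the file and run `audit_node /etc/ssh/sshd_config`, assuming the script writes its settings to the standard OpenSSH server configuration path.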

What to Do Next

Disable root access, if it was previously enabled for this procedure.
