HP Insight Dynamics- VSE for ProLiant Installation and Configuration Guide

Bastille Settings on the CMS
If Bastille/Install-Time Security is used to secure the CMS, use the “Managed DMZ” level for initial lockdown.
To configure the CMS for Managed DMZ, use Procedure 2-4. For additional information, see bastille(1M).
Procedure 2-4 Configure CMS for Managed DMZ Under HP-UX Bastille
1. Copy the configuration file /etc/opt/sec_mgmt/bastille/MANDMZ.config to
/etc/opt/sec_mgmt/bastille/config.
NOTE: In some versions of HP-UX Bastille, the MANDMZ.config file might be located in a subdirectory
under /etc/opt/sec_mgmt/bastille/.
2. Add the following rules to the top of the file /etc/opt/sec_mgmt/bastille/ipf.customrules.
NOTE: Lines shown ending in “\” should be combined with the following line and entered as a single line.
# Custom CMS firewall rules
# Allow ping
pass in quick proto icmp from any to any icmp-type 8 \
    keep state
# Allow HTTP on port 280 for inbound HP SIM connections
pass in quick proto tcp from any to any port = 280
# Allow HTTPS on port 50000 for inbound HP SIM connections
pass in quick proto tcp from any to any port = 50000
# Global Workload Manager uses ports 9617 and 9618 to
# communicate with remote agents
pass in quick proto tcp from any to any port = 9617 \
    flags S keep state keep frags
pass in quick proto tcp from any to any port = 9618 \
    flags S keep state keep frags
# Application Discovery uses OpenSSL on port 9143
pass in quick proto tcp from any to any port = 9143 \
    flags S keep state keep frags
3. Run the Bastille configuration engine by entering the following command:
# /opt/sec_mgmt/bastille/bin/bastille -b
Firewall Settings on Managed Systems
The following set of protocols should be allowed through the firewall:
Internet Control Message Protocol ICMPv4 Type 8 (Echo Request), used by ping. Both inbound and
outbound ping are needed for HP SIM discovery and system status.
HTTPS over port 5989, used by WBEM.
HTTPS over port 2381, used by web agents.
SSH-2 over port 22, used by the Distributed Task Facility (DTF).
Global Workload Manager uses port 9617 on managed nodes. Refer to the “Communications Ports”
section of the HP Global Workload Manager Version 4.1 User's Guide for information about changing
the default ports.
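A practitioner applying these two port lists usually wants a way to confirm that an ipf.customrules file actually carries every inbound pass rule the guide calls for. The following checker is an added example, not HP or Bastille tooling; it parses the rule shape used in Procedure 2-4 step 2 (including the “\” continuation lines) and reports any required CMS or managed-system entry that is missing. The sample rule text is constructed from step 2 above.

```python
# Added example (not HP's tooling): check an ipf.customrules file for the inbound
# "pass" rules this guide requires; the parser only knows the rule shape used above.
import re
# (proto, tcp port or icmp type) required on the CMS (Procedure 2-4) and
# on a managed system ("Firewall Settings on Managed Systems").
CMS_REQUIRED = {("tcp", 280), ("tcp", 50000), ("tcp", 9617),
                ("tcp", 9618), ("tcp", 9143), ("icmp", 8)}
MANAGED_REQUIRED = {("tcp", 5989), ("tcp", 2381), ("tcp", 22),
                    ("tcp", 9617), ("icmp", 8)}
RULE_RE = re.compile(r"^pass\s+in\s+quick\s+proto\s+(tcp|icmp)\s+from\s+any\s+to\s+any"
                     r"\s+(?:port\s*=\s*(\d+)|icmp-type\s+(\d+))")

def logical_lines(text):
    """Yield rules with '\\'-continued lines joined and '#' comments removed."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):        # continuation: keep accumulating
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield " ".join(buf.split())
        buf = ""

def inbound_allows(text):
    """Return the set of (proto, number) the file lets in from any source."""
    allowed = set()
    for line in logical_lines(text):
        m = RULE_RE.match(line)
        if m:
            proto, port, itype = m.groups()
            allowed.add((proto, int(port or itype)))
    return allowed

def missing_rules(text, required):
    """Required entries that have no matching inbound pass rule, sorted."""
    return sorted(required - inbound_allows(text))
# Constructed sample: the CMS rules from step 2, with comments shortened.
CMS_RULES = """\
# Allow ping
pass in quick proto icmp from any to any icmp-type 8 \\
    keep state
pass in quick proto tcp from any to any port = 280
pass in quick proto tcp from any to any port = 50000
pass in quick proto tcp from any to any port = 9617 flags S keep state keep frags
pass in quick proto tcp from any to any port = 9618 flags S keep state keep frags
pass in quick proto tcp from any to any port = 9143 flags S keep state keep frags
"""
```

Running missing_rules(CMS_RULES, MANAGED_REQUIRED) shows why the CMS rule set is not a drop-in for a managed system: ports 22, 2381 and 5989 have no pass rule there.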
Bastille Settings on the Managed System
If Bastille/Install-Time Security is used to secure the managed system, use the “Managed DMZ” level for
initial lockdown. To configure a managed system for Managed DMZ, use Procedure 2-5. For additional
information, see bastille(1M).
Procedure 2-5 Configure Managed System for Managed DMZ Under HP-UX Bastille
1. Copy the configuration file /etc/opt/sec_mgmt/bastille/MANDMZ.config to
/etc/opt/sec_mgmt/bastille/config.
28 Performing an installation