HP Serviceguard Manager Plug-in Security Whitepaper, March 2009

Authentication
SMH
SMH launches an instance of Tomcat for its exclusive use. Tomcat is used as a Java web application container within which SgmgrPI resides. For Java web applications, SMH acts as a web proxy: it redirects web requests for URLs belonging to SgmgrPI, which processes these requests and sends the responses back to HPSMH, which forwards them to the client.

To safeguard the data exchanged between the client and SMH, HTTP requests must arrive at SMH at the well-known port 2381 through a secure HTTP channel, or HTTPS (see path 1 in Figure 1).

Before a client can access any functionality provided by SMH or web applications hosted by Tomcat, the client will be authenticated by the Pluggable Authentication Module (PAM) through a login process (see path 2 in Figure 1).

The actual authentication mechanism used is determined by PAM. It can be user-password (/etc/passwd), NIS, LDAP or any other mechanism supported in the PAM framework.

Successful logins create secure cookies in the client's browser, which identify the user for future requests, as well as cookie files on the server side. The use of secure cookies and HTTPS effectively creates a secure session between the client and SMH.
SgmgrPI
SgmgrPI exists as a web application, or servlet, hosted by Tomcat. Tomcat does not open any IP port to receive requests directly from the Internet or Intranet. Instead, all requests are forwarded from SMH as described above.

Since the data transferred between SMH and SgmgrPI, and other web applications hosted by Tomcat, will possibly include sensitive information, SMH employs a secure communication channel based on the use of UNIX domain sockets in HP-UX and HTTPS in Linux, to avoid data interception and spoofing (see path 3 in Figure 1).

The communication channel is strictly local to a single system, and is bound to a file on the file system or an IP address of the local system. This type of connection is used to implement communication between local processes and cannot be accessed from external hosts, eliminating the risks associated with external data interception and spoofing.

Access to the file specifying the socket address is subject to the same user/group authorization as regular files. This fact will be used to create an authentication mechanism based on regular file system credentials, to ensure that the Tomcat instance used by SMH will only accept requests coming from SMH itself.

The file used to specify the socket address will be /opt/hpsmh/logs/smh.socket in HP-UX. The /opt/hpsmh/logs/smh.socket file will be owned by the hpsmh user, the only member of the hpsmh user group. This user will also be the owner of the SMH and Tomcat processes. The files inside the /opt/hpsmh/logs directory will be accessible only to the hpsmh and root users, avoiding the risks associated with interception and spoofing of the data transferred between Tomcat and HPSMH by unauthorized local users.

In Linux, the secure communication channel is established over the URL https://localhost:1188.
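The file-system-credential scheme described above for the HP-UX socket only holds while the socket file and its directory stay restricted to the owning user (plus root). The following is an added example, not HP's code: a hypothetical `socket_access_problems` audit helper, exercised against a constructed temporary socket rather than /opt/hpsmh/logs/smh.socket, so it runs offline; the expected owner uid is passed in (hpsmh in the deployment described).

```python
import os
import socket
import stat
import tempfile

# Added example (not HP code). Checks the property the whitepaper relies on:
# the UNIX domain socket file and the directory holding it must be owned by
# the expected user and carry no group/other permission bits, so that only
# that user (and root) can connect to the Tomcat instance behind it.

def socket_access_problems(sock_path, expected_uid):
    """Return a list of findings; an empty list means the socket address
    file and its parent directory are restricted to expected_uid (and root)."""
    problems = []
    st = os.lstat(sock_path)
    if not stat.S_ISSOCK(st.st_mode):
        problems.append("not a socket")
    if st.st_uid != expected_uid:
        problems.append("socket owned by uid %d" % st.st_uid)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("socket has group/other permissions")
    dst = os.stat(os.path.dirname(sock_path))
    if dst.st_uid != expected_uid:
        problems.append("directory owned by uid %d" % dst.st_uid)
    if dst.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("directory has group/other permissions")
    return problems

def demo():
    """Constructed scenario: bind a socket inside a private (0700) directory,
    audit it, then loosen the directory to 0755 and audit again."""
    tmp = tempfile.mkdtemp()          # constructed stand-in for /opt/hpsmh/logs
    os.chmod(tmp, 0o700)
    path = os.path.join(tmp, "smh.socket")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)                    # creates the socket address file
    os.chmod(path, 0o600)             # owner-only, like the hpsmh-owned file
    uid = os.getuid()
    before = socket_access_problems(path, uid)
    os.chmod(tmp, 0o755)              # a misconfiguration the audit should catch
    after = socket_access_problems(path, uid)
    srv.close()
    os.unlink(path)
    os.rmdir(tmp)
    return before, after

if __name__ == "__main__":
    print(demo())
```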
Identity Propagation
The identity of the authenticated client will be included in the request before SMH forwards it to SgmgrPI. When the request arrives at SgmgrPI, it first extracts the user identity from the request, and establishes the user's privilege based on the retrieved identity. The privilege information is used by SgmgrPI to perform the following tasks: