HP Open View Data Protector for Security Containment

HP-UX Security Containment product. In this figure, the client system is configured with three different
compartments:
Web server compartment
backup compartment
INIT, the default system compartment
The Data Protector backup and restore agents run in the backup compartment.
Software Infrastructure
Install Open View Data Protector software on the system designated as the Cell Manager. See HP
Open View Storage Data Protector Installation and Licensing Guide (B6960-96002) for more
information on the installation.
The Security Containment product is located on the HP-UX 11iv2 December 2006 Software Pack DVD
for HP-UX 11iv2, and is an integral part of HP-UX 11iv3. See
HP-UX 11i Security Containment
Administrator’s Guide for installation instructions for Security Containment, Role-Based Access Control,
and Standard Mode Security Enhancements on HP-UX 11iv2.
On the client system, perform the following installation steps:
1. Successfully install Security Containment, Role-Based Access Control, and Standard Mode Security
Enhancements.
2. Install the Data Protector disk agent on the client system. You can install the disk agent from the Cell
Manager’s GUI. HP recommends that you install disk agents over a secure connection. To do
this, refer to the Setting up OpenSSH section of the HP Open View Storage Data Protector
Installation and Licensing Guide. Typically, most systems configured in a secure environment
(for example, the HP Protected Systems) disable other services, except for Secure Shell (SSH).
Successful installation of the disk agent on the client system adds an omni inetd entry to the
/etc/inetd.conf file. It also updates the /etc/services file to ensure that port 5555 is
mapped to omni if necessary.
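The following script is an added example, not taken from the HP guide. It checks the two changes described above: that omni maps to port 5555/tcp in a services file and that exactly one active omni entry exists in an inetd.conf file. It assumes the standard inetd.conf field order (service, socket type, protocol, ...) and a stream/tcp entry; the sample files are constructed and the server path is a placeholder.

```shell
#!/bin/sh
# Added example (not from the HP guide). Checks the two files the disk agent
# installation is described as changing; file paths are passed as arguments.

# Print every port/protocol a service name or alias maps to in a services file.
service_ports() {  # usage: service_ports NAME SERVICES_FILE
    awk -v name="$1" '
        { sub(/#.*/, "") }                      # strip comments
        NF >= 2 {
            for (i = 1; i <= NF; i++)
                if (i != 2 && $i == name) { print $2; break }
        }' "$2"
}

# Print the active (uncommented) inetd.conf entries for a service name.
inetd_entries() {  # usage: inetd_entries NAME INETD_CONF
    awk -v name="$1" '{ sub(/#.*/, "") } $1 == name { print }' "$2"
}

# Succeed only if omni maps to PORT/tcp and has exactly one stream/tcp entry.
check_omni() {     # usage: check_omni SERVICES_FILE INETD_CONF [PORT]
    port=${3:-5555}
    if ! service_ports omni "$1" | grep -qx "$port/tcp"; then
        echo "FAIL: omni is not mapped to $port/tcp in $1"; return 1
    fi
    entries=$(inetd_entries omni "$2")
    count=$(printf '%s\n' "$entries" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "FAIL: expected 1 active omni entry in $2, found $count"; return 1
    fi
    kind=$(printf '%s\n' "$entries" | awk '{ print $2 "/" $3 }')
    if [ "$kind" != "stream/tcp" ]; then   # stream/tcp is an assumption
        echo "FAIL: omni entry is $kind, expected stream/tcp"; return 1
    fi
    echo "OK: omni -> $port/tcp, one active stream/tcp inetd entry"
}

# Constructed sample files; /PLACEHOLDER/inet is not a real installation path.
demo() {
    d=${TMPDIR:-/tmp}/omni_check.$$; mkdir "$d" || return 1
    printf 'ssh 22/tcp\nomni 5555/tcp # constructed\n' > "$d/services"
    printf '# sample\nomni stream tcp nowait root /PLACEHOLDER/inet inet\n' > "$d/inetd.conf"
    check_omni "$d/services" "$d/inetd.conf"; rc=$?
    rm -rf "$d"; return $rc
}
demo
```

On a client, run `check_omni /etc/services /etc/inetd.conf` after the disk agent installation; a duplicate or commented-out omni entry is reported as a failure.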
Writing Security Policy backup
The compartments feature of the HP-UX Security Containment software enables you to isolate
processes, or subjects, from each other and also from resources, or objects. In this architecture we
have defined two different compartments: backup and Web server. As illustrated in the architecture,
there are two disk agents, DA1 and DA2, running in the backup compartment. Data
Protector’s inet process runs in the INIT compartment. The inet process is responsible for the
communication between systems in the cell and starts other processes needed for backup and restore.
The Data Protector inet service is started when Data Protector is installed on a system. For the
purposes of this document, we assume that the client communicates with the DNS servers and that the
cell servers use the interfaces in the compartment in_iface (for example, this compartment contains
one or more interface rules such as interface lan2 and interface lan3 where the client uses
either or both lan2 and lan3 to resolve DNS requests and to communicate with the cell server).
Data Protector processes communicate using TCP/IP connections. Every Data Protector client system
accepts connections on port 5555 by default. In addition, some processes dynamically allocate ports
on which they accept connections from other Data Protector processes. The incoming connections are
accepted by inetd—which is running in the INIT compartment—before handing them to the data