HP-UX Workload Manager A.03.01 Release Notes for HP-UX 11i v1 and HP-UX 11i v2

HP-UX Workload Manager Release Notes
Security
When using WLM to manage partitions, each partition must have in its truststore the
certificate of every other partition with which it is being managed.
NOTE If you use Serviceguard on the system running wlmpard, any systems to which
wlmpard might fail over must have the same certificates installed in their
truststores as does the primary wlmpard node. Therefore, be sure to install the
certificates from the systems managed by that wlmpard on any systems to
which wlmpard might fail over. Also, install the certificates from all failover
systems to the systems being managed by that wlmpard.
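As an added illustration (not part of these release notes), the following script models the truststore rule above, including the Serviceguard failover case, and reports which hosts still lack certificates; the host names and truststore contents are constructed sample data, and in practice the installed-certificate lists would be taken from wlmcert(1M) output.

```python
# Added example, not HP code: checks certificate distribution between
# WLM-managed partitions, the primary wlmpard node and its failover nodes.

def required_certs(managed, primary, failover):
    """Return {host: set of hosts whose certificates its truststore needs}.

    Rule from the release notes:
      - each managed partition needs the certificate of every other
        partition it is managed with;
      - each node wlmpard can fail over to needs the same certificates as
        the primary wlmpard node, i.e. those of all managed partitions;
      - each managed partition needs the certificates of all failover nodes
        (the primary is assumed to be trusted already, as the NOTE presumes).
    """
    managed = set(managed)
    controllers = {primary} | set(failover)
    need = {}
    for part in managed:
        need[part] = (managed - {part}) | controllers
    for ctrl in controllers:
        need[ctrl] = managed - {ctrl}   # a controller may itself be managed
    return need


def missing_certs(truststores, managed, primary, failover):
    """Return {host: sorted list of hosts whose certificate is missing}."""
    missing = {}
    for host, wanted in required_certs(managed, primary, failover).items():
        gap = wanted - set(truststores.get(host, ()))
        if gap:
            missing[host] = sorted(gap)
    return missing


# Constructed sample: two managed partitions, wlmpard on node1 with
# Serviceguard failover to node2. Values are certificate owners per truststore.
MANAGED = ["par1", "par2"]
PRIMARY = "node1"
FAILOVER = ["node2"]
TRUSTSTORES = {
    "par1": {"par2", "node1"},           # lacks the failover node's cert
    "par2": {"par1", "node1", "node2"},
    "node1": {"par1", "par2"},
    "node2": {"par1"},                   # lacks par2's cert
}

if __name__ == "__main__":
    for host, gap in missing_certs(TRUSTSTORES, MANAGED, PRIMARY, FAILOVER).items():
        print(f"{host}: truststore lacks certificate(s) from {', '.join(gap)}")
```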
Data collectors
Data collectors invoked by WLM run as root and can pose a security threat. Hewlett-Packard
makes no claims of any kind with regard to the security of data collectors not provided by
Hewlett-Packard. Furthermore, Hewlett-Packard shall not be liable for any security breaches
resulting from the use of said data collectors.
wlmgui and wlmcomd
WLM and the WLM GUI allow you to set up secure communications as described in the
wlmcert(1M) manpage. If you choose not to use secure communications, here are several
security tips:
• Do not use wlmgui over the Internet. Use wlmgui and wlmcomd only on trusted LANs where you trust all the users: all data exchanged between wlmcomd and wlmgui, including the user’s password, is transmitted without encryption over the network.
• Restrict communications between wlmcomd and wlmgui to authorized users only.
• Rely on the monitoring information from wlmgui to decide on a course of action only to the extent that you trust your intranet.
The WLM GUI sends data to wlmcomd over the network without verifying the recipient.
Each connection to wlmcomd represents a separate process on the system. As such, each
connection consumes resources, such as open file descriptors, a process ID, memory, and so
forth. A large number of connections could result in denial of service. You can restrict
connections by deploying wlmcomd on systems behind a firewall that blocks access to the
port being used.