HP-UX Workload Manager A.03.04.xx Release Notes

7 Security
This section highlights security items you should be aware of.
Relationship between host name and SSL certificates
SSL certificates are created when you install WLM. This enables WLM to run in secure mode
within the system on which it is installed. As of version A.03.01, when you start WLM using the
/sbin/init.d/wlm start script, the script uses secure mode by default. This requires that
you distribute security certificates to all systems or partitions being managed by the same WLM
global arbiter (wlmpard). In addition, if you upgrade WLM and the /etc/rc.config.d/wlm script
had been modified prior to the upgrade, you must check that the following variables in
/etc/rc.config.d/wlm are enabled (set to 1):
WLMD_SECURE_ENABLE
WLMPARD_SECURE_ENABLE
WLMCOMD_SECURE_ENABLE
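As an added example (not part of the HP release notes), the following POSIX shell function checks that the three variables listed above are set to 1 after an upgrade. It assumes /etc/rc.config.d/wlm holds plain VAR=value assignments; the function names and the sample file content are constructed for illustration.

```sh
#!/bin/sh
# Added example: verify the three WLM secure-mode variables are set to 1.
# Assumption: the rc file holds plain VAR=value assignments, one per line.
WLM_SECURE_VARS="WLMD_SECURE_ENABLE WLMPARD_SECURE_ENABLE WLMCOMD_SECURE_ENABLE"

# Print the effective value of variable $2 in file $1. Commented-out lines
# are ignored and the last assignment wins, as when the file is sourced.
wlm_var_value() {
    sed -n "s/^[[:space:]]*$2=\([^#[:space:]]*\).*/\1/p" "$1" |
        tail -n 1 | tr -d "\"'"
}

# Report every variable that is missing or not set to 1.
# Returns 0 if all are enabled, 1 if any is not, 2 if the file is unreadable.
wlm_secure_check() {
    rc_file=$1
    failed=0
    [ -r "$rc_file" ] || { echo "cannot read $rc_file" >&2; return 2; }
    for var in $WLM_SECURE_VARS; do
        value=$(wlm_var_value "$rc_file" "$var")
        if [ "$value" != "1" ]; then
            echo "$var is not enabled (value: ${value:-unset})"
            failed=1
        fi
    done
    return $failed
}

# Constructed sample of a locally modified file: one variable enabled,
# one disabled, one commented out.
wlm_write_sample() {
    cat > "$1" <<'EOF'
WLMD_SECURE_ENABLE=1
WLMPARD_SECURE_ENABLE=0
# WLMCOMD_SECURE_ENABLE=1
EOF
}

# Check the file given as $1, or the constructed sample when none is given.
if [ -n "${1:-}" ]; then
    wlm_secure_check "$1"
else
    sample="${TMPDIR:-/tmp}/wlm.sample.$$"
    wlm_write_sample "$sample"
    wlm_secure_check "$sample" || true
    rm -f "$sample"
fi
```

Run it with /etc/rc.config.d/wlm as the argument; a nonzero exit status means at least one daemon would not start in secure mode.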
The name of each certificate created when you install WLM is based on the name of the host
where the certificate is generated. Thus, on host1, the certificate is named host1.pem. This makes
it easier for you to identify trusted systems. If you have not yet assigned a host name to the
system where WLM is being installed, the certificate is given the default name loopback.pem.
When you assign a name to the host, security will continue to work even if the host name differs
from the certificate name. To achieve a match between the host and certificate names, you can
use the wlmcert command to remove the current certificate and then to reset the certificates so
that the host and certificate names match. For more information on security certificates and the
wlmcert command, see wlmcert(1M). This and other WLM manpages are also available at:
http://www.hp.com/go/wlm
When using WLM to manage partitions, each partition must have in its truststore the certificate
of every other partition with which it is being managed.
NOTE: If you use Serviceguard on the system running wlmpard, any systems to which wlmpard
might fail over must have the same certificates installed in their truststores as does the primary
wlmpard node. Therefore, be sure to install the certificates from the systems managed by that
wlmpard on any systems to which wlmpard might fail over. Also, install the certificates from
all failover systems to the systems being managed by that wlmpard.
Data collectors
Data collectors invoked by WLM run as root and can pose a security threat. Hewlett-Packard
makes no claims of any kind with regard to the security of data collectors not provided by
Hewlett-Packard. Furthermore, Hewlett-Packard shall not be liable for any security breaches
resulting from the use of said data collectors.
wlmgui and wlmcomd
WLM and the WLM GUI allow you to set up secure communications as described in wlmcert(1M).
If you choose not to use secure communications, here are several security tips:
• Do not use wlmgui over the Internet. Use wlmgui and wlmcomd only on trusted LANs
where you trust all the users: All data exchanged between wlmcomd and wlmgui, including
the user's password, is transmitted without encryption over the network.
• Restrict communications between wlmcomd and wlmgui to only authorized users to improve
security.