HP-UX Workload Manager A.03.04.xx Release Notes

Rely on the monitoring information from wlmgui to decide on a course of action only to
the extent that you trust your intranet.
The WLM GUI sends data to wlmcomd over the network without verifying the recipient.
Each connection to wlmcomd represents a separate process on the system. As such, each
connection consumes resources, such as open file descriptors, a process ID, memory, and
so forth. A large number of connections could result in denial of service. You can restrict
connections by deploying wlmcomd on systems behind a firewall that blocks access to the
port being used.
Partitions
WLM manages virtual partitions and nPartitions through a global arbiter. WLM’s global
arbitration uses non-secured communications. A rogue user could manipulate the communications,
resulting in one or more partitions being granted an incorrect number of cores. Use global
arbitration only on trusted local area networks.
By default, wlmpard communicates to the partitions on a system through port 9691.
If the partitions use a firewall or if you are using the HP-UX Bastille product on the partitions,
it is likely that communications on this port are being blocked. To use wlmpard in your
environment, specifically allow port 9691 or another port to be open to incoming connections.
If you use a port other than 9691, be sure to restart wlmpard to communicate on the new port.
If you use Bastille or the Install-Time-Security Levels to configure the IPFilter firewall, you may
want to put the rules regarding which port to leave open in the following file:
/etc/opt/sec_mgmt/bastille/ipf.customrules
After that, run bastille -b to load the rules and make sure that Bastille does not remove them
later during subsequent runs/lockdowns.
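
One way to check a rules file before loading it, as an added example that is not part of the HP release notes: the function reports whether the wlmpard port is opened at all and whether it is limited to named sources, in line with the trusted-network guidance above. It assumes wlmpard traffic is TCP and standard IPFilter rule syntax; the function names, sample rules and the 192.0.2.0/24 subnet are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit ipf.customrules-style IPFilter rules for the wlmpard port.
# Assumption: wlmpard traffic is TCP; sample rules and addresses are constructed.

# audit_wlmpard_rules [PORT] < rules  ->  prints missing | open-to-any | restricted
audit_wlmpard_rules() {
    awk -v port="${1:-9691}" '
        /^[ \t]*#/ { next }                      # ignore comment lines
        $1 == "pass" && $2 == "in" {
            src = ""; dst = 0; hit = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "from") src = $(i + 1)
                if ($i == "to")   dst = 1        # only a destination port counts
                if (dst && $i == "port" && $(i + 1) == "=" && $(i + 2) == port) hit = 1
            }
            if (!hit) next
            found = 1
            if (src == "any" || src == "0.0.0.0/0" || src == "") wide = 1
        }
        END {
            if (!found)    print "missing"       # no rule allows the port
            else if (wide) print "open-to-any"   # reachable from any source
            else           print "restricted"    # limited to named sources
        }
    '
}

# Constructed sample: port opened to every source address.
sample_rules_open() {
    cat <<'EOF'
pass in quick proto tcp from any to any port = 9691 flags S keep state
EOF
}

# Constructed sample: port opened only to a documentation-range subnet.
sample_rules_restricted() {
    cat <<'EOF'
# wlmpard global arbitration, trusted LAN only
pass in quick proto tcp from any to any port = 22 flags S keep state
pass in quick proto tcp from 192.0.2.0/24 to any port = 9691 flags S keep state
EOF
}

# Usage: sh audit.sh /etc/opt/sec_mgmt/bastille/ipf.customrules [PORT]
if [ -n "${1:-}" ]; then
    audit_wlmpard_rules "${2:-9691}" < "$1"
fi
```

A verdict of open-to-any means the arbitration port is reachable from every source address the firewall sees, which is wider than the trusted local area network the notes call for.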