Best Practices for Deploying HP-UX Secure Resource Partitions (SRP) for SAP Whitepaper
4. Now SRP has to be configured on the host. This is done in the INIT compartment as root user
with the command srp_setup. For details on how to use srp_setup, refer to the SRP
Administrator's Guide.
At a minimum, the following services have to be activated:
    cmpt
    admin
    init
    login
    network
    provision
5. After initially calling srp_setup, login problems with a user other than root to the INIT
compartment might occur. See the section of this white paper, "How to enable login to the
INIT compartment", for a solution.
6. Create the SRP compartment and configure the base template with IP address and optional
hostname. Create an SRP-specific UNIX login group and add the SAP users to this group. Use
this group as login group when creating the SRP compartment with the command "srp -a
<compartment>" as described in the SRP Administrator's Guide.
Include the sshd template.
7. If the IPFilter service will be used, refer to the SAP document TCP/IP Ports Used by SAP
Applications to see which ports have to be enabled.
8. To include the SAP-specific rule files, copy the script from the section of this white paper, "Script
add_new_system", into a new file on your system. Also copy the file SAP_RUN.h to
/etc/cmpt/include. Grant execution permission to the script add_new_system and call it as
root user in the INIT compartment:
    add_new_system <SRP compartment> <SID> <DBSID> <Systemnr> RUN
If the rule file for the installation of an SAP system is already included in the compartment, it
will be replaced with a new allow rule file. If the BLOCK rule file for all compartments was
not yet extended by the SAP system, this extension will be done as well. The compartment will
be updated with the new rule files.
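The following pre-flight wrapper is an added example and is not part of this white paper or of HP-UX SRP. It checks the arguments to add_new_system before anything is written to the compartment configuration, so a typo in a SID or system number is caught before the rule files are generated. It assumes the add_new_system script from the white paper is on the PATH and takes the arguments shown above; the SID format (three characters, uppercase letter first) and two-digit system number are general SAP naming rules, and the compartment-name character set is an assumed local policy rather than an SRP rule.

```sh
#!/bin/sh
# Added example wrapper around the add_new_system call described in step 8.
# Not part of the white paper; assumes add_new_system is on the PATH and takes
# <SRP compartment> <SID> <DBSID> <Systemnr> RUN as shown above.
LC_ALL=C; export LC_ALL   # keep [A-Z] ranges strictly ASCII uppercase

# SAP system ID: one uppercase letter followed by two uppercase letters or digits
# (general SAP naming rule, not taken from this page).
validate_sid() {
    case "$1" in
        [A-Z][A-Z0-9][A-Z0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# SAP instance (system) number: exactly two digits, 00-99.
validate_sysnr() {
    case "$1" in
        [0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Compartment name: conservative character set so nothing shell-significant
# reaches the script (assumed local policy, not an SRP requirement).
validate_compartment() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the exact add_new_system command line that would run, or report the
# first bad argument on stderr and return 1.
build_command() {
    cmpt=$1; sid=$2; dbsid=$3; sysnr=$4
    validate_compartment "$cmpt" || { echo "bad compartment name: '$cmpt'" >&2; return 1; }
    validate_sid "$sid"          || { echo "bad SID: '$sid'" >&2; return 1; }
    validate_sid "$dbsid"        || { echo "bad DBSID: '$dbsid'" >&2; return 1; }
    validate_sysnr "$sysnr"      || { echo "bad system number: '$sysnr'" >&2; return 1; }
    printf 'add_new_system %s %s %s %s RUN\n' "$cmpt" "$sid" "$dbsid" "$sysnr"
}

main() {
    [ "$#" -eq 4 ] || { echo "usage: $0 <SRP compartment> <SID> <DBSID> <Systemnr>" >&2; exit 2; }
    # The white paper requires running add_new_system as root in the INIT compartment.
    [ "$(id -u)" -eq 0 ] || { echo "must be run as root in the INIT compartment" >&2; exit 2; }
    cmd=$(build_command "$@") || exit 1
    echo "running: $cmd"
    add_new_system "$1" "$2" "$3" "$4" RUN
}

# Only act when invoked with arguments; sourcing the file just defines the functions.
[ "$#" -gt 0 ] && main "$@"
```

Invoke it as root in the INIT compartment with the same four values you would pass to add_new_system, for example `./check_add_new_system sap_prd PRD PRD 00`; the trailing RUN is appended by the wrapper.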
9. Optional: Create a separate compartment for saposcol
If the usage of saposcol will also be secured, the following section, "Best practices for
configuring saposcol for several SAP systems", should be taken into account. As only one
saposcol may run per OS instance, a separate compartment has to be created to grant all
SAP instances access to saposcol. For details on how to create this compartment, see the section
of this white paper, "Best practices for configuring saposcol for several SAP systems". If you
are using the default rule file created with the script add_new_system, the execution
permission for saposcol is already denied. saposcol has to be started manually once as root
user in the saposcol compartment.
Best practices for configuring saposcol for several SAP systems
To get the highest level of isolation between different SAP systems in SRP compartments, it is
recommended to create a special compartment only for saposcol. Running saposcol requires the login
of a root user, the execution permission for saposcol and IPC access to the other compartments to
gather process information.