Manualshelf

Best Practices for Deploying HP-UX Secure Resource Partitions (SRP) for SAP Whitepaper

ManualsBrandsHP ManualsSoftwareHP-UX Containers (SRP)
12345678910
6
Hostname considerations
With SRP, it is possible to use the physical hostname for all SRP compartments or define a hostname
for each SRP compartment. It is mandatory for each compartment to have a unique IP Address.
It is dependent upon the planned SAP landscape as to whether or not a virtual host is used. If each
SRP compartment has its own hostname, the SAP system should be installed with the virtual hostname
option offered for sapinst. Changing the hostname after the SAP installation is very complicated and
is not supported for the SAP J2EE engine part.
Note
Make sure during the planning phase that no SID, DBSID or instance
number is used more than once on the host.
This document assumes that several SAP systems, isolated from each other, will be running on one
host. Each SAP system will run in a separate SRP compartment with dedicated OS user login rights.
The directories are not only isolated from each other, but the running processes cannot be shared
between the compartments, with the only exception being the executable, saposcol. Details about
saposcol can be found in the section of this white paper, ”Known limitations.”
In the section,Example configurations,” default directory permissions are listed for installing an SAP
system, running the SAP system and blocking other SAP systems. These activities are primarily based
on directory control.
IPFilter consideration
With SRP, it is also possible to use the IPFilter option for each SRP compartment. The tests conducted
for this white paper used activated IPFilter, but since the ports required by SAP are very customer and
use-case specific, no rule file for ports is provided in this document. If you want to use IPFilter, refer to
the SAP documentation TCP/IP Ports Used by SAP Applications for the list of ports SAP requires.
Resource consideration
By default, SRP will configure all SRP compartments with the same share of total memory and CPU.
The share enforcement will only take place when system CPU or memory limits are hit. Refer to the HP-
UX Secure Resource Partitions (SRP) Administrator's Guide HP-UX 11i
v3 for more information on
how to customize resource shares for an SRP compartment.
Being logged in as a root user in HP-UX, it is always possible to log in as any other user without
providing a password. Even with SRP compartments this rule is valid as the same /etc/passwd file is
used and the root user ID (0) is the same for all root users on the system. Therefore, it is not possible
to distinguish between the different root accounts for the different SRP compartments when calling
su”.
For example, you may switch from the root user in SRP compartment SAPSRP1 to the <sid>adm of SRP
compartment SAPSRP2 without providing a password. Even if the user appears to be logged in, the
rules of compartment SAPSRP1 still apply. The user environment cannot be accessed and the
directories and processes of SAPSRP2 cannot be accessed. This issue is not an SRP-related security
issue, but, rather, it is common to UNIX® systems.
Handle the login privileges for any root user in the usual security-sensitive way; that is, only selected
personnel should know the root password.