HP-UX Secure Resource Partitions (SRP) A.02.00 Administrator's Guide
determines the priority for a new policy by adding n to the current highest priority for that policy
category, where n is the automatic priority increment value. When a policy is added with this
mechanism, it becomes the last policy evaluated before the default policy in the category; you
might have to modify the priority value for your policies.
Using IPSec with IPFilter
HP-UX IPFilter is located below HP-UX IPSec in the networking stack. HP-UX IPFilter processes
inbound IP packets before HP-UX IPSec and processes outbound packets after HP-UX IPSec.
If HP-UX IPSec secures a packet (the packet has an AH or ESP header), HP-UX IPFilter cannot
filter the packet based on upper-layer information such as TCP port numbers, connection
states, or ICMP message types. The only upper-layer information that HP-UX IPFilter processes
for such a packet is the IP protocol number. IPSec packets therefore do not match any IPFilter
rules based on the TCP, UDP, or ICMP protocol type or on field values for these protocols (such
as port numbers).
To use IPSec with IPFilter, you must configure IPFilter to pass the following packets:
• IP packets with protocol 50 (IPsec Encapsulating Security Payload protocol, ESP)
• IP packets with protocol 51 (IPsec Authentication Header protocol, AH)
• UDP packets with port 500 (IPsec Internet Key Exchange protocol, IKE)
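The following script, an added example and not part of the guide, generates the IPFilter rules that pass those three kinds of traffic. Because IPFilter sits below IPSec, a protected packet is still AH or ESP on both the inbound leg (filtered before decryption) and the outbound leg (filtered after encryption), so each protocol gets a rule in each direction. The ipf.conf rule syntax, the default output path /tmp/ipf.conf.ipsec, and the function names are standard IPFilter usage or my own assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example (not from the HP-UX SRP guide): emit an HP-UX IPFilter rule
# fragment that lets IPSec traffic through. Assumptions: standard ipf.conf
# syntax; "quick" makes a rule final (IPFilter otherwise lets the last matching
# rule win), so these take effect even if they sit before block rules.

ipsec_passthrough_rules() {
    cat <<'EOF'
# --- IPSec pass-through: IPFilter cannot see inside AH/ESP, so it can only
# --- match on the IP protocol number, and must do so in both directions.
# ESP, IP protocol 50
pass in  quick proto 50 from any to any
pass out quick proto 50 from any to any
# AH, IP protocol 51
pass in  quick proto 51 from any to any
pass out quick proto 51 from any to any
# IKE, UDP port 500: negotiated in the clear, so a port-based rule works here
pass in  quick proto udp from any to any port = 500
pass out quick proto udp from any to any port = 500
EOF
}

# Number of "pass" rules the generator emits, for a sanity check of the fragment.
ipsec_passthrough_rule_count() {
    ipsec_passthrough_rules | grep -c '^pass'
}

# Write the fragment to the file named in $1 (default: a scratch file, so the
# script is safe to run on any host). It is then merged into the live ipf.conf
# by hand; the script deliberately does not reload the firewall itself.
out="${1:-/tmp/ipf.conf.ipsec}"
ipsec_passthrough_rules > "$out"
echo "wrote $(ipsec_passthrough_rule_count) pass rules to $out"
```

Merge the fragment into the IPFilter configuration file (on HP-UX, /etc/opt/ipf/ipf.conf by default) and reload with `ipf -Fa -f /etc/opt/ipf/ipf.conf`. Note what the fragment cannot do: any `keep state` or port-based rules written for the hosts on the far side of the tunnel never see the inner TCP, UDP, or ICMP headers, so access control on that traffic has to be done by IPSec policy (or by IPFilter on the cleartext side of the endpoint) rather than by these rules.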
Completing the Configuration
After you configure a base compartment, you can apply an application template to add
application-specific configuration data. For more information, see Chapter 6 (page 47), Chapter 7
(page 53), Chapter 8 (page 57), or Chapter 9 (page 61).
Starting the SRP Compartment
To start the SRP compartment, use the srp -start compartment_name command. If you
configured an IP interface for this compartment, the startup script sets the interface state to UP.
For more information about starting SRP compartments, see Chapter 10 (page 65).
Replacing or Deleting Base SRP Data
Use the following command to replace base template data in an SRP compartment:
srp -r[eplace] compartment_name -t base [-s service[,service]...]
The srp -replace command deletes the specified data, then prompts you for replacement
data. For example, the following command deletes all PRM data for the base template, then
prompts you for replacement data:
srp -replace myCmpt -t base -s prm
Use the following command to delete base template data from an SRP compartment:
srp -d[elete] compartment_name -t base [-s service[,service]...]
You cannot delete the cmpt service from an SRP compartment. The cmpt service is required for
all SRP compartments.
CAUTION: If you do not specify the -template and -service arguments, srp deletes the
compartment or replaces all data for the compartment. For example, the srp -delete myCmpt
command deletes the myCmpt SRP compartment.
For more information, see “Deleting Configuration Data” (page 69) and “Replacing Configuration
Data” (page 69).
Starting the SRP Compartment 45