HP-UX Secure Resource Partitions (SRP) A.02.02 Administrator’s Guide
HP-UX 11i v3

Table of contents

Preface .... 5
Intended Audience .... 5
Typographic Conventions
4 Reporting Process Status for an SRP Compartment .... 25
5 Using SRP Manager .... 26
5.1 Configuring and Managing SRPs with SRP Manager .... 26
6 Getting Started with SRP
11.2 Replacing or Deleting Custom SRP Data .... 65
12 Using the oracledb Template .... 66
12.1 Adding the oracledb Template to an SRP Compartment .... 66
12.1.1 The cmpt Service
Appendix A Configuration Example .... 98
A.1 Sample Base Configuration .... 98
The base.srp_incl File .... 99
Appendix B SRP Serviceguard Default Route Script
Preface
This document describes how to install, configure, and troubleshoot HP-UX Secure Resource Partitions (SRP).
Intended Audience
This document is intended for system and network administrators responsible for installing, configuring, and managing HP-UX SRP. Administrators are expected to have knowledge of operating system and networking concepts, commands, and configuration.
points of the main text.
Related Information
For more information about the products and subsystems used with SRP, see the following documentation:
• HP-UX Security Containment and Role-Based Access Control (RBAC), documented in the HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3.
• HP-UX IPFilter
• HP-UX IPSec
• HP-UX Encrypted Volumes and File Systems (EVFS)
These documents are located at: http://www.hp.
1 Introduction
This chapter addresses the following topics:
• 1.1 Product Overview
• 1.2 SRP Components
• 1.3 Planning Considerations and Best Practices
• 1.4 Installing SRP
• 1.5 Migrating to A.02.02
1.1 Product Overview
HP-UX Secure Resource Partitions (SRP) provides a lightweight workload consolidation environment that enables you to consolidate multiple workloads within a single instance of the HP-UX operating system.
Figure 1.1 SRP Compartments Example 1.1.1 Securing SRP Compartments SRP provides a framework for managing compartment and networking security. This framework is primarily enforced with Security Containment compartment access rules. The default set of compartment access rules delivered with SRP has been developed to favor functional isolation, application compatibility and user session functionality over strong security containment.
You can also use HP-UX Encrypted Volume and File system (EVFS) to protect disk data at rest, or disk data that is not in use, such as when a disk device is physically transported. For more information on EVFS, see the HP-UX Encrypted Volume and File system (EVFS) Administrator's Guide. 1.1.
1.1.2.2 HP Process Resource Manager (PRM) HP Process Resource Manager (PRM) manages CPU and memory allocation and enables you to configure dedicated resources for an SRP compartment. PRM can be used to set minimum and maximum allocations of system resources available to processes in an SRP compartment. When PRM is enabled for SRP, each SRP compartment is assigned a PRM group. 1.1.2.3 IP Interfaces You can use SRP to create an IP interface for exclusive use by the compartment.
1.2.1 The SRP Manager
The SRP Manager is integrated in the System Management Homepage (SMH) and provides a graphical user interface (GUI) to configure and manage HP-UX SRPs. See 5 Using SRP Manager for more information.
1.2.2 The srp_sys Utility
The /opt/hpsrp/bin/srp_sys utility manages system-wide configuration properties for SRP. You must run srp_sys -setup to configure the system for SRP before configuring individual SRPs on the system.
• base Configures a base SRP compartment without any application-specific parameters. A base compartment consists of a Security Containment compartment, a compartment home directory subtree, a compartment file system view, and other configuration data. After you create a base SRP compartment, you can apply one of the following application templates to extend the base with parameters suitable for applications hosted by a compartment.
• login Defines the users and groups allowed to log in to the SRP compartment. Uses the HP-UX Security Containment RBAC and compartment login features to configure compartment login access for a set of HP-UX users and groups. If compartment login is enabled for the system with the default RBAC configuration and you do not configure the SRP login service, only the root (UID 0) user is allowed to log in to the compartment.
• prm Configures a PRM group for the SRP compartment.
1.3 Planning Considerations and Best Practices This section contains information to consider when planning an SRP deployment and best practices to follow when managing a system with SRP compartments. 1.3.1 Compatibility with Other Partitioning Continuum Products HP-UX SRP is a component of the Partitioning Continuum for HP-UX and is compatible with HP-UX nPartitions, HP-UX vPar, and Integrity Virtual Machine (VM) solutions.
will succeed. However, the sshd daemon running in the SRP compartment might not receive SSH connection requests on its socket. To prevent sshd address collisions, the srp_sys utility prompts for the system sshd configuration file name (the configuration file that the sshd daemon running in the INIT compartment would use) and checks if this file configures the daemon to listen on a wildcard IP address.
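The wildcard-address check described above, as an added example that is not part of the HP guide: a POSIX sh function that inspects an sshd_config the way srp_sys -setup is described to, treating an explicit 0.0.0.0 or :: ListenAddress, and also the absence of any ListenAddress directive (sshd then binds the wildcard), as a collision risk for a compartment sshd. The function names and the three constructed sample configurations are mine.

```shell
#!/bin/sh
# Added example, not part of the HP SRP guide: approximates the check that
# srp_sys -setup performs on the system sshd configuration (the file the
# INIT-compartment sshd would use).  Function and file names are assumptions.
#
# sshd binds the wildcard address when ListenAddress is 0.0.0.0 or ::, and
# also when no ListenAddress directive is present at all, so both cases are
# reported as a collision risk for an sshd running inside a compartment.

# Print the wildcard address found ("none" when the directive is absent) and
# return 0 when the configuration binds the wildcard; return 1 when every
# ListenAddress names a specific address.  Parsing follows sshd_config
# conventions: leading whitespace allowed, lines starting with '#' are
# comments, keywords are case-insensitive, and "host:port" or "[v6]:port"
# forms carry a port that is stripped before the address is inspected.
sshd_listens_on_wildcard() {
    cfg=$1
    found=0
    while read -r key addr _rest || [ -n "$key" ]; do
        case $key in ''|\#*) continue ;; esac
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        [ "$key" = "listenaddress" ] || continue
        found=1
        case $addr in
            \[*\]*) addr=${addr#\[}; addr=${addr%%\]*} ;;  # [2001:db8::1]:22
            *:*:*)  ;;                                     # bare IPv6 address
            *:*)    addr=${addr%:*} ;;                     # 192.0.2.1:22
        esac
        case $addr in
            0.0.0.0|::) echo "$addr"; return 0 ;;
        esac
    done < "$cfg"
    if [ "$found" -eq 0 ]; then
        echo none          # no directive: sshd listens on the wildcard
        return 0
    fi
    return 1
}

# Constructed sample configurations, written to temporary files so the check
# can be exercised without touching the real system sshd_config.
SRP_EX_DIR=${TMPDIR:-/tmp}/srp_sshd_check.$$
write_sample_configs() {
    mkdir -p "$SRP_EX_DIR"
    # 1: explicit wildcard, the case srp_sys warns about
    cat > "$SRP_EX_DIR/wildcard" <<'EOF'
# constructed sample: system sshd bound to every address
Port 22
#ListenAddress 192.0.2.10
listenaddress 0.0.0.0
Protocol 2
EOF
    # 2: no ListenAddress at all, which also means the wildcard
    cat > "$SRP_EX_DIR/default" <<'EOF'
# constructed sample: no ListenAddress directive
Port 22
Protocol 2
EOF
    # 3: pinned to INIT-compartment addresses, leaving the compartment
    #    address (192.0.2.1 in the guide's example) free for its own sshd
    cat > "$SRP_EX_DIR/bound" <<'EOF'
# constructed sample: system sshd pinned to the INIT compartment addresses
Port 22
ListenAddress 192.0.2.10:22
ListenAddress [2001:db8::10]:22
EOF
}

# Report one configuration file in the style of the srp_sys check output.
report_sshd_config() {
    if wild=$(sshd_listens_on_wildcard "$1"); then
        printf 'Checking %s ... [ wildcard listen: %s ]\n' "$1" "$wild"
    else
        printf 'Checking %s ... [ OK ]\n' "$1"
    fi
}

write_sample_configs
for f in wildcard default bound; do
    report_sshd_config "$SRP_EX_DIR/$f"
done
```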
NOTE: By default, RBAC configuration also authorizes the root user to log in to all compartments. 1.3.6 Compatibility with the Bastille Revert Feature If you use the bastille -r command to revert to the Bastille baseline configuration, you may lose any IPFilter rules configured using SRP that are not in the baseline. HP recommends that you do not configure the IPFilter service with SRP if you are using Bastille to manage IPFilter rules. If Bastille is managing IPFilter rules, the /etc/opt/ipf/ipf.
/etc/opt/hpsrp/cmpt/base.srp_incl
/etc/opt/hpsrp/templates/srpdefaults.cst
/etc/opt/hpsrp/cmpt/oracledb.srp_incl
/etc/opt/hpsrp/cmpt/sshd.srp_incl
/opt/hpsrp/bin/util/secsh_setup
/opt/hpsrp/bin/util/srp_backup
/opt/hpsrp/bin/util/srp_restore
/opt/hpsrp/bin/util/apache_setup
If you are upgrading from a previous version of SRP and have already modified one of these files, the modified version will be used.
2 Setting Up an SRP
This chapter describes how to use srp_setup to set up the SRP environment. This chapter addresses the following topics:
• 2.1 The srp_sys Utility
• 2.2 Using srp_sys -setup to Set or Modify System Properties
• 2.3 Example: srp_sys -setup
• 2.4 Using srp_sys -list to Display System Properties
• 2.5 Example: srp_sys -list
2.1 The srp_sys Utility
The /opt/hpsrp/bin/srp_sys utility is used to set and view system-wide configuration properties that affect SRP.
IMPORTANT: By default, once compartment login is enabled, only the root user (user name root) is allowed to log in to the INIT compartment. To allow additional users to log in to the INIT compartment, you must assign them the RBAC role SRPlogin-init.
init (compartment startup and shutdown scripts) [y] RETURN
login (compartment login via pam_security) [y] RETURN
network (IP address and network interface management [y] RETURN
prm (Process Resource Management) [y] RETURN
ipfilter (ipfilter host firewall rules) [n] RETURN
ipsec (ipsec secure transport rules) [n] RETURN
provision (run customizable provision script) [y] RETURN
Selected SRP service(s) are: cmpt,admin,init,login,network,prm,provision
Would you like to save the changes? [y] RETURN
Saving SRP def
##############################
#
# network configuration
#
##############################
Checking network strong ES model ... [ Enabled ]
Checking compartment IPv4 routing policy ... [ Enabled ]
Checking compartment IPv6 routing policy ... [ Enabled ]
Checking kernel tunable cmpt_allow_local ... [ Enabled ]
##############################
#
# sshd configuration
#
##############################
Checking sshd configuration ...
Would you like to set/change IPsec password? [n] RETURN
Checking IPsec starts at boot-up... [ Enabled ]
##############################
#
# SRP setup completed.
#
##############################
2.4 Using srp_sys -list to Display System Properties
You can use the srp_sys -list command to review the current settings for system-wide configuration options affecting SRP.
3 Executing the su Command in the Target SRP
The srp_su command executes the su(1) command in the specified SRP. You must execute the srp_su command from within the INIT compartment. System administrators can use this command to log in or execute a command within an SRP. This chapter addresses the following topics:
• 3.1 Using the srp_su Command
• 3.2 Allowing Additional Users to Use the srp_su Command
• 3.3 Example: Using the srp_su Command to Login to the Target SRP
3.
The root user logs in from the INIT compartment to the mySRP SRP as user admin1 with a new login session in mySRP:
# /opt/hpsrp/bin/srp_su mySRP - admin1
User admin1 logs in from the INIT compartment to the mySRP SRP as admin2 with a new login session, where admin2 is configured for compartment login.
Create a new RBAC rule to allow user admin1 to use the srp_su command as follows:
1. Create a new hpux.security.srp_su authorization.
# authadm add hpux.security.srp_su
2.
4 Reporting Process Status for an SRP Compartment
To report process status for an SRP compartment, use the srp_ps utility, located in the /opt/hpsrp/bin directory. The srp_ps utility invokes the ps command with the provided ps_arguments and filters the ps output for the desired SRP compartment:
srp_ps [srp_name] [ps_arguments]
When you run the srp_ps utility from the INIT compartment and supply an srp_name, srp_ps prints process status for the specified compartment.
5 Using SRP Manager
The SRP Manager is integrated in the System Management Homepage (SMH) and provides a graphical user interface (GUI) to configure and manage HP-UX SRPs. With SRP Manager, you can perform the following tasks:
• Monitor SRP status and activity on your system
• Create a new SRP
• Start or stop an SRP
• Export and import an SRP
• Modify an SRP
• Delete an SRP
NOTE: HP requires that you run srp_sys -setup before using SRP Manager.
When you create an SRP using SRP Manager, you can define a new SRP for your system and provision the SRP-specific directory tree. You can also specify optional services (Network, PRM, IPFilter, IPSec) and templates (SSHD, Apache, Tomcat, Custom, and Oracle) to apply to the SRP. To create an SRP, from the SRP Manager home page, click Create an SRP and the following screen appears:
Figure 5.
Once an SRP is created, you can add or modify its configurations and service templates. To view or modify an SRP, from the SRP Manager home page, click View/Modify and the following screen appears: Figure 5.3 SRP Manager – Viewing or Modifying an SRP From the SRP Manager help files, select the Viewing or Modifying an SRP help menu item for more information on viewing or modifying an SRP.
6 Getting Started with SRP
This chapter shows the commands used to manage the lifecycle of a sample SRP compartment. This chapter addresses the following topics:
6.
Step 1: Setting Up SRP
In this example, the product has just been installed. The root user runs srp_sys -setup to enable the subsystems managed by SRP. HP requires that you run srp_sys -setup before using SRP Manager or the srp utility, but you can run it at any time to change the default parameters for SRP or to verify the status of the subsystems configured by SRP. Now that you have set up SRP, you can configure and manage your SRP using SRP Manager or the srp utility.
192.0.2.1 for the compartment address and lan1 for the network interface. The user accepts the default values for all other variables. The command output and user input for this example are as follows:
# /opt/hpsrp/bin/srp -a mySRP
Enter the requested values when prompted, then press return.
Enter "?" for help at prompt. Press control-c to exit.
Compartment Configuration (/etc/cmpt/mySRP.rules): @tag-start compartment="mySRP" template="base" service="cmpt" id="1" ; #include "/opt/hpsrp/etc/cmpt/base.
---------------------------------------------------------------------Compartment Configuration (/etc/cmpt/mySRP.
***********************************************
Compartment mySRP startup in progress
Mon Dec 7 13:58:18 IST 2009
***********************************************
Configure LAN interfaces.................................... [ OK ]
Mounting file systems in /var/hpsrp/mySRP/etc/fstab......... [ OK ]
Starting HP-UX Secure Shell................................. [ OK ]
Step 8: Listing SRP status information
To display the status of an SRP, the srp command can be called with the status option.
The following template variables have been set to the values shown:
prm_cpu_shares = 20
Press return or enter "yes" to make the selected modifications with these values.
Do you wish to continue? [yes]
replace prm rules succeeded
Step 10: Stopping the SRP Compartment
To stop an SRP compartment, enter the following command:
srp -stop srp_name
This stops the SRP compartment by executing the shutdown scripts in the /var/hpsrp/srp_name/sbin/init.d subdirectories and setting the SRP state to “stopped”.
7 Using the SRP Environment
Once you have created an SRP and started it with the srp -start command, the SRP is available for user sessions and execution of programs. This chapter discusses the following topics:
• 7.1 Establishing a User Session in the SRP
• 7.2 Managing SRP Startup and Shutdown Actions
• 7.3 Deploying Applications in an SRP Environment
7.
performed when the SRP is started or stopped, such as notifying management or auditing systems, or mounting the SRP home directory (/var/hpsrp/srp_name). NOTE: If you are using shared storage to mount the SRP home directory to facilitate cloning of an SRP, consider using the SRP setup script to automatically mount and unmount the SRP home directory.
7.3.3 Deploying Applications with the Application Templates
SRP includes special templates for deploying key applications that use shared executables. The ssh, apache, and tomcat templates fully deploy these applications within the SRP using the shared executable model. The oracledb template configures the SRP for Oracle usage; however, you must first install the Oracle database product on the system in the desired location.
Figure 7.
8 Using the base Template
The base template manages SRP compartment data that is not application-specific. This chapter describes how to use the base template to create an SRP compartment. You can also use the base template to add base services to a compartment, or to delete or modify the base services for a compartment. This chapter addresses the following topics:
• 8.1 Creating an SRP Compartment
• 8.2 Replacing or Deleting Base SRP Data
8.
8.1.1 The cmpt Service The cmpt Service configures an HP-UX Security Containment compartment, which forms the core of the SRP compartment. You must use the cmpt service when you create an SRP compartment; you cannot create an SRP compartment without the cmpt service. 8.1.1.1 Input Data The cmpt service uses the compartment name specified in the srp command for the Security Containment compartment name. 8.1.1.
• var
For example, SRP creates a /var/hpsrp/srp_name/sbin directory with init.d, rc0.d, rc1.d, rc2.d, rc3.d, and rc4.d subdirectories for use by initialization scripts, as described in 14.1 SRP Startup and Shutdown Processing.
8.1.2 The admin Service
The admin service associates HP-UX users with an RBAC role that has authorization to administer the compartment. By default, this authorization enables the administrator to start and stop the compartment.
8.1.2.1 Input Data
SRP prompts for the following data.
group, use the procedure described in the HP Process Resource Manager User's Guide, “Assigning secure compartments to PRM groups.”
8.1.3.1 Input Data
SRP prompts for the following data. You can also specify a variable name and value in the command line, as described in 15.1 Creating an SRP Compartment or Adding Data to an SRP.
PRM Group Name: Name for the PRM group. Variable Name: prm_group_name. Default: The SRP compartment name.
PRM Group Type (FSS or PSET): Specifies the type of PRM group.
physical memory value is specified in megabytes. Variable Name: prm_phys_mem. Default: 0 (no dedicated physical shared memory).
8.1.3.2 Configuration Data
By default, SRP creates a new PRM group using the SRP compartment name as the PRM group name. By default, the PRM group information is stored in the /etc/prmconf file. You can change the filename by running the srp_setup utility, as described in 2 Setting Up an SRP.
8.1.
Default: (yes) 8.1.4.2 Configuration Data SRP configures IP interface information for the HP-UX Transport subsystem, the initialization and shutdown service, and for the compartment, as described in the sections that follow. HP-UX Transport If you specify an IP address that is not already configured for the system, SRP also configures the IP interface information for the HP-UX Transport subsystem as follows: IPv4 Address If you specify an IPv4 address, SRP adds configuration data to the /etc/rc.config.
The /var/hpsrp/srp_name/sbin/init.d/srp_net file is linked to /var/hpsrp/srp_name/sbin/init.d/rc2.d/S340srp_net and /var/hpsrp/srp_name/sbin/init.d/rc1.d/K660srp_net. For more information about SRP initialization and shutdown scripts, see 14 Starting and Stopping SRP Compartments. Security Containment Compartment SRP adds a network interface rule for the IP address to the compartment rule file (/etc/cmpt/srp_name.rules). This allows the SRP access to its IP address. 8.1.
8.1.6.1 Input Data
SRP prompts for the following data. You can also specify a variable name and value in the command line, as described in 15.1 Creating an SRP Compartment or Adding Data to an SRP.
Unix groups for compartment login: Names of the HP-UX user groups, separated by “,”, whose members are authorized to log in to the SRP compartment. These groups must already exist in an HP-UX groups database (such as /etc/group). Variable Name: login_group. Default: adm.
Valid Input: yes or no. Default: no.
8.1.7.2 Configuration Data
If the compartment address is an IPv4 address, SRP adds IPFilter rules to the /etc/opt/ipf/ipf.conf file. If the compartment address is an IPv6 address, SRP adds IPFilter rules to the /etc/opt/ipf/ipf6.conf file. SRP adds the following IPFilter rules for the compartment, where cmpt_address is the compartment IP address:
• Rules that allow all TCP, UDP, and ICMP outbound packets from the compartment address.
8.1.8.1 Input Data
SRP prompts for the following data. You can also specify a variable name and value in the command line, as described in 15.1 Creating an SRP Compartment or Adding Data to an SRP.
IPsec peer IP address: The destination, or remote, IP address for the IPSec policies. Variable Name: ipsec_peer_addr. Valid Input: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal notation. Default: None.
IPSec transform: The transform for the IPSec host policy.
The authentication record contains the specified remote IP address and preshared key value. The default HP-UX IPSec values are used for all other parameters. HP-UX IPSec Default Parameter Values For IPSec parameters that SRP does not prompt for, SRP uses the IPSec default values in the configuration records. The IPSec default values are read from the default IPSec profile file, /var/adm/ipsec/.ipsec_profile.
The srp -replace command deletes the specified data, then prompts you for replacement data. For example, the following command deletes all PRM data for the base template, then prompts you for replacement data:
srp -replace mySRP -t base -s prm
Use the following command to delete base template data from an SRP compartment:
srp -d[elete] srp_name -t base [-s service[,service]...
9 Using the apache Template
This chapter describes how to use the apache template to configure and provision an HP-UX Apache-based Web Server in an SRP compartment. You can also use the apache template to delete or modify the apache template data for a compartment. This chapter addresses the following topics:
• 9.1 Adding the apache Template to an SRP Compartment
• 9.2 Replacing or Deleting Apache SRP Data
9.
Default: 3.0.
Apache data path: The root directory for Apache data. The cmpt service adds rules to allow the compartment all access to this directory. Users and processes in the SRP compartment can read, write, traverse (nsearch), and delete (unlink) the contents of these directories. Variable Name: data_path. Default: /var/hpsrp/srp_name/opt/hpws22/apache.
Apache executable path: The root directory for Apache executables. The cmpt service adds rules to allow the compartment read access to this directory.
Variable Name: ipf_tcp_ports. Valid Input: One or more TCP port numbers each in the range 1-65535, separated by commas. Default: 80,443. These are the IANA registered port numbers for HTTP and HTTPS (SSL).
9.1.2.2 Configuration Data
If the compartment address is an IPv4 address, SRP adds IPFilter rules to the /etc/opt/ipf/ipf.conf file. If the compartment address is an IPv6 address, SRP adds IPFilter rules to the /etc/opt/ipf/ipf6.conf file.
Apache HTTPS port number: Specifies the TCP port number on which the compartment Apache server will receive HTTPS (SSL) requests. Variable Name: https_port. Valid Input: A TCP port number in the range 1-65535. Default: 443, the IANA registered port number for HTTPS.
Tomcat AJP port number: Specifies the TCP port number on which the compartment Apache server will send requests to the Tomcat server. Variable Name: ajp_port. Valid Input: A TCP port number in the range 1-65535. Default: 8009.
9.1.3.3 Completing the Configuration
After you apply the apache cmpt service and the default apache provisioning script, you can start the SRP compartment and have a fully functional HP-UX Apache-based Web Server in the compartment. You can further customize the Web Server as needed by editing the compartment-specific Apache configuration files: /var/hpsrp/srp_name/etc/rc.config.d/hpws22_apacheconf and the compartment-specific apachectl file, located in the bin subdirectory below the data_path.
9.
10 Using the Template tomcat
This chapter describes how to use the tomcat template to add configuration data for hosting an HP-UX Tomcat servlet engine in an SRP compartment. You can also use the tomcat template to delete or modify the tomcat template data for a compartment. This chapter addresses the following topics:
• 10.1 Adding the tomcat Template to an SRP Compartment
• 10.2 Replacing or Deleting Tomcat SRP Data
10.
Variable Name: wss_version. Default: 3.0.
Tomcat data path: The root directory for Tomcat data. The cmpt service adds rules to allow the compartment all access to this directory. Users and processes in the SRP compartment can read, write, traverse (nsearch), and delete (unlink) the contents of these directories. Variable Name: data_path. Default: /var/hpsrp/srp_name/opt/hpws22/tomcat.
Tomcat executable path: The root directory for Tomcat executables.
Valid Input: A TCP port number in the range 1-65535. Default: 8009.
IPFilter Port Numbers: Specifies the local TCP port numbers for IPFilter rules that allow inbound packets. Variable Name: ipf_tcp_ports. Valid Input: One or more TCP port numbers each in the range 1-65535, separated by commas. Default: 8085,8081,8009. *The https port is disabled by default in tomcat.
10.1.2.2 Configuration Data
If the compartment address is an IPv4 address, SRP adds IPFilter rules to the /etc/opt/ipf/ipf.conf file.
Default: /var/hpsrp/srp_name/opt/hpws/tomcat.
Java Home Path: The Java home path. Variable Name: java_path. Default: /opt/java1.5.
Tomcat user name: Specifies the Unix user name under which the Tomcat processes in this compartment will run. Variable Name: user. Default: www.
Tomcat HTTP port number: Specifies the TCP port number on which the compartment Tomcat server will receive HTTP requests. Variable Name: http_port. Valid Input: A TCP port number in the range 1-65535. Default: 8081.
o Creates the compartment-specific startup configuration file, /var/hpsrp/srp_name/etc/rc.config.d/hpws22_tomcatconf, which specifies the compartment-specific tomcat home directory.
o Adds the startup and shutdown script hpws22_tomcat to the compartment-specific init.d directory, /var/hpsrp/srp_name/sbin/init.d. This file is linked to the /var/hpsrp/srp_name/sbin/rc3.d/S823hpws22_tomcat and /var/hpsrp/srp_name/sbin/rc3.d/K177hpws22_tomcat files.
11 Using the custom Template
The custom template enables you to specify additional Security Containment file access rules and IPFilter rules for an SRP compartment. You can use the custom template to accommodate additional applications in an SRP compartment, or to add compartment or IPFilter rules to increase security controls for an SRP compartment. You can also use the custom template to delete or modify the custom template data for an SRP compartment. This chapter addresses the following topics:
11.
11.1.1 The cmpt Service The cmpt service for the custom template applies additional compartment rules to your compartment. You can specify a rules file to include and/or specify file system paths to configure for different access types. 11.1.1.1 Input Data SRP prompts for the following data. You can also specify a variable name and value in the command line, as described in 15.1 Creating an SRP Compartment or Adding Data to an SRP.
Variable Name: ipf_tcp_ports. Valid Input: One or more TCP port numbers each in the range 1-65535, separated by commas. Default: None.
IPFilter UDP port numbers: Specifies the local UDP port numbers for IPFilter rules that allow inbound packets. Variable Name: ipf_udp_ports. Valid Input: One or more UDP port numbers each in the range 1-65535, separated by commas. Default: None.
11.1.2.2 Configuration Data
If the compartment address is an IPv4 address, SRP adds IPFilter rules to the /etc/opt/ipf/ipf.
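The ipfilter service behaviour described in 8.1.7.2, 9.1.2 and 11.1.2 (outbound TCP, UDP and ICMP from the compartment address, inbound only on ipf_tcp_ports and ipf_udp_ports, IPv4 rules in ipf.conf and IPv6 rules in ipf6.conf), as an added example that is not part of the HP guide and not the code srp itself runs. The function names are mine, the port-list validation follows the Valid Input wording above, and the rule text is ordinary IPFilter syntax chosen for illustration; the guide does not show the exact rules srp writes, and the trailing default-deny rule is my assumption.

```shell
#!/bin/sh
# Added example, not part of the HP SRP guide: generates the kind of IPFilter
# rules the ipfilter service adds for a compartment, following the guide's
# description.  Function names, rule wording and the final block rule are
# assumptions; the guide only states what the rules allow.

# Validate a comma-separated port list as the guide specifies it: one or
# more numbers, each in 1-65535, with no empty fields.  Returns 0/1.
srp_validate_ports() {
    rest=$1
    [ -n "$rest" ] || return 1
    while :; do
        p=${rest%%,*}
        case $p in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
        [ "$rest" = "$p" ] && break      # last field consumed
        rest=${rest#*,}
    done
    return 0
}

# Choose the rules file the way SRP does: by the compartment address family.
srp_ipf_rules_file() {
    case $1 in
        *:*) echo /etc/opt/ipf/ipf6.conf ;;
        *)   echo /etc/opt/ipf/ipf.conf ;;
    esac
}

# Emit the compartment rules on stdout.
#   $1 compartment address (cmpt_address)
#   $2 ipf_tcp_ports, comma separated (empty: no inbound TCP)
#   $3 ipf_udp_ports, comma separated (empty: no inbound UDP)
# Inbound rules name the compartment address, so a port opened for one
# compartment is not opened for every address on the host.
srp_ipf_rules() {
    addr=$1 tcp_ports=$2 udp_ports=$3
    for list in "$tcp_ports" "$udp_ports"; do
        if [ -n "$list" ] && ! srp_validate_ports "$list"; then
            echo "invalid port list: $list" >&2
            return 1
        fi
    done
    echo "# SRP compartment rules for $addr (generated example)"
    for proto in tcp udp icmp; do
        echo "pass out quick proto $proto from $addr to any keep state"
    done
    for proto in tcp udp; do
        if [ "$proto" = tcp ]; then list=$tcp_ports; else list=$udp_ports; fi
        for port in $(printf '%s' "$list" | tr ',' ' '); do
            echo "pass in quick proto $proto from any to $addr port = $port keep state"
        done
    done
    # Assumption: deny anything else addressed to the compartment so the
    # inbound allow list above is the only way in (not shown in the guide).
    echo "block in quick from any to $addr"
}

# Count the pass rules produced, so the effect of a port list is checkable.
srp_ipf_pass_count() {
    srp_ipf_rules "$@" | grep -c '^pass'
}

# Demonstration with the guide's sample compartment address and the apache
# template defaults (80,443); the custom template would also supply UDP ports.
echo "rules file: $(srp_ipf_rules_file 192.0.2.1)"
srp_ipf_rules 192.0.2.1 80,443 ""
```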
- srproot: SRP root directory of the compartment
• Allows users to write their own functionality for each of the operations, such as add, delete, and replace.
11.2 Replacing or Deleting Custom SRP Data
Use the following command to replace custom template data in an SRP compartment:
srp -r[eplace] srp_name -t custom [-s service[,service]...] id instance
The srp -replace command deletes the specified data, then prompts you for replacement data.
12 Using the oracledb Template
This chapter describes how to use the oracledb template to configure an SRP compartment to share a single set of Oracle executables with other SRPs. You do not need to use this template if you are installing a separate instance of the Oracle executables in the SRP. You can also use the oracledb template to delete or modify the oracledb template data for a compartment.
12.
Variable Name: exec_path. Default: /opt/var/hpsrp/srp_name/opt/u01/home/oracle.
Oracle DB data path: The root directory for Oracle data. The cmpt service adds rules to allow the compartment all access to this directory. Users and processes in the SRP compartment can read, write, traverse (nsearch), and delete (unlink) the contents of these directories. In most cases, you set up the Oracle configuration and schema under this path and set the value of the ORACLE_HOME environment variable to this path.
12.1.3 The provision Service
The provision service executes the script provided to provision (deploy) an admin, login, network service in the SRP compartment.
12.1.3.1 Input Data
SRP prompts for the following data. You can also specify a variable name and value in the command line, as described in 15.1 Creating an SRP Compartment or Adding Data to an SRP.
Oracle executable path: The root directory for Oracle executables. Variable Name: exec_path. Default: /opt/var/hpsrp/srp_name/opt/u01/home/oracle.
13 Using the sshd Template
This chapter describes how to use the sshd template to configure and provision an HP-UX Secure Shell daemon (sshd) in an SRP compartment. You can also use the sshd template to delete or modify the sshd template data for a compartment. This chapter addresses the following topics:
• 13.1 Adding the sshd Template to an SRP Compartment
• 13.2 Replacing or Deleting SSHD SRP Data
13.
Variable Name: data_path. Default: /var/hpsrp/srp_name/opt/ssh.
sshd executable path: The location of the executables for the HP-UX Secure Shell product. Variable Name: exec_path. Default: /opt/ssh.
13.1.1.2 Configuration Data
SRP adds entries to the rules file for the SRP compartment to authorize read access to exec_path and all access to data_path. SRP also adds an include statement to add the rules from the /opt/hpsrp/etc/cmpt/sshd.srp_incl file. As delivered by HP, this file is empty.
13.1.3 The provision Service
The provision service executes the script /opt/hpsrp/bin/util/secsh_setup to provision (deploy) an sshd service in the SRP compartment.
13.1.3.1 Input Data
SRP prompts for the following data:
sshd data path: Specifies the compartment-specific target directory for sshd configuration and key files. Variable Name: data_path. Default: /var/hpsrp/srp_name/opt/ssh.
sshd executable path: The location of the executables for the HP-UX Secure Shell product. Variable Name: exec_path.
• Creates compartment-specific initialization scripts and a startup file to start sshd with the compartment-specific sshd_config file when the compartment startup script is executed. The setup script:
o Creates the compartment-specific startup configuration file, /var/hpsrp/srp_name/etc/rc.config.d/sshd, which specifies the compartment-specific sshd configuration file as a startup argument for sshd.
o Adds the startup and shutdown script secsh to the compartment-specific init.
14 Starting and Stopping SRP Compartments
This chapter describes how to start and stop SRP compartments. For complete syntax information, see srp(1M). This chapter addresses the following topics:
• 14.1 SRP Startup and Shutdown Processing
• 14.2 Starting an SRP Compartment
• 14.3 Stopping an SRP Compartment
14.1 SRP Startup and Shutdown Processing
By default, all SRP compartments are automatically started at system startup time and are automatically stopped at system shutdown time.
• The /sbin/rc3.d/S999srp file is the last, or one of the last, startup scripts executed when the system transitions from run level 2 to run level 3 (typically at system startup). The /sbin/rc2.d/K001srp file is the first, or one of the first, shutdown scripts executed when the system transitions from run level 3 to run level 2 (typically at system shutdown).
The SRP initialization and shutdown scripts are processed as follows:
• The /sbin/init.d/srp script reads the /etc/rc.config.
• The srp_rc script runs a customizable post-stop script, /var/hpsrp/srp_name.setup/setup. The script is run in the INIT compartment, with the following command line: /var/hpsrp/srp_name.
15 Managing SRP Data This chapter describes how to add, update, delete, list, and manage SRP data. For complete syntax information, see srp(1M). This chapter addresses the following topics: • • • • • • • 15.1 15.2 15.3 15.4 15.5 15.6 15.
Template   Services
apache     cmpt, ipfilter, provision
custom     cmpt, ipfilter, provision
oracledb   cmpt, ipfilter
sshd       cmpt, ipfilter, provision
Default: The default service set is configured via srp_sys -setup.
instance Unique string identifier used to identify an instance of a template usage for templates that can be applied multiple times. This is valid for the custom template only and is ignored for all other templates. Valid Input: A text string with alphanumeric, dash (-), or underscore (_) characters.
service Specifies the names of the services to delete. Default: All services configured for the template. instance Unique string identifier used to identify an instance of a template usage for templates that can be applied multiple times. This is valid for the custom template only and is ignored for all other templates. Valid Input: A text string with alphanumeric, dash (-), or underscore (_) characters. The maximum length is 20 characters. Default: None.
verbose Displays verbose (detailed) help text. template Specifies the templates for which you want to display parameters. Valid Input: base, apache, tomcat, custom, oracledb, sshd. Default: base. service Specifies the services for which you want to display parameters. Table 15.1 lists the services valid for each template. Default: The default services that are valid for the template. The factory configured default services are: admin, cmpt, init, login, network, and prm.
15.6 Displaying Status of SRP Compartments
Use the srp -status command to display a status summary for SRP compartments:
srp -status [srp_name] [-verbose | -xmloutput]
srp_name Specifies the name of an existing SRP compartment. If you do not specify a compartment name, srp displays information about all compartments configured on the system.
verbose Verbose mode. Displays detailed status data.
template Specifies the templates for which you want to display the status data.
16 Customizing SRP Data
This chapter describes procedures for customizing SRP data. It addresses the following topics:
• 16.1 Modifying Provision Scripts
• 16.2 Modifying Compartment Rule Include Files
• 16.3 Manually Editing SRP Configuration Data
NOTE: You should run the system administration and performance tools (for example: glance, gpm, kprof, kgmon, ktrace, and caliper) in the INIT compartment.
16.
# cp base.srp_incl myCustom.srp_incl
2. Remove the rules in the original (base.srp_incl) file. This creates an empty Security Compartment rules file. A compartment that uses only this file for its compartment rule set will have no access to any files, system IPC, or network interfaces.
NOTE: Creating an empty Security Compartment rules file for the base template affects all compartments using this file, including those previously created.
The specific tag format for each subsystem is described in the sections that follow.
16.3.1.4 Security Containment Compartment Tag Format
Data is stored in the /etc/cmpt/srp_name.rules file by default. When SRP adds data, it indicates the start of the data with the following tag:
//@tag-start compartment="srp_name" template="template_name" service="cmpt" id="instance";
SRP indicates the end of the data with the following tag:
//@tag-end;
16.3.1.
16.3.1.7 PRM Tag Format
Data is stored in the /etc/prmconf file by default. When SRP adds data, it indicates the start of the data with the following tag:
#@tag-start compartment="srp_name" template="base" service="prm" id="instance";
SRP indicates the end of the data with the following tag:
#@tag-end;
16.3.1.8 IPFilter Tag Format
Data is stored in the /etc/opt/ipf/ipf.conf file for IPv4 addresses and in /etc/opt/ipf/ipf6.conf for IPv6 addresses.
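As an added example (not part of the SRP product or of this guide), the following POSIX shell functions use awk to find, extract and strip the tagged blocks described above. They accept both the //@ prefix used in the compartment rules file and the #@ prefix used in /etc/prmconf, which is the one generalization beyond the two tag formats shown. The sample rules file is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not SRP product code: inspect and strip the
# //@tag-start ... //@tag-end; (rules file) and #@tag-start ... #@tag-end;
# (prmconf) blocks that SRP writes around the data it manages.
# Every function reads the file to inspect on stdin.

# One line per SRP-managed block: its attributes without the tag keyword.
srp_tag_list() {
    awk '
        /^(\/\/|#)@tag-start / {
            line = $0
            sub(/^(\/\/|#)@tag-start /, "", line)   # drop the tag keyword
            sub(/;[[:space:]]*$/, "", line)         # drop the trailing ;
            print line
        }'
}

# Body of every block tagged compartment="$1" (tags themselves omitted).
srp_tag_extract() {
    awk -v cmpt="$1" '
        /^(\/\/|#)@tag-start / { inblock = index($0, "compartment=\"" cmpt "\"") > 0; next }
        /^(\/\/|#)@tag-end;/   { inblock = 0; next }
        inblock'
}

# The file with every block for compartment="$1" removed, tags included;
# lines outside SRP-managed blocks (hand-maintained rules) are untouched.
srp_tag_delete() {
    awk -v cmpt="$1" '
        /^(\/\/|#)@tag-start / { if (index($0, "compartment=\"" cmpt "\"") > 0) skip = 1 }
        !skip
        /^(\/\/|#)@tag-end;/   { skip = 0 }'
}

# Number of SRP-managed blocks for compartment="$1" (0: nothing managed).
srp_tag_count() {
    awk -v cmpt="$1" '
        /^(\/\/|#)@tag-start / && index($0, "compartment=\"" cmpt "\"") > 0 { n++ }
        END { print n + 0 }'
}

# Constructed sample rules file (not from the guide): two SRP-managed
# blocks surrounded by rules that were maintained by hand.
SAMPLE_RULES='/* site rule maintained by hand, outside any SRP block */
perm read /etc/hosts
//@tag-start compartment="mySRP" template="base" service="cmpt" id="";
perm none /var/hpsrp
perm read /var/opt/hpsrp
//@tag-end;
//@tag-start compartment="web2" template="sshd" service="cmpt" id="";
perm read /opt/ssh
//@tag-end;
perm read /etc/services'

# Demo: what is managed, what web2 owns, and the file with mySRP removed.
printf '%s\n' "$SAMPLE_RULES" | srp_tag_list
printf '%s\n' "$SAMPLE_RULES" | srp_tag_extract web2
printf '%s\n' "$SAMPLE_RULES" | srp_tag_delete mySRP
```

Because the awk programs key on the tag lines only, a rules file that has been edited by hand between the tags is handled the same way as one SRP wrote, which is what makes the delete safe to run before re-adding a template's data.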
17 Exporting and Importing SRPs
You can export and import an SRP across systems by using the srp -export and srp -import commands. These commands allow you to accomplish the following:
• Create a clone of an SRP on a secondary system for high availability or load balancing purposes.
• Migrate an SRP across systems: export and import an SRP, then delete the original SRP.
• Create a copy of an SRP for archival purposes. Similarly, an SRP can be taken offline by exporting and deleting the original SRP.
#/var/hpsrp//sbin/init.d/srp_mount start
2. Export the SRP:
#srp -export
3. Unmount the fstab filesystems of the SRP:
#export compartment=
#/var/hpsrp//sbin/init.d/srp_mount stop
• User and group definitions are system properties that are not SRP specific and therefore are not exported with the SRP.
a software version mismatch from the source to the target system. The default is no. You can use the following notation to assign a value to a variable: name=value, name='value', or name="value"
17.3 Best Practices for Exporting and Importing an SRP
To simplify the export and import of an SRP across systems, HP recommends that you keep the SRP self-contained (atomic) and that you do not share files and data with other SRP compartments unnecessarily.
18 Using Serviceguard with SRP Serviceguard allows you to create high availability clusters of HP 9000 or HP Integrity Servers. A high availability computer system allows application services to continue in spite of a hardware or software failure. Highly available systems protect users from software failures as well as from failure of a system processing unit (SPU), disk, or local area network (LAN) component. In the event that one component fails, the redundant component takes over.
2. Select which application will have control
Determine whether SRP or Serviceguard will control the mounting of file systems and management of the network interface, as follows:
• If you selected the classic model in step 1, HP recommends using Serviceguard to control the mounting of file systems and management of the network interface.
• If you selected the SRP package model in step 1, HP recommends using SRP to control the file system mounting and management of the network interface.
following example, the representative Serviceguard package was modified to add a default route, external_script:
Before:
# SG ip address
ip_subnet  192.10.25.0
ip_address 192.10.25.12
After:
# SG ip address
ip_subnet  192.10.25.0
ip_address 192.10.25.12
# srp_route_script configures the required source based routing entries for
# the SG managed IP addresses
external_script /etc/cmcluster/pkg1/srp_route_script
See Appendix B SRP Serviceguard Default Route Script for an example of the srp_route_script script.
19 Verifying and Troubleshooting SRP
This chapter contains procedures for verifying and troubleshooting SRP. This chapter addresses the following topics:
• 19.1 Verification Procedures
• 19.2 Troubleshooting Procedures
• 19.3 Reporting Problems
NOTE: You can run system administration and performance tools (such as glance, gpm, kprof, kgmon, ktrace, and caliper) in the INIT compartment.
19.
Use the getprocxsec -c pid command to verify the compartment in which the process is running. For example:
# getprocxsec -c 968
cmpt= SRP2
• If an application is failing in a compartment and you want to determine whether it is failing because of Security Containment rules, you can use the HP-UX audit utility to configure auditing and view the audit records to see whether operations are failing because of permission problems.
# prmlist -g -s
PRM configured from file:  /etc/prmconf
File last modified:        Tue Oct 14 12:57:58 2008

PRM Group   PRMID   CPU Entitlement   CPU Max   LCPU Attr
__________________________________________________________________
EntDir          2          29.17%       80%
MktDB       65536          12.50%
MktWeb          3          21.88%       45%
OTHERS          1          21.88%
SRP2            4          14.58%       25%

Compartment   Default PRM Group
_____________________________________________
EntDir        EntDir
MktDB         MktDB
MktWeb        MktWeb
SRP2          SRP2
The prmmonitor utility displays statistics for each PRM group.
Routing tables
Destination   Gateway     Flags  Refs  Interface  Pmtu
default       192.0.2.1   U      0     lan1:1     1500
19.1.6 Verifying IPFilter Data
Use the following ipfstat command to view the active (loaded) inbound and outbound IPFilter rules:
ipfstat -io
For example:
# ipfstat -io
pass out quick proto tcp from 192.0.2.1/32 to any keep state
pass out quick proto udp from 192.0.2.1/32 to any keep state
pass out quick proto icmp from 192.0.2.1/32 to any keep state
pass in quick proto icmp from any to 192.0.2.
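The check below is an added example, not a command from this guide: it reads an ipfstat -io listing on stdin, reports which of the three outbound rules shown above are missing for a compartment address, and separately lists the inbound pass rules that reach that address so the exposed protocols and ports can be reviewed. The sample listing is constructed (the outbound icmp rule is deliberately absent), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not SRP product code: verify the IPFilter rules loaded for
# an SRP compartment address. Both functions read "ipfstat -io" output on stdin.

# srp_ipf_check <compartment_ip>
# Prints one MISSING line for each expected outbound rule that is not loaded
# and returns the number of missing rules (0 means all three are present).
srp_ipf_check() {
    ip=$1
    rules=$(cat)                       # the ipfstat -io listing
    missing=0
    for proto in tcp udp icmp; do
        want="pass out quick proto $proto from $ip/32 to any keep state"
        # exact whole-line match, so 192.0.2.1 does not match 192.0.2.11
        if printf '%s\n' "$rules" | grep -Fxq -- "$want"; then
            :
        else
            echo "MISSING: $want"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# srp_ipf_inbound <compartment_ip>
# Lists every active "pass in" rule whose destination is the compartment
# address; block rules and rules for other addresses are not shown.
srp_ipf_inbound() {
    ip_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # literal dots in the regex
    grep -E "^pass in .* to ${ip_re}(/32)?( |\$)" || true
}

# Constructed ipfstat -io listing (not from the guide). The outbound icmp
# rule is missing on purpose so the check has something to report.
SAMPLE_IPFSTAT='pass out quick proto tcp from 192.0.2.1/32 to any keep state
pass out quick proto udp from 192.0.2.1/32 to any keep state
pass in quick proto icmp from any to 192.0.2.1/32 keep state
pass in quick proto tcp from any to 192.0.2.1/32 port = 22 flags S keep state
block in quick from any to 192.0.2.1/32'

# Demo: on a live system replace the printf with "ipfstat -io |".
printf '%s\n' "$SAMPLE_IPFSTAT" | srp_ipf_check 192.0.2.1 || echo "outbound rules missing: $?"
printf '%s\n' "$SAMPLE_IPFSTAT" | srp_ipf_inbound 192.0.2.1
```

The return value of srp_ipf_check makes it usable as a post-start health check; a non-zero count after srp -start means the compartment's IPFilter data was not loaded as written.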
auth SRP-web2-base-1 -remote 10.2.2.2/32 -preshared myPresharedKey -exchange MM
• You can also use the ipsec_policy utility to verify the IPSec host rule selected for a packet from the peer address. In the following example, the SRP compartment address is 192.0.2.1 and the peer address is 10.2.2.2. The ipsec_policy command queries IPSec to determine which IPSec and IKE policies are selected for an outbound packet (-dir out) with source IP address (-sa) 192.0.2.1 and destination IP address (-da) 10.2.2.2.
:
3. Start the SRP compartment:
srp -start srp_name
4. Attempt to access the compartment applications. After you successfully access the applications, enter the following command to generate a machine readable version of the rules used to access the compartment:
getrules -m srp_name
5. Compare the output from the getrules command with the compartment rules file and make the necessary changes.
6.
19.3 Reporting Problems If you are unable to solve a problem with SRP, complete the following steps: 1. Read any published release notes for SRP to see if the problem is known. If it is a known issue, use the prescribed solution. 2. Determine whether the product is still under warranty or whether your company purchased support services for the product. Your operations manager can supply you with the necessary information. 3. Access http://www.itrc.hp.
Appendix A Configuration Example
This appendix includes a sample SRP compartment configuration.
A.1 Sample Base Configuration
This example shows the system configuration created for a sample compartment.
# /opt/hpsrp/bin/srp -list mySRP -verbose
Compartment: mySRP Template: base Service: cmpt
----------------------------------------------------------------------
Compartment Configuration (/etc/cmpt/mySRP.
SRP init service:
//etc/rc.config.d/srpconf:
SRP_NAME[1]="mySRP"
//etc/rc.config.
********************************************************************** */
/* **********************************************************************
 * privileges
 ********************************************************************** */
disallowed privileges none
/* **********************************************************************
 * ipc/fifo/uxsock to init compartment
 ********************************************************************** */
access ipc, fifo, uxsock init
/* ********************************
perm read /dev/kepd
/* **********************************************************************
 * narrow down on /var:
 ********************************************************************** */
perm none /var/hpsrp                 // SRP compartment root
perm read /var/opt/hpcmgr
perm read /var/opt/hpsrp
/* **********************************************************************
 * narrow down on /etc:
 ********************************************************************** */
perm read /etc/opt/hpsrp             // managed by srp
perm read
Appendix B SRP Serviceguard Default Route Script
The following script can be used by a Serviceguard package to assign a default route for an IP address associated with an SRP. This script is included with the SRP Serviceguard Reference Implementation and is installed with the SRP product at:
/opt/hpsrp/example/serviceguard/srp_as_sg_package/srp_route_script
# Copyright (c) 2009 Hewlett-Packard Development Company L.P.
###################################################################
#
# Get the SRP environment from "/etc/cmcluster/hpsrp//srp_script.incl"
#
# Environment variable example: use a local gateway on the host
# SRP_SG_MANAGED_IP[0]="192.0.0.99"
# SRP_SG_GATEWAY[0]="192.0.0.99"
#
# Environment variable example: use a remote gateway
# SRP_SG_MANAGED_IP[1]="10.1.1.99"
# SRP_SG_GATEWAY[1]="10.1.1.1"
#
###################################################################
. `dirname $0`/srp_script.
function srp_route_delete {
    # run 'route' command for each IP address
    rval=0
    index=0
    last_index=${#SRP_SG_MANAGED_IP[@]}
    while [ "$index" -lt "$last_index" ]
    do
        srp_ip="${SRP_SG_MANAGED_IP[$index]}"
        srp_gateway="${SRP_SG_GATEWAY[$index]}";
        if [ -z "$srp_ip" ]      # skip empty slot in the array
        then
            let index=$index+1
            let last_index=$last_index+1
            continue
        fi
        if [ "$srp_ip" = "$srp_gateway" ]
        then
            # use local IP as gateway
            emsg=$(/usr/sbin/route delete default $srp_gateway 0 \
                source $srp_ip 2>&1)
        else
            # use remo
    stop)
        srp_route_delete
        exit_val=$?
        ;;
    validate)
        exit_val=0
        ;;
    *)
        sg_log 0 "INFO: Unknown operation: $1"
        ;;
esac
exit $exit_val
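To show the per-address decision the shipped script makes, the following is an added example, not the srp_route_script installed with SRP: it rewrites the loop in POSIX sh and places the route command behind a ROUTE_CMD variable so the commands can be dry-run. The ksh arrays SRP_SG_MANAGED_IP[] and SRP_SG_GATEWAY[] are replaced by one "managed_ip gateway" pair per line in SRP_SG_ROUTES, the route(1M) argument form (count 0 for a local gateway, 1 for a remote one) is an assumption based on the delete call shown above, and the configuration values are constructed.

```shell
#!/bin/sh
# Added example, not the shipped srp_route_script: one source-based default
# route per Serviceguard-managed address, with the route command replaced
# by a dry-run stub unless ROUTE_CMD points at the real binary.

# Constructed configuration (not from the guide): one local gateway, one
# remote gateway. Format: "managed_ip gateway", one pair per line.
SRP_SG_ROUTES='192.0.0.99 192.0.0.99
10.1.1.99 10.1.1.1'

# Dry-run stand-in for /usr/sbin/route: prints the command it was given.
route_stub() {
    echo "route $*"
}
ROUTE_CMD=${ROUTE_CMD:-route_stub}   # set ROUTE_CMD=/usr/sbin/route on a real host

# srp_route_apply add|delete
# Assumed route(1M) form: route <op> default <gateway> <count> source <ip>,
# with count 0 when the gateway is the managed address itself (local) and
# 1 when it is one hop away. Returns the number of addresses not routed.
srp_route_apply() {
    op=$1
    failed=0
    while read -r srp_ip srp_gateway; do
        [ -z "$srp_ip" ] && continue            # blank line in the config
        if [ -z "$srp_gateway" ]; then
            echo "ERROR: no gateway configured for $srp_ip" >&2
            failed=$((failed + 1))
            continue
        fi
        if [ "$srp_ip" = "$srp_gateway" ]; then
            count=0      # local: the interface address is the next hop
        else
            count=1      # remote gateway
        fi
        if ! "$ROUTE_CMD" "$op" default "$srp_gateway" "$count" source "$srp_ip"; then
            echo "ERROR: route $op for $srp_ip via $srp_gateway failed" >&2
            failed=$((failed + 1))
        fi
    done <<EOF
$SRP_SG_ROUTES
EOF
    return "$failed"
}

# Demo: the commands a package start (add) and stop (delete) would issue.
srp_route_apply add
srp_route_apply delete
```

Feeding the configuration through a here-document rather than a pipe keeps the loop in the current shell, so the failure count survives to the return statement; a missing gateway is counted as a failure instead of being guessed, which is the behaviour a package start script should have.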
Technology for better business outcomes © Copyright 2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.