HP-UX Secure Resource Partitions (SRP) A.02.02 Administrator's Guide

IMPORTANT: By default, once compartment login is enabled, only the root user (user
name root) is allowed to log in to the INIT compartment. To allow additional users to log in
to the INIT compartment, assign each of them the RBAC role SRPlogin-init.
To enable additional users for INIT compartment login:
>roleadm assign <user_name> SRPlogin-init
To enable additional groups for INIT compartment login (the leading & marks a group name):
>roleadm assign "&<group_name>" SRPlogin-init
Strong ES Model (required for the SRP product when using networking). Enables symmetric
routing on the system, which causes connection-based protocols such as TCP to use the same
interface for both inbound and outbound traffic. Note that enabling the strong ES model makes
the system unable to function as an IP router. For more information about the strong ES model,
see 1.3.4 IP Routers and Strong End System (ES) Model.
ip_ire_cmpt_route_lookup_policy / ip6_ire_cmpt_route_lookup_policy (required
for the SRP product when using networking). Controls the route lookup logic in a
compartment-enabled environment. Set the tunable to 0 to enable the strong security model,
which requires strict route lookup logic; set it to 1 to disable the strong security
model.
cmpt_allow_local. Allows SRPs on the same server to communicate with each other over the
network without additional security configuration. It sets the default rule for
inter-compartment loopback communication addressed to local network interfaces or IP
addresses. The default rule applies only when no explicit compartment network rule matches
the communication attempt.
Limited Scope Secure Shell Daemon. Prevents the secure shell daemon in the
INIT compartment from listening on SRP-specific IP addresses. You can specify the IP
addresses it should listen on; the default is the system default IP address. (For more
information about address collisions, see 1.3.2.2 Address Collisions with INADDR_ANY and
IN6ADDR_ANY Sockets in the INIT Compartment.)
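As an added example (not from this guide or the SRP product), the following POSIX shell script audits the two settings above that are easiest to get wrong and hardest to notice: the networking tunables (strong ES model on, strict route lookup on) and the listen scope of the INIT compartment's sshd. It assumes the strong ES model is exposed as the ndd tunable ip_strong_es_model under /dev/ip, that ip_ire_cmpt_route_lookup_policy is read from /dev/ip and ip6_ire_cmpt_route_lookup_policy from /dev/ip6, that the limited-scope daemon is expressed as OpenSSH ListenAddress directives in /opt/ssh/etc/sshd_config, and that the --live switch is our own convention; the sample tunable values and sshd_config lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the HP-UX SRP guide or product.
# Post-setup audit of the SRP networking prerequisites described above.
#
# Assumptions (not stated on the page):
#   - strong ES model is the ndd tunable ip_strong_es_model (1 = on),
#     read with `ndd -get /dev/ip ip_strong_es_model`;
#   - ip_ire_cmpt_route_lookup_policy lives under /dev/ip and
#     ip6_ire_cmpt_route_lookup_policy under /dev/ip6 (0 = strict lookup);
#   - the limited-scope sshd is expressed as OpenSSH ListenAddress lines
#     in /opt/ssh/etc/sshd_config.

# audit_tunables: reads "name value" pairs on stdin and compares each
# SRP-relevant tunable with the value the guide requires for networking.
# Prints one line per tunable; the exit status is the number of mismatches.
audit_tunables() {
    bad=0
    while read -r name value; do
        case "$name" in
            ip_strong_es_model) want=1 ;;                  # symmetric routing on
            ip_ire_cmpt_route_lookup_policy|ip6_ire_cmpt_route_lookup_policy)
                want=0 ;;                                  # strict route lookup
            *) continue ;;                                 # not SRP related
        esac
        if [ "$value" = "$want" ]; then
            echo "OK   $name=$value"
        else
            echo "FAIL $name=$value (SRP networking requires $want)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# live_tunables: produce the "name value" pairs from the running kernel.
# Works only on HP-UX; elsewhere ndd is absent and nothing is printed.
live_tunables() {
    command -v ndd >/dev/null 2>&1 || return 1
    for t in ip_strong_es_model ip_ire_cmpt_route_lookup_policy; do
        printf '%s %s\n' "$t" "$(ndd -get /dev/ip "$t")"
    done
    printf '%s %s\n' ip6_ire_cmpt_route_lookup_policy \
        "$(ndd -get /dev/ip6 ip6_ire_cmpt_route_lookup_policy)"
}

# check_sshd_listen: reads an sshd_config on stdin. Passes only if at least
# one ListenAddress is set and none is a wildcard, because a wildcard (or no
# ListenAddress at all) makes the INIT compartment's sshd bind
# INADDR_ANY/IN6ADDR_ANY and collide with SRP-specific addresses.
# Exit status: 0 = scoped correctly, 1 = wildcard or unset.
check_sshd_listen() {
    found=0 wild=0
    while read -r key val; do
        [ "$key" = "ListenAddress" ] || continue   # comments and other keys skipped
        found=1
        case "$val" in
            0.0.0.0|0.0.0.0:*|"[::]"|"[::]":*|::)
                echo "FAIL ListenAddress $val binds every address, including SRP ones"
                wild=1 ;;
            *)  echo "OK   ListenAddress $val" ;;
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo "FAIL no ListenAddress directive: sshd defaults to all addresses"
        return 1
    fi
    return "$wild"
}

# Constructed sample input: a system where "Strong ES Model" was declined
# during srp_sys -setup and sshd was left unscoped.
SAMPLE_TUNABLES='ip_strong_es_model 0
ip_ire_cmpt_route_lookup_policy 0
ip6_ire_cmpt_route_lookup_policy 0'
SAMPLE_SSHD_CONFIG='Port 22
#ListenAddress 192.0.2.10
ListenAddress 0.0.0.0'

if [ "${1:-}" = "--live" ]; then
    live_tunables | audit_tunables || echo "$? tunable(s) need attention"
    check_sshd_listen < /opt/ssh/etc/sshd_config || echo "sshd listen scope needs attention"
else
    printf '%s\n' "$SAMPLE_TUNABLES" | audit_tunables || echo "$? tunable(s) need attention"
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" | check_sshd_listen || echo "sshd listen scope needs attention"
fi
```

Run without arguments it audits the constructed sample and reports the declined strong ES model and the wildcard ListenAddress; with --live it reads the real tunables and sshd_config on an HP-UX host. The exit status of each function is what a configuration-compliance job would act on.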
2.3 Example: srp_sys -setup
In this example, the user presses RETURN and accepts the default values for each prompt.
# /opt/hpsrp/bin/srp_sys -setup
##############################
#
# Setup SRP default template
#
##############################
Loading SRP default template ... [ OK ]
The default services do not include IPFilter or IPSec. You can add them to the set of default services in
the following dialog.
Enable SRP configuration for the following services:
admin (compartment administrator) [y] RETURN