HPjmeter 4.3 Release Notes and Installation Guide

Want to Know More About Secure Socket Layer Tunneling?
HP-UX IPSec and HP-UX Secure Shell are two HP products that provide secure socket layer tunneling.
To learn more:
HP-UX IPSec technical documentation (http://www.hp.com/go/hpux-security-docs)
HP-UX Secure Shell overview and download (http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA)
HP-UX Secure Shell technical documentation (http://www.hp.com/go/hpux-secure-shell-docs)
See also “Connecting to the HPjmeter Node Agent” in the HPjmeter 4.3 User's Guide.

Protecting Data Confidentiality During HPjmeter Console/Node Agent Communication
HPjmeter does not encrypt the data sent to the console. If confidentiality of this data is a
concern, use SSL tunneling to encrypt the header and data portion of each packet during transfer.

Working with Firewalls
The node agent has an open socket. Any HPjmeter console on any machine on the network (that
is not blocked by a firewall) can communicate with this node agent. If you want to have a console
contact a node agent through a firewall, you must provide a tunneling port so that the console can
contact the node agent.
NOTE: The console first attempts to use a port between 9505 and 9515 when arranging a port
for its server socket. If it is unable to successfully use a port from this range, it will use an ephemeral
port number.
IMPORTANT: If you choose to open a port through a firewall to enable communication between
a node agent and a console, secure the tunneling port using HP-UX Secure Shell or HP-UX IPSec.

Configuring User Access
The node agent must be started by either the same user or group as the running JVM (recommended)
or root to establish contact.
IMPORTANT: Setting access for owner or group should not be considered a security solution
because node agent to JVM communications are not secured by default—see below.

Securing Communication Between the JVM and the HPjmeter Node Agent
IMPORTANT: The data stream between the JVM and the node agent is not protected from
tampering by a user logged into the system running the JVM. For key applications in production,
you may want to increase your confidence that the data has not been tampered with en route
between the JVM and agent before you take action based on HPjmeter metrics.
Where you deem it necessary, either secure the communication mechanism between the JVM and
node agent (HP-UX 11i v2 or later only), or confirm that the HPjmeter data looks reasonable
according to the usual behavior of your application by independently validating its output.
To secure the communication mechanism between the JVM and node agent on HP-UX 11i v2 or
later operating systems, set the umask of the JVM process to 77 (no access except for the owner)
by executing the command
$ umask 77
before running the JVM.
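
The umask step above as an added shell example (not from the HPjmeter documentation): run_private starts a command under umask 077 in a subshell so the caller's own mask is untouched, and exposed_entries lists anything under a directory that still grants group or other access. The function names, the scratch directory, the use of mktemp -d, and the touch/mkdir stand-ins for a JVM creating files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: apply "umask 77" only to the launched process and audit the result.

# run_private CMD [ARGS...]   (hypothetical helper name)
# Runs CMD with umask 077 inside a subshell, so the restrictive mask applies to
# the launched process and its children but not to the calling shell.
run_private() {
    (
        umask 077   # same value as "umask 77": clear all group/other bits
        exec "$@"
    )
}

# exposed_entries DIR   (hypothetical helper name)
# Prints every non-symlink entry under DIR that grants any permission bit to
# group or other. Empty output means only the owner has access.
exposed_entries() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# demo: constructed scenario. touch and mkdir stand in for a JVM creating
# files at startup; the scratch directory is not a real HPjmeter path.
demo() (
    scratch=$(mktemp -d) || exit 1
    chmod 700 "$scratch"
    umask 022                                   # a common login default
    # Created without the wrapper: ends up mode 644, readable by group/other.
    sh -c 'touch "$1/default.sock"' sh "$scratch"
    # Created through the wrapper: file is mode 600, directory is mode 700.
    run_private sh -c 'touch "$1/private.sock"; mkdir "$1/private.d"' sh "$scratch"
    exposed_entries "$scratch"                  # reports only default.sock
    rm -rf "$scratch"
)
```

To use it for a real launch, pass the JVM command line to run_private and point exposed_entries at the directory you want to audit afterwards.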
16 Compatibility Information and Installation Requirements