EXECUTIVE SUMMARY
This white paper provides an overview of the security aspects in HP SMH, which is
the single system management solution introduced to manage an HP-UX system. The
white paper describes the various security features that the application provides, and
includes security-related tips for system administrators.
The intended audience for this document includes HP customers currently using or
planning to use the HP System Management Homepage application, system
administrators, response center engineers and HP field and consulting personnel who
advise customers on solutions for their environments. It is assumed that the reader has
functional knowledge of HP-UX system administration.
Table of Contents
Introduction
SMH key benefits
SMH creating a secure product
SMH security features
Managing SMH security
The Security menu
Kerberos authentication
Timeout Values
Startup Modes
Key and certificate information
Secure custom menus
Logging
Bastille (IPFilter) and its effect on SMH Partition Manager
Securely maintaining SMH Tips
SMH documentation
For more information
HP SIM Security Resources
Apache Security Resources
Call to action
Introduction
HP System Management Homepage (SMH) is the single system management solution for
managing HP-UX 11i. It is a web-based tool and uses the Apache web server. SMH is also
available for Linux and Microsoft Windows systems.
The key features of SMH are its system administration capabilities and its ability to display
details of hardware attributes. The SMH solution provides an easy-to-use interface for
displaying hardware fault and status monitoring, system thresholds, diagnostics, and software
version control for an individual server by aggregating the data from HP web-based agents
and management utilities.
SMH integrates with HP Systems Insight Manager (HP SIM), the strategic platform for
multisystem management from HP. HP SIM provides multisystem management capability by
providing administrators single sign-on (SSO) access to SMH on managed servers (standalone or partitioned) from a central console.
Security is a prime goal in the development of SMH. A number of security features are built
into SMH, and system administrators can also take steps to ensure that security is
maintained during the implementation, usage, and maintenance of SMH. This paper
describes the SMH security features and contains information and references related to the
security of SMH.
SMH is bundled with HP-UX 11i v3 Base Operating Environment, as well as the
Foundation Operating Environment on HP-UX 11i v1, v2, and earlier versions of v3. The
user does not need to make any configuration changes to start using the application.
SMH uses operating system-based Secure Sockets Layer (SSL) and host-based
authentication to protect web-based system management tools. The tool provides a
secure, encrypted connection between the web browser and the host system.
SMH uses open standards such as WBEM-based property pages for operating system,
software, and hardware information.
Gives users the ability to manage multiple systems from a single console, HP
SIM.
Enables users to determine which aspects of their HP-UX system and software
might require corrective action.
Enables users to view entities requiring attention, and drill down to subsequent
levels of detail until the precise situation and corrective action is determined.
Eliminates tool roulette by providing a guided path to the tool from which
appropriate action can be taken.
SMH provides system management capabilities through plug-in applications. The user
can add custom system management applications into SMH.
SMH offers auto-start and time-out features that the user can configure by using the
hpsmh(1M) and smhstartconfig(1M) commands.
SMH supports the Mozilla, Firefox, and Internet Explorer web browsers.
SMH provides the command preview feature that enables the user to view the commands
that will be run for a task before executing that task. This feature facilitates training and
usage in scripts.
A majority of the SMH applications are localized. Online help for some of the
applications is available in nine languages: English, French, German, Italian,
Japanese, Korean, Simplified Chinese, Spanish, and Traditional Chinese.
All the key administrative actions are recorded in samlog, which can be viewed through
the Samlog Viewer in SMH.
SMH validates user inputs. SMH has a limited number of user input fields, and the fields
that are available are validated. This reduces the chances of SQL injection or other
scripting techniques being used against the SMH product.
The Apache instance for SMH runs as a non-privileged user (hpsmh). In addition, SMH
runs its own Apache instance, with its own built-in security controls, separate from any
other Apache instance that may be running on a system.
The SMH development team follows industry standard Apache security best practices as
part of the SMH configuration (see the For more information section at the end of this
paper for links to Apache Security resources).
The SMH team works closely with the HP team that builds and supports Apache for
HP-UX. Any vulnerability that is announced in Apache in the industry is mitigated in the
HP-UX version of Apache.
A team within HP, known as the Software Security Response Team (SSRT), is dedicated to
addressing any and all potential security vulnerabilities with software and firmware
products sold and supported by the Hewlett-Packard Company. The SMH team works closely
with the SSRT to fix any reported vulnerabilities.
Common HTTP and HTTPS service for HP Insight Management Agents and utilities, for
reduced complexity and system resource requirements.
Greater access control through NIC binding and advanced configuration features for
individual and groups of users.
Facility to launch X application and Run a command. It is available in SMH -> Tasks ->
Launch X Application -> Launch X Application as Root -> Run Command -> Run
Command as Root.
IP Binding
Settings -> System Management Homepage -> Security -> IP Binding
IP Binding specifies the IP addresses from which SMH accepts requests and controls the
networks and subnets on which requests are processed.
Administrators can configure SMH to bind only to addresses specified in the IP Binding
window. You can define up to five subnet IP addresses and netmasks.
An IP address on the server is bound if it matches one of the entered IP Binding addresses
after the mask is applied.
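The mask-matching rule above can be previewed before the IP Binding settings are changed. The following shell sketch is an added example, not HP code: the ADDR/MASK notation, the function names and the sample addresses are constructed for illustration, and it assumes the mask is applied to both the server address and the binding entry before they are compared.

```shell
#!/bin/sh
# Added example: preview which server addresses an IP Binding list would bind.

# ip2int A.B.C.D: print the address as a 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# is_bound SERVER_IP "ADDR/MASK ..."
# Returns 0 if SERVER_IP matches an entry once that entry's mask is applied,
# 1 if it matches none, 2 on bad input or on more than five entries.
is_bound() {
    ip=$(ip2int "$1") || return 2
    n=0
    for entry in $2; do n=$(( n + 1 )); done
    [ "$n" -le 5 ] || return 2          # the page allows at most five entries
    for entry in $2; do
        case $entry in */*) ;; *) return 2 ;; esac
        net=$(ip2int "${entry%/*}") || return 2
        mask=$(ip2int "${entry#*/}") || return 2
        [ $(( ip & mask )) -eq $(( net & mask )) ] && return 0
    done
    return 1
}

# bound_addresses "SERVER_IPS" "BINDINGS": print the addresses that would be bound.
bound_addresses() {
    for addr in $1; do
        if is_bound "$addr" "$2"; then echo "$addr"; fi
    done
}

# Constructed sample values (not taken from the white paper).
servers="10.1.4.20 192.168.7.5 127.0.0.1"
bindings="10.1.0.0/255.255.0.0 127.0.0.1/255.255.255.255"
bound_addresses "$servers" "$bindings"
```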
IP Restricted Login
Settings -> System Management Homepage -> Security -> IP Restricted Login
IP Restricted login enables SMH to restrict login access based on the IP address of a system
from which the sign-in is attempted.
Multihomed Certificate
Settings -> System Management Homepage -> Security -> Local Server Certificate
SMH allows multihomed or multiple names to be set on certificates that are not generated
by HP. Through this functionality, the certificate for SMH can contain additional information
for the machine, such as other names in the network and IPs that are available. In the same
way, it is possible to create a certificate request to be signed by a Certificate Authority (CA).
Two kinds of values are acceptable as alternative names:
Anonymous/Local Access
Settings -> System Management Homepage -> Security -> Local/Anonymous Access
Anonymous/Local access enables you to select the following settings to include:
Local Access (Disabled by default). Enabling Local Access means you can gain local
access to SMH without being challenged for authentication. This means that any user with
access to the local console is granted full access if Administrator is selected.
Caution: HP does not recommend the use of local access unless your management server
software enables it.
Trust Mode
Settings -> System Management Homepage -> Security -> Trust Mode
The Trust Mode link provides options that enable you to select the security required by your
system. Some situations require a higher level of security than others. Therefore, you have the
following security options:
Trust by certificate
Trust by name
Trust all
User Groups
SMH uses operating system accounts for authentication and enables you to manage the level
of access of operating system accounts at an operating system account group level.
The users in the operating system group Administrators for Windows or the operating system
group root (which in turn contains the user root by default) for HP-UX and Linux, can define
operating system groups that correspond to SMH access levels of Administrator, Operator, or
User. After operating system groups are added, the operating system administrator can add
operating system users into these operating system groups.
Each SMH access level can be assigned up to five operating system groups. The SMH
installation enables you to assign the operating system groups to SMH. SMH will not allow
adding an operating system group if the specified operating system group is not defined in
the operating system.
The accounts used for SMH need not have elevated access on the host operating system. Any
SMH user with administrative privilege can assign operating system user groups to each
access level of SMH. As a result, all accounts in each operating system user group have
the access to SMH specified in the User Groups window.
Kerberos authentication
Administrative access to SMH can be controlled by setting up an SMH User Group, which in
turn maps to a UNIX Group. The UNIX Group can be a group local to the HP-UX system or
can be a group that is maintained in a Directory Service such as Active Directory (as long as
Kerberos and LDAP-UX are installed and configured on the HP-UX system).
Once Kerberos authentication is configured, along with the SMH User Group, users can
log in to SMH as themselves and will have Administrative authority. There would be no reason
to log in to SMH directly as root.
SMH uses the sysmgthp service. Since this service is not configured in pam.conf by default,
the PAM engine will use the OTHER service, which does not have pam_krb5 configured. By
adding the following to pam.conf, you can log in to SMH as a user defined in Active
Directory, after configuring the user's group in Settings -> System Management Homepage ->
Security -> User Groups.
sysmgthp   auth      required     libpam_hpsec.so.1
sysmgthp   auth      sufficient   libpam_krb5.so.1
sysmgthp   auth      required     libpam_unix.so.1 try_first_pass
sysmgthp   account   required     libpam_hpsec.so.1
sysmgthp
sysmgthp   account   required     libpam_unix.so.1
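To confirm which PAM entries SMH will actually use, the check below reads a pam.conf file and prints the auth stack for sysmgthp, falling back to OTHER when the service has no entries of its own. It is an added example, not part of the HP white paper: the function names and the sample file are constructed, and service names are compared case-insensitively as an assumption.

```shell
#!/bin/sh
# Added example: report which pam.conf entries apply to the SMH service.

# pam_stack FILE SERVICE TYPE
# Print "control module" for each entry PAM would consult: the entries of the
# service itself when it has any, otherwise the OTHER fallback entries.
pam_stack() {
    awk -v svc="$2" -v typ="$3" '
        /^[ \t]*#/ || NF < 4        { next }   # comments, blank or short lines
        tolower($2) != tolower(typ) { next }
        tolower($1) == tolower(svc) { own[++n] = $3 " " $4 }
        tolower($1) == "other"      { oth[++m] = $3 " " $4 }
        END {
            if (n > 0) { for (i = 1; i <= n; i++) print own[i] }
            else       { for (i = 1; i <= m; i++) print oth[i] }
        }' "$1"
}

# krb5_in_stack FILE SERVICE: succeed if the effective auth stack uses pam_krb5.
krb5_in_stack() {
    pam_stack "$1" "$2" auth | grep 'libpam_krb5' >/dev/null
}

# Constructed sample: a pam.conf with only OTHER entries (not a real system file).
make_default_conf() {
    cat > "$1" <<'EOF'
# constructed sample
OTHER     auth     required    libpam_unix.so.1
OTHER     account  required    libpam_unix.so.1
EOF
}

# The sysmgthp auth entries shown in the white paper, appended to the sample.
add_sysmgthp_auth() {
    cat >> "$1" <<'EOF'
sysmgthp  auth     required    libpam_hpsec.so.1
sysmgthp  auth     sufficient  libpam_krb5.so.1
sysmgthp  auth     required    libpam_unix.so.1 try_first_pass
EOF
}

conf="${TMPDIR:-/tmp}/pam.conf.sample.$$"
make_default_conf "$conf"
if krb5_in_stack "$conf" sysmgthp; then before=yes; else before=no; fi
add_sysmgthp_auth "$conf"
if krb5_in_stack "$conf" sysmgthp; then after=yes; else after=no; fi
echo "pam_krb5 in sysmgthp auth stack: before=$before after=$after"
rm -f "$conf"
```

On a live system, point pam_stack at /etc/pam.conf with the service name sysmgthp to see whether the OTHER entries are still in effect.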
Timeout variables
The SMH configuration is based on environment variables and tags that are set by the
/opt/hpsmh/lbin/envvars, /opt/hpsmh/conf.common/smhpd.xml and
/opt/hpsmh/conf/timeout.conf files. To change the default configuration, you can
modify the files to properly set the value of the variables and tag. Table 1: SMH
Configuration Timeout Variables describes the variables. These variables can also be set
through the GUI interface in SMH version A.3.0.0 and later.

Description: This variable points to the directory where JDK is installed.
Script: /opt/hpsmh/lbin/envvars

Variable: <session-timeout>15</session-timeout>
Description: The <session-timeout> tag defines the HP SMH session timeout in minutes. If it is defined, then the HP SMH session stops after the time period has elapsed without any user activity. If it is not defined, then the default for the HP SMH session timeout is 15 minutes. You can define the <session-timeout> tag using any value between 6 and 120 minutes.
Script: /opt/hpsmh/conf.common/smhpd.xml

Variable: TIMEOUT_SMH
Description: The TIMEOUT_SMH environment variable defines the HP SMH server timeout in minutes. If it is defined and lower than the HP SMH session timeout, the HP SMH server stops 3 minutes after the HP SMH session timeout. If it is defined and greater than the HP SMH session timeout, then the HP SMH server stops after the time period has elapsed without any user activity. If it is not defined or equal to zero, then HP SMH starts without timeout. When the automatic startup on boot startup mode is in use, the timeout mechanism does not start.
Script: /opt/hpsmh/conf/timeout.conf

Variable: TIMEOUT_TOMCAT
Description: This variable defines the Tomcat timeout in minutes in the /opt/hpsmh/conf/timeout.conf file. If it is defined, Tomcat stops after this time period has elapsed without any request to a Java web application. By default, the timeout for the HP-UX Tomcat-based Servlet Engine is 20 minutes and the timeout for the HP-UX Apache-based Web Server is 30 minutes. If it is not defined or equal to zero, then Tomcat starts without timeout. In this case, Tomcat stops only when HP SMH is stopped.
Script: /opt/hpsmh/conf/timeout.conf
Startup modes
SMH supports three startup modes. You can set the startup mode according to your security
policies and requirements.
Autostart URL
This mode is the default setting for startup. You can start SMH by using a web browser and
navigating to http://hostname:2301/. If autostart is configured as the default, there is a
daemon listening only on http://hostname:2301. There is no daemon listening on port 2381,
and hence a connection to this port will fail. When a request reaches port 2301 (http), the HP-UX
Apache-based Web Server is started on port 2381 (https) and the page is automatically
redirected.
Manual startup
You can start SMH from the HP-UX command line as long as you have an X-Windows
interface running (for example, if the DISPLAY variable is properly set). You can start SMH
using the smh command.
Use the /opt/hpsmh/bin/smhstartconfig script to configure the startup mode of the
SMH server and the Tomcat instance that SMH uses.
Logging
The System Management Homepage Log contains HP System Management Homepage
(SMH) level configuration changes as well as successful and failed login attempts. It is helpful
when troubleshooting login or access issues when logging in directly to SMH, or from the HP
Systems Insight Manager (HP SIM).
NOTE: You must have administrative access to SMH to access the System Management
Homepage Log. To access the System Management Homepage Log, select Logs -> System
Management Homepage -> System Management Homepage Log.
The error log and access_log files are stored on the system at /opt/hpsmh/logs. The
System Management Homepage Error Log contains error information generated by SMH
modules and CGI execution errors (httpd). It is the first place to look when a problem occurs
with starting the server or with server operation, because the log often contains details of
what went wrong and how to fix the problem. The access_log records all requests processed
by the server, so all the URLs accessed are logged in the access_log, which might be
helpful during auditing. Log records related to Tomcat are stored in the file catalina.out in
the directory /opt/hpsmh/tomcat/logs.
HOST.config
This is a host-based lockdown, without IPFilter configuration. There is no impact on Partition
Manager when this configuration is used.
MANDMZ.config
This is a fairly tight lockdown, but allows select network ports that are used by common
management protocols and tools. For example, WBEM continues to function when this
configuration is used.
To open Partition Manager under this configuration, SSH must be used or changes must be
made to enable ports 2301 and 2381 (both ports are also required for SMH). You can
ensure that Partition Manager can be opened on a system where ports 2301 and 2381 have
been disabled. To do this, prior to running Bastille, adjust the IP filtering by adding the
following entries to the /etc/opt/sec_mgmt/bastille/ipf.customrules file:
pass in quick proto tcp from any to any port = 2301 flags S/0xff keep state keep frags
pass in quick proto tcp from any to any port = 2381 flags S/0xff keep state keep frags
For more information, see the ipf(5) manpage.
DMZ.config
This is a tight lockdown. To open Partition Manager under this configuration, SSH must be
used. Bastille also impacts using Partition Manager to remotely manage a system where
Bastille is enabled. After the normal transfer of certificates, Partition Manager will work as
described above if the HOST.config or MANDMZ.config configurations are used. However,
the DMZ.config configuration blocks WBEM traffic and thus prevents the usage of Partition
Manager for remotely managing the system.
For more information about Bastille, see the bastille(1M) manpage, and the Bastille User
Guide available at /opt/sec_mgmt_bastille/docs/user_guide.txt.
Always log out of an SMH session. SMH automatically logs out the user if there is no
activity for the session timeout period, 15 minutes being the default period. It can be
changed to a value suitable for your security policy.
SMH (HP-UX) depends on system installed Apache, Tomcat, PHP and OpenSSL. If
there is any vulnerability reported for these products, then you must upgrade the
Apache suite (hpuxwsAPACHE) installation.
HP WebInspect scans.
Use the native web browser on a local system to invoke SMH (SSL will be used). Do not
set the X-Windows DISPLAY variable on the HP-UX system to create the display on your
local desktop; the information, including password information, will cross the network in
the clear. You must use the -F option to open the tools in an unsecure manner.
SMH documentation
For more information about SMH, see the following sources:
HP System Management Homepage Release Notes: The release notes provide
documentation for what's new with the release, features and change notifications, system
requirements, and known issues. The release notes are available on the HP Technical
Documentation website at http://docs.hp.com.
HP System Management Homepage Help System: The help system provides a set of
documentation for using, maintaining, and troubleshooting SMH. In SMH, go to the Help
menu.
HP System Management Homepage Installation Guide: The installation guide
provides information about installing and getting started using SMH. It includes an
introduction to basic concepts, definitions, and functionality associated with SMH. The
Call to action
HP-UX 11i v3 for HP Integrity and HP 9000 servers
www.hp.com/go/hpux11iv3