www.ideasinternational.com
WHITE PAPER
HP-UX 11i V3:
ENGINEERED FOR CRITICAL WORKLOADS
custom consulting services
PREPARED FOR
HP
TABLE OF CONTENTS
Executive Summary
HP-UX 11i Optimized for 24x7 Global Enterprises
HP-UX Operating Environment Bundles
HP-UX Design Goals
Virtualization
HP-UX 11i v3's Complete Portfolio of Virtualization Techniques
Online Migration
Workload Management Tools
HP Insight Dynamics VSE
Performance Optimization Tools
Availability
Error-Handling Architecture
HA Cluster and DR Options
Security
Role-Based Access Control (RBAC)
Encryption
Host-Based Intrusion Detection
August 2010
Executive Summary
This white paper presents a technical comparison of HP-UX 11i v3, AIX 6.1, and Solaris 10
UNIX operating systems, focusing on their functional capabilities in terms of virtualization,
reliability, and security. In each of these areas, the paper identifies some critical technical
requirements, describes the significance of these requirements in current customer
environments, and then shows how well HP-UX 11i v3 meets these requirements compared to
the other UNIX systems.
HP-UX, AIX, and Solaris all offer very strong functionality today, with each leading in one area
or another. But HP-UX stands out for its balance. It does not lag its competitors in any one
area, and it breaks out with leading functionality in several areas valued by business users. One
particular area of strength for HP-UX is the unique level of integration between virtualization,
workload management, and high availability (HA) / disaster recovery in HP Insight Dynamics
VSE. The combination of HP-UX and Insight Dynamics VSE gives customers the full benefit of
virtualization in a highly available environment. In the newest version of HP-UX, online
migration of Integrity Virtual Machines is up to two times faster than the previous release, and
encryption is supported for live migration of sensitive workloads. Live migration has also been
fully integrated into the VSE-OE and DC-OE operating environments. HP-UX can now become
the basis for truly virtual infrastructure, in which computing resources are treated as a single
pool of resources that can be drawn upon on demand by workloads. HP-UX 11i v3 deployment
is facilitated by HP's Reference Architectures for Insight Dynamics VSE, which document best
practices for deploying ISV solutions from IBM, Oracle, SAP, and SAS in an Insight Dynamics
VSE environment on HP Integrity servers.
In the area of security, HP-UX 11i v3 has superior storage encryption capabilities compared to
the other UNIX systems, with the unique ability to encrypt both entire storage volumes and
individual files. HP-UX 11i v3 also offers unique, host-based intrusion detection functions that
are integrated into the operating system; such functions require installation of add-ons in the
other UNIX systems.
By addressing some of the major Total Cost of Ownership (TCO) concerns customers have
today, these capabilities help to put HP-UX in a leadership position for delivering the proven
benefits of UNIX platforms.
This document is copyrighted by Ideas International, Inc. (IDEAS) and is protected by U.S. and international copyright laws and conventions. This document may not be copied, reproduced, stored in a retrieval system, transmitted in
any form, posted on a public or private website or bulletin board, or sublicensed to a third party without the written consent of IDEAS. No copyright may be obscured or removed from the paper. All trademarks and registered marks of
products and companies referred to in this paper are protected.
This document was developed on the basis of information and sources believed to be reliable. This document is to be used as is. IDEAS makes no guarantees or representations regarding, and shall have no liability for the accuracy
of, data, subject matter, quality, or timeliness of the content. The data contained in this document are subject to change. IDEAS accepts no responsibility to inform the reader of changes in the data. In addition, IDEAS may change its
view of the products, services, and companies described in this document.
IDEAS accepts no responsibility for decisions made on the basis of information contained herein, nor from the reader's attempts to duplicate performance results or other outcomes. Nor can the paper be used to predict future values or
performance levels. This document may not be used to create an endorsement for products and services discussed in the paper or for other products and services offered by the vendors discussed.
infrastructures to achieve 24x7 lights-out computing and dramatically reduce total cost of
ownership, all integrated and rigorously tested to operate as a single system.
HP-UX is now fully integrated into HP's Converged Infrastructure, a blueprint for data centers
that is designed to eliminate boundaries between IT silos, so that customers can invest more of
their IT budget on business innovation rather than maintenance. HP Converged Infrastructure
enables administrators to easily provision predefined server and storage capacity for HP-UX
Integrity systems, and HP-UX can be deployed on server hardware that is optimized for a
mission-critical Converged Infrastructure, such as HP BladeSystem Matrix.
[Figure. Labels: Base OE (BOE); Comprehensive security; Consolidation safeguards secure resource and hard partitions; Provision infrastructure; Optimize infrastructure; Protect continuity of services. Source: HP]
HP-UX 11i v3 was released in early 2007. Individual releases of HP-UX are supported for a
decade or so to enable customers to upgrade when it makes the most sense for the business to
do so. Investment protection is provided through binary compatibility for source, data, and
binaries.
With HP-UX 11i v3, HP focused on continued improvements to RAS to meet the needs of the
24x7 global enterprise. It also focused on the agile enterprise and the increasing need to
transport and store large amounts of data, a change driven by compliance and archiving
regulations as well as evolving data types and ever-expanding media files. HP designed the
current release of HP-UX 11i v3 to provide flexibility with mission-critical virtualization; capacity
for the most demanding workloads; affordable data-center-class availability and security; and
centralized expert control. The newest release of HP-UX, in the spring of 2010, introduced a
number of functional enhancements that significantly strengthen its appeal as a data center
computing platform. The core OS includes several new capabilities to reduce downtime, both
unplanned and planned. In particular, online migration of Integrity Virtual Machines is up to
two times faster than the previous release, and migrations are made more secure with
encryption. HP also added a suspend/resume capability for Integrity Virtual Machine guests,
which provides increased flexibility for deploying workloads in virtual machines.
In addition to being faster and more secure, Online Virtual Machine Migration for HP Integrity
Virtual Machines has been fully integrated into the VSE-OE and DC-OE operating environments.
Software such as HP Insight Dynamics VSE and HP Serviceguard Solutions extend the
reliability, scalability, and flexibility of HP-UX so that it benefits workloads, data centers, and IT
infrastructures on an end-to-end basis. With complete flexibility to move virtual machines
according to business policies driven by availability and service levels, HP-UX can now become
the basis for truly virtual infrastructure, in which computing resources are treated as a single
pool of resources that can be drawn upon on demand by workloads.
It is clear that HP is continuing to invest in enhancing the functionality of HP-UX, following its
traditional approach of responding to specific needs that its customers have raised. But how
does HP-UX compare with the other leading UNIX systems on the market today? The next few
sections compare the functionality of HP-UX 11i v3 with the latest releases of its major
competitors: IBM's AIX 6.1 and Oracle's Solaris 10. The comparison focuses on several key
functional areas, including virtualization support, reliability functions, and security functions.
Virtualization
Virtualization continues to take hold across the industry with the proven ability to deliver a
variety of business and operational benefits, including consolidation and improved resource
utilization; simplified resource provisioning; simplified implementation of high availability (HA)
and disaster recovery (DR); legacy application support; and improved test and development
processes. One of the most basic enablers of virtualization is the ability to run multiple
operating systems simultaneously on a single server. There are a number of ways to
accomplish this feat, depending on the goals of a virtualization deployment. For example, in
some cases (e.g., web server farms), it may be acceptable (or necessary) to run multiple
instances of the same OS. In other cases, particularly with consolidation, it may be desirable to
run heterogeneous operating systems (either different release or patch levels of the same
operating system, or entirely different operating systems altogether) simultaneously on a
single server.
From an implementation standpoint, operating systems can use several possible technologies
to manage multiple operating system instances. Such approaches include server partitioning,
hardware assistance, virtual machines, and virtual operating systems (i.e., virtual servers).
HP-UX supports all of these virtualization types in some form on Integrity servers. For the most
demanding workloads that require their own copies of an operating system (either HP-UX or
heterogeneous), HP-UX offers several approaches:
HP nPartitions (nPars). HP nPars are hard partitions that provide complete electrical isolation
between operating system instances, so that hardware or software errors in one partition
cannot crash or panic other partitions (requires cell-based servers). Electrical isolation also
enables a key nPars advantage in online serviceability (i.e., the ability to add/replace real
memory/CPU resources without impacting the entire system). Further, nPars incur no
performance overhead with respect to I/O performance, since the operating system has
direct access to the I/O, just as on a physical system. HP-UX 11i v3 also supports Dynamic
nPartitions, which allow nPars to be reconfigured online at the granularity of cell boards. The
ability to reconfigure Dynamic nPartitions introduces several benefits, including the capability
to: perform hardware maintenance on a server while that server continues to run mission
critical applications; add cell boards needed to accommodate growth without shutting the
server down; and migrate cell boards to different partitions in response to changing
workloads without incurring downtime. nPars within an HP Integrity server can run multiple
operating systems in parallel: HP-UX, including different release levels, or OpenVMS.
HP Virtual Partitions (vPars). HP vPars are soft partitions that offer finer granularity than
nPars. They can be as small as a single CPU, and can be used to host multiple instances of
either HP-UX 11i v2 or HP-UX 11i v3, each of which can be independently managed. Both
CPUs and memory can be dynamically moved between vPars without a reboot. Since the OS
still has direct access to the CPUs, memory, and I/O resources that are assigned to it, vPars
offer close to standalone server performance with the flexibility of software partitions.
HP Integrity Virtual Machines (VMs). HP Integrity VMs offer the finest granularity for running
multiple complete operating system instances (up to 20 per processor or core). HP Integrity
VMs are a true virtual machine implementation with fully virtualized processors, memory,
and I/O. HP Integrity VMs can run either HP-UX 11i v3 or the older HP-UX 11i v2, and they
can be deployed within an nPar. HP Integrity VMs support up to eight virtual CPUs and
capping of CPU resources. Resources can be dynamically moved between guests without
affecting the operation of the running applications, and online migration enables relocation
of an entire virtual machine from one host to another without interrupting its processing.
HP Secure Resource Partitions (SRPs). HP SRPs provide many of the benefits of a virtual
operating system, enabling applications to be stacked securely within a single instance of
HP-UX 11i. HP SRPs combine the HP-UX Security Containment function with HP Process
Resource Manager (PRM) resource management. HP SRPs allow discrete sets of processes
and files to be contained within compartments; provide role-based access control to
administer privileges for these compartments; and provide rules that dictate intercompartmental communication.
Solaris supports several methods for running multiple operating instances simultaneously on a
single server. Some high-end SPARC64 servers have a hard partitioning function called dynamic
domains, which is similar in design to HP's nPars. Oracle also offers a more flexible
virtualization function called Oracle VM Server for SPARC (formerly called Logical Domains, or
LDOMs), which allows multiple separate instances of Solaris to run on a single processor.
However, Oracle VM Server for SPARC is only supported on Oracle servers that have chip
multithreading technology (CMT). Finally, Solaris Containers allow multiple private execution
environments to be created within a single instance of Solaris 10, similar to HP's Secure
Resource Partitions.
[Comparison table; column headings present: AIX 6.1, Solaris 10. Labels and entries in page order: Multiple OS Instances (Same OS); Dynamic domains, Oracle VM Server for SPARC; Multiple OS Instances (Older OS); Dynamic domains; OS Virtualization; Secure Resource Partitions; Solaris Containers; HW/FW-Assisted Hypervisor; None; Electrical Isolation; nPars; None; Dynamic domains; Integrity VMs; Micro-Partitions, Workload Partitions; Hardware Assistance; Online Migration]
Online Migration
Most forms of virtualization to some degree isolate workloads from the details about the
servers on which they are hosted. As a result, the use of virtualization generally makes it easier
to move a workload from one machine to another without disturbing the workload's application
environment. The ability to transfer virtualized workloads across the network in this manner
enables a number of benefits that can greatly affect operational costs, including reduced
downtime and better controls for maintaining service levels.
HP-UX 11i v3 supports live migration for Integrity Virtual Machines, allowing the state of an
Integrity Virtual Machine to be relocated from one physical host to another without interrupting
its processing. In the newest version of HP-UX, online migration of Integrity Virtual Machines is
up to two times faster than the previous release, and it has now been fully integrated into the
VSE-OE and DC-OE operating environments. The new release also adds the ability to encrypt
virtual machines during migration, which will be valuable for using virtualization to maintain
service levels in sensitive workloads. Finally, HP added a suspend/resume capability for
Integrity Virtual Machine guests, which provides increased flexibility for deploying workloads in
virtual machines. Among other uses, administrators can use this mechanism to maintain
libraries of pre-built virtual machines containing various workloads.
AIX 6.1 has two different ways of moving virtualized workloads across systems without
interrupting applications. The first method, called Live Partition Mobility, can transfer an
operating system from one POWER server to another while the operating system continues
running.[1] The other method, Live Application Mobility, is a function of AIX 6.1 that can be used
to move Workload Partitions (virtualized operating systems similar to Solaris Containers or HP
Secure Resource Partitions) from one host to another. Neither of these options supports
encryption, however. Solaris Containers support cold migration, in which the state of a
Container is captured in a file for migration from one host to another. Oracle VM Server for
SPARC supports warm migration, in which partitions can be moved from one host to another
with minimal interruption, but the approach incurs some downtime. Oracle VM Server for x86
supports live migration of Solaris, with encryption.
Global Workload Manager (gWLM) is an intelligent policy engine that automatically allocates
resources among multiple workloads to increase server utilization while meeting service
levels for high-priority applications. Designed to work across multiple HP-UX 11i, OpenVMS,
and Linux environments, the workload management features are ideal for large, centralized
IT environments that host applications for many departments.
[1] Requires that the guest OS uses the Virtual I/O server to virtualize the I/O connections, rather than
running the I/O directly through the hardware.
Alternatively, users may want to use the failover capability to move software application
packages between servers in a cluster whenever desired, not just in a failed cluster node
scenario. In an HP Integrity Virtual Machine environment, HP Serviceguard can monitor the
application in addition to the guest OS, the host OS, and the hardware. It can protect from
failures at any level. Most virtual machine failover solutions only monitor the hardware,
hypervisor, or the guest OS, and not the actual application. Upon failure, Serviceguard can
move virtual machines automatically to the failover node. This failover works seamlessly, since
HP Serviceguard can be loaded directly into the Integrity VM host to monitor the applications
running within the VM, or loaded onto the host to monitor the VMs themselves.
Further, Insight Dynamics VSE's workload management can be leveraged to automatically
reallocate (or invoke) resources after failover to retain service-level goals. Insight Dynamics
VSE's integration of the HP Serviceguard Solutions portfolio of clustering and disaster recovery
with virtualization and workload management functions, as well as HP's utility pricing offerings,
means that workloads can automatically maintain service levels even in the event of failures
within a data center, or of up to two entire data centers. As a result, overall system utilization
is improved, offering the following benefits:
Provides business isolation for applications while making optimum use of server resources.
Protects applications from failure or degradation caused by hardware or software problems
in other parts of the affected server.
Optimizes application performance and behavior by isolating applications within their own
operating environments where they can have dedicated resources.
Provides resource isolation within an operating environment such that applications sharing
an operating system image can receive dedicated system resources in order to meet service-level objectives.
which also support AIX and Solaris), as well as HP Caliper and HPjmeter for optimizing
application performance. GlancePlus Pak provides an overview of system performance, allowing
administrators to examine system activities; identify and resolve performance bottlenecks; and
tune systems. Administrators can view real-time summaries of data on the performance of HP-UX systems, and then drill down to diagnostic details at the system level, application level and
process level. Performance metrics can be collected for analysis on a historical basis, and
alarms can be set up to trigger automated commands or scripts based on any combination of
metrics.
[Comparison table; column headings present: AIX 6.1, Solaris 10. Labels and entries in page order: Performance Management; Perfview, GlancePlus Pak, Caliper (C++), HPjmeter (Java); Kernel Tracing; ktracer; ProbeVue; Dynamic Tracing (DTrace)]
HP Caliper is a tool that can be used to analyze the performance of C++ applications. HP
Caliper allows administrators and developers to understand the performance and execution of a
C++ application, and to identify ways to improve its runtime performance. Another tool,
HPjmeter, helps administrators and developers optimize the performance of Java applications
by displaying their behavior in real time, with the ability to automatically detect problems and
alerts in Java code. HPjmeter can provide particularly extensive visibility over the behavior of
memory in Java applications, showing the impact of garbage collection on application
performance and delivering alerts when memory leaks are detected.
HP-UX also has a tool called ktracer, which can be used to analyze the performance of
processes and systems at the kernel level, in order to detect performance bottlenecks and
discover opportunities to improve performance. ktracer is integrated with HP Caliper, and it
provides the user with an overall performance view. It tracks performance bottlenecks and
issues throughout the stack, so that performance can be optimized across both the application
and the kernel.
These interactive tools help administrators, working together with developers, extract the
maximum performance from HP-UX systems. The depth of information provided by HP's tools
enables administrators to find and overcome performance bottlenecks in less time. Moreover,
the graphical user interfaces (GUIs) of HP's tools allow administrators to diagnose and repair
many problems by applying a point-and-click approach, rather than the "remember and type"
approach that is required for tools with command-line or textual user interfaces (TUIs). As a
result, some performance management tasks in HP-UX can be performed by personnel even if
they do not have a great deal of experience with issuing UNIX commands.
Most of the native performance management capabilities provided by IBM and Oracle for AIX
and Solaris, respectively, are more low-level tools driven by command lines. Solaris 10 includes
a powerful kernel tracing tool called Dynamic Tracing (DTrace), which enables administrators
and developers to monitor operating system behavior in real time and at the kernel level, using
a scripting language to configure diagnostic routines. IBM offers a tool for AIX 6.1 called
ProbeVue, which targets similar functionality to DTrace, taking advantage of prebuilt code in
the AIX kernel to capture the status and parameters of kernel functions. Also, IBM's
Performance Toolbox for AIX provides a graphical user interface to help administrators with
load monitoring, and analyzing system information to diagnose performance bottlenecks.
Availability
Like scalability, availability is a key concern for users in small and medium-sized businesses as
well as in large enterprise organizations. When it comes to availability, the issues that
administrators are concerned with generally fall into two classes: avoiding planned downtime
due to maintenance, and minimizing the impact of unplanned downtime due to failures or
threshold violations. The operating system itself can help to reduce downtime in several ways.
First, it can reduce planned downtime by minimizing the need (and the time required) for
rebooting when maintenance is performed in the hardware or in the operating system software
itself. Further, it can support frameworks for smoothing service-level recovery when a serious
failure does occur, either in hardware or software.
Most advances with regard to UNIX system availability have occurred in three areas: dynamic
reconfiguration (i.e., the ability for operating systems to adapt to the addition and removal of
CPU and memory resources without requiring a reboot); error handling architectures (which
help application and higher-level service infrastructures correctly adapt when failures occur in
hardware or lower-level software); and high availability (HA) and disaster recovery (DR)
tools (which enable workloads to transparently migrate to alternate hosts when hardware,
software, storage or network failures occur).
[Comparison table; column headings present: AIX 6.1, Solaris 10. Labels and entries in page order: Online Reconfiguration OS; Online Reconfiguration Hardware; No; Reduced OS Update Downtime; Concurrent Maintenance; LiveUpgrade; Error Handling Architecture; System Fault Management; None; Solaris Fault Management Architecture (FMA); HA Cluster and DR Options; HP Serviceguard; IBM PowerHA]
Operating systems can help to minimize planned downtime by reducing the number of
administrative tasks that require a system restart, which can consume a great deal of time in
high-end environments. For example, in HP-UX, most of the OS tuning required for a workload
can be performed without a reboot (75% of tuning operations that would have required a reboot
in the past have been eliminated in HP-UX 11i v3). Historically, hardware maintenance was one
scenario in which some downtime was almost certainly unavoidable. However, some advanced
UNIX servers now have the ability to dynamically add and remove processor and memory
modules without being shut down, making it possible to upgrade servers without interrupting
operations. Online CPU and memory addition is especially useful when coupled with utility pricing
programs, which bring resources online only when they are needed by applications.
Moreover, in virtualized environments, where by definition resources such as CPUs and memory
can be created and removed at will, it becomes increasingly critical for operating systems to
have the ability to respond to constantly changing resources. For this "hot plug" functionality to
work correctly, the operating system must recognize CPU and memory modules as they come
online. It is also necessary for the operating system to recognize when the resources are no
longer available, which is somewhat more challenging, since it requires the OS to gracefully
"dry up" use of resources that reside in the components being detached.
Currently, HP-UX, AIX, and Solaris all have the ability to dynamically add and remove processors
and memory in a running instance of the operating system without reboot. It should be noted,
though, that only Solaris and HP-UX have the ability to add and remove both real and virtual CPU
and memory resources (i.e., support the maintenance and upgrade of hardware online, as well as
support the dynamic reconfiguration of operating systems running in virtual machines). IBM does
not currently support hot-plug CPUs or memory on its POWER servers.
Another way for operating systems to help minimize planned downtime is to reduce the time
required for making major changes to the operating system software itself, by allowing
administrators to install a new version of the operating system while the existing version
continues to operate normally. Instead of replacing the operating system directory structures and
files, the new system is built in a separate root directory structure. Once the installation is
complete, the administrator can quickly reboot from the other root directory and immediately
begin using the new system. Fallback is simple: simply reboot the original system and resume
using it. This capability is a major improvement for UNIX, since the traditional installation
procedure would have required a complete tape restore to recover from a bad installation. It also
relieves the fears of those who distrust new releases by providing quick fallback. HP-UX, AIX, and
Solaris now all support this capability, although they have different names for it: HP-UX 11i v3 has
Dynamic Root Disk, Solaris has LiveUpgrade, and AIX 6.1 has Concurrent Maintenance.
Error-Handling Architecture
Despite improvements to the robustness of hardware, faults can still occur in critical hardware
components (including processors, memory, and I/O devices) that are expensive and
sometimes extraordinarily challenging to replicate. In response, leading-edge UNIX system
developers have introduced error-handling architectures that help workloads recover from
outages by key hardware components in single systems, allowing them to continue functioning
by adapting to critical changes in hardware.
These frameworks allow applications to be adapted for dynamic reconfiguration so that they
behave correctly given a particular combination of CPUs and memory. If applications are not
properly modified to handle dynamic addition or removal of CPUs and memory, they will not
necessarily be optimized to take advantage of available resources. For example, dominant
applications such as database servers typically make assumptions about the number of
processors available. If the number changes while the database is running, performance can
suffer for a variety of reasons. The frameworks sometimes also allow dynamic reconfiguration
operations to be integrated smoothly into day-to-day system management operations,
permitting resource changes to be activated by scripts and other system management
mechanisms. Along these lines, HP-UX 11i v3 has the System Fault Management framework,
while Solaris has its Fault Management Architecture (FMA). AIX has a lower-level mechanism
called First Failure Data Capture (FFDC), which collects diagnostic information about problems
at the time they occur, reducing the need for administrators to recreate the problem at a later
time in order to generate diagnostic information.
faults on the failed node, the remaining nodes can continue providing service, keeping the
overall clustered system in operation. HP Serviceguard Solutions work with HP's utility pricing
offerings to automatically activate capacity as needed, as in the case of a failed server. In some
cases, downtime can be eliminated as cluster monitoring is able to detect potential faults and
address them without an interruption in business activities. Clustering can also help with certain
management tasks by absorbing planned downtime in addition to system failures.
Since most HA cluster environments depend on some form of shared storage, the distance
between nodes is often constrained to the maximum length of I/O channels such as SCSI or
Fibre Channel (i.e., at best campus distances up to 100 km). Disaster recovery (DR) options,
which typically work via replication, allow nodes to be separated by geographically significant
or even unlimited distances. DR solutions protect systems from natural and man-made
disasters and provide compliance to government regulations.
HP's portfolio of Serviceguard Solutions is recognized as one of the most proven high
availability and disaster recovery stacks in the industry with some 750,000 licenses sold
worldwide to date. Serviceguard Solutions provide capabilities ranging from cluster failover to
cross-city (Metrocluster) and cross-continent (Continentalclusters) disaster recovery, supporting
failover distances of up to 300 km through dark fiber, and unlimited distances over WAN
connections. Failover can be either fully automated or operator-initiated, and with the latest
update to HP-UX 11i v3, Metrocluster and Continentalclusters are now simpler to configure and
easier to manage, with optimized failover times. Serviceguard is fully integrated with Integrity
Virtual Machines, allowing clusters to be deployed in virtual machines so that the computing
resources assigned to cluster nodes can be precisely calibrated.
Using HP-provided toolkits, Serviceguard Solutions can be integrated with Insight Dynamics VSE
and software products from third-party vendors, including Oracle and SAP, to reduce overall time
to production deployment and enhance monitoring capabilities for these products. Unlike other
UNIX vendors, HP integrated its Serviceguard availability and DR solutions with Symantec's
VERITAS Storage Foundation offerings (available only through HP as Serviceguard Storage
Management Suite) to provide a comprehensive solution that delivers improved availability,
manageability, and performance to business-critical environments on HP-UX.
IBM is also recognized for its very strong HA and DR capabilities, which include PowerHA and
PowerHA SystemMirror Enterprise Edition with Geographic Logical Volume Manager (GLVM),
and data migration capabilities in its System Storage products. However, IBM does not
currently offer a comparable level of integration between the virtualization functions in AIX
(i.e., Micro-Partitions and WPARs) and the HA and DR options of PowerHA. As a result, IBM's
virtualization solution for AIX may not be able to offer the same levels of flexibility as HP's
Insight Dynamics VSE, or its operational cost benefits. The Solaris Cluster option for Solaris
can be used to stretch clusters over campus and metropolitan areas, as well as geographic
ranges with Solaris Cluster Geographic Edition. However, Solaris Cluster also does not have the
same degree of integration with workload management, virtualization, infrastructure
management, and utility pricing as Insight Dynamics VSE, and thus does not deliver the same
benefits of automation as HP's solution.
Security
The security functions in UNIX systems have continued to evolve as they have been deployed
in ever-more critical roles. The main areas of focus have been on improving control over
allowable actions by users and administrators; supporting data encryption; and improving tools
to help administrators make sure their systems have been properly secured.
Security is a core competency of HP, which designed a portfolio of products, HP Secure
Advantage, to help customers securely share information; improve identity management and
compliance controls; ensure business continuity; and defend against network attacks. While
Secure Advantage brings HP's entire security value proposition together across all of its
Enterprise Server and Storage (ESS) platforms, several key components of the portfolio are
based on Integrity and HP-UX, including the following bundled (in HP-UX 11i) components:
HP-UX Host Intrusion Detection. Integrated into the kernel, this package monitors HP-UX
systems for user or application security breaches.
HP-UX Identity Management is a powerful suite of identity management products that all
work together on HP-UX. The suite includes Red Hat Directory Server; Identity Management
Integration (IdMI), which works with HP OpenView Select Access; and an AAA
(Authentication, Access Control, and Accounting) server. The suite allows administrators to
implement single sign-on, which can authorize users to access appropriate applications with
one account and password. The AAA server provides a directory front end to control access
to the network, a function critical to ISPs that need to control access to the network and
provide detailed transaction billing information. The AAA server also implements One Time
Password Authentication (OTP) with two-factor authentication, which helps to protect
networks from phishing attacks, unauthorized network access, and identity theft. HP-UX has
long delivered on the promise of centralized LDAP-based user management with the Red Hat
Directory Server (now replaced with a port of the Open Source Fedora 389 Directory Server)
and the HP-UX LDAP-UX client software for platform enablement. HP-UX also bundles the
Select Access server, which layers on top of the LDAP directory to facilitate simplified user
and access management across a broad range of platforms, devices, and applications.
Further, the HP-UX IdMI client software layers on top of LDAP-UX for more powerful login
and access control.
A secure disk erase tool, included in HP-UX, can render sensitive hard drive data
unrecoverable in a way that is compliant with Department of Defense specifications.
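| Area | Feature | HP-UX 11i v3 | AIX 6.1 | Solaris 10 |
|---|---|---|---|---|
| Role-Based Access Control (RBAC) | | Yes | Yes | Yes |
| Storage Encryption | File-Based Encryption | Yes | Yes | Future |
| Storage Encryption | Volume-Based Encryption | Yes | No | Future |
| Security Configuration | Lockdown Tools | HP-UX Bastille | Via aixpert | Solaris Security Toolkit |
| Security Configuration | Secure by Default | Yes | Yes | Yes |
| Security Configuration | Host-Based Intrusion Detection | Yes | No | No |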
HP-UX and AIX each support the most essential improvements to UNIX security. Both systems,
as well as Solaris, also provide tools that help administrators properly configure security in the
notoriously porous UNIX OS environment. HP-UX, AIX, and Solaris all support a secure by
default installation mode, whereby the OS begins operating with high security settings
configured out of the box. However, HP-UX provides a particularly easy mechanism to select
between different security levels.
Encryption
While encryption has long been employed in different parts of IT infrastructure, particularly in
networking, attention has turned more recently toward applying encryption to the data itself as
it resides in storage. Since the operating system plays a direct role in controlling how data
passes back and forth between storage systems and applications, it is a natural place for
encryption functions to be applied in order to protect sensitive data as soon as it enters the
system. HP-UX 11i v3 and AIX 6.1 each support storage encryption. However, while AIX
supports encryption at the file level, HP-UX 11i supports encryption at both the individual-file
and entire-volume levels. Developers are working on encryption capabilities for the ZFS file
system in Solaris, but these functions are not yet shipping in the production versions of Solaris.