Automated Remote Support Security With TSM and OSM on NonStop Servers

HP NonStop S-Series and NS-Series Server Automated Remote Support
shared security which both MSPs/MEs (Master
Service Processors/Maintenance Entities)
provide. Up to eighteen usernames and
passwords can be configured for the SP.
H. EMS Event Viewer Security
The EMS Event Viewer (EV) can be launched
from the SC application. The username and
password entered in any previous Connect dialog
of the SC application are not passed to the EV
when it is launched. The username and
password will need to be re-entered. The
username and password are then used to set up a
session with the event distribution software on
the NonStop™ S-Series/NS-Series server. If the
EV is invoked from the desktop, the NSK
username and password are required.
Remote Access Process and Security
On a NonStop™ S-Series/NS-Series Server,
there are two support access points: the NSK
operating system and the Service
Processor/Maintenance Entity. Remote access
for both access points is via the NSC Console
and is configured and controlled by the system
manager.
When the GMCSC needs remote access to
diagnose a hardware or software problem, a
connection is made from the GMCSC into the
NSC Console. This connection is established
using Microsoft NetMeeting, a Microsoft software
product designed for remote service access.
A. NT Security
The first level of remote access security is NT
security. NT RAS (Remote Access Service) must
be configured before remote access can occur.
Beyond RAS, the NT user must be allowed to
operate over a remote connection. If this
configuration is not done, the connection will fail,
even if the correct username and password are
used. (The default NT user is not given remote
access. The system manager must use the NT
User Manager application to enable remote
login by the GMCSC user.)
B. NetMeeting Security
Once a connection to the NT system is
established using RAS, a connection to the
Microsoft NetMeeting software must be
established. This can only happen if the
NetMeeting application is already running on the
NSC Console. NetMeeting relies on the NT RAS
security username (which must be part of the
administrators group) and password, which must be
entered before any connection to a NonStop™ S-
Series or NS-Series server can be attempted.
The system manager controls the assignment of
the NT RAS username and password. All remote
communications over NetMeeting are encrypted.
C. NSK Server Security
The third level of security is NSK security. Once
the connection is made, the GMCSC starts the
SC application and runs a Connect dialog
specifying the IP address of the customer’s
NonStop™ S-Series or NS-Series server.
Because the NonStop™ S-Series or NS-Series
server IP addresses are not part of the RAS PPP
address pool, starting SC without going through
NetMeeting will not allow any LAN access to the
NonStop™ S-Series or NS-Series server.
D. Session Security
Once a connection is established and TSM or
OSM applications are run on the NSC Console,
the same security mechanisms discussed above
apply for NSK security, RPC sessions, and FTP
sessions. The NSK TSM or OSM Server utilizes
NSK security, requiring an NSK logon for access.
The Service Processor/ME provides the
username and password security.
E. Audit Trail
There are two kinds of audit provided by
TSM/OSM.
The Low-Level Link provides the ability to show
the set of active sessions as reported by the SP
or ME. This is provided through the Sessions
menu item in the Display menu after System
Discovery has completed. This display shows all
active LAN RPC sessions with the SP or ME from
any NSC Console.
An audit trail of Service Connection operation is
maintained on NSK in the ZSERVICE.ZZUSERS
file. The following occurrences will be logged in
that file:
Any validation of NSK security,
An Authorization Failure, where the NSK username and password fail to validate, and
An action on any object.
When the ZZUSERS file becomes full (500
entries), it is renamed to
$ZSERVICE.ZZUSERS2 and the ZZUSERS
file is started anew.
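A model of the rotation described above, as an added example that is not part of the original document or of the TSM/OSM software: it shows how many audit entries remain on the server and how often an off-server copy has to be taken so that none are missed. It assumes the rename replaces any earlier ZZUSERS2; the collector and its interval are hypothetical.

```python
# Added example: model of the ZZUSERS rotation, not vendor code.
CAP = 500  # entries per file, from the text


class AuditTrail:
    """Two-file audit trail: ZZUSERS (current) and ZZUSERS2 (previous)."""

    def __init__(self, cap=CAP):
        self.cap = cap
        self.current = []    # models ZZUSERS
        self.previous = []   # models ZZUSERS2

    def log(self, seq):
        self.current.append(seq)
        if len(self.current) == self.cap:
            # The full file is renamed to ZZUSERS2. Assumption: this
            # replaces whatever ZZUSERS2 held before.
            self.previous, self.current = self.current, []

    def on_box(self):
        return self.previous + self.current


def simulate(total_events, collect_every):
    """Write total_events entries while a hypothetical collector copies
    both files off the server after every collect_every entries.
    Returns (entries still on the server, entries never captured)."""
    trail = AuditTrail()
    archived = set()
    for seq in range(1, total_events + 1):
        trail.log(seq)
        if seq % collect_every == 0:
            archived.update(trail.on_box())
    on_box = set(trail.on_box())
    missed = set(range(1, total_events + 1)) - archived - on_box
    return len(on_box), sorted(missed)


if __name__ == "__main__":
    for interval in (500, 600, 1000):
        kept, missed = simulate(3000, interval)
        print(f"collect every {interval}: {kept} on server, "
              f"{len(missed)} entries never captured")
```

Under this model the server never holds more than 999 entries, and a copy taken at least once per 500 logged entries captures every record.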
F. Access and Security Precautions
TSM or OSM provides two levels of access:
monitoring access and action access. The level
of access is governed by the NSK logon provided
by the system manager.
Monitoring access allows a user to see what is on
a system, information about the resources on a
system, the state of the resources on a system,