HP-UX Secure Resource Partitions (SRP) A.02.01 Administrator's Guide
HP-UX 11i v3
Table of contents
Preface 5
Intended Audience 5
Typographic Conventions
3.1 Using the srp_su Command 23
3.2 Allowing Additional Users to Use the srp_su Command 23
3.3 Example: Using the srp_su Command to Login to the Target SRP 23
4 Getting Started with SRP
10 Using the oracledb Template 62
10.1 Adding the oracledb Template to an SRP Compartment 62
10.1.1 The cmpt Service 62
10.1.2 The ipfilter Service
17.2.3 Removing or Disabling IPSec 93
17.3 Reporting Problems 94
Appendix A Configuration Example 95
A.1 Sample Base Configuration
Preface
This document describes how to install, configure, and troubleshoot HP-UX Secure Resource Partitions (SRP).
Intended Audience
This document is intended for system and network administrators responsible for installing, configuring, and managing HP-UX SRP. Administrators are expected to have knowledge of operating system and networking concepts, commands, and configuration.
points of the main text.
Related Information
For more information about the products and subsystems used with SRP, see the following documentation:
• HP-UX Security Containment and Role-Based Access Control (RBAC) is documented in the HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3, available at: http://docs.hp.com/en/oshpux11iv3.html#System%20Administration
• HP Process Resource Manager (PRM) documentation is available at: http://docs.hp.com/en/ha.
1 Introduction
This chapter addresses the following topics:
• 1.1 Product Overview
• 1.2 SRP Components
• 1.3 Planning Considerations and Best Practices
• 1.4 Installing SRP
• 1.5 Migration A.02.00/A.02.00.01 to A.02.01
1.1 Product Overview
HP-UX Secure Resource Partitions (SRP) version 2 enables you to create and manage SRP compartments, which provide isolated execution environments for applications.
Figure 1.1 SRP Compartments Example 1.1.1 Securing SRP Compartments SRP provides a framework for managing compartment and networking security. This framework is primarily enforced with Security Containment compartment file access rules. The default set of compartment access rules delivered with SRP has been developed to favor functional isolation, application compatibility and user session functionality over strong security containment.
You can also use HP-UX Encrypted Volume and File system (EVFS) to protect disk data at rest, or disk data that is not in use, such as when a disk device is physically transported. For more information on EVFS, see the HP-UX Encrypted Volume and File system (EVFS) Administrator's Guide. 1.1.
a role with the RBAC authorization to log in to cmpt1, and assign the user user1 to that role. You can configure the system so that user1 can log in only to cmpt1 and access only the files available to cmpt1. You can also use RBAC to configure the system so that an executable can run only in cmpt1. These security restrictions are examples of only a small subset of the restrictions and conditions you can configure using HP-UX Security Containment.
• The srp_su utility
• SRP templates, which manage configuration data for services
• The Configuration Synchronization Manager (CMGR) Utility and Libraries
1.2.1 The srp_sys Utility
The /opt/hpsrp/bin/srp_sys utility manages system-wide configuration properties for SRP. You must run srp_sys -setup to configure the system for SRP before configuring individual SRPs on the system. You can also use srp_sys to view and modify system-wide configuration settings for SRP. 1.2.
• tomcat Manages configuration data for running an HP-UX Tomcat-based servlet Engine in an SRP compartment. • custom Manages custom configuration of the SRP compartment. You can use this template to specify additional Security Containment file access rules, IPFilter rules and Provisioning for an SRP compartment. • oracledb Manages configuration data for running an Oracle Database Server in an SRP compartment.
• provision Executes a script to deploy an application in an SRP compartment. HP provides provision scripts for the Apache Web Server, Tomcat Servlet Engine, and Secure Shell daemon (sshd) templates.
• network Configures an IP interface for use by a compartment. By default, SRP IP interfaces are not shared between SRPs; however, these interfaces are accessible by default from the INIT compartment.
1.3.2 Coexistence with the INIT Compartment
The INIT compartment is a permanent, default compartment defined by the Security Containment product. By default, all system processes and services (all processes started by the init process) run in the INIT compartment, and the INIT compartment has access to all files and processes. The INIT compartment also has access to all interfaces configured in other compartments, including the ifaces compartment and all SRPs.
• Do not use the INIT compartment to run applications or non-essential services. Any application or service that is not intended to be shared by SRPs should be run in an SRP and not in INIT.
• Manage system resources when logged in to the INIT compartment. If a utility manages system-wide resources or configuration files, such as SMH, run the utility from the INIT compartment.
• The SRP utilities manage system resources and should be executed from the INIT compartment.
configure the IPFilter service with SRP if you are using Bastille to manage IPFilter rules. If Bastille is managing IPFilter rules, the /etc/opt/ipf/ipf.conf or /etc/opt/ipf/ipf6.conf file contains a statement similar to the following:
# WARNING: This file was generated automatically and will be replaced
# the next time you run Bastille. DO NOT EDIT IT DIRECTLY!!!
1.3.
After the update is done, existing SRP compartment configurations will not use the old .srp_incl files (for example, base.srp_incl). To retain changes made to the original compartment include files, copy the *.old files back to their original locations. For example, to restore the customized base.srp_incl file, do as follows: # cd /etc/opt/hpsrp/cmpt # cp base.srp_incl.old base.
2 Setting Up an SRP
This chapter describes how to use srp_setup to set up the SRP environment. This chapter addresses the following topics:
• 2.1 The srp_sys Utility
• 2.2 Using srp_sys -setup to Set or Modify System Properties
• 2.3 Example: srp_sys -setup
• 2.4 Using srp_sys -list to Display System Properties
• 2.5 Example: srp_sys -list
2.1 The srp_sys Utility
The /opt/hpsrp/bin/srp_sys utility is used to set and view system-wide configuration properties that affect SRP.
IMPORTANT: By default, once compartment login is enabled, only the root user (user name of "root") is allowed to log in to the INIT compartment. To allow additional users to log in to the INIT compartment, you must assign those users to the RBAC role SRPlogin-init.
# # Compartment Setup # ############################## Checking the Compartment module ... [ Enabled ] ############################## # # cmpt Login configuration # ############################## Checking Compartment Login Configuration File... [ OK ] Checking cmpt login feature ... [ Enabled ] Note: By default, once compartment login is enabled, only the root user (user name of "root") will be allowed to login to the INIT compartment.
Checking sshd configuration ... Enter sshd configuration file: [/opt/ssh/etc/sshd_config] [ OK ] Saving SRP default template ... [ OK ] Detected Init Compartment Secure Shell daemon listening on all IP addresses. Will conflict with any SRP Secure Shell daemons. Would you like to restrict the Init compartment's sshd IP addresses? [y] RETURN Enter IP addresses, separated by comma ',': [15.146.224.214] RETURN sshd will then listen on these interfaces: ListenAddress 15.146.224.
Unverified: The subsystem is installed and enabled, but the configuration has been customized in a way that prevents validation.
Invalid Config: The subsystem is installed and enabled, but has failed the configuration validation check or is configured with an invalid option for the SRP environment.
Not Enabled: The subsystem is installed, but has not been enabled.
Not Installed: The subsystem software has not been installed.
You can use the -verbose option to obtain more detailed information. 2.
3 Executing the su Command in the Target SRP
The srp_su command executes the su(1) command in the specified SRP. You must execute the srp_su command from within the INIT compartment. System administrators can use this command to log in or execute a command within an SRP. This chapter addresses the following topics:
• 3.1 Using the srp_su Command
• 3.2 Allowing Additional Users to Use the srp_su Command
• 3.3 Example: Using the srp_su Command to Login to the Target SRP
3.
The root user logs in from the INIT compartment to the mySRP SRP as user admin1 with a new login session in mySRP:
# /opt/hpsrp/bin/srp_su mySRP - admin1
User admin1 logs in from the INIT compartment to the mySRP SRP as admin2 with a new login session, where admin2 is configured for compartment login. Create a new RBAC rule to allow user admin1 to use the srp_su command as follows:
1. Create a new hpux.security.srp_su authorization.
# authadm add hpux.security.srp_su
2.
4 Getting Started with SRP
This chapter shows the commands used to manage the lifecycle of a sample SRP compartment. This chapter addresses the following topics: 4.
Step 1: Setting Up SRP In this example, the product has just been installed. The root user runs srp_sys -setup to enable the subsystems managed by SRP. HP requires that you run srp_sys -setup before using the srp utility, but you can run it anytime that you want to change the default parameters for SRP or verify the status of the subsystems configured by SRP. For more information about srp_sys, see 2.1 The srp_sys Utility.
The command output and user input for this example are as follows: # /opt/hpsrp/bin/srp -a mySRP Enter the requested values when prompted, then press return. Enter "?" for help at prompt. Press control-c to exit.
// lock out access to the other compartment's root directory
perm nsearch /var/hpsrp
// open access to compartment root
perm all /var/hpsrp/mySRP
// to DNS
grant bidir udp peer port 53 init
:
:
Step 5: Adding the sshd Template
After you have created a base SRP compartment, you can configure the compartment to host specific services using the -t template_name option.
//
// allow access to the shared sshd files
//
perm nsearch /opt
perm nsearch /opt/ssh
perm nsearch,read /opt/ssh
perm nsearch /var
perm nsearch /var/hpsrp
perm nsearch /var/hpsrp/mySRP
perm nsearch /var/hpsrp/mySRP/opt
perm nsearch /var/hpsrp/mySRP/opt/ssh
perm all /var/hpsrp/mySRP/opt/ssh
//
// add shared rules from the include file at "/opt/hpsrp/etc/cmpt/sshd.srp_incl"
//
#include "/opt/hpsrp/etc/cmpt/sshd.
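In the rule sets above, "perm all" is granted only beneath the compartment home /var/hpsrp/mySRP, while shared trees such as /opt/ssh get nsearch and read. The following shell script is an added example, not part of the guide or the SRP product, that audits a compartment rules file for "perm all" grants reaching outside the compartment home; the function name audit_perm_all and the sample rules file it constructs are assumptions, and the rule syntax it parses is the "perm <access-list> <path>" form shown in the guide.

```shell
#!/bin/sh
# Added example, not from the HP SRP guide: audit a Security Containment
# rules file for "perm all" grants that reach outside the compartment's own
# home directory (/var/hpsrp/<compartment>). The guide's rule sets keep
# "perm all" inside that tree; anything broader widens what a process inside
# the SRP can write or delete and deserves review.
#
# Usage: audit_perm_all RULES_FILE COMPARTMENT
# Prints each out-of-home path once; exit status 0 if none, 1 if any.
audit_perm_all() {
    rules_file=$1
    home="/var/hpsrp/$2"
    found=$(awk -v home="$home" '
        { sub(/\/\/.*/, "") }               # strip // comments
        $1 == "perm" && NF >= 3 {           # perm <access-list> <path>
            n = split($2, acc, ",")
            for (i = 1; i <= n; i++)
                if (acc[i] == "all" && $3 != home && index($3, home "/") != 1)
                    print $3
        }' "$rules_file" | sort -u)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample rules file using the rule syntax shown in the guide.
# The /var/spool grant is deliberately outside the compartment home.
make_sample_rules() {
    cat > "$1" <<'EOF'
// lock out access to the other compartments' root directories
perm nsearch /var/hpsrp
// open access to the compartment root
perm all /var/hpsrp/mySRP
perm nsearch,read /opt/ssh
perm all /var/hpsrp/mySRP/opt/ssh
// broad grant outside the compartment home: the audit reports it
perm read,all /var/spool
grant bidir udp peer port 53 init
EOF
}

tmp=$(mktemp)
make_sample_rules "$tmp"
if audit_perm_all "$tmp" mySRP; then
    echo "no perm all grants outside /var/hpsrp/mySRP"
else
    echo "review the perm all grants listed above"
fi
rm -f "$tmp"
```

Run it against /etc/cmpt/<compartment>.rules after adding a custom template; a non-zero exit status means at least one broad grant lies outside the compartment tree and should be justified before the compartment is started.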
Configure LAN interfaces.................................... [ OK ]
Mounting file systems in /var/hpsrp/mySRP/etc/fstab......... [ OK ]
Starting HP-UX Secure Shell................................. [ OK ]
Step 8: Getting SRP status information
To get the status of an SRP, call the srp command with the -status option. The following command displays the status of the SRP mySRP:
srp -status mySRP
If the SRP name is not specified, the status is displayed for all SRPs configured on the system.
Press return or enter "yes" to make the selected modifications with these values. Do you wish to continue? [yes] replace prm rules succeeded Step 10: Stopping the SRP Compartment To stop an SRP compartment, enter the following command: srp -stop compartment_name stops the SRP compartment by executing the shutdown scripts in the /var/hpsrp/compartment_name/sbin/init.d subdirectories and setting the SRP state to “stopped”.
5 Using the SRP Environment
Once you have created an SRP and started it with the srp -start command, the SRP is available for user sessions and execution of programs. This chapter discusses the following topics:
• 5.1 Establishing a User Session in the SRP
• 5.2 Managing SRP Startup and Shutdown Actions
• 5.3 Deploying Applications in an SRP Environment
5.
performed when the SRP is started or stopped, such as notifying management or auditing systems, or mounting the SRP home directory (/var/hpsrp/srp_name). NOTE: If you are using shared storage to mount the SRP home directory to facilitate cloning of an SRP, consider using the SRP setup script to automatically mount and unmount the SRP home directory.
5.3.3 Deploying Applications with the Application Templates
SRP includes special templates for deploying key applications. The ssh, apache, and tomcat templates fully deploy these applications within the SRP using the shared executable model. The oracledb template configures the SRP for Oracle usage; however, you must first install the Oracle database product on the system in the desired location. Optionally, you may also use the custom template to deploy an Oracle database for your SRP.
Figure 5.1 illustrates the installation rules and file locations. Figure 5.
6 Using the base Template
The base template manages SRP compartment data that is not application-specific. This chapter describes how to use the base template to create a base SRP compartment. You can also use the base template to add additional base services to a compartment or to delete or modify the base services for a compartment. This chapter addresses the following topics:
• 6.1 Creating a Base SRP Compartment
• 6.2 Replacing or Deleting Base SRP Data
6.
6.1.1 The cmpt Service The cmpt Service configures an HP-UX Security Containment compartment, which forms the core of the SRP compartment. You must use the cmpt service when you create an SRP compartment; you cannot create an SRP compartment without the cmpt service. 6.1.1.1 Input Data The cmpt service uses the compartment name specified in the srp command for the Security Containment compartment name. 6.1.1.
• usr
• var
For example, SRP creates a /var/hpsrp/compartment_name/sbin directory with init.d, rc0.d, rc1.d, rc2.d, rc3.d, and rc4.d subdirectories for use by initialization scripts, as described in 12.1 SRP Startup and Shutdown Processing.
6.1.2 The admin Service
The admin service uses the HP-UX Security Containment RBAC and compartment login features to associate an HP-UX user with an RBAC role that has authorization to administer the compartment.
group, use the procedure described in HP Process Resource Manager User's Guide, "Assigning secure compartments to PRM groups."
6.1.3.1 Input Data
SRP prompts for the following data. You can also specify a variable name and value in the command line, as described in 13.1 Creating an SRP Compartment or Adding Data to a Compartment.
PRM Group Name: Name for the PRM group. Variable Name: prm_group_name. Default: The SRP compartment name.
PRM Group Type (FSS or PSET): Specifies the type of PRM group.
physical memory value is specified in megabytes. Variable Name: prm_phys_mem. Default: 0 (no dedicated physical memory). 6.1.3.2 Configuration Data By default, SRP creates a new PRM group using the SRP compartment name as the PRM group name. By default, the PRM group information is stored in the /etc/prmconf file. You can change the filename by running the srp_setup utility, as described in 2 Setting Up an SRP. 6.1.
SRP start time? file(/etc/rc.config.d/netconf or netconf-ipv6) Variable Name: assign_ip Default: (yes) 6.1.4.2 Configuration Data SRP configures IP interface information for the HP-UX Transport subsystem, the initialization and shutdown service, and for the compartment, as described in the sections that follow.
This script also adds or deletes the default gateway route for the compartment interface. This script is executed when the srp -start or srp -stop command is executed for the compartment. By default, it is also executed when the system starts up or shuts down. The /var/hpsrp/compartment_name/sbin/init.d/srp_net file is linked to /var/hpsrp/compartment_name/sbin/init.d/rc2.d/S340srp_net and /var/hpsrp/compartment_name/sbin/init.d/rc1.d/K660srp_net.
You can use the login service to grant non-root users the authorization to log in to the compartment.
6.1.6.1 Input Data
SRP prompts for the following data. You can also specify a variable name and value in the command line, as described in 13.1 Creating an SRP Compartment or Adding Data to a Compartment.
Unix groups for compartment login: Names of the HP-UX user groups, separated by ",", whose members are authorized to log in to the SRP compartment.
Variable Name: ipf_for_ipsec. Valid Input: yes or no. Default: no. 6.1.7.2 Configuration Data If the compartment address is an IPv4 address, SRP adds IPFilter rules to the /etc/opt/ipf/ipf.conf file. If the compartment address is an IPv6 address, SRP adds IPFilter rules to the /etc/opt/ipf/ipf6.conf file. SRP adds the following IPFilter rules for the compartment, where cmpt_address is the compartment IP address: • Rules that allow all TCP, UDP, and ICMP outbound packets from the compartment address.
6.1.8 The ipsec Service The ipsec service configures HP-UX IPSec to encrypt and authenticate IP packets between the compartment IP address and a remote IP address. 6.1.8.1 Input Data SRP prompts for the following data. You can also specify a variable name and value in the command line, as described in 13.1 Creating an SRP Compartment or Adding Data to a Compartment. IPsec peer IP address The destination, or remote IP address for the IPSec policies. Variable Name: ipsec_peer_addr.
The IKE policy specifies parameters used to establish an IKE security association with the specified remote IP address. The authentication method is PSK (preshared key). The default HP-UX IPSec values are used for all other parameters. • An authentication record The authentication record contains the specified remote IP address and preshared key value. The default HP-UX IPSec values are used for all other parameters.
6.2 Replacing or Deleting Base SRP Data Use the following command to replace base template data from an SRP compartment: srp -r[eplace] compartment_name -t base [-s service[,service]...] The srp -replace command deletes the specified data, then prompts you for replacement data.
7 Using the apache Template
This chapter describes how to use the apache template to add configuration data for hosting an HP-UX Apache-based Web Server in an SRP compartment. You can also use the apache template to delete or modify the apache template data for a compartment. This chapter addresses the following topics:
• 7.1 Adding the apache Template to an SRP Compartment
• 7.2 Replacing or Deleting Apache SRP Data
7.
Default: 3.0.
Apache data path: The root directory for Apache data. The cmpt service adds rules to allow the compartment all access to this directory. Users and processes in the SRP compartment can read, write, traverse (nsearch), and delete (ulink) the contents of these directories. Variable Name: data_path. Default: /var/hpsrp/compartment_name/opt/hpws22/apache.
Apache executable path: The root directory for Apache executables.
IPFilter Port Numbers: Specifies the local TCP port numbers for IPFilter rules that allow inbound packets. Variable Name: ipf_tcp_ports. Valid Input: One or more TCP port numbers, each in the range 1-65535, separated by commas. Default: 80,443. These are the IANA registered port numbers for HTTP and HTTPS (SSL).
7.1.2.2 Configuration Data
If the compartment address is an IPv4 address, SRP adds IPFilter rules to the /etc/opt/ipf/ipf.conf file.
Valid Input: A TCP port number in the range 1-65535. Default: 80, the IANA registered port number for HTTP.
Apache HTTPS port number: Specifies the TCP port number on which the compartment Apache server will receive HTTPS (SSL) requests. Variable Name: https_port. Valid Input: A TCP port number in the range 1-65535. Default: 443, the IANA registered port number for HTTPS.
Tomcat AJP port number: Specifies the TCP port number on which the compartment Apache web server will send requests to the Tomcat server.
7.1.3.3 Completing the Configuration
After you apply the apache cmpt service and the default apache provisioning script, you can start the SRP compartment and have a fully functional HP-UX Apache-based Web Server in the compartment. You can further customize the Web Server as needed by editing the compartment-specific Apache configuration files (/var/hpsrp/compartment_name/etc/rc.config.d/hpws22_apacheconf and the compartment-specific apachectl file, located in the bin subdirectory below the data_path).
8 Using the tomcat Template
This chapter describes how to use the tomcat template to add configuration data for hosting an HP-UX Tomcat servlet engine in an SRP compartment. You can also use the tomcat template to delete or modify the tomcat template data for a compartment. This chapter addresses the following topics:
• 8.1 Adding the tomcat Template to an SRP Compartment
• 8.2 Replacing or Deleting Tomcat SRP Data
8.
Variable Name: wss_version. Default: 3.0.
Tomcat data path: The root directory for Tomcat data. The cmpt service adds rules to allow the compartment all access to this directory. Users and processes in the SRP compartment can read, write, traverse (nsearch), and delete (ulink) the contents of these directories. Variable Name: data_path. Default: /var/hpsrp/compartment_name/opt/hpws22/tomcat.
Tomcat executable path: The root directory for Tomcat executables.
Default: 8081.
Tomcat AJP port number: Specifies the TCP port number on which the compartment Tomcat server will receive requests from the Apache web server. Variable Name: ajp_port. Valid Input: A TCP port number in the range 1-65535. Default: 8009.
IPFilter Port Numbers: Specifies the local TCP port numbers for IPFilter rules that allow inbound packets. Variable Name: ipf_tcp_ports. Valid Input: One or more TCP port numbers, each in the range 1-65535, separated by commas.
Variable Name: data_src. Default: /opt/hpws22/tomcat/newconfig.
Tomcat data path: The target directory for the copied Tomcat data. Variable Name: data_path. Default: /var/hpsrp/compartment_name/opt/hpws/tomcat.
Java Home Path: The Java home path. Variable Name: java_path. Default: /opt/java1.5.
Tomcat user name: Specifies the Unix user name under which the Tomcat processes in this compartment will run. Variable Name: user. Default: www.
• Creating compartment-specific initialization scripts and a startup file to start Tomcat with the compartment-specific configuration files when the compartment startup script is executed. The setup script:
o Modifies the initialization scripts to start and stop the Tomcat application as the Tomcat user, and exports the variables that define Tomcat's CATALINA_HOME, CATALINA_BASE, and JAVA_HOME directories.
o Creates the compartment-specific startup configuration file, /var/hpsrp/compartment_name/etc/rc.config.
9 Using the custom Template
The custom template enables you to specify additional Security Containment file access rules and IPFilter rules for an SRP compartment. You can also use the custom template to accommodate additional applications in an SRP compartment, or to add compartment or IPFilter rules to increase security controls for an SRP compartment. You can also use the custom template to delete or modify the custom template data for a compartment. This chapter addresses the following topics: 9.
9.1.1 The cmpt Service The cmpt service for the custom template applies additional compartment rules to your compartment. You can specify a rules file to include and/or specify file system paths to configure for different access types. 9.1.1.1 Input Data SRP prompts for the following data. You can also specify a variable name and value in the command line, as described in 13.1 Creating an SRP Compartment or Adding Data to a Compartment.
Valid Input: One or more TCP port numbers, each in the range 1-65535, separated by commas. Default: None.
IPFilter UDP port numbers: Specifies the local UDP port numbers for IPFilter rules that allow inbound packets. Variable Name: ipf_udp_ports. Valid Input: One or more UDP port numbers, each in the range 1-65535, separated by commas. Default: None.
9.1.2.2 Configuration Data
If the compartment address is an IPv4 address, SRP adds IPFilter rules to the /etc/opt/ipf/ipf.conf file.
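Both the TCP and UDP prompts accept the same value shape: one or more port numbers in 1-65535, separated by commas, and every port listed becomes an inbound allow rule in the compartment's IPFilter configuration. The shell function below is an added example, not part of the guide or the srp utility, that validates such a value before it is supplied on the srp command line; the function name valid_port_list and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not from the HP SRP guide: validate a value for the
# ipf_tcp_ports / ipf_udp_ports variables before handing it to srp.
# Accepts only a non-empty, comma-separated list of integers in 1-65535,
# with no spaces, empty fields or stray commas. Because each accepted port
# becomes an inbound allow rule, a typo here opens a port unintentionally.
# Usage: valid_port_list "80,443"   -> exit 0 if valid, 1 otherwise
valid_port_list() {
    list=$1
    [ -n "$list" ] || { echo "empty port list" >&2; return 1; }
    # a leading, trailing or doubled comma means an empty field
    case "$list" in
        ,*|*,|*,,*) echo "empty field in port list: $list" >&2; return 1 ;;
    esac
    old_ifs=$IFS
    IFS=,
    set -f                          # no filename globbing while splitting
    for p in $list; do
        case "$p" in
            *[!0-9]*) IFS=$old_ifs; set +f
                      echo "not a port number: $p" >&2; return 1 ;;
        esac
        # length check first so oversized digit strings never reach test(1)
        if [ ${#p} -gt 5 ] || [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            IFS=$old_ifs; set +f
            echo "port out of range 1-65535: $p" >&2; return 1
        fi
    done
    IFS=$old_ifs
    set +f
    return 0
}

# Constructed sample values: the guide's defaults plus inputs that must be rejected.
for v in "80,443" "8009" "80, 443" "0,80" "65536" "http" "80,"; do
    if valid_port_list "$v" 2>/dev/null; then
        echo "accepted: $v"
    else
        echo "rejected: $v"
    fi
done
```

Use it in a wrapper script before running srp with ipf_tcp_ports or ipf_udp_ports set; the reason for a rejection is written to standard error.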
The srp -replace command deletes the specified data, then prompts you for replacement data. For example, the following command deletes all the IPFilter data for the custom template added with the id 2008–05–09, then prompts you for replacement data: srp -replace mySRP -t custom -s ipfilter id 2008-05-09 Use the following command to delete custom template data from an SRP compartment: srp -d[elete] compartment_name -t custom [-s service[,service]...
10 Using the oracledb Template
This chapter describes how to use the oracledb template to add configuration data for hosting an Oracle Database Server in an SRP compartment. At the time this document was published, HP had certified this template with the Oracle 10g Database Server. You can also use the oracledb template to delete or modify the oracledb template data for a compartment. 10.
the system. Variable Name: exec_path. Default: /opt/var/hpsrp/compartment_name/opt/u01/home/oracle. Oracle DB data path The root directory for Oracle data. The cmpt service adds rules to allow the compartment all access to this directory. Users and processes in the SRP compartment can read, write, traverse (nsearch), and delete (ulink) the contents of these directories.
10.1.3 The provision Service The provision service executes the script provided to provision (deploy) an admin, login, network service in the SRP compartment. 10.1.3.1 Input Data SRP prompts for the following data. You can also specify a variable name and value in the command line, as described in 13.1 Creating an SRP Compartment or Adding Data to a Compartment. provision script path The provision script to use. Variable Name: script_name. Default: None.
CAUTION: If you do not specify the -template and/or -service arguments, srp deletes all templates and/or services for the compartment. For example, the command srp -delete mySRP deletes the entire mySRP SRP compartment. For more information, see 13.2 Deleting Configuration Data and 13.3 Replacing Configuration Data.
11 Using the sshd Template
This chapter describes how to use the sshd template to add configuration data for hosting an HP-UX Secure Shell daemon (sshd) in an SRP compartment. You can also use the sshd template to delete or modify the sshd template data for a compartment. This chapter addresses the following topics:
• 11.1 Adding the sshd Template to an SRP Compartment
• 11.2 Replacing or Deleting SSHD SRP Data
11.
and key files. Variable Name: data_path. Default: /var/hpsrp/compartment_name/opt/ssh.
sshd executable path: The location of the executables for the HP-UX Secure Shell product. Variable Name: exec_path. Default: /opt/ssh.
11.1.1.2 Configuration Data
SRP adds entries to the rules file for the SRP compartment to authorize read access to exec_path and all access to data_path. SRP also adds entries for other SSH directories by including the rules specified in the /opt/hpsrp/etc/cmpt/sshd.srp_incl file. 11.1.
11.1.3.1 Input Data
SRP prompts for the following data:
sshd data path: Specifies the compartment-specific target directory for sshd configuration and key files. Variable Name: data_path. Default: /var/hpsrp/compartment_name/opt/ssh.
sshd executable path: The location of the executables for the HP-UX Secure Shell product. Variable Name: exec_path. Default: /opt/ssh.
Copy SSH config data from: Specifies the directory from which you want to copy SSH configuration data.
o Creates the compartment-specific startup configuration file, /var/hpsrp/compartment_name/etc/rc.config.d/sshd, which specifies the compartment-specific sshd configuration file as a startup argument for sshd.
o Adds the startup and shutdown script secsh to the compartment-specific init.d directory, /var/hpsrp/compartment_name/sbin/init.d. This file is linked to the /var/hpsrp/compartment_name/sbin/rc2.d/S393secsh and /var/hpsrp/compartment_name/sbin/rc1.d/K393secsh files. 11.1.3.
12 Starting and Stopping SRP Compartments
This chapter describes how to start and stop SRP compartments. For complete syntax information, see srp(1M). This chapter addresses the following topics:
• 12.1 SRP Startup and Shutdown Processing
• 12.2 Starting an SRP Compartment
• 12.3 Stopping an SRP Compartment
12.1 SRP Startup and Shutdown Processing
By default, all SRP compartments are automatically started at system startup time and are automatically stopped at system shutdown time.
• The /sbin/rc3.d/S999srp file is the last or one of the last startup scripts executed when the system transitions from run level 2 to run level 3 (typically at system startup).
• The /sbin/rc2.d/K001srp file is the first or one of the first shutdown scripts executed when the system transitions from run level 3 to run level 2 (typically at system shutdown).
The SRP initialization and shutdown scripts are processed as follows:
• The /sbin/init.d/srp script reads the /etc/rc.config.
13 Managing SRP Data
This chapter describes how to add, update, delete, list, and manage SRP data. For complete syntax information, see srp(1M). This chapter addresses the following topics: 13.1, 13.2, 13.4, 13.5, 13.6, 13.7, 13.8, 13.
network prm
apache cmpt ipfilter provision
custom cmpt ipfilter provision
oracledb cmpt ipfilter
sshd cmpt ipfilter provision
If you specify multiple services, srp processes each service for each template in the order specified. Default: None.
instance: Unique string identifier used to identify an instance of a template usage, for templates that can be applied multiple times. This is valid for the custom template only and is ignored for all other templates.
template: Specifies the template name. If you specify multiple templates, srp processes each template in the order specified. Valid Input: base, apache, tomcat, custom, oracledb, sshd. Default: All templates configured for the SRP compartment.
service: Specifies the name of the service to delete. If you specify multiple services, srp processes each service for each template in the order specified. Default: All services configured for the template.
CAUTION: If you do not specify the -template and/or -service arguments, srp deletes all templates and/or services for the compartment. For example, the command srp -delete mySRP deletes the entire mySRP SRP compartment. 13.4 Displaying Help Text and Input Parameters Use the following command to display srp help text and information about input parameters: srp -h[elp] [-v[erbose] [-t template[,template]...] [-s service[,service]...] Where: -verbose Displays verbose (detailed) help text.
13.7 Listing SRP Configuration Data

Use the following command to list verbose information about compartments. This information includes configuration data.

    srp -l[ist] [compartment_name] -v[erbose] [-t template[,template]...] [-s service[,service]...] [-i[d] instance] [-x[mloutput]]

Where:

compartment_name
    Specifies the name of an existing SRP compartment.
verbose
    Displays verbose (detailed) configuration data.
template
    Specifies the template name.
Where backup_directory is an empty directory.

The srp -Backup command executes the /opt/hpsrp/util/srp_backup script. By default, this script creates copies of the following directories, including all subdirectories and files, and stores them under the specified backup directory:

    /etc/cmpt
    /etc/opt/ipf
    /etc/prmconf
    /etc/rbac
    /etc/rc.config.d/netconf
    /etc/rc.config.d/netconf-ipv6
    /var/adm/ipsec/config.
14 Customizing SRP Data

This chapter describes procedures for customizing SRP data. It addresses the following topics:

• 14.1 Modifying Provision Scripts
• 14.2 Modifying Compartment Rule Include Files
• 14.3 Manually Editing SRP Configuration Data

NOTE: You should run the system administration and performance tools (for example: glance, gpm, kprof, kgmon, ktrace, and caliper) in the INIT compartment

14.
    # cp base.srp_incl myCustom.srp_incl

2. Remove the rules in the original (base.srp_incl) file. This creates an empty Security Compartment rules file. A compartment that uses only this file for its compartment rule set will have no access to any files, system IPC, or network interfaces.

NOTE: Creating an empty Security Compartment rules file for the base template affects all compartments using this file, including those previously created.
The specific tag format for each subsystem is described in the sections that follow.

14.3.1.4 Security Containment Compartment Tag Format

Data is stored in the /etc/cmpt/compartment_name.rules file by default. When SRP adds data, it indicates the start of the data with the following tag:

    //@tag-start compartment="compartment_name" template="template_name" service="cmpt" id="instance";

SRP indicates the end of the data with the following tag:

    //@tag-end;

14.3.1.
• SRP does not add or manage IPv6 route entries.

14.3.1.7 PRM Tag Format

Data is stored in the /etc/prmconf file by default. When SRP adds data, it indicates the start of the data with the following tag:

    #@tag-start compartment="compartment_name" template="base" service="prm" id="instance";

SRP indicates the end of the data with the following tag:

    #@tag-end;

14.3.1.8 IPFilter Tag Format

Data is stored in the /etc/opt/ipf/ipf.conf file for IPv4 addresses and in /etc/opt/ipf/ipf6.conf for IPv6 addresses.
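As an added example (not code from this guide or the SRP product), the following POSIX shell function uses awk to inventory the SRP-managed blocks in a tagged file and to check that the tags pair up. It handles both the //@tag-start form used in /etc/cmpt rules files and the #@tag-start form used in /etc/prmconf, and the sample rules file is constructed here for the demonstration; the attribute names it reads are the ones shown in the tag formats above.

```shell
# Added example (not part of the SRP guide): inventory the SRP-managed
# blocks in a tagged configuration file and check that the tags pair up.
# srp_tagged_blocks FILE [COMPARTMENT] prints "compartment template
# service id line-count" per block (only COMPARTMENT's if given); exits 2
# on a nested tag-start, a tag-end without tag-start, or an unclosed block.
srp_tagged_blocks() {
    awk -v want="${2:-}" '
        # value of name="..." inside a start tag; "-" when absent
        function attr(line, name,    re) {
            re = "[ \t]" name "=\"[^\"]*\""
            if (match(line, re))
                return substr(line, RSTART + length(name) + 3, RLENGTH - length(name) - 4)
            return "-"
        }
        # both comment styles: "//@tag-start" (cmpt rules), "#@tag-start" (prmconf)
        /^[ \t]*(\/\/|#)@tag-start/ {
            if (open) { print "ERROR: nested tag-start at line " NR | "cat 1>&2"; bad = 1 }
            open = 1; n = 0
            c = attr($0, "compartment"); t = attr($0, "template")
            s = attr($0, "service");     i = attr($0, "id")
            next
        }
        /^[ \t]*(\/\/|#)@tag-end/ {
            if (!open) { print "ERROR: tag-end without tag-start at line " NR | "cat 1>&2"; bad = 1 }
            else if (want == "" || c == want) print c, t, s, i, n
            open = 0
            next
        }
        open { n++ }      # count the lines SRP wrote inside the block
        END {
            if (open) { print "ERROR: file ends inside a tagged block" | "cat 1>&2"; bad = 1 }
            if (bad) exit 2
        }' "$1"
}

# Constructed sample in /etc/cmpt rules style (not from a real system).
srp_sample_rules() {
    cat <<'EOF'
perm read /etc/hosts
//@tag-start compartment="mySRP" template="base" service="cmpt" id="1";
discover compartment mySRP {
perm none /var/hpsrp
}
//@tag-end;
//@tag-start compartment="web2" template="apache" service="cmpt" id="1";
perm read /opt/hpws
//@tag-end;
EOF
}
```

Running `srp_sample_rules > /tmp/demo.rules; srp_tagged_blocks /tmp/demo.rules` lists one line per block, and pointing it at a live /etc/cmpt/compartment_name.rules or /etc/prmconf shows which blocks SRP owns before you edit the file by hand.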
15 Exporting and Importing SRPs

You can export and import an SRP across systems by using the srp -export and srp -import commands. These commands allow you to accomplish the following:

• Create a clone of an SRP on a secondary system for high availability or load balancing purposes.
• Migrate an SRP across systems: export and import an SRP, then delete the original SRP.
• Create a copy of an SRP for archival purposes. Similarly, an SRP can be taken offline by exporting it and then deleting the original SRP.
15.2 Using the srp -import Command

The srp -import command imports the SRP contained in the specified exchange file. The exchange file contains the previously exported SRP's configuration and possibly any directories that were specified for export. The srp -import command validates that the target system can accept the exchange file, then configures the new SRP. You can only import an SRP that does not already exist on the target system.

NOTE:
• An imported SRP will not be automatically started at system boot time. Refer to 6.1.5.
the SRP, you will not need to export and import file sets, and the data between SRPs will remain consistent.

• Keep files and directories used by the SRP within the SRP home directory. Locating files within the SRP home directory (/var/hpsrp/) will simplify exporting or mounting SRP file sets.
16 Using Serviceguard with SRP Serviceguard allows you to create high availability clusters of HP 9000 or HP Integrity Servers. A high availability computer system allows application services to continue in spite of a hardware or software failure. Highly available systems protect users from software failures as well as from failure of a system processing unit (SPU), disk, or local area network (LAN) component. In the event that one component fails, the redundant component takes over.
2. Select which application will have control

Determine whether SRP or Serviceguard will control the mounting of file systems and management of the network interface, as follows:

• If you selected the classic model in step 1, HP recommends using Serviceguard to control the mounting of file systems and management of the network interface.
• If you selected the SRP package model in step 1, HP recommends using SRP to control the mounting of file systems and management of the network interface.
following example, the representative Serviceguard package was modified to add a default route through an external_script entry:

Before:

    # SG ip address
    ip_subnet   192.10.25.0
    ip_address  192.10.25.12

After:

    # SG ip address
    ip_subnet   192.10.25.0
    ip_address  192.10.25.12
    # srp_route_script configures the required source based routing entries for
    # the SG managed IP addresses
    external_script /etc/cmcluster/pkg1/srp_route_script

See Appendix B SRP Serviceguard Default Route Script for an example of the srp_route_script script.
17 Verifying and Troubleshooting SRP

This chapter contains procedures for verifying and troubleshooting SRP. It addresses the following topics:

• 17.1 Verification Procedures
• 17.2 Troubleshooting Procedures
• 17.3 Reporting Problems

NOTE: You can run system administration and performance tools (such as glance, gpm, kprof, kgmon, ktrace, and caliper) in the INIT compartment.

17.
Use the getprocxsec -c pid command to verify the compartment in which the process is running. For example:

    # getprocxsec -c 968
    cmpt= SRP2

• If an application is failing in a compartment and you want to determine whether it is failing because of Security Containment rules, you can use the HP-UX audit utility to configure auditing and view the audit records to see whether operations are failing because of permission problems.
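As an added example (not code from this guide or the SRP product), the following POSIX shell functions wrap getprocxsec -c so that a whole list of PIDs can be checked against the compartment they are expected to run in, which is a quick way to confirm that a service's processes are actually confined. The GETPROCXSEC override hook and the handling of the "cmpt= NAME" output line are assumptions made here so the check can be exercised on a host without SRP.

```shell
# Added example (not part of the SRP guide): check that a set of processes
# runs in the expected SRP compartment, using "getprocxsec -c PID", which
# prints a "cmpt= NAME" line as shown above. GETPROCXSEC is an assumed
# override hook so the parsing can be exercised on a host without SRP.
GETPROCXSEC="${GETPROCXSEC:-getprocxsec}"

# srp_cmpt_of_pid PID: print the compartment name, or "-" if it cannot
# be determined (no such process, tool missing, or unexpected output).
srp_cmpt_of_pid() {
    "$GETPROCXSEC" -c "$1" 2>/dev/null | awk '
        $1 == "cmpt=" && NF >= 2 { print $2; found = 1; exit }   # "cmpt= SRP2"
        $1 ~ /^cmpt=./           { sub(/^cmpt=/, "", $1); print $1; found = 1; exit }
        END { if (!found) print "-" }'
}

# srp_check_compartment EXPECTED PID...: print "PID ACTUAL" for every PID
# that is not confined to EXPECTED; return 1 if any such PID was found.
srp_check_compartment() {
    expected="$1"; shift
    rc=0
    for pid in "$@"; do
        actual=$(srp_cmpt_of_pid "$pid")
        if [ "$actual" != "$expected" ]; then
            echo "$pid $actual"
            rc=1
        fi
    done
    return $rc
}
```

On an SRP host, `srp_check_compartment SRP2 $(pgrep -f httpd)` would list any httpd process that is not running inside the SRP2 compartment.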
For example, the prmlist -g -s command displays configuration information for PRM groups (-g) and the PRM group for each Security Containment compartment (-s):

    # prmlist -g -s
    PRM configured from file:  /etc/prmconf
    File last modified:        Tue Oct 14 12:57:58 2008

                                  CPU         CPU   LCPU
    PRM Group        PRMID  Entitlement   Max   Attr
    __________________________________________________________________
    EntDir               2       29.17%   80%
    MktDB            65536       12.50%
    MktWeb               3       21.88%   45%
    OTHERS               1       21.88%
    SRP2                 4       14.
If an SRP compartment is up and has a dedicated IP interface, the netstat -rn command shows a default route entry with the compartment IP address (192.0.2.1) as the gateway. For example:

    # netstat -rn
    Routing tables
    Destination   Gateway     Flags  Refs  Interface  Pmtu
    :
    :
    default       192.0.2.1   U      0     lan1:1     1500

17.1.6 Verifying IPFilter Data

Use the following ipfstat command to view the active (loaded) inbound and outbound IPFilter rules:

    ipfstat -io

For example:

    # ipfstat -io
    pass out quick proto tcp from 192.0.2.
The output should include an IKE policy with the name SRP-compartment_name-base-1. For example:

    auth SRP-web2-base-1 -remote 10.2.2.2/32 -preshared myPresharedKey -exchange MM

• You can also use the ipsec_policy utility to verify the IPSec host rule selected for a packet from the peer address. In the following example, the SRP compartment address is 192.0.2.1 and the peer address is 10.2.2.2.
the compartment for all access. For example:

    discover compartment mySRP {
    :
    :

3. Start the SRP compartment:

    srp -start compartment_name

4. Attempt to access the compartment applications. After you successfully access the applications, enter the following command to generate a machine readable version of the rules used to access the compartment:

    getrules -m compartment_name

5. Compare the output from the getrules command with the compartment rules file and make the necessary changes.

6.
17.3 Reporting Problems

If you are unable to solve a problem with SRP, complete the following steps:

1. Read any published release notes for SRP to see if the problem is known. If it is a known issue, use the prescribed solution.
2. Determine whether the product is still under warranty or whether your company purchased support services for the product. Your operations manager can supply you with the necessary information.
3. Access http://www.itrc.hp.
Appendix A Configuration Example

This appendix includes a sample SRP compartment configuration.

A.1 Sample Base Configuration

This example shows the system configuration created for a sample compartment.

    # /opt/hpsrp/bin/srp -list mySRP -verbose
    Compartment: mySRP   Template: base   Service: cmpt
    ----------------------------------------------------------------------
    Compartment Configuration (/etc/cmpt/mySRP.
    SRP init service:
    //etc/rc.config.d/srpconf:
    SRP_NAME[1]="mySRP"
    //etc/rc.config.
    ********************************************************************** */

    /* **********************************************************************
     * privileges
     ********************************************************************** */
    disallowed privileges none

    /* **********************************************************************
     * ipc/fifo/uxsock to init compartment
     ********************************************************************** */
    access ipc, fifo, uxsock init

    /* ********************************
    perm read /dev/kepd

    /* **********************************************************************
     * narrow down on /var:
     ********************************************************************** */
    perm none /var/hpsrp            // SRP compartment root
    perm read /var/opt/hpcmgr
    perm read /var/opt/hpsrp

    /* **********************************************************************
     * narrow down on /etc:
     ********************************************************************** */
    perm read /etc/opt/hpsrp        // managed by srp
    perm read
Appendix B SRP Serviceguard Default Route Script

The following script can be used by a Serviceguard package to assign a default route for an IP address associated with an SRP. This script is included with the SRP Serviceguard Reference Implementation and is installed with the SRP product at:

    /opt/hpsrp/example/serviceguard/srp_as_sg_package/srp_route_script

    # Copyright (c) 2009 Hewlett-Packard Development Company L.P.
    ###################################################################
    #
    # Get the SRP environment from "/etc/cmcluster/hpsrp//srp_script.incl"
    #
    # Environment variable example: use a local gateway on the host
    # SRP_SG_MANAGED_IP[0]="192.0.0.99"
    # SRP_SG_GATEWAY[0]="192.0.0.99"
    #
    # Environment variable example: use a remote gateway
    # SRP_SG_MANAGED_IP[1]="10.1.1.99"
    # SRP_SG_GATEWAY[1]="10.1.1.1"
    #
    ###################################################################
    . `dirname $0`/srp_script.
    function srp_route_delete
    {
        # run 'route' command for each IP address
        rval=0
        index=0
        last_index=${#SRP_SG_MANAGED_IP[@]}
        while [ "$index" -lt "$last_index" ]
        do
            srp_ip="${SRP_SG_MANAGED_IP[$index]}"
            srp_gateway="${SRP_SG_GATEWAY[$index]}";
            if [ -z "$srp_ip" ]        # skip empty slot in the array
            then
                let index=$index+1
                let last_index=$last_index+1
                continue
            fi
            if [ "$srp_ip" = "$srp_gateway" ]
            then
                # use local IP as gateway
                emsg=$(/usr/sbin/route delete default $srp_gateway 0 \
                       source $srp_ip 2>&1)
            else
                # use remo
        stop)
            srp_route_delete
            exit_val=$?
            ;;
        validate)
            exit_val=0
            ;;
        *)
            sg_log 0 "INFO: Unknown operation: $1"
            ;;
    esac
    exit $exit_val
Technology for better business outcomes © Copyright 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.