HP Cache Server Appliance Administrator Guide

82
Chapter 11 Security Options
To use the ARM security feature, you must do the following in the order listed:
Edit the arm_security.config file to open specific ports and define the hosts that are allowed to communicate with the Traffic Server machine.
Enable the ARM security option.
To edit the arm_security.config file and enable the ARM security option:
1. Telnet into the HP web cache appliance and select Shell Access as described in Overview of Access Methods, on page 7. (Use ssh instead where it is available: telnet sends the login and password in cleartext.)
2. Open the arm_security.config file located in Traffic Server's config directory with Vi.
3. Add open, allow, and deny rules to define which ports you want to remain open and which hosts are allowed to communicate with Traffic Server.
Each rule must have one of the following formats:
open tcp|udp ports o_ports
deny tcp|udp dport d_ports src src_IP_addresses
allow tcp|udp dport d_ports src src_IP_addresses
where:
o_ports is the port, or series of ports separated by spaces, that you want to remain open. An open rule has no src part, so it admits traffic from any source.
d_ports is the destination port, or series of destination ports separated by spaces, through which TCP or UDP traffic should either be allowed or denied.
src_IP_addresses is the IP address or range of IP addresses specifying the source of the communication. A range is written as two addresses joined by a hyphen, as in the example below.
You may also want to open the NFS and DNS ports, if required.
The following example rules specify that ports 119, 23, and 554 are to remain open for TCP communication and that hosts 1.1.1.1 through 1.1.1.7 are allowed access to destination port 80. However, the host 11.11.11.11 is denied access to destination port 80. Every allow and deny rule carries the src keyword before the source address, as required by the formats above.
open tcp ports 119 23 554
allow tcp dport 80 src 1.1.1.1-1.1.1.7
deny tcp dport 80 src 11.11.11.11
Because this example opens port 23, a telnet session survives enabling ARM security; note, however, that the open rule leaves telnet reachable from any source. To limit management access to your own hosts, use an allow rule with a src range for the telnet or ssh port instead.
For more information about the format of the arm_security.config file and additional options that can be used, refer to arm_security.config, on page 160.
4. Save and close the arm_security.config file.
5. Run the command traffic_line -x to apply the configuration changes.
IMPORTANT By default, the arm_security.config file specifies that all ports on the Traffic Server machine are closed (including telnet) except port 8080, which remains open to allow Traffic Server to continue functioning normally. If you enable the ARM security option with the default arm_security.config file, you will be locked out of the system. Before you enable the ARM security option, ensure that you either have console access to the Traffic Server machine, or have added the appropriate rules to the arm_security.config file to allow telnet or ssh access for yourself. Check the file for such a rule before running traffic_line -x, not after: once the configuration is applied, a missing rule can only be corrected from the console.
NOTE If the Traffic Server machine is part of a cluster, ensure that port 90 is open for UDP traffic and include allow rules for UDP destination port 90 from every other machine in the cluster; otherwise the cluster members can no longer communicate with this machine once ARM security is enabled.
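The following shell script is an added example, not HP or Traffic Server code, that performs the pre-flight check the IMPORTANT note above asks for before step 5 (traffic_line -x): it validates every line of arm_security.config against the rule formats given in step 3, refuses to apply the file if no rule keeps a management port reachable, and shows the cluster rules from the NOTE in a sample file. The sample configurations are constructed for the demonstration; the ssh port (tcp/22), the telnet port (tcp/23), "#" as a comment marker, the admin and cluster address ranges, and traffic_line being on the PATH are all assumptions.

```shell
#!/bin/sh
# Added example (not HP or Traffic Server code): pre-flight checks for
# arm_security.config before "traffic_line -x". Rule grammar from the guide:
#   open  tcp|udp ports <port> [<port> ...]
#   allow tcp|udp dport <port> [<port> ...] src <ip | ip-ip>
#   deny  tcp|udp dport <port> [<port> ...] src <ip | ip-ip>
# Assumptions: ssh on tcp/22, telnet on tcp/23, "#" starts a comment,
# and the script is run from Traffic Server's config directory.

# Print every line that does not match the grammar above; exit 1 if any is found.
arm_syntax_errors() {
    awk '
        function ports_ok(from, to,   i) {
            if (from > to) return 0
            for (i = from; i <= to; i++) if ($i !~ /^[0-9]+$/) return 0
            return 1
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comment or blank line
        $1 == "open" && ($2 == "tcp" || $2 == "udp") &&
            $3 == "ports" && ports_ok(4, NF) { next }
        ($1 == "allow" || $1 == "deny") && ($2 == "tcp" || $2 == "udp") &&
            $3 == "dport" && NF >= 6 && $(NF-1) == "src" &&
            ports_ok(4, NF-2) && $NF ~ /^[0-9.]+(-[0-9.]+)?$/ { next }
        { print FILENAME ":" NR ": malformed rule: " $0; bad = 1 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Exit 0 if some rule keeps a management port reachable: an "open tcp ports"
# list or an "allow tcp dport ... src" rule naming one of the ports in $2
# (default "22 23", i.e. ssh or telnet). Deny rules never count.
arm_mgmt_rule_present() {
    awk -v mgmt="${2:-22 23}" '
        BEGIN { n = split(mgmt, m, " ") }
        function is_mgmt(p,   j) { for (j = 1; j <= n; j++) if (p == m[j]) return 1; return 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "open" && $2 == "tcp" && $3 == "ports" {
            for (i = 4; i <= NF; i++) if (is_mgmt($i)) found = 1
        }
        $1 == "allow" && $2 == "tcp" && $3 == "dport" {
            for (i = 4; i <= NF && $i != "src"; i++) if (is_mgmt($i)) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Step 5 of the procedure, guarded: apply the rules only when both checks pass.
arm_apply() {
    cfg="${1:-arm_security.config}"
    arm_syntax_errors "$cfg" || { echo "not applying: fix the rules listed above" >&2; return 1; }
    arm_mgmt_rule_present "$cfg" || {
        echo "not applying: no rule keeps ssh/telnet reachable, you would be locked out" >&2
        return 1
    }
    traffic_line -x
}

# Constructed sample files (not from the guide) to exercise the checks.
ARM_DEMO_DIR="$(mktemp -d)"
cat > "$ARM_DEMO_DIR/good.config" <<'EOF'
# proxy port kept open, guide's example rules, ssh from an assumed admin
# range, and the cluster port 90 rules from the NOTE
open tcp ports 8080
open tcp ports 119 23 554
allow tcp dport 80 src 1.1.1.1-1.1.1.7
deny tcp dport 80 src 11.11.11.11
allow tcp dport 22 src 10.0.0.1-10.0.0.254
open udp ports 90
allow udp dport 90 src 10.0.1.1-10.0.1.4
EOF
cat > "$ARM_DEMO_DIR/bad.config" <<'EOF'
# default-like file (only 8080 open) plus a deny rule missing the src keyword
open tcp ports 8080
deny tcp dport 80 11.11.11.11
EOF

if arm_syntax_errors "$ARM_DEMO_DIR/good.config" && arm_mgmt_rule_present "$ARM_DEMO_DIR/good.config"; then
    echo "good.config: passes both checks, safe to run arm_apply on it"
fi
arm_syntax_errors "$ARM_DEMO_DIR/bad.config" || echo "bad.config: rejected (malformed rule)"
arm_mgmt_rule_present "$ARM_DEMO_DIR/bad.config" || echo "bad.config: would lock you out"
```

Run it as a normal user first to see the two sample files checked; on the appliance, call arm_apply on the real file from the config directory, so that the lockout check runs immediately before traffic_line -x. Pass a second argument to arm_mgmt_rule_present if your ssh daemon listens on a port other than 22.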