Managing HP Servers through Firewalls with Insight Management 7.0 White Paper Table of Contents Abstract .............................................................................................................................................. 3 Acronyms in text .................................................................................................................................. 3 Introduction ......................................................................................................................................... 5 HP management products ..................................................................................................................... 6 Case 1: Management protocols banned from DMZ ................................................................................. 6 Asset management ........................................................................................................................... 6 Fault management ............................................................................................................................ 7 Deployment and Migration ................................................................................................................ 7 Integrate ......................................................................................................................................... 7 Control ........................................................................................................................................... 7 Case 2: Separate management network ................................................................................................. 7 Asset Management........................................................................................................................... 9 Fault Management ........................................................................................................................... 9 Deployment and Migration ................................................................................................................ 9 Integrate ......................................................................................................................................... 9 Control ........................................................................................................................................... 9 Case 3: Managing through a firewall using a single network .................................................................. 10 Asset Management......................................................................................................................... 10 SNMP ....................................................................................................................................... 11 DMI .......................................................................................................................................... 12 WBEM ...................................................................................................................................... 12 WMI ......................................................................................................................................... 12 WS-MAN .................................................................................................................................. 13 SSH .......................................................................................................................................... 13 Fault management .......................................................................................................................... 13 Deployment and Migration .............................................................................................................. 14 Control ......................................................................................................................................... 14 Integrate ....................................................................................................................................... 14 Control ......................................................................................................................................... 14 Configuration Management............................................................................................................. 15 Version Control .......................................................................................................................... 17 Replicate Agent Settings .............................................................................................................. 17 SSH .......................................................................................................................................... 17 Best Practices ................................................................................................................................. 17 HP Insight Management Installer ...................................................................................................... 18 HP Systems Insight Manager ........................................................................................................ 18 HP Insight Control....................................................................................................................... 18 HP Matrix Operating Environment ................................................................................................ 18 HP Insight Management Installer Ports............................................................................................... 18 HP Smart Update Manager Ports ..................................................................................................... 21 HP Insight Control for VCenter Ports ................................................................................................. 23 HP Onboard Administrator Ports ...................................................................................................... 24 HP Virtual Connect Manager Ports ................................................................................................... 24 Policies required for IM DVD Installation ........................................................................................... 25 Additional policies required for proper operations of the system .......................................................... 25 Conclusion ........................................................................................................................................ 26 Appendix A: Configuring a separate management network .................................................................... 27 Appendix B: Modifying default ports .................................................................................................... 28 For more information .......................................................................................................................... 29 Call to action .................................................................................................................................... 29 Abstract This paper identifies possible ways of managing HP servers with HP Insight Management deployed in the area of the network that is considered more secure than the standard production network. This is not a best practices document. This document provides information that can enable system administrators to create management solutions appropriate for specific computing environments. Insight Control is a product in the HP Insight Management family of products that can be downloaded from the Internet. Insight Control is installed through the HP Insight Management Installer wizard, which integrates the installation and upgrade of all Insight Management products. Acronyms in text The following acronyms are used in the text of this document. Acronym Acronym expansion CLP Command Line Protocol CMS Central Management Server CIM Common Information Model DIMM Dual inline memory module DCOM Distributed Component Object Model DMTF Distributed Management Task Force HP SIM HP Systems Insight Manager HTTP Hyper Text Transport Protocol HTTPS Hypertext Transfer Protocol over Secure Socket Layer ICMP Internet Control Message Protocol. IETF Internet Engineering Task Force iLO 2 Integrated Lights-Out 2 IPMI Intelligent Platform Management Interface MIB Management Information Base OS Operating System RMCP Remote Management Control Protocol RPC Remote procedure call SSH Secure Shell SSL Secure Socket Layer SM CLP Server Management Command Line Protocol SMASH Systems Management Architecture for Server Hardware SMI-S Server Management Initiative – Specification SMTP Simple Mail Transfer Protocol 3 SNMP Simple Network Management Protocol TCP/IP Transmission Control Protocol / Internet Protocol UDP User Datagram Protocol WBEM Web-Based Enterprise Management WMI Windows Management Instrumentation WS-Management Web Services for Management XML Extensible Markup Language 4 Introduction Managing systems in a secure environment is a challenge that most system administrators face. It requires a careful balance between critical security requirements and the need to effectively manage and maintain the systems. Within Internet connected architecture, there is typically a more secure zone, commonly referred to as the demilitarized zone (DMZ). This zone is positioned between the corporate servers and the Internet, usually separated from both by firewalls that restrict traffic flow. With this architecture, servers that provide publicly available Internet services can be accessed through a firewall, but these services are inaccessible on the internal network. This more secure zone provides an area that is isolated from the internal network and is hardened against external attack (Figure 1). The security challenges in the DMZ are similar to those in other areas of a network that require special security attention. Figure 1 Block diagram of a generic corporate computing environment Through three sample case studies, this paper explores options for managing HP systems in the DMZ. It explains the benefits and risks associated with each option. Information in this paper should allow system administrators to tailor solutions for their own computing environments, based on the levels of management they need and the security risk level they are willing to take. In Case 1, the majority of management protocols are prohibited from the secure network, and the management solution will not be allowed to violate any security restrictions. This solution is not recommended, as the administrator is incapable of managing the hardware in the DMZ. It completely eliminates the use of HP management tools such as HP Insight Control. In Case 2, a completely separate network is used for management. This solution has the benefit of completely segregating management traffic from the primary network and allowing a full spectrum of management capabilities (because management protocols can enter through the firewall). However, it is the most expensive option in terms of hardware and infrastructure costs. While it does increase cost due to additional hardware and infrastructure, this option allows the use of iLO 2 to securely manage hardware in the DMZ. Of the two options providing management capabilities in the DMZ (case 2 and 3), this one has the least risk of hackers or security breaches. In Case 3, management protocols are allowed and management traffic is permitted to travel through the firewall to HP Insight Control. This results in a fully featured management solution at a measured risk. Because the infrastructure uses a single network for both management and production traffic, this option does increase the risk from hackers or security breaches. The intended audience for this paper is engineers and system administrators familiar with existing HP technology and servers. The paper does not attempt to define and explain all the security concepts and topics mentioned. Instead, it refers readers to resources containing that information. 5 HP management products The following HP products are possible management options for HP servers deployed in the DMZ: • HP Insight Control Environment (ICE)-Linux • HP System Management Homepage (SMH) • HP Insight Management Agents (Agents) • HP Insight Management WBEM Providers for Windows (Insight Providers) • HP Infrastructure Orchestration (HPIO) • HP Insight Control Power Management (ICPM) • HP Smart Update Manager (HP SUM) • HP Systems Insight Manager (HP SIM) • HP WEBM Services for HP-UX • HP Insight Control performance management • HP Insight Control Server Deployment (ICSD) • HP Insight Control server migration • HP Version Control Agent (VCA) • HP Version Control Repository Manager (VCRM) • HP Insight Control virtual machine management • HP Virtual Server Environment (VSE) • HP Vulnerability and Patch Management Pack (VPM) • HP Management processors such as Integrated Lights-Out 2 (iLO 2) • HP Insight Control for VMware vCenter Server • HP Onboard Administrator (OA) • HP Virtual Connect Manager (VCM) For information about these HP management products, see the “For more information” section at the end of this paper. Appendix A: Configuring a separate management network gives port information related to these products. Case 1: Management protocols banned from DMZ In some computing environments, IT security policies restrict management protocols in the secure environment. Security policies may or may not permit other protocols (such as email or file sharing) in the DMZ. An acceptable management solution must conform to security restrictions of the environment. Even if active management is not possible, some management information can flow from managed devices in such an environment. Either SNMP or WBEM/WMI can be used to manage ProLiant servers. These can be configured to prevent access from off the platform. For information on how to configure SNMP or WBEM, see the documentation for your operating system. Asset management In this type of computing environment, administrators can collect system asset information from a ProLiant server in the DMZ as long as the Agents or WBEM providers are running and an application is running that can get the data locally. For example, Microsoft Systems Management Server can get asset information from the Agents and transfer that information to its central server through the 6 operating system file share. As a second option, administrators can browse to the web-based System Management Homepage (https://servername:2381/) and manually view the asset information. Fault management Administrators can configure ProLiant servers to send an email (through SMTP) when a hardware problem occurs. In Microsoft Windows operating systems, the Agent Event Notifier provides this optional feature. Administrators can set up and configure the Agent Event Notifier during the agent deployment. In Linux operating systems, if a hardware problem occurs, emails are automatically sent to the root email on the managed system. The Insight Agents for Microsoft Windows also create Windows Event Log entries. A management tool such as HP OpenView Operations or Microsoft Operations Manager operating in the same environment can then collect the log entries and send them back to a centralized server. The Insight Agents for Linux also create entries in the syslog. Administrators can write a script to look for these entries and take appropriate action. Deployment and Migration With HP Insight Control installed managing, deploying Hardware and migration will be a difficult task for the administrators. As, the protocols inside the secure area (DMZ) are banned, we need to disable or allow the protocols within the Intranet, which is not suggestible. Integrate Create templates with detailed requirements (server, storage, networks) for simple or complex infrastructure needs using visual drag-and-drop design tool. Users select from a catalog of published infrastructure templates in the self-service portal, which routes the requests through a configurable approval process. The network resource has to be available to the administrator and protocols have to work fine in order to establish communication. Here security will be primary concern if we want to integrate, as the firewall rules have to loosen. Control HP Insight Control gives you more from every dollar, hour, and watt invested in your ProLiant servers. With Insight Control and related services, you can deploy new ProLiant servers quickly and reliably, catalog your environment accurately, proactively monitor server health to pinpoint failures before they result in unplanned downtime, manage ProLiant servers remotely from any location, and optimize power usage confidently. As a result, you can reduce unplanned downtime and deliver stable IT services to your line-of-business (LOB) users. In this case, we need to disable or allow the protocols within the Intranet and Internet or VPN. The Insight Agents for Microsoft Windows also create Windows Event Log entries. A management tool such as HP OpenView Operations or Microsoft Operations Manager operating in the same environment can then collect the log entries and send them back to a centralized server. The Insight Agents for Linux also create entries in the syslog. Administrators can write a script to look for these entries and take appropriate action Case 2: Separate management network In some computing environments, system administrators create a separate, secondary network parallel to the primary or production network (Figure 2). The chief benefit to this approach is that management traffic flows through the secondary network, while the limited access from the production 7 (primary) network maintains security. Configuring a separate management network using HP Systems Insight Manager allows secure access to the systems in the DMZ. The secondary network can also be used for other operations that would be inappropriate for the primary network, such as tape backups, deployments using Insight Control Server Deployment, or application maintenance. Note: Do not connect the management network to the corporate (internal) network. Compromising one of the systems in the DMZ could allow a hacker to get onto the management network. However, it may be beneficial to allow VPN access to the management network. Figure 2 Parallel primary (production) and secondary (management) networks Servers inside the DMZ and on the internal network can use iLO 2 processors. Because the network connection to iLO 2 is completely isolated from the network ports on the server, there is no possibility for data to flow from the DMZ network to the iLO management network, or vice-versa. Therefore, if anyone compromises the DMZ network, he or she cannot compromise the iLO network. This architecture permits administrators to use iLO on servers located in the DMZ, or in the internal network, without the risk of compromising sensitive data. This separation is accomplished through the use of a dedicated NIC or the iLO 2 Shared Network Port with its Virtual Local Area Network. For more information, see the paper titled HP Integrated Lights-Out security technology available at http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00212796/c00212796.pdf. For best protection of the servers operating inside the DMZ, administrators should set the SNMP trap destinations to the loop back address and enable the SNMP pass-through in iLO 2 so that SNMP traps are routed onto the iLO management network. While this SNMP pass-through option does not enable all management functions, it allows for passing status, inventory, and fault information to HP Systems Insight Manager or another SNMP-capable management application. This option has the benefit of being very secure because the host operating system does not recognize the Lights-Out product as a NIC. 8 Asset Management With HP Systems Insight Manager installed on the secondary management network, system administrators can collect system asset information from a ProLiant server on that management network through the iLO 2 pass-through. As a second option, administrators can browse to the System Management Homepage (https://servername:2381/) and manually view the asset information. Appendix A: Configuring a separate management network describes the procedure for configuring a separate management network. When using SNMP management protocols, SNMP should be configured to accept packets only from the IP addresses used on the management network, or SNMP should be bound to the secondary network interface (if the operating system allows this). The HP Insight Management Agents should be configured to allow access only from IP addresses on the management network. HP Systems Insight Manager should be configured to discover the systems on the secondary network. WMI and WBEM can be disabled on the primary network by configuring a firewall on the system to disable each of the protocols on the primary NIC. Fault Management SNMP traps can be forwarded through the Lights-Out interface on ProLiant servers. This allows full fault management data to flow into HP Systems Insight Manager or another management product (such as HP OpenView Network Node Manager). The Insight Agents for Microsoft Windows also create Windows Event Log entries. A management tool such as HP OpenView Operations or Microsoft Operations Manager operating in the same environment can then collect the log entries and send them back to a centralized server. The Insight Agents for Linux also create entries in the syslog. Administrators can write a script to look for these entries and take appropriate action. Deployment and Migration In this type of computing environment, administrators can collect network resource information from a gateway which is connected to the intranet in the DMZ through bypassing it from the firewall. Managing, deploying Hardware and migration will be a smooth task for the administrators. Integrate Key integrations are provided through HP Insight Control for Microsoft System Center and HP Insight Control for VMware vCenter Server. The Insight control Agents for Microsoft Windows also create Windows Event Log entries. The Microsoft System Center integration supports OS deployment and updates, HP ProLiant and Blade System management and alerting, proactive virtual machine management, and enhanced inventory reporting. The integration happens with the secondary network which is connected to the network resources. Control Insight Control provides single-console integration with the leading management applications. Insight Control for VMware vCenter Server delivers powerful HP hardware management capabilities to virtualization administrators without ever having to leave the vCenter console. The benefit to this approach is that management traffic flows through the secondary network, while the limited access from the production (primary) network maintains security. We doesn’t require the need of disabling the firewall rules 9 Case 3: Managing through a firewall using a single network In other computing environments, a firewall commonly separates the central management server (CMS) and the managed server. In such an environment (Figure 3), two networks are given different levels of trust. For example, the managed server may be in a DMZ, while the CMS resides in a more trusted portion of the intranet. The firewall is used to control traffic between these two networks. The firewall permits the exchange of only specific types of traffic between specific systems. In some situations, the firewall may simply restrict communication between specific IP addresses. For example, the firewall may allow the exchange of any IP packets between the managed system and the CMS. However, because host names and IP addresses can be spoofed, a higher level of restriction can be imposed through the firewall; that is, the firewall can permit only non-spoofable protocols. In this case study, we assume that the firewall is configured to allow only requests from the CMS to the managed server and returned responses. Typically, this means the firewall will not permit UDP traffic, as connectionless protocols cannot easily be configured to block incoming packets. Only specific TCP ports will be opened, and they will possibly be filtered for certain types of traffic. Figure 3 Firewall separating central management server from managed server Asset Management HP Insight Management provides asset management services by first discovering and identifying the managed systems, gathering data from instrumentation running on each managed system, storing this data in a SQL database, and finally providing reporting capabilities on this gathered data. These steps require communication between the CMS and managed system as described in the following paragraphs. First the managed systems and the instrumentation running on them must be identified. HP Insight Management offers an automatic discovery mechanism using IP ping sweep, or administrators can manually add systems by name or address. In either case, the CMS will attempt to contact the managed system using a ping; if this fails, then no further requests will be sent to the system. HP Insight Management normally uses an ICMP echo to ping a system; however, some network administrators turn off ICMP through firewalls. In this situation, the administrator can configure HP Insight Management to use a TCP port to ping systems. Port 80 is used by default, but an alternative port may be specified in a configuration file. The target system need not be actively listening to the chosen port, but the firewall must be configured to allow these requests to pass. 10 Next, the CMS will attempt to identify a number of management protocols such as SNMP, HTTP, and WBEM. The protocols used for asset management depend on the types of systems being managed (Table 1): • ProLiant servers provide management data through SNMP, giving complete coverage of the hardware instrumentation. Integrity servers running Windows also provide this SNMP instrumentation. • ProLiant and Integrity servers running Microsoft Windows 2003 or 2008 also expose much data through the Insight Providers and WMI. The HP Insight Providers include server providers (information about processors, memory, peripheral devices, computer system information, and sensor information); network providers (network controller information and indications); and storage providers (storage controller information and indications). WMI on Integrity currently does not cover detailed hardware information such as controllers, DIMMs, and physical disks. • ProLiant and Integrity servers running Linux may also provide management data through WBEM. While that data is not currently as rich as the SNMP information, WBEM provides basic hardware and operating system information today. WEBM will be expanded to provide full instrumentation in future. • HP 9000 and Integrity servers running HP-UX provide management data with WBEM. HP recommends WBEM for asset management and makes it available on 11.x versions of HP-UX. (These systems also support SNMP, but SNMP is not required for asset management.) Table 1 Protocols used for asset management of industry-standard servers Server OS ProLiant SNMP WBEM WMI Windows Y Y1 Y ProLiant Linux Y Y HP 9000 HP-UX Y2 Y (11.x) HP Integrity HP-UX Y2 Y HP Integrity Linux Y Y HP Integrity Windows Y Y1 Other devices 1 When WMI mapper is installed 2 Not required for asset management Y SSH WS-MAN Y Y Y Y Selecting the protocols that must be enabled through the firewall depends on the types of system to be managed. Issues associated with each protocol are discussed in the following paragraphs. Ideally, WBEM will be used to manage servers located through a firewall. SNMP SNMP gives the best management coverage but at the highest risk. While no “set” operations are required for asset management, SNMP is UDP-based; therefore, in many environments it is not considered a suitable protocol to pass through the firewall. Because SNMPv1 has a simple, clear-text “community,” it provides a low level of security. However, SNMP may be suitable for some environments in which the network containing the managed systems is relatively controlled. The community string is not suggestible be a “default, Public or Private.” It should be customized accordingly. Using SNMPv3, users can securely collect management information from their SNMP agents without fear that the data has been tampered with. Also, confidential information, such as SNMP set packets 11 that change a device's configuration, can be encrypted to prevent their contents from being exposed on the wire. Also, the group-based administrative model allows different users to access the same SNMP agent with varying access privileges. DMI DMI is similar in design to SNMP. Each component to be managed must have a Management Information Format (MIF) file that specifies the location of the component, name of vendor and model, firmware revision number, interrupt request line (IRQ), I/O port address, and so on. DMI is a remote procedure call (RPC-based protocol). To operate, DMI requires opening a number of ports through a firewall. Therefore, DMI is not recommended for use through firewalls. It is largely being replaced by WBEM. Note DMI is not supported on HP-UX systems running HP-UX 11.23 (11iv2) and HP-UX 11.31 (11iv3). You must use WBEM for this operating system. WBEM Web-Based Enterprise Management (WBEM) is one of the newest management protocols. HP Management products will communicate to systems either directly using the WBEM protocol, or to the Windows WMI systems, using the WMI Mapper Proxy. WBEM uses HTTPS to provide a secure TCP connection from the CMS to the managed system. WBEM uses its own port (5989 for SSL connections) and is supported through firewalls. The CMS can use trusted certificates to authenticate the managed system, while the managed system uses user names and passwords to authenticate the CMS. Note Firewalls should be configured to allow the CMS to communicate with managed systems through default port 5989. If you have modified the default port setting for your WBEM provider, you must configure your firewall for the port number your WBEM provider on which it is actually configured. WMI WMI is Microsoft’s implementation of WBEM. WMI runs over DCOM, which in turn, uses RPC. The WMI Mapper is an application that provides translation from WMI (a DCOM-based interface) to a standardized WBEM interface (CIM XML/HTTP). This is a two-way translation. The WMI Mapper is required for HP Insight Control to manage Windows computers, including ProLiant servers running the Insight Providers for Windows. The WMI Mapper service runs separately from the HP SIM service. For Windows systems behind a firewall, HP recommends installing the WMI Mapper on a managed system in the secure network (Figure 4) and disabling direct remote access to WMI. This mapper allows standard WBEM requests through the firewall, and they are mapped to WMI requests on the managed system. 12 Figure 4 WMI Mapper on managed Windows system behind firewall The WMI Mapper is included with the Windows version of HP SIM but can also be used with other versions. It is available with the HP SIM software or from the HP website at http://www.hp.com/go/hpsim. The mapper can be installed on a Windows system to allow WBEM access to that system. If the mapper is to be used as a proxy to access other systems, as shown in the previous DMZ example, then HP SIM must be configured to recognize the mapper as a proxy: Use the Options Security WMI Proxy Settings menu item and add the system on which the mapper is installed. WS-MAN WS-Management is a public standard SOAP-based protocol for sharing management data among all operating systems, computers, and devices. WS-MAN depends upon SOAP. As of this writing, it is used to manage iLO2 and HPOA. SSH Secure Shell (SSH) allows logging in to another system over a network and executing commands on that system. It also enables administrators to move files from one system to another in an encrypted format. It provides authentication and secure communications over insecure channels, and uses TCP port 22 to communicate. Fault management The HP Agents have two means for communicating faults: SNMP traps and SMTP e-mail (Table 2). Both originate from the agents in the DMZ to the CMS or to the SMTP mail server. The HP Insight Management WBEM providers can communicate faults using WMI indications. It is recommended that the WMI Mapper be installed on the managed system so that these faults can be sent using WBEM (CIM-XML/HTTP) through the firewall. Table 2 How HP agents communicate faults CMS Managed System Port 1 Protocol Description 13 2 In Out In Y Y Y Y Y 1 Out Y 162 SNMP (UDP) SNMP Trap 25 SMTP SMTP E-mail 50004 HTTPS/HTTP WBEM event receiver (configurable) All ports are for TCP and UDP The CMS will normally have all managed system ports open, as the CMS is a managed system itself. Firewalls may be configured to block these ports if the CMS is not to be managed from another system. 2 Deployment and Migration Increase deployment speeds by 12X (20 minutes versus 4 hours) with consistency and reliability using ProLiant servers. HP Insight Control Server Deployment will help in conserving the time in the network through its capabilities. In this case, protocols need to allow between the Management server and systems. Control Staff efficiencies stem from time saved on tasks performed by IT administrators and technicians and translate into increased productivity benefits in server administration, server deployment, server asset management, server hardware maintenance, and new application deployment time. With this type of computing environment, the administrator has to allow the protocols required to communicate between the systems through the connected firewall. Integrate Company uses HP Insight Control to help manage its Microsoft Hyper-V environment, especially to deploy virtual servers. Integrate Insight Control directly into HP Operations Center or with VMware and Microsoft for single-console access to virtual and physical resources. The Matrix Operating Environment can move server profile from one physical blade to another, bringing the flexibility of virtualization to physical servers. With this type of computing environment, the administrator has to allow the protocols required to communicate between the systems through the connected firewall. Control Staff efficiencies stem from time saved on tasks performed by IT administrators and technicians and translate into increased productivity benefits in server administration, server deployment, server asset management, server hardware maintenance, and new application deployment time. With this type of 14 computing environment, the administrator has to allow the protocols required to communicate between the systems through the connected firewall. Selecting the protocols that must be enabled through the firewall depends on the types of system to be managed. Issues associated with each protocol are discussed in the following paragraphs. Ideally, BEM will be used to manage servers located through a firewall. Configuration Management HP web agents on managed systems in a DMZ should first be configured to trust-by-certificate the HP SIM server. This will authenticate all Version Control (VC) commands and all Replicate Agent Settings (RAS) commands to the agent as coming from the specified CMS; these commands require HTTPS over port 2381. Systems must be discoverable by the CMS. Refer to the Asset Management section for more information. Systems must also be identifiable, which minimally requires HTTP access over port 2301. Table 3 identifies the protocols used for configuration management when managing through a firewall. Note HP does not recommended enabling management protocols such as SNMP or DMI on systems outside the firewall or directly connected to the Internet. Table 3 Summary of protocols used for configuration management CMS 2 In Managed System Description ICMP Ping In Y Y 22 SSH SSH server (for DTF) Y Y 161 SNMP (UDP) SNMP Agent 162 SNMP Trap (UDP) Trap listener 80 HTTP Management processor and other devices; standard Web server 280 HTTP Web server for HP SIM; Web agent autostart port 443 HTTPS Management processor and other devices; standard Web server 1433 TCP Microsoft SQL Server database 2301 HTTP Web agent Web server 2367 RMI HP SIM RMI connection 2381 HTTPS Web agent Web server Y Y 4 Y Y 4 Y Y 4 Y Y Y Y Out Protocol1 Out Y Y Port Y 3 Y Y Y Y 5432 ProstgreSQL Server database Y Y 5988 HTTP WBEM service Y Y 5989 HTTPS WBEM service 15 40420 VMM Y 50000 HTTPS HP SIM Web server (configurable ) Y 50001 HTTPS HP SIM SOAP Y 50002 HTTPS HP SIM SOAP with client certificate authentication Y 50003 HTTP HP SIM SOAP 50004 HTTPS/HTTP WBEM event receiver (configurable7) Y 50005 WBEM WBEM Events Y 50006 PostgreSQL PostgreSQL Y 50008 SIM JMS JMS port Y 50009 SIM JNDI JNDI port 50010 DMI 50013 RMI Web Services RMI Loader 50014 JRMP JRMP Invoker 50015 Pooled invoker Pooled invoker Y Y Y Y 5 6 DMI Y Y 51124 HTTPS Agent communications and iLO booting Y Y 51125 HTTPS Agent communications and iLO booting Y Y 51126 HTTPS Communication between the migration agents on servers. Y Y 51127 HTTPS Application station for Insight Control Web Server Y Y 52000 HTTP ESA Y Y 52001 HTTPS ESA Y 4 Y 411 HTTP IBM Director agent Y 4 Y 1311 HTTPS Server administrator Y 4 2069 HTTP OSEM Y 4 Y 3202 HTTPS StorageWorks NAS Y 4 Y 3257 HTTPS Rack & Power Manager Y 4 Y 4095 HTTP CommandView ESL Y 4 Y 4096 HTTP CommandView SDM Y 4 Y 8000 HTTP HP Web letAdmin Y 4 Y 8008 HTTP Default home page Y 4 Y 8443 HTTPS HP Web JetAdmin Y 4 Y 9990 HTTP HPOSM Service Application Y 4 Y 9991 HTTP OSM Event Viewer Outbound (out) – Request or response sent from a server is called outbound 16 Inbound (in) – Request or response received by a server is called inbound 1 All ports are for TCP (except ICMP and SNMP). The CMS will normally have all managed system ports open, as the CMS is a managed system itself. Firewalls may be configured to block these ports if the CMS is not to be managed from another system. 2 RMI port is used within the CMS for inter-process communication. Connections from outside the CMS are not accepted, and firewalls may block this port. 3 4 Many CMS outgoing ports are used for discovery. The exact UDP/TCP ports used by DMI are dynamic and vary from system to system, but they tend to be around 32,780 and higher. 5 6 50000 port number is configurable in server.xml (see Appendix B: Modifying default ports). 7 50004 port number is configurable in globalsettings.props (see Appendix B: Modifying default ports). Version Control This discussion is based on the assumption that the Version Control Repository (VCR) is behind the firewall with CMS, and likely on the CMS. Discovering the software available on the managed system requires SNMP over port 161. After receiving a command to update some component, the system must retrieve the component from the VCR, which it does using HTTPS over port 2381 to the VCR. To communicate its update status back to the CMS, the agent uses HTTP over port 280. Additionally, the CMS polls the system for its status every 15 minutes for up to 2 hours. Replicate Agent Settings Replicate Agent Settings require a source system whose configuration is copied and stored at the CMS for duplicating to other target systems. This function relies on HTTPS traffic via port 2381 and can operate over the firewall as long as the firewall is configured to pass this traffic. SSH SSH is used both locally on the HP SIM central management server and remotely to manage systems for various tools. Normally, SSH servers listen on TCP port 22. If, for some reason, this must be changed, the SSH port that HP SIM uses is configurable. Best Practices Systems can be made more secure by changing the default settings to the recommended Security Policies Baselines by ‘Microsoft Security Compliance Manager v. 2.0.20.0’. Reference: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16776 Below are the summary of the steps to be followed: • • • • Apply the “Member Server Security Compliance” Baseline Policies for “Windows Server 2008R2Sp1” to the system. Open the firewall ports as mentioned in Table 3. Install the pre-requisites required for installing IM DVD. Install IM DVD. 17 HP Insight Management Installer The HP Insight Management installer integrates installation of HP management software. The installer will install or upgrade individual product as well as suites. HP Systems Insight Manager • • • • • HP Systems Insight Manager Ports HP System Management Homepage Ports WMI Mapper HP Insight Control Licensing and Reports HP Version Control Repository Manager Ports HP Insight Control • • • • • • • • HP HP HP HP HP HP HP HP Insight Control licensing and reports Insight Control Performance management Ports Insight Control Power Management Ports Insight Control Server Deployment Ports Insight Control Server Migration Ports Insight Control Virtual Machine Management Ports Insight Managed System Setup Wizard Insight Management Advisor HP Matrix Operating Environment • • • • • HP Matrix Operating Environment Capacity Planning, Configuration and Workload Management and HP Insight Capacity Advisor Consolidation Software HP Matrix Recovery Management Ports HP Matrix Infrastructure Orchestration Ports HP Storage Provisioning Manager Ports HP SPM Storage module HP Insight Management Installer Ports Table 4 Ports for HP Insight Management Installer CMS 2 In Managed System ICMP Ping SSH SSH server (for DTF) Y Y 22 Y Y 161 SNMP (UDP) SNMP Agent 162 SNMP Trap (UDP) Trap listener 80 HTTP Management processor and other devices; standard Web server 280 HTTP Web server for HP SIM; Web agent autostart port 443 HTTPS Management processor and other devices; standard Web server 1433 TCP Microsoft SQL Server database 2301 HTTP Web agent Web server 2367 RMI HP SIM RMI connection Y Y 4 Y Y 4 Y Y 4 Y Y 3 Description In Y Y Out Protocol1 Out Y Y Port Y Y 18 Y Y 2381 Y HTTPS 5432 Web agent Web server ProstgreSQL Server database Y Y 5988 HTTP WBEM service Y Y 5989 HTTPS WBEM service Y 50000 HTTPS HP SIM Web server (configurable ) Y 50001 HTTPS HP SIM SOAP Y 50002 HTTPS HP SIM SOAP with client certificate authentication Y 50003 HTTP HP SIM SOAP 50004 HTTPS/HTTP WBEM event receiver (configurable7) Y 50005 WBEM WBEM Events Y 50006 PostgreSQL PostgreSQL Y 50008 SIM JMS JMS port Y 50009 SIM JNDI JNDI port 50010 DMI 50013 RMI Web Services RMI Loader 50014 JRMP JRMP Invoker 50015 Pooled invoker Pooled invoker Y Y Y Y 5 6 DMI Y 4 Y 411 HTTP IBM Director agent Y 4 Y 1311 HTTPS Server administrator Y 4 2069 HTTP OSEM Y 4 Y 3202 HTTPS StorageWorks NAS Y 4 Y 3257 HTTPS Rack & Power Manager Y 4 Y 4095 HTTP CommandView ESL Y 4 Y 4096 HTTP CommandView SDM Y 4 Y 8000 HTTP HP Web letAdmin Y 4 Y 8008 HTTP Default home page Y 4 Y 8443 HTTPS HP Web JetAdmin Y 4 Y 9990 HTTP HPOSM Service Application Y 4 Y 9991 HTTP OSM Event Viewer Y Y 80 TCP System Discovery1 Y Y 161 SNMP PMP/PPA Y Y 2381 HTTPS Web agent Web server Y Y 2301 HTTP Web agent Web server 19 Y Y 443 SSL 1780 Communication with iLO hpvmmsvc service Y Y 69 UDP PXE Client Y Y 1758 UDP PXE Client Y Y 1759 UDP (Multi cast) PXE Client Y Y 67 UDP PXE Client Y Y 68 UDP PXE Client Y Y 4011 UDP PXE Client Y Y 405 TCP PXEConfig Y Y 406 TCP PXECfg Service Y Y 407 TCP PXE Server and PXE MTFTP Y Y 8081 HTTP DSWeb Y Y 8080 HTTP DSWeb,Console Manager Y Y 505 TCP Win32 console,Axengine,PXEManager Y Y 402 TCP/UDP Agents, PXE Server, Data Manager, PXE Manager Y Y 5001 TCP Aclient Y Y 5002 TCP Aclient Y Y 415 TCP Remote Client Y Y 402 UDP Deployment Server Y Y 401 UDP Aclient (Wake-on-LAN Proxy) Y Y 80 TCP System Discovery1 Y Y 161 SNMP PMP/PPA 162 SNMP (UDP) SNMP Trap Y Y Y 514 UDP SYSLOG Y 16443 HTTPS XML or SOAP over HTTPS – Operations Orchestration (OO) GUI to OO Central Y 50002 HTTPS SOAP over HTTPS – LSU Controller to HP SIM and HTTPS HP Systems Insight Manager SOAP with client certificate Y 40420 HTTPS RMI over HTTPS – LSU Controller to VMM Y 51001 HTTPS RMI over HTTPS – LSU Controller to LSA (VSE logical server management) Y 50000 HTTPS SOAP over HTTPS – LSU Controller to LSU Deployment Service connector and HTTPS HP Systems Insight Manager Web Server Y 1433 HTTPS JDBC over TCP – talk via JDBC to SQL Server and HP Systems Insight Manager Web Server 50001 HTTPS HP Systems Insight Manager SOAP Y 20 Y Y Y Y Y Y HTTPS HTTPS WBEM, WBEM Service on EVA Command View Server, BNA port to connect SPM 5988 HTTP WBEM service HTTPS Used by web agents 2381 Y 20,21 Y 443 Y Y Y Y Y Y 2460024616 22 Y Y Y Y FTP - Used for upload and configuration backup from CLI SSL Graphical User Interface HTTPS Used for Web Management Interface Used by the Distributed Task Facility (DTF) 9143 OpenSSL Used by Application Discovery 9617,9 618 TCP Global Workload Manager uses on CMS 280 HTTP Web server for HP SIM; Web agent autostart port HTTPS HPSIM Webserver HTTPS LSA RMI port 50000 Y TCP SSH-2 Y 1 5989 51001 All ports are for TCP and UDP. The CMS will normally have all managed system ports open, as the CMS is a managed system itself. Firewalls may be configured to block these ports if the CMS is not to be managed from another system. Discovery protocol is configurable between ICMP or TCP and a configurable port; default is 80. 2 RMI port is used within the CMS for inter-process communication. Connections from outside the CMS are not accepted, and firewalls may block this port. 3 4 Many CMS outgoing ports are used for discovery. 5 50000 port number is configurable in server.xml (see Appendix B: Modifying default ports). 6 50004 port number is configurable in globalsettings.props (see Appendix B: Modifying default ports). Ports for HP Systems Insight Manager Ports for HP Insight Control Ports for HP Matrix Operating Environment HP Smart Update Manager Ports Table 5 HP SUM ports for Windows CMS In 2 Managed System Port Protocol1 Description Out In Out Y Y 445 and 137/138/1 39 TCP and UDP These ports are needed to connect to the remote ADMIN$ share on target servers (port 137 only if you are using NetBIOS naming service) Y Y 6000060007 SSL Random ports are used in this range to pass messages back and forth between the local and remote systems via SSL Y Y 80, 6300063005 HTTPS Used for passing files to the target and retrieving the logs via an internal mini-https server. Uses port 80 if it is available or a random port between 63000 and 63005 if it is not. Allows updates of the iLO firmware without the need to 21 access the host server. This will allow servers running VMWare or other virtualization platforms to update their iLO without the need to reboot their server or migrate their VMs to other servers. 1 Y Y 50116 TCP This is port is used in CMS Y Y 51268 TCP This port is used in target machine Y Y 6100061007 These ports are used from the target server back to the system running HP Smart Update Manager. The same mechanism is used by the remote access code as the 60000 ports, with the first trial port as 61000. There is no guarantee that the upper limit is 61007 when a conflict occurs. For the case of ipv4-only and one NIC, the lowest available one is used by HP Smart Update Manager to pass information between processes on the local workstation where HP Smart Update Manager is executed, and the next available one is used to receive messages from remote servers. Y 62000 and 62001 These ports (or the first two ports available after 62000) are used for internal process communications on the system running HPSUM on each target Y 62286 This port is the default for some internal communications. It is the listening on the remote side if there is no conflict. If a conflict occurs, the next available one is used. All ports are for TCP and UDP. The CMS will normally have all managed system ports open, as the CMS is a managed system itself. Firewalls may be configured to block these ports if the CMS is not to be managed from another system. 2 Table 6 HP SUM ports for Linux CMS In 2 Managed System Port Protocol1 Description Out In Out Y Y 22 SSH This port is needed to establish a connection to the remote Linux server through SSH Y Y 6000060007 SSL Random ports are used in this range to pass messages back and forth between the local and remote systems via SSL Y Y 80, 6300063005 HTTPS Used for passing files to the target and retrieving the logs via an internal mini-https server. Uses port 80 if it is available or a random port between 63000 and 63005 if it is not. Allows updates of the iLO firmware without the need to access the host server. This will allow servers running VMWare or other virtualization platforms to update their iLO without the need to reboot their server or migrate their VMs to other servers. Y Y 6100061007 These ports are used from the target server back to the system running HP Smart Update Manager. The same mechanism is used by the remote access code as the 60000 ports, with the first trial port as 61000. There is no guarantee that the upper limit is 61007 when a conflict occurs. For the case of ipv4-only and one NIC, the lowest 22 available one is used by HP Smart Update Manager to pass information between processes on the local workstation where HP Smart Update Manager is executed, and the next available one is used to receive messages from remote servers. Y 1 Y 62000 and 62001 These ports (or the first two ports available after 62000) are used for internal process communications on the system running HPSUM on each target Y 62286 This port is the default for some internal communications. It is the listening on the remote side if there is no conflict. If a conflict occurs, the next available one is used. Y 7 ICMP ICMP Echo Reply/Request is used to determine if target devices have successfully rebooted or not All ports are for TCP and UDP. 2 The CMS will normally have all managed system ports open, as the CMS is a managed system itself. Firewalls may be configured to block these ports if the CMS is not to be managed from another system. HP Insight Control for VCenter Ports This section is based on the assumption that HP Insight Control for VCenter is behind the firewall with the CMS. Table 7 Ports for HP Insight Control for VCenter CMS In 2 Managed System Out In Y Y Y 1 Protocol1 Description 80 TCP Discovery Out Y 161 SNMP (UDP) SNMP Agent Y 162 SNMP Trap (UDP) Trap listener Y Y Port 443 SSL Communication with iLO, HPOA, HPVCM Common Services default WBEM indications listening port Y Y 50028 HTTPS Y Y 50025 HTTPS Y Y 50026 TCP/Block Y Y 50027 Common Services secondary web port Y Y 50029 Common Services secondary WBEM indications listening web port Y 5989 HTTPS Y 5990 HTTPS Common Services default web port HTTPS WBEM, WBEM Service on EVA Command View Server All ports are for TCP and UDP. The CMS will normally have all managed system ports open, as the CMS is a managed system itself. Firewalls may be configured to block these ports if the CMS is not to be managed from another system. 2 23 HP Onboard Administrator Ports This section is based on the assumption that HP Onboard Administrator is behind the firewall with the CMS. Table 8 Ports for HP Onboard Administrator CMS In 2 Managed System Out In Protocol1 Description 443 SSL Communication with iLO, HPVCM Out Y 1 Port Y Y 22 SSH This port is needed to establish a connection through SSH Y Y 80 HTTP Management processor and other devices; standard Web server Y Y 161 SNMP (UDP) SNMP Agent All ports are for TCP and UDP. The CMS will normally have all managed system ports open, as the CMS is a managed system itself. Firewalls may be configured to block these ports if the CMS is not to be managed from another system. 2 HP Virtual Connect Manager Ports This section is based on the assumption that HP Virtual Connect Enterprise Manager is behind the firewall with the CMS. Table 9 Ports for HP Virtual Connect Enterprise Manager CMS Port Protocol1 Description Y 443 SSL Graphical User Interface Y 22 SSH This port is needed to establish a connection through SSH using Command line Interface In Y 1 2 Managed System Out In Out Y 161 SNMP (UDP) SNMP Agent/Poll Y 162 SNMP Trap (UDP) Trap listener Y 69 UDP TFTP- Used for upload and configuration backup from CLI Y 20,21 TCP FTP - Used for upload and configuration backup from CLI Y 636 TCP LDAP Authentication Y 514 UDP SYSLOG Y 1812,1813 UDP RADIUS server if configured Y 49 TCP TACACS server if configured All ports are for TCP and UDP. 2 The CMS will normally have all managed system ports open, as the CMS is a managed system itself. Firewalls may be configured to block these ports if the CMS is not to be managed from another system. 24 Policies required for IM DVD Installation The following security policies are mandatorily to be enabled before proceeding with the DVD Installation. If the below policies are enabled and proceed with the installation then DVD installation will complete successfully. Table 10 Security Policies required for IM DVD Installation User rights assignments Security Options Why it’s required Bypass traverse checking Everyone, LOCAL SERVICE, NETWORK SERVICE, For to fetch the details from the IIS server manager. Administrators, Users, Backup Operators Access this computer from the network Everyone, Administrators, Users, Backup Operators To pass the service credentials screen in installer Log on as a service NT SERVICE\ALL SERVICES, Classic .NET AppPool, DefaultAppPool To pass the service credentials screen in installer Debug Programs Administrators SQL Express 2008 R2 installation Manage auditing and security logs Administrators SQL Express 2008 R2 installation Back up files and directories Administrators, Backup Operators RDP Installation Load and unload device drivers Administrators RDP Installation Restore files and directories Administrators, Backup Operators RDP Installation Take ownership of files or other objects Administrators RDP Installation Additional policies required for proper operations of the system Below are the additional polices needed to be enabled for the proper functioning of the system. Table 11 Additional Policies need to be enabled User rights assignments Security Options Why it’s required Allow log on locally Administrators, Account Operators, Server Operators, Print Operators, Backup Operators Determines which users can log on to the computer Allow log on through Remote Desktop Services Administrators This security setting determines which users or groups have permission to log on as a Remote Desktop Services client. Force shutdown from a remote system Administrators, Server Operators Shut down the system Administrators, Server Operators, Print Operators, Backup Operators This security setting determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. This security setting determines which 25 users who are logged on locally to the computer can shut down the operating system using the Shut Down command. Misuse of this user right can result in a denial of service. Conclusion This has paper identified various options available for managing HP systems in a secure environment. The solutions explained here are intended only as a framework for exploring the options. Each system administrator can and should tailor a solution for his network based on these options. 26 Appendix A: Configuring a separate management network To configure a separate management network using HP Systems Insight Manager, install HP Systems Insight Manger on the secondary network by completing the following steps: 1. Configure SNMP to accept packets only from the IP addresses used on the management network, or bind SNMP to the secondary network interface (if the operating system allows this): • On Windows systems: From the Control Panel, open the Services menu. Open the Properties for the SNMP Service. Under the Security tab, add IP addresses to the list of IP Addresses that can accept SNMP packets. • On systems running Linux or HP-UX: Modify the configuration file snmpd.conf to accept SNMP packets only from the desired hosts. Do the same with any other OS service needed on the network. 2. If a firewall is used on the CMS or managed systems, configure the firewall rules to only allow SNMP WMI and WBEM requests from address in the management network. Use the ports in Appendix B: Modifying default ports to determine which rules to configure. 3. Configure the HP Insight Management Agents to allow access only from IP addresses on the management network: Log into the agent with administrator privileges. Go to the Settings/Options page, and modify the IP Restricted Logins settings. 4. Configure HP Systems Insight Manager to discover the systems on the secondary network: In HP Insight Manager, go to Options Discovery Automatic Discovery. Add the IP addresses for the systems on the secondary network. You can disable WMI, WBEM, and DMI on the primary network by configuring a firewall on the system to disable each of the protocols on the primary NIC. The method of accomplishing this varies for each firewall. 27 Appendix B: Modifying default ports To modify the default port 50000 used by HP System Insight Manger to different port, install HP System Insight Manger and complete the following steps: 1. Modify the default port value to the required port value from the following lines in server.xml file under <HPSIM_Installed Dir>\jboss\server\hpsim\deploy\jbossweb.deployer <Connector port="280" scheme="http" protocol="HTTP/1.1" maxThreads="50" minSpareThreads="5" maxSpareThreads="15" enableLookups="false" acceptCount="10" debug="0" redirectPort="50000" connectionTimeout="60000" /> <Connector port="50000" scheme="https" secure="true" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="200" minSpareThreads="10" maxSpareThreads="25" enableLookups="false" acceptCount="10" debug="5" clientAuth="false" URIEncoding="utf-8" useBodyEncodingForURI="true" compression="on" compressableMimeType="text/html,text/xml,text/plain,text/javascript,tex t/css" keystoreFile="C:\Program Files\HP\Systems Insight Manager\config\certstor\hp.keystore" keystorePass="U6sjMQ0JllhXXCeVioBH" /> Example: To modify the value of port 50000 to <Custom_port_no>, change port="50000" to port="<Custom_port_no>" and redirectPort="50000" to redirectPort="<Custom_port_no>" 2. Restart HP System Insight Manager service. To modify the default WBEM event Receiver port 50004 to a different port, install HP System Insight Manger and complete the following steps: 1. Unsubscribe to WBEM Events for all the managed nodes which are already subscribed using default WBEM event Receiver port 50004. 2. Modify the default port value to the required port value in the line WBEM_Indications_Listener_Port=50004 in globalsettings.props file under <HPSIM_Installed Dir>\config Example: To modify the value of port 50000 to <Custom_port_no>, Change WBEM_Indications_Listener_Port=50004 to WBEM_Indications_Listener_Port=60004 3. Restart HP System Insight Manager service. 4. Re-subscribe to WBEM Events. 28 For more information For additional information, refer to the resources listed below. Source Hyperlink ProLiant server management http://h18013.www1.hp.com/products/servers/management/index.html HP Systems Insight Manager http://www.hp.com/go/hpsim Understanding HP Systems Insight Manager Security http://h10018.www1.hp.com/wwsolutions/misc/hpsimhelpfiles/HPSIM_53_Security.pdf WBEM Providers for HP SIM www.hp.com/go/hpwbem/ HP Insight Control performance management See the HP Insight Control Environnent User Guide located at HP WEBM Services for HP-UX http://h18004.www1.hp.com/products/servers/management/hpsim/downl oad.html Integrated Lights-Out 2 (iLO) www.hp.com/go/ilo HP OpenView www.openview.hp.com/ http://www.hp.com/go/insight Call to action To help us better understand and meet your needs for ISS technology information, send comments about this paper to: [email protected]. Technology for better business outcomes © Copyright 2010, 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. 481364-005, March 2012
© Copyright 2024