Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
 HP Servicecontrol Manager 3.0 User's Guide > Chapter 4 Increasing Servicecontrol Manager Security

Manage SCM Software
» 

Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Glossary

 » Index

spacerspacerspacer
spacer
spacer
  		 
 

Inspect the Audit Log Regularly

The SCM audit log contains a record of all tasks performed by SCM users on all managed nodes. This log should be inspected regularly for unexpected use of sensitive tools or for access to sensitive managed nodes. See administering SCM - audit log in the SCM online help for more information about the audit log.

Restrict root access on the CMS

It is essential to SCM security to restrict root access on the CMS. A user logged in as root can change the SCM configuration, add authorizations for others to run tools, and can run any tool on any managed node. To reduce the risk of unauthorized root access on the CMS, enforce strict password selection and change policies.

Change Generated Passwords

At installation time, SCM generates four passwords used for purposes described below. These passwords are assigned randomly generated values at least ten characters long when SCM is installed. For improved security, these passwords should be changed immediately after installation to a different value at least ten characters long. The mxpassword command is used to display or change the values for these passwords. See the mxpassword manual page for details.

  • There are two passwords that restrict access to the SCM database through MySQL.

    • The DBAdminPassword is analogous to the root password under HP-UX, and it protects all access to the databases under the control of MySQL.

    • The MxDBUserPassword protects access to just the SCM database under MySQL.

  • The MxConfigPassword is used to provide DTF Agent and CMS authentication. For convenience, this value should be changed before adding any managed nodes. If it is changed after adding managed nodes, all the DTF agents on the managed nodes will need to be re-authenticated using the mxagentconfig command.

  • The MxKeystorePassword is used for the Tomcat certificate keystore. If it is changed, you need to restart the Tomcat Web server using the command on “Disable the Tomcat Web Server”.

Closely Manage SCM Authorizations

Consider carefully the implications of allowing an SCM user to be a trusted user or assigning a user to the master role on the CMS.

  • An SCM trusted user can potentially run any tool on any managed node, including the CMS.

  • An SCM user assigned the master role on the CMS, can run any tool on the CMS.

In addition, the SCM model for allowing tools to be developed by non-trusted users requires that the user have the master role on the managed node being used to develop the tool. Do not use the CMS node for this purpose.



Disable the Tomcat Web Server
  		 


Verify Security Dependencies  
Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 2002-2003 Hewlett-Packard Development Company, L.P.