Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
 HPjmeter: User's Guide > Chapter 2 Completing Installation of HPjmeter

Security Awareness
» 

Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Glossary

 » Index

spacerspacerspacer
spacer
spacer
  		 
 

Securing Communication Between the HPjmeter Node Agent and the Console

IMPORTANT: The data stream between the HPjmeter console and agents is not protected from tampering by a network attacker. You can help ensure that the data you view in HPjmeter visualizers is an accurate reflection of your application's operation and that data confidentiality is protected where needed.

Ensuring the Integrity of HPjmeter Console/Node Agent Data Transfer

For key applications in production, you may want increase your confidence that the data has not been tampered with en route between the agents and console before you take action based on HPjmeter metrics. Where you deem it necessary, confirm that the HPjmeter data looks reasonable according to the usual behavior of your application. You can also pursue using secure socket layer (SSL) tunneling to protect the integrity of data packets and to enhance the reliability of the data reaching the HPjmeter console.

Want to Know More About Secure Socket Layer Tunneling?:

HP-UX IPSec and HP-UX Secure Shell are two HP products that provide secure socket layer tunneling. To learn more:

Protecting Data Confidentiality During HPjmeter Console/Node Agent Communication

Data sent to the console is not encrypted by HPjmeter. If you are concerned about confidentiality of this data, you can protect confidentiality by using SSL tunneling to encrypt the header and data portion of each packet during transfer.

Working with Firewalls

The node agent has an open socket. Any HPjmeter console on any machine on the network (that is not blocked by a firewall) can communicate with this node agent. If you want to have a console contact a node agent through a firewall, you must provide a tunneling port so that the console can contact the node agent.

IMPORTANT: If you choose to open a port through a firewall to enable communication between a node agent and a console, secure the tunneling port using HP-UX Secure Shell or HP-UX IPSec.

Configuring User Access

The node agent must be started by either the same user or group as the running JVM (recommended) or root to establish contact.

IMPORTANT: Setting access for owner or group should not be considered a security solution because node agent to JVM communications are not secured by default—see below.

Securing Communication Between the JVM and the HPjmeter Node Agent

IMPORTANT: The data stream between the JVM and the node agent is not protected from tampering by a user logged into the system running the JVM. For key applications in production, you may want to increase your confidence that the data has not been tampered with en route between the JVM and agent before you take action based on HPjmeter metrics.

Where you deem it necessary, either secure the communication mechanism between the JVM and node agent (HP-UX 11i v2 or later only), or confirm that the HPjmeter data looks reasonable according to the usual behavior of your application by independently validating its output.

To secure the communication mechanism between the JVM and node agent on HP-UX 11i v2 or later operating systems, set the umask of the JVM process to 77 (no access except for the owner) by executing the command

% umask 77

before running the JVM.



Configuring your Application to Use the JVM Agent
  		 


Chapter 3 Getting Started  
Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 2006 Hewlett-Packard Development Company, L.P.