HP-UX Workload Manager A.03.02.xx Release Notes for HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3

Chapter 1 HP-UX Workload Manager Release Notes

Security
This section highlights security items you should be aware of.

SSL certificates are created when you install WLM. This enables WLM to run in secure mode within the system on which it is installed. As of Version A.03.01, when you start WLM using the “/sbin/init.d/wlm start” script, the script uses secure mode by default. This requires that you distribute security certificates to all systems or partitions being managed by the same WLM global arbiter (wlmpard). In addition, if you upgrade WLM and the /etc/rc.config.d/wlm script had been modified prior to the upgrade, you must check that the following variables in /etc/rc.config.d/wlm are enabled (set to 1):

    WLMD_SECURE_ENABLE
    WLMPARD_SECURE_ENABLE
    WLMCOMD_SECURE_ENABLE

The name of each certificate created when you install WLM is based on the name of the host where the certificate is generated. Thus, on host1, the certificate is named host1.pem. This makes it easier for you to identify trusted systems. If you have not yet assigned a host name to the system where WLM is being installed, the certificate is given the default name loopback.pem. When you assign a name to the host, security will continue to work even if the host name differs from the certificate name. To achieve a match between the host and certificate names, you can use the wlmcert command to remove the current certificate and then reset the certificates so that the host and certificate names match. For more information on security certificates and the wlmcert command, see wlmcert(1M). This and other WLM manpages are also available at the following location:

    http://www.hp.com/go/wlm

When using WLM to manage partitions, each partition must have in its truststore the certificate of every other partition with which it is being managed.
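The following POSIX shell script is an added example, not code from HP or from the WLM product. It audits the three secure-mode switches described above and compares a certificate's base name with the host name, so that a leftover loopback.pem is noticed before partitions are put under the same global arbiter. The function names are hypothetical, the VAR=value line format is assumed to be what /sbin/init.d/wlm sources from /etc/rc.config.d/wlm, and the configuration file used for the stand-alone run is a constructed sample rather than a real system file.

```shell
#!/bin/sh
# Added example, not HP's code: audit the WLM secure-mode switches and the
# certificate/host name match. Function names are hypothetical; the VAR=value
# line format is assumed from how /etc/rc.config.d files are sourced.

# Print the effective value of VAR in FILE (the last assignment wins, as it
# would when the rc script sources the file); prints nothing if VAR is unset.
wlm_config_value() {
    file="$1"; var="$2"
    sed -n "s/^[[:space:]]*${var}=//p" "$file" \
        | tail -n 1 \
        | sed 's/[[:space:]]*#.*$//' \
        | tr -d "\"'"
}

# Report every secure-mode variable that is not set to 1.
# Returns 0 when all three are enabled, 1 otherwise.
wlm_secure_mode_check() {
    file="$1"
    rc=0
    for var in WLMD_SECURE_ENABLE WLMPARD_SECURE_ENABLE WLMCOMD_SECURE_ENABLE; do
        val=$(wlm_config_value "$file" "$var")
        if [ "$val" != "1" ]; then
            echo "$var is not enabled (current value: '${val:-unset}')"
            rc=1
        fi
    done
    return "$rc"
}

# Print "match" when the certificate's base name equals the host name and
# "mismatch" otherwise (for example a loopback.pem created before the host
# was named).
wlm_cert_name_check() {
    cert="$1"; host="$2"
    if [ "$(basename "$cert" .pem)" = "$host" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Constructed sample config for a stand-alone run (not a real system file):
# one switch enabled, one disabled, one missing entirely.
SAMPLE_CFG="${TMPDIR:-/tmp}/wlm_rc_sample.$$"
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# constructed /etc/rc.config.d/wlm sample
WLMD_ENABLE=1
WLMD_SECURE_ENABLE=1
WLMPARD_SECURE_ENABLE="0"   # left disabled by a pre-upgrade edit
EOF

wlm_secure_mode_check "$SAMPLE_CFG" \
    || echo "secure mode is not fully enabled; set the variables to 1 and restart WLM"
echo "loopback.pem vs host1: $(wlm_cert_name_check loopback.pem host1)"
```

On a real system, pass /etc/rc.config.d/wlm as the first argument and the certificate file name together with the output of hostname to the second function; a mismatch is the cue to run wlmcert as described in wlmcert(1M).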
Data collectors invoked by WLM run as root and can pose a security threat. Hewlett-Packard makes no claims of any kind with regard to the security of data collectors not provided by Hewlett-Packard. Furthermore, Hewlett-Packard shall not be liable for any security breaches resulting from the use of said data collectors. WLM and the WLM GUI allow you to set up secure communications as described in wlmcert(1M). If you choose not to use secure communications, here are several security tips:
WLM manages virtual partitions and nPartitions through a global arbiter. WLM’s global arbitration uses non-secured communications. A rogue user could manipulate the communications, resulting in one or more partitions being granted an incorrect number of cores. Use global arbitration only on trusted local area networks.

By default, wlmpard communicates to the partitions on a system through port 9691. If the partitions use a firewall or if you are using the HP-UX Bastille product on the partitions, it is likely that communications on this port are being blocked. To use wlmpard in your environment, specifically allow port 9691 or another port to be open to incoming connections. If you use a port other than 9691, be sure to restart wlmpard to communicate on the new port.

If you use Bastille or the Install-Time-Security Levels to configure the IPFilter firewall, you may want to put the rules regarding which port to leave open in the following file:

    /etc/opt/sec_mgmt/bastille/ipf.customrules

After that, run bastille -b to load the rules and make sure that Bastille does not remove them later during subsequent runs/lockdowns.