VSE Management Software Installation and Update Guide Version A.03.00.01 > Chapter 2 System Requirements

Compatibility with HP-UX Bastille and Other Network Firewalls


Network firewall software such as HP-UX Bastille might block the communication protocols used by the VSE Management Software. If your CMS or VSE managed systems use firewall software, follow the configuration guidelines in the following sections.

VSE Management Software Network Communication Protocols

The VSE Management Software retrieves real-time and historical utilization data from managed systems and their associated applications using the following network communication protocols.

  • The SSH-2 (secure shell) protocol is used to install the VSE agent software from the CMS to support the visualization and configuration features of Virtualization Manager, and to collect utilization data for Capacity Advisor.

  • Web-Based Enterprise Management (WBEM) services are used to support the visualization and configuration features of Virtualization Manager and to collect utilization data for Capacity Advisor.

  • An OpenSSL (SSL/TLS) connection is used to obtain application information from managed systems for Application Discovery.

HP Systems Insight Manager (SIM) uses additional communication protocols between the CMS and managed systems to provide real-time system status and WBEM indications, and for basic communication between the web-based applications and the end user.

If you are using firewall software such as HP-UX Bastille on the CMS or on managed systems, the firewall must be configured so that it does not block the required network communication. The following sections present detailed configuration instructions for HP-UX Bastille. Other network firewall software must be similarly configured.

For more information about SIM secure data transmission, see the “Secure data transmission” section of the HP Systems Insight Manager 5.1 Installation and Configuration Guide for HP-UX at:

http://docs.hp.com/en/418810-002/.

Additional information is available in an HP white paper entitled Understanding HP Systems Insight Manager security, available from the Information Library link at http://hp.com/go/hpsim.

Firewall Settings on the CMS

The following set of protocols should be allowed through firewalls between the CMS and the managed systems.

Communication Between the CMS and Managed Nodes

  • Internet Control Message Protocol (ICMPv4) Type 8 (Echo Request), used by ping.

  • HTTPS over port 5989, used by WBEM.

  • HTTPS over port 2381, used by web agents.

  • SSH-2 over port 22, used by the Distributed Task Facility (DTF).

  • OpenSSL over port 9143, used by Application Discovery.

  • Global Workload Manager uses ports 9617 and 9618 on the CMS. Refer to the “Communications Ports” section of the HP Integrity Essentials Global Workload Manager User's Guide Version A.03.00.00 for information about changing the default ports.

Communication Between the CMS and the Web Browser

  • HTTP over port 280 (initial communication).

  • HTTPS over port 50000 (subsequent user interface communication).

Bastille Settings on the CMS

If Bastille/Install-Time Security will be used to secure the CMS, use the “Managed DMZ” level for initial lockdown, and add the following IPFilter configuration rules to the top of the file /etc/opt/sec_mgmt/bastille/ipf.customrules:

pass in quick proto icmp from any to any icmp-type 8 keep state
pass in quick proto tcp from any to any port = 280
pass in quick proto tcp from any to any port = 50000
pass in quick proto tcp from any to any port = 9617 flags S keep state keep frags
pass in quick proto tcp from any to any port = 9618 flags S keep state keep frags
pass in quick proto tcp from any to any port = 9143 flags S keep state keep frags

Then re-run Bastille using the bastille -b command.

Firewall Settings on Managed Systems

The following set of protocols should be allowed through the firewall:

  • Internet Control Message Protocol (ICMPv4) Type 8 (Echo Request), used by ping. Both inbound and outbound ping are needed for SIM discovery and system status.

  • HTTPS over port 5989, used by WBEM.

  • HTTPS over port 2381, used by web agents.

  • SSH-2 over port 22, used by the Distributed Task Facility (DTF).

  • Global Workload Manager uses port 9617 on managed nodes. Refer to the “Communications Ports” section of the HP Integrity Essentials Global Workload Manager User's Guide Version A.03.00.00 for information about changing the default ports.

Bastille Settings on the Managed System

If Bastille/Install-Time Security will be used to secure the managed system, use the “Managed DMZ” level for initial lockdown, and add the following IPFilter configuration rules to the top of the file /etc/opt/sec_mgmt/bastille/ipf.customrules:

pass in quick proto icmp from any to any icmp-type 8 keep state
pass in quick proto tcp from any to any port = 9617 flags S keep state keep frags

Then re-run Bastille using the bastille -b command.
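The rule sets above for the CMS and for managed systems are easy to get subtly wrong when they are copied into ipf.customrules by hand (a dropped line, a typo in a port number). The following Python script is an added example, not part of the HP guide or of Bastille: it parses the `pass in` rules in the style shown on this page, compares the permitted TCP ports and ICMP types against the list of ports the CMS and managed-system sections require, and reports any that are missing. The rule text embedded in the script is a constructed copy of the CMS rules from this page; the `CMS_REQUIRED` and `MANAGED_REQUIRED` sets and all function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the CMS rules given on this page (ipf.customrules fragment).
CMS_RULES = """\
pass in quick proto icmp from any to any icmp-type 8 keep state
pass in quick proto tcp from any to any port = 280
pass in quick proto tcp from any to any port = 50000
pass in quick proto tcp from any to any port = 9617 flags S keep state keep frags
pass in quick proto tcp from any to any port = 9618 flags S keep state keep frags
pass in quick proto tcp from any to any port = 9143 flags S keep state keep frags
"""

# Ports/ICMP types the page's customrules additions must cover (assumed lists,
# taken from the rules shown in the CMS and managed-system sections).
CMS_REQUIRED = {("icmp", 8), ("tcp", 280), ("tcp", 50000),
                ("tcp", 9617), ("tcp", 9618), ("tcp", 9143)}
MANAGED_REQUIRED = {("icmp", 8), ("tcp", 9617)}


@dataclass(frozen=True)
class Rule:
    action: str                # pass / block
    direction: str             # in / out
    proto: str                 # tcp / udp / icmp
    port: Optional[int]        # destination port for tcp/udp rules
    icmp_type: Optional[int]   # icmp-type for icmp rules
    keep_state: bool           # whether the rule carries "keep state"


# Matches the "action direction [quick] proto X from A to B <rest>" shape used above.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?:\s+quick)?\s+proto\s+(?P<proto>\w+)"
    r"\s+from\s+\S+\s+to\s+\S+(?P<rest>.*)$"
)


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one IPFilter rule line; returns None if the line is not in the expected shape."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    port = re.search(r"\bport\s*=\s*(\d+)", rest)
    itype = re.search(r"icmp-type\s+(\d+)", rest)
    return Rule(
        action=m.group("action"),
        direction=m.group("dir"),
        proto=m.group("proto"),
        port=int(port.group(1)) if port else None,
        icmp_type=int(itype.group(1)) if itype else None,
        keep_state="keep state" in rest,
    )


def parse_rules(text: str) -> list:
    """Parse a whole customrules fragment, ignoring blank lines and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        rule = parse_rule(line)
        if rule is None:
            raise ValueError(f"unrecognised rule: {line!r}")
        rules.append(rule)
    return rules


def missing_passes(rules: list, required) -> list:
    """Return the (proto, number) pairs from `required` that no inbound pass rule permits."""
    allowed = set()
    for r in rules:
        if r.action != "pass" or r.direction != "in":
            continue
        if r.proto == "icmp" and r.icmp_type is not None:
            allowed.add(("icmp", r.icmp_type))
        elif r.port is not None:
            allowed.add((r.proto, r.port))
    return sorted(set(required) - allowed)


def stateless_tcp_passes(rules: list) -> list:
    """TCP pass rules written without "keep state", so the admin can confirm return traffic is handled."""
    return sorted(r.port for r in rules
                  if r.proto == "tcp" and r.action == "pass" and not r.keep_state)


if __name__ == "__main__":
    rules = parse_rules(CMS_RULES)
    print("missing on CMS:", missing_passes(rules, CMS_REQUIRED))
    print("stateless TCP passes:", stateless_tcp_passes(rules))
```

Run it against the actual /etc/opt/sec_mgmt/bastille/ipf.customrules by reading that file into `parse_rules` instead of `CMS_RULES`; for a managed system, compare against `MANAGED_REQUIRED`. The `stateless_tcp_passes` report exists because the port 280 and port 50000 rules on this page, unlike the others, carry no `keep state`, so whether browser replies pass depends on the rest of the Bastille ruleset rather than on these lines alone.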

© 2006-2007 Hewlett-Packard Development Company, L.P.