Executive Summary

The Serviceguard Manager plug-in (SgmgrPI) is a web application for monitoring and controlling a Serviceguard cluster. It is a "plug-in" to the HP System Management Homepage (SMH) framework and runs on a node that is a member of the cluster being managed. The SgmgrPI security model integrates tightly with those of SMH and Serviceguard: it depends on SMH to authenticate the remote client, and collaborates with the Serviceguard authorization system to control access to all Serviceguard operations and data.

Overview

Purpose of this Document

The web-based version of Serviceguard Manager, called the Serviceguard Manager plug-in (SgmgrPI), enables remote management of a Serviceguard cluster from a web browser. It is a "plug-in" web application for the HP System Management Homepage (SMH) infrastructure. As such, many SgmgrPI operational tasks are delegated to SMH, including life cycle management, client authentication, user role identification, and secure session establishment.

To service a user request, SgmgrPI uses the Serviceguard command line interface (CLI) to manipulate the managed cluster on behalf of the remote user. It is critical that the Serviceguard access control policy is strictly observed and enforced through this web-based access path enabled by SgmgrPI. SgmgrPI must perform trusted operations within the Serviceguard security domain.

This paper describes the SgmgrPI security model in the context of its integration with SMH and Serviceguard.

Scope of this Document

This white paper focuses on the SgmgrPI security model with respect to its integration with SMH and Serviceguard. It inspects the complete access path as a request travels through SMH, SgmgrPI and Serviceguard. This paper references the SMH and Serviceguard security models but does not elaborate on them in detail. The "Related Documents" section lists references that provide the relevant detailed information not covered here.

Audience

This white paper is intended to be used by an operator, system administrator, or anyone interested in reviewing the security of SgmgrPI.

Terms and Definitions

Term: Definition

Node: A host system or server that is configured to be a member of a Serviceguard cluster.

PAM: Pluggable Authentication Module. It is an architecture that is specified in Open Group RFC 86.0. PAM allows multiple authentication technologies to coexist. The /etc/pam.conf configuration file determines which authentication module to use, in a way that is transparent to the applications.

Package: Application services (individual Linux processes) grouped together and managed as a unit within Serviceguard in the event that a failover is required.

RBAC: Role Based Access Control. An access control policy used by Serviceguard Manager and Serviceguard to authorize access to its data and operations.
