
Re: Securing the console port on an ES47

 
John A.  Beard
Regular Advisor

Securing the console port on an ES47

Hi,

We want to prevent (as part of a test) users from being able to issue a CTL/P command from the console port on any of our ES47s (2P Drawer Control Panel). We currently connect to the console via MBM. Drawer 0 has had its switch set to the "secure" position, but when we connected to the node we were still able to issue the CTL/P command and have the box down to the >>> prompt.

Can anyone please tell us what we may have missed in setting this up?
Glacann fear críonna comhairle.
38 REPLIES
Peter Zeiszler
Trusted Contributor

Re: Securing the console port on an ES47

Isn't there a "set control_P off" command available?
John A.  Beard
Regular Advisor

Re: Securing the console port on an ES47

Hi Peter,

I'm afraid that I have never seen or heard of that setting before.

Apart from that SRM setting, should the 'Secure' switch setting have prevented CTL/P from working?
Glacann fear críonna comhairle.
Peter Zeiszler
Trusted Contributor

Re: Securing the console port on an ES47

We normally don't use the secure setting since we have to work on systems remotely through terminal servers and have to be able to do the CTRL_P. We actually have in our setup "set control_p on" so we have that ability. That's what made me think setting it off would disable the CTRL_P functions.
Jur van der Burg
Respected Contributor

Re: Securing the console port on an ES47

I would never let any normal user on the console. It's used for more besides ctrl-p, for example if the uaf cannot be accessed you can login on the console without a password.

Jur.
John A.  Beard
Regular Advisor

Re: Securing the console port on an ES47


We are well aware of the issues surrounding security and console access. I am not going to go into the details here as to why we are attempting to prevent staff from issuing CTL/P; all I am asking is why, when we set the switch on the front panel to SECURE, we were still able to issue CTL/P and bring the system down to the >>> prompt.

I cannot find anything that relates to setting control_p to off, that is why I am seeking confirmation on the issue.
Glacann fear críonna comhairle.
Art Wiens
Respected Contributor

Re: Securing the console port on an ES47

According to:

http://h18002.www1.hp.com/alphaserver/download/es47_es80_gs1280_ug_rev3.pdf

page 26 (pdf page 32)

"Secure - All partitions are powered on. Commands issued via the LAN, control panel, or the MBM CLI which change the state of the system are prevented and receive an error response. If main power fails and returns, the system will power up all partitions, regardless of its soft state at the time of the power failure."

A CTL/P could definitely be said to "change the state of the system", but I think it has more to do with the power state, i.e. you can't power off or delete a partition with the switch in the secure position.

I think you might be SOL but support may be able to give a better answer.

Hopefully those allowed physical console access will not do something stupid, but I imagine we're talking operators here ;-)

Cheers,
Art
Zeni B. Schleter
Regular Advisor

Re: Securing the console port on an ES47

I have not tested this in a long while but I thought that any input from the console was blocked including the control-P. We have VT420s as consoles. I know we had to enable the switch just to issue a "B" command. More than once I have powered off partitions when trying to enable the switch.

I did not modify in console settings.
John A.  Beard
Regular Advisor

Re: Securing the console port on an ES47

There is no physical terminal/console connected to the port, and we gain access via MBM (unless one of the people working at the site gains entry to the computer room and connects via his laptop).

The confusion we have in place all started when we were told by HP that once the partition was set to SECURE nobody would be able to issue the likes of a CTL/P command... and obviously that is not the case.

Glacann fear críonna comhairle.
Art Wiens
Respected Contributor

Re: Securing the console port on an ES47

In our site we have a two nic Alpha Management Station, with one nic on our general network and the other nic in a private/closed VLAN with the SMC NAT routers to the ES47's.

The only way to gain access to the MBM/SRM is through the AMS and if you don't have the proper credentials in AMS, you don't get access to any console.

Cheers,
Art