
Re: IgniteUX and security

 
Gisela Raether
Occasional Contributor

IgniteUX and security

IgniteUX uses tftp and bootps for ignite and make_net_recovery, and the security team is concerned with the use of these services.

Could you please let me know if there is any alternative to tftp and bootps in Ignite?

Armin Kunaschik
Esteemed Contributor

Re: IgniteUX and security

tftp and bootps are necessary for booting clients. At least bootps is not routed, so you need to set this up in the same subnet, e.g. with an Ignite boot helper.
The only alternative is a local CD/DVD media.
But you need additional protocols for doing a net recovery archive!
- make_net_recovery uses NFS to put the recovery archive to the Ignite Server. Therefore you need rpc and NFS for doing so.
- If you want to install from an OS depot (and not from a golden image) you need additional ports like swagentd (2121) and some more dynamically assigned ports to make swinstall work.
Check http://docs.hp.com/en/SD/fwcookbook.html and http://forums11.itrc.hp.com/service/forums/questionanswer.do?admit=109447626+1233836370260+28353475&threadId=1171473 for details.

My 2 cents,
Armin

PS: Please assign points if you find answers useful!
And now for something completely different...
bright image
Frequent Advisor

Re: IgniteUX and security

As far as I am aware, Ignite only uses bootp and tftp for network installs and recoveries.

You could disable these protocols and only enable them when you need to do a recovery or network install.

You should still be able to make_net_recovery as this uses nfs to store the image on the ignite server.
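
One way to script the enable-only-when-needed approach suggested in the reply above, as an added example that is not from any poster or from HP: it comments out or restores the tftp and bootps entries in an inetd.conf-style file. The function names are hypothetical, and it assumes both services are started from inetd.

```shell
# Added example: toggle the tftp and bootps entries in an inetd.conf-style file.
# Assumption: both services are started from inetd and a disabled entry is a
# normal entry with a leading '#'.
ignite_boot_services() {
    action=$1
    conf=${2:-/etc/inetd.conf}
    case $action in
        enable|disable) ;;
        *) echo "usage: ignite_boot_services enable|disable [conf]" >&2
           return 2 ;;
    esac
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -v action="$action" '
        # Active entry: the first field is exactly the service name.
        action == "disable" && ($1 == "tftp" || $1 == "bootps") {
            print "#" $0; next
        }
        # Commented-out entry. Prose comments that merely start with the
        # service name are skipped by checking the socket-type field.
        action == "enable" && /^#[ \t]*(tftp|bootps)[ \t]/ {
            line = $0; sub(/^#[ \t]*/, "", line)
            n = split(line, f, /[ \t]+/)
            if (n >= 6 && (f[2] == "dgram" || f[2] == "stream")) {
                print line; next
            }
        }
        { print }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back in place so the file keeps its owner and mode.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Print the names of the two services that are currently active in the file.
ignite_boot_services_active() {
    awk '$1 == "tftp" || $1 == "bootps" { print $1 }' \
        "${1:-/etc/inetd.conf}" | sort | tr '\n' ' '
}
```

On a live server, have inetd reread its configuration (`inetd -c` on HP-UX) after each change, and enable the services only for the duration of the install or recovery.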

Re: IgniteUX and security

No, there is no alternative.

Have you looked at the security section in the Ignite admin guide?

http://www.docs.hp.com/en/5992-5309/ch08.html

So the question for your organisation is, what is more important? Running with the potential security issues of these tools (albeit you have them documented and understood), or running without Ignite and the automated provisioning and recovery features it offers.

HTH

Duncan

I am an HPE Employee