- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - OpenVMS
- >
- HP SANmanager HostAgent for OpenVMS & Security
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Forums
Discussions
Discussions
Discussions
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-25-2004 01:32 AM
10-25-2004 01:32 AM
Our SAN manager (rightly) wishes to be able to monitor the SAN.
Therefor he uses HP SANmanager, which runs on a peecee, and has agents to supply it with the view of the SAN from the various systems using the SAN.
That includes an agent for VMS.
We were "not completely :-) :-)" happy upon trying to install it.
1. The package installs hard-coded in the SYS$SPECIFIC subdirectory structure. That includes a complete Java Runtime Environment.
--- what happened to the concept of SYS$COMMON ?
2. The installation needs the IP-address of the management station, and of the system.
While the management station is _intended_ to stay fixed, and at loss-and-replacement might well get the same IP number, our VMS systems all have multiple addresses.
Well, I guess in case of network maintenance and/or disturbance there is no need for SAN info?
Why should one have DNS anyway? Just overhead?
3. At the end of the installation the agent is starting up. Or tries to, and complains that it can ONLY be run by user SYSTEM.
Why would that be? We have a standard of having dedicated special priviliged users for each privileged system function that needs to be done, where each user gets all, but only, the needed privileges, AND is prohibited from interactive login.
btw: the only documentation (PeeCee's Help) about needed privs is that the account should have "Administrator or root" access.
So, for now, we (reluctantly) started the agent from the SYSTEM account.
And now for the BIG FUN part.
To access the agent, the managent PeeCee must be supplied with the IP address of the node, the account name Administrator, root, or SYSTEM) and.....
the password of the SYSTEM account!!!
And our "NO" is the current impasse.
So, questions:
- anybody know a good reason to keep the total JRE environment SPECIFIC, so as to force it to be present multiple times, demanding multiple maintenance etc.
- the agent environment contains just two images (DIALD & HOSTWATCHDOG).
Would INSTALLing those with some (but WHICH?) privs relieve the need for a privd account?
--- Has anybody solved this in an acceptable way already?
Cheers anyway,
Have one on me.
Jan
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-25-2004 01:40 AM
10-25-2004 01:40 AM
Re: HP SANmanager HostAgent for OpenVMS & Security
The reason I was told for products including a JRE of their own was that if the sysman then upgraded the system wide JRE the product may stop working - apparently Jave does not have a good record for backward compatability and new versions break programs built for a older version.
Parhaps Uwe is best placed to comment but certainly send feedback to hp about this product.
Purely Personal Opinion
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-25-2004 02:06 AM
10-25-2004 02:06 AM
Re: HP SANmanager HostAgent for OpenVMS & Security
I know the argument about JRE upward compatibility.
Therefore it makes sence to have your JRE
___prduct___ specific.
(and that is what it is now: it is in a .JRE subdirectory of SANMGR),
but: WHY can SANMGR (including the JRE) not be a subdir of SYS$COMMON??
Or even MUCH more desired: WHY can it not be on ANY device of sysmgr's choice?
We try as much as possible to have our systemdisk to contain ONLY VMS itself, and everything else should go elsewhere.
PS
-- come to think of it: it is Willem's stick-horse.
We will probably soon meet this same issue as a CERT alert!
Cheers.
Have one on me.
jpe
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-25-2004 05:05 AM
10-25-2004 05:05 AM
Re: HP SANmanager HostAgent for OpenVMS & Security
Username and Password are only required for the initial deployment of a host - the host agent receives the management server's UUID and is authorized back on the management server.
I haven't checked what services need to be opened for remote deployment (install from the management server) on OpenVMS, but you can install locally and then just 'add access' from the management server - at least on non-OpenVMS platforms ;-)
The problem with lots of different versions of Java that are each incompatible right down to the patch level, I think, can be fairly blamed on Sun. I've seen similar things when running multiple browser sessions.
Can't say anything about the SYS$SPECIFIC problem. I have done some OVSAM rollouts, but exactly the one with OpenVMS involved could not be finished, because we didn't have a HostAgent for OpenVMS V7.3-2 at that time. I haven't found time to play with this in our lab, yet.
I agree that some products are very badly adapted for OpenVMS - I really wonder if there is no cooperation in the company...
On other platforms, there are 3 processes:
- host agent
- hostwatchdog
- diald
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-25-2004 05:43 AM
10-25-2004 05:43 AM
Re: HP SANmanager HostAgent for OpenVMS & Security
Username and Password are only required for the initial deployment of a host
at least you took away my GREATEST worry, hope.
Are you implying that the SYSTEM/password sequence is used only once (typed blind, I hope), and is GUARANTEED NOT saved in some peecee (&peecee-secure) file?
The problem with lots of different versions of Java that are each incompatible right down to the patch level,
Well, that still does NOT explain why ONE and the same version of a product would need multiple copies of exactly the same JRE.
but exactly the one with OpenVMS involved could not be finished, because we didn't have a HostAgent for OpenVMS V7.3-2
.. but this _IS_ all about that HostAgent!!
That still leaves the questions:
WHY does it have to run under the SYSTEM account?
WHY must the account have ALL privileges, instead of installing the images with the needed ones?
Looks like they took away all VMS-knowledge from the project just when it was most needed... :-) (oh me, slime, slime)
Cheers.
Have one on me.
Jan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-25-2004 08:24 PM
10-25-2004 08:24 PM
Re: HP SANmanager HostAgent for OpenVMS & Security
I used SNV quite a lot but it's not supported anynore.
The documentation on OVSNM and OVSAM is unfortunatly very bad. It contains no technical information beside some system requirements and administrator configuration guidelines. (HP should fix that too :-))
The same problem arises on Tru64 (also in a cluster) but there the installation doesn't even work. (strange grep calls for nothing, can't handle DNS aliases, cluster ID's above 2 are not accepted etc etc). This makes it very hard to manage the stuf.
I hope (as Jan does) somebody (preferably HP) fixes these issues so we can all be happy :-).
regards,
Erwin van Londen
HP Master ASE SAN Architect.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-25-2004 09:27 PM
10-25-2004 09:27 PM
Re: HP SANmanager HostAgent for OpenVMS & Security
Cheers.
Have one on me.
Jan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-25-2004 09:47 PM
10-25-2004 09:47 PM
Re: HP SANmanager HostAgent for OpenVMS & Security
OVSAM is expected to be installed onto an NTFS drive to provide a certain security. The data used for managing the HA deployment can be deleted, but there is no GUARANTEE that some bits are not cached somewhere on the disk - a lot of information is stored in an embedded database.
If you don't like to hand your standard password over to Erwin/ the management server, why not set a temporary one, just for the duration of the HA installation?
I think we all agree that the programmers of the OpenVMS HA are not very experienced with OpenVMS and clusters. *nobody* outside of HP can definitely answer your question why it is implemented that way, but perhaps that was a rethoric question from you ...
Don't forget to complain to HP through your support channels - otherwise I think I can safely predict that *nothing* will happen.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-26-2004 05:41 AM
10-26-2004 05:41 AM
Re: HP SANmanager HostAgent for OpenVMS & Security
I think we all agree that the programmers of the OpenVMS HA are not very experienced with OpenVMS and clusters.
and not only in that area. There are quite some more.
Not only that they are not experienced (which can easily be overcome) but, and that is my greatest worry, they seem to miss even the slightest idea and attitude to security in all aspects.
It would be a good thing if these people were edutated BEFORE this 'junkware' was delivered. I cannot name it otherwise, since it does not fit into the VMS standards, as it ought to be. No matter the (probably great) functionality.
Jan,
That this program requires an account with privileges is evident. So they use the typical U*x way: take the root account - being SYSTEM on VMS. Installations, and certainly where it requires the SYSTEM account (there are more that need it...) should be conducted from the console onl, right? No wait - these U*x guys don't know the concept....
It's a clear miss by HP that installation of the agent _requires_ (as it seems) that PC-software.
I wouldn't mind too much if that PC was:
* standalone (not connected to the network, just to the VMS box)
* switched off when not needed
* requires a secure password (Idea: could you use authentication agains VMS? That would solve some problems!)
Willem
OpenVMS Developer & System Manager
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-26-2004 06:45 AM
10-26-2004 06:45 AM
Re: HP SANmanager HostAgent for OpenVMS & Security
The host agent (HA) does not require "that PC-software" - you can install it locally from a CD-ROM and then authenticate it once at the management server using the SYSTEM account. The HA is simply useless when it is not communicating with the management server.
It is the OVSAM management server that uses the host agents to:
- properly map the fibre channel adapters of the servers to the storage area network and report their WWNs and firmware revsions
- properly map the LUNs that the server has access to their storage arrays
- collect file system usage data when the Storage Builder component is installed
- collect performance data when the Storage Optimizer component is installed (it's a bit more complicated, but it does not matter for our discussion)
It can live fine without host agents, but of course some information is missing, then.
The management server is used to monitor the health of the SAN. It needs to be connected to the network so that it can talk to the host agents, the fibre channel switches and other devices to monitor. It puts data into a database to preserve a history and you can create triggers to spawn actions on specific events. If you're keen to switch it off, well, then you should even avoid the trouble to set it up - it is a great time saver ;-)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-27-2004 04:20 AM
10-27-2004 04:20 AM
Re: HP SANmanager HostAgent for OpenVMS & Security
it does not only require SYSTEM sto install, it REQUIRES the SYSTEM account to RUN!
And that means that anything auditted is also done by SYSTEM -- meaning, totally anonymous.
Well, as long as it IS the sole product running under system, anything deviant will be sought there first.
But: it SHOULD be so, that ANYTHING deviant by SYSTEM means deviant behavior by the system itself, and the quest for explanations should NOT be complicated by having to search any non-system activity!
Well, after Uwe's explanation, I guess we can give Erwin what he needs (and we definitely see the advantages, also to us, if he has access to the info the Agent supplies him with!).
Cheers.
Have one on me.
jpe
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-27-2004 07:43 PM
10-27-2004 07:43 PM
Re: HP SANmanager HostAgent for OpenVMS & Security
Mea Culpa. Just deducting on Jan's remarks. It gave me the impression that the product could only be installed from the PC. I should have read better.
Back to the issue:
To access the agent, the managent PeeCee must be supplied with the IP address of the node, the account name Administrator, root, or SYSTEM) and.....
the password of the SYSTEM account!!!
That OVSAM requires a privileged account in VMS is, as stated before, evident. IMHO, it could be any account with _sufficient_ privileges - and restricted access (NETWORK only, for instance). Using the SYSTEM account is the route taken by the innocent ;-).
On the PC side, I do NOT see the requirement of ADMINISTRATOR either. It could actually be ANY user there - with sufficient privileges, but, again, as little as possible.
Of course, the person in charge will have to be trusted as a system manager (at least, he's managing a part of the system) but that does not mean that ALL privileges will be required on ALL systems. Just the ones needed - as for ANY system manager.
But this potential security leak and the inability to pinpoint the offending user should be noted. So I am with Jan that "NO" is in fact the ONLY REASONABLE answer here. This is a case where HP should come with a good, proper solution for the VMS world.
Willem
OpenVMS Developer & System Manager
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-05-2005 11:54 PM
01-05-2005 11:54 PM
SolutionThanks to HP, there is a new version of all the products wich is cluster-aware. Runtime env. SYS$COMMON, specific env. in SYS$SPECIFIC.
But be happy, HP named the kits the same as the former ones. So you don't know which kit is on your system. the filenames are
HP-AXPVMS-V73173_HPOVSAMJR-V0301--1.PCSI
HP-AXPVMS-V73_HPOVSAMCA-V0302--1.PCSI
HP-AXPVMS-V73_HPOVSAMCP-V0302--1.PCSI
HP-AXPVMS-V73_HPOVSAMDA-V0302--1.PCSI
HP-AXPVMS-V73_HPOVSAMHA-V0302--1.PCSI
HP-AXPVMS-V73_HPOVSAMHB-V0302--1.PCSI
HP-AXPVMS-V73_HPOVSAMSG-V0302--1.PCSI
But the newer ones are slight bigger in size !
(resp. 99824, 352, 272, 480, 8304, 128 and 160 blocks)
To get this correct up and running: Remove all the old kits, procedures etc. and instal using OVMS_LOCAL_INSTALL.COM . I modified this file because this procedure asumes you are logged in as SYSTEM, what we never do !
So start all the needed processes using SUBMIT/USER=SYSTEM ...
So thank you HP for the new version, but which person has lost his mind by using the same filenames ! Maybe this (possible these) person(s) can be helpfull in other OSes but they are sure not thinking with OpenVMS reliability !
AvR
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-06-2005 12:27 AM
01-06-2005 12:27 AM
Re: HP SANmanager HostAgent for OpenVMS & Security
we finally have it more-or-less as desired.
Some more notes on the "SYSTEM" issue:
It has become clear that there are two ways to activate & configure the stuff:
1 - Which is in Erwin's expertise, and is the way a SAN manager with little VMS sysmgt support can do it, targetted at different platforms:
Activate install & config from the SAN mgt station. Indeed, that requires remote access to the SYSTEM account.
2 - (And I consider it our fault that we did not find out earlier, but maybe the install documentation could also have made it clearer)
Install and configure from VMS, by any sufficiently priv'd user. Of course, this ONLY configures the VMS view; but gives VMS-level control.
---- ANY decent VMS & SAN site should be using method 2 exclusively!
Mea Culpa:
most of the ranting in the above stream seems to stem from ignorance.
The SYS$COMMON vs SYS$SPECIFIC issue was real but has been resolved by the new patch version. If only they would also have updated the kit name, things would be perfect!
Proost.
Have one on me.
jpe
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-08-2005 09:09 AM
02-08-2005 09:09 AM
Re: HP SANmanager HostAgent for OpenVMS & Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-09-2005 11:06 PM
02-09-2005 11:06 PM
Re: HP SANmanager HostAgent for OpenVMS & Security
I've installed it and it works fine. The kits are mentioned in my previous answers.
Whe did installed it on VMS 7.3-2 with a lot of ECO's (i think till august 2004). But the kits are for 7.3, this should cover 7.3-1 as well.
One of the kits is DIALD, i don't know whitch, but you will notice.
Just install ALL the kits i mentioned.
AvR
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-09-2005 11:39 PM
02-09-2005 11:39 PM
Re: HP SANmanager HostAgent for OpenVMS & Security
New issies: new thread please.
Proost.
Have one on me.
Jan