HP SANmanager HostAgent for OpenVMS & Security

 
Jan van den Ende
Honored Contributor

A "nice" one this time, I am afraid.

Our SAN manager (rightly) wishes to be able to monitor the SAN.

Therefore he uses HP SANmanager, which runs on a peecee, and has agents to supply it with the view of the SAN from the various systems using the SAN.

That includes an agent for VMS.

We were "not completely :-) :-)" happy upon trying to install it.

1. The package installs hard-coded in the SYS$SPECIFIC subdirectory structure. That includes a complete Java Runtime Environment.
--- what happened to the concept of SYS$COMMON ?

2. The installation needs the IP-address of the management station, and of the system.
While the management station is _intended_ to stay fixed, and at loss-and-replacement might well get the same IP number, our VMS systems all have multiple addresses.
Well, I guess in case of network maintenance and/or disturbance there is no need for SAN info?
Why should one have DNS anyway? Just overhead?

3. At the end of the installation the agent is starting up. Or tries to, and complains that it can ONLY be run by user SYSTEM.
Why would that be? We have a standard of having dedicated special privileged users for each privileged system function that needs to be done, where each user gets all, but only, the needed privileges, AND is prohibited from interactive login.
btw: the only documentation (PeeCee's Help) about needed privs is that the account should have "Administrator or root" access.

So, for now, we (reluctantly) started the agent from the SYSTEM account.

And now for the BIG FUN part.

To access the agent, the management PeeCee must be supplied with the IP address of the node, the account name (Administrator, root, or SYSTEM) and.....
the password of the SYSTEM account!!!

And our "NO" is the current impasse.

So, questions:

- anybody know a good reason to keep the total JRE environment SPECIFIC, so as to force it to be present multiple times, demanding multiple maintenance etc.

- the agent environment contains just two images (DIALD & HOSTWATCHDOG).
Would INSTALLing those with some (but WHICH?) privs relieve the need for a privd account?

--- Has anybody solved this in an acceptable way already?

Cheers anyway,

Have one on me.

Jan
Don't rust yours pelled jacker to fine doll missed aches.
Ian Miller.
Honored Contributor

Re: HP SANmanager HostAgent for OpenVMS & Security

That's one bad product :-(

The reason I was told for products including a JRE of their own was that if the sysman then upgraded the system wide JRE the product may stop working - apparently Java does not have a good record for backward compatibility and new versions break programs built for an older version.

Perhaps Uwe is best placed to comment but certainly send feedback to HP about this product.
____________________
Purely Personal Opinion
Jan van den Ende
Honored Contributor

Re: HP SANmanager HostAgent for OpenVMS & Security

Ian,

I know the argument about JRE upward compatibility.
Therefore it makes sense to have your JRE
___product___ specific.
(and that is what it is now: it is in a .JRE subdirectory of SANMGR),
but: WHY can SANMGR (including the JRE) not be a subdir of SYS$COMMON??
Or even MUCH more desired: WHY can it not be on ANY device of sysmgr's choice?
We try as much as possible to have our systemdisk to contain ONLY VMS itself, and everything else should go elsewhere.

PS
-- come to think of it: it is Willem's stick-horse.
We will probably soon meet this same issue as a CERT alert!


Cheers.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Uwe Zessin
Honored Contributor

Re: HP SANmanager HostAgent for OpenVMS & Security

Ah, yes. The product is currently called 'HP OpenView Storage Area Manager' (OVSAM, or simply SAM). It requires a powerful Windows 2000 server, not a simple PC. Apart from some strange things I believe it is a remarkable piece of software.

Username and Password are only required for the initial deployment of a host - the host agent receives the management server's UUID and is authorized back on the management server.

I haven't checked what services need to be opened for remote deployment (install from the management server) on OpenVMS, but you can install locally and then just 'add access' from the management server - at least on non-OpenVMS platforms ;-)


The problem with lots of different versions of Java that are each incompatible right down to the patch level, I think, can be fairly blamed on Sun. I've seen similar things when running multiple browser sessions.

Can't say anything about the SYS$SPECIFIC problem. I have done some OVSAM rollouts, but exactly the one with OpenVMS involved could not be finished, because we didn't have a HostAgent for OpenVMS V7.3-2 at that time. I haven't found time to play with this in our lab, yet.

I agree that some products are very badly adapted for OpenVMS - I really wonder if there is no cooperation in the company...

On other platforms, there are 3 processes:
- host agent
- hostwatchdog
- diald
.
Jan van den Ende
Honored Contributor

Re: HP SANmanager HostAgent for OpenVMS & Security

Uwe,


Username and Password are only required for the initial deployment of a host

at least you took away my GREATEST worry, hope.
Are you implying that the SYSTEM/password sequence is used only once (typed blind, I hope), and is GUARANTEED NOT saved in some peecee (&peecee-secure) file?


The problem with lots of different versions of Java that are each incompatible right down to the patch level,

Well, that still does NOT explain why ONE and the same version of a product would need multiple copies of exactly the same JRE.


but exactly the one with OpenVMS involved could not be finished, because we didn't have a HostAgent for OpenVMS V7.3-2

.. but this _IS_ all about that HostAgent!!

That still leaves the questions:
WHY does it have to run under the SYSTEM account?
WHY must the account have ALL privileges, instead of installing the images with the needed ones?

Looks like they took away all VMS-knowledge from the project just when it was most needed... :-) (oh me, slime, slime)

Cheers.

Have one on me.

Jan
Don't rust yours pelled jacker to fine doll missed aches.
Erwin van Londen
Valued Contributor

Re: HP SANmanager HostAgent for OpenVMS & Security

The product it involves is HP Storage Node Manager which is a part of OVSAM (OpenView Storage Area Manager). The SNM part is also part of the OVSOM package which is required to manage the EVA's. Another part of that package is Command View EVA. The SNM part is a replacement for Compaq Sanworks Network View which is currently end of life.
I used SNV quite a lot but it's not supported anymore.
The documentation on OVSNM and OVSAM is unfortunately very bad. It contains no technical information beside some system requirements and administrator configuration guidelines. (HP should fix that too :-))

The same problem arises on Tru64 (also in a cluster) but there the installation doesn't even work. (strange grep calls for nothing, can't handle DNS aliases, cluster ID's above 2 are not accepted etc etc). This makes it very hard to manage the stuff.

I hope (as Jan does) somebody (preferably HP) fixes these issues so we can all be happy :-).

regards,
Erwin van Londen
HP Master ASE SAN Architect.
https://erwinvanlonden.net
Jan van den Ende
Honored Contributor

Re: HP SANmanager HostAgent for OpenVMS & Security

... and some of you might already have guessed: the SAN manager I mentioned at the start of this thread IS Erwin!

Cheers.

Have one on me.

Jan
Don't rust yours pelled jacker to fine doll missed aches.
Uwe Zessin
Honored Contributor

Re: HP SANmanager HostAgent for OpenVMS & Security

Of course I cannot GUARANTEE that the username/password is not saved somewhere on the management server - I didn't write the software!!

OVSAM is expected to be installed onto an NTFS drive to provide a certain security. The data used for managing the HA deployment can be deleted, but there is no GUARANTEE that some bits are not cached somewhere on the disk - a lot of information is stored in an embedded database.

If you don't like to hand your standard password over to Erwin/ the management server, why not set a temporary one, just for the duration of the HA installation?


I think we all agree that the programmers of the OpenVMS HA are not very experienced with OpenVMS and clusters. *nobody* outside of HP can definitely answer your question why it is implemented that way, but perhaps that was a rhetorical question from you ...

Don't forget to complain to HP through your support channels - otherwise I think I can safely predict that *nothing* will happen.
.
Willem Grooters
Honored Contributor

Re: HP SANmanager HostAgent for OpenVMS & Security

Uwe,


I think we all agree that the programmers of the OpenVMS HA are not very experienced with OpenVMS and clusters.


and not only in that area. There are quite some more.
Not only that they are not experienced (which can easily be overcome) but, and that is my greatest worry, they seem to miss even the slightest idea and attitude to security in all aspects.

It would be a good thing if these people were educated BEFORE this 'junkware' was delivered. I cannot name it otherwise, since it does not fit into the VMS standards, as it ought to be. No matter the (probably great) functionality.

Jan,

That this program requires an account with privileges is evident. So they use the typical U*x way: take the root account - being SYSTEM on VMS. Installations, and certainly where it requires the SYSTEM account (there are more that need it...) should be conducted from the console only, right? No wait - these U*x guys don't know the concept....

It's a clear miss by HP that installation of the agent _requires_ (as it seems) that PC-software.

I wouldn't mind too much if that PC was:
* standalone (not connected to the network, just to the VMS box)
* switched off when not needed
* requires a secure password (Idea: could you use authentication against VMS? That would solve some problems!)

Willem
Willem Grooters
OpenVMS Developer & System Manager
Uwe Zessin
Honored Contributor

Re: HP SANmanager HostAgent for OpenVMS & Security

Please, please, don't make such claims when you are not familiar at all with the OVSAM architecture.

The host agent (HA) does not require "that PC-software" - you can install it locally from a CD-ROM and then authenticate it once at the management server using the SYSTEM account. The HA is simply useless when it is not communicating with the management server.


It is the OVSAM management server that uses the host agents to:

- properly map the fibre channel adapters of the servers to the storage area network and report their WWNs and firmware revisions

- properly map the LUNs that the server has access to their storage arrays

- collect file system usage data when the Storage Builder component is installed

- collect performance data when the Storage Optimizer component is installed (it's a bit more complicated, but it does not matter for our discussion)

It can live fine without host agents, but of course some information is missing, then.


The management server is used to monitor the health of the SAN. It needs to be connected to the network so that it can talk to the host agents, the fibre channel switches and other devices to monitor. It puts data into a database to preserve a history and you can create triggers to spawn actions on specific events. If you're keen to switch it off, well, then you should even avoid the trouble to set it up - it is a great time saver ;-)
.
Jan van den Ende
Honored Contributor

Re: HP SANmanager HostAgent for OpenVMS & Security

Willem,

it does not only require SYSTEM to install, it REQUIRES the SYSTEM account to RUN!

And that means that anything audited is also done by SYSTEM -- meaning, totally anonymous.
Well, as long as it IS the sole product running under system, anything deviant will be sought there first.
But: it SHOULD be so, that ANYTHING deviant by SYSTEM means deviant behavior by the system itself, and the quest for explanations should NOT be complicated by having to search any non-system activity!

Well, after Uwe's explanation, I guess we can give Erwin what he needs (and we definitely see the advantages, also to us, if he has access to the info the Agent supplies him with!).

Cheers.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Willem Grooters
Honored Contributor

Re: HP SANmanager HostAgent for OpenVMS & Security

Uwe,
Mea Culpa. Just deducting on Jan's remarks. It gave me the impression that the product could only be installed from the PC. I should have read better.

Back to the issue:


To access the agent, the management PeeCee must be supplied with the IP address of the node, the account name (Administrator, root, or SYSTEM) and.....
the password of the SYSTEM account!!!


That OVSAM requires a privileged account in VMS is, as stated before, evident. IMHO, it could be any account with _sufficient_ privileges - and restricted access (NETWORK only, for instance). Using the SYSTEM account is the route taken by the innocent ;-).

On the PC side, I do NOT see the requirement of ADMINISTRATOR either. It could actually be ANY user there - with sufficient privileges, but, again, as little as possible.

Of course, the person in charge will have to be trusted as a system manager (at least, he's managing a part of the system) but that does not mean that ALL privileges will be required on ALL systems. Just the ones needed - as for ANY system manager.

But this potential security leak and the inability to pinpoint the offending user should be noted. So I am with Jan that "NO" is in fact the ONLY REASONABLE answer here. This is a case where HP should come with a good, proper solution for the VMS world.

Willem
Willem Grooters
OpenVMS Developer & System Manager
Anton van Ruitenbeek
Trusted Contributor
Solution

Re: HP SANmanager HostAgent for OpenVMS & Security

Jan,

Thanks to HP, there is a new version of all the products which is cluster-aware. Runtime env. SYS$COMMON, specific env. in SYS$SPECIFIC.
But be happy, HP named the kits the same as the former ones. So you don't know which kit is on your system. The filenames are
HP-AXPVMS-V73173_HPOVSAMJR-V0301--1.PCSI
HP-AXPVMS-V73_HPOVSAMCA-V0302--1.PCSI
HP-AXPVMS-V73_HPOVSAMCP-V0302--1.PCSI
HP-AXPVMS-V73_HPOVSAMDA-V0302--1.PCSI
HP-AXPVMS-V73_HPOVSAMHA-V0302--1.PCSI
HP-AXPVMS-V73_HPOVSAMHB-V0302--1.PCSI
HP-AXPVMS-V73_HPOVSAMSG-V0302--1.PCSI
But the newer ones are slightly bigger in size !
(resp. 99824, 352, 272, 480, 8304, 128 and 160 blocks)

To get this correct up and running: Remove all the old kits, procedures etc. and install using OVMS_LOCAL_INSTALL.COM . I modified this file because this procedure assumes you are logged in as SYSTEM, which we never do !
So start all the needed processes using SUBMIT/USER=SYSTEM ...

So thank you HP for the new version, but which person has lost his mind by using the same filenames ! Maybe this (possibly these) person(s) can be helpful in other OSes but they are sure not thinking with OpenVMS reliability !

AvR
NL: Meten is weten, maar je moet weten hoe te meten! - UK: Measurement is knowledge, but you need to know how to measure !
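Added example, not part of the post above and not HP tooling: since the old and new kits share the file names listed in the post, this sketch triages a kit directory by size in 512-byte blocks against the figures quoted there, and records a SHA-256 per file so a site can pin the kit it actually installed. It assumes the quoted sizes are used blocks and that the kits have been copied somewhere Python can read them; the sample files it writes are constructed stand-ins, not real kits.

```python
import hashlib
import os
import tempfile

BLOCK = 512  # bytes per OpenVMS disk block

# Sizes in blocks that the post gives for the newer kits, in the post's order.
NEWER_KIT_BLOCKS = {
    "HP-AXPVMS-V73173_HPOVSAMJR-V0301--1.PCSI": 99824,
    "HP-AXPVMS-V73_HPOVSAMCA-V0302--1.PCSI": 352,
    "HP-AXPVMS-V73_HPOVSAMCP-V0302--1.PCSI": 272,
    "HP-AXPVMS-V73_HPOVSAMDA-V0302--1.PCSI": 480,
    "HP-AXPVMS-V73_HPOVSAMHA-V0302--1.PCSI": 8304,
    "HP-AXPVMS-V73_HPOVSAMHB-V0302--1.PCSI": 128,
    "HP-AXPVMS-V73_HPOVSAMSG-V0302--1.PCSI": 160,
}

def fingerprint(path):
    """Return (size in 512-byte blocks, SHA-256 hex digest) for one kit file."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
            size += len(chunk)
    return -(-size // BLOCK), digest.hexdigest()  # round up to whole blocks

def triage(directory, expected=NEWER_KIT_BLOCKS):
    """Map each .PCSI file in directory to (verdict, blocks, sha256)."""
    report = {}
    for name in sorted(os.listdir(directory)):
        if not name.upper().endswith(".PCSI"):
            continue
        blocks, sha = fingerprint(os.path.join(directory, name))
        want = expected.get(name.upper())
        if want is None:
            verdict = "unlisted"
        elif blocks == want:
            verdict = "size matches newer kit"
        else:
            verdict = "size differs from newer kit"
        report[name] = (verdict, blocks, sha)
    return report

def make_sample(directory, name, blocks):
    """Write a constructed stand-in file of the given size (not a real kit)."""
    with open(os.path.join(directory, name), "wb") as fh:
        fh.write(b"\0" * (blocks * BLOCK))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        make_sample(d, "HP-AXPVMS-V73_HPOVSAMHB-V0302--1.PCSI", 128)
        make_sample(d, "HP-AXPVMS-V73_HPOVSAMSG-V0302--1.PCSI", 150)  # constructed size
        for kit, (verdict, blocks, sha) in triage(d).items():
            print(f"{kit}: {verdict} ({blocks} blocks, sha256 {sha[:16]}...)")
```

A size match is only the coarse check the post describes; the recorded hash is what distinguishes two kits reliably once one of them has been identified.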
Jan van den Ende
Honored Contributor

Re: HP SANmanager HostAgent for OpenVMS & Security

So,

we finally have it more-or-less as desired.

Some more notes on the "SYSTEM" issue:

It has become clear that there are two ways to activate & configure the stuff:

1 - Which is in Erwin's expertise, and is the way a SAN manager with little VMS sysmgt support can do it, targeted at different platforms:
Activate install & config from the SAN mgt station. Indeed, that requires remote access to the SYSTEM account.

2 - (And I consider it our fault that we did not find out earlier, but maybe the install documentation could also have made it clearer)
Install and configure from VMS, by any sufficiently priv'd user. Of course, this ONLY configures the VMS view; but gives VMS-level control.

---- ANY decent VMS & SAN site should be using method 2 exclusively!


Mea Culpa:

most of the ranting in the above stream seems to stem from ignorance.

The SYS$COMMON vs SYS$SPECIFIC issue was real but has been resolved by the new patch version. If only they would also have updated the kit name, things would be perfect!

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
JKrucus
Frequent Advisor

Re: HP SANmanager HostAgent for OpenVMS & Security

I tried twice to install ovsam for VMS 7.3-1, but the diald pcsi file is missing. Did anyone else have this problem, and solve it?
Anton van Ruitenbeek
Trusted Contributor

Re: HP SANmanager HostAgent for OpenVMS & Security

Jkrucus,

I've installed it and it works fine. The kits are mentioned in my previous answers.
We did install it on VMS 7.3-2 with a lot of ECOs (I think till August 2004). But the kits are for 7.3, this should cover 7.3-1 as well.
One of the kits is DIALD, I don't know which, but you will notice.
Just install ALL the kits I mentioned.

AvR
NL: Meten is weten, maar je moet weten hoe te meten! - UK: Measurement is knowledge, but you need to know how to measure !
Jan van den Ende
Honored Contributor

Re: HP SANmanager HostAgent for OpenVMS & Security

Time to close this thread.

New issues: new thread please.

Proost.

Have one on me.

Jan
Don't rust yours pelled jacker to fine doll missed aches.