HP-UX AAA Server A.06.01 Administrator's Guide: HP-UX 11.0, 11i v1, 11i v2 > Chapter 3 Securing the HP-UX AAA Server

Environment Specific Security Procedures


Depending on the needs of your environment, you may wish to perform any of the following procedures for additional security:

Using SSL (HTTPS) for Secured Remote Server Manager Administration

Use the following steps to configure SSL (HTTPS):

  1. Generate a certificate for Tomcat to establish the SSL connection. Use the following steps to create a self-signed certificate with the Java command line utility keytool:

    1. Remove $HOME/.keystore if it already exists.

    2. Enter the following command: export JAVA_HOME=/opt/java1.4

    3. Enter the following command:

      $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

    4. Enter a password for the key store when prompted.

    5. Enter the certificate information (company, contact name, etc.) when prompted. This information must be accurate because it will be displayed to users who attempt to administer Server Manager.

    6. Enter a password for the key when prompted. Use the same password you used for the key store.

  2. Uncomment the following block in /opt/hpws/tomcat/conf/server.xml by removing the <!-- and --> lines that surround the Connector element (the one-line "Define a SSL ..." comment above it stays):

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <!--
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true"
               acceptCount="10" debug="0" scheme="https" secure="true"
               useURIValidationHack="false">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="false" protocol="TLS" />
    </Connector>
    -->
  3. Add the keystorePass attribute to the Factory element you just uncommented in /opt/hpws/tomcat/conf/server.xml so that Tomcat can open the key store and key. Add the attribute as shown in the following:

      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="false" protocol="TLS" keystorePass="<password>" />

    IMPORTANT: Replace "<password>" with the password used to generate the key store in Step 1.
  4. Stop and start Tomcat:

    • Stop - /opt/hpws/tomcat/bin/shutdown.sh

    • Start - /opt/hpws/tomcat/bin/startup.sh

  5. Point your web browser to: https://<hostname>:8443/aaa
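The following script is an added example and is not part of the HP-UX AAA Server guide or the HP web server suite. It audits the result of the procedure above: it confirms that the 8443 Connector is no longer inside an XML comment, that keystorePass has been set to something other than the "<password>" placeholder, and that server.xml is not world-readable (the keystore password sits in the file in clear text). Both server.xml fragments, the "example-keystore-pw" value and the working directory are constructed for the demonstration; to audit a real host, call the three functions with /opt/hpws/tomcat/conf/server.xml instead.

```shell
#!/bin/sh
# Added example, not part of the HP-UX AAA Server guide: post-configuration
# checks for the SSL connector procedure. The two server.xml fragments below are
# constructed for the demonstration; pass the real
# /opt/hpws/tomcat/conf/server.xml to the functions to check an actual host.
WORK="${TMPDIR:-/tmp}/aaa-ssl-check.$$"
mkdir -p "$WORK"

# Constructed "before" fragment: the SSL connector is still inside <!-- -->.
cat > "$WORK/server-before.xml" <<'EOF'
<Service name="Tomcat-Standalone">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8081" minProcessors="5" maxProcessors="75"
               enableLookups="true" redirectPort="8443"
               acceptCount="10" debug="0" connectionTimeout="20000"
               useURIValidationHack="false" disableUploadTimeout="true" />
    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <!--
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true"
               acceptCount="10" debug="0" scheme="https" secure="true"
               useURIValidationHack="false">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="false" protocol="TLS" />
    </Connector>
    -->
</Service>
EOF

# Constructed "after" fragment: steps 2 and 3 applied (comment markers removed,
# keystorePass added with a made-up value).
sed -e '/^    <!--$/d' -e '/^    -->$/d' \
    -e 's|protocol="TLS" />|protocol="TLS" keystorePass="example-keystore-pw" />|' \
    "$WORK/server-before.xml" > "$WORK/server-after.xml"

# Returns 0 when a Connector element outside any XML comment carries
# scheme="https"; the commented-out template in a stock server.xml does not count.
ssl_connector_enabled() {
    awk '
        /<!--/                          { c = 1 }      # entering a comment
        !c && /<Connector/              { conn = 1 }
        !c && conn && /scheme="https"/  { found = 1 }
        /-->/                           { c = 0 }      # leaving the comment
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Returns 0 when an uncommented keystorePass is set to something other than the
# literal "<password>" placeholder from the guide.
keystore_pass_set() {
    awk '
        /<!--/ { c = 1 }
        !c && /keystorePass="[^"]+"/ && !/keystorePass="<password>"/ { found = 1 }
        /-->/  { c = 0 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Returns 0 when "other" can read the file. keystorePass is stored in server.xml
# in clear text, so the file should not be world-readable.
world_readable() {
    case "$(ls -ld "$1" | cut -c8)" in
        r) return 0 ;;
        *) return 1 ;;
    esac
}

for f in "$WORK/server-before.xml" "$WORK/server-after.xml"; do
    chmod 600 "$f"
    echo "$f:"
    ssl_connector_enabled "$f" && echo "  https connector: enabled" \
                               || echo "  https connector: still commented out"
    keystore_pass_set "$f"     && echo "  keystorePass: set" \
                               || echo "  keystorePass: missing or placeholder"
    world_readable "$f"        && echo "  mode: world-readable, tighten with chmod 600" \
                               || echo "  mode: not world-readable"
done
```

The awk checks track <!-- and --> markers so that the commented-out template shipped in a stock server.xml is not mistaken for an enabled connector; a plain grep for scheme="https" would report success before step 2 was ever done.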

Creating a Tomcat Identity Specifically for the HP-UX AAA Server

If several applications use Tomcat, you may want to configure Tomcat with a user name and password specific to the AAA Server, so that all other applications using Tomcat use a different user name and password. Use the following steps:

  1. Search for the following line in /opt/hpws/tomcat/conf/server.xml:

    <!-- Tomcat Examples Context -->

    Add the following above this line:

    <Context path="/aaa" docBase="aaa" debug="0"
             reloadable="false" crossContext="false">
      <Realm className="org.apache.catalina.realm.MemoryRealm"
             debug="0" pathname="conf/aaa-users.xml"/>
    </Context>
  2. Open /opt/hpws/tomcat/conf/aaa-users.xml.

  3. Replace "adminaaa" with the new user name and password.

  4. Enter the following command: export JAVA_HOME=/opt/java1.4

  5. Stop Tomcat if it is running: /opt/hpws/tomcat/bin/shutdown.sh

  6. Start Tomcat: /opt/hpws/tomcat/bin/startup.sh

  7. Stop the RMI objects if they are running: /opt/aaa/remotecontrol/rmistop.sh

  8. Start the RMI objects: /opt/aaa/remotecontrol/rmistart.sh

  9. Point your web browser to: http://<hostname>:8081/aaa

  10. Log in with the new AAA Server-specific user name and password.

Running the HP-UX AAA Server as a Non-Root User

Some organizations require network server processes to run as a non-root user. Use the following steps to run the AAA server as a non-root user:

  1. Login to the system as the root user.

  2. Use the following command to start the RMI objects as the aaa user:

    su - aaa -c /opt/aaa/remotecontrol/rmistart.sh
  3. Use the following command to start Tomcat as the www user:

    su - www -c "export JAVA_HOME=/opt/java1.4; /opt/hpws/tomcat/bin/startup.sh"
  4. Point your web browser to: http://<hostname>:8081/aaa

NOTE: Any log files created while the AAA server was running as the root user will not be accessible after performing this procedure. To view these log files, change their ownership (they still belong to the UID that created them) so that the non-root user can read them. See the chown man page for more information (man chown).

Setting the HP-UX AAA Server to Start as Non-Root User After Reboot

Use the following steps:

  1. Set the RADIUSD variable to 1 in /etc/rc.config.d/radiusd.conf.

  2. Open /sbin/init.d/radiusd.rc and look for the following entry:

    DAEMONNM=radiusd
    CONFFILE=$AAAPATH/clients
    DAEMONEXE=/opt/aaa/bin/${DAEMONNM}

  3. Change the DAEMONEXE line as follows to set radiusd to start as the aaa user after reboot:

    Change: DAEMONEXE=/opt/aaa/bin/${DAEMONNM}

    To: DAEMONEXE="/usr/bin/su - aaa -c /opt/aaa/bin/${DAEMONNM}"

  4. Look for the following entry:

    echo "$DAEMONNM started with <$retval>"
    if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]]; then
        /usr/bin/nohup /opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1
    fi

  5. Change the command in the then branch as follows, so that the RMI objects start as the aaa user after reboot:

    Change:

    if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]]; then
        /usr/bin/nohup /opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1
    fi

    To:

    if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]]; then
        /usr/bin/nohup /usr/bin/su - aaa -c /opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1
    fi
  6. Look for the following entry:

    # stop the daemon!!!
    if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]]; then
        /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1
    fi

  7. Change the command in the then branch as follows, so that the RMI objects are stopped as the aaa user during shutdown:

    Change:

    if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]]; then
        /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1
    fi

    To:

    if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]]; then
        /usr/bin/su - aaa -c /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1
    fi
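The following script is an added example and is not part of the HP-UX AAA Server guide. It applies steps 2 through 7 of the reboot procedure above to a copy of radiusd.rc with sed, verifies that all three entries (DAEMONEXE, rmistart.sh and rmistop.sh) now go through "su - aaa -c" and that none of the original root-form lines remain, and, for the NOTE in the preceding section, lists log files whose owner does not match the user the daemon now runs as. The radiusd.rc fragment, the log directory and the log file name are constructed for the demonstration; run wrap_as_user against a copy of /sbin/init.d/radiusd.rc and inspect the diff before replacing the real file.

```shell
#!/bin/sh
# Added example, not part of the HP-UX AAA Server guide: script the radiusd.rc
# edits from the "start as non-root user after reboot" procedure, verify them,
# and find log files left behind with the wrong owner. The rc fragment and log
# directory below are constructed for the demonstration.
WORK="${TMPDIR:-/tmp}/aaa-nonroot.$$"
mkdir -p "$WORK/log"

# Constructed copy of the three radiusd.rc regions the procedure edits.
cat > "$WORK/radiusd.rc" <<'EOF'
DAEMONNM=radiusd
CONFFILE=$AAAPATH/clients
DAEMONEXE=/opt/aaa/bin/${DAEMONNM}
        echo "$DAEMONNM started with <$retval>"
        if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]]; then
            /usr/bin/nohup /opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1
        fi
        # stop the daemon!!!
        if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]]; then
            /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1
        fi
EOF

# Rewrite the three lines so radiusd, rmistart.sh and rmistop.sh run through
# "su - USER -c". Every pattern anchors on the original root form, so running
# the function a second time leaves an already-wrapped line alone.
wrap_as_user() {
    f=$1; u=$2
    sed -e 's|^DAEMONEXE=/opt/aaa/bin/\${DAEMONNM}$|DAEMONEXE="/usr/bin/su - '"$u"' -c /opt/aaa/bin/${DAEMONNM}"|' \
        -e 's|^\([[:space:]]*\)/usr/bin/nohup /opt/aaa/remotecontrol/rmistart.sh |\1/usr/bin/nohup /usr/bin/su - '"$u"' -c /opt/aaa/remotecontrol/rmistart.sh |' \
        -e 's|^\([[:space:]]*\)/opt/aaa/remotecontrol/rmistop.sh |\1/usr/bin/su - '"$u"' -c /opt/aaa/remotecontrol/rmistop.sh |' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Returns 0 when all three wrapped forms are present and no root form remains.
runs_as_user() {
    f=$1; u=$2
    grep -qF 'DAEMONEXE="/usr/bin/su - '"$u"' -c /opt/aaa/bin/${DAEMONNM}"' "$f" &&
    grep -qF 'nohup /usr/bin/su - '"$u"' -c /opt/aaa/remotecontrol/rmistart.sh ' "$f" &&
    grep -q  '^[[:space:]]*/usr/bin/su - '"$u"' -c /opt/aaa/remotecontrol/rmistop.sh ' "$f" &&
    ! grep -q '^DAEMONEXE=/opt/aaa/bin/' "$f" &&
    ! grep -qF 'nohup /opt/aaa/remotecontrol/rmistart.sh' "$f" &&
    ! grep -q  '^[[:space:]]*/opt/aaa/remotecontrol/rmistop.sh' "$f"
}

# Log files written while the daemon ran as root stay root-owned and are then
# unreadable to the new account. Print every regular file under DIR that is not
# owned by USER so its ownership can be corrected with chown.
stale_logs() {
    dir=$1; u=$2
    find "$dir" -type f ! -user "$u"
}

cp "$WORK/radiusd.rc" "$WORK/radiusd.rc.orig"
wrap_as_user "$WORK/radiusd.rc" aaa
wrap_as_user "$WORK/radiusd.rc" aaa        # second run must be a no-op
echo "lines now routed through su:"
grep -n 'su - aaa' "$WORK/radiusd.rc"
if runs_as_user "$WORK/radiusd.rc" aaa; then
    echo "radiusd.rc: all three entries now run as aaa"
fi

: > "$WORK/log/radius.log"                  # constructed log file, owned by whoever runs this
echo "log files not owned by $(id -un):"
stale_logs "$WORK/log" "$(id -un)"
```

On the real host the equivalent check after the procedure is stale_logs against the AAA Server log directory with the user name aaa; each file it lists needs chown before the non-root radiusd can write or read it.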
© 2001-2004 Hewlett-Packard Development Company, L.P.