HP 3PAR Policy Manager Software User Guide

Abstract

This guide is intended to be used as a reference when installing, configuring, and maintaining HP 3PAR Policy Manager (Policy Manager). It contains administration-level information and some user configuration information for the Policy Manager.
© Copyright 2011, 2011 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents
1 Introduction
Related Documentation
Typographical Conventions
Advisories
Editing Existing Group Configurations
Configuring Group Notification Settings
Deleting Existing Groups
Finding and Removing Missing Devices
1 Introduction

Related Documentation

The following document provides information related to HP 3PAR Secure Service Architecture:

For information about… - Read the…
Configuring the Secure Service Custodian - HP 3PAR Secure Service Custodian Configuration Utility Reference

Typographical Conventions

This guide uses the following typographical conventions:

Typeface: ABCDabcd
Meaning: Used for dialog elements such as titles, button labels, and other screen
Example: When prompted, click Finish to complete the i
2 Overview What is the HP 3PAR Policy Manager? The HP 3PAR Policy Manager (Policy Manager) is a server-based software application that enables customers to control and monitor communications between the HP 3PAR Secure Service Custodian (Custodian) and the HP 3PAR Secure Service Collector Server (Collector Server). This server-based application resides on a customer's network and sets and controls all Secure Service Architecture permissions for the Custodians on that network.
Figure 1 HP 3PAR Policy Manager Configured to Manage Custodian Policies

How It All Works

The Secure Service Collector Server communicates with the Secure Service Custodian by posting requests for the Custodian and receiving its responses. These can be requests to perform actions, including uploading files, running applications, restarting, executing packages, setting data values on the Custodians, and so forth. These requests are discovered by the Custodians upon subsequent pings.
recipients are informed of the requested action. They then need to accept or deny the action within a defined timeout period.
• If the action is accepted, the Policy Manager notifies the Custodian that the action is accepted. If applicable, the Custodian notifies the Collector Server that the action was approved, and then it performs the action as requested.
• If the user denies the action, the Policy Manager sends the action back to the Custodian as denied.
3 Installing the HP 3PAR Policy Manager

The HP 3PAR Policy Manager installation includes all components needed to manage policies on Custodians. The Policy Manager can be hosted on a computer running a supported Windows operating system and connected to Custodians via a network connection.

NOTE: The Secure Service Custodian is configured to connect to the Policy Manager at a specified IP address or host name.
4. 5. 6. After clicking Next at the Introduction, provide the following information when prompted:
• Installation directory for all of the installed software components.
• Port number (listening port) of the computer through which the Policy Manager communicates with Custodians. The default port is 8080.
• Your organization’s email server and email domain name.
• The sender’s email address. The source address is 3PAR_SSPM@3par.com.
• The administrator’s email address.
4 Configuring Users Overview After installing the server, you need to configure the users and groups with privileges for the HP 3PAR Policy Manager, and modify the Policy Manager configuration settings for your specific use of the server. User configuration is performed through the Apache Tomcat file realm. To manage the user configuration, you need to start the server and then log into the Tomcat server. NOTE: One other Policy Manager configuration file, log4j.
1. Start the server on your local machine. a. Start your Web browser. b. Enter the local host IP address/listening port in the browser’s address bar, and then /admin (for example, 123.456.789.111/8080/admin), and press ENTER. The HP 3PAR Tomcat Server Administration Tool appears (Figure 2 (page 12)). Figure 2 HP 3PAR Tomcat Server Administration Tool 2. Type your Tomcat5 user name and password and click Login.
3. Under User Definition, click Users. The Users List pane appears.
4. From the User Actions list, select Create New User.
NOTE: User names and passwords are case-sensitive.
Figure 4 Creating a User
5. 6. 7. 8. 9. Enter the user name, password, and full name of the user for logging into the application. Select the groups and roles in which this user is to be defined. Each user can be defined in multiple groups and roles.
5 Starting the HP 3PAR Policy Manager Starting HP 3PAR Policy Manager By default, once HP 3PAR Policy Manager has been installed, Policy Manager is started as a service in Windows. In order to set policies in Policy Manager, you must start Policy Manager’s user interface. Starting the Policy Manager User Interface To start Policy Manager’s user interface, perform the following: 1. Open your Web browser. 2. Enter the local host IP address and/or listening port in the browser’s address bar and press enter.
Figure 6 Policy Manager User Interface WARNING! You need to modify the list of users and their passwords in Tomcat5; when doing so, you should remove this default user name and password to ensure security is not at risk. Stopping HP 3PAR Policy Manager To stop HP 3PAR Policy Manager, perform the following: 1. Click Start→Control Panel→Administrative Tools→Services. 2. In the Services window, select HP 3PAR Policy Manager. 3. Click Stop the service.
6 Understanding the User Interface Overview of the User Interface The HP 3PAR Policy Manager user interface allows you to set and control all permissions for the HP 3PAR Secure Service Custodians on your network, and allows you to enable only authorized access and use of managed Custodians.
Home Tab

The Home tab is the first viewable tab upon logging into HP 3PAR Policy Manager (Figure 8 (page 17)).

Figure 8 The Home Tab

The Home tab provides quick links to commonly performed tasks within Policy Manager. These links are described in Table 1 (page 17).

Table 1 Home Tab Links

Link - Description
View All Requests - Displays the most recent permission requests received from the managed devices for approval. Up to five pending requests for all groups are displayed.
Policy Tab The Policy tab allows you to view and modify policy settings for each HP 3PAR Policy Manager action (Figure 9 (page 18)). For instructions on using the Policy tab, see “Working in the Policy Tab” (page 24). Figure 9 Policy Tab By default, the policy settings for the parent group are displayed on the Policy tab. To display the policy settings for a different group, click Explore Device Groups and select from the listed groups.
Table 2 Policy Tab Column Descriptions (continued) Column Name Description right of Ask for Approval is not available for the following actions: • Set Time • Alarms • Events • Data Item Values • Emails Inheritance Identifies the group level from which permissions inherit their access rights and settings. For example, if the Inheritance column displays ITGroup for the permissions of the Emails action, then the permissions settings are inherited from the ITGroup group policy.
Sorting Policy Columns The contents of the Action, Permission, Access Right, Inheritance, and Lock columns can be sorted to facilitate locating specific actions and their parameters. • The Action, Permission, and Inheritance columns can be sorted alphabetically by clicking the column headers. Once sorted, an arrow (up or down) is displayed next to the column header. displays the Action column after clicking the header.
Figure 13 Pending Requests Tab

The list of requests is generated in a table, which is described as follows:

Column Name - Description
Device - The name of the device (alias name) sending the request.
Device Description - A user-defined definition, or default description created by Policy Manager, of the device. The device description includes the model name and serial number.
Request Date - A time stamp of when the action was initiated on the device.
Figure 14 Audit Log Tab Audit messages consist of any activity Policy Manager audits during operation, and can include the following: • All requests and commands from the HP 3PAR Secure Service Collector Server that are processed by agents (including remote access sessions), including all successful, failed, or denied commands.
preexisting group, a new group is created for that device. For information on how this tab is used in Policy Manager tasks, see “Using HP 3PAR Policy Manager” (page 24).
7 Using HP 3PAR Policy Manager Policy Inheritance and Hierarchy HP 3PAR Policy Manager manages device policies and notification settings through a hierarchy of groups and standard parent-child relationships. There is one global group, named Global by default (this name can be changed). The Global group is a parent (or grandparent, depending upon the child group's level in the hierarchy) group to all other groups defined in Policy Manager.
For example: • The Restart Agent action controls whether or not the device will perform a requested hard restart; there are no specific parameters for this action. • The Package action controls whether or not a device can accept a Software Management package from the Secure Service Collector Server. The Collector Server package actions support the name of the package and version of the package. Each parameter can use explicit values or wild cards.
Table 3 Actions with Base Installation (continued) Action Description Modify Ping Update Rate Determines whether or not the Custodian accepts a new ping rate (frequency, in seconds, that the Custodian contacts the Collector Server) from the Collector Server, or needs to receive approval for the permission first rate. This action has no specific parameters.
2. Click a group to view that group’s policy settings. The View or change the policy settings for page appears displaying the selected group’s policy information.

Figure 19 Viewing Policies for a Selected Group

Editing Permissions

As stated earlier, each action requires a permission. By default, each action has a permission that is made up of a set of parameters and an associated access right.
1. On the View or change the policy settings for page in the Policy tab, click the permission you wish to modify. The Edit the selected permission for page appears (Figure 20 (page 28)). Figure 20 Editing Permissions 2. Enter a new name and permission description in the Name and Description fields, respectively, and click Next. The Edit the parameters for of page appears (Figure 21 (page 28)).
3. Enter the new parameter (for example, a script name or a file name) and click Finish. NOTE: You can use partial values in conjunction with wildcards (*) to specify all applicable values. For example, for a Run Script action you can type a script name of ACME*.pl. This policy will apply to all Run Script actions that are defined to run Perl-based scripts with names starting with "ACME". Other examples include *.log, which applies to all .log files on the device, and notepad.
Assigning Access Rights After setting an action and its permission, you assign it an access right. An access right specifies how you want the individual devices to handle the related permission. There are three types of access rights: • Always Allow - the Secure Service Custodian can execute these permissions without asking for approval or sending the action information to Policy Manager. To see which actions of Always Allow rights were performed on a device, refer to the device's log file.
access right, and a Package action has an Always Allow access right, and a script is created in a package, the package permission supersedes that script’s access right. The Custodian sees the Package action and executes it automatically (because it has an Always Allow access right). The Custodian and Policy Manager do not see the script in the package. The action of accepting or denying the execution of a package on a device applies to the entire contents of the package.
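The wildcard parameters and the package precedence described above can be modelled to find scripts that reach a device without review. The following Python sketch is an added example, not HP code and not part of the original guide; first-match permission order, the Ask for Approval default, case-sensitive matching, and the sample policy and package names are all assumptions made for illustration.

```python
import re

ALWAYS_ALLOW = "Always Allow"
ASK = "Ask for Approval"

def matches(pattern, value):
    """'*' is the only wildcard; every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def access_right(policy, action, parameter, default=ASK):
    """Return the right of the first permission whose pattern matches.
    First-match order and the default are assumptions of this sketch."""
    for pattern, right in policy.get(action, []):
        if matches(pattern, parameter):
            return right
    return default

def evaluate_package(policy, package_name, contents):
    """Only the Package action is evaluated. 'contents' is deliberately
    unused: the guide says scripts inside a package are not seen."""
    return access_right(policy, "Package", package_name)

def scripts_bypassing_review(policy, packages):
    """List (package, script) pairs where an auto-approved package carries
    a script that would need approval if sent as a Run Script action."""
    findings = []
    for name, scripts in packages.items():
        if evaluate_package(policy, name, scripts) != ALWAYS_ALLOW:
            continue
        for script in scripts:
            if access_right(policy, "Run Script", script) != ALWAYS_ALLOW:
                findings.append((name, script))
    return findings

# Constructed sample policy and package inventory (not from the guide).
POLICY = {
    "Run Script": [("ACME*.pl", ALWAYS_ALLOW), ("*", ASK)],
    "Package": [("diag-*", ALWAYS_ALLOW), ("*", ASK)],
}
PACKAGES = {
    "diag-2011": ["ACME_collect.pl", "cleanup.sh"],
    "firmware-update": ["install.sh"],
}

if __name__ == "__main__":
    for finding in scripts_bypassing_review(POLICY, PACKAGES):
        print("auto-approved package %s carries %s" % finding)
```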
Setting Access Rights for All Policy Permissions

If you want to change the access rights for all permissions in a policy to a single right, perform the following:
1. On the View or change the policy settings for page, select the Set All Permissions check box.
2. Select an access right from the drop-down list.
3. Click Done. All permissions are set to the selected access right for the current policy only.
2. In the Create new group configurations page, type or select the properties to define this group (see Figure 26 (page 33)). NOTE: The next time an agent connects to Policy Manager, you can change the parent group of that device so that it inherits the policy and notification settings defined for your new group. Figure 26 Entering Group Information Editing Existing Group Configurations You can change the name of a device or group to be more meaningful to your purposes.
1. On the Select a group to view its group configuration settings page in the Configure tab, select the group you wish to edit. The View and edit the settings for page appears (Figure 27 (page 34)).
Figure 27 Editing a Group
2. Edit the group information and hierarchy as necessary by editing the Name and Description fields. You can also select a new parent group from the Parent Group list.
3. Click Submit to commit the changes.
2. In the Notification Information section of the page, define the following: • To - The recipient(s) (identified by Email address) of the Email notification. • From - The Email address of the individual or server sending the Email notification. • Subject - Subject line for the Email message. • Body - Body or actual content for the Email message. Within the subject line or body of the notification, you can include one or more supported substitution parameters.
2. Click Delete Group and then OK when prompted for confirmation to delete the selected group (Figure 28 (page 36)).

Figure 28 Deleting a Group

Finding and Removing Missing Devices

If a device is not online or connected to Policy Manager, Policy Manager may be enforcing an outdated policy. This could mean the device is permitting actions that should be denied or denying actions that it should be performing.
1. On the Configure tab, click Search→Missing Devices.
Figure 29 Searching for Missing Devices
The View and remove missing devices page appears. Any devices shown on this page have missed their last contact (ping) with Policy Manager and are considered offline.
Figure 30 Viewing Missing Devices
2. Select the check box next to the missing device(s) you wish to remove.
3. Click Remove Selected Missing Devices.
4. Click OK when prompted for confirmation to delete the selected device(s).
Pending requests are shown in the Pending Requests tab. You can view all requests pending for the following: • All groups • A selected group • A selected device. Accepting and Denying Requests To accept or deny a request, perform the following: 1. On the View all pending single or container requests for page in the Pending Requests tab select Accept or Deny from the drop-down list (Figure 31 (page 39)). Figure 31 Accepting and Denying Pending Requests 2.
The View all actions in selected pending requests page appears displaying all actions packaged in the pending action container. From this page you can view additional information for an action, as well as accept or deny a pending action container. Working in the Audit Log Tab The audit log shows all activity generated by Policy Manager and activity as sent in XML messages from the Custodian. You can view all audit log entries, entries for a selected group, or a selected device (Figure 31 (page 39)).
Viewing Audit Logs As stated earlier, you can view all audit log entries, entries for a selected group, or a selected device. By default, audit log entries are displayed for the Global (parent) group and all of its subgroups (children), as shown in Figure 31 (page 39). • To view audit log entries for only the Global (parent) group, on the View audit log entries for page in the Audit Log tab, click Show audit log entries for the selected group only.
• A Policy Manager user modifies a policy. • A Policy Manager user creates, modifies, or deletes an action permission from a policy. Custodian entries are generated when: • An agent registers with Policy Manager. • An agent forwards a message or command received from the Collector Server; for example, messages about operations that were successful, failed, and denied. • An agent sends a request to perform an action that has a permission access right of Ask for Approval.
8 Troubleshooting and Maintenance

When Tomcat5 is operating in standalone mode, you may need to troubleshoot for the following functionality:

Troubleshooting

Problem - Another web server or other process is operating on port 8080, which is the default
Solution -
1. Modify the server.xml file and replace port 8080 with another, unused port greater than 1024 (because ports of 1024 or less require super user access for binding).
2.