HP 3PAR Policy Server Installation and Setup Guide

Abstract

This guide is intended to be used as a reference when installing and configuring HP 3PAR Policy Server. It contains administration-level information and some user configuration information for the Policy Server.
© Copyright 2011, 2012 Hewlett-Packard Development Company, L.P. Portions of this document are based on material copyrighted by Axeda Corporation © 2012. All rights reserved. Axeda is a registered trademark of Axeda Corporation. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S.
Contents
1 Introduction
2 HP 3PAR Policy Server and the HSQL Database
Security
User Authentication
1 Introduction

This document guides you through the steps of installing HP 3PAR Policy Server. After you have installed a new Policy Server, see the HP 3PAR Policy Server Administration Guide for information about starting the Policy Server components (if you did not start them at the end of installation), setting up user security, configuring asset groups and policies, backing up and restoring the Policy Server database, and troubleshooting Tomcat.
2 HP 3PAR Policy Server and the HSQL Database

HP 3PAR Policy Server (Policy Server or HP3PS) provides a solution that is designed to ensure only authorized access to, and use of, assets that are running Agent gateways or Policy Agents. Policy Server is a server-based application that resides on your network. Through the Policy Server user interface, you can set and control all permissions for assets.
available: View and Add/Edit. For the Audit Log component, only the View privilege is available. For the Remote (Sessions) component, the two privileges are View and End. View provides read-only access to the pages of a component, while Add/Edit provides read, write, and delete access to the pages and features of the component. For remote sessions, the End privilege allows the user to end a remote session.
Figure 1 HP 3PAR Policy Server configured to manage policies

How HP 3PAR Policy Server Works

The HP 3PAR Enterprise Server can send commands to Agent gateways and Policy Agents and receive responses to those commands. A command is typically a request to perform an action, such as uploading a file, setting the value of a data item, restarting the Agent, or executing a package. If a particular asset is not managed by HP 3PAR Policy Server, the Agent performs the requested action automatically.
sends a message to Policy Server requesting approval and a message to the Enterprise Server saying that it is requesting approval. When an Agent requests permission to perform an action, Policy Server sends an e-mail notification to the specified Policy Server user(s). Once the Policy Server users are informed of a requested action, they need to accept or deny the action within a defined timeout period.
Figure 2 Three assets under HP 3PAR Policy Server management

Essentials for Working with HSQL Database

The HSQL database server provides a standalone, open source, Java-based relational database to store and manage the Policy Server configurations. For more information about HSQLDB v2.2, refer to the documentation list at http://www.hsqldb.org/doc/2.0. This section provides the basic information you need before using the HSQL database with HP 3PAR Policy Server.
3 Preparation for Installation

This chapter explains what you need to know and do before running the Policy Server installer. If you are installing Policy Server for the first time, read through all of the following sections and collect the information you need. For information about silent installations, see “Silent Mode Installation and Uninstallation” (page 24).
Policy Server Components

The HP 3PAR Policy Server consists of three components: Policy Server, HSQL database, and OpenDS directory server, which all must be installed on the same system. Keep the following information in mind:
• Installing the Policy Server components includes Policy Server (server and Web-based application), Apache Tomcat, and optionally the appropriate Java Runtime Environment (JRE) for Policy Server.
• A JRE must exist on the machine where Policy Server is installed.
• SSL (HTTPS) - SSL encryption is strongly recommended for communications between your Policy Server and the Policy Agents and Agent gateways running on assets. This will require that a Certification Authority certificate is generated. Before running the installer, make sure of the following:
  ◦ Either port 443 or port 8443 is available.
  ◦ You know what the location of the certificate keystore file will be (for the "Keystore" property).
4 Installation

This chapter assumes that you have read “Preparation for Installation” (page 10) and collected the information needed to install Policy Server. You can use either the GUI mode version of the installer (recommended), described in “Installing Policy Server Using the GUI-Mode Installer” (page 13), or the console mode version, described in “Installing Policy Server in Console Mode” (page 34).
NOTE: This port will be disabled in the post-installation instructions (described later in this document).
9. In the E-mail Server screen, type the URL for your outgoing e-mail server (for example, mailServer.myCompany.com), and then click Next to display the System Error Notification Settings screen, shown here:
10. In the System Error Notification Settings screen, three of the four fields have default information you can keep.
12. In the SSL Configuration screen, do the following:
    • In the Enter the HTTPS listening port field, keep the default HTTPS listening port (8443).
    • In the Keystore field, type the path to the certificate keystore file on the machine. For example, type c:\hp-3par\keystore-ps.
    • In the Key PassPhrase and Confirm Key PassPhrase fields, enter the passphrase that you created for the certificate keystore.
    NOTE: The keystore file and directory are not created during installation.
16. Review your installation selections. If necessary, click Previous to return to previous screens and change the selections.
17. Click Install. You will see a progress bar while the installer copies the files to the machine. The installer also displays the following message while it installs, configures, and starts the OpenDS directory server: You may see additional messages while it installs the database and Policy Server; they pass by quickly.
5 Post-Installation Tasks

To complete the HP 3PAR Policy Server installation, you must take additional steps before the Policy Server can be used by a Service Processor. The following tasks must be completed before you configure a Service Processor to use this Policy Server:
• Enable SSL for the Policy Server.
• Update the Policy Server policies.

Enabling SSL for the Policy Server

The Service Processor (SP) communicates with the HP 3PAR Policy Server over SSL.
Updating Policy Server Policies Now that the Policy Server is up and running, the policies must be updated. To update the policies, use a supported web browser and connect to port 8443 by using the following URL: https://:8443 When you are connected to the Policy Server, you will be presented with a login screen. Sign in as the admin user. The default password is admin. NOTE: For information about how to change the default passwords, see “Changing Default Passwords” (page 26).
Figure 8 Start Remote Application
For the Start Remote Application policy, configure to ask for approval.
Figure 9 Start Remote Terminal
Figure 10 Stop Remote Application
NOTE: This policy is new for HP 3PAR Policy Server.
Figure 14 Data Item Values, Events, and Alarms
Figure 15 Restart Agent
Figure 16 Execute
Figure 17 Timers

Changing Passwords

This procedure is optional. For more information about how to change user passwords, see “Changing Default Passwords” (page 26).
6 Support and other resources

Contacting HP

Before You Contact HP

Be sure to have the following information available before you contact HP:
• Technical support registration number (if applicable)
• Product serial number
• Product model name and number
• Product identification number
• Applicable error message
• Add-on boards or hardware
• Third-party hardware or software
• Operating system type and revision level

HP Contact Information

For the name of the nearest HP authorized reseller
Customer self repair

HP products are designed with many Customer Self Repair parts to minimize repair time and allow for greater flexibility in performing defective parts replacement. If during the diagnosis period HP (or HP service providers or service partners) identifies that the repair can be accomplished by the use of a Customer Self Repair part, HP will ship that part directly to you for replacement.
7 Documentation feedback

HP is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hp.com). Include the document title and part number, version number, or the URL when submitting your feedback.
A Silent Mode Installation and Uninstallation

Currently, you can perform silent installations on Windows machines only. The installation package for HP 3PAR Policy Server is an InstallAnywhere installer. Keep in mind that if you are not using the default port for the OpenDS directory server (389), you will need to edit the OpenDS configuration file before starting the services. For any post-installation configuration, refer to the HP 3PAR Policy Server Administration Guide.
B Starting and Stopping Policy Server Manually

If you did not install Policy Server as a service or daemon and need to start and stop it manually, use the following procedures.

Starting Policy Server Components Manually

These instructions assume that you did not install the Policy Server and HSQL database as services.
NOTE: Due to limitations of Tomcat, the directory server MUST be running during startup or shutdown of Policy Server. Use the following sequence for starting and stopping the components.
1.
C Changing Default Passwords

During the installation of the HP 3PAR Policy Server, three users are created, each with a default password.
Changing the LDAP Directory Administrator Password

1. Stop the HP 3PAR Policy Server.
2. On the server that is running HP 3PAR Policy Server, open a command prompt, and then use the following procedure to change the LDAP Directory Administrator’s password.
   NOTE: The LDAP Directory Server does not need to be stopped.
   a. Change to the C:\Program Files (x86)\HP 3PAR\PolicyServer\OpenDS-1.0.0\bat directory:
      C:\> cd C:\Program Files (x86)\HP 3PAR\PolicyServer\OpenDS-1.0.0\bat
   b.
5. Start Policy Server.
D Configuring Service Processors to Use Policy Server

Service Processors must be configured to use HP 3PAR Policy Server. Only Service Processors that are running SP version 4.1 and later are supported. Use the CPMAINT utility to reconfigure the Policy Server.
1. From the SP command line, log in to CPMAINT.
2. In CPMAINT, select option 6.
3. Enter the IP address and port number (8443) of your Policy Server.
E Configuring the Policy Server for SSL by Using an Existing Certificate Infrastructure

For environments that have an existing certificate infrastructure, configuring the Policy Server for SSL requires the following procedures:
• Create a Certificate Signing Request (CSR).
• Using the CSR, have a Certificate Authority (CA) create an SSL certificate for the server.
• Install the new certificate in the Policy Server keystore.
• Install the CA certificate in the Policy Server keystore.
6. Create a certificate from the CSR that you just created. For example, on a system with an OpenSSL CA:
   a. Using a secure method, such as the scp command for network transfer or physical media (such as a USB drive or CDROM), transfer the tomcat.csr file to the system where the OpenSSL CA was created.
   b. Create a certificate from the tomcat.csr file.
      # openssl x509 -req -days 365 -in /tmp/tomcat.csr -CA cacert.pem -CAkey private/cakey.pem -set_serial 01 -out /tmp/tomcat.
7. Install the new certificate and CA certificate in the Policy Server keystore file:
   a. Transfer both the new certificate (tomcat.crt) and the OpenSSL CA certificate (cacert.crt) to the Policy Server server.
   b. Install both certificates in the Policy Server keystore file.
      • SSL Certificate:
        C:\Program Files (x86)\HP 3PAR\PolicyServer\jre\bin>keytool -import -trustcacerts -alias tomcat -file c:\hp-3par\tomcat.
Comment out the non-SSL configuration section in lines 78 to 81 by adding the text in line 76 (begin comment) and line 82 (end comment), as shown in the following figure. Then, save the file.
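A check for the step above, as an added example that is not part of the original guide: it parses a Tomcat configuration and reports any connector that is still active without SSL, plus an HTTPS connector on an unexpected port or without a keystore. It assumes the file being edited is Tomcat's server.xml; the sample XML, port 8080, the CHANGE_ME passphrase and the name audit_connectors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample connectors (not the shipped Policy Server file).
# Port 8443 and the keystore path follow the guide's examples; 8080 is made up.
PLAIN = '<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />'
TEMPLATE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    {plain}
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               keystoreFile="c:/hp-3par/keystore-ps" keystorePass="CHANGE_ME" />
  </Service>
</Server>"""
BEFORE = TEMPLATE.format(plain=PLAIN)                    # non-SSL section still active
AFTER = TEMPLATE.format(plain="<!-- " + PLAIN + " -->")  # non-SSL section commented out


def audit_connectors(server_xml_text, https_ports=(443, 8443)):
    """Return (port, problem) for each active <Connector> that is not a usable HTTPS one."""
    findings = []
    # ElementTree discards XML comments, so a commented-out connector is never visited.
    root = ET.fromstring(server_xml_text)
    for conn in root.iter("Connector"):
        port = int(conn.get("port", "0"))
        if conn.get("SSLEnabled", "false").lower() != "true":
            findings.append((port, "active connector without SSLEnabled"))
            continue
        if port not in https_ports:
            findings.append((port, "HTTPS connector on unexpected port"))
        if not conn.get("keystoreFile"):
            findings.append((port, "HTTPS connector has no keystoreFile"))
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_connectors(text) or "no findings")
```

An empty result means only the HTTPS connector is left listening; restart Tomcat after editing so the change takes effect.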