HP Software Universe, Hamburg, Germany, 12th-14th November. Tutorial id: fr-1130/2
© 2003 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
DCE daemonless and outbound-only communication with HP OpenView Operations (fr-1130/2)
Volker Gaertner & Stefan Bergstein, OpenView R&D, November 14th 2003
page 3, November 12th-14th, 2003, HP Software Universe
Agenda
Why bother? What's the problem?
DCE-daemonless communication (Volker Gaertner)
1. Current DCE RPC communication
2. DCE RPC communication without endpoint mapper
3. Configuration on managed nodes and management server(s)
4. Examples
Outbound-only communication (Stefan Bergstein)
1. The problem: no inbound connections allowed
2. SSH functionality - concept of tunneling and port forwarding
3. OVO outbound-only using SSH tunnel
4. Configuring OVO - using SSH port forwarding
Why bother? What’s the problem?
Managed environment
[Diagram: an OVO Server in the Intranet and managed nodes running the OVO Agent in the Intranet, the DMZ, a customer site and the Internet, separated by firewalls that permit outbound connections only. The inbound port 135 connections that OVO normally needs are marked as the exposure: attack on port 135, or DCE lookup and then attack on another port.]
Normally, OVO requires inbound communication on port 135 and other ports, but this can be avoided with the daemonless communication and SSH tunnels.
Current problems
• Recent virus attacks on port 135 (not only on Windows!)– Customers don’t want to open port 135 on their firewall at all– Shutdown the port mapper (dced) on system in the DMZ
• Inbound communication– Current concept: message agent sends alarm/message
immediately to inform operator as fast as possible (no polling) – Requires inbound communication (agent initiates communication)
Current DCE RPC communication
Current DCE RPC Communication
1. The RPC server starts up. Either the RPC server (via opcinfo variable) or the OS selects the port on which the RPC server will be listening. The RPC server registers itself with this port at the local DCE endpoint mapper*.
2. The endpoint mapper stores this information in its database.
[Diagram: RPC client, endpoint mapper (port 135) with its endpoint mapper DB, and RPC server; steps 1 and 2 are the server's registration.]
* dced on Unix, RPC Service on Windows
Current DCE RPC Communication (cont.)
3. The RPC client starts and does not know the server's port. It queries the endpoint mapper with
   – the type of server it wants to contact
   – and some additional interface specification uniquely identifying the target server.
4. The endpoint mapper returns the port number.
5. The RPC client can now contact the desired RPC server directly.
[Diagram: RPC client, endpoint mapper (port 135) with its endpoint mapper DB, and RPC server; steps 3 and 4 are the lookup, step 5 the direct connection.]
DCE RPC Communication without Endpoint Mapper
DCE RPC Communication w/o Endpoint Mapper
A. The RPC server starts up. It reads its port from the opcinfo variable (OVO agent) or registry key (OVO/W management server) OPC_COMM_PORT_RANGE. It does not register anywhere and simply listens at this port.
[Diagram: RPC client and RPC server; in step A the server reads its port from opcinfo or the Windows registry. There is no endpoint mapper.]
DCE RPC Communication w/o Endpoint Mapper (cont.)
B. The RPC client determines from its local configuration that the RPC server must be contacted without an endpoint mapper lookup. It reads the name of the server port specification file from opcinfo or the registry.
C. The RPC client reads the desired RPC server port from the server port specification file, based on the server type and target node.
D. The RPC client now contacts the RPC server directly.
[Diagram: the RPC client reads opcinfo or the Windows registry (B), then the port configuration file (C), then contacts the RPC server directly (D).]
OVOW daemonless communication
Server:
• message action server is using one customer defined port
• message action server and the deployer can communicate directly to the agent (without remote DCE lookup)
Agent:
• no endpoint mapper on the agent
• control agent (opcctla) is using one customer defined port
• control agent does not register at the local endpoint mapper
• message agent can communicate directly to the server (without remote DCE lookup)
Available remote functionality: no change, everything is possible:
1) start action, tools (apps), start/stop/status of agent, HPB via RPC only
2) deliver messages, action status, annotations
3) remote policy/instrumentation deployment
[Diagram: OVOW server (message/action server, deployer, rpcd on port 135) and OVO agent (opcctla, opcmsga) on either side of a firewall. Flow 1 (policies, actions, commands, monitors), flow 2 (messages) and flow 3 (deployment) use the customer defined ports (12001 and 12003 in the figure); port 135 is not needed across the firewall.]
OVOU daemonless communication
Server:
• message receiver (opcmsgrd) is using one customer defined inbound port
• distribution manager (opcdistm) is using one customer defined inbound port
• request sender can communicate directly to the agent (without remote DCE lookup) using only outbound ports
Agent:
• no endpoint mapper on the agent
• control agent (opcctla) is using one customer defined outbound port
• message and distribution agent can communicate directly to the server (without remote DCE lookup) using one inbound port each
Available remote functionality: no change, everything is possible:
1) start action, tools (apps), start/stop/status of agent, HPB via RPC only
2) deliver messages, action status, annotations
3) remote policy/instrumentation deployment (RPC only)
[Diagram: OVOU server (opcmsgrd, ovoareqsdr, opcdistm, rpcd on port 135) and OVO agent (opcctla, opcmsga, opcdista) on either side of a firewall. Flow 1 (policies, actions, commands, monitors) uses port 12001, flow 2 (messages) port 12003 and flow 3 (distribution) port 12002; port 135 is not needed across the firewall.]
OVOU daemonless communication w/o deployment
Server:
• message receiver (opcmsgrd) is using one customer defined inbound port
• request sender can communicate directly to the agent (without remote DCE lookup) using only outbound ports
Agent:
• no endpoint mapper on the agent
• control agent (opcctla) is using one customer defined outbound port
• message agent can communicate directly to the server (without remote DCE lookup) using one inbound port
• manual policy/instrumentation deployment (via opctmpldwn) (flow 3 in the diagram)
Available remote functionality:
1) start action, tools (apps), start/stop/status of agent, HPB via RPC only
2) deliver messages, action status, annotations
[Diagram: OVOU server (opcmsgrd, ovoareqsdr, rpcd on port 135) and OVO agent (opcctla, opcmsga) on either side of a firewall. Flow 1 uses port 12001, flow 2 port 12003; flow 3 (policies, actions, commands, monitors) is a manual deployment.]
Configuration
White papers
• Detailed configuration information can be found in the corresponding white papers for OVOW and OVOX: "DCE RPC Communication Without Endpoint Mapper"
• OVOW: http://openview.hp.com/sso/getdoc?doc=/500/products/operations_for_windows/tech_whitepaper/ovowin72_twp_dce_comm_jul03.pdf (channel web / ask your HP representative)
• OVOX: http://ovweb.external.hp.com/ovnsmdps/pdf/dce_em_unix_a0715.pdf (or http://ovweb.external.hp.com/lpe/doc_serv)
New configuration variables

Key                      Type    Value          Explanation
COMM_REGISTER_RPC_SRV    String  TRUE or FALSE  Register/do not register RPC interfaces with the endpoint mapper
OPC_COMM_LOOKUP_RPC_SRV  Bool    TRUE or FALSE  Contact/do not contact the endpoint mapper, i.e. try to contact the server's endpoint mapper if no local configuration is found
OPC_COMM_PORT_MSGR       Int     One number     Specifies at which port the message interface of the Message Action Server is listening on the Management Server(s).
OPC_COMM_PORT_DISTM      Int     One number     Specifies at which port the distribution interface of the Message Action Server is listening on the Management Server(s).
OPC_COMM_RPC_PORT_FILE   String  Full path      If set, it points to a port specification file with dedicated ..msgrd, ..distm and opcctla entries per target
Port Specification File - Syntax
• File syntax:
  – Standard OVO patterns can be used.
  – Empty lines are accepted.
  – Comments start with "#", which must be the very first character.
  – Configuration data must be specified using 4 standard elements, separated with white space:
    – SelectionCriteria: NODE_NAME (node name pattern or exact match) or NODE_ADDRESS (IP address pattern or exact match)
    – SrvType: opcctla (Management Server contacting the Agent), opcmsgrd (Message Agent contacting the Mgmt. Server) or opcdistm (Distribution Agent contacting the Mgmt. Server)
    – Port: port number to contact this RPC server
    – Node: node name or address pattern for this rule
Examples
Port Specification File (Managed Node)
Example port specification file on a managed node:

#
# SelectionCriteria SrvType Port Node
# ----------------------------------------------------------------
NODE_NAME opcmsgrd 5000 primaryserver.hp.com
NODE_NAME opcdistm 5000 primaryserver.hp.com
NODE_NAME opcmsgrd 6000 backupserver.hp.com
NODE_NAME opcdistm 6001 backupserver.hp.com

primaryserver.hp.com is an OVOW server where the distm and msgrd interfaces use the same port (5000).
backupserver.hp.com is an OVOX server where the opcdistm process listens on a different port (6001) than opcmsgrd (6000).
Port Specification File (Server)
Example port specification file on the management server:

#
# SelectionCriteria SrvType Port Node
# ----------------------------------------------------------------
NODE_NAME    opcctla 12345 <*>.hp.com
NODE_ADDRESS opcctla 12346 15.136.<*>
NODE_ADDRESS opcctla 12347 ^192.<1 -lt <#> -lt 10>.<*>
NODE_ADDRESS opcctla 12347 1.2.3.4

On all nodes whose name ends with hp.com, opcctla can be found on port 12345. On nodes from the IP range 15.136.<*> it uses 12346, and so on.
Example A: one OVOW mgmt server

OVOW mgmt server "X" (process OvEpMsgActSrv), registry:
  COMM_PORT_RANGE "5000"
  COMM_REGISTER_RPC_SRV TRUE
  COMM_LOOKUP_RPC_SRV TRUE
  COMM_RPC_PORT_FILE "/tmp/ports"

/tmp/ports on server "X":
# Entry type Server Port Node
# -----------------------------------------------------
NODE_NAME opcctla 11111 A
NODE_NAME opcctla 22222 B

OVO managed node "A" (processes opcdista, opcctla, opcmsga), opcinfo:
  ..RESTRICT_TO "opcctla"
  ..PORT_RANGE "11111"
  ..MGMT_SERVER "X"
  ..PORT_DISTM "5000"
  ..PORT_MSGR "5000"

OVO managed node "B" (processes opcdista, opcctla, opcmsga), opcinfo:
  ..RESTRICT_TO "opcctla"
  ..PORT_RANGE "22222"
  ..MGMT_SERVER "X"
  ..PORT_DISTM "5000"
  ..PORT_MSGR "5000"
Example B: one OVOW, one OVOU mgmt server

OVOW mgmt server "X" (process OvEpMsgActSrv), registry:
  COMM_PORT_RANGE "5000"

OVOU mgmt server "Y" (processes opcmsgrd, opcdistm), opcsvinfo:
  RESTRICT_TO "opcmsgrd"  PORT_RANGE "5555"
  RESTRICT_TO "opcdistm"  PORT_RANGE "6000"

OVO managed node "A" (processes opcmsga, opcdista), opcinfo:
  ..MGMT_SERVER "X"
  ..PORT_FILE "/tmp/svports"

/tmp/svports on node "A":
# Entry type Server Port Node
# -----------------------------------------------------
NODE_NAME opcmsgrd 5000 X
NODE_NAME opcmsgrd 5555 Y
NODE_NAME opcdistm 5000 X
NODE_NAME opcdistm 6000 Y

mgrconf on node "A":
RESPMGRCONFIGS
  SECONDARYMANAGER NODE IP "0.0.0.0" X
  SECONDARYMANAGER NODE IP "0.0.0.0" Y
  [...]
Required patches

Server side:
  V  HP-UX 11.0/11.11   PHSS_28962    05-MAY-03
  V  Solaris            ITOSOL_00226  09-MAY-03

Agent side, on HP-UX 11.0/11.11 server:
  V  AIX                PHSS_28949    14-MAY-03
  V  HP-UX 10.20        PHSS_28959    07-JUL-03
  V  HP-UX 11.0/11.11   PHSS_28958    06-MAY-03
  V  HP-UX 11.22        PHSS_28960    07-JUL-03
  V  Linux              PHSS_28951    30-MAY-03
  V  NT Intel           PHSS_28943    08-MAY-03
  V  Solaris            PHSS_28948    12-MAY-03
  V  Tru64              PHSS_28950    30-MAY-03

Agent side, on Solaris server:
  V  AIX                ITOSOL_00220  09-MAY-03
  V  HP-UX 10.20        ITOSOL_00224  04-AUG-03
  R  HP-UX 11.0/11.11   ITOSOL_00239  (planned)
  V  HP-UX 11.22        ITOSOL_00225  31-JUL-03
  V  Linux              ITOSOL_00222  30-MAY-03
  V  NT Intel           ITOSOL_00217  23-MAY-03
  V  Solaris            ITOSOL_00219  09-MAY-03
  V  Tru64              ITOSOL_00221  30-MAY-03

Server side:
  V  Windows            A.07.20

Agent side, on Windows server:
  HP-UX agent    A.07.20
  Windows agent  A.07.20
  Solaris agent  A.07.20
  AIX agent      OVOW_00035
Outbound-only communication using SSH port forwarding (an advanced use case)
Overview
• The problem: no inbound connections allowed
• SSH functionality and benefits
• Concept of SSH tunneling and port forwarding
• OVO outbound-only using SSH tunnel
• Configuring OVO
• Using SSH port forwarding
• Summary and FAQ
The Problem: No inbound connections allowed
[Diagram: an OVO Server in the Intranet; managed nodes running the OVO Agent in the DMZ and in the Internet, behind firewalls that allow outbound connections only.]
Outbound only:
• Some companies don't allow any inbound connections into their Intranet.
• Firewall administrators don't open any inbound port.
OVO agent:
• the message agent sends messages, annotations, action status, etc. to the management server
• the distribution agent requests configurations (templates, actions, cmds, etc.) from the management server
• both are inbound connections because the agent initiates the communication
Objective:
• get rid of the inbound connection with the DCE daemon-less feature and SSH port forwarding
• fully functional agent
SSH Functionality and Benefits
SSH functionality:
• SSH secure command shells
• SSH port forwarding
• Secure file transfer protocol
The benefits of SSH:
• Network security
• Strong authentication
• Public key cryptography
• Password authentication
• Host authentication
• Data encryption
The Features of SSH
The major features of SSH are:
• Customization: Can be customized to meet network or user requirements.
• Authentication: Provides strong authentication by using rhosts combined with RSA.
• X11 Sessions: Secures X11 sessions.
• Encryption: Encrypts data being transferred across the network. SSH uses various types of ciphers, such as IDEA, DES, and triple-DES for encrypting data.
• Secures the network against various attacks, such as spoofing and packet sniffing.
• Arbitrary TCP/IP ports: Redirects ports through the encrypted channel in both directions.
• Replacing traditional rlogin, rsh, and rcp services
• Replacing insecure programs
• Provides improved privacy: encryption of all communications.
• User and host authentication key: Uses 1024-bit host authentication keys.
Concept of SSH tunneling and port forwarding
Example with a web server and browser:
[Diagram: a WWW server hello.com listening on port 8880 and a client machine mypc. An SSH tunnel is started towards mypc with
  # ssh -n -N -R 50123:hello:8880 mypc
so that port 50123 on mypc is forwarded through the tunnel to hello:8880. A browser on mypc opening http://localhost:50123 gets the same content as http://hello.com:8880.]
OVO outbound-only using SSH tunnel
Server:
• message receiver (opcmsgrd) is using one customer defined port
• distribution manager (opcdistm) is using one customer defined port
• request sender can communicate directly to the agent (without remote DCE lookup) using only outbound ports
SSH tunnel:
• the message receiver and distribution manager ports are forwarded to the managed node
• the tunnel is initiated from the server (outbound)
Agent:
• no endpoint mapper on the agent is needed
• control agent (opcctla) is using one customer defined outbound port
• message and distribution agent communicate to localhost (127.0.0.1)
[Diagram: OVOU server (opcmsgrd, ovoareqsdr, opcdistm, rpcd on port 135) and OVO agent (opcctla, opcmsga, opcdista) on either side of a firewall. Flow 1 (server to opcctla) still crosses the firewall outbound; flows 2 and 3 (opcmsga and opcdista) go to the agent's localhost, where the outbound SSH tunnel from the server carries the opcmsgrd and opcdistm ports.]
Configuring OVO
[Diagram: the OVO Server in the Intranet holds the private SSH key (priv); the managed nodes in the DMZ hold the public key (pub). The ssh tunnel runs outbound through the firewall from the server to each node.]

Managed node, opcinfo:
OPC_RESOLVE_IP 127.0.0.1
OPC_DIST_MODE DIST_RPC
OPC_COMM_LOOKUP_RPC_SRV FALSE
OPC_COMM_PORT_MSGR 5000
OPC_COMM_PORT_DISTM 5002
OPC_RESTRICT_TO_PROCS opcctla
OPC_COMM_PORT_RANGE 12345

Managed node, mgrconf:
ACTIONALLOWMANAGERS
NODE IP ip_adr_of_mgr ""

Management server, opcsvinfo:
OPC_RESTRICT_TO_PROCS opcdistm
OPC_COMM_PORT_RANGE 5002
OPC_COMM_REGISTER_RPC_SRV TRUE
OPC_RESTRICT_TO_PROCS opcmsgrd
OPC_COMM_PORT_RANGE 5000
OPC_COMM_REGISTER_RPC_SRV TRUE

SSH tunnel, started on the server for all nodes in the DMZ:
ssh -n -N \
    -R 5000:ovoserver:5000 \
    -R 5002:ovoserver:5002 \
    node
Using SSH port forwarding
• SSH2 must be installed and configured on all systems.
• Port forwarding is initiated on the OVO server, e.g.:
  # ssh -R 5000:mgmt_srv:5000 -R 5002:mgmt_srv:5002 managed_node
• The tunnel must be started for each node in the DMZ.
• Useful ssh options:
  -v : Verbose mode. ssh prints debugging messages.
  -l login_name : user to log in as on the remote machine.
  -N : Do not execute a remote command. Just forward ports.
  -n : Redirect stdin from /dev/null. This must be used when ssh is run in the background.
  Note: don't use -g. It allows remote hosts to connect to the forwarded ports.
• The public key of the 'server user' shall be installed on the managed nodes, so that login without a password can be done.
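The deck later lists custom code to start, stop and monitor the tunnels as a prerequisite. Here is an added example of such a wrapper, not code from OVO or from this deck: it builds one ssh command per DMZ node with -n -N, one -R per forwarded port and never -g, and restarts a tunnel whose ssh client has exited. The server name "ovoserver", the ports 5000/5002 (from the configuration slide), the user "ovotunnel" and the node names are assumed values; the spawn parameter exists so the logic can be exercised without a real ssh.

```python
import subprocess

# Assumed site values (hypothetical, not from the deck): the management server as
# the managed nodes resolve it, the opcmsgrd/opcdistm ports of the configuration
# slide, and an unprivileged tunnel user (the FAQ says root is not required).
OVO_SERVER = "ovoserver"
FORWARD_PORTS = (5000, 5002)
SSH_USER = "ovotunnel"

def tunnel_argv(node, server=OVO_SERVER, ports=FORWARD_PORTS, user=SSH_USER):
    """ssh command for one DMZ node: -n -N (no remote command, stdin from
    /dev/null), one -R per forwarded port, and no -g so that only 127.0.0.1
    on the node can reach the forwarded opcmsgrd/opcdistm ports."""
    argv = ["ssh", "-n", "-N", "-l", user]
    for port in ports:
        argv += ["-R", f"{port}:{server}:{port}"]
    return argv + [node]

def check_argv(argv):
    """Refuse a command line that would expose the forwarded ports to other hosts."""
    if "-g" in argv:
        raise ValueError("-g would let remote hosts connect to the forwarded ports")
    return True

class TunnelSupervisor:
    """One ssh client per managed node: start, check, restart and stop them."""

    def __init__(self, nodes, spawn=subprocess.Popen, **tunnel_opts):
        self.nodes = list(nodes)
        self.spawn = spawn              # injectable for dry runs and tests
        self.tunnel_opts = tunnel_opts  # passed through to tunnel_argv
        self.procs = {}
        self.restarts = {n: 0 for n in self.nodes}

    def _launch(self, node):
        argv = tunnel_argv(node, **self.tunnel_opts)
        check_argv(argv)
        self.procs[node] = self.spawn(argv)

    def start(self):
        for node in self.nodes:
            self._launch(node)

    def status(self):
        """node -> True while its ssh client is still running."""
        return {n: p.poll() is None for n, p in self.procs.items()}

    def monitor_once(self):
        """Restart tunnels whose ssh client has exited; return the restarted nodes."""
        restarted = []
        for node, alive in self.status().items():
            if not alive:
                self.restarts[node] += 1
                self._launch(node)
                restarted.append(node)
        return restarted

    def stop(self):
        for p in self.procs.values():
            if p.poll() is None:
                p.terminate()
            p.wait()
```

A real deployment would call monitor_once() periodically (for example from a loop with a sleep) and log the restart counters, since a tunnel that keeps dying means the node's agent is cut off from opcmsgrd and opcdistm.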
Create and exchange SSH user keys
Create and exchange user keys so that the management server can log in to the managed node without entering a password:
• Create user keys on the management server:
  # ssh-keygen -t rsa
  # ssh-keygen -t dsa
• Copy the public keys to the agent:
  # cd ~/.ssh/
  # scp *.pub agent
  If needed, accept the host fingerprint; this adds the agent to ~/.ssh/known_hosts.
• Add the public keys on the agent:
  # ssh agent
  # cat id_rsa.pub >> .ssh/authorized_keys
  # cat id_dsa.pub >> .ssh/authorized_keys
  # rm id_rsa.pub id_dsa.pub
  # exit
• You should now be able to connect from "server" to "agent" without a password prompt.
OVO SSH tunneling at a Glance
The major benefits are:
• Outbound-only communication
• All standard agent features are available like on any other system.
• Customization on agent and server uses ordinary OVO Firewall and DCE daemon-less features.
• Additional buffering and encoding of messages etc. is not required.
Prerequisites to use this solution:
• SSH2 on all participating systems
• Certain custom code to start, stop, and monitor your SSH tunnels is required
• The firewall must allow outbound SSH communication
FAQ (1)
• Does this also work with OVOW?
  Since the DCE daemon-less feature works equally, you can do this with OVOW, but you have to consider that policy deployment works differently. Furthermore, the Service Discovery agent has an additional inbound connection.
• Is outbound-only communication with SSH port forwarding a supported OVO feature?
  This is not a feature. It is a use case of the DCE daemon-less functionality. All shown OVO keys and parameters are well-known features. OVO neither bundles nor delivers any SSH. HP OpenView does not provide any support for SSH itself.
• Does OVO provide any functionality to manage the SSH keys?
  No. You have to configure, run, and maintain your SSH on your own.
• Is there any SSH recommended for this use case?
  No, but tests were successful with:
  HP-UX 11.0   T1471AA A.03.50.000 HP-UX Secure Shell
  HP-UX 11.11  T1471AA A.03.50.000 HP-UX Secure Shell
  Win 2000     OpenSSH for Win 3.6.2p1 (Cygwin)
FAQ (2)
• Can I use port forwarding for M2M message forwarding?
  Yes. Note that you have to configure on the source server an OPC_COMM_RPC_PORT_FILE with NODE_NAME opcmsgrd 5000 localhost.
• How are the scalability and performance of this use case?
  Be aware that you have to start one ssh client on the management server for each managed node. The ssh client does not need many resources, but you have to manage these processes on your own.
• Do I have to run the tunnels under root/Administrator?
  No.
• Where can I find further information about SSH?
  E.g., the OpenSSH manual pages: http://www.openssh.org/manual.html
• Where can I find further information about the OVO parameters used?
  – OVO DCE RPC Communication without Endpoint Mapper White Paper
  – OVO Firewall Configuration White Paper