gwlmsslconfig(1M)
NAME
gwlmsslconfig, gwlmexportkey, gwlmimportkey, gwlmlistkeys,
gwlmdeletekey - secure network communications for Global Workload
Manager (gWLM).
SYNOPSIS
gwlmsslconfig
gwlmexportkey [ -f file ]
gwlmimportkey -f file -a alias
gwlmlistkeys
gwlmdeletekey -a alias
AVAILABILITY
These commands are available on both gWLM Central Management Servers
(systems where you run gwlmcmsd) and managed nodes (systems where you
run gwlmagent). On HP-UX systems, they are in /opt/gwlm/bin/. On
Microsoft Windows systems, they are in
C:\Program Files\HP\Virtual Server Environment\bin\ by default. However,
a different path may have been selected at installation.
To run the command, you must be logged in as root on HP-UX or into an
account that is a member of the Administrators group on Windows.
DESCRIPTION
The gwlmsslconfig, gwlmexportkey, and gwlmimportkey commands help you
enable secure gWLM communications between the central management server
(CMS) and the managed nodes. Both the gWLM interface in HP Systems
Insight Manager and the gWLM command-line interface use the secure
communications, once enabled.
The gwlmlistkeys and gwlmdeletekey commands are useful when you have
alias conflicts.
NOTE: By default, gWLM's communications are not secure, meaning:
+ The communications between the CMS and the managed nodes are
not encrypted
+ The source and destination of gWLM's communications are not
authenticated
NOTE: You can also secure Oracle communications. For information, see
the HP Global Workload Manager User's Guide section "Securing Database
Communications."
COMMANDS
The options, if any, for the commands are described below. The options
are the same on HP-UX and Microsoft Windows.
gwlmsslconfig
Run gwlmsslconfig on every system on which you are going to run gWLM.
(However, you do not need to run the command on your CMS, assuming you
have already run vseinitconfig (with no options) or
vseinitconfig --initconfig there.)
This command sets values in the gWLM agent properties file so that the
keystore provided by HP Systems Insight Manager is used, if available.
Otherwise, the command creates a gWLM-specific keystore and sets the
gWLM properties file accordingly.
gwlmexportkey [ -f file ]
Exports a key from the local system. You later use gwlmimportkey to
import this key to the keystores on other systems.
Systems can initiate secure communications with any system from which
they have a key imported in their keystores.
Option
-f file
Places the exported key in file, instead of in the default
hostname.cer.
gwlmimportkey -f file -a alias
Imports a key to the local keystore, allowing the local system to
initiate secure communications with the system from which the key
originated.
Options
-f file Imports a key from the specified file. You can only import
one key at a time.
-a alias Associates the name alias with the key. Given a particular
key, gWLM attempts to communicate with the associated
system referring to it as alias.
The output of the command hostname, run on the system where
the key was generated, is often a good value to use for
alias. However, you can use values other than the
hostname, especially if gwlmimportkey fails because the alias
already exists. You can also use gwlmlistkeys and
gwlmdeletekey to manage alias conflicts.
gwlmlistkeys
Lists all the keys in the local keystore.
gwlmdeletekey -a alias
Deletes the key associated with alias in the local keystore.
Options
-a alias Specifies the alias associated with the key to be deleted.
HOW TO SECURE COMMUNICATIONS
You can secure gWLM communications through the gWLM interface in HP
Systems Insight Manager, as described in the online help topic
"Securing gWLM Communications." Alternatively, you can secure
communications on the command line, as described below.
NOTE: The Windows path (C:\Program Files\HP\Virtual Server Environment\)
given below is the default. However, a different path may have
been selected at installation.
To secure gWLM communications on the command line:
1. Log in as root on HP-UX or into an account that is a member of the
Administrators group on Windows
2. Run gwlmsslconfig on every system on which you are going to run
gWLM:
# /opt/gwlm/bin/gwlmsslconfig
(On Windows, run
C:\Program Files\HP\Virtual Server Environment\bin\gwlmsslconfig.)
However, you do not have to run this command on CMS systems where
you have already run the command vseinitconfig (with no options) or
vseinitconfig --initconfig.
3. Edit the gWLM agent properties file to ensure the property
com.hp.gwlm.security.secureRMI is set to true:
com.hp.gwlm.security.secureRMI=true
in the file /etc/opt/gwlm/conf/gwlmagent.properties on every HP-UX
system--including the CMS--on which you are going to run gWLM. (Even
with gwlmagent not running on the CMS, gWLM makes use of the
gwlmagent.properties file for security purposes.) On Windows, the file is
C:\Program Files\HP\Virtual Server Environment\conf\gwlmagent.properties.
The com.hp.gwlm.security.secureRMI property is added to the
properties file (with a value of 'false') when you run the gwlmsslconfig
command.
4. Export the keys on the CMS and on each system in each shared
resource domain (SRD)
For example, if you have three systems, such as a CMS called system1
and an SRD with two managed nodes called system2 and system3, run
gwlmexportkey on each system:
system1# gwlmexportkey -f system1.cer
system2# gwlmexportkey -f system2.cer
system3# gwlmexportkey -f system3.cer
NOTE: When securing communications, you must do so for every managed
node in every SRD managed by a given CMS.
5. Distribute the exported keys
The CMS must have the key from every system it manages. Also, each
managed system must have the key from the CMS as well as the key
from every other system managed in the same SRD.
Distribute the keys using the secure cp command, scp:
system1# scp system1.cer system2:/tmp/keys
system1# scp system1.cer system3:/tmp/keys
system2# scp system2.cer system1:/tmp/keys
system2# scp system2.cer system3:/tmp/keys
system3# scp system3.cer system1:/tmp/keys
system3# scp system3.cer system2:/tmp/keys
NOTE: If scp is not available, you can exchange the keys through
other secure methods, such as by using physical media.
6. Import all the keys on the CMS; also, import the key from the CMS
and the keys from every other managed system in the same SRD on each
managed system:
system1# gwlmimportkey -f /tmp/keys/system2.cer -a system2
system1# gwlmimportkey -f /tmp/keys/system3.cer -a system3
system2# gwlmimportkey -f /tmp/keys/system1.cer -a system1
system2# gwlmimportkey -f /tmp/keys/system3.cer -a system3
system3# gwlmimportkey -f /tmp/keys/system1.cer -a system1
system3# gwlmimportkey -f /tmp/keys/system2.cer \
-a system2.CERTIFICATE
On system3, system2.cer was imported with the alias
system2.CERTIFICATE. This alias was chosen to show that an alias does not
have to match the hostname of the system where it was generated.
7. Restart gWLM
Restart gWLM--on each system--so that it uses secure communications.
NOTE: Stopping gwlmcmsd disables HP Virtualization Manager and HP
Capacity Advisor.
On an HP-UX CMS:
# /opt/gwlm/bin/gwlmcmsd --stop
# /opt/gwlm/bin/gwlmcmsd
On a Windows CMS:
"C:\Program Files\HP\Virtual Server Environment\bin\gwlmcmsd" --stop
"C:\Program Files\HP\Virtual Server Environment\bin\gwlmcmsd"
On each managed node:
# /opt/gwlm/bin/gwlmagent --restart
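The distribution rule in steps 5 and 6, as an added example that is not part of the HP manual page: a POSIX shell script that prints which keys each system must import, generalized to a CMS that manages more than one SRD. The host names, the SRD layout and the function names gwlm_import_plan and gwlm_plan_commands are constructed for illustration; the commands are only printed, never run.

```shell
#!/bin/sh
# Added example: derive the key exchanges required by step 5.
# Host names and SRD layout are constructed sample values.

# gwlm_import_plan CMS "SRD1 nodes" ["SRD2 nodes" ...]
# Each SRD argument is a space-separated list of managed-node hostnames.
# Output: one "importer origin" pair per line, meaning that the importer
# needs the key exported on origin.
gwlm_import_plan() {
    cms=$1; shift
    for srd in "$@"; do
        for node in $srd; do
            echo "$cms $node"        # the CMS needs every managed node's key
            echo "$node $cms"        # every managed node needs the CMS key
            for peer in $srd; do     # plus the key of each peer in its own SRD
                [ "$peer" = "$node" ] || echo "$node $peer"
            done
        done
    done | sort -u
}

# Render the pairs as the scp and gwlmimportkey lines from steps 5 and 6.
# The alias is set to the origin hostname, as the page suggests.
gwlm_plan_commands() {
    gwlm_import_plan "$@" | while read -r importer origin; do
        echo "$origin# scp $origin.cer $importer:/tmp/keys"
        echo "$importer# gwlmimportkey -f /tmp/keys/$origin.cer -a $origin"
    done
}

# Constructed layout: CMS system1; SRD A = system2 system3; SRD B = system4.
# system4 shares no SRD with system2 or system3, so no keys pass between them.
gwlm_plan_commands system1 "system2 system3" "system4"
```

Running gwlmlistkeys on each system afterwards and comparing the aliases with this plan shows any import that was missed.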
DISABLING SECURE COMMUNICATIONS
To disable gWLM's use of secure communications:
NOTE: The Windows path (C:\Program Files\HP\Virtual Server Environment\)
given below is the default. However, a different path may have
been selected at installation.
1. Edit the gWLM agent properties file
Ensure the property com.hp.gwlm.security.secureRMI is set to false:
com.hp.gwlm.security.secureRMI=false
in the file /etc/opt/gwlm/conf/gwlmagent.properties on every HP-UX
system--including the CMS. (Even with gwlmagent not running on the
CMS, gWLM makes use of the gwlmagent.properties file for security
purposes.) On Windows, the file is C:\Program Files\HP\Virtual
Server Environment\conf\gwlmagent.properties.
2. Restart HP Systems Insight Manager and gWLM
Restart the software--on each system--so that it stops using secure
communications.
NOTE: Stopping gwlmcmsd disables HP Virtualization Manager and HP
Capacity Advisor.
On an HP-UX CMS:
# /opt/mx/bin/mxstop
# /opt/mx/bin/mxstart
# /opt/gwlm/bin/gwlmcmsd --stop
# /opt/gwlm/bin/gwlmcmsd
On a Windows CMS:
"C:\Program Files\HP\Systems Insight Manager\bin\mxstop"
"C:\Program Files\HP\Systems Insight Manager\bin\mxstart"
"C:\Program Files\HP\Virtual Server Environment\bin\gwlmcmsd" --stop
"C:\Program Files\HP\Virtual Server Environment\bin\gwlmcmsd"
On each managed node:
# /opt/gwlm/bin/gwlmagent --restart
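Because gwlmsslconfig adds com.hp.gwlm.security.secureRMI with a value of 'false', a system where the edit was skipped or later reverted keeps communicating insecurely. The following added example, which is not part of the HP manual page, reports the effective value found in a properties file. The function names are hypothetical, and it assumes Java .properties syntax ('#' or '!' comments, '=' or ':' separators, last definition of a key wins).

```shell
#!/bin/sh
# Added example: audit the secureRMI setting in gwlmagent.properties.
# Assumption: Java .properties syntax, where a later definition overrides
# an earlier one and lines starting with '#' or '!' are comments.

# secure_rmi_value [FILE] -> prints the effective value, or "unset".
# Reads standard input when FILE is omitted.
secure_rmi_value() {
    awk -v key="com.hp.gwlm.security.secureRMI" '
        /^[ \t]*[#!]/ { next }                    # comment line
        {
            line = $0
            sub(/^[ \t]+/, "", line)              # leading whitespace
            if (index(line, key) != 1) next       # some other property
            rest = substr(line, length(key) + 1)
            if (rest !~ /^[ \t]*[=:]/) next       # a longer key name, not ours
            sub(/^[ \t]*[=:][ \t]*/, "", rest)    # drop the separator
            sub(/[ \t\r]+$/, "", rest)            # trailing blanks and CR
            val = rest; seen = 1                  # last definition wins
        }
        END { print (seen ? val : "unset") }
    ' "${1:--}"
}

# secure_rmi_enabled [FILE] -> exit status 0 only if the value is "true",
# the spelling the page uses.
secure_rmi_enabled() {
    [ "$(secure_rmi_value "$1")" = "true" ]
}

# Constructed sample: the commented-out line must not count, and the value
# written by gwlmsslconfig is still in place.
secure_rmi_value <<'EOF'
# com.hp.gwlm.security.secureRMI=true
com.hp.gwlm.security.secureRMI=false
EOF
```

On an HP-UX system, pass /etc/opt/gwlm/conf/gwlmagent.properties as the argument and treat any result other than "true" as a system still using unsecured gWLM communications.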
RETURN VALUES
The return values for these commands are as follows:
0 Success
1 Failure
AUTHOR
gwlmsslconfig, gwlmexportkey, gwlmimportkey, gwlmlistkeys, and
gwlmdeletekey were developed by HP.
FEEDBACK
If you would like to comment on the current HP gWLM functionality or
make suggestions for future releases, please send email to:
gwlmfeedback@rsn.hp.com
FILES
/etc/opt/gwlm/conf/gwlmagent.properties
Properties file for the gWLM agent
C:\Program Files\HP\Virtual Server Environment\conf\gwlmagent.properties
Properties file for the gWLM agent on a Windows CMS
SEE ALSO
gwlm(5)