Technical Support Services Blog
Discover the latest trends in technology, and the technical issues customers are overcoming with the aid of HP Technology Services.

DPTIPS: When is default security too much?

I should have suspected trouble was brewing when I realized how proud I was of my own cleverness:  Set up a Unix IS for a customer using a Linux VM.  That would eliminate the need to use one of their three HP-UX clients as an IS.  The one we had anticipated using turned out to be back at 11i v1 (11.11), so it was not a viable IS platform.  The remaining two 11i v3 (11.31) clients were production cluster nodes, and the powers-that-be were not receptive to the idea of tinkering with either one regardless of how benign the DP IS function might be.

No problem.  One Linux VM later, we had an IS installed and patched.  Now it was time to import it into the cell.

[root@neelix ~]# omnicc -import_is neelix.localdomain
[12:1660] Import Installation Server failed.

When the Installation Server (IS) import failed, I said, "Aha!  I know what it is.  Most of the time, failed client imports are the product of inconsistent name resolution."  So I quickly set about verifying that the Cell Manager (CM) could resolve the new IS by FQDN and IP address.  Okay, that looks good.  The problem must be with the new IS.  I popped over there and verified that the new IS could resolve the CM both forwards and backwards.  Well well well, now what?

Time to drop back to some basic DP troubleshooting.  From the CM, can I telnet to port 5555 on the new IS?  Survey says . . . . . . . . . . no, I cannot.  Good.  No, really -- good.  This means we have something concrete to track down.  Why am I unable to telnet to port 5555 on the new IS?  There are no hardware firewalls in the network path between CM and IS.  BUT, my default install of Linux may have included iptables.  Did it?  Was the service running?

[root@neelix ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Well, there's our problem!  I stopped iptables momentarily and repeated my telnet test.  Now it works.  So I tried my IS import again.
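The troubleshooting sequence above (name resolution both ways, then a raw TCP connect to 5555, then a look at the iptables chains) can be scripted. The bash script below is an added example and not code from the original post: it predicts the INPUT-chain verdict for an inbound TCP port by reading rules in the iptables-save format that "service iptables save" writes to /etc/sysconfig/iptables, tests whether a port answers, and checks that a host name resolves forward and back consistently. The embedded rules are a constructed sample reproducing the chains shown in the post; rule 3 is assumed to be the stock "-i lo" loopback rule of the default RHEL/CentOS ruleset, which "iptables -L -n" (and therefore "service iptables status") prints as a bare "ACCEPT all" line, so run "iptables -L INPUT -n -v --line-numbers" when you need the interface column. Source-address matches are not evaluated by this model.

```shell
#!/bin/bash
# Added example, not from the original post. Predicts what the INPUT chain
# does with a new inbound TCP connection and checks whether a port answers.

# Constructed sample in iptables-save format, reproducing the chains shown in
# the post. Rule 3 is assumed to be the stock "-i lo" rule, which
# "iptables -L -n" (and "service iptables status") prints as a bare ACCEPT all.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# What the filter table looks like after "service iptables stop": no rules,
# so the ACCEPT policy decides everything.
FLUSHED_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# input_verdict PORT   (iptables-save output on stdin)
# Prints the target of the first INPUT rule matching a NEW TCP connection to
# PORT from a remote host (non-loopback interface), or the chain policy when
# no rule matches. Source-address (-s) matches are ignored in this model.
input_verdict() {
  awk -v port="$1" '
    /^:INPUT / { policy = $2 }
    $1 != "-A" || $2 != "INPUT" { next }
    {
      skip = 0; proto = ""; dport = ""; states = ""; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-i" && $(i + 1) == "lo") skip = 1
        else if ($i == "-p") proto = $(i + 1)
        else if ($i == "--dport") dport = $(i + 1)
        else if ($i == "--state") states = $(i + 1)
        else if ($i == "-j") target = $(i + 1)
      }
      if (skip) next                             # loopback-only rule
      if (proto != "" && proto != "tcp") next    # e.g. the icmp rule
      if (dport != "" && dport != port) next     # some other port
      if (states != "" && states !~ /NEW/) next  # RELATED,ESTABLISHED only
      print target; found = 1; exit
    }
    END { if (!found) print policy }'
}

# tcp_port_open HOST PORT
# Returns 0 when a TCP connect succeeds, using bash'"'"'s /dev/tcp so neither
# telnet nor nc is needed. A REJECT rule answers at once; a DROP rule would
# hang until the kernel connect timeout, so wrap the call in "timeout 5" there.
tcp_port_open() {
  ( exec 3<>"/dev/tcp/$1/$2" ) 2>/dev/null
}

# name_resolution_consistent HOST
# Returns 0 if HOST resolves to an address and that address resolves back to
# a name containing HOST: the first thing to verify before blaming a firewall.
name_resolution_consistent() {
  addr=$(getent hosts "$1" | awk 'NR == 1 { print $1 }')
  [ -n "$addr" ] || return 1
  getent hosts "$addr" | grep -qwF -- "$1"
}

# Demonstration against the constructed sample. On a live host replace the
# printf with: iptables-save | input_verdict 5555
printf '%s\n' "$SAMPLE_RULES" | input_verdict 5555    # REJECT
printf '%s\n' "$FLUSHED_RULES" | input_verdict 5555   # ACCEPT
```

On the IS itself, "iptables-save | input_verdict 5555" printing REJECT is the scripted form of the telnet failure in the post; from the CM, "tcp_port_open neelix.localdomain 5555" is the telnet test without telnet.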

[root@neelix ~]# omnicc -import_is neelix.localdomain
Import host successful.

There we go!  I restarted the iptables service while I mulled over my options.

Does my IS really need firewall protection?  Should I go to the trouble to port-limit DP and create firewall rules for the IS?  In a word:  NO.  I'm not hosting nuclear launch codes on the IS -- it's just an install depot for Unix-flavored DP components.

The steps required to save the current iptables config, stop the service, and disable it from starting at system boot are fairly straightforward.

[root@neelix ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

[root@neelix ~]# service iptables stop
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]

[root@neelix ~]# chkconfig iptables off

[root@neelix ~]# chkconfig --list iptables
iptables       	0: off   1: off   2: off   3: off   4: off   5: off   6: off

That last command simply allowed me to verify that iptables was not set to start automatically at any runlevel.
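The commands above are the route the post chose. For the case where the same catch-all rule keeps an IS or client off the cell and turning the firewall off is not an option, the following is an added example (not from the original post) of the narrower route the author weighed: admit TCP 5555 from the Cell Manager only, inserted ahead of the catch-all REJECT in the INPUT chain so that the new rule is actually reached, then persist the ruleset. It finds the catch-all by parsing the listing that "service iptables status" prints; the embedded listing is the one from the post. The Cell Manager address 192.0.2.10 is a constructed placeholder, and the commands are printed rather than executed so they can be reviewed before being piped to sh as root.

```shell
#!/bin/bash
# Added example, not from the original post: open DP's port to the Cell
# Manager only instead of disabling iptables.

# Listing as printed by "service iptables status" in the post.
STATUS_LISTING='Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination'

CM_IP=192.0.2.10   # constructed placeholder for the Cell Manager address
DP_PORT=5555       # Data Protector inet port used in the post

# catchall_rule_number CHAIN   (status listing on stdin)
# Prints the number of the first rule in CHAIN that rejects or drops all
# traffic from anywhere to anywhere; prints nothing if there is none.
catchall_rule_number() {
  awk -v chain="$1" '
    /^Chain / { inchain = ($2 == chain); next }
    inchain && $2 ~ /^(REJECT|DROP)$/ && $3 == "all" &&
      $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" { print $1; exit }'
}

# dp_allow_commands CM_IP PORT [RULENUM]
# Prints the commands that admit NEW TCP connections to PORT from CM_IP only.
# With RULENUM the rule is inserted at that position (ahead of the catch-all,
# which would otherwise shadow it); without it the rule is appended. The
# second command persists the ruleset to /etc/sysconfig/iptables.
dp_allow_commands() {
  if [ -n "$3" ]; then
    printf 'iptables -I INPUT %s -s %s/32 -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT\n' "$3" "$1" "$2"
  else
    printf 'iptables -A INPUT -s %s/32 -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT\n' "$1" "$2"
  fi
  printf 'service iptables save\n'
}

# Demonstration on the embedded listing. On a live host use:
#   pos=$(service iptables status | catchall_rule_number INPUT)
#   dp_allow_commands "$CM_IP" "$DP_PORT" "$pos"        # review the output
#   dp_allow_commands "$CM_IP" "$DP_PORT" "$pos" | sh   # then apply as root
pos=$(printf '%s\n' "$STATUS_LISTING" | catchall_rule_number INPUT)
dp_allow_commands "$CM_IP" "$DP_PORT" "$pos"
```

Scoping the rule to the Cell Manager's address keeps the IS closed to everything else on the segment; after applying it, the telnet test from the CM and the omnicc import should both succeed with iptables still running and still enabled with chkconfig.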

So there you have it.  Your list of likely culprits for jamming a good client import should include both faulty name resolution and firewalls.  Have you overcome other roadblocks that prevented a successful client import?  If so, please share your experience in the comments below!

Labels: Data Protector
Comments
ztuba(anon) | 02-28-2013 07:54 AM

Alternative to iptables, host based control is used on occasions with tcp wrapper on UNIX clients, and "/etc/hosts.deny" can have entries like

"ALL : ALL" 

Adding the entry 

"inet : ALL"

to the "/etc/hosts.allow" file will let the client import through.

(With iptables, connection is refused upfront. With wrapper, connection is made, but service is not allowed to start.)

ztuba(anon) | 03-01-2013 08:35 AM

Alternative to iptables, on occasions host based control is used with tcp wrapper, and /etc/hosts.deny has entries like  "ALL : ALL".  Adding the entry  "inet : ALL" to the /etc/hosts.allow file would let DP communication through.

(While iptables blocks the connection attempt upfront, the wrapper lets the connection be made, but services, like inet in our case, are not allowed to start.)
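The two comments above describe the tcp_wrappers alternative. The script below is an added example, not part of the comment thread: it models the hosts_access(5) decision for a daemon/client pair, in which hosts.allow is consulted first, then hosts.deny, and access is granted when neither matches. The constructed file contents are the ones the comments give ("ALL : ALL" in hosts.deny, "inet : ALL" in hosts.allow), with inet being the DP service name as used in the comment; only plain names and the ALL wildcard are modelled, not netmasks, EXCEPT clauses or spawn/twist commands.

```shell
#!/bin/sh
# Added example, not from the comment thread: a simplified model of the
# tcp_wrappers decision. hosts_access(5) grants access if hosts.allow matches
# the (daemon, client) pair, denies if hosts.deny matches, and otherwise
# grants. Only names and the ALL wildcard are modelled here.

# Constructed file contents mirroring the comment.
HOSTS_DENY='ALL : ALL'
HOSTS_ALLOW='inet : ALL'

# wrapper_match DAEMON CLIENT   (access-file contents on stdin)
# Returns 0 if any "daemon_list : client_list" line matches the pair.
wrapper_match() {
  awk -F: -v daemon="$1" -v client="$2" '
    /^[ \t]*(#|$)/ { next }   # comments and blank lines
    NF < 2 { next }           # no "daemon_list : client_list" separator
    {
      nd = split($1, dl, /[ \t,]+/)
      nc = split($2, cl, /[ \t,]+/)
      dm = 0; cm = 0
      for (i = 1; i <= nd; i++) if (dl[i] == "ALL" || dl[i] == daemon) dm = 1
      for (i = 1; i <= nc; i++) if (cl[i] == "ALL" || cl[i] == client) cm = 1
      if (dm && cm) { found = 1; exit }
    }
    END { exit !found }'
}

# wrapper_decision DAEMON CLIENT ALLOW_CONTENTS DENY_CONTENTS
# Prints "allow" or "deny" following the hosts_access evaluation order.
# With a deny decision the TCP handshake has already completed: the wrapper
# accepts the connection and then refuses to start the service, which is why
# a telnet to 5555 connects and is then closed without the DP banner.
wrapper_decision() {
  if printf '%s\n' "$3" | wrapper_match "$1" "$2"; then
    echo allow
  elif printf '%s\n' "$4" | wrapper_match "$1" "$2"; then
    echo deny
  else
    echo allow
  fi
}

# Demonstration: the DP inet service from a constructed Cell Manager name.
wrapper_decision inet cm.example.test "$HOSTS_ALLOW" "$HOSTS_DENY"   # allow
wrapper_decision inet cm.example.test ""            "$HOSTS_DENY"   # deny
wrapper_decision sshd cm.example.test "$HOSTS_ALLOW" "$HOSTS_DENY"   # deny
```

To check a real client, feed the actual files: wrapper_decision inet cm.example.test "$(cat /etc/hosts.allow)" "$(cat /etc/hosts.deny)". A tighter allow entry than "inet : ALL" would name the Cell Manager instead of the wildcard.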

Mr_T | 03-01-2013 12:28 PM

Hello Zoltan,

You bring up a very good case.  Let me ask, would tcpwrappers without inet:ALL in /etc/hosts.allow create a condition where I could connect to 5555 on a client but not get the normal DP banner before disconnect?  I ask because I had a case just this week where I installed DP 7 (omnicf and da) on an old 11.11 box.  The install was error-free, and a netstat indicated that it was in fact listening on 5555.  Yet when I telnet to 5555 either locally or from the network, I get a connection, a delay of several seconds, then a disconnect -- WITHOUT the normal DP banner message being displayed.

To make matters even more unusual, an attempt to import the client resulted in the CM's name being written to the client's cell_server file, but the import failed to add the client to the CM's cell_info file.  Never in 14+ years have I seen behavior like this.

Any ideas?

Thanks,

Mr_T

ztuba(anon) | 03-01-2013 04:58 PM

For the telnet 5555, and hosts.deny set, it displays exactly the behaviour you describe, i.e. connection made, then timeout without the banner.  Client import would fail too, however haven't seen any tampering with cell_server file on the client side.

JohnMcL(anon) | 03-03-2013 09:32 PM

Why does a link to this blog piece about Unix appear on the OpenVMS forum web page?

Mr_T | 03-04-2013 01:56 PM

I'm not sure, John. I posted a link to the Data Protector Support and News Forum at http://h30499.www3.hp.com/t5/Data-Protector-Support-and-News/bd-p/itrc-251