2 HP 3PAR Policy Server and the HSQL Database
HP 3PAR Policy Server (Policy Server or HP3PS) provides a solution that is designed to ensure only
authorized access to, and use of, assets that are running Agent gateways or Policy Agents. Policy
Server is a server-based application that resides on your network. Through the Policy Server user
interface, you can set and control all permissions for assets.
You can use the browser-based user interface of Policy Server to configure policies and monitor
requests for operations. Through the Policies component of the application, authenticated users
can manage policies and accept or deny requests to perform operations on assets. The Audit
component displays a history of actions by Policy Server users and communications with assets
managed by Policy Server. Through the Users component, administrators of Policy Server can
assign privileges to profiles, profiles to roles, and roles to user accounts to control access to the
components of the Policy Server application.
HSQL Database provides a standalone, open-source, Java-based relational database to store and
manage the Policy Server configurations. For complete information about HSQLDB, refer to the
documentation list at
http://www.hsqldb.org/doc/2.0
. The HSQL database can be installed and
set up for use with Policy Server through the installation program for Policy Server.
Apache Tomcat provides the Web application and file realm component for Policy Server. OpenDS
directory server provides an "internal" directory server for managing access to the Policy Server
application. OpenDS is an open source directory server; for more information, visit
http://
www.opends.org/
. Tomcat is installed with Policy Server.
Security
For secure communications with your assets, HP 3PAR Policy Server supports the Secure Socket
Layer/Transport Layer Security (SSL/TLS) protocols. Before installation, you should know the name
and the passphrase of the certificate keystore file that you plan to create for the machine where
Policy Server will run, and you should make sure that either port 443 or port 8443 is available
for Policy Server. During installation, you will configure Policy Server to use SSL.
User Authentication
To secure access to the Policy Server application, you use an internal directory server, the OpenDS
directory server. When you use this server, the installer creates users and user groups for you.
Once Policy Server is running, the Users component of the Policy Server application communicates
with your designated directory server for user authentication. In addition, users can edit their e-mail
addresses through the Edit User Attributes option of the Policy Server application. If the user account
was created through the Policy Server, users can also edit their passwords through the Edit User
Attributes option. All user information created in the Policy Server application is stored on your
designated directory server.
The Policy Server application user needs to type a valid user name and password in a secure login
page and then submit that information to Policy Server for approval. The server matches the user
name and password against the information configured in the directory server. For approved users,
the server determines the Policy Server group(s) in which the users are defined in the directory
server (these groups are not visible in the Policy Server application). Based on the group membership
and the privileges assigned to a user (by means of the roles assigned to the user), Policy Server
displays or hides components of the application for an authenticated user.
From the Users component of the Policy Server application, you can set up the security for the
Policy Server application. You can control access to each main component (Policies, Pending
Requests, Audit Log, Assets, Remote [Sessions], and Users) but not to the individual pages or
features within a component. Policy Server provides the following objects for configuring security:
•
Privileges
– These are the base units for the security architecture, and they are built into the
system. For most of the main components of the Policy Server application, two privileges are
Security
5