Oracle® Hierarchical Storage Manager and StorageTek QFS Software Security Guide
Release 6.0
E61675-01

1 Overview

This chapter provides an overview of the Oracle Hierarchical Storage Manager and StorageTek QFS Software product and explains the general principles of application security.

Product Overview

Oracle Hierarchical Storage Manager and StorageTek QFS Software is a shared file system with a hierarchical storage manager. The product consists of the following major components:

StorageTek QFS package

Includes the high-performance QFS file system, which can be configured either standalone or shared. In a standalone configuration, QFS runs on a single system with no shared clients. QFS uses standard VFS vnode operations to interface with the Oracle Solaris and Linux operating systems.

The QFS installation packages are SUNWqfsr and SUNWqfsu. These packages do not include the Oracle Hierarchical Storage Manager (HSM) component.

Configuring QFS standalone with no shared clients has the smallest security exposure. This configuration does not run daemons and does not have any remote connections other than Fibre Channel (FC) to disk. Configuring QFS shared includes FC connections to disk and a TCP/IP connection between clients and the metadata server (MDS).

Oracle HSM package

Includes the QFS file system and the code that is required to run Oracle HSM. The Oracle HSM installation packages are SUNWsamfsr and SUNWsamfsu. If you do not need hierarchical storage management, install only the StorageTek QFS package.

SAM-Remote

Permits access to remote tape libraries and drives by means of TCP/IP wide area network (WAN) connections. StorageTek SAM-Remote provides a form of disaster recovery by remotely locating tape facilities. You can install SAM-Remote with either the QFS or SAM-QFS packages, but you must enable and configure SAM-Remote separately. For more information about SAM-Remote, see the Oracle Hierarchical Storage Manager and StorageTek QFS Software Release 6.0 Customer Documentation Library at: http://www.oracle.com/technetwork/documentation/tape-storage-curr-187744.html#samqfs

Manager Graphical User Interface

The Manager Graphical User Interface (GUI), fsmgr, runs on the MDS and is accessed remotely through a web browser. Access is granted through port 6789 (https://hostname:6789).

To use fsmgr, you must log in as a valid user on the MDS and add certain roles to the user account. For information about installing and configuring the Manager GUI, see the Oracle Hierarchical Storage Manager and StorageTek QFS Software Release 6.0 Customer Documentation Library at: http://www.oracle.com/technetwork/documentation/tape-storage-curr-187744.html#samqfs

General Security Principles

The following sections describe the fundamental principles that are required to use any application securely.

Keep Software Up To Date

Stay current with the version of Oracle HSM that you run. You can find current versions of the software for download at the Oracle Software Delivery Cloud (https://edelivery.oracle.com/).

Restrict Network Access to Critical Services

Oracle HSM uses the following TCP/IP ports:

  • tcp/7105 is used for metadata traffic between the client and the MDS

  • tcp/1000 is used for SAM-Remote

  • tcp/6789 is the HTTP port that a browser uses to contact fsmgr

  • tcp/5012 is used for sam-rpcd


Note:

For MDS bidirectional client traffic, consider setting up a separate network that is not interconnected to the outside WAN. This configuration prevents exposure from outside threats and also ensures that outside traffic does not limit MDS performance.
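One way to check a host against the port list and the network-separation note above is to audit its listening sockets. The following is an added example, not part of the Oracle guide: it assumes input lines in the style of Linux `ss -H -ltn` output, and the function names, the sample lines and the 10.20.0.0/24 metadata network are constructed for illustration.

```python
import ipaddress

# Ports and roles exactly as listed in this guide.
HSM_PORTS = {
    7105: "client/MDS metadata traffic",
    1000: "SAM-Remote",
    6789: "fsmgr (Manager GUI)",
    5012: "sam-rpcd",
}

def parse_listener(line):
    """Return (address or None for wildcard, port) from one listener line."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "LISTEN":
        return None
    host, _, port = fields[3].rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
    if not port.isdigit():
        return None
    if host in ("*", "0.0.0.0", "::"):
        return (None, int(port))
    return (ipaddress.ip_address(host), int(port))

def audit(lines, allowed_nets):
    """Flag HSM listeners bound to a wildcard or outside the allowed networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for line in lines:
        parsed = parse_listener(line)
        if parsed is None or parsed[1] not in HSM_PORTS:
            continue
        addr, port = parsed
        if addr is None:
            findings.append((port, HSM_PORTS[port], "all interfaces"))
        elif not any(addr in n for n in nets):
            findings.append((port, HSM_PORTS[port], str(addr)))
    return findings

# Constructed sample input (not captured from a real MDS).
SAMPLE = """\
LISTEN 0 128 10.20.0.5:7105 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6789 0.0.0.0:*
LISTEN 0 64 203.0.113.10:5012 0.0.0.0:*
LISTEN 0 128 [::]:1000 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
""".splitlines()
if __name__ == "__main__":
    for port, role, where in audit(SAMPLE, ["10.20.0.0/24"]):
        print(f"tcp/{port} ({role}) listening on {where}")
```

A listener reported on all interfaces is reachable from every network the host is attached to, so each finding is a candidate for a host firewall rule or for moving that traffic to the separate network.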

Follow the Principle of Least Privilege

Grant the user or administrator the least privilege that is required to accomplish the task to be performed. The Manager GUI has various roles that can be granted to users. These roles grant varying types and amounts of privilege. Performing administration tasks from the command line requires root permission.

For more information about using the Manager GUI, see the Oracle Hierarchical Storage Manager and StorageTek QFS Software Release 6.0 Customer Documentation Library at: http://www.oracle.com/technetwork/documentation/tape-storage-curr-187744.html#samqfs

Monitor System Activity

Monitor system activity to determine how well Oracle HSM is operating and whether it is logging any unusual activity. Check the following log files:

  • /var/adm/messages

  • /var/opt/SUNWsamfs/sam-log

  • /var/opt/SUNWsamfs/archiver.log, see /etc/opt/SUNWsamfs/archiver.cmd

  • /var/opt/SUNWsamfs/recycler.log, see /etc/opt/SUNWsamfs/recycler.cmd

  • /var/opt/SUNWsamfs/releaser.log, see /etc/opt/SUNWsamfs/releaser.cmd

  • /var/opt/SUNWsamfs/stager.log, see /etc/opt/SUNWsamfs/stager.cmd

  • /var/opt/SUNWsamfs/trace/*

Keep Up To Date on Latest Security Information

You can access several sources of security information. For security information and alerts for a large variety of software products, see http://www.us-cert.gov. For information specific to SAM-QFS, see https://communities.oracle.com/portal/server.pt/community/sam_qfs_storage_archive_manager_and_sun_qfs/401. The primary way to keep up to date on security matters is to run the most current version of the Oracle HSM software.