HP Operations Manager for Windows

C-API Security


An event subscription service API is a window that enables applications to view generic system-wide activity. Applications must be prevented from unauthorized snooping of system behavior at this access point. In addition, access to the HPOM message flow in read-write mode allows an external application to discard messages, without users being made aware that a message was generated. The APIs must, therefore, apply authentication mechanisms to prevent users and applications from unauthorized access to the HPOM message flow.

Automatic and Operator-initiated Actions

One important and critical issue arising from these security considerations is whether external applications using the interfaces are allowed to define automatic actions, operator-initiated actions, or both. If HPOM allows access to these message attributes, any user who is authorized to call the APIs is also able to execute actions on HPOM managed nodes.

According to the current HPOM concept, which regards HPOM as an open application providing a high level of flexibility to integrate applications, HPOM allows external programs to define actions for messages that are passed to the message agent. Event correlation can be seen as an advance on the existing concept of message conditions ("if attributes match then set attributes and actions") to a higher level ("if rule fires then set attributes and actions"). It is, therefore, essential that these external applications are allowed to perform these modifications.

An appropriate authorization mechanism at the API level guarantees that only authorized users can use the APIs. However, because user ID checks are performed at the OS level (with its superuser concept), this conflicts somewhat with the existing HPOM concept, in which the HPOM administrator is responsible for configuring user roles.

HPOM for Windows makes it possible for you to enable and disable the interface functionality. In addition, you can configure whether actions can be defined by an application that is writing to the interface. This affects all interface types.

In the HPOM for Windows policy editors, you can also define for each message whether it may be output to the Message Stream Interface (MSI). For example, an administrator can prevent the output of certain messages so that external applications cannot obtain sensitive information by reading these messages from the HPOM message flow.

Enabling and Disabling Interfaces and Actions

HPOM allows users with a user ID of zero (uid 0), typically root, on UNIX, as well as users that are in the Administrators group on Windows, to access the HPOM Interface APIs, and to define actions for messages that are sent to the management server. The HPOM for Windows administrator can enable or disable the interface functionality of the interface types that affect the message flow, and allow or disallow actions that are read from the interface. By default, these interfaces are disabled, and are not allowed to define actions.

To enable the MSI on a managed node, create a nodeinfo policy containing OPC_AGTMSI_ENABLE TRUE and deploy it to the managed nodes.

If actions are disallowed, an appropriate error text is added to the annotations field, and the action is disabled.

To allow the definition of automatic actions, add the following to the nodeinfo policy:

OPC_AGTMSI_ALLOW_AA TRUE

To allow the definition of operator-initiated actions, add the following to the nodeinfo policy:

OPC_AGTMSI_ALLOW_OA TRUE
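The following is an added audit example, not HPOM's own code: it parses the "KEY VALUE" nodeinfo settings shown above, applies the documented defaults (interface disabled, no actions) for any key that is absent, and reports what an MSI writer could do on that node. It assumes the ALLOW flags only take effect while OPC_AGTMSI_ENABLE is TRUE, and the sample policy is constructed.

```python
# Added example (not HPOM code): audit a nodeinfo policy for MSI exposure.
# Assumes "KEY VALUE" lines and that ALLOW flags need OPC_AGTMSI_ENABLE TRUE.

DEFAULTS = {  # documented defaults: interface off, no actions
    "OPC_AGTMSI_ENABLE": "FALSE",
    "OPC_AGTMSI_ALLOW_AA": "FALSE",
    "OPC_AGTMSI_ALLOW_OA": "FALSE",
}

def parse_nodeinfo(text):
    """Parse 'KEY VALUE' lines into a dict; keys and values upper-cased."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts:
            continue  # blank line
        settings[parts[0].upper()] = parts[1].strip().upper() if len(parts) > 1 else ""
    return settings

def msi_posture(settings):
    """Effective MSI flags after applying the defaults for missing keys."""
    eff = {k: settings.get(k, v) == "TRUE" for k, v in DEFAULTS.items()}
    enabled = eff["OPC_AGTMSI_ENABLE"]
    return {
        "msi_enabled": enabled,
        "auto_actions": enabled and eff["OPC_AGTMSI_ALLOW_AA"],
        "operator_actions": enabled and eff["OPC_AGTMSI_ALLOW_OA"],
    }

def findings(settings):
    """Findings a reviewer would raise for this node's MSI configuration."""
    p = msi_posture(settings)
    if not p["msi_enabled"]:
        return ["MSI disabled (default): no external read/write access to the message flow"]
    out = ["MSI enabled: uid 0 / Administrators programs can read and discard messages"]
    if p["auto_actions"]:
        out.append("automatic actions allowed: MSI writers can run commands on managed nodes")
    if p["operator_actions"]:
        out.append("operator-initiated actions allowed via MSI")
    if not (p["auto_actions"] or p["operator_actions"]):
        out.append("actions disallowed: rejected actions are recorded in the annotations field")
    return out

# Constructed sample policy, not from a real deployment.
SAMPLE_POLICY = "OPC_AGTMSI_ENABLE TRUE\nOPC_AGTMSI_ALLOW_AA TRUE\n"

if __name__ == "__main__":
    for f in findings(parse_nodeinfo(SAMPLE_POLICY)):
        print("-", f)
```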