Hyperic Security Features and Recommendations

SSL Best Practices for New Hyperic Installations

Hyperic 4.6 and later supports the use of SSL communication for both server-to-agent and agent-to-server communications. VMware recommends that you install trusted keystores from your CA for Hyperic 4.6.x components. If you do not configure your own SSL keystores for Hyperic Agents and the Hyperic Server, the components will generate keystores with self-signed certificates — this is not recommended.

For more information about SSL communications, configuration, and default behavior in Hyperic, see About SSL in Hyperic.
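A quick way to verify that a Hyperic Server or Agent keystore no longer holds a self-signed identity certificate is to inspect the output of the JDK's `keytool -list -v`. The following script is an added example, not Hyperic's own code: it parses that listing and flags private-key entries whose leaf certificate has the same Owner and Issuer. The keystore path and password passed to `list_keystore` are assumptions (use whatever you configured for your installation); the listing embedded below is constructed for illustration.

```python
"""Find self-signed server identities in a Hyperic keystore.

Added example, not Hyperic's own code. It parses the output of the JDK
`keytool -list -v` command; the keystore path and password are whatever you
configured for the Hyperic Server or Agent (assumed values below).
"""
import subprocess
from typing import Dict, List


def parse_keystore_listing(listing: str) -> Dict[str, Dict[str, str]]:
    """Return {alias: {"type": ..., "owner": ..., "issuer": ...}} per entry.

    Only the leaf certificate (Certificate[1]) of a private-key entry is
    recorded; for a trusted-certificate entry keytool prints a single
    Owner/Issuer pair, which is recorded as-is.
    """
    entries: Dict[str, Dict[str, str]] = {}
    alias = None
    cert_index = 1  # keytool numbers chain members Certificate[1], [2], ...
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
            entries[alias] = {}
            cert_index = 1
        elif alias is None:
            continue
        elif line.startswith("Entry type:"):
            entries[alias]["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Certificate[") and line.endswith("]:"):
            cert_index = int(line[len("Certificate["):-2])
        elif cert_index == 1 and line.startswith("Owner:"):
            entries[alias]["owner"] = line.split(":", 1)[1].strip()
        elif cert_index == 1 and line.startswith("Issuer:"):
            entries[alias]["issuer"] = line.split(":", 1)[1].strip()
    return entries


def self_signed_identities(listing: str) -> List[str]:
    """Aliases of private-key entries whose own certificate is self-signed.

    Trusted CA roots are self-signed too, but that is expected; only the
    keystore's own identity certificates are flagged here.
    """
    return sorted(
        alias
        for alias, e in parse_keystore_listing(listing).items()
        if e.get("type") == "PrivateKeyEntry"
        and "owner" in e
        and e["owner"] == e.get("issuer")
    )


def list_keystore(path: str, storepass: str) -> str:
    """Run keytool against a real keystore file and return its verbose listing."""
    result = subprocess.run(
        ["keytool", "-list", "-v", "-keystore", path, "-storepass", storepass],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


# Constructed sample listing (not output from a real Hyperic installation).
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: hq
Creation date: Jan 1, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=hq-server.example.test, OU=Hyperic, O=Example, C=US
Issuer: CN=hq-server.example.test, OU=Hyperic, O=Example, C=US

Alias name: hq-ca-signed
Creation date: Jan 2, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=hq-server.example.test, OU=Hyperic, O=Example, C=US
Issuer: CN=Example Corp Issuing CA, O=Example, C=US
Certificate[2]:
Owner: CN=Example Corp Issuing CA, O=Example, C=US
Issuer: CN=Example Corp Issuing CA, O=Example, C=US

Alias name: example-root
Creation date: Jan 3, 2020
Entry type: trustedCertEntry

Owner: CN=Example Corp Root CA, O=Example, C=US
Issuer: CN=Example Corp Root CA, O=Example, C=US
"""

if __name__ == "__main__":
    # To check a real keystore, replace SAMPLE_LISTING with
    # list_keystore("/path/to/hq.keystore", "<keystore password>").
    for alias in self_signed_identities(SAMPLE_LISTING):
        print(f"self-signed identity certificate in entry '{alias}'")
```

Run against the constructed listing, only the `hq` entry is reported: the CA-issued entry is accepted because its leaf Issuer differs from its Owner, and the trusted root is ignored because trust anchors are expected to be self-signed.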

Agent-Initiated Communication

You can configure Hyperic such that Hyperic Agents initiate all communications with the Hyperic Server. This feature, referred to as unidirectional communication, is useful if your network topology requires managed platforms to initiate all communication with processes outside a firewall.

You can configure unidirectional communication interactively at first agent startup, or by setting the agent.setup.unidirectional property in the agent's agent.properties file. See the requirements described at agent.setup.unidirectional.

Password Encryption

This section has information about the credentials that the Hyperic Server and the Hyperic Agent must provide to related product components during normal operation, and how those credentials are supplied, saved, and secured.

Regardless of how the passwords used by the server or agent are supplied, or where they are saved, the password values are always encrypted. Specifically:

  • The Hyperic Server supplies a username and password to connect to the Hyperic database. In Hyperic 4.5 and later, the Hyperic installer prompts for the database credentials during the installation process, and saves them in ServerHome/conf/hq-server.conf. The value of the password is encrypted.

  • If the server and agent have user-managed keystores, each component stores the password to its keystore in its properties file.

    • The Hyperic Server's keystore can be configured interactively at installation. The keystore path and password are saved in hq-server.conf, with the password encrypted. In Hyperic 4.6.6 and later, if you define the keystore password in the properties file yourself after installation, the server will encrypt the password value at next startup.

    • The Hyperic Agent's keystore can only be configured in the agent.properties file. In Hyperic 4.6.6 and later, you can add encrypted properties to agent.properties yourself, as described in Encrypt Agent Property Value. Otherwise, if you define the password in plain text in the properties file, the agent will encrypt the value at next startup.
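Because the server and agent rewrite a plain-text password only at their next startup, a properties file can sit on disk with a credential in the clear in the meantime. The following script is an added example, not Hyperic's own code: it parses a Java-style properties file such as hq-server.conf or agent.properties and lists every password-like key whose value is not yet in encrypted form. It assumes the encrypted form is the Jasypt-style `ENC(...)` wrapper; the sample file and all key names in it other than agent.setup.unidirectional are constructed assumptions, not taken from the Hyperic documentation.

```python
"""Report password properties that are still stored in plain text.

Added example, not Hyperic's own code. It reads a Java-style properties file
such as hq-server.conf or agent.properties and lists every password-like key
whose value is not in encrypted form. The encrypted form is assumed to be the
Jasypt-style ENC(...) wrapper; adjust ENCRYPTED_VALUE if your release differs.
"""
import re
from typing import Dict, List

ENCRYPTED_VALUE = re.compile(r"^ENC\(.+\)$")  # assumed encrypted-value marker
SECRET_KEY = re.compile(r"(password|passwd|pword|pwd)", re.IGNORECASE)
PROPERTY_LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal parser for key=value / key: value lines; '#' and '!' start comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = PROPERTY_LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def plaintext_secrets(text: str) -> List[str]:
    """Keys that look like credentials but whose value is not ENC(...)-wrapped."""
    return sorted(
        key
        for key, value in parse_properties(text).items()
        if SECRET_KEY.search(key) and value and not ENCRYPTED_VALUE.match(value)
    )


def audit_file(path: str) -> List[str]:
    """Audit a properties file on disk (e.g. agent.properties or hq-server.conf)."""
    with open(path, encoding="utf-8") as fh:
        return plaintext_secrets(fh.read())


# Constructed sample agent.properties. Key names other than
# agent.setup.unidirectional are assumed, not taken from the Hyperic docs.
SAMPLE_AGENT_PROPERTIES = """\
# constructed sample, not a file from a real installation
agent.setup.unidirectional=true
agent.keystore.path=/opt/hyperic/agent/conf/hq.keystore
agent.keystore.password=changeit
agent.setup.camPword=ENC(c29tZS1lbmNyeXB0ZWQtYmxvYg==)
agent.setup.camLogin=hqadmin
"""

if __name__ == "__main__":
    # For a real installation: audit_file("/path/to/agent/conf/agent.properties")
    for key in plaintext_secrets(SAMPLE_AGENT_PROPERTIES):
        print(f"plaintext credential in property '{key}'")
```

On the constructed sample only `agent.keystore.password` is reported; the already-wrapped `agent.setup.camPword` value passes. Running the audit after the component's first restart is a simple way to confirm that the promised encryption at next startup actually took place, and the parser deliberately ignores empty values so that unset credential keys are not reported as findings.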

Protection of Sensitive Data

In this version of Hyperic, the Hyperic installer writes some sensitive data to installation log files.

Sensitive Data Best Practices

After successfully installing Hyperic Server, delete InstallerHome/logs/hq-install.log and hq-install.log.verbose, or the entire exploded installer directory.

Use LDAP Authentication

Hyperic Server encrypts user passwords using an encryption key you supply during installation. Note, however, that Hyperic Server does not enforce a password-strength policy or a lockout policy for failed login attempts. Best practice is to integrate Hyperic with your existing enterprise directory. For information about integrating Hyperic with LDAP, Active Directory, and Kerberos, see Configure LDAP Properties and Configure Kerberos Properties.