HP Service Manager Architecture and Security
HP Software-as-a-Service

Contents
Introduction
Architecture
Infrastructure Setup
Security Setup
Customer Infrastructure Requirements
Introduction

The purpose of this document is to furnish an overview of the architecture and security setup for HP Service Manager service center hosted by HP Software-as-a-Service (HP SaaS).

Architecture

HP Service Manager has a multi-tier architecture with presentation, application, and database layers. The tiers are described below.

Client Tier

The Client tier consists of two components:
- Web client
- Windows client (only available in the DEV instance)

The Web client allows users to connect to the HP Service Manager server via a Web browser. The customer does not need to install or download any additional software on the user's desktop.

The Windows client allows users to connect to the HP Service Manager server via a dedicated client. The customer must install the Windows client separately on each system from which it wants to connect to HP Service Manager. The Windows client is for configuration users exclusively.

Server Tier (Application)

The Server tier consists of one or more HP Service Manager servers. The HP Service Manager server runs the HP Service Manager applications and manages the connections between the Client tier (Windows and Web) and the Application tier, and from the Application tier to the Database tier.

Database Tier

The Database tier consists of Oracle database technology.

Optional Servers

The supporting servers are optional features consisting of the following components:

- Help Server: a pre-configured Web server that provides HTML help to HP Service Manager clients and as a stand-alone Web page.
- Report Server: a near real-time replica of the production Oracle database that is accessible to the customer for generating reports. In many cases report generation results in extensive queries that noticeably degrade end-user performance. Moving these queries to a separate server makes the data accessible in a timely manner without negatively impacting the user community.

Figure 1. HP Service Manager Architecture at HP Software-as-a-Service (diagram not reproduced; its labels show the Internet, Cisco 3600 Series routers and ProLiant 1850R servers)

The Service Manager managed service architecture is described under three headings:
- Infrastructure setup
- Security setup
- Customer infrastructure requirements
Infrastructure Setup

HP SaaS is responsible for the availability of the overall system and for controlling access to the systems, including the setup of infrastructure, network, hardware and software. The salient features of the HP Service Manager managed service infrastructure are as follows:

- Three instances are provided: DEV, TEST, and PROD.
- Every customer is set up in their own separate subnet, which may contain one or more Service Manager servers.
- The application servers reside behind HP's corporate firewall. The database servers are secured behind another firewall, and access to these servers is limited to the HP SaaS infrastructure team.
- The Reporting DB server is a non-Production DB offered as an additional paid service. Here customers can have direct access (port 1521) to their DB schema.
- Database servers are set up in an Oracle RAC (Real Application Clusters), with each customer schema set up with unique user access. The RAC is mirrored for failover every fifteen minutes.
- Client access to the application is via HTTP or HTTPS (default), and additionally through the Windows client for configuration tasks in the development environment.
- Third-party tool integrations within the customer's network may require a Site-to-Site Virtual Private Network (VPN) to be set up. For this setup to work, specific ports need to be opened from known public source IP address(es) at the customer site. Such a setup provides secure communication between the customer's network and the HP SaaS network and facilitates external integrations with the customer's hosted Service Manager instances.
- Nightly backups of the database and file systems, plus failover, archive, recovery, and application patch management for the Production system.
- Application and infrastructure monitoring 24/7 using industry-leading system monitors for availability; this includes firewalls, hardware, server-side software and security.
Security Setup

The salient security features of the HP Service Manager managed service are as follows:

- Each customer is set up in their own separate subnet with internal and external IP addresses for each of their application servers.
- Routers use access control lists, and the systems are protected by NAT and non-routable IP address schemes.
- The network contains intrusion detection systems to monitor activity, and audits are run quarterly.
- The database servers are behind two firewalls that are centrally managed by HP SaaS infrastructure. Database access is not granted to anyone except the HP SaaS infrastructure team, which manages the backend database tier. Where the customer is entitled to the Reporting DB, standard access is direct, on port 1521, through VPN.
- Qualified consultants and/or customer developers are furnished access to the DEV application server. Direct access to database schemas is not granted.
- SaaS Application Engineers have access to the customer's DEV application servers.
- Default access to Service Manager is over HTTPS (SSL).
- A Site-to-Site VPN can also be set up for third-party integrations or to access the application server (in addition to serving other purposes), if requested by the customer.
- Consultants and SaaS Application Engineers may remotely access the application servers via a clientless VPN solution using VASCO software set up by HP SaaS.
- Consultants and SaaS Application Engineers may also access the appropriate application servers using Remote Desktop or pcAnywhere (for file transfers) from the SaaS network.

Customer Infrastructure Requirements

Customer infrastructure requirements are typically network port configurations that allow the customer to access their hosted Service Manager instances. The following ports are typically opened INBOUND on the HP SaaS firewall to allow access to the customer's application server from a given source IP address or range of addresses on the customer's network via the Internet; alternatively, the instances can be open to the Internet with no specific public IPs from the customer.

Service Manager Prod Standard User Access:
  TCP 80 - web client
  TCP 443 (SSL) - web client

Service Manager Test Application Server Access:
  TCP 80 - web client
  TCP 443 (SSL) - web client

Service Manager Dev Application Server Access:
  TCP 13080 - Windows client
  TCP 80 - web client
  TCP 443 (SSL) - web client
  TCP 3389 - RDP
  TCP 5631 - pcAnywhere (Symantec) for remote access and file transfer
  UDP 5632 - also pcAnywhere (Symantec)

Customer Note: The customer is required to configure the same ports indicated above on their firewall for OUTBOUND traffic, from the specified source IP address(es) or range.
HP SaaS will furnish the customer with the external IP addresses of the relevant Service Manager application servers as part of the setup phase of service initialization. Exceptions to these general guidelines may be discussed during the pre-sales phase or during service initialization.
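The per-environment port list above, turned into a small rule generator and audit. This is an example added by the editor and is not code from the HP document or the HP SaaS firewall. The iptables output syntax, the RFC 5737 sample addresses (203.0.113.0/24 for the customer, 198.51.100.10 for a DEV server) and the policy that the remote-access ports (13080, 3389, 5631/5632) must not be opened to any source or to a block wider than /16 are the editor's assumptions; the page itself allows instances to be opened to the whole Internet, so the audit is a practitioner's caveat layered on top of the document's port table.

```python
"""Inbound rule generator and audit for the HP SaaS port list above.

Added example, not part of the original HP document. The iptables output
format, the sample addresses (RFC 5737 documentation ranges) and the
management-port policy are the editor's assumptions.
"""
import ipaddress

# (protocol, port) pairs transcribed from the document's per-environment list.
ENV_PORTS = {
    "PROD": [("tcp", 80), ("tcp", 443)],
    "TEST": [("tcp", 80), ("tcp", 443)],
    "DEV": [("tcp", 13080), ("tcp", 80), ("tcp", 443),
            ("tcp", 3389), ("tcp", 5631), ("udp", 5632)],
}

# Windows client, RDP and pcAnywhere: remote-access / configuration paths.
# Treating these as management ports that need a narrow source range is the
# editor's hardening assumption, not a statement from the page.
MANAGEMENT_PORTS = {("tcp", 13080), ("tcp", 3389), ("tcp", 5631), ("udp", 5632)}

# Widest customer source block accepted for a management port (assumption).
MAX_MGMT_PREFIXLEN = 16


def build_rules(env, server_ip, sources):
    """Return (src_net, dst_ip, proto, port) tuples for one environment.

    `sources` lists the customer's public IPs or CIDRs. An empty list selects
    the document's "open to the Internet" option (source 0.0.0.0/0).
    """
    if env not in ENV_PORTS:
        raise ValueError(f"unknown environment {env!r}")
    dst = str(ipaddress.ip_address(server_ip))
    nets = [ipaddress.ip_network(s, strict=False) for s in sources]
    if not nets:
        nets = [ipaddress.ip_network("0.0.0.0/0")]
    return [(str(net), dst, proto, port)
            for net in nets for proto, port in ENV_PORTS[env]]


def audit_rules(rules):
    """Return findings for management ports reachable from too wide a source."""
    findings = []
    for src, dst, proto, port in rules:
        if (proto, port) not in MANAGEMENT_PORTS:
            continue
        net = ipaddress.ip_network(src)
        if net.prefixlen < MAX_MGMT_PREFIXLEN:
            findings.append(f"{proto}/{port} on {dst} reachable from {src}")
    return findings


def render_iptables(rules):
    """Render rules as iptables INPUT ACCEPT lines (illustrative syntax)."""
    return [f"iptables -A INPUT -s {src} -d {dst} -p {proto} --dport {port} -j ACCEPT"
            for src, dst, proto, port in rules]


if __name__ == "__main__":
    # Constructed sample: one customer /24 and one DEV server address.
    dev = build_rules("DEV", "198.51.100.10", ["203.0.113.0/24"])
    print("\n".join(render_iptables(dev)))
    print("findings:", audit_rules(dev))            # []
    # The document's "open to the Internet" option, applied to DEV.
    wide_open = build_rules("DEV", "198.51.100.10", [])
    print("findings:", audit_rules(wide_open))      # four management ports flagged
```

Running the script with the customer's real source ranges before the change request goes to HP SaaS shows whether the DEV rule set would leave RDP or pcAnywhere reachable from arbitrary addresses; the PROD and TEST sets carry only the web-client ports and never trigger a finding under this policy. The same tuples, with source and destination read the other way round, are what the Customer Note asks the customer to permit OUTBOUND on their own firewall.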
2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. HP SaaS SM Architecture Security Document, February 2009