HP Web Jetadmin Software - Application Security Frequently Asked Questions

NOTE: This FAQ document pertains to HP Web Jetadmin 10.X software. More detailed information can be found in the various user guides and white papers downloadable from http://www.hp.com/go/webjetadmin.
Question: What methods of application security are offered to protect against unlimited or unauthorized access to HP Web Jetadmin?
Answer:
HP Web Jetadmin has several features that make it easy to secure the application.
- Single Sign-on – Users don’t have to provide password and user details in order to access the application. Utilizing normal Microsoft domain credentials eliminates the need for separate user ID and password access.
- .NET Remoting – The client displays through a local application that uses .NET Remoting as a secure means of communicating with the server. .NET Remoting allows secure client access to the HP Web Jetadmin server, which might reside in a different domain, on any platform, with different security credentials.
- Active Directory Integration – Domain accounts are used to identify who has access to the application and its features.
- Low Privilege Service – HP Web Jetadmin does not run as system and has no direct access to key OS components (the client application runs under user credentials).
- Secure On-line Downloads – Product update packages are signed, ensuring the integrity and authenticity of files and components downloaded from the web.
- Optional SSL/TLS – ClickOnce client deployment can have added security applied via certificates.
Question: How is the initial HP Web Jetadmin Administrator role determined?
Answer:
Following the server installation of HP Web Jetadmin, all accounts that possess Microsoft local administrator group credentials will have full HP Web Jetadmin administrative account access, as well. The default (non-modifiable) role of HP Web Jetadmin administrator is automatically assigned to the local administrator group.
Question: I would like to grant helpdesk access to HP Web Jetadmin. How do I limit access to diagnostic capabilities only?
Answer:
The first step would be to create a new HP Web Jetadmin role tailored for helpdesk usage. You might refer to this new role as “helpdesk”. This role could be created and defined as new, or copied from an existing role template and modified accordingly. After the role is defined appropriately for helpdesk use (in this case, diagnostic-related capabilities only), the next step would be to add the designated helpdesk user accounts to HP Web Jetadmin. This might also be accomplished by just adding the group that all the helpdesk users belong to. After completing this step, assign the helpdesk role to the newly added helpdesk user accounts or group. After logging into HP Web Jetadmin, helpdesk agents will have access to only the capabilities assigned in the helpdesk role.
Question: Does HP Web Jetadmin role assignment support domain groups within domain groups?
Answer:
Not at this time. For example, assume User A is a member of Group A and Group A is a member of Group B. If Group B is assigned to a role, User A will not have access to that role. User A would have to be a direct member of Group B to have access to that role.
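The following added example (not HP Web Jetadmin code and not from the original FAQ) models the direct-only membership rule described above, so an access review can list the users who are reachable only through nested groups and therefore would not receive the role. The group names, user names, role assignments and function names are constructed for illustration.

```python
# Model of direct-only role resolution (added example, not HP Web Jetadmin code).
# Constructed sample data: group -> direct members (users or other groups).
DIRECT_MEMBERS = {
    "GroupB": {"GroupA", "userC"},
    "GroupA": {"userA", "GroupD"},
    "GroupD": {"userD", "GroupA"},  # deliberate cycle: GroupA <-> GroupD
}
# Constructed role assignments: role -> principals (users or groups) assigned to it.
ROLE_ASSIGNMENTS = {"helpdesk": {"GroupB", "userE"}}


def direct_access(assigned, members):
    """Users who receive the role when only direct group membership counts."""
    users = set()
    for principal in assigned:
        if principal in members:  # principal is a group
            users |= {m for m in members[principal] if m not in members}
        else:                     # principal is a user account
            users.add(principal)
    return users


def transitive_access(assigned, members):
    """Users an administrator might expect if nested groups were expanded."""
    users, seen, stack = set(), set(), list(assigned)
    while stack:
        principal = stack.pop()
        if principal not in members:
            users.add(principal)
        elif principal not in seen:  # visit each group once, so cycles terminate
            seen.add(principal)
            stack.extend(members[principal])
    return users


def audit(role_assignments, members):
    """Per role: who is granted access, and who is reachable only through nesting."""
    report = {}
    for role, assigned in role_assignments.items():
        granted = direct_access(assigned, members)
        nested_only = transitive_access(assigned, members) - granted
        report[role] = {"granted": sorted(granted), "nested_only": sorted(nested_only)}
    return report


if __name__ == "__main__":
    for role, result in audit(ROLE_ASSIGNMENTS, DIRECT_MEMBERS).items():
        print(role, result)
```

Users listed under `nested_only` need direct membership in the assigned group, or an assignment of their own, before the role applies to them.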
Question: Can a single user be assigned multiple roles?
Answer:
Yes. Scenarios may exist where a specific user on a team may require more capabilities than other members of the team. A new role with extended capabilities can be created and additionally assigned to that specific user. The ability to easily assign or remove capabilities of HP Web Jetadmin users is the primary advantage of creating and maintaining roles.
Question: Is there an easy way to review the HP Web Jetadmin capabilities that are granted to a user?
Answer:
Yes. Select Diagnostics under Application Management. Enter the user identification and you will be presented with a list of the capabilities assigned to that user.
Question: My environment requires SSL when an HTTP service is being used for communication. Is HP Web Jetadmin capable of this?
Answer:
Yes. HP Web Jetadmin administrators can enable SSL (Secure Sockets Layer) at the host after the software is installed. This will force browser communication to the more secure HTTPS protocol. SSL was enabled by default on earlier versions of HP Web Jetadmin. It is optional in WJA for the following reasons:
- WJA does not use a browser as the primary application interface.
- The HTTP service is not core to client/server communication.
- .NET Remoting provides the necessary data encryption and user authentication.
- Self-signed certificates cannot be used unless all clients have the appropriate CA installed.
Please refer to the HP WJA Security Whitepaper for more detail regarding the enabling of SSL.
Question: I am installing HP Web Jetadmin on a Dell Server and have received the message “Application download did not succeed”. Why do I receive this message?
Answer:
HP Web Jetadmin and the Dell Secure Port Server both use default TCP port 8000. To resolve this conflict, change the default port on either side to something other than 8000. Please refer to the list below for additional port reference.
| Port # | Type | I/O | Details |
|---|---|---|---|
| 0 | UDP | I/O | TFTP Send/Receive Request Handling |
| 0 | UDP | O | SNMP |
| 0 | TCP | O | WMI Communication |
| 0 | TCP | O | Firmware Upgrade |
| 69 | UDP | I | TFTP Incoming Port |
| 427 | UDP | I | SLP |
| 3702 | UDP | I | WS Discovery Listen |
| 4088 | UDP | I/O | Client Remoting |
| 8000 | UDP | I | HP Web Jetadmin Discovery Listen |
| 8000 | TCP | I | WebServer (http) |
| 8443 | TCP | I | WebServer (https) |
| 27892 | UDP | I | Traps Listener |
| 161 | UDP | I | SNMP |
| 445 | TCP | I | WMI Communication |
| 9100 | TCP | I | Firmware Upgrade/TCPIP Printing |
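A pre-installation check for the kind of port conflict described above, written as an added example (not HP code and not from the original FAQ): it tries to bind each listener port on the intended server and reports any that is not confirmed free. Treating the selected table rows as server-side listeners is an assumption of this example, as are the names `WJA_LISTENERS`, `port_state` and `find_conflicts`; the check covers IPv4 only.

```python
import errno
import socket

# Listener rows copied from the port table above: (protocol, port, details).
# Assumption: these rows are listeners on the HP Web Jetadmin server itself.
WJA_LISTENERS = [
    ("tcp", 8000, "WebServer (http)"),
    ("tcp", 8443, "WebServer (https)"),
    ("udp", 8000, "HP Web Jetadmin Discovery Listen"),
    ("udp", 3702, "WS Discovery Listen"),
    ("udp", 27892, "Traps Listener"),
]


def port_state(proto, port, host="0.0.0.0"):
    """Return 'free', 'in-use' or 'unknown' for one local port."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as probe:
        try:
            probe.bind((host, port))  # no SO_REUSEADDR: an existing owner blocks us
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return "in-use"
            return "unknown"  # e.g. permission denied or exclusive reservation
    return "free"


def find_conflicts(listeners=WJA_LISTENERS, host="0.0.0.0"):
    """List every listener whose port could not be confirmed free."""
    return [
        (proto, port, details)
        for proto, port, details in listeners
        if port_state(proto, port, host) != "free"
    ]


if __name__ == "__main__":
    conflicts = find_conflicts()
    for proto, port, details in conflicts:
        print(f"{proto.upper()} {port} ({details}) is not available")
    if not conflicts:
        print("All checked HP Web Jetadmin listener ports are free")
```

Run it on the target server before installation; a reported TCP 8000 matches the conflict described in the answer above.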
Question: With HP Web Jetadmin, will I be able to view who is logged on and utilizing the application?
Answer:
Yes. The Active Clients task module can be activated and viewed within the Task Module Docking area or from the Application Management > Overview area. This task module shows clients that are logged into HP Web Jetadmin, as well as the number of active client applications that are being run by each client. This feature helps the Administrator determine which clients are logged into the system prior to running Product Updates or performing tasks that may burden the system and cause slow performance.
Question: If I allow HP Web Jetadmin server internet access, what security is deployed for application plug-in download and installation?
Answer:
HP Web Jetadmin uses digital signatures for all of its packages and plug-in descriptor files to ensure the integrity and authenticity of these files. All files downloaded from hp.com for the purpose of Product Updating are digitally signed. HP Web Jetadmin verifies the digital signatures by using our Verisign-managed root certification authority. If authentication of a file fails, HP Web Jetadmin will refuse to load that file.