HP Insight Control Power Management 6.2 User Guide

Security properties
Protocols and port numbers
Insight Control power management uses the following ports or external interfaces to aid administrators in
deployment and proper operation of the power management features:
Default port number   Protocol      System/Device
443                   SSL           HP ProLiant and Integrity iLO
443                   SSL           HP c-Class Onboard Administrator
22                    SSH           Servers
5989                  WBEM HTTPS    Integrity Servers
161                   SNMP          PDU/PDR
50443                 SSL           HP Intelligent PDU (iPDU)
Credentials
Log-in credentials are presented to all systems as configured within the Systems Insight Manager Security
and power management options. Note that use of global credentials will cause all credentials to be presented
to systems during discovery. Untrusted or compromised systems may then observe the incoming credentials
and use them for attacks upon other systems. It is therefore recommended that only system-specific sign-in
credentials be utilized to limit potential disclosure of log-in credentials.
Use of management LAN
HP recommends that all communications between the Systems Insight Manager CMS and the management
processors be transmitted over a secure LAN isolated from the remainder of your network. This ensures
SNMP data collection (which is inherently insecure) cannot be observed/monitored by other entities, and
reduces the potential for external attacks on management processors by untrusted or compromised systems.
Security properties for Data Center Power Control
In order to define and manage rules, you need to have access to the Data Center Power Control Rules page.
Access to this tool is controlled by standard Systems Insight Manager tool authorizations. Alternatively, it is
possible to define and manage rules if you have write access to the directory on the CMS in which the rule
definitions are stored. Access to this directory is controlled by standard file system permissions of the underlying
operating system. Systems Insight Manager is installed with write access to this directory granted only to the
administrator of the CMS.
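Because write access to the rule-definition directory is enough to define and manage rules, its permissions are worth checking on the CMS. The POSIX shell functions below are an added example, not HP code: the directory path is an assumption (the guide does not name it) and is passed as an argument, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not HP code. The rules directory path is an assumption:
# the guide does not name it, so it is passed as the first argument.

# List entries in the tree that someone other than the owner can write to,
# or that are not owned by the expected account (name or numeric uid).
audit_tree() {
    dir=$1; owner=${2:-root}
    # Group- or world-writable files and directories (symlink modes ignored).
    find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print |
        sed 's/^/WRITABLE /'
    # Entries owned by an account other than the expected administrator.
    find "$dir" ! -user "$owner" -print | sed 's/^/OWNER /'
}

# List ancestor directories that would let a non-owner rename or replace the
# rules directory: group- or world-writable without the sticky bit.
audit_parents() {
    p=$(cd "$1" && pwd -P) || return 2
    while [ "$p" != "/" ]; do
        p=$(dirname "$p")
        find "$p" -prune \( -perm -020 -o -perm -002 \) ! -perm -1000 -print |
            sed 's/^/PARENT /'
    done
}

# Return 0 when nothing is reported, 1 when any finding is printed,
# 2 when the argument is not a directory.
audit_rules_dir() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    out=$(audit_tree "$1" "${2:-root}"; audit_parents "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Runs only when a path is supplied, e.g.: sh audit.sh <rules-directory> root
if [ "$#" -gt 0 ]; then audit_rules_dir "$@"; fi
```

A finding of any kind means an account other than the CMS administrator can alter rule definitions, directly or by replacing the directory.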
In order to invoke a rule, you must either have access to the Data Center Power Control Rules page or be
on the list of Systems Insight Manager users allowed to run the rule. Authentication of the user is performed
through standard Systems Insight Manager authentication mechanisms (GUI, SOAP, or CLI).
When running a rule, the rule acts with full authority (user "mxadmin") on all target systems, regardless of
the privileges of the user who invoked it. Rule execution therefore acts as a privilege elevation mechanism.
In particular:
• The Shutdown tool is implemented by calling SSA tools that run as the 'Administrator' user on Windows
  target systems and as 'root' on Linux and HP-UX target systems, with appropriate SSH credentials. For
  target systems that do not allow root SSH login, use Systems Insight Manager's privilege elevation
  tool. You can log in to target systems using appropriate SSH credentials stored in Systems Insight
  Manager along with any privilege elevation credentials needed when the rule is executed.
  For more information on SSH credentials and Systems Insight Manager's privilege elevation tool, see
  the Secure Shell (SSH) in Systems Insight Manager 5.x white paper and HP Systems Insight Manager
  Installation and Configuration Guide for Microsoft Windows, Linux, and HP-UX at
  http://h18013.www1.hp.com/products/servers/management/hpsim/infolibrary.html.
• The Power State tool is implemented by connections to the system iLOs that use the iLO credentials
  stored in Systems Insight Manager.