A.05.80 HP Insight Remote Support Advanced and Remote Device Access Security Overview (October 2012)

Security Overview
Chapter 2: HP Insight Remote Support Advanced
authentication data in the client interface. The proxy password is encrypted via 128-bit AES encryption
and stored on the file system in the folder:
<Client Install Location>\config
The AES key itself is compiled into the client service executable.
Note: Insight Remote Support Advanced supports connecting directly to the Internet or connecting
through a proxy server and supports all proxy servers conforming to the HTTP/1.0 Specification.
Insight Remote Support Advanced does not support proxies using proxy auto-configuration scripts,
NTLM authentication (also known as Integrated Windows Authentication), or Kerberos authentication.
Data Collection and Storage
For each device enabled for remote support, the client will collect a set of attributes used for identification
(the specific fields depend on the device) and send a registration event to HP. All data sent to HP is
encrypted using SSL/TLS encryption prior to transport to the HP Remote Support Data Center (RSDC)
over HTTPS. Confidential data elements in the information sent to HP and stored in the Remote Support
Database and on backup media are encrypted using the Advanced Encryption Standard (AES) symmetric
block cipher with a 192-bit key. To enable customers to see the information sent to HP, the client stores a
copy of each data submission. These are stored in the client folder structure under
<Client Install Location>\data
and are removed 14 days after the submission has been closed. (The customer can configure this
retention time.) Access to this directory should be restricted to protect the client object code and sensitive
data which it manages.
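The PowerShell script below is an added example, not part of the HP document or product. It checks the config and data folders described above for allow entries that grant broad groups read or modify access. The parameter name, the list of broad groups and the set of rights treated as risky are assumptions of this example.

```powershell
# Added example, not HP code. Run from an elevated prompt on the client host.
param(
    # Assumption: the caller passes the real <Client Install Location>.
    [Parameter(Mandatory = $true)][string]$ClientInstallLocation
)

# Broad principals, matched by well-known SID so localized group names do not matter.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Rights that expose stored data or allow changes to client files.
$Risky = [int][System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
# GENERIC_READ | GENERIC_WRITE | GENERIC_ALL, which some ACEs carry unmapped.
$Generic = -805306368   # 0xD0000000 as Int32

function Get-BroadAccess {
    param([string]$Path, [bool]$IncludeInherited)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IsInherited -and -not $IncludeInherited) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }  # account no longer resolves; nothing to match
        $rights = [int]$ace.FileSystemRights
        if ($BroadSids.ContainsKey($sid) -and ($rights -band ($Risky -bor $Generic))) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = foreach ($sub in 'config', 'data') {
    $root = Join-Path $ClientInstallLocation $sub
    if (-not (Test-Path -LiteralPath $root)) { Write-Warning "Not found: $root"; continue }
    # Root: report every broad grant. Children: only explicit ACEs added below the root.
    Get-BroadAccess -Path $root -IncludeInherited $true
    Get-ChildItem -LiteralPath $root -Recurse -Force |
        ForEach-Object { Get-BroadAccess -Path $_.FullName -IncludeInherited $false }
}
if ($findings) { $findings | Format-Table -AutoSize } else { 'No broad grants found on config or data.' }
```

Because the AES key is compiled into the client executable, the permissions on the config folder are the effective protection for the stored proxy password, so any finding there deserves the same attention as one on data.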
User Interface - Integration with HP SIM
The Insight Remote Support Advanced user interface is a plug-in to HP SIM via the HP System
Management Homepage (HP SMH) and leverages the user account authentication provided by that
application. All web browser connections to the Insight Remote Support Advanced interface are available
only through HTTPS.
The Remote Support Client interacts directly with several HP SIM web services during its operation. To
establish these secure connections, the client utilizes server and client certificate information managed by
the HP SMH tool, which is installed as a required product with HP SIM. As part of its installation, HP
SMH stores HP SIM’s public server certificate, generates a client certificate, and imports that
certificate for HP SIM’s use.
Important: The implementation of HP-UX Advanced Configuration Collector (via SMH) introduces a
potential privilege elevation security vulnerability for the monitored HP-UX servers. Once the SMH
Certificates are exchanged between SMH and HP SIM, any HP SIM user with permissions to view
the device status (in HP SIM) has the ability to execute privileged user commands on the HP-UX
server as the root user.