HP Systems Insight Manager 5.3 with Update 1 Installation and Configuration Guide for Linux HP Part Number: 418811-005 Published: April 2009 Edition: 5.3.1

environments. It provides access to both software data and hardware data that is readable by
WBEM-compliant applications.
HP SIM keeps a database of passwords for managed systems running WBEM. The database contains the
user names and passwords for each managed system, which are required to provide user authentication for
tools using this protocol. These accounts do not need to have other access capabilities, such as login rights.
They are only used for WBEM access by HP SIM. The WBEM user name and password can be set from the
CLI or GUI. For more information, see the "Administering the Software" section in the HP Systems Insight Manager 5.3 User Guide at http://h18013.www1.hp.com/products/servers/management/hpsim/infolibrary.html.
HP SIM uses HTTPS to access WBEM data, providing a secure path for system management data. For access
to Windows management data instrumented in Windows Management Instrumentation (WMI), a WMI
Mapper running on a Windows system converts the HTTPS WBEM requests into WMI requests, which use
Distributed Component Object Model and NT security.
HTTPS
HTTPS is simply HTTP over SSL, a protocol that supports sending data securely over the Web. HTTPS
is used to access WBEM data as explained in the previous section, and it is used to access ProLiant agent
information. Digital certificates are used instead of user names and passwords to establish trust between the
agent and the CMS. The certificate of the CMS should be loaded into each agent to be managed by that
CMS.
SNMP
SNMP is a set of protocols for managing complex networks. SNMP works by sending messages,
called protocol data units (PDUs), to different parts of a network. SNMP-compliant devices, called agents,
store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP
requesters. SNMP is available in several versions. SNMP Version 1, used by HP SIM, is not a secure protocol.
Therefore, anyone with access to your network can intercept and view SNMP transactions.
HP SIM keeps a database of read and write community names for managed systems running SNMP. The
community names must match those configured on the management system. The SNMP community names
and passwords can be set from the CLI or GUI. For more information, see the "Administering the Software"
section in the HP Systems Insight Manager 5.3 User Guide at http://h18013.www1.hp.com/products/servers/management/hpsim/infolibrary.html.
HP SIM does not use SNMP SetRequests. By default, the supported operating system platforms have SNMP
SetRequests disabled. For improved security, do not enable SNMP SetRequests on the CMS or the managed
systems. Even SNMP GetRequest responses can be spoofed, so all information from SNMP should be regarded
as insecure.
Web server security
HP SIM uses the Tomcat web server on the CMS. Tomcat features that are not required by HP SIM are turned
off by default. These features include Server Side Includes and Common Gateway Interface scripts.
Self-signed certificates
The self-signed certificates used for WBEM and web server authentication make it possible for another system
to impersonate the CMS if the valid certificate is not securely imported into the client or browser, which is
known as spoofing. To prevent the possibility of spoofing, use a certificate signed by a trusted Certificate
Authority (CA) or securely export the certificate by browsing locally to the CMS and then securely importing
it into your browser. You can also obtain the server certificate by browsing remotely and saving it in the
browser the first time you access HP SIM, but this option is less secure and still susceptible to a possible
"man-in-the-middle" attack. Information about importing CA-signed certificates is available in the "Administering
the Software" section of the HP Systems Insight Manager 5.3 User Guide at http://h18013.www1.hp.com/products/servers/management/hpsim/infolibrary.html.
X application security
The data exchanged between an X client (or application) running on a managed system and an X server
on the network client is transmitted in clear text over the network. HP does not recommend X clients in
environments in which security is a concern.