Understanding HP SIM 5.1 and 5.2 security (481362-003, January 2009)

ManualsBrandsHP ManualsSoftwareHP Systems Insight Manager 6.x Linux Software

Understanding HP SIM 5.1 and 5.2 security

Overview............................................................................................................................................ 3

Architecture overview........................................................................................................................... 3

Communication protocols ..................................................................................................................... 3

Simple Network Management Protocol (SNMP) ................................................................................... 3

Hyper Text Transfer Protocol (HTTP).................................................................................................... 3

Web-Based Enterprise Management (WBEM)...................................................................................... 3

Desktop Management Interface (DMI)................................................................................................. 4

Remote Method Invocation (RMI)........................................................................................................ 4

Remote Wake-Up............................................................................................................................. 4

Internet Control Message Protocol (ICMP) ........................................................................................... 4

Lightweight Directory Access Protocol (LDAP)....................................................................................... 4

Simple Object Access Protocol (SOAP) ............................................................................................... 4

Securing communication....................................................................................................................... 4

Secure Sockets Layer (SSL) ................................................................................................................ 4

Secure Shell (SSH)............................................................................................................................ 4

HTTPS............................................................................................................................................. 5

Secure Task Execution and Single Login.............................................................................................. 5

Distributed Task Facility .................................................................................................................... 5

WBEM............................................................................................................................................ 5

LDAP .............................................................................................................................................. 5

RMI ................................................................................................................................................ 6

Credential management ....................................................................................................................... 6

SSL certificates................................................................................................................................. 6

Certificate sharing............................................................................................................................ 6

SSH keys ........................................................................................................................................ 6

Passwords....................................................................................................................................... 6

Configuring managed systems............................................................................................................... 7

Manage Communications ................................................................................................................. 7

Agent installation ............................................................................................................................. 7

Agent configuration.......................................................................................................................... 7

Authorizations ................................................................................................................................. 7

Summary of content (20 pages)

PAGE 1
Understanding HP SIM 5.1 and 5.2 security Overview............................................................................................................................................ 3 Architecture overview ........................................................................................................................... 3 Communication protocols .....................................................................................................................
PAGE 2
Browser .............................................................................................................................................. 7 SSL................................................................................................................................................. 7 Cookies .......................................................................................................................................... 7 Passwords .................................................
PAGE 3
Overview This document is provided as an overview of the security features available in the HP Systems Insight Manager (HP SIM) framework. More detailed documentation can be found in the HP Systems Insight Manager Technical Reference Guide. Architecture overview HP SIM runs on a central management server (CMS) and communicates with managed systems using various protocols. The customer can browse to the CMS or directly to the managed system. Figure 1.
PAGE 4
Desktop Management Interface (DMI) DMI is a legacy protocol for management data and has been largely superseded by WBEM. DMI is based on Distributed Computing Environment Remote Procedure Call (DCE/RPC) and is not secure. Remote Method Invocation (RMI) Java™ RMI is used within the CMS only for inter-process communication. Remote Wake-Up Remote Wake-Up refers to the ability to remotely turn on a system that is in a soft-off power state.
PAGE 5
HTTPS HTTPS (Hyper Text Transfer Protocol Secure) refers to HTTP communications over SSL. All communications between the browser and HP SIM are carried out over HTTPS. HTTPS is also used for much of the communication between the CMS and the managed system. Secure Task Execution and Single Login Secure Task Execution (STE) is a mechanism for securely executing a command against a managed system using the Web agents. It provides authentication, authorization, privacy, and integrity in a single request.
PAGE 6
RMI Java RMI is secured by requiring digitally signed requests using the CMS private key, which should only be available to the local system. All communications use localhost to prevent the communication from being visible on the network. Credential management SSL certificates Certificates generated by HP SIM and the Web Agents are self-signed.
PAGE 7
Configuring managed systems Manage Communications The Manage Communications tool can be used to diagnose and repair communication problems between HP SIM and managed systems. If communication problems are detected that might affect identification, receiving events, running tools, or version control, they are listed for each system. You can then reconfigure certain communication settings and credentials and install agents on target systems.
PAGE 8
Browser warnings There are several types of warnings that can be displayed by the browser or by the Java plug-in on the browser, most having to do with the SSL server certificate. Untrusted system This warning indicates the certificate was issued by an untrusted system. Since certificates are by default self-signed, this is likely if you have not already imported the certificate into your browser. In the case of CA-signed certificates, the signing root certificate must be imported.
PAGE 9
when browsing. You might need to configure Internet Explorer, or use a different name format when browsing. System link format To facilitate navigation to managed systems, HP SIM provides the System Link Configuration option to configure how links to managed systems are formed. Go to OptionsÆSecurityÆSystem Link Configuration.
PAGE 10
Background processes On Windows, HP SIM is installed and runs as a Windows service. The service account requires administrator privileges on the CMS and the database, and can be either a local or a domain account. For automatic sigh-in to HP SIM, a domain account must be used.. On UNIX, HP SIM is installed and runs as daemons running as root.
PAGE 11
Auditing The HP SIM audit log contains entries for important system activities, such as executed tasks, authorization modifications, user sign in and sign out, and so on. Tools by default are configured so that results are logged to the audit log, but their tool definition files can be modified so that this is not the case. Command-line interface Much of HP SIM’s functionality can be accessed through the command line.
PAGE 12
limited privileges for WMI access. You can configure the accounts accepted by each Windows managed system by using the Computer Management tool: 1. First select the WMI Control item 2. Right-click WMI Control and select Properties 3. Select the Security tab, select Root namespace, and click Security. 4. Add a user to access WMI data along with their access rights. The enable account and remote enable permissions must be enabled for correct operation of HP SIM. 5.
PAGE 13
3. If you have already deployed the Insight Management Agents, you can distribute the security settings file and the HP SIM certificate directly to the managed systems using OS security. IMPORTANT: When using the Trust by certificate option, the HP SIM SSL certificate must be redistributed if a new SSL certificate is generated for HP SIM. SSH on the managed system normally operates in a mode similar to trust by certificate in that it requires the SSH public key from the CMS.
PAGE 14
5. For SSH, turn on the option to accept SSH connections only from specified systems. Select OptionsÆSecurityÆSSH Keys and enable the option The central management server will accept an SSH connection only if the key is in list below. Afterwards, you must manually import each managed system’s public SSH key into the list of keys in HP SIM. Note: To configure this in previous version of HP SIM, add or modify the following line in H mx.properties: MX_SSH_ADD_UNKNOWN_HOSTS=false and then restart HP SIM.
PAGE 15
authentication (configurable7) Y 50003 HTTP HP SIM SOAP (configurable8) 50004 HTTPS/HTTP WBEM event receiver (configurable) Y 50005 WBEM WBEM Events Y 50006 PostgreSQL PostgreSQL Y 50008 SIM JMS JMS port Y 50009 SIM JNDI JNDI port 50010 DMI 50013 RMI Web Services RMI Loader 50014 JRMP JRMP Invoker 50015 Pooled invoker Pooled invoker Y Y Y Y 5 DMI Y 4 Y 411 HTTP IBM Director agent Y 4 Y 1311 HTTPS Server administrator Y 4 2069 HTTP OSEM Y 4 Y 3202
PAGE 16
Port number is configurable in mx.properties using MX_SOAP_HTTP_PORT; port can be enabled/disabled in globalsettings.props using HTTP_SOAP_PORT_ENABLE with “true” or “false.” 8 NOTE: It is not recommended that you enable management protocols such as SNMP or DMI on systems outside your firewall or directly connected to the Internet. Vulnerability and Patch Management Pack firewall ports HP SIM Server The following ports must be open on the HP SIM server.
PAGE 17
• http://download.microsoft.com/ • https://www.hp.com/ • http://managementsoftware.hp.
PAGE 18
For more information, refer to the following sources: • http://www.microsoft.com/sql/techinfo/administration/2000/security/winxpsp2faq.asp • http://support.microsoft.com/default.
PAGE 19
HP SIM Port Protocol Description 161 TCP/UDP SNMP 162 TCP/UDP SNMP traps 2301, 2381, 49400 TCP HP Proliant Agents Radia Patch Manager Port Protocol Description 3465 TCP Radia Agent 3463 (remote exec) TCP Agent deployment Virtual Machine Management Pack ports The Virtual Machine Management Pack uses the following ports: Port 1124 1125 1126 Protocol Description TCP and UDP HP VMM Control TCP and UDP HP VMM Agent TCP and UDP HP VMM Agent Note: This port is applicable to CMS onl
PAGE 20
Integrated Lights-Out (iLO) ports The following ports are used by iLO. Disabling certain features of iLO will affect the list of ports actually opened by iLO. Refer to the Integrated Lights-Out Security technology brief located at: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00212796/c00212796.