Understanding HP SIM 5.1 and 5.2 security (481362-003, January 2009)

limited privileges for WMI access. You can configure the accounts accepted by each Windows
managed system by using the Computer Management tool:
1. First select the WMI Control item
2. Right-click WMI Control and select Properties
3. Select the Security tab, select Root namespace, and click Security.
4. Add the user that will read WMI data and set its access rights. The Enable Account and
Remote Enable permissions must be granted for HP SIM to operate correctly; no other rights
are required for this purpose.
5. The user name and password specified here must be configured in the CMS.
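The following script is an added example, not part of the HP SIM guide, and is the scripted equivalent of steps 1 to 4 above. It grants a dedicated account only the "Enable Account" (0x1) and "Remote Enable" (0x20) rights on the Root WMI namespace, inherited by sub-namespaces, and reads the DACL back to verify. The account name HPSIM\svc-hpsim is an assumed placeholder; run it elevated on the managed Windows system.

```powershell
# Added example (not from the HP SIM guide). Grants the two WMI rights HP SIM
# needs on the Root namespace and verifies them by reading the DACL back.
# The account 'HPSIM\svc-hpsim' used below is a placeholder assumption.

$WBEM_ENABLE        = 0x1    # "Enable Account"
$WBEM_REMOTE_ACCESS = 0x20   # "Remote Enable"
$CONTAINER_INHERIT  = 0x2    # AceFlags: ACE also applies to sub-namespaces
$ACCESS_ALLOWED     = 0x0    # AceType of an allow ACE

function Get-WmiNamespaceDescriptor {
    param([string]$Namespace = 'root', [string]$ComputerName = '.')
    $r = Invoke-WmiMethod -ComputerName $ComputerName -Namespace $Namespace `
                          -Path '__systemsecurity=@' -Name GetSecurityDescriptor
    if ($r.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with $($r.ReturnValue)" }
    return $r.Descriptor          # a Win32_SecurityDescriptor with a DACL array of Win32_ACE
}

function ConvertTo-Sid([string]$Account) {
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Test-HpSimWmiAccess {
    # $true if an allow ACE for $Account carries both rights HP SIM needs.
    param([Parameter(Mandatory)][string]$Account,
          [string]$Namespace = 'root', [string]$ComputerName = '.')
    $sid    = ConvertTo-Sid $Account
    $needed = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
    $acl    = Get-WmiNamespaceDescriptor -Namespace $Namespace -ComputerName $ComputerName
    foreach ($ace in $acl.DACL) {
        if ($ace.AceType -eq $ACCESS_ALLOWED -and $ace.Trustee.SIDString -eq $sid -and
            (($ace.AccessMask -band $needed) -eq $needed)) { return $true }
    }
    return $false
}

function Grant-HpSimWmiAccess {
    param([Parameter(Mandatory)][string]$Account,
          [string]$Namespace = 'root', [string]$ComputerName = '.')
    if (Test-HpSimWmiAccess @PSBoundParameters) { return }   # already in place, nothing to do

    $acl = Get-WmiNamespaceDescriptor -Namespace $Namespace -ComputerName $ComputerName

    $trustee = (New-Object System.Management.ManagementClass('Win32_Trustee')).CreateInstance()
    $trustee.SIDString = ConvertTo-Sid $Account

    $ace = (New-Object System.Management.ManagementClass('Win32_Ace')).CreateInstance()
    $ace.AccessMask = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS   # nothing beyond what HP SIM needs
    $ace.AceFlags   = $CONTAINER_INHERIT
    $ace.AceType    = $ACCESS_ALLOWED
    $ace.Trustee    = $trustee

    # Append the new ACE to the existing DACL and write the descriptor back.
    $acl.DACL += $ace.PSObject.ImmediateBaseObject

    $r = Invoke-WmiMethod -ComputerName $ComputerName -Namespace $Namespace `
                          -Path '__systemsecurity=@' -Name SetSecurityDescriptor `
                          -ArgumentList $acl.PSObject.ImmediateBaseObject
    if ($r.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed with $($r.ReturnValue)" }
}

# Usage with the placeholder account:
Grant-HpSimWmiAccess -Account 'HPSIM\svc-hpsim'
Test-HpSimWmiAccess  -Account 'HPSIM\svc-hpsim'
```

Two caveats a practitioner should keep in mind: the script only touches the WMI namespace ACL, so an account that is not a local administrator may additionally need DCOM Remote Launch and Remote Activation permissions before remote WMI queries succeed; and because the ACE is written with container inheritance, it applies to every sub-namespace under Root, which is what HP SIM expects but is broader than a single namespace grant.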
Set up user accounts for Insight Web Agents.
Add CMS SSH public key to the system’s trusted key store by running mxagentconfig on the
CMS.
Configure trust relationship option for Insight Web Agents; import CMS SSL certificate if set to trust
by certificate.
Configuring the CMS for managed systems
The CMS must be configured with the user name and password used for WBEM and WMI access,
and for the SNMP community names. These can be set using the Global Protocol Settings page if
a common user name and password or community name is used across all the systems in the network,
or individually for systems using the System Protocol Settings page. Both of these are accessible
from the Options > Protocol Settings menu. The command line tool mxnodesecurity can also
be used to configure these settings. Refer to the man page or online documentation for details.
IMPORTANT: Any passwords specified in the Global Protocol Settings page are tried against every
discovered system during system identification. Sensitive passwords, such as root or domain
administrator passwords, should not be specified here if any of the systems that may answer
are untrustworthy, because the credentials would be sent to them.
How-to: lockdown versus ease of use
Moderate
The Insight Management Agents should be configured to trust by certificate. This requires distributing
the HP SIM certificate, which includes the public key, to all the managed systems. Once the systems
have been configured to trust the HP SIM system, they will accept secure commands from that
particular system only.
This certificate can be distributed in a number of different ways including:
1. Use the Web-based interface in an individual Insight Management Agent to specify the
HP SIM system to trust. This causes the agent to pull the digital certificate from the HP SIM
system immediately, lets you verify it, and then sets up the trust relationship. This option has
a limited window of exposure: an attacker who can impersonate the HP SIM system at the
moment the certificate is pulled can establish an unexpected trust relationship, so the
certificate shown should be checked against the one on the CMS before it is accepted. With
that check it is reasonably secure for most networks.
2. Import the HP SIM certificate during initial installation of the Insight Management Agents. This
can be done manually during an attended installation or through the configuration file in an
unattended one. This method is more secure because there is little opportunity for the spoofing
attack described above.
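The verification that closes the spoofing window in option 1 is comparing the certificate the agent is about to trust with the one actually installed on the CMS. The script below is an added example, not part of the HP SIM guide or the HP SIM product: it connects to the CMS's HTTPS listener, retrieves whatever certificate is presented, and compares its thumbprint with a value recorded out-of-band on the CMS itself. The port 50000 and the host name are assumptions, as is the placeholder thumbprint.

```powershell
# Added example (not from the HP SIM guide). Fetches the certificate presented by
# the CMS and compares its SHA-1 thumbprint with one obtained out-of-band, so the
# agent is only pointed at a CMS whose identity has been checked.
# Assumptions: the CMS HTTPS listener is on port 50000 (the guide states no port),
# and $ExpectedThumbprint was read directly on the CMS over a trusted channel.

function Get-RemoteCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 50000)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate at this stage: we are retrieving it, not trusting it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-CmsCertificate {
    # $true only when the presented certificate matches the thumbprint recorded on the CMS.
    param([Parameter(Mandatory)][string]$HostName,
          [Parameter(Mandatory)][string]$ExpectedThumbprint,
          [int]$Port = 50000)
    try {
        $cert = Get-RemoteCertificate -HostName $HostName -Port $Port
    } catch {
        Write-Warning "Could not retrieve a certificate from ${HostName}:${Port}: $_"
        return $false
    }
    # Normalise both sides: strip separators such as ':' or spaces, compare case-insensitively.
    $actual   = $cert.Thumbprint       -replace '[^0-9A-Fa-f]', ''
    $expected = $ExpectedThumbprint    -replace '[^0-9A-Fa-f]', ''

    Write-Host ("Subject : {0}" -f $cert.Subject)
    Write-Host ("Valid   : {0} to {1}" -f $cert.NotBefore, $cert.NotAfter)
    Write-Host ("SHA-1   : {0}" -f $actual)

    if ($actual -ieq $expected) {
        Write-Host "OK: $HostName presented the expected CMS certificate."
        return $true
    }
    Write-Warning "MISMATCH: $HostName presented $actual, expected $expected. Do not set up the trust relationship."
    return $false
}

# Usage (placeholder host and thumbprint):
Test-CmsCertificate -HostName 'cms.example.com' -ExpectedThumbprint 'AB12CD34EF56AB12CD34EF56AB12CD34EF56AB12'
```

The expected thumbprint must come from the CMS by a path the attacker cannot influence (for example read on the CMS console), otherwise the comparison proves nothing. If the CMS only offers an older TLS or SSL version that the client runtime has disabled, AuthenticateAsClient will fail before any certificate is returned; that is reported as a retrieval failure rather than a match, so the function still refuses to approve the trust.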