Manualshelf

Understanding HP SIM 5.1 and 5.2 security (481362-003, January 2009)

ManualsBrandsHP ManualsSoftwareHP Systems Insight Manager 6.x Linux Software
11121314151617181920
3. If you have already deployed the Insight Management Agents, you can distribute the security
settings file and the HP SIM certificate directly to the managed systems using OS security.
IMPORTANT: When using the Trust by certificate option, the HP SIM SSL certificate must be
redistributed if a new SSL certificate is generated for HP SIM. SSH on the managed system
normally operates in a mode similar to trust by certificate in that it requires the SSH public key
from the CMS. Note that the SSH public key is not the same as the SSL certificate. The command
mxagentconfig is used on the CMS to copy the key to the managed system. This must be done
for each user account that is to be used on the managed system since the root or Administrator
account is used by default.
IMPORTANT: The HP SIM SSH public key must be redistributed if the SSH key-pair is
regenerated.
Strong
The strong security option lets you take advantage of every security feature. This option provides the
highest level of security available within the HP SIM security framework, but there are some additional
procedural steps you must make in your server operations. Also, this option is facilitated by using your
own PKI that includes a certificate authority and certificate server.
1. First, you must generate certificates from your certificate server for each managed system and
the HP SIM system. To do this, first generate a certificate signing request (CSR) from the
various systems. This generates a PKCS#7 file. This file should then be taken to the certificate
server and signed, and then the resulting file (generally a PKCS#10 response) should be
imported into the each managed system and the HP SIM system.
IMPORTANT: To maximize security, it is important that none of these steps be done over a
network unless all communications are already protected by some other mechanism.
Thus, in the case of the Insight Management Agents, a removable media (for example, USB
thumb drive, floppy disk) should be taken directly to the managed system, have the PKCS#7
file placed on it, and hand-carried to a secure system with access to the certificate server. The
PKCS#10 response file should similarly be placed on the removable media and returned to
the managed system to be imported into the Insight Management Agents.
2. Take the root certificate (just the certificate, not the private key) of your certificate server and
import that into the HP SIM trusted certificate list. This allows HP SIM to trust all the managed
systems because they were signed with this root certificate.
3. Take the certificate from the HP SIM system and import it into the Insight Management Agents
of each system. This allows the managed systems to trust the HP SIM system. This certificate
can be distributed using any of the methods available to distribute the HP SIM certificate.
However, the option to pull the certificate directly from the HP SIM system over the network
must be avoided due to the potential man-in-the-middle attack.
IMPORTANT: As in the Moderate option, you must redistribute the HP SIM SSL certificate to
the managed systems whenever a new HP SIM SSL certificate is generated.
4. Once these steps have been completed, you can turn on the option in HP SIM to enable
Require Trusted Certificates. Select OptionsÆSecurityÆCertificatesÆTrusted
Certificate. The warnings presented around this option make it clear that any managed
system that does not have a certificate signed by your certificate server will not be sent secure
commands from the HP SIM system, although it will be monitored for hardware status.