Understanding HP SIM 5.1 and 5.2 security (481362-003, January 2009)

HTTPS
HTTPS (Hypertext Transfer Protocol Secure) refers to HTTP communications over SSL. All
communications between the browser and HP SIM are carried out over HTTPS. HTTPS is also used for
much of the communication between the CMS and the managed system.
Secure Task Execution and Single Login
Secure Task Execution (STE) is a mechanism for securely executing a command against a managed
system using the Web agents. It provides authentication, authorization, privacy, and integrity in a
single request. Single Login provides the same features but is performed when browsing a system.
Secure Task Execution and Single Login are implemented in very similar ways. SSL is used for all
communication during the STE and Single Login exchange. A single-use value is requested from the
system prior to issuing the STE or Single Login request, to help protect against replay and delayed
intercept attacks. Afterwards, HP SIM issues the digitally signed Secure Task Execution or Single Login
request. The managed system uses the digital signature to authenticate the HP SIM server. Note that
the managed system must have a copy of the CMS SSL certificate imported into the Web agent and
be configured to “trust by certificate” to validate the digital signature. SSL can optionally authenticate
the system to HP SIM, using the system’s certificate, to prevent HP SIM from inadvertently providing
sensitive data to an unknown system.
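The exchange just described, as an added example that is not from the HP SIM document or product: the managed system issues a single-use value, the CMS signs that value together with the command, and the managed system verifies the signature against the trusted CMS key before consuming the value, so a replayed or delayed copy of the same request is refused. It assumes an Ed25519 key standing in for the imported CMS SSL certificate and a `nonce|command` message layout; both are choices made for this example, not HP SIM's wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// ManagedSystem stands in for the Web agent; trustedCMS plays the role of the imported CMS certificate.
type ManagedSystem struct {
	trustedCMS ed25519.PublicKey
	nonces     map[string]bool
}

// IssueNonce is step 1: the CMS requests a fresh single-use value over SSL.
func (m *ManagedSystem) IssueNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	n := fmt.Sprintf("%x", b)
	m.nonces[n] = true
	return n, nil
}

// SignSTE is step 2 on the CMS: one signature covers nonce and command together,
// so neither can be altered or reused without invalidating it (assumed layout, not HP SIM's).
func SignSTE(cmsPriv ed25519.PrivateKey, nonce, command string) []byte {
	return ed25519.Sign(cmsPriv, []byte(nonce+"|"+command))
}

// Execute is step 3: the nonce must be issued and unused, and the signature must verify under the CMS key.
func (m *ManagedSystem) Execute(nonce, command string, sig []byte) error {
	if !m.nonces[nonce] {
		return fmt.Errorf("unknown or already used nonce %q: treated as replay", nonce)
	}
	if !ed25519.Verify(m.trustedCMS, []byte(nonce+"|"+command), sig) {
		return fmt.Errorf("signature on %q does not verify under the trusted CMS key", command)
	}
	delete(m.nonces, nonce) // a delayed or replayed copy of this request now fails
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ms := &ManagedSystem{trustedCMS: pub, nonces: map[string]bool{}}
	n, _ := ms.IssueNonce()
	sig := SignSTE(priv, n, "restart-agent")
	fmt.Println("first:", ms.Execute(n, "restart-agent", sig), "| replay:", ms.Execute(n, "restart-agent", sig))
}
```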
Note to Insight Manager 7 users: Insight Manager 7 used the Automatic Device Authentication
setting to control STE and Single Login access levels; these are replaced by tools in the new HP SIM
authorization model. Any tool that requires STE access to the Web Agents includes it implicitly. For
Single Login to Web Agents, the Replicate Agent Settings and Install Software and Firmware tools
each provide administrator-level access to the Web Agents. System Management Homepage As
Administrator, System Management Homepage As Operator, and System Management Homepage
As User each provide Single Login access at the described level.
Distributed Task Facility
The Distributed Task Facility (DTF) is used for Custom Command tools and multiple- and single-system
aware tools. Commands are issued securely to the managed system using SSH. Each managed
system must have the CMS SSH public key in its trusted key store so that it can authenticate the CMS.
Managed systems are also authenticated to the CMS by their SSH public key.
Note to HP Servicecontrol Manager Users: SSH replaces the existing signed RMI connections used
by the DTF in HP Servicecontrol Manager. This adds a level of encryption and data integrity over
signed RMI that was previously only available through the use of a secure network protocol such as
IPSec.
WBEM
All WBEM access is over HTTPS for security. HP SIM is configured with a user name and password
for WBEM agent access. Using SSL, HP SIM can optionally authenticate the managed system using its
SSL certificate.
LDAP
When configured to use a directory service, HP SIM can be configured to use LDAP with SSL (default)
or without SSL, which would transmit credentials in clear-text. To enable LDAP over SSL in Microsoft
Active Directory, refer to http://support.microsoft.com/default.aspx?scid=kb;en-us;321051.
Additionally, the directory server can be authenticated using the Trusted Certificate list in HP SIM.