Understanding HP SIM 5.1 and 5.2 security (481362-003, January 2009)

RMI
Java RMI is secured by requiring that requests be digitally signed with the CMS private key, which
should be available only to the local system. All RMI communication is bound to localhost so that it is
never visible on the network; the signature requirement is what stops an unauthorized process on the
same host from issuing RMI requests, since it has no access to the CMS private key.
Credential management
SSL certificates
Certificates generated by HP SIM and the Web Agents are self-signed. Public Key Infrastructure (PKI)
support is provided so that certificates may be signed by an internal certificate server or a third-party
Certificate Authority (CA). The HP SIM certificate supports multiple names (subject alternative names)
to help alleviate name-mismatch warnings in a browser.
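The name-mismatch check that the multi-name certificate is meant to satisfy, as an added example (not code from the white paper or from HP SIM): given the dNSName and iPAddress entries a certificate carries, it decides whether a browser would accept a particular host name without a warning. The certificate names and hosts below are constructed for illustration; the matching rules (SAN entries take precedence over the CN, wildcards only in the leftmost label, IP addresses only via iPAddress entries) are the ones browsers apply.

```python
"""Hostname matching against a multi-name (SAN) certificate.

Added example, not part of the HP SIM white paper. Models the browser check
behind a name-mismatch warning. Certificate contents are constructed.
"""
import ipaddress


def dns_name_matches(pattern, host):
    """True if a dNSName entry (optionally '*.'-prefixed) covers ``host``."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" in pattern:
        # A wildcard is honoured only as the whole leftmost label and only
        # for names with at least three labels ("*.example.com", not "*.com").
        if p_labels[0] != "*" or len(p_labels) < 3:
            return False
        if any("*" in lbl for lbl in p_labels[1:]):
            return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def host_covered(host, dns_names, ip_names=(), common_name=None):
    """Decide whether a browser would accept ``host`` for this certificate.

    ``dns_names`` and ``ip_names`` are the subjectAltName entries. When any
    SAN entry exists the CN is ignored, as browsers do; the CN is consulted
    only for a certificate that carries no SAN at all.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal must appear as an iPAddress entry; a dNSName holding
        # the dotted string does not count.
        return any(ipaddress.ip_address(n) == ip for n in ip_names)
    if dns_names or ip_names:
        return any(dns_name_matches(n, host) for n in dns_names)
    return common_name is not None and dns_name_matches(common_name, host)


def names_without_warning(cert, hosts):
    """Subset of ``hosts`` that raise no name-mismatch warning for ``cert``.

    ``cert`` is a dict with optional 'cn', 'dns' and 'ip' keys.
    """
    return [h for h in hosts
            if host_covered(h, cert.get("dns", ()), cert.get("ip", ()),
                            cert.get("cn"))]


# Constructed names for a CMS that is reached by several names (assumption).
CMS_CERT = {
    "cn": "cms01.example.com",
    "dns": ["cms01.example.com", "cms01", "hpsim.example.com"],
    "ip": ["192.0.2.10"],
}

if __name__ == "__main__":
    for h in ["cms01", "CMS01.example.com", "192.0.2.10", "cms02.example.com"]:
        ok = host_covered(h, CMS_CERT["dns"], CMS_CERT["ip"], CMS_CERT["cn"])
        print(h, "ok" if ok else "MISMATCH")
```

The practical use is to feed it the short name, FQDN and IP address that operators and partner applications actually type for the CMS, and confirm every one of them is covered before the certificate is signed by the internal CA; a name missing from the list is exactly the case that produces the browser warning the paper describes.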
There are several certificates used by HP SIM. The certificate described above is the main certificate
and is used by the HP SIM SSL web server, the partner application SOAP interface, and the WBEM
indications receiver. This is the certificate used to authenticate HP SIM, if necessary, in the browser, in
partner applications that communicate with HP SIM through SOAP, and in WBEM agents that deliver
indications to HP SIM. This certificate is also configured in managed systems (for example, SMH, OA,
iLO, SE, CV) to enable a trust relationship with the managed system for Single Login (SSO). A
separate certificate in HP SIM is used for authenticating HP SIM to HP-UX WBEM Services 2.5 and
later, when configured to do so for the WBEM protocol. Certificates from managed systems can be
imported into the HP SIM Trusted Certificates list, allowing HP SIM to authenticate those systems. See
the section How-to: lockdown versus ease of use.
Certificate sharing
HP SIM supports a mechanism whereby other components installed on the system can use the same
certificate and private key, facilitating authentication of the system as a whole instead of each
individual component. This is currently used by the Web Agents and the WBEM components on the
CMS.
SSH keys
An SSH key-pair is generated during initial configuration. The CMS public key is copied to the
managed system using the mxagentconfig tool. This key-pair is not the same as for SSL and
requires a manual process to regenerate a new pair. See the manpages or online documentation
for mxagentconfig for more details. See the Secure Shell (SSH) in HP SIM 5.1 and 5.2 white
paper for more information
(http://h18013.www1.hp.com/products/servers/management/hpsim/infolibrary.html).
Passwords
Passwords configured on the HP SIM protocol settings pages are stored in a local file on the CMS,
restricted with operating system file permissions to administrators or root. These passwords can be
further managed using the CLI command mxnodesecurity.
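Two checks a practitioner would want for the material described in the SSH keys and Passwords sections, as one added example (not code from the white paper, from mxagentconfig or from mxnodesecurity): confirm that the CMS SSH public key is present exactly once in a managed system's authorized_keys file, and confirm that a credential file on the CMS is readable by its owner only, which is the file-permission property the Passwords section relies on. The file names, the directory layout and the public key itself are constructed for the demonstration and are not the paths HP SIM uses.

```python
"""Audit of CMS-side credential material: SSH public key placement and
credential-file permissions.

Added example, not part of the HP SIM white paper. All files and the key
below are constructed in a throw-away directory; real paths are assumptions.
"""
import os
import stat
import tempfile

# Constructed CMS public key in authorized_keys line form (not a real key).
CMS_PUBKEY = ("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedkeymaterial0123"
              " mxagent@cms01")


def authorized_keys_entries(text):
    """Parse authorized_keys content into (key_type, key_blob) tuples.

    Comments and blank lines are skipped. A leading options field such as
    from="..." or no-pty is tolerated; options containing embedded spaces
    are not handled by this simple split.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, f in enumerate(fields):
            if f.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
                entries.append((f, fields[i + 1]))
                break
    return entries


def cms_key_present(authorized_keys_text, cms_pubkey=CMS_PUBKEY):
    """Number of times the CMS key appears; exactly one is the expected state."""
    key_type, key_blob = cms_pubkey.split()[:2]
    return sum(1 for t, b in authorized_keys_entries(authorized_keys_text)
               if (t, b) == (key_type, key_blob))


def owner_only(path):
    """True if ``path`` is a regular file with no group or other permission bits."""
    mode = os.stat(path).st_mode
    return stat.S_ISREG(mode) and (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def audit(directory):
    """Create the constructed files in ``directory`` and return the findings."""
    ak = os.path.join(directory, "authorized_keys")
    with open(ak, "w") as fh:
        fh.write("# constructed authorized_keys on a managed system\n")
        fh.write('from="192.0.2.10" ' + CMS_PUBKEY + "\n")
        fh.write("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsomeotheradmin admin@ws\n")
    creds = os.path.join(directory, "protocol_settings.txt")  # assumed name
    with open(creds, "w") as fh:
        fh.write("constructed credential file\n")
    os.chmod(creds, 0o600)
    leaky = os.path.join(directory, "protocol_settings_backup.txt")  # assumed
    with open(leaky, "w") as fh:
        fh.write("constructed copy that was left world-readable\n")
    os.chmod(leaky, 0o644)
    with open(ak) as fh:
        count = cms_key_present(fh.read())
    return {
        "cms_key_count": count,
        "creds_owner_only": owner_only(creds),
        "backup_owner_only": owner_only(leaky),
    }


def run_audit():
    """Run the audit in a temporary directory that is removed afterwards."""
    with tempfile.TemporaryDirectory() as d:
        return audit(d)


if __name__ == "__main__":
    for name, value in run_audit().items():
        print(name, value)
```

The world-readable backup copy is included deliberately: the paper's protection for stored passwords is operating-system file permissions, so any copy of the file made outside the tool (a backup, a migration scratch file) is the place that protection is most often lost, and a periodic check of the mode bits is the cheap way to catch it.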