HP Systems Insight Manager 7.3 Update 1 User Guide

ManualsBrandsHP ManualsSoftwareHP Systems Insight Manager 6.x Windows Software

111

112

113

114

115

116

117

118

119

120

IMPORTANT: If creating operating system accounts exclusively for HP SIM accounts, give users

the most limited set of operating system privileges required. Any root or administrator accounts

should be properly guarded. Configure any password restrictions, lock-out policies, and so on, in

the operating system.

File system

Access to the file system should be restricted to protect the object code of HP SIM. Inadvertent

modifications to the object code can adversely affect the operation of HP SIM. Malicious

modification can allow for covert attacks, such as capturing sign in credentials or modifying

commands to managed systems. Read-level access to the file system should also be controlled to

protect sensitive data such as private keys and passwords, which are stored in a recoverable

format on the file system. HP SIM does not store user account passwords for users signing into HP

SIM.

IMPORTANT: HP SIM sets appropriate restrictions on the application files. These restrictions

should not be changed because this could affect the operation of HP SIM or allow unintended

access to the files.

Background processes

On Windows, HP SIM is installed and runs as a Windows service. The service account requires

administrator privileges on the CMS and the database, and can be either a local or a domain

account. For automatic sign-in to HP SIM, a domain account must be used. On UNIX, HP SIM is

installed and runs as daemons running as root.

Windows Cygwin

The version of Cygwin provided with the SSH server for Windows, for CMS and the managed

systems, has been modified with security enhancements to restrict access to the shared memory

segment. As a result, it does not interoperate with the generally available version of Cygwin. Only

administrative users can connect to a system running the modified SSH server.

HP-UX and Linux

The device /dev/random command is used, if available on the CMS, as a source for random

numbers within HP SIM.

HP SIM database

Access to the database server should be restricted to protect HP SIM data. Specify appropriate

non-blank passwords for all database accounts, including the system administrator (sa) account

for SQL Server. Changes to the operating data, such as authorizations, tasks, and collection

information, can affect the operation of HP SIM. System data contains detailed information about

the managed systems, some of which might be considered restricted including asset information,

configuration, and so on. Task data might contain extremely sensitive data, such as user names

and passwords.

Configuring the SQL Server to enable SSL connection on database in HP SIM

To enable SSL DB communication in HP SIM, you must complete the following:

• “Installing a certificate on a server with Microsoft Management Console (MMC)” (page 113)

• “Configuring SSL for SQL Server” (page 113)

• “Configuration of client to enable trust” (page 114)

• “HP SIM database property settings to enable SSL for SQL Server” (page 114)

112 Understanding HP SIM security