HP WBEM Services for HP-UX System Administrator Guide (5900-1624, April 2011)

To disable the Export HTTPS port, use the cimconfig command to set the planned value of the
configuration property enableSSLExportClientVerification to false and restart the
CIM Server.
HP WBEM Services configuration options security disclaimer
As a security best practice, HP recommends that you disable any network daemon that you do not
use in your environment. Any daemon that is in use must be configured securely according to the
threat environment in which it is located. This is a functionality vs. security risk tradeoff. The
optimal configuration varies depending on local threats and functionality requirements.
Default security information
For ease of manageability, HP WBEM Services defaults to a 'functional' out-of-the-box configuration,
but also provides you with several configuration options so that security risks are minimized.
Following are some of these options:
• You can configure the CIM Server to only accept connections from the local UNIX domain
  sockets. This is appropriate if you have users on your network who are not trusted and if you
  do not plan to use HP WBEM Services for remote management.
• You can configure HP WBEM Services to only allow access from a trusted subset of system
  users such as root, and application users such as Oracle, using a UNIX group.
  Setting up this user group is recommended if you intend to use HP WBEM Services in an
  environment where local users are not trusted, or if HP WBEM Services acts as a second line
  of defense against break-ins and other security threats.
  NOTE: After creating a UNIX group, if an application fails to authenticate, you might have
  to add an application or associated system users.
• HP WBEM Services supports the use of other protective measures for high-threat environments.
  For example, IPSEC, HP-UX Secure Shell, or hardware solutions can be used to create a VPN
  to increase security. A VPN is recommended if you intend to use HP WBEM Services for
  management across a network that is not trusted, such as an exposed DMZ or the public
  Internet.
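
The following is an added example, not part of the HP guide: a shell function that audits a saved planned configuration against the options listed above. It assumes the planned configuration is available as name=value lines (for example, saved from `cimconfig -l -p`) and that the property names enableHttpConnection, enableHttpsConnection and authorizedUserGroups apply to the installed release; only enableSSLExportClientVerification is named in the text above.

```shell
#!/bin/sh
# Added example: audit a saved planned configuration against the options above.
# Assumed input: name=value lines, e.g. from `cimconfig -l -p > planned.cfg`.
# Assumed property names (not in the guide text above): enableHttpConnection,
# enableHttpsConnection, authorizedUserGroups.

# get_prop NAME FILE: print the last value assigned to NAME (empty if unset).
get_prop() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        tail -1 | sed 's/[[:space:]]*$//'
}

flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

# audit_wbem_config FILE [local-only|remote]
# Prints one line per deviation; exit status is the number of findings.
audit_wbem_config() {
    cfg=$1; mode=${2:-local-only}; findings=0
    if [ "$mode" = "local-only" ]; then
        # No remote management planned: both network listeners should be off.
        for p in enableHttpConnection enableHttpsConnection; do
            [ "$(get_prop "$p" "$cfg")" = "false" ] ||
                flag "$p is not false: CIM Server accepts network connections"
        done
    fi
    [ "$(get_prop enableSSLExportClientVerification "$cfg")" = "false" ] ||
        flag "enableSSLExportClientVerification is not false: Export HTTPS port enabled"
    [ -n "$(get_prop authorizedUserGroups "$cfg")" ] ||
        flag "authorizedUserGroups is empty: access not limited to a UNIX group"
    return "$findings"
}

# Constructed sample of a planned configuration (not from a real system).
sample_planned_config() {
    cat <<'EOF'
enableHttpConnection=false
enableHttpsConnection=true
enableSSLExportClientVerification=true
authorizedUserGroups=
EOF
}
```

Pass `remote` as the second argument when remote management is intended; the listener check is then skipped and only the Export HTTPS and group restrictions are audited.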