HP WBEM Services for HP-UX System Administrator Guide (5900-1624, April 2011)

NOTE: Basic Authentication requires the client to pass both the user name and password, in
Base64 encoding. This encoding is not secure. SSL (enableHttpsConnection) must be disabled
only in a highly secure environment where transferring clear text passwords does not pose a security
threat.
HP WBEM Services uses OpenSSL to support HTTPS connections. OpenSSL is a cryptography
toolkit that implements the network protocols and related cryptography standards of SSL v2/v3
and TLS (Transport Layer Security). For more information about OpenSSL, see
http://www.openssl.org/docs.
On the HTTPS port, CIM clients are required to use SSL (Secure Socket Layer) to establish connections
with the CIM Server and to send or receive CIM requests.
Managing certificates
During the install process, if /etc/opt/hp/sslshare/cert.pem and
/etc/opt/hp/sslshare/file.pem files are found on the system, the following messages are
generated in the install log:
NOTE: /etc/opt/hp/sslshare/cert.pem - SSL Certificate file already
exists. New certificates are not created.
The existing files, /etc/opt/hp/sslshare/cert.pem and /etc/opt/hp/sslshare/file.pem,
might have been created by an earlier installation of HP WBEM Services A.02.05 or
an installation of other management applications on the system. These files will not be overwritten.
Following are a couple of scenarios that illustrate updating certificates when an earlier version of
HP WBEM Services is already installed on an HP-UX system:
Scenario 1
Using the default installed certificates from HP WBEM Services version A.01.05.
HP recommends that after installing HP WBEM Services version A.02.07, you complete the
following steps:
1. Delete the existing /var/opt/wbem/server_2048.pem and /var/opt/wbem/server.pem
files and use the certificates in the /etc/opt/hp/sslshare directory.
OR
2. Overwrite the new certificate in /etc/opt/hp/sslshare/cert.pem and the private
key in /etc/opt/hp/sslshare/file.pem with the existing certificate and key in
either /var/opt/wbem/server_2048.pem or /var/opt/wbem/server.pem files.
Before overwriting /etc/opt/hp/sslshare/cert.pem and /etc/opt/hp/sslshare/file.pem,
make sure other products are not using the certificates in these files.
If the server certificate was copied to any other system, then the new certificate in
/etc/opt/hp/sslshare/cert.pem must be copied over to the trust store on those other
systems to replace the earlier certificate.
NOTE: Use the ssltrustmgr command to add or remove certificates in a trust store.
For more information about the ssltrustmgr command, see the ssltrustmgr manpage.
Scenario 2
Using custom certificates:
If using either self-signed or root-signed 512-bit or 1024-bit encryption certificates, HP
recommends that you create new certificates with 2048-bit encryption.
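The following script is an added example, not part of the HP guide. It reports the key size of the certificate files named in Scenario 1 so that 512-bit and 1024-bit certificates can be identified before they are replaced. The function names and the MIN_BITS variable are chosen for this example; it assumes the openssl command is on the PATH and that the files hold PEM-encoded RSA certificates.

```shell
#!/bin/sh
# Added example: report the RSA key size of the WBEM certificate files.
MIN_BITS=2048   # size the guide recommends for new certificates

# Extract the key size from "openssl x509 -text" output read on stdin.
# The label differs by OpenSSL release ("RSA Public Key:", "Public-Key:"
# or "RSA Public-Key:"), so the pattern accepts all three.
key_bits() {
    sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeeds (returns 0) when the size is below MIN_BITS or could not be read.
is_weak() {
    case "$1" in
        ''|*[!0-9]*) return 0 ;;
    esac
    [ "$1" -lt "$MIN_BITS" ]
}

# Print one status line for a PEM certificate file; returns 1 if it
# needs replacing. Assumes an RSA certificate (example assumption).
check_cert() {
    bits=$(openssl x509 -in "$1" -noout -text 2>/dev/null | key_bits)
    if is_weak "$bits"; then
        echo "WEAK $1 (${bits:-unknown} bit): create a new ${MIN_BITS}-bit certificate"
        return 1
    fi
    echo "OK   $1 ($bits bit)"
}

# Check whichever of the files from Scenario 1 exist on this system.
for f in /etc/opt/hp/sslshare/cert.pem \
         /var/opt/wbem/server_2048.pem /var/opt/wbem/server.pem; do
    if [ -f "$f" ]; then
        check_cert "$f" || true
    fi
done
```

Run the same check against any certificate that was copied to a trust store on another system, since those copies must be replaced as well.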