HP WBEM Services for HP-UX System Administrator Guide (5900-1624, April 2011)

If your CA certificates use 2048-bit encryption, HP recommends that you keep them.
If they do not use 2048-bit encryption, HP recommends that you get new CA certificates
with 2048-bit encryption.
Importing server certificates to the Trust Store
CIM client applications must maintain a trust store in a <trust_store-name>.pem file. A
CIM client application must import the certificate stored in the
/etc/opt/hp/sslshare/cert.pem file from every CIM Server system that it needs to connect
to into a trust store file on the client system.
With C++ CIM client libraries, the trust store must be in the PEM format.
To import a server certificate, copy the public certificate from the server to the client:
1. Copy the certificate (/etc/opt/hp/sslshare/cert.pem) from the system where HP
WBEM Services is installed.
NOTE: Do not copy the key in the /etc/opt/hp/sslshare/file.pem file. Copy only
the public certificate in the /etc/opt/hp/sslshare/cert.pem file.
2. Use the ssltrustmgr command to add the certificate from the cert.pem file to the trust
store <trust_store-name>.pem on the client machine.
NOTE: The wbemexec and the osinfo commands use the file
/etc/opt/hp/sslshare/client.pem as their trust store. Import the server certificates for
these clients into this file.
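A pre-import check for the file copied in step 1, as an added example that is not part of the HP guide: it rejects a file that contains a private key block and, when openssl is available, a key smaller than 2048 bits. The function names and return codes are this example's own, applying the guide's 2048-bit figure to the copied certificate is an assumption, and the script does not call ssltrustmgr.

```shell
#!/bin/sh
# Added example: gate a PEM file before importing it into a client trust store.
# All function names and return codes are hypothetical, not HP's.

# Text-level gate: 0 = certificate(s) only, 1 = private key present,
# 2 = no certificate block found.
pem_gate() {
    # Matches PKCS#1 (RSA), PKCS#8, encrypted PKCS#8, EC and DSA key labels.
    if grep -E -q '^-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' "$1"; then
        echo "REJECT $1: contains a private key block" >&2
        return 1
    fi
    if ! grep -q '^-----BEGIN CERTIFICATE-----' "$1"; then
        echo "REJECT $1: no certificate block" >&2
        return 2
    fi
    return 0
}

# Number of certificates in the file (a trust store may hold several).
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Public key size in bits of the first certificate; needs openssl on PATH.
# Older openssl prints "RSA Public Key:", newer prints "Public-Key:".
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Full check: gate first, then key size (assumes RSA keys) and fingerprint.
check_for_import() {
    pem_gate "$1" || return $?
    command -v openssl >/dev/null 2>&1 ||
        { echo "openssl not found; key size not checked" >&2; return 0; }
    bits=$(cert_key_bits "$1")
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
        echo "REJECT $1: key size '${bits:-unknown}' is below 2048 bits" >&2
        return 3
    fi
    # Compare this value with the one computed on the CIM Server system.
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Usage: check_for_import ./cert.pem
```

Run check_for_import on the copied file and continue to step 2 only when it returns 0.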
Verifying certificates
This section discusses the methods you can use to verify certificates.
Using CIM clients
The CIM Client Interface supports the trust store and a verification callback function as
mechanisms for server certificate verification. CIM Client applications can use one or both
of these mechanisms to verify the server certificate.
Using the wbemexec client
The wbemexec command provides a command-line interface to a CIM Server.
The wbemexec command uses the trust store for server certificate verification. Be sure to import
the certificate in the /etc/opt/hp/sslshare/cert.pem file from the system where the CIM Server
is running into the client system's trust store.
For more information about certificates, see “Importing server certificates to the Trust Store”
(page 39).
The SSL connection of the wbemexec client to the CIM Server fails if the server certificate is not
found and verified in the trust store.
For more information about the wbemexec command, see the wbemexec manpage.
IMPORTANT: The use of the wbemexec client is not recommended in high-threat environments
because this client does not perform any additional certificate verifications, such as host-name or
certificate-depth verification.
Using the gen_wbem_certs command
The gen_wbem_certs command is used in HP WBEM Services Version A.02.07.04 to verify
certificates. Use the following command:
# gen_wbem_certs verify
Managing certificates 39