HP WBEM Services Version A.02.09.12 Release Notes (5900-2121, March 2012)

The wbemexec command uses the trust store for server certificate verification. Be sure to import
the certificate in the /etc/opt/hp/sslshare/cert.pem file from the system where the CIM
Server is running to the client system’s trust store.
For more information about the wbemexec command, see the wbemexec manpage.
For more information about certificates, see “Importing server certificates to trust store” (page 10).
The wbemexec command SSL connection to the CIM Server will fail if the server certificate is not
found and verified in the trust store.
The wbemexec command is not recommended for use in high-threat environments because
wbemexec does not provide any additional certificate verifications, such as host-name or
certificate-depth verification.
Managing certificates
During the installation process, if the /etc/opt/hp/sslshare/cert.pem and
/etc/opt/hp/sslshare/file.pem files are found on the system, the following message is
generated in the install log:
NOTE: /etc/opt/hp/sslshare/cert.pem - SSL Certificate file already
exists. New certificates are not created.
The existing files, /etc/opt/hp/sslshare/cert.pem and /etc/opt/hp/sslshare/file.pem,
might have been created by an earlier installation of HP WBEM Services A.02.05 or
an installation of other management applications on the system. These files will not be overwritten.
HP-UX example:
The following examples describe how to update certificates when an earlier version of HP WBEM
Services is already installed:
Scenario 1: Using the default installed certificates from HP WBEM Services version A.01.05.
HP recommends that after installing HP WBEM Services version A.02.07, you do the following:
1. Delete the existing /var/opt/wbem/server_2048.pem and /var/opt/wbem/server.pem
files and use the certificates in the /etc/opt/hp/sslshare directory.
Or
2. Overwrite the new certificate in the /etc/opt/hp/sslshare/cert.pem file and the
private key in the /etc/opt/hp/sslshare/file.pem file with the existing certificate
and key in either /var/opt/wbem/server_2048.pem or /var/opt/wbem/server.pem files.
Before overwriting the /etc/opt/hp/sslshare/cert.pem and
/etc/opt/hp/sslshare/file.pem files, ensure other products are not using the
certificates in these files.
If the server certificate was copied to any other systems, then the certificate in the new
/etc/opt/hp/sslshare/cert.pem file should be copied to the trust store on those
other systems, replacing the earlier certificate.
NOTE: Use the ssltrustmgr command to add or remove certificates in a trust store.
For more information about the ssltrustmgr command, see the ssltrustmgr manpage.
Scenario 2: Using custom certificates.
If you are using either the self-signed or root-signed 512-bit or 1024-bit encryption certificates,
then HP recommends that you create new certificates with 2048-bit encryption.
If you are using CA certificates that are using 2048-bit encryption, then HP recommends that you
retain them. If the CA certificates are not using 2048-bit encryption, HP recommends that you
create new CA certificates with 2048-bit encryption.
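
The two checks these scenarios depend on, as an added example that is not part of the HP release notes: whether a certificate's key meets the 2048-bit recommendation, and whether a private key file belongs to a certificate before the files in /etc/opt/hp/sslshare are overwritten. It assumes the openssl command-line tool is installed and that private keys are unencrypted RSA keys; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not HP's code. Assumes the openssl CLI is on PATH.
MIN_BITS=${MIN_BITS:-2048}   # key size recommended in the release notes

# Print the public-key size, in bits, of the certificate in PEM file $1.
# Prints nothing if the file is missing or is not a certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Print "retain", "replace" or "unreadable" for the certificate in $1.
classify_cert() {
    bits=$(cert_key_bits "$1")
    if [ -z "$bits" ]; then
        echo unreadable
    elif [ "$bits" -ge "$MIN_BITS" ]; then
        echo retain
    else
        echo replace
    fi
}

# Succeed only if certificate $1 and RSA private key $2 share a modulus,
# that is, the key file really belongs to the certificate.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Report on the certificate files named in the release notes, if present.
audit_default_paths() {
    for f in /etc/opt/hp/sslshare/cert.pem \
             /var/opt/wbem/server_2048.pem /var/opt/wbem/server.pem; do
        [ -f "$f" ] && echo "$f: $(classify_cert "$f")"
    done
    return 0
}

audit_default_paths
```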