A.05.80 HP Insight Remote Support Advanced and Remote Device Access Security Overview (October 2012)

Security Overview
Chapter 2: HP Insight Remote Support Advanced
• SSL and TLS
The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are application-layer protocols which provide data encryption and authentication. TLS is an updated version of SSL v3. SSL and TLS use X.509 certificates, also known as “digital” certificates, for authentication. Although most users are accustomed to working only with server certificates, SSL and TLS can be configured to require client-side certificates, which provides password-less two-way authentication. The CMS and managed systems authenticate using X.509 certificates. Also, all communications between the client browsers and the CMS are protected by SSL. The Remote Support Configuration Collector System supports both SSL v3 and TLS 1.0. These two protocols are most ubiquitous in HTTPS on TCP port 443. Other protocols and applications also utilize SSL and TLS for security.
• WBEM
Web Based Enterprise Management (WBEM) is an initiative based on a set of management and Internet standard technologies developed by the Distributed Management Task Force (DMTF) to unify the management of enterprise computing environments. WBEM is really a collection of Internet standards and DMTF open standards: CIM infrastructure and schema, CIM-XML, CIM operations over HTTP, and WS-Management. The Common Information Model (CIM) provides a common definition of management information for systems, networks, applications and services, and allows for vendor extensions. WS-Management is a specification of a SOAP-based protocol for the management of servers, devices, and applications. WBEM can be encapsulated inside either HTTP or HTTPS. HP Insight Remote Support does not support unencrypted WBEM communications. All WBEM traffic is encrypted using SSL, carried as HTTPS on TCP port 5989.
WMI is the Microsoft proprietary implementation of WBEM. WMI runs as a DCOM (Distributed Component Object Model) service which in turn uses RPC (Remote Procedure Call) and other associated DCOM services. The WMI Mapper is an application that provides a two-way translation interface between DCOM and WBEM. WMI Mapper is required for any Windows managed system supporting WBEM Indications to be monitored by HP SIM and Insight Remote Support.
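The SSL/TLS and WBEM items above state which protocol versions the collector supports (SSL v3 and TLS 1.0) and which ports carry the encrypted traffic (443 and 5989). The following script is an added example, not part of the HP document: it probes a host and port for each protocol version and reports which ones the server accepts, so an administrator can confirm that the legacy versions are not still being negotiated. The host, port and the "SSLv3 or TLS 1.0 accepted is a finding" policy are assumptions made here for illustration.

```python
import socket
import ssl

# Protocol versions to probe: the two named in the document plus the modern ones.
# Each entry: (label, ssl.TLSVersion member, whether the local OpenSSL can offer it).
VERSIONS = [
    ("SSLv3", ssl.TLSVersion.SSLv3, ssl.HAS_SSLv3),
    ("TLSv1.0", ssl.TLSVersion.TLSv1, ssl.HAS_TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3, ssl.HAS_TLSv1_3),
]

# Versions whose acceptance by the server we treat as a finding (assumed policy).
LEGACY = ("SSLv3", "TLSv1.0")


def probe_version(host, port, version, timeout=3.0):
    """Offer exactly one protocol version and report how the server responds."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing version acceptance, not certificate trust
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return "unsupported_locally"  # this Python/OpenSSL build cannot offer it
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted:" + tls.version()
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "timeout"
    except ssl.SSLError:
        # Server refused the version (or the local library would not offer it).
        return "rejected"
    except OSError:
        return "error"


def audit_endpoint(host, port, timeout=3.0):
    """Probe every version; return (results per version, list of findings)."""
    results = {}
    for label, version, available in VERSIONS:
        results[label] = (probe_version(host, port, version, timeout)
                          if available else "unsupported_locally")
    findings = [f"{label} accepted on {host}:{port}"
                for label in LEGACY if results[label].startswith("accepted")]
    return results, findings


if __name__ == "__main__":
    # Example run against an assumed CMS address and the ports named in the document.
    for port in (443, 5989):
        print(audit_endpoint("cms.example.internal", port))
```

Note that a current OpenSSL build will usually refuse to offer SSLv3 at all, so that row reads `unsupported_locally`; testing it then requires an older client library.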
Unsecured Communication
HP uses the following unsecure protocols only inside the customer’s internal network. HP will not initiate any external communications between the customer and HP using these protocols:
• HTTP
The Hypertext Transfer Protocol (HTTP) is an application-layer protocol used for exchanging data. HTTP is described in RFC 2616. Its most popular usage is for transferring text, graphic images, sound, video, and other multimedia files to Web browsers. HTTP’s capabilities are also general enough for non-web applications. The CMS remote data collection can use HTTP to identify devices. Once devices are identified, all other data transfers use HTTPS, a secure protocol. HTTP typically uses TCP port 80; however, some HP SIM components may use other TCP ports, in particular 5988 for WBEM.
• ICMP
Internet Control Message Protocol (ICMP), or IP protocol 1, is a network-layer control protocol. Although it is considered to be an integral part of IP, it is architecturally layered upon IP, i.e., it uses IP to carry its data end-to-end just as a transport protocol like TCP or UDP does. ICMP provides error reporting, congestion reporting, and first-hop gateway redirection [RFC1122]. The major feature of ICMP, though, is its diagnostic capabilities. The PING command, for example, uses the ICMP ECHO message to
HP Insight Remote Support Advanced and Remote Device Access (A.05.80)Page 18 of 97