WBEM, LDAP, Credentials management – HP Systems Insight Manager User Manual
WBEM
All WBEM access is over HTTPS for security. Systems Insight Manager is configured with a user name and
password for WBEM agent access. Using SSL, Systems Insight Manager can optionally authenticate the
managed system using its SSL certificate.
For HP-UX, certificates can be used instead of username and password for WBEM authentication. You can
configure WBEM authentication from the System Credentials→WBEM tab by selecting
Options→Security→Credentials→System Credentials. For more information, see the Systems Insight
Manager online help.
LDAP
When configured to use a directory service, HP SIM can use LDAP with SSL (the default) or without SSL;
without SSL, credentials are transmitted in clear text. To enable LDAP over SSL in Microsoft Active
Directory, refer to
. Additionally, the
directory server can be authenticated using the Trusted Certificate list in Systems Insight Manager.
RMI
Java RMI is secured by requiring digitally signed requests using the CMS
, which should only be
available to the local system. All communications use localhost to prevent the communication from being
visible on the network.
Credentials management
SSL certificates
Certificates generated by Systems Insight Manager and the Web Agents are self-signed. Public Key
Infrastructure (PKI) support is provided so that certificates may be signed by an internal certificate server or
a third-party certificate authority (CA). The Systems Insight Manager certificate supports multiple names to
help alleviate name-mismatch warnings in a browser.
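The name-mismatch point above, as an added example (not HP's code): a Python check of which names used to reach a CMS are covered by a certificate's subject alternative names. The certificate dictionary follows the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the host names and the address are constructed sample values.

```python
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "cms01.example.test"),),),
    "subjectAltName": (
        ("DNS", "cms01.example.test"),
        ("DNS", "cms01"),
        ("DNS", "*.mgmt.example.test"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _dns_match(pattern, host):
    """Case-insensitive match; '*' counts only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one label, with a fixed domain after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def name_covered(cert, name):
    """True if name (DNS name or IP literal) is in the subjectAltName list.
    commonName is not consulted: current browsers match on SANs only."""
    try:
        wanted_ip = ipaddress.ip_address(name)
    except ValueError:
        wanted_ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if wanted_ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip:
                return True
        elif kind == "DNS" and _dns_match(value, name):
            return True
    return False


def audit(cert, names):
    """Report, for each name users type to reach the CMS, whether it is covered."""
    return {n: name_covered(cert, n) for n in names}


if __name__ == "__main__":
    for n, ok in audit(SAMPLE_CERT, ["cms01", "192.0.2.10", "cms01.corp.example.test"]).items():
        print(f"{n:26} {'covered' if ok else 'NAME MISMATCH'}")
```

Any name reported as a mismatch is one that would trigger the browser warning until it is added to the certificate's names.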
There are several certificates used by Systems Insight Manager. The certificate described above is the main
certificate and is used by the Systems Insight Manager SSL web server, the partner application
(SOAP) interface, and the WBEM indications receiver. This is the certificate used to
authenticate Systems Insight Manager, if necessary, in the browser, in partner applications that communicate
with Systems Insight Manager through SOAP, and in WBEM agents that deliver indications to Systems Insight
Manager. This certificate is also configured in managed systems (for example, SMH, Onboard Administrator,
Integrated Lights-Out, Storage Essentials, CV) to enable a trust relationship with the managed system for
SSO. A separate certificate in Systems Insight Manager is used for authenticating Systems Insight Manager
to HP-UX WBEM Services 2.5 and later, when configured to do so for the WBEM protocol. Certificates from
managed systems can be imported into the Systems Insight Manager Trusted Certificates list, allowing Systems
Insight Manager to authenticate those systems. See the section
How to: lockdown versus ease of use on
.
Certificate sharing
Systems Insight Manager supports a mechanism whereby other components installed on the system can use
the same certificate and private key, facilitating authentication of the system as a whole instead of each
individual component. This is currently used by the Web Agents and the WBEM components on the CMS.
SSH keys
An SSH key-pair is generated during initial configuration. The CMS public key is copied to the managed
system using the mxagentconfig tool. This key-pair is not the same as for SSL and requires a manual process
to regenerate a new pair. See the manpages or online documentation for mxagentconfig for more details.
See the
Secure Shell (SSH) in HP SIM 5.3 or greater white paper located at
.
Passwords
Passwords configured on the Systems Insight Manager System Credentials and Global Credentials pages
are stored in the database encrypted using 128-bit Blowfish. These passwords can be further managed using
78
Understanding Systems Insight Manager security