2 validating rpm signatures, 3 trusted certificates – HP Insight Control Software for Linux User Manual
Page 24
to individual servers. There is no mechanism for verifying the identity of the server providing
the image; neither method protects against a man-in-the-middle attack.
Standard Linux deployment, which uses SSH to push an image to the target systems, is a less
scalable but more secure method than large-scale deployment.
HP recommends the use of a dedicated management LAN for large-scale Linux deployments.
For more information on scalable deployment, see
• Logging RAM disk connections and operations
With a few minor modifications, you can log who has connected to the RAM disk. For more
information, see Logging RAM disk connections and operations (page 199).
2.2 Validating RPM signatures
The RPMs for Insight Control for Linux, Insight Control virtual machine management, and Insight
Control power management are digitally signed with a private key. You have the option of using
the public key shipped on the Insight Control for Linux ISO image to validate and verify the RPMs.
Although this verification process is optional, it ensures that HP is the creator of the code
and that the code has not been modified since it was signed.
For more information on validating RPM signatures, see the HP Insight Control for Linux Installation
Guide.
2.3 Trusted certificates
Insight Control for Linux conforms to the security features of HP SIM. There is a Trusted Certificates
tab under Options→Security→Credentials→Trusted Systems. By selecting that tab, you access a
web page that allows you to determine how SSL/HTTPS connections are handled; there are two
options, depending on the button selected:
• Always Accept
This button is preselected by default. The CMS establishes SSL connections with managed
systems without validating them against certificates in the HP SIM trusted certificate list.
• Require
When this button is selected, the CMS only establishes SSL connections with managed systems
whose certificates are represented in the HP SIM trusted certificate list.
When performing any operation that communicates with an iLO-based management processor,
Insight Control for Linux has the ability to verify whether the target iLO is a trusted system, meaning
that it is presenting a certificate that Insight Control for Linux trusts. To enable this security
mechanism, make sure the Require radio button is selected.
Use the Import button to import the iLO's self-signed certificate. You can obtain the iLO's self-signed
certificate by connecting to the iLO using your browser. In Microsoft Internet Explorer for Windows
Vista, for example:
1. Select Page→Security Report.
2. Select View Certificates.
3. Select the Details tab.
4. Select the Copy to File... button.
5. In the Certificate Export Wizard, select the Base-64 encoded X.509 (.CER) radio button and
proceed to save your file. This is the file that you specify in HP SIM when you select the
Import button.
You must repeat this procedure for every iLO whose certificate you want to add to the HP SIM trust
storage.
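The export steps above, scripted for a list of iLOs, as an added example that is not part of the HP manual. The host names, the ilo-certs output directory and the script name are assumptions. Because a self-signed certificate cannot be validated when it is fetched, the script prints each SHA-256 fingerprint so it can be compared with a value obtained over a path you trust before the file is imported.

```python
"""Added example: save each iLO's certificate as Base-64 X.509 (.cer)."""
import hashlib
import ssl
import sys
from pathlib import Path


def fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of a PEM certificate, as colon-separated hex."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_pem(host: str, port: int = 443) -> str:
    """Return the certificate the host presents, without validating it.

    The iLO certificate is self-signed, so nothing can be validated here;
    trust has to come from checking the fingerprint out of band.
    """
    return ssl.get_server_certificate((host, port))


def export_certs(hosts, out_dir, fetch=fetch_pem):
    """Write <host>.cer for every iLO and return {host: fingerprint}."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    results = {}
    for host in hosts:
        pem = fetch(host)
        # PEM is the "Base-64 encoded X.509" format chosen in step 5.
        (out / f"{host}.cer").write_text(pem)
        results[host] = fingerprint(pem)
    return results


if __name__ == "__main__":
    # Assumed usage: python export_ilo_certs.py ilo1.example.net ilo2.example.net
    for host, fp in export_certs(sys.argv[1:], "ilo-certs").items():
        print(f"{host}  SHA-256 {fp}")
```

Import a .cer file only after its printed fingerprint matches the trusted value for that iLO.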