
Other problems, 7 other problems – HP System Management Homepage-Software User Manual


   a. Select Request a certificate.
   b. Select Advanced certificate request.
   c. Select Submit a certificate request by using a base.
   d. Press the Ctrl+V keys to paste the PKCS #10 data into the field.

4. From your Windows 2003 certificate authority system, complete the following:
   a. Click Start ⇒ All Programs ⇒ Administrative Tools ⇒ Certification Authority.
   b. Click CA (Local) W2003CA/certsrv ⇒ where W2003CA is the name of your Windows 2003 certificate authority system.
   c. Issue the pending request certificate.

5. Navigate to http://W2003CA/certsrv, where W2003CA is the name of your Windows 2003 certificate authority system, and complete the following:
   a. Select View the status of a pending certificate request.
   b. Select Base64-encoded and Download certificate (not certificate chain).
   c. The downloaded file is named certnew.cer.
   d. Rename certnew.cer to cert.pem.

6.7 What are the security options when using Bastille?

Bastille is a system hardening program that enhances the security of an HP-UX host. It configures
daemons, system settings and firewalls to be more secure. It can shut off unneeded services and tools
such as rcp(1) and rlogin(1), and can help limit the vulnerability of common Internet services such as
Web servers and DNS.

NOTE: At this time, HP System Management Homepage does not support Partition Manager.

One facility that Bastille uses to lock down a system is IP filtering. Refer to the Partition Manager Online
Help for requirements when using IP filtering with Partition Manager. If Bastille's interactive user interface
is used, be aware of these issues when answering the questions asked by Bastille. Bastille also has
three install-time security options that are represented by the following files in
/etc/opt/sec-mgmt/bastille:

HOST.config
   Host-based lockdown, without IPFilter configuration. Using this configuration has
   no impact on Partition Manager.

MANDMZ.config
   A fairly tight lockdown, but leaves select network ports open that are used by
   common management protocols and tools. For example, WBEM still functions when this
   configuration is used. Launching Partition Manager under this configuration requires the use of
   SSH or changes to enable ports 2301 and 2381. To enable launching Partition Manager on a
   system where ports 2301 and 2381 are disabled, adjust the IP filtering by adding entries such
   as:

      pass in quick proto tcp from any to any port = 2301 flags S/0xff keep state keep frags
      pass in quick proto tcp from any to any port = 2381 flags S/0xff keep state keep frags

   to /etc/opt/sec-mgmt/bastille/ipf.customrules prior to running Bastille.
   For more information, see ipf(5).

DMZ.config
   A tight lockdown. Launching Partition Manager under this configuration requires
   the use of SSH.

Bastille also impacts Partition Manager when remotely managing a system where Bastille is
enabled. After the normal transfer of certificates, Partition Manager works as described above if
the HOST.config or MANDMZ.config configurations are used. However, the DMZ.config
configuration blocks WBEM traffic and prevents Partition Manager from remotely managing the
system.

For more information about Bastille, see bastille(1M) and the Bastille User Guide, installed at
/opt/sec-mgmt-bastille/docs/user-guide.txt.
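
One way to carry out the MANDMZ.config step above so that repeated runs do not duplicate entries, as an added example that is not part of the HP manual. The function names and script name are assumptions; the rule text and file path are the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the HP manual): idempotently add the two pass rules
# quoted above to a Bastille custom rules file before Bastille is run.
# Usage: sh add_smh_rules.sh /etc/opt/sec-mgmt/bastille/ipf.customrules
# (add_smh_rules.sh is a hypothetical script name.)

# Print the manual's pass rule for one TCP port.
smh_rule() {
    printf 'pass in quick proto tcp from any to any port = %s flags S/0xff keep state keep frags\n' "$1"
}

# has_rule FILE PORT: succeed if FILE has an uncommented "pass in" rule that
# matches "port = PORT" exactly (2301 must not match 23010 or "# pass in ...").
has_rule() {
    grep -Eq "^[[:space:]]*pass[[:space:]]+in[[:space:]].*port[[:space:]]*=[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# ensure_smh_rules FILE: append whichever of the two rules is missing, after
# saving FILE.bak once. Prints the number of rules added. Returns 1 if FILE is
# missing, so a mistyped path never creates a new, near-empty rule set.
ensure_smh_rules() {
    file=$1
    added=0
    if [ ! -f "$file" ]; then
        echo "error: $file not found" >&2
        return 1
    fi
    for port in 2301 2381; do
        if ! has_rule "$file" "$port"; then
            if [ "$added" -eq 0 ]; then
                cp -p "$file" "$file.bak"
                # Terminate an unterminated last line so rules do not merge.
                if [ -n "$(tail -c 1 "$file")" ]; then echo >> "$file"; fi
            fi
            smh_rule "$port" >> "$file"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Run only when a rules file is given on the command line.
if [ "$#" -gt 0 ]; then
    ensure_smh_rules "$1"
fi
```

The rules as quoted accept connections from any source address; ipf(5) describes the syntax for narrowing the from clause.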

7 Other Problems

7.1 I am having problems downgrading HP SMH from 3.x to 2.x.
