HP SIM SSO certificate, WBEM certificate, Upgrading to HP SIM 7.3.1 – HP Systems Insight Manager User Manual
Page 106: Source of client and server certificates
higher. In the case of fresh install scenarios, the HP SIM certificate will be a 2,048-bit self-signed
certificate.
HP SIM SSO certificate
For Single Sign-On operations, HP SIM uses only the SSO certificate, which is a self-signed 1,024-bit
certificate. HP SIM does not support any third-party or CA-signed certificate for
SSO.
NOTE: Although HP SIM suggests a 2048/4096-bit certificate, not all managed
systems support it, so HP SIM uses a 1024-bit certificate for SSO, especially considering backward
compatibility and upgrades.
WBEM certificate
In HP SIM 7.0 and later, the WBEM certificate uses the 2,048-bit key length. A new HP SIM 7.0
or later installation creates a WBEM certificate with the 2,048-bit key length. The WBEM certificate
can be regenerated if required with the following commands:
mxcert -w(Distinguished Name)
mxcert -W
Upgrading to HP SIM 7.3.1
The HP SIM main certificate is automatically upgraded to a 2,048-bit self-signed certificate if the
previous certificate is a self-signed 1,024-bit certificate. However, if the previous certificate is a
2,048-bit certificate or above, or is a CA-signed certificate, HP SIM retains the existing certificate
and does not create a new one. You may also need to import the trusted certificates back
into HP SIM's trust store.
The HP SIM SSO certificate is created if, and only if, there is no prior SSO certificate.
NOTE:
• An SSO certificate is used by HP SIM 7.0 and later. Therefore, there is a possibility that the
previous version of HP SIM may not contain an SSO certificate. Only in these cases, the SSO
certificate will be created during the upgrade process.
• Once the SSO certificate is created, the trust relationship with the managed systems must be
re-established by importing the new SSO certificate into the managed systems.
The HP SIM WBEM certificate is a self-signed 2,048-bit certificate and will not be overwritten upon
upgrade to HP SIM 7.3.1.
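Added example (not from the HP SIM manual or from HP): a shell check that applies the upgrade rules above to the main certificate before upgrading. It assumes the openssl command-line tool is installed and that the certificate has been exported to a PEM file; the function names and file names are hypothetical.

```shell
#!/bin/sh
# Added example: classify exported PEM certificates against the upgrade rules above.
# Assumes the openssl CLI is installed; file names passed in are the reader's own.

# Print the public key size in bits, e.g. 1024 or 2048.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed when subject and issuer names match (self-issued). This is a name
# comparison, the usual heuristic for "self-signed"; it does not verify the signature.
cert_is_self_issued() {
    s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 2
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 2
    [ "$s" = "$i" ]
}

# Classify what the manual says happens to the main certificate on upgrade.
sim_upgrade_outcome() {
    bits=$(cert_key_bits "$1")
    [ -n "$bits" ] || { echo "unreadable"; return 1; }
    if ! cert_is_self_issued "$1"; then
        echo "retained (CA-signed, ${bits}-bit)"
    elif [ "$bits" -ge 2048 ]; then
        echo "retained (self-signed, ${bits}-bit)"
    elif [ "$bits" -eq 1024 ]; then
        echo "replaced (self-signed 1024-bit -> new 2048-bit self-signed)"
    else
        # The manual only names the 1,024-bit and 2,048-bit-or-above cases.
        echo "not covered by the manual (self-signed, ${bits}-bit)"
    fi
}

# Usage: sh audit.sh cert1.pem cert2.pem ...
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(sim_upgrade_outcome "$f")"
done
```

A "replaced" result means that systems trusting the old certificate will need the new one imported after the upgrade.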
Certificate expiration and Certificate Revocation Check (CRL Check)
HP SIM supports certificate revocation checking. By default, the revocation check is
enabled for both client and server certificates. However, server certificates are checked for
revocation only if you have enabled Require Trusted Certificate
(Options→Security→Credentials→Trusted Systems→Trusted Certificates).
The certificate revocation check can be configured from the GUI by selecting
Options→Security→Certificate Revocation Configuration Check.
You can also configure the certificate revocation check by entering mxcert -L from the command
line.
Source of client and server certificates
The client certificates are sent to HP SIM by the Web portal, partner requests, and the WBEM
services.
The server certificates are sent to HP SIM by the managed systems.
106 Understanding HP SIM security