beautypg.com

HP Insight Control Software for Linux User Manual

Page 26

background image

pdsh Keys

The pdsh command uses public host keys to authenticate remote hosts and supports public
key authentication to authenticate users.

cmfd Keys

The console command uses SSL keys to connect to the console management facility daemon
(cmfd) for console access.

secure boot mechanism

Virtual media support is provided as the secure boot mechanism. PXE booting provides no
authentication or encryption.

Data used to authenticate either the CMS or a managed system, or used to setup login
credentials on a management processor must be secured. This information is secured with
the virtual media mechanism. Specifically, the data includes the SSH public key and any

certificate

s needed to secure the communication between the CMS and the managed system.

An auxiliary RAM disk that can be appended to the normal Insight Control for Linux RAM
disk is created for this purpose.

This auxiliary RAM disk is used in one of two ways:

— It becomes part of the virtual media ISO boot image when booting a managed system

using virtual media.

— It is added in the pxelinux.cfg boot configuration file when booting by PXE.

HTTPS

Communication between the CMS and a managed node is performed using

HTTPS

.

Digital signature

HP software, firmware, drivers, applications, and other executables are delivered with an
electronic cryptographic signature. This electronic signature gives you an industry standard
method to verify the integrity and authenticity of the code you received before you deploy
it.

This digital signature is then used in a signature verification process to verify and validate
the following:

— To verify and validate the authenticity of the code.

That HP created the code in question.

— To verify and validate integrity of the code.

That the code in question was not altered since it was originally signed.

For the procedure to validate RPMs, see

“Validating RPM signatures” (page 27)

.

Privilege elevation

Insight Control for Linux does not support privilege elevation. Install, capture, and deploy
operations are unaffected; they are transient operations that do not allow for the creation of
a privileged user on the target server.

Access to system monitoring information

HP recommends the use of a trusted network environment because metric data that Nagios
collects from Supermon and mond is not encrypted.

Issues relating to scalable deployment

The scalable deployment feature of Insight Control for Linux uses HTTP to transfer a Linux
image from the CMS to a group leader and FTP to transfer that image from the group leader
to individual servers. There is no mechanism for verifying the identity of the server providing
the image; neither method protects from a man in the middle attack.

26

Security