beautypg.com

Source of client and server certificates, Enabling or disabling certificate revocation check, Offline mode – HP Systems Insight Manager User Manual

Page 100: Alert on crl file expiration, Online mode, Offline mode online mode

background image

The SSO certificate is created during the upgrade. To reestablish the trust relationships with the
managed systems you might need to import the newly generated main certificate into the managed
systems. Also, you might need to import the trusted certificates back into HP SIM's trust store.

Certificate expiration and Certificate Revocation Check (CLR Check)

HP SIM provides the support for certificate revocation check. By default, the revocation check is
enabled for both client and server certificates. However, server certificates are checked for
revocation only if you have enabled Require Trusted Certificate
(Options

→Security→Credentials→Trusted Systems→Trusted Certificates).

The Certificate revocation check can be configured from the GUI by selecting
Options

→Security→Configure Certificate Revocation Check.

You can also configure certificate revocation check by entering: mxcert -L from the command
line.

Source of client and server certificates

The client certificates are sent to HP SIM by the Web portal, partner requests, and the WBEM
services.

The server certificates are sent to HP SIM by the managed systems.

Enabling or disabling certificate revocation check

HP SIM enables you to disable certificate revocation check for both server and client certificates.
Disabling revocation check for client certificate does not affect Two-Factor authentication, where
the client certificate (called as user certificate) is always checked for revocation.

Enabling certification revocation check might affect the performance of the system as it downloads
the Certificate Revocation List (CRL) file from the certificate server during the processing of revocation
check. The downloading of the CRL file happens only if a CRL file associated with the certificate
is not already cached in the server, or CRL file that is cached is expired.

Enabling or disabling certificate revocation check does not require restart of HP SIM.

Offline and online mode of certificate revocation check

The certificate revocation check is performed offline and/or online.

Offline mode

The offline mode is set as the default mode of checking the revocation. The offline mode expects
the CRL files to be cached in the system. You must regularly populate the CRL files associated with
the certificates in a directory maintained by HP SIM. In Windows, the directory is \data\crl,
and in Linux/HPUX, this directory is /var/opt/mx/data/crl.

Alert on CRL file expiration

If any of the CRL files present in this directory are expired, then HP SIM will send an alert to the
System. These alerts could be seen in "All Events" page.

The intent of this alert is to inform User to update the CRL directory with the latest CRL files.

Please see below to configure few of the CRL alert related settings.

Online mode

The online mode can optionally be enabled. Enabling online mode does not bypass the offline
mode of CRL check.

If the CRL file associated with a certificate is not present in the above directory, or if the cached
CRL file is expired, then HP SIM checks if online mode has been enabled. If online mode is enabled,
HP SIM tries to download the CRL file from the certificate server. After downloading the CRL file,
HP SIM caches the file in the above directory.

100 Understanding HP SIM security