20 understanding hp sim security, Securing communication, Secure sockets layer (ssl) – HP Systems Insight Manager User Manual
20 Understanding HP SIM security
This chapter provides an overview of the security features available in the HP SIM framework. HP
SIM runs on a CMS and communicates with managed systems using various protocols. You can
browse to the CMS or directly to the managed system.
Securing communication
Secure Sockets Layer (SSL)
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic
protocols that provide communication security. They provide encryption to prevent eavesdropping,
data integrity to prevent modification, and authentication of both client and server, using
public-key technology.
All communications between the browser and the CMS are protected by SSL. HP SIM supports
SSLv3.0 and TLS 1.0 and, by default, uses stronger cipher suites for the web and the SOAP services.
The list of ciphers can be configured to suit your security needs. For more information,
see “How to configure ciphers” (page 103). Note that HP SIM does not enforce stronger cipher
suites for the WBEM indication receiver, so include that listener when you verify the CMS's
negotiated protocols and ciphers with an external scanner. SSLv3.0 has since been deprecated
industry-wide; prefer TLS wherever the deployed HP SIM and browser versions allow it.
How to configure ciphers
Starting with version 7.2, HP SIM supports user-defined ciphers to suit your security needs.
The default set of ciphers is limited to those available in the JRE; it can be extended to
higher strengths by downloading and configuring the Java Cryptography Extension (JCE) on top
of the JRE distributed with HP SIM. For more information, see
1. Use the mxcipher -d CLI command to view the ciphers currently configured in HP SIM.
2. Use the mxcipher -e CLI command to change the ciphers to suit your security needs, then
run mxcipher -d again to confirm that only the intended ciphers remain.
For more information, see the HP Systems Insight Manager CLI Guide at
Secure Shell (SSH)
SSH is an industry-standard protocol for securing communications. It provides encryption to
prevent eavesdropping and data integrity to prevent modification, and it can authenticate
both the client and the server using several mechanisms, including key-based authentication. HP
SIM supports SSH 2.
Hyper Text Transfer Protocol Secure (HTTPS)
HTTPS refers to HTTP communications over SSL. All communications between the browser and HP
SIM are carried out over HTTPS. HTTPS is also used for much of the communication between the
CMS and the managed system.
Secure Task Execution (STE) and Single Sign-On (SSO)
STE is a mechanism for securely executing a command against a managed system using the Web
agents. It provides authentication, authorization, privacy, and integrity in a single request. SSO
provides the same features but is performed when browsing to a system. STE and SSO are implemented
in very similar ways. SSL is used for all communication during the STE and SSO exchange. Before
issuing the STE or SSO request, HP SIM requests a single-use value (a nonce) from the managed
system, which helps prevent replay and delayed-intercept attacks. HP SIM then issues the digitally
signed STE or SSO request, and the managed system uses the digital signature to authenticate the
HP SIM server. Note that the managed system must have a copy of the CMS SSO certificate imported into the
Securing communication 103
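The nonce-plus-signature exchange described above for STE and SSO, as an added example that is not HP SIM's own code: both sides are modelled in Go, with an Ed25519 key standing in for the CMS SSO certificate's signing key (HP SIM uses an X.509 certificate; the key type, the request fields and the signed message format are assumptions made for this illustration). The managed system hands out a random single-use nonce, verifies the CMS signature over nonce and command, consumes the nonce on first use so a captured request cannot be replayed, and refuses requests that arrive after an expiry window so a delayed intercept is also rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Reasons the managed system refuses a request.
var (
	ErrUnknownNonce = errors.New("nonce not issued or already used (replay)")
	ErrExpiredNonce = errors.New("nonce expired (delayed request)")
	ErrBadSignature = errors.New("signature does not verify against the imported CMS key")
)

// Request is the signed STE/SSO request the CMS sends (assumed shape).
type Request struct {
	Nonce   string
	Command string
	Sig     []byte
}

// signingInput binds the nonce to the command so neither can be swapped.
func signingInput(nonce, command string) []byte {
	return []byte(nonce + "\n" + command)
}

// SignRequest is the CMS side: sign the freshly issued nonce plus the command
// with the CMS SSO private key (Ed25519 here, an assumption).
func SignRequest(priv ed25519.PrivateKey, nonce, command string) Request {
	return Request{Nonce: nonce, Command: command,
		Sig: ed25519.Sign(priv, signingInput(nonce, command))}
}

// ManagedSystem is the agent side. It holds only the CMS public key (the
// "imported CMS SSO certificate") and the nonces it has handed out.
type ManagedSystem struct {
	cmsPub  ed25519.PublicKey
	pending map[string]time.Time // outstanding nonces and when they were issued
	ttl     time.Duration
	now     func() time.Time // injectable clock so expiry can be tested
}

func NewManagedSystem(cmsPub ed25519.PublicKey, ttl time.Duration) *ManagedSystem {
	return &ManagedSystem{cmsPub: cmsPub, pending: map[string]time.Time{},
		ttl: ttl, now: time.Now}
}

// IssueNonce returns a fresh random single-use value and records its issue time.
func (m *ManagedSystem) IssueNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	n := hex.EncodeToString(b)
	m.pending[n] = m.now()
	return n, nil
}

// Execute checks a signed request: the nonce must be one we issued and not yet
// used, the signature must verify under the imported CMS key, and the request
// must arrive within ttl of the nonce being issued. A nonce is consumed only by
// a correctly signed request, so a forged attempt cannot burn a genuine one.
func (m *ManagedSystem) Execute(r Request) error {
	issued, ok := m.pending[r.Nonce]
	if !ok {
		return ErrUnknownNonce
	}
	if !ed25519.Verify(m.cmsPub, signingInput(r.Nonce, r.Command), r.Sig) {
		return ErrBadSignature
	}
	delete(m.pending, r.Nonce) // single use: a replay now fails the lookup above
	if m.now().Sub(issued) > m.ttl {
		return ErrExpiredNonce
	}
	return nil
}

func main() {
	cmsPub, cmsPriv, _ := ed25519.GenerateKey(rand.Reader)
	agent := NewManagedSystem(cmsPub, 30*time.Second) // agent has imported the CMS key

	nonce, _ := agent.IssueNonce()
	req := SignRequest(cmsPriv, nonce, "collect-inventory") // constructed command
	fmt.Println("genuine request: ", agent.Execute(req))  // <nil>
	fmt.Println("replayed request:", agent.Execute(req))  // nonce not issued or already used (replay)

	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader) // a server the agent never trusted
	nonce2, _ := agent.IssueNonce()
	fmt.Println("rogue CMS:       ", agent.Execute(SignRequest(roguePriv, nonce2, "reboot")))
}
```

The signature is checked before the nonce is consumed so that an attacker who only sees the nonce cannot invalidate it with a garbage request; the nonce and the command are signed together so a captured signature cannot be reattached to a different command.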