Setting security to strong – HP Systems Insight Manager User Manual
Page 102
Procedure 23 Setting security to strong
1.
Generate certificates from your certificate server for each managed system and the Systems
Insight Manager system. To do this, first generate a certificate signing request (CSR) from the
various systems. This generates a PKCS#7 file. This file should then be taken to the certificate
server and signed, and then the resulting file (generally a PKCS#10 response) should be
imported into the each managed system and the Systems Insight Manager system.
To maximize security, it is important that none of these steps be done over a network unless
all communications are already protected by some other mechanism.
Thus, in the case of the Insight Management Agents, a removable media (for example, USB
thumb drive, floppy disk) should be taken directly to the managed system, have the PKCS#7
file placed on it, and hand-carried to a secure system with access to the certificate server. The
PKCS#10 response file should similarly be placed on the removable media and returned to
the managed system to be imported into the Insight Management Agents.
2.
Take the root certificate (just the certificate, not the private key) of your certificate server and
import that into the Systems Insight Manager trusted certificate list. This allows Systems Insight
Manager to trust all the managed systems because they were signed with this root certificate.
3.
Take the certificate from the Systems Insight Manager system and import it into the Insight
Management Agents of each system. This allows the managed systems to trust the Systems
Insight Manager system. This certificate can be distributed using any of the methods available
to distribute the Systems Insight Manager certificate. However, the option to pull the certificate
directly from the Systems Insight Manager system over the network must be avoided due to
the potential man-in-the-middle attack.
As in the Moderate option, you must redistribute the Systems Insight Manager SSL certificate
to the managed systems whenever a new Systems Insight Manager SSL certificate is generated.
4.
Once these steps have been completed, you can turn on the option in Systems Insight Manager
to enable Require Trusted Certificates. Select Options
→Security→Trusted Systems, and then
click Trusted Certificates. The warnings presented around this option make it clear that any
managed system that does not have a certificate signed by your certificate server will not be
sent secure commands from the Systems Insight Manager system, although it will be monitored
for hardware status.
5.
For SSH, turn on the option to accept SSH connections only from specified systems. Select
Options
→Security→Trusted Systems, click SSH Host Keys, and then enable the The central
management server will accept an SSH connection only if the host key is in list below.
Afterwards, you must manually import each managed system's public SSH key into the list of
keys in Systems Insight Manager.
To configure this in previous versions of Systems Insight Manager, add or modify the following
line in the Hmx.properties file:
MX_SSH_ADD_UNKNOWN_HOSTS=false
and then restart Systems Insight Manager.
Afterwards, you must manually import each managed system's public SSH key into the list of
keys in Systems Insight Manager.
102 Understanding Systems Insight Manager security