beautypg.com

Ssh keys, Passwords, Browser – HP Systems Insight Manager User Manual

Page 96: Cookies, Password warnings, Ssh keys passwords, Ssl cookies passwords password warnings

background image

SSH keys

An SSH key-pair is generated during initial configuration. The CMS public key is copied to the
managed system using the mxagentconfig tool. This key-pair is not the same as for SSL and requires
a manual process to regenerate a new pair. See the manpages or online documentation for
mxagentconfig for more details. See the Secure Shell (SSH) in HP SIM white paper located at

http://h18013.www1.hp.com/products/servers/management/hpsim/infolibrary.html

.

Passwords

Passwords configured on the Systems Insight Manager System Credentials and Global Credentials
pages are stored in the database encrypted using 128-bit Blowfish. These passwords can be further
managed using the CLI command mxnodesecurity. A few passwords might be stored in a file
on the CMS that are also encrypted using the same 128-bit Blowfish key. These passwords can
be managed using the mxpassword command. The password file and the Blowfish key file are
restricted with operating system file permissions to administrators or root.

Prior to Systems Insight Manager 5.3, passwords configured on the Systems Insight Manager
protocol settings pages are stored in a local file on the CMS, restricted with operating system file
permissions to administrators or root. These passwords can be further managed using the
mxnodesecurity

command.

Browser

SSL

All communication between the browser and the CMS or any managed server occurs using HTTPS
over SSL. Any navigation using HTTP (not using SSL) is automatically redirected to HTTPS.

Cookies

Although cookies are required to maintain a logged in session, only a session identifier is maintained
in the cookie. No confidential information is in the cookie. The cookie is marked as secure, so it
is only transmitted over SSL.

Passwords

Password fields displayed by Systems Insight Manager do not display the password. Passwords
between the browser and the CMS are transmitted over SSL.

Password warnings

There are several types of warnings that can be displayed by the browser or by the Java plug-in
on the browser, most having to do with the SSL server certificate.

Untrusted system

This warning indicates the certificate was issued by an untrusted system. Since certificates are
by default self-signed, this is likely if you have not already imported the certificate into your
browser. In the case of CA-signed certificates, the signing root certificate must be imported.
The certificate can be imported before browsing if you have obtained the certificate by some
other secure method. The certificate can also be imported when you get the warning, but is
susceptible to

spoofing

since the host system is not authenticated. Do this if you can

independently confirm the authenticity of the certificate or you are comfortable that the system
has not been compromised.

Invalid certificate>

If the certificate is invalid because it is not yet valid or it has expired, it could be a date or
time problem, which could be resolved by correcting the system's date and time. If the certificate
is invalid for some other reason, it might need to be regenerated.

96

Understanding Systems Insight Manager security