beautypg.com

Wbem, Ldap, Credentials management – HP Systems Insight Manager User Manual

Page 80: Ssl certificates, Certificate sharing, Ssh keys, Passwords, Wbem ldap rmi

background image

WBEM

All WBEM access is over HTTPS for security. Systems Insight Manager is configured with a user name and
password for WBEM agent access. Using SSL, Systems Insight Manager can optionally authenticate the
managed system using its SSL certificate.

For HP-UX, certificates can be used instead of username and password for WBEM authentication. You can
configure WBEM authentication from the System Credentials

WBEM tab by selecting

Options

SecurityCredentialsSystem Credentials. For more information, see the Systems Insight

Manager online help.

LDAP

When configured to use a directory service, HP SIM can be configured to use LDAP with SSL (default) or
without SSL, which would transmit credentials in clear-text. To enable LDAP over SSL in Microsoft Active
Directory, refer to

http://support.microsoft.com/default.aspx?scid=kb;en-us;321051

. Additionally, the

directory server can be authenticated using the Trusted Certificate list in Systems Insight Manager.

RMI

Java RMI is secured by requiring digitally signed requests using the CMS

private key

, which should only be

available to the local system. All communications use localhost to prevent the communication from being
visible on the network.

Credentials management

SSL certificates

Certificates generated by Systems Insight Manager and the Web Agents are self-signed. Public Key
Infrastructure (PKI) support is provided so that certificates may be signed by an internal certificate server or
a third-party

Certificate Authority

(CA). The Systems Insight Manager certificate supports multiple names to

help alleviate name-mismatch warnings in a browser.

There are several certificates used by Systems Insight Manager. The certificate described above is the main
certificate and is used by the Systems Insight Manager SSL web server, the partner application

Simple Object

Access Protocol

(SOAP) interface, and the WBEM indications receiver. This is the certificate used to

authenticate Systems Insight Manager, if necessary, in the browser, in partner applications that communicate
with Systems Insight Manager through SOAP, and in WBEM agents that deliver indications to Systems Insight
Manager. This certificate is also configured in managed systems (for example, SMH, Onboard Administrator,
Integrated Lights-Out, Storage Essentials, CV) to enable a trust relationship with the managed system for
SSO. A separate certificate in Systems Insight Manager is used for authenticating Systems Insight Manager
to HP-UX WBEM Services 2.5 and later, when configured to do so for the WBEM protocol. Certificates from
managed systems can be imported into the Systems Insight Manager Trusted Certificates list, allowing Systems
Insight Manager to authenticate those systems. See the section

How to: lockdown versus ease of use on

Windows systems

.

Certificate sharing

Systems Insight Manager supports a mechanism whereby other components installed on the system can use
the same certificate and private key, facilitating authentication of the system as a whole instead of each
individual component. This is currently used by the Web Agents and the WBEM components on the CMS.

SSH keys

An SSH key-pair is generated during initial configuration. The CMS public key is copied to the managed
system using the mxagentconfig tool. This key-pair is not the same as for SSL and requires a manual process
to regenerate a new pair. See the manpages or online documentation for mxagentconfig for more details.
See the

Secure Shell (SSH) in HP SIM 5.3 or greater white paper located at

http://h18013.www1.hp.com/

products/servers/management/hpsim/infolibrary.html

.

Passwords

Passwords configured on the Systems Insight Manager System Credentials and Global Credentials pages
are stored in the database encrypted using 128-bit Blowfish. These passwords can be further managed using

80

Understanding Systems Insight Manager security