Credentials, Use of management lan, Security properties for data center power control – HP Insight Control Software for Linux User Manual
or by configuring HP Systems Insight Manager system-specific credentials. If no valid credentials are available,
power management will additionally attempt the factory default log-in credentials, admin/admin.
Credentials
Log-in credentials are presented to all systems as configured within the Systems Insight Manager Security
and power management options. Note that use of global credentials will cause all credentials to be presented
to systems during discovery. Untrusted or compromised systems may then observe the incoming credentials
and use them for attacks upon other systems. It is therefore recommended that only system-specific sign-in
credentials be utilized to limit potential disclosure of log-in credentials.
Use of management LAN
HP recommends that all communications between the Systems Insight Manager CMS and the management
processors be transmitted over a secure LAN isolated from the remainder of your network. This ensures
SNMP data collection (which is inherently insecure) cannot be observed/monitored by other entities, and
reduces the potential for external attacks on management processors by untrusted or compromised systems.
Security properties for Data Center Power Control
In order to define and manage rules, you need to have access to the Data Center Power Control Rules page.
Access to this tool is controlled by standard Systems Insight Manager tool authorizations. Alternatively, it is
possible to define and manage rules if you have write access to the directory on the CMS in which the rule
definitions are stored. Access to this directory is controlled by standard file system permissions of the underlying
operating system. Systems Insight Manager is installed with write access to this directory granted only to the
administrator of the CMS.
In order to invoke a rule, you must either have access to the Data Center Power Control Rules page or be
on the list of Systems Insight Manager users allowed to run the rule. Authentication of the user is performed
through standard Systems Insight Manager authentication mechanisms (GUI, SOAP, or CLI).
When running a rule, the rule acts with full authority (user "mxadmin") on all target systems, regardless of
the privileges of the user who invoked it. Rule execution therefore acts as a privilege elevation mechanism.
In particular:
• The Shutdown tool is implemented by calling SSA tools that run as the user 'Administrator' on Windows
target systems and as 'root' on Linux and HP-UX target systems, with appropriate SSH credentials. For
target systems that do not allow root SSH login, use Systems Insight Manager's privilege elevation
tool. You can log in to target systems using appropriate SSH credentials stored in Systems Insight
Manager, along with any privilege elevation credentials needed when the rule is executed. For information
on configuring SSH on target systems using Insight managed system setup wizard, see
shutdown through Data Center Power Control
For more information on SSH credentials and Systems Insight Manager's privilege elevation tool, see
the Secure Shell (SSH) in Systems Insight Manager 5.x white paper and HP Systems Insight Manager
Installation and Configuration Guide for Microsoft Windows, Linux, and HP-UX at
.
• The Power State tool is implemented by connections to the system iLOs that use the iLO credentials
stored in Systems Insight Manager.
• The Power Switch action is implemented with a mix of SSA tool invocations, as with Shutdown above;
and calls to the Power State action, as described above.
• The Run Script action runs scripts on the CMS as the Administrator/root user (that is, the user running
the Systems Insight Manager CMS process).
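Because rules act as "mxadmin" and Run Script actions run as the CMS Administrator/root user, write access to the rule-definition directory carries that same authority. The shell check below is an added example, not part of the HP manual or HP software; the function names are hypothetical, and the directory is passed as an argument because the manual does not state its path.

```shell
#!/bin/sh
# Added example: audit the directory that holds Data Center Power Control
# rule definitions on a Linux CMS. The manual does not give its path, so the
# caller supplies it, for example: audit_rule_dir /path/to/rule-definitions root

# list_unsafe_entries DIR [OWNER]
# Prints every non-symlink entry under DIR that is group-writable,
# world-writable, or not owned by OWNER (default: root).
list_unsafe_entries() {
    dir=$1
    owner=${2:-root}
    find "$dir" ! -type l \
        \( -perm -0020 -o -perm -0002 -o ! -user "$owner" \) -print
}

# audit_rule_dir DIR [OWNER]
# Returns 0 when only OWNER can write under DIR, 1 when any entry would let
# another account define or alter rules, 2 when DIR is not a directory.
audit_rule_dir() {
    dir=$1
    owner=${2:-root}
    if [ ! -d "$dir" ]; then
        echo "error: $dir is not a directory" >&2
        return 2
    fi
    findings=$(list_unsafe_entries "$dir" "$owner")
    if [ -n "$findings" ]; then
        echo "Entries that let a non-administrator define or alter rules:"
        printf '%s\n' "$findings" | while IFS= read -r entry; do
            ls -ld "$entry"   # show mode, owner and group for each finding
        done
        return 1
    fi
    echo "OK: only $owner can write under $dir"
    return 0
}
```

A non-zero result means an account other than the CMS administrator can change what runs with full authority on the target systems.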