Wbem, Ldap, Credentials management – HP Systems Insight Manager User Manual
Page 118: Ssl certificates, Hp sim main certificate, Hp sim single sigon-on (sso) certificate, Key length, Wbem ldap rmi
In HP SIM, the Privilege Elevation feature enables tools to be run against HP-UX, Linux, and ESX
managed systems by first signing in as a non-root user, and then requesting privilege elevation to
run root-level tools. This can be configured under Options
→Security→Privilege Elevation.
WBEM
All WBEM access is over HTTPS for security. HP SIM is configured with a user name and password
for WBEM agent access. Using SSL, HP SIM can optionally authenticate the managed system using
its SSL certificate.
For HP-UX, certificates can be used instead of username and password for WBEM authentication.
You can configure WBEM authentication from the System Credentials
→WBEM tab by selecting
Options
→Security→Credentials→System Credentials. For more information, see the HP SIM
online help.
LDAP
When configured to use a directory service, HP SIM can be configured to use LDAP with SSL
(default) or without SSL, which would transmit credentials in clear-text. To enable LDAP over SSL
in Microsoft Active Directory, refer to
Additionally, the directory server can be authenticated using
the Trusted Certificate list in HP SIM.
RMI
Java RMI is secured by requiring digitally signed requests using the CMS
, which should
only be available to the local system. All communications use localhost to prevent the communication
from being visible on the network.
Credentials management
SSL certificates
There are several certificates used by HP SIM.
HP SIM main certificate
The HP SIM main certificate is used by the HP SIM SSL web server, the partner application SOAP
interface, and the WBEM indications receiver. This certificate is used to authenticate HP SIM in
the browser, in partner applications that communicate with HP SIM through SOAP, and in WBEM
agents that deliver indications to HP SIM.
By default the SIM main certificate is self-signed. Public Key Infrastructure (PKI) support is provided
so that the main certificate may be signed by an internal certificate server or by a third-party
(CA).
HP SIM Single Sigon-On (SSO) certificate
This certificate is used to enable the trust relationship with managed systems for SSO. Managed
systems include System Management Homepage, Onboard Administrator, Integrated Lights-Out,
and CV.
The HP SIM SSO trust model uses the SSO certificate as a client certificate and uses the key to
encrypt the SSO client URL.
Key Length
In HP SIM 7.0 the main certificate, by default, uses a 2,048-bit key. The HP SIM SSO default
certificate uses a 1,024-bit key. The main certificate can be configured on managed systems to
replace the default HP SIM SSO certificate if the longer key is required. However, some SSO
118
Understanding HP SIM security