Technical data

The total number of IP addresses visible with SCF INFO SUBNET <TCPIP process name>.* could be larger than the number of IP addresses a Certificate Authority allows in the SAN field. To restrict the IP addresses used by the OSM Service Connection, you must use the following specialized syntax for the OSMCONF stack parameter:
stack = <TCPIP process name>:<IP address>
A similar syntax holds for the evtstack parameter, which affects the OSM Event Viewer. See “Configuring Additional TCP/IP Processes for OSM Connectivity” (page 18).
NOTE: If the OSM Service Connection or OSM Event Viewer client uses an IP address for
the NonStop server which is not listed in the SAN field of the signed SSL certificate (for example,
not listed in the verisign_SERVER and alt_names_SERVER section of the config.txt
example above), you will see a security warning in the web browser session for the OSM
tool.
Wildcards are allowed in DNS names only.
RSA key lengths can be up to 2048 bits.
Although MD5 hashing is supported, SHA1 is recommended because it is considerably more secure.
Starting with T0682 H02 ADF, HP has signed new versions of the default self-signed OSM
certificate files SERVCERT and CACERT by using the SHA1 digest algorithm instead of the
MD5 algorithm. These new certificates provide more secure fingerprints, while avoiding
compatibility problems when connecting to the OSM Service Connection or OSM Event Viewer
from a PC with an older Microsoft operating system. You may notice changes in the detailed
Internet Explorer warning when using the OSM Event Viewer, because these are new certificates.
A warning is expected from OSM Event Viewer sessions, since modern versions of Internet
Explorer do not trust self-signed certificates.
When signing your private SSL certificates for OSM, the security standards for your servers may
prescribe use of an even stronger SHA2 digest algorithm such as SHA256. Note that Microsoft
Internet Explorer versions before IE7 are not compatible with SHA2 algorithms. Windows XP
and Windows Server 2003 require updates to support SHA2. Windows XP Service Pack 3
should be sufficient, but Windows Server 2003 may require a special update from Microsoft.
Be prepared to retire older PCs or to update software.
For more information on Windows XP and Windows Server 2003 certificate support, refer
to:
http://support.microsoft.com/kb/968730
For an example of one method for generating a private certificate, see “Example: How To Generate a Private SSL Certificate Using OpenSSL”.
Once acquired, the certificate must be placed on the server for use. Three files and five settings in
OSMCONF must be configured. OSM needs to know the certificate used for SSL and also the
Certificate Authority (CA) certificate that signed the server’s certificate. Additionally, the server’s
private key file is needed to encrypt the communications. The requirements for these files are:
The server certificate and the CA certificate must be in binary DER format.
The server key file must also be in binary DER format, but must also be in PKCS#8 format.
The server certificate, the CA certificate, and the server key file must be binary code 0 files.
Be sure to FTP in binary mode.
The server key file must be encrypted with a password.
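The following script is an added example, not part of this manual and not HP or OSM code. It checks the file requirements listed above and the SAN condition from the NOTE earlier in this section before the files are transferred to the NonStop server: it reads the raw DER structure with a small ASN.1 TLV reader (no third-party libraries) and reports whether a file is PEM rather than DER, whether a key file is PKCS#1 or unencrypted PKCS#8 instead of password-encrypted PKCS#8, whether the byte length no longer matches the DER header (the usual result of an ASCII-mode FTP transfer), and which DNS names and IP addresses the server certificate's SAN actually carries. All function names and the sample byte strings are constructed for this example; the samples reproduce only the outer ASN.1 layers and are not real keys or certificates. The Guardian file code (0) is a file attribute on the NonStop system, not file content, so it must be verified there and is not checked here.

```python
"""Pre-flight checks for the OSM SSL files above: an added example, not HP/OSM code.
A minimal ASN.1 TLV reader (no third-party libraries) catches the usual mistakes:
PEM where DER is required, a PKCS#1 or unencrypted PKCS#8 key instead of a
password-encrypted PKCS#8 key, a file damaged by an ASCII-mode FTP transfer, and a
certificate whose SAN lacks the IP address the OSM client uses."""
import ipaddress

SAN_OID = bytes.fromhex("551d11")  # 2.5.29.17 subjectAltName, DER-encoded OID body

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, start, end

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def classify_der(data):
    """'pem', 'not-der', 'der-length-mismatch' (typical after ASCII-mode FTP) or 'der'."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"
    if len(data) < 2 or data[0] != 0x30:
        return "not-der"
    try:
        _, _, end = _read_tlv(data, 0)
    except (ValueError, IndexError):
        return "der-length-mismatch"
    return "der" if end == len(data) else "der-length-mismatch"

def classify_key(data):
    """Only 'pkcs8-encrypted' satisfies the OSM key-file requirement."""
    kind = classify_der(data)
    if kind != "der":
        return kind
    _, start, end = _read_tlv(data, 0)
    tags = [t for t, _, _ in _children(data, start, end)]
    if tags[:2] == [0x30, 0x04]:        # EncryptedPrivateKeyInfo: AlgorithmIdentifier, OCTET STRING
        return "pkcs8-encrypted"
    if tags[:3] == [0x02, 0x30, 0x04]:  # PrivateKeyInfo: version, algorithm, privateKey
        return "pkcs8-unencrypted"
    if tags[:2] == [0x02, 0x02]:        # RSAPrivateKey (traditional): version, modulus, ...
        return "pkcs1"
    return "der-unknown"

def san_entries(cert_der):
    """DNS names and IP addresses in an X.509 DER certificate's subjectAltName."""
    names = []
    _, cs, ce = _read_tlv(cert_der, 0)                 # Certificate
    _, ts, te = next(_children(cert_der, cs, ce))      # tbsCertificate
    for tag, es, _ in _children(cert_der, ts, te):
        if tag != 0xA3:                                # extensions [3] EXPLICIT
            continue
        _, xs, xe = _read_tlv(cert_der, es)            # SEQUENCE OF Extension
        for _, s, e in _children(cert_der, xs, xe):
            parts = list(_children(cert_der, s, e))    # OID, [critical], OCTET STRING
            if cert_der[parts[0][1]:parts[0][2]] != SAN_OID:
                continue
            _, gs, ge = _read_tlv(cert_der, parts[-1][1])  # GeneralNames inside OCTET STRING
            for gtag, g0, g1 in _children(cert_der, gs, ge):
                raw = cert_der[g0:g1]
                if gtag == 0x82:                       # dNSName
                    names.append(raw.decode("ascii"))
                elif gtag == 0x87:                     # iPAddress, 4 or 16 packed bytes
                    names.append(str(ipaddress.IPv4Address(raw) if len(raw) == 4
                                     else ipaddress.IPv6Address(raw)))
    return names

def _der(tag, body):
    """Encode one short-form DER TLV; used only to build the constructed samples."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

# Constructed samples: structurally valid outer layers only, not real keys or certificates.
OID_PBES2, OID_RSA = bytes.fromhex("2a864886f70d01050d"), bytes.fromhex("2a864886f70d010101")
SAMPLE_ENCRYPTED_PKCS8 = _der(0x30, _der(0x30, _der(0x06, OID_PBES2) + _der(0x30, b""))
                              + _der(0x04, bytes(16)))
SAMPLE_PLAIN_PKCS8 = _der(0x30, _der(0x02, b"\x00") + _der(0x30, _der(0x06, OID_RSA)
                          + _der(0x05, b"")) + _der(0x04, b"\x30\x00"))
SAMPLE_PKCS1 = _der(0x30, _der(0x02, b"\x00") + _der(0x02, b"\x00\xc3") + _der(0x02, b"\x01\x00\x01"))
SAMPLE_PEM = b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIB\n-----END ENCRYPTED PRIVATE KEY-----\n"
SAMPLE_TRUNCATED = SAMPLE_ENCRYPTED_PKCS8[:-4]      # what a bad transfer can leave behind
_san = _der(0x30, _der(0x82, b"nonstop.example.test") + _der(0x87, bytes([192, 0, 2, 10])))
_tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
            + _der(0xA3, _der(0x30, _der(0x30, _der(0x06, SAN_OID) + _der(0x04, _san)))))
SAMPLE_CERT = _der(0x30, _tbs + _der(0x30, _der(0x06, OID_RSA)) + _der(0x03, b"\x00"))
```

In practice, read each of the three files with open(path, "rb") and run classify_der on the two certificates, classify_key on the key file, and san_entries on the server certificate; the IP address that the OSM Service Connection or OSM Event Viewer client will use must appear in the returned list, otherwise the browser warning described in the NOTE above is expected. Running the same checks on the files after the FTP transfer, rather than only before it, is what catches an ASCII-mode transfer.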
Configuring OSM for SSL support requires adding the following settings to your OSMCONF:
UseSSL = On
SERVCERT = <server certificate filename>
Optional OSM Configuration 25