A.05.70 HP Insight Remote Support Advanced and Remote Device Access Security Overview (October 2011, 5900-1735)

to authenticate the Central Management Server. Note that the managed system must have a copy of
the CMS SSL certificate imported into the Web agent and be configured to “trust by certificate” to
validate the digital signature. STE uses TCP port 2381.
SSH
The Secure Shell (SSH) protocol is an application-layer protocol that permits secure remote access
over a network from one computer to another. SSH negotiates and establishes an encrypted and
authenticated connection between an SSH client and an SSH-managed server. SSH provides data
integrity checks and prevents eavesdropping on, and modification of, sensitive data transferred between the
CMS and managed systems. SSH typically uses TCP port 22, but alternative port numbers may be
assigned to the SSH server.
Although the SSH protocol is typically used to log into a remote machine and execute commands, it
also supports tunneling, forwarding arbitrary TCP ports and X11 connections. It can transfer files using
the associated SFTP or SCP protocols.
The SSH protocol exists in two versions. Several security vulnerabilities have been identified in the
original SSH protocol version 1; it should therefore be considered insecure and should not be used in
a secure environment. Its successor, SSH protocol version 2, strengthened security by changing the
protocol and adding Diffie-Hellman key exchange and strong integrity checking via message
authentication codes. HP RDA uses SSH protocol version 2 for most connections.
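As an added illustration of the version point above (example code, not part of the HP document or of HP RDA): an SSH server announces which protocol versions it speaks in its first line, the identification string of RFC 4253 section 4.2, and a server that still accepts version 1 announces "1.99" or "1.x". The helper below parses constructed banners and flags any managed system that is not version 2 only; the host names and banners are hypothetical.

```python
import re
from typing import NamedTuple

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion [SP comments] CR LF"
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

class SshBanner(NamedTuple):
    proto: str
    software: str
    comments: str
    offers_v1: bool  # 1.x offered: the insecure version the overview warns about
    offers_v2: bool  # 2.0 offered: DH key exchange plus MAC integrity checks

def parse_banner(line: bytes) -> SshBanner:
    """Parse the identification string an SSH server sends first."""
    text = line.decode("ascii", errors="replace").rstrip("\r\n")
    m = BANNER_RE.match(text)
    if not m:
        raise ValueError(f"not an SSH identification string: {text!r}")
    proto = m.group("proto")
    # RFC 4253: a server that speaks both 1.x and 2.0 announces "1.99".
    return SshBanner(proto, m.group("software"), m.group("comments") or "",
                     offers_v1=proto.startswith("1."),
                     offers_v2=proto in ("2.0", "1.99"))

def verdict(banner: SshBanner) -> str:
    if banner.offers_v2 and not banner.offers_v1:
        return "ok: protocol 2 only"
    if banner.offers_v2:
        return "warn: protocol 1 still offered (1.99)"
    return "fail: protocol 1 only"

def audit(observed: dict) -> dict:
    """Map host -> verdict for a dict of host -> raw banner bytes."""
    results = {}
    for host, raw in observed.items():
        try:
            results[host] = verdict(parse_banner(raw))
        except ValueError as exc:
            results[host] = f"error: {exc}"
    return results

# Constructed sample banners; host names and software strings are hypothetical.
SAMPLE_BANNERS = {
    "cms.example": b"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1\r\n",
    "legacy-ux.example": b"SSH-1.99-OpenSSH_3.9p1\r\n",
    "old-appliance.example": b"SSH-1.5-OldDaemon_1.0\r\n",
    "not-ssh.example": b"220 ftp ready\r\n",
}
```

Running `audit(SAMPLE_BANNERS)` reports the first host as version 2 only, the next two as still offering version 1, and the last as not speaking SSH at all.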
SSL and TLS
The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are application-layer
protocols which provide data encryption and authentication. TLS is an updated version of SSL v3. SSL
and TLS use X.509 certificates, also known as digital certificates, for authentication. Although most
users are accustomed to working only with server certificates, SSL and TLS can be configured to require
client-side certificates, which provide password-less two-way authentication. The CMS and managed
systems authenticate using X.509 certificates. Also, all communications between the client browsers
and the CMS are protected by SSL. The Remote Support Configuration Collector System supports both
SSL v3 and TLS 1.0. These two protocols are most ubiquitous in HTTPS on TCP port 443. Other protocols
and applications also utilize SSL and TLS for security.
WBEM
Web Based Enterprise Management (WBEM) is an initiative based on a set of management and Internet
standard technologies developed by the Distributed Management Task Force (DMTF) to unify the
management of enterprise computing environments. WBEM is really a collection of Internet standards
and DMTF open standards: CIM infrastructure and schema, CIM-XML, CIM operations over HTTP, and
WS-Management. The Common Information Model (CIM) provides a common definition of management
information for systems, networks, applications and services, and allows for vendor
extensions. WS-Management is a specification of a SOAP-based protocol for the management of servers,
devices, and applications. WBEM can be encapsulated inside either HTTP or HTTPS. HP Insight Remote
Support does not support unencrypted WBEM communications. All WBEM traffic is encrypted using
SSL over HTTPS on TCP port 5989.
WMI is the Microsoft proprietary implementation of WBEM. WMI runs as a DCOM (Distributed
Component Object Model) service which in turn uses RPC (Remote Procedure Call) and other associated
DCOM services. The WMI Mapper is an application that provides a two-way translation interface
between DCOM and WBEM. WMI Mapper is required for any Windows managed system supporting
WBEM Indications to be monitored by HP SIM and Insight Remote Support.
2.5.2 Unsecured Communication
HP uses the following unsecure protocols only inside the customer’s internal network. HP will not initiate any
external communications between the customer and HP using these protocols:
HTTP
The Hypertext Transfer Protocol (HTTP) is an application-layer protocol used for exchanging data. HTTP
is described in RFC 2616. Its most popular usage is for transferring text, graphic images, sound, video,
and other multimedia files to Web browsers. HTTP’s capabilities are also general enough for non-web
applications. The CMS remote data collection can use HTTP to identify devices. Once devices are