A.05.70 HP Insight Remote Support Advanced and Remote Device Access Security Overview (October 2011, 5900-1735)

encryption and authentication with the HP Datacenter. HP CA certificates can be verified using the VeriSign
Certificate Authority.
2.8 Remote Support Client
The Remote Support Client is primarily responsible for providing secure and reliable communications with
the HP Remote Support Data Center to deliver hardware event information and configuration collection data.
Additionally, this component integrates as an HP SIM plug-in to provide the customer with an integrated
remote support user experience. This component is configured via the Remote Support Configuration and Services option in HP SIM.
2.8.1 Installation and Setup
The Remote Support Client is installed via the Install Then Manage (ITM) software kit, and subsequently
managed via the Remote Support Software Management (RSSWM) application. The client installation creates
necessary application folders and establishes a local SYSTEM service. Access to the application folders is
write-restricted to Power Users and those in the Administrators group. The client has no communications with
the HP Data Center until it is configured via the HP SIM plug-in user interface.
During setup, the installer will be asked to enter company, contact and connection information. If the client
needs to access the public Internet via a proxy server, the installer can enter the relevant connection and
authentication data in the client interface. The proxy password is encrypted via 128-bit AES encryption and
stored on the file system in the folder:
<Client Install Location>\config
The AES key itself is compiled into the client service executable.
NOTE: Insight Remote Support Advanced supports connecting directly to the Internet or connecting through
a proxy server and supports all proxy servers conforming to the HTTP/1.0 Specification. Insight Remote
Support Advanced does not support proxies using proxy auto-configuration scripts, NTLM authentication
(also known as Integrated Windows Authentication), or Kerberos authentication.
2.8.2 Data Collection and Storage
For each device enabled for remote support, the client will collect a set of attributes used for identification
(the specific fields depend on the device) and send a registration event to HP. All data sent to HP is encrypted
using SSL/TLS encryption prior to transport to the HP Remote Support Data Center (RSDC) over HTTPS.
Confidential data elements in the information sent to HP and stored in the Remote Support Database and
on backup media are encrypted using the Advanced Encryption Standard (AES) symmetric block cipher with
a 192-bit key. To enable customers to see the information sent to HP, the client stores a copy of each data
submission. These are stored in the client folder structure under
<Client Install Location>\data
and are removed 14 days after the submission has been closed. (The customer can configure this retention
time.) Access to this directory should be restricted to protect the client object code and the sensitive data
that it manages.
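The folder restrictions described in 2.8.1 and 2.8.2 can be checked with a script like the one below, which is an added example and not HP code. Because the AES key is compiled into the executable, read access to the config folder matters as well as write access, so the script reports both. Assumptions: the $ClientInstallLocation parameter stands in for <Client Install Location>, and the list of expected principals is drawn from 2.8.1.

```powershell
# Added example: audit who can read or modify the client's config and data folders.
param(
    # Placeholder: the page gives this only as <Client Install Location>.
    [Parameter(Mandatory = $true)][string]$ClientInstallLocation
)

# Expected principals by well-known SID (assumption drawn from section 2.8.1).
$allowedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM (the client runs as a SYSTEM service)
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-32-547',  # BUILTIN\Power Users
    'S-1-3-0'        # CREATOR OWNER
)

# Rights that allow changing folder contents or the ACL itself.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Right that allows reading file contents (ListDirectory on a folder).
$readMask  = [int][System.Security.AccessControl.FileSystemRights]'ReadData'
# Raw generic bits that can appear on inherit-only ACEs.
$genericWrite = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL
$genericRead  = 0x80000000 -bor 0x10000000   # GENERIC_READ  | GENERIC_ALL

$findings = foreach ($sub in 'config', 'data') {
    $path = Join-Path $ClientInstallLocation $sub
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        Write-Warning "Folder not found: $path"
        continue
    }
    # Ask for SIDs rather than names so the check is independent of OS language.
    $acl   = Get-Acl -LiteralPath $path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow' -or $allowedSids -contains $sid) { continue }
        $raw      = [int]$rule.FileSystemRights
        $canWrite = ($raw -band ($writeMask -bor $genericWrite)) -ne 0
        $canRead  = ($raw -band ($readMask  -bor $genericRead))  -ne 0
        if (-not ($canWrite -or $canRead)) { continue }
        [pscustomobject]@{
            Folder    = $path
            Sid       = $sid
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
            Finding   = $(if ($canWrite) { 'unexpected write access' } else { 'unexpected read access' })
        }
    }
}
$findings | Format-Table -AutoSize
if ($findings) { exit 1 }   # non-zero exit lets a scheduled task or monitor flag drift
```

An empty result means only the listed principals hold read or write access to the two folders; entries marked as inherited point to a permissive ACL on a parent folder.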
2.8.3 User Interface - Integration with HP SIM
The Insight Remote Support Advanced user interface is a plug-in to HP SIM via the HP System Management
Homepage (HP SMH) and leverages the user account authentication provided by that application. All web
browser connections to the Insight Remote Support Advanced interface are available only through HTTPS.
The Remote Support Client interacts directly with several HP SIM web services during its operation. To
establish these secure connections, the client utilizes server and client certificate information managed by
the HP SMH tool, which is installed as a required product with HP SIM. As a part of its installation, HP SMH
stores HP SIM’s public server certificate as well as generates a client certificate and imports it for HP SIM’s
use.