HP Adaptive Infrastructure Solution Security for BladeSystem Matrix

Role / Description

Hardware administrator: Uses OA, iLO, and Virtual Connect login credentials to appropriately configure the hardware for host, networking and storage components (configuring networking and storage aspects within the BladeSystem c-Class enclosure).

Host system or operating system administrator: Uses HP SIM, iLO, and SMH login credentials to manage a logical server, such as reboot through the iLO and direct management of the OS configuration through SMH or remote console.

Operator (HP SIM and HP SMH monitoring administrator): Uses HP SIM login credentials on the CMS to view and monitor activity occurring on all systems. Uses HP SMH login credentials to view and monitor activity occurring on all systems.

Storage administrator: Uses HP SIM login credentials to utilize the HP StorageWorks CommandView EVA software to manage storage arrays. Uses Virtual Connect Manager to define the storage fabrics and Virtual Connect Enterprise Manager to manage the WWN pool and switch management software to manage the fabric.

Network administrator: Uses Virtual Connect Manager to define the networks and Virtual Connect Enterprise Manager to perform activities such as managing the MAC address pool.

Virtualization administrator: Uses HP SIM and HP Insight Dynamics – VSE suite for ProLiant login credentials to manage logical servers and hypervisors.
Each of these types of administrators authenticates using a login and password. For a higher level of security, you can use two-factor authentication for OA and iLO. A two-factor authentication scheme requires both a user password or PIN and the private key associated with the user's digital certificate.

Authentication through a web browser uses the HTTPS protocol (over SSL) and provides machine-level authentication. The SSL protocol can support mutual authentication, in which the client side and the server side each authenticate to the other, so that both ends of the connection are verified. To use this functionality, SSL certificates must be loaded on each client (in the browser). You can also use mutual authentication to secure the command line interface (CLI) through the SSH service.

Each of the authentication mechanisms must protect its authentication database and process. For example, the user names for HP SIM access are stored in encrypted form on the CMS, in a database protected by the platform file system permissions. Authentication of a user requesting to log in to the CMS is performed by the native Windows operating system.
Use of Active Directory is recommended with BladeSystem Matrix because it enables a consistent set of user accounts to be used for authentication and authorization. Each of the BladeSystem Matrix components supports Active Directory, removing the need for separate user accounts and databases on each component.

For environments using directory servers such as Active Directory, you can use the LDAP protocol to authenticate credentials against the directory. LDAP sends the password over an SSL connection to provide a secure communications path to the directory. You can also use Kerberos with the directory server to perform authentication. If configured, the directory also stores security policies such as the privileges associated with a user account.

Using LDAP also provides additional security benefits. For instance, in an environment where you use LDAP for Virtual Connect authentication, you can disable local authorization, preventing users (including the local administrator account) from logging in. To set this configuration parameter, the user must be logged in through LDAP and have the Virtual Connect domain administrator role. Note