HP Adaptive Infrastructure Solution Security for BladeSystem Matrix

that this approach avoids the potential error of locking out all users (the case where LDAP is not
configured correctly and local users are locked out). Similar functionality is also supported for iLO.
To reduce the number of separate logins required as an administrator performs different
tasks (such as moving from HP SIM to the iLO or OA), HP SIM provides single sign-on. Single sign-on
enables the administrator to authenticate to HP SIM, which acts as a central control point, providing
transparent access to authorized management components, supported through the use of trusted
certificates. To use single sign-on, the CMS certificate must be available on the managed target; the
user will be prompted for credentials if this is not configured. Single sign-on is supported for Storage
Essentials, System Management Homepage, Onboard Administrator, iLO, and CommandView EVA.
HP SIM and SMH also support the use of the Kerberos authentication protocol for authentication from
the client to the CMS. This functionality enables a user to log in to HP SIM transparently using the same
account used to log in to their desktop, bypassing the normal HP SIM login page. Kerberos is built
into most browsers and deployed on many UNIX, Linux, and Windows operating systems. Additional
components are expected to adopt Kerberos support in the future, enabling transparent access to a
wider range of devices.
Authentication is required not only for user access directly to the CMS or a managed system but also
for requests sent to managed systems by management applications running on the CMS. Many of
these requests can occur as background tasks with no logged-on user, and yet the managed system
must authenticate the requester (the CMS). The most effective means of performing this authentication
is through the use of certificates. This is built into the negotiation of the SSL protocol used for most
requests.
In most cases, the device authenticates the CMS using a user name and password included in the
request; the SSL protocol encrypts the communications link to ensure the confidentiality and integrity of
the conversation and to prevent a third party from tapping into it. SSL supplies a certificate that
identifies the device and can be used by the CMS to authenticate the device. This mutual
authentication ensures that both ends of the communication link are who they claim to be and
eliminates the possibility of spoofing.
The BladeSystem Matrix components, including HP SIM, SMH, iLO, OA, and Virtual Connect, by
default create their own self-signed certificate when installed. These components also support importing
a certificate from a certificate authority, which provides a higher level of security. Using certificates
from a trusted certificate authority prevents the possible introduction of a Trojan horse and is
highly recommended.
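The mutual authentication described in the two preceding paragraphs (the device checking the CMS, the CMS checking the device's certificate) and the difference between a CA-issued and a self-signed certificate can be observed end to end on a loopback TLS connection (what the paper calls SSL). The block below is an added example written for this page; it is not HP code and not part of any BladeSystem Matrix component. It assumes the `openssl` command-line tool is on the PATH and uses it to mint a throwaway lab CA plus constructed certificates named `Lab CA`, `device.lab` and `cms.lab`. The device side requires a client certificate issued by the lab CA, so a CMS presenting a CA-issued certificate is accepted, while a CMS presenting no certificate, or a self-signed certificate carrying the same name, is refused; the CMS side in turn verifies the device certificate against the same CA. Where the paper says the CMS certificate itself is placed on the managed target, the same `load_verify_locations` call on the device side would take that certificate instead of a CA.

```python
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def _openssl(*args, cwd):
    """Run one openssl CLI command in cwd (assumes the openssl binary is on PATH)."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl CLI not found; it is needed to mint the throwaway lab certificates")
    subprocess.run(["openssl", *args], cwd=cwd, check=True, capture_output=True)


def make_lab_pki(workdir):
    """Mint a constructed lab PKI (nothing here is real HP material): a lab CA, a CA-issued
    device (server) cert, a CA-issued CMS (client) cert, and a self-signed CMS cert that
    carries the same name but was never issued by the CA (the "Trojan horse" case)."""
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=Lab CA", "-keyout", "ca.key", "-out", "ca.pem", cwd=workdir)
    leaf_exts = {"device": "subjectAltName=IP:127.0.0.1\nextendedKeyUsage=serverAuth\n",
                 "cms": "extendedKeyUsage=clientAuth\n"}
    for name, exts in leaf_exts.items():
        with open(os.path.join(workdir, f"{name}.ext"), "w") as fh:
            fh.write(exts)
        _openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={name}.lab",
                 "-keyout", f"{name}.key", "-out", f"{name}.csr", cwd=workdir)
        _openssl("x509", "-req", "-days", "1", "-in", f"{name}.csr", "-CA", "ca.pem", "-CAkey", "ca.key",
                 "-CAcreateserial", "-extfile", f"{name}.ext", "-out", f"{name}.pem", cwd=workdir)
    # Same subject as the genuine CMS, but self-signed rather than issued by the lab CA.
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=cms.lab", "-keyout", "rogue.key", "-out", "rogue.pem", cwd=workdir)


def start_device(workdir, attempts):
    """Act as a managed device: present the device cert and demand a client cert issued by
    the lab CA. Returns (port, log, thread); log gets ("accepted", client CN) or
    ("rejected", reason) per connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED          # mutual authentication: no CMS cert, no session
    ctx.load_cert_chain(os.path.join(workdir, "device.pem"), os.path.join(workdir, "device.key"))
    ctx.load_verify_locations(os.path.join(workdir, "ca.pem"))
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    listener.settimeout(15)
    log = []

    def serve():
        for _ in range(attempts):
            conn, _peer = listener.accept()
            conn.settimeout(10)
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:   # handshake runs here
                    subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                    log.append(("accepted", subject["commonName"]))
                    tls.sendall(b"OK")
            except OSError as exc:                   # ssl.SSLError is an OSError subclass
                log.append(("rejected", getattr(exc, "reason", None) or type(exc).__name__))
            finally:
                conn.close()
        listener.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return listener.getsockname()[1], log, thread


def cms_connect(workdir, port, client_cert=None):
    """Act as the CMS: verify the device cert against the lab CA (name checked against its IP
    SAN) and present client_cert ("cms" or "rogue") if given. Returns "accepted"/"rejected"."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED and check_hostname by default
    ctx.load_verify_locations(os.path.join(workdir, "ca.pem"))
    if client_cert:
        ctx.load_cert_chain(os.path.join(workdir, f"{client_cert}.pem"),
                            os.path.join(workdir, f"{client_cert}.key"))
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname="127.0.0.1") as tls:
                # Under TLS 1.3 the device's verdict on our cert can arrive after the
                # handshake returns, so wait for the application reply before claiming success.
                return "accepted" if tls.recv(2) == b"OK" else "rejected"
    except OSError:
        return "rejected"


def demo():
    """Run the three CMS scenarios against one lab device and return the verdicts."""
    with tempfile.TemporaryDirectory() as workdir:
        make_lab_pki(workdir)
        port, device_log, thread = start_device(workdir, attempts=3)
        verdict = {"ca_issued_cms": cms_connect(workdir, port, "cms"),
                   "no_client_cert": cms_connect(workdir, port, None),
                   "self_signed_cms": cms_connect(workdir, port, "rogue")}
        thread.join(timeout=15)
        verdict["device_log"] = list(device_log)
        return verdict


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The device's log records the reason for each refusal (for example, that the peer returned no certificate, or that the presented certificate failed verification), which is the same information a managed component would write to its audit log; the CMS side only learns that the session was refused, which is why the client reads the application reply rather than trusting that the handshake call returned.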
Another important aspect of the BladeSystem Matrix solution authentication mechanisms is the
delivered configuration. HP Virtual Connect is shipped with an unpredictable randomly generated
administrator password, printed on a label, and physically attached to the hardware. This mitigates
the many attacks staged using a common or default password. The password can be changed by
appropriately privileged administrators. Similar protections are provided with the OA and iLO.
HP SIM is not distributed with a default password, and depends on the host platform administrator to
configure the appropriate HP SIM accounts. The iLO and Virtual Connect modules also contain
additional protections through a maintenance switch, requiring physical access. You can use this
switch to reset some parameters, such as the administrator password, or to restore default values.
Password restoration is accomplished during the power up sequence, when the switch is in the reset
position. You can use this approach if the password is unknown, forgotten, or lost.
At initial deployment, the iLO processor enforces generation of new site-specific SSL keys. The values
of these newly generated keys are neither known to nor conveyed to HP.