Manualshelf

HP Adaptive Infrastructure Solution Security for BladeSystem Matrix

ManualsBrandsHP ManualsSoftwareHP Insight Server Migration X2X Unlimited Migration 1yr Supp/Updates SW License
11121314151617181920
the appropriate operating system patches based on the results of security scans. VPM is especially
useful in smaller IT environments where HP Server Automation has not been implemented.
The VPM scanner probes its targets using multiple protocols (including SSH for Linux and DCOM for
Windows) searching for operating system and selected application security vulnerabilities. The VPM
patch agent can then apply patches for detected vulnerabilities. HP Vulnerability and Patch Manager
software supports both server and client systems.
The preceding paragraphs discussed security on general purpose server systems. The same security
issues apply to servers that act as management control points. Since management control points
facilitate privileged actions across the computing environment, it is critical that these servers have a
high degree of security. The server on which the core HP SIM functionality operates is the CMS.
Given the sensitive nature of the operations carried out by the CMS, it is imperative that this system is
configured securely. The CMS is also required to store and protect sensitive information to support
administrative tasks. The HP SIM CMS functionality for BladeSystem Matrix runs on a Windows
server.
HP SIM provides core security services (discussed in other sections of this paper) and it utilizes core
security services provided by the host operating system on which it resides (for instance, permissions
for files system access).
Several pieces of authentication information utilized by HP SIM must be stored on the CMS. These
pieces include the CMS server certificate and the server private key and are stored in a file on the
CMS. This information is protected by file system access controls of the host server. The CMS must
have access to a certificate to perform authentication of SSL sessions. Rather than create numerous
certificates, a single SSL certificate, which is protected by file system access controls, is shared by all
SSL server instances for management applications on the CMS. The CMS also stores the passwords
that are required for SNMP and WBEM access to managed systems. The passwords are encrypted
using the 128-bit blowfish encryption algorithm and stored in the HP SIM database.
From the managed systems perspective, the system must have a trust relationship with the HP SIM
CMS. Each managed system is responsible for protecting its own SSL server certificate and private
key, with file system access controls.
Other management components, such as CommandView storage management, can reside on the
CMS with HP SIM or be deployed on other servers. Wherever deployed, these management servers
must maintain a high degree of security, as compromise of these components can affect the entire
computing environment.
Physical access to servers and management access points is another important aspect of security in a
computing environment. Anyone with physical access to a host server and management access points
(the CMS OA, iLO, and enclosure bays) might be able to bypass security mechanisms. Examples of
potential issues include:
Theft of data, drive and tapes.
Use of a USB key to copy data or install unauthorized software.
Tampering with equipment.
Connection of unauthorized networking equipment such as network sniffers.
The ability to bypass the iLO by connecting directly to the physical serial port on the host server and
making modifications to the server.
Changing the iLO security override jumper enables changes to the host configuration.
Therefore, only trusted personnel should have physical access. In shared environments, additional
security mechanisms, such as locked enclosures, might be necessary.
18