HP Adaptive Infrastructure Solution Security for BladeSystem Matrix
Communication protection
This section discusses traditional access controls on communications as well as methods for protecting
data in transit. The communications examined are not limited to traffic flowing over a local or wide
area network (Ethernet traffic); they extend to communications that take place between and within
components, for example between a management access point (iLO or OA) and a server blade, and
within an HP BladeSystem c-Class enclosure.
Before diving into the communication security aspects of the BladeSystem Matrix solution components,
it is important to address an architectural configuration aspect of the deployment environment. HP
generally recommends that management traffic use a separate management network, with access
limited to administrators. A separate network enables administrators to physically control which
systems are connected to the management network and separates the flow of user traffic from
administrative (often privileged) traffic. Several components in the BladeSystem Matrix solution support
this separation, as described in the enclosure communications section below. Separating user and
management data on the network provides a first line of defense against attacks and creates a layer in
a defense-in-depth security strategy. An additional benefit can be improved performance and
responsiveness for management operations.
Management communication
Maintaining the confidentiality and integrity of management communications is critical. In the
BladeSystem Matrix solution this is most often achieved with the SSL (Secure Sockets Layer) transport
protocol and the SSH network protocol. Both protocols encrypt the communications link to ensure the
confidentiality and integrity of the conversation and to prevent a third party from tapping into the
conversation. SSL is the foundation protocol for services such as HTTPS, used between a browser and
a web server. SSH (Secure Shell) is used to establish a command line interface to a remote system and
execute commands. In addition to encrypting communication traffic, SSL and SSH support
authentication services.
Web-based communications between a client web browser and the HP SIM CMS, SMH, iLO, OA,
and Virtual Connect module all use HTTPS to ensure secure communications. Additionally, much of
the communication carried out between the CMS and managed systems also uses HTTPS. For
instance, when Capacity Advisor collects data from server agents, all data that passes between the
monitored server and the CMS is encrypted over WBEM (which runs over HTTPS, an SSL-protected
connection). SSL supports mutual authentication of the two communications endpoints. One exception
to the use of encrypted communication is local access to the OA, which is achieved through the serial
port and is not encrypted.
The secure communications and operations between HP SIM and managed servers use a trust model
where the managed nodes can import the HP SIM certificate for validating HP SIM requests and
operations. If an even higher level of security is desired, HP SIM supports a two-way trust model
where HP SIM stores the certificates of all the trusted managed nodes.
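The one-way and two-way trust models described above, illustrated with openssl trust-store checks. This is an added example, not HP code: the certificates are self-signed test certificates generated on the fly in a scratch directory, the host names are placeholders, and nothing connects to a real CMS or managed node.

```shell
#!/bin/sh
# Added illustration of the HP SIM trust model using openssl's trust-store
# verification. All certificates are constructed test data, generated here.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a self-signed certificate for one party (the CMS or a managed node).
mkcert() {  # $1 = file stem, $2 = common name (placeholder host name)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# Does certificate $2 validate against trust store $1? Prints ok / untrusted.
trusts() {  # $1 = PEM bundle acting as the trust store, $2 = peer certificate
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo untrusted; fi
}

mkcert cms   hpsim-cms.example    # the HP SIM certificate of the CMS
mkcert node1 blade1.example       # enrolled managed nodes
mkcert node2 blade2.example

# One-way trust: each managed node imports the HP SIM certificate, so it can
# validate requests and operations coming from the CMS...
cp "$WORK/cms.pem" "$WORK/node-truststore.pem"
ONE_WAY_NODE_CHECKS_CMS=$(trusts "$WORK/node-truststore.pem" "$WORK/cms.pem")
# ...but the CMS holds no node certificates, so it cannot validate the node.
: > "$WORK/cms-truststore.pem"
ONE_WAY_CMS_CHECKS_NODE=$(trusts "$WORK/cms-truststore.pem" "$WORK/node1.pem")

# Two-way trust: HP SIM additionally stores the certificate of every trusted
# managed node, so it can validate the node as well.
cat "$WORK/node1.pem" "$WORK/node2.pem" > "$WORK/cms-truststore.pem"
TWO_WAY_CMS_CHECKS_NODE=$(trusts "$WORK/cms-truststore.pem" "$WORK/node1.pem")
# A node whose certificate was never stored in HP SIM remains untrusted.
mkcert unknown blade3.example
TWO_WAY_CMS_CHECKS_UNKNOWN=$(trusts "$WORK/cms-truststore.pem" "$WORK/unknown.pem")

printf 'one-way  node->cms:%s  cms->node:%s\n' "$ONE_WAY_NODE_CHECKS_CMS" "$ONE_WAY_CMS_CHECKS_NODE"
printf 'two-way  cms->node:%s  cms->unknown:%s\n' "$TWO_WAY_CMS_CHECKS_NODE" "$TWO_WAY_CMS_CHECKS_UNKNOWN"
```

The second line of output shows what the two-way model adds: the CMS accepts only nodes whose certificates it has stored, and rejects any other certificate presented to it.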