HP Adaptive Infrastructure Solution Security for BladeSystem Matrix

Figure 5: BladeSystem Matrix secure communications
The SSH protocol, used to securely execute commands on remote systems, is used when a terminal
window is opened to the HP SIM CMS, iLO OA, and Virtual Connect. An SSH connection can also be
established between the HP SIM CMS and the managed systems (for example, when using the HP SIM
Distributed Task Facility or the mxexec command). In this case SSH authenticates the remote system
and allows the remote system to authenticate the user. By default, HP SIM does not verify the identity
of the managed system: the managed system's SSH host key is not checked. The CMS can, however, be
configured to verify the managed system's SSH key, which prevents man-in-the-middle attacks. The
managed system can authenticate HP SIM either by password or by public key. HP SIM provides the
mxagentconfig command to copy the SSH user or host authentication public key from the CMS to the
managed system.
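As an added illustration (not HP's code and not the HP SIM implementation), the following Python models the two host-key policies the paragraph describes: the default, in which the CMS does not check the managed system's key at all, and the configured mode, in which the presented key must match the key pinned for that host. The hostnames, keys and known_hosts-style store are constructed for the example.

```python
import base64
import hashlib

# Constructed sample keys in SSH wire format (type string + key bytes); not real keys.
def _wire_key(keytype: bytes, raw: bytes) -> bytes:
    return len(keytype).to_bytes(4, "big") + keytype + len(raw).to_bytes(4, "big") + raw

KEY_A = _wire_key(b"ssh-ed25519", bytes(range(32)))      # the key pinned on the CMS
KEY_B = _wire_key(b"ssh-ed25519", bytes(range(32, 64)))  # a different key (e.g. an interposed host)

# Constructed known_hosts-style store held by the CMS: "host keytype base64key" per line
KNOWN_HOSTS = "blade01.example.internal ssh-ed25519 " + base64.b64encode(KEY_A).decode() + "\n"

def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint (base64 with the padding stripped)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map (host, keytype) -> raw key bytes; blank lines and comments are skipped."""
    store = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        host, keytype, b64key = fields[:3]
        store[(host, keytype)] = base64.b64decode(b64key)
    return store

def verify_host_key(store: dict, host: str, keytype: str, presented: bytes, strict: bool):
    """Decide whether the CMS should proceed with the SSH session; returns (accept, reason).

    strict=False models the default described in the text: the managed system's key is
    not verified, so any key is accepted, including one that differs from the pinned key.
    strict=True models the configured mode: proceed only when the presented key equals
    the key pinned for that host; an unknown host or a mismatch is refused."""
    pinned = store.get((host, keytype))
    if not strict:
        return True, "key not verified (default policy): " + fingerprint(presented)
    if pinned is None:
        return False, "no pinned key for %s; refusing" % host
    if pinned != presented:
        return False, "key mismatch for %s: pinned %s, presented %s" % (
            host, fingerprint(pinned), fingerprint(presented))
    return True, "pinned key matches: " + fingerprint(presented)

if __name__ == "__main__":
    store = parse_known_hosts(KNOWN_HOSTS)
    for strict in (False, True):
        print(strict, verify_host_key(store, "blade01.example.internal", "ssh-ed25519", KEY_B, strict))
```

Running it shows the changed key KEY_B being accepted under the default policy and refused under strict verification, which is the difference the configuration described above makes.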
SNMP is supported but not required, and it offers very limited security. Insight Software uses SNMP
in a read-only manner over the network and does not use SNMP SET operations. You can use a
separate management network to mitigate the limitations of SNMP, or you can use the WBEM and WMI
protocols, which offer a higher degree of security, in place of SNMP.
The Web-Based Enterprise Management (WBEM) set of management standards supports secure
communication across disparate technologies and platforms. HP SIM uses WBEM services for secure
instrumentation on HP-UX and Linux systems, and WBEM uses the HTTPS protocol to provide a secure
communications channel. Windows Management Instrumentation (WMI) is an implementation of WBEM
for Windows; HTTPS is used between the CMS and the WMI mapper. The WMI mapper, which usually
resides on the CMS but can be located elsewhere, uses Microsoft DCOM, based on DCE RPC, for
secure communication with the Windows server.