HP Adaptive Infrastructure Solution Security for BladeSystem Matrix

Many components that use certificates (for instance HP SIM and SMH) ship with certificates signed by
the provider rather than by a CA your clients already trust, so clients cannot verify the endpoint and
must accept the presented certificate blindly. To achieve a higher level of security for these
components, replace the shipped certificates with certificates issued by a trusted CA at deployment
time.
Implement directory services. Directory services enable a consistent authentication and
authorization process throughout the environment. You can also use directories for role-based
access control.
HP recommends that you do not use local accounts. However, if you do use these accounts,
periodically change the passwords.
Change default passwords immediately to strong, unique passwords.
Administrators should change management device passwords (OA, iLO, Virtual Connect) with the same
frequency and according to the same guidelines as the server administrative passwords.
Passwords should include at least three of these four characteristics: numeric character, special
character, lowercase character, and uppercase character.
Utilize mutual device authentication (to validate endpoints), when available, and user authentication
mechanisms.
Do not grant operating system credentials or privileges to accounts or account groups that are used
only for SMH management; limit such accounts to the SMH roles they need.
Protect SNMP traffic. Even though the BladeSystem Matrix components use only read-only access
through SNMP, administrators must change the default community strings and manage them according
to the same guidelines as the administrative passwords, because a community string is the only
credential SNMPv1/v2c offers. Administrators must also configure firewalls or routers to accept
SNMP traffic only between specific source and destination addresses. If SNMP is not required,
administrators can disable it at the host. Administrators can also disable the iLO SNMP pass-through.
WBEM provides a greater degree of security than SNMP and should be used when available
(WBEM is widely used in the BladeSystem Matrix Solution).
Restrict access to iLO remote console port.
For iLO 2: Disable telnet access to iLO 2.
For First-generation iLO: Require Remote Console data encryption and set Remote Console Port
Configuration to Automatic.
These changes force remote console sessions to be encrypted and leave the port closed except
when attaching the remote console.
Do not connect iLO or OA devices directly to the Internet. The OA and iLO processors are designed
as management and administration tools, not as Internet-facing services. If remote access over the
Internet is required, reach the management network through a corporate VPN that provides firewall
protection.
For service management, consider adopting established practices and procedures such as those
defined by ITIL (Information Technology Infrastructure Library), see
http://www.itil.org.uk/index.htm.
Consider using the Center for Internet Security (CIS) Benchmarks available at
http://www.cisecurity.org/bench.html. Benchmarks are available for HP-UX, Windows, Linux, Citrix
XenServer and VMware Server.