HP System Management Homepage
1. Create the PKCS #10 certificate signing request on the Settings→SMH→Security→Local Server
Certificate page.
2. Press Ctrl+C to copy the PKCS #10 data to the clipboard.
3. Navigate to http://W2003CA/certsrv, where W2003CA is the name of your Windows
2003 certificate authority system, and complete the following:
a. Select Request a certificate.
b. Select Advanced certificate request.
c. Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file.
d. Press Ctrl+V to paste the PKCS #10 data into the request field and click Submit.
4. From your Windows 2003 certificate authority system complete the following:
a. Click Start→All Programs→Administrative Tools→Certification Authority.
b. Expand Certification Authority (Local)→W2003CA→Pending Requests, where W2003CA is
the name of your Windows 2003 certificate authority system.
c. Right-click the pending request and select All Tasks→Issue.
5. Navigate to http://W2003CA/certsrv, where W2003CA is the name of your Windows
2003 certificate authority system, and complete the following:
a. Select View the status of a pending certificate request and choose your request.
b. Select Base64-encoded and click Download certificate (not Download certificate chain).
Base64-encoded produces the PEM format that SMH expects; a DER download is binary and
cannot simply be renamed.
c. The downloaded file is named certnew.cer.
d. Rename certnew.cer to cert.pem.
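As an added example (not part of the HP documentation), the following POSIX shell script checks the downloaded file before it is installed as cert.pem: it must carry PEM armour (that is, Base64-encoded was selected rather than DER), contain exactly one certificate (Download certificate, not the chain), and, when openssl is available and the PKCS #10 text copied from SMH was also saved to a file, carry the same public key as that request. Saving the request to a file is an assumed extra step, and the file name request.csr used in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example; not from the HP SMH documentation.
# Sanity-check the certificate issued by the Windows 2003 CA before
# renaming it to cert.pem. The checks mirror the choices in step 5b:
# Base64-encoded (PEM, not DER) and a single certificate (not a chain).

# check_cert_pem FILE
#   returns 0 if FILE holds exactly one PEM-armoured X.509 certificate,
#   1 otherwise, with the reason on stderr.
check_cert_pem() {
    f=$1
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }
    # Windows downloads often have CRLF line endings; strip CR first.
    begins=$(tr -d '\r' < "$f" | grep -c '^-----BEGIN CERTIFICATE-----$' || true)
    ends=$(tr -d '\r' < "$f" | grep -c '^-----END CERTIFICATE-----$' || true)
    # A DER download is binary and has no PEM armour at all.
    if [ "$begins" -eq 0 ]; then
        echo "$f: no PEM header; was DER selected instead of Base64-encoded?" >&2
        return 1
    fi
    # "Download certificate chain" gives a PKCS #7 file or several
    # certificates; SMH wants only the server certificate here.
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        echo "$f: expected one certificate, found $begins BEGIN / $ends END lines" >&2
        return 1
    fi
    # Everything between the armour lines must be base64 text.
    body=$(tr -d '\r' < "$f" \
        | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
        | sed '1d;$d')
    [ -n "$body" ] || { echo "$f: empty certificate body" >&2; return 1; }
    if printf '%s\n' "$body" | grep -qv '^[A-Za-z0-9+/=]\{1,76\}$'; then
        echo "$f: body contains non-base64 data" >&2
        return 1
    fi
    return 0
}

# cert_matches_csr CERT CSR
#   Assumes openssl is installed and CSR holds the PKCS #10 text copied
#   from SMH (saving it to a file is an added step, not one from the
#   documented procedure). Compares the public keys so a certificate
#   issued for some other request is caught before it is installed.
#   Returns 0 on match, 1 on mismatch or parse error, 2 if openssl is absent.
cert_matches_csr() {
    command -v openssl >/dev/null 2>&1 || {
        echo "openssl not found; public key not verified" >&2; return 2; }
    a=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    b=$(openssl req -in "$2" -noout -pubkey) || return 1
    [ "$a" = "$b" ] && return 0
    echo "$1: public key does not match the request in $2" >&2
    return 1
}

# Usage: sh check_cert.sh certnew.cer [request.csr]
if [ $# -ge 1 ]; then
    check_cert_pem "$1" || exit 1
    if [ $# -ge 2 ]; then
        cert_matches_csr "$1" "$2" || exit 1
    fi
    echo "$1: looks good; rename it to cert.pem"
fi
```

Run it against certnew.cer before the rename in step 5d; a non-zero exit means the wrong download option was chosen or the certificate does not belong to the request SMH generated.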
14.14.6.7 What are the security options when using Bastille?
Bastille is a system hardening program that enhances the security of an HP-UX host. It configures
daemons, system settings and firewalls to be more secure. It can shut off unneeded services
and tools such as rcp(1) and rlogin(1), and can help limit the vulnerability of common Internet
services such as Web servers and DNS.
NOTE: At this time, HP System Management Homepage does not support Partition Manager.
One facility that Bastille uses to lock down a system is IP filtering (IPFilter). Refer to the
Partition Manager Online Help for the requirements that apply when IP filtering is used with
Partition Manager, and keep them in mind when answering the questions asked by Bastille's
interactive user interface. Bastille also has three install-time security configurations,
represented by the following files in /etc/opt/sec-mgmt/bastille:
• HOST.config Host-based lockdown, without IPFilter configuration. Using this configuration
has no impact on Partition Manager.
• MANDMZ.config A fairly tight lockdown that leaves open the select network ports used by
common management protocols and tools; for example, WBEM still functions under this
configuration. Launching Partition Manager under this configuration requires either SSH
or IP filter changes that open ports 2301 and 2381. To enable launching Partition
Manager on a system where ports 2301 and 2381 are filtered, add entries such as:
pass in quick proto tcp from any to any port = 2301 flags S/0xff keep state keep frags
pass in quick proto tcp from any to any port = 2381 flags S/0xff keep state keep frags
to /etc/opt/sec-mgmt/bastille/ipf.customrules before running Bastille. Note that these
rules admit connections from any source; restrict the source to your management network
where possible. For more information, see ipf(5).
• DMZ.config A tight lockdown. Launching Partition Manager under this configuration
requires the use of SSH.
Bastille also affects Partition Manager when it remotely manages a system on which Bastille
is enabled. After the normal certificate exchange, Partition Manager works as described
above if HOST.config or MANDMZ.config is used. DMZ.config, however, blocks WBEM traffic
and prevents Partition Manager from remotely managing the system.
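As an added example (not from the HP Bastille documentation), the following POSIX shell script generates the ipf.customrules entries for ports 2301 and 2381 in the rule form shown above, but with the source restricted to a management subnet instead of "from any", and appends them to the rules file without duplicating lines that are already present. The subnet 10.20.30.0/24 and the script's environment variable names are assumptions; the file path is the one the page names.

```shell
#!/bin/sh
# Added example; not from the HP Bastille documentation.
# Generate IPFilter rules that let Partition Manager reach SMH under
# MANDMZ.config, limited to a management subnet rather than any source.
# The rule shape (flags S/0xff keep state keep frags) is the one shown on
# this page; the source restriction is the addition.

MGMT_NET=${MGMT_NET:-10.20.30.0/24}   # assumed management subnet
SMH_PORTS=${SMH_PORTS:-"2301 2381"}   # SMH ports named on this page
RULES_FILE=${RULES_FILE:-/etc/opt/sec-mgmt/bastille/ipf.customrules}

# smh_rules SRC PORT...
#   prints one "pass in quick" rule per port, accepting TCP only from SRC
smh_rules() {
    src=$1; shift
    for p in "$@"; do
        printf 'pass in quick proto tcp from %s to any port = %s flags S/0xff keep state keep frags\n' \
            "$src" "$p"
    done
}

# write_customrules FILE SRC PORT...
#   appends the generated rules to FILE, skipping any line already there,
#   so the script can be re-run before each Bastille run without
#   accumulating duplicates
write_customrules() {
    file=$1; shift
    smh_rules "$@" | while IFS= read -r rule; do
        if [ -f "$file" ] && grep -Fqx "$rule" "$file"; then
            continue
        fi
        printf '%s\n' "$rule" >> "$file"
    done
}

# Usage: MGMT_NET=192.0.2.0/24 sh smh_rules.sh --write
#        (without --write the rules are only printed)
if [ "$1" = "--write" ]; then
    # shellcheck disable=SC2086  # SMH_PORTS is a deliberate word list
    write_customrules "$RULES_FILE" "$MGMT_NET" $SMH_PORTS
elif [ $# -ge 1 ]; then
    smh_rules "$MGMT_NET" $SMH_PORTS
fi
```

Run it before invoking Bastille, as the page requires for ipf.customrules; after Bastille has loaded the filter, `ipfstat -io` on the host lists the active inbound and outbound rules so you can confirm the two pass rules are present with the intended source.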