Manualshelf

Understanding HP Systems Insight Manager 6.3 Security

ManualsBrandsHP ManualsSoftwareHP Systems Insight Manager 5.x Windows Software
12345678910
HTTPS
HTTPS (Hyper Text Transfer Protocol Secure) refers to HTTP communications over SSL. All
communications between the browser and HP SIM are carried out over HTTPS. HTTPS is also used for
much of the communication between the CMS and the managed system.
Secure Task Execution and Single Sign-On
Secure Task Execution (STE) is a mechanism for securely executing a command against a managed
system using the Web agents. It provides authentication, authorization, privacy, and integrity in a
single request. Single Sign-On provides the same features but is performed when browsing a system.
Secure Task Execution and Single Sign-On are implemented in very similar ways. SSL is used for all
communication during the STE and Single Sign-On exchange. A single-use value is requested from the
system prior to issuing the STE or Single Sign-On request to help prevent against replay or delay
intercept attacks. Afterwards, HP SIM issues the digitally signed Secure Task Execution or Single Sign-
On request. The managed system uses the digital signature to authenticate the HP SIM server. Note
that the managed system must have a copy of the CMS SSL certificate imported into the Web agent
and be configured to trust by certificate to validate the digital signature. SSL can optionally
authenticate the system to HP SIM, using the system’s certificate, to prevent HP SIM from inadvertently
providing sensitive data to an unknown system.
Note to Insight Manager 7 users: Insight Manager 7 used the Automatic Device Authentication
setting to control STE and Single Sign-On access levels; these are replaced by tools in the new HP
SIM authorization model. Any tool that requires STE access to the Web Agents includes it implicitly.
For Single Sign-On to Web Agents, the Replicate Agent Settings and Install Software and Firmware
tools each provide administrator-level access to the Web Agents. System Management Homepage
As Administrator, System Management Homepage As Operator, and System Management
Homepage As User each provide Single Sign-On access at the described level.
Distributed Task Facility
The Distributed Task Facility (DTF) is used for Custom Command tools and multiple- and single-system
aware tools. Commands are issued securely to the managed system using SSH. Each managed
system must have the CMS SSH public key in its trusted key store so that it can authenticate the CMS.
Managed systems are also authenticated to the CMS by their SSH public key.
Privilege Elevation: In HP SIM 5.3, the Privilege Elevation feature allows tools to be run against
HP-UX, Linux, and ESX managed systems by first signing in as a non-root user, and then requesting
privilege elevation to run root-level tools. This can be configured under Options->Security-
>Privilege Elevation.
Note to HP Servicecontrol Manager Users: SSH replaces the existing signed RMI connections used
by the DTF in HP Servicecontrol Manager. This adds a level of encryption and data integrity over
signed RMI that was previously only available through the use of a secure network protocol such as
IPSec.
WBEM
All WBEM access is over HTTPS for security. HP SIM is configured with a user name and password
for WBEM agent access. Using SSL, HP SIM can optionally authenticate the managed system using its
SSL certificate.