Understanding HP Systems Insight Manager 6.3 Security

This certificate can be distributed in a number of different ways including:
1. Use the Web-based interface in an individual Insight Management Agent to specify the
HP SIM system to trust. This causes the agents to pull the digital certificate from the HP SIM
system immediately, enables you to verify it, and then sets up the trust relationship. This
option does have a limited vulnerability: it would be possible to spoof the HP SIM system
at the time the certificate is pulled and thus set up an unexpected trust relationship. However, it
is reasonably secure for most networks.
2. Import the HP SIM certificate during initial installation of the Insight Management Agents. This
can be done manually during an attended installation or through the configuration file in an
unattended one. This method is more secure because there is little opportunity for the spoofing
attack described above.
3. If you have already deployed the Insight Management Agents, you can distribute the security
settings file and the HP SIM certificate directly to the managed systems using OS security.
IMPORTANT: When using the Trust by certificate option, the HP SIM SSL certificate must be
redistributed if a new SSL certificate is generated for HP SIM.

SSH on the managed system
normally operates in a mode similar to trust by certificate in that it requires the SSH public key
from the CMS. Note that the SSH public key is not the same as the SSL certificate. The command
mxagentconfig is used on the CMS to copy the key to the managed system. This must be done
for each user account that is to be used on the managed system since the root or Administrator
account is used by default.
IMPORTANT: The HP SIM SSH public key must be redistributed if the SSH key-pair is
regenerated.
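
The verification step in option 1, and the redistribution rule in the IMPORTANT note on the SSL certificate, can both be expressed as a fingerprint comparison. The following is an added example, not HP SIM code: the function names are hypothetical, the certificate strings are constructed, and it assumes the operator obtains the CMS certificate's SHA-256 fingerprint over a separate channel. On a live network the pulled PEM could come from Python's `ssl.get_server_certificate`.

```python
import hashlib
import hmac
import re
import ssl

# Added illustration: function names are hypothetical, not HP SIM APIs.


def fingerprint(pem):
    """SHA-256 over the certificate's DER bytes, as certificate viewers show it."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return hashlib.sha256(der).hexdigest()


def normalize(fp):
    """Accept 'AB:CD:...', spaced, or plain hex as read out by an operator."""
    hexed = re.sub(r"[:\s-]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexed):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return hexed


def evaluate(pulled_pem, out_of_band_fp, pinned_fp=None):
    """Decide what to do with a certificate pulled from the CMS.

    out_of_band_fp: fingerprint read from the CMS over a separate channel.
    pinned_fp: fingerprint of the copy the agent already trusts, if any.
    """
    pulled = fingerprint(pulled_pem)
    if not hmac.compare_digest(pulled, normalize(out_of_band_fp)):
        return "reject"          # not the CMS certificate: do not set up trust
    if pinned_fp is not None and normalize(pinned_fp) != pulled:
        return "redistribute"    # genuine but new: the trusted copy is stale
    return "trust"


# Constructed byte strings standing in for certificates. The PEM helpers only
# add and strip base64 armor, so no real X.509 structure is needed here.
CMS_OLD = ssl.DER_cert_to_PEM_cert(b"constructed CMS certificate, first key pair")
CMS_NEW = ssl.DER_cert_to_PEM_cert(b"constructed CMS certificate, regenerated")
SPOOFED = ssl.DER_cert_to_PEM_cert(b"constructed certificate from another host")

if __name__ == "__main__":
    operator_fp = ":".join(re.findall("..", fingerprint(CMS_NEW).upper()))
    print(evaluate(CMS_NEW, operator_fp))                        # first-time trust
    print(evaluate(SPOOFED, operator_fp))                        # spoofed at pull time
    print(evaluate(CMS_NEW, operator_fp, fingerprint(CMS_OLD)))  # certificate regenerated
```
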
Strong
The strong security option lets you take advantage of every security feature. This option provides the
highest level of security available within the HP SIM security framework, but there are some additional
procedural steps you must take in your server operations. Also, this option is facilitated by using your
own PKI that includes a certificate authority and certificate server.
1. First, you must generate certificates from your certificate server for each managed system and
the HP SIM system. To do this, first generate a certificate signing request (CSR) from the
various systems. This generates a PKCS#7 file. This file should then be taken to the certificate
server and signed, and then the resulting file (generally a PKCS#10 response) should be
imported into each managed system and the HP SIM system.
IMPORTANT: To maximize security, it is important that none of these steps be done over a
network unless all communications are already protected by some other mechanism.
Thus, in the case of the Insight Management Agents, removable media (for example, USB
thumb drive, floppy disk) should be taken directly to the managed system, have the PKCS#7
file placed on it, and hand-carried to a secure system with access to the certificate server. The
PKCS#10 response file should similarly be placed on the removable media and returned to
the managed system to be imported into the Insight Management Agents.
2. Take the root certificate (just the certificate, not the private key) of your certificate server and
import that into the HP SIM trusted certificate list. This allows HP SIM to trust all the managed
systems because they were signed with this root certificate.