HP Servicecontrol Manager 3.0 User's Guide

HP Servicecontrol Manager Introduction
Security and Access
Chapter 1
20
Secure Transactions
The security of the transaction depends on your networking environment and on the
management application or protocol that each tool is using.
Java Remote Method Invocation (RMI) Transactions
The distributed task facility uses Java RMI to communicate with the DTF agents.
Transactions are digitally signed using the public keys, which provides authentication
but not encryption. Passwords should not be transmitted to or from DTF
tasks. For example, a DTF task command line should not contain a password and the
task results should not contain a password.
For information about how to add encryption, see Chapter 4, “Increasing Servicecontrol
Manager Security,” on page 55.
X Applications
The data exchanged between an X client (or application) running on a
managed node and an X server on the network client is transmitted in clear text over the
network. X clients are not recommended in environments where security is a concern.
HTTPS Transactions
HTTPS provides secure communication for any tool or management application using
the Web Based Enterprise Management (WBEM) protocol. WBEM is an industry
standard that simplifies system management. It provides access to both software data
and hardware data that is readable by WBEM compliant applications.
SCM keeps a database of passwords for managed nodes running WBEM. The database
contains the user names and passwords for each managed node, which are required to
provide user authentication for tools using this protocol. These accounts do not need to
have other access capabilities, such as log on rights. They are only used for WBEM
access by SCM. The WBEM username and password can be set from the command line
or the graphical user interface. For more information, see “administering nodes - editing
node security” or “administering node groups - editing node group security” in the SCM
online help.
WBEM passwords for each user should be unique on each managed node for increased
security. This prevents someone who obtains one password from gaining access to that
user account on all managed nodes.
Additional information about HP WBEM Services is available at:
http://docs.hp.com/hpux/netsys/index.html
Web Server Security
SCM uses the Tomcat Web server on the CMS. Tomcat features
that are not required by SCM are turned off by default. This includes Server Side
Includes and Common Gateway Interface scripts.
Self-Signed Certificates
The self-signed certificates used for WBEM and Tomcat Web
server authentication make it possible for another system operating with the same IP
address and hostname to impersonate the CMS. Use CA-signed certificates to prevent
this possibility. If CA-signed certificates are not used, save the certificate in the browser
the first time the browser is used to access SCM. This minimizes the chance of a
“man-in-the-middle” attack on certificate authority.
For information about how to upgrade to CA-signed certificates, see Chapter 4,
“Increasing Servicecontrol Manager Security,” on page 55.
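The following Python code is an added example, not part of SCM or of this guide. It shows the check that saving a self-signed certificate on first access makes possible: the first certificate seen for a service is recorded, and a later certificate that differs under the same hostname is rejected. The hostname, port, and certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_der(host: str, port: int) -> bytes:
    """Fetch a server certificate without CA validation (it is self-signed)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def check_pin(pins: dict, host: str, port: int, der_cert: bytes) -> str:
    """Record the first certificate seen for host:port, then require every
    later certificate for that service to be byte-for-byte identical."""
    key = f"{host.lower()}:{port}"
    seen = fingerprint(der_cert)
    pinned = pins.get(key)
    if pinned is None:
        pins[key] = seen      # first access: equivalent to saving it in the browser
        return "pinned"
    if hmac.compare_digest(pinned, seen):
        return "match"
    return "mismatch"         # same hostname, different certificate: do not connect


# Constructed stand-ins for DER certificate bytes; in practice use fetch_der().
CMS_CERT = b"constructed DER bytes: CMS self-signed certificate"
OTHER_CERT = b"constructed DER bytes: certificate from another system"
HOST, PORT = "cms.example.com", 443   # hypothetical CMS hostname and port


def demo(pins: dict) -> list:
    """First access, a normal later access, then an impersonating system."""
    return [
        check_pin(pins, HOST, PORT, CMS_CERT),
        check_pin(pins, "CMS.example.com", PORT, CMS_CERT),
        check_pin(pins, HOST, PORT, OTHER_CERT),
    ]


if __name__ == "__main__":
    print(demo({}))
```

The pin is only as trustworthy as the first access, which is why the guide describes this as minimizing the risk and recommends CA-signed certificates to prevent it.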