HP Servicecontrol Manager 3.0 User's Guide

Increasing Servicecontrol Manager Security
Enable WBEM Certificate Validation
Chapter 4
/etc/opt/mx/config/collectors/cimclient.properties
Comment out the following line that sets the trust manager in each file.
TrustManager=orig.snia.wbemcmd.xml.DontValidateCertificate
Step 8. Restart SCM and Tomcat on the CMS:
/opt/mx/bin/mxstop
/opt/mx/bin/mxstart
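A quick check that the trust-manager line really is commented out in each file before relying on validation. This is an added example, not part of the HP guide: the function name check_trust_manager is hypothetical, and it assumes the files use Java .properties syntax, where a line is a comment only if its first non-blank character is # or !.

```shell
#!/bin/sh
# Added example (not from the HP guide).
# check_trust_manager FILE...   (hypothetical helper name)
# Prints "file:line: text" for every ACTIVE TrustManager line that selects
# DontValidateCertificate.
# Returns 0 if no file disables validation, 1 if at least one active line
# was found, 2 if a file could not be read (so validation state is unknown).
check_trust_manager() {
    rc=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "cannot read $f" >&2
            rc=2
            continue
        fi
        # Assumption: Java .properties syntax. Skip comment lines, then
        # match the key followed by '=' or ':' with optional whitespace.
        hits=$(awk -v file="$f" '
            /^[ \t]*[#!]/ { next }
            /^[ \t]*TrustManager[ \t]*[=:]/ && /DontValidateCertificate/ {
                printf "%s:%d: %s\n", file, NR, $0
            }' "$f")
        if [ -n "$hits" ]; then
            echo "$hits"
            if [ "$rc" -eq 0 ]; then
                rc=1
            fi
        fi
    done
    return "$rc"
}

# Run against the files named on the command line, for example:
#   sh check_tm.sh /etc/opt/mx/config/collectors/cimclient.properties \
#                  /opt/hpwebadmin/bin/cim.properties
if [ "$#" -gt 0 ]; then
    check_trust_manager "$@"
fi
```

A non-zero exit status means at least one file still disables certificate validation or could not be inspected.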
To enable WBEM certificate validation with CA-signed certificates:
NOTE: You must have a certificate server available on the network to use CA-signed certificates.
Step 1. Log on to the CMS as root.
Step 2. Identify the MxKeystorePassword:
mxpassword -l -x MxKeystorePassword
Step 3. Generate a CA-signed certificate on the certificate server and save it as ca_certificate.cer.
Step 4. Securely copy the generated CA certificate to the /etc/opt/mx/config/security/ directory on the CMS.
Step 5. Import the CA-signed certificate into the trust store on the CMS:
keytool -import -alias caroot -file ca_certificate.cer -keystore /etc/opt/mx/config/security/certificates -keypass password
where password is the MxKeystorePassword.
Step 6. On a managed node that is running WBEM, generate a certificate request to be signed by the CA on the certificate server:
/opt/wbem/sbin/openssl req -new -key /var/opt/wbem/server.pem -out cert.csr -config /var/opt/wbem/ssl.cnf
Step 7. Securely copy the generated certificate request from the managed node to the certificate server.
Step 8. Retrieve the signed certificate in base64 x509 format.
Step 9. Replace the certificate on the managed node with the new certificate generated from the certificate server. The certificate on each node is at /var/opt/wbem/server.pem.
Step 10. Restart WBEM on the managed node:
kill -9 cimserver_pid
Step 11. Repeat steps 6-10 for each managed node running WBEM.
Step 12. Edit the WBEM configuration files on the CMS to enable certificate validation. The files are located at:
/opt/hpwebadmin/bin/cim.properties