HP-UX WBEM Services Release Notes (B8465-90045, March 2011)
The wbemexec command is not recommended for use in high-threat environments because
wbemexec does not provide any additional certificate verifications, such as host-name or
certificate-depth verification.
Managing certificates
During the installation process, if the /etc/opt/hp/sslshare/cert.pem and
/etc/opt/hp/sslshare/file.pem files are found on the system, the following message is generated in
the install log:
NOTE: /etc/opt/hp/sslshare/cert.pem - SSL Certificate file already
exists. New certificates are not created.
The existing files, /etc/opt/hp/sslshare/cert.pem and /etc/opt/hp/sslshare/file.pem,
might have been created by an earlier installation of HP WBEM Services A.02.05 or
an installation of other management applications on the system. These files will not be overwritten.
HP-UX example:
The following examples describe how to update certificates when an earlier version of HP WBEM
Services is already installed:
• Scenario 1: Using the default installed certificates from HP WBEM Services version A.01.05.
HP recommends that after installing HP WBEM Services version A.02.07, you do the following:
1. Delete the existing /var/opt/wbem/server_2048.pem and /var/opt/wbem/server.pem
files and use the certificates in the /etc/opt/hp/sslshare directory.
Or
2. Overwrite the new certificate in the /etc/opt/hp/sslshare/cert.pem file and the
private key in the /etc/opt/hp/sslshare/file.pem file with the existing certificate
and key in either /var/opt/wbem/server_2048.pem or /var/opt/wbem/server.pem
files. Before overwriting the /etc/opt/hp/sslshare/cert.pem and
/etc/opt/hp/sslshare/file.pem files, ensure other products are not using the
certificates in these files.
If the server certificate was copied to any other systems, then the certificate in the new
/etc/opt/hp/sslshare/cert.pem file should be copied to the trust store on those
other systems, replacing the earlier certificate.
NOTE: Use the ssltrustmgr command to add or remove certificates in a trust store.
For more information about the ssltrustmgr command, see the ssltrustmgr manpage.
• Scenario 2: Using custom certificates.
If you are using either the self-signed or root-signed 512-bit or 1024-bit encryption certificates,
then HP recommends that you create new certificates with 2048-bit encryption.
If you are using CA certificates that use 2048-bit encryption, then HP recommends that you
retain them. If the CA certificates are not using 2048-bit encryption, HP recommends that you
create new CA certificates with 2048-bit encryption.
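The following script is an added example, not part of the HP release notes: it reports the
public-key size of the certificate files named above and flags any below 2048 bits. It assumes
an openssl command is on the PATH and that the keys are RSA; the function names are illustrative.

```shell
#!/bin/sh
# Added example: report the public-key size of PEM certificates and flag
# anything below the 2048 bits the release notes recommend.
# Assumptions: openssl is on the PATH; keys are RSA (the threshold is not
# meaningful for other key types).
MIN_BITS=2048

# Extract the key size from `openssl x509 -noout -text` output on stdin.
# Matches both "Public-Key: (2048 bit)" and "RSA Public-Key: (2048 bit)".
key_bits_from_text() {
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the key size in bits of the first certificate in a PEM file.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | key_bits_from_text
}

# Classify a bit count: OK, WEAK (below MIN_BITS) or UNKNOWN (not a number).
classify_bits() {
    case "$1" in
        ''|*[!0-9]*) echo UNKNOWN ;;
        *) if [ "$1" -ge "$MIN_BITS" ]; then echo OK; else echo WEAK; fi ;;
    esac
}

# Audit one file; prints "<status> <bits> <path>".
audit_cert() {
    if [ ! -r "$1" ]; then
        echo "MISSING - $1"
        return 0
    fi
    bits=$(cert_key_bits "$1")
    echo "$(classify_bits "$bits") ${bits:--} $1"
}

# Certificate paths named in the release notes; extra PEM files may be
# passed as arguments.
for f in /etc/opt/hp/sslshare/cert.pem \
         /var/opt/wbem/server_2048.pem \
         /var/opt/wbem/server.pem "$@"; do
    audit_cert "$f"
done
```

A WEAK or UNKNOWN line marks a file to regenerate or inspect by hand before it is reused or copied to a client trust store.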
Importing server certificates to trust store
CIM client applications must maintain a trust store in the <trust_store-name>.pem file. The
CIM client applications must import the certificates stored in /etc/opt/hp/sslshare/cert.pem
to a trust store file on the client machine from various CIM Server machines (ones the client wants
to connect to).
With C++ CIM client libraries, the trust store should be in PEM format.
To import a server certificate, copy the public certificate from the server to the client application: