HP WBEM Services Version A.02.07 Release Notes, March 2009

Security Considerations
Keep in mind the following security considerations if you plan to make use of SNMP as well as
PRM and WLM:
You can use tools such as Process Resource Manager (PRM) and Workload Manager (WLM)
to limit computing resources used by the WBEM Services processes. You can purchase these
products from http://www.software.hp.com.
However, depending on the configured limits and WBEM Services utilization,
restricting the computing resources of the WBEM Services processes may cause them
to constantly reach those limits, with undesirable results.
Due to known security vulnerabilities and limitations of the SNMP protocol, we do not
recommend the utilization of the SNMP indication handler.
SSL Support
With HTTPS connections enabled, HP WBEM Services uses SSL (Secure Sockets Layer) for all
communications, with server-side certificates that are trusted by the management application.
HP WBEM Services uses OpenSSL to support HTTPS connections.
NOTE: OpenSSL is an open source cryptography toolkit that implements the network protocols
and related cryptography standards of SSL v2/v3 and TLS (Transport Layer Security). For more
information about OpenSSL, go to http://www.openssl.org.
HP WBEM Services supports only SSL v3 and TLS protocols.
On the HTTPS port, CIM clients are required to use SSL to establish connections with the CIM
Server and to send CIM requests.
To disable the HTTPS port, use the cimconfig command to set the planned value of the CIM
Server configuration property enableHttpsConnection to false. Be sure the planned value
for enableHttpConnection is set to true and restart the CIM Server.
To disable the Export HTTPS port, use the cimconfig command to set the planned value of the
configuration property enableSSLExportClientVerification to false and restart the
CIM Server.
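An added example, not part of HP's release notes or product code: a shell function that reads planned property values as name=value lines (assumed here to be the format printed by cimconfig -l -p) and reports which ports the settings described above would leave enabled after the restart. The function name, the output labels and the sample input are constructed for illustration; only the three property names come from this page.

```shell
#!/bin/sh
# Added example, not HP's code. Reads name=value lines on stdin (assumed to be
# the format printed by `cimconfig -l -p`) and reports which CIM Server ports
# the planned values would leave enabled after the next restart.

cim_listener_state() {
    cl_https=unknown cl_http=unknown cl_export=unknown
    while IFS='=' read -r name value || [ -n "$name" ]; do
        # Normalise: drop blanks and CRs, compare values case-insensitively.
        name=$(printf '%s' "$name" | tr -d ' \t\r')
        value=$(printf '%s' "$value" | tr -d ' \t\r' | tr '[:upper:]' '[:lower:]')
        case $name in
            enableHttpsConnection)             cl_https=$value ;;
            enableHttpConnection)              cl_http=$value ;;
            enableSSLExportClientVerification) cl_export=$value ;;
        esac
    done
    # cleartext-only: CIM requests, including HTTP Basic credentials, cross
    # the network without SSL. none: neither remote port is enabled.
    case "$cl_https/$cl_http" in
        true/false)  ports=tls-only ;;
        true/true)   ports=tls-and-cleartext ;;
        false/true)  ports=cleartext-only ;;
        false/false) ports=none ;;
        *)           ports=unknown ;;   # a property was missing or malformed
    esac
    case $cl_export in
        true)  export_port=on ;;
        false) export_port=off ;;
        *)     export_port=unknown ;;
    esac
    printf '%s export=%s\n' "$ports" "$export_port"
}

# Constructed sample: planned values after following both procedures above.
sample_planned() {
cat <<'EOF'
enableHttpsConnection=false
enableHttpConnection=true
enableSSLExportClientVerification=false
EOF
}

sample_planned | cim_listener_state   # prints: cleartext-only export=off
```

On a live system the input would come from the cimconfig listing instead of sample_planned; a result of unknown means a property was absent from the input, since this page does not state the default values.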
Local User Authentication
The CIM Server automatically authenticates local connections, that is, connections established
using the connectLocal method in the CIMClient interface. This eliminates the need for the
user to specify a user name or password when issuing management commands on the local
system.
The UNIX domain socket connection point is used for local connections, so this traffic is not
visible on the network interconnect.
Remote User Authentication
The CIM Server can authenticate remote users by:
HTTP Basic Authentication
Certificate Based Authentication (CBA)
The following table describes each remote authentication option in greater detail.