HP System Management Homepage-Software User Manual

Page 50


Why can't I use a Windows 2003 certificate authority to grant my third-party certificate into
the HP SMH?

Solution: To use a Windows 2003 certificate authority to create a certificate for HP SMH:

1. Create the PKCS #10 data packet by clicking Settings ⇒ HP System Management Homepage ⇒ Security ⇒ Local Server Certificate page.

2. Press the Ctrl+C keys to copy the data into a buffer.

3. Navigate to http://W2003CA/certsrv where W2003CA is the name of your Windows 2003 certificate authority system.
   Select Request a certificate.
   Select Advanced certificate request.
   Select Submit a certificate request by using a base.
   Press the Ctrl+V keys to paste the PKCS #10 data into the field.

4. From your Windows 2003 certificate authority system:
   Click Start ⇒ All Programs ⇒ Administrative Tools ⇒ Certification Authority.
   Click CA (Local) ⇒ W2003CA/certsrv ⇒ where W2003CA is the name of your Windows 2003 certificate authority system.
   Issue the pending request certificate.

5. Navigate to http://W2003CA/certsrv where W2003CA is the name of your Windows 2003 certificate authority system.
   Select View the status of a pending certificate request.
   Select Base64-encoded and Download certificate (not certificate chain).
   The file download is certnew.cer.
   Rename certnew.cer to cert.pem.
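
A check worth running on certnew.cer before the rename in step 5, as an added example that is not part of the HP manual: it tells a single Base64-encoded certificate apart from a certificate chain or a binary DER download, using only the Python standard library. The function names and sample bytes are constructed for illustration; the check looks at ASN.1 structure only and does not validate signatures or trust.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def pem_wrap(label: str, der: bytes) -> bytes:
    """Wrap DER bytes in PEM armor (used here to build constructed samples)."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n".encode("ascii")

def classify_download(data: bytes) -> str:
    """Return 'single-pem', 'chain', 'der' or 'invalid' for a CA download."""
    if data[:1] == b"\x30":
        return "der"          # starts with a raw ASN.1 SEQUENCE tag: binary, not Base64
    try:
        blocks = PEM_BLOCK.findall(data.decode("ascii"))
    except UnicodeDecodeError:
        return "invalid"
    if len(blocks) > 1:
        return "chain"        # several armored objects in one file
    if not blocks:
        return "invalid"
    label, body = blocks[0]
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:
        return "invalid"
    if len(der) < 2 or der[0] != 0x30:
        return "invalid"      # both structures start with an ASN.1 SEQUENCE
    # Skip the outer length octets (short form, or long form 0x8N + N octets).
    inner = 2 + (der[1] & 0x7F if der[1] & 0x80 else 0)
    if len(der) <= inner:
        return "invalid"
    if der[inner] == 0x06:
        return "chain"        # OBJECT IDENTIFIER first: PKCS #7 ContentInfo
    if der[inner] == 0x30 and label == "CERTIFICATE":
        return "single-pem"   # SEQUENCE first: X.509 tbsCertificate
    return "invalid"

# Constructed DER skeletons, not real certificates: just enough structure to classify.
SAMPLE_CERT = pem_wrap("CERTIFICATE", bytes.fromhex("300430020500"))
SAMPLE_P7B = pem_wrap("CERTIFICATE", bytes.fromhex("300b06092a864886f70d010702"))

if __name__ == "__main__":
    for name, blob in [("cert", SAMPLE_CERT), ("p7b", SAMPLE_P7B)]:
        print(name, classify_download(blob))
```

Only a file classified as single-pem matches what step 5 asks for; any other result means the wrong download option was selected.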

What are the security options when using Bastille?

Solution: Bastille is a system hardening program which enhances the security of an HP-UX host.
It configures daemons, system settings and firewalls to be more secure. It can shut off unneeded
services and tools such as rcp(1) and rlogin(1), and can help to limit the vulnerability of common
internet services such as Web servers and DNS.

One of the facilities that Bastille uses to lock down a system is IP filtering. Refer to the Partition
Manager Online Help for requirements when using IP filtering with Partition Manager. If Bastille's
interactive user interface is used, be aware of these issues when answering the questions asked
by Bastille. Bastille also has three install-time security options that are represented by the following
files in /etc/opt/sec_mgmt/bastille.

HOST.config

Host-based lockdown, without IPFilter configuration. Using this configuration has no impact
on Partition Manager.

MANDMZ.config

A fairly tight lockdown, but leaves open select network ports that are used by common
management protocols and tools. For example, WBEM still functions when this configuration
is used. Launching Partition Manager under this configuration requires the use of SSH or
changes to enable ports 2301 and 2381. To enable launching Partition Manager on a system
where ports 2301 and 2381 have been disabled, adjust the IP filtering by adding entries such
as:

pass in quick proto tcp from any to any port = 2301 flags S/0xff keep state keep frags

pass in quick proto tcp from any to any port = 2381 flags S/0xff keep state keep frags

to /etc/opt/sec_mgmt/bastille/ipf.customrules prior to running Bastille.


Troubleshooting
