HP Systems Insight Manager User Manual

18 Understanding Systems Insight Manager security

This chapter provides an overview of the security features available in the Systems Insight Manager framework.
Systems Insight Manager runs on a CMS and communicates with managed systems using various protocols.
You can browse to the CMS or directly to the managed system.

Securing communication

Secure Sockets Layer (SSL)

SSL is an industry-standard protocol for securing communications across the Internet. It provides for encryption
to prevent eavesdropping as well as data integrity to prevent modification, and it can also authenticate both
the client and the server, leveraging public-key technology. All communications between the browser and
the CMS are protected by SSL. Systems Insight Manager supports both SSL 3 and TLS 1.0.

Secure Shell (SSH)

SSH is an industry-standard protocol for securing communications. It provides for encryption to prevent
eavesdropping plus data integrity to prevent modification, and it can also authenticate both the client and
the server utilizing several mechanisms, including key-based authentication. Systems Insight Manager supports
SSH 2.

Hyper Text Transfer Protocol Secure (HTTPS)

HTTPS refers to HTTP communications over SSL. All communications between the browser and Systems Insight
Manager are carried out over HTTPS. HTTPS is also used for much of the communication between the CMS
and the managed system.

Secure Task Execution (STE) and Single Sign-On (SSO)

STE is a mechanism for securely executing a command against a managed system using the Web agents.
It provides authentication, authorization, privacy, and integrity in a single request. SSO provides the same
features but is performed when browsing a system. STE and SSO are implemented in very similar ways. SSL
is used for all communication during the STE and SSO exchange. A single-use value is requested from the
system prior to issuing the STE or SSO request to help protect against replay or delay-intercept attacks.
Afterwards, Systems Insight Manager issues the digitally signed STE or SSO request. The managed system
uses the digital signature to authenticate the Systems Insight Manager server. Note that the managed system
must have a copy of the CMS SSL certificate imported into the Web agent and be configured to trust by
certificate in order to validate the digital signature. SSL can optionally authenticate the system to Systems Insight
Manager, using the system's certificate, to prevent Systems Insight Manager from inadvertently providing
sensitive data to an unknown system.

NOTE: For SSO to web agents, the Replicate Agent Settings and Install Software and Firmware tools each
provide administrator-level access to the web agents. System Management Homepage As Administrator,
System Management Homepage As Operator, and System Management Homepage As User each provide
SSO access at the described level.
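The STE/SSO exchange described above (single-use value requested from the managed system, then a digitally signed request that the Web agent validates against the trusted CMS certificate) can be modelled end to end. The following Go program is an added example written for this page, not code from HP or from Systems Insight Manager; the request layout (STERequest), the P-256 ECDSA key standing in for the CMS certificate key, the nonce format and the function names are all assumptions, and the "collect inventory" command is a constructed sample. It shows the three properties the text names: the nonce stops a captured request from being delivered twice, the signature authenticates the CMS and protects the command's integrity, and the managed system refuses anything signed by a key it has not been configured to trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Errors the managed system returns when it refuses a request.
var (
	ErrReplay       = errors.New("nonce unknown or already consumed")
	ErrBadSignature = errors.New("request signature not valid for the trusted CMS key")
)

// STERequest is the signed request the CMS sends (hypothetical layout, not the real wire format).
type STERequest struct {
	Nonce     string // single-use value previously issued by the managed system
	Command   string // the command to execute
	Signature []byte // ASN.1 ECDSA signature over SHA-256(nonce + "\n" + command)
}

// ManagedSystem models the Web agent: it holds the trusted CMS public key
// (standing in for the imported CMS certificate) and the nonces it has issued.
type ManagedSystem struct {
	trustedCMSKey *ecdsa.PublicKey
	unusedNonces  map[string]bool
}

// NewManagedSystem configures an agent to "trust by certificate" for one CMS key.
func NewManagedSystem(cmsKey *ecdsa.PublicKey) *ManagedSystem {
	return &ManagedSystem{trustedCMSKey: cmsKey, unusedNonces: map[string]bool{}}
}

// GenerateCMSKey creates the CMS signing key pair (assumed P-256; the real CMS uses its SSL certificate key).
func GenerateCMSKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// IssueNonce is step 1: the managed system hands out a fresh random single-use value.
func (m *ManagedSystem) IssueNonce() (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(buf)
	m.unusedNonces[nonce] = true
	return nonce, nil
}

// requestDigest binds nonce and command together so neither can be swapped independently.
func requestDigest(nonce, command string) []byte {
	sum := sha256.Sum256([]byte(nonce + "\n" + command))
	return sum[:]
}

// SignSTERequest is step 2: the CMS signs nonce+command with its private key.
func SignSTERequest(cmsKey *ecdsa.PrivateKey, nonce, command string) (STERequest, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, cmsKey, requestDigest(nonce, command))
	if err != nil {
		return STERequest{}, err
	}
	return STERequest{Nonce: nonce, Command: command, Signature: sig}, nil
}

// Execute is step 3: the managed system checks that the nonce is one it issued and is
// still unused (replay/delay defence), verifies the signature against the trusted CMS key
// (authentication and integrity), and only then consumes the nonce.
func (m *ManagedSystem) Execute(req STERequest) error {
	if !m.unusedNonces[req.Nonce] {
		return ErrReplay
	}
	if !ecdsa.VerifyASN1(m.trustedCMSKey, requestDigest(req.Nonce, req.Command), req.Signature) {
		return ErrBadSignature
	}
	delete(m.unusedNonces, req.Nonce) // single use: a second copy of this request is rejected
	return nil
}

func main() {
	cmsKey, _ := GenerateCMSKey()
	agent := NewManagedSystem(&cmsKey.PublicKey)
	nonce, _ := agent.IssueNonce()
	req, _ := SignSTERequest(cmsKey, nonce, "collect inventory") // constructed sample command
	fmt.Println("first delivery:", agent.Execute(req))
	fmt.Println("replayed copy: ", agent.Execute(req))
}
```

The nonce is checked before the signature so that the agent never spends signature-verification work on a request it would reject anyway, but it is only consumed after the signature verifies; a request that fails verification leaves the nonce available for the legitimate CMS, which matches the "single-use value" behaviour the text describes.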

Distributed Task Facility (DTF)

DTF is used for custom command tools and multiple- and single-system aware tools. Commands are issued
securely to the managed system using SSH. Each managed system must have the CMS SSH public key in
its trusted key store so that it can authenticate the CMS. Managed systems are also authenticated to the CMS
by their SSH public key.

In Systems Insight Manager, the Privilege Elevation feature enables tools to be run against HP-UX, Linux, and
ESX managed systems by first signing in as a non-root user, and then requesting privilege elevation to run
root-level tools. This can be configured under Options→Security→Privilege Elevation.

Securing communication

77