Moderate, Strong, Moderate strong – HP Systems Insight Manager User Manual

4.

Add a user to access WMI data along with their access rights. The enable account and remote
enable permissions

options must be enabled for correct operation of Systems Insight Manager.

5.

The user name and password specified here must be configured in the CMS.

•

Set up user accounts for Insight Web Agents

•

Add the CMS SSH public key to the system’s trusted key store by running mxagentconfig on the
CMS.

•

Configure trust relationship option for Insight Web Agents; import the CMS SSL certificate if set to trust
by certificate.

How to: lockdown versus ease of use on Windows systems

Moderate

The Insight Management Agents should be configured to trust by certificate. This requires distributing the
Systems Insight Manager certificate, which includes the public key, to all the managed systems. After the
systems have been configured to trust the Systems Insight Manager system, they will accept secure commands
from that particular system only.

This certificate can be distributed in a number of different ways, including:

•

Use the Configure or Repair Agents Set Trust Relationship option in Systems Insight Manager to
deploy the Systems Insight Manager certificate to the managed systems. Depending on the managed
system, this might use SSL or Windows network connections to copy files and configure the managed
systems.

•

Use the Web-based interface in an individual Insight Management Agents to specify the Systems Insight
Manager system to trust. This causes the agents to pull the digital certificate from the Systems Insight
Manager system immediately, enables you to verify it, and then sets up the trust relationship. While
this option does have some limited vulnerability, it would be possible to spoof the Systems Insight
Manager system at the time the certificate is pulled and thus set up an unexpected trust relationship.
However, it is reasonably secure for most networks.

•

Import the HP SIM certificate during initial installation of the Insight Management Agents. This can be
done manually during an attended installation or through the configuration file in an unattended one.
This method is more secure because there is little opportunity for the spoofing attack described above.

•

If you have already deployed the Insight Management Agents, you can distribute the security settings
file and the Systems Insight Manager certificate directly to the managed systems using operating system
security.

IMPORTANT:

When using the Trust by certificate option, the Systems Insight Manager SSL certificate

must be redistributed if a new SSL certificate is generated for Systems Insight Manager. SSH on the managed
system normally operates in a mode similar to trust by certificate in that it requires the SSH public key from
the CMS. Note that the SSH public key is not the same as the SSL certificate. The command mxagentconfig
is used on the CMS to copy the key to the managed system. This must be done for each user account that
is to be used on the managed system since the root or Administrator account is used by default.

IMPORTANT:

The Systems Insight Manager SSH public key must be redistributed if the SSH key-pair is

regenerated.

IMPORTANT:

The Systems Insight Manager SSH public key must be redistributed if the SSH key-pair is

regenerated.

Strong

The strong security option lets you take advantage of every security feature. This option provides the highest
level of security available within the Systems Insight Manager security framework, but there are some
additional procedural steps you must make in your server operations. Also, this option is facilitated by using
your own PKI that includes a certificate authority and certificate server.

How to: lockdown versus ease of use on Windows systems

83