HP Systems Insight Manager User Manual

Page 84


Procedure 18-1 Setting security to strong

1. Generate certificates from your certificate server for each managed system and the Systems Insight
Manager system. To do this, first generate a certificate signing request (CSR) from the various systems.
This generates a PKCS#7 file. This file should then be taken to the certificate server and signed, and
then the resulting file (generally a PKCS#10 response) should be imported into each managed
system and the Systems Insight Manager system.

To maximize security, it is important that none of these steps be done over a network unless all
communications are already protected by some other mechanism.

Thus, in the case of the Insight Management Agents, removable media (for example, a USB thumb drive or
floppy disk) should be taken directly to the managed system, have the PKCS#7 file placed on it, and be
hand-carried to a secure system with access to the certificate server. The PKCS#10 response file should
similarly be placed on the removable media and returned to the managed system to be imported into
the Insight Management Agents.

2. Take the root certificate (just the certificate, not the private key) of your certificate server and import that
into the Systems Insight Manager trusted certificate list. This allows Systems Insight Manager to trust all
the managed systems because they were signed with this root certificate.

3. Take the certificate from the Systems Insight Manager system and import it into the Insight Management
Agents of each system. This allows the managed systems to trust the Systems Insight Manager system.
This certificate can be distributed using any of the methods available to distribute the Systems Insight
Manager certificate. However, the option to pull the certificate directly from the Systems Insight Manager
system over the network must be avoided because of the potential for a man-in-the-middle attack.

As in the Moderate option, you must redistribute the Systems Insight Manager SSL certificate to the
managed systems whenever a new Systems Insight Manager SSL certificate is generated.

4. Once these steps have been completed, you can turn on the option in Systems Insight Manager to enable
Require Trusted Certificates. Select Options→Security→Trusted Systems, and then click Trusted
Certificates. The warnings presented around this option make it clear that any managed system that
does not have a certificate signed by your certificate server will not be sent secure commands from the
Systems Insight Manager system, although it will be monitored for hardware status.

5. For SSH, turn on the option to accept SSH connections only from specified systems. Select
Options→Security→Trusted Systems, click SSH Host Keys, and then enable the option The central
management server will accept an SSH connection only if the host key is in list below. Afterwards,
you must manually import each managed system’s public SSH key into the list of keys in Systems Insight
Manager.

To configure this in previous versions of Systems Insight Manager, add or modify the following line in
the Hmx.properties file:

MX_SSH_ADD_UNKNOWN_HOSTS=false

and then restart Systems Insight Manager.

Afterwards, you must manually import each managed system's public SSH key into the list of keys in
Systems Insight Manager.
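
A check that can precede the manual SSH key import in step 5, given as an added example that is not part of the HP manual or of Systems Insight Manager: it compares each public key brought over on removable media against the fingerprint noted at that system's console. The host names, function names and key material are constructed for illustration, and the fingerprints are assumed to be in OpenSSH's SHA256 format.

```python
import base64
import hashlib
import struct

def fingerprint(pubkey_line):
    """Return the OpenSSH-style SHA256 fingerprint of one public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line was truncated or altered in transit.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def keys_to_reject(collected, recorded):
    """Hosts whose collected key is missing, malformed or does not match."""
    rejected = []
    for host, expected in sorted(recorded.items()):
        try:
            ok = fingerprint(collected[host]) == expected
        except (KeyError, ValueError):
            ok = False
        if not ok:
            rejected.append(host)
    return rejected

def _sample_key(seed, comment):
    # Constructed ed25519-format key blob, for the demonstration only.
    t = b"ssh-ed25519"
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", 32) + bytes([seed]) * 32
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)

# Constructed sample data: host names and keys are hypothetical.
ON_MEDIA = {"node-a": _sample_key(1, "root@node-a"),
            "node-b": _sample_key(2, "root@node-b")}
AT_CONSOLE = {"node-a": fingerprint(_sample_key(1, "")),
              "node-b": fingerprint(_sample_key(9, "")),  # differs: key was swapped
              "node-c": fingerprint(_sample_key(3, ""))}  # no key was collected

if __name__ == "__main__":
    print(keys_to_reject(ON_MEDIA, AT_CONSOLE))
```

Only keys for hosts that do not appear in the returned list should be imported into the Systems Insight Manager host key list.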

Understanding Systems Insight Manager security
