Distributed task facility (dtf), Wbem, Ldap – HP Systems Insight Manager User Manual

Web agent and be configured to trust by certificate to validate the digital signature. SSL can
optionally authenticate the system to HP SIM, using the system's certificate, to prevent HP SIM from
inadvertently providing sensitive data to an unknown system.

NOTE: For SSO to web agents, the Replicate Agent Settings and Install Software and Firmware
tools each provide administrator-level access to the web agents. HP System Management Homepage
As Administrator, System Management Homepage As Operator, and System Management
Homepage As User each provide SSO access at the described level.

Distributed Task Facility (DTF)

DTF is used for custom command tools and multiple- and single-system aware tools. Commands
are issued securely to the managed system using SSH. Each managed system must have the CMS
SSH public key in its trusted key store so that it can authenticate the CMS. Managed systems are
also authenticated to the CMS by their SSH public key.

In HP SIM, the Privilege Elevation feature enables tools to be run against HP-UX, Linux, and ESX
managed systems by first signing in as a non-root user, and then requesting privilege elevation to
run root-level tools. This can be configured under Options→Security→Privilege Elevation.
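The two-way SSH key trust that DTF depends on (the managed system holds the CMS public key; the CMS holds the managed system's host key) can be checked offline from the key stores. This is an added example, not HP SIM code: it assumes plain OpenSSH-format authorized_keys and known_hosts files, and every key blob and host name in it is a constructed sample.

```python
# Added example, not HP SIM code: check the two-way SSH key trust DTF relies on.
# Assumes OpenSSH-format stores: the managed system's authorized_keys must hold
# the CMS public key and the CMS known_hosts the managed system's host key.
# All key blobs below are constructed samples, not real keys.
import base64
import hashlib


def fingerprint(pubkey_line):
    """OpenSSH-style SHA256 fingerprint of a 'type blob [comment]' line."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_trusted(store_text, pubkey_line, host=""):
    """True if store_text lists pubkey_line (same key type and blob).
    host set: parse as known_hosts, only that host's entries count.
    host empty: parse as authorized_keys, skipping leading options
    (options quoted with embedded spaces are not handled)."""
    want_type, want_blob = pubkey_line.split()[:2]
    for line in store_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if host:  # known_hosts: "host[,host2] type blob [comment]"
            if len(parts) < 3 or host not in parts[0].split(","):
                continue
            ktype, blob = parts[1], parts[2]
        else:     # authorized_keys: "[options] type blob [comment]"
            idx = next((i for i, p in enumerate(parts)
                        if p.startswith(("ssh-", "ecdsa-"))), None)
            if idx is None or idx + 1 >= len(parts):
                continue
            ktype, blob = parts[idx], parts[idx + 1]
        if ktype == want_type and blob == want_blob:
            return True
    return False


def dtf_trust_ok(managed_authorized_keys, cms_pubkey,
                 cms_known_hosts, managed_host, managed_hostkey):
    """Both directions must hold before DTF can run a tool on managed_host."""
    return {"managed_trusts_cms": key_trusted(managed_authorized_keys, cms_pubkey),
            "cms_trusts_managed": key_trusted(cms_known_hosts, managed_hostkey,
                                              host=managed_host)}


# Constructed sample stores (hypothetical host names and key material).
CMS_PUBKEY = "ssh-rsa " + base64.b64encode(b"constructed-cms-key").decode() + " cms"
MANAGED_HOSTKEY = "ssh-rsa " + base64.b64encode(b"constructed-host-key").decode()
AUTHORIZED_KEYS = "# managed system side\n" + CMS_PUBKEY + "\n"
KNOWN_HOSTS = "# CMS side\nmanaged1.example.com,10.0.0.5 " + MANAGED_HOSTKEY + "\n"
```

Call `dtf_trust_ok(AUTHORIZED_KEYS, CMS_PUBKEY, KNOWN_HOSTS, "managed1.example.com", MANAGED_HOSTKEY)` to get both trust directions, and `fingerprint(CMS_PUBKEY)` to compare the CMS key against what the managed system shows.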

WBEM

All WBEM access is over HTTPS for security. HP SIM is configured with a user name and password
for WBEM agent access. Using SSL, HP SIM can optionally authenticate the managed system using
its SSL certificate.

For HP-UX, certificates can be used instead of username and password for WBEM authentication.
You can configure WBEM authentication from the System Credentials→WBEM tab by selecting
Options→Security→Credentials→System Credentials. For more information, see the HP SIM online
help.

LDAP

When configured to use a directory service, HP SIM can be configured to use LDAP with SSL
(default) or without SSL, which would transmit credentials in clear-text. To enable LDAP over SSL
in Microsoft Active Directory, refer to http://support.microsoft.com/default.aspx?scid=kb;en-us;321051.
Additionally, the directory server can be authenticated using the Trusted Certificate list in HP SIM.

RMI

Java RMI is secured by requiring digitally signed requests using the CMS private key, which should
only be available to the local system. All communications use localhost to prevent the communication
from being visible on the network.

Credentials management

SSL certificates

There are several certificates used by HP SIM.

HP SIM main certificate

The HP SIM main certificate is used by the HP SIM SSL web server, the partner application SOAP
interface, and the WBEM indications receiver. This certificate is used to authenticate HP SIM in
the browser, in partner applications that communicate with HP SIM through SOAP, and in WBEM
agents that deliver indications to HP SIM.

By default the SIM main certificate is self-signed. Public Key Infrastructure (PKI) support is provided
so that the main certificate may be signed by an internal certificate server or by a third-party
Certificate Authority (CA). HP SIM suggests and supports certificate key sizes with 2,048-bit or
