Ways of enabling online mode, Crl distribution points, Warning or error – HP Systems Insight Manager User Manual


Ways of enabling online mode

There are two ways of enabling online mode: through proxy settings, or directly.

In the former method, you must save the host address and the port of the proxy server.

The latter method assumes that the certificate server is reachable from the CMS server without the
need for the proxy settings. For example, the certificate server is located in the same intranet as the
CMS server.

In the future, the proxy settings will be configured in a common location in HP SIM.

CRL distribution points

HP SIM expects the CRL distribution points to be present in the certificate and the CRL distribution
point URLs to be valid. The revocation check might fail if any of the distribution points contains
an invalid URL.

HP SIM processes only HTTP distribution point URLs. If a certificate does not contain an HTTP
distribution point URL, then the CRL check for the certificate will fail.

Warning or error

If the certificate revocation check cannot be performed successfully, then HP SIM logs that as a
warning, but it does not terminate the connection with the peer system. The connection is terminated
only if HP SIM identifies the certificate as revoked.

In Two-Factor authentication, if the revocation check did not succeed or if the certificate is revoked,
then the user is not allowed to log in to the CMS.

Conditions for warning

If the CRL distribution point is not available in the certificate

If the CRL distribution point does not contain an HTTP URL

If the CRL file is not available in the CRL directory (or expired), and if the file cannot be
downloaded from the CRL distribution point URL
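
The rules above can be modeled as a small decision function, which makes the difference between the peer-connection case (warn and continue) and the Two-Factor case (deny) explicit. This is an added example, not HP SIM code: the function names, the crl_obtainable input, and the reading of "HTTP URL" as scheme http only are assumptions, and the sample URLs and serial numbers are constructed.

```python
from urllib.parse import urlsplit

def http_distribution_points(cdp_urls):
    """Return the distribution-point URLs that are well-formed http:// URLs."""
    usable = []
    for url in cdp_urls:
        try:
            parts = urlsplit(url)
        except ValueError:          # malformed URL, e.g. broken IPv6 literal
            continue
        # Assumption: "HTTP URL" means scheme http with a host part.
        if parts.scheme.lower() == "http" and parts.hostname:
            usable.append(url)
    return usable

def revocation_outcome(cdp_urls, crl_obtainable, serial, revoked_serials,
                       two_factor=False):
    """Model the documented behaviour; returns (decision, reason).

    crl_obtainable (assumed input): True if a non-expired CRL is in the CRL
    directory or could be downloaded from a distribution point URL.
    decision is "allow", "allow-with-warning" or "deny".
    """
    if not cdp_urls:
        reason = "no CRL distribution point in certificate"
    elif not http_distribution_points(cdp_urls):
        reason = "no HTTP distribution point URL"
    elif not crl_obtainable:
        reason = "CRL missing or expired and download failed"
    elif serial in revoked_serials:
        return ("deny", "certificate is revoked")
    else:
        return ("allow", "certificate not listed in CRL")
    # The check could not be performed: peer connections continue with a
    # logged warning, Two-Factor logins are refused.
    return ("deny" if two_factor else "allow-with-warning", reason)

if __name__ == "__main__":
    # Constructed sample data.
    revoked = {0x1A2B}
    ldap_only = ["ldap://dc01.example.test/CN=ExampleCA"]
    http_cdp = ["http://crl.example.test/ca.crl"]
    print(revocation_outcome(ldap_only, True, 0x10, revoked))
    print(revocation_outcome(ldap_only, True, 0x10, revoked, two_factor=True))
    print(revocation_outcome(http_cdp, True, 0x1A2B, revoked))
    print(revocation_outcome(http_cdp, False, 0x1A2B, revoked))
```

The last call shows the case to watch for when reviewing logs: a revoked certificate whose CRL cannot be obtained is still accepted on a peer connection, with only a warning recorded.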

Customizable properties

A few CRL properties can be configured through the globalsettings.properties
file in HP SIM’s \config directory. The CRL GUI or the command line might not support
all of these settings.

Download timeout of CRL file:

Property name: CRL_FETCH_TIMEOUT

The default value is 10000 (10s)

The expiring delay is 1 day by default. This can be customized using:

Property name: CRLExpirationStart

The default value is 1

If you do not want to receive alerts on CRL expiration:

Property name: CRLAlert

1 — Enable
