Passwords – HP Systems Insight Manager User Manual

Page 108


The SSH keys of the trusted systems do not expire. These keys can be removed manually from the
trust store.

Passwords

Passwords configured on the HP SIM System Credentials and Global Credentials pages are stored
in the database encrypted using 128-bit Blowfish. These passwords can be further managed using
the CLI command mxnodesecurity. A few passwords might be stored in a file on the CMS that
are also encrypted using the same 128-bit Blowfish key. These passwords can be managed using
the mxpassword command. The password file and the Blowfish key file are restricted with operating
system file permissions to administrators or root.

Prior to HP SIM 5.3, passwords configured on the HP SIM protocol settings pages were stored in a
local file on the CMS, restricted with operating system file permissions to administrators or root.
These passwords can be further managed using the mxnodesecurity command.
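
Both paragraphs above rest the protection of the stored passwords on operating system file permissions, so that restriction is worth verifying on the CMS. The following is an added example, not part of the HP manual or of HP SIM: a POSIX shell check for a Linux or HP-UX CMS. The function name `audit_secret_file` is hypothetical, and the file paths are supplied by the operator because the manual does not name them.

```shell
#!/bin/sh
# Added example (not HP code): check that a secret file such as the password
# file or the Blowfish key file is accessible only to its owner.

# audit_secret_file FILE [UID]   (UID defaults to 0, that is, root)
# Prints one line per finding; returns 0 if clean, 1 otherwise.
audit_secret_file() {
    file=$1
    want_uid=${2:-0}
    rc=0

    # A symlink could point the reader at a file outside the protected path.
    if [ -L "$file" ]; then echo "FAIL $file: is a symbolic link"; return 1; fi
    if [ ! -f "$file" ]; then echo "FAIL $file: not a regular file"; return 1; fi

    # ls -ldn: field 1 is the mode string, field 3 the numeric owner.
    listing=$(ls -ldn "$file" | awk '{print $1, $3}')
    mode=${listing% *}
    uid=${listing#* }
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $file: owner uid is $uid, expected $want_uid"; rc=1
    fi
    # Characters 5-10 of the mode string are the group and other bits.
    if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
        echo "FAIL $file: group/other access present ($mode)"; rc=1
    fi

    # A group- or world-writable directory lets others replace the file.
    dir=$(dirname "$file")
    dmode=$(ls -ldn "$dir" | awk '{print $1}')
    case $(printf '%s' "$dmode" | cut -c6,9) in
        *w*) echo "FAIL $dir: directory writable by group or other"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK   $file"
    return "$rc"
}

# Constructed demo: a stand-in key file created under a loose umask, then fixed.
demo=$(mktemp -d)
( umask 022; : > "$demo/keyfile" )
audit_secret_file "$demo/keyfile" "$(id -u)"   # reports group/other access
chmod 600 "$demo/keyfile"
audit_secret_file "$demo/keyfile" "$(id -u)"   # passes
rm -rf "$demo"
```

On a Windows CMS the equivalent review is of the files' ACLs rather than mode bits.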

For user accounts, HP SIM relies on the customer environment (for example, Windows Operating
System) to govern credential policy (expiration, lockout, and so on).

Insight Control for VMware vCenter Server server authorizations

To register the Insight Control for VMware vCenter Server, discover the Insight Control for VMware
vCenter Server itself. That discovery must include the UUID of the Insight Control for
VMware vCenter Server.

These credentials are typically set in discovery task-specific credentials but can be system-specific
or global.

This does not have to be the same account that has access to Insight Control for VMware
vCenter Server resources, but it could be.

By default, to connect to WMI, Windows requires local admin access on the server (this is
configurable on the Insight Control for VMware vCenter Server).

Firewalls can block SNMP or WMI queries.

UAC can prevent even administrator credentials from running WMI queries with administrator
privileges.

SNMP does not require any credentials, but the SNMP service security must allow packets
from the CMS.

SNMP or WMI is sufficient. If both are available, a more complete description of the server is
collected.

To communicate through Insight Control for VMware vCenter Server, proper permissions in vCenter
are required to access the appropriate resources.

vCenter uses Windows authentication and accounts.

This account does not require access to all ESX resources, only those to be managed by your
Matrix.

It is stored on a separate page in HP SIM, Insight Control for VMware vCenter Server settings,
and may or may not match the server discovery credentials.

Typically access is granted to one or more "datacenter". Other resource collections also work,
such as cluster.

NOTE: If the Insight Control for VMware vCenter Server is a VM guest, it is not required to
discover its host. You can ignore warnings associated with an undiscovered host.

We require communications with WMI and/or SNMP.

For SNMP, a read community string must be known to the CMS. If SNMP packets are restricted
to specific hosts, the CMS must be included in that list of hosts. No further credentials are required.

108 Understanding HP SIM security
