Wbem, Ldap, Credentials management – HP Systems Insight Manager User Manual

Page 95: Ssl certificates, Certificate sharing, Wbem ldap rmi, Ssl certificates certificate sharing


In Systems Insight Manager, the Privilege Elevation feature enables tools to be run against HP-UX,
Linux, and ESX managed systems by first signing in as a non-root user, and then requesting privilege
elevation to run root-level tools. This can be configured under Options→Security→Privilege Elevation.

WBEM

All WBEM access is over HTTPS for security. Systems Insight Manager is configured with a user
name and password for WBEM agent access. Using SSL, Systems Insight Manager can optionally
authenticate the managed system using its SSL certificate.

For HP-UX, certificates can be used instead of username and password for WBEM authentication.
You can configure WBEM authentication from the System Credentials→WBEM tab by selecting
Options→Security→Credentials→System Credentials. For more information, see the Systems Insight
Manager online help.

LDAP

When configured to use a directory service, Systems Insight Manager can be configured to use
LDAP with SSL (the default) or without SSL. Without SSL, credentials are transmitted in clear text.
To enable LDAP over SSL in Microsoft Active Directory, refer to
http://support.microsoft.com/default.aspx?scid=kb;en-us;321051. Additionally, the directory server
can be authenticated using the Trusted Certificate list in Systems Insight Manager.

RMI

Java RMI is secured by requiring digitally signed requests using the CMS private key, which should
only be available to the local system. All communications use localhost to prevent the communication
from being visible on the network.

Credentials management

SSL certificates

Certificates generated by Systems Insight Manager and the Web Agents are self-signed. Public
Key Infrastructure (PKI) support is provided so that certificates may be signed by an internal certificate
server or a third-party Certificate Authority (CA). The Systems Insight Manager certificate supports
multiple names to help alleviate name-mismatch warnings in a browser.
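The following added example (not part of the HP manual or of Systems Insight Manager) checks which of the names operators use to reach the CMS are covered by the names in a certificate, so that missing entries can be added before the certificate is signed. The host names, the address, and the function names are constructed placeholders; the certificate is given in the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ipaddress

# Constructed sample in the layout returned by ssl.SSLSocket.getpeercert().
# Host names and the address are placeholders, not values from the manual.
SAMPLE_CERT = {
    "subject": ((("commonName", "cms01.example.com"),),),
    "subjectAltName": (
        ("DNS", "cms01.example.com"),
        ("DNS", "cms01"),
        ("IP Address", "192.0.2.10"),
    ),
}

def _dns_match(pattern, host):
    """Case-insensitive label match; '*' is honoured only as the whole
    left-most label and never directly under a top-level domain."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def name_covered(cert, name):
    """True if `name` (host name or IP literal) matches a subjectAltName entry.
    The subject commonName is not consulted: current browsers match on
    subjectAltName only."""
    try:
        wanted_ip = ipaddress.ip_address(name)
    except ValueError:
        wanted_ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if wanted_ip is not None:
            # An IP literal must match an "IP Address" entry, not a DNS entry.
            if kind == "IP Address" and ipaddress.ip_address(value.strip()) == wanted_ip:
                return True
        elif kind == "DNS" and _dns_match(value, name):
            return True
    return False

def uncovered_names(cert, names):
    """Names that would trigger a name-mismatch warning for this certificate."""
    return [n for n in names if not name_covered(cert, n)]

if __name__ == "__main__":
    used = ["cms01", "CMS01.example.com", "192.0.2.10", "sim.example.com"]
    for n in uncovered_names(SAMPLE_CERT, used):
        print("no matching certificate name for:", n)
```

Against a live server, the same dict can be obtained from `getpeercert()` on a verified TLS connection.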

There are several certificates used by Systems Insight Manager. The certificate described above
is the main certificate and is used by the Systems Insight Manager SSL web server, the partner
application Simple Object Access Protocol (SOAP) interface, and the WBEM indications receiver.

This is the certificate used to authenticate Systems Insight Manager, if necessary, in the browser,
in partner applications that communicate with Systems Insight Manager through SOAP, and in
WBEM agents that deliver indications to Systems Insight Manager. This certificate is also configured
in managed systems (for example, SMH, Onboard Administrator, Integrated Lights-Out, Storage
Essentials, CV) to enable a trust relationship with the managed system for SSO. A separate certificate
in Systems Insight Manager is used for authenticating Systems Insight Manager to HP-UX WBEM
Services 2.5 and later, when configured to do so for the WBEM protocol. Certificates from managed
systems can be imported into the Systems Insight Manager Trusted Certificates list, allowing Systems
Insight Manager to authenticate those systems. See the section “How to: lockdown versus ease of
use on Windows systems” (page 101).

Certificate sharing

Systems Insight Manager supports a mechanism whereby other components installed on the system
can use the same certificate and private key, facilitating authentication of the system as a whole
instead of each individual component. This is currently used by the Web Agents and the WBEM
components on the CMS.
