Using the main certificate for SSO, WBEM certificate, Upgrading to HP SIM 7.0 – HP Systems Insight Manager User Manual

Page 119: Certificate sharing, SSH keys

enabled managed systems do not support the 2,048-bit key length. For those systems the default
1,024-bit SSO key must be used.

The certificate chosen for SSO, either the main certificate or the SSO default certificate, will be
used for all the managed systems selected for SSO.

Using the main certificate for SSO

The following command will select the main certificate for use as the SSO certificate:

mxcert -S 1

To switch back to the default 1,024-bit key length SSO certificate, use the following command:

mxcert -S 0

WBEM certificate

In HP SIM 7.0, the WBEM certificate uses the 2,048-bit key length. A new HP SIM 7.0 installation
creates a WBEM certificate with the 2,048-bit key length. The WBEM certificate can be regenerated
if required with the following commands:

mxcert -w(Distinguished Name)

mxcert -W

Upgrading to HP SIM 7.0

Upgrading from a previous version of HP SIM to 7.0 does not overwrite the main or WBEM
certificates. The existing certificates are kept to preserve the trust relationships between the
CMS and managed systems. After the upgrade, HP recommends that you upgrade the HP SIM main
and WBEM certificates to use 2,048-bit keys.

The SSO certificate is created during the upgrade. To reestablish the trust relationships with the
managed systems you might need to import the newly generated main certificate into the managed
systems. Also, you might need to import the trusted certificates back into HP SIM's trust store.

Certificate expiration and Certificate Revocation Check (CRL Check)

HP SIM does not check whether the certificates of its trusted systems have been revoked. To revoke
a trusted system's certificate, remove it manually from HP SIM's trust store.

HP SIM's main self-signed certificate is valid for 10 years. Having the certificate signed by a CA
could set a different expiration and add a Certificate Revocation List (CRL).
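Because an upgrade keeps the existing main and WBEM certificates and HP SIM does no revocation checking, it helps to verify the key length and expiry of each certificate yourself. The following is an added example, not part of the HP manual or HP SIM: it assumes the certificate has been exported as a DER file with an RSA key, and `inspect_cert`, `audit` and `sample_cert` are hypothetical names (the sample certificate is a constructed, unsigned skeleton).

```python
from datetime import datetime, timezone

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def inspect_cert(der):
    """Return (rsa_modulus_bits, not_after) for a DER X.509 certificate."""
    tbs = children(children(read_tlv(der)[1])[0][1])  # Certificate -> tbsCertificate
    tbs = tbs[1:] if tbs[0][0] == 0xA0 else tbs  # skip the optional [0] version field
    tag, raw = children(tbs[3][1])[1]  # validity -> notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    not_after = datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    if tag == 0x17 and not_after.year >= 2050:  # X.509 maps UTCTime years 50-99 to 19xx
        not_after = not_after.replace(year=not_after.year - 100)
    bit_string = children(tbs[5][1])[1][1]  # subjectPublicKeyInfo -> subjectPublicKey
    modulus = children(read_tlv(bit_string[1:])[1])[0][1]  # [1:] drops the unused-bits byte
    return int.from_bytes(modulus, "big").bit_length(), not_after

def audit(der, now, min_bits=2048):
    """List the reasons this certificate should be regenerated (empty list = none)."""
    bits, not_after = inspect_cert(der)
    weak = [f"{bits}-bit RSA key, below {min_bits}"] if bits < min_bits else []
    return weak + ([f"expired {not_after:%Y-%m-%d}"] if not_after <= now else [])

def tlv(tag, body):  # DER-encode one element; only used to build the constructed sample
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(size)]) + size) + body

def sample_cert(bits, not_after):  # constructed, unsigned skeleton; not a real HP SIM certificate
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")  # top bit set
    key = tlv(0x30, tlv(0x02, b"\x00" + modulus) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + key))
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, not_after))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 2 + validity + tlv(0x30, b"") + spki
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

For a real certificate, pass the bytes of the exported DER file to `audit`; a PEM export can be converted first with `ssl.PEM_cert_to_DER_cert` from the Python standard library.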

Certificate sharing

HP SIM supports a mechanism whereby other components installed on the system can use the same
certificate and private key, facilitating authentication of the system as a whole instead of each
individual component. This is currently used by the Web Agents and the WBEM components on
the CMS.

SSH keys

An SSH key pair is generated during initial configuration. The CMS public key is copied to the
managed system using the mxagentconfig tool. This key pair is separate from the one used for SSL,
and regenerating it is a manual process. See the manpages or online documentation for
mxagentconfig for more details. See the Secure Shell (SSH) in HP SIM white paper located at
http://h18013.www1.hp.com/products/servers/management/hpsim/infolibrary.html.

The SSH keys of the trusted systems do not expire. These keys can be removed manually from the
trust store.
