Passwords, Browser, Cookies – HP Systems Insight Manager User Manual


Passwords

Passwords configured on the HP SIM System Credentials and Global Credentials pages are
stored in the database encrypted with 128-bit Blowfish. These passwords can be further managed
with the CLI command mxnodesecurity. A few passwords are stored in a file on the CMS,
encrypted with the same 128-bit Blowfish key; these can be managed with the mxpassword
command. The password file and the Blowfish key file are restricted by operating system file
permissions to administrators or root. Because the key resides on the CMS alongside the data it
protects, the confidentiality of these passwords ultimately rests on those file permissions.

Prior to HP SIM 5.3, passwords configured on the HP SIM protocol settings pages are stored in a
local file on the CMS, restricted with operating system file permissions to administrators or root.
These passwords can be further managed using the mxnodesecurity command.

For User accounts, HP SIM relies on the customer environment (for example, Windows Operating
System) to govern credential policy (expiration, lockout, and so on).

Browser

SSL

All communication between the browser and the CMS, or any managed server, uses HTTPS (HTTP
over SSL). Any request made over plain HTTP (without SSL) is automatically redirected to HTTPS.

Cookies

Although cookies are required to maintain a logged in session, only a session identifier is maintained
in the cookie. No confidential information is in the cookie. The cookie is marked as secure, so it
is only transmitted over SSL.

Browsers must keep content from unrelated sites strictly separated on the client side to
prevent loss of data confidentiality or integrity. HP recommends that you do not follow links
or load resources from unauthorized sites while a valid HP SIM session is open in the
browser.
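The SSL and Cookies subsections above make two checkable claims: the session cookie carries only an identifier and is marked Secure, and plain-HTTP requests are redirected to HTTPS. The following is example code added to this page, not part of HP SIM, that checks both against captured response headers. The header values are constructed samples, and JSESSIONID is an assumed cookie name rather than HP SIM's own.

```python
"""Offline checks for the browser-facing properties described above: the
session cookie holds only an opaque identifier and is marked Secure, and a
plain-HTTP request is redirected to HTTPS.  Example code added to this page,
not part of HP SIM; header values are constructed samples and JSESSIONID is
an assumed cookie name."""
import re
from urllib.parse import urlsplit

# Cookie names that suggest something other than a bare session identifier
# was stored client-side (assumed heuristic list, not an HP SIM rule).
SENSITIVE_NAMES = ("password", "passwd", "pwd", "login", "user")

# A bare session identifier: one token, optionally base64-padded, with no
# key=value pairs or separators inside it.
OPAQUE_ID = re.compile(r"[A-Za-z0-9._~+/-]+=*")


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value});
    flag attributes such as Secure and HttpOnly map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def check_session_cookie(header):
    """Return the findings for one Set-Cookie header; an empty list means
    the cookie looks like the one the manual describes."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie would also be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by scripts in the page")
    if any(word in name.lower() for word in SENSITIVE_NAMES):
        findings.append(f"name {name!r} suggests confidential content")
    if not OPAQUE_ID.fullmatch(value):
        findings.append("value is not a single opaque token")
    return findings


def check_http_redirect(status, headers):
    """Given the status and headers returned for a plain-HTTP request,
    confirm the server redirected to an https:// URL instead of serving
    the page.  Returns (ok, detail)."""
    if status not in (301, 302, 303, 307, 308):
        return False, f"HTTP request answered with {status}, not a redirect"
    location = headers.get("Location", "")
    if urlsplit(location).scheme.lower() != "https":
        return False, f"redirect target is not HTTPS: {location!r}"
    return True, location


SAMPLES = {  # constructed Set-Cookie values, not captured from a CMS
    "good": "JSESSIONID=A1B2C3D4E5F6; Path=/; Secure; HttpOnly",
    "no_flags": "JSESSIONID=A1B2C3D4E5F6; Path=/",
    "leaky": "login=user%3Dadmin%26pwd%3Dhunter2; Path=/; Secure",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, check_session_cookie(header) or "OK")
    print(check_http_redirect(302, {"Location": "https://cms.example.com/"}))
    print(check_http_redirect(200, {"Content-Type": "text/html"}))
```

The HttpOnly check goes one step beyond what the page states (it only mentions Secure); a session identifier that scripts cannot read is the usual companion to the Secure flag, and the separation-of-content advice above is easier to rely on when that flag is present.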

Passwords

Password fields displayed by HP SIM mask the password as it is entered. Passwords sent between
the browser and the CMS are transmitted over SSL.

Password warnings

There are several types of warnings that can be displayed by the browser or by the Java plug-in
on the browser, most having to do with the SSL server certificate.

Untrusted system

This warning indicates the certificate was issued by a system the browser does not trust. Because
HP SIM certificates are self-signed by default, this warning is expected if you have not already
imported the certificate into your browser. In the case of CA-signed certificates, the signing
root certificate must be imported instead. The certificate can be imported before browsing if you
have obtained it through some other secure method. It can also be imported at the time the warning
appears, but that is susceptible to spoofing, since the host system has not been authenticated at
that point. Do this only if you can independently confirm the authenticity of the certificate
(for example, by comparing its fingerprint with one obtained directly from the CMS) or you are
confident that the system has not been compromised.

Invalid certificate

If the certificate is invalid because it is not yet valid or has expired, the cause may be an
incorrect date or time on the system, which can be resolved by correcting the system's date and
time. If the certificate is invalid for some other reason, it might need to be regenerated.
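Two checks behind the Untrusted system and Invalid certificate warnings above, added to this page as example code (not an HP SIM tool): pinning the self-signed CMS certificate by a SHA-256 fingerprint obtained through a trusted channel, so it can be imported without relying on the unauthenticated host, and using a trusted time source to tell a wrong clock apart from a certificate that really is expired or not yet valid. The PEM in the block is a constructed placeholder (arbitrary bytes), not a real certificate, and `trusted_now` is assumed to come from a time source you trust (for example an NTP query), which the example does not itself perform.

```python
"""Certificate-warning checks, added to this page as example code (not an
HP SIM tool).  The PEM below is a constructed placeholder, not a real
certificate; `trusted_now` is assumed to come from a trusted time source."""
import base64
import hashlib
import hmac
import ssl
from datetime import datetime, timezone


def fingerprint_sha256(pem):
    """SHA-256 over the DER encoding, the form browsers and
    `openssl x509 -noout -fingerprint -sha256` display."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pinned(pem, expected_fingerprint):
    """Compare against the fingerprint read off the CMS console (or received
    through another trusted channel), ignoring case and colon separators."""
    got = fingerprint_sha256(pem).replace(":", "").lower()
    want = expected_fingerprint.replace(":", "").lower()
    return hmac.compare_digest(got, want)


def _verdict(not_before, not_after, when):
    if when < not_before:
        return "not-yet-valid"
    if when > not_after:
        return "expired"
    return "valid"


def classify_validity(not_before, not_after, local_now, trusted_now):
    """Return 'valid', 'expired', 'not-yet-valid' or 'clock-problem'.

    The browser judges the certificate with the local clock; if a trusted
    time source reaches a different verdict, the clock is the thing to fix.
    If both agree the certificate is outside its window, it has to be
    regenerated, as the manual says."""
    local = _verdict(not_before, not_after, local_now)
    trusted = _verdict(not_before, not_after, trusted_now)
    return trusted if local == trusted else "clock-problem"


# Constructed placeholder standing in for the PEM exported from the CMS.
_PLACEHOLDER_DER = bytes(range(48))
PLACEHOLDER_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(_PLACEHOLDER_DER).decode("ascii")
                   + "-----END CERTIFICATE-----\n")


def demo_scenarios():
    """Constructed cases: a certificate valid for calendar year 2024,
    examined with different local clocks against a trusted time."""
    utc = timezone.utc
    nb, na = datetime(2024, 1, 1, tzinfo=utc), datetime(2025, 1, 1, tzinfo=utc)
    mid_2024 = datetime(2024, 6, 1, tzinfo=utc)
    year_2026 = datetime(2026, 3, 1, tzinfo=utc)
    late_2023 = datetime(2023, 12, 1, tzinfo=utc)
    return {
        "clock_ok": classify_validity(nb, na, mid_2024, mid_2024),
        "clock_reset": classify_validity(nb, na, datetime(2010, 1, 1, tzinfo=utc), mid_2024),
        "clock_ahead": classify_validity(nb, na, year_2026, mid_2024),
        "really_expired": classify_validity(nb, na, year_2026, year_2026),
        "not_yet_valid": classify_validity(nb, na, late_2023, late_2023),
    }


if __name__ == "__main__":
    fp = fingerprint_sha256(PLACEHOLDER_PEM)
    print("fingerprint:", fp, "pinned match:", matches_pinned(PLACEHOLDER_PEM, fp))
    for case, result in demo_scenarios().items():
        print(f"{case}: {result}")
```

The notBefore and notAfter values for a real certificate come from the browser's certificate viewer or from `openssl x509 -noout -dates` on the exported PEM; the fingerprint comparison is constant-time out of habit rather than necessity, since the value is not secret.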

120 Understanding HP SIM security
