Moderate, Strong, Moderate strong – HP Systems Insight Manager User Manual

Page 125


CAUTION:

Establishing the trust by certificate for HP SMH enables any HP SIM user to gain
administrative access to the HP SMH hosts; that is, the HP SIM user can then execute any command
remotely on the HP SMH host.

How to: lockdown versus ease of use on Windows systems

Moderate

The Insight Management Agents should be configured to trust by certificate. This requires distributing
the HP SIM certificate, which includes the public key, to all the managed systems. After the systems
have been configured to trust the HP SIM system, they will accept secure commands from that
particular system only.

This certificate can be distributed in a number of different ways, including:

Use the Configure or Repair Agents Set Trust Relationship option in HP SIM to deploy the
HP SIM certificate to the managed systems. Depending on the managed system, this might
use SSL or Windows network connections to copy files and configure the managed systems.

Use the Web-based interface in an individual Insight Management Agent to specify the HP
SIM system to trust. This causes the agents to pull the digital certificate from the HP SIM system
immediately, enables you to verify it, and then sets up the trust relationship. This option does
have a limited vulnerability: it would be possible to spoof the HP SIM system at the time the
certificate is pulled and thus set up an unexpected trust relationship. However, it is reasonably
secure for most networks.

Import the HP SIM certificate during initial installation of the Insight Management Agents. This
can be done manually during an attended installation or through the configuration file in an
unattended one. This method is more secure because there is little opportunity for the spoofing
attack described above.

If you have already deployed the Insight Management Agent, you can distribute the security
settings file and the HP SIM certificate directly to the managed systems using operating system
security.

IMPORTANT:

When using the Trust by certificate option, the HP SIM SSL certificate must be
redistributed if a new SSL certificate is generated for HP SIM. SSH on the managed system normally
operates in a mode similar to trust by certificate in that it requires the SSH public key from the
CMS. Note that the SSH public key is not the same as the SSL certificate. The command
mxagentconfig is used on the CMS to copy the key to the managed system. This must be done
for each user account that is to be used on the managed system since the root or Administrator
account is used by default.

The HP SIM SSH public key must be redistributed if the SSH key-pair is regenerated.
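The verification step in the Web-based option above (checking the pulled HP SIM certificate before the trust is stored) and the redistribution note (a regenerated certificate no longer matches) can be expressed as a fingerprint check. The following is an added example, not HP code and not the agent's own implementation; it assumes the HP SIM SSL port is 50000 and that the expected SHA-256 fingerprint was obtained out of band (for example, read from the CMS console), never from the same network pull.

```python
"""Pin the HP SIM (CMS) certificate by SHA-256 fingerprint before trusting it."""
import base64
import hashlib
import hmac
import ssl


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour and base64-decode to the DER encoding of the certificate."""
    return ssl.PEM_cert_to_DER_cert(pem_text)


def sha256_fingerprint(pem_text: str) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint, as openssl and browsers print it."""
    digest = hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pinned(pem_text: str, expected_fingerprint: str) -> bool:
    """Constant-time comparison; colons and case are ignored so a value copied
    from a console or a screenshot still matches."""
    def norm(s: str) -> str:
        return s.replace(":", "").strip().lower()
    return hmac.compare_digest(norm(sha256_fingerprint(pem_text)), norm(expected_fingerprint))


def pull_cms_certificate(host: str, port: int = 50000) -> str:
    """Pull the CMS certificate over TLS, as the agent does when told which HP SIM system
    to trust. Port 50000 is an assumption. Nothing authenticates the peer at this point,
    which is exactly the spoofing window the fingerprint check closes."""
    return ssl.get_server_certificate((host, port))


def trust_if_verified(pem_text: str, expected_fingerprint: str) -> bytes:
    """Return the DER certificate to store as the trusted CMS, or refuse it."""
    if not matches_pinned(pem_text, expected_fingerprint):
        raise ValueError("certificate fingerprint does not match the out-of-band value")
    return pem_to_der(pem_text)


def _constructed_pem(payload: bytes) -> str:
    """Constructed stand-in (not a real X.509 certificate) so the logic runs offline."""
    body = base64.encodebytes(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed samples: the certificate originally distributed, and a regenerated one.
ORIGINAL_PEM = _constructed_pem(b"constructed HP SIM certificate, original")
REGENERATED_PEM = _constructed_pem(b"constructed HP SIM certificate, regenerated")
```

A managed system holding the fingerprint of ORIGINAL_PEM rejects REGENERATED_PEM, which is why the certificate (and likewise the SSH public key) must be redistributed after regeneration.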

Strong

The strong security option lets you take advantage of every security feature. This option provides
the highest level of security available within the HP SIM security framework, but there are some
additional procedural steps you must take in your server operations. Also, this option is facilitated
by using your own PKI that includes a certificate authority and certificate server.
