HP Systems Insight Manager User Manual

Page 126


Procedure 20-1 Setting security to strong

1. Generate certificates from your certificate server for each managed system and the HP SIM system. To do this, first generate a certificate signing request (CSR) from the various systems. This generates a PKCS#7 file. This file should then be taken to the certificate server and signed, and the resulting file (generally a PKCS#10 response) should be imported into each managed system and the HP SIM system.

To maximize security, it is important that none of these steps be done over a network unless
all communications are already protected by some other mechanism.

Thus, in the case of the Insight Management Agent, removable media (for example, a USB thumb drive or floppy disk) should be taken directly to the managed system, the PKCS#7 file placed on it, and the media hand-carried to a secure system with access to the certificate server. The PKCS#10 response file should similarly be placed on the removable media and returned to the managed system to be imported into the Insight Management Agent.

2. Take the root certificate (just the certificate, not the private key) of your certificate server and import it into the HP SIM trusted certificate list. This allows HP SIM to trust all the managed systems, because their certificates were signed with this root certificate.

3. Take the certificate from the HP SIM system and import it into the Insight Management Agent of each system. This allows the managed systems to trust the HP SIM system. This certificate can be distributed using any of the methods available to distribute the HP SIM certificate. However, the option to pull the certificate directly from the HP SIM system over the network must be avoided due to the potential man-in-the-middle attack.

As in the Moderate option, you must redistribute the HP SIM SSL certificate to the managed
systems whenever a new HP SIM SSL certificate is generated.

4. Once these steps have been completed, you can turn on the option in HP SIM to enable Require Trusted Certificates. Select Options→Security→Trusted Systems, and then click Trusted Certificates. The warnings presented around this option make it clear that any managed system that does not have a certificate signed by your certificate server will not be sent secure commands from the HP SIM system, although it will still be monitored for hardware status.

5. For SSH, turn on the option to accept SSH connections only from specified systems. Select Options→Security→Trusted Systems, click SSH Host Keys, and then enable The central management server will accept an SSH connection only if the host key is in list below. Afterwards, you must manually import each managed system's public SSH key into the list of keys in HP SIM.

To configure this in previous versions of HP SIM, add or modify the following line in the Hmx.properties file:

MX_SSH_ADD_UNKNOWN_HOSTS=false

and then restart HP SIM.

Afterwards, you must manually import each managed system's public SSH key into the list of
keys in HP SIM.
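The trust model behind steps 1, 2 and 4 can be reproduced offline with a local OpenSSL CA. This is an added example, not part of the HP SIM manual: the directory, the root CA and the system names managed-01 and rogue-01 are constructed, and is_trusted stands in for the Require Trusted Certificates check, accepting only certificates that chain to the imported root.

```shell
#!/bin/sh
# Added example (not from the HP SIM manual): a scratch CA that mirrors Procedure 20-1.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Step 2 analogue: the certificate server's root certificate. Only root.pem would be
# imported into HP SIM; the private key (root.key) never leaves the certificate server.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Certificate Server Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
}

# Step 1 analogue: a managed system generates a CSR, the CSR is carried to the
# certificate server and signed, and the signed certificate is carried back.
issue_managed_cert() {
  name="$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -out "$WORK/$name.pem" >/dev/null 2>&1
}

# A system that never went through the certificate server: it only has a self-signed
# certificate, which is what an unenrolled or impersonating host would present.
make_self_signed() {
  name="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1
}

# Step 4 analogue: with Require Trusted Certificates on, a managed system is trusted
# only if its certificate chains to the imported root. Exit status 0 = trusted.
is_trusted() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

make_root_ca
issue_managed_cert managed-01
make_self_signed rogue-01

is_trusted managed-01 && echo "managed-01: trusted (signed by our root)"
is_trusted rogue-01 || echo "rogue-01: rejected (not signed by our root)"
```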


Understanding HP SIM security
