Strong – HP Systems Insight Manager User Manual

IMPORTANT:

When using the Trust by certificate option, the HP SIM SSL certificate must be

redistributed if a new SSL certificate is generated for HP SIM. SSH on the managed system normally
operates in a mode similar to trust by certificate in that it requires the SSH public key from the
CMS. Note that the SSH public key is not the same as the SSL certificate. The command
mxagentconfig

is used on the CMS to copy the key to the managed system. This must be done

for each user account that is to be used on the managed system since the root or Administrator
account is used by default.

The HP SIM SSH public key must be redistributed if the SSH key-pair is regenerated.

Strong

The strong security option lets you take advantage of every security feature. This option provides
the highest level of security available within the HP SIM security framework, but there are some
additional procedural steps you must make in your server operations. Also, this option is facilitated
by using your own PKI that includes a certificate authority and certificate server.

Procedure 24 Setting security to strong

1.

Generate certificates from your certificate server for each managed system and the HP SIM
system. To do this, first generate a certificate signing request (CSR) from the various systems.
This generates a PKCS#7 file. This file should then be taken to the certificate server and signed,
and then the resulting file (generally a PKCS#10 response) should be imported into the each
managed system and the HP SIM system.

To maximize security, it is important that none of these steps be done over a network unless
all communications are already protected by some other mechanism.

Thus, in the case of the Insight Management Agent, a removable media (for example, USB
thumb drive, floppy disk) should be taken directly to the managed system, have the PKCS#7
file placed on it, and hand-carried to a secure system with access to the certificate server. The
PKCS#10 response file should similarly be placed on the removable media and returned to
the managed system to be imported into the Insight Management Agent.

2.

Take the root certificate (just the certificate, not the private key) of your certificate server and
import that into the HP SIM trusted certificate list. This allows HP SIM to trust all the managed
systems because they were signed with this root certificate.

3.

Take the certificate from the HP SIM system and import it into the Insight Management Agent
of each system. This allows the managed systems to trust the HP SIM system. This certificate
can be distributed using any of the methods available to distribute the HP SIM certificate.
However, the option to pull the certificate directly from the HP SIM system over the network
must be avoided due to the potential man-in-the-middle attack.

As in the Moderate option, you must redistribute the HP SIM SSL certificate to the managed
systems whenever a new HP SIM SSL certificate is generated.

4.

Once these steps have been completed, you can turn on the option in HP SIM to enable
Require Trusted Certificates. Select Options

→Security→Trusted Systems, and then click Trusted

Certificates. The warnings presented around this option make it clear that any managed system
that does not have a certificate signed by your certificate server will not be sent secure
commands from the HP SIM system, although it will be monitored for hardware status.

108 Understanding HP SIM security