HP Systems Insight Manager User Manual: 20 Understanding HP SIM security (Securing communication, Secure Sockets Layer (SSL))


20 Understanding HP SIM security

This chapter provides an overview of the security features available in the HP SIM framework. HP
SIM runs on a CMS and communicates with managed systems using various protocols. You can
browse to the CMS or directly to the managed system.

Securing communication

Secure Sockets Layer (SSL)

SSL is an industry-standard protocol for securing communications across the Internet. It provides
for encryption to prevent eavesdropping as well as data integrity to prevent modification, and it
can also authenticate both the client and the server, leveraging public-key technology. All
communications between the browser and the CMS are protected by SSL. HP SIM supports both
SSL 3 and TLS 1.0 and enforces stronger cipher suites for the HP SIM SSL web server and the
partner application SOAP servers. HP SIM does not enforce stronger cipher suites for the WBEM
indication receiver.

Secure Shell (SSH)

SSH is an industry-standard protocol for securing communications. It provides for encryption to
prevent eavesdropping plus data integrity to prevent modification, and it can also authenticate
both the client and the server utilizing several mechanisms, including key-based authentication. HP
SIM supports SSH 2.

Hyper Text Transfer Protocol Secure (HTTPS)

HTTPS refers to HTTP communications over SSL. All communications between the browser and HP
SIM are carried out over HTTPS. HTTPS is also used for much of the communication between the
CMS and the managed system.

Secure Task Execution (STE) and Single Sign-On (SSO)

STE is a mechanism for securely executing a command against a managed system using the Web
agents. It provides authentication, authorization, privacy, and integrity in a single request. SSO
provides the same features but is performed when browsing a system. STE and SSO are implemented
in very similar ways. SSL is used for all communication during the STE and SSO exchange. A
single-use value is requested from the system prior to issuing the STE or SSO request to help prevent
against replay or delay intercept attacks. Afterwards, HP SIM issues the digitally signed STE or
SSO request. The managed system uses the digital signature to authenticate the HP SIM server.
Note that the managed system must have a copy of the CMS SSL certificate imported into the Web
agent and be configured to trust by certificate to validate the digital signature. SSL can optionally
authenticate the system to HP SIM, using the system's certificate, to prevent HP SIM from inadvertently
providing sensitive data to an unknown system.
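The STE/SSO exchange described above, modelled as an added Go example (not HP SIM's own code): the managed system issues a single-use value, the CMS signs the command bound to that value, and the system accepts the request only if the value is one it issued, still unused and fresh, and the signature verifies under its trusted CMS key. Ed25519 keys stand in for the CMS certificate; the 16-byte nonce, the TTL and the message layout are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"time"
)

// Agent models the managed system's Web agent: one trusted CMS key (the imported certificate) plus the single-use values it issued.
type Agent struct {
	CMSKey ed25519.PublicKey
	TTL    time.Duration // how long an issued value stays acceptable (assumed policy)
	issued map[[16]byte]time.Time
}

func NewAgent(cmsKey ed25519.PublicKey, ttl time.Duration) *Agent {
	return &Agent{CMSKey: cmsKey, TTL: ttl, issued: map[[16]byte]time.Time{}}
}
// IssueNonce is step one: HP SIM asks the system for a fresh single-use value.
func (a *Agent) IssueNonce(now time.Time) [16]byte {
	var n [16]byte
	rand.Read(n[:])
	a.issued[n] = now
	return n
}
// message binds command and nonce, so a captured signature fits no other request.
func message(command string, nonce [16]byte) []byte {
	return append(nonce[:], command...)
}
// SignRequest is the CMS side: sign the bound request with the CMS private key.
func SignRequest(cmsPriv ed25519.PrivateKey, command string, nonce [16]byte) []byte {
	return ed25519.Sign(cmsPriv, message(command, nonce))
}

// Execute is the agent side: nonce issued, unused and within TTL; signature from the trusted CMS key.
func (a *Agent) Execute(command string, nonce [16]byte, sig []byte, now time.Time) error {
	at, ok := a.issued[nonce]
	if !ok {
		return errors.New("unknown or already-used nonce: replay rejected")
	}
	delete(a.issued, nonce) // consumed on first use, whatever the outcome
	if now.Sub(at) > a.TTL {
		return errors.New("nonce expired: delayed request rejected")
	}
	if !ed25519.Verify(a.CMSKey, message(command, nonce), sig) {
		return errors.New("signature does not verify under the trusted CMS key")
	}
	return nil
}
```

A replayed request fails at the nonce lookup before any signature work, so the same signed message is never accepted twice.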

NOTE: For SSO to web agents, the Replicate Agent Settings and Install Software and Firmware
tools each provide administrator-level access to the web agents. HP System Management Homepage
As Administrator, System Management Homepage As Operator, and System Management
Homepage As User each provide SSO access at the described level.

Distributed Task Facility (DTF)

DTF is used for custom command tools and multiple- and single-system aware tools. Commands
are issued securely to the managed system using SSH. Each managed system must have the CMS
SSH public key in its trusted key store so that it can authenticate the CMS. Managed systems are
also authenticated to the CMS by their SSH public key.
