Wbem, Ldap, Credentials management – HP Systems Insight Manager User Manual
Page 99: Ssl certificates, Hp sim main certificate, Wbem certificate, Upgrading to hp sim 7.0, Wbem ldap rmi
In HP SIM, the Privilege Elevation feature enables tools to be run against HP-UX, Linux, and ESX
managed systems by first signing in as a non-root user, and then requesting privilege elevation to
run root-level tools. This can be configured under Options
→Security→Privilege Elevation.
WBEM
All WBEM access is over HTTPS for security. HP SIM is configured with a user name and password
for WBEM agent access. Using SSL, HP SIM can optionally authenticate the managed system using
its SSL certificate.
For HP-UX, certificates can be used instead of username and password for WBEM authentication.
You can configure WBEM authentication from the System Credentials
→WBEM tab by selecting
Options
→Security→Credentials→System Credentials. For more information, see the HP SIM online
help.
LDAP
When configured to use a directory service, HP SIM can be configured to use LDAP with SSL
(default) or without SSL, which would transmit credentials in clear-text. To enable LDAP over SSL
in Microsoft Active Directory, refer to
Additionally, the directory server can be authenticated using the Trusted
Certificate list in HP SIM.
RMI
Java RMI is secured by requiring digitally signed requests using the CMS
, which should
only be available to the local system. All communications use localhost to prevent the communication
from being visible on the network.
Credentials management
SSL certificates
There are several certificates used by HP SIM.
HP SIM main certificate
The HP SIM main certificate is used by the HP SIM SSL web server, the partner application SOAP
interface, and the WBEM indications receiver. This certificate is used to authenticate HP SIM in
the browser, in partner applications that communicate with HP SIM through SOAP, and in WBEM
agents that deliver indications to HP SIM.
By default the SIM main certificate is self-signed. Public Key Infrastructure (PKI) support is provided
so that the main certificate may be signed by an internal certificate server or by a third-party
(CA).
WBEM certificate
In HP SIM 7.0, the WBEM certificate uses the 2,048-bit key length. A new HP SIM 7.0 installation
creates a WBEM certificate with the 2,048-bit key length. The WBEM certificate can be regenerated
if required with the following commands:
mxcert -w(Distinguished Name)
mxcert -W
Upgrading to HP SIM 7.0
Upgrading from a previous version of HP SIM to 7.0 does not overwrite the main or WBEM
certificates. The existing certificates are maintained to preserve the trust relationships between the
CMS and managed systems. After the upgrade HP recommends you upgrade the HP SIM main
and WBEM certificates to use 2,048-bit keys.
Credentials management
99