Moderate, Strong, Moderate strong – HP Systems Insight Manager User Manual


How to: lockdown versus ease of use on Windows systems

Moderate

The Insight Management Agents should be configured to trust by certificate. This requires distributing
the Systems Insight Manager certificate, which includes the public key, to all the managed systems.
After the systems have been configured to trust the Systems Insight Manager system, they will accept
secure commands from that particular system only.

This certificate can be distributed in a number of different ways, including:

Use the Configure or Repair Agents Set Trust Relationship option in Systems Insight Manager
to deploy the Systems Insight Manager certificate to the managed systems. Depending on the
managed system, this might use SSL or Windows network connections to copy files and
configure the managed systems.

Use the Web-based interface of an individual Insight Management Agent to specify the
Systems Insight Manager system to trust. This causes the agent to pull the digital certificate
from the Systems Insight Manager system immediately, enables you to verify it, and then sets
up the trust relationship. This option does have some limited vulnerability: it would be
possible to spoof the Systems Insight Manager system at the time the certificate is pulled and
thus set up an unexpected trust relationship. However, it is reasonably secure for most networks.

Import the Systems Insight Manager certificate during initial installation of the Insight
Management Agents. This can be done manually during an attended installation or through
the configuration file in an unattended one. This method is more secure because there is little
opportunity for the spoofing attack described above.

If you have already deployed the Insight Management Agents, you can distribute the security
settings file and the Systems Insight Manager certificate directly to the managed systems using
operating system security.
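
The pull-and-verify option above depends on checking the pulled certificate before the trust relationship is accepted. The following is an added example, not HP's code: it compares the SHA-256 fingerprint of a pulled PEM certificate with a reference fingerprint read out-of-band on the Systems Insight Manager system itself. The function names are hypothetical and the certificate bytes are constructed placeholders.

```python
import hashlib
import hmac
import ssl


def normalize_fingerprint(text):
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return 64 lowercase hex digits."""
    cleaned = "".join(ch for ch in text if ch not in ": -\t\r\n").lower()
    if len(cleaned) != 64 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("expected a SHA-256 fingerprint of 64 hex digits")
    return cleaned


def pem_fingerprint(pem_text):
    """SHA-256 over the DER encoding, so PEM line wrapping does not matter."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    return hashlib.sha256(der).hexdigest()


def safe_to_trust(pulled_pem, reference_fingerprint):
    """True only if the pulled certificate matches the out-of-band reference."""
    expected = normalize_fingerprint(reference_fingerprint)
    return hmac.compare_digest(pem_fingerprint(pulled_pem), expected)


def colon_format(hex_digest):
    """Render a digest the way certificate viewers usually show it."""
    return ":".join(hex_digest[i:i + 2] for i in range(0, len(hex_digest), 2)).upper()


# Constructed placeholder bytes, not real certificates: only the hash matters here.
GENUINE_DER = b"constructed stand-in for the CMS certificate"
SPOOFED_DER = b"constructed stand-in for an impostor's certificate"
GENUINE_PEM = ssl.DER_cert_to_PEM_cert(GENUINE_DER)
SPOOFED_PEM = ssl.DER_cert_to_PEM_cert(SPOOFED_DER)

# Reference value as an administrator would read it on the CMS console itself
# (assumption: the fingerprint is obtained over a channel other than the pull).
REFERENCE = colon_format(hashlib.sha256(GENUINE_DER).hexdigest())

if __name__ == "__main__":
    for label, pem in (("genuine", GENUINE_PEM), ("spoofed", SPOOFED_PEM)):
        verdict = "trust" if safe_to_trust(pem, REFERENCE) else "REJECT"
        print(f"{label}: {verdict}")
```
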

IMPORTANT: When using the Trust by certificate option, the Systems Insight Manager SSL
certificate must be redistributed if a new SSL certificate is generated for Systems Insight Manager.

SSH on the managed system normally operates in a mode similar to trust by certificate in that it
requires the SSH public key from the CMS. Note that the SSH public key is not the same as the
SSL certificate. The command mxagentconfig is used on the CMS to copy the key to the managed
system. This must be done for each user account that is to be used on the managed system since
the root or Administrator account is used by default.

The Systems Insight Manager SSH public key must be redistributed if the SSH key-pair is regenerated.

Strong

The strong security option lets you take advantage of every security feature. This option provides
the highest level of security available within the Systems Insight Manager security framework, but
there are some additional procedural steps you must take in your server operations. Also, this
option is facilitated by using your own PKI that includes a certificate authority and certificate server.
