HP Systems Insight Manager User Manual, page 94: Chapter 20, Understanding Systems Insight Manager security (Securing communication: SSL, SSH, HTTPS, STE and SSO, DTF)

20 Understanding Systems Insight Manager security

This chapter provides an overview of the security features available in the Systems Insight Manager
framework. Systems Insight Manager runs on a CMS and communicates with managed systems
using various protocols. You can browse to the CMS or directly to the managed system.

Securing communication

Secure Sockets Layer (SSL)

SSL is an industry-standard protocol for securing communications across the Internet. It provides
encryption to prevent eavesdropping and data integrity to prevent modification, and it can also
authenticate both the client and the server using public-key technology. All communications
between the browser and the CMS are protected by SSL. Systems Insight Manager supports both SSL 3
and TLS 1.0. (SSL 3 has since been deprecated by the IETF in RFC 7568; disable it wherever the
environment allows and rely on TLS.)

Secure Shell (SSH)

SSH is an industry-standard protocol for securing communications. It provides encryption to
prevent eavesdropping and data integrity to prevent modification, and it can also authenticate
both the client and the server using several mechanisms, including key-based authentication.
Systems Insight Manager supports SSH 2.

Hyper Text Transfer Protocol Secure (HTTPS)

HTTPS refers to HTTP communications over SSL. All communications between the browser and
Systems Insight Manager are carried out over HTTPS. HTTPS is also used for much of the
communication between the CMS and the managed system.

Secure Task Execution (STE) and Single Sign-On (SSO)

STE is a mechanism for securely executing a command against a managed system using the Web
agents. It provides authentication, authorization, privacy, and integrity in a single request. SSO
provides the same features but is performed when browsing a system. STE and SSO are implemented
in very similar ways. SSL is used for all communication during the STE and SSO exchange. A
single-use value (a nonce) is requested from the managed system before the STE or SSO request is
issued, to protect against replay and delayed-interception attacks. Systems Insight Manager then
issues the digitally signed STE or SSO request, with the nonce bound into the signed data. The
managed system uses the digital signature to authenticate the Systems Insight Manager server.
Note that the managed system must have a copy of the CMS SSL certificate imported into the Web
agent and be configured to trust by certificate in order to validate the digital signature; without
that trust relationship the signature cannot be checked and the request must be rejected. SSL can
optionally authenticate the managed system to Systems Insight Manager, using the system's
certificate, to prevent Systems Insight Manager from inadvertently providing sensitive data to an
unknown system.

NOTE: For SSO to web agents, the Replicate Agent Settings and Install Software and Firmware
tools each provide administrator-level access to the web agents. System Management Homepage
As Administrator, System Management Homepage As Operator, and System Management
Homepage As User each provide SSO access at the described level.

Distributed Task Facility (DTF)

DTF is used for custom command tools and multiple- and single-system aware tools. Commands
are issued securely to the managed system using SSH. Each managed system must have the CMS
SSH public key in its trusted key store so that it can authenticate the CMS. Managed systems are
also authenticated to the CMS by their SSH public key.
