Wbem, Ldap, Credentials management – HP Systems Insight Manager User Manual

In HP SIM, the Privilege Elevation feature enables tools to be run against HP-UX, Linux, and ESX
managed systems by first signing in as a non-root user, and then requesting privilege elevation to
run root-level tools. This can be configured under Options

→Security→Privilege Elevation.

WBEM

All WBEM access is over HTTPS for security. HP SIM is configured with a user name and password
for WBEM agent access. Using SSL, HP SIM can optionally authenticate the managed system using
its SSL certificate.

For HP-UX, certificates can be used instead of username and password for WBEM authentication.
You can configure WBEM authentication from the System Credentials

→WBEM tab by selecting

Options

→Security→Credentials→System Credentials. For more information, see the HP SIM

online help.

LDAP

When configured to use a directory service, HP SIM can be configured to use LDAP with SSL
(default) or without SSL, which would transmit credentials in clear-text. To enable LDAP over SSL
in Microsoft Active Directory, refer to

http://support.microsoft.com/

default.aspx?scid=kb;en-us;321051

. Additionally, the directory server can be authenticated using

the Trusted Certificate list in HP SIM.

RMI

Java RMI is secured by requiring digitally signed requests using the CMS

private key

, which should

only be available to the local system. All communications use localhost to prevent the communication
from being visible on the network.

Credentials management

SSL certificates

There are several certificates used by HP SIM.

HP SIM main certificate

The HP SIM main certificate is used by the HP SIM SSL web server, the partner application SOAP
interface, and the WBEM indications receiver. This certificate is used to authenticate HP SIM in
the browser, in partner applications that communicate with HP SIM through SOAP, and in WBEM
agents that deliver indications to HP SIM.

By default the SIM main certificate is self-signed. Public Key Infrastructure (PKI) support is provided
so that the main certificate may be signed by an internal certificate server or by a third-party

Certificate Authority

(CA).

HP SIM Single Sigon-On (SSO) certificate

This certificate is used to enable the trust relationship with managed systems for SSO. Managed
systems include System Management Homepage, Onboard Administrator, Integrated Lights-Out,
and CV.

The HP SIM SSO trust model uses the SSO certificate as a client certificate and uses the key to
encrypt the SSO client URL.

Key Length

In HP SIM 7.0 the main certificate, by default, uses a 2,048-bit key. The HP SIM SSO default
certificate uses a 1,024-bit key. The main certificate can be configured on managed systems to
replace the default HP SIM SSO certificate if the longer key is required. However, some SSO

118

Understanding HP SIM security