How to set up a trust relationship between an HP Systems Insight Manager (HP SIM) CMS and a managed Windows server having ProLiant Agents installed.
Setting up the CMS to Trust Managed ProLiant Servers
Configuration at the Managed System
For Single Login and Secure Task Execution (STE) to work, the managed system must be running a supported agent and be configured to trust the HP SIM server. The Trust Mode is configured in System Management Homepage.
Trust By Certificate. The Trust By Certificate mode sets the System Management Homepage to accept configuration changes only from HP SIM servers with trusted certificates. This mode requires the submitting server to authenticate by means of a digital signature and certificates. This mode is the strongest method of security since it verifies the digital signature before allowing access. HP recommends this option.
Trust By Name. The Trust By Name mode sets the System Management Homepage to accept certain configuration changes only from servers with the HP SIM names designated in the Trust By Name field. The Trust By Name option is easy to configure, and guards against non-malicious (accidental) access. For example, you might use this option if you have a secure network with two separate groups of administrators in two separate divisions. It prevents one group from installing software to the wrong system. This option verifies only the HP SIM server name submitted, not the digital signature.
Trust All. The Trust All mode sets the System Management Homepage to accept configuration changes from any system. For example, you could use the Trust All option if you have a secure network, and everyone in the network is trusted.
Setting Up the Managed Server Running System Management Homepage
Open Internet Explorer and browse to the managed server at https://managed-server:2381. The System Management Homepage appears.
Log in to the System Management Homepage.
Select Settings > System Management Homepage > Security.
Click [Trust Mode]. The Trust Mode page appears.
Select Trust by Certificate to require trusted certificates.
Click [Trust Certificate] to access the Trusted Management server certificate.
Click [Save Configuration] to save the trust mode, or click [Reset Values] to cancel all changes.
Click the browser [Back] button.
In the text box, next to [Add Certificate From Server], enter the name of the HP SIM server that contains the certificate to be added. Click [Add Certificate From Server]. The certificate information is presented for verification before it is added to the list.
Note: Because this is a non-secure request over HTTP, a malicious party could intercept the request and substitute a bogus certificate in the response. A more secure method for obtaining the HP SIM certificate is described in "Importing the HP SIM Certificate".
Verify the certificate information, and if you want to add it to the Trusted Certificate List, click [Add Certificate to Trust List].
Note: If you are setting up a trusted certificate on a cluster, refer to Troubleshooting - Cluster for more information.
Importing the HP SIM Certificate
Export the HP SIM server certificate from the HP SIM server to a file. Refer to Server Certificates - Exporting a Server Certificate for more information.
Place the certificate file in a file location that is accessible to the file system of the managed system.
Browse to the managed system and, using Notepad, open the HP SIM server certificate created in step 1.
Highlight the entire contents of the file, including the Begin Certificate and End Certificate lines.
Copy the highlighted contents of the certificate file to the clipboard.
Return to the managed system browser and select the HP SIM Certificate Data box.
Paste the contents of the certificate file into this box and click [Add Cert] underneath the box. A confirmation window appears with three links at the top.
Click Options and scroll down to the Trusted Certificates section. There is now a list called Trusted Certificates: with the server name and two links, View Certificate and Remove Certificate, for the HP SIM certificate that was just added.
Configuring HP SIM
Setting Up the Managed Server Running Management HTTP Server
Importing the HP SIM Certificate
Export the HP SIM server certificate from the HP SIM server to a file. Refer to Server Certificates - Exporting a Server Certificate for more information.
Place the certificate file in a file location that is accessible to the file system of the managed system.
Browse to the managed system and, using Notepad, open the HP SIM server certificate created in step 1.
Highlight the entire contents of the file, including the Begin Certificate and End Certificate lines.
Copy the highlighted contents of the certificate file to the clipboard.
Return to the managed system browser and select the HP SIM Certificate Data box.
Paste the contents of the certificate file into this box and click [Add Cert] underneath the box. A confirmation window appears with three links at the top.
Click Options and scroll down to the Trusted Certificates section. There is now a list called Trusted Certificates: with the server name and two links, View Certificate and Remove Certificate, for the HP SIM certificate that was just added.
Requesting the HP SIM Certificate
Enter the HP SIM server name in the appropriate field, and click the corresponding [Get Cert] button. The managed system makes an HTTP request directly to the HP SIM server for its certificate.
Note: Because this is a non-secure request over HTTP, a malicious party could intercept the request and substitute a bogus certificate in the response. A more secure method for obtaining the HP SIM certificate is described in "Importing the HP SIM Certificate".
Configuration at HP SIM
A System Identification Task must be run at least once against any managed system for HP SIM to know that it supports Single Login and Secure Task Execution, or these features will not work.
Certificates for Trusted Systems
If you have enabled Require trusted certificates on the Trusted System Certificates page (select Options > Security > Certificates > Trusted Certificate), import certificates that represent the managed systems you want the HP SIM server to trust into the Trusted System Certificates List of HP SIM. For the managed device certificate, you can use its certificate, or, if applicable, the certificate the Certificate Authority (CA) used to sign the system certificate. Before importing system certificates into the HP SIM Trusted System Certificates List, export the certificates to a file in DER or Base-64 encoded format.
To obtain the system certificate, you can:
For systems running Windows for which you have access to the file system, copy the certificate in the file c:\compaq\wbem\cert.pem, in Base-64 encoded format, to somewhere accessible by HP SIM, or access it directly if it is already accessible by HP SIM.
Export the system certificate while browsing to the system. Select File > Properties from the browser menu. Click [Certificates]. Select the Details tab, then click [Copy to File]. Export the certificate as a Base-64 encoded X.509 file.
To obtain the CA certificate, contact your CA, or refer to the documentation provided with your certificate server software.
To import managed system certificates into the HP SIM Trusted System Certificates List:
Select Options > Security > Certificates > Trusted Certificates, and then click [Import]. The Import Trusted System Certificate section appears.
Next to the Certificate Filename field, click [Browse]. The Choose file dialog box appears.
Navigate to the location of the certificate to be imported, and select the file name.
Click [Open]. The certificate is imported.
Note: If you are setting up a trusted certificate on a cluster, refer to Troubleshooting - Cluster for more information.
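The notes above warn that a certificate fetched over plain HTTP can be substituted in transit, and the import steps accept files in either DER or Base-64 format. The following Python example is added here and is not HP code: it computes a SHA-256 fingerprint from either encoding, so the certificate exported on one system can be compared with the one presented on the other before it is added to a trust list. The function names and the sample bytes are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

def to_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate file given as Base-64 (PEM) or DER."""
    if b"-----BEGIN" not in data:
        # No PEM armour: accept only what looks like DER (a SEQUENCE starts with 0x30).
        if not data.startswith(b"\x30"):
            raise ValueError("neither PEM nor DER; were the BEGIN/END lines dropped?")
        return data
    blocks = PEM_BLOCK.findall(data)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    # Remove all whitespace, including the CRLF line ends Notepad writes.
    return base64.b64decode(b"".join(blocks[0].split()), validate=True)

def fingerprint(data: bytes) -> str:
    """SHA-256 fingerprint of the certificate as colon-separated hex."""
    digest = hashlib.sha256(to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def same_certificate(exported: bytes, received: bytes) -> bool:
    """True only if both files hold the same certificate, whatever their encoding."""
    return hmac.compare_digest(fingerprint(exported), fingerprint(received))

if __name__ == "__main__":
    # Constructed stand-in bytes, not a real HP SIM certificate.
    der = b"\x30\x82\x01\x00" + bytes(range(256))
    pem = (b"-----BEGIN CERTIFICATE-----\r\n"
           + base64.encodebytes(der).replace(b"\n", b"\r\n")
           + b"-----END CERTIFICATE-----\r\n")
    print("exported on CMS :", fingerprint(pem))
    print("seen by managed :", fingerprint(der))
    print("match           :", same_certificate(pem, der))
```

Run it against the file exported on the HP SIM server and the file saved from the managed system; add the certificate to the trust list only when the two fingerprints match.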
Managing Browser Warning Messages
To stop the browser warning messages from displaying:
Open Internet Explorer and browse to the managed server at https://managed_server:2381.
On the Internet Explorer Security Alert, click [View Certificate].
After reviewing the certificate, click [Install Certificate].
Click [Next].
Click [Place all certificates in the following store].
Click [Browse].
Select Trusted Root Certification Authorities and click [OK].
Click [Next].
Click [Finish].
Click [OK].