HP Systems Insight Manager Technical Reference Guide


About Login

Single Login

Single Login allows a link within an HP Systems Insight Manager (HP SIM) page to establish an authenticated browser session to a managed system that supports Single Login without requiring users to re-enter their user names and passwords. However, if you are trying to establish an authenticated browser session with another instance of HP Systems Insight Manager running on another system, you must re-enter your user name and password. Single Login links exist wherever there is a link to another system.

HP SIM is the initial point of authentication, and browsing to another managed system must be from within HP SIM.

If you browse to a managed system using any method other than the links within HP SIM, Single Login is not supported, and you are required to enter the appropriate user name and password for each managed system. Managed systems must be set up to trust an HP SIM system before accepting a Single Login command. Trust is set up at the system by importing the HP SIM system certificate into the Trusted Management Servers List of the system. Refer to Trusted Certificates - Setting Up Trust Relationships for more information.

Managed Systems must be set up to trust an HP SIM system before accepting a Single Login command. Trust is set up at the system by importing the HP SIM system certificate into the Trusted Management Systems List of the system. Refer to Trusted Certificates - Requiring Trusted Certificates for more information.

Single Login does not work on a Virtual Cluster System. However, it does work on the physical systems which compose the cluster.

Signing In

Signing in to HP Systems Insight Manager allows access to HP SIM and determines what authorizations you have in HP SIM. Browsing to HP SIM using Secure Sockets Layer (SSL) encrypts all information between the browser and HP SIM, including login credentials. SSL securely encrypts the password and helps prevent someone from capturing and replaying a valid login sequence.

The login page has three fields:

  • User Name. The name of the user.

  • Password. The password for the user name.

  • Domain Name. The Windows domain of the user. This field appears in Windows environments only.

In a Windows environment, administrators are selected from the operating system during the HP SIM installation. To sign into HP SIM, enter the appropriate information for the account in the fields provided. The User Name field specifies the user name, and the Domain Name specifies the Windows domain. These fields are required in a Windows environment.

After the credentials are securely received by HP SIM, HP SIM validates the account, verifies that browsing is being done from a valid IP address for that account, and authenticates the credentials against the Windows domain. Refer to HP Systems Insight Manager Technical Reference Guide - Users and Authorizations for details about accounts.

Some login failures are caused by failure in the operating system, some by failure within HP SIM. Use the operating system User Management tools to address these potential login failures:

  • Login credentials are not entered correctly. Passwords are case-sensitive.

  • The account being entered has been deleted or has been disabled or locked out.

  • The password for the account has expired or must be changed.

The following reasons for login failure within HP SIM can be addressed on the Users and Authorizations pages:

  • The account being entered is not an account for HP SIM.

  • You are attempting to sign in from an IP address that is not valid for the specified account.

Finally, the browser system can also be the cause of login failures:

  • Browser not configured to accept cookies.

    Refer to the HP Systems Insight Manager Installation and User Guide at http://h18013.www1.hp.com/products/servers/management/hpsim/infolibrary.html for more information.

  • A cookie blocker is installed.

HP SIM can be configured to log an event in the HP SIM Event Database when a login attempt fails or succeeds and when a sign out occurs.

Login Authentication on Linux and HP-UX

HP SIM uses Pluggable Authentication Modules (PAM) to authenticate users who log into the Web server interface on Linux and HP-UX.

Configuring PAM on a Linux System

The administrator of a Linux CMS can customize the PAM that HP SIM uses. The file /etc/pam.d/mxpamauthrealm contains the authentication steps for the HP SIM Web server interface. The default for this file is:

    #%PAM-1.0
    auth required /lib/security/pam_unix.so
    account required /lib/security/pam_unix.so
    session required /lib/security/pam_unix.so

This default setup directs PAM to use the standard UNIX authentication module to authenticate users attempting to log in to the HP SIM Web server interface. Standard calls from the system libraries are used to access account information, usually read from /etc/passwd or /etc/shadow.

The administrator of the system can adjust these requirements to conform to the security requirements of the system. For example, if the security policy on the system is time dependent and /etc/security/time.conf is configured, you could adjust mxpamauthrealm to:

    #%PAM-1.0
    auth required /lib/security/pam_unix.so
    account required /lib/security/pam_unix.so
    session required /lib/security/pam_unix.so

Configuring PAM on an HP-UX System

Customizing PAM security on HP-UX is very similar. All of the PAM configurations are stored in /etc/pam.conf.

The lines for HP SIM on HP-UX 11i are:

    mxpamauthrealm auth required /usr/lib/security/libpam_unix.1
    mxpamauthrealm account required /usr/lib/security/libpam_unix.1
    mxpamauthrealm session required /usr/lib/security/libpam_unix.1

The lines for HP SIM on HP-UX 11i 2.0 are:

    mxpamauthrealm auth required /usr/lib/security/$ISA/libpam_unix.1
    mxpamauthrealm account required /usr/lib/security/$ISA/libpam_unix.1
    mxpamauthrealm session required /usr/lib/security/$ISA/libpam_unix.1

If you want the HP SIM Web server login model to match what is configured for your other login methods (telnet, rlogin, login, ssh, and so on), configure the same plug-in modules that are used by these other login methods. These should be defined by the login service name in the /etc/pam.conf file or the /etc/pam.d/login file.
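The comparison described above can be automated. The following is an added example, not part of the HP SIM documentation or product: it parses both the Linux /etc/pam.d layout and the HP-UX /etc/pam.conf layout and reports mandatory modules that the login service enforces but mxpamauthrealm does not. The function names and the login stack (including its pam_time.so line, the Linux-PAM module that reads /etc/security/time.conf) are assumptions constructed for illustration.

```python
import os
import re

# type, control (keyword or [bracketed] form), module path; arguments ignored
RULE = re.compile(r"^-?(auth|account|session|password)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_stack(text, service=None):
    """Return [(type, control, module)]. service=None: /etc/pam.d layout;
    service="x": /etc/pam.conf layout, keeping only the lines for service x."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drops comments and #%PAM-1.0
        if service is not None:
            head = line.split(None, 1)
            if len(head) < 2 or head[0] != service:
                continue
            line = head[1]
        m = RULE.match(line)
        if m:  # compare by file name so /lib/security vs $ISA paths still match
            rules.append((m.group(1), m.group(2), os.path.basename(m.group(3))))
    return rules

def missing_from_realm(realm, reference):
    """(type, module) pairs that are mandatory in reference but absent in realm."""
    have = {(t, mod) for t, _, mod in realm}
    return [(t, mod) for t, ctl, mod in reference
            if ctl in ("required", "requisite") and (t, mod) not in have]

# Default /etc/pam.d/mxpamauthrealm as shown on this page.
REALM_DEFAULT = """#%PAM-1.0
auth required /lib/security/pam_unix.so
account required /lib/security/pam_unix.so
session required /lib/security/pam_unix.so
"""
# Constructed sample: a login stack that also enforces time.conf via pam_time.
LOGIN_SAMPLE = """#%PAM-1.0
auth     required /lib/security/pam_unix.so
account  required /lib/security/pam_time.so
account  required /lib/security/pam_unix.so
session  required /lib/security/pam_unix.so
session  optional /lib/security/pam_lastlog.so
"""
# HP-UX pam.conf lines from this page plus one constructed login line.
PAMCONF_SAMPLE = """mxpamauthrealm auth required /usr/lib/security/$ISA/libpam_unix.1
mxpamauthrealm account required /usr/lib/security/$ISA/libpam_unix.1
login auth required /usr/lib/security/$ISA/libpam_unix.1
"""
if __name__ == "__main__":
    print(missing_from_realm(parse_stack(REALM_DEFAULT), parse_stack(LOGIN_SAMPLE)))
```

With the constructed login stack, the only gap reported is the account-phase pam_time.so rule, meaning the time-of-day restriction would apply to console logins but not to the HP SIM Web server interface.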
