HP

HP Systems Insight Manager Technical Reference Guide


Setting Up Trust Relationships


This topic describes how to set up a trust relationship between an HP Systems Insight Manager (HP SIM) CMS and a managed Windows server that has ProLiant Agents installed.

Setting up the CMS to Trust Managed ProLiant Servers

  1. In HP SIM, select Options > Security > Certificates > Server Certificates, and then click [Export]. Remember the location of the file (servcert.cert).

  2. (Optional) In HP SIM, select Options > Security > Certificates > Trusted Certificates, and then click [Import]. Locate and import the file that was exported in step 1.

    HP SIM uses the same keystore for the server certificate and trusted certificate.

  3. In Internet Explorer, select Tools > Internet Options > Content > Certificates and select the Trusted Root Certificate Authorities tab. Import the file exported in step 1 and select Automatically select the certificate store....

Configuration at the Managed System

For Single Login and Secure Task Execution (STE) to work, the managed system must be running a supported agent and be configured to trust the HP SIM server. The Trust Mode is configured in System Management Homepage.

Trust By Certificate. The Trust by Certificate mode sets the System Management Homepage to accept configuration changes only from HP SIM servers with trusted certificates. This mode requires the submitted server to provide authentication by means of a digital signature and certificates. This mode is the strongest method of security since it verifies the digital signature before allowing access. HP recommends this option.

If you do not want to enable any remote configuration changes by HP SIM, leave Trust by Certificate selected, and leave the list of trusted systems empty.

Trust By Name. The Trust By Name mode sets the System Management Homepage to accept certain configuration changes only from servers with the HP SIM names designated in the Trust By Name field. The Trust By Name option is easy to configure, and prevents non-malicious access. For example, you might use this option if you have a secure network with two separate groups of administrators in two separate divisions. It prevents one group from installing software to the wrong system. This option verifies only the HP SIM server name submitted, not the digital signature.

Trust All. The Trust All mode sets the System Management Homepage to accept configuration changes from any system. For example, you could use the Trust All option if you have a secure network, and everyone in the network is trusted.

For Trust By Certificate, the certificate from the HP SIM system can be installed during the initial support pack deployment. Refer to Version Control - Initial ProLiant Support Pack Install for more information.

Setting Up the Managed Server Running System Management Homepage

  1. Open Internet Explorer and browse to the managed server at https://managed-server:2381. The System Management Homepage appears.

  2. Log into the System Management Homepage.

  3. Select Settings > System Management Homepage > Security.

  4. Click [Trust Mode]. The Trust Mode page appears.

  5. Select Trust by Certificate to Require trusted certificates.

  6. Click [Trust Certificate] to access the Trusted Management server certificate.

  7. Click [Save Configuration] to save the trust mode, or click [Reset Values] to cancel all changes.

  8. Click the browser [Back] button.

  9. In the text box, next to [Add Certificate From Server], enter the name of the HP SIM server that contains the certificate to be added.

  10. Click [Add Certificate From Server]. The certificate information is presented for verification before it is added to the list.

    Note: Because this is a non-secure request over HTTP, a malicious party could intercept the request and substitute a bogus certificate in the response. A more secure method for obtaining the HP SIM certificate is described in "Importing the HP SIM Certificate".

  11. Verify the certificate information, and if you want to add it to the Trusted Certificate List, click [Add Certificate to Trust List].

    Note: If you are setting up a trusted certificate on a cluster, refer to Troubleshooting - Cluster for more information.

Importing the HP SIM Certificate

  1. Export the HP SIM server certificate from the HP SIM server to a file. Refer to Server Certificates - Exporting a Server Certificate for more information.

  2. Place the certificate file in a file location that is accessible to the file system of the managed system.

  3. Browse to the managed system and, using Notepad, open the HP SIM server certificate created in step 1.

  4. Highlight the entire contents of the file, including the Begin Certificate and End Certificate lines. Copy the highlighted contents of the certificate file to the clipboard.

  5. Return to the managed system browser and select the HP SIM Certificate Data box.

  6. Paste the contents of the certificate file into this box and click [Add Cert] underneath the box. A confirmation window appears with three links at the top.

  7. Click Options and scroll down to the Trusted Certificates section. There is now a list called Trusted Certificates: with the server name and two links: View Certificate and Remove Certificate, for the HP SIM Certificate that was just added.

Configuring HP SIM

  1. In Internet Explorer, select Tools > Internet Options > Content > Certificates and select the Trusted Root Certificate Authorities tab. Import the exported file and select Automatically select the certificate store....

  2. (Optional) In HP SIM, select Options > Security > Certificates > Trusted Certificates, and then click [Import]. Locate and import the file that was exported in Step 1.

    HP SIM uses the same keystore for the server certificate and trusted certificate.

  3. Open HP SIM and select Options > Security > Certificates > Trusted Certificates, and enable the Require trusted certificates option.

Setting Up the Managed Server Running Management HTTP Server

Importing the HP SIM Certificate

  1. Export the HP SIM server certificate from the HP SIM server to a file. Refer to Server Certificates - Exporting a Server Certificate for more information.

  2. Place the certificate file in a file location that is accessible to the file system of the managed system.

  3. Browse to the managed system and, using Notepad, open the HP SIM server certificate created in step 1.

  4. Highlight the entire contents of the file, including the Begin Certificate and End Certificate lines. Copy the highlighted contents of the certificate file to the clipboard.

  5. Return to the managed system browser and select the HP SIM Certificate Data box.

  6. Paste the contents of the certificate file into this box and click [Add Cert] underneath the box. A confirmation window appears with three links at the top.

  7. Click Options and scroll down to the Trusted Certificates section. There is now a list called Trusted Certificates: with the server name and two links: View Certificate and Remove Certificate, for the HP SIM Certificate that was just added.

Requesting the HP SIM Certificate

Enter the HP SIM server name in the appropriate field, and click the corresponding [Get Cert] button. The managed system makes an HTTP request directly to the HP SIM server for its certificate.

Note: Because this is a non-secure request over HTTP, a malicious party could intercept the request and substitute a bogus certificate in the response. A more secure method for obtaining the HP SIM certificate is described in "Importing the HP SIM Certificate".
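The substitution risk described in the note above can be checked by comparing the fingerprint of the certificate offered to the managed system with one computed from the file exported on the HP SIM server. The following Python sketch is an added example, not part of the HP SIM documentation or tooling: it accepts the DER and Base-64 export formats mentioned on this page and rejects a paste that has lost its Begin Certificate or End Certificate line. The function names are hypothetical and the sample bytes are constructed, not a real certificate.

```python
import base64
import binascii
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)


def cert_der(data: bytes) -> bytes:
    """Return DER bytes from a DER file or a Base-64 (PEM) file or paste."""
    if data[:1] == b"\x30":              # DER starts with an ASN.1 SEQUENCE tag
        return data
    match = PEM_RE.search(data.decode("ascii"))
    if match is None:
        # Typical copy/paste error: the BEGIN or END CERTIFICATE line was left out.
        raise ValueError("missing BEGIN/END CERTIFICATE line")
    body = "".join(match.group(1).split())   # drop CR/LF and spaces
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid Base-64") from exc


def fingerprint(data: bytes, algo: str = "sha256") -> str:
    """Hex digest over the DER encoding (the certificate fingerprint)."""
    return hashlib.new(algo, cert_der(data)).hexdigest()


def same_certificate(data: bytes, expected: str, algo: str = "sha256") -> bool:
    """Compare with a fingerprint obtained out of band; ':' and case are ignored."""
    wanted = re.sub(r"[^0-9a-fA-F]", "", expected).lower()
    return hmac.compare_digest(fingerprint(data, algo), wanted)


# Constructed sample bytes standing in for a certificate's DER encoding
# (not a real certificate; only the parsing and hashing are demonstrated).
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"constructed-sample"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\r\n"
              + base64.encodebytes(SAMPLE_DER).decode().replace("\n", "\r\n")
              + "-----END CERTIFICATE-----\r\n").encode()

if __name__ == "__main__":
    reference = fingerprint(SAMPLE_DER)       # computed on the HP SIM server
    print(same_certificate(SAMPLE_PEM, reference.upper()))  # copy on managed system
```

Compute the reference fingerprint from the exported file on the HP SIM server itself and carry it to the managed system by a channel other than the HTTP request being checked.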

Configuration at HP SIM

System Identification

A System Identification Task must be run at least once against any managed system for HP SIM to know that it supports Single Login and Secure Task Execution, or these features will not work.

Certificates for Trusted Systems

If you have enabled Require trusted certificates on the Trusted System Certificates page (select Options > Security > Certificates > Trusted Certificates), import certificates that represent the managed systems you want the HP SIM server to trust into the Trusted System Certificates List of HP SIM. For the managed device certificate, you can use its own certificate or, if applicable, the certificate that the Certificate Authority (CA) used to sign the system certificate.

If Require trusted certificates is disabled, the Trusted System Certificates List is not used, and you may omit this section.

Before importing system certificates into the HP SIM Trusted System Certificates List, export the certificates to a file in DER or Base-64 encoded format. To obtain the system certificate, you can:

  • For systems running Windows for which you have access to the file system, copy the certificate in the file c:\compaq\wbem\cert.pem, which is in Base-64 encoded format, to a location accessible by HP SIM, or access it directly if it is already accessible by HP SIM.

  • Export the system certificate while browsing to the system. Select File > Properties from the browser menu. Click [Certificates]. Select the Details tab, and then click [Copy to File]. Export the certificate as a Base-64 encoded X.509 file.

To obtain the CA certificate, contact your CA or refer to the documentation provided with your certificate server software. To import managed system certificates into the HP SIM Trusted System Certificates List:

  1. Select Options > Security > Certificates > Trusted Certificates, and then click [Import].

  2. The Import Trusted System Certificate section appears.

  3. Next to the Certificate Filename field, click [Browse].

    The Choose file dialog box appears.

  4. Navigate to the location of the certificate to be imported, and select the file name. Click [Open].

    The certificate is imported.

Note: If you are setting up a trusted certificate on a cluster, refer to Troubleshooting - Cluster for more information.

Managing Browser Warning Messages

To stop the browser from displaying warning messages:

  1. Open Internet Explorer and browse to the managed server at https://managed_server:2381.

  2. On the Internet Explorer Security Alert, click [View Certificate].

  3. After reviewing the certificate, click [Install Certificate].

  4. Click [Next].

  5. Click [Place all certificates in the following store].

  6. Click [Browse].

  7. Select Trusted Root Certificate Authorities and click [OK].

  8. Click [Next].

  9. Click [Finish].

  10. Click [OK].

Related Procedures

» Server Certificates - Creating a Certificate Signing Request
» Server Certificates - Submitting a Certificate Signing Request
» Server Certificates - Importing a CA-Signed Certificate
» Server Certificates - Exporting a Server Certificate
» Administering Systems and Events - Setting Up Managed Systems

Related Topics

» Networking and Security - Server Certificates
» Networking and Security - Trusted Certificates
» HP Systems Insight Manager Technical Reference Guide - Networking and Security
» Replicate Agent Settings - Creating a Replicate Agent Settings Task
» Tools that Extend Management - Installing OpenSSH
» Administering Systems and Events - Managing SSH Keys