HP Systems Insight Manager 5.2 Installation and Configuration Guide for Microsoft Windows > Chapter 1 Product overview

Secure data transmission


The security of the transaction depends on your networking environment and the management protocol that each tool is using.

Management protocols

The basic supported management protocols and applications are SSH, Web-Based Enterprise Management (WBEM), Secure HTTP (HTTPS), Desktop Management Interface (DMI), and SNMP. Tools are not limited to these protocols, and they can provide a custom management protocol. SSH is the only protocol that must be installed on every managed system. Tools require specific protocols, and they can only be run on a managed system if the protocol they require is installed and configured correctly.

SSH. SSH is a program that enables you to log in to another system over a network and execute commands on that system. It also enables you to move files from one system to another, and it provides authentication and secure communications over insecure channels. SSH uses a public/private key pair to provide a secure mechanism to authenticate and encrypt communication. SSH keys are used to identify the execute-as user on the managed system. Typically, the execute-as user is either root or administrator, but other users can be configured, depending on the tool that will be executed on the managed system. The private key is kept secure on the CMS, while the public key is installed on each managed system.

The SSH-2 protocol is used by the Distributed Task Facility (DTF) to communicate with managed systems. The DTF improves operator efficiency by replicating operations across the systems or system groups within the management domain using a single command. This functionality reduces the load on administrators in multisystem environments. X Window and CLI tools use the DTF to execute and support the following tasks:

  • Executing scripts, commands, and applications remotely on managed systems

  • Copying files to managed systems

The DTF connects the CMS to the SSH server software running on each managed system. The DTF tells the SSH server what tasks must be performed on the system. The SSH server then performs the tasks and returns the results to the DTF. The DTF consolidates the feedback it receives from all the managed systems.

WBEM. WBEM is an industry standard that simplifies system management. It is based on a set of management and Internet standard technologies developed to unify the management of enterprise computing environments. It provides access to both software data and hardware data that is readable by WBEM-compliant applications.

HP SIM keeps a database of passwords for managed systems running WBEM. The database contains the user names and passwords for each managed system, which are required to provide user authentication for tools using this protocol. These accounts do not need to have other access capabilities, such as login rights. They are only used for WBEM access by HP SIM. The WBEM user name and password can be set from the CLI or GUI. For more information, see the "Administering systems and events" section in the HP SIM User Guide at http://docs.hp.com/en/index.html.

HP SIM uses HTTPS to access WBEM data, providing a secure path for system management data. For access to Windows management data instrumented in Windows Management Instrumentation (WMI), a WMI Mapper running on a Windows system converts the HTTPS WBEM requests into WMI requests, which use Distributed Component Object Model and NT security.

A new SSL certificate is created during CMS initialization that is used as a client credential in Web-Based Enterprise Management (WBEM) requests (instead of the CMS certificate).

NOTE: The WBEM client certificate authentication feature is only supported on HP-UX systems that have WBEM Services 2.5 installed for HP SIM.

HTTPS. HTTPS is simply HTTP over SSL, a protocol that supports sending data securely over the Web. HTTPS is used to access WBEM data as explained in the previous section, and it is used to access ProLiant agent information. Digital certificates are used instead of user names and passwords to establish trust between the agent and the CMS. The certificate of the CMS should be loaded into each agent to be managed by that CMS.

Desktop Management Interface. DMI is an industry-standard protocol, primarily used in client management, established by the Desktop Management Task Force. DMI provides an efficient means of reporting client system problems. DMI-compliant computers can send status information to a CMS over a network. DMI is supported for system inventory collection where the information is not available from WBEM and SNMP. A Windows CMS uses DMI to gather information from third-party servers. DMI is not a secure protocol. Therefore, anyone with access to your network can intercept and view DMI transactions.

SNMP. SNMP is a set of protocols for managing complex networks. SNMP works by sending messages, called protocol data units (PDUs), to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters. SNMP is available in several versions. SNMP Version 1, used by HP SIM, is not a secure protocol. Therefore, anyone with access to your network can intercept and view SNMP transactions.

HP SIM keeps a database of read and write community names for managed systems running SNMP. The community names must match those configured on the management system. The SNMP community names and passwords can be set from the CLI or GUI. For more information, see the "Administering systems and events" section in the HP SIM User Guide at http://docs.hp.com/en/index.html.

HP SIM does not use SNMP SetRequests. By default, the supported operating system platforms have SNMP SetRequests disabled. For improved security, do not enable SNMP SetRequests on the CMS or the managed systems. Even SNMP GetRequest responses can be spoofed, so all information from SNMP should be regarded as insecure.
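The two SNMP points above (the community name crosses the wire in clear text, and SetRequests should never appear because HP SIM does not send them) can be checked on captured traffic. The following is an added example, not HP SIM code: a minimal BER decoder for the SNMPv1 message header run over two constructed datagrams.

```python
# BER tags of the SNMPv1 PDU types (context-specific, constructed)
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}


def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(packet):
    """Return version, community and PDU type of an SNMPv1/v2c message.

    Layout: SEQUENCE { INTEGER version, OCTET STRING community, [PDU] }.
    Nothing is decrypted here: the community name is plain text on the wire.
    """
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, ver, pos = read_tlv(body, 0)
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    pdu_tag = read_tlv(body, pos)[0]
    return {"version": int.from_bytes(ver, "big"),  # 0 = v1, 1 = v2c
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_NAMES.get(pdu_tag, "unknown(0x%02x)" % pdu_tag)}


def audit(packets):
    """Flag SetRequests: HP SIM never sends them, so on a network where
    SetRequests are disabled any that appear deserve investigation."""
    return ["SetRequest with community %r" % parse_snmp_header(p)["community"]
            for p in packets if parse_snmp_header(p)["pdu"] == "SetRequest"]


# Constructed sample datagrams (not captures): a v1 GetRequest for
# sysDescr.0 and a v1 SetRequest on sysName.0, both with community "public".
GET_SYSDESCR = bytes.fromhex(
    "3026 020100 0406 7075626c6963 a019 020101 020100 020100"
    "300e 300c 0608 2b06010201010100 0500")
SET_SYSNAME = bytes.fromhex(
    "3027 020100 0406 7075626c6963 a31a 020101 020100 020100"
    "300f 300d 0608 2b06010201010500 040178")

if __name__ == "__main__":
    for pkt in (GET_SYSDESCR, SET_SYSNAME):
        print(parse_snmp_header(pkt))
    print(audit([GET_SYSDESCR, SET_SYSNAME]))
```

Feed it the UDP payloads of port 161 traffic from a capture to confirm that only GetRequest/GetNextRequest PDUs leave the CMS.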

Web server security

HP SIM uses the Tomcat web server on the CMS. Tomcat features that are not required by HP SIM are turned off by default. These features include Server Side Includes and Common Gateway Interface scripts.

Self-signed certificates

The self-signed certificates used for WBEM and web server authentication make it possible for another system to impersonate the CMS (known as spoofing) if the valid certificate is not securely imported into the client or browser. To prevent the possibility of spoofing, use a certificate signed by a trusted Certificate Authority (CA), or securely export the certificate by browsing locally to the CMS and then securely import it into your browser. You can also obtain the server certificate by browsing remotely and saving it in the browser the first time you access HP SIM, but this option is less secure and still susceptible to a possible "man-in-the-middle" attack. Information about importing CA-signed certificates is available in the "Administering systems and events" section of the HP SIM User Guide at http://docs.hp.com/en/index.html.
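One way to make the "export locally, then import" step verifiable, as an added example that is not part of HP's documentation: record the fingerprint of the certificate exported on the CMS itself, then compare it with the certificate a remote browser session would be shown before trusting it. The host and port are assumed inputs; the sample PEM below is constructed and is not a real certificate.

```python
import base64
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem):
    """Extract the first certificate in PEM text as DER bytes."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(pem, algo="sha256"):
    """Fingerprint in the colon-separated form browsers display (AA:BB:...)."""
    digest = hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pinned(pem, pinned, algo="sha256"):
    """True if pem has the fingerprint recorded while browsing locally on the CMS."""
    return fingerprint(pem, algo) == pinned.upper()


def check_remote_cms(host, port, pinned):
    """Fetch the certificate presented at host:port and compare it with the
    locally recorded fingerprint. A mismatch means the connection is not
    reaching the CMS certificate you exported (spoofing or interception),
    so the presented certificate must not be imported as trusted."""
    presented = ssl.get_server_certificate((host, port))
    return matches_pinned(presented, pinned)


# Constructed stand-in for an exported certificate (not real DER). In practice
# the PEM comes from the export made while browsing locally on the CMS.
SAMPLE_DER = b"constructed sample, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    pinned = fingerprint(SAMPLE_PEM)  # value to record on the CMS
    print("pinned SHA-256:", pinned)
    print("matches:", matches_pinned(SAMPLE_PEM, pinned))
```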

X application security

The data exchanged between an X client (or application) running on a managed system and an X server on the network client is transmitted in clear text over the network. HP does not recommend X clients in environments in which security is a concern.

Managing servers behind a firewall

HP SIM supports managing servers that are located behind a firewall when using the SSH, HTTPS, and WBEM protocols. HP does not recommend the SNMP and DMI protocols for this purpose because they are not secure protocols. The firewall must be configured to allow this traffic through. The following ports are used:

  • WBEM uses HTTPS over port 5989

  • Web Agents use HTTPS over port 2381

  • DTF uses SSH-2 over port 22

For a complete list of ports used by HP SIM, see the Understanding HP SIM Security white paper. This white paper is available at http://www.hp.com/go/hpsim/.

© 2003-2008 Hewlett-Packard Development Company, L.P.