HP Servicecontrol Manager 3.0 User's Guide > Chapter 4 Increasing Servicecontrol Manager Security

Enable WBEM Certificate Validation


By default, all WBEM transactions are encrypted, but the identity of the managed node is not validated. Certificates passed from target nodes are automatically trusted. Enabling certificate validation will increase the level of security for WBEM transactions. You can use self-signed certificates for medium security or CA-signed certificates for high security. The certificate manager inspects credentials for each transaction and either approves or denies the WBEM data exchange based on the credentials.

This security enhancement uses the Java keytool from Sun Microsystems. For more information on the keytool, go to http://java.sun.com and search for "summary of security tools".

NOTE: Additional information about HP WBEM Services is available on the Web at:

http://docs.hp.com/hpux/netsys/index.html

You can use:

  • self-signed certificates for a medium security level

  • CA-signed certificates for a high security level

The self-signed certificates are generated by WBEM on each managed node when SSL is enabled. See the appropriate procedure to enable WBEM certificate validation for your certificate type.

Procedure 4-2 To enable WBEM certificate validation with self-signed certificates:

  1. Log on to the CMS as root.

  2. Identify the MxKeystorePassword:

    mxpassword -l -x MxKeystorePassword

  3. Create a copy of the self-signed certificate on a managed node:

    /opt/wbem/sbin/openssl x509 -in /var/opt/wbem/server.pem -out node.cer

    where node is the hostname of the managed node.

  4. Securely copy the certificate to the /etc/opt/mx/config/security/ directory on the CMS.

  5. Import the certificate into the trust store on the CMS:

    keytool -import -alias node -file node.cer -keystore /etc/opt/mx/config/security/certificates -keypass password

    where node is the hostname of the managed node and password is the MxKeystorePassword.

  6. Repeat this process for each managed node running WBEM.

  7. Edit the WBEM configuration files on the CMS to enable certificate validation. The files are located at:

    • /opt/hpwebadmin/bin/cim.properties

    • /etc/opt/mx/config/collectors/cimclient.properties

    Comment out the following line that sets the trust manager in each file.

    TrustManager=orig.snia.wbemcmd.xml.DontValidateCertificate

  8. Restart SCM and Tomcat on the CMS:

    /opt/mx/bin/mxstop

    /opt/mx/bin/mxstart

Procedure 4-3 To enable WBEM certificate validation with CA-signed certificates:

NOTE: You must have a certificate server available on the network to use CA-signed certificates.

  1. Log on to the CMS as root.

  2. Identify the MxKeystorePassword:

    mxpassword -l -x MxKeystorePassword

  3. Generate a CA-signed certificate on the certificate server and save it as ca_certificate.cer.

  4. Securely copy the generated CA certificate to the /etc/opt/mx/config/security/ directory on the CMS.

  5. Import the CA-signed certificate into the trust store on the CMS:

    keytool -import -alias caroot -file ca_certificate.cer -keystore /etc/opt/mx/config/security/certificates -keypass password

    where password is the MxKeystorePassword.

  6. On a managed node that is running WBEM, generate a certificate request to be signed by the CA on the certificate server:

    /opt/wbem/sbin/openssl req -new -key /var/opt/wbem/server.pem -out cert.csr -config /var/opt/wbem/ssl.cnf

  7. Securely copy the generated certificate request from the managed node to the certificate server.

  8. Retrieve the signed certificate in base64 x509 format.

  9. Replace the certificate on the managed node with the new certificate generated from the certificate server. The certificate on each node is at /var/opt/wbem/server.pem.

  10. Restart WBEM on the managed node:

    kill -9 cimserver_pid

  11. Repeat steps 6-10 for each managed node running WBEM.

  12. Edit the WBEM configuration files on the CMS to enable certificate validation. The files are located at:

    • /opt/hpwebadmin/bin/cim.properties

    • /etc/opt/mx/config/collectors/cimclient.properties

    Comment out the following line that sets the trust manager in each file.

    TrustManager=orig.snia.wbemcmd.xml.DontValidateCertificate

  13. Restart SCM and Tomcat on the CMS:

    /opt/mx/bin/mxstop

    /opt/mx/bin/mxstart
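
The configuration change in step 7 of Procedure 4-2 and step 12 of Procedure 4-3, as an added shell example that is not part of the HP guide: it reports whether a properties file still has the DontValidateCertificate trust manager active and comments that line out after saving a backup. The function names and the .bak backup suffix are assumptions.

```shell
#!/bin/sh
# Added example (not HP-supplied). Helper names are hypothetical.
# Usage on the CMS, as root:
#   sh wbem_trust_check.sh /opt/hpwebadmin/bin/cim.properties \
#       /etc/opt/mx/config/collectors/cimclient.properties

# Return 0 if the file has an active (uncommented) TrustManager line
# that selects the DontValidateCertificate class.
validation_disabled() {
    grep -Eq '^[[:space:]]*TrustManager[[:space:]]*=.*DontValidateCertificate' "$1"
}

# Comment out the active line. The original file is kept as FILE.bak.
# Does nothing if the line is already commented out or absent.
enable_validation() {
    file=$1
    validation_disabled "$file" || return 0
    cp -p "$file" "$file.bak" || return 1
    sed 's/^\([[:space:]]*TrustManager[[:space:]]*=.*DontValidateCertificate.*\)$/#\1/' \
        "$file.bak" > "$file"
}

# Print one status line per file. Returns non-zero if any file is
# unreadable or still accepts every certificate without validation.
audit_files() {
    rc=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "MISSING  $f"; rc=1
        elif validation_disabled "$f"; then
            echo "INSECURE $f"; rc=1
        else
            echo "OK       $f"
        fi
    done
    return "$rc"
}

# Audit only when file names are given on the command line.
if [ "$#" -gt 0 ]; then
    audit_files "$@"
fi
```

Run audit_files again after the mxstop/mxstart restart to confirm both files report OK.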

© 2002-2003 Hewlett-Packard Development Company, L.P.