09-07-2004 03:15 AM
how to harden login on managed system home page ?
Can anyone tell me why the login on managed system home page is only protected by a username password? I was expecting to be able to set up SSL client authentication, I mean authorise only login for clients providing a trusted certificate (the administrators' workstations with a trusted certificate, for example).
Thanks for your help
Angelo
- Tags:
- certificate
- SSL
09-07-2004 02:17 PM
Re: how to harden login on managed system home page ?
The Windows and Linux management agents ("systems management home page") use SSL security with a self-signed certificate. When you connect to the agent it presents that certificate for you to continue or install it as a trusted certificate. You must then log in with a password that has been configured at installation as part of the ProLiant Support Pack. There are 3 valid users, administrator, operator and user, and the level of access to each can be specified in a .ini file.
The agents can also be configured with a trust relationship such as trust by name or trust by certificate, for use when being contacted through an application such as IM7 or HP SIM. This is used when launching a web agent interactively from IM7/HP SIM or when a transaction (e.g. software update) is performed.
There is no way to configure a trust to an interactive browser session to avoid having to log in.
09-07-2004 08:40 PM
Re: how to harden login on managed system home page ?
Yes, sorry for not mentioning the OS I'm running.
It's Windows Server 2003 SE for the CMS (I installed Insight Manager 7) and our managed servers are Windows 2000 and 2003.
For me the agents are running on the managed servers and to access them I use this kind of URL:
https://managed_server:2381
(which brings me to a page with an access to a lot of info about the system hardware and more)
Now my problem is that I can access this page without providing any SSL certificate, I mean I can access the page from a workstation (without certificate) with a basic user account (without any rights in Insight). The only thing I have to provide is the username/password defined at installation time. For this operation I was expecting to be forced to use a certificate... why not? I know that this certificate is necessary to push "drivers" or "PSP" to the managed systems through the STE (Secure Task Execution) process... why not in the former?
Moreover, the web page discussed above is reachable without the HP Web Agent service running on the managed, I was expecting this web agent to be the web server (responding to https requests)... what is its role?
Best Regards
Angelo
09-08-2004 07:56 AM
Re: how to harden login on managed system home page ?
For base functionality of the agent, the certificate is used for interaction with IM7/HPSIM and the username/password specified at login is what gets you into the system. Coming in about the January timeframe, the agents will convert to using OS based authentication rather than those accounts.
In addition, you can set up the agents to require "2 way trust" for certs, but that doesn't affect the login directly into "2381" - only interaction with IM7/HPSIM.
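Added example, not part of the thread and not HP code: a small Go program contrasting the two cases discussed in the posts, a TLS listener that only authenticates the server (so the password is the only gate, as on port 2381) and one that also requires a client certificate issued by a trusted CA. The in-process test server, the "admin CA" and the certificate names are assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// newCert makes a demo certificate: a self-signed CA when parent is nil, else a client cert.
func newCert(cn string, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	signer, signKey := tpl, any(key) // self-signed unless a parent CA is given
	if parent != nil {
		signer, signKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, signer, pub, signKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// reach reports whether a client gets through the TLS handshake to the stand-in login page.
func reach(auth tls.ClientAuthType, ca tls.Certificate, clientCerts ...tls.Certificate) bool {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{ClientAuth: auth, ClientCAs: x509.NewCertPool()}
	srv.TLS.ClientCAs.AddCert(ca.Leaf) // only certificates issued by this CA are accepted
	srv.StartTLS()
	defer srv.Close()
	srv.Client().Transport.(*http.Transport).TLSClientConfig.Certificates = clientCerts
	resp, err := srv.Client().Get(srv.URL)
	return err == nil && resp.Body.Close() == nil && resp.StatusCode == http.StatusOK
}

func main() {
	ca := newCert("admin CA", nil)
	fmt.Println("server-auth only, no client cert:", reach(tls.NoClientCert, ca))
	fmt.Println("client cert required, none sent: ", reach(tls.RequireAndVerifyClientCert, ca))
	fmt.Println("client cert required, admin cert:", reach(tls.RequireAndVerifyClientCert, ca, newCert("admin PC", &ca)))
}
```

With the client-certificate requirement in place, a workstation without a trusted certificate is turned away during the handshake, before any login form is returned.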
09-08-2004 07:58 AM
Re: how to harden login on managed system home page ?
Hope that helps.
09-08-2004 08:35 PM
Re: how to harden login on managed system home page ?
Therefore, everyone is able to access the login page, the only step before being able to interact with the server is the username/password.
Can you tell me a few things more? What kind of bad things can be done through the web console, reboot, stop some hardware, reset the array?
And then, is there a way to strengthen the access to this page? Restrict by IP? And so on..
And finally, what is the role of the HP Web Agent service on my Windows servers? I noticed that when it is disabled, little data, if any at all, is available through the web console (I mean 2381), but server states and info are retrieved by the CMS, through SNMP? Through WMI? Through WBEM? What data (state, hardware, software) info is retrieved by SNMP, what is got by WMI or WBEM?
Best Regards
PS: to tell you the truth I'm a little bit afraid to keep a web console opened on all my servers...
09-09-2004 06:41 AM
Re: how to harden login on managed system home page ?
YES! You can lock down the ability to log into the system by IP address, do IP binding to only certain NICs, etc. Rolling forward, it will only be OS Authentication, so that will be another level of protection. All web connections are done via SSL.
Yes, the web agent is the "GUI" portion to the SNMP data; if that service is not running, then you won't get the "data boxes" filled out. You will still be able to get device status and data collection from IM7/HPSIM via SNMP though. Events will still be sent to the mgmt console provided you set up trap destinations.
Today, HPSIM (not IM7) can get generic WMI data from the OS; however, the agents today rely on SNMP. In the future, that will probably change.
One thing that is probably not widely known is that we do a significant amount of security testing internally, PLUS we go to outside vendors from the "ethical hacking" community for validation of our web agents for security. For servers within the Intranet, you should feel comfortable running the agents.
For servers in the DMZ, we have a white paper in the Information Library of HPSIM, http://www.hp.com/go/hpsim/, that talks about how to manage those servers adequately from HPSIM.
Hope this helps.
09-22-2004 02:56 AM
Re: how to harden login on managed system home page ?
Thanks a lot
Angelo