https://community.hpe.com/t5/server-management-systems/hp-sim-certificate-security-flaw/m-p/5576265#M53510 <P>Hi,</P><P>&nbsp;</P><P>For a project I'm trying to setup a HP SIM environment where 2 fictive company's can each login (with their own useraccount)&nbsp;and administer their own ILO's. I've managed to create seperate system collections, so that's working fine.</P><P>&nbsp;</P><P>I've currently added a&nbsp;few Integrated Lights-Out cards (version 2 and 3 as well) and have succesfully setup a HP SIM SSO on each of them. In the ILO, Single Sign-On Settings are "Trust by Certificate" and I've added the hpsim-server as a trusted server. So far, so good.</P><P>&nbsp;</P><P>However, it seems that a user who (for example) may only manage the ILO with ip 192.168.1.142, can change the url to open another ILO...</P><P><A href="https://ip-of-hp-sim-server:50000/SSO?DID=bunchofnumbers&amp;APP=ILO&amp;FRM=3&amp;URL=http://192.168.1.152:80" target="_blank">https://ip-of-hp-sim-server:50000/SSO?DID=bunchofnumbers&amp;APP=ILO&amp;FRM=3&amp;URL=http://192.168.1.152:80</A>,<BR /><BR />... so he gets autosigned in into an ILO he may not administer!<BR /><BR />I've tried adding the user to the ILO without giving it any rights, but that isn't working. I've also tried to limit his rights on&nbsp;the x.152 ILO&nbsp;using the "Users and Authorizations" in HP SIM, but that isn't working either...</P><P>&nbsp;</P><P>Now, what is the best way to fix this?</P><P>&nbsp;</P><P>Thanks in advance,<BR />Dries</P> Wed, 07 Mar 2012 16:11:07 GMT driesken 2012-03-07T16:11:07Z https://community.hpe.com/t5/server-management-systems/hp-sim-certificate-security-flaw/m-p/5576265#M53510 <P>Hi,</P><P>&nbsp;</P><P>For a project I'm trying to setup a HP SIM environment where 2 fictive company's can each login (with their own useraccount)&nbsp;and administer their own ILO's. I've managed to create seperate system collections, so that's working fine.</P><P>&nbsp;</P><P>I've currently added a&nbsp;few Integrated Lights-Out cards (version 2 and 3 as well) and have succesfully setup a HP SIM SSO on each of them. In the ILO, Single Sign-On Settings are "Trust by Certificate" and I've added the hpsim-server as a trusted server. So far, so good.</P><P>&nbsp;</P><P>However, it seems that a user who (for example) may only manage the ILO with ip 192.168.1.142, can change the url to open another ILO...</P><P><A href="https://ip-of-hp-sim-server:50000/SSO?DID=bunchofnumbers&amp;APP=ILO&amp;FRM=3&amp;URL=http://192.168.1.152:80" target="_blank">https://ip-of-hp-sim-server:50000/SSO?DID=bunchofnumbers&amp;APP=ILO&amp;FRM=3&amp;URL=http://192.168.1.152:80</A>,<BR /><BR />... so he gets autosigned in into an ILO he may not administer!<BR /><BR />I've tried adding the user to the ILO without giving it any rights, but that isn't working. I've also tried to limit his rights on&nbsp;the x.152 ILO&nbsp;using the "Users and Authorizations" in HP SIM, but that isn't working either...</P><P>&nbsp;</P><P>Now, what is the best way to fix this?</P><P>&nbsp;</P><P>Thanks in advance,<BR />Dries</P> Wed, 07 Mar 2012 16:11:07 GMT https://community.hpe.com/t5/server-management-systems/hp-sim-certificate-security-flaw/m-p/5576265#M53510 driesken 2012-03-07T16:11:07Z https://community.hpe.com/t5/server-management-systems/hp-sim-certificate-security-flaw/m-p/5580365#M53542 <P>No one who has a solution to this security issue?</P> Mon, 12 Mar 2012 08:45:20 GMT https://community.hpe.com/t5/server-management-systems/hp-sim-certificate-security-flaw/m-p/5580365#M53542 driesken 2012-03-12T08:45:20Z