Server Management - Systems Insight Manager
HP SIM certificate security flaw?

 
driesken
Occasional Contributor

HP SIM certificate security flaw?

Hi,

 

For a project I'm trying to set up an HP SIM environment where 2 fictive companies can each log in (with their own user account) and administer their own ILOs. I've managed to create separate system collections, so that's working fine.

 

I've currently added a few Integrated Lights-Out cards (version 2 and 3 as well) and have successfully set up an HP SIM SSO on each of them. In the ILO, Single Sign-On Settings are "Trust by Certificate" and I've added the hpsim-server as a trusted server. So far, so good.

 

However, it seems that a user who (for example) may only manage the ILO with ip 192.168.1.142, can change the url to open another ILO...

https://ip-of-hp-sim-server:50000/SSO?DID=bunchofnumbers&APP=ILO&FRM=3&URL=http://192.168.1.152:80,

... so he gets auto-signed in to an ILO he may not administer!

I've tried adding the user to the ILO without giving it any rights, but that isn't working. I've also tried to limit his rights on the x.152 ILO using the "Users and Authorizations" in HP SIM, but that isn't working either...

 

Now, what is the best way to fix this?

 

Thanks in advance,
Dries

1 REPLY
driesken
Occasional Contributor

Re: HP SIM certificate security flaw?

Does no one have a solution to this security issue?
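
An added example, not part of the original posts and not HP code: one way to audit for the behaviour described in the first post is to compare the `URL` target of each `/SSO` request with the systems the requesting user is supposed to manage. The host name `hpsim.example`, the user names, the `DID` values, the request records and the authorization map are all constructed; it assumes you can export (user, requested URL) pairs from a proxy or web log in front of the HP SIM server.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed data: the iLO addresses each HP SIM user is meant to manage.
AUTHORIZED = {
    "companyA-admin": {"192.168.1.142"},
    "companyB-admin": {"192.168.1.152"},
}

# Constructed (user, requested URL) records, shaped like the link in the post.
BASE = "https://hpsim.example:50000/SSO?DID=1&APP=ILO&FRM=3"
SAMPLE_REQUESTS = [
    ("companyA-admin", BASE + "&URL=http://192.168.1.142:80,"),
    ("companyA-admin", BASE + "&URL=http://192.168.1.152:80,"),
    ("companyB-admin", BASE + "&URL=http%3A%2F%2F192.168.1.152%3A80"),
    ("companyB-admin", BASE),  # no URL parameter: nothing to check
]

def sso_target_hosts(request_url):
    """Return every host named by a URL parameter of an /SSO request."""
    parts = urlsplit(request_url)
    if parts.path.rstrip("/").upper() != "/SSO":
        return set()
    hosts = set()
    for key, value in parse_qsl(parts.query):
        if key.upper() != "URL":  # assumption: treat the key case-insensitively
            continue
        try:
            # The link in the post ends with a stray comma; drop it first.
            host = urlsplit(value.strip().rstrip(",")).hostname
        except ValueError:
            host = None
        # A target that cannot be parsed is reported rather than ignored.
        hosts.add(host.lower() if host else "<unparseable>")
    return hosts

def audit(requests, authorized):
    """List (user, host) pairs where the SSO target is outside the user's set."""
    findings = []
    for user, url in requests:
        allowed = authorized.get(user, set())
        for host in sorted(sso_target_hosts(url) - allowed):
            findings.append((user, host))
    return findings

if __name__ == "__main__":
    for user, host in audit(SAMPLE_REQUESTS, AUTHORIZED):
        print(f"{user} requested SSO to {host}, which is not in their collection")
```

A check like this only reports the requests after the fact; it does not change what the SSO endpoint itself allows.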