Simpler Navigation for Servers and Operating Systems
Completed: a much simpler Servers and Operating Systems section of the Community. We combined many of the older boards, so you won't have to click through so many levels to get at the information you need. Check the consolidated boards here as many sub-forums are now single boards.
Server Management - Systems Insight Manager
cancel
Showing results for 
Search instead for 
Did you mean: 

Systems Mangement Homepage

Highlighted
Josef Roth_2
Occasional Visitor

Systems Mangement Homepage

I have the following security vulnerabilities on several hundred proliant servers.

- SSL Server Supports Weak Encryption
- SSL Server Uses Weak Encryption
- SSL Server Has SSLv2 Enabled
- SSL Certificate - Signature Verification Failed
- SSL Certificate - Self-Signed Certificate
- SSL Certificate - Subject Common Name Does Not Match Server FQDN

All of them are caused by the HP System Management Homepage (v2.0.1.104) which listens on SSL port 2381. Is there a way to enable SSLv3 and turn-off SSLv2 and also restrict access to strong encryption only?

I got stuck and it seams it is not possible to disable v2. My attempts to change the config file "C:\hp\hpsmh\conf\smhpd.conf" was without success. The file gets dumped when the SysMgmtHP service starts up. Therefore, I assume configuration settings are hard coded somewhere.

A look at the SSLCipherSuite entry shows that v2 is enabled.
SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP:-LO
W:+eNULL

This should be changed to:
SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:-SSLv2:+SSLv3:
+EXP:-LOW:+eNULL

see attachment

Thanks

 

 

 P.S.This thread has been moved from ITRC server mgmt (Insight Manager 7) Forum to ITRC HP Systems Insight Manager Forum- HP Forums Moderator