2 trusted certificates – HP Insight Control Software for Linux User Manual

Page 22


secure boot mechanism

Virtual media support is provided as the secure boot mechanism. PXE booting provides no authentication or encryption.

Data used to authenticate either the CMS or a managed system, or used to set up login credentials on a management processor, must be secured. This information is secured with the virtual media mechanism. Specifically, the data includes the SSH public key and any certificates needed to secure the communication between the CMS and the managed system.

An auxiliary RAM disk that can be appended to the normal Insight Control for Linux RAM disk is created for this purpose.

This auxiliary RAM disk is used in one of two ways:

— It becomes part of the virtual media ISO boot image when booting a managed system using virtual media.

— It is added in the pxelinux.cfg boot configuration file when booting by PXE.

HTTPS

Communication between the CMS and a managed node is performed using HTTPS.

Digital signature

HP software, firmware, drivers, applications, and other executables are delivered with an electronic cryptographic signature. This electronic signature gives you an industry standard method to verify the integrity and authenticity of the code you received before you deploy it.

This digital signature is then used in a signature verification process to verify and validate the following:

— The authenticity of the code: that HP created the code in question.

— The integrity of the code: that the code in question was not altered since it was originally signed.

For the procedure to validate RPMs, see “Validating RPM signatures” (page 17).

1.14.2 Trusted certificates

HP Insight Control for Linux conforms to the security features of HP SIM. There is a Trusted Certificates tab under Options→Security→Credentials→Trusted Systems. By selecting that tab, you access a web page that allows you to determine how SSL/HTTPS connections are handled; there are two options, depending on the button selected:

Always Accept

This button is preselected by default. The CMS will always accept client connections without validating them against certificates in the HP SIM trust store.

Require

When this button is selected, only connections to systems with certificates in the HP SIM trust store are allowed. Also, PXE-based bare-metal discovery should fail; the systems may appear in HP SIM, but the bare-metal task will fail when the task attempts to set the iLO credentials.

Use the virtual media discovery method instead.

When performing any operation that communicates with an iLO-based management processor,
Insight Control for Linux has the ability to verify whether the target iLO is a trusted system,
meaning that it is presenting a certificate trusted by Insight Control for Linux. To enable this
security mechanism, make sure the Require radio button is selected.
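The following shell script is an added illustration, not HP's code, of the difference between the two buttons: under Require a certificate presented by a managed system is accepted only when its SHA-256 fingerprint matches a certificate already in the trust store, while Always Accept never consults the store. The helper names, the trust-store directory and the two self-signed certificates standing in for iLO certificates are constructed for the demo; HP SIM's own store format is not reproduced.

```shell
#!/bin/sh
# Added example: models the HP SIM "Always Accept" / "Require" trust-store check.
set -eu

# SHA-256 fingerprint of a PEM certificate as uppercase hex without colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g'
}

# check_connection MODE PRESENTED_CERT TRUST_STORE_DIR
# Prints "accept" or "reject" (exit 0 / 1). In "require" mode the presented
# certificate must match, by fingerprint, a *.pem file in the trust store.
check_connection() {
    mode=$1 presented=$2 store=$3
    case $mode in
        always_accept)
            echo accept; return 0 ;;
        require)
            fp=$(cert_fingerprint "$presented")
            for trusted in "$store"/*.pem; do
                [ -f "$trusted" ] || continue
                if [ "$(cert_fingerprint "$trusted")" = "$fp" ]; then
                    echo accept; return 0
                fi
            done
            echo reject; return 1 ;;
    esac
}

# Constructed demo material: a scratch trust store and two self-signed certs
# standing in for the certificates two iLO processors would present.
WORK=$(mktemp -d)
TRUST_STORE="$WORK/trust"; mkdir -p "$TRUST_STORE"
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
make_cert ilo-known      # imported into the trust store below
make_cert ilo-unknown    # never imported
cp "$WORK/ilo-known.pem" "$TRUST_STORE/"

# Demo run: only the known certificate passes under "require".
check_connection always_accept "$WORK/ilo-unknown.pem" "$TRUST_STORE"
check_connection require       "$WORK/ilo-known.pem"   "$TRUST_STORE"
check_connection require       "$WORK/ilo-unknown.pem" "$TRUST_STORE" || true
```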

22

Using HP Insight Control for Linux
