HP Integrity rx2800 System Management Homepage User Guide - Page 85



   a. Select Request a certificate.
   b. Select Advanced certificate request.
   c. Select Submit a certificate request by using a base.
   d. Press the Ctrl+V keys to paste the PKCS #10 data into the field.
4. From your Windows 2003 certificate authority system, complete the following:
   a. Click Start→All Programs→Administrative Tools→Certification Authority.
   b. Click CA (Local)→W2003CA/certsrv, where W2003CA is the name of your Windows 2003 certificate authority system.
   c. Issue the pending request certificate.
5. Navigate to http://W2003CA/certsrv, where W2003CA is the name of your Windows 2003 certificate authority system, and complete the following:
   a. Select View the status of a pending certificate request.
   b. Select Base64-encoded and Download certificate (not certificate chain).
   c. The file download is certnew.cer.
   d. Rename certnew.cer to cert.pem.
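A check for step 5, added here as an example and not part of HP's documentation or software: it takes the downloaded certnew.cer, rejects a PKCS #7 "certificate chain" download, converts a binary (DER) download to Base64, and returns the single PEM certificate that cert.pem must contain. The DER and PEM sample values used for testing are constructed and are not a real certificate.

```python
import base64
import re

# Added example, not HP's code: normalise the file downloaded from the
# Windows 2003 CA web enrollment page into the Base64 PEM form HP SMH
# expects in cert.pem. Choosing "certificate chain" (PKCS #7) or a binary
# (DER) download at step 5b is a common slip; this catches the first and
# converts the second.

_PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS #7 signedData)
_PKCS7_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"


def der_object_length(buf: bytes) -> int:
    """Total length (tag + length bytes + content) of the DER SEQUENCE at buf[0]."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("not a DER SEQUENCE; an X.509 certificate was expected")
    first = buf[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def to_pem(data: bytes) -> bytes:
    """Return exactly one PEM certificate for PEM or DER input; reject chains."""
    if b"-----BEGIN PKCS7-----" in data or _PKCS7_OID in data[:48]:
        raise ValueError("PKCS #7 chain: choose 'Download certificate', not 'certificate chain'")
    blocks = _PEM_CERT.findall(data)
    if len(blocks) > 1:
        raise ValueError("%d certificates in file; SMH needs exactly one" % len(blocks))
    der = base64.b64decode(b"".join(blocks[0].split())) if blocks else data
    if der_object_length(der) != len(der):
        raise ValueError("DER length mismatch: truncated file or trailing data")
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]   # 64-column PEM body
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n").encode("ascii")


def download_problem(data: bytes) -> str:
    """'' if the download is usable as cert.pem, otherwise the reason it is not."""
    try:
        to_pem(data)
        return ""
    except ValueError as exc:
        return str(exc)
```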
6.7 What are the security options when using Bastille?

Bastille is a system hardening program that enhances the security of an HP-UX host. It configures daemons, system settings and firewalls to be more secure. It can shut off unneeded services and tools such as rcp(1) and rlogin(1), and can help limit the vulnerability of common Internet services such as Web servers and DNS.

NOTE: At this time, HP System Management Homepage does not support Partition Manager.

One facility that Bastille uses to lock down a system is IP filtering. Refer to the Partition Manager Online Help for requirements when using IP filtering with Partition Manager. If Bastille's interactive user interface is used, be aware of these issues when answering the questions asked by Bastille. Bastille also has three install-time security options that are represented by the following files in /etc/opt/sec-mgmt/bastille:

• HOST.config
  Host-based lockdown, without IPFilter configuration. Using this configuration has no impact on Partition Manager.

• MANDMZ.config
  A fairly tight lockdown, but leaves select network ports open that are used by common management protocols and tools. For example, WBEM still functions when this configuration is used. Launching Partition Manager under this configuration requires the use of SSH or changes to enable ports 2301 and 2381. To enable launching Partition Manager on a system where ports 2301 and 2381 are disabled, adjust the IP filtering by adding entries such as:

      pass in quick proto tcp from any to any port = 2301 flags S/0xff keep state keep frags
      pass in quick proto tcp from any to any port = 2381 flags S/0xff keep state keep frags

  to /etc/opt/sec-mgmt/bastille/ipf.customrules prior to running Bastille. For more information, see ipf(5).

• DMZ.config
  A tight lockdown. Launching Partition Manager under this configuration requires the use of SSH.

Bastille also impacts Partition Manager when remotely managing a system where Bastille is enabled. After the normal transfer of certificates, Partition Manager works as described above if the HOST.config or MANDMZ.config configurations are used. However, the DMZ.config configuration blocks WBEM traffic and prevents Partition Manager from remotely managing the system.

For more information about Bastille, see bastille(1M) and the Bastille User Guide, installed at /opt/sec-mgmt-bastille/docs/user-guide.txt.
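An added example of the MANDMZ.config adjustment, not Bastille's or HP's code: it audits the text of /etc/opt/sec-mgmt/bastille/ipf.customrules for inbound TCP pass rules on ports 2301 and 2381 and appends the two rule lines in the form shown above when they are missing. The sample rules are constructed; the check is syntactic and does not evaluate ipf rule order.

```python
import re

# Added example, not part of Bastille or HP SMH: audit an ipf.customrules
# file for the inbound TCP pass rules HP SMH needs (ports 2301 and 2381)
# under MANDMZ.config, and append any that are missing in the exact form the
# user guide shows. Purely syntactic: ipf's own rule-order semantics
# ("quick" first match, otherwise last match) are not evaluated here.

SMH_PORTS = (2301, 2381)
RULE = "pass in quick proto tcp from any to any port = {port} flags S/0xff keep state keep frags"

_IN_RULE = re.compile(r"^\s*(?P<action>pass|block)\s+in\b(?P<body>.*)$", re.I)
_TCP_PORT = re.compile(r"\bproto\s+tcp\b.*\bto\s+\S+\s+port\s*=\s*(\d+)\b", re.I)


def inbound_tcp_rules(rules_text: str) -> dict:
    """Map destination TCP port -> action ('pass'/'block') of the last in-rule naming it."""
    seen = {}
    for line in rules_text.splitlines():
        line = line.split("#", 1)[0]               # drop comments
        m = _IN_RULE.match(line)
        if not m:
            continue
        pm = _TCP_PORT.search(m.group("body"))
        if pm:
            seen[int(pm.group(1))] = m.group("action").lower()
    return seen


def missing_smh_rules(rules_text: str) -> list:
    """Rule lines still needed so that ports 2301 and 2381 are passed inbound."""
    state = inbound_tcp_rules(rules_text)
    return [RULE.format(port=p) for p in SMH_PORTS if state.get(p) != "pass"]


def with_smh_rules(rules_text: str) -> str:
    """rules_text with the missing SMH rules appended; unchanged if none are missing."""
    extra = missing_smh_rules(rules_text)
    if not extra:
        return rules_text
    sep = "" if not rules_text or rules_text.endswith("\n") else "\n"
    return rules_text + sep + "\n".join(extra) + "\n"


# Constructed sample file: SSH and port 2381 are already passed, 2301 is not.
SAMPLE_RULES = """\
# constructed example ipf.customrules
pass in quick proto tcp from any to any port = 22 flags S/0xff keep state
pass in quick proto tcp from any to any port = 2381 flags S/0xff keep state keep frags
"""
```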
7 Other Problems

7.1 I am having problems downgrading HP SMH from 3.x to 2.x.
Troubleshooting
85