The Settings tab provides you with the ability to access the agent options, and define the Management HTTP Server security settings.
The Settings section provides a listing of participating agents. Each of the participating agents has options already defined.
The Management HTTP Server section provides links that allow you to configure your Management HTTP Server settings. The Management HTTP Server section provides links to the following:
The Change Password option allows you to change the Management HTTP Server password.
Click Change Password to change the password for Management HTTP Server.
In the User field, select the user level from the drop-down list.
In the New Password field, enter the new password for the user level you selected.
In the Confirm Password field, enter the same password you entered in the Password field.
Click Change Password. A dialog box displays indicating whether or not the password was successfully changed.
The Credits link displays information regarding licensing and credit information.
The Options link accesses the Options page. The Options page allows you to change various Web-Based System Management settings. The System Management Setup Wizard initially allows you to set many of the options from this page, however you can access the Options page in order to edit any of the initial settings. The Page Sections divide the available options into three groups:
The Configuration Options section allows you to select the appropriate settings to include:
Anonymous Access - Anonymous Access is disabled by default. Enabling Anonymous Access allows a user to view HP Web Agents without logging in.
Select Anonymous Access from the Configuration Options page.
Click Save Configuration in the Configuration Options section to save your settings. The Configuration Options page refreshes.
Local Access - Local Access allow you to setup the Management HTTP Server to automatically configure local IP addresses as part of the selected group. This means that any user with access to the local console is granted full access if Administrator is selected. If Anonymous is selected, any user has access limited to unsecured pages without being challenged for a username and password.
NOTE: If this Management HTTP Server is running on the same machine as Insight Manager 7, Local Access (Anonymous) must be enabled for certain features of Insight Manager 7 to work. If Local Access (Administrator) or Anonymous Access is enabled, that also works, but is not necessary.
Logging - Logging allows you to specify the types of log entries you want to record, and whether or not you want to write to the log at all.
Select Logging to record information in the log file.
Select Security Error or Security Information as the type of log to be recorded.
Click Save Configuration in the Configuration Options section to save your settings.
IP Restricted Logins - The Management HTTP Server can restrict login access based on the IP address of the machine from which the login is attempted. These restrictions apply only to direct login attempts and not to logins attempted as part of a trusted Insight Manager 7 server's Single Login or Secure Task Execution features.
IP addresses can be explicitly excluded or explicitly included for each type of user. If an IP address is explicitly excluded it will be excluded even if it is also explicitly included. If there are any IP addresses in the inclusion list, then only those IP addresses will be allowed login access. If there are no IP addresses in the inclusion list, then login access will be allowed to any IP addresses not in the exclusion list.
IP address ranges should be listed with the lower end of the range followed by a hyphen followed by the upper end of the range. All ranges are inclusive in that the upper and lower bounds are considered part of the range. IP address ranges and single addresses are separated by semi-colons.
IP address ranges should be entered in the following format:
122.23.44.1-122.23.44.255;172.84.100.35;127.0.0.0-127.0.0.255
Trust Mode -The Trust Mode options allow you to select the security required by your system. There are some situations that require a higher level of security than others, so you are given the options as shown.
You can click Default Configuration, located in the Configuration Options section, to return all options back to their original settings.
Trust By Certificate - The Trust by Certificate mode sets the Management HTTP Server to only accept certain requests from Insight Manager 7 servers with Trusted Certificate as shown below. This mode will require the submitted server to provide authentication by means of certificates. This mode is the strongest method of security, since it requires certificate data and verifies the digital signature before allowing access.
Trust All - The Trust All mode sets the Management HTTP Server to accept certain requests from any server. For example, you could use the Trust All option if you have a secure network, and everyone in the network is trusted.
The Trust All option leaves your system vulnerable to security attacks.
Trust By Name - The Trust By Name mode sets the Management HTTP Server to only accept certain requests from servers with the Insight Manager 7 names designated in the Trust By Name field. The Trust By Name option is easy to configure, and will prevent non-malicious access. For example, you could use the Trust By Name option if you have a secure network with two separate groups of administrators in two separate divisions. It would prevent one group from installing software to the wrong system. This option will not verify anything other than the Insight Manager 7 server name submitted.
Select Trust By Name.
Enter the name of the server you want to allow access. If you want to trust more than one Insight Manager 7 servers, then you can separate the server names with a semi-colon.
Although Trust By Name mode is a slightly stronger method of security than the Trust All mode, it still leaves your system vulnerable to security attacks.
The Trusted Certificates section allows you to manage your certificates in the Trusted Certificates list.
In the Insight Manager 7 Server Name field, enter the name of the server you wish to receive a certificate from.
Click Get Cert. The certificate data displays.
Click Add Cert to add the displayed certificate to the Trusted Certificates List.
If you have the base64 encoded certificate file for Insight Manager 7, cut and past this certificate information into the Insight Manager 7 Certificate Data box, and click Submit Cert.
If Insight Manager 7 is reinstalled or a new certificate is re-generated, you must remove the trusted servers and start again with step a. Even though the Insight Manager 7 server name is the same in the list, the underlying certificate has changed.
The Customer Generated Certificates option allows you to use certificates that are not generated by HP. If this option is selected, the self-signed certificate that was originally generated by the Management HTTP Server will be replaced with one that was issued by a Certificate Authority. The first step of the process is to cause the Management HTTP Server to create a Certificate Request (PKCS #10). This request utilizes the original private key that was associated with the self-signed certificate and generates the appropriate data for certificate request (the private key never leaves the server during any of this process). Once the PKCS #10 data has been created, the next step is for the user to send that off to a Certificate Authority. Once the Certificate Authority has returned PKCS #7 data, the final step is to import this into the Management HTTP Server. Once the PKCS #7 data has been successfully imported, the original \compaq\wbem\cert.pem certificate file will be overwritten with the device's certificate from that PKCS #7 envelope. The same private key is used for the new imported certificate as was used with the previous self signed certificate.
Click Create PKCS #10 Data. A screen displays indicating that the PKCS #10 Certificate Request data has been successfully generated.
Copy the certificate data.
Send PKCS #10 certificate request data to a Certificate Authority and ask them to send you the certificate request reply data in the form of PKCS #7 format. Request that the reply data be in base64 encoded format. If you organization has its own PKI/Certificate Server implemented, send the PKCS #10 data to the Certificate Authority manager and request the PKCS #7 reply data.
The selected certificate signer generally charges a fee.
When the certificate signer sends the PKCS #7 certificate request reply data to you, copy the data from the PKCS #7 certificate request and paste the copied data in the PKCS #7 Data field.
Click Import PKCS #7 Data. A message displays indicating whether or not the "customer generated certificate" was successfully imported.
Stop the services.
Restart the services.
Browse to the managed device that contains the imported certificate.
Select view the certificate when prompted by the browser. Be sure the signer is listed as the signer you used, and not listed as HP, before importing the certificate into your browser. Alternatively, you can import root CA cert into all the browsers on your network to avoid being prompted.
If the certificate issuer's organizational unit (OU) is still listed as Compaq Management HTTP Server, you will need to start over with step a.
If the certificate signer of your choice sends you the certificate data in base64 encoded form instead of PKCS #7 data, you must copy the base64 encoded file to the filename /compaq/WBEM/Cert.pem and reboot the machine.
Click Default Configuration to revert to default settings. This will not remove imported Trusted Insight Manager 7 certificates or imported Customer Generated certificates.
Once you have successfully imported the PKCS#7 certificate, you may see a dialog box. In order to eliminate this box, you will need to import the Certificate.
Authority’s certificate into your browser as a Trusted Root Certification Authority. Your Certificate Authority can provide you with their certificate and you can import it into your browser via the normal process. Refer to the help files that came with your browser for details on how to import a certificate.
To refresh the page, click Refresh in your browser.
Related Topic