System Manager Security
System Manager Security ensures that HMC can operate securely in the client-server mode. Managed machines are servers and the managing users are clients. Servers and clients communicate over the Secure Sockets Layer (SSL) protocol, which provides server authentication, data encryption, and data integrity. Each HMC System Manager server has its own private key and a certificate of its public key signed by a Certificate Authority (CA) that is trusted by the System Manager clients. The private key and the server certificate are stored in the server's private key ring file. Each client must have a public key ring file that contains the certificate of the trusted CA.
This section describes tasks associated with System Manager Security. For additional information about System Manager Security, see the HMC Operations Guide.
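The trust relationship described above, worked through with OpenSSL as an added example (this is not HMC's own key ring tooling; SM.pubkr and the private key ring files are HMC formats, and all names below are constructed): a server certificate verifies only against the CA that signed it, so a client whose public key ring holds a different CA cannot authenticate that server.

```shell
#!/bin/sh
# Illustration of the HMC System Manager trust model using OpenSSL rather than
# HMC's key ring files: a CA signs each server's certificate, and a client can
# authenticate a server only if it holds that CA's certificate.
set -e

# Builds an internal CA, a server certificate signed by it, and an unrelated
# second CA, then checks which CA the server certificate verifies against.
# Returns 0 when the signing CA verifies it and the unrelated CA does not.
hmc_trust_demo() {
    work=$(mktemp -d)
    subj_ca="/CN=HMC Internal CA (example)"
    subj_other="/CN=Unrelated CA (example)"
    subj_srv="/CN=hmc-server.example (example)"

    # Internal CA: private key plus self-signed certificate (the CA key ring).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$subj_ca" \
        -keyout "$work/ca.key" -out "$work/ca.crt" >/dev/null 2>&1
    # Server private key and a signing request; the CA-signed certificate and
    # this key are what a server's private key ring holds.
    openssl req -newkey rsa:2048 -nodes -subj "$subj_srv" \
        -keyout "$work/server.key" -out "$work/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$work/server.csr" -CA "$work/ca.crt" \
        -CAkey "$work/ca.key" -CAcreateserial -days 365 \
        -out "$work/server.crt" >/dev/null 2>&1
    # A second CA that never signed anything for this server: a client whose
    # public key ring holds only this CA must reject the server.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$subj_other" \
        -keyout "$work/other.key" -out "$work/other.crt" >/dev/null 2>&1

    trusted=1; untrusted=1
    openssl verify -CAfile "$work/ca.crt" "$work/server.crt" >/dev/null 2>&1 && trusted=0
    openssl verify -CAfile "$work/other.crt" "$work/server.crt" >/dev/null 2>&1 && untrusted=0
    rm -rf "$work"

    # Success only if the signing CA verifies and the unrelated CA rejects.
    [ "$trusted" -eq 0 ] && [ "$untrusted" -ne 0 ]
}
```

Run `hmc_trust_demo && echo "server authenticated only by its signing CA"` to see the check pass.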
Overview and Status
The Overview and Status window displays the following information about the secure system manager server:
- Whether the secure system manager server is configured.
- Whether the private key for this system manager server is installed.
- Whether this system is configured as a Certificate Authority.
Certificate Authority Tasks
Configuring HMC System Manager servers and clients for secure operation
Configuring the HMC system manager servers and clients involves the following tasks:
- Configure an HMC system as a Certificate Authority.
  The Certificate Authority verifies the identities of the HMC servers to ensure secure communications between clients and servers. The following procedure defines a system as an internal Certificate Authority and creates a public key ring file for the Certificate Authority that you can distribute to all of the clients that access the HMC servers.
  - Log on as the hscroot user at the machine being defined as the internal Certificate Authority, then start HMC.
  - In the navigation area, select System Manager Security, then select Certificate Authority.
  - In the System Manager Security:Certificate Authority window, select Configure This System as a Web-based System Manager Certificate Authority.
  - Use the wizard to complete the task.
- Generate private key ring files for your servers.
  Each HMC server must have its private key and a certificate of its public key signed by a Certificate Authority that is trusted by the HMC clients. The private key and the server certificate are stored in the server's private key ring file.
  - In the System Manager Security:Certificate Authority window, select Generate Servers' Private Key Ring Files.
  - In the Password dialog, type the certificate authority private key file password, then click OK.
  - In the Generate Server's Private Key Ring Files dialog, use the dialog help to guide you through completing the task.
- Install the private key ring files and configure your servers as secure system manager servers.
  - Copy the servers' private key ring files to a tar diskette.
    - In the navigation area, select Certificate Authority.
    - In the System Manager Security:Certificate Authority window, select Copy Servers' Private Key Ring files to diskette.
    - When the Copy Servers' Private Key to Diskette dialog displays, insert a diskette. Use the dialog help to guide you through completing the task.
  - Install the private key ring files from the tar diskette onto each server. Repeat the following steps for every server for which you generated a private key ring file.
    - In the navigation area, select Server Security.
    - In the System Manager Security:Server Security window, select Install the private key ring for this server.
    - When the Install Private Key Ring File dialog displays, insert the tar diskette, then select tar diskette as the source for the server private key ring files. Use the dialog help to guide you through completing the task.
  - Configure the system as a secure system manager server. Repeat the following steps for every server on which you installed a private key ring file.
    - In the System Manager Security:Server Security window, select Configure this system as a Secure Web-based System Manager Server.
    - Use the wizard to complete the task.
- Distribute the Certificate Authority's public key to your clients.
  Each client must have a copy of the Certificate Authority's public key ring file (SM.pubkr) installed in its System Manager codebase directory. You can copy the public key ring file from the Certificate Authority to a tar diskette or as a PC DOS file, then copy it from the diskette onto an HMC client, AIX client, or a PC client.
  - Copy the Certificate Authority's public key ring file to diskette.
    - In the navigation area, select System Manager Security, then select Certificate Authority.
    - In the System Manager Security:Certificate Authority window, select Copy this Certificate Authority's Public Key Ring File to diskette.
    - When the Copy CA Public Key to Diskette dialog displays, insert a diskette. Use the dialog help to guide you through completing the task.
  - Copy the Certificate Authority's public key ring file from diskette onto a client.
    - To copy the Certificate Authority's public key ring file from diskette to an HMC client:
      - In the System Manager Security:Certificate Authority window, select Copy another Certificate Authority's Public Key Ring File from diskette.
      - When the Copy CA Public Key from Diskette dialog displays, insert the diskette that contains the Certificate Authority's public key ring file. Use the dialog help to guide you through completing the task.
    - To copy the Certificate Authority's public key ring file from a tar diskette to an AIX client, you can use the tar command to extract the SM.pubkr file to the /usr/websm/codebase directory.
    - To copy a Certificate Authority's public key ring file from diskette to a PC Client, you can use a DOS copy command to copy the SM.pubkr file to the Program Files/websm/codebase directory.
Displaying the Certificate Authority's properties
The Certificate Authority Properties dialog displays read-only information about the Certificate Authority such as its distinguished name, organization name, ISO country code, creation date, expiration date, and fingerprint.
To display the properties of a Certificate Authority:
- In the navigation area, select System Manager Security, then select Certificate Authority.
- In the System Manager Security:Certificate Authority window, select Properties. You can also select Properties... from the Certificate Authority menu.
To view help in the dialog, click Help to open the Help window, then move the cursor over the item for which you want to display help.
Configuring a system as a System Manager Certificate Authority
A Certificate Authority verifies the identities of the HMC servers to ensure secure communications between clients and servers. This procedure defines a system as an internal Certificate Authority for HMC security and creates a public key ring file for the Certificate Authority that you can distribute to all of the clients that access the HMC servers.
To define a system in the network as a Certificate Authority, you must be logged on as the hscroot user at the machine being defined as the internal Certificate Authority.
To configure a system as a Certificate Authority:
- In the navigation area, select System Manager Security, then select Certificate Authority.
- In the System Manager Security:Certificate Authority window, select Configure This System as a Web-based System Manager Certificate Authority. You can also select Configure... from the Certificate Authority menu.
- Use the wizard panels to complete the task.
Unconfiguring a Certificate Authority
To unconfigure a system as a Certificate Authority:
- In the navigation area, select System Manager Security, then select Certificate Authority.
- In the System Manager Security:Certificate Authority window, select Unconfigure Certificate Authority. You can also select Unconfigure... from the Certificate Authority menu.
- In the Unconfigure Certificate Authority dialog, click OK. This action removes the definition of the system as an internal Certificate Authority and deletes the Certificate Authority private key ring file and the certificate number file.
To view help in the dialog, click Help to open the Help window, then move the cursor over the item for which you want to display help.
Generating private key ring files for your servers
After you define the internal Certificate Authority server, you can create the private key ring files for your servers.
To generate the server's private key ring files:
- In the navigation area, select System Manager Security, then select Certificate Authority.
- In the System Manager Security:Certificate Authority window, select Generate Servers' Private Key Ring Files. You can also select Generate Keys... from the Certificate Authority menu.
- In the Password dialog, type the certificate authority private key file password, then click OK. This password was created when the system was configured as the Certificate Authority.
- In the Generate Server's Private Key Ring Files dialog, use the help to guide you through completing the task. To view help in the dialog, click Help to open the Help window, then move the cursor over the item for which you want to display help. When you are finished, click OK.
A private key ring file is created for each server that you specified.
Copying the Certificate Authority's public key ring file to diskette
Each client must have a copy of the Certificate Authority's public key ring installed in its System Manager codebase directory. The public key ring file can be copied to diskette as a tar file or as a PC DOS file, then copied from the diskette onto a client.
To copy the Certificate Authority's public key ring file to diskette:
- In the navigation area, select System Manager Security, then select Certificate Authority.
- In the System Manager Security:Certificate Authority window, select Copy this Certificate Authority's Public Key Ring File to diskette. You can also select Copy out CA Public Key... from the Certificate Authority menu.
- When the Copy CA Public Key to Diskette dialog displays, insert a diskette.
- Select the type of client on which the copied public key ring file will be installed:
  - HMC or AIX client: Writes the file to diskette using the tar command
  - PC client: Writes the file to a DOS format file
  Use the help to guide you through completing the task. To view help in the dialog, click Help to open the Help window, then move the cursor over the item for which you want to display help.
- Click OK to copy the public key ring file.
Copying the Certificate Authority's public key ring file from diskette to a client
Each client must have a copy of the Certificate Authority's public key ring installed in its System Manager codebase directory. The public key ring file can be copied from a diskette to an HMC system, AIX system, or PC that will be used as a client.
To copy a Certificate Authority's public key ring file from diskette to an HMC client:
- In the navigation area, select System Manager Security, then select Certificate Authority.
- In the System Manager Security:Certificate Authority window, select Copy another Certificate Authority's Public Key Ring File from diskette. You can also select Copy in CA Public Key... from the Certificate Authority menu.
- When the Copy CA Public Key from Diskette dialog displays, insert the diskette that contains the Certificate Authority's public key ring file.
  To view help in the dialog, click Help to open the Help window, then move the cursor over the item for which you want to display help.
- Click OK to copy the public key ring file. The Working dialog displays detailed information as the copy occurs.
To copy the Certificate Authority's public key ring file from a tar diskette to an AIX client, you can use the tar command to extract the SM.pubkr file to the /usr/websm/codebase directory.
To copy a Certificate Authority's public key ring file from diskette to a PC Client, you can use a DOS copy command to copy the SM.pubkr file to the Program Files/websm/codebase directory.
Copying the servers' private key ring files to diskette
This procedure copies the servers' private key ring files to a tar diskette so that you can install them on all your HMC servers.
To copy the servers' private key ring files to a diskette:
- In the navigation area, select System Manager Security, then select Certificate Authority.
- In the System Manager Security:Certificate Authority window, select Copy Servers' Private Key Ring files to diskette. You can also select Copy servers' keys... from the Certificate Authority menu.
- When the Copy Servers' Private Key to Diskette dialog displays, insert a diskette.
  To view help in the dialog, click Help to open the Help window, then move the cursor over the item for which you want to display help.
- Click OK to copy the servers' private key ring files.
Server Security Tasks
Displaying the server's properties
The Server Security Properties dialog displays read-only information about the server such as the server's distinguished name, certificate number, private key information, Certificate Authority distinguished name, creation date, and expiration date.
To display the server's properties:
- In the navigation area, select System Manager Security, then select Server Security.
- In the System Manager Security:Server Security window, select Properties. You can also select View Properties for this Server... from the Server Security menu.
To view help in the dialog, click Help to open the Help window, then move the cursor over the item for which you want to display help.
Installing private key ring files on a server
A server must have a private key ring file installed on it. This file must first be generated (see Generating private key ring files for your servers). This procedure installs the generated private key ring file on a server. Repeat these steps for every server for which you generated a private key ring file.
To install the private key ring files:
- In the navigation area, select System Manager Security, then select Server Security.
- In the System Manager Security:Server Security window, select Install the private key ring for this server. You can also select Install key... from the Server Security menu.
- When the Install Private Key Ring File dialog displays, insert the tar diskette, then select tar diskette as the source for the server private key ring files.
  Use the help to guide you through completing the task. To view help in the dialog, click Help to open the Help window, then move the cursor over the item for which you want to display help.
- Click OK.
Configuring a system as a secure server
This procedure defines a system as a secure server. Before you can perform this task, you must first have completed the following tasks:
- Generate or obtain a private key ring file
- Install the private key ring file
Repeat these steps for every server on which you installed a private key ring file.
To configure a server as a secure server:
- In the navigation area, select System Manager Security, then select Server Security.
- In the System Manager Security:Server Security window, select Configure this system as a Secure Web-based System Manager Server. You can also select Configure... from the Server Security menu.
- Use the wizard panels to complete the task.
Object Manager Security
Configure Object Manager Security
The HMC Object Manager Security mode can be configured as either Plain Socket or Secure Sockets Layer (SSL). By default, Plain Sockets mode is used. For SSL mode, the Object Manager reuses the HMC System Manager server's private key ring. Make sure that both the server's private key ring and the CA's public key ring are installed before establishing the SSL connection. To do so, see Server Security Tasks and Certificate Authority Tasks.
To configure the Object Manager Security mode:
- In the navigation area, select System Manager Security, then select Object Manager Security.
- In the System Manager Security:Object Manager Security window, select Configure Object Manager Security. You can also select Configure... from the Object Manager Security menu.
- When the Configure Object Manager Security dialog displays, select either Plain Socket or Secure Sockets Layer.
- Click OK.