HP

System Management Homepage


Local Server Certificate

The Local Server Certificate link enables you to use certificates that are not generated by HP.

If you use the following process, the self-signed certificate that was generated by the HP SMH is replaced with one issued by a certificate authority (CA).

  • The first step of the process is to cause the HP SMH to create a Certificate Request (PKCS #10). This request uses the original private key associated with the self-signed certificate and generates data for the certificate request. The private key never leaves the server during this process.

  • After the PKCS #10 data is created, the next step is to send it to a certificate authority. Follow your company policies for sending certificate requests and receiving certificates securely.

  • After the certificate authority returns the PKCS #7 data, the final step is to import this into HP SMH.

  • After the PKCS #7 data is imported, the original \hp\sslshare\cert.pem certificate file for Windows and /opt/hp/sslshare/cert.pem (/etc/opt/hp/sslshare/cert.pem in HP SMH 2.1.3 and later on Linux x86 and x86-64) is overwritten with the system certificate from the PKCS #7 data envelope. The new imported certificate uses the same private key as the previous self-signed certificate. This private key is randomly generated at startup when no key file exists.

To create a certificate:

  1. Select Settings from the menu.

  2. In the System Management Homepage box, click the Security link.

  3. Click the Local Server Certificate link.

  4. Replace the default values in the Organization or Organizational Unit fields in the Create PKCS #10 Data box with your values, up to 64 characters.

    If not specified, they are filled in with Hewlett-Packard Company for the Organization and Hewlett-Packard Network Management Software (SMH) for the Organizational Unit.

  5. Click [Create] in the Create PKCS #10 Data box.

    A screen appears indicating that the PKCS #10 Certificate Request data has been generated and stored in /etc/opt/hp/sslshare/req_cr.pem on Linux x86 and x64, and systemdrive:\hp\sslshare\req_cr.pem for Windows.

  6. Copy the certificate data.

  7. Use a secure method to send PKCS #10 certificate request data to a certificate authority, request the certificate request reply data in PKCS #7 format, and request that the reply data is in Base64-encoded format.

    If your organization has its own Public Key Infrastructure (PKI) or Certificate Server implemented, send the PKCS #10 data to the CA manager and request the PKCS #7 reply data.

    A third-party certificate signer generally charges a fee.

  8. When the certificate signer sends the PKCS #7 encoded certificate request reply data to you, copy this data from the PKCS #7 certificate request reply and paste it into the PKCS #7 information field in the Import PKCS #7 Data box.

  9. Click [Import].

    A message appears indicating whether the customer-generated certificate was imported.

    If for any reason the HP SMH self-signed certificate gets corrupted or deleted, a new self-signed certificate is created with default settings, in which a few of the fields like the Country, State, and Location are hard-coded regardless of where the target system is geographically located.

    To modify these fields, a command-line option is available. Run the following command to modify the Country, State, and Location:

        smhconfig -N|| --certificate-locality[=] LOCALITYINFO

    where LOCALITYINFO is the locality information in Country; State; Locality format.

  10. Restart HP SMH.

  11. Browse to the managed system that contains the imported certificate.

  12. When prompted by the browser, choose to view the certificate and verify that the signer is listed as the signer you used, and not HP, before importing the certificate into your browser.

    If the certificate signer you choose sends you a certificate file in Base64-encoded form instead of PKCS #7 data, copy the Base64-encoded certificate file to /etc/opt/hp/sslshare/cert.pem on Linux x86 and x64, and systemdrive:\hp\sslshare\cert.pem for Windows; then restart HP SMH.
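A check that fits between steps 8 and 9, added here as an example and not part of HP's documentation: it confirms that the PKCS #7 reply contains a certificate for the same key as the PKCS #10 request, and prints that certificate's issuer so the signer can be confirmed before import. The function names, subject names, file names other than req_cr.pem and cert.pem, and the toy CA are constructed for the demo; the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example, not HP code. Checks a CA's PKCS #7 reply against the PKCS #10
# request before pasting it into the Import PKCS #7 Data box.

# Print the issuer of the certificate in REPLY whose public key equals the key
# in REQUEST. Returns 1 when no certificate in the reply carries that key.
matching_issuer() {  # usage: matching_issuer REQUEST.pem REPLY.p7b
  want=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
  tmp=$(mktemp -d) || return 2
  # A reply may hold a whole chain; split it into one file per certificate.
  openssl pkcs7 -in "$2" -print_certs 2>/dev/null | awk -v d="$tmp" '
    /BEGIN CERTIFICATE/ { n++; on = 1 }
    on                  { print > (d "/c" n ".pem") }
    /END CERTIFICATE/   { on = 0 }'
  rc=1
  for c in "$tmp"/c*.pem; do
    [ -f "$c" ] || continue
    if [ "$(openssl x509 -in "$c" -noout -pubkey)" = "$want" ]; then
      openssl x509 -in "$c" -noout -issuer -nameopt RFC2253
      rc=0
    fi
  done
  rm -rf "$tmp"
  return "$rc"
}

# Build constructed demo material in DIR: a request, a toy CA, a good reply
# (CA certificate plus server certificate) and a reply that lacks our key.
make_demo() {  # usage: make_demo DIR
  ( cd "$1" || exit 1
    openssl req -new -newkey rsa:2048 -nodes -keyout srv.key -out req_cr.pem \
      -subj "/O=Example Org/OU=Ops/CN=smh.example.test"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
      -subj "/CN=Demo Issuing CA" -days 1
    openssl x509 -req -in req_cr.pem -CA ca.pem -CAkey ca.key \
      -CAcreateserial -out cert.pem -days 1
    openssl crl2pkcs7 -nocrl -certfile ca.pem -certfile cert.pem -out good.p7b
    openssl crl2pkcs7 -nocrl -certfile ca.pem -out wrong.p7b
  ) >/dev/null 2>&1
}

demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
make_demo "$demo"
matching_issuer "$demo/req_cr.pem" "$demo/good.p7b"  || echo "good reply: NO MATCH"
matching_issuer "$demo/req_cr.pem" "$demo/wrong.p7b" || echo "wrong reply: no certificate for our key"
```

On a managed system, pass the req_cr.pem path from step 5 and a file holding the Base64-encoded PKCS #7 reply; a non-zero return means the reply should not be imported.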
