Secure Sockets Layer (SSL) encryption and server certificates

HPE Service Manager supports Secure Hypertext Transfer Protocol (HTTPS), which encrypts and decrypts message requests and responses. Service Manager uses Secure Sockets Layer (SSL) for encryption only and relies on the server to authenticate each operator's user name and password. Service Manager supports SSL for the following connections:

  • SSL on the Service Manager server to encrypt all communications between clients and the server.
  • SSL on Service Manager clients to verify the client's identity and limit server connections to these identified clients.

Enabling SSL on the Service Manager server

The primary reason to enable SSL on the Service Manager server is to protect operator user names and passwords that Service Manager clients send with each request as part of an HTTP Basic Authorization header. You can enable SSL on the Service Manager server but not require each client to present an individual client certificate. When you enable SSL on the server only, clients connect to the server using anonymous SSL.

Enabling SSL on Service Manager clients

The primary reason to enable SSL on Service Manager clients is to restrict access to the server to only those clients known and identified by the server. Enabling client-side SSL requires creating or purchasing signed certificates for each Service Manager client. The Service Manager Web Tier can share a single signed certificate for all Web Client connections. If you enable client-side SSL, HPE recommends that you also enable server-side SSL to encrypt all communications between clients and the server.

The client/server SSL handshake process

During the client/server handshake process, the client looks at the server certificate, determines which certificate authority signed the certificate, and compares the certificate signature to a list of trusted certificate authorities identified in the cacerts file. Service Manager includes a sample server certificate signed by a fictitious certificate authority and also includes a modified cacerts file that includes the certificate for the fictitious certificate authority.

The client also compares the IP address or host name of the server to the address recorded in the server certificate. If they do not match, an alert appears and the user can stop the connection. When you start a new installation of Service Manager, it suppresses these alerts. To ensure a secure environment, remove the sample server certificate, install an actual certificate, and modify the cacerts file to list the appropriate certificate authority.
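
The two server modes and the client-side handshake checks described above can be sketched with Python's standard `ssl` module. This is an added example, not Service Manager code or configuration: the function names and the sample certificate are hypothetical, and Python's TLS stack stands in for the Java one that reads the cacerts file.

```python
import ipaddress
import ssl

def server_context(require_client_cert):
    """Server policy: anonymous SSL versus certificate-identified clients."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    # CERT_NONE: server-only SSL, traffic is encrypted but any client may connect.
    # CERT_REQUIRED: handshake fails unless the client presents a trusted certificate.
    # (Loading the server's own certificate and key is omitted in this sketch.)
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_NONE
    return ctx

def strict_client_context():
    """Client policy that aborts the handshake instead of raising a dismissible alert."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True            # address in the certificate must match the server
    ctx.verify_mode = ssl.CERT_REQUIRED  # signing CA must be in the trust store
    return ctx

def _dns_match(pattern, host):
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":                      # wildcard covers exactly one leftmost label
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def name_matches(cert, server_addr):
    """Compare the address the client dialed with the certificate's subjectAltName."""
    try:
        ip = ipaddress.ip_address(server_addr)
    except ValueError:
        ip = None                        # not an IP literal, treat as a host name
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, server_addr):
            return True
    return False

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
SAMPLE_CERT = {"subjectAltName": (("DNS", "sm.example.test"),
                                  ("DNS", "*.svc.example.test"),
                                  ("IP Address", "192.0.2.10"))}
```

A client that connects by IP address passes the name check only if that address is listed in the certificate, which is a common cause of the mismatch alert once the sample certificate has been replaced.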