


Yvan does a nice job here but there is one additional option: You can purchase a trusted certificate and import that into the HMC.

As Nathan says in a following post, don't worry too much about this because it is just internal usage. But if you must fix it then these are your choices!

- Larry "DrFranken" Bolhuis

www.frankeni.com
www.iDevCloud.com
www.iInTheCloud.com

On 7/17/2013 5:26 PM, Yvan Janssens wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


Hello,

This error occurs because your browser doesn't trust the web server at
the HMC.

HTTPS works with SSL certificates, which basically consist of a
system of proving your identity. The Root Certificate Authority issues
certificates for Canonical Names (which is most probably the DNS name
of your web server when using HTTPS).
Translated to human terms, you can see a CA as a government, and a
certificate as an ID card: it is a proof that the CA recognizes your
identity and trusts you as a user. This way other people visiting the
server can be sure that the server is who he claims to be, after all,
the users trust the certificate authority and the CA trusts the server
using that certificate.

You can read more about that over here:
http://www.techrepublic.com/article/a-beginners-guide-to-public-key-infrastructure/

There are several tutorials/articles about PKI (Public Key
Infrastructure) on the Internetworks; try to read through a few till
you think you have an idea of what is going on.

To solve your problem, you must convince your browser that the Web
Server on the HMC is trusted, and there are a few ways to do this:

1. Confirm the exception every time.
This is what you do now, the browser doesn't trust the certificate,
since it doesn't know the Root CA (or the authority issuing the
certificate). In this case this is not IBM, but the server itself,
since it will use what they call a "self signed certificate" - this
means that the server uses a certificate trusted by the certificate
itself, which conforms to that you show a self-written note to the
customs office at the border of a country saying "I am a citizen of
Yvania. Signed, Yvan Janssens".

Since this basically proves nothing, since nobody would trust me that
I say that I am a citizen of Yvania, this has little value to
validating my identity, but on a computer this is also used to encrypt
the communication to the HTTPS service. This way nobody on the network
can read e.g. the login when the username/password is sent to the HMC
over the network, without putting a significant effort in it.

2. Use your company's PKI (if you have one).

Many corporations have a local CA, which is used for internal network
services. During the deployment/installation of devices to be used on
the network, this CA is trusted by the system administrator installing
the system. This way your local security officer or CISO can create
certificates which are trusted inside the office (since certificates
from a root CA such as GoDaddy/Verisign cost $$$$ each certificate,
and require special set up for each server according to their
requirements for being able to use the certificate).

Try to reach for your local security contact at the company you work
for, and ask about how to use PKI/HTTPS, and he'd be glad to help you
out - many CISOs/SecOfrs shudder at the thought of someone logging in
to a web server at the local network without using HTTPS, so you might
use that to your advantage.

3. Put the HMC certificate in the trusted store of your local computer.

This requires considerable effort and reduces maintainability, since
this action must be carried out for every HMC you use, and every
laptop/desktop/tablet/<insert other device accessing the web interface
here>. Information about this can be found at


http://blogs.adobe.com/livecycle/2012/04/rights-management-how-to-get-windows-7-to-trust-a-self-signed-server-certificate.html



I hope you understand the use of HTTPS/SSL/PKI a little bit now,
and/or have pointers on where to look for when seeking
help/documentation/clarification. It is a tedious and quite
complicated thing, but you don't need to know every technical detail
of it to use it correctly.

As a sidenote, this email is signed using PGP - which uses a similar
system. The text in front and after my message contain the data from
which an email client with PGP support can be very assured that I sent
this email, and that nobody else spoofed my email address to send you
this message.


Yvan

PS: I work as a security engineer at a +12000 employee company, don't
hesitate to email specific questions related to this subject/this case
in reply to this thread.


On 17/07/13 22:01, Eric Lehti wrote:
I assume that your HMC displays the same behavior as mine when:

in web browser, I get to my HMC at https://10.0.0.105

The messages shown below appear, and I

click on: 'Continue to this website (not recommended)'

so as to get to the HMC admin screen.

Eric



IBM tech support explained to me long ago that the caution message
occurs because of the certificate IBM uses.

So, do you experience this with your HMC also, or did you manage
to eliminate the message?



<begin>

There is a problem with this website's security certificate.

The security certificate presented by this website was not issued
by a trusted certificate authority.

The security certificate presented by this website was issued for
a different website's address.



Security certificate problems may indicate an attempt to fool you
or intercept any data you send to the server.

We recommend that you close this webpage and do not continue to
this website.

Click here to close this webpage.

Continue to this website (not recommended).

</end>




-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

-----END PGP SIGNATURE-----
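
An added example, not part of the original posts: the openssl commands below reproduce the two browser warnings quoted in the thread (untrusted issuer, wrong address) and show which of the listed options clears each one. The names hmc.example.internal and "Example Internal CA" are constructed; 10.0.0.105 is the address from the thread.

```sh
#!/bin/sh
# Added example. hmc.example.internal and "Example Internal CA" are constructed
# names; 10.0.0.105 is the HMC address quoted in the thread.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
gen() { openssl req -newkey rsa:2048 -nodes "$@" 2>/dev/null; }

# Option 1's situation: the server vouches for itself (issuer == subject).
gen -x509 -days 30 -subj "/CN=hmc.example.internal" \
    -keyout "$WORK/self.key" -out "$WORK/self.pem"

# Option 2: an internal root CA issues the HMC certificate, and the
# subjectAltName lists every name and address users type into the browser.
gen -x509 -days 30 -subj "/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem"
gen -subj "/CN=hmc.example.internal" \
    -keyout "$WORK/hmc.key" -out "$WORK/hmc.csr"
printf 'subjectAltName=DNS:hmc.example.internal,IP:10.0.0.105\n' > "$WORK/san.ext"
openssl x509 -req -in "$WORK/hmc.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/san.ext" -out "$WORK/hmc.pem" 2>/dev/null

# is_self_signed CERT: true when issuer and subject are the same name.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')" = \
    "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')" ]
}

# trusted ANCHOR CERT [verify options]: true when CERT chains to ANCHOR
# (the stand-in for a browser trust store) and passes any extra checks.
trusted() {
  anchor=$1; cert=$2; shift 2
  openssl verify -CAfile "$anchor" "$@" "$cert" >/dev/null 2>&1
}

report() { label=$1; shift; if "$@"; then echo "$label: yes"; else echo "$label: no"; fi; }
report "self-signed cert is its own issuer" is_self_signed "$WORK/self.pem"
report "self-signed cert trusted via company CA" trusted "$WORK/ca.pem" "$WORK/self.pem"
report "self-signed cert trusted once imported (option 3)" \
    trusted "$WORK/self.pem" "$WORK/self.pem"
report "imported self-signed cert valid for 10.0.0.105" \
    trusted "$WORK/self.pem" "$WORK/self.pem" -verify_ip 10.0.0.105
report "CA-issued cert trusted and valid for 10.0.0.105" \
    trusted "$WORK/ca.pem" "$WORK/hmc.pem" -verify_ip 10.0.0.105
```

Importing the self-signed certificate clears only the "not issued by a trusted certificate authority" warning; the "issued for a different website's address" warning remains until the certificate itself lists the address being browsed to.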

