Automatic initial trust
The automatic initial trust approach applies to devices such as server hardware, frame link modules, and HPE Synergy 12Gb SAS Connection Modules that use self-signed certificates. These devices are added to HPE OneView using a discovery process.
During the first discovery of the device, HPE OneView automatically adds the self-signed certificate of the device to the HPE OneView trust store. For this approach to be secure from man-in-the-middle attacks, the initial discovery has to be done in an isolated network segment. If not, you must validate the authenticity of the device certificates after the fact and out-of-band. The ease with which the authenticity is validated depends on the device. This approach only works for devices that allow you to securely view the certificate fingerprint for the device.
The automatic initial trust approach is used when HPE OneView first communicates with a device. Once the device is discovered or managed, if the self-signed certificate changes, HPE OneView is unable to communicate with the device. An alert is generated asking the administrator to add the new certificate for the device to the HPE OneView trust store.
Discovery
Firmware upgrade (when the firmware version is upgraded from a version earlier than 1.5.x).
Appliance upgrade (when the version is upgraded from a version earlier than HPE OneView 5.0).
1. Securely obtain the certificate fingerprint for the device using one of the prescribed methods in the following sections.
2. Compare the fingerprint you have obtained to the one from the device's certificate stored in the HPE OneView trust store after HPE OneView has discovered or added the device. Use the Settings > Security > Manage Certificates screen to view the certificates in the HPE OneView trust store.
3. If the fingerprints match, communications between HPE OneView and the device are secure.
4. If the fingerprints do not match, either the device certificate was changed after the initial communication session with HPE OneView or there is a possible man-in-the-middle attack.
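The trust-on-first-use behaviour described above (pin the self-signed certificate on first discovery, refuse and alert when it later changes, and check the pinned fingerprint against one read out-of-band from the device console) can be modelled in a few dozen lines. The following is an added example written for this page, not HPE OneView code or any HPE API: the trust-store class, the device names and the PEM blobs are all constructed for illustration, and the PEM bodies are stand-in byte strings rather than real X.509 certificates (a fingerprint is just the SHA-256 of the DER bytes, so the comparison logic is the same either way).

```python
"""Trust-on-first-use certificate store with out-of-band fingerprint checks.

Added example for this page; it is not HPE OneView code.  It models the
behaviour the text describes: the first discovery pins a device's
self-signed certificate, a later change is refused and raises an alert,
and the pinned fingerprint can be compared with one obtained out-of-band
(for example read from the device console) in whatever format that
console displays it.
"""
import base64
import hashlib
import hmac
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to DER bytes."""
    body = pem.strip()
    if not (body.startswith(PEM_HEADER) and body.endswith(PEM_FOOTER)):
        raise ValueError("not a PEM certificate")
    b64 = body[len(PEM_HEADER):-len(PEM_FOOTER)]
    return base64.b64decode("".join(b64.split()))


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated upper-case form most
    device consoles display, e.g. 'AB:CD:...' (64 hex digits, 31 colons)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop separators and whitespace and fold case, so a fingerprint typed
    from a console ('ab cd ...') compares equal to the appliance's 'AB:CD:...'."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def fingerprints_match(a: str, b: str) -> bool:
    """Constant-time comparison of two fingerprints in any display format."""
    return hmac.compare_digest(normalize(a), normalize(b))


class CertificateChanged(Exception):
    """Raised when a device presents a certificate other than the pinned one."""


class TrustStore:
    """Minimal trust-on-first-use store keyed by a device identifier."""

    def __init__(self) -> None:
        self._pinned: dict[str, str] = {}   # device id -> pinned fingerprint
        self.alerts: list[str] = []          # alerts raised for the administrator

    def discover(self, device_id: str, pem: str) -> str:
        """First contact pins the certificate (automatic initial trust);
        any later contact must present the same certificate."""
        fp = fingerprint(pem_to_der(pem))
        pinned = self._pinned.get(device_id)
        if pinned is None:
            self._pinned[device_id] = fp
            return fp
        if fingerprints_match(pinned, fp):
            return fp
        # Communication with the device must stop until an administrator
        # has validated and explicitly accepted the new certificate.
        self.alerts.append(f"{device_id}: certificate changed; "
                           f"pinned {pinned}, presented {fp}")
        raise CertificateChanged(device_id)

    def pinned_fingerprint(self, device_id: str) -> str:
        return self._pinned[device_id]

    def verify_out_of_band(self, device_id: str, console_fp: str) -> bool:
        """Step 2/3 of the procedure: compare the pinned fingerprint with one
        read securely from the device itself (console, isolated browser)."""
        return fingerprints_match(self._pinned[device_id], console_fp)

    def accept_new_certificate(self, device_id: str, pem: str) -> str:
        """Administrator action after validating a changed certificate."""
        fp = fingerprint(pem_to_der(pem))
        self._pinned[device_id] = fp
        return fp


def _fake_pem(seed: bytes) -> str:
    """Build a constructed stand-in PEM blob (NOT a real certificate)."""
    body = base64.b64encode(hashlib.sha256(seed).digest() * 2).decode()
    return f"{PEM_HEADER}\n{body}\n{PEM_FOOTER}\n"


# Constructed sample data: the certificate an iLO presents at first
# discovery, and a different one it might present after a reset.
ILO_CERT_V1 = _fake_pem(b"constructed: frame1 bay1 iLO cert v1")
ILO_CERT_V2 = _fake_pem(b"constructed: frame1 bay1 iLO cert v2")


if __name__ == "__main__":
    store = TrustStore()
    dev = "frame1-bay1-iLO"        # hypothetical device name
    fp = store.discover(dev, ILO_CERT_V1)
    print("pinned on first discovery:", fp)
    print("console fingerprint matches:", store.verify_out_of_band(dev, fp.lower()))
    try:
        store.discover(dev, ILO_CERT_V2)
    except CertificateChanged:
        print("alert:", store.alerts[-1])
```

The two things worth noticing are that the out-of-band check normalises whatever format the console shows before comparing (so a mismatch is a real mismatch, not a formatting difference), and that a changed certificate is never silently re-pinned: the store stops trusting the device and leaves an alert for the administrator, which is the behaviour the text describes for HPE OneView.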
Synergy frame link topology
To establish initial trust in an HPE Synergy system using only self-signed certificates, perform hardware discovery of the initial frame link topology before connecting the frame link modules to the management network. When all the devices are isolated from the management network, there is no possibility of a man-in-the-middle attack and all the self-signed certificates are stored securely in the HPE OneView trust store.
NOTE: This approach is only applicable during setup of the original frame link topology. As additional frames, remote frame link topologies, or additional compute modules are inserted, the self-signed certificates for those devices must be individually validated using the automatic initial trust approach.
For Synergy Gen10 compute modules
SSH to HPE OneView and use the following command to connect serially to each of the iLOs and obtain the certificate fingerprint:

    cd /map1/sslcert1/
    hpiLO show

In order for the SSH connection itself to be trusted, the HPE OneView SSH host key must be saved during the initial Synergy configuration, before the frame link topology is connected to the management network. This approach only works for compute modules in the 'Production' security mode of the iLO. Alternate approaches require that the iLO be isolated from the management network as described in the Gen9 compute modules section.
For Synergy Gen9 compute modules
For the Gen9 compute module, the only way to securely obtain a self-signed certificate is to connect to the iLO when the frame is isolated from the frame link topology and is disconnected from the management network. Connect a device with a web browser (such as a laptop) to the management network port of the iLO and browse each iLO to view its certificate fingerprint.
Frame Link Modules
The console user interface of the Frame Link Module displays the fingerprint of its certificate. Frame Link Modules are automatically trusted initially and also after a factory reset of the Frame Link Module.

