Automatic initial trust

The automatic initial trust approach applies to devices such as server hardware and onboard administrators (OA) that use self-signed certificates and are added to HPE OneView using a discovery process.

During the first discovery of the device, HPE OneView automatically adds the device's self-signed certificate to the HPE OneView trust store. This is secure against man-in-the-middle attacks only if the initial discovery is performed on an isolated network segment. Otherwise, you must validate the authenticity of the device certificate after the fact and out of band. How easy that is depends on the device: after-the-fact validation is only possible for devices that let you securely view the fingerprint of their certificate.

NOTE:

The automatic initial trust approach is used when HPE OneView first communicates with a device. After the device has been discovered or is being managed, if its self-signed certificate changes (for example, because the device was reset or its certificate was regenerated), HPE OneView can no longer communicate with it. An alert is generated asking the administrator to add the new certificate for the device to the HPE OneView trust store. Treat such an alert like a first discovery: verify the fingerprint of the new certificate out of band before adding it.

To securely validate the certificate fingerprint and import the self-signed certificate for key HPE OneView devices, follow these steps:
  • Securely obtain the certificate fingerprint for the device using one of the prescribed methods in the following sections.

  • Compare the fingerprint you have obtained to the one from the device's certificate stored in the HPE OneView trust store after HPE OneView has discovered or added the device. Use the Settings > Security > Manage Certificates screen to view the certificates in the HPE OneView trust store. Make sure you compare digests of the same algorithm (for example, SHA-256 with SHA-256) and the full digest, not just the leading bytes.

  • If the fingerprints match, the certificate in the trust store is the one the device actually holds, and HPE OneView is communicating with the genuine device rather than with an intermediary.

  • If the fingerprints do not match, either the device certificate was changed after the initial communication with HPE OneView or a man-in-the-middle attack may be in progress. Do not treat the device as trusted until the discrepancy is explained and the correct certificate is in the trust store.
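The comparison in the steps above, and the certificate-change case from the note, as an added example that is not HPE OneView code: a Python script that retrieves the certificate a device presents over TLS, computes its SHA-256 (or SHA-1) fingerprint, and compares it with the fingerprint obtained out of band (serial console, OA user interface, isolated network). The use of port 443, the accepted fingerprint formats, the result labels and the sample inputs in the test are assumptions made for the example, not values from the page.

```python
"""Out-of-band fingerprint check for a device's self-signed TLS certificate.

Added example; not HPE OneView code. Assumptions: the device serves TLS on
port 443, and the administrator already holds the expected fingerprint from an
out-of-band source (serial console, OA UI, isolated network).
"""
import hashlib
import hmac
import socket
import ssl
from typing import Optional

HASHES = ("sha256", "sha1")


def normalize_fingerprint(fp: str) -> str:
    """Canonical form: lowercase hex, no separators or algorithm prefix.

    Accepts the formats devices and browsers display, e.g.
    'SHA256 Fingerprint=AB:CD:...', 'ab cd ...' or 'abcd...'.
    """
    if "=" in fp:
        fp = fp.split("=", 1)[1]
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Hex digest of the DER-encoded certificate; this is what UIs call the fingerprint."""
    if algo not in HASHES:
        raise ValueError(f"unsupported hash {algo!r}")
    return hashlib.new(algo, der).hexdigest()


def fingerprint_matches(expected: str, der: bytes) -> bool:
    """Constant-time comparison of the out-of-band value with the live certificate.

    The digest length selects the algorithm, so the administrator may paste
    either a SHA-256 (64 hex digits) or a SHA-1 (40 hex digits) fingerprint.
    """
    want = normalize_fingerprint(expected)
    algo = {64: "sha256", 40: "sha1"}.get(len(want))
    if algo is None:
        raise ValueError("expected fingerprint is not a SHA-256 or SHA-1 hex digest")
    return hmac.compare_digest(want, fingerprint(der, algo))


def fetch_device_cert(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Retrieve the leaf certificate the device presents, in DER form.

    Chain verification is deliberately disabled: the certificate is self-signed,
    so trust is decided by the fingerprint comparison, not by a CA chain.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_trust(expected: str, der: bytes, pinned: Optional[bytes] = None) -> str:
    """Classify the live certificate the way the procedure on this page does.

    'trusted'  - live fingerprint equals the out-of-band value
    'changed'  - the certificate pinned at discovery no longer matches (the
                 device certificate was reissued, or something is interposed);
                 re-validate out of band before adding the new certificate
    'mismatch' - nothing pinned and the out-of-band value does not match
    """
    if fingerprint_matches(expected, der):
        return "trusted"
    if pinned is not None and pinned != der:
        return "changed"
    return "mismatch"


if __name__ == "__main__":
    import sys

    # usage: python check_fp.py <ilo-or-oa-host> <fingerprint-from-out-of-band-source>
    host, expected = sys.argv[1], sys.argv[2]
    der = fetch_device_cert(host)
    print("live sha256:", fingerprint(der))
    print("result:", check_trust(expected, der))
```

The same live fingerprint can be obtained with OpenSSL for a quick manual check: `openssl s_client -connect <host>:443 -showcerts </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256`. Older firmware may display only a SHA-1 fingerprint; compare whichever digest the device shows, and prefer SHA-256 when both are available.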

Cited below are a few examples:
  • Server iLOs

    For a Gen10 rack mount server

    Connect a serial cable and a terminal to the server. Use the following commands on the iLO CLI to display the fingerprint of the iLO's self-signed certificate:
    cd /map1/sslcert1/hpiLO
    show

    If a serial connection is not available and the SSH host fingerprint has not been verified previously, disconnect the iLO from the management network and connect to it directly from another trusted device on an isolated, protected network. On that isolated network you can establish an SSH connection to the iLO securely and run the commands above. Record the SSH host fingerprint of the iLO so that other administrators can verify the SSH connection later, after the iLO is placed back on the management network.

    For Gen9 and earlier rack mount servers

    For Gen9 and earlier rack mount servers, the iLO command line interface (CLI) is not available. Instead, disconnect the iLO from the management network and set it up temporarily on an isolated network with another client device running a web browser. Use the web browser to connect to the iLO and record the certificate fingerprint.

    For BladeSystem blade servers

    Establish trust with the onboard administrator (OA) and use the OA user interface to connect securely to each of the iLOs and view the certificate fingerprint in a web browser.

  • BladeSystem Onboard Administrators

    The onboard administrator (OA) supports a serial connection, on which the show oa certificate command displays the OA certificate. The OA also has a dedicated, secure service network port for connecting a laptop. A browser on the laptop can display the OA user interface and the OA certificate fingerprint. With that fingerprint verified, you can establish trust between a browser on the management network and the OA. From the OA, you can then connect securely to each iLO and determine its certificate fingerprint using the browser.