| Access | |
| Accounts | - Limit or disable the number of local accounts. Integrate the appliance with an enterprise directory solution such as Microsoft Active Directory or OpenLDAP. Use the enterprise directory features for password expiration, complexity, history, and to disable local users and groups.
If local accounts are used, protect the built-in administrator account with a strong password.
Do not use the built-in Administrator account. All users must log in using their own credentials to facilitate auditing.
|
| Audit logs | |
| Certificates | Use certificates signed by a trusted certificate authority (CA).
HPE OneView uses certificates to authenticate and establish trust relationships. One of the most common uses of certificates is when a connection from a web browser to a web server is established. The machine level authentication is carried out as part of the HTTPS protocol, using SSL. Certificates can also be used to authenticate devices when setting up a communication channel.
The appliance supports self-signed certificates and certificates signed by a CA.
The appliance is initially configured with self-signed certificates for the web server and the State Change Message Bus (SCMB).
The same CA signed appliance certificate used to secure access to HPE
OneView is also used for the SCMB server certificate. A
client certificate is not available for SCMB by default,
but can be generated from the internal HPE OneView CA or
through another trusted CA. Hewlett Packard Enterprise advises customers to examine their security needs (that is, to perform a risk assessment) and consider the use of certificates signed by a trusted CA.
You should use your company's existing custom CA and import their trusted certificates. The trusted root CA certificate must be deployed to both HPE OneView and to the hardware devices that HPE OneView manages. HPE OneView performs the CA-based certificate validation. All the devices that you are connecting to must have certificates that are trusted by that root CA.
If your company does not have its own certificate authority, consider using a commercial CA. There are numerous third-party companies that provide trusted certificates. You will need to work with the external CA to have certificates generated for specific devices and systems and then import these trusted certificates into the components that use them.
As the
Infrastructure administrator, you can generate a certificate signing request (CSR) and, upon receipt, upload the certificate to the appliance web server. This ensures the integrity and authenticity of your HTTPS connection to the appliance. Certificates can also be uploaded for the SCMB.
The following considerations apply when you are looking to replace a self-signed certificate with a commercial CA-signed certificate:
Determine if you want to use commercial CA certificates for all of the devices in your environment, or just the appliance web server certificate.
Determine if you want to use a public key infrastructure (PKI) to generate your own CA-signed certificates, or purchase commercial CA-signed certificates for all your managed devices.
For the appliance web server certificate, you must request the CA to include the following:
Key usage with digital signature.
Key encipherment values.
Extended key usage with
Server Authentication or
Client Authentication as values.
Basic Constraints for
Subject Type with
End Entity as the value.
Expiration or validity of the certificates: Frequently expiring commercial certificates are difficult to manage. Therefore,
Hewlett Packard Enterprise recommends a minimum validity period of one to two years.
The
Subject Alternative Name contains either the host (fully qualified domain name) or resolved IP Address.
NOTE: Wildcard characters in
Subject Alternative Name of the appliance web server certificate are not supported.
Anytime the IP address or hostname of the appliance changes, any CA-signed appliance certificate associated with the appliance is erased, and a new self-signed appliance certificate is generated. In this case, you must generate a new CSR, have it signed by a CA, and import it into the appliance.
If a commercial CA has a chain, such as, root CA and other intermediate CAs, you must load all the certificates in the chain to HPE OneView as the appliance expects all those certificates to be trusted.
The maximum number of certificates that can be present in the certificate chain is nine. The appliance fails to connect to any device or server if it has a certificate chain depth higher than the maximum limit. The maximum certificate chain depth is set by default on the appliance, and cannot be customized by the user.
If you want to perform certificate revocation checks, you must set up Certificate Revocation Lists (CRLs) from the CAs, and refresh them periodically.
|
| Network | Hewlett Packard Enterprise recommends creating a private management LAN and keeping that separate, known as air-gapped, from production LANs, using VLAN or firewall technology (or both).
Management LAN
Connect all management processor devices, including Onboard Administrators, iLOs, and iPDUs to the HPE OneView appliance by using the management LAN.
Grant management LAN access to authorized personnel only. For example,
Infrastructure administrators,
Network administrators, and
Server administrators.
Production LAN
Connect all NICs for managed devices to the production LAN.
Hewlett Packard Enterprise recommends to not connect management systems such as, the appliance, the iLO, and the Onboard Administrator directly to the Internet.
If you require inbound Internet access, use a corporate virtual private
network (VPN) that provides firewall protection. For
outbound Internet access (for example, for Remote
Support), use a secured web proxy.
|
| Passwords | Hewlett Packard Enterprise recommends that you integrate HPE OneView with an enterprise directory such as Microsoft Active Directory or OpenLDAP and disable local HPE OneView accounts, except for the Maintenance Console. Your enterprise directory can then enforce common password management policies such as password lifetime, password complexity, and minimum password length.
The appliance maintenance console uses a local administrator account.
Hewlett Packard Enterprise recommends that you set a password for appliance maintenance console access.
|
| Permissions
| Permissions are used to control user access to the appliance and the resources
managed by the appliance. The Infrastructure administrator grants rights to users
and directory groups by assigning permissions. A permission
consists of a role and an optional scope. The role grants access
to resource categories. Role: HPE OneView defines a set of roles that describe the actions a
user can perform on resource categories. When assigned
to a user or directory group, a role grants the right to
perform actions on categories of resources managed by
the appliance. The Infrastructure administrator role should be
reserved for the highest access. Scope:
Define a scope and assign a subset of resources representing the management domain of one or more users. A scope in a permission further restricts the rights granted by the role to particular resource instances. Thus, it is appropriate to use a common scope in permissions for users with differing roles.
|
| Two-factor authentication | |
| Updates | |
| Virtual Environment | Restrict access to the appliance console to authorized users so that only authorized personnel can initiate
HPE service requests, which can grant privileged access to the appliance.
If you use an Intrusion Detection System (IDS) solution in your environment, ensure that the solution has visibility into network traffic in the virtual switches.
Follow your hypervisor software best practices.
|
