Set up CNSA mode

This procedure is optional. If your HPE OneView appliance is configured in CNSA (Commercial National Security Algorithm) mode, the external repository must be configured for CNSA mode as well, otherwise the appliance cannot negotiate a TLS session with it.

Procedure
  1. Install OpenSSL and mod_ssl (Apache's interface to OpenSSL).

    yum install mod_ssl openssl

  2. In /etc/pki/tls/openssl.cnf, add a Subject Alternative Name (SAN) entry carrying the IP address of the Linux external repository to the section titled [v3_req].

    If it is an IPv4 repository, [v3_req] must look like the following example:

    [v3_req]
    
    # Extensions to add to a certificate request
    
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = IP:172.20.5.55
    

    If it is an IPv6 repository, add the IPv6 address twice: as a DNS entry, enclosed in square brackets, and as an IP entry.

    For example: subjectAltName = DNS:[1::3], IP:1::3

    [v3_req] must look like the following example:

    [v3_req]
    
    # Extensions to add to a certificate request
    
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = DNS:[1::3], IP:1::3

  3. Generate the required certificates for the web server using OpenSSL.

    openssl genrsa -out key.pem 3072
    openssl req -new -sha384 -key key.pem -out certreq.csr -subj '/CN=firmwareRepo/C=US/ST=State/L=City/O=Customer/OU=IT'
    openssl req -x509 -sha384 -key key.pem -out cert.pem -nodes -days 3650 -extensions v3_req -in certreq.csr

  4. Update /etc/httpd/conf.d/ssl.conf and set the allowed protocols in CNSA mode.

    #SSLProtocol all -SSLv2 -SSLv3
    SSLProtocol -all +TLSv1.2

  5. Update /etc/httpd/conf.d/ssl.conf and add the cipher suites.

    #   SSL Cipher Suite:
    #   List the ciphers that the client is permitted to negotiate.
    #   See the mod_ssl documentation for a complete list.
    #SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
    #SSLCipherSuite ECDHE-ECDSA-AES256-SHA:HIGH:MEDIUM:!aNULL:!MD5

    #Setup cipher suites to work with OV in CNSA mode
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384

  6. Copy the generated certificates and key to the correct location.

    cp cert.pem /etc/pki/tls/certs/localhost.crt

    cp key.pem /etc/pki/tls/private/localhost.key

  7. Restart the Apache httpd web server.

    service httpd restart

  8. Connect to the web server using a browser. If you used a self-signed certificate, the browser shows a certificate error. To proceed, accept the certificate exception and confirm that the CN is the one you set in the certificate request (firmwareRepo in the example above).
  9. Optional. Enable CNSA mode in the OS (CentOS) and restart the OS.

    echo 1 > /proc/sys/crypto/cnsa_enabled
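The following script is an added example and is not part of the HPE OneView documentation. It carries out steps 2 and 3 in a scratch directory with a private OpenSSL config instead of editing /etc/pki/tls/openssl.cnf, then checks the properties the procedure depends on: a 3072-bit RSA key, a SHA-384 signature, the expected SAN entry, and that the local OpenSSL build resolves every suite in the step 5 SSLCipherSuite list (OpenSSL ignores unknown names in a cipher list rather than failing, so a typo would otherwise go unnoticed). The function names, scratch paths and sample addresses are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the HPE OneView documentation: build the step 2/3
# certificate in a scratch directory and verify the properties CNSA mode needs.
# Function names, paths and sample addresses are constructed for this example.
set -eu

# Write a minimal OpenSSL config whose [v3_req] section matches step 2.
# Usage: write_repo_cnf <cnf-path> "<subjectAltName value>"
write_repo_cnf() {
    cat > "$1" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]

[v3_req]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = $2
EOF
}

# Generate a 3072-bit RSA key, a SHA-384 CSR and a SHA-384 self-signed
# certificate, as step 3 does, but against the scratch config.
# Usage: make_repo_cert <dir> "<subjectAltName value>"
#   IPv4 repository:  "IP:172.20.5.55"
#   IPv6 repository:  "DNS:[1::3], IP:1::3"
make_repo_cert() {
    dir=$1
    san=$2
    mkdir -p "$dir"
    write_repo_cnf "$dir/openssl.cnf" "$san"
    openssl genrsa -out "$dir/key.pem" 3072 2>/dev/null
    openssl req -new -sha384 -key "$dir/key.pem" -out "$dir/certreq.csr" \
        -config "$dir/openssl.cnf" \
        -subj '/CN=firmwareRepo/C=US/ST=State/L=City/O=Customer/OU=IT'
    openssl req -x509 -sha384 -key "$dir/key.pem" -in "$dir/certreq.csr" \
        -out "$dir/cert.pem" -days 3650 -config "$dir/openssl.cnf" \
        -extensions v3_req
}

# Verify the certificate: RSA 3072-bit key, SHA-384 signature and the SAN
# entry the appliance will compare against the repository address.
# Usage: check_repo_cert <cert.pem> "<SAN text as printed by openssl x509>"
check_repo_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    case $text in *"Public-Key: (3072 bit)"*) ;;
        *) echo "key is not 3072-bit RSA" >&2; return 1 ;; esac
    case $text in *sha384WithRSAEncryption*) ;;
        *) echo "signature is not SHA-384" >&2; return 1 ;; esac
    case $text in *"$2"*) ;;
        *) echo "SAN entry '$2' missing" >&2; return 1 ;; esac
    return 0
}

# Check that the local OpenSSL resolves every name in the step 5 list to an
# ECDHE suite. 'openssl ciphers -v' prints one line per resolved suite with
# Kx=ECDH; TLS 1.3 suites it may append print Kx=any and are not counted.
# Usage: check_cipher_list "<SSLCipherSuite value>"
check_cipher_list() {
    want=$(printf '%s\n' "$1" | tr ':' '\n' | grep -c .)
    have=$(openssl ciphers -v "$1" 2>/dev/null | grep -c 'Kx=ECDH') || true
    [ "$have" -eq "$want" ]
}

# Demonstration with the IPv4 address used in the procedure.
demo_dir=$(mktemp -d)
make_repo_cert "$demo_dir" "IP:172.20.5.55"
check_repo_cert "$demo_dir/cert.pem" "IP Address:172.20.5.55"
check_cipher_list "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
echo "certificate and cipher list verified in $demo_dir"
```

The generated cert.pem and key.pem in the scratch directory are what steps 6 and 7 copy to /etc/pki/tls/certs/localhost.crt and /etc/pki/tls/private/localhost.key; run check_cipher_list on the exact SSLCipherSuite value from ssl.conf before restarting httpd so that a misspelled suite does not leave the server with fewer ciphers than intended.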