Accounts

Certificates

- Use certificates signed by a trusted certificate authority (CA), if possible.

  HPE OneView uses certificates to authenticate and establish trust relationships. One of the most common uses of certificates is when a connection from a web browser to a web server is established. Machine-level authentication is carried out as part of the HTTPS protocol, using SSL. Certificates can also be used to authenticate devices when setting up a communication channel.

  The appliance supports self-signed certificates and certificates issued by a CA.

  The appliance is initially configured with self-signed certificates for the web server, database, and message broker software. The browser displays a warning when you browse to an appliance that uses self-signed certificates.

  Hewlett Packard Enterprise advises customers to examine their security needs (that is, to perform a risk assessment) and consider the use of certificates signed by a trusted CA. For the highest level of security, Hewlett Packard Enterprise recommends that you use certificates signed by a trusted certificate authority:

  - Ideally, use your company's existing CA and import its trusted certificates. The trusted root CA certificate should be deployed to the browsers of users who will contact those systems and devices, because the browsers need it to validate the certificates they are presented.
  - If your company does not have its own certificate authority, consider using an external CA. Numerous third-party companies provide trusted certificates. You will need to work with the external CA to have certificates generated for specific devices and systems, and then import these trusted certificates into the components that use them.

  As the Infrastructure administrator, you can generate a CSR (certificate signing request) and, upon receipt of the signed certificate, upload it to the appliance web server. This ensures the integrity and authenticity of your HTTPS connection to the appliance. Certificates can also be uploaded for the database and message broker.

  For more information, see Using a certificate authority.
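As an added example (not part of the HPE documentation), a small Python audit that flags an appliance certificate record, in the dict form returned by ssl.SSLSocket.getpeercert(), when it is still the initial self-signed certificate, is expired or close to expiry, or does not cover the hostname used to reach the appliance. The sample records and names (oneview.example.com, Example Corp) are constructed.

```python
"""Audit appliance TLS certificate records for the problems this section
warns about: still presenting the initial self-signed certificate, expired
or about to expire, or not issued for the name used to reach the appliance."""
import ssl
import time

def _name_to_dict(name):
    """Flatten getpeercert()'s subject/issuer tuple-of-tuples into a dict."""
    return {k: v for rdn in name for (k, v) in rdn}

def _matches(pattern, hostname):
    """DNS name match; a single leading '*.' label is the only wildcard honoured."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname

def audit_cert(cert, hostname, now=None):
    """Return a list of findings; an empty list means the certificate passes."""
    now = time.time() if now is None else now
    subject, issuer = _name_to_dict(cert["subject"]), _name_to_dict(cert["issuer"])
    findings = []
    if subject == issuer:
        findings.append("self-signed: issuer equals subject (initial appliance certificate?)")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after < now:
        findings.append("expired on " + cert["notAfter"])
    elif not_after - now < 30 * 86400:
        findings.append("expires within 30 days (" + cert["notAfter"] + ")")
    # Check subjectAltName DNS entries; fall back to the CN only when there are none.
    names = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    names = names or [subject.get("commonName", "")]
    if not any(_matches(n, hostname) for n in names):
        findings.append("name mismatch: %s not covered by %s" % (hostname, names))
    return findings

# Constructed sample records in getpeercert() form, not real appliance certificates.
SELF_SIGNED = {  # what a freshly installed appliance presents
    "subject": ((("commonName", "oneview.example.com"),),),
    "issuer": ((("commonName", "oneview.example.com"),),),
    "notAfter": "Mar 15 12:00:00 2034 GMT",
    "subjectAltName": (("DNS", "oneview.example.com"),),
}
CA_SIGNED = {  # after uploading a certificate issued by the company CA
    "subject": ((("commonName", "oneview.example.com"),), (("organizationName", "Example Corp"),)),
    "issuer": ((("commonName", "Example Corp Issuing CA"),), (("organizationName", "Example Corp"),)),
    "notAfter": "Mar 15 12:00:00 2034 GMT",
    "subjectAltName": (("DNS", "oneview.example.com"), ("DNS", "*.mgmt.example.com")),
}
```

Once the issuing CA is trusted by the client, a live record for an appliance comes from `ssl.create_default_context().wrap_socket(socket.create_connection((host, 443)), server_hostname=host).getpeercert()`.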
Network

- Hewlett Packard Enterprise recommends a strict separation of the management LAN and production LAN, using VLAN or firewall technology (or both) to maintain the separation:

  - Management LAN: Connect all management processor devices (including Onboard Administrators and virtual connections through an Onboard Administrator, iLOs, and iPDUs) to the management LAN. Grant management LAN access to authorized personnel only: Infrastructure administrators, Network administrators, and Server administrators.
  - Production LAN: Connect all NICs for managed devices to the production LAN.

- Do not connect management systems (for example, the appliance, the iLO card, and the Onboard Administrator) directly to the Internet. If you require access to the Internet, use a corporate VPN (virtual private network) that provides firewall protection.
Nonessential services

- The appliance is preconfigured so that nonessential services are removed or disabled in its management environment. Continue to minimize services when you configure host systems, management systems, and network devices (including disabling network ports not in use) to significantly reduce the number of ways your environment could be attacked.
Passwords

- For local accounts on the appliance, change the passwords periodically according to your password policies.
- Ensure that passwords include at least three of these types of characters:
Roles

- Clearly define and use administrative roles and responsibilities; for example, the Infrastructure administrator performs most administrative tasks. For more information on roles, see About user roles.
Service Management

Updates

Virtual Environment

- Educate administrators about changes to their roles and responsibilities in a virtual environment.
- Restrict access to the appliance console to authorized users. For more information, see Restricting console access.
- If you use an Intrusion Detection System (IDS) solution in your environment, ensure that the solution has visibility into network traffic in the virtual switch.
- Turn off promiscuous mode in the hypervisor and encrypt traffic flowing over the VLAN to lessen the effect of any VLAN traffic sniffing.

  NOTE: In most cases, if promiscuous mode is disabled in the hypervisor, it cannot be used on a VM (virtual machine) guest. The VM guest can enable promiscuous mode, but it will not be functional.

- Maintain a zone of trust, for example, a DMZ (demilitarized zone) that is separate from production machines.
- Ensure proper access controls on Fibre Channel devices.
- Use LUN masking on both storage and compute hosts.
- Ensure that LUNs are defined in the host configuration, instead of being discovered.
- Use hard zoning (which restricts communication across a fabric) based on port WWNs (World Wide Names), if possible.
- Ensure that communication with the WWNs is enforced at the switch-port level.