3 creating a login session, 4 authentication for appliance access – HP OneView User Manual


Maintain a zone of trust, for example, a DMZ (demilitarized zone) that is separate from
production machines.

Ensure proper access controls on Fibre Channel devices.

Use LUN masking on both storage and compute hosts.

Ensure that LUNs are defined in the host configuration, instead of being discovered.

Use hard zoning (which restricts communication across a fabric) based on port WWNs
(Worldwide Names), if possible.

Ensure that communication with the WWNs is enforced at the switch-port level.

Clearly define and use administrative roles and responsibilities; for example, the Infrastructure
administrator performs most administrative tasks.

Replace self-signed certificates with your organization's CA-issued certificates. To achieve a
higher level of security for components that are delivered with certificates, populate them with
trusted certificates at deployment time.

For local accounts on the appliance, change the passwords periodically according to your
password policies. Follow these guidelines:

Limit the number of local accounts. Integrate the appliance with an enterprise directory
solution such as Microsoft Active Directory or OpenLDAP.

Ensure that passwords include at least three of these types of characters:

Numeric character

Lowercase alphabetic character

Uppercase alphabetic character

Special character

Do not connect management systems (for example, the appliance, the iLO card, and Onboard
Administrator) directly to the Internet.

If you require access to the Internet, use a corporate VPN (virtual private network) that provides
firewall protection.

For service management, consider using practices and procedures such as those defined
by the Information Technology Infrastructure Library (ITIL). For more information, see the
following website:

http://www.itil-officialsite.com/home/home.aspx

3.3 Creating a login session

You create a login session when you log in to the appliance through the browser or some other
client (for example, using the REST API). Additional requests to the appliance use the session ID,
which must be protected because it represents the authenticated user.

A session remains valid until you log out or the session times out (for example, if a session is idle
for a longer period of time than the session idle timeout value).
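As an added illustration of that lifecycle (example code written for this page, not the appliance's own implementation or its REST API), a minimal server-side session table: a successful login creates a random session ID, each request presenting a live ID is resolved to its user and resets the idle clock, and logout or exceeding the idle timeout invalidates the ID. The timeout value and the injectable clock are assumptions made for demonstration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed value for demonstration, not the appliance default.
SESSION_IDLE_TIMEOUT = 900  # seconds


@dataclass
class Session:
    user: str          # the authenticated user this session ID stands for
    last_used: float   # clock reading of the most recent request


class SessionStore:
    """Constructed session table: create on login, expire on idle or logout."""

    def __init__(self, idle_timeout: float = SESSION_IDLE_TIMEOUT,
                 clock: Callable[[], float] = time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock                      # injectable so tests can advance time
        self._sessions: Dict[str, Session] = {}  # session_id -> Session

    def login(self, user: str, password: str,
              verify: Callable[[str, str], bool]) -> Optional[str]:
        """Check the credentials; on success mint an unguessable session ID."""
        if not verify(user, password):
            return None
        session_id = secrets.token_urlsafe(32)  # 256 random bits, opaque to the client
        self._sessions[session_id] = Session(user, self.clock())
        return session_id

    def authenticate_request(self, session_id: str) -> Optional[str]:
        """Map the session ID sent with a request to its user, or None if invalid.
        An idle session is dropped; a live one has its idle clock reset."""
        session = self._sessions.get(session_id)
        if session is None:
            return None
        now = self.clock()
        if now - session.last_used > self.idle_timeout:
            del self._sessions[session_id]      # idle timeout reached: ID is dead
            return None
        session.last_used = now                 # activity keeps the session alive
        return session.user

    def logout(self, session_id: str) -> bool:
        """Explicit logout invalidates the ID immediately; True if it existed."""
        return self._sessions.pop(session_id, None) is not None
```

Because the session ID alone identifies the authenticated user, the store never logs it and the client must only ever send it over the TLS connection described in the next section.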

3.4 Authentication for appliance access

Access to the appliance requires authentication using a user name and password. User accounts
are configured on the appliance or in an enterprise directory. All access (browser and REST APIs),
including authentication, occurs over SSL to protect the credentials during transmission over the
network.
