HP OneView User Manual

3.2 Best practices for maintaining a secure appliance

The following table comprises a partial list of security best practices that HP recommends in both
physical and virtual environments. Differing security policies and implementation practices make
it difficult to provide a complete and definitive list.

Best Practice

Topic

•

Limit the number of local accounts. Integrate the appliance with an enterprise directory solution
such as Microsoft Active Directory or OpenLDAP.

Accounts

•

Use certificates signed by a trusted certificate authority (CA), if possible.

HP OneView uses certificates to authenticate and establish trust relationships. One of the most
common uses of certificates is when a connection from a web browser to a web server is
established. The machine level authentication is carried out as part of the HTTPS protocol, using
SSL. Certificates can also be used to authenticate devices when setting up a communication
channel.

The appliance supports self-signed certificates and certificates issued by a CA.

The appliance is initially configured with self-signed certificates for the web server, database,
and message broker software. The browser will display a warning when browsing to the
appliance using self-signed certificates.

HP advises customers to examine their security needs (that is, to perform a risk assessment) and
consider the use of certificates signed by a trusted CA. For the highest level of security, HP
recommends that you use certificates signed by a trusted certificate authority:

◦

Ideally, you should use your company's existing CA and import their trusted certificates. The
trusted root CA certificate should be deployed to user’s browsers that will contact systems
and devices that will need to perform certificate validation.

◦

If your company does not have its own certificate authority, then consider using an external
CA. There are numerous third-party companies that provide trusted certificates. You will need
to work with the external CA to have certificates generated for specific devices and systems
and then import these trusted certificates into the components that use them.

As the Infrastructure administrator, you can generate a CSR (certificate signing request) and,
upon receipt, upload the certificate to the appliance web server. This ensures the integrity and
authenticity of your HTTPS connection to the appliance. Certificates can also be uploaded for
the database and message broker.

For more information, see

“Using a certificate authority” (page 56)

.

Certificates

•

HP recommends a strict separation of the management LAN and production LAN, using VLAN
or firewall technology (or both) to maintain the separation:

◦

Management LAN

Connect all management processor devices (including Onboard Administrators and virtual
connections through an Onboard Administrator, iLOs, and iPDUs) to the management LAN.

Grant management LAN access to authorized personnel only: Infrastructure administrators,
Network administrators, and Server administrators.

◦

Production LAN

Connect all NICs for managed devices to the production LAN.

•

Do not connect management systems (for example, the appliance, the iLO card, and Onboard
Administrator) directly to the Internet.

If you require access to the Internet, use a corporate VPN (virtual private network) that provides
firewall protection.

Network

3.2 Best practices for maintaining a secure appliance

51