Network ports – HP Onboard Administrator User Manual
Introduction 22
Securing the Insight Display LCD panel
The Insight Display LCD panel allows configuration and monitoring of key Onboard Administrator
settings, including network address configuration and powering server blade bays up or down, which
are critical BladeSystem functions. HP recommends securing the Insight Display LCD panel with a PIN,
particularly in a multi-tenant datacenter. Furthermore, certain regulatory or industry standards, such as
PCI, might require that all interfaces be secured with a PIN or password, regardless of whether they
require physical access to use.
The Insight Display LCD panel buttons are locked by default in FIPS Mode ON/DEBUG. For more
information, see "FIPS tab (on page )."
Set factory defaults before hardware redeployment
The very nature of redundant hardware is to ensure that all settings are present so that if a failure occurs on
the Active Onboard Administrator, the Standby Onboard Administrator can take over the active role. This
means that local user account information is duplicated on the Standby Onboard Administrator. If Enclosure
IP mode is configured, then the private key used for SSL communications is also stored on the Standby
Onboard Administrator. (Enclosure IP mode is not configured by default.) Depending on the security
requirements for the datacenter, critical security parameters should be cleared from the hardware before
decommissioning or reprovisioning an enclosure or components inside the enclosure, such as the Onboard
Administrator, VC, and iLO for HP BladeSystem.
To ensure all critical security parameters are cleared, SET FACTORY defaults. Additionally, the Administrator
password can be set to the factory “toe-tag” value by manually changing the password or connecting a serial
cable and invoking the lost password recovery procedure. For instructions, see "Recovering the administrator
)."
Isolate the management network
No matter how secure a device might appear to be, there will always be some sort of new attack or
vulnerability. As a preventative measure and to follow industry best practices, HP strongly recommends that
the management network be separate from the production network. Furthermore, do not place the
management network on the open internet or firewall DMZ without requiring additional access
authentication, such as using a VPN/tunnel.
Network ports
For more information on ports, see "Access requirements (on page )."
For more information on managing HP software through a firewall, see the Managing HP Servers Through
Firewalls with Insight Management White Paper. This document may be downloaded from the HP Insight
Management Information Library.
Default FIPS Mode settings compared to strong encryption
Beginning with version 3.70, Onboard Administrator significantly upgrades the Onboard Administrator
cryptographic capabilities by adding a new FIPS Mode of operation. FIPS Mode enforces a number of
requirements that differ significantly from the Enforce Strong Encryption setting in Onboard Administrator
version 3.60 and prior releases. As of version 3.70, the default security settings in Onboard Administrator
have been upgraded and are now equivalent to the version 3.60 Enforce Strong Encryption setting. The
security improvements remove weak algorithms for message authentication, default the SSL hash signature
algorithm to SHA-256, and support use of only FIPS 140-2 approved ciphers. For more information, see the
following table. A list of supported SSH ciphers, SSH key exchange algorithms, and SSH Message
Authentication Code algorithms follows the table.
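The paragraph above describes the policy shift in version 3.70: weak message authentication algorithms removed, SHA-256 as the SSL signature hash, and only FIPS 140-2 approved ciphers offered. A practical way to verify that a management interface actually behaves this way is to audit the algorithm lists it advertises against an allow-list. The script below is an added example, not code from the HP manual or from Onboard Administrator; the capture format (`category: a,b,c` lines), the allow-lists and the sample captures are constructed for illustration, and the policy it encodes is an assumption (it also rejects SHA-1, which is stricter than FIPS 140-2, which still permits HMAC-SHA-1).

```python
"""Audit the SSH algorithms a management interface offers against a FIPS-style policy.

Added example, not part of the HP Onboard Administrator manual. The allow-lists
below model the policy the manual describes (FIPS 140-2 approved ciphers, no weak
MACs, SHA-2 signatures) and are an ASSUMPTION for this example, not HP's list.
"""
from __future__ import annotations

# Approved algorithms per category. ASSUMPTION: illustrative policy only.
APPROVED: dict[str, set[str]] = {
    "cipher": {"aes128-ctr", "aes192-ctr", "aes256-ctr",
               "aes128-cbc", "aes192-cbc", "aes256-cbc",
               "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"},
    "mac": {"hmac-sha2-256", "hmac-sha2-512"},
    "kex": {"diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512",
            "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "hostkey": {"rsa-sha2-256", "rsa-sha2-512",
                "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"},
}

# Markers of weak algorithms: MD5/SHA-1 based MACs and KEX, truncated 96-bit tags,
# legacy ciphers, and the 1024-bit group1 exchange. Rejecting SHA-1 outright is a
# policy choice of this example (FIPS 140-2 still permits HMAC-SHA-1).
WEAK_SUBSTRINGS = ("md5", "sha1", "-96", "arcfour", "rc4", "3des",
                   "blowfish", "cast128", "group1-")
WEAK_EXACT = {"ssh-rsa", "ssh-dss"}  # both produce SHA-1 signatures


def classify(category: str, name: str) -> str:
    """Return 'approved', 'weak' or 'unknown' for one algorithm name."""
    if name in APPROVED.get(category, set()):
        return "approved"
    if name in WEAK_EXACT or any(marker in name for marker in WEAK_SUBSTRINGS):
        return "weak"
    return "unknown"  # on neither list: review manually before allowing it


def audit(category: str, offered: list[str]) -> dict[str, list[str]]:
    """Bucket every offered algorithm of one category, preserving offer order."""
    report: dict[str, list[str]] = {"approved": [], "weak": [], "unknown": []}
    for name in offered:
        report[classify(category, name)].append(name)
    return report


def parse_capture(text: str) -> dict[str, list[str]]:
    """Parse 'category: a,b,c' lines (the constructed capture format used here)."""
    lists: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        category, _, names = line.partition(":")
        lists[category.strip()] = [n.strip() for n in names.split(",") if n.strip()]
    return lists


def audit_capture(text: str) -> tuple[bool, dict[str, dict[str, list[str]]]]:
    """Audit all categories. Clean means: nothing weak offered and every
    category offers at least one approved algorithm."""
    reports = {cat: audit(cat, names) for cat, names in parse_capture(text).items()}
    clean = all(not r["weak"] and r["approved"] for r in reports.values())
    return clean, reports


# Constructed samples (not real device output): a legacy interface with strong
# encryption off, and a hardened one matching the FIPS-style policy above.
LEGACY_CAPTURE = """
cipher: aes128-cbc,3des-cbc,arcfour,aes256-ctr
mac: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-sha2-256
kex: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256
hostkey: ssh-rsa,ssh-dss
"""

HARDENED_CAPTURE = """
cipher: aes256-ctr,aes128-ctr,aes256-gcm@openssh.com
mac: hmac-sha2-256,hmac-sha2-512
kex: ecdh-sha2-nistp256,diffie-hellman-group14-sha256
hostkey: rsa-sha2-256,ecdsa-sha2-nistp256
"""

if __name__ == "__main__":
    for label, capture in (("legacy", LEGACY_CAPTURE), ("hardened", HARDENED_CAPTURE)):
        clean, reports = audit_capture(capture)
        print(f"{label}: {'PASS' if clean else 'FAIL'}")
        for cat, r in reports.items():
            if r["weak"]:
                print(f"  {cat}: weak -> {', '.join(r['weak'])}")
            if r["unknown"]:
                print(f"  {cat}: review -> {', '.join(r['unknown'])}")
```

The "unknown" bucket is deliberate: an algorithm that is neither on the allow-list nor recognisably weak should be reviewed rather than silently accepted, since an allow-list audit that defaults to "approved" for anything it does not know would miss newly introduced or vendor-specific suites. To use this against a real interface, replace the constructed captures with the algorithm lists the device actually advertises and adjust the allow-lists to the policy you are required to meet.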