Access to the appliance console

Use the hypervisor management software to restrict access to the appliance, which prevents unauthorized users from accessing the password reset and service access features. See Restricting console access.

Typical legitimate uses for access to the console are:

  • Troubleshooting network configuration issues.

  • Resetting an appliance administrator password.

    For information on how to reset the administrator password, see the online help.

  • Enabling service access by an on-site authorized support representative.

The virtual appliance console is displayed in a graphical console; password reset and HP Services access use a non-graphical console.

Switching from one console to another (VMware vSphere)

  1. Open the virtual appliance console from vSphere.

  2. Press and hold Ctrl+Alt.

  3. Press and release the space bar.

  4. Press and release F1 to select the non-graphical console or F2 to select the graphical console.

Switching from one console to another (KVM)

  1. Open the Virtual Machine Manager.

  2. In the Menu bar, select Send Key > Ctrl+Alt+F1 for the non-graphical console or select Send Key > Ctrl+Alt+F2 for the graphical console.

Restricting console access

For the virtual appliance, you can restrict console access through secure management practices of the hypervisor itself.

This information is available from the VMware website:

http://www.vmware.com/support/pubs

In particular, search for topics related to vSphere's Console Interaction privilege and best practices for managing VMware's roles and permissions.

Protecting credentials

Local user account passwords are stored using a salted hash; that is, they are combined with a random string, and then the combined value is stored as a hash. A hash is a one-way algorithm that maps a string to a unique value so that the original string cannot be retrieved from the hash.

Passwords are masked in the browser. When transmitted between the appliance and the browser over the network, passwords are protected by SSL.

Local user account passwords must be a minimum of eight characters, with at least one uppercase character. The appliance does not enforce additional password complexity rules. Password strength and expiration are dictated by the site security policy. If you integrate an external authentication directory service (also known as an enterprise directory) with the appliance, the directory service enforces password strength and expiration.
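
The salted-hash storage and the minimum password rule described in this section, as an added Python example (not HP's code). SHA-256 is the algorithm this page lists for local user account passwords; the 16-byte salt, the salt-then-password concatenation, and the salt$digest record format are assumptions, because the page does not specify them.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SALT_BYTES = 16  # assumption: the page does not state the salt length


def meets_policy(password: str) -> bool:
    """Minimum rule stated on the page: eight characters, one uppercase."""
    return len(password) >= 8 and any(c.isupper() for c in password)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest_hex' (the record format is an assumption)."""
    if not meets_policy(password):
        raise ValueError("password does not meet the minimum policy")
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per record
    # Assumption: the salt is prepended to the UTF-8 password before hashing.
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    try:
        salt_hex, stored = record.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record: wrong field count or bad hex
    candidate = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate.encode(), stored.encode())


if __name__ == "__main__":
    # Constructed sample password, used only for this demonstration.
    first = hash_password("CorrectHorse")
    second = hash_password("CorrectHorse")
    print(first != second)                          # salts differ per record
    print(verify_password("CorrectHorse", first))   # correct password
    print(verify_password("correcthorse", first))   # wrong password
```

Two records for the same password differ because each one gets its own salt, so identical passwords cannot be spotted by comparing stored values.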

Algorithms for securing the appliance

  • SSL (see Supported SSL cipher suites)

  • SHA-256 for hashing local user account passwords

  • Other passwords are encrypted using 128-bit Blowfish

  • Support dumps:

    • Encryption: 128-bit AES

    • Hash: SHA-256

    • The AES key is encrypted separately using 2,048-bit RSA.

  • Updates:

    • Not encrypted; digitally signed using SHA-256 and 2,048-bit RSA

The following SSL cipher suites are enabled on the HP CloudSystem appliance web server. The cipher suites support the connection among the browser, other clients, and the appliance.

Supported SSL cipher suites

SSL cipher suite       SSL version  Kx   Au   Enc         Mac
DHE-RSA-AES256-SHA     SSL v3       DH   RSA  AES (256)   SHA1
AES256-SHA             SSL v3       RSA  RSA  AES (256)   SHA1
EDH-RSA-DES-CBC3-SHA   SSL v3       DH   RSA  3DES (168)  SHA1
DES-CBC3-SHA           SSL v3       RSA  RSA  3DES (168)  SHA1
DHE-RSA-AES128-SHA     SSL v3       DH   RSA  AES (128)   SHA1
AES128-SHA             SSL v3       RSA  RSA  AES (128)   SHA1