Best practices for maintaining a secure appliance

The following table comprises a partial list of security best practices that Hewlett Packard Enterprise recommends in both physical and virtual environments. Security best practices differ by customer and their specific or unique requirements. No one set of best practices is applicable for all customers.

Topic

Best Practice

Access
Accounts
  • Limit the number of local accounts, or disable them. Integrate the appliance with an enterprise directory solution such as Microsoft Active Directory or OpenLDAP. Use the enterprise directory features for password expiration, complexity, and history, and to disable local users and groups.
  • If local accounts are used, protect the built-in administrator account with a strong password.

  • Do not use the built-in Administrator account. All users must log in using their own credentials to facilitate auditing.

Audit logs
  • Download the appliance audit logs at regular intervals.

Certificates
  • Use certificates signed by a trusted certificate authority (CA).

    HPE OneView uses certificates to authenticate and establish trust relationships. One of the most common uses of certificates is when a web browser establishes a connection to a web server. Machine-level authentication is carried out as part of the HTTPS protocol, using SSL. Certificates can also be used to authenticate devices when setting up a communication channel.

    The appliance supports self-signed certificates and certificates signed by a CA.

    The appliance is initially configured with self-signed certificates for the web server and the State Change Message Bus (SCMB).

    The same CA-signed appliance certificate used to secure access to HPE OneView is also used for the SCMB server certificate. A client certificate is not available for SCMB by default, but can be generated from the internal HPE OneView CA, or through another trusted CA.

    Hewlett Packard Enterprise advises customers to examine their security needs (that is, to perform a risk assessment) and consider the use of certificates signed by a trusted CA.

    • You should use your company's existing custom CA and import its trusted certificates. The trusted root CA certificate must be deployed to both HPE OneView and to the hardware devices that HPE OneView manages. HPE OneView performs the CA-based certificate validation. All the devices that you are connecting to must have certificates that are trusted by that root CA.

    • If your company does not have its own certificate authority, then consider using a commercial CA. There are numerous third-party companies that provide trusted certificates. You will need to work with the external CA to have certificates generated for specific devices and systems and then import these trusted certificates into the components that use them.

    As the Infrastructure administrator, you can generate a certificate signing request (CSR) and, upon receipt, upload the certificate to the appliance web server. This ensures the integrity and authenticity of your HTTPS connection to the appliance. Certificates can also be uploaded for the SCMB.

    See Use a certificate authority.

Network
  • Hewlett Packard Enterprise recommends creating a private management LAN and keeping it separate (known as air-gapped) from production LANs, using VLAN or firewall technology (or both).

    • Management LAN

      Connect all management processor devices, including Onboard Administrators, iLOs, and iPDUs to the HPE OneView appliance by using the management LAN.

      Grant management LAN access to authorized personnel only. For example, Infrastructure administrators, Network administrators, and Server administrators.

    • Production LAN

      Connect all NICs for managed devices to the production LAN.

  • Hewlett Packard Enterprise recommends that you do not connect management systems, such as the appliance, the iLO, and the Onboard Administrator, directly to the Internet.

    If you require inbound Internet access, use a corporate VPN (virtual private network) that provides firewall protection. For outbound Internet access (for example, for Remote Support), use a secured web proxy. To set the web proxy, see “Preparing for remote support registration” or “Configure the proxy settings” in the online help.
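
The management/production split described above can be checked against an address inventory. The following is an added example, not HPE code; the CIDR ranges, device names, and inventory format are constructed assumptions.

```python
import ipaddress

# Constructed sample values: the LAN ranges below are assumptions for this example.
MGMT_LAN = [ipaddress.ip_network("10.10.0.0/24")]
PROD_LAN = [ipaddress.ip_network("10.20.0.0/16")]
# Interface kinds that belong on the management LAN (appliance, iLO, OA, iPDU).
MGMT_KINDS = {"appliance", "ilo", "oa", "ipdu"}

# Constructed inventory: (interface name, kind, address).
INVENTORY = [
    ("oneview-appliance", "appliance", "10.10.0.5"),
    ("enc1-oa1", "oa", "10.10.0.20"),
    ("srv01-ilo", "ilo", "10.20.4.17"),      # management processor on production
    ("srv02-ilo", "ilo", "198.51.100.23"),   # outside both declared LANs
    ("srv01-nic1", "nic", "10.20.4.18"),
    ("srv02-nic1", "nic", "10.10.0.77"),     # production NIC on management LAN
    ("rack3-ipdu", "ipdu", "10.10.0.300"),   # malformed inventory entry
]

def lans_overlap(mgmt=MGMT_LAN, prod=PROD_LAN):
    """True if any management range overlaps a production range (no real split)."""
    return any(m.overlaps(p) for m in mgmt for p in prod)

def audit(inventory, mgmt=MGMT_LAN, prod=PROD_LAN):
    """Return (name, finding) pairs for interfaces that break the LAN split."""
    findings = []
    for name, kind, raw in inventory:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            findings.append((name, "unparseable address"))
            continue
        on_mgmt = any(addr in net for net in mgmt)
        on_prod = any(addr in net for net in prod)
        if kind in MGMT_KINDS:
            if on_prod:
                findings.append((name, "management interface on production LAN"))
            elif not on_mgmt:
                # Not on any declared LAN: confirm it is not Internet-reachable.
                findings.append((name, "management interface outside management LAN"))
        elif on_mgmt:
            findings.append((name, "production NIC on management LAN"))
    return findings

if __name__ == "__main__":
    print("LAN ranges overlap:", lans_overlap())
    for name, finding in audit(INVENTORY):
        print(f"{name}: {finding}")
```
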

Passwords
  • Hewlett Packard Enterprise recommends that you integrate HPE OneView with an enterprise directory such as Microsoft Active Directory or OpenLDAP and disable local HPE OneView accounts, except for the Maintenance Console. Your enterprise directory can then enforce common password management policies such as password lifetime, password complexity, and minimum password length.

  • The appliance maintenance console uses a local administrator account. Hewlett Packard Enterprise recommends that you set a password for appliance maintenance console access.

Permissions

Permissions are used to control user access to the appliance and the resources managed by the appliance. The Infrastructure administrator grants rights to users and directory groups by assigning permissions. A permission consists of a role and an optional scope. The role grants access to resource categories. For more information about permissions, see HPE OneView Online help.

  • Role: HPE OneView defines a set of roles that describe the actions a user can perform on resource categories. When assigned to a user or directory group, a role grants the right to perform actions on categories of resources managed by the appliance. The Infrastructure administrator role should be reserved for the highest access. See "About user roles" in the online help.

  • Scope: Define a scope and assign a subset of resources representing the management domain of one or more users. A scope in a permission further restricts the rights granted by the role to particular resource instances. Thus, it is appropriate to use a common scope in permissions for users with differing roles.

Two-factor authentication
Updates
Virtual Environment
  • Restrict access to the appliance console to authorized users so that only authorized personnel can initiate HPE service requests, which can grant privileged access to the appliance.

  • If you use an Intrusion Detection System (IDS) solution in your environment, ensure that the solution has visibility into network traffic in the virtual switches.

  • Follow your hypervisor software best practices.