Security/Edit Security screen details

The Security and Edit Security screens display the following key security information:

  • Whether two-factor authentication is enabled or disabled

  • Whether smart card only login authentication is enabled or disabled

  • Whether local logins are enabled or disabled

  • Whether emergency local login is enabled or disabled

  • The name of the directory service used, if applicable

  • An optional Login message and acknowledgment requirement

  • The HPE Public Key, a code signing key that is used to validate the digital signature of software updates

From this section, you can display the certificate settings and invoke the procedure to acquire the Hewlett Packard Enterprise public key.

Screen component

Description

   
Authentication

Two-factor authentication

Enables or disables two-factor authentication for the appliance.

As a prerequisite, directory servers added to HPE OneView must be configured with the bind type set to "Service account". The service account is a read-only account in the enterprise directory that has read access to the subtree under the base DN configured for the directory in HPE OneView. With this bind type, HPE OneView uses the configured service account to query the directory to authenticate users.

Smart card only login

Allows smart card only login to HPE OneView through a browser. When enabled, user name and password login is not allowed.

NOTE:

User name and password login is still available through the appliance console.

Indicates if the smart card only login is enabled or disabled.

Enabled - the HPE OneView login screen in a browser displays only two-factor authentication using a smart card and PIN.

Disabled - the HPE OneView login screen displays user name and password fields along with the smart card login option, if enabled.

Default value:

Disabled

Local login

Enables or disables login to the appliance by configured local users. When local logins are disabled, logging in requires a directory service to authenticate users. See Allow local logins.

Emergency local login

Enables or disables the use of the Administrator account when local logins are disabled and directory servers are not reachable. When enabled, the built-in Administrator account serves as an emergency login account. See About emergency local login.

Emergency local login via

Displays emergency local login options.

  • Appliance console only: Emergency local login is constrained to the appliance console.

  • Network and Appliance console: Emergency local login is allowed through both the appliance console and browser.

Default value:

Appliance console only

Default directory

Displays either the name of the preferred directory service or Local for local logins.

If no directory service is configured, Local is displayed.

See About directory service authentication.

Service console access

Enables or disables access to the appliance operating system for authorized service personnel.

Enforce complex passwords

Enables or disables the requirement that users have complex passwords. This option does not force existing users to change their passwords. After this feature is enabled, password complexity is enforced when users change their password or when user accounts are created. See About complex passwords.

Default value:

Disabled

Complex passwords must contain the following:

  • Minimum of 14 characters
  • Minimum of one uppercase character
  • Minimum of one lowercase character
  • Minimum of one number
  • Minimum of one special character. For example: !@#$^*_-=+,.?
  • No whitespace
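The complex-password rules listed above, expressed as a pre-check that reports which rules a candidate password fails, for example before accounts are created in bulk. This is an added example, not HPE OneView code: the function names are hypothetical, and it assumes ASCII letters and digits and counts only the special characters the page gives as examples (the appliance may accept others).

```python
import string

MIN_LENGTH = 14                    # "Minimum of 14 characters"
# Assumption: only the characters the page lists as examples count as special.
SPECIAL_CHARS = set("!@#$^*_-=+,.?")


def complexity_violations(password: str) -> list[str]:
    """Return the names of the listed rules that `password` fails.

    An empty list means the password satisfies every rule in the list.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("length")
    # Assumption: letters and digits are checked as ASCII only.
    if not any(c in string.ascii_uppercase for c in password):
        violations.append("uppercase")
    if not any(c in string.ascii_lowercase for c in password):
        violations.append("lowercase")
    if not any(c in string.digits for c in password):
        violations.append("number")
    if not any(c in SPECIAL_CHARS for c in password):
        violations.append("special")
    # str.isspace() also catches tabs, newlines and Unicode spaces such as
    # U+00A0, which are easy to paste in without noticing.
    if any(c.isspace() for c in password):
        violations.append("whitespace")
    return violations


def audit(candidates: dict[str, str]) -> dict[str, list[str]]:
    """Map each account name to its failed rules, omitting compliant accounts."""
    report = {}
    for account, password in candidates.items():
        failed = complexity_violations(password)
        if failed:
            report[account] = failed
    return report


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    samples = {
        "ops-admin": "Str0ng-Passphrase!",
        "backup-svc": "Short1!a",
        "readonly": "correct horse battery staple",
    }
    for account, failed in audit(samples).items():
        print(f"{account}: fails {', '.join(failed)}")
```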

SSH access

Enables or disables remote access through SSH to the appliance.

Certificates

Displays options to manage certificates. See Certificates screen details.

Login

Message

Text field for a custom message displayed on the login screen. The login message can be formatted using Markdown syntax.

Require acknowledgement

Indicates whether users must acknowledge the Message before logging in to the appliance.

Client Login Certificate Configuration

Displays controls to configure the settings to validate a certificate for client login.

Directories

Lists the directory services for authenticating logins that are available.

If no directory service is added, No directories is displayed.

For each authentication directory service that is added to appliance:

To add a directory service, click Add directory. For more information, see Add a directory service.

NOTE:

Hewlett Packard Enterprise recommends that you do not add a single directory multiple times with different names as doing so does not guarantee that the session will be mapped to the particular role mapping you require.

Cryptography

Displays options to change the cryptography mode and generate FIPS or CNSA compatibility reports to help you assess the impact of changing the mode of cryptography. From this section you can:

Compatibility report

  • View a FIPS or CNSA compatibility report, if the compatibility report is already created.
  • Generate a compatibility report that describes the potential impact of a cryptography mode change.
  • Delete an existing cryptography report.
  • Update an existing compatibility report.

NOTE:

At any point in time, there exists only one report for a specific cryptography mode.

Cryptography mode

  • View the active mode of cryptography.
  • Change the cryptography mode.

Hewlett Packard Enterprise Public Key

Use Display content to view the content of the public key, and to verify the authenticity of the updates.