Algorithms for securing the appliance
Local user passwords
Passwords are hashed using the SHA-384 hashing algorithm with a 64-bit salt and 1000 iterations.
Backup files
Backup files are encrypted using simple symmetric-key cryptography, and the key is unique per appliance. This form of encryption helps prevent casual attempts at reading or tampering with the backup files. Hewlett Packard Enterprise strongly recommends that you encrypt backup files on the backup server with an encryption key that you generate to ensure the confidentiality and integrity of the backup file.
Managed device credentials
Passwords of managed devices and external servers are encrypted with the AES-256 algorithm.
Updates
The HPE OneView update binary (update.bin) and the Red Hat Package Manager (RPM) packages contained in update.bin are signed using SHA-512 and a 4096-bit RSA key.
Support dumps
Support dumps are encrypted using the AES/CTR/NoPadding:256 algorithm, and the AES key is encrypted separately using a 3072-bit RSA asymmetric key pair.
Certificates
By default, on a fresh installation of the HPE OneView appliance, the self-signed certificate is signed using the SHA-256 digital signature algorithm with a 2048-bit RSA key. On an upgraded appliance, any existing self-signed certificates are retained. If a user has a certificate authority-signed SHA1 certificate, the SHA1 certificate is retained after the upgrade. The user is notified with an alert to regenerate or re-import a higher-strength certificate.
Administrator password reset and Hewlett Packard Enterprise support access
S/KEY: A one-time challenge-response password scheme
Supported SSL cipher suites
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDH-ECDSA-AES256-SHA384
ECDH-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
AES256-SHA256
DH-RSA-AES256-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
ECDH-ECDSA-AES128-SHA256
ECDH-RSA-AES128-SHA256
AES128-SHA256
DH-RSA-AES256-SHA
DH-RSA-AES128-SHA
DH-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA
DHE-RSA-AES256-SHA
AES256-SHA
ECDHE-RSA-AES128-SHA
ECDH-RSA-AES128-SHA
DHE-RSA-AES128-SHA
AES128-SHA
DHE-DSS-AES128-SHA256
ECDHE-ECDSA-AES256-SHA
ECDH-ECDSA-AES256-SHA
ECDH-RSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA
ECDH-ECDSA-AES128-SHA
DHE-DSS-SEED-SHA
DH-RSA-SEED-SHA
DHE-RSA-SEED-SHA
CAMELLIA128-SHA
CAMELLIA256-SHA
PSK-AES256-CBC-SHA
SEED-SHA
DH-DSS-CAMELLIA256-SHA
DH-DSS-AES256-SHA
DHE-DSS-AES128-SHA
DH-DSS-AES256-SHA256
DH-RSA-CAMELLIA256-SHA
KRB5-IDEA-CBC-MD5
DH-DSS-AES128-SHA
DHE-RSA-CAMELLIA256-SHA
DH-DSS-AES128-SHA256
DHE-RSA-CAMELLIA128-SHA
PSK-AES128-CBC-SHA
DHE-DSS-CAMELLIA256-SHA
DHE-DSS-AES256-SHA256
DH-DSS-SEED-SHA
DHE-DSS-CAMELLIA128-SHA
DH-RSA-CAMELLIA128-SHA
DH-DSS-CAMELLIA128-SHA
KRB5-IDEA-CBC-SHA
DHE-DSS-AES256-SHA
IDEA-CBC-SHA
ECDH-ECDSA-DES-CBC3-SHA
ECDHE-ECDSA-DES-CBC3-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDH-RSA-DES-CBC3-SHA
Supported SSH cipher suites
SSH service | Algorithms and ciphers supported |
---|---|
Ciphers | aes256-ctr, aes256-cbc, aes192-cbc, aes192-ctr, aes128-ctr |
Message Authentication Code (MAC) | hmac-sha2-512, hmac-sha2-256, hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96 |
Key Exchange | ecdh-sha2-nistp384:384, diffie-hellman-group-exchange-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1 |
Host Key algorithms (for clients) | ssh-rsa:3072, ssh-rsa:2048, ssh-rsa:4096, ssh-dss:1024, ecdsa-sha2-nistp384:384, ecdsa-sha2-nistp256:256, ecdsa-sha2-nistp521:521 |
Host Key algorithms (HPE OneView host key algorithms) | ssh-rsa:2048, ssh-dsa:1024 |
HPE OneView Key-based authentication | rsa:2048 |
Supported RabbitMQ cipher suites
ecdhe_ecdsa,aes_256_cbc,sha384,sha384
ecdhe_rsa,aes_256_cbc,sha384,sha384
ecdh_ecdsa,aes_256_cbc,sha384,sha384
ecdh_rsa,aes_256_cbc,sha384,sha384
dhe_rsa,aes_256_cbc,sha256
rsa,aes_256_cbc,sha256
ecdhe_ecdsa,aes_128_cbc,sha256,sha256
ecdhe_rsa,aes_128_cbc,sha256,sha256
dhe_rsa,aes_128_cbc,sha256
ecdh_ecdsa,aes_128_cbc,sha256,sha256
ecdh_rsa,aes_128_cbc,sha256,sha256
rsa,aes_128_cbc,sha256
ecdhe_rsa,aes_256_cbc,sha
dhe_rsa,aes_256_cbc,sha
rsa,aes_256_cbc,sha
ecdhe_rsa,aes_128_cbc,sha
ecdh_rsa,aes_128_cbc,sha
dhe_rsa,aes_128_cbc,sha
rsa,aes_128_cbc,sha
dhe_dss,aes_128_cbc,sha256
ecdhe_ecdsa,aes_256_cbc,sha
ecdh_ecdsa,aes_256_cbc,sha
ecdh_rsa,aes_256_cbc,sha
ecdhe_ecdsa,aes_128_cbc,sha
ecdh_ecdsa,aes_128_cbc,sha
dhe_dss,aes_128_cbc,sha
dhe_dss,aes_256_cbc,sha256
dhe_dss,aes_256_cbc,sha
ecdh_ecdsa,'3des_ede_cbc',sha
ecdhe_ecdsa,'3des_ede_cbc',sha
ecdhe_rsa,'3des_ede_cbc',sha
ecdh_rsa,'3des_ede_cbc',sha
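When reviewing an appliance's TLS exposure against the SSL and RabbitMQ lists above, it helps to tag each suite by its key exchange, cipher, and MAC. The following is an added example, not HPE code: it parses both naming styles used on this page and labels suites that lack forward secrecy, use a 64-bit block cipher, or rely on an MD5 or SHA-1 MAC. The sample suites are copied from the lists above; the function names and finding labels are assumptions of this example.

```python
# Added example: triage of the cipher suite names listed on this page.
# Function names and finding labels are this example's own, not HPE's.

KX = ("ECDHE", "DHE", "ECDH", "DH", "PSK", "KRB5")

def parse(suite):
    """Return (key_exchange, cipher, mac) for either naming style on the page."""
    if "," in suite:  # RabbitMQ/Erlang style: kx,cipher,mac[,prf]
        fields = [f.strip("'").upper() for f in suite.split(",")]
        return fields[0].split("_")[0], fields[1], fields[2]
    parts = suite.split("-")  # OpenSSL style: [KX-[AUTH-]]CIPHER-MAC
    kx = parts[0] if parts[0] in KX else "RSA"  # no prefix means RSA key exchange
    skip = 0 if kx == "RSA" else 1 if kx in ("PSK", "KRB5") else 2
    return kx, "-".join(parts[skip:-1]), parts[-1]

def findings(suite):
    """List the reasons a suite would be deprioritised in a hardening review."""
    kx, cipher, mac = parse(suite)
    out = []
    if kx not in ("ECDHE", "DHE"):  # only ephemeral exchanges give forward secrecy
        out.append("no-forward-secrecy")
    if any(tag in cipher for tag in ("3DES", "DES-CBC3", "IDEA")):
        out.append("64-bit-block")
    if "SEED" in cipher:
        out.append("legacy-cipher")
    if mac == "MD5":
        out.append("md5-mac")
    elif mac == "SHA":  # plain "SHA" in these names means SHA-1
        out.append("sha1-mac")
    return out

def audit(suites):
    """Map each suite name to its findings; an empty list means none raised."""
    return {s: findings(s) for s in suites}

# Sample input: a subset of the suites listed on this page.
SAMPLE = [
    "ECDHE-ECDSA-AES256-SHA384", "ECDH-RSA-AES256-SHA384", "AES256-SHA256",
    "DHE-DSS-SEED-SHA", "KRB5-IDEA-CBC-MD5", "ECDHE-RSA-DES-CBC3-SHA",
    "ecdhe_rsa,aes_256_cbc,sha384,sha384", "ecdh_ecdsa,'3des_ede_cbc',sha",
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE).items():
        print(f"{name:40} {', '.join(issues) or 'ok'}")
```

None of the suites on this page is an AEAD (GCM or ChaCha20-Poly1305) suite, so an empty findings list here means only that none of the checks above fired.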
Supported SNMP authentication protocols for interconnects
MD5
SHA1
SHA-256
SHA-384
SHA-512
Supported SNMP privacy protocols for interconnects
MD5
DES
3DES
AES-128
AES-192
AES-256
Supported SNMP authentication protocols for trap forwarding
MD5
SHA1
SHA256
SHA384
SHA512
Supported SNMP privacy protocols for trap forwarding
DES
3DES
AES-128
AES-192
AES-256
SNMP server management
For SNMP Server management, wherever device support is available, SNMPv3 is used. The authentication and privacy protocols used vary based on the protocols supported by the specific version of the device.