Algorithms for securing the appliance

Local user passwords

Local user passwords are hashed with the SHA-384 hashing algorithm, using a 64-bit salt and 1000 iterations.

Backup files

Backup files are encrypted with simple symmetric-key cryptography, and the key is unique per appliance. This form of encryption helps prevent casual attempts at reading or tampering with the backup files. Hewlett Packard Enterprise strongly recommends that you encrypt backup files on the backup server with an encryption key that you generate to ensure the confidentiality and integrity of the backup file.

Managed device credentials

Passwords of managed devices and external servers are encrypted with the AES-256 algorithm.

Updates

The HPE OneView Update binary (update.bin) and the Red Hat Package Manager (RPM) packages contained in update.bin are signed using SHA-512 and a 4096-bit RSA key.

Support dumps

Support dumps are encrypted using the AES/CTR/NoPadding algorithm with a 256-bit key, and the AES key is encrypted separately using a 3072-bit RSA asymmetric key pair.

Certificates

By default, on a fresh installation of the HPE OneView appliance, the self-signed certificate is signed using the SHA-256 digital signature algorithm with a 2048-bit RSA key. On an upgraded appliance, any existing self-signed certificates are retained. If a user has a certificate authority-signed SHA1 certificate, the SHA1 certificate is retained after the upgrade. The user is notified with an alert to regenerate or re-import a higher-strength certificate.

Administrator password reset and Hewlett Packard Enterprise support access

S/KEY: A one-time challenge-response password scheme

Supported SSL cipher suites


ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDH-ECDSA-AES256-SHA384
ECDH-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
AES256-SHA256
DH-RSA-AES256-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
ECDH-ECDSA-AES128-SHA256
ECDH-RSA-AES128-SHA256
AES128-SHA256
DH-RSA-AES256-SHA
DH-RSA-AES128-SHA
DH-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA
DHE-RSA-AES256-SHA
AES256-SHA
ECDHE-RSA-AES128-SHA
ECDH-RSA-AES128-SHA
DHE-RSA-AES128-SHA
AES128-SHA
DHE-DSS-AES128-SHA256
ECDHE-ECDSA-AES256-SHA
ECDH-ECDSA-AES256-SHA
ECDH-RSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA
ECDH-ECDSA-AES128-SHA
DHE-DSS-SEED-SHA
DH-RSA-SEED-SHA
DHE-RSA-SEED-SHA
CAMELLIA128-SHA
CAMELLIA256-SHA
PSK-AES256-CBC-SHA
SEED-SHA
DH-DSS-CAMELLIA256-SHA
DH-DSS-AES256-SHA
DHE-DSS-AES128-SHA
DH-DSS-AES256-SHA256
DH-RSA-CAMELLIA256-SHA
KRB5-IDEA-CBC-MD5
DH-DSS-AES128-SHA
DHE-RSA-CAMELLIA256-SHA
DH-DSS-AES128-SHA256
DHE-RSA-CAMELLIA128-SHA
PSK-AES128-CBC-SHA
DHE-DSS-CAMELLIA256-SHA
DHE-DSS-AES256-SHA256
DH-DSS-SEED-SHA
DHE-DSS-CAMELLIA128-SHA
DH-RSA-CAMELLIA128-SHA
DH-DSS-CAMELLIA128-SHA
KRB5-IDEA-CBC-SHA
DHE-DSS-AES256-SHA
IDEA-CBC-SHA
ECDH-ECDSA-DES-CBC3-SHA
ECDHE-ECDSA-DES-CBC3-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDH-RSA-DES-CBC3-SHA

Supported SSH cipher suites

SSH service algorithms and ciphers supported

Ciphers

aes256-ctr

aes256-cbc

aes192-cbc

aes192-ctr

aes128-ctr

Message Authentication Code (MAC)

hmac-sha2-512

hmac-sha2-256

hmac-sha1

hmac-sha1-96

hmac-md5

hmac-md5-96

Key Exchange

ecdh-sha2-nistp384:384

diffie-hellman-group-exchange-sha256

ecdh-sha2-nistp256

ecdh-sha2-nistp521

diffie-hellman-group-exchange-sha1

diffie-hellman-group14-sha1

diffie-hellman-group1-sha1

Host Key algorithms (for clients)

ssh-rsa:3072

ssh-rsa:2048

ssh-rsa:4096

ssh-dss:1024

ecdsa-sha2-nistp384:384

ecdsa-sha2-nistp256:256

ecdsa-sha2-nistp521:521

Host Key algorithms (HPE OneView host key algorithms)

ssh-rsa:2048

ssh-dsa:1024

HPE OneView Key-based authentication

rsa:2048

Supported RabbitMQ cipher suites


ecdhe_ecdsa,aes_256_cbc,sha384,sha384
ecdhe_rsa,aes_256_cbc,sha384,sha384
ecdh_ecdsa,aes_256_cbc,sha384,sha384
ecdh_rsa,aes_256_cbc,sha384,sha384
dhe_rsa,aes_256_cbc,sha256
rsa,aes_256_cbc,sha256
ecdhe_ecdsa,aes_128_cbc,sha256,sha256
ecdhe_rsa,aes_128_cbc,sha256,sha256
dhe_rsa,aes_128_cbc,sha256
ecdh_ecdsa,aes_128_cbc,sha256,sha256
ecdh_rsa,aes_128_cbc,sha256,sha256
rsa,aes_128_cbc,sha256
ecdhe_rsa,aes_256_cbc,sha
dhe_rsa,aes_256_cbc,sha
rsa,aes_256_cbc,sha
ecdhe_rsa,aes_128_cbc,sha
ecdh_rsa,aes_128_cbc,sha
dhe_rsa,aes_128_cbc,sha
rsa,aes_128_cbc,sha
dhe_dss,aes_128_cbc,sha256
ecdhe_ecdsa,aes_256_cbc,sha
ecdh_ecdsa,aes_256_cbc,sha
ecdh_rsa,aes_256_cbc,sha
ecdhe_ecdsa,aes_128_cbc,sha
ecdh_ecdsa,aes_128_cbc,sha
dhe_dss,aes_128_cbc,sha
dhe_dss,aes_256_cbc,sha256
dhe_dss,aes_256_cbc,sha
ecdh_ecdsa,'3des_ede_cbc',sha
ecdhe_ecdsa,'3des_ede_cbc',sha
ecdhe_rsa,'3des_ede_cbc',sha
ecdh_rsa,'3des_ede_cbc',sha
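
The SSL and RabbitMQ lists above use two notations (OpenSSL names and Erlang tuples). The following added example, which is not part of the HPE documentation, parses both and flags suites that lack forward secrecy, use a 64-bit block cipher, or use an MD5 or SHA-1 MAC. The finding labels and the choice of sample names are assumptions of this example.

```python
"""Added example: audit cipher-suite names in the two notations on this page."""

FS_KX = {"ECDHE", "DHE"}          # ephemeral key exchange gives forward secrecy
KX_TOKENS = {"ECDHE", "DHE", "ECDH", "DH", "PSK", "KRB5"}
AUTH_TOKENS = {"RSA", "ECDSA", "DSS"}
BLOCK64 = ("DES", "IDEA")         # 3DES and IDEA operate on 64-bit blocks


def parse_suite(name):
    """Return (key_exchange, cipher, mac) for an OpenSSL or Erlang style name."""
    if "," in name:               # Erlang tuple form, as in the RabbitMQ list
        kx_auth, cipher, mac = [f.strip(" '") for f in name.split(",")][:3]
        kx = kx_auth.split("_")[0]
    else:                         # OpenSSL form, e.g. DHE-RSA-AES256-SHA
        parts = name.split("-")
        has_kx = parts[0] in KX_TOKENS
        kx = parts[0] if has_kx else "RSA"   # no prefix means RSA key transport
        body = parts[1:] if has_kx else parts
        if body[0] in AUTH_TOKENS:
            body = body[1:]
        cipher, mac = "-".join(body[:-1]), body[-1]
    return kx.upper(), cipher.upper(), mac.upper()


def audit(name):
    """Return the list of findings for one suite name (empty list = none)."""
    kx, cipher, mac = parse_suite(name)
    findings = []
    if kx not in FS_KX:
        findings.append("no-forward-secrecy")
    if any(tok in cipher for tok in BLOCK64):
        findings.append("64-bit-block-cipher")
    if mac == "MD5":
        findings.append("md5-mac")
    elif mac == "SHA":            # a bare "SHA" suffix means HMAC-SHA1
        findings.append("sha1-mac")
    return findings


# Constructed sample: a few names copied from the two lists on this page.
SAMPLE = ["ECDHE-RSA-AES256-SHA384", "AES256-SHA256", "KRB5-IDEA-CBC-MD5",
          "ECDHE-ECDSA-DES-CBC3-SHA", "dhe_rsa,aes_256_cbc,sha256",
          "ecdh_rsa,'3des_ede_cbc',sha"]

if __name__ == "__main__":
    for suite in SAMPLE:
        print(f"{suite:32} {', '.join(audit(suite)) or 'no findings'}")
```
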

Supported SNMP authentication protocols for interconnects

MD5
SHA1
SHA-256
SHA-384
SHA-512

Supported SNMP privacy protocols for interconnects


MD5
DES
3DES
AES-128
AES-192
AES-256

Supported SNMP authentication protocols for trap forwarding

MD5
SHA1
SHA256
SHA384
SHA512

Supported SNMP privacy protocols for trap forwarding

DES
3DES
AES-128
AES-192
AES-256

SNMP server management

For SNMP server management, SNMPv3 is used wherever device support is available. The authentication and privacy protocols used vary based on the protocols supported by the specific version of the device.