Best practices for maintaining a secure appliance

The following table comprises a partial list of security best practices that Hewlett Packard Enterprise recommends in both physical and virtual environments. Security best practices differ by customer and their specific or unique requirements. No one set of best practices is applicable for all customers.

Topic

Best Practice

Access
Accounts
  • Limit the number of local accounts, or disable them entirely. Integrate the appliance with an enterprise directory solution such as Microsoft Active Directory or OpenLDAP, and use the directory's features for password expiration, complexity, and history, and to disable local users and groups.
  • If local accounts are used, protect the built-in administrator account with a strong password.

  • Do not use the built-in Administrator account. All users must log in using their own credentials to facilitate auditing.

Audit logs
  • Download the appliance audit logs at regular intervals.

Certificates
  • Use certificates signed by a trusted certificate authority (CA).

    HPE OneView uses certificates to authenticate and establish trust relationships. One of the most common uses of certificates is when a connection from a web browser to a web server is established. The machine-level authentication is carried out as part of the HTTPS protocol, using SSL. Certificates can also be used to authenticate devices when setting up a communication channel.

    The appliance supports self-signed certificates and certificates signed by a CA.

    The appliance is initially configured with self-signed certificates for the web server and the State Change Message Bus (SCMB).

    The same CA-signed appliance certificate used to secure access to HPE OneView is also used for the SCMB server certificate. A client certificate is not available for SCMB by default, but can be generated from the internal HPE OneView CA or through another trusted CA.

    Hewlett Packard Enterprise advises customers to examine their security needs (that is, to perform a risk assessment) and consider the use of certificates signed by a trusted CA.

    • You should use your company's existing custom CA and import its trusted certificates. The trusted root CA certificate must be deployed both to HPE OneView and to the hardware devices that HPE OneView manages. HPE OneView performs the CA-based certificate validation, so every device that you connect to must have a certificate that is trusted by that root CA.

    • If your company does not have its own certificate authority, consider using a commercial CA. There are numerous third-party companies that provide trusted certificates. You will need to work with the external CA to have certificates generated for specific devices and systems and then import these trusted certificates into the components that use them.

    As the Infrastructure administrator, you can generate a certificate signing request (CSR) and, upon receipt, upload the certificate to the appliance web server. This ensures the integrity and authenticity of your HTTPS connection to the appliance. Certificates can also be uploaded for the SCMB.

    See Use a certificate authority.

The following considerations apply when you are looking to replace a self-signed certificate with a commercial CA-signed certificate:
  • Determine if you want to use commercial CA certificates for all of the devices in your environment, or just the appliance web server certificate.

  • Determine if you want to use a public key infrastructure (PKI) to generate your own CA-signed certificates, or purchase commercial CA-signed certificates for all your managed devices.

  • For the appliance web server certificate, you must request the CA to include the following:
    • Key usage with Digital Signature and Key Encipherment values.

    • Extended key usage with Server Authentication or Client Authentication as values.

    • Basic Constraints for Subject Type with End Entity as the value.

    • Expiration or validity of the certificates: Frequently expiring commercial certificates are difficult to manage. Therefore, Hewlett Packard Enterprise recommends a minimum validity period of one to two years.

    • The Enterprise Directory Server administrator must ensure that the Subject Alternative Name and the Subject of the Certificate Signing Request (CSR) that was used to obtain the CA-signed certificate for the managed device contain either the host (fully qualified domain name), the resolved IP address, or the wildcard entry for the domain name.

      Anytime the IP address or hostname of the appliance changes, any CA-signed appliance certificate associated with the appliance is erased, and a new self-signed appliance certificate is generated. In this case, you must generate a new CSR, have it signed by a CA, and import it into the appliance.

    • If a commercial CA has a chain, such as a root CA and one or more intermediate CAs, you must load all the certificates in the chain into HPE OneView, because the appliance expects every certificate in the chain to be trusted.

    • The maximum number of certificates that can be present in the certificate chain is nine. The appliance fails to connect to any device or server if it has a certificate chain depth higher than the maximum limit. The maximum certificate chain depth is set by default on the appliance, and cannot be customized by the user.

    • If you want to perform certificate revocation checks, you must set up Certificate Revocation Lists (CRLs) from the CAs and refresh them periodically.
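The extension requirements above (key usage, extended key usage, end-entity basic constraints, SAN, and the chain depth limit of nine) can be encoded in an OpenSSL request config and checked on the returned certificate before it is uploaded. The script below is an added example, not HPE code; the hostname and IP address are constructed placeholders.

```shell
# Added example, not HPE code: encode the appliance web-server certificate
# requirements in an OpenSSL request config, build the CSR, and check an
# issued PEM certificate and chain bundle against them.
set -eu
APPLIANCE_FQDN="oneview.example.internal"   # placeholder, not a real host
APPLIANCE_IP="192.0.2.10"                    # placeholder (TEST-NET-1 range)
MAX_CHAIN_DEPTH=9                            # fixed appliance limit
# Write the request config; the [ext] section carries the required values.
write_csr_config() {
  cat > "$1" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
x509_extensions = ext
[dn]
CN = $APPLIANCE_FQDN
[ext]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
basicConstraints = CA:FALSE
subjectAltName = DNS:$APPLIANCE_FQDN, IP:$APPLIANCE_IP
EOF
}
# Generate a fresh key and CSR to send to the CA. Args: config key_out csr_out
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1" \
    -keyout "$2" -out "$3" 2>/dev/null
}
# Inspect the certificate the CA returned; print what is missing and return 1
# if any required value is absent, so the cert is rejected before upload.
check_cert_extensions() {
  txt=$(openssl x509 -in "$1" -noout -text)
  missing=""
  echo "$txt" | grep -q 'Digital Signature'   || missing="$missing digitalSignature"
  echo "$txt" | grep -q 'Key Encipherment'    || missing="$missing keyEncipherment"
  echo "$txt" | grep -Eq 'TLS Web (Server|Client) Authentication' || missing="$missing extendedKeyUsage"
  echo "$txt" | grep -q 'CA:FALSE'            || missing="$missing endEntity"
  echo "$txt" | grep -q "DNS:$APPLIANCE_FQDN" || missing="$missing subjectAltName"
  [ -z "$missing" ] && return 0
  echo "missing:$missing"
  return 1
}
# A chain bundle deeper than nine certificates will be refused by the appliance.
chain_depth_ok() {
  n=$(grep -c 'BEGIN CERTIFICATE' "$1" || true)
  [ "$n" -le "$MAX_CHAIN_DEPTH" ]
}
```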

Network
  • Hewlett Packard Enterprise recommends creating a private management LAN and keeping it separate from the production LANs (an arrangement often described as air-gapped), using VLAN or firewall technology, or both.

    • Management LAN

      Connect all management processor devices, including Onboard Administrators, iLOs, and iPDUs to the HPE OneView appliance by using the management LAN.

      Grant management LAN access to authorized personnel only. For example, Infrastructure administrators, Network administrators, and Server administrators.

    • Production LAN

      Connect all NICs for managed devices to the production LAN.

  • Hewlett Packard Enterprise recommends not connecting management systems, such as the appliance, the iLO, and the Onboard Administrator, directly to the Internet.

    If you require inbound Internet access, use a corporate VPN (virtual private network) that provides firewall protection. For outbound Internet access (for example, for Remote Support), use a secured web proxy. To set the web proxy, see "Preparing for remote support registration" or "Configure the proxy settings" in the online help.

Passwords
  • Hewlett Packard Enterprise recommends that you integrate HPE OneView with an enterprise directory such as Microsoft Active Directory or OpenLDAP and disable local HPE OneView accounts, except for the Maintenance Console. Your enterprise directory can then enforce common password management policies such as password lifetime, password complexity, and minimum password length.

  • The appliance maintenance console uses a local administrator account. Hewlett Packard Enterprise recommends that you set a password for appliance maintenance console access.

Permissions

Permissions are used to control user access to the appliance and the resources managed by the appliance. The Infrastructure administrator grants rights to users and directory groups by assigning permissions. A permission consists of a role and an optional scope. The role grants access to resource categories. For more information about permissions, see HPE OneView Online help.

  • Role: HPE OneView defines a set of roles that describe the actions a user can perform on resource categories. When assigned to a user or directory group, a role grants the right to perform actions on categories of resources managed by the appliance. The Infrastructure administrator role should be reserved for the highest access. See "About user roles" in the online help.

  • Scope: Define a scope and assign a subset of resources representing the management domain of one or more users. A scope in a permission further restricts the rights granted by the role to particular resource instances. Thus, it is appropriate to use a common scope in permissions for users with differing roles.

Two-factor authentication
Updates
Virtual Environment
  • Restrict access to the appliance console to authorized users so that only authorized personnel can initiate HPE service requests, which can grant privileged access to the appliance.

  • If you use an Intrusion Detection System (IDS) solution in your environment, ensure that the solution has visibility into network traffic in the virtual switches.

  • Follow your hypervisor software best practices.