Authentication for appliance access

You can authenticate users to access HPE OneView using any one of the following methods:

  • User name and password login: You can configure the appliance to perform authentication using a user name and password.
    NOTE:

    If you opted for a customer-provided password using the Factory Express process, the default administrator / admin login password fails. In this case, use the user name and password that you specified in the Factory Express process form.

  • Two-factor login: You can configure the appliance to perform smart certificate authentication using the two-factor login. When two-factor authentication is enabled in the Security settings screen, you must use a smart card and a valid personal identification number (PIN) to authenticate access to HPE OneView.

    IMPORTANT:

    When Smart card only login is enabled in the Security settings screen, only the two-factor login option is displayed on the HPE OneView login screen. Customers who require the highest level of security mandate the use of the Smart card only login.

    NOTE:

    If you are unable to log in to the appliance using two-factor authentication, check the Directory domain configuration under Edit security > Client Login Certificate Configuration. If the certificates are missing the directory domain information, use the Manually specify option to enter your domain details.

The following are the prerequisites to log into the HPE OneView appliance using a smart card:

  • The user, when prompted by their browser, must enter a valid PIN.

    NOTE:

    A valid PIN allows the browser to access the certificate contents and pass them to HPE OneView.

  • The certificate must be valid (properly signed, not expired, proper X.509 format).

  • The certificate must not have been revoked.

  • The certificate must contain at least one user name that can be extracted from the configured certificate fields.

  • At least one user name from the certificate must be a valid user in one of the configured directories.

  • The certificate must contain the directory domain information, or the administrator must have specified it manually.

If all these requirements are met, HPE OneView retrieves the list of groups to which the user belongs from the enterprise directory. HPE OneView uses the group membership information to determine which role to assign to the user. The role tells HPE OneView which resources the user has access to and which operations they can perform.
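The smart card prerequisites listed above can be checked before a login attempt; the following is an added example, not HPE OneView code, that reports which ones a decoded client certificate fails. It assumes the dict layout of Python's ssl.SSLSocket.getpeercert(), a hypothetical field configuration (USERNAME_FIELDS), and caller-supplied revocation and directory data. Signature and chain validation are left to the TLS stack.

```python
import ssl
import time

# Assumption (not from the page): fields that may carry the user name, in order.
USERNAME_FIELDS = (("subjectAltName", "email"), ("subject", "commonName"))

# Constructed sample in the dict layout returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("domainComponent", "com"),), (("domainComponent", "example"),),
                (("commonName", "jdoe"),)),
    "subjectAltName": (("email", "jdoe@example.com"),),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
    "serialNumber": "0A1B2C",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")

def subject_values(cert, attr):  # all values of one subject attribute, encoded order
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == attr]

def candidate_usernames(cert):
    """User names found in the configured certificate fields."""
    names = []
    for field, key in USERNAME_FIELDS:
        if field == "subject":
            names += subject_values(cert, key)
        else:
            names += [v for k, v in cert.get(field, ()) if k == key]
    return names

def preflight(cert, directory_users, revoked_serials, manual_domain=None, now=None):
    """Return the unmet smart card login prerequisites (empty list = ready)."""
    now = time.time() if now is None else now
    problems = []
    start, end = (ssl.cert_time_to_seconds(cert[k]) for k in ("notBefore", "notAfter"))
    if not start <= now <= end:
        problems.append("certificate is outside its validity period")
    if cert["serialNumber"] in revoked_serials:
        problems.append("certificate has been revoked")
    names = candidate_usernames(cert)
    if not names:
        problems.append("no user name in the configured certificate fields")
    elif not any(n.lower() in directory_users for n in names):
        problems.append("no certificate user name is a valid directory user")
    # Assumes DC components are encoded root-first (com, example).
    domain = ".".join(reversed(subject_values(cert, "domainComponent"))) or manual_domain
    if not domain:
        problems.append("certificate lacks directory domain; specify it manually")
    return problems
```

Pass directory_users as lowercase names. A certificate without domainComponent entries passes only when manual_domain is supplied, which mirrors the Manually specify option.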

User accounts are configured on the appliance or in an enterprise directory (required for two-factor authentication). All access (browser and REST APIs), including authentication, occurs over Transport Layer Security (TLS) to protect the credentials during transmission over the network.
