Establishing initial trust with interconnects

Establishing initial trust with interconnects is applicable only for the HPE Virtual Connect SE 32Gb FC Module for Synergy interconnect.

By default, the HPE Virtual Connect SE 32Gb FC Module for Synergy contains a self-signed certificate.

For secure communication between HPE OneView and interconnects, based on a common root of trust, an administrator must do the following:
  • Generate a certificate signing request (CSR) to obtain an SSL certificate for the module from a certificate authority (CA). The CSR contains the information that must be included in the certificate, such as region (C), locality (L), common name (CN), organization name (O), and organizational unit (OU).

  • Submit the CSR to a certificate authority to obtain a signed certificate in base64-encoded format.

  • Import the signed certificate, along with the CA chain certificates in base64-encoded format, into the interconnect.

The CA chain certificates and the server certificates are validated and then imported into the module. On successful import, the CA chain certificates are stored in the HPE OneView trust store.

The appliance generates expiration alerts for any certificates that are loaded in the trust store. If the module is replaced or if the certificate expires before it can be updated, disable Certificate validation across the appliance in the Security > Edit Security > Certificates panel. Then, perform the CSR steps, update the certificate, and re-enable Certificate validation.

Handling factory reset of interconnects

When you reset the module, it reverts to the factory-installed, self-signed certificate. Additionally, the module removes any in-progress CSR or certificate you have installed. If you bring the module under management again, you must repeat the whole process: generate a new CSR, have it signed, and upload the certificate, because the factory reset procedure removes any previous certificate.

While a factory reset removes the certificate from the module, it does not automatically remove the certificate from the trust store. Use the Security > Manage Certificates screen in the HPE OneView user interface or the REST API to remove the corresponding certificate from the trust store. See the HPE OneView API Reference for HPE Synergy in the online help for details.

When the signed certificate and the CA chain certificates are uploaded or imported to the module, HPE OneView stores only the CA chain certificates in the trust store, not the signed certificate. To delete the CA chain certificates associated with a signed certificate, verify which CA chain certificates to remove based on their common names.

To view the correct instance of the certificate to remove from the trust store, use the Security > Manage Certificates screen, and search for the certificate by the common name (CN). You can also filter by Expired state on this screen.

For more information on certificate management, see the HPE OneView User Guide for HPE Synergy.

Validation of signed certificates

You can enhance the security of the HPE Synergy frame by using signed certificates.

NOTE:

When signing the certificate, provide the mandatory Subject Alternative Name (SAN) information. The SAN must contain at least one valid IP address of the interconnect into which the signed certificate is being imported.

HPE OneView validates the signed certificate with the SAN while importing the certificate into the interconnect. HPE OneView provides REST APIs to:
  • Initiate and generate a certificate signing request.

  • Upload a signed certificate.

For more information on REST APIs, see the HPE OneView API Reference for HPE Synergy.
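
The chain and SAN validation described above can be rehearsed on an administrator workstation before the import. The following shell function is an added example, not HPE code: it assumes OpenSSL is installed, and the function name, file names, and IP address are supplied by the caller and are hypothetical.

```shell
#!/bin/sh
# Pre-import checks for a CA-signed interconnect certificate (added example).
# Usage: check_signed_cert <signed-cert.pem> <ca-chain.pem> <interconnect-ip> [csr.pem]
# Return codes: 0 ok, 1 not PEM, 2 chain failure, 3 SAN/IP mismatch, 4 key mismatch.

check_signed_cert() {
    cert=$1 chain=$2 ip=$3 csr=${4:-}

    # 1. Both files must be base64 (PEM) encoded, as the import expects.
    for f in "$cert" "$chain"; do
        grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || {
            echo "FAIL: $f is not base64 (PEM) encoded" >&2; return 1; }
    done

    # 2. The signed certificate must chain to the CA certificates being imported.
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 || {
        echo "FAIL: certificate does not verify against the CA chain" >&2; return 2; }

    # 3. The SAN must contain the interconnect's IP address.
    #    -checkip compares against SAN iPAddress entries only, never the CN.
    openssl x509 -in "$cert" -noout -checkip "$ip" 2>/dev/null |
        grep -q 'does match certificate' || {
        echo "FAIL: SAN does not contain IP $ip" >&2; return 3; }

    # 4. Optional: the certificate must carry the public key from the CSR,
    #    which catches a certificate issued for a different or stale CSR
    #    (for example, one generated before a factory reset).
    if [ -n "$csr" ]; then
        cert_key=$(openssl x509 -in "$cert" -noout -pubkey)
        csr_key=$(openssl req -in "$csr" -noout -pubkey)
        [ "$cert_key" = "$csr_key" ] || {
            echo "FAIL: certificate public key does not match the CSR" >&2; return 4; }
    fi

    echo "OK: $cert chains to $chain and lists IP $ip in its SAN"
}
```

The chain file passed to the function must include the root CA certificate, because `openssl verify` does not accept a partial chain by default.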