Two-factor Authentication

Passwords, no matter how complex, provide insufficient security for many applications. For additional security, use two-factor authentication. With two-factor authentication, HPE OneView requires two factors to authenticate a user: something the user possesses (a smart card) and something the user knows (a personal identification number, or PIN).

HPE OneView user and password authentication

Users can be configured in HPE OneView as local users, or remotely in an enterprise directory.

The traditional user name and password login sequence is as follows:

  1. The user enters their user name and password.

  2. HPE OneView authenticates the user name and password.

    • If the user name is that of a local user configured in HPE OneView, HPE OneView validates the user name and password against the user record stored in the HPE OneView database.

    • If your environment is configured to use an enterprise directory, HPE OneView immediately forwards the user name and password to a configured directory server for authentication.

  3. Once authentication is successful, HPE OneView determines the authorization permissions for the user.

    • If it is a local user login, authorization permissions are decided based on the roles associated with the user.

    • If it is an enterprise directory login, HPE OneView sends a request to the directory server to retrieve the group names associated with the user. It uses those group names to determine the authorization permissions configured for the user in HPE OneView.

HPE OneView two-factor authentication

Enabling two-factor authentication allows you to use smart cards, such as Common Access Cards (CAC) or Personal Identity Verification (PIV) cards, to authenticate within HPE OneView. The smart card reader plugin in the browser reads the smart card and accesses the certificate on the card using the PIN specified by the user. The browser presents the client certificate embedded in the smart card to HPE OneView. The client certificate must be signed by a root or intermediate Certificate Authority (CA) that has previously been imported into HPE OneView. The appliance validates the client certificate and then confirms that the user name it carries belongs to a valid user recognized by the directory server configured in HPE OneView.

When two-factor authentication is enabled, HPE OneView uses a Microsoft Active Directory service account set up and owned by the user to access the Active Directory entry for the user, rather than using an account associated with the user name received during first-time login.

NOTE:

  • The Active Directory is not part of the HPE OneView appliance. You must separately install an Active Directory in your environment.

  • In HPE OneView, two-factor authentication is supported on an Active Directory configured with the service account binding type.

When you configure HPE OneView to use an enterprise directory such as Active Directory or OpenLDAP, the directory is assigned a name for use in the HPE OneView user interface. This directory can be serviced by multiple directory servers for high availability. Directory groups are assigned HPE OneView roles, and the directory users that are members of those groups receive those HPE OneView roles. An HPE OneView directory with its corresponding directory servers can only be defined once, and it uses a single set of group-to-role mappings. Assigning additional, different HPE OneView directory names to the same set of directory servers is not supported.

An Infrastructure administrator can also customize the rules HPE OneView applies during client certificate authentication. The Infrastructure administrator can configure the locations within the certificate from which HPE OneView retrieves the user name and domain name, and the OIDs that must be present for the certificate to be considered valid.

When a user logs in to the appliance with two-factor authentication, the revocation check on the user certificate depends by default on whether the certificate's CRL is available on the appliance. If the CRL for the user certificate is not available, the first two-factor authentication login does not go through a revocation check. If the automatic CRL download user setting is enabled, the CRL distribution points (CRL DPs) of the user certificate are retrieved and saved during that login, and the corresponding CRLs are downloaded and associated with the issuer CA of the certificate; the issuer CA of the user certificate must be present in the appliance trust store. Once the CRL is available, the revocation check takes place during the next two-factor authentication login.

The certificates stored on CAC/PIV cards are X.509 certificates. They contain fields that identify the certificate owner, the certificate issuer, and other certificate identification elements. When you enable two-factor authentication, you can specify which certificate fields HPE OneView must use to validate a user on the Client Login Certificate Configuration screen in the HPE OneView GUI.
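The following is an added example, not HPE OneView code, that models the client-certificate rules described above: administrator-chosen locations for the user name and domain, required OIDs, and the CRL behaviour where a login with no CRL on the appliance is not revocation-checked while the CRL is fetched for the next login. Certificates are represented as already-decoded dicts (constructed sample data, not parsed X.509), the rule keys and field paths are assumptions for illustration, and the CRL fetcher is a stand-in for an HTTP download; only the two EKU OIDs are real values.

```python
SMARTCARD_LOGON_EKU = "1.3.6.1.4.1.311.20.2.2"  # Microsoft Smart Card Logon (real OID)
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"           # id-kp-clientAuth (real OID)
# Administrator-chosen certificate locations and required OIDs (assumed rule format).
DEFAULT_RULES = {"user_field": "san.upn", "domain_field": "san.upn",
                 "required_oids": (SMARTCARD_LOGON_EKU, CLIENT_AUTH_EKU)}

class CrlStore:
    """Per-issuer CRL cache modelling 'first login unchecked, next login checked'."""
    def __init__(self, auto_download, fetcher):
        self.crls = {}                  # issuer name -> set of revoked serial numbers
        self.auto_download = auto_download
        self.fetcher = fetcher          # callable(dp_url) -> revoked serials (stand-in)

    def check(self, cert):
        issuer = cert["issuer"]
        if issuer in self.crls:
            return "revoked" if cert["serial"] in self.crls[issuer] else "good"
        if self.auto_download:          # save the cert's CRL DPs, download for the issuer CA
            self.crls[issuer] = set().union(*(self.fetcher(dp) for dp in cert.get("crl_dps", [])))
        return "unchecked"              # no CRL on the appliance: this login is not checked

def _read(cert, location):              # resolve "san.upn" / "subject.cn" in a decoded cert
    section, name = location.split(".", 1)
    return cert.get(section, {}).get(name)

def authenticate(cert, rules, trust_store, crl_store):
    """Return (identity, None) on success or (None, reason) on failure."""
    if cert["issuer"] not in trust_store:
        return None, "issuer CA not in trust store"
    missing = [oid for oid in rules["required_oids"] if oid not in cert["eku"]]
    if missing:
        return None, "required OIDs absent: " + ", ".join(missing)
    user, domain = _read(cert, rules["user_field"]), _read(cert, rules["domain_field"])
    if not user or not domain:
        return None, "configured user/domain fields missing"
    user = user.split("@", 1)[0]                                 # local part of a UPN
    domain = domain.split("@", 1)[1] if "@" in domain else domain
    status = crl_store.check(cert)
    if status == "revoked":
        return None, "certificate revoked"
    return {"user": user, "domain": domain, "revocation": status}, None

# Constructed sample: a decoded CAC/PIV-style certificate and a stand-in CRL fetcher.
SAMPLE_CERT = {"issuer": "CN=Example Issuing CA", "serial": 4711,
               "subject": {"cn": "DOE.JOHN.1234567890"}, "san": {"upn": "jdoe@corp.example"},
               "eku": [SMARTCARD_LOGON_EKU, CLIENT_AUTH_EKU],
               "crl_dps": ["http://crl.example/issuing.crl"]}
FAKE_CRLS = {"http://crl.example/issuing.crl": {4700, 4712}}    # serials listed as revoked
TRUST_STORE = {"CN=Example Issuing CA"}
```

Calling authenticate twice with the same CrlStore(auto_download=True, ...) shows the page's sequence: the first result reports revocation "unchecked", the second "good" (or a rejection if the serial appears in the downloaded CRL).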

NOTE:

When using REST APIs to authenticate a smart card login, the REST client used must support the client certificate authentication that HPE OneView requests during the TLS handshake.

Using the command line to login to HPE OneView based on two-factor authentication

You can remotely log in to an appliance using the REST API /rest/login-sessions/smartcards. One possible way of doing this is to use curl version 7.54.1-1 or higher, which in turn uses libssh2. Here is an example command:

# curl -v -i -X POST -H "Accept-Language:en-US" -H "X-Api-Version:<version number>" \
    --cert ./client-cert.pem:<PEM passphrase> \
    https://{appliance-IP}/rest/login-sessions/smartcards --cacert ./rootsplsintermediate.cer
NOTE:

The client-cert.pem file might be generated using OpenSSL or any other equivalent method. This file contains both the client certificate and the passphrase-protected private key. Replace <PEM passphrase> with the actual passphrase. The rootsplsintermediate.cer file contains the root certificate and the chain of intermediate certificates that were used to sign the HPE OneView server certificate. Alternatively, rootsplsintermediate.cer might contain the self-signed certificate of the HPE OneView server.
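The curl command above, as an added Python equivalent using only the standard library (not code from the HPE OneView documentation or SDK). It first applies the preflight check the note calls for, that client-cert.pem holds both a certificate and a passphrase-protected key, then presents that certificate in the TLS handshake. Assumptions: API_VERSION is a placeholder you must set, and the appliance answers the POST with a JSON body.

```python
import http.client
import json
import ssl

API_VERSION = "<version number>"   # placeholder: the X-Api-Version your appliance accepts

def check_client_pem(pem_text):
    """Return the problems found in client-cert.pem, which must hold both the client
    certificate and a passphrase-protected private key. An empty list means usable."""
    problems = []
    if "-----BEGIN CERTIFICATE-----" not in pem_text:
        problems.append("no client certificate block")
    if "PRIVATE KEY-----" not in pem_text:
        problems.append("no private key block")
    elif not ("-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text   # PKCS#8 encrypted key
              or "Proc-Type: 4,ENCRYPTED" in pem_text):            # legacy OpenSSL PEM header
        problems.append("private key is not passphrase-protected")
    return problems

def smartcard_login(appliance_ip, cert_pem, passphrase, ca_bundle, api_version=API_VERSION):
    """POST /rest/login-sessions/smartcards, presenting the smart card's client certificate
    in the TLS handshake; returns (HTTP status, response body). Mirrors the curl command:
    ca_bundle plays the --cacert role, cert_pem/passphrase the --cert file:passphrase pair."""
    with open(cert_pem) as f:
        problems = check_client_pem(f.read())
    if problems:
        raise ValueError("unusable client PEM: " + "; ".join(problems))
    ctx = ssl.create_default_context(cafile=ca_bundle)   # trust the root + intermediates
    ctx.load_cert_chain(cert_pem, password=passphrase)   # unlocks the key with the passphrase
    conn = http.client.HTTPSConnection(appliance_ip, context=ctx)
    conn.request("POST", "/rest/login-sessions/smartcards",
                 headers={"Accept-Language": "en-US", "X-Api-Version": api_version})
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    # Assumption: the appliance returns a JSON body; adjust if yours differs.
    return resp.status, json.loads(body) if body else None

# Constructed sample used only to exercise check_client_pem; not a real certificate or key.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
(constructed placeholder, not a real key)
-----END ENCRYPTED PRIVATE KEY-----
"""
```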

For more information, see the HPE OneView API Reference for HPE Synergy.