beautypg.com

10 browser best practices for a secure environment, 11 nonbrowser clients, 1 passwords – HP OneView User Manual

Page 52: 2 ssl connection, 1 passwords 3.11.2 ssl connection

background image

You can import a certificate signed by a CA, and using it instead of the self-signed certificate. The
overall steps are as follows:

1.

You generate a CSR (certificate signing request).

2.

You copy the CSR and submit it to the CA, as instructed by the CA.

3.

The CA authenticates the requestor.

4.

The CA sends the certificate to you, as stipulated by the CA.

5.

You import the certificate.

For information on generating the CSR and importing the certificate, see the UI help.

3.10 Browser best practices for a secure environment

Description

Best practice

See the HP OneView Support Matrix to ensure that your browser and browser version
are supported and the appropriate browser plug-ins and settings are configured.

Use supported browsers

In the browser, a cookie stores the session ID of the authenticated user. Although the
cookie is deleted when you close the browser, the session is valid on the appliance until
you log out. Logging out ensures that the session on the appliance is invalidated.

Log out of the appliance
before you close the browser

When you are logged in to the appliance, avoid clicking links to or from sites outside
the appliance UI, such as links sent to you in email or instant messages. Content outside
the appliance UI might contain malicious code.

Avoid linking to or from sites
outside of the appliance UI

When you are logged in to the appliance, avoid browsing to other sites using the same
browser instance (for example, via a separate tab in the same browser).

For example, to ensure a separate browsing environment, use Firefox for the appliance
UI, and use Chrome for non-appliance browsing.

Use a different browser to
access sites outside the
appliance

3.11 Nonbrowser clients

The appliance supports an extensive number of REST APIs. Any client, not just a browser, can issue
requests for REST APIs. The caller must ensure that they take appropriate security measures regarding
the confidentiality of credentials, including:

The session token, which is used for data requests

Responses beyond the encryption of the credentials on the wire using HTTPS.

3.11.1 Passwords

Passwords are likely displayed and stored in clear text by a client like cURL. You can download
cURL

at the following web address:

http://curl.haxx.se/download.html

Take care to prevent unauthorized users from:

Viewing displayed passwords

Viewing session identifiers

Having access to saved data

3.11.2 SSL connection

The client should specify HTTPS as the protocol to ensure SSL is used on the network to protect
sensitive data. If the client specifies HTTP, it will be redirected to HTTPS to ensure that SSL is used.

The appliance certificate, which the client requires, allows the SSL connection to succeed. A
convenient way to obtain a certificate is to use a browser pointed at the appliance; for more

52

Understanding the security features of the appliance