3 using a certificate authority, 11 browser best practices for a secure environment, 12 nonbrowser clients – HP OneView User Manual
Page 52: 1 passwords
3.10.3 Using a certificate authority
Use a trusted CA (certificate authority) to simplify certificate trust management; the CA issues
certificates that you import. If the browser is configured to trust the CA, certificates signed by the
CA are also trusted. A CA can be internal (operated and maintained by your organization) or
external (operated and maintained by a third party).
You can import a certificate signed by a CA, and using it instead of the self-signed certificate. The
overall steps are as follows:
1.
You generate a CSR (certificate signing request).
2.
You copy the CSR and submit it to the CA, as instructed by the CA.
3.
The CA authenticates the requestor.
4.
The CA sends the certificate to you, as stipulated by the CA.
5.
You import the certificate.
For information on generating the CSR and importing the certificate, see the UI help.
3.11 Browser best practices for a secure environment
Description
Best practice
See the HP OneView Support Matrix to ensure that your browser and browser version
are supported and the appropriate browser plug-ins and settings are configured.
Use supported browsers
In the browser, a cookie stores the session ID of the authenticated user. Although the
cookie is deleted when you close the browser, the session is valid on the appliance until
you log out. Logging out ensures that the session on the appliance is invalidated.
Log out of the appliance
before you close the browser
When you are logged in to the appliance, avoid clicking links to or from sites outside
the appliance UI, such as links sent to you in email or instant messages. Content outside
the appliance UI might contain malicious code.
Avoid linking to or from sites
outside of the appliance UI
When you are logged in to the appliance, avoid browsing to other sites using the same
browser instance (for example, via a separate tab in the same browser).
For example, to ensure a separate browsing environment, use Firefox for the appliance
UI, and use Chrome for non-appliance browsing.
Use a different browser to
access sites outside the
appliance
3.12 Nonbrowser clients
The appliance supports an extensive number of REST APIs. Any client, not just a browser, can issue
requests for REST APIs. The caller must ensure that they take appropriate security measures regarding
the confidentiality of credentials, including:
•
The session token, which is used for data requests.
•
Responses beyond the encryption of the credentials on the wire using HTTPS.
3.12.1 Passwords
Passwords are likely displayed and stored in clear text by a client like cURL. You can download
cURL
at the following web address:
Take care to prevent unauthorized users from:
•
Viewing displayed passwords
•
Viewing session identifiers
•
Having access to saved data
52
Understanding the security features of the appliance