beautypg.com

1 securing the appliance – HP OneView User Manual

Page 49

background image

3 Understanding the security features of the appliance

Most security policies and practices used in a traditional environment are applicable in a virtualized
environment. However, in a virtualized environment, these policies might require modifications
and additions.

3.1 Securing the appliance

CATA (Comprehensive Applications Threat Analysis) is a powerful HP security quality assessment
tool designed to substantially reduce the number of latent security defects. The design of the
appliance employed CATA fundamentals and underwent CATA review.

The following factors secured (hardened) the appliance and its operating system:

Best practice operating system security guidelines were followed.

The appliance operating system minimizes its vulnerability by running only the services required
to provide functionality. The appliance operating system enforces mandatory access controls
internally.

The appliance maintains a firewall that allows traffic on specific ports and blocks all
unused ports. See

“Ports required for HP OneView” (page 57)

for the list of network ports

used.

Key appliance services run only with the required privileges; they do not run as privileged
users.

The operating system bootloader is password protected. The appliance cannot be
compromised by someone attempting to boot in single-user mode.

The appliance is designed to operate entirely on an isolated management LAN. Access to the
production LAN is not required.

The appliance enforces a password change at first login. The default password cannot be
used again.

The appliance supports self-signed certificates and certificates issued by a certificate authority.

The appliance is initially configured with a self-signed certificate. As the Infrastructure
administrator, you can generate a CSR (certificate signing request) and, upon receipt, upload
the certificate to the appliance. This ensures the integrity and authenticity of your HTTPS
connection to the appliance.

All browser operations and REST API calls use HTTPS. All weak SSL (Secure Sockets Layer)
ciphers are disabled.

The appliance supports secure updating. HP digitally signs all updates to ensure integrity and
authenticity.

Backup files and transaction logs are encrypted.

Support dumps are encrypted by default, but you (as Infrastructure administrator) have the
option to not encrypt them. Support dumps are automatically encrypted when a user with
another role creates them.

3.1 Securing the appliance

49