3.1 Securing the appliance – HP OneView User Manual
3 Understanding the security features of the appliance
Most security policies and practices used in a traditional environment are applicable in a virtualized
environment. However, in a virtualized environment, these policies might require modifications
and additions.
3.1 Securing the appliance
CATA (Comprehensive Applications Threat Analysis) is a powerful HP security quality assessment
tool designed to substantially reduce the number of latent security defects. The design of the
appliance employed CATA fundamentals and underwent CATA review.
The following factors secured (hardened) the appliance and its operating system:
• Best practice operating system security guidelines were followed.
  The appliance operating system minimizes its vulnerability by running only the services required to provide functionality. The appliance operating system enforces mandatory access controls internally.
  ◦ The appliance maintains a firewall that allows traffic on specific ports and blocks all unused ports. See “Ports required for HP OneView” (page 57) for the list of network ports used.
  ◦ Key appliance services run only with the required privileges; they do not run as privileged users.
  ◦ The operating system bootloader is password protected. The appliance cannot be compromised by someone attempting to boot in single-user mode.
• The appliance is designed to operate entirely on an isolated management LAN. Access to the production LAN is not required.
• The appliance enforces a password change at first login. The default password cannot be used again.
• The appliance supports self-signed certificates and certificates issued by a certificate authority. The appliance is initially configured with a self-signed certificate. As the Infrastructure administrator, you can generate a CSR (certificate signing request) and, upon receipt, upload the certificate to the appliance. This ensures the integrity and authenticity of your HTTPS connection to the appliance.
• All browser operations and REST API calls use HTTPS. All weak SSL (Secure Sockets Layer) ciphers are disabled.
• The appliance supports secure updating. HP digitally signs all updates to ensure integrity and authenticity.
• Backup files and transaction logs are encrypted.
• Support dumps are encrypted by default, but you (as Infrastructure administrator) have the option to not encrypt them. Support dumps are automatically encrypted when a user with another role creates them.
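A check an administrator could run from the management LAN against the certificate and HTTPS items above (an added example, not HP code): it reports whether the appliance certificate validates against the local trust store, which fails while the initial self-signed certificate is installed, and flags an old protocol or weak cipher if one is negotiated. The weak-cipher fragments, the protocol list and the function names are assumptions of this example.

```python
import socket
import ssl
import sys

# Constructed policy for this example (not from the manual): name fragments of
# OpenSSL cipher suites treated as weak, and protocol versions treated as old.
WEAK_FRAGMENTS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")
OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def assess(protocol, cipher, trust_error):
    """Turn one handshake result into a list of findings (empty means clean)."""
    findings = []
    if protocol in OLD_PROTOCOLS:
        findings.append(f"old protocol negotiated: {protocol}")
    if any(fragment in cipher.upper() for fragment in WEAK_FRAGMENTS):
        findings.append(f"weak cipher negotiated: {cipher}")
    if trust_error:
        # Expected while the initial self-signed certificate is still installed.
        findings.append(f"certificate not trusted: {trust_error}")
    return findings


def _handshake(host, port, ctx, timeout):
    """Complete one TLS handshake and return (protocol, cipher name)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


def probe(host, port=443, timeout=5.0):
    """Return (protocol, cipher, trust_error); trust_error is None if the chain validates."""
    try:
        return (*_handshake(host, port, ssl.create_default_context(), timeout), None)
    except ssl.SSLCertVerificationError as exc:
        trust_error = exc.verify_message
    # Second pass without verification, used only to read the negotiated
    # parameters; no application data is sent over this connection.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return (*_handshake(host, port, ctx, timeout), trust_error)


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python check_tls.py <appliance-hostname>
    for finding in assess(*probe(sys.argv[1])) or ["no findings"]:
        print(finding)
```

A current Python client offers only modern suites, so the result describes what was negotiated with this client, not every suite the appliance would accept.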