3 Understanding the security features of the appliance

Most security policies and practices used in a traditional environment are applicable in a virtualized environment. However, in a virtualized environment, these policies might require modifications and additions.

3.1 Securing the appliance

CATA (Comprehensive Applications Threat Analysis) is a powerful HP security quality assessment tool designed to substantially reduce the number of latent security defects. The design of the appliance employed CATA fundamentals and underwent CATA review.

The following factors secured (hardened) the appliance and its operating system:

Best practice operating system security guidelines were followed.

The appliance operating system minimizes its vulnerability by running only the services required to provide functionality. The appliance operating system enforces mandatory access controls internally.

The appliance maintains a firewall that allows traffic on specific ports and blocks all unused ports. See “Ports needed for HP OneView” (page 53) for the list of network ports used.

Key appliance services run only with the required privileges; they do not run as privileged users.

The operating system bootloader is password protected. The appliance cannot be compromised by someone attempting to boot in single-user mode.

The appliance is designed to operate entirely on an isolated management LAN. Access to the production LAN is not required.

The appliance enforces a password change at first login. The default password cannot be used again.

The appliance supports self-signed certificates and certificates issued by a certificate authority.

The appliance is initially configured with a self-signed certificate. As the Infrastructure administrator, you can generate a CSR (certificate signing request) and, upon receipt of the signed certificate, upload it to the appliance. This ensures the integrity and authenticity of your HTTPS connection to the appliance.

All browser operations and REST API calls use HTTPS. All weak SSL (Secure Sockets Layer) ciphers are disabled.

The appliance supports secure updating. HP digitally signs all updates to ensure integrity and authenticity.

Backup files and transaction logs are encrypted.

Support dumps are encrypted by default, but you have the option to not encrypt them.
