You can import a certificate signed by a CA, and using it instead of the self-signed certificate. The overall steps are as follows:

1.You generate a CSR (certificate signing request).

2.You copy the CSR and submit it to the CA, as instructed by the CA.

3.The CA authenticates the requestor.

4.The CA sends the certificate to you, as stipulated by the CA.

5.You import the certificate.

For information on generating the CSR and importing the certificate, see the UI help.

3.10 Browser best practices for a secure environment

Best practice

Use supported browsers

Log out of the appliance before you close the browser

Avoid linking to or from sites outside of the appliance UI

Use a different browser to access sites outside the appliance

Description

See the HP OneView Support Matrix to ensure that your browser and browser version are supported and the appropriate browser plug-ins and settings are configured.

In the browser, a cookie stores the session ID of the authenticated user. Although the cookie is deleted when you close the browser, the session is valid on the appliance until you log out. Logging out ensures that the session on the appliance is invalidated.

When you are logged in to the appliance, avoid clicking links to or from sites outside the appliance UI, such as links sent to you in email or instant messages. Content outside the appliance UI might contain malicious code.

When you are logged in to the appliance, avoid browsing to other sites using the same browser instance (for example, via a separate tab in the same browser).

For example, to ensure a separate browsing environment, use Firefox for the appliance UI, and use Chrome for non-appliance browsing.

3.11 Nonbrowser clients

The appliance supports an extensive number of REST APIs. Any client, not just a browser, can issue requests for REST APIs. The caller must ensure that they take appropriate security measures regarding the confidentiality of credentials, including:

The session token, which is used for data requests

Responses beyond the encryption of the credentials on the wire using HTTPS.

3.11.1Passwords

Passwords are likely displayed and stored in clear text by a client like cURL. You can download cURL at the following web address:

http://curl.haxx.se/download.html

Take care to prevent unauthorized users from:

Viewing displayed passwords

Viewing session identifiers

Having access to saved data

3.11.2SSL connection

The client should specify HTTPS as the protocol to ensure SSL is used on the network to protect sensitive data. If the client specifies HTTP, it will be redirected to HTTPS to ensure that SSL is used.

The appliance certificate, which the client requires, allows the SSL connection to succeed. A convenient way to obtain a certificate is to use a browser pointed at the appliance; for more

52 Understanding the security features of the appliance

Page 52
Image 52
HP OneView manual Browser best practices for a secure environment, Nonbrowser clients, Passwords, SSL connection