HP Insight Control Server Provisioning 7.2 Administrator Guide

Certificates, then Import. When prompted for the certificate store, choose the Place… option and
select the Trusted Root Certification Authorities store.
4.9.4 Browser best practices
Log out before closing the browser. The browser stores the authenticated user's session ID in a
cookie. The cookie is memory-based, so it is deleted when the browser closes; however, closing the
browser does not end the session on the appliance. Logging out ensures the session on the appliance
is invalidated.
Avoid links from outside the appliance GUI. Avoid clicking links, for example from email or
IM, while logged in to the appliance. The links may be malicious and take advantage of your
logged-in session (cross-site request forgery). For the same reason, avoid browsing to other sites
in the same browser instance, for example in separate tabs of the same browser. Use a different
browser to ensure a separate browsing process, for example Firefox for the appliance and Internet
Explorer for non-appliance browsing.
4.10 Credentials
Local user account passwords are stored as a salted hash. Password fields in the browser are
masked so the passwords are not shown, and passwords are protected in transit by SSL between
the appliance and the browser. Local user account passwords must be at least eight characters in
length. Additional password complexity rules are not enforced by the system. Password strength
and expiration must be controlled via the site security policy (see "Security best practices"
(page 31)).
The matrixuser account is not a local user account and cannot log in to the UI. It is used through a
different channel to drive the underlying SA Foundation from the Matrix Operating Environment.
The password may be set through the UI and is never displayed. It can be re-entered as often as
needed in case the value is lost. This password is not stored in clear text and is not retrievable.
iLO credentials entered in the UI are stored in a recoverable form as they must be passed to iLO.
Media server credentials are stored in a recoverable form as they must be used to connect to the
Media Server share.
The default passwords for OS installations can be stored in encrypted form. Please refer to the
Insight Control server provisioning online help for more information on the default passwords for
OSBPs.
4.11 Non-browser clients
The appliance supports a limited number of REST APIs. Requests to these may be issued by any
client, not just a browser. HTTPS encrypts the credentials on the wire; beyond that, it is up to the
caller to keep the credentials confidential, including the session token used for data requests and
responses.
4.11.1 Passwords
A client such as cURL is likely to display passwords and store them in clear text, for example in
shell history or in a saved command file. Take care to prevent unauthorized users from viewing
displayed passwords or reading saved data. The same applies to session identifiers: although they
are used transiently, they must not be accessible to unauthorized users.
The primary use of a REST connection is scripted automated backup. A limited-rights role for
that purpose, the backup administrator, is provided so that the credentials stored with an automated
backup script have only the rights necessary to perform the backup.
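The points in 4.11 and 4.11.1 (together with the certificate handling that 4.11.2 calls for) put into a script, as an added example that is not HP's code and is not part of the guide: a POSIX sh wrapper around curl for a scripted backup session. The password and the session token never appear on a command line (where ps shows them) or in shell history, they live only in files created with mode 0600, every request is https with the exported appliance certificate pinned, and the session is logged out on exit rather than merely discarded. The hostname icsp.example.com, the ~/.icsp file paths, the endpoint /rest/login-sessions, the JSON field names userName, password and sessionID, the auth request header and the /rest/backups path are assumptions made for illustration, not taken from the guide; check them against the appliance's REST documentation before use.

```shell
#!/bin/sh
# Added example, not HP's code: a POSIX sh wrapper around curl for a scripted
# backup session. Credentials and the session token never appear in argv (where
# 'ps' shows them) or shell history, live only in files created with mode 0600,
# every request is https with the exported appliance certificate pinned, and the
# session is logged out on exit instead of merely discarded.
# ASSUMED, not taken from the guide: the hostname, the ~/.icsp paths, the login
# endpoint /rest/login-sessions, its {"userName","password"} body, the
# "sessionID" reply field and the "auth" request header.

APPLIANCE="${APPLIANCE:-icsp.example.com}"            # assumed hostname
CACERT="${CACERT:-$HOME/.icsp/appliance.pem}"         # exported appliance cert, PEM
CREDFILE="${CREDFILE:-$HOME/.icsp/backup-admin.cred}" # "user:password", mode 0600

# Refuse a credential file that group or other can read (permission column of ls).
check_credfile_perms() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        -rw-------|-r--------) return 0 ;;
        *) echo "refusing $1: must be mode 0600 or 0400" >&2; return 1 ;;
    esac
}

# Escape a value for embedding in a JSON string (backslash and double quote).
json_escape() {
    printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

# Write the login request as two user-only files in directory $2: the JSON body
# and a curl config read with -K, so curl needs no secret on its command line.
write_login_config() {
    check_credfile_perms "$1" || return 1
    cred=$(cat "$1") || return 1
    user=$(json_escape "${cred%%:*}")
    pass=$(json_escape "${cred#*:}")
    (
        umask 077
        rm -f "$2/body.json" "$2/login.cfg"   # do not inherit looser permissions
        printf '{"userName":"%s","password":"%s"}\n' "$user" "$pass" > "$2/body.json"
        {
            printf 'url = "https://%s/rest/login-sessions"\n' "$APPLIANCE"
            printf 'cacert = "%s"\n' "$CACERT"       # pin the appliance certificate
            printf 'request = "POST"\n'
            printf 'header = "Content-Type: application/json"\n'
            printf 'header = "Accept: application/json"\n'
            printf 'data = "@%s/body.json"\n' "$2"
            printf 'silent\nshow-error\n'
        } > "$2/login.cfg"
    )
}

# Pull the session token out of the login reply (assumed JSON field "sessionID").
extract_session_id() {
    sed -n 's/.*"sessionID" *: *"\([^"]*\)".*/\1/p'
}

# Log in, GET one REST path, and log out on exit. The token is kept in a 0600
# config file and a shell variable of this process only, never in argv or a URL.
icsp_backup_session() {   # $1 = REST path to GET
    workdir=$(mktemp -d) || return 1          # mktemp -d creates the dir mode 0700
    trap 'rm -rf "$workdir"' EXIT
    write_login_config "$CREDFILE" "$workdir" || return 1
    sid=$(curl -K "$workdir/login.cfg" | extract_session_id)
    [ -n "$sid" ] || { echo "login to $APPLIANCE failed" >&2; return 1; }
    ( umask 077; printf 'cacert = "%s"\nheader = "auth: %s"\nsilent\nshow-error\n' \
        "$CACERT" "$sid" > "$workdir/session.cfg" )
    # Invalidate the session on the appliance, not just locally, when the script ends.
    trap 'curl -K "$workdir/session.cfg" -X DELETE \
        "https://$APPLIANCE/rest/login-sessions"; rm -rf "$workdir"' EXIT
    curl -K "$workdir/session.cfg" -H "Accept: application/json" "https://$APPLIANCE$1"
}

# Usage (the GET path is an assumption): ICSP_RUN=1 sh icsp-backup.sh /rest/backups
if [ "${ICSP_RUN:-0}" = 1 ]; then
    icsp_backup_session "${1:-/rest/backups}"
fi
```

Run it as `ICSP_RUN=1 sh icsp-backup.sh /rest/backups` after exporting the appliance certificate to ~/.icsp/appliance.pem and storing the backup administrator's user:password in ~/.icsp/backup-admin.cred with mode 0600. Because curl reads every secret-bearing option from a file via -K, nothing sensitive reaches ps or the shell history, and the same approach suits any other client that accepts an options file.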
4.11.2 SSL/certificate
The client should specify HTTPS as the protocol so that SSL protects sensitive data on the network.
The appliance certificate may be required by the client to allow the SSL connection