HP Insight Control Server Provisioning 7.3 Update 1 Administrator Guide

The following table comprises a partial list of security best practices that HP recommends in both
physical and virtual environments. Differing security policies and implementation practices make
it difficult to provide a complete and definitive list.
Topic | Best Practice
Accounts
Limit the number of local accounts. Integrate the appliance with an enterprise directory solution
such as Microsoft Active Directory or OpenLDAP.
Certificates
Use certificates signed by a trusted certificate authority (CA), if possible.
IC server provisioning uses certificates to authenticate and establish trust relationships. One of
the most common uses of certificates is establishing a connection from a web browser to a web
server. The machine-level authentication is carried out as part of the HTTPS protocol,
using SSL. Certificates can also be used to authenticate devices when setting up a communication
channel.
The appliance supports self-signed certificates and certificates issued by a CA.
The appliance is initially configured with self-signed certificates for the web server, database,
and message broker software. The browser will display a warning when browsing to the
appliance using self-signed certificates.
HP advises customers to examine their security needs (that is, to perform a risk assessment) and
consider the use of certificates signed by a trusted CA. For the highest level of security, HP
recommends that you use certificates signed by a trusted certificate authority:
• Ideally, you should use your company's existing CA and import their trusted certificates. The
  trusted root CA certificate should be deployed to users' browsers that will contact systems
  and devices that will need to perform certificate validation.
• If your company does not have its own certificate authority, then consider using an external
  CA. There are numerous third-party companies that provide trusted certificates. You will need
  to work with the external CA to have certificates generated for specific devices and systems
  and then import these trusted certificates into the components that use them.
As the Infrastructure administrator, you can generate a CSR (certificate signing request) and,
upon receipt, upload the certificate to the appliance web server. This ensures the integrity and
authenticity of your HTTPS connection to the appliance. Certificates can also be uploaded for
the database and message broker.
For more information, see “Using a certificate authority” (page 67).
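One way to confirm whether an endpoint still presents a self-signed certificate or one issued by your CA, as an added example that is not part of the HP guide. It uses the standard openssl command line; the function names, file names and the host name appliance.example.test are assumptions, and the certificates are constructed sample data.

```shell
#!/bin/sh
# To audit a live endpoint, save its certificate first (APPLIANCE_HOST is a placeholder):
#   openssl s_client -connect APPLIANCE_HOST:443 </dev/null 2>/dev/null | openssl x509 -out served.pem

# classify_cert CERT_PEM CA_BUNDLE_PEM
# Prints "self-signed", "ca-signed" or "untrusted" for a server certificate.
# Note: a root CA certificate is itself self-signed; pass the server certificate here.
classify_cert() {
    cert=$1; ca=$2
    subj=$(openssl x509 -in "$cert" -noout -subject_hash) || return 2
    iss=$(openssl x509 -in "$cert" -noout -issuer_hash) || return 2
    # Self-signed: issuer equals subject AND the signature verifies under its own key.
    if [ "$subj" = "$iss" ] && openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1; then
        echo "self-signed"
    # CA-signed: the certificate chains to the CA bundle you supplied.
    elif openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "ca-signed"
    else
        echo "untrusted"
    fi
}

# make_demo_certs DIR
# Builds constructed sample data in DIR: a self-signed server certificate, a demo CA,
# and a server certificate issued by that CA from a CSR.
make_demo_certs() {
    dir=$1
    # Self-signed server certificate (the state a freshly installed appliance is in).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=appliance.example.test" \
        -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.pem" >/dev/null 2>&1 || return 1
    # Constructed demo CA standing in for the company CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Example CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
    # CSR for the same host name, then the CA signs it.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=appliance.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/leaf.pem" >/dev/null 2>&1 || return 1
}
```

Run `make_demo_certs` on an empty directory and pass the resulting files to `classify_cert` to see all three outcomes.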
Network
Use a separate deployment network. For security and performance reasons, HP recommends
the following:
• Establish a private deployment network separate from the production network.
• Grant only administrators access to the deployment network.
• Establish a private management network separate from your data network, and ensure that only
  administrators have access to that management network.
• Do not connect management systems (for example, the appliance, the iLO card, and Onboard
  Administrator) directly to the Internet.
If you require access to the Internet, use a corporate VPN (virtual private network) that provides
firewall protection.
Nonessential services
The appliance is preconfigured so that nonessential services are removed or disabled in its
management environment. Ensure that you continue to minimize services when you configure
host systems, management systems, and network devices (including network ports not in use) to
significantly reduce the number of ways your environment could be attacked.
Passwords
For local accounts on the appliance, change the passwords periodically according to your
password policies.
Ensure that passwords include at least three of these types of characters:
Numeric character