HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
HPE OneView
cancel
Showing results for 
Search instead for 
Did you mean: 

HPE OneView Custom Certificat

 
SOLVED
Go to solution
PhS-
Advisor

HPE OneView Custom Certificat

Hello,

I have been experiencing that any changes in the networking of OneView Appliance (running 4.10.01) is triggering a "reset" of the certificate.

Change the DNS, the Subnetmask, what ever ...  and the VALID custom certificate is replaced by a self signed one !

Is this an expected behaviour ?

 

Another request regarding Certificate. I uploaded in Manage certificates a valid certificate that include the CRL url, which is reachable by the oneview appliance.  But OneView seems to ignore it completely and only offer to upload a CRL. 

Can some one help me or repport this bug.

 

PhS

7 REPLIES
BhaskarV
Frequent Advisor

Re: HPE OneView Custom Certificat

Hi @PhS- 

If the appliance hostname or IP address change, CA signed certificate if any on the appliance would be replaced by a self-signed certificate. The rationale being the hostname or IP address are typically included in the certificate Subject and/or SAN fields. For change in subnet mask, gateway, DNS servers - will check. What version of OneView are you using?

For CRLs, you are right, there is no automatic extraction of the CRL from the CRL DP URL specified in the CA certificate.
You need to manually upload the CRL file and keep it refreshed.

However, we do have two variants of scripts based on python / powershell that you could use.

  1. The python shell script is here: https://github.com/HewlettPackard/oneview-python-samples/tree/master/crl_helper
    There is a readme file that describes how to use the script.
    It can be scheduled on a Windows or a Linux machine outside the OneView appliance to keep CRLs on the appliance updated.
  2. The powershell command let of interest works with any CA that contains a CRL DP, requires POSH for HPE OneView and is located here:
    https://github.com/HewlettPackard/oneview-powershell-samples/blob/master/Security/Update-CertificateAuthorityCRL.ps1
    It works with CRLs that have expired on the appliance and updates them.


The automatic CRL update - likely to appear in a future release.

Regards,
Bhaskar



I am a HPE Employee
BhaskarV
Frequent Advisor

Re: HPE OneView Custom Certificat

Noticed you have mentioned version as 4.10.01, thanks.



I am a HPE Employee
Highlighted
BhaskarV
Frequent Advisor
Solution

Re: HPE OneView Custom Certificat

Thank you @PhS-

You are right, just verified. Acknolwedge the defect. 
We'll take this up to address in a future release of OneView.
Thank you for notifying us about this. 



I am a HPE Employee
PhS-
Advisor

Re: HPE OneView Custom Certificat

I just received "Notice: HPE OneView - Script Available for OneView Administrators to Manage Certificate Revocation Lists (CRLs)" via email in the Critical Alert for your Servers news

This perfectly explains the existing behavior which we observed, and provides a workaround—to upload the CRL manually. (With the web interface or a script, as you suggest.)

It does not answer, however, why the hell they cannot download the CRL themselves from a CDP. Just like any other PKI participant does.
Moreover, it looks like they can do this for pre-installed certificates (e.g. Symantec) but not for others.I understand that you cannot locate the CDP by just looking at the CA certificate. That’s normal and that’s by design. However, normally you should be able to locate the CDP by looking at any certificate issues by such CA—e.g. when you perform validation of this certificate.

BhaskarV
Frequent Advisor

Re: HPE OneView Custom Certificat

Hi @PhS-

You are right. It is doable but non-trivial.
The CRL that needs to be fetched to check for revocation of a device certificate is not the one specified in the CA cert that signed the device certificate but the CRL DP URL that is present in the actual device certificate that is being fetched. The CRL URL specified in the CA's certificate only helps check for revocation of the CA cert itself, not the device cert that the CA signed. As a result, a little more involved than a straight forward fetch the CRL from the URL. 
Having said this, it is an inconvenience and we are working on improving it. 
Thank you for your candid feedback. 



I am a HPE Employee
ishouli
Occasional Visitor

Re: HPE OneView Custom Certificat


@BhaskarV wrote:

Hi @PhS-

You are right. It is doable but non-trivial.
The CRL that needs to be fetched to check for revocation of a device certificate is not the one specified in the CA cert that signed the device certificate but the CRL DP URL that is present in the actual device certificate that is being fetched. The CRL URL specified in the CA's certificate only helps check for revocation of the CA cert itself, not the device cert that the CA signed. As a result, a little more involved than a straight forward fetch the CRL from the URL.  Torrent TurboTax Gogoanime
Having said this, it is an inconvenience and we are working on improving it. 
Thank you for your candid feedback.  


I have been encountering that any adjustments in the systems administration of OneView Appliance (running 4.10.01) is setting off a "reset" of the authentication.

Change the DNS, the Subnetmask, what ever ... furthermore, the VALID custom authentication is supplanted by a self marked one !

BhaskarV
Frequent Advisor

Re: HPE OneView Custom Certificat

Hi @ishouli

When you mean custom authentication getting replaced by a self marked one, you did mean
CA signed certificate on the appliance being replaced by the self-signed certiicate, is that correct?
Same issue as noted by @PhS- at the beginning of this thread.
Let us know.

Regards
Bhaskar



I am a HPE Employee