HPE OneView

Re: HPE OneView Custom Certificate

SOLVED
PhS-
Regular Advisor

HPE OneView Custom Certificate

Hello,

I have been experiencing that any change in the networking of the OneView Appliance (running 4.10.01) triggers a "reset" of the certificate.

Change the DNS, the subnet mask, whatever ... and the VALID custom certificate is replaced by a self-signed one!

Is this expected behaviour?


Another request regarding certificates. I uploaded in Manage certificates a valid certificate that includes the CRL URL, which is reachable by the OneView appliance. But OneView seems to ignore it completely and only offers to upload a CRL.

Can someone help me or report this bug?


PhS

BhaskarV
Trusted Contributor

Re: HPE OneView Custom Certificate

Hi @PhS- 

If the appliance hostname or IP address changes, the CA-signed certificate, if any, on the appliance is replaced by a self-signed certificate. The rationale is that the hostname or IP address is typically included in the certificate Subject and/or SAN fields. For changes in subnet mask, gateway or DNS servers, I will check. What version of OneView are you using?

For CRLs, you are right, there is no automatic extraction of the CRL from the CRL DP URL specified in the CA certificate.
You need to manually upload the CRL file and keep it refreshed.

However, we do have two variants of scripts, based on Python / PowerShell, that you could use.

  1. The Python script is here: https://github.com/HewlettPackard/oneview-python-samples/tree/master/crl_helper
    There is a readme file that describes how to use the script.
    It can be scheduled on a Windows or a Linux machine outside the OneView appliance to keep CRLs on the appliance updated.
  2. The PowerShell cmdlet of interest works with any CA certificate that contains a CRL DP, requires POSH for HPE OneView and is located here:
    https://github.com/HewlettPackard/oneview-powershell-samples/blob/master/Security/Update-CertificateAuthorityCRL.ps1
    It works with CRLs that have expired on the appliance and updates them.


Automatic CRL update is likely to appear in a future release.

Regards,
Bhaskar


I am an HPE employee


BhaskarV
Trusted Contributor

Re: HPE OneView Custom Certificate

Noticed you have mentioned the version as 4.10.01, thanks.


I am an HPE employee


BhaskarV
Trusted Contributor
Solution

Re: HPE OneView Custom Certificate

Thank you @PhS-

You are right, just verified. Acknowledged the defect.
We'll take this up to address in a future release of OneView.
Thank you for notifying us about this.


I am an HPE employee


PhS-
Regular Advisor

Re: HPE OneView Custom Certificate

I just received "Notice: HPE OneView - Script Available for OneView Administrators to Manage Certificate Revocation Lists (CRLs)" via email in the "Critical Alert for your Servers" news.

This perfectly explains the existing behavior which we observed, and provides a workaround—to upload the CRL manually. (With the web interface or a script, as you suggest.)

It does not answer, however, why the hell they cannot download the CRL themselves from a CDP, just like any other PKI participant does.
Moreover, it looks like they can do this for pre-installed certificates (e.g. Symantec) but not for others. I understand that you cannot locate the CDP by just looking at the CA certificate. That's normal and that's by design. However, normally you should be able to locate the CDP by looking at any certificate issued by such a CA, e.g. when you perform validation of this certificate.

BhaskarV
Trusted Contributor

Re: HPE OneView Custom Certificate

Hi @PhS-

You are right. It is doable but non-trivial.
The CRL that needs to be fetched to check for revocation of a device certificate is not the one specified in the CA cert that signed the device certificate, but the one at the CRL DP URL that is present in the actual device certificate being fetched. The CRL URL specified in the CA's certificate only helps check for revocation of the CA cert itself, not the device cert that the CA signed. As a result, it is a little more involved than a straightforward fetch of the CRL from the URL.
Having said this, it is an inconvenience and we are working on improving it.
Thank you for your candid feedback.


I am an HPE employee

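The distinction Bhaskar draws above, as an added example that is not part of this thread and is not code from the HPE sample scripts linked earlier: the CRL Distribution Point in a CA certificate covers the CA itself, while the CDP that matters for a device (e.g. iLO) certificate is the one carried inside that device certificate. The block builds a throwaway CA, two device certificates and one CRL in memory (every name, serial and URL is constructed; the .invalid domain is reserved and never resolves), then checks a device certificate against the CRL the way a refresh script should before trusting it: verify the CRL's signature against the issuer, treat a CRL past its NextUpdate as stale (the expired-CRL case the PowerShell script handles by re-uploading), and only then look up the serial. It uses only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// LabPKI holds a constructed CA, two device certificates it issued and one CRL it signed.
// Everything is generated in memory for illustration; hostnames, serials and URLs are made up.
type LabPKI struct {
	CA      *x509.Certificate
	Revoked *x509.Certificate // device cert that the CRL lists
	Good    *x509.Certificate // device cert that the CRL does not list
	CRLDER  []byte
}

// CRLStatus is the outcome of checking one device certificate against one CRL.
type CRLStatus int

const (
	StatusGood     CRLStatus = iota // CRL valid and fresh, serial not listed
	StatusRevoked                   // CRL lists the device certificate's serial
	StatusStaleCRL                  // NextUpdate has passed: refetch from the device cert's CDP first
	StatusBadCRL                    // CRL unparseable or not signed by the expected issuer
)

func (s CRLStatus) String() string {
	return [...]string{"good", "revoked", "stale-crl", "bad-crl"}[s]
}

// issue signs tmpl with parentKey under parent and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildLabPKI creates the constructed CA, device certificates and CRL.
func BuildLabPKI() (*LabPKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Lab Issuing CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		// CDP in the CA cert: where to look for revocation of the CA certificate itself.
		CRLDistributionPoints: []string{"http://pki.example.invalid/root-ca.crl"},
	}
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	newDevice := func(serial int64, cn string) (*x509.Certificate, error) {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			DNSNames:     []string{cn},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(90 * 24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
			// CDP in the device cert: this is the CRL that can revoke the device certificate.
			CRLDistributionPoints: []string{"http://pki.example.invalid/issuing-ca.crl"},
		}
		return issue(tmpl, ca, &key.PublicKey, caKey)
	}
	revoked, err := newDevice(4242, "ilo-rack1-node3.example.invalid")
	if err != nil {
		return nil, err
	}
	good, err := newDevice(4243, "ilo-rack1-node4.example.invalid")
	if err != nil {
		return nil, err
	}
	// The CA publishes a CRL valid for 12 hours that lists the first device cert.
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(7),
		ThisUpdate: now.Add(-time.Minute),
		NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-time.Minute)},
		},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &LabPKI{CA: ca, Revoked: revoked, Good: good, CRLDER: crlDER}, nil
}

// CheckAgainstCRL validates crlDER against issuer and reports the device certificate's status at time now.
func CheckAgainstCRL(device, issuer *x509.Certificate, crlDER []byte, now time.Time) CRLStatus {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return StatusBadCRL
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return StatusBadCRL // a CRL not signed by the issuing CA says nothing about its certs
	}
	if now.After(crl.NextUpdate) {
		return StatusStaleCRL // an expired CRL must be refreshed, not trusted either way
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(device.SerialNumber) == 0 {
			return StatusRevoked
		}
	}
	return StatusGood
}

func main() {
	p, err := BuildLabPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("CDP in CA cert (covers the CA itself):  ", p.CA.CRLDistributionPoints)
	fmt.Println("CDP in device cert (covers the device): ", p.Revoked.CRLDistributionPoints)
	fmt.Println("revoked device now:  ", CheckAgainstCRL(p.Revoked, p.CA, p.CRLDER, time.Now()))
	fmt.Println("other device now:    ", CheckAgainstCRL(p.Good, p.CA, p.CRLDER, time.Now()))
	fmt.Println("other device +24h:   ", CheckAgainstCRL(p.Good, p.CA, p.CRLDER, time.Now().Add(24*time.Hour)))
}
```

A refresh job built on this logic would read the CDP from the device certificates OneView actually trusts (not from the CA entry), fetch each CRL, and reject a download whose signature does not verify against the issuing CA before uploading it to the appliance; the stale branch is the condition that should trigger the fetch in the first place.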

ishouli
Occasional Visitor

Re: HPE OneView Custom Certificate


@BhaskarV wrote:

Hi @PhS-

You are right. It is doable but non-trivial.
The CRL that needs to be fetched to check for revocation of a device certificate is not the one specified in the CA cert that signed the device certificate but the CRL DP URL that is present in the actual device certificate that is being fetched. The CRL URL specified in the CA's certificate only helps check for revocation of the CA cert itself, not the device cert that the CA signed. As a result, a little more involved than a straight forward fetch the CRL from the URL.
Having said this, it is an inconvenience and we are working on improving it. 
Thank you for your candid feedback.  


I have been encountering that any adjustments in the systems administration of OneView Appliance (running 4.10.01) is setting off a "reset" of the authentication.

Change the DNS, the Subnetmask, what ever ... furthermore, the VALID custom authentication is supplanted by a self marked one !

BhaskarV
Trusted Contributor

Re: HPE OneView Custom Certificate

Hi @ishouli

When you say custom authentication getting replaced by a self marked one, do you mean
the CA-signed certificate on the appliance being replaced by the self-signed certificate? Is that correct?
Same issue as noted by @PhS- at the beginning of this thread.
Let us know.

Regards
Bhaskar


I am an HPE employee
