Skip to content

Enable HPOVCertificateValidation

Chris Lynch edited this page Dec 10, 2020 · 15 revisions

HPE OneView 4.10 Library

Enable-HPOVCertificateValidation

Enable appliance TLS/SSL certificate validation.

SYNTAX

Enable-HPOVCertificateValidation[ [-CheckForSelfSignedExpiry] <Bool>][ [-ApplianceConnection] <Array>][ [-WhatIf] <SwitchParameter>][ [-Confirm] <SwitchParameter>] [<CommonParameters>]

Detailed Description

HPE OneView performs certificate validation for all Transport Layer Security (TLS) communications between the appliance and external servers or devices. These checks guarantee confidentiality, integrity, and authentication with the remote end-point.

In production environments, Hewlett Packard Enterprise strongly recommends that certificate validation be enabled. In environments where security is not a concern, such as a testing environment, certificate validation can optionally be disabled.

If certificate validation is disabled, any sensitive data such as credentials are transmitted insecurely. Make sure to use only local user accounts and not enterprise directory-based accounts to avoid transmitting enterprise login credentials over the network when certificate validation is disabled.

NOTE: When upgrading from earlier releases, the certificates in use by the currently monitored or managed devices are imported into the HPE OneView trust store and alerts are generated for issues such as expired certificates. These automatically added certificates are either a device"s self-signed certificate or the leaf certificate for a certificate authority (CA) signed certificate. Using CA-signed certificates can simplify the device trust process.

Certificate checking is enabled by default, but some of the stricter validation checks are relaxed to maintain communications with all devices, even those with certificate issues. The relaxed checking includes:

* Not performing expiration checks for self-signed certificates
* For certificate authority (CA) signed certificates, relaxed certificate revocation list (CRL) checking.

The relaxed checking gives the administrator time to address any expired certificates, to upload trusted CA root and intermediate certificates, and upload the appropriate CRLs.

Hewlett Packard Enterprise strongly recommends that you enable strict certificate validation checks after completing an update as appropriate for your enterprise security policies. See Manage Certificates for additional information on certificate management.

HPE OneView supports devices using self-signed certificates and devices using formal CA-signed certificates. CA-signed certificates offer benefits such as revocation checking and overall simplified management.

HPE OneView enables users to import a CA CRL file and to perform the appropriate revocation checking on existing certificates in the trust store and for certificates received during communication with a managed device or external server.

WARNING: Modifying the appliance setting will require the appliance to be rebooted.

Required: Infrastructure administrator

Parameters

-ApplianceConnection <Array>

Aliases [-Appliance]

Specify one or more HPOneView.Appliance.Connection object(s) or Name property value(s).

Default Value: ${Global:ConnectedSessions} | ? Default

Aliases Appliance
Required? False
Position? named
Default value (${Global:ConnectedSessions} | ? Default)
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters?    False

-CheckForSelfSignedExpiry <Bool>

Enable ($true) or Disable ($false) the option to check for expiration of self-signed certificates if you want to perform expiration checks for self-signed certificates. By default, self-signed certiifcate expiry is not enabled.

Aliases None
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters?    False

-Confirm <SwitchParameter>

Override the confirmation prompt.

Aliases cf
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters?    False

-WhatIf <SwitchParameter>

Aliases wi
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters?    False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, PipelineVariable, and OutVariable. For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216)

Input Types

None. You cannot pipe objects to this cmdlet.

Return Values

System.Management.Automation.PSCustomObject

Appliance global security settings.

Examples

 -------------------------- EXAMPLE 1 --------------------------

Enable-HPOVCertificateValidation

Enable certificate validation setting on the appliance.

Related Links


HPE OneView 4.00 Library

Enable-HPOVCertificateValidation

Enable appliance TLS/SSL certificate validation.

SYNTAX

Enable-HPOVCertificateValidation[ [-CheckForSelfSignedExpiry] <Bool>][ [-ApplianceConnection] <Array>][ [-WhatIf] <SwitchParameter>][ [-Confirm] <SwitchParameter>] [<CommonParameters>]

Detailed Description

HPE OneView performs certificate validation for all Transport Layer Security (TLS) communications between the appliance and external servers or devices. These checks guarantee confidentiality, integrity, and authentication with the remote end-point.

In production environments, Hewlett Packard Enterprise strongly recommends that certificate validation be enabled. In environments where security is not a concern, such as a testing environment, certificate validation can optionally be disabled.

If certificate validation is disabled, any sensitive data such as credentials are transmitted insecurely. Make sure to use only local user accounts and not enterprise directory-based accounts to avoid transmitting enterprise login credentials over the network when certificate validation is disabled.

NOTE: When upgrading from earlier releases, the certificates in use by the currently monitored or managed devices are imported into the HPE OneView trust store and alerts are generated for issues such as expired certificates. These automatically added certificates are either a device's self-signed certificate or the leaf certificate for a certificate authority (CA) signed certificate. Using CA-signed certificates can simplify the device trust process.

Certificate checking is enabled by default, but some of the stricter validation checks are relaxed to maintain communications with all devices, even those with certificate issues. The relaxed checking includes:

* Not performing expiration checks for self-signed certificates 
* For certificate authority (CA) signed certificates, relaxed certificate revocation list (CRL) checking. 

The relaxed checking gives the administrator time to address any expired certificates, to upload trusted CA root and intermediate certificates, and upload the appropriate CRLs.

Hewlett Packard Enterprise strongly recommends that you enable strict certificate validation checks after completing an update as appropriate for your enterprise security policies. See Manage Certificates for additional information on certificate management.

HPE OneView supports devices using self-signed certificates and devices using formal CA-signed certificates. CA-signed certificates offer benefits such as revocation checking and overall simplified management.

HPE OneView enables users to import a CA CRL file and to perform the appropriate revocation checking on existing certificates in the trust store and for certificates received during communication with a managed device or external server.

WARNING: Modifying the appliance setting will require the appliance to be rebooted.

Required: Infrastructure administrator

Parameters

-ApplianceConnection <Array>

Aliases [-Appliance]

Specify one or more HPOneView.Appliance.Connection object(s) or Name property value(s).

Default Value: ${Global:ConnectedSessions} | ? Default

Aliases Appliance
Required? False
Position? named
Default value (${Global:ConnectedSessions} | ? Default)
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters?    False

-CheckForSelfSignedExpiry <Bool>

Enable ($true) or Disable ($false) the option to check for expiration of self-signed certificates if you want to perform expiration checks for self-signed certificates. By default, self-signed certiifcate expiry is not enabled.

Aliases None
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters?    False

-Confirm <SwitchParameter>

Override the confirmation prompt.

Aliases cf
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters?    False

-WhatIf <SwitchParameter>

Aliases wi
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters?    False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, PipelineVariable, and OutVariable. For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216)

Input Types

None. You cannot pipe objects to this cmdlet.

Return Values

System.Management.Automation.PSCustomObject

Appliance global security settings.

Examples

 -------------------------- EXAMPLE 1 --------------------------

Enable-HPOVCertificateValidation

Enable certificate validation setting on the appliance.

Related Links


Wiki Table of Contents

Clone this wiki locally