HPE OneView 4.0 introduces improved security features related to certificate checking for all HTTPS (HTTP Secure) / TLS (Transport Layer Security) communications with managed or monitored devices. One of these new features is improved alerting and policy control for communicating with devices that have expired self-signed certificates. To preserve compatibility with releases prior to 4.0, an upgrade to HPE OneView 4.0 posts alerts for server hardware Integrated Lights-Out (iLO) processors with expired self-signed certificates but, by default, continues to allow communication with those iLOs. Similarly, a new HPE OneView 4.0 installation on an HPE Synergy compute module posts alerts but still allows discovery of, and communication with, compute module iLOs that have expired certificates. The security setting that controls this behavior is "Check for expiration of self-signed certificates".

There are cases where HPE OneView 4.0 does not correctly process the iLO's certificate as self-signed. Instead, the certificate is incorrectly processed as a certificate authority-signed (CA-signed) certificate. Expiration of CA-signed certificates is always strictly enforced. In these cases, communication with the iLO fails and locked alerts with a critical status are displayed for the expired iLO certificates. An example alert is shown below:

[Example alert screenshot]

The issue described above is different from a related issue in the HPE OneView 4.0 release notes titled "Expired certificate alerts created incorrectly as critical, locked alerts instead of warning alerts". HPE OneView's "Check for expiration of self-signed certificates" setting is disabled by default. When it is disabled, a warning alert is displayed for any device with an expired certificate on the device's resource page (e.g. the server hardware page). Additionally, separate alerts for expired certificates are displayed on the Settings/Activity page.
These latter alerts are created incorrectly as critical, locked alerts (red alerts) for self-signed certificates instead of warning alerts. This issue is different from the one described above: in this case, communication with iLOs is not impacted by the critical alerts. Both the warning and the critical alerts are cleared automatically once the expired certificates are fixed. The certificate alert can be fixed either by generating a new self-signed certificate for the iLO and placing it in the HPE OneView certificate trust store, or by performing a certificate signing request and using a certificate authority-issued certificate for the iLO.
This issue affects any HPE OneView 4.0 virtual appliance and any HPE OneView 4.0 installation on a Synergy compute module. It may occur during an HPE OneView 4.0 upgrade, during automatic hardware discovery on a new HPE OneView 4.0 Synergy compute module, or any time new server hardware is added for managing or monitoring. iLO 2, iLO 3, and iLO 4 are affected. iLO 5 is not affected.
To resolve this, perform any of the following three options.

1) If using a public key infrastructure (PKI) specific to the system environment, issue an iLO certificate signing request and install a CA-signed certificate on the iLO. Ensure the CA root certificate and any intermediate certificates are placed in the OneView trust store.
a) Use the Settings->Security->Manage Certificates->Add Certificates screen shown below and paste in the base64-encoded CA root certificate and any intermediates.
b) Refresh or re-add the server hardware.

2) Update the expired self-signed certificate.
a) Generate a new iLO self-signed SSL certificate by changing the iLO hostname. In some cases, an iLO factory reset may also be required.
b) After updating the certificate, add it to the OneView trust store using the Settings->Security->Manage Certificates->Add Certificates page shown below. Select the "Add certificate from an IP address or hostname" option and specify the IP address or hostname of the iLO and port 443. Alternatively, select the "Paste certificate" option and paste the iLO self-signed certificate. In both cases, remember to enable the "Force trust leaf certificate" checkbox.
c) Refresh or re-add the server hardware.
If Option 2 does not resolve the issue, proceed to Option 3.

3) Some iLO firmware revisions have a known issue where the default self-signed certificate is pre-expired: the certificate's Valid To (expiration) date is earlier than its Valid From (issued) date. To correct the issue, refer to the customer advisory "HP Integrated Lights-Out (iLO) - iLO 3 and iLO 4 Self-Signed SSL Certificate May Have an Expiration Date Earlier Than the Issued Date" located at the following URL: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00042194en_us
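The following Python script is an added example, not HPE or OneView code, that shows the two distinctions this advisory turns on: whether an iLO certificate is self-signed or CA-signed, and whether it is expired or pre-expired (the Option 3 firmware defect, where Valid To precedes Valid From). It then applies the policy described above, with the "Check for expiration of self-signed certificates" setting off or on, to decide whether communication is allowed and what severity of alert results. It uses only the standard library. The certificates are constructed inline by a small DER encoder and carry dummy keys and signatures; the hostname ILOEXAMPLE0001, the issuer name "Example Corp Issuing CA", the dates and the oneview_action function are all assumptions made for the example, the last being a simplification of the policy in the text rather than OneView's implementation. The self-signed test compares issuer and subject names only; a production check must also verify the signature with the certificate's own public key.

```python
# Added example: classify an iLO X.509 certificate as self-signed vs CA-signed
# and valid / expired / pre-expired, then apply the OneView policy described
# in the advisory. Stdlib only; sample certificates are constructed below.
import base64
from datetime import datetime, timezone

OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
OID_RSA = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1
OID_CN = bytes.fromhex("550403")                      # 2.5.4.3 commonName

# --- minimal DER encoder, used only to construct the sample certificates ---
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def name(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue (CN only)
    return seq(tlv(0x31, seq(tlv(0x06, OID_CN), tlv(0x0C, cn.encode()))))

def utctime(dt):  # UTCTime YYMMDDHHMMSSZ
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def build_cert(subject_cn, issuer_cn, not_before, not_after):
    """Constructed sample: structurally valid DER, dummy key and signature."""
    alg = seq(tlv(0x06, OID_SHA256_RSA), tlv(0x05, b""))
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),                   # [0] version v3
        tlv(0x02, b"\x01"),                               # serialNumber
        alg,                                              # signature algorithm
        name(issuer_cn),                                  # issuer
        seq(utctime(not_before), utctime(not_after)),     # validity
        name(subject_cn),                                 # subject
        seq(seq(tlv(0x06, OID_RSA), tlv(0x05, b"")), tlv(0x03, b"\x00" * 9)),  # dummy SPKI
    )
    return seq(tbs, alg, tlv(0x03, b"\x00" * 9))         # dummy signature

# --- minimal DER decoder for the fields the classification needs ---
def _read(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read(body, pos)
        out.append((tag, val))
    return out

def _time(tag, val):
    s = val.decode()
    if tag == 0x17:  # UTCTime; RFC 5280: 00-49 -> 20xx, 50-99 -> 19xx
        yy = int(s[:2])
        s = "%04d" % (2000 + yy if yy < 50 else 1900 + yy) + s[2:]
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def pem_to_der(pem):
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def parse_cert(der):
    _, cert_body, _ = _read(der, 0)
    tbs = _children(_children(cert_body)[0][1])
    if tbs[0][0] == 0xA0:                 # skip the optional explicit version
        tbs = tbs[1:]
    issuer, validity, subject = tbs[2], tbs[3], tbs[4]
    nb, na = _children(validity[1])
    return {"issuer": issuer, "subject": subject,
            "not_before": _time(*nb), "not_after": _time(*na)}

def classify(der, now):
    """Return (self_signed, status) for a DER certificate at time `now`."""
    c = parse_cert(der)
    # Self-signed heuristic: issuer Name equals subject Name byte-for-byte.
    # Production code must also verify the signature with the cert's own key.
    self_signed = c["issuer"] == c["subject"]
    if c["not_after"] < c["not_before"]:
        status = "pre-expired"            # Option 3 firmware defect
    elif now > c["not_after"]:
        status = "expired"
    elif now < c["not_before"]:
        status = "not-yet-valid"
    else:
        status = "valid"
    return self_signed, status

def oneview_action(self_signed, status, check_self_signed_expiry=False):
    """Assumed simplification of the advisory's policy: CA-signed expiry is
    always enforced; self-signed expiry only when the setting is enabled."""
    if status == "valid":
        return ("communicate", "none")
    if self_signed and not check_self_signed_expiry:
        return ("communicate", "warning")
    return ("blocked", "critical")

# Constructed sample input (hostname, issuer and dates are made up).
UTC = timezone.utc
NOW = datetime(2018, 3, 1, tzinfo=UTC)
ILO_CN = "ILOEXAMPLE0001"
SAMPLES = {
    "self_signed_ok": build_cert(ILO_CN, ILO_CN, datetime(2017, 1, 1, tzinfo=UTC), datetime(2027, 1, 1, tzinfo=UTC)),
    "self_signed_expired": build_cert(ILO_CN, ILO_CN, datetime(2015, 1, 1, tzinfo=UTC), datetime(2016, 1, 1, tzinfo=UTC)),
    "ca_signed_expired": build_cert(ILO_CN, "Example Corp Issuing CA", datetime(2015, 1, 1, tzinfo=UTC), datetime(2016, 1, 1, tzinfo=UTC)),
    "pre_expired": build_cert(ILO_CN, ILO_CN, datetime(2016, 6, 1, tzinfo=UTC), datetime(2015, 6, 1, tzinfo=UTC)),
}

if __name__ == "__main__":
    for label, der in SAMPLES.items():
        ss, st = classify(der, NOW)
        print(label, "self-signed" if ss else "CA-signed", st, oneview_action(ss, st))
```

To inspect a real iLO, capture its leaf certificate (for example with openssl s_client -connect <ilo-host>:443 -showcerts, where <ilo-host> is your own iLO) and pass the PEM through pem_to_der before calling classify; a "pre-expired" result points straight at Option 3, while an "expired" result on a certificate reported as CA-signed matches the misclassification the advisory describes.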