Wednesday 29 April 2020

HPE OneView 5.0 SSL & LDAP integration

It's been a while since I looked at the HPE OneView Appliance in my Lab.

Note: HPE_OneView_5.00.02_ESXi_Z7550-96801.ova used in this Lab.

I have a need to configure LDAP at a customer site, so I thought I'd take a fresh look at this in my lab first and throw in replacing the default self-signed SSL certificate while I was at it.

First for the LDAP. This is straightforward enough; about 10-15 minutes should cover it. Go to Settings and then Security.

Scroll down and click Add Directory.

You're aiming for something like this. I chose a service account so I'd have a dedicated AD account with a complex password and no password expiration for this purpose. NOTE: do NOT test the OneView logon with this account; use a different one!! It fails!!


You will need to add an AD server here. I know DNS is up, so I chose the domain name, which will resolve to one of the two DCs in my customer environment; here it will only ever resolve to my single lab AD, but the principle is valid. If you rebuild or change AD servers you won't need to revisit this.


Trust the cert, trust the leaf, etc. as appropriate.


Now you should have something like the following:

Next for permissions. We can try to add a user, but we only get a local user option; we can't reference an AD user directly, only an AD group.

This is the dialog to point to an AD group:

You can browse to AD now and pick out the right group, which also proves the service account works.

There are a few roles; Infrastructure Administrator is the top-level one with all permissions. That's the one I chose.

I've added in Domain Users here, but you'll probably have a more suitable AD group to select.

I changed the default directory to lab.local here, and it is then the default on the logon page.

The logon page is shown below. I'm testing with a different user here, as my service account fails to log on even though it's in the same group, so be warned! The user1 account worked fine.

Now, for the certificate.

There are two main steps: import your root and intermediate certs from your CA, then generate a CSR and import the signed certificate.

Go to Security and see where it says Manage Certificates? This is where you import your CA root and intermediate certificates. It's NOT for importing your signed OneView certificate! Click into Manage Certificates.

Now click on Add certificates. The top one listed is just a self-signed one you can ignore.

Now get your root certificate in Base64 and paste it in here. I've ticked the box just to be sure. Click Validate.

Click Add.

Now add in any intermediate CA certificates the same way. My CA is now listed below.

Back into Security and click on Create appliance certificate signing request.

Fill in the top-half detail; the bottom half is optional.

Copy the CSR and get your CA to sign it. 

On the previous menu click on Import appliance certificate and paste in the signed Base64 data.

Give it 2 minutes and you're done! 

Now, just two caveats: the errors below I'd encountered before getting the order of business above sorted out, so to save you a headache here's how to avoid them.

The Server 2019 CA web server template I'd used to originally sign the CSR didn't have the required attributes. I thought it was only missing the client authentication element, but my screenshot below indicates it was worse than that. I duplicated the web server template, added in both elements and then published the new template so I could re-request and sign the CSR with the required elements and paste it in; then it worked.


The other issue was that I went straight to the OneView cert and didn't import the root certificate first. That's when I got the following error:

If you follow my steps above you'll avoid this.
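Both caveats come down to checks you can run on the signed certificate and the CA chain before you touch the OneView import dialogs. The script below is an added example, not from this post and not HPE's or OneView's code. It builds a throwaway lab CA hierarchy (a root, an issuing CA and two leaf certificates, all constructed here; the host name oneview.lab.local and the file names are assumptions) and then runs the two pre-flight checks with the openssl CLI: that the leaf carries both the Server Authentication and Client Authentication EKUs the corrected template issues, and that it verifies against the root plus intermediate but not when the root is missing.

```shell
#!/bin/sh
# Added example (not from this post or from HPE): pre-flight checks for a
# OneView appliance certificate, run with the openssl CLI before importing.
# The lab CA, the host name oneview.lab.local and all file names are
# constructed for this demonstration.
set -eu

LAB_DIR=$(mktemp -d)

# Returns 0 only when the certificate carries BOTH EKUs the post found the
# web server template had to provide: Server Authentication and Client
# Authentication (openssl prints them as "TLS Web ... Authentication").
check_eku() {   # check_eku CERT
  text=$(openssl x509 -in "$1" -noout -text)
  case "$text" in *"TLS Web Server Authentication"*) ;; *) return 1 ;; esac
  case "$text" in *"TLS Web Client Authentication"*) ;; *) return 1 ;; esac
  return 0
}

# Returns 0 when LEAF chains to ROOT through INTERMEDIATE: the same order
# OneView needs, root and intermediates trusted before the leaf is imported.
verify_chain() {   # verify_chain ROOT INTERMEDIATE LEAF
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Returns 0 when LEAF verifies with no trust anchor loaded at all. It never
# should: this is the "appliance cert before the root" mistake from the post.
verify_without_root() {   # verify_without_root INTERMEDIATE LEAF
  openssl verify -no-CAfile -no-CApath -untrusted "$1" "$2" >/dev/null 2>&1
}

# Sign a CSR with a CA key, applying the extensions listed in EXTFILE.
issue() {   # issue CSR CA_CERT CA_KEY OUT_CERT EXTFILE
  openssl x509 -req -sha256 -days 2 -in "$1" -CA "$2" -CAkey "$3" \
    -CAcreateserial -out "$4" -extfile "$5" >/dev/null 2>&1
}

# Make a key pair and CSR for a subject.
csr() {   # csr CN OUT_KEY OUT_CSR
  openssl req -new -sha256 -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2" -out "$3" >/dev/null 2>&1
}

# --- constructed lab hierarchy: root CA -> issuing CA -> two leaf certs ---
ROOT_CERT="$LAB_DIR/root.pem"
openssl req -x509 -sha256 -newkey rsa:2048 -nodes -days 2 \
  -subj "/CN=Lab Root CA" -keyout "$LAB_DIR/root.key" -out "$ROOT_CERT" 2>/dev/null

INT_CERT="$LAB_DIR/issuing.pem"
csr "Lab Issuing CA" "$LAB_DIR/issuing.key" "$LAB_DIR/issuing.csr"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$LAB_DIR/ca.ext"
issue "$LAB_DIR/issuing.csr" "$ROOT_CERT" "$LAB_DIR/root.key" "$INT_CERT" "$LAB_DIR/ca.ext"

csr "oneview.lab.local" "$LAB_DIR/oneview.key" "$LAB_DIR/oneview.csr"

# "good" = what the corrected template issues: server AND client authentication.
GOOD_CERT="$LAB_DIR/oneview-good.pem"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$LAB_DIR/good.ext"
printf 'extendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:oneview.lab.local\n' >> "$LAB_DIR/good.ext"
issue "$LAB_DIR/oneview.csr" "$INT_CERT" "$LAB_DIR/issuing.key" "$GOOD_CERT" "$LAB_DIR/good.ext"

# "bad" = missing client authentication, the first thing the post found wrong.
BAD_CERT="$LAB_DIR/oneview-bad.pem"
sed 's/serverAuth,clientAuth/serverAuth/' "$LAB_DIR/good.ext" > "$LAB_DIR/bad.ext"
issue "$LAB_DIR/oneview.csr" "$INT_CERT" "$LAB_DIR/issuing.key" "$BAD_CERT" "$LAB_DIR/bad.ext"

# Stand-alone report when the script is run directly.
report() {   # report LABEL COMMAND...
  label="$1"; shift
  if "$@"; then echo "$label: ok"; else echo "$label: FAIL"; fi
}
report "EKU check, corrected template " check_eku "$GOOD_CERT"
report "EKU check, stock template     " check_eku "$BAD_CERT"
report "chain with root + intermediate" verify_chain "$ROOT_CERT" "$INT_CERT" "$GOOD_CERT"
report "chain with root missing       " verify_without_root "$INT_CERT" "$GOOD_CERT"
```

Run it anywhere the openssl CLI is installed, then point check_eku and verify_chain at your real root, intermediate and signed appliance certificate (Base64/PEM files) instead of the lab files. Note that the "bad" leaf still passes the chain check: a valid chain says nothing about EKUs, which is why the template fix and the import order are two separate problems to rule out.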

That's it - 2 minutes later and you're running on a signed certificate for your OneView Appliance version 5.02. Hope this helps somebody!!