about_Two_Factor_Authentication - HewlettPackard/POSH-HPEOneView GitHub Wiki
TOPIC
about_Two_Factor_Authentication
SHORT DESCRIPTION
How to use two-factor authentication with the HPE OneView PowerShell
library.
LONG DESCRIPTION
Passwords, no matter how complex, provide insufficient security for many
applications. For additional security, use two-factor authentication. With
two-factor authentication, two factors are required for HPE OneView authentication.
The two factors are something the user possesses (a smart card), and something the
user knows (a personal identification number).
HPE OneView user/password authentication
----------------------------------------
Users can be configured in HPE OneView as local users, or remotely in an
enterprise directory.
The traditional user name and password login sequence is as follows:
1. The user types their user name and password.
2. HPE OneView authenticates the user name and password.
* If the user name is that of a local user configured in HPE OneView, HPE
OneView validates a manually specified user name and password using the HPE
OneView database.
* If your environment is configured to use an enterprise directory, HPE OneView
immediately forwards the user name and password to a configured directory
server for authentication.
3. Once authentication is successful, HPE OneView determines the authorization
permissions for the user.
* If it is a local user login, authorization permissions are decided based
on the roles associated with the user.
* If it is an enterprise directory login, HPE OneView sends a request to the
directory server to retrieve the group name associated with the user. It uses
the group name to determine the authorization permission for the user configured
in HPE OneView.
HPE OneView two-factor authentication
-------------------------------------
Enabling two-factor authentication allows you to use smart cards — for example,
Common Access Cards (CAC), or Personal Identity Verification (PIV) cards — to
authenticate within HPE OneView. The client certificate embedded in the smart
card is presented to HPE OneView by the library. The client certificate must be
signed by a root or intermediate Certificate Authority (CA) that has been
previously imported into HPE OneView. The appliance authenticates the client
certificate to validate that the user name specified in the certificate is that
of a valid user recognized by the directory server configuration in HPE OneView.
When two-factor authentication is enabled, HPE OneView uses a Microsoft Active
Directory service account, set up and owned by the user, to look up the Active
Directory entry for the user, rather than using an account associated with the
user name received during first time login.
The certificates stored on CAC/PIV cards are X.509 security certificates. They
contain fields of information used to identify the certificate owner, the
certificate issuer, and other certificate identification elements. When you
enable two-factor authentication, you can specify which certificate fields HPE
OneView must use to validate a user.
An Infrastructure administrator also has the flexibility to customize the rules
HPE OneView applies during client certificate authentication. The Infrastructure
administrator can configure the locations within the certificate from which HPE
OneView retrieves the user name, domain name and the OIDs that must be present
for the certificate to be valid. See Set-HPOVApplianceTwoFactorAuthentication
help.
AUTHENTICATING USING A SMARTCARD
The user's smart card or digital badge must be present on the PC. Using PowerShell's
native Certificate provider, the smart card certificate can be located as follows:
PS C:\> $MyCertificate = gci Cert:\CurrentUser\my | ? { $_.EnhancedKeyUsageList.FriendlyName -match 'Smart Card Logon' }
Then, the $MyCertificate object can be passed into the Connect-HPOVMgmt
Cmdlet:
PS C:\> Connect-HPOVMgmt -Hostname Myappliance.domain.com -Certificate $MyCertificate
GLOBAL CONNECTION TRACKING OBJECT AND 2FA PROPERTIES
The $ConnectedSessions global variable contains one HPOneView.Appliance.Connection
object for each successful appliance connection.
When authenticating with a smart card, the AuthType property of the
HPOneView.Appliance.Connection object will be set to "Certificate".
The "Authentication" property will be set to the Active Directory
authentication directory that authenticated the request. The
"ActivePermissions" property will contain the available Scopes and
Roles.
To examine which Roles and Scopes are available for the logged in
account, examine the [HPOneView.Appliance.Connection].ActivePermissions
property. This property is a collection of HPOneView.Appliance.ActivePermissions
objects, each exposing [String]ScopeName, [String]RoleName, and [Bool]Active
properties.
The SessionID within the HPOneView.Appliance.Connection object is bound to
the current user's active permission set. To modify the active permission
set, use either the Pop-HPOVAppliancePermission or Push-HPOVAppliancePermission
Cmdlets.
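The one-liner above matches on the EKU friendly name, which is locale dependent and can return zero or several certificates (an expired or renewed card's certificate is often still cached in the user store), while Connect-HPOVMgmt expects a single certificate. The following is an added example, not code from the POSH-HPOneView project: it selects exactly one usable Smart Card Logon certificate by EKU OID, connects with it, and then checks the resulting $ConnectedSessions entry so that a session established any other way is refused before privileged work starts. The appliance name is a placeholder; the Connection object's Name and UserName properties, the Disconnect-HPOVMgmt -ApplianceConnection parameter, and the AuthType/Authentication/ActivePermissions values are assumed to be as described in this help topic.

```powershell
# Added example (not part of the POSH-HPOneView project).
# Assumptions: 'Myappliance.domain.com' is a placeholder; Connection.Name,
# Connection.UserName and Disconnect-HPOVMgmt -ApplianceConnection are assumed
# to exist as used here.

# 1.3.6.1.4.1.311.20.2.2 is the Microsoft Smart Card Logon EKU OID. Matching on
# the OID is locale independent, unlike matching on the FriendlyName string.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'
$Now = Get-Date

$Candidates = @(Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and                                   # key must be reachable (on the card)
    $_.NotBefore -le $Now -and $_.NotAfter -gt $Now -and    # skip not-yet-valid / expired certs
    ($_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonOid)
})

switch ($Candidates.Count) {
    0 { throw 'No valid Smart Card Logon certificate found. Is the card inserted?' }
    1 { $MyCertificate = $Candidates[0] }
    default {
        # Several logon certificates (e.g. a renewed card plus the old one still
        # cached). Pick the one expiring last instead of passing an array along.
        $MyCertificate = $Candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
        Write-Warning ('{0} logon certificates matched; using "{1}" (expires {2:yyyy-MM-dd}).' -f
            $Candidates.Count, $MyCertificate.Subject, $MyCertificate.NotAfter)
    }
}

# The PIN prompt is raised by the smart card minidriver when the private key is
# first used during the TLS client-certificate handshake.
$null = Connect-HPOVMgmt -Hostname 'Myappliance.domain.com' -Certificate $MyCertificate -ErrorAction Stop

# Find the session just created (Connection.Name assumed to hold the hostname).
$Session = $ConnectedSessions | Where-Object { $_.Name -eq 'Myappliance.domain.com' }

# Refuse to continue if the appliance authenticated us any other way than by
# certificate, so a fallback to password-based auth cannot go unnoticed.
if ($Session.AuthType -ne 'Certificate') {
    Disconnect-HPOVMgmt -ApplianceConnection $Session
    throw ("Expected AuthType 'Certificate' but got '{0}'; session closed." -f $Session.AuthType)
}

'Authenticated as {0} via directory "{1}"' -f $Session.UserName, $Session.Authentication

# Show which Role/Scope pairs are actually active for this session.
$Session.ActivePermissions |
    Where-Object { $_.Active } |
    Select-Object RoleName, ScopeName |
    Format-Table -AutoSize
```

Run it in the same session in which you will issue further HPOV cmdlets; the final table is what Push-HPOVAppliancePermission and Pop-HPOVAppliancePermission later operate on.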
HOW TO USE SCOPES IN CMDLETS
Scopes by default are managed by Infrastructure administrators, unless
the HPOneView.Appliance.ScopeCollection resource has been scoped to a
local user or directory user with the Scope administrator role. Once a
scope has been created, it can be used to filter the following supported
resource objects:
* Enclosures
* Server Hardware
* Networks (Ethernet, FC, and FCoE)
* Network Sets
* Interconnects, excluding SAS resources
* Logical Interconnects, excluding SAS resources
* Logical Interconnect Groups, excluding SAS resources
* Switches
* Logical Switches
* Logical Switch Groups
The supporting Cmdlets for the above resources include a -Scope parameter
that allows the caller to supply one or more HPOneView.Appliance.ScopeCollection
resources to filter by. By default, the appliance returns all available
resources that are part of the user's Active Permissions set.
For instance, Get-HPOVNetwork -Scope $MyScopeObject will return only the
network objects that are members of the scope held in the $MyScopeObject
variable:
PS C:\> $MyScopeObject = Get-HPOVScope -Name MyScope -ErrorAction Stop
PS C:\> Get-HPOVNetwork -Scope $MyScopeObject
Type: Ethernet
Name Status Purpose Type VlanID IPv4Subnet Smartlink PrivateNetwork PreferredBandwidth MaxBandwidth
---- ------ ------- ---- ------ ---------- --------- -------------- ------------------ ------------
Dev VLAN 101-A OK General Tagged 101 None True False 2500 20000
Dev VLAN 101-B OK General Tagged 101 None True False 2500 20000
Dev VLAN 102-A OK General Tagged 102 None True False 2500 20000
Dev VLAN 102-B OK General Tagged 102 None True False 2500 20000
Dev VLAN 103-A OK General Tagged 103 None True False 2500 20000
Dev VLAN 103-B OK General Tagged 103 None True False 2500 20000
Dev VLAN 104-A OK General Tagged 104 None True False 2500 20000
Dev VLAN 104-B OK General Tagged 104 None True False 2500 20000
Dev VLAN 105-A OK General Tagged 105 None True False 2500 20000
Dev VLAN 105-B OK General Tagged 105 None True False 2500 20000
Type: Fibre Channel
Name Status Type TypicalBandwidth MaxBandwidth AutoLoginRedistribution LinkStabilityInterval ManagedSAN
---- ------ ---- ---------------- ------------ ----------------------- --------------------- ----------
Fabric A OK FabricAttach 4000 20000 True 30 SA
Fabric B OK FabricAttach 4000 20000 True 30 SA
...
SEE ALSO
https://github.com/HewlettPackard/POSH-HPOneView
http://hp.com/go/oneviewcommunity
Get-Help about_HPOneView.400