Using Strong Passwords; Time-Based Passwords; Encrypted Ciphertext Passwords; Exporting Ciphertext - HP 3PAR StoreServ 7450 Service Manual

3 Using Strong Passwords

This chapter explains the strong password functionality in 3PAR operating systems beginning with
the HP 3PAR OS 3.2.2 release. The industry-wide use of static vendor-only service user passwords
is not advised in today's security- and compliance-aware sites. This functionality replaces those
types of passwords in StoreServ systems. There are two modes of support: time-based passwords
and encrypted ciphertext passwords.

Time-based Passwords

Time-based passwords are unique to each service user account and StoreServ. They change each
hour and can only be generated in the HP support center for authorized HP employees and
contractors. If you are operating in time-based mode, you cannot change passwords since they
change automatically each hour.
If you choose time-based passwords, you do not need to change your HP support processes. Service
personnel from HP can acquire the password when needed without requiring your interaction.
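
The properties described above (a password unique to each service account and each system, changing every hour, and obtainable by support staff without customer interaction) can be illustrated with an HMAC-based derivation in the style of TOTP. This is an added example, not HP's algorithm, which this manual does not describe; the shared secret, the serial number, the sample time and the function names are all assumptions.

```python
import hashlib
import hmac
import struct

# 32 symbols with look-alike characters (0/O, 1/I) left out, so a password
# can be read over the phone. The alphabet is an assumption of this example.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def hourly_password(secret: bytes, serial: str, account: str,
                    unix_time: int, length: int = 16) -> str:
    """Derive the password for one account on one system for one hour."""
    hour = unix_time // 3600  # counter advances once per hour
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    fields = (serial.encode(), account.encode())
    msg = b"".join(struct.pack(">H", len(f)) + f for f in fields)
    msg += struct.pack(">Q", hour)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # 32 symbols = 5 bits each, so masking a byte with 31 is unbiased.
    return "".join(ALPHABET[b & 31] for b in digest[:length])


def verify(secret: bytes, serial: str, account: str,
           unix_time: int, candidate: str) -> bool:
    """System-side check: recompute for the current hour, compare in constant time."""
    expected = hourly_password(secret, serial, account, unix_time)
    return hmac.compare_digest(expected.encode(), candidate.encode())


# Constructed sample values, not taken from any real system.
SECRET = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
SERIAL = "EXAMPLE-0001"
T = 1_700_000_000  # 800 seconds into its hour

if __name__ == "__main__":
    for account in ("root", "console"):
        print(account, hourly_password(SECRET, SERIAL, account, T))
    issued = hourly_password(SECRET, SERIAL, "root", T)
    print("valid now:      ", verify(SECRET, SERIAL, "root", T, issued))
    print("valid next hour:", verify(SECRET, SERIAL, "root", T + 3600, issued))
```

Because both sides derive the value from the secret and the clock, nothing has to be exchanged with the customer, and an issued password stops verifying once the hour rolls over.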

Encrypted Ciphertext Passwords

Encrypted ciphertext passwords are randomly created on the StoreServ for each service user
account. You can change these passwords any time; however, the passwords are not known to
you or to HP. Recovery is only possible by exporting the ciphertext for transmission to HP, where
an authorized support center user can decrypt the ciphertext to provide the password to on-site
HP service personnel or contractors.
If you choose encrypted ciphertext passwords, you need to export the ciphertext and provide it to
the HP personnel working with you. The ciphertext is pasted into a tool at HP that can unwrap and
decrypt the ciphertext to recover the password. After the support activity is complete, you can
change the password so that the recovered password is no longer valid.

Exporting Ciphertext

In the encrypted ciphertext mode, use the controlrecoveryauth ciphertext <user> command to
export the ciphertext for a service account. This command displays the ciphertext associated
with the specified service user account. You can copy and paste that ciphertext into an
email to the HP support center or to the HP support engineer who is working with you.
The ciphertext is protected from exposure if you email it. The random credential contained in the
ciphertext is first encrypted and is then wrapped using a public key. This makes the ciphertext
secure for transmission, because only the corresponding private key at HP can unwrap the encrypted
credential.

Changing the Ciphertext Password

To change passwords in encrypted ciphertext mode, use the controlrecoveryauth rollcred <user>
command. This causes a new random password to be generated and assigned to the
specified service user account.
The two accounts that are affected are root and console. On the StoreServ, these user accounts
are not used for most maintenance actions.

This manual is also suitable for:

3par storeserv 7450c