session that generated the cookie can access it. When the user closes the browser or logs out of iLO, the browser destroys the cookie. Therefore, users should close all browser instances to guarantee the cookie is destroyed.

After the browser creates the cookie, it returns it to iLO with a request for a status page. The iLO device then begins the process of looking up the assigned user privileges. The iLO processor uses a generic login interface (application program interface, or API) to centralize the login functionality and abstract the local and directory user accounts. The common login API authenticates first against the directory, and then against local user accounts. Figure 5 shows the common login API that iLO performs using the authenticated credentials in the cookie.

Figure 5. Common login API flowchart

[Flowchart image not reproduced. Nodes shown: Start iLO 2 login process; Directory enabled and local accounts disabled?; Scan local user accounts; Found as local user?; Single Sign-On enabled?; Compare with SSO proxy credentials; Match as SSO?; Erase SSO proxy credentials; Directory integration?; Attempt directory authentication; Authenticated to directory?; iLO security override switch set?. Outcomes: Login as local user; Login as SSO user; Login as directory user; Login as security override: login name; Bad login name or password. Log the event? leads to Record login event or Record login failure, ending in Exit (success) or Exit (error).]
After authenticating the user, iLO calculates the current privileges, as described in the section titled "Calculating current privileges." Then iLO sends the iLO Status Summary page to the client browser
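As an added illustration (example code, not HP's iLO firmware) of the lookup order the text describes, the following Python model authenticates the credentials carried in the cookie against a directory store first and then against local accounts, skips the local scan when the directory is enabled and local accounts are disabled, and records a login event or a login failure either way. The in-memory account stores with constructed users, the SHA-256 verifier and the constant-time comparison are assumptions of this example; the SSO and security-override branches of Figure 5 are not modelled.

```python
# Added example (not HP's code): a model of the common login API ordering
# described in the text: directory first, then local user accounts, with the
# outcome recorded in both cases.
# Assumptions (not from the page): account stores are in-memory dicts of
# constructed users keyed by login name; password verifiers are SHA-256
# digests; the SSO and security-override branches of Figure 5 are omitted.
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import Enum


class Source(Enum):
    DIRECTORY = "directory"
    LOCAL = "local"
    NONE = "none"


@dataclass
class Config:
    directory_enabled: bool = False
    local_accounts_disabled: bool = False  # only meaningful with directory_enabled
    log_events: bool = True


@dataclass
class LoginResult:
    ok: bool
    source: Source
    reason: str


def make_verifier(password: str) -> bytes:
    """Constructed stand-in for whatever verifier a real account store holds."""
    return hashlib.sha256(password.encode("utf-8")).digest()


# Dummy verifier compared against when the login name is unknown, so the
# unknown-user and wrong-password paths do the same amount of work
# (an assumption of this example, not a documented iLO behaviour).
_DUMMY = make_verifier("unused")


def _verify(store: dict, user: str, password: str) -> bool:
    expected = store.get(user, _DUMMY)
    matched = hmac.compare_digest(expected, make_verifier(password))
    return matched and user in store


@dataclass
class CommonLogin:
    cfg: Config
    directory: dict
    local: dict
    events: list = field(default_factory=list)

    def _finish(self, user: str, ok: bool, source: Source, reason: str) -> LoginResult:
        if self.cfg.log_events:
            # "Record login event" / "Record login failure" in Figure 5
            self.events.append((user, "login" if ok else "failure", source.value))
        return LoginResult(ok, source, reason)

    def login(self, user: str, password: str) -> LoginResult:
        # Step 1: the directory is consulted first
        if self.cfg.directory_enabled and _verify(self.directory, user, password):
            return self._finish(user, True, Source.DIRECTORY, "authenticated to directory")
        # Directory enabled and local accounts disabled: the local scan is skipped
        if self.cfg.directory_enabled and self.cfg.local_accounts_disabled:
            return self._finish(user, False, Source.NONE, "local accounts disabled")
        # Step 2: scan local user accounts
        if _verify(self.local, user, password):
            return self._finish(user, True, Source.LOCAL, "found as local user")
        return self._finish(user, False, Source.NONE, "bad login name or password")


if __name__ == "__main__":
    # Constructed sample accounts
    api = CommonLogin(Config(directory_enabled=True),
                      directory={"alice": make_verifier("dir-pass")},
                      local={"Administrator": make_verifier("local-pass")})
    for u, p in [("alice", "dir-pass"), ("Administrator", "local-pass"), ("alice", "wrong")]:
        print(u, api.login(u, p))
    print(api.events)
```

The `events` list stands in for the iLO event log: every attempt, successful or not, leaves a record, which is what makes failed-login monitoring possible on the device.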
