Reference Guide

ManualsBrandsDell ManualsActive System ManageriDRAC9 - 4.xx Series

Table Of Contents

iDRAC9 Security Configuration Guide
1 Overview of iDRAC9 Security Configuration Guide
2 Built in iDRAC and PowerEdge Security
- 2.1 Silicon-based Root-of-Trust
  - 2.1.1 Let us look at the chain of trust in more detail. Each BIOS module contains a hash of the next module in the chain. The key modules in BIOS are the IBB (Initial Boot Block), SEC (Security), PEI (Pre-EFI Initialization), MRC (Memory Reference Cod...
  - 2.1.2 Also, AMD Secure Run Technology is designed to encrypt main memory, keeping it private from malicious intruders having access to the hardware. No application modifications are needed to use this feature, and the security processor never exposes ...
- 2.2 Cryptographically Verified Trusted Booting
- 2.3 SELinux
- 2.4 Signed Firmware Updates
- 2.5 Non-Root Support
- 2.6 iDRAC Credential Vault
- 2.7 BIOS Recovery and Hardware Root of Trust (RoT)
- 2.8 Live Scanning
3 Securely Configuring iDRAC Web Server
- 3.1 Webserver Information
- 3.2 Enabling HTTPS Redirection
- 3.3 Configuring TLS Protocol
- 3.4 Configuring Encryption Strength
- 3.5 Configuring Cipher Suite Selection
- 3.6 Setting Cipher Suite Selection using the iDRAC GUI
4 Securely Using TLS/SSL Certificate
- Table 1: TLS/SSL Certificate Analysis
5 Federal Information Processing Standards (FIPS)
- 5.1 Enabling FIPS Mode using iDRAC Web Interface
6 Secure Shell (SSH)
- 6.1 SSH Cryptography Configuration
- 6.2 Supported SSH Cryptography Schemes
  - Table 2. SSH cryptography schemes
- 6.3 Using Public Key Authentication for SSH
7 Network Security Configuration
- Table 3. Network Configurations from Web Interface and RACADM
- 7.1 Dedicated NIC and Shared LOM
- 7.2 OS to iDRAC Pass-through
- 7.3 VLAN Usage
- 7.4 IP Blocking
- 7.5 IP Range Filtering
- 7.6 Auto-discovery
- 7.7 Auto Config
- 7.8 iDRAC USB Interfaces
- 7.9 Configuring iDRAC Direct USB Connection Using the Webserver
8 Interfaces and Protocols to Access iDRAC
- Table 4. Interfaces and protocols to access iDRAC
9 iDRAC Port Configuration
- Table 5. Ports iDRAC listens for connections
- Table 6. Ports iDRAC uses as client
- 9.1 Security Recommendations for Interfaces, Protocols, and Services
- 9.2 Disabling IPMI over LAN using Web Interface
- 9.3 Disabling Serial Over LAN using Web Interface
- 9.4 Configuring Services using Web Interface
10 IPMI and SNMP Security Best Practices
- 10.1 SNMP Security Best Practices:
- 10.2 IPMI Security Best Practices:
- 10.3 Secure NTP
- 10.4 Redfish Session Login Authentication
11 Secure Enterprise Key Manager (SEKM) Security
- 11.1 Create or Change SEKM Security Keys
12 iDRAC9 Group Manager
- 12.1 Group Manager Enable/Disable
- 12.2 Group Manager Single Sign-On
- 12.3 Group Manager Networking
- 12.4 Group Manager Security Best Practices
13 Virtual Console and Virtual Media Security
- 13.1 Java vConsole Security
14 VNC Security
- 14.1 Setting up VNC Viewer with SSL Encryption
15 User Configuration and Access Control
- 15.1 Configuring Local Users
- 15.2 Disabling Access to Modify iDRAC Configuration Settings on Host System
- 15.3 iDRAC User Roles and Privileges
- 15.4 Recommended Characters in Usernames and Passwords
  - Table 8. Recommended characters for usernames
  - Table 9. Recommended characters for passwords
- 15.5 Password Policy
- 15.6 Secure Default Password
- 15.7 Changing the Default Login Password using Web Interface
- 15.8 Force Change of Password (FCP)
- 15.9 Simple 2-Factor Authentication (Simple 2FA)
- 15.10 RSA SecurID Two Factor Authentication (2FA) iDRAC9 Datacenter
- 15.11 Active Directory
- 15.12 LDAP
- 15.13 Customizable Security Banner
16 System Lockdown Mode
- Table 10. Items affected by Lockdown mode
17 Securely Configuring BIOS System Security
- Table 11 - BIOS Security Settings
18 Secure Boot Configuration
- Table 12. Acceptable file formats
19 Securely Erasing Data
- Table 13. System Erase methods
20 LCD Panel
21 Server Inventory, Lifecycle Log, Server Profiles, and Licenses Import and Export
- 21.1 Configuring Lifecycle Controller Logs Export using Web Interface and HTTPS
- 21.2 Using HTTPS with a Proxy Securely
22 Security Events Lifecycle Log
- Table 14. Security Event Descriptions
23 Default Configuration Values
- Table 15. Default Configuration Values
24
25 Network Vulnerability Scanning
- Table 16. Network Vulnerability Scanning
26 Security Licensing
- Table 17. Licensed security features in iDRAC9
27 Best Practices
28 Appendix - Whitepapers

MD5 and SHA1 are the most commonly used key types, since they meet basic security and provides time accuracy in millisecond

level with timeservers within the company infrastructure. In theory, any encryption type that is supported by openssl can be used

for symmetric keys, but higher encryption can result in high CPU usage and high latency in processing the time data.

Secure NTP Configuration

iDRAC group and property name to enable NTP is “NTPConfigGroup.NTPEnable”. When this property is set to “Enabled”, iDRAC

uses the properties NTP1, NTP2, NTP3 to set up to three timeserver FQDN or IP addresses (IPv4 or IPv6).

The new addition in iDRAC NTPConfigGroup to support secure NTP are:

1. NTP1SecurityType

2. NTP1SecurityKeyNumber

3. NTP1SecurityKey

4. NTP2SecurityType

5. NTP2SecurityKeyNumber

6. NTP2SecurityKey

7. NTP3SecurityType

8. NTP3SecurityKeyNumber

9. NTP3SecurityKey

• SecurityType is an enumeration with options Disabled, MD5, SHA1. Higher encryption options could be supported in the

future.

• SecurityKeyNumber is a number between 1 to 65534. It should be the same key number that is used in the NTP server

corresponding to the selected key.

• SecurityKey - The key is a hex-encoded ASCII string of up to 40 characters.

The key number, type and key value should match in the NTP server and iDRAC, for secure NTP to work.

The NTP configuration has a limitation that the key numbers must be unique. Hence NTP1SecurityKeyNumber,

NTP2SecurityKeyNumber and NTP3SecurityKeyNumber should be different values. This limitation comes from open-source ntpd

code usage on iDRAC, even though in theory, different NTP servers could issue the same key number. If the same key number is

repeated in a configuration, the second instance of the key number is ignored.

Even though iDRAC can support up to three secure NTP server addresses, Dell guidance is to use only one secure NTP server

and leave the other two entries that are not populated for best iDRAC performance. It is a common practice to use multiple

timeservers when using plain unencrypted NTP, however the present secure NTP installations mostly use a single secure NTP

server.

iDRAC allows mixing secure and unsecure NTP servers in the configuration. However, this is not advised, since unencrypted NTP

packets always become the primary NTP source, with the current ntpd implementation.

For security reasons, the SecurityKey attribute is write-only. If SecurityType is set to Disabled (default setting), the corresponding

key entry is ignored.

Note: For MX blade servers, there is also a “chassis” option, where NTP is set to synchronize time with the chassis Management

Module (MM). Chassis option continues to use unencrypted NTP, to listen to chassis MM. This is already a secure path since the

communication between iDRAC and MM is through a chassis private VLAN.

Example showing RACADM script to set security configuration in NTP group:

racadm set idrac.ntpconfiggroup.NTPEnable 1

racadm set idrac.ntpconfiggroup.ntp1 100.64.25.20

racadm set idrac.ntpconfiggroup.NTP1SecurityKey calvin

racadm set idrac.ntpconfiggroup.NTP1SecurityType 1

racadm set idrac.ntpconfiggroup.NTP1SecurityKeyNumber 65

racadm set idrac.ntpconfiggroup.ntp2 100.64.24.202

racadm set idrac.ntpconfiggroup.NTP2SecurityKey da39a3ee5e6b4b0d3255bfef95601890afd80709