HP Integrated Lights-Out Security, 7th edition

3. iLO sends a secure one-time login token to the second browser window. The token contains
base-64 encoded hash values of a random secret key and a random session key. iLO sends
this token securely over SSL so a LAN sniffer cannot capture it.
4. The Java applet in the second browser window (using base-64) decodes the information
within the token.
5. The Java applet passes the decoded information back to the remote console applet as the
username and password.
6. The remote console applet compares the original login token with the decoded username and
password from the Java applet, and allows a login if the data match.
This process is identical for the Integrated Remote Console ActiveX control.
Figure 9. Process for initiating a remote console session
Figure 10 illustrates the steps required to construct the one-time login token for Java applet login:
1. The original browser session contains a 40-character random session key. Programming code
stored in the remote console applet generates a 40-character random secret. The code
concatenates the random session key with the random secret.
2. The iLO device performs an MD5 hash on the concatenated line, and then converts the MD5 hash
to ASCII. MD5 is a one-way hash function that converts a message into a 32-digit
hexadecimal number, also called a message digest. This step guarantees that the session key
remains obscured and prevents a user from hijacking another session by using his valid session
key to reattach to a different user’s session.
3. The session ID is concatenated with the 32-character ASCII hash to obtain a second new line.
4. The result is base-64 encoded and sent to the applet.
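The token construction and the comparison at login can be sketched as follows. This is an added example, not HP's firmware or applet code. It assumes an alphanumeric character set for the random strings, lowercase hex for the ASCII hash, the session ID as the username and the hash as the password, and a constant-time comparison; the function names and the sample session ID are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumed; the brief names no character set
DIGEST_LEN = 32  # MD5 rendered as ASCII hex


def random_key(length=40):
    """Return a 40-character random string from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def build_token(session_id, session_key, secret):
    """Steps 1-4: base64(session_id + hex(MD5(session_key + secret)))."""
    digest = hashlib.md5((session_key + secret).encode("ascii")).hexdigest()
    return base64.b64encode((session_id + digest).encode("ascii")).decode("ascii")


def decode_token(token):
    """Applet side: base-64 decode, then split off the trailing 32-char hash."""
    raw = base64.b64decode(token, validate=True).decode("ascii")
    if len(raw) <= DIGEST_LEN:
        raise ValueError("token too short to hold a session ID and an MD5 hash")
    return raw[:-DIGEST_LEN], raw[-DIGEST_LEN:]


def verify_login(original_token, username, password):
    """Console side: accept only if both fields match the token that was issued."""
    session_id, digest = decode_token(original_token)
    # Constant-time comparison of both fields, no short-circuit (an added hardening choice).
    id_ok = hmac.compare_digest(session_id.encode(), username.encode())
    hash_ok = hmac.compare_digest(digest.encode(), password.encode())
    return id_ok and hash_ok


if __name__ == "__main__":
    sid, key, secret = "SID-0001", random_key(), random_key()  # constructed sample values
    token = build_token(sid, key, secret)
    user, pw = decode_token(token)
    print(token, verify_login(token, user, pw))
```

The decoded token carries only the session ID and the digest, so neither the session key nor the random secret appears in what the applet handles.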