HP Integrated Lights-Out Security, 7th edition

minutes. During this time, iLO response to other functionality is slow
and the iLO status page displays a message indicating that key
generation is in progress.
2. The iLO processor listens for a request on the SSH port. When it gets a request, it starts a protocol
negotiation task that performs the SSH key exchange: the two sides exchange public values and derive the
shared session keys, while each side's private key never leaves it.
3. The protocol negotiation task completes the key exchange.
4. The protocol negotiation task then creates a task for checking authentication timeout and another
task for performing the authentication. The authentication task also reads from the SSH port once
authentication completes successfully.
5. The task for protocol negotiation then terminates while the authentication task and authentication
timeout task continue to run.
6. The authentication timeout task waits for one minute. If authentication does not complete
successfully during that time, iLO will terminate the connection.
7. The authentication task will attempt to authenticate the user. iLO allows a maximum of three
attempts. If authentication is unsuccessful, iLO terminates the connection. If authentication is
successful, the CLI session task for the SSH session and the SSH task for writing to the SSH socket
will start. After initiating the CLI and SSH tasks, the authentication task becomes the read task for
the SSH socket.
8. The write task for the SSH connection will write data to the socket. If there is no session activity for
a period equal to the session timeout, the SSH session will close.
Authentication process for IPMI-Over-LAN access
The iLO 3 processor conforms to the Intelligent Platform Management Interface (IPMI) 2.0 specification
for IPMI-over-LAN capability. This access method uses the Remote Management Control Protocol (RMCP)
and authenticates messages with a standard Message Authentication Code (MAC). For more information on
IPMI-over-LAN, consult the IPMI 2.0 Specification available at the IPMI website.
Encryption
The iLO management processor uses SSL (with 128-bit ciphers) and SSH to keep iLO traffic private; which
framework applies depends on the access mode and the type of function being performed. Within these
frameworks, various ciphers can be used for encrypting network traffic.
The purpose of a cipher is to make data private so that only parties holding the keys can read the data.
The frameworks allow cipher negotiation and secure exchange of the keys used to initiate encrypted
communication under the negotiated cipher algorithm.
iLO supports RC4, 3DES, and AES ciphers for encrypting network traffic. Key exchange uses
RSA/Diffie-Hellman, and keys are rotated every 3 minutes. Certificates are generated by iLO using
1024-bit RSA keys signed with MD5RSA and using a SHA1 fingerprint. Note that RC4, MD5 signatures,
SHA1 fingerprints and 1024-bit RSA keys have since been deprecated by the wider industry; prefer AES
and, where the firmware offers it, a certificate with a larger RSA key and a SHA-2 signature.
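The cipher negotiation this section describes can be seen concretely on the SSH side, where both peers send an SSH_MSG_KEXINIT listing the algorithms they offer (RFC 4253 section 7.1). The following is an added example, not code from HP's documentation or the iLO firmware: it encodes and parses a KEXINIT payload, applies the RFC's negotiation rule (the first algorithm in the client's list that the server also offers), flags the RC4, 3DES, MD5 and 1024-bit DH group names that a practitioner would reject today, and shows what a restricted offer changes. The server and client offers are constructed for the example, and the weak-algorithm list is this example's own choice, not iLO's.

```python
import struct

KEXINIT = 20  # message id of SSH_MSG_KEXINIT, RFC 4253 section 7.1

# The ten name-lists of a KEXINIT, in wire order.
FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)

# Name prefixes this example treats as weak (RC4, 3DES, MD5 MACs, 1024-bit DH
# group).  This is the example's own list, not an iLO setting.
WEAK_PREFIXES = ("arcfour", "3des-", "hmac-md5", "diffie-hellman-group1-")


def _name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Encode a KEXINIT payload (the part after SSH packet framing) from a dict."""
    out = bytes([KEXINIT]) + cookie
    for field in FIELDS:
        out += _name_list(lists.get(field, []))
    out += b"\x00"               # first_kex_packet_follows = FALSE
    out += struct.pack(">I", 0)  # reserved, always zero
    return out


def parse_kexinit(payload):
    """Decode a KEXINIT payload back into a dict of the ten name-lists."""
    if payload[0] != KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1 + 16  # skip the message id and the 16-byte cookie
    lists = {}
    for field in FIELDS:
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        lists[field] = raw.split(",") if raw else []
    return lists


def negotiate(client, server, field):
    """RFC 4253 rule: the first name on the client's list that the server also offers."""
    for name in client[field]:
        if name in server[field]:
            return name
    raise ValueError(f"no common algorithm for {field}")


def weak_offered(lists):
    """Return the sorted set of weak algorithm names anywhere in an offer."""
    return sorted({n for f in FIELDS for n in lists[f] if n.startswith(WEAK_PREFIXES)})


def restrict(lists):
    """Return a copy of an offer with the weak names removed, as an admin would configure."""
    return {f: [n for n in lists[f] if not n.startswith(WEAK_PREFIXES)] for f in FIELDS}


def offer(kex, hostkey, enc, mac):
    """Build a full ten-field offer with the same cipher/MAC list in both directions."""
    return {
        "kex_algorithms": kex,
        "server_host_key_algorithms": hostkey,
        "encryption_algorithms_client_to_server": enc,
        "encryption_algorithms_server_to_client": enc,
        "mac_algorithms_client_to_server": mac,
        "mac_algorithms_server_to_client": mac,
        "compression_algorithms_client_to_server": ["none"],
        "compression_algorithms_server_to_client": ["none"],
        "languages_client_to_server": [],
        "languages_server_to_client": [],
    }


# Constructed sample offers: a server advertising RC4, 3DES and AES as the
# section describes, a client that prefers AES, and a client that prefers RC4.
SERVER_OFFER = offer(["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
                     ["ssh-rsa"], ["aes128-cbc", "3des-cbc", "arcfour"],
                     ["hmac-sha1", "hmac-md5"])
CLIENT_OFFER = offer(["diffie-hellman-group14-sha1"], ["ssh-rsa"],
                     ["aes256-ctr", "aes128-cbc", "3des-cbc"], ["hmac-sha1"])
RC4_FIRST_CLIENT = offer(["diffie-hellman-group14-sha1"], ["ssh-rsa"],
                         ["arcfour", "aes128-cbc"], ["hmac-sha1"])

if __name__ == "__main__":
    wire = build_kexinit(SERVER_OFFER)
    server = parse_kexinit(wire)
    print("server offers weak:", weak_offered(server))
    for client in (CLIENT_OFFER, RC4_FIRST_CLIENT):
        for srv in (server, restrict(server)):
            print(negotiate(client, srv, "encryption_algorithms_client_to_server"))
```

The point the last loop makes: because SSH takes the client's preference, a server that still advertises RC4 will end up using it for any client that lists RC4 first, so the offer must be restricted on the server side rather than trusting clients to pick the strongest common cipher. The same audit on a live iLO would replace the constructed server offer with the KEXINIT read off the socket after the version exchange.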
Secure sockets layer (SSL)
The iLO management processor encrypts all web pages using 128-bit SSL encryption. This ensures
that all information and commands issued through the web browser are private. See "Authentication
and authorization processes for browser access" for more information.
SSL allows the client (browser) and server (iLO) to compare a list of ciphers. Generally, they negotiate
to use the strongest common cipher. A client may include a long list of ciphers, but iLO 2 v1.30 and
iLO 3 can restrict the cipher list if desired.