
16 Version 2.0.0
8.3 Provisioning Service Options
After TLS authentication, it is the provisioning server's responsibility to create an account on the iDRAC that can be used to perform future configuration. The provisioning server only creates an account if the server's service tag matches its list of service tags to provision. Note that the account the provisioning server creates can be unique for each server, and that this account can be deleted or disabled once Active Directory or LDAP is configured.
8.4 Auto-Discovery Re-Init
If a server is being moved to another provisioning service, the user can use the current credentials to load new certificates (the iDRAC certificate and the provisioning server CA certificate mentioned in the Authentication section). For more information, refer to the Re-Initiate Auto-Discovery Whitepaper (unreleased).
8.5 If Auto-Discovery fails
Auto-Discovery automatically retries for up to 24 hours. After 24 hours, if the issue is network related, power-cycling the server restarts Auto-Discovery and it should complete. If the problem is related to the TLS certificate, you need to go into the BIOS and enable an admin account. Once this account is enabled, you can manually add the server to the provisioning service, or you can add new certificates on the iDRAC using the Re-Initiate Auto-Discovery procedures detailed in the user guide.
8.6 Best Practices
It is recommended that the provisioning server validate the service tag sent in every request against the CN of the iDRAC certificate. Additionally, the service tag should be validated against your inventory. The provisioning server should generate unique temporary credentials for each iDRAC and use them only long enough to set up a directory method of authentication. After that, those credentials should be disabled and deleted. If customer-provided certificates are used, the certificates should be removed using LCWipe if the system is decommissioned or sold. After provisioning is complete, the provisioning server can set a static IP on the iDRAC or enable IPChange notifications to make sure it always has management connectivity.
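The following is an added illustration of the provisioning-side checks recommended above (it is not code from this white paper or from Dell). It assumes, as the text implies, that the CN of the iDRAC client certificate carries the service tag, that the certificate is available in the dict shape returned by Python's ssl.SSLSocket.getpeercert(), and that INVENTORY stands in for the site's asset database; the sample certificate and inventory are constructed.

```python
"""Provisioning-server side checks for an incoming Auto-Discovery request."""
import secrets
from typing import Optional, Tuple

# Constructed inventory: the service tags this provisioning server is allowed
# to provision (assumption: loaded from the asset database in practice).
INVENTORY = {"ABC1234", "DEF5678"}

# Constructed peer certificate in the dict shape returned by
# ssl.SSLSocket.getpeercert(); assumption: the iDRAC cert's CN is its service tag.
SAMPLE_PEERCERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Org (constructed)"),),
        (("commonName", "ABC1234"),),
    )
}


def cert_common_name(peercert: dict) -> Optional[str]:
    """Return the subject CN from a getpeercert()-style dict, or None if absent."""
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def validate_discovery_request(peercert: dict, request_service_tag: str,
                               inventory=INVENTORY) -> Tuple[bool, str]:
    """Accept only if the request's tag equals the certificate CN and is in inventory."""
    cn = cert_common_name(peercert)
    if cn is None:
        return False, "client certificate has no CN"
    tag = request_service_tag.strip().upper()
    if cn.strip().upper() != tag:
        return False, "service tag in request does not match certificate CN"
    if tag not in inventory:
        return False, "service tag not in inventory"
    return True, "ok"


def issue_temporary_credential(service_tag: str) -> Tuple[str, str]:
    """Unique, per-iDRAC temporary account; the caller must disable and delete it
    once directory (AD/LDAP) authentication has been configured."""
    username = f"tmp-{service_tag.lower()}-{secrets.token_hex(2)}"
    password = secrets.token_urlsafe(18)
    return username, password
```

Every rejected request returns a reason string so the provisioning server can log mismatches between the claimed service tag and the certificate CN as a detection signal.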
9 IP Change Notification
After Auto-Discovery completes and a user account has been created, Auto-Discovery is disabled; if the system is power-cycled after that, Auto-Discovery will not run again. To handle a situation where a system loses its DHCP lease and the IP address of the iDRAC changes, the provisioning server can request that the iDRAC send IPChange Notification SOAP messages, using the same mutually authenticated TLS method, whenever the IP address of the iDRAC changes. This makes sure the console always knows the IP of the system's iDRAC.