White Papers

Version 2.0.0 15
credentials. These iDRAC admin credentials are used for subsequent remote access and configuration using WSMan Web service requests or remote IPMI, CLI, and iDRAC GUI interfaces. The deployment console can optionally check the service tag against a preapproved list of service tags that are authorized to be provisioned. At this point in the process, the deployment console knows which service tags have come online.

Two certificates are used for the mutually authenticated, encrypted TLS (Transport Layer Security) connection between the Lifecycle Controller and the Provisioning Service. The iDRAC handshake client encryption certificate is signed with a Dell certificate authority root certificate, for which the public key is made available by Dell to console software partners that incorporate an AutoDiscovery Provisioning Service. The handshake client encryption certificate is generated during the factory build of the server and is unique to every system. The default hostname (Common Name) embedded in the handshake client encryption certificate is the service tag of the server.

A DellProvisioningServer certificate, signed by the Dell Lifecycle Controller Provisioning Server Root CA, and its private key are provided by Dell to console software partners. During the initial handshake connection, the iDRAC verifies that the certificate provided by the Provisioning Server is properly signed.
8.1 Authentication Options

Auto-Discovery uses full TLS mutual authentication. This means that the iDRAC must authenticate the provisioning server and the server must authenticate the iDRAC before any information is exchanged.

8.1.1 Dell Provisioning default server certificate

When Auto-Discovery is enabled with no additional configuration, the iDRAC authenticates the provisioning server with the Dell Provisioning Server CA cert. In this mode, the iDRAC cannot validate the CN of the provisioning server certificate against the hostname of the machine.
8.1.2 Dell iDRAC default CA

When Auto-Discovery is enabled with no additional configuration, the provisioning server authenticates the iDRAC using the default iDRAC CA cert and the service tag of the iDRAC. Each iDRAC has a client certificate based on its service tag, which is created in the factory. If the service tag of the machine does not match the certificate, it will not authenticate. Additionally, the provisioning server checks the service tag against a list of configured service tags before creating an admin account on the iDRAC.
8.1.3 Customer provided server CA certificate

A customer may optionally provide a provisioning server CA. If a provisioning server CA is provided, only servers with credentials signed by this CA are allowed by the iDRAC for the purposes of Auto-Discovery. The iDRAC additionally validates the CN of the server certificate against the hostname used to make the TLS connection.
8.1.4 Customer provided iDRAC CA

A customer may optionally provide an iDRAC CA certificate. If an iDRAC CA is provided, only iDRACs with credentials signed by this CA are allowed by the provisioning server for the purposes of Auto-Discovery. See the Web Services Interface Guide for details on how to sign an iDRAC Auto-Discovery client certificate.
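The checks in 8.1.1 through 8.1.4 amount to a small decision procedure on each side of the handshake: the provisioning server chains the iDRAC client certificate to the trusted iDRAC CA, compares its Common Name with the claimed service tag, and consults the preapproved list before creating an admin account; the iDRAC chains the server certificate to the trusted server CA and, only when a customer CA is configured, also compares the Common Name with the connection hostname. The following Go program is an added example that models that logic with Go's standard-library X.509 verifier; it is not Dell's code or any console partner's code. It generates throwaway self-signed CAs in place of the Dell-issued ones and uses placeholder service tags and hostname, and it reduces the hostname check to a Common Name comparison because that is how the paper describes it (real TLS stacks also consult Subject Alternative Names).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustIssue builds a constructed key pair and certificate for the demo (it panics on failure because
// it only makes fixtures): a self-signed CA when parent is nil, else a leaf signed by parent with cn as CN.
func mustIssue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // no issuer given: make a self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// chainsTo verifies only the signature chain; service tag and hostname checks come afterwards.
func chainsTo(leaf, ca *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

// AuthorizeIDRAC is the provisioning-server side (8.1.2 / 8.1.4): the client cert must chain to the
// trusted iDRAC CA, its CN must equal the claimed service tag, and the tag must be preapproved.
func AuthorizeIDRAC(leaf, idracCA *x509.Certificate, claimedTag string, preapproved map[string]bool) error {
	if err := chainsTo(leaf, idracCA); err != nil {
		return fmt.Errorf("iDRAC cert not signed by trusted CA: %w", err)
	}
	if leaf.Subject.CommonName != claimedTag {
		return fmt.Errorf("cert CN %q does not match claimed service tag %q", leaf.Subject.CommonName, claimedTag)
	}
	if !preapproved[claimedTag] {
		return fmt.Errorf("service tag %q is not preapproved; no admin account created", claimedTag)
	}
	return nil
}

// VerifyProvisioningServer is the iDRAC side: with the Dell default CA (8.1.1) only the signature is
// checked; with a customer-provided CA (8.1.3) the CN must also match the connection hostname.
func VerifyProvisioningServer(leaf, ca *x509.Certificate, hostname string, customerCA bool) error {
	if err := chainsTo(leaf, ca); err != nil {
		return fmt.Errorf("provisioning server cert not signed by trusted CA: %w", err)
	}
	if customerCA && leaf.Subject.CommonName != hostname {
		return fmt.Errorf("cert CN %q does not match hostname %q", leaf.Subject.CommonName, hostname)
	}
	return nil
}

// RunScenarios builds the constructed fixtures and runs each path; a nil entry means the peer was accepted.
func RunScenarios() map[string]error {
	idracCA, idracKey := mustIssue("constructed iDRAC CA", nil, nil)
	serverCA, serverKey := mustIssue("constructed Provisioning Server CA", nil, nil)
	goodTag, strayTag, host := "ABC1234", "ZZZ9999", "provisioning.example.internal" // placeholders, not real values
	preapproved := map[string]bool{goodTag: true}
	idracGood, _ := mustIssue(goodTag, idracCA, idracKey)
	idracStray, _ := mustIssue(strayTag, idracCA, idracKey)
	idracWrongCA, _ := mustIssue(goodTag, serverCA, serverKey) // issued by a CA not trusted for iDRACs
	server, _ := mustIssue(host, serverCA, serverKey)
	return map[string]error{
		"idrac: trusted CA, CN = claimed tag, tag preapproved": AuthorizeIDRAC(idracGood, idracCA, goodTag, preapproved),
		"idrac: trusted CA, tag not preapproved":              AuthorizeIDRAC(idracStray, idracCA, strayTag, preapproved),
		"idrac: claimed tag differs from cert CN":             AuthorizeIDRAC(idracGood, idracCA, strayTag, preapproved),
		"idrac: cert from wrong CA":                           AuthorizeIDRAC(idracWrongCA, idracCA, goodTag, preapproved),
		"server: default CA, hostname not checked":            VerifyProvisioningServer(server, serverCA, "other.host", false),
		"server: customer CA, hostname mismatch":              VerifyProvisioningServer(server, serverCA, "other.host", true),
		"server: customer CA, hostname matches":               VerifyProvisioningServer(server, serverCA, host, true),
	}
}

func main() {
	for name, res := range RunScenarios() {
		fmt.Printf("%-55s -> %v\n", name, res)
	}
}
```

The "default CA, hostname not checked" case is the one to note for threat modeling: with the Dell default server CA, any certificate signed under that CA is accepted regardless of which host presented it, which is exactly why 8.1.3 describes the customer-provided CA as adding the hostname check.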
8.2 Factory Options

You can order Dell Servers with Auto-Discovery enabled out of the factory. When Auto-Discovery is enabled, the default iDRAC admin account is disabled.