HP Integrated Lights-Out Security, 7th edition

iLO imposes delays after failed login attempts (Table 1). iLO displays an information page during
each delay. The delays continue until you complete a valid login. This feature helps defend against
dictionary attacks on the browser login port, because every guess after the second costs the attacker
at least 60 seconds. iLO saves a detailed log entry for each failed login attempt.
Table 1. iLO response to failed login attempts

Failed attempt    Imposed delay (seconds)
First             5
Second            10
Third             60
Subsequent        60
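The following is an added example, not code from HP or the iLO firmware. It models the escalating delay schedule of Table 1 on the server side and computes the wall-clock cost the schedule imposes on a dictionary attack, which is the point of the mechanism. The per-client tracking, the log line format and the function names are assumptions for illustration.

```python
"""Added example (not HP firmware code): the Table 1 delay schedule as a
server-side throttle, plus the cost it imposes on a dictionary attack.
Per-client tracking and the log format are assumptions for illustration."""
import logging
from dataclasses import dataclass, field
from typing import Dict

# Table 1: delay in seconds after the 1st, 2nd and 3rd consecutive failure;
# every later failure repeats the last entry (60 s).
DELAY_SCHEDULE = (5, 10, 60)


def delay_for_failure(failed_count: int) -> int:
    """Seconds to impose after the given number of consecutive failures."""
    if failed_count < 1:
        return 0
    return DELAY_SCHEDULE[min(failed_count, len(DELAY_SCHEDULE)) - 1]


def dictionary_attack_seconds(guesses: int) -> int:
    """Time consumed by `guesses` consecutive wrong passwords against one
    login, counting the delay imposed after each failure."""
    return sum(delay_for_failure(n) for n in range(1, guesses + 1))


@dataclass
class LoginThrottle:
    """Tracks consecutive failures per client and returns the delay to
    impose before the next attempt from that client is processed."""
    failures: Dict[str, int] = field(default_factory=dict)

    def record_result(self, client: str, user: str, ok: bool) -> int:
        """Record a login outcome; a success clears the counter."""
        if ok:
            self.failures.pop(client, None)
            return 0
        count = self.failures.get(client, 0) + 1
        self.failures[client] = count
        delay = delay_for_failure(count)
        # iLO keeps a detailed entry per failure; here it is a log record.
        logging.warning("failed login user=%s from=%s consecutive=%d delay=%ds",
                        user, client, count, delay)
        return delay


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    t = LoginThrottle()
    for pw_guess in ("password", "admin", "letmein", "welcome1"):
        # Constructed sample: every guess is wrong.
        print(pw_guess, "->", t.record_result("10.0.0.5", "Administrator", False), "s")
    print("1000 guesses take at least", dictionary_attack_seconds(1000), "s")
```

With the third and every subsequent failure costing 60 seconds, a thousand guesses against one login take more than 16 hours, which is what makes an online dictionary attack impractical compared with an unthrottled port.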
iLO uses 128-bit SSL encryption and the accompanying digital certificates to encrypt web pages
(HTTP data) transmitted across the network. SSL encryption occurs whether the login is through
directory services or a local account. SSL encryption ensures that all information and commands
issued through the web pages are private. A digital certificate is an integral part of SSL. iLO creates
its own self-signed certificate by default. You can also import a certificate from a third-party
Certificate Authority (CA) or from your organization's internal CA or PKI instead of using the
self-signed iLO certificate.
You can use iLO's digital certificate capabilities to defend against impersonation attacks (sometimes
described as Trojan horse attacks) in which an impostor poses as a trusted iLO web server. For
example, if someone put a server that emulated iLO onto a corporate network, that server would not
have a legitimate iLO certificate. If any user browsed to this emulated iLO device, the browser would
flag the lack of a recognized certificate. You can configure the browser to reject a connection to any
unrecognized certificate.
This protection only works if the browser actually recognizes the genuine iLO certificate. The default
self-signed certificate is itself unrecognized, so users who are accustomed to clicking through the
warning for the real iLO will click through it for an impostor as well. Importing a certificate issued
by a CA that your browsers already trust, and then configuring them to reject unrecognized
certificates, is what makes the warning meaningful.
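As an added example (not HP's code), the scripted equivalent of a browser that rejects unrecognized certificates, for use in RIBCL or REST automation against iLO: a verifying context that requires a chain to a trusted CA and a matching host name, the weak setting beside it for contrast, and a function that connects and reports who issued the certificate. The host name, port default and CA file path are assumptions; point them at your own iLO and the CA that issued its certificate.

```python
"""Added example (not HP's code): client-side certificate verification for
scripted access to iLO, mirroring a browser configured to reject
unrecognized certificates. Host name and CA path are assumed values."""
import socket
import ssl
from typing import Optional


def make_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Context that requires a chain to a trusted CA and a matching host name.
    With cafile=None the platform trust store is used, which rejects iLO's
    default self-signed certificate; pass your internal CA bundle otherwise."""
    ctx = ssl.create_default_context()
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)   # organization's internal CA / PKI
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_insecure_context() -> ssl.SSLContext:
    """The weak setting, shown only for contrast: this is what clicking
    through the certificate warning amounts to. An impostor iLO is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Summarize the two settings that decide whether an impostor is caught."""
    return {"verify_mode": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}


def verify_ilo(host: str, port: int = 443, cafile: Optional[str] = None) -> dict:
    """Connect to the iLO, let the context validate the chain, and return the
    peer certificate's subject and issuer. Raises ssl.SSLCertVerificationError
    when the certificate is not issued by a trusted CA or the name differs."""
    ctx = make_context(cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {
        "subject": dict(rdn[0] for rdn in cert["subject"]),
        "issuer": dict(rdn[0] for rdn in cert["issuer"]),
    }


if __name__ == "__main__":
    # Assumed values: replace with your iLO's DNS name and your CA bundle.
    print(verify_ilo("ilo-server01.example.com", cafile="/etc/ssl/corp-ca.pem"))
```

Run it against an iLO that still carries the self-signed default and the connection fails with a verification error, which is the behaviour you want from automation; it should never fall back to the insecure context to make the error go away.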
Login authentication begins after iLO establishes an SSL connection. iLO sends the user a login page
that includes a unique session ID and a random session key. The unique session ID points to a session
control block, a memory area where iLO stores all the session information for that user and that
session. The session control block eliminates the need to re-authenticate the user credentials for every
user request.
iLO time-stamps the session ID. It is valid only for the length of time defined by the
SESSION_TIMEOUT parameter. You can set this parameter to 15, 30, 60, or 120 minutes. iLO 2
firmware after v1.30 supports an Infinite Inactivity Timeout request that extends sessions indefinitely.
The combination of the session ID and the session key prevents another authenticated connection from
hijacking a session: a request is accepted only if it presents both values issued for that session, so
learning another user's session ID alone is not enough.
Figure 4 shows how the client browser generates a unique cookie (hp-iLO-Login) for authentication
and authorization. The browser Base64-encodes the username and password and incorporates them into
the cookie. Base64 is an encoding, not a hash or encryption: anyone who can read the cookie can recover
the credentials, so their confidentiality rests entirely on the SSL connection described above. The
cookie also includes the unique session ID and the random session key sent with the login page.
The cookie links the browser window to the appropriate session in the firmware. The firmware tracks
browser logins as separate sessions listed in the Active Sessions section of the iLO Status page.
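The session mechanism described above, as an added example rather than iLO firmware code: a session ID that indexes a session control block, a random session key that must accompany it on every request, a SESSION_TIMEOUT enforced against inactivity, and the Base64 credential encoding carried in the hp-iLO-Login cookie. The field names, token sizes and cookie layout are assumptions for illustration, not iLO's actual wire format.

```python
"""Added example (not iLO firmware code): a model of the session control
block, session ID + session key check, SESSION_TIMEOUT and the Base64
credential encoding. Names, sizes and cookie layout are assumptions."""
import base64
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

SESSION_TIMEOUT_MINUTES = 30     # one of the allowed values: 15, 30, 60 or 120


@dataclass
class SessionControlBlock:
    """Memory area holding everything iLO needs for one user's session."""
    user: str
    key: str           # random session key issued with the login page
    last_seen: float   # time-stamp used for the inactivity timeout


@dataclass
class SessionTable:
    timeout_s: float = SESSION_TIMEOUT_MINUTES * 60
    clock: Callable[[], float] = time.monotonic    # injectable for testing
    sessions: Dict[str, SessionControlBlock] = field(default_factory=dict)

    def issue(self, user: str) -> Tuple[str, str]:
        """Create a session control block; return (session_id, session_key)."""
        sid, key = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = SessionControlBlock(user, key, self.clock())
        return sid, key

    def validate(self, sid: str, key: str) -> Optional[str]:
        """Return the user for a live session, or None. Both the ID and the
        key must match: a peer who learns only the session ID cannot hijack it."""
        scb = self.sessions.get(sid)
        if scb is None:
            return None
        if self.clock() - scb.last_seen > self.timeout_s:
            del self.sessions[sid]           # SESSION_TIMEOUT expired
            return None
        if not secrets.compare_digest(scb.key, key):
            return None
        scb.last_seen = self.clock()         # activity extends the session
        return scb.user


def build_login_cookie(user: str, password: str, sid: str, key: str) -> str:
    """Assumed hp-iLO-Login layout: Base64(user:password), session ID, key."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"hp-iLO-Login={cred}:{sid}:{key}"


def credentials_from_cookie(cookie: str) -> Tuple[str, str]:
    """Base64 is reversible: whoever reads the cookie recovers the password.
    That is why the cookie must only ever travel inside the SSL session."""
    cred = cookie.split("=", 1)[1].split(":")[0]
    user, password = base64.b64decode(cred).decode().split(":", 1)
    return user, password


if __name__ == "__main__":
    table = SessionTable()
    sid, key = table.issue("Administrator")           # constructed sample login
    cookie = build_login_cookie("Administrator", "example-only", sid, key)
    print("valid with both values:", table.validate(sid, key))
    print("ID alone, wrong key:", table.validate(sid, "0" * 32))
    print("recovered from cookie:", credentials_from_cookie(cookie))
```

The injectable clock is what lets the timeout be exercised without waiting; in the firmware the equivalent is the time-stamp on the session ID.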