HPE Gen10 Security Reference Guide

Abstract

This document describes the security and encryption mechanisms available in HPE Gen10 servers and embedded firmware. This document is intended for individuals who are responsible for the secure configuration and operation of HPE servers for their organization.

Part Number: 882428-005

Published: February 2019

Edition: 1

© Copyright 2017, 2019 Hewlett Packard Enterprise Development LP

Notices

The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise website.

Acknowledgments

Intel®, Itanium®, Pentium®, Xeon®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the U.S. and other countries.

Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.

Java® and Oracle® are registered trademarks of Oracle and/or its affiliates.

UNIX® is a registered trademark of The Open Group.

Contents

Introduction..................................................................................................7

The importance of security.................................................................................................................. 7

HPE Gen10 platform security features and licensing.......................................................................... 7

HPE Gen10 product security features................................................................................................. 8

HPE iLO 5 Security Features....................................................................................................8

Unauthorized access prevention....................................................................................8

Phlashing protection...................................................................................................... 9

Protected Management ROM........................................................................................ 9

Protected PCI bus........................................................................................................10

Host Access Configuration Lock.................................................................................. 10

Network and management ports..................................................................................10

Security Override switch.............................................................................................. 11

Trusted Platform Module and Trusted Modules........................................................... 11

Operating iLO servers in the DMZ............................................................................... 12

Communication between iLO and server blades or Synergy systems.........................13

Security audits............................................................................................................. 13

Firmware verification....................................................................................................15

HPE Gen10 UEFI security features........................................................................................ 18

Intelligent Provisioning Security Features...............................................................................18

Intelligent Provisioning................................................................................................. 18

Intelligent Provisioning security through iLO................................................................19

Intelligent Provisioning security through UEFI............................................................. 19

iLO Amplifier Pack security features.......................................................................................19

HPE OneView security features............................................................................................. 19

HPE Gen10 recommended security settings.......................................... 21

Hardware security......................................................................................27

HPE Gen10 Server hardware security.............................................................................................. 27

HPE Gen10 security best practices......................................................... 29

Physical access security....................................................................................................................29

The HPE ProLiant Gen10 System Maintenance switch......................................................... 29

iLO security with the system maintenance switch........................................................30

HPE ProLiant Gen10 system intrusion detection....................................................................31

iLO Service Port......................................................................................................................31

Configuring the iLO Service Port settings.................................................................... 31

iLO Service Port supported devices.............................................................................32

Configuration security........................................................................................................................33

iLO settings for configuration security.....................................................................................34

Preparing to set up iLO................................................................................................ 34

IPMI/DCMI settings...................................................................................................... 38

iLO security.................................................................................................................. 39

Using the Security Dashboard..................................................................................... 41

iLO access settings......................................................................................................45

iLO user accounts........................................................................................................ 55

iLO directory groups.....................................................................................................60

Administering SSH keys.............................................................................................. 63

Administering SSL certificates..................................................................................... 66

HPE SSO..................................................................................................................... 69

Configuring the Login Security Banner........................................................................ 72

Installing a license key by using a browser..................................................................73

UEFI settings for configuration security.................................................................................. 75

HPE Gen10 UEFI security features............................................................................. 75

Using the iLO 5 Configuration Utility............................................................................ 76

iLO Amplifier Pack configuration security............................................................................... 83

Managed Servers Alerts.............................................................................................. 83

Activity Logs and Alerts................................................................................................85

Recovery Management................................................................................................86

Remote management security...........................................................................................................99

About the tasks in this section................................................................................................ 99

Configuring Remote Console Computer Lock settings...........................................................99

Remote Console Computer Lock options.................................................................... 99

Keys for configuring Remote Console computer lock keys and hot keys.................. 100

Configuring the Integrated Remote Console Trust setting (.NET IRC)................................. 101

HPE ProLiant Gen10 security states............................................................................................... 101

iLO security states................................................................................................................ 101

Configuring encryption settings............................................................................................ 103

Enabling the Production or High Security security state............................................ 103

Enabling the FIPS and CNSA security states............................................................ 104

Connecting to iLO when using higher security states................................................ 105

Configuring a FIPS-validated environment with iLO.................................................. 106

Disabling FIPS mode................................................................................................. 106

SSH cipher, key exchange, and MAC support...........................................................106

SSL cipher and MAC support.................................................................................... 107

Directory integration, access control, and auditing..........................................................................109

Directory authentication and authorization........................................................................... 109

Prerequisites for configuring authentication and directory server settings.................109

Configuring Kerberos authentication settings in iLO..................................................109

Configuring schema-free directory settings in iLO..................................................... 110

Configuring HPE Extended Schema directory settings in iLO....................................111

Directory user contexts.............................................................................................. 113

Directory Server CA Certificate.................................................................................. 113

Local user accounts with Kerberos authentication and directory integration............. 113

Running directory tests.............................................................................................. 114

CAC Smartcard Authentication.................................................................................. 117

Kerberos authentication with iLO..........................................................................................121

Configuring Kerberos authentication..........................................................................121

Configuring the iLO hostname and domain name for Kerberos authentication......... 121

Preparing the domain controller for Kerberos support............................................... 122

Generating a keytab file for iLO in a Windows environment...................................... 122

Verifying that your environment meets the Kerberos authentication time requirement................................................................................................124

Configuring Kerberos support in iLO..........................................................................125

Configuring supported browsers for single sign-on....................................................125

Directory integration..............................................................................................................127

Choosing a directory configuration to use with iLO.............................................................. 127

Schema-free directory authentication................................................................................... 128

Prerequisites for using schema-free directory integration..........................................129

Process overview: Configuring iLO for schema-free directory integration................. 129

Schema-free nested groups (Active Directory only).................................................. 130

HPE Extended Schema directory authentication..................................................................130

Process overview: Configuring the HPE Extended Schema with Active Directory.... 130

Prerequisites for configuring Active Directory with the HPE Extended Schema configuration.............................................................................................. 131

Directory services support......................................................................................... 131

Installing the iLO directory support software..............................................................131

Running the Schema Extender.................................................................................. 133

Directory services objects.......................................................................................... 134

Directory-enabled remote management (HPE Extended Schema configuration)................ 134

Roles based on organizational structure....................................................................135

How role access restrictions are enforced................................................................. 136

User access restrictions.............................................................................................136

Role access restrictions............................................................................................. 138

Tools for configuring multiple iLO systems at a time.............................................................139

User login using directory services....................................................................................... 140

UEFI, passwords, and the Trusted Platform Module.......................................................................140

Server Security options.........................................................................................................140

Setting the power-on password............................................................................................ 141

Setting an administrator password....................................................................................... 141

Secure Boot.......................................................................................................................... 142

Enabling or disabling Secure Boot.............................................................................142

Configuring Trusted Platform Module options...................................................................... 143

Advanced Secure Boot Options............................................................................................144

Viewing Advanced Secure Boot Options settings......................................................144

Enrolling a Secure Boot certificate key or database signature.................................. 145

Deleting a Secure Boot certificate key or database signature................................... 146

Deleting all keys ........................................................................................................146

Exporting a Secure Boot certificate key or database signature................................. 147

Exporting all Secure Boot certificate keys..................................................................147

Resetting a Secure Boot certificate key or database signature to platform defaults..148

Resetting all Secure Boot certificate keys to platform defaults.................................. 148

TLS (HTTPS) Options...........................................................................................................148

Viewing TLS certificate details................................................................................... 148

Enrolling a TLS certificate.......................................................................................... 148

Deleting a TLS certificate...........................................................................................149

Deleting all TLS certificates....................................................................................... 149

Exporting a TLS certificate.........................................................................................149

Exporting all TLS certificates..................................................................................... 149

Resetting all TLS settings to platform defaults...........................................................150

Configuring advanced TLS security settings..............................................................150

Enabling or disabling Intel TXT support................................................................................151

Enabling or disabling the One-Time Boot Menu F11 prompt................................................ 152

Enabling or disabling processor AES-NI support..................................................................152

Enabling or disabling backup ROM image authentication.................................................... 152

Managing firmware, OS software, and language packs.................................................................. 153

Firmware updates................................................................................................................. 153

Online firmware update..............................................................................................153

Online firmware update methods............................................................................... 153

Offline firmware update..............................................................................................154

Offline firmware update methods............................................................................... 154

Viewing and updating firmware and software....................................................................... 154

Viewing installed firmware information.......................................................................155

Replacing the active system ROM with the redundant system ROM........................ 156

Viewing software information..................................................................................... 156

Updating iLO or server firmware by using the Flash Firmware feature......................157

Installing language packs with the Flash Firmware feature....................................... 161

iLO Federation Group Firmware Update....................................................................161

Maintenance windows.......................................................................................................... 163

Adding a maintenance window.................................................................................. 164
