HPE Gen10 Security Reference Guide
Abstract
This document describes the security and encryption mechanisms available in HPE Gen10
servers and embedded firmware. This document is intended for individuals who are responsible
for the secure configuration and operation of HPE servers for their organization.
Part Number: 882428-005
Published: February 2019
Edition: 1
© Copyright 2017, 2019 Hewlett Packard Enterprise Development LP
Notices
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use,
or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under
vendor's standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Xeon®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation
in the U.S. and other countries.
Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java® and Oracle® are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
Contents
Introduction
The importance of security
HPE Gen10 platform security features and licensing
HPE Gen10 product security features
HPE iLO 5 Security Features
Unauthorized access prevention
Phlashing protection
Protected Management ROM
Protected PCI bus
Host Access Configuration Lock
Network and management ports
Security Override switch
Trusted Platform Module and Trusted Modules
Operating iLO servers in the DMZ
Communication between iLO and server blades or Synergy systems
Security audits
Firmware verification
HPE Gen10 UEFI security features
Intelligent Provisioning Security Features
Intelligent Provisioning
Intelligent Provisioning security through iLO
Intelligent Provisioning security through UEFI
iLO Amplifier Pack security features
HPE OneView security features
HPE Gen10 recommended security settings
Hardware security
HPE Gen10 Server hardware security
HPE Gen10 security best practices
Physical access security
The HPE ProLiant Gen10 System Maintenance switch
iLO security with the system maintenance switch
HPE ProLiant Gen10 system intrusion detection
iLO Service Port
Configuring the iLO Service Port settings
iLO Service Port supported devices
Configuration security
iLO settings for configuration security
Preparing to set up iLO
IPMI/DCMI settings
iLO security
Using the Security Dashboard
iLO access settings
iLO user accounts
iLO directory groups
Administering SSH keys
Administering SSL certificates
HPE SSO
Configuring the Login Security Banner
Installing a license key by using a browser
UEFI settings for configuration security
HPE Gen10 UEFI security features
Using the iLO 5 Configuration Utility
iLO Amplifier Pack configuration security
Managed Servers Alerts
Activity Logs and Alerts
Recovery Management
Remote management security
About the tasks in this section
Configuring Remote Console Computer Lock settings
Remote Console Computer Lock options
Keys for configuring Remote Console computer lock keys and hot keys
Configuring the Integrated Remote Console Trust setting (.NET IRC)
HPE ProLiant Gen10 security states
iLO security states
Configuring encryption settings
Enabling the Production or High Security security state
Enabling the FIPS and CNSA security states
Connecting to iLO when using higher security states
Configuring a FIPS-validated environment with iLO
Disabling FIPS mode
SSH cipher, key exchange, and MAC support
SSL cipher and MAC support
Directory integration, access control, and auditing
Directory authentication and authorization
Prerequisites for configuring authentication and directory server settings
Configuring Kerberos authentication settings in iLO
Configuring schema-free directory settings in iLO
Configuring HPE Extended Schema directory settings in iLO
Directory user contexts
Directory Server CA Certificate
Local user accounts with Kerberos authentication and directory integration
Running directory tests
CAC Smartcard Authentication
Kerberos authentication with iLO
Configuring Kerberos authentication
Configuring the iLO hostname and domain name for Kerberos authentication
Preparing the domain controller for Kerberos support
Generating a keytab file for iLO in a Windows environment
Verifying that your environment meets the Kerberos authentication time requirement
Configuring Kerberos support in iLO
Configuring supported browsers for single sign-on
Directory integration
Choosing a directory configuration to use with iLO
Schema-free directory authentication
Prerequisites for using schema-free directory integration
Process overview: Configuring iLO for schema-free directory integration
Schema-free nested groups (Active Directory only)
HPE Extended Schema directory authentication
Process overview: Configuring the HPE Extended Schema with Active Directory
Prerequisites for configuring Active Directory with the HPE Extended Schema configuration
Directory services support
Installing the iLO directory support software
Running the Schema Extender
Directory services objects
Directory-enabled remote management (HPE Extended Schema configuration)
Roles based on organizational structure
How role access restrictions are enforced
User access restrictions
Role access restrictions
Tools for configuring multiple iLO systems at a time
User login using directory services
UEFI, passwords, and the Trusted Platform Module
Server Security options
Setting the power-on password
Setting an administrator password
Secure Boot
Enabling or disabling Secure Boot
Configuring Trusted Platform Module options
Advanced Secure Boot Options
Viewing Advanced Secure Boot Options settings
Enrolling a Secure Boot certificate key or database signature
Deleting a Secure Boot certificate key or database signature
Deleting all keys
Exporting a Secure Boot certificate key or database signature
Exporting all Secure Boot certificate keys
Resetting a Secure Boot certificate key or database signature to platform defaults
Resetting all Secure Boot certificate keys to platform defaults
TLS (HTTPS) Options
Viewing TLS certificate details
Enrolling a TLS certificate
Deleting a TLS certificate
Deleting all TLS certificates
Exporting a TLS certificate
Exporting all TLS certificates
Resetting all TLS settings to platform defaults
Configuring advanced TLS security settings
Enabling or disabling Intel TXT support
Enabling or disabling the One-Time Boot Menu F11 prompt
Enabling or disabling processor AES-NI support
Enabling or disabling backup ROM image authentication
Managing firmware, OS software, and language packs
Firmware updates
Online firmware update
Online firmware update methods
Offline firmware update
Offline firmware update methods
Viewing and updating firmware and software
Viewing installed firmware information
Replacing the active system ROM with the redundant system ROM
Viewing software information
Updating iLO or server firmware by using the Flash Firmware feature
Installing language packs with the Flash Firmware feature
iLO Federation Group Firmware Update
Maintenance windows
Adding a maintenance window