Dell Drac 5 User Guide
12 Configuring Security Features

The DRAC 5 provides the following security features:

• Advanced Security options for the DRAC administrator:
  • The Console Redirection disable option allows the local system user to disable console redirection using the DRAC 5 Console Redirection feature.
  • The local configuration disable feature allows the remote DRAC administrator to selectively disable the ability to configure the DRAC 5 from:
    – BIOS POST option-ROM
    – the operating system, using the local racadm and Dell OpenManage Server Administrator utilities
• RACADM CLI and Web-based interface operation, which supports 128-bit SSL encryption and 40-bit SSL encryption (for countries where 128-bit is not acceptable)

NOTE: Telnet does not support SSL encryption.

• Session time-out configuration (in seconds) through the Web-based interface or RACADM CLI
• Configurable IP ports (where applicable)
• Secure Shell (SSH), which uses an encrypted transport layer for higher security
• Login failure limits per IP address, with login blocking from the IP address when the limit is exceeded
• Limited IP address range for clients connecting to the DRAC 5
Security Options for the DRAC Administrator

Disabling the DRAC 5 Local Configuration

Administrators can disable local configuration through the DRAC 5 graphical user interface (GUI) by selecting Remote Access, then Configuration, then Services. When the Disable the DRAC local Configuration using option ROM check box is selected, the Remote Access Configuration Utility (accessed by pressing Ctrl+E during system boot) operates in read-only mode, preventing local users from configuring the device. When the administrator selects the Disable the DRAC local Configuration using RACADM check box, local users cannot configure the DRAC 5 through the racadm utility or the Dell OpenManage Server Administrator, although they can still read the configuration settings.

Administrators can enable one or both of these options at the same time. In addition to enabling them through the GUI, administrators can do so using local racadm commands.

Disabling Local Configuration During System Reboot

This feature disables the ability of the managed system's user to configure the DRAC 5 during system reboot.

    racadm config -g cfgRacTune -o cfgRacTuneCtrlEConfigDisable 1

NOTE: This option is supported only on the Remote Access Configuration Utility version 1.13 and later. To upgrade to this version, upgrade your BIOS using the BIOS update package from the Dell Server Updates DVD or the Dell Support website at support.dell.com.
Disabling Local Configuration From Local racadm

This feature disables the ability of the managed system's user to configure the DRAC 5 using the local racadm or the Dell OpenManage Server Administrator utilities.

    racadm config -g cfgRacTune -o cfgRacTuneLocalConfigDisable 1

CAUTION: These features severely limit the ability of the local user to configure the DRAC 5 from the local system, including performing a reset to default of the configuration. Dell recommends that you use these features with discretion and disable only one interface at a time to help avoid losing login privileges altogether.

NOTE: See the white paper on Disabling Local Configuration and Remote Virtual KVM in the DRAC on the Dell Support site at support.dell.com/manuals for more information.

Although administrators can set the local configuration options using local racadm commands, for security reasons they can reset them only from an out-of-band DRAC 5 GUI or command-line interface.

The cfgRacTuneLocalConfigDisable option applies once the system power-on self-test is complete and the system has booted into an operating system environment. The operating system could be a full operating system such as Microsoft Windows Server or Enterprise Linux that can run local racadm commands, or a limited-use operating system such as Microsoft Windows Preinstallation Environment or vmlinux used to run Dell OpenManage Deployment Toolkit local racadm commands.

Several situations might call for administrators to disable local configuration. For example, in a data center with multiple administrators for servers and remote access devices, those responsible for maintaining server software stacks may not require administrative access to remote access devices.
Similarly, technicians may have physical access to servers during routine systems maintenance, during which they can reboot the systems and access the password-protected BIOS, but should not be able to configure remote access devices. In such situations, remote access device administrators may want to disable local configuration.

Administrators should keep in mind that disabling local configuration severely limits local configuration privileges, including the ability to reset the DRAC 5 to its default configuration. They should therefore use these options only when necessary, and typically should disable only one interface at a time to help avoid losing login privileges altogether. For example, if administrators have disabled all local DRAC 5 users and allow only Microsoft Active Directory directory service users to log in to the DRAC 5, and the Active Directory authentication infrastructure subsequently fails, the administrators may be unable to log in. Similarly, if administrators have disabled all local configuration and place a DRAC 5 with a static IP address on a network that already includes a Dynamic Host Configuration Protocol (DHCP) server, and the DHCP server subsequently assigns the DRAC 5 IP address to another device on the network, the resulting conflict may disable the out-of-band connectivity of the DRAC, requiring administrators to reset the firmware to its default settings through a serial connection.

Disabling DRAC 5 Remote Virtual KVM

Administrators can selectively disable the DRAC 5 remote KVM, providing a flexible, secure mechanism for a local user to work on the system without someone else viewing the user's actions through console redirection. Using this feature requires installing the DRAC managed node software on the server. Administrators can disable remote vKVM using the following command:

    racadm LocalConRedirDisable 1

The LocalConRedirDisable command, when executed with the argument 1, disables existing remote vKVM session windows. To help prevent a remote user from overriding the local user's settings, this command is available only to local racadm. Administrators can use this command in operating systems that support local racadm, including Microsoft Windows Server 2003 and SUSE Linux Enterprise Server 10. Because this command persists across system reboots, administrators must specifically reverse it to re-enable remote vKVM. They can do so by using the argument 0:

    racadm LocalConRedirDisable 0
Several situations might call for disabling DRAC 5 remote vKVM. For example, administrators may not want a remote DRAC 5 user to view the BIOS settings that they configure on a system, in which case they can disable remote vKVM during the system POST by using the LocalConRedirDisable command. They may also want to increase security by automatically disabling remote vKVM every time an administrator logs in to the system, which they can do by executing the LocalConRedirDisable command from the user logon scripts.

NOTE: See the white paper on Disabling Local Configuration and Remote Virtual KVM in the DRAC on the Dell Support site at support.dell.com/manuals for more information. For more information on logon scripts, see technet2.microsoft.com/windowsserver/en/library/31340f46-b3e5-4371-bbb9-6a73e4c63b621033.mspx.

Securing DRAC 5 Communications Using SSL and Digital Certificates

This subsection provides information about the following data security features that are incorporated in your DRAC 5:

• Secure Sockets Layer (SSL) on page 215
• Certificate Signing Request (CSR) on page 216
• Accessing the SSL Main Menu on page 216
• Generating a New Certificate Signing Request on page 218
• Uploading a Server Certificate on page 219

Secure Sockets Layer (SSL)

The DRAC includes a Web server that is configured to use the industry-standard SSL security protocol to transfer encrypted data over the Internet. Built upon public-key and private-key encryption technology, SSL is a widely accepted technique for providing authenticated and encrypted communication between clients and servers to prevent eavesdropping across a network.
An SSL-enabled system:

• Authenticates itself to an SSL-enabled client
• Allows the client to authenticate itself to the server
• Allows both systems to establish an encrypted connection

This encryption process provides a high level of data protection. The DRAC employs the 128-bit SSL encryption standard, the most secure form of encryption generally available for Internet browsers in North America.

The DRAC Web server includes a Dell self-signed SSL digital certificate (Server ID). To ensure high security over the Internet, replace the Web server SSL certificate by submitting a request to the DRAC to generate a new Certificate Signing Request (CSR).

Certificate Signing Request (CSR)

A CSR is a digital request to a Certificate Authority (CA) for a secure server certificate. Secure server certificates protect the identity of a remote system and ensure that information exchanged with the remote system cannot be viewed or changed by others. To ensure security for your DRAC, it is strongly recommended that you generate a CSR, submit the CSR to a CA, and upload the certificate returned from the CA.

A CA is a business entity that is recognized in the IT industry for meeting high standards of reliable screening, identification, and other important security criteria. Examples of CAs include Thawte and VeriSign. After the CA receives your CSR, they review and verify the information the CSR contains. If the applicant meets the CA's security standards, the CA issues a certificate to the applicant that uniquely identifies that applicant for transactions over networks and on the Internet.

After the CA approves the CSR and sends you a certificate, you must upload the certificate to the DRAC firmware. The CSR information stored on the DRAC firmware must match the information contained in the certificate.

Accessing the SSL Main Menu

1. Expand the System tree and click Remote Access.
2. Click the Configuration tab and then click SSL.
Use the SSL Main Menu page options (see Table 12-1) to generate a CSR to send to a CA. The CSR information is stored on the DRAC 5 firmware. Table 12-2 describes the buttons available on the SSL Main Menu page.

Table 12-1. SSL Main Menu Options

Generate a New Certificate Signing Request (CSR): Click Next to open the Certificate Signing Request Generation page, which enables you to generate a CSR to send to a CA to request a secure Web certificate.
  CAUTION: Each new CSR overwrites any previous CSR on the firmware. For a CA to accept your CSR, the CSR in the firmware must match the certificate returned from the CA.
Upload Server Certificate: Click Next to upload an existing certificate that your company has title to and uses to control access to the DRAC 5.
  CAUTION: Only X509, Base 64 encoded certificates are accepted by the DRAC 5. DER encoded certificates are not accepted. Upload a new certificate to replace the default certificate you received with your DRAC 5.
View Server Certificate: Click Next to view an existing server certificate.

Table 12-2. SSL Main Menu Buttons

Print: Prints the SSL Main Menu page.
Next: Navigates to the next page.
Generating a New Certificate Signing Request

NOTE: Each new CSR overwrites any previous CSR on the firmware. Before a certificate authority (CA) can accept your CSR, the CSR in the firmware must match the certificate returned from the CA. Otherwise, the DRAC 5 will not upload the certificate.

1. In the SSL Main Menu page, select Generate a New Certificate Signing Request (CSR) and click Next.
2. In the Generate Certificate Signing Request (CSR) page, type a value for each CSR attribute. Table 12-3 describes the Generate Certificate Signing Request (CSR) page options.
3. Click Generate to save or view the CSR.
4. Click the appropriate Generate Certificate Signing Request (CSR) page button to continue. Table 12-4 describes the buttons available on the Generate Certificate Signing Request (CSR) page.

Table 12-3. Generate Certificate Signing Request (CSR) Page Options

Common Name: The exact name being certified (usually the Web server's domain name, for example, www.xyzcompany.com). Only alphanumeric characters, hyphens, underscores, and periods are valid. Spaces are not valid.
Organization Name: The name associated with this organization (for example, XYZ Corporation). Only alphanumeric characters, hyphens, underscores, periods, and spaces are valid.
Organization Unit: The name associated with an organizational unit, such as a department (for example, Enterprise Group). Only alphanumeric characters, hyphens, underscores, periods, and spaces are valid.
Locality: The city or other location of the entity being certified (for example, Round Rock). Only alphanumeric characters and spaces are valid. Do not separate words using an underscore or some other character.
State Name: The state or province where the entity applying for certification is located (for example, Texas). Only alphanumeric characters and spaces are valid. Do not use abbreviations.
Country Code: The name of the country where the entity applying for certification is located. Use the drop-down menu to select the country.
Email: The e-mail address associated with the CSR. You can type your company's e-mail address, or any e-mail address you want to have associated with the CSR. This field is optional.

Table 12-4. Generate Certificate Signing Request (CSR) Page Buttons

Print: Print the Generate Certificate Signing Request (CSR) page.
Go Back to Security Main Menu: Return to the SSL Main Menu page.
Generate: Generate a CSR.

Uploading a Server Certificate

1. In the SSL Main Menu page, select Upload Server Certificate and click Next. The Certificate Upload page appears.
2. In the File Path field, type the path of the certificate in the Value field or click Browse to navigate to the certificate file.

NOTE: The File Path value displays the relative file path of the certificate you are uploading. You must type the absolute file path, which includes the full path and the complete file name and file extension.

NOTE: A Server Certificate can be uploaded only once. If you try to upload a Server Certificate that has already been uploaded once, DRAC displays the error message, Unable to find a valid certificate.

3. Click Apply.
4. Click the appropriate page button to continue.
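The following script is an added example, not part of the Dell guide, that runs the pre-upload checks the cautions above imply: the file must be a Base64 (PEM) X.509 certificate, its public key must match the CSR still stored in the firmware, and its Common Name must be the DRAC host name. It assumes openssl is installed; the key, CSR and self-signed certificate it creates are constructed stand-ins for the CSR the DRAC generates and the certificate a CA returns.

```shell
#!/bin/sh
# Added example (not from the Dell guide): check a CA-issued certificate
# against the DRAC 5 CSR before uploading it via the SSL Main Menu.
# Assumes openssl is installed. The key, CSR and self-signed certificate are
# constructed locally as stand-ins for the firmware CSR and the CA's answer.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/drac5.key"; CSR="$WORK/drac5.csr"; CERT="$WORK/drac5.pem"
# Subject attributes mirror Table 12-3 (placeholder values).
SUBJ="/C=US/ST=Texas/L=Round Rock/O=XYZ Corporation/OU=Enterprise Group/CN=drac5.xyzcompany.com/emailAddress=admin@xyzcompany.com"

# Stand-in for the CSR the DRAC firmware generates (its private key never leaves it).
openssl req -new -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CSR" -subj "$SUBJ" 2>/dev/null
# Stand-in for the certificate a CA returns for that CSR (self-signed here).
openssl x509 -req -in "$CSR" -signkey "$KEY" -days 365 -out "$CERT" 2>/dev/null

# 0 if the file parses as a Base64 (PEM) X.509 certificate; a DER file fails,
# just as the DRAC 5 rejects DER uploads.
is_pem_cert() { openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; }

# 0 if the certificate's public key equals the CSR's, i.e. it was issued for
# the CSR still in the firmware. Generating a new CSR would break this match.
cert_matches_csr() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}

# 0 if the certificate Common Name is the expected DRAC host name.
cert_cn_is() {
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$2" ]
}

# All three checks must pass before the file goes into the Upload page.
ready_to_upload() {
  is_pem_cert "$1" && cert_matches_csr "$1" "$2" && cert_cn_is "$1" "$3"
}

if ready_to_upload "$CERT" "$CSR" drac5.xyzcompany.com; then
  echo "PEM certificate matches the CSR: ready to upload"
else
  echo "do not upload: a pre-upload check failed"
fi
```

Run it with the CSR downloaded from the DRAC and the file the CA returned in place of the constructed ones; a failed match usually means a new CSR was generated after the old one was submitted.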
Viewing a Server Certificate

1. In the SSL Main Menu page, select View Server Certificate and click Next. Table 12-5 describes the fields and associated descriptions listed in the Certificate window.
2. Click the appropriate View Server Certificate page button to continue.

Table 12-5. Certificate Information

Serial Number: Certificate serial number
Subject Information: Certificate attributes entered by the subject
Issuer Information: Certificate attributes returned by the issuer
Valid From: Issue date of the certificate
Valid To: Expiration date of the certificate

Using the Secure Shell (SSH)

Only four SSH sessions are supported at any given time. The session time-out is controlled by the cfgSsnMgtSshIdleTimeout property, as described in DRAC 5 Property Database Group and Object Definitions on page 345.

You can enable SSH on the DRAC 5 with the command:

    racadm config -g cfgSerial -o cfgSerialSshEnable 1

You can change the SSH port with the command:

    racadm config -g cfgRacTuning -o cfgRacTuneSshPort <new port number>

For more information on the cfgSerialSshEnable and cfgRacTuneSshPort properties, see DRAC 5 Property Database Group and Object Definitions on page 345.

The DRAC 5 SSH implementation supports multiple cryptography schemes, as shown in Table 12-6.