Dell Drac 5 User Manual

    Configuring Security Features (page 201)
    NOTICE: These features severely limit the ability of the local user to configure the 
    DRAC 5 from the local system, including performing a reset to default of the 
    configuration. Dell recommends that you use these features with discretion and 
    disable only one interface at a time to help avoid losing login privileges 
    altogether.
    NOTE: See the white paper on Disabling Local Configuration and Remote Virtual 
    KVM in the DRAC on the Dell Support site at support.dell.com for more information.
    Although administrators can set the local configuration options using local 
    racadm commands, for security reasons they can reset them only from an 
    out-of-band DRAC 5 GUI or command-line interface. The 
    cfgRacTuneLocalConfigDisable option applies once the system 
    power-on self-test is complete and the system has booted into an operating 
    system environment. The operating system could be a full operating system, 
    such as Microsoft® Windows Server® or Enterprise Linux, that can run local 
    racadm commands, or a limited-use operating system such as Microsoft 
    Windows® Preinstallation Environment or vmlinux used to run Dell 
    OpenManage Deployment Toolkit local racadm commands.
    Several situations might call for administrators to disable local configuration. 
    For example, in a data center with multiple administrators for servers and 
    remote access devices, those responsible for maintaining server software 
    stacks may not require administrative access to remote access devices. 
    Similarly, technicians may have physical access to servers during routine 
    systems maintenance—during which they can reboot the systems and access 
    password-protected BIOS—but should not be able to configure remote access 
    devices. In such situations, remote access device administrators may want to 
    disable local configuration.
    Administrators should keep in mind that because disabling local 
    configuration severely limits local configuration privileges—including the 
    ability to reset the DRAC 5 to its default configuration—they should only use 
    these options when necessary, and typically should disable only one interface 
    at a time to help avoid losing login privileges altogether. For example, if 
    administrators have disabled all local DRAC 5 users and allow only Microsoft 
    Active Directory® directory service users to log in to the DRAC 5, and the 
    Active Directory authentication infrastructure subsequently fails, the 
    administrators may be unable to log in. Similarly, if administrators have 
    disabled all local configuration and place a DRAC 5 with a static IP address 
    on a network that already includes a Dynamic Host Configuration Protocol 
    (DHCP) server, and the DHCP server subsequently assigns the DRAC 5 
    IP address to another device on the network, the resulting conflict may 
    disable the out-of-band connectivity of the DRAC, requiring administrators 
    to reset the firmware to its default settings through a serial connection.
    Disabling DRAC 5 Remote Virtual KVM
    Administrators can selectively disable the DRAC 5 remote KVM, providing a 
    flexible, secure mechanism for a local user to work on the system without 
    someone else viewing the user’s actions through console redirection. Using 
    this feature requires installing the DRAC managed node software on the 
    server. Administrators can disable remote vKVM using the following 
    command:
    racadm LocalConRedirDisable 1
    The LocalConRedirDisable command, when executed with the argument 1, 
    disables any existing remote vKVM session windows. 
    To help prevent a remote user from overriding the local user's settings, this 
    command is available only to local racadm. Administrators can use this 
    command in operating systems that support local racadm, including 
    Microsoft Windows Server 2003 and SUSE Linux Enterprise Server 10. 
    Because this command persists across system reboots, administrators must 
    specifically reverse it to re-enable remote vKVM. They can do so by using the 
    argument 0:
    racadm LocalConRedirDisable 0
    Several situations might call for disabling DRAC 5 remote vKVM. For 
    example, administrators may not want a remote DRAC 5 user to view the 
    BIOS settings that they configure on a system, in which case they can disable 
    remote vKVM during the system POST by using the 
    LocalConRedirDisable command. They may also want to increase 
    security by automatically disabling remote vKVM every time an administrator 
    logs in to the system, which they can do by executing the 
    LocalConRedirDisable command from the user logon scripts.
     NOTE: See the white paper on Disabling Local Configuration and Remote Virtual 
    KVM in the DRAC on the Dell Support site at support.dell.com for more information.
    For more information on logon scripts, see 
    technet2.microsoft.com/windowsserver/en/library/31340f46-b3e5-4371-bbb9-6a73e4c63b621033.mspx.
    Securing DRAC 5 Communications Using SSL and Digital Certificates
    This subsection provides information about the following data security 
    features that are incorporated in your DRAC 5:
    - Secure Sockets Layer (SSL)
    - Certificate Signing Request (CSR)
    - Accessing the SSL Main Menu
    - Generating a New Certificate Signing Request
    - Uploading a Server Certificate
    - Viewing a Server Certificate
    Secure Sockets Layer (SSL)
    The DRAC includes a Web server that is configured to use the industry-
    standard SSL security protocol to transfer encrypted data over the Internet. 
    Built upon public-key and private-key encryption technology, SSL is a widely 
    accepted technique for providing authenticated and encrypted 
    communication between clients and servers to prevent eavesdropping across a 
    network. 
    An SSL-enabled system:
    - Authenticates itself to an SSL-enabled client
    - Allows the client to authenticate itself to the server
    - Allows both systems to establish an encrypted connection
    This encryption process provides a high level of data protection. The DRAC 
    employs the 128-bit SSL encryption standard, the most secure form of 
    encryption generally available for Internet browsers in North America.
    The DRAC Web server includes a Dell self-signed SSL digital certificate 
    (Server ID). To ensure high security over the Internet, replace the Web server 
    SSL certificate by submitting a request to the DRAC to generate a new 
    Certificate Signing Request (CSR). 
    Certificate Signing Request (CSR)
    A CSR is a digital request to a Certificate Authority (CA) for a secure server 
    certificate. Secure server certificates protect the identity of a remote system 
    and ensure that information exchanged with the remote system cannot be 
    viewed or changed by others. To ensure security for your DRAC, it is strongly 
    recommended that you generate a CSR, submit the CSR to a CA, and upload 
    the certificate returned from the CA.
    A CA is a business entity that is recognized in the IT industry for meeting 
    high standards of reliable screening, identification, and other important 
    security criteria. Examples of CAs include Thawte and VeriSign. After the 
    CA receives your CSR, they review and verify the information the CSR 
    contains. If the applicant meets the CA’s security standards, the CA issues a 
    certificate to the applicant that uniquely identifies that applicant for 
    transactions over networks and on the Internet.
    After the CA approves the CSR and sends you a certificate, you must upload 
    the certificate to the DRAC firmware. The CSR information stored on the 
    DRAC firmware must match the information contained in the certificate.
    Accessing the SSL Main Menu
    1. Expand the System tree and click Remote Access.
    2. Click the Configuration tab and then click SSL.
    Use the SSL Main Menu page options (see Table 11-1) to generate a CSR to 
    send to a CA. The CSR information is stored on the DRAC 5 firmware. 
    Table 11-2 describes the buttons available on the SSL Main Menu page.
    Table 11-1. SSL Main Menu Options
    Field: Description
    Generate a New Certificate Signing Request (CSR): Click Next to open the 
        Certificate Signing Request Generation page, which enables you to 
        generate a CSR to send to a CA to request a secure Web certificate.
        NOTICE: Each new CSR overwrites any previous CSR on the firmware. For 
        a CA to accept your CSR, the CSR in the firmware must match the 
        certificate returned from the CA.
    Upload Server Certificate: Click Next to upload an existing certificate 
        that your company has title to and uses to control access to the 
        DRAC 5.
        NOTICE: Only X509, Base 64 encoded certificates are accepted by the 
        DRAC 5. DER encoded certificates are not accepted. Upload a new 
        certificate to replace the default certificate you received with your 
        DRAC 5.
    View Server Certificate: Click Next to view an existing server certificate.
    Table 11-2. SSL Main Menu Buttons
    Button: Description
    Print: Prints the SSL Main Menu page.
    Next: Navigates to the next page.
    Generating a New Certificate Signing Request
    NOTE: Each new CSR overwrites any previous CSR on the firmware. Before a 
    certificate authority (CA) can accept your CSR, the CSR in the firmware must 
    match the certificate returned from the CA. Otherwise, the DRAC 5 will not 
    upload the certificate.
    1. In the SSL Main Menu page, select Generate a New Certificate Signing 
    Request (CSR) and click Next.
    2. In the Generate Certificate Signing Request (CSR) page, type a value for 
    each CSR attribute. Table 11-3 describes the Generate Certificate Signing 
    Request (CSR) page options.
    3. Click Generate to save or view the CSR.
    4. Click the appropriate Generate Certificate Signing Request (CSR) page 
    button to continue. Table 11-4 describes the buttons available on the 
    Generate Certificate Signing Request (CSR) page.
    Table 11-3. Generate Certificate Signing Request (CSR) Page Options
    Field: Description
    Common Name: The exact name being certified (usually the Web server's 
        domain name, for example, www.xyzcompany.com). Only alphanumeric 
        characters, hyphens, underscores, and periods are valid. Spaces are 
        not valid.
    Organization Name: The name associated with this organization (for 
        example, XYZ Corporation). Only alphanumeric characters, hyphens, 
        underscores, periods and spaces are valid.
    Organization Unit: The name associated with an organizational unit, such 
        as a department (for example, Enterprise Group). Only alphanumeric 
        characters, hyphens, underscores, periods, and spaces are valid.
    Locality: The city or other location of the entity being certified (for 
        example, Round Rock). Only alphanumeric characters and spaces are 
        valid. Do not separate words using an underscore or some other 
        character.
    State Name: The state or province where the entity who is applying for a 
        certification is located (for example, Texas). Only alphanumeric 
        characters and spaces are valid. Do not use abbreviations.
    Country Code: The name of the country where the entity applying for 
        certification is located. Use the drop-down menu to select the 
        country.
    Email: The e-mail address associated with the CSR. You can type your 
        company's e-mail address, or any e-mail address you desire to have 
        associated with the CSR. This field is optional.
    Table 11-4. Generate Certificate Signing Request (CSR) Page Buttons
    Button: Description
    Print: Print the Generate Certificate Signing Request (CSR) page.
    Go Back to Security Main Menu: Return to the SSL Main Menu page.
    Generate: Generate a CSR.
    Uploading a Server Certificate
    1. In the SSL Main Menu page, select Upload Server Certificate and click 
    Next. The Certificate Upload page appears.
    2. In the File Path field, type the path of the certificate in the Value 
    field or click Browse to navigate to the certificate file.
    NOTE: The File Path value displays the relative file path of the certificate 
    you are uploading. You must type the absolute file path, which includes the 
    full path and the complete file name and file extension.
    3. Click Apply.
    4. Click the appropriate page button to continue.
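The character rules in Table 11-3 and the Base64-versus-DER restriction in the Table 11-1 NOTICE are the two points at which a certificate replacement on the DRAC 5 most often fails. The following is an added example, not code from the Dell manual or from the DRAC 5 firmware: it checks CSR attribute values against the Table 11-3 rules before they are typed into the GUI, and classifies a certificate file as PEM (Base64, accepted) or DER (rejected) before it is uploaded. The two-letter Country Code pattern, the e-mail pattern, the sample attribute values and the sample certificate bytes are assumptions made for this example.

```python
import base64
import re

# Allowed characters per CSR attribute, taken from Table 11-3 of this manual.
# Country Code is a drop-down in the DRAC 5 GUI; requiring a two-letter
# upper-case code here is an assumption made for this example, as is the
# e-mail pattern (the manual only says the field is optional).
CSR_FIELD_RULES = {
    "Common Name":       (re.compile(r"^[A-Za-z0-9._-]+$"), True),
    "Organization Name": (re.compile(r"^[A-Za-z0-9._ -]+$"), True),
    "Organization Unit": (re.compile(r"^[A-Za-z0-9._ -]+$"), True),
    "Locality":          (re.compile(r"^[A-Za-z0-9 ]+$"), True),
    "State Name":        (re.compile(r"^[A-Za-z0-9 ]+$"), True),
    "Country Code":      (re.compile(r"^[A-Z]{2}$"), True),
    "Email":             (re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"), False),
}

# Sample attribute values built from the examples given in Table 11-3
# (the country code is assumed).
SAMPLE_CSR = {
    "Common Name": "www.xyzcompany.com",
    "Organization Name": "XYZ Corporation",
    "Organization Unit": "Enterprise Group",
    "Locality": "Round Rock",
    "State Name": "Texas",
    "Country Code": "US",
    "Email": "",
}


def validate_csr_fields(fields):
    """Return a list of problems; an empty list means every attribute passes."""
    problems = []
    for name, (pattern, required) in CSR_FIELD_RULES.items():
        value = fields.get(name, "")
        if value == "":
            if required:
                problems.append(f"{name}: a value is required")
            continue
        if not pattern.match(value):
            problems.append(f"{name}: {value!r} contains characters this field does not allow")
    return problems


# A Base64 (PEM) certificate sits between these markers; a DER certificate is
# the raw binary structure and starts with the ASN.1 SEQUENCE tag 0x30.
PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"

# Constructed samples: the PEM body decodes to SAMPLE_DER, a minimal
# SEQUENCE { INTEGER 1 } stand-in, not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = PEM_BEGIN + b"\nMAMCAQE=\n" + PEM_END + b"\n"


def certificate_encoding(data):
    """Classify certificate bytes as 'pem' (accepted by the DRAC 5),
    'der' (rejected) or 'unknown'."""
    text = data.strip()
    if text.startswith(PEM_BEGIN) and text.endswith(PEM_END):
        body = b"".join(text[len(PEM_BEGIN):-len(PEM_END)].split())
        try:
            decoded = base64.b64decode(body, validate=True)
        except ValueError:
            return "unknown"
        # The decoded bytes must themselves be a DER SEQUENCE to be a certificate.
        return "pem" if decoded[:1] == b"\x30" else "unknown"
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


if __name__ == "__main__":
    print("CSR problems:", validate_csr_fields(SAMPLE_CSR) or "none")
    for label, blob in (("pem", SAMPLE_PEM), ("der", SAMPLE_DER)):
        print(label, "->", certificate_encoding(blob))
```

The PEM branch decodes the Base64 body and confirms it begins with an ASN.1 SEQUENCE tag, so a text file that merely carries the BEGIN/END markers is not mistaken for a certificate; a DER file is recognised by its leading 0x30 byte and should be converted to PEM before the upload step above.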
    Viewing a Server Certificate
    1. In the SSL Main Menu page, select View Server Certificate and click 
    Next. Table 11-5 describes the fields and associated descriptions listed 
    in the Certificate window.
    2. Click the appropriate View Server Certificate page button to continue.
    Table 11-5. Certificate Information
    Field: Description
    Serial Number: Certificate serial number
    Subject Information: Certificate attributes entered by the subject
    Issuer Information: Certificate attributes returned by the issuer
    Valid From: Issue date of the certificate
    Valid To: Expiration date of the certificate
    Using the Secure Shell (SSH)
    Only four SSH sessions are supported at any given time. The session time-out 
    is controlled by the cfgSsnMgtSshIdleTimeout property as described in 
    the DRAC 5 Property Database Group and Object Definitions.
    You can enable SSH on the DRAC 5 with the command:
    racadm config -g cfgSerial -o cfgSerialSshEnable 1
    You can change the SSH port with the command:
    racadm config -g cfgRacTuning -o cfgRacTuneSshPort 
    For more information on the cfgSerialSshEnable and 
    cfgRacTuneSshPort properties, see DRAC 5 Property Database Group 
    and Object Definitions.
    The DRAC 5 SSH implementation supports multiple cryptography schemes, 
    as shown in Table 11-6.
    NOTE: SSHv1 is not supported.
    Table 11-6. Cryptography Schemes
    Scheme Type: Scheme
    Asymmetric Cryptography: Diffie-Hellman DSA/DSS 512-1024 (random) bits 
        per NIST specification
    Symmetric Cryptography: AES256-CBC, RIJNDAEL256-CBC, AES192-CBC, 
        RIJNDAEL192-CBC, AES128-CBC, RIJNDAEL128-CBC, BLOWFISH-128-CBC, 
        3DES-192-CBC, ARCFOUR-128
    Message Integrity: HMAC-SHA1-160, HMAC-SHA1-96, HMAC-MD5-128, HMAC-MD5-96
    Authentication: Password
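The local-configuration caveats at the start of this chapter (cfgRacTuneLocalConfigDisable can only be reset out-of-band once set) and the SSH properties above (cfgSerialSshEnable, cfgRacTuneSshPort, cfgSsnMgtSshIdleTimeout, with the 60 to 1920 second idle-timeout range and the 0-disables-it rule from Table 11-9) are the settings an operator would want to review on every DRAC 5 in a fleet. The following is an added example, not Dell's code: it parses constructed sample output of the kind `racadm getconfig` returns and reports settings that leave sessions open indefinitely or that remove the local recovery path. The object=value line layout, the '#' comment convention and the sample values are assumptions made for this example; only the object names come from the manual.

```python
import re

# Constructed sample of racadm getconfig output for the objects this page names.
# The object=value line layout (with '#' marking comments or read-only objects)
# is an assumption about racadm's output, not something the manual states.
SAMPLE_GETCONFIG = """\
cfgRacTuneLocalConfigDisable=0
cfgRacTuneSshPort=22
cfgSerialSshEnable=1
cfgSsnMgtSshIdleTimeout=300
"""

# Same objects with settings a reviewer would question (also constructed).
WEAK_GETCONFIG = """\
cfgRacTuneLocalConfigDisable=1
cfgRacTuneSshPort=22
cfgSerialSshEnable=0
cfgSsnMgtSshIdleTimeout=0
"""

# Idle-timeout range documented in Table 11-9; 0 switches the timeout off.
SSH_TIMEOUT_MIN, SSH_TIMEOUT_MAX = 60, 1920

_OBJECT_LINE = re.compile(r"^\s*([A-Za-z0-9]+)\s*=\s*(.*?)\s*$")


def parse_getconfig(text):
    """Map object names to their values; blank lines and '#' lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _OBJECT_LINE.match(line)
        if match:
            cfg[match.group(1)] = match.group(2)
    return cfg


def audit_drac_config(cfg):
    """Return (level, message) findings; an empty list means nothing to report."""
    findings = []
    if cfg.get("cfgSerialSshEnable") != "1":
        findings.append(("warn", "SSH is disabled (cfgSerialSshEnable is not 1)"))
    port = cfg.get("cfgRacTuneSshPort", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(("warn", f"cfgRacTuneSshPort is not a valid TCP port: {port!r}"))
    timeout = cfg.get("cfgSsnMgtSshIdleTimeout", "")
    if not timeout.isdigit():
        findings.append(("warn", f"cfgSsnMgtSshIdleTimeout is not numeric: {timeout!r}"))
    elif int(timeout) == 0:
        findings.append(("warn", "SSH idle timeout is 0, so idle sessions never expire"))
    elif not SSH_TIMEOUT_MIN <= int(timeout) <= SSH_TIMEOUT_MAX:
        findings.append(("warn", f"cfgSsnMgtSshIdleTimeout={timeout} is outside the documented 60-1920 s range"))
    if cfg.get("cfgRacTuneLocalConfigDisable") == "1":
        findings.append(("info", "local racadm configuration is disabled; it can only be reset from "
                                 "the out-of-band DRAC 5 GUI or CLI, so keep a working remote login path"))
    return findings


if __name__ == "__main__":
    for label, text in (("baseline", SAMPLE_GETCONFIG), ("weak", WEAK_GETCONFIG)):
        print(label)
        for level, message in audit_drac_config(parse_getconfig(text)):
            print(f"  [{level}] {message}")
```

The local-configuration check is reported as informational rather than as a fault, because the chapter presents disabling local configuration as a deliberate choice; the point of surfacing it is the caveat that follows from the Active Directory and DHCP scenarios above, namely that a second, independent login path must keep working.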
    Configuring Services
    NOTE: To modify these settings, you must have Configure DRAC 5 permission. 
    Additionally, the remote RACADM command-line utility can only be enabled if the 
    user is logged in as root.
    1. Expand the System tree and click Remote Access. 
    2. Click the Configuration tab and then click Services.
    3. Configure the following services as required:
       - Local Configuration (Table 11-7)
       - Web server (Table 11-8)
       - SSH (Table 11-9)
       - Telnet (Table 11-10)
       - Remote RACADM (Table 11-11)
       - SNMP agent (Table 11-12)
       - Automated System Recovery Agent (Table 11-13)
       Use the Automated System Recovery Agent to enable the Last Crash Screen 
       functionality of the DRAC 5.
       NOTE: Server Administrator must be installed with its Auto Recovery feature 
       activated by setting the Action to either Reboot System, Power Off System, or 
       Power Cycle System for the Last Crash Screen to function in the DRAC 5.
    4. Click Apply Changes.
    5. Click the appropriate Services page button to continue. See Table 11-14.
    Table 11-7. Local Configuration Settings
    Setting: Description
    Disable the DRAC local configuration using option ROM: Disables local 
        configuration of the DRAC 5 using option ROM. The option ROM prompts 
        you to enter the setup module by pressing  during system reboot.
    Disable the DRAC local configuration using RACADM: Disables local 
        configuration of the DRAC 5 using local RACADM.
    Table 11-8. Web Server Settings
    Setting: Description
    Enabled: Enables or disables the Web server. Checked=Enabled; 
        Unchecked=Disabled.
    Max Sessions: The maximum number of simultaneous sessions allowed for this 
        system.
    Active Sessions: The number of current sessions on the system, less than or 
        equal to the Max Sessions.
    Timeout: The time in seconds that a connection is allowed to remain idle. 
        The session is cancelled when the timeout is reached. Changes to the 
        timeout setting do not affect the current session. When you change the 
        timeout setting, you must log out and log in again to make the new 
        setting effective. Timeout range is 60 to 1920 seconds.
    HTTP Port Number: The port on which the DRAC listens for a server 
        connection. The default setting is 80.
    HTTPS Port Number: The port on which the DRAC listens for a server 
        connection. The default setting is 443.
    Table 11-9. SSH Settings
    Setting: Description
    Enabled: Enables or disables SSH. Checked=Enabled; Unchecked=Disabled.
    Max Sessions: The maximum number of simultaneous sessions allowed for this 
        system. Up to four sessions are supported.
    Active Sessions: The number of current sessions on the system, less than or 
        equal to the Max Sessions.
    Timeout: The Secure Shell idle timeout, in seconds. Range = 60 to 1920 
        seconds. Enter 0 seconds to disable the Timeout feature. The default 
        setting is 300.
    Port Number: The port on which the DRAC listens for a server connection. 
        The default setting is 22.