Encryption settings – HP Integrated Lights-Out User Manual

Configuring iLO 2
transmitted across the network. iLO 2 provides support for two of the strongest available cipher strengths:
the Advanced Encryption Standard (AES) and the Triple Data Encryption Standard (3DES). iLO 2 supports
the following cipher strengths:
• 256-bit AES with RSA, DHE and a SHA1 MAC
• 256-bit AES with RSA and a SHA1 MAC
• 128-bit AES with RSA, DHE and a SHA1 MAC
• 128-bit AES with RSA and a SHA1 MAC
• 168-bit Triple DES with RSA and a SHA1 MAC
• 168-bit Triple DES with RSA, DHE and a SHA1 MAC
iLO 2 also provides enhanced encryption through the SSH port for secure CLP transactions. iLO 2
supports AES128-CBC and 3DES-CBC cipher strengths through the SSH port.
If enabled, iLO 2 enforces the usage of these enhanced ciphers (both AES and 3DES) over the secure
channels, including secure HTTP transmissions through the browser, SSH port, and XML port. When
AES/3DES encryption is enabled, you must use a cipher strength equal to or greater than AES/3DES to
connect to iLO 2 through these secure channels. Communications and connections over less secure
channels (such as the telnet port) are not affected by the AES/3DES encryption enforcement setting.
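
The enforcement rule described above can be checked against an inventory of negotiated ciphers. The following is an added example, not code from HP or from this manual. It assumes OpenSSL-style names for the TLS suites listed above and SSH-style names for the SSH ciphers; the channel labels, function names and sample records are constructed for illustration.

```python
# Added example (not HP code). Channel labels and sample records are constructed.
ENFORCED_CHANNELS = {"https", "ssh", "xml"}  # channels the setting covers per the text
STRONG_BULK = {"AES128", "AES256", "3DES"}   # bulk ciphers that satisfy AES/3DES enforcement


def parse_tls_suite(name):
    """Split an OpenSSL-style suite name into (key_exchange, bulk_cipher, mac)."""
    parts = name.upper().split("-")
    mac = parts.pop()                        # trailing token is the MAC, e.g. SHA or MD5
    key_exchange = "RSA"
    if parts[0] in ("DHE", "EDH"):           # ephemeral DH with RSA authentication
        key_exchange, parts = "DHE", parts[2:]
    bulk = "-".join(parts)
    return key_exchange, ("3DES" if bulk == "DES-CBC3" else bulk), mac


def parse_ssh_cipher(name):
    """Map an SSH cipher name such as aes128-cbc to its bulk cipher."""
    return name.upper().split("-")[0]        # AES128, 3DES, ARCFOUR, ...


def verdict(channel, cipher):
    """Return how one session fares if Enforce AES/3DES Encryption is enabled."""
    if channel not in ENFORCED_CHANNELS:
        return "not covered by enforcement"  # e.g. telnet is unaffected by the setting
    bulk = parse_ssh_cipher(cipher) if channel == "ssh" else parse_tls_suite(cipher)[1]
    return "accepted" if bulk in STRONG_BULK else "rejected"


def audit(sessions):
    """Classify every (channel, cipher) record in the inventory."""
    return [(ch, c, verdict(ch, c)) for ch, c in sessions]


# Constructed sample: ciphers that clients would negotiate on each channel.
SAMPLE = [
    ("https", "DHE-RSA-AES256-SHA"),
    ("https", "RC4-MD5"),
    ("xml", "DES-CBC3-SHA"),
    ("ssh", "aes128-cbc"),
    ("ssh", "arcfour"),
    ("telnet", None),
]

if __name__ == "__main__":
    for channel, cipher, result in audit(SAMPLE):
        print(f"{channel:7} {str(cipher):20} {result}")
```

Sessions reported as "not covered by enforcement" are the ones to review separately, since the setting does nothing for them.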
By default, remote console data uses 128-bit RC4 bi-directional encryption. The CPQLOCFG utility uses a
168-bit Triple DES with RSA and a SHA1 MAC cipher to securely send RIBCL scripts to iLO 2 over the
network.
Encryption settings
You can view or modify the current encryption settings using the iLO 2 interface, CLP, or RIBCL.
To view or modify current encryption settings using the iLO 2 interface:
1. Click Administration>Security>Encryption.
   The Encryption page appears, displaying the current encryption settings for iLO 2. Both the current
   negotiated cipher and the encryption enforcement settings appear on this page.
   o Current Negotiated Cipher displays the cipher in use for the current browser session. After
     logging into iLO 2 through the browser, the browser and iLO 2 negotiate a cipher setting to use
     during the session. The Encryption page Current Negotiated Cipher section displays the
     negotiated cipher.
   o Encryption Enforcement Settings displays the current encryption settings for iLO 2. Enforce
     AES/3DES Encryption (if enabled) enables iLO 2 to only accept connections through the browser
     and SSH interface that meet the minimum cipher strength. A cipher strength of at least AES or
     3DES must be used to connect to iLO 2 if this setting is enabled. Enforce AES/3DES Encryption
     can be enabled or disabled.
2. To save changes, click Apply.
   When changing the Enforcement setting to Enable, close all open browsers after clicking Apply. Any
   browsers that remain open might continue to use a non-AES/3DES cipher.
To view or modify current encryption settings through the CLP or RIBCL, see the HP Integrated Lights-Out
Management Processor Scripting and Command Line Resource Guide.