Modifying the AES/DES encryption setting, Connecting to iLO by using AES or 3DES encryption, Enabling FIPS Mode – HP Integrated Lights-Out 4 User Manual


The Encryption Settings page displays the current encryption settings for iLO.

Current Negotiated Cipher—The cipher in use for the current browser session. After you log
in to iLO through the browser, the browser and iLO negotiate a cipher setting to use during
the session.

Encryption Enforcement Settings—The current encryption settings for iLO:

FIPS Mode—Indicates whether FIPS Mode is enabled or disabled for this iLO system.

Enforce AES/3DES Encryption—Indicates whether AES/3DES encryption is enforced for
this iLO.

When enabled, iLO accepts only those connections through the browser and SSH interface
that meet the minimum cipher strength. A cipher strength of at least AES or 3DES must
be used to connect to iLO when this setting is enabled.

Modifying the AES/DES encryption setting

You must have the Configure iLO Settings privilege to change the encryption settings.

To modify the AES/DES encryption setting:
1. Navigate to the Administration→Security→Encryption page, as shown in Figure 34 (page 78).

2. Change the Enforce AES/3DES Encryption setting to Enabled or Disabled.

3. Click Apply to end your browser connection and restart iLO.

   It might take several minutes before you can re-establish a connection.

When changing the Enforce AES/3DES Encryption setting to Enabled, close all open browsers
after clicking Apply. Any browsers that remain open might continue to use a non-AES/3DES
cipher.

Connecting to iLO by using AES or 3DES encryption

After you enable the Enforce AES/3DES Encryption setting, iLO requires that you connect through
secure channels (web browser, SSH connection, or XML channel) by using a cipher strength of at
least AES or 3DES.

Web browser—You must configure the browser with a cipher strength of at least AES or 3DES.
If the browser is not using AES or 3DES ciphers, iLO displays an error message. The error text
varies depending on the installed browser.

Different browsers use different methods for selecting a negotiated cipher. For more information,
see your browser documentation. You must log out of iLO through the current browser before
changing the browser cipher setting. Any changes made to the browser cipher setting while
you are logged in to iLO might enable the browser to continue using a non-AES/3DES cipher.

SSH connection—For instructions on setting the cipher strength, see the SSH utility
documentation.

XML channel—HPQLOCFG uses a secure 3DES cipher by default. For example, HPQLOCFG
displays the following cipher strength in the XML output:

Connecting to Server...
Negotiated cipher: 128–bit Rc4 with 160–bit SHA1 and 2048–bit RsaKeyx
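
The following is an added example, not part of the HP manual or of HPQLOCFG: it parses a "Negotiated cipher" line in the format shown above and reports whether the named cipher meets the AES/3DES minimum. The accepted cipher names, the reading of the third field as the key exchange, and the second sample line are assumptions.

```python
import re

# Line format taken from the HPQLOCFG output quoted above. The manual prints
# the hyphen in "128-bit" as an en dash, so both characters are accepted.
CIPHER_LINE = re.compile(
    r"Negotiated cipher:\s*(\d+)[-\u2013]bit\s+(\S+)\s+with\s+"
    r"(\d+)[-\u2013]bit\s+(\S+)\s+and\s+(\d+)[-\u2013]bit\s+(\S+)",
    re.IGNORECASE,
)

# Assumption: cipher-name spellings treated as "at least AES or 3DES".
STRONG_PREFIXES = ("aes", "3des", "tripledes")


def parse_negotiated_cipher(text):
    """Return the fields of the first 'Negotiated cipher' line, or None."""
    m = CIPHER_LINE.search(text)
    if m is None:
        return None
    bits, cipher, mac_bits, mac, kx_bits, kx = m.groups()
    return {
        "cipher": cipher, "cipher_bits": int(bits),
        "mac": mac, "mac_bits": int(mac_bits),
        # Assumption: the third field (e.g. RsaKeyx) is the key exchange.
        "key_exchange": kx, "key_exchange_bits": int(kx_bits),
    }


def meets_aes_3des_minimum(text):
    """True only if a cipher line is present and names AES or 3DES."""
    info = parse_negotiated_cipher(text)
    if info is None:
        return False  # no cipher line found: treat the session as unverified
    return info["cipher"].lower().startswith(STRONG_PREFIXES)


if __name__ == "__main__":
    # First sample is the line from the manual; the second is constructed.
    manual = ("Connecting to Server...\nNegotiated cipher: 128\u2013bit Rc4 "
              "with 160\u2013bit SHA1 and 2048\u2013bit RsaKeyx")
    constructed = ("Connecting to Server...\nNegotiated cipher: 256-bit Aes "
                   "with 160-bit SHA1 and 2048-bit RsaKeyx")
    for label, out in (("manual", manual), ("constructed", constructed)):
        print(label, parse_negotiated_cipher(out), meets_aes_3des_minimum(out))
```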

Enabling FIPS Mode

You must have the Configure iLO Settings privilege to change the encryption settings.

To enable FIPS Mode for iLO:
1. Optional: Capture the current iLO configuration by using HPONCFG.

   For more information, see the HP iLO 4 Scripting and Command Line Guide.
