Encryption settings, Connecting to the ilo 2 using aes/3des encryption – HP Integrated Lights-Out 2 User Manual
Page 54
iLO 2 also provides enhanced encryption through the SSH port for secure CLP transactions. iLO 2
supports AES128-CBC and 3DES-CBC cipher strengths through the SSH port.
If enabled, iLO 2 enforces the usage of these enhanced ciphers (both AES and 3DES) over the
secure channels, including secure HTTP transmissions through the browser, SSH port, and XML
port. When AES/3DES encryption is enabled, you must use a cipher strength equal to or greater
than AES/3DES to connect to iLO 2 through these secure channels. Communications and connections
over less secure channels (such as the Telnet port) are not affected by the AES/3DES encryption
enforcement setting.
By default, remote console data uses 128-bit RC4 bi-directional encryption. The CPQLOCFG utility
uses a 168-bit Triple DES with RSA and a SHA1 MAC cipher to securely send RIBCL scripts to iLO
2 over the network.
Encryption settings
You can view or modify the current encryption settings using the iLO 2 interface, CLP, or RIBCL.
To view or modify current encryption settings using the iLO 2 interface:
1.
Click Administration>Security>Encryption.
The Encryption page appears, displaying the current encryption settings for iLO 2. Both the
current negotiated cipher and the encryption enforcement settings appear on this page.
•
Current Negotiated Cipher displays the cipher in use for the current browser session.
After logging in to iLO 2 through the browser, the browser and iLO 2 negotiate a cipher
setting to use during the session. The Encryption page Current Negotiated Cipher section
displays the negotiated cipher.
Encryption Enforcement Settings displays the current encryption settings for iLO 2. Enforce
AES/3DES Encryption (if enabled) enables iLO 2 to only accept connections through the
browser and SSH interface that meet the minimum cipher strength. A cipher strength of
at least AES or 3DES must be used to connect to iLO 2 if this setting is enabled. Enforce
AES/3DES Encryption can be enabled or disabled.
2.
To save changes, click Apply.
When changing the Enforcement setting to Enable, close all open browsers after clicking
Apply. Any browsers that remain open might continue to use a non-AES/3DES cipher.
To view or modify current encryption settings through the CLP or RIBCL, see the HP Integrated
Lights-Out Management Processor Scripting and Command Line Resource Guide at
.
Connecting to the iLO 2 using AES/3DES encryption
After enabling the Enforce AES/3DES Encryption setting, iLO 2 requires you to connect through
secure channels (web browser, SSH, or XML port) using a cipher strength of at least AES or 3DES.
To connect to iLO 2 through a browser, the browser must be configured with a cipher strength of
at least AES or 3DES. If the web browser is not using AES or 3DES ciphers, iLO 2 displays an
error message informing you to close the current connection and select the correct cipher.
See your browser documentation to select a cipher strength of at least AES or 3DES. Different
browsers use different methods of selecting a negotiated cipher. You must log out of iLO 2 through
the current browser before changing the browser cipher strength. Any changes made to the browser
cipher setting while logged in to iLO 2 might enable the browser to continue using a non-AES/3DES
cipher.
All client operating systems and browsers supported by iLO 2, support the iLO 2 AES/3DES
Encryption feature except when using Windows 2000 Professional with Internet Explorer. By
default, Windows 2000 Professional does not support AES or 3DES ciphers. If a client uses
Windows 2000 Professional, you must use another browser, or update the operating system.
54
Configuring iLO 2