we've just had our quarterly scan of possible security risks. This is automated software than goes round scanning all IP addresses and ports against known risks. This quarter it has picked the iDRAC management on our R710, R620 & R720 servers as having a security risk. Not all of our iDRAC is at the same firmware level, but one of the affected servers (an R720) is at the latest version currently available - version 22.214.171.124
Does anyone have any ideas / top tips?
What you would need to generate a CSR (Certificate Signing Request) for the iDrac. Then you need to get it approved by a CA (Certification Authority). After that then you would load that to the iDrac and it shouldn't report further.
Let me know how it goes.
Here's a guide on CSR's - <ADMIN NOTE: Broken link has been removed from this post by Dell>
I have 12 R710's all with the 1.92 iDRAC6 firmware. Only 6 of my 12 are returning that security issue from a Nessus scan even though all 12 are using the Dell self-signed certificate. I have rescanned them multiple times and always the same results. They are all on the same network with no firewall. So I am almost certain that paying hundred$ for a SSL cert is not the only option to fix this. I also have the issue were 6 of the 12 self signed certs use MD5 and others use SHA1 on identical R710's (not the same 6 as above). I have a feeling it has more to do with the original iDRAC version that the server shipped with, regardless of which version it is currently running. I am going to try re-applying the 1.92 and un-checking the retain settings option. This supposedly will regenerate the SSL certs. Hopefully that will fix it without having to spend a ton of money on un-necessary SSL certs.
I have not tried wiping my config yet since I am remote from the datacenter and would have to manually reconfigure my iDRAC IPs. I did however do an iDRAC reboot on all 6 of my R710s that has the Nessus 61396 warning. I SSH'd into them and ran the "racadm racreset" command. After the iDRAC came back up on all servers I manually rescanned them with Nessus and the 61396 warnings are gone on all of them.