Welcome

Dell Sites

Dell Technologies
Premier Sign In
Partner Program Sign In
Support

Dell Sites

Dell Technologies
Premier Sign In
Partner Program Sign In
Support

Sign Out

Welcome to Dell

My Account

Place orders quickly and easily
View orders and track your shipping status
Create and access a list of your products
Manage your Dell EMC sites, products, and product-level contacts using Company Administration.

TH/EN

Products
Solutions
Services
Contact Us

Support
Product Support
Manuals

iDRAC9 Security Configuration Guide

Notes, cautions, and warnings
Overview
Built in iDRAC and PowerEdge Security
- Silicon-based Root-of-Trust
- Cryptographically Verified Trusted Booting
- SELinux
- Signed Firmware Updates
- Non-Root Support
- iDRAC Credential Vault
- BIOS Recovery and Hardware Root of Trust (RoT)
- Live Scanning
Securely Configuring iDRAC Web Server
- Webserver Information
- Enabling HTTPS Redirection
- Configuring TLS Protocol
- Configuring Encryption Strength
- Configuring Cipher Suite Selection
- Setting Cipher Suite Selection using the iDRAC GUI
Securely Using TLS/SSL Certificate
- Remote Syslog with TLS
Federal Information Processing Standards (FIPS)
- Enabling FIPS Mode using iDRAC Web Interface
Secure Shell (SSH)
- SSH Cryptography Configuration
- Supported SSH Cryptography Schemes
- Using Public Key Authentication for SSH
Network Security Configuration
- Dedicated NIC and Shared LOM
- OS to iDRAC Pass-through
- VLAN Usage
- IP Blocking
- IP Range Filtering
- Auto-discovery
- Auto Config
- iDRAC USB Interfaces
- Configuring iDRAC Direct USB Connection Using the Webserver
Interfaces and Protocols to Access iDRAC
iDRAC Port Configuration
- Security Recommendations for Interfaces, Protocols, and Services
- Disabling IPMI over LAN using Web Interface
- Disabling Serial Over LAN using Web Interface
- Configuring Services using Web Interface
IPMI and SNMP Security Best Practices
- SNMP Security Best Practices:
- IPMI Security Best Practices:
- Secure NTP
- Redfish Session Login Authentication
Secure Enterprise Key Manager (SEKM) Security
- Create or Change SEKM Security Keys
iDRAC9 Group Manager
- Group Manager Enable/Disable
- Group Manager Single Sign-On
- Group Manager Networking
- Group Manager Security Best Practices
Virtual Console and Virtual Media Security
- Java vConsole Security
VNC Security
- Setting up VNC Viewer with SSL Encryption
User Configuration and Access Control
- Configuring Local Users
- Disabling Access to Modify iDRAC Configuration Settings on Host System
- iDRAC User Roles and Privileges
- Superroot User
- Recommended Characters in Usernames and Passwords
- Password Strength Policy
- Secure Default Password
- Changing the Default Login Password using Web Interface
- Force Change of Password (FCP)
- Simple 2-Factor Authentication (Simple 2FA)
- RSA SecurID Two Factor Authentication (2FA) iDRAC9 Datacenter
- Active Directory
- LDAP
- Customizable Security Banner
System Lockdown Mode
Securely Configuring BIOS System Security
Secure Boot Configuration
Securely Erasing Data
LCD Panel
Server Inventory, Lifecycle Log, Server Profiles, and Licenses Import and Export
- Configuring Lifecycle Controller Logs Export using Web Interface and HTTPS
- Using HTTPS with a Proxy Securely
Security Events Lifecycle Log
Default Configuration Values
Network Vulnerability Scanning
Security Licensing
Field Service Debug (FSD)
Best Practices
Appendix - White papers

PDF

Loading, Please wait

Secure Enterprise Key Manager (SEKM) Security

The OpenManage SEKM enables you to use an external Key Management Server (KMS) to manage keys that can then be used by iDRAC to lock and unlock storage devices on a Dell PowerEdge server. iDRAC requests the KMS to create a key for each storage controller, and then fetches and provides that key to the storage controller on every host boot so that the storage controller can then unlock the SEDs. The advantages of using SEKM over Local Key Management (LKM) are:

In addition to the LKM–supported “Theft of an SED” use case, SEKM protects from a “Theft of a server” use case. Because the keys used to lock and unlock the SEDs are not stored on the server, attackers cannot access data even if they steal a server.
Centralized key management at the external Key Management Server.
SEKM supports the industry standard OASIS KMIP protocol thus enabling use of any external third-party KMIP server.

For more information, see Enable OpenManage Secure Enterprise Key Manager (SEKM) on Dell PowerEdge Servers

You can configure SEKM from iDRAC Settings page. Click iDRAC Settings > Services > SEKM Configuration.

NOTE:When Security (Encryption) mode is changed from None to SEKM, Real-Time job is not available. But it is added to Staged job list. However, Real-Time job is successful when the mode is changed from SEKM to None.

Verify the following when changing the value of the Username Field in Client Certificate section on the KeySecure server (for ex: Changing the value from Common Name (CN) to User ID (UID))

While using an existing account:
- Verify in the iDRAC TLS/SSL certificate that instead of the Common Name field, the Username field now matches the existing username on the KMS. If they do not, then you must set the username field and regenerate the TLS/SSL certificate again, get it signed on the KMS, and reupload to iDRAC.
While using a new user account:
- Ensure the Username string matches the username field in the iDRAC TLS/SSL certificate.
- If they do not match, then you must reconfigure the iDRAC KMS attributes Username and Password.
- Once the certificate is verified to contain the username, then the only change that must be made is to change the key ownership from the old user to the new user to match the newly created KMS username.

While using Vormetric Data Security Manager as KMS, ensure that the Common Name (CN) field in iDRAC TLS/SSL certificate matches with the hostname added to Vormetric Data Security Manager. Otherwise, the certificate may not import successfully.

NOTE:Rekey option is disabled when racadm sekm getstatus reports as Failed.

NOTE:SEKM only supports Common name, User ID, or Organization Unit for Username field under Client certificate.

NOTE:If you are using a third-party CA to sign the iDRAC CSR, ensure that the third-party CA supports the value UID for Username field in Client certificate. If it is not supported, use Common Name as the value for Username field.

NOTE:If you are using Username and Password fields, ensure that KMS server supports those attributes.

Data is not available for the Topic

Rate this content

All fields are required unless marked otherwise.

Accurate

not accurate

somewhat accurate

mostly accurate

accurate

very accurate

Useful

not useful

somewhat useful

mostly useful

useful

very useful

Easy to understand

not easy

somewhat easy

mostly easy

easy

very-easy

Was this article helpful?

Yes

Send us feedback (Optional)

0/3000 characters

Comments cannot contain these special characters: <>()\

Sorry, our feedback system is currently down. Please try again later.

Thank you for your feedback.

Please provide ratings (1-5 stars).

Please select whether the article was helpful or not.

Comments cannot contain these special characters: <>()\

TH/EN

Site Map

Support

Support Home
Contact Technical Support

Connect with Us

Community
Contact Us

Site Map

TH/EN

Our Offerings

APEX
Products
Solutions
Services

Our Company

Who We Are
Careers
Dell Technologies Capital
Investors
Newsroom
Perspectives
Recycling
ESG & Impact
Customer Stories

Our Partners

Find a Partner
OEM Solutions
Partner Program

Resources

Blog
Events
Privacy Centre
Resource Library
Security & Trust Centre
Trial Software Downloads

Dell Technologies
Dell Premier

Terms of Sale
Privacy Statement
Legal & Regulatory
Accessibility