Welcome

Dell Sites

Dell Technologies
Premier Sign In
Partner Program Sign In
Dell Financial Services
Support

Dell Sites

Dell Technologies
Premier Sign In
Partner Program Sign In
Dell Financial Services
Support

My Account
Order Status
Profile Settings
My Products
Make a Payment
Dell Rewards Balance

Sign Out

Welcome to Dell

My Account

Place orders quickly and easily
View orders and track your shipping status
Enjoy members-only rewards and discounts
Create and access a list of your products

US/EN

Cart

Your Dell.com Carts

Products
Solutions
Services
Contact Us

Support Home
Product Support
Manuals

iDRAC10 Security Configuration Guide

Notes, cautions, and warnings
Overview
Built in iDRAC and PowerEdge Security
- Silicon-based Root-of-Trust
- Cryptographically Verified Trusted Booting
- Signed Firmware Updates
- Non-Root Support
- SELinux
- iDRAC Credential Vault
- BIOS Recovery and Hardware Root of Trust (RoT)
- Live Scanning
Securely Configuring iDRAC Web Server
- Webserver Information
- Enabling HTTPS Redirection
- Configuring the TLS Protocol
- Configuring Encryption Strength
- Configuring Cipher Suite Selection
  - Remote Syslog with TLS
- Setting Cipher Suite Selection using the iDRAC GUI
Secure Connection Using TLS/SSL Certificate
- Secure Connection Using TLS/SSL Certificate
Automatic Certificate Enrollment
Secure Shell (SSH)
- SSH Cryptography Configuration
- Supported SSH Cryptography Schemes
- Using Public Key Authentication for SSH
- Disable SSH in iDRAC
Network Security Configuration
- Dedicated NIC and Shared LOM
- OS to iDRAC Pass-through
- VLAN Usage
- IP Blocking
- IP Range Filtering
- Auto-Discovery
- Auto Config
- iDRAC USB Interfaces
- Configuring iDRAC Direct USB Connection Using the Webserver
Interfaces and Protocols to Access iDRAC
iDRAC Port Configuration
- Security Recommendations for Interfaces, Protocols, and Services
- Disabling IPMI over LAN using Web Interface
- Disabling Serial Over LAN using Web Interface
- Configuring Services using Web Interface
IPMI and SNMP Security Best Practices
- SNMP Security Best Practices
- IPMI Security Best Practices
- Secure NTP
- Redfish Session Login Authentication
Secure Enterprise Key Manager (SEKM) Security
- Create or Change SEKM Security Keys
Virtual Console and Virtual Media Security
VNC Security
- Setting up VNC Viewer with SSL Encryption
User Configuration and Access Control
- Configuring Local Users
- Disabling Access to Modify iDRAC Configuration Settings on Host System
- iDRAC User Roles and Privileges
  - Creating user roles
- Recommended Characters in Usernames and Passwords
- Password Strength Policy
- Secure Default Password
- Changing the Default Login Password using Web Interface
- Force Change of Password (FCP)
- Simple 2-Factor Authentication (Simple 2FA)
- RSA SecurID Two Factor Authentication (2FA) iDRAC10 Datacenter
- Active Directory
- LDAP
- Customizable Security Banner
System Lockdown Mode
Securely Configuring BIOS System Security
Secure Boot Configuration
Securely Erasing Data
Server Inventory, Lifecycle Log, Server Profiles, and Licenses Import and Export
- Configuring Lifecycle Controller Logs Export using Web Interface and HTTPS
- Using HTTPS with a Proxy Securely
Security Events Lifecycle Log
Default Configuration Values
Network Vulnerability Scanning
Security Licensing
Field Service Debug (FSD)
Security Protocol and Data Model
Best Practices
Appendix - References

PDF

Loading, Please wait

Secure NTP

NTP is a protocol that is designed to synchronize the clocks of systems over a network. As part of its secure NTP implementation, iDRAC has added options to upload security keys from external time servers. Secure NTP servers append a hash to the time information packet. The iDRAC compares a locally generated hash for the same data packet with its locally stored key corresponding to that time-server. If the locally computed hash matches the received hash, then the time packet is accepted.

iDRAC secure NTP implementation uses symmetric key approach, since that is the only option that is supported as per the government agency NIST National Institute of Standards and Technology (NIST). Details can be found on the NIST site. NIST only guarantees time accuracy up to 50 milliseconds according to their documentation.

MD5 and SHA1 are the most commonly used key types, since they meet basic security and provides time accuracy in millisecond level with timeservers within the company infrastructure. In theory, any encryption type that is supported by openssl can be used for symmetric keys, but higher encryption can result in high CPU usage and high latency in processing the time data.

Secure NTP Configuration

iDRAC group and property name to enable NTP is NTPConfigGroup.NTPEnable. When this property is set to Enabled, iDRAC uses the properties NTP1, NTP2, NTP3 to set up to three timeserver FQDN or IP addresses (IPv4 or IPv6).

The new additions in iDRAC NTPConfigGroup to support secure NTP are:

NTP1SecurityType
NTP1SecurityKeyNumber
NTP1SecurityKey
NTP2SecurityType
NTP2SecurityKeyNumber
NTP2SecurityKey
NTP3SecurityType
NTP3SecurityKeyNumber
NTP3SecurityKey

SecurityType is an enumeration with options Disabled, MD5, SHA1. Higher encryption options could be supported in the future.
SecurityKeyNumber is a number between 1 to 65534. It should be the same key number that is used in the NTP server corresponding to the selected key.
SecurityKey is the key that is configured in the NTP server corresponding to the SecurityKeyNumber.

The key number, type and key value should match in the NTP server and iDRAC, for secure NTP to work.

The NTP configuration has a limitation that the key numbers must be unique. Hence NTP1SecurityKeyNumber, NTP2SecurityKeyNumber and NTP3SecurityKeyNumber should be different values. This limitation comes from open-source ntpd code usage on iDRAC, even though in theory, different NTP servers could issue the same key number. If the same key number is repeated in a configuration, the second instance of the key number is ignored.

Even though iDRAC can support up to three secure NTP server addresses, the guidance is to use only one secure NTP server and leave the other two entries as nonpopulated for best iDRAC performance. It is a common practice to use multiple timeservers when using plain unencrypted NTP, however the present secure NTP installations mostly use a single secure NTP server.

iDRAC allows mixing secure and unsecure NTP servers in the configuration. However, this is not advised, since unencrypted NTP packets always become the primary NTP source, with the current ntpd implementation.

For security reasons, the SecurityKey attribute is write only. If SecurityType is set to Disabled (default setting), the corresponding key entry is ignored.

Example showing RACADM script to set security configuration in NTP group:

racadm set idrac.ntpconfiggroup.NTPEnable 1

racadm set idrac.ntpconfiggroup.ntp1 100.64.25.20

racadm set idrac.ntpconfiggroup.NTP1SecurityKey calvin

racadm set idrac.ntpconfiggroup.NTP1SecurityType 1

racadm set idrac.ntpconfiggroup.NTP1SecurityKeyNumber 65

racadm set idrac.ntpconfiggroup.ntp2 100.64.24.202

racadm set idrac.ntpconfiggroup.NTP2SecurityKey da39a3ee5e6b4b0d3255bfef95601890afd80709

racadm set idrac.ntpconfiggroup.NTP2SecurityType 2

racadm set idrac.ntpconfiggroup.NTP2SecurityKeyNumber 17

racadm set idrac.ntpconfiggroup.ntp3 100.64.24.26

racadm set idrac.ntpconfiggroup.NTP3SecurityKey carlos

racadm set idrac.ntpconfiggroup.NTP3SecurityType MD5

racadm set idrac.ntpconfiggroup.NTP3SecurityKeyNumber 13

Example showing RACADM script to disable secure NTP (default configuration in iDRAC)

racadm set idrac.ntpconfiggroup.NTPEnable 0

racadm set idrac.ntpconfiggroup.ntp1 ""

racadm set idrac.ntpconfiggroup.NTP1SecurityKey ""

racadm set idrac.ntpconfiggroup.NTP1SecurityType 0

racadm set idrac.ntpconfiggroup.NTP1SecurityKeyNumber 1

racadm set idrac.ntpconfiggroup.ntp2 ""

racadm set idrac.ntpconfiggroup.NTP2SecurityKey ""

racadm set idrac.ntpconfiggroup.NTP2SecurityType 0

racadm set idrac.ntpconfiggroup.NTP2SecurityKeyNumber 1

racadm set idrac.ntpconfiggroup.ntp3 ""

racadm set idrac.ntpconfiggroup.NTP3SecurityKey ""

racadm set idrac.ntpconfiggroup.NTP3SecurityType 0

racadm set idrac.ntpconfiggroup.NTP3SecurityKeyNumber 1

Data is not available for the Topic

Rate this content

All fields are required unless marked otherwise.

Accurate

not accurate

somewhat accurate

mostly accurate

accurate

very accurate

Useful

not useful

somewhat useful

mostly useful

useful

very useful

Easy to understand

not easy

somewhat easy

mostly easy

easy

very-easy

Was this article helpful?

Yes

Send us feedback (Optional)

0/3000 characters

Comments cannot contain these special characters: <>()\

Sorry, our feedback system is currently down. Please try again later.

Thank you for your feedback.

Please provide ratings (1-5 stars).

Please select whether the article was helpful or not.

Comments cannot contain these special characters: <>()\

US/EN

Site Map

Account

My Account
Order Status
Profile Settings
My Products
Make a Payment
Dell Rewards Balance

Support

Support Home
Contact Technical Support
Returns

Connect with Us

Community
Contact Us
X (Twitter)
LinkedIn
Instagram
YouTube

Site Map

US/EN

Our Offerings

Artificial Intelligence
Products
Solutions
Services
Deals

Our Company

Who We Are
Careers
Dell Technologies Capital
Investors
Newsroom
Recycling
Corporate Impact
Customer Stories

Our Partners

Find a Partner
Find a Reseller
OEM Solutions
Partner Program

Resources

Blog
Dell Rewards
Events
Email Sign-Up
Specialty Product Collections
Privacy Center
Security & Trust Center
Trial Software Downloads

Dell Technologies
Dell Premier for Business
Dell Financial Services

Terms of Sale
Privacy Statement
My Privacy Choices
Cookies, Ads & Emails
Legal & Regulatory
Accessibility
Anti-Slavery, Human Trafficking & Child Labor