- Notes, cautions, and warnings
- Overview
- Built in iDRAC and PowerEdge Security
- Securely Configuring iDRAC Web Server
- Securely Using TLS/SSL Certificate
- Federal Information Processing Standards (FIPS)
- Secure Shell (SSH)
- Network Security Configuration
- Interfaces and Protocols to Access iDRAC
- iDRAC Port Configuration
- IPMI and SNMP Security Best Practices
- Secure Enterprise Key Manager (SEKM) Security
- iDRAC9 Group Manager
- Virtual Console and Virtual Media Security
- VNC Security
- User Configuration and Access Control
- Configuring Local Users
- Disabling Access to Modify iDRAC Configuration Settings on Host System
- iDRAC User Roles and Privileges
- Superroot User
- Recommended Characters in Usernames and Passwords
- Password Strength Policy
- Secure Default Password
- Changing the Default Login Password using Web Interface
- Force Change of Password (FCP)
- Simple 2-Factor Authentication (Simple 2FA)
- RSA SecurID Two Factor Authentication (2FA) iDRAC9 Datacenter
- Active Directory
- LDAP
- Customizable Security Banner
- System Lockdown Mode
- Securely Configuring BIOS System Security
- Secure Boot Configuration
- Securely Erasing Data
- LCD Panel
- Server Inventory, Lifecycle Log, Server Profiles, and Licenses Import and Export
- Security Events Lifecycle Log
- Default Configuration Values
- Network Vulnerability Scanning
- Security Licensing
- Field Service Debug (FSD)
- Best Practices
- Appendix - White papers
iDRAC9 Security Configuration Guide
Using HTTPS with a Proxy Securely
When using HTTPS with a proxy, the connection between the iDRAC and the proxy is not as secure as the connection between the iDRAC and the HTTPS server. The connection between the iDRAC and the HTTPS server is encrypted, and credentials that are used to log in to the server (if any) are carried over the encrypted connection. The connection between the iDRAC and the proxy is not encrypted. The credentials used to log in to the proxy (if any) are transferred before the encrypted connection is started. Because of this the credentials that are used to log in to the proxy should not be the same credentials that are used to log in to the server. That way if the proxy credentials are compromised it means the HTTPS server credentials are also not compromised.
The following attributes are also used in interfaces other than the LC-UI. Attributes are available to allow values to be set when an interface is not able to set them itself. One set of these is for proxy settings.
LifeCycleController.LCAttributes.UserProxyPassword
LifeCycleController.LCAttributes.UserProxyPort
LifeCycleController.LCAttributes.UserProxyServer
LifeCycleController.LCAttributes.UserProxyType
LifeCycleController.LCAttributes.UserProxyUserName
These attributes are used with both HTTP and HTTPS.
The UserProxyServer is an important attribute. If it is not set, then the other attributes cannot be used, and the behavior is as if none of them are set.
The LifeCycleController.LCAttributes.IgnoreCertWarning attribute is used only with HTTPS. If set to "On" then certificate warnings are ignored. This is another way of saying HTTPS server certificate validation is not going to be done. It recommended from a security perspective to set this configuration to “Off” so that certificate validation is performed as part of the HTTPS communication.
Security recommendations if a proxy is required:
- Set IgnoreCertWarning to “Off”
- If proxy credentials are used, they should be different than the remote HTTPS server
- HTTP Proxy or socks4
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\