
iDRAC9 Security Configuration Guide


Interfaces and Protocols to Access iDRAC

The following table lists the interfaces to access iDRAC:
Table 1. Interfaces and protocols to access iDRAC
Interface or Protocol Description
iDRAC Settings Utility (F2)

Use the iDRAC Settings utility to perform pre-OS operations. It has a subset of the features that are available in the iDRAC web interface along with other features.

To access the iDRAC Settings utility, press <F2> during boot and then click iDRAC Settings on the System Setup Main Menu page.

Lifecycle Controller (F10)

Use Lifecycle Controller to perform iDRAC configurations. To access Lifecycle Controller, press <F10> during boot and go to System Setup > Advanced Hardware Configuration > iDRAC Settings. For more information, see the Lifecycle Controller User’s Guide available at www.dell.com/idracmanuals.

iDRAC Web Interface

Use the iDRAC web interface to manage iDRAC and monitor the managed system. The browser connects to the web server through the HTTPS port. Data streams are encrypted using 128-bit/168-bit/256-bit TLS/SSL to provide privacy and integrity. Any connection to the HTTP port is redirected to HTTPS if the HTTPS redirect feature is enabled. Administrators can upload their own web server certificate.

RACADM

Use this command-line utility to perform iDRAC and server management. You can use RACADM locally and remotely.

  • Local RACADM command-line interface runs on the managed systems that have Server Administrator installed. Local RACADM communicates with iDRAC through its in-band IPMI host interface. Since it is installed on the local managed system, users are required to log in to the operating system to run this utility. A user must have full administrator privileges or be a root user to use this utility.
  • Remote RACADM is a client utility that runs on a management station. It uses the out-of-band network interface to run RACADM commands on the managed system and uses the HTTPS channel. The –r option runs the RACADM command over a network.
  • Firmware RACADM is accessible by logging in to iDRAC using SSH. You can run the firmware RACADM commands without specifying the iDRAC IP, username, or password.

After you enter the RACADM prompt, you can run the commands directly without the RACADM prefix.

iDRAC RESTful API and Redfish

The Redfish Scalable Platforms Management API is a standard that is defined by the Distributed Management Task Force (DMTF). Redfish is a next-generation systems management interface standard, which enables scalable, secure, and open server management. It is a new interface that uses RESTful interface semantics to access data that is defined in model format to perform out-of-band systems management. It is suitable for a wide range of servers ranging from stand-alone servers to rack mount and bladed environments and for large-scale cloud environments.

Redfish provides the following benefits over existing server management methods:

  • Increased simplicity and usability
  • High data security
  • Programmable interface that can be easily scripted
  • Follows widely used standards

For more information, see the iDRAC Redfish API Guide available at www.dell.com/idracmanuals.

Virtual Console and Virtual Media

Virtual Console provides a mechanism for an iDRAC user to remotely view the host’s console and perform operations such as power cycling, changing the boot order, and attaching virtual media.

WSMan

The LC-Remote Service is based on the WSMan protocol and performs one-to-many systems management tasks.

You must use a WSMan client such as the WinRM client (Windows) or the OpenWSMan client (Linux) to use the LC-Remote Services functionality. You can also use PowerShell or Python to script against the WSMan interface.

Web Services for Management (WSMan) is a Simple Object Access Protocol (SOAP)–based protocol that is used for systems management. iDRAC uses WSMan to convey Distributed Management Task Force (DMTF) Common Information Model (CIM)–based management information. The CIM information defines the semantics and information types that can be modified in a managed system. The data available through WSMan is provided by the iDRAC instrumentation interface that is mapped to the DMTF profiles and extension profiles.

For more information, see the following:

SSH

Use SSH to run RACADM and SMCLP commands. It provides the same capabilities as the Telnet console using an encrypted transport layer for higher security. The SSH service is enabled by default on iDRAC and can be disabled. iDRAC only supports SSH version 2 with the RSA host key algorithm.

  • A unique 1024-bit RSA host key is generated when you power-up iDRAC for the first time.
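
The host key size stated above can be confirmed from a management station. The following Python is an added example, not code from the Dell guide: it parses an `ssh-rsa` public key blob and reports the modulus size. It assumes input lines in the `host ssh-rsa BASE64` form used by known_hosts files; the 2048-bit minimum, the host names, and the sample keys are assumptions constructed for illustration.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # assumed policy floor; not a value from the guide

def _read_string(buf, off):
    """Read one RFC 4251 'string': uint32 big-endian length, then the bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated field body")
    return buf[off + 4:off + 4 + n], off + 4 + n

def rsa_host_key_bits(line):
    """Modulus size in bits for a 'host ssh-rsa BASE64' known_hosts-style line."""
    fields = line.split()
    if len(fields) < 3 or fields[1] != "ssh-rsa":
        raise ValueError("not an ssh-rsa host key line")
    blob = base64.b64decode(fields[2], validate=True)
    alg, off = _read_string(blob, 0)
    if alg != b"ssh-rsa":
        raise ValueError("key type inside blob does not match the line")
    _e, off = _read_string(blob, off)   # public exponent (mpint)
    n, off = _read_string(blob, off)    # modulus (mpint, may start with 0x00)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    return int.from_bytes(n, "big").bit_length()

def audit(line, minimum=MIN_RSA_BITS):
    """Report host, key size and whether it meets the assumed minimum."""
    bits = rsa_host_key_bits(line)
    return {"host": line.split()[0], "bits": bits, "ok": bits >= minimum}

def constructed_line(host, bits):
    """Constructed sample: valid encoding, but the modulus is a fixed bit
    pattern rather than a real RSA key. It only exercises the parser."""
    def mpint(v):
        raw = v.to_bytes(v.bit_length() // 8 + 1, "big")
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

if __name__ == "__main__":
    for sample in (constructed_line("idrac-a.example", 1024),
                   constructed_line("idrac-b.example", 2048)):
        print(audit(sample))
```
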

IPMITool

Use the IPMITool to access the remote system’s basic management features through iDRAC. The interface includes local IPMI, IPMI over LAN, IPMI over Serial, and Serial over LAN. For more information about IPMITool, see the Dell OpenManage Baseboard Management Controller User's Guide available at www.dell.com/idracmanuals.

NOTE: IPMI version 1.5 is not supported.

NTLM

iDRAC allows NTLM to provide authentication, integrity, and confidentiality to the users. NT LAN Manager (NTLM) is a suite of Microsoft security protocols, and it works in a Windows network.

SMB

iDRAC9 supports the Server Message Block (SMB) protocol. This is a network file sharing protocol, and the default minimum SMB version supported is 2.0; SMBv1 is no longer supported.

NFS

iDRAC9 supports Network File System (NFS). This is a distributed file system protocol that enables users to mount remote directories on the servers.

SNMP

iDRAC9 supports Simple Network Management Protocol (SNMP) v1, v2, and v3 for GETs and TRAPs.

