
iDRAC9 Security Configuration Guide

Securely Using TLS/SSL Certificate

The iDRAC web server uses a TLS/SSL certificate to establish and maintain secure communications with remote clients. Web browsers and command-line utilities, such as RACADM and WS-Man, use this TLS/SSL certificate for server authentication and establishing an encrypted connection.

There are several options available to secure the network connection using a TLS/SSL certificate. iDRAC’s web server has a self-signed TLS/SSL certificate by default. The self-signed certificate can be replaced with a custom certificate, a custom signing certificate, or a certificate signed by a well-known Certificate Authority (CA). Whichever method is chosen, once iDRAC is configured and the TLS/SSL certificate is installed on the management stations, TLS/SSL enabled clients can access iDRAC securely and without certificate warnings.

For more information, see the white paper - Managing Web Server Certificates on iDRAC.

Certificate upload can be automated by using Redfish (ImportSSLCertificate action) or RACADM (sslcertupload command) scripts. For details, refer to:

Table 1. TLS/SSL Certificate Analysis
Certificate Description Advantages Disadvantages

Self-Signed TLS/SSL Certificate

Description: This certificate is auto generated and self-signed by the iDRAC. Each iDRAC has a unique self-signed certificate by default.

Advantages:
  • Do not have to maintain a Certificate Authority.
  • Certificates are auto generated by the iDRAC.

Disadvantages:
  • The certificate for each iDRAC must be added to the trusted certificates store on each management station. (Every iDRAC is its own Certificate Authority which must be trusted.)

CA Signed TLS/SSL Certificate with common Public/Private key pair

Description: A certificate signing request (CSR) is generated and submitted to your in-house Certificate Authority or to a third-party Certificate Authority such as VeriSign, Thawte, Go Daddy, etc. for signing.

Advantages:
  • Can use a commercial Certificate Authority.
  • If a commercial CA is used, it is likely to be already trusted on your management stations and can be trusted for all iDRACs.

Disadvantages:
  • Must either purchase commercial certificates or maintain your own Certificate Authority.
  • Each iDRAC has the same public/private key pair unless the user can manage multiple key pairs.

CA Signed TLS/SSL Certificate

Description: A certificate signing request (CSR) is generated by iDRAC and submitted to your in-house Certificate Authority or to a third-party Certificate Authority such as VeriSign, Thawte, Go Daddy, etc. for signing.

Advantages:
  • Can use a commercial Certificate Authority.
  • Only one Certificate Authority must be trusted for all iDRACs. If a commercial CA is used, it is likely to be already trusted on your management stations.
  • Each iDRAC has a unique public/private key.

Disadvantages:
  • Must either purchase commercial certificates or maintain your own Certificate Authority.
  • A CSR must be generated and submitted for every iDRAC.

Custom Signing TLS/SSL Certificate (CSC)

Description: The certificate is auto generated and signed using a signing certificate that is uploaded from your in-house Certificate Authority.

Advantages:
  • Only one Certificate Authority must be trusted for all iDRACs. It is possible your in-house Certificate Authority is already trusted on your management stations.
  • Certificates are auto generated by the iDRAC.

Disadvantages:
  • Must maintain your own Certificate Authority.

Refer to the white paper on Managing Web Server Certificates on iDRAC: https://downloads.dell.com/solutions/general-solution-resources/White%20Papers/Managing%20Web%20Server%20Certificates%20on%20iDRAC.pdf
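
The trade-offs in Table 1 can be checked across a fleet. The Python below is an added example, not code from the Dell guide: it reads the issuer, subject and public key out of each iDRAC web server certificate and flags certificates that are still self-signed and iDRACs that present the same key pair. The function names, host names and the constructed DER samples are assumptions made for illustration.

```python
import hashlib

def read_tlv(der, pos):
    """Parse one DER element at pos; return (tag, value_start, end)."""
    tag, size, start = der[pos], der[pos + 1], pos + 2
    if size & 0x80:                           # long-form length
        n = size & 0x7F
        size, start = int.from_bytes(der[start:start + n], "big"), start + n
    return tag, start, start + size

def cert_identity(der):
    """Return (issuer DER, subject DER, SHA-256 of SubjectPublicKeyInfo)."""
    _, pos, _ = read_tlv(der, 0)              # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(der, pos)      # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:                       # skip the optional [0] version
            fields.append(der[pos:end])
        pos = end
    # fields: serial, sigAlg, issuer, validity, subject, SPKI, ...
    return fields[2], fields[4], hashlib.sha256(fields[5]).hexdigest()

def audit_fleet(certs):
    """{host: DER} -> {host: [findings]}; issuer == subject is a heuristic."""
    findings, by_key = {}, {}
    for host, der in certs.items():
        issuer, subject, key_id = cert_identity(der)
        findings[host] = ["self-signed"] if issuer == subject else []
        by_key.setdefault(key_id, []).append(host)
    for hosts in by_key.values():
        if len(hosts) > 1:                    # same key pair on several iDRACs
            for host in hosts:
                findings[host].append("shared-key")
    return findings

# Constructed sample input: structural DER only, not real signed certificates.
def make_tlv(tag, body):                      # short-form lengths (< 128 bytes)
    return bytes([tag, len(body)]) + body

def sample_cert(issuer, subject, key):
    name = lambda cn: make_tlv(0x30, make_tlv(0x0C, cn.encode()))
    tbs = (make_tlv(0xA0, b"\x02\x01\x02") + make_tlv(0x02, b"\x01") + make_tlv(0x30, b"")
           + name(issuer) + make_tlv(0x30, b"") + name(subject)
           + make_tlv(0x30, make_tlv(0x03, b"\x00" + key)))
    return make_tlv(0x30, make_tlv(0x30, tbs) + make_tlv(0x30, b"") + make_tlv(0x03, b"\x00"))

SAMPLE = {"idrac-a.example": sample_cert("idrac-a", "idrac-a", b"A" * 16),
          "idrac-b.example": sample_cert("Lab CA", "idrac-b", b"B" * 16),
          "idrac-c.example": sample_cert("Lab CA", "idrac-c", b"B" * 16),
          "idrac-d.example": sample_cert("Lab CA", "idrac-d", b"D" * 16)}
```

For live input, `ssl.get_server_certificate((host, 443))` followed by `ssl.PEM_cert_to_DER_cert()` from the Python standard library yields the DER bytes that `audit_fleet` expects.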

