Transcription
HPE Gen10 Security Reference GuideAbstractThis document describes the security and encryption mechanisms available in HPE Gen10servers and embedded firmware. This document is intended for individuals who are responsiblefor the secure configuration and operation of HPE servers for their organization.Part Number: 882428-005Published: February 2019Edition: 1
Copyright 2017, 2019 Hewlett Packard Enterprise Development LPNoticesThe information contained herein is subject to change without notice. The only warranties for Hewlett PackardEnterprise products and services are set forth in the express warranty statements accompanying suchproducts and services. Nothing herein should be construed as constituting an additional warranty. HewlettPackard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use,or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer SoftwareDocumentation, and Technical Data for Commercial Items are licensed to the U.S. Government undervendor's standard commercial license.Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett PackardEnterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprisewebsite.AcknowledgmentsIntel , Itanium , Pentium , Xeon , Intel Inside , and the Intel Inside logo are trademarks of Intel Corporationin the U.S. and other countries.Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in theUnited States and/or other countries.Adobe and Acrobat are trademarks of Adobe Systems Incorporated.Java and Oracle are registered trademarks of Oracle and/or its affiliates.UNIX is a registered trademark of The Open Group.
ContentsIntroduction.7The importance of security. 7HPE Gen10 platform security features and licensing. 7HPE Gen10 product security features. 8HPE iLO 5 Security Features.8Unauthorized access prevention.8Phlashing protection. 9Protected Management ROM. 9Protected PCI bus.10Host Access Configuration Lock. 10Network and management ports.10Security Override switch. 11Trusted Platform Module and Trusted Modules. 11Operating iLO servers in the DMZ. 12Communication between iLO and server blades or Synergy systems.13Security audits. 13Firmware verification.15HPE Gen10 UEFI security features. 18Intelligent Provisioning Security Features.18Intelligent Provisioning. 18Intelligent Provisioning security through iLO.19Intelligent Provisioning security through UEFI. 19iLO Amplifier Pack security features.19HPE OneView security features. 19HPE Gen10 recommended security settings. 21Hardware security.27HPE Gen10 Server hardware security. 27HPE Gen10 security best practices. 29Physical access security.29The HPE ProLiant Gen10 System Maintenance switch. 29iLO security with the system maintenance switch.30HPE ProLiant Gen10 system intrusion detection.31iLO Service Port.31Configuring the iLO Service Port settings. 31iLO Service Port supported devices.32Configuration security.33iLO settings for configuration security.34Preparing to set up iLO. 34IPMI/DCMI settings. 38iLO security. 39Using the Security Dashboard. 41iLO access settings.45iLO user accounts. 553
iLO directory groups.60Administering SSH keys. 63Administering SSL certificates. 66HPE SSO. 69Configuring the Login Security Banner. 72Installing a license key by using a browser.73UEFI settings for configuration security. 75HPE Gen10 UEFI security features. 75Using the iLO 5 Configuration Utility. 76iLO Amplifier Pack configuration security. 83Managed Servers Alerts. 83Activity Logs and Alerts.85Recovery Management.86Remote management security.99About the tasks in this section. 99Configuring Remote Console Computer Lock settings.99Remote Console Computer Lock options. 99Keys for configuring Remote Console computer lock keys and hot keys. 100Configuring the Integrated Remote Console Trust setting (.NET IRC). 101HPE ProLiant Gen10 security states. 101iLO security states. 101Configuring encryption settings. 103Enabling the Production or High Security security state. 103Enabling the FIPS and CNSA security states. 104Connecting to iLO when using higher security states. 105Configuring a FIPS-validated environment with iLO. 106Disabling FIPS mode. 106SSH cipher, key exchange, and MAC support.106SSL cipher and MAC support. 107Directory integration, access control, and auditing.109Directory authentication and authorization. 109Prerequisites for configuring authentication and directory server settings.109Configuring Kerberos authentication settings in iLO.109Configuring schema-free directory settings in iLO. 110Configuring HPE Extended Schema directory settings in iLO.111Directory user contexts. 113Directory Server CA Certificate. 113Local user accounts with Kerberos authentication and directory integration. 113Running directory tests. 114CAC Smartcard Authentication. 117Kerberos authentication with iLO.121Configuring Kerberos authentication.121Configuring the iLO hostname and domain name for Kerberos authentication. 121Preparing the domain controller for Kerberos support. 122Generating a keytab file for iLO in a Windows environment. 122Verifying that your environment meets the Kerberos authentication timerequirement.124Configuring Kerberos support in iLO.125Configuring supported browsers for single sign-on.125Directory integration.127Choosing a directory configuration to use with iLO. 127Schema-free directory authentication. 128Prerequisites for using schema-free directory integration.129Process overview: Configuring iLO for schema-free directory integration. 129Schema-free nested groups (Active Directory only). 130HPE Extended Schema directory authentication.130Process overview: Configuring the HPE Extended Schema with Active Directory. 1304
Prerequisites for configuring Active Directory with the HPE Extended Schemaconfiguration. 131Directory services support. 131Installing the iLO directory support software.131Running the Schema Extender. 133Directory services objects. 134Directory-enabled remote management (HPE Extended Schema configuration). 134Roles based on organizational structure.135How role access restrictions are enforced. 136User access restrictions.136Role access restrictions. 138Tools for configuring multiple iLO systems at a time.139User login using directory services. 140UEFI, passwords, and the Trusted Platform Module.140Server Security options.140Setting the power-on password. 141Setting an administrator password. 141Secure Boot. 142Enabling or disabling Secure Boot.142Configuring Trusted Platform Module options. 143Advanced Secure Boot Options.144Viewing Advanced Secure Boot Options settings.144Enrolling a Secure Boot certificate key or database signature. 145Deleting a Secure Boot certificate key or database signature. 146Deleting all keys .146Exporting a Secure Boot certificate key or database signature. 147Exporting all Secure Boot certificate keys.147Resetting a Secure Boot certificate key or database signature to platform defaults.148Resetting all Secure Boot certificate keys to platform defaults. 148TLS (HTTPS) Options.148Viewing TLS certificate details. 148Enrolling a TLS certificate. 148Deleting a TLS certificate.149Deleting all TLS certificates. 149Exporting a TLS certificate.149Exporting all TLS certificates. 149Resetting all TLS settings to platform defaults.150Configuring advanced TLS security settings.150Enabling or disabling Intel TXT support.151Enabling or disabling the One-Time Boot Menu F11 prompt. 152Enabling or disabling processor AES-NI support.152Enabling or disabling backup ROM image authentication. 152Managing firmware, OS software, and language packs. 153Firmware updates. 153Online firmware update.153Online firmware update methods. 153Offline firmware update.154Offline firmware update methods. 154Viewing and updating firmware and software. 154Viewing installed firmware information.155Replacing the active system ROM with the redundant system ROM. 156Viewing software information. 156Updating iLO or server firmware by using the Flash Firmware feature.157Installing language packs with the Flash Firmware feature. 161iLO Federation Group Firmware Update.161Maintenance windows. 163Adding a maintenance window. 1645
Removing a maintenance window. 164Removing all maintenance windows.165Viewing maintenance windows. 165iLO Repository. 166Installing a component from the iLO Repository. 166Removing a component from the iLO Repository. 166Removing all components from the iLO Repository.167Viewing iLO Repository summary and component details.167Using the Upload to iLO Repository pane.168Install sets.169Installing an install set.169Removing an Install Set. 170Removing all install sets. 170Viewing Install Sets.171System Recovery Set. 171Creating a System Recovery Set.172Operating system security provisioning. 175Intelligent Provisioning, UEFI, and server boot security. 175Lifecycle security.176Updates and patches.176Secure decommissioning. 176Decommissioning a server. 176Using Secure Erase.176Securely erasing server data. 176System Erase and Reset options. 177iLO Backup & Restore. 177Support and other resources. 179Accessing Hewlett Packard Enterprise Support. 179Accessing updates. 179Customer self repair. 180Remote support. 180Warranty information. 180Regulatory information. 180Documentation feedback.181Frequently asked questions. 1826
IntroductionThe importance of securityAs threats move from network security to the hardware and firmware layers, HPE Gen10 security featureshelp protect your hardware, firmware, and network components from unauthorized access and unapproveduse. HPE offers an array of embedded and optional software and firmware for HPE Gen10 that enables youto institute the best mix of remote access and control for your network and data center.HPE Gen10 servers are offered with the following security aware components: HPE iLO 5The HPE iLO subsystem, a standard component of HPE ProLiant servers, simplifies server setup, healthmonitoring, power and thermal optimization, and remote server administration. With an intelligentmicroprocessor, secure memory, and dedicated network interface, iLO offers varying degrees of encryptionand security. Ranging from a standard open level (Production) up to the Federal Information ProcessingStandard (FIPS) and the Commercial National Security Algorithm (SuiteB/CNSA) security, iLO offersadministrators a reliable way to integrate HPE ProLiant servers into existing security environments. Intelligent ProvisioningIntelligent Provisioning is a single-server deployment tool embedded in ProLiant Gen10 servers and HPESynergy compute modules that simplifies server setup, providing a reliable way to deploy servers.Intelligent Provisioning prepares the system for installing original, licensed vendor media and HewlettPackard Enterprise-branded versions of OS software, and integrates optimized server support softwarefrom the Service Pack for ProLiant (SPP). Intelligent Provisioning also provides an alternative method ofconfiguring HPE iLO 5, including the range of security settings iLO offers. Smart Update Manager (SUM)SUM is a tool for firmware and driver maintenance which provides a browser-based GUI or a commandline scriptable interface for increased flexibility and adaptability for your needs. SUM includes a discoveryengine that finds the installed hardware and current versions of firmware and software in use on targetnodes. SUM identifies associated targets you can update at the same time to avoid interdependencyissues. SUM deploys updates in the correct order and ensures that all dependencies are met beforedeploying an update. If SUM finds version-based dependencies it cannot resolve, SUM preventsdeployment. UEFI System UtilitiesThe UEFI System Utilities is embedded in the system ROM. Unified Extensible Firmware Interface (UEFI)defines the interface between the operating system and platform firmware during the boot, or start-upprocess. UEFI supports advanced pre-boot user interfaces and extended security control. Features suchas Secure Boot enable platform vendors to implement an OS-agnostic approach to securing systems inthe pre-boot environment. The ROM-Based Setup Utility (RBSU) functionality is available from the UEFISystem Utilities along with additional configuration options.HPE Gen10 platform security features and licensingHPE iLO licensingHPE iLO security features, introduced in Gen10, build on the world's most security industry standard serversby providing premium security capabilities that protect your Hewlett Packard Enterprise servers from attacks,detect intrusions, and allow you to recover your firmware securely. These features are available on all HPEProLiant Gen10 Servers with iLO 5.Introduction7
iLO (Standard) is preconfigured on Hewlett Packard Enterprise servers without an additional cost or license.Features that enhance productivity are licensed. For more information, see the iLO licensing guide at thefollowing website: http://www.hpe.com/support/ilo-docs.To activate iLO licensed features, install an iLO license.HPE Gen10 software beyond iLOSome installable Gen10 software product features depend on iLO licenses beyond the standardpreconfigured license. Refer to the documentation for those software products for iLO license requirements.HPE Gen10 product security featuresHewlett Packard Enterprise security features are designed to meet challenges such as attacks on firmware bycontinually improving the hardware and firmware security of Gen10 platforms and related hardwareenvironments-ensuring that every link in the chain of security provides effective security protections.HPE focused on increasing the level of security in the three critical pillars of the security environment-protect,detect, and recover-so you can be confident that your server hardware infrastructure is secure from threats,and that any potential vulnerabilities will be addressed quickly.The HPE ProLiant Gen10 servers with the iLO 5 and its silicon root of trust undergo a server boot processthat authenticates from the hardware itself and undergoes a series of trusted handshakes before fullyinitializing the UEFI and the OS. The silicon root of trust enables the detection of previously undetectablecompromised firmware or malware. The advanced capabilities of iLO 5 enable daily automatic scanning offirmware and automatic recovery to authentic good states. Combining the Gen10 security features withselected server options allows you to design a resilient and hardened industry-standard server infrastructure.HPE iLO 5 Security FeaturesHPE iLO 5 includes the following security features: Unauthorized access prevention Phlashing protection Protected Management ROM Protected PCI bus Host Access Configuration Lock Network and management port control Security override switch Trusted Platform Module and Trusted Modules Compliant with DMZ zones Secure communication between iLO and server blades Extensive logging to enable efficient security auditsFor more information, see the HPE iLO 5 User Guide available from the HPE Information Library at ed access preventionAccess through an iLO porta
To activate iLO licensed features, install an iLO license. HPE Gen10 software beyond iLO Some installable Gen10 software product features depend on iLO licenses beyond the standard preconfigured license. Refer to the documentation for those software products for iLO license
