Data Encryption; SSL Certificate Import; Data Integrity - HP AB500A - Integrated Lights-Out Advanced Technology Brief

Integrated Lights-Out technology: enhancing the manageability of ProLiant servers technology brief

Using directory services simplifies user administration in multiple ways:
• Provides a single repository for all user accounts and Lights-Out devices. This allows IT managers to
scale their infrastructure easily by managing all users' rights—including those for iLO management
processors—in a single database.
• Uses the same security (password) policies as the rest of the network. Because directory services
allow administrators to authenticate a user by means of the same login process employed
throughout the rest of the network, corporate standards for security can be enforced easily.
• Supports thousands of users rather than only the few that an iLO or iLO 2 processor supports
without directory integration.
• Provides role-based administration with access and time restrictions, allowing administrators to
more closely control access rights to iLO devices.

Data encryption

The first-generation iLO management processor uses SSL, RC4, and SSH protocols to ensure privacy
of iLO actions, depending on the access modes and types of functions being performed:
• The iLO processor encrypts all HTTP web pages using 128-bit SSL encryption to ensure that all
information and commands issued through the web browser are private.
• The iLO processor uses the RC4 stream cipher to encrypt the remote console and
virtual serial port sessions (if administrators enable the encryption).
• The CLP uses SSH to encrypt the data stream both to and from the host server.

The iLO 2 device provides additional security through two of the strongest available cipher strengths:
the Advanced Encryption Standard (AES) and the Triple Data Encryption Standard (3DES). If
configured to require maximum security, the iLO 2 processor enforces the use of AES/3DES over the
browser, the SSH port, and the XML port.

SSL Certificate Import

The iLO processor generates self-signed SSL certificates as a standard feature. However, an
administrator can replace the iLO SSL certificate by using CA-issued certificates based on an iLO
certificate signing request.

Data integrity

The iLO processor ensures the legitimacy and integrity of any iLO firmware images by including a
digital signature. A digital signature is generated using a private key, or encryption code, known only
to HP. The iLO firmware verifies the digital signature by using a corresponding public key. The
firmware contents cannot be modified without generating a new digital signature, which requires the
original private key from HP. If iLO cannot verify the digital signature, iLO will not execute or even
load the firmware. This safeguard prevents loading corrupt or rogue firmware.

The virtual media and remote console applets are also digitally signed. The digital signature ensures
that when administrators view the applet window, the code originated from the iLO processor and it
has not been altered or tampered with after the signature was applied.

After the digital signature has been accepted, the virtual media applet can read or write to the
management console's physical floppy, CD drive, or the associated image files. Likewise, after the
digital signature has been accepted, the remote console applet can automatically start the Microsoft
Terminal Services client.
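
The firmware signature check described above, as an added example that is not HP's code: a loader gate that accepts an image only when its signature verifies under the vendor public key, exercised with a genuine image, a modified image, and an image signed with a different key. It assumes RSA with SHA-256 through the openssl command line (the brief does not state which algorithms iLO uses); all keys, file names and image contents are constructed.

```shell
#!/bin/sh
# Added example: a verify-before-load gate in the style the brief describes.
# Assumption: RSA keys and a SHA-256 digest; the brief does not name the
# algorithms iLO uses. All keys, file names and image bytes are constructed.

# load_firmware IMAGE SIGNATURE VENDOR_PUBKEY
# Prints "loaded" (exit 0) only when SIGNATURE verifies over IMAGE under the
# vendor public key; otherwise prints "rejected" (exit 1).
load_firmware() {
    if openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
    then
        echo "loaded"
    else
        echo "rejected"
        return 1
    fi
}

# new_key FILE: generate a 2048-bit RSA private key (stand-in for a signing key).
new_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# build_demo DIR: create the vendor key pair, a signed image, a modified copy of
# that image, and an image signed with a key other than the vendor's.
build_demo() (
    cd "$1" || exit 1
    new_key vendor.key
    openssl pkey -in vendor.key -pubout -out vendor.pub
    printf 'CONSTRUCTED FIRMWARE IMAGE v1.00\n' > fw.bin
    openssl dgst -sha256 -sign vendor.key -out fw.sig fw.bin
    sed 's/v1.00/v1.0X/' fw.bin > fw_modified.bin   # content changed, old signature kept
    new_key other.key
    printf 'CONSTRUCTED UNOFFICIAL IMAGE\n' > fw_other.bin
    openssl dgst -sha256 -sign other.key -out fw_other.sig fw_other.bin
)

# demo: run the gate against all three constructed images and print each verdict.
demo() {
    dir=$(mktemp -d) || return 1
    build_demo "$dir"
    echo "vendor-signed image:   $(load_firmware "$dir/fw.bin" "$dir/fw.sig" "$dir/vendor.pub")"
    echo "modified after sign:   $(load_firmware "$dir/fw_modified.bin" "$dir/fw.sig" "$dir/vendor.pub")"
    echo "signed with other key: $(load_firmware "$dir/fw_other.bin" "$dir/fw_other.sig" "$dir/vendor.pub")"
    rm -rf "$dir"
}
demo
```

The third case shows why the verifier must hold the vendor's public key itself: a signature that is valid under some other key still fails the gate.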

This manual is also suitable for:

Integrated Lights-Out, Integrated Lights-Out 2