Authentication and Authorization Processes for CLI Access; Encryption - HP AB500A - Integrated Lights-Out Advanced Technology Brief

HP Integrated Lights-Out security, 6th edition

iLO, but there is limited space to store certificates. When full, no additional records may be added
unless other records are first removed. Record removal occurs when the buffer rolls over and any
earlier certificate information is lost.

Authentication and authorization processes for CLI access

The iLO command-line interface gives customers another way (in addition to the web browser) to
access critical iLO functions such as the virtual power capability, text-based remote console, and
virtual serial port. The iLO CLI uses the industry-standard Secure Shell (SSH) protocol to encrypt the
data stream and all keystrokes sent between iLO and the client.
When a user requests an SSH session, the iLO processor performs the following negotiation steps to
ensure a secure login:
1. The iLO processor retrieves the encryption keys from NVRAM. If the keys are not present or are
   invalid, the iLO processor generates the keys.

   NOTE:
   The keys are preloaded at the HP factory. However, in the case of a field upgrade, there could
   be up to a 25-minute delay after upgrading the firmware before the keys are created. If users
   try to log in through SSH immediately after upgrading, they could experience a wait of up to
   25 minutes. During this time, iLO response to other functionality is slow and the iLO status
   page displays a message indicating that key generation is in progress.

2. The iLO processor listens for a request on the SSH port. When it gets a request, it starts a
   protocol negotiation task for exchanging the public and private keys during the SSH protocol
   negotiation.
3. The protocol negotiation task completes the key exchange.
4. The protocol negotiation task then spawns a task for checking authentication timeout and another
   task for performing the authentication. The authentication task is also used for reading from
   the SSH port once authentication completes successfully.
5. The task for protocol negotiation then terminates while the authentication task and
   authentication timeout task continue to run.
6. The authentication timeout task waits for one minute. If authentication does not complete
   successfully during that time, this task will terminate the connection.
7. The authentication task will attempt to authenticate the user. The iLO device allows a maximum
   of three attempts. If authentication is unsuccessful, iLO terminates the connection. If
   authentication is successful, this task will start the CLI session task for the SSH session and
   the SSH task for writing to the SSH socket. After initiating the CLI and SSH tasks, the
   authentication task becomes the read task for the SSH socket.
8. The write task for the SSH connection will write data to the socket. If there is no session
   activity for a period equal to the session timeout, the SSH session will close.

The iLO management processor supports only version 2 (SSH-2) of the protocol. "Appendix B: SSH-2
support" lists the SSH features supported.
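
The SSH-2-only statement above can be checked from the client side by reading the identification string the server sends before key exchange (RFC 4253, section 4.2). The following is an added example, not code from HP or from the brief; the function names and the sample banners are assumptions constructed for illustration.

```python
import socket

MAX_IDENT_LEN = 255  # RFC 4253 section 4.2: limit includes CR LF

def parse_ident(line: bytes):
    """Split 'SSH-protoversion-softwareversion[ SP comments]' into its parts."""
    if len(line) > MAX_IDENT_LEN:
        raise ValueError("identification string exceeds 255 bytes")
    text = line.rstrip(b"\r\n").decode("ascii", errors="replace")
    if not text.startswith("SSH-"):
        raise ValueError("not an SSH identification string")
    ident, _, comments = text.partition(" ")
    parts = ident.split("-", 2)  # softwareversion may itself contain '-'
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("malformed identification string")
    return parts[1], parts[2], comments

def classify(line: bytes) -> str:
    """Report which protocol versions the identification string advertises."""
    proto, _software, _comments = parse_ident(line)
    if proto == "2.0":
        return "ssh2-only"
    # RFC 4253 section 5.1: "1.99" marks a server that also accepts SSH-1.
    if proto == "1.99":
        return "ssh1-and-ssh2"
    if proto.startswith("1."):
        return "ssh1-only"
    return "unknown"

def read_ident(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Fetch the identification line from a management port you administer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        for _ in range(20):  # other lines may precede the version string
            line = reader.readline(MAX_IDENT_LEN + 1)
            if not line or line.startswith(b"SSH-"):
                return line
    return b""

# Constructed sample banners (not captured from real devices).
SAMPLES = {
    b"SSH-2.0-ExampleMgmt_1.0\r\n": "ssh2-only",
    b"SSH-1.99-ExampleMgmt_1.0 legacy\r\n": "ssh1-and-ssh2",
    b"SSH-1.5-ExampleOld\r\n": "ssh1-only",
}

if __name__ == "__main__":
    for banner, expected in SAMPLES.items():
        print(banner.strip().decode(), "->", classify(banner), "(expected", expected + ")")
```

A result other than `ssh2-only` from a management processor that is documented as SSH-2 only is worth investigating, for example as a sign of outdated firmware or an intermediary device answering on the port.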

Encryption

The iLO management processor uses 128-bit SSL and SSH frameworks to ensure privacy of iLO
actions depending on the access modes and types of functions being performed. Within these
frameworks, various ciphers can be used for encrypting network traffic.