
ILO 4 - Disable Weak Ciphers

 
gil3
Occasional Visitor

How do you disable the ciphers listed below on ILO 4 on a DL 380 Gen 9?

  • DHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES256-GCM-SHA384 

I have upgraded the ILO 4 firmware to version Windows 64bit -- 2.82. I have also enabled AES/3DES encryption enforcement.

Also, how do you enable TLS v1.3?

support_s
System Recommended

Query: ILO 4 - Disable Weak Ciphers

System recommended content:

1. HPE iLO 5, 1.15 User Guide

2. HPE iLO 5 1.30 User Guide


gil3
Occasional Visitor

Re: Query: ILO 4 - Disable Weak Ciphers

Thank you for responding, yet you provided the ILO documentation for version 5. Note, I have an ILO V 4 and have already looked at the version 4 documentation, yet I am unable to find a solution.

Thanks

 

shiva_jr
HPE Pro

Re: Query: ILO 4 - Disable Weak Ciphers

Hi gil3,
Please refer to the following iLO 4 encryption details and refer to this for 'Modifying the AES/DES encryption setting'.
Upgrade the server's iLO 4 version to 2.82.

Regards,
Shiva_JR
Please mark as 'Accepted solution' if my post worked and give me the Kudos.

I work for HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]


gil3
Occasional Visitor

Re: Query: ILO 4 - Disable Weak Ciphers

@shiva_jr

Thank you for responding, yet you provided the ILO documentation for version 5. Note, I have an ILO V 4 and have already looked at the version 4 documentation, yet I am unable to find a solution. Thanks

bradawk1
Trusted Contributor

Re: Query: ILO 4 - Disable Weak Ciphers

If you look at the first link Shiva provided, I don't think it is possible with iLO 4 (at least according to that document). Even in FIPS mode those ciphers are used. Maybe that will change with a newer firmware, but I would not count on it.

trilee2
Occasional Advisor

Re: ILO 4 - Disable Weak Ciphers

Wonder if HPE has a way to do this with hponcfg and/or iLORest. Any smart iLO-4 engineers out there?

Vinky_99
Esteemed Contributor

Re: ILO 4 - Disable Weak Ciphers

Good day! 

To disable weak ciphers on an HPE iLO 4 management interface on a DL380 Gen9 server, you'll typically need to access the iLO web interface and make changes in the SSL/TLS settings. Here's a step-by-step guide:

>> Access the iLO Web Interface:

a. Open a web browser on a computer connected to the same network as the server.
b. Enter the IP address or hostname of the iLO interface into the address bar.
c. Log in to the iLO web interface using your administrative credentials.

>> Once logged in, look for the SSL/TLS configuration settings. The exact location of these settings may vary slightly depending on the iLO firmware version and interface layout. Generally, you should find them under the Security or Security Settings section.

>> Disable Weak Ciphers.

a. In the SSL/TLS configuration settings, you should find a list of supported ciphers. Locate the entries for the ciphers you want to disable: DHE-RSA-AES128-GCM-SHA256 and DHE-RSA-AES256-GCM-SHA384.
b. Disable these ciphers by either unchecking their checkboxes or selecting an option that removes them from the list. The specific steps may vary depending on the iLO firmware version, but there should be an option to manage the list of ciphers. Save your changes.

>> TLS 1.3 support depends on both the iLO firmware version and the server's hardware capabilities. To enable TLS 1.3, you need to check if your iLO firmware supports it.

a. In the SSL/TLS configuration settings, look for an option to select the TLS version. If TLS 1.3 is supported and available, you should see it in the list of available versions.
b. If TLS 1.3 is available, select it as the preferred TLS version. Save your changes.

>> Some changes to SSL/TLS settings may require a reboot of the iLO for them to take effect. If prompted, follow the on-screen instructions to reboot the iLO.

>> After making these changes, it's a good practice to test the SSL/TLS configuration to ensure that the weak ciphers are disabled and TLS 1.3 is enabled as desired. You can use SSL/TLS testing tools or utilities like openssl to verify the configuration.

Keep in mind that the exact steps and options may vary depending on your specific iLO firmware version, so refer to the user manual or documentation provided by HPE for your server and iLO version for the most accurate instructions. Additionally, always exercise caution when making changes to security settings on your server's management interface, as incorrect configurations could impact remote management access.

Hope this gives some insights!

These are my opinions so use it at your own risk.
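
The openssl verification mentioned in the reply above, as an added example that is not part of the original thread and is not HPE code: it offers the iLO exactly one of the two ciphers from the question per connection, then TLS 1.3 only, and reports what was negotiated. `ILO_HOST`, `ILO_PORT` and the function names are hypothetical names used only by this script.

```shell
#!/bin/sh
# Added example: audit which of the thread's ciphers an iLO still negotiates.
# ILO_HOST / ILO_PORT are hypothetical variable names used only by this script.

CIPHERS="DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384"

# Print the cipher named on the "New, <proto>, Cipher is <name>" line of
# `openssl s_client` output read from stdin; "(NONE)" means no handshake.
negotiated_cipher() {
    sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | head -n 1
}

# Classify s_client output (stdin) for the cipher or protocol named in $1.
classify() {
    got=$(negotiated_cipher)
    case "$got" in
        ""|"(NONE)") echo "$1: rejected" ;;
        *)           echo "$1: accepted ($got)" ;;
    esac
}

# Offer exactly one TLS 1.2 cipher so the result cannot be a fallback.
probe_cipher() {
    if ! openssl ciphers "$1" >/dev/null 2>&1; then
        echo "$1: untested (local openssl cannot offer it)"
        return 0
    fi
    openssl s_client -connect "$2" -tls1_2 -cipher "$1" </dev/null 2>/dev/null \
        | classify "$1"
}

# Offer TLS 1.3 only (needs a local OpenSSL 1.1.1 or later).
probe_tls13() {
    openssl s_client -connect "$1" -tls1_3 </dev/null 2>/dev/null \
        | classify "TLSv1.3"
}

# Probes run only when a target is supplied: ILO_HOST=<your-ilo> sh check.sh
if [ -n "${ILO_HOST:-}" ]; then
    target="$ILO_HOST:${ILO_PORT:-443}"
    for c in $CIPHERS; do probe_cipher "$c" "$target"; done
    probe_tls13 "$target"
else
    # No target given: self-check on a constructed s_client line.
    echo "New, (NONE), Cipher is (NONE)" | classify "constructed-sample"
fi
```

Running it before and after a firmware or encryption-setting change shows whether the change actually altered what the interface negotiates.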