topic Re: iLO5 v3.01 missing "high security" encryption mode in ProLiant Servers (ML,DL,SL)

iLO5 v3.01 missing "high security" encryption mode

tato386 — Fri, 23 Feb 2024 04:55:57 GMT

I have several iLO5's all running v3.01 firmware but they don't all have the same options for security state under encryption options. I would like to configure all for "high security" but some only have FIPS/CNSA options. The reason I need "high security" is because a Qualys vulnerability scan flags the FIPS iLOs with missing "strict-security-header for HTTP" but the iLOs configured with "high security" somehow aren't flagged for this even though my understanding is that FIPS should be a more secure option? I guess, the other option would be to figure out how to enable "strict security headers" on the FIPS iLOs but seems easier to try to get "high security" option going first. Any ideas?

Thanks,

Re: iLO5 v3.01 missing "high security" encryption mode

ManBha — Wed, 21 Feb 2024 05:05:37 GMT

Hello,

1. Please find the below options available in iLO 3.01

iLO Security States:
https://support.hpe.com/hpesc/public/docDisplay?docId=a00105236en_us&docLocale=en_US&page=GUID-258790EA-BD83-434C-809A-C150AD70946B.html
Enabling the High Security security state :
https://support.hpe.com/hpesc/public/docDisplay?docId=a00105236en_us&docLocale=en_US&page=GUID-AB1DA160-6EC8-4FE8-B646-8BF975DFC816.html

2. If the option is not available, please reset iLO.

iLO web interface
Use the Reset button on the Diagnostics page.

Thanks.

Re: iLO5 v3.01 missing "high security" encryption mode

thutchings — Wed, 21 Feb 2024 19:15:00 GMT

Hello,

I just checked an iLO 5 running 3.01 in the lab environment I have access to and it does have the High Security option.

I think one thing being overlooked here is the CURRENT security state. On the one that does not list High Security or Production you have it currently set for FIPS. When in FIPS or CNSA you cannot go back to High Security or Production. You must factory reset the iLO in order to get access back.

https://support.hpe.com/hpesc/public/docDisplay?docId=a00105236en_us&docLocale=en_US&page=GUID-D7147C7F-2016-0901-06D0-000000000E35.html

Regards

Re: iLO5 v3.01 missing "high security" encryption mode

thutchings — Wed, 21 Feb 2024 19:17:10 GMT

Also, prior to a factory reset, I would make sure you have the default password noted and the license key (if you have an additional license) as these will be lost.

Regards

Re: iLO5 v3.01 missing "high security" encryption mode

tato386 — Wed, 21 Feb 2024 21:10:19 GMT

I was afraid of that answer. I can certainly reset it but it's a PITA because the server(s) are in a colo center over 1 hour away. My fear is that it won't fix my problem with Qualys. Does it make sense that an iLO5 with latest firmware and running in FIPS mode would not have HTTP security headers enabled?? Below is the specific issue I am running into:

Qualys Scan / QID: 11827 / Category: CGI

RESULTS: Strict-Transport-Security HTTP Header missing on port 443.

GET / HTTP/1.1
Host: ilo5-myserver.mydomain.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 11007
Connection: keep-alive
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval';
Date: Wed, 14 Feb 2024 00:47:34 GMT
ETag: "8001af65"
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block

Re: iLO5 v3.01 missing "high security" encryption mode

thutchings — Wed, 21 Feb 2024 23:23:12 GMT

Hello,

I believe all that should be required to get HSTS to work correctly is to perform the following:

1. Ensure you have a CA signed cert installed onto the iLO's

2. Enabled the option under the "Remote Console and Media" -> Security section for "IRC requires a trusted certificate in iLO"

Regards

Re: iLO5 v3.01 missing "high security" encryption mode

tato386 — Thu, 22 Feb 2024 00:02:54 GMT

I already have GoDaddy signed certs on these units so step #1 is good. Now I just enabled the setting that you suggsted. Next step is to wait because our auditing firm runs these scans only once a month and they just ran a cycle. I promise to post back with results after the next scan.

Thank you!

Re: iLO5 v3.01 missing "high security" encryption mode

thutchings — Thu, 22 Feb 2024 13:00:47 GMT

Hello,

I tested this out in my lab environment and I was able to enable HSTS using the procedure I indicated above. Using Nmap, I issued the following:

nmap -p 443 --script http-security-headers <iLO IP address>

This came back with the following result:

443/tcp open https

| http-security-headers:
| Strict_Transport_Security:
| HSTS not configured in HTTPS Server

I installed the cert from the CA and enabled the "IRC requires a trusted certificate in iLO" option. These are the results now:

443/tcp open https

| http-security-headers:
| Strict_Transport_Security:
| Header: Strict-Transport-Security: max-age=31536000; includeSubDomains

Regards

Re: iLO5 v3.01 missing "high security" encryption mode

tato386 — Thu, 22 Feb 2024 14:28:23 GMT

all my iLOs tested good for HSTS with nmap.

Thank you!

Re: iLO5 v3.01 missing "high security" encryption mode

Sunitha_Mod — Mon, 26 Feb 2024 07:18:10 GMT

Hello @tato386,

Perfect!

We are glad to know the problem has been resolved.