Understanding HPE ProLiant Gen10 & iLO 5 security modes

As threats move from network security to the hardware and firmware layers, customers need advanced features help protect their hardware, firmware, and network components from unauthorized access and unapproved use. Thankfully, HPE offers an array of embedded and optional software and firmware for HPE Gen10 servers that enable your customers to institute the best mix of remote access and control for their network and data center.

In recent blogs we have discussed how HPE Gen10 servers keep your customers’ infrastructure secure with the security features found in the HPE Secure Compute Lifecycle and HPE Integrated Lights-Out (iLO) 5. Today, we’re going to take a closer look into iLO 5 to discuss the varying degrees of encryption and security that Gen10 servers offer.  

With HPE iLO 5 standard edition, included with every ProLiant Gen10 Server, customers get the ability to configure their servers in one of three security modes: Production Mode, High Security Mode, and FIPS Mode. With the iLO Advanced Premium Security Edition license, customers who need the highest-level encryption capabilities have a fourth mode available to them: CNSA Mode

As you move up the scale in security (with Production Mode at the bottom, and CNSA Mode at the top), the server enforces stronger encryption rules for webpages, SSH, and network communications.

4 iLO 5 security modes.JPG

Let’s take a deeper dive into each security mode and learn how they work to help your customers keep their server infrastructure secure.

Production Mode
HPE ProLiant Gen10 servers ship in production mode, which allows the broadest interoperability with existing software. When set to this security mode, iLO uses the factory default encryption settings. The system maintenance switch setting to bypass iLO security (sometimes called the iLO Security Override switch) disables the password requirement for logging in to iLO.  

High Security Mode
High Security mode increases the sophistication of the encryption ciphers compared to production mode and uses the same encryption ciphers as FIPS mode. However, it does not require the same initialization steps that FIPS mode does. It also locks down the host interface by requiring authentication from the host OS side. High security mode enforces stricter security policies such as requiring valid iLO 5 credentials to use RBSU or other host-based utilities.

FIPS  Mode
In FIPS Mode, iLO 5 operates in a mode intended to comply with the requirements of FIPS 140-2 level 1. FIPS (Federal Information Processing Standards) is a set of computer security standard mandated for use by United States government agencies and contractors. FIPS Mode not only implements validated encryption ciphers (as High Security Mode does) but also closes down insecure interfaces that do not meet the government standard. Because interfaces like IPMI and SNMP v1 are shut off, potential attack surfaces are reduced. When entering FIPS mode, all the iLO 5 settings are reinitialized to operate as a FIPS validated environment.

CNSA mode is available only when FIPS mode is enabled. In addition to the security standards already mentioned in the first three security modes, HPE Gen10 servers also support the highest-level cryptographic standard available for commercial use, the Commercial National Security Algorithm Suite (CNSA). CNSA is a suite of cryptographic algorithms approved for use by the US National Security Agency for protecting secret and top secret information with the U.S. government, and is the highest-level cryptographic algorithm available for commercial systems.


Whether your customers need the most basic security, or the highest level of commercial encryption capabilities, HPE Gen10 servers have the perfect security mode for them!

Don’t forget, pairing HPE Gen10 servers with Windows Server 2016 licensing from HPE offers your customers even more protection. Learn more about Windows Server security features, and how they can further boost HPE Gen10 security, in our Cyber Crime 101 videos.


Have questions about HPE OEM Microsoft products/solutions, Windows Server 2016, or HPE Servers? Join the Coffee Coaching community to keep up with the latest HPE OEM Microsoft news and interact with HPE and Microsoft experts.

Follow us on Twitter | Join our LinkedIn group | Like us on Facebook | Watch us on YouTube | Email us a question

0 Kudos
About the Author


Willa manages the HPE | Microsoft Coffee Coaching program. Follow along to learn more about the latest HPE OEM Microsoft product releases and how the HPE Microsoft partnership can benefit partners and customers.