HPE OneView

Re: Best Practice for SPP Updates through OneView

 
Marcel_D
Advisor

Best Practice for SPP Updates through OneView

Hi all,

I would like to ask you for best practices for providing SPP updates through OneView when iLO is in a higher mode than Production.

While iLO SecurityMode=Production, SPP baselines are mostly installed without any problems.

Now we have the security issue that TLS 1.0 and 1.1 should be disabled, which means the iLO security mode should be set to at least "High Security", which means I have to set the password for SUT on a lot of servers with different OSes, so it's able to communicate with iLO and install the patches. Every iLO user has its own unique password and it has to be changed several times a year.

Changing the iLO password is scripted, so it's not a big thing. But setting the password for SUT on different operating systems is nearly impossible, as there are also different teams to contact, which have the logon rights to these servers.

So here's my question about a best practice in that case. How am I able to easily deploy baseline updates through OneView when "High Security" mode is activated? In the end, I just want to have TLS 1.0, TLS 1.1 and weak ciphers disabled.

OneView: 6.2

iLO 4, iLO 5: newest FW version

OS: Windows, Linux, ESXi

tech3d
HPE Pro

Re: Best Practice for SPP Updates through OneView

Hi Marcel_D,

Thanks for posting your query.

We understand that configuring SUT on the OS end is manual and not automated through OneView or SUM or iLO Amplifier Pack.

This is done to maintain security restrictions at customer sites and isolate data and management access to the servers.

As per best practice, whenever there's a driver + firmware (SPP) patching planned, the respective OS teams will need to update the iLO login credentials to SUT.

To avoid repetition of tasks, it's recommended to create an iLO admin user on all servers using the server profile, and configure SUT on all servers (at OS level), at the time of deployment. If this was not done during deployment, then it will be a one-time task for IT to implement it, and then the settings will be there until the server's OS is redeployed for any reason.


I work for HPE



Marcel_D
Advisor

Re: Best Practice for SPP Updates through OneView

Thanks for your answer.

"To avoid repetition of tasks, it's recommended to create an iLO admin user on all servers using the server profile, and configure SUT on all servers (at OS level), at the time of deployment."

That's what we do.

"and then the settings will be there until the server's OS is redeployed for any reason"

I understand that the settings will be there. Anyway, when the iLO passwords are changed, i.e. every 60 days, they have to be set in SUT (OS), which involves a lot of people.

----------------

The easiest way would be another security profile on the iLO, which disables TLS 1.0/1.1 plus weak ciphers and avoids using credentials for SUT at OS level, or having an option to deactivate these manually in the iLO GUI.