Solved: Locking Management Processor ( MP )

Darrell Tschakert · ‎02-22-2007

Hi,
We have a number of Itanium servers running HP-UX 11.23. The Itaniums all have an RS232 Management Processor (MP) port to which we connect a terminal. We can access any/all of the Itaniums through their MP port.

These MP's have there own IP addresses and some can currently be accessed over the LAN. Whenever our security people do a security scan with a program called Retna, certain of the MP's (the same ones that are LAN accessable with the CSP command ) kick off alarms stating that:

"A default community name is enabled in this SNMP service"

I could change the community name, but think that it would be easier and better simply to lock ALL of the MP to LAN connection. After spending some time in the MP menus, I have given up trying to disable the ports
to LAN traffic. Can anyone tell me how to disable LAN access to the MP's?

Thanks,

Darrell Tschakert

I'll add a quote when I think of one.

Hoff · ‎02-22-2007

It's unfortunate, but there appears to be no way to stealth the iLO MP.

If you are using the serial connection and are not using the iLO MP NIC, the most obvious course would seem to be unplugging the MP NIC from the network.

If you need access via the MP NIC, park a cheap firewall between the network and the MP would seem reasonable.

If it's specifically SNMP you're after, there is an iLO Adminstrative -> SNMP Settings page around where you can selectively disable SNMP.

There's an iLO manual around with details of this widget; the Integrated Lights-Out (iLO) Management Processor Operations Guide. I'm looking at the 3rd edition. Here's the direct path into the document: http://docs.hp.com/en/5971-4289/5971-4289.pdf

Stephen Hoffman
HoffmanLabs

rick jones · ‎02-22-2007

You could disable DHCP on them (if it is enabled) and then simply not configure a static IP address on them. At least I think you can do that. Otherwise, you could give them quasi-bogus IP addresses outside of your regular IP address ranges and no default gateway and unless the scanners are changed to be in that IP subnet the traffic back from the MPs won't reach them.

Of course, simply disconnecting the LAN port on the MP would work too...

there is no rest for the wicked yet the virtuous have no pillows

Torsten. · ‎02-22-2007

Hi,

depending on the server model and firmware you can disable telnet, enable ssh and modify the snmp string away from the default.

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!

Darrell Tschakert · ‎02-26-2007

Thank you all for the repies.
I went to the iLO PDF file that Stephen listed. According to this documentation, it should be easy to set the Community Strings. Just login over the web, select "Administration" and then select "SNMP Settings". The problem is that the "SNMP Settings" option is not listed. Only the first six options are listed.

If I telnet into the port or login via the MP/RS232 port, I should have access to a command named "SNMP". However, this command is not available, nor does Help talk about it.

At this time, I would rather just set the SNMP strings, but there appears to be no way to do this. Any ideas?

Thanks,
Darrell Tschakert

I'll add a quote when I think of one.

Torsten. · ‎02-27-2007

The availibility may depend on your server model and -of course- firmware.
Please post more details.

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!

Darrell Tschakert · ‎02-27-2007

These are the particulars of our HP's:

1. This is part of the opening window when I do a web login to one of the MP's:
--------------------------
Firmware Revisions:
iLO MP: E.03.15
BMC : 03.49
EFI : 03.14
System Firmware: 03.17
--------------------------
2. The Itaniums are four rx4640's and two rx2620's.

3. They all run HP-UX 11.23.

I beleive that I just updated the firmware on the MP a few months ago.
Please let me know if there is anything else that I can provide.
Thanks,

Darrell Tschakert

I'll add a quote when I think of one.

Torsten. · ‎02-27-2007

You need to upgrade the firmware!

The release notes says about enhancements:

iLO MP E.03.30
Added the capability to disable SNMP.
Added the capability to set the SNMP Community String. The default Community String is set to "public".
Added LDAP-lite functionality.

So you need MP firmware E.03.30 (including other components):

Read and download:

http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?lang=en&cc=us&prodTypeId=15351&prodSeriesId=88837&swItem=ux-41801-1&prodNameId=346361&swEnvOID=54&swLang=13&taskId=135&mode=4&idx=0

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!

Locking Management Processor ( MP )

Locking Management Processor ( MP )

Re: Locking Management Processor ( MP )

Re: Locking Management Processor ( MP )

Re: Locking Management Processor ( MP )

Re: Locking Management Processor ( MP )

Re: Locking Management Processor ( MP )

Re: Locking Management Processor ( MP )

Re: Locking Management Processor ( MP )

Hewlett Packard Enterprise International