HPE Community
ProLiant Servers (ML,DL,SL)
1753759 Members
4752 Online
108799 Solutions
New Discussion

Re: ilo redfish

 
SOLVED
Go to solution
BradV
Esteemed Contributor

‎01-07-2021 09:19 AM

‎01-07-2021 09:19 AM

ilo redfish

I'm trying to find in the iLO Redfish documentation how to disable snmp v1, but not having any luck.  Does anyone know if this is possible?

0 Kudos
Reply
7 REPLIES 7
BradV
Esteemed Contributor

‎01-08-2021 02:16 AM

‎01-08-2021 02:16 AM

Re: ilo redfish

I figured out that sending: 

curl --insecure --header "X-Auth-Token: ${iLOAuth}" --request GET ${iLOSSO}/redfish/v1/Managers/1/snmpservice | jq -r '.SNMPv1Enabled'

gets me the value true.  Now, I just need to figure out how to set it to false?  I tried running the above adding "/SNMPv1Enabled" to the end of the GET, but get back "ResourceMissingAtURI.  My hope was that if that worked, I could just change the GET to a PUT and add a "false" as data.  Any ideas?

0 Kudos
Reply
ChrisLynch
HPE Pro

‎01-08-2021 03:28 PM

‎01-08-2021 03:28 PM

Re: ilo redfish

For OneView, the only way to disable SNMPv1 is to put it into FIPS or CNSA mode.  Keep in mind that once you do, any legacy iLO or other resource OneView requires SNMP to manage (i.e. external SAN manager) is no longer be manageable unless you configure SNMPv3 with it.

This is the current iLO Redfish documentation.  I don't see a method to changing the SNMPv1 status of an iLO4 or iLO5 device.  I'll reach out to some iLO engineers and find out the answer.


I am an HPE employee

Accept or Kudo

0 Kudos
Reply
BradV
Esteemed Contributor

‎01-09-2021 05:10 AM

‎01-09-2021 05:10 AM

Re: ilo redfish

Thanks Chris.  I guess at the very least if I change the snmp v1 community name to some random string, then at least we can say that their ability to discover what type of device they are attacking is severly hampered?  I'll look into how to change the community string via the oneview API on Monday.

0 Kudos
Reply
BradV
Esteemed Contributor

‎02-25-2021 02:50 AM

‎02-25-2021 02:50 AM

Re: ilo redfish

Sorry, took me a little while to get back to this.  Found a way to return the current community string, but it is a read only value.  Does not appear to be a method to set the SNMP v1 community string?

curl --insecure --header "X-Auth-Token: ${iLOAuth}" --request GET ${iLOSSO}/redfish/v1/Managers/1/snmpservice | jq -r '.ReadCommunities'

Gets an array with the currently set community strings.  We have hundreds of DL380 and 560 servers.  I'd like a scripted way to set the community string either through the iLO API, or OneView API.  Anyone know if it is possible? 

0 Kudos
Reply
ChrisLynch
HPE Pro

‎03-08-2021 11:05 AM

‎03-08-2021 11:05 AM

Re: ilo redfish

Sorry for the late reply.  Here is a sample script we developed you can use to change the SNMP communities.  It is a Python script, but you should be able to pick apart the API calls to make it a BASH shell script with cURL.


I am an HPE employee

Accept or Kudo

Reply
BradV
Esteemed Contributor

‎03-09-2021 05:14 AM

‎03-09-2021 05:14 AM

Solution

Re: ilo redfish

Hi Chris,

Figured it out! 

First, I get OneView session credentials then extract a list of all current hardware.  Then run: 

echo '{"ReadCommunities": ["jlsf9879j#(*UjOUEO8(&(#(","",""]}' | jq -c '.' > snmp-communities
HARDW=extracted-hardware-list
for SERVER in server{1..100)-ilo ; do
   UUID=$(jq -r '.members[] | select(.name="'${SERVER}'") | "\(.uuid)"' ${HARDW})
   read iLOSSO iLOAuth <<< $(curl --insecure --header "X-API-Version: ${currentVersion}" \
      --header "auth: ${sessionID}" \
      --request GET ${OneView}/rest/server-hardware/${UUID}/remoteConsoleUrl | \
      jq -r '.remoteConsoleUrl' | sed -e 's|hplocons|https|' -e 's|addr=||' \
      -e 's|^\(.*\)&sessionkey=\(.*\)$|\1 \2|')
   curl --insecure \
      --header "X-Auth-Token: ${iLOAuth}" \
      --header "Content-Type: application/json" \
      --location --include --data "@snmp-communities" \
      --request PATCH ${iLOSSO}/redfish/v1/Managers/1/snmpservice
done

I was able to get several hundred servers done in a few minutes! 

0 Kudos
Reply
BradV
Esteemed Contributor

‎05-11-2022 02:01 AM - edited ‎05-11-2022 02:02 AM

‎05-11-2022 02:01 AM - edited ‎05-11-2022 02:02 AM

Re: ilo redfish

Note: The previous answer just changed the snmp v1 community string to something other than public.  I have since figured out how to just disable snmp v1.  Run:

 

HARDW=extracted-hardware-list
for SERVER in server{1..100)-ilo ; do
   UUID=$(jq -r '.members[] | select(.name="'${SERVER}'") | "\(.uuid)"' ${HARDW})
   read iLOSSO iLOAuth <<< $(curl --insecure --header "X-API-Version: ${currentVersion}" \
      --header "auth: ${sessionID}" \
      --request GET ${OneView}/rest/server-hardware/${UUID}/remoteConsoleUrl | \
      jq -r '.remoteConsoleUrl' | sed -e 's|hplocons|https|' -e 's|addr=||' \
      -e 's|^\(.*\)&sessionkey=\(.*\)$|\1 \2|')
   curl --silent --insecure \
      --header "X-Auth-Token: ${iLOAuth}" \
      --header "Content-Type: application/json" \
      --location --data "@snmp" \
      --request PATCH ${iLOSSO}/redfish/v1/Managers/1/networkprotocol | jq -r '.'
   curl --silent --insecure \
      --header "X-Auth-Token: ${iLOAuth}" \
      --header "Content-Type: application/json" \
      --location --data "@snmpv1" \
      --request PATCH ${iLOSSO}/redfish/v1/Managers/1/SnmpService | jq -r '.'
   curl --silent --insecure \
      --header "X-Auth-Token: ${iLOAuth}" \
      --header "Content-Type: application/json" \
      --location --data "@resetiLO" \
      --request PATCH ${iLOSSO}/redfish/v1/Managers/1/Actions/Manager.Reset | jq -r '.'
done

 

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.