
Re: SSL Certificate for iLO connection time is so long

 
maxim315
Occasional Advisor

SSL Certificate for iLO connection time is so long

Hi.

I have servers with iLO 1, 2, 3. By default iLO uses a self-signed cert. I have an internal CA based on Win 2008R2. So I create a CSR on iLO, retrieve a certificate and then import it on iLO.

On servers with iLO 3 I have no problem. But on servers with iLO 1, 2 I have a VERY (about 5-10 minutes) long connection time to the logon screen and then a VERY long time to log on.

I have noticed that the self-signed cert has md5rsa but my CA is sha1rsa hash. Could this be the reason? Or something else?

Thanks

18 REPLIES
Casper42
Respected Contributor

Re: SSL Certificate for iLO connection time is so long

I am not entirely sure, but I would say follow the process starting around the middle of page 44 here and see if that leads you to a certificate that doesn't give you problems.

http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c02845760/c02845760.pdf
maxim315
Occasional Advisor

Re: SSL Certificate for iLO connection time is so long

Thanks for the doc.

I do all the same. Click create request and then import certificate and restart iLO.

The cert installs correctly but the logon process takes a very long time. Have no idea what's wrong.

The certificate is only 1024 and from the standard template WebServer.

I have installed a certificate from this CA and template for the HP BladeSystem Onboard Administrator and all is OK.

maxim315
Occasional Advisor

Re: SSL Certificate for iLO connection time is so long

Have noticed that in iLO the status is "key generation underway remote console performance may be temporarily diminished". Maybe that is the reason? But I don't know what to do. I have just clicked request certificate.

Oscar A. Perez
Honored Contributor

Re: SSL Certificate for iLO connection time is so long

Every time you try to create a certificate request, iLO needs a new RSA key pair (private key and public key). Generating RSA key pairs is CPU intensive, so it could take minutes.

iLO2 has a 66 MHz RISC processor, so key generation in iLO2 could take a long time. Depending on how big the key is, it could take from just 1 minute to 20 minutes (there is a randomness factor in RSA key generation; this is why sometimes one RSA key pair could take a few seconds to generate and the next time it could take up to 20 minutes). 1024-bit RSA key pairs usually take just a couple of minutes to generate. 2048-bit RSA key pairs, on the other hand, could easily take up to 20 minutes to generate.

Because of this, in iLO2 we added a pool where we store a couple of 1024-bit RSA key pairs plus a couple of 2048-bit RSA key pairs, so there will always be one ready to be used. If the pool gets depleted (user generates CSRs over and over), or iLO2 is reset to factory defaults, new RSA key pairs will be generated in the background and stored in the pool. As long as the Remote Console remains closed, the background key generation thread will fill up the pool with new RSA keys.

iLO3 and iLO4 have more powerful processors and therefore work differently. They don't need a key pool like iLO2, just one 2048-bit RSA key pair that is ready to be used. If consumed, iLO3/4 will have to generate a new one in the background. It could still take a few minutes to generate.

 




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
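
The "randomness factor" described in the post above, as an added illustration (not iLO firmware code and not written by any poster in this thread): RSA key generation draws random candidates until it has found two primes, so the number of expensive primality tests differs from key to key. All function names are assumptions for the demo, and the caller-supplied `random.Random` stands in for the CSPRNG that real key generation requires.

```python
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin; every round costs one full-size modular exponentiation."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False      # witness found: n is composite
    return True

def find_prime(bits, rng):
    """Try random odd candidates until one is prime; return (prime, tried)."""
    tried = 0
    while True:
        tried += 1
        # Top two bits set (p*q gets exactly 2*bits bits), low bit set (odd).
        cand = rng.getrandbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(cand, rng):
            return cand, tried

def generate_keypair(modulus_bits, rng, e=65537):
    """Toy RSA key generation; returns (n, e, d, candidates_tested)."""
    tried = 0
    while True:
        p, tp = find_prime(modulus_bits // 2, rng)
        q, tq = find_prime(modulus_bits // 2, rng)
        tried += tp + tq
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:   # e is prime, so gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi), tried

def work_per_key(modulus_bits, keys, rng):
    """Candidates tested for each of `keys` freshly generated key pairs."""
    return [generate_keypair(modulus_bits, rng)[3] for _ in range(keys)]
```

Calling `work_per_key(1024, 5, random.Random())` and then the same with 2048 shows the spread between keys; the larger size needs about twice as many candidates on average, and each test on the larger numbers is itself several times slower, which is why a small management processor falls so far behind on 2048-bit keys.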
maxim315
Occasional Advisor

Re: SSL Certificate for iLO connection time is so long

Thanks for your answer. I can accept this "slow key generation" of about 30 min - 1 hour, but the cert was successfully installed a week ago and I still have the issue of a "long connection time" of about 3-5 minutes. It is not normal.

Oscar A. Perez
Honored Contributor

Re: SSL Certificate for iLO connection time is so long

That doesn't sound right. What servers are these? Are you using the iLO dedicated NIC or the shared NIC? Are the iLOs in a remote location? Is a VPN being used?




maxim315
Occasional Advisor

Re: SSL Certificate for iLO connection time is so long

I have various models of servers with iLO 2, like ProLiant BL680c G5, ProLiant DL360 G6, ProLiant BL460c G6.

Link type is automatic, DHCP is disabled (static IP), iLO is in our network without VPN.

Oscar A. Perez
Honored Contributor

Re: SSL Certificate for iLO connection time is so long

What firmware version do you have on these iLO2s? Can you capture a network trace showing your browser opening the iLO2 login page on that DL360 G6? No need to log in. Just need to see that TCP traffic. Send me a PM with the capture attached. What browser are you using anyway?




maxim315
Occasional Advisor

Re: SSL Certificate for iLO connection time is so long

iLO ver 2.05. Have tried IE10 on Win 7 x64 and Chrome.

Hmm, I have tried to dump network traffic. Good idea. Already sending the captured traffic by PM.