Server Management - Remote Server Management
1748202 Members
2863 Online
108759 Solutions
New Discussion

Re: iLO3 - security issue. Jumping from port 80 to 443

 
wojcieh
Occasional Advisor

iLO3 - security issue. Jumping from port 80 to 443

Hi,

 

I have G7 blade with iLO3. I have current firmware 1.55 from 24.01.2013.

I have problem with accessing Integrated Remote Console (.NET) and Remote Console (Java).

 

Problem is already narroved to jumping from port 443 to 80 when I try to connect - please check screenshot.

https://www.dropbox.com/s/nbt7c1hx8hd73q1/iLO3.jpg

 

How this can be prevented? Why is it behaving like that? Is it possible to disable port 80?

5 REPLIES 5
Oscar A. Perez
Honored Contributor

Re: iLO3 - security issue. Jumping from port 80 to 443

In order to allow SSL/TLS protocol to work, iLO comes by default with a SSL Self-Signed Certificate that iLO presents to the browsers during the initial SSL/TLS handshake.

 

But, self-signed certificates are not to be trusted as anybody can create one and impersonate somebody else's webserver. This is why you are getting warnings from these browsers.  What you need to do, is to get a "real" SSL Certificate signed by a trusted Certificate Authority and import that certificate into iLO3.

 

Check the iLO3 User Guide, page 44 for more details:

http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c02774507/c02774507.pdf

 




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
wojcieh
Occasional Advisor

Re: iLO3 - security issue. Jumping from port 80 to 443

Hi Oscar,

 

I disagree. Self signed certificates are same as normal ones with exception that they are not signed by CA.

 

In iLO documentation there is no word that Self signed certificates are worse than CA signed. As I wrote - problem is that communication is jumping from 443 to 80 and then to 443 back.

 

I checked that with network team - see below:

 

Mar 15 16:36:42 NETWORKMGMT Mar 15 2013 16:36:41: %FWSM-4-106023: Deny tcp src inside:IPADDRESS/30750 dst DST-NET:IPADDRESS/80 by access-group "access-group" [0x0, 0x0]

 

I asked them to allow just for few minutes port 80 and iLO worked fine so certificate is not a case.

Jimmy Vance
HPE Pro

Re: iLO3 - security issue. Jumping from port 80 to 443

what happens if you go directly to the iLO instead of launching from within the OA? Trying to help isolate where port 80 might be getting thrown into the mix. I did check on a couple of my systems this morning launching from the OA and didn't get the unsecure warning, just the normal certificate check.

 

 

 

 

No support by private messages. Please ask the forum! 
wojcieh
Occasional Advisor

Re: iLO3 - security issue. Jumping from port 80 to 443

Well,

 

this warning I got only on IE6 (don't laugh ;) ) but I tested it on Firefox and IE8 / IE9 as well - no warning about "unsecure" but I am timed out.

 

Jimmy Vance
HPE Pro

Re: iLO3 - security issue. Jumping from port 80 to 443


@wojcieh wrote:

Well,

this warning I got only on IE6 (don't laugh ;) ) but I tested it on Firefox and IE8 / IE9 as well - no warning about "unsecure" but I am timed out.

OK, did you try accessing iLO direct, or are you still launching from the OA?

 

Also you can launch the .net IRC application directly as it is now a .exe file. Here is an article provides more detail and a link to the application

http://hpproliant.blogspot.com/2012/02/hp-lights-out-stand-alone-remote.html

No support by private messages. Please ask the forum!