HPE OneView

Cmdlet to disable TLS 1.0 and 1.1 in iLO 5 without OneView

 
Prem_Kumar_S
Occasional Visitor

Cmdlet to disable TLS 1.0 and 1.1 in iLO 5 without OneView

Hi,

How can I disable TLS 1.0 and TLS 1.1 in production mode using the REST API without OneView, so that I can use a script to do that on multiple servers?

support_s
System Recommended

Query: Cmdlet to disable TLS 1.0 and 1.1 in iLO 5

System recommended content:

1. HPE iLO 5 1.40 User Guide | iLO Service Port

2. HPE iLO 6 1.55 User Guide | iLO Service Port

 


BPSingh
HPE Pro

Re: Cmdlet to disable TLS 1.0 and 1.1 in iLO 5 without OneView

Greetings!

It appears that you can send a raw REST call.
PATCH /redfish/v1/Managers/1/SecurityService/

It's discussed in this web-link: https://internal.support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00130372en_us 

If using ilorest, I would recommend using a rawpatch to change TLS versions. To disable TLS 1.0 and 1.1, write the following JSON to a file (let's say disabletls.json):

{
    "/redfish/v1/managers/1/securityservice": {
        "TLSVersion": {
            "TLS1_0": "Disabled",
            "TLS1_1": "Disabled"
        }
    }
}

And run:
ilorest rawpatch disabletls.json 
iLOrest : RESTful Interface Tool version 4.0.0.0
Copyright (c) 2014-2022 Hewlett Packard Enterprise Development LP
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The operation completed successfully.


Please note that iLO will immediately reboot when you run that command.



I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Marcel_D
Advisor

Re: Cmdlet to disable TLS 1.0 and 1.1 in iLO 5 without OneView

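If a PowerShell script is the thing for you:

# Prompt for the iLO credentials and set the target iLO host name
$ilocred  = Get-Credential
$iloboard = "YOURILOBOARDNAME"

# JSON login body for the Redfish session request
$bodycred = @{
    "UserName" = $ilocred.UserName
    "Password" = $ilocred.GetNetworkCredential().Password
} | ConvertTo-Json

# Create a session; the token comes back in the X-Auth-Token response header
$session = Invoke-WebRequest -Uri "https://$iloboard/redfish/v1/Sessions" -Method Post -Body $bodycred -ContentType "application/json" -UseBasicParsing -ErrorAction Stop
# The header value is a string in Windows PowerShell 5.1 and a string collection in PowerShell 7; take the first value
$AuthHeaders = @{ "X-Auth-Token" = @($session.Headers['X-Auth-Token'])[0] }

# Request body that disables TLS 1.0 and TLS 1.1
$body = '{
    "TLSVersion": {
        "TLS1_0": "Disabled",
        "TLS1_1": "Disabled"
    }
}'

Invoke-WebRequest -Uri "https://$iloboard/redfish/v1/Managers/1/SecurityService/" -Method Patch -Body $body -Headers $AuthHeaders -ContentType "application/json"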
MichelDE
Senior Member

Re: Cmdlet to disable TLS 1.0 and 1.1 in iLO 5 without OneView

I have tried this script from @Marcel_D.
But I receive an error:

 

Invoke-WebRequest:
{
"error": {
"code": "iLO.0.10.ExtendedInfo",
"message": "See @Message.ExtendedInfo for more information.",
"@Message.ExtendedInfo": [
{
"MessageId": "Base.1.18.NoValidSession"
}
]
}
}

 

Do you know what my problem is?

 

Thanks

Cederberg
Honored Contributor

Re: Cmdlet to disable TLS 1.0 and 1.1 in iLO 5 without OneView

The NoValidSession seems to indicate that you failed to log in to the iLO and create the session needed to execute the other command.
Do you use the self-signed SSL certificates on your iLO? PowerShell by default checks for a trusted certificate and fails if you don't trust it.
In PowerShell 7 you can add -SkipCertificateCheck to your Invoke-WebRequest commands, but in earlier versions you need something else to get PowerShell to ignore certificate checks.

MichelDE
Senior Member

Re: Cmdlet to disable TLS 1.0 and 1.1 in iLO 5 without OneView

Hey Cederberg,

Thank you for the reply.

I have tested with the parameter -SkipCertificateCheck. We also use signed certificates from our own CA. The session is displayed correctly in iLO. The connection is created with local admin privs in iLO.

Anyway....

I tested the same configuration with curl and it runs:

$body = '{
    "TLSVersion": {
        "TLS1_0": "Disabled",
        "TLS1_1": "Disabled"
    }
}'
curl -d $body -H 'Content-Type: application/json' -X PATCH "$ILO/redfish/v1/Managers/1/SecurityService/" -u Username:Password
 
Thank you
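
For the original question's goal of running this against several servers, here is an added example (not code from any post in this thread) that reads the current setting first and only sends the PATCH where TLS 1.0 or 1.1 is still enabled, so an already-hardened iLO is not reset again. Assumptions: the host names are constructed placeholders, the login uses the standard Redfish path /redfish/v1/SessionService/Sessions/ rather than the /redfish/v1/Sessions path in the script above, and a GET on the SecurityService resource returns the same TLSVersion object that the PATCH sets.

```powershell
# Added example, not from the thread. Host names are constructed placeholders.
# Assumes GET on SecurityService returns the same TLSVersion object that the
# thread's PATCH body sets.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12  # 5.1 client must use TLS 1.2
$iloHosts = 'ilo-01.example.net', 'ilo-02.example.net'
$cred     = Get-Credential
$want     = @{ TLS1_0 = 'Disabled'; TLS1_1 = 'Disabled' }

foreach ($ilo in $iloHosts) {
    $base  = "https://$ilo"
    $login = @{
        UserName = $cred.UserName
        Password = $cred.GetNetworkCredential().Password
    } | ConvertTo-Json
    try {
        # Redfish login: the token and the session URI come back as response headers.
        $resp = Invoke-WebRequest -Uri "$base/redfish/v1/SessionService/Sessions/" -Method Post `
            -Body $login -ContentType 'application/json' -UseBasicParsing -ErrorAction Stop
        # Header values are a string in Windows PowerShell 5.1, a collection in PowerShell 7.
        $token    = @($resp.Headers['X-Auth-Token'])[0]
        $location = @($resp.Headers['Location'])[0]
        if (-not $token) { throw 'login returned no X-Auth-Token' }
        $headers = @{ 'X-Auth-Token' = $token }

        $uri     = "$base/redfish/v1/Managers/1/SecurityService/"
        $now     = (Invoke-RestMethod -Uri $uri -Headers $headers -ErrorAction Stop).TLSVersion
        $pending = @($want.Keys | Where-Object { $now.$_ -ne $want[$_] })

        if ($pending.Count -eq 0) {
            # Nothing to change: skip the PATCH so the iLO is not reset needlessly, then log out.
            Write-Output "${ilo}: TLS 1.0/1.1 already disabled"
            if ($location) { Invoke-RestMethod -Uri ([uri]::new([uri]$base, $location)) -Method Delete -Headers $headers | Out-Null }
            continue
        }
        Invoke-RestMethod -Uri $uri -Method Patch -Headers $headers `
            -Body (@{ TLSVersion = $want } | ConvertTo-Json) `
            -ContentType 'application/json' -ErrorAction Stop | Out-Null
        # No logout here: per the thread, the iLO reboots as soon as the change is applied.
        Write-Output "${ilo}: PATCH accepted for $($pending -join ', ')"
    }
    catch {
        Write-Warning "${ilo}: $($_.Exception.Message)"
    }
}
```

Certificate validation is left on, so the machine running the script needs to trust the CA that issued the iLO certificates.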