- Community Home
- >
- Servers and Operating Systems
- >
- HPE ProLiant
- >
- ProLiant Servers (ML,DL,SL)
- >
- Re: ilo redfish
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-07-2021 09:19 AM
01-07-2021 09:19 AM
I'm trying to find in the iLO Redfish documentation how to disable snmp v1, but not having any luck. Does anyone know if this is possible?
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-08-2021 02:16 AM
01-08-2021 02:16 AM
Re: ilo redfish
I figured out that sending:
curl --insecure --header "X-Auth-Token: ${iLOAuth}" --request GET ${iLOSSO}/redfish/v1/Managers/1/snmpservice | jq -r '.SNMPv1Enabled'
gets me the value true. Now, I just need to figure out how to set it to false? I tried running the above adding "/SNMPv1Enabled" to the end of the GET, but get back "ResourceMissingAtURI. My hope was that if that worked, I could just change the GET to a PUT and add a "false" as data. Any ideas?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-08-2021 03:28 PM
01-08-2021 03:28 PM
Re: ilo redfish
For OneView, the only way to disable SNMPv1 is to put it into FIPS or CNSA mode. Keep in mind that once you do, any legacy iLO or other resource OneView requires SNMP to manage (i.e. external SAN manager) is no longer be manageable unless you configure SNMPv3 with it.
This is the current iLO Redfish documentation. I don't see a method to changing the SNMPv1 status of an iLO4 or iLO5 device. I'll reach out to some iLO engineers and find out the answer.
I am an HPE employee
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-09-2021 05:10 AM
01-09-2021 05:10 AM
Re: ilo redfish
Thanks Chris. I guess at the very least if I change the snmp v1 community name to some random string, then at least we can say that their ability to discover what type of device they are attacking is severly hampered? I'll look into how to change the community string via the oneview API on Monday.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-25-2021 02:50 AM
02-25-2021 02:50 AM
Re: ilo redfish
Sorry, took me a little while to get back to this. Found a way to return the current community string, but it is a read only value. Does not appear to be a method to set the SNMP v1 community string?
curl --insecure --header "X-Auth-Token: ${iLOAuth}" --request GET ${iLOSSO}/redfish/v1/Managers/1/snmpservice | jq -r '.ReadCommunities'
Gets an array with the currently set community strings. We have hundreds of DL380 and 560 servers. I'd like a scripted way to set the community string either through the iLO API, or OneView API. Anyone know if it is possible?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-08-2021 11:05 AM
03-08-2021 11:05 AM
Re: ilo redfish
Sorry for the late reply. Here is a sample script we developed you can use to change the SNMP communities. It is a Python script, but you should be able to pick apart the API calls to make it a BASH shell script with cURL.
I am an HPE employee
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-09-2021 05:14 AM
03-09-2021 05:14 AM
SolutionHi Chris,
Figured it out!
First, I get OneView session credentials then extract a list of all current hardware. Then run:
echo '{"ReadCommunities": ["jlsf9879j#(*UjOUEO8(&(#(","",""]}' | jq -c '.' > snmp-communities
HARDW=extracted-hardware-list
for SERVER in server{1..100)-ilo ; do
UUID=$(jq -r '.members[] | select(.name="'${SERVER}'") | "\(.uuid)"' ${HARDW})
read iLOSSO iLOAuth <<< $(curl --insecure --header "X-API-Version: ${currentVersion}" \
--header "auth: ${sessionID}" \
--request GET ${OneView}/rest/server-hardware/${UUID}/remoteConsoleUrl | \
jq -r '.remoteConsoleUrl' | sed -e 's|hplocons|https|' -e 's|addr=||' \
-e 's|^\(.*\)&sessionkey=\(.*\)$|\1 \2|')
curl --insecure \
--header "X-Auth-Token: ${iLOAuth}" \
--header "Content-Type: application/json" \
--location --include --data "@snmp-communities" \
--request PATCH ${iLOSSO}/redfish/v1/Managers/1/snmpservice
done
I was able to get several hundred servers done in a few minutes!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-11-2022 02:01 AM - edited 05-11-2022 02:02 AM
05-11-2022 02:01 AM - edited 05-11-2022 02:02 AM
Re: ilo redfish
Note: The previous answer just changed the snmp v1 community string to something other than public. I have since figured out how to just disable snmp v1. Run:
HARDW=extracted-hardware-list
for SERVER in server{1..100)-ilo ; do
UUID=$(jq -r '.members[] | select(.name="'${SERVER}'") | "\(.uuid)"' ${HARDW})
read iLOSSO iLOAuth <<< $(curl --insecure --header "X-API-Version: ${currentVersion}" \
--header "auth: ${sessionID}" \
--request GET ${OneView}/rest/server-hardware/${UUID}/remoteConsoleUrl | \
jq -r '.remoteConsoleUrl' | sed -e 's|hplocons|https|' -e 's|addr=||' \
-e 's|^\(.*\)&sessionkey=\(.*\)$|\1 \2|')
curl --silent --insecure \
--header "X-Auth-Token: ${iLOAuth}" \
--header "Content-Type: application/json" \
--location --data "@snmp" \
--request PATCH ${iLOSSO}/redfish/v1/Managers/1/networkprotocol | jq -r '.'
curl --silent --insecure \
--header "X-Auth-Token: ${iLOAuth}" \
--header "Content-Type: application/json" \
--location --data "@snmpv1" \
--request PATCH ${iLOSSO}/redfish/v1/Managers/1/SnmpService | jq -r '.'
curl --silent --insecure \
--header "X-Auth-Token: ${iLOAuth}" \
--header "Content-Type: application/json" \
--location --data "@resetiLO" \
--request PATCH ${iLOSSO}/redfish/v1/Managers/1/Actions/Manager.Reset | jq -r '.'
done