I have several iLO5's all running v3.01 firmware but they don't all have the same options for security state under encryption options. I would like to configure all for "high security" but some only have FIPS/CNSA options. The reason I need "high security" is because a Qualys vulnerability scan flags the FIPS iLOs with missing "strict-security-header for HTTP" but the iLOs configured with "high security" somehow aren't flagged for this even though my understanding is that FIPS should be a more secure option? I guess, the other option would be to figure out how to enable "strict security headers" on the FIPS iLOs but seems easier to try to get "high security" option going first. Any ideas?
Thanks,
Hello,
1. Please find the below options available in iLO 3.01
iLO Security States:
https://support.hpe.com/hpesc/public/docDisplay?docId=a00105236en_us&docLocale=en_US&page=GUID-258790EA-BD83-434C-809A-C150AD70946B.html
Enabling the High Security security state:
https://support.hpe.com/hpesc/public/docDisplay?docId=a00105236en_us&docLocale=en_US&page=GUID-AB1DA160-6EC8-4FE8-B646-8BF975DFC816.html
2. If the option is not available, please reset iLO.
iLO web interface
Use the Reset button on the Diagnostics page.
Thanks.

Hello,
I just checked an iLO 5 running 3.01 in the lab environment I have access to and it does have the High Security option.
I think one thing being overlooked here is the CURRENT security state. On the one that does not list High Security or Production you have it currently set for FIPS. When in FIPS or CNSA you cannot go back to High Security or Production. You must factory reset the iLO in order to get access back.
Regards
Also, prior to a factory reset, I would make sure you have the default password noted and the license key (if you have an additional license) as these will be lost.
Regards
I was afraid of that answer. I can certainly reset it but it's a PITA because the server(s) are in a colo center over 1 hour away. My fear is that it won't fix my problem with Qualys. Does it make sense that an iLO5 with latest firmware and running in FIPS mode would not have HTTP security headers enabled?? Below is the specific issue I am running into:
Qualys Scan / QID: 11827 / Category: CGI
RESULTS: Strict-Transport-Security HTTP Header missing on port 443.
GET / HTTP/1.1
Host: ilo5-myserver.mydomain.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 11007
Connection: keep-alive
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval';
Date: Wed, 14 Feb 2024 00:47:34 GMT
ETag: "8001af65"
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Hello,
I believe all that should be required to get HSTS to work correctly is to perform the following:
1. Ensure you have a CA signed cert installed onto the iLO's
2. Enable the option under the "Remote Console and Media" -> Security section for "IRC requires a trusted certificate in iLO"
Regards
I already have GoDaddy signed certs on these units so step #1 is good. Now I just enabled the setting that you suggested. Next step is to wait because our auditing firm runs these scans only once a month and they just ran a cycle. I promise to post back with results after the next scan.
Thank you!
Hello,
I tested this out in my lab environment and I was able to enable HSTS using the procedure I indicated above. Using Nmap, I issued the following:
nmap -p 443 --script http-security-headers <iLO IP address>
This came back with the following result:
443/tcp open https
| http-security-headers:
| Strict_Transport_Security:
| HSTS not configured in HTTPS Server
I installed the cert from the CA and enabled the "IRC requires a trusted certificate in iLO" option. These are the results now:
443/tcp open https
| http-security-headers:
| Strict_Transport_Security:
| Header: Strict-Transport-Security: max-age=31536000; includeSubDomains
Regards
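For anyone who wants to check the header set themselves without waiting for the monthly Qualys cycle, here is an added example (not HPE, Qualys or nmap code, and not from anyone in this thread) that parses a raw HTTP response such as the one quoted in the QID 11827 finding above, lists which of the scanner-checked security headers are missing, and validates the Strict-Transport-Security value the nmap run above reported after the fix. Both sample responses are constructed from the captures in this thread; the header list and the 31536000-second minimum are assumptions based on what the scans here looked for.

```python
"""Check an HTTP response's security headers, in particular HSTS.

Added example for this thread (not HPE's, Qualys's or nmap's code). It parses
raw response headers like the ones quoted in the Qualys finding, reports which
security headers a scanner typically expects are missing, and validates the
Strict-Transport-Security directive. Sample responses are constructed from the
thread's captures.
"""
from typing import Dict, List, Optional, Tuple

# Headers the scans in this thread looked for (assumed list for the example)
SECURITY_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "X-XSS-Protection",
)

# Constructed from the Qualys capture in the thread (HSTS header absent)
BEFORE = """HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 11007
Connection: keep-alive
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval';
Date: Wed, 14 Feb 2024 00:47:34 GMT
ETag: "8001af65"
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
"""

# Same response with the HSTS header nmap reported after the trusted-cert fix
AFTER = BEFORE + "Strict-Transport-Security: max-age=31536000; includeSubDomains\n"


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse 'Name: value' lines after the status line; names are lower-cased."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the HTTP status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def missing_security_headers(raw: str) -> List[str]:
    """Return the expected security headers that are absent from the response."""
    present = parse_headers(raw)
    return [h for h in SECURITY_HEADERS if h.lower() not in present]


def hsts_policy(raw: str, min_age: int = 31536000) -> Tuple[bool, Optional[int], bool]:
    """Return (acceptable, max_age, includeSubDomains) for the HSTS header.

    'acceptable' means the header exists and max-age is at least min_age
    (one year, the value the iLO in the thread sent after the fix).
    """
    value = parse_headers(raw).get("strict-transport-security")
    if value is None:
        return (False, None, False)
    max_age: Optional[int] = None
    include_sub = False
    for directive in value.split(";"):
        d = directive.strip()
        if d.lower().startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                max_age = None  # malformed max-age counts as not configured
        elif d.lower() == "includesubdomains":
            include_sub = True
    return (max_age is not None and max_age >= min_age, max_age, include_sub)


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, "missing:", missing_security_headers(raw))
        print(label, "HSTS:", hsts_policy(raw))
```

To use it against a real iLO, replace the constructed samples with the raw response headers you capture from the unit (for example the output of `curl -skI https://<iLO host>/`) and read the two results: the "missing" list should come back empty and the HSTS tuple should show a max-age of at least a year once the trusted certificate option is in effect.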
All my iLOs tested good for HSTS with nmap.
Thank you!