ProLiant Servers (ML,DL,SL)

iLO5 v3.01 missing "high security" encryption mode
SOLVED
tato386
Advisor


I have several iLO5s, all running v3.01 firmware, but they don't all have the same options for security state under encryption options. I would like to configure all of them for "high security" but some only have FIPS/CNSA options. The reason I need "high security" is because a Qualys vulnerability scan flags the FIPS iLOs with missing "strict-security-header for HTTP", but the iLOs configured with "high security" somehow aren't flagged for this, even though my understanding is that FIPS should be a more secure option? I guess the other option would be to figure out how to enable "strict security headers" on the FIPS iLOs, but it seems easier to try to get the "high security" option going first. Any ideas?

[Attached screenshots: iLO5-1.png, iLO5-2.png]

Thanks,
Diego
ManBha
HPE Pro

Re: iLO5 v3.01 missing "high security" encryption mode

Hello,

1. Please find the below options available in iLO 3.01

iLO Security States:
https://support.hpe.com/hpesc/public/docDisplay?docId=a00105236en_us&docLocale=en_US&page=GUID-258790EA-BD83-434C-809A-C150AD70946B.html
Enabling the High Security security state :
https://support.hpe.com/hpesc/public/docDisplay?docId=a00105236en_us&docLocale=en_US&page=GUID-AB1DA160-6EC8-4FE8-B646-8BF975DFC816.html


2. If the option is not available, please reset iLO.

iLO web interface
Use the Reset button on the Diagnostics page.

Thanks.

I work for HPE.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]


thutchings
HPE Pro

Re: iLO5 v3.01 missing "high security" encryption mode

Hello,

I just checked an iLO 5 running 3.01 in the lab environment I have access to and it does have the High Security option.

I think one thing being overlooked here is the CURRENT security state. On the one that does not list High Security or Production you have it currently set for FIPS. When in FIPS or CNSA you cannot go back to High Security or Production. You must factory reset the iLO in order to get access back.

https://support.hpe.com/hpesc/public/docDisplay?docId=a00105236en_us&docLocale=en_US&page=GUID-D7147C7F-2016-0901-06D0-000000000E35.html

Regards



I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
thutchings
HPE Pro

Re: iLO5 v3.01 missing "high security" encryption mode

Also, prior to a factory reset, I would make sure you have the default password noted and the license key (if you have an additional license) as these will be lost.

Regards

tato386
Advisor

Re: iLO5 v3.01 missing "high security" encryption mode

I was afraid of that answer. I can certainly reset it, but it's a PITA because the server(s) are in a colo center over 1 hour away. My fear is that it won't fix my problem with Qualys. Does it make sense that an iLO5 with the latest firmware and running in FIPS mode would not have HTTP security headers enabled? Below is the specific issue I am running into:

Qualys Scan  /  QID: 11827 / Category: CGI

RESULTS:  Strict-Transport-Security HTTP Header missing on port 443.

GET / HTTP/1.1
Host: ilo5-myserver.mydomain.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0


HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 11007
Connection: keep-alive
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval';
Date: Wed, 14 Feb 2024 00:47:34 GMT
ETag: "8001af65"
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block

Thanks,
Diego
thutchings
HPE Pro
Solution

Re: iLO5 v3.01 missing "high security" encryption mode

Hello,

I believe all that should be required to get HSTS to work correctly is to perform the following:

1. Ensure you have a CA-signed cert installed on the iLOs.

2. Enable the option under the "Remote Console and Media" -> Security section for "IRC requires a trusted certificate in iLO".

Regards

tato386
Advisor

Re: iLO5 v3.01 missing "high security" encryption mode

I already have GoDaddy-signed certs on these units, so step #1 is good. Now I just enabled the setting that you suggested. The next step is to wait, because our auditing firm runs these scans only once a month and they just ran a cycle. I promise to post back with results after the next scan.

Thank you!

Thanks,
Diego
thutchings
HPE Pro

Re: iLO5 v3.01 missing "high security" encryption mode

Hello,

I tested this out in my lab environment and I was able to enable HSTS using the procedure I indicated above. Using Nmap, I issued the following:

nmap -p 443 --script http-security-headers <iLO IP address>

This came back with the following result:

443/tcp open https
| http-security-headers:
| Strict_Transport_Security:
| HSTS not configured in HTTPS Server

I installed the cert from the CA and enabled the "IRC requires a trusted certificate in iLO" option. These are the results now:

443/tcp open https
| http-security-headers:
| Strict_Transport_Security:
| Header: Strict-Transport-Security: max-age=31536000; includeSubDomains


Regards

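The same check thutchings ran with nmap, as an added example that is not part of the original thread and not HPE tooling: a small Python script that parses a raw HTTP response head and grades the Strict-Transport-Security and Content-Security-Policy headers (plus X-Content-Type-Options and X-Frame-Options). The "before" sample is the Qualys capture quoted earlier in the thread; the "after" sample is constructed by adding the HSTS header the nmap run reported. The one-year max-age threshold and the fetch_head helper are assumptions of this example, not Qualys rules. fetch_head uses the system CA bundle, so an iLO whose certificate is not trusted fails the TLS handshake before any header is read, which is the same precondition the fix in this thread depends on.

```python
"""Grade HTTP security headers from an HTTPS management interface such as iLO.

Added example; not HPE code and not part of the original thread.
"""
import http.client
import ssl

# Constructed sample: the pre-fix iLO response as the Qualys finding quotes it
# (no Strict-Transport-Security header).
PRE_FIX_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 11007\r\n"
    "Connection: keep-alive\r\n"
    "Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval';\r\n"
    "Date: Wed, 14 Feb 2024 00:47:34 GMT\r\n"
    'ETag: "8001af65"\r\n'
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: sameorigin\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
)

# Constructed: the same response with the HSTS header nmap reported after the fix.
POST_FIX_RESPONSE = PRE_FIX_RESPONSE.replace(
    "\r\n\r\n",
    "\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n",
    1,
)

MIN_HSTS_MAX_AGE = 31536000  # one year; assumed baseline, not a Qualys threshold


def parse_head(raw):
    """Split a raw HTTP/1.x response head into (status line, {lower-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def check_hsts(headers, min_age=MIN_HSTS_MAX_AGE):
    """Return (verdict, detail) for Strict-Transport-Security."""
    value = headers.get("strict-transport-security")
    if value is None:
        return "FAIL", "Strict-Transport-Security header missing (Qualys QID 11827)"
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return "FAIL", "HSTS max-age missing or malformed: %r" % value
    if max_age < min_age:
        return "WARN", "HSTS max-age=%d is below %d" % (max_age, min_age)
    if "includesubdomains" not in directives:
        return "WARN", "HSTS present but without includeSubDomains"
    return "PASS", "HSTS max-age=%d with includeSubDomains" % max_age


def check_csp(headers):
    """Flag script-src policies that permit inline or eval'd script."""
    value = headers.get("content-security-policy")
    if value is None:
        return "FAIL", "Content-Security-Policy header missing"
    weak = [kw for kw in ("'unsafe-inline'", "'unsafe-eval'") if kw in value]
    if weak:
        return "WARN", "CSP allows " + ", ".join(weak)
    return "PASS", "CSP present without unsafe-* script sources"


def grade(raw):
    """Grade one raw response head; returns {check: (verdict, detail)}."""
    _, headers = parse_head(raw)
    nosniff = headers.get("x-content-type-options", "").lower() == "nosniff"
    xfo = headers.get("x-frame-options", "").lower() in ("deny", "sameorigin")
    return {
        "hsts": check_hsts(headers),
        "csp": check_csp(headers),
        "x-content-type-options": ("PASS" if nosniff else "FAIL", "nosniff" if nosniff else "missing"),
        "x-frame-options": ("PASS" if xfo else "FAIL", headers.get("x-frame-options", "missing")),
    }


def fetch_head(host, port=443, timeout=10):
    """Live variant: GET / over TLS with the system CA bundle (not run offline).
    An untrusted iLO certificate raises ssl.SSLCertVerificationError here."""
    conn = http.client.HTTPSConnection(
        host, port, timeout=timeout, context=ssl.create_default_context())
    try:
        conn.request("GET", "/", headers={"User-Agent": "hsts-check/1.0"})
        resp = conn.getresponse()
        return "HTTP/1.1 %d %s" % (resp.status, resp.reason), {
            k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


if __name__ == "__main__":
    for label, raw in (("before fix", PRE_FIX_RESPONSE), ("after fix", POST_FIX_RESPONSE)):
        print(label)
        for check, (verdict, detail) in grade(raw).items():
            print("  %-24s %-4s %s" % (check, verdict, detail))
```

Run it as-is to see the before/after grades for the embedded samples; to scan a real iLO, feed the result of fetch_head(host) into check_hsts and check_csp. Note that the CSP the iLO serves still allows 'unsafe-inline' and 'unsafe-eval' for script-src, which this grader reports as a warning even after HSTS is present; that is a property of the iLO firmware, not something the settings discussed in this thread change.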
tato386
Advisor

Re: iLO5 v3.01 missing "high security" encryption mode

All my iLOs tested good for HSTS with nmap.

Thank you!

Thanks,
Diego
Sunitha_Mod
Moderator

Re: iLO5 v3.01 missing "high security" encryption mode

Hello @tato386,

Perfect! 

We are glad to know the problem has been resolved. 



Thanks,
Sunitha G
I'm an HPE employee.