maxim315
Occasional Advisor

SSL Certificate for iLO connection time is so long

Hi.

I have servers with iLO 1, 2, 3. By default iLO uses a self-signed cert. I have an internal CA based on Win 2008R2. So I create a CSR on iLO, retrieve a certificate and then import it on iLO.

On servers with iLO 3 I have no problem. But on servers with iLO 1, 2 I have a VERY (about 5-10 minutes) long connection time to the logon screen and then a VERY long time to log on.

I have noticed that the self-signed cert has md5rsa but my CA has the sha1rsa hash. Could this be the reason? Or something else?

Thanks

Casper42
Respected Contributor

Re: SSL Certificate for iLO connection time is so long

I am not entirely sure, but I would say follow the process starting around the middle of page 44 here and see if that leads you to a certificate that doesn't give you problems.

http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c02845760/c02845760.pdf
maxim315
Occasional Advisor

Re: SSL Certificate for iLO connection time is so long

Thanks for the doc.

I do all the same: click create request, then import the certificate and restart iLO.

The cert installs correctly but the logon process takes so long. Have no idea what's wrong.

The certificate is only 1024 and from the standard WebServer template.

I have installed a certificate from this CA and template on the HP BladeSystem Onboard Administrator and all is OK.

maxim315
Occasional Advisor

Re: SSL Certificate for iLO connection time is so long

Have noticed that in iLO the status is "key generation underway remote console performance may be temporarily diminished". Maybe that is the reason? But I don't know what to do. I have just clicked request certificate.

Oscar A. Perez
Honored Contributor

Re: SSL Certificate for iLO connection time is so long

Every time you try to create a certificate request, iLO needs a new RSA key pair (private key and public key). Generating RSA key pairs is CPU intensive, so it could take minutes.

iLO2 has a 66MHz RISC processor, so key generation in iLO2 could take a long time. Depending on how big the key is, it could take from just 1 minute to 20 minutes (there is a randomness factor in RSA key generation, which is why sometimes one RSA key pair could take a few seconds to generate and the next time it could take up to 20 minutes). 1024-bit RSA key pairs usually take just a couple of minutes to generate. 2048-bit RSA key pairs, on the other hand, could easily take up to 20 minutes to generate.

Because of this, in iLO2 we added a pool where we store a couple of 1024 RSA key pairs plus a couple of 2048 RSA key pairs, so there will always be one ready to be used. If the pool gets depleted (user generates CSRs over and over), or iLO2 is reset to factory defaults, new RSA key pairs will be generated in the background and stored in the pool. As long as the Remote Console remains closed, the background key generation thread would fill up the pool with new RSA keys.

iLO3 and iLO4 have more powerful processors and therefore work differently. They don't need a key pool like iLO2, just one 2048-bit RSA key pair that is ready to be used. If consumed, iLO3/4 will have to generate a new one in the background. It still could take a few minutes to generate.

 




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
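
Added example, not part of the thread and not iLO firmware code: a textbook RSA prime search in Python that counts how many random candidates are tested before two primes are found, which is the "randomness factor" in key generation time described in the post above. The function names, the seed and the use of Miller-Rabin are assumptions of this sketch.

```python
import random

# Odd primes below 2000, used to discard most candidates cheaply.
SMALL_PRIMES = [p for p in range(3, 2000, 2)
                if all(p % d for d in range(3, int(p ** 0.5) + 1, 2))]

def is_probable_prime(n, rng, rounds=20):
    """Trial division followed by Miller-Rabin with random bases."""
    if n < 2:
        return False
    for p in (2, *SMALL_PRIMES):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False      # witness found: n is composite
    return True

def find_prime(bits, rng):
    """Return (prime, candidates_tested); the count is the random part."""
    tested = 0
    while True:
        tested += 1
        # Top two bits set so p*q has exactly 2*bits bits; low bit set (odd).
        c = rng.getrandbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(c, rng):
            return c, tested

def keygen_cost(modulus_bits, rng):
    """Return (modulus bit length, candidates tested for both primes)."""
    p, tp = find_prime(modulus_bits // 2, rng)
    q, tq = find_prime(modulus_bits // 2, rng)
    return (p * q).bit_length(), tp + tq

def candidate_counts(modulus_bits, trials, seed):
    # Seeded PRNG for a repeatable measurement only; never for real keys.
    rng = random.Random(seed)
    return [keygen_cost(modulus_bits, rng)[1] for _ in range(trials)]

if __name__ == "__main__":
    for size in (1024, 2048):
        print(size, candidate_counts(size, trials=5, seed=2013))
```

The counts differ widely from run to run at the same key size, and each test on a 2048-bit modulus works on numbers twice as long, so both the spread and the average cost grow with key size.
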
maxim315
Occasional Advisor

Re: SSL Certificate for iLO connection time is so long

Thanks for your answer. I can accept this "slow key generation" of about 30 min - 1 hour, but the cert was successfully installed a week ago and I still have the "long connection time" issue of about 3-5 minutes. It is not normal.

Oscar A. Perez
Honored Contributor

Re: SSL Certificate for iLO connection time is so long

That doesn't sound right. What servers are these? Are you using the iLO dedicated NIC or the shared NIC? Are the iLOs in a remote location? Is a VPN being used?




maxim315
Occasional Advisor

Re: SSL Certificate for iLO connection time is so long

I have various server models with iLO 2, like ProLiant BL680c G5, ProLiant DL360 G6, ProLiant BL460c G6.

Link type is automatic, DHCP is disabled (static IP), iLO is in our network without VPN.

Oscar A. Perez
Honored Contributor

Re: SSL Certificate for iLO connection time is so long

What firmware version do you have on these iLO2s? Can you capture a network trace showing your browser opening the iLO2 login page on that DL360 G6? No need to log in. Just need to see that TCP traffic. Send me a PM with the capture attached. What browser are you using anyway?




maxim315
Occasional Advisor

Re: SSL Certificate for iLO connection time is so long

iLO ver 2.05. Have tried IE10 on Win 7 x64 and Chrome.

Hmm, I have tried to dump the network traffic. Good idea. Already sending the captured traffic by PM.

Oscar A. Perez
Honored Contributor

Re: SSL Certificate for iLO connection time is so long

I don't see anything wrong in the network trace. However, I did notice a few things that could explain what is happening here.

iLO2 has a limit of 7 simultaneous SSL sessions. Some browsers like to open multiple simultaneous SSL sessions to the target. Apparently, browsers do this in order to download webpages faster.

Also, the iLO2 webserver has a 2-minute timeout for each HTTP/HTTPS session. If no web traffic is seen on one session after 120 seconds, iLO2 will close the socket and free up that SSL session.

If you have something else in that network that is constantly opening SSL connections to your iLOs, your iLOs might not have enough SSL sessions left for you when you use your browser.

Check how many concurrent connections your IE is currently using and try tweaking its values.
http://www.mr2t.com/tweaks-ie-connections

By the way, Chrome is not supported in iLO2.




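
Added example, not part of the thread: a small Python model of the session budget described in the post above (7 simultaneous SSL sessions, 120-second idle timeout), for checking whether a monitoring poller leaves a browser enough free sessions. The poller, its 20-second interval, the 6 parallel browser sessions at t=300 and the refuse-when-full behaviour are assumptions of this sketch.

```python
import heapq

MAX_SESSIONS = 7     # simultaneous SSL sessions iLO2 allows (from the thread)
IDLE_TIMEOUT = 120   # seconds before iLO2 closes an idle session (from the thread)

def simulate(opens, max_sessions=MAX_SESSIONS, idle_timeout=IDLE_TIMEOUT):
    """opens: (time_s, client) pairs for sessions opened and then left idle.
    Returns (time_s, client, accepted) tuples in time order.
    Assumption: a full session table turns the new session away."""
    expiries = []                       # min-heap of slot release times
    outcome = []
    for t, client in sorted(opens):
        while expiries and expiries[0] <= t:
            heapq.heappop(expiries)     # idle timeout freed this slot
        accepted = len(expiries) < max_sessions
        if accepted:
            heapq.heappush(expiries, t + idle_timeout)
        outcome.append((t, client, accepted))
    return outcome

def refused(outcome, client):
    """Number of sessions from `client` that found no free slot."""
    return sum(1 for _, c, ok in outcome if c == client and not ok)

# Constructed scenario: a poller opens a fresh session every 20 s and never
# closes it; at t=300 a browser opens 6 parallel sessions.
POLLER = [(t, "poller") for t in range(0, 300, 20)]
BROWSER = [(300, "browser")] * 6

if __name__ == "__main__":
    print("browser alone:", refused(simulate(BROWSER), "browser"))
    print("with poller:  ", refused(simulate(POLLER + BROWSER), "browser"))
```

In this model a client that abandons sessions holds roughly timeout / interval slots at steady state, so lengthening the poll interval or closing sessions explicitly is what returns slots to interactive users.
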
maxim315
Occasional Advisor

Re: SSL Certificate for iLO connection time is so long

Thanks for the answer.
But with the self-signed cert I have no problem - loading is fast. With the cert from the internal CA I have the speed issue after logon...

Checked the registry parameters - they have default values. I have no problem on other SSL web pages.

Oscar A. Perez
Honored Contributor

Re: SSL Certificate for iLO connection time is so long

iLO2 self-signed certs come with 1024-bit RSA key pairs only.
Doubling the RSA key length means that encryption will be 6-7 times slower. If the imported SSL cert signed by your CA is 2048 bit, then iLO2 is going to take 6-7 times longer to do initial SSL handshakes every time your browser establishes a new SSL session. Since some browsers out there can open up to 6 simultaneous SSL sessions, your iLO2 is going to get really slow, spending most of its time doing nothing but public key encryption computations.

Other SSL webservers have more powerful processors that can handle multiple SSL connections without breaking a sweat. iLO2 is an 8-year-old product designed at a time when 1024-bit RSA was good enough. It has clearly outlived its usefulness.



maxim315
Occasional Advisor

Re: SSL Certificate for iLO connection time is so long

I have installed a 1024 cert from my CA, not a 2048.

Oscar A. Perez
Honored Contributor

Re: SSL Certificate for iLO connection time is so long

Then, forget what I said.

If you remove that cert (by changing iLO hostname), does iLO become faster?




Oscar A. Perez
Honored Contributor

Re: SSL Certificate for iLO connection time is so long

Interesting.

I'm able to reproduce this issue now that I have imported an SSL cert signed by my company CA. I'm debugging it right now.




Oscar A. Perez
Honored Contributor

Re: SSL Certificate for iLO connection time is so long

Ok, I found the bug. We are going to fix it in the next iLO2 release.




Oscar A. Perez
Honored Contributor

Re: SSL Certificate for iLO connection time is so long

Hi Maxim,

Could you please test an iLO2 v2.23 that I've uploaded to my temp FTP site?

ftp://ilo4me:G!v3t2me@ftp.usa.hp.com/iLO2



Oscar A. Perez
Honored Contributor

Re: SSL Certificate for iLO connection time is so long

Hi Maxim,

We fixed your problem in a new iLO2 v2.23 release. It is on the web.

Thanks
Oscar


