HPE Gen10 Security Reference Guide - Common Unity

Part Number: 882428-005
Published: February 2019
Edition: 1

Abstract

This document describes the security and encryption mechanisms available in HPE Gen10 servers and embedded firmware. This document is intended for individuals who are responsible for the secure configuration and operation of HPE servers for their organization.

Copyright 2017, 2019 Hewlett Packard Enterprise Development LP

Notices

The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained computer software.



Importance of security

As threats move from network security to the hardware and firmware layers, HPE Gen10 security features help protect your hardware, firmware, and network components from unauthorized access and unapproved use. HPE offers an array of embedded and optional software and firmware for HPE Gen10 that enables you to institute the best mix of remote access and control for your network and data Gen10 servers are offered with the following security aware components:

HPE iLO 5

The HPE iLO subsystem, a standard component of HPE ProLiant servers, simplifies server setup, health monitoring, power and thermal optimization, and remote server administration.

With an intelligent microprocessor, secure memory, and dedicated network interface, iLO offers varying degrees of encryption and security. Ranging from a standard open level (Production) up to the Federal Information Processing Standard (FIPS) and the Commercial National Security Algorithm (SuiteB/CNSA) security, iLO offers administrators a reliable way to integrate HPE ProLiant servers into existing security environments.

Intelligent Provisioning

Intelligent Provisioning is a single-server deployment tool embedded in ProLiant Gen10 servers and HPE Synergy compute modules that simplifies server setup, providing a reliable way to deploy Provisioning prepares the system for installing original, licensed vendor media and Hewlett Packard Enterprise-branded versions of OS software, and integrates optimized server support software from the Service Pack for ProLiant (SPP).

Intelligent Provisioning also provides an alternative method of configuring HPE iLO 5, including the range of security settings iLO offers.

Smart Update Manager (SUM)

SUM is a tool for firmware and driver maintenance which provides a browser-based GUI or a command-line scriptable interface for increased flexibility and adaptability for your needs. SUM includes a discovery engine that finds the installed hardware and current versions of firmware and software in use on target nodes. SUM identifies associated targets you can update at the same time to avoid interdependency issues. SUM deploys updates in the correct order and ensures that all dependencies are met before deploying an update. If SUM finds version-based dependencies it cannot resolve, SUM prevents deployment.

UEFI System Utilities

The UEFI System Utilities is embedded in the system ROM.

Unified Extensible Firmware Interface (UEFI) defines the interface between the operating system and platform firmware during the boot, or start-up process. UEFI supports advanced pre-boot user interfaces and extended security control. Features such as Secure Boot enable platform vendors to implement an OS-agnostic approach to securing systems in the pre-boot environment. The ROM-Based Setup Utility (RBSU) functionality is available from the UEFI System Utilities along with additional configuration

Gen10 platform security features and licensing

HPE iLO licensing

HPE iLO security features, introduced in Gen10, build on the world's most secure industry standard servers by providing premium security capabilities that protect your Hewlett Packard Enterprise servers from attacks, detect intrusions, and allow you to recover your firmware securely. These features are available on all HPE ProLiant Gen10 Servers with iLO (Standard) is preconfigured on Hewlett Packard Enterprise servers without an additional cost or that enhance productivity are licensed.
