iLO security states
Production (default)
When iLO is set to this security state:
iLO uses the factory default encryption settings.
The system maintenance switch setting to bypass iLO security (sometimes called the iLO Security Override switch) disables the password requirement for logging in to iLO.
Remote console data uses AES-128 bidirectional encryption.
High Security
When iLO is set to this security state:
iLO enforces the use of AES ciphers over the secure channels, including secure HTTP transmissions through the following:
- Browser
- SSH port
- iLO RESTful API
- RIBCL
Use a supported cipher to connect to iLO through these secure channels. This security state does not affect communications and connections over less-secure channels.
User name and password restrictions for the following commands executed from the host system are enforced:
- iLO RESTful API
- RIBCL
Remote console data uses AES-128 bidirectional encryption.
The HPQLOCFG utility negotiates an SSL connection to iLO and then uses the strongest available cipher to send RIBCL scripts to iLO over the network.
You cannot connect to the server with network-based tools that do not support TLS 1.2.
The system maintenance switch setting to bypass iLO security (sometimes called the iLO Security Override switch) does not disable the password requirement for logging in to iLO.
FIPS
The FIPS security state might be required for Common Criteria compliance, Payment Card Industry compliance, or other standards.
When iLO is set to this security state:
iLO operates in a mode intended to comply with the requirements of FIPS 140-2 level 1.
FIPS is a set of computer security standards that are mandated for use by United States government agencies and contractors.
The FIPS security state is not the same as FIPS validated. FIPS validated refers to software that received validation by completing the Cryptographic Module Validation Program.
iLO enforces the use of AES ciphers over the secure channels, including secure HTTP transmissions through the following:
- Browser
- SSH port
- iLO RESTful API
- RIBCL
Use a supported cipher to connect to iLO through these secure channels. This security state does not affect communications and connections over less-secure channels.
User name and password restrictions for the following commands executed from the host system are enforced:
- iLO RESTful API
- RIBCL
Remote console data uses AES-128 bidirectional encryption.
The HPQLOCFG utility negotiates an SSL connection to iLO and then uses the strongest available cipher to send RIBCL scripts to iLO over the network.
You cannot connect to the server with network-based tools that do not support TLS 1.2.
The system maintenance switch setting to bypass iLO security (sometimes called the iLO Security Override switch) does not disable the password requirement for logging in to iLO.
CNSA
The CNSA security state (also called SuiteB mode) is available only when the FIPS security state is enabled.
When iLO is set to this security state:
iLO operates in a mode intended to comply with the CNSA requirements defined by the NSA.
iLO operates in a mode intended to secure systems that hold United States government top secret classified data.
You cannot connect to the server with network-based tools that do not support TLS 1.2.
The system maintenance switch setting to bypass iLO security (sometimes called the iLO Security Override switch) does not disable the password requirement for logging in to iLO.
Any software or utility that you use to connect to iLO must be CNSA-compliant.
For example:
- Firmware update utilities
- SSH clients
- HPE and third-party scripting and command-line tools
- HPE and third-party management tools
- AlertMail, syslog, LDAP, or key manager servers
- Remote support software
Make sure that you use the HTML5 remote console. This console enforces the use of AES-256-bit CNSA-compliant ciphers. The .NET IRC and the Java IRC are not CNSA-compliant.
To verify compliance, check with your software vendor or use a utility such as Wireshark.
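As an added illustration that is not part of the HPE documentation, the following Python probe records the protocol and cipher an iLO negotiates with a TLS 1.2+ client and checks them against the states described above. The CNSA cipher list is an assumption drawn from the CNSA suite (AES-256-GCM with SHA-384), not from this page, and the host name is a placeholder.

```python
"""Probe which TLS version and cipher an iLO endpoint negotiates and
judge the result against the iLO security states described above."""
import socket
import ssl

# Assumption: CNSA Suite TLS cipher suites (AES-256-GCM with SHA-384) in
# OpenSSL notation. Not taken from the iLO documentation.
CNSA_CIPHERS = {
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_AES_256_GCM_SHA384",  # TLS 1.3 suite name
}


def classify(protocol: str, cipher: str) -> dict:
    """Map a negotiated (protocol, cipher) pair to the iLO states it satisfies.
    protocol is e.g. 'TLSv1.2'; cipher is the OpenSSL cipher name."""
    tls12_or_newer = protocol in ("TLSv1.2", "TLSv1.3")
    uses_aes = "AES" in cipher.upper()
    return {
        "protocol": protocol,
        "cipher": cipher,
        # High Security and FIPS: TLS 1.2 or newer with an AES cipher.
        "high_security_or_fips": tls12_or_newer and uses_aes,
        # CNSA: additionally AES-256-GCM/SHA-384 (assumed suite list above).
        "cnsa": tls12_or_newer and cipher in CNSA_CIPHERS,
    }


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Perform one TLS handshake with iLO and report what was negotiated.
    Certificate verification is disabled because this only inspects the
    cipher negotiation; it is not a trust check of the iLO certificate."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, _bits = tls.cipher()
            return classify(tls.version(), name)


if __name__ == "__main__":
    import sys
    # Placeholder host; pass your iLO address on the command line.
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "ilo.example.invalid"))
```

A client whose strongest offer is AES-128 will pass the High Security/FIPS check but fail the CNSA check, which is the case the page warns about for non-CNSA-compliant tools.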
Synergy Security Mode
A special security state used by supported devices. You cannot change the security state on a device that uses this mode.