Setting up SSL on Remote Lights Out Cards
In an attempt to improve security and stop sending our passwords in clear text, I recently set up an in-house certificate authority at work. While I'm not going to go through setting up the actual CA (see g-loaded.eu), I am going to go through the steps of getting a few different hardware vendors/types to work with a signed certificate. One thing I learned during this process is that almost every single product, even from the same company, is different.
IBM BladeCenters
> Get the key from the BladeCenter
- Login to the BladeCenter
- Expand “MM Control”
- Click “Network Protocols”
- Click “Secure Shell (SSH) Server”
- Under “SSL for Web Server”, click “Generate a New Server Key and Certificate Signing Request (CSR)”
- You’ll need to fill out the requested information down to SurName, then click “Generate CSR”
- Save the CSR file to your machine, prepending the machine name and a dot (bladecenter.) to the file name to denote where it came from
> SCP the file to root@server:/path/to/your/CA/requests/
> To convert the DER-encoded CSR to a PEM-encoded CSR, within the above folder, run:
cd /path/to/your/CA/requests
openssl req -inform DER -in bladecenter.csr_server.der -out bladecenter.csr.pem -outform PEM
> To sign the request, run:
cd /path/to/your/CA
openssl ca -config openssl.cnf -policy policy_anything -out certs/bladecenter.crt -infiles requests/bladecenter.csr.pem
> To convert the created .crt file to a .der file, run:
cd /path/to/your/CA/certs
openssl x509 -in bladecenter.crt -inform PEM -out bladecenter.crt.der -outform DER
> SCP the cert file (/path/to/your/CA/certs/bladecenter.crt.der) back to your system
> Import the cert into the AMM
- Click “Import a Signed Certificate to the Server”
- Browse for the file you just copied back from server (bladecenter.crt.der)
- Click “Import Server Certificate”
IBM RSA II
> Get the key from the RSA II Controller
- Login to the RSA II Controller
- Click “Security”
- Under “SSL for Web Server”, click “Generate a New Server Key and Certificate Signing Request (CSR)”
- You’ll need to fill out the requested information down to SurName, then click “Generate CSR”
- Save the CSR file to your machine, prepending the machine name and a dot (rsa.) to the file name to denote where it came from
> SCP the file to root@server:/path/to/your/CA/requests/
> To convert the DER-encoded CSR to a PEM-encoded CSR, within the above folder, run:
cd /path/to/your/CA/requests
openssl req -inform DER -in rsa.csr_server.der -out rsa.csr.pem -outform PEM
> To sign the request, run:
cd /path/to/your/CA
openssl ca -config openssl.cnf -policy policy_anything -out certs/rsa.crt -infiles requests/rsa.csr.pem
> To convert the created .crt file to a .der file, run:
cd /path/to/your/CA/certs
openssl x509 -in rsa.crt -inform PEM -out rsa.crt.der -outform DER
> SCP the cert file (/path/to/your/CA/certs/rsa.crt.der) back to your system
> Import the cert into the RSA II Controller
- Click “Import a Signed Certificate to the Server”
- Browse for the file you just copied back from server (rsa.crt.der)
- Click “Import Server Certificate”
HP iLO
> Get the Signing Request from the iLO
- Login to the iLO
- Hover over “Administration”
- Select “Certificate Administration”
- Click “Create Certificate Request”
- Copy the request from the box and paste it into server:/path/to/your/CA/requests/ilo.csr.pem
> To sign the request, run:
cd /path/to/your/CA
openssl ca -config openssl.cnf -policy policy_anything -out certs/ilo.crt -infiles requests/ilo.csr.pem
> Import the cert into the iLO
- Click “Import Certificate”
- Enter the contents of /path/to/your/CA/certs/ilo.crt into the provided box
- Click “Next”
Sun eLOM
> Get the Signing Request from the eLOM
- Login to the eLOM
- Click “Configuration”
- Click “System Management Access”
- Click “SSL Certificate”
- Select “Certificate” and click “Select”
> Generate the request:
cd /path/to/your/CA
openssl req -config openssl.cnf -new -nodes -keyout private/elom.key -out requests/elom.csr -days 365
You'll be asked specific questions about the server's location. Most of the defaults have been set in openssl.cnf; however, you'll need to make sure the domain name (CN) is correct.
> Sign the request:
cd /path/to/your/CA
openssl ca -config openssl.cnf -policy policy_anything -out certs/elom.crt -infiles requests/elom.csr
> Import the Key on the eLOM
- Upload the generated Certificate first (server:/path/to/your/CA/certs/elom.crt)
- Upload the generated Key Second (server:/path/to/your/CA/private/elom.key)
Dell DRAC
> Get the Signing Request from the DRAC
- Login to the DRAC
- Click the “Configuration” tab
- Click the “Security” tab
- Select “Generate a new Certificate Signing Request (CSR)”
- Click “Next”
- Complete the listed fields making sure that the “Common Name” (CN) is the full host name of the console
- Click “Generate” and wait for the request to be generated. When it is complete, a download for “csr.txt” will pop up. Save the file.
- Rename csr.txt to include the hostname of the box, e.g. drac.csr.txt
- SCP the file to root@server:/path/to/your/CA/requests
> To sign the request, run:
cd /path/to/your/CA
openssl ca -config openssl.cnf -policy policy_anything -out certs/drac.crt -infiles requests/drac.csr.txt
> Edit the .crt file to remove everything above the “-----BEGIN CERTIFICATE-----” line
> Save the file with DOS-style line endings, CR-LF (:set ff=dos in vi)
> Import the cert into the DRAC
- Return to “Certificate Management”
- Select “Upload DRAC 4 server certificate”
- Click “Next”
- Select the certificate you just signed
- Click “Upload”
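The DER/PEM conversions the IBM cards need and the DRAC's strip-the-preamble and CR-LF steps can be scripted instead of done by hand in an editor. This is an added example, not part of the original post; the sample input is a constructed stand-in for the certs/drac.crt that openssl ca writes, and its base64 body is a tiny hand-made DER SEQUENCE rather than a real certificate so it runs offline.

```python
import base64
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed stand-in for certs/drac.crt as written by `openssl ca`: a
# human-readable dump sits above the PEM block. The base64 body decodes to a
# 5-byte DER SEQUENCE, not a real certificate (assumption for the example).
SAMPLE_CA_OUTPUT = (
    "Certificate:\n"
    "    Data:\n"
    "        Version: 3 (0x2)\n"
    "        Serial Number: 1 (0x1)\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQU=\n"
    "-----END CERTIFICATE-----\n"
)


def extract_pem(text):
    """Keep only the PEM block; the DRAC uploader rejects the text dump above it."""
    start = text.find(PEM_BEGIN)
    end = text.find(PEM_END, start)
    if start < 0 or end < 0:
        raise ValueError("no PEM certificate block found")
    return text[start:end + len(PEM_END)] + "\n"


def pem_to_der(text):
    """Decode the PEM block to DER bytes, the form the AMM / RSA II importers take."""
    body = extract_pem(text).splitlines()[1:-1]
    der = base64.b64decode("".join(body), validate=True)
    # Every X.509 certificate is an ASN.1 SEQUENCE, whose DER tag byte is 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der


def der_to_pem(der):
    """Wrap DER bytes as a PEM block with the usual 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_BEGIN] + lines + [PEM_END]) + "\n"


def prepare_for_drac(text):
    """Strip the preamble and use CR-LF line endings (the ':set ff=dos' step)."""
    return extract_pem(text).replace("\r\n", "\n").replace("\n", "\r\n")


if __name__ == "__main__":
    # Hypothetical usage: lom_cert.py drac|der IN OUT
    mode, src, dst = sys.argv[1:4]
    data = open(src, "rb").read().decode("ascii")
    out = prepare_for_drac(data).encode("ascii") if mode == "drac" else pem_to_der(data)
    open(dst, "wb").write(out)
```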