
FusionServer G5500 Server iBMC (V300 or Later) User Guide 04

Security Management

Security Features

The iBMC security is ensured from the following aspects:

  • Isolation between the management plane and the service plane

    A server generally has two network planes: management plane and service plane. The iBMC ensures only the security of the management plane. The security of the service and control planes is ensured by other server components or the customer's solution.

    The Network Controller Sideband Interface (NC-SI) allows the iBMC and the service plane to share the same network interface card (NIC). Although the management and service planes share a physical network port, they are logically isolated by VLANs and are invisible to each other.
    NOTE:
    Only the G560 V5 supports NC-SI.

    On the iBMC WebUI, choose Configuration > Network to configure the network port sharing and isolation between the management plane and the service plane. For details, see Network.

  • Protocol and port protection against attacks

    The iBMC provides the minimum required network service ports. By default, unnecessary services are disabled, network service ports for debugging are disabled during server normal operation, and network ports for insecure protocols are disabled.

    The server supports the following services: Web, Secure Shell (SSH), Remote Control, SNMP Agent, and RMCP/RMCP+. The Remote Management Control Protocol (RMCP) is disabled by default. To change the settings, choose Configuration > Services on the iBMC WebUI. For details, see Services.

  • Condition-based login restrictions

    The iBMC restricts web access based on user roles and login rules. A role specifies rights of a user, and login rules implement time- and location-based access.

    A maximum of three login rules can be configured. Each login rule contains three conditions: login duration, source IP address segment, and source MAC address segment. A login rule is complied with only when all three conditions are met. Logged-in users are forcibly logged out once the login duration expires.

    By default, login rules are not applied to users. If required, login rules can be applied to local users and LDAP users, but not to the emergency administrator account. Users who comply with any one of three rules can log in to the iBMC.

    NOTE:

    The user with ID 1 is a reserved user defined in IPMI specifications. This user has no rights and is not allowed to log in to the iBMC.

    To configure login rules, choose Configuration > Local Users on the iBMC WebUI. For details, see Local Users.
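
The rule logic described above (three conditions per rule, all of which must hold; up to three rules; any one satisfied rule permits login; no rules means unrestricted), worked through as an added Python example that is not iBMC code. The rule model, the reading of "login duration" as a daily time window, and the sample rules are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

# Hypothetical model of one iBMC login rule (constructed here, not iBMC code).
# The guide names three conditions: login duration, source IP segment and source
# MAC segment; the duration is modelled as a daily time window (assumption).
@dataclass
class LoginRule:
    start: time        # start of the permitted login window (local time)
    end: time          # end of the permitted login window
    ip_segment: str    # permitted source IP segment in CIDR form
    mac_prefix: str    # permitted source MAC segment, given as a prefix

MAX_RULES = 3          # the iBMC allows at most three login rules

def _in_window(now: time, start: time, end: time) -> bool:
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end          # window that crosses midnight

def rule_matches(rule: LoginRule, now: datetime, src_ip: str, src_mac: str) -> bool:
    """A rule is complied with only when all three of its conditions are met."""
    in_time = _in_window(now.time(), rule.start, rule.end)
    in_ip = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.ip_segment, strict=False)
    in_mac = src_mac.lower().startswith(rule.mac_prefix.lower())
    return in_time and in_ip and in_mac

def login_permitted(rules, now: datetime, src_ip: str, src_mac: str) -> bool:
    """No rules applied means unrestricted (the default); otherwise any one rule suffices."""
    if len(rules) > MAX_RULES:
        raise ValueError("at most %d login rules can be configured" % MAX_RULES)
    if not rules:
        return True
    return any(rule_matches(r, now, src_ip, src_mac) for r in rules)

# Constructed sample rules: office hours from the management LAN, or a night-shift
# window from a single jump-host address.
SAMPLE_RULES = [
    LoginRule(time(8, 0), time(18, 0), "10.1.0.0/16", "00:1e:10"),
    LoginRule(time(22, 0), time(6, 0), "10.1.200.7/32", "00:1e:10:aa"),
]

if __name__ == "__main__":
    print(login_permitted(SAMPLE_RULES, datetime(2018, 10, 31, 9, 0), "10.1.2.3", "00:1E:10:AA:BB:CC"))
```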

  • User account security

    User account security settings include the password complexity rule, password validity period, number of restricted previous passwords, and maximum number of login failures before account lockout.

    The password validity period (in days) applies to all local users. A user can log in to the iBMC only within the validity period. When the user password has expired, the user is not allowed to log in to the iBMC, but a user who is already logged in when the password expires can continue using the iBMC until the next logout.

    The password validity period can be set to a value from 0 to 365. The value 0 indicates that the password will never expire. The validity period starts from the date on which a user is created and is counted in calendar days, so days on which the server is powered off are included. If the iBMC system time is changed, the iBMC automatically updates the start time of the validity period for each user password accordingly. When the remaining password validity period is 10 days or fewer, the iBMC displays the message "Password will expire after xx days. Please change the password immediately!" when the user logs in to the iBMC WebUI. After a user password has expired, the iBMC records a security log.

    To change user account security settings, choose Configuration > Security on the iBMC WebUI. For details, see Security Settings.

    The iBMC provides the following password-related features:

    • The password of the emergency administrator has no expiry date.
    • The password of the iBMC administrator can be changed on the basic input/output system (BIOS). By default, the user with ID 2 on the BIOS is the iBMC administrator.
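
The validity-period rules above (0 to 365 days, 0 meaning never, counted from user creation including powered-off days, a warning at 10 days or fewer, and the start time moving with the system clock), as an added Python example that is not iBMC code. The exact expiry boundary (no whole days remaining) and the login-denied message text are assumptions of this example.

```python
from datetime import date

NEVER_EXPIRES = 0      # validity period 0 means the password never expires
MAX_VALIDITY = 365     # upper bound of the validity period in days
WARN_DAYS = 10         # warning shown at login when 10 days or fewer remain

def remaining_days(created: date, validity_days: int, today: date):
    """Calendar days left in the validity period, or None when expiry is disabled.
    Calendar days are counted, so days on which the server was powered off count too."""
    if not NEVER_EXPIRES <= validity_days <= MAX_VALIDITY:
        raise ValueError("validity period must be between 0 and 365 days")
    if validity_days == NEVER_EXPIRES:
        return None
    return validity_days - (today - created).days

def password_status(created: date, validity_days: int, today: date):
    """Return (state, login message). Assumption of this example: the password
    counts as expired once no whole days remain, i.e. remaining_days() <= 0."""
    left = remaining_days(created, validity_days, today)
    if left is None or left > WARN_DAYS:
        return "valid", None
    if left <= 0:
        # Login is denied and the iBMC records a security log; message text is constructed.
        return "expired", "Password has expired. Login denied."
    return "expiring", "Password will expire after %d days. Please change the password immediately!" % left

def rebase_start(created: date, old_now: date, new_now: date) -> date:
    """When the iBMC system time is changed, the start of the validity period moves
    by the same offset, so the number of remaining days is preserved."""
    return created + (new_now - old_now)

# Constructed example: user created on 2018-01-01 with a 90-day validity period.
if __name__ == "__main__":
    print(password_status(date(2018, 1, 1), 90, date(2018, 3, 25)))
```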
  • Certificate management

    The iBMC supports management of Secure Sockets Layer (SSL) and LDAP certificates.

    On the iBMC WebUI, administrators can update the SSL certificates, whereas other users can only view basic certificate information. For security purposes, it is recommended that the factory certificate and key pair be replaced promptly with a customized certificate and its own public and private key pair.

    To manage an SSL certificate, choose Configuration > SSL Certificate on the iBMC WebUI. For details, see SSL Certificate.

    The iBMC supports import of an LDAP certificate, which makes LDAP data transmission confidential and secure. To import an LDAP certificate, choose Configuration > LDAP on the iBMC WebUI. For details, see LDAP Settings.

  • Operation log management

    The iBMC records all non-query operations performed on the iBMC. The operation logs are classified into Linux system process logs and user process logs. Each user process log contains the time when the operation was performed, the interface on which the operation was performed, source IP address, user name, and operation.

    An operation log file is automatically backed up when the file size reaches 200 KB. The system supports only one backup operation log file. If there is more than one backup operation log file, the earliest operation log file will be deleted.

    To view, export, and manage operation logs, choose System > Operation Logs on the iBMC WebUI. For details, see Operation Logs.

  • Encrypted transmission

    The iBMC allows you to enable Transport Layer Security (TLS) for Simple Mail Transfer Protocol (SMTP) to ensure data transmission security. To enable TLS for SMTP, choose Alarm&SEL > Alarm Settings on the iBMC WebUI. For details, see Alarm Settings.

    The iBMC also allows you to enable the KVM data encryption function, which encrypts data transmitted to and from the Remote Virtual Console. To enable the KVM data encryption function, choose Remote Console on the iBMC WebUI. For details, see Remote Console.

Application Guidelines

  • Use a private network to configure data on the iBMC.
  • Never connect the iBMC to the Internet.
  • Disable unnecessary and insecure protocols and ports.
  • Periodically audit operation logs.

Initial Parameters

  • iBMC user name and password

    By default, the user name is root for the G560 and Administrator for the G530 V5 and G560 V5, and the initial password is printed on the product nameplate.

    For security purposes, change the initial password at the first login and change the password periodically. Ensure that the new password meets password complexity requirements.

    To change a user password, choose Configuration > Local Users on the iBMC WebUI. For details, see Local Users.

  • U-Boot password

    The default U-Boot password is Huawei12#$ for the G560 and Admin@9000 for the G530 V5 and G560 V5. For security purposes, contact Huawei technical support to change the password upon first login and at periodic intervals thereafter.

  • SNMP versions and community names

    By default, SNMPv3 is enabled, and SNMPv1 and SNMPv2c are disabled because they pose security risks. When using SNMPv1, SNMPv2c, or trap services, change the initial community names and update the community names periodically to ensure system security. Ensure that the new community names meet password complexity requirements.

    Table 2-1 lists the default SNMP community names.

    Table 2-1  Default SNMP community names

    Community Name                   Default Value for the G560   Default Value for the G530 V5 and G560 V5
    SNMP read-only community name    roAdmin12#$                  roAdministrator@9000
    SNMP read-write community name   rwAdmin12#$                  rwAdministrator@9000
    Trap community name              TrapAdmin12#$                TrapAdmin12#$

    To change community names, choose Configuration > System on the iBMC WebUI. For details, see System.

  • Protocols and services disabled by default

    RMCP is disabled by default because it poses security risks due to defects in its security mechanisms. Exercise caution when using the RMCP service.

    To enable or disable services, choose Configuration > Services on the iBMC WebUI. For details, see Services.

  • Encryption and authentication

    By default, the SNMPv3 authentication algorithm is SHA and the SNMPv3 encryption algorithm is AES. You can use a variety of algorithms with SNMPv3; however, if you use insecure algorithms such as SHA1, MD5, or DES, ensure that you are aware of the potential security risks. To change the SNMPv3 algorithms, choose Configuration > System on the iBMC WebUI. For details, see System.

    The TLS function is enabled for SMTP by default for security purposes. To enable or disable this function, choose Alarm&SEL > Alarm Settings on the iBMC WebUI. For details, see Alarm Settings.

    The KVM data encryption function is disabled by default. Enable this function to ensure the security of KVM data transmission. To enable or disable this function, choose Remote Console on the iBMC WebUI. For details, see Remote Console.

    When using the email function for the first time, enable the user authentication function of SMTP to ensure email transmission security. To enable or disable this function, choose Alarm&SEL > Alarm Settings on the iBMC WebUI. For details, see Alarm Settings.
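
The initial-parameter checks above (SNMPv1/SNMPv2c disabled, factory community names from Table 2-1 replaced, SNMPv3 not using SHA1, MD5 or DES, RMCP disabled, TLS and user authentication enabled for SMTP, KVM data encryption enabled), combined into one audit function as an added Python example that is not iBMC code. The settings dictionary and its key names are assumptions of this example, not an iBMC export format.

```python
# Factory community names from Table 2-1 of this guide; any of them left in place is a finding.
DEFAULT_COMMUNITIES = {
    "roAdmin12#$", "roAdministrator@9000",
    "rwAdmin12#$", "rwAdministrator@9000",
    "TrapAdmin12#$",
}
# Algorithms the guide names as insecure (defaults are SHA for authentication, AES for encryption).
WEAK_AUTH = {"SHA1", "MD5"}
WEAK_PRIV = {"DES"}

def audit_initial_parameters(cfg):
    """Return a list of findings for a hypothetical exported iBMC settings dict.
    Missing keys fall back to the factory defaults described in this guide."""
    findings = []
    for proto in ("snmpv1", "snmpv2c"):
        if cfg.get(proto + "_enabled", False):
            findings.append("%s is enabled; it is disabled by default because it poses security risks" % proto)
    for key in ("ro_community", "rw_community", "trap_community"):
        if cfg.get(key, "") in DEFAULT_COMMUNITIES:
            findings.append("%s is still set to a factory default community name" % key)
    if cfg.get("snmpv3_auth", "SHA").upper() in WEAK_AUTH:
        findings.append("SNMPv3 authentication uses an insecure algorithm: %s" % cfg["snmpv3_auth"])
    if cfg.get("snmpv3_priv", "AES").upper() in WEAK_PRIV:
        findings.append("SNMPv3 encryption uses an insecure algorithm: %s" % cfg["snmpv3_priv"])
    if cfg.get("rmcp_enabled", False):
        findings.append("RMCP is enabled; it is disabled by default because of defects in its security mechanisms")
    if not cfg.get("smtp_tls", True):
        findings.append("TLS for SMTP is disabled")
    if not cfg.get("smtp_auth", False):
        findings.append("SMTP user authentication is disabled")
    if not cfg.get("kvm_encryption", False):
        findings.append("KVM data encryption is disabled (the factory default)")
    return findings

# Constructed sample: a G530 V5 still carrying several factory settings.
SAMPLE_CONFIG = {
    "snmpv1_enabled": False, "snmpv2c_enabled": True,
    "ro_community": "roAdministrator@9000", "rw_community": "Custom-rw-2018!",
    "trap_community": "TrapAdmin12#$",
    "snmpv3_auth": "MD5", "snmpv3_priv": "AES",
    "rmcp_enabled": False, "smtp_tls": True, "smtp_auth": False, "kvm_encryption": False,
}

if __name__ == "__main__":
    for finding in audit_initial_parameters(SAMPLE_CONFIG):
        print("-", finding)
```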

Updated: 2018-10-31

Document ID: EDOC1100031438