Security Mgmt

System Lock

iBMC system lock mode, which can be enabled or disabled.

By default, this parameter is disabled.

After this parameter is enabled, only the following operations are allowed:

• Power on or off the server.
• Turn on or off the UID indicator or a drive indicator; or make the indicator blinking.
• Use the HTML5 or Java Integrated Remote Console.
• Use virtual media.
• Test the syslog, SNMP, and SMTP functions and simulate alarms.

OS User Management

Function of user management on the service system.

If this function is enabled, the service system can send user management commands, such as adding or deleting users, user roles, and passwords, to manage iBMC users.

It is enabled by default.

• If it is enabled, the service side can manage the iBMC users.
• If it is disabled, the service side cannot manage the iBMC users.

For security purposes, set this parameter to Disable.

Password Check

Password check verifies whether the passwords meet complexity requirements. It is enabled by default.

SSH Password Authentication

SSH password authentication allows users to log in to the iBMC over SSH by using the password or public key.

• Disable: allows users to log in over SSH by using only public keys.
• Enable: allows users to log in over SSH by using passwords or public keys.

It is enabled by default.

TLS Versions

TLS protocol version used to ensure data security and integrity during communication between two applications.

TLS can be enabled to ensure a secure connection between a web browser and a web server.

• TLS 1.2 or later: TLS 1.2 or 1.3 is supported.
• TLS 1.3 only: Only TLS 1.3 is supported.

Password Validity (days)

Validity period (in days) of a user password.

Value range: 0 to 365

The value 0 indicates that the password never expires.

Default value: 0

Minimum Password Length

Minimum length of the local user password or SNMPv3 encryption password.

This parameter is valid only when the password check function is enabled.

Value range: 8 to 20

Default value: 8

Minimum Password Age (days)

Minimum time (in days) for which the password must be used. The password cannot be changed during this period.

Value range: 0 to 365

The value 0 indicates that the passwords do not have a minimum password age.

Default value: 0

Inactive Timelimit (days)

Maximum idle period (in days) after which the user account will be disabled.

Value:

• 0
• 30 to 365

The value 0 indicates unlimited time, that is, idle user accounts will never be disabled.

Default value: 0

Emergency Login User

User name for logging in to the iBMC in emergencies.

This user is not restricted by any login rules or login interfaces, and the password of this user will never expire.

Previous Passwords Disallowed

Number of previous passwords that cannot be reused as a new password.

Value range: 0 to 5

The value 0 indicates that all previous passwords are allowed.

Default value: 5

User Lockout Policy

Maximum number of consecutive invalid login attempts allowed and the account locking duration.

• The maximum number of consecutive invalid login attempts allowed is an integer ranging from 1 to 6 or Unlimited (account locking disabled), and the default value is 5.
• The account locking duration (in minutes) is an integer ranging from 1 to 30, and the default value is 5.

After a user account is locked, the user can attempt to log in only after the account locking duration expires.

Certificate Expiry Notification (days)

Number of days in advance users are notified that the iBMC certificates are about to expire. For example, if it is set to 7, an alarm will be reported when the certificate expiry time is less than or equal to 7 days.

Value range: 7 to 180

Default value: 90

Time

Time period in which users are allowed to log in.

The value can be in one of the following formats:

• YYYY-MM-DD:

  Example value: 2013-08-30 to 2013-12-30

• HH:MM:

  Example value: 08:30 to 20:30

• YYYY-MM-DD HH:MM:

  Example value: 2013-08-30 08:30 to 2013-12-30 20:30

IP

IP address or IP address range allowed for login. The value can be in one of the following formats:

• IPv4 (xxx.xxx.xxx.xxx) address: indicates an IP address.
• IPv4/subnet mask (xxx.xxx.xxx.xxx/mask): indicates an IP address segment.

MAC

MAC address or MAC address range allowed for login. The value can be in one of the following formats:

• xx:xx:xx:xx:xx:xx: indicates a MAC address.
• xx:xx:xx: indicates a MAC address segment.

Administrator

User who can perform all operations.

The permissions of Administrator cannot be changed.

Operator

User who can perform basic management, KVM management, VMM management, and power control, query information, and configure their own passwords.

The permissions of Operator cannot be changed.

Common User

User who can query information and configure their own passwords.

The permissions of Common User cannot be changed.

Custom Role 1 to 4

User who can perform the specified operations.

User Mgmt

Perform user and password configuration.

User Mgmt includes the following:

• Configuration of local, online, LDAP, and Kerberos users
• Configuration of two-factor authentication and SSH password authentication
• License management and rights management
• SNMPv1/v2c/v3 configuration
• OS user management
• Switch from the KVM/VMM page to the Online Users page
• Restoration of factory settings

Basic Mgmt

Perform basic configuration of server out-of-band management.

Basic Mgmt includes the following:

• Configuration of product information
• Performance monitoring
• Storage management, network configuration, firmware update, and language management
• NTP & time zone settings
• Smart cooling
• Alarm and event management
• Web session mode and timeout period settings
• Alarm settings (SMTP/trap settings)

Remote Console

• Perform remote server management using the HTML5 or Java integrated remote console, independent remote console, or VNC client.
• Set the KVM timeout period, communication encryption, local KVM, persistent virtual keyboard and mouse, maximum number of sessions, and number of active sessions
• Set the VNC timeout period, keyboard layout, VNC password, login rules, and SSL encryption
• Configure the serial port redirection

VMM

• Set the VMM communication encryption and forcibly disconnect sessions
• Use virtual media

Security Mgmt

Perform configuration and query of security features.

Security Mgmt includes the following:

• Operation log management
• Security log management
• Security enhancement settings
• Configuration of login rules
• Login security banner configuration
• Port service management
• Web service management (setting HTTP and port, HTTPS and port, and server certificates)
• KVM settings (enabling or disabling the KVM and setting the KVM port)
• VMM settings (enabling or disabling the VMM and setting the VMM port)
• VNC settings (enabling or disabling the VNC and setting the VNC port)
• SNMP settings (enabling or disabling the NMP and setting the NMP port)
• Alarm settings (syslog settings)
• One-click information collection

Power Control

• PSU settings
• Power capping settings
• Power-on and power-off of the server
• CPU adjustment

Diagnostics

Perform fault locating and commissioning operations.

Diagnostics includes the following:

• FDM
• System log management
• Access to the maintenance and commissioning interface
• Sensor simulation
• Configuration of automatic video recording
• Manual and automatic screenshots
• Serial port data
• Black box

Query

Query information excepting security settings, diagnostics, two-factor authentication settings, online user settings, and system information.

Own password & SSH

Configure their own passwords and manage the SSH public key, SNMPv3 encryption password, and SNMPv3 encryption and authentication algorithms.

System default users have this permission by default. Custom users can be assigned with this permission.

Security Banner

Login security banner, which can be enabled or disabled.

If it is set to , security information configured here will be displayed on the iBMC login page.

It is enabled by default.

Security Banner Text

Security banner text to be displayed on the login page.

Value: a string of up to 1024 characters.