SYSTEMS MANAGEMENT
www.dell.com/powersolutions Reprinted from Dell Power Solutions, November 2005. Copyright © 2005 Dell Inc. All rights reserved. DELL POWER SOLUTIONS 1
DRAC/MC User Management and Security Configuration
BY ANUSHA RAGUNATHAN AND SANJEEV S. SINGH
The Dell™ Remote Access Controller/Modular Chassis (DRAC/MC) is a critical infrastructure component for authenticating and authorizing user access to the Dell Modular Server Enclosure, the chassis that houses Dell blade servers.
Related Categories:
Blade servers
Dell PowerEdge blade servers
Dell Remote Access Controller (DRAC)
Remote management
Security
Systems management
Visit www.dell.com/powersolutions for the complete category index.
The Dell Remote Access Controller/Modular Chassis (DRAC/MC) is the chassis and component management module for the Dell Modular Server Enclosure. Robust authentication and privilege-checking mechanisms are incorporated into the DRAC/MC to enable administrators to grant user privileges while preventing unauthorized access. This article describes the different techniques administrators can use to control user access and enhance security.
Methods for accessing the DRAC/MC
The DRAC/MC provides administrators with the flexibility to create system users and assign them various levels of permissions. Administrators can control access to the DRAC/MC remotely or locally using three types of connections: Web, serial, and Telnet.
Web-based connection. The DRAC/MC incorporates secure Web-based access using a standard browser supporting 128-bit Secure Sockets Layer (SSL) encryption. It also supports the secure-server certificate process to further enhance the security of network communications. Administrators must generate a certificate-signing request (CSR) and obtain the signature of a Certificate Authority (CA) to obtain a secure-server certificate. Secure-server certificates help ensure the identity of a remote system and verify that the information exchanged with the remote system cannot be viewed or modified by others.
Serial connection. For local access, the DRAC/MC supports a serial connection using a standard terminal emulation program such as HyperTerminal through a serial connector on the back of the controller. Authentication is required to log in. Authenticated users can then use the command-line interface (CLI) that the DRAC/MC supports.
Telnet connection. A Telnet connection, which is disabled by default, is also supported. After authentication, users can access the CLI. Both local and remote access sessions support a session time-out feature that closes the session after a period of inactivity. This inactivity interval is configurable through both Web and CLI access.
User management from the DRAC/MC
The DRAC/MC supports two kinds of users: DRAC/MC local users and Microsoft® Active Directory® users. Support for Active Directory users has been added in DRAC/MC firmware version 1.2. This enables administrators to manage DRAC/MC users and devices from within existing Active Directory environments. The DRAC/MC supports a maximum of 16 local users, and at least one local user must always be configured. For more information about configuring Active Directory settings for the DRAC/MC, see the “Microsoft Active Directory settings for the DRAC/MC” section in this article.
A valid username can be authenticated in different formats. In the Username or Login field of the GUI or CLI login page, respectively, administrators can enter one of the following:
• A DRAC/MC local username: username
• A Microsoft Active Directory username in any of three formats: domain\username, domain/username, or username@domain
The DRAC/MC username for local users is case-sensitive, but the Active Directory username is not.
Permissions and groups
A permission is a privilege provided to a DRAC/MC user to perform certain actions such as configuring the DRAC/MC settings, powering the chassis up or down, configuring users, or clearing logs. A group is a collection of permissions that can be assigned to DRAC/MC users. The following four groups have predefined permissions in the DRAC/MC:
• Administrator
• Power User
• Guest User
• E-mail Alerts Only
If the permissions required for a user do not match any of these groups, a fifth group—Custom—is available by which administrators may provide the desired privileges to users. Figure 1 describes the different groups and permissions associated with each group.
Local user administration
Administrators can access the DRAC/MC using either the Web-based graphical user interface (GUI) or the serial/Telnet connection–based CLI.
Using the DRAC/MC GUI
The DRAC/MC GUI lets administrators create new DRAC/MC users, delete existing users, or modify existing user privileges. The user configuration page is accessible by going to Configuration>Users on the DRAC/MC GUI. To create users and establish their permissions, administrators should click an “Available” link on the DRAC/MC Users page (see Figure 2). This action opens a configurable DRAC/MC user privileges screen with options available under General, User Permissions, and Email Alerts (see Figure 3).
On this screen, administrators can enter the DRAC/MC username and password. The DRAC/MC user group can be selected from the User Group drop-down menu. The corresponding permissions are automatically selected or unselected based on the user group chosen. Administrators can either accept the preselected user permissions associated with the user group or select and unselect various permissions to customize the user’s options. Other user settings such as e-mail paging and alert configurations can also be specified on this page. Clicking the Apply Changes button at the bottom of the screen creates the new user and sets the privileges. Note: Selecting or unselecting group permissions automatically changes the user’s group to Custom.
Permission                        Administrator  Power User  Guest User  E-mail Alerts Only  Custom
Log in to DRAC/MC                 Yes            Yes         Yes                             Yes
Configure DRAC/MC                 Yes                                                        Yes
Configure users                   Yes                                                        Yes
Clear logs                        Yes            Yes                                         Yes
Execute server action commands    Yes            Yes                                         Yes
Access console redirection        Yes            Yes                                         Yes
Access virtual media              Yes            Yes                                         Yes
Test alerts                       Yes            Yes                                         Yes
Execute diagnostic commands       Yes                                                        Yes
Figure 1. DRAC/MC user permissions and groups
Figure 2. DRAC/MC Users screen in the DRAC/MC GUI
To delete a user, administrators can select the “Remove User” link on the DRAC/MC Users page beside the username they wish to delete. Note: The first user cannot be deleted.
To modify permissions for an existing user, administrators can select the username on the DRAC/MC Users page of the user whose permissions they would like to modify. Then, on the user configuration page, they can delete or add desired permissions and click the Apply Changes button at the bottom of the screen to enact the changes.
Using the DRAC/MC CLI
Administrators can access the DRAC/MC CLI either locally through a serial connection or remotely using Telnet to create usernames, assign users to groups, and assign permissions. The following commands create a DRAC/MC user with a specified username and password:
    racadm config -g cfgUserAdmin -o cfgUserAdminUserName -i <index> <username>
    racadm config -g cfgUserAdmin -o cfgUserAdminPassword -i <index> <password>
By default, this DRAC/MC user is granted all associated permissions of the DRAC/MC Administrator group. To change the permissions for this user, administrators can enter the following command:
    racadm config -g cfgUserAdmin -o cfgUserAdminPrivilege -i <index> <privilege>
Values for user permissions are specified in Figure 4.
To display an existing user, administrators can enter the following command:
    racadm getconfig -g cfgUserAdmin -i <index>
To delete an existing user, administrators should locate the user’s index listing and enter the following command:
    racadm config -g cfgUserAdmin -o cfgUserAdminUserName -i <index> ""
To modify information about or privileges of an existing user, administrators should locate the property that must be changed. Figure 5 shows the types of properties that can be modified. Then, administrators can enter the following command to modify the specified property:
    racadm config -g cfgUserAdmin -o <property name> -i <index> <property value>
Figure 3. DRAC/MC user configuration screen in the DRAC/MC GUI
User permission                   Bit     Value
Log in to DRAC/MC                 0       0x80000001
Configure DRAC/MC                 1       0x80000002
Configure users                   2       0x80000004
Clear logs                        3       0x80000008
Execute server action commands    4       0x80000010
Access console redirection        5       0x80000020
Access virtual media              6       0x80000040
Test alerts                       7       0x80000080
Execute diagnostic commands       8       0x80000100
Reserved                          9–21    0x80000xxx
Figure 4. User permissions and values configurable from the DRAC/MC CLI
User property
cfgUserAdminPrivilege
cfgUserAdminUserName
cfgUserAdminAlertFilterSysMask
cfgUserAdminEmailEnable
cfgUserAdminEmailAddress
cfgUserAdminEmailCustomMsg
Figure 5. User properties configurable from the DRAC/MC CLI
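The Python script below is a worked example added to this reprint; it is not code from the article or from Dell's racadm tooling. It turns the bit positions of Figure 4 and the group memberships of Figure 1 into code: it composes a cfgUserAdminPrivilege value from permission names, decodes a value back into permissions (rejecting values with the marker bit missing or a reserved bit set, which is how a mistyped hex value is caught before it reaches the controller), names the predefined group a value corresponds to (or Custom), and emits the racadm lines from the section above. Two points are assumptions of the example rather than statements of the article: that permissions combine by OR-ing their Figure 4 values, and that 0x80000000 is a fixed marker bit present in every value. The index range 1–16 follows from the 16-user limit stated earlier.

```python
"""Privilege masks for DRAC/MC local users (added example, not Dell code)."""

# Permission name -> bit position, as listed in Figure 4.
PERMISSION_BITS = {
    "Log in to DRAC/MC": 0,
    "Configure DRAC/MC": 1,
    "Configure users": 2,
    "Clear logs": 3,
    "Execute server action commands": 4,
    "Access console redirection": 5,
    "Access virtual media": 6,
    "Test alerts": 7,
    "Execute diagnostic commands": 8,
}
MARKER_BIT = 0x80000000                               # assumed fixed bit seen in every Figure 4 value
RESERVED_MASK = sum(1 << b for b in range(9, 22))     # bits 9-21 are reserved per Figure 4

# Predefined groups as shown in Figure 1; "E-mail Alerts Only" carries no permissions.
GROUPS = {
    "Administrator": list(PERMISSION_BITS),
    "Power User": [
        "Log in to DRAC/MC", "Clear logs", "Execute server action commands",
        "Access console redirection", "Access virtual media", "Test alerts",
    ],
    "Guest User": ["Log in to DRAC/MC"],
    "E-mail Alerts Only": [],
}


def privilege_mask(permissions):
    """Return the cfgUserAdminPrivilege value for an iterable of permission names."""
    mask = MARKER_BIT
    for name in permissions:
        mask |= 1 << PERMISSION_BITS[name]   # KeyError on an unknown permission name
    return mask


def decode_privilege(value):
    """Return the permission names encoded in a cfgUserAdminPrivilege value."""
    if not value & MARKER_BIT:
        raise ValueError("privilege value is missing the 0x80000000 marker bit")
    if value & RESERVED_MASK:
        raise ValueError("privilege value sets a reserved bit (9-21)")
    bits = value & ~MARKER_BIT
    return [name for name, bit in PERMISSION_BITS.items() if bits & (1 << bit)]


def group_for_privilege(value):
    """Name the predefined group whose permissions equal those in value, else "Custom"."""
    granted = set(decode_privilege(value))
    for group, perms in GROUPS.items():
        if granted == set(perms):
            return group
    return "Custom"


def user_commands(index, username, permissions):
    """Build the racadm lines from the article that create a local user at slot
    `index` and replace its default Administrator privileges.  The password is
    set separately with cfgUserAdminPassword so it is never embedded in a script."""
    if not 1 <= index <= 16:                          # 16 local users maximum
        raise ValueError("DRAC/MC holds at most 16 local users (index 1-16)")
    if not username or any(c.isspace() for c in username):
        raise ValueError("username must be a single non-empty token")
    return [
        f"racadm config -g cfgUserAdmin -o cfgUserAdminUserName -i {index} {username}",
        f"racadm config -g cfgUserAdmin -o cfgUserAdminPrivilege -i {index} "
        f"0x{privilege_mask(permissions):08X}",
    ]


if __name__ == "__main__":
    for line in user_commands(2, "opsadmin", GROUPS["Power User"]):
        print(line)
    print(group_for_privilege(0x800000F9))
```

Running the script prints the two racadm lines for a Power User in slot 2 (privilege 0x800000F9) and confirms that the value decodes back to the Power User group; feeding decode_privilege a value such as 0x80000200 raises ValueError because bit 9 is reserved.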
E-mail alerting
E-mail alert configuration is part of the user configuration process. To enable e-mail alerting, administrators should select the “Enable Email Alerts” check box in the “Email Alerts Settings” section of the DRAC/MC Configuration>Network page and enter the SMTP (e-mail) server address (see Figure 6).
For e-mail alerts to operate properly, information must be provided in the following fields on the Configuration>Users page shown in Figure 3:
• “Enable Email Alerts” check box: Enables the e-mail alert feature and allows selection of events that trigger e-mail message transmission to the designated e-mail address.
• Email Address field: Designates the target e-mail address for alerts.
• Message field: Specifies the text of the e-mail alert.
• “Alert Description” section: Selects conditions that generate the e-mail alert.
E-mail alerts can be configured by severity or alert description. The following severity levels are available:
• Informational: Lowest severity
• Warning: Medium severity
• Severe: Highest severity
Alerts are configurable for the following sensors:
• All sensors
• System temperature
• System voltage
• System fans
• Miscellaneous system sensors
Microsoft Active Directory settings for the DRAC/MC
Administrators can configure settings for the Microsoft Active Directory service through the DRAC/MC GUI or CLI.1
Configuring Active Directory via the DRAC/MC GUI
Administrators should first log in to the DRAC/MC Web-based GUI using the default username (“root”) and password and then go to the Configuration>Active Directory page (see Figure 7). From this page, administrators can perform the following steps to enable Active Directory:
1. Select the “Enable Active Directory” check box.
2. In the DRAC/MC Name field, enter the common name of the remote access controller (RAC) device object that was created in the domain controller.
3. In the ROOT Domain Name field, enter the fully qualified root domain name for the domain forest.
4. In the DRAC/MC Domain Name field, enter the fully qualified domain name of the subdomain where the RAC device object resides (for example, “dracmc.com”); do not use the NetBIOS name.
5. Click the Apply Changes button to save the Active Directory settings.
Figure 6. DRAC/MC network configuration screen in the DRAC/MC GUI
1 For more information about using Microsoft Active Directory with Dell remote access controllers, see “Using Microsoft Active Directory Authentication with the DRAC 4” by Jon McGary and Bradley Bransom in Dell Power Solutions, October 2004, www.dell.com/downloads/global/power/ps4q04-20040123-McGary.pdf.
Figure 7. DRAC/MC Active Directory Configuration screen in the DRAC/MC GUI
Administrators must then upload the Active Directory certificate to the DRAC/MC by performing the following steps:
1. Click the Upload Active Directory CA Certificate button. The Upload Certificate screen will appear (see Figure 8).
2. Click the Browse button to locate the full path and file name of the domain forest root CA certificate, or type it in. The domain forest root CA certificate should be available on the local system and must have previously been accepted by the domain forest’s domain-controller SSL certificates.
3. Click the Upload button to upload the root CA certificate to the DRAC/MC firmware. The DRAC/MC Web server should then automatically restart.
4. Log in again to complete the DRAC/MC Active Directory feature configuration.
The next step is to configure the Domain Name System (DNS) server. On the Configuration>Network page shown in Figure 6, if “Enable NIC” and “Use DHCP (for the NIC IP address)” are enabled, administrators should select the “Use DHCP to obtain DNS server addresses” check box. To input a DNS server IP address manually, administrators can unselect the “Use DHCP to obtain DNS server addresses” check box and type in the preferred and alternate DNS server IP addresses. Then, administrators should click the Apply Changes button to complete the DRAC/MC Active Directory configuration.
Configuring Active Directory via the DRAC/MC CLI
Administrators can also configure Active Directory settings by using the Racadm command-line utility. To do so, they should open a Telnet or serial console session to access the DRAC/MC and enter the following Racadm commands:
    racadm config -g cfgActiveDirectory -o cfgADEnable 1
    racadm config -g cfgActiveDirectory -o cfgADRacDomain <fully qualified RAC domain name>
    racadm config -g cfgActiveDirectory -o cfgADRootDomain <fully qualified root domain name>
    racadm config -g cfgActiveDirectory -o cfgADRacName <RAC common name>
Next, administrators must upload the Active Directory certificate using a Web browser, as described in the preceding section in this article. After that process is completed, administrators can configure the DNS server. If DHCP is enabled on the DRAC/MC and administrators wish to use the DNS service provided by the DHCP server, they can issue the following command:
    racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 1
If DHCP is disabled on the DRAC/MC or administrators wish to input the DNS IP address manually, they can issue the following commands:
    racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 0
    racadm config -g cfgLanNetworking -o cfgDNSServer1 <primary DNS IP address>
    racadm config -g cfgLanNetworking -o cfgDNSServer2 <secondary DNS IP address>
Then, administrators can press Enter to complete the DRAC/MC Active Directory feature configuration.
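As an added example (not code from the article or from Dell), the Python helper below assembles the CLI sequence of this section from its inputs and refuses to produce any command when an input is malformed: a NetBIOS-style single label where a fully qualified domain name is required (the mistake step 4 of the GUI procedure warns about), an invalid IPv4 address for a DNS server, or manual DNS servers supplied together with the DHCP-provided-DNS setting. The racadm lines are the ones printed above; the function name and the strictness of the hostname and address checks are this example's own assumptions, not behaviour of racadm.

```python
"""Input checks for the DRAC/MC Active Directory CLI settings (added example)."""
import ipaddress
import re

# One DNS label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$")


def is_fqdn(name):
    """True for a dotted DNS name such as dracmc.com.  A NetBIOS-style single
    label such as DRACMC has no dot and is rejected."""
    return len(name) <= 253 and bool(FQDN_RE.match(name))


def ad_config_commands(rac_name, rac_domain, root_domain,
                       dns_from_dhcp=True, dns_servers=()):
    """Return the racadm lines for the cfgActiveDirectory and cfgLanNetworking
    groups, raising ValueError before any command is produced if an input is bad.
    The CA certificate upload between the two groups is done in the browser, as
    the article describes, so it has no command here."""
    if not rac_name or any(c.isspace() for c in rac_name):
        raise ValueError("RAC common name must be a single non-empty token")
    for label, value in (("RAC domain", rac_domain), ("root domain", root_domain)):
        if not is_fqdn(value):
            raise ValueError(f"{label} must be fully qualified, not a NetBIOS name: {value!r}")
    if dns_from_dhcp and dns_servers:
        raise ValueError("manual DNS servers are ignored when DNS comes from DHCP")
    if not dns_from_dhcp and not 1 <= len(dns_servers) <= 2:
        raise ValueError("give a preferred and optionally an alternate DNS server")
    for ip in dns_servers:
        ipaddress.IPv4Address(ip)      # raises AddressValueError (a ValueError) on a bad address

    cmds = [
        "racadm config -g cfgActiveDirectory -o cfgADEnable 1",
        f"racadm config -g cfgActiveDirectory -o cfgADRacDomain {rac_domain}",
        f"racadm config -g cfgActiveDirectory -o cfgADRootDomain {root_domain}",
        f"racadm config -g cfgActiveDirectory -o cfgADRacName {rac_name}",
    ]
    if dns_from_dhcp:
        cmds.append("racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 1")
    else:
        cmds.append("racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 0")
        for n, ip in enumerate(dns_servers, start=1):
            cmds.append(f"racadm config -g cfgLanNetworking -o cfgDNSServer{n} {ip}")
    return cmds


if __name__ == "__main__":
    # Constructed sample values: a RAC object named dracmc-01 in the dracmc.com
    # subdomain of the corp.example.com forest, with static DNS servers.
    for line in ad_config_commands("dracmc-01", "dracmc.com", "corp.example.com",
                                   dns_from_dhcp=False,
                                   dns_servers=("192.0.2.10", "192.0.2.11")):
        print(line)
```

The output of the sample run is the seven racadm lines in the order the article gives them; calling ad_config_commands with "DRACMC" as the RAC domain raises ValueError and emits nothing.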
Active Directory authentication
Microsoft Active Directory houses information about network objects and helps deploy these objects to users, computers, and applications.
Discovering the domain controller
The client system discovers the Microsoft Active Directory service using an algorithm called the Domain Controller Locator.2 In the case of the DRAC/MC, the client is the DRAC/MC module that is trying to authenticate the given username and password on the Active Directory server.
Figure 8. DRAC/MC Upload Certificate screen in the DRAC/MC GUI
2 For more information about Microsoft Active Directory and the Domain Controller Locator operation, visit www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbi_add_afsl.asp.
Note: The user trying to log in to the Active Directory server should already exist in the Association object that contains the Dell User object(s), Dell Privilege object(s), and Dell RAC Device object(s).3
In Windows, the Domain Controller Locator is part of the Net Logon service; on the DRAC/MC, the Domain Controller Locator is part of the login service. This service on the DRAC/MC queries the DNS server for a domain controller hosting the Lightweight Directory Access Protocol (LDAP) service over TCP. The query requests a service location (SRV) record and uses the format _ldap._tcp.DNSDomainName—where DNSDomainName is the root domain name that the administrator used when configuring the Active Directory settings, as described earlier in this article. The DNS server is the static preferred DNS server, the alternate DNS server, or the DNS server address provided by the DHCP server.
After this query is resolved, the DNS server responds to the client—that is, the DRAC/MC—with the identity of one or more domain controllers that are registered under the given domain name. The client sends an LDAP User Datagram Protocol (UDP) lookup to one or more of the domain controllers listed in the response to the DNS query to ensure their availability. Finally, the Net Logon service caches the discovered domain controller to aid in resolving future requests.
Understanding DNS requirements
Microsoft Active Directory is fully integrated with DNS and TCP/IP. A DNS server is required for the proper functioning of Active Directory. The extra dimension of DNS with Active Directory is the SRV resource records (RRs). It is essential for the DNS server to support SRV RRs. Dell also recommends that the DNS server be able to support dynamic updates, because domain controllers continually register new records in DNS.
Active Directory registration in DNS servers
When a Microsoft Windows Server™ 2003–based domain controller boots up, the Net Logon service uses dynamic updates to register SRV and “A” RRs in the DNS database, as described in the Internet Engineering Task Force (IETF) RFC 2782.4 Windows Server 2003 also employs secure dynamic updates using the GSS-TSIG algorithm, as described in IETF RFC 3645.5
Service records reveal not only the server’s IP address but also the services that it offers. The following is the standard format of an SRV record in the DNS server:
    _service._protocol.name ttl class SRV priority weight port target
For example, if the client query is _ldap._tcp.test.com, the SRV record in the DNS server could appear as follows:
    ad1.test.com A 11.11.11.11
    _ldap._tcp.test.com 600 IN SRV 0 100 3268 ad1.test.com
    _ldap._tcp.example.com SRV 0 0 389 austin.example.com
    _kerberos._tcp.test.com SRV 0 0 88 ad1.test.com
The DNS response for the client query would return the 11.11.11.11 IP address of ad1.test.com to the client.
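The following Python script is an added example, not DRAC/MC firmware or Dell code, covering both the domain controller discovery described under “Discovering the domain controller” and the SRV record layout shown just above. It parses a handful of records written the way the article prints them (TTL and class optional), selects the LDAP servers for a domain in the order RFC 2782 prescribes (lowest priority first; within a priority, higher weight preferred, with the RFC's weighted random choice replaced by a deterministic sort), and resolves each target through the A records in the same data. The sample records are the article's own values plus a constructed second zone used to show the ordering; the LDAP UDP availability check that follows discovery is not performed, since the script runs offline.

```python
"""SRV-based LDAP server location in the style of the Domain Controller Locator
(added example, not DRAC/MC code)."""

# Sample zone in the layout used by the article (the article's own values).
SAMPLE_ZONE = """
ad1.test.com A 11.11.11.11
_ldap._tcp.test.com 600 IN SRV 0 100 3268 ad1.test.com
_ldap._tcp.example.com SRV 0 0 389 austin.example.com
_kerberos._tcp.test.com SRV 0 0 88 ad1.test.com
"""

# Constructed zone with three LDAP records to show RFC 2782 ordering; only dc1 has an A record.
ORDERING_ZONE = """
_ldap._tcp.corp.example 600 IN SRV 10 0 389 dc2.corp.example
_ldap._tcp.corp.example 600 IN SRV 0 50 389 dc1.corp.example
_ldap._tcp.corp.example 600 IN SRV 0 100 389 dc3.corp.example
dc1.corp.example A 10.0.0.1
"""


def parse_zone(text):
    """Return (srv, a): srv maps an owner name to a list of
    (priority, weight, port, target) tuples, a maps a host name to its IPv4 address.
    Names are lower-cased and stripped of a trailing dot so lookups are case-insensitive."""
    srv, a = {}, {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        owner = tokens[0].lower().rstrip(".")
        if "SRV" in tokens:
            i = tokens.index("SRV")
            priority, weight, port = (int(t) for t in tokens[i + 1:i + 4])
            target = tokens[i + 4].lower().rstrip(".")
            srv.setdefault(owner, []).append((priority, weight, port, target))
        elif "A" in tokens:
            a[owner] = tokens[tokens.index("A") + 1]
    return srv, a


def locate_ldap(zone_text, dns_domain):
    """Return [(target, ip_or_None, port), ...] for _ldap._tcp.<dns_domain>,
    ordered as a client should try them.  An unresolvable target yields ip None,
    which is the condition the article's nslookup check would reveal."""
    srv, a = parse_zone(zone_text)
    owner = "_ldap._tcp." + dns_domain.lower().rstrip(".")
    records = sorted(srv.get(owner, []), key=lambda r: (r[0], -r[1]))
    return [(target, a.get(target), port) for _, _, port, target in records]


if __name__ == "__main__":
    print(locate_ldap(SAMPLE_ZONE, "test.com"))       # ad1.test.com at 11.11.11.11, port 3268
    print(locate_ldap(ORDERING_ZONE, "corp.example"))  # dc3, dc1, then dc2
```

For the article's records the query for test.com yields ad1.test.com at 11.11.11.11 on port 3268, while example.com yields austin.example.com with no address because the sample has no A record for it; in the constructed zone the priority-0 servers come before the priority-10 one, and the higher-weight dc3 precedes dc1.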
Nslookup.exe
Service records and related entries can be verified by querying DNS using Nslookup.exe. The syntax to query a DNS server for a list of all service records for a given domain is as follows:
    C:\>nslookup <enter>
    >ls -t SRV test.com
This can be very helpful to administrators when they must find the correct DNS server to be configured on the DRAC/MC network configuration page.
Active Directory certificate management
Various certificates must be installed in the proper locations before an Active Directory user can be authenticated on a DRAC/MC.
Active Directory Certificate Authority certificate. The CA certificate must be downloaded from the Active Directory server and uploaded to each DRAC/MC module that supports Active Directory authentication for that domain. This X.509 version 3 base-64–encoded certificate is created from an organization’s Active Directory environment. The Active Directory CA certificate allows the DRAC/MC to communicate securely with the DNS server to authenticate a DRAC/MC user in the Active Directory database. All SSL certificates of the Active Directory servers in the domain forest must be signed by the same root CA, because the DRAC/MC allows uploading only one trusted CA SSL certificate.
3 For more information about Active Directory schema extensions, installing the Dell schema extension to the Active Directory Users and Computers snap-in, using Dell’s predefined Active Directory objects in the Active Directory server, and other aspects of the Active Directory schema, see “Using Microsoft Active Directory Authentication with the DRAC 4” by Jon McGary and Bradley Bransom in Dell Power Solutions, October 2004, www.dell.com/downloads/global/power/ps4q04-20040123-McGary.pdf.
4 For more information about IETF RFC 2782 and the SRV RR format, see “A DNS RR for specifying the location of services (DNS SRV)” by A. Gulbrandsen, P. Vixie, and L. Esibov at www.faqs.org/rfcs/rfc2782.html.
5 For more information about IETF RFC 3645, see “Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG)” by S. Kwan et al. at www.rfc-archive.org/getrfc.php?rfc=3645.
DRAC/MC server certificate. This certificate lets the DRAC/MC communicate securely with the DNS server to authenticate a DRAC/MC user in the Active Directory database. The DRAC/MC certificate is downloaded to a file and then uploaded to the Active Directory domain being accessed. If the DRAC/MC SSL certificate is signed by a well-known CA, and the CA is in the Trusted Root Certificate Authority for the Active Directory server, the DRAC/MC server certificate does not need to be uploaded to the Active Directory server.
Simplified user management for Dell blade server environments
User administration and network security are two major concerns of systems administrators. The DRAC/MC provides a robust, secure infrastructure to help administrators manage users and enhance security for the Dell Modular Server Enclosure that houses Dell blade servers. The DRAC/MC supports 128-bit SSL-encrypted Web sessions and allows administrators to install certificates signed by a trusted CA to further enhance security. The DRAC/MC also lets administrators assign the necessary level of privileges to selected users. In addition, support for Microsoft Active Directory authentication helps simplify central administration of user databases.
Anusha Ragunathan is a firmware engineer in the Chassis Management Group for Dell PowerEdge™ blade servers within the Dell Product Group. She has a bachelor’s degree in Computer Science Engineering from Bharathiyar University in India and a master’s degree in Computer Science Engineering from Arizona State University.
Sanjeev S. Singh is a senior software engineer at Dell. Previously, he was a software engineer at Hewlett-Packard and NCR. He has a bachelor’s degree in Electrical Engineering and a master’s degree in Computer Engineering from North Carolina State University.
FOR MORE INFORMATION
Dell Remote Access Controller/Modular Chassis User’s Guide: support.dell.com/support/edocs/software/smdrac3/dracmc/index.htm