
Advisory: (Revision) HPE Integrity - SHA2 Certificates May Be Required for HPE Integrity BL8x0c i2/i4, Integrity rx2800 i2/i4, or Integrity rx2900 i4 Servers for Continued Access to the Integrity Lights-out 3 (iLO 3) Web GUI After January 1, 2017

SUPPORT COMMUNICATION - CUSTOMER ADVISORY

Document ID: c05315789

Version: 4

NOTICE: The information in this document, including products and software versions, is current as of the Release Date. This document is subject to change without notice.

Release Date: 2016-10-20

Last Updated: 2017-01-18


DESCRIPTION

| Document Version | Release Date | Details |
|---|---|---|
| 4 | 01/17/2017 | Updated document with additional information |
| 3 | 12/20/2016 | Updated document with additional information on user impact and how to identify which type of certificate is installed |
| 2 | 12/06/2016 | Updated Title, Description and Resolution sections with additional information |
| 1 | 10/25/2016 | Original document release |

SHA-1 certificates may no longer be accepted by the newer versions of Firefox and Internet Explorer browsers beginning on January 1, 2017. Although most browsers will be offering a user-override process that will allow a SHA-1 certificate to be used after displaying a warning, HPE recommends that users switch to using SHA-2 certificates on or before that date for continued secure access to the HPE Integrated Lights-Out 3 (iLO 3) web GUI and Integrated Remote Console (IRC) applications.

Note: iLO CLI and other iLO features will not be impacted.

Note: Not all browsers will change their behavior as of Jan 1, 2017; some browsers may not change until later in February. This is subject to change, depending on the vendor strategy.

The iLO 3 on the below firmware versions generates self-signed certificates with SHA128 (SHA1) or MD5:

  • Integrity rx2800 i4/rx2900 i4 servers with firmware version 46.00 (or earlier)
  • Integrity rx2800 i2 servers with firmware version 27.00 (or earlier)
  • Integrity BL8x0c i4 servers with firmware version 46.01 (or earlier)
  • Integrity BL8x0c i2 servers with firmware version 27.00 (or earlier)

Users on these versions may import an SSL certificate from Trusted Certificate Authorities which is signed with SHA256 (or SHA2) to ensure continued secure access to the iLO Web GUI, IRC and vMedia applications when using the latest browser versions starting on January 1, 2017.

Note: The iLO 3 on the below firmware versions allows generating self-signed certificates with SHA256 (SHA2):

  • Integrity rx2800 i4/rx2900 i4 servers with firmware version 47.00 (or later)
  • Integrity BL8x0c i4 servers with firmware version 47.00 (or later)
  • Integrity rx2800 i2 servers with firmware version 28.00 (or later)
  • Integrity BL8x0c i2 servers with firmware version 28.00 (or later)

Expected impact to users:

From the information available at various web sources, the impact of using SHA1 certificates after January 1, 2017 is as follows:

  • Most browsers will show a major security warning, but still allow the user to bypass the security warning and use the service. Users may not be blocked from using the web service.
  • Some browsers will not change behavior until later in February, 2017.
  • If users are running older versions of browsers, then they will not be impacted in any way (see table below).
  • iLO will be functional, and secure access to other interfaces (CLI) will not change in any way.

For accurate and up-to-date information on the browsers' behavior, contact the browser vendors or check the information published on their web sites.

Based on the announcements available to HPE from the different browser vendors, the impact could potentially be as shown below. Note that this could be subject to change by the browser vendors:

| Browser | SHA1 certificate impact to iLO |
|---|---|
| IE8 | Not affected |
| IE10 (with update) | Security warning, access allowed bypassing this warning |
| IE11 (with update) | Security warning, access allowed bypassing this warning |
| Microsoft Edge | Security warning, access allowed bypassing this warning |
| Firefox 39 (qualified browser for iLO) | Security warning, access allowed bypassing this warning. |
| Chrome 44 (qualified browser for iLO) | Security alert (affirmatively insecure), access allowed bypassing the alert. |
| Firefox 43+ | Untrusted connection. (unclear if access will be blocked) |
| Chrome 41+ | Security alert (affirmatively insecure), access allowed bypassing the alert. |

Identifying which type of certificate is installed:

Self-signed versus imported certificate:

From the iLO 3 CLI, display the SSL certificate status using the command "SO -ssl -nc".

  • If the SSL certificate status is "Generated," then it is an iLO generated self-signed certificate.
  • If the SSL certificate status is "Imported," then it is signed by a trusted Certificate Authority and imported into iLO.

SHA1 or SHA2 signature:

View the certificate details in the browser running iLO: the signature algorithm in Certificate details will indicate the type used: SHA256, SHA512 or SHA384 indicate that SHA2 was used.
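
One way to read the signature algorithm from a workstation rather than the browser's certificate dialog, as an added example that is not part of the HPE advisory. It assumes the `openssl` command-line tool is installed; the function names and the host names passed on the command line are hypothetical.

```shell
#!/bin/sh
# Added example (not HPE code): report whether the certificate an iLO 3 web
# interface serves is signed with SHA1/MD5 or with SHA2. Assumes openssl(1).

# Map a signature-algorithm name to the categories the advisory uses.
classify_sigalg() {
    alg=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$alg" in
        *sha256*|*sha384*|*sha512*) echo "SHA2" ;;
        *sha1*)                     echo "SHA1" ;;
        *md5*)                      echo "MD5" ;;
        *)                          echo "UNKNOWN" ;;
    esac
}

# Read `openssl x509 -noout -text` output on stdin and print the first
# "Signature Algorithm" value (the field appears twice in that output).
sigalg_from_text() {
    sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Fetch the certificate served at host[:port] (hypothetical names).
# Returns 0 only for a SHA2 signature, 1 for SHA1/MD5/unknown, 2 on error.
check_host() {
    host=$1
    port=${2:-443}
    alg=$(openssl s_client -connect "$host:$port" </dev/null 2>/dev/null |
          openssl x509 -noout -text 2>/dev/null | sigalg_from_text)
    if [ -z "$alg" ]; then
        echo "$host: no certificate retrieved" >&2
        return 2
    fi
    verdict=$(classify_sigalg "$alg")
    echo "$host: $alg -> $verdict"
    [ "$verdict" = "SHA2" ]
}

# Usage: sh check_ilo_cert.sh <ilo-host> [<ilo-host> ...]
for h in "$@"; do
    check_host "$h" || true
done
```

The verdict covers only the signature hash; whether the certificate is self-signed or imported still comes from the SSL certificate status shown by the iLO 3 CLI.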

SCOPE

Any Integrated Lights-Out 3 (iLO 3) firmware in HPE Integrity BL8x0c i2 servers, Integrity BL8x0c i4 servers, Integrity rx2800 i2, Integrity rx2800 i4, or Integrity rx2900 i4 servers.

RESOLUTION

HPE recommends one of the following options:

Either upgrade firmware to version 47.00 (or later) on BL8x0c i4, rx2800 i4 and rx2900 i4 or version 28.00 (or later) on BL8x0c i2 and rx2800 i2, and use the iLO CLI/webGUI interface to generate a new SHA2 based SSL certificate

Or import a SHA2 based SSL certificate signed by trusted Certificate Authorities into iLO for continued secure access to iLO webGUI, IRC and vMedia (while remaining on a prior firmware version).

Note: Importing a SHA2 signed SSL certificate from Trusted Entities will ensure continued support of iLO Web GUI, IRC and vMedia beginning on January 1, 2017 for impacted browser versions as detailed in the Description section above.

For details on how to generate and import a certificate, consult the HPE Integrity iLO 3 Operations Guide available at: http://h20628.www2.hpe.com/km-ext/kmcsdirect/emr_na-c02111169-8.pdf (under "Using iLO3," in the Administration section, see "Certificate Settings," Table 31 Import Certificate Description).



Hardware Platforms Affected: HPE Integrity BL860c i2 Server Blade, HPE Integrity BL870c i2 Server Blade, HPE Integrity BL890c i2 Server Blade, HPE Integrity rx2800 i2 Server, HPE Integrity BL860c Server Blade, HPE Integrity BL870c i4 Server Blade, HPE Integrity BL890c i4 Server Blade, HPE Integrity rx2800 i4 Server, HPE Integrity rx2900 Server
Operating Systems Affected: Not Applicable
Software Affected: Not Applicable
Support Communication Cross Reference ID: IA05315789
©Copyright 2018 Hewlett Packard Enterprise Development LP