HP BladeSystem c-Class Onboard Administrator Firmware

By downloading, you agree to the terms of the Hewlett Packard Enterprise Software License Agreement.
Note: Some software requires a valid warranty, a current support contract with Hewlett Packard Enterprise, or a payment.

Type: Firmware - Blade Infrastructure
Version: 4.40 (31 Mar 2015)
Operating System(s): Asianux 3
CentOS 5
Citrix XenServer 4.x
Citrix XenServer 5.x
Debian GNU/Linux 4.0 (AMD64/EM64T)
Debian GNU/Linux 4.0 (x86)
Debian GNU/Linux 5.0 (AMD64/EM64T)
Debian GNU/Linux 5.0 (x86)
Debian GNU/Linux 6.0
HP-UX 11.31 (IA)
HP-UX 11.x
Microsoft Windows 2000
Microsoft Windows 8 (32-bit)
Microsoft Windows 8 (64-bit)
Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-Bit Edition
Microsoft Windows Server 2003 for 64-bit Extended Systems
Microsoft Windows Server 2008 Essential Business
Microsoft Windows Server 2008 Foundation Edition
Microsoft Windows Server 2008 Itanium
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2008 R2 for Itanium-Based Systems
Microsoft Windows Server 2008 R2 Foundation Edition
Microsoft Windows Server 2008 Small Business
Microsoft Windows Server 2008 x64
Microsoft Windows Server 2012
Microsoft Windows Server 2012 Essentials
Microsoft Windows Server 2012 R2
Microsoft Windows Storage Server 2003
Microsoft Windows Vista (32-bit)
Microsoft Windows Vista (64-bit)
Microsoft Windows XP 64-Bit Edition
Microsoft Windows XP Professional
Microsoft Windows XP Professional x64 Edition
Novell NetWare 6.5
OpenVMS v8.2-1
OpenVMS v8.3
OpenVMS v8.4
Oracle Linux 5 (AMD64/EM64T)
Oracle Linux 5 (x86)
OS Independent
Red Hat Enterprise Linux 3 (AMD64/EM64T)
Red Hat Enterprise Linux 3 (Itanium)
Red Hat Enterprise Linux 3 (x86)
Red Hat Enterprise Linux 4 (AMD64/EM64T)
Red Hat Enterprise Linux 4 (Itanium)
Red Hat Enterprise Linux 4 (x86)
Red Hat Enterprise Linux 5 Desktop (x86-64)
Red Hat Enterprise Linux 5 Server (Itanium)
Red Hat Enterprise Linux 5 Server (x86)
Red Hat Enterprise Linux 5 Server (x86-64)
Red Hat Enterprise Linux 6 Server (x86)
Red Hat Enterprise Linux 6 Server (x86-64)
Red Hat Enterprise Linux 7 Server
Red Hat Linux 6.2
Solaris 10 for x86 Systems
Solaris 11.1
SUSE Linux Enterprise Server 10 (AMD64/EM64T)
SUSE Linux Enterprise Server 10 (Itanium)
SUSE Linux Enterprise Server 10 (x86)
SUSE Linux Enterprise Server 11 (AMD64/EM64T)
SUSE Linux Enterprise Server 11 (Itanium)
SUSE Linux Enterprise Server 11 (x86)
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 9 (AMD64/EM64T)
SUSE Linux Enterprise Server 9 (Itanium)
SUSE Linux Enterprise Server 9 (x86)
Ubuntu 13.10
Ubuntu 9.10 (AMD64/EM64T)
Ubuntu 9.10 (x86)
VMware ESX Server 3.0
VMware ESX/ESXi 4.0
VMware ESX/ESXi 4.1
VMware ESX/ESXi Server 3.5
VMware ESXi 5.0
VMware vSphere 5.1
VMware vSphere 5.5
File name: hpoa440.bin (14 MB)
This file contains the firmware image for the HP BladeSystem c-Class Onboard Administrator. This firmware provides management capabilities for the HP BladeSystem c-Class Enclosure.

  • General
    • Cipher suites are now configured and displayed using their RFC 5246 standardized names. 

Prerequisites:
The Onboard Administrator Smart Component contains 32-bit executable binaries.  As a result, the client operating system upon which the OA Smart Component is installed and executed must either have native support for 32-bit executables or must have the 32-bit compatibility libraries installed.


To ensure the integrity of your download, HPE recommends verifying your results with this SHA-256 Checksum value:

8cc7f3c7ed7b7e8a15a8ed330e46d9dbafe684bce7b38181787b86a917396bb3 hpoa440.bin
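
One way to check the downloaded image against the checksum line above before uploading it to the OA. This is an added example, not HPE code; the function names are this example's own, and the check is only as trustworthy as the channel over which the checksum line itself was obtained.

```python
"""Added example: verify hpoa440.bin against the published SHA-256 line."""
import hashlib
import hmac
import os
import sys

# Checksum line as published on this page ("<hex digest> <file name>").
PUBLISHED = ("8cc7f3c7ed7b7e8a15a8ed330e46d9dbafe684bce7b38181787b86a917396bb3"
             " hpoa440.bin")


def parse_checksum_line(line):
    """Split a sha256sum-style line into (lowercase digest, file name)."""
    digest, name = line.split(None, 1)
    digest = digest.lower()
    if len(digest) != 64 or not set(digest) <= set("0123456789abcdef"):
        raise ValueError("not a SHA-256 hex digest: %r" % digest)
    # sha256sum marks binary mode with a leading '*' on the file name.
    return digest, name.strip().lstrip("*")


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large image is never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify(path, line=PUBLISHED):
    """Return (ok, reason). Rejects a wrong file name as well as a wrong digest."""
    expected, name = parse_checksum_line(line)
    if os.path.basename(path) != name:
        return False, "file name does not match the checksum line"
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch (got %s)" % actual
    return True, "ok"


if __name__ == "__main__":
    ok, reason = verify(sys.argv[1])
    print(reason)
    sys.exit(0 if ok else 1)
```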

Reboot Requirement:
Reboot is optional after installation. Updates will be effective after reboot. Hardware stability will be maintained without reboot.


Installation:
Place the firmware image file onto a system on the same network as the HP BladeSystem c-Class Onboard Administrator.

Log in to the Onboard Administrator’s web-based user interface as an administrator. Firmware Update is available under the Active Onboard Administrator category. You may select the firmware image by entering a path to the file in the "Local File" field or by clicking on the "Browse" button to locate the firmware image on the local machine, a mapped drive, or a network share.

Click "Upload" to begin the firmware update process.

The user guide for the Onboard Administrator is located here.
The user guide for the Onboard Administrator command line interface is located here.


End User License Agreements:
BladeSystem Onboard Administrator Software End User License Agreement


Upgrade Requirement:
Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.

Update to this firmware version if any documented fixes or enhanced functionality provided by this version would be useful to your system.


Important:

Important Notes

  • EFM  
    • The OA only supports SPP ISO images that are less than 4 GB in size, whether hosted directly via the Enclosure DVD feature or an attached USB key, or mounted remotely via a specified URL. If an ISO image exceeds 4 GB,  the CLI SHOW FIRMWARE MANAGEMENT command displays ISO URL Status as “Invalid URL.”
      • If an SPP ISO image exceeds 4 GB, it is necessary to create a custom ISO image that excludes components unnecessary to the OA EFM blade firmware update process.  At a minimum, the custom ISO must contain the firmware components for HP ProLiant BL servers. (When using HP SUM to create the custom ISO image, select Firmware as the Component Type, and select HP ProLiant BL Series as the Server Type.)  For information about creating a custom ISO image compatible for OA EFM functionality, see the HP BladeSystem Onboard Administrator User Guide. More HP SUM information can be found via HP Smart Update Manager online help or at http://www.hp.com/go/hpsum/documentation.
  • IPv6
    • When the Enable DHCPv6 or Enable SLAAC enclosure IPv6 settings are disabled on the Onboard Administrator, the respective DHCPv6 or SLAAC addresses of the iLOs in the enclosure are retained until these addresses expire automatically based on their respective configurations.  A manual reset of the iLO releases these addresses immediately.
  • Security
    • Support for several cipher suites has been removed due to the generally acknowledged weakness of the associated encryption algorithms. The OA now supports only the cipher suites listed in the following table. To successfully establish a secure connection to the OA via SSL, clients must support one or more of these cipher suites.
      • Note specifically that Windows 2003 Active Directory and Internet Explorer might not successfully connect to the OA due to the lack of default support for at least one of the supported cipher suites.
      • You can add the necessary support by installing and enabling Advanced Encryption Standard (AES) based cipher suites in Windows 2003. Refer to Microsoft hotfix available at http://support.microsoft.com/kb/948963.

SSL/TLS cipher suites      Standard names for SSL/TLS cipher suites
EDH-RSA-DES-CBC3-SHA       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
DHE-RSA-AES128-SHA         TLS_DHE_RSA_WITH_AES_128_CBC_SHA
DHE-RSA-AES256-SHA         TLS_DHE_RSA_WITH_AES_256_CBC_SHA
AES128-SHA                 TLS_RSA_WITH_AES_128_CBC_SHA
AES256-SHA                 TLS_RSA_WITH_AES_256_CBC_SHA
ECDHE-RSA-DES-CBC3-SHA     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
ECDHE-RSA-AES128-SHA       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
ECDHE-RSA-AES256-SHA       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
AES128-GCM-SHA256          TLS_RSA_WITH_AES_128_GCM_SHA256
AES256-GCM-SHA384          TLS_RSA_WITH_AES_256_GCM_SHA384
ECDHE-RSA-AES128-SHA256    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
AES128-SHA256              TLS_RSA_WITH_AES_128_CBC_SHA256
AES256-SHA256              TLS_RSA_WITH_AES_256_CBC_SHA256
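
The table above can be turned into a client-side compatibility check that reports which suites a client shares with OA 4.40 and what properties they have. This is an added example, not HPE code: the client lists are constructed, the verdict labels are this example's own, and the `ALIASES` entry assumes the naming used by OpenSSL 1.1.0 and later.

```python
"""Added example: compare a TLS client's cipher list with the OA 4.40 table."""
import ssl

# OpenSSL name -> standard name, copied from the table above.
OA_440_SUITES = {
    "EDH-RSA-DES-CBC3-SHA": "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "DHE-RSA-AES128-SHA": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "DHE-RSA-AES256-SHA": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "AES256-SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "ECDHE-RSA-DES-CBC3-SHA": "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "ECDHE-RSA-AES128-SHA": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "ECDHE-RSA-AES256-SHA": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "AES128-GCM-SHA256": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "AES256-GCM-SHA384": "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "AES128-SHA256": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "AES256-SHA256": "TLS_RSA_WITH_AES_256_CBC_SHA256",
}

# Assumption: OpenSSL 1.1.0+ reports the first table entry under this newer name.
ALIASES = {"DHE-RSA-DES-CBC3-SHA": "EDH-RSA-DES-CBC3-SHA"}


def describe(rfc_name):
    """Split TLS_<kx>_WITH_<cipher>_<hash> and flag the security-relevant parts."""
    kx, _, rest = rfc_name[len("TLS_"):].partition("_WITH_")
    cipher, _, digest = rest.rpartition("_")
    return {
        "key_exchange": kx,
        "cipher": cipher,
        "hash": digest,
        "forward_secrecy": kx.startswith(("DHE_", "ECDHE_")),
        "aead": cipher.endswith("_GCM"),
        "triple_des": cipher.startswith("3DES"),
    }


def assess(client_names):
    """Return one row per suite shared with the OA, in the client's order."""
    rows, seen = [], set()
    for name in client_names:
        name = ALIASES.get(name, name)
        if name in OA_440_SUITES and name not in seen:
            seen.add(name)
            row = describe(OA_440_SUITES[name])
            row["openssl_name"] = name
            row["rfc_name"] = OA_440_SUITES[name]
            rows.append(row)
    return rows


def verdict(client_names):
    """Summarise the overlap; the labels are this example's own."""
    rows = assess(client_names)
    if not rows:
        return "no-common-suite"      # handshake with the OA cannot succeed
    if all(r["triple_des"] for r in rows):
        return "3des-only"
    if not any(r["forward_secrecy"] for r in rows):
        return "no-forward-secrecy"   # only static-RSA key exchange in common
    return "ok"


# Constructed client lists (illustrative, not captured from real systems).
LEGACY_NO_AES = ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA", "DES-CBC-SHA"]
MODERN = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
          "ECDHE-RSA-AES128-SHA256", "AES128-GCM-SHA256"]


def local_client_names():
    """OpenSSL names that this Python build offers by default."""
    return [c["name"] for c in ssl.create_default_context().get_ciphers()]


if __name__ == "__main__":
    clients = (("legacy, no AES", LEGACY_NO_AES), ("modern", MODERN),
               ("this Python", local_client_names()))
    for label, names in clients:
        print("%-16s %s" % (label, verdict(names)))
        for row in assess(names):
            print("    %-26s FS=%s AEAD=%s" % (
                row["openssl_name"], row["forward_secrecy"], row["aead"]))
```

The result for the local Python build depends on how its OpenSSL library was compiled and configured.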


Notes:

Deliverable Name:

HP BladeSystem c-Class Onboard Administrator Firmware

Release Version:

Version 4.40

Previous Version of Firmware:

Version 4.30

Firmware Dependency

For firmware compatibility information please see HP Service Pack for ProLiant Information Library, http://www.hp.com/go/spp/documentation.

 Important Notes

  • EFM
The OA only supports SPP ISO images that are less than 4 GB in size, whether hosted directly via the Enclosure DVD feature or an attached USB key, or mounted remotely via a specified URL. If an ISO image exceeds 4 GB,  the CLI SHOW FIRMWARE MANAGEMENT command displays ISO URL Status as “Invalid URL.”

If an SPP ISO image exceeds 4 GB, it is necessary to create a custom ISO image that excludes components unnecessary to the OA EFM blade firmware update process.  At a minimum, the custom ISO must contain the firmware components for HP ProLiant BL servers. (When using HP SUM to create the custom ISO image, select Firmware as the Component Type, and select HP ProLiant BL Series as the Server Type.)  For information about creating a custom ISO image compatible for OA EFM functionality, see the HP BladeSystem Onboard Administrator User Guide. More HP SUM information can be found via HP Smart Update Manager online help or at http://www.hp.com/go/hpsum/documentation
  • FIPS
OA 3.71 has received FIPS 140-2 Certification  (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2014.htm#2174)  
  • IPv6
When the Enable DHCPv6, Enable Router Advertisements, or Enable SLAAC enclosure IPv6 settings are disabled on the Onboard Administrator, the respective DHCPv6 or SLAAC addresses of the iLOs in the enclosure are retained until these addresses expire automatically based on their respective configurations.  A manual reset of the iLO releases these addresses immediately.
  • Security
Support for several cipher suites has been removed due to the generally acknowledged weakness of the associated encryption algorithms. The OA now supports only the cipher suites listed in the following table. To successfully establish a secure connection to the OA via SSL, clients must support one or more of these cipher suites.
Note specifically that Windows 2003 Active Directory and Internet Explorer might not successfully connect to the OA due to the lack of default support for at least one of the supported cipher suites listed. You can add the necessary support by installing and enabling Advanced Encryption Standard (AES) based cipher suites in Windows 2003. Refer to Microsoft hotfix available at http://support.microsoft.com/kb/948963.  
SSL/TLS cipher suites      Standard names for SSL/TLS cipher suites
EDH-RSA-DES-CBC3-SHA       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
DHE-RSA-AES128-SHA         TLS_DHE_RSA_WITH_AES_128_CBC_SHA
DHE-RSA-AES256-SHA         TLS_DHE_RSA_WITH_AES_256_CBC_SHA
AES128-SHA                 TLS_RSA_WITH_AES_128_CBC_SHA
AES256-SHA                 TLS_RSA_WITH_AES_256_CBC_SHA
ECDHE-RSA-DES-CBC3-SHA     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
ECDHE-RSA-AES128-SHA       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
ECDHE-RSA-AES256-SHA       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
AES128-GCM-SHA256          TLS_RSA_WITH_AES_128_GCM_SHA256
AES256-GCM-SHA384          TLS_RSA_WITH_AES_256_GCM_SHA384
ECDHE-RSA-AES128-SHA256    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
AES128-SHA256              TLS_RSA_WITH_AES_128_CBC_SHA256
AES256-SHA256              TLS_RSA_WITH_AES_256_CBC_SHA256
 
 
Enhancements/New Features


Problems Fixed
  • General
  • Devices with MAC addresses ending with “81:00” (such as f8:66:f2:6d:81:00) were unable to communicate with the OA. Some examples of the observed symptoms were:
    • Attempts to ping the OA from the device fail
    • The OA cannot use such a device as a gateway
    • The OA GUI and CLI cannot be used from this device
  • "CERTS: Failed to open flash"
This had no functional impact; the entry could be ignored.
  • Documentation
    •  In the September 2014 (Edition 23) HP BladeSystem Onboard Administrator CLI User Guide for OA 4.30, within the description of the SET HTTP REQUESTREADTIMEOUT command, a command showing recommended values had the BODY MINRATE value as 50 instead of the correct value 500. The command with the correct recommended values is as follows:
SET HTTP REQUESTREADTIMEOUT HEADER 3-8 MINRATE 500 BODY 5-10 MINRATE 500

This error was corrected in the October 2014 (Edition 24) document. 
  • EFM
    • In rare cases, the Active OA module would reboot unexpectedly during the update of the OA firmware on redundant OA modules. When this issue occurred, the Active OA module would reboot during the transfer of the OA firmware image to the Standby OA module. The OA firmware update would fail to complete successfully; a segmentation fault (SEGV) error would be logged in the Active OA system log. This issue did not cause any firmware or data corruption, and the OA firmware update could be successful if retried following the occurrence of this issue. Note that this issue could only be encountered when updating OA modules running OA 4.30 firmware.
    • Attempts to update the firmware failed on an HP ProLiant Gen9 server blade configured in UEFI Boot Mode or UEFI Optimized Boot Mode. When this failure occurred, the firmware log for the blade server would indicate an error similar to the following for each update attempt, including the two automatic retries that occur on failure:
Jul 15 09:34:19 Unable to detect ISOLINUX booting.
A final status report similar to the following would also be issued:
Jul 15 10:30:33 Firmware Management is incomplete on blade <bay number>.
    • When using an HP Firmware Management ISO image based on a URL that includes the HTTP port (for example, http://10.226.36.35:8080/bp-151ilo-2014-08-26-1.iso), EFM failed to mount the image. The following error message would be displayed:
Unable to mount ISO or validate version information. The URL or ISO is invalid.
CLI commands affected include those that depend on the URL specification via the SET FIRMWARE MANAGEMENT URL command (such as the UPDATE FIRMWARE SERVER command and the UPDATE IMAGE FW_ISO command).
    • The EFM firmware log would indicate "Firmware Management successfully completed on blade x" even if the iLO firmware update failed to complete successfully.
  • IPv6
    • Configuration scripts could not be applied to another OA properly when attempting to configure new EBIPA DNS IPv4/IPv6 addresses or IPv6 routes. Attempts to change the configurations could only add new addresses to those of the previous configuration. It was not possible to replace the existing addresses with the new ones.
The following CLI commands now include the ALL keyword to allow clearing of all unwanted addresses or routes:
REMOVE EBIPA SERVER DNS ALL
REMOVE EBIPAV6 SERVER DNS ALL
REMOVE OA ROUTE IPV6 <ACTIVE|STANDBY> ALL

A configuration script can now use these commands to clear the previous (unwanted) EBIPA DNS IP addresses and IPv6 static routes, and then add the new ones. 
  • KVM
    • Pressing Enter four times consecutively on a keyboard attached to the c7000 Enclosure integrated KVM module would cause the highlighted blade server on the KVM screen to power off or on, depending on its current power state. This issue has been fixed by interchanging the Ok/Confirm and Cancel buttons on the Confirm: Change Server Power and Change Server Power screens so that the Cancel button is highlighted by default instead of the OK or Confirm button. The default focus is set on the Cancel button. (QXCR1001357592)
  •  Security
    • The following security vulnerabilities were fixed:
    • This release of the OA resolves this security vulnerability by compiling OpenSSL with OPENSSL_NO_SRTP (the OA does not use DTLS and SRTP).
      • CVE-2014-0139: A vulnerability affecting SSL/TLS transactions that might allow a man-in-the-middle attacker to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certificate Authority.
      • CVE-2014-0015: A vulnerability when more than one authentication method is enabled and NTLM connections are reused, which might allow context-dependent attackers to authenticate as other users via a request.
      • CVE-2014-0138: A vulnerability affecting certain LDAP connections that might allow context-dependent attackers to connect as other users via a request (similar to issue CVE-2014-0015).
      • CVE-2014-2522: A vulnerability when running on Windows and using an SChannel/Winssl TLS backend. When accessing a URL that uses a numerical IP address, curl does not verify that the server host name matches a domain name in the subject’s CN or subjectAltName field of the X.509 certificate. This allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.
    • In addition, OpenSSL has been updated to version 1.0.1h to address multiple CVE fixes.
  • SSH/SSL keys
    • With OA firmware later than 4.0x, attempts to add an SSH key using the OA CLI ADD SSH KEY command might fail. Intermittently, after issuing the command, the user received an error message ("The submitted file is not a valid SSH key."), in which case the command failed. 
  • SNMP
  • SNMP alerts (or traps) sent from the OA to an IPv6 SNMP alert destination are sent incorrectly to destination port 161 instead of port 162 (per RFC 1157) when no destination port is explicitly specified as part of an IPv6 SNMP alert destination configuration. 
 Known Issues
  • Browsers
    • SSO-to-iLO connection from the OA using an iLO host name fails with Microsoft® Internet Explorer 11 on Windows 8. On a Windows 8 system with Internet Explorer 10 or Internet Explorer 11, if the OA web GUI session is loaded using a host name instead of an IP address, an attempt to open an iLO window using SSO from the OA web GUI might result in the iLO page loading in the OA web GUI window instead of the intended new window.
This issue was determined to be a bug in Internet Explorer and is expected to be fixed in a future release or update for  Internet Explorer.  To work around this issue, either use an IP address to load the OA Web GUI, or turn off Protected Mode for the appropriate zone in Internet Explorer’s settings. This issue occurs only on Internet Explorer browsers.    
  • FIPS
  • Certificates smaller than 2048 bits in size are not compliant with FIPS requirements as enforced by the OA firmware starting with OA 4.20.  When the OA running OA firmware version 4.40 or greater is operating in FIPS Mode ON or DEBUG and is configured with a  1024-bit LDAP certificate that was installed when running a previous version of OA firmware, FIPS Mode ON/DEBUG is considered to be operating in a degraded state due to the presence of the non-compliant certificate.  While operating in this degraded FIPS Mode operational state, attempts to set FIPS Mode OFF from the OA GUI Network Access > FIPS tab will fail and show the error message “The selected FIPS mode is already enabled”.  When the non-compliant certificate is removed, the degraded FIPS operational status is cleared, FIPS Mode can then be successfully set to OFF from the GUI interface.  Note that the OA CLI command SET FIPS MODE OFF can be successfully used to set FIPS Mode OFF even with non-compliant 1024-bit LDAP certificates installed in the OA.


General

  • Devices with MAC addresses ending with “81:00” (such as f8:66:f2:6d:81:00) were unable to communicate with the OA. Some examples of the observed symptoms were:
    • Attempts to ping the OA from the device fail
    • The OA cannot use such a device as a gateway
    • The OA GUI and CLI cannot be used from this device
This had no functional impact; the entry could be ignored.
Documentation
  • In the September 2014 (Edition 23) HP BladeSystem Onboard Administrator CLI User Guide for OA 4.30, within the description of the SET HTTP REQUESTREADTIMEOUT command, a command showing recommended values had the BODY MINRATE value as 50 instead of the correct value 500. The command with the correct recommended values is as follows: SET HTTP REQUESTREADTIMEOUT HEADER 3-8 MINRATE 500 BODY 5-10 MINRATE 500
This error was corrected in the October 2014 (Edition 24) document.
  EFM
  • In rare cases, the Active OA module would reboot unexpectedly during the update of the OA firmware on redundant OA modules. When this issue occurred, the Active OA module would reboot during the transfer of the OA firmware image to the Standby OA module. The OA firmware update would fail to complete successfully; a segmentation fault (SEGV) error would be logged in the Active OA system log. This issue did not cause any firmware or data corruption, and the OA firmware update could be successful if retried following the occurrence of this issue. Note that this issue could only be encountered when updating OA modules running OA 4.30 firmware.
  • Attempts to update the firmware failed on an HP ProLiant Gen9 server blade configured in UEFI Boot Mode or UEFI Optimized Boot Mode. When this failure occurred, the firmware log for the blade server would indicate an error similar to the following for each update attempt, including the two automatic retries that occur on failure:
Jul 15 09:34:19 Unable to detect ISOLINUX booting.
A final status report similar to the following would also be issued:
Jul 15 10:30:33 Firmware Management is incomplete on blade <bay number>.
  • When using an HP Firmware Management ISO image based on a URL that includes the HTTP port (for example, http://10.226.36.35:8080/bp-151ilo-2014-08-26-1.iso), EFM failed to mount the image. The following error message would be displayed:
Unable to mount ISO or validate version information. The URL or ISO is invalid.
CLI commands affected include those that depend on the URL specification via the SET FIRMWARE MANAGEMENT URL command (such as the UPDATE FIRMWARE SERVER command and the UPDATE IMAGE FW_ISO command).
  • The EFM firmware log would indicate "Firmware Management successfully completed on blade x" even if the iLO firmware update failed to complete successfully.
 IPv6
  • Configuration scripts could not be applied to another OA properly when attempting to configure new EBIPA DNS IPv4/IPv6 addresses or IPv6 routes. Attempts to change the configurations could only add new addresses to those of the previous configuration. It was not possible to replace the existing addresses with the new ones. The following CLI commands now include the ALL keyword to allow clearing of all unwanted addresses or routes:
  • REMOVE EBIPA SERVER DNS ALL
  • REMOVE EBIPAV6 SERVER DNS ALL
  • REMOVE OA ROUTE IPV6 <ACTIVE|STANDBY> ALL
A configuration script can now use these commands to clear the previous (unwanted) EBIPA DNS IP addresses and IPv6 static routes, and then add the new ones.   
  KVM
  • Pressing Enter four times consecutively on a keyboard attached to the c7000 Enclosure integrated KVM module would cause the highlighted blade server on the KVM screen to power off or on, depending on its current power state. This issue has been fixed by interchanging the Ok/Confirm and Cancel buttons on the Confirm: Change Server Power and Change Server Power screens so that the Cancel button is highlighted by default instead of the OK or Confirm button. The default focus is set on the Cancel button.
  Security
  • The following security vulnerabilities were fixed:   
  • CVE-2014-3511: A vulnerability could be exploited by launching man-in-the-middle attacks to force the use of TLS 1.0 instead of the intended later version of TLS. This is documented in HP Security Bulletin HPSBMU03104 (https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04427546).
  • CVE-2007-2242: A vulnerability could be exploited by launching denial-of-service attacks via crafted IPv6 type 0 router headers between two routers, resulting in network congestion. This is documented in HP Security Bulletin HPSBMU03104 (https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04427546).
  • CVE-2014-3567: A vulnerability can be exploited to cause a denial-of-service (memory consumption) attack via crafted session tickets that trigger an integrity-check failure.
  • CVE-2014-3513: A vulnerability can be exploited to cause a denial of service (memory consumption) via a crafted handshake message.
  • CVE-2014-3513: SRTP Memory Leak – a memory leak in d1_srtp.c in the DTLS SRTP extension in OpenSSL 1.0.1 (before 1.0.1j) allows remote attackers to cause denial of service (memory consumption) via a crafted handshake message.
  • This release of the OA resolves this security vulnerability by compiling OpenSSL with OPENSSL_NO_SRTP (the OA does not use DTLS and SRTP).
  • CVE-2014-0139: A vulnerability affecting SSL/TLS transactions that might allow a man-in-the-middle attacker to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certificate Authority.
  • CVE-2014-0015: A vulnerability when more than one authentication method is enabled and NTLM connections are reused, which might allow context-dependent attackers to authenticate as other users via a request.
  • CVE-2014-0138: A vulnerability affecting certain LDAP connections that might allow context-dependent attackers to connect as other users via a request (similar to issue CVE-2014-0015).
  • CVE-2014-2522: A vulnerability when running on Windows and using an SChannel/Winssl TLS backend. When accessing a URL that uses a numerical IP address, curl does not verify that the server host name matches a domain name in the subject’s CN or subjectAltName field of the X.509 certificate. This allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate. 
  • In addition, OpenSSL has been updated to version 1.0.1h to address multiple CVE fixes.

 SSH/SSL keys
  • With OA firmware later than 4.0x, attempts to add an SSH key using the OA CLI ADD SSH KEY command might fail. Intermittently, after issuing the command, the user received an error message ("The submitted file is not a valid SSH key."), in which case the command failed. 

SNMP 
  • SNMP alerts (or traps) sent from the OA to an IPv6 SNMP alert destination are sent incorrectly to destination port 161 instead of port 162 (per RFC 1157) when no destination port is explicitly specified as part of an IPv6 SNMP alert destination configuration.
  • The OA HTTP service would become unresponsive and communication to the OA would be lost after removing a local user account with OA administrator level privileges. This issue only occurred when the removed user account had previously been used to configure network services on the OA module.

Version: 4.95 (6 Nov 2019)
Version: 4.90 (2 Apr 2019)
Version: 4.85 (26 Jun 2018)
Version: 4.80 (5 Feb 2018)
Version: 4.71 (16 Jan 2018)
Version: 4.70 (12 Jul 2017)
Version: 4.60 (24 Oct 2016)
Version: 4.50 (1 Oct 2015)
Version: 4.40 (31 Mar 2015)
Version: 4.30 (9 Sep 2014)
Version: 4.23 (19 Jun 2015)
Version: 4.22 (23 Jun 2014)
Version: 4.21 (18 Apr 2014)
Version: 4.13 (24 Jul 2014)
Version: 4.12 (16 Apr 2014)
Version: 4.02 (12 Aug 2014)
Version: 4.01 (10 Sep 2013)
Version: 3.71 (19 Feb 2013)
Version: 3.70 (26 Oct 2012)
Version: 3.60 (4 Sep 2012)
Version: 3.56 (7 Jun 2012)
Version: 3.55 (27 Mar 2012)
Version: 3.50 (26 Mar 2012)
Version: 3.32 (3 Oct 2011)
Version: 3.31 (1 Jun 2011)
Version: 3.30 (28 Apr 2011)
Version: 3.21 (19 Nov 2010)
Version: 3.20(A) (15 Nov 2010)
Version: 3.11 (25 Aug 2010)
Version: 3.10 (21 Jun 2010)
Version: 3.00 (30 Mar 2010)
Version: 2.60 (4 Sep 2009)
Version: 2.52 (31 Jul 2009)
Version: 2.51 (29 May 2009)
Version: 2.50 (22 May 2009)
Version: 2.41 (26 Feb 2009)
Version: 2.32 (12 Dec 2008)
Version: 2.31 (14 Nov 2008)
Version: 2.26 (29 Aug 2008)
Version: 2.25 (1 Aug 2008)
Version: 2.21 (13 Jun 2008)
Version: 2.20 (17 Apr 2008)
Version: 2.13 (15 Feb 2008)
Version: 2.12 (17 Jan 2008)
Version: 2.11 (20 Dec 2007)
Version: 2.10 (28 Nov 2007)
Version: 2.04 (19 Sep 2007)
Version: 2.02(a) (31 Jul 2007)
Version: 2.01 (29 Jun 2007)
Version: 1.30 (15 Feb 2007)
Version: 1.20 (5 Dec 2006)
Version: 1.12 (8 Nov 2006)
Version: 1.11 (11 Oct 2006)
Version: 1.1 (3 Oct 2006)
Version: 1.01 (24 Aug 2006)
Version: 1.00 (23 Aug 2006)

Description

This file contains the firmware image for the HP BladeSystem c-Class Onboard Administrator. This firmware provides management capabilities for the HP BladeSystem c-Class Enclosure.

Enhancements

  • General
    • Cipher suites are now configured and displayed using their RFC 5246 standardized names. 

Installation Instructions

Prerequisites:
The Onboard Administrator Smart Component contains 32-bit executable binaries.  As a result, the client operating system upon which the OA Smart Component is installed and executed must either have native support for 32-bit executables or must have the 32-bit compatibility libraries installed.


To ensure the integrity of your download, HPE recommends verifying your results with this SHA-256 Checksum value:

8cc7f3c7ed7b7e8a15a8ed330e46d9dbafe684bce7b38181787b86a917396bb3 hpoa440.bin
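
Checking the download against the published value, as an added example (not HPE tooling): the script parses the checksum line above, requires the file name to match, and streams the image through SHA-256. It assumes the image was saved as hpoa440.bin and takes the path as its first argument.

```python
import hashlib
import hmac
import os
import string
import sys

# Checksum line exactly as published in these release notes.
PUBLISHED_LINE = (
    "8cc7f3c7ed7b7e8a15a8ed330e46d9dbafe684bce7b38181787b86a917396bb3 hpoa440.bin"
)


def parse_checksum_line(line):
    """Split a '<sha256-hex> <filename>' line and validate the digest field."""
    parts = line.split()
    if len(parts) != 2:
        raise ValueError("expected '<digest> <filename>'")
    digest, name = parts[0].lower(), parts[1].lstrip("*")
    if len(digest) != 64 or any(c not in string.hexdigits for c in digest):
        raise ValueError("digest is not 64 hex characters")
    return digest, name


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large image is never held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, published_line=PUBLISHED_LINE):
    """Return (ok, reason). Refuses a file whose name or digest differs."""
    expected, name = parse_checksum_line(published_line)
    if os.path.basename(path) != name:
        return False, "filename mismatch: expected " + name
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch: got " + actual
    return True, "ok"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: verify_oa_image.py /path/to/hpoa440.bin")
    ok, reason = verify_download(sys.argv[1])
    print(reason)
    # Non-zero exit lets a deployment script stop before the upload step.
    sys.exit(0 if ok else 1)
```
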

Reboot Requirement:
Reboot is optional after installation. Updates will be effective after reboot. Hardware stability will be maintained without reboot.


Installation:
Place the firmware image file onto a system on the same network as the HP BladeSystem c-Class Onboard Administrator.

Log in to the Onboard Administrator’s web-based user interface as an administrator. Firmware Update is available under the Active Onboard Administrator category. You may select the firmware image by entering a path to the file in the "Local File" field or by clicking on the "Browse" button to locate the firmware image on the local machine, a mapped drive, or a network share.

Click "Upload" to begin the firmware update process.

The user guide for the Onboard Administrator is located here.
The user guide for the Onboard Administrator command line interface is located here.


Release Notes

End User License Agreements:
BladeSystem Onboard Administrator Software End User License Agreement


Upgrade Requirement:
Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.

Update to this firmware version if any documented fixes or enhanced functionality provided by this version would be useful to your system.


Important:

Important Notes

  • EFM  
    • The OA only supports SPP ISO images that are less than 4 GB in size, whether hosted directly via the Enclosure DVD feature or an attached USB key, or mounted remotely via a specified URL. If an ISO image exceeds 4 GB,  the CLI SHOW FIRMWARE MANAGEMENT command displays ISO URL Status as “Invalid URL.”
      • If an SPP ISO image exceeds 4 GB, it is necessary to create a custom ISO image that excludes components unnecessary to the OA EFM blade firmware update process.  At a minimum, the custom ISO must contain the firmware components for HP ProLiant BL servers. (When using HP SUM to create the custom ISO image, select Firmware as the Component Type, and select HP ProLiant BL Series as the Server Type.)  For information about creating a custom ISO image compatible for OA EFM functionality, see the HP BladeSystem Onboard Administrator User Guide. More HP SUM information can be found via HP Smart Update Manager online help or at http://www.hp.com/go/hpsum/documentation.
  • IPv6
    • When the Enable DHCPv6 or Enable SLAAC enclosure IPv6 settings are disabled on the Onboard Administrator, the respective DHCPv6 or SLAAC addresses of the iLOs in the enclosure are retained until these addresses expire automatically based on their respective configurations.  A manual reset of the iLO releases these addresses immediately.
  • Security
    • Support for several cipher suites has been removed due to the generally acknowledged weakness of the associated encryption algorithms. The OA now supports only the cipher suites listed in the following table. To successfully establish a secure connection to the OA via SSL, clients must support one or more of these cipher suites.
      • Note specifically that Windows 2003 Active Directory and Internet Explorer might not successfully connect to the OA due to the lack of default support for at least one of the supported cipher suites.
      • You can add the necessary support by installing and enabling Advanced Encryption Standard (AES) based cipher suites in Windows 2003. Refer to Microsoft hotfix available at http://support.microsoft.com/kb/948963.
 
SSL/TLS cipher suites      Standard names for SSL/TLS cipher suites
-------------------------  ----------------------------------------
EDH-RSA-DES-CBC3-SHA       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
DHE-RSA-AES128-SHA         TLS_DHE_RSA_WITH_AES_128_CBC_SHA
DHE-RSA-AES256-SHA         TLS_DHE_RSA_WITH_AES_256_CBC_SHA
AES128-SHA                 TLS_RSA_WITH_AES_128_CBC_SHA
AES256-SHA                 TLS_RSA_WITH_AES_256_CBC_SHA
ECDHE-RSA-DES-CBC3-SHA     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
ECDHE-RSA-AES128-SHA       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
ECDHE-RSA-AES256-SHA       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
AES128-GCM-SHA256          TLS_RSA_WITH_AES_128_GCM_SHA256
AES256-GCM-SHA384          TLS_RSA_WITH_AES_256_GCM_SHA384
ECDHE-RSA-AES128-SHA256    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
AES128-SHA256              TLS_RSA_WITH_AES_128_CBC_SHA256
AES256-SHA256              TLS_RSA_WITH_AES_256_CBC_SHA256


Notes:

Deliverable Name:

HP BladeSystem c-Class Onboard Administrator Firmware

Release Version:

Version 4.40

Previous Version of Firmware:

Version 4.30

Firmware Dependency

For firmware compatibility information please see HP Service Pack for ProLiant Information Library, http://www.hp.com/go/spp/documentation.

 Important Notes

  • EFM
    • The OA only supports SPP ISO images that are less than 4 GB in size, whether hosted directly via the Enclosure DVD feature or an attached USB key, or mounted remotely via a specified URL. If an ISO image exceeds 4 GB, the CLI SHOW FIRMWARE MANAGEMENT command displays ISO URL Status as “Invalid URL.”
      • If an SPP ISO image exceeds 4 GB, it is necessary to create a custom ISO image that excludes components unnecessary to the OA EFM blade firmware update process. At a minimum, the custom ISO must contain the firmware components for HP ProLiant BL servers. (When using HP SUM to create the custom ISO image, select Firmware as the Component Type, and select HP ProLiant BL Series as the Server Type.) For information about creating a custom ISO image compatible for OA EFM functionality, see the HP BladeSystem Onboard Administrator User Guide. More HP SUM information can be found via HP Smart Update Manager online help or at http://www.hp.com/go/hpsum/documentation.
  • FIPS
    • OA 3.71 has received FIPS 140-2 Certification (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2014.htm#2174).
  • IPv6
    • When the Enable DHCPv6, Enable Router Advertisements, or Enable SLAAC enclosure IPv6 settings are disabled on the Onboard Administrator, the respective DHCPv6 or SLAAC addresses of the iLOs in the enclosure are retained until these addresses expire automatically based on their respective configurations. A manual reset of the iLO releases these addresses immediately.
  • Security
    • Support for several cipher suites has been removed due to the generally acknowledged weakness of the associated encryption algorithms. The OA now supports only the cipher suites listed in the following table. To successfully establish a secure connection to the OA via SSL, clients must support one or more of these cipher suites.
      • Note specifically that Windows 2003 Active Directory and Internet Explorer might not successfully connect to the OA due to the lack of default support for at least one of the supported cipher suites listed.
      • You can add the necessary support by installing and enabling Advanced Encryption Standard (AES) based cipher suites in Windows 2003. Refer to Microsoft hotfix available at http://support.microsoft.com/kb/948963.

SSL/TLS cipher suites      Standard names for SSL/TLS cipher suites
-------------------------  ----------------------------------------
EDH-RSA-DES-CBC3-SHA       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
DHE-RSA-AES128-SHA         TLS_DHE_RSA_WITH_AES_128_CBC_SHA
DHE-RSA-AES256-SHA         TLS_DHE_RSA_WITH_AES_256_CBC_SHA
AES128-SHA                 TLS_RSA_WITH_AES_128_CBC_SHA
AES256-SHA                 TLS_RSA_WITH_AES_256_CBC_SHA
ECDHE-RSA-DES-CBC3-SHA     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
ECDHE-RSA-AES128-SHA       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
ECDHE-RSA-AES256-SHA       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
AES128-GCM-SHA256          TLS_RSA_WITH_AES_128_GCM_SHA256
AES256-GCM-SHA384          TLS_RSA_WITH_AES_256_GCM_SHA384
ECDHE-RSA-AES128-SHA256    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
AES128-SHA256              TLS_RSA_WITH_AES_128_CBC_SHA256
AES256-SHA256              TLS_RSA_WITH_AES_256_CBC_SHA256
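
A client-compatibility check built from the cipher-suite table above (the same table also appears under Important), as an added example rather than HPE code: it accepts either naming style, reports which suites a client and the OA have in common, and flags forward secrecy and 3DES. The two sample offers are constructed for illustration and are not a captured Windows 2003 handshake.

```python
import ssl

# Table from these release notes: OpenSSL-style name -> standard name.
OA_SUITES = {
    "EDH-RSA-DES-CBC3-SHA": "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "DHE-RSA-AES128-SHA": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "DHE-RSA-AES256-SHA": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "AES256-SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "ECDHE-RSA-DES-CBC3-SHA": "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "ECDHE-RSA-AES128-SHA": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "ECDHE-RSA-AES256-SHA": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "AES128-GCM-SHA256": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "AES256-GCM-SHA384": "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "AES128-SHA256": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "AES256-SHA256": "TLS_RSA_WITH_AES_256_CBC_SHA256",
}
STANDARD_NAMES = set(OA_SUITES.values())


def to_standard(name):
    """Standard name of a suite the OA supports (either naming style), else None."""
    name = name.strip()
    return name if name in STANDARD_NAMES else OA_SUITES.get(name)


def describe(standard_name):
    """Break TLS_<kx>_WITH_<cipher>_<hash> into its parts and security properties."""
    kx, _, rest = standard_name[len("TLS_"):].partition("_WITH_")
    cipher, _, hash_name = rest.rpartition("_")
    return {
        "key_exchange": kx,
        "cipher": cipher,
        "hash": hash_name,
        "forward_secrecy": kx.startswith(("DHE", "ECDHE")),
        "aead": cipher.endswith("GCM"),
        "triple_des": cipher.startswith("3DES"),
    }


def negotiable(client_offer):
    """Suites both sides support, kept in the client's preference order."""
    common = []
    for name in client_offer:
        std = to_standard(name)
        if std and std not in common:
            common.append(std)
    return common


def audit(client_offer):
    """Summarise whether a client can connect and how strong the overlap is."""
    common = negotiable(client_offer)
    details = [describe(s) for s in common]
    return {
        "can_connect": bool(common),
        "common": common,
        "forward_secret": [s for s, d in zip(common, details) if d["forward_secrecy"]],
        "triple_des_only": bool(common) and all(d["triple_des"] for d in details),
    }


def local_client_offer():
    """Cipher names this Python/OpenSSL build would offer by default."""
    return [c["name"] for c in ssl.create_default_context().get_ciphers()]


# Constructed sample offers (illustrative only): a client without AES suites,
# and the same client after AES-based suites have been enabled.
NO_AES_OFFER = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
WITH_AES_OFFER = NO_AES_OFFER + [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

if __name__ == "__main__":
    for label, offer in (("no AES", NO_AES_OFFER), ("AES enabled", WITH_AES_OFFER),
                         ("this host", local_client_offer())):
        print(label, audit(offer))
```
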
 
 
Enhancements/New Features


Problems Fixed
  • General
    • Devices with MAC addresses ending with “81:00” (such as f8:66:f2:6d:81:00) were unable to communicate with the OA. Some examples of the observed symptoms were:
      • Attempts to ping the OA from the device fail
      • The OA cannot use such a device as a gateway
      • The OA GUI and CLI cannot be used from this device
    • "CERTS: Failed to open flash"
      This had no functional impact; the entry could be ignored.
  • Documentation
    •  In the September 2014 (Edition 23) HP BladeSystem Onboard Administrator CLI User Guide for OA 4.30, within the description of the SET HTTP REQUESTREADTIMEOUT command, a command showing recommended values had the BODY MINRATE value as 50 instead of the correct value 500. The command with the correct recommended values is as follows:
SET HTTP REQUESTREADTIMEOUT HEADER 3-8 MINRATE 500 BODY 5-10 MINRATE 500

This error was corrected in the October 2014 (Edition 24) document. 
  • EFM
    • In rare cases, the Active OA module would reboot unexpectedly during the update of the OA firmware on redundant OA modules. When this issue occurred, the Active OA module would reboot during the transfer of the OA firmware image to the Standby OA module. The OA firmware update would fail to complete successfully; a segmentation fault (SEGV) error would be logged in the Active OA system log. This issue did not cause any firmware or data corruption, and the OA firmware update could be successful if retried following the occurrence of this issue. Note that this issue could only be encountered when updating OA modules running OA 4.30 firmware.
    • Attempts to update the firmware failed on an HP ProLiant Gen9 server blade configured in UEFI Boot Mode or UEFI Optimized Boot Mode. When this failure occurred, the firmware log for the blade server would indicate an error similar to the following for each update attempt, including the two automatic retries that occur on failure:
Jul 15 09:34:19 Unable to detect ISOLINUX booting.
A final status report similar to the following would also be issued:
Jul 15 10:30:33 Firmware Management is incomplete on blade <bay number>.
    • When using an HP Firmware Management ISO image based on a URL that includes the HTTP port (for example, http://10.226.36.35:8080/bp-151ilo-2014-08-26-1.iso), EFM failed to mount the image. The following error message would be displayed:
Unable to mount ISO or validate version information. The URL or ISO is invalid.
CLI commands affected include those that depend on the URL specification via the SET FIRMWARE MANAGEMENT URL command (such as the UPDATE FIRMWARE SERVER command and the UPDATE IMAGE FW_ISO command).
    • The EFM firmware log would indicate "Firmware Management successfully completed on blade x" even if the iLO firmware update failed to complete successfully.
  • IPv6
    • Configuration scripts could not be applied to another OA properly when attempting to configure new EBIPA DNS IPv4/IPv6 addresses or IPv6 routes. Attempts to change the configurations could only add new addresses to those of the previous configuration. It was not possible to replace the existing addresses with the new ones.
The following CLI commands now include the ALL keyword to allow clearing of all unwanted addresses or routes:
REMOVE EBIPA SERVER DNS ALL
REMOVE EBIPAV6 SERVER DNS ALL
REMOVE OA ROUTE IPV6 <ACTIVE|STANDBY> ALL

A configuration script can now use these commands to clear the previous (unwanted) EBIPA DNS IP addresses and IPv6 static routes, and then add the new ones. 
  • KVM
    • Pressing Enter four times consecutively on a keyboard attached to the c7000 Enclosure integrated KVM module would cause the highlighted blade server on the KVM screen to power off or on, depending on its current power state. This issue has been fixed by interchanging the Ok/Confirm and Cancel buttons on the Confirm: Change Server Power and Change Server Power screens so that the Cancel button is highlighted by default instead of the OK or Confirm button. The default focus is set on the Cancel button. (QXCR1001357592)
  •  Security
    • The following security vulnerabilities were fixed:
    • This release of the OA resolves the SRTP memory leak vulnerability (CVE-2014-3513) by compiling OpenSSL with OPENSSL_NO_SRTP (the OA does not use DTLS and SRTP).
      • CVE-2014-0139: A vulnerability affecting SSL/TLS transactions that might allow a man-in-the-middle attacker to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certificate Authority.
      • CVE-2014-0015: A vulnerability when more than one authentication method is enabled and NTLM connections are reused, which might allow context-dependent attackers to authenticate as other users via a request.
      • CVE-2014-0138: A vulnerability affecting certain LDAP connections that might allow context-dependent attackers to connect as other users via a request (similar to issue CVE-2014-0015).
      • CVE-2014-2522: A vulnerability when running on Windows and using an SChannel/Winssl TLS backend. When accessing a URL that uses a numerical IP address, curl does not verify that the server host name matches a domain name in the subject’s CN or subjectAltName field of the X.509 certificate. This allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.
    • In addition, OpenSSL has been updated to version 1.0.1h to address multiple CVE fixes.
  • SSH/SSL keys
    • With OA firmware later than 4.0x, attempts to add an SSH key using the OA CLI ADD SSH KEY command might fail. Intermittently, after issuing the command, the user received an error message ("The submitted file is not a valid SSH key."), in which case the command failed. 
  • SNMP
    • SNMP alerts (or traps) sent from the OA to an IPv6 SNMP alert destination are sent incorrectly to destination port 161 instead of port 162 (per RFC 1157) when no destination port is explicitly specified as part of an IPv6 SNMP alert destination configuration.

Known Issues
  • Browsers
    • SSO-to-iLO connection from the OA using an iLO host name fails with Microsoft® Internet Explorer 11 on Windows 8. On a Windows 8 system with Internet Explorer 10 or Internet Explorer 11, if the OA web GUI session is loaded using a host name instead of an IP address, an attempt to open an iLO window using SSO from the OA web GUI might result in the iLO page loading in the OA web GUI window instead of the intended new window.
This issue was determined to be a bug in Internet Explorer and is expected to be fixed in a future release or update for  Internet Explorer.  To work around this issue, either use an IP address to load the OA Web GUI, or turn off Protected Mode for the appropriate zone in Internet Explorer’s settings. This issue occurs only on Internet Explorer browsers.    
  • FIPS
    • Certificates smaller than 2048 bits in size are not compliant with FIPS requirements as enforced by the OA firmware starting with OA 4.20. When the OA running OA firmware version 4.40 or greater is operating in FIPS Mode ON or DEBUG and is configured with a 1024-bit LDAP certificate that was installed when running a previous version of OA firmware, FIPS Mode ON/DEBUG is considered to be operating in a degraded state due to the presence of the non-compliant certificate. While operating in this degraded FIPS Mode operational state, attempts to set FIPS Mode OFF from the OA GUI Network Access > FIPS tab will fail and show the error message “The selected FIPS mode is already enabled”. When the non-compliant certificate is removed, the degraded FIPS operational status is cleared and FIPS Mode can then be successfully set to OFF from the GUI interface. Note that the OA CLI command SET FIPS MODE OFF can be successfully used to set FIPS Mode OFF even with non-compliant 1024-bit LDAP certificates installed in the OA.


Fixes


General

  • Devices with MAC addresses ending with “81:00” (such as f8:66:f2:6d:81:00) were unable to communicate with the OA. Some examples of the observed symptoms were:
    • Attempts to ping the OA from the device fail
    • The OA cannot use such a device as a gateway
    • The OA GUI and CLI cannot be used from this device
  • "CERTS: Failed to open flash"
    This had no functional impact; the entry could be ignored.

Documentation
  • In the September 2014 (Edition 23) HP BladeSystem Onboard Administrator CLI User Guide for OA 4.30, within the description of the SET HTTP REQUESTREADTIMEOUT command, a command showing recommended values had the BODY MINRATE value as 50 instead of the correct value 500. The command with the correct recommended values is as follows:
SET HTTP REQUESTREADTIMEOUT HEADER 3-8 MINRATE 500 BODY 5-10 MINRATE 500
This error was corrected in the October 2014 (Edition 24) document.

EFM
  • In rare cases, the Active OA module would reboot unexpectedly during the update of the OA firmware on redundant OA modules. When this issue occurred, the Active OA module would reboot during the transfer of the OA firmware image to the Standby OA module. The OA firmware update would fail to complete successfully; a segmentation fault (SEGV) error would be logged in the Active OA system log. This issue did not cause any firmware or data corruption, and the OA firmware update could be successful if retried following the occurrence of this issue. Note that this issue could only be encountered when updating OA modules running OA 4.30 firmware.
  • Attempts to update the firmware failed on an HP ProLiant Gen9 server blade configured in UEFI Boot Mode or UEFI Optimized Boot Mode. When this failure occurred, the firmware log for the blade server would indicate an error similar to the following for each update attempt, including the two automatic retries that occur on failure:
Jul 15 09:34:19 Unable to detect ISOLINUX booting.
A final status report similar to the following would also be issued:
Jul 15 10:30:33 Firmware Management is incomplete on blade <bay number>.
  • When using an HP Firmware Management ISO image based on a URL that includes the HTTP port (for example, http://10.226.36.35:8080/bp-151ilo-2014-08-26-1.iso), EFM failed to mount the image. The following error message would be displayed:
Unable to mount ISO or validate version information. The URL or ISO is invalid.
CLI commands affected include those that depend on the URL specification via the SET FIRMWARE MANAGEMENT URL command (such as the UPDATE FIRMWARE SERVER command and the UPDATE IMAGE FW_ISO command).
  • The EFM firmware log would indicate "Firmware Management successfully completed on blade x" even if the iLO firmware update failed to complete successfully.

IPv6
  • Configuration scripts could not be applied to another OA properly when attempting to configure new EBIPA DNS IPv4/IPv6 addresses or IPv6 routes. Attempts to change the configurations could only add new addresses to those of the previous configuration. It was not possible to replace the existing addresses with the new ones. The following CLI commands now include the ALL keyword to allow clearing of all unwanted addresses or routes:
  • REMOVE EBIPA SERVER DNS ALL
  • REMOVE EBIPAV6 SERVER DNS ALL
  • REMOVE OA ROUTE IPV6 <ACTIVE|STANDBY> ALL
A configuration script can now use these commands to clear the previous (unwanted) EBIPA DNS IP addresses and IPv6 static routes, and then add the new ones.   

KVM
  • Pressing Enter four times consecutively on a keyboard attached to the c7000 Enclosure integrated KVM module would cause the highlighted blade server on the KVM screen to power off or on, depending on its current power state. This issue has been fixed by interchanging the Ok/Confirm and Cancel buttons on the Confirm: Change Server Power and Change Server Power screens so that the Cancel button is highlighted by default instead of the OK or Confirm button. The default focus is set on the Cancel button.

Security
  • The following security vulnerabilities were fixed:
  • CVE-2014-3511: A vulnerability could be exploited by launching man-in-the-middle attacks to force the use of TLS 1.0 instead of the intended later version of TLS. This is documented in HP Security Bulletin HPSBMU03104 (https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04427546).
  • CVE-2007-2242: A vulnerability could be exploited by launching denial-of-service attacks via crafted IPv6 type 0 router headers between two routers, resulting in network congestion. This is documented in HP Security Bulletin HPSBMU03104 (https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04427546).
  • CVE-2014-3567: A vulnerability can be exploited to cause a denial-of-service (memory consumption) attack via crafted session tickets that trigger an integrity-check failure.
  • CVE-2014-3513: A vulnerability can be exploited to cause a denial of service (memory consumption) via a crafted handshake message.
  • CVE-2014-3513: SRTP Memory Leak – a memory leak in d1_srtp.c in the DTLS SRTP extension in OpenSSL 1.0.1 (before 1.0.1j) allows remote attackers to cause denial of service (memory consumption) via a crafted handshake message.
    • This release of the OA resolves this security vulnerability by compiling OpenSSL with OPENSSL_NO_SRTP (the OA does not use DTLS and SRTP).
  • CVE-2014-0139: A vulnerability affecting SSL/TLS transactions that might allow a man-in-the-middle attacker to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certificate Authority.
  • CVE-2014-0015: A vulnerability when more than one authentication method is enabled and NTLM connections are reused, which might allow context-dependent attackers to authenticate as other users via a request.
  • CVE-2014-0138: A vulnerability affecting certain LDAP connections that might allow context-dependent attackers to connect as other users via a request (similar to issue CVE-2014-0015).
  • CVE-2014-2522: A vulnerability when running on Windows and using an SChannel/Winssl TLS backend. When accessing a URL that uses a numerical IP address, curl does not verify that the server host name matches a domain name in the subject’s CN or subjectAltName field of the X.509 certificate. This allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate. 
  • In addition, OpenSSL has been updated to version 1.0.1h to address multiple CVE fixes.

SSH/SSL keys
  • With OA firmware later than 4.0x, attempts to add an SSH key using the OA CLI ADD SSH KEY command might fail. Intermittently, after issuing the command, the user received an error message ("The submitted file is not a valid SSH key."), in which case the command failed. 

SNMP
  • SNMP alerts (or traps) sent from the OA to an IPv6 SNMP alert destination are sent incorrectly to destination port 161 instead of port 162 (per RFC 1157) when no destination port is explicitly specified as part of an IPv6 SNMP alert destination configuration.
  • The OA HTTP service would become unresponsive and communication to the OA would be lost after removing a local user account with OA administrator level privileges. This issue only occurred when the removed user account had previously been used to configure network services on the OA module.

Legal notice: Products sold before November 1, 2015, the date of the separation of Hewlett-Packard Company into Hewlett Packard Enterprise Company and HP Inc., may have other names and model numbers that differ from the current versions.