White Papers
PAGE 22 OF 24
[Figure 4: Virtual Media Architecture. Components: Managed System (Web Server, Virtual Media Server) and Management Station (Client, Virtual Media Client). Flows: SSL Channel; Connection Request; VM Info with Authentication Key; SSL if VM encryption enabled; Open session request (authentication key); Session established; Authentication Key exchanged on both sides.]
Figure 4: Virtual Media Architecture
Console Redirection Security
Authentication and Encryption
DRAC 5 can continuously redirect the managed system's video, keyboard and mouse (KVM) to
the management station. This is a very powerful feature: it is easy to use and does not require any
software installation on the managed system. A user can access this feature to remotely manage
the system as if they were sitting in front of it.
A security authentication and encryption protocol is implemented in console redirection to
prevent a hostile, rogue client from breaking into the console redirection path without authenticating
through the web server. 128-bit SSL encryption secures the keyboard keystrokes during the remote
console redirection session and therefore prevents unauthorized "snooping" of the network traffic.
The following sequence of security protocol operations is performed during the establishment of a
console redirection session:
1) A user logs into the main web GUI and then clicks the "Open Consoles" tab.
2) The web GUI sends a pre-authentication request to the DRAC 5 web server via the HTTPS
channel (SSL encrypted).
3) The DRAC 5 web server returns a set of secret data (including an encryption key) via the SSL
channel. The console redirection authentication key (32 bytes long) is dynamically generated
to prevent replay attacks.
4) The console redirection client sends a login command with the authentication key to the console
redirection server's keyboard/mouse port for authentication via the SSL channel.
5) If authentication is successful, a console redirection session and two console redirection pipes
(one for keyboard/mouse and one for video) are established. The keyboard/mouse pipe is
always SSL encrypted. Encryption of the video pipe is optional: users can choose whether or
not to encrypt the video pipe before they start their console redirection session.
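The five-step sequence above, modelled as an added example that is not Dell's code and does not reflect how DRAC 5 firmware is actually implemented: the web server hands a fresh 32-byte key only to an authenticated web session, and the console redirection server accepts that key once, within a short validity window, before opening the two pipes. The class and function names, the 30-second key lifetime and the single-use rule are assumptions of this model.

```python
import hmac
import os
import time


class ConsoleRedirectionServer:
    """Keyboard/mouse port of the console redirection server (constructed model)."""

    def __init__(self, key_ttl=30.0, clock=time.monotonic):
        self.pending = []          # (key, expiry) pairs issued by the web server
        self.key_ttl = key_ttl     # assumed lifetime of an unused key, in seconds
        self.clock = clock

    def register_key(self, key):
        # Called by the web server after pre-authentication (step 3).
        self.pending.append((key, self.clock() + self.key_ttl))

    def login(self, key, encrypt_video):
        """Step 4: client presents the key over the SSL channel.
        Returns the session (step 5) or None if the key is unknown, expired or reused."""
        now = self.clock()
        for i, (issued, expiry) in enumerate(self.pending):
            if hmac.compare_digest(issued, key):       # constant-time comparison
                del self.pending[i]                    # single use: a replayed key fails
                if now > expiry:
                    return None
                return {"keyboard_mouse_encrypted": True,        # always SSL
                        "video_encrypted": bool(encrypt_video)}  # user's choice
        return None


class WebServer:
    """DRAC 5 web server role (constructed): issues keys only to a logged-in web session."""

    def __init__(self, kvm_server):
        self.kvm = kvm_server

    def pre_authenticate(self, web_session_authenticated):
        """Steps 2-3: return 32 bytes of fresh secret data over the HTTPS channel."""
        if not web_session_authenticated:
            raise PermissionError("log in to the web GUI first (step 1)")
        key = os.urandom(32)       # dynamically generated, never reused
        self.kvm.register_key(key)
        return key


def run_session(encrypt_video=False):
    """Steps 1-5 end to end; the second login replays the same key and must fail."""
    kvm = ConsoleRedirectionServer()
    key = WebServer(kvm).pre_authenticate(web_session_authenticated=True)
    return kvm.login(key, encrypt_video), kvm.login(key, encrypt_video)
```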