OpenManage Mobile at-the-server and at-the-chassis security
Dell EMC Technical White Paper
1 OpenManage Mobile at-the-server and at-the-chassis security
OpenManage Mobile (OMM) can:
• Communicate directly with an iDRAC while at-the-server by using the Quick Sync 2 module and Quick Sync bezel technology. It can also communicate with an MX7000 chassis by using the Quick Sync 2 module.
• Read server or MX chassis health, inventory, and configuration information, including the Lifecycle Controller logs.
• Provision iDRAC settings such as the network configuration, root credentials, first boot device, and location information.
Administrators may power-cycle a system by using Quick Sync 2 or Quick Sync. Administrators who use Quick Sync 2 to run RACADM commands have access to all the iDRAC troubleshooting capabilities.
1.1 Quick Sync 2 module security
On the latest generation of PowerEdge servers and MX chassis equipped with the Quick Sync 2 module, OMM uses BLE and Wi-Fi to communicate. Quick Sync 2 modules support both Android and iOS. Quick Sync 2 technology provides a level of physical security: to activate a Quick Sync 2 module, an administrator must be physically present at the server to press the activation button. The activation button is a physical button on servers and a virtual button on the MX chassis LCD. Until Quick Sync 2 is activated, no information can be exchanged or observed.
Before authentication to the server or chassis, Quick Sync 2 BLE communications are attenuated to a range of about 1 meter for typical devices. After authentication, the range is extended; the typical range is 5 meters but may vary with the RF environment. The range of the Quick Sync Wi-Fi after activation is about 5 meters.
Quick Sync 2 BLE connections are limited to one mobile device per server at a time, and repeated attempts to access a system with invalid credentials trigger a lockout that requires manual reactivation of Quick Sync 2 (by pressing the button).
After connecting to a server by using Quick Sync 2 BLE, a specifically adapted version of the industry-standard TLS 1.2 protocol is used to communicate with the server. Diffie-Hellman key exchange is performed by using 2048-bit or larger primes, and 128-bit symmetric AES keys encrypt all subsequently exchanged BLE data. The GCM authenticated encryption with associated data (AEAD) cipher mode is used with unique sequence numbers to protect against tampering, information disclosure, and replay attacks.
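The record layer described above, sketched as an added example in Go. This is not Dell's implementation and does not reproduce the Quick Sync 2 wire format; it shows the mechanism the paragraph names: AES-128-GCM where the per-frame sequence number serves both as the nonce counter and as the associated data, so a receiver rejects a replayed frame by its sequence number and a modified frame by its GCM tag. Assumptions made here and not stated by the paper: the key derivation (SHA-256 of the shared secret, truncated to 128 bits), strict in-order delivery over BLE (no reordering window), a constructed shared secret standing in for the output of the 2048-bit DH exchange, and the sample RACADM commands used as payloads.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame is one record on the BLE link: the sequence number travels in the
// clear and is bound to the ciphertext as GCM associated data.
type Frame struct {
	Seq        uint64
	Ciphertext []byte // GCM output with the 16-byte tag appended
}

// Channel is one direction of an AES-128-GCM record layer.
type Channel struct {
	aead    cipher.AEAD
	nextSeq uint64 // sender: next number to use; receiver: next number expected
}

var ErrReplay = errors.New("replayed or out-of-order frame rejected")
var ErrTamper = errors.New("GCM authentication failed, frame rejected")

// DeriveSessionKey turns the Diffie-Hellman shared secret into a 16-byte AES-128
// key. Assumption: SHA-256 truncated to 128 bits stands in for the unnamed KDF.
func DeriveSessionKey(shared []byte) []byte {
	sum := sha256.Sum256(shared)
	return sum[:16]
}

func NewChannel(key []byte) (*Channel, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Channel{aead: aead, nextSeq: 1}, nil
}

// seqBytes is the associated data; nonceFor embeds the same counter in the
// 96-bit GCM nonce so that no nonce is ever reused under one session key.
func seqBytes(seq uint64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, seq)
	return b
}

func nonceFor(seq uint64) []byte {
	return append(make([]byte, 4), seqBytes(seq)...)
}

// Seal encrypts one record and advances the sender's counter.
func (c *Channel) Seal(plaintext []byte) Frame {
	seq := c.nextSeq
	c.nextSeq++
	return Frame{Seq: seq, Ciphertext: c.aead.Seal(nil, nonceFor(seq), plaintext, seqBytes(seq))}
}

// Open verifies and decrypts one record. BLE delivers frames in order, so any
// number other than the next expected one is treated as a replay or injection
// (assumption: strict ordering). A modified ciphertext, tag, or sequence number
// fails the GCM check and is rejected without advancing the counter.
func (c *Channel) Open(f Frame) ([]byte, error) {
	if f.Seq != c.nextSeq {
		return nil, ErrReplay
	}
	pt, err := c.aead.Open(nil, nonceFor(f.Seq), f.Ciphertext, seqBytes(f.Seq))
	if err != nil {
		return nil, ErrTamper
	}
	c.nextSeq++
	return pt, nil
}

func main() {
	// Constructed stand-in for the DH output; both ends hold the same secret.
	key := DeriveSessionKey([]byte("shared secret from the 2048-bit DH exchange"))
	tx, _ := NewChannel(key) // phone side
	rx, _ := NewChannel(key) // iDRAC side

	f1 := tx.Seal([]byte("racadm getsysinfo")) // constructed sample command
	pt, err := rx.Open(f1)
	fmt.Printf("frame 1: %q err=%v\n", pt, err)

	_, err = rx.Open(f1) // replaying frame 1
	fmt.Println("replay:", err)

	f2 := tx.Seal([]byte("racadm getniccfg"))
	bad := Frame{Seq: f2.Seq, Ciphertext: append([]byte(nil), f2.Ciphertext...)}
	bad.Ciphertext[0] ^= 0x01 // one flipped ciphertext bit
	_, err = rx.Open(bad)
	fmt.Println("tamper:", err)
}
```

Binding the counter into the nonce is what keeps GCM safe under one key: a repeated nonce with AES-GCM leaks the authentication key, so the counter must never wrap or be reused, which in practice means the session is re-keyed (here, a fresh DH exchange) before that can happen. Placing the same counter in the associated data lets the receiver check the sequence before decrypting and makes a frame with a rewritten sequence number fail authentication rather than decrypt under the wrong nonce.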
Quick Sync 2 Wi-Fi is activated only when required for higher-bandwidth or IP-based communications. Whenever Quick Sync 2 Wi-Fi is activated, a new random WPA2-PSK key is generated and exchanged with OMM over the BLE connection. The relatively short key lifetime helps protect Wi-Fi level communications. Diagnostics information, RACADM commands, and iDRAC GUI access are further protected by HTTPS in the same manner as remote connections. Remote desktop connections may be protected by using VNC over SSH or VNC over TLS.
By default, Quick Sync 2 module users are authenticated to iDRAC by using the iDRAC credentials (the same applies to MX chassis). The 14th generation PowerEdge servers generally ship with a randomized secure default password. If a legacy default password (root/calvin) is specifically requested, Quick Sync 2 requires