Dell EMC iDRAC Service Module 4.0.1 User’s Guide
Security configurations and compatibility
iDRAC Service Module (iSM) is deployed with a default security configuration that protects against incidents such as DLL
hijacking, DLL tampering, and information disclosure. This section describes the security configuration that iSM is installed with.
Topics:
• Enhanced security between iSM and iDRAC communication using the TLS protocol
• Authenticate DLLs and shared objects before loading
Enhanced security between iSM and iDRAC communication using the TLS protocol
Data communication between iSM and iDRAC uses TLS-protected USBNIC INET sockets. This protects all data
transported from iDRAC to iSM over USBNIC. iSM and iDRAC use self-signed certificates to control authentication. The
self-signed certificates are valid for 10 years. New self-signed certificates are generated at every new installation of
iSM. Reinstall iSM when the certificates expire.
NOTE: iSM reinstall (repair) does not work on Linux operating systems. You must uninstall and then install iSM on Linux
operating systems.
NOTE: When iSM's TLS-client certificate expires, communication between iSM and iDRAC fails and an operating system
audit log is generated. You are then required to reinstall iSM on the host operating system.
NOTE: When Federal Information Processing Standards (FIPS) mode is enabled either on the host operating system or
iDRAC, the communication between iSM and iDRAC is not established.
Policy settings for OS-BMC Passthru on VMware ESXi
The following are the commands and the affected parameters of the policy settings for the OS-BMC Passthru interface on VMware ESXi:
esxcli network vswitch standard portgroup policy security set -u -p "iDRAC Network"
Allow Promiscuous: false
Allow MAC Address Change: false
Allow Forged Transmits: false
esxcli network vswitch standard policy security set -v vSwitchiDRACvusb -f false -m false
Override vSwitch Allow Promiscuous: false
Override vSwitch Allow MAC Address Change: false
Override vSwitch Allow Forged Transmits: false
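The following audit script is an added example, not part of the Dell EMC guide: it parses the output of the matching esxcli "get" commands and reports any of the three parameters that is missing or no longer false. The function names and the sample output are constructed for illustration, and the output layout is assumed to match the parameter names listed above.

```shell
#!/bin/sh
# Added example (not Dell EMC code): check that the OS-BMC Passthru port group
# and vSwitch still carry the three security settings listed in the guide.

REQUIRED='Allow Promiscuous
Allow MAC Address Change
Allow Forged Transmits'

# Reads "esxcli ... policy security get" output on stdin. Prints one line per
# required parameter that is missing or not "false"; returns 0 only if clean.
policy_drift() {
    input=$(cat)
    drift=0
    while IFS= read -r key; do
        # Anchor at line start so "Override vSwitch <key>" lines do not match.
        value=$(printf '%s\n' "$input" |
            sed -n "s/^[[:space:]]*$key:[[:space:]]*//p" |
            head -n 1 | tr -d '[:space:]')
        case "$value" in
            false) ;;
            '') echo "DRIFT: $key is missing from the output"; drift=1 ;;
            *)  echo "DRIFT: $key = $value (expected false)"; drift=1 ;;
        esac
    done <<EOF
$REQUIRED
EOF
    return "$drift"
}

# Constructed sample: a port group where promiscuous mode was re-enabled.
sample_drifted() {
    printf '   Allow Promiscuous: true\n'
    printf '   Allow MAC Address Change: false\n'
    printf '   Allow Forged Transmits: false\n'
    printf '   Override vSwitch Allow Promiscuous: true\n'
}

if command -v esxcli >/dev/null 2>&1; then
    # Live check on an ESXi host, using the names from the guide.
    esxcli network vswitch standard portgroup policy security get \
        -p "iDRAC Network" | policy_drift || echo "port group needs attention"
    esxcli network vswitch standard policy security get \
        -v vSwitchiDRACvusb | policy_drift || echo "vSwitch needs attention"
else
    sample_drifted | policy_drift || echo "sample shows drift, as constructed"
fi
```

A nonzero return from policy_drift can be used to raise an alert from a scheduled job or a configuration-compliance check.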
Authenticate DLLs and shared objects before loading
Secure loading of libraries in iSM prevents attacks such as DLL hijacking, DLL preloading, and binary planting. To secure
iSM from such attacks, this feature will not:
● load dynamic libraries from any arbitrary path.
● load any unsigned library.