Users Guide
Using hash passwords for improved security
On PowerEdge servers with version 2.xx.xx.xx, you can set user passwords and BIOS passwords using a
one-way hash format. The user authentication mechanism is not affected (except for SNMPv3 and IPMI),
and you can still provide the password in plain text format.
With the new password hash feature:
• You can generate your own SHA256 hashes to set iDRAC user passwords and BIOS passwords. This
allows you to have the SHA256 values in the server configuration profile, RACADM, and WSMAN.
When you provide the SHA256 password values, you cannot authenticate through SNMPv3 and IPMI.
• You can set up a template server including all the iDRAC user accounts and BIOS passwords using the
current plain text mechanism. After the server is set up, you can export the server configuration profile
with the passwords as hash values. The export includes the hash values required for SNMPv3 and
IPMI authentication.
NOTE: When downgrading a Dell 12th generation PowerEdge server from version 2.xx.xx.xx to
1.xx.xx, if the server is set with hash authentication, then you will not be able to log in to any
interface unless the password is set to default.
You can generate the hash password with and without Salt using SHA256.
You must have Server Control privileges to include and export hash passwords.
If access to all accounts is lost, use iDRAC Settings Utility or local RACADM and perform the reset
iDRAC to default task.
If the iDRAC user account’s password is set with the SHA256 password hash only and not the other
hashes (SHA1v3Key or MD5v3Key), then authentication through SNMPv3 and IPMI is not available.
Hash password using RACADM
Use the following objects with the racadm set subcommand to set hash passwords:
• iDRAC.Users.SHA256Password
• iDRAC.Users.SHA256PasswordSalt
Use the following command to include the hash password in the exported server configuration profile:
racadm get -f <file name> -l <NFS / CIFS share> -u <username> -p <password> -t <filetype> --includePH
You must set the Salt attribute when the associated hash is set.
NOTE: The attributes are not applicable to the INI configuration file.
Hash password in server configuration profile
The new hash passwords can be optionally exported in the server configuration profile.
When importing a server configuration profile, you can uncomment the existing password attribute or the
new password hash attribute(s). If both are uncommented, an error is generated and the password is not
set. A commented attribute is not applied during an import.
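The following pre-import check is an added example, not part of the original guide. It flags, per user index, the conditions described above: plain text and hash attributes both uncommented, a hash set without its Salt, and a SHA256-only account that loses SNMPv3 and IPMI authentication. The XML element layout and the "Users.N#Attribute" naming are assumptions about the profile format, and all values are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample; layout and "Users.N#Name" naming are assumed, values are placeholders.
SAMPLE_SCP = """<SystemConfiguration>
<Component FQDD="iDRAC.Embedded.1">
 <Attribute Name="Users.2#UserName">opsadmin</Attribute>
 <Attribute Name="Users.2#Password">PLACEHOLDER</Attribute>
 <Attribute Name="Users.2#SHA256Password">HASH-PLACEHOLDER</Attribute>
 <Attribute Name="Users.2#SHA256PasswordSalt">SALT-PLACEHOLDER</Attribute>
 <Attribute Name="Users.3#UserName">backup</Attribute>
 <!-- <Attribute Name="Users.3#Password">PLACEHOLDER</Attribute> -->
 <Attribute Name="Users.3#SHA256Password">HASH-PLACEHOLDER</Attribute>
 <Attribute Name="Users.4#UserName">monitor</Attribute>
 <Attribute Name="Users.4#SHA256Password">HASH-PLACEHOLDER</Attribute>
 <Attribute Name="Users.4#SHA256PasswordSalt">SALT-PLACEHOLDER</Attribute>
 <Attribute Name="Users.4#SHA1v3Key">KEY-PLACEHOLDER</Attribute>
 <Attribute Name="Users.4#MD5v3Key">KEY-PLACEHOLDER</Attribute>
</Component>
</SystemConfiguration>"""

USER_ATTR = re.compile(r"^Users\.(\d+)#(\w+)$")


def lint_profile(xml_text):
    """Return {user index: [finding codes]} for active (uncommented) attributes."""
    # ElementTree drops XML comments, so commented attributes are ignored,
    # matching the rule that a commented attribute is not applied on import.
    active = defaultdict(set)
    for attr in ET.fromstring(xml_text).iter("Attribute"):
        m = USER_ATTR.match(attr.get("Name", ""))
        if m and (attr.text or "").strip():
            active[int(m.group(1))].add(m.group(2))
    findings = {}
    for idx, names in sorted(active.items()):
        issues = []
        if "SHA256Password" in names:
            if "Password" in names:
                issues.append("PLAINTEXT_AND_HASH")   # import error, password not set
            if "SHA256PasswordSalt" not in names:
                issues.append("HASH_WITHOUT_SALT")    # Salt must accompany the hash
            if not names & {"SHA1v3Key", "MD5v3Key"}:
                issues.append("NO_SNMPV3_IPMI_AUTH")  # SHA256 hash only
        findings[idx] = issues
    return findings
```

Calling lint_profile(SAMPLE_SCP) returns an empty list for a user whose attributes are consistent and one or more finding codes otherwise.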