User guide

the client and the connection will be dropped. All virtual media data is encrypted with AES256, with key exchange via SSL, if an encrypted connection is selected. To keep a virtual media operation running while still enforcing session idle timeout, iDRAC6 locks the web session when a virtual media operation is in progress and the web session times out. The user must re-authenticate to unlock the web session after the timeout. The virtual media operation is not interrupted during the lock-out period.
Console Redirection
KVM login
Login credentials (username/password) are two random 32-bit numbers in ASCII string representation. They are not hashed. Credentials are used once and have a configurable 60-second timeout. They are transmitted across an already secured channel (JNLP over the Web GUI SSL connection).
Authentication and Encryption
iDRAC6 can continuously redirect the managed system's video, keyboard and mouse (KVM) to the management station using a proprietary compression algorithm. It is a very powerful feature, is very easy to use, and requires no software installation on the managed system. A user can access this feature to manage the system remotely as if they were sitting in front of it. A security authentication and encryption protocol is implemented in console redirection to prevent a hostile, rogue client from breaking into the console redirection path without authenticating through the web server. 128-bit SSL encryption secures the keyboard keystrokes during remote console redirection and therefore prevents unauthorized "snooping" of the network traffic. The following sequence of security protocol operations is performed when a console redirection session is established:
1. A user logs into the main web GUI and then clicks the "Open Consoles" tab.
2. The Web GUI sends a pre-authentication request to the iDRAC6 web server via the HTTPS channel (SSL encrypted).
3. The iDRAC6 web server returns a set of secret data (including an encryption key) via the SSL channel. The console redirection authentication key (32 bytes long) is dynamically generated to prevent replay attacks.
4. The console redirection client sends a login command with the authentication key to the console redirection server's keyboard/mouse port for authentication via the SSL channel.
5. If authentication is successful, a console redirection session and two console redirection pipes (one for keyboard/mouse and one for video) are established. The keyboard/mouse pipe is always SSL encrypted. The video pipe encryption is optional (users can choose whether or not to encrypt the video pipe before they start their console redirection session).
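The KVM login credential described above (a freshly generated 32-byte key, used once, valid for a configurable 60 seconds) is what makes steps 3 and 4 resistant to replay. The following model, added here as an illustration and not Dell's iDRAC6 code, shows why: the server-side store accepts each key exactly once and rejects it after the timeout. The class name, the injectable clock and the reason strings are assumptions for the example.

```python
import secrets
import time

KEY_LEN = 32          # 32-byte console redirection key, as the guide states
KEY_TTL_SECONDS = 60  # the configurable 60-second credential timeout


class ConsoleAuthServer:
    """Constructed model of the pre-authentication / login exchange.

    The clock is injectable so the timeout can be exercised without sleeping.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # key bytes -> (issue time, owning web session id)

    def preauth(self, web_session_id):
        # Step 3: issued only over an already authenticated HTTPS session.
        # A CSPRNG key of 32 bytes cannot be guessed or reused from an old capture.
        key = secrets.token_bytes(KEY_LEN)
        self._pending[key] = (self._clock(), web_session_id)
        return key

    def login(self, key):
        # Step 4: the console client presents the key on the keyboard/mouse port.
        # pop() makes the key single-use: a second presentation finds nothing.
        entry = self._pending.pop(key, None)
        if entry is None:
            return False, "unknown or already used key"
        issued_at, _ = entry
        if self._clock() - issued_at > KEY_TTL_SECONDS:
            return False, "key expired"
        return True, "session established"

    def purge_expired(self):
        # Housekeeping: drop keys the client never used within the timeout.
        now = self._clock()
        stale = [k for k, (t, _) in self._pending.items() if now - t > KEY_TTL_SECONDS]
        for k in stale:
            del self._pending[k]
        return len(stale)
```

Run with a controllable clock to see a replayed key and a key presented after 60 seconds both refused while the first, timely presentation succeeds.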
User Session Privacy
User session privacy is a security concern for the console redirection feature in iDRAC6. The following techniques are supported to maintain user session privacy and prevent user sessions from being hijacked:
The default maximum number of console redirection sessions is four. Administrators can set the maximum number of console redirection sessions to one to prevent another remote user from taking control of your console redirection session.