--- title: "Fortanix IPMI Setup for FX2200 Series II" slug: "fortanix-ipmi-setup-for-fx2200-series-ii" updated: 2026-04-08T16:42:17Z published: 2026-04-08T16:42:17Z canonical: "support.fortanix.com/fortanix-ipmi-setup-for-fx2200-series-ii" --- > ## Documentation Index > Fetch the complete documentation index at: https://support.fortanix.com/llms.txt > Use this file to discover all available pages before exploring further. # Fortanix IPMI Setup for FX2200 Series II ## 1.0 Introduction The purpose of this article is to describe the steps required to set up Intelligent Platform Management Interface (IPMI) for Fortanix FX2200 Series 2 appliance. It also contains the information that an administrator needs to: - Perform user authentication into IPMI - Troubleshoot the IPMI setup process ### 1.1 Intended Audience This Setup is intended to be used by technical stakeholders of Fortanix FX2200 Series 2 who will be responsible for planning, performing, or maintaining the setup or deployment, such as the Systems Administrator, Chief Information Officer (CIO), Analysts, or Developers. ## 2.0 Terminology References - **IPMI** – Intelligent Platform Management Interface - **DHCP** – Dynamic Host Configuration Protocol - **BIOS**– Basic Input/Output System - **LDAP**- Lightweight Directory Access Protocol - **RADIUS**– Remote Authentication Dial-In User Service - **PAM**– Pluggable Authentication Modules - **BMC**– Baseboard Management Controller - **KVM**– Keyboard, Video (monitor), and Mouse - **DSM** – Data Security Manager ## 3.0 Prerequisites To set up IPMI for the FX2200 Series 2 appliance, the following requirements must be met: - 1 monitor - 1 keyboard > [!WARNING] > WARNING > > It is widely known that IPMI is not a secure protocol and as such Fortanix recommends that customers do not rely solely on IPMI security features for IPMI access. Customers wanting to leverage the[out-of-band (OOB)](/v1/docs/securing-fx2200-oob-management-ports) access port should implement logical or physical isolation and access control for this port. ## 4.0 IPMI Setup ### 4.1 Setup IPMI for FX2200 By default, the FX2200 II appliance is set to get an IPMI IP address from DHCP. If a DHCP IP address is assigned or if a static IP address is configured, the address will be visible on one of the BIOS boot screens as shown below. ![boot_login.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360052228231.png) **Figure 1: BIOS boot screen** The easiest way to set a static IP address for the IPMI interface is through the BIOS setup. 1. Connect a monitor and keyboard to the FX2200 appliance, and while booting up, press the **Del** key repeatedly until the following screen is displayed. ![Boot_setup.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360052104032.png) **Figure 2: BIOS setup screen** 2. Using the keyboard arrow keys, move the highlight to the **Server Mgmt** tab, and then arrow down to **BMC network configuration**. When this is highlighted, press ****. ![BMC_network.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360052228451.png) **Figure 3: Select BMC network configuration** 3. In the BMC network configuration screen, you can set the desired BMC/IPMI network port settings. Highlight **Configuration Address source**using the keyboard arrows, and then press ****. Select **Static** in the second column. ![BMC_network_2.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360052228391.png) **Figure 4: BMC network configuration** 4. Now set the desired IP address, subnet mask, and gateway IP address as required for your network. When you are satisfied with the settings, press the **F10** key on the keyboard to save the changes, and then exit. The FX2200 will reboot. ![BMC_network_3.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360052104492.png) **Figure 5: BMC network configuration** 5. After rebooting, the IPMI web page will be accessible at the specified IP address through any browser. *http://192.168.1.25/#login* The default administrator credentials are: **Username**: `admin` **Password**: `password` > [!NOTE] > NOTE > > Starting with BMC firmware version 12.49.06, only one default user (admin) exists. ### 4.2 IPMI Users There are three users by default: - Username: `admin` and Password: `password `is in lower-case characters. - For BMC version older than 12.49 the following additional default user exists: - Username: `ADMIN` (backup) - Password: `ADMIN` is in upper-case characters. - Username: `anonymous `(disabled) and other users will be disabled. ![image__23_.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/360073478452.png) **Figure 6: User Management** - When you log in using active user privileges, you get full administrative rights. You are advised to change your username and password once you login as per your needs/security team advice. - You can also disable the other username, that is, `ADMIN` (backup). - You can create as many users as your company policy/security team advises and change the password accordingly. ### 4.3 IPMI Authentication User authentication into IPMI can be done using local users or by using external user services. If using local users, the length of the password can be configured when adding or modifying the user. - Password length of 16 bytes or 20 bytes is supported for local users. - Password strength and expiration time are not supported for local users. To set password size for local users, navigate to **Settings** → **User Management** → **Select User Card** → **User Management Configuration**. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_BMC_User Management Configuration.png) **Figure 7: Set password size for local users** ### 4.4 Set Password Policies Better fine-grained control on user management including password policies, can be achieved using external user services which can leverage the enterprise’s existing user authentication service. The following external user services are supported: - LDAP - Active Directory - RADIUS To access all the available external services in the UI, navigate to **Settings***→***External User Services***.* ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_BMC_External User Services.png) **Figure 8: External user services** #### 4.4.1 LDAP Settings To set up LDAP as an external user service, navigate to **Settings** → **External User Services** → **LDAP/E-Directory Settings** → **General LDAP Settings**. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_BMC_General LDAP Settings.png) **Figure 9: LDAP settings** #### 4.4.2 Active Directory Settings To set up Active Directory as an external user service, navigate to **Settings** → **External User Services** → **Active directory Settings** → **General Active Directory Settings**. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_BMC_General AD Settings.png) **Figure 10: Active Directory settings** #### 4.4.3 Radius Settings To setup RADIUS as an external user service, navigate to **Settings** → **External User Services** → **RADIUS Settings** → **General RADIUS Settings**. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_BMC_General Radius Settings.png) **Figure 11: RADIUS settings** To configure the PAM order for user authentication into the BMC, navigate to **Settings***→***PAM Order**settings. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_BMC_PAM Order Settings(1).png) **Figure 12: PAM Order Settings** It displays the list of PAM modules supported in the BMC. Drag and drop the PAM modules to change their position in the sequence. ## 5.0 Cipher Zero Authentication Bypass This vulnerability grants local intruders the capability to intercept the data transmitting on the IPMI interface. Subsequently, the intruder gains complete control over the administrator’s session, affording them the ability to perform actions like toggling the server's power, configuring settings, and similar operations. **Solution:** 1. Run the following command to disable this feature: ```bash ipmitool -H IPMI_IP -U USERNAME -P USERPASSWORD lan set 1 cipher_privs XXXXXXXXXXXaXXX ``` 2. Run the following command to remote server authentication to cipher 17. To connect through ipmitool using cipher suite 17: ```bash ipmitool -I lanplus -U USERNAME -H IPMI -C17 sol info ``` You must note that, using the regular command may result in the following error: ```bash root@us-west-eqsv2-cslab-1:~# ipmitool -I lanplus -U admin -H 10.197.192.58 sol info Password: Error in open session response message: no matching cipher suite Error: Unable to establish IPMI v2 / RMCP+ session Solution: No fixes are available for this issue within the IPMI protocol. The recommended course of action is to block or restrict access to IPMI port 623. ``` ## 6.0 Authentication HMAC Password Hash Exposure The IPMI 2.0 specification facilitates HMAC-MD5 authentication, which involves transmitting a calculated hash to the client. This hash can potentially be exploited in an offline brute-force attack on the configured password. In simpler terms, the server can inadvertently disclose the password of any existing user to potential attackers, who only need to decipher the password and gain unauthorized access. It's important to note that there is no patch available for this vulnerability as it is an inherent issue with the specification for IPMI v2.0. *Refer to*[*Securing FX2200 OOB Management Ports*](/v1/docs/securing-fx2200-oob-management-ports)*for recommended mitigation measures for this vulnerability.* ## 7.0 BMC Firmware Upgrade on FX2200 Series II ### 7.1 Prerequisites Check the version of BMC firmware on your FX2200 by looking at the version number displayed in the top-left corner in the UI, as shown below. > [!NOTE] > NOTE > > The latest BMC firmware version 12.72.04 is supported in Fortanix DSM versions [4.36 Patch 4](https://fortanix.zendesk.com/hc/en-us/articles/10644636415380-DSM-Installation-Package-Downloads-on-prem), [5.0 Patch 3](https://fortanix.zendesk.com/hc/en-us/articles/10644636415380-DSM-Installation-Package-Downloads-on-prem), and later. ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_BMC_Maintenance.png) **Figure 13: BMC version** Upgrade the BMC firmware after upgrading or installing Fortanix DSM software version 3.25 or later version. > [!NOTE] > NOTE > > - This BMC upgrade is only for FX2200 series 2 units. > - Upgrading the BMC will cause all IPMI settings (users, TLS certificate, IP, and so on) to be lost. You will need to re-configure the IP address and then log in through IPMI Web UI to add/change users and passwords. > - Make sure the unit is not powered off or rebooted during the process of BMC firmware update. > - After the BMC firmware upgrade, there will only be one default user “admin” and the default password of this user will be “password”. ### 7.2 BMC Upgrade Procedure 1. Run the following command to navigate to `/opt/fortanix/sdkms/bmc/utility/fwud/linux`: ```bash cd /opt/fortanix/sdkms/bmc/utility/fwud/linux ``` 2. Run the following command to upgrade the BMC firmware: ```bash sudo ./flashall64.sh ``` Wait for the command mentioned above to complete. After the command completes, wait for the BMC to restart and become operational again. This process will reset the BMC settings to their factory defaults, resulting in the loss of any custom changes made, including IP addresses, users, TLS certificates, and so on. > [!WARNING] > WARNING > > - Use extreme caution when running this script. **Do not press any keys, interrupt the process, or run any other commands while the script is executing**. If the script is stopped midway, it may corrupt the BMC, prevent it from running again, and leave the system in an unrecoverable state. > - If the script becomes unresponsive or terminates unexpectedly, contact Fortanix Support for assistance before attempting any further actions. 3. Run the following command to check the status of BMC and wait until `Set in Progress : Set Complete` is displayed: ```bash sudo ipmitool lan print 1 ``` 4. Run the following commands from the shell if you want to set up a static IP address on the BMC: ```bash sudo ipmitool lan set 1 ipsrc static sudo ipmitool lan set 1 ipaddr w.x.y.z sudo ipmitool lan set 1 netmask w.x.y.z sudo ipmitool lan set 1 defgw ipaddr w.x.y.z ``` ## 8.0 Troubleshooting | **PROBLEM**: Unable to open KVM remote session: Error - “Maximum number of allowable sessions reached. Please close other sessions and try again”. **RESOLUTION**: - BMC firmware allows only 2 active KVM connections at a time. The error below indicates you already have two active sessions. It is possible at some point someone opened the connection, and it was not closed properly. - You can see active connections and terminate them by going to **Settings** → **Services**, and you will see a screen as follows: ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_BMC_Services.png) **Figure 14: BMC services** - Click the hamburger icon in the "kvm" row, to see the active kvm sessions as seen above: ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_BMC_Services Sessions.png) **Figure 15: BMC service sessions** - Click the red delete buttons to terminate the currently active sessions as seen above. After this, you should be able to open a new KVM session. - If no active sessions are detected and you still get the error about max connections, then restart the KVM service. | | --- | ## 9.0 References - *To learn about the process of securing the FX2200 out-of-band (OOB) management ports, refer to*[*Securing FX2200 OOB Management Ports*](/v1/docs/securing-fx2200-oob-management-ports)*.* - *To learn about the IPMI SSL certificate renewal, refer to*[*Fortanix IPMI SSL Certificate Renewal For FX2200 Series II.*](https://support.fortanix.com/docs/fortanix-ipmi-ssl-certificate-renewal-for-fx2200-series-ii) ## Related - [Managing Fortanix DSM Keys with OpenSSL and PKCS#11 Tool](/managing-fortanix-dsm-keys-with-openssl-and-pkcs11-tool.md) - [Cluster Management Quick Reference](/fortanix-data-security-manager-cluster-management-quick-reference.md) - [Restoration Guide - Automated](/fortanix-dsm-restoration-guide-automated.md) - [Securing FX2200 OOB Management Ports](/securing-fx2200-oob-management-ports.md)