Fortanix IPMI Setup for FX3400


1.0 Introduction

The purpose of this article is to describe the steps required to set up the Intelligent Platform Management Interface (IPMI) for the Fortanix FX3400 appliance.

It also contains the information that an administrator needs to:

  • Perform user authentication on IPMI

  • Troubleshoot the IPMI setup process

1.1 Intended Audience

This setup guide is intended for the technical stakeholders of the Fortanix FX3400 who are responsible for planning, performing, or maintaining the setup or deployment, such as the Systems Administrator, Chief Information Officer (CIO), Analysts, or Developers.

2.0 Terminology References

  • IPMI – Intelligent Platform Management Interface

  • DHCP – Dynamic Host Configuration Protocol

  • BIOS – Basic Input/Output System

  • LDAP – Lightweight Directory Access Protocol

  • RADIUS – Remote Authentication Dial-In User Service

  • PAM – Pluggable Authentication Modules

  • BMC – Baseboard Management Controller

  • KVM – Keyboard, Video (monitor), and Mouse

  • DSM – Data Security Manager

  • SOL – Serial Over LAN

  • SSH – Secure Shell

  • UDP – User Datagram Protocol

  • HMAC – Hash-based Message Authentication Code

  • MD5 – Message Digest Algorithm 5

3.0 Prerequisites

To set up IPMI for the FX3400 appliance, ensure you have the following:

  • 1 monitor

  • 1 keyboard

WARNING

It is widely known that IPMI is not a secure protocol and as such Fortanix recommends that customers do not rely solely on IPMI security features for IPMI access. Customers wanting to leverage the out-of-band (OOB) access port should implement logical or physical isolation and access control for this port.

4.0 IPMI Setup

4.1 Setup IPMI for FX3400

By default, the FX3400 appliance is set to get an IPMI IP address from DHCP. If a DHCP IP address is assigned or if a static IP address is configured, the address will be visible on one of the BIOS boot screens as shown below.

Figure 1: BIOS boot screen

To set a static IP address for the IPMI interface, follow these steps.

  1. Connect a monitor and keyboard to the FX3400 appliance and allow the unit to complete the boot process. Wait until the login prompt appears.

  2. Log in using the username “ipmiadmin”. This is a special user account that can only log in directly from the console (or solssh), does not require a password, and provides a restricted shell that can only be used to set and view the IPMI IP address configuration. When you log in as “ipmiadmin”, you will see the following shell:

    Figure 2: IPMI interface login

  3. From this restricted shell, you can run the following commands. To see a list of available commands, type “?”:  

    exit  Exit this CLI session
    help  Displays command line help for appliance cli
    ipmi  IPMI Network configuration. Usage: # ipmi show|set [PARAMS]
  4. To set the desired IP address, subnet mask, and gateway for your network, run one of the following commands:  

    • For DHCP:

      ipmi set dhcp
    • For Static IP:

      ipmi set static ip IP_ADDRESS gateway GATEWAY_ADDRESS netmask SUBNET_MASK

      Replace IP_ADDRESS, GATEWAY_ADDRESS, and SUBNET_MASK with the appropriate values.
      For example:

      ipmi set static ip 192.168.1.212 gateway 192.168.1.254 netmask 255.255.255.0
  5. After configuration, you can view the current IPMI IP address by running the following command:  

    ipmi show


    Example output:

    Figure 3: IPMI address

  6. After setting the IP address, the IPMI web page will be accessible at the specified IP address through any browser.

    Example:

    http://192.168.1.25/#login

    For the default credentials, contact Fortanix Support.

    • When you log in with active user privileges, you receive full administrative rights. It is strongly recommended that you change the username and password immediately after login, in accordance with your security team’s guidance.

    • You can create additional users and update passwords as required by your company policy or security team.

4.2 IPMI Authentication

User authentication into IPMI can be done using local users or by using external authentication services.

If using local users, the length of the password can be configured when adding or modifying the user.

  • Password length of 16 bytes or 20 bytes is supported for local users.

  • Password complexity, lockout configuration, and minimum length can be set for local users.

Perform the following steps to set the password length for local users in the IPMI interface:

  1. Click Settings → User Management → Select User Card → User Management Configuration.

    Figure 4: Set password length for local users
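The two supported lengths above are byte counts, not character counts, so a password that looks short enough can still exceed the slot once it is encoded. The following check, an added example that is not Fortanix's code or the BMC's own validation logic, measures a candidate password the way a 16- or 20-byte slot would see it (UTF-8 bytes) and applies an assumed complexity policy (minimum length, number of character classes) that you would align with your security team's settings; the function name local_password_fits and its policy defaults are hypothetical.

```python
import string

# Character classes used by the assumed complexity policy (example policy,
# not the FX3400 BMC's own rule set).
CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def local_password_fits(password, slot_bytes=20, min_length=12, min_classes=3):
    """Check a candidate local-user password against a fixed IPMI password slot.

    slot_bytes  : 16 or 20, the two slot sizes the FX3400 supports for local users
    min_length  : assumed minimum length in characters (example policy)
    min_classes : assumed number of character classes required (example policy)
    Returns (ok, reason).
    """
    if slot_bytes not in (16, 20):
        raise ValueError("IPMI local-user password slots are 16 or 20 bytes")

    # The slot holds bytes: non-ASCII characters cost more than one byte each.
    encoded = password.encode("utf-8")
    if len(encoded) > slot_bytes:
        return False, (f"{len(encoded)} bytes exceeds the {slot_bytes}-byte slot "
                       f"({len(password)} characters)")
    if len(password) < min_length:
        return False, f"shorter than the {min_length}-character minimum"

    classes = sum(any(c in group for c in password) for group in CHARACTER_CLASSES)
    if classes < min_classes:
        return False, f"only {classes} of {min_classes} required character classes"
    return True, f"{len(encoded)} bytes, fits the {slot_bytes}-byte slot"


if __name__ == "__main__":
    # Constructed sample passwords for illustration only.
    for candidate, slot in (("Abcdefgh1234567!", 16), ("pässwörd12345678", 16), ("x" * 21, 20)):
        ok, reason = local_password_fits(candidate, slot)
        print(f"{'OK  ' if ok else 'FAIL'} {candidate!r}: {reason}")
```

The second sample is 16 characters but 18 bytes, which is exactly the case the byte-based slot sizes catch.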

4.3 Set Password Policies

Better fine-grained control on user management, including password policies, can be achieved using external authentication services, which can leverage the enterprise’s existing user authentication service. The following external user services are supported:

  • LDAP

  • Active Directory

  • RADIUS

The following screenshot shows all the available external services. To access these services in the user interface (UI), click Settings → External User Services.

Figure 5: External user services

4.3.1 LDAP Settings

Perform the following steps to set up LDAP as an external authentication service:

Click Settings → External User Services → LDAP/E-Directory Settings → General LDAP Settings.

Figure 6: LDAP settings

4.3.2 Active Directory Settings

Perform the following steps to set up Active Directory as an external authentication service:

Click Settings → External User Services → Active Directory Settings → General Active Directory Settings.

Figure 7: Active Directory settings

4.3.3 RADIUS Settings

Perform the following steps to set up RADIUS as an external authentication service:

Click Settings → External User Services → RADIUS Settings → General RADIUS Settings.

Figure 8: RADIUS settings

Perform the following steps to configure the PAM order for user authentication in the BMC:

The interface displays the list of PAM modules supported in the BMC. Drag and drop the PAM modules to change their position in the sequence.

Click Settings → PAM Order Settings.

Figure 9: PAM order settings

5.0 Cipher Zero Authentication Bypass

This vulnerability allows an attacker on the network to which the IPMI interface is attached to intercept the data transmitted on that interface. The attacker can then take over the administrator’s session, which gives them the ability to perform actions such as toggling the server's power, changing configuration settings, and similar operations.

Solution:

  1. Run the following command to disable cipher suite 0 (cipher zero):

    ipmitool -H IPMI_IP -U USERNAME -P USERPASSWORD lan set 1 cipher_privs XXXXXXXXXXXaXXX
  2. Use cipher suite 17 for remote server authentication. To connect through ipmitool using cipher suite 17, run the following command:

    ipmitool -I lanplus -U USERNAME -H IPMI -C17 sol info

    Note that running the same command without the -C17 option results in the following error:

    root@us-west-eqsv2-cslab-1:~# ipmitool -I lanplus -U admin -H 10.197.192.58 sol info
    Password:
    Error in open session response message: no matching cipher suite
    Error: Unable to establish IPMI v2 / RMCP+ session

No fixes are available for this issue within the IPMI protocol itself. The recommended course of action is to block or restrict access to IPMI port 623 (UDP).
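After completing the address configuration in section 4.1 and the cipher-zero change above, an administrator will want to confirm from the management workstation that the BMC actually reports a static address and no longer offers cipher suite 0. The following script is an added example, not Fortanix's code: it parses the output of `ipmitool lan print`, reports findings, and builds the `cipher_privs` value that disables suite 0 while preserving the privilege levels already set for the other suites. It assumes `ipmitool` is on PATH, that the BMC's LAN channel is channel 1 (as in the page's commands), and that the field names match ipmitool's `lan print` output; the sample output is constructed here (addresses are the example values from section 4.1, the cipher map is made up), and the helper names parse_lan_print, audit_lan, cipher_privs_without_cipher0 and fetch_lan_print are hypothetical.

```python
import os
import subprocess

# Constructed sample of `ipmitool lan print 1` output (not from a real appliance).
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : MD5
Auth Type Enable        : Callback : MD5
                        : User     : MD5
                        : Operator : MD5
                        : Admin    : MD5
IP Address Source       : Static Address
IP Address              : 192.168.1.212
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:00:00:00:00
Default Gateway IP      : 192.168.1.254
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12,17
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
"""

# Position i of the "Cipher Suite Priv Max" string is the maximum privilege
# granted to cipher suite i; 'X' means that suite is disabled.
CIPHER_PRIVS_LEN = 15


def parse_lan_print(text):
    """Map each 'Field : value' line to a dict entry; indented continuation
    lines (empty key) that ipmitool prints under some fields are dropped."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key = key.strip()
        if key:
            fields[key] = value.strip()
    return fields


def audit_lan(fields, expected_ip=None):
    """Return a list of findings; an empty list means the channel passes."""
    findings = []
    privs = fields.get("Cipher Suite Priv Max", "")
    if not privs:
        findings.append("cipher suite 0: privilege map not reported, cannot verify")
    elif privs[0] != "X":
        findings.append(f"cipher suite 0 is enabled with max privilege '{privs[0]}' "
                        "(authentication bypass); disable it with 'lan set 1 cipher_privs'")
    if "17" not in fields.get("RMCP+ Cipher Suites", "").split(","):
        findings.append("cipher suite 17 is not offered by the BMC")
    source = fields.get("IP Address Source")
    if source != "Static Address":
        findings.append(f"IP Address Source is '{source}', not Static Address")
    if expected_ip and fields.get("IP Address") != expected_ip:
        findings.append(f"IP Address is '{fields.get('IP Address')}', expected {expected_ip}")
    return findings


def cipher_privs_without_cipher0(privs):
    """Build the cipher_privs value that disables suite 0 and keeps the
    privilege levels already configured for the other 14 suites."""
    if len(privs) != CIPHER_PRIVS_LEN:
        raise ValueError(f"cipher_privs must be {CIPHER_PRIVS_LEN} characters")
    return "X" + privs[1:]


def fetch_lan_print(host, user, password, channel=1):
    """Query a live BMC. The password is passed via the IPMI_PASSWORD
    environment variable (-E) rather than -P so it does not appear in the
    process list; cipher suite 17 is selected as in section 5.0."""
    cmd = ["ipmitool", "-I", "lanplus", "-C", "17", "-H", host, "-U", user,
           "-E", "lan", "print", str(channel)]
    env = dict(os.environ, IPMI_PASSWORD=password)
    return subprocess.run(cmd, env=env, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    fields = parse_lan_print(SAMPLE_LAN_PRINT)
    for finding in audit_lan(fields, expected_ip="192.168.1.212"):
        print("FINDING:", finding)
    print("hardened cipher_privs:", cipher_privs_without_cipher0(fields["Cipher Suite Priv Max"]))
```

Against a live appliance, replace the sample with `fetch_lan_print("IPMI_IP", "USERNAME", "USERPASSWORD")`. Note that ipmitool's `cipher_privs` string has only 15 positions, so suite 17 cannot be assigned a privilege there; its availability is checked from the "RMCP+ Cipher Suites" line instead.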

6.0 Authentication HMAC Password Hash Exposure

The IPMI 2.0 specification supports HMAC-MD5 authentication, in which the server transmits a hash computed from the user’s password to the client. This hash can be used in an offline brute-force attack on the configured password. In simpler terms, the server inadvertently discloses a hash of the password of any existing user to potential attackers, who then only need to crack that hash to gain unauthorized access.

6.1 Securing FX3400 OOB Management Ports

It is important to note that there is no patch available for this vulnerability, as it is inherent in the IPMI v2.0 specification. Refer to Securing FX2200 OOB Management Ports for the recommended mitigation measures.

7.0 Troubleshooting

PROBLEM: Unable to open KVM remote session:

Error - “Maximum number of allowable sessions reached. Please close other sessions and try again”.

RESOLUTION:

  • BMC firmware allows only 2 active KVM connections at a time. The error above indicates that you already have two active sessions. It is possible that at some point someone opened a connection and it was not closed properly.

  • You can see active connections and terminate them by going to Settings → Services, where you will see a screen as follows:

    Figure 10: BMC services

  • Click the hamburger icon in the "kvm" row to see the active KVM sessions, as shown below:

    Figure 11: BMC service sessions

  • Click the red delete buttons to terminate the currently active sessions as seen above. After this, you should be able to open a new KVM session.

  • If no active sessions are detected and you still get the error about max connections, then restart the KVM service.

8.0 References