Fortanix IPMI Setup for FX2200 Series II

1.0 Introduction

The purpose of this article is to describe the steps required to set up IPMI for Fortanix FX2200 Series 2 appliance. It also contains the information that an administrator needs to:

  • Perform user authentication into IPMI
  • Troubleshoot the IPMI setup process

1.1 Intended Audience

This Setup is intended to be used by technical stakeholders of Fortanix FX2200 Series 2 who will be responsible for planning, performing, or maintaining the setup or deployment, such as the Systems Administrator, Chief Information Officer (CIO), Analysts, or Developers.

2.0 Terminology References

  • IPMI – Intelligent Platform Management Interface
  • DHCP – Dynamic Host Configuration Protocol
  • BIOS – Basic Input/Output System
  • LDAP - Lightweight Directory Access Protocol
  • RADIUS – Remote Authentication Dial-In User Service
  • PAM – Pluggable Authentication Modules
  • BMC – Baseboard Management Controller
  • KVM – Keyboard, Video (monitor), and Mouse
  • DSM – Data Security Manager

3.0 Prerequisites

To set up IPMI for the FX2200 Series 2 appliance, the following requirements have to be met:

  • 1 monitor and 1 keyboard
It is widely known that IPMI is not a secure protocol and as such Fortanix recommends that customers do not rely solely on IPMI security features for IPMI access. Customers wanting to leverage the out-of-band (OOB) access port should implement logical or physical isolation and access control for this port.

4.0 IPMI Setup

4.1 Setup IPMI for FX2200

By default, the FX2200 II appliance is set to get an IPMI IP address from DHCP. If a DHCP IP address is assigned or if a static IP address is configured, the address will be visible on one of the BIOS boot screens as shown below.

Figure 1: BIOS Boot Screen

 The easiest way to set a static IP address for the IPMI interface is through the BIOS setup.

  1. Connect a monitor and keyboard to the FX2200 appliance and while booting up, press the <DEL> key repeatedly until the following screen is displayed. Boot_setup.png
    Figure 2: BIOS Setup Screen
  2. Using the keyboard arrow keys, move the highlight to the Server Mgmt tab, and then arrow down to BMC network configuration. When this is highlighted, press <Enter>. BMC_network.png
    Figure 3: Select BMC network configuration
  3. In the BMC network configuration screen, you can set the desired BMC/IPMI network port settings. Highlight Configuration Address source using the keyboard arrows, and then press <Enter>. Select Static in the second column. BMC_network_2.png
    Figure 4: BMC Network Configuration
  4. Now set the desired IP address, subnet mask, and gateway IP address as required for your network. When you are satisfied with the settings, press the F10 key on the keyboard to save the changes, and then exit. The FX2200 will reboot. BMC_network_3.png
    Figure 5: BMC Network Configuration
  5. After rebooting, the IPMI web page will be accessible at the specified IP address through any browser. 
    The default administrator credentials are:
    Username: admin
    Password: password
    Starting with BMC firmware version 12.49.06, only one default user (admin) exists.

4.2 IPMI Users

There are three users by default:

  • Username: admin and Password: password is in lower-case characters.
  • For BMC version older than 12.49 the following additional default user exists:
    • Username: ADMIN (backup) and Password: ADMIN is in upper-case characters.
  • Username: anonymous (disabled) and other users will be disabled.

Figure 6: User Management

  • When you log in using active user privileges, you get full administrative rights. You are advised to change your username and password once you login as per your needs/security team advice.
  • You can also disable the other username, that is, ADMIN (backup).
  • You can create as many users as your company policy/security team advises and change the password accordingly.

4.3 IPMI Authentication

User authentication into IPMI can be done using local users or by using external user services.

If using local users, the length of the password can be configured when adding or modifying the user.

  • Password length of 16 bytes or 20 bytes is supported for local users.
  • Password strength and expiration time are not supported for local users.

The following screenshot in the IPMI interface shows you how to set password size for local users.

To do this:

  1. Click SettingsUser ManagementSelect User CardUser Management Configuration. Set_password_size.png
    Figure 7: Set Password Size for Local Users

4.4 Set Password Policies

Better fine-grained control on user management including password policies can be achieved using external user services which can leverage the enterprise’s existing user authentication service. The following external user services are supported:

  • LDAP
  • Active Directory

The following screenshot shows all the available external services. To access these services in the UI:

Click Settings External User Services

Figure 8: External User Services

4.4.1 LDAP Settings

The following screenshot shows how to set up LDAP as an external user service.

To do this:

  1. Click SettingsExternal User ServicesLDAP/E-Directory SettingsGeneral LDAP Settings LDAP_settings.png
    Figure 9: LDAP Settings

4.4.2 Active Directory Settings

The following screenshot shows how to set up Active Directory as an external user service.

To do this:

Click SettingsExternal User ServicesActive directory SettingsGeneral Active Directory Settings.

Figure 10: Active Directory Settings

4.4.3 Radius Settings

The following screenshot shows how to setup RADIUS as an external user service.

To do this:

  1. Click SettingsExternal User ServicesRADIUS SettingsGeneral RADIUS Settings radius_settings.png
    Figure 11: RADIUS Settings

The following page is used to configure the PAM order for user authentication into the BMC. It shows the list of PAM modules supported in the BMC. Drag and drop the PAM modules to change their position in the sequence.

To do this:

  1. Click Settings PAM Order settings. PAM_order_settings.png
    Figure 12: PAM Order Settings

5.0 Cipher Zero Authentication Bypass

This vulnerability grants local intruders the capability to intercept the data transmitting on the IPMI interface. Subsequently, the intruder gains complete control over the administrator’s session, affording them the ability to perform actions like toggling the server's power, configuring settings, and similar operations.


  1. Run the following command to disable this feature:E -
    ipmitool -H IPMI_IP -U USERNAMP USERPASSWORD lan set 1 cipher_privs XXXXXXXXXXXaXXX
  2. Run the following command to remote server authentication to cipher 17. To connect through ipmitool using cipher suite 17, run the following command:
    ipmitool -I lanplus -U USERNAME -H IPMI -C17 sol info
    You must note that, using the regular command may result in the following error:
    root@us-west-eqsv2-cslab-1:~# ipmitool -I lanplus -U admin -H sol info
    Error in open session response message: no matching cipher suite
    Error: Unable to establish IPMI v2 / RMCP+ session
    Solution: No fixes are available for this issue within the IPMI protocol.
    The recommended course of action is to block or restrict access to IPMI port

6.0 Authentication HMAC Password Hash Exposure

The IPMI 2.0 specification facilitates HMAC-MD5 authentication, which involves transmitting a calculated hash to the client. This hash can potentially be exploited in an offline brute-force attack on the configured password. In simpler terms, the server can inadvertently disclose the password of any existing user to potential attackers, who only need to decipher the password and gain unauthorized access.

It's important to note that there is no patch available for this vulnerability as it is an inherent issue with the specification for IPMI v2.0. Refer to Securing FX2200 OOB Management Ports for recommended mitigation measures for this vulnerability.

7.0 BMC Firmware Upgrade on FX2200 Series II

7.1 Prerequisites

Check the version of BMC firmware on your FX2200 by looking at the version number displayed in the top-left corner in the WebUI as shown below.

Figure 13: BMC version

Upgrade the BMC firmware after upgrading or installing Fortanix DSM software version 3.25 or later version.

  • This BMC upgrade is only for FX2200 series 2 units.
  • Upgrading the BMC will cause all IPMI settings (users, TLS certificate, IP, and so on) to be lost. You will need to re-configure the IP address and then log in through IPMI Web UI to add/change users and passwords.
  • Make sure the unit is not powered off or rebooted during the process of BMC firmware update.
  • After the BMC firmware upgrade, there will only be one default user “admin” and the default password of this user will be “password”.

7.2 BMC Upgrade Procedure

  1. Go to the folder “/opt/fortanix/sdkms/bmc/utility/fwud/linux”.
    cd /opt/fortanix/sdkms/bmc/utility/fwud/linux
  2. Run the following command to upgrade the BMC firmware:
    sudo ./
    Wait for the command mentioned above to complete. After the command completes, wait for the BMC to restart and become operational again. This process will reset the BMC settings to their factory defaults, resulting in the loss of any custom changes made, including IP addresses, users, TLS certificates, and so on.
  3. You can check the status of BMC by running the following command and wait until you see “Set in Progress : Set Complete”.
    sudo ipmitool lan print 1
  4. If you had set up a static IP address on the BMC, then you can set it by running the following commands from the shell.
    sudo ipmitool lan set 1 ipsrc static
    sudo ipmitool lan set 1 ipaddr w.x.y.z
    sudo ipmitool lan set 1 netmask w.x.y.z
    sudo ipmitool lan set 1 defgw ipaddr w.x.y.z

8.0 Troubleshooting

PROBLEM: Unable to open KVM remote session:

Error - “Maximum number of allowable sessions reached. Please close other sessions and try again”.


  • BMC firmware allows only 2 active KVM connections at a time. The error below indicates you already have two active sessions. It is possible at some point someone opened the connection, and it was not closed properly.
  • You can see active connections and terminate them by going to Settings->Services, and you will see a screen as follows:
  • Click the  hamburger icon in the "kvm" row , to see the active kvm sessions as seen above:
  • Click the red delete buttons to terminate the currently active sessions as seen above. After this, you should be able to open a new KVM session.
  • If no active sessions are detected and you still get the error about max connections, then restart the KVM service.

9.0 Securing FX2200 OOB Management Ports

To learn about the process of Securing the FX2200 out-of-band (OOB) Management Ports, refer to the guide:


Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful