
www.dell.com/powersolutions Reprinted from Dell Power Solutions, November 2005. Copyright © 2005 Dell Inc. All rights reserved. DELL POWER SOLUTIONS 1

DRAC/MC User Management and Security Configuration

BY ANUSHA RAGUNATHAN AND SANJEEV S. SINGH

The Dell™ Remote Access Controller/Modular Chassis (DRAC/MC) is a critical infrastructure component for authenticating and authorizing user access to the Dell Modular Server Enclosure, the chassis that houses Dell blade servers.

Related Categories: Blade servers; Dell PowerEdge blade servers; Dell Remote Access Controller (DRAC); Remote management; Security; Systems management. Visit www.dell.com/powersolutions for the complete category index.

SYSTEMS MANAGEMENT

The Dell Remote Access Controller/Modular Chassis (DRAC/MC) is the chassis and component management module for the Dell Modular Server Enclosure. Robust authentication and privilege-checking mechanisms are incorporated into the DRAC/MC to enable administrators to grant user privileges while preventing unauthorized access. This article describes the different techniques administrators can use to control user access and enhance security.

Methods for accessing the DRAC/MC

The DRAC/MC provides administrators with the flexibility to create system users and assign them various levels of permissions. Administrators can control access to the DRAC/MC remotely or locally using three types of connections: Web, serial, and Telnet.

Web-based connection. The DRAC/MC incorporates secure Web-based access using a standard browser supporting 128-bit Secure Sockets Layer (SSL) encryption. It also supports the secure-server certificate process to further enhance the security of network communications. Administrators must generate a certificate-signing request (CSR) and obtain the signature of a Certificate Authority (CA) to obtain a secure-server certificate. Secure-server certificates help ensure the identity of a remote system and verify that the information exchanged with the remote system cannot be viewed or modified by others.

Serial connection. For local access, the DRAC/MC supports a serial connection using a standard terminal emulation program such as HyperTerminal through a serial connector on the back of the controller. Authentication is required to log in. Authenticated users can then use the command-line interface (CLI) that the DRAC/MC supports.

Telnet connection. A Telnet connection, which is disabled by default, is also supported. After authentication, users can access the CLI. Both local and remote access sessions support a session time-out feature that closes the session after a period of inactivity. This inactivity interval is configurable through both Web and CLI access.

User management from the DRAC/MC

The DRAC/MC supports two kinds of users: DRAC/MC local users and Microsoft® Active Directory® users. Support for Active Directory users has been added in DRAC/MC firmware version 1.2. This enables administrators to manage DRAC/MC users and devices from within existing Active Directory environments. The DRAC/MC supports a maximum of 16 local users, and at least one local user must always be configured. For more information about configuring Active Directory settings for the DRAC/MC, see the “Microsoft Active Directory settings for the DRAC/MC” section in this article.

A valid username can be authenticated in different formats. In the Username or Login field of the GUI or CLI login page, respectively, administrators can enter one of the following:

• A DRAC/MC local username: username
• A Microsoft Active Directory username in any of three formats: domain\username, domain/username, or username@domain

The DRAC/MC username for local users is case-sensitive, but the Active Directory username is not.
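As an added example (not code from the article or from Dell), the following Python parser applies the login formats just described: it separates a DRAC/MC local username from the three Active Directory forms and compares two logins under the stated case rules, exact for local names and case-insensitive for Active Directory names. The Login class and parse_login function are this example's own names.

```python
"""Parse DRAC/MC login names: local users versus Active Directory users.

Added example, not code from the article or from Dell. It implements the
three Active Directory login formats the article lists (domain\\username,
domain/username, username@domain) and the rule that local usernames are
case-sensitive while Active Directory usernames are not.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Login:
    kind: str              # "local" or "ad"
    user: str
    domain: Optional[str]  # None for DRAC/MC local users

    def matches(self, other: "Login") -> bool:
        """Compare two logins using the article's case rules: local names must
        match exactly; Active Directory user and domain names are compared
        case-insensitively."""
        if self.kind != other.kind:
            return False
        if self.kind == "local":
            return self.user == other.user
        return (self.user.casefold() == other.user.casefold()
                and (self.domain or "").casefold() == (other.domain or "").casefold())


def parse_login(raw: str) -> Login:
    """Split a login string into kind, user and domain.

    Raises ValueError for strings that fit none of the formats, such as an
    empty user or domain part or a second separator inside the user part.
    """
    if raw is None or not raw.strip():
        raise ValueError("empty login name")
    raw = raw.strip()
    # domain\user and domain/user: the domain comes first.
    for sep in ("\\", "/"):
        if sep in raw:
            domain, _, user = raw.partition(sep)
            if not domain or not user or any(c in user for c in "\\/@"):
                raise ValueError(f"malformed Active Directory login: {raw!r}")
            return Login("ad", user, domain)
    # user@domain: the user comes first.
    if "@" in raw:
        user, _, domain = raw.partition("@")
        if not user or not domain or "@" in domain:
            raise ValueError(f"malformed Active Directory login: {raw!r}")
        return Login("ad", user, domain)
    # Anything else is a DRAC/MC local username.
    return Login("local", raw, None)


if __name__ == "__main__":
    for name in ("root", "EXAMPLE\\alice", "example.com/alice", "alice@example.com"):
        print(f"{name!r:24} -> {parse_login(name)}")
```

A login containing two separators (for example an @ inside the user part of a domain\user form) is rejected rather than guessed at, which is the safer behaviour for an authentication front end.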

Permissions and groups

A permission is a privilege provided to a DRAC/MC user to perform certain actions such as configuring the DRAC/MC settings, powering the chassis up or down, configuring users, or clearing logs. A group is a collection of permissions that can be assigned to DRAC/MC users. The following four groups have predefined permissions in the DRAC/MC:

• Administrator
• Power User
• Guest User
• E-mail Alerts Only

If the permissions required for a user do not match any of these groups, a fifth group—Custom—is available by which administrators may provide the desired privileges to users. Figure 1 describes the different groups and permissions associated with each group.

Local user administration

Administrators can access the DRAC/MC using either the Web-based graphical user interface (GUI) or the serial/Telnet connection–based CLI.

Using the DRAC/MC GUI

The DRAC/MC GUI lets administrators create new DRAC/MC users, delete existing users, or modify existing user privileges. The user configuration page is accessible by going to Configuration>Users on the DRAC/MC GUI. To create users and establish their permissions, administrators should click an “Available” link on the DRAC/MC Users page (see Figure 2). This action opens a configurable DRAC/MC user privileges screen with options available under General, User Permissions, and Email Alerts (see Figure 3).

On this screen, administrators can enter the DRAC/MC username and password. The DRAC/MC user group can be selected from the User Group drop-down menu. The corresponding permissions are automatically selected or unselected based on the user group chosen. Administrators can either accept the preselected user permissions associated with the user group or select and unselect various permissions to customize the user’s options. Other user settings such as e-mail paging and alert configurations can also be specified on this page. Clicking the Apply Changes button at the bottom of the screen creates the new user and sets the privileges. Note: Selecting or unselecting group permissions automatically changes the user’s group to Custom.

Figure 1. DRAC/MC user permissions and groups

Permission                       Administrator  Power User  Guest User  E-mail Alerts Only  Custom
Log in to DRAC/MC                Yes            Yes         Yes         -                   Yes
Configure DRAC/MC                Yes            -           -           -                   Yes
Configure users                  Yes            -           -           -                   Yes
Clear logs                       Yes            Yes         -           -                   Yes
Execute server action commands   Yes            Yes         -           -                   Yes
Access console redirection       Yes            Yes         -           -                   Yes
Access virtual media             Yes            Yes         -           -                   Yes
Test alerts                      Yes            Yes         -           -                   Yes
Execute diagnostic commands      Yes            -           -           -                   Yes

Figure 2. DRAC/MC Users screen in the DRAC/MC GUI


To delete a user, administrators can select the “Remove User” link on the DRAC/MC Users page beside the username they wish to delete. Note: The first user cannot be deleted.

To modify permissions for an existing user, administrators can select the username on the DRAC/MC Users page of the user whose permissions they would like to modify. Then, on the user configuration page, they can delete or add desired permissions and click the Apply Changes button at the bottom of the screen to enact the changes.

Using the DRAC/MC CLI

Administrators can access the DRAC/MC CLI either locally through a serial connection or remotely using Telnet to create usernames, assign users to groups, and assign permissions. The following commands create a DRAC/MC user with a specified username and password:

racadm config -g cfgUserAdmin -o cfgUserAdminUserName -i <index> <username>
racadm config -g cfgUserAdmin -o cfgUserAdminPassword -i <index> <password>

By default, this DRAC/MC user is granted all associated permissions of the DRAC/MC Administrator group. To change the permissions for this user, administrators can enter the following command:

racadm config -g cfgUserAdmin -o cfgUserAdminPrivilege -i <index> <privilege>

Values for user permissions are specified in Figure 4.

To display an existing user, administrators can enter the following command:

racadm getconfig -g cfgUserAdmin -i <index>

To delete an existing user, administrators should locate the user’s index listing and enter the following command:

racadm config -g cfgUserAdmin -o cfgUserAdminUserName -i <index> ""

To modify information about or privileges of an existing user, administrators should locate the property that must be changed. Figure 5 shows the types of properties that can be modified. Then, administrators can enter the following command to modify the specified property:

racadm config -g cfgUserAdmin -o <property name> -i <index> <property value>

Figure 3. DRAC/MC user configuration screen in the DRAC/MC GUI

Figure 4. User permissions and values configurable from the DRAC/MC CLI

User permission                   Bit    Value
Log in to DRAC/MC                 0      0x80000001
Configure DRAC/MC                 1      0x80000002
Configure users                   2      0x80000004
Clear logs                        3      0x80000008
Execute server action commands    4      0x80000010
Access console redirection        5      0x80000020
Access virtual media              6      0x80000040
Test alerts                       7      0x80000080
Execute diagnostic commands       8      0x80000100
Reserved                          9–21   0x80000xxx

Figure 5. User properties configurable from the DRAC/MC CLI

User property
cfgUserAdminPrivilege
cfgUserAdminUserName
cfgUserAdminAlertFilterSysMask
cfgUserAdminEmailEnable
cfgUserAdminEmailAddress
cfgUserAdminEmailCustomMsg
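The privilege values in Figure 4 form a bitmask, which makes the cfgUserAdminPrivilege value both easy to compute and easy to audit. The following Python, added here and not taken from the article or from Dell's tools, encodes a set of permission names into the Figure 4 value, decodes a value back to names (rejecting the reserved bits 9–21 and any other unknown bit), reports the permissions a user holds beyond a given role, and assembles the racadm config commands from the preceding section for creating that user. The OPERATOR role, the sample username and password, and the function names are this example's own assumptions; the commands are built as strings for review and are never executed.

```python
"""Encode, decode and audit DRAC/MC cfgUserAdminPrivilege values.

Added example, not code from the article or from Dell. The bit positions
and the 0x80000000 marker are taken from Figure 4; the OPERATOR role and
the user_commands() helper are this example's own assumptions. The
racadm commands are built as strings for review, not executed.
"""
from typing import Dict, Iterable, List, Set

# Figure 4: permission name -> bit position. Value = 0x80000000 | (1 << bit).
PRIVILEGE_BITS: Dict[str, int] = {
    "Log in to DRAC/MC": 0,
    "Configure DRAC/MC": 1,
    "Configure users": 2,
    "Clear logs": 3,
    "Execute server action commands": 4,
    "Access console redirection": 5,
    "Access virtual media": 6,
    "Test alerts": 7,
    "Execute diagnostic commands": 8,
}
PRIVILEGE_MARKER = 0x80000000                      # set in every Figure 4 value
RESERVED_MASK = sum(1 << b for b in range(9, 22))  # bits 9-21 are reserved
KNOWN_MASK = PRIVILEGE_MARKER | sum(1 << b for b in PRIVILEGE_BITS.values())

# Assumed role for the demonstration: may power blades and use the console
# and virtual media, but must not configure the DRAC/MC or its users.
OPERATOR = [
    "Log in to DRAC/MC",
    "Execute server action commands",
    "Access console redirection",
    "Access virtual media",
]


def encode_privilege(perms: Iterable[str]) -> int:
    """Return the cfgUserAdminPrivilege value granting exactly `perms`."""
    value = PRIVILEGE_MARKER
    for name in perms:
        value |= 1 << PRIVILEGE_BITS[name]  # KeyError for a name not in Figure 4
    return value


def decode_privilege(value: int) -> Set[str]:
    """Return the permission names set in `value`.

    Raises ValueError if any reserved (9-21) or otherwise unknown bit is set,
    so that a mistyped value is caught before it reaches the controller.
    """
    if value & RESERVED_MASK:
        raise ValueError(f"reserved bits set in 0x{value:08X}")
    if value & ~KNOWN_MASK & 0xFFFFFFFF:
        raise ValueError(f"unknown bits set in 0x{value:08X}")
    return {name for name, bit in PRIVILEGE_BITS.items() if value & (1 << bit)}


def excess_privileges(value: int, role: Iterable[str]) -> Set[str]:
    """Permissions granted by `value` that the given role does not need."""
    return decode_privilege(value) - set(role)


def _token(label: str, text: str) -> str:
    """Reject values the CLI would split or misread (whitespace, quotes)."""
    if not text or any(c.isspace() or c in "\"'" for c in text):
        raise ValueError(f"{label} must be non-empty and contain no whitespace or quotes")
    return text


def user_commands(index: int, username: str, password: str, perms: Iterable[str]) -> List[str]:
    """The three racadm config commands from the article that create a user at
    `index` and replace the default privilege value with one for `perms`."""
    base = "racadm config -g cfgUserAdmin"
    return [
        f"{base} -o cfgUserAdminUserName -i {index} {_token('username', username)}",
        f"{base} -o cfgUserAdminPassword -i {index} {_token('password', password)}",
        f"{base} -o cfgUserAdminPrivilege -i {index} 0x{encode_privilege(perms):08X}",
    ]


if __name__ == "__main__":
    # Constructed placeholder credentials for the demonstration only.
    print("\n".join(user_commands(3, "ops1", "changeme", OPERATOR)))
    # 0x800001FF carries all nine Figure 4 permissions; the printed set is
    # what the operator role would hold beyond its needs if left at that value.
    print(sorted(excess_privileges(0x800001FF, OPERATOR)))
```

Because a newly created user starts with the Administrator group's permissions, running excess_privileges() against the value returned by racadm getconfig for each user index is a quick way to find accounts that were never narrowed to the role they serve.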


E-mail alerting

E-mail alert configuration is part of the user configuration process. To enable e-mail alerting, administrators should select the “Enable Email Alerts” check box in the “Email Alerts Settings” section of the DRAC/MC Configuration>Network page and enter the SMTP (e-mail) server address (see Figure 6).

For e-mail alerts to operate properly, information must be provided in the following fields on the Configuration>Users page shown in Figure 3:

• “Enable Email Alerts” check box: Enables the e-mail alert feature and allows selection of events that trigger e-mail message transmission to the designated e-mail address.
• Email Address field: Designates the target e-mail address for alerts.
• Message field: Specifies the text of the e-mail alert.
• “Alert Description” section: Selects conditions that generate the e-mail alert.

E-mail alerts can be configured by severity or alert description. The following severity levels are available:

• Informational: Lowest severity
• Warning: Medium severity
• Severe: Highest severity

Alerts are configurable for the following sensors:

• All sensors
• System temperature
• System voltage
• System fans
• Miscellaneous system sensors

Microsoft Active Directory settings for the DRAC/MC

Administrators can configure settings for the Microsoft Active Directory service through the DRAC/MC GUI or CLI.1

Configuring Active Directory via the DRAC/MC GUI

Administrators should first log in to the DRAC/MC Web-based GUI using the default username (“root”) and password and then go to the Configuration>Active Directory page (see Figure 7). From this page, administrators can perform the following steps to enable Active Directory:

1. Select the “Enable Active Directory” check box.
2. In the DRAC/MC Name field, enter the common name of the remote access controller (RAC) device object that was created in the domain controller.
3. In the ROOT Domain Name field, enter the fully qualified root domain name for the domain forest.
4. In the DRAC/MC Domain Name field, enter the fully qualified domain name of the subdomain where the RAC device object resides (for example, “dracmc.com”); do not use the NetBIOS name.
5. Click the Apply Changes button to save the Active Directory settings.

Figure 6. DRAC/MC network configuration screen in the DRAC/MC GUI

1 For more information about using Microsoft Active Directory with Dell remote access controllers, see “Using Microsoft Active Directory Authentication with the DRAC 4” by Jon McGary and Bradley Bransom in Dell Power Solutions, October 2004, www.dell.com/downloads/global/power/ps4q04-20040123-McGary.pdf.

Figure 7. DRAC/MC Active Directory Configuration screen in the DRAC/MC GUI


Administrators must then upload the Active Directory certificate to the DRAC/MC by performing the following steps:

1. Click the Upload Active Directory CA Certificate button. The Upload Certificate screen will appear (see Figure 8).
2. Click the Browse button to locate the full path and file name of the domain forest root CA certificate, or type it in. The domain forest root CA certificate should be available on the local system and must have previously been accepted by the domain forest’s domain-controller SSL certificates.
3. Click the Upload button to upload the root CA certificate to the DRAC/MC firmware. The DRAC/MC Web server should then automatically restart.
4. Log in again to complete the DRAC/MC Active Directory feature configuration.

The next step is to configure the Domain Name System (DNS) server. On the Configuration>Network page shown in Figure 6, if “Enable NIC” and “Use DHCP (for the NIC IP address)” are enabled, administrators should select the “Use DHCP to obtain DNS server addresses” check box. To input a DNS server IP address manually, administrators can unselect the “Use DHCP to obtain DNS server addresses” check box and type in the preferred and alternate DNS server IP addresses. Then, administrators should click the Apply Changes button to complete the DRAC/MC Active Directory configuration.

Configuring Active Directory via the DRAC/MC CLI

Administrators can also configure Active Directory settings by using the Racadm command-line utility. To do so, they should open a Telnet or serial console session to access the DRAC/MC and enter the following Racadm commands:

racadm config -g cfgActiveDirectory -o cfgADEnable 1
racadm config -g cfgActiveDirectory -o cfgADRacDomain <fully qualified RAC domain name>
racadm config -g cfgActiveDirectory -o cfgADRootDomain <fully qualified root domain name>
racadm config -g cfgActiveDirectory -o cfgADRacName <RAC common name>

Next, administrators must upload the Active Directory certificate using a Web browser, as described in the preceding section in this article. After that process is completed, administrators can configure the DNS server. If DHCP is enabled on the DRAC/MC and administrators wish to use the DNS service provided by the DHCP server, they can issue the following command:

racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 1

If DHCP is disabled on the DRAC/MC or administrators wish to input the DNS IP address manually, they can issue the following commands:

racadm config -g cfgLanNetworking -o cfgDNSServersFromDHCP 0
racadm config -g cfgLanNetworking -o cfgDNSServer1 <primary DNS IP address>
racadm config -g cfgLanNetworking -o cfgDNSServer2 <secondary DNS IP address>

Then, administrators can press Enter to complete the DRAC/MC Active Directory feature configuration.

Active Directory authentication

Microsoft Active Directory houses information about network objects and helps deploy these objects to users, computers, and applications.

Discovering the domain controller

The client system discovers the Microsoft Active Directory service using an algorithm called the Domain Controller Locator.2 In the case of the DRAC/MC, the client is the DRAC/MC module that is trying to authenticate the given username and password on the Active Directory server.

Figure 8. DRAC/MC Upload Certificate screen in the DRAC/MC GUI

2 For more information about Microsoft Active Directory and the Domain Controller Locator operation, visit www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbi_add_afsl.asp.


Note: The user trying to log in to the Active Directory server should already exist in the Association object that contains the Dell User object(s), Dell Privilege object(s), and Dell RAC Device object(s).3

In Windows, the Domain Controller Locator is part of the Net Logon service; on the DRAC/MC, the Domain Controller Locator is part of the login service. This service on the DRAC/MC queries the DNS server for a domain controller hosting the Lightweight Directory Access Protocol (LDAP) service over TCP. The query requests a service location record (SRV) and uses the format _ldap._tcp.<DNSDomainName>—where DNSDomainName is the root domain name that the administrator used when configuring the Active Directory settings, as described earlier in this article. The DNS server is the static preferred DNS server, the alternate DNS server, or the DNS server address provided by the DHCP server.

After this query is resolved, the DNS server responds to the client—that is, the DRAC/MC—with the identity of one or more domain controllers that are registered under the given domain name. The client sends an LDAP User Datagram Protocol (UDP) lookup to one or more of the domain controllers listed in the response to the DNS query to ensure their availability. Finally, the Net Logon service caches the discovered domain controller to aid in resolving future requests.

Understanding DNS requirements

Microsoft Active Directory is fully integrated with DNS and TCP/IP. A DNS server is required for the proper functioning of Active Directory. The extra dimension of DNS with Active Directory is the SRV resource records (RRs). It is essential for the DNS server to support SRV RRs. Dell also recommends that the DNS server be able to support dynamic updates, because domain controllers continually register new records in DNS.

Active Directory registration in DNS servers

When a Microsoft Windows Server™ 2003–based domain controller boots up, the Net Logon service uses dynamic updates to register SRV and “A” RRs in the DNS database, as described in the Internet Engineering Task Force (IETF) RFC 2782.4 Windows Server 2003 also employs secure dynamic updates using the GSS-TSIG algorithm, as described in IETF RFC 3645.5

Service records reveal not only the server’s IP address but also the services that it offers. The following is the standard format of an SRV record in the DNS server:

_service._protocol.name ttl class SRV priority weight port target

For example, if the client query is _ldap._tcp.test.com, the SRV record in the DNS server could appear as follows:

ad1.test.com A 11.11.11.11
_ldap._tcp.test.com 600 IN SRV 0 100 3268 ad1.test.com
_ldap._tcp.example.com SRV 0 0 389 austin.example.com
_kerberos._tcp.test.com SRV 0 0 88 ad1.test.com

The DNS response for the client query would return the 11.11.11.11 IP address of ad1.test.com to the client.
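The discovery sequence described under “Discovering the domain controller” and the SRV records above can be exercised offline. The following Python, added as an example and not part of the article or of any Dell or Microsoft code, builds the _ldap._tcp.<domain> query name (rejecting a single-label NetBIOS-style name, as the configuration steps require), orders the returned SRV records by RFC 2782 priority and weight, and resolves each target’s A record. The zone contents are constructed for the example, modelled on the test.com records above with a second controller added to show the ordering; the lookups are table lookups rather than network queries, and the function names are this example’s own.

```python
"""Locate Active Directory domain controllers from DNS SRV records.

Added example, not code from the article or from Dell or Microsoft. It
reproduces the lookup the article attributes to the DRAC/MC login service:
query _ldap._tcp.<root domain> for SRV records, order the answers by RFC 2782
priority and weight, and resolve each target's A record. The zone data is a
constructed in-memory table modelled on the article's test.com records, with a
second controller added to show ordering, so the script runs offline.
"""
import random
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone contents (owner name -> records); not a real DNS server.
ZONE_SRV: Dict[str, List[SRV]] = {
    "_ldap._tcp.test.com": [
        SRV(0, 100, 3268, "ad1.test.com"),   # from the article's example
        SRV(10, 0, 389, "ad2.test.com"),     # added: lower-priority backup
    ],
    "_kerberos._tcp.test.com": [SRV(0, 0, 88, "ad1.test.com")],
}
ZONE_A: Dict[str, str] = {"ad1.test.com": "11.11.11.11", "ad2.test.com": "11.11.11.12"}

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name: str) -> bool:
    """True for a dotted DNS name with valid labels. A single label (the NetBIOS
    style name the configuration steps say not to use) is rejected."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def ldap_srv_name(root_domain: str) -> str:
    """Owner name queried for domain controllers offering LDAP over TCP."""
    if not is_fqdn(root_domain):
        raise ValueError(f"root domain must be fully qualified, got {root_domain!r}")
    return f"_ldap._tcp.{root_domain.rstrip('.').lower()}"


def order_srv(records: List[SRV], rng: random.Random) -> List[SRV]:
    """RFC 2782 ordering: lowest priority first; within a priority, weighted
    random selection, with weight-0 records placed first in the running sum so
    they are chosen last unless nothing else remains."""
    ordered: List[SRV] = []
    for priority in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == priority),
                      key=lambda r: r.weight != 0)     # weight 0 first
        while pool:
            point = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for candidate in pool:
                running += candidate.weight
                if running >= point:
                    break
            ordered.append(candidate)
            pool.remove(candidate)
    return ordered


def locate_domain_controllers(root_domain: str,
                              rng: Optional[random.Random] = None) -> List[Tuple[str, str, int]]:
    """Return (target, ip, port) for each controller, in the order to try them.
    The article's next step, an LDAP UDP lookup to confirm each controller is
    reachable, is not simulated here."""
    name = ldap_srv_name(root_domain)
    records = ZONE_SRV.get(name)
    if not records:
        raise LookupError(f"no SRV records for {name}")
    rng = rng if rng is not None else random.Random()
    results = []
    for srv in order_srv(records, rng):
        ip = ZONE_A.get(srv.target)
        if ip is not None:               # skip targets with no A record
            results.append((srv.target, ip, srv.port))
    return results


if __name__ == "__main__":
    for target, ip, port in locate_domain_controllers("test.com", random.Random(1)):
        print(f"{target} {ip}:{port}")
```

The priority and weight handling matters for an embedded client like the DRAC/MC: if the first controller returned is down, the next entry in the ordered list is the correct fallback, and a weight of 0 marks a controller that should only be used when no weighted one is available.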

Nslookup.exe

Service records and related entries can be verified by querying DNS using Nslookup.exe. The syntax to query a DNS server for a list of all service records for a given domain is as follows:

C:\> nslookup
> ls -t SRV test.com

This can be very helpful to administrators when they must find the correct DNS server to be configured on the DRAC/MC network configuration page.

Active Directory certificate management

Various certificates must be installed in the proper locations before an Active Directory user can be authenticated on a DRAC/MC.

Active Directory Certificate Authority certificate. The CA certificate must be downloaded from the Active Directory server and uploaded to each DRAC/MC module that supports Active Directory authentication for that domain. This X.509 version 3 base-64–encoded certificate is created from an organization’s Active Directory environment. The Active Directory CA certificate allows the DRAC/MC to communicate securely with the DNS server to authenticate a DRAC/MC user in the Active Directory database. All SSL certificates of the Active Directory servers in the domain forest must be signed by the same root CA, because the DRAC/MC allows uploading only one trusted CA SSL certificate.

3 For more information about Active Directory schema extensions, installing the Dell schema extension to the Active Directory Users and Computers snap-in, using Dell’s predefined Active Directory objects in the Active Directory server, and other aspects of the Active Directory schema, see “Using Microsoft Active Directory Authentication with the DRAC 4” by Jon McGary and Bradley Bransom in Dell Power Solutions, October 2004, www.dell.com/downloads/global/power/ps4q04-20040123-McGary.pdf.

4 For more information about IETF RFC 2782 and the SRV RR format, see “A DNS RR for specifying the location of services (DNS SRV)” by A. Gulbrandsen, P. Vixie, and L. Esibov at www.faqs.org/rfcs/rfc2782.html.

5 For more information about IETF RFC 3645, see “Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG)” by S. Kwan et al. at www.rfc-archive.org/getrfc.php?rfc=3645.


DRAC/MC server certificate. This certificate lets the DRAC/MC communicate securely with the DNS server to authenticate a DRAC/MC user in the Active Directory database. The DRAC/MC certificate is downloaded to a file and then uploaded to the Active Directory domain being accessed. If the DRAC/MC SSL certificate is signed by a well-known CA, and the CA is in the Trusted Root Certificate Authority for the Active Directory server, the DRAC/MC server certificate does not need to be uploaded to the Active Directory server.

Simplified user management for Dell blade server environments

User administration and network security are two major concerns of systems administrators. The DRAC/MC provides a robust, secure infrastructure to help administrators manage users and enhance security for the Dell Modular Server Enclosure that houses Dell blade servers. The DRAC/MC supports 128-bit SSL-encrypted Web sessions and allows administrators to install certificates signed by a trusted CA to further enhance security. The DRAC/MC also lets administrators assign the necessary level of privileges to selected users. In addition, support for Microsoft Active Directory authentication helps simplify central administration of user databases.

Anusha Ragunathan is a firmware engineer in the Chassis Management Group for Dell PowerEdge™ blade servers within the Dell Product Group. She has a bachelor’s degree in Computer Science Engineering from Bharathiyar University in India and a master’s degree in Computer Science Engineering from Arizona State University.

Sanjeev S. Singh is a senior software engineer at Dell. Previously, he was a software engineer at Hewlett-Packard and NCR. He has a bachelor’s degree in Electrical Engineering and a master’s degree in Computer Engineering from North Carolina State University.

FOR MORE INFORMATION

Dell Remote Access Controller/Modular Chassis User’s Guide: support.dell.com/support/edocs/software/smdrac3/dracmc/index.htm