Dell iDRAC Service Module 4.x Reference guide

Dell iDRAC Service Module 4.x is a powerful, secure, and flexible enterprise-class systems management solution that enables efficient management of Dell EMC PowerEdge servers. It provides comprehensive hardware monitoring and control, remote presence capabilities, and extensive automation features, making it an ideal choice for data center and IT infrastructure administrators. With advanced security features, including authentication, authorization, and data encryption, iDRAC Service Module 4.x ensures the integrity and confidentiality of managed systems.


Dell EMC iDRAC Service Module
Security Configuration Guide
May 2021
Rev. A00
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid
the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2021 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other
trademarks may be trademarks of their respective owners.
Contents
Chapter 1: Overview (p. 5)
  Legal disclaimers (p. 5)
  Reporting security vulnerabilities (p. 6)
Chapter 2: Security quick reference (p. 7)
  Deployment models (p. 7)
    Initial installation of iDRAC Service Module (p. 7)
  Security profiles (p. 7)
Chapter 3: Product and subsystem security (p. 8)
  Security controls map (p. 8)
    User interfaces and the minimum privileges (p. 9)
  Authentication (p. 9)
  Login security settings (p. 10)
    Login banner configuration (p. 10)
    Failed login behavior (p. 10)
    Emergency user lockout (p. 10)
  Authentication types and setup (p. 10)
    Configuring local authentication sources (p. 10)
    Configuring active directory (p. 10)
    Certificate and key-based authentication (p. 11)
    Multi-factor Authentication (p. 11)
    Other authentication sources (p. 11)
    Unauthenticated interfaces (p. 11)
    Selecting authentication sources (p. 11)
  User and credential management (p. 11)
    Pre-loaded accounts (p. 12)
    Default credentials (p. 12)
    Disabling accounts (p. 12)
    Managing credentials (p. 12)
    Securing credentials (p. 12)
    Password complexity (p. 12)
  Authentication to external systems (p. 13)
    Configuring remote connections (p. 13)
    Controlling access to remote systems (p. 13)
    Remote component authentication (p. 13)
  Authorization (p. 13)
    General authorization settings (p. 13)
    Configuring authorization rules (p. 13)
    Default authorizations (p. 13)
    External authorization associations (p. 14)
    Entitlement export (p. 14)
    Actions not requiring authorization (p. 14)
  RBAC privileges (p. 14)
    Default roles (p. 14)
    Configuring roles (p. 14)
    Role mapping (p. 14)
    External role associations (p. 14)
  Network security (p. 14)
    Network exposure (p. 14)
    Communication security settings (p. 15)
    Firewall settings (p. 15)
  Data security (p. 15)
    Data storage security settings (p. 15)
    Data at rest encryption (p. 15)
    Data erasure (p. 15)
    Data integrity (p. 16)
    Other data security features (p. 16)
  Cryptography (p. 16)
    Cryptographic configuration options (p. 16)
    Certified cryptographic modules (p. 17)
    Certificate management (p. 17)
  Auditing and logging (p. 17)
    Logs (p. 17)
    Log management (p. 18)
    Log protection (p. 18)
    Logging format (p. 18)
    Alerting (p. 18)
  Physical security (p. 18)
    Physical interfaces (p. 18)
    Physical security options (p. 19)
    Customer service access (p. 19)
    Tamper evidence and resistance (p. 19)
  Serviceability (p. 19)
Chapter 4: Miscellaneous configuration and management elements (p. 20)
  Licensing (p. 20)
  Customer modification and customization (p. 20)
  Protect authenticity and integrity (p. 20)
  Preventing malware (p. 20)
  Specialized security devices (p. 20)
  Installing client software (p. 20)
Chapter 5: Internal security information (p. 21)
  Embedded component usage (p. 21)
  Internally discovered issues (p. 21)
Chapter 6: Resources and support (p. 22)
Chapter 7: Contacting Dell EMC (p. 23)
Overview
As part of an effort to improve its product lines, Dell EMC periodically releases revisions of its software and hardware.
Therefore, some functions described in this document might not be supported by all versions of the software or hardware
currently in use. The product release notes provide the most up-to-date information on product features.
Contact your Dell EMC technical support professional if a product does not function properly or does not function as described
in this document.
NOTE: This document was accurate at publication time. Go to Dell EMC Online Support (https://www.dell.com/support) to
ensure that you are using the latest version of this document.
Purpose
This document describes the security configurations related to Dell EMC iDRAC Service Module (iSM), and its installation,
configuration, and functionality on the host operating system. The functionality might involve communication with other
subsystems, which is out of scope for this document. The subsystems within the host include:
- Integrated Dell Remote Access Controller (iDRAC)
- Dell EMC system firmware (BIOS)
- Operating system logging interface
- System chipset SATA controller
- NetSNMP configuration
- Microsoft Windows Registry
- Microsoft Windows certificate store
Subsystems outside the host include the Dell EMC support server. The security posture of these subsystems is out of scope of
this document.
Audience
This document is intended for individuals who are responsible for managing security of Dell EMC iDRAC Service Module (iSM).
Legal disclaimers
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS-IS." DELL MAKES NO REPRESENTATIONS OR WARRANTIES
OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. In no event shall Dell Technologies, its
affiliates or suppliers, be liable for any damages whatsoever arising from or related to the information contained herein or
actions that you decide to take based thereon, including any direct, indirect, incidental, consequential, loss of business profits or
special damages, even if Dell Technologies, its affiliates or suppliers have been advised of the possibility of such damages.
The Security Configuration Guide intends to be a reference. The guidance is provided based on a diverse set of installed systems
and may not represent the actual risk or guidance to your local installation and individual environment. Dell EMC recommends
that all users determine the applicability of this information to their individual environments and take appropriate actions. All
aspects of this Security Configuration Guide are subject to change without notice and on a case-by-case basis. Your use of the
information contained in this document or materials linked herein is at your own risk. Dell reserves the right to change or update
this document in its sole discretion and without notice at any time.
Reporting security vulnerabilities
Dell EMC takes reports of potential security vulnerabilities in our products very seriously. If you discover a security vulnerability,
you are encouraged to report it to Dell EMC immediately.
For the latest on how to report a security issue to Dell EMC, see Dell Vulnerability Response Policy on the Dell.com site.
Security quick reference
Deployment models
iSM software can be deployed on all the supported operating systems listed in the corresponding iSM version user's guide.
The installer can be invoked only by a local or domain system administrator. Two methods are widely used to deploy iSM
software on the host operating system:
- Using the iSM installer: download the software from the Dell EMC support site and run the installer on the host as an
administrator.
- Using iDRAC: iSM software can be installed on the host operating system from iDRAC. For more information, see Initial
installation of iDRAC Service Module.
Initial installation of iDRAC Service Module
You can install iDRAC Service Module (iSM) from the iDRAC Enterprise or Datacenter, or from the iDRAC Express interface
on Microsoft Windows and Linux operating systems. The installation procedure is the same for all three installation options,
requiring a single click to initiate the iDRAC installer package on the host system. Using this method rather than downloading the
installer from the Dell EMC support site or the OpenManage DVD ensures that you install a version of iSM that is compatible
with your iDRAC firmware.
About this task
Both an operating system and iSM must be installed on the host operating system.
Steps
1. Start the virtual console.
2. Log in to the host operating system as an administrator.
3. From the device list, select the mounted volume labeled SMINST, and then click the corresponding script to start the
installation. To install iSM, run the appropriate command for your system:
   - For Windows: ISM_Win.bat
   - For Linux: sh ISM_Lx.sh or . ISM_Lx.sh
   - For Ubuntu: bash ism_Lx.sh
After the installation is completed, iDRAC indicates that iSM is installed and specifies the latest installation date.
NOTE:
The installer is accessible by the host operating system for 30 minutes, within which you must start the
installation operation. Otherwise, you must restart the iSM Installer.
Security profiles
iDRAC Service Module (iSM) communication with iDRAC is TLS-encrypted from iSM version 3.4.0 and later. When iSM 3.4.0
or later is installed along with iDRAC firmware older than 3.30.30.00, the communication is not encrypted. Before loading, the
libraries installed by iSM are verified for integrity, source, and path. Access to configuration tasks is restricted to administrator-
level accounts.
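The version dependency stated above is easy to miss in a mixed fleet: an iSM 3.4.0 or later host paired with iDRAC firmware older than 3.30.30.00 talks to iDRAC without TLS. The following script, added here as an illustration and not part of the guide or of iSM itself, compares the two version strings for each host in a constructed inventory and reports every host whose channel is not encrypted. The host names and version values are constructed sample data.

```python
"""Flag hosts whose iSM-to-iDRAC channel is not TLS-encrypted.
The guide states that iSM 3.4.0 and later encrypts the channel, but only
when the iDRAC firmware is 3.30.30.00 or newer.
Added example; the inventory below is constructed, not real data."""
from typing import List, Tuple

ISM_TLS_MIN = (3, 4, 0)           # first iSM release that encrypts the channel
IDRAC_TLS_MIN = (3, 30, 30, 0)    # iDRAC firmware 3.30.30.00, from the guide


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '3.30.30.00' into a comparable tuple."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def pad(version: Tuple[int, ...], length: int) -> Tuple[int, ...]:
    """Right-pad with zeros so '4.0' compares like '4.0.0'."""
    return version + (0,) * (length - len(version))


def channel_state(ism_version: str, idrac_fw: str) -> str:
    """Classify the iSM/iDRAC channel for one host."""
    ism = pad(parse_version(ism_version), 3)
    fw = pad(parse_version(idrac_fw), 4)
    if ism < ISM_TLS_MIN:
        return "pre-TLS iSM (unencrypted)"   # upgrade iSM first
    if fw < IDRAC_TLS_MIN:
        return "UNENCRYPTED"                 # iSM can do TLS, firmware cannot
    return "TLS"


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (host, state) for every host whose channel is not TLS."""
    findings = []
    for host, ism, fw in inventory:
        state = channel_state(ism, fw)
        if state != "TLS":
            findings.append((host, state))
    return findings


# Constructed sample inventory: (host, iSM version, iDRAC firmware version).
SAMPLE_INVENTORY = [
    ("srv-01", "4.0.1", "4.40.00.00"),
    ("srv-02", "3.4.0", "3.21.21.21"),
    ("srv-03", "3.3.0", "4.40.00.00"),
    ("srv-04", "4.2.0", "3.30.30.00"),
]

if __name__ == "__main__":
    for host, state in audit(SAMPLE_INVENTORY):
        print(f"{host}: {state}")
```

On a real fleet, feed the function the versions reported by your inventory tooling; hosts flagged UNENCRYPTED are fixed by updating the iDRAC firmware, hosts flagged pre-TLS by updating iSM.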
Product and subsystem security
Security controls map
iDRAC Service Module (iSM) uses Intelligent Platform Management Interface (IPMI) over Keyboard Controller Style (KCS)
to interact with iDRAC and to configure the Baseboard Management Controller (BMC) watchdog timer. The following figure
describes the transport and communication mode of iSM with iDRAC.
Figure 1. Security controls map
User interfaces and the minimum privileges
The following table describes the user interface, interface access, the minimum required privilege, and subsystem of the
interfaces.
Table 1. User interfaces and the required privileges

Interface | Local or remote | CLI or UI | Privilege | Subsystem
dcismcfg | Local | CLI | Administrator | Operating system
dcism-sync | Local | CLI | Administrator | Operating system
Enable-iDRACAccessHostRoute | Local | CLI | Administrator | Operating system
Enable-iDRACSNMPTrap.sh | Local or remote | CLI | Administrator | Operating system
Invoke-FullPowerCycle | Local or remote | CLI | Administrator | Operating system
Invoke-iDRACHardReset | Local or remote | CLI | Administrator | Operating system
Invoke-iDRACLauncher | Local | UI | Administrator and non-administrator | Operating system
Invoke-SupportAssistCollection | Local | CLI | Administrator | Operating system
ismspdlogs | Local | CLI | *Dell EMC service personnel | Operating system
ismtech | Local | CLI | *Dell EMC service personnel | Operating system
Configure WSMan | Local | Installer and PowerShell script | Administrator | Operating system
Installer | Local | UI, Silent | Administrator | Operating system
NVMe Prepare to Remove | Remote | UI, CLI | Administrator | iDRAC interfaces
TechSupportReport collection | Remote | UI, CLI | Administrator | iDRAC interfaces
Enable or disable iSM features | Local or remote | UI, CLI | Administrator | iDRAC interfaces, iSM Installer on operating system

* ismspdlogs and ismtech interface privileges are recommended for Dell EMC service personnel as an administrator user.
Authentication
iDRAC Service Module (iSM) generates a self-signed certificate for authentication with iDRAC. iSM verifies the iDRAC
certificate during handshake before trying any data communication.
iSM uses a UNIX or local socket for interacting with iSM installed binaries. This involves a proprietary handshake before any data
communication takes place.
iSM does not perform user authentication. However, all the command line interfaces require administrator or root user role to
perform the operation.
Login security settings
iDRAC Service Module (iSM) does not track or perform user authentication itself; it relies on the operating system. All
command line interfaces require either administrator- or root-level privileges to perform the operation. Any failure to meet
this requirement is audited in the operating system logs or a console message is displayed.
Login banner configuration
iSM does not support any option to perform banner configuration.
Failed login behavior
iSM leverages the operating system authentication and authorization policies.
Emergency user lockout
Not applicable.
Authentication types and setup
The iDRAC Service Module (iSM) and iDRAC authenticate each other using dynamically generated self-signed certificates.
The certificates are exchanged over trusted channels such as Keyboard Controller Style (KCS) and the USB NIC, which is a
link-local network. The validity period of the certificates is ten years. The certificates use RSA 2048-bit keys.
iSM supports creating an iDRAC session from the host operating system. The iDRAC session privilege is configured by the
administrator at the time of iSM installation. The administrator can either:
- Disable the session
- Allow a ReadOnly session
- Allow a session with administrator privileges on iDRAC
When the iDRAC Launcher is invoked from the host operating system, the iDRAC UI dashboard is rendered using the default
browser that is configured by the administrator. The privilege selected during the iSM installation process is enforced in this UI
session.
Configuring local authentication sources
The iDRAC Service Module (iSM) does not support configuring any external authentication sources such as Lightweight
Directory Access Protocol (LDAP). The following iSM features use a username and password for their functionality:
- Routing iDRAC SNMP alerts through the host operating system. On Linux operating systems this feature supports alert
forwarding over the SMUX protocol. The administrator can set a password for the SMUX protocol using the following
interface:
  /opt/dell/srvadmin/iSM/bin/Enable-iDRACSNMPTrap.sh changesmuxpasswd <password>
- The iSM feature InbandSNMPGet allows administrators to perform an SNMP Get and Walk of the iDRAC supported MIB
from the host operating system. This feature creates an SNMP v3 user in iDRAC in ReadOnly mode. The username is
iSMSNMPv3.
Configuring active directory
Not applicable.
Certificate and key-based authentication
The iDRAC Service Module (iSM) generates the TLS self-signed certificates. iSM does not support custom certificate
configurations. iDRAC and iSM authenticate each other using certificates over a trusted channel such as Intelligent Platform
Management Interface (IPMI) over Keyboard Controller Style (KCS). The minimum TLS version that is required for a successful
handshake is TLS 1.2.
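The properties stated in this section and under Authentication types and setup (TLS 1.2 minimum, mutual verification of self-signed certificates, a ten-year validity period) are the ones an administrator would verify when reviewing any client that talks to iDRAC. The script below is an added illustration written for this guide's reader, not iSM code: it builds a client TLS context with those constraints and checks a peer certificate description in the dictionary format that Python's `ssl` module returns from `getpeercert()`. The file paths and the sample certificate dictionary are constructed; the RSA 2048 key size is not visible in that dictionary and has to be checked separately, for example with `openssl x509 -text`.

```python
"""Client-side checks matching the properties the guide states for the
iSM/iDRAC certificate exchange: TLS 1.2 as the minimum protocol version,
mandatory peer certificate verification against a pinned self-signed
certificate, and a certificate validity window of at most ten years.
Added example, not iSM code; file paths and the sample certificate
dictionary below are constructed."""
import ssl
import time
from typing import Dict, List, Optional

TEN_YEARS = 10 * 365 * 24 * 3600   # validity period stated in the guide


def hardened_client_context() -> ssl.SSLContext:
    """Context that refuses anything below TLS 1.2 and insists on a peer cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False        # self-signed peer: pin the cert, not a DNS name
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def pin_peer(ctx: ssl.SSLContext, peer_cert_pem: str,
             own_cert_pem: str, own_key_pem: str) -> None:
    """Trust only the pinned peer certificate and present our own (mutual auth).
    Paths are hypothetical; iSM manages its own certificate store."""
    ctx.load_verify_locations(cafile=peer_cert_pem)
    ctx.load_cert_chain(certfile=own_cert_pem, keyfile=own_key_pem)


def check_peer_cert(cert: Dict, now: Optional[float] = None) -> List[str]:
    """Return the problems found in a getpeercert()-style dictionary.
    Key size is not exposed there; check RSA 2048 separately."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    problems = []
    if not_after - not_before > TEN_YEARS:
        problems.append("validity window exceeds ten years")
    if now < not_before:
        problems.append("certificate not yet valid")
    if now > not_after:
        problems.append("certificate expired")
    if cert.get("issuer") != cert.get("subject"):
        problems.append("issuer differs from subject; expected a self-signed certificate")
    return problems


# Constructed sample in the format ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "idrac-constructed"),),),
    "issuer": ((("commonName", "idrac-constructed"),),),
    "notBefore": "May  1 00:00:00 2021 GMT",
    "notAfter": "Apr  1 00:00:00 2031 GMT",
}

if __name__ == "__main__":
    ctx = hardened_client_context()
    print("minimum TLS:", ctx.minimum_version.name)
    print("problems:", check_peer_cert(SAMPLE_CERT) or "none")
```

`check_hostname` is disabled because a self-signed device certificate carries no DNS name to match; security comes from loading only the pinned certificate as the trust anchor and keeping `verify_mode` at `CERT_REQUIRED`.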
While communicating to Dell EMC support servers, iSM validates the server certificate before any data exchange. Also, every
client of Dell EMC SupportAssist is authenticated using a client-unique credential, which is an offline process.
Multi-factor Authentication
Not applicable.
Other authentication sources
To facilitate launching the iDRAC UI from within the host operating system, iSM uses a Dell EMC proprietary token-based
session creation process.
Unauthenticated interfaces
Not applicable.
Selecting authentication sources
Not applicable.
User and credential management
ismtech is a CLI command on all iSM supported operating systems. This command creates a user in iDRAC with
username ismtech to enable a Dell EMC service personnel to perform support-related actions. This utility is restricted
to administrator users only. It requests a password as input and sends a request to iDRAC for user account creation. iDRAC
uses its process to manage credentials. This password is not stored on the host operating system.
For the feature InBandSNMPTraps, if the administrator has chosen the SMUX protocol with a password to enable iDRAC
alert forwarding through the operating system as SNMP traps, then the password is managed in an administrator-restricted
file system location on the operating system.
For the feature InBandSNMPGet, iSM creates an iDRAC local user with read-only privileges. These credentials are managed
by iDRAC.
Pre-loaded accounts
Not applicable.
Default credentials
Not applicable.
Disabling accounts
The ismtech utility installed by iSM can be used to create an iDRAC user for support purposes. From the host operating
system, the ismtech utility can be used to delete the user so created. As a security measure, the iSM service deletes the
ismtech user account automatically after 24 hours.
If the administrator has created an SMUX peer password while enabling the InBandSNMPTraps feature, then this
password can be cleaned up by disabling the feature using the following command:
/opt/dell/srvadmin/iSM/bin/Enable-iDRACSNMPTrap.sh
The iDRAC SNMP user created for the InBandSNMPGet feature can be deleted by disabling this feature using iSM installer
or iDRAC interfaces.
Managing credentials
The ismtech utility can be used to change the password for the ismtech local account that was created in iDRAC.
Securing credentials
It is recommended to install iSM on a file system that is accessible only by the system administrator. On Microsoft Windows,
iSM stores the certificates in the native certificate store of the operating system. On other operating systems, the certificates
are stored in a file system area restricted to administrator users only. Credentials created for an iDRAC local user, for example
by the ismtech utility, are stored in iDRAC.
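The recommendation above, together with the administrator-restricted location used for the SMUX password under User and credential management, is something a practitioner can check rather than assume. The script below is an added illustration, not part of iSM, that walks an installation directory on a Linux host and reports every file or directory that grants any permission to group or others, then tightens them. It builds a throwaway directory with constructed file names so it runs without iSM present; on a real host point it at the installation path instead.

```python
"""Audit an install directory for entries readable or writable by anyone
other than their owner, and tighten them. Added example, not iSM code;
the sample tree and its file names are constructed."""
import os
import stat
import tempfile
from typing import List, Tuple

GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO   # any rwx bit for group or others


def exposed_entries(root: str) -> List[Tuple[str, str]]:
    """Return (path, octal mode) for every directory and file under root that
    grants any permission to group or others. Symlinks are reported, not followed."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        for entry in entries:
            mode = os.lstat(entry).st_mode
            if mode & GROUP_OR_OTHER:
                findings.append((entry, oct(stat.S_IMODE(mode))))
    return findings


def exposed_relpaths(root: str) -> List[str]:
    """Same findings as exposed_entries, as sorted paths relative to root."""
    return sorted(os.path.relpath(p, root) for p, _ in exposed_entries(root))


def lock_down(root: str) -> None:
    """Remove all group/other permissions: 0700 for directories and
    owner-executable files, 0600 for everything else."""
    for dirpath, _dirnames, filenames in os.walk(root):
        os.chmod(dirpath, 0o700)
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue   # do not chmod through a symlink
            os.chmod(path, 0o700 if mode & stat.S_IXUSR else 0o600)


def build_sample_tree() -> str:
    """Constructed stand-in for an install directory, with one leaky file."""
    root = tempfile.mkdtemp(prefix="ism-audit-")     # mkdtemp creates it 0700
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "conf"))
    samples = (("bin/tool.sh", 0o755),        # executable, world-readable
               ("conf/settings", 0o600),      # already owner-only
               ("conf/smux.secret", 0o644))   # secret readable by everyone: the finding
    for rel, mode in samples:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for path, mode in exposed_entries(tree):
        print(f"exposed: {path} ({mode})")
    lock_down(tree)
    print("after lock_down:", exposed_entries(tree) or "nothing exposed")
```

Ownership is deliberately not checked here because the sample tree is created by whichever user runs the script; on a real host add a check that every entry is owned by root (or the administrator account) as well.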
Password complexity
The password complexity for iDRAC local user creation using ismtech utility can be configured in iDRAC interfaces and is
enforced accordingly. To create the secure passwords, follow the iDRAC recommendations provided in Integrated Dell Remote
Access Controller 9 User's Guide at https://www.dell.com/idracmanuals.
Authentication to external systems
Apart from communication with iDRAC, iSM tries to communicate with Dell EMC SupportAssist servers to upload the support
logs from the node, fetch the system warranty, or open a case against a potential issue. The SupportAssist server certificate is
authenticated before transaction of the data.
Configuring remote connections
A successful connection to Dell EMC support servers needs an active internet connection with outbound access on port 443. If a
proxy is configured on the host operating system, then the appropriate credentials must be provided through iDRAC.
Controlling access to remote systems
The Dell EMC support servers are accessible through iDRAC to perform a designated set of operations such as:
- Server registration
- Warranty query
- Upload a TechSupportReport
- Update communication details
For more information about supported operations, see iDRAC Service Module User's Guide available at
https://www.dell.com/idracmanuals.
Remote component authentication
Access to the Dell EMC support servers is restricted to personnel or products owning the support client confidential information
dedicated to that entity. The iSM as a SupportAssist client verifies the certificate of the Dell EMC support server before
proceeding with further communication.
Authorization
General authorization settings
A default installation of iSM by the administrator installs the iDRAC User Interface (UI) launcher feature in read-only mode.
This facilitates opening an iDRAC UI session as a read-only user. iSM exposed features are configurable only by the system
administrator.
Configuring authorization rules
iSM does not support configuration or modification of the existing authorization rules published by interfaces installed by iSM.
Default authorizations
The ismtech utility creates an iDRAC user account only for the following capabilities in the iDRAC UI:
- Login to iDRAC
- Configure iDRAC
- Control and configure system
- Access virtual console
- Access virtual media
- Test alerts
- Execute debug commands
External authorization associations
Not applicable.
Entitlement export
iSM does not support any separate or distinguished way of generating an entitlement report.
Actions not requiring authorization
Not applicable.
RBAC privileges
iSM does not support any explicit way to configure or modify the roles applied to a user. However, iSM runs as a root service on
Linux and as a local service on Microsoft Windows operating systems. For more information, see Table 1 under User interfaces
and the minimum privileges.
Default roles
Not applicable.
Configuring roles
Not applicable.
Role mapping
Not applicable.
External role associations
Not applicable.
Network security
iSM communicates over the network with several subsystems: iDRAC, the Dell EMC support server, and SNMP trap
destinations.
Network exposure
Depending on the feature configuration, iSM uses some or all of the ports listed below.
Table 2. Network ports in use by iSM
Port Number   Protocol   Direction   Subsystem
5000          TCP        Outbound    iDRAC
443           HTTPS      Outbound    iDRAC, Dell EMC support server
161           UDP        Inbound     iDRAC
162           UDP        Outbound    Trap destination
1266          TCP        Inbound     Remote management station
5986          HTTPS      Inbound     WSMan
Communication security settings
Not applicable.
Firewall settings
Depending on the feature configuration, the iSM service adds the firewall rules needed for the following ports so that it can
communicate with the peer entity.
Table 3. Permitted network ports
Port Number      Protocol   Direction   Subsystem
5000             TCP        Outbound    iDRAC
443              HTTPS      Outbound    iDRAC, Dell EMC support server
161              UDP        Inbound     iDRAC
1266 (Default)   TCP        Inbound     Remote management station
5986             HTTPS      Inbound     WSMan
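The inbound rows of Tables 2 and 3 give an administrator a concrete baseline to audit against. The following script is an added example and is not part of the guide or of the iSM product; it parses the output of `ss -tulpn` (the process column requires root), constructed here as sample text, and reports any expected iSM inbound port that has no listener and any listener owned by the iSM process that is not in the documented set. The process name `wsmand` for port 5986 and the extra listener on port 8080 are constructed for the sample and are not from the guide.

```python
"""Audit host listeners against the inbound iSM ports documented in Tables 2 and 3."""
import re
from typing import Dict, List, Tuple

# Process name iSM uses on Linux (from the "Logging format" section of the guide)
ISM_PROCESS = "dsm_ism_srvmgrd"

# Inbound (port, protocol) -> peer subsystem, taken from Table 2 / Table 3
EXPECTED_INBOUND = {
    (161, "udp"): "iDRAC",
    (1266, "tcp"): "Remote management station",
    (5986, "tcp"): "WSMan",
}

# One data row of `ss -tulpn`: Netid State Recv-Q Send-Q Local:Port Peer:Port Process
SS_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s*(?P<procs>.*)$"
)

# Constructed sample output (assumption: this is what ss prints on a host running iSM)
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("dsm_ism_srvmgrd",pid=2187,fd=12))
tcp   LISTEN 0      128    0.0.0.0:1266       0.0.0.0:*         users:(("dsm_ism_srvmgrd",pid=2187,fd=14))
tcp   LISTEN 0      128    [::]:5986          [::]:*            users:(("wsmand",pid=900,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=700,fd=3))
tcp   LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*         users:(("dsm_ism_srvmgrd",pid=2187,fd=20))
"""


def parse_ss(output: str) -> List[Tuple[str, int, List[str]]]:
    """Return (protocol, local port, [process names]) for each listener row."""
    rows = []
    for line in output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:  # header line or anything that is not a tcp/udp row
            continue
        port = int(m.group("local").rsplit(":", 1)[1])  # works for 0.0.0.0:161 and [::]:5986
        names = re.findall(r'\("([^"]+)",pid=\d+', m.group("procs"))
        rows.append((m.group("proto"), port, names))
    return rows


def audit_listeners(output: str) -> Dict[str, list]:
    """Compare observed listeners with the documented iSM inbound ports."""
    rows = parse_ss(output)
    seen = {(port, proto) for proto, port, _ in rows}
    # Documented inbound ports with no listener at all
    missing = sorted(key for key in EXPECTED_INBOUND if key not in seen)
    # Listeners owned by the iSM process that the guide does not document
    unexpected_ism = sorted(
        (port, proto)
        for proto, port, names in rows
        if ISM_PROCESS in names and (port, proto) not in EXPECTED_INBOUND
    )
    return {"missing": missing, "unexpected_ism": unexpected_ism, "listeners": rows}


if __name__ == "__main__":
    report = audit_listeners(SAMPLE_SS_OUTPUT)
    for port, proto in report["missing"]:
        print(f"MISSING   {port}/{proto} ({EXPECTED_INBOUND[(port, proto)]})")
    for port, proto in report["unexpected_ism"]:
        print(f"UNEXPECTED {ISM_PROCESS} listening on {port}/{proto}")
```

Run it against live output with `ss -tulpn | python3 audit.py` after replacing the sample constant with `sys.stdin.read()`; the outbound rows (443, 5000, 162) are not checked here because they do not appear as listeners on the host.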
Data security
iSM has a few features that require data to be stored on the file system of the operating system. iSM stores iSM-specific
configuration files in a location that is accessible only to administrators or root users. The iSM configuration includes feature
states and other intermediate files needed to provide uninterrupted service.
Data storage security settings
iSM stores all the artifacts such as iSM binaries and configuration files on the operating system file system that is restricted to
administrator accounts only.
Data at rest encryption
iSM artifacts are stored unencrypted on the file system that is restricted to administrator access.
Data erasure
Uninstalling iSM erases all iSM-specific configuration data and intermediate files. Explicit SupportAssist collections saved to a
different path are not cleaned up. On RPM-based Linux operating systems and Debian-based operating systems, uninstalling iSM
retains configuration files as specified by the Red Hat Package Manager (RPM) and Debian Package (dpkg) conventions respectively.
Data integrity
iSM log collection artifacts such as SPD logs are checked for integrity before they are used for any task.
Other data security features
Not applicable.
Cryptography
iSM supports TLS 1.2 and generates self-signed certificates to communicate with iDRAC. The following tables list the set of
algorithms supported by iSM and iDRAC during the TLS handshake.
Cryptographic configuration options
There are no interface options in iSM to configure cryptographic algorithms. iSM relies on the native algorithms available for
handshake on the operating system. These algorithms should be selected by the administrator based on security best practices.
Table 4. Default cryptographic configuration
Attribute         Strength
Protocol          TLS 1.2
Cipher            Operating system default ciphers are honored.
Cipher strength   256
Hash              SHA-384
Key exchange      RSA
Table 5. TLS ciphers supported by iDRAC firmware older than version 4.40.10
iDRAC older than 4.40.10
TLSv1.2 ciphers:
TLS_RSA_WITH_3DES_EDE_CBC_SHA(rsa 2048)-C
TLS_RSA_WITH_AES_128_CBC_SHA(rsa 2048)-A
TLS_RSA_WITH_AES_128_CBC_SHA256(rsa 2048)-A
TLS_RSA_WITH_AES_128_GCM_SHA256(rsa 2048)-A
TLS_RSA_WITH_AES_256_CBC_SHA(rsa 2048)-A
TLS_RSA_WITH_AES_256_CBC_SHA256(rsa 2048)-A
TLS_RSA_WITH_AES_256_GCM_SHA384(rsa 2048)-A
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA(rsa 2048)-A
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA(rsa 2048)-A
TLS_RSA_WITH_IDEA_CBC_SHA(rsa 2048)-A
TLS_RSA_WITH_RC4_128_MD5(rsa 2048)-C
TLS_RSA_WITH_RC4_128_SHA(rsa 2048)-C
TLS_RSA_WITH_SEED_CBC_SHA(rsa 2048)-A
Table 6. TLS ciphers supported by iDRAC firmware version 4.40.10 and later
iDRAC 4.40.10 and later
TLSv1.2 ciphers:
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA(secp256r1)-C
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(secp256r1)-A
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(secp256r1)-A
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(secp256r1)-A
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(secp256r1)-A
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(secp256r1)-A
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(secp256r1)-A
TLS_ECDHE_RSA_WITH_RC4_128_SHA(secp256r1)-C
TLS_RSA_WITH_3DES_EDE_CBC_SHA(rsa 2048)-C
TLS_RSA_WITH_AES_128_CBC_SHA(rsa 2048)-A
TLS_RSA_WITH_AES_128_CBC_SHA256(rsa 2048)-A
TLS_RSA_WITH_AES_128_GCM_SHA256(rsa 2048)-A
TLS_RSA_WITH_AES_256_CBC_SHA(rsa 2048)-A
TLS_RSA_WITH_AES_256_CBC_SHA256(rsa 2048)-A
TLS_RSA_WITH_AES_256_GCM_SHA384(rsa 2048)-A
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA(rsa 2048)-A
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA(rsa 2048)-A
TLS_RSA_WITH_IDEA_CBC_SHA(rsa 2048)-A
TLS_RSA_WITH_RC4_128_MD5(rsa 2048)-C
TLS_RSA_WITH_RC4_128_SHA(rsa 2048)-C
TLS_RSA_WITH_SEED_CBC_SHA(rsa 2048)-A
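Because iSM offers no cipher configuration of its own and honors the operating system's cipher policy, the administrator has to decide which of the suites in Tables 5 and 6 the host should still negotiate. The following script is an added example, not code from the guide or from iSM: it parses the table entries exactly as printed (IANA suite name, key-exchange parameters, and the guide's A/C grade), derives key exchange, bulk cipher, MAC, forward secrecy and AEAD from the suite name, and sorts each suite into a verdict. The verdict rules (RC4, 3DES or MD5 means disable; non-AES ciphers are legacy; ECDHE with AES-GCM is preferred) are the example's own, and the `hardened_client_context` function shows, as an assumption about the operating-system side, what an equivalent OpenSSL policy looks like for a Python TLS client; it does not reflect any iSM setting.

```python
"""Classify the TLS 1.2 cipher suites from Tables 5 and 6 by key exchange and strength."""
import re
import ssl
from collections import Counter
from typing import Dict, List

# Suites advertised by iDRAC 4.40.10 and later (Table 6), copied as printed in the guide
IDRAC_4_40_10_SUITES = [
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA(secp256r1)-C",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(secp256r1)-A",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(secp256r1)-A",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(secp256r1)-A",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(secp256r1)-A",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(secp256r1)-A",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(secp256r1)-A",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA(secp256r1)-C",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA(rsa 2048)-C",
    "TLS_RSA_WITH_AES_128_CBC_SHA(rsa 2048)-A",
    "TLS_RSA_WITH_AES_128_CBC_SHA256(rsa 2048)-A",
    "TLS_RSA_WITH_AES_128_GCM_SHA256(rsa 2048)-A",
    "TLS_RSA_WITH_AES_256_CBC_SHA(rsa 2048)-A",
    "TLS_RSA_WITH_AES_256_CBC_SHA256(rsa 2048)-A",
    "TLS_RSA_WITH_AES_256_GCM_SHA384(rsa 2048)-A",
    "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA(rsa 2048)-A",
    "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA(rsa 2048)-A",
    "TLS_RSA_WITH_IDEA_CBC_SHA(rsa 2048)-A",
    "TLS_RSA_WITH_RC4_128_MD5(rsa 2048)-C",
    "TLS_RSA_WITH_RC4_128_SHA(rsa 2048)-C",
    "TLS_RSA_WITH_SEED_CBC_SHA(rsa 2048)-A",
]

# Firmware older than 4.40.10 (Table 5) offers exactly the RSA key-exchange subset
IDRAC_PRE_4_40_10_SUITES = [s for s in IDRAC_4_40_10_SUITES if s.startswith("TLS_RSA_")]

# <IANA name>(<key-exchange parameters>)-<grade as printed in the guide>
SUITE_RE = re.compile(r"^(?P<name>TLS_[A-Z0-9_]+)\((?P<params>[^)]*)\)-(?P<grade>[A-Z])$")


def assess(entry: str) -> Dict[str, object]:
    """Break one table entry into its components and assign an example verdict."""
    m = SUITE_RE.match(entry.strip())
    if not m:
        raise ValueError(f"unrecognised table entry: {entry!r}")
    name = m.group("name")
    kx, bulk_and_mac = name[len("TLS_"):].split("_WITH_", 1)   # e.g. ECDHE_RSA / AES_128_GCM_SHA256
    bulk, mac = bulk_and_mac.rsplit("_", 1)                      # AES_128_GCM / SHA256
    cipher = bulk.split("_")[0]                                  # AES, 3DES, RC4, CAMELLIA, IDEA, SEED
    forward_secrecy = kx.startswith(("ECDHE", "DHE"))
    aead = bulk.endswith("_GCM")
    # Example policy (assumption, not from the guide): broken primitives off first,
    # non-AES legacy ciphers flagged, ECDHE + AES-GCM preferred, everything else acceptable
    if cipher in {"RC4", "3DES"} or mac == "MD5":
        verdict = "disable"
    elif cipher != "AES":
        verdict = "legacy"
    elif forward_secrecy and aead:
        verdict = "preferred"
    else:
        verdict = "acceptable"
    return {
        "name": name, "key_exchange": kx, "params": m.group("params"), "cipher": cipher,
        "mac": mac, "forward_secrecy": forward_secrecy, "aead": aead,
        "page_grade": m.group("grade"), "verdict": verdict,
    }


def summarize(entries: List[str]) -> Dict[str, int]:
    """Count suites per verdict for one firmware generation."""
    return dict(Counter(assess(e)["verdict"] for e in entries))


def hardened_client_context() -> ssl.SSLContext:
    """Assumed OS-side policy for a Python TLS client: TLS 1.2+, ECDHE key exchange, AES-GCM only."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!eNULL")
    return ctx


if __name__ == "__main__":
    for label, suites in (("pre-4.40.10", IDRAC_PRE_4_40_10_SUITES), ("4.40.10+", IDRAC_4_40_10_SUITES)):
        print(label, summarize(suites))
    for r in IDRAC_4_40_10_SUITES:
        a = assess(r)
        print(f"{a['verdict']:<10} grade={a['page_grade']} FS={a['forward_secrecy']!s:<5} {a['name']}")
```

The guide's own C grades line up exactly with the suites this policy disables (the RC4 and 3DES suites), while the older firmware generation has no forward-secrecy suite at all, which is worth knowing when deciding whether an OS policy that requires ECDHE would break the iSM-to-iDRAC channel.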
Certified cryptographic modules
Not applicable.
Certificate management
iSM does not support custom certificate import. The self-signed certificates created by iSM and iDRAC are imported by iSM
into the operating system native certificate store.
Auditing and logging
iSM writes audit log entries so that certificate handshake problems in any communication between iSM and iDRAC can be
investigated. The following messages in the operating system logs indicate a TLS error. iSM log messages follow the event and
error message reference. For more information, see the Event and Error Message Reference Guide for 14th Generation Dell EMC
PowerEdge Servers available at https://www.dell.com/idracmanuals.
Logs
iDRAC Service Module (iSM) uses the platform and operating system logging interface: syslog and Windows event log.
ISM0048    iDRAC is unable to communicate with the iSM because of a Transport Layer Security (TLS) issue. The
           issue details: <TLS error details>.
Resolution Reinstall the latest available iSM on the host operating system and retry the operation. If the issue
           persists, contact your service provider.
ISM0049    The iSM is unable to communicate to the iDRAC because the client certificate is either unavailable or
           invalid.
Resolution Reinstall the latest available iSM on the host operating system and retry the operation. If the issue
           persists, contact your service provider. For information about the installation procedure, see iDRAC
           Service Module User's Guide available at https://www.dell.com/idracmanuals.
SEC0704    The authentication check operation that is done by iSM has failed for the following module or application
           because either the binary load path is incorrect or the binary configuration file is tampered with, replaced,
           or untrusted <list of app and modules>.
Log management
iSM supports specific warning logging for SupportAssist functionality. The logs can be enabled at run time using the following
utility. The logs rotate after 1 MB of log data has been written.
For Linux and VMware ESXi operating systems:
/opt/dell/srvadmin/iSM/bin/dchosmicli
For Microsoft Windows operating systems:
<iSM Install Path>\shared\bin\dchosmicli.exe
Log protection
iSM uses the platform and operating system-provided interfaces for logging audit messages. Log messages are not encrypted
by iSM.
Logging format
The following format is used to log the iSM relevant messages into the operating system logs:
<DateTime> <hostname> <processname>[PID]: <iSM MessageID> EventID="<eventID>"
EventCategory="Audit" EventSeverity="<severity>"
IsPastEvent="<True/False>" language="en-US" <Message Description>
<DateTime> format: <mmm> <dd> <hh:mm:ss>
The operating system logs can be filtered using the process name of iSM, which is "dsm_ism_srvmgrd".
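The logging format above, together with the message IDs listed under Logs (ISM0048, ISM0049 and SEC0704) and the process name "dsm_ism_srvmgrd", is enough to build a syslog triage rule. The following parser is an added example, not code from the guide or from iSM: it matches the documented line layout, extracts the `key="value"` attributes, ignores lines from other processes, and returns a finding for every iSM message whose ID indicates a TLS failure or a failed binary signature check. The sample lines are constructed for the example (hostname, PID, the `sshd` line, the severity values and the `libexample.so` module name are all assumptions, not values taken from the guide).

```python
"""Parse iSM audit messages from syslog and flag TLS and integrity failures."""
import re
from typing import Dict, List, Optional

# Process name under which iSM writes to syslog / the Windows event log
ISM_PROCESS = "dsm_ism_srvmgrd"

# Message IDs documented in the guide that indicate a TLS or tamper problem
ALERT_IDS = {
    "ISM0048": "iDRAC cannot reach iSM: TLS issue",
    "ISM0049": "iSM client certificate unavailable or invalid",
    "SEC0704": "binary or configuration signature verification failed",
}

# <DateTime> <hostname> <processname>[PID]: <MessageID> key="value" ... <Message Description>
# with <DateTime> as <mmm> <dd> <hh:mm:ss>
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<proc>[^\s\[]+)\[(?P<pid>\d+)\]: "
    r"(?P<msgid>[A-Z]{3}\d{4}) "
    r'(?P<attrs>(?:\w+="[^"]*" ?)*)'
    r"(?P<desc>.*)$"
)

# Constructed sample log (assumption: representative of what the host syslog would contain)
SAMPLE_LOG = [
    'May 12 10:15:32 pe-host-01 dsm_ism_srvmgrd[2187]: ISM0048 EventID="ISM0048" EventCategory="Audit" '
    'EventSeverity="Critical" IsPastEvent="False" language="en-US" iDRAC is unable to communicate with the '
    'iSM because of a Transport Layer Security (TLS) issue. The issue details: handshake failure.',
    'May 12 10:16:05 pe-host-01 sshd[2200]: Accepted publickey for admin from 192.0.2.10 port 50122',
    'May 12 10:17:40 pe-host-01 dsm_ism_srvmgrd[2187]: SEC0704 EventID="SEC0704" EventCategory="Audit" '
    'EventSeverity="Critical" IsPastEvent="False" language="en-US" The authentication check operation '
    'performed by iSM has failed for the following module or application because either the binary load '
    'path is incorrect or the binary or configuration file is tampered, replaced, or untrusted: libexample.so.',
    'May 12 10:18:01 pe-host-01 dsm_ism_srvmgrd[2187]: ISM0049 EventID="ISM0049" EventCategory="Audit" '
    'EventSeverity="Warning" IsPastEvent="True" language="en-US" The iSM is unable to communicate to the '
    'iDRAC because the client certificate is either unavailable or invalid.',
]


def parse_ism_log(line: str) -> Optional[Dict[str, object]]:
    """Return the parsed fields of one iSM log line, or None for any other line."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m or m.group("proc") != ISM_PROCESS:
        return None
    rec: Dict[str, object] = {k: m.group(k) for k in ("ts", "host", "msgid", "desc")}
    rec["pid"] = int(m.group("pid"))
    # EventID, EventCategory, EventSeverity, IsPastEvent, language become keys of the record
    rec.update(re.findall(r'(\w+)="([^"]*)"', m.group("attrs")))
    return rec


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Collect findings for every iSM message whose ID is in ALERT_IDS."""
    findings = []
    for line in lines:
        rec = parse_ism_log(line)
        if rec is None or rec["msgid"] not in ALERT_IDS:
            continue
        findings.append({
            "host": rec["host"],
            "msgid": rec["msgid"],
            "severity": rec.get("EventSeverity", "unknown"),
            "reason": ALERT_IDS[str(rec["msgid"])],
            "past": rec.get("IsPastEvent") == "True",  # replayed historical event vs. live event
            "detail": rec["desc"],
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['host']} {f['msgid']} [{f['severity']}] {f['reason']}")
```

`IsPastEvent` is worth carrying through into the finding: a message replayed as a past event should not trigger the same response as a live SEC0704, which the guide says causes the iSM service to exit.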
Alerting
Not applicable.
Physical security
Not applicable.
Physical interfaces
iSM needs network connectivity to use the SupportAssist-on-the-Box feature, which connects to the Dell EMC support
site. iSM uses the operating-system-to-BMC pass-through in USB NIC mode for communication with iDRAC. This is a wired
connection embedded on the motherboard, emulated as a network interface on the operating system. It uses link-local IPv4
or IPv6 addresses and is therefore not routable.
Physical security options
Not applicable.
Customer service access
iSM does not use any service-specific accounts. The logged-in operating system administrator account is used for the
invoked operations.
Tamper evidence and resistance
The binaries installed by iSM are signed, and the signature is verified by the iSM process at run time before loading. Any failure
to verify the signature of a library produces an audit log entry with critical severity. The iSM service exits after logging the audit
message as a security measure. This is logged in the default operating system log location. The message is as follows:
SEC 0704: The authentication check operation performed by iSM has failed for the
following module or application because either the binary load path is incorrect or the
binary or configuration file is tampered, replaced, or untrusted : <list of app and
modules>.
iSM also performs integrity verification for certain TechSupport Report artifacts, such as SPD logs.
Serviceability
iSM does not install specific tools for maintenance. The Dell EMC support team is entitled to the following iSM utilities, but is
not restricted to them. When a user is logged in as an administrator, the utilities can be used to invoke or perform any other
necessary action.
Table 7. Widely-used iSM utilities
iSM utility name   Command line interface   User account
ismspdlogs         CLI                      Service personnel as administrator
ismtech            CLI                      Service personnel as administrator
When UEFI Secure Boot is enabled from BIOS interface, the SPD log collection attempts to use the Windows SMM Security
Mitigation Table (WSMT) method.
Security updates and patching
Dell EMC recommends checking for and installing any security patch immediately. You can download the latest version of the
product as described in the iDRAC Service Module User's Guide available at https://www.dell.com/idracmanuals.
Customer requirements and updates
Step-by-step instructions are documented in the latest version of the product documentation, iDRAC Service Module User's
Guide available at https://www.dell.com/idracmanuals.
Miscellaneous configuration and management elements
Licensing
Not applicable.
Customer modification and customization
Customers or administrators can modify or update the iDRAC Service Module configuration to the most current version
available.
Protect authenticity and integrity
The binaries installed by iSM are signed, and the signature is verified by the iSM process at run time and before loading. The
public certificate is packaged and installed by iSM on the file system. Any verification failure of the iSM digital signature will be
logged with a critical severity. The iSM service will exit after logging the audit message as a security measure.
This is logged in the default operating system log location. The message is as follows:
SEC 0704: The authentication check operation performed by iSM has failed for the
following module or application because either the binary load path is incorrect or
the binary or configuration file is tampered, replaced, or untrusted: <list of app and
modules>.
Preventing malware
Not applicable.
Specialized security devices
Not applicable.
Installing client software
For more information on installation and configuration of the supported operating systems, see iDRAC Service Module User's
Guide available at https://www.dell.com/idracmanuals.