Is it just the additional hardware card that needs to be installed to upgrade an idrac6 from express to enterprise or are there additional licensing costs too?

Hi there

I have a Dell 620 server, where the iDrac will not login, I get the login page and add the credential, but it just never responds. Anyway I know I can reset the iDrac by holding in the little 'i' button on the front panel, but I need to know the consequences of doing so...

Will this re boot the server?

Will this reset the iDrac settings back to default?

If it resets it, does it just restart the iDrac and let me using previous settings?

Many thanks people,

Kev

We have an r710 that hadn't been updated in a long time. Updated the drac via the SBU/SUU on USB, and now everything is up to date. But, now the Drac shows nothing but "undefined" for all values, links, etc... 

Our system has some new R720 servers with iDrac7 Enterprise. Today, I noticed that the iDrac7's IP didn't respond (cannot ping, ssh, web GUI...) after three fail logins in the Web GUI (I typed wrong password). I had to unplug the power cord to reset the iDrac and access it again.

The factory iDrac firmware is 1.57.57. I've tried to upgrade to lastest 1.66.65 but can not solve problem.

So how can I solve it?

Regards,

This wiki post is written by Shine KA and Hareesh V from Dell iDRAC team

Introduction

     iDRAC includes a Web server that is configured to use the industry-standard SSL security protocol to transfer encrypted data over a network. Built upon asymmetric encryption technology, SSL is widely accepted for providing authenticated and encrypted communication between clients and servers to prevent eavesdropping across a network. iDRAC Web GUI, Remote Racadm, WSMAN and VMCLI uses SSL certificate for communication.

     The encryption process provides a high level of data protection. iDRAC employs the 128-bit SSL encryption standard, the most secure form of encryption generally available for Internet browsers.

     iDRAC Web server has a Dell self-signed unique SSL digital certificate by default. You can replace the default SSL certificate with a certificate signed by a well-known Certificate Authority (CA). A Certificate Authority is a business entity that is recognized in the Information Technology industry for meeting high standards of reliable screening, identification, and other important security criteria. Examples of CAs include Thawte and VeriSign. This document will describe different methods supported by iDRAC for replacing default self-signed certificate of iDRAC.

1. Uploading SSL/Signing Certificate to iDRAC

There are three different ways where you can upload custom SSL certificate to iDRAC. We can user iDRAC WEB GUI, Racadm or WSMAN interface for uploading SSL certificate to iDRAC.

• Uploading SSL Certificate to iDRAC using CSR created from iDRAC
• Uploading SSL Certificate to iDRAC using private / public key
• Uploading Signing certificate to iDRAC

Note : iDRAC will restart and will not be available for some time after upload.

1.1.  Uploading SSL Certificate to iDRAC using CSR method

     This method will use CSR (Custom Signed Certificate) created from iDRAC for uploading SSL certificate to iDRAC. You need to sign the CSR file created from iDRAC and upload it back to iDRAC. iDRAC will support only certificate in Base 64 format. You can use Racadm or Web GUI interface for configuring SSL on iDRAC using this method. Before creating CSR from iDRAC, you can specify following certificate properties in iDRAC. These properties will be used by iDRAC for creating CSR.

CommonName

OrganizationName

OrganizationUnit

LocalityName

StateName

CountryCode

EmailAddr

KeySize

Note: Key size can be configured only through racadm

Using Racadm

            You need to follow below four steps if you want to upload SSL certificate to iDRAC using racadm

Step 1: Configure Certificate properties on iDRAC

If you have iDRAC7 with 1.30.30 or above firmware or iDRAC8, you can run following racadm commands also to configure certificate properties.

Configuring the iDRAC security CSR key size

The command that is used to configure this property is:

racadm set iDRAC.Security.CsrKeySize <Key size>

Configuring the iDRAC security CSR common name

The command that is used to configure this property is:

racadm set iDRAC.Security.CsrCommonName <common name>

Configuring the iDRAC security CSR organization name

The command that is used to configure this property is:

racadm set iDRAC.Security. CsrOrganizationName <Organization Name>

Configuring the iDRAC security CSR organization unit

The command that is used to configure this property is:

racadm set iDRAC.Security. CsrOrganizationUnit <Organization Unit>

Configuring the iDRAC security CSR Locality Name

The command that is used to configure this property is:

racadm set iDRAC.Security. CsrLocalityName <Location>

Configuring the iDRAC security CSR State Name

The command that is used to configure this property is:

racadm set iDRAC.Security. CsrStateName <State Name>

Configuring the iDRAC security CSR Country Code

The command that is used to configure this property is:

racadm set iDRAC.Security. CsrCountryCode <Country Code>

Configuring the iDRAC security CSR Email Address

The command that is used to configure this property is:

racadm set iDRAC.Security. CsrEmailAddr<Email Address>

Once all the Sub-Attributes of the group “iDRAC.Security” had been configured, you can run below command to verify the setting

 If you have iDRAC6 or  iDRAC7 with firmware level less than 1.30.30 you can run following Racadm command to configure certificate properties. These commands can be run from Local, Remote or Firmware Racadm.

Configuring the iDRAC security CSR Key Size

The command that is used to configure this property is:

racadm config -g cfgRacSecurity –o cfgRacSecCsrKeySize <Key size>

Configuring the iDRAC security CSR CommonName

The command that is used to configure this property is:

racadm config -g cfgRacSecurity –o cfgRacSecCsrCommonName <Common Name>

Configuring the iDRAC security Organization name

The command that is used to configure this property is:

racadm config -g cfgRacSecurity –o cfgRacSecCsrOrganizationName <Organisation Name>

Configuring the iDRAC security CSR Organization Unit

The command that is used to configure this property is:

racadm config -g cfgRacSecurity –o cfgRacSecCsrOrganizationUnit <Organisation Unit>

Configuring the iDRAC security Locality name

The command that is used to configure this property is:

racadm config -g cfgRacSecurity –o cfgRacSecCsrLocalityName <Location>

Configuring the iDRAC security State name

The command that is used to configure this property is:

racadm config -g cfgRacSecurity –o cfgRacSecCsrStateName <State Name>

Configuring the iDRAC security CSR Country Code

The command that is used to configure this property is:

racadm config -g cfgRacSecurity –o cfgRacSecCsrCountryCode <Country Code>

Configuring the iDRAC security CSR Email Address

The command that is used to configure this property is:

racadm config -g cfgRacSecurity –o cfgRacSecCsrEmailAddr <Email Address>

Once all the Sub-Attributes of the group “cfgRacSecurity” had been configured, you can run below command to verify the setting

Step 2: Create and Download CSR from iDRAC

You can run the following command to generate and download CSR from iDRAC. This command is only supported from Local and Remote Racadm

The sslcsrgen command has the following option:

Racadm sslcsrgen –g –f < filename.txt>

-g: Generate new Certificate signing request(CSR).

-f: Specifies the file which will hold the CSR.

Step 3: Get CSR signed by using any third party certificate authority

Get the CSR file got from iDRAC signed by any third party certificate authority.

Step 4: Upload signed certificate back to iDRAC

Once you have signed certificate, you can upload signed certificate back to iDRAC using following Racadm command. This command is only supported from Local and Remote Racadm. Once you upload the certificate, iDRAC will reboot and will not be accessible for some time.

Using WEBGUI

Step 1: Configure Certificate properties on iDRAC

To upload certificate using CSR you need to first configure certificate properties on GUI. Login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page and select “Generate Certificate Signing Request (CSR)” option for creating CSR. On “Generate Certificate Signing Request (CSR)” page update all fields with certificate information

Step 2: Create and Download CSR from iDRAC

To generate and save CSR from iDRAC click on the “Generate” button and save the file

Step 3: Get CSR signed by using any third party certificate authority

Get the CSR file got from iDRAC signed by any third party certificate authority.

Step 4: Upload signed certificate back to iDRAC

You can traverse to iDRAC Settings -> Network -> SSL page to upload Server Certificate. Select “Upload Server Certificate” option to upload the certificate. Browse the signed certificate file and click on Apply to upload signed certificate. iDRAC will reset once certificate is uploaded

1.2.  Uploading SSL Certificate to iDRAC using Key Pair

     In this method you need to create private key and signed certificate with public key from a CA. Once key and certificate is created you can use Racadm, WSMAN or Web GUI interfaces to upload the key and certificate to iDRAC.

Using Racadm

In Racadm first you need to upload private key to iDRAC. This private key should not have a passphrase. Once you upload the private key you can upload the corresponding certificate using Racadm.

Step 1: Uploading private key to iDRAC

      You can run “sslkeyupload” racadm command to upload private key to iDRAC. This command is supported from Local and Remote Racadm interface.

Step 2: Uploading certificate to iDRAC

You can run “sslcertupload” racadm command to upload the certificate to iDRAC. This command is supported from Local and Remote Racadm interface.

Using Web GUI

Using Web GUI you cannot upload private key. So you need to first upload the key using racadm as mentioned in above step. Once private key is uploaded you can use iDRAC Web GUI to upload certificate. You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page to upload Server Certificate. Select “Upload Server Certificate” option to upload the certificate. iDRAC will reset once certificate is uploaded

Using WSMAN

For uploading certificate using WSMAN you first need to create base64 format PKCS file with certificate and private key. This private key should not have a passphrase. Once private key and certificate is created follow below steps for uploading certificate to iDRAC.

Step 1: Create a base64 format PKCS file with private key and certificate

In this step you will create a PKCS file of private key and certificate in base 64 format using. You need to use openssl commands to achieve this.

1. 1. Combined private key and certificate to a single file

      Use Linux cat command to combine custom certificate and private key without pass phrase to a single file

   2. Create PKCS file

      Use Linux openssl pkcs command to create pkcs12 file from certificate and private key file. Provide a password when asked.

   3. Convert PKCS file to Base 64 format

1. 1. “pkcsCertificateb64.p12” is the base64 encoded PKCS file. Content of this file will be used while uploading certificate using WSMAN.

Step 2: Upload base 64 PKCS certificate to iDRAC

            Now you need to upload the base 64 format PKCS certificate to iDRAC using WSMAN command. For this we will create one xml file with certificate data then upload the file to iDRAC using WSMAN command

1. 1. Create XML file with certificate details

In this step you need to create an xml file with certificate details. Refer screenshot below for sample xml file

Note: Type need to be “server”. Between <p:PKCS12> and </p:PKCS12> Copy content of base 64 PKCS certificate file obtained in Step 1c. You need to mentioned PKCS file password in PKCS12pin field

b.  Upload certificate to iDRAC using WSMAN

Run below wasman command to upload certificate to iDRAC.

Note: “uploadCertificate.xml” is the file with certificate content as shown in previous step 2a

1.3.  Uploading Signing Certificate to iDRAC

This feature is only supported on iDRAC7 from 1.30.30 firmware onwards. Using this method, you can make sure every iDRAC have a unique signed SSL certificate. This can be achieved without creating and uploading separate unique signed certificate to iDRAC. You need to upload signing certificate from CA to each iDRAC. iDRAC will create a certificate using iDRAC DNS name or host name (if DNS name is not available) or IPv4 address (if DNS name or hostname is not available) as common name. This certificate will be signed by uploaded signing certificate.

Signing certificate need to be in PKCS12 format and PKCS file should have private key as well. PKCS file can be with or without pass phrase.

Using Racadm

            You need to use “sslcertupload” racadm command to upload signing certificate to iDRAC. This command is only supported from Local or Remote racadm.

Upload signing certificate without pass phrase     

Upload signing certificate with pass phrase

Using Web GUI

You can upload signing certificate using iDRAC Web GUI also. PKCS#12 password is an option field and is only required if the PKCS file have a password

2. Viewing SSL/Signing certificate on iDRAC

Once custom SSL or signing certificate is uploaded to iDRAC you can use Racadm and iDRAC GUI interface to check currently uploaded SSL and singing certificate

2.1.  Viewing SSL certificate on iDRAC

To view SSL certificate on iDRAC you can use racadm or web GUI. You can use this method to view SSL certificate regardless of method used for uploading the certificate.

Using Racadm

You can use racadm sslcertview command to view iDRAC SSL certificate. This command can be executed from Local, Remote or Firmware racadm

Using Web GUI

You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page to view current iDRAC SSL Certificate.

2.2.  Viewing Signing certificate on iDRAC

Viewing signing certificate on iDRAC is only supported through web GUI.

Using Web GUI

You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page to view signing Certificate. Signing certificate information will be shown under “Custom SSL Certificate Signing Certificate” section.

3. Downloading SSL/Signing certificate from iDRAC

Once custom SSL or signing certificate is uploaded to iDRAC you can download these certificate back from iDRAC. You can use Racadm Web GUI and WSMAN interface to download certificates.

3.1.  Downloading SSL certificate from iDRAC

You can use Racadm and Web GUI to download SSL certificate from iDRAC.

Using Racadm

You can use racadm sslcertdownload command to download SSL certificate from iDRAC. This command is only supported from Local and Remote Racadm.

Using Web GUI

You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page and use “Download SSL Certificate” option to download SSL certificate from iDRAC.

3.2.  Downloading Signing Certificate from iDRAC

You can use Racadm, Web GUI and WSMAN interface to download “Custom SSL Certificate Signing Certificate” from iDRAC.

Using Racadm

You can use racadm sslcertdownload command to download “Custom SSL Certificate Signing Certificate” from iDRAC. This command is only supported from Local and Remote Racadm.

Using Web GUI

You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page and use “Download Custom SSL Certificate Signing Certificate” option to download “Custom SSL Certificate Signing Certificate” from iDRAC.

Using WSMAN

You can also use WSMAN to download Custom SSL Certificate Signing Certificate from iDRAC. You need to use “DCIM_LCService.ExportCertificate” method to download certificate from iDRAC. This method will download Custom SSL Certificate Signing Certificate to CIFS or NFS share

Run below WSMAN command to export iDRAC Custom SSL Certificate Signing Certificate to CIFS share

Run below WSMAN command to export iDRAC Custom SSL Certificate Signing Certificate to NFS share

 Run below WSMAN command to check job status

4. Deleting SSL/Signing certificate from iDRAC

Once custom SSL or signing certificate is uploaded to iDRAC you can delete this certificate to load iDRAC default certificate.

4.1.  Deleting Custom SSL certificate from iDRAC

Using Racadm

You can use racadm sslresetcfg command to delete custom SSL certificate and load default self-signed certificate back to iDRAC. This command can be executed from Local, Remote and Firmware racadm.

4.2.  Deleting Signing Certificate from iDRAC

You can delete “Custom SSL Certificate Signing Certificate” using racadm or Web GUI. Once you delete custom SSL certificate signing certificate, default self-signed certificate will be loaded on iDRAC.

Using Racadm

You can run racadm sslcertdelete command to delete “Custom SSL Certificate Signing Certificate” This command can be executed from Local, Remote and Firmware racadm. After deleting Custom SSL Certificate Signing Certificate iDRAC will reboot to apply the setting.

Using WebGUI

You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page and use “Delete Custom SSL Certificate Signing Certificate” option to delete “Custom SSL Certificate Signing Certificate” from iDRAC.

hi there,

one of my R620 has problem and I can not login normally,  so I try to login iDRAC7 card (it has dedicated eth port and ip)  with IE browser, it always display something like "no more sessions..."

I then execute the CLI "racadm"  on redhat linux,  the racadm verison is 8.1.0. but got a message like this: 

--->  ERROR: Unable to connect to RAC at specified IP address. 

I am pretty sure I am using the right ip and password.  Then I tried to "ssh" to the iDRAC ip directly, but  got a message as below

 ---> "No more sessions are available for this type of connection!"  

I am pretty sure I never ssh logged in this iDRAC before. What can I do now, please help.

Hi,

Problem is same as descripted in here:

http://en.community.dell.com/support-forums/servers/f/956/t/19273095

"Drac module doesn't respond to http or https requests"

I scanned servers IP with nmap and only ports 22 and 5900 are open.

So it is answering to ssh and telnet but not hosting web service.

Tried everything that was suggested in this thread.

http://community.spiceworks.com/topic/318572-drac-5-issue-not-responding-to-http-https

• soft reset (racadm racreset)
• hard reset (racadm racresetcfg)
• clearing RAC logs (racadm clrraclog)
• clearing SEL (racadm clrsel)
• updating firmware (RACADM FWUPDATE -g -p -a IP_ADDRESS)

So is there command to start web service or something else i should try before giving up and buying external kvm?

We've observed problem with new R320 that came with pre-loaded firmware 2.10.10.10. After setting password in iDRAC7 it was rejected on login. After spending some time on diagnosis we've discovered that only first 20 characters of full password (40 characters) were stored and can be used to login.

Dell R720 with old firmware (1.57.57) works fine - full length password (40 characters) is properly stored and accepted on login.

Password was changed in iDRAC Settings -> User Authentication section.

we had scripts setup to connect the virtual CD to an image file on a windows server, this was working fine as we had an NFS share setup with anonymous access.  Recently they changed policy and we cannot use the NFS share so I need to connect to a secured Windows share but I'm having trouble with the command, specifically I can't get the authentication working, keep getting invalid username or password on the windows server, tried using domain acct and local acct, it does not like the id in domainserver\userid format, drops the backslash, have tried /\ but only sees the forward slash.  Here is the command line:

racadm -r mydrac -u dracid -p dracpassword remoteimage -c -u somedomain\mydomainuser -p mypw -l /\/\someserver.someplace.com/\test$/\servername.ISO

also tried:

racadm -r mydrac -u dracid -p dracpassword remoteimage -c -u localserveruser -p mypw -l /\/\someserver.someplace.com/\test$/\servername.ISO

racadm -r mydrac -u dracid -p dracpassword remoteimage -c -u somedomain/\mydomainuser -p mypw -l /\/\someserver.someplace.com/\test$/\servername.ISO

Thank you,

I'm trying to run the iDRAC7 virtual Console java applet.

After clicking thru several popups, it croaks "Connecting to virtual console server.... CONNECTION FAILED".

How to resolve  this?

- The machine is PowerEdge R620 with fully licensed iDRAC (connected thru a shared LAN port).

- iDRAC Firmware version 1.40.40 (build 17) , Lifecycle Controller Firmware 1.1.1.18

- Host OS: Win7 x64, Firefox 27.0.1,

- Java  1.7.0_51, security level set to minimum, internet connection set to DIRECT.

- iDRAC virtual console settings: plugin type=java, port 5900

- ActiveX plugin on 32-bit Windows XP with IE 8 works almost well (IE11 on Win7 is useless because of certificate issue).

Do I need a firmware update? Java applet update?

Thanks in advance

-- ddbug

Good Morning,

Customer has a growing estate of 12G servers, and make good use of the iDRAC

They are implementing 13G servers - new iDRAC look and feel :-) - Very slick

Can we upgrade the 12G iDRAC's to the (13G) code - so that the estate has a standard look and feel?

I seem to remember seeing a iDRAC Web Session where they said you could..

This wiki post is written by Shine KA and Hareesh V from Dell iDRAC team

Introduction

     iDRAC includes a Web server that is configured to use the industry-standard SSL security protocol to transfer encrypted data over a network. Built upon asymmetric encryption technology, SSL is widely accepted for providing authenticated and encrypted communication between clients and servers to prevent eavesdropping across a network. iDRAC Web GUI, Remote Racadm, WSMAN and VMCLI uses SSL certificate for communication.

     The encryption process provides a high level of data protection. iDRAC employs the 128-bit SSL encryption standard, the most secure form of encryption generally available for Internet browsers.

     iDRAC Web server has a Dell self-signed unique SSL digital certificate by default. You can replace the default SSL certificate with a certificate signed by a well-known Certificate Authority (CA). A Certificate Authority is a business entity that is recognized in the Information Technology industry for meeting high standards of reliable screening, identification, and other important security criteria. Examples of CAs include Thawte and VeriSign. This document will describe different methods supported by iDRAC for replacing default self-signed certificate of iDRAC.

1. Uploading SSL/Signing Certificate to iDRAC

There are three different ways where you can upload custom SSL certificate to iDRAC. We can user iDRAC WEB GUI, Racadm or WSMAN interface for uploading SSL certificate to iDRAC.

• Uploading SSL Certificate to iDRAC using CSR created from iDRAC
• Uploading SSL Certificate to iDRAC using private / public key
• Uploading Signing certificate to iDRAC

Note : iDRAC will restart and will not be available for some time after upload.

1.1.  Uploading SSL Certificate to iDRAC using CSR method

     This method will use CSR (Custom Signed Certificate) created from iDRAC for uploading SSL certificate to iDRAC. You need to sign the CSR file created from iDRAC and upload it back to iDRAC. iDRAC will support only certificate in Base 64 format. You can use Racadm or Web GUI interface for configuring SSL on iDRAC using this method. Before creating CSR from iDRAC, you can specify following certificate properties in iDRAC. These properties will be used by iDRAC for creating CSR.

CommonName

OrganizationName

OrganizationUnit

LocalityName

StateName

CountryCode

EmailAddr

KeySize

Note: Key size can be configured only through racadm

Using Racadm

            You need to follow below four steps if you want to upload SSL certificate to iDRAC using racadm

Step 1: Configure Certificate properties on iDRAC

If you have iDRAC7 with 1.30.30 or above firmware or iDRAC8, you can run following racadm commands also to configure certificate properties.

Configuring the iDRAC security CSR key size

The command that is used to configure this property is:

racadm set iDRAC.Security.CsrKeySize <Key size>

Configuring the iDRAC security CSR common name

The command that is used to configure this property is:

racadm set iDRAC.Security.CsrCommonName <common name>

Configuring the iDRAC security CSR organization name

The command that is used to configure this property is:

racadm set iDRAC.Security. CsrOrganizationName <Organization Name>

Configuring the iDRAC security CSR organization unit

The command that is used to configure this property is:

racadm set iDRAC.Security. CsrOrganizationUnit <Organization Unit>

Configuring the iDRAC security CSR Locality Name

The command that is used to configure this property is:

racadm set iDRAC.Security. CsrLocalityName <Location>

Configuring the iDRAC security CSR State Name

The command that is used to configure this property is:

racadm set iDRAC.Security. CsrStateName <State Name>

Configuring the iDRAC security CSR Country Code

The command that is used to configure this property is:

racadm set iDRAC.Security. CsrCountryCode <Country Code>

Configuring the iDRAC security CSR Email Address

The command that is used to configure this property is:

racadm set iDRAC.Security. CsrEmailAddr<Email Address>

Once all the Sub-Attributes of the group “iDRAC.Security” had been configured, you can run below command to verify the setting

 If you have iDRAC6 or  iDRAC7 with firmware level less than 1.30.30 you can run following Racadm command to configure certificate properties. These commands can be run from Local, Remote or Firmware Racadm.

Configuring the iDRAC security CSR Key Size

The command that is used to configure this property is:

racadm config -g cfgRacSecurity –o cfgRacSecCsrKeySize <Key size>

Configuring the iDRAC security CSR CommonName

The command that is used to configure this property is:

racadm config -g cfgRacSecurity –o cfgRacSecCsrCommonName <Common Name>

Configuring the iDRAC security Organization name

The command that is used to configure this property is:

racadm config -g cfgRacSecurity –o cfgRacSecCsrOrganizationName <Organisation Name>

Configuring the iDRAC security CSR Organization Unit

The command that is used to configure this property is:

racadm config -g cfgRacSecurity –o cfgRacSecCsrOrganizationUnit <Organisation Unit>

Configuring the iDRAC security Locality name

The command that is used to configure this property is:

racadm config -g cfgRacSecurity –o cfgRacSecCsrLocalityName <Location>

Configuring the iDRAC security State name

The command that is used to configure this property is:

racadm config -g cfgRacSecurity –o cfgRacSecCsrStateName <State Name>

Configuring the iDRAC security CSR Country Code

The command that is used to configure this property is:

racadm config -g cfgRacSecurity –o cfgRacSecCsrCountryCode <Country Code>

Configuring the iDRAC security CSR Email Address

The command that is used to configure this property is:

racadm config -g cfgRacSecurity –o cfgRacSecCsrEmailAddr <Email Address>

Once all the Sub-Attributes of the group “cfgRacSecurity” had been configured, you can run below command to verify the setting

Step 2: Create and Download CSR from iDRAC

You can run the following command to generate and download CSR from iDRAC. This command is only supported from Local and Remote Racadm

The sslcsrgen command has the following option:

Racadm sslcsrgen –g –f < filename.txt>

-g: Generate new Certificate signing request(CSR).

-f: Specifies the file which will hold the CSR.

Step 3: Get CSR signed by using any third party certificate authority

Get the CSR file got from iDRAC signed by any third party certificate authority.

Step 4: Upload signed certificate back to iDRAC

Once you have signed certificate, you can upload signed certificate back to iDRAC using following Racadm command. This command is only supported from Local and Remote Racadm. Once you upload the certificate, iDRAC will reboot and will not be accessible for some time.

Using WEBGUI

Step 1: Configure Certificate properties on iDRAC

To upload certificate using CSR you need to first configure certificate properties on GUI. Login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page and select “Generate Certificate Signing Request (CSR)” option for creating CSR. On “Generate Certificate Signing Request (CSR)” page update all fields with certificate information

Step 2: Create and Download CSR from iDRAC

To generate and save CSR from iDRAC click on the “Generate” button and save the file

Step 3: Get CSR signed by using any third party certificate authority

Get the CSR file got from iDRAC signed by any third party certificate authority.

Step 4: Upload signed certificate back to iDRAC

You can traverse to iDRAC Settings -> Network -> SSL page to upload Server Certificate. Select “Upload Server Certificate” option to upload the certificate. Browse the signed certificate file and click on Apply to upload signed certificate. iDRAC will reset once certificate is uploaded

1.2.  Uploading SSL Certificate to iDRAC using Key Pair

     In this method you need to create private key and signed certificate with public key from a CA. Once key and certificate is created you can use Racadm, WSMAN or Web GUI interfaces to upload the key and certificate to iDRAC.

Using Racadm

In Racadm first you need to upload private key to iDRAC. This private key should not have a passphrase. Once you upload the private key you can upload the corresponding certificate using Racadm.

Step 1: Uploading private key to iDRAC

      You can run “sslkeyupload” racadm command to upload private key to iDRAC. This command is supported from Local and Remote Racadm interface.

Step 2: Uploading certificate to iDRAC

You can run “sslcertupload” racadm command to upload the certificate to iDRAC. This command is supported from Local and Remote Racadm interface.

Using Web GUI

Using Web GUI you cannot upload private key. So you need to first upload the key using racadm as mentioned in above step. Once private key is uploaded you can use iDRAC Web GUI to upload certificate. You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page to upload Server Certificate. Select “Upload Server Certificate” option to upload the certificate. iDRAC will reset once certificate is uploaded

Using WSMAN

For uploading certificate using WSMAN you first need to create base64 format PKCS file with certificate and private key. This private key should not have a passphrase. Once private key and certificate is created follow below steps for uploading certificate to iDRAC.

Step 1: Create a base64 format PKCS file with private key and certificate

In this step you will create a PKCS file of private key and certificate in base 64 format using. You need to use openssl commands to achieve this.

1. 1. Combined private key and certificate to a single file

      Use Linux cat command to combine custom certificate and private key without pass phrase to a single file

   2. Create PKCS file

      Use Linux openssl pkcs command to create pkcs12 file from certificate and private key file. Provide a password when asked.

   3. Convert PKCS file to Base 64 format

1. 1. “pkcsCertificateb64.p12” is the base64 encoded PKCS file. Content of this file will be used while uploading certificate using WSMAN.

Step 2: Upload base 64 PKCS certificate to iDRAC

            Now you need to upload the base 64 format PKCS certificate to iDRAC using WSMAN command. For this we will create one xml file with certificate data then upload the file to iDRAC using WSMAN command

1. 1. Create XML file with certificate details

In this step you need to create an xml file with certificate details. Refer screenshot below for sample xml file

Note: Type need to be “server”. Between <p:PKCS12> and </p:PKCS12> Copy content of base 64 PKCS certificate file obtained in Step 1c. You need to mentioned PKCS file password in PKCS12pin field

b.  Upload certificate to iDRAC using WSMAN

Run below wasman command to upload certificate to iDRAC.

Note: “uploadCertificate.xml” is the file with certificate content as shown in previous step 2a

1.3.  Uploading Signing Certificate to iDRAC

This feature is only supported on iDRAC7 from 1.30.30 firmware onwards. Using this method, you can make sure every iDRAC have a unique signed SSL certificate. This can be achieved without creating and uploading separate unique signed certificate to iDRAC. You need to upload signing certificate from CA to each iDRAC. iDRAC will create a certificate using iDRAC DNS name or host name (if DNS name is not available) or IPv4 address (if DNS name or hostname is not available) as common name. This certificate will be signed by uploaded signing certificate.

Signing certificate need to be in PKCS12 format and PKCS file should have private key as well. PKCS file can be with or without pass phrase.

Using Racadm

            You need to use “sslcertupload” racadm command to upload signing certificate to iDRAC. This command is only supported from Local or Remote racadm.

Upload signing certificate without pass phrase     

Upload signing certificate with pass phrase

Using Web GUI

You can upload signing certificate using iDRAC Web GUI also. PKCS#12 password is an option field and is only required if the PKCS file have a password

2. Viewing SSL/Signing certificate on iDRAC

Once custom SSL or signing certificate is uploaded to iDRAC you can use Racadm and iDRAC GUI interface to check currently uploaded SSL and singing certificate

2.1.  Viewing SSL certificate on iDRAC

To view SSL certificate on iDRAC you can use racadm or web GUI. You can use this method to view SSL certificate regardless of method used for uploading the certificate.

Using Racadm

You can use racadm sslcertview command to view iDRAC SSL certificate. This command can be executed from Local, Remote or Firmware racadm

Using Web GUI

You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page to view current iDRAC SSL Certificate.

2.2.  Viewing Signing certificate on iDRAC

Viewing signing certificate on iDRAC is only supported through web GUI.

Using Web GUI

You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page to view signing Certificate. Signing certificate information will be shown under “Custom SSL Certificate Signing Certificate” section.

3. Downloading SSL/Signing certificate from iDRAC

Once custom SSL or signing certificate is uploaded to iDRAC you can download these certificate back from iDRAC. You can use Racadm Web GUI and WSMAN interface to download certificates.

3.1.  Downloading SSL certificate from iDRAC

You can use Racadm and Web GUI to download SSL certificate from iDRAC.

Using Racadm

You can use racadm sslcertdownload command to download SSL certificate from iDRAC. This command is only supported from Local and Remote Racadm.

Using Web GUI

You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page and use “Download SSL Certificate” option to download SSL certificate from iDRAC.

3.2.  Downloading Signing Certificate from iDRAC

You can use Racadm, Web GUI and WSMAN interface to download “Custom SSL Certificate Signing Certificate” from iDRAC.

Using Racadm

You can use racadm sslcertdownload command to download “Custom SSL Certificate Signing Certificate” from iDRAC. This command is only supported from Local and Remote Racadm.

Using Web GUI

You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page and use “Download Custom SSL Certificate Signing Certificate” option to download “Custom SSL Certificate Signing Certificate” from iDRAC.

Using WSMAN

You can also use WSMAN to download Custom SSL Certificate Signing Certificate from iDRAC. You need to use “DCIM_LCService.ExportCertificate” method to download certificate from iDRAC. This method will download Custom SSL Certificate Signing Certificate to CIFS or NFS share

Run below WSMAN command to export iDRAC Custom SSL Certificate Signing Certificate to CIFS share

winrm I ExportCertificate cimv2/2/root/dcim/DCIM_LCService?__cimnamespace=root/dcim+SystemCreationClassName=DCIM_ComputerSystem+SystemName=DCIM:ComputerSystem+CreationClassName=DCIM_LCService+Name=DCIM:LCService -u:root -p:calvin -r:https://10.94.195.107/wsman -SkipCNcheck -SkipCAcheck -encoding:utf-8 -a:basic @{Type="2";IPAddress="10.94.194.31";ShareName="/nfs";ShareType="0"}

This command will initiate Custom Certificate download process and return Job ID.

Run below WSMAN command to export iDRAC Custom SSL Certificate Signing Certificate to NFS share

winrm I ExportCertificate cimv2/2/root/dcim/DCIM_LCService?__cimnamespace=root/dcim+SystemCreationClassName=DCIM_ComputerSystem+SystemName=DCIM:ComputerSystem+CreationClassName=DCIM_LCService+Name=DCIM:LCService -u:root -p:calvin -r:https://10.94.195.107/wsman -SkipCNcheck -SkipCAcheck -encoding:utf-8 -a:basic @{Type="2";IPAddress="10.94.194.31";ShareName="Share";ShareType="2";Username="Share Username";Password="Share Password"}

This command will initiate Custom Certificate download process and return Job ID.

 Run below WSMAN command to check job status

4. Deleting SSL/Signing certificate from iDRAC

Once custom SSL or signing certificate is uploaded to iDRAC you can delete this certificate to load iDRAC default certificate.

4.1.  Deleting Custom SSL certificate from iDRAC

Using Racadm

You can use racadm sslresetcfg command to delete custom SSL certificate and load default self-signed certificate back to iDRAC. This command can be executed from Local, Remote and Firmware racadm.

4.2.  Deleting Signing Certificate from iDRAC

You can delete “Custom SSL Certificate Signing Certificate” using racadm or Web GUI. Once you delete custom SSL certificate signing certificate, default self-signed certificate will be loaded on iDRAC.

Using Racadm

You can run racadm sslcertdelete command to delete “Custom SSL Certificate Signing Certificate” This command can be executed from Local, Remote and Firmware racadm. After deleting Custom SSL Certificate Signing Certificate iDRAC will reboot to apply the setting.

Using WebGUI

You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page and use “Delete Custom SSL Certificate Signing Certificate” option to delete “Custom SSL Certificate Signing Certificate” from iDRAC.

I've installed the RAC tool on a Win8 workstation for use configuring four "new" R610 servers.  The RAC tool discovers the iDRAC6s fine, but it won't verify the admin accounts.  

The servers are currently on a small work group LAN so I've not configured AD or DNS, and haven't added accounts beyond the "root" account.  So root is what i'm giving RAC as the administrator account.  The iDRAC has been updated to the latest version (as well as the BIOS and LC).  The Web UI works great. 

Suggestions?

In the BIOS section Boot Settings -> BIOS Boot Settings:

Is there a way to use RACADM (or another tool within the deployment toolkit) to enable and disable different boot devices? I can use RACADM to set the Boot Sequence and the Hard-Disk Drive Sequence, but i can't find a way to enable or disable the actual boot devices themselves.

Hi,

could someone tell me what this "kit" contains?

Will I be able to run iDRAC6 Enterpirse on my Dell R210II ?

This blog post is written by Shine KA and Meghna Taneja from Dell iDRAC team.

We are excited to announce that the iDRAC7’s latest release(1.30.30 firmware onwards) now supports Safari and Chrome browser in addition to IE and FF.

Google Chrome Browser

            You can use Chrome browser (Version 22) from Windows 8 or Windows 2012 to manage and monitor iDRAC7. All iDRAC7 GUI features can be enjoyed through Chrome as well.

Apple Mac Book as iDRAC7 Client

            Now you can use Mac system to Manage and Monitor Dell Servers using iDRAC7. You can use either Firefox or Safari (Version 5.X) Browser to Manage iDRAC from Mac.  All iDRAC7 features accessible from the iDRAC GUI, example vConsole (Java Plugin), vMedia (Java Plugin), Boot Capture etc. can be accessed from Mac client.

 How to Configure Apple MacBook as an iDRAC7 Client

Launching iDRAC using IPv6 Address

       You can not launch iDRAC GUI when IPv6 address is used to launch iDRAC and iDRAC have deafult certificate. To use IPv6 to launch iDRAC, the user needs to either

1). Upload a SSL certificate from valid Certificate Authority to iDRAC and use IPv6 Address to launch iDRAC

Or

2). Register iDRAC on DNS and use iDRAC DNS name (FQDN) to launch iDRAC GUI.

“SingleCursor” and “Pass All Keystroke” mode in vConsole for iDRAC

          “Single Cursor” and “Pass All Keystroke” mode will not work if “Enable access for assistive devices” id disabled on MAC Client. This option can be enabled by selecting “Enable access for assistive devices” checkbox on the Universal Access System Properties page (see screenshot below).  If this option is not selected a warning message will be shown when user tries to launch Virtual Console.

Virtual Media – Mapping USB Key as Read Write

       When user connected a USB Key to MAC client and if it is mounted to MAC as R/W, then iDRAC Virtual Media can use this device as Read Only and R/W will not be supported from virtual media. To connect USB Key as R/W from virtual media, user needs unmount USB key from MAC client:

1). Open terminal window from MAC

2). Run the command to unmount: Diskutil unmountdrive /Volumes/drivename (sudo may be required for access).

Additional Information:

iDRAC7 1.30.30 Firmware can be downloaded from here

iDRAC7 1.30.30 User Guide

More information on iDRAC

I have a bunch of M630 blades with DRAC8 in them. Ultimately I am trying to replace the self signed certificate with a internal signed certificate. I looked through the menu and can't find the option to replace the cert. I see on older DRACs that I can do this via SSH? If that is necessary how do I enable SSH on the DRAC? It doesn't seem responsive via TCP/22. Thanks.

We usually update our iDRAC firmware using racadm commands when SSH'd into the DRAC allowing the update to pull the firming file from our tftp server.

Since the new version is DRAC and LC combined am I still able to do this or do I have to run the .BIN file from the OS?

Hello all ,

first sorry for my broken English  .

So we have few Dell r720s . We add few new components to them and we are ready to give them to our customers .
But before that we want to clear Lifecycle Logs for all the old logs that are there. I already try : omconfig system [alertlog , cmdlog , esmlog] action=clear  command , and also to reset the idrac .But noting helps .
Does anyone know how I can get rid of them ?

Thanks

Mitko

Trying to generate a new self-signed cert via the DRAC, but keep the size to 2048 bits.

racadm config -g cfgRacSecurity -o cfgRacSecCsrKeySize 2048

sslresetcfg sets the cert back to 1024... 

racadm sslresetcfg

Any advise on how to get a 2048 self-signed certificate?