DELL EMC OpenManage Enterprise 3.8.2 User Guide
- June 9, 2024
- Dell
Table of Contents
- INTRODUCTION
- Revision history
- Preface
- Purpose
- Audience
- Related documentation
- Typographical conventions
- Product documentation
- Product information
- Where to get help
- Where to find the support matrix
- Your comments
- Security quick reference
- Deployment models
- Security profiles
- Product and subsystem security
- Security controls map
- Authentication
- Login security settings
- Authentication types and setup considerations
- Pre-loaded accounts
- Authorization
- Role mapping
- Network security
- Internal network share
- Field service debug (FSD)
- Open Manage Enterprise update
- Data security
- Cryptography
- Certificate management
- Auditing and logging
- Logs
- Network vulnerability scanning
DELL EMC OpenManage Enterprise 3.8.2
INTRODUCTION
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
Revision history
The following table shows the revision history of this document:
Revision | Date | Description |
---|---|---|
1 | December 2021 | Apache Log4j is upgraded to version 2.16.0 to address the Log4Shell vulnerabilities (CVE-2021-45046 and CVE-2021-44228). |
Preface
As part of an effort to improve product lines, we periodically release revisions of software. Therefore, some functions described in this document might not be supported by all versions of the software currently in use. The product release notes provide the most up-to-date information on product features. Contact your technical support professional if a product does not function properly or does not function as described in this document.
NOTE: This document was accurate at publication time. Go to Online Support (https://www.dell.com/support) to ensure that you are using the latest version of this document.
Purpose
This document includes conceptual information on managing OpenManage Enterprise.
Audience
This document is intended for use by administrators, device managers, and viewers who use OpenManage Enterprise for systems management and monitoring.
Related documentation
The following publications provide additional information:
- OpenManage Enterprise Support Matrix
- OpenManage Enterprise Release Notes
- OpenManage Enterprise Security Configuration Guide
- OpenManage Enterprise User’s Guide
- OpenManage Enterprise RESTful API Guide
- OpenManage Enterprise RESTful API at https://developer.dell.com/apis.
- OpenManage Enterprise Modular Edition Release Notes
- OpenManage Enterprise Modular Edition RESTful API Guide
In addition to the core documents, we also provide white papers, plugin documentation and demos on YouTube.
Typographical conventions
This document uses the following style conventions:
Bold Used for names of interface elements, such as names of windows, dialog boxes, buttons, fields, tab names, key names, and menu paths (what the user specifically selects or clicks)
Italic Used for full titles of publications referenced in text
Monospace Used for:
- System code
- System output, such as an error message or script
- Path names, filenames, prompts, and syntax
- Commands and options
Monospace italic Used for variables
Monospace bold Used for user input
[ ] Square brackets enclose optional values
| Vertical bar indicates alternate selections – the bar means “or”
{ } Braces enclose content that the user must specify, such as x or y or z
... Ellipses indicate nonessential information omitted from the example
Product documentation
NOTE: For video demos and tutorials, search for the Dell EMC OpenManage Enterprise playlist on YouTube.
- For OpenManage Enterprise, go to https://www.dell.com/openmanagemanuals. To display the documentation of:
  - Dell EMC OpenManage Enterprise, click Dell OpenManage Enterprise > Dell EMC OpenManage Enterprise > Documentation.
  - Dell EMC OpenManage Mobile, click OpenManage Mobile > Select the required version > Documentation.
- For OpenManage Enterprise plugins, go to https://www.dell.com/openmanagemanuals. To display the documentation of:
  - Dell EMC OpenManage Enterprise Services plugin, click OpenManage Enterprise Connected Services > OpenManage Enterprise Services Documentation.
  - Dell EMC OpenManage Enterprise Power Manager plugin, click OpenManage Enterprise Power Manager > Dell EMC OpenManage Enterprise Power Manager > Documentation.
  - Dell EMC OpenManage Enterprise Update Manager plugin, click OpenManage Enterprise Update Manager > OpenManage Enterprise Update Manager > Documentation.
  - Dell EMC OpenManage Enterprise CloudIQ plugin, click OpenManage Enterprise Connected Services > OpenManage Enterprise CloudIQ Documentation.
- For OpenManage Enterprise APIs, go to https://developer.dell.com/products. To display the API documentation of:
  - Dell EMC OpenManage Enterprise, click Servers > OpenManage Enterprise API.
  - Dell EMC OpenManage Enterprise Modular Edition, click Servers > OpenManage Enterprise Modular API.
  - Dell EMC OpenManage Enterprise Services plugin, click Servers > OpenManage Enterprise Services API.
  - Dell EMC OpenManage Enterprise Update Manager plugin, click Servers > OpenManage Enterprise Update Manager API.
  - Dell EMC OpenManage Enterprise Power Manager plugin, click Servers > OpenManage Enterprise Power Manager API.
  - Dell EMC OpenManage Enterprise CloudIQ plugin, click CloudIQ Public API.
- For OpenManage Enterprise white papers, go to https://www.dell.com/openmanagemanuals and click Dell OpenManage Enterprise > Dell EMC OpenManage Enterprise > Documentation. The following white papers are available:
  - Dell EMC OpenManage Enterprise Scope Based Access Control (SBAC)
  - Dell EMC OpenManage Enterprise Login with PingFederate
  - Dell EMC OpenManage Enterprise Profile Management
  - Dell EMC OpenManage Enterprise Multihoming
  - Dell EMC OpenManage Enterprise Boot-from-SAN Deployment
  - Dell EMC OpenManage Enterprise Template Cloning
  - Dell EMC OpenManage Enterprise Auto-Deploy Provisioning
  - Dell EMC OpenManage Enterprise Remote Script Execution
  - Dell EMC OpenManage Enterprise Repository Manager Integration
  - Dell EMC OpenManage Enterprise Events Management
  - Dell EMC OpenManage Enterprise Scale and Performance
  - Dell EMC OpenManage Enterprise Advanced Server Configuration
  - Dell EMC OpenManage Enterprise End-to-End Automation with REST API
  - Dell EMC OpenManage Enterprise Deployment
  - Dell EMC OpenManage Enterprise Upgrade
  - Dell EMC OpenManage Enterprise Firmware Upgrade APIs
  - Dell EMC OpenManage Enterprise Firmware Baselines and Catalogs
  - Dell EMC OpenManage Enterprise Custom Groups and Reports
Product information
For documentation, release notes, software updates, or information about products, go to Online Support at https://www.dell.com/support.
Where to get help
Go to Online Support at www.dell.com/support and click Contact Support. To open a service request, you must have a valid support agreement. Contact your sales representative for details about obtaining a valid support agreement or with questions about your account.
Where to find the support matrix
Consult the Support Matrix on Dell OpenManage Enterprise at https://www.dell.com/openmanagemanuals and click Documentation.
Your comments
Your suggestions will help us continue to improve the accuracy, organization, and overall quality of the user publications. Send your opinions of this document to https://contentfeedback.dell.com/s.
Security quick reference
Topics:
- Deployment models
- Security profiles
Deployment models
Dell EMC OpenManage Enterprise is designed to be deployed as a virtual appliance for a variety of supported hypervisors (VMware, Hyper-V, and KVM). In general, it can be used in environments that support loading the VMDK or VHD formats. For more information about deploying OME, see the deployment whitepaper at Deploy Dell EMC OpenManage Enterprise Virtual Appliance on Different Hypervisors.
Security profiles
Dell EMC OpenManage Enterprise is configured by default to ensure secure user interactions with the appliance. Customers need to configure the ‘admin’ user password through the TUI (Text User Interface) to access the OME user interface (GUI) or REST APIs.
By default, the SSH service is disabled (not user configurable) and interaction with the appliance is limited to using the web UI or REST APIs. Also, OME redirects all HTTP requests to HTTPS and ensures that only secure encrypted connections are established with the OME appliance.
Enabling HTTPS Redirection
HTTP to HTTPS redirection redirects web server communication from HTTP port (default is 80) to HTTPS port (default is 443). This ensures that only secure encrypted connections are established when clients connect to OME. HTTPS redirection is enabled by default and is not user configurable.
Product and subsystem security
Topics
- Security controls map
- Authentication
- Login security settings
- Authentication types and setup considerations
- Authorization
- Data security
- Cryptography
Security controls map
OpenManage Enterprise is a systems management and monitoring application that provides a comprehensive view of the Dell EMC servers, chassis, storage, and network switches on the enterprise network. The following figure displays the OpenManage Enterprise security controls map:
Authentication
OpenManage Enterprise supports session and basic authentication to allow local users to access the application. By default, only the admin user is configured on newly installed appliances. The password for the built-in admin user must be changed via the text user interface on first login. The built-in admin can create other users with different roles (Administrators, Device Managers, and Viewers). Administrators can configure AD/LDAP and/or OpenID Connect user authentication.
OpenManage Enterprise supports Roles and Privileges to restrict user access to certain features. For a full mapping of feature-based access details, refer to the OpenManage Enterprise User Guide.
Login security settings
Dell EMC OpenManage Enterprise supports only secure connections to the appliance over a TLS v1.2 channel. OME redirects all HTTP requests to HTTPS and ensures that credentials are communicated through a secure channel.
OME security configuration settings are accessible in the Web UI on the OpenManage Enterprise > Application Settings > Security page. Incoming connections to the appliance can be restricted by providing network IP details in the Restrict Allowed IP Range option or by selecting the Login Lockout Policy and providing details such as:
- Select the By Username check box to prevent a specific username from logging in to OpenManage Enterprise.
- Select the By IP Address check box to prevent a specific IP address from logging in to OpenManage Enterprise.
- In the Lockout Fail Count box, enter the number of unsuccessful attempts after which OpenManage Enterprise must prevent the user from further logging in. The default value is three attempts.
- In the Lockout Fail Window box, enter the duration for which OpenManage Enterprise must display information about a failed attempt.
- In the Lockout Penalty Time box, enter the duration for which the user is prevented from making any login attempt after multiple unsuccessful attempts.
Failed login behavior
For any authentication failure, the user sees the message "The username or password you entered is incorrect." When a user fails to successfully log in (and exceeds the Lockout Fail Count on repeated login attempts), OME locks the account in question for the period indicated by the Lockout Penalty Time.
Session configuration
Administrators can terminate any user sessions to limit the number of concurrent sessions. By default, six concurrent GUI sessions and 100 API sessions are allowed, but the administrator can change the number to limit the concurrent sessions and can configure up to 100 concurrent sessions. Administrators can terminate user sessions by going to Application Settings > User Session and selecting one or more users. Administrators can also see how many users are logged in and can terminate specific sessions under the Application Settings > User tab. OME provides an option to restrict a specific IP address range to access the appliance.
Inactive sessions are deleted when the admin configured inactivity timeout expires, and the user is logged out of the console.
Authentication types and setup considerations
OpenManage Enterprise supports local user authentication and authentication via AD/LDAP or OpenID Connect providers.
OpenManage Enterprise supports basic and session-based (X-Auth) authentication types for local users. For directory and OpenID Connect users, OpenManage Enterprise depends on the customer infrastructure. Administrators can configure the customer's AD/LDAP and OpenID Connect providers in OpenManage Enterprise and delegate the responsibility to these infrastructures.
Configuring active directory
Users can configure Active Directory by navigating to Application Settings > Directory Service.
OIDC authentication
Users can configure OpenID Connect providers by navigating to Application Settings > OIDC.
User and credential management
Administrators can create and manage user accounts from the Users page by navigating to Application Settings > Users in OpenManage Enterprise. Administrators can perform the following tasks in this wizard:
- View, add, enable, edit, disable, or delete the OpenManage Enterprise users (local users imported from AD and OIDC accounts).
- Assign OpenManage Enterprise roles to Active Directory users by importing the directory groups. For the device manager role, admin may limit the scope for the members of the imported directory group.
- View, add, enable, edit, disable, or delete OpenID Connect providers (PingFederate and/or Keycloak).
Local user passwords are encrypted and stored in local database. The recommended characters for passwords are as follows:
- 0-9
- A-Z
- a-z
- ‘
- –
- !
- “
- $
- %
- &
- ( )
-
- ,
- .
- /
- :
- ;
- ?
- @
- [
- \
- ]
- ^
- _
- `
- {
- |
- }
- ~
-
- <
- =
- >
Pre-loaded accounts
OpenManage Enterprise has admin as the default user. On first boot, after the EULA has been accepted, the password for the default admin account has to be configured.
Default credentials
No default credentials are configured on OpenManage Enterprise. The admin needs to configure the credentials on the TUI.
How to disable local accounts
Local users can be disabled from the Users page, which is accessible in OpenManage Enterprise through Application Settings > Users, by selecting the user and clicking Disable.
Managing credentials
After first boot, the system prompts the user to accept the EULA and forces the user to set the credentials via the Text User Interface (TUI). The default admin user can change the administrator password from the same Text User Interface (TUI) in the future. Other user accounts can be managed from the Application Settings > Users page.
Changing admin password from Text User Interface
Securing credentials
User credentials are one-way hashed using the OpenBSD bcrypt scheme and stored in the database.
Password complexity
The recommended characters for passwords are as follows:
- 0-9
- A-Z
- a-z
- ‘
- –
- !
- “
- $
- %
- &
- ( )
-
- ,
- .
- /
- :
- ;
- ?
- @
- [
- \
- ]
- ^
- _
- `
- {
- |
- }
- ~
-
- <
- =
- >
Authentication to external systems
OpenManage Enterprise saves device credentials encrypted with AES encryption with a 128-bit key size, using an encryption key generated on OpenManage Enterprise. Device credentials are used to communicate with devices by using multiple supported protocols such as Redfish, WSMan, SSH, IPMI, and SNMP.
Authorization
OpenManage Enterprise has Role-Based Access Control that clearly defines the user privileges for the three built-in roles – Administrator, Device Manager, and Viewer. Additionally, using Scope-Based Access Control (SBAC), an administrator can limit the device groups that a device manager has access to.
RBAC privileges
OpenManage Enterprise users are assigned roles which determine their level of access to the appliance settings and device management features. This feature is termed Role-Based Access Control (RBAC). The console enforces the privilege required for a certain action before allowing the action. OpenManage Enterprise comes with three built-in roles – Administrator, Device Manager, and Viewer.
With the Role-Based Access Control (RBAC) feature, administrators can assign roles while creating users. Roles determine their level of access to the appliance settings and device management features. Scope-Based Access Control (SBAC) is an extension of the RBAC feature, introduced in OpenManage Enterprise version 3.6.0, that allows an administrator to restrict a Device Manager role to a subset of device groups called scope.
Role mapping
User with role | Has the following user privilege |
---|---|
Administrator | Has full access to all the tasks that can be performed on the console: full access (by using GUI and REST) to read, view, create, edit, delete, export, and remove information related to devices and groups monitored by OpenManage Enterprise; can create local, Microsoft Active Directory (AD), and LDAP users and assign suitable roles; enable and disable users; modify the roles of existing users; delete the users; change the user password. |
Device Manager (DM) | Run tasks, policies, and other actions on the devices (scope) assigned by the Administrator. |
Viewer | Can only view information displayed on OpenManage Enterprise and run reports; by default, has read-only access to the console and all groups; cannot run tasks or create and manage policies. |
Network security
Supported protocols and ports on management stations
Table 1. OpenManage Enterprise supported protocols and ports on management stations
Port Number | Protocol | Port Type | Maximum Encryption Level | Source | Direction | Destination | Usage
---|---|---|---|---|---|---|---
22 | SSH | TCP | 256-bit | Management station | In | OpenManage Enterprise appliance | Required for incoming only if FSD is used. OpenManage Enterprise administrator must enable only if interacting with the Dell EMC support staff.
25 | SMTP | TCP | None | OpenManage Enterprise appliance | Out | Management station | To receive email alerts from OpenManage Enterprise.
53 | DNS | UDP/TCP | None | OpenManage Enterprise appliance | Out | Management station | For DNS queries.
68 / 546 (IPv6) | DHCP | UDP/TCP | None | OpenManage Enterprise appliance | Out | Management station | Network configuration.
80* | HTTP | TCP | None | Management station | In | OpenManage Enterprise appliance | The Web GUI landing page. This will redirect a user to HTTPS (Port 443).
123 | NTP | TCP | None | OpenManage Enterprise appliance | Out | NTP Server | Time synchronization (if enabled).
137, 138, 139, 445 | CIFS | UDP/TCP | None | iDRAC/CMC | In | OpenManage Enterprise appliance | To upload or download deployment templates. To upload TSR and diagnostic logs. To download firmware/driver DUPs, and FSD process. Boot to network ISO.
137, 138, 139, 445 | CIFS | UDP/TCP | None | OpenManage Enterprise appliance | Out | CIFS share | To import firmware/driver catalogs from CIFS share.
111, 2049 (default) | NFS | UDP/TCP | None | OpenManage Enterprise appliance | Out | External NFS share | To download catalog and DUPs from the NFS share for firmware updates. For manual console upgrade from network share.
162* | SNMP | UDP | None | Management station | In/Out | OpenManage Enterprise appliance | Event reception through SNMP. The direction is ‘outgoing’ only if using the Trap forward policy.
443 (default) | HTTPS | TCP | 128-bit SSL | Management station | In/Out | OpenManage Enterprise appliance | Web GUI. To download updates and warranty information from Dell.com. 256-bit encryption is allowed when communicating with the OpenManage Enterprise by using HTTPS for the web GUI. Server-initiated discovery.
514 | Syslog | TCP | None | OpenManage Enterprise appliance | Out | Syslog server | To send alert and audit log information to Syslog server.
3269 | LDAPS | TCP | None | OpenManage Enterprise appliance | Out | Management station | AD/LDAP login for Global Catalog.
636 | LDAPS | TCP | None | OpenManage Enterprise appliance | Out | Management station | AD/LDAP login for Domain Controller.
*Port can be configured up to 499 excluding the port numbers that are already allocated.
Supported protocols and ports on managed nodes
Table 2. OpenManage Enterprise supported protocols and ports on the managed nodes
Port Number | Protocol | Port Type | Maximum Encryption Level | Source | Direction | Destination | Usage
---|---|---|---|---|---|---|---
22 | SSH | TCP | 256-bit | OpenManage Enterprise appliance | Out | Managed node | For the Linux OS, Windows, and Hyper-V discovery.
161 | SNMP | UDP | None | OpenManage Enterprise appliance | Out | Managed node | For SNMP queries.
162* | SNMP | UDP | None | OpenManage Enterprise appliance | In/Out | Managed node | Send and receive SNMP traps.
443 | Proprietary/WS-Man/Redfish | TCP | 256-bit | OpenManage Enterprise appliance | Out | Managed node | Discovery and inventory of iDRAC7 and later versions. For the CMC management.
623 | IPMI/RMCP | UDP | None | OpenManage Enterprise appliance | Out | Managed node | IPMI access through LAN.
69 | TFTP | UDP | None | CMC | In | Management station | For updating CMC firmware.
*Port can be configured up to 499 excluding the port numbers that are already allocated.
NOTE: In an IPv6 environment, you must enable IPv6 and disable IPv4 in the OpenManage Enterprise appliance to ensure all the features work as expected.
Internal network share
Many server operations, such as Firmware Update, Template Extraction and Deployment, and obtaining the Diagnostics or Tech Support Report from a server, require access to an external network share (NFS / CIFS / HTTPS). Typically, it’s the user’s responsibility to set up and provide access to the network share. OpenManage Enterprise includes a built-in appliance file share to reduce the work required to set up an external network share, which improves the customer experience. Access to the network share is further protected by credentials that are rotated periodically. By default, the appliance file share is made available through CIFS (v2) to the devices that need to access it per operation. By default, a running OpenManage Enterprise instance will have samba (samba daemon) listening on ports 139/445. With OpenManage Enterprise 3.8, the administrator has a choice of using HTTPS as the protocol to make the internal file share available. This can be done using the Application Settings page as follows:
Once the switch to use HTTPS for the internal file share is made, smbd is shut down, and the OME appliance no longer functions as a CIFS server.
OME supports 12-15G servers, but only the later versions of server firmware support all operations via HTTPS shares. The table below identifies whether the operation can be supported for servers, and the minimum firmware version required to support it.
Use Case / Operation | YX2X (12G) or YX3X (13G) servers | YX4X (14G) and above servers
---|---|---
Firmware Update | Supported using: HTTPS URI 2.70.70.70 (October 2019) | Supported using: HTTPS URI 3.00.00.00
Driver Update | DSU 1.9.1 | DSU 1.9.1
Server Configuration Profile (SCP) (for template capture, deployment, configuration inventory, and remediation) | 2.70.70.70 | 3.00.00.00
Technical Support Report (TSR) | N/A | 3.21.21.21 (December 2018)
Remote Diagnostics | N/A | 3.00.00.00
- Windows Driver update is effected over the DSU / DUEC / IC (D3 deliverables) that OME carries. DSU 1.9.1 offers HTTPS support.
- Template extraction and Profile Deployment is also supported on Chassis and IOAs. NPS Chassis does not support HTTPS (per Dev team interlocks) and will only work with NFS or CIFS shares. NGM supports HTTPS / NFS / CIFS shares.
Regardless of protocol choice (CIFS or HTTPS), access to the built-in network share is controlled by credentials that are rotated every 6 hours. This interval is not configurable. The share location and credentials are provided to the devices that need them within the context of each OME workflow. This share is used only for internal communication to the devices and there is no external method to get the share details.
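The following is an added example, not part of the Dell guide: it checks nmap-style scan output of the appliance against the inbound rows of Table 1 and the smbd shutdown described above. The scan lines are constructed, the function and parameter names are hypothetical, and allowing 137, 138, 139 and 445 on both TCP and UDP follows the table's "UDP/TCP" entry.

```python
"""Added example: audit observed appliance listeners against the guide."""
import re

# Constructed sample in nmap's "PORT STATE SERVICE" layout.
SAMPLE_SCAN = """
22/tcp   closed        ssh
80/tcp   open          http
139/tcp  open          netbios-ssn
443/tcp  open          https
445/tcp  open          microsoft-ds
8080/tcp unfiltered    http-proxy
162/udp  open|filtered snmptrap
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)")


def expected_inbound(fsd_enabled=False, internal_share="CIFS",
                     http_port=80, trap_port=162):
    """Return the (port, proto) pairs Table 1 documents as inbound.

    http_port and trap_port are parameters because the guide marks 80*
    and 162* as reconfigurable; 443 is the documented HTTPS default.
    """
    allowed = {(http_port, "tcp"), (443, "tcp"), (trap_port, "udp")}
    if fsd_enabled:
        # SSH is inbound only while Field Service Debug is in use.
        allowed.add((22, "tcp"))
    if internal_share.upper() == "CIFS":
        # smbd is shut down once the internal share is switched to HTTPS.
        for port in (137, 138, 139, 445):
            allowed.update({(port, "tcp"), (port, "udp")})
    return allowed


def parse_scan(text):
    """Extract (port, proto, state) tuples from nmap-style port lines."""
    rows = []
    for line in text.splitlines():
        match = PORT_LINE.match(line.strip())
        if match:
            rows.append((int(match.group(1)), match.group(2), match.group(3)))
    return rows


def audit_listeners(scan_text, **config):
    """Classify undocumented ports found in a scan.

    'unexpected': open but not documented for this configuration.
    'confirm':    ambiguous state (unfiltered, open|filtered) on an
                  undocumented port; the guide says these should be
                  closed, so verify with a follow-up scan.
    """
    allowed = expected_inbound(**config)
    report = {"unexpected": [], "confirm": []}
    for port, proto, state in parse_scan(scan_text):
        if (port, proto) in allowed or state in ("closed", "filtered"):
            continue
        bucket = "unexpected" if state == "open" else "confirm"
        report[bucket].append(f"{port}/{proto}")
    return report


if __name__ == "__main__":
    # Appliance configured to serve the internal share over HTTPS.
    print(audit_listeners(SAMPLE_SCAN, internal_share="HTTPS"))
```

With the internal share set to HTTPS, the sample reports 139/tcp and 445/tcp as unexpected, which would mean smbd is still running after the switch.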
Field service debug (FSD)
In OpenManage Enterprise, you can authorize console debugging by using the Field Service Debug (FSD) option. FSD enables root-level access to the appliance via SSH. This process can only be authorized through Dell EMC Support services. For more information, see the Field service debug workflow section in the user’s guide.
OpenManage Enterprise update
Users can upgrade to the next version of OpenManage Enterprise by downloading the latest bundle from dell.com. For more information, see the Update OpenManage Enterprise section in the user’s guide.
Data security
OME stores all sensitive data encrypted with the OME-generated encryption key. All user credentials are stored with a one-way hash and cannot be decrypted. All device credentials are encrypted with AES using a 128-bit key. All other data on the appliance is protected by privileges, and access is granted based on those privileges. Also, OME's pre-configured SELinux policies ensure data protection and access to the OME workflows.
Cryptography
Internal services are configured with specific Access Control Lists (ACLs), which ensure that only required services can have access.
OpenManage Enterprise supports industry-proven crypto algorithms for client communication. OME only allows communication via the TLS v1.2 protocol with clients. Clients can negotiate to communicate with OME using the following ciphers:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
NOTE: Selection of ciphers is NOT user configurable.
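The following is an added example, not part of the Dell guide: it handshakes with an appliance and compares the negotiated protocol and cipher with the list above. The function names are hypothetical, and the mapping translates the guide's IANA cipher names to the OpenSSL names that Python's ssl module reports.

```python
"""Added example: compare a TLS handshake with the documented OME policy."""
import socket
import ssl

# IANA names from the guide's list -> OpenSSL names reported by
# SSLSocket.cipher() in Python.
DOCUMENTED_CIPHERS = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256": "DHE-RSA-AES256-SHA256",
}
DOCUMENTED_PROTOCOL = "TLSv1.2"


def evaluate_handshake(protocol, openssl_cipher):
    """Return deviations from the guide; an empty list means a match."""
    findings = []
    if protocol != DOCUMENTED_PROTOCOL:
        findings.append(
            f"negotiated {protocol}; the guide documents only "
            f"{DOCUMENTED_PROTOCOL}")
    if openssl_cipher not in DOCUMENTED_CIPHERS.values():
        findings.append(f"cipher {openssl_cipher} is not in the documented list")
    return findings


def probe(host, port=443, cap_tls11=False, timeout=5.0):
    """Handshake once; return (protocol, cipher) or None if it fails.

    Certificate validation is off because the appliance ships with a
    self-signed certificate by default; this measures protocol policy only.
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        if cap_tls11:
            # Offer nothing newer than TLS 1.1 to test for legacy support.
            ctx.minimum_version = ssl.TLSVersion.TLSv1
            ctx.maximum_version = ssl.TLSVersion.TLSv1_1
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError, ValueError):
        return None


def audit(host, port=443):
    """Run a default probe and a TLS 1.1-capped probe; return findings."""
    result = probe(host, port)
    if result is None:
        return ["no TLS handshake completed"]
    findings = evaluate_handshake(*result)
    # Only an accepted legacy handshake is evidence: a refusal can also
    # come from the local OpenSSL build having TLS 1.0/1.1 disabled.
    legacy = probe(host, port, cap_tls11=True)
    if legacy is not None:
        findings.append(f"legacy handshake accepted ({legacy[0]})")
    return findings
```

Call `audit("<appliance FQDN>")` from a management station that is inside the allowed IP range.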
Certificate management
By default, OME is configured to use self-signed certificates. Admins can configure the CA signed certificate under Application Settings > Security > Certificates.
Users can view information about the currently available SSL certificate for the device by navigating to Application Settings > Security > Certificates. By default, OpenManage Enterprise comes with self-signed certificates.
Users can also generate a CSR, get it signed, and then upload the signed certificate to the OpenManage Enterprise console.
Auditing and logging
Auditing provides a historical view of the users and activity on the system. The Audit logs page lists the log data to help you or the Dell EMC Support teams in troubleshooting and analysis. An audit log is recorded when:
- A group is assigned, or access permission is changed.
- User role is modified.
- Actions are performed on the devices monitored by OpenManage Enterprise.
The audit log files can be exported to the CSV file format.
Logs
Users can access all OME services logs and audit logs from the UI. Navigate to Monitor > Audit logs > Export Console logs/Audit logs. Support can use these logs for analyzing customer issues. By default, these logs are at INFO (or above) level.
Administrators can change log levels from the Text User Interface.
OpenManage Enterprise has a size-based log roll-over policy. The maximum size of the log file can go up to 10 MB. Users can find up to 10 rollover log files for any service.
Network vulnerability scanning
Issues | Resolution |
---|---|
SSL certificate cannot be trusted; SSL certificate chain ends in an unrecognized self-signed certificate; SSL certificate – Computer Name (CN) does not match FQDN; SSL certificate – Invalid Maximum validity date detected | Security scans on OME may show the SSL certificate issues with the default certificate on OME. As a best practice, customers can choose to upload the CA trusted certificate to the production environment. |
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the target machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols. | Security scans on OME may show the issue with ICMP configuration. Knowledge of OpenManage Enterprise’s uptime is not considered a risk and its operating system is well-known and documented. |
Unfiltered Ports on NMAP scans | Security scans may report some of the ports on OME as Unfiltered. All unfiltered ports are closed other than all documented ports. |