Dell OpenManage Security

Dell OpenManage™ Installation and Security User's Guide

  Security Features

  Built-in Security Features

  Security Management



Security Features

The Dell OpenManage™ systems management software components provide the following security features:

  • Authentication for users through hardware-stored user IDs and passwords, or by using the optional Microsoft® Active Directory

  • Role-based authority that allows specific privileges to be configured for each user

  • User ID and password configuration through the Web-based interface or racadm command-line interface (CLI), in most cases

  • SSL encryption of 128 bit and 40 bit (for countries where 128 bit is not acceptable)

    NOTE: Telnet does not support SSL encryption.

  • Session time-out configuration (in minutes) through the Web-based interface or CLI

  • Configuration of many of the commonly known ports


Built-in Security Features

Ports

Table 2-1 lists the ports used by the Dell OpenManage systems management software, other standard operating system services, and other agent applications. Correctly configured ports are necessary to allow Dell OpenManage systems management software to connect to a remote device through firewalls. If the attempt to communicate with a remote device fails, you may have specified an incorrect port number.

Table 2-1. Dell OpenManage UDP/TCP Ports Default Locations

UDP/TCP Port Number | Protocol         | Usage                                                                                                              | Is the Port Configurable?
7                   | UDP/TCP          | Used for Ping (Echo)                                                                                               | No
22                  | SSH              | Secure Shell default port                                                                                          | No
23                  | Telnet           | Telnet default port                                                                                                | Yes
25                  | SMTP             | Simple Mail Transfer Protocol port                                                                                 | No
53                  | DNS              | Domain name server (DNS) default port                                                                              | No
68                  | bootstrap        | Wake-on-LAN default port                                                                                           | Yes
69                  | TFTP             | Trivial File Transfer Protocol port                                                                                | No
80                  | HTTP             | DRAC 4, DRAC III, DRAC III/XT, ERA, ERA/O, ERA/MC, and DRAC/MC default port                                        | Yes
161                 | SNMP (get/set)   | SNMP agent port used by Dell OpenManage Array Manager, DRAC 4, DRAC III, DRAC III/XT, ERA, ERA/O, ERA/MC, and DRAC/MC | No
162                 | SNMP (traps)     | SNMP traps listener port                                                                                           | No
623                 | Telnet           | Baseboard Management Controller (BMC) Management Utility default port                                              | Yes
636                 | LDAP             | Lightweight Directory Access Protocol (LDAP) port                                                                  | No
443                 | HTTPS (SSL)      | DRAC 4 default port                                                                                                | Yes
1311                | HTTPS (SSL)      | Dell OpenManage Server Administrator default port                                                                  | Yes
2148                |                  | Used by Array Manager clients to connect                                                                           |
2606                | TCP/IP           | Communication between the Dell OpenManage IT Assistant connection service and network monitoring service           | Yes
2607                | HTTPS            | Communication between the IT Assistant user interface and connection service                                       | Yes
3269                | LDAP             | LDAP for global catalog (GC) port                                                                                  | No
3668                | VMS              | Virtual Media server                                                                                               | Yes
4995                | TCP/IP           | Dell OpenManage Client Connector (OMCC) default port                                                               | Yes
5869                | spcmp server     | Remote racadm spcmp server                                                                                         | No
5900                | VNC proxy server | Console redirection default port for DRAC III, DRAC III/XT, ERA, and ERA/O                                         | Yes
5900                | Dell proprietary | DRAC 4                                                                                                             | Yes
NOTE: CIM ports are also dynamic. See the Microsoft knowledge base at support.microsoft.com for information on CIM port usage.

NOTE: If you are using a firewall, you must open all of the ports listed in the previous table to ensure that IT Assistant and other Dell OpenManage applications function properly.
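As an added example that is not part of the Dell guide, the script below checks a firewall allow-list against the default ports in Table 2-1: it reports which ports still need to be opened, rejects attempts to move a service the table marks as non-configurable, and lists the ports that carry management traffic without SSL (the guide's note that Telnet does not support SSL, plus plain HTTP) so they can be filtered more tightly. The allow-list and the remapping are constructed sample input; the `OmPort` class and `audit()` function are assumptions of this example.

```python
# Added example, not from the Dell guide: check a firewall allow-list against the
# Dell OpenManage defaults in Table 2-1. The allow-list and remapping used below are
# constructed sample input; the port data is copied from the table.
from dataclasses import dataclass


@dataclass(frozen=True)
class OmPort:
    port: int            # default port number from Table 2-1
    proto: str           # protocol named in the table
    usage: str
    configurable: bool   # "Is the Port Configurable?" column


# Subset of Table 2-1 used by a DRAC / Server Administrator deployment.
OPENMANAGE_PORTS = (
    OmPort(22, "SSH", "Secure Shell default port", False),
    OmPort(23, "Telnet", "Telnet default port", True),
    OmPort(80, "HTTP", "DRAC Web interface default port", True),
    OmPort(161, "SNMP", "SNMP agent port", False),
    OmPort(162, "SNMP", "SNMP traps listener port", False),
    OmPort(443, "HTTPS", "DRAC 4 default port", True),
    OmPort(623, "Telnet", "BMC Management Utility default port", True),
    OmPort(1311, "HTTPS", "Server Administrator default port", True),
)

# Protocols in the table that carry management traffic without SSL
# (the guide notes that Telnet does not support SSL; HTTP is the non-SSL web port).
NO_SSL = {"Telnet", "HTTP"}


def audit(allowed_ports, remapped=None):
    """Return (missing, no_ssl): ports the firewall must still open, and the
    ports carrying unencrypted management traffic that deserve extra filtering.

    `remapped` maps a default port to the port the admin moved that service to;
    moving a service the table marks non-configurable is rejected."""
    remapped = remapped or {}
    missing, no_ssl = [], []
    for svc in OPENMANAGE_PORTS:
        effective = remapped.get(svc.port, svc.port)
        if effective != svc.port and not svc.configurable:
            raise ValueError(f"port {svc.port} ({svc.proto}) is not configurable")
        if effective not in allowed_ports:
            missing.append(effective)
        if svc.proto in NO_SSL:
            no_ssl.append(effective)
    return missing, no_ssl


if __name__ == "__main__":
    # Constructed sample: a firewall that only allows the SSL and SNMP ports.
    print(audit({22, 161, 162, 443, 1311}))
```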

Security Management

Dell™ provides security and access administration through role-based access control (RBAC), authentication, and encryption, or through Microsoft Active Directory for both the Web-based and command-line interfaces.

Role-Based Access Control (RBAC)

RBAC manages security by determining the operations that can be executed by users in specific roles. Each user is assigned one or more roles, and each role is assigned one or more user privileges that are permitted to users in that role. With RBAC, security administration can correspond closely to an organization's structure. For information about setting up Dell OpenManage users, see "Assigning User Privileges."

User Privileges

Server Administrator grants different access rights based on the user's assigned group privileges. The three user levels are User, Power User, and Administrator.

Users can view most information.

Power Users can set warning threshold values, run diagnostic tests, and configure which alert actions are to be taken when a warning or failure event occurs.

Administrators can configure and perform shutdown actions, configure Auto Recovery actions in case a system has a hung operating system, and clear hardware, event, and command logs. Administrators can also send e-mail.

Server Administrator grants read-only access to users logged in with User privileges; read and write access to users logged in with Power User privileges; and read, write, and administrator access to users logged in with Administrator privileges. See Table 2-2.

Table 2-2. User Privileges

User Privileges   Access Type
                  Admin   Write   Read
User                              X
Power User                X       X
Administrator     X       X       X

Admin access allows you to shut down the managed system.

Write access allows you to modify or set the values on the managed system.

Read access allows you to view the data reported by Server Administrator. Read access does not allow you to change or set the values on the managed system.

Privilege Levels to Access Server Administrator Services

Table 2-3 summarizes which user levels have privileges to access and manage Server Administrator Services.

Table 2-3. Server Administrator User Privilege Levels

Service               User Privilege Level Required
                      View       Manage
Instrumentation       U, P, A    P, A
Remote Access         U, P, A    A
Diagnostics           P, A       P, A
Update                U, P, A    A
Storage Management    U, P, A    NA

Table 2-4 defines the user privilege level abbreviations used in Table 2-3.

Table 2-4. Legend for Server Administrator User Privilege Levels

U     User
P     Power User
A     Administrator
NA    Not Applicable

Authentication

The Server Administrator authentication scheme ensures that the correct access types are assigned to the correct user privileges. Additionally, when you invoke the CLI, the Server Administrator authentication scheme validates the context within which the current process is running. This authentication scheme ensures that all Server Administrator functions, whether accessed through the Server Administrator home page or CLI, are properly authenticated.

Microsoft Windows Authentication

For supported Microsoft Windows® operating systems, Server Administrator authentication is based on the operating system's user authentication system using Windows NT® LAN Manager (NTLM) modules to authenticate. This underlying authentication system allows Server Administrator security to be incorporated in an overall security scheme for your network.

Red Hat Enterprise Linux Authentication

For supported Red Hat® Enterprise Linux operating systems, Server Administrator authentication is based on the Pluggable Authentication Modules (PAM) library. This documented library of functions allows an administrator to determine how individual applications authenticate users.

Novell NetWare Authentication

For supported Novell® NetWare® operating systems, Server Administrator authentication is based on the Novell Directory Services (NDS) library. This documented library of functions allows an administrator to determine how individual applications authenticate users.

Encryption

Server Administrator is accessed over a secure HTTPS connection using Secure Sockets Layer (SSL) technology to ensure and protect the identity of the system being managed. Java Secure Socket Extension (JSSE) is used by supported Microsoft Windows, Red Hat Enterprise Linux, and certain Novell NetWare operating systems to protect the user credentials and other sensitive data that are transmitted over the socket connection when a user accesses the Server Administrator home page. Supported Novell NetWare operating systems use Java SSL and Secure Authentication Services (SAS)-NetWare International Cryptographic Infrastructure (NICI).

Microsoft Active Directory

The Microsoft Active Directory® service software acts as the central authority for network security, letting the operating system readily verify a user's identity and control that user's access to network resources for Dell OpenManage applications running on supported Microsoft Windows platforms. Dell has modified the Active Directory database to support remote management authentication and authorization. IT Assistant, Server Administrator, and Dell remote access controllers can now interface with Active Directory to add and control users and privileges from one central database. For information about using Active Directory, see "Microsoft Active Directory."
