Have you secured your IPMI? | Nutanix Community

Did you know you can secure your IPMI Web Interface with an SSL Certificate?

 

Securing the IPMI Web interface is recommended to help reduce susceptibility to attacks. You can further enhance security by installing your own customized certificate or a CA-signed certificate.

  • Nutanix recommends strong keys and signature algorithms. The IPMI module supports SHA2 and RSA 2048 bit SSL.
  • Avoid long certificate chains or large certificates. If the IPMI module shows the default or previously-installed certificate after you install a new one, or you are unable to log in to the IPMI web interface, the chain is too long (chain length longer than one) or the certificate is too large. As a test, create a simple self-signed certificate and install it to ensure the IPMI is working correctly before attempting to install larger certificates.
  • You can use openssl or keytool to generate keys, certificates, and signing requests.

Similarly to any other certificate deployment, the process consists of two steps: generation of the certificate and its installation.
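
For the generation step, the sketch below is an added example (not from the original post or from KB-1820) that uses openssl to create the simple self-signed test certificate suggested above and checks a certificate/key pair against the listed constraints before upload. The function names, file names and hostname are hypothetical placeholders.

```shell
# Added example: build a minimal self-signed test certificate for an IPMI module
# and check a certificate/key pair before uploading it. All names are assumptions.

# Generate an RSA 2048-bit key and a SHA-256 self-signed certificate (no chain).
make_test_cert() {  # usage: make_test_cert <common-name> <key.pem> <cert.pem>
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
    -subj "/CN=$1" -keyout "$2" -out "$3" 2>/dev/null
}

# Pre-upload checks. Prints each failure and returns non-zero if any check fails.
check_ipmi_cert() {  # usage: check_ipmi_cert <cert.pem> <key.pem>
  local cert="$1" key="$2" rc=0 count bits sig text
  # 1. The file must hold exactly one certificate (chain length of one).
  count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$cert" || true)
  [ "$count" -eq 1 ] || { echo "FAIL: $count certificates in $cert"; rc=1; }
  text=$(openssl x509 -in "$cert" -noout -text)
  # 2. The public key must be 2048 bits.
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "$bits" = 2048 ] || { echo "FAIL: key size is ${bits:-unknown}"; rc=1; }
  # 3. The signature must use a SHA-2 digest.
  sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
  case "$sig" in
    sha256*|sha384*|sha512*) ;;
    *) echo "FAIL: signature algorithm is ${sig:-unknown}"; rc=1 ;;
  esac
  # 4. The private key must belong to the certificate (same public key).
  if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != \
       "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "FAIL: private key does not match certificate"; rc=1
  fi
  return "$rc"
}

# Example run with placeholder names:
#   make_test_cert ipmi-test.example.com ipmi.key ipmi.crt
#   check_ipmi_cert ipmi.crt ipmi.key && echo "ready to upload"
```

The checks cover chain length, key size, signature algorithm and key/certificate pairing; the post gives no numeric limit for "too large", so none is tested.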

 

Installing the Certificate and Key on the IPMI module

  1. Log in to the IPMI web interface with administrator credentials.
  2. Click Configuration > SSL Certification.
  3. The SSL Upload section is displayed. Here, you can upload the certificate and its private key.
  4. Click Choose File (or Browse depending on the IPMI version) and select the Certificate file and the Private Key from your PC.
  5. The IPMI module will then restart so that the changes take effect. This will not impact the stability of the cluster or impact the availability of data.
  6. To verify that the certificate and key are now installed, log in to the IPMI web interface and click Configuration > SSL Certification.

The SSL Upload section must display the Certification Valid dates for each SSL component.

 

For more details, including how to generate a certificate, refer to KB-1820 Securing the IPMI Web Interface with an SSL Certificate.

More on IPMI:

How to configure an IP address on IPMI via all possible means NX Series Hardware Administration Guide: Changing an IPMI IP Address

IPMI integration with Active Directory

IPMI password recovery: AHV, ESXi and no hypervisor (+bonus)