├── .gitignore
├── deployment.config
├── ilo-proxy-scripts
    ├── ilo3-example-server1-ilo-192.168.150.1-proxy.sh
    ├── ilo3-example-server2-ilo-192.168.150.2-proxy.sh
    └── ilo3-example-server3-ilo-192.168.150.3-proxy.sh
├── ilo-ssh-scripts
    ├── ilo3-example-server1-ilo-192.168.150.1-ssh.sh
    ├── ilo3-example-server2-ilo-192.168.150.2-ssh.sh
    ├── ilo3-example-server3-ilo-192.168.150.3-ssh.sh
    ├── ilo4-example-server4-ilo-192.168.150.4-ssh.sh
    ├── ilo4-example-server5-ilo-192.168.150.5-ssh.sh
    └── ilo5-example-server6-ilo-192.168.150.6-ssh.sh
├── ilo3-mitmproxy.service
├── ilo-console-scripts
    ├── ilo3-example-server1-ilo-192.168.150.1-console.sh
    ├── ilo3-example-server2-ilo-192.168.150.2-console.sh
    ├── ilo3-example-server3-ilo-192.168.150.3-console.sh
    ├── ilo4-example-server4-ilo-192.168.150.4-console.sh
    ├── ilo4-example-server5-ilo-192.168.150.5-console.sh
    └── ilo5-example-server6-ilo-192.168.150.6-console.sh
├── openssl-conf.cnf
├── install-ilo3-proxy-service.sh
├── configure-java.sh
├── deployment.properties
├── ilo3-mitmproxy.sh
├── HONORABLE-MENTIONS.md
├── base-install.sh
├── LICENSE.md
├── ilo-proxy.sh
├── PREPARATIONS.md
├── generate-ilo-scripts.sh
├── ilo-console.sh
└── README.md


/.gitignore:
--------------------------------------------------------------------------------
jre/**
mitm*

--------------------------------------------------------------------------------
/deployment.config:
--------------------------------------------------------------------------------
deployment.config file://deployment.properties
deployment.system.config.mandatory true

--------------------------------------------------------------------------------
/ilo-proxy-scripts/ilo3-example-server1-ilo-192.168.150.1-proxy.sh:
--------------------------------------------------------------------------------
#!/bin/bash
ILO_SKIP_DEFAULTS=1 ILO_HOST=192.168.150.1 $( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )/../ilo-proxy.sh

--------------------------------------------------------------------------------
/ilo-proxy-scripts/ilo3-example-server2-ilo-192.168.150.2-proxy.sh:
--------------------------------------------------------------------------------
#!/bin/bash
ILO_SKIP_DEFAULTS=1 ILO_HOST=192.168.150.2 $( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )/../ilo-proxy.sh

--------------------------------------------------------------------------------
/ilo-proxy-scripts/ilo3-example-server3-ilo-192.168.150.3-proxy.sh:
--------------------------------------------------------------------------------
#!/bin/bash
ILO_SKIP_DEFAULTS=1 ILO_HOST=192.168.150.3 $( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )/../ilo-proxy.sh

--------------------------------------------------------------------------------
/ilo-ssh-scripts/ilo3-example-server1-ilo-192.168.150.1-ssh.sh:
--------------------------------------------------------------------------------
#!/bin/bash
ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss -oCiphers=+aes256-ctr -l Administrator 192.168.150.1 "$@"

--------------------------------------------------------------------------------
/ilo-ssh-scripts/ilo3-example-server2-ilo-192.168.150.2-ssh.sh:
--------------------------------------------------------------------------------
#!/bin/bash
ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss -oCiphers=+aes256-ctr -l Administrator 192.168.150.2 "$@"

--------------------------------------------------------------------------------
/ilo-ssh-scripts/ilo3-example-server3-ilo-192.168.150.3-ssh.sh:
--------------------------------------------------------------------------------
#!/bin/bash
ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss -oCiphers=+aes256-ctr -l Administrator 192.168.150.3 "$@"

--------------------------------------------------------------------------------
/ilo-ssh-scripts/ilo4-example-server4-ilo-192.168.150.4-ssh.sh:
--------------------------------------------------------------------------------
#!/bin/bash
ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss -oCiphers=+aes256-ctr -l Administrator 192.168.150.4 "$@"

--------------------------------------------------------------------------------
/ilo-ssh-scripts/ilo4-example-server5-ilo-192.168.150.5-ssh.sh:
--------------------------------------------------------------------------------
#!/bin/bash
ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss -oCiphers=+aes256-ctr -l Administrator 192.168.150.5 "$@"

--------------------------------------------------------------------------------
/ilo-ssh-scripts/ilo5-example-server6-ilo-192.168.150.6-ssh.sh:
--------------------------------------------------------------------------------
#!/bin/bash
ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss -oCiphers=+aes256-ctr -l Administrator 192.168.150.6 "$@"

--------------------------------------------------------------------------------
/ilo3-mitmproxy.service:
--------------------------------------------------------------------------------
[Unit]
Description=MITM Proxies for iLO3 servers
After=network.target

[Service]
Type=forking
ExecStart=ilo3-mitmproxy.sh

[Install]
WantedBy=multi-user.target

--------------------------------------------------------------------------------
/ilo-console-scripts/ilo3-example-server1-ilo-192.168.150.1-console.sh:
--------------------------------------------------------------------------------
#!/bin/bash
ILO_SKIP_DEFAULTS=1 ILO_LOGIN=Administrator ILO_HOST=192.168.150.1 ILO_VERSION=3 $( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )/../ilo-console.sh

--------------------------------------------------------------------------------
/ilo-console-scripts/ilo3-example-server2-ilo-192.168.150.2-console.sh:
--------------------------------------------------------------------------------
#!/bin/bash
ILO_SKIP_DEFAULTS=1 ILO_LOGIN=Administrator ILO_HOST=192.168.150.2 ILO_VERSION=3 $( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )/../ilo-console.sh

--------------------------------------------------------------------------------
/ilo-console-scripts/ilo3-example-server3-ilo-192.168.150.3-console.sh:
--------------------------------------------------------------------------------
#!/bin/bash
ILO_SKIP_DEFAULTS=1 ILO_LOGIN=Administrator ILO_HOST=192.168.150.3 ILO_VERSION=3 $( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )/../ilo-console.sh

--------------------------------------------------------------------------------
/ilo-console-scripts/ilo4-example-server4-ilo-192.168.150.4-console.sh:
--------------------------------------------------------------------------------
#!/bin/bash
ILO_SKIP_DEFAULTS=1 ILO_LOGIN=Administrator ILO_HOST=192.168.150.4 ILO_VERSION=4 $( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )/../ilo-console.sh

--------------------------------------------------------------------------------
/ilo-console-scripts/ilo4-example-server5-ilo-192.168.150.5-console.sh:
--------------------------------------------------------------------------------
#!/bin/bash
ILO_SKIP_DEFAULTS=1 ILO_LOGIN=Administrator ILO_HOST=192.168.150.5 ILO_VERSION=4 $( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )/../ilo-console.sh

--------------------------------------------------------------------------------
/ilo-console-scripts/ilo5-example-server6-ilo-192.168.150.6-console.sh:
--------------------------------------------------------------------------------
#!/bin/bash
ILO_SKIP_DEFAULTS=1 ILO_LOGIN=Administrator ILO_HOST=192.168.150.6 ILO_VERSION=5 $( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )/../ilo-console.sh

--------------------------------------------------------------------------------
/openssl-conf.cnf:
--------------------------------------------------------------------------------
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=0
Options = UnsafeLegacyRenegotiation

--------------------------------------------------------------------------------
/install-ilo3-proxy-service.sh:
--------------------------------------------------------------------------------
#!/bin/bash

cp ilo3-mitmproxy.service /etc/systemd/system/
systemctl daemon-reload
systemctl stop ilo3-mitmproxy.service
cp ilo3-mitmproxy.sh /usr/bin
cp mitmdump /usr/bin
systemctl enable ilo3-mitmproxy.service
systemctl start ilo3-mitmproxy.service

--------------------------------------------------------------------------------
/configure-java.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# this script is just there to check that the correct Java config (TLS v1.1 etc.) has been correctly applied by the base install script
# it should not be necessary to use it

LOCATION=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )

PATH=$LOCATION:$LOCATION/jre/jre1.8.0_321/bin:$PATH
JAVA_HOME=./jre/jre1.8.0_321
JRE_HOME=./jre/jre1.8.0_321

$LOCATION/jre/jre1.8.0_321/bin/ControlPanel

--------------------------------------------------------------------------------
/deployment.properties:
--------------------------------------------------------------------------------
deployment.webjava.enabled=true
deployment.webjava.enabled.locked
deployment.security.revocation.check=NO_CHECK
deployment.security.revocation.check.locked
deployment.security.blacklist.check=false
deployment.security.blacklist.check.locked
deployment.console.startup.mode=DISABLE
deployment.security.TLSv1.1=true
deployment.security.TLSv1.1.locked
deployment.security.TLSv1.2=true
deployment.security.TLSv1.2.locked
deployment.security.tls.revocation.check=NO_CHECK
deployment.security.tls.revocation.check.locked
deployment.javaws.jre.0.enabled=true
deployment.javaws.jre.0.enabled.locked


--------------------------------------------------------------------------------
/ilo3-mitmproxy.sh:
--------------------------------------------------------------------------------
#!/bin/bash
firewall-cmd --add-port=34001/tcp
mitmdump --set tls_version_server_min=TLS1_1 --set tls_version_server_max=TLS1_1 --set ciphers_server=AES128-SHA --ssl-insecure -p 34001 --mode reverse:https://192.168.150.1:443/ &
firewall-cmd --add-port=34002/tcp
mitmdump --set tls_version_server_min=TLS1_1 --set tls_version_server_max=TLS1_1 --set ciphers_server=AES128-SHA --ssl-insecure -p 34002 --mode reverse:https://192.168.150.2:443/ &
firewall-cmd --add-port=34003/tcp
mitmdump --set tls_version_server_min=TLS1_1 --set tls_version_server_max=TLS1_1 --set ciphers_server=AES128-SHA --ssl-insecure -p 34003 --mode reverse:https://192.168.150.3:443/ &

--------------------------------------------------------------------------------
/HONORABLE-MENTIONS.md:
--------------------------------------------------------------------------------
# Honorable Mentions

The whole idea stems from this Github Gist (https://gist.github.com/kiler129/904fe463b008e740315c4abaf33c68af#file-ilo-console-sh).

I used it as a starting point to modify the ilo-console.sh script (it needed quite some tweaking) and derive the ilo-proxy.sh script.
It did not work out of the box on newer systems due to additional openssl config needed by curl. Also the required Java setup is automated now and
based on your server farm helper scripts get generated so you basically have a single command solution for all of your machines.
But I think it is wise to keep the reference to the original file around to see where it all started from. Thanks kiler129.

Also I wish to thank the guys from mitmproxy for their excellent tool. Give them some love as well!

--------------------------------------------------------------------------------
/base-install.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# directory this script lives in; everything is installed below it
LOCATION=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )

echo "This script will now locally (within this repo) install mitmproxy and JRE8 to make iLO console and web access function. (Ctrl+C to abort, Enter to continue)"
read -s

echo "Download tool archives..."
wget -O /tmp/mitmproxy.tar.gz "https://snapshots.mitmproxy.org/6.0.2/mitmproxy-6.0.2-linux.tar.gz"
wget -O /tmp/jre.tar.gz "https://download.macromedia.com/pub/coldfusion/java/java8/8u321/jre/jre-8u321-linux-x64.tar.gz"

echo "Extract..."
mkdir -p "$LOCATION/jre"
cd "$LOCATION/jre"
tar xf /tmp/jre.tar.gz
cd "$LOCATION"
tar xf /tmp/mitmproxy.tar.gz

echo "Remove archives from /tmp location..."
rm -f /tmp/jre.tar.gz
rm -f /tmp/mitmproxy.tar.gz

echo "Install local Java config to allow TLSv1.1 and disable cert checking..."
cp "$LOCATION/deployment.config" "$LOCATION/jre/jre1.8.0_321/lib/"
cp "$LOCATION/deployment.properties" "$LOCATION/jre/jre1.8.0_321/lib/"

--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
I am giving this to any fellow suffering IT admins without any guarantees, but also without any obligations.
If you got here, you are smart enough to check administrative scripts before you run them and I will not be responsible for any damage caused directly or indirectly.

Nevertheless, you will realize getting this to run was a lot of work, so if this is at all useful to you, please follow the ko-fi link on the top of the Github page of the README.md file and leave me a tip. If you are a bigger organization and this really helps you to keep running with your HP G7 servers a bit longer, maybe think about redirecting some of the money you saved in not having to buy new hardware. I know there are a lot of you out there, and we all suffer exactly the same from HPE's lagging support mentality. So at least let's support each other.

Java 8 (which is not shipped with this repository but downloaded by a script to install everything) is subject to the license terms by Oracle. This also applies to their trademarks.

iLO is owned by Hewlett Packard Enterprise.

--------------------------------------------------------------------------------
/ilo-proxy.sh:
--------------------------------------------------------------------------------
#!/bin/bash

PATH=.:$PATH
ILO_AUTOPROXY=1

### HOST
echo -n 'iLO Host'
if [[ ! -z "$ILO_HOST" ]]; then
    if [[ -z "$ILO_SKIP_DEFAULTS" ]]; then
        echo -n " [$ILO_HOST]: "
        read ILO_NEW_HOST
        if [[ ! -z $ILO_NEW_HOST ]]; then ILO_HOST=$ILO_NEW_HOST; fi;
    else
        echo ": $ILO_HOST"
    fi;
else
    echo -n ': '
    read ILO_HOST
fi;
if [[ -z "$ILO_HOST" ]]; then
    echo "Empty host - aborted."
    exit 1
fi;

ILO_ADDRESS="$ILO_HOST"
if [[ ! "$ILO_ADDRESS" =~ ^"https://".* ]]; then ILO_ADDRESS="https://$ILO_ADDRESS"; fi;
# the anchor must stay unquoted: inside quotes bash matches "$" literally
if [[ ! "$ILO_ADDRESS" =~ /$ ]]; then ILO_ADDRESS="$ILO_ADDRESS/"; fi;

### AUTO-PROXY
if [[ ! -z "$ILO_AUTOPROXY" ]]; then
    ILO_AUTOPROXY_HOST=$(echo $ILO_ADDRESS|cut -d/ -f3)

    if ! command -v mitmdump &> /dev/null; then
        echo "Cannot find mitmdump (part of mitmproxy package) - it is required for ILO_AUTOPROXY"
        exit 1
    fi

    if ! command -v socat &> /dev/null; then
        echo "Cannot find socat - it is required for ILO_AUTOPROXY"
        exit 1
    fi

    trap "kill 0" EXIT
    # See https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-a00045334en_us
    mitmdump --set tls_version_server_min=TLS1_1 --set tls_version_server_max=TLS1_1 --set ciphers_server=AES128-SHA --ssl-insecure -p 9443 --mode reverse:$ILO_ADDRESS &
    socat TCP4-LISTEN:17990,fork,reuseaddr,bind=127.0.0.1 TCP4:$ILO_AUTOPROXY_HOST:17990 &
    sleep 2 # let mitmdump start
    ILO_ADDRESS="https://127.0.0.1:9443/"
    echo "iLO3-Webpage served by iLO-Proxy:"
    echo $ILO_ADDRESS
    echo "Ctrl+C to exit"
    socat TCP4-LISTEN:17988,fork,reuseaddr,bind=127.0.0.1 TCP4:$ILO_AUTOPROXY_HOST:17988
fi;

--------------------------------------------------------------------------------
/PREPARATIONS.md:
--------------------------------------------------------------------------------
# PREPARATIONS

Make sure you have done/checked the things below, otherwise you might experience issues.

- set all ilo3 interfaces to enforce AES/DES encryption, not needed for ilo4/5 (they speak TLSv1.2)
  - see bottom of README.md about how to do this via CLI if you cannot get to the webpage at all anymore
  - this is required to make any reasonable OpenSSL version work at all, FIPS mode has NOT been tested
- make sure your iLO interface firmwares are up to date and especially the same (iLO 3 should be at 1.94, iLO 4 min. at 2.79, iLO 5 min. at 2.63)
- the name of the jar file to be downloaded for the console can change as the iLO version increases, so if you get a "cannot load resource" error, you might have to adapt it in ilo-console.sh
  - to know the name, you must download the .jnlp file from the webpage of the affected iLO and check the link within (you get it by clicking the Java webstart button in the Remote Console menu)
- make sure your iLO machines have one common account name you use for login (e.g. Administrator)
- this has all been tested on RedHat family distros (most stuff on Fedora 36, the iLO 3 proxy service on RockyLinux 8), your mileage may vary on others and require adaptations
- if you plan to use the proxy service file, be mindful my implementation contains firewall-cmd settings, you might have to change this to fit your firewall
  - the place for the adaptation is the `generate-ilo-scripts.sh`
- look over the scripts provided here before you execute them, you might see things you wish to adapt to your situation
- you MUST stick to the Java 8 version downloaded by the base-install.sh script, OpenJDK webstart does NOT work, we unfortunately need original Java
- base-install.sh will download an older version (6.0.2) of mitmproxy ON PURPOSE, this is because of cipher support in their packaged OpenSSL
- I assume linux x86_64 for everything I download
- make sure you have libnsl installed on your system (required by Java webstart)


--------------------------------------------------------------------------------
/generate-ilo-scripts.sh:
--------------------------------------------------------------------------------
#!/bin/bash

PROXY_IP=192.168.150.100
PORT_PREFIX=34

# remote console wrappers: one per "ilo3/ilo4/ilo5 name ip" line in README.md ($0=tag, $1=name, $2=ip)
rm -f ilo-console-scripts/*-console.sh
cat README.md | grep -E "ilo(3|4|5) " | xargs -l1 bash -c 'echo \#\!/bin/bash > ilo-console-scripts/$0-$1-$2-console.sh; echo ILO_SKIP_DEFAULTS=1 ILO_LOGIN=Administrator ILO_HOST=$2 ILO_VERSION=${0: -1} \$\( cd -- \"\$\( dirname -- \"\$\{BASH_SOURCE\[0\]\}\" \)\" \&\> /dev/null \&\& pwd \)/../ilo-console.sh >> ilo-console-scripts/$0-$1-$2-console.sh'
chmod +x ilo-console-scripts/*-console.sh

# ssh wrappers with the legacy algorithms the iLO CLI needs
rm -f ilo-ssh-scripts/*-ssh.sh
cat README.md | grep -E "ilo(3|4|5) " | xargs -l1 bash -c 'echo \#\!/bin/bash > ilo-ssh-scripts/$0-$1-$2-ssh.sh; echo ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss -oCiphers=+aes256-ctr -l Administrator $2 \"\$@\" >> ilo-ssh-scripts/$0-$1-$2-ssh.sh'
chmod +x ilo-ssh-scripts/*-ssh.sh

# local proxy wrappers, iLO 3 only
rm -f ilo-proxy-scripts/*-proxy.sh
cat README.md | grep -E "ilo3 " | xargs -l1 bash -c 'echo \#\!/bin/bash > ilo-proxy-scripts/$0-$1-$2-proxy.sh; echo ILO_SKIP_DEFAULTS=1 ILO_HOST=$2 \$\( cd -- \"\$\( dirname -- \"\$\{BASH_SOURCE\[0\]\}\" \)\" \&\> /dev/null \&\& pwd \)/../ilo-proxy.sh >> ilo-proxy-scripts/$0-$1-$2-proxy.sh'
chmod +x ilo-proxy-scripts/*-proxy.sh

# proxy service script: listen port = PORT_PREFIX followed by the zero-padded last octet of the iLO IP
# (the mitmdump port uses $PORT_PREFIX as well, so it always matches the opened firewall port)
rm -f ilo3-mitmproxy.sh
echo "#!/bin/bash" > ilo3-mitmproxy.sh;
cat README.md | grep -E "ilo3 " | PORT_PREFIX=$PORT_PREFIX xargs -l1 bash -c 'echo firewall-cmd --add-port=$PORT_PREFIX$(echo $2 | cut -f4 -d. | xargs printf "%03d")/tcp >> ilo3-mitmproxy.sh; echo mitmdump --set tls_version_server_min=TLS1_1 --set tls_version_server_max=TLS1_1 --set ciphers_server=AES128-SHA --ssl-insecure -p $PORT_PREFIX$(echo $2 | cut -f4 -d. | xargs printf "%03d") --mode reverse:https://$2:443/ \& >> ilo3-mitmproxy.sh'
chmod +x ilo3-mitmproxy.sh

rm -f ilo3-mitmproxy.service
echo "[Unit]" > ilo3-mitmproxy.service
echo "Description=MITM Proxies for iLO3 servers" >> ilo3-mitmproxy.service
echo "After=network.target" >> ilo3-mitmproxy.service
echo "" >> ilo3-mitmproxy.service
echo "[Service]" >> ilo3-mitmproxy.service
echo "Type=forking" >> ilo3-mitmproxy.service
echo "ExecStart=ilo3-mitmproxy.sh" >> ilo3-mitmproxy.service
echo "" >> ilo3-mitmproxy.service
echo "[Install]" >> ilo3-mitmproxy.service
echo "WantedBy=multi-user.target" >> ilo3-mitmproxy.service

# now patch the README.md to insert the links to all iLOs
# this is some sed black magic. yes it's ugly, but it works.
rm -f .ilolist.tmp
echo "" > .ilolist.tmp
cat README.md | grep -E "ilo3 " | PROXY_IP=$PROXY_IP PORT_PREFIX=$PORT_PREFIX xargs -l1 bash -c 'echo \- $1 - https://$PROXY_IP:$PORT_PREFIX$(echo $2 | cut -f4 -d. | xargs printf "%03d")/ >> .ilolist.tmp'
cat README.md | grep -E "ilo(4|5) " | PROXY_IP=$PROXY_IP PORT_PREFIX=$PORT_PREFIX xargs -l1 bash -c 'echo \- $1 - https://$2/ >> .ilolist.tmp'
echo "" >> .ilolist.tmp
# this contraption clears everything between the markers before we insert our file contents
sed -i '/^DO NOT EDIT - AUTOGENERATED/,/^END DO NOT EDIT - AUTOGENERATED/{/^DO NOT EDIT - AUTOGENERATED/!{/^END DO NOT EDIT - AUTOGENERATED/!d}}' README.md
sed -i -e '/^DO NOT EDIT - AUTOGENERATED/r .ilolist.tmp' README.md
rm -f .ilolist.tmp

--------------------------------------------------------------------------------
/ilo-console.sh:
--------------------------------------------------------------------------------
#!/bin/bash

LOCATION=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )

PATH=$LOCATION:$LOCATION/jre/jre1.8.0_321/bin:$PATH
JAVA_HOME=./jre/jre1.8.0_321
JRE_HOME=./jre/jre1.8.0_321

### ILO VERSION
echo -n 'iLO Version'
if [[ ! -z "$ILO_VERSION" ]]; then
    if [[ -z "$ILO_SKIP_DEFAULTS" ]]; then
        echo -n " [$ILO_VERSION]: "
        read ILO_NEW_VERSION
        if [[ ! -z $ILO_NEW_VERSION ]]; then ILO_VERSION=$ILO_NEW_VERSION; fi;
    else
        echo ": $ILO_VERSION"
    fi;
else
    echo -n ': '
    read ILO_VERSION
fi;
if [[ -z "$ILO_VERSION" ]]; then
    echo "Empty version - aborted."
    exit 1
fi;

### HANDLE VERSION PICK
case $ILO_VERSION in
    "2")
        ILO_JAR=html/intgapp_228.jar; ;;
    "3")
        ILO_JAR=html/intgapp3_231.jar; ;;
    "4")
        ILO_JAR=html/intgapp4_232.jar; ;;
    "5")
        ILO_JAR=html/intgapp4_252.jar; ;;
    *)
        echo "iLO $ILO_VERSION is not supported"
        exit 1;
esac

### HOST
echo -n 'iLO Host'
if [[ ! -z "$ILO_HOST" ]]; then
    if [[ -z "$ILO_SKIP_DEFAULTS" ]]; then
        echo -n " [$ILO_HOST]: "
        read ILO_NEW_HOST
        if [[ ! -z $ILO_NEW_HOST ]]; then ILO_HOST=$ILO_NEW_HOST; fi;
    else
        echo ": $ILO_HOST"
    fi;
else
    echo -n ': '
    read ILO_HOST
fi;
if [[ -z "$ILO_HOST" ]]; then
    echo "Empty host - aborted."
    exit 1
fi;

### LOGIN
# While -i exists it's not portable
echo -n 'iLO Login'
if [[ ! -z "$ILO_LOGIN" ]]; then
    if [[ -z "$ILO_SKIP_DEFAULTS" ]]; then
        echo -n " [$ILO_LOGIN]: "
        read ILO_NEW_LOGIN;
        if [[ ! -z $ILO_NEW_LOGIN ]]; then ILO_LOGIN=$ILO_NEW_LOGIN; fi;
    else
        echo ": $ILO_LOGIN"
    fi;
else
    echo -n ': '
    read ILO_LOGIN
fi;
if [[ -z "$ILO_LOGIN" ]]; then
    echo "Empty login - aborted."
    exit 1
fi;

### PASSWORD
echo -n 'iLO Password: '
read -s ILO_PASSWORD
echo;

ILO_ADDRESS="$ILO_HOST"
if [[ ! "$ILO_ADDRESS" =~ ^"https://".* ]]; then ILO_ADDRESS="https://$ILO_ADDRESS"; fi;
# the anchor must stay unquoted: inside quotes bash matches "$" literally
if [[ ! "$ILO_ADDRESS" =~ /$ ]]; then ILO_ADDRESS="$ILO_ADDRESS/"; fi;

### AUTO-PROXY
if [[ ! -z "$ILO_AUTOPROXY" ]]; then
    ILO_AUTOPROXY_HOST=$(echo $ILO_ADDRESS|cut -d/ -f3)

    if ! command -v mitmdump &> /dev/null; then
        echo "Cannot find mitmdump (part of mitmproxy package) - it is required for ILO_AUTOPROXY"
        exit 1
    fi

    if ! command -v socat &> /dev/null; then
        echo "Cannot find socat - it is required for ILO_AUTOPROXY"
        exit 1
    fi

    trap "kill 0" EXIT
    # See https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-a00045334en_us
    mitmdump --ssl-insecure -p 9443 --mode reverse:$ILO_ADDRESS &
    socat TCP4-LISTEN:17990,fork,reuseaddr,bind=127.0.0.1 TCP4:$ILO_AUTOPROXY_HOST:17990 &
    socat TCP4-LISTEN:17988,fork,reuseaddr,bind=127.0.0.1 TCP4:$ILO_AUTOPROXY_HOST:17988 &
    sleep 2 # let mitmdump start
    ILO_ADDRESS="https://127.0.0.1:9443/"
fi;

# sed -n ... p prints only when a 32-hex-digit session key was found,
# so any other response leaves ILO_SESSKEY empty
ILO_SESSKEY=$(
    OPENSSL_CONF=$LOCATION/openssl-conf.cnf curl -fsS \
        --insecure \
        "${ILO_ADDRESS}json/login_session" \
        --data "{\"method\":\"login\",\"user_login\":\"$ILO_LOGIN\",\"password\":\"$ILO_PASSWORD\"}" |
        sed -n 's/.*"session_key":"\([a-f0-9]\{32\}\)".*/\1/p'
);
if [[ -z "$ILO_SESSKEY" ]]; then
    echo "Failed to retrieve key. Wrong password or banned?"
    exit 1
fi;


# normal mktemp will not work with higher Java security settings
ILO_JNLP="$HOME/.iLO.jnlp"

cat >"$ILO_JNLP" <<eof


Integrated Remote Console
HPE

eof


echo "Starting iLO console..."
if [[ ! -z "$ILO_AUTOPROXY" ]]; then
    echo "Console will appear soon. DO NOT close this window! (using autoproxy)"
    javaws -wait $ILO_JNLP; rm $ILO_JNLP
else
    # javaws -wait $ILO_JNLP; rm $ILO_JNLP
    nohup sh -c "/usr/bin/env javaws -wait $ILO_JNLP; rm $ILO_JNLP" >/dev/null 2>&1 &
    #echo "Console started. You CAN close this window."
fi;


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# ilo-utils - How to make managing iLO sane under Linux

If this is in any way shape or form helpful to you: Please also check LICENSE.md and consider leaving me a tip on ko-fi:

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/R6R8DQO8C)

![image](https://user-images.githubusercontent.com/25175069/178159517-26c0ddef-30bc-4c48-ad57-1b4eeb40206e.png)

## Installation

- check PREPARATIONS.md
- update the 3 iLO-sections below after having read the IMPORTANT HINTS section directly above them to make your servers known to the generator
- run base-install.sh to get mitmproxy and the right Java version
- run generate-ilo-scripts.sh to update all scripts and the autogen section in this README file
- read the Quick Start, be happy :D

## Quick Start

NOTE for iLO 2 users: If you really still have one of these ancient specimens: iLO 2 is not covered by the script generator, but after performing the setup above you can give '2' as a version when prompted directly to the ./ilo-console.sh script. The jar file is covered in there, so generally that should work as well.

To run a remote console for an iLO server, run the corresponding script in 'ilo-console-scripts'.

To ssh to the CLI of any iLO server, run the corresponding script in 'ilo-ssh-scripts'.

If you update any of the iLO server lists below (please mind the IMPORTANT HINTS section!), re-run the `generate-ilo-scripts.sh` script and commit the results after checking them.
This script takes care of updating everything. If you happen to use the generated iLO 3 proxy service, make sure to pull in this repository on the server where the proxy runs
and re-run the install script to update the service with any new potential iLO 3 machines or (more likely) remove old ones that have been decommissioned.

To locally connect to an iLO 3 webpage, which normally does not open in modern browsers, run the corresponding script from 'ilo-proxy-scripts' and then connect to the displayed
local URL. (https://127.0.0.1:9443)
If running this fails, make sure you have `socat` installed on your system (in Fedora it can be simply installed using `dnf`).
In Firefox you will have to accept the clamped certificate by the proxy which is used to mask the old TLSv1.1 cipher on the iLO 3 interfaces.

You can also use the proxies running on one of your servers, which are installed there using the provided install script in this repo.
If you do this, please adapt the 'PROXY_IP' setting in `generate-ilo-scripts.sh` so that the links below will be correct for iLO 3.
For your convenience, here are all the iLO webpage links the generator could derive.

DO NOT EDIT - AUTOGENERATED

- example-server1-ilo - https://192.168.150.100:34001/
- example-server2-ilo - https://192.168.150.100:34002/
- example-server3-ilo - https://192.168.150.100:34003/
- example-server4-ilo - https://192.168.150.4/
- example-server5-ilo - https://192.168.150.5/
- example-server6-ilo - https://192.168.150.6/

END DO NOT EDIT - AUTOGENERATED


## IMPORTANT HINTS about this file

ATTENTION: The 3 following sections for iLO3, 4 and 5 are a living/executable spec.
These are grepped by the `generate-ilo-scripts.sh` tool to generate remote console, ssh and (for iLO 3) proxy scripts to make iLO easily usable under Linux.
So if any IPs or names change, or Servers are added or removed, keep them consistent here and re-run the script, commit these changed files afterwards.

DO NOT USE THE PREFIXES in small letters and the attached iLO version as seen below without the space anywhere in this file except for the lists below.
We grep for these, and if they are used outside the lists below the resulting scripts will be garbage.
Use the official 'iLO' name instead and attach the version with a space, e.g. 'iLO 3' in the remaining text.

## List of old iLO 3 devices in our network

```
# follow exactly this syntax - iLO-tag with version name-of-the-servers-ilo-without-spaces IP
# the name doesn't have to be any known DNS name in your network, it is just for convenient identification and
# will be used in naming the scripts and the links above
ilo3 example-server1-ilo 192.168.150.1
ilo3 example-server2-ilo 192.168.150.2
ilo3 example-server3-ilo 192.168.150.3
```

## List of iLO 4 devices where using java console might be favorable (HTML5 virtual media is laggy)

```
# comments can be used here
ilo4 example-server4-ilo 192.168.150.4
ilo4 example-server5-ilo 192.168.150.5
```

## List of iLO 5 devices, these should be usable without any hacks, but the ./ilo-console.sh works anyway

```
ilo5 example-server6-ilo 192.168.150.6
```

## List of other/special hosts

```
# here you can keep anything for your doc purposes which doesn't have an iLO, it will not be picked up
example-hpc7000-mgmt 192.168.150.249 Blade Center, no remote console
example-supermicro-ipmi 192.168.150.100 Supermicro Server, use HTML5 console from web interface
```


## ilossh Info

Use ilossh alias or one of the generated ilossh scripts to login to older iLO 3:

```
alias ilossh='ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss -oCiphers=+aes256-ctr -l Administrator '
```

When logged in, you can navigate the config using the `show` command, and manipulate the settings using `set`.

E.g. to enable the AES ciphers so that the remote console can work under linux, do this:

```
show map1/config1
set /map1/config1 oemhp_enforce_aes=yes
```

Or to change the ilo hostname:

```
show /map1/enetport1
set /map1/enetport1 SystemName=your-hostname-that-you-want-to-set
```

--------------------------------------------------------------------------------
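generate-ilo-scripts.sh above takes the inventory lines out of README.md with an unanchored grep and pastes the three fields, unchecked, into generated file names, script bodies and proxy ports. The following is an added example, not part of the repository, that validates those lines first; `is_ipv4`, `validate_inventory` and the sample inventory are names and data constructed for illustration. It goes one step beyond the page by also catching two iLO 3 hosts whose last octet is equal, which the last-octet port scheme would map to the same proxy port.

```bash
#!/bin/bash
# Added example, not part of the repository: strict validation of the README
# inventory lines before any script is generated from them.
export LC_ALL=C          # byte-wise [A-Z] ranges in the patterns below
PORT_PREFIX=34           # same default as in generate-ilo-scripts.sh

# is_ipv4 ADDRESS: succeed only for four decimal octets in the range 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# validate_inventory: read inventory text on stdin, print "tag name ip port"
# for every accepted line (port is "-" for iLO 4/5, which need no proxy).
# Rejected lines go to stderr and make the function return 1.
validate_inventory() {
    seen_ports=' '; seen_names=' '; status=0
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f          # field split without globbing
        case ${1-} in
            ilo3|ilo4|ilo5) ;;
            *) continue ;;                    # prose, comments, fences, other hosts
        esac
        reason=''
        if [ $# -ne 3 ]; then
            reason='expected exactly: tag name ip'
        else
            tag=$1; name=$2; ip=$3; port=-
            case $name in
                [!A-Za-z0-9]*|*[!A-Za-z0-9._-]*)
                    reason='name may only contain A-Z a-z 0-9 . _ -' ;;
            esac
            if [ -z "$reason" ] && ! is_ipv4 "$ip"; then
                reason='not an IPv4 address'
            fi
            if [ -z "$reason" ]; then
                case $seen_names in *" $name "*) reason='duplicate name' ;; esac
            fi
            if [ -z "$reason" ] && [ "$tag" = ilo3 ]; then
                # same mapping as the generator: prefix + zero-padded last octet
                port=$(printf '%s%03d' "$PORT_PREFIX" "${ip##*.}")
                case $seen_ports in
                    *" $port "*) reason="proxy port $port already assigned" ;;
                esac
            fi
        fi
        if [ -n "$reason" ]; then
            printf 'rejected: %s (%s)\n' "$line" "$reason" >&2
            status=1
            continue
        fi
        seen_names="$seen_names$name "; seen_ports="$seen_ports$port "
        printf '%s %s %s %s\n' "$tag" "$name" "$ip" "$port"
    done
    return "$status"
}

# Constructed sample: entries from the README plus three malformed ones.
SAMPLE_INVENTORY='# follow exactly this syntax
ilo3 example-server1-ilo 192.168.150.1
ilo3 example-server2-ilo 192.168.150.2
ilo4 example-server4-ilo 192.168.150.4
ilo3 other-subnet-ilo 10.0.0.1
ilo3 rack2/server7-ilo 192.168.150.7
ilo5 example-server6-ilo 192.168.150.600
example-hpc7000-mgmt 192.168.150.249 Blade Center, no remote console'

printf '%s\n' "$SAMPLE_INVENTORY" | validate_inventory ||
    echo "inventory has errors; do not generate scripts from it" >&2
```

Because the tag must be the first field of a line, prose that merely mentions a lowercase tag is ignored instead of being turned into a script.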
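In ilo-console.sh above, the login request interpolates `$ILO_LOGIN` and `$ILO_PASSWORD` straight into the JSON text and hands it to curl as a `--data` argument, so a password containing `"` or `\` produces a malformed or altered body, and the password sits in curl's argument list where other local users can read it with `ps`. The following is an added example, not the repository's code: `json_string`, `ilo_login_body` and `ilo_login` are hypothetical helper names, and the curl options other than `--data @-` are the ones the page already uses.

```bash
#!/bin/bash
# Added example, not part of the repository.

# json_string VALUE: print VALUE as a quoted JSON string. Values containing
# control characters are refused rather than escaped.
json_string() {
    stripped=$(printf '%s' "$1" | tr -d '[:cntrl:]')
    [ "$stripped" = "$1" ] || return 1
    # escape backslashes first, then double quotes
    printf '"%s"' "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
}

# ilo_login_body LOGIN PASSWORD: print the JSON document for json/login_session.
ilo_login_body() {
    user=$(json_string "$1") || return 1
    pass=$(json_string "$2") || return 1
    printf '{"method":"login","user_login":%s,"password":%s}' "$user" "$pass"
}

# ilo_login ADDRESS LOGIN PASSWORD: the same request as in ilo-console.sh, but
# the body reaches curl on stdin (--data @-). printf is a shell builtin, so the
# password never appears in the argument list of any process.
ilo_login() {
    body=$(ilo_login_body "$2" "$3") || {
        echo "login or password contains control characters" >&2
        return 1
    }
    # --insecure and the legacy OpenSSL config are kept as on the page:
    # the iLO certificate is still not verified by this call.
    printf '%s' "$body" |
        OPENSSL_CONF="${LOCATION:-.}/openssl-conf.cnf" curl -fsS --insecure \
            --data @- "${1}json/login_session"
}

# Constructed sample password with a quote and a backslash in it.
ilo_login_body 'Administrator' 'pa"ss\word'; echo
```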