Dell Remote Access Controller

From Leo's Notes
Last edited on 26 January 2023, at 20:56.

Dealing with a Dell iDRAC is always fun. Here are some notes on how to use it.

Tasks

Access the serial console

Access RAC via SSH, then run:

$ console com2

Press Ctrl-\ to exit.

Restart the server

$ racadm serveraction powercycle

Other actions include:

  • powerdown to halt system
  • powerup to start the system
  • powercycle to stop and start the system
  • powerstatus to display the system status (either ON or OFF)
  • hardreset to force a power reset

Restart the remote access controller

$ racadm racreset soft

You may also use a hard reset, or force the reset with -f. For example:

$ racadm racreset hard -f

Updating the BIOS

You can either use the Linux .bin update file or trigger the update from the iDRAC command line.

To update with iDRAC, download the BIOS update file from Dell's website and place it on a local web server. Next, log in to the iDRAC and trigger the update:

> racadm update -f BIOS_0CD33_WN64_2.5.4.EXE -l http://10.1.1.234/ --reboot

Updating the iDRAC firmware

Obtain the iDRAC with Lifecycle Controller firmware package from Dell's website and extract the iDRAC firmware file.

# ./iDRAC-with-Lifecycle-Controller_Firmware_HFMCV_LN_3.36.36.36_A00.BIN --extract idrac
## Copy it to tftp server, under the /updates directory
# cp ./idrac/payload/firmimgFIT.d9 /var/lib/tftpboot/updates

Update the firmware by logging in to the iDRAC and running:

> racadm fwupdate -g -u -a 10.1.1.234 -d /c6420

Updating the chassis management firmware

Download the chassis firmware from Dell's website. It's usually a .zip file containing a cm.sc. Place the file on a web server on the network.

Access the iDRAC, then run racadm update -f cm.sc -l <url to root of file>. It should report that the update is initiated.

## Obtain the update file from http://10.1.1.234/cm.sc
> racadm update -f cm.sc -l http://10.1.1.234
....Copying completed.                                       
RAC1066: Firmware update for cm.sc initiated successfully.

Verify the chassis firmware after a couple of minutes.

> racadm get system.chassisinfo.Firmwareversion
[Key=system.Embedded.1#ChassisInfo.1]
FirmwareVersion=3.51.0.0.0.0

You can also verify the chassis firmware version with ipmitool raw 0x30 0x12.

## The 4th and 5th bytes contain the version number in hex (3.51 in this example)
# ipmitool raw 0x30 0x12
 01 da 1b 03 33 01 00 00 00 04 02 00 01 2d 37 ff
 ff 08 c2 00 00 00 08 01 08 10 64 23 fa 01
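
As an added example (not part of the original notes), the two checks above can be scripted so a post-update verification fails loudly when racadm and ipmitool disagree. The function names are hypothetical, the sample inputs are the outputs shown above, and only the major.minor part of the version is compared.

```sh
#!/bin/sh
# Constructed sample input: the two outputs shown in the transcripts above.
IPMI_SAMPLE=' 01 da 1b 03 33 01 00 00 00 04 02 00 01 2d 37 ff
 ff 08 c2 00 00 00 08 01 08 10 64 23 fa 01'
RACADM_SAMPLE='[Key=system.Embedded.1#ChassisInfo.1]
FirmwareVersion=3.51.0.0.0.0'

# Print the Nth (1-based) byte of an `ipmitool raw` response, or fail if it
# is missing or is not exactly two hex digits.
ipmi_byte() {
    ib_val=$(printf '%s\n' "$1" | tr -s ' \t' '\n\n' | sed '/^$/d' | sed -n "${2}p")
    case "$ib_val" in
        [0-9a-fA-F][0-9a-fA-F]) printf '%s\n' "$ib_val" ;;
        *) return 1 ;;
    esac
}

# Decode major.minor from `ipmitool raw 0x30 0x12` (bytes 4 and 5, hex).
ipmi_chassis_version() {
    icv_major=$(ipmi_byte "$1" 4) || return 1
    icv_minor=$(ipmi_byte "$1" 5) || return 1
    printf '%d.%d\n' "0x$icv_major" "0x$icv_minor"
}

# Extract major.minor from `racadm get system.chassisinfo.Firmwareversion`.
racadm_chassis_version() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/^FirmwareVersion=\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | sed -n '1p'
}

# Succeed only if both interfaces report the expected major.minor version.
# Arguments: expected version, ipmitool output, racadm output.
chassis_fw_matches() {
    cfm_ipmi=$(ipmi_chassis_version "$2") || return 1
    cfm_rac=$(racadm_chassis_version "$3")
    [ "$cfm_ipmi" = "$1" ] && [ "$cfm_rac" = "$1" ]
}

if chassis_fw_matches 3.51 "$IPMI_SAMPLE" "$RACADM_SAMPLE"; then
    echo "chassis firmware 3.51 confirmed by racadm and ipmitool"
fi
```

On a live system, pass the captured output of the two commands in place of the sample variables.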

Accessing old iDRAC

On modern systems, accessing old iDRAC interfaces is problematic. The problem is twofold: the browser refuses to connect using old SSL (pre TLS 1.2), and the Java applet for KVM access relies on now-deprecated TLS algorithms. As a result, trying to access these old iDRAC/iLO interfaces results in an SSL_ERROR_UNSUPPORTED_VERSION error that you can't bypass, and the Java applet you try to launch won't connect properly.

To fix the web browser issue, the best option is to load up an old standalone version of Firefox. Use the following script to help you get this running:

# Credit to bmaupin. Originally from:
# https://gist.github.com/bmaupin/731fc12a178114883ff6e7195a133563

## Firefox 33 was the last version to support SSLv3 (https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/)
firefox_version=33.0
## Firefox 51 was the last version to support NPAPI plugins (e.g. Java) (https://support.mozilla.org/en-US/kb/npapi-plugins)
##firefox_version=51.0
## Firefox 56 was the last version to support XPCOM- and XUL-based add-ons (https://blog.mozilla.org/addons/2016/11/23/add-ons-in-2017/)
##firefox_version=56.0

$ wget https://ftp.mozilla.org/pub/firefox/releases/$firefox_version/linux-x86_64/en-US/firefox-$firefox_version.tar.bz2
$ tar -xvf firefox-$firefox_version.tar.bz2
$ mv firefox firefox-$firefox_version
$ cd firefox-$firefox_version
$ mkdir profile
$ # Disable automatic updates and default browser check
$ echo "user_pref(\"app.update.enabled\", false);
user_pref(\"browser.shell.checkDefaultBrowser\", false);" > profile/user.js
$ ./firefox --profile profile

To get Java working, do the following:

  1. Download Java at https://www.java.com/en/download/manual.jsp. I use the oldest supported version.
  2. Extract the .tar.gz package somewhere.
  3. Edit ./lib/security/java.security and comment out all lines containing 'disabledAlgorithms'. (This is likely not optimal, but we just want this working)
  4. Run ./bin/ControlPanel. Navigate to the 'Security' tab and add both the HTTP and HTTPS URLs of your iDRAC. For example: http://172.21.0.60:80 and https://172.21.0.60:443. The HTTPS one is required to download the jar files from the iDRAC interface, while the HTTP one is required for the KVM connection.

You should be able to launch a Java KVM application (the downloads that end with the .jnlp extension) using the ./bin/javaws binary.

Disable host header check

Newer iDRACs have the host header check enabled. This means that when you access the iDRAC using a hostname, the hostname must match the server name. Alternatively, you can use the IP address directly.

When the check fails, the iDRAC web server will return a "Bad Request" 400 error.

To disable this, run:

racadm set idrac.webserver.HostHeaderCheck 0

See: https://www.dell.com/support/kbdoc/en-ca/000189996/idrac8-https-fqdn-connection-failures-on-2-81-81-81

Troubleshooting

Older iDRACs require Java. That's always fun.

Network connection has dropped


Install icedtea-web or the official JDK from Oracle. Because the iDRAC uses RC4 for SSL/TLS, you will get the error "The viewer has terminated. Reason: The network connection has dropped." if you try to connect. To work around this, edit /usr/java/jdk1.8.0_202-amd64/jre/lib/security/java.security (change the Java version as required) and change jdk.tls.disabledAlgorithms so that it no longer includes RC4. Save the file and try launching the Java Web Start applet again.

#jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
#    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.tls.disabledAlgorithms=SSLv3, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
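
As an added example (not part of the original notes), the java.security edit above can be scripted so that only RC4 is dropped from jdk.tls.disabledAlgorithms and every other restriction stays in place, which is a narrower change than commenting out every disabledAlgorithms line as in the "To get Java working" steps. The function names and the sample fragment are constructed for illustration; the script assumes the property uses backslash line continuations as shown above.

```sh
#!/bin/sh
# Constructed sample: a fragment in the layout of the JRE's java.security.
sample_java_security() {
    cat <<'EOF'
# Constructed sample fragment, not a full java.security file
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
security.overridePropertiesFile=true
EOF
}

# Read java.security on stdin and write it to stdout with RC4 removed from
# jdk.tls.disabledAlgorithms only. Every other line passes through unchanged.
allow_rc4_only() {
    awk '
    /^jdk\.tls\.disabledAlgorithms=/ { inprop = 1; buf = "" }
    inprop {
        line = $0
        more = (line ~ /\\$/)            # trailing backslash: value continues
        sub(/\\$/, "", line)
        if (buf != "") sub(/^[ \t]+/, "", line)
        buf = buf line
        if (more) next
        inprop = 0
        eq = index(buf, "=")
        n = split(substr(buf, eq + 1), item, ",")
        out = ""
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", item[i])
            if (item[i] == "" || item[i] == "RC4") continue
            out = out (out == "" ? "" : ", ") item[i]
        }
        print substr(buf, 1, eq) out     # joined onto a single line
        next
    }
    { print }
    '
}

# Patch the java.security file at path $1 in place, keeping a .orig backup.
patch_private_jre() {
    cp "$1" "$1.orig" && allow_rc4_only < "$1.orig" > "$1"
}

sample_java_security | allow_rc4_only
```

Pointing patch_private_jre at the java.security of a separately extracted JRE used only for the iDRAC keeps the system-wide Java configuration untouched.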

Java application blocked

On an even older Dell iDRAC (version 2.2), when trying to launch the Java Web Start application, I got an "Application Blocked by Java Security".

To fix this, you need to open the Java security control panel by running /usr/java/jdk1.8.0_202-amd64/jre/bin/ControlPanel, go to the "Security" tab, and then click 'Edit Site List...'. Add your iDRAC's address into the exception list. For example, http://ipmi-nn1:80 or https://ipmi-nn1:443.

Duplicate exists

Run killall java and try again.