メイン コンテンツに進む
ログアウト

Dellへようこそ

マイアカウント
  • すばやく簡単にご注文が可能
  • 注文内容の表示、配送状況をトラック
  • 会員限定の特典や割引のご利用
  • 製品リストの作成とアクセスが可能
  • 「Company Administration(会社情報の管理)」では、お使いのDell EMCのサイトや製品、製品レベルでのコンタクト先に関する情報を管理できます。
ログイン アカウントの新規作成 プレミアログイン パートナー プログラム サインイン
お問い合わせ

Dell.comカート

文書番号: 000189996

iDRAC8 firmware version 2.81.81.81: HTTP or HTTPS FQDN Connection Failures

概要: The Dell EMC Integrated Dell Remote Access Controller 8 (iDRAC9) firmware version 2.81.81.81 blocks HTTP or HTTPS access through Fully Qualified Domain Name (FQDN) when the FQDN is not defined as the iDRAC RAC Name. ...

この記事は自動翻訳されたものである可能性があります。品質に関するフィードバックがある場合は、このページの下部にあるフォームを使用してお知らせください。

文書の内容

現象

The Dell EMC Integrated Dell Remote Access Controller 8 (iDRAC8) firmware version 2.81.81.81 introduced HTTP or HTTPS connection changes that may impact user connections when specifying Fully Qualified Domain Name (FQDN) address. Due to these changes,  iDRAC9 users may encounter connection errors, redirection, or '400 - Bad Request' errors. These connection sightings occur when the specified FQDN does not match the iDRAC 'DNSRacName' or 'DNSDomainName' values.

Browser Error Example:

iDRAC8-Mozilla-Unable2Connect.png

Curl Error Example: 

	root@rhel7-vm:~$ curl -k https://iR630-A.dell.com/
	<!DOCTYPE html>
	<head>
	    <title>Bad Request</title>
	    <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon">
	</head>
	<body>
	<h2>Access Error: 400 -- Bad Request</h2>
	<pre></pre>
	</body>
</html>

原因

The webserver in iDRAC8 firmware version 2.81.81.81 enforces an HTTP or HTTPS Host Header check by default. Additional information is available in the Dell Security Advisory: DSA-2021-041: Dell iDRAC 8 Security Update for a host header injection vulnerability.

解決方法

By default, iDRAC8 checks the HTTP or HTTPS Host Header and compares it to the defined 'DNSRacName' and 'DNSDomainName'. When the values do not match, the iDRAC refuses the HTTP or HTTPS connection. In iDRAC8 2.81.81.81, this Host Header enforcement can be disabled with the following RACADM command:

#Disable host header check
racadm set idrac.webserver.HostHeaderCheck 0

Note: Only set the HostHeaderCheck value to '0' when manual Host Record exists within DNS environment.

When the HTTP or HTTPS Host Header check is enabled (more secure), iDRAC can be accessed using the IPv4or IPv6 address, the RAC Name, or the defined iDRAC FQDN (DNSRacName.DNSDomainName). If end user is accessing with hostnames that iDRAC may not be aware of (such as a manual DNS entry added in DNS records), iDRAC8 2.81.81.81 firmware version introduced a new attribute 'ManualDNSEntry'. This new setting can be updated with up to four IP addresses, host names, or FQDNs to provide an allow-list of Host Headers. This ensures that incoming requests are not dropped when the HTTP or HTTPS Host Header carries one of the entries in the 'ManualDNSEntry' setting.
 
# Add manual entry to allow list
racadm set idrac.webserver.ManualDNSEntry 192.168.20.30
racadm set idrac.webserver.ManualDNSentry 192.168.20.30,idrac.mydomain.com

This additional configuration is required in cases when:

  • End user is using manual DNS configuration to access iDRAC (Manual DNS Host Record.
  • Subject Alternative Name or Wild-card certificate is used to access the iDRAC.
  • Accessing iDRAC using host IP address directly (by ISM).
Note: To resolve ISM connection issues, disabling the host header check feature is the only mitigation. Manual DNS Entries do not resolve ISM connections. 

文書のプロパティ

影響を受ける製品

iDRAC8 with Lifecycle Controller version 2.81.81.81

最後に公開された日付

11 1月 2022

バージョン

11

文書の種類

Solution

トップに戻る