What is SUM and SUT

When working with HPE server systems, we come across terms like SUM and SUT.

So, today we will go through the basics of the two and the differences between them. Most of us know SUM, which stands for Smart Update Manager. HP Smart Update Manager is a product which updates firmware and software on HPE Synergy Compute Modules and HPE ProLiant servers, and firmware on HPE Integrity and HPE ProLiant Moonshot servers. HP SUM has a browser-based GUI as well as a scriptable interface with legacy command line interface, input file, and interactive command line interface modes. Typically, the ISO is burned to a DVD or written to a flash drive. Once the media has been created, we boot from it and carry out the installation as required.

Now let's look at SUT (Smart Update Tools)

Integrated Smart Update Tools (iSUT) is the smart update solution for performing online firmware and driver updates. iSUT is used with iLO 4, iLO 5, and with update solutions (management appliances such as iLO Amplifier Pack or HPE OneView, and Smart Update Manager (SUM)) to stage, install, and activate firmware and driver updates.

This solution reduces the downtime and the manual work required of IT support personnel. For SUT to work, the toolkit should be installed on the host operating system (e.g., ESXi, Windows, Linux). SUT is really useful if your environment has multiple servers. Unlike SUM, SUT configuration requires additional steps and some knowledge of FIPS security levels. HPE provides a great guide on SUT configuration; if you need to learn more about FIPS, you may want to have a quick look at that as well.

Understanding FIPS security modes in iLO

As IT professionals, we are expected to work on server systems, and there are instances where we need to harden the server hardware infrastructure. With HPE iLO 5 standard edition, included with every ProLiant Gen10 Server, customers get the ability to configure their servers in one of three security modes. The default is "Production Mode".

The three modes are Production Mode, High Security Mode, and FIPS Mode. With the iLO Advanced Premium Security Edition license, customers who need the highest-level encryption capabilities have a fourth mode available to them: CNSA Mode.

Let's take a deep dive into the FIPS modes that most of the vendors support.

Production Mode

When set to this security mode, iLO uses the factory default encryption settings. The system maintenance switch setting to bypass iLO security (sometimes called the iLO Security Override switch) disables the password requirement for logging in to iLO.  

High Security Mode

This locks down the host interface by requiring authentication from the host OS side. High security mode enforces stricter security policies such as requiring valid iLO 5 credentials to use RBSU or other host-based utilities.

FIPS Mode

FIPS Mode not only implements validated encryption ciphers (as High Security Mode does) but also closes down insecure interfaces that do not meet the government standard. Because interfaces like IPMI and SNMP v1 are shut off, potential attack surfaces are reduced. When entering FIPS mode, all the iLO 5 settings are reinitialized to operate as a FIPS validated environment.


CNSA Mode

CNSA is a suite of cryptographic algorithms approved for use by the US National Security Agency for protecting secret and top secret information within the U.S. government, and is the highest-level cryptographic algorithm suite available for commercial systems.

[source: HPE]