Closed downtownle closed 3 months ago
Hi @downtownle
Are you able to use your iDRAC FQDN string to access the iDRAC GUI, with only the Redfish curl command failing, or are you unable to access the iDRAC using any interface?
Also, based on the article link, did you try to disable the host header check in iDRAC, and does the curl command still fail?
Thanks Tex
Hello Texas,
I had thought there was a curl Redfish command you could recommend to turn it off or on before resetting the iDRAC to get around it? Kind of: turn off the host header check, reset the iDRAC9, and switch the host header check back on later if possible. I can currently only find racadm commands to deactivate it and set the DNS entry.
GET and PATCH example for iDRAC attribute WebServer.1.HostHeaderCheck.
[root@localhost]# curl -k -X GET -u root:calvin 'https://idrac-BZ01345/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1?$select=Attributes/WebServer.1.HostHeaderCheck' --insecure | jq
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 274 100 274 0 0 200 0 0:00:01 0:00:01 --:--:-- 200
{
"@odata.context": "/redfish/v1/$metadata#DellAttributes.DellAttributes",
"@odata.id": "/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1",
"@odata.type": "#DellAttributes.v1_0_0.DellAttributes",
"Attributes": {
"WebServer.1.HostHeaderCheck": "Enabled"
}
}
[root@localhost]# curl -k -X PATCH -u root:calvin 'https://idrac-BZ01345/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1' --insecure -d '{"Attributes":{"WebServer.1.HostHeaderCheck":"Disabled"}}' -i -H "Content-Type: application/json"
HTTP/1.1 200 OK
Date: Tue, 14 May 2024 02:47:44 GMT
Server: Apache
OData-Version: 4.0
Cache-Control: no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Length: 506
Vary: Accept-Encoding
Content-Type: application/json;odata.metadata=minimal;charset=utf-8
{"@Message.ExtendedInfo":[{"Message":"The request completed successfully.","MessageArgs":[],"MessageArgs@odata.count":0,"MessageId":"Base.1.12.Success","RelatedProperties":[],"RelatedProperties@odata.count":0,"Resolution":"None","Severity":"OK"},{"Message":"The operation successfully completed.","MessageArgs":[],"MessageArgs@odata.count":0,"MessageId":"IDRAC.2.9.SYS413","RelatedProperties":[],"RelatedProperties@odata.count":0,"Resolution":"No response action is required.","Severity":"Informational"}]}
[root@localhost]# curl -k -X GET -u root:calvin 'https://idrac-BZ01345/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1?$select=Attributes/WebServer.1.HostHeaderCheck' --insecure | jq
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 275 100 275 0 0 222 0 0:00:01 0:00:01 --:--:-- 222
{
"@odata.context": "/redfish/v1/$metadata#DellAttributes.DellAttributes",
"@odata.id": "/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1",
"@odata.type": "#DellAttributes.v1_0_0.DellAttributes",
"Attributes": {
"WebServer.1.HostHeaderCheck": "Disabled"
}
}
Thanks Tex
That doesn't really help me. Because I can't get to the iDRAC via FQDN. What needs to be set via DHCPv6 for it to work?
[a758240@m4bxvmvs02cd ~]$ curl -k -X GET -u root:calvin 'https://bn461com5i6x.inf.ref.bm4x.telekom.de/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1?$select=Attributes/WebServer.1.HostHeaderCheck [bn461com5i6x.inf.ref.bm4x.telekom.de]' --insecure | jq
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 638 100 638 0 0 3987 0 --:--:-- --:--:-- --:--:-- 3987
{
"error": {
"code": "Base.1.8.GeneralError",
"message": "A general error has occurred. See ExtendedInfo for more information.",
"@Message.ExtendedInfo": [
{
"@odata.type": "#Message.v1_1_0.Message",
"MessageId": "Base.1.8.QueryNotSupported",
"Description": "Indicates that query is not supported on the implementation.",
"Message": "Querying is not supported by the implementation.",
"Severity": "Warning",
"Resolution": "Remove the query parameters and resubmit the request if the operation failed."
}
]
}
}
[a758240@m4bxvmvs02cd ~]$
I also get an error via the browser:
Can you confirm you can access the GUI and run Redfish calls using the iDRAC IPv4 address? Also, can you ping your iDRAC DNS name and confirm the ping request passes and returns the IPv4 address?
Thanks Tex
In the test we are currently using IPv4, later in production it will be IPv6 only. A ping works:
[a758240@m4bxvmvs02cd ~]$ ping bn461com5i6x.inf.ref.bm4x.telekom.de
PING bn461com5i6x.inf.ref.bm4x.telekom.de (10.1.3.9) 56(84) bytes of data.
64 bytes from 10.1.3.9 (10.1.3.9): icmp_seq=1 ttl=57 time=12.8 ms
When you call WebGUI this is what happens:
Using the IPv4 address, can you run Redfish GET and PATCH calls for attribute WebServer.1.HostHeaderCheck and confirm this works? If yes, can you disable this attribute and then try accessing the iDRAC again using the iDRAC DNS name?
Thanks Tex
Hello Texas,
My question is: do these two values, 'DNSRacName' and 'DNSDomainName', have to be the same so that it works again when calling via DNS name? If so, can you set these two values via Redfish via IPv4 and IPv6? If yes, can you add two examples for it, for IPv4 and IPv6, to set this via IP?
Yes, if we use the IPv4 address, then it works. But we want to go beyond the name, otherwise it makes no sense for us to give the iDRAC a name.
All automation is based on names, so IPv4 and IPv6 can act independently.
Can you please try using the IPv4 address to run PATCH to disable the host header check, then try any GET command using the DNS name and confirm it passes?
Example:
[root@localhost]# curl -k -X PATCH -u root:calvin 'https://192.168.0.120/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1' --insecure -d '{"Attributes":{"WebServer.1.HostHeaderCheck":"Disabled"}}' -i -H "Content-Type: application/json"
HTTP/1.1 200 OK
Date: Tue, 14 May 2024 02:47:44 GMT
Server: Apache
OData-Version: 4.0
Cache-Control: no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Length: 506
Vary: Accept-Encoding
Content-Type: application/json;odata.metadata=minimal;charset=utf-8
{"@Message.ExtendedInfo":[{"Message":"The request completed successfully.","MessageArgs":[],"MessageArgs@odata.count":0,"MessageId":"Base.1.12.Success","RelatedProperties":[],"RelatedProperties@odata.count":0,"Resolution":"None","Severity":"OK"},{"Message":"The operation successfully completed.","MessageArgs":[],"MessageArgs@odata.count":0,"MessageId":"IDRAC.2.9.SYS413","RelatedProperties":[],"RelatedProperties@odata.count":0,"Resolution":"No response action is required.","Severity":"Informational"}]}
[root@localhost]# curl -k -X GET -u root:calvin 'https://idrac-BZ01345/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1?$select=Attributes/WebServer.1.HostHeaderCheck' --insecure | jq
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 275 100 275 0 0 222 0 0:00:01 0:00:01 --:--:-- 222
{
"@odata.context": "/redfish/v1/$metadata#DellAttributes.DellAttributes",
"@odata.id": "/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1",
"@odata.type": "#DellAttributes.v1_0_0.DellAttributes",
"Attributes": {
"WebServer.1.HostHeaderCheck": "Disabled"
}
}
Thanks Tex
Hello Texas,
Which fields need to be filled for the host header check to work? We are currently using DHCP IPV4 and IPV6 DHCP ONLY! We would like to know the fields that need to be filled (is it the RACNAME or iDRAC9 FQDN name or other suffix fields?). We would like to know this in order to set it and test it. Therefore we need an overview of the fields that need to be filled for the host header check to work.
Hi @downtownle
Please see article below which goes into detail about host header check iDRAC behavior.
Thanks Tex
Hello Texas,
Who can help me with the question which the customer would like to have answered?
Topic: HTTPS-Hostheader. Can the fields "DNSRacName" and "DNSDomainName" also be filled by DHCP v6? If so, which DHCP options must be set for this?
try to solve it over idm module
Hello Texas,
If you have any ideas to use Redfish for it without racadm, let us know. 16G system with iDRAC9, latest firmware level installed.
We are currently trying to address the iDRACs via FQDN because we don't want them via IP addresses. Unfortunately we get this nice error:
The iDRAC is reset to factory default and got its IP address via DHCP. There is also an entry in your community about this: https://www.dell.com/community/en/conversations/systems-management-general/idrac9-6000-and-redfish/647f9dc9f4ccf8a8de23c724
It is a security feature that the header is checked and this check fails because DNS Domain is not configured. How do we get ahead here without addressing the iDRACs via IP address?
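Added example, not part of the thread or of Dell's scripts: a Python pre-flight check that takes the body of the DellAttributes GET shown above and reports whether a given name matches the configured RAC name and domain, the mismatch the last post identifies as the cause of the failed check. The `NIC.1.*` attribute keys, the `example.test` domain and the sample response are assumptions constructed for illustration, and the matching rule is a simplified model rather than firmware behaviour taken from the page.

```python
import json

# WebServer.1.HostHeaderCheck is the key shown in the thread. The NIC.1.* keys
# are ASSUMED Redfish spellings of the thread's DNSRacName / DNSDomainName.
CHECK, RAC_NAME, DOMAIN = ("WebServer.1.HostHeaderCheck",
                           "NIC.1.DNSRacName", "NIC.1.DNSDomainName")

# Constructed sample: DellAttributes GET body of a factory-default iDRAC
# (RAC name set, DNS domain empty), trimmed to the three attributes used here.
SAMPLE_GET = json.dumps({"Attributes": {
    CHECK: "Enabled", RAC_NAME: "idrac-BZ01345", DOMAIN: ""}})


def configured_names(attrs):
    """Names the iDRAC is configured with: RAC name, plus FQDN if a domain is set."""
    rac = (attrs.get(RAC_NAME) or "").strip().lower()
    dom = (attrs.get(DOMAIN) or "").strip().strip(".").lower()
    names = {rac} if rac else set()
    if rac and dom:
        names.add(f"{rac}.{dom}")
    return names


def preflight(get_body, wanted_name):
    """Return (ok, reason, patch_body) for addressing the iDRAC as wanted_name."""
    attrs = json.loads(get_body).get("Attributes", {})
    wanted = wanted_name.strip().rstrip(".")
    if wanted.lower() in configured_names(attrs):
        return True, "name matches the configured RAC name/domain", None
    if attrs.get(CHECK) == "Disabled":
        return True, "host header check is disabled, mismatch not enforced", None
    host, _, domain = wanted.partition(".")
    fix = {RAC_NAME: host}
    if domain:
        fix[DOMAIN] = domain
    # Suggested body for a PATCH sent via the IP address, keeping the check on.
    return False, "name is not configured on the iDRAC", {"Attributes": fix}


if __name__ == "__main__":
    for name in ("idrac-BZ01345", "idrac-BZ01345.example.test"):
        print(name, preflight(SAMPLE_GET, name))
```
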