@kiler129
Forked from seeker2921/ilo-console.sh
Last active August 30, 2024 14:51
Run iLO remote console from shell

iLO Remote Console

This small script lets you start the Java-based iLO console from a shell.

But why not HTML5?

  • iLO 2/3 doesn't have an HTML5 console
  • Mounting local ISOs (from the client computer) is PAINFULLY slow via the HTML5 client

TL;DR

If you just start it, it will ask you for everything:

% ./ilo-console.sh
Connecting to iLO 4 (set ILO_VERSION to change)
iLO Host: foo
iLO Login: bar
iLO Password:

Config

You can set the following environment variables:

  • ILO_VERSION: iLO version; 2, 3, and 4 are supported
  • ILO_HOST: hostname/IP of the server, optionally with port (e.g. example.com, 10.0.0.3, example.com:1234)
  • ILO_LOGIN: username for iLO
  • ILO_SKIP_DEFAULTS: when set to anything it will auto-assume defaults

Examples

# Just use provided values
% ILO_SKIP_DEFAULTS=1 ILO_HOST=10.0.0.3 ./ilo-console.sh
Connecting to iLO 4 (set ILO_VERSION to change)
iLO Host: 10.0.0.3
iLO Login: foo
iLO Password:

# Suggest provided values
% ILO_LOGIN=foo ./ilo-console.sh
Connecting to iLO 4 (set ILO_VERSION to change)
iLO Host: 10.0.0.3
iLO Login [foo]:
iLO Password:

# Suggested values can be changed
% ILO_LOGIN=foo ./ilo-console.sh
Connecting to iLO 4 (set ILO_VERSION to change)
iLO Host: 10.0.0.3
iLO Login [foo]: bar
iLO Password:

Wait, what about ILO_PASSWORD?!

No.
Stop creating security nightmares.

ExitException: Unable to load resource ....

If you're getting an error similar to the one below:

[Image: java error]

It means your JRE has TLSv1.1 disabled. Newer versions disable it automatically upon update. Old iLO versions (<4) cannot use TLSv1.2, so the JRE download fails.

To re-enable TLSv1.1 support, open the Java Control Panel (e.g. on macOS it's under Apple menu -> System Preferences -> Java). Navigate to the "Advanced" tab and check "Use TLS 1.1".

[Image: use TLSv1.1]

It still doesn't work!

In this case your JRE may not support TLSv1.1 at all. The script has an option for that too: autoproxy. To make it work you need to have mitmdump (part of the mitmproxy package) and socat installed on your system.

Then run the script with ILO_AUTOPROXY=1. It will automatically:

  • Set up a local proxy to your iLO web interface, ignoring ancient TLS and self-signed certificate errors
  • Set up a local proxy for the iLO remote console
  • Set up a local proxy for the iLO virtual media connection

#!/bin/bash

### HANDLE VERSION PICK
if [[ -z "$ILO_VERSION" ]]; then ILO_VERSION="4"; fi
case $ILO_VERSION in
  "2")
    ILO_JAR=html/intgapp_228.jar ;;
  "3")
    ILO_JAR=html/intgapp3_231.jar ;;
  "4")
    ILO_JAR=html/intgapp4_231.jar ;;
  *)
    echo "iLO $ILO_VERSION is not supported"
    exit 1 ;;
esac
echo "Connecting to iLO $ILO_VERSION (set ILO_VERSION to change)"

### HOST
echo -n 'iLO Host'
if [[ ! -z "$ILO_HOST" ]]; then
  if [[ -z "$ILO_SKIP_DEFAULTS" ]]; then
    echo -n " [$ILO_HOST]: "
    read -r ILO_NEW_HOST
    if [[ ! -z "$ILO_NEW_HOST" ]]; then ILO_HOST=$ILO_NEW_HOST; fi
  else
    echo ": $ILO_HOST"
  fi
else
  echo -n ': '
  read -r ILO_HOST
fi
if [[ -z "$ILO_HOST" ]]; then
  echo "Empty host - aborted."
  exit 1
fi

### LOGIN
# While -i exists it's not portable
echo -n 'iLO Login'
if [[ ! -z "$ILO_LOGIN" ]]; then
  if [[ -z "$ILO_SKIP_DEFAULTS" ]]; then
    echo -n " [$ILO_LOGIN]: "
    read -r ILO_NEW_LOGIN
    if [[ ! -z "$ILO_NEW_LOGIN" ]]; then ILO_LOGIN=$ILO_NEW_LOGIN; fi
  else
    echo ": $ILO_LOGIN"
  fi
else
  echo -n ': '
  read -r ILO_LOGIN
fi
if [[ -z "$ILO_LOGIN" ]]; then
  echo "Empty login - aborted."
  exit 1
fi

### PASSWORD
# -s disables echo; -r keeps backslashes in the password intact
echo -n 'iLO Password: '
read -r -s ILO_PASSWORD
echo

ILO_ADDRESS="$ILO_HOST"
if [[ ! "$ILO_ADDRESS" =~ ^"https://".* ]]; then ILO_ADDRESS="https://$ILO_ADDRESS"; fi
# Append a trailing slash only when one is not already present
if [[ "$ILO_ADDRESS" != */ ]]; then ILO_ADDRESS="$ILO_ADDRESS/"; fi

### AUTO-PROXY
if [[ ! -z "$ILO_AUTOPROXY" ]]; then
  # Host part of the URL without an optional :port (socat targets fixed ports)
  ILO_AUTOPROXY_HOST=$(echo "$ILO_ADDRESS" | cut -d/ -f3 | cut -d: -f1)

  if ! command -v mitmdump &> /dev/null; then
    echo "Cannot find mitmdump (part of mitmproxy package) - it is required for ILO_AUTOPROXY"
    exit 1
  fi
  if ! command -v socat &> /dev/null; then
    echo "Cannot find socat - it is required for ILO_AUTOPROXY"
    exit 1
  fi

  # Stop the background proxies when the script exits
  trap "kill 0" EXIT

  # See https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-a00045334en_us
  # --ssl-insecure skips certificate verification towards the iLO. All three
  # listeners are bound to loopback so they are not reachable from the network.
  mitmdump --ssl-insecure --listen-host 127.0.0.1 -p 9443 --mode "reverse:$ILO_ADDRESS" &
  socat TCP4-LISTEN:17988,fork,reuseaddr,bind=127.0.0.1 "TCP4:$ILO_AUTOPROXY_HOST:17988" &
  socat TCP4-LISTEN:17990,fork,reuseaddr,bind=127.0.0.1 "TCP4:$ILO_AUTOPROXY_HOST:17990" &
  sleep 2 # let mitmdump start

  ILO_ADDRESS="https://127.0.0.1:9443/"
fi

### LOGIN REQUEST
# The body is passed to curl on stdin (--data @-) so the password does not
# appear in the process list. Login and password are inserted verbatim, so a
# double quote or backslash in either one produces invalid JSON.
# sed -n ... p prints only a matching 32-hex-digit key, never the raw response.
ILO_SESSKEY=$(
  printf '{"method":"login","user_login":"%s","password":"%s"}' "$ILO_LOGIN" "$ILO_PASSWORD" |
  curl -fsS \
    --insecure \
    --data @- \
    "${ILO_ADDRESS}json/login_session" |
  sed -n 's/.*"session_key":"\([a-f0-9]\{32\}\)".*/\1/p'
)
if [[ -z "$ILO_SESSKEY" ]]; then
  echo "Failed to retrieve key. Wrong password or banned?"
  exit 1
fi

# normal mktemp will not work with higher Java security settings
ILO_JNLP="$HOME/.iLO.jnlp"
# The file carries the session key - keep it readable by the owner only
touch "$ILO_JNLP" && chmod 600 "$ILO_JNLP"
cat >"$ILO_JNLP" <<eof
<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="$ILO_ADDRESS" href="">
  <information>
    <title>Integrated Remote Console</title>
    <vendor>HPE</vendor>
    <offline-allowed></offline-allowed>
  </information>
  <security>
    <all-permissions></all-permissions>
  </security>
  <resources>
    <j2se version="1.5+" href="http://java.sun.com/products/autodl/j2se"></j2se>
    <jar href="${ILO_ADDRESS}${ILO_JAR}" main="false" />
  </resources>
  <property name="deployment.trace.level property" value="basic"></property>
  <applet-desc main-class="com.hp.ilo2.intgapp.intgapp" name="iLOJIRC" documentbase="${ILO_ADDRESS}html/java_irc.html" width="1" height="1">
    <param name="RCINFO1" value="$ILO_SESSKEY"/>
    <param name="RCINFOLANG" value="en"/>
    <param name="INFO0" value="7AC3BDEBC9AC64E85734454B53BB73CE"/>
    <param name="INFO1" value="17988"/>
    <param name="INFO2" value="composite"/>
  </applet-desc>
  <update check="background"></update>
</jnlp>
eof

echo "Starting iLO console..."
if [[ ! -z "$ILO_AUTOPROXY" ]]; then
  echo "Console will appear soon. DO NOT close this window! (using autoproxy)"
  javaws -wait "$ILO_JNLP"; rm "$ILO_JNLP"
else
  # The path is passed as \$1 so a home directory with spaces does not break the command
  nohup sh -c '/usr/bin/env javaws -wait "$1"; rm "$1"' sh "$ILO_JNLP" >/dev/null 2>&1 &
  echo "Console started. You CAN close this window."
fi
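
The login step above inserts the login and password into the JSON body as-is. As an added example (not part of the original gist), these POSIX shell helpers escape both values, pass the body to curl on stdin, and contrast a plain sed substitution, which passes a non-matching response through, with a strict one that prints only a 32-hex-digit key. Function names and sample responses are constructed for illustration; the curl options are the ones the script uses.

```shell
#!/bin/sh
# Added example: hardened login helpers (function names are hypothetical).

# Escape a value for use inside a JSON string. Control characters are
# refused rather than encoded, since they are not expected in credentials.
json_escape() {
    _clean=$(printf '%s' "$1" | tr -d '[:cntrl:]')
    [ "$_clean" = "$1" ] || return 1
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Build the login_session request body with both values escaped.
build_login_body() {
    _user=$(json_escape "$1") || return 1
    _pass=$(json_escape "$2") || return 1
    printf '{"method":"login","user_login":"%s","password":"%s"}' "$_user" "$_pass"
}

# Plain substitution (no -n/p): a body that does not match is printed
# unchanged, so a later "is the key empty?" check does not catch it.
extract_key_passthrough() {
    sed 's/.*"session_key":"\([a-f0-9]\{32\}\)".*/\1/'
}

# Strict variant: print only when a 32-hex-digit key was actually found.
extract_session_key() {
    sed -n 's/.*"session_key":"\([a-f0-9]\{32\}\)".*/\1/p'
}

# $1 = base URL ending in "/", $2 = login, $3 = password.
# The body reaches curl on stdin (--data @-), so the password is not in
# curl's argument list; printf is a shell builtin and spawns no process.
ilo_login() {
    _body=$(build_login_body "$2" "$3") || return 1
    printf '%s' "$_body" |
        curl -fsS --insecure --data @- "${1}json/login_session" |
        extract_session_key
}

# Constructed sample responses (not captured from a real iLO).
SAMPLE_OK='{"session_key":"0123456789abcdef0123456789abcdef","user_name":"bar"}'
SAMPLE_ERR='{"message":"constructed error body"}'

build_login_body 'bar' 'pa"ss\word'; echo
printf '%s\n' "$SAMPLE_OK"  | extract_session_key
printf '%s\n' "$SAMPLE_ERR" | extract_key_passthrough
```
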
@abcbarryn

On my ILO2 server I get:
++ curl -fsS --insecure https://host-redacted/json/login_session --data '{"method":"login","user_login":"barryn","password":"=1-v2/c2"}'
++ sed 's/.*"session_key":"\([a-f0-9]\{32\}\)".*/\1/'
curl: (22) The requested URL returned error: 404
+ ILO_SESSKEY=
+ [[ -z '' ]]
+ echo 'Failed to retrieve key. Wrong password or banned?'
Failed to retrieve key. Wrong password or banned?
+ exit 1

When I try to open the URL https://host-redacted/json/login_session in Firefox, which I am able to use to log in and access my ILO page using the URL https://host-redacted/, I also get a 404 on https://host-redacted/json/login_session, but logging in to https://host-redacted/ in Firefox works fine.

@ilium007

Not working, unfortunately... macOS

Connecting to iLO 4 (set ILO_VERSION to change)
iLO Host: 192.168.5.115
iLO Login: Administrator
iLO Password:
[00:50:00.848] reverse proxy to https://192.168.x.x/ listening at *:9443.
[00:50:02.437][127.0.0.1:62765] client connect
[00:50:02.588][127.0.0.1:62765] server connect 192.168.x.x:443
[00:50:02.824][127.0.0.1:62765] Server TLS handshake failed. OpenSSL Error([('SSL routines', '', 'unsupported protocol')])
[00:50:02.825][127.0.0.1:62765] Unable to establish TLS connection with server (OpenSSL Error([('SSL routines', '', 'unsupported protocol')])). Trying to establish TLS with client anyway. If you plan to redirect requests away from this server, consider setting `connection_strategy` to `lazy` to suppress early connections.
[00:50:02.852][127.0.0.1:62765] server disconnect 192.168.x.x:443
127.0.0.1:62765: POST https://192.168.5.115/json/login_session HTTP/2.0
 << OpenSSL Error([('SSL routines', '', 'unsupported protocol')])
curl: (22) The requested URL returned error: 502
[00:50:02.905][127.0.0.1:62765] client disconnect
Failed to retrieve key. Wrong password or banned?
2024/08/31 00:50:02 socat[40999] W exiting on signal 15
2024/08/31 00:50:02 socat[40998] W exiting on signal 15
