@kiler129
Forked from seeker2921/ilo-console.sh
Last active March 4, 2024 01:49
Run iLO remote console from shell

iLO Remote Console

This small script lets you start the Java-based iLO console from a shell.

But why not HTML5?

  • iLO 2/3 don't have an HTML5 console
  • Mounting local (from the client computer) ISOs is PAINFULLY slow via the HTML5 client

TL;DR

If you just start it, it will ask you for everything:

% ./ilo-console.sh
Connecting to iLO 4 (set ILO_VERSION to change)
iLO Host: foo
iLO Login: bar
iLO Password:

Config

You can set the following environment variables:

  • ILO_VERSION: iLO version, 2, 3, and 4 are supported
  • ILO_HOST: hostname/IP of the server, optionally with port (e.g. example.com, 10.0.0.3, example.com:1234)
  • ILO_LOGIN: username for iLO
  • ILO_SKIP_DEFAULTS: when set to any value, the values provided above are used as-is instead of being offered as editable defaults

Examples

# Just use provided values
% ILO_SKIP_DEFAULTS=1 ILO_HOST=10.0.0.3 ./ilo-console.sh
Connecting to iLO 4 (set ILO_VERSION to change)
iLO Host: 10.0.0.3
iLO Login: foo
iLO Password:

# Suggest provided values
% ILO_LOGIN=foo ./ilo-console.sh
Connecting to iLO 4 (set ILO_VERSION to change)
iLO Host: 10.0.0.3
iLO Login [foo]:
iLO Password:

# Suggested values can be changed
% ILO_LOGIN=foo ./ilo-console.sh
Connecting to iLO 4 (set ILO_VERSION to change)
iLO Host: 10.0.0.3
iLO Login [foo]: bar
iLO Password:

Wait, what about ILO_PASSWORD?!

No.
Stop creating security nightmares.

ExitException: Unable to load resource ....

If you're getting an error similar to the one below:

[screenshot: java error]

It means your JRE has TLSv1.1 disabled. Newer versions disable it automatically upon update. Old iLO versions (<4) cannot use TLSv1.2, so the JRE download fails.

To re-enable TLSv1.1 support, open the Java Control Panel (e.g. on macOS it's under the Apple menu -> System Preferences -> Java). Navigate to the "Advanced" tab and check "Use TLS 1.1".

[screenshot: use TLSv1.1]

It still doesn't work!

In this case your JRE may not support TLSv1.1 at all. The script has an option for that too: autoproxy. To make it work you need mitmdump (part of the mitmproxy package) and socat installed on your system.

Then run the script with ILO_AUTOPROXY=1. It will automatically:

  • Set up a local proxy to your iLO web interface, ignoring ancient TLS & self-signed certificate errors
  • Set up a local proxy for the iLO remote console
  • Set up a local proxy for the iLO virtual media connection

#!/bin/bash

### HANDLE VERSION PICK
if [[ -z "$ILO_VERSION" ]]; then ILO_VERSION="4"; fi;
case $ILO_VERSION in
    "2")
        ILO_JAR=html/intgapp_228.jar; ;;
    "3")
        ILO_JAR=html/intgapp3_231.jar; ;;
    "4")
        ILO_JAR=html/intgapp4_231.jar; ;;
    *)
        echo "iLO $ILO_VERSION is not supported"
        exit 1;
esac
echo "Connecting to iLO $ILO_VERSION (set ILO_VERSION to change)"

### HOST
echo -n 'iLO Host'
if [[ -n "$ILO_HOST" ]]; then
    if [[ -z "$ILO_SKIP_DEFAULTS" ]]; then
        echo -n " [$ILO_HOST]: "
        read -r ILO_NEW_HOST
        if [[ -n "$ILO_NEW_HOST" ]]; then ILO_HOST=$ILO_NEW_HOST; fi;
    else
        echo ": $ILO_HOST"
    fi;
else
    echo -n ': '
    read -r ILO_HOST
fi;
if [[ -z "$ILO_HOST" ]]; then
    echo "Empty host - aborted."
    exit 1
fi;

### LOGIN
# While -i exists it's not portable
echo -n 'iLO Login'
if [[ -n "$ILO_LOGIN" ]]; then
    if [[ -z "$ILO_SKIP_DEFAULTS" ]]; then
        echo -n " [$ILO_LOGIN]: "
        read -r ILO_NEW_LOGIN;
        if [[ -n "$ILO_NEW_LOGIN" ]]; then ILO_LOGIN=$ILO_NEW_LOGIN; fi;
    else
        echo ": $ILO_LOGIN"
    fi;
else
    echo -n ': '
    read -r ILO_LOGIN
fi;
if [[ -z "$ILO_LOGIN" ]]; then
    echo "Empty login - aborted."
    exit 1
fi;

### PASSWORD
echo -n 'iLO Password: '
# -s: no echo; -r: keep backslashes in the password intact
read -rs ILO_PASSWORD
echo;

ILO_ADDRESS="$ILO_HOST"
if [[ ! "$ILO_ADDRESS" =~ ^"https://".* ]]; then ILO_ADDRESS="https://$ILO_ADDRESS"; fi;
if [[ ! "$ILO_ADDRESS" =~ .*"/$" ]]; then ILO_ADDRESS="$ILO_ADDRESS/"; fi;

### AUTO-PROXY
if [[ -n "$ILO_AUTOPROXY" ]]; then
    ILO_AUTOPROXY_HOST=$(echo "$ILO_ADDRESS" | cut -d/ -f3)
    # Drop an optional web port (host:port); socat below appends its own ports
    ILO_AUTOPROXY_HOST=${ILO_AUTOPROXY_HOST%%:*}

    if ! command -v mitmdump &> /dev/null; then
        echo "Cannot find mitmdump (part of mitmproxy package) - it is required for ILO_AUTOPROXY"
        exit 1
    fi
    if ! command -v socat &> /dev/null; then
        echo "Cannot find socat - it is required for ILO_AUTOPROXY"
        exit 1
    fi

    # Stop the background proxies when the script exits
    trap "kill 0" EXIT
    # See https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-a00045334en_us
    # --ssl-insecure: the iLO certificate is NOT verified by the proxy.
    # mitmdump listens on all interfaces by default; --listen-host keeps it
    # local, like the socat listeners below.
    mitmdump --ssl-insecure --listen-host 127.0.0.1 -p 9443 --mode "reverse:$ILO_ADDRESS" &
    socat TCP4-LISTEN:17988,fork,reuseaddr,bind=127.0.0.1 "TCP4:$ILO_AUTOPROXY_HOST:17988" &
    socat TCP4-LISTEN:17990,fork,reuseaddr,bind=127.0.0.1 "TCP4:$ILO_AUTOPROXY_HOST:17990" &
    sleep 2 # let mitmdump start
    ILO_ADDRESS="https://127.0.0.1:9443/"
fi;

# The body goes to curl on stdin (--data @-) so the password does not show up
# in the process list. Login and password are interpolated as-is: a " or \ in
# either produces a malformed JSON body.
# sed -n ... p prints only on a match, so an error body leaves ILO_SESSKEY empty.
ILO_SESSKEY=$(
    curl -fsS \
        --insecure \
        "${ILO_ADDRESS}json/login_session" \
        --data @- <<<"{\"method\":\"login\",\"user_login\":\"$ILO_LOGIN\",\"password\":\"$ILO_PASSWORD\"}" |
    sed -n 's/.*"session_key":"\([a-f0-9]\{32\}\)".*/\1/p'
);
if [[ -z "$ILO_SESSKEY" ]]; then
    echo "Failed to retrieve key. Wrong password or banned?"
    exit 1
fi;

# normal mktemp will not work with higher Java security settings
ILO_JNLP="$HOME/.iLO.jnlp"
# The JNLP embeds the session key, so create it readable by the owner only
rm -f "$ILO_JNLP"
(umask 077; : >"$ILO_JNLP")
cat >"$ILO_JNLP" <<eof
<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="$ILO_ADDRESS" href="">
  <information>
    <title>Integrated Remote Console</title>
    <vendor>HPE</vendor>
    <offline-allowed></offline-allowed>
  </information>
  <security>
    <all-permissions></all-permissions>
  </security>
  <resources>
    <j2se version="1.5+" href="http://java.sun.com/products/autodl/j2se"></j2se>
    <jar href="${ILO_ADDRESS}${ILO_JAR}" main="false" />
  </resources>
  <property name="deployment.trace.level property" value="basic"></property>
  <applet-desc main-class="com.hp.ilo2.intgapp.intgapp" name="iLOJIRC" documentbase="${ILO_ADDRESS}html/java_irc.html" width="1" height="1">
    <param name="RCINFO1" value="$ILO_SESSKEY"/>
    <param name="RCINFOLANG" value="en"/>
    <param name="INFO0" value="7AC3BDEBC9AC64E85734454B53BB73CE"/>
    <param name="INFO1" value="17988"/>
    <param name="INFO2" value="composite"/>
  </applet-desc>
  <update check="background"></update>
</jnlp>
eof

echo "Starting iLO console..."
if [[ -n "$ILO_AUTOPROXY" ]]; then
    echo "Console will appear soon. DO NOT close this window! (using autoproxy)"
    javaws -wait "$ILO_JNLP"; rm "$ILO_JNLP"
else
    nohup sh -c "/usr/bin/env javaws -wait '$ILO_JNLP'; rm '$ILO_JNLP'" >/dev/null 2>&1 &
    echo "Console started. You CAN close this window."
fi;
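
The login request in the script builds its JSON body by string interpolation, so a login or password containing `"` or `\` yields a malformed body. The sketch below is an added example, not part of the gist: it escapes both values, sends the body on curl's stdin, and extracts the session key strictly. Function names are hypothetical, `--insecure` is carried over from the script, and the sample password is constructed.

```sh
#!/bin/sh
# Added example, not part of the gist. Function names are hypothetical.

# Escape a value for a JSON string: \ and " are escaped, and any control
# character is refused (status 1) instead of being passed through.
json_escape() {
    stripped=$(printf '%s' "$1" | LC_ALL=C tr -d '[:cntrl:]')
    [ "$stripped" = "$1" ] || return 1
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the body the script posts to json/login_session.
login_body() {
    user=$(json_escape "$1") || return 1
    pass=$(json_escape "$2") || return 1
    printf '{"method":"login","user_login":"%s","password":"%s"}' "$user" "$pass"
}

# Print the 32-hex-digit session key; print nothing and return 1 if the
# response has none (sed -n ... p prints only on a match).
extract_session_key() {
    key=$(printf '%s\n' "$1" |
        sed -n 's/.*"session_key":"\([a-f0-9]\{32\}\)".*/\1/p')
    [ -n "$key" ] && printf '%s\n' "$key"
}

# $1 = base URL with trailing slash, $2 = login, $3 = password.
# The body reaches curl on stdin (--data @-); printf is a shell builtin, so
# the password is never an argument of an external process.
ilo_login() {
    body=$(login_body "$2" "$3") || return 1
    resp=$(printf '%s' "$body" |
        curl -fsS --insecure --data @- "${1}json/login_session") || return 1
    extract_session_key "$resp"
}

# Constructed sample: a password containing a quote and a backslash.
login_body admin 'p"w\d' && echo
```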

Rocco83 commented Sep 29, 2022

After spitting some blood over openssl v1.1, which disables connections with a protocol lower than TLSv1.2 (openssl.cnf on linux),
on the login page I get:

$ curl -fsS --insecure https://realurl:alternateport/json/login_session --data '{"method":"login","user_login":"root","password":"xxxxx"}'
curl: (22) The requested URL returned error: 404

I'm still investigating, but if this is well known... more than keen to hear about it.


bogdik commented Apr 20, 2023

It works only on 32bit java, download and unpack jdk1.8.0_202 on script path and replace 139 string to nohup sh -c "/usr/bin/env ./jdk1.8.0_202/bin/javaws -wait $ILO_JNLP; rm $ILO_JNLP" >/dev/null 2>&1 &


CoolSaet commented May 9, 2023

For me the solution was to tell mitmproxy that the TLS version could be anything instead of requiring TLS1.2
On line 82 add --set tls_version_server_min=UNBOUNDED

mitmdump --ssl-insecure -p 9443 --set tls_version_server_min=UNBOUNDED --mode reverse:$ILO_ADDRESS &


kostecky commented Mar 4, 2024

This works for my ilo4 servers, thanks!

However, what I really need it for is the ancient ilo3 servers! Especially since I'm running the latest os x and latest Java.

When running on an ilo3 server where I have to use AUTO_PROXY, I still get complaints. I've even added in:
mitmdump --ssl-insecure -p 9443 --set tls_version_server_min=UNBOUNDED --mode reverse:$ILO_ADDRESS &

[20:46:53.431][127.0.0.1:56044] Server TLS handshake failed. OpenSSL Error([('SSL routines', '', 'unsupported protocol')])
[20:46:53.431][127.0.0.1:56044] Unable to establish TLS connection with server (OpenSSL Error([('SSL routines', '', 'unsupported protocol')])). Trying to establish TLS with client anyway. If you plan to redirect requests away from this server, consider setting connection_strategy to lazy to suppress early connections.

I hope someone can help! @CoolSaet @Rocco83