Skip to content
Grant Curell's Projects

Update iDRAC Cipher Suite with Redfish

How to do this is detailed in this article

You can obtain all of the iDRAC attributes with the below script:

import requests
import json
import base64


# iDRAC Credentials and Information
IDRAC_IP = "YOUR_IP"  # Change this to your iDRAC IP
USERNAME = "root"
PASSWORD = "calvin"


# Redfish API Endpoint for iDRAC Attributes
URL = f"https://{IDRAC_IP}/redfish/v1/Managers/iDRAC.Embedded.1/Attributes"


# Construct the Authentication Header
headers = {
    "Authorization": "Basic " + base64.b64encode(f"{USERNAME}:{PASSWORD}".encode()).decode(),
    "Content-Type": "application/json"
}


# Disable SSL warnings (iDRAC typically uses self-signed certificates)
requests.packages.urllib3.disable_warnings()


# Send GET request to retrieve all attributes
try:
    response = requests.get(URL, headers=headers, verify=False)


    if response.status_code == 200:
        data = response.json()
        print("\nāœ… Successfully retrieved iDRAC attributes:\n")
        print(json.dumps(data, indent=4))  # Pretty print JSON response


        # Extract Cipher Select related attributes
        print("\nšŸ” Cipher Select Related Settings:\n")
        for key, value in data.get("Attributes", {}).items():
            if "Cipher" in key or "TLS" in key or "Encryption" in key:
                print(f"{key}: {value}")


    else:
        print(f"\nāŒ Failed to retrieve attributes. HTTP {response.status_code}")
        print("Response:", response.text)


except requests.exceptions.RequestException as e:
    print(f"\nāŒ Error retrieving iDRAC attributes: {e}")

You can change the cipher suite properties with the below. Simply change the string NEW_CIPHERS to whatever you need it to be.

import requests
import json
import base64


# iDRAC Credentials and Information
IDRAC_IP = "YOUR_IP"  # Change to your iDRAC IP
USERNAME = "root"
PASSWORD = "calvin"


# Redfish API Endpoint for iDRAC Attributes
URL = f"https://{IDRAC_IP}/redfish/v1/Managers/iDRAC.Embedded.1/Attributes"


# New Cipher String to Apply
NEW_CIPHERS = "aes256-gcm@openssh.com"  # Change this to the desired cipher string


# Construct the Authentication Header
headers = {
    "Authorization": "Basic " + base64.b64encode(f"{USERNAME}:{PASSWORD}".encode()).decode(),
    "Content-Type": "application/json"
}


# Construct the JSON payload for updating the ciphers
payload = {
    "Attributes": {
        "SSHCrypto.1.Ciphers": NEW_CIPHERS
    }
}


# Disable SSL warnings (iDRAC typically uses self-signed certificates)
requests.packages.urllib3.disable_warnings()


# Send PATCH request to update cipher settings
try:
    response = requests.patch(URL, headers=headers, data=json.dumps(payload), verify=False)


    if response.status_code in [200, 204]:
        print("\nāœ… Successfully updated iDRAC SSH ciphers.")
    else:
        print(f"\nāŒ Failed to update SSH ciphers. HTTP {response.status_code}")
        print("Response:", response.text)


except requests.exceptions.RequestException as e:
    print(f"\nāŒ Error updating iDRAC SSH ciphers: {e}")

Example output:

Terminal window
python.exe "update_cipher_suite.py"


āœ… Successfully updated iDRAC SSH ciphers.


Process finished with exit code 0

Here it is in PowerShell:

Terminal window
# iDRAC Credentials and Information
$IDRAC_IP = "YOUR_IP"   # Change this to your iDRAC IP
$USERNAME = "root"
$PASSWORD = "calvin"


# Redfish API Endpoint for iDRAC Attributes
$URL = "https://$IDRAC_IP/redfish/v1/Managers/iDRAC.Embedded.1/Attributes"


# New Cipher String to Apply
$NEW_CIPHERS = "aes256-gcm@openssh.com"  # Change this to the desired cipher string


# Construct the Basic Authentication Header
$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$USERNAME`:$PASSWORD"))
$headers = @{
    "Authorization" = "Basic $base64AuthInfo"
    "Content-Type"  = "application/json"
}


# Construct the JSON payload for updating the ciphers
$body = @{
    "Attributes" = @{
        "SSHCrypto.1.Ciphers" = $NEW_CIPHERS
    }
} | ConvertTo-Json -Depth 3


# Ignore SSL certificate errors (iDRAC often has a self-signed certificate)
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }


# Send PATCH request to update cipher settings
try {
    $response = Invoke-RestMethod -Uri $URL -Method Patch -Headers $headers -Body $body -ContentType "application/json"


    Write-Host "`nāœ… Successfully updated iDRAC SSH ciphers." -ForegroundColor Green
}
catch {
    Write-Host "`nāŒ Failed to update SSH ciphers." -ForegroundColor Red
    Write-Host "Error: $($_.Exception.Message)"
    if ($_.Exception.Response) {
        $errorResponse = $_.Exception.Response.GetResponseStream()
        $reader = New-Object System.IO.StreamReader($errorResponse)
        Write-Host "`nResponse:`n$($reader.ReadToEnd())" -ForegroundColor Yellow
    }
}