HP Integrated Lights-Out 2 User Guide

More documents

Recommendations

Info

• Import Certificate—Use this button when you are returning to the Certificate Administration pagewith a certificate to import. Click Import Certificate to go directly to the Certificate Import screenwithout generating a new CR. A given certificate only works with the keys generated for the originalCR from which the certificate was generated. If the iLO 2 has been reset or another CR has beengenerated since the original CR was submitted to a CA, then a new CR must be generated andsubmitted to the CA.You can create a CR or import an existing certificate using RIBCL XML commands. These commandsenable you to script and automate certificate deployment on iLO 2 servers instead of manually deployingcertificates through the browser interface. For more information, see "CERTIFICATE_SIGNING_REQUEST"and "IMPORT_CERTIFICATE" in the "Remote Insight Command Language" section of the HP IntegratedLights-Out Management Processor Scripting and Command Line Resource Guide.CERTIFICATE_SIGNING_REQUEST and IMPORT_CERTIFICATE cannot be used with the standardCPQLOCFG utility. However, you can use the PERL version of CPQLOCFG in combination with thesecommands.Two-factor authenticationiLO 2 is a powerful tool for managing HP ProLiant servers. To prevent misuse of this tool, access to iLO 2requires reliable user authentication. This firmware release provides a stronger authentication scheme foriLO 2 using two factors of authentication: a password or PIN and a private key for a digital certificate.Using two-factor authentication requires users to verify their identities by providing both factors. Users canstore their digital certificates and private keys wherever they choose, for example, smart card, USB token,or hard disk.The Two-Factor Authentication tab in the Security section enables you to configure security settings andreview, import, and delete a trusted CA certificate.The Two-Factor Authentication Enforcement setting controls whether two-factor authentication is used foruser authentication during login. To require two-factor authentication, click Enabled. To turn off the twofactorauthentication requirement and allow login with user name and password only, click Disabled.You cannot change the setting to Enabled if a trusted CA certificate is not configured. To provide theConfiguring iLO 2 38
necessary security, the following configuration changes are made when two-factor authentication isenabled:• Telnet Access: Disabled• Secure Shell (SSH) Access: Disabled• Serial Command Line Interface Status: DisabledIf telnet, SSH, or Serial CLI access is required, re-enable these settings after two-factor authentication isenabled. However, because these access methods do not provide a means of two-factor authentication,only a single factor is required to access iLO 2 with telnet, SSH, or Serial CLI.When two-factor authentication is enabled, access with the CPQLOCFG utility is disabled becauseCPQLOCFG does not supply all authentication requirements. However, the HPONCFG utility is functionalbecause administrator privileges on the host system are required to execute the utility.A trusted CA certificate is required for two-factor authentication to function. You cannot change the Two-Factor Authentication Enforcement setting to Enabled if a trusted CA certificate has not been configured.Also, a client certificate must be mapped to a local user account if local user accounts are used. If iLO 2is using directory authentication, client certificate mapping to local user accounts is optional.To change two-factor authentication security settings for iLO 2:1. Log in to iLO 2 using an account that has the Configure iLO 2 Settings privilege. ClickAdministration>Security>Two-Factor Authentication.2. Change the settings as needed by entering your selections in the fields.3. After completing any parameter changes, click Apply to save the changes.The Certificate Revocation Checking setting controls whether iLO 2 uses the certificate CRL distributionpoints attribute to download the latest CRL and verify for revocation of the client certificate. If the clientcertificate is contained in the CRL or if the CRL cannot be downloaded for any reason, access is denied.The CRL distribution point must be available and accessible to iLO 2 when Certificate RevocationChecking is set to Yes.The Certificate Owner Field setting specifies which attribute of the client certificate to use whenauthenticating with the directory. If SAN is specified, iLO 2 extracts the User Principle Name from theSubject Alternative Name attribute and then uses the User Principle Name when authenticating with thedirectory (for example, username@domain.extension). If Subject is specified, iLO 2 derives the user'sdistinguished name from the subject name attribute. For example, if the subject name is/DC=com/DC=domain/OU=organization/CN=user, iLO 2 will deriveCN=user,OU=organization,DC=domain,DC=com.The Certificate Owner Field setting is only used if directory authentication is enabled. Configuration of theCertificate Owner Field depends on the version of directory support used, the directory configuration, andthe certificate issuing policy of your organization.Setting up two-factor authentication for the first timeWhen setting up two-factor authentication for the first time, you can use either local user accounts ordirectory user accounts. For more information on two-factor authentication settings, see the "Two-FactorAuthentication (on page 38)" section.Setting up local user accounts1. Obtain the public certificate from the CA that issues user certificates or smart cards in yourorganization.2. Export the certificate in Base64-encoded format to a file on your desktop (for example, CAcert.txt).3. Obtain the public certificate of the user who needs access to iLO 2.4. Export the certificate in Base64-encoded format to a file on your desktop (for example, Usercert.txt).5. Open the file CAcert.txt in Notepad, select all of the text, and copy it by pressing the Ctrl+C keys.Configuring iLO 2 39
Page 1 and 2: HP Integrated Lights-Out 2User Guid
Page 3 and 4: ContentsOperational overview ......
Page 5: Schema-free HPLOMIG-based setup ...
Page 9 and 10: iLO 2 overviewiLO 2 Standard provid
Page 11 and 12: functionality can be provided by va
Page 13 and 14: A separate network increases the se
Page 15 and 16: 4. Select Network>NIC>TCP/IP, press
Page 17 and 18: Install iLO 2 device driversThe iLO
Page 19 and 20: Configuring iLO 2In this sectioniLO
Page 21 and 22: 3. Click Upgrade iLO 2 Firmware.4.
Page 23 and 24: • Scripted virtual media• Apple
Page 25 and 26: 3. Click Add.4. Complete the fields
Page 27 and 28: Group administrationThe Group Accou
Page 29 and 30: Parameter Default value Description
Page 31 and 32: If the iLO 2 installation is comple
Page 33 and 34: 4. Verify that the iLO Management I
Page 35 and 36: Password guidelinesEncryptionThe fo
Page 37: By default, iLO 2 creates a self-si
Page 41 and 42: 10. Change Certificate Owner Field
Page 43 and 44: Owner Field is set to SAN, iLO 2 ob
Page 45 and 46: The test page displays the results
Page 47 and 48: To change network settings for iLO
Page 49 and 50: After iLO 2 resets, the Shared Netw
Page 51 and 52: 5. Navigate to the Virtual LAN ID f
Page 53 and 54: • Verify NSLOOKUP correctly resol
Page 55 and 56: On select p-Class blades in enclosu
Page 57 and 58: Subnet Mask—Assigns the subnet ma
Page 59 and 60: This configuration causes the iLO 2
Page 61 and 62: Using iLO 2In this sectioniLO 2 bro
Page 63 and 64: • Last Used Remote Console displa
Page 65 and 66: Temperaturesfan failure, some fan o
Page 67 and 68: DiagnosticsThe iLO 2 processor reco
Page 69 and 70: The status of these self-tests is i
Page 71 and 72: Remote Console Information screenRe
Page 73 and 74: Supported hot keysThe Program Remot
Page 75 and 76: • Ctrl-Alt-Del—Enters the key s
Page 77 and 78: Security informationIf Remote Conso
Page 79 and 80: High-Performance Mouse option. You
Page 81 and 82: Graceful shutdown• No—Server wi
Page 83 and 84: Processor StatesSelecting the Proce
Page 85 and 86: You can access virtual media on a h
Page 87 and 88: Virtual Floppy and USB key drives d
Page 89 and 90:
3. Click Connect.To use an image fi
Page 91 and 92:
4. Click Create. The virtual media
Page 93 and 94:
Rack ViewThe Rack View page present
Page 95 and 96:
Enclosure informationEnclosure info
Page 97 and 98:
Power component informationSelectin
Page 99 and 100:
Enclosure bay IP addressingDuring t
Page 101 and 102:
Field Possible value DescriptionDNS
Page 103 and 104:
BL p-Class and BL c-Class featuresT
Page 105 and 106:
• Flexibility—You can create a
Page 107 and 108:
10. Select the certificate authorit
Page 109 and 110:
NOTE: When connected through the Di
Page 111 and 112:
Schema PreviewThe Schema Preview sc
Page 113 and 114:
Management snap-in installerThe man
Page 115 and 116:
Snap-in installation and initializa
Page 117 and 118:
d. Add users to the role. Click the
Page 119 and 120:
MembersAfter user objects are creat
Page 121 and 122:
Active Directory Lights-Out managem
Page 123 and 124:
e. Repeat the process for several m
Page 125 and 126:
Role managed devicesThe Role Manage
Page 127 and 128:
To remove any of the entries, highl
Page 129 and 130:
Directory-enabled remote management
Page 131 and 132:
How directory login restrictions ar
Page 133 and 134:
Using DNS-based restrictions can cr
Page 135 and 136:
• HP SIM can:• Manage multiple
Page 137 and 138:
• Windows® Server 2003• Novell
Page 139 and 140:
1. Click Start and select Programs>
Page 141 and 142:
This page determines if the HP Exte
Page 143 and 144:
• Role DN—The role distinguishe
Page 145 and 146:
NOTE: The feature associated with t
Page 147 and 148:
HP Systems Insight Manager integrat
Page 149 and 150:
Clicking on a status icon for iLO 2
Page 151 and 152:
Troubleshooting iLO 2In this sectio
Page 153 and 154:
LED indicatorPOST code(activitycomp
Page 155 and 156:
Event log displayEvent log explanat
Page 157 and 158:
The DHCP server must be configured
Page 159 and 160:
• The use of the diagnostic port
Page 161 and 162:
AlertFailed Login AttemptGeneral Er
Page 163 and 164:
2. On the Level of Privacy screen,
Page 165 and 166:
Terminal Services proxy stops respo
Page 167 and 168:
For example, when User1 logs in, th
Page 169 and 170:
1. Attempt to connect to iLO 2 thro
Page 171 and 172:
Directory services schemaIn this se
Page 173 and 174:
SyntaxOptionsRemarksDistinguished N
Page 175 and 176:
Lights-Out Management specific LDAP
Page 177 and 178:
DescriptionSyntaxOptionsRemarksLoca
Page 179 and 180:
Acronyms and abbreviationsACPIAdvan
Page 181 and 182:
HPONCFGHP Lights-Out Online Configu
Page 183 and 184:
RASremote access serviceRBSUROM-Bas
Page 185 and 186:
IndexAaccess options 23, 28, 33acce
Page 187 and 188:
memory 66Microsoft software 104, 11
Page 189:
virtual media 59, 84, 85, 87, 91, 1
show all

HP Integrated Lights-Out 2 User Guide

Create successful ePaper yourself

Delete template?

Save as template?