Dell Drac 5 User Manual
Using the DRAC 5 With Microsoft Active Directory

Viewing an Active Directory CA Certificate

Use the Active Directory Main Menu page to view a CA server certificate for your DRAC 5.

1 In the Active Directory Main Menu page, select View Active Directory CA Certificate and click Next. Table 6-14 describes the fields and associated descriptions listed in the Certificate window.
2 Click the appropriate View Active Directory CA Certificate page button to continue. See Table 6-11.

Table 6-14. Active Directory CA Certificate Information

Field: Description
Serial Number: Certificate serial number.
Subject Information: Certificate attributes entered by the subject.
Issuer Information: Certificate attributes returned by the issuer.
Valid From: Certificate issue date.
Valid To: Certificate expiration date.

Enabling SSL on a Domain Controller

When the DRAC 5 authenticates users against an Active Directory domain controller, it starts an SSL session with the domain controller. At this time, the domain controller should publish a certificate signed by the Certificate Authority (CA), the root certificate of which is also uploaded into the DRAC 5. In other words, for the DRAC 5 to be able to authenticate to any domain controller, whether it is the root or a child domain controller, that domain controller must have an SSL-enabled certificate signed by the domain's CA.
If you are using Microsoft Enterprise Root CA to automatically assign an SSL certificate to all your domain controllers, perform the following steps to enable SSL on each domain controller:

1 Enable SSL on each of your domain controllers by installing the SSL certificate for each controller.
a Click Start→ Administrative Tools→ Domain Security Policy.
b Expand the Public Key Policies folder, right-click Automatic Certificate Request Settings and click Automatic Certificate Request.
c In the Automatic Certificate Request Setup Wizard, click Next and select Domain Controller.
d Click Next and click Finish.

Exporting the Domain Controller Root CA Certificate to the DRAC 5

NOTE: If your system is running Windows 2000, the following steps may vary.

1 Locate the domain controller that is running the Microsoft Enterprise CA service.
2 Click Start→ Run.
3 In the Run field, type mmc and click OK.
4 In the Console 1 (MMC) window, click File (or Console on Windows 2000 machines) and select Add/Remove Snap-in.
5 In the Add/Remove Snap-In window, click Add.
6 In the Standalone Snap-In window, select Certificates and click Add.
7 Select Computer account and click Next.
8 Select Local Computer and click Finish.
9 Click OK.
10 In the Console 1 window, expand the Certificates folder, expand the Personal folder, and click the Certificates folder.
11 Locate and right-click the root CA certificate, select All Tasks, and click Export....
12 In the Certificate Export Wizard, click Next, and select No, do not export the private key.
13 Click Next and select Base-64 encoded X.509 (.cer) as the format.
14 Click Next and save the certificate to a directory on your system.
15 Upload the certificate you saved in step 14 to the DRAC 5. To upload the certificate using RACADM, see Configuring the DRAC 5 With Extended Schema Active Directory and Web-Based Interface. To upload the certificate using the Web-based interface, perform the following procedure:
a Open a supported Web browser window.
b Log in to the DRAC 5 Web-based interface.
c Expand the System tree and click Remote Access.
d Click the Configuration tab, and then click Security.
e In the Security Certificate Main Menu page, select Upload Server Certificate and click Apply.
f In the Certificate Upload screen, perform one of the following procedures:
   Click Browse and select the certificate.
   In the Value field, type the path to the certificate.
g Click Apply.

Importing the DRAC 5 Firmware SSL Certificate

NOTE: If the Active Directory server is set to authenticate the client during the SSL session initialization phase, you need to upload the DRAC 5 server certificate to the Active Directory domain controller as well. This additional step is not required if Active Directory does not perform client authentication during the SSL session's initialization phase.

Use the following procedure to import the DRAC 5 firmware SSL certificate into all domain controller trusted certificate lists.

NOTE: If your system is running Windows 2000, the following steps may vary.

NOTE: If the DRAC 5 firmware SSL certificate is signed by a well-known CA, you are not required to perform the steps in this section.
The DRAC 5 SSL certificate is the same certificate used for the DRAC 5 Web server. All DRAC 5 controllers are shipped with a default self-signed certificate. To access the certificate using the DRAC 5 Web-based interface, select Configuration→ Active Directory→ Download DRAC 5 Server Certificate.

1 On the domain controller, open an MMC Console window and select Certificates→ Trusted Root Certification Authorities.
2 Right-click Certificates, select All Tasks and click Import.
3 Click Next and browse to the SSL certificate file.
4 Install the RAC SSL certificate in each domain controller's Trusted Root Certification Authority store. If you have installed your own certificate, ensure that the CA signing your certificate is in the Trusted Root Certification Authority list. If the authority is not in the list, you must install it on all your domain controllers.
5 Click Next and select whether you would like Windows to automatically select the certificate store based on the type of certificate, or browse to a store of your choice.
6 Click Finish and click OK.

Setting the SSL Time on the DRAC 5

When the DRAC 5 authenticates an Active Directory user, the DRAC 5 also verifies the certificate published by the Active Directory server to ensure that the DRAC is communicating with an authorized Active Directory server. This check also ensures that the certificate is valid within the time range specified by the DRAC 5. However, there could be a mismatch between the time zones used by the certificate and the DRAC 5: the DRAC 5 time reflects the local system time, while the certificate reflects time in GMT. To ensure that the DRAC 5 uses GMT when comparing against the certificate times, you must set the time zone offset object:

racadm config -g cfgRacTuning -o cfgRacTuneTimeZoneOffset <offset value>

See cfgRacTuneTimezoneOffset (Read/Write) for more details.
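An added example, not part of the Dell manual, that models why the offset matters: the DRAC 5 compares a certificate's GMT validity window against its own local clock. It assumes cfgRacTuneTimeZoneOffset takes minutes relative to GMT (the manual does not state the unit here); the certificate dates and the Pacific-time DRAC are constructed.

```python
from datetime import datetime, timedelta, timezone

# The DRAC 5 checks the domain controller certificate's validity window, which
# X.509 expresses in GMT, against its own clock, which reflects local system time
# unless cfgRacTuneTimeZoneOffset corrects it. Assumption (not stated on the page):
# the offset is the number of minutes the DRAC's local time is ahead of GMT.

def drac_clock_as_gmt(drac_local: datetime, offset_minutes: int) -> datetime:
    """Convert the DRAC's naive local clock reading to an aware GMT time."""
    return drac_local.replace(tzinfo=timezone.utc) - timedelta(minutes=offset_minutes)

def certificate_time_valid(not_before: datetime, not_after: datetime,
                           drac_local: datetime, offset_minutes: int) -> bool:
    """True if the certificate is inside its validity window as seen by the DRAC."""
    now_gmt = drac_clock_as_gmt(drac_local, offset_minutes)
    return not_before <= now_gmt <= not_after

def offset_for_zone(tz: timezone, at: datetime) -> int:
    """Value to set with cfgRacTuneTimeZoneOffset for a host in the given zone."""
    return int(at.astimezone(tz).utcoffset().total_seconds() // 60)

def racadm_command(offset_minutes: int) -> str:
    """The racadm line from the manual with the computed offset filled in."""
    return f"racadm config -g cfgRacTuning -o cfgRacTuneTimeZoneOffset {offset_minutes}"

def pacific_example() -> dict:
    """Constructed scenario: a freshly issued DC certificate seen from a DRAC on
    US Pacific time (GMT-8) fifteen minutes after issuance."""
    not_before = datetime(2024, 3, 1, 0, 30, tzinfo=timezone.utc)   # constructed
    not_after = datetime(2025, 3, 1, 0, 30, tzinfo=timezone.utc)    # constructed
    drac_local = datetime(2024, 2, 29, 16, 45)   # equals 2024-03-01 00:45 GMT
    pacific = timezone(timedelta(hours=-8))
    offset = offset_for_zone(pacific, drac_local.replace(tzinfo=pacific))
    return {
        "offset": offset,
        # offset unset (0): the DRAC treats 16:45 local as 16:45 GMT, before not_before
        "valid_without_offset": certificate_time_valid(not_before, not_after, drac_local, 0),
        "valid_with_offset": certificate_time_valid(not_before, not_after, drac_local, offset),
        "command": racadm_command(offset),
    }

if __name__ == "__main__":
    print(pacific_example())
```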
Supported Active Directory Configuration

The Active Directory querying algorithm of the DRAC 5 supports multiple trees in a single forest. DRAC 5 Active Directory authentication supports mixed mode (that is, the domain controllers in the forest run different operating systems, such as Microsoft Windows NT® 4.0, Windows 2000, or Windows Server 2003). However, all objects used by the DRAC 5 querying process (user, RAC Device Object, and Association Object) must be in the same domain. The Dell-extended Active Directory Users and Computers snap-in checks the mode and, in mixed mode, prevents users from creating objects across domains.

DRAC 5 Active Directory supports multiple domain environments provided the domain forest function level is Native mode or Windows 2003 mode. In addition, the groups among Association Object, RAC user objects, and RAC Device Objects (including Association Object) must be universal groups.

NOTE: The Association Object and the Privilege Object must be in the same domain. The Dell-extended Active Directory Users and Computers snap-in forces you to create these two objects in the same domain. Other objects can be in different domains.

Using Active Directory to Log Into the DRAC 5

You can use Active Directory to log in to the DRAC 5 using one of the following methods:
Web-based interface
Remote RACADM
Serial or telnet console

The login syntax is the same for all three methods:

<username@domain> or <domain>\<username> or <domain>/<username>

where username is an ASCII string of 1–256 bytes.
White space and special characters (such as \, /, or @) cannot be used in the user name or the domain name.

NOTE: You cannot specify NetBIOS domain names, such as Americas, because these names cannot be resolved.

You can also log into the DRAC 5 using a Smart Card. For more information, see Logging Into the DRAC 5 Using Active Directory Smart Card Authentication.

Using Active Directory Single Sign-On

You can enable the DRAC 5 to use Kerberos, a network authentication protocol, to provide single sign-on to the DRAC 5. For more information on setting up the DRAC 5 to use the Active Directory Single Sign-On feature, see Enabling Kerberos Authentication.

Configuring the DRAC 5 to Use Single Sign-On

1 Navigate to Remote Access→ Configuration tab→ Active Directory subtab→ select Configure Active Directory.
2 On the Active Directory Configuration and Management page, select Single Sign-On. This option enables you to log into the DRAC 5 directly after logging into your workstation.

Logging Into the DRAC 5 Using Single Sign-On

1 Log into your workstation using your network account.
2 Access the DRAC Web page using https:

https://<IP address>

If the default HTTPS port number (port 443) has been changed, type:

https://<IP address>:<port number>

where IP address is the IP address of the DRAC 5 and port number is the HTTPS port number. The DRAC 5 Single Sign-On page appears.
3 Click Login. The DRAC 5 logs you in using the credentials that were cached in the operating system when you logged in with your valid Active Directory account.

Frequently Asked Questions

Are there any restrictions on Domain Controller SSL configuration?

Yes. All Active Directory servers' SSL certificates in the forest must be signed by the same root CA, since the DRAC 5 only allows uploading one trusted CA SSL certificate.

I created and uploaded a new RAC certificate and now the Web-based interface does not launch.

If you use Microsoft Certificate Services to generate the RAC certificate, one possible cause is that you inadvertently chose User Certificate instead of Web Certificate when creating the certificate. To recover, generate a CSR, create a new web certificate from Microsoft Certificate Services, and load it using the RACADM CLI from the managed system with the following racadm commands:

racadm sslcsrgen [-g] [-u] [-f (unknown)]
racadm sslcertupload -t 1 -f {web_sslcert}

What can I do if I cannot log into the DRAC 5 using Active Directory authentication? How do I troubleshoot the issue?

1 Ensure that you use the correct user domain name during a login and not the NetBIOS name.
2 If you have a local DRAC user account, log into the DRAC 5 using your local credentials. After you are logged in:
a Ensure that you have checked the Enable Active Directory box on the DRAC 5 Active Directory configuration page.
b Ensure that the DNS setting is correct on the DRAC 5 Networking configuration page.
c Ensure that you have uploaded the Active Directory certificate from your Active Directory root CA to the DRAC 5.
d Check the Domain Controller SSL certificates to ensure that they have not expired.
e Ensure that your DRAC Name, Root Domain Name, and DRAC Domain Name match your Active Directory environment configuration.
f Ensure that the DRAC 5 password has a maximum of 127 characters. While the DRAC 5 can support passwords of up to 256 characters, Active Directory only supports passwords with a maximum length of 127 characters.
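As an added example, not from the Dell manual, the login-syntax rules from Using Active Directory to Log Into the DRAC 5 and the troubleshooting checks above (no NetBIOS domain, 127-character Active Directory password limit) collected into a small Python validator. Treating a domain name without a dot as an unresolvable NetBIOS name is an assumption of this example, not a documented DRAC 5 check.

```python
from dataclasses import dataclass

# Limits taken from the manual: user name is 1-256 bytes of ASCII; white space
# and \ / @ are not allowed in the user name or domain name; the DRAC 5 accepts
# passwords up to 256 characters but Active Directory only accepts 127.
USERNAME_MAX_BYTES = 256
AD_PASSWORD_MAX_CHARS = 127
FORBIDDEN = set("\\/@")

@dataclass
class DracLogin:
    username: str
    domain: str

def parse_ad_login(login: str) -> DracLogin:
    """Parse the three accepted forms: user@domain, domain\\user, domain/user."""
    if "@" in login:
        user, _, domain = login.partition("@")
    elif "\\" in login:
        domain, _, user = login.partition("\\")
    elif "/" in login:
        domain, _, user = login.partition("/")
    else:
        raise ValueError("login must be user@domain, domain\\user or domain/user")
    for part, label in ((user, "user name"), (domain, "domain name")):
        if not part:
            raise ValueError(f"{label} is empty")
        if any(c.isspace() or c in FORBIDDEN for c in part):
            raise ValueError(f"{label} contains white space or one of \\ / @")
    if not user.isascii() or len(user.encode("ascii")) > USERNAME_MAX_BYTES:
        raise ValueError("user name must be ASCII and at most 256 bytes")
    # Assumption of this example: a single-label name such as "Americas" is a
    # NetBIOS name, which the manual says the DRAC 5 cannot resolve.
    if "." not in domain:
        raise ValueError(f"'{domain}' looks like a NetBIOS name; use the DNS domain name")
    return DracLogin(username=user, domain=domain)

def ad_password_ok(password: str) -> bool:
    """Active Directory accepts at most 127 characters even though DRAC 5 allows 256."""
    return 1 <= len(password) <= AD_PASSWORD_MAX_CHARS

if __name__ == "__main__":
    # Constructed sample logins, one per accepted form plus a NetBIOS-style rejection.
    for sample in ("jdoe@corp.example.com", "corp.example.com\\jdoe", "Americas\\jdoe"):
        try:
            print(sample, "->", parse_ad_login(sample))
        except ValueError as err:
            print(sample, "rejected:", err)
```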
Configuring Smart Card Authentication

The Dell™ Remote Access Controller 5 (DRAC 5) version 1.30 and later support two-factor authentication for logging into the DRAC 5 Web interface. This support is provided by the Smart Card Logon feature on the DRAC 5.

Traditional authentication schemes use a user name and password to authenticate users. This provides minimal security. Two-factor authentication, on the other hand, provides a higher level of security by requiring users to have a password or PIN and a private key for a digital certificate. Two-factor authentication requires users to verify their identities by providing both factors.

Configuring Smart Card Login in DRAC 5

Enable the DRAC 5 Smart Card logon feature from Remote Access→ Configuration→ Smart Card. If you select:
Disable Smart Card configuration, you are prompted for a Microsoft® Active Directory® or local logon username and password.
Enable or Enable with Remote Racadm, you are prompted for a Smart Card logon during any subsequent logon attempts using the GUI.

When you select Enable, all command line interface (CLI) out-of-band interfaces, such as telnet, ssh, serial, remote racadm, and IPMI over LAN, are disabled. This is because these services support only single-factor authentication. When you select Enable with Remote Racadm, all CLI out-of-band interfaces except remote racadm are disabled.
NOTE: Dell recommends that the DRAC 5 administrator use the Enable with Remote Racadm setting only to access the DRAC 5 user interface to run scripts using the remote racadm commands. If the administrator does not need to use remote racadm, Dell recommends the Enabled setting for Smart Card logon. Also, ensure that the DRAC 5 local user configuration and/or Active Directory configuration is complete before enabling Smart Card Logon.

If you select Enable CRL check for Smart Card Logon, the user's DRAC certificate is checked for revocation against the Certificate Revocation List (CRL) downloaded from the CRL distribution server.

NOTE: The CRL distribution servers are listed in the Smart Card certificates of the users.