HP Ilo 3 User Guide
objects meaningful names, such as the device network address, DNS name, host server name, or serial number.
• Configure Lights-Out management devices
Every LOM device that uses the directory service to authenticate and authorize users must be configured with the appropriate directory settings. For information on the specific directory settings, see "Configuring authentication and directory server settings" (page 52). In general, you can configure each device with the appropriate directory server address, LOM object DN, and any user contexts. The server address is the IP address or DNS name of a local directory server or, for more redundancy, a multihost DNS name.
Creating roles to follow organizational structure
Often, administrators in an organization are placed in a hierarchy in which subordinate administrators must assign rights independently of ranking administrators. In this case, it is useful to have one role that represents the rights assigned by higher-level administrators, and to allow subordinate administrators to create and manage their own roles.
Using existing groups
Many organizations have users and administrators arranged in groups. In many cases, it is convenient to use the existing groups and associate them with one or more Lights-Out Management role objects. When the devices are associated with the role objects, the administrator controls access to the Lights-Out devices associated with the role by adding or deleting members from the groups.
When using Microsoft Active Directory, you can place one group within another (that is, use nested groups). Role objects are considered groups and can include other groups directly. Add the existing nested group directly to the role, and assign the appropriate rights and restrictions. You can add new users to either the existing group or the role.
When you are using trustee or directory rights assignments to extend role membership, users must be able to read the LOM object that represents the LOM device. Some environments require that the trustees of a role also be read trustees of the object to successfully authenticate users.
Using multiple roles
Most deployments do not require that the same user be in multiple roles managing the same device.
However, these configurations are useful for building complex rights relationships. When users build multiple-role relationships, they receive all rights assigned by every applicable role. Roles can only grant rights, never revoke them. If one role grants a user a right, then the user has the right, even if the user is in another role that does not grant that right.
Typically, a directory administrator creates a base role with the minimum number of rights assigned, and then creates additional roles to add more rights. These additional rights are added under specific circumstances or to a specific subset of the base role users.
For example, an organization can have two types of users: administrators of the LOM device or host server, and users of the LOM device. In this situation, it makes sense to create two roles, one for the administrators and one for the users. Both roles include some of the same devices but grant different rights. Sometimes, it is useful to assign generic rights to the lesser role and include the LOM administrators in that role, as well as the administrative role.
An Admin user gains the login right from the regular user role. Advanced rights are assigned through the Admin role, which assigns the advanced rights Server Reset and Remote Console (Figure 103).
Directory-enabled remote management 191
Figure 103 Admin user
[Figure 103 labels: Admin User, User Role, Admin Role, Server.]
The Admin role assigns all Admin rights: Server Reset, Remote Console, and Login (Figure 104).
Figure 104 Admin role
[Figure 104 labels: Admin User, User Role, Admin Role, Server.]
How directory login restrictions are enforced
Two sets of restrictions can limit a directory user's access to LOM devices (Figure 105).
• User access restrictions limit a user's access to authenticate to the directory.
• Role access restrictions limit an authenticated user's ability to receive LOM privileges based on rights specified in one or more roles.
Figure 105 Directory login restrictions
[Figure 105 labels: User LOM, Client Workstation, Directory Server. User access restrictions: user restrictions must be met to authenticate to the directory; enforced by the directory server. Role access restrictions: role restrictions must be met to receive rights granted by 1 or more roles; enforced by LOM.]
Restricting roles
Restrictions allow administrators to limit the scope of a role. A role grants rights only to users who satisfy the role restrictions. Using restricted roles results in users who have dynamic rights that can change based on the time of day or network address of the client.
NOTE: When directories are enabled, access to a particular iLO is based on whether the user has read access to a role object that contains the corresponding iLO object. This includes, but is not limited to, the members listed in the role object. If the role is configured to allow inheritable permissions to propagate from a parent, members of the parent that have read access privileges will also have access to iLO. To view the access control list, navigate to Active Directory Users and Computers, open the Properties page for the role object, and then click the Security tab. The Advanced View must be enabled in MMC in order to view the Security tab.
For instructions on how to create network and time restrictions for a role, see "Role Restrictions tab" (page 179) or "Role Restrictions tab" (page 187).
Role time restrictions
Administrators can place time restrictions on LOM roles. Users are granted the rights specified for the LOM devices listed in the role only if they are members of the role and meet the time restrictions for the role. LOM devices use local host time to enforce time restrictions. If the LOM device clock is not set, the role time restriction fails unless no time restrictions are specified for the role.
Role-based time restrictions can be met only if the time is set on the LOM device. The time is normally set when the host is booted. The time setting can be maintained by configuring SNTP or by running the agents in the host operating system, which allows the LOM device to compensate for leap years and minimize clock drift with respect to the host. Events, such as unexpected power loss or flashing LOM firmware, can cause the LOM device clock to not be set. Also, the host time must be correct for the LOM device to preserve time across firmware flashes.
Role address restrictions
Role address restrictions are enforced by the LOM firmware, based on the client IP network address. When the address restrictions are met for a role, the rights granted by the role apply.
Address restrictions can be difficult to manage if access is attempted across firewalls or through network proxies. Either of these mechanisms can change the apparent network address of the client, causing the address restrictions to be enforced in an unexpected manner.
User restrictions
You can restrict access using address or time restrictions.
User address restrictions
Administrators can place network address restrictions on a directory user account, which are enforced by the directory server. For information about the enforcement of address restrictions on LDAP clients, such as a user logging in to a LOM device, see the documentation for the directory service.
Network address restrictions placed on the user in the directory might not be enforced in the expected manner if the directory user logs in through a proxy server. When a user logs in to a LOM device as a directory user, the LOM device attempts authentication to the directory as that user, which means that address restrictions placed on the user account apply when the user is accessing the LOM device. However, because the user is proxied at the LOM device, the network address of the authentication attempt is that of the LOM device, not that of the client workstation.
IP address range restrictions
IP address range restrictions enable the administrator to specify network addresses that are granted or denied access. The address range is typically specified in a low-to-high range format. An address range can be specified to grant or deny access to a single address. Addresses that fall within the low-to-high IP address range meet the IP address restriction.
IP address and subnet mask restrictions
IP address and subnet mask restrictions enable the administrator to specify a range of addresses that are granted or denied access. This format has similar capabilities to an IP address range, but might be more native to your networking environment. An IP address and subnet mask range is typically specified through a subnet address and address bit mask that identifies addresses on the same logical network.
In binary math, if the bits of a client machine address, combined with the bits of the subnet mask, match the subnet address in the restriction, the client machine meets the restriction.
DNS-based restrictions
DNS-based restrictions use the network name service to examine the logical name of the client machine by looking up machine names assigned to the client IP addresses. DNS restrictions require a functional name server. If the name service goes down or cannot be reached, DNS restrictions cannot be matched and the client machine fails to meet the restriction.
DNS-based restrictions can limit access to a specific machine name or to machines that share a common domain suffix. For example, the DNS restriction www.example.com matches hosts that are assigned the domain name www.example.com. However, the DNS restriction *.example.com matches any machine that originates from the example company.
DNS restrictions can cause ambiguity because a host can be multi-homed. DNS restrictions do not necessarily match one to one with a single system.
Using DNS-based restrictions can create security complications. Name service protocols are not secure. Any individual who has malicious intent and access to the network can place a rogue DNS service on the network and create a fake address restriction criterion. When implementing DNS-based address restrictions, be sure to take organizational security policies into consideration.
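The three address restriction formats above (low-to-high range, subnet address plus mask, and DNS name or *.suffix) can be modelled directly. The following is an added example, not HP's code and not how the iLO firmware is implemented: it evaluates each format against a client address, fails the DNS check when the name lookup returns nothing (the "name service down" case), and builds the "DENY except to corporate subnet" policy from the figures as a default-deny list with one ALLOW rule. The reverse-lookup table, the 16.100.224.0/23 "corporate subnet", and the first-match-wins ordering are constructed assumptions of this example.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed reverse-lookup table standing in for the name service. An empty
# answer models "name server down or unreachable": the DNS check must then fail.
REVERSE_DNS = {
    "16.100.225.20": ["www.example.com"],
    "16.100.225.21": ["mail.example.com"],
    "203.0.113.7": [],
}


def matches_ip_range(client_ip, low, high):
    """Low-to-high range check; low == high restricts to a single address."""
    ip = int(ipaddress.IPv4Address(client_ip))
    return int(ipaddress.IPv4Address(low)) <= ip <= int(ipaddress.IPv4Address(high))


def matches_subnet(client_ip, subnet_address, subnet_mask):
    """The client address ANDed with the mask must equal the subnet address."""
    ip = int(ipaddress.IPv4Address(client_ip))
    mask = int(ipaddress.IPv4Address(subnet_mask))
    net = int(ipaddress.IPv4Address(subnet_address))
    return (ip & mask) == (net & mask)


def matches_dns(client_ip, pattern, lookup=REVERSE_DNS):
    """Exact host name, or *.suffix for every host under a domain.
    A failed or empty lookup never satisfies the restriction."""
    names = lookup.get(client_ip, [])
    return any(fnmatchcase(name, pattern) for name in names)


def evaluate_restriction(client_ip, rule):
    kind = rule["type"]
    if kind == "range":
        return matches_ip_range(client_ip, rule["low"], rule["high"])
    if kind == "subnet":
        return matches_subnet(client_ip, rule["address"], rule["mask"])
    if kind == "dns":
        return matches_dns(client_ip, rule["pattern"])
    raise ValueError(f"unknown restriction type {kind!r}")


def access_allowed(client_ip, rules, default="DENY"):
    """Each rule carries an action (ALLOW or DENY); the first rule the client
    matches decides, and a client matching no rule gets the default.
    First-match ordering and the default are assumptions of this example."""
    for rule in rules:
        if evaluate_restriction(client_ip, rule):
            return rule["action"] == "ALLOW"
    return default == "ALLOW"


# "DENY except to corporate subnet" (Figure 107): default deny plus one ALLOW
# rule. 16.100.224.0/23 is a constructed stand-in for the corporate subnet.
CORPORATE_ONLY = [
    {"type": "subnet", "address": "16.100.224.0",
     "mask": "255.255.254.0", "action": "ALLOW"},
]

if __name__ == "__main__":
    for ip in ("16.100.225.20", "203.0.113.7"):
        print(ip, "allowed" if access_allowed(ip, CORPORATE_ONLY) else "denied")
```

The subnet check is the "binary math" sentence above made explicit: the mask 255.255.254.0 clears the low nine bits, so 16.100.225.20 reduces to 16.100.224.0 and matches, while 16.100.226.5 reduces to 16.100.226.0 and does not. The DNS helper shows why a broken name service fails closed: with no names to compare, nothing can match the pattern.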
User time restrictions
Administrators can place a time restriction on directory user accounts (Figure 106). Time restrictions limit the ability of the user to log in (authenticate) to the directory. Typically, time restrictions are enforced using the time at the directory server. If the directory server is located in a different time zone, or if a replica in a different time zone is accessed, time-zone information from the managed object can be used to adjust for relative time.
The directory server evaluates user time restrictions, but the determination can be complicated by time-zone changes or the authentication mechanism.
Figure 106 User time restrictions
[Figure 106 labels: User LOM, Client Workstation, Directory Server; user time restrictions are enforced by the directory server.]
Creating multiple restrictions and roles
The most useful application of multiple roles is restricting one or more roles so that rights do not apply in all situations. Other roles provide different rights under different constraints. Using multiple restrictions and roles enables the administrator to create arbitrary, complex rights relationships with a minimum number of roles.
For example, an organization might have a security policy in which LOM administrators are allowed to use the LOM device from within the corporate network, but can reset the server only after regular business hours.
Directory administrators might be tempted to create two roles to address this situation, but extra caution is required. Creating a role that provides the required server reset rights and restricting it to after hours might allow administrators outside the corporate network to reset the server, which is contrary to most security policies.
In the example shown in Figure 107 (page 195), security policy dictates that general use is restricted to clients in the corporate subnet, and server reset capability is restricted to after hours.
Figure 107 Creating restrictions and roles
Alternatively, the directory administrator might create a role that grants the login right and restrict it to the corporate network, and then create another role that grants only the server reset right and restrict it to after-hours operation. This configuration is easier to manage but more dangerous because ongoing administration might create another role that grants the login right to users from addresses outside the corporate network. This role might unintentionally grant the LOM administrators in the server Reset role the ability to reset the server from anywhere, if they satisfy the role's time constraints.
The previous configuration (Figure 107) meets corporate security requirements. However, adding another role that grants the login right can inadvertently grant server reset privileges from outside the corporate subnet after hours. A more manageable solution would be to restrict the Reset role and the General Use role, as shown in Figure 108 (page 195).
Figure 108 Restricting the Reset and General Use roles
[Figure 107 labels: User; General Use Role assigns Login Right, IP Restrictions: DENY except to corporate subnet; Reset Role assigns Server Reset Right, Time Restriction: Denied Monday through Friday, 8 a.m. to 5 p.m.; Server.]
[Figure 108 labels: User; General Use Role assigns Login Right, IP Restrictions: DENY except to corporate subnet; Reset Role assigns Server Reset Right AND Login Right, Time Restriction: Denied Monday through Friday, 8 a.m. to 5 p.m., IP Restriction: DENY except to corporate subnet; Server.]
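The rules in "Using multiple roles" (rights are the union of every applicable role; roles only grant, never revoke) and the two configurations in Figures 107 and 108 can be checked by evaluating each role's restrictions for a given client address and local time. The following is an added example, not HP's code and not iLO's implementation. It assumes, as the text relies on, that a session must hold the Login right before any other right can be exercised; the 10.0.0.0/8 "corporate subnet", the client addresses, the dates and the role names are constructed for the example. The "Remote Login" role stands for the extra login role that "ongoing administration" might create later.

```python
import ipaddress
from datetime import datetime, time

LOGIN, SERVER_RESET, REMOTE_CONSOLE = "Login", "Server Reset", "Remote Console"


class Role:
    """A directory role: rights plus optional address and time restrictions.
    The address restriction is modelled as one allowed network, the time
    restriction as a denied weekday window evaluated in LOM local time."""

    def __init__(self, name, rights, allowed_network=None, denied_weekday_window=None):
        self.name = name
        self.rights = frozenset(rights)
        self.allowed_network = ipaddress.ip_network(allowed_network) if allowed_network else None
        self.denied_weekday_window = denied_weekday_window  # (start, end) as datetime.time

    def applies(self, client_ip, when):
        if self.allowed_network is not None and \
                ipaddress.ip_address(client_ip) not in self.allowed_network:
            return False
        if self.denied_weekday_window is not None:
            start, end = self.denied_weekday_window
            if when.weekday() < 5 and start <= when.time() < end:
                return False
        return True


def effective_rights(roles, member_of, client_ip, when):
    """Union of the rights of every role the user belongs to whose restrictions
    are met. Roles only grant; nothing here ever removes a right."""
    granted = set()
    for role in roles:
        if role.name in member_of and role.applies(client_ip, when):
            granted |= role.rights
    return granted


def usable_rights(rights):
    """Assumption of this example: without the Login right no other right can
    be exercised, which is why an extra login role is what makes Reset reachable."""
    return set(rights) if LOGIN in rights else set()


CORPORATE = "10.0.0.0/8"                      # constructed corporate subnet
BUSINESS_HOURS = (time(8, 0), time(17, 0))    # denied Monday-Friday, 8 a.m. to 5 p.m.

# Figure 103/104: the User role grants Login, the Admin role the advanced rights.
FIGURE_103 = [
    Role("User", {LOGIN}),
    Role("Admin", {SERVER_RESET, REMOTE_CONSOLE}),
]
# Figure 107: General Use restricted to the subnet, Reset restricted to after hours.
FIGURE_107 = [
    Role("General Use", {LOGIN}, allowed_network=CORPORATE),
    Role("Reset", {SERVER_RESET}, denied_weekday_window=BUSINESS_HOURS),
]
# Figure 108: Reset also grants Login and also carries the subnet restriction.
FIGURE_108 = [
    Role("General Use", {LOGIN}, allowed_network=CORPORATE),
    Role("Reset", {SERVER_RESET, LOGIN}, allowed_network=CORPORATE,
         denied_weekday_window=BUSINESS_HOURS),
]
# The unrestricted login role that later administration might add.
REMOTE_LOGIN = Role("Remote Login", {LOGIN})

ALL_ROLES = {"User", "Admin", "General Use", "Reset", "Remote Login"}


def scenario(roles, client_ip, when, member_of=ALL_ROLES):
    return usable_rights(effective_rights(roles, member_of, client_ip, when))


# Constructed inputs: one address outside the corporate subnet, one inside,
# a Saturday evening (weekday() == 5) and a Wednesday morning.
OUTSIDE = "203.0.113.7"
INSIDE = "10.20.30.40"
SATURDAY_NIGHT = datetime(2024, 1, 6, 22, 0)
WEDNESDAY_MORNING = datetime(2024, 1, 3, 10, 0)

if __name__ == "__main__":
    print("Figure 107, outside, after hours:", scenario(FIGURE_107, OUTSIDE, SATURDAY_NIGHT))
    print("Figure 107 + Remote Login:      ", scenario(FIGURE_107 + [REMOTE_LOGIN], OUTSIDE, SATURDAY_NIGHT))
    print("Figure 108 + Remote Login:      ", scenario(FIGURE_108 + [REMOTE_LOGIN], OUTSIDE, SATURDAY_NIGHT))
```

Run as written, the Figure 107 layout on its own yields no usable rights to an outside client after hours (Reset applies, but nothing grants Login), which is why the text says it meets the policy. Adding the unrestricted login role turns that into Login plus Server Reset from anywhere after hours, the failure the text warns about. With the Figure 108 layout the same added role yields Login only, because the Reset role itself now checks the client address.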
Using bulk import tools
Adding and configuring large numbers of LOM objects is time consuming. HP provides several utilities to assist with these tasks.
• HP Lights-Out Migration utility
The HP Lights-Out Migration utility imports and configures multiple LOM devices. It includes a GUI that provides a step-by-step approach to implementing or upgrading large numbers of management processors. HP recommends using this GUI method when upgrading several management processors. For more information, see "Using HP Directories Support for ProLiant Management Processors" (page 197).
• HP SIM utilities
The HP SIM utilities enable you to perform the following tasks:
◦ Manage multiple LOM devices.
◦ Discover the LOM devices as management processors by using HPQLOCFG to send a RIBCL XML script file to a group of LOM devices. The LOM devices perform the actions designated by the RIBCL file and send a response to the HPQLOCFG log file. For more information, see the HP iLO 3 Scripting and Command Line Guide.
• Traditional import utilities
Administrators familiar with tools such as LDIFDE or the NDS Import/Export Wizard can use these utilities to import or create many LOM device objects in the directory. Administrators must still configure the devices manually, as described earlier, but can do so at any time. Programmatic or scripting interfaces can also be used to create the LOM device objects in the same way as users or other objects. For information about attributes and attribute data formats when you are creating LOM objects, see "Directory services schema" (page 239).
HP Directories Support for ProLiant Management Processors utility
You can download this utility from http://www.hp.com/support/ilo3.
The HP Directories Support for ProLiant Management Processors utility (HPLOMIG.exe) is for customers who installed management processors and want to simplify the migration of these processors to management by directories. The utility automates some of the migration steps necessary for the management processors to support directory services. The utility can do the following:
• Discover management processors on the network.
• Upgrade the management processor firmware.
• Name the management processors to identify them in the directory.
• Create objects in the directory that correspond to each management processor, and associate them with a role.
• Configure the management processors to enable them to communicate with the directory.
Compatibility
The HP Directories Support for ProLiant Management Processors utility operates on Microsoft Windows and requires the Microsoft .NET Framework. The utility supports the following operating systems:
• Windows Server 2003 32-bit, 64-bit
• Windows Server 2008 32-bit, 64-bit
• Windows Server 2008 R2
• Windows Vista
• Windows 7
• Windows 2012
HP Directories Support for ProLiant Management Processors package
The migration software, schema extender, and management snap-ins are included in the HP Directories Support for ProLiant Management Processors package. You can download the installer from http://www.hp.com/support/ilo3. To complete the migration of your management processors, you must extend the schema and install the management snap-ins before running the migration tool.
To install the migration utilities, start the installer, and then click HP Directories Support for ProLiant Management Processors, as shown in Figure 109 (page 197).
Figure 109 HP Directories Support for ProLiant Management Processors installer
The HPLOMIG.exe file, the required DLLs, the license agreement, and other files are installed in the directory C:\Program Files\Hewlett-Packard\HP Directories Support for ProLiant Management Processors. You can select a different directory. The installer creates a shortcut to HP Directories Support for ProLiant Management Processors on the Start menu and installs a sample XML file.
NOTE: If the installation utility detects that the .NET Framework is not installed, it displays an error message and exits.
Using HP Directories Support for ProLiant Management Processors
The HP Directories Support for ProLiant Management Processors utility automates the process of migrating management processors by creating objects in the directory that correspond to each management processor and associating them with a role. HP Directories Support for ProLiant Management Processors has a GUI and provides a wizard for implementing or upgrading multiple management processors.
Finding management processors
The first migration step is to discover all management processors that you want to enable for directory services. You can search for management processors by using DNS names, IP addresses, or IP address wildcards. The following rules apply to the values entered in the Addresses box:
• DNS names, IP addresses, and IP address wildcards must be delimited with semicolons.
• The IP address wildcard uses the asterisk (*) character in the third and fourth octet fields. For example, IP address 16.100.*.* is valid, and IP address 16.*.*.* is invalid.
• Ranges can also be specified using a hyphen. For example, 192.168.0.2-10 is a valid range. A hyphen is supported only in the rightmost octet.
• After you click Find, the utility begins pinging and connecting to port 443 (the default SSL port) to determine whether the target network address is a management processor. If the device does not respond to the ping or connect appropriately on port 443, the utility determines that it is not a management processor.
If you click Next, click Back, or exit the utility during discovery, operations on the current network address are completed, but those on subsequent network addresses are canceled.
To discover your management processors:
1. Select Start→All Programs→Hewlett-Packard→HP Directories Support for ProLiant Management Processors.
The Welcome page opens.
2. Click Next.
The Find Management Processors window opens.
3. In the Addresses box, enter the values to perform the management processor search.
4. Enter your iLO login name and password, and then click Find.
When the search is complete, the management processors are listed and the Find button changes to Verify, as shown in Figure 110 (page 199).
Figure 110 Find Management Processors window
You can also enter a list of management processors from a file by clicking Import. The file is a simple text file with one management processor listed per line. The columns, which are delimited with semicolons, are as follows:
• Network Address
• Product
• F/W Version
• DNS Name
• User Name
• Password
• LDAP Status
• Kerberos Status
For example, one line might have the following information:
16.100.225.20;iLO;1.10;ILOTPILOT2210;user;password;Default Schema;Kerberos Disabled
If, for security reasons, the user name and password cannot be included in the file, leave these columns blank, but enter the semicolons.
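The two discovery inputs described above, the Addresses box (semicolon-delimited DNS names, IP addresses, wildcards only in the third and fourth octets, a hyphen range only in the rightmost octet) and the Import file (eight semicolon-delimited columns with the credential columns optionally blank), have precise enough rules to be parsed and validated before anything is sent to the network. The following is an added example, not HP's code and not what HPLOMIG.exe does internally; it expands Addresses-box entries into the individual targets they stand for, rejects entries the rules forbid, and parses import lines into records while flagging those with no credentials. The sample import text is constructed from the example line on this page plus one line with blank credentials; allowing a wildcard in the third octet with a fixed fourth octet is an assumption beyond the two examples the text gives.

```python
import itertools
import re

IMPORT_COLUMNS = ("network_address", "product", "fw_version", "dns_name",
                  "user_name", "password", "ldap_status", "kerberos_status")


def parse_import_file(text):
    """One management processor per line, eight semicolon-delimited columns.
    User name and password may be blank, but their semicolons must be present."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) != len(IMPORT_COLUMNS):
            raise ValueError(f"line {lineno}: expected {len(IMPORT_COLUMNS)} "
                             f"columns, got {len(fields)}")
        record = dict(zip(IMPORT_COLUMNS, (f.strip() for f in fields)))
        record["has_credentials"] = bool(record["user_name"] and record["password"])
        records.append(record)
    return records


_OCTET_RANGE = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def _octet_values(token, position):
    """Values one octet token stands for, enforcing the Addresses-box rules:
    '*' only in the third or fourth octet, a hyphen range only in the rightmost."""
    if token == "*":
        if position < 2:
            raise ValueError("wildcard allowed only in the third and fourth octets")
        return range(256)
    m = _OCTET_RANGE.match(token)
    if not m:
        raise ValueError(f"bad octet {token!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    if m.group(2) and position != 3:
        raise ValueError("hyphen range allowed only in the rightmost octet")
    if not 0 <= low <= high <= 255:
        raise ValueError(f"octet values out of order or out of range: {token!r}")
    return range(low, high + 1)


def expand_entry(entry):
    """Expand one Addresses-box entry. Anything that is not a dotted quad
    (with optional wildcards or a range) is passed through as a DNS name."""
    parts = entry.split(".")
    looks_numeric = len(parts) == 4 and all(p == "*" or _OCTET_RANGE.match(p) for p in parts)
    if not looks_numeric:
        return [entry]
    octets = [_octet_values(p, i) for i, p in enumerate(parts)]
    return [".".join(map(str, combo)) for combo in itertools.product(*octets)]


def expand_addresses(box_value):
    """Split the Addresses box on semicolons and expand every entry."""
    targets = []
    for entry in box_value.split(";"):
        entry = entry.strip()
        if entry:
            targets.extend(expand_entry(entry))
    return targets


def is_valid_addresses(box_value):
    """True when every entry in the box obeys the rules above."""
    try:
        expand_addresses(box_value)
        return True
    except ValueError:
        return False


# Constructed sample: the page's example line plus one with blank credentials.
SAMPLE_IMPORT = (
    "16.100.225.20;iLO;1.10;ILOTPILOT2210;user;password;Default Schema;Kerberos Disabled\n"
    "16.100.225.21;iLO;1.10;ILOTPILOT2211;;;Default Schema;Kerberos Disabled\n"
)

if __name__ == "__main__":
    for rec in parse_import_file(SAMPLE_IMPORT):
        print(rec["network_address"], rec["dns_name"], "credentials" if rec["has_credentials"] else "no credentials")
    print(len(expand_addresses("192.168.0.2-10;ilo1.example.com;16.100.225.*")), "targets")
```

Expanding before scanning makes the size of a discovery visible: 192.168.0.2-10 is nine targets, but 16.100.*.* is 65,536, each of which the utility will ping and connect to on port 443. The import parser keeps the blank-credential lines the text describes and marks them, so a caller can prompt for the password instead of storing it in the file.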
Upgrading firmware on management processors
The Upgrade Firmware page enables you to update the firmware on your iLO management processors. It also enables you to designate the location of the firmware image for each management processor by entering the path or clicking Browse.
NOTE: Binary images of the firmware for the management processors must be accessible from the system that is running the migration utility. These binary images can be downloaded from http://www.hp.com/support/ilo3.
The upgrade process might take a long time, depending on the number of management processors selected. The firmware upgrade of a single management processor can take as long as 5 minutes to complete. If an upgrade fails, a message is displayed in the Results column, and the utility continues to upgrade the other discovered management processors.
IMPORTANT: HP recommends that you test the upgrade process and verify the results in a test environment before running the utility on a production network. An incomplete transfer of the firmware image to a management processor might result in having to locally reprogram the management processor.
To upgrade the firmware on your management processors:
1. Navigate to the Upgrade Firmware on Management Processors window, as shown in Figure 111 (page 200).
Figure 111 Upgrade Firmware on Management Processors window
2. Select the management processors to upgrade.
3. For each discovered management processor type, enter the correct path name to the firmware image or browse to the image.