HP Ilo 3 User Guide
Have a look at the manual HP Ilo 3 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 1114 HP manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
3.ClickOKtocontinue. iLOresetsandclosesyourbrowserconnection. Waitatleast30secondsbeforeyouattempttore-establishaconnection. iLOlicensing HPiLOstandardfeaturesareincludedineveryHPProLiantservertosimplifyserversetup,engage healthmonitoring,monitorpowerandthermalcontrol,andpromoteremoteadministration. HPiLOAdvancedandHPiLOAdvancedforBladeSystemlicensesactivatefunctionalitysuchas graphicalRemoteConsolewithmultiusercollaboration,videorecord/playback,andmanymore advancedfeatures. UnlockingiLOlicensedfeatureshasneverbeeneasier.Simplychooseandinstallthelicensethat bestsuitsyourcompany'sinfrastructure. iLOAdvanced—EnablesthefullsetofiLOfeatures. •iLOAdvancedSingleServerLicense •iLOAdvancedElectronicLicense •iLOAdvancedFlexibleQuantityLicense •iLOAdvancedVolumeLicense Fordetailsonpurchasinglicenses,seethefollowingwebsite:http://www.hp.com/go/ilo/licensing. Foralistofthefeaturesthatareincludedwitheachlicense,see“iLOlicenseoptions”(page238). ConsiderthefollowingaboutiLOlicenses: •iLOlicensesareversionless,meaning,regardlessoftheversionofiLOyouhaveenabled(iLO 2,iLO3,oriLO4),aniLOlicensecanbeapplied.Forfeaturesthatarespecifictotheversion ofiLOonyourProLiantserver,see“iLOlicenseoptions”(page238). •IfyoupurchaseaniLOlicensewithanyInsightControlsoftwaresuite,HPprovidestheTechnical SupportandUpdateService.Formoreinformation,see“Supportandotherresources” (page235). •IfyoupurchaseaniLOlicenseasaone-timeactivationoflicensedfeatures,youmustpurchase futurefunctionalupgrades. •OneiLOlicenseisrequiredforeachserveronwhichtheproductisinstalledandused.Licenses arenottransferable.YoucannotlicenseanHPProLiantSL/ML/DLserverbyusinga BladeSystemlicense. •HPwillcontinuetoprovidemaintenancereleaseswithfixes,aswellasiLOstandardfeature enhancements,atnoextracharge. FreeiLO60-dayevaluationlicense AfreeiLOevaluationlicenseisavailablefordownloadfromthefollowingHPwebsite:http:// www.hp.com/go/tryinsightcontrol. Whenusinganevaluationlicense,notethefollowing: •TheevaluationlicenseactivatesandenablesaccesstoiLOlicensedfeatures. •Theevaluationlicensekeyisa10-seatkey,meaningitcanbeusedon10differentservers. •Whentheevaluationperiodhasexpired,youriLOsystemwillreturntothestandard functionality. iLOlicensing31
•OnlyoneevaluationlicensecanbeinstalledforeachiLOsystem.TheiLOfirmwarewillnot acceptthereapplicationofanevaluationlicense. •Theevaluationlicenseexpires60daysaftertheinstallationdate.HPwillnotifyyoubyemail whenyourlicenseisabouttoexpire. InstallinganiLOlicensebyusingabrowser YoumusthavetheConfigureiLOSettingsprivilegetoinstallalicense. 1.NavigatetotheAdministration→LicensingpageintheiLOwebinterface. TheLicensingpageopens,asshowninFigure12(page32). Figure12Licensingpage 2.ReviewthelicenseagreementprovidedwithyourHPLicensePackoptionkit. 3.EnterthelicensekeyintheActivationKeyboxes. PresstheTabkeyorclickinsideaboxtomovebetweenboxes.Thecursoradvances automaticallywhenyouenterthelicensekeyintheActivationKeyboxes. 4.ClickInstall. TheEULAconfirmationopens.TheEULAdetailsareavailableintheHPLicensePackoption kit. 5.ClickOK. Thelicensekeyisnowenabled. Fortipsontroubleshootinglicenseinstallation,see“Troubleshootinglicenseinstallation”(page 218). ManagingiLOusersbyusingtheiLOwebinterface TheiLOfirmwareenablesyoutomanageuseraccountsstoredlocallyinthesecureiLOmemory anddirectorygroupaccounts.UseMMCorConsoleOnetomanagedirectory-baseduseraccounts. iLOsupportsupto12userswithcustomizableaccessrights,loginnames,andadvancedpassword encryption.Privilegescontrolindividualusersettings,andcanbecustomizedtomeetuseraccess requirements. Tosupportmorethan12users,youmusthaveaniLOlicense,whichenablesintegrationwithan unlimitednumberofdirectory-baseduseraccounts.FormoreinformationaboutiLOlicensing,see thefollowingwebsite:http://www.hp.com/go/ilo/licensing. 32ConfiguringiLO
Thefollowingprivilegesarerequiredforuseranddirectorygroupadministration: •AdministerUserAccounts—Requiredforadding,modifying,anddeletingusers.Ifyoudonot havethisprivilege,youcanviewyourownsettingsandchangeyourpassword. •ConfigureiLOSettings—Requiredforadding,modifying,anddeletingdirectorygroups.Ifyou donothavethisprivilege,youcanviewdirectorygroups. NOTE:YoucanalsomanageuserswiththeiLORBSU.Formoreinformation,see“Managing iLOusersbyusingiLORBSU”(page18). Viewinglocaluseraccounts Toviewlocalusers,navigatetotheAdministration→UserAdministrationpage,asshownin Figure13(page33). Figure13UserAdministrationpage TheLocalUserstableshowstheloginnames,usernames,andassignedprivilegesofeach configureduser.Movethecursoroveranicontoseetheprivilegename.Theavailableprivileges follow: •RemoteConsoleAccess—EnablesausertoremotelyaccessthehostsystemRemoteConsole, includingvideo,keyboard,andmousecontrol. •VirtualMedia—EnablesausertousetheVirtualMediafeatureonthehostsystem. •VirtualPowerandReset—Enablesausertopower-cycleorresetthehostsystem.These activitiesinterruptthesystemavailability.Auserwiththisprivilegecandiagnosethesystem byusingtheGenerateNMItoSystembutton. •ConfigureiLOSettings—EnablesausertoconfiguremostiLOsettings,includingsecurity settings,andtoremotelyupdatetheiLOfirmware.Thisprivilegedoesnotenablelocaluser accountadministration. AfteriLOisconfigured,revokingthisprivilegefromalluserspreventsreconfigurationusing thewebinterface,HPQLOCFG,ortheCLI.UserswhohaveaccesstoiLORBSUandHPONCFG ManagingiLOusersbyusingtheiLOwebinterface33
canstillreconfigureiLO.OnlyauserwhohastheAdministerUserAccountsprivilegecan enableordisablethisprivilege. •AdministerUserAccounts—Enablesausertoadd,edit,anddeletelocaliLOuseraccounts. Auserwiththisprivilegecanchangeprivilegesforallusers.Ifyoudonothavethisprivilege, youcanviewyourownsettingsandchangeyourownpassword. Viewingdirectorygroups Toviewdirectorygroups,navigatetotheAdministration→UserAdministrationpage,asshownin Figure13(page33). TheDirectoryGroupstableshowsthegroupDN,groupSID,andtheassignedprivilegesforthe configuredgroups.Movethecursoroveranicontoseetheprivilegename.Theavailableprivileges follow: •LoginPrivilege—EnablesmembersofagrouptologintoiLO. •RemoteConsoleAccess—EnablesuserstoremotelyaccessthehostsystemRemoteConsole, includingvideo,keyboard,andmousecontrol. •VirtualMedia—EnablesuserstousetheVirtualMediafeatureonthehostsystem. •VirtualPowerandReset—Enablesuserstopower-cycleorresetthehostsystem.These activitiesinterruptthesystemavailability.Userswiththisprivilegecandiagnosethesystem byusingtheGenerateNMItoSystembutton. •ConfigureiLOSettings—EnablesuserstoconfiguremostiLOsettings,includingsecurity settings,andtoremotelyupdateiLOfirmware. AfteriLOisconfigured,revokingthisprivilegefromalluserspreventsreconfigurationusing thewebinterface,HPQLOCFG,ortheCLI.UserswhohaveaccesstoiLORBSUandHPONCFG canstillreconfigureiLO.OnlyauserwhohastheAdministerUserAccountsprivilegecan enableordisablethisprivilege. •AdministerUserAccounts—Enablesuserstoadd,edit,anddeletelocaliLOuseraccounts. Addingoreditinglocaluseraccounts UserswhohavetheAdministerUserAccountsprivilegecanaddoreditiLOusers. Toaddoreditalocaluser: 1.NavigatetotheAdministration→UserAdministrationpage,asshowninFigure13(page33). 2.Dooneofthefollowing: •ClickNewintheLocalUserssection. •SelectauserintheLocalUserssection,andthenclickEdit. TheAdd/EditLocalUserpageopens,asshowninFigure14(page35). 34ConfiguringiLO
Figure14Add/EditLocalUserpage 3.ProvidethefollowingdetailsintheUserInformationsection: •UserNameappearsintheuserlistontheUserAdministrationpage.Itdoesnothaveto bethesameastheLoginName.Themaximumlengthforausernameis39characters. Theusernamemustuseprintablecharacters.Assigningdescriptiveusernamescanhelp youtoeasilyidentifytheownerofeachloginname. •LoginNameisthenameyouusewhenloggingintoiLO.Itappearsintheuserlistonthe UserAdministrationpage,ontheiLOOverviewpage,andiniLOlogs.TheLoginName doesnothavetobethesameastheUserName.Themaximumlengthforaloginname is39characters.Theloginnamemustuseprintablecharacters. •PasswordandPasswordConfirmsetandconfirmthepasswordthatisusedforlogging intoiLO.TheminimumlengthforapasswordissetontheAccessSettingspage (Figure16).Themaximumlengthforapasswordis39characters.Enterthepassword twiceforverification. Formoreinformationaboutpasswords,see“Passwordguidelines”(page36). 4.Selectfromthefollowingprivileges. •RemoteConsoleAccess •VirtualMedia •VirtualPowerandReset •ConfigureiLOSettings •AdministerUserAccounts ManagingiLOusersbyusingtheiLOwebinterface35
TIP:Clicktheselectallcheckboxtoselectalloftheavailableuserprivileges. Formoreinformationabouteachprivilege,see“Viewinglocaluseraccounts”(page33). 5.Dooneofthefollowing: •ClickAddUsertosavethenewuser. •ClickUpdateUsertosavetheuseraccountchanges. Passwordguidelines HPrecommendsthatyoufollowthesepasswordguidelines: •Passwordsshould: Neverbewrittendownorrecorded◦ ◦Neverbesharedwithothers ◦Notbewordsfoundinadictionary ◦Notbeobviouswords,suchasthecompanyname,productname,username,orlogin name •Passwordsshouldhaveatleastthreeofthefollowingcharacteristics: Onenumericcharacter◦ ◦Onespecialcharacter ◦Onelowercasecharacter ◦Oneuppercasecharacter DependingontheMinimumPasswordLengthsettingontheAccessSettingspage,thepassword canhaveaminimumofzerocharacters(nopassword)andamaximumof39characters.The defaultMinimumPasswordLengthiseightcharacters. IMPORTANT:HPdoesnotrecommendsettingtheMinimumPasswordLengthtofewerthaneight charactersunlessyouhaveaphysicallysecuremanagementnetworkthatdoesnotextendoutside thesecuredatacenter.ForinformationaboutsettingtheMinimumPasswordLength,see “Configuringaccessoptions”(page40). IPMI/DCMIusers TheiLOfirmwarefollowstheIPMI2.0specification.WhenyouareaddingIPMI/DCMIusers,the loginnamemustbeamaximumof16characters,andthepasswordmustbeamaximumof20 characters. 36ConfiguringiLO
WhenyouselectiLOuserprivileges,theequivalentIPMI/DCMIuserprivilegeisdisplayedinthe IPMI/DCMIPrivilegebasedonabovesettingsbox. •User—Auserhasread-onlyaccess.AusercannotconfigureorwritetoiLO,orperformsystem actions. ForIPMIUserprivileges:Disableallprivileges.Anycombinationofprivilegesthatdoesnot meettheOperatorlevelisanIPMIUser. •Operator—Anoperatorcanperformsystemactions,butcannotconfigureiLOormanageuser accounts. ForIPMIOperatorprivileges:EnableRemoteConsoleAccess,VirtualPowerandReset,and VirtualMedia.AnycombinationofprivilegesgreaterthanOperatorthatdoesnotmeetthe AdministratorlevelisanIPMIOperator. •Administrator—Anadministratorhasreadandwriteaccesstoallfeatures. ForIPMIAdministratorprivileges:Enableallprivileges. Administeringdirectorygroups iLOenablesyoutoviewiLOgroupsandmodifysettingsforthosegroups.Youmusthavethe ConfigureiLOSettingsprivilegetoaddoreditdirectorygroups.UsetheAdd/EditDirectoryGroup pagetoaddoreditiLOdirectorygroups. Toaddoreditadirectorygroup: 1.NavigatetotheAdministration→UserAdministrationpage,asshowninFigure13(page33). 2.Dooneofthefollowing: •ClickNewintheDirectoryGroupssection. •SelectagroupintheDirectoryGroupssection,andthenclickEdit. TheAdd/EditDirectoryGrouppageopens,asshowninFigure15(page38). ManagingiLOusersbyusingtheiLOwebinterface37
Figure15Add/EditDirectoryGrouppage 3.ProvidethefollowingdetailsintheGroupInformationsection: •GroupDN(SecurityGroupDN)—DNofagroupinthedirectory.Membersofthisgroup aregrantedtheprivilegessetforthegroup.Thespecifiedgroupmustexistinthedirectory, anduserswhoneedaccesstoiLOmustbemembersofthisgroup.EnteraDNfromthe directory(forexample,CN=Group1,OU=ManagedGroups,DC=domain,DC=extension). ShortenedDNsarealsosupported(forexample,Group1).TheshortenedDNisnota uniquematch.AnygroupnamedGroup1isdisplayed.HPrecommendsusingthefully qualifiedDN. •GroupSID(SecurityID)—MicrosoftSecurityIDisusedforKerberosandLDAPgroup authorization.ThisisrequiredforKerberos.TheformatisS-1-5-2039349. 4.Selectfromthefollowingprivilegeswhenyouareaddingoreditingagroupaccount: •LoginPrivilege •RemoteConsoleAccess •VirtualMedia •VirtualPowerandReset •ConfigureiLOSettings •AdministerUserAccounts Formoreinformationabouteachprivilege,see“Viewingdirectorygroups”(page34). 5.Dooneofthefollowing: •ClickAddGrouptosavethenewdirectorygroup. •ClickUpdateGrouptosavethedirectorygroupchanges. 38ConfiguringiLO
Deletingauseraccountoradirectorygroup Theprivilegerequiredforthisproceduredependsontheuseraccounttype. •Todeletealocaluseraccount,theAdministerUserAccountsprivilegeisrequired. •Todeleteadirectorygroup,theConfigureiLOSettingsprivilegeisrequired. Todeleteanexistinguseraccountordirectorygroup: 1.NavigatetotheAdministration→UserAdministrationpage,asshowninFigure13(page33). 2.Selectthecheckboxnexttotheuserorgroupthatyouwanttodelete. 3.ClickDelete. Apop-upwindowopenswithoneofthefollowingmessages: •Localuser:Are you sure you want to delete the selected user(s)? Warning: Always leave at least one administrator. •Directorygroup:Are you sure you want to delete the selected group(s)? 4.ClickOK. ConfiguringiLOaccesssettings YoucanmodifyiLOaccesssettings,includingservice,IPMI/DCMI,andaccessoptions.Thevalues thatyouenterontheAccessSettingspageapplytoalliLOusers.YoumusthavetheConfigureiLO Settingsprivilegetomodifyaccesssettings. Thedefaultconfigurationissuitableformostoperatingenvironments.Thevaluesthatyoucan modifyontheAccessSettingspageallowcompletecustomizationoftheiLOexternalaccessmethods forspecializedenvironments. Configuringservicesettings TheServicesectionshowstheSSHAccesssettingandtheTCP/IPportvalues. TheTCP/IPportsusedbyiLOareconfigurable,whichenablescompliancewithanysiterequirements orsecurityinitiativesforportsettings.Thesesettingsdonotaffectthehostsystem. Changingthesesettingsusuallyrequiresconfigurationofthewebbrowserusedforstandardand SSLcommunication.Whenthesesettingsarechanged,iLOinitiatesaresettoactivatethechanges. ToconfigureServicesettings: ConfiguringiLOaccesssettings39
1.NavigatetotheAdministration→AccessSettingspage,asshowninFigure16(page40) Figure16AccessSettingspage 2.Updatethefollowingsettingsasneeded: Table1Servicesettings DefaultvalueServicesetting EnablesyoutospecifywhethertheSSHfeatureoniLOisenabledor disabled. SecureShell(SSH)Access SSHprovidesencryptedaccesstotheiLOCLP.ThedefaultisEnabled. 22SecureShell(SSH)Port 17990RemoteConsolePort 80WebServerNon-SSLPort(HTTP) 443WebServerSSLPort(HTTPS) 17988VirtualMediaPort 3.ClickApplytoendyourbrowserconnectionandrestartiLO. Waitatleast30secondsbeforeyouattempttore-establishaconnection. ConfiguringIPMI/DCMIsettings iLOenablesyoutosendindustry-standardIPMIandDCMIcommandsovertheLAN.TheIPMI/DCMI portissetto623andisnotconfigurable. ToenableordisableIPMI/DCMI,selectorcleartheEnableIPMI/DCMIoverLANonPort623 checkbox,andthenclickApply. •Enabled(default)—EnablesyoutosendIPMI/DCMIcommandsovertheLANbyusinga client-sideapplication. •Disabled—DisablesIPMI/DCMIovertheLAN.Server-sideIPMI/DCMIapplicationsarestill functionalwhenIPMI/DCMIoverLANisdisabled. Configuringaccessoptions TheAccessOptionssectionenablesyoutomodifysettingsthataffectalliLOusers. 40ConfiguringiLO