HP iLO 3 User Guide
2. Verify that a trusted certificate is installed.
   Using iLO in FIPS Mode with the default self-signed certificate is not FIPS compliant. For instructions, see “Obtaining and importing an SSL certificate” (page 49).
   IMPORTANT: Some interfaces to iLO, such as supported versions of IPMI and SNMP, are not FIPS compliant and cannot be made FIPS compliant. For information about the iLO firmware versions that are FIPS validated, see the following document: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140-1val.zip
3. Power off the server.
4. Navigate to the Administration→Security→Encryption page, as shown in Figure 25 (page 59).
5. Set FIPS Mode to Enabled.
   CAUTION: Enabling FIPS Mode resets iLO to the factory default settings, and clears all user and license data.
6. Click Apply.
   iLO reboots in FIPS Mode. Wait at least 90 seconds before attempting to re-establish a connection.
7. Optional: Restore the iLO configuration by using HPONCFG.
   For more information, see the HP iLO 3 Scripting and Command Line Guide.

TIP: You can use the Login Security Banner feature to notify iLO users that a system is using FIPS Mode. For more information, see “Configuring the Login Security Banner” (page 67).

You can also use XML configuration and control scripts to enable FIPS mode. For more information, see the HP iLO 3 Scripting and Command Line Guide.

Disabling FIPS Mode

If you want to disable FIPS Mode for iLO (for example, if a server is decommissioned), you must set iLO to the factory default settings. You can perform this task by using RIBCL scripts or iLO RBSU. For instructions, see “Resetting iLO to the factory default settings by using iLO RBSU” (page 230) or the HP iLO 3 Scripting and Command Line Guide.

When you disable FIPS Mode, all potentially sensitive data is erased, including all logs and settings.

Configuring iLO for HP SSO

HP SSO enables you to browse directly from an HP SSO-compliant application (such as HP SIM) to iLO, bypassing an intermediate login step. To use SSO, you must have a supported version of an HP SSO-compliant application, and you must configure the iLO processor to trust the SSO-compliant application.

This feature and many others are part of an iLO licensing package. For more information about iLO licensing, see the following website: http://www.hp.com/go/ilo/licensing.
Some HP SSO-compliant applications automatically import trust certificates when they connect to iLO. For applications that do not do this automatically, use the HP SSO page to configure the SSO settings through the iLO web interface. You must have the Configure iLO Settings privilege to change these settings.

Configuring iLO security 61
Configuring iLO for HP SSO

1. Navigate to the Administration→Security→HP SSO page, as shown in Figure 26 (page 62).
   Figure 26 Security – Single Sign-On Settings page
2. Make sure you have an iLO license key installed.
3. Enable Single Sign-On Trust Mode by selecting Trust by Certificate, Trust by Name, or Trust All.
   The iLO firmware supports configurable trust modes, which enables you to meet your security requirements. The trust mode affects how iLO responds to HP SSO requests. If you enable support for HP SSO, HP recommends using the Trust by Certificate mode. The available modes follow:
   • Trust None (SSO disabled) (default)—Rejects all SSO connection requests
   • Trust by Certificate (most secure)—Enables SSO connections from an HP SSO-compliant application by matching a certificate previously imported to iLO
   • Trust by Name—Enables SSO connections from an HP SSO-compliant application by matching an IP address or DNS name imported directly, or an IP address or DNS name included in a certificate imported to iLO
   • Trust All (least secure)—Accepts any SSO connection initiated from any HP SSO-compliant application.
4. Configure iLO privileges for each role in the Single Sign-On Settings section.
   When you log in to an HP SSO-compliant application, you are authorized based on your HP SSO-compliant application role assignment. The role assignment is passed to iLO when SSO is attempted. For more information about each privilege, see “Managing iLO users by using the iLO web interface” (page 32).
   SSO attempts to receive only the privileges assigned in this section. iLO directory settings do not apply. Default privilege assignments are as follows:
   • User—Login only
   • Operator—Login, Remote Console, Power and Reset, and Virtual Media
   • Administrator—Login, Remote Console, Power and Reset, Virtual Media, Configure iLO, and Administer Users
5. Click Apply to save the SSO settings.
6. If you selected Trust by Certificate or Trust by Name, add the trusted certificate or DNS name to iLO.
   For more information about adding certificates and DNS names, see “Adding trusted certificates” (page 64).
   The certificate repository can hold five typical certificates. However, if typical certificates are not issued, certificate sizes might vary. When all of the allocated storage is used, no more imports are accepted.
7. After you configure SSO in iLO, log in to an HP SSO-compliant application and browse to iLO. For example, log in to HP SIM, navigate to the System page for the iLO processor, and then click the iLO link in the More Information section.
   NOTE: Although a system might be registered as a trusted server, SSO might be refused because of the current trust mode or certificate status. For example, if an HP SIM server name is registered, and the trust mode is Trust by Certificate, but the certificate is not imported, SSO is not allowed from that server. Likewise, if an HP SIM server certificate is imported, but the certificate has expired, SSO is not allowed from that server. The list of trusted servers is not used when SSO is disabled. iLO does not enforce SSO server certificate revocation.

Viewing trusted certificates

The Manage Trusted Certificates table on the Single Sign-On Settings page displays the status of the trusted certificates configured to use SSO with the current iLO management processor.

• Status—The status of the record (if any are installed).
  Table 4 HP trusted certificate status

  Icon    Description
  [icon]  The record is valid.
  [icon]  There is a problem with the trust settings or the iLO license. Possible reasons follow:
          ◦ This record contains a DNS name, and the trust mode is set to Trust by Certificate (only certificates are valid).
          ◦ Trust None (SSO disabled) is selected.
          ◦ A valid license key is not installed.
  [icon]  The record is not valid. Possible reasons follow:
          ◦ An out-of-date certificate is stored in this record. Check the certificate details for more information.
          ◦ The iLO clock is not set or is set incorrectly.
          ◦ The iLO clock must be in the Valid from and Valid until range.

• Certificate—Indicates that the record contains a stored certificate. Move the cursor over the icon to view the certificate details, including subject, issuer, and dates.
• Description—The server name (or certificate subject).

Adding trusted certificates

iLO users who have the Configure iLO Settings privilege can install trusted certificates or add direct DNS names.

The Base64-encoded X.509 certificate data resembles the following:

   -----BEGIN CERTIFICATE-----
   ...several lines of encoded data...
   -----END CERTIFICATE-----

To add trusted HP SSO records by using the iLO web interface:

1. Navigate to the Administration→Security→HP SSO page, as shown in Figure 26 (page 62).
2. Use one of the following methods to add a trusted certificate:
   • To directly import a trusted certificate, copy the Base64-encoded certificate X.509 data, paste it into the text box above the Import Certificate button, and then click the button.
   • To indirectly import a trusted certificate, type the DNS name or IP address in the text box above the Import Certificate from URL button, and then click the button. iLO contacts the HP SSO-compliant application over the network, retrieves the certificate, and then saves it.
   • To import the direct DNS name, enter the DNS name in the text box above the Import Direct DNS Name button, and then click the button.

For information about how to extract an HP SIM certificate, see “Extracting the HP SIM server certificate” (page 65).

For information about how to extract certificates from other HP SSO-compliant applications, see your HP SSO-compliant application documentation.
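The trust-mode rules in step 3, the NOTE on refused SSO requests and the Table 4 status conditions can be read as one decision procedure. The following Python model is an added illustration, not HP firmware code and not part of the original guide; the Record fields, the cert_id stand-in for a stored certificate, the status strings and the rule that an unlicensed iLO refuses SSO are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Trust mode names as listed on the HP SSO page.
TRUST_NONE, BY_CERT, BY_NAME, TRUST_ALL = (
    "Trust None", "Trust by Certificate", "Trust by Name", "Trust All")

@dataclass
class Record:
    """One row of the Manage Trusted Certificates table (simplified model)."""
    name: str                               # DNS name/IP, or a name carried in the certificate
    cert_id: Optional[str] = None           # constructed stand-in for a stored certificate
    valid_from: Optional[datetime] = None   # certificate "Valid from"
    valid_until: Optional[datetime] = None  # certificate "Valid until"

def record_status(rec, mode, licensed, ilo_clock):
    """Return 'valid', 'trust-problem' or 'not-valid', following Table 4."""
    if not licensed or mode == TRUST_NONE:
        return "trust-problem"
    if rec.cert_id is None:
        # A DNS-name record is unusable when only certificates are accepted.
        return "trust-problem" if mode == BY_CERT else "valid"
    # An unset clock, or one outside the validity range, invalidates the record.
    if ilo_clock is None or not (rec.valid_from <= ilo_clock <= rec.valid_until):
        return "not-valid"
    return "valid"

def sso_allowed(mode, licensed, records, ilo_clock, peer_name, peer_cert_id):
    """Decide whether an SSO request from peer_name is accepted."""
    if not licensed or mode == TRUST_NONE:
        return False   # assumption: no license means no SSO; list is not consulted
    if mode == TRUST_ALL:
        return True    # any HP SSO-compliant application is accepted
    for rec in records:
        if record_status(rec, mode, licensed, ilo_clock) != "valid":
            continue
        if mode == BY_CERT and rec.cert_id == peer_cert_id:
            return True
        if mode == BY_NAME and rec.name == peer_name:
            return True
    return False

if __name__ == "__main__":
    # Constructed sample: a SIM server registered by name only, queried in two modes.
    recs = [Record("sim01.example.net")]
    now = datetime(2014, 6, 1)
    for mode in (BY_CERT, BY_NAME):
        print(mode, sso_allowed(mode, True, recs, now, "sim01.example.net", "fp-A"))
```

Because the guide states that iLO does not enforce SSO server certificate revocation, the model has no revocation input: a compromised SSO server certificate stays trusted until its record is deleted or it expires.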
Extracting the HP SIM server certificate

You can use the following methods to extract HP SIM certificates.

• Enter one of the following links in a web browser:
  ◦ For HP SIM versions earlier than 7.0:
    http://:280/GetCertificate
    https://:50000/GetCertificate
  ◦ For HP SIM 7.0 or later:
    http://:280/GetCertificate?certtype=sso
    https://:50000/GetCertificate?certtype=sso
  NOTE: All request parameters are case-sensitive. If you capitalize the lowercase certtype parameter, the parameter will not be read, and HP SIM will return the default HP SIM server certificate instead of a trust certificate.
• Export the certificate from HP SIM:
  ◦ For HP SIM versions earlier than 7.0:
    Select Options→Security→Certificates→Server Certificate.
  ◦ For HP SIM 7.0 or later:
    Select Options→Security→HP Systems Insight Manager Server Certificate, and then click Export.
• Use the HP SIM command-line tools. For example, using the alias tomcat for the HP SIM certificate, enter mxcert -l tomcat.
  For more information, see the HP SIM documentation.

Removing trusted certificates

1. Navigate to the Administration→Security→HP SSO page, as shown in Figure 26 (page 62).
2. Select one or more records in the Manage Trusted Certificates table.
3. Click Delete.
   The following message appears:
   Are you sure you want to remove the selected certificates?
4. Click Yes.

Configuring Remote Console security settings

Use the Remote Console security settings to control the Remote Console Computer Lock settings and the Integrated Remote Console Trust setting. You must have the Configure iLO Settings privilege to change these settings.

Configuring Remote Console Computer Lock settings

Remote Console Computer Lock enhances the security of an iLO-managed server by automatically locking an operating system or logging out a user when a Remote Console session ends or the network link to iLO is lost. This feature is standard and does not require an additional license. As a result, if you open a .NET IRC or Java IRC window and this feature is already configured, the operating system will be locked when you close the window, even if an iLO license is not installed.

The Remote Console Computer Lock feature is set to Disabled by default.
To change the Remote Console Computer Lock settings:

1. Navigate to the Administration→Security→Remote Console page, as shown in Figure 27 (page 66).
   Figure 27 Remote Console Computer Lock Settings
2. Modify the Remote Console Computer Lock settings as required:
   • Windows—Use this option to configure iLO to lock a managed server running a Windows operating system. The server automatically displays the Computer Locked dialog box when a Remote Console session ends or the iLO network link is lost.
   • Custom—Use this option to configure iLO to use a custom key sequence to lock a managed server or log out a user on that server. You can select up to five keys from the list. The selected key sequence is sent automatically to the server operating system when a Remote Console session ends or the iLO network link is lost.
   • Disabled (default)—Use this option to disable the Remote Console Computer Lock feature. Terminating a Remote Console session or losing an iLO network link will not lock the operating system on the managed server.
   You can create a Remote Console Computer Lock key sequence by using the keys listed in Table 5 (page 66):

   Table 5 Remote Console Computer Lock keys

   ESC         SCRL LCK      1    g
   L_ALT       SYS RQ        2    h
   R_ALT       F1            3    i
   L_SHIFT     F2            4    j
   R_SHIFT     F3            5    k
   L_CTRL      F4            6    l
   R_CTRL      F5            7    m
   L_GUI       F6            8    n
   R_GUI       F7            9    o
   INS         F8            ;    p
   DEL         F9            =    q
   HOME        F10           [    r
   END         F11           \    s
   PG_UP       F12           ]    t
   PG_DN       " " (space)   '    u
   ENTER       '             a    v
   TAB         ,             b    w
   BREAK       -             c    x
   BACKSPACE   .             d    y
   NUM PLUS    /             e    z
   NUM MINUS   0             f

3. Click Apply to save the changes.

Configuring the Integrated Remote Console Trust setting (.NET IRC)

The .NET IRC is launched through Microsoft ClickOnce, which is part of the Microsoft .NET Framework. ClickOnce requires that any application installed from an SSL connection be from a trusted source. If a browser is not configured to trust an iLO processor, and the Integrated Remote Console Trust setting is set to Enabled, ClickOnce displays the following error message:

   Cannot Start Application – Application download did not succeed...

To specify whether all clients that browse to this iLO require a trusted iLO certificate to run the .NET IRC:

1. Navigate to the Administration→Security→Remote Console page, as shown in Figure 28 (page 67).
   Figure 28 Remote Console Trust Settings
2. Select one of the following in the Integrated Remote Console Trust Setting section:
   • Enabled—The .NET IRC is installed and runs only if this iLO certificate and the issuer certificate have been imported and are trusted.
   • Disabled (default)—When you launch the .NET IRC, the browser installs the application from a non-SSL connection. SSL is still used after the .NET IRC starts to exchange encryption keys.
3. Click Apply.

Configuring the Login Security Banner

The Login Security Banner feature allows you to configure the security banner displayed on the iLO login page. For example, you could enter a message indicating that an iLO system uses FIPS Mode.

You must have the Configure iLO Settings privilege to make changes on the Login Security Banner page.

To enable the Login Security Banner:
1. Navigate to the Administration→Security→Login Security Banner page, as shown in Figure 29 (page 68).
   Figure 29 Security – Login Security Banner Settings page
2. Select the Enable Login Security Banner check box.
   iLO uses the following default text for the Login Security Banner:
   This is a private system. It is to be used solely by authorized users and may be monitored for all lawful purposes. By accessing this system, you are consenting to such monitoring.
3. Optional: To customize the security message, enter a custom message in the Security Message text box.
   The byte counter above the text box indicates the remaining number of bytes allowed for the message. The maximum is 1,500 bytes.
   TIP: Click Use Default Message to restore the default text for the Login Security Banner.
4. Click Apply.
   The security message is displayed at the next login, as shown in Figure 30 (page 69).
   Figure 30 Security message example

Configuring iLO network settings

Use the tabs on the Network page to view and configure the iLO network settings.

You must have the Configure iLO Settings privilege to view and change these settings.

Viewing network settings

To view a summary of the configured network settings, select Network→iLO Dedicated Network Port or Network→Shared Network Port to navigate to the Network Summary page. See Figure 31 (page 70).
Figure 31 Network Summary page (iLO Dedicated Network Port)

The iLO Shared Network Port and the iLO Dedicated Network Port cannot operate simultaneously. If you enable the iLO Dedicated Network Port, you will disable the iLO Shared Network Port. If you enable the iLO Shared Network Port, you will disable the iLO Dedicated Network Port.

The Network Summary page for the inactive port displays the message iLO is not configured to use this NIC.

The summary information follows:

• NIC in Use—The name of the selected iLO network interface (iLO Dedicated Network Port or Shared Network Port).
• iLO Host Name—The fully qualified network name assigned to the iLO subsystem. By default, the iLO host name is ILO followed by the system serial number and the current domain name. This value is used for the iLO network name and must be unique.
• MAC Address—The MAC address of the selected iLO network interface.
• Link State—The current link speed of the selected iLO network interface. The default value is Auto-Negotiate.
• Duplex Option—The current link duplex selection for the selected iLO network interface. The default value is Auto-Negotiate.

You can configure the iLO host name and NIC settings on the Network General Settings page. For instructions, see “Configuring general network settings” (page 72).

IPv6 is supported by iLO 3 1.50 and later in the iLO Dedicated Network Port configuration. The IPv6 protocol was introduced by the IETF in response to the ongoing depletion of the IPv4 address pool. In IPv6, addresses are increased to 128 bits in length, to avoid an address shortage problem. iLO supports the simultaneous use of both protocols through a dual-stack implementation. All previously available iLO features are still supported in IPv4.

NOTE: IPv6 is not supported in the Shared Network Port configuration.