HP Ilo 4 User Guide
2. Use the following command to configure the Embedded User Partition for one-time boot:

   boot -n settingvalue

   Where settingvalue is the boot number of the device to use for one-time boot.

NOTE: For information about using this command, see the HP UEFI Shell User Guide for HP ProLiant Gen9 Servers.

Configuring the Embedded User Partition boot order setting (HP RESTful Interface Tool)

For information about configuring the Embedded User Partition boot order setting with the HP RESTful Interface Tool, see the RESTful Interface Tool documentation at the following website: http://www.hp.com/go/restfulinterface/docs.

Configuring the Embedded User Partition for one-time boot (HP RESTful Interface Tool)

For information about configuring the Embedded User Partition one-time boot settings with the HP RESTful Interface Tool, see the RESTful Interface Tool documentation at the following website: http://www.hp.com/go/restfulinterface/docs.
5 Integrating HP Systems Insight Manager

The iLO firmware is integrated with HP SIM in key operating environments, providing a single management console from a standard web browser. While the operating system is running, you can establish a connection to iLO by using HP SIM.

Integration with HP SIM provides the following:
• Support for SNMP trap delivery to an HP SIM console—The HP SIM console can be configured to forward SNMP traps to a pager or email address.
• Support for management processors—All iLO devices installed in servers on the network are discovered in HP SIM as management processors.
• Grouping of iLO management processors—All iLO devices can be grouped logically and displayed on one page.
• HP Management Agents or Agentless Management—iLO, combined with Agentless Management or the HP Management Agents, provides remote access to system management information through the iLO web interface.
• Support for SNMP management—HP SIM can access Insight Management Agent information through iLO.

HP SIM features

HP SIM enables you to do the following:
• Identify iLO processors.
• Create an association between an iLO processor and its server.
• Create links between an iLO processor and its server.
• View iLO and server information and status.
• Control the amount of information displayed for iLO.

The following sections summarize these features. For detailed information, see the HP Systems Insight Manager User Guide.

Establishing SSO with HP SIM

1. Configure iLO for HP SIM SSO and add HP SIM trusted servers.
   For instructions, see “Using HP SSO” (page 83).
2. Log in to the HP SIM server that you specified in Step 1, and discover the iLO processor.
   After you complete the discovery process, SSO is enabled for iLO.

For more information about HP SIM discovery tasks, see the HP Systems Insight Manager User Guide.

iLO identification and association

HP SIM can identify an iLO processor and create an association between iLO and a server. You can configure iLO to respond to HP SIM identification requests by setting the Level of Data Returned value on the Administration→Management page. For more information, see “Configuring Insight Management integration” (page 116).

Viewing iLO status in HP SIM

HP SIM identifies iLO as a management processor. HP SIM displays the management processor status on the All Systems page.
The iLO management processor is displayed as an icon on the same row as its host server. The color of the icon represents the status of the management processor.

For a list of device statuses, see the HP Systems Insight Manager User Guide.

iLO links in HP SIM

For ease of management, HP SIM creates links to the following:
• iLO and the host server from any System(s) list
• The server from the System page for iLO
• iLO from the System page for the server

The System(s) list pages display iLO, the server, and the relationship between iLO and the server.
• Click a status icon to display the iLO web interface.
• Click the iLO or server name to display the System page of the device.

Viewing iLO in HP SIM System(s) lists

iLO management processors can be viewed in HP SIM. A user who has full configuration rights can create and use customized system collections to group management processors. For more information, see the HP Systems Insight Manager User Guide.

Receiving SNMP alerts in HP SIM

You can configure iLO to forward alerts from the management agents of the host operating system and to send iLO alerts to HP SIM.

HP SIM supports full SNMP management. iLO supports SNMP trap delivery to HP SIM. You can view the event log, select the event, and view additional information about the alert.

Configuring the receipt of SNMP alerts in HP SIM:
1. To enable iLO to send SNMP traps, navigate to the Administration→Management page and configure the settings for SNMP, SNMP alerting, and Insight Management Integration. Enter the IP address of the HP SIM computer in the SNMP Alert Destination(s) box.
   For more information, see “Configuring iLO Management settings” (page 106).
2. To discover iLO in HP SIM, configure iLO as a managed device for HP SIM.
   This enables the NIC interface on iLO to function as a dedicated management port, isolating management traffic from the NIC interface for the remote host server. For instructions, see the HP Systems Insight Manager User Guide.

For major events that are not cleared, iLO traps appear in All Events. To obtain more information about the event, click Event Type.

HP SIM port matching

HP SIM is configured to start an HTTP session to check for iLO at port 80. If you want to change the port number, you must change it in both iLO and HP SIM.
• To change the port in iLO, navigate to the Administration→Access Settings page, and then enter the new port number in the Web Server Non-SSL Port box.
• To change the port number in HP SIM, add the port to the config\identification\additionalWsDisc.props file in the HP SIM installation directory. If iLO uses the default port (80), you do not need to edit this file.
  The port entry must be on a single line with the port number first, and with all other items identical to the following example (including capitalization). This example shows the correct entry for discovering iLO at port 55000.

  55000=iLO 4, ,true,false,com.hp.mx.core.tools.identification.mgmtproc.MgmtProcessorParser

Reviewing iLO license information in HP SIM

HP SIM displays the license status of the iLO management processors. You can use this information to determine how many and which iLO devices have an optional license installed.

To view license information, select Deploy→License Manager. To ensure that the displayed data is current, run the Identify Systems task for your management processors. For more information, see the HP Systems Insight Manager User Guide.

6 Directory services

This chapter describes how to configure iLO to use Kerberos login, schema-free directory authentication, and HP extended schema directory authentication.

Directory integration benefits

Directory integration with iLO provides the following benefits:
• Scalability—The directory can be leveraged to support thousands of users on thousands of iLO processors.
• Security—Robust user-password policies are inherited from the directory. User-password complexity, rotation frequency, and expiration are policy examples.
• User accountability—In some environments, users share iLO accounts, which makes it difficult to determine who performed an operation.
• Role-based administration—You can create roles (for example, clerical, remote control of the host, complete control) and associate users or user groups with those roles. A change to a single role applies to all users and iLO devices associated with that role.
• Single point of administration—You can use native administrative tools like MMC and ConsoleOne to administer iLO users.
• Immediacy—A single change in the directory rolls out immediately to associated iLO processors. This eliminates the need to script this process.
• Simpler credentials—You can use existing user accounts and passwords in the directory without having to record a new set of credentials for iLO.
• Flexibility—You can create a single role for a single user on a single iLO processor, a single role for multiple users on multiple iLO processors, or a combination of roles as suited to your enterprise.
• Compatibility—iLO directory integration supports Active Directory.
• Standards—iLO directory support is based on the LDAP 2.0 standard for secure directory access.

Choosing a directory configuration to use with iLO

Some directory configuration practices work better with iLO than others. Before you configure iLO for directories, you must decide whether to use the schema-free directory integration method or the HP extended schema directory integration method. Answer the following questions to help evaluate your directory integration requirements:

1. Can you apply schema extensions to your directory?
   • No—You are using Active Directory, and your company policy prohibits applying extensions.
     No—Directory integration does not fit your environment. Consider deploying an evaluation server to assess the benefits of directory integration.
     Use group-based schema-free directory integration. For more information, see “Schema-free directory integration” (page 271).
   • Yes—Proceed to question 2.
2. Is your configuration scalable?
   • No—Deploy an instance of the schema-free directory integration to evaluate whether this method meets your policy and procedural requirements. If necessary, you can deploy HP schema directory integration later. For more information, see “Schema-free directory integration” (page 271).
   • Yes—Use HP schema directory integration. For more information, see “Setting up HP extended schema directory integration” (page 275).

   The following questions can help you determine whether your configuration is scalable:
   • Are you likely to change the rights or privileges for a group of directory users?
   • Will you regularly script iLO changes?
   • Do you use more than five groups to control iLO privileges?

For more information, see the comprehensive list of benefits in “Directory integration benefits” (page 265). “Directory-enabled remote management” (page 287) explains how roles, groups, and security are enabled and enforced through directories.

Kerberos support

Kerberos support enables a user to log in to iLO without supplying a user name and password if the client workstation is logged in to the domain and the user is a member of a directory group for which iLO is configured. If the workstation is not logged in to the domain, the user can also log in to iLO by using the Kerberos user name and domain password. Kerberos support can be configured through the web interface, XML (RIBCL), or SSH (partial support for CLI).

Because a trust relationship between iLO and the domain is established by a system administrator before user sign-on, any form of authentication (including two-factor authentication) is supported. For instructions on configuring a user to support two-factor authentication, see the server operating system documentation.

Domain controller preparation

In a Windows Server environment, Kerberos support is part of the domain controller.

Realm names

The Kerberos realm name for a DNS domain is usually the domain name converted to uppercase. For example:
• Parent domain name: example.net
• Kerberos realm name: EXAMPLE.NET

Computer accounts

A computer account must be present and enabled in the domain directory for each iLO account.
In Windows, create the user account in the Active Directory Users and Computers snap-in. For example:
• iLO host name: iloname
• Parent domain name: example.net
• iLO domain name (fully qualified): iloname.example.net

User accounts

A user account must be present and enabled in the domain directory for each user who is allowed to log in to iLO.

Generating a keytab

This section describes how to generate a keytab file for iLO in a Windows environment.

The iLO host name that you use for keytab generation must be identical to the configured iLO host name. iLO host names are case sensitive.

1. Use the ktpass command to generate a keytab and set the shared secret.
   The command is case sensitive and has special characters.

   ktpass -out iloname.keytab +rndPass -ptype KRB5_NT_SRV_HST -mapuser [email protected] -princ HTTP/[email protected]

   The output should be similar to the following:

   Targeting domain controller: domaincontroller.example.net
   Using legacy password setting method
   Successfully mapped HTTP/iloname.example.net to iloname.
   WARNING: pType and account type do not match. This might cause problems.
   Key created.
   Output keytab to iloname.keytab:
   Keytab version: 0x502
   keysize 69 HTTP/[email protected] ptype 3 (KRB5_NT_SRV_HST) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x5a5c7c18ae23559acc29d95e0524bf23)

   NOTE: The ktpass command might display a message about not being able to set the UPN. This is acceptable because iLO is a service, not a user. You might be prompted to confirm the password change on the computer object. Click OK to close the window and continue creating the keytab file. Do not use the -kvno option of the ktpass command. This option causes the kvno in the keytab file to be out of sync with the kvno in Active Directory.

2. Use the SetSPN command to assign the Kerberos SPN to the computer object. For example:

   SetSPN -A HTTP/iloname.example.net iloname

   If the SetSPN command displays an error message, do the following:
   a. Use MMC with the ADSIEdit snap-in and find the computer object for iLO.
   b. Set the DNSHostName property to the iLO DNS name. For example:
      cn=iloname,ou=us,ou=clients,dc=example,dc=net

3. Use the SetSPN -L iloname command to display the SPNs and DN for the iLO.
   Verify that the HTTP/iloname.example.net service is displayed.

   NOTE: The SetSPN command might display a message about not being able to set the UPN. This is acceptable because iLO is a service, not a user. You might be prompted to confirm the password change on the computer object. Click OK to close the window and continue creating the keytab file.
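
A check that can be run on the generated keytab before it is installed in iLO, as an added example that is not part of the HP guide: it parses the version 0x502 keytab layout and compares the realm and the HTTP principal, case-sensitively, with the configured iLO host name. The function names and the sample keytab (built inline with an all-zero key) are constructed for illustration, and the realm is assumed to be the DNS domain converted to uppercase.

```python
import struct

ETYPES = {0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96", 0x17: "RC4-HMAC"}

def _counted(buf, pos):
    """Read a big-endian uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return the entries of a version 0x502 keytab as dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # a negative size marks a deleted entry; skip the hole
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp.decode())
        ptype, _timestamp, vno8, etype = struct.unpack_from(">IIBH", data, p)
        key, p = _counted(data, p + 11)
        # An optional trailing 32-bit kvno overrides the 8-bit one when nonzero.
        extra = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else 0
        entries.append({"realm": realm.decode(), "components": comps, "ptype": ptype,
                        "kvno": extra or vno8, "etype": ETYPES.get(etype, hex(etype)), "keylength": len(key)})
        pos = end
    return entries

def check_ilo_keytab(data, ilo_hostname, dns_domain):
    """List mismatches between keytab principals and the configured iLO host name."""
    want, findings = ["HTTP", ilo_hostname + "." + dns_domain], []
    for e in parse_keytab(data):
        if e["realm"] != dns_domain.upper():
            findings.append("realm %s is not %s" % (e["realm"], dns_domain.upper()))
        if e["components"] != want:  # list comparison is case-sensitive, like iLO host names
            findings.append("principal %s is not %s" % ("/".join(e["components"]), "/".join(want)))
    return findings

def build_entry(realm, comps, kvno, etype, key, ptype=3):
    """Build one keytab entry; used only to construct the sample below."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + cs(realm.encode())
    body += b"".join(cs(c.encode()) for c in comps)
    body += struct.pack(">IIBH", ptype, 0, kvno & 0xFF, etype) + cs(key)
    return struct.pack(">i", len(body)) + body
# Constructed sample: HTTP/iloname.example.net in realm EXAMPLE.NET, kvno 3, RC4-HMAC, all-zero key.
SAMPLE = b"\x05\x02" + build_entry("EXAMPLE.NET", ["HTTP", "iloname.example.net"], 3, 0x17, bytes(16))
```

For a real file, pass the bytes of iloname.keytab to check_ilo_keytab together with the host name and domain configured in iLO; an empty list means the realm and principal match.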

Key version number

If a domain controller OS is reinstalled, the key version number sequence resets. You must regenerate and reinstall the keytab files that iLO uses for devices associated with that domain controller.

Windows Vista

To generate keytab files on Windows Vista, use Microsoft hotfix KB960830 and ktpass.exe version 6.0.6001.22331 or later.

Universal and global user groups (for authorization)

To set permissions in iLO, you must create a group in the domain directory. Users who log in to iLO are granted the sum of the permissions for all groups of which they are a member. Only universal and global user groups can be used to set permissions. Domain local groups are not supported.

Configuring iLO for Kerberos login

This section describes the iLO requirements for Kerberos login. You can configure iLO for Kerberos login using the iLO web interface, XML configuration and control scripts, or the CLI, CLP, or SSH interface.

Using the iLO web interface

To configure the iLO parameters by using the web interface:
1. Navigate to the Network→iLO Dedicated Network Port or Shared Network Port→General page to configure the iLO Hostname parameter in the iLO Subsystem Name (Host Name) box.
   The case of the iLO host name used for keytab generation must be identical to the case of the configured iLO host name.
   For more information, see “Configuring general network settings” (page 93).
2. Navigate to the Administration→Security→Directory page to configure the following Kerberos-specific parameters:
   • Kerberos Authentication
   • Kerberos Realm
   • Kerberos KDC Server Address
   • Kerberos KDC Server Port
   • Kerberos Keytab
   For more information about the Kerberos-specific parameters, see “Configuring directory settings” (page 72).
3. Navigate to the Administration→User Administration page to configure directory groups.
   Each Directory Group includes a DN, SID, and permissions. For Kerberos login, the SIDs of groups of which the user is a member are compared to the SIDs for directory groups for which iLO is configured. The user is granted the sum of the permissions for all groups of which the user is a member.
   You can only use global and universal groups to set permissions. Domain local groups are not supported.
   For more information, see “Managing iLO users by using the iLO web interface” (page 46).
4. Navigate to the Information→Overview page to check the Current iLO Date/Time.
   For more information, see “Viewing iLO overview information” (page 148).
5. Navigate to the Administration→Network→SNTP Settings page if you want to change the date and time.
   For Kerberos authentication to function properly, the date and time must be synchronized between the iLO processor, the KDC, and the client workstation. Set the date and time in iLO with the server, or obtain the date and time from the network by enabling the SNTP Settings feature in iLO.
   For more information, see “Configuring SNTP settings” (page 103).

Using XML configuration and control scripts

The following sample scripts show how to set the iLO parameters for directories:
• Set_Server_Name.xml shows how to set the iLO host name.
• Mod_Schemaless_Directory.xml shows how to configure directory groups.
• Mod_Network_Settings.xml shows how to configure SNTP settings.
• Mod_Kerberos_Config.xml shows how to configure Kerberos-specific parameters.

NOTE: You can download sample XML scripts from http://www.hp.com/support/ilo4. For more information, see the HP iLO 4 Scripting and Command Line Guide.

Using the CLI, CLP, or SSH interface

To configure the iLO parameters by using the CLI, CLP, or SSH interface:
• iLO Hostname—You can change the iLO host name in the Hostname property of the /map1/dnsendpt1 target.
• Directory groups—You can configure directory group names and permissions in the properties of the /map1/oemhp_dircfg1 target. The group SIDs cannot be configured through this interface.
• iLO Date/Time, SNTP Settings—The current date and time and the SNTP settings cannot be displayed through this interface.
• Kerberos-specific configuration parameters—You can configure Kerberos parameters in the properties of the oemhp_dircfg1 target.

NOTE: For more information about configuring the iLO parameters by using the CLI, CLP, or SSH, see the HP iLO 4 Scripting and Command Line Guide.

Time requirement

To log in to Kerberos successfully, ensure that the date and time of the following are set to within 5 minutes of one another:
• The iLO server
• The client running the web browser
• The servers performing the authentication

Configuring single sign-on

Users who are allowed to log in to iLO must be members of the groups for which permissions are assigned. For Windows clients, locking and unlocking the workstation refreshes the credentials that are used to log in to iLO. Home versions of the Windows operating system do not support Kerberos login.

Internet Explorer

This section describes the procedure for enabling single sign-on with Internet Explorer. The following steps enable login if Active Directory is configured correctly for iLO, and iLO is configured correctly for Kerberos login.

NOTE: This procedure is based on Internet Explorer 7. Newer browser versions might have different steps.

1. Enable authentication in Internet Explorer:
   a. Select Tools→Internet Options.
   b. Click the Advanced tab.
   c. Scroll to the Security section.
   d. Verify that the Enable Integrated Windows Authentication option is selected.
   e. Click OK.
2. Add the iLO domain to the Intranet zone:
   a. Select Tools→Internet Options.
   b. Click the Security tab.
   c. Click the Local intranet icon.
   d. Click the Sites button.
   e. Click the Advanced button.
   f. Enter the site to add in the Add this website to the zone box.
      On a corporate network, *.example.net is sufficient.
   g. Click Add.
   h. Click Close.
   i. Click OK to close the Local intranet dialog box.
   j. Click OK to close the Internet Options dialog box.
3. Enable Automatic logon only in Intranet zone:
   a. Select Tools→Internet Options.
   b. Click the Security tab.
   c. Click the Local intranet icon.
   d. Click Custom level.
   e. Scroll to the User Authentication section.
   f. Verify that the Automatic logon only in Intranet zone option is selected.
   g. Click OK to close the Security Settings—Local Intranet Zone window.
   h. Click OK to close the Internet Options dialog box.
4. If any options were changed, close and restart Internet Explorer.
5. Use the FQDN to browse to iLO (for example, iloname.example.net).
6. Click the HP Zero Sign In button.

Firefox

This section describes the procedure for enabling single sign-on with Firefox. The following steps enable login if Active Directory is configured correctly for iLO, and iLO is configured correctly for Kerberos login:

1. Enter about:config in the browser location bar to open the browser configuration page.
   If the message This might void your warranty! appears, click the I'll be careful, I promise! button.
2. Enter network.negotiate in the Filter box.
3. Double-click network.negotiate-auth.trusted-uris.
4. Enter the iLO DNS domain name (for example, example.net), and then click OK.
5. Use the FQDN to browse to iLO (for example, iloname.example.net).
6. Click the HP Zero Sign In button.

Chrome

No special settings are required for the Chrome browser.