
HP iLO 4 User Guide


Verifying single sign-on (HP Zero Sign In) configuration

To verify that HP Zero Sign In is configured correctly:
1. Browse to the iLO login page (for example, http://iloname.example.net).
2. Click the HP Zero Sign In button.
If a prompt for credentials appears, Kerberos authentication has failed and the system has reverted to NTLM authentication. Click Cancel, and then repeat the procedures in “Configuring single sign-on” (page 269).

Login by name

To verify that login by name is working properly:
1. Browse to the iLO login page (for example, http://iloname.example.net).
2. Enter the user name in the Kerberos SPN format (for example, [email protected]).
3. Enter the associated domain password.
If a prompt for credentials appears, Kerberos authentication has failed. Click Cancel to close the dialog box.
Login by name might not work correctly if the computer account for iLO is part of a child domain, but the Kerberos configuration parameters (Kerberos Realm, Kerberos KDC Server Address, and Kerberos KDC Server Port) reference the parent domain.

Schema-free directory integration

With schema-free directory integration, users and group memberships reside in the directory, but group privileges reside in the iLO settings. iLO uses login credentials to read the user object in the directory and retrieve the user group memberships, which are compared to those stored in iLO. If the credentials and membership match, authorization is granted, as shown in Figure 6 (page 271).

Figure 6 Schema-free directory integration

Advantages of using schema-free directory integration include the following:
• You do not have to extend the directory schema.
• Minimal setup is required for users in the directory. If no setup exists, the directory uses existing users and group memberships to access iLO. For example, if you have a domain administrator named User1, you can copy the DN of the domain administrator security group to iLO and give it full privileges. User1 would then have access to iLO.
[Figure 6 labels: User enters user name and password; iLO interface; Credentials translated to a DN; Login script validates user credentials; User found in the directory and verified in the iLO groups; Directory; iLO interface]
    						
Using schema-free directory integration has the following disadvantage:
• Group privileges are administered on each iLO. However, this disadvantage has minimal impact because group privileges rarely change, and the task of changing group membership is administered in the directory and not on each iLO. HP provides tools that enable you to make changes to a large number of iLOs at the same time.

Setting up schema-free directory integration

If you want to use the schema-free directory integration method, your system must meet the prerequisites described in “Active Directory prerequisites” (page 272).

Active Directory prerequisites

SSL must be enabled at the directory level. To enable SSL, install a certificate for the domain in Active Directory. iLO communicates with the directory only over a secure SSL connection.
To validate the setup, you must have the directory DN of at least one user and the DN of a security group that the user is a member of.

Introduction to Certificate Services

Certificate Services is used to issue signed digital certificates to network hosts. The certificates are used to establish SSL connections with the host and verify the authenticity of the host.
Installing Certificate Services enables Active Directory to receive a certificate that allows iLO processors to connect to the directory service. Without a certificate, iLO cannot connect to the directory service.
Each directory service that you want iLO to connect to must be issued a certificate. If you install an Enterprise Certificate Service, Active Directory can automatically request and install certificates for all Active Directory controllers on the network.

Installing Certificate Services

Use the following procedure for Windows Server 2008:
1. Navigate to Server Manager.
2. Click Roles in the left pane.
3. Click Add Roles.
4. Select Active Directory Certificate Services.
5. Follow the onscreen instructions. If you are not sure what values to use, accept the default values.

Verifying Certificate Services

Because management processors communicate with Active Directory by using SSL, you must create a certificate or install Certificate Services. You must install an enterprise CA because you will issue certificates to objects in your organizational domain.
To verify that Certificate Services is installed, select Start→Programs→Administrative Tools→Certification Authority. An error message appears if Certificate Services is not installed.

Configuring Automatic Certificate Request

To specify that a certificate be issued to the server:
1. Select Start→Run, and then enter mmc.
2. Select File→Add/Remove Snap-in.
3. To add the snap-in to MMC, select Group Policy Object, and then click Add.
4. Click Browse, and then select the Default Domain Policy object. Click OK.
5. Click Finish, and then click Close and OK to close the remaining dialog boxes.
6. Expand Computer Configuration→Windows Settings→Security Settings→Public Key.
7. Right-click Automatic Certificate Requests Settings, and select New→Automatic Certificate Request.
   The Automatic Certificate Request Setup wizard starts.
8. Click Next.
9. Select the Domain Controller template, and click Next.
10. Select the listed certificate authority (it is the same CA that was defined during the Certificate Services installation). Click Next.
11. Click Finish to close the wizard.

Schema-free setup using the iLO web interface

You can set up a schema-free configuration by using the iLO web interface. Only users who have the Configure iLO Settings privilege can change these settings. Users who do not have the Configure iLO Settings privilege can only view the assigned settings.
1. Navigate to the Administration→Security→Directory page.
2. Select Use Directory Default Schema in the Authentication and Directory Server Settings section.
   For more information, see “Schema-free setup options” (page 274).
3. Click Apply Settings.
4. To test the communication between the directory server and iLO, click Test Settings.

Schema-free setup using scripts

To set up a schema-free directory configuration by using XML configuration and control scripts:
1. Review the HP iLO 4 Scripting and Command Line Guide.
2. Write and execute a script that configures iLO for schema-free directory support.
Use the following script as a template:
    
     
      
       
        
        
        
        
        
        
        
    
    
    
    
    
    
       
      
     
    
Schema-free setup with HP Directories Support for ProLiant Management Processors

HP recommends using HP Directories Support for ProLiant Management Processors (HPLOMIG.exe) when you are configuring multiple iLO processors for directories.
For more information, see “HP Directories Support for ProLiant Management Processors utility” (page 292).

Schema-free setup options

The schema-free setup options are the same, regardless of the method you use to configure the directory.
To review the available methods, see “Schema-free setup using the iLO web interface” (page 273), “Schema-free setup using scripts” (page 273), and “Schema-free setup with HP Directories Support for ProLiant Management Processors” (page 273).
After you enable directories and select the schema-free option, you have the following options:

Minimum login flexibility
• Enter the directory server DNS name or IP address and LDAP port. Typically, the LDAP port for an SSL connection is 636.
• Enter the DN for at least one group. This group can be a security group (for example, CN=Administrators,CN=Builtin,DC=HP,DC=com) or any other group as long as the intended iLO users are members of the group.
With a minimum configuration, you can log in to iLO by using your full DN and password. You must be a member of a group that iLO recognizes.

Better login flexibility
In addition to the minimum settings, enter at least one directory user context.
At login time, the login name and user context are combined to make the user DN. For example, if the user logs in as JOHN.SMITH, and a user context is set up as CN=USERS,DC=HP,DC=COM, the DN that iLO tries is CN=JOHN.SMITH,CN=USERS,DC=HP,DC=COM.

Maximum login flexibility
Configure iLO with a DNS name, and not an IP address, for the directory server network address. The DNS name must be resolvable to an IP address from both iLO and the client system.
Configuring iLO with maximum login flexibility enables you to log in using your full DN and password, your name as it appears in the directory, NetBIOS format (domain/login_name), or email format (login_name@domain).
In some cases, the maximum login flexibility option might not work. For example, if the client and iLO are in different DNS domains, one of the two might not be able to resolve the directory server name to an IP address.

Schema-free nested groups

Many organizations have users and administrators arranged in groups. This arrangement of existing groups is convenient because you can associate them with one or more iLO management role objects. When iLO devices are associated with the role objects, you can use the administrator controls to access the devices associated with the role by adding or deleting members from the groups.
When using Microsoft Active Directory, you can place one group in another group to create a nested group. Role objects are considered groups and can include other groups directly. You can add the existing nested group directly to the role and assign the appropriate rights and restrictions. You can add new users to either the existing group or the role.
In schema-free integration, users who are indirect members (a member of a group that is a nested group of the primary group) are allowed to log in to iLO.
When you are using trustee or directory rights assignments to extend role membership, users must be able to read the object that represents the iLO device. Some environments require that the trustees of a role also be read trustees of the object to successfully authenticate users.
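
The schema-free login decision described in the sections above (login name joined to a user context to form the DN, then direct or nested group membership compared with the groups stored on iLO), as an added Python model that is not HP code. The directory contents, passwords, the "Remote Console" privilege label, and all function names are constructed for illustration, and the model assumes names without DN special characters.

```python
# Added model of the schema-free login decision; not iLO firmware code.
# Directory contents, passwords and the "Remote Console" label are constructed samples.

def norm(dn):
    """Case-insensitive DN comparison key (simplified: assumes no escaped commas)."""
    return ",".join(part.strip() for part in dn.split(",")).casefold()

USERS = "CN=USERS,DC=HP,DC=COM"
ADMINS = "CN=Administrators,CN=Builtin,DC=HP,DC=com"

# Constructed directory: object DN -> DNs of the groups it is a direct member of.
MEMBER_OF = {norm(k): [norm(g) for g in v] for k, v in {
    f"CN=JOHN.SMITH,{USERS}": [f"CN=ServerOps,{USERS}"],
    f"CN=JANE.DOE,{USERS}": [f"CN=Helpdesk,{USERS}"],
    f"CN=ServerOps,{USERS}": [ADMINS],        # ServerOps is nested in Administrators
    ADMINS: [f"CN=ServerOps,{USERS}"],        # constructed nesting loop
    f"CN=Helpdesk,{USERS}": [],
}.items()}

# Stand-in for the LDAP-over-SSL bind: DN -> password the directory accepts.
BIND_OK = {norm(f"CN=JOHN.SMITH,{USERS}"): "constructed-pw-1",
           norm(f"CN=JANE.DOE,{USERS}"): "constructed-pw-2"}

# Settings held on the iLO itself: user contexts, and group DN -> privileges.
USER_CONTEXTS = [USERS]
ILO_GROUPS = {norm(ADMINS): {"Configure iLO Settings", "Remote Console"}}

def candidate_dns(login_name, contexts=USER_CONTEXTS):
    """A full DN is tried as entered; a short name is joined to each user context."""
    if "=" in login_name:
        return [login_name]
    return [f"CN={login_name},{ctx}" for ctx in contexts]

def all_groups(dn):
    """Direct and indirect (nested) memberships; `seen` makes nesting loops terminate."""
    seen, stack = set(), list(MEMBER_OF.get(norm(dn), []))
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(MEMBER_OF.get(group, []))
    return seen

def login(login_name, password):
    """Return the granted privilege set; an empty set means the login is refused."""
    if not password:
        return set()      # an empty password must never count as a successful bind
    for dn in candidate_dns(login_name):
        if BIND_OK.get(norm(dn)) != password:
            continue      # bind failed for this candidate DN, try the next context
        granted = set()
        for group in all_groups(dn):
            granted |= ILO_GROUPS.get(group, set())
        return granted    # authenticated; empty if no iLO-recognized group matched
    return set()
```

In this model JOHN.SMITH receives privileges only through the nested ServerOps group, while JANE.DOE authenticates but is refused because none of her groups is configured on the iLO.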
    						
Setting up HP extended schema directory integration

When you use HP schema directory integration, iLO supports Active Directory. This directory service requires that the schema be extended.

Features supported by HP schema directory integration

Using the HP schema enables you to do the following:
• Authenticate users from a shared, consolidated, scalable user database.
• Control user privileges (authorization) by using the directory service.
• Use roles in the directory service for group-level administration of iLO management processors and iLO users.
A schema administrator must complete the task of extending the schema. The local user database is retained. You can decide not to use directories, to use a combination of directories and local accounts, or to use directories exclusively for authentication.
NOTE: When you are connected through the Diagnostics Port, the directory server is not available. You log in using a local account.
Advantages of using the HP extended schema include the following:
• There is more flexibility in controlling access. For example, access can be limited to a time of day or a certain range of IP addresses.
• Groups are maintained in the directory, not on each iLO.

Setting up directory services

To successfully implement directory-enabled management on any iLO management processor:
1. Plan
   Review the following sections:
   • Directory services. For more information, see “Directory services” (page 265).
   • Directory-enabled remote management. For more information, see “Directory-enabled remote management” (page 287).
   • Directory services schema. For more information, see “Directory services schema” (page 344).
2. Install
   a. Download the HP Directories Support for ProLiant Management Processors package that contains the schema installer, the management snap-in installer, and the migration utilities from http://www.hp.com/support/ilo4.
   b. Run the schema installer once to extend the schema.
   c. Run the management snap-in installer and install the appropriate snap-in for your directory service on one or more management workstations.
3. Update
   a. Set directory server settings and the DN of the management processor objects on the Directory Settings page in the iLO web interface. For more information, see “Configuring directory settings” (page 72).
   b. If you are using the schema-free integration or Kerberos Zero Sign In, configure directory groups. For more information, see “Managing iLO users by using the iLO web interface” (page 46).
4. Manage
   a. Create a management device object and a role object by using the snap-in.
   b. Assign rights to the role object, as necessary, and associate the role with the management device object.
   c. Add users to the role object.
   For more information about managing the directory service, see “Directory-enabled remote management” (page 287). Examples are available in “Directory services for Active Directory” (page 279).
5. Handle exceptions
   iLO migration utilities are easier to use with a single role. If you plan to create multiple roles in the directory, you might need to use directory scripting utilities, like LDIFDE or VBScript utilities. These utilities create complex role associations. For more information, see “Using bulk import tools” (page 292).
After the schema has been extended, you can complete the directory services setup by using HP migration utilities, which are included in the HP Directories Support for ProLiant Management Processors package.

Schema documentation

To assist with the planning and approval process, HP provides documentation about the changes made to the schema during the schema setup process. To review the changes made to your existing schema, see “Directory services schema” (page 344).

Directory services support

iLO software is designed to run with the Microsoft Active Directory Users and Computers snap-in, enabling you to manage user accounts through the directory.
iLO supports the following directory services for HP schema directory integration:
• Microsoft Active Directory
• Microsoft Windows Server Active Directory

Schema required software

iLO requires specific software that extends the schema and provides snap-ins to manage the iLO network. The HP Directories Support for ProLiant Management Processors package contains the schema installer and the management snap-in installer. You can download the software from http://www.hp.com/support/ilo4.
You cannot run the schema installer on a domain controller that hosts Windows Server Core. For security and performance reasons, Windows Server Core does not use a GUI. To use the schema installer, you must install a GUI on the domain controller or use a domain controller that hosts an earlier version of Windows.

Schema Extender

Several .xml files are bundled with the Schema Extender. These files contain the schemas that are added to the directory. Typically, one of these files contains a core schema that is common to all of the supported directory services. Additional files contain product-specific schemas. The schema installer requires the .NET Framework.
The Schema Extender installer includes three important windows:
• Schema Preview
• Setup
• Results

Schema Preview window

The Schema Preview window enables the user to view the proposed extensions to the schema. The installer reads the selected schema files, parses the XML, and displays it as a tree view. It lists all details of the installed attributes and classes.

Setup window

You use the Setup window to enter the appropriate information before extending the schema.
    						
The Directory Server section of the Setup window enables you to select Active Directory, and to set the computer name and the port to be used for LDAP communications.
NOTE: When you are running the Schema Extender tool, you must use the Administrator login along with the domain name, for example, [email protected]\Administrator.
Extending the schema for Active Directory requires that the user is an authenticated schema administrator, that the schema is not write protected, and that the directory is the FSMO role owner in the tree. The installer attempts to make the target directory server the FSMO schema master of the forest.
The Directory Login section of the Setup window enables you to enter your login name and password. These might be required to complete the schema extension. The Use SSL for this Session option sets the form of secure authentication to be used. If this option is selected, directory authentication through SSL is used. If this option is not selected and Active Directory is selected, Windows NT authentication is used.

Results window

The Results window displays the results of the installation, including whether the schema could be extended and what attributes were changed.
    						
Management snap-in installer

The management snap-in installer installs the snap-ins required to manage iLO objects in a Microsoft Active Directory Users and Computers directory or Novell ConsoleOne directory.
iLO snap-ins are used to perform the following tasks in creating an iLO directory:
• Creating and managing the iLO objects and role objects
• Making the associations between the iLO objects and the role objects

Directory services for Active Directory

The following sections provide installation prerequisites, preparation instructions, and a working example of directory services for Active Directory. HP provides a utility to automate much of the directory setup process. You can download HP Directories Support for ProLiant Management Processors from http://www.hp.com/support/ilo4.

Active Directory installation prerequisites

• Active Directory must have a digital certificate installed to enable iLO to connect securely over the network.
• Active Directory must have the schema extended to describe iLO object classes and properties.
• An iLO license must be installed.
  For more information about iLO licensing go to http://www.hp.com/go/ilo/licensing.
• Installing directory services for iLO requires extending the Active Directory schema. An Active Directory schema administrator must extend the schema.
• Directory services for iLO uses LDAP over SSL to communicate with the directory servers. Before you install snap-ins and schema for Active Directory, read and have available the following documentation:
  ◦ Microsoft Knowledge Base Articles
    These articles are available at http://support.microsoft.com/.
    – 321051 Enabling LDAP over SSL with a Third-Party Certificate Authority
    – 299687 MS01-036: Function Exposed By Using LDAP over SSL Could Enable Passwords to Be Changed
  ◦ iLO requires a secure connection to communicate with the directory service. This connection requires the installation of the Microsoft CA. For more information, see the Microsoft Knowledge Base Article 321051: How to Enable LDAP over SSL with a Third-Party Certification Authority.

Installing Active Directory

For the schema-free configuration
1. Install Active Directory, DNS, and the root CA.
2. Log in to iLO and enter the directory settings and directory user contexts on the Administration→Security→Directory page.
   For more information, see “Configuring directory settings” (page 72).
3. Click Apply Settings to save the changes.
4. Click the Administer Groups button, and then create directory groups for the iLO users.
   For more information, see “Managing iLO users by using the iLO web interface” (page 46).
5. Navigate to the iLO Dedicated Network Port or Shared Network Port General Settings page, and then enter the environment settings in the Domain Name and Primary DNS server boxes.
   For more information, see “Configuring IPv4 settings” (page 97).

For HP extended schema
1. Install Active Directory, DNS, and the root CA.
2. Verify that version 2.0 or later of the .NET Framework is installed. This software is required by the iLO LDAP component.
3. Install the latest HP Directories Support for ProLiant Management Processors software from http://www.hp.com/support/ilo4.
4. Extend the schema by using the Schema Extender.
   For more information, see “Schema required software” (page 276).
5. Install the HP LDAP component snap-ins.
   For more information, see “Schema required software” (page 276).
6. Create the HP device and HP role.
7. Log in to iLO and enter the directory settings and directory user contexts on the Administration→Security→Directory page.
   For more information, see “Configuring directory settings” (page 72).
8. Navigate to the iLO Dedicated Network Port or Shared Network Port General Settings page, and then enter the environment settings in the Domain Name and Primary DNS server boxes.
   For more information, see “Managing the iLO network settings” (page 91).
NOTE: The LDAP component does not work with a Windows Server Core installation.

Snap-in installation and initialization for Active Directory

1. Run the snap-in installation application to install the snap-ins.
2. Configure the directory service to have the appropriate objects and relationships for iLO management.
   a. Use the management snap-ins from HP to create iLO, policy, admin, and user role objects.
   b. Use the management snap-ins from HP to build associations between the iLO object, the policy object, and the role object.
   c. Point the iLO object to the admin and user role objects. (Admin and user roles automatically point back to the iLO object.)
For more information about iLO objects, see “Directory services objects” (page 282).