HP iLO 4 User Guide
The directory server evaluates user time restrictions, but the determination can be complicated by time-zone changes or the authentication mechanism.

Figure 10 User time restrictions
(Figure labels: User; LOM; Client Workstation; Directory Server. "User time restrictions are enforced by the directory server.")

Creating multiple restrictions and roles

The most useful application of multiple roles is restricting one or more roles so that rights do not apply in all situations. Other roles provide different rights under different constraints. Using multiple restrictions and roles enables the administrator to create arbitrary, complex rights relationships with a minimum number of roles.

For example, an organization might have a security policy in which LOM administrators are allowed to use the LOM device from within the corporate network, but can reset the server only after regular business hours.

Directory administrators might be tempted to create two roles to address this situation, but extra caution is required. Creating a role that provides the required server reset rights and restricting it to after hours might allow administrators outside the corporate network to reset the server, which is contrary to most security policies.

In the example shown in Figure 11 (page 291), security policy dictates that general use is restricted to clients in the corporate subnet, and server reset capability is restricted to after hours.

Figure 11 Creating restrictions and roles
(Figure labels: User; Server. General Use Role: Assigns Login Right; IP Restrictions: DENY except to corporate subnet. Reset Role: Assigns Server Reset Right; Time Restriction: Denied Monday through Friday, 8 a.m. to 5 p.m.)

Alternatively, the directory administrator might create a role that grants the login right and restrict it to the corporate network, and then create another role that grants only the server reset right and restrict it to after-hours operation. This configuration is easier to manage but more dangerous because ongoing administration might create another role that grants the login right to users from addresses outside the corporate network. This role might unintentionally grant the LOM administrators in the server Reset role the ability to reset the server from anywhere, if they satisfy the role's time constraints.

The previous configuration (Figure 11) meets corporate security requirements. However, adding another role that grants the login right can inadvertently grant server reset privileges from outside the corporate subnet after hours. A more manageable solution would be to restrict the Reset role and the General Use role, as shown in Figure 12 (page 292).

Figure 12 Restricting the Reset and General Use roles

Using bulk import tools

Adding and configuring large numbers of LOM objects is time consuming. HP provides several utilities to assist with these tasks.

• HP Lights-Out Migration utility
The HP Lights-Out Migration utility imports and configures multiple LOM devices. It includes a GUI that provides a step-by-step approach to implementing or upgrading large numbers of management processors. HP recommends using this GUI method when upgrading several management processors. For more information, see “Using HP Directories Support for ProLiant Management Processors” (page 294).

• HP SIM utilities
The HP SIM utilities enable you to perform the following tasks:
◦ Manage multiple LOM devices.
◦ Discover the LOM devices as management processors by using HPQLOCFG to send a RIBCL XML script file to a group of LOM devices. The LOM devices perform the actions designated by the RIBCL file and send a response to the HPQLOCFG log file. For more information, see the HP iLO 4 Scripting and Command Line Guide.

• Traditional import utilities
Administrators familiar with tools such as LDIFDE or the NDS Import/Export Wizard can use these utilities to import or create many LOM device objects in the directory. Administrators must still configure the devices manually, as described earlier, but can do so at any time. Programmatic or scripting interfaces can also be used to create the LOM device objects in the same way as users or other objects. For information about attributes and attribute data formats when you are creating LOM objects, see “Directory services schema” (page 344).

HP Directories Support for ProLiant Management Processors utility

You can download this utility from http://www.hp.com/support/ilo4.
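The role interaction described under "Creating multiple restrictions and roles" above, modelled as an added example (not HP's code and not part of the guide). It assumes a simplified evaluation in which a user's effective rights are the union of the rights from every role whose restrictions the request meets, and that a reset needs both the login and the reset right; the subnet, addresses, date and the Remote Login role are constructed.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime

CORP_SUBNET = ipaddress.ip_network("10.0.0.0/8")  # constructed corporate subnet

@dataclass
class Role:
    name: str
    rights: frozenset
    corp_only: bool = False            # IP restriction: DENY except corporate subnet
    deny_business_hours: bool = False  # denied Monday-Friday, 8 a.m. to 5 p.m.

    def applies(self, client_ip, when):
        """True when every restriction on this role is met for the request."""
        if self.corp_only and ipaddress.ip_address(client_ip) not in CORP_SUBNET:
            return False
        if self.deny_business_hours and when.weekday() < 5 and 8 <= when.hour < 17:
            return False
        return True

def effective_rights(roles, client_ip, when):
    """Union of rights from the roles whose restrictions the request meets."""
    granted = set()
    for role in roles:
        if role.applies(client_ip, when):
            granted |= role.rights
    return granted

def can_reset(roles, client_ip, when):
    # Assumption: resetting the server needs the login right and the reset right.
    return {"login", "reset"} <= effective_rights(roles, client_ip, when)

# Figure 11: the restrictions are split across the two roles.
FIGURE_11 = [
    Role("General Use", frozenset({"login"}), corp_only=True),
    Role("Reset", frozenset({"reset"}), deny_business_hours=True),
]
# Figure 12: the Reset role carries both rights and both restrictions.
FIGURE_12 = [
    Role("General Use", frozenset({"login"}), corp_only=True),
    Role("Reset", frozenset({"login", "reset"}), corp_only=True,
         deny_business_hours=True),
]
# Hypothetical role added later by routine administration: login from anywhere.
REMOTE_LOGIN = Role("Remote Login", frozenset({"login"}))

AFTER_HOURS = datetime(2024, 1, 10, 22, 0)  # constructed: a Wednesday, 10 p.m.
OUTSIDE_IP = "203.0.113.7"                  # constructed: outside the subnet
```

Evaluating `can_reset(FIGURE_11 + [REMOTE_LOGIN], OUTSIDE_IP, AFTER_HOURS)` shows the unintended grant; the same call with `FIGURE_12` is denied because the Reset role's own IP restriction still applies.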
(Figure 12 labels: User; Server. General Use Role: Assigns Login Right; IP Restrictions: DENY except to corporate subnet. Reset Role: Assigns Server Reset Right AND Login Right; Time Restriction: Denied Monday through Friday, 8 a.m. to 5 p.m.; IP Restriction: DENY except to corporate subnet.)

The HP Directories Support for ProLiant Management Processors utility (HPLOMIG.exe) is for customers who installed management processors and want to simplify the migration of these processors to management by directories. The utility automates some of the migration steps necessary for the management processors to support directory services. The utility can do the following:
• Discover management processors on the network.
• Upgrade the management processor firmware.
• Name the management processors to identify them in the directory.
• Create objects in the directory that correspond to each management processor, and associate them with a role.
• Configure the management processors to enable them to communicate with the directory.

Compatibility

The HP Directories Support for ProLiant Management Processors utility operates on Microsoft Windows and requires the Microsoft .NET Framework. The utility supports the following operating systems:
• Windows Server 2003 32-bit, 64-bit
• Windows Server 2008 32-bit, 64-bit
• Windows Server 2008 R2
• Windows Vista
• Windows 7
• Windows 2012

HP Directories Support for ProLiant Management Processors package

The migration software, schema extender, and management snap-ins are included in the HP Directories Support for ProLiant Management Processors package. You can download the installer from http://www.hp.com/support/ilo4. To complete the migration of your management processors, you must extend the schema and install the management snap-ins before running the migration tool.

To install the migration utilities, start the installer, and then click HP Directories Support for ProLiant Management Processors.

The HPLOMIG.exe file, the required DLLs, the license agreement, and other files are installed in the directory C:\Program Files\Hewlett-Packard\HP Directories Support for ProLiant Management Processors. You can select a different directory. The installer creates a shortcut to HP Directories Support for ProLiant Management Processors on the Start menu and installs a sample XML file.
NOTE: If the installation utility detects that the .NET Framework is not installed, it displays an error message and exits.

Using HP Directories Support for ProLiant Management Processors

The HP Directories Support for ProLiant Management Processors utility automates the process of migrating management processors by creating objects in the directory that correspond to each management processor and associating them with a role. HP Directories Support for ProLiant Management Processors has a GUI and provides a wizard for implementing or upgrading multiple management processors.

Finding management processors

The first migration step is to discover all management processors that you want to enable for directory services. You can search for management processors by using DNS names, IP addresses, or IP address wildcards. The following rules apply to the values entered in the Addresses box:
• DNS names, IP addresses, and IP address wildcards must be delimited with semicolons.
• The IP address wildcard uses the asterisk (*) character in the third and fourth octet fields. For example, IP address 16.100.*.* is valid, and IP address 16.*.*.* is invalid.
• Ranges can also be specified using a hyphen. For example, 192.168.0.2-10 is a valid range. A hyphen is supported only in the rightmost octet.
• After you click Find, the utility begins pinging and connecting to port 443 (the default SSL port) to determine whether the target network address is a management processor. If the device does not respond to the ping or connect appropriately on port 443, the utility determines that it is not a management processor.

If you click Next, click Back, or exit the utility during discovery, operations on the current network address are completed, but those on subsequent network addresses are canceled.

To discover your management processors:
1. Select Start→All Programs→Hewlett-Packard→HP Directories Support for ProLiant Management Processors.
The Welcome page opens.
2. Click Next.
The Find Management Processors window opens.
3. In the Addresses box, enter the values to perform the management processor search.
4. Enter your iLO login name and password, and then click Find.
When the search is complete, the management processors are listed and the Find button changes to Verify.
You can also enter a list of management processors from a file by clicking Import. The file is a simple text file with one management processor listed per line. The columns, which are delimited with semicolons, are as follows:
• Network Address
• Product
• F/W Version
• DNS Name
• User Name
• Password
• LDAP Status
• Kerberos Status
For example, one line might have the following information:
16.100.225.20;iLO;1.10;ILOTPILOT2210;user;password;Default Schema;Kerberos Disabled
If, for security reasons, the user name and password cannot be included in the file, leave these columns blank, but enter the semicolons.

Upgrading firmware on management processors

The Upgrade Firmware page enables you to update the firmware on your iLO management processors. It also enables you to designate the location of the firmware image for each management processor by entering the path or clicking Browse.
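A pre-flight check for the Addresses box rules and the import file format described under "Finding management processors" above, as an added example (not HP's code; the function names are hypothetical). It counts how many hosts an Addresses value would cause the utility to probe and flags import-file lines that carry a clear-text password, assuming a wildcard octet spans 256 values.

```python
import re

# Column order of the import file, as listed in the guide.
COLUMNS = ["Network Address", "Product", "F/W Version", "DNS Name",
           "User Name", "Password", "LDAP Status", "Kerberos Status"]
# The example line given in the guide.
SAMPLE = "16.100.225.20;iLO;1.10;ILOTPILOT2210;user;password;Default Schema;Kerberos Disabled"

def address_count(entry):
    """Hosts covered by one Addresses entry; ValueError if it breaks the rules."""
    parts = entry.strip().split(".")
    if len(parts) != 4 or not all(re.fullmatch(r"[0-9*-]+", p) for p in parts):
        return 1  # not IP-shaped: treated as a single DNS name
    total = 1
    for pos, part in enumerate(parts, start=1):
        if part == "*":
            if pos < 3:
                raise ValueError(f"{entry}: wildcard only in octets 3 and 4")
            total *= 256  # assumption: a wildcard octet spans 0-255
        elif "-" in part:
            m = re.fullmatch(r"(\d+)-(\d+)", part)
            if pos != 4 or not m:
                raise ValueError(f"{entry}: range only in the rightmost octet")
            lo, hi = int(m.group(1)), int(m.group(2))
            if not lo <= hi <= 255:
                raise ValueError(f"{entry}: bad range {part}")
            total *= hi - lo + 1
        elif not part.isdigit() or int(part) > 255:
            raise ValueError(f"{entry}: bad octet {part!r}")
    return total

def scope_size(addresses_box):
    """Total hosts probed for a semicolon-delimited Addresses value."""
    return sum(address_count(e) for e in addresses_box.split(";") if e.strip())

def lint_import_line(line):
    """Findings for one import-file line: column count, password, address."""
    fields = line.rstrip("\r\n").split(";")
    if len(fields) != len(COLUMNS):
        return [f"expected {len(COLUMNS)} columns, found {len(fields)}"]
    findings = []
    if fields[COLUMNS.index("Password")]:
        findings.append("password stored in clear text")
    try:
        address_count(fields[0])
    except ValueError as exc:
        findings.append(str(exc))
    return findings
```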
NOTE: Binary images of the firmware for the management processors must be accessible from the system that is running the migration utility. These binary images can be downloaded from http://www.hp.com/support/ilo4.

The upgrade process might take a long time, depending on the number of management processors selected. The firmware upgrade of a single management processor can take as long as 5 minutes to complete. If an upgrade fails, a message is displayed in the Results column, and the utility continues to upgrade the other discovered management processors.

IMPORTANT: HP recommends that you test the upgrade process and verify the results in a test environment before running the utility on a production network. An incomplete transfer of the firmware image to a management processor might result in having to locally reprogram the management processor.

To upgrade the firmware on your management processors:
1. Navigate to the Upgrade Firmware on Management Processors window.
2. Select the management processors to upgrade.
3. For each discovered management processor type, enter the correct pathname to the firmware image or browse to the image.
4. Click Upgrade Firmware.
The selected management processors are upgraded. Although this utility enables you to upgrade hundreds of management processors, only 25 management processors are upgraded simultaneously. Network activity is considerable during this process.
5. After the upgrade is complete, click Next.

During the firmware upgrade process, all buttons are deactivated to prevent navigation. You can still close the application by clicking the X at the top right of the page. If the GUI is closed during programming of firmware, the application continues to run in the background and completes the firmware upgrade on all selected devices.
Selecting a directory access method

After you click Next in the Upgrade Firmware on Management Processors window, the Select the Desired Configuration window appears.

You can select which management processors to configure (with respect to schema usage) and how to configure them. The Select the Desired Configuration window helps to prevent an accidental overwrite of iLOs already configured for HP schema, or iLOs that have directories turned off. The selections you make in this window determine the windows that are displayed when you click Next.

To configure the management processor for directory services, see “Configuring directories when HP extended schema is selected” (page 298). To configure the management processor for Schema-free (default schema) directories support, see “Configuring directories when schema-free integration is selected” (page 302).

Naming management processors

The Name the management processors window enables you to name iLO management device objects in the directory and create corresponding device objects for all management processors to be managed. You can create names by using one or more of the following:
• The network address
• The DNS name
• An index
• Manual creation of the name
• The addition of a prefix to all
• The addition of a suffix to all

To name the management processors, click the Object Name column and enter the name, or do the following:
1. Select Use iLO Names, Create Name Using Index, or Use Network Address.
2. Optional: Enter the text to add (suffix or prefix) to all names.
3. Click Create Names.
The names appear in the Object Name column as they are generated. At this point, names are not written to the directory or the management processors. The names are stored until the next HP Directories Support for ProLiant Management Processors window is displayed.
4. Optional: To change the names, click Clear Names, and rename the management processors.
5. When the names are correct, click Next.

Configuring directories when HP extended schema is selected

The Configure Directory window enables you to create a device object for each discovered management processor and to associate the new device object with a previously defined role. For example, the directory defines a user as a member of a role (such as administrator) who has a collection of privileges on a specific device object.
The boxes on the Configure Directory window follow:
• Network Address—The network address of the directory server, which can be a valid DNS name or IP address.
• Port—The SSL port to the directory. The default port is 636. Management processors can communicate with the directory only by using SSL.
• Login Name and Password—Enter the login name and password for an account that has domain administrator access to the directory.
• Container DN—After you have the network address, port, and login information, you can click Browse to search for the container DN. The container is where the migration utility will create the management processor objects in the directory.
• Role(s) DN—After you have the network address, port, and login information, you can click Browse to search for the role DN. The role is where the role to be associated with the device objects resides. The role must be created before you run this utility.

To configure the device objects to be associated with a role:
1. Enter the network address, login name, and password for the designated directory server.
2. Enter the container DN in the Container DN box, or click Browse to select a container DN.
3. Associate device objects with a member of a role by entering the role DN in the Role(s) DN box, or click Browse to select a role DN.
4. Click Update Directory.
The utility connects to the directory, creates the management processor objects, and adds them to the selected roles.
5. After the device objects have been associated with a role, click Next.
The values you entered are displayed in the Configure Directory window.