HP iLO 4 User Guide
• Organizational Unit (OU) — (Optional) The unit within the company or organization that owns this iLO subsystem
• Common Name (CN) — The FQDN of this iLO subsystem
4. Click Generate CSR.
The following message appears:
The iLO subsystem is currently generating a Certificate Signing Request (CSR). This may take 10 minutes or more. In order to view the CSR, wait 10 minutes or more, and then click the Generate CSR button again.
5. After 10 minutes or more, click the Generate CSR button again.
A new window displays the CSR.
The CSR contains a public and private key pair that validates communications between the client browser and iLO. iLO supports key sizes up to 2,048 bits. The generated CSR is held in memory until a new CSR is generated, iLO is reset, or a certificate is imported.
6. Select and copy the CSR text.
7. Open a browser window and navigate to a third-party CA.
8. Follow the onscreen instructions and submit the CSR to the CA.
The CA will generate a certificate in PKCS #10 format.
9. After you obtain the certificate, make sure that:
• The CN matches the iLO FQDN. This is listed as the iLO Hostname on the Information → Overview page.
• The certificate is generated as a Base64-encoded X.509 certificate.
• The first and last lines are included in the certificate.
10. Return to the SSL Certificate Customization page in the iLO web interface.
11. Click the Import Certificate button.
The Import Certificate window opens.
12. Paste the certificate into the text box, and then click Import.
iLO supports DER-encoded SSL certificates that are up to 3 KB in size (including the 609 or 1,187 bytes used by the private key, for 1,024-bit and 2,048-bit certificates, respectively).
Configuring iLO security 71
13. Reset iLO.
For instructions, see "Using iLO diagnostics" (page 180).

Configuring directory settings
The iLO firmware connects to Microsoft Active Directory for user authentication and authorization. You can configure iLO to authenticate and authorize users by using the HP Extended Schema directory integration or the schema-free directory integration. The HP Extended Schema works only with Microsoft Windows. The iLO firmware connects to directory services by using SSL connections to the directory server LDAP port. The default secure LDAP port is 636.
For more information about using directory authentication with iLO, see "Directory services" (page 265).
Locally stored user accounts (listed on the User Administration page) can be active when iLO directory support is enabled. This enables both local-based and directory-based user access. Typically, you can delete local user accounts (with the exception of an emergency access account) after iLO is configured to access the directory service. You can also disable access to these accounts when directory support is enabled.
You must have the Configure iLO Settings privilege to change the directory settings.
This feature and many others are part of an iLO licensing package. For more information about iLO licensing, see the following website: http://www.hp.com/go/ilo/licensing.
Configuring authentication and directory server settings
1. Navigate to the Administration → Security → Directory page.
2. Configure the following options:
• LDAP Directory Authentication — Enables or disables directory authentication. If directory authentication is enabled and configured correctly, users can log in by using directory credentials.
Choose from the following options:
◦ Disabled — User credentials are not validated by using a directory.
◦ Use HP Extended Schema — Selects directory authentication and authorization by using directory objects created with the HP Extended Schema. Select this option when the directory has been extended with the HP Extended Schema.
◦ Use Directory Default Schema — Selects directory authentication and authorization by using user accounts in the directory. Select this option when the directory is not extended with the HP Extended Schema. User accounts and group memberships are used to authenticate and authorize users. After you enter and save the directory network information, click Administer Groups, and then enter one or more valid directory DNs and privileges to grant users access to iLO.
• Kerberos Authentication — Enables or disables Kerberos login. If Kerberos login is enabled and configured correctly, the HP Zero Sign In button appears on the login page.
• Local User Accounts — Enables or disables local user account access.
◦ Enabled — A user can log in by using locally stored user credentials. HP recommends enabling this option and configuring a user account with administrator privileges. This account can be used if iLO cannot communicate with the directory server.
◦ Disabled — User access is limited to valid directory credentials.
Access through local user accounts is enabled when directory support is disabled or an iLO license is revoked. You cannot disable local user access when you are logged in through a local user account.
• Kerberos Realm — The name of the Kerberos realm in which the iLO processor is operating. This string can be up to 128 characters. A realm name is usually the DNS name converted to uppercase. Realm names are case sensitive.
• Kerberos KDC Server Address — The IP address or DNS name of the KDC server. This string can be up to 128 characters. Each realm must have at least one KDC that contains an authentication server and a ticket grant server. These servers can be combined.
• Kerberos KDC Server Port — The TCP or UDP port number on which the KDC is listening. The default KDC port is 88.
• Kerberos Keytab — A binary file that contains pairs of service principal names and encrypted passwords. In the Windows environment, the keytab file is generated by the ktpass utility. Click Browse (Internet Explorer or Firefox) or Choose File (Chrome), and then follow the onscreen instructions to select a file.
IMPORTANT: The components of the service principal name stored in the Kerberos keytab file are case sensitive. The primary (service type) must be in uppercase letters, for example, (HTTP). The instance (iLO hostname) must be in lowercase letters, for example, iloexample.example.net. The realm name must be in uppercase, for example, EXAMPLE.NET.
3. Enter the directory server settings.
• Directory Server Address — Specifies the network DNS name or IP address of the directory server. The directory server address can be up to 127 characters.
IMPORTANT: HP recommends using DNS round-robin when you define the directory server.
• Directory Server LDAP Port — Specifies the port number for the secure LDAP service on the server. The default value is 636. You can specify a different value if your directory service is configured to use a different port.
• LOM Object Distinguished Name — Specifies where this iLO instance is listed in the directory tree (for example, cn=iLO Mail Server,ou=Management Devices,o=hp). This option is available when Use HP Extended Schema is selected.
User search contexts are not applied to the LOM object DN when iLO accesses the directory server.
• Directory User Contexts — These boxes enable you to specify common directory subcontexts so that users do not need to enter their full DNs at login. Directory user contexts can be up to 128 characters.
You can identify the objects listed in a directory by using unique DNs. However, DNs can be long, and users might not know their DNs or might have accounts in different directory contexts. iLO attempts to contact the directory service by DN, and then applies the search contexts in order until successful.
◦ Example 1 — If you enter the search context ou=engineering,o=hp, you can log in as user instead of logging in as cn=user,ou=engineering,o=hp.
◦ Example 2 — If a system is managed by Information Management, Services, and Training, search contexts such as the following enable users in any of these organizations to log in by using their common names:
Directory User Context 1: ou=IM,o=hp
Directory User Context 2: ou=Services,o=hp
Directory User Context 3: ou=Training,o=hp
If a user exists in both the IM organizational unit and the Training organizational unit, login is first attempted as cn=user,ou=IM,o=hp.
◦ Example 3 (Active Directory only) — Microsoft Active Directory allows an alternate login format, user@domain.example.com, in which case a search context of @domain.example.com allows the user to log in as user. Only a successful login attempt can test search contexts in this format.
4. Click Apply Settings.
5. To test the communication between the directory server and iLO, click Test Settings.
For more information, see "Running directory tests" (page 75).
6. Optional: Click Administer Groups to navigate to the User Administration page, where you can configure directory groups.
For information about group administration, see "Administering directory groups" (page 50).
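The two rules in this procedure that are easiest to get wrong are the order in which Directory User Contexts are applied (Examples 1 to 3 above) and the case rules for the keytab service principal name (the IMPORTANT note under Kerberos Keytab). The following is an added example, not HP or iLO code: the directory is a constructed set of DNs standing in for the LDAP server, and the treatment of a login that is already a DN or UPN is an assumption.

```python
# Added example (not HP's code): models how iLO applies Directory User Contexts
# and checks the case rules the manual gives for the Kerberos keytab principal.
import re

def bind_candidates(login, contexts):
    """Return the names iLO would try for a login, in context order.

    Assumption: a name that already looks like a DN or a UPN is tried as typed
    and the contexts are not applied to it. A DN-style context is prepended
    with cn=<login> (Examples 1 and 2); a context starting with "@" is an
    Active Directory UPN suffix (Example 3) and yields login@domain."""
    if "=" in login or "@" in login:
        return [login]
    candidates = []
    for ctx in contexts:
        ctx = ctx.strip()
        if not ctx:
            continue                               # unused context box
        if ctx.startswith("@"):
            candidates.append(f"{login}{ctx}")
        else:
            candidates.append(f"cn={login},{ctx}")
    return candidates

def first_successful(login, contexts, directory):
    """Apply the contexts in order until a name exists in the constructed
    directory (a set of DNs that stands in for the LDAP server)."""
    for name in bind_candidates(login, contexts):
        if name in directory:
            return name
    return None

SPN_RE = re.compile(r"^(?P<primary>[^/@]+)/(?P<instance>[^/@]+)@(?P<realm>[^/@]+)$")

def keytab_spn_problems(spn):
    """Check the keytab SPN case rules: primary uppercase (HTTP), instance
    (iLO host name) lowercase, realm uppercase. Empty list means acceptable."""
    m = SPN_RE.match(spn)
    if not m:
        return ["expected the form primary/instance@REALM"]
    problems = []
    if m["primary"] != m["primary"].upper():
        problems.append("primary (service type) must be uppercase, e.g. HTTP")
    if m["instance"] != m["instance"].lower():
        problems.append("instance (iLO host name) must be lowercase")
    if m["realm"] != m["realm"].upper():
        problems.append("realm must be uppercase, e.g. EXAMPLE.NET")
    return problems

if __name__ == "__main__":
    # Constructed directory: the same user exists under two OUs (Example 2).
    directory = {"cn=user,ou=IM,o=hp", "cn=user,ou=Training,o=hp"}
    contexts = ["ou=IM,o=hp", "ou=Services,o=hp", "ou=Training,o=hp"]
    print(first_successful("user", contexts, directory))
    print(keytab_spn_problems("http/ILOexample.example.net@example.net"))
```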
Running directory tests
Directory tests enable you to validate the configured directory settings. The directory test results are reset when directory settings are saved, or when the directory tests are started.
To validate the configured directory settings:
1. Click Test Settings on the Security → Directory page.
The Directory Tests page opens.
This page displays the results of a series of simple tests designed to validate the current directory settings. Also, it includes a test log that shows test results and detected issues. After your directory settings are configured correctly, you do not need to rerun these tests. The Directory Tests page does not require you to log in as a directory user.
2. In the Directory Test Controls section, enter the DN and password of a directory administrator.
• Directory Administrator Distinguished Name — Searches the directory for iLO objects, roles, and search contexts. This user must have the right to read the directory.
• Directory Administrator Password — Authenticates the directory administrator.
HP recommends that you use the same credentials that you used when creating the iLO objects in the directory. These credentials are not stored by iLO; they are used to verify the iLO object and user search contexts.
3. In the Directory Test Controls section, enter a test user name and password.
• Test User Name — Tests login and access rights to iLO. This name does not need to be fully distinguished because user search contexts can be applied. This user must be associated with a role for this iLO.
• Test User Password — Authenticates the test user.
Typically, this account is used to access the iLO processor being tested. It can be the directory administrator account, but the tests cannot verify user authentication with a superuser account. These credentials are not stored by iLO.
4. Click Start Test.
Several tests begin in the background, starting with a network ping of the directory user by establishing an SSL connection to the server and evaluating user privileges.
While the tests are running, the page refreshes periodically. You can stop the tests or manually refresh the page at any time.

Viewing directory test results
The Directory Test Results section shows the directory test status with the date and time of the last update.
• Overall Status — Summarizes the results of the tests.
◦ Not Run — No tests were run.
◦ Inconclusive — No results were reported.
◦ Passed — No failures were reported.
◦ Problem Detected — A problem was reported.
◦ Failed — A specific subtest failed. Check the onscreen log to identify the problem.
◦ Warning — One or more of the directory tests reported a Warning status.
• Test — The name of each test.
For more information about the iLO directory tests, see "About the iLO directory tests" (page 78).
• Result — Reports status for a specific directory setting or an operation that uses one or more directory settings. These results are generated when a sequence of tests is run. The results stop when the tests run to completion, when a test failure prevents further progress, or when the tests are stopped. Test results follow:
◦ Passed — The test ran successfully. If more than one directory server was tested, all servers that ran this test were successful.
◦ Not Run — The test was not run.
◦ Failed — The test was unsuccessful on one or more directory servers. Directory support might not be available on those servers.
◦ Warning — The test ran and reported a warning condition, for example, a certificate error. Check the Notes column for suggested actions to correct the warning condition.
• Notes — Indicates the results of various phases of the directory tests. The data is updated with failure details and information that is not readily available, like the directory server certificate subject and which roles were evaluated successfully.

Using the directory test controls
The Directory Test Controls section enables you to view the current state of the directory tests, adjust the test parameters, start and stop the tests, and refresh the page contents.
• In Progress — Indicates that directory tests are currently being performed in the background. Click Stop Test to cancel the current tests, or click Refresh to update the contents of the page with the latest results. Using the Stop Test button might not stop the tests immediately.
• Not Running — Indicates that directory tests are current, and that you can supply new parameters to run the tests again. Use the Start Test button to start the tests and use the current test control values. Directory tests cannot be started after they are already in progress.
• Stopping — Indicates that directory tests have not yet reached a point where they can stop. You cannot restart tests until the status changes to Not Running. Use the Refresh button to determine whether the tests are complete.
For information about the parameters you can enter, see "Running directory tests" (page 75).
About the iLO directory tests
Descriptions of the directory tests follow:
• Directory Server DNS Name — If the directory server is defined in FQDN format (directory.company.com), iLO resolves the name from FQDN format to IP format, and queries the configured DNS server.
If the test is successful, iLO obtained an IP address for the configured directory server. If iLO cannot obtain an IP address for the directory server, this test and all subsequent tests fail.
If the directory server is configured with an IP address, iLO skips this test.
If a failure occurs:
1. Verify that the DNS server configured in iLO is correct.
2. Verify that the directory server FQDN is correct.
3. As a troubleshooting tool, use an IP address instead of the FQDN.
4. If the problem persists, check the DNS server records and network routing.
• Ping Directory Server — iLO initiates a ping to the configured directory server.
The test is successful if iLO receives the ping response; it is unsuccessful if the directory server does not reply to iLO.
If the test fails, iLO will continue with the subsequent tests.
If a failure occurs:
1. Check to see if a firewall is active on the directory server.
2. Check for network routing issues.
• Connect to Directory Server — iLO attempts to negotiate an LDAP connection with the directory server.
If the test is successful, iLO was able to initiate the connection.
If the test fails, iLO was not able to initiate an LDAP connection with the specified directory server. Subsequent tests will stop.
If a failure occurs:
1. Verify that the configured directory server is the correct host.
2. Verify that iLO has a clear communication path to the directory server through port 636 (consider any routers or firewalls between iLO and the directory server).
3. Verify that any local firewall on the directory server is enabled to allow communications through port 636.
• Connect using SSL — iLO initiates SSL handshake and negotiation and LDAP communications with the directory server through port 636.
If the test is successful, the SSL handshake and negotiation between iLO and the directory server were successful.
If a failure occurs, the directory server is not enabled for SSL negotiations.
If you are using Microsoft Active Directory, verify that Active Directory Certificate Services are installed.
• Bind to Directory Server — This test binds the connection with the user name specified in the test boxes. If no user is specified, iLO does an anonymous bind.
If the test is successful, the directory server accepted the binding.
If a failure occurs:
1. Verify that the directory server allows anonymous binding.
2. If you entered a user name in the test boxes, verify that the credentials are correct.
3. If you verified that the user name is correct, try using other user-name formats; for example, username@domain.example.com, DOMAIN\username, username (called Display Name in Active Directory), or user login.
4. Verify that the specified user is allowed to log in and is enabled.
• Directory Administrator Login — If Directory Administrator Distinguished Name and Directory Administrator Password were specified, iLO uses these values to log in to the directory server as an administrator. These boxes are optional.
• User Authentication — iLO authenticates to the directory server with the specified user name and password.
If the test is successful, the supplied user credentials are correct.
If the test fails, the user name and/or password is incorrect.
If a failure occurs:
1. If you verified that the user name is correct, try using other user-name formats; for example, username@domain.example.com, DOMAIN\username, username (called Display Name in Active Directory), or user login.
2. Verify that the specified user is allowed to log in and is enabled.
3. Check to see if the specified user name is restricted by logon hours or IP-based logging.
• User Authorization — This test verifies that the specified user name is part of the specified directory group, and is part of the directory search context specified during directory services configuration.
If a failure occurs:
1. Verify that the specified user name is part of the specified directory group.
2. Check to see if the specified user name is restricted by logon hours or IP-based logging.
• Directory User Contexts — If Directory Administrator Distinguished Name was specified, iLO tries to search the specified context.
If the test is successful, iLO found the context by using the administrator credentials to search for the container in the directory.
Contexts that begin with "@" can be tested only by user login.
A failure indicates that the container could not be located.
• LOM Object Exists — This test searches for the iLO object in the directory server by using the LOM Object Distinguished Name configured on the Security → Directory page.
NOTE: You can enter a LOM Object Distinguished Name on the Security → Directory page only when Use HP Extended Schema is selected. This test is run even if LDAP Directory Authentication is disabled.
If the test is successful, iLO found the object that represents itself.
If a failure occurs:
1. Verify that the LDAP FQDN of the LOM object is correct.
2. Try to update the HP Extended Schema and snap-ins in the directory server by updating the HP Directories Support for ProLiant Management Processors software.
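The tests above are not independent: a DNS failure fails every later test, a ping failure lets testing continue, and a connect failure stops the rest, which is what makes a result table of Passed, Failed and Not Run entries readable. The following added example (not iLO firmware code) models that sequencing; the test names are the page's, the probe results are constructed, and the stop/continue rule for the tests the text does not state explicitly is an assumption. Only the Not Run, Passed, Failed and Warning overall statuses are modelled.

```python
# Added example (not HP's code): a model of the ordering and stop/continue
# rules of the iLO directory tests, driven by constructed probe results.

# (test name, what happens to later tests when this one fails)
#   "fail_rest" - all later tests fail (stated for the DNS name test)
#   "stop"      - later tests are Not Run (stated for connect; assumed for
#                 SSL, bind and user authentication)
#   "continue"  - testing continues (stated for ping; assumed for the rest)
TESTS = [
    ("Directory Server DNS Name", "fail_rest"),
    ("Ping Directory Server", "continue"),
    ("Connect to Directory Server", "stop"),
    ("Connect using SSL", "stop"),
    ("Bind to Directory Server", "stop"),
    ("Directory Administrator Login", "continue"),
    ("User Authentication", "stop"),
    ("User Authorization", "continue"),
    ("Directory User Contexts", "continue"),
    ("LOM Object Exists", "continue"),
]

def overall_status(results):
    """Summarize per-test results the way the Overall Status field does."""
    values = list(results.values())
    if all(v == "Not Run" for v in values):
        return "Not Run"
    if "Failed" in values:
        return "Failed"
    if "Warning" in values:
        return "Warning"
    return "Passed"

def run_directory_tests(probe, server_is_ip=False):
    """probe(name) returns "Passed", "Failed" or "Warning" for one test.
    Returns (results dict in run order, overall status). The DNS test is
    skipped when the directory server is configured as an IP address."""
    results, forced = {}, None
    for name, on_failure in TESTS:
        if forced is not None:                 # an earlier test blocked us
            results[name] = forced
            continue
        if server_is_ip and name == "Directory Server DNS Name":
            results[name] = "Not Run"
            continue
        results[name] = outcome = probe(name)
        if outcome == "Failed":
            forced = {"fail_rest": "Failed", "stop": "Not Run"}.get(on_failure)
    return results, overall_status(results)

def probe_from(failures, warnings=()):
    """Build a constructed probe that fails or warns on the named tests."""
    return lambda name: ("Failed" if name in failures
                         else "Warning" if name in warnings else "Passed")

if __name__ == "__main__":
    results, status = run_directory_tests(probe_from({"Ping Directory Server"}))
    print(status, results)
```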
Using encryption
iLO provides enhanced security for remote management in distributed IT environments. SSL encryption protects web browser data. SSL encryption of HTTP data ensures that the data is secure as it is transmitted across the network. iLO supports the following cipher strengths:
• 256-bit AES with RSA, DHE, and a SHA1 MAC
• 256-bit AES with RSA, and a SHA1 MAC
• 128-bit AES with RSA, DHE, and a SHA1 MAC
• 128-bit AES with RSA, and a SHA1 MAC
• 168-bit 3DES with RSA, and a SHA1 MAC
• 168-bit 3DES with RSA, DHE, and a SHA1 MAC
iLO also provides enhanced encryption through the SSH port for secure CLP transactions. iLO supports AES256-CBC, AES128-CBC, and 3DES CBC cipher strengths through the SSH port.
If enabled, iLO enforces the use of these enhanced ciphers (both AES and 3DES) over the secure channels, including secure HTTP transmissions through the browser, SSH port, and XML port. When AES/3DES encryption is enabled, you must use a cipher strength equal to or greater than AES/3DES to connect to iLO through these secure channels. The AES/3DES encryption enforcement setting does not affect communications and connections over less-secure channels.
By default, Remote Console data uses 128-bit RC4 bidirectional encryption. The HPQLOCFG utility uses 128-bit RC4 with 160-bit SHA1 and 2048-bit RSA KeyX encryption to securely send RIBCL scripts to iLO over the network.
Version 1.20 and later of the iLO 4 firmware supports FIPS Mode.
NOTE: The term FIPS Mode is used in this document and in iLO to describe the feature, not its validation status.
• FIPS is a set of standards mandated for use by United States government agencies and contractors.
• FIPS Mode in iLO 4 1.20 and later is intended to meet the requirements of FIPS 140-2 level 1. This version or any other version of the iLO firmware might have this feature but might or might not be FIPS validated. The FIPS validation process is lengthy, so not all iLO firmware versions will be validated. For information about the current FIPS status of this or any other version of the iLO firmware, see the following document: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf.

Viewing encryption enforcement settings
Navigate to the Administration → Security → Encryption page.