HP iLO 4 User Guide
The Encryption Settings page displays the current encryption settings for iLO.
• Current Negotiated Cipher—The cipher in use for the current browser session. After you log in to iLO through the browser, the browser and iLO negotiate a cipher setting to use during the session.
• Encryption Enforcement Settings—The current encryption settings for iLO:
  ◦ FIPS Mode—Indicates whether FIPS Mode is enabled or disabled for this iLO system.
  ◦ Enforce AES/3DES Encryption—Indicates whether AES/3DES encryption is enforced for this iLO.
    When enabled, iLO accepts only those connections through the browser and SSH interface that meet the minimum cipher strength. A cipher strength of at least AES or 3DES must be used to connect to iLO when this setting is enabled.

Modifying the AES/DES encryption setting
You must have the Configure iLO Settings privilege to change the encryption settings.
To modify the AES/DES encryption setting:
1. Navigate to the Administration→Security→Encryption page.
2. Change the Enforce AES/3DES Encryption setting to Enabled or Disabled.
   IMPORTANT: Java Runtime Environment 8 or later is required when Enforce AES/3DES Encryption is set to Enabled.
3. Click Apply to end your browser connection and restart iLO.
   It might take several minutes before you can re-establish a connection.
   When changing the Enforce AES/3DES Encryption setting to Enabled, close all open browsers after clicking Apply. Any browsers that remain open might continue to use a non-AES/3DES cipher.

Configuring iLO security 81

Connecting to iLO by using AES or 3DES encryption
After you enable the Enforce AES/3DES Encryption setting, iLO requires that you connect through secure channels (web browser, SSH connection, or XML channel) by using a cipher strength of at least AES or 3DES.
• Web browser—You must configure the browser with a cipher strength of at least AES or 3DES. If the browser is not using AES or 3DES ciphers, iLO displays an error message. The error text varies depending on the installed browser.
  Different browsers use different methods for selecting a negotiated cipher. For more information, see your browser documentation. You must log out of iLO through the current browser before changing the browser cipher setting. Any changes made to the browser cipher setting while you are logged in to iLO might enable the browser to continue using a non-AES/3DES cipher.
• SSH connection—For instructions on setting the cipher strength, see the SSH utility documentation.
• XML channel—HPQLOCFG uses a secure 3DES cipher by default. For example, HPQLOCFG displays the following cipher strength in the XML output:
  Connecting to Server...
  Negotiated cipher: 128–bit Rc4 with 160–bit SHA1 and 2048–bit RsaKeyx

Enabling FIPS Mode
You must have the Configure iLO Settings privilege to change the encryption settings.
To enable FIPS Mode for iLO:
1. Optional: Capture the current iLO configuration by using HPONCFG.
   For more information, see the HP iLO 4 Scripting and Command Line Guide.
2. Verify that a trusted certificate is installed.
   Using iLO in FIPS Mode with the default self-signed certificate is not FIPS-compliant. For instructions, see “Obtaining and importing an SSL certificate” (page 69).
   IMPORTANT: Some interfaces to iLO, such as supported versions of IPMI and SNMP, are not FIPS-compliant and cannot be made FIPS-compliant. For information about the iLO firmware versions that are FIPS validated, see the following document: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140-1val.zip.
3. Power off the server.
4. Navigate to the Administration→Security→Encryption page.
5. Set FIPS Mode to Enabled.
   CAUTION: Enabling FIPS Mode resets iLO to the factory default settings, and clears all user and license data.
6. Click Apply.
   iLO reboots in FIPS Mode. Wait at least 90 seconds before attempting to re-establish a connection.
7. Optional: Restore the iLO configuration by using HPONCFG.
   For more information, see the HP iLO 4 Scripting and Command Line Guide.
TIP: You can use the Login Security Banner feature to notify iLO users that a system is using FIPS Mode. For more information, see “Configuring the Login Security Banner” (page 89).
You can also use XML configuration and control scripts to enable FIPS mode. For more information, see the HP iLO 4 Scripting and Command Line Guide.
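
To audit the cipher an HPQLOCFG session actually negotiated (the XML channel item under “Connecting to iLO by using AES or 3DES encryption” above), the following added Python example, which is not from the HP guide, parses the Negotiated cipher line and fails closed when the cipher is not AES or 3DES. The first input is the line printed in the guide, which reports RC4 and is therefore flagged; the second input is constructed, and its cipher name and the accepted-prefix list are assumptions.

```python
import re

DASH = "[-\u2013]"  # the page prints an en dash in "128–bit"; plain hyphens are accepted too
FIELD = r"(\d+)\s*" + DASH + r"\s*bit\s+(\w+)"
CIPHER_LINE = re.compile(
    r"Negotiated cipher:\s*" + FIELD + r"\s+with\s+" + FIELD
    + r"(?:\s+and\s+" + FIELD + r")?", re.IGNORECASE)

# Assumption: cipher names beginning with these prefixes satisfy the
# "at least AES or 3DES" minimum; only the RC4 line is taken from the page.
ACCEPTED_PREFIXES = ("AES", "3DES")

def parse_negotiated(output):
    """Return the fields of the first 'Negotiated cipher' line, or None."""
    m = CIPHER_LINE.search(output)
    if m is None:
        return None
    bits, cipher, mac_bits, mac, kx_bits, kx = m.groups()
    return {"cipher": cipher.upper(), "bits": int(bits),
            "mac": mac.upper(), "mac_bits": int(mac_bits),
            "kx": kx, "kx_bits": int(kx_bits) if kx_bits else None}

def meets_minimum(output):
    """Fail closed: a missing cipher line or an unlisted cipher does not pass."""
    info = parse_negotiated(output)
    if info is None:
        return False, "no negotiated cipher reported"
    if info["cipher"].startswith(ACCEPTED_PREFIXES):
        return True, "%d-bit %s" % (info["bits"], info["cipher"])
    return False, "%d-bit %s is not AES or 3DES" % (info["bits"], info["cipher"])

# Output exactly as printed on this page.
PAGE_SAMPLE = ("Connecting to Server...\n"
               "Negotiated cipher: 128\u2013bit Rc4 with 160\u2013bit SHA1 "
               "and 2048\u2013bit RsaKeyx\n")
# Constructed line in the same shape; the name "Aes" is an assumption.
CONSTRUCTED_AES = "Negotiated cipher: 256-bit Aes with 160-bit SHA1 and 2048-bit RsaKeyx\n"

if __name__ == "__main__":
    for label, text in (("page sample", PAGE_SAMPLE), ("constructed", CONSTRUCTED_AES)):
        print(label, meets_minimum(text))
```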

Disabling FIPS Mode
If you want to disable FIPS Mode for iLO (for example, if a server is decommissioned), you must set iLO to the factory default settings. You can perform this task by using RIBCL scripts, iLO RBSU, or the iLO 4 Configuration Utility.
For instructions, see “Resetting iLO to the factory default settings by using iLO RBSU” (page 311), “Resetting iLO to the factory default settings by using the iLO 4 Configuration Utility” (page 312), or the HP iLO 4 Scripting and Command Line Guide.
When you disable FIPS Mode, all potentially sensitive data is erased, including all logs and settings.

Using HP SSO
HP SSO enables you to browse directly from an HP SSO-compliant application (such as HP SIM and HP OneView) to iLO, bypassing an intermediate login step. To use SSO, you must have a supported version of an HP SSO-compliant application, you might need iLO 4 1.20 or later, and you must configure the iLO processor to trust the SSO-compliant application.
iLO contains support for HP SSO applications to determine the minimum SSO certificate requirements. Some HP SSO-compliant applications automatically import trust certificates when they connect to iLO. For applications that do not do this automatically, use the HP SSO page to configure the SSO settings through the iLO web interface. You must have the Configure iLO Settings privilege to change these settings.
This feature and many others are part of an iLO licensing package. For more information about iLO licensing, see the following website: http://www.hp.com/go/ilo/licensing.

Configuring iLO for HP SSO
1. Navigate to the Administration→Security→HP SSO page.
2. Make sure you have an iLO license key installed.
3. Enable Single Sign-On Trust Mode by selecting Trust by Certificate, Trust by Name, or Trust All.
   The iLO firmware supports configurable trust modes, which enables you to meet your security requirements. The trust mode affects how iLO responds to HP SSO requests. If you enable support for HP SSO, HP recommends using the Trust by Certificate mode. The available modes follow:
   • Trust None (SSO disabled) (default)—Rejects all SSO connection requests
   • Trust by Certificate (most secure)—Enables SSO connections from an HP SSO-compliant application by matching a certificate previously imported to iLO
   • Trust by Name—Enables SSO connections from an HP SSO-compliant application by matching an IP address or DNS name imported directly, or an IP address or DNS name included in a certificate imported to iLO
   • Trust All (least secure)—Accepts any SSO connection initiated from any HP SSO-compliant application.
4. Configure iLO privileges for each role in the Single Sign-On Settings section.
   When you log in to an HP SSO-compliant application, you are authorized based on your HP SSO-compliant application role assignment. The role assignment is passed to iLO when SSO is attempted. For more information about each privilege, see “Managing iLO users by using the iLO web interface” (page 46).
   SSO attempts to receive only the privileges assigned in this section. iLO directory settings do not apply. Default privilege assignments are as follows:
   • User—Login only
   • Operator—Login, Remote Console, Power and Reset, and Virtual Media
   • Administrator—Login, Remote Console, Power and Reset, Virtual Media, Configure iLO, and Administer Users
5. Click Apply to save the SSO settings.
6. If you selected Trust by Certificate or Trust by Name, add the trusted certificate or DNS name to iLO.
   For information about adding certificates and DNS names, see “Adding trusted certificates” (page 86).
   The certificate repository can hold five typical certificates. However, if typical certificates are not issued, certificate sizes might vary. When all of the allocated storage is used, no more imports are accepted.
7. After you configure SSO in iLO, log in to an HP SSO-compliant application and browse to iLO. For example, log in to HP SIM, navigate to the System page for the iLO processor, and then click the iLO link in the More Information section.
   NOTE: Although a system might be registered as a trusted server, SSO might be refused because of the current trust mode or certificate status. For example, if an HP SIM server name is registered, and the trust mode is Trust by Certificate, but the certificate is not imported, SSO is not allowed from that server. Likewise, if an HP SIM server certificate is imported, but the certificate has expired, SSO is not allowed from that server. The list of trusted servers is not used when SSO is disabled. iLO does not enforce SSO server certificate revocation.
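
The trust modes in step 3 and the refusal cases in the NOTE above can be read as one decision procedure. The following Python model is an added illustration, not iLO firmware code or HP's implementation; the fingerprint comparison, field names and sample records are assumptions, and it has no revocation check because the guide states that iLO does not enforce one.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

MODES = ("Trust None", "Trust by Certificate", "Trust by Name", "Trust All")

@dataclass
class TrustRecord:
    name: str                              # DNS name, IP address, or certificate subject
    fingerprint: Optional[str] = None      # assumption: stands in for "matching a certificate"
    valid_from: Optional[datetime] = None
    valid_until: Optional[datetime] = None

def record_in_date(rec: TrustRecord, ilo_clock: Optional[datetime]) -> bool:
    """Name-only records carry no dates; certificate records need a set, in-range iLO clock."""
    if rec.fingerprint is None:
        return True
    return ilo_clock is not None and rec.valid_from <= ilo_clock <= rec.valid_until

def sso_decision(mode: str, licensed: bool, records: List[TrustRecord], peer_name: str,
                 peer_fingerprint: str, ilo_clock: Optional[datetime]) -> Tuple[bool, str]:
    if mode not in MODES:
        raise ValueError("unknown trust mode: " + mode)
    if not licensed:
        return False, "no valid license key installed"
    if mode == "Trust None":
        return False, "SSO disabled"
    if mode == "Trust All":
        return True, "any HP SSO-compliant application accepted"
    reason = "no usable record for " + mode
    for rec in records:
        if mode == "Trust by Certificate":   # name-only records never match in this mode
            hit = rec.fingerprint is not None and rec.fingerprint == peer_fingerprint
        else:                                 # Trust by Name: direct name or name from a certificate
            hit = rec.name.lower() == peer_name.lower()
        if hit and record_in_date(rec, ilo_clock):
            return True, "matched record " + rec.name
        if hit:
            reason = "certificate out of date or iLO clock not set"
    return False, reason

# Constructed sample records; host name and fingerprint are placeholders.
NOW = datetime(2015, 6, 1)
NAME_ONLY = TrustRecord("sim01.example.net")
IN_DATE = TrustRecord("sim01.example.net", "aa:bb", datetime(2015, 1, 1), datetime(2016, 1, 1))
EXPIRED = TrustRecord("sim01.example.net", "aa:bb", datetime(2013, 1, 1), datetime(2014, 1, 1))
```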

Viewing trusted certificates
The Manage Trusted Certificates table on the Single Sign-On Settings page displays the status of the trusted certificates configured to use SSO with the current iLO management processor.
• Status—The status of the certificate (if any are installed). The possible status values follow:
  ◦ —The record is valid.
  ◦ —There is a problem with the trust settings or the iLO license. Possible reasons follow:
    – This record contains a DNS name, and the trust mode is set to Trust by Certificate (only certificates are valid).
    – Trust None (SSO disabled) is selected.
    – A valid license key is not installed.
  ◦ —The record is not valid. Possible reasons follow:
    – An out-of-date certificate is stored in this record. Check the certificate details for more information.
    – The iLO clock is not set or is set incorrectly.
    – The iLO clock must be in the Valid from and Valid until range.
• Certificate—Indicates that the record contains a stored certificate. Move the cursor over the icon to view the certificate details, including subject, issuer, and dates.
• Description—The server name (or certificate subject).

Adding trusted certificates
iLO users who have the Configure iLO Settings privilege can install trusted certificates.
The Base64-encoded X.509 certificate data resembles the following:
-----BEGIN CERTIFICATE-----
...several lines of encoded data...
-----END CERTIFICATE-----
To add trusted HP SSO records by using the iLO web interface:
1. Navigate to the Administration→Security→HP SSO page.
2. Use one of the following methods to add a trusted certificate:
   • To directly import a trusted certificate, copy the Base64-encoded certificate X.509 data, paste it into the text box above the Import Certificate button, and then click the button.
   • To indirectly import a trusted certificate, type the DNS name or IP address in the text box above the Import Certificate from URL button, and then click the button. iLO contacts the HP SSO-compliant application over the network, retrieves the certificate, and then saves it.
   • To import a certificate by entering the direct DNS name, enter the DNS name in the text box above the Import Direct DNS Name button, and then click the button.
For information about how to extract an HP SIM certificate, see “Extracting the HP SIM server certificate” (page 86).
For information about how to extract certificates from other HP SSO-compliant applications, see your HP SSO-compliant application documentation.

Extracting the HP SIM server certificate
You can use the following methods to extract HP SIM certificates.
NOTE: iLO 4 1.20 or later might be required to install the larger certificates used with recent versions of HP SIM.
NOTE: HP SIM 7.3.2 or later supports 2048-bit certificates.
• Enter one of the following links in a web browser:
  ◦ For HP SIM versions earlier than 7.0:
    http://:280/GetCertificate
    https://:50000/GetCertificate
  ◦ For HP SIM 7.0 or later:
    http://:280/GetCertificate?certtype=sso
    https://:50000/GetCertificate?certtype=sso
  NOTE: All request parameters are case-sensitive. If you capitalize the lowercase certtype parameter, the parameter will not be read, and HP SIM will return the default HP SIM server certificate instead of a trusted certificate.
• Export the certificate from HP SIM:
  ◦ For HP SIM versions earlier than 7.0:
    Select Options→Security→Certificates→Server Certificate.
  ◦ For HP SIM 7.0 or later:
    Select Options→Security→HP Systems Insight Manager Server Certificate, and then click Export.
• Use the HP SIM command-line tools. For example, using the alias tomcat for the HP SIM certificate, enter mxcert -l tomcat.
For more information, see the HP SIM documentation.

Removing trusted certificates
1. Navigate to the Administration→Security→HP SSO page.
2. Select one or more records in the Manage Trusted Certificates table.
3. Click Delete.
   The following message appears:
   Are you sure you want to remove the selected certificates?
   IMPORTANT: If you delete the certificate of a remote management system, you might experience impaired functionality when using the remote management system with iLO.
4. Click Yes.

Configuring Remote Console security settings
Use the Remote Console security settings to control the Remote Console Computer Lock settings and the Integrated Remote Console Trust setting. You must have the Configure iLO Settings privilege to change these settings.

Configuring Remote Console Computer Lock settings
Remote Console Computer Lock enhances the security of an iLO-managed server by automatically locking an operating system or logging out a user when a Remote Console session ends or the network link to iLO is lost. This feature is standard and does not require an additional license. As a result, if you open a .NET IRC or Java IRC window and this feature is already configured, the operating system will be locked when you close the window, even if an iLO license is not installed.
The Remote Console Computer Lock feature is set to Disabled by default.
To change the Remote Console Computer Lock settings:
1. Navigate to the Administration→Security→Remote Console page.
2. Modify the Remote Console Computer Lock settings as required:
   • Windows—Use this option to configure iLO to lock a managed server running a Windows operating system. The server automatically displays the Computer Locked dialog box when a Remote Console session ends or the iLO network link is lost.
   • Custom—Use this option to configure iLO to use a custom key sequence to lock a managed server or log out a user on that server. You can select up to five keys from the list. The selected key sequence is sent automatically to the server operating system when a Remote Console session ends or the iLO network link is lost.
   • Disabled (default)—Use this option to disable the Remote Console Computer Lock feature. Terminating a Remote Console session or losing an iLO network link will not lock the operating system on the managed server.
   You can create a Remote Console Computer Lock key sequence by using the keys listed in Table 1 (page 88):

   Table 1 Remote Console Computer Lock keys
   ESC        SCRL LCK     1  g
   L_ALT      SYS RQ       2  h
   R_ALT      F1           3  i
   L_SHIFT    F2           4  j
   R_SHIFT    F3           5  k
   L_CTRL     F4           6  l
   R_CTRL     F5           7  m
   L_GUI      F6           8  n
   R_GUI      F7           9  o
   INS        F8           ;  p
   DEL        F9           =  q
   HOME       F10          [  r
   Table 1 Remote Console Computer Lock keys (continued)
   END        F11          \  s
   PG_UP      F12          ]  t
   PG_DN      " " (space)  '  u
   ENTER      '            a  v
   TAB        ,            b  w
   BREAK      -            c  x
   BACKSPACE  .            d  y
   NUM PLUS   /            e  z
   NUM MINUS  0            f

3. Click Apply to save the changes.

Configuring the Integrated Remote Console Trust setting (.NET IRC)
The .NET IRC is launched through Microsoft ClickOnce, which is part of the Microsoft .NET Framework. ClickOnce requires that any application installed from an SSL connection be from a trusted source. If a browser is not configured to trust an iLO processor, and the Integrated Remote Console Trust setting is set to Enabled, ClickOnce displays the following error message:
Cannot Start Application – Application download did not succeed...
To specify whether all clients that browse to this iLO require a trusted iLO certificate to run the .NET IRC:
1. Navigate to the Administration→Security→Remote Console page.
2. Select one of the following in the Integrated Remote Console Trust Setting section:
   • Enabled—The .NET IRC is installed and runs only if this iLO certificate and the issuer certificate have been imported and are trusted.
   • Disabled (default)—When you launch the .NET IRC, the browser installs the application from a non-SSL connection. SSL is still used after the .NET IRC starts to exchange encryption keys.
3. Click Apply.

Configuring the Login Security Banner
The Login Security Banner feature allows you to configure the security banner displayed on the iLO login page. For example, you could enter a message indicating that an iLO system uses FIPS Mode.
You must have the Configure iLO Settings privilege to make changes on the Login Security Banner page.
To enable the Login Security Banner:
1. Navigate to the Administration→Security→Login Security Banner page.
2. Select the Enable Login Security Banner check box.
   iLO uses the following default text for the Login Security Banner:
   This is a private system. It is to be used solely by authorized users and may be monitored for all lawful purposes. By accessing this system, you are consenting to such monitoring.
3. Optional: To customize the security message, enter a custom message in the Security Message text box.
   The byte counter above the text box indicates the remaining number of bytes allowed for the message. The maximum is 1,500 bytes.
   TIP: Click Use Default Message to restore the default text for the Login Security Banner.