Two-factor authentication

RILOE II is a powerful tool for managing HP ProLiant servers. To prevent misuse of this tool, access to RILOE II requires reliable user authentication. This firmware release provides a stronger authentication scheme for RILOE II using two factors of authentication: a password or PIN and a private key for a digital certificate. Users are asked to verify their identities by providing both factors. Users can store their digital certificates and private keys wherever they choose, for example, on a smart card, USB token, or hard disk.

Setting up two-factor authentication for the first time

When setting up two-factor authentication for the first time, you can use either local user accounts or directory user accounts. For more information on two-factor authentication settings, see the "Two-Factor Authentication Settings (on page 33)" section.

Setting up local user accounts:

1. Obtain the public certificate from the CA that issues user certificates or smart cards in your organization.

2. Export the certificate in Base64 encoded format to a file on your desktop, for example, CAcert.txt.

3. Obtain the public certificate of the user who needs access to RILOE II.

4. Export the certificate in Base64 encoded format to a file on your desktop, for example, Usercert.txt.

5. Open the file CAcert.txt in Notepad, select all of the text, and copy by pressing the Ctrl+C keys.

6. Log in to RILOE II and browse to the Two-Factor Authentication Settings page.

7. Click Import Trusted CA Certificate. Another page appears.

8. Click the white text area so that your cursor is in the text area, and paste the contents of the clipboard by pressing the Ctrl+V keys.

9. Click Import Root CA Certificate. The Two-Factor Authentication Settings page appears again with information displayed under Trusted CA Certificate Information.

10. From your desktop, open the file for the user certificate in Notepad, select all the text, and copy the text to the clipboard by pressing the Ctrl+C keys.

11. Browse to the User Administration page on RILOE II, and select the user for which you have obtained a public certificate or create a new user.

12. Click View/Modify.

13. Click Add a certificate.

14. Click the white text area so that your cursor is in the text area, and paste the contents of the clipboard by pressing the Ctrl+V keys.

15. Click Add user Certificate. The Modify User page appears again with a 40-digit number in the Thumbprint field. You can compare the number to the thumbprint displayed for the certificate by using Microsoft® Certificate Viewer.

16. Browse to the Two-Factor Authentication Settings page.

17. Change Enforce Two-Factor Authentication to Yes.

18. Change Check for Certificate Revocation to No (default).

19. Click Apply. RILOE II is reset. When RILOE II attempts to go to the login page again, the browser displays the Client Authentication page with a list of certificates that are available to the system.

If the user certificate is not registered on the client machine, you will not see it in the list. The user certificate must be registered on the client system before you can use it. If there are no client certificates on the client system, you may not see the Client Authentication page and instead see a Page cannot be displayed error. To resolve the error, the client certificate must be registered on the client machine. For more information on exporting and registering client certificates, see the documentation for your smart card or certificate authority.
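The thumbprint comparison in step 15 can also be done from the exported file itself. The following is an added example, not part of the original guide or of HP's software. It assumes the 40-digit value is the SHA-1 digest of the DER-encoded certificate, which is what Microsoft Certificate Viewer displays; the function names and the sample data are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def thumbprint_from_export(text):
    """Return the 40-hex-digit SHA-1 thumbprint of one Base64-exported certificate."""
    blocks = PEM_BLOCK.findall(text)
    if len(blocks) > 1:
        raise ValueError("file holds more than one certificate; check one at a time")
    body = blocks[0] if blocks else text  # tolerate an export without header lines
    # Notepad may add CRLF line ends or a BOM; strip both before decoding.
    b64 = re.sub(r"[\s\ufeff]+", "", body)
    if not b64:
        raise ValueError("no certificate data found")
    der = base64.b64decode(b64, validate=True)  # rejects stray non-Base64 characters
    return hashlib.sha1(der).hexdigest().upper()

def normalize_thumbprint(shown):
    """Reduce a displayed thumbprint to bare upper-case hex."""
    # Keeps hex digits only: drops spaces, colons and the invisible U+200E mark
    # that can come along when copying from a certificate dialog.
    digits = re.sub(r"[^0-9A-Fa-f]", "", shown).upper()
    if len(digits) != 40:
        raise ValueError("expected 40 hex digits, got %d" % len(digits))
    return digits

def thumbprints_match(export_text, shown):
    """True if the exported file hashes to the thumbprint shown on screen."""
    return thumbprint_from_export(export_text) == normalize_thumbprint(shown)

# Constructed stand-in for Usercert.txt: the body is the Base64 of b"abc",
# not a real certificate, so the expected digest is the known SHA-1("abc").
SAMPLE_EXPORT = "-----BEGIN CERTIFICATE-----\r\nYWJj\r\n-----END CERTIFICATE-----\r\n"
# Constructed stand-in for a thumbprint copied from a viewer (leading U+200E).
SAMPLE_SHOWN = "\u200ea9 99 3e 36 47 06 81 6a ba 3e 25 71 78 50 c2 6c 9c d0 d8 9d"

if __name__ == "__main__":
    print(thumbprint_from_export(SAMPLE_EXPORT))
    print(thumbprints_match(SAMPLE_EXPORT, SAMPLE_SHOWN))
```

A mismatch means the certificate mapped to the user account is not the one in the exported file, and the mapping should be removed and re-added before two-factor authentication is enforced.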
