HP Integrated Lights-Out Privileges, Login Security

138 User Guide Integrated Lights-Out

An alternative to local iLO user accounts is to integrate iLO user authentication into directory services. This configuration allows a virtually unlimited number of users, and easily scales to the number of Lights-Out devices in an enterprise. Additionally, the directory provides a central point of administration for Lights- Out devices and users, and the directory can enforce a stronger password policy. iLO enables you to use local users, directory users, or both.

Privileges

iLO allows the administrator to control user account access to iLO functions through the use of privileges. When a user attempts to use a function, the iLO system verifies that the user has the privilege before the user is allowed to perform the function.

Each feature available through iLO can be controlled through privileges, including Administer User Accounts, Remote Console Access, Virtual Power and Reset, Virtual Media, and Configure iLO Settings. Privileges for each user can be configured on the User Administration page of the Administration tab.

Login Security

iLO provides several login security features. After an initial failed login attempt, iLO imposes a delay of five seconds. After a second failed attempt, iLO imposes a delay of 10 seconds. After the third failed attempt, and any subsequent attempts, iLO imposes a delay of 60 seconds. All subsequent failed login attempts cycles through these values. An information page is displayed during each delay. This will continue until a valid login is completed. This feature assists in defending against possible dictionary attacks against the browser login port.

iLO saves a detailed log entry for failed login attempts, which imposes a delay of 60 seconds.

Contents

Page Page Contents Operational Overview Configuring iLO Using iLO 4 User Guide Integrated Lights-Out iLO Security Directory Services Certificate Services Directory-EnabledRemote Management Lights-OutDirectories Migration Utilities Insight Manager 7 Integration Systems Insight Manager Integration Group Administration and iLO Scripting Lights-OutDOS Utility Perl Scripting HPONCFG Online Configuration Utility Remote Insight Command Language Page 10 User Guide Integrated Lights-Out Page iLO Parameters Directory Services Schema Troubleshooting iLO Page Technical Support Acronyms and Abbreviations Index Operational Overview New in This Version Usage Model Network Connection Overview Supported Server Operating System Software Supported Browsers Linux Browser Configuration Configuring Linux Font Size Page Configuring iLO iLO Configuration Options iLO RBSU Administer User Accounts>Configure iLO Settings Administer User Accounts Configure iLO Settings Network Browser-BasedSetup Installing iLO Device Drivers 2.Select Software and Drivers Microsoft Windows NT, Windows 2000, and Windows Server 2003 Driver Support iLO Pre-requisiteFiles for Microsoft® Installing or Updating the iLO Drivers for Microsoft® Novell NetWare Server Driver Support iLO Pre-RequisiteFiles for NetWare Installing or Updating iLO Drivers for NetWare Red Hat Linux and SuSE Linux Server Driver Support iLO Pre-requisiteFiles for Red Hat and SuSE Linux Files Instaling or Updating iLO Linux and SuSE Drivers Enabling iLO Advanced Functionality iLO Advanced Evaluation License iLO Advanced License Options Activating iLO Advanced Features Using a Browser Administration Licensing OK ProLiant BL p-ClassConfiguration Static IP Bay Configuration ProLiant BL p-ClassUser Requirements Configuring a ProLiant BL p-ClassBlade Enclosure Enable Static IP Settings Apply Configuring Static IP Bay Settings Page ProLiant BL p-ClassStandard Configuration Parameters Beginning IP Address (Bay Ending IP Address (Bay 16) Subnet Enable iLO IP Address Assignment RIBCL RACK_INFO Commands RIBCL RACK_INFO Command Examples Getting Static IP Bay Configuration Settings Modifying Static IP Bay Configuration Settings Modify Network Settings to Enable Static IP Bay Configuration Integration with RILOE II Accessory Boards Using iLO Logging in to iLO for the First Time Logging in to iLO for the First Time Using a Browser View Certificate 42 User Guide Integrated Lights-Out Install Certificate Next Next Finish Log In Progressive Delays for Failed Browser Login Attempts Help System Status Server Status iLO Event Log Clear Event Log Integrated Management Log Server and iLO Diagnostics POST Diagnostic Results for the Host Server 50 User Guide Integrated Lights-Out NVRAM Environment Variables Listing Virtual NMI Button iLO Self-TestResults Remote Console Remote Console Information Option Enhanced Features of the Remote Console Refresh Terminal Svcs Ctrl-Alt-Del •Remote Console •Mouse Properties Remote Console Linux Settings Character Set Lat1–16 Microsoft® Windows NT® 4.0 and Windows® 2000 Settings •Server Display Properties •Server Mouse Properties −Deselect Enable Pointer Shadow Motion Remote Console Hot Keys Remote Console Hot Keys Save Hot Keys Supported Hot Keys Single- and Dual-CursorModes for Graphical Remote Console Remote Console (Single-Cursor) Remote Console (Dual-Cursor) Ctrl Virtual Devices Virtual Power Virtual Power Momentary Press Momentary Press Virtual Power Press and Hold Cold Boot of Cold Boot of system 64 User Guide Integrated Lights-Out Operating System USB Support 66 User Guide Integrated Lights-Out Using iLO Virtual Media Devices Virtual Media iLO Virtual Floppy 1.Select Local Floppy Drive 68 User Guide Integrated Lights-Out 3.Click Connect Local Image File Browse Page Connect 1.Click Create Disk Image Create iLO Virtual CD-ROM 1.Select Local CD-ROMDrive Page Page Page Page Virtual Media Composite Device Support Configure Single Device Composite Device Page 4.Select Local CD-ROMDrive 6.Click Connect iLO Virtual Media Privilege Virtual Media Applet Timeout Virtual Media Scripting 80 User Guide Integrated Lights-Out Scripting Web Server Requirements Virtual Media Image Files CGI Helper Application Virtual Indicators Virtual Serial Port Windows® EMS Console Security Information Virtual Serial Port and Linux Administration Adding a New User Administration 88 User Guide Integrated Lights-Out Add Save User Information Restore User Information Viewing or Modifying an Existing User's Settings Global Settings 2.Click Global Settings 90 User Guide Integrated Lights-Out Network Settings 92 User Guide Integrated Lights-Out 2.Click Network Settings Apply iLO Diagnostic Port Configuration Parameters Recovering from a Failed iLO Firmware Update SNMP/Insight Manager Settings 96 User Guide Integrated Lights-Out Enabling SNMP Alerts 2.Select SNMP/Insight Manager Settings in the Administration tab 5.Click Apply Settings Generating Test Alerts Apply Settings 98 User Guide Integrated Lights-Out Upgrade iLO Firmware Upgrade iLO Firmware 4.Click Send firmware image 100 User Guide Integrated Lights-Out Licensing Certificate Administration ProLiant BL p-ClassAdvanced Management 102 User Guide Integrated Lights-Out Rack Settings Server Blade Management Module Power Management Module Redundant Power Management Module iLO Control of ProLiant BL p-ClassServer LEDs Hot-PlugKeyboard Hot-PlugKeyboard Recommended Usage Hot-PlugKeyboard Troubleshooting Page Terminal Services Pass-ThroughOption My Computer>Properties>Remote>Remote Desktop Start>Programs>Accessories>Communications>Remote Desktop Windows® RDP Pass-ThroughService Terminal Services Pass-ThroughInstallation Remote Windows® 2000 Terminal Services Port Change File>Export New Connection Enabling the Terminal Services Pass-ThroughOption Terminal Services Pass-ThroughStatus Terminal Services Warning Message Terminal Services Button Display Remote Console and Terminal Services Clients Terminal Services Troubleshooting Computer>Properties>Remote>Remote Desktop My Computer>Properties>Hardware>Device Manager>Multifunction Adapters Control Panel>Administrative Tools>Services HP ProLiant Essentials Rapid Deployment Pack Integration Telnet Support Using Telnet Enabled No Ctrl+] Telnet Simple Command Set Supported Key Sequences iLO VT100+ Key Map 120 User Guide Integrated Lights-Out Page 122 User Guide Integrated Lights-Out VT100+ Codes for the F-Keys Linux Codes for the F-Keys Secure Shell 124 User Guide Integrated Lights-Out Using OpenSSH Using PuTTY iLO Supported SSH Features iLO Shared Network Port iLO Shared Management Port Features and Restrictions Enabling the iLO Shared Network Port Feature Enabling the iLO Shared Network Port Feature through iLO RBSU Network>NIC>TCP/IP F10 File>Exit Enabling the iLO Shared Network Port Feature through the Web Interface 3.Select Administration>Network Settings Shared Network Port Re-enablingthe Dedicated iLO Management Port Command Line Interface CLI Commands •Power •UID •NMI •Remcons •Vsp •Vm •Exit Page iLO Security Security Features General Security Guidelines Encryption iLO Security Override Switch Administration User Accounts Privileges Login Security Password Guidelines Certificates Securing RBSU Page Directory Services Benefits of Directory Integration Features Supported by Directory Integration Installing Directory Services Schema Documentation Directory Services Support eDirectory Installation Prerequisites Schema Required Software Schema Installer Schema Preview 150 User Guide Integrated Lights-Out Setup Page Management Snap-InInstaller Directory Services for Active Directory Directory Services Preparation for Active Directory c.Right-click Active Directory Schema and select Operations Master d.Select The Schema may be modified on this Domain Controller b.Click Computer Configuration>Windows Settings>Security Settings>Public Key Policies Snap-InInstallation and Initialization for Active Directory Page NewHPObject Device New Object Role remoteAdmins Properties Page Apply 162 User Guide Integrated Lights-Out Directory Services Objects Active Directory Snap-Ins HP Devices Add Remove Members Active Directory Role Restrictions Page Time Restrictions Effective Hours Enforced Client IP Address or DNS Name Access Grant Deny Remove Active Directory Lights-OutManagement Directory Services for eDirectory hpqTarget New hpqTarget Select Object Subtype Lights Out Management Device hpqRole New hpqRole Lights Out Management Devices Select Objects OK Select Object Lights Out Management Device Rights HP Management Managed Devices Role Managed Devices 176 User Guide Integrated Lights-Out Directory Services Objects for eDirectory Role Managed Devices Delete Role Restrictions eDirectory Role Restrictions Page Allow Delete Lights-OutManagement Lights Out Management Device Rights subtab of the HP Management tab Page Configuring Directory Settings Test Settings Directory Tests User Login Using Directory Services 188 User Guide Integrated Lights-Out Certificate Services Introduction to Certificate Services Installing Certificate Services Verifying Directory Services Configuring Automatic Certificate Request Domain Controller Page Directory-EnabledRemote Management Introduction to Directory-EnabledRemote Management Using Bulk Import Tools Using Existing Groups Using Multiple Roles Page Creating Roles to Follow Organizational Structure Restricting Roles IP Address Range Restrictions IP Address and Subnet Mask Restrictions DNS-BasedRestrictions How Directory Login Restrictions are Enforced How User Time Restrictions are Enforced User Address Restrictions Creating Multiple Restrictions and Roles Page Page Lights-OutDirectories Migration Utilities Introduction to Lights-OutMigration Utilities Compatibility Pre-MigrationChecklist HP Lights-OutDirectory Package HPQLOMIG Operation Next, Back 210 User Guide Integrated Lights-Out Find Upgrading Firmware on Management Processors Browse Upgrade Firmware Naming Management Processors 1.Select either Use Network Address or Create Name Using Index Generate Names Clear All Names Configuring Directories Address— Port— Password— Container DN— Setting Up Management Processors for Directories enabled or disabled 3.Click Configure Done HPQLOMGC Operation 218 User Guide Integrated Lights-Out 1.The firmware version is validated and updated if necessary 2.The management processor directory settings are updated 3.The directory is updated Launching HPQLOMGC Using Application Launch Tasks New Control Task Application Launch <network address HPQLOMGC Command Language ILO_CONFIG Page Insight Manager 7 Integration Integrating iLO with Insight Manager Functional Overview Identification and Association Status Queries Links Configuring Identification of iLO Receiving SNMP Alerts in Insight Manager Port Matching Reviewing iLO Advanced License Information in Insight Manager Page ProLiant BL p-ClassRack Visualization Page Systems Insight Manager Integration Integrating iLO with Systems Insight Manager Systems Insight Manager Functional Overview System Insight Manager Identification and Association Configuring System Insight Manager Identification of iLO Receiving SNMP Alerts in Systems Insight Manager System Insight Manager Port Matching Reviewing iLO Advanced Pack License Information in Systems Insight Manager System Insight Manager ProLiant BL p-ClassRack Visualization Page Group Administration and iLO Scripting Lights-OutConfiguration Utility Group Administration Using the Lights-OutConfiguration Utility Using the Lights-OutConfiguration Utility with Insight Manager Query Definition in Insight Manager Queries Device Create Category 244 User Guide Integrated Lights-Out Overview Application Launch Using Insight Manager Lights-OutConfiguration Utility for Systems Insight Manager Create a Customized List Customize New List Search for Name, Description Comments Create A Task All systems in the list Batch Processing Using the Lights-Out Configuration Utility Lights-OutConfiguration Utility Parameters 248 User Guide Integrated Lights-Out Lights-OutDOS Utility Overview of the Lights-OutDOS Utility CPQLODOS Recommended Usage CPQLODOS General Guidelines Command Line Arguments Lights-OutDOS Utility RIBCL XML Commands for CPQLODOS ADD_USER ADD_USER Parameters ADD_USER Runtime Errors SET_LICENSE SET_LICENSE Parameter SET_LICENSE Runtime Errors Perl Scripting Using Perl with the XML Scripting Interface XML Enhancements 256 User Guide Integrated Lights-Out print $client '<LOCFG version="2.21">' . "\r\n"; <LOCFG version="2.21"/> <RIBCL version="2.0 </LOCFG Opening an SSL Connection Sending the XML Header and Script Body Page Page HPONCFG Online Configuration Utility HPONCFG HPONCFG Supported Operating Systems HPONCFG Requirements HPONCFG Installation and Usage Windows Server Installation Linux Server Installation HPONCFG Command Line Parameters HPONCFG Usage Model 266 User Guide Integrated Lights-Out Creating a User Account Page Page Remote Insight Command Language Overview of the Remote Insight Board Command Language RIBCL and ProLiant BL p-ClassServers RIBCL Sample Scripts RIBCL General Guidelines XML Header Data Types Response Definitions RIBCL LOGIN USER_INFO ADD_USER Page ADD_USER Runtime Errors DELETE_USER GET_USER MOD_USER 282 User Guide Integrated Lights-Out MOD_USER Parameters MOD_USER Runtime Errors GET_ALL_USERS GET_ALL_USER_INFO RIB_INFO RESET_RIB GET_NETWORK_SETTINGS MOD_NETWORK_SETTINGS 290 User Guide Integrated Lights-Out MOD_NETWORK_SETTINGS Parameters Page GET_GLOBAL_SETTINGS MOD_GLOBAL_SETTINGS MOD_GLOBAL_SETTINGS Parameters Page Page GET_SNMP_IM_SETTINGS MOD_SNMP_IM_SETTINGS MOD_SNMP_IM_SETTINGS Runtime Errors CLEAR_EVENTLOG UPDATE_RIB_FIRMWARE GET_FW_VERSION HOTKEY_CONFIG LICENSE LICENSE Parameters LICENSE Runtime Errors DIR_INFO GET_DIR_CONFIG 308 User Guide Integrated Lights-Out GET_DIR_CONFIG Parameters GET_DIR_CONFIG Runtime Errors GET_DIR_CONFIG Return Messages MOD_DIR_CONFIG RACK_INFO MOD_BLADE_RACK 312 User Guide Integrated Lights-Out MOD_BLADE_RACK Parameters GET_DIAGPORT_SETTINGS MOD_DIAGPORT_SETTINGS GET_TOPOLOGY SERVER_INFO GET_HOST_POWER_STATUS SET_HOST_POWER RESET_SERVER PRESS_PWR_BTN HOLD_PWR_BTN COLD_BOOT_SERVER WARM_BOOT_SERVER GET_UID_STATUS UID_CONTROL INSERT_VIRTUAL_MEDIA 326 User Guide Integrated Lights-Out INSERT_VIRTUAL_FLOPPY Runtime Errors EJECT_VIRTUAL_MEDIA GET_VM_STATUS SET_VM_STATUS SET_VM_STATUS Runtime Errors iLO Parameters iLO Parameters Table 332 User Guide Integrated Lights-Out iLO Parameters 334 User Guide Integrated Lights-Out Page iLO Status Server Status Parameters User Administration Parameters Password Administer User Accounts Remote Console Access Virtual Power and Reset Configure iLO Settings 340 User Guide Integrated Lights-Out Idle Connection Timeout (Minutes) Enable Lights-OutFunctionality Enable iLO RBSU Require Login for iLO RBSU Require Login for iLO RBSU Show iLO During POST Remote Console Port Configuration Remote Console Data Encryption SSL Encryption Strength Web Server Non-SSLPort Web Server SSL Port Virtual Media Port Remote Console Port Terminal Services Port Secure Shell (SSH) Status Serial Command Line Interface Status Serial Command Line Interface Speed (bits/second) Minimum Password Length Remote Keyboard Model 344 User Guide Integrated Lights-Out Enable NIC Shared Network Port Transceiver Speed Autoselect Speed Registering with WINS Server Registering with DNS Server Ping Gateway on Startup iLO IP Address iLO Subnet Mask iLO Gateway IP Address iLO Subsystem Name Domain Name DHCP Server Primary, Secondary, and Tertiary DNS Server SNMP/Insight Manager Settings Parameters SNMP Alert Destinations Enable iLO SNMP Alerts Forward Insight Manager Agent SNMP Alerts Enable SNMP Pass-Through Insight Manager Web Agent URL Level of Data Returned iLO Advanced License Activation Settings iLO Advanced Pack License Key ProLiant BL p-ClassParameters Rack Name Enclosure Name Bay Name Bay Rack Serial Number 350 User Guide Integrated Lights-Out Blade Serial Number Power Source Rack Provides Power Facility Provides Enable Directory Authentication Enable Local User Accounts Directory Server Address Directory Server LDAP Port LOM Object Distinguished Name Directory User Context 1, Directory User Context 2, Directory User Context Testing Directory Settings 2.Click Test Settings 5.Click Start Test Directory Services Schema HP Management Core LDAP OID Classes and Attributes 354 User Guide Integrated Lights-Out Core Class Definitions hpqTarget hpqRole Directory Services Schema hpqPolicy Core Attribute Definitions hpqPolicyDN hpqRoleMembership 356 User Guide Integrated Lights-Out hpqTargetMembership hpqRoleIPRestrictionDefault hpqRoleIPRestrictions hpqRoleTimeRestriction Lights-OutManagement Specific LDAP OID Classes and Attributes Lights-OutManagement Class Definitions hpqLOMv100 Lights-OutManagement Attribute Definitions 360 User Guide Integrated Lights-Out hpqLOMRightLogin hpqLOMRightRemoteConsole hpqLOMRightVirtualMedia hpqLOMRightServerReset hpqLOMRightLocalUserAdmin hpqLOMRightConfigureSettings Page Troubleshooting iLO Minimum Requirements iLO POST LED Indicators Troubleshooting iLO Event Log Entries Page 368 User Guide Integrated Lights-Out Page MS-DOS®Error Codes Hardware and Software Link-RelatedIssues Login Issues Login Name and Password Not Accepted Directory User Premature Logout iLO Management Port Not Accessible by Name Network Settings iLO RBSU Unavailable after iLO and Server Reset Inability to Access the Login Page Inability to Access iLO Using Telnet Inability to Access Virtual Media or Graphical Remote Console Inability to Connect to iLO after Changing Network Settings Inability to Connect to the iLO Diagnostic Port Inability to Connect to the iLO Processor through the NIC 376 User Guide Integrated Lights-Out Inability to Log into iLO after Installing the iLO Certificate Firewall Issues Troubleshooting Alert and Trap Problems iLO Security Override Switch Authentication Code Error Message Troubleshooting Mouse Problems 380 User Guide Integrated Lights-Out Mouse Issue Using SuSE Linux Remote Console Mouse Control Issue Troubleshooting Remote Console Problems Page Remote Console No Longer Opens on the Existing Browser Session Remote Console Text Window not Updating Properly Troubleshooting SSH and Telnet Problems Troubleshooting Terminal Services Problems Troubleshooting Video and Monitor Problems Troubleshooting Virtual Media Problems Troubleshooting Miscellaneous Problems Cookie Sharing Between Browser Instances and iLO Shared Instances File>New>Window Ctrl+N Cookie Order Behavior Page Displaying the Current Session Cookie View Refresh Preventing Cookie-RelatedUser Issues Log Out Incorrect Time or Date of the Entries in the Event Log Inability to Upgrade iLO Firmware iLO Network Flash Recovery Diagnostic Steps Flash Recovery Process ROMPaq iLO Management Esc iLO Does Not Respond to SSL Requests Testing SSL Computer Account Personal>Certificates Request New Certificate Resetting iLO Reset Server Name Still Present after ERASE Utility is Executed Troubleshooting a Remote Host Technical Support HP Contact Information Before You Contact HP Page Acronyms and Abbreviations DAV DDNS DHCP DLL DNS FSMO GUI HPONCFG HPQLOMGC HPQLOMIG JVM LAN LDAP LED LOM MTU NIC NMI NVRAM PERL RDP RIB RIBCL RSA RSM SSL TCP UART UID USB Page Index 408 User Guide Integrated Lights-Out Index 410 User Guide Integrated Lights-Out