Home » HP Manuals » Desktops » HP Xw460c » Manual Viewer

HP Xw460c HP Integrated Lights-Out 2 User Guide for Firmware 1.75 and 1.77 - Page 168

How directory login restrictions are enforced, Restricting roles, Role time restrictions

Add to My Manuals
Save this manual to your list of manuals

Page 168 highlights

How directory login restrictions are enforced Two sets of restrictions potentially limit a directory user's access to LOM devices. User access restrictions limit a user's access to authenticate to the directory. Role access restrictions limit an authenticated user's ability to receive LOM privileges based on rights specified in one or more Roles. Restricting roles Restrictions allow administrators to limit the scope of a role. A role only grants rights to those users that satisfy the role's restrictions. Using restricted roles results in users with dynamic rights that can change based on the time of day or network address of the client. IMPORTANT: When directories are enabled, access to a particular iLO 2 is based on whether the user has read access to a Role object that contains the corresponding iLO 2 object. This includes but is not limited to the members listed in the role object. If the Role is set up to allow inheritable permissions to propagate from a parent, then members of the parent which have read access privileges will also have access to iLO 2. To view the access control list, navigate to Users and Computers, open the properties screen for the Role object and select the Security tab. For step-by-step instructions on how to create network and time restrictions on a role, refer to "Active Directory Role Restrictions (on page 154)" or "eDirectory Role Restrictions (on page 162)" sections. Role time restrictions Administrators can place time restrictions on LOM roles. Users are granted the rights specified for the LOM devices listed in the role, only if they are members of the role and meet the time restrictions for that role. LOM devices use local host time to enforce time restrictions. If the LOM device clock is not set, the role time restriction fails unless no time restrictions are specified on the role. Role-based time restrictions can only be satisfied if the time is set on the LOM device. The time is normally set when the host is booted, and it is maintained by running the agents in the host operating system, which allows the LOM device to compensate for leap year and minimize clock drift with respect to the Directory-enabled remote management 168

Section	Page
HP Integrated Lights-Out 2 User Guide	1
Notice	2
Contents	3
Operational overview	9
Guide overview	9
New in this release of iLO 2	9
iLO 2 overview	10
Differences between iLO 2 and iLO	10
HP Insight Essentials Rapid Deployment Pack integration	11
Server management through IPMI version 2.0 compliant applications	11
WS-Management compatibility overview	12
iLO 2 browser interface overview	13
Supported browsers and client operating systems	13
Supported server operating system software	14
iLO 2 setup	16
Quick setup	16
Preparing to setup iLO 2	16
Connecting to the network	18
Configuring the IP address	18
Logging in to iLO 2 for the first time	19
Setting up user accounts	19
Setting up iLO 2 using iLO 2 RBSU	20
Setting up iLO 2 using the browser-based option	20
Activating iLO 2 licensed features using a browser	20
Installing iLO 2 device drivers	21
Microsoft device driver support	21
Linux device driver support	22
Novell NetWare device driver support	22
Configuring iLO 2	24
iLO 2 configuration overview	24
Upgrading iLO 2 firmware	24
Upgrading iLO 2 using a browser	25
Updating the firmware using the maintenance CD	26
Recovering from a failed iLO 2 firmware update	26
Downgrading the iLO 2 firmware	26
Licensing	26
User administration	28
Adding a new user	29
Viewing or modifying an existing user's settings	31
Deleting a user	31
Group administration	32
Configuring iLO 2 access	33
Services options	33
Terminal Services Passthrough option	35
Enabling the Terminal Services Passthrough option	37
Remote Console and Terminal Services clients	37
Terminal Services troubleshooting	38
Access options	39
iLO 2 Remote Console and Remote Serial Console access	41
Security	41
General security guidelines	42
Password guidelines	42
Securing RBSU	42
iLO 2 Security Override Switch administration	43
Trusted Platform Module support	43
User accounts and access	44
Privileges	44
Login security	44
SSH key administration	45
SSL certificate administration	45
Two-factor authentication	46
Setting up two-factor authentication for the first time	47
Setting up a user for two-factor authentication	49
Two-factor authentication login	49
Using two-factor authentication with directory authenticatio	50
Directory settings	51
Configuring directory settings	52
Directory tests	54
Encryption	54
Encryption settings	55
Connecting to the iLO 2 using AES/3DES encryption	55
HP SIM single sign-on (SSO)	56
Setting up iLO 2 for HP SIM SSO	56
Adding HP SIM trusted servers	57
Setting up HP SIM SSO	58
Remote Console Computer Lock	59
Network	60
Network Settings	61
iLO 2 subsystem name limitations	62
iLO 2 Shared Network Port	62
DHCP/DNS Settings	65
SNMP/Insight Manager settings	66
Enabling SNMP alerts	66
SNMP generated trap definitions	67
Configuring Insight Manager integration	68
ProLiant BL pClass configuration	69
ProLiant BL pClass user requirements	69
Static IP bay configuration	69
Configuring a ProLiant BL pClass blade enclosure	70
Configuring static IP bay settings	70
ProLiant BL pClass standard configuration parameters	71
ProLiant BL pClass advanced configuration parameters	71
Enabling iLO 2 IP address assignment	72
HP BladeSystem setup	72
iLO 2 configuration screen	73
Verify Server RAID Configuration screen	73
Connect Virtual Media screen	74
Install Software screen	74
iLO 2 diagnostic port configuration parameters	74
Using iLO 2	76
System status and status summary information	76
System Information Summary	78
Fans	78
Temperatures	79
Power	79
Processors	80
Memory	80
NIC	80
iLO 2 Log	80
IML	80
Diagnostics	81
Insight Agents	82
iLO 2 Remote Console	83
Remote Console overview and licensing options	84
Remote Console settings	84
Remote console hot keys	86
Supported hot keys	86
Hot keys and international keyboards	88
Hot keys and Virtual Serial Port	88
Integrated Remote Console Fullscreen	88
Integrated Remote Console option	88
Optimizing mouse performance for Remote Console or Integrated Remote Console	91
High Performance Mouse settings	91
Shared Remote Console	93
Using Console Capture	93
Using HP iLO Video Player	94
iLO Video Player user interface	94
iLO Video Player controls	95
Acquiring the Remote Console	96
Remote Console	96
Remote Console features and controls	97
Recommended client settings	98
Recommended server settings	98
Text-based remote console overview	98
Text-based console during POST	99
Text-based console after POST	99
Virtual serial port and remote serial console	102
Virtual media	107
Using iLO 2 Virtual Media devices	108
Virtual Media and Windows 7	108
iLO 2 Virtual Floppy/USBKey	108
iLO 2 Virtual CD/DVD-ROM	112
Creating iLO 2 disk image files	114
Virtual folder	115
Virtual folder operating system notes	115
Power management	116
Server power settings	117
Server power data	119
Processor states	120
Power efficiency	121
Graceful shutdown	122
ProLiant BL pClass Advanced management	122
Rack View	123
Blade configuration and information	124
Enclosure information	125
Power enclosure information	126
Network component information	126
iLO 2 control of ProLiant BL pClass server LEDs	127
Server POST tracking	127
Insufficient power notification	127
ProLiant BL pClass alert forwarding	127
ProLiant BladeSystem HP Onboard Administrator	127
iLO 2 BL c-Class tab	128
Enclosure bay IP addressing	128
Dynamic power capping for server blades	130
iLO 2 Virtual Fan	131
iLO option	131
Web Administration	132
BL pClass and BL c-Class features	132
Directory services	134
Overview of directory integration	134
Benefits of directory integration	134
Advantages and disadvantages of schema-free directories and HP schema directory	135
Schema-free directory integration	136
HP schema directory integration	136
Setup for Schema-free directory integration	138
Active Directory preparation	138
Introduction to certificate services	138
Installing certificate services	138
Verifying certificate services	139
Configuring Automatic Certificate Request	139
Schema-free browser-based setup	139
Schema-free scripted setup	140
Schema-free HPLOMIG-based setup	140
Schema-free setup options	140
Schema-free nested groups	141
Setting up HP schema directory integration	142
Features supported by HP schema directory integration	142
Setting up directory services	142
Schema documentation	143
Directory services support	143
Schema required software	144
Schema installer	144
Schema Preview	145
Setup	145
Results	146
Management snap-in installer	147
Directory services for Active Directory	147
Active Directory installation prerequisites	147
Installing Active Directory on Windows Server 2008	148
Directory services preparation for Active Directory	148
Snap-in installation and initialization for Active Directory	149
Example: Creating and configuring directory objects for use with iLO 2 in Active Directory	150
Directory services objects	152
Active Directory Lights-Out management	156
Directory services for eDirectory	157
eDirectory installation prerequisites	157
Snap-in installation and initialization for eDirectory	157
Example: Creating and configuring directory objects for use with LOM devices in eDirectory	157
Directory Services objects for eDirectory	161
eDirectory Role Restrictions	162
eDirectory Lights-Out Management	164
User login using directory services	165
Directory-enabled remote management	166
Introduction to directory-enabled remote management	166
Creating roles to follow organizational structure	166
Using existing groups	166
Using multiple roles	167
How directory login restrictions are enforced	168
Restricting roles	168
Role time restrictions	168
Role address restrictions	169
User restrictions	169
User address restrictions	169
How user time restrictions are enforced	170
Creating multiple restrictions and roles	170
Using bulk import tools	171
HPQLOMIG directory migration utility	173
Introduction to HPQLOMIG utility	173
Compatibility	173
HP Lights-Out directory package	173
Using HPQLOMIG	174
Finding management processors	174
Upgrading firmware on management processors	176
Selecting a directory access method	177
Naming management processors	178
Configuring directories when HP Extended schema is selected	179
Configuring directories when schema-free integration is selected	180
Setting up management processors for directories	181
HP Systems Insight Manager integration	183
Integrating iLO 2 with HP SIM	183
HP SIM functional overview	183
Establishing SSO with HP SIM	184
HP SIM identification and association	184
HP SIM status	184
HP SIM links	185
HP SIM systems lists	185
Receiving SNMP alerts in HP SIM	186
HP SIM port matching	186
Reviewing Advanced Pack license information in HP SIM	187
Troubleshooting iLO 2	188
iLO 2 POST LED indicators	188
Event log entries	189
Hardware and software link-related issues	192
JVM support	193
Login issues	193
Login name and password not accepted	193
Directory user premature logout	194
iLO 2 Management Port not accessible by name	194
iLO 2 RBSU unavailable after iLO 2 and server reset	194
Inability to access the login page	195
Inability to access iLO 2 using telnet	195
Inability to access virtual media or graphical remote console	195
Inability to connect to iLO 2 after changing network settings	195
Inability to connect to the iLO 2 Diagnostic Port	195
Inability to connect to the iLO 2 processor through the NIC	196
Inability to log in to iLO 2 after installing the iLO 2 certificate	196
Firewall issues	196
Proxy server issues	196
Two-factor authentication error	197
Troubleshooting alert and trap problems	197
Inability to receive HP SIM alarms (SNMP traps) from iLO 2	198
iLO 2 Security Override switch	198
Authentication code error message	198
Troubleshooting directory problems	198
Domain/name format login issues	199
ActiveX controls are enabled and I see a prompt but the domain/name login format does not work	199
User contexts do not appear to work	199
Directory user does not logout after the directory timeout has expires	199
Troubleshooting Remote Console problems	199
Remote Console applet has a red X when running Linux client browser	200
Inability to navigate the single cursor of the Remote Consol to corners of the Remote Console window	200
Remote Console no longer opens on the existing browser session	200
Remote console text window not updating properly	200
Remote Console turns gray or black	201
Remote Serial Console troubleshooting	201
Troubleshooting Integrated Remote Console problems	201
Internet Explorer 7 and a flickering remote console screen	201
Configuring Apache to accept exported capture buffers	202
No console replay while server is powered down	203
Skipping information during boot and fault buffer playback	203
Out of Memory error starting Integrated Remote Console	203
Session leader does not receive connection request when IRC is in replay mode	203
Keyboard LED does not display correctly	203
Inactive IRC	204
IRC Failed to connect to server error message	204
IRC toolbar icons do not update	204
GNOME interface does not lock	205
Repeating keys on the Remote Console	205
Remote Console playback does not work when the host server is powered down	205
Troubleshooting SSH and Telnet problems	205
Initial PuTTY input slow	205
PuTTY client unresponsive with Shared Network Port	205
SSH text support from a Remote Console session	206
Troubleshooting terminal services problems	206
Terminal Services button is not working	206
Terminal Services proxy stops responding	206
Troubleshooting video and monitor problems	206
General guidelines	206
Telnet displays incorrectly in DOS®	206
Video applications not displaying in the Remote Console	207
User interface is not displaying correctly	207
Troubleshooting Virtual Media problems	207
Virtual Media applet has a red X and will not display	207
Virtual Floppy media applet is unresponsive	207
Troubleshooting iLO Video Player problems	207
Video capture file does not play	207
Video capture file plays erratically	208
Troubleshooting Remote Text Console problems	208
Viewing the Linux installer in the text console	208
Passing data through an SSH terminal	208
Troubleshooting miscellaneous problems	208
Cookie sharing between browser instances and iLO 2	208
Shared instances	208
Cookie order behavior	209
Displaying the current session cookie	209
Preventing cookie-related user issues	210
Inability to access ActiveX downloads	210
Inability to get SNMP information from HP SIM	210
Incorrect time or date of the entries in the event log	210
Inability to upgrade iLO 2 firmware	210
Diagnostic steps	211
iLO 2 does not respond to SSL requests	211
Testing SSL	211
Resetting iLO 2	212
Server name still present after ERASE utility is executed	212
Troubleshooting a remote host	212
Directory services schema	213
HP Management Core LDAP OID classes and attributes	213
Core classes	213
Core attributes	213
Core class definitions	213
hpqTarget	213
hpqRole	214
hpqPolicy	214
Core attribute definitions	214
hpqPolicyDN	214
hpqRoleMembership	215
hpqTargetMembership	215
hpqRoleIPRestrictionDefault	215
hpqRoleIPRestrictions	215
hpqRoleTimeRestriction	216
Lights-Out Management specific LDAP OID classes and attributes	217
Lights-Out Management classes	217
Lights-Out Management attributes	217
Lights-Out Management class definitions	217
hpqLOMv100	217
Lights-Out Management attribute definitions	218
hpqLOMRightLogin	218
hpqLOMRightRemoteConsole	218
hpqLOMRightVirtualMedia	218
hpqLOMRightServerReset	219
hpqLOMRightLocalUserAdmin	219
hpqLOMRightConfigureSettings	219
Technical support	220
Support information	220
HP contact information	221
Before you contact HP	221
Acronyms and abbreviations	222

Match case Limit results 1 per page

Directory-enabled remote management 168

How directory login restrictions are enforced

Two sets of restrictions potentially limit a directory user's access to LOM devices. User access restrictions

limit a user's access to authenticate to the directory. Role access restrictions limit an authenticated user's

ability to receive LOM privileges based on rights specified in one or more Roles.

Restricting roles

Restrictions allow administrators to limit the scope of a role. A role only grants rights to those users that

satisfy the role's restrictions. Using restricted roles results in users with dynamic rights that can change

based on the time of day or network address of the client.

IMPORTANT:

When directories are enabled, access to a particular iLO 2 is based on whether

the user has read access to a Role object that contains the corresponding iLO 2 object. This

includes but is not limited to the members listed in the role object. If the Role is set up to allow

inheritable permissions to propagate from a parent, then members of the parent which have

read access privileges will also have access to iLO 2. To view the access control list, navigate

to Users and Computers, open the properties screen for the Role object and select the

Security

tab.

For step-by-step instructions on how to create network and time restrictions on a role, refer to "Active

Directory Role Restrictions (on page

154

)" or "eDirectory Role Restrictions (on page

162

)" sections.

Role time restrictions

Administrators can place time restrictions on LOM roles. Users are granted the rights specified for the

LOM devices listed in the role, only if they are members of the role and meet the time restrictions for that

role.

LOM devices use local host time to enforce time restrictions. If the LOM device clock is not set, the role

time restriction fails unless no time restrictions are specified on the role.

Role-based time restrictions can only be satisfied if the time is set on the LOM device. The time is normally

set when the host is booted, and it is maintained by running the agents in the host operating system,

which allows the LOM device to compensate for leap year and minimize clock drift with respect to the