Home » HP Manuals » Desktops » HP Xw460c » Manual Viewer

HP Xw460c HP Integrated Lights-Out 2 User Guide for Firmware 1.75 and 1.77 - Page 46

Two-factor authentication, Serial Command Line Interface Status: Disabled

Add to My Manuals
Save this manual to your list of manuals

Page 46 highlights

Base64-encoded. A CA processes this request and returns a response (X.509 certificate) that can be imported into iLO 2. The CR contains a public/private key pair that validates communications between the client browser and iLO 2. The generated CR is held in memory until a new CR is generated, iLO 2 is reset, or a certificate is imported by the generation process. You can generate the CR and copy it to the client clipboard, leave the iLO 2 website to retrieve the certificate, and then return to import the certificate. When submitting the request to the CA, be sure to perform the following tasks: a. Use the iLO 2 name as listed on the System Status screen as the URL for the server. b. Request that the certificate is generated in the RAW format. c. Include the Begin and End certificate lines. Every time you click Create Certificate Request, a new certificate request is generated, even though the iLO 2 name is the same. • Import Certificate-Use this button when you are returning to the Certificate Administration page with a certificate to import. Click Import Certificate to go directly to the Certificate Import screen without generating a new CR. A certificate only works with the keys generated for the original CR from which the certificate was generated. If iLO 2 has been reset, or another CR was generated since the original CR was submitted to a CA, then a new CR must be generated and submitted to the CA. You can create a CR or import an existing certificate using RIBCL XML commands. These commands enable you to script and automate certificate deployment on iLO 2 servers instead of manually deploying certificates through the browser interface. For more information, see HP Integrated Lights-Out Management Processor Scripting and Command Line Resource Guide. Two-factor authentication Access to iLO 2 requires user authentication. This firmware release provides an enhanced authentication scheme for iLO 2 using two factors of authentication: a password or PIN, and a private key for a digital certificate. Using two-factor authentication requires that you verify your identity by providing both factors. You can store your digital certificates and private keys wherever you choose, for example, on a smart card, USB token, or hard drive. The Two-Factor Authentication tab enables you to configure security settings and review, import, or delete a trusted CA certificate. The Two-Factor Authentication Enforcement setting controls whether two-factor authentication is used for user authentication during login. To require two-factor authentication, click Enabled. To turn off the two-factor authentication requirement and allow login with user name and password only, click Disabled. You cannot change the setting to Enabled if a trusted CA certificate is not configured. To provide the necessary security, the following configuration changes are made when twofactor authentication is enabled: • Telnet Access: Disabled • Secure Shell (SSH) Access: Disabled • Serial Command Line Interface Status: Disabled If telnet, SSH, or Serial CLI access is required, re-enable these settings after two-factor authentication is enabled. However, because these access methods do not provide a means of two-factor authentication, only a single factor is required to access iLO 2 with telnet, SSH, or Serial CLI. Configuring iLO 2 46

Section	Page
HP Integrated Lights-Out 2 User Guide	1
Notice	2
Contents	3
Operational overview	9
Guide overview	9
New in this release of iLO 2	9
iLO 2 overview	10
Differences between iLO 2 and iLO	10
HP Insight Essentials Rapid Deployment Pack integration	11
Server management through IPMI version 2.0 compliant applications	11
WS-Management compatibility overview	12
iLO 2 browser interface overview	13
Supported browsers and client operating systems	13
Supported server operating system software	14
iLO 2 setup	16
Quick setup	16
Preparing to setup iLO 2	16
Connecting to the network	18
Configuring the IP address	18
Logging in to iLO 2 for the first time	19
Setting up user accounts	19
Setting up iLO 2 using iLO 2 RBSU	20
Setting up iLO 2 using the browser-based option	20
Activating iLO 2 licensed features using a browser	20
Installing iLO 2 device drivers	21
Microsoft device driver support	21
Linux device driver support	22
Novell NetWare device driver support	22
Configuring iLO 2	24
iLO 2 configuration overview	24
Upgrading iLO 2 firmware	24
Upgrading iLO 2 using a browser	25
Updating the firmware using the maintenance CD	26
Recovering from a failed iLO 2 firmware update	26
Downgrading the iLO 2 firmware	26
Licensing	26
User administration	28
Adding a new user	29
Viewing or modifying an existing user's settings	31
Deleting a user	31
Group administration	32
Configuring iLO 2 access	33
Services options	33
Terminal Services Passthrough option	35
Enabling the Terminal Services Passthrough option	37
Remote Console and Terminal Services clients	37
Terminal Services troubleshooting	38
Access options	39
iLO 2 Remote Console and Remote Serial Console access	41
Security	41
General security guidelines	42
Password guidelines	42
Securing RBSU	42
iLO 2 Security Override Switch administration	43
Trusted Platform Module support	43
User accounts and access	44
Privileges	44
Login security	44
SSH key administration	45
SSL certificate administration	45
Two-factor authentication	46
Setting up two-factor authentication for the first time	47
Setting up a user for two-factor authentication	49
Two-factor authentication login	49
Using two-factor authentication with directory authenticatio	50
Directory settings	51
Configuring directory settings	52
Directory tests	54
Encryption	54
Encryption settings	55
Connecting to the iLO 2 using AES/3DES encryption	55
HP SIM single sign-on (SSO)	56
Setting up iLO 2 for HP SIM SSO	56
Adding HP SIM trusted servers	57
Setting up HP SIM SSO	58
Remote Console Computer Lock	59
Network	60
Network Settings	61
iLO 2 subsystem name limitations	62
iLO 2 Shared Network Port	62
DHCP/DNS Settings	65
SNMP/Insight Manager settings	66
Enabling SNMP alerts	66
SNMP generated trap definitions	67
Configuring Insight Manager integration	68
ProLiant BL pClass configuration	69
ProLiant BL pClass user requirements	69
Static IP bay configuration	69
Configuring a ProLiant BL pClass blade enclosure	70
Configuring static IP bay settings	70
ProLiant BL pClass standard configuration parameters	71
ProLiant BL pClass advanced configuration parameters	71
Enabling iLO 2 IP address assignment	72
HP BladeSystem setup	72
iLO 2 configuration screen	73
Verify Server RAID Configuration screen	73
Connect Virtual Media screen	74
Install Software screen	74
iLO 2 diagnostic port configuration parameters	74
Using iLO 2	76
System status and status summary information	76
System Information Summary	78
Fans	78
Temperatures	79
Power	79
Processors	80
Memory	80
NIC	80
iLO 2 Log	80
IML	80
Diagnostics	81
Insight Agents	82
iLO 2 Remote Console	83
Remote Console overview and licensing options	84
Remote Console settings	84
Remote console hot keys	86
Supported hot keys	86
Hot keys and international keyboards	88
Hot keys and Virtual Serial Port	88
Integrated Remote Console Fullscreen	88
Integrated Remote Console option	88
Optimizing mouse performance for Remote Console or Integrated Remote Console	91
High Performance Mouse settings	91
Shared Remote Console	93
Using Console Capture	93
Using HP iLO Video Player	94
iLO Video Player user interface	94
iLO Video Player controls	95
Acquiring the Remote Console	96
Remote Console	96
Remote Console features and controls	97
Recommended client settings	98
Recommended server settings	98
Text-based remote console overview	98
Text-based console during POST	99
Text-based console after POST	99
Virtual serial port and remote serial console	102
Virtual media	107
Using iLO 2 Virtual Media devices	108
Virtual Media and Windows 7	108
iLO 2 Virtual Floppy/USBKey	108
iLO 2 Virtual CD/DVD-ROM	112
Creating iLO 2 disk image files	114
Virtual folder	115
Virtual folder operating system notes	115
Power management	116
Server power settings	117
Server power data	119
Processor states	120
Power efficiency	121
Graceful shutdown	122
ProLiant BL pClass Advanced management	122
Rack View	123
Blade configuration and information	124
Enclosure information	125
Power enclosure information	126
Network component information	126
iLO 2 control of ProLiant BL pClass server LEDs	127
Server POST tracking	127
Insufficient power notification	127
ProLiant BL pClass alert forwarding	127
ProLiant BladeSystem HP Onboard Administrator	127
iLO 2 BL c-Class tab	128
Enclosure bay IP addressing	128
Dynamic power capping for server blades	130
iLO 2 Virtual Fan	131
iLO option	131
Web Administration	132
BL pClass and BL c-Class features	132
Directory services	134
Overview of directory integration	134
Benefits of directory integration	134
Advantages and disadvantages of schema-free directories and HP schema directory	135
Schema-free directory integration	136
HP schema directory integration	136
Setup for Schema-free directory integration	138
Active Directory preparation	138
Introduction to certificate services	138
Installing certificate services	138
Verifying certificate services	139
Configuring Automatic Certificate Request	139
Schema-free browser-based setup	139
Schema-free scripted setup	140
Schema-free HPLOMIG-based setup	140
Schema-free setup options	140
Schema-free nested groups	141
Setting up HP schema directory integration	142
Features supported by HP schema directory integration	142
Setting up directory services	142
Schema documentation	143
Directory services support	143
Schema required software	144
Schema installer	144
Schema Preview	145
Setup	145
Results	146
Management snap-in installer	147
Directory services for Active Directory	147
Active Directory installation prerequisites	147
Installing Active Directory on Windows Server 2008	148
Directory services preparation for Active Directory	148
Snap-in installation and initialization for Active Directory	149
Example: Creating and configuring directory objects for use with iLO 2 in Active Directory	150
Directory services objects	152
Active Directory Lights-Out management	156
Directory services for eDirectory	157
eDirectory installation prerequisites	157
Snap-in installation and initialization for eDirectory	157
Example: Creating and configuring directory objects for use with LOM devices in eDirectory	157
Directory Services objects for eDirectory	161
eDirectory Role Restrictions	162
eDirectory Lights-Out Management	164
User login using directory services	165
Directory-enabled remote management	166
Introduction to directory-enabled remote management	166
Creating roles to follow organizational structure	166
Using existing groups	166
Using multiple roles	167
How directory login restrictions are enforced	168
Restricting roles	168
Role time restrictions	168
Role address restrictions	169
User restrictions	169
User address restrictions	169
How user time restrictions are enforced	170
Creating multiple restrictions and roles	170
Using bulk import tools	171
HPQLOMIG directory migration utility	173
Introduction to HPQLOMIG utility	173
Compatibility	173
HP Lights-Out directory package	173
Using HPQLOMIG	174
Finding management processors	174
Upgrading firmware on management processors	176
Selecting a directory access method	177
Naming management processors	178
Configuring directories when HP Extended schema is selected	179
Configuring directories when schema-free integration is selected	180
Setting up management processors for directories	181
HP Systems Insight Manager integration	183
Integrating iLO 2 with HP SIM	183
HP SIM functional overview	183
Establishing SSO with HP SIM	184
HP SIM identification and association	184
HP SIM status	184
HP SIM links	185
HP SIM systems lists	185
Receiving SNMP alerts in HP SIM	186
HP SIM port matching	186
Reviewing Advanced Pack license information in HP SIM	187
Troubleshooting iLO 2	188
iLO 2 POST LED indicators	188
Event log entries	189
Hardware and software link-related issues	192
JVM support	193
Login issues	193
Login name and password not accepted	193
Directory user premature logout	194
iLO 2 Management Port not accessible by name	194
iLO 2 RBSU unavailable after iLO 2 and server reset	194
Inability to access the login page	195
Inability to access iLO 2 using telnet	195
Inability to access virtual media or graphical remote console	195
Inability to connect to iLO 2 after changing network settings	195
Inability to connect to the iLO 2 Diagnostic Port	195
Inability to connect to the iLO 2 processor through the NIC	196
Inability to log in to iLO 2 after installing the iLO 2 certificate	196
Firewall issues	196
Proxy server issues	196
Two-factor authentication error	197
Troubleshooting alert and trap problems	197
Inability to receive HP SIM alarms (SNMP traps) from iLO 2	198
iLO 2 Security Override switch	198
Authentication code error message	198
Troubleshooting directory problems	198
Domain/name format login issues	199
ActiveX controls are enabled and I see a prompt but the domain/name login format does not work	199
User contexts do not appear to work	199
Directory user does not logout after the directory timeout has expires	199
Troubleshooting Remote Console problems	199
Remote Console applet has a red X when running Linux client browser	200
Inability to navigate the single cursor of the Remote Consol to corners of the Remote Console window	200
Remote Console no longer opens on the existing browser session	200
Remote console text window not updating properly	200
Remote Console turns gray or black	201
Remote Serial Console troubleshooting	201
Troubleshooting Integrated Remote Console problems	201
Internet Explorer 7 and a flickering remote console screen	201
Configuring Apache to accept exported capture buffers	202
No console replay while server is powered down	203
Skipping information during boot and fault buffer playback	203
Out of Memory error starting Integrated Remote Console	203
Session leader does not receive connection request when IRC is in replay mode	203
Keyboard LED does not display correctly	203
Inactive IRC	204
IRC Failed to connect to server error message	204
IRC toolbar icons do not update	204
GNOME interface does not lock	205
Repeating keys on the Remote Console	205
Remote Console playback does not work when the host server is powered down	205
Troubleshooting SSH and Telnet problems	205
Initial PuTTY input slow	205
PuTTY client unresponsive with Shared Network Port	205
SSH text support from a Remote Console session	206
Troubleshooting terminal services problems	206
Terminal Services button is not working	206
Terminal Services proxy stops responding	206
Troubleshooting video and monitor problems	206
General guidelines	206
Telnet displays incorrectly in DOS®	206
Video applications not displaying in the Remote Console	207
User interface is not displaying correctly	207
Troubleshooting Virtual Media problems	207
Virtual Media applet has a red X and will not display	207
Virtual Floppy media applet is unresponsive	207
Troubleshooting iLO Video Player problems	207
Video capture file does not play	207
Video capture file plays erratically	208
Troubleshooting Remote Text Console problems	208
Viewing the Linux installer in the text console	208
Passing data through an SSH terminal	208
Troubleshooting miscellaneous problems	208
Cookie sharing between browser instances and iLO 2	208
Shared instances	208
Cookie order behavior	209
Displaying the current session cookie	209
Preventing cookie-related user issues	210
Inability to access ActiveX downloads	210
Inability to get SNMP information from HP SIM	210
Incorrect time or date of the entries in the event log	210
Inability to upgrade iLO 2 firmware	210
Diagnostic steps	211
iLO 2 does not respond to SSL requests	211
Testing SSL	211
Resetting iLO 2	212
Server name still present after ERASE utility is executed	212
Troubleshooting a remote host	212
Directory services schema	213
HP Management Core LDAP OID classes and attributes	213
Core classes	213
Core attributes	213
Core class definitions	213
hpqTarget	213
hpqRole	214
hpqPolicy	214
Core attribute definitions	214
hpqPolicyDN	214
hpqRoleMembership	215
hpqTargetMembership	215
hpqRoleIPRestrictionDefault	215
hpqRoleIPRestrictions	215
hpqRoleTimeRestriction	216
Lights-Out Management specific LDAP OID classes and attributes	217
Lights-Out Management classes	217
Lights-Out Management attributes	217
Lights-Out Management class definitions	217
hpqLOMv100	217
Lights-Out Management attribute definitions	218
hpqLOMRightLogin	218
hpqLOMRightRemoteConsole	218
hpqLOMRightVirtualMedia	218
hpqLOMRightServerReset	219
hpqLOMRightLocalUserAdmin	219
hpqLOMRightConfigureSettings	219
Technical support	220
Support information	220
HP contact information	221
Before you contact HP	221
Acronyms and abbreviations	222

Match case Limit results 1 per page

Configuring iLO 2 46

Base64-encoded. A CA processes this request and returns a response (X.509 certificate) that can be

imported into iLO 2.

The CR contains a public/private key pair that validates communications between the client browser

and iLO 2. The generated CR is held in memory until a new CR is generated, iLO 2 is reset, or a

certificate is imported by the generation process. You can generate the CR and copy it to the client

clipboard, leave the iLO 2 website to retrieve the certificate, and then return to import the certificate.

When submitting the request to the CA, be sure to perform the following tasks:

Use the iLO 2 name as listed on the System Status screen as the URL for the server.

Request that the certificate is generated in the RAW format.

Include the

Begin

and

End

certificate lines.

Every time you click

Create Certificate Request,

a new certificate request is generated, even though

the iLO 2 name is the same.

•

Import Certificate—Use this button when you are returning to the Certificate Administration page

with a certificate to import. Click

Import Certificate

to go directly to the Certificate Import screen

without generating a new CR. A certificate only works with the keys generated for the original CR

from which the certificate was generated. If iLO 2 has been reset, or another CR was generated

since the original CR was submitted to a CA, then a new CR must be generated and submitted to the

CA.

You can create a CR or import an existing certificate using RIBCL XML commands. These commands

enable you to script and automate certificate deployment on iLO 2 servers instead of manually deploying

certificates through the browser interface. For more information, see

HP Integrated Lights-Out

Management Processor Scripting and Command Line Resource Guide

Two-factor authentication

Access to iLO 2 requires user authentication. This firmware release provides an enhanced authentication

scheme for iLO 2 using two factors of authentication: a password or PIN, and a private key for a digital

certificate. Using two-factor authentication requires that you verify your identity by providing both factors.

You can store your digital certificates and private keys wherever you choose, for example, on a smart

card, USB token, or hard drive.

The Two-Factor Authentication tab enables you to configure security settings and review, import, or delete

a trusted CA certificate. The Two-Factor Authentication Enforcement setting controls whether two-factor

authentication is used for user authentication during login. To require two-factor authentication, click

Enabled

. To turn off the two-factor authentication requirement and allow login with user name and

password only, click

Disabled

. You cannot change the setting to Enabled if a trusted CA certificate is not

configured. To provide the necessary security, the following configuration changes are made when two-

factor authentication is enabled:

•

Telnet Access: Disabled

•

Secure Shell (SSH) Access: Disabled

•

Serial Command Line Interface Status: Disabled

If telnet, SSH, or Serial CLI access is required, re-enable these settings after two-factor authentication is

enabled. However, because these access methods do not provide a means of two-factor authentication,

only a single factor is required to access iLO 2 with telnet, SSH, or Serial CLI.