HP Ilo 2 User Guide
Have a look at the manual HP Ilo 2 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 1114 HP manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
Creatingmultiplerestrictionsandroles Themostusefulapplicationofmultiplerolesincludesrestrictingoneormorerolessothatrightsdo notapplyinallsituations.Otherrolesprovidedifferentrightsunderdifferentconstraints.Using multiplerestrictionsandrolesenablestheadministratortocreatearbitrary,complexrights relationshipswithaminimumnumberofroles. Forexample,anorganizationmighthaveasecuritypolicyinwhichLOMadministratorsareallowed tousetheLOMdevicefromwithinthecorporatenetworkbutareonlyabletoresettheserver outsideofregularbusinesshours. Directoryadministratorsmightbetemptedtocreatetworolestoaddressthissituation,butextra cautionisrequired.Creatingarolethatprovidestherequiredserverresetrightsandrestrictingit toanafter-hoursapplicationmightallowadministratorsoutsidethecorporatenetworktoresetthe server,whichiscontrarytomostsecuritypolicies. Intheexample,securitypolicydictatesgeneraluseisrestrictedtoclientswithinthecorporate subnet,andserverresetcapabilityisadditionallyrestrictedtoafterhours. Alternatively,thedirectoryadministratorcouldcreatearolethatgrantstheloginrightandrestrict ittothecorporatenetwork,thencreateanotherrolethatgrantsonlytheserverresetrightand restrictittoafter-hoursoperation.Thisconfigurationiseasiertomanagebutmoredangerous becauseon-goingadministrationmightcreateanotherrolethatgrantsusersfromaddressesoutside thecorporatenetworktheloginright,whichcouldunintentionallygranttheLOMadministratorsin theserverResetroletheabilitytoresettheserverfromanywhere,providedtheysatisfythetime constraintsofthatrole. Thepreviousconfigurationmeetscorporatesecuritypolicy.However,addinganotherrolethat grantstheloginrightcaninadvertentlygrantserverresetprivilegesfromoutsidethecorporate subnetafterhours.AmoremanageablesolutionwouldbetorestricttheResetrole,aswellasthe GeneralUserole. Directory-enabledremotemanagement161
Usingbulkimporttools AddingandconfiguringlargenumbersofLOMobjectsistimeconsuming.HPprovidesseveral utilitiestoassistinthesetasks. •HPLights-OutMigrationutility TheHPLights-OutMigrationutility,HPQLOMIG.EXE,importsandconfiguresmultipleLOM devices.HPQLOMIG.EXEincludesaGUIthatprovidesastep-by-stepapproachtoimplementing orupgradinglargenumbersofmanagementprocessors.HPrecommendsusingthisGUI methodwhenupgradingnumerousmanagementprocessors.Formoreinformation,see “HPQLOMIGdirectorymigrationutility”(page162). •HPLights-OutMigrationCommandutility TheHPLights-OutMigrationCommandutility,HPQLOMGC.EXE,offersacommand-line approachtomigration,ratherthanaGUI-basedapproach.Thisutilityworksinconjunction withtheApplicationLaunchandqueryfeaturesofHPSIMtoconfiguremanydevicesata time.CustomersthatmustconfigureonlyafewLOMdevicestousedirectoryservicesmight alsopreferthecommand-lineapproach.Formoreinformation,see“HPQLOMIGdirectory migrationutility”(page162). •HPSIMutilities: ManagemultipleLOMdevices.◦ ◦DiscovertheLOMdevicesasmanagementprocessorsusingCPQLOCFGtosendaRIBCL XMLscriptfiletoagroupofLOMdevicestomanagethoseLOMdevices.TheLOM devicesperformtheactionsdesignatedbytheRIBCLfileandsendaresponsetothe CPQLOCFGlogfile.Formoreinformation,seetheHPIntegratedLights-OutManagement ProcessorScriptingandCommandLineResourceGuideathttp://h20000.www2.hp.com/ bizsupport/TechSupport/DocumentIndex.jsp?contentType=SupportManual&lang=en& cc=us&docIndexId=64179&taskId=135&prodTypeId=18964&prodSeriesId=1146658. •Traditionalimportutilities AdministratorsfamiliarwithtoolssuchasLDIFDEortheNDSImport/ExportWizardcanuse theseutilitiestoimportorcreatemanyLOMdeviceobjectsinthedirectory.However, administratorsmuststillconfigurethedevicesmanually,asdescribedpreviously,butcando soatanytime.ProgrammaticorscriptinginterfacescanalsobeusedtocreatetheLOMdevice objectsinthesamewayasusersorotherobjects.Fordetailsonattributesandattributedata formatswhencreatingLOMobjects,see“Directoryservicesschema”(page171). HPQLOMIGdirectorymigrationutility IntroductiontoHPQLOMIGutility TheHPQLOMIGutilityisforcustomerswithpreviouslyinstalledmanagementprocessorswhowant tosimplifythemigrationoftheseprocessorstomanagementbydirectories.HPQLOMIGautomates someofthemigrationstepsnecessaryforthemanagementprocessorstosupportDirectoryServices. HPQLOMIGcandothefollowing: •Discovermanagementprocessorsonthenetwork. •UpgradethemanagementprocessorfirmwaretotheversionthatsupportsDirectoryServices orschema-freedirectories. •Namethemanagementprocessorstoidentifytheminthedirectory. •Createobjectsinthedirectorycorrespondingtoeachmanagementprocessorandassociate themtoarole. •Configurethemanagementprocessorstoenablethemtocommunicatewiththedirectory. 162Directoryservices
Compatibility TheHPQLOMIGutilityoperatesonMicrosoftWindowsandrequiresMicrosoft.NETFramework. Foradditionalinformationandtodownload.NETframework,seetheMicrosoftwebsiteathttp:// www.microsoft.com/net.TheHPQLOMIGutilitysupportsthefollowingoperatingsystems: •ActiveDirectory Windows2000— —WindowsServer2003 •NovelleDirectory8.6.2 Windows2000— —WindowsServer2003 HPLights-Outdirectorypackage Allofthemigrationsoftware,aswellastheschemaextenderandmanagementsnap-ins,are packagedinanHPSmartComponent.Tocompletethemigrationofyourmanagementprocessors, youmustextendtheschemaandinstallthemanagementsnap-insbeforerunningthemigration tool.TheSmartComponentislocatedontheHPLights-Outmanagementwebsiteathttp:// www.hp.com/servers/lights-out. Toinstallthemigrationutilities,clickLDAPMigrationUtilityintheSmartComponent.AMicrosoft MSIinstallerlaunchesandinstallsHPQLOMIG,therequiredDLLs,thelicenseagreement,andother filesintotheC:\Program Files\Hewlett-Packard\HP Lights-Out Migration Tool directory.Youcanselectadifferentdirectory.TheinstallercreatesashortcuttoHPQLOMIGonthe StartmenuandinstallsasampleXMLfile. NOTE:Theinstallationutilitywillpresentanerrormessageandexitifitdetectsthatthe.NET Frameworkisnotinstalled. UsingHPQLOMIG TheHPQLOMIGutilityautomatestheprocessofmigratingmanagementprocessorsbycreating objectsinthedirectorycorrespondingtoeachmanagementprocessorandassociatingthemtoa role.HPQLOMIGhasaGUIandprovidestheuserwithawizardapproachtoimplementingor upgradinglargeamountsofmanagementprocessors. Findingmanagementprocessors Thefirststeptomigratingistodiscoverallmanagementprocessorsyouwanttoenablefordirectory services.YoucansearchformanagementprocessorsusingDNSnames,IPaddresses,orIPaddress wildcards.ThefollowingrulesapplytothevariablesenteredintheAddressesfield: •DNSnames,IPaddresses,andIPaddresswildcardsmustbedelimitedwithasemicolon. •TheIPaddresswildcardusesthe"*"characterinthethirdandfourthoctetfields.Forexample, IPaddress16.100.*.*isvalid,whereasIPaddress16.*.*.*isnot. •Rangescanalsobespecifiedusingahyphen.Forexample,192.168.0.2-10isavalidrange. Ahyphenisonlysupportedintherightmostoctet. •AfteryouclickFind,HPQLOMIGbeginspingingandconnectingtoport443(thedefaultSSL port).Thepurposeoftheseactionsistoquicklydetermineifthetargetnetworkaddressisa managementprocessor.Ifthedevicedoesnotrespondtothepingorconnectappropriately onport443,thenitisdeterminednottobeamanagementprocessor. IfyouclickNext,Back,orexittheapplicationduringdiscovery,operationsonthecurrentnetwork addressarecompleted,butthoseonsubsequentnetworkaddressesarecanceled. HPQLOMIGdirectorymigrationutility163
Tostarttheprocessofdiscoveringyourmanagementprocessors: 1.ClickStartandselectPrograms>Hewlett-Packard,Lights-OutMigrationUtilitytostartthe migrationprocess. 2.ClickNexttomovepasttheWelcomescreen. 3.EnterthevariablestoperformthemanagementprocessorsearchintheAddressesfield. 4.Enteryourloginnameandpassword,andclickFind.TheFindbuttonchangestoVerifywhen thesearchiscomplete. YoucanalsoinputalistofmanagementprocessorsbyclickingImport.Thefileisasimple textfilewithonemanagementprocessorlistedperline.Thefieldsaredelimitedwithsemicolons. Thefieldsareasfollows: •NetworkAddress •ManagementProcessorType •FirmwareVersion •DNSName •UserName •Password •DirectoryConfiguration Forexample,onelinecouldhave: 16.100.225.20;iLO;1.80;ILOTPILOT2210;user;password;Default Schema Ifforsecurityreasonstheusernameandpasswordcannotbeinthefile,thenleavethese fieldsblank,butkeepthesemicolons. 164Directoryservices
Upgradingfirmwareonmanagementprocessors TheUpgradeFirmwarescreenenablesyoutoupdatethemanagementprocessorstothefirmware versionthatsupportsdirectories.Thisscreenalsoenablesyoutodesignatethelocationofthe firmwareimageforeachmanagementprocessorbyeitherenteringthepathorclickingBrowse. NOTE:Binaryimagesofthefirmwareforthemanagementprocessorsarerequiredtobeaccessible fromthesystemthatisrunningthemigrationutility.Thesebinaryimagescanbedownloadedfrom theHPwebsiteathttp://www.hp.com/servers/lights-out. MinimumfirmwareversionManagementprocessor 2.50RILOE 1.10RILOEII 1.40iLO 1.00iLO2 Theupgradeprocessmighttakealongtime,dependingonthenumberofmanagementprocessors selected.Thefirmwareupgradeofasinglemanagementprocessorcantakeaslongasfiveminutes tocomplete.Ifanupgradefails,amessageappearsintheResultscolumnandHPQLOMIGcontinues toupgradetheotherdiscoveredmanagementprocessors. NOTE:HPrecommendstestingtheupgradeprocessandverifyingtheresultsinatestenvironment beforerunningtheutilityonaproductionnetwork.Anincompletetransferofthefirmwareimage toamanagementprocessorcouldresultinhavingtolocallyreprogramthemanagementprocessor usingafloppydiskette. Toupgradethefirmwareonyourmanagementprocessors: 1.Selectthemanagementprocessorstobeupgraded. 2.Foreachdiscoveredmanagementprocessortype,enterthecorrectpathnametothefirmware imageorbrowsetotheimage. 3.ClickUpgradeFirmware.Theselectedmanagementprocessorsareupgraded.Althoughthis utilityenablesyoutoupgradehundredsofmanagementprocessors,only25management processorsareupgradedsimultaneously.Networkactivityisconsiderableduringthisprocess. 4.Aftertheupgradeiscomplete,clickNext. HPQLOMIGdirectorymigrationutility165
Duringthefirmwareupgradeprocess,allbuttonsaredeactivatedtopreventnavigation.Youcan stillclosetheapplicationusingthe"X"atthetoprightofthescreen.IftheGUIisclosedwhile programmingfirmware,theapplicationcontinuestoruninthebackgroundandcompletesthe firmwareupgradeonallselecteddevices. HPLOMIGsupportsfirmwareflashonserverswithaTPMchip.IfaTPMmoduleispresentand enabledintheserverandOptionalROMmeasuringisenabled,HPLOMIGdisplaysawarning message(shownbelow.)IfyouselectYes,HPLOMIGwillcontinuewiththeflashprocess.Otherwise firmwareflashontheselectedserverisskipped.Thismessagedisplayseverytimeaserverwitha TPMmoduleisdetectedduringfirmwareflash. Selectingadirectoryaccessmethod AftertheFirmwareUpgradepage,theSelectDirectoryAccessMethodpagedisplays.Youcan selectwhichmanagementprocessorstoconfigure(withrespecttoschemausage)andhowitwill beconfigured.TheSelectDirectoryAccessMethodpagehelpstopreventanaccidentaloverwrite ofiLO2salreadyconfiguredforHPschemaorthosethathavedirectoriesturnedoff. ThispagedeterminesiftheHPExtendedschema,schema-free(defaultschema),ornodirectories supportconfigurationpagesfollow. 166Directoryservices
Toconfigurethemanagementprocessorfor: •DirectoryServices,see“ConfiguringdirectorieswhenHPExtendedschemaisselected”(page 168). •Schema-free(defaultschema)directoriessupport,see“SettingupSchema-freedirectory integration”(page132). Namingmanagementprocessors ThisscreenenablesyoutonameLights-Outmanagementdeviceobjectsinthedirectoryandcreate correspondingdeviceobjectsforallmanagementprocessorstobemanaged.Youcancreate namesusingoneormoreofthefollowing: •Thenetworkaddress •TheDNSname •Anindex •Creatingthenamemanually •Addingaprefixtoall •Addingasuffixtoall Tonamethemanagementprocessors,clicktheNamefield,andenterthename,or: 1.SelectUseNetworkAddress,UseDNSNames,orCreateNameUsingIndex.Youcanalso nameeachmanagementprocessordirectoryobjectbyclickingtwiceinthenamefieldwith adelaybetweenclicks. 2.Enterthetexttoadd(suffixorprefix)toallnames(optional). 3.ClickGenerateNames.ThenamesdisplayintheNamecolumnastheyaregenerated.Atthis point,namesarenotwrittentothedirectoryorthemanagementprocessors.Thenamesare storeduntilthenextpage. HPQLOMIGdirectorymigrationutility167
4.Tochangethenames(optional),clickClearAllNames,andrenamethemanagement processors. 5.Afterthenamesarecorrect,clickNext. ConfiguringdirectorieswhenHPExtendedschemaisselected TheConfigureDirectoryscreenenablesyoutocreateadeviceobjectforeachdiscovered managementprocessorandtoassociatethenewdeviceobjecttoapreviouslydefinedrole.For example,thedirectorydefinesauserasamemberofarole(suchasadministrator)whohasa collectionofprivilegesonaspecificdeviceobject(suchasaRILOEIIcard). ThefieldsintheConfigureDirectoryscreenare: •NetworkAddress–Thenetworkaddressofthedirectoryserverandcaneitherbeavalid DNSnameorIPaddress. •Port–TheSSLporttothedirectory.Thedefaultentryis636.Managementprocessorscan onlycommunicatewiththedirectoryusingSSL. •LoginNameandPassword–Thesefieldsareusedtologinwithanaccountthathasdomain administratoraccesstothedirectory. •ContainerDN–Afteryouhavethenetworkaddress,port,andlogininformation,youcan clickBrowsetonavigateforthecontainerandroledistinguishedname.Thecontainer DistinguishedNameiswherethemigrationutilitywillcreateallofthemanagementprocessor objectsinthedirectory. •RoleDN–Theroledistinguishednameiswheretheroletobeassociatedwiththedevice objectsresidesandmustbecreatedbeforetorunningthisutility. Toconfigurethedeviceobjectstobeassociatedwitharole: 168Directoryservices
1.Enterthenetworkaddress,loginname,andpasswordforthedesignateddirectoryserver. 2.EnterthecontainerdistinguishednameintheContainerDNfield,orclickBrowse. 3.Associatedeviceobjectswithamemberofarolebyenteringtheroledistinguishednamein theRoleDNfield,orclickBrowse. 4.ClickUpdateDirectory.Thetoolconnectstothedirectory,createsthemanagementprocessor objects,andaddsthemtotheselectedroles. 5.Afterthedeviceobjectshavebeenassociatedwitharole,clickNext. Configuringdirectorieswhenschema-freeintegrationisselected ThefieldsintheConfigureManagementProcessorsscreenare: •NetworkAddress–Thenetworkaddressofthedirectoryserver,whichcanbeavalidDNS nameorIPaddress. •LoginNameandPassword–Thesefieldsareusedtologinwithanaccountthathasdomain administratoraccesstothedirectory. •SecurityGroupDistinguishedName–Thedistinguishednameofthegroupinthedirectory thatcontainsasetofiLO2userswithacommonsetofprivileges.Ifthedirectoryname,login name,andpasswordarecorrect,youcanclicktheBrowsebuttontonavigatetoandselect thegroup. •Privileges–TheiLO2privilegesassociatedwiththeselectedgroup.Theloginprivilegeis impliediftheuserisamemberofthegroup. ConfigureManagementProcessorssettingsarestoreduntilthenextpageinthewizard. HPQLOMIGdirectorymigrationutility169
Settingupmanagementprocessorsfordirectories Thelaststepinthemigrationprocessistoconfigurethemanagementprocessorstocommunicate withthedirectory.Thisscreenenablesyoutocreateusercontexts. Usercontextsenabletheusertouseshortoruserobjectnamestologin,ratherthanthefull distinguishedname.Forexample,havingausercontextsuchasCN=Users,DC=RILOETEST2,DC=HP enablesuser"JohnSmith"tologinusingJohnSmith,ratherthanCN=JohnSmith,CN=Users, DC=RILOETEST2,[email protected],@RILOETEST2.HPina contextfieldenablestheusertologinusingjsmith(assumingthatjsmithistheuser'sshortname). Toconfigurethemanagementprocessorstocommunicatewiththedirectory: 1.Entertheusercontexts,orclickBrowse. 2.ForDirectoriesSupportandLocalAccountsoption,selectEnabledorDisabled. RemoteaccessisdisabledifbothDirectorySupportandLocalAccountsaredisabled.To reestablishaccess,reboottheserveranduseRBSUF8torestoreaccess. 3.ClickConfigure.Themigrationutilityconnectstoalloftheselectedmanagementprocessors andupdatestheconfigurationasyouhavespecified.HPLOMIGsupportsconfiguring15user contexts.Toaccesstheusercontextfields,usethescrollbar. 170Directoryservices