
HP Ilo 2 User Guide


• Support for X.509 CA signed certificates
• Support for securing RBSU
• Encrypted communication using:
  ◦ SSH key administration
  ◦ SSL certificate administration
• Support for optional LDAP-based directory services
Some of these options are licensed features. To verify your available options, see "Licensing" (page 26).

General security guidelines
The following are general guidelines concerning security for iLO 2:
• For maximum security, iLO 2 must be set up on a separate management network.
• The iLO 2 firmware must not be connected directly to the Internet.
• A 128-bit cipher strength browser must be used.

Password guidelines
The following is a list of recommended password guidelines. Passwords must:
• Never be written down or recorded
• Never be shared with others
• Not be words generally found in a dictionary, or easy to guess words, such as the company name, product names, the user's name, or the user's User ID
• Include at least three of the four following characteristics:
  ◦ At least one numeric character
  ◦ At least one special character
  ◦ At least one lowercase character
  ◦ At least one uppercase character
Passwords issued for a temporary user ID, password reset, or a locked-out user ID must also conform to these standards. Each password must be a minimum length of zero characters and a maximum length of 39 characters. The default minimum length is set to eight characters. Setting the minimum password length to fewer than eight characters is not recommended unless you have a physically secure management network that does not extend outside the secure data center.
Security 41
Securing RBSU
iLO 2 RBSU enables you to view and modify the iLO 2 configuration. RBSU access settings can be configured using RBSU, a web browser, RIBCL scripts, or the iLO 2 Security Override Switch. For more information, see "Access options" (page 38). RBSU has three levels of security:
• RBSU Login Not Required (default)
  Anyone with access to the host during POST can enter the iLO 2 RBSU to view and modify configuration settings. This is an acceptable setting if host access is controlled.
• RBSU Login Required (more secure)
  If RBSU login is required, then the active configuration menus are controlled by the authenticated user's access rights.
• RBSU Disabled (most secure)
  If iLO 2 RBSU is disabled, user access is prohibited. This prevents modification using the RBSU interface.

iLO 2 Security Override Switch administration
The iLO 2 Security Override Switch allows the administrator full access to the iLO 2 processor. This access might be necessary for any of the following conditions:
• The iLO 2 firmware must be re-enabled after it has been disabled.
• All user accounts with the Administer User Accounts privilege have been locked out.
• A bad configuration keeps the iLO 2 from displaying on the network and RBSU has been disabled.
• The boot block must be flashed.
Ramifications of setting the Security Override Switch include:
• All security authorization checks are disabled while the switch is set.
• The iLO 2 firmware RBSU runs if the host server is reset.
• The iLO 2 firmware is not disabled and might display on the network as configured.
• The iLO 2 firmware, if disabled while the Security Override Switch is set, does not log the user out and complete the disable process until the power is cycled on the server.
• The boot block is exposed for programming.
NOTE: The iLO 2 Security Override Switch is located inside the server and cannot be accessed without opening the server enclosure.
A warning message appears on iLO 2 browser pages indicating that the iLO 2 Security Override Switch is currently in use. An iLO 2 log entry records the use of the iLO 2 Security Override Switch. An SNMP alert can also be sent upon setting or clearing the iLO 2 Security Override Switch.
Setting the iLO 2 Security Override Switch also enables you to flash the iLO 2 boot block. HP does not anticipate you needing to update the iLO 2 boot block. If an iLO 2 boot block update is required, you must perform the update at the server, and then reset iLO 2. The boot block update cannot be done remotely. The boot block is exposed until iLO 2 is reset. For maximum security, HP recommends that you disconnect the iLO 2 from the network until you complete the reset.
To set the iLO 2 Security Override Switch:
1. Power off the server.
2. Set the switch.
3. Power on the server.
Reverse the procedure to clear the iLO 2 Security Override Switch.
Depending on the server, the iLO 2 Security Override Switch might be a single jumper or a specific switch position on a dip switch panel. To access and locate the iLO 2 Security Override Switch, see the server documentation. The iLO 2 Security Override Switch can also be located using the diagrams on the server access panel.

Trusted Platform Module support
TPM is a hardware based system security feature. It is a computer chip that securely stores artifacts used to authenticate the platform. These artifacts can include passwords, certificates, or encryption keys. You can also use a TPM to store platform measurements to help ensure that the platform remains trustworthy. iLO 2 provides support for the TPM mezzanine module in ProLiant 100, 300, and 500 series servers.
On a supported system, iLO 2 decodes the TPM record and passes the configuration status to the iLO 2, CLP, and XML interfaces. The System Status page displays the TPM configuration status. If the host system or System ROM does not support TPM, TPM Status is not displayed in the Status Summary page. The Status Summary displays the following TPM status information:
• Not Present – A TPM module is not installed.
• Present – when:
  ◦ A TPM module is installed but it is disabled.
  ◦ A TPM module is installed and enabled.
  ◦ A TPM module is installed, enabled, and Expansion ROM measuring is enabled. If Expansion ROM measuring is enabled, the Update iLO 2 Firmware page displays a legal warning message when you click Send firmware image.

User accounts and access
The iLO 2 firmware supports the configuration of up to 12 local user accounts. Each of these accounts can be managed through the use of the following features:
• "Privileges" (page 43)
• "Login security" (page 44)
The iLO 2 firmware can be configured to use a directory to authenticate and authorize its users. This configuration enables a virtually unlimited number of users, and easily scales to the number of Lights-Out devices in an enterprise. Additionally, the directory provides a central point of administration for Lights-Out devices and users, and the directory can enforce a stronger password policy. iLO 2 enables you to use local users, directory users, or both.
Two configuration options are available:
• To use a directory that has been extended with HP Schema, see "Setting up HP schema directory integration" (page 136).
• To use the directory default schema (schema-free), see "Setting up Schema-free directory integration" (page 132).

Privileges
The iLO 2 firmware enables the administrator to control user account access to iLO 2 functions through the use of privileges. When a user attempts to use a function, the iLO 2 system verifies that the user has the privilege before the user is allowed to perform the function.
Each feature available through iLO 2 can be controlled through privileges, including Administer User Accounts, Remote Console Access, Virtual Power and Reset, Virtual Media, and Configure iLO 2 Settings. Privileges for each user can be configured on the User Administration page of the Administration tab.
Login security
iLO 2 provides several login security features. After an initial failed login attempt, iLO 2 imposes a delay of five seconds. After a second failed attempt, iLO 2 imposes a delay of 10 seconds. After the third failed attempt, and any subsequent attempts, iLO 2 imposes a delay of 60 seconds. All subsequent failed login attempts cycle through these values. An information page appears during each delay. This continues until a valid login is completed. This feature assists in defending against possible dictionary attacks against the browser login port.
The iLO 2 firmware saves a detailed log entry for failed login attempts, which imposes a delay of 60 seconds.

SSH key administration
The iLO 2 firmware enables you to authorize up to four SSH keys at one time on the SSH Key tab. The SSH Key tab also displays the owner (if any keys are authorized) of each authorized SSH key. Multiple keys can belong to a single user.
To add an authorized key to iLO 2, the public key path must be submitted to iLO 2. The key file must contain the user name after the end of the key. iLO 2 associates each key with a local user account. If the local account does not exist or if it is deleted, the key is invalid (the key is not listed if the local account does not exist).
Alternatively, you can authorize SSH keys for an HP SIM server by running the mxagentconfig tool from the HP SIM server and specifying the address and user credentials for iLO 2. See your HP SIM documentation for more details.
To authorize a new key:
1. In the iLO 2 interface, click Administration > Security > SSH Key.
2. Click Browse, and locate the key file.
3. Click Authorize Key.
You can view or delete any previously authorized key by selecting the key, and clicking View Selected Key or Delete Selected Key. The View Selected Key and Delete Selected Key buttons only appear when SSH keys are installed.

SSL certificate administration
The iLO 2 firmware enables you to create a certificate signing request (CSR) with custom subject information or default settings, import a certificate, and view certificate administration information associated with a stored certificate. Certificate information is encoded in the certificate by the CA and is extracted by iLO 2.
By default, iLO 2 creates a self-signed certificate for use in SSL connections. This certificate enables iLO 2 to work without any additional configuration steps. The security features of the iLO 2 can be enhanced by importing a trusted certificate. For more information on certificates and certificate services, see "Introduction to certificate services" (page 132) and "Installing certificate services" (page 132).
To access certificate information, click Administration > Security > SSL Certificate. The SSL Certificate tab displays the following information:
• The Issued To field lists the entity to which the certificate was issued.
• The Issued By field lists the CA that issued the certificate.
• The Valid From field lists the first date that the certificate is valid.
• The Valid Until field lists the date that the certificate will expire.
• The Serial Number field lists the serial number assigned to the certificate by the CA.
• The Domain Name button to choose between the fully qualified domain name and the short name as CSR Common Name (CN).
• The SSL Key Length button to choose between 2048 or 1024 bit private key length for CSR.
• The Customized CSR radio button to choose between CSR with custom or default subject fields.
• The Country field for configuring the CSR subject country name.
• The State or Province field for configuring the CSR subject state name.
• The Organization Name field for configuring the CSR subject organization name.
• The Organization Unit field for configuring the CSR subject organization unit name.
• The City or Locality field for configuring the CSR subject city or locality name.
• The Common Name field for configuring the CSR subject common name.
The following options are available on the SSL Certificate tab:
• Apply Button – When you click the Apply button, custom CSR data is validated and stored in iLO 2. During the certificate generation request, the stored CSR settings are used by iLO 2.
• Create Certificate Request – Use this button to create a certificate request. When you click this button, a CR is created (in PKCS #10 format) that can be sent to a CA. This certificate request is Base64-encoded. A CA processes this request and returns a response (X.509 certificate) that can be imported into iLO 2.
  The CR contains a public/private key pair that validates communications between the client browser and iLO 2. The generated CR is held in memory until a new CR is generated, iLO 2 is reset, or a certificate is imported by the generation process. You can generate the CR and copy it to the client clipboard, leave the iLO 2 website to retrieve the certificate, and then return to import the certificate.
  When submitting the request to the CA, be sure to perform the following tasks:
  1. Use the iLO 2 name as listed on the System Status screen as the URL for the server.
  2. Request that the certificate is generated in the RAW format.
  3. Include the Begin and End certificate lines.
  Every time you click Create Certificate Request, a new certificate request is generated, even though the iLO 2 name is the same. Generally SSL key pairs are pre-generated. The CSR is generated immediately on clicking the Create Certificate Request button. However, the certificate request generation button is grayed out while the key generation is in progress. In this scenario, you can close all active Remote Console sessions and try again later (around 2 minutes for a 1024-bit key, and 10 minutes for a 2048-bit key).
• Import Certificate – Use this button when you are returning to the Certificate Administration page with a certificate to import. Click Import Certificate to go directly to the Certificate Import screen without generating a new CR. A certificate only works with the keys generated for the original CR from which the certificate was generated. If iLO 2 has been reset, or another CR was generated since the original CR was submitted to a CA, then a new CR must be generated and submitted to the CA.
You can customize and create a CR or import an existing certificate using RIBCL XML commands. These commands enable you to script and automate certificate deployment on iLO 2 servers instead of manually deploying certificates through the browser interface. For more information, see HP Integrated Lights-Out Management Processor Scripting and Command Line Resource Guide at http://h20000.www2.hp.com/bizsupport/TechSupport/DocumentIndex.jsp?contentType=SupportManual&lang=en&cc=us&docIndexId=64179&taskId=135&prodTypeId=18964&prodSeriesId=1146658.
Two-factor authentication
Access to iLO 2 requires user authentication. This firmware release provides an enhanced authentication scheme for iLO 2 using two factors of authentication: a password or PIN, and a private key for a digital certificate. Using two-factor authentication requires that you verify your identity by providing both factors. You can store your digital certificates and private keys wherever you choose, for example, on a smart card, USB token, or hard drive.
The Two-Factor Authentication tab enables you to configure security settings and review, import, or delete a trusted CA certificate. The Two-Factor Authentication Enforcement setting controls whether two-factor authentication is used for user authentication during login. To require two-factor authentication, click Enabled. To turn off the two-factor authentication requirement and allow login with user name and password only, click Disabled. You cannot change the setting to Enabled if a trusted CA certificate is not configured. To provide the necessary security, the following configuration changes are made when two-factor authentication is enabled:
• Telnet Access: Disabled
• Secure Shell (SSH) Access: Disabled
• Serial Command Line Interface Status: Disabled
If Telnet, SSH, or Serial CLI access is required, re-enable these settings after two-factor authentication is enabled. However, because these access methods do not provide a means of two-factor authentication, only a single factor is required to access iLO 2 with Telnet, SSH, or Serial CLI.
When two-factor authentication is enabled, access by the CPQLOCFG utility is disabled because CPQLOCFG does not meet all authentication requirements. However, the HPONCFG utility works because administrator privileges on the host system are required to execute the utility.
A trusted CA certificate is required for two-factor authentication to function. You cannot change the Two-Factor Authentication Enforcement setting to Enabled if a trusted CA certificate is not configured. Also, you must map a client certificate to a local user account if local user accounts are used. If iLO 2 is using directory authentication, client certificate mapping to local user accounts is optional.
To change two-factor authentication security settings for iLO 2:
1. Log in to iLO 2 with an account that has the Configure iLO 2 Settings privilege.
2. Click Administration > Security > Two-Factor Authentication.
3. Change the settings by entering your selections in the fields.
4. To save the changes, click Apply.
The Certificate Revocation Checking setting controls whether iLO 2 uses the certificate CRL distribution points attribute to download the latest CRL and verify revocation of the client certificate. If the client certificate is contained in the CRL, or if you cannot download the CRL, access is denied. The CRL distribution point must be available and accessible to iLO 2 when Certificate Revocation Checking is set to Yes.
The Certificate Owner Field setting specifies which attribute of the client certificate to use when authenticating with the directory. Only use the Certificate Owner Field setting if directory authentication is enabled. Configuration of the Certificate Owner Field depends on the version of directory support used, the directory configuration, and the certificate issuance policy of your organization. If SAN is specified, iLO 2 extracts the User Principal Name from the Subject Alternative Name attribute and then uses the User Principal Name when authenticating with the directory (for example, [email protected]). For example, if the subject name is /DC=com/DC=domain/OU=organization/CN=user, iLO 2 will derive CN=user,OU=organization,DC=domain,DC=com.

Setting up two-factor authentication for the first time
When setting up two-factor authentication for the first time, you can use either local user accounts or directory user accounts. For more information on two-factor authentication settings, see "Two-factor authentication" (page 45).

Setting up local user accounts
1. Obtain the public certificate from the CA that issues user certificates or smart cards in your organization.
2. Export the certificate in Base64-encoded format to a file on your desktop (for example, CAcert.txt).
3. Obtain the public certificate of the user who needs access to iLO 2.
4. Export the certificate in Base64-encoded format to a file on your desktop (for example, Usercert.txt).
5. Open the file CAcert.txt in Notepad, select all of the text, and copy it by pressing the Ctrl+C keys.
6. Log in to iLO 2, and browse to the Two-Factor Authentication Settings page.
7. Click Import Trusted CA Certificate. The Import Root CA Certificate page appears.
8. Click inside the white text area so that your cursor is in the text area, and paste the contents of the clipboard by pressing the Ctrl+V keys.
9. Click Import Root CA Certificate. The Two-Factor Authentication Settings page appears again with information displayed under Trusted CA Certificate Information.
10. From your desktop, open the file for the user certificate in Notepad, select all the text, and copy the text to the clipboard by pressing the Ctrl+C keys.
11. Browse to the User Administration page on iLO 2, and select the user for which you have obtained a public certificate or create a new user.
12. Click View/Modify.
13. Click Add a certificate.
14. Click inside the white text area so that your cursor is in the text area, and paste the contents of the clipboard by pressing the Ctrl+V keys.
15. Click Add User Certificate. The Modify User page appears again with a 40-digit number in the Thumbprint field. You can compare the number to the thumbprint displayed for the certificate by using Microsoft Certificate Viewer.
16. Browse to the Two-Factor Authentication Settings page.
17. Select Enabled for the Two-Factor Authentication option.
18. Select Disabled for the Certificate Revocation Checking option. This value is the default.
19. Click Apply to reset iLO 2. When iLO 2 attempts to go to the login page again, the browser displays the Client Authentication page with a list of certificates that are available to the system.
    If the user certificate is not registered on the client machine, you will not see it in the list. The user certificate must be registered on the client system before you can use it. If there are no client certificates on the client system you might not see the Client Authentication page and instead see a Page cannot be displayed error. To resolve the error, the client certificate must be registered on the client machine. For more information on exporting and registering client certificates, see the documentation for your smart card or contact your certificate authority.
20. Select the certificate that was added to the user in iLO 2. Click OK.
21. If prompted to do so, insert your smart card, or enter your PIN or password.
After completing the authentication process, you have access to iLO 2.

Setting up directory user accounts
1. Obtain the public certificate from the CA that issues user certificates or smart cards in your organization.
2. Export the certificate in Base64-encoded format to a file on your desktop (for example, CAcert.txt).
3. Open the file in Notepad, select all the text, and copy the contents to the clipboard by pressing the Ctrl+C keys.
4. Log in to iLO 2, and browse to the Two-Factor Authentication Settings page.
5. Click Import Trusted CA Certificate. Another page appears.
6. Click inside the white text area so that your cursor is in the text area, and paste the contents of the clipboard by pressing the Ctrl+V keys.
7. Click Import Root CA Certificate. The Two-Factor Authentication Settings page appears again with information displayed under Trusted CA Certificate Information.
8. Change Enforce Two-Factor Authentication to Yes.
9. Change Certificate Revocation Checking to No (default).
10. Change Certificate Owner Field to SAN. For more information, see "Two-factor authentication" (page 45).
11. Click Apply. iLO 2 is reset. When iLO 2 attempts to go to the login page again, the browser displays the Client Authentication page with a list of certificates that are available to the system.
12. Select the certificate added to the user in iLO 2. Click OK.
13. If prompted to do so, insert your smart card, or enter your PIN or password. The login page appears with the e-mail address for the user in the Directory User field. You cannot change the Directory User field.
14. Enter the password for the directory user. Click Login.
After completing the authentication process, you have access to iLO 2. For more information on configuring directory users and privileges, see "Directory settings" (page 50).

Setting up a user for two-factor authentication
To authenticate a user with a local iLO 2 account, a certificate must be associated with the user's local user name. On the Administration > Modify User page, if a certificate has been mapped to the user, a thumbprint (an SHA1 hash of the certificate) appears with a button that removes the certificate. If a certificate has not been mapped to the user, the following message displays, as well as a button that starts the certificate import process:
Thumbprint: A certificate has NOT been mapped to this user
To set up a user for two-factor authentication and add a user certificate:
1. Log in to iLO 2 using an account that has the Configure iLO 2 Settings privilege.
2. Click Administration > User Administration. Select a user.
3. Click View/Modify.
4. Under the User Certificate Information section, click Add a certificate.
5. On the Map User Certificate page, paste the user certificate into the text-box, and click Import Certificate. For more information on creating, copying, and pasting certificate information, see "Setting up two-factor authentication for the first time" (page 46).

Two-factor authentication login
When you connect to iLO 2 and two-factor authentication is required, the Client Authentication page prompts you to select the certificate you want to use. The Client Authentication page displays all of the certificates available to authenticate a client. Select your certificate. The certificate can be a certificate mapped to a local user in iLO 2, or a user specific certificate issued for authenticating to the domain.
After you have selected a certificate, if the certificate is protected with a password, or if the certificate is stored on a smart card, a second page appears prompting you to enter the PIN or password associated with the chosen certificate.
The certificate is examined by iLO 2 to ensure it was issued by a trusted CA by checking the signature against the CA certificate configured in iLO 2. iLO 2 determines if the certificate has been revoked and if it maps to a user in the iLO 2 local user database. If all of these tests pass, then the normal iLO 2 user interface appears.
If your credential authentication fails, the Login Failed page appears. If login fails, you are instructed to close the browser, open a new browser page, and then try connecting again. If directory authentication is enabled, and local user authentication fails, iLO 2 displays a login page with the directory user name field populated with either the User Principal Name from the certificate or the Distinguished Name (derived from the subject of the certificate). iLO 2 requests the password for the account. After providing the password, you are authenticated.

Using two-factor authentication with directory authentication
In some cases, configuring two-factor authentication with directory authentication is complicated. iLO 2 can use HP Extended schema or Default Directory schema to integrate with directory services. To ensure security when two-factor authentication is enforced, iLO 2 uses an attribute from the client certificate as the directory user's login name. Which client certificate attribute iLO 2 uses is determined by the Certificate Owner Field configuration setting on the Two-Factor Authentication Settings page. If Certificate Owner Field is set to SAN, iLO 2 obtains the directory user's login name from the UPN attribute of the SAN. If the Certificate Owner Field setting is set to Subject, iLO 2 obtains the directory user's distinguished name from the subject of the certificate.
Which Certificate Owner Field setting to choose depends on the directory integration method used, the directory architecture, and what information is contained in the user certificates that are issued. The following examples assume you have the appropriate permissions.
Authentication using Default Directory Schema, part 1: The distinguished name for a user in the directory is CN=John Doe,OU=IT,DC=MyCompany,DC=com, and the following are the attributes of John Doe's certificate:
• Subject: DC=com/DC=MyCompany/OU=IT/CN=John Doe
• SAN/UPN: john.doe@MyCompany.com
Authenticating to iLO 2 with username john.doe@MyCompany.com works when two-factor authentication is not enforced. After two-factor authentication is enforced, if SAN is selected on the Two-Factor Authentication Settings page, the login page automatically populates the Directory User field with john.doe@MyCompany.com. The password can be entered, but the user is not authenticated. The user is not authenticated because john.doe@MyCompany.com, which was obtained from the certificate, is not the distinguished name for the user in the directory. In this case, you must select Subject on the Two-Factor Authentication Settings page. The Directory User field on the login page is then populated with the user's actual distinguished name, as follows:
CN=John Doe,OU=IT,DC=MyCompany,DC=com
If the correct password is entered, the user is authenticated.
Authentication using Default Directory Schema, part 2: The distinguished name for a user in the directory is CN=john.doe@MyCompany.com,OU=IT,DC=MyCompany,DC=com, and the following are the attributes of John Doe's certificate:
• Subject: DC=com/DC=MyCompany/OU=Employees/CN=John Doe/[email protected]
• SAN/UPN: john.doe@MyCompany.com
• Search context on the Directory Settings page is set to: OU=IT,DC=MyCompany,DC=com
In this example, if SAN is selected on the Two-Factor Authentication Settings page, the Directory User field on the login page is populated with john.doe@MyCompany.com. After the correct password is entered, the user is authenticated. The user is authenticated even though john.doe@MyCompany.com is not the distinguished name for the user. The user is authenticated because iLO 2 attempts to authenticate using the search context fields (CN=john.doe@MyCompany.com,OU=IT,DC=MyCompany,DC=com) configured on the Directory Settings page. Because this is the correct distinguished name for the user, iLO 2 successfully finds the user in the directory.
NOTE: Selecting Subject on the Two-Factor Authentication Settings page causes authentication to fail, because the subject of the certificate is not the distinguished name for the user in the directory.
When authenticating using the HP Extended Schema method, HP recommends selecting the SAN option on the Two-factor Authentication Settings page.
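As an added example (not HP code) of the Certificate Owner Field logic behind part 1 and part 2 above, the following Python models how the SAN and Subject settings derive the Directory User value and why each part needs a different setting; the in-memory directory, the slash-to-DN reversal and the CN=<login>,<search context> combination rule are assumptions reconstructed from the manual's examples, not a description of iLO 2 internals.

```python
"""Model of Certificate Owner Field (SAN vs Subject) and schema-free search
context resolution. Added example, not HP code; the directory contents and the
CN=<login>,<context> rule are assumptions taken from the manual's examples."""
from typing import Dict, List, Optional


def subject_to_dn(openssl_subject: str) -> str:
    """Convert a slash-separated subject to an RFC 4514 DN.

    '/DC=com/DC=domain/OU=organization/CN=user' becomes
    'CN=user,OU=organization,DC=domain,DC=com': same RDNs, most specific
    first, which is the derivation the manual shows for the Subject setting.
    """
    rdns = [part.strip() for part in openssl_subject.split("/") if part.strip()]
    return ",".join(reversed(rdns))


def directory_login_name(owner_field: str, subject: str, san_upn: Optional[str]) -> str:
    """Value iLO 2 would place in the (read-only) Directory User field."""
    if owner_field == "SAN":
        if not san_upn:
            raise ValueError("certificate carries no UPN in its Subject Alternative Name")
        return san_upn
    if owner_field == "Subject":
        return subject_to_dn(subject)
    raise ValueError(f"unknown Certificate Owner Field setting: {owner_field!r}")


def _normalize_dn(dn: str) -> str:
    # DNs compare case-insensitively, and 'OU=IT, DC=MyCompany' must equal
    # 'OU=IT,DC=MyCompany', so strip whitespace around each RDN and lowercase.
    return ",".join(rdn.strip() for rdn in dn.split(",")).lower()


def resolve_directory_user(login_name: str, search_contexts: List[str],
                           directory: Dict[str, str]) -> Optional[str]:
    """Return the directory DN a login name resolves to, or None.

    `directory` maps DN -> password (constructed stand-in for an LDAP server).
    A name that already looks like a DN is bound as-is; a bare UPN is tried as
    CN=<upn> under each configured search context, in order (assumed rule).
    """
    known = {_normalize_dn(dn): dn for dn in directory}
    if "=" in login_name:
        candidates = [login_name]
    else:
        candidates = [f"CN={login_name},{ctx}" for ctx in search_contexts]
    for cand in candidates:
        hit = known.get(_normalize_dn(cand))
        if hit is not None:
            return hit
    return None


def directory_bind(owner_field: str, subject: str, san_upn: Optional[str],
                   password: str, search_contexts: List[str],
                   directory: Dict[str, str]) -> bool:
    """Second factor after the certificate check: bind with derived name + password."""
    login = directory_login_name(owner_field, subject, san_upn)
    dn = resolve_directory_user(login, search_contexts, directory)
    return dn is not None and directory[dn] == password


if __name__ == "__main__":
    # Constructed directories mirroring part 1 and part 2 of the manual's examples.
    part1_dir = {"CN=John Doe,OU=IT,DC=MyCompany,DC=com": "s3cret"}
    part1_subject = "DC=com/DC=MyCompany/OU=IT/CN=John Doe"
    part2_dir = {"CN=john.doe@MyCompany.com,OU=IT,DC=MyCompany,DC=com": "s3cret"}
    part2_subject = "DC=com/DC=MyCompany/OU=Employees/CN=John Doe"
    part2_ctx = ["OU=IT,DC=MyCompany,DC=com"]
    upn = "john.doe@MyCompany.com"
    for label, subj, ctx, d in (("part 1", part1_subject, [], part1_dir),
                                ("part 2", part2_subject, part2_ctx, part2_dir)):
        for field in ("SAN", "Subject"):
            ok = directory_bind(field, subj, upn, "s3cret", ctx, d)
            print(f"{label}: Certificate Owner Field={field:<7} -> "
                  f"{'authenticated' if ok else 'login fails'}")
```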
Directory settings
iLO 2 connects to Microsoft Active Directory, Novell eDirectory, and other LDAP 3.0-compliant directory services for user authentication and authorization. You can configure iLO 2 to authenticate and authorize users using the HP schema directory integration or the schema-free directory integration. iLO 2 only connects to directory services using SSL-secured connections to the directory server LDAP port. The default secure LDAP port is 636. Directory services support is a licensed feature available with the purchase of optional licenses. For more information, see "Licensing" (page 26) and "Directory services" (page 130).
Locally-stored user accounts (found on the User Administration page) can be active while iLO 2 directory support is enabled. This support enables both local- and directory-based user access. Typically, an administrator can delete local user accounts (except required accounts, such as an emergency access account) after iLO 2 is successfully configured to access the directory service. You can also disable access to these accounts if directory support is enabled.