HP Ilo 4 User Guide
Have a look at the manual HP Ilo 4 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 1114 HP manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
3.ProvidethefollowingdetailsintheGroupInformationsection: •GroupDN(SecurityGroupDN)—DNofagroupinthedirectory.Membersofthisgroup aregrantedtheprivilegessetforthegroup.Thespecifiedgroupmustexistinthedirectory, anduserswhoneedaccesstoiLOmustbemembersofthisgroup.EnteraDNfromthe directory(forexample,CN=Group1,OU=ManagedGroups,DC=domain,DC=extension). ShortenedDNsarealsosupported(forexample,Group1).TheshortenedDNisnota uniquematch.HPrecommendsusingthefully-qualifiedDN. •GroupSID(SecurityID)—MicrosoftSecurityIDisusedforKerberosandLDAPgroup authorization.ThisisrequiredforKerberos.TheformatisS-1-5-2039349. 4.Selectfromthefollowingprivilegeswhenyouaddoreditagroupaccount: •LoginPrivilege •RemoteConsoleAccess •VirtualMedia •VirtualPowerandReset •ConfigureiLOSettings •AdministerUserAccounts Formoreinformationabouteachprivilege,see“Viewingdirectorygroups”(page47). 5.Dooneofthefollowing: •ClickAddGrouptosavethenewdirectorygroup. •ClickUpdateGrouptosavethedirectorygroupchanges. ManagingiLOusersbyusingtheiLOwebinterface51
Deletingauseraccountoradirectorygroup Theprivilegerequiredforthisproceduredependsontheuseraccounttype. •Todeletealocaluseraccount,theAdministerUserAccountsprivilegeisrequired. •Todeleteadirectorygroup,theConfigureiLOSettingsprivilegeisrequired. Todeleteanexistinguseraccountordirectorygroup: 1.NavigatetotheAdministration→UserAdministrationpage. 2.Selectthecheckboxnexttotheuserorgroupthatyouwanttodelete. 3.ClickDelete. Apop-upwindowopenswithoneofthefollowingmessages: •Localuser:Are you sure you want to delete the selected user(s)? Warning: Always leave at least one administrator. •Directorygroup:Are you sure you want to delete the selected group(s)? 4.ClickOK. ConfiguringiLOFederation iLOusesmulticastdiscovery,peer-to-peercommunication,andiLOFederationgroupsto communicatewithotheriLOsystems. WhendataisloadedonaniLOFederationpageintheiLOwebinterface,arequestfordatais sentfromtheiLOsystemrunningthewebinterfacetoitspeers,andfromthosepeerstootherpeers untilallofthedatafortheselectediLOFederationgroupisretrieved. iLOFederationnetworkrequirements WhenyouuseiLOFederation,notethefollowingnetworkrequirements: •TheiLOFederationfeaturesarenotsupportedbytheiLOSharedNetworkPortconfiguration. •iLOFederationsupportsbothIPv4andIPv6. ToforceaniLOsystemtouseIPv4insteadofIPv6,cleartheiLOClientApplicationsuseIPv6 firstcheckboxontheNetwork→iLODedicatedNetworkPort→IPv6page. •YoucanmanageiLOsystemsinmultiplelocationsifthenetworkisconfiguredtoforward multicasttraffic. •Iftheswitchesinyournetworkincludetheoptiontoenableordisablemulticasttraffic,ensure thatmulticasttrafficisenabled.ThisisrequiredforiLOFederationandotherHPproductsto discovertheiLOsystemsonthenetwork. •ForiLOsystemsthatareseparatedbyLayer3switches,configuretheswitchestoforward SSDPmulticasttrafficbetweennetworks. •YoumustconfigureUDPport1900asafirewallexceptiontoallowiLOFederationmulticast traffic. •IfyouwanttouseserverbladesinanenclosurewithiLOFederation,youmustconfigure EnclosureiLOFederationSupportintheOnboardAdministratorwebinterface.Thisfeature issupportedinOnboardAdministrator4.11orlater.Formoreinformation,seetheHPiLO FederationUserGuide. •FornetworkswithmultipleVLANs,configuretheswitchestoallowmulticasttrafficbetween theVLANs. ◦ForIPv4networks:EnablePIMontheswitchandconfigureitforPIMDenseMode. ◦ForIPv6networks:ConfiguretheswitchforMLDsnooping. 52ConfiguringiLO
Configuringthemulticastoptions YoumustconfigurethemulticastoptionsforeachiLOsystemthatwillbeaddedtoaniLOFederation group. UsethefollowingproceduretoconfiguremulticastoptionsforoneiLOsystematatime.Touse RIBCLscriptstoviewandconfiguremulticastoptionsformultipleiLOsystems,seetheHPiLO4 ScriptingandCommandLineGuide. YoumusthavetheConfigureiLOSettingsprivilegetoconfigurethemulticastoptions. 1.NavigatetotheAdministration→iLOFederationpage. 2.ForiLOFederationManagement,selectEnabledorDisabled. ThedefaultsettingisEnabled.SelectingDisableddisablestheiLOFederationfeaturesforthe localiLOsystem. 3.ForMulticastDiscovery,selectEnabledorDisabled. SelectingDisableddisablestheiLOFederationfeaturesforthelocaliLOsystem. 4.EnteravalueforMulticastAnnouncementInterval(seconds/minutes). ThisvaluesetsthefrequencyatwhichtheiLOsystemannouncesitselfonthenetwork.Each multicastannouncementisapproximately300bytes.Selectavalueof30secondsto30 minutes.Thedefaultvalueis10minutes. Networkchangesandchangesyoumakeonthispagetakeeffectafterthenextmulticast announcement. SelectingDisableddisablestheiLOFederationfeaturesforthelocaliLOsystem. 5.SelectavalueforIPv6MulticastScope. ValidvaluesareLink,Site,andOrganization. ConfiguringiLOFederation53
6.EnteravalueforMulticastTimeToLive(TTL). Thisvaluespecifiesthenumberofswitchesthatcanbetraversedbeforemulticastdiscovery isstopped.Thedefaultvalueis5. 7.ClickApplytosavethesettings. IMPORTANT:Toensurethatmulticastdiscoveryworkscorrectly,makesurethatalliLOsystems inthesamegroupusethesamevaluesforMulticastTimetoLive(TTL)andIPv6MulticastScope. UnderstandingiLOFederationgroups •iLOFederationgroupsallowiLOsystemstoencryptandsignmessagestootheriLOsystems inthesamegroup. •AlliLOsystemsareautomaticallyaddedtotheDEFAULTgroup,whichisgrantedtheLogin privilegeforeachgroupmember.YoucaneditordeletetheDEFAULTgroupmembership. •iLOFederationgroupscanoverlap,spanracksanddatacenters,andgroupserversofthe sametype. •AniLOsystemcanbeamemberofupto10iLOFederationgroups. •ThereisnolimitonthenumberofiLOsystemsthatcanbeinagroup. •YoumusthavetheConfigureiLOSettingsprivilegetoconfiguregroupmemberships. •YoucanusetheiLOwebinterfacetoconfiguregroupmembershipsforalocaliLOsystemor agroupofiLOsystems: ◦ToconfiguregroupmembershipsforalocaliLOsystem,see“ManagingiLOFederation groupmembershipsforthelocaliLOsystem”(page55). ◦ToconfiguregroupmembershipsforagroupofiLOsystems,see“Configuringgroup membershipsforaniLOFederationgroup”(page200). •YoucanuseRIBCLXMLscriptstoviewandconfiguregroupmemberships.Formoreinformation, seetheHPiLO4ScriptingandCommandLineGuide. •iLOsystemsinthesameiLOFederationgroupmustusethesameversionoftheiLO4firmware. •Whenyouconfiguregroupmemberships,youmustspecifytheprivilegesthatmembersofa grouphaveforconfiguringthelocalmanagedserverortheothermembersofthegroup. Forexample,ifyouaddthelocaliLOsystemtogroup1andassigntheVirtualPowerand Resetprivilege,theusersofotheriLOsystemsingroup1canusetheGroupPowerfeaturesto changethepowerstateofthemanagedserver. IfthelocaliLOsystemdoesnotgranttheVirtualPowerandResetprivilegetogroup1,the usersofotheriLOsystemsingroup1cannotusetheGroupPowerfeaturestochangethe powerstateofthemanagedserver. IfthesystemmaintenanceswitchissettodisableiLOsecurityonthemanagedserver,the usersofotheriLOsystemsingroup1canuseanyiLOFederationfeaturetochangethestate ofthemanagedserver,regardlessoftheassignedgroupprivileges. ViewingiLOFederationgroupmemberships UsetheiLOwebinterfacetoviewthegroupmembershipsofalocaliLOsystem. YoucanalsouseRIBCLscriptstoviewinformationaboutgroups.Formoreinformation,seethe HPiLO4ScriptingandCommandLineGuide. ToviewthegroupmembershipsofalocaliLOsystem,navigatetotheAdministration→iLO Federationpage. 54ConfiguringiLO
TheGroupMembershipforthisiLOtableliststhenameofeachgroupthatincludesthelocaliLO system,andtheprivilegesgrantedtothegroupbythelocaliLOsystem.Theavailableprivileges follow: •LoginPrivilege—EnablesmembersofagrouptologintoiLO. •RemoteConsoleAccess—Enablesmembersofagrouptoremotelyaccessthehostsystem RemoteConsole,includingvideo,keyboard,andmousecontrol. •VirtualMedia—EnablesmembersofagrouptousescriptedVirtualMediawiththelocal iLOsystem. •VirtualPowerandReset—Enablesmembersofagrouptopower-cycleorresetthelocaliLO system. •ConfigureiLOSettings—EnablesmembersofagrouptoconfiguremostiLOsettings,including securitysettings,andtoremotelyupdatefirmware. •AdministerUserAccounts—Enablesmembersofagrouptoadd,edit,anddeleteiLOuser accounts. ManagingiLOFederationgroupmembershipsforthelocaliLOsystem YoucanconfiguregroupmembershipsforthelocaliLOsystem,oryoucanconfigurethemforall ofthemembersofaselectediLOFederationgroup.Thistopicdescribestheprocedureforworking withindividualiLOsystems.ForinformationaboutmanagingthegroupmembershipsofiLO Federationgroups,see“ConfiguringgroupmembershipsforaniLOFederationgroup”(page200). FormoreinformationaboutiLOFederationgroups,see“UnderstandingiLOFederationgroups” (page54). ToconfiguregroupmembershipsforthelocaliLOsystem: 1.NavigatetotheAdministration→iLOFederationpage. 2.Dooneofthefollowing: •ClickJoinGrouptoaddanewgroupmembership. •Selectagroupmembership,andthenclickEdit. 3.Enterthefollowinginformation: •GroupName—Thegroupname,whichcanbe1to31characterslong. •GroupKey—Thegrouppassword,whichcanbe3to39characterslong. •GroupKeyConfirm—Confirmthegrouppassword. Ifyouenterthenameandkeyforanexistinggroup,thelocaliLOsystemisaddedtothat group.Ifyouenterthenameandkeyforagroupthatdoesnotexist,thegroupiscreated andthelocaliLOsystemisaddedtothenewgroup. 4.Selectfromthefollowingpermissionswhenyouaddoreditagroupmembership: •AdministerUserAccounts •RemoteConsoleAccess •VirtualPowerandReset •VirtualMedia •ConfigureiLOSettings •LoginPrivilege ThepermissionsgrantedtothegroupbythelocaliLOsystemcontrolthetasksthatusersof otheriLOsystemsinthegroupcanperformonthemanagedserver. Foradescriptionofthesepermissions,see“ViewingiLOFederationgroupmemberships” (page54). ConfiguringiLOFederation55
5.ClickJoinGrouporUpdateGrouptosavethesettings. RemovinganiLOsystemfromaniLOFederationgroup UsethefollowingproceduretoremovethelocaliLOsystemfromaniLOFederationgroup. TouseRIBCLscriptstoremovegroupmemberships,seetheHPiLO4ScriptingandCommandLine Guide. 1.NavigatetotheAdministration→iLOFederationpage. 2.Selectthecheckboxnexttothegroupmembershipthatyouwanttodelete. 3.ClickDelete. Thefollowingmessageappears: Are you sure you want to delete the selected group(s)? 4.ClickOK. ConfiguringenclosuresupportforiLOFederation IfyouwanttousetheiLOFederationfeatureswithserverbladesinanenclosure,theEnclosure iLOFederationSupportsettingmustbeenabledintheOnboardAdministratorsoftware.Thissetting isrequiredtoallowpeer-to-peercommunicationbetweentheserverbladesinanenclosure.Enclosure iLOFederationSupportisenabledbydefault.OnboardAdministrator4.11orlaterisrequiredto usethisfeature. UsingOnboardAdministratortoconfigureEnclosureiLOFederationSupport UsethefollowingproceduretoconfigureanenclosureforiLOFederationsupport: 1.LogintotheOnboardAdministratorwebinterface(https://). 2.NavigatetotheEnclosureInformation→NetworkAccesspage,andthenclicktheProtocols tab. 3.SelecttheEnableEnclosureiLOFederationSupportcheckbox,andthenclickApply. 56ConfiguringiLO
TIP:YoucanalsousetheCLItoenableordisableEnclosureiLOFederationSupport.Toenable thesetting,enterENABLE ENCLOSURE_ILO_FEDERATION_SUPPORT.Todisablethesetting, enterDISABLE ENCLOSURE_ILO_FEDERATION_SUPPORT.Forinformationaboutusingthe OnboardAdministratorCLI,seetheHPBladeSystemOnboardAdministratorCommandLine InterfaceUserGuideatthefollowingwebsite:http://www.hp.com/go/oa. VerifyingserverbladesupportforiLOFederation UsethefollowingproceduretoverifythataserverbladeisconfiguredforiLOFederationsupport: 1.LogintotheOnboardAdministratorwebinterface(https://). 2.NavigatetotheDeviceBays→→iLOpage. 3.VerifythatiLOFederationCapableissettoYes. ConfiguringiLOaccesssettings YoucanmodifyiLOaccesssettings,includingservice,IPMI/DCMI,andaccessoptions.Thevalues youenterontheAccessSettingspageapplytoalliLOusers.YoumusthavetheConfigureiLO Settingsprivilegetomodifyaccesssettings. Thedefaultconfigurationissuitableformostoperatingenvironments.Thevaluesyoucanmodify ontheAccessSettingspageallowcompletecustomizationoftheiLOexternalaccessmethodsfor specializedenvironments. ConfiguringiLOaccesssettings57
Configuringservicesettings TheServicesectionontheAccessSettingspageshowstheSecureShell(SSH)AccessandSNMP AccesssettingsandtheTCP/IPportvalues. TheTCP/IPportsusedbyiLOareconfigurable,whichenablescompliancewithsiterequirements andsecurityinitiativesforportsettings.Thesesettingsdonotaffectthehostsystem. Changingthesesettingsusuallyrequiresconfigurationofthewebbrowserusedforstandardand SSLcommunication.Whenthesesettingsarechanged,iLOinitiatesaresettoactivatethechanges. ToconfigureServicesettings: 1.NavigatetotheAdministration→AccessSettingspage 2.Updatethefollowingsettingsasneeded: •SecureShell(SSH)Access—AllowsyoutoenableordisabletheSSHfeature. SSHprovidesencryptedaccesstotheiLOCLP.ThedefaultvalueisEnabled. •SecureShell(SSH)Port—Thedefaultvalueis22. •RemoteConsolePort—Thedefaultvalueis17990. •WebServerNon-SSLPort(HTTP)—Thedefaultvalueis80. •WebServerSSLPort(HTTPS)—Thedefaultvalueis443. •VirtualMediaPort—Thedefaultvalueis17988. •SNMPAccess—SpecifieswhetheriLOshouldrespondtoexternalSNMPrequests.The defaultvalueisEnabled. IfyousetSNMPAccesstoDisabled,iLOcontinuestooperate,andtheinformation displayedintheiLOwebinterfaceisupdated,butnoalertsaregeneratedandSNMP accessisnotpermitted.WhenSNMPAccessissettoDisabled,mostoftheboxesonthe Administration→Management→SNMPSettingspageareunavailableandwillnotaccept input. 58ConfiguringiLO
•SNMPPort—Theindustry-standard(default)SNMPportis161forSNMPaccess. IfyoucustomizetheSNMPPortvalue,someSNMPclientsmightnotworkcorrectlywith iLOunlessthoseclientssupporttheuseofanonstandardSNMPport. •SNMPTrapPort—Theindustry-standard(default)SNMPtrapportis162forSNMPalerts (ortraps). IfyoucustomizetheSNMPTrapPortvalue,someSNMPmonitoringapplications(such asHPSIM)mightnotworkcorrectlywithiLOunlessthoseapplicationssupporttheuse ofanonstandardSNMPtrapport. 3.ClickApplytoendyourbrowserconnectionandrestartiLO. Itmighttakeseveralminutesbeforeyoucanre-establishaconnection. ConfiguringIPMI/DCMIsettings iLOenablesyoutosendindustry-standardIPMIandDCMIcommandsovertheLAN.TheIPMI/DCMI portissetto623andisnotconfigurable. ToenableordisableIPMI/DCMI,selectorcleartheEnableIPMI/DCMIoverLANonPort623 checkbox,andthenclickApply. •Enabled(default)—EnablesyoutosendIPMI/DCMIcommandsovertheLANbyusinga client-sideapplication. •Disabled—DisablesIPMI/DCMIovertheLAN.Server-sideIPMI/DCMIapplicationsarestill functionalwhenIPMI/DCMIoverLANisdisabled. Configuringaccessoptions TheAccessOptionssectionenablesyoutomodifysettingsthataffectalliLOusers. NOTE:YoucanconfiguresomeofthesesettingsbyusingiLORBSUortheiLOConfiguration Utility.Forinstructions,see“UsingtheiLORBSU”(page134)and“UsingtheUEFISystemUtilities iLO4ConfigurationUtility”(page138). ToviewormodifyiLOaccessoptions: 1.NavigatetotheAdministration→AccessSettingspage. 2.ClicktheAccessSettingstabandscrolltotheAccessOptionssectionoftheAccessSettings page. ConfiguringiLOaccesssettings59
3.Updatethefollowingsettingsasneeded: •IdleConnectionTimeout(minutes)—Specifieshowlongausercanbeinactivebeforethe iLOwebinterfaceandRemoteConsolesessionendautomatically.Thefollowingsettings arevalid: ◦15,30,60,or120minutes—Thedefaultvalueis30minutes. ◦Infinite—Inactiveusersarenotloggedout. FailuretologoutofiLObyeitherbrowsingtoadifferentsiteorclosingthebrowseralso resultsinanidleconnection.TheiLOfirmwaresupportsafinitenumberofiLOconnections. MisuseoftheInfinitetimeoutoptionmightmakeiLOinaccessibletootherusers.Idle connectionsarerecycledaftertheytimeout. Thissettingappliestolocalanddirectoryusers.Directoryservertimeoutsmightpreempt theiLOsetting. Changestothesettingmightnottakeeffectimmediatelyincurrentusersessions,butwill beenforcedimmediatelyinallnewsessions. •iLOFunctionality—SpecifieswhetheriLOfunctionalityisavailable.Thefollowingsettings arevalid: ◦Enabled(default)—TheiLOnetworkisavailableandcommunicationswithoperating systemdriversareactive. ◦Disabled—TheiLOnetworkandcommunicationswithoperatingsystemdriversare terminatedwheniLOFunctionalityisdisabled. Tore-enableiLOfunctionality,disableiLOsecuritywiththesystemmaintenance switch,andthenusetheiLORBSUortheiLO4ConfigurationUtility(intheUEFI SystemUtilities)tosetiLOFunctionalitytoEnabled.Formoreinformationaboutusing thesystemmaintenanceswitch,seetheMaintenanceandServiceGuideforyour servermodel. iLOfunctionalitycannotbedisabledonserverblades. •iLOROM-BasedSetupUtilityoriLO4ConfigurationUtility—EnablesordisablestheiLO RBSUortheiLO4ConfigurationUtility.Thefollowingsettingsarevalid: ◦Enabled(default)—OnserversthatsupporttheiLORBSU,pressingF8duringPOST startstheiLORBSU.OnserversthatsupportUEFI,theiLO4ConfigurationUtilityis availablewhenyouaccesstheUEFISystemUtilities. ◦Disabled—OnserversthatsupporttheiLORBSU,pressingF8duringPOSTwillnot starttheiLORBSU.OnserversthatsupportUEFI,theiLO4ConfigurationUtilityis notavailablewhenyouaccesstheUEFISystemUtilities. •RequireLoginforiLORBSUorRequireLoginforiLO4ConfigurationUtility—Determines whetherauser-credentialpromptisdisplayedwhenauseraccessestheiLORBSUorthe iLO4ConfigurationUtility.Thefollowingsettingsarevalid: ◦Enabled—AlogindialogboxopenswhenauseraccessestheiLORBSUortheiLO 4ConfigurationUtility. ◦Disabled(default)—NologinisrequiredwhenauseraccessestheiLORBSUorthe iLO4ConfigurationUtility. 60ConfiguringiLO