HP iLO 4 User Guide
• Show iLO IP during POST—Enables the display of the iLO network IP address during host server POST. The following settings are valid:
  ◦ Enabled (default)—The iLO IP address is displayed during POST.
  ◦ Disabled—The iLO IP address is not displayed during POST.
• Serial Command Line Interface Status—Enables you to change the login model of the CLI feature through the serial port. The following settings are valid:
  ◦ Enabled-Authentication Required (default)—Enables access to the SMASH CLP command line from a terminal connected to the host serial port. Valid iLO user credentials are required.
  ◦ Enabled-No Authentication—Enables access to the SMASH CLP command line from a terminal connected to the host serial port. iLO user credentials are not required.
  ◦ Disabled—Disables access to the SMASH CLP command line from the host serial port. Use this option if you are planning to use physical serial devices.
• Serial Command Line Interface Speed—Enables you to change the speed of the serial port for the CLI feature. The following speeds (in bits per second) are valid:
  ◦ 9600 (default)
  ◦ 19200
  ◦ 38400—This value is not supported by the iLO RBSU or the iLO 4 Configuration Utility.
  ◦ 57600
  ◦ 115200
  The serial port configuration must be set to no parity, 8 data bits, and 1 stop bit (N/8/1) for correct operation.
  The serial port speed set by this option should match the serial port speed configured in the iLO RBSU or the iLO 4 Configuration Utility.
• Virtual Serial Port Log—Enables or disables logging of the Virtual Serial Port. The following settings are valid:
  ◦ Enabled—When enabled, Virtual Serial Port activity is logged to a 150-page circular buffer in the iLO memory, and can be viewed using the CLI command vsp log. The Virtual Serial Port buffer size is 128 KB.
  ◦ Disabled (default)—Virtual Serial Port activity is not logged.
  This feature is part of an iLO licensing package. For more information, see the following website: http://www.hp.com/go/ilo/licensing.
• Minimum Password Length—Specifies the minimum number of characters allowed when a user password is set or changed. The character length must be a value from 0 to 39 characters long. The default value is 8.
• Server Name—Enables you to specify the host server name. You can assign this value manually, but it might be overwritten by the host software when the operating system loads.
  ◦ You can enter a server name that is up to 49 bytes.
  ◦ To force the browser to refresh and display the new value, save this setting, and then press F5.
• Server FQDN/IP Address—Enables you to specify the server FQDN or IP address. You can assign this value manually, but it might be overwritten by the host software when the operating system loads.
  ◦ You can enter an FQDN or IP address that is up to 255 bytes.
  ◦ To force the browser to refresh and display the new value, save this setting, and then press F5.
• Authentication Failure Logging—Enables you to configure logging criteria for failed authentications. All login types are supported; each login type works independently. The following are valid settings:
  ◦ Enabled-Every Failure—A failed login log entry is recorded after every failed login attempt.
  ◦ Enabled-Every 2nd Failure—A failed login log entry is recorded after every second failed login attempt.
  ◦ Enabled-Every 3rd Failure (default)—A failed login log entry is recorded after every third failed login attempt.
  ◦ Enabled-Every 5th Failure—A failed login log entry is recorded after every fifth failed login attempt.
  ◦ Disabled—No failed login log entry is recorded.
  For information about using this setting with SSH clients, see “Logging in to iLO by using an SSH client” (page 62).
4. Click Apply to end your browser connection and restart iLO.
   It might take several minutes before you can re-establish a connection.

Logging in to iLO by using an SSH client
When a user logs in to iLO by using an SSH client, the number of login name and password prompts displayed by iLO matches the value of the Authentication Failure Logging option (3 if it is disabled). The number of prompts might also be affected by your SSH client configuration. SSH clients also implement delays after login failure.
For example, to generate an SSH authentication failure log with the default value (Enabled-Every 3rd Failure), assuming that the SSH client is configured with the number of password prompts set to 3, three consecutive login failures occur as follows:
1. Run the SSH client and log in with an incorrect login name and password.
   You receive three password prompts. After the third incorrect password, the connection ends and the first login failure is recorded. The SSH login failure counter is set to 1.
2. Run the SSH client and log in with an incorrect login name and password.
   You receive three password prompts. After the third incorrect password, the connection ends and the second login failure is recorded. The SSH login failure counter is set to 2.
3. Run the SSH client and log in with an incorrect login name and password.
   You receive three password prompts. After the third incorrect password, the connection ends and the third login failure is recorded. The SSH login failure counter is set to 3.
The iLO firmware records an SSH failed login log entry, and sets the SSH login failure counter to 0.

Configuring iLO security
iLO provides the following security features:
• User-defined TCP/IP ports. For more information, see “Configuring iLO access settings” (page 57).
• User actions logged in the iLO Event Log. For more information, see “Using the iLO Event Log” (page 171).
• Progressive delays for failed login attempts. For more information, see “Login security” (page 66).
• Support for X.509 CA signed certificates. For more information, see “Administering SSL certificates” (page 69).
• Support for securing iLO RBSU and the iLO 4 Configuration Utility. For more information, see “iLO RBSU and iLO 4 Configuration Utility security” (page 63).
• Encrypted communication that uses SSL certificate administration. For more information, see “Administering SSL certificates” (page 69).
• Support for optional LDAP-based directory services. For more information, see “Directory services” (page 265).
Some of these options are licensed features. For more information, see “iLO licensing” (page 44).

General security guidelines
General security guidelines for iLO follow:
• For maximum security, configure iLO on a separate management network. For more information, see “Connecting iLO to the network” (page 20).
• Do not connect iLO directly to the Internet.
• Use a browser that has a 128-bit cipher strength.

iLO RBSU and iLO 4 Configuration Utility security
iLO RBSU and the iLO 4 Configuration Utility enable you to view and modify the iLO configuration. You can configure iLO RBSU and iLO Configuration Utility access settings by using iLO RBSU, the iLO 4 Configuration Utility, the iLO web interface, or RIBCL scripts. If the system maintenance switch is set to disable iLO security, any user can access iLO RBSU or the iLO 4 Configuration Utility, regardless of the configured access settings.
• For information about using the iLO web interface to configure iLO RBSU or the iLO 4 Configuration Utility access settings, see “Configuring access options” (page 59).
• For information about using iLO RBSU or the iLO 4 Configuration Utility to configure iLO RBSU or iLO 4 Configuration Utility access settings, see “Configuring iLO by using the ROM-based utilities” (page 133).
• For information about using RIBCL scripts to configure iLO RBSU or the iLO 4 Configuration Utility, see the HP iLO 4 Scripting and Command Line Guide.
• For information about using the system maintenance switch, see “Managing iLO security with the system maintenance switch” (page 64).
iLO RBSU and the iLO 4 Configuration Utility have the following security levels:
• Login Not Required (default)
  Anyone who has access to the host during POST can enter iLO RBSU or the iLO 4 Configuration Utility to view and modify configuration settings. This is an acceptable setting if host access is controlled. If host access is not controlled, any user can make changes by using the active configuration menus.
• Login Required (more secure)
  If iLO RBSU or iLO 4 Configuration Utility login is required, the active configuration menus are controlled by the authenticated user access rights.
• Disabled (most secure)
  If iLO RBSU or the iLO 4 Configuration Utility is disabled, user access is prohibited. This prevents modification by using the iLO RBSU or the iLO 4 Configuration Utility.
To change the login requirement:
• Use the iLO web interface to edit the Require Login for iLO RBSU or Require Login for iLO 4 Configuration Utility setting. For instructions, see “Configuring access options” (page 59).
• Use the iLO RBSU or the iLO 4 Configuration Utility to edit the Require iLO 4 RBSU Login or Require Login for iLO 4 Configuration Utility setting. For instructions, see “Configuring iLO by using the ROM-based utilities” (page 133).
To enable or disable access to iLO RBSU or the iLO 4 Configuration Utility:
• Use the iLO web interface to edit the iLO ROM-Based Setup Utility or iLO 4 Configuration Utility setting. For instructions, see “Configuring access options” (page 59).
• Use the iLO RBSU or the iLO 4 Configuration Utility to edit the iLO 4 ROM-Based Setup Utility or iLO 4 Configuration Utility setting. For instructions, see “Configuring iLO by using the ROM-based utilities” (page 133).

Managing iLO security with the system maintenance switch
The iLO security setting on the system maintenance switch provides emergency access to an administrator who has physical control over the server system board. Disabling iLO security allows login access with all privileges, without a user ID and password.
The system maintenance switch is located inside the server and cannot be accessed without opening the server enclosure. When you work with the system maintenance switch, ensure that the server is powered off and disconnected from the power source. Set the switch to enable or disable iLO security, and then power on the server.
Disabling iLO security enables you to flash the iLO boot block. HP does not anticipate that you will need to update the boot block. However, if an update is required, you must be physically present at the server to reprogram the boot block and reset iLO. The boot block is exposed until iLO is reset. For maximum security, HP recommends disconnecting iLO from the network until the reset is complete.
NOTE: The system maintenance switch position that controls iLO security is sometimes called the iLO Security Override switch.
It might be necessary to disable iLO security for the following reasons:
• iLO Functionality is disabled and must be re-enabled.
• All user accounts that have the Administer User Accounts privilege are locked out.
• An invalid configuration prevents iLO from being displayed on the network, and iLO RBSU or the iLO 4 Configuration Utility is disabled.
• The boot block must be flashed.
• The iLO NIC is turned off, and it is not possible or convenient to run iLO RBSU or the iLO 4 Configuration Utility to turn it back on.
• Only one user name is configured, and the password is forgotten.
When you disable iLO security with the system maintenance switch:
• All security authorization verifications are disabled.
• iLO RBSU or the iLO 4 Configuration Utility runs if the host server is reset.
• iLO is not disabled and might be displayed on the network as configured.
• If iLO Functionality is disabled, iLO does not log out active users and complete the disable process until the power is cycled on the server.
• The boot block is exposed for programming.
• A warning message is displayed on iLO web interface pages, indicating that iLO security is disabled.
• An iLO log entry is added to record the iLO security change.
• When iLO starts after you use the system maintenance switch to enable or disable iLO security, an SNMP alert is sent if an SNMP Alert Destination is configured.
For information about how to enable and disable iLO security with the system maintenance switch, see the Maintenance and Service Guide for your server.

TPM support
A TPM is a computer chip that securely stores artifacts used to authenticate the platform. These artifacts can include passwords, certificates, or encryption keys. You can also use a TPM to store platform measurements to make sure that the platform remains trustworthy.
On a supported system, iLO decodes the TPM record and passes the configuration status to iLO, the CLP, and the XML interface. The iLO Overview page displays the following TPM status information:
• Not Supported—A TPM is not supported.
• Not Present—A TPM is not installed.
• Present—This indicates one of the following statuses:
  ◦ A TPM is installed but is disabled.
  ◦ A TPM is installed and enabled.
  ◦ A TPM is installed and enabled, and Expansion ROM measuring is enabled. If Expansion ROM measuring is enabled, the Update Firmware page displays a legal warning message when you click Upload.

User accounts and access
iLO supports the configuration of up to 12 local user accounts. Each account can be managed through the following features:
• Privileges
• Login security
You can configure iLO to use a directory to authenticate and authorize its users. This configuration enables an unlimited number of users and easily scales to the number of iLO devices in an enterprise. The directory also provides a central point of administration for iLO devices and users, and the directory can enforce a stronger password policy. iLO enables you to use local users, directory users, or both.
The following directory configuration options are available:
• A directory extended with HP schema
• The directory default schema
For more information about using directory authentication, see “Directory services” (page 265).

User privileges
iLO allows you to control user account access to iLO features through the use of privileges. When a user attempts to use a feature, iLO verifies that the user has the proper privilege to use that feature.
For information about the available user account and directory group privileges, see “Managing iLO users by using the iLO web interface” (page 46).

Login security
iLO provides several login security features. After an initial failed login attempt, iLO imposes a delay of ten seconds. Each subsequent failed attempt increases the delay by ten seconds. An information page is displayed during each delay; this continues until a valid login occurs. This feature helps to prevent dictionary attacks against the browser login port.
iLO saves a detailed log entry for failed login attempts. You can configure the Authentication Failure Logging frequency on the Administration→Access Settings page. For more information, see “Configuring access options” (page 59).

Administering SSH keys
The Secure Shell Key page displays the hash of the SSH public key associated with each user. Each user can have only one key assigned. Use this page to view, add, or delete SSH keys.
You must have the Administer User Accounts privilege to add and delete SSH keys.

About SSH keys
When you add an SSH key to iLO, you paste the SSH key file into iLO as described in “Authorizing a new SSH key” (page 67) and “Authorizing a new key by using the CLI” (page 68). The file must contain the user-generated public key. The iLO firmware associates each key with the selected local user account. If a user is removed after an SSH key is authorized for that user, the SSH key is removed.
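A pre-import check for the key file, added here as an example and not taken from the HP guide: it confirms that the pasted text is a public key in one of the three layouts the guide accepts (RFC 4716, OpenSSH one-line, iLO legacy), that the key is RSA or DSA at 2,048 bits, and that it fits the 1366-byte storage limit. The function names and the sample key are constructed for illustration, and measuring the 1366-byte limit on the pasted text is an assumption.

```python
import base64

MAX_KEY_BYTES = 1366   # guide's limit; assumed here to apply to the pasted text
REQUIRED_BITS = 2048   # key size the guide requires
ALLOWED_TYPES = ("ssh-rsa", "ssh-dss")   # RSA or DSA, per the guide
FRAMES = {"---- BEGIN SSH2 PUBLIC KEY ----": "RFC 4716", "-----BEGIN SSH KEY-----": "iLO legacy"}

def wire_fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    fields = []
    while blob:
        size = int.from_bytes(blob[:4], "big")
        if len(blob) < 4 + size:
            raise ValueError("truncated key data")
        fields.append(blob[4:4 + size])
        blob = blob[4 + size:]
    return fields

def extract(text):
    """Return (format, base64 data) for RFC 4716, OpenSSH or iLO legacy text."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    fmt = FRAMES.get(lines[0] if lines else "", "OpenSSH")
    if fmt != "OpenSSH":
        if lines[-1] != lines[0].replace("BEGIN", "END"):
            raise ValueError(f"{fmt} end marker missing")
        lines = lines[1:-1]
    if fmt == "RFC 4716":
        # Header lines such as Comment: contain a colon; base64 never does.
        return fmt, "".join(ln for ln in lines if ":" not in ln)
    parts = lines[0].split() if len(lines) == 1 else []
    if len(parts) < 2:
        raise ValueError(f"{fmt} key must be one 'type base64 comment' line")
    return fmt, parts[1]

def check_for_ilo(text):
    """Return a list of problems; an empty list means the key fits the guide."""
    if "PRIVATE KEY" in text:
        return ["file holds a private key; iLO takes the public key only"]
    try:
        fields = wire_fields(base64.b64decode(extract(text)[1], validate=True))
    except ValueError as exc:   # binascii.Error is a ValueError subclass
        return [f"unreadable key: {exc}"]
    problems = []
    ktype = fields[0].decode("ascii", "replace") if fields else ""
    if ktype not in ALLOWED_TYPES or len(fields) < 3:
        problems.append(f"{ktype!r} is not a complete RSA or DSA key")
    else:
        # Size comes from n in ssh-rsa (e, n) and from p in ssh-dss (p, q, g, y).
        bits = int.from_bytes(fields[2 if ktype == "ssh-rsa" else 1], "big").bit_length()
        if bits != REQUIRED_BITS:
            problems.append(f"{ktype} key is {bits} bits, not {REQUIRED_BITS}")
    if len(text.strip().encode()) > MAX_KEY_BYTES:
        problems.append(f"key text exceeds {MAX_KEY_BYTES} bytes")
    return problems

def constructed_key(bits, comment="Administrator"):
    """Constructed sample: a well-formed ssh-rsa line that is not a usable key."""
    field = lambda data: len(data).to_bytes(4, "big") + data
    mpint = lambda n: field(n.to_bytes(n.bit_length() // 8 + 1, "big"))
    blob = field(b"ssh-rsa") + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

if __name__ == "__main__":
    print([check_for_ilo(constructed_key(b)) or "ok" for b in (2048, 1024)])
```

The first element returned by `extract(text)` names the detected layout, which matters because only the iLO legacy layout is accepted by RIBCL scripts.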
The following SSH key formats are supported:
• RFC 4716
• OpenSSH key format—These keys must be one line only.
• iLO legacy format—These are OpenSSH keys surrounded by the BEGIN/END headers needed for RIBCL. This format must be one line between the BEGIN SSH KEY and END SSH KEY text.
Note the following when working with SSH keys:
• The previously listed sample formats are supported with the iLO web interface and the CLI. Only the iLO legacy format is supported with RIBCL scripts.
• Any SSH connection authenticated through the corresponding private key is authenticated as the owner of the key and has the same privileges.
• The iLO firmware provides storage to accommodate SSH keys that have a length of 1366 bytes or less. If the key is larger than 1366 bytes, the authorization might fail. If this occurs, use the SSH client software to generate a shorter key.
• If you use the iLO web interface to enter the public key, you select the user associated with the public key. If you use the CLI to enter the public key, the public key is linked to the user name that you entered to log in to iLO. If you use HPQLOCFG to enter the public key, you append the iLO user name to the public key data. The public key is stored with that user name.

Authorizing a new SSH key
1. Generate a 2,048-bit DSA or RSA key by using ssh-keygen, puttygen.exe, or another SSH key utility.
2. Create the key.pub file.
3. Navigate to the Administration→Security page.
4. Click the Secure Shell Key tab.
5. Select the check box to the left of the user to which you want to add an SSH key.
6. Click Authorize New Key.
7. Copy and paste the public key into the Public Key Import Data box.
   The key must be a 2,048-bit DSA or RSA key.
8. Click Import Public Key.

Authorizing a new key by using the CLI
1. Generate a 2,048-bit DSA or RSA SSH key by using ssh-keygen, puttygen.exe, or another SSH key utility.
2. Create the key.pub file.
3. Verify that Secure Shell (SSH) Access is enabled on the Access Settings page.
   For more information, see “Configuring iLO access settings” (page 57).
4. Use Putty.exe to open an SSH session using port 22.
5. Change to the cd /Map1/Config1 directory.
6. Enter the following command:
   load sshkey type "oemhp_loadSSHkey -source "
   When you use this command:
   • The protocol value is required and must be HTTP or HTTPS.
   • The hostname and filename values are required.
   • The username:password and port values are optional.
   • oemhp_loadSSHkey is case-sensitive.
The CLI performs a cursory syntax verification of the values you enter. You must visually verify that the URL is valid. The following example shows the command structure:
oemhp_loadSSHkey -source http://192.168.1.1/images/path/sshkey.pub

Deleting SSH keys
1. Navigate to the Administration→Security page.
2. Click the Secure Shell Key tab.
3. Select the check box to the left of the user for which you want to delete an SSH key.
4. Click Delete Selected Key(s).
   The selected SSH key is removed from iLO. When an SSH key is deleted from iLO, an SSH client cannot authenticate to iLO by using the corresponding private key.

Authorizing SSH keys from an HP SIM server
The mxagentconfig utility enables you to authorize SSH keys from an HP SIM server.
• SSH must be enabled on iLO before you use mxagentconfig to authorize a key.
• The user name and password entered in mxagentconfig must correspond to an iLO user who has the Configure iLO Settings privilege. The user can be a directory user or a local user.
• The key is authorized on iLO and corresponds to the user name specified in the mxagentconfig command.
For more information about mxagentconfig, see the HP iLO 4 Scripting and Command Line Guide.

Administering SSL certificates
SSL protocol is a standard for encrypting data so that it cannot be viewed or modified while in transit on the network. This protocol uses a key to encrypt and decrypt the data. The longer the key, the better the encryption.
A certificate is a small data file that connects an SSL key to a server. It contains the name of the server and the server's public key. Only the server has the corresponding private key, and this is how the server is authenticated.
A certificate must be signed to be valid. If it is signed by a CA, and that CA is trusted, all certificates signed by the CA are also trusted. A self-signed certificate is one in which the owner of the certificate acts as its own CA.
By default, iLO creates a self-signed certificate for use in SSL connections. This certificate enables iLO to work without additional configuration steps. Importing a trusted certificate can enhance the iLO security features. Users with the Configure iLO Settings privilege can customize and import a trusted certificate that is signed by a CA.

Viewing SSL certificate information
To view certificate information, navigate to the Administration→Security→SSL Certificate page.
The following certificate details are displayed:
• Issued To—The entity to which the certificate was issued
• Issued By—The CA that issued the certificate
• Valid From—The first date that the certificate is valid
• Valid Until—The date that the certificate expires
• Serial Number—The serial number that the CA assigned to the certificate

Obtaining and importing an SSL certificate
Users who have the Configure iLO Settings privilege can customize and import a trusted certificate.
A certificate works only with the keys generated with its corresponding CSR. If iLO is reset to the factory default settings, or another CSR is generated before the certificate that corresponds to the previous CSR is imported, the certificate does not work. In that case, a new CSR must be generated and used to obtain a new certificate from a CA.
To obtain and import a certificate:
1. Navigate to the Administration→Security→SSL Certificate page.
2. Click Customize Certificate.
   The SSL Certificate Customization page opens.
3. Enter the following information in the Certificate Signing Request Information section. The required boxes are marked with an asterisk (*).
   • Country (C)—The two-character country code that identifies the country where the company or organization that owns this iLO subsystem is located
   • State (ST)—The state where the company or organization that owns this iLO subsystem is located
   • City or Locality (L)—The city or locality where the company or organization that owns this iLO subsystem is located
   • Organization Name (O)—The name of the company or organization that owns this iLO subsystem