HP Integrated Lights-Out Security, 7th edition

24
You can change the telnet port number to any unused port number or disable the telnet port entirely.
When the remote console port is in the “Disabled” mode, no application can connect to port 23.
Finally, the strong authentication and authorization processes of the remote console and virtual serial
port applets reduce the residual risk of exposing the telnet port across the network.
Multi-user Integrated Remote Console
iLO v1.90, iLO 2 v1.30, and iLO 3 offer IRC as an iLO Advanced and iLO Select feature. The IRC is
a user-configurable setting that supports up to four simultaneous remote console sessions on the same
server.
The first user to initiate a remote console session becomes the session host. The session host can deny
access, grant full access, or allow read-only access. Participant sessions end when the host session
ends. iLO encrypts all console sessions. For added security, the Remote Console Computer Lock
feature can lock the operating system automatically when the session closes or times out.
Windows and Linux operating systems support IRC. The client browser on the management console
must be Windows Internet Explorer because the IRC is implemented with ActiveX, not Java.
SSH for the command-line interface
Administrators with access to the CLI can access most iLO functions; however, they access iLO in text
mode rather than in graphical mode. To ensure data and keystroke integrity, the SSH data stream is
encrypted. Administrators can disable the SSH/CLI functionality, change the SSH port number, or
restrict user privileges to ensure that only authorized persons can access the CLI.
CPQLOCFG utility
The CPQLOCFG utility connects to the iLO processor across the network using the encrypted SSL port.
Users can only access the CPQLOCFG utility with valid user credentials and privileges authorized by
the strong iLO authorization process. Administrators can change the HTTPS port number to reduce the
likelihood of unauthorized persons accessing iLO.
Directory services
iLO uses SSL-protected LDAP to communicate with the directory server. Using directory services is
more secure than using local iLO user accounts for these reasons:
- It eliminates the practice of sharing administrator accounts among multiple people.
- The directory enforces password protection.
- Role-based access allows access restriction by detailed time and place.
- You can perform maintenance functions (such as changing rights for multiple users) once at the
  directory rather than once for each iLO device.
Administrators who use the Lights-Out migration utility to migrate from local accounts to directory
accounts access iLO over the network. HP built the Lights-Out migration utility on top of the XML
infrastructure of CPQLOCFG, so it has the same security advantages as CPQLOCFG: strong
authentication, the ability to change port numbers, and encryption.
SNMP
iLO acts strictly as a pass-through service for SNMP functions. The SNMP port is one of only two ports in
iLO that pass traffic to the OS through the iLO driver. Remember that SNMP does not encrypt data.
You can disable SNMP if you are concerned about data that iLO passes from the server, such as the
OS, type of processor, and number of I/O devices. If you want to use SNMP, you can set firewalls
and routers to accept only specific source and destination addresses. You can also set passwords
(community strings) according to the same guidelines as administrative passwords.
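The port-hardening advice in the telnet, SSH, CPQLOCFG and SNMP sections above boils down to a short checklist: disable or move the telnet port, consider non-default SSH and HTTPS ports, and either disable SNMP or restrict its sources and give its community strings the same strength rules as administrative passwords. The following Python script is an added example (not HP code, and not any iLO CLI or RIBCL output format) that audits a configuration snapshot against that checklist. The dictionary field names, the sample settings and the "well-known default" community list are all constructed for this example; in practice the values would be filled in from whatever the administrator pulls out of iLO.

```python
import re

# Constructed list of well-known default community strings (not from HP).
DEFAULT_COMMUNITIES = {"public", "private", "community"}

# Constructed sample snapshot of the knobs the brief names. The field names are
# this example's own and do not correspond to iLO configuration keys.
WEAK_SETTINGS = {
    "remote_console_port_enabled": True,   # telnet/remote console port active
    "remote_console_port": 23,
    "ssh_enabled": True,
    "ssh_port": 22,
    "https_port": 443,                     # used by CPQLOCFG and the browser UI
    "snmp_enabled": True,
    "snmp_allowed_sources": [],            # no firewall/router restriction recorded
    "snmp_communities": ["public", "Ops-Mon-2024!"],
}

# The same snapshot after applying the brief's recommendations.
HARDENED_SETTINGS = {
    "remote_console_port_enabled": False,
    "remote_console_port": 23,
    "ssh_enabled": True,
    "ssh_port": 2222,
    "https_port": 8443,
    "snmp_enabled": False,
    "snmp_allowed_sources": ["10.0.5.10"],
    "snmp_communities": [],
}


def community_string_issues(community):
    """Check an SNMP community string with the rules an administrative password
    would get: no well-known default, at least 8 characters, at least 3 of the
    4 character classes. Returns a list of problems (empty when it passes)."""
    problems = []
    if community.lower() in DEFAULT_COMMUNITIES:
        problems.append("uses a well-known default value")
    if len(community) < 8:
        problems.append("is shorter than 8 characters")
    classes = sum(
        bool(re.search(pattern, community))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    return problems


def audit_ilo_ports(settings):
    """Compare a settings snapshot with the brief's advice. Returns a list of
    (severity, finding) tuples ordered most severe first."""
    findings = []
    if settings["remote_console_port_enabled"]:
        if settings["remote_console_port"] == 23:
            findings.append(("high", "telnet/remote console port is enabled on "
                             "default port 23; disable it or move it to an unused port"))
        else:
            findings.append(("info", "telnet/remote console port is enabled on "
                             f"non-default port {settings['remote_console_port']}"))
    if settings["ssh_enabled"] and settings["ssh_port"] == 22:
        findings.append(("low", "SSH/CLI listens on default port 22; consider a "
                         "different port and restricting CLI privileges"))
    if settings["https_port"] == 443:
        findings.append(("low", "HTTPS (browser UI and CPQLOCFG) listens on default "
                         "port 443; consider a different port"))
    if settings["snmp_enabled"]:
        if not settings["snmp_allowed_sources"]:
            findings.append(("high", "SNMP is enabled (unencrypted) with no source-address "
                             "restriction; disable SNMP or filter it at firewalls/routers"))
        # Report by position rather than value so the audit output never
        # echoes the community string itself.
        for index, community in enumerate(settings["snmp_communities"], start=1):
            for problem in community_string_issues(community):
                findings.append(("high", f"SNMP community string #{index} {problem}"))
    order = {"high": 0, "low": 1, "info": 2}
    findings.sort(key=lambda finding: order[finding[0]])  # stable sort keeps insertion order within a level
    return findings


if __name__ == "__main__":
    for label, snapshot in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(f"== {label} ==")
        for severity, finding in audit_ilo_ports(snapshot) or [("ok", "no findings")]:
            print(f"[{severity}] {finding}")
```

Running the script against the weak snapshot lists the open telnet port and the unrestricted, default-community SNMP service as high-severity findings and the default SSH and HTTPS ports as low-severity ones; the hardened snapshot produces no findings. The community-string check is deliberately the same shape as a password-policy check, which is the point the SNMP section makes.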