HP Remote Insight Lights-Out Edition II User Guide February 2006 (Sixth Edition) Part Number 232664-006
© Copyright 2002, 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Confidential computer software.
Operational overview
In this section
• New in this release
• RILOE II kit contents
Item | Description
5 | Virtual Power Button cable (4-pin)
6 | Remote Insight cable (30-pin)
7 | Network settings tag
8 | Keyboard/mouse adapter cable
9 | Power cord
System documentation and support software CDs (not shown)
Installing the RILOE II
In this section
• Preparing to install RILOE II
• Remote Insight cable configuration
• Keyboard/mouse adapter cable configuration
• Installing RILOE II in the server
Remote Insight cable configuration
For servers that use the Remote Insight cable, RILOE II connects to the host server, peripheral devices, power source, and LAN.
For servers that use the keyboard/mouse adapter cable, RILOE II connects to the host server, peripheral devices, power source, and LAN.
CAUTION: The screws shown are self-tapping, and some amount of force is required for installation. Use caution when installing the screws to prevent damage to the RILOE II.
The extender should extend past the right edge of the board.
2. If you are installing RILOE II in a server that was previously configured with a RILOE and the server is running a Windows®-based operating system, upgrade the systems management driver with the Advanced System Management Driver found on the HP website (http://www.hp.
Installing a Virtual Power Button cable (4-pin)
To enable the Virtual Power Button feature of the RILOE II on servers that use a four-pin connector on the server system board, install the Virtual Power Button cable (4-pin) (PN 160011-001):
1. Power down the server and disconnect all power cords to remove power from the server.
2. Connect the four-pin connector on the cable to the Virtual Power Button cable connector, located on the rear of the RILOE II.
3.
• Saving of video captures of reset sequences and failure sequences in the RILOE II memory for later replay
• Simultaneous transmission of video to the server monitor and to a Remote Console monitor

Item | Description
1 | AC power adapter connector
2 | LAN connector
3 | Video connector
4 | Keyboard/mouse connector

Keyboard/mouse adapter cable connection
The keyboard and mouse signals must pass through RILOE II.
1. Disconnect the keyboard and mouse cables from the server.
2. Connect the keyboard and mouse cables to the color-coded T-shaped keyboard/mouse connector of the RILOE II keyboard/mouse adapter cable, as shown.
3. Connect the color-coded plugs of the keyboard/mouse adapter cable to the keyboard and mouse connectors of the server.
4. Connect the black plug of the keyboard/mouse adapter cable to the RILOE II keyboard/mouse connector.
server onboard video. For instructions on disabling the server onboard video, see the documentation provided with the server.

LAN cable connection
To access RILOE II using TCP/IP across a 10-MB or 100-MB Ethernet network, connect one end of the LAN cable to the LAN connector on RILOE II and the other end to an active network jack. The green LED indicator that is located close to the AC power adapter connector indicates the speed of the connection. If the LED indicator is on, then the connection is 100-MB.
Connect the AC power adapter cable as shown.

Powering up the server
1. Plug the AC main power cord into the server and then into a grounded AC outlet.
WARNING: To reduce the risk of electric shock or damage to the equipment:
• Disconnect power from the system by unplugging all power cords from the power supplies.
• Do not disable the power cord grounding plug. The grounding plug is an important safety feature.
Configuring the RILOE II
In this section
• Configuration options
• Installing RILOE II device drivers
• Disabling DNS/DHCP
3. Make and save any necessary changes to the RILOE II.
4. Exit the RBSU.

SmartStart setup of RILOE II
Use RBSU F8 during SmartStart to configure the RILOE II. Configuring the RILOE II using SmartStart is not an option.

Installing RILOE II device drivers
The RILOE II Management Interface Driver enables system software, such as SNMP Insight Agents and the Terminal Services pass-through service, to communicate with RILOE II.
When updating RILOE II drivers, be sure RILOE II is running the latest version of RILOE II firmware. You can obtain the latest version as a Smart Component from the HP website (http://www.hp.com/servers/lights-out). To install the drivers, download the PSP from the HP website (http://www.hp.com/support) to a NetWare server. After downloading the PSP, follow the Novell NetWare component installation instructions to complete the installation.
5. Select Network, NIC, and TCP/IP, and press the Enter key. The Network Configuration screen displays.
6. Configure your network settings.
7. Press the F10 key to save the changes.
NOTE: It will take a few minutes for the board to save the network changes and to reset.
8. Exit the RBSU.
Using the RILOE II
In this section
• Accessing RILOE II for the first time
• Features of the RILOE II
• Managing the user and configuration settings of the RILOE II
• Using the Remote Console
1. Enter the RILOE II IP address or DNS name in the address bar of the browser. A Security Alert page appears.
2. Perform one of the following actions:
• Click Yes to continue to the login page of RILOE II.
• Click No to return to the Welcome page of RILOE II.
• Click View Certificate to view the certificate information. Installing the certificate to your browser prevents the security alert message from displaying in the future.
Features of the RILOE II
The RILOE II screen displays the following tabs:
• System Status
This section provides information about the server and the RILOE II. The information includes server status, RILOE II status, survey information, the Remote Insight Event Log, and the Integrated Management Log.
• Remote Console
This section gives you access to the Remote Console and enables you to define keystroke sequences that are transmitted to the remote host server at the press of a hot key.
Parameter | Default value | Definition
Administer User Access | Yes | This privilege allows a user to add, modify, and delete user accounts. It also allows the user to alter privileges for all users, including granting all permissions to a user.
Configure RILOE Access | No | This privilege enables a user to make changes to RILOE II settings, such as network settings and global settings, and to clear the event log.
Login Access | Yes | This setting grants or denies the user login access.
NOTE: To clear the user profile form while entering a new user or to recover the user's original information, click Restore User Information.

Network settings
The Network Settings option on the Administration tab enables you to view and modify the NIC IP address, subnet mask, TCP/IP-related settings, and specify IP address or DNS name for web-based management agents. You can enable or disable DHCP and, for servers not using DHCP, you can configure a static IP address.
When you click Apply, RILOE II restarts. During the restart process, the connection from the browser to the board is terminated. To reestablish a connection, wait 60 seconds before launching another browser session and logging in to RILOE II.

Parameter | Default value | Definition
Transceiver Speed Autoselect | Yes | Autoselect detects the interface speed and sets the interface to operate at 10 Mb/s or 100 Mb/s and at half or full duplex.
Parameter | Default value | Definition
Primary, secondary, and tertiary DNS server | N/A | Use this parameter to assign a unique DNS server IP address on the network. By default, the primary, secondary, and tertiary DNS servers are assigned by DHCP.
Primary and secondary WINS server | N/A | Use this parameter to assign a unique WINS server IP address on the network. By default, the primary and secondary WINS servers are assigned by DHCP.
Parameter | Default value | Definition
Session Timeout (minutes) | 30 minutes | This parameter specifies how many minutes a session can remain inactive before the user is required to log in again.
ROM configuration utility (F8) | Enabled | This parameter enables or disables the use of the F8 key, during POST, to access the Remote Insight ROM Configuration Utility.
Emergency Management Services | Enabled | This parameter enables or disables the use of the Windows .NET EMS through RILOE II.
Parameter | Default value | Definition
Level of Data Returned | Medium | This parameter configures how much data is returned to Insight Manager.
• None returns no data.
• Low returns the current board status and the board type (RILOE II).
• Medium returns the board status, the board type, and the serial number.
• High returns the board status, the board type, the serial number and several other pieces of information.
View XML Reply | N/A | This parameter displays the XML reply sent to Insight Manager.
1. Log in to the RILOE II using an account with administrator privileges.
2. Click SNMP Settings on the Administration tab.
3. Click Yes for the alert types that you want to receive.
4. Enter the IP addresses to send the alerts to in the SNMP Trap Destinations field.
5. Click Apply SNMP Settings.

Parameter | Default Value | Definition
SNMP Trap Alert Destination(s) | N/A | Enter the IP address of the remote management PC that will receive SNMP trap alerts from RILOE II.
3. Click No for the alert types that you want to disable.
4. Click Apply SNMP Settings.

Two-Factor Authentication Settings
The Two-Factor Authentication Settings page displays the configuration of two-factor authentication settings, the trusted CA certificate information, and provides a method of changing the configuration and importing or deleting a trusted CA certificate.
directory, for example, username@domain.extension. If Subject is specified, RILOE II will derive the user's distinguished name from the subject name attribute. For example, if the subject name is /DC=com/DC=domain/OU=organization/CN=user, RILOE II will derive: CN=user,OU=organization,DC=domain,DC=com. The Certificate Owner Field setting is only used if directory authentication is enabled.
3. Follow the instructions on the firmware upgrade page. If you need additional assistance, click ?.

Using the Remote Console
The Remote Console tab provides access to different views of the Remote Console and enables you to define keystroke sequences that are transmitted to the remote host server by pressing a hot key. Standard RILOE II provides embedded hardware Remote Console capabilities on a text mode page.
For best performance, be sure to configure the host operating system display as described in "Optimizing performance for graphical Remote Console (on page 37)."

Remote Console Information Option
The Remote Console Information option displays information concerning the Remote Console options available, as well as a link to download an updated Java™ Runtime Environment, which is necessary for using Remote Console with the single cursor option.
Alt Lock
The ALT key on the local keyboard is not passed from the client to the host server. To simulate pressing the ALT key on the host server, select ALT Lock.

Character Set
Use this option to change the default character set used by the Remote Console and the type of operating system to which the Remote Console is connected. Modifying the Remote Console settings ensures proper operation of the Remote Console and correct display of colors and characters.
Microsoft® Windows® Server 2003 settings
To optimize performance, set the server Display Properties to plain background (no wallpaper pattern) and set the Server Mouse Properties to Disable Pointer Trails.

Microsoft® Windows NT® 4.
The Remote Console Hot Keys page also contains a Reset Hot Keys option. The Reset Hot Keys option clears all entries in the hot key fields. Click Save Hot Keys to save the cleared fields.

Supported hot keys
The Program Remote Console Hot Keys page allows you to define up to 6 different sets of hot keys for use during a Remote Console session. Each hot key represents a combination of up to 5 different keys which are sent to the host machine whenever the hot key is pressed during a Remote Console session.
F1     /    d    |
F2     0    e    ;
F3     1    f    ’
F4     2    g    L_CTRL
F5     3    h    R_CTRL
F6     4    i    NUM PLUS
F7     5    j    NUM MINUS
F8     6    k    SCRL LCK
F9     7    l    BACKSPACE
F10    8    m    SYS RQ
F11    9    n

Video replays of previous server Reset Sequences
The Reset Sequences option on the Remote Console tab provides video replay of server reset sequences.
The Windows® EMS Console, if enabled, provides the ability to perform EMS in cases where video, device drivers, or other operating system features have prevented normal operation and normal corrective actions from being performed. The Windows® EMS serial port must be enabled through the host system RBSU. The configuration allows for the enabling or disabling of the EMS port, and the selection of the COM port.
On Windows® XP servers, the Terminal Services client and RDP connection is built in. The client is an integral part of the operating system and is executed by selecting Start>Programs>Accessories>Communications>Remote Desktop. The Terminal Services client in Windows® XP provides command line options and seamless launches from the Remote Console applet.

Windows® RDP Pass-Through service
To use the RILOE II Terminal Services Pass-Through feature, a service must be installed on the host system.
1. Start the Terminal Services Client Connection Manager, and create a new connection to the terminal server.
2. Highlight the icon created, and select File>Export. Rename the file with a .cns extension. For example: myilo.cns.
3. Edit the myilo.cns file by looking for the line Server Port=3389. Replace 3389 with your new port number and save the file.
4. From the Client Connection Manager, highlight the New Connection icon, and click File>Import.
5.
Terminal Services button display
RILOE II firmware does not accurately display through the Terminal Services button. Even if the operating system is not enabled (for example, the host operating system is Linux, which does not support Terminal Services operation), the Terminal Services button might not appear inactive and might inaccurately imply that Terminal Services operation is available.
3. Verify if the RILOE II Management Interface Driver is installed on the host by selecting My Computer>Properties>Hardware>Device Manager>Multifunction Adapters.
4. Verify if Terminal Services pass-through service and the RILOE II proxy are installed and running on the host by selecting Control Panel>Administrative Tools>Services and attempting to restart the Terminal Service.
5. Determine if the Application Event Log is full.
Virtual power
The Virtual Power button enables control of the power state of the remote server and simulates pressing the physical power button on the server. If the remote host server is not responding, the Virtual Power button feature allows you to initiate a cold or warm reboot to bring the server back online. Some of the following power options do not gracefully shut down the operating system. To initiate a graceful shutdown, use the Remote Console before using the Virtual Power button.
• If the Virtual Floppy capability is enabled, the floppy drive normally cannot be accessed from the client operating system.
• If the Virtual CD-ROM capability is enabled, the CD-ROM drive cannot be accessed from the client operating system.
Under certain conditions, you can access the Virtual Floppy drive from the client operating system while it is connected.
The connected drive icon and LED change state to reflect the current status of the Virtual Floppy Drive.

To use an image file:
1. Select Local Image File within the Virtual Floppy section of the Virtual Media applet.
2. Enter the path or file name of the image in the text box, or click Browse to locate the image file using the Choose Disk Image File dialog. To ensure the source diskette or image file is not modified during use, select the Force read-only access option.
3. Click Connect.
• Red Hat and SLES Linux
Linux supports the use of USB diskette drives. Refer to the "Mounting USB Virtual Media Floppy in Linux" section for step-by-step instructions.

Mounting USB Virtual Media Floppy in Linux
1. Access RILOE II through a browser.
2. Select Virtual Media in the Virtual Devices tab.
3. Select a diskette drive or diskette image and click Connect.
4.
NOTE: Image files of diskettes are created and stored locally on the hard drive or on a network drive with the Diskette Image Utility (on page 51). This utility is available for download from the HP website (http://www.hp.com/servers/lights-out).

To upload a diskette image to RILOE II on the host server:
1. Click Virtual Floppy in the Virtual Devices tab.
2. Enter the location and name of the diskette image file, or click Browse and select the diskette image file you want to transfer to RILOE II.
3.
The Virtual Floppy Boot option has three settings:
• Boot Always—This setting instructs the RILOE II to always boot the host server from the diskette image file in the Virtual Floppy Drive. If this setting is checked, the Virtual Floppy Status screen shows the virtual drive as active after the server has restarted.
• Boot Once—This setting instructs the RILOE II to boot the host server one time from the diskette image file in the Virtual Floppy Drive.
4. Click Create to generate the image file in the specified location.

To create a diskette from an image file
1. Launch the Diskette Image Utility and click the Create Diskette tab.
2. Insert a blank diskette into the diskette drive.
CAUTION: If the diskette is not blank, all data on the diskette will be erased.
3. Enter the path and name of the image file and the target diskette drive.
4. To navigate to the location of the image file, click Browse. A page similar to the following appears.
5. Click Create to generate the diskette from the image file.

To compare an image file with a diskette
1. Launch the Diskette Image Utility and click the Verify Image File tab.
2. Insert the diskette you want to compare against an image file into the diskette drive.
3. Enter the path and name of the image file and the target diskette drive or navigate to the location of the image file by clicking Browse. A page similar to the following appears.
4. Click Verify to start comparing the image file with the diskette. When the verification is complete, the results appear.

RILOE II Virtual CD-ROM
RILOE II Virtual CD-ROM is available at server boot time for operating systems specified in the "Operating system USB support (on page 57)" section. Booting from RILOE II Virtual CD-ROM enables you to deploy an operating system from network drives, and perform disaster recovery of failed operating systems, among other tasks.
3. Click Connect.

To use an image file:
1. Select Local Image File within the Virtual CD-ROM section of the Virtual Media applet.
2. Enter the path or file name of the image in the text box or click Browse to locate the image file using the Choose Disk Image File dialog.
3. Click Connect.
The connected drive icon and LED change state to reflect the current status of the Virtual CD-ROM. When connected, virtual devices are available to the host server until you close the Virtual Media applet.
To resolve this problem, reboot the host server, and, after the operating system is available, the Virtual Media CD-ROM is ready for use. This problem only occurs on servers with no physical CD-ROM drive.
• Linux
  • Red Hat Linux
    On servers with a locally attached IDE CD-ROM, the virtual CD-ROM device is accessible at /dev/cdrom1. However, on servers without a locally attached CD-ROM, such as the BL-class blade systems, the virtual CD-ROM is the first CD-ROM accessible at /dev/cdrom.
4. Click Create. The virtual media applet begins the process of creating the image file. The process is complete when the progress bar reaches 100%. To cancel the creation of an image file, click Cancel.

The Disk>>Image option is used to create image files from physical diskettes or CD-ROMs. The Image>>Disk option is not valid for a Virtual CD-ROM image. The Disk>>Image button changes to Image>>Disk when clicked.
Getting help
Assistance for all RILOE II options is available by means of the Remote Insight Help hyperlink. This link provides summary information about the features of the board and helpful information for optimizing the operation of the RILOE II.

Pocket PC access with RILOE II
RILOE II provides support for network access from HP handheld devices supporting Pocket Internet Explorer. RILOE II provides a special user interface for connecting to RILOE II from the HP iPAQ Pocket PC.
1. Tap "Tap here to login to RILOE name". An SSL session is negotiated and a certificate warning appears.
2. Tap Yes to proceed to the login page.
3. Enter a valid user ID and password in the login page, and tap Go. Do not enable the Save Password option.
If the user ID and password are valid, you are logged in to RILOE II and a web page similar to the following appears.
At a minimum, the HP iPAQ browser interface supports the Virtual Power button, rebooting the server, changing the Virtual Floppy status, viewing the logs, and displaying status information.
If Pocket PC access is disabled, a page similar to the following appears. User authentication is required for access to RILOE II. After authentication, the Pocket PC user remains logged in until the session is ended by closing the Pocket PC browser. To close the browser, tap the Q key, tap Close active task, and close the browser.
RILOE II security
In this section
• General security guidelines
• Two-factor authentication
• Introduction to certificate services
• Securing RBSU
Two-factor authentication
RILOE II is a powerful tool for managing HP ProLiant servers. To prevent misuse of this tool, access to RILOE II requires reliable user authentication. This firmware release provides a stronger authentication scheme for RILOE II using two factors of authentication: a password or PIN and a private key for a digital certificate. Users are asked to verify their identities by providing both factors.
20. Choose the certificate that was added to the user in RILOE II. Click OK.
21. If prompted to do so, insert your smart card, or enter your PIN or password.
After completing the authentication process, you have access to RILOE II.

Setting up directory user accounts:
1. Obtain the public certificate from the CA that issues user certificates or smart cards in your organization.
2. Export the certificate in base64 encoded format to a file on your desktop, for example, CAcert.txt.
3.
Two-factor authentication login
When you connect to RILOE II and two-factor authentication is required, the Client Authentication page prompts you to select the certificate you want to use. The Client Authentication page displays all of the certificates available to authenticate a client. Select your certificate. The certificate can be a certificate mapped to a local user in RILOE II, or a user-specific certificate issued for authenticating to the domain.
Owner is set to SAN, RILOE II obtains the directory user's login name from the UPN attribute of the SAN. If the Certificate Owner setting is set to Subject, RILOE II obtains the directory user's distinguished name from the subject of the certificate. Which one of these settings to choose depends on which directory integration method is used, how the directory architecture is designed, and what information is contained in user certificates that are issued.
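The Certificate Owner Field behaviour described above and in the Two-Factor Authentication Settings section (SAN yields the UPN login name; Subject yields a distinguished name, as in the /DC=com/DC=domain/OU=organization/CN=user example) can be checked against directory entries before certificates are issued. The following Python is an added example, not HP firmware or HP tooling; the function names, the RFC 4514 style escaping, the case-insensitive comparison, and the sample certificates and directory entries are assumptions constructed for illustration.

```python
# Added example: models the Certificate Owner Field mapping this guide describes.
# Not HP code. Escaping and comparison rules are assumptions (RFC 4514 style).

RFC4514_SPECIAL = set(',+"\\<>;')


def split_oneline_subject(subject):
    """Split '/TYPE=value/TYPE=value' into [(type, value), ...].

    A backslash escapes the next character, so a backslash followed by '/'
    is a literal slash inside a value rather than a component separator.
    """
    if not subject.startswith("/"):
        raise ValueError("subject must start with '/'")
    parts, current, i = [], [], 1
    while i < len(subject):
        ch = subject[i]
        if ch == "\\" and i + 1 < len(subject):
            current.append(subject[i + 1])
            i += 2
            continue
        if ch == "/":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))

    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value:
            raise ValueError(f"malformed subject component: {part!r}")
        rdns.append((attr.strip(), value))
    return rdns


def escape_rdn_value(value):
    """Escape a value for use in an LDAP DN string (assumed RFC 4514 rules)."""
    out = []
    for idx, ch in enumerate(value):
        if ch in RFC4514_SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and idx in (0, len(value) - 1):
            out.append("\\ ")
        elif ch == "#" and idx == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def subject_to_dn(subject):
    """Reverse the subject components: most specific RDN comes first in a DN."""
    rdns = split_oneline_subject(subject)
    return ",".join(f"{a}={escape_rdn_value(v)}" for a, v in reversed(rdns))


def directory_identity(owner_field, subject, san_upn=None):
    """Identity looked up in the directory for a given Certificate Owner Field."""
    if owner_field == "SAN":
        if not san_upn or san_upn.count("@") != 1:
            raise ValueError("certificate has no usable UPN in the SAN")
        return san_upn
    if owner_field == "Subject":
        return subject_to_dn(subject)
    raise ValueError("owner_field must be 'SAN' or 'Subject'")


def audit_certificates(owner_field, certs, directory_entries):
    """Return (label, derived identity or error, found in directory) per cert."""
    known = {entry.casefold() for entry in directory_entries}  # simplified match
    report = []
    for cert in certs:
        try:
            ident = directory_identity(owner_field, cert["subject"], cert.get("upn"))
        except ValueError as exc:
            report.append((cert["label"], f"error: {exc}", False))
            continue
        report.append((cert["label"], ident, ident.casefold() in known))
    return report


# Constructed sample data (not taken from any real CA or directory).
SAMPLE_CERTS = [
    {"label": "card-001", "subject": "/DC=com/DC=domain/OU=organization/CN=user",
     "upn": "user@domain.com"},
    {"label": "card-002", "subject": "/DC=com/DC=domain/OU=organization/CN=Smith, Jane",
     "upn": "jsmith@domain.com"},
    {"label": "card-003", "subject": "/DC=com/DC=domain/OU=contractors/CN=temp",
     "upn": None},
]
SAMPLE_DIRECTORY_DNS = [
    "cn=user,ou=organization,dc=domain,dc=com",
    "CN=Smith\\, Jane,OU=organization,DC=domain,DC=com",
]
SAMPLE_DIRECTORY_UPNS = ["user@domain.com", "jsmith@domain.com"]

if __name__ == "__main__":
    for setting, entries in (("Subject", SAMPLE_DIRECTORY_DNS),
                             ("SAN", SAMPLE_DIRECTORY_UPNS)):
        for label, ident, found in audit_certificates(setting, SAMPLE_CERTS, entries):
            print(f"{setting:8} {label}  {'OK     ' if found else 'NO MATCH'}  {ident}")
```

A certificate that reports no match under the chosen setting would not map to a directory user, so it is worth resolving before two-factor authentication is enforced.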
Each directory server that you want RILOE II to connect to must be issued a certificate. If you install an Enterprise Certificate Service, Active Directory can automatically request and install certificates for all of the Active Directory controllers on the network.

Certificates
By default, RILOE II creates a self-signed certificate for use in SSL connections. The self-signed certificate enables RILOE II to work without any additional configuration steps.
Every time you click Generate Certificate Request, a new certificate request is generated, even though the RILOE II name is the same.
• Import Certificate—If you are returning to the Create Certificate Request page with a certificate to import, click Import Certificate to go directly to the Certificate Import page without generating a new CR. A given certificate only works with the keys contained in the CR from which the certificate was generated.
6. Expand Computer Configuration>Windows Settings>Security Settings>Public Key Policies.
7. Right-click Automatic Certificate Requests Settings, and select New>Automatic Certificate Request.
8. Click Next when the Automatic Certificate Request Setup wizard starts.
9. Select the Domain Controller template, and click Next.
10. Select the certificate authority listed. (It is the same CA defined during the Certificate Services installation.) Click Next.
11. Click Finish to close the wizard.
Systems Insight Manager integration
In this section
• Integrating RILOE II with Systems Insight Manager
• Systems Insight Manager functional overview
• Systems Insight Manager identification and association
• Identify RILOE II processors.
• Create an association between RILOE II and its server.
• Create links between RILOE II and its server.
• View RILOE II and server information and status.
• Control the amount of detailed information displayed for RILOE II.
• Draw a visualization of the ProLiant BL p-Class rack infrastructure.
The following sections give a summary of each function.
• RILOE II from the System Page of the server
The Systems List pages display RILOE II, the server, and the relationship between RILOE II and server. For example, the page can display the server, the RILOE II name next to the server, and RILOE II name IN server in the System Name field for RILOE II. Clicking on a status icon for RILOE II takes you to the RILOE II Web interface. Clicking on the hardware status icon takes you to the Insight Management Agents for the device.
Receiving SNMP alerts in Systems Insight Manager
You can configure RILOE II to forward alerts from the host operating system management agents, and to send RILOE II-generated alerts to Systems Insight Manager. Systems Insight Manager provides support for full SNMP management, and RILOE II supports SNMP trap delivery to Systems Insight Manager. You can view the event log, select the event, and view the additional information about the alert.
The following example shows what the entry is if RILOE II is to be discovered at port 55000 (this should all be on one line in the file):
55000=RILOE II, ,true,false,com.hp.mx.core.tools.identification.mgmtproc.
Directory services
In this section
• Overview of directory integration
• Benefits of directory integration
• How directory integration works
• Standards—Lights-Out directory support builds on top of the LDAP 2.0 standard for secure directory access. How directory integration works Schema-free At the login page, enter a login name and a password. If ActiveX is enabled in the browser, the login name is converted to the directory's DN format and stored in a security cookie in the browser. The browser then loads the home page for RILOE II. RILOE II reads the security cookie and extracts the DN for each page displayed.
Setup for Schema-free directory integration Before setting up the Schema-free option, your system must meet all the prerequisites outlined in the "Active Directory preparation (on page 77)" section. You can set up RILOE II for directories in three ways: • Manually using a browser ("Schema-free browser-based setup" on page 77). • Using a script ("Schema-free scripted setup" on page 77). • Using HPLOMIG ("Schema-free HPLOMIG-based setup" on page 78).
Schema-free HPLOMIG-based setup HPLOMIG is the easiest way to set up a large number of LOM processors for directories. To use HPLOMIG, download the HPQLOMIG utility and additional documentation from the HP website (http://www.hp.com/servers/lights-out). HP recommends using HPLOMIG when configuring many LOM processors for directories.
In some cases, you might not be able to get the maximum login flexibility option to work. For instance, if the client and RILOE II are in different DNS domains, one of the two might not be able to resolve the directory server name to an IP address. Setting up HP schema directory integration When using the HP schema directory integration, RILOE II supports both Active Directory and eDirectory. However, these directory services require the schema to be extended.
For more information on managing the directory service, see "Directory-enabled remote management (on page 103)." Examples are available in the "Directory services for Active Directory (on page 83)" and "Directory services for eDirectory (on page 92)" sections. 5. Handle exceptions: • Lights-Out migration utilities are easier to use with a single Lights-Out role.
Schema installer Bundled with the schema installer are one or more .xml files. These files contain the schema that will be added to the directory. Typically, one of these files will contain core schema that is common to all the supported directory services. Additional files contain only product-specific schemas. The schema installer requires the use of the .NET framework.
will only succeed if the user has rights to do this. Write access to the schema is automatically enabled on Windows® Server 2003. The Directory Login section of the Setup screen enables you to enter your login name and password. These might be required to complete the schema extension. The Use SSL during authentication option sets the form of secure authentication to be used. If selected, directory authentication using SSL is used.
Results The Results screen displays the results of the installation, including whether the schema could be extended and what attributes were changed. Management snap-in installer The management snap-in installer installs the snap-ins required to manage RILOE II objects in a Microsoft® Active Directory Users and Computers directory or Novell ConsoleOne directory.
• Extending the Schema in the Microsoft® Windows® 2000 Server Resource Kit, available at http://msdn.microsoft.com • Installing Active Directory in the Microsoft® Windows® 2000 Server Resource Kit • Microsoft® Knowledge Base Articles • 216999 Installing the remote server administration tools in Windows® 2000 • 314978 Using the Adminpak.
6. Download the Smart Component, which contains the installers for the schema extender and the snap-ins. The Smart Component can be downloaded from the HP website (http://www.hp.com/servers/lights-out). 7. Run the schema installer application to extend the schema, which extends the directory schema with the proper HP objects. The schema installer associates the Active Directory snap-ins with the new schema.
1. Use the HP provided Active Directory Users and Computers snap-ins to create Lights-Out Management objects in the RILOES organizational unit for several RILOE II devices. a. Right-click the RILOES organizational unit found in the testdomain.local domain, and select NewHPObject. b. Select Device in the Create New HP Management Object dialog box. c. Enter an appropriate name in the Name field of the dialog box.
c. Using the Select Users dialog box, select the Lights-Out Management object created in step 2, rib-email-server in folder testdomain.local/RILOES. Click OK to close the dialog, then click Apply to save the list. d. Add users to the role. Click the Members tab, and add users using the Add button and the Select Users dialog box. The devices and users are now associated. 4. Use the Lights Out Management tab to set the rights for the role.
Directory User Context 1 = cn=Users,dc=testdomain,dc=local For example, to gain access, user Mel Moore, with the unique ID MooreM, located in the users organizational unit within the testdomain.local domain, who is also a member of one of the remoteAdmins or remoteMonitors roles, would be allowed to log in to the RILOE II. Mel would enter testdomain\moorem, or moorem@testdomain.
HP Devices The HP Devices tab is used to add the HP devices to be managed within a role. Clicking Add enables you to browse to a specific HP device and add it to the list of member devices. Clicking Remove enables you to browse to a specific HP device and remove it from the list of member devices. Members After user objects are created, the Members tab enables you to manage the users within the role. Clicking Add enables you to browse to the specific user you want to add.
• DNS name Time restrictions You can manage the hours available for logon by members of the role by clicking Effective Hours in the Role Restrictions tab. In the Logon Hours pop-up window, you can select the times available for logon for each day of the week in half-hour increments. You can change a single square by clicking it, or you can change a section of squares by clicking and holding the mouse button, dragging the cursor across the squares to be changed, and releasing the mouse button.
4. Click OK to save the changes. To remove any of the entries, highlight the entry in the display list and click Remove. Active Directory Lights-Out management After a role is created, rights for the role can be selected. Users and group objects can now be made members of the role, giving the users or group of users the rights granted by the role. Rights are managed on the Lights Out Management tab.
• Administer Local Device Settings—This option enables the user to configure the RILOE II management processor settings. These settings include the options available on the Global Settings, Network Settings, SNMP Settings, and Directory Settings screens of the RILOE II Web browser. Directory services for eDirectory The following sections provide installation prerequisites, preparation, and a working example of Directory Services for eDirectory.
Assume samplecorp has an enterprise directory arranged according to the following screen. 1. Begin by creating organizational units in each region, which will contain the Lights-Out Management devices and roles specific to that region. In this example, two organizational units are created, called roles and hp devices, in each organizational unit, region1 and region2. 2.
Repeat the process for several more RILOE II devices with DNS names rib-nntp-server and rib-file-server-users1 in hp devices under region1, and rib-file-server-users2 and rib-app-server in hp devices under region2. 1. Use the HP provided ConsoleOne snap-ins to create HP Role objects in the roles organizational units. a. Right-click the roles organizational unit found in the region2 organizational unit, and select New then Object. b. Select hpqRole from the list of classes and click OK. c.
e. The devices and users are now associated. Use the Lights Out Management Device Rights subtab of the HP Management tab to set the rights for the role. All users within a role will have the rights assigned to the role on all of the RILOE II devices managed by the role. In this example, the users in the remoteAdmins role will be given full access to the RILOE II functionality. Select the boxes next to each right, and click Apply. Click Close to close the property sheet. 3.
Role managed devices The Role Managed Devices subtab under the HP Management tab is used to add the HP devices to be managed within a role. Clicking Add allows you to browse to the specific HP device and add it as a managed device. Members After user objects are created, the Members tab allows you to manage the users within the role. Clicking Add allows you to browse to the specific user you want to add. Highlighting an existing user and clicking Delete removes the user from the list of valid members.
eDirectory Role Restrictions
The Role Restrictions subtab allows you to set login restrictions for the role. These restrictions include:
• Time restrictions
• IP network address restrictions
  • IP/mask
  • IP range
  • DNS name
Time restrictions
You can manage the hours available for logon by members of the role by using the time grid displayed in the Role Restrictions subtab. You can select the times available for logon for each day of the week in half-hour increments.
To remove any of the entries, highlight the entry in the display field and click Delete. Lights-Out Management After a role is created, rights for the role can be selected. Users and group objects can now be made members of the role, giving the users or group of users the rights granted by the role. Rights are managed on the Lights Out Management Device Rights subtab of the HP Management tab. The available rights are: • Login—This option controls whether users can log in to the associated devices.
• Remote Console—This option allows the user access to the Remote Console. • Virtual Media—This option allows the user access to the RILOE II Virtual Floppy and Virtual Media functionality. • Server Reset and Power—This option allows the user to remotely reset the server or power it down. • Administer Local User Accounts—This option allows the user to administer accounts. The user can modify their account settings, modify other user account settings, add users, and delete users.
Test Settings allows you to test the communication between the directory server and RILOE II.

Parameter | Default value | Definition
Disable Directory Authentication | No | This parameter enables or disables directory authentication. If this parameter is set to Yes and directory support is properly configured, this parameter enables user login to RILOE II using directory credentials.
Use Directory Default Schema | Yes | This parameter enables or disables the use of schema-free directories.
Parameter | Default value | Definition
Directory User Context 1, Directory User Context 2, Directory User Context 3 | N/A | This parameter enables you to specify up to three searchable contexts used to locate the user when the user is trying to authenticate using the directory. Directory User Contexts are limited to 128 characters each. Directory User Contexts enable you to specify directory user containers that are automatically searched when an RILOE II login is attempted.
Directory tests To validate current directory settings for RILOE II: 1. Click Test Settings on the Directory Settings page. The Directory Tests page appears. 2. Enter the distinguished name and password of a directory administrator. A good choice would be the same credentials used when creating RILOE II objects in the directory. These credentials are not stored by RILOE II. They are used to verify the RILOE II object and user search contexts. 3. Click Test Directory Settings. 4.
Directory-enabled remote management
In this section
• Introduction to directory-enabled remote management
• Creating roles to follow organizational structure
• How directory login restrictions are enforced
• Using bulk import tools
When using Microsoft® Active Directory, it is possible to place one group within another, creating nested groups. Role objects are considered groups and can include other groups directly. Add the existing nested group directly to the role, and assign the appropriate rights and restrictions. New users can be added to either the existing group or the role. Novell eDirectory does not allow nested groups. In eDirectory, any user that can read a role is considered a member of that role.
How directory login restrictions are enforced Two sets of restrictions potentially limit a directory user's access to LOM devices. User access restrictions limit a user's access to authenticate to the directory. Role access restrictions limit an authenticated user's ability to receive LOM privileges based on rights specified in one or more Roles. Restricting roles Restrictions allow administrators to limit the scope of a role. A role only grants rights to those users that satisfy the role's restrictions.
User restrictions You can restrict access using address or time restrictions. User address restrictions Administrators can place network address restrictions on a directory user account, and these restrictions are enforced by the directory server. Refer to the directory service documentation for details on the enforcement of address restrictions on LDAP clients, such as a user logging in to a LOM device.
the directory server, but if the directory server is located in a different time zone or a replica in a different time zone is accessed, then time zone information from the managed object can be used to adjust for relative time. The directory server evaluates user time restrictions, but the determination can be complicated by time zone changes or authentication mechanism.
Alternatively, the directory administrator could create a role that grants the login right and restrict it to the corporate network, then create another role that grants only the server reset right and restrict it to after-hours operation.
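The two-role arrangement described above, worked through as an added example (it is not HP's code and not part of the guide). Assumptions: the role names, the 10.0.0.0/8 corporate network and the after-hours window are constructed; rights from every role whose restrictions are satisfied are combined; the timestamp passed in is whatever clock the enforcing component uses; DNS-name restrictions are left out.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

SLOTS_PER_DAY = 48  # the logon-hours grid works in half-hour increments


def slot_index(when: datetime) -> int:
    """Half-hour slot of `when` in a 7 x 48 weekly grid (Monday is day 0)."""
    return when.weekday() * SLOTS_PER_DAY + when.hour * 2 + (when.minute >= 30)


def hours(days, start_hour: int, end_hour: int) -> FrozenSet[int]:
    """Allowed slots for the given weekdays from start_hour up to end_hour."""
    return frozenset(d * SLOTS_PER_DAY + s
                     for d in days
                     for s in range(start_hour * 2, end_hour * 2))


@dataclass(frozen=True)
class Role:
    name: str
    rights: FrozenSet[str]
    members: FrozenSet[str]
    allowed_slots: Optional[FrozenSet[int]] = None  # None: no time restriction
    networks: Tuple[str, ...] = ()                  # IP/mask restrictions
    ranges: Tuple[Tuple[str, str], ...] = ()        # inclusive IP range restrictions

    def address_ok(self, client: str) -> bool:
        if not self.networks and not self.ranges:
            return True                             # no address restriction set
        addr = ip_address(client)
        if any(addr in ip_network(net) for net in self.networks):
            return True
        return any(ip_address(lo) <= addr <= ip_address(hi)
                   for lo, hi in self.ranges)

    def time_ok(self, when: datetime) -> bool:
        return self.allowed_slots is None or slot_index(when) in self.allowed_slots

    def applies(self, user: str, client: str, when: datetime) -> bool:
        # A role only grants rights to members that satisfy its restrictions.
        return (user in self.members
                and self.address_ok(client)
                and self.time_ok(when))


def effective_rights(roles, user, client, when):
    """Union of rights from every role whose restrictions this login satisfies
    (combining across roles is an assumption of this example)."""
    granted = set()
    for role in roles:
        if role.applies(user, client, when):
            granted |= role.rights
    return granted


def session_rights(roles, user, client, when):
    """Rights usable in a session; without the Login right there is no session."""
    granted = effective_rights(roles, user, client, when)
    return granted if "Login" in granted else set()


# Constructed sample data: role names, network and hours are illustrative.
AFTER_HOURS = hours(range(7), 0, 6) | hours(range(7), 18, 24)
ROLES = [
    Role("corpLogin", frozenset({"Login"}), frozenset({"moorem"}),
         networks=("10.0.0.0/8",)),
    Role("afterHoursReset", frozenset({"Server Reset and Power"}),
         frozenset({"moorem"}), allowed_slots=AFTER_HOURS),
]

if __name__ == "__main__":
    for label, client, when in [
        ("corporate network, daytime", "10.20.30.40", datetime(2006, 2, 6, 10, 15)),
        ("corporate network, night", "10.20.30.40", datetime(2006, 2, 6, 22, 45)),
        ("outside network, night", "192.0.2.15", datetime(2006, 2, 6, 22, 45)),
    ]:
        print(label, "->", sorted(session_rights(ROLES, "moorem", client, when)))
```

The third case shows the effect of splitting rights across roles: the reset role's time restriction is met, but with no role granting Login from that address the reset right is never usable.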
Programmatic or scripting interfaces can also be used to create the LOM device objects in the same way as users or other objects. The "Directory services schema (on page 187)" section provides details on attributes and attribute data formats when creating LOM objects.
Scripting, command line, and utility options
In this section
• Overview of the Lights-Out DOS utility
• Lights-Out directories migration utilities
• Lights-Out Configuration Utility
Command line argument | Description
/RESET_RILOE | Resets the RILOE II management processor to default factory settings.
/DETECT | Detects the RILOE II management processor on the target server.
/RESET_RILOE | Resets the RILOE II management processor.
/VIRT_FLOPPY | Ignores the virtual floppy inserted error.
/MIN_FW-xxx | Enables you to set the minimum firmware version on which the RILOE II management processor runs.
/GET_STATUS | Returns the status of the RILOE II management processor.
CPQLODOS parameter VERSION is a numeric string that indicates the version of CPQLODOS necessary to process this script. The VERSION string is compared to the version that CPQLODOS can process. An error is returned if the version of CPQLODOS and the version of the script do not match. The VERSION parameter can never be blank. CPQLODOS runtime error The possible CPQLODOS error messages include Version must not be blank. ADD_USER This command is used to add a user to the RILOE II.
Lights-Out directories migration utilities For customers with previously installed management processors, HP created two utilities to simplify the migration of these processors to management by directories. The two utilities are the HPQLOMIG utility and the HPQLOMGC utility. These utilities automate some of the migration steps necessary for the management processors to support directory services.
6. Create a role for the users of the management processor using the HP Lights-Out management snap-in. HP Lights-Out directory package All of the migration software, as well as the schema extender and management snap-ins, are packaged together in an HP Smart Component. To complete the migration of your management processors, the schema must be extended and the management snap-ins must be installed before the migration tool is run.
If you click Next, or Back, or exit the application during discovery, operations on the current network address are completed, but those on subsequent network addresses are canceled. To start the process of discovering your management processors: 1. Click Start and select Programs>Hewlett-Packard, Lights-Out Migration Utility. 2. Click Next to move past the Welcome page. 3. Enter the address or address range you want to search for management processors in the Addresses field. 4.
After the discovery process is complete, you can click Verify to verify the displayed list of management processors or click Next to continue. Upgrading firmware on management processors The Upgrade Firmware page displays after you have completed the discovery process. This page enables you to update the management processors to the firmware version that supports directories or designate the location of the firmware image for each management processor by either entering the path or clicking Browse.
4. After the upgrade is completed, click Next. Selecting a directory access method After completing the firmware upgrade process, the Select Directory Access Method page appears. You can select which management processors to configure (with respect to schema usage) and how they will be configured. The Select Directory Access Method page helps to prevent an accidental overwrite of RILOE IIs already configured for HP schema or those that have directories turned off.
The Select Directory Access Method page determines if the HP Extended schema, schema-free (default schema), or no directories support configuration pages follow. To configure the management processor for: • Directory services, see the "Configuring directories when HP Extended schema is selected (on page 119)" section. • Schema-free (default schema) directories support, see the "Setup for Schema-free directory integration (on page 77)" section.
1. Select Use Network Address, Use DNS Names, or Create Name Using Index. You can also name each management processor directory object manually by clicking twice in the Name check box with a short delay between clicks. 2. If you want to prepend or append the same identifying text to the name of the management processors, enter text in the Prefix or Suffix fields as required. The Prefix and Suffix options are useful in naming groups of related management processors. 3. Click Generate Names.
• Port is the SSL port to the directory. The default entry is 636. Management processors can communicate with the directory only by using SSL. • Login Name and Password fields are used to log in with an account that has domain administrator access to the directory. • Container DN is the location of all the management processor objects in the directory created by the migration utility.
Configuring directories when schema-free integration is selected The Configure Management Processors page appears after selecting to use the directory's default schema and clicking Next on the Select Directory Access Method page. The Configure Management Processors page allows you to configure: • Network Address is the network address of the directory server. The address is either a valid DNS name or IP address.
Smith to log in using John Smith, rather than CN=John Smith,CN=Users, DC=RILOETEST2,DC=HP. The @ format is also supported. For example, @RILOETEST2.HP in a context field enables the user to log in using jsmith (assuming that jsmith is the user's short name). To configure the management processors to communicate with the directory: 1. Enter the user contexts, or click Browse. 2. For Directories Support and Local Accounts option, select Enabled or Disabled.
IMPORTANT: Installing directory support for any management processor requires downloading the HP Smart Component. Refer to the "Pre-migration checklist (on page 113)" and the "HP Lights-Out directory package" sections for additional information. Extending the schema must be completed by a Schema Administrator. To implement directory support on a few management processors: 1. Use Systems Insight Manager to locate all of the management processors in the network. 2. Execute the HPQLOMGC utility. 3.
-V—This switch is optional and sets the HPQLOMGC to Verbose mode. -L —This switch defines where the log file is generated. This switch causes an error if an IP address is not designated. -Q—This switch is optional and sets the HPQLOMGC to Quiet mode. 7. Click Next. A screen is displayed with options for naming the task, defining the query association, and setting a schedule for the task. 8. Enter a task name in the Enter a name for this task field. 9.
RILOE2_CONFIG RIBCL allows for only one firmware image per XML file. The command language for HPQLOMGC has been modified to allow for each management processor to have a specified firmware image within a single XML file. These commands must be displayed within a DIR_INFO block, and DIR_INFO must be in write mode. The management processor is reset after the firmware upgrade is complete.
• Creating a Custom Command ("Create a custom command" on page 126) • Creating a Task ("Create a task" on page 126) Create a customized list A customized list allows you to create a list of a group of management processors and run a task on that list. To create a customized list: 1. In the Systems List pane in the left window, click Customize. 2. In the Customize Lists window, select System List using the Show dropdown menu and click New List. 3.
The Schedule option is available only if the tool can be scheduled. • If you click Run Now, the Task Results screen appears with a summary of the task, the target details, and the status. Query definition in Systems Insight Manager To group all of the RILOE II devices, log in to Systems Insight Manager and create a query. To create the query: 1. Log in to Systems Insight Manager. 2. Click Device in the navigation bar on the top left side of the screen. 3. Click Queries>Device. 4.
NOTE: The -L parameter cannot designate an output log file. A default log file named with the DNS name or the IP address is created in the same directory where CPQLOCFG is launched. 6. Click Next. A screen displays the options for naming the task, defining the query association, and setting a schedule for the task. 7. Enter a task name in the Enter a name for this task field. 8. Select the query that had been created earlier, for example "Mgmt Processors." 9.
Do not use this switch if launching from Systems Insight Manager. NOTE: The output values might need to be modified to match the RIBCL syntax. NOTE: The -L parameter cannot designate an output log file. A default log file named with the DNS name or the IP address is created in the same directory where CPQLOCFG is launched. • -V is the optional switch that turns on the verbose message return.
    print $client '' . "\r\n";
    …
• XML script modification
Opening an SSL connection
Perl scripts must open an SSL connection to the device's HTTPS port, by default port 443.
    # Create the SSL context. No peer certificate verification is configured on it.
    $ctx = Net::SSLeay::CTX_new() or die_now("ERROR: Failed to create SSL_CTX $! ");
    Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL);
    die_if_ssl_error("ERROR: ssl ctx set options");
    # Bind a new SSL object to the already connected socket S and run the handshake.
    $ssl = Net::SSLeay::new($ctx) or die_now("ERROR: Failed to create SSL $!");
    Net::SSLeay::set_fd($ssl, fileno(S));
    Net::SSLeay::connect($ssl) and die_if_ssl_error("ERROR: ssl connect");
    print STDERR 'SSL Connected ';
    print 'Using Cipher: ' .
        $n++;
        $reply .= $lastreply;
        $lastreply = Net::SSLeay::read($ssl);
        die_if_ssl_error("ERROR: ssl read");
        if($lastreply eq "") {
            sleep(2); # wait 2 sec for more text.
            $lastreply = Net::SSLeay::read($ssl);
            last READLOOP if($lastreply eq "");
        }
        sleep(2); # wait 2 sec for more text.
        $lastreply = Net::SSLeay::read($ssl);
        last READLOOP if($lastreply eq "");
    }
    print "READ: $lastreply\n" if $debug;
    if($lastreply =~ m/STATUS="(0x[0-9A-F]+)"[\s]+MESSAGE= '(.*)'[\s]+\/>[\s]*(([\s]|.
• The device will not accept additional XML tags after a syntax error occurs. To send additional XML, a new connection must be established. HPONCFG The HPONCFG utility is an online configuration tool used to set up and configure the iLO management processor and RILOE II from within the Windows® and Linux operating systems without requiring a reboot of the server operating system.
Installing HPONCFG The HPONCFG utility is delivered in separate packages for Windows® and Linux systems. For Windows® systems, it is delivered as a smart component. For Linux systems, it is delivered as an RPM package file. HPONCFG 1.1 is part of SmartStart 7.30. Windows server installation HPONCFG will be installed automatically when ProLiant support pack version 7.30 is installed. The individual HPONCFG 1.1 component cp005299.exe can be downloaded from the HP website (http://h18023.www1.hp.
Typical usage is to select a script that is similar to the desired functionality and modify it for the exact desired functionality. Note that, although no authentication to the iLO management processor or the RILOE II is required, the XML syntax requires that the USER_LOGIN and PASSWORD tags be present in the LOGIN tag, and that these fields contain data. Any data will be accepted in these fields.
Using HPONCFG on Windows servers Start the HPONCFG configuration utility from the command line. When using Microsoft® Windows®, cmd.exe is available by selecting Start>Run>cmd. HPONCFG displays a usage page if HPONCFG is entered with no command line parameters. HPONCFG accepts a correctly formatted XML script. Refer to the "Remote Insight Command Language (on page 138)" section for more information on formatting XML scripts. HPONCFG sample scripts are included in the HPONCFG package.
For security reasons, the user passwords are not returned.
Setting a configuration A specific configuration can be sent to RILOE II by using the command format: HPONCFG /f add_user.xml /l log.
An opening command opens a database. The database remains open until the matching closing command is sent. All changes made within a single command block are applied simultaneously when the database is closed. Any errors within the block cause the enclosed changes to be discarded. An example of an opening command and its matching closing command are as follows: In all examples, the opening and closing commands are displayed.
This tag name indicates that the RILOE II is sending a response to the previous commands back to the client application to indicate the success or failure of the commands that have been sent to the RILOE II. • STATUS This parameter contains an error number. The number 0x0000 indicates that there is no error. • MSG This element contains a message describing the error that happened. If no error occurred, the message No error appears. RIBCL This command is used to start and end an RIBCL session.
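A way to check these responses from an automation script, as an added example (not HP's code and not part of the guide). Assumptions: the reply text is a constructed sample in which each response arrives as its own XML document with a RESPONSE element, the non-zero status value is made up, and the message attribute is accepted under either name because the parameter list above says MSG while the guide's Perl sample matches MESSAGE=.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample reply: two responses, each sent as a separate XML document.
# The 0x0001 status value is illustrative; the message texts appear in this guide.
SAMPLE_REPLY = """<?xml version="1.0"?>
<RIBCL VERSION="2.0">
<RESPONSE
    STATUS="0x0000"
    MESSAGE='No error'
     />
</RIBCL>
<?xml version="1.0"?>
<RIBCL VERSION="2.0">
<RESPONSE
    STATUS="0x0001"
    MESSAGE='User table is full. No room for new user.'
     />
</RIBCL>
"""

# The reply is a stream of documents, so it cannot be parsed as one XML tree.
XML_DECL = re.compile(r"<\?xml[^>]*\?>")

# Fallback pattern for a document that was cut off before its closing tag.
RESPONSE_RE = re.compile(
    r"""STATUS\s*=\s*["'](0x[0-9A-Fa-f]+)["']\s+(?:MESSAGE|MSG)\s*=\s*(["'])(.*?)\2""",
    re.S,
)


def parse_responses(reply):
    """Return a list of (status, message) tuples, one per response in the reply."""
    results = []
    for chunk in XML_DECL.split(reply):
        chunk = chunk.strip()
        if not chunk:
            continue
        try:
            root = ET.fromstring(chunk)
        except ET.ParseError:
            # Truncated or malformed document: recover what the pattern can see.
            for status, _quote, message in RESPONSE_RE.findall(chunk):
                results.append((int(status, 16), message))
            continue
        for resp in root.iter("RESPONSE"):
            status = resp.get("STATUS")
            message = resp.get("MESSAGE", resp.get("MSG", ""))
            # A response without a status is treated as a failure (-1).
            results.append((int(status, 16) if status else -1, message))
    return results


def failures(reply):
    """Responses whose status is anything other than 0x0000 (no error)."""
    return [item for item in parse_responses(reply) if item[0] != 0]


if __name__ == "__main__":
    for status, message in parse_responses(SAMPLE_REPLY):
        flag = "ok  " if status == 0 else "FAIL"
        print(f"{flag} 0x{status:04X} {message}")
```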
LOGIN runtime errors The possible runtime error messages include: • User login name was not found. • Password must not be blank. • Logged-in user does not have required privilege for this command. USER_INFO The USER_INFO command can only appear within a LOGIN command block. When the command is parsed, it reads the local user information database into memory and prepares to edit it. Only commands that are USER_INFO type commands are valid inside the USER_INFO command block.
ADD_USER parameters USER_NAME is the actual name of the user. This parameter can be a combination of any printable characters up to a maximum length of 39 characters. This parameter is case sensitive and must never be blank. USER_LOGIN is the name used to gain access to the respective RILOE II. This parameter can be a combination of any printable characters up to a maximum length of 39 characters.
EMS_PRIV is a Boolean parameter that gives the user permission to use the Windows® Server 2003 EMS service. This parameter is optional, and the Boolean string must be set to "Yes" if the user should be allowed to use EMS services. If this parameter is used, the Boolean string value must never be blank. ADD_USER runtime errors The possible ADD_USER error messages include: • Login name is too long. • Password is too short. • Password is too long. • User table is full. No room for new user.
GET_USER
The GET_USER command will return a local user's information, excluding the password. The USER_LOGIN parameter must exist in the current user database. For this command to parse correctly, the command must appear within a USER_INFO command block, and USER_INFO MODE can be in read or write. The user must have the administrative privilege to retrieve other user accounts; else the user can only view their individual account information. Example:
MOD_USER
The MOD_USER command is used to modify an existing local user’s information. You are not required to enter any of the fields except for the first one, which specifies which user to modify. If any parameter does not need to be modified, you should omit it. MOD_USER must be displayed within a USER_INFO parameter, and USER_INFO must be in write mode. The user login name used to gain access cannot be modified. Example:
REMOTE_CONS_PRIV is a Boolean parameter that gives permission for the user to access the Remote Console functionality. This parameter is optional, and the Boolean string must be set to "Yes" if the user should have Remote Console privileges. If this parameter is used, the Boolean string value must never be left blank. Leaving out this privilege will deny the user access to any Remote Console functionality.
GET_ALL_USERS parameters None GET_ALL_USERS runtime errors The possible GET_ALL_USERS error messages include: User does not have correct privilege for action. ADMIN_PRIV required.
command block, and USER_INFO MODE can be in read or write. The user must have administrative privilege to execute this command. Example: GET_ALL_USER_INFO parameters None GET_ALL_USER_INFO runtime errors The possible GET_ALL_USER_INFO error messages include: User does not have correct privilege for action. ADMIN_PRIV required.
Example: ……… RIB_INFO commands …… RIB_INFO parameters MODE is a specific string parameter with a maximum length of 10 characters that specifies what you intend to do with the information. Valid arguments are "read" and "write." Write mode enables both reading and writing of RILOE II information. Read mode prevents modification of RILOE II information. RIB_INFO runtime errors None RESET_RIB The RESET_RIB command is used to reset RILOE II.
GET_NETWORK_SETTINGS Parameters
There are no parameters for this command.
GET_NETWORK_SETTINGS Runtime Errors
There are no errors for this command.
GET_NETWORK_SETTINGS Return Messages
A possible GET_NETWORK_SETTINGS return message is:
MOD_NETWORK_SETTINGS
The MOD_NETWORK_SETTINGS command modifies certain network settings. This command is only valid inside a RIB_INFO block. The logged-in user must have the configure RILOE privilege, and the mode of the containing RIB_INFO block must be "write." All of these elements are optional and may be left out. If an element is left out, then the current setting is preserved. Example:
IP_ADDRESS is used to select the IP address for the RILOE II if DHCP is not enabled. If an empty string is entered, the current value is deleted.
SUBNET_MASK is used to select the subnet mask for the RILOE II if DHCP is not enabled. If an empty string is entered, the current value is deleted.
GATEWAY_IP_ADDRESS is used to select the default gateway IP address for the RILOE II if DHCP is not enabled. If an empty string is entered, the current value is deleted.
NOTE: The RILOE II is rebooted to apply the changes after MOD_NETWORK_SETTINGS has been closed.
MOD_NETWORK_SETTINGS Runtime Errors
The possible MOD_NETWORK_SETTINGS error messages include:
• RIB information is open for read-only access. Write access is required for this operation.
• User does not have correct privilege for action.
• Logged-in user does not have required privilege for this command.
GET_GLOBAL_SETTINGS
The GET_GLOBAL_SETTINGS command requests the respective RILOE II global settings.
MSG = "Error Message"/>
MOD_GLOBAL_SETTINGS
This command modifies certain global settings. This command is only valid inside a RIB_INFO block. The logged-in user must have the configure RILOE privilege, and RIB_INFO must be in write mode. All of these elements are optional and may be left out. If an element is left out, then the current setting is preserved.
Example:
• 0 = No Change
• 1 = Disabled
• 2 = Automatic
• 3 = Enabled
In the Automatic setting, the Remote Console port is enabled only when a Remote Console session through a browser is in progress, and is disabled otherwise.
POCKETPC_ACCESS determines if the PocketPC access is allowed. The possible values are "Yes" or "No."
REMOTE_CONSOLE_ENCRYPTION determines if Remote Console Data Encryption is enabled or disabled. The possible values are "Yes" and "No.
Each value indicates the level of data returned to a Systems Insight Manager request.
MOD_GLOBAL_SETTINGS runtime errors
The possible MOD_GLOBAL_SETTINGS error messages include:
• RIB information is open for read-only access. Write access is required for this operation.
• The remote console port status value specified is invalid. It needs to be either 0, 1, 2, or 3.
• Invalid SSL Encryption Strength specified. The valid values are 40 and 128.
• User does not have correct privilege for action.
UPDATE_RIB_FIRMWARE parameters
IMAGE_LOCATION takes the full path file name of the firmware upgrade file.
UPDATE_RIB_FIRMWARE runtime errors
The possible UPDATE_RIB_FIRMWARE error messages include:
• RIB information is open for read-only access. Write access is required for this operation.
• Unable to open the firmware image update file.
• Unable to read the firmware image update file.
• The firmware upgrade file size is too big.
FIRMWARE_DATE = MANAGEMENT_PROCESSOR = />
HOTKEY_CONFIG
The HOTKEY_CONFIG command configures the remote console hot key settings in RILOE II. For this command to parse correctly, the command must appear within a RIB_INFO command block, and RIB_INFO MODE must be set to write. The user must have the configure RILOE II privilege to execute this command. Uppercase letters are not supported, and they will be converted automatically to lowercase.
HOTKEY_CONFIG runtime errors
The possible HOTKEY_CONFIG error messages include:
• RIB information is open for read-only access. Write access is required for this operation.
• The hot key parameter specified is not valid.
• Invalid number of hot keys. The maximum allowed is five.
• User does not have correct privilege for action. CONFIG_ILO_PRIV required.
DIR_INFO
The DIR_INFO command can only appear within a LOGIN command block.
GET_DIR_CONFIG runtime errors
None
GET_DIR_CONFIG return messages
Starting with RILOE II 1.80, directory integration can work with HP Lights-Out schema with or without extensions (schema-free). Depending on your directory configuration, the response to GET_DIR_CONFIG contains different data.
MOD_DIR_CONFIG
The MOD_DIR_CONFIG command is used to modify the directory settings on RILOE II. For this command to parse correctly, the MOD_DIR_CONFIG command must appear within a DIR_INFO command block, and DIR_INFO MODE must be set to write. The user must have the configure RILOE II privilege to execute this command.
Examples:
• Extended schema (directory services) configuration example:
NOTE: When using schema-free directories, the following tags must not be used:
• DIR_OBJECT_DN
• DIR_OBJECT_PASSWORD
MOD_DIR_CONFIG parameters
All of the following parameters are optional. If a parameter is not specified, then the parameter value for the specified setting is preserved.
DIR_AUTHENTICATION_ENABLED enables or disables directory authentication. The possible values are "Yes" and "No."
DIR_ENABLE_GRP_ACCT causes RILOE II to use schema-less directory integration.
The values for these parameters are obtained from the directory administrator. Directory User Contexts are limited to 128 characters each.
MOD_DIR_CONFIG runtime errors
The possible MOD_DIR_CONFIG error messages include:
• Directory information is open for read-only access. Write access is required for this operation.
• User does not have correct privilege for action. CONFIG_ILO_PRIV required.
RESET_SERVER parameters
None
INSERT_VIRTUAL_FLOPPY
The INSERT_VIRTUAL_FLOPPY command copies a floppy image to the RILOE II. The INSERT_VIRTUAL_FLOPPY command must appear within a RIB_INFO element, and RIB_INFO must be in write mode. The user must be logged in with virtual media privilege to execute this command.
Example:
EJECT_VIRTUAL_FLOPPY Parameters
There are no parameters for this command.
EJECT_VIRTUAL_FLOPPY Runtime Errors
The possible EJECT_VIRTUAL_FLOPPY error messages are:
• RIB information is open for read-only access. Write access is required for this operation.
• No image present in the Virtual Floppy drive.
• User does not have correct privilege for action.
• Logged-in user does not have required privilege for this command.
Example:
GET_VF_STATUS Parameters
There are no parameters for this command.
GET_VF_STATUS Runtime Errors
There are no errors for this command.
SET_VF_STATUS Runtime Errors
The possible SET_VF_STATUS error messages are:
• RIB information is open for read-only access. Write access is required for this operation.
• An invalid Virtual Floppy option has been given.
• User does not have correct privilege for action.
• Logged-in user does not have required privilege for this command.
GET_HOST_POWER_STATUS
The GET_HOST_POWER_STATUS command displays the server power state from the Virtual Power Button cable.
SET_HOST_POWER Parameters
HOST_POWER enables or disables the Virtual Power Button. The possible values are "Yes" or "No."
SET_HOST_POWER Runtime Errors
The possible SET_HOST_POWER error messages include:
• Server information is open for read-only access. Write access is required for this operation.
• Virtual Power Button feature is not supported on this server.
• Host power is already ON.
• Host power is already OFF.
GET_ALL_CABLES_STATUS
The GET_ALL_CABLES_STATUS command displays the status of all the cables on the RILOE II. The GET_ALL_CABLES_STATUS command must be contained within a SERVER_INFO block.
Example:
GET_ALL_CABLES_STATUS Parameters
There are no parameters for this command.
GET_ALL_CABLES_STATUS Runtime Errors
There are no errors for this command.
GET_TWOFACTOR_SETTINGS parameters
None
GET_TWOFACTOR_SETTINGS runtime errors
None
GET_TWOFACTOR_SETTINGS return messages
Starting with RILOE II 1.20, users can be authenticated with a digital certificate. Depending on the RILOE II Two-Factor Authentication settings, the response to GET_TWOFACTOR_SETTINGS will contain different data.
If telnet, SSH or Serial CLI access is required, re-enable these settings after Two-Factor Authentication is enabled. However, because these access methods do not provide a means of Two-Factor Authentication, only a single factor is required to access the RILOE II with telnet, SSH or serial CLI. When Two-Factor Authentication is enabled, access with the CPQLOCFG utility is disabled, because CPQLOCFG does not supply all authentication requirements.
MOD_TWOFACTOR_SETTINGS parameters
All of the following parameters are optional. If a parameter is not specified, then the parameter value for the specified setting is preserved.
AUTH_TWOFACTOR_ENABLE enables or disables Two-Factor authentication. The possible values are "Yes" and "No."
CERT_REVOCATION_CHECK causes RILOE II to use the CRL distribution point attribute of the client certificate, to download the CRL and check against revocation. The possible values are "Yes" and "No.
Troubleshooting the RILOE II
In this section
Supported client operating systems and browsers
Supported hardware and software
Server PCI Slot and Cable Matrix
Network connection problems
• Red Hat Enterprise Linux ES 2.1
• Red Hat AS 2.1 (including Update 6 & 7)
• Red Hat EL 3.0 - WS, ES, AS (including Update 4 & 5)
• SLES 8 (was UL 1.0)
• SLES 9 (base edition and SP1)
Server PCI Slot and Cable Matrix
For the most recent information, refer to the matrix at the HP website (http://www.hp.com/servers/lightsout).
IMPORTANT: All servers support the keyboard/mouse external cable as well as the AC adapter.
Server PCI Slot Virtual Power Button Cable USB Virtual Floppy/ CD AC Power Adapter (see legend)
ProLiant ML330 4, 5 B
ProLiant ML330 G2 5 G Yes (see note 1)
ProLiant ML330 G3 Any G Yes
ProLiant ML330e 4, 5 B Yes
ProLiant ML350, 600-933 MHz 4, 5, 6 A Yes
ProLiant ML350, 1 GHz 6, 7 B Yes
ProLiant ML350 G2 6 G Yes (see note 1)
ProLiant ML350 G3 Any G Yes
ProLiant ML370 1, 2 A
ProLiant ML370 G2 6 G Yes (see note 1)
ProLiant ML370 G3, 2.4-2.
• D = P/N 195254-B21 (split 4-pin cable) available as a spare kit P/N 195724-001.
• E = P/N 162816-001 (split 4-pin cable) available as a spare kit P/N 166655-001.
• F = P/N 233736-001 (16-to 30-pin cable) Not used with RILOE II.
• G = P/N 241793-010 (30-pin cable) ships with the RILOE II kit.
• H = P/N 216373-001 (16-pin to 13-pin cable) ships with the ProLiant DL760 server.
Notes:
1. The USB Virtual Floppy/CD works under an operating system that natively supports USB.
If you have installed the drivers and agents for the RILOE II, verify that the RILOE II and the management PC are on the same subnet. You can verify this quickly by pinging the Remote Insight board from the management PC. See your network administrator for proper routes to access the network interface of the RILOE II.
Web browser not connecting to the RILOE II IP address
If the Web browser software is configured to use a proxy server, it will not connect to the RILOE II IP address.
NetWare error message table
Error message | Action
Adapter IRQ or memory settings not set | Run the System Configuration Utility.
Unable to allocate resource tag | Apply any relevant NetWare patches. Contact your service provider.
Unable to register NetWare hardware options | Apply any relevant NetWare patches. Run Diagnostics on the RILOE II.
Remote Insight interface type unknown | Upgrade CPQRI.NLM to a newer version.
Unable to initialize the RILOE II | Run Diagnostics on the RILOE II.
When using the Virtual Power Button feature, verify that the Remote Insight internal cable or Virtual Power Button cable is installed correctly.
Inability to upgrade the RILOE II firmware
If you attempt to upgrade the firmware of the RILOE II, and the board does not respond or does not accept the firmware upgrade, you must force the ROM upgrade procedure by changing the default switch settings of SW3 ("Switch settings (SW3) to force ROM upgrade" on page 179).
the cache tab of the Java™ Plug-in Control Panel applet. This should be done for all clients that connect to RILOE II.
Login name and password problems
If you have connected to the board but it does not accept your login name and password, you must verify that your login information is configured correctly. Connect to the RILOE II using your browser, log in with a user name that has administrative access, and reenter the login name and password that are not being accepted.
Video Problems
The RILOE II contains an integrated VGA controller. When the RILOE II is first installed, the server detects this controller and attempts to use it by switching video from the embedded video controller of the server. To avoid this problem, be sure that your monitor is connected to the RILOE II. Refer to "Monitor Cable Connection" for more information.
Some servers contain PCI-based VGA controllers. These controllers must be removed to configure the VGA controller on the RILOE II board.
such as a server power outage or a server reset, and Remote Insight events, such as a loose cable or an unauthorized login attempt.
Integrated Management Log
RILOE II manages the IML of the server, which can be accessed by using a supported browser, even when the server is not operational. This capability can be helpful when troubleshooting remote host server problems. The IML enables you to view logged remote server events.
Event Log Display | Event Log Explanation
Remote Insight Board reset | Appears when the board is reset.
Remote Insight ROM upgrade to # | Is displayed when the ROM has been upgraded.
Remote Insight Board reset for ROMPAQ upgrade | Appears when the board is reset for the ROM upgrade.
Remote Insight Board reset by user diagnostics | Is displayed when the board is reset by a user diagnostics session.
Power restored to Remote Insight Board | Appears when the power is restored to the board.
External power adapter disconnected | Appears when the external power adapter is disconnected.
RIB Firmware upgrade started from browser by: USER | Appears when a user starts a firmware upgrade.
Remote Floppy Inserted by: USER | Is displayed when a user inserts the remote floppy.
Host server reset by: USER | Appears when a user resets the host server.
Host server powered OFF by: USER | Appears when a user powers off a host server.
Code 1: VGA PCI initialization error
• HOST server PCI bus is not functioning correctly
• RILOE II PCI bus is not functioning correctly
• VGA is not functioning correctly
Code 2: IRC PCI initialization error
• HOST server PCI bus is not functioning correctly
• RILOE II PCI bus is not functioning correctly
• IRC is not functioning correctly
Code 3: IRC initialization error
• IRC is not functioning correctly
Code 4: Video initialization error
• Video is not functioning correctly
Code 5: Keyboard system initializati
• Unauthorized, couldn't find RIB object
• Unauthorized, no readable roles
• Unable to read restrictions on object
• Time Restriction Not Satisfied
• IP Restriction Not Satisfied
• Unauthorized
Directory Server connect failed
The RILOE II was not able to connect to the LDAP server. Be sure that the Directory Server Address on the RILOE II Directory Settings Screen is correct, and that the port number corresponds to the LDAP SSL port number used by that directory server, usually port 636.
Unauthorized, no readable roles
An error occurred while reading a ROLE object. The object does not exist, or the current user is not authorized to read it. This error is common for users that are not members of all the roles that are managing the RILOE II.
Unable to read restrictions on object
A ROLE object had no readable value for the Time Restriction attribute. The role was subsequently invalidated. This error is common for users that are not members of all the roles that are managing the RILOE II.
Core attributes
Attribute name | Assigned OID
hpqPolicyDN | 1.3.6.1.4.1.232.1001.1.1.2.1
hpqRoleMembership | 1.3.6.1.4.1.232.1001.1.1.2.2
hpqTargetMembership | 1.3.6.1.4.1.232.1001.1.1.2.3
hpqRoleIPRestrictionDefault | 1.3.6.1.4.1.232.1001.1.1.2.4
hpqRoleIPRestrictions | 1.3.6.1.4.1.232.1001.1.1.2.5
hpqRoleTimeRestriction | 1.3.6.1.4.1.232.1001.1.1.2.6
Core class definitions
The following defines the HP Management core classes.
hpqTarget
OID: 1.3.6.1.4.1.232.1001.1.1.1.
SuperClasses: top
Attributes: hpqPolicyDN—1.3.6.1.4.1.232.1001.1.1.2.1
Remarks: None
Core attribute definitions
The following defines the HP Management core class attributes.
hpqPolicyDN
OID: 1.3.6.1.4.1.232.1001.1.1.2.1
Description: Distinguished Name of the policy that controls the general configuration of this target.
Syntax: Distinguished Name—1.3.6.1.4.1.1466.115.121.1.12
Options: Single Valued
Remarks: None
hpqRoleMembership
OID: 1.3.6.1.4.1.232.1001.1.1.2.
Remarks: If this attribute is TRUE, then IP restrictions will be satisfied for unexceptional network clients. If this attribute is FALSE, then IP restrictions will be unsatisfied for unexceptional network clients.
hpqRoleIPRestrictions
OID: 1.3.6.1.4.1.232.1001.1.1.2.5
Description: Provides a list of IP addresses, DNS names, domain, address ranges, and subnets which partially specify right restrictions under an IP network address constraint.
Syntax: Octet String—1.3.6.1.4.1.1466.115.121.1.
Remarks: This attribute is only used on ROLE objects. Time restrictions are satisfied when the bit corresponding to the current local side real time of the device is 1 and unsatisfied when the bit is 0.
• The least significant bit of the first byte corresponds to Sunday, from 12 midnight to Sunday 12:30 AM.
• Each more significant bit and sequential byte corresponds to the next consecutive half-hour blocks within the week.
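The bit layout described above for the role time restriction can be decoded and audited as follows. This is an added example, not code from the HP guide or its tools: the function names are hypothetical, the 42-byte length is derived from 7 days of 48 half-hour blocks, and `when` is assumed to be the device's local time.

```python
from datetime import datetime

BLOCKS_PER_DAY = 48                      # half-hour blocks in a day
BLOCKS_PER_WEEK = 7 * BLOCKS_PER_DAY     # 336 bits in the weekly bitmap
MASK_BYTES = BLOCKS_PER_WEEK // 8        # 42 bytes (derived, not quoted from the guide)
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]


def block_index(when):
    """Map the device's local time to its half-hour block, counting from Sunday 00:00."""
    day = (when.weekday() + 1) % 7       # datetime uses Monday=0; the bitmap starts on Sunday
    return day * BLOCKS_PER_DAY + when.hour * 2 + (1 if when.minute >= 30 else 0)


def _bit(mask, idx):
    # Block idx is bit (idx % 8) of byte (idx // 8), least significant bit first.
    return (mask[idx // 8] >> (idx % 8)) & 1


def _check_length(mask):
    if len(mask) != MASK_BYTES:
        raise ValueError(f"expected {MASK_BYTES} bytes, got {len(mask)}")


def time_restriction_satisfied(mask, when):
    """True when the bit for `when` is 1; a malformed bitmap is rejected, not guessed at."""
    _check_length(mask)
    return _bit(mask, block_index(when)) == 1


def _half_hours(hhmm):
    hours, minutes = (int(part) for part in hhmm.split(":"))
    blocks = hours * 2 + minutes // 30
    if minutes not in (0, 30) or not 0 <= blocks <= BLOCKS_PER_DAY:
        raise ValueError(f"not a half-hour boundary within one day: {hhmm}")
    return blocks


def build_mask(windows):
    """Build a bitmap from (day, start, end) tuples; day 0 is Sunday, end is exclusive."""
    mask = bytearray(MASK_BYTES)
    for day, start, end in windows:
        if not 0 <= day <= 6:
            raise ValueError(f"day must be 0 (Sunday) to 6 (Saturday): {day}")
        base = day * BLOCKS_PER_DAY
        for idx in range(base + _half_hours(start), base + _half_hours(end)):
            mask[idx // 8] |= 1 << (idx % 8)
    return bytes(mask)


def _fmt(block):
    return f"{block // 2:02d}:{(block % 2) * 30:02d}"


def allowed_windows(mask):
    """Decode a bitmap into per-day (day, start, end) runs so a role can be audited."""
    _check_length(mask)
    windows = []
    for day in range(7):
        start = None
        for block in range(BLOCKS_PER_DAY + 1):
            on = block < BLOCKS_PER_DAY and _bit(mask, day * BLOCKS_PER_DAY + block)
            if on and start is None:
                start = block
            elif not on and start is not None:
                windows.append((DAYS[day], _fmt(start), _fmt(block)))
                start = None
    return windows


if __name__ == "__main__":
    # Constructed sample: a role limited to Monday-Friday, 08:00-18:00.
    office_hours = build_mask([(d, "08:00", "18:00") for d in range(1, 6)])
    print(office_hours.hex())
    print(allowed_windows(office_hours))
    print(time_restriction_satisfied(office_hours, datetime(2006, 2, 5, 12, 0)))  # a Sunday
```

Decoding a role's stored bitmap with `allowed_windows` before assigning users to it shows exactly which half-hour blocks grant access, including any block set outside the intended hours.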
Attributes:
hpqLOMRightConfigureSettings—1.3.6.1.4.1.232.1001.1.8.2.1
hpqLOMRightLocalUserAdmin—1.3.6.1.4.1.232.1001.1.8.2.2
hpqLOMRightLogin—1.3.6.1.4.1.232.1001.1.8.2.3
hpqLOMRightRemoteConsole—1.3.6.1.4.1.232.1001.1.8.2.4
hpqLOMRightServerReset—1.3.6.1.4.1.232.1001.1.8.2.5
hpqLOMRightVirtualMedia—1.3.6.1.4.1.232.1001.1.8.2.6
Remarks: None
Lights-Out Management attribute definitions
The following defines the Lights-Out Management core class attributes.
hpqLOMRightLogin
OID: 1.3.6.1.4.1.232.1001.1.
hpqLOMRightServerReset
OID: 1.3.6.1.4.1.232.1001.1.8.2.4
Description: Remote Server Reset and Power Button Right for HP Lights-Out Management products
Syntax: Boolean—1.3.6.1.4.1.1466.115.121.1.7
Options: Single valued
Remarks: This attribute is only used on ROLE objects. If this attribute is TRUE, members of the role are granted the right.
hpqLOMRightLocalUserAdmin
OID: 1.3.6.1.4.1.232.1001.1.8.2.5
Description: Local User Database Administration Right for HP Lights-Out Management products.
Technical support
In this section
Before you contact HP
HP contact information
Regulatory compliance notices
In this section
Federal Communications Commission notice
Canadian notice (Avis Canadien)
European Union regulatory notice
BSMI notice
• Consult the dealer or an experienced radio or television technician for help.
Modifications
The FCC requires the user to be notified that any changes or modifications made to this device that are not expressly approved by Hewlett-Packard Company may void the user’s authority to operate the equipment.
Declaration of conformity for products marked with the FCC logo, United States only
This device complies with Part 15 of the FCC Rules.
• EMC Directive 89/336/EEC
CE Compliance of this product is valid only if powered with the correct HP-provided and CE marked AC adapter.
If this product has telecommunication functionality, it also complies with the essential requirements of:
• R&TTE Directive 1999/5/EC
*For a notified body number refer to the product regulatory label.
BSMI notice
Japanese notice
Acronyms and abbreviations
ASCII: American Standard Code for Information Interchange
ASM: Advanced Server Management
CA: certificate authority
CR: Certificate Request
DHCP: Dynamic Host Configuration Protocol
DLL: dynamic link library
DNS: domain name system
EMS: Emergency Management Services
GUI: graphical user interface
HPQLOMGC: HP Lights-Out Migration Command Line
HPQLOMIG: HP Lights-Out Migration
iLO: Integrated Lights-Out
IML: Integrated Management Log
IP: Internet Protocol
LDAP: Lightweight Directory Access Protocol
LED: light-emitting diode
LOM: Lights-Out Management
MMC: Microsoft® Management Console
NIC: network interface controller
PCI: peripheral component interface
PERL: Practical Extraction and Report Language
POST: Power-On Self Test
PSP: ProLiant Support Pack
RBSU: ROM-Based Setup Utility
RDP: Remote Desktop Protocol
RIB: Remote Insight Board
RIBCL: Remote Insight Board Command Language
RILOE: Remote Insight Lights-Out Edition
RSM: Remote Server Management
SNMP: Simple Network Management Protocol
SSL: Secure Sockets Layer
UID: unit identification
USB: universal serial bus
XML: extensible markup language