HP Integrity and HP 9000 iLO MP Operations Guide HP Part Number: 5991-6006 Published: January 2008 Edition: Fifth Edition
© Copyright 2008, Hewlett-Packard Development Company, L.P Legal Notices The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Printed in the U.S.
About This Document This document provides information and instructions on how to use the HP Integrated Lights Out Management Processor (iLO MP) for HP 9000 and Integrity servers. The document printing date and part number indicate the document’s current edition. The printing date changes when a new edition is printed. Minor changes may be made at reprint without changing the printing date. The document part number changes when extensive changes are made.
Table 1 Publishing History Details (continued) Document Manufacturing Part Number 5971-4289 Operating Systems Supported HP-UX Microsoft Windows Server 2003 Red Hat Enterprise Linux and SuSE Enterprise Linux Server 5971-4274 HP-UX Microsoft Windows Server 2003 Red Hat Enterprise Linux and SuSE Enterprise Linux Server E1104 HP-UX Microsoft Windows Server 2003 Red Hat Enterprise Linux and SuSE Enterprise Linux Server Supported Servers Publication Date rx1600, rx1620, rx2620, rx2600 cx2600, September 2
Typographic Conventions This document uses the following conventions. WARNING! A warning lists requirements that you must meet to avoid personal injury. CAUTION: A caution provides information required to avoid losing data or avoid losing system functionality. IMPORTANT: Important messages provide essential information to explain a concept or to complete a task. NOTE: A note highlights useful information such as restrictions, recommendations, or important details about HP product features.
Table 2 HP-UX 11i Releases (continued)
Release Identifier    Release Name      Supported Processor Architecture
B.11.22               HP-UX 11i v1.6    Intel Itanium
B.11.23               HP-UX 11i v2      Intel Itanium
Related Documents You can find other information on HP server hardware management, Microsoft Windows, and diagnostic support tools in the following publications. HP Technical Documentation Web Site Server Hardware Information http://docs.hp.com http://docs.hp.
1 Introduction to iLO MP Integrated Lights-Out Management Processor (iLO MP) for entry class HP 9000 and Integrity servers is an autonomous management subsystem embedded directly on the server. It is the foundation of the server’s High Availability (HA), embedded server, and fault management. It also provides system administrators secure remote management capabilities regardless of server status or location.
Always-on Capability The iLO MP is active and available through the LAN and the local console serial port as long as the power cord is plugged in. In the event of a complete power failure, the iLO MP data is protected by a battery backup. Virtual Front Panel The virtual front panel (VFP) presents a summary of the system using direct console addressing. Multiple Access Methods There are several access methods available to access the iLO MP: • • • • IPMI/LAN: Through the iLO MP MAC address.
IMPORTANT: Although the iLO MP can support multiple simultaneous connections of all types, to do so can impact performance. HP does not recommend running more than eight simultaneous connections.
Remote Power Control The iLO MP enables remote power cycle; power on and power off; and TOC. It also provides you with options to reset the system, the BMC, or iLO MP. Event Logging The iLO MP provides event logging, display, and keyword search of console history and system events. Advanced Features The advanced features require the iLO MP Advanced Pack license. See “iLO MP Advanced Pack License” (page 21).
iLO MP Advanced Pack License A free 30-day evaluation license is available for download on the HP web site http://h71028.www7.hp.com/enterprise/cache/279991-0-0-0-121.html The evaluation license activates and accesses iLO MP Advanced features. You can only install one evaluation license per iLO MP. After the evaluation period, an iLO MP Advanced Pack license is required to continue using the advanced features. iLO MP Advanced features automatically deactivate when the evaluation license key expires.
iLO MP Supported Browsers and Client Operating Systems iLO is an independent microprocessor running an embedded operating system. This architecture ensures that the majority of iLO functionality is available regardless of the host operating system. For graceful host operating system shutdown, HP Systems Insight Manager integration requires health drivers and management agents or remote console access. Table 1-2 lists the supported browsers and operating systems on the iLO MP.
Integrity Privacy of iLO enables you to maintain network user accounts and security policies in a central, scalable database that supports thousands of users, devices, and management roles. Verifies that no one has altered incoming commands or data. iLO incorporates trusted Java applets to verify the integrity of data. iLO MP uses SSL for web connections, RSL-RC4 encryption for the remote serial console, and SSH-DES3/DES128 2.0 recommended encryption algorithms for SSH-based connections.
OVerview LIst TOPics HElp Q : : : : : : Launch the help overview Show the list of MP Main Menu commands Enter the command name for help on individual command Show all MP Help topics and commands Display this screen Quit help ==== MP:HE To display the Main Menu Command List, enter LI at the MP HE: prompt. To return to the MP Main Menu enter Q. Accessing Help Using the Web GUI To access help from the web GUI, click the Help tab.
2 Ports and LEDs All iLO MP functions are available through the server LAN and the local and remote console serial port. This chapter describes the available iLO MP port connectors, pinouts, and LEDs. This chapter addresses the following topics: • “Console Serial Port” (page 25) • “iLO MP LAN Port” (page 25) Console Serial Port Figure 2-1 shows the console serial port connector with numbered labels for each pin.
Table 2-2 iLO MP LAN Port Pinouts
Pin Number    Signal Description
1             TXP
2             TXN
3             RXP
4             Not used
5             Not used
6             RXN
7             Not used
8             Not used
iLO MP LAN LEDs (rx4640; rp4410/4440) The internal iLO MP LAN uses an RJ-45 type connector. This connector has two LEDs, LAN link and LAN activity, that signal status and activity. Two versions of the (iLO MP) card exist for these servers. Depending on which version of the card is installed in the server, the iLO MP LAN port LEDs display differently.
Table 2-4 iLO MP LAN LED Status Descriptions (rx4640; rp4410/4440) Card Version 2
LED           Condition    Status
100M green    On           Linked at 100 MBs. No activity
100M green    Blinking     Linked at 100 MBs. Activity present
10M amber     On           Linked at 10 MBs. No activity
10M amber     Blinking     Linked at 10 MBs. Activity present
iLO MP LAN LEDs (rx1600; rx1620; rx2600; rx2620; rp3410/3440) The iLO MP LAN has four LEDs that signal status and activity (Figure 2-5).
Resetting Local User Accounts and Passwords to Default Values If iLO MP user passwords have been lost, or iLO MP local user accounts have been disabled and logging in through the LDAP directory server is unsuccessful because the directory server is down or directory settings have not been configured properly in the LDAP command, you can reset local user accounts and passwords to their default values. To reset local user accounts and passwords to default values, follow these steps: 1. 2. 3.
3 Setting Up and Connecting the Console This chapter provides information on how to set up and connect the console.
Setup Flowchart Use this flowchart as a guide to help set up the iLO MP.
Preparing to Set Up iLO MP Perform the following tasks before you configure the iLO MP LAN. • Determine the physical access method to connect cables. There are two physical connections to the Integrity iLO MP: RS-232 and LAN. • Configure the Integrity iLO MP and assign an IP address if necessary. Although there are several methods of configuring the LAN, HP recommends DHCP with DNS. DHCP with DNS comes preconfigured with default factory settings, including a default user account and password.
Table 3-2 Console Connection Matrix (continued) Operating System Console Connection Method Windows VGA Port (no iLO MP 1. Monitor (VGA) access; EFI only) 2. Keyboard (USB) 3. Mouse (USB) LAN port Required Connection Components 10/100 LAN cable Determining the iLO MP LAN Configuration Method To access the iLO MP through the iLO MP LAN, the iLO MP must acquire an IP address.
• DHCP must be enabled (DHCP is enabled by default). • You are using a DHCP server that provides the domain name and the primary DNS server IP address. • The primary DNS server accepts dynamic DNS (DDNS) updates. • The primary DNS server IP address was configured through the DHCP server. To configure the iLO MP using DHCP and DNS, follow these steps: 1. Obtain the factory-set DNS name from the toe-tag on the server. The DNS name is 14 characters long.
Table 3-4 ARP Ping Commands ARP Command Description arp -s Assigns the IP address to the iLO MP MAC address. This ARP table entry maps the MAC address of the iLO MP LAN interface to the static IP address designated for that interface. ping Tests network connections and verifies that the iLO MP LAN port is configured with the appropriate IP address.
IMPORTANT: Ensure you have a console connection through the console serial port or a network connection through the LAN to access the iLO MP and use the LC command. 1. Ensure the emulation software device is properly configured. The terminal emulation device runs software that interfaces with the server. The software emulates console output as it would appear on an ASCII terminal screen and displays it on a console device screen.
2. Log in using the default iLO MP user name and password (Admin/Admin). TIP: For security reasons, HP strongly recommends you modify the default settings during the initial login session. See “Modifying User Accounts and Default Password” (page 36).
it also acts as the first line of defense against security attacks. A separate network enables you to physically control which workstations are connected to the network. Setting Security Access Determine the security access required and what user accounts and privileges are needed. The iLO MP provides options to control user access.
4 Accessing the Host Console This chapter describes several ways to access the host console of the server. This chapter addresses the following topics: • “Accessing the iLO MP Using the Web GUI” (page 39) • “Accessing the Host Console Using the TUI” (page 40) • “Accessing the Graphic Console Using VGA” (page 41) Accessing the iLO MP Using the Web GUI Web browser access is an embedded feature of the iLO MP.
NOTE: The iLO MP web GUI session times out after five minutes if there is no activity. If you open a remote console terminal window, the system remains open in the web GUI session until you sign out. Figure 4-2 Status Summary Page 4. 5. 6. To select the web GUI functions, click the function tabs at the top of the page. Each function lists options in the navigation bar on the left side of the page. To update the display, click an option link to display data in the display screen; and click Refresh.
Accessing the Graphic Console Using VGA NOTE: You cannot access the iLO MP using VGA. You can only access the graphic console using VGA. Accessing the graphics console using VGA requires these three items: • Monitor (VGA connector) • Keyboard (USB connector) • Mouse (USB connector) The graphic console output displays on the monitor screen. IMPORTANT: The server console output does not display on the console device screen until the server boots to the EFI Shell.
5 Configuring DHCP, DNS, LDAP, and LDAP Lite This chapter provides information on how to configure DHCP, DNS, LDAP extended schema and LDAP Lite default schema. This chapter addresses the following topics: • “Configuring DHCP” (page 43) • “Configuring DNS” (page 44) • “Configuring LDAP Extended Schema” (page 44) • “Configuring LDAP Lite Default Schema” (page 46) Configuring DHCP DHCP enables you to automatically assign reusable IP addresses to DHCP clients.
• Modify MP gateway address: MP:CM> LC -g 192.0.2.1 (or LC -gateway 192.0.2.1) • Set link state to auto negotiate: MP:CM> LC -link auto (or LC -l a) • Set link state to 10 BaseT: MP:CM> LC -link t • Set Remote Serial Console port address: MP:CM> LC -web 2023 (or LC -w 2023) • Set SSH console port address: MP:CM> LC -ssh 22 (or LC -ss 22) Configuring DNS To use the DNS command to display and modify the DNS configuration, follow these steps: 1. 2.
NOTE: The LDAP connection times out after 30 minutes of inactivity. To configure using the web GUI, see “Administration > Directory Settings > LDAP Parameters” (page 86). NOTE: You can only use the LDAP feature if you have iLO MP Advanced Pack licensing. To configure the iLO MP to use a directory server to authenticate a user login, follow these steps: 1. To select command mode, enter CM at the MP Main Menu prompt (MP>). 2. At the command mode prompt (MP:CM>), enter LDAP (for the LDAP configuration). 3.
Login Process Using Directory Services with Extended LDAP You can choose to enable directory services to authenticate users and authorize user privileges for groups of the iLO MPs. The iLO MP directory services feature uses the industry-standard LDAP. HP layers LDAP on top of SSL to transmit the directory services information securely to the directory servers. More information about directory services is available from the HP web site at: http://www.hp.
Setting up Directory Security Groups The following procedure describes how to set up directory security groups in LDAP Lite using the iLO MP TUI. To use the web GUI, see “Administration > Directory Settings > Group Administration” (page 87). NOTE: You must select the default schema from the LDAP command for the LDAP Lite settings to work. To set up directory security groups, follow these steps. 1. At the command mode prompt (MP:CM>), enter LDAP. The screen displays the current LDAP options.
6 Using iLO This chapter provides information and instructions on how to use the iLO MP. This chapter addresses the following topics: • “Text User Interface” (page 49) • “Web GUI” (page 68) Text User Interface This section provides information on the TUI commands you can run in the iLO MP.
VFP (Virtual Front Panel) Displays the virtual front panel VFP presents a summary of the system by using direct console addressing. If the terminal is not recognized by the iLO MP, VFP mode is rejected. Each individual user gets this summary in order to avoid issues related to terminal type and screen display mode. CM (Command Mode) Enter command mode CM switches the console terminal from the MP Main Menu to mirrored command interface mode.
Table 6-2 Alert Levels
Severity    Definition
0           Minor forward progress
1           Major forward progress
2           Informational
3           Warning
5           Critical
7           Fatal
HE (Help) Display help for the menu or command HE displays the iLO MP hardware and firmware version identity, and the date and time of firmware generation. If executed from the MP Main Menu, it displays general information about the iLO MP, and those commands available in the MP Main Menu.
Table 6-3 Command Menu Commands and Descriptions (continued)
Command    Description
MS         Displays the modem status
PC         Controls the remote power
PG         Paging parameter setup
PR         Configures the power restore policy
PS         Displays the power management module status
RB         Resets the BMC
RS         Resets the system through the RST signal
SA         Sets access options
SNMP       Configures SNMP parameters
SO         Configures security options
SS         Displays the system processor status
SYSREV     Displays all firmware revisions
TC         Rese
from a file local to your script. To automatically administer any part of the system during any stage of its operation, you can use the scripting tool to log in to the iLO MP, access the console, and send and receive commands in EFI or the operating system. NOTE: This guide is not meant as a substitute for instruction on various scripting tools that are available for automating command-line interfaces.
# PASSWORD- get password from terminal instead of storing it in the script
stty -echo
send_user "For user $mp_user\n"
send_user "Password: "
expect_user -re "(.
you are asked to confirm the changes. The only exception to this rule is when a password must be entered. In that case, you are prompted for a password separately. However, commands that require a password can have that password entered on the command line (FW, UC). If -nc is specified on a command with no other parameters or with only a specific multilevel selector, the command displays all or just the specific multilevel parameters.
MODEM PRESENCE When the modem might not always be connected, set this parameter to “not always connected.” Example: A modem attached through a switch. In mode “not always connected,” no dial-out functions are allowed: DIAL-BACK is disabled, and PAGING is not possible. The iLO MP mirrors the system console to the iLO MP local, remote/modem, and LAN ports. One console output stream is reflected to all connected console users.
DF displays FRUID information from the BMC for FRU devices. Information provided includes serial number, part number, model designation, name and version number, and manufacturer. Command line usage and scripting: DF [ -specific[ ] | -all ] [ -view ] [ -nc ] -? DI: Disconnect remote/Modem or LAN/Remote Serial Console Command access level: MP configuration access DI disconnects (hangs up) remote/modem, telnet, web SSL, or SSH users from the iLO MP. It does not disable the ports.
mode, HE displays a list of command interface commands available to the user. It also displays detailed help information in response to a topic or command at the help prompt. Command line usage and scripting: HE [ -topic | command ] [ -nc ] -? ID: Display or modify system information Command access level: MP configuration access ID displays and modifies the following: SNMP contact information SNMP server information SPU host name Name, telephone, email, and pager number. Location, rack ID, and position.
LC displays and enables modification of the LAN configuration. IMPORTANT: If you are connected through a network and you make any changes to DHCP status, IP address, subnet mask, or gateway IP address, the iLO MP automatically resets once you confirm the change. If you are connected through a serial console and you make any changes, the iLO MP alerts you to manually reset the iLO MP. Configurable parameters include the following: • • iLO MP IP address.
NOTE: LDAP directory settings is an iLO MP Advanced Pack license feature that enables centralized user account administration using directory services. LDAP displays and enables modification of the following LDAP directory settings: • Directory Authentication: Activates or deactivates directory support on the iLO MP. — Enable with Extended Schema: Selects directory authentication and authorization using directory objects created with HP schema.
| -groups [ -2context ] [ -3context ] [ -change [ -dn ] [ rights ] ] [ -list ]] | -nc ] -? LDAP: LDAP group administration LDAP Group Administration enters one or more directory groups by specifying the distinguished name of the group and privileges to be granted to users who are members of that group. You must configure group administration information when the directory is enabled with the default schema.
LS: LAN status Command access level: Login access LS displays all parameters and the current status of the iLO MP LAN connections. The LAN parameters are not modified by this command. Command line usage and scripting: LS [ -nc ] -? See also: DNS, LC, SA MR: Modem reset Command access level: MP configuration access MR makes the iLO MP send an at z command to the modem, which resets it. Any modem connections are lost. You can view the initialization results by using the MS command.
PC [ -on | -off | -graceful | -cycle ] [ -nc ] -? Example:
[gstlhpg1] MP:CM> pc -on -nc
PC -on -nc
System will be powered on.
-> System is being powered on.
-> Command successful.
[gstlhpg1] MP:CM>
See also: PR, PS PG: Paging parameter setup Command access level: MP configuration access PG configures the pagers and sets triggering events. When the iLO MP receives a new event, the paging list is checked to see if any pagers are enabled for that alert level.
Command line usage and scripting: PS [ -nc ] -? See also: PC, SS RB: Reset BMC Command access level: MP configuration access RB resets the BMC by toggling the GPIO BMC reset line. Command line usage and scripting: RB [ -nc ] -? See also: PC, SS RS: Reset system through RST signal Command access level: Power control access IMPORTANT: During normal system operation, shut down the OS before issuing the RS command. RS resets the system (except iLO MP) through the RST signal.
Command line usage and scripting: SNMP [ -status ] [ -community [ ] ] [ -nc ] -? SO: Configure security options and access control Command access level: MP configuration access SO monitors and changes system-wide security parameters. The following are SO command parameters: Login timeout: zero to five minutes. This is the maximum time allowed to enter login name and password after the connection is established.
BMC FW : 01.20
EFI FW : 01.22
System FW : 01.40
Command line usage and scripting: SYSREV [ -nc ] -? TC: System reset through INIT or TOC signal Command access level: MP configuration access NOTE: During normal operation, shut down the OS before issuing this command. TC causes the system to be reset through the INIT or TOC signal. Running this command irrecoverably halts all system processing and I/O activity and restarts the computer system.
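Scripted sessions that use the -nc option produce command-mode output that can be checked after the fact. The following Python code is an added example, not code from the HP guide: it parses a captured MP:CM> transcript in the format of the PC and SYSREV examples above, reports firmware revisions that differ from an approved baseline, and lists the power and reset commands that were issued. The sample transcript (including the echoed SYSREV line) and the baseline values are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Command-mode prompt as it appears in the guide's PC example:
#   [gstlhpg1] MP:CM> pc -on -nc
PROMPT_RE = re.compile(r"^\[(?P<host>[^\]]+)\]\s+MP:CM>\s*(?P<cmd>.*)$")
# SYSREV output lines as shown in the guide, e.g. "BMC FW : 01.20"
FW_RE = re.compile(r"^\s*(?P<name>.+?)\s+FW\s*:\s*(?P<rev>\S+)\s*$")
SUCCESS_MARK = "-> Command successful."
# Commands the guide documents as changing power or reset state.
DISRUPTIVE = {"PC", "RS", "TC", "RB"}

# Constructed sample capture. The line layout follows the guide's examples;
# the echoed "SYSREV -nc" line is an assumption modelled on the PC echo.
SAMPLE_TRANSCRIPT = """\
[gstlhpg1] MP:CM> sysrev -nc
SYSREV -nc
BMC FW : 01.20
EFI FW : 01.22
System FW : 01.40
[gstlhpg1] MP:CM> pc -on -nc
PC -on -nc
System will be powered on.
-> System is being powered on.
-> Command successful.
[gstlhpg1] MP:CM>
"""

# Constructed baseline of approved revisions (not HP-published values).
APPROVED_BASELINE = {"BMC": "01.20", "EFI": "01.22", "System": "01.41"}


@dataclass
class Command:
    host: str
    name: str
    args: list
    output: list = field(default_factory=list)

    @property
    def no_confirm(self):
        # True when the command was run with the scripting option -nc.
        return any(a.lower() == "-nc" for a in self.args)

    @property
    def succeeded(self):
        return any(line.strip() == SUCCESS_MARK for line in self.output)


def parse_transcript(text):
    """Split a capture into commands, each with the output that followed it."""
    commands, current = [], None
    for line in text.splitlines():
        m = PROMPT_RE.match(line.strip())
        if m:
            parts = m.group("cmd").split()
            if parts:
                current = Command(m.group("host"), parts[0].upper(), parts[1:])
                commands.append(current)
            else:
                current = None  # bare prompt: the previous command is done
        elif current is not None and line.strip():
            current.output.append(line.rstrip())
    return commands  # text before the first prompt (banners) is ignored


def firmware_revisions(commands):
    """Collect {component: revision} from every SYSREV command's output."""
    revs = {}
    for cmd in commands:
        if cmd.name != "SYSREV":
            continue
        for line in cmd.output:
            m = FW_RE.match(line)
            if m:
                revs[m.group("name")] = m.group("rev")
    return revs


def firmware_drift(revs, baseline):
    """Return {component: (found, expected)} for mismatched or missing items."""
    return {name: (revs.get(name), want)
            for name, want in baseline.items() if revs.get(name) != want}


def disruptive_commands(commands):
    """List (host, command, arguments, succeeded) for power/reset commands."""
    return [(c.host, c.name, " ".join(c.args), c.succeeded)
            for c in commands if c.name in DISRUPTIVE]


if __name__ == "__main__":
    cmds = parse_transcript(SAMPLE_TRANSCRIPT)
    print("firmware drift:", firmware_drift(firmware_revisions(cmds), APPROVED_BASELINE))
    for entry in disruptive_commands(cmds):
        print("power/reset command:", entry)
```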
The following commands are available to all users: CL, DATE, DF, HE, LS, MS, PS, SL, SS, SYSREV, TE, VFP, VDP, WHO, XD (status options). An iLO MP user can also have any (or all) of the following rights: • Console Access: Right to access the system console (the host OS).
NOTE: This command is restricted to rx4640 and rp4440 systems. WHO: Display a list of iLO MP connected users Command access level: Login access WHO displays the login name of the connected console client users, the ports on which they are connected, and the mode used for the connection. For LAN and Remote Serial Console clients, the command displays the remote IP address. When DNS is integrated, the host name displays as well. The local port now requires a login.
NOTE: Cookies must be enabled on the web browser in order to successfully log in to the iLO MP web GUI. System Status The System Status tab enables you to access the following pages: • Status Summary: General and Active Users • Server Status: General and Identification • System Event Log System Status > Status Summary General The Status Summary General page (Figure 6-1) displays a brief status summary of the system.
System Status > Status Summary > Active Users The Active Users page (Figure 6-2) displays information about the users currently logged in to the iLO MP. The Disconnect button enables a user with sufficient privileges to disconnect users of a certain access type. Figure 6-2 System Status Summary Active Users Page Table 6-5 lists the fields and descriptions. Table 6-5 Active Users Page Description Field Description Access Type Multiple access methods are available: Serial, telnet, SSH, SSL, or web.
Figure 6-3 System Status > Server Status General Page Table 6-6 lists the fields and descriptions. Table 6-6 Server Status General Page Description Field Description System Power The current power state of the system and the corresponding power LED state. Temperature The temperature status. Power Supplies Lists the power supplies and their status and type. Fans Lists the fans and fan status. System Processors Displays the status of the processor.
Figure 6-4 System Status > Server Status Identification Page Table 6-7 lists the fields and descriptions. Table 6-7 Server Status Identification Page Description Field Description Server Host Name The default host name is mp. Location Enter the location. Rack ID Enter the rack identifier. Position Enter the position. Contact Person Enter contact information in these fields.
Figure 6-5 System Status > System Event Log Page Table 6-8 lists the fields, buttons, and descriptions. Table 6-8 System Event Log Page Description Fields and Buttons Description System Event Log High attention events and errors. Reading the system event log turns off the attention LED (blinking yellow). Forward Progress Log All events. In a web GUI session you cannot view forward progress logs, only system event logs. Boot Log All events between “start of boot” and “boot complete”.
0: Minor forward progress
1: Major forward progress
2: Informational
3: Warning
5: Critical
7: Fatal
Remote Console The Remote Serial Console tab enables you to access the following: • Remote Serial Console • Virtual Serial Port Remote Console > Remote Serial Console The Remote Serial Console page (Figure 6-6) enables you to securely view and manage a remote server. Only a user with console access right can use this feature.
mirrored users at a time has write access to the console. Write access is retained until another user requests console write access. To get console write access, enter Ctrl-Ecf. To ensure proper operation of the remote serial console, verify the following conditions: • Your emulator can run the supported terminal type. • The iLO MP terminal setting in the applet is correct. • The operating system environment settings and your client terminal type are set properly.
The remote serial console provides the console, and the GUI provides the iLO MP menu functionality. Output from the console is stored in nonvolatile memory in the console log, regardless of whether or not any users are connected to a console. The remote serial console option relies on the virtual serial port. Virtual Serial Port The iLO MP contains a virtual serial port that enables it to actually be the console hardware device for the OS.
Figure 6-8 Virtual Devices > Power & Reset Page Table 6-9 lists the fields, buttons, and descriptions. Table 6-9 Power & Reset Page Description Fields and Buttons Description System Power The current power state of the system. System Power Control A user with power control access can issue the following options for remote control of the system power: • Power Cycle: Turns system power off and on. The delay between off and on is 30 seconds.
Table 6-9 Power & Reset Page Description (continued) Fields and Buttons Description System Reset This feature has the following options: • Reset through RST signal: This option causes the system to reset through the RST signal. Under normal operation, shut down the OS before issuing this command. Execution of this command irrecoverably halts all system processing and I/O activity and restarts the computer system.
Figure 6-9 User Administration Page There are two default users: 1. Admin: The Admin user has all four rights (console access, power control, MP configuration, user administration). 2. Oper: The Oper user has the login and console access rights by default. Table 6-10 lists the fields and descriptions. Table 6-10 User Administration Page Description Field Description Select User Select an existing user from the list of user names to edit or delete that account or select New User to add a new user.
Administration > Access Settings > LAN The LAN page (Figure 6-10) enables you to modify the LAN settings. Only a user with configuration access right can use this feature. Figure 6-10 Administration > Access Settings > LAN Page Table 6-11 lists the fields, buttons, and descriptions. Use the following options to modify the LAN settings: Table 6-11 LAN Page Description Fields and Buttons Description Telnet These options are used to enable or disable telnet access to the iLO MP.
Administration > Access Settings > Serial The Serial page (Figure 6-11) enables you to set the serial port parameters. Only a user with configuration access right can use this feature. Figure 6-11 Administration > Access Settings > Serial Page Table 6-12 lists the fields, buttons, and descriptions. Table 6-12 Serial Page Description Fields and Buttons Description Bit Rate in Bits per Second This option enables you to set the baud rate. Input and output data rates are the same.
Figure 6-12 Administration > Access Settings > Login Options Page

Table 6-13 lists the fields, buttons, and descriptions.

Table 6-13 Login Options Page Description

Fields and Buttons | Description
Login Timeout in Minutes | The timeout value in minutes is effective on all ports, including local ports.
Password Faults Allowed | This sets a limit on the number of password faults allowed when logging into the iLO MP. The default number of password faults allowed is three.
Submit | Submits the information.
Figure 6-13 Administration > Network Settings > Standard Page

Table 6-14 lists the fields, buttons, and descriptions.

Table 6-14 Standard Page Description

Fields and Buttons | Description
MAC Address | The 12-digit (hexadecimal) MAC address.
DHCP Status | Enable or Disable.
iLO MP Host Name | The host name set here is displayed at the iLO MP Command interface prompt.
IP Address | The iLO MP IP address. If DHCP is being used, the IP address is automatically supplied.
NOTE: You can only configure the DNS server if DHCP is enabled.

Figure 6-14 Administration > Network Settings > Domain Name Service Page

Table 6-15 lists the fields, buttons, and descriptions.

Table 6-15 DNS Page Description

Fields and Buttons | Description
Use DHCP supplied domain name | Use the DHCP server-supplied domain name.
Domain name | This represents the factory-default DNS name of the subsystem, for example, “hp.com” in “ilo.hp.com”. You can enter a new DNS name.
IMPORTANT: When performing a firmware upgrade that contains system programmable hardware, you must properly shut down any OS that is running before starting the firmware upgrade process. Select the download for the firmware package you need and follow the directions provided in the release notes. After the upgrade, reconnect and log in as user Admin and password Admin (case sensitive).
Table 6-16 Licensing Page Description

Fields and Buttons | Description
Licensing Key Status | The status of the license: inactive if no license has been installed, the type of the license (Evaluation or Permanent), and the number of days remaining if the license installed is an Evaluation license.
Licensing Key | Enter the 25-character license key used to enable the iLO MP Advanced Pack features. Fields are case sensitive.
Submit | Submits the key for activation.
Cancel | Cancels the action.
Table 6-17 LDAP Parameters Page Description

Field | Description
Directory Authentication | Choosing enable or disable activates or deactivates directory support on the iLO MP: • Enable with Extended Schema: selects directory authentication and authorization using directory objects created with HP schema. Select this option if the directory server has been extended with the HP schema.
Figure 6-17 Administration > Directory Settings > Group Administration Page

Table 6-18 lists the fields, buttons, and descriptions.

Table 6-18 Group Administration Page Description

Fields and Buttons | Description
Administrator | Click the Administrator radio button and click the Edit button to open the Group Settings page and enter information.
User | Click the User radio button and click the Edit button to open the Group Settings page and enter information.
Figure 6-18 Administration > SNMP Settings Page

Table 6-19 lists the fields and descriptions.

Table 6-19 SNMP Settings Page Description

Field | Description
SNMP | Choosing Enable or Disable activates or deactivates the SNMP feature support on this iLO MP.
Community String | Configure the community string to secure access to the management information base (MIB) objects. The default is public.
Submit | Submits the information.
Cancel | Cancels the action.
Figure 6-19 Online Help Page

Select any of the topics listed in the left navigation bar to access that particular help screen.
7 Installing and Configuring Directory Services

You can install and configure iLO MP directory services to leverage the benefits of a single point of administration for iLO MP user accounts. This chapter provides information about the features and functions, installation, and configuration of iLO MP directory services.
Features Supported by Directory Integration

iLO MP directory services functionality enables you to:
• Authenticate users from a shared, consolidated, scalable user database.
• Control user privileges (authorization) using the directory service.
• Use roles in the directory service for group-level administration of iLO MP and iLO MP users.

To install Directory Services for the iLO MP, a schema administrator must extend the directory schema. The local user database is retained.
Schema Documentation

To assist with the planning and approval process, HP documents the changes made to the schema during the schema setup process. To review the changes made to your existing schema, see “Directory Services Schema (LDAP)” (page 124).

Directory Services Support

The iLO MP supports the following directory services:
• Microsoft Active Directory
• Microsoft Windows Server 2003 Active Directory
• Novell® eDirectory 8.6.2
• Novell eDirectory 8.
Schema Installer

One or more .xml files are bundled with the schema installer. These files contain the schema that is added to the directory. Typically, one of these files contains core schema that is common to all the supported directory services. Additional files contain only product-specific schema. The schema installer requires the use of the .NET Framework.
Figure 7-2 Schema Setup Screen

The Directory Server section of the Setup screen enables you to select whether to use Active Directory or eDirectory, and to set the computer name and the port to be used for LDAP communications.

IMPORTANT: To extend the schema on Active Directory, you must be an authenticated Schema Administrator, the schema must not be write protected, and the directory must be the flexible single master operation (FSMO) role owner in the tree.
Figure 7-3 Schema Results Screen

Management Snap-In Installer

The management snap-in installer installs the snap-ins required to manage iLO MP objects in a Microsoft Active Directory Users and Computers directory or in a Novell ConsoleOne directory.

To create an iLO MP directory using iLO MP snap-ins, perform the following tasks:
• Create and manage iLO MP objects and role objects.
• Make the associations between iLO MP objects and role objects.
IMPORTANT: To install directory services for the iLO MP, an Active Directory administrator must extend the Active Directory schema.

• Extending the Schema in the Microsoft Windows 2000 Server Resource Kit, available at: http://www.microsoft.com/mspress/books/1394.aspx.
• Installing Active Directory in the Microsoft Windows 2000 Server Resource Kit, available at: http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx/.
   c. Right-click Active Directory Schema and select Operations Master.
   d. Select The Schema may be modified on this Domain Controller.
   e. Click OK.
   The Active Directory Schema folder may need to be expanded for the checkbox to be available.
4. Create a certificate or install certificate services. This step is necessary because the iLO MP uses SSL to communicate with Active Directory. Install Active Directory before installing certificate services.
NOTE: Roles, such as hpqTargets, and so on are for extended schema LDAP only. They are not used in LDAP Lite.

Assume that a company has an enterprise directory including the domain mpiso.com, arranged as shown in Figure 7-4.

Figure 7-4 Directory Example for mpiso.com

1. Create an organizational unit to contain the iLO MP devices managed by the domain. In this example, two organizational units are created, Roles and MPs.
   b. In the Create New HP Management Object dialog box (Figure 7-5), select Device for the type of object.

   Figure 7-5 Create New HP Management Object Dialog Box

   c. In the Name field of the dialog box, enter an appropriate name. In this example, the DNS host name of the iLO MP device, lpmp, is used as the name of the iLO MP object, and the surname is iLO MP.
   d. Enter and confirm a password in the Device LDAP Password and Confirm fields (this is optional).
   e. Click OK.
   c. From the Select Users dialog box (Figure 7-6), select the iLO MP object created in step 2: (lpmp in folder mpiso.com/MPs). Click OK.

   Figure 7-6 Select Users Dialog Box

   d. To save the list, click Apply.
   e. To add users to the role, click the Members tab, and use the Add button and the Select Users dialog box. Devices and users are now associated.
6. Use the Lights Out Management tab (Figure 7-7) to set the rights for the role.
10. Click Apply and click OK.

Members of the remoteMonitors role are able to authenticate and view the server status.

User rights to any iLO MP are calculated as the sum of all the rights assigned by all the roles in which the user is a member and the iLO MP is a managed device. Following the preceding examples, if a user is included in both the remoteAdmins and remoteMonitors roles, the user has all the rights of those roles, because the remoteAdmins role also has those rights.
Figure 7-8 HP Devices Tab

• To browse to a specific HP device and add it to the list of member devices, click Add.
• To browse to a specific HP device and remove it from the list of member devices, click Remove.

Managing Users in a Role

After user objects are created, use the Members tab (Figure 7-9) to manage the users within the role.
Figure 7-9 Members Tab

• To add a user, browse to the specific user you want to add and click Add.
• To remove a user from the list of valid members, highlight an existing user and click Remove.

Setting Login Restrictions

The Role Restrictions tab (Figure 7-10) enables you to set login restrictions for a role.
Figure 7-10 Role Restrictions Tab

• Time Restrictions
• IP Network Address Restrictions
  — IP/Mask
  — IP Range
  — DNS Name

Setting Time Restrictions

You can set the following time restrictions from the Role Restrictions tab.
• To manage the hours available for login by members of the role, click the Effective Hours button. The Logon Hours screen appears.
• change a section of squares by clicking and holding the mouse button, dragging the cursor across the squares to be changed, and releasing the mouse button. Use the default setting to allow access at all times.

Defining Client IP Address or DNS Name Access

You can grant or deny access to an IP address, IP address range, or DNS names.
Figure 7-13 Lights Out Management Tab

Table 7-1 lists the available rights.

Table 7-1 Lights Out Management Rights

Right | Description
Login | This option controls whether users can log in to the associated devices and execute Status or Read-only commands (view event logs and console logs, check system status, power status, and so on) but not execute any commands that would alter the state of the iLO MP or the system.
NOTE: After you install snap-ins, restart ConsoleOne and MMC to show the new entries.

Creating and Configuring Directory Objects for Use with iLO MP Devices in eDirectory

The following example demonstrates how to set up roles and HP devices in a company called samplecorp, which consists of two regions: region1 and region2. Assume that samplecorp has an enterprise directory arranged as shown in Figure 7-14.
2. From the region1 organizational unit, right-click the hp devices organizational unit. Select New, and select Object.
   a. Select hpqTarget from the list of classes, and click OK.
   b. Enter an appropriate name and surname in the New hpqTarget dialog box. In this example, the DNS host name of the iLO MP device, rib-email-server, is used as the name of the iLO MP object, and the surname is RILOEII (iLO MP). Click OK. The Select Object Subtype dialog box (Figure 7-15) appears.
   a. Right-click the remoteAdmins role in the roles organizational unit in the region1 organizational unit, and select Properties.
   b. Select Role Managed Devices on the HP Management tab, and click Add.
   c. Using the Select Objects dialog box, browse to the HP devices organizational unit in the region1 organizational unit.
   d. Select the three iLO MP objects created in step 2.
   e. Click OK and click Apply.
   f. Add users to the role.
devices,ou=region1,o=samplecorp
Directory User Context 1 = ou=users,o=samplecorp

For example, user CSmith (located in the users organizational unit within the samplecorp organization, who is also a member of one of the remoteAdmins or remoteMonitors roles) would be allowed to log in to the iLO MP. He would enter csmith (case insensitive) in the Login Name field of the iLO MP login, and use his eDirectory password in the Password field to gain access.
Figure 7-18 Members Tab (eDirectory)

Setting Role Restrictions

The Role Restrictions subtab (Figure 7-19) enables you to set login restrictions for a role. These restrictions include the following:
• Time Restrictions
• IP Network Address Restrictions
  — IP/Mask
  — IP Range
• DNS Name

Figure 7-19 Role Restrictions Subtab (eDirectory)

Setting Time Restrictions

You can manage the hours available for login by members of a role using the time grid displayed in the Role Restrictions subtab (Figure 7-19).
day of the week in half-hour increments. You can change a single square by clicking it or change a section of squares by clicking and holding the mouse button, dragging the cursor across the squares to be changed, and releasing the mouse button. The default setting is to allow access at all times.

Defining Client IP Address or DNS Name Access

You can grant or deny access to an IP address, IP address range, or DNS names.
Figure 7-21 Lights-Out Management Device Rights Tab

Table 7-2 describes the rights available.

Table 7-2 Lights-Out Management Device Rights

Right | Description
Login | This option controls whether users can log in to the associated devices and execute status or read-only commands (view event logs and console logs, check system status, power status, and so on) but not execute any commands that would alter the state of the iLO MP or the system.
To ensure you have the correct version of JRE installed on your system, follow these steps:
1. To determine the Java version, execute the following command:
   # java -version
   The Java version installed on your system is displayed.
2. If Java is not installed on your system, execute the following command:
   # rpm -iv j2re-1_4_2_04-linux-i586.rpm
   NOTE: You can download this rpm file from the Java website at http://java.sun.com.
1. Run ConsoleOne and log on to the tree.
2. Verify the new classes by opening the Schema Manager from the Tools menu. All the classes related to the HP Directory Services must be present in the classes list. The classes are hpqRole, hpqTarget, hpqPolicy, and hpqLOMv100.

Using the LDAP Command to Configure Directory Settings in iLO MP

To configure iLO MP LDAP directory settings, use the LDAP Command Menu in the iLO MP CLI.
Current -> o=mp
Enter new value, or Q to Quit:
-> Current User Search Context 1 has been retained

User Search Context 2:
Current -> o=demo
Enter new value, or Q to Quit:
-> Current User Search Context 2 has been retained

User Search Context 3:
Current -> o=test
Enter new value, or Q to Quit:
-> Current User Search Context 3 has been retained

New Directory Configuration (* modified values):
*L – LDAP Directory Authentication: Enabled
M – Local MP User database : Enabled
*I - Directory Server I
Certificate Services

The following sections provide instructions for installing Certificate Services, verifying directory services, and configuring automatic certificate requests.

Installing Certificate Services

To install Certificate Services, follow these steps:
1. Select Start>Settings>Control Panel.
2. Double-click Add/Remove Programs.
3. Click Add/Remove Windows Components to start the Windows Components wizard.
4. Select the Certificate Services checkbox.
5. Click Next.
Directory-enabled remote management enables you to:
• Create iLO MP objects
  Each device object created represents each device that will use the directory service to authenticate and authorize users. For additional information on creating iLO MP device objects for Active Directory and eDirectory, see “Directory Services” (page 91), “Directory Services for Active Directory” (page 96), and “Directory Services for eDirectory” (page 107). In general, you can use the snap-ins provided by HP to create objects.
The following figure shows one way that an administrative user gains Admin Role right. The Admin User’s initial login right is granted through the regular user role. After the initial login, more advanced rights are assigned to the Admin User through the Admin Role such as Server Reset and Remote Console. In the following figure, the Admin User gains the Admin Role right in a different way.
MP firmware can cause the iLO MP device clock not to be set. Also, the host time must be correct for the iLO MP device to preserve time across firmware flashes.

IP Address Range Restrictions

IP address range restrictions enable you to specify network addresses that are granted or denied access by the restriction. The address range is typically specified in a low-to-high range format. You can specify an address range to grant or deny access to a single address.
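The role evaluation this chapter describes (rights summed over every role that lists both the user and the iLO MP, with role IP address range and time restrictions), as an added Python example that is not HP code. It assumes that a role whose restrictions are not met contributes no rights and that time restrictions are checked against the iLO MP device clock; the Role and IPRestriction classes, the sample addresses, and the user jdoe are constructed, while the role names, the device name lpmp, and the hpqLOMRight* names come from this guide.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

# Right names are the hpqLOMRight* attributes listed in the schema tables.
LOGIN = "hpqLOMRightLogin"
ALL_RIGHTS = frozenset({
    LOGIN, "hpqLOMRightRemoteConsole", "hpqLOMRightVirtualMedia",
    "hpqLOMRightServerReset", "hpqLOMRightLocalUserAdmin",
    "hpqLOMRightConfigureSettings",
})

@dataclass
class IPRestriction:
    """Hypothetical model of a role's IP Range and IP/Mask entries."""
    mode: str                                      # "grant" or "deny"
    ranges: list = field(default_factory=list)     # (low, high), inclusive
    networks: list = field(default_factory=list)   # "address/mask" strings

    def permits(self, client_ip):
        addr = ip_address(client_ip)
        listed = any(ip_address(lo) <= addr <= ip_address(hi)
                     for lo, hi in self.ranges)
        listed = listed or any(addr in ip_network(net, strict=False)
                               for net in self.networks)
        # grant: only listed clients pass; deny: every client except listed ones
        return listed if self.mode == "grant" else not listed

@dataclass
class Role:
    name: str
    members: set
    devices: set
    rights: set
    ip: IPRestriction = None   # None: no address restriction
    hours: set = None          # allowed (weekday, half-hour slot); None: always

    def applies(self, user, device, client_ip, device_time):
        if user not in self.members or device not in self.devices:
            return False
        if self.ip is not None and not self.ip.permits(client_ip):
            return False
        if self.hours is not None:
            # Half-hour grid, evaluated against the iLO MP clock (assumption).
            slot = device_time.hour * 2 + device_time.minute // 30
            return (device_time.weekday(), slot) in self.hours
        return True

def effective_rights(roles, user, device, client_ip, device_time):
    """Union of the rights of every role that applies to this login."""
    granted = set()
    for role in roles:
        if role.applies(user, device, client_ip, device_time):
            granted |= role.rights
    return granted

def sample_roles():
    """Constructed data: addresses and the user jdoe are illustrative."""
    weekdays_8_to_18 = {(d, s) for d in range(5) for s in range(16, 36)}
    return [
        Role("remoteAdmins", {"csmith"}, {"lpmp"}, set(ALL_RIGHTS),
             ip=IPRestriction("grant", ranges=[("192.0.2.10", "192.0.2.20")]),
             hours=weekdays_8_to_18),
        Role("remoteMonitors", {"csmith", "jdoe"}, {"lpmp"}, {LOGIN}),
    ]

if __name__ == "__main__":
    tuesday = datetime(2008, 1, 15, 10, 15)
    for ip in ("192.0.2.15", "198.51.100.7"):
        rights = effective_rights(sample_roles(), "csmith", "lpmp", ip, tuesday)
        print(ip, sorted(rights))
```

From outside the granted range, or outside the allowed hours, the same user keeps only the Login right contributed by the unrestricted remoteMonitors role, which is the case to review when a restriction is meant to block access entirely.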
Figure 7-22 Directory Login Enforcement

How User Time Restrictions Are Enforced

You can place a time restriction on directory user accounts. Time restrictions limit the ability of the user to log in (authenticate) to the directory.
iLO MP device as a directory user, the iLO MP device attempts authentication to the directory as that user, which means that address restrictions placed on the user account apply when accessing the iLO MP device. However, because the user is proxied at the iLO MP device, the network address of the authentication attempt is that of the iLO MP device, not that of the client workstation.
Figure 7-25 Restricting Reset Role

Directory Services Schema (LDAP)

A directory schema specifies the types of objects that a directory can have and the mandatory and optional attributes of each object type. The following sections describe both the HP management core, and the LDAP object identifier classes and attributes that are specific to iLO MP.
Table 7-4 Core Attributes (continued)

Attribute Name | Assigned OID
hpqRoleIPRestrictions | 1.3.6.1.4.1.232.1001.1.1.2.5
hpqRoleTimeRestriction | 1.3.6.1.4.1.232.1001.1.1.2.6

Core Class Definitions

Table 7-5, Table 7-6, and Table 7-7 define the HP management core classes.

hpqTarget

Table 7-5 hpqTarget

OID | 1.3.6.1.4.1.232.1001.1.1.1.1
Description | This class defines Target objects, providing the basis for HP products using directory-enabled management.
hpqPolicyDN

Table 7-8 hpqPolicyDN

OID | 1.3.6.1.4.1.232.1001.1.1.2.1
Description | This attribute provides the Distinguished Name of the policy that controls the general configuration of this target.
Syntax | Distinguished Name—1.3.6.1.4.1.1466.115.121.1.12
Options | Single Valued
Remarks | None

hpqRoleMembership

Table 7-9 hpqRoleMembership

OID | 1.3.6.1.4.1.232.1001.1.1.2.2
Description | This attribute provides a list of hpqTarget objects to which this object belongs.
Syntax | Distinguished Name—1.3.6.1.4.
hpqRoleIPRestrictions

Table 7-12 hpqRoleIPRestrictions

OID | 1.3.6.1.4.1.232.1001.1.1.2.5
Description | This attribute provides a list of IP addresses, DNS names, domain, address ranges, and subnets, which partially specify right restrictions under an IP network address constraint.
Syntax | Octet String—1.3.6.1.4.1.1466.115.121.1.40
Options | Multi Valued
Remarks | This attribute is only used on Role objects.
iLO MP Attributes

Table 7-15 iLO MP Attributes

Class Name | Assigned OID
hpqLOMRightLogin | 1.3.6.1.4.1.232.1001.1.8.2.1
hpqLOMRightRemoteConsole | 1.3.6.1.4.1.232.1001.1.8.2.2
hpqLOMRightVirtualMedia | 1.3.6.1.4.1.232.1001.1.8.2.3
hpqLOMRightServerReset | 1.3.6.1.4.1.232.1001.1.8.2.4
hpqLOMRightLocalUserAdmin | 1.3.6.1.4.1.232.1001.1.8.2.5
hpqLOMRightConfigureSettings | 1.3.6.1.4.1.232.1001.1.8.2.6

iLO MP Class Definitions

Table 7-16 defines the iLO MP core class.

hpqLOMv100

Table 7-16 hpqLOMv100

OID | 1.3.
hpqLOMRightRemoteConsole

Table 7-18 hpqLOMRightRemoteConsole

OID | 1.3.6.1.4.1.232.1001.1.8.2.2
Description | Remote console right for iLO MP products. Meaningful only on Role objects.
Syntax | Boolean—1.3.6.1.4.1.1466.115.121.1.7
Options | Single valued
Remarks | This attribute is only used on Role objects. If this attribute is TRUE, members of the role are granted the right.

hpqLOMRightServerReset

Table 7-19 hpqLOMRightServerReset

OID | 1.3.6.1.4.1.232.1001.1.8.2.
Glossary

A

Address
    In networking, a unique code that identifies a node in the network. Names such as host1.hp.com are translated to dot-quad addresses like 168.124.3.4 by the Domain Name Service (DNS).
Address Path
    An address path is one in which each term has the appropriate intervening addressing association.
Administrator
    A person managing a system through interaction with management clients, transport clients, and other policies and procedures.
ARP
    Address Resolution Protocol.
DNS
    Domain Name Server. The server that typically manages host names in a domain. DNS servers translate host names, such as www.example.com, into Internet Protocol (IP) addresses, such as 030.120.000.168.
    Domain Name Service. The data query service that searches domains until a specified host name is found.
    Domain Name System. A distributed, name resolution system that enables computers to locate other computers on a network or the Internet by domain name.
Host Name
    The name of a particular machine within a domain. Host names always map to a specific Internet Protocol (IP) address.
HTTP
    The Internet protocol that retrieves hypertext objects from remote hosts. HTTP messages consist of requests from client to server and responses from server to client. HTTP is based on Transmission Control Protocol/Internet Protocol (TCP/IP).
N

Network Interface Card (NIC)
    An internal circuit board or card that connects a workstation or server to a networked device.
Network mask
    A number used by software to separate a local subnet address from the rest of an Internet Protocol (IP) address.
Node
    An addressable point or device on a network. A node can connect a computing system, a terminal, or various peripheral devices to the network.

O

Options
    Options control command verb behavior.
Subnet Mask
    A bit mask used to select bits from an Internet address for subnet addressing. The mask is 32 bits long, and selects the network portion of the Internet address and one or more bits of the local portion. Also called an address mask.
System Event Log (SEL)
    A log that provides nonvolatile storage for system events that are logged autonomously by the service processor, or directly with event messages sent from the host.