HP Integrity iLO 2 Operations Guide
Role Time Restrictions
You can place time restrictions on iLO 2 roles. Users are only granted rights that are specified for
the iLO 2 devices listed in the role if they are members of the role and meet the time restrictions
for that role.
The iLO 2 devices use local host time to enforce time restrictions. If the iLO 2 device clock is not
set, the role time restriction fails (unless no time restrictions are specified on the role).
Role-based time restrictions can only be enforced if the time is set on the iLO 2 device. The time is
normally set when the host is booted and is maintained by running the agents in the host operating
system, which enables the iLO 2 device to compensate for leap years and minimize clock drift with
respect to the host. Events such as unexpected power loss or the flashing of MP firmware can cause
the iLO 2 device clock not to be set. Also, the host time must be correct for the iLO 2 device to
preserve time across firmware flashes.
IP Address Range Restrictions
IP address range restrictions enable you to specify network addresses that are granted or denied
access by the restriction. The address range is typically specified in a low-to-high range format.
You can specify an address range to grant or deny access to a single address. Addresses that fall
within the low-to-high IP address range meet the IP address restriction.
IP Address and Subnet Mask Restrictions
IP address and subnet mask restrictions enable you to specify a range of addresses that are granted
or denied access by the restriction. This format has similar capabilities to those in an IP address
range but can be more native to your networking environment. An IP address and subnet mask
range is typically specified using a subnet address and address bit mask that identifies addresses
on the same logical network.
In binary math, if the bits of a client machine address are ANDed with the bits of the subnet mask,
and the resulting bits match the restriction subnet address, the client machine meets the restriction.
DNS-Based Restrictions
DNS-based restrictions use the network naming service to examine the logical name of the client
machine by looking up machine names assigned to the client IP addresses. DNS restrictions require
a functional name server. If the name service fails or cannot be reached, DNS restrictions cannot
be matched and will fail.
DNS-based restrictions can limit access to a single, specific machine name or to machines sharing
a common domain suffix. For example, the DNS restriction www.hp.com matches hosts that are
assigned the domain name www.hp.com. However, the DNS restriction *.hp.com matches any
machine originating from HP.
DNS restrictions can cause some ambiguity because a host can be multi-homed. DNS restrictions
do not necessarily match one-to-one with a single system.
Using DNS-based restrictions can create some security complications. Name service protocols are
insecure. Any individual with malicious intent and access to the network can place a rogue DNS
service on the network, creating fake address restriction criteria. Organizational security policies
should be taken into consideration when implementing DNS-based address restrictions.
Role Address Restrictions
Role address restrictions are enforced by the MP firmware, based on the client's IP network address.
When the address restrictions are met for a role, the rights granted by the role apply.
Address restrictions can be difficult to manage if access is attempted across firewalls or through
network proxies. Either of these mechanisms can change the apparent network address of the
client, causing the address restrictions to be enforced in an unexpected manner.
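The range, subnet mask, and DNS checks described in the sections above, modeled in Python as an added example; this is not HP firmware code and not part of the original guide. The function names, the injected resolver, and the 192.0.2.x and example.com sample values are constructed assumptions, and the model treats a failed name lookup as a non-match, as the DNS section states.

```python
import ipaddress

def in_range(client, low, high):
    """Low-to-high range restriction; low == high restricts a single address."""
    addr = ipaddress.ip_address(client)
    return ipaddress.ip_address(low) <= addr <= ipaddress.ip_address(high)

def in_subnet(client, subnet, mask):
    """Client address AND mask must equal the restriction subnet address."""
    masked = int(ipaddress.ip_address(client)) & int(ipaddress.ip_address(mask))
    return masked == int(ipaddress.ip_address(subnet))

def dns_match(client, pattern, resolver):
    """Match the client's looked-up name against an exact name or *.suffix.
    A failed lookup cannot match, so the restriction is not met."""
    try:
        name = resolver(client).lower().rstrip(".")
    except OSError:
        return False
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return name.endswith(pattern[1:])  # keep the leading dot: label boundary
    return name == pattern

# Constructed reverse-lookup table standing in for a name server.
PTR = {"192.0.2.10": "admin1.example.com", "192.0.2.77": "proxy.example.net"}

def fake_resolver(ip):
    if ip not in PTR:
        raise OSError("name service unreachable or no record")
    return PTR[ip]

def evaluate(client):
    """Run each restriction type against one apparent client address."""
    return {
        "range": in_range(client, "192.0.2.1", "192.0.2.50"),
        "subnet": in_subnet(client, "192.0.2.0", "255.255.255.192"),
        "dns": dns_match(client, "*.example.com", fake_resolver),
    }

if __name__ == "__main__":
    print("direct   ", evaluate("192.0.2.10"))   # admin workstation seen directly
    print("via proxy", evaluate("192.0.2.77"))   # same user, but the proxy's address is seen
    print("no PTR   ", evaluate("192.0.2.20"))   # in range, but the name lookup fails
```

The second call shows why a proxy breaks all three checks at once: only the apparent address is evaluated. The DNS check is only as trustworthy as the resolver that answers it.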
198 Installing and Configuring Directory Services