ISS Technology Focus, Volume 10, Number 1
Resource: HP Power Capping and Dynamic Power Capping for ProLiant Servers
URL: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c01549455/c01549455.pdf?jumpid=reg_R1002_USEN
Resource: VMware Knowledge Base article on ESX virtual machine performance and hardware power management
URL: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1018206
Kerberos technology with HP Integrated Lights-Out 3 version 1.2
HP Integrated Lights-Out 3 (iLO 3) firmware version 1.2 supports Kerberos technology as a protocol for network
authentication. MIT (Massachusetts Institute of Technology) developed the Kerberos authentication protocol to address the
following network security issues for client/server applications:
- Some client/server applications send unencrypted passwords over the network, making them extremely vulnerable to malicious hackers who use tools to "sniff" passwords off the network.
- Some applications rely on the client to deny access to unauthorized users without enforcement by the server.
- Firewalls may protect networks from outside malicious attacks, but they ignore the damage that "insiders" can inflict on networks.
Kerberos enables a client to prove its identity to a server (and vice versa) across an insecure network connection by using
secret-key cryptography. In secret-key cryptography, the client and server agree on a single secret key. Kerberos can use OS
two-factor authentication, if configured, requiring the user to provide two means of identification. After the client and server
use Kerberos for identification, all communications between them are authenticated and encrypted to assure privacy and data integrity.
After authentication in a Microsoft® Windows® environment, a user obtains a "ticket" from the login domain. With this
ticket, the user can access authorized devices, like iLO, and does not have to re-enter login credentials as they move from
one iLO device to another. You can manage user access from a centralized location. All of this lowers IT costs.
In a Linux environment, you must configure Lightweight Directory Access Protocol (LDAP) for authorization to access iLO 3.
The Kerberos portion of an iLO 3 solution includes two components:
- Kerberos with Generic Security Services Application Programming Interface (GSSAPI): GSSAPI is part of the Kerberos client. It standardizes the interface between Kerberos (and other providers) and higher-level software.
- Simple and Protected GSSAPI Negotiation (SPNEGO): SPNEGO is part of the Windows client. It provides negotiation for NT LAN Manager (NTLM) or Kerberos through HTTP headers.
The additional resources below provide further information on Kerberos technology.
Additional resources
Resource: For more information on MIT and Kerberos
URL: http://web.mit.edu/kerberos/
Resource: For details on Windows 2000 Kerberos Authentication
URL: http://technet.microsoft.com/en-us/library/bb742431.aspx
Resource: For more information on SPNEGO
URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-2.asp