
Directory Support for iLO and RILOE II

Questions & Answers


HP Integrated Lights-Out provides industry-leading, effective and efficient access security to protect IT assets against malicious activities. Integration with enterprise-class directory services and strong, two-factor authentication allow iLO to be deployed with confidence in any environment.


Questions

General
1. What user security is available to control iLO access?
2. What user security is available to control access to RILOE II management devices?
3. What Lights-Out management privileges can be assigned to individual users or groups of users?
4. Where can I find information to help set up iLO and RILOE II user security?
5. What are the benefits of managing Lights-Out access through directory services?
 
Schema-free Active Directory integration
1. How does iLO schema-free directory integration work?
2. What are the benefits of iLO's schema-free integration?
3. If the HP schema extension has already been implemented, should I convert to the schema-free approach?
4. Is there any difference in the reliability of schema-free and HP schema extension directory integration?
5. Is schema-free support provided for Novell eDirectory or RILOE II?
 
HP schema directory integration
1. Now that HP supports schema-free Active Directory integration, should customers still consider the HP schema directory integration?
2. What utilities do I need to enable the HP schema directory support for Lights-Out management devices?
3. Where can I learn more about directory services?
4. Where can I learn more about the HP schema extensions?
 
Two-factor authentication
1. How does iLO Advanced two-factor authentication work?
2. Can iLO two-factor authentication be used with both methods of directory integration supported by iLO?
3. What other methods of access are supported when two-factor authentication is enabled?
4. Does iLO Advanced two-factor authentication support certificate revocation lists?
5. What smartcards and USB keys are supported by iLO two-factor authentication?

Answers

General
Q1. What user security is available to control iLO access?
A1. iLO user security provides flexible choices for enterprise and SMB environments. In enterprise accounts, iLO can be configured with industry-leading security by requiring user authentication via directory services and two-factor authentication devices. With an iLO Advanced license, the logon process can be used in conjunction with Microsoft Active Directory, Novell eDirectory and other LDAP-compliant directory services. In addition, strong authentication using a smart card or USB key with a PIN and embedded digital certificate is supported.

In smaller environments such as labs or SMBs, up to twelve user names and passwords can be stored on each iLO to provide various levels of restricted access. This user security is referred to as local accounts, since all of the account credentials are stored on the management processor.
Q2. What user security is available to control access to RILOE II management devices?
A2. RILOE II user security also provides flexible choices for enterprise and SMB environments. In enterprise accounts, RILOE II can be configured with industry-leading security by requiring user authentication via directory services with Microsoft Active Directory and Novell eDirectory. RILOE II also offers local accounts for smaller environments such as labs or SMBs.
Q3. What Lights-Out management privileges can be assigned to individual users or groups of users?
A3. iLO privileges can be granted to individuals or groups, enabling access to iLO remote consoles, virtual media, virtual power and iLO administration. Depending upon whether directory or local user accounts are used, these rights can be granted to enable role-based access with time and device restrictions.
Q4. Where can I find information to help set up iLO and RILOE II user security?
A4. The iLO User Guide and a variety of white papers are available to guide you through the implementation of all supported user access security methods. All of these documents are accessible from the HP Business Support Center web site.
Q5. What are the benefits of managing Lights-Out access through directory services?
A5. The key benefits are:
  • Increases administrative efficiency by integrating user access management for lights-out management devices with centralized enterprise-class directory services
  • Improves security by eliminating the use of shared user names and passwords
  • Provides support for industry standards-based Microsoft Active Directory and Novell eDirectory
  • Provides flexible implementation options using HP or directory default schema

Schema-free Active Directory integration
Q1. How does iLO schema-free directory integration work?
A1. iLO schema-free directory integration allows the standard directory schema to be used instead of adding HP's schema to the directory database. This is accomplished by authenticating users from the directory database and authorizing iLO privileges based on matching groups and roles stored on each iLO management processor.
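The split described in A1 (authenticate in the directory, authorize on the iLO), as an added Python sketch that is not HP firmware or tooling. The directory bind is simulated by a dict, matching on normalized group DNs is an assumption, and all users, DNs and privilege names are constructed.

```python
# Added illustration of schema-free authorization; not HP code.
import hmac
import re

# Privilege names follow the four areas named in A3 of the General section.
PRIVILEGES = frozenset({"remote_console", "virtual_media", "virtual_power", "administration"})

# Constructed sample data standing in for an LDAP bind plus group-membership lookup.
DIRECTORY = {
    "alice": {"password": "constructed-pw-1",
              "member_of": ["CN=iLO Admins,OU=Groups,DC=example,DC=com"]},
    "bob": {"password": "constructed-pw-2",
            "member_of": ["cn=ilo operators, ou=groups, dc=example, dc=com",
                          "CN=Staff,OU=Groups,DC=example,DC=com"]},
    "carol": {"password": "constructed-pw-3",
              "member_of": ["CN=Staff,OU=Groups,DC=example,DC=com"]},
}
# Group-to-privilege table as it would be stored on one management processor.
ILO_GROUPS = {
    "CN=iLO Admins,OU=Groups,DC=example,DC=com": set(PRIVILEGES),
    "CN=iLO Operators,OU=Groups,DC=example,DC=com": {"remote_console", "virtual_power"},
}

def normalize_dn(dn):
    """Lower-case a DN and drop whitespace around ',' and '=' so equal DNs compare equal."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]
    return ",".join("=".join(s.strip() for s in p.split("=", 1)).lower() for p in parts)

def authorize(user_groups, ilo_group_table):
    """Union the privileges of every locally stored group the user is a member of."""
    table = {normalize_dn(dn): privs & PRIVILEGES for dn, privs in ilo_group_table.items()}
    granted = set()
    for dn in user_groups:
        granted |= table.get(normalize_dn(dn), set())
    return granted  # empty set: authenticated, but no iLO privileges

def login(username, password, directory, ilo_group_table):
    """Authenticate against the simulated directory, then authorize locally."""
    entry = directory.get(username)
    if entry is None or not hmac.compare_digest(entry["password"].encode(), password.encode()):
        return None  # fail closed: no privilege lookup without a successful bind
    return authorize(entry["member_of"], ilo_group_table)
```

A valid directory account that belongs to no group in the local table, such as `carol` here, authenticates but receives no privileges.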
Q2. What are the benefits of iLO's schema-free integration?
A2. In addition to general directory integration benefits, iLO schema-free integration provides the following advantages:
  • Easy implementation without schema extensions - iLO schema-free integration is configured from any iLO user interface (browser, command line or script). In addition, the Lights-Out Directory Migration Utility provides automated implementation in existing networks. The Migration Utility, which is downloadable from the HP support web site, automates firmware updates, configuration of groups and privileges on management processors and directory integration.
  • Minimal administration - iLO schema-free directory integration requires minimal maintenance. After initial setup, only groups and permissions typically require maintenance support on management processors. Group and permission changes typically occur very infrequently. Also, the schema-free approach does not require updating directory databases with new iLO device objects.
  • Reliable security - iLO schema-free integration does not affect standard directory attributes, avoiding the conflicting use of attributes that may result over time.
  • Complements two-factor authentication - iLO schema-free integration can be used in conjunction with iLO two-factor authentication to provide asset protection using strong authentication.
Q3. If the HP schema extension has already been implemented, should I convert to the schema-free approach?
A3. No. If you have already extended your directory with the HP schema, there is no need to switch to the schema-free approach. Schema extension provides the lowest-maintenance approach for directory integration, and once this process has taken place there is no advantage to the schema-free approach until a schema change is required. HP has no plans to update the HP iLO schema at this time.
Q4. Is there any difference in the reliability of schema-free and HP schema extension directory integration?
A4. iLO schema-free Active Directory integration provides the same reliability as the HP schema extension method. In both cases, the same security channels are used to link user interfaces, iLO and directories. Browser and XML scripting user interfaces use SSL and the command line interface uses SSH to establish secure channels for authentication and authorization.
Q5. Is schema-free support provided for Novell eDirectory or RILOE II?
A5. At this time, the HP schema directory integration is the only method supported on eDirectory. Also, RILOE II and RILOE management devices do not currently support schema-free integration.

HP schema directory integration
Q1. Now that HP supports schema-free Active Directory integration, should customers still consider the HP schema directory integration?
A1. Yes. The HP schema extension method of directory integration centralizes all user, group and role administration into a single, centralized directory database. Although both methods are equally effective, the HP schema method with centralized administration of users, groups and privileges is the most efficient approach. Also, the HP schema approach should be considered in environments where a consistent directory integration for iLO, RILOE II and RILOE is required.
Q2. What utilities do I need to enable the HP schema directory support for Lights-Out management devices?
A2. The following software and firmware are required to enable iLO directory support using HP schema: Schema Installer, Snap-ins, and Migration Utility. The Schema Installer will extend the customer's schema for HP products. The Snap-ins are added to Microsoft Management Console (for Active Directory) or Novell ConsoleOne (for eDirectory). The Migration Utility automates the integration of lights-out devices with directory services. All of these tools are available as a free download from the HP Software and Drivers web site. Look for the component package named HP Directories Support for Management Processors.
Q3. Where can I learn more about directory services?
A3. Both Microsoft and Novell have extensive information regarding their respective directory services at:
Q4. Where can I learn more about the HP schema extensions?
A4. HP recognizes that customers have processes regarding directory schema extensions and HP provides a "Directory Services Schema Information Booklet" that fully describes the schema extensions to support the directory-enabled Lights-Out Management products. This and other documents related to iLO Advanced directory are accessible from the HP Business Support Center web site.

Two-factor authentication
Q1. How does iLO Advanced two-factor authentication work?
A1. iLO two-factor authentication requires users to log on to iLO with a PIN and private key. When logging on through a Microsoft Internet Explorer browser, users will be asked to verify their identity by providing both a password or PIN and the private key for their digital certificate stored on a smart card, USB key, or hard disk. When used with iLO Active Directory security, the user then continues the logon process with the directory user name and password.
Q2. Can iLO two-factor authentication be used with both methods of directory integration supported by iLO?
A2. Yes. Two-factor authentication is compatible with schema-free and HP schema Active Directory integration.
Q3. What other methods of access are supported when two-factor authentication is enabled?
A3. When iLO two-factor authentication is enabled, all interfaces except iLO browser access (HTTPS) are disabled. The Telnet, SSH and SML ports are disabled, so out-of-band access only occurs via individual browser sessions. However, iLO group administration can still be performed using the iLO online configuration utility and HP Systems Insight Manager. This is described in the iLO User Guide.
Q4. Does iLO Advanced two-factor authentication support certificate revocation lists?
A4. Yes. Certificate revocation lists (CRLs) can be used in the iLO Advanced two-factor authentication process to verify that an individual's smart card or USB key is still authorized. If enabled, iLO will download a designated CRL and integrate it into the process.
Q5. What smartcards and USB keys are supported by iLO two-factor authentication?
A5. HP has tested iLO Advanced two-factor authentication with smart card and USB key identity tools available from all major vendors including Axalto, ActivCard and Gemplus.
© 2008 Hewlett-Packard Development Company, L.P.