HP Integrated Lights-Out 3 User Manual

HP iLO 3 User Guide

Abstract
This guide provides information about configuring, updating, and operating HP ProLiant servers by using the HP iLO 3 firmware. This document is intended for system administrators, HP representatives, and HP Authorized Channel Partners who are involved in configuring and using HP iLO 3 and HP ProLiant servers.
This guide discusses HP iLO for HP ProLiant servers and HP ProLiant BladeSystem server blades. For information about iLO for Integrity servers and server blades, see the HP website at http://www.hp.com/go/integrityiLO.
HP Part Number: 616301-006 Published: March 2014 Edition: 1
© Copyright 2011, 2014 Hewlett-Packard Development Company, L.P
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Acknowledgements
Microsoft, Windows, Windows NT, Windows XP, and Windows Vista are U.S. registered trademarks of Microsoft Corporation.
Intel is a trademark of Intel Corporation in the U.S. and other countries.
Java is a registered trademark of Oracle and/or its affiliates.

Contents

1 Introduction to iLO....................................................................................12
iLO web interface...................................................................................................................12
iLO RBSU...............................................................................................................................13
iLO mobile app......................................................................................................................13
iLO scripting and command line...............................................................................................13
2 Setting up iLO..........................................................................................14
Preparing to set up iLO............................................................................................................14
Connecting iLO to the network.................................................................................................16
Setting up iLO by using iLO RBSU.............................................................................................16
Configuring a static IP address by using iLO RBSU..................................................................17
Managing iLO users by using iLO RBSU................................................................................18
Adding user accounts....................................................................................................18
Editing user accounts.....................................................................................................20
Removing user accounts.................................................................................................20
Setting up iLO by using the iLO web interface............................................................................21
Logging in to iLO for the first time.............................................................................................21
Activating iLO licensed features................................................................................................22
Installing the iLO drivers...........................................................................................................22
Microsoft device driver support............................................................................................23
Linux device driver support..................................................................................................23
VMware device driver support.............................................................................................24
3 Configuring iLO.......................................................................................25
Updating firmware..................................................................................................................25
Updating firmware by using an online method.......................................................................25
Performing an in-band firmware update............................................................................25
Performing an out-of-band firmware update.......................................................................26
Updating firmware by using an offline method.......................................................................26
Obtaining the iLO firmware image file..................................................................................26
Updating the iLO firmware by using a browser......................................................................27
Using language packs............................................................................................................28
Installing a language pack..................................................................................................28
Selecting a language pack.................................................................................................29
Configuring the default language settings..............................................................................30
Configuring the current language settings..............................................................................30
Uninstalling a language pack..............................................................................................30
iLO licensing..........................................................................................................................31
Free iLO 60-day evaluation license.......................................................................................31
Installing an iLO license by using a browser..........................................................................32
Managing iLO users by using the iLO web interface....................................................................32
Viewing local user accounts................................................................................................33
Viewing directory groups....................................................................................................34
Adding or editing local user accounts...................................................................................34
Password guidelines......................................................................................................36
IPMI/DCMI users..........................................................................................................36
Administering directory groups............................................................................................37
Deleting a user account or a directory group.........................................................................39
Configuring iLO access settings................................................................................................39
Configuring service settings.................................................................................................39
Configuring IPMI/DCMI settings..........................................................................................40
Configuring access options.................................................................................................40
Contents 3
Logging in to iLO by using an SSH client...............................................................................43
Configuring iLO security..........................................................................................................43
General security guidelines.................................................................................................43
iLO RBSU security..........................................................................................................44
iLO Security Override Switch administration......................................................................44
TPM support......................................................................................................................45
User accounts and access...................................................................................................46
User privileges..............................................................................................................46
Login security................................................................................................................46
Administering SSH keys......................................................................................................46
About SSH keys............................................................................................................46
Authorizing a new SSH key............................................................................................47
Deleting SSH keys.........................................................................................................48
Authorizing SSH keys from an HP SIM server....................................................................48
Administering SSL certificates..............................................................................................48
Viewing SSL certificate information..................................................................................49
Obtaining and importing an SSL certificate......................................................................49
Configuring directory settings..............................................................................................51
Configuring authentication and directory server settings.....................................................52
Running directory tests...................................................................................................54
Viewing directory test results......................................................................................56
Using the directory test controls .................................................................................58
Using encryption................................................................................................................58
Viewing encryption enforcement settings...........................................................................59
Modifying the AES/DES encryption setting.......................................................................60
Connecting to iLO by using AES or 3DES encryption.....................................................60
Enabling FIPS Mode......................................................................................................60
Disabling FIPS Mode.....................................................................................................61
Configuring iLO for HP SSO................................................................................................61
Configuring iLO for HP SSO...........................................................................................62
Viewing trusted certificates.............................................................................................63
Adding trusted certificates..............................................................................................64
Extracting the HP SIM server certificate........................................................................65
Removing trusted certificates...........................................................................................65
Configuring Remote Console security settings.........................................................................65
Configuring Remote Console Computer Lock settings..........................................................65
Configuring the Integrated Remote Console Trust setting (.NET IRC)......................................67
Configuring the Login Security Banner..................................................................................67
Configuring iLO network settings..............................................................................................69
Viewing network settings.....................................................................................................69
Configuring general network settings....................................................................................72
Configuring IPv4 settings....................................................................................................74
Configuring IPv6 settings....................................................................................................76
Configuring SNTP settings...................................................................................................79
Configuring and using the iLO Shared Network Port....................................................................80
Enabling the iLO Shared Network Port feature.......................................................................81
Enabling the iLO Shared Network Port feature through iLO RBSU.........................................82
Enabling the iLO Shared Network Port feature through the iLO web interface........................82
Re-enabling the iLO Dedicated Network Port.........................................................................83
Enabling the iLO Dedicated Network Port through iLO RBSU...............................................83
Enabling the iLO Dedicated Network Port through the web interface....................................83
Configuring iLO Management settings.......................................................................................84
Installing the Insight Management Agents..............................................................................84
Configuring SNMP alerts....................................................................................................84
SNMP traps..................................................................................................................85
4 Contents
Configuring SNMP alert destinations....................................................................................85
Configuring Insight Management integration.........................................................................86
Using the iLO RBSU................................................................................................................87
Accessing the iLO RBSU......................................................................................................87
Configuring NIC and TCP/IP settings....................................................................................87
Configuring DNS/DHCP settings.........................................................................................88
Configuring global settings by using iLO RBSU.......................................................................89
Configuring serial CLI options by using iLO RBSU...................................................................90
4 Using iLO................................................................................................92
Using the iLO web interface.....................................................................................................92
Browser support.................................................................................................................92
Logging in to iLO...............................................................................................................92
Handling an unknown authority...........................................................................................93
Using the iLO controls.........................................................................................................94
Language pack support......................................................................................................94
Viewing iLO overview information.............................................................................................94
Viewing system information.................................................................................................94
Viewing status information...................................................................................................96
Viewing the active iLO sessions............................................................................................96
Viewing iLO system information................................................................................................97
Viewing health summary information....................................................................................97
Viewing fan information......................................................................................................98
Viewing temperature information .......................................................................................100
Viewing temperature sensor data...................................................................................100
Viewing power information...............................................................................................101
Viewing processor information...........................................................................................103
Viewing memory information.............................................................................................104
Viewing network information.............................................................................................104
Viewing drive information.................................................................................................105
Using the iLO Event Log.........................................................................................................106
Viewing the iLO Event Log.................................................................................................106
Saving the iLO Event Log...................................................................................................108
Clearing the iLO Event Log................................................................................................108
Using the Integrated Management Log....................................................................................109
Viewing the IML...............................................................................................................109
Marking a log entry as repaired........................................................................................111
Adding a maintenance note to the IML...............................................................................111
Saving the IML................................................................................................................111
Clearing the IML..............................................................................................................112
Using iLO diagnostics............................................................................................................112
Resetting iLO through the web interface..............................................................................113
Using the HP Insight Management Agents................................................................................114
Using the Integrated Remote Console......................................................................................114
.NET IRC requirements......................................................................................................115
Microsoft .NET Framework............................................................................................115
Microsoft ClickOnce....................................................................................................115
Java IRC requirements......................................................................................................115
Recommended client settings........................................................................................116
Recommended server settings.......................................................................................116
Configuring the Java IRC keyboard layout for Linux systems..........................................116
Starting the Remote Console..............................................................................................116
Acquiring the Remote Console...........................................................................................118
Using the Remote Console power switch.............................................................................119
Using iLO Virtual Media from the Remote Console................................................................119
Contents 5
Using Shared Remote Console (.NET IRC only)....................................................................119
Using Console Capture (.NET IRC only)..............................................................................120
Viewing Server Startup and Server Prefailure sequences...................................................121
Saving Server Startup and Server Prefailure video files.....................................................121
Capturing video files...................................................................................................122
Viewing saved video files.............................................................................................122
Using Remote Console hot keys..........................................................................................122
Creating a hot key......................................................................................................122
Resetting hot keys........................................................................................................124
Using the text-based Remote Console......................................................................................124
Using the iLO Virtual Serial Port.........................................................................................124
Configuring the iLO Virtual Serial Port in the host system RBSU..........................................125
Configuring the iLO Virtual Serial Port for Linux...............................................................128
Configuring the iLO Virtual Serial Port for the Windows EMS Console................................129
Using the Text-based Remote Console (Textcons)..................................................................129
Customizing the Text-based Remote Console...................................................................130
Using the Text-based Remote Console............................................................................131
Using Linux with the Text-based Remote Console..............................................................131
Using iLO Virtual Media........................................................................................................131
Virtual Media operating system information.........................................................................133
Operating system USB requirement................................................................................133
Using Virtual Media with Windows 7............................................................................133
Operating system considerations: Virtual Floppy/USB key................................................133
Changing diskettes.................................................................................................133
Operating system considerations: Virtual CD/DVD-ROM..................................................134
Mounting a USB Virtual Media CD/DVD-ROM on Linux systems...................................134
Operating system considerations: Virtual Folder .............................................................134
Using iLO Virtual Media from the iLO web interface.............................................................135
Viewing and modifying the Virtual Media port................................................................135
Viewing and ejecting local media.................................................................................136
Connecting scripted media...........................................................................................136
Viewing and ejecting scripted media.............................................................................136
Using iLO Virtual Media from the Remote Console................................................................137
Using a Virtual Drive...................................................................................................137
Using a physical drive on a client PC........................................................................137
Using an image file................................................................................................137
Using an image file through a URL (IIS/Apache).........................................................137
Using the Create Media Image feature (Java IRC only).....................................................137
Creating an iLO disk image file................................................................................138
Copying data from an image file to a physical disk....................................................138
Using a Virtual Folder (.NET IRC only)............................................................................139
Setting up IIS for scripted Virtual Media..............................................................................139
Configuring IIS............................................................................................................139
Configuring IIS for read/write access.............................................................................140
Inserting Virtual Media with a helper application............................................................141
Sample Virtual Media helper application.......................................................................141
Configuring Virtual Media Boot Order................................................................................142
Changing the server boot order....................................................................................142
Changing the one-time boot status................................................................................143
Using the additional options.........................................................................................143
About server power..............................................................................................................143
Brownout recovery...........................................................................................................143
Graceful shutdown...........................................................................................................144
Power efficiency...............................................................................................................144
Using iLO Power Management...............................................................................................144
6 Contents
Managing the server power..............................................................................................144
Configuring the System Power Restore Settings.....................................................................146
Viewing server power usage..............................................................................................146
Viewing the current power state.........................................................................................148
Viewing the server power history........................................................................................149
Configuring power settings................................................................................................149
Configuring Power Regulator settings.............................................................................149
Configuring power capping settings..............................................................................151
Configuring SNMP alert settings...................................................................................151
Configuring the persistent mouse and keyboard..............................................................152
Using iLO with Onboard Administrator....................................................................................152
Using the Active Onboard Administrator.............................................................................152
Starting the Onboard Administrator GUI.............................................................................153
Toggling the enclosure UID light.........................................................................................153
Enclosure bay IP addressing..............................................................................................154
Dynamic Power Capping for server blades..........................................................................154
iLO virtual fan.................................................................................................................154
iLO option.......................................................................................................................154
IPMI server management.......................................................................................................155
Using iLO with HP Insight Control server deployment ................................................................156
5 Integrating HP Systems Insight Manager....................................................157
HP SIM features....................................................................................................................157
Establishing SSO with HP SIM................................................................................................157
iLO identification and association...........................................................................................157
Viewing iLO status in HP SIM.............................................................................................157
iLO links in HP SIM..........................................................................................................158
Viewing iLO in HP SIM System(s) lists..................................................................................158
Receiving SNMP alerts in HP SIM...........................................................................................158
HP SIM port matching...........................................................................................................158
Reviewing iLO license information in HP SIM............................................................................159
6 Directory services...................................................................................160
Directory integration benefits..................................................................................................160
Choosing a directory configuration to use with iLO....................................................................160
Kerberos support..................................................................................................................161
Domain controller preparation...........................................................................................161
Realm names..............................................................................................................161
Computer accounts......................................................................................................161
User accounts.............................................................................................................161
Generating a keytab...................................................................................................162
Key version number................................................................................................162
Windows Vista.......................................................................................................162
Universal and global user groups (for authorization)........................................................163
Configuring iLO for Kerberos login.....................................................................................163
Using the iLO web interface..........................................................................................163
Using XML configuration and control scripts....................................................................164
Using the CLI, CLP, or SSH interface..............................................................................164
Time requirement.............................................................................................................164
Configuring single sign-on................................................................................................164
Internet Explorer..........................................................................................................164
Firefox.......................................................................................................................165
Chrome.....................................................................................................................165
Verifying single sign-on (HP Zero Sign In) configuration.........................................................166
Login by name................................................................................................................166
Schema-free directory integration............................................................................................166
Contents 7
Setting up schema-free directory integration.........................................................................167
Active Directory prerequisites........................................................................................167
Introduction to Certificate Services............................................................................167
Installing Certificate Services....................................................................................167
Verifying Certificate Services....................................................................................167
Configuring Automatic Certificate Request.................................................................167
Schema-free setup using the iLO web interface................................................................168
Schema-free setup using scripts.....................................................................................168
Schema-free setup with HP Directories Support for ProLiant Management Processors.............168
Schema-free setup options............................................................................................169
Minimum login flexibility.........................................................................................169
Better login flexibility..............................................................................................169
Maximum login flexibility.........................................................................................169
Schema-free nested groups...........................................................................................169
Setting up HP extended schema directory integration................................................................170
Features supported by HP schema directory integration.........................................................170
Setting up directory services..............................................................................................170
Schema documentation.....................................................................................................171
Directory services support.................................................................................................171
Schema required software.................................................................................................171
Schema Extender........................................................................................................172
Schema Preview window.........................................................................................172
Setup window........................................................................................................173
Results window......................................................................................................173
Management snap-in installer.......................................................................................174
Directory services for Active Directory.................................................................................174
Active Directory installation prerequisites........................................................................174
Installing Active Directory.............................................................................................175
For the schema-free configuration.............................................................................175
For HP extended schema.........................................................................................175
Snap-in installation and initialization for Active Directory..................................................176
Creating and configuring directory objects for use with iLO in Active Directory....................176
Directory services objects.............................................................................................177
Active Directory snap-ins.........................................................................................178
Role Restrictions tab................................................................................................179
Lights Out Management tab.........................................................................................181
Directory services for eDirectory.........................................................................................182
eDirectory installation prerequisites................................................................................182
Snap-in installation and initialization for eDirectory..........................................................182
Example: Creating and configuring directory objects for use with iLO devices in eDirectory...182
Directory services objects for eDirectory.........................................................................186
Role Managed Devices...........................................................................................186
Members tab.........................................................................................................186
Role Restrictions tab.....................................................................................................187
Time restrictions......................................................................................................188
Enforced client IP address or DNS name access.........................................................188
eDirectory Lights-Out Management................................................................................189
User login using directory services..........................................................................................190
Directory-enabled remote management....................................................................................190
Creating roles to follow organizational structure...................................................................191
Using existing groups..................................................................................................191
Using multiple roles.....................................................................................................191
How directory login restrictions are enforced.......................................................................192
Restricting roles...........................................................................................................193
Role time restrictions...............................................................................................193
8 Contents
Role address restrictions..........................................................................................193
User restrictions...........................................................................................................193
User address restrictions..........................................................................................193
User time restrictions...............................................................................................194
Creating multiple restrictions and roles...........................................................................195
Using bulk import tools.....................................................................................................196
HP Directories Support for ProLiant Management Processors utility...............................................196
Compatibility..................................................................................................................196
HP Directories Support for ProLiant Management Processors package.....................................197
Using HP Directories Support for ProLiant Management Processors.........................................197
Finding management processors...................................................................................197
Upgrading firmware on management processors.............................................................200
Selecting a directory access method..............................................................................201
Naming management processors..................................................................................202
Configuring directories when HP extended schema is selected...........................................202
Configuring directories when schema-free integration is selected........................................206
Setting up management processors for directories............................................................207
7 Troubleshooting......................................................................................209
iLO 3 POST LED indicators.....................................................................................................209
Kernel debugging.................................................................................................................209
Event log entries...................................................................................................................210
Hardware and software link-related issues................................................................................213
Login issues.........................................................................................................................213
Login name and password not accepted.............................................................................214
Directory user premature logout.........................................................................................214
iLO management port not accessible by name.....................................................................214
iLO RBSU unavailable after iLO and server reset...................................................................214
Unable to access the login page........................................................................................215
Secure Connection Failed error when using Firefox browser...................................................215
Unable to return to login page after an iLO flash or reset......................................................216
Unable to access Virtual Media or graphical Remote Console................................................216
Unable to connect to iLO after changing network settings......................................................216
Unable to connect to iLO processor through NIC..................................................................216
Unable to log in to iLO after installing iLO certificate............................................................216
Unable to connect to iLO IP address...................................................................................216
Blocked iLO ports.............................................................................................................217
Troubleshooting alert and trap issues.......................................................................................217
Unable to receive HP SIM alarms (SNMP traps) from iLO.......................................................217
Incorrect authentication code..................................................................................................217
Using the iLO Security Override Switch for emergency access.....................................................218
Troubleshooting license installation..........................................................................................218
Troubleshooting directory issues .............................................................................................218
User contexts do not appear to work..................................................................................218
Directory user does not log out after directory timeout has expired.........................................218
Problems generating keytab by using ktpass.exe..................................................................218
Directory login fails...............................................................................................................219
Troubleshooting Remote Console issues...................................................................................219
Java IRC applet displays red X when Firefox is used to run Java IRC on Linux client ..................219
Unable to navigate single cursor of Remote Console to corners of Remote Console window.......219
Remote Console text window not updated correctly..............................................................219
Mouse or keyboard not working in .NET IRC or Java IRC......................................................219
.NET IRC sends characters continuously after switching windows ...........................................220
Java IRC does not display correct floppy and USB-key device.................................................220
Caps Lock out of sync between iLO and Java IRC.................................................................221
Contents 9
Num Lock out of sync between iLO and Shared Remote Console............................................222
Keystrokes repeat unintentionally during Remote Console session............................................222
Session leader does not receive connection request when .NET IRC is in replay mode...............222
Keyboard LED does not work correctly................................................................................222
Inactive .NET IRC.............................................................................................................222
.NET IRC failed to connect to server...................................................................................223
File not present after copy from .NET IRC virtual drives to USB key..........................................223
.NET IRC takes a long time to verify application requirements................................................223
.NET IRC fails to start.......................................................................................................224
.NET IRC cannot be shared...............................................................................................224
Troubleshooting SSH issues....................................................................................................225
Initial PuTTY input slow.....................................................................................................225
PuTTY client unresponsive..................................................................................................225
SSH text support from text-based Remote Console session......................................................225
Troubleshooting video and monitor issues................................................................................225
User interface does not display correctly.............................................................................225
iLO Virtual Floppy media applet unresponsive..........................................................................225
Troubleshooting text-based Remote Console issues....................................................................225
Unable to view Linux installer in text-based Remote Console...................................................225
Unable to pass data through SSH terminal..........................................................................226
VSP-driven selection during the serial timeout window sends output to BIOS redirect instead of
VSP................................................................................................................................226
Scrolling and text appear irregular during BIOS redirection...................................................226
Troubleshooting miscellaneous issues.......................................................................................226
Cookie sharing between browser instances and iLO.............................................................226
Shared instances.........................................................................................................226
Cookie order..............................................................................................................227
Displaying the current session cookie.............................................................................227
Preventing cookie-related issues....................................................................................227
Unable to get SNMP information from HP SIM.....................................................................228
Unable to upgrade iLO firmware........................................................................................228
Recovering from a failed iLO firmware update......................................................................228
iLO network Failed Flash Recovery.....................................................................................229
Testing SSL......................................................................................................................229
Resetting iLO...................................................................................................................230
Resetting iLO to the factory default settings by using iLO RBSU...............................................230
Server name still present after System Erase Utility is executed................................................231
Certificate error when navigating to iLO web interface..........................................................231
Resolving a browser certificate error: Internet Explorer......................................................232
Resolving a browser certificate error: Firefox...................................................................233
8 Support and other resources....................................................................235
Information to collect before you contact HP.............................................................................235
How to contact HP................................................................................................................235
Registering for Software Technical Support and Update Service..................................................235
How to use Software Technical Support and Update Service..................................................235
HP Support Center................................................................................................................235
HP authorized resellers..........................................................................................................236
Related information...............................................................................................................236
9 Documentation feedback.........................................................................237
A iLO license options.................................................................................238
B Directory services schema........................................................................239
HP Management Core LDAP OID classes and attributes.............................................................239
Core classes....................................................................................................................239
10 Contents
Core attributes.................................................................................................................239
Core class definitions.......................................................................................................239
hpqTarget..................................................................................................................239
hpqRole.....................................................................................................................240
hpqPolicy...................................................................................................................240
Core attribute definitions...................................................................................................240
hpqPolicyDN..............................................................................................................240
hpqRoleMembership....................................................................................................240
hpqTargetMembership.................................................................................................241
hpqRoleIPRestrictionDefault...........................................................................................241
hpqRoleIPRestrictions...................................................................................................241
hpqRoleTimeRestriction.................................................................................................242
Lights-Out Management specific LDAP OID classes and attributes................................................242
Lights-Out Management classes.........................................................................................242
Lights-Out Management attributes......................................................................................242
Lights-Out Management class definitions.............................................................................242
hpqLOMv100.............................................................................................................242
Lights-Out Management attribute definitions........................................................................243
hpqLOMRightLogin......................................................................................................243
hpqLOMRightRemoteConsole........................................................................................243
hpqLOMRightVirtualMedia...........................................................................................243
hpqLOMRightServerReset..............................................................................................243
hpqLOMRightLocalUserAdmin.......................................................................................244
hpqLOMRightConfigureSettings.....................................................................................244
C OID support for certificates......................................................................245
Glossary..................................................................................................247
Index.......................................................................................................250
Contents 11

1 Introduction to iLO

The iLO software can remotely perform most functions that otherwise require a visit to the servers at the data center, computer room, or remote location. iLO allows you to do the following:
Monitor server health. iLO monitors temperatures in the server and sends corrective signals to
the fans to maintain proper server cooling. iLO also monitors firmware versions and the status of fans, memory, the network, processors, power supplies, and server hard drives.
Access a high-performance and secure Integrated Remote Console to the server from anywhere
in the world if you have a network connection to the server. There are two versions of the Integrated Remote Console:
.NET IRC
Java IRC
General references to the Remote Console apply to both the .NET IRC and Java IRC, unless otherwise specified.
Use the shared .NET IRC to collaborate with multiple server administrators.
Remotely mount high-performance Virtual Media devices to the server.
Use Virtual Power and Virtual Media from the GUI, the CLI, or the iLO scripting toolkit for
many tasks, including the automation of deployment and provisioning.
Securely and remotely control the power state of the managed server.
Monitor the power consumption and server power settings.
Use local or directory-based user accounts to log in to iLO.
Configure Kerberos authentication, which adds the HP Zero Sign In button to the login screen.
Use iLO language packs to switch between English and another supported language.
For more information about the iLO 3 features, see http://www.hp.com/go/iLO3.

iLO web interface

The iLO web interface groups similar tasks for easy navigation and workflow. It is organized in a navigational tree view located on the left side of the page. The top-level branches are Information, Remote Console, Virtual Media, Power Management, Network, and Administration. If you have a ProLiant server blade, the BL c-Class branch is included.
When using the iLO web interface, note the following:
Each high-level iLO branch has a submenu that you can display by clicking the + icon to the
left of that branch. Each menu topic displays a page title that describes the information or settings available on that page. The page title might not reflect the name that is displayed on the menu option.
Assistance for all iLO pages is available from the iLO help pages. To access page-specific
help, click the ? icon on the upper right side of the page.
Typical administrator tasks are available from the Administration and Network branches of
the iLO web interface. These tasks are described in “Setting up iLO” (page 14) and
“Configuring iLO” (page 25).
Typical user tasks are available from the Information, Remote Console, Virtual Media, Power
Management, and BL c-Class branches of the iLO web interface. These tasks are described
in “Using iLO” (page 92).
12 Introduction to iLO
For more information about iLO functionality and integration, see the following:
“Integrating HP Systems Insight Manager” (page 157)
“Directory services” (page 160)
“Troubleshooting” (page 209)

iLO RBSU

You can use the iLO ROM-based setup utility to configure network parameters, global settings, and user accounts. iLO RBSU is designed for the initial iLO setup, and is not intended for continued iLO administration. iLO RBSU is available whenever the server is booted, and can be run remotely through the Remote Console. Press F8 during POST to enter iLO RBSU.
You can disable iLO RBSU in the iLO RBSU Global Settings preferences or in the iLO web interface. Disabling iLO RBSU prevents reconfiguration from the host unless the iLO Security Override Switch is set.
For more information about using iLO RBSU, see the following:
“Setting up iLO by using iLO RBSU” (page 16)
“iLO RBSU security” (page 44)
“Using the iLO RBSU” (page 87)

iLO mobile app

The HP iLO mobile app provides access to the Remote Console of your HP ProLiant server from your mobile device. The mobile app interacts directly with the iLO processor on HP ProLiant servers, providing total control of the server at all times as long as the server is plugged in. For example, you can access the server when it is in a healthy state or when it is powered off with a blank hard drive. As an IT administrator, you can troubleshoot problems and perform software deployments from almost anywhere.
For more information about the iLO mobile app, see http://www.hp.com/go/ilo/mobileapp.

iLO scripting and command line

You can use the iLO scripting tools to configure multiple iLO systems, to incorporate a standard configuration into the deployment process, and to control servers and subsystems.
The HP iLO Scripting and Command Line Guide describes the syntax and tools available to use iLO 3 through a command line or scripted interface.
iLO RBSU 13

2 Setting up iLO

The iLO default settings enable you to use most features without additional configuration. However, the configuration flexibility of iLO enables customization for multiple enterprise environments. This chapter discusses the initial iLO setup steps. For information about additional configuration options, see “Configuring iLO” (page 25).
Complete the initial setup steps:
1. Decide how you want to handle networking and security. For more information, see “Preparing
to set up iLO” (page 14).
2. Connect iLO to the network. For more information, see “Connecting iLO to the network”
(page 16).
3. If you are not using dynamic IP addressing, configure a static IP address by using iLO RBSU. For more information, see “Setting up iLO by using iLO RBSU” (page 16).
4. If you are using the local accounts feature, set up your user accounts by using iLO RBSU or the iLO web interface. For more information, see “Setting up iLO by using iLO RBSU” (page 16) or “Setting up iLO by using the iLO web interface” (page 21).
5. Install an iLO license. For more information, see “Activating iLO licensed features” (page 22).
6. If required, install the iLO drivers. For more information, see “Installing the iLO drivers”
(page 22).

Preparing to set up iLO

Before setting up an iLO management processor, you must decide how to handle networking and security. The following questions can help you configure iLO:
1. How should iLO connect to the network? For a graphical representation and explanation of the available connections, see “Connecting
iLO to the network” (page 16).
Typically, iLO is connected to the network through one of the following:
A corporate network that both the NIC and the iLO port are connected to. This connection
enables access to iLO from anywhere on the network and reduces the amount of networking hardware and infrastructure required to support iLO. However, on a corporate network, traffic can hinder iLO performance.
A dedicated management network with the iLO port on a separate network. A separate
network improves performance and security because you can physically control which workstations are connected to the network. A separate network also provides redundant access to the server when a hardware failure occurs on the corporate network. In this configuration, iLO cannot be accessed directly from the corporate network.
2. How will iLO acquire an IP address? To access iLO after connecting it to the network, the iLO management processor must acquire
an IP address and subnet mask by using either a dynamic or static process.
A dynamic IP address is set by default. iLO obtains the IP address and subnet mask from
DNS or DHCP servers. This method is the simplest.
A static IP address is used if DNS or DHCP servers are not available on the network. A
14 Setting up iLO
static IP address can be configured by using iLO RBSU. For more information, see
“Configuring a static IP address by using iLO RBSU” (page 17).
IMPORTANT: If you plan to use a static IP address, you must have the IP address before
starting the iLO setup process.
3. What access security is required, and what user accounts and privileges are needed?
iLO provides several options to control user access. Use one of the following methods to prevent unauthorized access:
Local accounts—Up to 12 user names and passwords can be stored in iLO. This is ideal
for small environments such as labs and small-sized or medium-sized businesses.
Directory services—Use the corporate directory to manage iLO user access. This is ideal
for environments with a large number of users. If you plan to use directory services, consider enabling at least one local administrator account for alternate access.
For more information about iLO access security, see “Configuring iLO security” (page 43).
4. How do you want to configure iLO?
iLO supports various interfaces for configuration and operation. This guide discusses the following interfaces:
Use iLO RBSU when the system environment does not use DHCP, DNS, or WINS. For
more information, see “Setting up iLO by using iLO RBSU” (page 16).
Use the iLO web interface when you can connect to iLO on the network by using a web
browser. You can also use this method to reconfigure an iLO management processor. For more information, see “Setting up iLO by using the iLO web interface” (page 21).
Other configuration options not discussed in this guide follow:
HP Scripting Toolkit—This toolkit is a server deployment product for IT experts that provides
unattended automated installation for high-volume server deployments. For more information, see the HP Scripting Toolkit for Linux User Guide and the HP Scripting Toolkit for Windows User Guide.
Scripting—You can use scripting for advanced setup of multiple iLO management
processors. Scripts are XML files written for a scripting language called RIBCL. You can use RIBCL scripts to configure iLO on the network during initial deployment or from an already deployed host.
The following methods are available:
HP Lights-Out Configuration Utility (HPQLOCFG)—The HPQLOCFG.EXE utility replaces
the previously used CPQLOCFG.EXE utility. It is a Windows command line utility that sends XML configuration and control scripts over the network to iLO.
HP Lights-Out Online Configuration Utility (HPONCFG)—A local online scripted setup
utility that runs on the host and passes RIBCL scripts to the local iLO. HPONCFG requires the HP iLO Channel Interface Driver.
Custom scripting environments—The iLO scripting samples include a Perl sample that
can be used to send RIBCL scripts to iLO over the network.
SMASH CLP—A command-line protocol that can be used when a command line is
accessible through SSH or the physical serial port.
For more information about these methods, see the HP iLO 3 Scripting and Command Line Guide.
iLO sample scripts are available at the following website: http://www.hp.com/support/
iLO3.
Preparing to set up iLO 15

Connecting iLO to the network

Main NIC
iLO
Main NIC
Hub/Switch
Client PCs
Corporate
Network
Management Client
iLO
Hub/Switch
Main NIC
iLO
iLO
Main NIC
Hub/Switch
Client PCs
Corporate
Network
Dedicated
iLO Management
Network
Management Client
You can connect iLO to the network through a corporate network or a dedicated management network.
In a corporate network, the server has two network port types (server NICs and one iLO NIC)
connected to the corporate network, as shown in Figure 1 (page 16).
Figure 1 Corporate network diagram
In a dedicated management network, the iLO port is on a separate network, as shown in
Figure 2 (page 16).
Figure 2 Dedicated management network diagram

Setting up iLO by using iLO RBSU

HP recommends using iLO RBSU to set up iLO for the first time and to configure iLO network parameters for environments that do not use DHCP, DNS, or WINS.
16 Setting up iLO

Configuring a static IP address by using iLO RBSU

This procedure is required only if you are using a static IP address. When you are using dynamic IP addressing, your DHCP server automatically assigns an IP address for iLO.
NOTE: To simplify installation, HP recommends using DNS or DHCP with iLO.
To configure a static IP address:
1. Optional: If you access the server remotely, start an iLO remote console session. You can use the .NET IRC or Java IRC.
2. Restart or power on the server.
3. Press F8 in the HP ProLiant POST screen. The iLO RBSU screen appears.
4. Disable DHCP: a. Select NetworkDNS/DHCP, and then press Enter.
The Network Autoconfiguration window opens.
b. Select DHCP Enable, as shown in Figure 3 (page 17).
Figure 3 iLO RBSU Network Autoconfiguration window
c. Press the spacebar to set DHCP Enable to OFF, and then press F10 to save the changes.
Setting up iLO by using iLO RBSU 17
5. Enter the network settings:
a. Select NetworkNIC and TCP/IP, and then press Enter.
The Network Configuration window opens.
b. Enter the appropriate information in the IP Address, Subnet Mask, and Gateway IP Address
fields, as shown in Figure 4 (page 18).
Figure 4 iLO RBSU Network Configuration window
c. Press F10 to save the changes.
6. Select FileExit to exit iLO RBSU.
The changes take effect when you exit iLO RBSU.

Managing iLO users by using iLO RBSU

You can use iLO RBSU to perform the following user management tasks:
“Adding user accounts” (page 18)
“Editing user accounts” (page 20)
“Removing user accounts” (page 20)
Adding user accounts
To add local iLO user accounts:
1. Optional: If you access the server remotely, start an iLO remote console session. You can use the .NET IRC or Java IRC.
2. Restart or power on the server.
3. Press F8 in the HP ProLiant POST screen. iLO RBSU starts.
4. Select UserAdd, and then press Enter. The Add User screen appears, as shown in Figure 5 (page 19).
18 Setting up iLO
Figure 5 iLO RBSU Add User window
5. Enter the following user account details:
User name appears in the user list on the User Administration page. It does not have to
be the same as the Login name. The maximum length for a user name is 39 characters. The user name must use printable characters. Assigning descriptive user names can help you to easily identify the owner of each login name.
Login name is the name you must use when logging in to iLO. It appears in the user list
on the User Administration page, on the iLO Overview page, and in iLO logs. The Login name does not have to be the same as the User name. The maximum length for a login name is 39 characters. The login name must use printable characters.
Password and Verify password set and confirm the password that is used for logging in
to iLO. The maximum length for a password is 39 characters. Enter the password twice for verification.
6. Select from the following iLO privileges. To enable a privilege, set it to Yes. To disable a privilege, set it to No.
Administer User Accounts—Enables a user to add, edit, and delete local iLO user accounts.
A user with this privilege can change privileges for all users. If you do not have this privilege, you can view your own settings and change your own password.
Remote Console Access—Enables a user to remotely access the host system Remote
Console, including video, keyboard, and mouse control.
Virtual Power and Reset—Enables a user to power-cycle or reset the host system. These
activities interrupt the system availability. A user with this privilege can diagnose the system by using the Generate NMI to System button.
Virtual Media—Enables a user to use the Virtual Media feature on the host system.
Configure iLO Settings—Enables a user to configure most iLO settings, including security
settings, and to remotely update the iLO firmware. This privilege does not enable local user account administration.
After iLO is configured, revoking this privilege from all users prevents reconfiguration using the web interface, HPQLOCFG, or the CLI. Users who have access to iLO RBSU or
Setting up iLO by using iLO RBSU 19
HPONCFG can still reconfigure iLO. Only a user who has the Administer User Accounts privilege can enable or disable this privilege.
7. Press F10 to save the new user account.
8. Repeat step 4 through step 7 until you are done creating user accounts.
9. Select FileExit to exit iLO RBSU.
Editing user accounts
To edit a local iLO user account:
1. Optional: If you access the server remotely, start an iLO remote console session. You can use the .NET IRC or Java IRC.
2. Restart or power on the server.
3. Press F8 in the HP ProLiant POST screen. The iLO RBSU screen appears.
4. Select UserEdit, and then press Enter. The Edit User screen appears, as shown in Figure 6 (page 20).
Figure 6 Editing user accounts
5. Select the user name that you want to edit, and then press Enter.
6. Update the user name, login name, password, or user privileges, and then press F10 to save the changes.
7. Select FileExit to exit iLO RBSU.
Removing user accounts
To remove a local iLO user account:
1. Optional: If you access the server remotely, start an iLO remote console session. You can use the .NET IRC or Java IRC.
2. Restart or power on the server.
20 Setting up iLO
3. Press F8 in the HP ProLiant POST screen.
The iLO RBSU screen appears.
4. Select UserRemove, and then press Enter. The Remove User screen appears, as shown in Figure 7 (page 21).
Figure 7 Removing user accounts
5. Select the user that you want to remove, and then press Enter. The iLO RBSU prompts you to confirm the request.
6. Press Enter to confirm the request.
7. Select FileExit to exit iLO RBSU.

Setting up iLO by using the iLO web interface

You can use the iLO web interface to configure iLO if you can connect to iLO on the network by using a web browser. You can also use this method to reconfigure an iLO management processor.
Access iLO from a remote network client by using a supported browser and providing the default DNS name, user name, and password. For information about the DNS name and default user account credentials, see “Logging in to iLO for the first time” (page 21).
For information about the configuration procedures available in the iLO web interface, see
“Configuring iLO” (page 25).

Logging in to iLO for the first time

The iLO firmware is configured with a default user name, password, and DNS name. Default user information is located on the serial number/iLO information pull tab attached to the server that contains the iLO management processor. Use these values to access iLO remotely from a network client by using a web browser.
Setting up iLO by using the iLO web interface 21
NOTE: The serial number/iLO information pull tab is double-sided. One side shows the server
serial number, and the other side shows the default iLO account information. The same information is printed on a label attached to the chassis.
The default values follow:
User name—Administrator
Password—A random eight-character alphanumeric string
DNS name—ILOXXXXXXXXXXXX, where the Xs represent the serial number of the server
If you enter an incorrect user name and password, or a login attempt fails, iLO imposes a security delay. For more information about login security, see “Login security” (page 46).
IMPORTANT: HP recommends changing the default values after you log in to iLO for the first
time. For instructions, see “Managing iLO users by using the iLO web interface” (page 32).

Activating iLO licensed features

To activate iLO licensed features, install an HP iLO license. iLO licenses activate functionality such as graphical Remote Console with multi-user collaboration, video record/playback, and many more advanced features. For licensing information and installation instructions, see “iLO licensing”
(page 31).

Installing the iLO drivers

iLO is an independent microprocessor running an embedded operating system. The architecture ensures that the majority of iLO functionality is available, regardless of the host operating system. The iLO drivers enable software such as HPONCFG and the HP Insight Management Agents to communicate with iLO. Your OS and system configuration determine the driver requirements.
The iLO drivers are available from the HP Service Pack for ProLiant and the HP website.
For Windows, Red Hat, and SLES—Download the SPP from http://www.hp.com/go/spp/
download and use it to install the iLO drivers.
For information about using the SPP, see the SPP documentation.
For Windows, Red Hat, and SLES—Download the iLO drivers from the HP Support Center:
1. Navigate to the technical support page on the HP website: http://www.hp.com/support.
2. Select a country or region and a language.
The HP Support page opens.
3. Click the Drivers & Downloads link.
4. In the search box, enter the server model that you are using (for example, DL360). A list of servers is displayed.
5. Click the link for your server. The HP Support Center page for the server opens.
6. Click the link for the server operating system.
7. Download the iLO drivers.
For VMware—Download the iLO drivers from the vibsdepot section of the Software Delivery
Repository website at http://downloads.linux.hp.com/SDR/index.html.
Follow the installation instructions provided with the downloaded software.
22 Setting up iLO
For OS-specific driver information, see the following:
“Microsoft device driver support” (page 23)
“Linux device driver support” (page 23)
“VMware device driver support” (page 24)

Microsoft device driver support

When you are using Windows with iLO, the following drivers are available:
HP ProLiant iLO 3/4 Channel Interface Driver for Windows—This driver is required for the
operating system to communicate with iLO. Install this driver in all configurations.
HP ProLiant iLO 3/4 Management Controller Driver Package for Windows—This package
includes the following components:
hpqilo3core provides iLO Management Controller Driver support.
hpqilo3service provides the HP ProLiant Health Monitor Service and HP ProLiant
System Shutdown Service.
hpqilo3whea is a helper service for Windows Hardware Error Architecture, which
passes information between iLO and the operating system in the event of a hardware fault.
IMPORTANT: The Management Controller Driver Package is required to support Automatic
Server Recovery and the HP Insight Management Agents or HP Insight Management WBEM Providers (if installed). For more information, see “Configuring iLO Management settings”
(page 84).

Linux device driver support

When you are using Linux with iLO, the following drivers are available:
HP ProLiant Channel Interface Device Driver (hpilo)—This driver manages agent and tool
application access to iLO.
HP System Health Application and Command Line Utilities (hp-health)—A collection of
applications and tools that enables monitoring of fans, power supplies, temperature sensors, and other management events. This RPM contains the hpasmd, hpasmlited, hpasmpld, and hpasmxld daemons.
IMPORTANT: These drivers are standard for SUSE Linux Enterprise Server 11, Red Hat 5, and
Red Hat 6. For open-source Linux distributions (Ubuntu, Debian, Fedora, and others), the hpilo driver is part
of the Linux kernel, so the driver is loaded automatically at startup.
Use the following commands to load the iLO drivers:
rpm -ivh hpilo-<d.vv.v-pp.Linux_version.arch>.rpm
rpm -ivh hp-health-<d.vv.v-pp.Linux_version.arch>.rpm
Where <d> is the Linux distribution and version, <vv.v-pp> are version numbers, and <arch> is the architecture (i386 or x86_64).
Use the following commands to remove the iLO drivers:
rpm -e hpilo
rpm -e hp-health
Installing the iLO drivers 23

VMware device driver support

When you are using VMware with iLO, the following driver is available: HP ProLiant Channel Interface Device Driver (hpilo)—This driver manages agent, WBEM provider,
and tool application access to iLO. It is included in the customized HP VMware images. For raw VMware images, the driver must be installed manually.
24 Setting up iLO

3 Configuring iLO

Typically, an advanced or administrative user who manages users and configures global and network settings configures iLO. This guide provides information about configuring iLO by using the iLO web interface and iLO RBSU.
TIP: You can also perform many iLO configuration tasks by using XML configuration and control
scripts or SMASH CLP. For information about using these methods, see the HP iLO 3 Scripting and Command Line Guide, HP Scripting Toolkit for Linux User Guide, and HP Scripting Toolkit for Windows User Guide.

Updating firmware

Firmware updates enhance iLO functionality with new features, improvements, and security updates. You can download the latest firmware from the following website: http://www.hp.com/support/
ilo3.
Users who have the Configure iLO Settings privilege or host operating system Administrator/root privileges can update iLO firmware. If the iLO Security Override Switch is set, any out-of-band user can update the firmware.
Due to the security enhancements in iLO 3 1.50 and later, the firmware image file is larger than previous releases. To accommodate the larger firmware image file, you must have iLO 3 1.20 or later installed to upgrade to iLO 3 1.50 or later. Upgrading from earlier firmware versions is not supported.
To downgrade from iLO 3 1.50 or later to an earlier firmware version, you must disable FIPS Mode. For instructions, see “Using encryption” (page 58).
You can update the iLO firmware by using an online or offline method. For more information, see
“Updating firmware by using an online method” (page 25) or “Updating firmware by using an offline method” (page 26)

Updating firmware by using an online method

When you use an online method to update the firmware, no server reboot is required. You can update the firmware and reset iLO without affecting the availability of the server host operating system. The online update method can be performed in-band or out-of-band.
Performing an in-band firmware update
When you use this method to update the iLO firmware, the iLO firmware is sent to iLO directly from the server host operating system. The HP ProLiant Channel Interface Driver is required for host-based iLO firmware updates. During a host-based firmware update, the iLO firmware does not verify login credentials or user privileges because the host-based utilities require a root login (Linux and VMware) or Administrator login (Windows).
You can use the following in-band firmware update methods:
iLO Online ROM Flash Component—Use an executable file to update iLO while the server is
operating. The executable file contains the installer and the firmware package. You can download an iLO Online ROM Flash Component from the following HP website: http://
www.hp.com/support/ilo3.
HPONCFG—Use the HP Lights-Out Online Configuration Utility to configure iLO by using XML
scripts. Download the iLO firmware image and the Update_Firmware.xml sample script. Edit the sample script with your setup details, and then run the script.
Sample scripts are available at http://www.hp.com/support/ilo3. For more information about scripting, see the HP iLO 3 Scripting and Command Line Guide.
Updating firmware 25
For instructions about obtaining the iLO firmware image, see “Obtaining the iLO firmware
image file” (page 26).
Performing an out-of-band firmware update
When you use this method to update the iLO firmware, you use a network connection to communicate with iLO directly.
You can use the following out-of-band firmware update methods:
iLO web interface—Download the iLO Online ROM Flash Component and install it by using
the iLO web interface. For instructions, see “Updating the iLO firmware by using a browser”
(page 27).
HPQLOCFG—Use the HP Lights-Out Configuration Utility to configure iLO by using XML scripts.
Download the iLO firmware image and the Update_Firmware.xml sample script. Edit the sample script with your setup details, and then run the script.
Sample scripts are available at http://www.hp.com/support/ilo3. For more information about scripting, see the HP iLO 3 Scripting and Command Line Guide.
For instructions about obtaining the iLO firmware image, see “Obtaining the iLO firmware
image file” (page 26).
HPLOMIG (also called HP Directories Support for Management Processors)—Download the
HP Directories Support for Management Processors executable file to access the directory support components. One of the components, HPLOMIG, can be used to discover multiple iLO processors and update their firmware in one step. You do not need to use directory integration to take advantage of this feature. For more information, see “Upgrading firmware
on management processors” (page 200).
SMASH CLP—Access SMASH CLP through the SSH port, and use standard commands to view
firmware information and update the firmware. For more information about SMASH CLP, see the HP iLO 3 Scripting and Command Line
Guide.
NOTE: The SMASH CLP method for updating firmware is not supported for upgrading to
iLO 3 1.50 or later.

Updating firmware by using an offline method

When you use an offline method to update the firmware, you must reboot the server by using an offline utility. Examples of offline firmware updates include the following:
HP Service Pack for ProLiant—Use the HP Service Pack for ProLiant to install the firmware
update. For more information, see the following website: http://www.hp.com/go/spp.
Windows or Linux Scripting Toolkit—Use the Scripting Toolkit to configure several settings
within the server and update firmware. This method is useful for deploying to multiple servers. For instructions, see the HP Scripting Toolkit for Linux User Guide or HP Scripting Toolkit for Windows User Guide.

Obtaining the iLO firmware image file

The .bin file from the iLO Online ROM Flash Component is required for some of the methods you can use to update the iLO firmware.
To download the iLO Online ROM Flash Component file, and then extract the .bin file:
1. Navigate to the technical support page on the HP website: http://www.hp.com/support.
2. Select a country or region and a language.
The HP Support page opens.
26 Configuring iLO
3. Click the Drivers & Downloads link.
4. In the search box, enter the server model that you are using (for example, DL360). A list of servers is displayed.
5. Click the link for your server. The HP Support Center page for the server opens.
6. Click the link for your server operating system.
7. Follow the onscreen instructions to download the iLO Online ROM Flash Component file.
8. Double-click the downloaded file, and then click the Extract button.
9. Select a location for the extracted files, and then click OK. The firmware image is a file similar to ilo3_<yyy>.bin, where <yyy> represents the
firmware version.

Updating the iLO firmware by using a browser

You can update the iLO firmware from any network client by using a supported browser. For a list of supported browsers, see “Using the iLO web interface” (page 92).
To update the iLO firmware:
1. Obtain the firmware image file. For instructions, see “Obtaining the iLO firmware image file”
(page 26).
2. Navigate to the AdministrationiLO Firmware page. The Firmware Update page opens, as shown in Figure 8 (page 27).
Figure 8 Firmware Update page
3. Click Browse (Internet Explorer or Firefox) or Choose File (Chrome), and then specify the location of the firmware image file in the File box.
4. Click Upload to start the update process. The firmware update will not start if you navigate away from the Firmware Update page
before the upload is complete. The iLO firmware receives, validates, and then flashes the firmware image. After the firmware
flashes and resets, iLO logs you out and the browser reconnects.
IMPORTANT: Do not interrupt a firmware update. If a firmware update is interrupted or fails,
attempt it again immediately. Do not reset iLO before reattempting the update.
Updating firmware 27
5. To start working with the updated firmware, clear your browser cache, and then log in to iLO. If an error occurs during a firmware update, see “Unable to upgrade iLO firmware” (page 228). If an iLO firmware update is corrupted or canceled, and iLO is corrupted, see “iLO network Failed
Flash Recovery” (page 229).

Using language packs

Language packs enable you to easily switch the iLO web interface from English to a supported language of your choice. Language packs currently provide translations for the iLO web interface, .NET IRC, and Java IRC.
Consider the following when using language packs:
You must have the Configure iLO Settings privilege to install a language pack.
You can install one additional language pack at a time. Uploading a new language pack
replaces the currently installed language pack, regardless of the language pack version.
The language pack firmware is independent of the iLO firmware. Setting iLO to the factory
default settings does not remove an installed language pack.
The Java IRC and .NET IRC use the language of the current iLO session.
For localization support with the Java IRC on Windows systems, you must select the correct
language in the Regional and Language Options Control Panel.
For localization support with the Java IRC on Linux systems, make sure that the fonts for the
specified language are installed and available to the JRE.
If an installed language pack does not include the translation for a text string, the text is
displayed in English.
When you update the iLO firmware, HP recommends downloading the latest language pack
to ensure that the language pack contents match the iLO web interface. iLO 3 firmware version 1.50 or later requires version 1.50 or later of the iLO language pack.
iLO uses the following process to determine the language of your session:
1. If you previously logged in to the iLO web interface on the same computer using the same browser, and you have not cleared the cookies, the language setting of the last session with that iLO processor is used.
2. If there is no cookie, the current browser language is used if it is supported by iLO and the required language pack is installed. The supported languages are English (en), Japanese (ja), and Simplified Chinese (zh).
3. Internet Explorer only: If the browser language is not supported, the OS language is used if the language is supported by iLO, and the required language pack is installed.
4. If there is no cookie, and the browser or OS language is not supported, iLO uses the configured default language. For more information, see “Configuring the default language
settings” (page 30).

Installing a language pack

1. Navigate to the iLO software download website: http://www.hp.com/support/ilo3.
2. Download the language pack to your local computer.
3. Navigate to the AdministrationAccess SettingsLanguage page, as shown in Figure 9
(page 29).
28 Configuring iLO
Figure 9 Access Settings – Language page
4. Click Browse (Internet Explorer or Firefox) or Choose File (Chrome) in the Upload Language Pack section.
5. Select the downloaded language pack, and then click Open. The following message appears:
Only one language pack is supported at a time. If a language pack is already installed, it will be replaced with this upload. iLO will automatically reboot after installing the new language pack. Are you sure you want to install now?
6. Click OK to continue. If you have a previously installed language pack, this language pack will replace it.
7. Click Upload. iLO will automatically reboot after installing a language pack. This will end your browser
connection with iLO. Wait at least 30 seconds before you attempt to re-establish a connection.

Selecting a language pack

After you have installed a language pack, you can select it in the following ways:
From the login page, as shown in Figure 10 (page 30).
Using language packs 29
Figure 10 Login page Language menu
From the toolbar located on the bottom right side of the iLO web interface, as shown in
Figure 11 (page 30).
Figure 11 Toolbar Language menu
From the AdministrationAccess SettingsLanguage page. For instructions, see “Configuring
the current language settings” (page 30).

Configuring the default language settings

To set the default language for the users of this instance of the iLO firmware:
1. Navigate to the AdministrationAccess SettingsLanguage page, as shown in Figure 9
(page 29).
2. Select a value in the Default Language menu.
The available languages are English and any other language for which a language pack is installed.
3. Click Apply.

Configuring the current language settings

To set the current language of this browser session:
1. Navigate to the AdministrationAccess SettingsLanguage page, as shown in Figure 9
(page 29).
2. Select a value in the Current Language menu.
The available languages are English and any other language for which a language pack is installed.
3. Click Apply.

Uninstalling a language pack

1. Navigate to the AdministrationAccess SettingsLanguage page, as shown in Figure 9
(page 29).
2. Click the Uninstall button in the Installed Languages section.
The following message appears:
Applying new settings requires an iLO reset. Would you like to apply the new settings and reset iLO now?
30 Configuring iLO
3. Click OK to continue. iLO resets and closes your browser connection. Wait at least 30 seconds before you attempt to re-establish a connection.

iLO licensing

HP iLO standard features are included in every HP ProLiant server to simplify server setup, engage health monitoring, monitor power and thermal control, and promote remote administration.
HP iLO Advanced and HP iLO Advanced for BladeSystem licenses activate functionality such as graphical Remote Console with multiuser collaboration, video record/playback, and many more advanced features.
Unlocking iLO licensed features has never been easier. Simply choose and install the license that best suits your company's infrastructure.
iLO Advanced—Enables the full set of iLO features.
iLO Advanced Single Server License
iLO Advanced Electronic License
iLO Advanced Flexible Quantity License
iLO Advanced Volume License
For details on purchasing licenses, see the following website: http://www.hp.com/go/ilo/licensing. For a list of the features that are included with each license, see “iLO license options” (page 238). Consider the following about iLO licenses:
iLO licenses are versionless, meaning, regardless of the version of iLO you have enabled (iLO
2, iLO 3, or iLO 4), an iLO license can be applied. For features that are specific to the version of iLO on your ProLiant server, see “iLO license options” (page 238).
If you purchase an iLO license with any Insight Control software suite, HP provides the Technical
Support and Update Service. For more information, see “Support and other resources”
(page 235).
If you purchase an iLO license as a one-time activation of licensed features, you must purchase
future functional upgrades.
One iLO license is required for each server on which the product is installed and used. Licenses
are not transferable. You cannot license an HP ProLiant SL/ML/DL server by using a BladeSystem license.
HP will continue to provide maintenance releases with fixes, as well as iLO standard feature
enhancements, at no extra charge.

Free iLO 60-day evaluation license

A free iLO evaluation license is available for download from the following HP website: http://
www.hp.com/go/tryinsightcontrol .
When using an evaluation license, note the following:
The evaluation license activates and enables access to iLO licensed features.
The evaluation license key is a 10-seat key, meaning it can be used on 10 different servers.
When the evaluation period has expired, your iLO system will return to the standard
functionality.
iLO licensing 31
Only one evaluation license can be installed for each iLO system. The iLO firmware will not
accept the reapplication of an evaluation license.
The evaluation license expires 60 days after the installation date. HP will notify you by email
when your license is about to expire.

Installing an iLO license by using a browser

You must have the Configure iLO Settings privilege to install a license.
1. Navigate to the AdministrationLicensing page in the iLO web interface. The Licensing page opens, as shown in Figure 12 (page 32).
Figure 12 Licensing page
2. Review the license agreement provided with your HP License Pack option kit.
3. Enter the license key in the Activation Key boxes. Press the Tab key or click inside a box to move between boxes. The cursor advances
automatically when you enter the license key in the Activation Key boxes.
4. Click Install. The EULA confirmation opens. The EULA details are available in the HP License Pack option
kit.
5. Click OK. The license key is now enabled.
For tips on troubleshooting license installation, see “Troubleshooting license installation” (page
218).

Managing iLO users by using the iLO web interface

The iLO firmware enables you to manage user accounts stored locally in the secure iLO memory and directory group accounts. Use MMC or ConsoleOne to manage directory-based user accounts.
iLO supports up to 12 users with customizable access rights, login names, and advanced password encryption. Privileges control individual user settings, and can be customized to meet user access requirements.
To support more than 12 users, you must have an iLO license, which enables integration with an unlimited number of directory-based user accounts. For more information about iLO licensing, see the following website: http://www.hp.com/go/ilo/licensing.
32 Configuring iLO
The following privileges are required for user and directory group administration:
Administer User Accounts—Required for adding, modifying, and deleting users. If you do not
have this privilege, you can view your own settings and change your password.
Configure iLO Settings—Required for adding, modifying, and deleting directory groups. If you
do not have this privilege, you can view directory groups.
NOTE: You can also manage users with the iLO RBSU. For more information, see “Managing
iLO users by using iLO RBSU” (page 18).

Viewing local user accounts

To view local users, navigate to the AdministrationUser Administration page, as shown in
Figure 13 (page 33).
Figure 13 User Administration page
The Local Users table shows the login names, user names, and assigned privileges of each configured user. Move the cursor over an icon to see the privilege name. The available privileges follow:
Remote Console Access —Enables a user to remotely access the host system Remote Console,
including video, keyboard, and mouse control.
Virtual Media —Enables a user to use the Virtual Media feature on the host system.
Virtual Power and Reset —Enables a user to power-cycle or reset the host system. These
activities interrupt the system availability. A user with this privilege can diagnose the system by using the Generate NMI to System button.
Configure iLO Settings —Enables a user to configure most iLO settings, including security
settings, and to remotely update the iLO firmware. This privilege does not enable local user account administration.
After iLO is configured, revoking this privilege from all users prevents reconfiguration using the web interface, HPQLOCFG, or the CLI. Users who have access to iLO RBSU and HPONCFG
Managing iLO users by using the iLO web interface 33
can still reconfigure iLO. Only a user who has the Administer User Accounts privilege can enable or disable this privilege.
Administer User Accounts —Enables a user to add, edit, and delete local iLO user accounts.
A user with this privilege can change privileges for all users. If you do not have this privilege, you can view your own settings and change your own password.

Viewing directory groups

To view directory groups, navigate to the AdministrationUser Administration page, as shown in
Figure 13 (page 33).
The Directory Groups table shows the group DN, group SID, and the assigned privileges for the configured groups. Move the cursor over an icon to see the privilege name. The available privileges follow:
Login Privilege —Enables members of a group to log in to iLO.
Remote Console Access —Enables users to remotely access the host system Remote Console,
including video, keyboard, and mouse control.
Virtual Media —Enables users to use the Virtual Media feature on the host system.
Virtual Power and Reset —Enables users to power-cycle or reset the host system. These
activities interrupt the system availability. Users with this privilege can diagnose the system by using the Generate NMI to System button.
Configure iLO Settings —Enables users to configure most iLO settings, including security
settings, and to remotely update iLO firmware. After iLO is configured, revoking this privilege from all users prevents reconfiguration using
the web interface, HPQLOCFG, or the CLI. Users who have access to iLO RBSU and HPONCFG can still reconfigure iLO. Only a user who has the Administer User Accounts privilege can enable or disable this privilege.
Administer User Accounts —Enables users to add, edit, and delete local iLO user accounts.

Adding or editing local user accounts

Users who have the Administer User Accounts privilege can add or edit iLO users. To add or edit a local user:
1. Navigate to the AdministrationUser Administration page, as shown in Figure 13 (page 33).
2. Do one of the following:
Click New in the Local Users section.
Select a user in the Local Users section, and then click Edit.
The Add/Edit Local User page opens, as shown in Figure 14 (page 35).
34 Configuring iLO
Figure 14 Add/Edit Local User page
3. Provide the following details in the User Information section:
User Name appears in the user list on the User Administration page. It does not have to
be the same as the Login Name. The maximum length for a user name is 39 characters. The user name must use printable characters. Assigning descriptive user names can help you to easily identify the owner of each login name.
Login Name is the name you use when logging in to iLO. It appears in the user list on the
User Administration page, on the iLO Overview page, and in iLO logs. The Login Name does not have to be the same as the User Name. The maximum length for a login name is 39 characters. The login name must use printable characters.
Password and Password Confirm set and confirm the password that is used for logging
in to iLO. The minimum length for a password is set on the Access Settings page (Figure 16). The maximum length for a password is 39 characters. Enter the password twice for verification.
For more information about passwords, see “Password guidelines” (page 36).
4. Select from the following privileges.
Remote Console Access
Virtual Media
Virtual Power and Reset
Configure iLO Settings
Administer User Accounts
Managing iLO users by using the iLO web interface 35
TIP: Click the select all check box to select all of the available user privileges.
For more information about each privilege, see “Viewing local user accounts” (page 33).
5. Do one of the following:
Click Add User to save the new user.
Click Update User to save the user account changes.
Password guidelines
HP recommends that you follow these password guidelines:
Passwords should:
Never be written down or recorded
Never be shared with others
Not be words found in a dictionary
Not be obvious words, such as the company name, product name, user name, or login
name
Passwords should have at least three of the following characteristics:
One numeric character
One special character
One lowercase character
One uppercase character
Depending on the Minimum Password Length setting on the Access Settings page, the password can have a minimum of zero characters (no password) and a maximum of 39 characters. The default Minimum Password Length is eight characters.
IMPORTANT: HP does not recommend setting the Minimum Password Length to fewer than eight
characters unless you have a physically secure management network that does not extend outside the secure data center. For information about setting the Minimum Password Length, see
“Configuring access options” (page 40).
IPMI/DCMI users
The iLO firmware follows the IPMI 2.0 specification. When you are adding IPMI/DCMI users, the login name must be a maximum of 16 characters, and the password must be a maximum of 20 characters.
36 Configuring iLO
When you select iLO user privileges, the equivalent IPMI/DCMI user privilege is displayed in the IPMI/DCMI Privilege based on above settings box.
User—A user has read-only access. A user cannot configure or write to iLO, or perform system
actions. For IPMI User privileges: Disable all privileges. Any combination of privileges that does not
meet the Operator level is an IPMI User.
Operator—An operator can perform system actions, but cannot configure iLO or manage user
accounts. For IPMI Operator privileges: Enable Remote Console Access, Virtual Power and Reset, and
Virtual Media. Any combination of privileges greater than Operator that does not meet the Administrator level is an IPMI Operator.
Administrator—An administrator has read and write access to all features.
For IPMI Administrator privileges: Enable all privileges.

Administering directory groups

iLO enables you to view iLO groups and modify settings for those groups. You must have the Configure iLO Settings privilege to add or edit directory groups. Use the Add/Edit Directory Group page to add or edit iLO directory groups.
To add or edit a directory group:
1. Navigate to the AdministrationUser Administration page, as shown in Figure 13 (page 33).
2. Do one of the following:
Click New in the Directory Groups section.
Select a group in the Directory Groups section, and then click Edit.
The Add/Edit Directory Group page opens, as shown in Figure 15 (page 38).
Managing iLO users by using the iLO web interface 37
Figure 15 Add/Edit Directory Group page
3. Provide the following details in the Group Information section:
Group DN (Security Group DN)—DN of a group in the directory. Members of this group
are granted the privileges set for the group. The specified group must exist in the directory, and users who need access to iLO must be members of this group. Enter a DN from the directory (for example, CN=Group1, OU=Managed Groups, DC=domain, DC=extension).
Shortened DNs are also supported (for example, Group1). The shortened DN is not a unique match. Any group named Group1 is displayed. HP recommends using the fully qualified DN.
Group SID (Security ID)—Microsoft Security ID is used for Kerberos and LDAP group
authorization. This is required for Kerberos. The format is S-1-5-2039349.
4. Select from the following privileges when you are adding or editing a group account:
Login Privilege
Remote Console Access
Virtual Media
Virtual Power and Reset
Configure iLO Settings
Administer User Accounts
For more information about each privilege, see “Viewing directory groups” (page 34).
5. Do one of the following:
Click Add Group to save the new directory group.
Click Update Group to save the directory group changes.
38 Configuring iLO

Deleting a user account or a directory group

The privilege required for this procedure depends on the user account type.
To delete a local user account, the Administer User Accounts privilege is required.
To delete a directory group, the Configure iLO Settings privilege is required.
To delete an existing user account or directory group:
1. Navigate to the AdministrationUser Administration page, as shown in Figure 13 (page 33).
2. Select the check box next to the user or group that you want to delete.
3. Click Delete.
A pop-up window opens with one of the following messages:
Local user: Are you sure you want to delete the selected user(s)?
Warning: Always leave at least one administrator.
Directory group: Are you sure you want to delete the selected
group(s)?
4. Click OK.

Configuring iLO access settings

You can modify iLO access settings, including service, IPMI/DCMI, and access options. The values that you enter on the Access Settings page apply to all iLO users. You must have the Configure iLO Settings privilege to modify access settings.
The default configuration is suitable for most operating environments. The values that you can modify on the Access Settings page allow complete customization of the iLO external access methods for specialized environments.

Configuring service settings

The Service section shows the SSH Access setting and the TCP/IP port values. The TCP/IP ports used by iLO are configurable, which enables compliance with any site requirements
or security initiatives for port settings. These settings do not affect the host system. Changing these settings usually requires configuration of the web browser used for standard and
SSL communication. When these settings are changed, iLO initiates a reset to activate the changes. To configure Service settings:
Configuring iLO access settings 39
1. Navigate to the AdministrationAccess Settings page, as shown in Figure 16 (page 40)
Figure 16 Access Settings page
2. Update the following settings as needed:
Table 1 Service settings
Secure Shell (SSH) Access
3. Click Apply to end your browser connection and restart iLO.
Wait at least 30 seconds before you attempt to re-establish a connection.

Configuring IPMI/DCMI settings

iLO enables you to send industry-standard IPMI and DCMI commands over the LAN. The IPMI/DCMI port is set to 623 and is not configurable.
To enable or disable IPMI/DCMI, select or clear the Enable IPMI/DCMI over LAN on Port 623 check box, and then click Apply.
Default valueService setting
Enables you to specify whether the SSH feature on iLO is enabled or disabled.
SSH provides encrypted access to the iLO CLP. The default is Enabled.
22Secure Shell (SSH) Port
17990Remote Console Port
80Web Server Non-SSL Port (HTTP)
443Web Server SSL Port (HTTPS)
17988Virtual Media Port
Enabled (default)—Enables you to send IPMI/DCMI commands over the LAN by using a
client-side application.
Disabled—Disables IPMI/DCMI over the LAN. Server-side IPMI/DCMI applications are still
functional when IPMI/DCMI over LAN is disabled.

Configuring access options

The Access Options section enables you to modify settings that affect all iLO users.
40 Configuring iLO
NOTE: You can configure some of these settings by using iLO RBSU. For instructions, see “Using
the iLO RBSU” (page 87).
To view or modify iLO access options:
1. Navigate to the AdministrationAccess Settings page.
2. Click the Access Settings tab and scroll to the Access Options section of the Access Settings
page, as shown in Figure 17 (page 41).
Figure 17 Access Options
3. Update the following settings as needed:
Table 2 Access options
30Idle Connection Timeout
(minutes)
EnablediLO Functionality
DescriptionDefault valueOption
This setting specifies how long a user can be inactive, in minutes, before the iLO web interface and Remote Console session end automatically. The following settings are valid: 15, 30, 60, or 120 minutes, or Infinite. Inactive users are not logged out when this option is set to Infinite.
Failure to log out of iLO by either browsing to a different site or closing the browser also results in an idle connection. The iLO firmware supports a finite number of iLO connections. Misuse of the Infinite timeout option might make iLO inaccessible to other users. Idle connections are recycled after they time out.
This setting applies to local and directory users. Directory server timeouts might preempt the iLO setting.
Changes to the setting might not take effect immediately in current user sessions, but will be enforced immediately in all new sessions.
The iLO network and communications with operating system drivers are terminated when iLO functionality is disabled.
If iLO functionality is disabled (including the iLO Diagnostic Port), you must use the server Security Override Switch to enable iLO. See the server documentation to locate the Security Override Switch, and then set it to Override. Power up the server, and then use the iLO RBSU to set iLO
Functionality to Enabled.
NOTE: The iLO functionality cannot be disabled on blade
servers.
Configuring iLO access settings 41
Table 2 Access options (continued)
DescriptionDefault valueOption
Utility
RBSU
Serial Command Line Interface Status
Interface Speed
EnablediLO ROM-Based Setup
DisabledRequire Login for iLO
EnabledShow iLO IP during POST
Enabled-Authentication Required
9600Serial Command Line
This setting enables or disables iLO RBSU. The iLO Option ROM prompts you to press F8 to start iLO RBSU, but if iLO is disabled or iLO RBSU is disabled, this prompt is not displayed.
This setting determines whether a user-credential prompt is displayed when a user accesses iLO RBSU. If this setting is Enabled, a login dialog box opens when you access the iLO RBSU.
This setting enables the display of the iLO network IP address during host server POST.
This setting enables you to change the login model of the CLI feature through the serial port. The following settings are valid:
Enabled-Authentication Required—Enables access to the
iLO CLP from a terminal connected to the host serial port. Valid iLO user credentials are required.
Enabled-No Authentication—Enables access to the iLO CLP
from a terminal connected to the host serial port. iLO user credentials are not required.
Disabled—Disables access to the iLO CLP from the host
serial port. Use this option if you are planning to use physical serial devices.
This setting enables you to change the speed of the serial port for the CLI feature. The following speeds (in bits per second) are valid: 9600, 19200, 57600, and 115200. The serial port configuration must be set to no parity, 8 data bits, and 1 stop bit (N/8/1) for correct operation.
Length
Authentication Failure Logging
8Minimum Password
Server Name
Enabled-Every 3rd Failure
This setting specifies the minimum number of characters allowed when a user password is set or changed. The character length must be a value from 0 to 39.
This setting enables you to specify the host server name. You can assign this value manually, but it might be overwritten by the host software when the operating system loads.
You can enter a server name that is up to 49 bytes. To force the browser to refresh, save this setting, and then
press F5.
This setting enables you to configure logging criteria for failed authentications. All login types are supported; each login type works independently. The following are valid settings:
Enabled-Every Failure—A failed login log entry is recorded
after every failed login attempt.
Enabled-Every 2nd Failure—A failed login log entry is
recorded after every second failed login attempt.
Enabled-Every 3rd Failure—A failed login log entry is
recorded after every third failed login attempt.
Enabled-Every 5th Failure—A failed login log entry is
recorded after every fifth failed login attempt.
Disabled—No failed login log entry is recorded.
For information about using this setting with SSH clients, see
“Logging in to iLO by using an SSH client” (page 43).
4. Click Apply to end your browser connection and restart iLO.
Wait at least 30 seconds before you attempt to re-establish a connection.
42 Configuring iLO

Logging in to iLO by using an SSH client

When a user logs in to iLO by using an SSH client, the number of login name and password prompts displayed by iLO matches the value of the Authentication Failure Logging option (3 if it is disabled). The number of prompts might also be affected by your SSH client configuration. SSH clients also implement delays after login failure.
For example, to generate an SSH authentication failure log with the default value (Enabled-Every 3rd Failure), assuming that the SSH client is configured with the number of password prompts set to 3, three consecutive login failures occur as follows:
1. Run the SSH client and log in with an incorrect login name and password. You receive three password prompts. After the third incorrect password, the connection ends
and the first login failure is recorded. The SSH login failure counter is set to 1.
2. Run the SSH client and log in with an incorrect login name and password. You receive three password prompts. After the third incorrect password, the connection ends
and the second login failure is recorded. The SSH login failure counter is set to 2.
3. Run the SSH client and log in with an incorrect login name and password. You receive three password prompts. After the third incorrect password, the connection ends
and the third login failure is recorded. The SSH login failure counter is set to 3.
The iLO firmware records an SSH failed login log entry, and sets the SSH login failure counter to
0.

Configuring iLO security

iLO provides the following security features:
User-defined TCP/IP ports. For more information, see “Configuring iLO access settings”
(page 39).
User actions logged in the iLO Event Log. For more information, see “Using the iLO Event Log”
(page 106).
Progressive delays for failed login attempts. For more information, see “Login security”
(page 46).
Support for X.509 CA signed certificates. For more information, see “Administering SSL
certificates” (page 48).
Support for securing iLO RBSU. For more information, see “iLO RBSU security” (page 44).
Encrypted communication that uses SSL certificate administration. For more information, see
“Administering SSL certificates” (page 48).
Support for optional LDAP-based directory services. For more information, see “Directory
services” (page 160).
Some of these options are licensed features. For more information, see “iLO licensing” (page 31).

General security guidelines

General security guidelines for iLO follow:
For maximum security, configure iLO on a separate management network. For more information,
see “Connecting iLO to the network” (page 16).
Do not connect iLO directly to the Internet.
Use a browser that has a 128-bit cipher strength.
Configuring iLO security 43
iLO RBSU security
iLO RBSU enables you to view and modify the iLO configuration. You can configure iLO RBSU access settings by using iLO RBSU, a web browser, RIBCL scripts, or the iLO Security Override Switch.
For information about using a web browser to configure iLO RBSU access settings, see
“Configuring access options” (page 40).
For information about using iLO RBSU to configure iLO RBSU access settings, see “Using the
iLO RBSU” (page 87).
For information about using RIBCL scripts to configure iLO RBSU, see the HP iLO 3 Scripting
and Command Line Guide.
For information about using the iLO Security Override Switch to access iLO RBSU , see “iLO
Security Override Switch administration” (page 44).
iLO RBSU has the following security levels:
Login Not Required (default)
Anyone who has access to the host during POST can enter iLO RBSU to view and modify configuration settings. This is an acceptable setting if host access is controlled. If host access is not controlled, any user can make changes by using the active configuration menus.
Login Required (more secure)
If iLO RBSU login is required, the active configuration menus are controlled by the authenticated user access rights.
Disabled (most secure)
If iLO RBSU is disabled, user access is prohibited. This prevents modification by using the iLO RBSU .
To change the login requirement:
Use the iLO web interface to edit the Require Login for iLO RBSU setting. For instructions, see
“Configuring access options” (page 40).
Use the iLO RBSU to edit the Require iLO 3 RBSU Login setting. For instructions, see “Using
the iLO RBSU” (page 87).
To enable or disable access to iLO RBSU:
Use the iLO web interface to edit the iLO ROM-Based Setup Utility setting. For instructions, see
“Configuring access options” (page 40).
Use the iLO RBSU to edit the iLO 3 ROM-Based Setup Utility setting. For instructions, see “Using the iLO RBSU” (page 87).
iLO Security Override Switch administration
The iLO Security Override Switch grants the administrator full access to the iLO processor. This access might be necessary for any of the following conditions:
iLO has been disabled and must be re-enabled.
All user accounts that have the Administer User Accounts privilege are locked out.
An invalid configuration prevents iLO from being displayed on the network, and iLO RBSU is
disabled.
The boot block must be flashed.
The iLO NIC is turned off, and running iLO RBSU to turn it back on is not possible or convenient.
Only one user name is configured, and the password is forgotten.
44 Configuring iLO
Ramifications of setting the iLO Security Override Switch include the following:
All security authorization verifications are disabled when the switch is set.
iLO RBSU runs if the host server is reset.
iLO is not disabled and might be displayed on the network as configured.
iLO, if disabled when the switch is set, does not log out the user and complete the disable
process until the power is cycled on the server.
The boot block is exposed for programming.
A warning message is displayed on iLO web interface pages, indicating that the switch is
currently in use.
An iLO log entry records the use of the switch.
When iLO boots after you set or clear the iLO Security Override Switch, an SNMP alert is sent if an SNMP Alert Destination is configured.
Setting the iLO Security Override Switch enables you to flash the iLO boot block. HP does not anticipate that you will need to update the boot block. However, if an update is required, you must be physically present at the server to reprogram the boot block and reset iLO. The boot block is exposed until iLO is reset. For maximum security, HP recommends disconnecting iLO from the network until the reset is complete. You must open the server enclosure to access the iLO Security Override Switch.
To set the iLO Security Override Switch:
1. Power off the server.
2. Set the switch.
3. Power on the server. Reverse this procedure to clear the iLO Security Override Switch. Depending on the server, the iLO Security Override Switch might be a single jumper or a specific
switch position on a DIP switch panel. For information about accessing the iLO Security Override Switch, see the server documentation or use the diagrams on the server access panel.

TPM support

A TPM is a computer chip that securely stores artifacts used to authenticate the platform. These artifacts can include passwords, certificates, or encryption keys. You can also use a TPM to store platform measurements to make sure that the platform remains trustworthy.
On a supported system, iLO decodes the TPM record and passes the configuration status to iLO, the CLP, and the XML interface. The iLO Overview page displays the following TPM status information:
Not Supported—A TPM is not supported.
Not Present—A TPM is not installed.
Present—This indicates one of the following statuses:
A TPM is installed and enabled.
A TPM is installed and enabled, and Expansion ROM measuring is enabled. If Expansion
A TPM is installed but is disabled.
ROM measuring is enabled, the Update Firmware page displays a legal warning message when you click Upload.
Configuring iLO security 45

User accounts and access

iLO supports the configuration of up to 12 local user accounts. Each account can be managed through the following features:
Privileges
Login security
You can configure iLO to use a directory to authenticate and authorize its users. This configuration enables an unlimited number of users and easily scales to the number of iLO devices in an enterprise. The directory also provides a central point of administration for iLO devices and users, and the directory can enforce a stronger password policy. iLO enables you to use local users, directory users, or both.
The following directory configuration options are available:
A directory extended with HP schema
The directory default schema
For more information about using directory authentication, see “Directory services” (page 160).
User privileges
iLO allows you to control user account access to iLO features through the use of privileges. When a user attempts to use a feature, iLO verifies that the user has the proper privilege to use that feature.
For information about the available user account and directory group privileges, see “Managing
iLO users by using the iLO web interface” (page 32).
Login security
iLO provides several login security features. After an initial failed login attempt, iLO imposes a delay of ten seconds. Each subsequent failed attempt increases the delay by ten seconds. An information page is displayed during each delay; this continues until a valid login occurs. This feature helps to prevent dictionary attacks against the browser login port.
iLO saves a detailed log entry for failed login attempts. You can configure the Authentication Failure Logging frequency on the AdministrationAccess Settings page. For more information, see
“Configuring access options” (page 40).

Administering SSH keys

The Secure Shell Key page displays the hash of the SSH public key associated with each user. Each user can have only one key assigned. Use this page to view, add, or delete SSH keys.
You must have the Administer User Accounts privilege to add and delete SSH keys.
About SSH keys
When you add an SSH key to iLO, you paste the SSH key file into iLO as described in “Authorizing
a new SSH key” (page 47). The file must contain the user-generated public key. The iLO firmware
associates each key with the selected local user account. If a user is removed after an SSH key is authorized for that user, the SSH key is removed.
A sample SSH key file follows:
ssh-dss AAAAB3......wHM Administrator
In this sample, ssh-dss AAAAB3.....wHM is the public key, and Administrator is a local
iLO user account.
46 Configuring iLO
Note the following when working with SSH keys:
Any SSH connection authenticated through the corresponding private key is authenticated as
the owner of the key and has the same privileges.
The iLO firmware provides storage to accommodate SSH keys that have a length of 639 bytes
or less. If the key is larger than 639 bytes, the authorization might fail. If this occurs, use the SSH client software to generate a shorter key.
If you use the iLO web interface to enter the public key, you select the user associated with
the public key. If you use the CLI to enter the public key, the public key is linked to the user name that you entered to log in to iLO. If you use HPQLOCFG to enter the public key, you append the iLO user name to the public key data. The public key is stored with that user name.
Authorizing a new SSH key
1. Generate a 1,024-bit DSA SSH key by using ssh-keygen, puttygen.exe, or another SSH key utility.
2. Create the key.pub file.
3. Navigate to the AdministrationSecurity page.
4. Click the Secure Shell Key tab, as shown in Figure 18 (page 47).
Figure 18 Security–Secure Shell Key page
5. Select the check box to the left of the user to which you want to add an SSH key.
6. Click Authorize New Key.
7. Copy and paste the public key into the DSA Public Key Import Data box as shown in
Figure 19 (page 48).
Configuring iLO security 47
Figure 19 DSA Public Key Import Data box
The key must be a 1,024-bit DSA key.
8. Click Import Public Key.
Deleting SSH keys
1. Navigate to the AdministrationSecurity page.
2. Click the Secure Shell Key tab, as shown in Figure 18 (page 47).
3. Select the check box to the left of the user for which you want to delete an SSH key.
4. Click Delete Selected Key(s).
The selected SSH key is removed from iLO. When an SSH key is deleted from iLO, an SSH client cannot authenticate to iLO by using the corresponding private key.
Authorizing SSH keys from an HP SIM server
The mxagentconfig utility enables you to authorize SSH keys from an HP SIM server.
SSH must be enabled on iLO before you use mxagentconfig to authorize a key.
The user name and password entered in mxagentconfig must correspond to an iLO user
who has the Configure iLO Settings privilege. The user can be a directory user or a local user.
The key is authorized on iLO and corresponds to the user name specified in the
mxagentconfig command.
For more information about mxagentconfig, see the HP iLO 3 Scripting and Command Line Guide.

Administering SSL certificates

SSL is a standard for encrypting data so that it cannot be viewed or modified while in transit on the network. SSL uses a key to encrypt and decrypt the data. The longer the key, the better the encryption.
A certificate is a public document that describes the server. It contains the name of the server and the server's public key. Because only the server has the corresponding private key, this is how the server is authenticated.
A certificate must be signed to be valid. If it is signed by a CA, and that CA is trusted, all certificates signed by the CA are also trusted. A self-signed certificate is one in which the owner of the certificate acts as its own CA. Self-signed certificates are the default for HP management products, though they do support certificates signed by certifying authorities.
48 Configuring iLO
The iLO firmware enables you to create a certificate request, import a certificate, and view information associated with a stored certificate. Certificate information is encoded in the certificate by the CA and is extracted by iLO.
By default, iLO creates a self-signed certificate for use in SSL connections. This certificate enables iLO to work without additional configuration steps. Importing a trusted certificate can enhance the iLO security features. Users who have the Configure iLO Settings privilege can customize and import a trusted certificate.
Viewing SSL certificate information
To view certificate information, navigate to the AdministrationSecuritySSL Certificate page. The following certificate details are displayed:
Issued To—The entity to which the certificate was issued
Issued By—The CA that issued the certificate
Valid From—The first date that the certificate is valid
Valid Until—The date that the certificate expires
Serial Number—The serial number that the CA assigned to the certificate
Obtaining and importing an SSL certificate
Users who have the Configure iLO Settings privilege can customize and import a trusted certificate. A certificate works only with the keys generated with its corresponding CSR. If iLO is reset to factory
defaults, or another CSR is generated before the certificate that corresponds to the previous CSR is imported, the certificate does not work. In that case, a new CSR must be generated and used to obtain a new certificate from the CA.
To obtain and import a certificate:
1. Navigate to the AdministrationSecuritySSL Certificate page, as shown in Figure 20
(page 49).
Figure 20 Security–SSL Certificate Information page
2. Click Customize Certificate. The SSL Certificate Customization page opens, as shown in Figure 21 (page 50).
Configuring iLO security 49
Figure 21 Security–SSL Certificate Customization page
3. Enter the following information in the Certificate Signing Request Information section. The
required boxes are marked with an asterisk (*) in the iLO web interface.
Country (C)—The two-character country code that identifies the country where the company
or organization that owns this iLO subsystem is located
State (ST)—The state where the company or organization that owns this iLO subsystem is
located
City or Locality (L)—The city or locality where the company or organization that owns this
iLO subsystem is located
Organization Name (O)—The name of the company or organization that owns this iLO
subsystem
Organizational Unit (OU)—(Optional) The unit within the company or organization that
owns this iLO subsystem
Common Name (CN)—The FQDN of this iLO subsystem
4. Click Generate CSR.
The following message appears:
The iLO subsystem is currently generating a Certificate Signing Request (CSR). This may take 10 minutes or more. In order to view the CSR, wait 10 minutes or more, and then click the Generate CSR button again.
5. After 10 minutes or more, click the Generate CSR button again.
A new window displays the CSR. The CSR contains a public and private key pair that validates communications between the
client browser and iLO. iLO supports key sizes up to 2,048 bits. The generated CSR is held in memory until a new CSR is generated, iLO is reset, or a certificate is imported.
6. Select and copy the CSR text.
7. Open a browser window and navigate to a third-party CA.
50 Configuring iLO
8. Follow the onscreen instructions and submit the CSR to the CA. The CA will generate a certificate in the PKCS #10 format.
9. After you obtain the certificate, make sure that:
The CN matches the iLO FQDN. This is listed as the iLO Hostname on the
InformationOverview page.
The certificate is generated as a Base64-encoded X.509 certificate, and is in the RAW
format.
The first and last lines are included in the certificate.
10. Return to the SSL Certificate Customization page (Figure 21) in the iLO user interface.
11. Click the Import Certificate button. The Import Certificate window opens, as shown in Figure 22 (page 51).
Figure 22 Import Certificate window
12. Paste the certificate into the text box, and then click the Import button. iLO supports DER-encoded SSL certificates that are up to 3 KB in size (including the 609 or
1,187 bytes used by the private key, for 1,024-bit and 2,048-bit certificates, respectively).
13. Restart iLO.

Configuring directory settings

The iLO firmware connects to Microsoft Active Directory, Novell e-Directory, and other LDAP
3.0-compliant directory services for user authentication and authorization. You can configure iLO
to authenticate and authorize users by using the HP Extended Schema directory integration or the schema-free directory integration. The HP Extended Schema works only with Microsoft Windows. The iLO firmware connects to directory services by using SSL connections to the directory server LDAP port. The default secure LDAP port is 636.
For more information about using directory authentication with iLO, see “Directory services”
(page 160).
Locally stored user accounts (listed on the User Administration page) can be active when iLO directory support is enabled. This enables both local-based and directory-based user access. Typically, you can delete local user accounts (with the possible exception of an emergency access account) after iLO is configured to access the directory service. You can also disable access to these accounts when directory support is enabled.
Configuring iLO security 51
You must have the Configure iLO Settings privilege to change directory settings. This feature and many others are part of an iLO licensing package. For more information about
iLO licensing, see the following website: http://www.hp.com/go/ilo/licensing.
Configuring authentication and directory server settings
1. Navigate to the AdministrationSecurityDirectory page, as shown in Figure 23 (page 52).
Figure 23 Security - Directory page
2. Configure the following options:
LDAP Directory Authentication—Enables or disables directory authentication. If directory
52 Configuring iLO
authentication is enabled and configured correctly, users can log in by using directory credentials.
Choose from the following options:
Disabled—User credentials are not validated by using a directory.
Use HP Extended Schema—Selects directory authentication and authorization by
using directory objects created with the HP Extended Schema. Select this option when the directory has been extended with the HP Extended Schema.
Use Directory Default Schema—Selects directory authentication and authorization
by using user accounts in the directory. Select this option when the directory is not
extended with the HP Extended Schema. User accounts and group memberships are used to authenticate and authorize users. After you enter and save the directory network information, click Administer Groups, and then enter one or more valid directory DNs and privileges to grant users access to iLO.
Kerberos Authentication—Enables Kerberos login. If Kerberos login is enabled and
configured correctly, the HP Zero Sign In button appears on the login page.
Local User Accounts—Enables or disables local user account access.
Enabled—A user can log in by using locally stored user credentials. HP recommends
enabling this option and configuring a user account with administrator privileges. This account can be used if iLO cannot communicate with the directory server.
Disabled—User access is limited to valid directory credentials.
Access through local user accounts is enabled when directory support is disabled or an iLO license is revoked. You cannot disable local user access when you are logged in through a local user account.
Kerberos Realm—The name of the Kerberos realm in which the iLO processor is operating.
This string can be up to 128 characters. A realm name is usually the DNS name converted to uppercase. Realm names are case sensitive.
Kerberos KDC Server Address—The IP address or DNS name of the KDC server. This
string can be up to 128 characters. Each realm must have at least one KDC that contains an authentication server and a ticket grant server. These servers can be combined.
Kerberos KDC Server Port—The TCP or UDP port number on which the KDC is listening.
The default KDC port is 88.
Kerberos Keytab—A binary file that contains pairs of service principal names and
encrypted passwords. In the Windows environment, the keytab file is generated by the ktpass utility. Click Browse (Internet Explorer or Firefox) or Choose File (Chrome), and then follow the onscreen instructions to select a file.
IMPORTANT: The components of the service principal name stored in the Kerberos
keytab file are case sensitive. The primary (service type) must be in uppercase letters, for example, (HTTP). The instance (iLO host name) must be in lowercase letters, for example,
iloexample.example.net. The realm name must be in uppercase, for example, EXAMPLE.NET.
3. Enter the directory server settings. iLO directory server settings enable you to identify the directory server address and LDAP port.
Directory Server Address—Specifies the network DNS name or IP address of the directory
server. The directory server address can be up to 127 characters.
IMPORTANT: HP recommends using DNS round-robin when you are defining the
directory server.
Directory Server LDAP Port—Specifies the port number for the secure LDAP service on the
server. The default value is 636. You can specify a different value if your directory service is configured to use a different port.
Configuring iLO security 53
LOM Object Distinguished Name—Specifies where this iLO instance is listed in the directory
tree (for example, cn=iLO Mail Server,ou=Management Devices,o=hp). This option is available when Use HP Extended Schema is selected.
User search contexts are not applied to the LOM object DN when iLO accesses the directory server.
Directory User Contexts—These boxes enable you to specify common directory subcontexts
so that users do not need to enter their full DNs at login. Directory user contexts can be up to 128 characters.
You can identify the objects listed in a directory by using unique DNs. However, DNs can be long, and users might not know their DNs or might have accounts in different directory contexts. iLO attempts to contact the directory service by DN, and then applies the search contexts in order until successful.
Example 1—If you enter the search context ou=engineering,o=hp, you can log
in as user instead of logging in as cn=user,ou=engineering,o=hp.
Example 2—If a system is managed by Information Management, Services, and
Training, search contexts such as the following enable users in any of these organizations to log in by using their common names:
Directory User Context 1:ou=IM,o=hp Directory User Context 2:ou=Services,o=hp Directory User Context 3:ou=Training,o=hp
If a user exists in both the IM organizational unit and the Training organizational unit, login is first attempted as cn=user,ou=IM,o=hp.
Example 3 (Active Directory only)—Microsoft Active Directory allows an alternate
4. Click Apply Settings.
5. To test the communication between the directory server and iLO, click Test Settings.
For more information, see “Running directory tests” (page 54).
6. Optional: Click Administer Groups to navigate to the User Administration page.
For information about group administration, see “Administering directory groups” (page 37).
Running directory tests
Directory tests enable you to validate the configured directory settings. The directory test results are reset when directory settings are saved, or when the directory tests are started.
To validate the configured directory settings:
user credential format. A user can log in as user@domain.example.com, in which case a search context of @domain.example.com allows the user to log in as user. Only a successful login attempt can test search contexts in this format.
54 Configuring iLO
1. Click Test Settings on the SecurityDirectory page. The Directory Tests page opens, as shown in Figure 24 (page 55).
Figure 24 Directory Tests page
This page displays the results of a series of simple tests designed to validate the current directory settings. Also, it includes a test log that shows test results and any detected issues. After your directory settings are configured correctly, you do not need to rerun these tests. The Directory Tests page does not require that you be logged in as a directory user.
2. In the Directory Test Controls section, enter the DN and password of a directory administrator.
Directory Administrator Distinguished Name—Searches the directory for iLO objects,
roles, and search contexts. This user must have rights to read the directory.
Directory Administrator Password—Authenticates the directory administrator.
HP recommends that you use the same credentials that you used when creating the iLO objects in the directory. These credentials are not stored by iLO; they are used to verify the iLO object and user search contexts.
3. In the Directory Test Controls section, enter a test user name and password.
Test User Name—Tests login and access rights to iLO. The name does not have to be
fully distinguished because user search contexts can be applied. This user must be associated with a role for this iLO.
Test User Password—Authenticates the test user.
Typically, this account is used to access the iLO processor being tested. It can be the directory administrator account, but the tests cannot verify user authentication with a superuser account. These credentials are not stored by iLO.
Configuring iLO security 55
4. Click Start Test.
Several tests begin in the background, starting with a network ping of the directory user by establishing an SSL connection to the server and evaluating user privileges.
While the tests are running, the page refreshes periodically. You can stop the tests or manually refresh the page at any time.
Viewing directory test results
The Directory Test Results section shows the directory test status with the date and time of the last update.
Overall Status—Summarizes the results of the tests.
Not Run—No tests were run.
Inconclusive—No results were reported.
Passed—No failures were reported.
Problem Detected—A problem was reported.
Failed—A specific subtest failed. Check the onscreen log to identify the problem.
Warning—One or more of the directory tests reported a Warning status.
Test—The name of each test.
Table 3 (page 56) provides details about each directory test.
Table 3 Directory tests
DescriptionTest
Directory Server DNS Name
If the directory server is defined in FQDN format (directory.company.com), iLO resolves the name from FQDN format to IP format, and queries the configured DNS server.
If the test is successful, iLO obtained an IP address for the configured directory server. If iLO cannot obtain an IP address for the directory server, this test and all subsequent tests fail.
If the directory server is configured with an IP address, iLO skips this test. If a failure occurs:
1. Verify that the DNS server configured in iLO is correct.
2. Verify that the directory server FQDN is correct.
3. As a troubleshooting tool, use an IP address instead of the FQDN.
4. If the problem persists, check the DNS server records and network routing.
iLO initiates a ping to the configured directory server.Ping Directory Server The test is successful if iLO receives the ping response; it is unsuccessful if the directory
server does not reply to iLO. If the test fails, iLO will continue with the subsequent tests. If a failure occurs:
1. Check to see if a firewall is active on the directory server.
2. Check for network routing issues.
Server
56 Configuring iLO
iLO attempts to negotiate an LDAP connection with the directory server.Connect to Directory If the test is successful, iLO was able to initiate the connection. If the test fails, iLO was not able to initiate an LDAP connection with the specified directory
server. Subsequent tests will stop. If a failure occurs:
Table 3 Directory tests (continued)
DescriptionTest
1. Verify that the configured directory server is the correct host.
2. Verify that iLO has a clear communication path to the directory server through port
636 (consider any routers or firewalls between iLO and the directory server).
3. Verify that any local firewall on the directory server is enabled to allow communications
through port 636.
Connect using SSL
Bind to Directory Server
Directory Administrator Login
iLO initiates SSL handshake and negotiation and LDAP communications with the directory server through port 636.
If the test is successful, the SSL handshake and negotiation between iLO and the directory server were successful.
If a failure occurs, the directory server is not enabled for SSL negotiations. If you are using Microsoft Active Directory, verify that Active Directory Certificate Services
(Windows Server 2008) are installed.
This test binds the connection with the user name specified in the test boxes. If no user is specified, iLO will do an anonymous bind.
If the test is successful, the directory server accepted the binding. If a failure occurs:
1. Verify that the directory server allows anonymous binding.
2. If you entered a user name in the test boxes, verify that the credentials are correct.
3. If you verified that the user name is correct, try using other user-name formats; for
example, user@domain.com, DOMAIN\username, username (called Display Name in Active Directory), or userlogin.
4. Verify that the specified user is allowed to log in and is enabled.
If Directory Administrator Distinguished Name and Directory Administrator Password were specified, iLO uses these values to log in to the directory server as an administrator. These boxes are optional.
iLO authenticates to the directory server with the specified user name and password.User Authentication If the test is successful, the supplied user credentials are correct. If the test fails, the user name and/or password is incorrect. If a failure occurs:
1. If you verified that the user name is correct, try using other user-name formats; for
example, user@domain.com, DOMAIN\username, username (called Display Name in Active Directory), or userlogin.
2. Verify that the specified user is allowed to log in and is enabled.
3. Check to see if the specified user name is restricted by logon hours or IP-based logging.
User Authorization
Directory User Contexts
LOM Object Exists
This test verifies that the specified user name is part of the specified directory group, and is part of the directory search context specified during directory services configuration.
If a failure occurs:
1. Verify that the specified user name is part of the specified directory group.
2. Check to see if the specified user name is restricted by logon hours or IP-based logging.
If Directory Administrator Distinguished Name was specified, iLO tries to search the specified context.
If the test is successful, iLO found the context by using the administrator credentials to search for the container in the directory.
Contexts that begin with "@" can be tested only by user login. A failure indicates that the container could not be located.
This test searches for the iLO object in the directory server by using the LOM Object Distinguished Name configured on the SecurityDirectory page.
Configuring iLO security 57
Table 3 Directory tests (continued)
DescriptionTest
NOTE: You can enter a LOM Object Distinguished Name on the SecurityDirectory
page only when Use HP Extended Schema is selected. This test is run even if LDAP Directory Authentication is disabled.
If the tests is successful, iLO found the object that represents itself. If a failure occurs:
1. Verify that the LDAP FQDN of the LOM object is correct.
2. Try to update the HP Extended Schema and snap-ins in the directory server by updating
the HP Directories Support for ProLiant Management Processors software.
Result—Reports status for a specific directory setting or an operation that uses one or more
directory settings. These results are generated when a sequence of tests is run. The results stop when the tests run to completion, when a test failure prevents further progress, or when the tests are stopped. Test results follow:
Passed—The test ran successfully. If more than one directory server was tested, all servers
that ran this test were successful.
Not Run—The test was not run.
Failed—The test was unsuccessful on one or more of the directory servers. Directory
support might not be available on those servers.
Warning—The test ran and reported a warning condition, for example, a certificate error.
Check the Notes column for suggested actions to correct the warning condition.
Notes—Indicates the results of various phases of the directory tests. The data is updated with
failure details and information that is not readily available, like the directory server certificate subject and which roles were evaluated successfully.
Using the directory test controls
The Directory Test Controls section enables you to view the current state of the directory tests, adjust the test parameters, start and stop the tests, and refresh the page contents.
In Progress—Indicates that directory tests are currently being performed in the background.
Click the Stop Test button to cancel the current tests, or click the Refresh button to update the contents of the page with the latest results. Using the Stop Test button might not stop the tests immediately.
Not Running—Indicates that directory tests are current, and that you can supply new parameters
to run the tests again. Use the Start Test button to start the tests and use the current test control values. Directory tests cannot be started after they are already in progress.
Stopping—Indicates that directory tests have not yet reached a point where they can stop.
You cannot restart tests until the status changes to Not Running. Use the Refresh button to determine whether the tests are complete.
For information about the parameters you can enter, see “Running directory tests” (page 54).

Using encryption

iLO provides enhanced security for remote management in distributed IT environments. SSL encryption protects web browser data. SSL encryption of HTTP data ensures that the data is secure as it is transmitted across the network. iLO supports the following cipher strengths:
256-bit AES with RSA, DHE, and a SHA1 MAC
256-bit AES with RSA, and a SHA1 MAC
58 Configuring iLO
128-bit AES with RSA, DHE, and a SHA1 MAC
128-bit AES with RSA, and a SHA1 MAC
168-bit 3DES with RSA, and a SHA1 MAC
168-bit 3DES with RSA, DHE, and a SHA1 MAC
iLO also provides enhanced encryption through the SSH port for secure CLP transactions. iLO supports AES128-CBC and 3DESCBC cipher strengths through the SSH port.
If enabled, iLO enforces the use of these enhanced ciphers (both AES and 3DES) over the secure channels, including secure HTTP transmissions through the browser, SSH port, and XML port. When AES/3DES encryption is enabled, you must use a cipher strength equal to or greater than AES/3DES to connect to iLO through these secure channels. The AES/3DES encryption enforcement setting does not affect communications and connections over less-secure channels.
By default, Remote Console data uses 128-bit RC4 bidirectional encryption. The HPQLOCFG utility uses 128-bit RC4 with 160-bit SHA1 and 2048-bit RSAKeyX encryption to securely send RIBCL scripts to iLO over the network.
Version 1.50 and later of the iLO 3 firmware supports FIPS Mode.
NOTE: The term FIPS Mode is used in this document and in iLO to describe the feature, not its
validation status.
FIPS is a set of standards mandated for use by United States government agencies and
contractors.
FIPS Mode in iLO 3 1.50 and later is intended to meet the requirements of FIPS 140-2 level
1. This version or any other version of the iLO firmware might have this feature but might or might not be FIPS validated. The FIPS validation process is lengthy, so not all iLO firmware versions will be validated. For information about the current FIPS status of this or any other version of the iLO firmware, see the following document: http://csrc.nist.gov/groups/STM/
cmvp/documents/140-1/140InProcess.pdf.
Viewing encryption enforcement settings
Navigate to the AdministrationSecurityEncryption page, as shown in Figure 25 (page 59).
Figure 25 Security–Encryption Settings page
Configuring iLO security 59
The Encryption Settings page displays the current encryption settings for iLO.
Current Negotiated Cipher—The cipher in use for the current browser session. After you log
in to iLO through the browser, the browser and iLO negotiate a cipher setting to use during the session.
Encryption Enforcement Settings—The current encryption settings for iLO:
FIPS Mode—Indicates whether FIPS Mode is enabled or disabled for this iLO system.
Enforce AES/3DES Encryption—Indicates whether AES/3DES encryption is enforced for
this iLO. When enabled, iLO accepts only those connections through the browser and SSH interface
that meet the minimum cipher strength. A cipher strength of at least AES or 3DES must be used to connect to iLO when this setting is enabled.
Modifying the AES/DES encryption setting
You must have the Configure iLO Settings privilege to change the encryption settings. To modify the AES/DES encryption setting:
1. Navigate to the AdministrationSecurityEncryption page, as shown in Figure 25 (page 59).
2. Change the Enforce AES/3DES Encryption setting to Enabled or Disabled.
3. Click Apply to end your browser connection and restart iLO. Wait at least 30 seconds before you attempt to re-establish a connection. When changing the Enforce AES/3DES Encryption setting to Enabled, close all open browsers
after clicking Apply. Any browsers that remain open might continue to use a non-AES/3DES cipher.
Connecting to iLO by using AES or 3DES encryption
After you enable the Enforce AES/3DES Encryption setting, iLO requires that you connect through secure channels (web browser, SSH connection, or XML channel) by using a cipher strength of at least AES or 3DES.
Web browser—You must configure the browser with a cipher strength of at least AES or 3DES.
If the browser is not using AES or 3DES ciphers, iLO displays an error message. The error text varies depending on the installed browser.
Different browsers use different methods for selecting a negotiated cipher. For more information, see your browser documentation. You must log out of iLO through the current browser before changing the browser cipher setting. Any changes made to the browser cipher setting while you are logged in to iLO might enable the browser to continue using a non-AES/3DES cipher.
SSH connection—For instructions on setting the cipher strength, see the SSH utility
documentation.
XML channel—HPQLOCFG uses a secure 3DES cipher by default. For example, HPQLOCFG
displays the following cipher strength in the XML output:
Connecting to Server... Negotiated cipher: 128–bit Rc4 with 160–bit SHA1 and 2048–bit RsaKeyx
Enabling FIPS Mode
You must have the Configure iLO Settings privilege to change the encryption settings. To enable FIPS Mode for iLO:
1. Optional: Capture the current iLO configuration by using HPONCFG. For more information, see the HP iLO 3 Scripting and Command Line Guide.
60 Configuring iLO
2. Verify that a trusted certificate is installed. Using iLO in FIPS Mode with the default self-signed certificate is not FIPS compliant. For
instructions, see “Obtaining and importing an SSL certificate” (page 49).
IMPORTANT: Some interfaces to iLO, such as supported versions of IPMI and SNMP, are
not FIPS compliant and cannot be made FIPS compliant. For information about the iLO firmware versions that are FIPS validated, see the following document: http://csrc.nist.gov/groups/
STM/cmvp/documents/140-1/140-1val.zip
3. Power off the server.
4. Navigate to the AdministrationSecurityEncryption page, as shown in Figure 25 (page 59).
5. Set FIPS Mode to Enabled.
CAUTION: Enabling FIPS Mode resets iLO to the factory default settings, and clears all user
and license data.
6. Click Apply. iLO reboots in FIPS Mode. Wait at least 90 seconds before attempting to re-establish a
connection.
7. Optional: Restore the iLO configuration by using HPONCFG. For more information, see the HP iLO 3 Scripting and Command Line Guide.
TIP: You can use the Login Security Banner feature to notify iLO users that a system is using FIPS
Mode. For more information, see “Configuring the Login Security Banner” (page 67). You can also use XML configuration and control scripts to enable FIPS mode. For more information,
see the HP iLO 3 Scripting and Command Line Guide.
Disabling FIPS Mode
If you want to disable FIPS Mode for iLO (for example, if a server is decommissioned), you must set iLO to the factory default settings. You can perform this task by using RIBCL scripts or iLO RBSU.
For instructions, see “Resetting iLO to the factory default settings by using iLO RBSU” (page 230) or the HP iLO 3 Scripting and Command Line Guide.
When you disable FIPS Mode, all potentially sensitive data is erased, including all logs and settings.

Configuring iLO for HP SSO

HP SSO enables you to browse directly from an HP SSO-compliant application (such as HP SIM) to iLO, bypassing an intermediate login step. To use SSO, you must have a supported version of an HP SSO-compliant application, and you must configure the iLO processor to trust the SSO-compliant application.
This feature and many others are part of an iLO licensing package. For more information about iLO licensing, see the following website: http://www.hp.com/go/ilo/licensing.
Some HP SSO-compliant applications automatically import trust certificates when they connect to iLO. For applications that do not do this automatically, use the HP SSO page to configure the SSO settings through the iLO web interface. You must have the Configure iLO Settings privilege to change these settings.
Configuring iLO security 61
Configuring iLO for HP SSO
1. Navigate to the AdministrationSecurityHP SSO page, as shown in Figure 26 (page 62).
Figure 26 Security–Single Sign-On Settings page
2. Make sure you have an iLO license key installed.
3. Enable Single Sign-On Trust Mode by selecting Trust by Certificate, Trust by Name, or Trust All.
The iLO firmware supports configurable trust modes, which enables you to meet your security requirements. The trust mode affects how iLO responds to HP SSO requests. If you enable support for HP SSO, HP recommends using the Trust by Certificate mode. The available modes follow:
Trust None (SSO disabled) (default)—Rejects all SSO connection requests
Trust by Certificate (most secure)—Enables SSO connections from an HP SSO-compliant
Trust by Name—Enables SSO connections from an HP SSO-compliant application by
Trust All (least secure)—Accepts any SSO connection initiated from any HP SSO-compliant
62 Configuring iLO
application by matching a certificate previously imported to iLO
matching an IP address or DNS name imported directly, or an IP address or DNS name included in a certificate imported to iLO
application.
4. Configure iLO privileges for each role in the Single Sign-On Settings section.
When you log in to an HP SSO-compliant application, you are authorized based on your HP SSO-compliant application role assignment. The role assignment is passed to iLO when SSO is attempted. For more information about each privilege, see “Managing iLO users by using
the iLO web interface” (page 32).
SSO attempts to receive only the privileges assigned in this section. iLO directory settings do not apply. Default privilege assignments are as follows:
User—Login only
Operator—Login, Remote Console, Power and Reset, and Virtual Media
Administrator—Login, Remote Console, Power and Reset, Virtual Media, Configure iLO,
and Administer Users
5. Click Apply to save the SSO settings.
6. If you selected Trust by Certificate or Trust by Name, add the trusted certificate or DNS name
to iLO. For more information about adding certificates and DNS names, see “Adding trusted
certificates” (page 64).
The certificate repository can hold five typical certificates. However, if typical certificates are not issued, certificate sizes might vary. When all of the allocated storage is used, no more imports are accepted.
7. After you configure SSO in iLO, log in to an HP SSO-compliant application and browse to
iLO. For example, log in to HP SIM, navigate to the System page for the iLO processor, and then click the iLO link in the More Information section.
NOTE: Although a system might be registered as a trusted server, SSO might be refused
because of the current trust mode or certificate status. For example, if an HP SIM server name is registered, and the trust mode is Trust by Certificate, but the certificate is not imported, SSO is not allowed from that server. Likewise, if an HP SIM server certificate is imported, but the certificate has expired, SSO is not allowed from that server. The list of trusted servers is not used when SSO is disabled. iLO does not enforce SSO server certificate revocation.
Viewing trusted certificates
The Manage Trusted Certificates table on the Single Sign-On Settings page displays the status of the trusted certificates configured to use SSO with the current iLO management processor.
Status—The status of the record (if any are installed).
Configuring iLO security 63
Table 4 HP trusted certificate status
DescriptionIcon
The record is valid.
There is a problem with the trust settings or the iLO license. Possible reasons follow:
This record contains a DNS name, and the trust mode is set to Trust by Certificate (only
certificates are valid).
Trust None (SSO disabled) is selected.
A valid license key is not installed.
The record is not valid. Possible reasons follow:
An out-of-date certificate is stored in this record. Check the certificate details for more
information.
The iLO clock is not set or is set incorrectly.
The iLO clock must be in the Valid from and Valid until range.
Certificate—Indicates that the record contains a stored certificate. Move the cursor over the
icon to view the certificate details, including subject, issuer, and dates.
Description—The server name (or certificate subject).
Adding trusted certificates
iLO users who have the Configure iLO Settings privilege can install trusted certificates or add direct DNS names.
The Base64-encoded X.509 certificate data resembles the following:
-----BEGIN CERTIFICATE-----
. . . several lines of encoded data . . .
-----END CERTIFICATE-----
To add trusted HP SSO records by using the iLO web interface:
1. Navigate to the AdministrationSecurityHP SSO page, as shown in Figure 26 (page 62).
2. Use one of the following methods to add a trusted certificate:
To directly import a trusted certificate, copy the Base64-encoded certificate X.509 data,
paste it into the text box above the Import Certificate button, and then click the button.
To indirectly import a trusted certificate, type the DNS name or IP address in the text box
above the Import Certificate from URL button, and then click the button. iLO contacts the HP SSO-compliant application over the network, retrieves the certificate, and then saves it.
To import the direct DNS name, enter the DNS name in the text box above the Import
Direct DNS Name button, and then click the button.
For information about how to extract an HP SIM certificate, see “Extracting the HP SIM server
certificate” (page 65).
For information about how to extract certificates from other HP SSO-compliant applications, see your HP SSO-compliant application documentation.
64 Configuring iLO
Extracting the HP SIM server certificate
You can use the following methods to extract HP SIM certificates.
Enter one of the following links in a web browser:
For HP SIM versions earlier than 7.0:
http://<HP SIM name or network address>:280/GetCertificate
https://<HP SIM name or network address>:50000/GetCertificate
For HP SIM 7.0 or later:
http://<HP SIM name or network address>:280/GetCertificate?certtype=sso
https://<HP SIM name or network address>:50000/GetCertificate?certtype=sso
NOTE: All request parameters are case-sensitive. If you capitalize the lowercase
certtype parameter, the parameter will not be read, and HP SIM will return the default HP SIM server certificate instead of a trust certificate.
Export the certificate from HP SIM:
For HP SIM versions earlier than 7.0:
Select OptionsSecurityCertificatesServer Certificate.
For HP SIM 7.0 or later:
Select OptionsSecurityHP Systems Insight Manager Server Certificate, and then click Export.
Use the HP SIM command-line tools. For example, using the alias tomcat for the HP SIM
certificate, enter mxcert -l tomcat.
For more information, see the HP SIM documentation.
Removing trusted certificates
1. Navigate to the AdministrationSecurityHP SSO page, as shown in Figure 26 (page 62).
2. Select one or more records in the Manage Trusted Certificates table.
3. Click Delete.
The following message appears:
Are you sure you want to remove the selected certificates?
4. Click Yes.

Configuring Remote Console security settings

Use the Remote Console security settings to control the Remote Console Computer Lock settings and the Integrated Remote Console Trust setting. You must have the Configure iLO Settings privilege to change these settings.
Configuring Remote Console Computer Lock settings
Remote Console Computer Lock enhances the security of an iLO-managed server by automatically locking an operating system or logging out a user when a Remote Console session ends or the network link to iLO is lost. This feature is standard and does not require an additional license. As a result, if you open a .NET IRC or Java IRC window and this feature is already configured, the operating system will be locked when you close the window, even if an iLO license is not installed.
The Remote Console Computer Lock feature is set to Disabled by default.
Configuring iLO security 65
To change the Remote Console Computer Lock settings:
1. Navigate to the AdministrationSecurityRemote Console page, as shown in Figure 27 (page
66).
Figure 27 Remote Console Computer Lock Settings
2. Modify the Remote Console Computer Lock settings as required:
Windows—Use this option to configure iLO to lock a managed server running a Windows
operating system. The server automatically displays the Computer Locked dialog box when a Remote Console session ends or the iLO network link is lost.
Custom—Use this option to configure iLO to use a custom key sequence to lock a managed
server or log out a user on that server. You can select up to five keys from the list. The selected key sequence is sent automatically to the server operating system when a Remote Console session ends or the iLO network link is lost.
Disabled (default)—Use this option to disable the Remote Console Computer Lock feature.
Terminating a Remote Console session or losing an iLO network link will not lock the operating system on the managed server.
You can create a Remote Console Computer Lock key sequence by using the keys listed in
Table 5 (page 66):
Table 5 Remote Console Computer Lock keys
g1SCRL LCKESC
h2SYS RQL_ALT
i3F1R_ALT
j4F2L_SHIFT
k5F3R_SHIFT
l6F4L_CTRL
m7F5R_CTRL
n8F6L_GUI
o9F7R_GUI
p;F8INS
q=F9DEL
66 Configuring iLO
r[F10HOME
s\F11END
t]F12PG_UP
u'" " (space)PG_DN
va'ENTER
wb,TAB
Table 5 Remote Console Computer Lock keys (continued)
f0NUM MINUS
3. Click Apply to save the changes.
Configuring the Integrated Remote Console Trust setting (.NET IRC)
The .NET IRC is launched through Microsoft ClickOnce, which is part of the Microsoft .NET Framework. ClickOnce requires that any application installed from an SSL connection be from a trusted source. If a browser is not configured to trust an iLO processor, and the Integrated Remote Console Trust setting is set to Enabled, ClickOnce displays the following error message:
Cannot Start Application – Application download did not succeed...
To specify whether all clients that browse to this iLO require a trusted iLO certificate to run the .NET IRC:
1. Navigate to the AdministrationSecurityRemote Console page, as shown in Figure 28 (page
67).
Figure 28 Remote Console Trust Settings
xc-BREAK
yd.BACKSPACE
ze/NUM PLUS
2. Select one of the following in the Integrated Remote Console Trust Setting section:
Enabled—The .NET IRC is installed and runs only if this iLO certificate and the issuer
certificate have been imported and are trusted.
Disabled (default)—When you launch the .NET IRC, the browser installs the application
from a non-SSL connection. SSL is still used after the .NET IRC starts to exchange encryption keys.
3. Click Apply.

Configuring the Login Security Banner

The Login Security Banner feature allows you to configure the security banner displayed on the iLO login page. For example, you could enter a message indicating that an iLO system uses FIPS Mode.
You must have the Configure iLO Settings privilege to make changes on the Login Security Banner page.
To enable the Login Security Banner:
Configuring iLO security 67
1. Navigate to the AdministrationSecurityLogin Security Banner page, as shown in Figure 29
(page 68).
Figure 29 Security–Login Security Banner Settings page
2. Select the Enable Login Security Banner check box. iLO uses the following default text for the Login Security Banner:
This is a private system. It is to be used solely by authorized users and may be monitored for all lawful purposes. By accessing this system, you are consenting to such monitoring.
3. Optional: To customize the security message, enter a custom message in the Security Message text box.
The byte counter above the text box indicates the remaining number of bytes allowed for the message. The maximum is 1,500 bytes.
TIP: Click Use Default Message to restore the default text for the Login Security Banner.
68 Configuring iLO
4. Click Apply.
The security message is displayed at the next login, as shown in Figure 30 (page 69).
Figure 30 Security message example

Configuring iLO network settings

Use the tabs on the Network page to view and configure the iLO network settings. You must have the Configure iLO Settings privilege to view and change these settings.

Viewing network settings

To view a summary of the configured network settings, select NetworkiLO Dedicated Network Port or NetworkShared Network Port to navigate to the Network Summary page. See Figure 31
(page 70).
Configuring iLO network settings 69
Figure 31 Network Summary page (iLO Dedicated Network Port)
The iLO Shared Network Port and the iLO Dedicated Network Port cannot operate simultaneously. If you enable the iLO Dedicated Network Port, you will disable the iLO Shared Network Port. If you enable the iLO Shared Network Port, you will disable the iLO Dedicated Network Port.
The Network Summary page for the inactive port displays the message iLO is not configured
to use this NIC.
The summary information follows:
NIC in Use—The name of the selected iLO network interface (iLO Dedicated Network Port or
Shared Network Port).
iLO Host Name—The fully qualified network name assigned to the iLO subsystem. By default,
the iLO host name is ILO followed by the system serial number and the current domain name. This value is used for the iLO network name and must be unique.
MAC Address—The MAC address of the selected iLO network interface.
Link State—The current link speed of the selected iLO network interface. The default value is
Auto-Negotiate.
Duplex Option—The current link duplex selection for the selected iLO network interface. The
default value is Auto-Negotiate.
You can configure the iLO host name and NIC settings on the Network General Settings page. For instructions, see “Configuring general network settings” (page 72).
IPv6 is supported by iLO 3 1.50 and later in the iLO Dedicated Network Port configuration. The IPv6 protocol was introduced by the IETF in response to the ongoing depletion of the IPv4 address pool. In IPv6, addresses are increased to 128 bits in length, to avoid an address shortage problem. iLO supports the simultaneous use of both protocols through a dual-stack implementation. All previously available iLO features are still supported in IPv4.
NOTE: IPv6 is not supported in the Shared Network Port configuration.
70 Configuring iLO
The following features support the use of IPv6:
IPv6 Static Address Assignment
IPv6 SLAAC Address Assignment
IPv6 Static Route Assignment
Integrated Remote Console
OA Single Sign-On
Web Server
SSH Server
SNTP Client
DDNS Client
DHCPv6 Address Assignment
DHCPv6 DNS and NTP Configuration
RIBCL over an IPv6 connection
HP SIM SSO
WinDBG Support
HPQLOCFG and HPLOMIG over an IPv6 connection
Scriptable Virtual Media
CLI/RIBCL key import over an IPv6 connection
IPv6 support for the iLO scripting interfaces requires the following versions of the iLO utilities:
HPQLOCFG 1.0 or later
HP Lights-Out XML Scripting Sample bundle 4.2.0 or later
HPONCFG 4.2.0 or later
LOCFG.PL 4.20 or later
HPLOMIG 4.20 or later
The IPv4 Summary section displays the following information:
DHCPv4 Status—Indicates whether DHCP is enabled for IPv4.
Address—The IPv4 address currently in use. If the value is 0.0.0.0, the IPv4 address is not
configured.
Subnet Mask—The subnet mask of the IPv4 address currently in use. If the value is 0.0.0.0,
no address is configured.
Default Gateway—The default gateway address in use for the IPv4 protocol. If the value is
0.0.0.0, the gateway is not configured.
The IPv6 Summary section displays the following information:
DHCPv6 Status—Indicates whether DHCP is enabled for IPv6. The following values are possible:
Enabled—Stateless and Stateful DHCPv6 are enabled.
Enabled (Stateless)—Only Stateless DHCPv6 is enabled.
Disabled—DHCPv6 is disabled.
IPv6 Stateless Address Auto-Configuration (SLAAC)—Indicates whether SLAAC is enabled for
IPv6. When SLAAC is disabled, the SLAAC link-local address for iLO is still configured because it is required.
Configuring iLO network settings 71
Address list—This table shows the currently configured IPv6 addresses for iLO. It provides the
following information:
Source—Indicates whether the address is a static or SLAAC address.
IPv6—The IPv6 address.
Prefix Length—The address prefix length.
Status—The address status: Active (the address is in use by iLO), Pending (Duplicate
Address Detection is in progress for this address), or Failed (Duplicate Address Detection failed and the address is not in use by iLO).
Default Gateway—The default IPv6 gateway address that is currently in use. For IPv6, iLO
keeps a list of possible default gateway addresses. The addresses in this list originate from router advertisement messages and the IPv6 Static Default Gateway setting.
The Static Default Gateway setting is configured on the IPv6 page. For more information, see
“Configuring IPv6 settings” (page 76).

Configuring general network settings

Use the iLO Dedicated Network Port or Shared Network Port Network General Settings page to configure general network settings. You must have the Configure iLO Settings privilege to make changes on this page.
1. Navigate to the NetworkiLO Dedicated Network Port or NetworkShared Network Port page.
2. Click the General tab, as shown in Figure 32 (page 72).
Figure 32 Network General Settings page (iLO Dedicated Network Port)
72 Configuring iLO
3. Enter the following information in the iLO Hostname Settings section:
iLO Subsystem Name (Host Name)—The DNS name of the iLO subsystem (for example,
ilo instead of ilo.example.com). This name can be used only if DHCP and DNS are configured to connect to the iLO subsystem name instead of the IP address.
iLO subsystem-name limitations follow:
Name service limitations—The subsystem name is used as part of the DNS name.
DNS allows alphanumeric characters and hyphens.
Name service limitations also apply to the Domain Name.
Namespace issues—To avoid these issues:
Do not use the underscore character. Limit subsystem names to 15 characters. Verify that you can ping iLO by IP address and by DNS/WINS name. Verify that NSLOOKUP resolves the iLO network address correctly and that no
namespace conflicts exist.
If you are using both DNS and WINS, verify that they resolve the iLO network
address correctly.
Flush the DNS name if you make any namespace changes.
Domain Name—The iLO domain name. If DHCP is not used, enter a domain name.
4. Enter the following information in the NIC Settings section:
Select the Use iLO Dedicated Network Port or Use Shared Network Port check box to
enable or disable the iLO Dedicated Network Port or Shared Network Port.
Use iLO Dedicated Network Port—Uses a NIC with a jack on the back of the server.
The NIC handles iLO traffic only.
Shared Network Port – LOM—Uses a NIC that is built into the server. The NIC handles
server network traffic and can, if iLO is configured to do so, handle iLO traffic at the same time.
Shared Network Port Enabled Standup NIC—An optional NIC that plugs into a PCI
slot on the server and requires a special cable to connect it to the server motherboard. The NIC handles server network traffic and can, if iLO is configured to do so, handle iLO traffic at the same time.
On systems that have more than one Shared Network Port option, select the check box, and then select a Shared Network Port option.
Select a Link State (iLO Dedicated Network Port only).
The link setting controls the speed and duplex settings of the iLO network transceiver.
NOTE: This setting is not available on blade servers.
The available settings follow:
Auto-Negotiate (default)—Enables iLO to negotiate the highest supported link speed
and duplex settings when connected to the network
100BaseT, Full-duplex—Forces a 100 Mb connection using full duplex
100BaseT, Half-duplex—Forces a 100 Mb connection using half duplex
Configuring iLO network settings 73
10BaseT, Full-duplex—Forces a 10 Mb connection using full duplex
10BaseT, Half-duplex—Forces a 10 Mb connection using half duplex
If the Shared Network Port is enabled, you cannot modify the link state or duplex option. In Shared Network Port configurations, link settings must be managed in the operating system.
Select or clear the Enable VLAN check box to enable or disable VLAN (Shared Network
Port only). When the Shared Network Port is active and VLAN is enabled, the iLO Shared Network
Port becomes part of a VLAN. All network devices with different VLAN tags will appear to be on separate LANs, even if they are physically connected to the same LAN.
If you enabled VLAN, enter a VLAN Tag (Shared Network Port only). All network devices
that you want to communicate with each other must have the same VLAN tag. The VLAN tag can be any number between 1 and 4094.
5. Click Submit to save the changes.
6. If you are finished configuring the iLO network settings on the General, IPv4, IPv6, and SNTP tabs, click Reset to restart iLO.
Wait at least 30 seconds before you attempt to re-establish a connection.

Configuring IPv4 settings

Use the iLO Dedicated Network Port or Shared Network Port IPv4 Settings page to configure IPv4 settings for iLO. You must have the Configure iLO Settings privilege to make changes on this page.
1. Navigate to the NetworkiLO Dedicated Network Port or NetworkShared Network Port page.
2. Click the IPv4 tab, as shown in Figure 33 (page 75).
74 Configuring iLO
Figure 33 IPv4 Settings page (iLO Dedicated Network Port)
3. Configure the following settings:
Enable DHCPv4—Enables iLO to obtain its IP address (and many other settings) from a
DHCP server.
Use DHCPv4 Supplied Gateway—Specifies whether iLO uses the DHCP server-supplied
gateway. If DHCP is not used, enter a gateway address in the Gateway IPv4 Address box.
Use DHCPv4 Supplied Static Routes—Specifies whether iLO uses the DHCP
server-supplied static routes. If not, enter the static route destination, mask, and gateway addresses in the Static Route #1, Static Route #2, and Static Route #3 boxes.
Use DHCPv4 Supplied Domain Name—Specifies whether iLO uses the DHCP
server-supplied domain name. If DHCP is not used, enter a domain name in the Domain Name box on the Network General Settings page. For more information, see “Configuring general network settings” (page 72).
Use DHCPv4 Supplied DNS Servers—Specifies whether iLO uses the DHCP
server-supplied DNS server list. If not, enter the DNS server addresses in the Primary DNS Server, Secondary DNS Server, and Tertiary DNS Server boxes.
Configuring iLO network settings 75
Use DHCPv4 Supplied Time Settings—Specifies whether iLO uses the DHCPv4-supplied
NTP service locations.
Use DHCPv4 Supplied WINS Servers—Specifies whether iLO uses the DHCP
server-supplied WINS server list. If not, enter the WINS server addresses in the Primary WINS Server and Secondary WINS Server boxes.
IPv4 Address—The iLO IP address. If DHCP is used, the iLO IP address is supplied
automatically. If DHCP is not used, enter a static IP address.
Subnet Mask—The subnet mask of the iLO IP network. If DHCP is used, the subnet mask
is supplied automatically. If DHCP is not used, enter a subnet mask for the network.
Gateway IPv4 Address—The iLO gateway IP address. If DHCP is used, the iLO gateway
IP address is supplied automatically. If DHCP is not used, enter the iLO gateway IP address.
Static Route #1, Static Route #2, and Static Route #3—The iLO static route destination,
mask, and gateway addresses. If Use DHCPv4 Supplied Static Routes is used, these values are supplied automatically. If not, enter the static route values.
DNS server information—Enter the following information:
Primary DNS Server—If Use DHCPv4 Supplied DNS Servers is enabled, this value is
supplied automatically. If not, enter the Primary DNS Server address.
Secondary DNS Server—If Use DHCPv4 Supplied DNS Servers is enabled, this value
is supplied automatically. If not, enter the Secondary DNS Server address.
Tertiary DNS Server—If Use DHCPv4 Supplied DNS Servers is enabled, this value is
supplied automatically. If not, enter the Tertiary DNS Server address.
Enable DDNS Server Registration—Select or clear this check box to specify whether
iLO registers its IPv4 address and name with a DNS server.
WINS server information—Enter the following information:
Primary WINS Server—If Use DHCPv4 Supplied WINS Servers is enabled, this value
is supplied automatically. If not, enter the Primary WINS Server address.
Secondary WINS Server—If Use DHCPv4 Supplied WINS Servers is enabled, this
value is supplied automatically. If not, enter the Secondary WINS Server address.
Enable WINS Server Registration—Specifies whether iLO registers its name with a
WINS server.
Ping Gateway on Startup—Causes iLO to send four ICMP echo request packets to the
gateway when iLO initializes. This ensures that the ARP cache entry for iLO is up-to-date on the router responsible for routing packets to and from iLO.
4. Click Submit to save the changes you made on the IPv4 Settings page.
5. If you are finished configuring the iLO network settings on the General, IPv4, IPv6, and SNTP tabs, click Reset to restart iLO.
Wait at least 30 seconds before you attempt to re-establish a connection.

Configuring IPv6 settings

Use the iLO Dedicated Network Port IPv6 Settings page to configure IPv6 settings for iLO. You must have the Configure iLO Settings privilege to make changes on this page.
76 Configuring iLO
When using IPv6, note the following:
IPv6 is not supported in the Shared Network Port configuration.
If you downgrade the iLO firmware from version 1.6x or later to version 1.5x, the IPv6 settings
will be reset to the default values.
To configure the IPv6 settings:
1. Navigate to the NetworkiLO Dedicated Network Port page.
2. Click the IPv6 tab, as shown in Figure 34 (page 77).
Figure 34 IPv6 Settings page (iLO Dedicated Network Port)
3. Configure the following settings:
iLO Client Applications use IPv6 first—When both IPv4 and IPv6 service addresses are
configured for iLO client applications, this option specifies which protocol iLO tries first when accessing a client application. This setting also applies to lists of addresses received from the name resolver when using FQDNs to configure NTP.
Select this check box if you want iLO to use IPv6 first.
Clear this check box if you want iLO to use IPv4 first.
Configuring iLO network settings 77
If communication fails using the first protocol, iLO automatically tries the second protocol.
Enable Stateless Address Auto Configuration (SLAAC)—Select this check box to enable
iLO to create IPv6 addresses for itself from router advertisement messages.
NOTE: iLO will create its own link-local address even when this option is not selected.
Enable DHCPv6 in Stateful Mode (Address)—Select this check box to allow iLO to request
and configure IPv6 addresses provided by a DHCPv6 server.
Use DHCPv6 Rapid Commit—Select this check box to instruct iLO to use the Rapid
Commit messaging mode with the DHCPv6 server. This mode reduces DHCPv6 network traffic, but might cause problems if it is used in networks where more than one DHCPv6 server can respond and provide addresses.
Enable DHCPv6 in Stateless Mode (Other)—Select this check box to enable iLO to request
settings for NTP and DNS service location from the DHCPv6 server.
Use DHCPv6 Supplied DNS Servers—Select this check box to use IPv6 addresses
provided by the DHCPv6 server for DNS server locations. This setting can be enabled in addition to the IPv4 DNS server location options.
Use DHCPv6 Supplied NTP Servers—Select this check box to use IPv6 addresses
provided by the DHCPv6 server for NTP server locations. This setting can be enabled in addition to the IPv4 NTP server location options.
NOTE: When Enable DHCPv6 in Stateful Mode (Address) is selected, Enable DHCPv6
in Stateless Mode (Other) is always selected by default, because it is implicit in the DHCPv6
Stateful messages required between iLO and the DHCPv6 server.
Primary DNS Server, Secondary DNS Server, and Tertiary DNS Server—Enter the IPv6
addresses for the DNS service. When DNS server locations are configured in both IPv4 and IPv6, both sources are used,
with preference given according to the iLO Client Applications use IPv6 first configuration option, primary sources, then secondary, and then tertiary.
Enable DDNS Server Registration—Specify whether iLO registers its IPv6 address and
name with a DNS server.
Static IPv6 Address 1, Static IPv6 Address 2, Static IPv6 Address 3, and Static IPv6 Address
4—Enter up to four static IPv6 addresses and prefix lengths for iLO. Do not enter link-local addresses.
Static Default Gateway—Enter a default IPv6 gateway address for cases in which no
router advertisement messages are present in the network.
Static Route #1, Static Route #2, and Static Route #3—Enter static IPv6 route destination
prefix and gateway address pairs. You must specify the prefix length for the destination. Link-local addresses are not allowed for the destination, but are allowed for the gateway.
4. Click Submit to save the changes you made on the IPv6 Settings page.
5. If you are finished configuring the iLO network settings on the General, IPv4, IPv6, and SNTP tabs, click Reset to restart iLO.
Wait at least 30 seconds before you attempt to re-establish a connection.
78 Configuring iLO

Configuring SNTP settings

SNTP allows iLO to synchronize its clock with an external time source. Configuring SNTP is optional because the iLO date and time can also be synchronized from the following sources:
System ROM (during POST only)
Insight Management Agents (in the OS)
Onboard Administrator (blade servers only)
To use iLO SNTP, you must have at least one NTP server available on your management network. Primary and secondary NTP server addresses can be configured manually or via DHCP servers.
If the primary server address cannot be contacted, the secondary address is used. You must have the Configure iLO Settings privilege to change these settings.
NOTE: IPv6 is not supported in the Shared Network Port configuration.
To configure the SNTP settings:
1. Navigate to the NetworkiLO Dedicated Network Port or NetworkShared Network Port
page.
2. Click the SNTP tab, as shown in Figure 35 (page 79).
Figure 35 SNTP Settings page (iLO Dedicated Network Port)
3. Do one of the following:
Select the Use DHCPv4 Supplied Time Settings check box, the Use DHCPv6 Supplied Time
Settings check box, or both check boxes to use DHCP-provided NTP server addresses.
Note the following configuration prerequisites:
To configure a DHCPv4-provided NTP service configuration, you must first enable
DHCPv4 on the IPv4 tab.
To configure a DHCPv6-provided NTP service configuration, DHCPv6 Stateless Mode
must be enabled on the IPv6 tab.
When you use DHCP servers to provide NTP server addresses, the iLO Client Applications use IPv6 first setting controls the selection of the primary and secondary NTP values. When iLO Client Applications use IPv6 first is selected on the IPv6 tab, a DHCPv6-provided NTP service address (if available) is used for the primary time server and a DHCPv4-provided address (if available) is used for the secondary time server.
To change the protocol-based priority behavior to use DHCPv4 first, clear the iLO Client Applications use IPv6 first check box.
Configuring iLO network settings 79
If a DHCPv6 address is not available for the primary or secondary address, a DHCPv4 address (if available) is used.
Enter NTP server addresses in the Primary Time Server and Secondary Time Server boxes.
You can enter the server addresses by using the server FQDN, IPv4 address, or IPv6 address.
4. If you selected only Use DHCPv6 Supplied Time Settings, or if you entered a primary and secondary time server, select the server time zone from the Time Zone list.
This setting determines how iLO adjusts UTC time to obtain the local time, and how it adjusts for Daylight Savings Time (Summer Time). In order for the entries in the iLO Event Log and IML to display the correct local time, you must specify the time zone in which the server is located.
If you want iLO to use the time the SNTP server provides, without adjustment, configure iLO to use a time zone that does not apply an adjustment to UTC time. In addition, that time zone must not apply a Daylight Savings Time (Summer Time) adjustment. There are several time zones that fit this requirement. One example is the Atlantic/Reykjavik time zone, which is neither east or west of the Prime Meridian, and in which the time does not change in the spring or fall. If you select the Atlantic/Reykjavik time zone, iLO web pages and log entries will display the exact time provided by the SNTP server.
NOTE: Configure the NTP servers to use Coordinated Universal Time (GMT).
5. Configure the NTP time propagation setting by selecting or clearing the Propagate NTP Time to Host check box (ML, DL, and SL servers) or the Propagate NTP or OA Time to Host check
box (BL servers). These settings are enabled by default, and they determine whether the server time is
synchronized with the iLO time during the first POST after AC power is applied, a blade is inserted, or iLO is reset to the default settings.
For BladeSystems only: When Propagate NTP or OA Time to Host is enabled, and NTP is not configured or functional, the server time is synchronized with the OA time.
6. Click Submit to save the changes you made on the SNTP Settings page.
7. If you are finished configuring the iLO network settings on the General, IPv4, IPv6, and SNTP tabs, click Reset to restart iLO.
Wait at least 30 seconds before you attempt to re-establish a connection.
TIP: If you notice that iLO Event Log entries have an incorrect date or time, make sure that the
NTP server addresses and time zone are correct. The iLO Event Log includes entries that indicate success or failure when contacting the NTP server(s).

Configuring and using the iLO Shared Network Port

The iLO Shared Network Port feature enables you to choose between the Shared Network Port LOM, Shared Network Port Enabled Standup NIC, and the iLO Dedicated Network Port for server management. When you enable the iLO Shared Network Port, regular network traffic and iLO network traffic pass through the selected Shared Network Port NIC.
If you install a Shared Network Port Enabled Standup NIC, the Shared Network Port LOM is no longer available to send and receive iLO network traffic. That traffic will go through the iLO Dedicated Network Port or the Shared Network Port Enabled Standup NIC, depending on the iLO configuration.
If you install a Shared Network Port Enabled Standup NIC, you do not need to change the iLO configuration to use that NIC. The first time that the server is plugged in with a correctly installed Shared Network Port Enabled Standup NIC, iLO will detect the NIC and automatically begin using
80 Configuring iLO
it. If you later decide to switch back to the iLO Dedicated Network Port, you can do this using any of the standard iLO interfaces.
On servers that do not have an iLO Dedicated Network Port, the standard hardware configuration provides iLO network connectivity only through the iLO Shared Network Port connection. The iLO firmware automatically defaults to the Shared Network Port.
The iLO Shared Network Port uses the network port labeled NIC 1 on the rear panel of the server when Shared Network Port – LOM is selected, and the network port labeled 1 on the Shared Network Port Enabled Standup NIC adapter if Shared Network Port Enabled Standup NIC is selected. NIC numbering in the operating system can be different from system numbering. The iLO Shared Network Port does not incur an iLO performance penalty. Peak iLO traffic is less than 2 Mb/s (on a NIC capable of 1 GB/s or 10 GB/s speeds), and iLO traffic volume is low unless the Virtual Media or Remote Console feature is in use.
When using the iLO Shared Network Port, observe the following:
The iLO Shared Network Port is supported on all nonblade servers.
You can use the iLO Shared Network Port and the iLO Dedicated Network Port only for iLO
server management.
The iLO Shared Network Port is not an availability feature. Its purpose is to allow managed
network port consolidation.
Due to server auxiliary-power budget limitations, some 1Gb/s copper network adapters used
for iLO Shared Network Port functionality might run at 10/100 speed when the server is powered off. To avoid this issue, HP recommends configuring the switch the iLO Shared Network Port is connected to for autonegotiation.
If you want to configure the iLO switch for a speed of 1Gb/s, be aware that some copper iLO Shared Network Port adapters might lose connectivity when the server is powered off. Connectivity will return when the server is powered back on.
The iLO Shared Network Port and iLO Dedicated Network Port cannot operate simultaneously.
If you enable the iLO Dedicated Network Port, you will disable the iLO Shared Network Port. If you enable the iLO Shared Network Port, you will disable the iLO Dedicated Network Port.
Disabling the iLO Shared Network Port does not completely disable the system NIC—network
traffic still passes through the NIC. When the iLO Shared Network Port is disabled, any traffic going to or originating from iLO will not pass through the iLO Shared Network Port because that port is no longer shared with iLO.
Using the iLO Shared Network Port can create a single failure point. If the port fails or is
unplugged, both the host and iLO become unavailable to the network.

Enabling the iLO Shared Network Port feature

The iLO Shared Network Port feature is disabled by default on servers that are shipped with a Dedicated iLO Management NIC. You can enable it by using the following methods:
iLO RBSU—For more information, see “Enabling the iLO Shared Network Port feature through
iLO RBSU” (page 82).
iLO web interface—For more information, see “Enabling the iLO Shared Network Port feature
through the iLO web interface” (page 82).
XML configuration and control scripts—For more information, see the HP iLO 3 Scripting and
Command Line Guide.
SMASH CLP—For more information, see the HP iLO 3 Scripting and Command Line Guide.
Configuring and using the iLO Shared Network Port 81
Enabling the iLO Shared Network Port feature through iLO RBSU
1. Connect the Shared Network Port LOM or Shared Network Port Enabled Standup NIC port 1 to a LAN.
2. Optional: If you will access the server remotely, start an iLO remote console session. You can use the .NET IRC or Java IRC.
3. Restart or power on the server.
4. Press F8 in the HP ProLiant POST screen.
5. Select NetworkNIC and TCP/IP, and then press Enter.
6. On the Network Configuration menu, press the spacebar to toggle the Network Interface
Adapter setting to Shared Network Port, as shown in Figure 36 (page 82).
NOTE: The Shared Network Port option is available only on supported servers.
Figure 36 iLO RBSU Network Configuration window
7. Press F10 to save the configuration.
8. Select FileExit, and then press Enter.
After iLO resets, the Shared Network Port feature is active. Any network traffic going to or originating from iLO is directed through the Shared Network Port LOM or Shared Network Port Enabled Standup NIC port 1.
Enabling the iLO Shared Network Port feature through the iLO web interface
1. Connect the Shared Network Port LOM or Shared Network Port Enabled Standup NIC port 1 to a LAN.
2. Log in to the iLO web interface.
3. Navigate to the NetworkShared Network Port page.
4. Click the General tab.
5. Depending on your configuration, select the Shared Network Port Enabled Standup NIC or
Use Shared Network Port check box.
NOTE: The Shared Network Port option is available only on supported servers.
6. To use a VLAN, select the Enable VLAN check box. VLAN is only available for the Shared Network Port. When the Shared Network Port is activated
and VLAN is enabled, the iLO Shared Network Port becomes part of a VLAN. All network
82 Configuring iLO
devices with different VLAN tags will appear to be on separate LANs, even if they are physically connected to the same LAN.
7. If you enabled VLAN, enter a VLAN tag (Shared Network Port only). All network devices that
you want to communicate with each other must have the same VLAN tag. The VLAN tag can be any number between 1 and 4,094.
8. Click Apply.
Your changes are applied to the iLO network configuration, your browser connection ends, and iLO restarts. You must wait at least 30 seconds before you attempt to re-establish a connection.
After iLO resets, the Shared Network Port feature is active. Any network traffic going to or originating from iLO is directed through the Shared Network Port LOM or Shared Network Port Enabled Standup NIC port 1.

Re-enabling the iLO Dedicated Network Port

Only the Shared Network Port or the iLO Dedicated Network Port is active for server management. They cannot be enabled at the same time. If you enabled the Shared Network Port, use one of the following methods if you want to re-enable the iLO Dedicated Network Port:
iLO RBSU (on servers that support iLO RBSU)—For more information, see “Enabling the iLO
Dedicated Network Port through iLO RBSU” (page 83).
iLO web interface—For more information, see “Enabling the iLO Dedicated Network Port
through the web interface” (page 83).
XML scripting—For more information, see the HP iLO 3 Scripting and Command Line Guide.
SMASH CLP—For more information, see the HP iLO 3 Scripting and Command Line Guide.
Enabling the iLO Dedicated Network Port through iLO RBSU
1. Connect the iLO Dedicated Network Port to a LAN from which the server is managed.
2. Optional: If you access the server remotely, start an iLO remote console session. You can use the .NET IRC or Java IRC.
3. Restart or power on the server.
4. Press F8 in the HP ProLiant POST screen.
5. Select NetworkNIC and TCP/IP, and then press Enter.
6. On the Network Configuration menu, press the spacebar to toggle the Network Interface Adapter setting to On.
7. Press F10 to save the configuration.
8. Select FileExit, and then press Enter. After iLO resets, the iLO Dedicated Network Port is active.
Enabling the iLO Dedicated Network Port through the web interface
1. Connect the iLO Dedicated Network Port to a LAN from which the server is managed.
2. Log in to the iLO web interface.
3. Navigate to the NetworkiLO Dedicated Network Port page.
4. Click the General tab.
5. Select the Use iLO Dedicated Network Port check box.
6. Select a Link State. For more information, see “Configuring general network settings” (page 72).
Configuring and using the iLO Shared Network Port 83
7. Click Apply.
Your changes are applied to the iLO network configuration, your browser connection ends, and iLO restarts. You must wait at least 30 seconds before you attempt to re-establish a connection.

Configuring iLO Management settings

The AdministrationManagement page allows you to configure the iLO settings for SNMP alerts and Insight Manager integration.
You must have the Configure iLO Settings privilege to change these settings. Depending on your configuration, you might need to install additional software. See “Installing
the Insight Management Agents” (page 84).

Installing the Insight Management Agents

The Insight Management Agents are available from the HP Service Pack for ProLiant and the HP website. For instructions about using the HP Service Pack for ProLiant to install the Insight Management Agents, see the Service Pack for ProLiant documentation.
To download the Insight Management Agents from the HP website:
1. Navigate to the technical support page on the HP website: http://www.hp.com/support.
2. Select a country or region and a language.
The HP Support page opens.
3. Click the Drivers & Downloads link.
In the search box, enter the server model that you are using (for example, DL360p). A list of servers is displayed.
4. Click the link for your server. The HP Support Center page for the server opens.
5. Click the link for the server operating system.
6. Download the software.
7. Follow the installation instructions provided with the downloaded software.

Configuring SNMP alerts

You can enable or disable iLO SNMP alerts, forwarding of Insight Management Agent SNMP alerts, and SNMP Pass-thru.
To configure SNMP alerts:
1. Navigate to the AdministrationManagement page.
2. Click the SNMP Settings tab and scroll to the SNMP Alerts section, as shown in Figure 37).
Figure 37 Editing the SNMP alerts
84 Configuring iLO
3. Enable or disable the following alert types:
iLO SNMP Alerts—Alert conditions that iLO detects independently of the host operating
system can be sent to specified SNMP alert destinations, such as HP SIM.
Forward Insight Manager Agent SNMP Alerts—Alert conditions detected by the host
management agents can be forwarded to SNMP alert destinations through iLO. These alerts are generated by the Insight Management Agents, which are available for each supported operating system. Insight Management Agents must be installed on the host server to receive these alerts.
SNMP Pass-thru—Use SNMP agents running on the host operating system to manage the
server. SNMP requests sent by the client to iLO over the network are passed to the host operating system. The responses are then passed to iLO and returned to the client over the network. Alerts are not affected by this setting.
4. Optional: Click Send Test Alert to generate a test alert and send it to the TCP/IP addresses in the SNMP Alert Destination(s) boxes.
Test alerts include an Insight Management SNMP trap, and are used to verify the network connectivity of iLO in HP SIM. Only users with the Configure iLO Settings privilege can send test alerts.
After the alert is generated, a confirmation dialog box opens. Check the HP SIM console for receipt of the alert.
5. Click Apply to save the configuration.
SNMP traps
You can generate the following SNMP traps with iLO 3:
ALERT_TEST is used to verify that the SNMP configuration, client SNMP console, and network
ALERT_SERVER_POWER occurs when the iLO management processor detects an unexpected
ALERT_SERVER_RESET occurs when the iLO management processor is used to perform a cold
ALERT_SELFTEST_FAILURE is an SNMP alert transmitted when iLO detects an error in any of
ALERT_THRESHOLD_BREACH alert is transmitted when the iLO management processor detects
are operating correctly. You can use the iLO web interface to generate this alert to verify receipt of the alert at the SNMP console. You can also generate this alert using the iLO Option ROM to verify SNMP configuration settings.
transition of the host system power, either from ON to OFF, or OFF to ON. Transitions of the host system power are unexpected when the change takes place because of events unknown to the management processor. This alert is not generated when the system is powered up or down using the iLO web interface, CLI, RIBCL or other management feature. If the server is powered down because of the operating system, physical power button presses, or other methods, the alert is generated and sent.
boot or warm boot of the host system. This alert is also sent when the iLO management processor detects the host system is in reset because of events unknown to the management processor. Certain operating system behavior or actions can cause this type of event to be detected, and the alert transmitted.
the monitored internal components. If an error is detected an SNMP alert is transmitted.
host system power to be above a user configurable power threshold, over a user configurable period of time.

Configuring SNMP alert destinations

iLO 3 supports up to three IP addresses to receive SNMP alerts.
Configuring iLO Management settings 85
1. Navigate to the AdministrationManagement page, as shown in Figure 38 (page 86).
Figure 38 iLO Management – SNMP Settings page
2. Enter the SNMP Alert Destinations in the Configure SNMP Alerts section. You can provide the
IP addresses of up to three remote management systems to receive SNMP alerts from iLO.
NOTE: Typically, you enter the HP SIM server console IP address in this section.
3. Click Apply.

Configuring Insight Management integration

1. Navigate to the AdministrationManagement page.
2. Configure the HP System Management Homepage (HP SMH). This value sets the browser destination of the Insight Agent link on iLO pages. Enter the IP address or DNS name of the host server. The protocol (https://) and port
number (:2381) are added automatically to the IP address or DNS name to allow access from iLO. If the URL is set through another method (for example, HPQLOCFG), click the browser refresh button to display the updated URL.
3. Select the Level of Data Returned. This setting controls the content of an anonymous discovery message received by iLO. The
information returned is used for HP SIM HTTP identification requests. The following options are available:
Enabled (iLO+Server Association Data) (default)—Enables HP SIM to associate the
management processor with the host server, and provides sufficient data to enable integration with HP SIM.
Disabled (No Response to Request)—Prevents iLO from responding to HP SIM requests.
4. Optional: Click View XML Reply to view the response that is returned to HP SIM when it requests iLO management processor identification using the provided address.
5. Click Apply to save the changes.
For more information about the Insight Management Agents, navigate to the InformationInsight Agent page.
86 Configuring iLO

Using the iLO RBSU

Accessing the iLO RBSU

You can access the iLO RBSU from the physical system console, or by using an iLO remote console session.
To access iLO RBSU:
1. Optional: If you access the server remotely, start an iLO remote console session. You can use the .NET IRC or Java IRC.
2. Restart or power on the server.
3. Press F8 in the HP ProLiant POST screen. The iLO RBSU screen appears.
4. Select an option, and then press Enter. You can use iLO RBSU to perform the following tasks:
“Configuring NIC and TCP/IP settings” (page 87)
“Configuring DNS/DHCP settings” (page 88)
“Configuring global settings by using iLO RBSU” (page 89)
“Configuring serial CLI options by using iLO RBSU” (page 90)
“Resetting iLO to the factory default settings by using iLO RBSU” (page 230)
“Managing iLO users by using iLO RBSU” (page 18)

Configuring NIC and TCP/IP settings

You can use the iLO RBSU Network menu to configure basic iLO network options, including NIC and TCP/IP settings.
To configure NIC and TCP/IP settings:
1. Optional: If you access the server remotely, start an iLO remote console session. You can use the .NET IRC or Java IRC.
2. Restart or power on the server.
3. Press F8 in the HP ProLiant POST screen. The iLO RBSU screen appears.
4. Select NetworkNIC and TCP/IP. The Network Configuration screen appears, as shown in Figure 39 (page 88).
Using the iLO RBSU 87
Figure 39 Network Configuration screen
5. View or update the following values, as needed:
MAC Address (read-only)—The MAC address of the selected iLO network interface.
Network Interface Adapter—Specifies the iLO network interface adapter to use. Select
ON or OFF to enable or disable the iLO Dedicated Network Port. Select Shared Network Port to use the Shared Network Port.
The Shared Network Port option is available only on supported servers.
Transceiver Speed Autoselect (iLO Dedicated Network port only)—Enables iLO to negotiate
the highest supported link speed and duplex settings when connected to the network.
IP Address—The iLO IP address. If DHCP is used, the iLO IP address is supplied
automatically. If DHCP is not used, enter a static IP address.
Subnet Mask—The subnet mask of the iLO IP network. If DHCP is used, the subnet mask
is supplied automatically. If DHCP is not used, enter a subnet mask for the network.
Gateway IP Address—The iLO gateway IP address. If DHCP is used, the iLO gateway IP
address is supplied automatically. If DHCP is not used, enter the iLO gateway IP address.
6. Press F10 to save your changes.
7. Select FileExit to exit iLO RBSU.

Configuring DNS/DHCP settings

You can use the iLO RBSU Network menu to configure basic iLO network options, including DNS and DHCP settings.
To configure DNS and DHCP settings:
1. Optional: If you access the server remotely, start an iLO remote console session. You can use the .NET IRC or Java IRC.
2. Restart or power on the server.
3. Press F8 in the HP ProLiant POST screen. The iLO RBSU screen appears.
88 Configuring iLO
4. Select NetworkDNS/DHCP. The Network Autoconfiguration screen appears, as shown in Figure 40 (page 89).
Figure 40 Network Autoconfiguration screen
5. View or update the following values, as needed:
DHCP Enable—Configures iLO to obtain its IP address (and many other settings) from a
DHCP server.
DNS Name—The DNS name of the iLO subsystem (for example, ilo instead of
ilo.example.com).
This name can be used only if DHCP and DNS are configured to connect to the iLO subsystem name instead of the IP address.
6. Press F10 to save your changes.
7. Select FileExit to exit iLO RBSU.

Configuring global settings by using iLO RBSU

1. Optional: If you will access the server remotely, start an iLO remote console session. You can use the .NET IRC or Java IRC.
2. Restart or power on the server.
3. Press F8 during POST to enter iLO RBSU.
4. Select SettingsConfigure, and then press Enter. The Global iLO 3 Settings menu opens, as shown in Figure 41 (page 90).
Using the iLO RBSU 89
Figure 41 Global iLO 3 Settings window
5. For each option that you want to change, select the option, and press the spacebar to toggle the setting to ENABLED or DISABLED. You can change the following settings:
iLO 3 ROM-Based Setup Utility
Require iLO 3 RBSU Login
iLO 3 ROM-Based Setup Utility
Local Users
For more information about the first four options in the list, see Table 2 (page 41). For more information about the last option in the list, see “Configuring authentication and
directory server settings” (page 52).
6. Press F10 to save the settings.
7. Select FileExit to close iLO RBSU.

Configuring serial CLI options by using iLO RBSU

1. Optional: If you access the server remotely, start an iLO remote console session. You can use the .NET IRC or Java IRC.
2. Restart or power on the server.
3. Press F8 in the HP ProLiant POST screen.
4. Select SettingsCLI, and then press Enter.
5. The Configure iLO Command-Line Interface menu opens, as shown in Figure 42 (page 91).
90 Configuring iLO
Figure 42 iLO RBSU Configure iLO Command-Line Interface window
6. For each option that you want to change, select the option, and press the spacebar to toggle
through the available settings. You can change the following settings:
Serial CLI Status
Serial CLI Speed (bits/second)
For more information about these options, see Table 2 (page 41).
7. Press F10 to save the settings.
8. Select FileExit to close iLO RBSU.
Using the iLO RBSU 91

4 Using iLO

The main iLO features for a nonadministrative user are located in the Information, Remote Console, Virtual Media, Power Management, and BL c-Class sections of the navigation pane. This guide provides information about using iLO with the iLO web interface.
TIP: You can also perform many iLO tasks by using XML configuration and control scripts or
SMASH CLP. For information about using these methods, see the HP iLO 3 Scripting and Command Line Guide, HP Scripting Toolkit for Linux User Guide, and HP Scripting Toolkit for Windows User Guide.

Using the iLO web interface

You can use the iLO web interface to access iLO. You can also use a Remote Console, scripting, or the CLP.
For Technical Support information, see the HP iLO 3 User Guide.

Browser support

The iLO web interface requires a browser that supports JavaScript. For a list of supported browsers, see Table 6 (page 92).
Table 6 Supported browsers
If you receive a notice that your browser does not have the required functionality, verify that your browser settings meet the following requirements, or contact your administrator.
The following settings must be enabled:
JavaScript—The iLO web interface uses client-side JavaScript extensively.
Cookies—Cookies must be enabled for certain features to function correctly.
Pop-up windows—Pop-up windows must be enabled for certain features to function correctly.
Verify that pop-up blockers are disabled.

Logging in to iLO

You must access the iLO web interface through HTTPS (HTTP exchanged over an SSL encrypted session).
To log in to iLO:
1. Enter https://<iLO host name or IP address>.
ChromeFirefoxInternet ExploreriLO version
Chrome (latest version)ESR 107, 8, 9iLO 3 1.50
Chrome (latest version)ESR 107, 8, 9iLO 3 1.55
Chrome (latest version)ESR 107, 8, 9iLO 3 1.57
Chrome (latest version)ESR 178, 9, 10iLO 3 1.61
Chrome (latest version)ESR 248, 10iLO 3 1.70
92 Using iLO
The iLO login page opens. If iLO is configured to use the Login Security Banner feature, a security message is displayed
on the login page. For information about configuring the Login Security Banner, see “Configuring the Login
Security Banner” (page 67).
2. Enter an HP iLO user name and password, and then click Log In. Login problems might occur for the following reasons:
You have recently upgraded the iLO firmware. You might need to clear your browser cache
before attempting to log in again.
You are not entering the login information correctly.
Passwords are case sensitive.
User names are not case sensitive. Uppercase and lowercase characters are treated the
same (for example, Administrator is treated as the same user as administrator).
The account you are entering is not a valid iLO account.
The account you are entering has been deleted, disabled, or locked out.
The password for the account must be changed.
You are attempting to sign in from an IP address that is not valid for the specified account.
Contact the administrator if you continue to have problems.
If iLO is configured for Kerberos network authentication, the HP Zero Sign In button is displayed below the Log In button. Clicking the HP Zero Sign In button logs the user in to iLO without requiring the user to enter a user name and password. If the Kerberos login fails, the user can log in by using a user name and password.
A failed Kerberos login might be due to one of the following reasons:
The client does not have a ticket or has an invalid ticket. Press Ctrl+Alt+Del to lock the client
PC and get a new ticket.
The browser is not configured correctly. The browser might display a dialog box requesting
credentials.
The Kerberos realm that the client PC is logged in to does not match the Kerberos realm for
which iLO is configured.
The computer account in Active Directory for iLO does not exist or is disabled.
The user logged in to the client PC is not a member of a universal or global directory group
authorized to access iLO.
The key in the Kerberos keytab stored in iLO does not match the key in Active Directory.
The KDC server address for which iLO is configured is incorrect.
The date and time do not match between the client PC, the KDC server, and iLO. To log in to
Kerberos successfully, ensure that the date and time of the following are set to within 5 minutes of one another:
The iLO server
The client running the web browser
The servers performing the authentication
The DNS server is not working correctly. iLO requires a functioning DNS server for Kerberos
support.

Handling an unknown authority

If the message Website Certified by an Unknown Authority is displayed, take the following action:
Using the iLO web interface 93
1. View the certificate to ensure that you are browsing to the correct management server (not an imposter).
Verify that the Issued To name is your management server. Perform any other steps you
feel necessary to verify the identity of the management server.
If you are not sure that this is the correct management server, do not proceed. You might
be browsing to an imposter and giving your sign-in credentials to that imposter when you sign in. Contact the administrator. Exit the certificate window, and then click No or Cancel to cancel the connection.
2. After verifying the items in Step 1, you have the following options:
Accept the certificate temporarily for this session.
Accept the certificate permanently.
Stop now and import the certificate into your browser from a file provided by your
administrator.

Using the iLO controls

When you log in to the iLO web interface, the controls at the bottom of the browser window are available from any iLO page.
POWER—Use this menu to access the iLO Virtual Power features.
UID—Use this button to turn the UID on and off.
Language—Use this menu to select a language or to navigate to the Access Settings→Language
page, where you can install a language pack and configure other language-related settings.
Health icon—Use this icon to view the overall health status for the server fans, temperature
sensors, and other monitored subsystems. Click the icon to view the status of the monitored components. Select a component to view more information about the component status.

Language pack support

If a language pack is currently installed in iLO, a language menu is available on the login screen for you to select the language for the iLO session. This selection is saved in a browser cookie for future use.

Viewing iLO overview information

The iLO Overview page displays high-level details about the server and iLO subsystem, as well as links to commonly used features.

Viewing system information

To view iLO overview information, navigate to the InformationOverview page, as shown in
Figure 43 (page 95).
94 Using iLO
Figure 43 iLO Overview page
The Information section displays the following information:
Server Name—The server name defined by the host operating system. Click the Server Name
link to navigate to the AdministrationAccess Settings page.
Product Name—The product with which this iLO processor is integrated.
UUID—The universally unique identifier that software (for example, HP SIM) uses to uniquely
identify this host. This value is assigned when the system is manufactured.
UUID (Logical)—The system UUID that is presented to host applications. This value is displayed
only when it has been set by other HP software, such as HP Virtual Connect Manager. This value might affect operating system and application licensing. The UUID (Logical) value is set as part of the logical server profile that is assigned to the system. If the logical server profile is removed, the system UUID value reverts from the UUID (Logical) value to the UUID value. If no UUID (Logical) value is set, this item is not displayed on the iLO Overview page.
Server Serial Number—The server serial number, which is assigned when the system is
manufactured. You can change this value by using the system RBSU during POST.
Serial Number (Logical)—The system serial number that is presented to host applications. This
value is displayed only when it has been set by other HP software, such as HP Virtual Connect Manager. This value might affect operating system and application licensing. The Serial Number (Logical) value is set as part of the logical server profile that is assigned to the system. If the logical server profile is removed, the serial number value reverts from the Serial Number (Logical) value to the Server Serial Number value. If no Serial Number (Logical) value is set, this item is not displayed on the iLO Overview page.
Product ID—This value distinguishes between different systems with similar serial numbers.
The product ID is assigned when the system is manufactured. You can change this value by using the system RBSU during POST.
System ROM—The family and version of the active system ROM.
Backup System ROM—The date of the backup system ROM. The backup system ROM is used
if a system ROM update fails or is rolled back. This value is displayed only if the system supports a backup system ROM. For information about using the backup system ROM, see
“Using iLO diagnostics” (page 112).
Integrated Remote Console—Provides links to start the .NET IRC or Java IRC application for
remote, out-of-band communication with the server console. For information about Remote Console requirements and features, see “Using the Integrated Remote Console” (page 114).
Viewing iLO overview information 95
License Type—The level of licensed iLO functionality.
iLO Firmware Version—The version and date of the installed iLO firmware. Click the iLO
Firmware Version link to navigate to the AdministrationiLO Firmware page. For more information about firmware, see “Updating firmware” (page 25).
IP Address—The network IP address of the iLO subsystem.
Link-Local IPv6 Address—The SLAAC link-local address for iLO, followed by the address prefix
length. Click the Link-Local IPv6 Address link to navigate to the Network Summary page.
iLO Hostname—The fully qualified network name assigned to the iLO subsystem. By default,
the iLO host name is ILO, followed by the system serial number and the current domain name. This value is used for the network name and must be unique. You can change this name on the Network General Settings page for the iLO Dedicated Network Port or Shared Network Port.

Viewing status information

To view general status information, navigate to the InformationOverview page, as shown in
Figure 43 (page 95).
The Status section displays the following information:
System Health—The server health indicator. This value summarizes the condition of the
monitored subsystems, including overall status and redundancy (ability to handle a failure). Click the System Health link to navigate to the System InformationHealth Summary page. For more information about viewing system health information, see “Viewing health summary
information” (page 97).
Server Power—The server power state (ON or OFF).
UID Indicator—The state of the UID. The UID helps you identify and locate a system, especially
in high-density rack environments. The possible states are UID ON, UID OFF, and UID BLINK. You can change the UID state to UID ON or UID OFF by using the UID buttons on the server
chassis or the UID control at the bottom of the browser window.
CAUTION: The UID blinks automatically to indicate that a critical operation is underway on
the host, such as Remote Console access or a firmware update. Do not remove power from a server when the UID is blinking.
When the UID is blinking, the UID Indicator displays the status UID BLINK. When the UID stops blinking, the status reverts to the previous value (UID ON or UID OFF). If a new state is selected while the UID is blinking, that state takes effect when the UID stops blinking.
TPM Status—The current status of the TPM. If the host system or system ROM does not support
TPM, the value Not Supported is displayed.
iLO Date/Time—The internal clock of the iLO subsystem. The iLO clock can be synchronized
automatically with the network.

Viewing the active iLO sessions

To view the active iLO sessions, navigate to the InformationOverview page, as shown in Figure 43
(page 95).
The Active Sessions section displays the following information for all users logged in to iLO:
Login name
IP address
Source (for example, iLO web interface, Remote Console, or SSH)
96 Using iLO

Viewing iLO system information

The iLO System Information page displays the health of the monitored subsystems and devices. The System Information page includes the following embedded health tabs: Summary, Fans,
Temperatures, Power, Processors, Memory, NIC Information, and Drives.

Viewing health summary information

The Health Summary page displays the status of monitored subsystems and devices. Depending on the server type, the information on this page varies.
If the server is powered off, the system health information on this page is current as of the last power off. Health information is updated only when the server is powered on and POST is complete.
To view health summary information, navigate to the InformationSystem Information page, and then click the Summary tab to view the list of monitored subsystems and devices, as shown in
Figure 44 (page 97).
Redundancy information is available for the following items in the list:
Fan Redundancy
Power Supply Redundancy
Summarized status information is available for the following items in the list:
Fans
Power Supplies
Drives
Temperatures
VRMs
Figure 44 System Information – Health Summary page
Table 7 (page 97) lists the displayed health status values.
Table 7 Health status values
DescriptionValue
Redundant
OK
There is a backup component for the device or subsystem.
The device or subsystem is working correctly.
Viewing iLO system information 97
Table 7 Health status values (continued)
DescriptionValue
Not Redundant
Failed Redundant
Failed
Other

Viewing fan information

The iLO firmware, in conjunction with the hardware, controls the operation and speed of the fans. Fans provide essential cooling of components to ensure reliability and continued operation. The fans react to the temperatures monitored throughout the system to provide sufficient cooling with minimal noise.
Fan operation policies might differ from server to server based on fan configuration and cooling demands. Fan control takes into account the internal temperature of the system, increasing the fan speed to provide more cooling, and decreasing the fan speed if cooling is sufficient. In the event of a fan failure, some fan operation policies might increase the speed of the other fans, record the event in the IML, or turn LED indicators on.
Monitoring the fan subsystem includes the sufficient, redundant, and nonredundant fan configurations. If one or more fans fail, the server still provides sufficient cooling to continue operation.
In nonredundant configurations, or redundant configurations where multiple fan failures occur, the system might be incapable of providing sufficient cooling to protect the system from damage and to ensure data integrity. In this case, in addition to the cooling policies, the system might start a graceful shutdown of the operating system and server.
To view fan information, navigate to the InformationSystem Information page, and then click the Fans tab.
The information displayed on this page varies depending on the server type. If the server is powered off, the system health information on this page is current as of the last
power off. Health information is updated only when the server is powered on and POST is complete. The following information is displayed:
There is no backup component for the device or subsystem.
The device or subsystem is in a nonoperational state.
One or more components of the device or subsystem are nonoperational.
Navigate to the System Information page of the component that is reporting this status for more information.
Rack servers—The following information is displayed for each fan in the server chassis:
98 Using iLO
Location
Status
Speed
Figure 45 (page 99) shows the Fan Information page for a rack server.
Figure 45 System Information – Fan Information page for rack servers
Blade servers—ProLiant c-Class server blades use the enclosure fans to provide cooling because
they do not have internal fans. The enclosure fans are called “virtual fans” on this page. The virtual-fan reading represents the cooling amount that a server blade is requesting from the enclosure. The server blade calculates the amount of cooling required by examining various temperature sensors and calculating an appropriate fan speed. The enclosure uses information from all of the installed server and nonserver blades to adjust the fans to provide the appropriate enclosure cooling.
The following information is displayed for virtual fans:
Location
Status
Speed
Figure 46 (page 99) shows the Fan Information page for a blade server.
Figure 46 System Information – Fan Information page for blade servers
Viewing iLO system information 99

Viewing temperature information

The Temperature Information page displays the location, status, temperature, and threshold settings of temperature sensors in the server chassis.
If the server is powered off, the system health information on this page is current as of the last power off. Health information is updated only when the server is powered on and POST is complete.
The temperature is monitored to maintain the sensor location temperature below the caution threshold. If one or more sensors exceed this threshold, iLO implements a recovery policy to prevent damage to server components.
If the temperature exceeds the caution threshold, the fan speed is increased to maximum.
If the temperature exceeds the caution threshold for 60 seconds, a graceful server shutdown
is attempted.
If the temperature exceeds the critical threshold, the server is shut down immediately to prevent
permanent damage.
Monitoring policies differ depending on the server requirements. Policies usually include increasing fan speeds to maximum cooling, logging temperature events in the IML, providing a visual indication of events by using LED indicators, and starting a graceful shutdown of the operating system to avoid data corruption.
Additional policies are implemented after an excessive temperature condition is corrected, including returning the fan speed to normal, recording the event in the IML, turning off the LED indicators, and canceling shutdowns in progress (if applicable).
Viewing temperature sensor data
To view temperature sensor data, navigate to the InformationSystem Information page, and then click the Temperatures tab, as shown in Figure 47 (page 100).
When temperatures are displayed in Celsius, click the Show values in Fahrenheit button to change the display to Fahrenheit. When temperatures are displayed in Fahrenheit, click the Show values
in Celsius button to change the display to Celsius.
Figure 47 Viewing temperature sensor data
100 Using iLO
Loading...