HP Integrated Lights-Out 4 User Manual

HP iLO 4 User Guide

Abstract
This guide provides information about configuring, updating, and operating HP ProLiant Gen8 servers by using the HP iLO 4 firmware. This document is intended for system administrators, HP representatives, and HP Authorized Channel Partners who are involved in configuring and using HP iLO 4 and HP ProLiant Gen8 servers.
This guide discusses HP iLO for HP ProLiant servers and HP ProLiant BladeSystem server blades. For information about iLO for Integrity servers and server blades, see the HP website at http://www.hp.com/go/integrityiLO.
HP Part Number: 684918-006
Published: February 2014
Edition: 1
© Copyright 2012, 2014 Hewlett-Packard Development Company, L.P.
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Acknowledgements
Microsoft®, Windows®, Windows NT®, and Windows Vista® are U.S. registered trademarks of Microsoft Corporation.
Intel is a trademark of Intel Corporation in the U.S. and other countries.
Java is a registered trademark of Oracle and/or its affiliates.

Contents

1 Introduction to iLO
Overview
HP iLO features
iLO web interface
ROM-based configuration utilities
iLO Mobile application
iLO scripting and command line
2 Setting up iLO
Preparing to set up iLO
Connecting iLO to the network
Setting up iLO by using iLO RBSU or the iLO 4 Configuration Utility
Configuring a static IP address by using iLO RBSU
Configuring a static IP address by using the iLO 4 Configuration Utility
Managing iLO users by using iLO RBSU
Adding iLO user accounts by using iLO RBSU
Editing user accounts
Removing user accounts
Managing iLO users by using the iLO 4 Configuration Utility
Adding iLO user accounts by using the iLO 4 Configuration Utility
Editing or removing user accounts
Setting up iLO by using the iLO web interface
Logging in to iLO for the first time
Activating iLO licensed features
Installing the iLO drivers
Microsoft device driver support
Linux device driver support
VMware device driver support
3 Configuring iLO
Updating firmware
Updating firmware by using an online method
Performing an in-band firmware update
Performing an out-of-band firmware update
Updating firmware by using an offline method
Obtaining the iLO firmware image file
Obtaining supported server firmware image files
Updating firmware by using a browser
Using language packs
Installing a language pack
Selecting a language pack
Configuring the default language settings
Configuring the current language settings
Uninstalling a language pack
iLO licensing
Free iLO 60-day evaluation license
Installing an iLO license by using a browser
Administering users
Viewing local users
Viewing directory groups
Adding or editing local users
IPMI/DCMI users
Administering directory groups
Deleting a user or a directory group
Configuring iLO Federation Management
iLO Federation Management network requirements
Configuring the multicast options
Viewing iLO Federation Management group memberships
Managing iLO Federation Management group membership
Removing an iLO system from an iLO Federation Management group
Configuring enclosure support for iLO Federation Management
Configuring iLO access settings
Configuring service settings
Configuring IPMI/DCMI settings
Configuring access options
Logging in to iLO by using an SSH client
Configuring iLO security
General security guidelines
Passwords
iLO RBSU and iLO 4 Configuration Utility security
iLO Security Override Switch administration
TPM support
User accounts and access
User privileges
Login security
Administering SSH keys
About SSH keys
Authorizing a new key by using the iLO web interface
Authorizing a new key by using the CLI
Deleting keys
Authorizing keys from an HP SIM server
Administering SSL certificates
Viewing certificate information
Obtaining and importing a certificate
Configuring directory settings
Configuring authentication and directory server settings
Running directory tests
Viewing directory test results
Using the directory test controls
Using encryption
Viewing encryption enforcement settings
Modifying the AES/DES encryption setting
Connecting to iLO by using AES or 3DES encryption
Enabling FIPS Mode
Disabling FIPS Mode
Configuring iLO for HP SSO
Configuring iLO for HP SSO
Adding trusted certificates
Extracting the HP SIM server certificate
Viewing trusted certificates
Removing trusted certificates
Configuring Remote Console security settings
Configuring Remote Console Computer Lock settings
Configuring the Integrated Remote Console Trust setting (.NET IRC)
Configuring the Login Security Banner
Configuring iLO network settings
Viewing network settings
Configuring general network settings
Configuring IPv4 settings
Configuring IPv6 settings
Configuring SNTP settings
Configuring and using the iLO Shared Network Port
Enabling the iLO Shared Network Port feature
Enabling the iLO Shared Network Port feature through iLO RBSU
Enabling the iLO Shared Network Port feature through the iLO 4 Configuration Utility
Enabling the iLO Shared Network Port feature through the iLO web interface
Re-enabling the iLO Dedicated Network Port
Enabling the iLO Dedicated Network Port through iLO RBSU
Enabling the iLO Dedicated Network Port through the iLO 4 Configuration Utility
Enabling the iLO Dedicated Network Port through the web interface
Configuring iLO Management settings
Installing AMS or the Insight Management Agents
Verifying the AMS installation
Verifying AMS installation: Windows
Verifying AMS installation: SUSE and Red Hat
Verifying AMS installation: VMware
Verifying AMS installation: Ubuntu
Configuring SNMP settings
Configuring SNMPv3 Users
Configuring the SNMPv3 Engine ID
Configuring SNMP alerts
Using the AMS Control Panel to configure SNMP and SNMP alerts (Windows only)
SNMP traps
Configuring Insight Management integration
Configuring AlertMail settings
Enabling AlertMail
Disabling AlertMail
Configuring Remote Syslog settings
Enabling iLO Remote Syslog
Disabling iLO Remote Syslog
Configuring Remote Support
Insight Remote Support Overview
Data collected by Insight Remote Support
Prerequisites
Registering for Insight Remote Support by using the iLO web interface
Registering for Insight Remote Support by using Direct Connect
Editing the web proxy settings
Registering for Insight Remote Support by using Central Connect
Unregistering from Insight Remote Support by using the iLO web interface
Unregistering from Insight Remote Support Direct Connect configurations
Unregistering from Insight Remote Support Central Connect configurations
Working with Insight Remote Support service events
Using maintenance mode
Sending a test service event
Viewing the Service Event Log
Clearing the Service Event Log
Viewing and sending Remote Support data collection information
Sending data collection information
Sending Active Health System reporting information
Configuring iLO by using the ROM-based utilities
Using the iLO RBSU
Accessing the iLO RBSU
Configuring NIC and TCP/IP settings
Configuring DNS/DHCP settings
Configuring global settings by using iLO RBSU
Configuring serial CLI options by using iLO RBSU
Using the UEFI System Utilities iLO 4 Configuration Utility
Accessing the iLO 4 Configuration Utility menu
Configuring Network Options
Configuring Advanced Network Options
Configuring access settings by using the iLO 4 Configuration Utility
Viewing information about iLO by using the iLO 4 Configuration Utility
4 Using iLO
Using the iLO web interface
Browser support
Logging in to iLO
Handling an unknown authority
Using the iLO controls
Starting a remote management tool
Language pack support
Viewing iLO overview information
Viewing system information
Viewing status information
Viewing the active iLO sessions
Viewing iLO system information
Viewing health summary information
Viewing fan information
Viewing temperature information
Viewing the temperature graph
Viewing temperature sensor data
Viewing power information
Viewing processor information
Viewing memory information
Advanced Memory Protection
Memory Summary
Memory Details
Viewing network information
Viewing storage information
Controllers
Drive Enclosures
Logical Drives
Physical Drives
Viewing firmware information
Using the iLO Event Log
Viewing the iLO Event Log
Saving the iLO Event Log
Clearing the iLO Event Log
Using the Integrated Management Log
Viewing the IML
Marking a log entry as repaired
Adding a maintenance note to the IML
Saving the IML
Clearing the IML
Using the HP Active Health System
Downloading the Active Health System log for a date range
Downloading the entire Active Health System log
Extracting the Active Health System log by using curl
Clearing the Active Health System log
Using iLO diagnostics
Resetting iLO through the web interface
Using Location Discovery Services
Using the HP Insight Management Agents
Using iLO Federation Management
Viewing the iLO Federation Management Multi-System Map
Viewing server health and model information
Viewing critical and degraded systems
Using the iLO Federation Management group power feature
Changing the power state for multiple servers
Viewing servers affected by the Virtual Power Button
Configuring iLO Federation Management group power settings
Configuring Automatic Group Power Capping settings
Using the iLO Federation Management firmware update feature
Updating firmware for multiple servers
Viewing affected systems
Using the iLO Federation Management Virtual Media feature
Connecting scripted media for groups
Viewing and ejecting scripted media for groups
Viewing affected systems
Using the Integrated Remote Console
.NET IRC requirements
Microsoft .NET Framework
Microsoft ClickOnce
Java IRC requirements
Recommended client settings
Recommended server settings
Starting the Remote Console
Acquiring the Remote Console
Using the Remote Console power switch
Using iLO Virtual Media from the Remote Console
Using Shared Remote Console (.NET IRC only)
Using Console Capture (.NET IRC only)
Viewing Server Startup and Server Prefailure sequences
Saving Server Startup and Server Prefailure video files
Capturing video files
Viewing saved video files
Creating Remote Console hot keys
Creating a hot key
Resetting hot keys
Using the text-based Remote Console
Using the iLO Virtual Serial Port
Configuring the iLO Virtual Serial Port in the host system RBSU
Configuring the iLO Virtual Serial Port in the UEFI System Utilities
Configuring the iLO Virtual Serial Port for Linux
Configuring the iLO Virtual Serial Port for the Windows EMS Console
Starting an iLO Virtual Serial Port session
Viewing the iLO Virtual Serial Port log
Using the Text-based Remote Console (Textcons)
Customizing the Text-based Remote Console
Using the Text-based Remote Console
Using Linux with the Text-based Remote Console
Using iLO Virtual Media
Virtual Media operating system information.........................................................................218
Operating system USB requirement................................................................................218
Using Virtual Media with Windows 7............................................................................218
Operating system considerations: Virtual Floppy/USB key................................................218
Changing diskettes.................................................................................................219
Operating system considerations: Virtual CD/DVD-ROM..................................................219
Mounting a USB Virtual Media CD/DVD-ROM on Linux systems...................................219
Operating system considerations: Virtual Folder .............................................................220
Using iLO Virtual Media from the iLO web interface.............................................................220
Viewing and modifying the Virtual Media port................................................................220
Viewing and ejecting local media.................................................................................221
Connecting scripted media...........................................................................................221
Viewing and ejecting scripted media.............................................................................221
Using iLO Virtual Media from the Remote Console................................................................222
Using a Virtual Drive...................................................................................................222
Using a physical drive on a client PC........................................................................222
Using an image file................................................................................................222
Using an image file through a URL (IIS/Apache).........................................................222
Using the Create Media Image feature (Java IRC only).....................................................222
Creating an iLO disk image file................................................................................223
Copying data from an image file to a physical disk....................................................223
Using a Virtual Folder (.NET IRC only)............................................................................224
Setting up IIS for scripted Virtual Media..............................................................................224
Configuring IIS............................................................................................................224
Configuring IIS for read/write access.............................................................................225
Inserting Virtual Media with a helper application............................................................226
Sample Virtual Media helper application.......................................................................226
Configuring Virtual Media Boot Order................................................................................227
Changing the server boot mode....................................................................................227
Changing the server boot order....................................................................................228
Changing the one-time boot status................................................................................228
Using the additional options.........................................................................................229
About server power..............................................................................................................229
Powering on the server.....................................................................................................229
Brownout recovery...........................................................................................................230
Graceful shutdown...........................................................................................................230
Power efficiency...............................................................................................................230
Using iLO Power Management...............................................................................................231
Managing the server power..............................................................................................231
Configuring the System Power Restore Settings.....................................................................232
Viewing server power usage..............................................................................................233
Viewing the current power state.........................................................................................234
Viewing the server power history........................................................................................235
Configuring power settings................................................................................................235
Configuring Power Regulator settings.............................................................................236
Configuring power capping settings..............................................................................237
Configuring SNMP alert settings...................................................................................238
Configuring the persistent mouse and keyboard..............................................................238
Using iLO with Onboard Administrator....................................................................................238
Using the Active Onboard Administrator.............................................................................238
Starting the Onboard Administrator GUI.............................................................................239
Toggling the enclosure UID light.........................................................................................239
Enclosure bay IP addressing..............................................................................................240
Dynamic Power Capping for server blades..........................................................................240
iLO virtual fan.................................................................................................................240
iLO option.......................................................................................................................240
IPMI server management.......................................................................................................241
Using iLO with HP Insight Control server deployment ................................................................242
Using HP Enterprise Secure Key Manager with iLO....................................................................242
Configuring key manager servers.......................................................................................243
Adding key manager configuration details..........................................................................243
Testing the ESKM configuration..........................................................................................244
Viewing Enterprise Secure Key Manager events...................................................................245
Viewing remote management tool information..........................................................................245
Starting a remote management tool....................................................................................245
Deleting a remote manager configuration...........................................................................246
Using iLO with HP OneView..............................................................................................246
5 Integrating HP Systems Insight Manager....................................................247
HP SIM features....................................................................................................................247
Establishing SSO with HP SIM................................................................................................247
iLO identification and association...........................................................................................247
Viewing iLO status in HP SIM.............................................................................................247
iLO links in HP SIM..........................................................................................................248
Viewing iLO in HP SIM System(s) lists..................................................................................248
Receiving SNMP alerts in HP SIM...........................................................................................248
HP SIM port matching...........................................................................................................248
Reviewing iLO license information in HP SIM............................................................................249
6 Directory services...................................................................................250
Directory integration benefits..................................................................................................250
Choosing a directory configuration to use with iLO....................................................................250
Kerberos support..................................................................................................................251
Domain controller preparation...........................................................................................251
Realm names..............................................................................................................251
Computer accounts......................................................................................................251
User accounts.............................................................................................................252
Generating a keytab...................................................................................................252
Key version number................................................................................................252
Windows Vista.......................................................................................................253
Universal and global user groups (for authorization)........................................................253
Configuring iLO for Kerberos login.....................................................................................253
Using the iLO web interface..........................................................................................253
Using XML configuration and control scripts....................................................................254
Using the CLI, CLP, or SSH interface..............................................................................254
Time requirement.............................................................................................................254
Configuring single sign-on................................................................................................254
Internet Explorer..........................................................................................................255
Firefox.......................................................................................................................255
Chrome.....................................................................................................................256
Verifying single sign-on (HP Zero Sign In) configuration.........................................................256
Login by name................................................................................................................256
Schema-free directory integration............................................................................................256
Setting up schema-free directory integration.........................................................................257
Active Directory prerequisites........................................................................................257
Introduction to Certificate Services............................................................................257
Installing Certificate Services....................................................................................257
Verifying Certificate Services....................................................................................257
Configuring Automatic Certificate Request.................................................................257
Schema-free setup using the iLO web interface................................................................258
Schema-free setup using scripts.....................................................................................258
Schema-free setup with HP Directories Support for ProLiant Management Processors.............258
Schema-free setup options............................................................................................259
Minimum login flexibility.........................................................................................259
Better login flexibility..............................................................................................259
Maximum login flexibility.........................................................................................259
Schema-free nested groups...........................................................................................259
Setting up HP extended schema directory integration................................................................260
Features supported by HP schema directory integration.........................................................260
Setting up directory services..............................................................................................260
Schema documentation.....................................................................................................261
Directory services support.................................................................................................261
Schema required software.................................................................................................261
Schema Extender........................................................................................................262
Schema Preview window.........................................................................................262
Setup window........................................................................................................263
Results window......................................................................................................263
Management snap-in installer.......................................................................................264
Directory services for Active Directory.................................................................................264
Active Directory installation prerequisites........................................................................264
Installing Active Directory.............................................................................................265
For the schema-free configuration.............................................................................265
For HP extended schema.........................................................................................265
Snap-in installation and initialization for Active Directory..................................................266
Creating and configuring directory objects for use with iLO in Active Directory....................266
Directory services objects.............................................................................................267
Active Directory snap-ins.........................................................................................268
Role Restrictions tab................................................................................................269
Lights Out Management tab.........................................................................................271
Directory services for eDirectory.........................................................................................272
eDirectory installation prerequisites................................................................................272
Snap-in installation and initialization for eDirectory..........................................................272
Example: Creating and configuring directory objects for use with iLO devices in eDirectory...272
Directory services objects for eDirectory.........................................................................276
Role Managed Devices...........................................................................................276
Members tab.........................................................................................................276
Role Restrictions tab.....................................................................................................277
Time restrictions......................................................................................................278
Enforced client IP address or DNS name access.........................................................278
eDirectory Lights-Out Management................................................................................279
User login using directory services..........................................................................................280
Directory-enabled remote management....................................................................................280
Creating roles to follow organizational structure...................................................................281
Using existing groups..................................................................................................281
Using multiple roles.....................................................................................................281
How directory login restrictions are enforced.......................................................................282
Restricting roles...........................................................................................................283
Role time restrictions...............................................................................................283
Role address restrictions..........................................................................................283
User restrictions...........................................................................................................283
User address restrictions..........................................................................................283
User time restrictions...............................................................................................284
Creating multiple restrictions and roles...........................................................................285
Using bulk import tools.....................................................................................................286
HP Directories Support for ProLiant Management Processors utility...............................................286
Compatibility..................................................................................................................286
HP Directories Support for ProLiant Management Processors package.....................................287
Using HP Directories Support for ProLiant Management Processors.........................................287
Finding management processors...................................................................................287
Upgrading firmware on management processors.............................................................289
Selecting a directory access method..............................................................................291
Naming management processors..................................................................................291
Configuring directories when HP extended schema is selected...........................................292
Configuring directories when schema-free integration is selected........................................296
Setting up management processors for directories............................................................296
7 Troubleshooting......................................................................................298
Kernel debugging.................................................................................................................298
Event log entries...................................................................................................................299
Hardware and software link-related issues................................................................................301
Login issues.........................................................................................................................302
Login name and password not accepted.............................................................................302
Directory user premature logout.........................................................................................302
iLO management port not accessible by name.....................................................................303
iLO RBSU unavailable after iLO and server reset...................................................................303
Unable to access the login page........................................................................................303
Secure Connection Failed error when using Firefox browser...................................................303
Unable to return to login page after an iLO flash or reset......................................................304
Unable to access Virtual Media or graphical Remote Console................................................304
Unable to connect to iLO after changing network settings......................................................304
Unable to connect to iLO processor through NIC..................................................................304
Unable to log in to iLO after installing iLO certificate............................................................305
Unable to connect to iLO IP address...................................................................................305
Blocked iLO ports.............................................................................................................305
Troubleshooting alert and trap issues.......................................................................................305
Unable to receive HP SIM alarms (SNMP traps) from iLO.......................................................306
Using the iLO Security Override Switch for emergency access.....................................................306
Troubleshooting license installation..........................................................................................306
Troubleshooting directory issues .............................................................................................306
User contexts do not appear to work..................................................................................307
Directory user does not log out after directory timeout has expired.........................................307
Problems generating keytab by using ktpass.exe..................................................................307
Troubleshooting Remote Console issues...................................................................................307
Java IRC applet displays red X when Firefox is used to run Java IRC on Linux client ..................307
Unable to navigate single cursor of Remote Console to corners of Remote Console window.......307
Remote Console text window not updated correctly..............................................................307
Mouse or keyboard not working in .NET IRC or Java IRC......................................................308
.NET IRC sends characters continuously after switching windows ...........................................308
Java IRC does not display correct floppy and USB-key device.................................................308
Caps Lock out of sync between iLO and Java IRC.................................................................309
Num Lock out of sync between iLO and Shared Remote Console............................................310
Keystrokes repeat unintentionally during Remote Console session............................................310
Session leader does not receive connection request when .NET IRC is in replay mode...............310
Keyboard LED does not work correctly................................................................................310
Inactive .NET IRC.............................................................................................................310
.NET IRC failed to connect to server...................................................................................311
File not present after copy from .NET IRC virtual drives to USB key..........................................311
.NET IRC takes a long time to verify application requirements................................................311
.NET IRC fails to start.......................................................................................................312
.NET IRC cannot be shared...............................................................................................312
.NET IRC launch is blocked by Google Chrome...................................................................313
iLO Virtual Floppy media applet unresponsive......................................................................313
Troubleshooting SSH issues....................................................................................................313
Initial PuTTY input slow.....................................................................................................313
PuTTY client unresponsive..................................................................................................314
SSH text support from text-based Remote Console session......................................................314
Troubleshooting text-based Remote Console issues....................................................................314
Unable to view Linux installer in text-based Remote Console...................................................314
Unable to pass data through SSH terminal..........................................................................314
VSP-driven selection during the serial timeout window sends output to BIOS redirect instead of VSP................................................................................................................................314
Scrolling and text appear irregular during BIOS redirection...................................................314
Troubleshooting Remote Support issues....................................................................................315
SSL Bio Error during Insight RS registration..........................................................................315
HP ProLiant Gen8 server identified in Insight Online as <product name>_<serial number> and in Insight RS as <serial number>............................................................................................315
HP ProLiant Gen8 server OS name and version not listed in Insight RS or Insight Online............315
Connection error during iLO Direct Connect registration
iLO session ends unexpectedly during iLO Direct Connect registration
Troubleshooting iLO Federation Management issues
Query errors occur on iLO Federation Management pages
A timeout error is displayed on the Multi-System Map page
A 502 error is displayed on the Multi-System Map page
A 403 error is displayed on the Multi-System Map page
iLO peers are not displayed
iLO peers are displayed with IPv6 addresses on IPv4 networks
Troubleshooting miscellaneous issues
Cookie sharing between browser instances and iLO
Shared instances
Cookie order
Displaying the current session cookie
Preventing cookie-related issues
Unable to get SNMP information from HP SIM
Unable to upgrade iLO firmware
iLO Firmware update does not finish
iLO network Failed Flash Recovery
Testing SSL
Resetting iLO
Resetting iLO by using the iLO 4 Configuration Utility
Resetting iLO to the factory default settings by using iLO RBSU
Resetting iLO to the factory default settings by using the iLO 4 Configuration Utility
Server name still present after System Erase Utility is executed
Certificate error when navigating to iLO web interface
Resolving a browser certificate error: Internet Explorer
Resolving a browser certificate error: Firefox
Resolving a browser certificate error: Chrome
8 Support and other resources
Information to collect before you contact HP
How to contact HP
Registering for Software Technical Support and Update Service
How to use Software Technical Support and Update Service
HP Support Center
HP authorized resellers
Related information
9 Documentation feedback
A iLO license options
B FlexibleLOM support
C Directory services schema
HP Management Core LDAP OID classes and attributes
Core classes
Core attributes
Core class definitions
hpqTarget
hpqRole
hpqPolicy
Core attribute definitions
hpqPolicyDN
hpqRoleMembership
hpqTargetMembership
hpqRoleIPRestrictionDefault
hpqRoleIPRestrictions
hpqRoleTimeRestriction
Lights-Out Management specific LDAP OID classes and attributes
Lights-Out Management classes
Lights-Out Management attributes
Lights-Out Management class definitions
hpqLOMv100
Lights-Out Management attribute definitions
hpqLOMRightLogin
hpqLOMRightRemoteConsole
hpqLOMRightVirtualMedia
hpqLOMRightServerReset
hpqLOMRightLocalUserAdmin
hpqLOMRightConfigureSettings
Glossary
Index

1 Introduction to iLO

Overview

The HP iLO Management Engine is a set of embedded management features that support the complete life cycle of the server, from initial deployment, to ongoing management, to service alerting and remote support. HP iLO is one feature of the HP iLO Management Engine.
The HP iLO subsystem is a standard component of HP ProLiant servers that simplifies initial server setup, server health monitoring, power and thermal optimization, and remote server administration. The HP iLO subsystem includes an intelligent microprocessor, secure memory, and a dedicated network interface. This design makes HP iLO independent of the host server and its operating system.
HP iLO enables and manages the Active Health System and also features Agentless Management. HP iLO monitors all key internal subsystems. When enabled, SNMP alerts are sent directly by HP iLO, regardless of the host operating system or whether a host operating system is installed. Embedded remote support software is available on HP ProLiant Gen8 servers with iLO 4, regardless of the operating system software and without installing OS agents on the server.

HP iLO features

Using HP iLO, you can do the following:
• Monitor server health. iLO monitors temperatures in the server and sends corrective signals to the fans to maintain proper server cooling. iLO also monitors firmware versions and the status of fans, memory, the network, processors, power supplies, and internal storage.
• Download the Active Health System log. You can send the log file to HP when you have an open support case.
• Manage multiple servers at one time by using the iLO Federation management features.
• Access a high-performance and secure Integrated Remote Console to the server from anywhere in the world if you have a network connection to the server. There are two versions of the Integrated Remote Console:
  ◦ .NET IRC
  ◦ Java IRC
  General references to the Remote Console apply to both the .NET IRC and Java IRC, unless otherwise specified.
• Use the shared .NET IRC to collaborate with up to four server administrators.
• Remotely mount high-performance Virtual Media devices to the server.
• Use Virtual Power and Virtual Media from the GUI, the CLI, or the iLO scripting toolkit for many tasks, including the automation of deployment and provisioning.
• Securely and remotely control the power state of the managed server.
• Monitor the power consumption and server power settings.
• Implement true Agentless Management with SNMP alerts from HP iLO, regardless of the state of the host server.
• Register a ProLiant Gen8 server for HP Insight Remote Support.
• Use local or directory-based user accounts to log in to iLO.
• Configure Kerberos authentication, which adds the HP Zero Sign In button to the login screen.
• Use iLO language packs to switch between English and another supported language.
• Control iLO by using a remote management tool.

iLO web interface

The iLO web interface groups similar tasks for easy navigation and workflow. The interface is organized in a navigational tree view located on the left side of the page. The top-level branches are Information, iLO Federation, Remote Console, Virtual Media, Power Management, Network, Remote Support, and Administration. If you have a ProLiant server blade, the BL c-Class branch is included. When a remote management tool is used with iLO, the <Remote Management Tool Name> page is included.
When using the iLO web interface, note the following:
• Each high-level iLO branch has a submenu that you can display by clicking the + icon to the left of that branch. Each menu topic displays a page title that describes the information or settings available on that page. The page title might not reflect the name that is displayed on the menu option.
• Assistance for all iLO pages is available from the iLO help pages. To access page-specific help, click the ? icon on the upper right side of the page.
• Typical administrator tasks are available from the iLO Federation, Network, Remote Support, Administration, and <Remote Management Tool Name> branches of the iLO web interface. These tasks are described in “Setting up iLO” (page 17) and “Configuring iLO” (page 36).
• Typical user tasks are available from the Information, Remote Console, Virtual Media, Power Management, iLO Federation, and BL c-Class branches of the iLO web interface. These tasks are described in “Using iLO” (page 144).
For more information about iLO functionality and integration, see the following:
• “Integrating HP Systems Insight Manager” (page 247)
• “Directory services” (page 250)
• “Troubleshooting” (page 298)

ROM-based configuration utilities

Depending on your server model, you can use iLO RBSU or the iLO 4 Configuration Utility to configure network parameters, global settings, and user accounts. On servers that support UEFI, such as the HP ProLiant DL580 Gen8 server, use the iLO 4 Configuration Utility in the UEFI System Utilities. On all other servers, use iLO RBSU.
iLO RBSU and the iLO 4 Configuration Utility are designed for the initial iLO setup, and are not intended for continued iLO administration. You can start these utilities when the server is booted, and you can run them remotely with the Remote Console.
To determine whether your server supports iLO RBSU or the iLO 4 Configuration Utility, see your server documentation.
You can configure iLO to require users to log in when they access these utilities, or you can disable the utilities for all users. These settings can be configured in the iLO access options. Disabling iLO RBSU or the iLO 4 Configuration Utility prevents reconfiguration from the host unless the iLO Security Override Switch is set. For more information, see “Configuring access options” (page 57).
To access the ROM-based configuration utilities:
• iLO RBSU—Press F8 during POST to enter iLO RBSU.
• iLO 4 Configuration Utility—Press F9 during POST to enter the UEFI System Utilities, and then select System Configuration→iLO 4 Configuration Utility.
NOTE: On servers that use the system RBSU, the iLO option ROM lists the installed license and the firmware version. This information is not listed in the option ROM on UEFI systems.

iLO Mobile application

The HP iLO Mobile application provides access to the Remote Console of your HP ProLiant server from your mobile device. The mobile application interacts directly with the iLO processor on HP ProLiant servers, providing total control of the server at all times as long as the server is plugged in. For example, you can access the server when it is in a healthy state or when it is powered off with a blank hard drive. As an IT administrator, you can troubleshoot problems and perform software deployments from almost anywhere.
For more information about the iLO Mobile application, see http://www.hp.com/go/ilo/mobileapp.

iLO scripting and command line

You can use the iLO scripting tools to configure multiple iLO systems, to incorporate a standard configuration into the deployment process, and to control servers and subsystems.
The HP iLO Scripting and Command Line Guide describes the syntax and tools available to use iLO 4 through a command line or scripted interface.

2 Setting up iLO

The iLO default settings enable you to use most features without additional configuration. However, the configuration flexibility of iLO enables customization for multiple enterprise environments. This chapter discusses the initial iLO setup steps. For information about additional configuration options, see “Configuring iLO” (page 36).
Complete the initial setup steps:
1. Decide how you want to handle networking and security. For more information, see “Preparing to set up iLO” (page 17).
2. Connect iLO to the network. For more information, see “Connecting iLO to the network” (page 19).
3. If you are not using dynamic IP addressing, configure a static IP address by using iLO RBSU. For more information, see “Setting up iLO by using iLO RBSU or the iLO 4 Configuration Utility” (page 20).
4. If you are using the local accounts feature, set up your user accounts by using iLO RBSU or the iLO web interface. For more information, see “Setting up iLO by using iLO RBSU or the iLO 4 Configuration Utility” (page 20) or “Setting up iLO by using the iLO web interface” (page 32).
5. Install an iLO license. For more information, see “Activating iLO licensed features” (page 32).
6. If required, install the iLO drivers. For more information, see “Installing the iLO drivers” (page 33).

Preparing to set up iLO

Before setting up an iLO management processor, you must decide how to handle networking and security. The following questions can help you configure iLO:
1. How should iLO connect to the network?
   For a graphical representation and explanation of the available connections, see “Connecting iLO to the network” (page 19).
   Typically, iLO is connected to the network through one of the following:
   • A corporate network that both the NIC and the iLO port are connected to. This connection enables access to iLO from anywhere on the network and reduces the amount of networking hardware and infrastructure required to support iLO. However, on a corporate network, traffic can hinder iLO performance.
   • A dedicated management network with the iLO port on a separate network. A separate network improves performance and security because you can physically control which workstations are connected to the network. A separate network also provides redundant access to the server when a hardware failure occurs on the corporate network. In this configuration, iLO cannot be accessed directly from the corporate network.
2. How will iLO acquire an IP address?
   To access iLO after connecting it to the network, the iLO management processor must acquire an IP address and subnet mask by using either a dynamic or static process.
   • A dynamic IP address is set by default. iLO obtains the IP address and subnet mask from DNS or DHCP servers. This method is the simplest.
   • A static IP address is used if DNS or DHCP servers are not available on the network. A static IP address can be configured by using iLO RBSU or the iLO 4 Configuration Utility. For more information, see “Configuring a static IP address by using iLO RBSU” (page 20) and “Configuring a static IP address by using the iLO 4 Configuration Utility” (page 22).
   IMPORTANT: If you plan to use a static IP address, you must have the IP address before starting the iLO setup process.
3. What access security is required, and what user accounts and privileges are needed?
   iLO provides several options to control user access. You must use one of the following methods to prevent unauthorized access to corporate IT assets:
   • Local accounts—Up to 12 user names and passwords can be stored in iLO. This is ideal for small environments such as labs and small-sized or medium-sized businesses.
   • Directory services—Use the corporate directory to manage iLO user access. This is ideal for environments that have a large number of users. If you plan to use directory services, consider enabling at least one local administrator account for alternate access.
   For more information about iLO access security, see “Configuring iLO security” (page 60).
4. How do you want to configure iLO?
   iLO supports various interfaces for configuration and operation. This guide discusses the following interfaces:
   • Use iLO RBSU or the iLO 4 Configuration Utility when the system environment does not use DHCP, DNS, or WINS. For more information, see “Setting up iLO by using iLO RBSU or the iLO 4 Configuration Utility” (page 20).
   • Use the iLO web interface when you can connect to iLO on the network by using a web browser. You can also use this method to reconfigure an iLO management processor. For more information, see “Setting up iLO by using the iLO web interface” (page 32).
   Other configuration options not discussed in this guide follow:
   • HP Intelligent Provisioning—Press F10 during POST to start HP Intelligent Provisioning. For information about the iLO settings you can configure, see the HP Intelligent Provisioning User Guide.
   • HP Scripting Toolkit—This toolkit is a server deployment product for IT experts that provides unattended automated installation for high-volume server deployments. For more information, see the HP Scripting Toolkit for Linux User Guide and the HP Scripting Toolkit for Windows User Guide.
   • Scripting—You can use scripting for advanced setup of multiple iLO management processors. Scripts are XML files written for a scripting language called RIBCL. You can use RIBCL scripts to configure iLO on the network during initial deployment or from an already deployed host.
     The following methods are available:
     ◦ HP Lights-Out Configuration Utility (HPQLOCFG)—The HPQLOCFG.EXE utility replaces the previously used CPQLOCFG.EXE utility. It is a Windows command line utility that sends XML configuration and control scripts over the network to iLO.
     ◦ HP Lights-Out Online Configuration Utility (HPONCFG)—A local online scripted setup utility that runs on the host and passes RIBCL scripts to the local iLO. HPONCFG requires the HP iLO Channel Interface Driver.
     ◦ Custom scripting environments—The iLO scripting samples include a Perl sample that can be used to send RIBCL scripts to iLO over the network.
     ◦ SMASH CLP—A command-line protocol that can be used when a command line is accessible through SSH or the physical serial port.
     For more information about these methods, see the HP iLO 4 Scripting and Command Line Guide.

Connecting iLO to the network

You can connect iLO to the network through a corporate network or a dedicated management network.
• In a corporate network, the server has two network port types (server NICs and one iLO NIC) connected to the corporate network, as shown in Figure 1 (page 20).
  Figure 1 Corporate network diagram
• In a dedicated management network, the iLO port is on a separate network, as shown in Figure 2 (page 20).
  Figure 2 Dedicated management network diagram

Setting up iLO by using iLO RBSU or the iLO 4 Configuration Utility

HP recommends using iLO RBSU or the iLO 4 Configuration Utility to set up iLO for the first time and to configure iLO network parameters for environments that do not use DHCP, DNS, or WINS.
To determine whether your server supports iLO RBSU or the iLO 4 Configuration Utility, see your server documentation.

Configuring a static IP address by using iLO RBSU

This procedure is required only if you are using a static IP address. When you are using dynamic IP addressing, your DHCP server automatically assigns an IP address for iLO.
NOTE: To simplify installation, HP recommends using DNS or DHCP with iLO.
To configure a static IP address:
1. Optional: If you access the server remotely, start an iLO remote console session. You can use the .NET IRC or Java IRC.
2. Restart or power on the server.
3. Press F8 in the HP ProLiant POST screen. The iLO RBSU screen appears.
4. Disable DHCP:
   a. Select Network→DNS/DHCP, and then press Enter.
      The Network Autoconfiguration window opens.
   b. Select DHCP Enable, as shown in Figure 3 (page 21).
      Figure 3 iLO RBSU Network Autoconfiguration window
   c. Press the spacebar to set DHCP Enable to OFF, and then press F10 to save the changes.
5. Enter an IP address and subnet mask:
   a. Select Network→NIC and TCP/IP, and then press Enter.
      The Network Configuration window opens.
   b. Enter the appropriate information in the IP Address, Subnet Mask, and Gateway IP Address fields, as shown in Figure 4 (page 22).
      Figure 4 iLO RBSU Network Configuration window
   c. Press F10 to save the changes.
6. Select File→Exit to exit iLO RBSU.
   The changes take effect when you exit iLO RBSU.

Configuring a static IP address by using the iLO 4 Configuration Utility

This procedure is required only if you are using a static IP address. When you are using dynamic IP addressing, your DHCP server automatically assigns an IP address for iLO.
NOTE: To simplify installation, HP recommends using DNS or DHCP with iLO.
To configure a static IP address:
1. Optional: If you access the server remotely, start an iLO remote console session. You can use the .NET IRC or Java IRC.
2. Restart or power on the server.
3. Press F9 in the HP ProLiant POST screen. The System Configuration screen appears.
4. Use the up or down arrow keys and the Enter key to navigate to the System Configuration→iLO Configuration Utility→Network Options screen.
   The System Configuration screen displays the Network Options, as shown in Figure 5 (page 23).
   Figure 5 iLO 4 Configuration Utility Network Configuration
5. Disable DHCP:
   a. Select DHCP Enable, and then press Enter.
   b. Select OFF, and then press Enter.
6. Enter an IP address, subnet mask, and gateway IP address:
   a. Select IP Address, and then press Enter.
   b. Type the IP address, and then press Enter.
   c. Select Subnet Mask, and then press Enter.
   d. Type the subnet mask address, and then press Enter.
   e. Select Gateway IP Address, and then press Enter.
   f. Type the gateway IP address, and then press Enter.
7. Press F10 to save the changes.
   The iLO 4 Configuration Utility prompts you to confirm that you want to save all pending configuration changes, as shown in Figure 6 (page 24).
   Figure 6 Saving iLO configuration changes
8. Press Enter.
   The iLO 4 Configuration Utility notifies you that iLO must be reset in order for the changes to take effect, as shown in Figure 7 (page 24).
   Figure 7 iLO 4 Configuration Utility iLO reset message
9. Press Enter.
   iLO resets, and the iLO session is automatically ended. You can reconnect in approximately 30 seconds.
10. Resume the normal boot process:
   a. Start the iLO remote console.
      The iLO 4 Configuration Utility is still open from the previous session.
   b. Press ESC several times to navigate to the System Configuration page.
   c. Press ESC to exit the System Utilities and resume the normal boot process.
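Because the static IP address, subnet mask, and gateway must be known before either procedure above is started, the planned values can be checked first. The following Python check is an added example, not part of the HP guide; the server labels, addresses, and the management subnet are constructed sample values, and it handles IPv4 settings only.

```python
import ipaddress


def check_static_plan(plan, mgmt_network=None):
    """Check planned iLO static IPv4 settings before they are typed in.

    plan maps a server label to (ip_address, subnet_mask, gateway_ip) strings,
    the three fields the configuration utilities ask for.
    mgmt_network is the dedicated management subnet in CIDR form, or None when
    iLO shares the corporate network. Returns {label: [finding, ...]}.
    """
    mgmt = ipaddress.ip_network(mgmt_network) if mgmt_network else None
    findings = {label: [] for label in plan}
    owners = {}  # address -> first label that claimed it

    for label, (ip, mask, gateway) in plan.items():
        out = findings[label]
        try:
            iface = ipaddress.ip_interface(f"{ip}/{mask}")
            gw = ipaddress.ip_address(gateway)
        except ValueError as exc:  # bad address or non-contiguous mask
            out.append(f"unparseable value: {exc}")
            continue
        net = iface.network
        # In subnets of /30 or larger, the first and last addresses are reserved.
        if net.prefixlen <= 30 and iface.ip in (net.network_address,
                                                net.broadcast_address):
            out.append(f"{iface.ip} is the network or broadcast address of {net}")
        if gw == iface.ip:
            out.append("gateway is the same as the iLO address")
        elif gw not in net:
            out.append(f"gateway {gw} is not inside {net}")
        # With a dedicated management network, iLO must sit inside that subnet.
        if mgmt is not None and iface.ip not in mgmt:
            out.append(f"{iface.ip} is outside the management network {mgmt}")
        if iface.ip in owners:
            out.append(f"{iface.ip} is already planned for {owners[iface.ip]}")
        else:
            owners[iface.ip] = label
    return findings


# Constructed sample plan (labels and addresses are illustrative only).
SAMPLE_PLAN = {
    "srv-a": ("10.20.0.15", "255.255.255.0", "10.20.0.1"),
    "srv-b": ("10.20.0.255", "255.255.255.0", "10.20.0.1"),
    "srv-c": ("192.168.5.20", "255.255.255.0", "10.20.0.1"),
    "srv-d": ("10.20.0.15", "255.255.255.0", "10.20.0.1"),
    "srv-e": ("10.20.0.16", "255.255.0.255", "10.20.0.1"),
}

if __name__ == "__main__":
    for label, problems in check_static_plan(SAMPLE_PLAN, "10.20.0.0/24").items():
        print(label, problems or "ok")
```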

Managing iLO users by using iLO RBSU

You can use iLO RBSU to perform the following user management tasks:
• “Adding iLO user accounts by using iLO RBSU” (page 25)
• “Editing user accounts” (page 26)
• “Removing user accounts” (page 27)
Adding iLO user accounts by using iLO RBSU
To add local iLO user accounts:
1. Optional: If you access the server remotely, start an iLO remote console session. You can use the .NET IRC or Java IRC.
2. Restart or power on the server.
3. Press F8 in the HP ProLiant POST screen. iLO RBSU starts.
4. Select User→Add, and then press Enter. The Add User screen appears, as shown in Figure 8 (page 25).
   Figure 8 iLO RBSU Add User window
5. Enter the following user account details:
   • User name appears in the user list on the User Administration page. It does not have to be the same as the Login name. The maximum length for a user name is 39 characters. The user name must use printable characters. Assigning descriptive user names can help you to easily identify the owner of each login name.
   • Login name is the name you must use when logging in to iLO. It appears in the user list on the User Administration page, on the iLO Overview page, and in iLO logs. The Login name does not have to be the same as the User name. The maximum length for a login name is 39 characters. The login name must use printable characters.
   • Password and Verify password set and confirm the password that is used for logging in to iLO. The maximum length for a password is 39 characters. Enter the password twice for verification.
6. Select from the following iLO privileges. To enable a privilege, set it to Yes. To disable a privilege, set it to No.
   • Administer User Accounts—Enables a user to add, edit, and delete local iLO user accounts. A user with this privilege can change privileges for all users. If you do not have this privilege, you can view your own settings and change your own password.
   • Remote Console Access—Enables a user to remotely access the host system Remote Console, including video, keyboard, and mouse control.
   • Virtual Power and Reset—Enables a user to power-cycle or reset the host system. These activities interrupt the system availability. A user with this privilege can diagnose the system by using the Generate NMI to System button.
   • Virtual Media—Enables a user to use the Virtual Media feature on the host system.
   • Configure iLO Settings—Enables a user to configure most iLO settings, including security settings, and to remotely update the iLO firmware. This privilege does not enable local user account administration.
     After iLO is configured, revoking this privilege from all users prevents reconfiguration using the web interface, HPQLOCFG, or the CLI. Users who have access to iLO RBSU, the iLO 4 Configuration Utility, or HPONCFG can still reconfigure iLO. Only a user who has the Administer User Accounts privilege can enable or disable this privilege.
7. Press F10 to save the new user account.
8. Repeat step 4 through step 6 until you are done creating user accounts.
9. Select File→Exit to exit iLO RBSU.
Editing user accounts
To edit a local iLO user account:
1. Optional: If you access the server remotely, start an iLO remote console session. You can use the .NET IRC or Java IRC.
2. Restart or power on the server.
3. Press F8 in the HP ProLiant POST screen. The iLO RBSU screen appears.
4. Select User→Edit, and then press Enter. The Edit User screen appears, as shown in Figure 9 (page 27).
   Figure 9 Editing user accounts
5. Select the user name that you want to edit, and then press Enter.
6. Update the user name, login name, password, or user permissions, and then press F10 to save the changes.
7. Select File→Exit to exit iLO RBSU.
Removing user accounts
To remove a local iLO user account:
1. Optional: If you access the server remotely, start an iLO remote console session. You can use the .NET IRC or Java IRC.
2. Restart or power on the server.
3. Press F8 in the HP ProLiant POST screen. The iLO RBSU screen appears.
4. Select User→Remove, and then press Enter. The Remove User screen appears, as shown in Figure 10 (page 28).
   Figure 10 Removing user accounts
5. Select the user that you want to remove, and then press Enter.
   The iLO RBSU prompts you to confirm the request.
6. Press Enter to confirm the request.
7. Select File→Exit to exit iLO RBSU.

Managing iLO users by using the iLO 4 Configuration Utility

You can use the iLO 4 Configuration Utility to perform the following user management tasks:
• “Adding iLO user accounts by using the iLO 4 Configuration Utility” (page 28)
• “Editing or removing user accounts” (page 30)
Adding iLO user accounts by using the iLO 4 Configuration Utility
You can use the iLO 4 Configuration Utility User Management menu to configure local iLO user accounts.
To configure local iLO user accounts:
1. Optional: If you access the server remotely, start an iLO remote console session. You can use the .NET IRC or Java IRC.
2. Restart or power on the server.
3. Press F9 in the HP ProLiant POST screen. The System Utilities screen appears.
4. From the System Utilities screen, select System Configuration→iLO 4 Configuration Utility→User Management.
   The User Management screen appears, as shown in Figure 11 (page 29).
   Figure 11 User Management screen
5. Select Add User, and then press Enter. The User Management→Add User screen appears, as shown in Figure 12 (page 29).
   Figure 12 Configuring user account properties
6. Select from the following iLO privileges. To enable a privilege, set it to YES. To disable a privilege, set it to NO.
   • Administer User Accounts—Enables a user to add, edit, and delete local iLO user accounts. A user with this privilege can change privileges for all users. If you do not have this privilege, you can view your own settings and change your own password.
   • Remote Console Access—Enables a user to remotely access the host system Remote Console, including video, keyboard, and mouse control.
   • Virtual Power and Reset—Enables a user to power-cycle or reset the host system. These activities interrupt the system availability. A user with this privilege can diagnose the system by using the Generate NMI to System button.
   • Virtual Media—Enables a user to use the Virtual Media feature on the host system.
   • Configure iLO Settings—Enables a user to configure most iLO settings, including security settings, and to remotely update the iLO firmware. This privilege does not enable local user account administration.
     After iLO is configured, revoking this privilege from all users prevents reconfiguration using the web interface, HPQLOCFG, or the CLI. Users who have access to iLO RBSU, the iLO 4 Configuration Utility, or HPONCFG can still reconfigure iLO. Only a user who has the Administer User Accounts privilege can enable or disable this privilege.
7. Enter the following user account details:
   • New User Name appears in the user list on the User Administration page. It does not have to be the same as the Login Name. The maximum length for a user name is 39 characters. The user name must use printable characters. Assigning descriptive user names can help you to easily identify the owner of each login name.
   • Login Name is the name you must use when logging in to iLO. It appears in the user list on the User Administration page, on the iLO Overview page, and in iLO logs. The Login Name does not have to be the same as the User Name. The maximum length for a login name is 39 characters. The login name must use printable characters.
   • Password and Password Confirm set and confirm the password that is used for logging in to iLO. The maximum length for a password is 39 characters. Enter the password twice for verification.
8. Create as many user accounts as needed, and then press F10 to save the changes.
9. Press Esc until the main menu is displayed.
10. Select Exit and Resume Boot in the main menu, and then press Enter.
11. When prompted to confirm the request, press Enter to exit the utility and resume the boot process.
Editing or removing user accounts
You can use the iLO 4 Configuration Utility User Management menu to edit or remove local iLO user accounts.
To edit or remove local iLO user accounts:
1. Optional: If you access the server remotely, start an iLO remote console session. You can use the .NET IRC or Java IRC.
2. Restart or power on the server.
3. Press F9 in the HP ProLiant POST screen. The System Utilities screen appears.
4. From the System Utilities screen, select System Configuration→iLO 4 Configuration Utility→User Management.
The User Management screen appears, as shown in Figure 13 (page 31).
Figure 13 User Management screen
5. Select Edit/Remove User, and then press Enter. The User Management→Edit/Remove User screen appears, as shown in Figure 14 (page 31).
Figure 14 Editing or removing user accounts
6. Locate the user name that you want to edit or delete, select the Action menu for that user name, and then press Enter.
7. Select one of the following, and then press Enter.
No Change—Returns you to the main menu.
Delete—Deletes this user.
Edit—Edits the user.
8. Depending on your selection in step 7, do one of the following:
If you selected No Change, no further action is needed.
If you selected Delete, the user name is marked to be deleted when you save the changes on this page.
If you selected Edit, update the login name, password, or user permissions.
9. Update as many user accounts as needed, and then press F10 to save the changes.
10. Press Esc until the main menu is displayed.
11. Select Exit and Resume Boot in the main menu, and then press Enter.
12. When prompted to confirm the request, press Enter to exit the utility and resume the boot process.

Setting up iLO by using the iLO web interface

You can set up iLO using the web interface if you can connect to iLO on the network by using a web browser. You can also use this method to reconfigure an iLO management processor.
Access iLO from a remote network client by using a supported browser and providing the default DNS name, user name, and password. For information about the DNS name and default account credentials, see “Logging in to iLO for the first time” (page 32).
For information about the configuration procedures available in the iLO web interface, see “Configuring iLO” (page 36).

Logging in to iLO for the first time

The iLO firmware is configured with a default user name, password, and DNS name. Default user information is located on the serial number/iLO information pull tab attached to the server that contains the iLO management processor. Use these values to access iLO remotely from a network client by using a web browser.
NOTE: The serial number/iLO information pull tab is double-sided. One side shows the server serial number, and the other side shows the default iLO account information. The same information is printed on a label attached to the chassis.
The default values follow:
User name—Administrator
Password—A random eight-character alphanumeric string
DNS name—ILOXXXXXXXXXXXX, where the Xs represent the serial number of the server
If you enter an incorrect user name and password, or a login attempt fails, iLO imposes a security delay. For more information about login security, see “Login security” (page 64).
IMPORTANT: HP recommends changing the default values after you log in to iLO for the first time. For instructions, see “Administering users” (page 44).

Activating iLO licensed features

To activate iLO licensed features, install an HP iLO license. iLO licenses activate functionality such as graphical Remote Console with multi-user collaboration, video record/playback, and many more advanced features. For licensing information and installation instructions, see “iLO licensing” (page 43).

Installing the iLO drivers

iLO is an independent microprocessor running an embedded operating system. The architecture ensures that the majority of iLO functionality is available, regardless of the host operating system. The iLO drivers enable software such as HPONCFG and the Agentless Management Service to communicate with iLO. Your OS and system configuration determine the driver requirements.
The iLO drivers are available from the HP Service Pack for ProLiant (Windows, Red Hat, and SLES) and the HP website (Windows, Linux, and VMware).
For Windows, Red Hat, and SLES—Download the SPP from http://www.hp.com/go/spp/download and use it to install the iLO drivers.
For information about using the SPP, see the SPP documentation.
For Windows, Red Hat, and SLES—Download the iLO drivers from the HP Support Center:
1. Navigate to the technical support page on the HP website: http://www.hp.com/support.
2. Select a country or region.
The HP Support page opens.
3. Click the Drivers & Downloads link.
4. In the search box, enter the server model that you are using (for example, DL360p).
A list of servers is displayed.
5. Click the link for your server.
The HP Support Center page for the server opens.
6. Click the link for the server operating system.
7. Download the iLO drivers.
For VMware—Download the iLO drivers from the vibsdepot section of the Software Delivery Repository website at http://downloads.linux.hp.com/SDR/index.html.
For Ubuntu—Download the iLO drivers from the mcp section of the Software Delivery Repository at http://downloads.linux.hp.com/SDR/index.html.
Follow the installation instructions provided with the downloaded software. For OS-specific driver information, see the following:
“Microsoft device driver support” (page 34)
“Linux device driver support” (page 34)
“VMware device driver support” (page 35)

Microsoft device driver support

When you are using Windows with iLO, the following drivers are available:
HP ProLiant iLO 3/4 Channel Interface Driver for Windows—This driver is required for the operating system to communicate with iLO. Install this driver in all configurations.
HP ProLiant iLO 3/4 Management Controller Driver Package for Windows—This package includes the following components:
hpqilo3core provides iLO Management Controller Driver support.
hpqilo3service provides the HP ProLiant Health Monitor Service and HP ProLiant System Shutdown Service.
hpqilo3whea is a helper service for Windows Hardware Error Architecture, which passes information between iLO and the operating system in the event of a hardware fault.
IMPORTANT: The Management Controller Driver Package is required to support Automatic Server Recovery and the HP Insight Management Agents or HP Insight Management WBEM Providers (if installed). For more information, see “Configuring iLO Management settings” (page 106).

Linux device driver support

When you are using Linux with iLO, the following drivers are available:
HP ProLiant Channel Interface Device Driver (hpilo)—This driver manages agent and tool application access to iLO.
HP System Health Application and Command Line Utilities (hp-health)—A collection of applications and tools that enables monitoring of fans, power supplies, temperature sensors, and other management events. This RPM contains the hpasmd, hpasmlited, hpasmpld, and hpasmxld daemons.
Loading and removing SLES and Red Hat drivers:
IMPORTANT: These drivers are standard for SLES 11, Red Hat 5, and Red Hat 6.
Use the following commands to load the iLO drivers:
rpm -ivh hpilo-<d.vv.v-pp.Linux_version.arch>.rpm
rpm -ivh hp-health-<d.vv.v-pp.Linux_version.arch>.rpm
Where <d> is the Linux distribution and version, <vv.v-pp> are version numbers, and <arch> is the architecture (i386 or x86_64).
Use the following commands to remove the iLO drivers:
rpm -e hpilo
rpm -e hp-health
Loading and removing Ubuntu drivers:
HP recommends subscribing to the Management Component Pack repository to ensure that your Ubuntu systems have the latest HP software.
IMPORTANT: For open-source Linux distributions (Ubuntu, Debian, Fedora, and others), the hpilo driver is part of the Linux kernel, so the driver is loaded automatically at startup.
Use the following procedure to load the HP System Health Application and Command Line Utilities:
1. Subscribe to the MCP. For instructions, see the following HP website: http://downloads.linux.hp.com/SDR/project/mcp/.
2. Enter the following command to update the repository cache: apt-get update.
3. Enter the following command to install the HP System Health Application and Command Line Utilities: apt-get install hp-health.
Use the following command to remove the HP System Health Application and Command Line Utilities:
apt-get remove hp-health

VMware device driver support

When you are using VMware with iLO, the following driver is available:
HP ProLiant Channel Interface Device Driver (hpilo)—This driver manages agent, WBEM provider, and tool application access to iLO. It is included in the customized HP VMware images. For raw VMware images, the driver must be installed manually.

3 Configuring iLO

Typically, an advanced or administrative user who manages users and configures global and network settings configures iLO. This guide provides information about configuring iLO by using the iLO web interface and iLO RBSU or the iLO 4 Configuration Utility.
TIP: You can perform many iLO configuration tasks by using XML configuration and control scripts or SMASH CLP. For information about using these methods, see the HP iLO 4 Scripting and Command Line Guide, HP Scripting Toolkit for Linux User Guide, and HP Scripting Toolkit for Windows User Guide.

Updating firmware

Firmware updates enhance server and iLO functionality with new features, improvements, and security updates.
Users who have the Configure iLO Settings privilege or host operating system Administrator/root privileges can update firmware. If the iLO Security Override Switch is set, any out-of-band user can update firmware.
You can update the following types of firmware on the Firmware Update page:
iLO
HP ProLiant System ROM
System Programmable Logic Device
SL Chassis Firmware
Power PIC
You can update firmware by using an online or offline method. For more information, see “Updating firmware by using an online method” (page 36) or “Updating firmware by using an offline method” (page 37).

Updating firmware by using an online method

When you use an online method to update the firmware, no server reboot is required. You can update the firmware and reset iLO without affecting the availability of the server host operating system. The online update method can be performed in-band or out-of-band.
Performing an in-band firmware update
When you use this method to update the iLO firmware, the iLO firmware is sent to iLO directly from the server host operating system. The HP ProLiant Channel Interface Driver is required for host-based iLO firmware updates. During a host-based firmware update, the iLO firmware does not verify login credentials or user privileges because the host-based utilities require a root login (Linux and VMware) or Administrator login (Windows).
You can use the following in-band firmware update methods:
iLO Online ROM Flash Component—Use an executable file to update iLO while the server is operating. The executable file contains the installer and the firmware package. You can download an iLO Online ROM Flash Component from the following HP website: http://www.hp.com/support/ilo4.
HPONCFG—Use the HP Lights-Out Online Configuration Utility to configure iLO by using XML scripts. Download the iLO firmware image and the Update_Firmware.xml sample script. Edit the sample script with your setup details, and then run the script.
Sample scripts are available at http://www.hp.com/support/ilo4. For more information about scripting, see the HP iLO 4 Scripting and Command Line Guide.
For instructions about obtaining the iLO firmware image, see “Obtaining the iLO firmware image file” (page 37).
Performing an out-of-band firmware update
When you use this method to update the iLO firmware, you use a network connection to communicate with iLO directly.
You can use the following out-of-band firmware update methods:
iLO web interface—Download the iLO Online ROM Flash Component and install it by using the iLO web interface. For instructions, see “Updating firmware by using a browser” (page 38).
HPQLOCFG—Use the HP Lights-Out Configuration Utility to configure iLO by using XML scripts. Download the iLO firmware image and the Update_Firmware.xml sample script. Edit the sample script with your setup details, and then run the script.
Sample scripts are available at http://www.hp.com/support/ilo4. For more information about scripting, see the HP iLO 4 Scripting and Command Line Guide.
For instructions about obtaining the iLO firmware image, see “Obtaining the iLO firmware image file” (page 37).
HPLOMIG (also called HP Directories Support for Management Processors)—Download the HP Directories Support for Management Processors executable file to access the directory support components. One of the components, HPLOMIG, can be used to discover multiple iLO processors and update their firmware in one step. You do not need to use directory integration to take advantage of this feature. For more information, see “Upgrading firmware on management processors” (page 289).
SMASH CLP—Access SMASH CLP through the SSH port, and use standard commands to view firmware information and update the firmware. For more information about SMASH CLP, see the HP iLO 4 Scripting and Command Line Guide.

Updating firmware by using an offline method

When you use an offline method to update the firmware, you must reboot the server by using an offline utility. Examples of offline firmware updates include the following:
HP Service Pack for ProLiant—Use the HP Service Pack for ProLiant to install the firmware update. For more information, see the following website: http://www.hp.com/go/spp.
Windows or Linux Scripting Toolkit—Use the Scripting Toolkit to configure several settings within the server and update firmware. This method is useful for deploying to multiple servers. For instructions, see the HP Scripting Toolkit for Linux User Guide or HP Scripting Toolkit for Windows User Guide.

Obtaining the iLO firmware image file

The .bin file from the iLO Online ROM Flash Component is required for some of the methods you can use to update the iLO firmware.
To download the iLO Online ROM Flash Component file, and then extract the .bin file:
1. Navigate to the technical support page on the HP website: http://www.hp.com/support.
2. Select a country or region and a language.
The HP Support page opens.
3. Click the Drivers & Downloads link.
4. In the search box, enter the server model that you are using (for example, DL360p). A list of servers is displayed.
5. Click the link for your server. The HP Support Center page for the server opens.
6. Click the link for your server operating system.
7. Follow the onscreen instructions to download the iLO Online ROM Flash Component file.
8. Double-click the downloaded file, and then click the Extract button.
9. Select a location for the extracted files, and then click OK. The firmware image is a file similar to ilo4_<yyy>.bin, where <yyy> represents the firmware version.

Obtaining supported server firmware image files

To obtain the server firmware image files:
1. Navigate to the technical support page on the HP website: http://www.hp.com/support.
2. Select a country or region. The HP Support page opens.
3. Click the Drivers & Downloads link.
4. In the search box, enter the server model that you are using (for example, DL360p). A list of servers is displayed.
5. Click the link for your server. The HP Support Center page for the server opens.
6. Click the link for the server operating system.
7. Follow the onscreen instructions to download the firmware Online ROM Flash Component file.
8. Double-click the downloaded file, and then click the Extract button.
9. Select a location for the extracted files, and then click OK.

Updating firmware by using a browser

You can update firmware from any network client by using a supported browser. For a list of supported browsers, see “Using the iLO web interface” (page 144).
To update the server or iLO firmware:
1. Obtain the firmware image file. For instructions, see “Obtaining the iLO firmware image file” (page 37) or “Obtaining supported server firmware image files” (page 38).
2. Navigate to the Administration→Firmware page. The Firmware Update page opens, as shown in Figure 15 (page 39).
Figure 15 Firmware Update page
3. Click Browse (Internet Explorer or Firefox) or Choose File (Chrome), and then specify the location of the firmware image file in the File box.
4. Click Upload to start the update process. The following message appears:
Updating the iLO firmware will cause the iLO to reboot. This will terminate any connections to the iLO including Remote Console and Virtual Media. Updating other types of firmware will not cause iLO to reboot, but they may require a server reboot. The server will not reboot automatically.
5. Click OK. The iLO firmware receives, validates, and then flashes the firmware image. The firmware update will not start if you navigate away from the Firmware Update page before the file upload is complete.
IMPORTANT: Do not interrupt a firmware update. If a firmware update is interrupted or fails, attempt it again immediately. Do not reset iLO before reattempting the update.
6. Do one of the following:
For an iLO firmware update: To start working with the new firmware, clear your browser cache, and then log in to iLO.
For a server firmware update: Some firmware updates require an iLO reset, a system reset, or both. For more information, see the server documentation.
If an error occurs during a firmware update, see “Unable to upgrade iLO firmware” (page 320). If an iLO firmware update is corrupted or canceled, and iLO is corrupted, see “iLO network Failed Flash Recovery” (page 321).

Using language packs

Language packs enable you to easily switch the iLO web interface from English to a supported language of your choice. Language packs currently provide translations for the iLO web interface, .NET IRC, and Java IRC.
Consider the following when using language packs:
You must have the Configure iLO Settings privilege to install a language pack.
You can install one additional language pack at a time. Uploading a new language pack replaces the currently installed language pack, regardless of the language pack version.
The language pack firmware is independent of the iLO firmware. Setting iLO to the factory default settings does not remove an installed language pack.
The Java IRC and .NET IRC use the language of the current iLO session.
For localization support with the Java IRC on Windows systems, you must select the correct language in the Regional and Language Options Control Panel.
For localization support with the Java IRC on Linux systems, make sure that the fonts for the specified language are installed and available to the JRE.
If an installed language pack does not include the translation for a text string, the text is displayed in English.
When you update the iLO firmware, HP recommends downloading the latest language pack to ensure that the language pack contents match the iLO web interface. iLO 4 firmware version 1.20 or later requires version 1.20 or later of the iLO language pack.
iLO uses the following process to determine the language of your session:
1. If you previously logged in to the iLO web interface on the same computer using the same browser, and you have not cleared the cookies, the language setting of the last session with that iLO processor is used.
2. If there is no cookie, the current browser language is used if it is supported by iLO and the required language pack is installed. The supported languages are English (en), Japanese (ja), and Simplified Chinese (zh).
3. Internet Explorer only: If the browser language is not supported, the OS language is used if the language is supported by iLO, and the required language pack is installed.
4. If there is no cookie, and the browser or OS language is not supported, iLO uses the configured default language. For more information, see “Configuring the default language settings” (page 42).

Installing a language pack

1. Navigate to the iLO software download website: http://www.hp.com/support/ilo4.
2. Download the language pack to your local computer.
3. Navigate to the Administration→Access Settings→Language page, as shown in Figure 16 (page 41).
Figure 16 Access Settings – Language page
4. Click Browse (Internet Explorer or Firefox) or Choose File (Chrome) in the Upload Language Pack section.
5. Select the downloaded language pack, and then click Open. The following message appears:
Only one language pack is supported at a time. If a language pack is already installed, it will be replaced with this upload. iLO will automatically reboot after installing the new language pack. Are you sure you want to install now?
6. Click OK to continue. If you have a previously installed language pack, this language pack will replace it.
7. Click Upload. iLO will automatically reboot after installing a language pack. This will end your browser connection with iLO. It might take several minutes before you can re-establish a connection.

Selecting a language pack

After you have installed a language pack, you can select it in the following ways:
From the login page, as shown in Figure 17 (page 42).
Figure 17 Login page Language menu
From the toolbar located on the bottom right side of the iLO web interface, as shown in Figure 18 (page 42).
Figure 18 Toolbar Language menu
From the Administration→Access Settings→Language page. For instructions, see “Configuring the current language settings” (page 42).

Configuring the default language settings

To set the default language for the users of this instance of the iLO firmware:
1. Navigate to the Administration→Access Settings→Language page, as shown in Figure 16 (page 41).
2. Select a value in the Default Language menu.
The available languages are English and any other language for which a language pack is installed.
3. Click Apply.

Configuring the current language settings

To set the current language of this browser session:
1. Navigate to the Administration→Access Settings→Language page, as shown in Figure 16 (page 41).
2. Select a value in the Current Language menu.
The available languages are English and any other language for which a language pack is installed.
3. Click Apply.

Uninstalling a language pack

1. Navigate to the Administration→Access Settings→Language page, as shown in Figure 16 (page 41).
2. Click the Uninstall button in the Installed Languages section.
The following message appears:
Applying new settings requires an iLO reset. Would you like to apply the new settings and reset iLO now?
3. Click OK to continue. iLO resets and closes your browser connection. It might take several minutes before you can re-establish a connection.

iLO licensing

HP iLO standard features are included in every HP ProLiant server to simplify server setup, engage health monitoring, monitor power and thermal control, and promote remote administration.
HP iLO licenses activate functionality such as graphical Remote Console with multiuser collaboration, video record/playback, and many more advanced features.
Unlocking iLO licensed features has never been easier. Simply choose and install the license that best suits your company's infrastructure.
The following license types are available:
iLO Advanced—Enables the full set of iLO features. iLO Advanced is available for all HP ProLiant Gen8 servers.
iLO Advanced Single Server License
iLO Advanced Electronic License
iLO Advanced Flexible Quantity License
iLO Advanced Volume License
iLO Essentials—Enables the iLO Integrated Remote Console, Virtual Media, and email alerts. HP iLO Essentials is available on all HP ProLiant Gen8 e-series servers.
iLO Scale-Out—Enables the following iLO remote management features: Textcons, Power Management, Virtual Serial Port log, email alerts, and Remote Syslog. HP iLO Scale-Out is available on all HP ProLiant Gen8 SL and BL servers.
For details on purchasing licenses, see the following website: http://www.hp.com/go/ilo/licensing. For a list of the features that are included with each license, see “iLO license options” (page 335).
Consider the following about iLO licenses:
iLO licenses are versionless, meaning, regardless of the version of iLO you have enabled (iLO 2, iLO 3, or iLO 4), an iLO license can be applied. For features that are specific to the version of iLO on your ProLiant server, see “iLO license options” (page 335).
If you purchase an iLO license with any Insight Control software suite, HP provides the Technical Support and Update Service. For more information, see “Support and other resources” (page 331).
If you purchase an iLO license as a one-time activation of licensed features, you must purchase future functional upgrades.
One iLO license is required for each server on which the product is installed and used. Licenses are not transferable. You cannot license an HP ProLiant SL/ML/DL server by using a BladeSystem license.
HP will continue to provide maintenance releases with fixes, as well as iLO standard feature enhancements, at no extra charge.

Free iLO 60-day evaluation license

A free iLO evaluation license is available for download from the following HP website: http://www.hp.com/go/tryinsightcontrol.
When using an evaluation license, note the following:
The evaluation license activates and enables access to iLO licensed features.
The evaluation license key is a 10-seat key, meaning it can be used on 10 different servers.
When the evaluation period has expired, your iLO system will return to the standard functionality.
Only one evaluation license can be installed for each iLO system. The iLO firmware will not accept the reapplication of an evaluation license.
The evaluation license expires 60 days after the installation date. HP will notify you by email when your license is about to expire.

Installing an iLO license by using a browser

You must have the Configure iLO Settings privilege to install a license.
1. Navigate to the Administration→Licensing page in the iLO web interface. The Licensing page opens, as shown in Figure 19 (page 44).
Figure 19 Licensing page
2. Review the license agreement provided with your HP License Pack option kit.
3. Enter the license key in the Activation Key boxes. Press the Tab key or click inside a box to move between boxes. The cursor advances automatically when you enter the license key in the Activation Key boxes.
4. Click Install. The EULA confirmation opens. The EULA details are available in the HP License Pack option kit.
5. Click OK. The license key is now enabled.
For tips on troubleshooting license installation, see “Troubleshooting license installation” (page 306).

Administering users

The iLO firmware enables you to manage user accounts stored locally in the secure iLO memory and directory group accounts. Use MMC or ConsoleOne to manage directory-based user accounts.
iLO supports up to 12 users with customizable access rights, login names, and advanced password encryption. Privileges control individual user settings, and can be customized to meet user access requirements.
To support more than 12 users, you must have an iLO license, which enables integration with an unlimited number of directory-based user accounts. For more information about iLO licensing, see the following website: http://www.hp.com/go/ilo/licensing.
The following privileges are required for user and directory group administration:
Administer User Accounts—Required for adding, modifying, and deleting users. If you do not have this privilege, you can view your own settings and change your password.
Configure iLO Settings—Required for adding, modifying, and deleting directory groups. If you do not have this privilege, you can view directory groups.

Viewing local users

To view local users, navigate to the Administration→User Administration page, as shown in Figure 20 (page 45).
Figure 20 User Administration page
The Local Users table shows the login names, user names, and assigned privileges of each configured user. Table 1 (page 45) lists the account privileges that can be activated for local users.
Table 1 Local user account privileges
Privilege
Remote Console
Virtual Media
Virtual Power and Reset
Configure iLO Settings
Administer User Accounts

Viewing directory groups

To view directory groups, navigate to the Administration→User Administration page, as shown in Figure 20 (page 45).
The Directory Groups table shows the group DN, group SID, and the assigned privileges for the configured groups. Table 2 (page 46) lists the account privileges that can be activated for directory groups.
Table 2 Directory user account privileges
Login
Remote Console
Virtual Media
Virtual Power and Reset
Configure iLO Settings
Administer User Accounts

Adding or editing local users

Users who have the Administer User Accounts privilege can add or edit iLO users. To add or edit a local user:
1. Navigate to the Administration→User Administration page, as shown in Figure 20 (page 45).
2. Do one of the following:
Click New in the Local Users section.
Select a user in the Local Users section, and then click Edit.
The Add/Edit Local User page opens, as shown in Figure 21 (page 47).
Figure 21 Add/Edit Local User page
3. Provide the following details in the User Information section:
User Name appears in the user list on the User Administration page. It does not have to be the same as the Login Name. The maximum length for a user name is 39 characters. The user name must use printable characters. Assigning descriptive user names can help you to easily identify the owner of each login name.
Login Name is the name you use when logging in to iLO. It appears in the user list on the User Administration page, on the iLO Overview page, and in iLO logs. The Login Name does not have to be the same as the User Name. The maximum length for a login name is 39 characters. The login name must use printable characters.
Password and Password Confirm set and confirm the password that is used for logging in to iLO. The minimum length for a password is set on the Access Settings page (Figure 25). The maximum length for a password is 39 characters. Enter the password twice for verification.
4. Select from the following permissions.
TIP: Click the select all check box to select all of the available user permissions.
Administer User Accounts—Enables a user to add, edit, and delete local iLO user accounts.
A user with this privilege can change privileges for all users. If you do not have this privilege, you can view your own settings and change your own password.
Remote Console Access—Enables a user to remotely access the host system Remote Console, including video, keyboard, and mouse control.
Virtual Power and Reset—Enables a user to power-cycle or reset the host system. These activities interrupt the system availability. A user with this privilege can diagnose the system by using the Generate NMI to System button.
Virtual Media—Enables a user to use the Virtual Media feature on the host system.
Configure iLO Settings—Enables a user to configure most iLO settings, including security settings, and to remotely update the iLO firmware. This privilege does not enable local user account administration.
After iLO is configured, revoking this privilege from all users prevents reconfiguration with the web interface, HPQLOCFG, or the CLI. Users who have access to iLO RBSU, the UEFI System Utilities, or HPONCFG can still reconfigure iLO. Only a user who has the Administer User Accounts privilege can enable or disable this privilege.
5. Do one of the following:
Click Add User to add a new user.
Click Update User to edit a user.
IPMI/DCMI users
The iLO firmware follows the IPMI 2.0 specification. When you are adding IPMI/DCMI users, the login name must be a maximum of 16 characters, and the password must be a maximum of 20 characters.
When you select iLO user permissions, the equivalent IPMI/DCMI user privilege is displayed in the IPMI/DCMI Privilege based on above settings box.
User—A user has read-only access. A user cannot configure or write to iLO, or perform system
actions. For IPMI User privileges: Disable all privileges. Any combination of privileges that does not
meet the Operator level is an IPMI User.
Operator—An operator can perform system actions, but cannot configure iLO or manage user
accounts. For IPMI Operator privileges: Enable Remote Console Access, Virtual Power and Reset, and
Virtual Media. Any combination of privileges greater than Operator that does not meet the Administrator level is an IPMI Operator.
Administrator—An administrator has read and write access to all features.
For IPMI Administrator privileges: Enable all privileges.
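The permission-to-IPMI mapping and the account length limits described above can be checked before accounts are created. The following is an added example, not HP code or an iLO API: the function names are hypothetical, and the mapping is a direct reading of the User, Operator, and Administrator rules in this section.

```python
# Added example: hypothetical helper names, not an iLO or HP API.
# The five local-user permissions listed in this section.
PERMISSIONS = frozenset({
    "Administer User Accounts",
    "Remote Console Access",
    "Virtual Power and Reset",
    "Virtual Media",
    "Configure iLO Settings",
})
# The combination the guide names for the IPMI Operator level.
OPERATOR_SET = frozenset({
    "Remote Console Access",
    "Virtual Power and Reset",
    "Virtual Media",
})

ILO_MAX = 39            # iLO limit for user name, login name and password
IPMI_LOGIN_MAX = 16     # IPMI/DCMI login name limit
IPMI_PASSWORD_MAX = 20  # IPMI/DCMI password limit


def ipmi_privilege(granted):
    """Return the IPMI/DCMI privilege level implied by a set of iLO permissions."""
    granted = frozenset(granted)
    unknown = granted - PERMISSIONS
    if unknown:
        raise ValueError("unknown permission(s): " + ", ".join(sorted(unknown)))
    if granted == PERMISSIONS:
        return "Administrator"      # all privileges enabled
    if OPERATOR_SET <= granted:
        return "Operator"           # Operator set or more, but not everything
    return "User"                   # anything that does not meet Operator


def validate_account(user_name, login_name, password,
                     min_password_length=8, ipmi=False):
    """Return a list of problems; an empty list means the account fits the limits.

    min_password_length mirrors the Minimum Password Length access option.
    Set ipmi=True for accounts that must also work over IPMI/DCMI.
    """
    problems = []
    for label, value in (("User Name", user_name), ("Login Name", login_name)):
        if len(value) > ILO_MAX:
            problems.append(f"{label} exceeds {ILO_MAX} characters")
        elif not value.isprintable():
            problems.append(f"{label} must use printable characters")
    if len(password) < min_password_length:
        problems.append(f"password shorter than {min_password_length} characters")
    if len(password) > ILO_MAX:
        problems.append(f"password exceeds {ILO_MAX} characters")
    if ipmi:
        if len(login_name) > IPMI_LOGIN_MAX:
            problems.append(f"IPMI login name exceeds {IPMI_LOGIN_MAX} characters")
        if len(password) > IPMI_PASSWORD_MAX:
            problems.append(f"IPMI password exceeds {IPMI_PASSWORD_MAX} characters")
    return problems


if __name__ == "__main__":
    # Constructed sample: a power-cycling role that also configures iLO.
    role = OPERATOR_SET | {"Configure iLO Settings"}
    print(ipmi_privilege(role))
    print(validate_account("Rack 12 operator", "a" * 17, "p" * 21, ipmi=True))
```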

Administering directory groups

iLO enables you to view iLO groups and modify settings for those groups. You must have the Configure iLO Settings privilege to add or edit directory groups. Use the Add/Edit Directory Group page to add or edit iLO directory groups.
To add or edit a directory group:
1. Navigate to the Administration→User Administration page, as shown in Figure 20 (page 45).
2. Do one of the following:
Click New in the Directory Groups section.
Select a group in the Directory Groups section, and then click Edit.
The Add/Edit Directory Group page opens, as shown in Figure 22 (page 49).
Figure 22 Add/Edit Directory Group page
3. Provide the following details in the Group Information section:
Group DN (Security Group DN)—DN of a group in the directory. Members of this group are granted the privileges set for the group. The specified group must exist in the directory, and users who need access to iLO must be members of this group. Enter a DN from the directory (for example, CN=Group1, OU=Managed Groups, DC=domain, DC=extension).
Shortened DNs are also supported (for example, Group1). The shortened DN is not a unique match. Any group named Group1 is displayed. HP recommends using the fully qualified DN.
Group SID (Security ID)—Microsoft Security ID is used for Kerberos and LDAP group authorization. This is required for Kerberos. The format is S-1-5-2039349.
4. Select from the following permissions when you are adding or editing a group account:
Administer User Accounts—Enables users to add, edit, and delete local iLO user accounts.
Remote Console Access—Enables users to remotely access the host system Remote Console, including video, keyboard, and mouse control.
Virtual Power and Reset—Enables users to power-cycle or reset the host system. These activities interrupt the system availability. Users with this privilege can diagnose the system by using the Generate NMI to System button.
Virtual Media—Enables users to use the Virtual Media feature on the host system.
Configure iLO Settings—Enables users to configure most iLO settings, including security settings, and to remotely update iLO firmware.
After iLO is configured, revoking this privilege from all users prevents reconfiguration with the web interface, HPQLOCFG, or the CLI. Users who have access to iLO RBSU, the UEFI System Utilities, or HPONCFG can still reconfigure iLO. Only a user who has the Administer User Accounts privilege can enable or disable this privilege.
Login Privilege—Enables members of a group to log in to iLO.
5. Do one of the following:
Click Add Group to add a new group.
Click Update Group to edit a group.

Deleting a user or a directory group

The privilege required for this procedure depends on the user account type.
To delete a local account, the Administer User Accounts privilege is required.
To delete a directory group, the Configure iLO Settings privilege is required.
To delete an existing user or group:
1. Navigate to the Administration→User Administration page, as shown in Figure 20 (page 45).
2. Select the check box next to the user or group that you want to delete.
3. Click Delete.
A pop-up window opens with one of the following messages:
Local user: Are you sure you want to delete the selected user(s)?
Warning: Always leave at least one administrator.
Directory group: Are you sure you want to delete the selected group(s)?
4. Click OK.

Configuring iLO Federation Management

When iLO systems are in the same iLO Federation Management group, you can use the iLO web interface on one system to manage all of the iLO systems in the group.
iLO uses multicast discovery, peer-to-peer communication, and iLO Federation Management groups to communicate with other iLO systems.
Each multicast announcement is approximately 300 bytes, and you can configure the time between announcements on the Group Configuration page.
iLO Federation Management groups allow iLO to encrypt and sign messages to other iLOs in the same group.
iLO Federation Management groups can overlap, span racks and data centers, and group servers of the same type.
An iLO system can be in up to 10 iLO Federation Management groups.
iLO systems in multiple locations can be managed together if the network is configured to forward multicast traffic.
If the switches in your network include the option to enable or disable multicast traffic, ensure that multicast traffic is enabled. This is required for iLO Federation Management and other HP products to discover the iLOs on the network.
If you want to use server blades in an enclosure with iLO Federation Management, you must configure Enclosure iLO Federation Support in the Onboard Administrator web interface. OA 4.11 or later is required to configure this setting. For more information, see “Configuring enclosure support for iLO Federation Management” (page 54).
When data is loaded on an iLO Federation Management page in the iLO web interface, a request for data is sent from the iLO system running the web interface to the iLO’s peers, and from those peers to other peers, and so on until all of the data for the selected iLO Federation Management group is retrieved.
Use the iLO web interface on each iLO system to configure group memberships and multicast preferences. The settings on the Group Configuration page apply to the local iLO system only. You must configure these settings separately on each iLO system that will use the iLO Federation Management features.
When you configure group memberships, you must specify the privileges that members of a group will have over the local iLO system. For example, if you add the local iLO system to group1, and assign the Virtual Power and Reset privilege, then the other iLO systems in group1 can use the Group Power features to change the power state of the local iLO system. If the local iLO system does not grant the Virtual Power and Reset privilege to a group, then the other group members cannot use the Group Power features to change the power state of the local iLO system. If the iLO Security Override Switch is set on the local system, the other systems in group1 can use any iLO Federation Management feature to change the state of the local iLO system, regardless of the assigned privileges.
All iLO systems are automatically added to the DEFAULT group, which is granted the Login privilege for each group member. You can edit or delete the DEFAULT group membership.
For information about using iLO Federation Management, see “Using iLO Federation Management” (page 183).
TIP: You can use RIBCL XML scripts to configure group memberships and multicast preferences for a batch of iLO systems. For more information, see the HP iLO 4 Scripting and Command Line Guide.

iLO Federation Management network requirements

When you use iLO Federation Management, note the following network requirements:
If the switches in your network include the option to enable or disable multicast traffic, ensure that multicast traffic is enabled. This is required for iLO Federation Management and other HP products to discover the iLOs on the network.
For iLOs that are separated by Layer 3 switches, configure the switches to forward SSDP multicast traffic between networks.
UDP port 1900 must be configured as a firewall exception to allow iLO Federation Management multicast traffic.

Configuring the multicast options

You must configure the multicast options for each iLO system that will be added to an iLO Federation Management group.
Use the following procedure to configure multicast options for one iLO system at a time.
TIP: You can use RIBCL XML scripts to complete this procedure for a batch of iLO systems. For more information, see the HP iLO 4 Scripting and Command Line Guide.
1. Navigate to the iLO Federation→Group Configuration page, as shown in Figure 23 (page 52).
Figure 23 Group Configuration page
2. Configure the following options in the Multicast Options section:
iLO Federation Management—Select Enabled or Disabled.
The default setting is Enabled. Selecting Disabled will disable the iLO Federation Management features for the local iLO system.
Multicast Discovery—Select Enabled or Disabled.
Selecting Disabled will disable the iLO Federation Management features for the local iLO system.
Multicast Announcement Interval (seconds)—Sets the frequency at which iLO announces itself on the network. Select a value of 30 seconds to 30 minutes. The default value is 10 minutes.
Selecting Disabled will disable the iLO Federation Management features for the local iLO system.
IPv6 Multicast Scope—Select the multicast discovery scope. The following values are supported: Link, Site, and Organization.
IMPORTANT: Do not select the Global value. This value is not supported.
Multicast Time To Live (TTL)—Specifies the number of switches that can be traversed before multicast discovery is stopped. The default value is 5.
3. Click Apply to save the settings.
IMPORTANT: To ensure that multicast discovery works correctly, make sure that all iLO systems in the same group use the same values for Multicast Time to Live (TTL) and IPv6 Multicast Scope.

Viewing iLO Federation Management group memberships

To view the group memberships of a local iLO system, navigate to the iLO Federation→Group Configuration page, as shown in Figure 23 (page 52).
The Group Membership for this iLO table lists the name of each group that includes the local iLO system and the privileges granted to the group by the local iLO system. Table 3 (page 53) lists the available privileges.
Table 3 Group privileges
Login—Enables members of a group to log in to iLO.
Remote Console Access—Enables members of a group to remotely access the host system Remote Console, including video, keyboard, and mouse control.
Virtual Media—Enables members of a group to use scripted Virtual Media with the local iLO system.
Virtual Power and Reset—Enables members of a group to power-cycle or reset the local iLO system.
Configure iLO Settings—Enables members of a group to configure most iLO settings, including security settings, and to remotely update firmware.
Administer User Accounts—Enables members of a group to add, edit, and delete iLO user accounts.

Managing iLO Federation Management group membership

An iLO system can be a member of up to 10 groups, and there is no limit to the number of iLOs that can be in a group.
Use the following procedure to configure iLO Federation Management group membership for one iLO system at a time.
TIP: You can use RIBCL XML scripts to add a batch of iLO systems to a group. For more information, see the HP iLO 4 Scripting and Command Line Guide.
1. Navigate to the iLO Federation→Group Configuration page, as shown in Figure 23 (page 52).
2. Do one of the following:
Click New to create a new group membership.
Select a group membership, and then click Edit.
3. Enter the following information:
Group Name—The group name
Group Key—The group password. The password can be up to 39 characters.
Group Key Confirm—Confirm the group password
4. Select from the following permissions when you are adding or editing a group membership. The permissions granted to the local iLO system control the tasks that you can perform when you use the iLO Federation Management features to manage a group of systems.
Administer User Accounts
Remote Console Access
Virtual Power and Reset
Virtual Media
Configure iLO Settings
Login Privilege
5. Click Add Group or Update Group to save the settings.
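Because multicast options and group memberships are set separately on each iLO system, drift between systems is easy to miss. The following added example (not HP code) audits a collected inventory against the rules in this section; the inventory layout and field names are hypothetical, the sample data is constructed, and flagging a DEFAULT membership that grants more than Login is a review heuristic assumed here rather than HP guidance.

```python
from collections import defaultdict

# Added example: hypothetical inventory format, not an iLO export format.
SUPPORTED_SCOPES = {"Link", "Site", "Organization"}  # Global is not supported
MAX_GROUPS = 10                                      # groups per iLO system
INTERVAL_RANGE_S = (30, 30 * 60)                     # 30 seconds to 30 minutes
SHARED_FIELDS = {                                    # must match within a group
    "ttl": "Multicast Time To Live (TTL)",
    "ipv6_scope": "IPv6 Multicast Scope",
}


def audit_federation(inventory):
    """Return (subject, message) findings for a list of per-iLO settings."""
    findings = []
    members_of = defaultdict(list)
    for ilo in inventory:
        name = ilo["name"]
        interval = ilo["announce_interval_s"]       # None means Disabled
        if not ilo["federation_enabled"] or not ilo["multicast_discovery"] \
                or interval is None:
            findings.append((name, "federation features disabled by multicast options"))
            continue                                 # not an active group member
        low, high = INTERVAL_RANGE_S
        if not low <= interval <= high:
            findings.append((name, "announcement interval outside 30 s to 30 min"))
        scope = ilo["ipv6_scope"]
        if scope not in SUPPORTED_SCOPES:
            findings.append((name, f"unsupported IPv6 multicast scope {scope!r}"))
        groups = ilo["groups"]                       # group name -> privileges
        if len(groups) > MAX_GROUPS:
            findings.append((name, f"member of more than {MAX_GROUPS} groups"))
        extra = set(groups.get("DEFAULT", ())) - {"Login"}
        if extra:
            findings.append((name, "DEFAULT group granted more than Login: "
                             + ", ".join(sorted(extra))))
        for group in groups:
            members_of[group].append(ilo)
    # All members of a group must share the same TTL and IPv6 scope.
    for group, members in sorted(members_of.items()):
        for field, label in SHARED_FIELDS.items():
            values = sorted({str(m[field]) for m in members})
            if len(values) > 1:
                findings.append((group, f"{label} differs across members: "
                                 + ", ".join(values)))
    return findings


def _ilo(name, scope="Site", ttl=5, discovery=True, groups=None):
    """Build one constructed inventory record with otherwise default options."""
    return {"name": name, "federation_enabled": True,
            "multicast_discovery": discovery, "announce_interval_s": 600,
            "ipv6_scope": scope, "ttl": ttl, "groups": groups or {}}


# Constructed sample inventory.
INVENTORY = [
    _ilo("ilo-a", groups={"DEFAULT": {"Login"},
                          "rack1": {"Login", "Virtual Power and Reset"}}),
    _ilo("ilo-b", ttl=3, groups={"DEFAULT": {"Login", "Configure iLO Settings"},
                                 "rack1": {"Login"}}),
    _ilo("ilo-c", scope="Global", groups={"rack1": {"Login"}}),
    _ilo("ilo-d", discovery=False, groups={"rack1": {"Login"}}),
]

if __name__ == "__main__":
    for subject, message in audit_federation(INVENTORY):
        print(f"{subject}: {message}")
```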

Removing an iLO system from an iLO Federation Management group

Use the following procedure to remove an iLO system from an iLO Federation Management group.
TIP: You can use RIBCL XML scripts to remove a batch of iLO systems from a group. For more information, see the HP iLO 4 Scripting and Command Line Guide.
1. Navigate to the iLO Federation→Group Configuration page, as shown in Figure 23 (page 52).
2. Select the check box next to the group membership that you want to delete.
3. Click Delete.
The following message appears:
Are you sure you want to delete the selected group(s)?
4. Click OK.

Configuring enclosure support for iLO Federation Management

If you want to use server blades in an enclosure with iLO Federation Management, you must configure Enclosure iLO Federation Support on the Enclosure Settings→Network Access→Protocols page in the Onboard Administrator web interface. This step is required to allow peer-to-peer communication between the server blades in an enclosure. Onboard Administrator 4.11 or later is required to use this feature.
For more information, see the Onboard Administrator documentation.
To verify that a server blade is configured to be used with iLO Federation, navigate to the Device Bays→<Device Name>→iLO page, and verify that the iLO Federation Capable setting shows the value Yes, as shown in Figure 24 (page 55).
Figure 24 iLO Federation Capable setting

Configuring iLO access settings

You can modify iLO access settings, including service, IPMI/DCMI, and access options. The values that you enter on the Access Settings page apply to all iLO users. You must have the Configure iLO Settings privilege to modify access settings.
The default configuration is suitable for most operating environments. The values that you can modify on the Access Settings page allow complete customization of the iLO external access methods for specialized environments.

Configuring service settings

The Service section on the Access Settings page shows the Secure Shell (SSH) Access and SNMP Access settings and the TCP/IP port values.
The TCP/IP ports used by iLO are configurable, which enables compliance with any site requirements or security initiatives for port settings. These settings do not affect the host system.
Changing these settings usually requires configuration of the web browser used for standard and SSL communication. When these settings are changed, iLO initiates a reset to activate the changes.
To configure Service settings:
1. Navigate to the Administration→Access Settings page, as shown in Figure 25 (page 56).
Figure 25 Access Settings page
2. Update the following settings as needed:
Table 4 Service settings
Service setting: Default value
Secure Shell (SSH) Access: Enables you to specify whether the SSH feature on iLO is enabled or disabled. SSH provides encrypted access to the iLO CLP. The default is Enabled.
Secure Shell (SSH) Port: 22
Remote Console Port: 17990
Web Server Non-SSL Port (HTTP): 80
Web Server SSL Port (HTTPS): 443
Virtual Media Port: 17988
SNMP Access: Specifies whether iLO should respond to external SNMP requests. The default setting is Enabled. If you set SNMP Access to Disabled, the iLO Management Engine continues to operate, and the information displayed in the iLO web interface is updated, but no alerts are generated and SNMP access is not permitted. When SNMP Access is set to Disabled, most of the boxes on the Administration→Management→SNMP Settings page are unavailable and will not accept input.
SNMP Port: The industry-standard (default) SNMP port is 161 for SNMP access. If you customize the SNMP Port value, some SNMP clients might not work correctly with iLO unless those clients support the use of a nonstandard SNMP port.
SNMP Trap Port: The industry-standard (default) SNMP trap port is 162 for SNMP alerts (or traps). If you customize the SNMP Trap Port value, some SNMP monitoring applications (such as HP SIM) might not work correctly with iLO unless those applications support the use of a nonstandard SNMP trap port.
3. Click Apply to end your browser connection and restart iLO. It might take several minutes before you can re-establish a connection.

Configuring IPMI/DCMI settings

iLO enables you to send industry-standard IPMI and DCMI commands over the LAN. The IPMI/DCMI port is set to 623 and is not configurable.
To enable or disable IPMI/DCMI, select or clear the Enable IPMI/DCMI over LAN on Port 623 check box, and then click Apply.
Enabled (default)—Enables you to send IPMI/DCMI commands over the LAN by using a client-side application.
Disabled—Disables IPMI/DCMI over the LAN. Server-side IPMI/DCMI applications are still functional when IPMI/DCMI over LAN is disabled.

Configuring access options

The Access Options section enables you to modify settings that affect all iLO users.
NOTE: You can configure some of these settings by using iLO RBSU or the iLO Configuration Utility. For instructions, see “Using the iLO RBSU” (page 132) and “Using the UEFI System Utilities iLO 4 Configuration Utility” (page 136).
To view or modify iLO access options:
1. Navigate to the Administration→Access Settings page.
2. Click the Access Settings tab and scroll to the Access Options section of the Access Settings page, as shown in Figure 26 (page 57).
Figure 26 Access Options
3. Update the following settings as needed:
Table 5 Access options
Option: Idle Connection Timeout (minutes)
Default value: 30
Description: This setting specifies how long a user can be inactive, in minutes, before the iLO web interface and Remote Console session end automatically. The following settings are valid: 15, 30, 60, or 120 minutes, or Infinite. Inactive users are not logged out when this option is set to Infinite.
Failure to log out of iLO by either browsing to a different site or closing the browser also results in an idle connection. The iLO firmware supports a finite number of iLO connections. Misuse of the Infinite timeout option might make iLO inaccessible to other users. Idle connections are recycled after they time out.
This setting applies to local and directory users. Directory server timeouts might preempt the iLO setting.
Changes to the setting might not take effect immediately in current user sessions, but will be enforced immediately in all new sessions.
Option: iLO Functionality
Default value: Enabled
Description: The iLO network and communications with operating system drivers are terminated when iLO functionality is disabled.
If iLO functionality is disabled (including the iLO Diagnostic Port), you must use the server Security Override Switch to enable iLO. See the server documentation to locate the Security Override Switch, and then set it to Override. Power up the server, and then use the iLO RBSU or the iLO 4 Configuration Utility (in the UEFI System Utilities) to set iLO Functionality to Enabled.
NOTE: The iLO functionality cannot be disabled on blade servers.
Option: iLO ROM-Based Setup Utility or iLO 4 Configuration Utility
Default value: Enabled
Description: The name of this setting depends on whether your system supports the iLO RBSU or the HP UEFI System Utilities.
This setting enables or disables iLO RBSU or the iLO 4 Configuration Utility (in the UEFI System Utilities).
On servers that support iLO RBSU, the iLO Option ROM prompts you to press F8 to start iLO RBSU. If this option is set to Disabled, the prompt is not displayed.
On servers that support the HP UEFI System Utilities, if this option is set to Disabled, the iLO 4 Configuration Utility menu item is not available when you access the UEFI System Utilities.
Option: Require Login for iLO RBSU or Require Login for iLO 4 Configuration Utility
Default value: Disabled
Description: The name of this setting depends on whether your system supports the iLO RBSU or the HP UEFI System Utilities.
This setting determines whether a user-credential prompt is displayed when a user accesses iLO RBSU or the iLO 4 Configuration Utility (in the UEFI System Utilities). If this setting is Enabled, a login dialog box opens when you access the iLO RBSU or the iLO 4 Configuration Utility.
Option: Show iLO IP during POST
Default value: Enabled
Description: This setting enables the display of the iLO network IP address during host server POST.
Option: Serial Command Line Interface Status
Default value: Enabled-Authentication Required
Description: This setting enables you to change the login model of the CLI feature through the serial port. The following settings are valid:
Enabled-Authentication Required—Enables access to the iLO CLP from a terminal connected to the host serial port. Valid iLO user credentials are required.
Enabled-No Authentication—Enables access to the iLO CLP from a terminal connected to the host serial port. iLO user credentials are not required.
Disabled—Disables access to the iLO CLP from the host serial port. Use this option if you are planning to use physical serial devices.
Option: Serial Command Line Interface Speed
Default value: 9600
Description: This setting enables you to change the speed of the serial port for the CLI feature. The following speeds (in bits per second) are valid: 9600, 19200, 38400, 57600, and 115200. The serial port configuration must be set to no parity, 8 data bits, and 1 stop bit (N/8/1) for correct operation. The serial port speed set by this option should match the speed of the serial port configured in the iLO RBSU or the iLO 4 Configuration Utility (in the UEFI System Utilities).
NOTE: The 38400 speed is not currently supported by the iLO RBSU or the iLO 4 Configuration Utility.
Option: Virtual Serial Port Log
Default value: Disabled
Description: This setting enables or disables logging of the Virtual Serial Port. When enabled, Virtual Serial Port activity is logged to a 150-page circular buffer in the iLO memory, and can be viewed using the CLI command vsp log. The Virtual Serial Port buffer size is 128 KB.
This feature and many others are part of an iLO licensing package. For more information about iLO licensing, see the following website: http://www.hp.com/go/ilo/licensing.
Option: Minimum Password Length
Default value: 8
Description: This setting specifies the minimum number of characters allowed when a user password is set or changed. The character length must be a value from 0 to 39.
Option: Server Name
Description: This setting enables you to specify the host server name. You can assign this value manually, but it might be overwritten by the host software when the operating system loads.
You can enter a server name that is up to 49 bytes. To force the browser to refresh, save this setting, and then press F5.
Option: Server FQDN/IP Address
Description: This setting enables you to specify the server FQDN or IP address. You can assign this value manually, but it might be overwritten by the host software when the operating system loads.
You can enter an FQDN or IP address that is up to 255 bytes. To force the browser to refresh, save this setting, and then press F5.
Option: Authentication Failure Logging
Default value: Enabled-Every 3rd Failure
Description: This setting enables you to configure logging criteria for failed authentications. All login types are supported; each login type works independently. The following are valid settings:
Enabled-Every Failure—A failed login log entry is recorded after every failed login attempt.
Enabled-Every 2nd Failure—A failed login log entry is recorded after every second failed login attempt.
Enabled-Every 3rd Failure—A failed login log entry is recorded after every third failed login attempt.
Enabled-Every 5th Failure—A failed login log entry is recorded after every fifth failed login attempt.
Disabled—No failed login log entry is recorded.
For information about using this setting with SSH clients, see “Logging in to iLO by using an SSH client” (page 60).
4. Click Apply to end your browser connection and restart iLO.
It might take several minutes before you can re-establish a connection.

Logging in to iLO by using an SSH client

When a user logs in to iLO by using an SSH client, the number of login name and password prompts displayed by iLO matches the value of the Authentication Failure Logging option (3 if it is disabled). The number of prompts might also be affected by your SSH client configuration. SSH clients also implement delays after login failure.
For example, to generate an SSH authentication failure log with the default value (Enabled-Every 3rd Failure), assuming that the SSH client is configured with the number of password prompts set to 3, three consecutive login failures occur as follows:
1. Run the SSH client and log in with an incorrect login name and password. You receive three password prompts. After the third incorrect password, the connection ends and the first login failure is recorded. The SSH login failure counter is set to 1.
2. Run the SSH client and log in with an incorrect login name and password. You receive three password prompts. After the third incorrect password, the connection ends and the second login failure is recorded. The SSH login failure counter is set to 2.
3. Run the SSH client and log in with an incorrect login name and password. You receive three password prompts. After the third incorrect password, the connection ends and the third login failure is recorded. The SSH login failure counter is set to 3.
The iLO firmware records an SSH failed login log entry, and sets the SSH login failure counter to 0.

Configuring iLO security

iLO provides the following security features:
User-defined TCP/IP ports. For more information, see “Configuring iLO access settings” (page 55).
User actions logged in the iLO Event Log. For more information, see “Using the iLO Event Log” (page 170).
Progressive delays for failed login attempts. For more information, see “Login security” (page 64).
Support for X.509 CA signed certificates. For more information, see “Administering SSL certificates” (page 67).
Support for securing iLO RBSU and the iLO 4 Configuration Utility. For more information, see “iLO RBSU and iLO 4 Configuration Utility security” (page 61).
Encrypted communication that uses SSL certificate administration. For more information, see “Administering SSL certificates” (page 67).
Support for optional LDAP-based directory services. For more information, see “Directory services” (page 250).
Some of these options are licensed features. For more information, see “iLO licensing” (page 43).

General security guidelines

General security guidelines for iLO follow:
For maximum security, configure iLO on a separate management network. For more information, see “Connecting iLO to the network” (page 19).
Do not connect iLO directly to the Internet.
Use a browser that has a 128-bit cipher strength.
Passwords
HP recommends that you follow these password guidelines:
Passwords should:
Never be written down or recorded
Never be shared with others
Not be words found in a dictionary
Not be obvious words, such as the company name, product name, user name, or login name
Passwords should have at least three of the following characteristics:
One numeric character
One special character
One lowercase character
One uppercase character
Depending on the Minimum Password Length setting on the Access Settings page, the password can have a minimum of zero characters (no password) and a maximum of 39 characters. The default Minimum Password Length is eight characters.
IMPORTANT: HP does not recommend setting the Minimum Password Length to fewer than eight characters unless you have a physically secure management network that does not extend outside the secure data center. For information about setting the Minimum Password Length, see “Configuring access options” (page 57).
iLO RBSU and iLO 4 Configuration Utility security
iLO RBSU and the iLO 4 Configuration Utility enable you to view and modify the iLO configuration. You can configure iLO RBSU and iLO Configuration Utility access settings by using iLO RBSU, the iLO 4 Configuration Utility, a web browser, RIBCL scripts, or the iLO Security Override Switch.
For information about using a web browser to configure iLO RBSU or iLO 4 Configuration Utility access settings, see “Configuring access options” (page 57).
For information about using iLO RBSU or iLO 4 Configuration Utility to configure iLO RBSU or iLO 4 Configuration Utility access settings, see “Configuring iLO by using the ROM-based utilities” (page 132).
For information about using RIBCL scripts to configure iLO RBSU or the iLO 4 Configuration Utility, see the HP iLO 4 Scripting and Command Line Guide.
For information about using the iLO Security Override Switch to access iLO RBSU or the iLO 4 Configuration Utility, see “iLO Security Override Switch administration” (page 62).
iLO RBSU and the iLO 4 Configuration Utility have the following security levels:
Login Not Required (default)
Anyone who has access to the host during POST can enter iLO RBSU or the iLO 4 Configuration Utility to view and modify configuration settings. This is an acceptable setting if host access is controlled. If host access is not controlled, any user can make changes by using the active configuration menus.
Login Required (more secure)
If iLO RBSU or iLO 4 Configuration Utility login is required, the active configuration menus are controlled by the authenticated user access rights.
Disabled (most secure)
If iLO RBSU or the iLO 4 Configuration Utility is disabled, user access is prohibited. This prevents modification by using the iLO RBSU or the iLO 4 Configuration Utility .
To change the login requirement:
Use the iLO web interface to edit the Require Login for iLO RBSU or Require Login for iLO 4 Configuration Utility setting. For instructions, see “Configuring access options” (page 57).
Use the iLO RBSU or the iLO 4 Configuration Utility to edit the Require iLO 4 RBSU Login or Require Login for iLO 4 Configuration Utility setting. For instructions, see “Configuring iLO by using the ROM-based utilities” (page 132).
To enable or disable access to iLO RBSU or the iLO 4 Configuration Utility:
Use the iLO web interface to edit the iLO ROM-Based Setup Utility or iLO 4 Configuration Utility setting. For instructions, see “Configuring access options” (page 57).
Use the iLO RBSU or the iLO 4 Configuration Utility to edit the iLO 4 ROM-Based Setup Utility or iLO 4 Configuration Utility setting. For instructions, see “Configuring iLO by using the ROM-based utilities” (page 132).
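The access options and the three iLO RBSU security levels described above can be reviewed together for each iLO system. The following added example (not HP code) checks a settings dictionary against statements made in this guide; the dictionary layout is hypothetical, the option names use the RBSU variants from Table 5, the sample values are constructed, and treating Enabled-No Authentication on the serial CLI as a finding is an assumption of this example.

```python
# Added example: hypothetical settings layout, not an iLO export format.
IDLE = "Idle Connection Timeout (minutes)"
RBSU = "iLO ROM-Based Setup Utility"        # iLO 4 Configuration Utility on UEFI
RBSU_LOGIN = "Require Login for iLO RBSU"   # ...for iLO 4 Configuration Utility
SERIAL = "Serial Command Line Interface Status"
MIN_PW = "Minimum Password Length"
AUTH_LOG = "Authentication Failure Logging"

# Default values as listed in Table 5.
DEFAULTS = {
    IDLE: 30,
    RBSU: "Enabled",
    RBSU_LOGIN: "Disabled",
    SERIAL: "Enabled-Authentication Required",
    MIN_PW: 8,
    AUTH_LOG: "Enabled-Every 3rd Failure",
}
VALID_IDLE = {15, 30, 60, 120, "Infinite"}


def rbsu_security_level(settings):
    """Map the two RBSU options to the security level named in this guide."""
    if settings[RBSU] == "Disabled":
        return "Disabled"               # most secure
    if settings[RBSU_LOGIN] == "Enabled":
        return "Login Required"         # more secure
    return "Login Not Required"         # default


def audit_access_settings(exported):
    """Return (option, value, reason) findings; unset options use the defaults."""
    unknown = sorted(set(exported) - set(DEFAULTS))
    if unknown:
        raise ValueError("unknown option(s): " + ", ".join(unknown))
    s = {**DEFAULTS, **exported}
    findings = []

    def flag(option, reason):
        findings.append((option, s[option], reason))

    if s[IDLE] not in VALID_IDLE:
        flag(IDLE, "not a valid timeout value")
    elif s[IDLE] == "Infinite":
        flag(IDLE, "inactive users are never logged out; connections are finite")
    if not 0 <= s[MIN_PW] <= 39:
        flag(MIN_PW, "must be a value from 0 to 39")
    elif s[MIN_PW] < 8:
        flag(MIN_PW, "fewer than eight characters is not recommended by HP")
    if s[AUTH_LOG] == "Disabled":
        flag(AUTH_LOG, "no failed login log entry is recorded")
    if s[SERIAL] == "Enabled-No Authentication":
        flag(SERIAL, "iLO CLP reachable from the serial port without credentials")
    if rbsu_security_level(s) == "Login Not Required":
        flag(RBSU_LOGIN, "acceptable only if host access during POST is controlled")
    return findings


# Constructed sample: a system that was relaxed during commissioning.
SAMPLE = {
    IDLE: "Infinite",
    MIN_PW: 0,
    AUTH_LOG: "Disabled",
    SERIAL: "Enabled-No Authentication",
}

if __name__ == "__main__":
    for option, value, reason in audit_access_settings(SAMPLE):
        print(f"{option} = {value}: {reason}")
```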
iLO Security Override Switch administration
The iLO Security Override Switch grants the administrator full access to the iLO processor. This access might be necessary for any of the following conditions:
iLO has been disabled and must be re-enabled.
All user accounts that have the Administer User Accounts privilege are locked out.
An invalid configuration prevents iLO from being displayed on the network, and iLO RBSU or the iLO 4 Configuration Utility is disabled.
The boot block must be flashed.
The iLO NIC is turned off, and running iLO RBSU or the iLO 4 Configuration Utility to turn it back on is not possible or convenient.
Only one user name is configured, and the password is forgotten.
Ramifications of setting the iLO Security Override Switch include the following:
All security authorization verifications are disabled when the switch is set.
iLO RBSU or the iLO 4 Configuration Utility runs if the host server is reset.
iLO is not disabled and might be displayed on the network as configured.
iLO, if disabled when the switch is set, does not log out the user and complete the disable process until the power is cycled on the server.
The boot block is exposed for programming.
A warning message is displayed on iLO web interface pages, indicating that the switch is currently in use.
An iLO log entry records the use of the switch.
When iLO boots after you set or clear the iLO Security Override Switch, an SNMP alert is sent if an SNMP Alert Destination is configured.
Setting the iLO Security Override Switch enables you to flash the iLO boot block. HP does not anticipate that you will need to update the boot block. However, if an update is required, you must be physically present at the server to reprogram the boot block and reset iLO. The boot block is exposed until iLO is reset. For maximum security, HP recommends disconnecting iLO from the network until the reset is complete. You must open the server enclosure to access the iLO Security Override Switch.
To set the iLO Security Override Switch:
1. Power off the server.
2. Set the switch.
3. Power on the server.
Reverse this procedure to clear the iLO Security Override Switch.
The iLO Security Override Switch uses switch #1 on the DIP switch panel. For information about accessing the iLO Security Override Switch, see the server documentation or use the diagrams on the server access panel.

TPM support

A TPM is a computer chip that securely stores artifacts used to authenticate the platform. These artifacts can include passwords, certificates, or encryption keys. You can also use a TPM to store platform measurements to make sure that the platform remains trustworthy.
On a supported system, iLO decodes the TPM record and passes the configuration status to iLO, the CLP, and the XML interface. The iLO Overview page displays the following TPM status information:
Not Supported—A TPM is not supported.
Not Present—A TPM is not installed.
Present—This indicates one of the following statuses:
A TPM is installed but is disabled.
A TPM is installed and enabled.
A TPM is installed and enabled, and Expansion ROM measuring is enabled. If Expansion ROM measuring is enabled, the Update Firmware page displays a legal warning message when you click Upload.

User accounts and access

iLO supports the configuration of up to 12 local user accounts. Each account can be managed through the following features:
Privileges
Login security
You can configure iLO to use a directory to authenticate and authorize its users. This configuration enables an unlimited number of users and easily scales to the number of iLO devices in an enterprise.
The directory also provides a central point of administration for iLO devices and users, and the directory can enforce a stronger password policy. iLO enables you to use local users, directory users, or both.
The following directory configuration options are available:
A directory extended with HP schema
The directory default schema
For more information about using directory authentication, see “Directory services” (page 250).
User privileges
iLO allows you to control user account access to iLO features through the use of privileges. When a user attempts to use a feature, iLO verifies that the user has the proper privilege to use that feature.
You can control access to iLO features by using the following privileges: Administer User Accounts, Remote Console Access, Virtual Power and Reset, Virtual Media, and Configure iLO Settings. User privileges are configured on the Administration→User Administration page. For more information, see “Administering users” (page 44).
NOTE: User accounts can also be configured by using iLO RBSU or the iLO 4 Configuration Utility. For more information, see “Adding iLO user accounts by using iLO RBSU” (page 25).
Login security
iLO provides several login security features. After an initial failed login attempt, iLO imposes a delay of ten seconds. Each subsequent failed attempt increases the delay by ten seconds. An information page is displayed during each delay; this continues until a valid login occurs. This feature helps to prevent dictionary attacks against the browser login port.
iLO saves a detailed log entry for failed login attempts. You can configure the Authentication Failure Logging frequency on the Administration→Access Settings page. For more information, see “Configuring access options” (page 57).

Administering SSH keys

The Secure Shell Key page (Figure 27) displays the hash of the SSH public key associated with each user. Each user can have only one key assigned. Use this page to view, add, or delete SSH keys.
You must have the Administer User Accounts privilege to add and delete SSH keys.
About SSH keys
When you add an SSH key to iLO, you paste the SSH key file into iLO as described in “Authorizing a new key by using the iLO web interface” (page 65) and “Authorizing a new key by using the CLI” (page 66). The file must contain the user-generated public key. The iLO firmware associates each key with the selected local user account. If a user is removed after an SSH key is authorized for that user, the SSH key is removed.
The following SSH key formats are supported:
RFC 4716
---- BEGIN SSH2 PUBLIC KEY ---­Comment: "Administrator" AAAAB3NzaC1kc3MAAACAT27C04Dy2zr7fWhUL7TwHDKQdEdyuAlNLIivLFP3IoKZ ZtzF0VInP5x2VFVYmTvdVjD92CTlxxAtarOPON2qUqoOajKRtBWLmxcfqsLCT3wI 3ldxQvPYnhTYyhPQuoeJ/vYhoam+y0zi8D03pDv9KaeNA3H/zEL5mf9Ktgts8/UA AAAVAJ4efo8ffq0hg4a/eTGEuHPCb3INAAAAgCbnhADYXu+Mv4xuXccXWP0Pcj47 7YiZgos3jt/Z0ezFX6/cN/RwwZwPC1HCsMuwsVBIqi7bvn1XczFPKOt06gVWcjFt eBY3/bKpQkn61SGPC8AhSu8ui0KjyUZrxL4LdBrtp/K2+lm1fqXHnzDIEJ0RHg8Z JazhY920PpkD4hNbAAAAgDN3lba1qFVl0UlRjj21MjXgr6em9TETSOO5b7SQ8hX/
Z/axobbrHCj/2s66VA/554chkVimJT2IDRRKVkcV8OVC3nb4ckpfFEZvKkAWYaiF DLqRbHhh4qyRBIfBKQpvvhDj1aecdFbaO2UvZltMir4n8/E0hh19nfi3tjXAtSTV
---- END SSH2 PUBLIC KEY ----
OpenSSH key format—These keys must be one line only.
ssh-dss AAAAB3NzaC1kc3MAAACAYjEd8Rk8HLCLqDIlI+RkA1UXjVS28hNSk8YDljTaJpw1VOlBirrLGPdSt0avNSz0DNQuU7gTPfjj/8c XyHe3y95Oa3Rics1fARyLiNFGqFjr7w2ByQuoYUaXBzzghIYMQcmpc/W/kDMC0dVOf2XnfcLpcVDIm3ahVPRkxFV9WKkAAAAVAI 3J61F+oVKrbNovhoHh8pFfUa9LAAAAgA8pU5/M9F0s5QxqkEWPD6+FVz9cZ0GfwIbiuAI/9ARsizkbwRtpAlxAp6eDZKFvj3ZIy NjcQODeYYqOvVU45AkSkLBMGjpF05cVtnWEGEvrW7mAvtG2zwMEDFSREw/V526/jR9TKzSNXTH/wqRtTc/oLotHeyV2jFZFGpxD OvNWAAAAgFf6pvWaco3CDELmH0jT3yUkRSaDztpqtoo4D7ev7VrNPPjnKKKmpzHPmAKRxz3g5S80SfWSnWM3n/pekBa9QI9lH1r 3Lx4JoOVwTpkbwb0by4eZ2cqDw20KQ0A5J84iQE9TbPNecJ0HJtZH/K8YnFNwwYy2NSJyjLwA0TSmQEOW Administrator
iLO legacy format—These are OpenSSH keys surrounded by the BEGIN/END headers needed for RIBCL. This format must be one line between the BEGIN SSH KEY and END SSH KEY text.
-----BEGIN SSH KEY----­ssh-dss AAAAB3NzaC1kc3MAAACBANA45qXo9cM1asav6ApuCREt1UvP7qcMbw+sTDrx9lV22XvonwijdFiOM/0VvuzVhM9oKdGMC7sCGQr FV3zWDMJcIb5ZdYQSDt44X6bvlsQcAR0wNGBN9zHL6YsbXvNAsXN7uBM7jXwHwrApWVuGAI0QnwUYvN/dsE8fbEYtGZCRAAAAFQ DofA47q8pIRdr6epnJXSNrwJRvaQAAAIBY7MKa2uH82I0KKYTbNMi0o5mOqmqy+tg5s9GC+HvvYy/S7agpIdfJzqkpHF5EPhm0j KzzVxmsanO+pjju7lrE3xUxojevlokTERSCM xLa+OVVbNcgTe0xpvc/cF6ZvsHs0UWz6gXIMCQ9Pk118VMOw/tyLp42YXOaLZzG fi5pKAAAAIEAl7FsO7sDbPj02a5jO3qFXa762lWvu5iPRZ9cEt5WJEYwMO/ICaJVDWVOpqF9spoNb53Wl1pUARJg1ss8Ruy7YBv 8Z1urWWAF3fYy7R/SlQqrsRYDPLM5eBkkLO28B8C6++HjLuc+hBvj90tsqeNVhpCfO9qrjYomYwnDC4m1IT4= ASmith
-----END SSH KEY-----
Note the following when working with SSH keys:
The previously listed sample formats are supported with the iLO web interface and the CLI.
Only the iLO legacy format is supported with RIBCL scripts.
Any SSH connection authenticated through the corresponding private key is authenticated as the owner of the key and has the same privileges.
The iLO firmware provides storage to accommodate SSH keys that have a length of 1366 bytes or less. If the key is larger than 1366 bytes, the authorization might fail. If this occurs, use the SSH client software to generate a shorter key.
If you use the iLO web interface to enter the public key, you select the user associated with the public key. If you use the CLI to enter the public key, the public key is linked to the user name that you entered to log in to iLO. If you use HPQLOCFG to enter the public key, you append the iLO user name to the public key data. The public key is stored with that user name.
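The following Python sketch is an added example, not HP code: it parses the three key formats listed above, converts between them, and checks a key against the 1366-byte storage limit and the 2,048-bit key size before you import it. It assumes the limit applies to the one-line OpenSSH text; the function names and the sample key are constructed for illustration.

```python
import base64

ILO_MAX_KEY_BYTES, REQUIRED_BITS = 1366, 2048   # limits stated in the guide
RFC_BEGIN, RFC_END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"
ILO_BEGIN, ILO_END = "-----BEGIN SSH KEY-----", "-----END SSH KEY-----"


def _ssh_string(raw):
    return len(raw).to_bytes(4, "big") + raw    # length-prefixed SSH string


def _read_string(blob, off):
    """Read one length-prefixed field from the key blob; return (bytes, next offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    end = off + 4 + int.from_bytes(blob[off:off + 4], "big")
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end


def parse_public_key(text):
    """Parse RFC 4716, OpenSSH one-line or iLO legacy text into a dict."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty input")
    declared, comment = None, ""
    if lines[0] == RFC_BEGIN:
        fmt = "rfc4716"
        if lines[-1] != RFC_END:
            raise ValueError("END SSH2 PUBLIC KEY line is missing")
        body, in_header = [], False
        for ln in lines[1:-1]:
            if in_header or ":" in ln:           # header line or its continuation
                if ln.lower().startswith("comment:"):
                    comment = ln.split(":", 1)[1].strip().strip('"')
                in_header = ln.endswith("\\")
            else:
                body.append(ln)
        b64 = "".join(body)
    else:
        fmt = "openssh"
        if lines[0] == ILO_BEGIN:
            fmt = "ilo-legacy"
            if lines[-1] != ILO_END:
                raise ValueError("END SSH KEY line is missing")
            lines = lines[1:-1]
        if len(lines) != 1:
            raise ValueError(f"{fmt} key must be exactly one line")
        parts = lines[0].split(None, 2)
        if len(parts) < 2:
            raise ValueError("expected '<type> <base64> [comment]'")
        declared, b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    name, off = _read_string(blob, 0)
    key_type = name.decode("ascii")
    if declared not in (None, key_type):
        raise ValueError("type prefix does not match the key blob")
    if key_type not in ("ssh-rsa", "ssh-dss"):
        raise ValueError("the guide asks for a DSA or RSA key")
    size_field, off = _read_string(blob, off)    # DSA: prime p comes first
    if key_type == "ssh-rsa":                     # RSA: exponent e, then modulus n
        size_field, off = _read_string(blob, off)
    return {"format": fmt, "type": key_type, "b64": b64, "comment": comment,
            "bits": int.from_bytes(size_field, "big").bit_length()}


def to_openssh(key):
    return f"{key['type']} {key['b64']} {key['comment']}".strip()


def to_ilo_legacy(key):
    return "\n".join([ILO_BEGIN, to_openssh(key), ILO_END])   # one key line only


def to_rfc4716(key):
    head = [RFC_BEGIN] + ([f'Comment: "{key["comment"]}"'] if key["comment"] else [])
    body = [key["b64"][i:i + 70] for i in range(0, len(key["b64"]), 70)]
    return "\n".join(head + body + [RFC_END])


def ilo_import_problems(key):
    """List reasons the key may be rejected, based on the limits in the guide."""
    problems = []
    size = len(to_openssh(key).encode())   # assumption: limit applies to this text
    if size > ILO_MAX_KEY_BYTES:
        problems.append(f"key text is {size} bytes, limit is {ILO_MAX_KEY_BYTES}")
    if key["bits"] != REQUIRED_BITS:
        problems.append(f"{key['bits']}-bit key, guide asks for {REQUIRED_BITS}-bit")
    return problems


def constructed_rsa_line(bits=2048, comment="ASmith"):
    """Constructed sample: well-formed ssh-rsa text whose modulus is not a real key."""
    def mpint(n):
        return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))
    blob = _ssh_string(b"ssh-rsa") + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"
```

Pass the contents of your own key.pub file to parse_public_key, then use to_ilo_legacy on the result when the key is destined for a RIBCL script.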
Authorizing a new key by using the iLO web interface
1. Generate a 2,048-bit DSA or RSA SSH key by using ssh-keygen, puttygen.exe, or another SSH key utility.
2. Create the key.pub file.
3. Navigate to the Administration→Security page.
4. Click the Secure Shell Key tab, as shown in Figure 27 (page 66).
Figure 27 Security–Secure Shell Key page
5. Select the check box to the left of the user to which you want to add an SSH key.
6. Click Authorize New Key.
7. Copy and paste the public key into the Public Key Import Data box as shown in Figure 28 (page 66).
Figure 28 Public Key Import Data box
The key must be a 2,048-bit DSA or RSA key.
8. Click Import Public Key.
Authorizing a new key by using the CLI
1. Generate a 2,048-bit DSA or RSA SSH key by using ssh-keygen, puttygen.exe, or another SSH key utility.
2. Create the key.pub file.
3. Verify that Secure Shell (SSH) Access is enabled on the Access Settings page. For more information, see “Configuring iLO access settings” (page 55).
4. Use Putty.exe to open an SSH session using port 22.
5. Change to the /Map1/Config1 directory (cd /Map1/Config1).
6. Enter the following command:
load sshkey type "oemhp_loadSSHkey -source <protocol://username:password@hostname:port/filename>"
When you use this command:
The protocol value is required and must be HTTP or HTTPS.
The hostname and filename values are required.
The username:password and port values are optional.
oemhp_loadSSHkey is case-sensitive.
The CLI performs a cursory syntax verification of the values you enter. You must visually verify that the URL is valid. The following example shows the command structure:
oemhp_loadSSHkey -source http://192.168.1.1/images/path/sshkey.pub
Deleting keys
1. Navigate to the Administration→Security page.
2. Click the Secure Shell Key tab, as shown in Figure 27 (page 66).
3. Select the check box to the left of the user for which you want to delete an SSH key.
4. Click Delete Selected Key(s).
The selected SSH key is removed from iLO. When an SSH key is deleted from iLO, an SSH client cannot authenticate to iLO by using the corresponding private key.
Authorizing keys from an HP SIM server
The mxagentconfig utility enables you to authorize SSH keys from an HP SIM server.
SSH must be enabled on iLO before you use mxagentconfig to authorize a key.
The user name and password entered in mxagentconfig must correspond to an iLO user who has the Configure iLO Settings privilege. The user can be a directory user or a local user.
The key is authorized on iLO and corresponds to the user name specified in the mxagentconfig command.
For more information about mxagentconfig, see the HP iLO 4 Scripting and Command Line Guide.

Administering SSL certificates

SSL is a standard for encrypting data so that it cannot be viewed or modified while in transit on the network. SSL uses a key to encrypt and decrypt the data. The longer the key, the better the encryption.
A certificate is a public document that describes the server. It contains the name of the server and the server's public key. Because only the server has the corresponding private key, this is how the server is authenticated.
A certificate must be signed to be valid. If it is signed by a CA, and that CA is trusted, all certificates signed by the CA are also trusted. A self-signed certificate is one in which the owner of the certificate acts as its own CA. Self-signed certificates are the default for HP management products, though they do support certificates signed by certifying authorities.
The iLO firmware enables you to create a certificate request, import a certificate, and view information associated with a stored certificate. Certificate information is encoded in the certificate by the CA and is extracted by iLO.
By default, iLO creates a self-signed certificate for use in SSL connections. This certificate enables iLO to work without additional configuration steps. Importing a trusted certificate can enhance the iLO security features. Users who have the Configure iLO Settings privilege can customize and import a trusted certificate.
Viewing certificate information
To view certificate information, navigate to the Administration→Security→SSL Certificate page. The following certificate details are displayed:
Issued To—The entity to which the certificate was issued
Issued By—The CA that issued the certificate
Valid From—The first date that the certificate is valid
Valid Until—The date that the certificate expires
Serial Number—The serial number that the CA assigned to the certificate
Obtaining and importing a certificate
Users who have the Configure iLO Settings privilege can customize and import a trusted certificate. A certificate works only with the keys generated with its corresponding CSR. If iLO is reset to factory defaults, or another CSR is generated before the certificate that corresponds to the previous CSR is imported, the certificate does not work. In that case, a new CSR must be generated and used to obtain a new certificate from the CA.
To obtain and import a certificate:
1. Navigate to the Administration→Security→SSL Certificate page, as shown in Figure 29 (page 68).
Figure 29 Security–SSL Certificate Information page
2. Click Customize Certificate. The SSL Certificate Customization page opens, as shown in Figure 30 (page 69).
Figure 30 Security–SSL Certificate Customization page
3. Enter the following information in the Certificate Signing Request Information section. The required boxes are marked with an asterisk (*) in the iLO web interface.
Country (C)—The two-character country code that identifies the country where the company or organization that owns this iLO subsystem is located
State (ST)—The state where the company or organization that owns this iLO subsystem is located
City or Locality (L)—The city or locality where the company or organization that owns this iLO subsystem is located
Organization Name (O)—The name of the company or organization that owns this iLO subsystem
Organizational Unit (OU)—(Optional) The unit within the company or organization that owns this iLO subsystem
Common Name (CN)—The FQDN of this iLO subsystem
4. Click Generate CSR.
The following message appears:
The iLO subsystem is currently generating a Certificate Signing Request (CSR). This may take 10 minutes or more. In order to view the CSR, wait 10 minutes or more, and then click the Generate CSR button again.
5. After 10 minutes or more, click the Generate CSR button again.
A new window displays the CSR.
The CSR contains a public and private key pair that validates communications between the client browser and iLO. iLO supports key sizes up to 2,048 bits. The generated CSR is held in memory until a new CSR is generated, iLO is reset, or a certificate is imported.
6. Select and copy the CSR text.
7. Open a browser window and navigate to a third-party CA.
8. Follow the onscreen instructions and submit the CSR to the CA. The CA will generate a certificate in the PKCS #10 format.
9. After you obtain the certificate, make sure that:
The CN matches the iLO FQDN. This is listed as the iLO Hostname on the Information→Overview page.
The certificate is generated as a Base64-encoded X.509 certificate, and is in the RAW format.
The first and last lines are included in the certificate.
10. Return to the SSL Certificate Customization page (Figure 30) in the iLO user interface.
11. Click the Import Certificate button. The Import Certificate window opens, as shown in Figure 31 (page 70).
Figure 31 Import Certificate window
12. Paste the certificate into the text box, and then click the Import button.
iLO supports DER-encoded SSL certificates that are up to 3 KB in size (including the 609 or 1,187 bytes used by the private key, for 1,024-bit and 2,048-bit certificates, respectively).
13. Restart iLO.

Configuring directory settings

The iLO firmware connects to Microsoft Active Directory, Novell e-Directory, and other LDAP 3.0-compliant directory services for user authentication and authorization. You can configure iLO to authenticate and authorize users by using the HP Extended Schema directory integration or the schema-free directory integration. The HP Extended Schema works only with Microsoft Windows. The iLO firmware connects to directory services by using SSL connections to the directory server LDAP port. The default secure LDAP port is 636.
For more information about using directory authentication with iLO, see “Directory services” (page 250).
Locally stored user accounts (listed on the User Administration page) can be active when iLO directory support is enabled. This enables both local-based and directory-based user access. Typically, you can delete local user accounts (with the possible exception of an emergency access account) after iLO is configured to access the directory service. You can also disable access to these accounts when directory support is enabled.
You must have the Configure iLO Settings privilege to change directory settings.
This feature and many others are part of an iLO licensing package. For more information about iLO licensing, see the following website: http://www.hp.com/go/ilo/licensing.
Configuring authentication and directory server settings
1. Navigate to the Administration→Security→Directory page, as shown in Figure 32 (page 71).
Figure 32 Security - Directory page
2. Configure the following options:
LDAP Directory Authentication—Enables or disables directory authentication. If directory authentication is enabled and configured correctly, users can log in by using directory credentials.
Choose from the following options:
Disabled—User credentials are not validated by using a directory.
Use HP Extended Schema—Selects directory authentication and authorization by using directory objects created with the HP Extended Schema. Select this option when the directory has been extended with the HP Extended Schema.
Use Directory Default Schema—Selects directory authentication and authorization by using user accounts in the directory. Select this option when the directory is not extended with the HP Extended Schema. User accounts and group memberships are used to authenticate and authorize users. After you enter and save the directory network information, click Administer Groups, and then enter one or more valid directory DNs and privileges to grant users access to iLO.
Kerberos Authentication—Enables Kerberos login. If Kerberos login is enabled and configured correctly, the HP Zero Sign In button appears on the login page.
Local User Accounts—Enables or disables local user account access.
Enabled—A user can log in by using locally stored user credentials. HP recommends enabling this option and configuring a user account with administrator privileges. This account can be used if iLO cannot communicate with the directory server.
Disabled—User access is limited to valid directory credentials.
Access through local user accounts is enabled when directory support is disabled or an iLO license is revoked. You cannot disable local user access when you are logged in through a local user account.
Kerberos Realm—The name of the Kerberos realm in which the iLO processor is operating. This string can be up to 128 characters. A realm name is usually the DNS name converted to uppercase. Realm names are case sensitive.
Kerberos KDC Server Address—The IP address or DNS name of the KDC server. This string can be up to 128 characters. Each realm must have at least one KDC that contains an authentication server and a ticket grant server. These servers can be combined.
Kerberos KDC Server Port—The TCP or UDP port number on which the KDC is listening. The default KDC port is 88.
Kerberos Keytab—A binary file that contains pairs of service principal names and encrypted passwords. In the Windows environment, the keytab file is generated by the ktpass utility. Click Browse (Internet Explorer or Firefox) or Choose File (Chrome), and then follow the onscreen instructions to select a file.
IMPORTANT: The components of the service principal name stored in the Kerberos keytab file are case sensitive. The primary (service type) must be in uppercase letters, for example, (HTTP). The instance (iLO host name) must be in lowercase letters, for example, iloexample.example.net. The realm name must be in uppercase, for example, EXAMPLE.NET.
3. Enter the directory server settings. iLO directory server settings enable you to identify the directory server address and LDAP port.
Directory Server Address—Specifies the network DNS name or IP address of the directory server. The directory server address can be up to 127 characters.
IMPORTANT: HP recommends using DNS round-robin when you are defining the directory server.
Directory Server LDAP Port—Specifies the port number for the secure LDAP service on the server. The default value is 636. You can specify a different value if your directory service is configured to use a different port.
LOM Object Distinguished Name—Specifies where this iLO instance is listed in the directory tree (for example, cn=iLO Mail Server,ou=Management Devices,o=hp). This option is available when Use HP Extended Schema is selected.
User search contexts are not applied to the LOM object DN when iLO accesses the directory server.
Directory User Contexts—These boxes enable you to specify common directory subcontexts so that users do not need to enter their full DNs at login. Directory user contexts can be up to 128 characters.
You can identify the objects listed in a directory by using unique DNs. However, DNs can be long, and users might not know their DNs or might have accounts in different directory contexts. iLO attempts to contact the directory service by DN, and then applies the search contexts in order until successful.
Example 1—If you enter the search context ou=engineering,o=hp, you can log in as user instead of logging in as cn=user,ou=engineering,o=hp.
Example 2—If a system is managed by Information Management, Services, and Training, search contexts such as the following enable users in any of these organizations to log in by using their common names:
Directory User Context 1:ou=IM,o=hp
Directory User Context 2:ou=Services,o=hp
Directory User Context 3:ou=Training,o=hp
If a user exists in both the IM organizational unit and the Training organizational unit, login is first attempted as cn=user,ou=IM,o=hp.
Example 3 (Active Directory only)—Microsoft Active Directory allows an alternate user credential format. A user can log in as user@domain.example.com, in which case a search context of @domain.example.com allows the user to log in as user. Only a successful login attempt can test search contexts in this format.
4. Click Apply Settings.
5. To test the communication between the directory server and iLO, click Test Settings.
For more information, see “Running directory tests” (page 73).
6. Optional: Click Administer Groups to navigate to the User Administration page.
For information about group administration, see “Administering directory groups” (page 48).
Running directory tests
Directory tests enable you to validate the configured directory settings. The directory test results are reset when directory settings are saved, or when the directory tests are started.
To validate the configured directory settings:
1. Click Test Settings on the Security→Directory page. The Directory Tests page opens, as shown in Figure 33 (page 74).
Figure 33 Directory Tests page
This page displays the results of a series of simple tests designed to validate the current directory settings. Also, it includes a test log that shows test results and any detected issues. After your directory settings are configured correctly, you do not need to rerun these tests. The Directory Tests page does not require that you be logged in as a directory user.
2. In the Directory Test Controls section, enter the DN and password of a directory administrator.
Directory Administrator Distinguished Name—Searches the directory for iLO objects, roles, and search contexts. This user must have rights to read the directory.
Directory Administrator Password—Authenticates the directory administrator.
HP recommends that you use the same credentials that you used when creating the iLO objects in the directory. These credentials are not stored by iLO; they are used to verify the iLO object and user search contexts.
3. In the Directory Test Controls section, enter a test user name and password.
Test User Name—Tests login and access rights to iLO. The name does not have to be fully distinguished because user search contexts can be applied. This user must be associated with a role for this iLO.
Test User Password—Authenticates the test user.
Typically, this account is used to access the iLO processor being tested. It can be the directory administrator account, but the tests cannot verify user authentication with a superuser account. These credentials are not stored by iLO.
4. Click Start Test.
Several tests begin in the background, starting with a network ping of the directory user by establishing an SSL connection to the server and evaluating user privileges.
While the tests are running, the page refreshes periodically. You can stop the tests or manually refresh the page at any time.
Viewing directory test results
The Directory Test Results section shows the directory test status with the date and time of the last update.
Overall Status—Summarizes the results of the tests.
Not Run—No tests were run.
Inconclusive—No results were reported.
Passed—No failures were reported.
Problem Detected—A problem was reported.
Failed—A specific subtest failed. Check the onscreen log to identify the problem.
Warning—One or more of the directory tests reported a Warning status.
Test—The name of each test.
Table 6 (page 75) provides details about each directory test.
Table 6 Directory tests
Test: Directory Server DNS Name
If the directory server is defined in FQDN format (directory.company.com), iLO resolves the name from FQDN format to IP format, and queries the configured DNS server.
If the test is successful, iLO obtained an IP address for the configured directory server. If iLO cannot obtain an IP address for the directory server, this test and all subsequent tests fail.
If the directory server is configured with an IP address, iLO skips this test.
If a failure occurs:
1. Verify that the DNS server configured in iLO is correct.
2. Verify that the directory server FQDN is correct.
3. As a troubleshooting tool, use an IP address instead of the FQDN.
4. If the problem persists, check the DNS server records and network routing.
Test: Ping Directory Server
iLO initiates a ping to the configured directory server.
The test is successful if iLO receives the ping response; it is unsuccessful if the directory server does not reply to iLO. If the test fails, iLO will continue with the subsequent tests.
If a failure occurs:
1. Check to see if a firewall is active on the directory server.
2. Check for network routing issues.
Test: Connect to Directory Server
iLO attempts to negotiate an LDAP connection with the directory server.
If the test is successful, iLO was able to initiate the connection.
If the test fails, iLO was not able to initiate an LDAP connection with the specified directory server. Subsequent tests will stop.
If a failure occurs:
1. Verify that the configured directory server is the correct host.
2. Verify that iLO has a clear communication path to the directory server through port 636 (consider any routers or firewalls between iLO and the directory server).
3. Verify that any local firewall on the directory server is enabled to allow communications through port 636.
Test: Connect using SSL
iLO initiates SSL handshake and negotiation and LDAP communications with the directory server through port 636.
If the test is successful, the SSL handshake and negotiation between iLO and the directory server were successful.
If a failure occurs, the directory server is not enabled for SSL negotiations.
If you are using Microsoft Active Directory, verify that Active Directory Certificate Services (Windows Server 2008) are installed.
Test: Bind to Directory Server
This test binds the connection with the user name specified in the test boxes. If no user is specified, iLO will do an anonymous bind.
If the test is successful, the directory server accepted the binding.
If a failure occurs:
1. Verify that the directory server allows anonymous binding.
2. If you entered a user name in the test boxes, verify that the credentials are correct.
3. If you verified that the user name is correct, try using other user-name formats; for example, user@domain.com, DOMAIN\username, username (called Display Name in Active Directory), or userlogin.
4. Verify that the specified user is allowed to log in and is enabled.
Test: Directory Administrator Login
If Directory Administrator Distinguished Name and Directory Administrator Password were specified, iLO uses these values to log in to the directory server as an administrator. These boxes are optional.
Test: User Authentication
iLO authenticates to the directory server with the specified user name and password.
If the test is successful, the supplied user credentials are correct.
If the test fails, the user name and/or password is incorrect.
If a failure occurs:
1. If you verified that the user name is correct, try using other user-name formats; for example, user@domain.com, DOMAIN\username, username (called Display Name in Active Directory), or userlogin.
2. Verify that the specified user is allowed to log in and is enabled.
3. Check to see if the specified user name is restricted by logon hours or IP-based logging.
Test: User Authorization
This test verifies that the specified user name is part of the specified directory group, and is part of the directory search context specified during directory services configuration.
If a failure occurs:
1. Verify that the specified user name is part of the specified directory group.
2. Check to see if the specified user name is restricted by logon hours or IP-based logging.
Test: Directory User Contexts
If Directory Administrator Distinguished Name was specified, iLO tries to search the specified context.
If the test is successful, iLO found the context by using the administrator credentials to search for the container in the directory.
Contexts that begin with "@" can be tested only by user login.
A failure indicates that the container could not be located.
Test: LOM Object Exists
This test searches for the iLO object in the directory server by using the LOM Object Distinguished Name configured on the Security→Directory page.
NOTE: You can enter a LOM Object Distinguished Name on the Security→Directory page only when Use HP Extended Schema is selected. This test is run even if LDAP Directory Authentication is disabled.
If the test is successful, iLO found the object that represents itself.
If a failure occurs:
1. Verify that the LDAP FQDN of the LOM object is correct.
2. Try to update the HP Extended Schema and snap-ins in the directory server by updating the HP Directories Support for ProLiant Management Processors software.
Result—Reports status for a specific directory setting or an operation that uses one or more directory settings. These results are generated when a sequence of tests is run. The results stop when the tests run to completion, when a test failure prevents further progress, or when the tests are stopped. Test results follow:
Passed—The test ran successfully. If more than one directory server was tested, all servers that ran this test were successful.
Not Run—The test was not run.
Failed—The test was unsuccessful on one or more of the directory servers. Directory support might not be available on those servers.
Warning—The test ran and reported a warning condition, for example, a certificate error. Check the Notes column for suggested actions to correct the warning condition.
Notes—Indicates the results of various phases of the directory tests. The data is updated with failure details and information that is not readily available, like the directory server certificate subject and which roles were evaluated successfully.
Using the directory test controls
The Directory Test Controls section enables you to view the current state of the directory tests, adjust the test parameters, start and stop the tests, and refresh the page contents.
In Progress—Indicates that directory tests are currently being performed in the background. Click the Stop Test button to cancel the current tests, or click the Refresh button to update the contents of the page with the latest results. Using the Stop Test button might not stop the tests immediately.
Not Running—Indicates that directory tests are current, and that you can supply new parameters to run the tests again. Use the Start Test button to start the tests and use the current test control values. Directory tests cannot be started after they are already in progress.
Stopping—Indicates that directory tests have not yet reached a point where they can stop. You cannot restart tests until the status changes to Not Running. Use the Refresh button to determine whether the tests are complete.
For information about the parameters you can enter, see “Running directory tests” (page 73).

Using encryption

iLO provides enhanced security for remote management in distributed IT environments. SSL encryption protects web browser data. SSL encryption of HTTP data ensures that the data is secure as it is transmitted across the network. iLO supports the following cipher strengths:
256-bit AES with RSA, DHE, and a SHA1 MAC
256-bit AES with RSA, and a SHA1 MAC
128-bit AES with RSA, DHE, and a SHA1 MAC
128-bit AES with RSA, and a SHA1 MAC
168-bit 3DES with RSA, and a SHA1 MAC
168-bit 3DES with RSA, DHE, and a SHA1 MAC
iLO also provides enhanced encryption through the SSH port for secure CLP transactions. iLO supports AES256-CBC, AES128-CBC, and 3DES-CBC cipher strengths through the SSH port.
If enabled, iLO enforces the use of these enhanced ciphers (both AES and 3DES) over the secure channels, including secure HTTP transmissions through the browser, SSH port, and XML port. When AES/3DES encryption is enabled, you must use a cipher strength equal to or greater than AES/3DES to connect to iLO through these secure channels. The AES/3DES encryption enforcement setting does not affect communications and connections over less-secure channels.
By default, Remote Console data uses 128-bit RC4 bidirectional encryption. The HPQLOCFG utility uses 128-bit RC4 with 160-bit SHA1 and 2048-bit RSAKeyX encryption to securely send RIBCL scripts to iLO over the network.
Version 1.20 and later of the iLO 4 firmware supports FIPS Mode.
NOTE: The term FIPS Mode is used in this document and in iLO to describe the feature, not its validation status.
FIPS is a set of standards mandated for use by United States government agencies and contractors.
FIPS Mode in iLO 4 1.20 and later is intended to meet the requirements of FIPS 140-2 level 1. This version or any other version of the iLO firmware might have this feature but might or might not be FIPS validated. The FIPS validation process is lengthy, so not all iLO firmware versions will be validated. For information about the current FIPS status of this or any other version of the iLO firmware, see the following document: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf.
Viewing encryption enforcement settings
Navigate to the Administration→Security→Encryption page, as shown in Figure 34 (page 78).
Figure 34 Security–Encryption Settings page
The Encryption Settings page displays the current encryption settings for iLO.
Current Negotiated Cipher—The cipher in use for the current browser session. After you log in to iLO through the browser, the browser and iLO negotiate a cipher setting to use during the session.
Encryption Enforcement Settings—The current encryption settings for iLO:
FIPS Mode—Indicates whether FIPS Mode is enabled or disabled for this iLO system.
Enforce AES/3DES Encryption—Indicates whether AES/3DES encryption is enforced for this iLO. When enabled, iLO accepts only those connections through the browser and SSH interface that meet the minimum cipher strength. A cipher strength of at least AES or 3DES must be used to connect to iLO when this setting is enabled.
Modifying the AES/DES encryption setting
You must have the Configure iLO Settings privilege to change the encryption settings. To modify the AES/DES encryption setting:
1. Navigate to the Administration→Security→Encryption page, as shown in Figure 34 (page 78).
2. Change the Enforce AES/3DES Encryption setting to Enabled or Disabled.
3. Click Apply to end your browser connection and restart iLO. It might take several minutes before you can re-establish a connection.
When changing the Enforce AES/3DES Encryption setting to Enabled, close all open browsers after clicking Apply. Any browsers that remain open might continue to use a non-AES/3DES cipher.
Connecting to iLO by using AES or 3DES encryption
After you enable the Enforce AES/3DES Encryption setting, iLO requires that you connect through secure channels (web browser, SSH connection, or XML channel) by using a cipher strength of at least AES or 3DES.
Web browser—You must configure the browser with a cipher strength of at least AES or 3DES. If the browser is not using AES or 3DES ciphers, iLO displays an error message. The error text varies depending on the installed browser.
Different browsers use different methods for selecting a negotiated cipher. For more information, see your browser documentation. You must log out of iLO through the current browser before changing the browser cipher setting. Any changes made to the browser cipher setting while you are logged in to iLO might enable the browser to continue using a non-AES/3DES cipher.
SSH connection—For instructions on setting the cipher strength, see the SSH utility documentation.
XML channel—HPQLOCFG uses a secure 3DES cipher by default. For example, HPQLOCFG displays the following cipher strength in the XML output:
Connecting to Server... Negotiated cipher: 128–bit Rc4 with 160–bit SHA1 and 2048–bit RsaKeyx
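The enforcement rule described in this section, as an added example (not HP code): it parses cipher descriptions written in the style this guide uses, including the HPQLOCFG "Negotiated cipher:" line, and reports which ones fall outside the AES/3DES strengths listed above. The host names, the "host: output" collection format, and all function names are assumptions made for the example.

```python
import re
from typing import NamedTuple, Optional

# Bulk ciphers and key sizes this guide lists as meeting the
# "Enforce AES/3DES Encryption" setting.
ENFORCED = {"AES": {128, 256}, "3DES": {168}}

# The quoted HPQLOCFG output uses an en dash in "128–bit", so accept
# the common dash variants as well as the ASCII hyphen.
_DASHES = "-\u2010\u2011\u2013"
_CIPHER_RE = re.compile(
    r"(\d+)\s*[" + _DASHES + r"]\s*bit\s+([A-Za-z0-9]+)", re.IGNORECASE
)


class Verdict(NamedTuple):
    bits: Optional[int]
    family: Optional[str]
    allowed: bool
    reason: str


def check_cipher(description: str) -> Verdict:
    """Classify the first '<n>-bit <cipher>' named in a description."""
    m = _CIPHER_RE.search(description)
    if m is None:
        return Verdict(None, None, False, "no cipher reported")
    bits, family = int(m.group(1)), m.group(2).upper()
    sizes = ENFORCED.get(family)
    if sizes is None:
        return Verdict(bits, family, False, f"{family} is not AES or 3DES")
    if bits not in sizes:
        # Assumption: a size the guide does not list is flagged for review.
        return Verdict(bits, family, False,
                       f"{bits}-bit {family} is not a listed strength")
    return Verdict(bits, family, True, "meets AES/3DES enforcement")


def audit(log_text: str) -> dict:
    """Map each host in 'host: output' lines to its Verdict."""
    results = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, _, output = line.partition(": ")
        results[host] = check_cipher(output)
    return results


def non_compliant(log_text: str) -> list:
    """Hosts whose reported cipher would not pass enforcement."""
    return sorted(h for h, v in audit(log_text).items() if not v.allowed)


# Constructed sample: one collected output line per (hypothetical) host.
# The first line reuses the HPQLOCFG output quoted in this section.
SAMPLE_LOG = (
    "ilo-rack1-01: Connecting to Server... Negotiated cipher: "
    "128\u2013bit Rc4 with 160\u2013bit SHA1 and 2048\u2013bit RsaKeyx\n"
    "ilo-rack1-02: Negotiated cipher: 256-bit AES with RSA, DHE, and a SHA1 MAC\n"
    "ilo-rack1-03: Negotiated cipher: 168-bit 3DES with RSA, and a SHA1 MAC\n"
    "ilo-rack1-04: Connecting to Server...\n"
)

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_LOG).items():
        state = "OK  " if verdict.allowed else "FLAG"
        print(f"{state} {host}: {verdict.reason}")
```

Run against collected client output before enabling Enforce AES/3DES Encryption to find the management clients that would lose access.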
Enabling FIPS Mode
You must have the Configure iLO Settings privilege to change the encryption settings. To enable FIPS Mode for iLO:
1. Optional: Capture the current iLO configuration by using HPONCFG. For more information, see the HP iLO 4 Scripting and Command Line Guide.
2. Verify that a trusted certificate is installed. Using iLO in FIPS Mode with the default self-signed certificate is not FIPS compliant. For instructions, see “Obtaining and importing a certificate” (page 68).
IMPORTANT: Some interfaces to iLO, such as supported versions of IPMI and SNMP, are not FIPS compliant and cannot be made FIPS compliant. For information about the iLO firmware versions that are FIPS validated, see the following document: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140-1val.zip
3. Power off the server.
4. Navigate to the Administration→Security→Encryption page, as shown in Figure 34 (page 78).
5. Set FIPS Mode to Enabled.
CAUTION: Enabling FIPS Mode resets iLO to the factory default settings, and clears all user and license data.
6. Click Apply. iLO reboots in FIPS Mode. Wait at least 90 seconds before attempting to re-establish a connection.
7. Optional: Restore the iLO configuration by using HPONCFG. For more information, see the HP iLO 4 Scripting and Command Line Guide.
TIP: You can use the Login Security Banner feature to notify iLO users that a system is using FIPS Mode. For more information, see “Configuring the Login Security Banner” (page 86).
You can also use XML configuration and control scripts to enable FIPS mode. For more information, see the HP iLO 4 Scripting and Command Line Guide.
Disabling FIPS Mode
If you want to disable FIPS Mode for iLO (for example, if a server is decommissioned), you must set iLO to the factory default settings. You can perform this task by using RIBCL scripts, iLO RBSU, or the iLO 4 Configuration Utility.
For instructions, see “Resetting iLO to the factory default settings by using iLO RBSU” (page 324), “Resetting iLO to the factory default settings by using the iLO 4 Configuration Utility” (page 325), or the HP iLO 4 Scripting and Command Line Guide.
When you disable FIPS Mode, all potentially sensitive data is erased, including all logs and settings.

Configuring iLO for HP SSO

HP SSO enables you to browse directly from an HP SSO-compliant application (such as HP SIM) to iLO, bypassing an intermediate login step. To use SSO, you must have a supported version of an HP SSO-compliant application, you might need iLO 4 1.20 or later, and you must configure the iLO processor to trust the SSO-compliant application.
This feature and many others are part of an iLO licensing package. For more information about iLO licensing, see the following website: http://www.hp.com/go/ilo/licensing.
Some HP SSO-compliant applications automatically import trust certificates when they connect to iLO. For applications that do not do this automatically, use the HP SSO page to configure the SSO settings through the iLO web interface. You must have the Configure iLO Settings privilege to change these settings.
Configuring iLO for HP SSO
1. Navigate to the Administration→Security→HP SSO page, as shown in Figure 35 (page 81).
Figure 35 Security–Single Sign-On Settings page
2. Make sure you have an iLO license key installed.
3. Enable Single Sign-On Trust Mode by selecting Trust by Certificate, Trust by Name, or Trust All.
The iLO firmware supports configurable trust modes, which enables you to meet your security requirements. The trust mode affects how iLO responds to HP SSO requests. If you enable support for HP SSO, HP recommends using the Trust by Certificate mode. The available modes follow:
Trust None (SSO disabled) (default)—Rejects all SSO connection requests
Trust by Certificate (most secure)—Enables SSO connections from an HP SSO-compliant application by matching a certificate previously imported to iLO
Trust by Name—Enables SSO connections from an HP SSO-compliant application by matching an IP address or DNS name imported directly, or an IP address or DNS name included in a certificate imported to iLO
Trust All (least secure)—Accepts any SSO connection initiated from any HP SSO-compliant application.
4. Configure iLO privileges for each role in the Single Sign-On Settings section.
When you log in to an HP SSO-compliant application, you are authorized based on your HP SSO-compliant application role assignment. The role assignment is passed to iLO when SSO is attempted. For more information about each privilege, see “Administering users” (page 44).
SSO attempts to receive only the privileges assigned in this section. iLO directory settings do not apply. Default privilege assignments are as follows:
User—Login only
Operator—Login, Remote Console, Power and Reset, and Virtual Media
Administrator—Login, Remote Console, Power and Reset, Virtual Media, Configure iLO, and Administer Users
5. Click Apply to save the SSO settings.
6. If you selected Trust by Certificate or Trust by Name, add the trusted certificate or DNS name to iLO. For more information about adding certificates and DNS names, see “Adding trusted certificates” (page 82).
The certificate repository can hold five typical certificates. However, if typical certificates are not issued, certificate sizes might vary. When all of the allocated storage is used, no more imports are accepted.
7. After you configure SSO in iLO, log in to an HP SSO-compliant application and browse to iLO. For example, log in to HP SIM, navigate to the System page for the iLO processor, and then click the iLO link in the More Information section.
NOTE: Although a system might be registered as a trusted server, SSO might be refused because of the current trust mode or certificate status. For example, if an HP SIM server name is registered, and the trust mode is Trust by Certificate, but the certificate is not imported, SSO is not allowed from that server. Likewise, if an HP SIM server certificate is imported, but the certificate has expired, SSO is not allowed from that server. The list of trusted servers is not used when SSO is disabled. iLO does not enforce SSO server certificate revocation.
Adding trusted certificates
iLO users who have the Configure iLO Settings privilege can install trusted certificates or add direct DNS names.
The Base64-encoded X.509 certificate data resembles the following:
-----BEGIN CERTIFICATE-----
. . . several lines of encoded data . . .
-----END CERTIFICATE-----
To add trusted HP SSO records by using the iLO web interface:
1. Navigate to the Administration→Security→HP SSO page, as shown in Figure 35 (page 81).
2. Use one of the following methods to add a trusted certificate:
To directly import a trusted certificate, copy the Base64-encoded certificate X.509 data, paste it into the text box above the Import Certificate button, and then click the button.
To indirectly import a trusted certificate, type the DNS name or IP address in the text box above the Import Certificate from URL button, and then click the button. iLO contacts the HP SSO-compliant application over the network, retrieves the certificate, and then saves it.
To import the direct DNS name, enter the DNS name in the text box above the Import Direct DNS Name button, and then click the button.
For information about how to extract an HP SIM certificate, see “Extracting the HP SIM server certificate” (page 83).
For information about how to extract certificates from other HP SSO-compliant applications, see your HP SSO-compliant application documentation.
Extracting the HP SIM server certificate
You can use the following methods to extract HP SIM certificates.
NOTE: iLO 4 1.20 or later might be required to install the larger certificates used with recent versions of HP SIM.
Enter one of the following links in a web browser:
For HP SIM versions earlier than 7.0:
http://<HP SIM name or network address>:280/GetCertificate
https://<HP SIM name or network address>:50000/GetCertificate
For HP SIM 7.0 or later:
http://<HP SIM name or network address>:280/GetCertificate?certtype=sso
https://<HP SIM name or network address>:50000/GetCertificate?certtype=sso
NOTE: All request parameters are case-sensitive. If you capitalize the lowercase certtype parameter, the parameter will not be read, and HP SIM will return the default HP SIM server certificate instead of a trust certificate.
Export the certificate from HP SIM:
For HP SIM versions earlier than 7.0:
Select Options→Security→Certificates→Server Certificate.
For HP SIM 7.0 or later:
Select Options→Security→HP Systems Insight Manager Server Certificate, and then click Export.
Use the HP SIM command-line tools. For example, using the alias tomcat for the HP SIM certificate, enter mxcert -l tomcat.
For more information, see the HP SIM documentation.
Viewing trusted certificates
The Manage Trusted Certificates table on the Single Sign-On Settings page displays the status of the trusted certificates configured to use SSO with the current iLO management processor.
Status—The status of the record (if any are installed).
Table 7 HP trusted certificate status
Icon | Description
The record is valid.
There is a problem with the trust settings or the iLO license. Possible reasons follow:
This record contains a DNS name, and the trust mode is set to Trust by Certificate (only certificates are valid).
Trust None (SSO disabled) is selected.
A valid license key is not installed.
The record is not valid. Possible reasons follow:
An out-of-date certificate is stored in this record. Check the certificate details for more information.
The iLO clock is not set or is set incorrectly.
The iLO clock must be in the Valid from and Valid until range.
Certificate—Indicates that the record contains a stored certificate. Move the cursor over the icon to view the certificate details, including subject, issuer, and dates.
Description—The server name (or certificate subject).
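The record statuses in Table 7 and the refusal cases in the SSO NOTE, written out as an added example (an illustrative model, not iLO firmware code). The record fields, function names, and sample servers are assumptions; the order in which problems are reported is also an assumption, because this guide does not state a precedence.

```python
from datetime import datetime, timezone
from typing import NamedTuple, Optional

# Trust modes as named on the Single Sign-On Settings page.
TRUST_NONE = "Trust None"
TRUST_BY_CERT = "Trust by Certificate"
TRUST_BY_NAME = "Trust by Name"
TRUST_ALL = "Trust All"


class TrustRecord(NamedTuple):
    description: str                        # server name or certificate subject
    has_certificate: bool                   # False for a direct DNS name record
    valid_from: Optional[datetime] = None   # required when has_certificate
    valid_until: Optional[datetime] = None  # required when has_certificate


def record_status(record, trust_mode, licensed, ilo_clock):
    """Return (status, reason): 'valid', 'trust-problem' or 'not-valid'.

    Assumption: license and trust-mode problems are reported before
    certificate problems.
    """
    if not licensed:
        return "trust-problem", "a valid license key is not installed"
    if trust_mode == TRUST_NONE:
        return "trust-problem", "Trust None (SSO disabled) is selected"
    if trust_mode == TRUST_BY_CERT and not record.has_certificate:
        return "trust-problem", "DNS name record, but only certificates are valid"
    if record.has_certificate:
        if ilo_clock is None:
            return "not-valid", "the iLO clock is not set"
        if not (record.valid_from <= ilo_clock <= record.valid_until):
            return "not-valid", "iLO clock is outside Valid from / Valid until"
    return "valid", "record is usable in this trust mode"


def records_needing_attention(records, trust_mode, licensed, ilo_clock):
    """List (description, status, reason) for every record that is not valid."""
    findings = []
    for rec in records:
        status, reason = record_status(rec, trust_mode, licensed, ilo_clock)
        if status != "valid":
            findings.append((rec.description, status, reason))
    return findings


def _utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample records (hypothetical HP SIM servers).
SAMPLE_RECORDS = [
    TrustRecord("sim01.example.net", has_certificate=False),
    TrustRecord("sim02.example.net", True, _utc(2013, 1, 1), _utc(2015, 1, 1)),
    TrustRecord("sim03.example.net", True, _utc(2011, 1, 1), _utc(2013, 1, 1)),
]
SAMPLE_CLOCK = _utc(2014, 2, 1)

if __name__ == "__main__":
    for mode in (TRUST_BY_CERT, TRUST_BY_NAME):
        print(mode)
        for finding in records_needing_attention(
                SAMPLE_RECORDS, mode, True, SAMPLE_CLOCK):
            print("  ", *finding, sep=" | ")
```

Because iLO does not enforce certificate revocation, the validity window and the iLO clock are the only certificate checks this model can represent; a record stays valid until it expires or is deleted.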
Removing trusted certificates
1. Navigate to the Administration→Security→HP SSO page, as shown in Figure 35 (page 81).
2. Select one or more records in the Manage Trusted Certificates table.
3. Click Delete.
The following message appears:
Are you sure you want to remove the selected certificates?
IMPORTANT: If you delete the certificate of a remote management system, you might experience impaired functionality when using the remote management system with iLO.
4. Click Yes.

Configuring Remote Console security settings

Use the Remote Console security settings to control the Remote Console Computer Lock settings and the Integrated Remote Console Trust setting. You must have the Configure iLO Settings privilege to change these settings.
Configuring Remote Console Computer Lock settings
Remote Console Computer Lock enhances the security of an iLO-managed server by automatically locking an operating system or logging out a user when a Remote Console session ends or the network link to iLO is lost. This feature is standard and does not require an additional license. As a result, if you open a .NET IRC or Java IRC window and this feature is already configured, the operating system will be locked when you close the window, even if an iLO license is not installed.
The Remote Console Computer Lock feature is set to Disabled by default. To change the Remote Console Computer Lock settings:
1. Navigate to the Administration→Security→Remote Console page, as shown in Figure 36 (page 85).
Figure 36 Remote Console Computer Lock Settings
2. Modify the Remote Console Computer Lock settings as required:
Windows—Use this option to configure iLO to lock a managed server running a Windows operating system. The server automatically displays the Computer Locked dialog box when a Remote Console session ends or the iLO network link is lost.
Custom—Use this option to configure iLO to use a custom key sequence to lock a managed server or log out a user on that server. You can select up to five keys from the list. The selected key sequence is sent automatically to the server operating system when a Remote Console session ends or the iLO network link is lost.
Disabled (default)—Use this option to disable the Remote Console Computer Lock feature. Terminating a Remote Console session or losing an iLO network link will not lock the operating system on the managed server.
You can create a Remote Console Computer Lock key sequence by using the keys listed in Table 8 (page 85):
Table 8 Remote Console Computer Lock keys
ESC | SCRL LCK | 1 | g
L_ALT | SYS RQ | 2 | h
R_ALT | F1 | 3 | i
L_SHIFT | F2 | 4 | j
R_SHIFT | F3 | 5 | k
L_CTRL | F4 | 6 | l
R_CTRL | F5 | 7 | m
L_GUI | F6 | 8 | n
R_GUI | F7 | 9 | o
INS | F8 | ; | p
DEL | F9 | = | q
HOME | F10 | [ | r
END | F11 | \ | s
PG_UP | F12 | ] | t
PG_DN | " " (space) | ' | u
ENTER | ' | a | v
TAB | , | b | w
BREAK | - | c | x
BACKSPACE | . | d | y
NUM PLUS | / | e | z
NUM MINUS | | 0 | f
3. Click Apply to save the changes.
Configuring the Integrated Remote Console Trust setting (.NET IRC)
The .NET IRC is launched through Microsoft ClickOnce, which is part of the Microsoft .NET Framework. ClickOnce requires that any application installed from an SSL connection be from a trusted source. If a browser is not configured to trust an iLO processor, and the Integrated Remote Console Trust setting is set to Enabled, ClickOnce displays the following error message:
Cannot Start Application – Application download did not succeed...
To specify whether all clients that browse to this iLO require a trusted iLO certificate to run the .NET IRC:
1. Navigate to the Administration→Security→Remote Console page, as shown in Figure 37 (page 86).
Figure 37 Remote Console Trust Settings
2. Select one of the following in the Integrated Remote Console Trust Setting section:
Enabled—The .NET IRC is installed and runs only if this iLO certificate and the issuer certificate have been imported and are trusted.
Disabled (default)—When you launch the .NET IRC, the browser installs the application from a non-SSL connection. SSL is still used after the .NET IRC starts to exchange encryption keys.
3. Click Apply.

Configuring the Login Security Banner

The Login Security Banner feature allows you to configure the security banner displayed on the iLO login page. For example, you could enter a message indicating that an iLO system uses FIPS Mode.
You must have the Configure iLO Settings privilege to make changes on the Login Security Banner page.
To enable the Login Security Banner:
1. Navigate to the Administration→Security→Login Security Banner page, as shown in Figure 38 (page 87).
Figure 38 Security–Login Security Banner Settings page
2. Select the Enable Login Security Banner check box. iLO uses the following default text for the Login Security Banner:
This is a private system. It is to be used solely by authorized users and may be monitored for all lawful purposes. By accessing this system, you are consenting to such monitoring.
3. Optional: To customize the security message, enter a custom message in the Security Message text box.
The byte counter above the text box indicates the remaining number of bytes allowed for the message. The maximum is 1,500 bytes.
TIP: Click Use Default Message to restore the default text for the Login Security Banner.
4. Click Apply.
The security message is displayed at the next login, as shown in Figure 39 (page 88).
Figure 39 Security message example

Configuring iLO network settings

Use the tabs on the Network page to view and configure the iLO network settings. You must have the Configure iLO Settings privilege to view and change these settings.

Viewing network settings

To view a summary of the configured network settings, select Network→iLO Dedicated Network Port or Network→Shared Network Port to navigate to the Network Summary page. See Figure 40 (page 89).
Figure 40 Network Summary page (iLO Dedicated Network Port)
The iLO Shared Network Port and the iLO Dedicated Network Port cannot operate simultaneously. If you enable the iLO Dedicated Network Port, you will disable the iLO Shared Network Port. If you enable the iLO Shared Network Port, you will disable the iLO Dedicated Network Port.
The Network Summary page for the inactive port displays the message iLO is not configured to use this NIC..
The summary information follows:
NIC in Use—The name of the selected iLO network interface (iLO Dedicated Network Port or Shared Network Port).
iLO Host Name—The fully qualified network name assigned to the iLO subsystem. By default, the iLO host name is ILO followed by the system serial number and the current domain name. This value is used for the iLO network name and must be unique.
MAC Address—The MAC address of the selected iLO network interface.
Link State—The current link speed of the selected iLO network interface. The default value is Auto-Negotiate.
Duplex Option—The current link duplex selection for the selected iLO network interface. The default value is Auto-Negotiate.
You can configure the iLO host name and NIC settings on the Network General Settings page. For instructions, see “Configuring general network settings” (page 91).
IPv6 is supported by iLO 4 1.20 and later in the iLO Dedicated Network Port configuration. The IPv6 protocol was introduced by the IETF in response to the ongoing depletion of the IPv4 address pool. In IPv6, addresses are increased to 128 bits in length, to avoid an address shortage problem. iLO supports the simultaneous use of both protocols through a dual-stack implementation. All previously available iLO features are still supported in IPv4.
NOTE: IPv6 is not supported in the Shared Network Port configuration.
The following features support the use of IPv6:
IPv6 Static Address Assignment
IPv6 SLAAC Address Assignment
IPv6 Static Route Assignment
Integrated Remote Console
OA Single Sign-On
Web Server
SSH Server
SNTP Client
DDNS Client
DHCPv6 Address Assignment
DHCPv6 DNS and NTP Configuration
RIBCL over an IPv6 connection
SNMP
HP SIM SSO
WinDBG Support
HPQLOCFG and HPLOMIG over an IPv6 connection
AlertMail
Remote Syslog
Scriptable Virtual Media
CLI/RIBCL key import over an IPv6 connection
iLO Federation Management
IPv6 support for the iLO scripting interfaces requires the following versions of the iLO utilities:
HPQLOCFG 1.0 or later
HP Lights-Out XML Scripting Sample bundle 4.2.0 or later
HPONCFG 4.2.0 or later
LOCFG.PL 4.20 or later
HPLOMIG 4.20 or later
The IPv4 Summary section displays the following information:
DHCPv4 Status—Indicates whether DHCP is enabled for IPv4.
Address—The IPv4 address currently in use. If the value is 0.0.0.0, the IPv4 address is not configured.
Subnet Mask—The subnet mask of the IPv4 address currently in use. If the value is 0.0.0.0, no address is configured.
Default Gateway—The default gateway address in use for the IPv4 protocol. If the value is 0.0.0.0, the gateway is not configured.
The IPv6 Summary section displays the following information:
DHCPv6 Status—Indicates whether DHCP is enabled for IPv6. The following values are possible:
Enabled—Stateless and Stateful DHCPv6 are enabled.
Enabled (Stateless)—Only Stateless DHCPv6 is enabled.
Disabled—DHCPv6 is disabled.
IPv6 Stateless Address Auto-Configuration (SLAAC)—Indicates whether SLAAC is enabled for IPv6. When SLAAC is disabled, the SLAAC link-local address for iLO is still configured because it is required.
Address list—This table shows the currently configured IPv6 addresses for iLO. It provides the following information:
Source—Indicates whether the address is a static or SLAAC address.
IPv6—The IPv6 address.
Prefix Length—The address prefix length.
Status—The address status: Active (the address is in use by iLO), Pending (Duplicate Address Detection is in progress for this address), or Failed (Duplicate Address Detection failed and the address is not in use by iLO).
Default Gateway—The default IPv6 gateway address that is currently in use. For IPv6, iLO keeps a list of possible default gateway addresses. The addresses in this list originate from router advertisement messages and the IPv6 Static Default Gateway setting.
The Static Default Gateway setting is configured on the IPv6 page. For more information, see “Configuring IPv6 settings” (page 96).

Configuring general network settings

Use the iLO Dedicated Network Port or Shared Network Port Network General Settings page to configure general network settings. You must have the Configure iLO Settings privilege to make changes on this page.
1. Navigate to the Network→iLO Dedicated Network Port or Network→Shared Network Port page.
2. Click the General tab, as shown in Figure 41 (page 92).
Figure 41 Network General Settings page (iLO Dedicated Network Port)
3. Enter the following information in the iLO Hostname Settings section:
iLO Subsystem Name (Host Name)—The DNS name of the iLO subsystem (for example, ilo instead of ilo.example.com). This name can be used only if DHCP and DNS are configured to connect to the iLO subsystem name instead of the IP address.
iLO subsystem-name limitations follow:
Name service limitations—The subsystem name is used as part of the DNS name.
DNS allows alphanumeric characters and hyphens.
Name service limitations also apply to the Domain Name.
Namespace issues—To avoid these issues:
Do not use the underscore character.
Limit subsystem names to 15 characters.
Verify that you can ping iLO by IP address and by DNS/WINS name.
Verify that NSLOOKUP resolves the iLO network address correctly and that no namespace conflicts exist.
If you are using both DNS and WINS, verify that they resolve the iLO network address correctly.
Flush the DNS name if you make any namespace changes.
Domain Name—The iLO domain name. If DHCP is not used, enter a domain name.
4. Enter the following information in the NIC Settings section:
Select the Use iLO Dedicated Network Port, Use Shared Network Port – LOM, or Use Shared Network Port – Flexible LOM check box to enable or disable the iLO Dedicated Network Port or Shared Network Port.
iLO Dedicated Network Port—Uses a NIC with a jack on the back of the server. The NIC handles iLO traffic only.
Shared Network Port – LOM—Uses a NIC that is built into the server. The NIC handles server network traffic and can, if iLO is configured to do so, handle iLO traffic at the same time.
Shared Network Port – Flexible LOM—Uses an optional NIC that plugs into a special slot on the server. The NIC handles server network traffic and can, if iLO is configured to do so, handle iLO traffic at the same time. Not all servers support a FlexibleLOM. For the list of servers that support the Shared Network Port – FlexibleLOM option, see “FlexibleLOM support” (page 337).
On systems that have more than one Shared Network Port option, select the check box, and then select the LOM or FlexibleLOM option.
For more information about using the Shared Network Port, see “Configuring and using the iLO Shared Network Port” (page 100).
Select a Link State (iLO Dedicated Network Port only).
The link setting controls the speed and duplex settings of the iLO network transceiver.
NOTE: This setting is not available on blade servers.
The available settings follow:
Automatic (default)—Enables iLO to negotiate the highest supported link speed and duplex settings when connected to the network
1000BaseT, Full-duplex—Forces a 1 Gb connection that uses full duplex (not supported for BL c-Class servers)
1000BaseT, Half-duplex—Forces a 1 Gb connection that uses half duplex (not supported for BL c-Class servers)
If you use this setting, ensure that your switch is configured to support 1000BaseT, Half-duplex.
100BaseT, Full-duplex—Forces a 100 Mb connection using full duplex
100BaseT, Half-duplex—Forces a 100 Mb connection using half duplex
10BaseT, Full-duplex—Forces a 10 Mb connection using full duplex
10BaseT, Half-duplex—Forces a 10 Mb connection using half duplex
If the Shared Network Port is enabled, you cannot modify the link state or duplex option. In Shared Network Port configurations, link settings must be managed in the operating system.
Select or clear the Enable VLAN check box to enable or disable VLAN (Shared Network Port only).
When the Shared Network Port is active and VLAN is enabled, the iLO Shared Network Port becomes part of a VLAN. All network devices with different VLAN tags will appear to be on separate LANs, even if they are physically connected to the same LAN.
If you enabled VLAN, enter a VLAN Tag (Shared Network Port only). All network devices that you want to communicate with each other must have the same VLAN tag. The VLAN tag can be any number between 1 and 4094.
5. Click Submit to save the changes.
6. If you are finished configuring the iLO network settings on the General, IPv4, IPv6, and SNTP tabs, click Reset to restart iLO.
It might take several minutes before you can re-establish a connection.

Configuring IPv4 settings

Use the iLO Dedicated Network Port or Shared Network Port IPv4 Settings page to configure IPv4 settings for iLO. You must have the Configure iLO Settings privilege to make changes on this page.
1. Navigate to the Network→iLO Dedicated Network Port or Network→Shared Network Port page.
2. Click the IPv4 tab, as shown in Figure 42 (page 95).
Figure 42 IPv4 Settings page (iLO Dedicated Network Port)
3. Configure the following settings:
Enable DHCPv4—Enables iLO to obtain its IP address (and many other settings) from a DHCP server.
Use DHCPv4 Supplied Gateway—Specifies whether iLO uses the DHCP server-supplied gateway. If DHCP is not used, enter a gateway address in the Gateway IPv4 Address box.
Use DHCPv4 Supplied Static Routes—Specifies whether iLO uses the DHCP server-supplied static routes. If not, enter the static route destination, mask, and gateway addresses in the Static Route #1, Static Route #2, and Static Route #3 boxes.
Use DHCPv4 Supplied Domain Name—Specifies whether iLO uses the DHCP server-supplied domain name. If DHCP is not used, enter a domain name in the Domain Name box on the Network General Settings page. For more information, see “Configuring general network settings” (page 91).
Use DHCPv4 Supplied DNS Servers—Specifies whether iLO uses the DHCP server-supplied DNS server list. If not, enter the DNS server addresses in the Primary DNS Server, Secondary DNS Server, and Tertiary DNS Server boxes.
Use DHCPv4 Supplied Time Settings—Specifies whether iLO uses the DHCPv4-supplied NTP service locations.
Use DHCPv4 Supplied WINS Servers—Specifies whether iLO uses the DHCP server-supplied WINS server list. If not, enter the WINS server addresses in the Primary WINS Server and Secondary WINS Server boxes.
IPv4 Address—The iLO IP address. If DHCP is used, the iLO IP address is supplied automatically. If DHCP is not used, enter a static IP address.
Subnet Mask—The subnet mask of the iLO IP network. If DHCP is used, the subnet mask is supplied automatically. If DHCP is not used, enter a subnet mask for the network.
Gateway IPv4 Address—The iLO gateway IP address. If DHCP is used, the iLO gateway IP address is supplied automatically. If DHCP is not used, enter the iLO gateway IP address.
Static Route #1, Static Route #2, and Static Route #3—The iLO static route destination, mask, and gateway addresses. If Use DHCPv4 Supplied Static Routes is used, these values are supplied automatically. If not, enter the static route values.
DNS server information—Enter the following information:
Primary DNS Server—If Use DHCPv4 Supplied DNS Servers is enabled, this value is supplied automatically. If not, enter the Primary DNS Server address.
Secondary DNS Server—If Use DHCPv4 Supplied DNS Servers is enabled, this value is supplied automatically. If not, enter the Secondary DNS Server address.
Tertiary DNS Server—If Use DHCPv4 Supplied DNS Servers is enabled, this value is supplied automatically. If not, enter the Tertiary DNS Server address.
Enable DDNS Server Registration—Select or clear this check box to specify whether iLO registers its IPv4 address and name with a DNS server.
WINS server information—Enter the following information:
Primary WINS Server—If Use DHCPv4 Supplied WINS Servers is enabled, this value is supplied automatically. If not, enter the Primary WINS Server address.
Secondary WINS Server—If Use DHCPv4 Supplied WINS Servers is enabled, this value is supplied automatically. If not, enter the Secondary WINS Server address.
Enable WINS Server Registration—Specifies whether iLO registers its name with a WINS server.
Ping Gateway on Startup—Causes iLO to send four ICMP echo request packets to the gateway when iLO initializes. This ensures that the ARP cache entry for iLO is up-to-date on the router responsible for routing packets to and from iLO.
4. Click Submit to save the changes you made on the IPv4 Settings page.
5. If you are finished configuring the iLO network settings on the General, IPv4, IPv6, and SNTP tabs, click Reset to restart iLO.
It might take several minutes before you can re-establish a connection.

Configuring IPv6 settings

Use the iLO Dedicated Network Port IPv6 Settings page to configure IPv6 settings for iLO. You must have the Configure iLO Settings privilege to make changes on this page.
When using IPv6, note the following:
IPv6 is not supported in the Shared Network Port configuration.
If you downgrade the iLO firmware from version 1.30 or later to version 1.2x, the IPv6 settings will be reset to the default values.
To configure the IPv6 settings:
1. Navigate to the Network→iLO Dedicated Network Port page.
2. Click the IPv6 tab, as shown in Figure 43 (page 97).
Figure 43 IPv6 Settings page (iLO Dedicated Network Port)
3. Configure the following settings:
iLO Client Applications use IPv6 first—When both IPv4 and IPv6 service addresses are configured for iLO client applications, this option specifies which protocol iLO tries first when accessing a client application. This setting also applies to lists of addresses received from the name resolver when using FQDNs to configure NTP.
Select this check box if you want iLO to use IPv6 first.
Clear this check box if you want iLO to use IPv4 first.
If communication fails using the first protocol, iLO automatically tries the second protocol.
Enable Stateless Address Auto Configuration (SLAAC)—Select this check box to enable iLO to create IPv6 addresses for itself from router advertisement messages.
NOTE: iLO will create its own link-local address even when this option is not selected.
Enable DHCPv6 in Stateful Mode (Address)—Select this check box to allow iLO to request and configure IPv6 addresses provided by a DHCPv6 server.
Use DHCPv6 Rapid Commit—Select this check box to instruct iLO to use the Rapid Commit messaging mode with the DHCPv6 server. This mode reduces DHCPv6 network traffic, but might cause problems if it is used in networks where more than one DHCPv6 server can respond and provide addresses.
Enable DHCPv6 in Stateless Mode (Other)—Select this check box to enable iLO to request settings for NTP and DNS service location from the DHCPv6 server.
Use DHCPv6 Supplied DNS Servers—Select this check box to use IPv6 addresses provided by the DHCPv6 server for DNS server locations. This setting can be enabled in addition to the IPv4 DNS server location options.
Use DHCPv6 Supplied NTP Servers—Select this check box to use IPv6 addresses provided by the DHCPv6 server for NTP server locations. This setting can be enabled in addition to the IPv4 NTP server location options.
NOTE: When Enable DHCPv6 in Stateful Mode (Address) is selected, Enable DHCPv6 in Stateless Mode (Other) is always selected by default, because it is implicit in the DHCPv6 Stateful messages required between iLO and the DHCPv6 server.
Primary DNS Server, Secondary DNS Server, and Tertiary DNS Server—Enter the IPv6 addresses for the DNS service. When DNS server locations are configured in both IPv4 and IPv6, both sources are used, with preference given according to the iLO Client Applications use IPv6 first configuration option, primary sources, then secondary, and then tertiary.
Enable DDNS Server Registration—Specify whether iLO registers its IPv6 address and name with a DNS server.
Static IPv6 Address 1, Static IPv6 Address 2, Static IPv6 Address 3, and Static IPv6 Address 4—Enter up to four static IPv6 addresses and prefix lengths for iLO. Do not enter link-local addresses.
Static Default Gateway—Enter a default IPv6 gateway address for cases in which no router advertisement messages are present in the network.
Static Route #1, Static Route #2, and Static Route #3—Enter static IPv6 route destination prefix and gateway address pairs. You must specify the prefix length for the destination. Link-local addresses are not allowed for the destination, but are allowed for the gateway.
4. Click Submit to save the changes you made on the IPv6 Settings page.
5. If you are finished configuring the iLO network settings on the General, IPv4, IPv6, and SNTP tabs, click Reset to restart iLO.
It might take several minutes before you can re-establish a connection.

Configuring SNTP settings

SNTP allows iLO to synchronize its clock with an external time source. Configuring SNTP is optional because the iLO date and time can also be synchronized from the following sources:
System ROM (during POST only)
Insight Management Agents (in the OS)
Onboard Administrator (blade servers only)
To use iLO SNTP, you must have at least one NTP server available on your management network. Primary and secondary NTP server addresses can be configured manually or via DHCP servers.
If the primary server address cannot be contacted, the secondary address is used. You must have the Configure iLO Settings privilege to change these settings.
NOTE: IPv6 is not supported in the Shared Network Port configuration.
To configure the SNTP settings:
1. Navigate to the Network→iLO Dedicated Network Port or Network→Shared Network Port page.
2. Click the SNTP tab, as shown in Figure 44 (page 99).
Figure 44 SNTP Settings page (iLO Dedicated Network Port)
3. Do one of the following:
Select the Use DHCPv4 Supplied Time Settings check box, the Use DHCPv6 Supplied Time Settings check box, or both check boxes to use DHCP-provided NTP server addresses.
Note the following configuration prerequisites:
To configure a DHCPv4-provided NTP service configuration, you must first enable DHCPv4 on the IPv4 tab.
To configure a DHCPv6-provided NTP service configuration, DHCPv6 Stateless Mode must be enabled on the IPv6 tab.
When you use DHCP servers to provide NTP server addresses, the iLO Client Applications use IPv6 first setting controls the selection of the primary and secondary NTP values. When iLO Client Applications use IPv6 first is selected on the IPv6 tab, a DHCPv6-provided NTP service address (if available) is used for the primary time server and a DHCPv4-provided address (if available) is used for the secondary time server.
To change the protocol-based priority behavior to use DHCPv4 first, clear the iLO Client Applications use IPv6 first check box.
If a DHCPv6 address is not available for the primary or secondary address, a DHCPv4 address (if available) is used.
Enter NTP server addresses in the Primary Time Server and Secondary Time Server boxes.
You can enter the server addresses by using the server FQDN, IPv4 address, or IPv6 address.
4. If you selected only Use DHCPv6 Supplied Time Settings, or if you entered a primary and secondary time server, select the server time zone from the Time Zone list.
This setting determines how iLO adjusts UTC time to obtain the local time, and how it adjusts for Daylight Savings Time (Summer Time). In order for the entries in the iLO Event Log and IML to display the correct local time, you must specify the time zone in which the server is located.
If you want iLO to use the time the SNTP server provides, without adjustment, configure iLO to use a time zone that does not apply an adjustment to UTC time. In addition, that time zone must not apply a Daylight Savings Time (Summer Time) adjustment. There are several time zones that fit this requirement. One example is the Atlantic/Reykjavik time zone, which is neither east nor west of the Prime Meridian, and in which the time does not change in the spring or fall. If you select the Atlantic/Reykjavik time zone, iLO web pages and log entries will display the exact time provided by the SNTP server.
NOTE: Configure the NTP servers to use Coordinated Universal Time (GMT).
5. Configure the NTP time propagation setting by selecting or clearing the Propagate NTP Time to Host check box (ML, DL, and SL servers) or the Propagate NTP or OA Time to Host check box (BL servers). These settings are enabled by default, and they determine whether the server time is synchronized with the iLO time during the first POST after AC power is applied, a blade is inserted, or iLO is reset to the default settings.
For BladeSystems only: When Propagate NTP or OA Time to Host is enabled, and NTP is not configured or functional, the server time is synchronized with the OA time.
6. Click Submit to save the changes you made on the SNTP Settings page.
7. If you are finished configuring the iLO network settings on the General, IPv4, IPv6, and SNTP tabs, click Reset to restart iLO.
It might take several minutes before you can re-establish a connection.
TIP: If you notice that iLO Event Log entries have an incorrect date or time, make sure that the NTP server addresses and time zone are correct. The iLO Event Log includes entries that indicate success or failure when contacting the NTP server(s).
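A pre-change check for the rules this guide states for VLAN tags, static IPv6 addresses and routes, and DHCP-supplied time settings, written as an added Python example (not HP code). The function name validate_ilo_plan and the dictionary keys are hypothetical, and the sample plan is constructed.

```python
import ipaddress

def validate_ilo_plan(plan):
    """Return violations of this guide's rules for a planned config (hypothetical keys)."""
    errors = []
    shared = plan.get("shared_network_port", False)
    # VLAN is a Shared Network Port feature; the tag must be 1-4094.
    if plan.get("vlan_enabled"):
        tag = plan.get("vlan_tag")
        if not shared:
            errors.append("VLAN requires the Shared Network Port")
        if not isinstance(tag, int) or not 1 <= tag <= 4094:
            errors.append(f"VLAN tag {tag!r} outside 1-4094")

    addrs = plan.get("static_ipv6", [])
    routes = plan.get("static_ipv6_routes", [])
    if shared and (addrs or routes or plan.get("dhcpv6_ntp")):
        errors.append("IPv6 is not supported on the Shared Network Port")
    if len(addrs) > 4 or len(routes) > 3:
        errors.append("at most 4 static IPv6 addresses and 3 static routes")
    for text in addrs:  # prefix length required, link-local refused
        try:
            if "/" not in text:
                raise ValueError("prefix length missing")
            if ipaddress.IPv6Interface(text).ip.is_link_local:
                raise ValueError("link-local address not allowed")
        except ValueError as exc:
            errors.append(f"static address {text}: {exc}")
    for dest, gateway in routes:
        try:
            if "/" not in dest:
                raise ValueError("destination prefix length missing")
            net = ipaddress.IPv6Network(dest, strict=False)
            if net.network_address.is_link_local:
                raise ValueError("link-local destination not allowed")
            ipaddress.IPv6Address(gateway)  # link-local gateway is allowed
        except ValueError as exc:
            errors.append(f"static route {dest} via {gateway}: {exc}")
    # DHCP-supplied NTP needs the matching DHCP mode enabled first.
    if plan.get("dhcpv4_ntp") and not plan.get("dhcpv4"):
        errors.append("DHCPv4 time settings need DHCPv4 enabled")
    stateless = plan.get("dhcpv6_stateless") or plan.get("dhcpv6_stateful")
    if plan.get("dhcpv6_ntp") and not stateless:
        errors.append("DHCPv6 time settings need DHCPv6 Stateless Mode")
    return errors

# Constructed sample plan (documentation prefix 2001:db8::/32), not real data.
SAMPLE = {"static_ipv6": ["2001:db8::10/64", "fe80::5/64"],
          "static_ipv6_routes": [("2001:db8:1::/48", "fe80::1")]}
print(validate_ilo_plan(SAMPLE))
```

An empty list means the plan is consistent with the rules on the General, IPv6, and SNTP tabs as described here; it does not check reachability of the gateway or time servers.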

Configuring and using the iLO Shared Network Port

The iLO Shared Network Port feature enables you to choose between the Shared Network Port LOM, FlexibleLOM, and the iLO Dedicated Network Port for server management. When you enable the iLO Shared Network Port, regular network traffic and iLO network traffic pass through the selected Shared Network Port NIC. The iLO Shared Network Port does not incur an iLO performance penalty. Peak iLO traffic is less than 2 Mb/s on a NIC capable of a speed of 1 GB/s or 10 GB/s. iLO traffic volume is low unless the Virtual Media or Remote Console feature is in use.
On servers that do not have an iLO Dedicated Network Port, the standard hardware configuration provides iLO network connectivity only through the iLO Shared Network Port connection. The iLO firmware automatically defaults to the Shared Network Port.
The iLO Shared Network Port uses the network port labeled NIC 1 on the rear panel of the server when Use Shared Network Port – LOM is selected, and uses the network port labeled 1 on the