The information in this guide applies to Version 4.20 (or later) of the HP BladeSystem Onboard
Part Number: 695522-006
User Guide
Abstract
This guide provides information on the initial setup and operation of the HP Blade System Onboard Administrator. It also cove
Administrator GUI and enclosure Insight Display.
Running the setup wizard ... 18
Using online help ... 19
Changing enclosure and device configurations ... 19
Recovering the administrator password ... 19
Features ... 49
First Time Setup Wizard ... 54
  Before you begin ... 54
  User Preferences ... 55
  FIPS ... 56
Tree view ... 82
Signed In Users ... 289
Preparing the directory ... 323
Uploading the DC Certificate (optional) ... 324
Creating directory groups ... 326
Testing the directory login solution ... 328
Troubleshooting LDAP on Onboard Administrator ... 329
Time zone settings ... 331
  Universal time zone settings ... 331
  Africa time zone settings ... 331
  Americas time zone settings ... 332
  Asia time zone settings ... 333
  Oceanic time zone settings ... 334
  Europe time zone settings ... 335
  Polar time zone settings ... 335
Support and other resources ... 337
  Before you contact HP ... 337
  HP contact information ... 337
Acronyms and abbreviations ... 338
Index ... 343
Introduction
Overview
HP BladeSystem Onboard Administrator is the enclosure management processor, subsystem, and firmware
base that supports the HP BladeSystem c-Class enclosure and all the managed devices contained within the
enclosure.
Onboard Administrator provides a single point from which to perform basic management tasks on server
blades or switches within the enclosure. Onboard Administrator performs configuration steps for the
enclosure, enables run-time management and configuration of the enclosure components, and informs you of
problems within the enclosure through email, SNMP, or the Insight Display.
HP recommends that you read the specific HP BladeSystem c3000 or c7000 Enclosure user guide for
enclosure-specific information before proceeding with Onboard Administrator setup.
The HP BladeSystem Onboard Administrator provides several features designed to simplify management of
c-Class blades and interconnects. The HP BladeSystem c3000 and c7000 Enclosures can be configured with
redundant Onboard Administrator modules to provide uninterrupted manageability of the entire enclosure
and blades in the event of a failure of a single Onboard Administrator module. The following table indicates
which Onboard Administrator feature is enhanced when the enclosure contains redundant Onboard
Administrator modules. For an enclosure with only a single Onboard Administrator module, the table
indicates the behavior of the enclosure if the single Onboard Administrator module has failed or is removed.
Enclosure Dynamic Power Capping, introduced in Onboard Administrator firmware version 2.31, is only
available in HP BladeSystem enclosures with redundant Onboard Administrator modules installed.
Benefits of using a redundant Onboard Administrator versus a single Onboard Administrator

Each feature below is listed with three cases: a single Onboard Administrator (OA) in the enclosure, that single Onboard Administrator failed or removed, and redundant Onboard Administrators in the enclosure.

Power allocation and control for all blades and interconnects
  Single OA in enclosure: Yes. No enclosure dynamic power capping, as this requires redundant Onboard Administrators.
  Single OA failed or removed: No. Power supplies will continue to deliver power to all blades and interconnects. No power-on requests can be made for blades or interconnects.
  Redundant OA in enclosure: Yes. Complete control, including sustaining a failure of either Onboard Administrator. Enclosure dynamic power capping requires redundant Onboard Administrators.

Cooling for all blades and interconnects
  Single OA in enclosure: Yes. Complete control.
  Single OA failed or removed: No. All enclosure fans will ramp to an un-managed higher speed to protect blades and interconnects from overheating.
  Redundant OA in enclosure: Yes. Complete control, including sustaining a failure of either Onboard Administrator.

Enclosure Bay IP Addressing (EBIPA)
  Single OA in enclosure: Yes. Complete control.
  Single OA failed or removed: No. EBIPA IP addresses will be lost after lease timeout.
  Redundant OA in enclosure: Yes. Complete control, including sustaining a failure of either Onboard Administrator.

Ethernet communications to Onboard Administrator, server iLO, and interconnect management processors such as Virtual Connect which use the Onboard Administrator/iLO management port
  Single OA in enclosure: Yes. Complete control.
  Single OA failed or removed: No Ethernet management communications, including internal management traffic such as Virtual Connect Manager to other VC modules in the enclosure.
  Redundant OA in enclosure: Yes. Complete control, including sustaining a failure of either Onboard Administrator.

Information and health status reporting for all blades, interconnects, fans, power supplies, Onboard Administrators, and enclosure through the Onboard Administrator GUI or CLI, alert mail, or SNMP
  Single OA in enclosure: Yes. Complete control.
  Single OA failed or removed: No information is available from the Onboard Administrator, nor is any out-of-band information available from VCM or iLO on any server.
  Redundant OA in enclosure: Yes. Complete control, including sustaining a failure of either Onboard Administrator.

Insight Display
  Single OA in enclosure: Yes. Complete control.
  Single OA failed or removed: No.
  Redundant OA in enclosure: Yes. Complete control, including sustaining a failure of either Onboard Administrator.

Enclosure DVD (requires either c3000 DVD option, external USB DVD drive, or USB key)
  Single OA in enclosure: Yes. Complete control.
  Single OA failed or removed: No.
  Redundant OA in enclosure: Yes. Complete control, including sustaining a failure of either Onboard Administrator.

Enclosure KVM (requires c3000 KVM option or Onboard Administrator module with VGA connector)
  Single OA in enclosure: Yes. Complete control.
  Single OA failed or removed: No.
  Redundant OA in enclosure: Yes. Complete control. For the HP c3000 Enclosure, requires both the c3000 KVM option and the redundant Onboard Administrator option. For the HP c7000 Enclosure, requires two of the newer Onboard Administrator modules with VGA connector.
Stored Onboard Administrator settings and module replacement

c3000
  Single Onboard Administrator in enclosure: All enclosure settings are lost when a single module is removed and must be restored manually using Insight Display and USB key, GUI, or CLI.
  Redundant Onboard Administrator (same replacement type installed): All enclosure settings are retained on the remaining module and those settings are synchronized to the replaced module if the firmware versions match. [1][2]
  Redundant Onboard Administrator (different replacement type installed): When changing from the non-redundant c3000 Onboard Administrator to redundant Onboard Administrator with DDR2, the enclosure settings must be restored manually using Insight Display and USB key, GUI, or CLI. [1]

c7000
  Single Onboard Administrator in enclosure: All enclosure settings are lost when a single module is removed and must be restored manually using Insight Display and USB key, GUI, or CLI.
  Redundant Onboard Administrator (same replacement type installed): All enclosure settings are retained on the remaining module and those settings are synchronized to the replaced module if the firmware versions match. [1][2]
  Redundant Onboard Administrator (different replacement type installed): All enclosure settings are retained on the remaining module and those settings are synchronized to the replaced module if the firmware versions match. [1][2]

[1] Removing a redundant Onboard Administrator module immediately results in the remaining module becoming the Active Onboard Administrator.
[2] If redundant Onboard Administrator firmware versions do not match, the settings are not automatically synchronized. Synchronize the firmware by using the Insight Display, GUI, or CLI command, and then the settings are automatically synchronized to the replaced Onboard Administrator module.
Access requirements
To access HP BladeSystem Onboard Administrator web interface, you must have the Onboard Administrator
IP address and a compatible web browser. You must access the application through HTTPS (HTTP packets
exchanged over an SSL/TLS-encrypted session).
HP BladeSystem Onboard Administrator web interface requires an XSLT-enabled browser with support for
JavaScript 1.3 or the equivalent.
For a list of browsers supported for use with Onboard Administrator, see the latest version of the Onboard
Administrator release notes.
Before running the web browser, you must enable the following browser settings:
• ActiveX (for Microsoft® Internet Explorer)
• Cookies
• JavaScript
If you receive a notice that your browser does not have the required functionality, be sure that your browser
settings meet the preceding requirements, and see "Recovering the administrator password (on page 19)."
If you use an installed language pack with the Onboard Administrator GUI and the browser does not display
all characters correctly, make sure the operating system has the corresponding language support installed.
To access the HP BladeSystem Onboard Administrator CLI, use the HP BladeSystem Onboard Administrator IP
address and a terminal or terminal application. To access the CLI, you must use Telnet or SSH,
depending on which of these protocols is enabled.
The following ports are used to access and monitor the Onboard Administrator.
Protocol Incoming port Outgoing port
SSH
Telnet
SMTP
Browser access
Browser access encrypted
SNMP get/set
SNMP traps
LDAP SSL
LDAP Global Catalog
Terminal services pass-through from PC to iLO
iLO Remote Console
Virtual media from PC to iLO
Remote syslog
You can change LDAP and Remote syslog port numbers.
If a protocol is disabled, then the corresponding ports are also disabled.
To use EDPC, iLO firmware 1.70 or later is required.
NOTE: The Onboard Administrator supports multiple simultaneous login sessions, whether
through the Onboard Administrator web interface or CLI, except for LDAP/Active Directory users
where only one login session is allowed per user.
Onboard Administrator overview
Managing a c-Class enclosure involves multiple functions:
• Detecting component insertion and removal
• Identifying components including required connectivity
• Managing power and cooling
• Controlling components including remote control and remote consoles
Detecting component insertion and removal
Onboard Administrator provides component control in c-Class enclosures. Component management begins
after the component is detected and identified. The Onboard Administrator detects components in
BladeSystem c-Class enclosures through presence signals on each bay. When you insert a component into a
bay, the Onboard Administrator immediately recognizes and identifies the component. When you remove a
component from a bay, the Onboard Administrator deletes the information about that component.
Identifying components
To identify a component, Onboard Administrator reads a FRU EEPROM that contains specific factory
information about the component such as product name, part number, and serial number. All FRU EEPROMs
in c-Class enclosures are powered up, even if the component is turned off. Therefore, Onboard Administrator
can identify the component before granting power. For devices such as fans, power supplies, and Insight
Display, Onboard Administrator directly reads the FRU EEPROMs. Onboard Administrator accesses server
blade FRU EEPROMs through iLO management processors.
• The server blades contain several FRU EEPROMs: one on the server board, which contains server
information and embedded NIC information, and one on each installed mezzanine option card.
• Server blade control options include auto login to the iLO web interface and remote server consoles,
virtual power control, and boot order control. Server blade control options also include extensive server
hardware information including BIOS and iLO firmware versions, server name, NIC and option card
port IDs, and port mapping.
• Onboard Administrator provides easy-to-understand port mapping information for each server blade
and interconnect module in the enclosure.
The NIC and mezzanine option FRU information informs Onboard Administrator of the type of interconnects
each server requires. Before power is provided to a server blade, Onboard Administrator compares this
information with the FRU EEPROMs on installed interconnect modules to check for electronic keying errors.
For interconnect modules, Onboard Administrator provides virtual power control, dedicated serial consoles,
and management Ethernet connections.
A 16-step progress meter appears when the Active Onboard Administrator boots. Some steps might take as
much as several minutes, depending on the number and types of blades, mezzanine cards, and
interconnects.
Managing power and cooling
The most important Onboard Administrator tasks are power control and thermal management. Onboard
Administrator can remotely control the power state of all components in BladeSystem c-Class enclosures. For
components in device bays in the front of each enclosure, Onboard Administrator communicates with iLO to
control servers, and with a microcontroller to control options such as storage blades. A separate
microcontroller controls power to the interconnect modules.
After components are powered, the Onboard Administrator begins thermal management with Thermal Logic.
The Thermal Logic feature in BladeSystem c-Class minimizes power consumption by the enclosure fan
subsystem by reading temperature sensors across the entire enclosure. Then, Thermal Logic changes fan
speed in different zones in the enclosure to minimize power consumption and maximize cooling efficiency.
Controlling components
Onboard Administrator uses embedded management interfaces to provide detailed information and health
status for all bays in the enclosure, including presence detection signals in each bay and the I2C, serial, USB, and
Ethernet controllers. Onboard Administrator also offers information on firmware versions for most
components in the enclosure and can be used to update those components.
Interfaces
Each c-Class enclosure has several external management interfaces that connect the user to Onboard
Administrator. The RJ-45 Ethernet jack is the primary interface. This interface provides network access to the
Onboard Administrator and to the management interface on all server blades (iLO), storage blades (TBM), and
interconnect modules.
A serial port on the Onboard Administrator module provides full out-of-band CLI access to the Onboard
Administrator and is used for Onboard Administrator firmware flash recovery.
USB ports on Onboard Administrator are used to connect external DVD drives to support the enclosure DVD
feature. In addition, you can order an optional internal DVD drive for the c3000 Enclosure. The USB port on
the Onboard Administrator might have a sticker on the port, stating that it is reserved for future use. To use
the USB port with Onboard Administrator firmware version 2.00 or later, remove the sticker.
All c-Class enclosures support two enclosure link connectors that provide private communications among
enclosures linked with CAT5 cable. The enclosure link-up connector provides an enclosure service port that
allows you to temporarily connect a laptop personal computer to any linked enclosure Onboard
Administrator for local diagnostics and debugging.
The KVM Module option for the c3000 Enclosure plugs into the rear bay adjacent to interconnect module 1
and provides a VGA connector and two more USB connectors for the c3000 enclosure. This KVM module
enables the enclosure KVM feature for the c3000 enclosure. The VGA connector attaches to an external
VGA monitor and external USB keyboard and mouse to provide access to all the server video consoles or the
Onboard Administrator CLI or Insight Display.
The new c7000 Onboard Administrator Module with KVM adds a VGA connector to the c7000 Onboard
Administrator, enabling the Enclosure KVM feature for the c7000 Enclosure. The Active c7000 Onboard
Administrator Module with KVM provides the same Enclosure KVM capabilities as the optional c3000 KVM
Module. An external USB hub (not included) must be used to connect a USB DVD drive at the same time as
the KVM USB for keyboard and mouse for simultaneous Enclosure KVM and Enclosure DVD functionality. The
Standby Onboard Administrator Module with KVM will only provide access to the Onboard Administrator
CLI login which enables the logged in user to force a takeover.
Each c-Class enclosure includes an embedded Insight Display on the front of the enclosure which provides
status and information on all the bays in a c-Class enclosure and diagnostic information if the Onboard
Administrator detects a problem in the enclosure. The Insight Display configures key settings in the Onboard
Administrator including the IP address of the Onboard Administrator.
Onboard Administrator authentication
Security is maintained for all Onboard Administrator user interfaces through user authentication. User
accounts created in Onboard Administrator are assigned one of three privilege levels and granted access to
component bays at the specified privilege level. Onboard Administrator stores the passwords for local user
accounts and can be configured to use LDAP authentication for user group accounts. The Insight Display can
be protected by an LCD PIN code or completely disabled. An LCD PIN code protects against unauthorized
access to the Insight Display and Enclosure KVM. Use of the KVM Module to access server consoles is
protected by server operating system user name and passwords.
IMPORTANT: Onboard Administrator does not support OpenLDAP.
Role-based user accounts
Onboard Administrator provides configurable user accounts that can provide complete isolation of multiple
administrative roles such as server, LAN, and SAN. User accounts are configured with specific device bay
or interconnect bay permissions and one of three privilege levels: administrator, operator, or user. An
account with administrator privileges including Onboard Administrator bay permission can create or edit all
user accounts on an enclosure. Operator privileges enable full information access and control of permitted
bays. User privileges enable information access but no control capability.
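The following is an added example, not HP code, that models the account rules just described (three privilege levels, per-bay permissions, and the Onboard Administrator bay permission needed to manage accounts) and audits a constructed set of accounts for the role isolation the guide recommends. The bay labels such as "device:1" and "interconnect:3", the OA_BAY label, and the action names are assumptions made for this example.

```python
# Added example (not HP code): model of Onboard Administrator account rules.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Optional


class Privilege(Enum):
    ADMINISTRATOR = "administrator"  # may manage accounts if OA bay permission is held
    OPERATOR = "operator"            # full information access and control of permitted bays
    USER = "user"                    # information access only, no control


OA_BAY = "oa"  # assumed label for the Onboard Administrator bay permission

# Assumed action names; the guide describes the capabilities, not these strings.
INFO_ACTIONS = frozenset({"show_status", "show_port_map"})
CONTROL_ACTIONS = frozenset({"power_on", "power_off", "remote_console", "set_boot_order"})
ACCOUNT_ACTIONS = frozenset({"create_user", "edit_user"})


@dataclass(frozen=True)
class Account:
    name: str
    privilege: Privilege
    bays: frozenset  # permitted bays, e.g. "device:3", "interconnect:1", OA_BAY


def is_permitted(account: Account, action: str, bay: Optional[str] = None) -> bool:
    """Return True if the account may perform `action` (optionally on `bay`)."""
    if action in ACCOUNT_ACTIONS:
        # Only an administrator who also holds the OA bay permission can
        # create or edit user accounts on the enclosure.
        return account.privilege is Privilege.ADMINISTRATOR and OA_BAY in account.bays
    if bay is None or bay not in account.bays:
        return False  # every bay-scoped action needs an explicit bay permission
    if action in INFO_ACTIONS:
        return True   # all three privilege levels may read information
    if action in CONTROL_ACTIONS:
        return account.privilege in (Privilege.ADMINISTRATOR, Privilege.OPERATOR)
    return False      # unknown action: deny by default


def bay_kind(bay: str) -> str:
    """'device:3' -> 'device', 'interconnect:1' -> 'interconnect'."""
    return bay.split(":", 1)[0]


def role_isolation_report(accounts: Iterable[Account]) -> Dict[str, List[str]]:
    """Audit accounts against the separation of server, LAN and SAN roles.

    cross_role: accounts that can control both device bays and interconnect
    bays, merging the server role with the LAN/SAN role.
    account_managers: accounts able to create or edit every other account.
    """
    cross_role, account_managers = [], []
    for acct in accounts:
        kinds = {bay_kind(b) for b in acct.bays if b != OA_BAY}
        can_control = acct.privilege in (Privilege.ADMINISTRATOR, Privilege.OPERATOR)
        if can_control and {"device", "interconnect"} <= kinds:
            cross_role.append(acct.name)
        if is_permitted(acct, "create_user"):
            account_managers.append(acct.name)
    return {"cross_role": cross_role, "account_managers": account_managers}


# Constructed sample accounts for the audit (not from any real enclosure).
SAMPLE_ACCOUNTS = {
    "Administrator": Account("Administrator", Privilege.ADMINISTRATOR,
                             frozenset({OA_BAY, "device:1", "interconnect:1"})),
    "server_ops": Account("server_ops", Privilege.OPERATOR,
                          frozenset({"device:1", "device:2"})),
    "san_ops": Account("san_ops", Privilege.OPERATOR,
                       frozenset({"interconnect:3", "interconnect:4"})),
    "auditor": Account("auditor", Privilege.USER,
                       frozenset({"device:1", "interconnect:3"})),
    "mixed_ops": Account("mixed_ops", Privilege.OPERATOR,
                         frozenset({"device:5", "interconnect:1"})),
}

if __name__ == "__main__":
    for name, findings in role_isolation_report(SAMPLE_ACCOUNTS.values()).items():
        print(f"{name}: {findings}")
```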
Onboard Administrator requires you to log in to the web GUI or CLI with an account and password. The
account can be a local account where the password is stored on Onboard Administrator or an LDAP
account, where Onboard Administrator contacts the defined LDAP server to verify the user credentials.
Two-factor authentication enables even tighter security for the user management session to Onboard
Administrator.
Rather than requiring separate logins to multiple resources (once to each enclosure, once to every server
management processor, or both), Onboard Administrator enables single point access for linked enclosures
in a rack. In this way, the administrator can use single sign-on to log in to a single Onboard Administrator
and use the web GUI to graphically view and manage the HP BladeSystem c-Class components in up to
seven linked enclosures. (The single sign-on requires that all the enclosure active Onboard Administrators
have the same password.) For example, an IT administrator can automatically propagate management
commands, such as changing the enclosure power mode, across all the linked enclosures. A valid account
must be present on each linked enclosure to gain access. For more information, see "Signing in to the
Onboard Administrator GUI (on page 15)."
Login security
Onboard Administrator provides several login security features. No penalty is imposed after an initial failed
login attempt. With all subsequent failed attempts, Onboard Administrator imposes a 10-second to
20-second delay. An information page appears during each delay. This action continues until a valid login
is completed. This feature assists in defending against possible dictionary attacks.
Onboard Administrator saves a detailed log entry for all failed login attempts.
Running Onboard Administrator for the first time
Setting up a c-Class enclosure using the Onboard Administrator is simplified by using the Insight Display first
time installation wizard, followed by use of the Onboard Administrator GUI First Time Wizard or Onboard
Administrator CLI to complete the rest of the enclosure settings.
When operating in FIPS Mode, configure FIPS Mode before performing any other enclosure or Onboard
Administrator configuration, including configuration of the Virtual Connect or First Time Setup Wizard.
Enabling FIPS Mode on an Onboard Administrator module or redundant pair of modules forces the Onboard
Administrator modules to be reset to factory defaults. After configuring FIPS Mode, perform the configuration
steps in this section. For more information on FIPS Mode, see "FIPS tab (on page 117)."
The Onboard Administrator modules, server blade iLO management processors and many interconnect
modules default to DHCP for their management IP address. If the user has DHCP and connects the Onboard
Administrator management port to the DHCP server, then the Onboard Administrator modules, all iLO, and
interconnect modules supporting and configured to use the Onboard Administrator internal management
network will all automatically obtain DHCP addresses from the user DHCP server.
If you do not have a DHCP server for assigning IP addresses to management processors, you must configure
each Onboard Administrator IP address and then all the individual device and interconnect module
management IP addresses by using one of the following methods:
• Recommended Practice - configure each Onboard Administrator with a static IP address using the
Insight Display. Then log in to the Onboard Administrator GUI and use the First Time Setup Wizard or
log in to the Onboard Administrator CLI and configure and enable Enclosure Bay IP Addresses (EBIPA)
for Device Bays and Interconnect Bays. Enabling EBIPA for a bay will allow that server or interconnect
module to be replaced and the new module will automatically obtain the previously configured IP
address for that bay.
• Alternatively, configure each device and interconnect module for a static IP address manually. For ProLiant server
blades, you must connect to each server blade from the SUV port (using the SUV cable included with each
enclosure) and configure the iLO IP address manually during POST by pressing F8 to access the iLO
Option ROM settings. For the interconnect modules with management processors that can use the
Onboard Administrator management network, access and configure their IP address using either an
external serial console port or the Onboard Administrator CLI serial connection to that bay. After
changing the interconnect module IP address manually, the switch may require power cycling to use the
new setting.
IMPORTANT: Do not configure the IP address for any Onboard Administrator in the
169.254.x.x range.
The initial credentials to log in to a new Onboard Administrator module are printed on a label on each
module. The user is Administrator and the password is unique to each module. This password must be
captured by the installer and communicated to the remote Administrator for the first remote login to the
Onboard Administrator GUI or Onboard Administrator CLI.
The enclosure settings can be configured manually or uploaded from a configuration script or file. The web
GUI offers a First Time Setup Wizard. The CLI can be accessed from the Onboard Administrator serial port,
Ethernet management port, service port, or by using the Enclosure KVM - Onboard Administrator CLI button.
An alternative to manual configuration is to upload an enclosure configuration file to the active Onboard
Administrator using either the GUI or CLI with an HTTP, FTP or TFTP network location for the configuration file,
or use the GUI, CLI or Insight Display to upload a configuration file from a USB key drive plugged into the
active Onboard Administrator USB port.
The recommended practice to create an enclosure configuration file is to use the GUI, CLI, or Insight Display
USB Key Menu to save the existing configuration to a file. The saved configuration file is a set of CLI text
commands for each configuration item. The Onboard Administrator will not save user passwords when it
saves a configuration file. The user can edit the configuration file and insert the password commands for
each user account, or use the Administrator local account to individually update all user passwords after
restoring a previously saved enclosure configuration file.
If the enclosure contains redundant Onboard Administrator modules, the remaining Onboard Administrator
updates the new Onboard Administrator with all the settings.
Signing in to the Onboard Administrator GUI
Enter the user name and initial administration password for your Onboard Administrator. The default account
credentials can be found on the tag attached to the Onboard Administrator.
When signing in to the Onboard Administrator, the following issues might occur:
• You are not entering the information correctly. Passwords are case sensitive.
• The account information you are entering has not been set up for HP BladeSystem Onboard
Administrator.
• The user name you are entering has been deleted, disabled, or locked out.
• The password for the account must be changed.
• You are attempting to sign in from an IP address that is not valid for the specified account.
• The password for the Administrator account has been forgotten or lost. To reset the Administrator
password, see "Recovering the Administrator password (on page 19)."
If you continue to have issues signing in, contact your administrator.
If you have the same credentials on multiple enclosures, you can use single sign-on to log in to multiple linked
enclosures. Before signing in, select the box next to each of the linked enclosures listed in the table on the
Sign-in page, as shown in the following table. In this scenario, you are attempting to log in to three active
Onboard Administrators on the corresponding selected enclosures, using the supplied user name and
password. Alternatively, to verify and log in to all the linked enclosures, select the box at the top of the check
box column. If the login succeeds, then each of those enclosures is viewed in the same GUI window. The
display order of each enclosure is based on the enclosure link cables. Connect the "down-link" port of the
topmost enclosure to the "up-link" port of the following enclosure. Repeat until the bottom enclosure is
reached. This GUI order is the same order that appears in the SHOW TOPOLOGY command.
As shown in the preceding example, the enclosure table on the Sign-in page also provides information on the
enclosure status, connection, firmware version, OA name, and rack position. If extended data has been
enabled on the Network Access (on page 114) page Anonymous Data tab, you can view more detailed
enclosure and Onboard Administrator information by selecting the sign to the left of the enclosure icon.
The sign appears only if extended data is enabled on that enclosure. Through Location Discovery
Services, the extended data includes location information for each chassis. For more information about
Location Discovery Services, see "Rack Overview screen (on page 88)." Extended data is enabled by
default. If extended data is disabled on an enclosure, the enclosure status appears as N/A.
The following figure shows the extended data for the first enclosure listed in the table.
Flash disaster recovery
To successfully recover an Onboard Administrator from a failed flash, you must have the following:
• Local access to the enclosure
• A DHCP server accessible by the Onboard Administrator
• A TFTP server accessible by the Onboard Administrator
• Onboard Administrator firmware (.bin file)
To recover from a failed flash, use one of the following processes:
• If you have only one Onboard Administrator in the enclosure or you want to Flash Recover the Active
OA:
a. With a null-modem cable (9600 N, 8, 1, VT100), locally connect to the Onboard Administrator.
b. Press and hold the Reset button of the Onboard Administrator for 5 seconds.
c. On the serial console, when you are prompted for Flash Recovery or Reset Password, press F. The
Onboard Administrator obtains an IP address through DHCP.
d. At the prompt for the TFTP server IP address (where the Onboard Administrator image files are
stored), enter the appropriate IP address.
e. You are prompted for the path to the Onboard Administrator firmware image. The Onboard
Administrator downloads the image and flashes itself.
Upon successful completion of this process, the Onboard Administrator firmware is up to date, and any error
condition is repaired.
• If you have two Onboard Administrator modules in the enclosure and you want to Flash Recover the Active OA:
a. With a null-modem cable (9600 N, 8, 1, VT100), locally connect to the Onboard Administrator.
b. Press and hold the Reset button of the Onboard Administrator for 5 seconds.
c. On the serial console, when you are prompted for Flash Recovery or Reset Password, do not type
anything. Wait at least 2 minutes to let the Standby OA become the Active OA before proceeding to
the next step.
d. When the OA to be flashed has become the Standby OA, press and hold the Reset button a second
time on the same OA as in step b.
e. On the serial console, when you are prompted for Flash Recovery or Reset Password, press F. The
Onboard Administrator obtains an IP address through DHCP.
f. At the prompt for the TFTP server IP address (where the Onboard Administrator image files are
stored), enter the appropriate IP address.
g. You are prompted for the path to the Onboard Administrator firmware image. The Onboard
Administrator downloads the image and flashes itself.
Upon successful completion of this process, the Onboard Administrator firmware is up to date, and any error
condition is repaired.
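In both recovery processes the Onboard Administrator fetches the .bin image over TFTP, a protocol with no authentication or integrity protection, and flashes whatever it receives. The following added example (not code from the guide or from HP) shows the check a practitioner would run on the TFTP side before starting the procedure: verify the image's SHA-256 digest against a value obtained out of band, then place a read-only copy in the TFTP root and return the relative path to type at the "path to the firmware image" prompt. The digest value, the file names and the tftpboot directory used here are placeholders.

```python
"""Stage an Onboard Administrator firmware image for TFTP-based flash
recovery only after its SHA-256 digest matches a value obtained out of
band.  Added example; the expected digest, paths and file names are
placeholders, and the image content is constructed for the demo."""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path: str) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def stage_firmware(image: str, expected_sha256: str, tftp_root: str) -> str:
    """Copy `image` into `tftp_root` as a read-only file and return the
    file name to enter at the OA's TFTP path prompt.  Raises ValueError
    if the digest does not match, so a corrupted or substituted image is
    never served to the recovering OA."""
    actual = sha256_of(image)
    if actual.lower() != expected_sha256.lower():
        raise ValueError(f"digest mismatch: {actual} != {expected_sha256}")
    name = os.path.basename(image)
    if not name.endswith(".bin"):
        raise ValueError("OA firmware images are .bin files")
    dest = os.path.join(tftp_root, name)
    shutil.copyfile(image, dest)
    os.chmod(dest, 0o444)  # TFTP only needs read access; block overwrites
    return name


def demo() -> dict:
    """Run the staging against a constructed image, then against a
    tampered copy of it, and report what happened."""
    work = tempfile.mkdtemp()
    tftp_root = os.path.join(work, "tftpboot")  # placeholder TFTP root
    os.makedirs(tftp_root)
    image = os.path.join(work, "oa_placeholder.bin")  # placeholder name
    with open(image, "wb") as f:
        f.write(b"constructed firmware payload, not a real OA image\n")
    good = sha256_of(image)  # stands in for the vendor-published digest
    staged = stage_firmware(image, good, tftp_root)
    # Append one byte to the image and confirm staging is refused
    with open(image, "ab") as f:
        f.write(b"\x00")
    try:
        stage_firmware(image, good, tftp_root)
        refused = False
    except ValueError:
        refused = True
    mode = oct(os.stat(os.path.join(tftp_root, staged)).st_mode & 0o777)
    return {"staged": staged, "refused_tampered": refused, "mode": mode}


if __name__ == "__main__":
    print(demo())
```

The digest comparison happens before anything is copied, so a mismatch leaves the TFTP root untouched. Keep the TFTP server reachable only from the isolated management network, as the "Isolate the management network" section recommends, since the recovering OA will accept any image the server hands it.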
Running the setup wizard
To run the setup wizard, sign in to Onboard Administrator. The First Time Setup Wizard starts automatically
when you sign in to Onboard Administrator for the first time. This wizard assists you in setting up all of the
functions of the Onboard Administrator. You can access the setup wizard at any time after initial setup by
clicking the Wizards link on the top left of the center screen.
For detailed information, see "First Time Setup wizard (on page 54)."
Using online help
To access online help, click the blue box with the white question mark or Help located on the top right of the
screen under the header bar. Online help displays information related to the section of Onboard
Administrator in which you are navigating.
Changing enclosure and device configurations
After you have completed the First Time Setup Wizard, you can return to the Onboard Administrator GUI to
make configuration changes at any time. For information that will help you make changes to enclosure and
device configuration, user setup, and LDAP server settings and LDAP groups, see "Configuring the HP
BladeSystem c7000 enclosure and enclosure devices (on page 96)."
For information about enclosure power settings, see "Enclosure Power Management (on page 245)."
Recovering the administrator password
If the Administrator password has been lost, you can reset the administrator password to the factory default
that shipped on the tag with the Onboard Administrator module. The Onboard Administrator resets a lost
password to Lost Password/Flash Disaster Recovery (LP/FDR) mode. To reset the administrator password to
the factory default:
1. Connect a computer to the serial port of the Active Onboard Administrator using a null-modem cable.
2. With a null-modem cable (9600 N, 8, 1, VT100) locally connect to the Onboard Administrator.
3. Open a suitable terminal window utility (Windows or Linux), and connect to the Active Onboard
Administrator.
4. Press and hold in the Onboard Administrator reset button for 5 seconds.
5. To boot the system into Lost Password mode, press L. The password appears as the system reboots.
Alternatively, to reset a password on the Onboard Administrator, select the Insight Display (LCD panel) USB
Menu option. This option restores a configuration script using command line interface commands stored on
a USB key.
NOTE: If the Insight Display USB menu buttons are locked, then the serial port method must be
used. If the LCD panel is locked, then a large “lock” symbol appears on the screen.
In this example, the OA Administrator password is set to Password123.
1. Create a text file named reset_password.cfg with the one-line command: SET USER PASSWORD "Administrator" "Password123"
2. Insert the flash drive with reset_password.cfg file into the USB port of the active Onboard
Administrator. The LED on the Onboard Administrator indicates which OA is active.
3. Using the Onboard Administrator Insight Display, navigate to the main menu, select USB Key Menu,
and then click OK.
4. If Insight Display PIN Protection is enabled, you are prompted to enter the PIN. Select Accept, and then
click OK.
5. Select Restore Configuration, then click OK. The USB flash drive in the Onboard Administrator is
scanned and the available .cfg files are listed.
6. Select the reset_password.cfg file, and then click OK.
7. When the Confirm Operation screen appears, click OK.
8. Log in to the Onboard Administrator with the user ID and password specified in step 1.
Security considerations
This section documents the architecture and best practice security recommendations to be considered when
configuring the Onboard Administrator and compares default settings with the previous versions.
BladeSystem network architecture overview
All device bays, interconnect modules, and Onboard Administrator modules are connected to an internal
enclosure network that is managed by the active Onboard Administrator. Network traffic from business
applications running on server blades is routed through interconnect switch modules and onto the production
network.
Although it is possible for the management and production networks to be connected, the management
network should be isolated from production traffic and the intranet. From a security perspective, this reduces
access and ability to attack the management interfaces. From an efficiency standpoint, separate networks
keep production traffic off the management network.
Recommended security best practices
In addition to general security best practices, note the following considerations.
Physical presence considerations
Physical access to a system often implies administrator privilege. The Onboard Administrator is no exception.
For more information on how to configure the Onboard Administrator, see "Configuring the HP BladeSystem
c7000 enclosure and enclosure devices (on page 96)."
• Verifying physical cabling
The BladeSystem enclosure can have many cables attached to the enclosure. Cables connected to the
interconnect switch modules are generally for production network traffic. All other cables and ports are
generally for enclosure management network traffic and should be carefully inspected.
o Ensure that enclosure link ports are connected only to enclosure link ports on other enclosures.
o Inspect Onboard Administrator serial ports for unauthorized connections.
o Inspect Onboard Administrator USB ports for unauthorized connections.
• Securing the Insight Display LCD panel
The Insight Display LCD panel allows for configuration and monitoring of key Onboard Administrator
settings: network address configuration and power up/down of server blade bays to name a few
critical BladeSystem functions. HP recommends securing the Insight Display LCD panel with a PIN,
particularly in a multi-tenant datacenter. Furthermore, certain regulatory or industry standards, such as
PCI, might require that all interfaces be secured with a PIN/password, regardless of requiring physical
access.
The Insight Display LCD panel buttons are locked by default in FIPS Mode ON/DEBUG. For more
information, see "FIPS tab (on page 117)."
Set factory defaults before hardware redeployment
The very nature of redundant hardware is to ensure that all settings are present so that if a failure occurs on
the Active Onboard Administrator, the Standby Onboard Administrator can take over the active role. This
means that local user account information is duplicated on the Standby Onboard Administrator. If Enclosure
IP mode is configured, then the private key used for SSL communications is also stored on the Standby
Onboard Administrator. (Enclosure IP mode is not configured by default.) Depending on the security
requirements for the datacenter, critical security parameters should be cleared from the hardware before
decommissioning or reprovisioning an enclosure or components inside the enclosure, such as the Onboard
Administrator, VC, and iLO for HP BladeSystem.
To ensure all critical security parameters are cleared, run SET FACTORY to restore factory defaults. Additionally, the Administrator
password can be set to the factory “toe-tag” value by manually changing the password or connecting a serial
cable and invoking the lost password recovery procedure. For instructions, see "Recovering the administrator
password (on page 19)."
Isolate the management network
No matter how secure a device might appear to be, there will always be some sort of new attack or
vulnerability. As a preventative measure and to follow industry best practices, HP strongly recommends that
the management network be separate from the production network. Furthermore, do not place the
management network on the open internet or firewall DMZ without requiring additional access
authentication, such as using a VPN/tunnel.
Network ports
For more information on ports, see "Access requirements (on page 10)."
For more information on managing HP software through a firewall, see the Managing HP Servers Through
Firewalls with Insight Management White Paper. This document may be downloaded from the HP Insight
Management Information Library (http://www.hp.com/go/docs).
Default FIPS Mode settings compared to strong encryption
Beginning with version 3.70, Onboard Administrator significantly upgrades the Onboard Administrator
cryptographic capabilities by adding a new FIPS Mode of operation. FIPS Mode enforces a number of
requirements that differ significantly from the Enforce Strong Encryption setting in Onboard Administrator
version 3.60 and prior releases. As of version 3.70, the default security settings in Onboard Administrator
have been upgraded and are now equivalent to the version 3.60 Enforce Strong Encryption setting. The
security improvements remove weak algorithms for message authentication, default the SSL hash signature
algorithm to SHA-256, and support use of only FIPS 140-2 approved ciphers. For more information, see the
following table. A list of supported SSH ciphers, SSH key exchange algorithms, and SSH Message
Authentication Code algorithms follows the table.
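The guide's point here is that, from version 3.70 on, the Onboard Administrator advertises only FIPS 140-2 approved ciphers and drops weak message authentication algorithms. An operator can confirm that on a deployed module by reading the server's KEXINIT proposal (for example from `ssh -vv` debug output) and comparing each advertised algorithm against an allow-list. The following is an added example, not code from the guide or from HP: the allow-list is an illustrative approximation of FIPS-approved SSH algorithms rather than the OA's actual supported list (which the guide presents in a table not reproduced here), the debug-line format is assumed to follow OpenSSH's `-vv` output, and the sample proposals are constructed.

```python
"""Audit the algorithm lists an SSH server advertises against a FIPS-style
allow-list.  Added example: the allow-list is an illustrative approximation
of FIPS 140-2 approved algorithms, the parser assumes OpenSSH `ssh -vv`
style debug lines, and the sample proposals are constructed."""
from typing import Dict, List

# Illustrative allow-list (assumption, not the OA's published list): AES and
# Triple-DES ciphers, SHA-1/SHA-2 HMACs and 2048-bit-or-better key exchange.
# RC4 ("arcfour"), Blowfish, MD5 and truncated 96-bit MACs are excluded.
APPROVED: Dict[str, set] = {
    "cipher": {"aes128-cbc", "aes192-cbc", "aes256-cbc",
               "aes128-ctr", "aes192-ctr", "aes256-ctr",
               "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
               "3des-cbc"},
    "mac": {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"},
    "kex": {"diffie-hellman-group14-sha1", "diffie-hellman-group14-sha256",
            "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
}


def audit(advertised: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return, per category, the advertised algorithms that are not on the
    allow-list.  An empty dict means the endpoint is consistent with a
    'FIPS approved algorithms only' policy."""
    findings: Dict[str, List[str]] = {}
    for category, names in advertised.items():
        bad = [n for n in names if n not in APPROVED.get(category, set())]
        if bad:
            findings[category] = bad
    return findings


def parse_ssh_debug(text: str) -> Dict[str, List[str]]:
    """Extract the server's KEXINIT proposal from `ssh -vv` style output.
    Only lines after 'peer server KEXINIT proposal' are used, so the
    client's own proposal (which uses the same line prefixes) is skipped.
    The server-to-client ('stoc') cipher and MAC lists are taken."""
    prefixes = {
        "KEX algorithms: ": "kex",
        "ciphers stoc: ": "cipher",
        "MACs stoc: ": "mac",
    }
    result: Dict[str, List[str]] = {}
    in_server = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("debug2: "):
            line = line[len("debug2: "):]
        if line.startswith("peer server KEXINIT proposal"):
            in_server = True
            continue
        if not in_server:
            continue
        for prefix, category in prefixes.items():
            if line.startswith(prefix):
                result[category] = [n for n in line[len(prefix):].split(",") if n]
    return result


# Constructed samples: a legacy-style proposal with weak algorithms, and a
# hardened one of the kind the text describes for version 3.70 and later.
LEGACY_SAMPLE = {
    "cipher": ["aes128-cbc", "3des-cbc", "arcfour", "blowfish-cbc"],
    "mac": ["hmac-md5", "hmac-sha1", "hmac-sha1-96"],
    "kex": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"],
}
HARDENED_SAMPLE = {
    "cipher": ["aes256-ctr", "aes128-ctr", "aes256-cbc"],
    "mac": ["hmac-sha2-256", "hmac-sha1"],
    "kex": ["diffie-hellman-group14-sha1", "ecdh-sha2-nistp256"],
}
SAMPLE_DEBUG = """\
debug2: local client KEXINIT proposal
debug2: ciphers stoc: aes256-gcm@openssh.com
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-ctr,arcfour
debug2: ciphers stoc: aes128-ctr,arcfour
debug2: MACs ctos: hmac-sha1,hmac-md5
debug2: MACs stoc: hmac-sha1,hmac-md5
"""

if __name__ == "__main__":
    print("legacy  :", audit(LEGACY_SAMPLE))
    print("hardened:", audit(HARDENED_SAMPLE))
    print("from log:", audit(parse_ssh_debug(SAMPLE_DEBUG)))
```

Run the audit against each OA module after a firmware upgrade and after toggling FIPS Mode, and treat any non-empty finding as a configuration regression to investigate. Substitute the OA's own supported-algorithm list for the illustrative allow-list once you have it from the table the guide refers to.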