1hp ilo4 user manual

8/11/2019 1HP ILO4 User Manual

http://slidepdf.com/reader/full/1hp-ilo4-user-manual 1/238



© Copyright 2011, 2012 Hewlett-Packard Development Company, L.P

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial

Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under

vendor's standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express

warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall

not be liable for technical or editorial errors or omissions contained herein.

Acknowledgements

Microsoft®, Windows®, Windows NT® , and Windows Vista® are U.S. registered trademarks of Microsoft Corporation.

Intel is a trademark of Intel Corporation in the U.S. and other countries.

Java is a registered trademark of Oracle and/or its affiliates.

Revision History

March 2012Revision 1

Initial release for iLO 4 1.01 firmware

June 2012Revision 2

Update for iLO 4 1.05 firmware

September 2012Revision 3

Update for iLO 4 1.10 firmware



Contents

1 Introduction to iLO....................................................................................12iLO web interface...................................................................................................................12iLO RBSU...............................................................................................................................13iLO Mobile application............................................................................................................13

2 Setting up iLO..........................................................................................14Preparing to set up iLO............................................................................................................14Connecting iLO to the network.................................................................................................16Setting up iLO by using iLO RBSU.............................................................................................16

Configuring the network settings (static IP addresses only).......................................................17Setting up iLO user accounts by using iLO RBSU.....................................................................18

Setting up iLO by using the iLO web interface............................................................................19Logging in to iLO for the first time.............................................................................................19

Activating iLO licensed features................................................................................................20Installing the iLO drivers...........................................................................................................20

Microsoft device driver support............................................................................................20Linux device driver support..................................................................................................21

VMware device driver support.............................................................................................21

3 Configuring iLO.......................................................................................22Updating iLO firmware............................................................................................................22

Obtaining the iLO firmware image file..................................................................................23Updating iLO firmware by using a browser............................................................................24

Using language packs............................................................................................................25Installing a language pack..................................................................................................25Selecting a language pack.................................................................................................26Configuring the default language settings..............................................................................26Configuring the current language settings..............................................................................27Removing a language pack.................................................................................................27

iLO licensing..........................................................................................................................27Free iLO Advanced 60-day evaluation license........................................................................28Installing an iLO license by using a browser..........................................................................28

Administering users.................................................................................................................29 Viewing local users............................................................................................................29 Viewing directory groups ...................................................................................................30 Adding or editing local users..............................................................................................30

IPMI/DCMI users..........................................................................................................32 Administering directory groups............................................................................................32Deleting a user or a directory group.....................................................................................34

Configuring iLO access settings................................................................................................34

Configuring service settings.................................................................................................34Configuring IPMI/DCMI settings..........................................................................................36Configuring access options.................................................................................................36

Using Authentication Failure Logging and SSH clients........................................................38Configuring iLO security..........................................................................................................38

General security guidelines.................................................................................................39Passwords....................................................................................................................39iLO RBSU security..........................................................................................................40

Using iLO RBSU to configure iLO RBSU access settings..................................................40iLO Security Override Switch administration......................................................................41

TPM support......................................................................................................................42

User accounts and access...................................................................................................42

Contents 3



User privileges..............................................................................................................43Login security................................................................................................................43

Administering SSH keys......................................................................................................43 About SSH keys............................................................................................................43 Authorizing a new key...................................................................................................44Deleting keys................................................................................................................44

Authorizing keys from an HP SIM server...........................................................................44 Administering SSL certificates..............................................................................................44

Viewing certificate information........................................................................................44Obtaining and importing a certificate..............................................................................45Configuring directory settings..............................................................................................46

Configuring authentication and directory server settings.....................................................46Running directory tests...................................................................................................49

Viewing directory test results......................................................................................51Using the directory test controls .................................................................................53

Using encryption................................................................................................................53Configuring encryption settings.......................................................................................54Connecting to iLO using by AES or 3DES encryption..........................................................55

Configuring iLO for HP SIM single sign-on.............................................................................56Configuring iLO for HP SIM SSO.....................................................................................56

Adding HP SIM trusted servers........................................................................................57 Viewing HP SIM trusted servers.......................................................................................58Removing HP SIM Servers..............................................................................................59

Configuring Remote Console Security settings........................................................................59Configuring Integrated Remote Console Trust Settings (.NET IRC)..............................................60Configuring the Login Security Banner..................................................................................61

Configuring iLO IP and NIC settings..........................................................................................62Configuring IP settings........................................................................................................62Configuring NIC settings.....................................................................................................64

Using the iLO Shared Network Port..................................................................................66Enabling the iLO Shared Network Port feature..............................................................67

Re-enabling the iLO Dedicated Management NIC.........................................................68Configuring SNTP settings...................................................................................................69

Configuring iLO Management settings.......................................................................................71Installing AMS or the Insight Management Agents..................................................................72

Verifying the AMS installation.........................................................................................73 Verifying AMS installation: Windows..........................................................................73 Verifying AMS installation: Linux.................................................................................73 Verifying AMS installation: VMware............................................................................73

Configuring SNMP.............................................................................................................74Configuring SNMP alerts....................................................................................................75

Using the AMS Control Panel to configure SNMP and SNMP alerts (Windows only)..............76

SNMP traps..................................................................................................................76Configuring Insight Management Integration.........................................................................78

4 Using iLO................................................................................................80Using the iLO web interface.....................................................................................................80

Browser support.................................................................................................................80Logging in to iLO...............................................................................................................80SSL overview.....................................................................................................................81Certificates........................................................................................................................81Handling an unknown authority...........................................................................................81Using the iLO controls.........................................................................................................82

Viewing iLO overview information.............................................................................................82

Viewing system information.................................................................................................82

4 Contents



Viewing status information...................................................................................................84 Viewing the active iLO sessions............................................................................................85

Viewing iLO system information................................................................................................85 Viewing health summary information....................................................................................85 Viewing fan information......................................................................................................86 Viewing temperature information .........................................................................................87 Viewing power information.................................................................................................89 Viewing processor information.............................................................................................93

Viewing memory information...............................................................................................94 Advanced Memory Protection.........................................................................................94Memory Summary.........................................................................................................96Memory Details............................................................................................................96

Viewing network information...............................................................................................97 Viewing storage information................................................................................................98

Controllers...................................................................................................................99Drive Enclosures..........................................................................................................100Logical Drives.............................................................................................................100Physical Drives............................................................................................................100

Viewing firmware information............................................................................................100Using the iLO Event Log.........................................................................................................101

Viewing the iLO Event Log.................................................................................................101Saving the iLO Event Log...................................................................................................103Clearing the iLO Event Log................................................................................................104

Using the Integrated Management Log....................................................................................104 Viewing the IML...............................................................................................................104Marking a log entry as repaired........................................................................................106

Adding a maintenance note to the IML...............................................................................106Saving the IML................................................................................................................107Clearing the IML..............................................................................................................107

Using the HP Active Health System..........................................................................................107Downloading the Active Health System log for a date range..................................................108

Downloading the entire Active Health System log.................................................................109Clearing the Active Health System log................................................................................110

Using iLO diagnostics............................................................................................................110Resetting iLO with the web interface...................................................................................112

Using Location Discovery Services...........................................................................................112Using the Insight Management Agents.....................................................................................113Using the iLO Remote Console................................................................................................113

Remote Console licensing.................................................................................................114Using the Integrated Remote Console..................................................................................114

.NET IRC requirements.................................................................................................115 Java IRC requirements..................................................................................................115

Recommended client settings....................................................................................116Recommended server settings...................................................................................116Starting the Remote Console.........................................................................................116

Acquiring the Remote Console......................................................................................117Using the Remote Console power switch.........................................................................118Using iLO Virtual Media from the Remote Console...........................................................119Using Shared Remote Console (.NET IRC only)................................................................119Using Console Capture (.NET IRC only)..........................................................................119

Viewing Server Startup and Server Prefailure sequences..............................................120Saving Server Startup and Server Prefailure video files................................................120Capturing video files...............................................................................................121

Viewing saved video files........................................................................................121

Creating Remote Console hot keys.................................................................................121

Contents 5



Creating a hot key..................................................................................................121Resetting hot keys...................................................................................................123

Troubleshooting .........................................................................................................123Using the text-based Remote Console.................................................................................123

Text-based console during POST....................................................................................124Using the Virtual Serial Port.....................................................................................124

Text-based console after POST......................................................................................125Using iLO Text Console...........................................................................................126

Using iLO Virtual Media........................................................................................................127 Virtual Media operating system information.........................................................................128Operating system USB requirement................................................................................128Using Virtual Media with Windows 7............................................................................128Operating system considerations: virtual floppy/USB key..................................................128

Changing diskettes.................................................................................................128Operating system considerations: virtual CD/DVD-ROM ..................................................129

Mounting USB Virtual Media CD/DVD-ROM on Linux systems......................................129Operating system considerations: Virtual Folder .............................................................129

Using iLO Virtual Media from the iLO web interface.............................................................130 Viewing and modifying the Virtual Media port................................................................130 Viewing and ejecting local media.................................................................................131Connecting scripted media...........................................................................................131

Viewing and ejecting scripted media.............................................................................131Using iLO Virtual Media from the Remote Console................................................................132

Using a virtual floppy/USB key.....................................................................................132Using a physical floppy disk or USB key drive on a client PC........................................132Using an image file................................................................................................132Using scripted media (.NET IRC only)........................................................................133

Using a virtual CD/DVD-ROM......................................................................................133Using a physical CD/DVD-ROM drive on a client PC...................................................133Using an image file................................................................................................134Using an image file through a URL (IIS/Apache – .NET IRC only)..................................134

Creating iLO disk image files (Java IRC only)..................................................................134Using a Virtual Folder (.NET IRC only)............................................................................135

Setting up IIS for scripted Virtual Media..............................................................................135Configuring IIS............................................................................................................135Configuring IIS for read/write access.............................................................................135Inserting Virtual Media with a helper application............................................................136

Virtual Media helper application...................................................................................136Configuring Virtual Media Boot Order................................................................................137

Changing the server boot order....................................................................................137Changing the one-time boot status................................................................................138Using the additional options.........................................................................................139

About server power..............................................................................................................139Powering on the server.....................................................................................................139Brownout recovery...........................................................................................................139Graceful shutdown...........................................................................................................139Power efficiency...............................................................................................................139

Using iLO Power Management...............................................................................................140Managing the server power..............................................................................................140Configuring the System Power Restore Settings.....................................................................142

Viewing server power usage..............................................................................................142 Viewing the current power state.........................................................................................144 Viewing the server power history........................................................................................144Configuring power settings................................................................................................145

Configuring Power Regulator settings.............................................................................145

6 Contents



Configuring power capping settings..............................................................................146Configuring an SNMP power threshold alert...................................................................146Configuring the persistent mouse and keyboard..............................................................147

Using iLO with Onboard Administrator....................................................................................147Using the Active Onboard Administrator.............................................................................147Enclosure bay IP addressing..............................................................................................148Dynamic Power Capping for server blades..........................................................................148iLO virtual fan.................................................................................................................148

iLO option.......................................................................................................................148IPMI server management.......................................................................................................149Using iLO with HP Insight Control server deployment ................................................................149

5 Integrating HP Systems Insight Manager....................................................150HP SIM features....................................................................................................................150Establishing SSO with HP SIM................................................................................................150iLO identification and association...........................................................................................150

Viewing iLO status in HP SIM.............................................................................................150iLO links in HP SIM..........................................................................................................151

Viewing iLO in HP SIM System(s) lists..................................................................................151Receiving SNMP alerts in HP SIM...........................................................................................151

HP SIM port matching...........................................................................................................152Reviewing iLO license information in HP SIM............................................................................152

6 Directory services...................................................................................153Directory integration overview................................................................................................153Directory integration benefits..................................................................................................153Kerberos support..................................................................................................................153

Domain controller preparation...........................................................................................154Realm names..............................................................................................................154Computer accounts......................................................................................................154User accounts.............................................................................................................154Generating a keytab...................................................................................................154

Key version number................................................................................................155 Windows Vista.......................................................................................................155Universal and global user groups (for authorization)........................................................155

iLO configuration.............................................................................................................155Using the iLO web interface..........................................................................................156Using XML configuration and control scripts....................................................................156Using the CLI, CLP, or SSH interface..............................................................................157

Time requirement.............................................................................................................157Configuring single sign-on................................................................................................158

Internet Explorer..........................................................................................................158Firefox.......................................................................................................................159Chrome.....................................................................................................................159

Verifying single sign-on (HP Zero Sign In) configuration.........................................................159Login by name................................................................................................................159

Advantages and disadvantages of schema-free directories.........................................................159Schema-free directory integration.......................................................................................160

Setting up Schema-free directory integration.............................................................................160 Active Directory preparation..............................................................................................161

Introduction to Certificate Services.................................................................................161Installing Certificate Services.........................................................................................161

Verifying Certificate Services.........................................................................................161Configuring Automatic Certificate Request......................................................................161

Schema-free setup via iLO web interface.............................................................................162

Schema-free setup via scripts.............................................................................................162

Contents 7



Schema-free setup with HP Directories Support for ProLiant Management Processors.................162Schema-free setup options.................................................................................................163

Minimum Login Flexibility.............................................................................................163Better Login Flexibility..................................................................................................163Maximum Login Flexibility............................................................................................163

Schema-free nested groups................................................................................................163Setting up HP schema directory integration..............................................................................164

Features supported by HP schema directory integration.........................................................164

Setting up directory services..............................................................................................164Schema documentation.....................................................................................................165Directory services support.................................................................................................165Schema required software.................................................................................................165

Schema Extender........................................................................................................166Schema Preview.....................................................................................................166Setup....................................................................................................................166Results..................................................................................................................167

Management snap-in installer.......................................................................................167Directory Services for Active Directory.................................................................................168

Active Directory installation prerequisites........................................................................168Installing Active Directory.............................................................................................168Snap-in installation and initialization for Active Directory..................................................169Creating and configuring directory objects for use with iLO in Active Directory....................169Directory services objects.............................................................................................171

Active Directory snap-ins.........................................................................................171 Active Directory role restrictions................................................................................172

Active Directory Lights-Out management.........................................................................174Directory services for eDirectory.........................................................................................175

eDirectory installation prerequisites................................................................................175Snap-in installation and initialization for eDirectory..........................................................175Example: Creating and configuring directory objects for use with LOM devices ineDirectory..................................................................................................................175

Directory Services objects for eDirectory.........................................................................179Role Managed Devices...........................................................................................179Members...............................................................................................................179

eDirectory Role Restrictions...........................................................................................180Time restrictions......................................................................................................181Enforced client IP address or DNS name access.........................................................181

eDirectory Lights-Out Management................................................................................181User login via directory services.........................................................................................182

Directory-enabled remote management....................................................................................183Creating roles to follow organizational structure...................................................................183

Using existing groups..................................................................................................183

Using multiple roles.....................................................................................................184How directory login restrictions are enforced.......................................................................184Restricting roles...........................................................................................................185

Role time restrictions...............................................................................................185Role address restrictions..........................................................................................185

User restrictions...........................................................................................................186User address restrictions..........................................................................................186How user time restrictions are enforced......................................................................186

Creating multiple restrictions and roles...........................................................................187Using bulk import tools.....................................................................................................188

HP Directories Support for ProLiant Management Processors utility...............................................188Introduction to HP Directories Support for ProLiant Management Processors utility.....................189

Compatibility..................................................................................................................189

8 Contents



HP Directories Support for ProLiant Management Processors package.....................................189Using HP Directories Support for ProLiant Management Processors.........................................190

Finding management processors...................................................................................190Upgrading firmware on management processors.............................................................191Selecting a directory access method..............................................................................193Naming management processors..................................................................................194Configuring directories when HP Extended Schema is selected..........................................195Configuring directories when schema-free integration is selected........................................198

Setting up management processors for directories............................................................1987 Troubleshooting......................................................................................200

Kernel debugging.................................................................................................................200Event log entries...................................................................................................................201Hardware and software link-related issues................................................................................203Login issues.........................................................................................................................204

Login name and password not accepted.............................................................................204Directory user premature logout.........................................................................................204iLO management port not accessible by name.....................................................................205iLO RBSU unavailable after iLO and the server reset.............................................................205Unable to access the login page........................................................................................205

Unable to return to login page after an iLO flash or reset......................................................205Unable to access Virtual Media or the graphical Remote Console..........................................205Unable to connect to iLO after changing network settings......................................................205Unable to connect to the iLO processor through the NIC.......................................................206Unable to log in to iLO after installing the iLO certificate.......................................................206Unable to connect to the iLO IP address..............................................................................206Blocked iLO ports.............................................................................................................206

Troubleshooting alert and trap issues.......................................................................................206Unable to receive HP SIM alarms (SNMP traps) from iLO.......................................................207Using the iLO Security Override switch for emergency access.................................................207

Troubleshooting license installation..........................................................................................208Troubleshooting directory issues .............................................................................................208

User contexts do not appear to work..................................................................................208Directory user does not log out after the directory timeout has expired....................................208

Troubleshooting Remote Console issues...................................................................................208 Java IRC applet displays a red X when Firefox is used to run Java IRC on a Linux client ............208Unable to navigate the single cursor of the Remote Console to corners of the Remote Consolewindow..........................................................................................................................208Remote Console text window not updated correctly..............................................................208Mouse or keyboard not working in .NET IRC or Java IRC......................................................209.NET IRC sends characters continuously after switching windows ...........................................209

Java IRC does not display the correct floppy and USB-key device...........................................209Caps Lock goes out of sync between iLO and Java IRC.........................................................210

Num Lock goes out of sync between iLO and Shared Remote Console....................................211Keystrokes repeat unintentionally during a remote console session..........................................211Session leader does not receive a connection request when .NET IRC is in replay mode............211Keyboard LED does not work correctly................................................................................211Inactive .NET IRC.............................................................................................................211.NET IRC failed to connect to the server..............................................................................212

Troubleshooting SSH issues....................................................................................................212Initial PuTTY input slow.....................................................................................................212PuTTY client unresponsive..................................................................................................212SSH text support from a text-based Remote Console session...................................................212

iLO Virtual Floppy media applet unresponsive..........................................................................212

Troubleshooting text-based Remote Console issues....................................................................212

Contents 9



Unable to view the Linux installer in the text-based Remote Console........................................213Unable to pass data through an SSH terminal......................................................................213

Troubleshooting miscellaneous issues.......................................................................................213Cookie sharing between browser instances and iLO.............................................................213

Shared instances.........................................................................................................213Cookie order behavior.................................................................................................213Displaying the current session cookie.............................................................................214Preventing cookie-related user issues..............................................................................214

Unable to get SNMP information from HP SIM.....................................................................214Unable to upgrade iLO firmware........................................................................................215iLO network failed flash recovery.......................................................................................215Problems generating a keytab by using ktpass.exe...............................................................216Testing SSL......................................................................................................................216File not present after copy through .NET IRC virtual drives to USB key.....................................217Resetting iLO...................................................................................................................217Server name still present after the System Erase Utility is executed...........................................218Certificate error when navigating to the iLO web interface.....................................................218

Internet Explorer..........................................................................................................218Firefox.......................................................................................................................219

8 Support and other resources....................................................................220Information to collect before you contact HP.............................................................................220How to contact HP................................................................................................................220Registering for Software Technical Support and Update Service..................................................220

How to use Software Technical Support and Update Service..................................................220HP Support Center................................................................................................................220HP authorized resellers..........................................................................................................221Related information...............................................................................................................221

9 Documentation feedback.........................................................................222 A Directory services schema.......................................................................223

HP Management Core LDAP OID classes and attributes.............................................................223Core classes....................................................................................................................223Core attributes.................................................................................................................223Core class definitions.......................................................................................................223

hpqTarget..................................................................................................................223hpqRole.....................................................................................................................224hpqPolicy...................................................................................................................224

Core attribute definitions...................................................................................................224hpqPolicyDN..............................................................................................................224hpqRoleMembership....................................................................................................224hpqTargetMembership.................................................................................................225hpqRoleIPRestrictionDefault...........................................................................................225

hpqRoleIPRestrictions...................................................................................................225hpqRoleTimeRestriction.................................................................................................226

Lights-Out Management specific LDAP OID classes and attributes................................................226Lights-Out Management classes.........................................................................................226Lights-Out Management attributes......................................................................................226Lights-Out Management class definitions.............................................................................226

hpqLOMv100.............................................................................................................226Lights-Out Management attribute definitions........................................................................227

hpqLOMRightLogin......................................................................................................227hpqLOMRightRemoteConsole........................................................................................227hpqLOMRightVirtualMedia...........................................................................................227hpqLOMRightServerReset..............................................................................................227

10 Contents



hpqLOMRightLocalUserAdmin.......................................................................................228hpqLOMRightConfigureSettings.....................................................................................228

Glossary..................................................................................................229Index.......................................................................................................232

Contents 11



1 Introduction to iLOThe HP iLO Management Engine is a set of embedded management features that support thecomplete life cycle of the server. HP iLO is one feature of the HP iLO Management Engine.

The HP iLO subsystem is a standard component of HP ProLiant servers that simplifies initial serversetup, server health monitoring, power and thermal optimization, and remote server administration.The HP iLO subsystem includes an intelligent microprocessor, secure memory, and a dedicatednetwork interface. This design makes HP iLO independent of the host server and its operatingsystem.

HP iLO enables and manages the Active Health System and also features Agentless Management.HP iLO monitors all key internal subsystems. When enabled, SNMP alerts are sent directly by HPiLO regardless of the host operating system or even if no host operating system is installed.

By using HP iLO, you can do the following:

• Access a high-performance and secure Integrated Remote Console to the server from anywherein the world if you have a network connection to the server.

There are two versions of the Integrated Remote Console:

◦ .NET IRC

◦ Java IRC

General references to the Remote Console apply to both the .NET IRC and Java IRC, unlessotherwise specified.

• Use the shared .NET IRC to collaborate with up to four server administrators.

• Remotely mount high-performance Virtual Media devices to the server.

• Securely and remotely control the power state of the managed server.

• Have true Agentless Management with SNMP alerts from HP iLO regardless of the state ofthe host server.

• Access Active Health System troubleshooting features through the HP iLO web interface.

• Use Virtual Power and Virtual Media from the GUI, the CLI, or the iLO scripting toolkit formany tasks, including the automation of deployment and provisioning.

• Monitor server health. iLO monitors temperatures in the server and sends corrective signals tothe fans to maintain proper server cooling. iLO also monitors firmware versions and the statusof fans, memory, the network, processors, power supplies, and internal storage.

iLO web interfaceThe iLO web interface groups similar tasks for easy navigation and workflow. The interface is

organized in a navigational tree view located on the left side of the page. The top-level branchesinclude the Information, Remote Console, Virtual Media, Power Management, and Administrationbranches. If you have a ProLiant server blade, the BL c-Class branch is included.

When you are using the iLO web interface, note the following:

• Each high-level iLO branch has a submenu that you can display by clicking the + icon to theleft of that branch. Each menu topic displays a page title, which describes the information orsettings available on that page. The page title might not reflect the name that is displayed onthe menu option.

• Assistance for all iLO pages is available from the iLO help pages. To access page-specifichelp, click the question-mark icon on the upper right side of the page.

12 Introduction to iLO



• Typical administrator tasks are available from the Administration branch of the iLO webinterface. These features are used by administrators who must manage users, configure globaland network settings, and configure or enable the more advanced iLO features. These tasksare described in“Setting up iLO” (page 14) and “Configuring iLO” (page 22).

• Typical user tasks are available from the Information, Remote Console, Virtual Media, andPower Management branches of the iLO web interface. These tasks are described in “UsingiLO” (page 80).

For more information about iLO functionality and integration, see the following:• “Integrating HP Systems Insight Manager” (page 150)

• “Directory services” (page 153)

• “Troubleshooting” (page 200)

iLO RBSUYou can use the iLO ROM-based setup utility to configure network parameters, global settings, anduser accounts. iLO RBSU is designed for the initial iLO setup, and is not intended for continuediLO administration. iLO RBSU is available whenever the server is booted and can be run remotelyvia the Remote Console. Press F8 during POST to enter iLO RBSU.

You can disable iLO RBSU in the iLO RBSU Global Settings preferences. Disabling iLO RBSUprevents reconfiguration from the host unless the iLO Security Override Switch is set.

For more information about using iLO RBSU, see the following:

• “Setting up iLO by using iLO RBSU” (page 16)

• “iLO RBSU security” (page 40)

iLO Mobile applicationThe HP iLO Mobile application provides access to the Remote Console of your HP ProLiant serverfrom your mobile device. The mobile app interacts directly with the iLO processor on HP ProLiant

servers, providing total control of the server at all times as long as the server is plugged in. Forexample, you can access the server when it is in a healthy state, or when it is powered off with ablank hard drive. As an IT administrator, you can troubleshoot problems and perform softwaredeployments from almost anywhere.

For more information about the iLO mobile application, see http://www.hp.com/go/ilo/mobileapp.

iLO RBSU 13

http://www.hp.com/go/ilo/mobileapp




2 Setting up iLOThe iLO default settings enable you to use most features without additional configuration. However,the configuration flexibility of iLO enables customization for multiple enterprise environments. Thischapter discusses the initial iLO setup steps. For information about additional configuration options,see “Configuring iLO” (page 22).

Complete the initial setup steps:

1. Decide how you want to handle networking and security. For more information, see “Preparingto set up iLO” (page 14).

2. Connect iLO to the network. For more information, see “Connecting iLO to the network”(page 16).

3. If you are not using dynamic IP addressing, configure a static IP address by using iLO RBSU.For more information, see “Setting up iLO by using iLO RBSU” (page 16).

4. If you are using the local accounts feature, set up your user accounts by using iLO RBSU orthe iLO web interface. For more information, see “Setting up iLO by using iLO RBSU” (page 16)or “Setting up iLO by using the iLO web interface” (page 19).

5. Install an iLO license. For more information, see “Activating iLO licensed features” (page 20).

6. If required, install the iLO drivers. For more information, see “Installing the iLO drivers”(page 20).

Preparing to set up iLOBefore setting up an iLO management processor, you must decide how to handle networking andsecurity. The following questions can help you configure iLO:

1. How should iLO connect to the network?

For a graphical representation and explanation of the available connections, see “ConnectingiLO to the network” (page 16).

Typically, iLO is connected to the network through one of the following:

• A corporate network that both the NIC and the iLO port are connected to. This connectionenables access to iLO from anywhere on the network and reduces the amount ofnetworking hardware and infrastructure required to support iLO. However, on a corporatenetwork, traffic can hinder iLO performance.

• A dedicated management network with the iLO port on a separate network. A separatenetwork improves performance and security because you can physically control whichworkstations are connected to the network. A separate network also provides redundantaccess to the server when a hardware failure occurs on the corporate network. In thisconfiguration, iLO cannot be accessed directly from the corporate network.

2. How will iLO acquire an IP address?

To access iLO after connecting it to the network, the iLO management processor must acquirean IP address and subnet mask by using either a dynamic or static process:

• A dynamic IP address is set by default. iLO obtains the IP address and subnet mask fromDNS or DHCP servers. This method is the simplest.

• A static IP address is used if DNS or DHCP servers are not available on the network. Astatic IP address can be configured via iLO RBSU. For more information, see “Configuringthe network settings (static IP addresses only)” (page 17).

IMPORTANT: If you will use a static IP address, you must have the IP address beforestarting the iLO setup process.

14 Setting up iLO



3. What access security is required and what user accounts and privileges are needed?

iLO provides several options to control user access. You must select from the following methodsto prevent unauthorized access to corporate IT assets:

• Local accounts—Up to 12 user names and passwords can be stored on iLO. This is idealfor small environments such as labs and small-sized or medium-sized businesses.

• Directory services—Use the corporate directory to manage iLO user access. This is idealfor environments that have a large number of users. If you plan to use directory services,

consider leaving at least one local administrator account enabled for alternate access.For more information about iLO access security, see “Configuring iLO security” (page 38).

4. How do you want to configure iLO?

iLO supports various interfaces for configuration and operation. This guide discusses thefollowing interfaces:

• Use iLO RBSU when the system environment does not use DHCP and DNS or WINS. Formore information, see “Setting up iLO by using iLO RBSU” (page 16).

• Use browser-based setup when you can connect to iLO on the network by using a webbrowser. You can also use this method to reconfigure a previously configured iLOmanagement processor. For more information, see “Setting up iLO by using the iLO webinterface” (page 19).

Other configuration options not discussed in this guide include the following:

• HP Intelligent Provisioning—Press F10 during POST to start HP Intelligent Provisioning.For information about the iLO settings you can configure, see the HP Intelligent ProvisioningUser Guide .

• HP Scripting Toolkit—The Scripting Toolkit is a server deployment product for IT expertsthat delivers an unattended automated installation for high-volume server deployments.For more information, see HP Scripting Toolkit for Linux User Guide and HP ScriptingToolkit for Windows User Guide .

• Scripting—You can use scripting for advanced setup of multiple iLO managementprocessors. Scripts are XML files written for a scripting language called RIBCL. You canuse RIBCL scripts to configure iLO on the network during initial deployment or from analready deployed host.

The following methods are available:

◦ HP Lights-Out Configuration Utility (CPQLOCFG)—A Windows utility that sends RIBCLscripts to iLO over the network.

◦ HP Lights-Out Online Configuration Utility (HPONCFG)—A local online scripted setuputility that runs on the host and passes RIBCL scripts to the local iLO. HPONCFGrequires the HP iLO Channel Interface Driver.

◦ Custom scripting environments—The scripting toolkit provides Perl samples that canbe used on clients to send RIBCL scripts to iLO over the network.

◦ SMASH CLP—A command-line protocol that can be used when a command line isaccessible through SSH or the physical serial port.

For more information about these methods, see the HP iLO 4 Scripting and Command Line Guide .

Preparing to set up iLO 15



Connecting iLO to the networkTypically, iLO is connected to the network through a corporate network or a dedicated managementnetwork.

• In a corporate network, the server has two network port types (server NICs and one iLO NIC)connected to a corporate network, as shown in Figure 1 (page 16).

Figure 1 Corporate network diagram

Main NIC

iLO

Main NIC

Hub/Switch

Client PCs

CorporateNetwork

Management Client

iLO

• In a dedicated management network, the iLO port is on a separate network, as shown inFigure 2 (page 16).

Figure 2 Dedicated management network diagram

Hub/SwitchMain NIC

iLO

iLO

Main NIC

Hub/Switch

Client PCs

CorporateNetwork

DedicatediLO Management

Network

Management Client

Setting up iLO by using iLO RBSUHP recommends using iLO RBSU to set up iLO for the first time and to configure iLO network

parameters for environments that do not use DHCP and DNS or WINS.

16 Setting up iLO



Configuring the network settings (static IP addresses only)This procedure is required only if you are using a static IP address. When you are using dynamicIP addressing, your DHCP server automatically assigns an IP address for iLO.

NOTE: To simplify installation, HP recommends using DNS or DHCP with iLO.

To configure a static IP address:

1. Restart or power on the server.

2. Press F8 when prompted during POST.iLO RBSU starts.

3. Disable DHCP:a. Select Network→DNS/DHCP, and then press Enter .

The Network Autoconfiguration window opens.

b. Select DHCP Enable, as shown in Figure 3 (page 17).c. Press the spacebar to change the setting to OFF.

Figure 3 iLO RBSU Network Autoconfiguration window

d. Verify that DHCP Enable is set to OFF, and then press F10 to save the changes.

Setting up iLO by using iLO RBSU 17



4. Enter an IP address and subnet mask:a. Select Network→NIC and TCP/IP, and then press Enter .

The Network Configuration window opens.

b. Enter the appropriate information in the IP Address, Subnet Mask, and Gateway IP Addressfields.

Figure 4 iLO RBSU Network Configuration

c. Press F10 to save the changes.

5. Select File→Exit to exit iLO RBSU.The changes take effect when you exit iLO RBSU.

Setting up iLO user accounts by using iLO RBSUTo set up local accounts:

1. Restart or power on the server.2. Press F8 when prompted during POST.

iLO RBSU starts.

3. If prompted, enter a valid iLO user ID and password with the required iLO privileges (Administer

User Accounts, Configure iLO Settings).Default account information is located on the iLO Default Network Settings tag attached tothe server that contains the iLO management processor.

NOTE: The login prompt is displayed only if iLO is configured to present a login challengein iLO RBSU.

4. Select Add, Edit, or Remove from the User menu. For an example showing the Add Userscreen, see “Adding a user with RBSU” (page 19).

18 Setting up iLO



Figure 5 Adding a user with RBSU

5. Follow the onscreen instructions to add, edit, or remove users.6. Select File→Exit to exit iLO RBSU.

Setting up iLO by using the iLO web interfaceYou can set up iLO using the web interface if you can connect to iLO on the network by using aweb browser. You can also use this method to reconfigure a previously configured iLO managementprocessor.

Access iLO from a remote network client by using a supported browser, and providing the defaultDNS name, user name, and password. For information about the DNS name and default accountcredentials, see “Logging in to iLO for the first time” (page 19).

For information about the configuration procedures available in the iLO web interface, see“Configuring iLO” (page 22).

Logging in to iLO for the first timeThe iLO firmware is configured with a default user name, password, and DNS name. Default userinformation is located on the iLO Default Network Settings tag attached to the server that containsthe iLO management processor. Use these values to access iLO remotely from a network client byusing a web browser.

The default values follow:

• User name—Administrator

• Password—A random eight-character alphanumeric string

• DNS name—ILOXXXXXXXXXXXX , where the X s represent the serial number of the server

If you enter an incorrect user name and password, or a login attempt fails, iLO imposes a securitydelay. For more information about login security, see “Login security” (page 43).

IMPORTANT: HP recommends changing the default values after you log in to iLO for the firsttime. For instructions, see “Administering users” (page 29).

Setting up iLO by using the iLO web interface 19



Activating iLO licensed featuresTo activate iLO licensed features, install an HP iLO license. iLO licenses activate functionality suchas graphical remote console with multi-user collaboration, video record/playback, and many moreadvanced features. For licensing information and installation instructions, see “iLO licensing”(page 27).

Installing the iLO drivers

The iLO drivers enable software such as HPONCFG and the HP Insight Management Agents tocommunicate with iLO. Your OS and system configuration determine the driver requirements. ForOS-specific driver information, see the following:

• “Microsoft device driver support” (page 20)

• “Linux device driver support” (page 21)

• “VMware device driver support” (page 21)

The iLO drivers are available from the HP Service Pack for ProLiant (Windows and Linux only) andthe HP website (Windows, Linux, and VMware).

• You can download the SPP from the following website: http://www.hp.com/go/spp/

download. For information about using the SPP, see the SPP documentation.• To download the drivers from the HP website:

1. Navigate to the Support & Drivers page on the HP website: http://www.hp.com/support.2. Select a country or region.

The Support & Drivers page opens.

3. Click the Drivers & Software link.4. In the search field, enter the server model that you are using (for example, DL360p).

A list of servers is displayed.

5. Click the link for your server.6. Click the link for the server operating system.7. Download the iLO drivers.8. Follow the installation instructions provided with the downloaded software.

Microsoft device driver support When you are using Windows with iLO, the following drivers are available:

• HP ProLiant iLO 3/4 Channel Interface Driver for Windows. This driver is required for theoperating system to communicate with iLO. Install this driver in all configurations.

• HP ProLiant iLO 3/4 Management Controller Driver Package for Windows. This packageincludes the following components:

◦ hpqilo3core.sys provides iLO Management Controller Driver support.

◦ ProLiantMonitor.exe provides the HP ProLiant Health Monitor Service and HPProLiant System Shutdown Service.

◦ hpqilo3whea.sys is a helper service for Windows Hardware Error Architecture, whichpasses information between iLO and the operating system in the event of a hardwarefault.

IMPORTANT: The Management Controller Driver Package is required to support AutomaticServer Recovery and the HP Insight Management Agents or HP Insight Management WBEMProviders (if installed). For more information, see “Configuring iLO Management settings”

(page 71).

20 Setting up iLO

http://www.hp.com/go/spp/download


http://www.hp.com/support

http://www.hp.com/support





Linux device driver support When you are using Linux with iLO, the following drivers are available:

• hpilo—The HP ProLiant Channel Interface Device Driver for iLO manages agent and toolapplication access to iLO.

• hp-health—The HP System Health Application and Command Line Utilities is a collectionof applications and tools that enables monitoring of fans, power supplies, temperature sensors,and other management events. This RPM contains the hpasmd, hpasmlited, hpasmpld,

and hpasmxld daemons.

IMPORTANT: These drivers are standard for SLES 11, Red Hat 5, and Red Hat 6. You must installthe drivers manually on SLES 10.

For open-source Linux distributions (Ubuntu, Debian, Fedora, and others), the hpilo driver is partof the Linux kernel, so the driver is loaded automatically at start-up.

Use the following commands to load the iLO drivers:

rpm -ivh hpilo-d.vv.v-pp.Linux_version.arch.rpm

rpm -ivh hp-health-d.vv.v-pp.Linux_version.arch.rpm

Where d is the Linux distribution and version, vv.v-pp are version numbers, and arch is thearchitecture (i386 or x86_64).

Use the following commands to remove the iLO drivers:

rpm -e hpilo

rpm -e hp-health

VMware device driver support When you are using VMware with iLO, the following driver is available:

hpilo—The HP ProLiant Channel Interface Device Driver for iLO manages agent, WBEM provider,and tool application access to iLO. This driver is included in the VMware images that HP has

customized. For raw VMware images, the driver must be installed manually. The driver is includedwith the following packages:

• HP Agentless Management Service Offline Bundle for ESXi 4.1 U2 or ESXi 5.0

• HP Agentless Management Service for ESX 4.1 U2

• HP ESXi Offline Bundle for ESXi 4.1 or ESXi 5.0

• HP ESXi Utilities Offline Bundle for ESXi 5.0

• HP Management Agents for ESX 4.x

Installing the iLO drivers 21



3 Configuring iLOTypically, an advanced or administrative user who manages users and configures global andnetwork settings configures iLO. This guide provides information about configuring iLO by usingthe iLO web interface and iLO RBSU.

TIP: You can also perform many iLO configuration tasks by using XML configuration and controlscripts or SMASH CLP. For information about using these methods, see the HP iLO 4 Scripting and Command Line Guide, HP Scripting Toolkit for Linux User Guide , and HP Scripting Toolkit for Windows User Guide .

Updating iLO firmwareFirmware updates enhance iLO functionality with new features, improvements, and security updates.You can download the latest firmware from the following website: http://www.hp.com/support/ilo4.

Users who have the Configure iLO Settings privilege or host operating system Administrator/rootprivileges can update iLO firmware. If the iLO Security Override Switch is set, any out-of-band user

can update the firmware.To update the iLO firmware, use an online or offline method:

• Online firmware update—When you use an online method to update the firmware, no serverreboot is required. You can update the firmware and reset iLO without affecting the availabilityof the server's host operating system. The online update method can be performed in-bandor out-of-band.

◦ In-band firmware update—When you use this method to update the iLO firmware, theiLO firmware is sent to iLO directly from the server host operating system. The HP ProLiantChannel Interface Device Driver is required for host-based iLO firmware updates. Duringa host-based firmware update, the iLO firmware does not verify login credentials or user

privileges because the host-based utilities require a root login (Linux and VMware ESXClassic) or Administrator login (Windows).

You can use the following in-band firmware update methods:

– Online ROM Flash Component—Use an executable file to update iLO while the serveris operating. The executable file contains the installer and the firmware package.You can download an Online ROM Flash Component from the HP website at http://www.hp.com/support/ilo4.

– HPONCFG—Use the HP Lights-Out Online Configuration Utility to configure iLO byusing XML scripts. Download the iLO firmware image and theUpdate_Firmware.xml sample script. Edit the sample script with your setup

details, and then run the script.Sample scripts are available at http://www.hp.com/support/ilo4. For moreinformation about scripting, see the HP iLO 4 Scripting and Command Line Guide .

22 Configuring iLO

http://www.hp.com/support/ilo4












For instructions about obtaining the iLO firmware image, see “Obtaining the iLOfirmware image file” (page 23).

◦ Out-of-band firmware update—When you use this method to update the iLO firmware,you use a network connection to communicate with iLO directly.

You can use the following out-of-band firmware update methods:

– iLO web interface—Download the Online ROM Flash Component and install it by

using the iLO web interface. For instructions, see “Updating iLO firmware by usinga browser” (page 24).

– CPQLOCFG—Use the HP Lights-Out Configuration Utility to configure iLO by usingXML scripts. Download the iLO firmware image and the Update_Firmware.xmlsample script. Edit the sample script with your setup details, and then run the script.

Sample scripts are available at http://www.hp.com/support/ilo4. For moreinformation about scripting, see the HP iLO 4 Scripting and Command Line Guide .

For instructions about obtaining the iLO firmware image, see “Obtaining the iLOfirmware image file” (page 23).

– HPLOMIG (also called HP Directories Support for Management Processors)—Download

the HP Directories Support for Management Processors executable file to access thedirectory support components. One of the components, HPLOMIG, can be used todiscover multiple iLO processors and update their firmware in one step. You do notneed to use directory integration to take advantage of this feature. For moreinformation, see “Upgrading firmware on management processors” (page 191).

◦ SMASH CLP—Access SMASH CLP through the SSH port and use standard commands toview firmware information and update the firmware.

For more information about SMASH CLP, see the HP iLO 4 Scripting and Command Line Guide .

• Offline firmware update—When you use an offline firmware update method, you must reboot

the server by using an offline utility. Examples of offline firmware updates include the following:

◦ HP Service Pack for ProLiant—Use the Service Pack for ProLiant to install the firmwareupdate. For more information, see the following website: http://www.hp.com/go/spp.

◦ Windows or Linux Scripting Toolkit—Use the Scripting Toolkit to configure several settingswithin the server and update firmware. This method is useful for deploying to multipleservers. For instructions, see the HP Scripting Toolkit for Linux User Guide or HP ScriptingToolkit for Windows User Guide .

Obtaining the iLO firmware image fileMany of the available firmware update methods require the iLO .bin firmware image. You mustextract the .bin file from the iLO Online ROM Flash Component.

To download the iLO Online ROM Flash Component file and then extract the .bin file:

1. Navigate to the HP website at http://www.hp.com/support/ilo4.

The Download drivers and software page opens.

2. Select your server operating system.3. Follow the onscreen instructions to download the iLO Online ROM Flash Component file.4. Double-click the downloaded file, and then click the Extract button.5. Select a location for the extracted files, and then click OK .

The firmware image is a file similar to ilo_yyy .bin, where yyy represents the firmware

version.

Updating iLO firmware 23


http://www.hp.com/go/spp



http://www.hp.com/go/spp




Updating iLO firmware by using a browserYou can update the iLO firmware from any network client by using a supported browser. For a listof supported browsers, see the HP iLO 4 Release Notes or http://www.hp.com/go/compareilo.

To update the iLO firmware:

1. Obtain the firmware image file. For instructions, see “Obtaining the iLO firmware image file”(page 23).

2. Navigate to the Administration→iLO Firmware page.

The Firmware Update page opens, as shown in Figure 6 (page 24).

Figure 6 Firmware Update page

3. Click Browse, and then specify the location of the firmware image file in the File box.4. Click Upload to start the update process.

The iLO firmware receives, validates, and then flashes the firmware image. After the firmwareflashes and resets, iLO logs you out and the browser reconnects.

IMPORTANT: A firmware update takes approximately 1 minute, and then it takes 30 secondsfor the browser to reconnect. Do not interrupt a firmware update. If a firmware update isinterrupted or fails, attempt it again immediately. Do not reset iLO before reattempting theupdate.

The firmware update will not start if you navigate away from this page before the upload iscomplete.

5. To start working with the updated firmware, clear your browser cache, and then log in to iLO.

If an error occurs during a firmware update, see the section “Unable to upgrade iLO firmware”(page 215).

If an iLO firmware update is corrupted or canceled, and iLO is corrupted, see “iLO network failedflash recovery” (page 215).

24 Configuring iLO

http://www.hp.com/go/compareilo




Using language packsLanguage packs enable you to easily switch the iLO GUI from English to a language of your choice.Language packs currently provide translations for the iLO GUI, .NET IRC, and Java IRC.

Consider the following when you are using language packs:

• You must have the Configure iLO Settings privilege to install a language pack.

• You can install one additional language pack at a time. Uploading a new language pack

replaces the currently installed language pack, regardless of the language pack version.• The language pack firmware is independent of the iLO firmware. Setting iLO to factory defaults

does not remove an installed language pack.

• The Java IRC and the .NET IRC use the language of the current iLO session.

• For localization support with the Java IRC on Windows systems, you must select the correctlanguage in the Regional and Language Options Control Panel.

• For localization support with the Java IRC on Linux systems, make sure that the fonts for thespecified language are installed and available to the JRE.

Installing a language pack

1. Navigate to the iLO software download website: http://www.hp.com/support/ilo4.2. Download the language pack to your local computer.3. Navigate to the Administration→ Access Settings→Language page, as shown in Figure 7

(page 25).

Figure 7 Access Settings – Language page

4. Click Browse in the Upload Language Pack section.

Using language packs 25





5. Select the downloaded language pack, and then click Open.

The following message appears:Only one language pack is supported at a time. If a language pack is alreadyinstalled, it will be replaced with this upload. Are you sure?

6. Click OK to continue.

If you have a previously installed language pack, this language pack will replace it.

7. Click Upload.

iLO will automatically reboot after installing a language pack. This will end your browserconnection with iLO. You must wait at least 30 seconds before attempting to reestablish aconnection.

Selecting a language pack After you have installed a language pack, you can select it in the following ways:

• From the login page, as shown in Figure 8 (page 26).

Figure 8 Login page language menu

• From the toolbar located on the bottom right side of the iLO web interface, as shown in Figure 9(page 26).

Figure 9 Toolbar language menu

• From the Access Settings→Language page. For instructions, see “Configuring the currentlanguage settings” (page 27).

You can also set the default language on the Language page. Navigate to the

Administration→ Access Settings page, and then click the Language tab. From there, you canconfigure the default or current language and remove a language pack.

Configuring the default language settingsTo set the default language for the users of this instance of the iLO firmware:1. Navigate to the Access Settings→Language page, as shown in Figure 7 (page 25).2. Select a value in the Default Language menu.

The available languages are English and an additional language pack if one is installed.

3. Click Apply.

26 Configuring iLO



Configuring the current language settingsTo set the current language of this browser session:1. Navigate to the Access Settings→Language page, as shown in Figure 7 (page 25).2. Select a value in the Current Language menu.

The available languages are English and an additional language pack if one is installed.

3. Click Apply.

Removing a language pack1. Navigate to the Access Settings→Language page, as shown in Figure 7 (page 25).2. Click the Uninstall button in the Installed Languages section.

The following message appears:

Applying new settings requires an iLO reset.Would you like to apply the new settings and reset iLO now?

3. Click OK to continue.

iLO resets and closes your browser connection.

4. Wait 30 seconds, and then log back in to iLO.

iLO licensingHP iLO standard features are included in every HP ProLiant server to simplify server setup, engagehealth monitoring, power and thermal control, and promote remote administration.

HP iLO Advanced and HP iLO Advanced for BladeSystem licenses activate functionality such asgraphical remote console with multi-user collaboration, video record/playback, and many moreadvanced features.

Unlocking iLO licensed features has never been easier. Simply determine which license best suitsyour company's infrastructure.

The following license types are available:

• iLO Advanced Single Server License

• iLO Advanced Electronic License

• iLO Advanced Flexible Quantity License

• iLO Advanced Volume License

For details on purchasing licenses and a list of licensed features, see the following website: http://www.hp.com/go/ilo/licensing.

Consider the following information about iLO licenses:

• iLO licenses are versionless, meaning, regardless of the version of iLO you have enabled (iLO2, iLO 3, or iLO 4), an iLO license can be applied. For features that are specific to the version

of iLO on your ProLiant server, see the following website: http://www.hp.com/go/compareilo.• If you purchase an iLO license with any Insight Control software suite, HP provides the Technical

Support and Update Service. For more information, see “Support and other resources”(page 220).

• If you purchase an iLO license as a one-time activation of licensed features, you must purchasefuture functional upgrades.

• One iLO license is required for each server on which the product is installed and used. Licensesare not transferable. You cannot license an HP ProLiant SL/ML/DL server by using aBladeSystem license.

• HP will continue to provide maintenance releases with fixes, as well as iLO standard feature

enhancements, at no extra charge.

iLO licensing 27

http://www.hp.com/go/ilo/licensing








Free iLO Advanced 60-day evaluation license A free iLO Advanced evaluation license is available for download from the HP website at http://www.hp.com/go/tryinsightcontrol .

When using an evaluation license, note the following:

• The evaluation license activates and enables access to iLO Advanced features.

• The evaluation license key is a 10-seat key, meaning it can be used on 10 different servers.

• When the evaluation period has expired, your iLO will return to the standard functionality.• Only one evaluation license may be installed to an iLO. The iLO firmware will not accept the

reapplication of an evaluation license.

• The evaluation license expires 60 days after the installation date. HP will notify you by e-mailwhen your license is about to expire.

Installing an iLO license by using a browserUse the following procedure to install an iLO license.

You must have the Configure iLO Settings privilege to install a license.

1. Navigate to the Administration→Licensing page in the iLO web interface.

The Licensing page opens, as shown in Figure 10 (page 28).

Figure 10 Licensing page

2. Review the license agreement provided with your HP License Pack option kit.3. Enter the license key in the Activation Key fields.

Press the Tab key or click inside a field to move between fields. The Activation Key fieldsadvance automatically as you enter data.

4. Click Install.

The EULA confirmation opens. The EULA details are available in the license kit.

5. Click OK.

The license key is now enabled.

28 Configuring iLO

http://www.hp.com/go/tryinsightcontrol






For tips on troubleshooting license installation, see “Troubleshooting license installation” (page 208).

Administering usersThe iLO firmware enables you to manage user accounts stored locally in the secure iLO memoryand directory group accounts. Use MMC or ConsoleOne to manage directory-based user accounts.

iLO supports up to 12 users with customizable access rights, login names, and advanced passwordencryption. Privileges control individual user settings. Users can have privileges customized to their

individual access requirements.To support more than 12 users, you must have an iLO license, which enables integration with anunlimited number of directory-based user accounts. For more information about iLO Licensing visitthe following webpage: http://www.hp.com/go/ilo/licensing.

The following privileges are required for user and directory group administration:

• Administer User Accounts—Required for adding, modifying, and deleting users. If you do nothave this privilege, you can view your own settings and change your password.

• Configure iLO Settings—Required for adding, modifying, or deleting directory groups. If youdo not have this privilege, you can view directory groups.

Viewing local usersTo view local users, navigate to the Administration→User Administration page, as shown inFigure 11 (page 29).

Figure 11 User Administration page

The Local Users table shows the login names and the user names of the configured users. Localusers have the following privileges available for activation:

Administering users 29





Table 1 Local user account privileges

PrivilegeIcon

Remote Console

Virtual Media

Virtual Power and Reset

Configure iLO Settings

Administer User Accounts

Viewing directory groups

To view directory groups, navigate to the Administration→

User Administration page, as shown inFigure 11 (page 29).

The Directory Groups table shows the login names of the group administrators and the group SIDs.Group administrators have the following privileges available for activation:

Table 2 Directory user account privileges

Login

Remote Console

Virtual Media

Virtual Power and Reset

Configure iLO Settings

Administer User Accounts

Adding or editing local usersUsers who have the Administer User Accounts privilege can add or edit iLO users.

To add or edit a local user:

1. Navigate to the Administration→User Administration page, as shown in Figure 11 (page 29).2. Do one of the following:

• Click New in the Local Users section.

• Select a user in the Local Users section, and then click Edit.

The Add/Edit Local User page opens, as shown in Figure 12 (page 31).

30 Configuring iLO



Figure 12 Add/Edit Local User page

3. Provide the following details in the User Information section:

• User Name appears in the user list and on the home page. It does not have to be thesame as the login name. The maximum length for a user name is 39 characters. The username must use printable characters.

• Login Name is the name that you must use when logging in to iLO. The maximum lengthfor a login name is 39 characters. The login name must use printable characters.

• Password and Password Confirm set and confirm the password that is used for loggingin to iLO. The minimum length for a password is set on the Access Settings page. Themaximum length for a password is 39 characters. Enter the password twice for verification.

4. Select from the following permissions when you are adding or editing a user account:

• Administer User Accounts—Enables you to add, modify, and delete local iLO user accounts.It also allows you to change privileges for all users, including granting all permissions toyourself. If you do not have this privilege, you can view your own settings and changeyour own password.

• Remote Console Access—Enables you to remotely access the host system Remote Console,including video, keyboard, and mouse control.

• Virtual Power and Reset—Enables you to power-cycle or reset the host system. Any ofthese activities interrupts the availability of the system. You can also diagnose the systemby using the virtual NMI button.




• Virtual Media—Enables you to use the Virtual Media feature on the host system.

• Configure iLO Settings—Enables you to configure most iLO settings, including securitysettings, and to remotely update the iLO firmware. This privilege does not enable localuser account administration.

After iLO is configured, revoking this privilege from all users prevents reconfiguration viathe web interface, CPQLOCFG, or the command-line interface. Users who have accessto iLO RBSU and HPONCFG can still reconfigure iLO. Only a user who has the Administer

User Accounts privilege can enable or disable this privilege.

TIP: Click the select all check box to select all of the available user permissions.

5. Do one of the following:

• Click Add User to add a new user.

• Click Update User to edit a user.

IPMI/DCMI users

The iLO firmware follows the IPMI 2.0 specification. When you are adding IPMI/DCMI users, the

login name must be 16 or fewer characters and the password must be 20 or fewer characters. When you select iLO user permissions, the equivalent IPMI/DCMI user privilege is displayed inthe IPMI/DCMI Privilege based on above settings box.

• User —A user has read-only access. A user cannot configure or write to iLO, or perform systemactions.

For IPMI User privileges: Disable all privileges.

• Operator —An operator can perform system actions, but cannot configure iLO.

• Administrator —An administrator has read and write access.

For IPMI Administrator privileges: Enable all privileges.

Administering directory groupsiLO enables you to view iLO groups and modify settings for those groups. You must have theConfigure iLO Settings privilege. Use the Add/Edit Directory Group page to add or edit iLO directorygroups.

To view or modify a group:

1. Navigate to the Administration→User Administration page, as shown in Figure 11 (page 29).2. Do one of the following:

• Click New in the Directory Groups section.

•

Select a group in the Directory Groups section, and then click Edit.The Add/Edit Directory Group page opens, as shown in Figure 13 (page 33).

32 Configuring iLO



Figure 13 Add/Edit Directory Group page

3. Provide the following details in the Group Information section:

• Group DN (Security Group Distinguished Name)—Distinguished name of a group in thedirectory. Members of this group are granted the privileges set for the group. The specifiedgroup must exist in the directory, and users who need access to iLO must be members ofthis group. Complete this field with a distinguished name from the directory (for example,CN=Group1, OU=Managed Groups, DC=domain, DC=extension).

Shortened distinguished names are also supported (for example, Group1). The shorteneddistinguished name is not a unique match. Any group named Group1 is displayed. HPrecommends using the fully qualified distinguished name.

• Group SID (Security ID)—Microsoft Security ID is used for Kerberos and LDAP groupauthorization. This is required for Kerberos. The format is S-1-5-2039349.

4. Select from the following permissions when you are adding or editing a group account:

• Administer User Accounts—Enables users who belong to this group to add, edit, anddelete local user accounts.

• Remote Console Access—Enables users to remotely access the host system Remote Console,including video, keyboard, and mouse control.

• Virtual Power and Reset—Enables users to power-cycle or reset the host system. Theseactivities interrupt the availability of the system. When selected, this option also enablesa user to diagnose the system by using the virtual NMI button.

• Virtual Media—Enables users to use the Virtual Media feature on the host system.




• Configure iLO Settings—Enables users to configure most iLO settings, including securitysettings. When this permission is selected, a user can remotely update iLO firmware.

After iLO is configured, revoking this privilege from all users prevents reconfiguration viathe web interface or CPQLOCFG. Users who have access to iLO RBSU and HPONCFGcan still reconfigure iLO. Only a user who has the Administer User Accounts privilegecan enable or disable this privilege.

• Login Privilege—Enables members of a group to log in to iLO.


• Click Add Group to add a new group.

• Click Update Group to edit a group.

Deleting a user or a directory groupThe privilege required for this procedure depends on the user account type.

• To delete a local account, the Administer User Accounts privilege is required.

• To delete a directory group, the Configure iLO Settings privilege is required.

To delete an existing user or group:

1. Navigate to the Administration→User Administration page, as shown in Figure 11 (page 29).2. Select the check box next to the user or group that you want to delete.3. Click Delete.

A pop-up window opens with one of the following messages:

• Local user: Are you sure you want to delete the selected user(s)?Warning: Always leave at least one administrator.

• Directory group: Are you sure you want to delete the selectedgroup(s)?

4. Click OK .

Configuring iLO access settingsYou can modify iLO access settings, including service, IPMI/DCMI, and access options. The valuesthat you enter on the Access Settings page apply to all iLO users. You must have the Configure iLOSettings privilege to modify access settings.

The default configuration is suitable for most operating environments. The values that you canmodify on the Access Settings page allow complete customization of the iLO external access methodsfor specialized environments.

Configuring service settings

The Service section shows the SSH Access setting and the TCP/IP port values.The TCP/IP ports used by iLO are configurable, which enables compliance with any site requirementsor security initiatives for port settings. These settings do not affect the host system.

Changing these settings usually requires configuration of the web browser used for standard andSSL communication. When these settings are changed, iLO initiates a reset to activate the changes.

To configure Service settings:

34 Configuring iLO



Table 3 Service settings (continued)

Default valueField

If you change the SNMP Port value, some SNMP clients might not workcorrectly with iLO unless those clients support the use of a nonstandardSNMP port.

The industry-standard (default) SNMP trap port is 162 for SNMP alerts(or traps). You can customize the port number.

SNMP Trap Port

If you change the SNMP Trap Port value, some SNMP monitoringapplications (such as HP SIM) might not work correctly with iLO unlessthose clients support the use of a nonstandard SNMP trap port.

3. Click Apply to end your browser connection and restart iLO.

Wait at least 30 seconds before you attempt to re-establish a connection.

Configuring IPMI/DCMI settingsiLO enables you to send industry-standard IPMI and DCMI commands over the LAN. The IPMI/DCMIport is set to 623 and is not configurable.

To enable or disable IPMI/DCMI, select or clear the Enable IPMI/DCMI over LAN on Port 623check box, and then click Apply.

• Enabled (default)—Enables you to send IPMI/DCMI commands over the LAN by using aclient-side application.

• Disabled—Disables IPMI/DCMI over the LAN. Server-side IPMI/DCMI applications are stillfunctional when IPMI/DCMI over LAN is disabled.

Configuring access optionsThe Access Options section enables you to modify settings that affect all iLO users.

To view or modify iLO access options:

1. Navigate to the Administration→ Access Settings page, as shown in Figure 14 (page 35).2. Update the following values as needed:

Table 4 Access options

DescriptionDefault valueParameter

This setting specifies the interval of user inactivity, inminutes, before the iLO web interface and Remote Console

30 minutesIdle Connection Timeout(minutes)

session end automatically. The following settings are valid:15, 30, 60, or 120 minutes, or Infinite. Inactive users arenot logged out when this parameter is set to Infinite.

Failure to log out of iLO by either browsing to a differentsite or closing the browser also results in an idleconnection. The iLO firmware supports a finite number ofiLO connections. Misuse of the Infinite timeout option mightmake iLO inaccessible to other users. Idle connections arerecycled after they time out.

This setting applies to local and directory users. Directoryserver timeouts might preempt the iLO setting.

Changes to the Idle Connection Timeout value might nottake effect immediately in current user sessions, but willbe enforced immediately in all new sessions.

The iLO network and communications with operatingsystem drivers are turned off when iLO functionality isdisabled.

EnablediLO Functionality

36 Configuring iLO



Table 4 Access options (continued)


If iLO functionality is disabled (including the iLO DiagnosticPort), you must use the server Security Override Switch toenable iLO. See the server documentation to locate theSecurity Override Switch, and then set it to Override.Power up the server, and then use the iLO RBSU to set iLOFunctionality to Enabled.

NOTE: The iLO functionality cannot be disabled on bladeservers.

This setting enables or disables iLO RBSU. The iLO OptionROM prompts you to press F8 to start iLO RBSU, but if iLO

EnablediLO ROM-Based SetupUtility

is disabled or iLO RBSU is disabled, this prompt is notdisplayed.

This setting determines whether a user-credential promptis displayed when a user accesses iLO RBSU. If this setting

DisabledRequire Login for iLO RBSU

is Enabled, and you press F8 during POST, a login dialogbox opens.

This setting enables the display of the iLO network IP

address during host server POST.

EnabledShow iLO IP during POST

This setting enables you to change the login model of theCLI feature through the serial port. The following settingsare valid:

Enabled-AuthenticationRequired

Serial Command LineInterface Status

• Enabled-Authentication Required—Enables access tothe iLO CLP from a terminal connected to the host serialport. Valid iLO user credentials are required.

• Enabled-No Authentication—Enables access to the iLOCLP from a terminal connected to the host serial port.iLO user credentials are not required.

• Disabled—Disables access to the iLO CLP from the hostserial port. Use this option if you are planning to usephysical serial devices.

This setting enables you to change the speed of the serialport for the CLI feature. The following speeds (in b/s) are

9600Serial Command LineInterface Speed

valid: 9600, 19200, 38400, 57600, and 115200. Theserial port configuration must be set to no parity, 8 databits, and 1 stop bit (N/8/1) for correct operation. Theserial port speed set by this parameter must match thespeed of the serial port configured in the system ROMRBSU. For more information about the system ROM RBSU,see the HP ROM-Based Setup Utility User Guide .

This setting specifies the minimum number of charactersallowed when a user password is set or changed. Thecharacter length can be set to a value from 0 to 39.

8Minimum Password Length

This setting enables you to specify the host server name.You can assign this value manually, but it might be

—Server Name

overwritten by the host software when the operating systemloads.

To force the browser to refresh, save this setting, and thenpress F5.

This setting enables you to configure logging criteria forfailed authentications. All login types are supported; each

Enabled - Every 3rdFailure

Authentication FailureLogging

Configuring iLO access settings 37



Table 4 Access options (continued)


login type works independently. The following are validsettings:

• Enabled-Every Failure—A failed login log entry isrecorded after every failed login attempt.

• Enabled-Every 2nd Failure—A failed login log entry isrecorded after every second failed login attempt.

• Enabled-Every 3rd Failure—A failed login log entry isrecorded after every third failed login attempt.

• Enabled-Every 5th Failure—A failed login log entry isrecorded after every fifth failed login attempt.

• Disabled—No failed login log entry is recorded.



Using Authentication Failure Logging and SSH clients

When a user logs in to iLO by using SSH clients, the number of login name and password promptsdisplayed by iLO matches the value of the Authentication Failure Logging parameter (3 if it isdisabled). The number of prompts might also be affected by your SSH client configuration. SSHclients also implement delays after login failure.

For example, to generate an SSH authentication failure log with the default value (Enabled - Every3rd Failure), assuming that the SSH client is configured with the number of password prompts setto 3, three consecutive login failures occur as follows:

1. Run the SSH client and log in with an incorrect login name and password.

You receive three password prompts. After the third incorrect password, the connection endsand the first login failure is recorded. The SSH login failure counter is set to 1.

2. Run the SSH client and log in with an incorrect login name and password.You receive three password prompts. After the third incorrect password, the connection endsand the second login failure is recorded. The SSH login failure counter is set to 2.

3. Run the SSH client and log in with an incorrect login name and password.

You receive three password prompts. After the third incorrect password, the connection endsand the third login failure is recorded. The SSH login failure counter is set to 3.

The iLO firmware records an SSH failed login log entry and sets the SSH login failure counter to0.

Configuring iLO securityiLO provides the following security features:

• User-defined TCP/IP ports. For more information, see “Configuring iLO access settings”(page 34).

• User actions logged in the iLO Event Log. For more information, see “Using the iLO Event Log”(page 101).

• Progressive delays for failed login attempts. For more information, see “Login security”(page 43).

• Support for X.509 CA signed certificates. For more information, see “Administering SSLcertificates” (page 44).

• Support for securing iLO RBSU. For more information, see “iLO RBSU security” (page 40).

38 Configuring iLO



• Encrypted communication that uses SSL certificate administration. For more information, see“Administering SSL certificates” (page 44).

• Support for optional LDAP-based directory services. For more information, see “Directoryservices” (page 153).

Some of these options are licensed features. For more information, see “iLO licensing” (page 27).

General security guidelines

General security guidelines for iLO follow:• For maximum security, configure iLO on a separate management network. For more information,

see “Connecting iLO to the network” (page 16).

• Do not connect iLO directly to the Internet.

• Use a browser that has a 128-bit cipher strength.

Passwords

HP recommends that you follow these password guidelines:

• Passwords should:

Never be written down or recorded◦

◦ Never be shared with others

◦ Not be words found in a dictionary

◦ Not be obvious words, such as the company name, product name, user name, or loginname

• Passwords should have at least three of the following characteristics:

One numeric character◦

◦

One special character◦ One lowercase character

◦ One uppercase character

Passwords issued for a temporary user ID, password reset, or locked-out user ID should follow theseguidelines.

Depending on the Minimum Password Length setting on the Access Options page, the passwordcan have a minimum of zero characters (no password) and a maximum of 39 characters. Thedefault Minimum Password Length is eight characters.

IMPORTANT: HP does not recommend setting the Minimum Password Length to fewer than eightcharacters unless you have a physically secure management network that does not extend outsidethe secure data center. For information about setting the minimum password length, see “Configuringaccess options” (page 36).

Configuring iLO security 39



iLO RBSU security

iLO RBSU enables you to view and modify the iLO configuration. You can configure iLO RBSUaccess settings by using iLO RBSU, a web browser, RIBCL scripts, or the iLO Security OverrideSwitch.

• For information about using iLO RBSU to configure iLO RBSU access settings, see “Using iLORBSU to configure iLO RBSU access settings” (page 40).

• For information about using a web browser to configure iLO RBSU access settings, see

“Configuring access options” (page 36).• For information about using RIBCL scripts to configure iLO RBSU, see the HP iLO 4 Scripting

and Command Line Guide .

• For information about the iLO Security Override Switch, see “iLO Security Override Switchadministration” (page 41).

iLO RBSU has the following security levels:

• RBSU Login Not Required (default)

Anyone who has access to the host during POST can enter the iLO RBSU to view and modifyconfiguration settings. This is an acceptable setting if host access is controlled. If host accessis not controlled, any user can make changes by using the active configuration menus.

• RBSU Login Required (more secure)

If iLO RBSU login is required, the active configuration menus are controlled by the authenticateduser access rights.

• RBSU Disabled (most secure)

If iLO RBSU is disabled, user access is prohibited. This prevents modification via the iLO RBSUinterface.

Using iLO RBSU to configure iLO RBSU access settings

When iLO RBSU is enabled, the iLO Option ROM prompts you to press F8 to start iLO RBSU. If

iLO is disabled or iLO RBSU is disabled, the prompt is not displayed.1. Press F8 during POST to enter iLO RBSU.2. Select Settings→Configure, and then press Enter .

The Global iLO 4 Settings menu opens, as shown in “iLO RBSU Global Settings” (page 41).

40 Configuring iLO



Figure 15 iLO RBSU Global Settings

3. Select the iLO 4 ROM-Based Setup Utility option, and press the spacebar to toggle the settingto Enabled or Disabled.

4. Select the Require iLO 4 RBSU Login option, and press the spacebar to toggle the setting toEnabled or Disabled.

5. Press F10 to save the settings.6. Select File→Exit to close iLO RBSU.

iLO Security Override Switch administrationThe iLO Security Override Switch allows the administrator full access to the iLO processor. Thisaccess might be necessary for any of the following conditions:

• iLO has been disabled and must be re-enabled.

• All user accounts that have the Administer User Accounts privilege are locked out.

• An invalid configuration prevents iLO from being displayed on the network, and iLO RBSU isdisabled.

• The boot block must be flashed.

• The iLO NIC is turned off, and running iLO RBSU to turn it back on is not possible or convenient.

• Only one user name is configured, and the password is forgotten.

Ramifications of setting the iLO Security Override Switch include the following:

• All security authorization verifications are disabled when the switch is set.

• iLO RBSU runs if the host server is reset.

• iLO is not disabled and might be displayed on the network as configured.

• iLO, if disabled when the switch is set, does not log out the user and complete the disableprocess until the power is cycled on the server.

• The boot block is exposed for programming.




• A warning message is displayed on iLO web interface pages, indicating that the switch iscurrently in use.

• An iLO log entry records the use of the switch.

When iLO boots after you set or clear the iLO Security Override switch, an SNMP alert is sent ifan SNMP Alert Destination is configured.

Setting the iLO Security Override Switch enables you to flash the iLO boot block. HP does notanticipate that you will need to update the boot block. However, if an update is required, you must

be physically present at the server to reprogram the boot block and reset iLO. The boot block isexposed until iLO is reset. For maximum security, HP recommends disconnecting iLO from thenetwork until the reset is complete. You must open the server enclosure to access the iLO SecurityOverride Switch.

To set the iLO Security Override Switch:

1. Power off the server.2. Set the switch.3. Power on the server.

Reverse this procedure to clear the iLO Security Override Switch.

The iLO Security Override Switch uses switch #1 on the dip switch panel. For information about

accessing the iLO Security Override Switch, see the server documentation or use the diagrams onthe server access panel.

TPM support A TPM is a computer chip that securely stores artifacts used to authenticate the platform. Theseartifacts can include passwords, certificates, or encryption keys. You can also use a TPM to storeplatform measurements to make sure that the platform remains trustworthy.

On a supported system, iLO decodes the TPM record and passes the configuration status to iLO,CLP, and the XML interface. The Overview page displays the TPM status. If the host system orsystem ROM does not support TPM, the TPM status is not displayed. If TPM is supported, theOverview page displays the following TPM status information:

• Not Present—A TPM is not installed.

• Present—This indicates one of the following statuses:

A TPM is installed but is disabled.◦

◦ A TPM is installed and enabled.

◦ A TPM is installed and enabled, and Expansion ROM measuring is enabled. If ExpansionROM measuring is enabled, the Update Firmware page displays a legal warning messagewhen you click Upload.

User accounts and accessiLO supports the configuration of up to 12 local user accounts. Each account can be managedthrough the following features:

• Privileges

• Login security

You can configure iLO to use a directory to authenticate and authorize its users. This configurationenables an unlimited number of users and easily scales to the number of iLO devices in an enterprise.The directory also provides a central point of administration for iLO devices and users, and thedirectory can enforce a stronger password policy. iLO enables you to use local users, directoryusers, or both.

42 Configuring iLO



The following directory configuration options are available:

• A directory extended with HP schema

• The directory default schema

For more information about using directory authentication, see “Directory services” (page 153).

User privileges

iLO allows you to control user account access to iLO features through the use of privileges. When

a user attempts to use a feature, iLO verifies that the user has the proper privilege to use thatfeature.

You can control access to iLO features, by using the following privileges: Administer User Accounts,Remote Console Access, Virtual Power and Reset, Virtual Media, and Configure iLO Settings. Userprivileges are configured on the Administration→User Administration page. For more information,see “Administering users” (page 29).

NOTE: User accounts can also be configured via iLO RBSU. For more information, see “Settingup iLO user accounts by using iLO RBSU” (page 18).

Login security

iLO provides several login security features. After an initial failed login attempt, iLO imposes adelay of 5 seconds. After a second failed attempt, iLO imposes a delay of 10 seconds. After thethird failed attempt, and any subsequent attempts, iLO imposes a delay of 30 seconds. Allsubsequent failed login attempts cycle through these values. An information page is displayedduring each delay; this continues until a valid login occurs. This feature helps to prevent dictionaryattacks against the browser login port.

iLO saves a detailed log entry for failed login attempts. You can configure the Authentication FailureLogging frequency on the Administration→ Access Settings page. For more information, see“Configuring access options” (page 36).

Administering SSH keysThe Secure Shell Key page displays the hash of the SSH public key associated with each user.Each user can have only one key assigned. Use this page to view, add, or delete SSH keys.

You must have the Administer User Accounts privilege to add and delete SSH keys.

About SSH keys

When you add an SSH key to iLO, you paste the SSH key file in to iLO as described in “Authorizinga new key” (page 44). The file must contain the user-generated public key. The iLO firmwareassociates each key with the selected local user account. If a user is removed after an SSH keyhas been authorized for that user, the SSH key is removed.

A sample SSH key file follows:

ssh-dss AAAAB3......wHM Administrator

In this sample, ssh-dss AAAAB3.....wHM is the public key and Administrator is a localiLO user account.

NOTE: Any SSH connection authenticated through the corresponding private key is authenticatedas the owner of the key and has the same privileges.

The iLO firmware provides storage to accommodate SSH keys that have a length of 639 bytes orless. If the key is larger than 639 bytes, the authorization might fail. If this occurs, use the SSHclient software to generate a shorter key.




Authorizing a new key

1. Select the check box to the left of the user to which you want to add an SSH key.2. Click Authorize New Key.3. Copy and paste the public key into the DSA Public Key Import Data box.

The key must be a 1024-bit DSA key.

4. Click Import Public Key.

You can also use CPQLOCFG and the iLO CLI to import SSH keys. There are minor differences inthe data that you enter, depending on the method you use. If you use the iLO web interface toenter the public key, you select the user associated with the public key. If you use the CLI to enterthe public key, the public key is linked to the user name that you entered to log in to iLO. If youuse CPQLOCFG to enter the public key, you append the iLO user name to the public key data.The public key is stored with that user name.

Deleting keys

1. Select the check box to the left of the user for which you want to delete an SSH key.2. Click Delete Selected Key(s).

The selected SSH key is removed from iLO. When an SSH key is deleted from iLO, an SSH

client cannot authenticate to iLO by using the corresponding private key.

Authorizing keys from an HP SIM server

The mxagentconfig utility enables you to authorize SSH keys from an HP SIM server.

• SSH must be enabled on iLO before you use mxagentconfig to authorize a key.

• The user name and password entered in mxagentconfig must correspond to an iLO userwho has the Configure iLO Settings privilege. The user can be a directory user or a local user.

• The key is authorized on iLO and corresponds to the user name passed in the mxagentconfigcommand.

Administering SSL certificatesThe iLO firmware enables you to create a certificate request, import a certificate, and view certificateadministration information associated with a stored certificate. Certificate information is encodedin the certificate by the CA and is extracted by iLO. iLO supports SSL certificates up to 2048 bits.

By default, iLO creates a self-signed certificate for use in SSL connections. This certificate enablesiLO to work without additional configuration steps. Importing a trusted certificate can enhance theiLO security features. Users who have the Configure iLO Settings privilege can customize andimport a trusted certificate. For more information about certificates and certificate services, see“Introduction to Certificate Services” (page 161) and “Installing Certificate Services” (page 161).

Viewing certificate information

To view certificate information, navigate to the Administration→Security→SSL Certificate page.The following certificate details are displayed:

• Issued to—The entity to which the certificate was issued

• Issued by—The CA that issued the certificate

• Valid from—The first date that the certificate is valid

• Valid until—The date that the certificate expires

• Serial Number —The serial number that the CA assigned to the certificate

44 Configuring iLO



Obtaining and importing a certificate

Users who have the Configure iLO Settings privilege can customize and import a trusted certificate.

A certificate works only with the keys generated together with its corresponding CSR. If iLO is resetto factory defaults, or another CSR is generated before the certificate that corresponds to theprevious CSR is imported, the certificate does not work. In that case, a new CSR must be generatedand used to obtain a new certificate from the CA.

1. Navigate to the Administration→Security→SSL Certificate page, as shown in Figure 16

(page 45).Figure 16 SSL Certificate page

2. Click Customize Certificate.3. Enter the following information in the Certificate Signing Request (CSR) Information section.

The required fields are marked with an asterisk (*).

• Country (C)—The two-character country code that identifies the country where the companyor organization that owns this iLO subsystem is located

• State (ST)—The state where the company or organization that owns this iLO subsystem islocated

• City or Locality (L)—The city or locality where the company or organization that owns this

iLO subsystem is located• Organization Name (O)—The name of the company or organization that owns this iLO

subsystem

• Organizational Unit (OU)—(Optional) The unit within the company or organization thatowns this iLO subsystem

• Common Name (CN)—The FQDN of this iLO subsystem

4. Click Generate CSR.


The iLO subsystem is currently generating a Certificate SigningRequest (CSR). This may take 10 minutes or more. In order to view




the CSR, wait 10 minutes or more, and then click the Generate CSRbutton again.

5. After 10 minutes or more, click the Generate CSR button.

A new window displays the CSR.

6. Select and copy the CSR text.7. Open a browser window and navigate to a third-party CA.8. Follow the onscreen instructions and submit the CSR to the CA.

The certificate authority will generate a certificate in the PKCS #10 format.

9. After you obtain the certificate, make sure that:

• The CN matches the iLO FQDN. This is under iLO Hostname on the Information→Overviewpage.

• The certificate is generated as a base64-encoded X.509 certificate, and is in the RAWformat.

• The first and last lines are included in the certificate.

10. Return to the Customize Certificate page in the iLO user interface.11. Click the Import Certificate button.

The Import Certificate window opens.

12. Paste the certificate into the text box, and then click the Import button.13. Restart iLO.

Configuring directory settingsThe iLO firmware connects to Microsoft Active Directory, Novell e-Directory, and other LDAP3.0–compliant directory services for user authentication and authorization. You can configure iLOto authenticate and authorize users by using the HP Extended Schema directory integration or theschema-free directory integration. The HP Extended Schema works only with Microsoft Windows.The iLO firmware connects to directory services by using SSL-secured connections to the directory

server LDAP port. The default secure LDAP port is 636.For more information about using directory authentication with iLO, see “Directory services”(page 153).

Locally stored user accounts (listed on the User Administration page) can be active when iLOdirectory support is enabled. This enables both local-based and directory-based user access.Typically, you can delete local user accounts (with the possible exception of an emergency accessaccount) after iLO is configured to access the directory service. You can also disable access tothese accounts when directory support is enabled.

You must have the Configure iLO Settings privilege to view and change directory settings.

This feature and many others are part of our iLO licensing package. For more information about

iLO Licensing visit the following webpage: http://www.hp.com/go/ilo/licensing.Configuring authentication and directory server settings

To configure the authentication an directory server settings:

46 Configuring iLO





1. Navigate to the Administration→Security→Directory page, as shown in Figure 17 (page 47).

Figure 17 Security - Directory page

2. Configure the following options:

• LDAP Directory Authentication—Enables or disables directory authentication. If directoryauthentication is enabled and configured correctly, users can log in by using directorycredentials.

Choose from the following options:

◦ Disabled—User credentials are not validated via the directory.

◦ Use HP Extended Schema—Selects directory authentication and authorization byusing directory objects created with HP schema. Select this option when the directoryhas been extended with HP schema.

◦ Use Directory Default Schema—Selects directory authentication and authorizationby using user accounts in the directory. Select this option when the directory is notextended with HP schema. User accounts and group memberships are used toauthenticate and authorize users. After you enter the directory network information,

click Administer Groups, and then enter one or more valid directory distinguishednames and privileges to grant users access to iLO.

• Kerberos Authentication—Enables Kerberos login. If disabled, the HP Zero Sign In buttondoes not appear on the login page.

• Local User Accounts—Enables or disables local user account access.

If Local User Accounts is enabled, a user can log in by using locally stored usercredentials. HP recommends enabling this option and configuring a user account

—

with administrator privileges. This account can be used if iLO cannot communicatewith the directory server.

— If Local User Accounts is disabled, user access is limited to valid directory credentials.




Access via local user accounts is enabled when directory support is disabled or an iLOlicense is revoked. You cannot disable local user access when you are logged via a localuser account.

• Kerberos Realm—The name of the Kerberos realm in which the iLO is operating. Thisstring can be up to 127 characters. A realm name is usually the DNS name convertedto uppercase. Realm names are case sensitive.

• Kerberos KDC Server Address—The IP address or DNS name of the KDC server. This

string can be up to 127 characters. Each realm must have at least one KDC that containsan authentication server and a ticket grant server. These servers can be combined.

• Kerberos KDC Server Port—The TCP or UDP port number on which the KDC is listening.The default KDC port is 88.

• Kerberos Keytab—A binary file that contains pairs of principals and encrypted passwords.In the Windows environment, the keytab file is generated via the ktpass utility. ClickChoose File and follow the onscreen instructions to select a file.

NOTE: The components of the service principal name stored in the Kerberos keytab fileare case sensitive. The primary (service type) must be in uppercase letters (HTTP). Theinstance (iLO hostname) must be in lowercase, for example, iloexample.example.net.

The realm name must be in uppercase, for example, EXAMPLE.NET.

3. Enter the directory server settings.

iLO directory server settings enable you to identify the directory server address and LDAP port.

• Directory Server Address—Specifies the network DNS name or IP address of the directoryserver. The directory server address can be up to 50 characters.

IMPORTANT: HP recommends using DNS round robin when you are defining thedirectory server.

• Directory Server LDAP Port—Specifies the port number for the secure LDAP service on the

server. The default value is 636. You can specify a different value if your directory serviceis configured to use a different port.

• LOM Object Distinguished name—Specifies where this iLO instance is listed in the directorytree (for example: cn=iLO Mail Server,ou=Management Devices,o=hp). Thisoption is available when Use HP Extended Schema is selected.

User search contexts are not applied to the LOM object distinguished name when iLOaccesses the directory server.

• User Login Search Contexts—Enables you to specify common directory subcontexts sothat users do not need to enter their full distinguished names at login.

You can identify the objects listed in a directory by using unique distinguished names.

However, distinguished names can be long, and users might not know their distinguishednames or might have accounts in different directory contexts. iLO attempts to contact thedirectory service by distinguished name, and then applies the search contexts in orderuntil successful.

48 Configuring iLO



Directory User Contexts—Specifies user-name contexts that are applied to the login name.

◦ Example 1—If you enter the search context ou=engineering,o=hp you can login as user instead of logging in as cn=user,ou=engineering,o=hp.

◦ Example 2—If a system is managed by Information Management, Services, andTraining, search contexts such as the following enable users in any of theseorganizations to log in by using their common names:

Directory User Context 1:ou=IM,o=hpDirectory User Context 2:ou=Services,o=hpDirectory User Context 3:ou=Training,o=hp

If a user exists in both the IM organizational unit and the Training organizationalunit, login is first attempted as cn=user,ou=IM,o=hp.

◦ Example 3 (Active Directory only)—Microsoft Active Directory allows an alternateuser credential format. Only a successful login attempt can test search contexts inthis format. A user can log in as [email protected], in which case asearch context of @domain.example.com allows the user to log in as user.

4. To test the communication between the directory server and iLO, click Test Settings.

For more information, see “Running directory tests” (page 49).

5. Click Apply Settings to save the settings.6. Optional: Click Administer Groups to navigate to the User Administration page.

For more information about group administration, see “Administering directory groups”(page 32).

Running directory tests

To validate current directory settings for iLO, click Test Settings on the Directory Settings page. TheDirectory Tests page opens, as shown in Figure 18 (page 50).




Figure 18 Directory Tests page

The test page displays the results of a series of simple tests designed to validate the current directorysettings. Also, it includes a test log that shows test results and any detected issues. After yourdirectory settings are configured correctly, you do not need to rerun these tests. The Directory Testspage does not require that you be logged in as a directory user.

To verify your directory settings:

1. Enter the distinguished name and password of a directory administrator.

HP recommends that you use the same credentials that you used when creating the iLO objectsin the directory. These credentials are not stored by iLO; they are used to verify the iLO objectand user search contexts.

2. Enter a test user name and password.

Typically, this account is used to access the iLO being tested. It can be the directoryadministrator account, but the tests cannot verify user authentication with a superuser account.These credentials are not stored by iLO.

3. Click Start Test.

Several tests begin in the background, starting with a network ping of the directory user byestablishing an SSL connection to the server and evaluating user privileges.

While the tests are running, the page refreshes periodically. At any time during test execution, youcan stop the tests or manually refresh the page.

50 Configuring iLO



Viewing directory test results

The Directory Test Results section shows the directory test status.

• Overall Status—Summarizes the results of the tests.

Inconclusive—No results were reported.◦

◦ Passed—No failures were reported.

◦

Problem Detected—A problem was reported.◦ Failed—A specific subtest failed. Check the onscreen log to identify the problem.

• Individual Directory Tests—Reports status for a specific directory setting or an operation thatuses one or more directory settings. These results are generated when a sequence of tests isrun. The results stop when the tests run to completion, when a test failure prevents furtherprogress, or when the tests are stopped. Test results follow:

◦ Passed—The test ran successfully. If more than one directory server was tested, all serversthat ran this test were successful.

◦ Not Run—The test was not run.

◦ Failed—The test was unsuccessful on one or more of the directory servers. Directorysupport might not be available on those servers.

Table 5 (page 51) provides details about the individual tests.

Table 5 Individual directory tests

DescriptionTest

If the directory server is defined in FQDN format (directory.company.com), iLOresolves the name from FQDN format to IP format, and queries the configured DNSserver.

Directory Server DNSName

If the test is successful, iLO obtained an IP address for the configured directory server. IfiLO cannot get an IP address for the directory server, this test and all subsequent testsfail.

If the directory server is configured with an IP address, iLO skips this test.

If a failure occurs:

1. Verify that the DNS server configured in iLO is correct.

2. Verify that the directory server FQDN is correct.

3. As a troubleshooting tool, use an IP address instead of the FQDN.

4. If problem persists, check the DNS server records and network routing.

iLO initiates a PING to the defined directory server.Ping Directory Server

The test is successful if iLO receives the PING response, and it is unsuccessful if thedirectory server does not reply to iLO.

If this test fails, iLO will continue the subsequent tests.If a failure occurs:

1. Check to see if a firewall is active in the directory server.

2. Check for network routing issues.

iLO attempts to negotiate an LDAP connection with the directory server.Connect to DirectoryServer If this test is successful, iLO was able to initiate the connection.

If this test fails, iLO was not able to initiate an LDAP connection with the specified directoryserver.

If this test fails, subsequent tests will stop.





Table 5 Individual directory tests (continued)

DescriptionTest


1. Verify that the LDAP FQDN of the LOM object is correct.

2. Try to update the HP Extended Schema and snap-ins in the directory server by updatingthe HP Directories Support for ProLiant Management Processors software.

• Notes—Indicates the results of various phases of the directory tests. The data is updated withfailure details and information that is not readily available, like the directory server certificatesubject and which roles were evaluated successfully.

Using the directory test controls

The Directory Test Controls section enables you to view the current state of the directory tests, adjustthe test parameters, start and stop the tests, and refresh the page contents.

• In Progress—Indicates that directory tests are currently being performed in the background.Click the Stop Test button to cancel the current tests, or click the Refresh button to update thecontents of the page with the latest results. Using the Stop Test button might not stop the testsimmediately.

• Not Running—Indicates that directory tests are current, and that you can supply new parametersto run the tests again. Use the Start Test button to start the tests by using the current test controlvalues. Directory tests cannot be started after they are already in progress. The directory testsuse the following parameters, which iLO does not store.

◦ Directory Administrator Distinguished Name—Searches the directory for iLO objects,roles, and search contexts. This user must have rights to read the directory.

◦ Directory Administrator Password—Authenticates the directory administrator.

◦ Test User Name—Tests login and access rights to iLO. The name does not have to befully distinguished because user search contexts can be applied. This user must be

associated with a role for this iLO.◦ Test User Password—Authenticates the test user.

• Stopping—Indicates that directory tests have not yet reached a point where they can stop.You cannot restart tests until the status changes to Not Running. Use the Refresh button todetermine whether the tests are complete.

Using encryptioniLO provides enhanced security for remote management in distributed IT environments. SSLencryption protects web browser data. SSL encryption of HTTP data ensures that the data is secureas it is transmitted across the network. iLO supports the following cipher strengths:

• 256-bit AES with RSA, DHE, and a SHA1 MAC

• 256-bit AES with RSA, and a SHA1 MAC

• 128-bit AES with RSA, DHE, and a SHA1 MAC

• 128-bit AES with RSA, and a SHA1 MAC

• 168-bit 3DES with RSA, and a SHA1 MAC

• 168-bit 3DES with RSA, DHE, and a SHA1 MAC

iLO also provides enhanced encryption through the SSH port for secure CLP transactions. iLOsupports AES128-CBC and 3DESCBC cipher strengths through the SSH port.




If enabled, iLO enforces the use of these enhanced ciphers (both AES and 3DES) over the securechannels, including secure HTTP transmissions through the browser, SSH port, and XML port. When

AES/3DES encryption is enabled, you must use a cipher strength equal to or greater than AES/3DESto connect to iLO through these secure channels. The AES/3DES encryption enforcement settingdoes not affect communications and connections over less secure channels.

By default, Remote Console data uses 128-bit RC4 bidirectional encryption. The CPQLOCFG utilityuses a 168-bit 3DES with RSA and a SHA1 MAC cipher to securely send RIBCL scripts to iLO overthe network.

Configuring encryption settings

You can view or modify the encryption settings by using the iLO web interface, CLP, or XMLconfiguration and control scripts.

You must have the Configure iLO Settings privilege to view and change the encryption settings.

To view or modify the current encryption settings by using the iLO web interface:

54 Configuring iLO



1. Navigate to the Administration→Security→Encryption page, as shown in Figure 19 (page 55).

Figure 19 Encryption settings page

The Encryption page displays the current encryption settings for iLO.

• Current Negotiated Cipher —The cipher in use for the current browser session. After youlog in to iLO through the browser, the browser and iLO negotiate a cipher setting to useduring the session.

• Encryption Enforcement Settings—The current encryption settings for iLO:

◦ Enforce AES/3DES Encryption—Enables iLO to accept only those connections throughthe browser and SSH interface that meet the minimum cipher strength. A cipherstrength of at least AES or 3DES must be used to connect to iLO when this setting isenabled.

2. Make any necessary changes, and then click Apply.

When you are changing the Enforce AES/3DES Encryption setting to Enable, close all openbrowsers after clicking Apply. Any browsers that remain open might continue to use anon-AES/3DES cipher.

Connecting to iLO using by AES or 3DES encryption

After you enable the Enforce AES/3DES Encryption setting, iLO requires that you connect throughsecure channels (web browser, SSH, or XML port) by using a cipher strength of at least AES or3DES.

• Web browser —You must configure the browser with a cipher strength of at least AES or 3DES.If the browser is not using AES or 3DES ciphers, iLO displays an error message. The error textvaries depending on the installed browser.

Different browsers use different methods for selecting a negotiated cipher. For more information,see your browser documentation. You must log out of iLO through the current browser before




changing the browser cipher setting. Any changes made to the browser cipher setting whileyou are logged in to iLO might enable the browser to continue using a non-AES/3DES cipher.

• SSH connection—For instructions on setting the cipher strength, see the SSH utilitydocumentation.

• XML channel—CPQLOCFG uses a secure 3DES cipher by default. For example, CPQLOCFG4.x displays the following current-connection cipher strength in the XML output:

Connecting to Server..

Negotiated cipher: 168-bit Triple DES with RSA and a SHA1 MAC

Configuring iLO for HP SIM single sign-onHP SIM SSO enables you to browse directly from HP SIM to an iLO processor, bypassing anintermediate login step. To use SSO, you must have a supported version of HP SIM, and you mustconfigure the iLO processor to accept the links from HP SIM. For more information about HP SIM,see http://www.hp.com/go/hpsim.

This feature and many others are part of our iLO licensing package. For more information aboutiLO Licensing visit the following webpage: http://www.hp.com/go/ilo/licensing.

The HP SIM SSO page enables you to view and configure SSO settings through the iLO web

interface. For more information, see “Configuring iLO for HP SIM SSO” (page 56).You must have the Configure iLO Settings privilege to view and change the HP SIM SSO settings.

Configuring iLO for HP SIM SSO

1. Navigate to the Administration→Security→HP SIM SSO page, as shown in “Single Sign-OnSettings page” (page 56).

Figure 20 Single Sign-On Settings page

2. Make sure you have the HP SIM network address, and that an iLO license key is installed.

56 Configuring iLO

http://www.hp.com/go/hpsim






3. Enable Single Sign-On Trust Mode by selecting Trust by Certificate, Trust by Name, or Trust All.

The iLO firmware supports configurable trust modes. This feature enables you to meet yoursecurity requirements. The trust mode affects how iLO responds to HP SIM SSO requests. Ifyou enable iLO support for HP SIM SSO, HP recommends the Trust by Certificate mode. Theavailable modes are as follows:

• Trust None (default)—Rejects all SSO connection requests.

• Trust by Certificate (most secure)—Enables only SSO connections from an HP SIM serverthat matches a certificate previously imported into iLO.

HP SIM certificates that have a key larger than 1024 bits cannot be used with this option.

• Trust by Name—Enables SSO connections from an HP SIM server that matches a DNSname or certificate previously imported into iLO.

• Trust All (least secure)—Accepts any SSO connection initiated from any HP SIM server.

4. Users who log in to HP SIM are authorized based on the role assignment at the HP SIM server.The role assignment is passed to iLO when SSO is attempted. You can configure iLO privilegesfor each role in the Single Sign-On Settings section. For more information about each privilege,see “Administering users” (page 29).

SSO attempts to receive only the privileges assigned in this section. iLO directory settings donot apply. Default privilege assignments are as follows:

• User —Login only

• Operator —Login, Remote Console, Power and Reset, and Virtual Media

• Administrator —Login, Remote Console, Power and Reset, Virtual Media, Configure iLO,and Administer Users

5. Click Apply to save the SSO settings.6. If you selected Trust by Certificate or Trust by Name, add the HP SIM server certificate or DNS

name to iLO. For more information about adding certificates and DNS names, see “Adding

HP SIM trusted servers” (page 57).The certificate repository is sized to allow five typical iLO certificates. However, if typicalcertificates are not issued, certificate sizes might vary. The certificates and iLO server nameshave 6 KB of combined allocated storage. When the allocated storage is used, no moreimports are accepted.

7. After setting up SSO in iLO, log in to HP SIM, navigate to the System page for the iLOmanagement processor, and then click the iLO link in the More Information section.

HP SIM opens a browser window that is logged in to iLO.

NOTE: Although a system might be registered as a trusted server, SSO might be refusedbecause of the current trust level or certificate status. For example, if an HP SIM server name

is registered and the trust level is set to Trust by Certificate, but the certificate is not imported,SSO is not allowed from that server. Likewise, if an HP SIM server certificate is imported, butthe certificate is expired, SSO is not allowed from that server. Additionally, the records arenot used when SSO is disabled. iLO does not enforce SSO server certificate revocation.

Adding HP SIM trusted servers

iLO users who have the Configure iLO Settings privilege can install HP SIM server certificates oradd direct DNS names.

The base64-encoded x.509 certificate data resembles:

-----BEGIN CERTIFICATE-----

. . . several lines of encoded data . . .




• Certificate—Indicates that the record contains a stored certificate. Move the cursor over theicon to view the certificate details, including subject, issuer, and dates.

• Description—Displays the server name (or certificate subject).

Removing HP SIM Servers

Use the Remove HP SIM Server button to remove HP SIM servers configured to use SSO with thisiLO processor.

1. Select a server in the HP SIM Trusted Servers list.2. Click Remove HP SIM Server .


Are you sure you want to remove this SIM server?

3. Click Yes.

Configuring Remote Console Security settings

Configuring Remote Console Computer Lock settings

Remote Console Computer Lock enhances the security of an iLO-managed server by automatically

locking an operating system or logging out a user when a Remote Console session ends or thenetwork link to iLO is lost. This feature is standard and does not require an additional license.

The Remote Console Computer Lock feature is set to Disabled by default.

You must have the Configure iLO Settings privilege to change the Remote Console Computer Locksettings.

To change the Remote Console Computer Lock settings:

1. Navigate to the Administration→Security→Remote Console page, as shown in Figure 21(page 59).

Figure 21 Remote Console Computer Lock Settings page




2. Modify the Remote Console Computer Lock settings as required:

• Windows—Use this option to configure iLO to lock a managed server running a Windowsoperating system. The server automatically displays the Computer Locked dialog boxwhen a Remote Console session ends or the iLO network link is lost.

• Custom—Use this option to configure iLO to use a custom key sequence to lock a managedserver or log out a user on that server. You can select up to five keys from the list. Theselected key sequence is sent automatically to the server operating system when a Remote

Console session ends or the iLO network link is lost.• Disabled—Use this option to disable the Remote Console Computer Lock feature.

Terminating a Remote Console session or losing an iLO network link will not lock themanaged server.

You can create a Remote Console Computer Lock key sequence by using the keys listed inthe following table:

Table 7 Remote Console Computer Lock keys

g1SCRL LCK ESC

h2SYS RQL_ALT

i3F1R_ALTj4F2L_SHIFT

k5F3R_SHIFT

l6F4L_CTRL

m7F5R_CTRL

n8F6L_GUI

o9F7R_GUI

p;F8INS

q=F9DEL

r [F10HOME

s\F11END

t]F12PG_UP

u'" " (Space)PG_DN

va'ENTER

wb,TAB

xc-BREAK

yd.BACKSPACE

ze/NUM PLUS

f0NUM MINUS

3. Click Apply to save changes.

Configuring Integrated Remote Console Trust Settings (.NET IRC)The .NET IRC is launched via Microsoft ClickOnce, which is part of the Microsoft .NET Framework.ClickOnce requires that any application installed from an SSL connection be from a trusted source.If a browser is not configured to trust an iLO, and the Integrated Remote Console Trust Setting is

set to Enabled, ClickOnce displays the following error message:

60 Configuring iLO



Cannot Start Application – Application download did not succeed...

To specify whether all clients that browse to this iLO require a trusted iLO certificate to run the .NETIRC:

1. Navigate to the Security→Remote Console page.2. Select one of the following in the Integrated Remote Console Trust Settings section:

• Enabled—The .NET IRC is installed and runs only if this iLO certificate and the issuercertificate have been imported and are trusted.

• Disabled (default)—When you launch the .NET IRC, the browser installs the applicationfrom a non-SSL connection. SSL is still used after the .NET IRC starts to exchange encryptionkeys.

3. Click Apply.

Configuring the Login Security BannerThe Login Security Banner feature allows you to configure the security banner displayed on theiLO login page.

You must have the Configure iLO Settings privilege to make changes on this page.

When this feature is enabled, a security notice is displayed on the iLO login page.

To enable the Login Security Banner:

1. Navigate to the Security→Login Security Banner page, as shown in Figure 22 (page 61).

Figure 22 Login Security Banner Settings page

2. Select the Enable Login Security Banner check box.

iLO uses the following default text for the Login Security Banner:

This is a private system. It is to be used solely by authorizedusers and may be monitored for all lawful purposes. By accessingthis system, you are consenting to such monitoring.




3. Optional: To customize the security message, enter a custom message in the Security Messagetext box.

The byte counter above the text box indicates the remaining number of bytes allowed for themessage. The maximum is 1500 bytes.

TIP: Click Use Default Message to restore the default text for the Login Security Banner.

4. Click Apply.

The security message is displayed at the next login attempt, as shown in Figure 23 (page 62).

Figure 23 Security message example

Configuring iLO IP and NIC settingsUse the Network IP & NIC Settings page to view and configure the iLO network settings.

You must have the Configure iLO Settings privilege to view and change IP and NIC settings.

Configuring IP settingsTo configure the IP settings:

62 Configuring iLO



1. Navigate to the Administration→Network→IP & NIC Settings page, as shown in Figure 24(page 63).

Figure 24 IP & NIC Settings page

2. Update the values in the IP Settings – Dedicated Network Port section. The following valuesare available:

• Enable DHCP—Enables iLO to obtain its IP address (and many other settings) from a DHCPserver.

◦ IP Address—The iLO IP address. If DHCP is used, the iLO IP address is suppliedautomatically. If DHCP is not used, enter a static IP address.

◦ Subnet Mask—The subnet mask of the iLO IP network. If DHCP is used, the subnetmask is supplied automatically. If DHCP is not used, enter the subnet mask for thenetwork.

• Use DHCP Supplied Gateway—Specifies whether iLO uses the DHCP server-suppliedgateway. If DHCP is not used, enter a gateway address in the Gateway IP Address box.

• Use DHCP Supplied Domain Name—Specifies whether iLO uses the DHCP server-supplied

domain name. If DHCP is not used, enter a domain name in the Domain Name box.• iLO Subsystem Name (Host Name)—The DNS name of the iLO subsystem (for example,

ilo instead of ilo.example.com). This name can be used only if DHCP and DNSare configured to connect to the iLO subsystem name instead of the IP address.

iLO subsystem-name limitations follow:

◦ Name service limitations—The subsystem name is used as part of the DNS nameand WINS name. The DNS and WINS differences follow:

– DNS allows alphanumeric characters and hyphens. WINS allows alphanumericcharacters, hyphens, and underscores.

– WINS subsystem names are truncated at 15 characters. DNS subsystem names

are not truncated.

Configuring iLO IP and NIC settings 63



If you require underscores, enter them by using iLO RBSU or the iLO scripting utility.

NOTE: Name service limitations also apply to the domain name.

◦ To avoid namespace issues:

– Do not use the underscore character.

– Limit subsystem names to 15 characters.

– Verify that you can ping iLO by IP address and by DNS or WINS name.– Verify that NSLOOKUP resolves the iLO network address correctly and that no

namespace conflicts exist.

– If you are using both DNS and WINS, verify that they resolve the iLO networkaddress correctly.

– Flush the DNS name if you make any namespace changes.

3. Click Show Advanced Settings to update additional IP and NIC settings. The following settingsare available:

• Use DHCP Supplied DNS Servers—Specifies whether iLO uses the DHCP server-supplied

DNS server list. If not, enter the DNS server addresses in the Primary DNS Server ,Secondary DNS Server , and Tertiary DNS Server fields.

• Use DHCP Supplied WINS Servers—Specifies whether iLO uses the DHCP server-supplied WINS server list. If not, enter the WINS server addresses in the Primary WINS Server and Secondary WINS Server fields.

• Use DHCP Supplied Static Routes—Specifies whether iLO uses the DHCP server-suppliedstatic route. If not, enter the static route addresses in the Static Route #1, Static Route #2,or Static Route #3 field.

• Enable WINS Server Registration—Specifies whether iLO registers its name with a WINSserver.

• Enable DDNS Server Registration—Specifies whether iLO registers its name with a DDNSserver.

• Ping Gateway on Startup—Causes iLO to send four ICMP echo request packets to thegateway when iLO initializes. This ensures that the ARP cache entry for iLO is up to dateon the router that routes packets to and from iLO.

4. Click Apply.

Clicking Apply applies your changes to the iLO network configuration, ends your browserconnection, and causes iLO to restart. Wait at least 30 seconds before you attempt tore-establish a connection.

Configuring NIC settingsThe NIC Settings section of the Network IP & NIC Settings page displays the Control, Link, VLAN,and MAC address settings.

To configure the NIC settings:

1. Navigate to the Administration→Network→IP & NIC Settings page, as shown in Figure 24(page 63).

64 Configuring iLO



2. Set the Control value to one of the following:

• Enabled—Enables the iLO Dedicated Network Port.

When the Dedicated Network Port is enabled, iLO uses an embedded NIC that handlesonly iLO traffic.

• Disabled—Disables the iLO network interface. You must use the iLO RBSU or anotherhost-based scripting utility to re-enable the network interface. For instructions, see“Re-enabling the iLO Dedicated Management NIC” (page 68).

• Shared Network Port – LOM—Enables networking via the embedded host Ethernet port.

When the Shared Network Port – LOM is enabled, iLO uses the embedded NIC thathandles server network traffic and can, if iLO is configured to do so, handle iLO trafficat the same time.

The Shared Network Port has a different Ethernet MAC address than the iLO DedicatedNetwork Port.

This option is available only if your server supports the required hardware. The requiredhardware is installed when your server is manufactured, if your server supports it. It isnot available as an upgrade.

iLO communications will be shared with the NIC port #1, and cannot be shared with

other NIC ports.This option is not supported on blade servers.

• Shared Network Port – FlexibleLOM—Enables networking via the optional host Ethernetport.

When the Shared Network Port – FlexibleLOM is enabled, iLO uses an optional NIC thatplugs into a special slot on the server that handles server network traffic and can, if iLOis configured to do so, handle iLO traffic at the same time.

The Shared Network Port has a different Ethernet MAC address than the dedicatedEthernet port.

This option is available with the servers and optional NICs listed in Table 8 (page 65).This option is not supported on blade servers.

The hardware does not have to be installed for this option to be available, but the servermust have the required slot. If you select Shared Network Port – FlexibleLOM, and iLOreboots and does not detect a FlexibleLOM NIC, iLO will be unreachable over the networkand you must use iLO RBSU to switch back to the iLO Dedicated Network Port. For moreinformation, see “Re-enabling the iLO Dedicated Management NIC” (page 68).

iLO communications will be shared with the NIC port #1, and cannot be shared withother NIC ports.

Table 8 Shared Network Port – FlexibleLOM support

NIC modelHP ProLiant Gen8 servers

HP Ethernet 1Gb 4-port 331FLR AdapterDL360p Gen8, DL380p Gen8,DL160 Gen8, and ML350p Gen8

HP FlexFabric 10 Gb 2-port 530FLR-SFP+ AdapterDL360p Gen8, DL380p Gen8,DL160 Gen8

HP FlexFabric 10 Gb 2-port 554FLR-SFP+ AdapterDL360p Gen8, DL380p Gen8,and DL160 Gen8




3. Select a Link value.

The link setting controls the speed and duplex settings of the iLO network transceiver. Theavailable settings follow:

• Automatic (default)—Enables iLO to negotiate the highest supported link speed and duplexsettings when it is connected to the network.

• 1Gb/FD—Forces a 1 Gb connection that uses full duplex (not supported for BL c-Classservers).

• 1Gb/HD—Forces a 1 Gb connection that uses half duplex (not supported for BL c-Classservers).

• 100Mb/FD—Forces a 100 Mb connection that uses full duplex.

• 100Mb/HD—Forces a 100 Mb connection that uses half duplex.

• 10Mb/FD—Forces a 10 Mb connection that uses full duplex.

• 10Mb/HD—Forces a 10 Mb connection that uses half duplex.

If you selected one of the Shared Network Port options, you cannot modify the link settings.In Shared Network Port configurations, link settings must be managed in the operating system.

4. Select or clear the Enable VLAN check box to enable or disable VLAN.

VLAN can be enabled only if one of the Shared Network Port options is selected. When aShared Network Port option is enabled, the iLO Shared Network Port becomes part of a

VLAN. All network devices that have the same VLAN tag appear to be on a separate LANfrom other network devices even if they are connected to the same LAN.

5. If you enabled VLAN, enter a VLAN tag.

All network devices that you want to communicate with each other must have the same VLANtag. The VLAN tag can be any number between 1 and 4094.

6. Click Apply to apply the changes you made to the IP and NIC settings.

Clicking Apply applies your changes to the iLO network configuration, ends your browserconnection, and causes iLO to restart. Wait at least 30 seconds before you attempt tore-establish a connection.

Using the iLO Shared Network Port

The iLO Shared Network Port feature enables you to choose between the LOM, FlexibleLOM, andiLO Dedicated Management NIC for server management. When you enable the iLO SharedNetwork Port, regular network traffic and network traffic intended for iLO pass through the selectedShared Network Port NIC.

On servers that do not have an iLO Dedicated Management NIC, the standard hardwareconfiguration provides iLO network connectivity only through the iLO Shared Network Portconnection. The iLO firmware automatically defaults to the Shared Network Port.

On servers that use the iLO Dedicated Management NIC, you can enable Shared Network Portoperation through the iLO web interface, CLI, CPQLOCFG, iLO RBSU, HPONCFG, or HP IntelligentProvisioning.

The iLO Shared Network Port uses the network port labeled NIC 1 on the rear panel of the serverwhen Shared Network Port – LOM is selected, and the network port labeled 1 on the FlexibleLOMadapter if Shared Network Port – FlexibleLOM is selected. NIC numbering in the operating systemcan be different from system numbering. The iLO Shared Network Port does not incur an iLOperformance penalty. Peak iLO traffic is less than 2 Mb/s (on a NIC capable of 1Gb/s or 10GB/s speeds), and iLO traffic volume is low unless the Virtual Media or Remote Console featureis in use.

66 Configuring iLO



When you are using the iLO Shared Network Port, observe the following:

• You can use the iLO Shared Network Port and the iLO Dedicated Management NIC port onlyfor iLO server management.

• The iLO Shared Network Port is not an availability feature. Its purpose is to allow managednetwork port consolidation.

• The iLO Shared Network Port and the iLO Dedicated Management NIC port cannot operatesimultaneously. If you enable the iLO Dedicated Management NIC port, you will disable the

iLO Shared Network Port. If you enable the iLO Shared Network Port, you will disable theiLO Dedicated Management NIC port.

• Disabling the iLO Shared Network Port does not completely disable the system NIC—networktraffic still passes through the system NIC. When the iLO Shared Network Port is disabled,any traffic going to or originating from iLO will not pass through the iLO Shared Network Portbecause that port is no longer shared with iLO.

• Using the iLO Shared Network Port can create a single failure point. That is, if the port failsor is unplugged, both the host and iLO become unavailable to the network.

Enabling the iLO Shared Network Port feature

The iLO Shared Network Port feature is disabled by default on servers that are shipped with aDedicated iLO Management NIC. You can enable it by using the following methods:

• iLO RBSU—For more information, see “Enabling the iLO Shared Network Port feature throughiLO RBSU” (page 67).

• iLO web interface—For more information, see “Enabling the iLO Shared Network Port featurethrough the iLO web interface” (page 68).

• XML configuration and control scripts—For more information, see the HP iLO 4 Scripting and Command Line Guide .

• SMASH CLP—For more information, see the HP iLO 4 Scripting and Command Line Guide .

Enabling the iLO Shared Network Port feature through iLO RBSU

1. Connect the LOM or FlexibleLOM port 1 to a LAN.2. Press F8 during POST to enter iLO RBSU.3. Select Network→NIC and TCP/IP, and then press Enter .4. On the Network Configuration menu, press the spacebar to toggle the Network Interface

Adapter setting to Shared Network Port – LOM or Shared Network Port – FlexibleLOM, asshown in Figure 25 (page 68).

NOTE: The Shared Network Port option is available only on supported servers.




Figure 25 iLO RBSU Network Configuration menu

5. Press F10 to save the configuration.6. Select File→Exit, and then press Enter .

After iLO resets, the Shared Network Port feature is active. Any network traffic going to or originatingfrom iLO is directed through the LOM or FlexibleLOM port 1.

Enabling the iLO Shared Network Port feature through the iLO web interface

1. Connect the LOM or FlexibleLOM port 1 to a LAN.2. Log in to the iLO web interface.3. Navigate to the Administration→Network→IP & NIC Settings page.4. Select Shared Network Port – LOM or Shared Network Port – FlexibleLOM from the Control

menu in the NIC Settings section.

NOTE: The Shared Network Port feature is available on supported servers only.

5. Click Apply.

Clicking Apply applies your changes to the iLO network configuration, ends your browserconnection, and causes iLO to restart. You must wait at least 30 seconds before you attemptto re-establish a connection.

After iLO resets, the Shared Network Port feature is active. Any network traffic going to or originatingfrom iLO is directed through the LOM or FlexibleLOM port 1.

Re-enabling the iLO Dedicated Management NIC

Only the Shared Network Port or the iLO Dedicated Management NIC is active for servermanagement. They cannot be enabled at the same time. If you enabled the Shared Network Port,use one of the following methods if you want to re-enable the iLO Dedicated Management NIC:

• iLO RBSU—For more information, see “Enabling the Dedicated Management NIC by usingiLO RBSU” (page 69).

68 Configuring iLO



NOTE: Re-enabling the Dedicated Management NIC through RBSU requires a system reboot.

• iLO web interface—For more information, see “Enabling the iLO Dedicated Management NICby using the web interface” (page 69).

• XML scripting—For more information, see the HP iLO 4 Scripting and Command Line Guide .

Enabling the Dedicated Management NIC by using iLO RBSU

1. Connect the iLO Dedicated Management NIC port to a LAN from which the server is managed.2. Reboot the server.3. Press F8 during POST to enter iLO RBSU.4. Select Network→NIC and TCP/IP, and then press Enter .5. On the Network Configuration menu, press the spacebar to toggle the Network Interface

Adapter setting to On.6. Press F10 to save the configuration.7. Select File→Exit, and then press Enter .

After iLO resets, the iLO Dedicated Management NIC is active.

Enabling the iLO Dedicated Management NIC by using the web interface1. Connect the iLO Dedicated Management NIC port to a LAN from which the server is managed.2. Log in to the iLO web interface.3. Navigate to the Administration→Network→IP & NIC Settings page.4. Select Enabled from the Control menu in the NIC Settings section.5. Click Apply.

Clicking Apply applies your changes to the iLO network configuration, ends your browserconnection, and causes iLO to restart. You must wait at least 30 seconds before you attemptto re-establish a connection.

Configuring SNTP settingsSNTP helps iLO to maintain the correct time. Configuring SNTP is optional because the iLO dateand time can also be synchronized through the following:

• System ROM (during POST)

• Insight Management Agents (in the OS)

• SNTP setting in OA (blade servers only)

To use SNTP, you must have at least one SNTP server configured on your network. iLO can failover to a secondary server to get the correct time if the primary server is unavailable. You canenter the IP addresses of up to two SNTP servers in the appropriate fields, or you can configureyour DHCP server to provide the IP addresses and time zone.

The SNTP Settings page allows you to use the DHCP-supplied time settings or enter the SNTP settingsmanually. SNTP enables you to set the time for multiple iLOs at once, instead of having to set thetime on each server. You must have the Configure iLO Settings privilege to view or change thesesettings.

To configure the SNTP settings:




1. Navigate to the Administration→Network→SNTP Settings page, as shown in Figure 26(page 70).

Figure 26 SNTP Settings page


• Select the Use DHCP Supplied Time Settings check box to enable the DHCP server tosupply one or two SNTP server IP addresses and the time zone name.

See the Timezone list to identify the time zone to have your DHCP server distribute (forexample, America/Chicago (GMT-06:00:00) or Europe/Zurich (GMT+01:00:00)). TheGMT offset displayed in the list box after the time-zone name is not entered into yourDHCP server.

When iLO receives an IP address, it receives the UTC, and then converts it to local time.

• Clear the Use DHCP Supplied Time Settings check box if you do not want to use DHCPto supply the time settings.

The iLO firmware must recognize the IP address of at least one SNTP server. This serverprovides the current time to iLO. If you clear the Use DHCP Supplied Time Settings checkbox, you must supply the IP address for a primary time server.

3. If you cleared the Use DHCP Supplied Time Settings check box, enter the following information:

• Primary Time Server —The IP address of an SNTP server. The iLO firmware contacts thisserver for the UTC time. If iLO is unable to contact this server, it attempts to contact theSecondary Time Server.

• Secondary Time Server —The IP address of an SNTP server. If iLO cannot contact thePrimary Time Server, it contacts this server.

NOTE: Set the SNTP servers to display the time as Coordinated Universal Time (GMT).

70 Configuring iLO



4. Select the server time zone from the Timezone list.

This setting determines how iLO adjusts UTC time to obtain local time, and how iLO adjustsfor Daylight Savings Time. For the entries in the iLO Event Log and IML to display the correctlocal time, iLO must identify the time zone in which the server is located.



TIP: If you notice that the iLO Event Log entries have the incorrect date or time, check this pagefirst. Make sure that the SNTP server IP addresses and time zone are correct.

Configuring iLO Management settings With iLO 3 and earlier, SNMP management used the HP Insight Management Agents running inthe server operating system. With iLO 4, you can use either Agentless Management or the InsightManagement Agents. The default configuration is to use Agentless Management without any agentsoftware.

iLO 4 Agentless Management uses out-of-band communication for increased security and stability. With Agentless Management, health monitoring and alerting is built into the system and begins

working the moment a power cord is connected to the server. This feature runs on the iLO hardware,independent of the operating system and processor. You can install the optional AMS to collectadditional operating system data.

The Management page allows you to configure the iLO settings for SNMP, SNMP alerts, andInsight Manager integration.

You must have the Configure iLO Settings privilege to change these settings.

Depending on your configuration, you might need to install additional software. For moreinformation, see “Installing AMS or the Insight Management Agents” (page 72).

Table 9 (page 72) provides a comparison of the information provided by Agentless Managementand the Insight Management Agents.

Configuring iLO Management settings 71



Table 9 Information provided by Agentless Management and Insight Management Agents

Agentless Management with AMS

Agentless Management without AMSInsight Management AgentsComponent

Server health • Fans• Fans• Fans

• ••Temperatures TemperaturesTemperatures

•• •Power suppliesPower supplies Power supplies

••• MemoryMemoryMemory

• ••CPU CPUCPU

Storage • Smart Array• Smart Array• Smart Array

• ••HBA HBASMART Drive Monitoring

•• •Internal hard drivesattached to Smart Array

Fibre Channel and iSCSI SMART Drive Monitoring

•• Internal hard drivesattached to Smart Array

SMART Drive Monitoring

• Tape

• External storage

• MAC addresses forembedded NICs

NIC • Standup and embedded• Standup and embedded

• •MAC and IP address MAC and IP address•• Link up/Link down trapsLink up/Link down

• Teaming information

• VLAN information

Other • iLO data• iLO data• Operating system

information (host MIB)•• Operating system

information (host MIB)Firmware inventory

• iLO data

•• Firmware inventoryPerformance data

• •Configurable thresholds Driver/service inventory

• Logging events to

operating system logs• Clustering information

Installing AMS or the Insight Management Agents AMS is installed automatically when you perform an operating system installation by using HPIntelligent Provisioning or the HP Service Pack for ProLiant. Follow the instructions in this section if

AMS is not installed or if you want to use the Insight Management Agents.

When you are using Agentless Management and AMS, note the following:

• To verify AMS installation, see “Verifying the AMS installation” (page 73).

•

HP does not recommend installing AMS at the same time as the Insight Management Agentsand WMI Providers.

• If you must run AMS with the Insight Management Agents on Linux systems, start the hp-amsdaemon process first, and then decrease the number of traditional agents (for example,cmasm2d) running on the system. For more information about AMS on Linux systems, see themanpage for hpHelper, the AMS daemon process.

• When you install AMS on Windows systems, the Agentless Management Service ControlPanel is installed. You can use the Control Panel to configure SNMP settings, enable or disable

AMS, and remove AMS.

• AMS writes operating system configuration information and critical events to the Active HealthSystem Log.

72 Configuring iLO



AMS and the Insight Management Agents are available from the Service Pack for ProLiant andthe HP website.

NOTE: The VMware version of AMS is not available from the Service Pack for ProLiant, but it isavailable from the HP website and from the HP VMware Vibs Depot (http://vibsdepot.hp.com).

AMS is also included in the customized HP VMware ISO images that are released on HP SoftwareDepot.

• For instructions on using the Service Pack for ProLiant to install AMS or the Insight Management Agents, see the Service Pack for ProLiant documentation.

• To download AMS or the Insight Management Agents from the HP website:1. Navigate to the Support & Drivers page on the HP website: http://www.hp.com/support/

iLO4.2. Select an operating system.3. Download the software.4. Follow the installation instructions provided with the downloaded software.

Verifying the AMS installation

Use the following procedures to verify the AMS installation on Windows, Linux, and VMwaresystems.

Verifying AMS installation: Windows

To verify that AMS is enabled on a Windows system:

1. Open the Windows Control Panel.

If the Agentless Management Control Panel is present, then AMS is installed.

2. Open the Agentless Management Control Panel.3. Click the Service tab.

If AMS is enabled, the following message appears:

Agentless Management Service (AMS) is enabled.

Verifying AMS installation: Linux

To verify that AMS is installed on a Linux system, enter the following command (SuSE and RedHat):

rpm –qi hp-ams

To verify that AMS is running on a Linux system, enter the following command (SuSE and Red Hat):

service hp-ams status

Verifying AMS installation: VMware

To verify that AMS is installed on a VMware system:1. Access the VMware host from the VMware vSphere Client.2. Navigate to the server’s Inventory→Configuration→Health Status tab.3. Click the plus sign (+) next to Software Components.

The installed software on the host is listed. The AMS component includes the string hp-ams.

NOTE: The full name of the AMS component is different for each supported version ofESX/ESXi.


http://vibsdepot.hp.com/

http://www.hp.com/support/iLO4







Configuring SNMPTo configure SNMP, select Agentless Management or SNMP Pass-thru, and then enter additionalSNMP settings.

1. Navigate to the Administration→Management page, as shown in Figure 27 (page 74).

Figure 27 iLO Management page

2. Select Agentless Management or SNMP Pass-thru.

• Agentless Management (default)—Use SNMP agents running on iLO to manage the server.SNMP requests sent by the client to iLO over the network are fulfilled by iLO. This settingdoes not affect alerts.

• SNMP Pass-thru—Use SNMP agents running on the host operating system to manage theserver. SNMP requests sent by the client to iLO over the network are passed to the hostoperating system. The responses are then passed to iLO and returned to the client overthe network. This setting does not affect alerts.

3. Enter the following information:

• System Location (Agentless Management only)—A string of up to 49 characters thatspecifies the physical location of the server.

• System Contact (Agentless Management only)—A string of up to 49 characters thatspecifies the system administrator or server owner. The string can include a name, emailaddress, or phone number.

• System Role (Agentless Management only)—A string of up to 64 characters that describesthe server role or function.

• System Role Details (Agentless Management only)—A string of up to 512 characters thatdescribes specific tasks that the server might perform.

74 Configuring iLO



• Read Community (Agentless Management only)—The configured SNMP read-onlycommunity string.

The Read Community field supports the following formats:

◦ A community string (for example, public).

◦ A community string followed by an IP address or FQDN (for example, public192.168.0.1).

Use this option to specify that SNMP access will be allowed from the specified IPaddress or FQDN. For iLO 4 1.10 or later, you can enter an IPv4 address or fullyqualified domain name.

• Trap Community—The configured SNMP trap community string.

• SNMP Alert Destination(s)—The IP addresses or fully qualified domain names of up tothree remote management systems to receive SNMP alerts from iLO.

NOTE: Typically, you enter the HP SIM server console IP address in this section.

• SNMP Port—The port used for SNMP communications. This value is read only, but can

be modified on the Administration→

Access Settings page.For more information, see “Configuring iLO access settings” (page 34).

4. Click Apply to save the configuration.

Configuring SNMP alertsYou can configure the Trap Source Identifier, iLO SNMP alerts, forwarding of Insight Management

Agent SNMP alerts, and Cold Start Trap broadcast.

To configure SNMP alerts:

1. Navigate to the Administration→Management page, as shown in Figure 27 (page 74).2. Click the SNMP Settings tab.

3. Select from the following alert types:• Trap Source Identifier —By default, the iLO host name is used in the SNMP-defined sysName

variable. The Trap Source Identifier option allows the substitution of the OS host namefor sysName when iLO generates SNMP traps.

NOTE: The host name is an OS construct and does not remain persistent with the serverin cases where the hard drives are moved to a new server platform. The iLO sysName,however, remains persistent with the system board.

• iLO SNMP Alerts—Alert conditions that iLO detects independently of the host operatingsystem can be sent to specified SNMP alert destinations, such as HP SIM.

• Forward Insight Management Agent SNMP Alerts—Alert conditions detected by the hostmanagement agents can be forwarded to SNMP alert destinations through iLO. Thesealerts are generated by the Insight Management Agents, which are available for eachsupported operating system. Insight Management Agents must be installed on the hostserver to receive these alerts.

• Cold Start Trap Broadcast—Cold Start Trap is broadcast to a subnet broadcast addressif there are no trap destinations configured in the SNMP Alert Destination(s) boxes.

The subnet broadcast address for an IPv4 host is obtained through performing a bitwiselogical OR operation between the bit complement of the subnet mask and the host IPaddress. For example, the host 192.168.1.1, which has the subnet mask




255.255.252.0, has the broadcast address 192.168.1.1 | 0.0.3.255 =192.168.3.255.

4. Click Apply to save the configuration.5. Optional: Click Send Test Alert to generate a test alert and send it to the TCP/IP addresses in

the SNMP Alert Destination(s) boxes.

Test alerts include an Insight Management SNMP trap and are used to verify the networkconnectivity of iLO in HP SIM. Only users with the Configure iLO Settings privilege can send

test alerts. After the alert is generated, a confirmation dialog box opens. Check the HP SIM console forreceipt of the alert.

Using the AMS Control Panel to configure SNMP and SNMP alerts (Windows only)

1. Open the Agentless Management Service Control Panel.2. Click the SNMP tab.3. Update the SNMP settings.

For a description of the available settings, see “Configuring SNMP” (page 74) and “ConfiguringSNMP alerts” (page 75).

4. Optional: Click Send Test Alert to generate a test alert and send it to the TCP/IP addresses inthe SNMP Alert Destination(s) boxes.

Test alerts include an Insight Management SNMP trap and are used to verify the networkconnectivity of iLO in HP SIM. Only users that have the Configure iLO Settings privilege cansend test alerts.

After the alert is generated, a confirmation dialog box opens. Check the HP SIM console forreceipt of the alert.


SNMP traps

Table 10 (page 76) lists the SNMP traps that you can generate with iLO and HP ProLiant Gen8servers.

For more information about these SNMP traps, see the following files in the Insight ManagementMIB update kit for HP SIM:

• cpqida.mib

• cpqhost.mib

• cpqhlth.mib

• cpqsm2.mib

• cpqide.mib

• cpqscsi.mib

• cpqnic.mib

Table 10 SNMP traps

DescriptionSNMP trap name

SNMP has been initialized, the system has completed POST, or AMS has started.

Cold Start Trap 0

SNMP has detected an authentication failure. Authentication Failure Trap 4

A change has been detected in the status of the Smart Arraycontroller.

cpqDa6CntlrStatusChange 3033

76 Configuring iLO



Table 10 SNMP traps (continued)

DescriptionSNMP trap name

iLO 4 has detected a Self Test Error.cpqSm2SelfTestError 9005

iLO 4 has detected that the security override jumper has beentoggled to the engaged position.

cpqSm2SecurityOverrideEngaged 9012

iLO 4 has detected that the security override jumper has beentoggled to the disengaged position.

cpqSm2SecurityOverrideDisengaged 9013

The server has been powered on.cpqSm2ServerPowerOn 9017

The server has been powered off.cpqSm2ServerPowerOff 9018

A request was made to power on the server, but the server couldnot be powered on because of a failure condition.

cpqSm2ServerPowerOnFailure 9019

Generic trap. Verifies that the SNMP configuration, client SNMPconsole, and network are operating correctly. You can use the

cpqHo2GenericTrap 11003

iLO web interface to generate this alert to verify receipt of the alerton the SNMP console.

A power threshold has been exceeded.cpqHo2PowerThresholdTrap 11018

A change in the health status of the server has occurred.cpqHoMibHealthStatusArrayChangeTrap 11020 AMS detected a change in the status of an SAS or SATA physicaldrive.

cpqSasPhyDrvStatusChange 5022

AMS detected a change in the status of an ATA disk drive.cpqIdeAtaDiskStatusChange 14004

AMS detected that connectivity was restored to a logical networkadapter.

cpqNic3ConnectivityRestored 18011

AMS detected that the status of a logical network adapter changedto failed.

cpqNic3ConnectivityLost 18012

Configuring Insight Management Integration

The HP System Management Homepage URL sets the browser destination of the Insight Agent linkon the Information→Insight Agent page. Typically, this link is the IP address or DNS name of themanagement agent running on the host server operating system.

To configure Insight Management Integration:

1. Navigate to the Administration→Management page, as shown in Figure 27 (page 74).2. Enter the IP address or DNS name of the host server in the HP System Management Homepage

(HP SMH) field.

The protocol (https://) and port number (:2381) are added automatically to the IP addressor DNS name to allow access to the Insight Management Web Agents from iLO.

If the System Management Homepage URL is set through another method (for example,

CPQLOCFG), click the browser refresh button to display the updated URL.3. Select a value in the Level of Data Returned box.

This setting controls the content of an anonymous discovery message that iLO receives. Thedata returned is used for Insight Manager HTTP identification requests. The following optionsare available:

• Enabled (default)—Enables Insight Manager to associate the management processor withthe host server, and provides sufficient data to allow integration with HP SIM

• Disabled—Prevents iLO from responding to the HP SIM requests

• View XML Reply—Enables you to examine the data returned with the current configuration

4. Click Apply to save the changes.

78 Configuring iLO



For more information about the Insight Agents, navigate to the Information→Insight Agents page.




4 Using iLOThe main iLO features for a non-administrative user are located in the Information, Remote Console,

Virtual Media, and Power Management sections of the navigation pane. This guide providesinformation about using iLO with the iLO web interface.

TIP: You can also perform many iLO tasks by using XML configuration and control scripts orSMASH CLP. For information about using these methods, see the HP iLO 4 Scripting and Command Line Guide, HP Scripting Toolkit for Linux User Guide , and HP Scripting Toolkit for Windows User Guide .

Using the iLO web interfaceThe iLO web interface is one method that you can use to access iLO. You can also use a RemoteConsole, scripting, or the CLP.

Browser supportThe iLO web interface requires a browser that supports JavaScript. For a list of supported browsers,

see http://www.hp.com/go/compareilo or the HP iLO 4 Release Notes.If you receive a notice that your browser does not have the required functionality, verify that yourbrowser settings meet the following requirements, or contact your administrator.

The following settings must be enabled:

• JavaScript—The iLO web interface uses client-side JavaScript extensively.

• ActiveX—ActiveX must be enabled when you are using Microsoft Internet Explorer with iLO.

• Cookies—Cookies must be enabled for certain features to function correctly.

• Pop-up windows—Pop-up windows must be enabled for certain features to function correctly. Verify that pop-up blockers are disabled.

Logging in to iLOYou must access the iLO web interface through HTTPS (HTTP exchanged over an SSL encryptedsession).

To log in to iLO:

1. Enter https://iLO host name or IP address.

The iLO login page opens.

If the iLO system is configured to use the Login Security Banner feature, a security message isdisplayed on the login page.

For information about configuring the Login Security Banner, see “Configuring the LoginSecurity Banner” (page 61).

2. Enter an HP iLO user name and password, and then click Log In.

Login problems might occur for the following reasons:

• You have recently upgraded the iLO firmware. You might need to clear your browser cachebefore attempting to log in again.

• You are not entering the login information correctly. Passwords are case sensitive.

• The account you are entering is not a valid iLO account.

• The account you are entering has been deleted, disabled, or locked out.

80 Using iLO





• The password for the account must be changed.

• You are attempting to sign in from an IP address that is not valid for the specified account.

Contact the administrator if you continue to have problems.

If iLO is configured for Kerberos network authentication, the HP Zero Sign In button is displayedbelow the Log In button. Clicking the HP Zero Sign In button logs the user in to iLO without requiringthe user to enter a user name and password. If the Kerberos login fails, the user can log in byusing a user name and password.

A failed Kerberos login might be caused by one of the following reasons:

• The client does not have a ticket or has an invalid ticket. Press Ctrl+Alt+Del to lock the clientPC and get a new ticket.

• The browser is not configured correctly. This might be indicated by a dialog box from thebrowser that is requesting credentials.

• The Kerberos realm that the client PC is logged in to does not match the Kerberos realm forwhich iLO is configured.

• The computer account in Active Directory for iLO does not exist or is disabled.

• The user logged in to the client PC is not a member of a Universal or Global directory group

authorized to access iLO.• The key in the Kerberos keytab stored in iLO does not match the key in Active Directory.

• The KDC server address for which iLO is configured is incorrect.

• The date and time do not match between the client PC, the KDC server, and iLO.

• The DNS server is not working correctly. iLO requires a functioning DNS server for Kerberossupport.

SSL overviewSSL is a standard for encrypting data so that it cannot be viewed or modified while in transit on

the network. SSL uses a key to encrypt and decrypt the data. The longer the key, the better theencryption.

Certificates A certificate is a public document that describes the server. It contains the name of the server andthe server's public key. Because only the server has the corresponding private key, this is how theserver is authenticated.

A certificate must be signed to be valid. If it is signed by a CA, and that CA is trusted, all certificatessigned by the CA are also trusted. A self-signed certificate is one in which the owner of the certificateacts as its own CA. Self-signed certificates are the default for HP management products, thoughthey do support certificates signed by certifying authorities.

Handling an unknown authorityIf the Website Certified by an Unknown Authority message is displayed, take the following action:

1. Make sure that you are browsing to the correct management server (not an imposter):

• View the certificate.

• Verify that the Issued To name is your management server. Perform any other steps youfeel necessary to verify the identity of the management server.

• If you are not sure that this is the correct management server, do not proceed. You mightbe browsing to an imposter and giving your sign-in credentials to that imposter when yousign in. Contact the administrator. Exit the certificate window and click No or Cancel to

cancel the connection.

Using the iLO web interface 81



2. If you verified the items in Step 1, you have the following options:

• Accept the certificate temporarily for this session.

• Accept the certificate permanently.

• Stop now and import the certificate to your browser from a file provided by youradministrator.

Using the iLO controls When you log in to the iLO web interface, the controls at the bottom of the browser window areavailable from any iLO page.

• Power —Use this menu to access the iLO Virtual Power features.

• UID—Use this button to turn the UID light on and off.

• Language—Use this menu to select a language or to navigate to the Access Settings→Languagepage, where you can install a language pack and configure other language-related settings.

• Health icon—Use this icon to view the overall health status for the server fans, temperaturesensors, and other monitored subsystems. Click the icon to view the status of the monitoredcomponents. Click a component to view more information about the component status.

Viewing iLO overview informationThe iLO Overview page displays high-level details about the server and iLO subsystem, as well aslinks to commonly used features.

Viewing system informationTo view iLO overview information, navigate to the Information→Overview page, as shown inFigure 28 (page 83).

82 Using iLO



Figure 28 iLO Overview page

The Information section displays the following information:

• Server Name—The server name defined by the host operating system. Click the Server Namelink to navigate to the Administration→ Access Settings page.

• Product Name—The product with which this iLO processor is integrated.

• UUID—The Universally Unique Identifier that the software uses to uniquely identify this host.This value is assigned when the system is manufactured.

• UUID (Logical)—The system UUID that is presented to host applications. This value is displayedonly when it has been set by other HP software, such as HP Virtual Connect Manager. Thisvalue might affect operating system and application licensing. The UUID (Logical) value is setas part of the logical server profile that is assigned to the system. If the logical server profileis removed, the system UUID value reverts from the UUID (Logical) value to the UUID value. Ifno UUID (Logical) value is set, this item is not displayed on the Overview page.

• Server Serial Number —The server serial number, which is assigned when the system ismanufactured. You can change this value by using the system RBSU during POST.

• Serial Number (Logical)—The system serial number that is presented to host applications. Thisvalue is displayed only when it has been set by other HP software, such as HP Virtual ConnectManager. This value might affect operating system and application licensing. The SerialNumber (Logical) value is set as part of the logical server profile that is assigned to the system.If the logical server profile is removed, the serial number value reverts from the Serial Number (Logical) value to the Server Serial Number value. If no Serial Number (Logical) value is set,this item is not displayed on the Overview page.

• Product ID—This value distinguishes between different systems with similar serial numbers.The product ID is assigned when the system is manufactured. You can change this value byusing the system RBSU.

• System ROM—The family and version of the active system ROM.

• Backup System ROM—The date of the backup system ROM. The backup system ROM is usedif a system ROM update fails or is rolled back. This value is displayed only if the system

Viewing iLO overview information 83



supports a backup system ROM. For information about using the backup system ROM, see“Using iLO diagnostics” (page 110).

• Integrated Remote Console—Provides links to start the .NET IRC or Java IRC application forremote, out-of-band interaction with the server console. For information about Remote Consolerequirements and features, see “Using the iLO Remote Console” (page 113).

• License Type—The level of licensed iLO functionality.

• iLO Firmware Version—The version and date of the installed iLO firmware. Click the iLO

Firmware Version link to navigate to the Administration→iLO Firmware page.For more information about firmware, see “Updating iLO firmware” (page 22).

• IP Address—The network IP address of the iLO subsystem.

• iLO Hostname—The fully qualified network name assigned to the iLO subsystem. By default,the iLO host name is ILO followed by the system serial number and the currently known domainname. This value is used for the network name and must be unique. You can change this nameon the Network→IP & NIC Settings page.

Viewing status informationTo view general status information, navigate to the Information→Overview page, as shown in

Figure 28 (page 83).The Status section displays the following information:

• System Health—The server health indicator. This value summarizes the condition of themonitored subsystems, including overall status and redundancy (ability to handle a failure).Click the System Health link to navigate to the System Information→Health Summary page.

For more information about the Health Summary page, see “Viewing health summaryinformation” (page 85).

• Server Power —The server power state (ON /OFF) when the page was loaded.

• UID Indicator —The state of the UID when the page was loaded. The UID helps you identify

and locate a system, especially in high-density rack environments. The possible states are ON,OFF, and BLINK .

You can change the UID state to ON or OFF by using the UID buttons on the server chassis orthe UID control at the bottom of the browser window.

CAUTION: The UID blinks automatically to indicate that a critical operation is underway onthe host, such as Remote Console access or a firmware update. Do not remove power froma server with a blinking UID.

When the UID is blinking, the UID Indicator displays the status BLINK . When the UID stopsblinking, the status reverts to the previous value (ON or OFF). If a new state is selected whilethe UID is blinking, that state takes effect when the UID stops blinking.

• TPM Status—The current status of the TPM. If the host system or system ROM does not supportTPM, the value Not Supported is displayed.

• SD-Card Status—The current status of the internal SD card. If present, the number of blocks inthe SD card is displayed.

On nonblade servers, SD cards are not hot-pluggable. Use the following procedure to insertan SD card:

84 Using iLO



Power down the server.1.2. Remove the top cover.3. Insert or remove the SD card.

• iLO Date/Time—The internal clock of the iLO subsystem. The iLO clock can be synchronizedautomatically with the network.

Viewing the active iLO sessions

To view the active iLO sessions, navigate to the Information→Overview page, as shown in Figure 28(page 83).

The Active Sessions section displays the following information for all users logged in to iLO:

• User name

• IP address

• Source (for example, iLO web interface or Remote Console)

Viewing iLO system informationThe iLO System Information page displays the health of the monitored subsystems and devices.

The information that you can view depends on whether you are using Agentless Management orSNMP Pass-thru, and whether AMS is installed. For more information, see “Configuring iLOManagement settings” (page 71).

The System Information page includes the following embedded health tabs: Summary, Fans,Temperatures, Power , Processors, Memory, Network, Storage, and Firmware.

Viewing health summary informationThe Health Summary page displays the status of monitored subsystems and devices. Dependingon the server type, the information on this page varies.

To view health summary information, navigate to the Information→System Information page, andthen click the Summary tab, as shown in Figure 29 (page 86).

Redundancy information is available for the following:

• Fans

• Power supplies

Summarized status information is available for the following:

• BIOS/Hardware Health

• Fans

• Memory

• Network

• Power Supplies

• Processors

• Storage

• Temperatures

Viewing iLO system information 85



Figure 29 System Information – Health Summary page

The displayed status values follow:

Table 11 Health status values

Description Value

There is a backup component for the device or subsystem.Redundant

The device or subsystem is working correctly.OK

There is no backup component for the device or subsystem.Not Redundant

The device or subsystem is operating at a reduced capacity.Degraded

NOTE: Previous versions of iLO used a status of Mismatched to indicate thepresence of mismatched power supplies. iLO 4 displays the power supply statusas Degraded when mismatched power supplies are installed.

If you boot a server with nonredundant fans or power supplies, the system healthstatus is listed as OK . However, if a redundant fan or power supply fails whilethe system is booted, the system health status is listed as Degraded until youreplace the fan or power supply.

The device or subsystem is in a nonoperational state.Failed Redundant

One or more components of the device or subsystem are nonoperational.Failed

Navigate to the System Information page of the component that is reporting thisstatus for more information.

Other

The network link is down.Link Down

Viewing fan informationThe iLO firmware controls the operation and speed of the fans. Fans provide essential cooling ofcomponents to ensure reliability and continued operation. The fans react to the temperaturesmonitored throughout the system to provide sufficient cooling with minimal noise.

86 Using iLO



Fan operation policies might differ from server to server based on fan configuration and coolingdemands. Fan control takes into account the internal temperature of the system, increasing the fanspeed to provide more cooling, and decreasing the fan speed if cooling is sufficient. In the eventof a fan failure, some fan operation policies might increase the speed of the other fans, record theevent in the IML, or turn LED indicators on.

Monitoring the fan subsystem includes the sufficient, redundant, and nonredundant fanconfigurations. In ProLiant servers that support redundant configurations, if one or more fans fail,the server still provides sufficient cooling to continue operation.

In nonredundant configurations, or redundant configurations where multiple fan failures occur, thesystem might be incapable of providing sufficient cooling to protect the system from damage andto ensure data integrity. In this case, in addition to the cooling policies, the system might start agraceful shutdown of the operating system and server.

To view fan information, navigate to the Information→System Information page, and then clickthe Fans tab, as shown in Figure 30 (page 87).

Figure 30 System Information – Fan Information page

The information displayed on the Fan Information page varies depending on the server type.

• Rack server —The output includes the location of the replaceable fans in the server chassis,the status of each fan, and the current fan speeds.

• Blade server —The output includes the fan location, status, and speed. ProLiant c-Class serverblades use the enclosure fans to provide cooling because they do not have internal fans. Theenclosure fans are called “virtual fans” on this page. The virtual fan reading represents thecooling amount that a server blade is requesting from the enclosure. The server blade calculatesthe amount of cooling required by examining various temperature sensors and calculating anappropriate fan speed. The enclosure uses information from all of the installed server andnonserver blades to adjust the fans to provide the appropriate enclosure cooling.

Viewing temperature informationThe Temperature Information page displays the location, status, temperature, and threshold settings

of temperature sensors in the server chassis. The temperature is monitored to maintain the location




temperature below the caution threshold. If one or more sensors exceed this threshold, iLOimplements the recovery policy to prevent damage to server components.

• If the temperature exceeds the caution threshold, the fan speed is increased to maximum.

• If the temperature exceeds the critical temperature, a graceful server shutdown is attempted.

• If the temperature exceeds the fatal threshold, the server is shut down immediately to preventpermanent damage.

Monitoring policies differ depending on the server requirements. Policies usually include increasingfan speed to maximum cooling, logging temperature events in the IML, providing visual indicationof the event by using LED indicators, and starting a graceful shutdown of the operating system toavoid data corruption.

Additional policies are implemented after an excessive temperature condition is corrected, includingreturning the fan speed to normal, recording the event in the IML, turning off the LED indicators,and canceling shutdowns in progress (if applicable).

To view temperature information, navigate to the Information→System Information page, and thenclick the Temperatures tab, as shown in Figure 31 (page 88).

When temperatures are displayed in Celsius, you can click the Show values in Fahrenheit buttonto change the display to Fahrenheit. When temperatures are displayed in Fahrenheit, you can

click the Show values in Celsius button to change the display to Celsius.

Figure 31 System Information – Temperature Information page

The Temperature Information page displays the following information:

• Temp—The ID of the temperature sensor.

• Location—The area where the temperature is being measured.

In this column, Memory refers to the temperature sensors located on a physical memory DIMM.

Memory also refers to other temperature sensors located close to the memory DIMMs, but notlocated on the DIMMs. These sensors are located further down the airflow cooling path, nearthe DIMMs, to provide additional temperature information.

88 Using iLO



The ID of the temperature sensor in the Temp column helps to pinpoint the location, providingdetailed information about the DIMM or memory area.

• Status—The temperature status. Depending on the memory configuration, some sensors showa status of Not installed.

• Reading—The temperature recorded by the listed temperature sensor. If a temperature sensoris not installed, the Reading column shows the value N/A.

• Thresholds—The temperature thresholds for the warning for overheating conditions. The two

threshold values are Caution and Critical.

◦ Caution—The server is designed to maintain a temperature below the caution thresholdwhile operating. If a failure prevents this safe operating condition from being maintained,the server increases the fan speed and initiates a graceful operating system shutdown.This ensures both data integrity and system safety.

◦ Critical—If temperatures are uncontrollable or rise quickly, the critical temperature thresholdprevents system failure by physically stopping the system before the high temperaturecauses an electronic component failure.

◦ N/A—If a temperature sensor is not installed, the Thresholds column shows the valueN/A.

Viewing power informationiLO monitors the power supplies in the system to ensure the longest available uptime of the serverand operating system. Power supplies might be affected by brownouts and other electricalconditions, or AC cords might be unplugged accidentally. These conditions result in a loss ofredundancy if redundant power supplies are configured, or result in a loss of operation if redundantpower supplies are not in use. If a power supply failure is detected (hardware failure) or the ACpower cord is disconnected, events are recorded in the IML and LED indicators are used.

iLO monitors power supplies to make sure that they are installed correctly. Reviewing the Power Information page and the IML helps you to decide when to repair or replace a power supply,

preventing a disruption in service.For more information about HP power supply options, see the HP website at: http://www.hp.com/go/rackandpower.

To view power information, navigate to the Information→System Information page, and then clickthe Power tab, as shown in Figure 32 (page 90).


http://www.hp.com/go/rackandpower






Figure 32 System Information – Power Information page

The power information displayed on this page varies depending on the server type.

• Rack servers (DL, ML)—The output includes the following sections: Power Supply Summary,Power Supplies, and HP Power Discovery Services PDU Summary (if available).

• Rack servers (SL)—The output includes the following sections: Power Supply Summary andPower Supplies.

• Blade servers—The output includes the following sections: Power Readings and Power Microcontroller .

Depending on the server type, this page displays the following information:

• Power Supply Summary (all Rack servers)—The following summary information is listed:

Present Power Reading—The most recent power reading from the server.

Although this value is typically equal to the sum of all active power supply outputs, theremight be some small variance as a result of reading the individual power supplies. This

◦

value is a guideline value and is not as accurate as the values presented on the Power Management pages. For more information, see “Viewing server power usage” (page 142).

◦ Power Management Controller Firmware Version—The firmware version of the powermanagement controller. The server must be powered on for iLO to determine the firmwareversion.

◦ Power Supply Redundancy—Whether redundant power supplies are installed.

◦ High Efficiency Mode—The redundant power supply mode that will be used if redundantpower supplies are configured.

High Efficiency Mode improves the power efficiency of the system by placing the secondarypower supplies in standby mode. When the secondary power supplies are in standbymode, primary power provides all DC power to the system. The power supplies are moreefficient (more DC output watts for each watt of AC input) at higher output levels, andthe overall power efficiency improves.

90 Using iLO



High Efficiency Mode does not affect power redundancy. If the primary power suppliesfail, the secondary power supplies immediately begin supplying DC power to the system,preventing any downtime. You can configure redundant power supply modes only throughthe system RBSU. You cannot modify these settings through iLO. For more information,see the HP ROM-Based Setup Utility User Guide .

The available redundant power supply modes are as follows:

– Balanced Mode—Shares the power delivery equally between all installed power

supplies.– High Efficiency Mode (Auto)—Delivers full power to one of the power supplies and

places the other power supplies on standby at a lower power-usage level. Asemi-random distribution is achieved, because the Auto option chooses between theodd or even power supply based on the server serial number.

– High Efficiency Mode (Even Supply Standby)—Delivers full power to the odd-numberedpower supplies and places the even-numbered power supplies on standby at a lowerpower-usage level.

– High Efficiency Mode (Odd Supply Standby)—Delivers full power to the even-numberedpower supplies and places the odd-numbered power supplies on standby at a lowerpower-usage level.

• Power Supplies (ML and DL servers only)—The following information about the installed powersupplies is listed:

◦ Bay—The bay number of the power supply.

◦ Present—Whether a power supply is installed.

◦ Status—The status of the power supply.

◦ PDS—Whether the installed power supply is enabled for HP Power Discovery Services.

PDS is an enhancement to the HP Intelligent Power Distribution Unit technology. If the

server power supply is connected to an iPDU, an additional summary table on this pagedisplays the linked iPDUs. For more information about HP Power Discovery Services andIntelligent Power Distribution Units, see http://www.hp.com/go/ipd.

◦ Hotplug—Whether the power supply is in redundant mode. If the value is Yes, the powersupply can be removed or replaced when the server is powered on.

◦ Model—The model number of the power supply.

◦ Spare—The part number of the power supply.

◦ Serial—The serial number of the power supply.

◦

Capacity—The capacity of the power supply (watts).◦ Firmware—The installed power supply firmware.

• Power Supplies (SL servers only)—The name, location, and status of the installed powersupplies.

◦ OK —Indicates that the power supply is installed and operational.

◦ Not Installed—Indicates that the power supply is not installed. Power is not redundant.


http://www.hp.com/go/ipd




◦ Failed—Indicates that the power supply is not functioning. Make sure that the power cordis plugged in.

◦ Mismatched Supply Types—Indicates that multiple types of power supplies are installedand that this power supply is not in use. If mismatched power supply types are installed,only one type is used. For correct operation at the power subsystem, make sure that thepower supplies are the same type, wattage, and part number.

• HP Power Discovery Services PDU Summary (ML and DL servers only)—The following informationis displayed if the server power supplies are connected to an iPDU.

For more information about the state-of-the-art technology features that HP brings to the IntelligentData Center, see the following website: http://www.hp.com/go/ipd.

After iLO is reset, or when the iPDU is attached, the HP Power Discovery Services PDU Summarytable takes approximately 2 minutes to be displayed in the iLO web interface. This delay isdue to the iPDU discovery process.

◦ Bay—The power supply bay number.

◦ Present—Whether a power supply is installed. This value is taken from the Power Suppliestable.

◦ Status—The overall communication link status and rack input power redundancy, asdetermined by the iPDU. The possible status values follow:

– PDU Redundant—This Good status indicates that the server is connected to at leasttwo different iPDUs.

– PDU Not Redundant—This Caution status indicates that the server is not connectedto at least two different iPDUs. Typically, this status is displayed when one of thefollowing conditions occurs:

– A PDS link is not established for all power supplies, or when or two or morepower supplies are connected to the same iPDU.

–

The PDS Link and iPDU Serial Number fields are identical for power supplieswhose input power comes from the same iPDU. If one power supply is waitingfor a connection to be established, the iPDU is listed as not redundant.

– Waiting for connection—This Informational status indicates one or more of thefollowing conditions:

– The wrong power cord was used to connect the power supply to the iPDU.

– The iPDU and the iLO are in the process of connecting. This process can takeup to 2 minutes after iLO or the iPDU is reset.

– The iPDU module does not have a network (or IP) address.

◦

Part Number —The iPDU part number.◦ Serial—The iPDU serial number.

◦ PDS Link—The iPDU HTTP address (if available). Click the link in this column to open theHP Intelligent Modular PDU web interface.

92 Using iLO





• Power Readings (BL servers only)—The following information is listed:

◦ Present Power Reading—The most recent power reading from the server.

Although this value is typically equal to the sum of all active power supply outputs, theremight be some small variance as a result of reading the individual power supplies. Thisvalue is a guideline value and is not as accurate as the values presented on the Power Management pages. For more information, see “Viewing server power usage” (page 142).

•

Power Microcontroller (BL servers only)—The following information is listed:◦ Firmware Version—The firmware version of the power management controller. The server

must be powered on for iLO to determine the firmware version.

Viewing processor informationThe Processor Information page displays the available processor slots, the type of processor installedin each slot, and a summary of the processor subsystem.

To view processor information page, navigate to the Information→System Information page, andthen click the Processors tab, as shown in Figure 33 (page 93).

Figure 33 System Information – Processor Information page

The following information is displayed:

• Processor Name—The name of the processor

• Processor Status—The health status of the processor

• Processor Speed—The speed of the processor

• Execution Technology—Processor cores and threads

• Memory Technology—Memory capabilities

• Internal L1 cache—The cache size






Viewing memory informationThe Memory Information page displays a summary of the system memory. When server power isoff, AMP data is unavailable, and only memory modules present at POST are displayed.

To view memory information, navigate to the Information→System Information page, and then

click the Memory tab, as shown in Figure 34 (page 94).

Figure 34 System Information – Memory Information page

Advanced Memory ProtectionThis section lists the AMP Mode Status, Configured AMP Mode, and Supported AMP Modes.

• AMP Mode Status—The status of the AMP subsystem. The following states are supported:

Other/Unknown—The system does not support AMP, or the management software cannotdetermine the status.

◦

◦ Not Protected—The system supports AMP, but the feature is disabled.

◦ Protected—The system supports AMP. The feature is enabled but not engaged.

◦ Degraded—The system was protected, but AMP is engaged. Therefore, AMP is no longeravailable.

◦ DIMM ECC —The system is protected by DIMM ECC only.

◦ Mirroring—The system is protected by AMP in the mirrored mode. No DIMM faults havebeen detected.

◦ Degraded Mirroring—The system is protected by AMP in the mirrored mode. One ormore DIMM faults have been detected.

◦ On-line Spare—The system is protected by AMP in the hot spare mode. No DIMM faultshave been detected.

◦ Degraded On-line Spare—The system is protected by AMP in the hot spare mode. One

or more DIMM faults have been detected.

94 Using iLO



◦ RAID-XOR—The system is protected by AMP in the XOR memory mode. No DIMM faultshave been detected.

◦ Degraded RAID-XOR—The system is protected by AMP in the XOR memory mode. Oneor more DIMM faults have been detected.

◦ Advanced ECC—The system is protected by AMP in the Advanced ECC mode.

◦ Degraded Advanced ECC—The system is protected by AMP in the Advanced ECC mode.

One or more DIMM faults have been detected.

◦ LockStep—The system is protected by AMP in the LockStep mode.

◦ Degraded LockStep—The system is protected by AMP in the LockStep mode. One or moreDIMM faults have been detected.

• Configured AMP Mode—The active AMP mode. The following modes are supported:

None/Unknown—The management software cannot determine the AMP fault tolerance,or the system is not configured for AMP.

◦

◦ On-line Spare—A single spare bank of memory is set aside at boot time. If enough ECC

errors occur, the spare memory is activated and the memory that is experiencing theerrors is disabled.

◦ Mirroring—The system is configured for mirrored memory protection. All memory banksare duplicated in mirrored memory, as opposed to only one for on-line spare memory.If enough ECC errors occur, the spare memory is activated and the memory that isexperiencing the errors is disabled.

◦ RAID-XOR—The system is configured for AMP with the XOR engine.

◦ Advanced ECC—The system is configured for AMP with the Advanced ECC engine.

◦ LockStep—The system is configured for AMP with the LockStep engine.

• Supported AMP Modes—The AMP modes supported on this system. Possible values are asfollows:

◦ RAID-XOR—The system can be configured for AMP using the XOR engine.

◦ Dual Board Mirroring—The system can be configured for mirrored advanced memoryprotection in a dual memory board configuration. The mirrored memory can be swappedwith memory on the same memory board or with memory on the second memory board.

◦ Single Board Mirroring—The system can be configured for mirrored advanced memoryprotection in a single memory board.

◦

Advanced ECC—The system can be configured for Advanced ECC.◦ Mirroring—The system can be configured for mirrored AMP.

◦ On-line Spare—The system can be configured for online spare AMP.

◦ LockStep—The system can be configured for LockStep AMP.

◦ None—The system cannot be configured for AMP.




Memory Summary

This section shows a summary of the memory installed and operational at POST.

• Location—The slot or processor number in which the memory board, cartridge, or riser isinstalled. Possible values are as follows:

◦ System Board—There is no separate memory board slot. All DIMMs are installed on themotherboard.

◦ Board Number —There is a memory board slot available. All DIMMs are installed on thememory board.

◦ Processor Number —The processor number on which the memory DIMMs are installed.

◦ Riser Number —The riser number on which the memory DIMMs are installed.

• Number of Sockets—The number of memory module sockets present on the memory board,cartridge, or riser.

• Total Memory—The size of the memory for this board, cartridge, or riser, including memoryrecognized by the operating system and memory used for spare, mirrored, XOR, or LockStepconfigurations.

• Operating Frequency—The frequency at which the memory on the memory board, cartridge,or riser operates.

• Operating Voltage—The voltage at which the memory on the memory board, cartridge, orriser operates.

Memory Details

This section shows the memory modules in the host that are installed and operational at POST.Unpopulated module positions are also listed. Various resilient memory configurations can changethe actual memory inventory from what was sampled at POST. In systems that have a high numberof memory modules, all module positions might not be listed.

•

Memory Location—The slot or processor number in which the memory module is installed.• Socket—The memory module socket number.

• Status—The memory module status and whether it is in use.

• HP SmartMemory—Whether the memory module is HP SmartMemory. The possible valuesare Yes and No. If no memory module is installed, the value N/A is displayed.

If the value No is displayed in this column, the listed module is not an HP memory module.The memory module will still function, but it has no warranty, and it might not perform as wellas an HP memory module.

For more information about HP SmartMemory, see http://www.hp.com/products/memory.

•

Type—The type of memory installed. Possible values are as follows:Other —Memory type cannot be determined.◦

◦ Board—Memory module is permanently mounted (not modular) on a system board ormemory expansion board.

◦ CPQ single width module

◦ CPQ double width module

◦ SIMM

◦ PCMCIA

96 Using iLO

http://www.hp.com/products/memory

http://www.hp.com/products/memory



◦ Compaq-specific

◦ DIMM

◦ Small outline DIMM

◦ RIMM

◦ SRIMM

◦ FB-DIMM

◦ DIMM DDR

◦ DIMM DDR2

◦ DIMM DDR3

◦ FB-DIMM DDR2

◦ FB-DIMM DDR3

◦

N/A—Memory module is not present.• Size—The size of the memory module, in MB.

• Maximum Frequency—The maximum frequency at which the memory module can operate.

• Minimum Voltage—The minimum voltage at which the memory module can operate.

• Ranks—The number of ranks in the memory module.

• Technology—The memory module technology. Possible values are as follows:

Unknown—Memory technology cannot be determined.◦

◦ N/A—Memory module is not present.

◦ Fast Page

◦ EDO

◦ Burst EDO

◦ Synchronous

◦ RDRAM

◦ RDIMM

◦ UDIMM

◦ LRDIMM

Viewing network informationThe NIC Information page displays read-only information about the integrated NICs.

To view NIC information, navigate to the Information→System Information page, and then clickthe Network tab, as shown in Figure 35 (page 98).




Figure 35 System Information – NIC Information page


• Device Type—The device type is one of the following:

iLO 4—This device type is typically assigned to the iLO Dedicated Network Port. However,the iLO port might be disabled or configured as the Shared Network Port. Using the

◦

Shared Network Port enables you to manage the system by using iLO through the systemNIC instead of the dedicated management NIC. Users who have the Configure iLOSettings privilege can change these settings on the Administration→Network page.

◦ NIC—This device type indicates NIC or LAN adapter components embedded in the serveror added after manufacturing. Because system NICs are directly available to the serverhost operating system, the iLO firmware is cannot directly obtain current IP addresses (orother configuration settings) for these devices.

• Network Port—The configured network port.

• MAC Address—The port MAC address.

• IP Address—The host IP address.

NOTE: The Agentless Management Service is required to display the host IP address.

• Description—A description of the NIC.• Status—The NIC status.

Viewing storage informationThe Storage Information page displays information about Smart Array controllers, drive enclosures,the attached logical drives, and the physical drives that constitute the logical drives.

To view storage information, navigate to the Information→System Information page, and thenclick the Storage tab, as shown in Figure 36 (page 99).

To expand or collapse the data, click Expand All or Collapse All, respectively.

98 Using iLO



Figure 36 System Information – Storage Information page

A description of each section on the Storage Information page follows.

Controllers

This section provides information about the Smart Array controllers.

The top-level controller status is a combination of the controller hardware status and the status ofcache modules, enclosures, and physical, logical, and spare drives associated with the controller.If the controller hardware status is OK , and any associated hardware has a failure, the top-levelcontroller status changes to Major Warning or Degraded, depending on the failure type. If thecontroller hardware is in a Failed state, the top-level controller status is Failed.

• Controller location—Slot number or system board

• Controller status—Controller hardware status (OK or Failed)

• Controller serial number

• Controller model name and number

• Controller firmware version

• Cache module status

• Cache module serial number

• Cache module memory




Drive Enclosures

This section provides the following information about the drive enclosures attached to a Smart Array controller:

• Enclosure port and box numbers

• Enclosure status

• Number of drive bays

• Serial number• Model number

• Firmware version

Some enclosures do not have all the listed properties, and some storage configurations do nothave drive enclosures.

Logical Drives

This section provides the following details about logical drives attached to a Smart Array controller:

• Logical drive number

•

Logical drive status• Logical drive capacity

• Fault tolerance

NOTE: Logical drives must be configured through the HP Array Configuration Utility before theycan be displayed on this page. For more information, see the Configuring Arrays on HP Smart

Array Controllers Reference Guide .

Physical Drives

This section provides the following details about the physical drives that constitute a logical drive:

When a physical drive has a failed status, this status does not affect the overall storage healthstatus. Only logical drives affect the storage health status.

• Physical drive port, box, and bay numbers

• Physical drive status

• Physical drive serial number

• Physical drive model number

• Physical drive capacity

• Physical drive location

• Physical drive firmware version

• Physical drive configuration

Viewing firmware informationThe Firmware Information page displays firmware information for various server components. Foreach component, the page shows the component name and the installed firmware version.

To view firmware information, navigate to the Information→System Information page, and thenclick the Firmware tab, as shown in Figure 37 (page 101).

100 Using iLO



Figure 37 System Information – Firmware Information page


• Firmware Name—The name of the firmware.

The firmware types listed on this page will vary based on the server model and configuration.

For most servers, the HP ProLiant System ROM and the iLO firmware are listed. Other possiblefirmware options include the Power Management Controller, Server Platform Services, HPSmartArray, and networking adapters.

To view firmware information for hard drives, see the“Viewing storage information” (page 98)page.

• Firmware Version—The version of the firmware.

Using the iLO Event LogThe iLO Event Log provides a record of significant events detected by iLO. Logged events includemajor server events such as a server power outage or a server reset, and iLO events such asunauthorized login attempts. Other logged events include successful or unsuccessful browser andRemote Console logins, virtual power and power-cycle events, clearing the log, and someconfiguration changes, such as creating or deleting a user.

iLO provides secure password encryption, tracking all login attempts and maintaining a record ofall login failures. The Authentication Failure Logging setting allows you to configure logging criteriafor failed authentications. The log captures the client name for each logged entry to improveauditing capabilities in DHCP environments, and records the account name, computer name, andIP address.

Earlier versions of iLO firmware might not support events logged by later versions of iLO firmwareIf an unsupported firmware version logs an event, the event is listed as UNKNOWN EVENT TYPE.You can clear the event log to eliminate these entries, or update the firmware to the latest supportedversion.

Viewing the iLO Event LogTo view the iLO Event Log, navigate to the Information→iLO Event Log page, as shown in Figure 38

(page 102).

Using the iLO Event Log 101



Figure 38 iLO Event Log page

The iLO Event Log displays the following information:

• Severity—The importance of the detected event. Move the cursor over the severity icon to viewa tooltip description.

Possible values are as follows:

◦ Informational—The event provides background information.

◦ Caution—The event is significant but does not indicate performance degradation.

◦ Degraded—A subsystem is not operating properly, but the event does not indicate aservice outage.

◦ Critical—The event indicates a service loss or imminent service loss. Immediate attentionis needed.

• Class—The component or subsystem that identified the logged event.

• Last Update—The date and time, as reported by the server clock, when the latest event of thistype occurred. This field is based on the date and time stored by iLO.

The iLO date and time can be synchronized via the following:

◦ System ROM (during POST)

◦ Insight Management Agents (in the OS)

◦ SNTP setting (in iLO)

◦ SNTP setting in OA (Blade servers only)

If iLO did not recognize the date and time when an event was updated, [NOT SET] isdisplayed.

102 Using iLO



• Initial Update—The date and time, as reported by the server clock, when the first event of thistype occurred. This field is based on the date and time stored by iLO.

The iLO date and time can be synchronized via the following:





If iLO did not recognize the date and time when the event was first created, [NOT SET] isdisplayed.

• Count—The number of times this event has occurred. When frequently occurring errors arereported, they are identified as the same or similar errors. When the same event occurs again,the Count and Last Update fields are updated.

• Description—A description of the recorded event. The description identifies the componentand detailed characteristics of the event. If the iLO firmware is rolled back to an earlier version,the description UNKNOWN EVENT TYPE might be displayed for events recorded by the newer

firmware. You can resolve this issue by updating the firmware to the latest supported version,or by clearing the event log.

Saving the iLO Event LogTo save iLO Event Log information:

1. Click the View CSV button.

The event log information is displayed in a format that you can copy and paste into a texteditor, as shown in Figure 39 (page 103).

Figure 39 CSV Output window

2. Copy the text displayed in the CSV Output window, and save it in a text editor as a *.csvfile.

3. Click Exit to close the window.

Using the iLO Event Log 103



Clearing the iLO Event LogTo clear the event log of all previously logged information:

1. Click Clear Event Log.


Are you sure you want to clear the iLO Event Log?

2. Click OK .

The following event is recorded:Event log cleared by <user name>.

Using the Integrated Management LogThe Integrated Management Log is a record of historical events that have occurred on the server.Events are generated by the system ROM and by services such as the iLO health driver. Loggedevents include all server-specific events recorded by the system health driver, including operatingsystem information and ROM-based POST codes.

Entries in the IML can help you to diagnose issues or identify possible issues before they occur.Preventative action might be recommended to avoid possible disruption of service. iLO manages

the IML, which you can access through a supported browser, even when the server is off. Theability to view the event log even when the server is off can be helpful when you are troubleshootingremote host server issues.

The following list shows examples of the types of information that the iLO processor records in theIML:

• Fan inserted

• Fan removed

• Fan failure

• Fan degraded

• Fan repaired• Fan redundancy lost

• Fans redundant

• Power supply inserted

• Power supply removed

• Power supply failure

• Power supplies redundancy lost

• Power supplies redundant

•

Temperature over threshold• Temperature normal

• Automatic shutdown started

• Automatic shutdown canceled

• Drive failure

Viewing the IMLTo view the IML, navigate to the Information→Integrated Management Log page, as shown inFigure 40 (page 105).

104 Using iLO



Figure 40 Integrated Management Log page

The log displays the following information:

• Severity—The importance of the detected event. Move the cursor over the severity icon to viewa tooltip description.

Possible values are as follows:

◦ Informational—The event provides background information.

◦ Caution—The event is significant but does not indicate performance degradation.

◦ Degraded—A subsystem is not operating properly, but the event does not indicate a

service outage.◦ Critical—The event indicates a service loss or an imminent service loss. Immediate attention

is needed.

◦ Repaired—A Caution, Degraded, or Critical event has undergone corrective action.

• Class—Identifies the component or subsystem that identified the logged event.

• Last Update—The date and time, as reported by the server clock, when the latest event of thistype occurred. This field is based on the date and time stored by iLO.

The iLO date and time can be synchronized through the following:

◦

System ROM (during POST)◦ Insight Management Agents (in the OS)



If iLO did not recognize the date and time when an event was updated, [NOT SET] isdisplayed.

Using the Integrated Management Log 105



• Initial Update—The date and time, as reported by the server clock, when the first event of thistype occurred. This field is based on the date and time stored by iLO.

The iLO date and time can be synchronized through the following:





If iLO did not recognize the date and time when the event was first created, [NOT SET] isdisplayed.

• Count—The number of times this event has occurred. When frequently occurring errors arereported, they are identified as the same or similar errors. When the same event occurs again,the Count and Last Update fields are updated.

• Description—A description of the recorded event. The description identifies the componentand detailed characteristics of the event. If the iLO firmware is rolled back, the descriptionUNKNOWN EVENT TYPE might be displayed for events recorded by the newer firmware. You

can resolve this issue by updating the firmware to the latest supported version, or by clearingthe log.

Marking a log entry as repairedUse this feature to change the status of an IML log entry from Critical or Caution status to Repaired.You must have the Configure iLO privilege to use this feature.

When a Critical or Caution event is reported in the IML log:

1. Investigate and repair the issue.2. Navigate to the Information→Integrated Management Log page.3. Select the log entry.

4. Click Mark as Repaired.The iLO web interface refreshes, and the selected log entry status changes to Repaired.

Adding a maintenance note to the IMLUse the maintenance note feature to create a log entry that logs information about maintenanceactivities such as component upgrades, system backups, periodic system maintenance, or softwareinstallations. You must have the Configure iLO Settings privilege to use this feature.

1. Navigate to the Information→Integrated Management Log page.2. Click Add Maintenance Note.

The Enter Maintenance Note window opens, as shown in Figure 41 (page 106).

Figure 41 Enter Maintenance Note window

106 Using iLO



3. Enter the text that you want to add as a log entry, and then click OK .

You can enter up to 227 bytes of text. You cannot submit a maintenance note without enteringsome text.

An informational log entry with the class Maintenance is added to the IML.

Saving the IMLTo save the IML information:

1. Click the View CSV button.The IML information is displayed in a format that you can copy and paste into a text editor.

2. Copy the text displayed in the CSV Output window, and save it in a text editor as a *.csvfile.

3. Click Exit to close the window.

Clearing the IMLTo clear the IML of all previously logged information:

1. Click Clear IML.

The following message appears: Are you sure you want to clear the Integrated Management Log?

2. To confirm that you want to clear the IML, click OK .

The following event is recorded:

IML Cleared by <user name>.

You can also clear the IML from the server System Management home page.

Using the HP Active Health SystemThe HP Active Health System monitors and records changes in the server hardware and system

configuration. It assists in diagnosing problems and delivering rapid resolution when system failuresoccur. HP Active Health System does not collect information about your operations, finances,customers, employees, partners, or data center (for example, IP addresses, host names, user names,and passwords).

By downloading and sending the Active Health System data to HP, you agree to have HP use thedata for analysis, technical resolution, and quality improvements. The data that is collected ismanaged according to the HP Privacy Statement: http://www.hp.com/go/privacy.

Examples of data that is collected follow:

• Server model

• Serial number

• Processor model and speed• Storage capacity and speed

• Memory capacity and speed

• Firmware/BIOS

NOTE: The HP Active Health System does not parse or change operating system data fromthird-party error event log activities (for example, content created or passed through by the operatingsystem).

The Active Health System log holds up to 1 GB of data. When this limit is reached, new dataoverwrites the oldest data in the log.

Using the HP Active Health System 107

http://www.hp.com/go/privacy

http://www.hp.com/go/privacy



You can download the Active Health System log manually and send it to HP. To download thelog, use iLO, Intelligent Provisioning, or the Active Health System download CLI. For moreinformation, see “Downloading the Active Health System log for a date range” (page 108), the HP Intelligent Provisioning User Guide , or the HP ProLiant Gen8 Troubleshooting Guide, Volume I:Troubleshooting.

Downloading the Active Health System log for a date rangeUse the following procedure to download the Active Health System log for a date range.

A video demonstration of this procedure is available at http://www.hp.com/go/ilo/videos.

1. Navigate to the Information→ Active Health System Log page, as shown in Figure 42 (page 108).

Figure 42 Active Health System Log page

2. Enter the range of days to include in the log.

The default setting is to include log information for the last 7 days. Click Reset range to default

values to reset the dates.

NOTE: When you download the log file by using the default settings, the typical file size isapproximately 10 MB.

a. Click the From box.

A calendar is displayed.

b. Select the range start date on the calendar.c. Click the To box.

A calendar is displayed.

d. Select the range end date on the calendar.

108 Using iLO

http://www.hp.com/go/ilo/videos




4. Click Download Entire Log.

A dialog box prompts you to open or save the file.

5. Click Save.

A dialog box prompts you to choose a file location.

6. Specify a file location and file name, and then click Save.7. If you have an open case with HP Support, you can email the Active Health System log file

to [email protected].

Use the following convention for the email subject: <CASE:XXXXXXXXXX >, where XXXXXXXXXX represents your HP Support case number.

NOTE: You must compress log files larger than 15 MB before sending them to HP Support.Files larger than 15 MB must be uploaded to an FTP site. If needed, contact HP Support forFTP site information.

Clearing the Active Health System logIf the log file is corrupted, or if you want to clear and restart logging, use the following procedureto clear the Active Health System log:

1. Navigate to the Information→ Active Health System log page, as shown in Figure 42 (page 108).2. Click Show Advanced Settings.3. Click the Clear button.


Are you sure that you want to clear the entire Active Health Systemlog?

4. Click OK .

The following message appears at the top of the page:

The AHS Log is being cleared and it may take several minutes. Please

press the Refresh button to reload this page.5. Reset iLO.

For instructions, see “Using iLO diagnostics” (page 110).

You must reset iLO after clearing the Active Health System log. Some Active Health Systemdata is recorded to the log only during iLO start-up. Resetting iLO ensures that a complete setof data is available in the log.

Using iLO diagnosticsThe Diagnostics page displays iLO self-test results and allows you to reset iLO, generate an NMIto the system, or configure redundant ROM.

To view iLO diagnostics information, navigate to the Information→Diagnostics page, as shown inFigure 43 (page 111).

110 Using iLO



Figure 43 Diagnostics page

The Diagnostics page contains the following sections:

• iLO Self-Test Results—This section displays the results of internal iLO diagnostics.

The status of each self-test is listed in the Status column. Move the cursor over the status iconsto view a tooltip description. If a status has not been reported for a test, the test is not listed.

The tests that are run are system dependant. Not all tests are run on all systems. View the liston the Diagnostics page to verify which tests are performed on your system.

A test might include additional information in the Notes column. Notes are used to show theversions of other system programmable logic, such as the System Board PAL or the PowerManagement Controller.

• Reset iLO—This section contains the Reset button, which enables you to reboot the iLOprocessor. Using Reset does not make any configuration changes, but ends any activeconnections to iLO and interrupts any firmware updates in progress. You must have the

Configure iLO privilege to use this feature.• Non-Maskable Interrupt (NMI) button—This section contains the Generate NMI to System

button, which enables you to stop the operating system for debugging.

CAUTION: Generating an NMI as a diagnostic and debugging tool is primarily used whenthe operating system is no longer available. NMI is not used during normal operation of theserver. Generating an NMI crashes the operating system, resulting in lost service and data.The Generate NMI to System button does not gracefully shut down the operating system.

The Virtual Power and Reset privilege is required to generate an NMI. An unexpected NMItypically signals a fatal condition on the host. A bluescreen, panic, ABEND, or other fatalexception occurs when the host operating system receives an unexpected NMI, even whenthe operating system is unresponsive or locked up.

Using iLO diagnostics 111



The following information is listed on the Location Discovery Services page:

• Platform Type—The server type.

• Discovery Rack Support—Whether the rack supports Location Discovery Services.

• Discovery Data Error —Whether there was an error during discovery.

• Tag Version—The rack tag version number.

• Rack Identifier —The rack identifier.

• Rack Location Discovery Product Part Number —The rack part number.

• Rack Location Discovery Product Description—The rack product name.

• Rack U Height—The rack height in U rack units. Possible values are between 1 and 50.

• U Position—The vertical U position value, which indicates the rack U where the device isinstalled. Possible values are between 1 and 50.

• U Location—The side of the rack where the device is installed. Possible values are Back, Front(default), Left, and Right.

• Server UUID—The Universally Unique Identifier of the server.

Additional fields are listed depending on the server type.

DL and ML server-specific data:

• Server U Height—The server height in U rack units. Possible values are between 1.00 and50.00.

• Contacts position U offset—Possible values are between 1 and 50.

Using the Insight Management AgentsThe HP Insight Management Agents support a browser interface for access to run-time managementdata through the HP System Management Homepage. The HP System Management Homepage isa secure web-based interface that consolidates and simplifies the management of individual serversand operating systems. By aggregating data from HP Insight Management Agents and othermanagement tools, the System Management Homepage provides an intuitive interface to reviewin-depth hardware configuration and status data, performance metrics, system thresholds, andsoftware version control information.

The agents can automatically provide the link to iLO, or you can manually enter the link on the Administration→Management page.

For more information, see: http://www.hp.com/servers/manage.

Click the Insight Agent button to open the HP System Management Homepage.

Using the iLO Remote ConsoleiLO Remote Console redirects the host server console to the network client browser, providing fulltext (standard) or graphical mode video, keyboard, and mouse access to the remote host server(if licensed). iLO uses virtual KVM technology to improve Remote Console performance.

With Remote Console access, you can observe POST boot messages as the remote host serverrestarts, and initiate ROM-based setup routines to configure the remote host server hardware.

When you are installing operating systems remotely, the graphical Remote Consoles (if licensed)enable you to view and control the host server monitor throughout the installation process.

Remote Console access gives you full control over a remote host server as if you were in front ofthe system, including access to the remote file system and network drives. The Remote Consoleenables you to change hardware and software settings for the remote host server, install applicationsand drivers, change screen resolution of the remote server, and gracefully shut down the remoteserver.

Using the Insight Management Agents 113

http://www.hp.com/servers/manage

http://www.hp.com/servers/manage



iLO includes the Integrated Remote Console (.NET and Java) and text-based Remote Console. Forinformation about each option, see:

• “Using the Integrated Remote Console” (page 114)

• “Using the text-based Remote Console” (page 123)

Remote Console licensingBladeSystems ship with the iLO Standard for BladeSystem license, which includes Remote Console

access (pre-OS and OS).Non-blade servers ship with the iLO Standard license, which does not include Remote Consoleaccess after server POST. When the server starts to boot the operating system on these servers,iLO displays a message that indicates the need for an iLO license. For more information about iLOLicensing visit the following webpage: http://www.hp.com/go/ilo/licensing.

Using the Integrated Remote Console.NET IRC and Java IRC are graphical remote consoles that turn a supported browser into a virtualdesktop, allowing full control over the display, keyboard, and mouse of the host server. Using theRemote Console also provides access to the remote file system and network drives. Use the .NETIRC or Java IRC to change the hardware and software settings of the remote host server, installapplications and drivers, change remote server screen resolution, or gracefully shut down theremote server.

iLO provides the following Integrated Remote Console access options:

• .NET IRC—Provides access to the system KVM, allowing control of Virtual Power and VirtualMedia from a single console through using a supported browser on a Microsoft Windowsclient. In addition to the standard features, the .NET IRC supports Console Capture, SharedConsole, Virtual Folder, and Scripted Media.

• Java IRC—Provides access to the system KVM, allowing control of Virtual Power and VirtualMedia from a Java-based console. In addition to the standard features, the Java IRC includesthe iLO disk image tool.

• Standalone Remote Console (HPLOCONS)—Provides full iLO Integrated Remote Consolefunctionality directly from your Windows desktop, without going through the iLO web interface.HPLOCONS has the same functionality and requirements as the .NET IRC application that islaunched from the iLO web interface.

A video demonstration of the standalone Remote Console is available at http://www.hp.com/go/ilo/videos.

• iLO Mobile app for iOS and Android devices—Provides Integrated Remote Console accessfrom your supported mobile phone or tablet. For more information, see http://www.hp.com/go/ilo/mobileapp.

Up to 10 users can to log in to iLO simultaneously. However, only four users can access a shared

.NET IRC session. If you attempt to open the Remote Console while it is in use, a warning messageindicates that another user is using it. To view the Remote Console session that is in progress, followthe instructions in “Using Shared Remote Console (.NET IRC only)” (page 119). To take control ofthe session, follow the instructions in “Acquiring the Remote Console” (page 117).

NOTE: For a list of supported browsers, see the HP iLO 4 Release Notes or http://www.hp.com/go/compareilo.

114 Using iLO

















.NET IRC requirements

• The .NET IRC requires the Microsoft .NET Framework 3.5. The .NET Framework 3.5 is standardon Windows 7 but must be installed on earlier versions of Windows. You can use WindowsUpdate to install the .NET Framework 3.5.

For Internet Explorer users only: The .NET Version Detected table on the iLO Integrated RemoteConsole page lists the installed .NET version and indicates whether it can run the .NET IRC.To view information related to the .NET Framework version, click the reports link above the

.NET Version Detected table.• The .NET IRC is launched using Microsoft ClickOnce, which is part of the .NET Framework.

ClickOnce requires that any application installed from an SSL connection be from a trustedsource. If a browser is not configured to trust an iLO, and the Integrated Remote Console TrustSetting is set to Enabled, ClickOnce displays the following error message:

Cannot Start Application - Application download did not succeed....

For instructions on configuring the Remote Console Trust Setting, see “Configuring IntegratedRemote Console Trust Settings (.NET IRC)” (page 60).

IMPORTANT: Mozilla Firefox requires an add-on to launch a ClickOnce application. Youcan launch the .NET IRC from a supported version of FireFox by using a ClickOnce plug-in

such as the Microsoft .NET Framework Assistant. You can download the .NET Framework Assistant from https://addons.mozilla.org/en-US/firefox/addon/microsoft-net-framework-assist/.

Google Chrome requires an add-on to launch a ClickOnce application. You can launch the.NET IRC from a supported version of Chrome by using the ClickOnce plug-in for the Chromebrowser. You can download this plug in from http://code.google.com/p/clickonceforchrome/.

Java IRC requirements

Java IRC runs with all operating systems and browsers that iLO supports. Navigate to the RemoteConsole→ Java page to view the supported Java versions or to download Java. See Figure 44

(page 115).

Figure 44 Remote Console – Java page

NOTE: For a list of supported browsers, see the HP iLO 4 Release Notes or http://www.hp.com/

go/compareilo.

Using the iLO Remote Console 115

https://addons.mozilla.org/en-US/firefox/addon/microsoft-net-framework-assist/


http://code.google.com/p/clickonceforchrome/





http://code.google.com/p/clickonceforchrome/





Recommended client settings

Ideally, the remote server display resolution is the same or lower than that of the client computer.Higher resolutions transmit more information, reducing the overall performance.

Use the following client and browser settings to optimize performance:

• Display properties

Select an option greater than 256 colors.◦

◦ Select a screen resolution higher than that of the remote server.

◦ Linux X Display properties—Set the font size to 12 on the X Preferences screen.

• Mouse properties

Set the mouse pointer speed to the middle setting.◦

◦ Set the mouse pointer acceleration to low or disable it.

Recommended server settings

For all servers, note the following:

• To optimize performance, set the server display properties to use a plain background (nowallpaper pattern), and set the server mouse properties to disable pointer trails.

• To display the entire host server screen in the client Remote Console window, select a serverdisplay resolution that is less than or equal to that of the client.

For Red Hat Linux and SUSE Linux servers only, note the following: To optimize performance, setthe value for server mouse properties pointer acceleration to 1x. For KDE, access the Control Center ,select Peripherals/Mouse, and then click the Advanced tab.

Starting the Remote Console

To start the Remote Console:

116 Using iLO



1. Navigate to the Remote Console — iLO Integrated Remote Console page.

Figure 45 Integrated Remote Console launch page

2. Verify that your system meets the requirements for using the .NET IRC or Java IRC.

3. Click the Launch button for the Remote Console that you want to use.

Acquiring the Remote Console

If another user is working in the Remote Console, you can acquire it from them.

To acquire the Remote Console:




1. Start the .NET IRC or Java IRC.

The system notifies you that another user is working in the Remote Console, as shown inFigure 46 (page 118).

Figure 46 Acquiring the Remote Console

2. Click the Acquire button.

The other user is prompted to approve or deny permission to acquire the Remote Console. Ifthere is no response in 10 seconds, permission is granted.

Using the Remote Console power switch

To use the power switch, select one of the following options from the power switch menu:

NOTE: The Press and Hold, Reset, and Cold Boot options are not available when the server ispowered down.

• Momentary Press—Provides behavior identical to pressing the physical power button. If aserver is powered off, a momentary press will turn the server power on.

Some operating systems might be configured to initiate a graceful shutdown after a momentarypress, or might be configured to ignore this event. HP recommends completing a graceful OSshutdown by using system commands before you attempt to shut down by using the virtualpower button.

• Press and Hold—Provides behavior identical to pressing the physical power button for 5seconds and then releasing it.

This option provides the ACPI-compatible functionality that some operating systems implement.These operating systems behave differently depending on a short press or long press. Systempower is powered off as a result of this operation. Using this option might circumvent thegraceful shutdown features of the operating system.

118 Using iLO



• Cold Boot—Immediately removes power from the system. Processors, memory, and I/Oresources lose main power. The system will restart after approximately 6 seconds. Using thisoption circumvents the graceful shutdown features of the operating system.

• Reset—Forces a system to warm-boot: CPUs and I/O resources are reset. Using this optioncircumvents the graceful shutdown features of the operating system.

Using iLO Virtual Media from the Remote Console

For instructions on using the Virtual Media feature from the Remote Console, see “Using iLO VirtualMedia from the Remote Console” (page 132).

Using Shared Remote Console (.NET IRC only)

Shared Remote Console allows the connection of up to four sessions on the same server. Thisfeature can be used for activities such as training and troubleshooting.


The first user to initiate a Remote Console session connects to the server normally and is designatedas the session leader (session host). Any subsequent user who is requesting Remote Console accessinitiates an access request for a satellite client connection. A dialog box for each access request

opens on the session leader's desktop, identifying the requester's user name and DNS name (ifavailable) or IP address. The session leader can grant or deny access. If there is no response,permission is automatically denied.

Shared Remote Console does not support passing the session leader designation to another user,or reconnecting a user after a failure. You must restart the Remote Console session to allow useraccess after a failure.

During a shared Remote Console session, the session leader has access to all Remote Consolefeatures, whereas all other users can access only the keyboard and mouse. Satellite clients cannotcontrol Virtual Power or Virtual Media.

iLO encrypts Remote Console sessions by authenticating the client first, and then the session leader

determines whether to allow new connections.Using Console Capture (.NET IRC only)

Console Capture allows you to record and play back video streams of events such as start-up, ASRevents, and sensed operating system faults. The Server Startup and Server Prefailure sequencesare automatically captured by iLO. You can manually start and stop the recording of console video.


When you are using Console Capture, note the following:

• Console Capture is supported with the .NET IRC. It is not supported with the Java IRC.

• Console Capture is available only through the .NET IRC. It cannot be accessed through XMLscripting or the CLP.

• The Server Startup and Server Prefailure sequences are not automatically captured duringfirmware upgrades or while the Remote Console is in use.

• Server Startup and Server Prefailure sequences are automatically saved in the iLO memory.They will be lost during firmware upgrades, iLO reset, and power loss. You can save thecaptured video to your local drive by using the .NET IRC.

• The Server Startup file starts capturing when server start-up is detected, and stops when it runsout of space. This file is overwritten each time the server starts.








• The Server Prefailure file starts capturing when the Server Startup file is full, and stops wheniLO detects an ASR event. The Server Prefailure file is locked when iLO detects an ASR event.The file is unlocked and can be overwritten after it is downloaded via the .NET IRC.

• The Console Capture control buttons are located on the bottom of the .NET IRC session window.The following table explains the playback controls used for viewing a captured video.

Table 12 Playback controls

FunctionNameControl

Restarts playback from the beginning of the fileSkip to Start

Pauses the playbackPause

Starts playback if the currently selected file is notplaying or is paused

Play

Records your .NET IRC sessionRecord

Shows the progress of the video sessionProgress Bar

Viewing Server Startup and Server Prefailure sequences

1. Start the .NET IRC.2. Press the Play button.

The Playback Source dialog box opens, as shown in Figure 47 (page 120).

Figure 47 Playback Source dialog box

3. Select Server Startup or Server Prefailure.4. Click Start.

Saving Server Startup and Server Prefailure video files1. Start the .NET IRC2. Press the Play button.3. Select Server Startup or Server Prefailure.4. Click Start.5. Press the Play button again to stop playback.

The Save Capture dialog box opens, as shown in Figure 48 (page 121).

120 Using iLO



Figure 48 Save Capture dialog box

6. Click Yes, and then follow the onscreen instructions to save the file.

Capturing video files

You can use Console Capture to manually capture video files of sequences other than Server Startupand Server Prefailure.

1. Start the .NET IRC.2. Click the Record button.3. The Save Video dialog box opens.4. Enter a file name and save location, and then click Save.5. When you are finished recording, press the Record button again to stop recording.

A video demonstration of this procedure is available at http://www.hp.com/go/ilo/videos.

Viewing saved video files

1. Start the .NET IRC.2. Press the Play button.

The Playback Source dialog box opens.

3. Click the magnifying glass icon next to the From File box.4. Navigate to a video file, and then click Open.

Video files captured in the Remote Console have the file type .ilo.

5. Click Start. A video demonstration of this procedure is available at http://www.hp.com/go/ilo/videos.

Creating Remote Console hot keys

The Program Remote Console Hot Keys page allows you to define up to six hot keys to use duringRemote Console sessions. Each hot key represents a combination of up to five different keys thatare sent to the host machine when the hot key is pressed. Hot keys are active during RemoteConsole sessions that use .NET IRC, Java IRC, and the text-based Remote Console.

If a hot key is not set—for example, Ctrl+V is set to NONE, NONE, NONE, NONE, NONE—thefunctionality for this hot key is disabled. The server OS will interpret Ctrl+V as it usually does (paste,

in this example). If you set the Ctrl+V hot key to use another combination of keys, the server OSwill use the key combination set in iLO (losing the paste functionality).

Example 1: If you want to send Alt+F4 to the remote server, but pressing that key combinationcloses your browser, you can configure the hot key Ctrl+X to send the Alt+F4 key combination tothe remote server. After you configure the hot key, press Ctrl+X in the Remote Console windowwhenever you want to use Alt+F4 on the remote server.

Example 2: If you want to create a hot key by using the international AltGR key, use R_ALT in thekey list.

Creating a hot key

You must have the Configure iLO Settings privilege to create hot keys.








Table 13 Available keys (continued)

wb,TAB

xc-BREAK

yd.BACKSPACE

ze /NUM PLUS

f0NUM MINUS

3. Click Save Hot Keys.


Remote Console Hot Keys settings successful.

Resetting hot keys

Resetting the hot keys clears all current hot-key assignments.

1. Navigate to the Remote Console→Hot Keys page.2. Click Reset Hot Keys.3. The following message appears:

Are you sure you want to reset all hot keys?

4. Click OK .


Remote Console Hot Keys settings successful.

Troubleshooting

• The Java IRC is a signed Java applet. If you do not accept the Java IRC applet certificate, the Java IRC will not work (a red X is displayed in the Java IRC window).

• The Java IRC experiences a slight delay when the Java applet first loads in your browser.

• Exit the .NET IRC or Java IRC by closing the window or clicking the Close button.

• The UID blinks when a .NET IRC or Java IRC session is active.

• View your user settings to determine whether you have the Remote Console privilege.

• Select Administration→Licensing to determine whether a license is installed.

• The .NET IRC or Java IRC is suitable for high-latency (modem) connections.

• Do not run the .NET IRC or Java IRC from the host operating system on the server that containsthe iLO management processor.

• HP recommends that users who log in to a server through the .NET IRC or Java IRC log out

before closing the .NET IRC or Java IRC.• Pop-up blocking applications prevent the .NET IRC or Java IRC from running, so you must

disable them before starting a .NET IRC or Java IRC session. In some cases, you can Ctrl+clickthe .NET IRC or Java IRC link to bypass the pop-up blocker and launch the .NET IRC or JavaIRC.

Using the text-based Remote ConsoleiLO supports a true text-based Remote Console. Video information is obtained from the server, andthe contents of the video memory are sent to the management processor, compressed, encrypted,and forwarded to the management client application. iLO uses a screen-frame buffer that detectschanges in text information, encrypts the changes, and sends the characters (including screen

positioning information) to text-based client applications. This method ensures compatibility with




GRUB to use the Virtual Serial Port, modify the GRUB configuration file to look like the following(Red Hat Linux example shown):

serial -unit=0 -speed=115200terminal -timeout=10 serial consoledefault=0timeout=10#splashimage=(hd0,2)/grub/splash.xpm.gztitle Red Hat Linux (2. 6.18-164.e15)root (hd0,2)

9kernel /vmlinuz-2. 6.18-164.e15 ro root=/dev/sda9 console=tty0, 115200,initrd /initrd-2. 6.18-164.e15.img

After Linux is fully booted, a login console can be redirected to the serial port. The /dev/ttyS0and /dev/ttyS1 devices, if configured, enable you to obtain serial TTY sessions through the

Virtual Serial Port. To begin a shell session on a configured serial port, add the following line tothe /etc/inittab file to start the login process automatically during system boot (this exampleinitiates the login console on /dev/ttyS0):

Sx:2345:respawn:/sbin/agetty 115200 ttyS0 vt100

For more information about configuring Linux for use with the Virtual Serial Port, see the technicalpublication iLO Virtual Serial Port configuration and operation HOWTO on the HP website.

Windows EMS Console

The Windows EMS Console, if enabled, allows you to perform emergency management serviceswhen video, device drivers, or other operating system features prevent normal operation andnormal corrective actions from being performed.

iLO enables you to use EMS over the network through a web browser. Microsoft EMS enables youto display running processes, change the priority of processes, and halt processes. You can usethe EMS Console and the iLO Remote Console at the same time.

The Windows EMS serial port must be enabled through the host system RBSU. The configurationallows enabling or disabling the EMS port, and the selection of the COM port. The iLO systemautomatically detects whether the EMS port is enabled or disabled, and it automatically detectsthe selection of the COM port.To obtain the SAC> prompt, you might have to press Enter after connecting through the VirtualSerial Port console.

For more information about using the EMS Console, see the Windows documentation.

Text-based console after POST

iLO Text Console after POST is a text-based console accessible from SSH after POST. When youare using SSH, the data stream, including authentication credentials, is protected by the encryptionmethod that the SSH client and iLO use.


iLO Licensing visit the following webpage: http://www.hp.com/go/ilo/licensing.The presentation of colors, characters, and screen control depends on the client that you are using,which can be any standard SSH client compatible with iLO. Features and support include thefollowing:

• Display of text-mode screens that are 80x25 (standard color configurations), including:

System boot process (POST)◦

◦ Standard Option ROMs

◦ Text boot loaders (LILO or GRUB)

◦ Linux operating system in VGA 80x25 mode






◦ DOS

◦ Other text-based operating systems

• International language keyboards (if the server and client systems have a similar configuration)

• Line-drawing characters when the correct font and code-page are selected in the clientapplication

Using iLO Text ConsoleTo start an iLO Text Console session:

1. Start an SSH session to iLO.

Make sure that the terminal application character encoding is set to Western (ISO-8859-1).

2. Log in to iLO.3. At the prompt, enter textcons.

A message appears and indicates that the iLO Text Console software is initiating.

To exit iLO Text Console and return to the CLI session, press Esc+Shift+9.

Customizing iLO Text Console

When you are starting iLO Text Console, you can use the textcons command options andarguments to customize the display. In general, you do not need to change these options.

• Controlling the rate of sampling

Use the textcons speed option to indicate, in milliseconds, the time between each samplingperiod. A sampling period is when the iLO firmware examines screen changes and updatesiLO Text Console. Adjusting the speed can alleviate unnecessary traffic on long or slow networklinks, reduce bandwidth used, and reduce iLO CPU time. HP recommends that you specify avalue between 1 and 5000 (1 ms to 5 seconds). For example:

textcons speed 500

• Controlling smoothingiLO attempts to transmit data only when it changes and becomes stable on the screen. If aline of the text screen is changing faster than iLO can sample the change, the line is nottransmitted until it becomes stable.

When an iLO Text Console session is active, the data is displayed rapidly and is essentiallyindecipherable. If the data is transmitted by iLO across the network, it consumes bandwidth.The default behavior is smoothing (delay 0), which transmits data only when the changesbecome stable on the screen. You can control or disable smoothing by using the delay option.For example:

textcons speed 500 delay 10

• Configuring character mappingUnder the ASCII character set, CONTROL characters (ASCII characters less than 32) are notprintable and are not displayed. These characters can be used to represent items such asarrows, stars, or circles. Some of the characters are mapped to equivalent ASCIIrepresentations. The supported equivalents are listed in Table 14 (page 126).

Table 14 Character equivalents

Mapped equivalentDescriptionCharacter value

Small dot0x07

Sun0x0F

126 Using iLO



Table 14 Character equivalents (continued)

Mapped equivalentDescriptionCharacter value

>Right pointer0x10

<Left pointer0x11

^Up arrow0x18

vDown arrow0x19

<Left arrow0x1A

>Right arrow0x1B

^Up pointer0x1E

vDown pointer0x1F

blank spaceShaded block0xFF

Using Linux with iLO Text Console

You can run an iLO Virtual Serial Port on a Linux system that is configured to present a terminal

session on the serial port. This feature enables you to use a remote logging service. You can logon to the serial port remotely and redirect output to a log file. Any system messages directed tothe serial port are logged remotely.

Some keyboard combinations that Linux requires in text mode might not be passed to iLO TextConsole. For example, the client might intercept the Alt+Tab keyboard combination.

Using iLO Virtual MediaiLO Virtual Media provides a virtual floppy disk drive and CD/DVD-ROM drive, which can beused to boot a remote host server from standard media from anywhere on the network. VirtualMedia devices are available when the host system is booting. Virtual Media devices connect tothe host server by using USB technology.

When you are using Virtual Media, note the following:

• An iLO license key is required to use some forms of Virtual Media. For more information aboutiLO Licensing visit the following webpage: http://www.hp.com/go/ilo/licensing.

• You must have the Virtual Media privilege to use this feature.

• You can use Virtual Media to boot a server.

• Only one of each type of media can be connected at a time.

• Before you use using the iLO Virtual Media feature, review the operating system considerationsin “Virtual Media operating system information” (page 128).

• You can also access the Virtual Media feature by using the .NET IRC or Java IRC, XMLconfiguration and control scripts, or the SMASH CLP.

For information about using Virtual Media through the .NET IRC and Java IRC, see “Using theiLO Remote Console” (page 113).

• If the virtual floppy capability is enabled, the floppy drive normally cannot be accessed fromthe client operating system.

• If the virtual CD/DVD-ROM capability is enabled, the CD/DVD-ROM drive cannot be accessedfrom the client operating system.

CAUTION: To prevent file and data corruption, do not access the local media when youare using it as Virtual Media.

Using iLO Virtual Media 127





Virtual Media operating system informationThis section describes the operating system requirements to consider when you are using the iLO

Virtual Media features.

Operating system USB requirement

To use Virtual Media devices, your operating system must support USB devices, including USBmass storage devices. For more information, see your operating system documentation.

During system boot, the ROM BIOS provides USB support until the operating system loads. BecauseMS-DOS uses the BIOS to communicate with storage devices, utility diskettes that boot DOS willalso function with Virtual Media.

Using Virtual Media with Windows 7

By default, Windows 7 powers off the iLO virtual hub when no Virtual Media devices are enabledor connected during boot. To change this setting, manually override the power management featurein the Windows 7 through the Control Panel so that the virtual hub does not power down.

1. Open Device Manager .2. Select View→Devices by connection.3. Expand Standard Universal PCI to USB Host Controller to display the USB devices, including

the Generic USB Hub.The Generic USB Hub option is the iLO virtual USB hub controller.

4. Right-click Generic USB Hub and select Properties.5. Select the Power Management tab.6. Clear the Allow the computer to turn off this device to save power check box.

Operating system considerations: virtual floppy/USB key

• Boot process and DOS sessions—During the boot process and DOS sessions, the virtual floppydevice appears as a standard BIOS floppy drive (drive A). If a physically attached floppydrive exists, it is unavailable during this time. You cannot use a physical local floppy drive

and a virtual floppy drive simultaneously.• Windows Server 2008 or later —Virtual floppy and USB key drives appear automatically after

Windows recognizes the USB device. Use the virtual device as you would use a locally attacheddevice.

To use a virtual floppy as a driver diskette during a Windows installation, disable the integrateddiskette drive in the host RBSU, which forces the virtual floppy disk to appear as drive A.

To use a virtual USB key as a driver diskette during a Windows installation, change the bootorder of the USB key drive in the system RBSU. HP recommends placing the USB key drivefirst in the boot order.

• Windows Vista—Virtual media does not work correctly on Windows Vista if you are usingInternet Explorer 7 with Protected Mode enabled. If you attempt to use Virtual Media withProtected Mode enabled, various error messages appear, including could not opencdrom (the parameter is incorrect.) To use Virtual Media, select Tools→InternetOptions→Security, clear Enable Protected Mode, and then click Apply. After you disableProtected Mode, close all open browser instances and restart the browser.

• Red Hat and SUSE Linux—Linux supports the use of USB diskette and key drives.

Changing diskettes

When you are using a virtual floppy or USB key drive on a client machine with a physical USBdisk drive, disk change operations are not recognized. For example, if a directory listing is obtained

from a floppy disk, and then the disk is changed, a subsequent directory listing shows the directory

128 Using iLO



listing for the first disk. If disk changes are necessary when you are using a virtual floppy or USBkey, make sure that the client machine contains a non-USB disk drive.

Operating system considerations: virtual CD/DVD-ROM

• MS-DOS—The virtual CD/DVD-ROM is not supported in MS-DOS.

• Windows Server 2008—The virtual CD/DVD-ROM appears automatically after Windows hasrecognized the mounting of the device. Use it as you would use a locally attached

CD/DVD-ROM device.• Linux—The requirements for Red Hat Linux and SLES follow:

Red Hat Linux

On servers that have a locally attached IDE CD/DVD-ROM, the virtual CD/DVD-ROMdevice is accessible at /dev/cdrom1. However, on servers that do not have a locally

◦

attached CD/DVD-ROM, such as BL c-Class blade systems, the virtual CD/DVD-ROM isthe first CD/DVD-ROM accessible at /dev/cdrom.

You can mount the virtual CD/DVD-ROM as a normal CD/DVD-ROM device by usingthe following command:

mount /mnt/cdrom1

◦ SLES

The virtual CD/DVD-ROM can be found at /dev/scd0, unless a USB-connected localCD/DVD-ROM is present. In that case the virtual CD/DVD-ROM uses /dev/scd1.

You can mount the virtual CD/DVD-ROM as a normal CD/DVD-ROM device by usingthe following command:

mount /dev/scd0 /media/cdrom11

For step-by-step instructions, see “Mounting USB Virtual Media CD/DVD-ROM on Linux systems”(page 129).

Mounting USB Virtual Media CD/DVD-ROM on Linux systems1. Access iLO through a browser.2. Start the IRC or Java IRC.3. Select the Virtual Drives menu.4. Select the CD/DVD-ROM to use.5. Mount the drive by using the following commands:

For Red Hat Linux, use the following command:

mount /dev/cdrom1 /mnt/cdrom1

For SLES, use the following command:

mount /dev/scd0 /media/cdrom1

Operating system considerations: Virtual Folder

• Boot process and DOS sessions—The Virtual Folder device appears as a standard BIOS floppydrive (drive A). If a physically attached floppy drive exists, it is unavailable during this time.You cannot use a physical local floppy drive and the virtual folder simultaneously.

• Windows—A Virtual Folder appears automatically after Windows recognizes the mountingof the virtual USB device. You can use the folder the same way that you use a locally attached




device. Virtual folders are nonbootable. Attempting to boot from the virtual folder might preventthe server from starting.

• Red Hat and SLES Linux—Linux supports the use of the Virtual Folder feature. The Virtual Folderfeature uses a FAT 16 file system format.

Using iLO Virtual Media from the iLO web interfaceThe Virtual Media page allows you to perform the following tasks:

• View or change the Virtual Media port.You can also change the port on the Administration→ Access Settings page.

• View or eject local media, including locally stored image files, floppy disks, USB keys,CDs/DVD-ROMs, and virtual folders.

• View, connect, eject, or boot from scripted media. Scripted media refers to connecting imageshosted on a web server by using a URL. iLO will accept URLs in HTTP or HTTPS format. FTP isnot supported.

Viewing and modifying the Virtual Media port

The Virtual Media port specifies the port that iLO uses to listen for incoming local Virtual Media

connections. The default value is 17988.To change the port:

1. Navigate to the Virtual Media→ Virtual Media page, as shown in Figure 50 (page 130).

Figure 50 Virtual Media page

2. Enter a new port number.3. Click Change Port.

The system prompts you to reset iLO.

4. Click OK .

130 Using iLO



Viewing and ejecting local media

When local Virtual Media is connected, the details are listed in the following sections:

• Virtual Floppy/USB Key/Virtual Folder Status

Image Inserted—The Virtual Media type that is connected. Local media is displayed whenlocal media is connected.

◦

◦ Connected—Whether a Virtual Media device is connected.

• Virtual CD/DVD-ROM Status

Image Inserted—The Virtual Media type that is connected. Local media is displayed whenlocal media is connected.

◦


To eject local Virtual Media devices, click the Force Eject Media button in the Virtual Floppy/USBKey/Virtual Folder Status or Virtual CD/DVD-ROM Status section.

Connecting scripted media

You can connect scripted media from the Virtual Media page. Use the .NET IRC or Java IRC,

RIBCL/XML, or the iLO CLI to connect other types of Virtual Media. Scripted media supports only1.44 MB floppy images (.img) and CD/DVD-ROM images (.iso). The image must be locatedon a web server on the same network as iLO.

To connect scripted media:

1. Navigate to the Virtual Media→ Virtual Media page, as shown in Figure 50 (page 130).2. Enter the URL for the scripted media in the Scripted Media URL box in the Connect Virtual

Floppy section (.img files) or the Connect CD/DVD-ROM section (.iso files).3. Select the Boot on Next Reset check box if the server should boot to this image only on the

next server reboot. The image will be ejected automatically on the second server reboot, sothat the server does not boot to this image twice.

If this check box is not selected, the image will remain connected until it is manually ejected,and the server will boot to it on all subsequent server resets, if the system boot options areconfigured accordingly.

4. Click Insert Media.5. Optional: To boot to the connected image, click Server Reset to initiate a server reset.

Viewing and ejecting scripted media

When scripted Virtual Media is connected, the details are listed in the following sections:

• Virtual Floppy/Virtual Folder Status

Image Inserted—The Virtual Media type that is connected. Scripted media is displayed

when scripted media is connected.

◦


◦ Image URL—The URL that points to the connected scripted media.

• Virtual CD/DVD-ROM Status

Image Inserted—The Virtual Media type that is connected. Scripted media is displayedwhen scripted media is connected.

◦


◦

Image URL—The URL that points to the connected scripted media.




2. Click the Virtual Drives menu, and then select Image File (.NET) or Virtual Image (Java .NET).

The console prompts you for the path to the image file.

3. Enter the path or file name of the image in the text box, or click Browse to locate the imagefile by using the Choose Disk Image File dialog box.

The connected drive icon (Java IRC only) and virtual drive activity LED change state to reflectthe current status of the virtual drive.

Using scripted media (.NET IRC only)You can connect scripted media by using the .NET IRC. Scripted media supports only 1.44 MBfloppy images (.img) and CD/DVD-ROM images (.iso). The image must be located on a webserver on the same network as iLO.

1. Start the .NET IRC.2. Click the Virtual Drives menu, and then select URL.

The Remote Console prompts you to enter the image URL.

3. Enter the URL to the image file that you want to mount as a virtual drive.

The connected drive icon (Java IRC only) and virtual drive activity LED change state to reflectthe current status of the virtual drive.

Using a virtual CD/DVD-ROM

The iLO virtual CD/DVD-ROM is available at server boot time for supported operating systems.Booting from the iLO virtual CD/DVD-ROM enables you to deploy an operating system from networkdrives and perform disaster recovery of failed operating systems.

If the host server operating system supports USB mass storage devices, the iLO virtual CD/DVD-ROMis available after the host server operating system loads. You can use the iLO virtual CD/DVD-ROMwhen the host server operating system is running to upgrade device drivers, install software, andperform other tasks. Having the virtual CD/DVD-ROM available when the server is running canbe useful if you must diagnose and repair the NIC driver.

The virtual CD/DVD-ROM can be the physical CD/DVD-ROM drive on which the web browser isrunning, or an image file stored on your local hard drive or network drive. For optimal performance,HP recommends using image files stored either on the hard drive of your client PC or on a networkdrive accessible through a high-speed network link.

To an operating system, virtual CDs/DVD-ROMs behave like any other CD/DVD-ROM. When youare using iLO for the first time, the host operating system might prompt you to complete a NewHardware Found wizard.

When virtual devices are connected, they are available to the host server until you disconnectthem. When you are finished using a Virtual Media device and you disconnect it, you might receivea warning message from the host operating system regarding unsafe removal of a device. Youcan avoid this warning by using the operating system feature to stop the device before disconnecting

it.

Using a physical CD/DVD-ROM drive on a client PC

1. Start the .NET IRC or Java IRC.2. Click the Virtual Drives menu, and then select the drive letter of a physical CD/DVD-ROM

drive on your client PC.

The connected drive icon (Java IRC only) and virtual drive activity LED change state to reflectthe current status of the virtual CD/DVD-ROM drive.

NOTE: When you are using the .NET IRC or Java IRC with Windows Vista or Windows Server2008 or later, you must have Windows administrator rights in order to mount a physical drive

(CD/DVD-ROM or USB key).




Using an image file

1. Start the .NET IRC or Java IRC.2. Click the Virtual Drives menu, and then select Image File (.NET IRC) or Floppy/USB-Key→ Virtual

Image (Java).

The Remote Console prompts you for the path to the image file.

3. Enter the path or file name of the image in the text box, or click Browse to locate the imagefile by using the Choose Disk Image File dialog box.

Using an image file through a URL (IIS/Apache – .NET IRC only)

1. Start the .NET IRC.2. Click the Virtual Drives menu, and then select URL.3. Enter the URL to the image file that you want to mount as a virtual drive.

Creating iLO disk image files (Java IRC only)

iLO Virtual Media enables you to create virtual floppy disk and CD image files from the Java IRC.Creation of DVD-ROM image files via the Java IRC is not supported. The image files that the JavaIRC creates are ISO-9660 file system images. When you use iLO Virtual Media, performance isfastest when image files are used instead of physical devices. You can also use industry-standard

tools like DD to create image files.To create an image file:

1. Start the Java IRC.2. Select Virtual Drives →Create Disk Image.3. Enter the path or file name in the text box, or click Browse to select an existing image file or

to change the directory in which the image file will be created.4. Click Create.

The Virtual Media applet begins the process of creating the image file. The process is completewhen the progress bar reaches 100%. To cancel the creation of an image file, click Cancel.

Figure 51 Create Media Image dialog box

Use the Disk>>Image option to create image files from physical disks or CDs. The Image>>Diskoption is not valid for virtual CD images.

When you click the Disk>>Image button, the button label changes to Image>>Disk. Use this buttonto switch from creating image files from physical disks to creating physical floppy disks from imagefiles.

134 Using iLO



Using a Virtual Folder (.NET IRC only)

This feature enables you to access, browse, and transfer files from a client to a managed server.It enables you to mount and dismount a local or networked directory that is accessible through theclient. After you create a virtual image of a folder or directory, the server connects to the createdimage as a USB storage device, enabling you to browse to the server and transfer the files fromthe iLO-generated image to any location on the server.


The Virtual Folder is nonbootable and read only; the mounted folder is static. Changes to the clientfile are not replicated in the mounted folder.

To use a Virtual Folder:

1. Start the .NET IRC.2. Select Virtual Drives→Folder .

The Browse For Folder window opens.

3. Select the folder that you want to use, and then click OK .

The Virtual Folder is mounted on the server with the name iLO Folder .

Setting up IIS for scripted Virtual MediaBefore you set up IIS for scripted Virtual Media, verify that IIS is operational. Use IIS to set up asimple website and verify that it is working correctly by browsing to the site.

Configuring IIS

To configure IIS to serve diskette or ISO-9660 CD images for read-only access:1. Add a directory to your website and place your images in the directory.2. Verify that IIS can access the MIME type for the files you are serving.

For example, if your diskette image files use the extension .img, you must add a MIME typefor that extension. Use the IIS Manager to access the Properties dialog box of your website.

On the HTTP Headers tab, click MIME Types to add MIME types.HP recommends adding the following types:

.img application/octet-stream

.iso application/octet-stream

After you complete these steps, you should be able to navigate to the location of your images byusing a web browser and download them to a client. If you can complete this step, your web serveris configured to serve read-only diskette and CD images.

Configuring IIS for read/write access

1. Install Perl (for example, Active-Perl).2. Customize the Virtual Media helper application as needed.

For a sample helper application, see “Virtual Media helper application” (page 136).

3. Create a directory on your website for the Virtual Media helper script, and then copy the scriptto that directory.

The sample script uses the directory name cgi-bin, but you can use any name.

4. By using the Properties page for your directory, under Application Settings, click Create tocreate an application directory.

The icon for your directory in IIS Manager changes from a folder to a gear icon.

5. Set the Execute permissions to Scripts only.






my ($prefix) = "c:/inetpub/wwwroot";my ($start, $end, $len, $decode);

my $q = new CGI(); # Get CGI data

my $file = $q->param('file'); # File to be writtenmy $range = $q->param('range'); # Byte range to be writtenmy $data = $q->param('data'); # Data to be written

#

# Change the file name appropriately#$file = $prefix . "/" . $file;

## Decode the range#if ($range =~ m/([0-9A-Fa-f]+)-([0-9A-Fa-f]+)/) {$start = hex($1); $end = hex($2); $len = $end - $start + 1;}

## Decode the data (a big hexadecimal string)#$decode = pack("H*", $data);

## Write it to the target file#sysopen(F, $file, O_RDWR);binmode(F);sysseek(F, $start, SEEK_SET);syswrite(F, $decode, $len);close(F);

print "Content-Length: 0\r\n";print "\r\n";

Configuring Virtual Media Boot OrderThe Virtual Media Boot Order feature enables you to set the server boot options. You must havethe Virtual Media and Configure iLO Settings privileges to change these settings.

NOTE: Changes made to the boot order or one-time boot status might require a server reset. iLOwill notify you when a reset is necessary.

Changing the server boot order

To change the boot order of floppy, CD/DVD-ROM, USB, hard disk, and network devices:




1. Navigate to the Virtual Media→Boot Order page, as shown in Figure 52 (page 138).

Figure 52 Boot Order page

2. Select a device in the Server Boot Order list, and click Up or Down to move it up or down inthe boot order.

You can select from the following devices:

• CD/DVD Drive

• Floppy Drive

• USB Storage Device

• Hard Disk Drive

• Network Device <number> where the server Ethernet card is Network Device 1, andadditional NIC/ALOM cards are Network Device 2, Network Device 3, and so on.

3. Click Set Boot Order .

Changing the one-time boot status

To set one type of media to boot on the next server reset without changing the predefined bootorder:

1. Navigate to the Virtual Media→Boot Order page.2. Select an option from the Select One-Time Boot Option menu.

The following choices are available:

• No One-Time Boot

• CD/DVD Drive

• Floppy Drive

• USB Storage Device

• Hard Disk Drive

• Network Device

3. Click Set One-Time Boot.

138 Using iLO



to the system. The power supplies are more efficient (more DC output watts for each watt of ACinput) at higher power output levels, and the overall power efficiency improves.

NOTE: HEM is available only on nonblade servers.

When the system begins to draw more than 70% capacity of the maximum power output of theprimary supplies, the secondary supplies return to normal operation (that is, they exit step-downmode). When power use drops below 60% capacity of the primary supplies, the secondary suppliesreturn to step-down mode. HEM enables you to achieve power consumption equal to the maximum

power output of the primary and secondary power supplies, while maintaining improved efficiencyat lower power usage levels.

HEM does not affect power redundancy. If the primary supplies fail, the secondary suppliesimmediately begin supplying DC power to the system, preventing any downtime.

You can configure HEM only through the RBSU. You cannot modify these settings through iLO. Formore information, see the HP ROM-Based Setup Utility User Guide .

The configured HEM settings are displayed on the System Information→Server Power page.

Using iLO Power ManagementiLO Power Management enables you to view and control the power state of the server, monitor

power usage, and modify power settings. The Power Management menu has three menu options:Server Power , Power Meter , and Power Settings.

A video demonstration of iLO's power management features is available at http://www.hp.com/go/ilo/videos.

Managing the server powerThe Virtual Power Button section displays the current power state of the server, as well as optionsfor remotely controlling server power. System Power indicates the state of the server power whenthe page is first opened. The server can be ON, OFF, or Reset. Use the browser refresh feature toview the current status of the power indicator.

NOTE: Seeing the server in the Reset state is rare.

To change the current server power state by using the Virtual Power Button options, you must havethe Virtual Power and Reset privilege. Some of the power control options do not shut down theoperating system gracefully. You must initiate an operating system shutdown by using the RemoteConsole before you use the Virtual Power Button options.

To change the server power state:

140 Using iLO







Configuring the System Power Restore SettingsThe settings in the System Power Restore Settings section control system behavior after power islost. These settings can also be configured by using the system RBSU during POST.

To change the System Power Restore Settings:

1. Navigate to the Power Management→Server Power page as shown in Figure 53 (page 141).2. Select an Auto Power-On value.

This setting determines how iLO behaves after power is restored—for example, when theserver is plugged in or when a UPS is activated after a power outage.

The following options are available:

• Always Power On—Power on the system after the power-on delay (BL default).

• Always Remain Off—The system remains off until directed to power on.

• Restore Last Power State—Return to the server power state when power was lost. If theserver was on, it powers on; if the server was off, it remains off (ML, DL, SL default).

3. Select a Power-On Delay value.

This setting staggers server automatic power-on in a data center. It does not interfere with thepower button. The power-on delay occurs before iLO powers on the server. The iLO firmware

requires approximately 30 seconds before the server powers on with the minimum delay.The following options are available:

• Minimum Delay—Power-on is delayed by approximately 30 seconds.

• Random up to 120 seconds—The power-on delay varies and can be up to 120 seconds.

4. Click Submit.

Viewing server power usageThe Power Meter page enables you to view the server power consumption over time.


iLO Licensing visit the following webpage: http://www.hp.com/go/ilo/licensing. A video demonstration of iLO's power management features is available at http://www.hp.com/

go/ilo/videos.

To access power meter graphs, navigate to the Power Management→Power Meter page, as shownin Figure 54 (page 143).

142 Using iLO









Figure 54 Power Meter page

The power meter graphs display recent server power usage. The graph data is reset when iLO isreset. The iLO firmware periodically samples peak power, average power, and power cap. Thefollowing graphs are displayed:

• 24-Hour History Graph—This graph displays the power usage of the server over the previous24 hours. The iLO firmware collects power usage information from the server every 5 minutes.The bar graph displays the average values in blue and the peak values in red. The graphshows No cap set during a host power reset. This data resets when either the server or iLO isreset.

• 20-Minute History Graph—This graph displays the power usage of the server over the previous20 minutes. The iLO firmware collects power usage information from the server every 10seconds. The bar graph displays the average values in blue and the peak values in red. Thisdata resets when the server or iLO is reset.

When you are viewing the power meter graphs, use the Display Options to control the informationthat is displayed. You can view minimum, average, peak, and cap power information.

Select one or more of the following check boxes, and then click Refresh Page to update the graphs.

• Min—The minimum value observed during a measurement period. Typically, the 20-minutegraph measures a minimum value every 10 seconds, which matches the average value. The24-hour graph can capture minimum values lower than the 5-minute average value.

• Average—The mean power reading during the sample.

Using iLO Power Management 143



• Peak—The highest instantaneous power reading during the sample. Hardware records thisvalue on a subsecond basis.

• Cap—The configured power cap during the sample. If the power cap is not configured or notsupported, it does not appear.

◦ A power cap limits average power draw for extended periods of time.

◦ Power caps are not maintained during server reboots, resulting in temporary spikes during

boot.◦ Power caps set for less than 50% of the difference between maximum power and idle

power might become unreachable because of changes in the server. HP does notrecommend setting caps for less than 20%. Configuring a cap that is too low for thesystem configuration can prevent correct system operation.

◦ For more information about HP Insight Control power management software, see http://www.hp.com/go/dpc.

The following options are also available:

• Power Unit—Select a value on the Power Unit menu to show the power readings in eitherwatts or BTU/hr.

• Refresh Page—Click the Refresh Page button to update the history graphs.

Viewing the current power stateTo view the current power state, navigate to the Power Management→Power Meter page, asshown in Figure 54 (page 143).

The values displayed in the Current State table vary depending on the server type:

• Present Power Reading—The current power reading from the server. This value is displayedfor all HP ProLiant server types.

• Power Regulator Mode—The configured power regulator mode. This value is displayed for

all HP ProLiant server types. The settings are as follows:◦ HP Dynamic Power Savings Mode

◦ HP Static Low Power Mode

◦ HP Static High Performance Mode

◦ OS Control Mode

• Present Power Cap—The configured power cap on the server. This value is zero if the powercap is not configured. This value is displayed for HP ProLiant ML/DL and blade servers.

• Power Input Voltage—The supplied input voltage for the server. This value is displayed for HP

ProLiant ML/DL servers.• Power Supply Capacity—The server power capacity. This value is displayed for HP ProLiant

SL servers.

• Peak Measured Power —The highest measured power reading. This value is displayed for HPProLiant SL servers.

Viewing the server power historyTo view the server power history, navigate to the Power Management→Power Meter page, asshown in Figure 54 (page 143).

144 Using iLO

http://www.hp.com/go/dpc






The Power History table shows power readings from three different time periods: 5 minutes, 20minutes, and 24 hours.

• Average Power —The average of the power readings for the specified time period. If the serverhas not been running for the specified time period, the value is the average of all the readingssince the server booted.

• Maximum Power —The maximum power reading from the server for the specified time period.If the server has not been running for the specified time period, the value is the maximum of

all readings since the server booted.• Minimum Power —The minimum power reading from the server for the specified time period.

If the server has not been running for the specified time period, the value is the minimum ofall readings since the server booted.

Configuring power settingsThe Power Settings page enables you to view and control the power management features of theserver. The power management features on this page vary based on the server configuration. TheConfigure iLO Settings privilege is required to change the values on this page.

A video demonstration of iLO's power management features is available at http://www.hp.com/go/ilo/videos.

Configuring Power Regulator settings

The Power Regulator for ProLiant feature enables iLO to dynamically modify processor frequencyand voltage levels, based on operating conditions, to provide power savings with minimal effecton performance. The Power Settings page allows you to view and control the power regulatormode of the server. This feature is not available on all processor models. To determine processorsupport, see the HP Power Regulator for ProLiant website at http://www.hp.com/servers/power-regulator.

To configure the Power Regulator settings:

1. Navigate to the Power Management→Power Settings page.

2. Select a value from the following options:• HP Dynamic Power Savings Mode—Automatically varies processor speed and power

usage based on processor utilization. Allows reducing overall power consumption withlittle or no impact to performance. Does not require OS support.

• HP Static Low Power Mode—Reduces processor speed and power usage. Guarantees alower maximum power usage for the system.

• HP Static High Performance Mode—Processors will run in their maximumpower/performance state at all times regardless of the OS power management policy.

• OS Control Mode—Processors will run in their maximum power/performance state at alltimes unless the OS enables a power management policy.

3. Click Apply.The server requires a reboot for the change to take effect. These settings cannot be changedwhile the server is in POST. If the settings do not change after you click Apply, the server mightbe in the boot process or require rebooting. Exit any RBSU program you are running, allowPOST to complete, and then try the operation again.

Using iLO Power Management 145



http://www.hp.com/servers/power-regulator








Configuring power capping settings

The Power Capping Settings section enables you to view measured power values, set a powercap, and disable power capping. When you are configuring a power cap, note the following:

• The Measured Power Values section lists the following:

Maximum Available Power —The power supply capacity for a non-blade server, or initialpower-on request value for a blade server

◦

◦ Peak Observed Power —The maximum observed power for the server

◦ Minimum Observed Power —The minimum observed power for the server

During POST, the ROM runs two power tests that determine the peak and minimum observedpower values.

• Power cap settings are disabled when the server is part of an Enclosure Dynamic Power Cap.These values are set and modified through using either Onboard Administrator or InsightControl power management.

• Use the Power Cap Thresholds as guidelines for configuring a power cap.

Maximum Power Cap—The maximum power available for the server. The server must not

exceed this value.

◦

◦ Minimum High-Performance Cap—The maximum power that the server uses in the currentconfiguration. A power cap set to this value does not affect server performance.

◦ Minimum Power Cap—The minimum observed power usage by the server. A cap set atthis point reduces the server power usage to the minimum, which results in serverperformance degradation.

When a power cap is set, the average power reading of the server over time must be at or belowthe cap value.

To configure a power cap:

1. Navigate to the Power Management→Power Settings page.2. Select the Enable power capping check box.3. Enter the power cap value in watts or a percentage.

Click Show values in BTU/hr to toggle the display between watts and BTU/hr. The percentageis the difference between the maximum and minimum power values. The cap value cannot beset below the server minimum power value.

4. Click Apply.

Configuring an SNMP power threshold alert

The SNMP Alert on Breach of Power Threshold section enables the sending of SNMP alerts whenpower consumption exceeds a defined threshold. You can set the following:

1. Navigate to the Power Management→Power Settings page.2. Select a value in the Warning Trigger menu.

The warning trigger determines whether warnings are based on peak power consumption,are based on average power consumption, or are disabled.

3. Enter a value in the Warning Threshold box.

This value sets the power consumption threshold. If power consumption is above this value forthe specified duration, an SNMP alert is triggered.

146 Using iLO



4. Enter a value in the Duration box.

This value sets the length of time, in minutes, that power consumption must remain above thewarning threshold before an SNMP alert is triggered. The maximum duration is 240 minutes,and the duration must be a multiple of 5.


Configuring the persistent mouse and keyboard

The Other Settings section on the Power Settings page allows you to enable or disable the persistentkeyboard and mouse setting.

When this feature is enabled, the iLO virtual keyboard and mouse are always connected to theiLO UHCI USB controller. When this feature is disabled, the iLO virtual keyboard and mouse areconnected dynamically to the iLO UHCI controller only when a Remote Console application isopen and connected to iLO. Disabling the feature allows some HP servers to gain approximately15 watts of power savings when the server operating system is idle and no virtual USB keyboardand mouse are connected.

The persistent mouse and keyboard setting is disabled by default.

After you select or clear the Enable persistent mouse and keyboard setting, click Apply to save theconfiguration change.

Using iLO with Onboard AdministratorOnboard Administrator is the enclosure management processor, subsystem, and firmware basethat is used to support the HP BladeSystem and all managed devices contained in the enclosure.

Using the Active Onboard AdministratorThe BL c-Class→ Active Onboard Administrator page provides general information about the primaryOA in the enclosure where iLO is located. This page is displayed only when there is an enclosure.Figure 55 (page 147) shows an example of the page.

Figure 55 Active Onboard Administrator page

This page displays the following information and options:

• IP Address—The IP address of the active OA.

• MAC Address—The MAC address of the active OA.

Using iLO with Onboard Administrator 147



• System Health—The health of the active OA, as reported by the OA.

A value of unknown means that OA health has not been reported to iLO.

• Blade Location—The blade that is hosting the current iLO session is in the listed enclosure bay.

• Enclosure Name—The active OA manages this enclosure. You can adjust this setting throughthe OA.

• Rack Name—The enclosure is linked with other enclosures identified by the rack name. You

can adjust this setting through the OA.• Onboard Administrator GUI—Click the Launch button to open a new browser window to

connect to the active OA web interface.

• Enclosure UID Light—Click the Toggle UID button to toggle the state of the enclosure UID whereiLO is located.

You can turn the UID on and off through other sources. The true state of the UID might not berepresented after a period of time.

Enclosure bay IP addressingThe First Time Setup Wizard prompts you to set up your enclosure bay IP addressing. For more

information about the wizard, see the HP BladeSystem Onboard Administrator User Guide .

Dynamic Power Capping for server bladesDynamic Power Capping is an iLO feature available for c-Class server blades and accessed throughOnboard Administrator. Dynamic Power Capping is available only if your system hardwareplatform, BIOS (ROM), and power microcontroller firmware version support this feature. If yoursystem supports Dynamic Power Capping, iLO automatically functions in Dynamic Power Cappingmode.

For information about the power setting options for c-Class server blades, see the HP BladeSystemOnboard Administrator User Guide.

iLO virtual fanIn c-Class blade servers, Onboard Administrator controls the enclosure fans (also called “virtualfans”). The iLO firmware cannot detect these enclosure fans. Instead, the iLO firmware monitorsan ambient temperature sensor located on the blade server. This information is displayed on theiLO web interface and retrieved by the Onboard Administrator periodically. The Onboard

Administrator uses the sensor information collected from all iLO management processors in theenclosure to determine enclosure fan speeds.

iLO optionThe iLO - Device Bay <XX> page in Onboard Administrator provides the following links:

• Web Administration—Starts the iLO web interface• Integrated Remote Console—Starts the .NET IRC

• Remote Console—Starts the Java IRC

Clicking a link on this page opens the requested iLO session in a new window that uses usingSSO, which does not require an iLO user name or password. If your browser settings prevent newwindows from opening, the links do not function properly.

148 Using iLO



5 Integrating HP Systems Insight ManagerThe iLO firmware is integrated with HP SIM in key operating environments, providing a singlemanagement console from a standard web browser. While the operating system is running, youcan establish a connection to iLO by using HP SIM.

Integration with HP SIM provides the following:

• Support for SNMP trap delivery to an HP SIM console—The HP SIM console can be configuredto forward SNMP traps to a pager or email address.

• Support for management processors—All iLO devices installed in servers on the network arediscovered in HP SIM as management processors.

• Grouping of iLO management processors—All iLO devices can be grouped logically anddisplayed on one page. This structure provides access to iLO from one page in HP SIM.

• HP Management Agents or Agentless Management—iLO, combined with AgentlessManagement or the HP Management Agents, provides remote access to system managementinformation through the iLO web interface.

• Support for SNMP management—HP SIM can access Insight Management Agent information

through iLO.

HP SIM featuresHP SIM enables you to do the following:

• Identify iLO processors.

• Create an association between iLO and its server.

• Create links between iLO and its server.

• View iLO and server information and status.

• Control the amount of information displayed for iLO.

The following sections summarize these features. For detailed information, see the HP SystemsInsight Manager User Guide .

Establishing SSO with HP SIMTo establish SSO with HP SIM:

1. Configure iLO for HP SIM SSO and add HP SIM trusted servers. For instructions, see“Configuring iLO for HP SIM single sign-on” (page 56).

2. Log in to the HP SIM server that you specified in Step 1, and discover the iLO.

After you complete the discovery process, SSO is enabled for the iLO.

For more information about HP SIM discovery tasks, see the HP Systems Insight Manager User Guide .

iLO identification and associationHP SIM can identify an iLO processor and create an association between iLO and a server. Youcan configure iLO to respond to HP SIM identification requests by setting the Level of Data Returnedvalue on the Administration→Management page. For more information, see “Configuring InsightManagement Integration” (page 78).

Viewing iLO status in HP SIMHP SIM identifies iLO as a management processor. HP SIM displays the management processor

status on the All Systems page, as shown in Figure 56 (page 151).

150 Integrating HP Systems Insight Manager



The iLO management processor is displayed as an icon on the same row as its host server. Thecolor of the icon represents the status of the management processor.

Figure 56 HP SIM status page

For a list of device statuses, see the HP Systems Insight Manager User Guide .

iLO links in HP SIMFor ease of management, HP SIM creates links to the following:

• iLO and the host server from any System(s) list

• The server from the System page for iLO

• iLO from the System page for the server

The System(s) list pages display iLO, the server, and the relationship between iLO and the server.

Click a status icon to display the iLO web interface.

Click the iLO or server name to display the System page of the device.

Viewing iLO in HP SIM System(s) listsiLO management processors can be viewed in HP SIM. A user who has full configuration rightscan create and use customized system collections to group management processors. For moreinformation, see the HP Systems Insight Manager User Guide .

Receiving SNMP alerts in HP SIMYou can configure iLO to forward alerts from the management agents of the host operating systemand to send iLO alerts to HP SIM.

HP SIM supports full SNMP management. iLO supports SNMP trap delivery to HP SIM. You canview the event log, select the event, and view additional information about the alert.

To configure receipt of SNMP alerts in HP SIM:

Receiving SNMP alerts in HP SIM 151



1. To enable iLO to send SNMP traps, navigate to the Administration→Management page andconfigure the settings for SNMP, SNMP alerting, and Insight Management Integration. Enterthe IP address of the HP SIM computer in the SNMP Alert Destination(s) box. For moreinformation, see “Configuring iLO Management settings” (page 71).

2. To discover iLO in HP SIM, configure iLO as a managed device for HP SIM.

This enables the NIC interface on iLO to function as a dedicated management port, isolatingmanagement traffic from the NIC interface for the remote host server. For instructions, see theHP Systems Insight Manager User Guide .

For major events that are not cleared, iLO traps appear in All Events. To obtain moreinformation about the event, click Event Type.

HP SIM port matchingHP SIM is configured to start an HTTP session to check for iLO at port 80. If you want to changethe port number, you must change it in both iLO and HP SIM.

• To change the port in iLO, navigate to the Administration→ Access Settings page, and thenenter the new port number in the Web Server Non-SSL Port box.

• To change the port number in HP SIM, add the port to the config\identification\

additionalWsDisc.props file in the HP SIM installation directory. If iLO uses the defaultport (80), you do not need to edit this file.

The port entry must be on a single line with the port number first, with all other items identicalto the following example (including capitalization). The following example shows the correctentry for discovering iLO at port 55000:

55000=iLO 4,,true,false,com.hp.mx.core.tools.identification.mgmtproc.MgmtProcessorParser

Reviewing iLO license information in HP SIMHP SIM displays the license status of the iLO management processors. You can use this information

to determine how many and which iLO devices have an optional license installed.To view license information, select Deploy→License Manager . To make sure that the displayeddata is current, run the Identify Systems task for your management processors. For more information,see the HP Systems Insight Manager User Guide .

152 Integrating HP Systems Insight Manager



6 Directory servicesThis chapter describes how to configure and use directory services with iLO.

Directory integration overviewiLO can be configured to use a directory to authenticate and authorize its users. Before you configureiLO for directories, you must decide whether you want to use the HP Extended Schema option.

The HP Extended Schema offers the following advantages:

• There is more flexibility in controlling access. For example, access can be limited to a time ofday or a certain range of IP addresses.

• Groups are maintained in the directory, not on each iLO.

For more information, see the comprehensive list of benefits in “Directory integration benefits”(page 153). “Directory-enabled remote management” (page 183) explains how roles, groups, andsecurity are enabled and enforced via directories.

Directory integration benefits• Scalability—The directory can be leveraged to support thousands of users on thousands of

iLOs.

• Security—Robust user-password policies are inherited from the directory. User-passwordcomplexity, rotation frequency, and expiration are policy examples.

• User accountability—In some environments, users share iLO accounts, which results in notknowing who performed an operation, instead of knowing what account (or role) was used.

• Role-based administration—You can create roles (for example, clerical, remote control of thehost, complete control) and associate users or user groups with those roles. A change to asingle role applies to all users and iLO devices associated with that role.

• Single point of administration—You can use native administrative tools like MMC and

ConsoleOne to administer iLO users.• Immediacy—A single change in the directory rolls out immediately to associated iLO processors.

This eliminates the need to script this process.

• Simpler credentials—You can use existing user accounts and passwords in the directory withouthaving to record a new set of credentials for iLO.

• Flexibility—You can create a single role for a single user on a single iLO, a single role formultiple users on multiple iLOs, or a combination of roles as suited to your enterprise.

• Compatibility—iLO directory integration supports the popular Active Directory and eDirectory.

• Standards—iLO directory support is based on the LDAP 2.0 standard for secure directory

access.

Kerberos supportKerberos support enables a user to log in to iLO without supplying a user name and password ifthe client workstation is logged in to the domain and the user is a member of a directory groupfor which iLO is configured. If the workstation is not logged in to the domain, the user can alsolog in to iLO by using the Kerberos user name and domain password. Kerberos support can beconfigured through the web interface, XML (RIBCL), or SSH (partial support for CLI).

Because a trust relationship between iLO and the domain is established by a system administratorin advance of user sign-on, any form of authentication (including two-factor authentication) issupported. For configuration of a user to support two-factor authentication, see the server operating

system documentation.

Directory integration overview 153



A video demonstration of the Kerberos configuration procedure is available at http://www.hp.com/go/ilo/videos.

Domain controller preparationIn a Windows Server environment, Kerberos support is part of the domain controller.

Realm names

The Kerberos realm name for a DNS domain is usually the domain name converted to uppercase.For example:

• Parent domain name: example.net

• Kerberos realm name: EXAMPLE.NET

Computer accounts

A computer account must be present and enabled in the domain directory for each iLO account.In Windows, create the user account in the Active Directory Users and Computers snap-in. Forexample:

• iLO host name: iloname

• Parent domain name: example.net• iLO domain name (fully qualified): iloname.example.net

User accounts

A user account must be present and enabled in the domain directory for each user who is allowedto log in to iLO.

Generating a keytab

The iLO host name that you use for keytab generation must be identical to the iLO host name forwhich iLO is configured. iLO host names are case sensitive. This section describes how to generatea keytab file for iLO in a Windows environment.

1. Use the ktpass command to generate a keytab and set the shared secret.

The command is case sensitive and has special characters.

ktpass -out iloname.keytab +rndPass -ptype KRB5_NT_SRV_HST [email protected] -princ HTTP/[email protected]

The output should be similar to the following:

Targeting domain controller: domaincontroller.example.netUsing legacy password setting methodSuccessfully mapped HTTP/iloname.example.net to iloname.WARNING: pType and account type do not match. This might cause problems.Key created.Output keytab to iloname.keytab: Keytab version: 0x502keysize 69 HTTP/[email protected] ptype 3(KRB5 _NT_SRV_HST) vno 3 etype 0x17 (RC4-HMAC) keylength 16(0x5a5c7c18ae23559acc2 9d95e0524bf23)

NOTE: The ktpass command might display a message about not being able to set theUPN. This is acceptable because iLO is a service, not a user. You might be prompted tochange the password on the computer object. Click OK to close the window and continuecreating the keytab file. Do not use the -kvno option of the ktpass command. This optioncauses the knvo in the keytab file to be out of sync with the kvno in Active Directory.

154 Directory services







2. Use the SetSPN command to assign the Kerberos SPN to the computer object. For example:

SetSPN -A HTTP/iloname.example.net iloname

If the SetSPN command displays an error message, do the following:

a. Use MMC with the ADSIEdit snap-in and find the computer object for iLO.b. Set the DNSHostName property to the iLO DNS name. For example:

cn=iloname,ou=us,ou=clients,dc=example,dc=net

3. Use the SetSPN -L iloname command to display the SPNs and DN for the iLO. Verify that the HTTP/iloname.example.net service is displayed.

NOTE: The SetSPN command might display a message about not being able to set theUPN. This is acceptable because iLO is a service, not a user. You might be prompted tochange the password on the computer object. Click OK to close the window and continuecreating the keytab file.

Key version number

If a domain controller OS is reinstalled, the key version number sequence resets. You must regenerateand reinstall the keytab files that iLO uses for devices associated with that domain controller.

Windows Vista

To generate keytab files on Windows Vista, use Microsoft hotfix KB960830 and ktpass.exeversion 6.0.6001.22331 or later.

Universal and global user groups (for authorization)

To set permissions in iLO, you must create a group in the domain directory. Users who log in toiLO are granted the sum of the permissions for all groups of which they are a member. Onlyuniversal and global user groups can be used to set permissions. Domain local groups are notsupported.

iLO configurationThis section describes the iLO parameters to configure for Kerberos login.

• iLO Hostname—The case of the iLO host name used for keytab generation must be identicalto the case of the iLO host name for which iLO is configured. iLO host names are case sensitive.

• Kerberos Authentication—This parameter enables or disables Kerberos login. If Kerberos loginis disabled, the HP Zero Sign In button does not appear on the login page.

• Kerberos Realm—This parameter is the name of the Kerberos realm in which iLO is operating.This string can be up to 127 characters. HP recommends that you use the DNS domainconverted to uppercase. Realm names are case sensitive.

• Kerberos KDC Server Address—This parameter is the address (IP address or DNS name) ofthe KDC. This string can be up to 127 characters. Each realm must have at least one KDC,which contains an authentication server and a ticket grant server. These servers can becombined.

• Kerberos KDC Server Port—This parameter is the TCP or UDP port number on which the KDCis listening. The default KDC port is 88.

• Kerberos Keytab—The keytab file is a binary file that contains pairs of principals and encryptedpasswords. In the Windows environment, the ktpass command generates the keytab file.

Kerberos support 155



• Directory Groups—Use iLO directory groups to grant permissions (privileges) to users whoare logging in to iLO.

Each Directory Group includes a DN, SID, and permissions. For Kerberos login, the SIDs ofgroups that the user is a member of are compared to the SIDs for directory groups where iLOis configured. The user is granted the sum of the permissions for all groups that the user is amember of.

You can only use global and universal groups to set permissions. Domain local groups are

not supported.• iLO Date/Time, SNTP Settings—For Kerberos authentication to function properly, the date and

time must be synchronized between the iLO processor, the KDC, and the client workstation.Set the date and time in iLO with the server, or obtain the date and time from the network byenabling the SNTP Settings feature in iLO.

Using the iLO web interface

To configure the iLO parameters by using the web interface:

• Navigate to the Administration→Network page to configure the iLO Hostname parameter inthe iLO Subsystem Name (Host Name) box. For more information, see “Configuring iLO IPand NIC settings” (page 62).

• Navigate to the Administration→Security→Directory page to configure the followingKerberos-specific parameters:

◦ Kerberos Authentication

◦ Kerberos Realm

◦ Kerberos KDC Server Address

◦ Kerberos KDC Server Port

◦ Kerberos Keytab

For more information about these parameters, see “Configuring directory settings” (page 46).

• Navigate to the Administration→User Administration page to configure directory groups. Formore information, see “Administering users” (page 29).

• Navigate to the Information→Overview page to check the Current iLO Date/Time. For moreinformation, see “Viewing iLO overview information” (page 82).

• Navigate to the Administration→Network→SNTP Settings page if you want to change thedate and time. For more information, see “Configuring SNTP settings” (page 69).

Using XML configuration and control scripts

NOTE: You can download sample XML scripts from http://www.hp.com/support/ilo4. For moreinformation, see the HP iLO 4 Scripting and Command Line Guide .

The following sample scripts show how to set the iLO parameters for directories:

• Set_Server_Name.xml shows how to set the iLO host name.

• Mod_Schemaless_Directory.xml shows how to configure directory groups.

• Mod_Network_Settings.xml shows how to configure SNTP settings.

• Mod_Kerberos_Config.xml shows how to configure Kerberos-specific parameters.






Using the CLI, CLP, or SSH interface

To configure the iLO parameters by using the CLI, CLP, or SSH:

• iLO Hostname—You can change the iLO host name in the Hostname property of the/map1/dnsendpt1 target.

• Directory groups—You can configure directory group names and permissions in the propertiesof the /map1/oemhp_dircfg1 target. The group SIDs cannot be configured through thisinterface.

• iLO Date/Time, SNTP Settings—The current date and time and the SNTP settings cannot bedisplayed through this interface.

• Kerberos-specific configuration parameters—The following example shows the targetoemhp_dircfg1, which contains the Kerberos-specific configuration information:

/map1/oemhp_dircfg1 Targets oemhp_keytab1 Properties oemhp_dirauth=Disabled [Properties removed for brevity.] oemhp_group6_priv=0 oemhp_dir_kerberos_enabled=Enabled oemhp_dir_kerberos_kdc_port=88 oemhp_dir_kerberos_kdc_address=example.net oemhp_dir_kerberos_realm=EXAMPLE.NET Verbs cd version exit show set delete

/map1/oemhp_dircfg1/oemhp_keytab1 Targets Properties Verbs cd version exit show load

The target oemhp_dircfg1 includes a target oemhp_keytab1 and the following properties:

◦ oemhp_dir_kerberos_enabled—Enables or disables Kerberos authentication.Boolean values are accepted.

◦ oemhp_dir_kerberos_kdc_port—Specifies the port number that is used to connectto the domain controller. The Kerberos port number is 88, but the domain controller canbe configured for a different port number. The value can be 1 to 65535.

◦ oemhp_dir_kerberos_kdc_address—Specifies the location of the domain controller.The domain controller location is specified as an IP address or DNS name. The addressis a string of up to 127 characters.

◦ oemhp_dir_kerberos_realm—Specifies the Kerberos realm for which the domaincontroller is configured. By convention, the Kerberos realm name for a given domain isthe domain name converted to uppercase.

The target /map1/oemhp_dircfg1/oemhp_keytab1 contains a load verb that loads thebinary keytab file from a given URL. The keytab file can be up to 1024 bytes in length. Formore information, see the HP iLO 4 Scripting and Command Line Guide .

Time requirementTo log in to Kerberos successfully, the date and time of the iLO server, the client running the webbrowser, and the servers that are performing the authentication must be within 5 minutes of one

another. To do this, synchronize the times of all servers.

Kerberos support 157



Firefox

This section describes the procedure for enabling single sign-on with Firefox. The following stepsenable login if Active Directory is configured correctly for iLO, and iLO is configured correctly forKerberos login:

1. Enter about:config in the browser location bar to open the browser configuration page.

If the This might void your warranty! message appears, click the I'll be careful, Ipromise! button.

2. Enter network.negotiate in the Filter box.3. Double-click network.negotiate-auth.trusted-uris.4. Enter the iLO DNS domain name (for example, example.net), and then click OK .5. Use the fully qualified domain name to browse to iLO—for example, iloname.example.net.6. Click the HP Zero Sign In button.

Chrome

No special settings are required for the Chrome browser.

Verifying single sign-on (HP Zero Sign In) configuration

To verify that HP Zero Sign In has been installed correctly:1. Browse to the iLO login page (for example, http://iloname.example.net).2. Click the HP Zero Sign In button.

If a prompt for credentials opens, Kerberos authentication has failed and the system hasreverted to NTLM authentication. Click Cancel, and then repeat the procedures in “Configuringsingle sign-on” (page 158).

Login by nameTo verify that login in by name is working properly:

1. Browse to the iLO login page (for example, http://iloname.example.net).

2. Enter the user name in the Kerberos SPN form—for example, [email protected]. Enter the associated domain password.

If a prompt for credentials appears, Kerberos authentication has failed and the system hasreverted to NTLM authentication. Click Cancel to close the dialog box.

Login by name might not function correctly if the computer account for iLO is part of a childdomain, but the Kerberos configuration parameters (Kerberos Realm, Kerberos KDC Server

Address, and Kerberos KDC Server Port) reference the parent domain.

Advantages and disadvantages of schema-free directoriesDirectories enhance security, enabling you to manage access and rights from a central location.Directories also enable flexible configuration. Some directory configuration practices work betterwith iLO than others. Before you configure iLO for directories, you must decide whether to use theschema-free directory or the HP schema directory integration methods. Answer the followingquestions to help evaluate your directory integration requirements:

1. Can you apply schema extensions to your directory?

• No—You are using Active Directory, and policy prevents applying extensions.

• No—Directory integration does not fit your environment. Consider deploying an evaluationserver to assess the benefits of directory integration.

• Yes—Use group-based schema-free directory integration.

• Yes—Proceed to question 2.

Advantages and disadvantages of schema-free directories 159



2. Is your configuration scalable?

• No—Deploy an instance of the schema-free directory integration to evaluate whether thisdirectory integration method meets your policy and procedural requirements. If necessary,you can deploy HP schema directory integration later.

• Yes—Use HP schema directory integration.

The following questions can help you determine whether your configuration is scalable:

• Are you likely to change the rights or privileges for a group of directory users?

• Will you regularly script iLO changes?

• Do you use more than five groups to control iLO privileges?

Schema-free directory integrationIn the schema-free directory integration method, users and group memberships reside in thedirectory, but group privileges reside in the individual iLO. iLO uses login credentials to read theuser object in the directory and retrieve the user group memberships, which are compared to thosestored in iLO. If the credentials and membership match, authorization is granted, as shown inFigure 57 (page 160).

Figure 57 Schema-free directory integration

User entersuser name

and password

iLOinterface

Credentialstranslatedto a DN

Login script validates user credentials

User found inthe directory

and verified inthe iLO groups

Directory

iLOinterface

Advantages of using schema-free directory integration include the following:

• You do not have to extend the directory schema.

• Minimal setup is required for users in the directory. If no setup exists, the directory uses existingusers and group memberships to access iLO. For example, if you have a domain administratornamed User1, you can copy the distinguished name of the domain administrator securitygroup to iLO and give it full privileges. User1 would then have access to iLO.

Disadvantages of using schema-free directory integration include the following:

• Only Microsoft Active Directory is supported.

• Group privileges are administered on each iLO. However, this disadvantage is minimizedbecause group privileges rarely change, and the task of changing group membership isadministered in the directory and not on each separate iLO. HP provides tools that enableyou to make changes to a large number of iLOs at the same time.

Setting up Schema-free directory integrationBefore you set up the schema-free option, your system must meet the prerequisites described in“Active Directory preparation” (page 161).




You can use the following methods to set up iLO for directories:

• Browser

• Scripts

• HP Directories Support for ProLiant Management Processors

Active Directory preparationSSL must be enabled at the directory. To enable SSL, install a certificate for the domain in ActiveDirectory. iLO communicates with the directory only over a secure SSL connection.

To validate the setup, you must have the directory distinguished name for at least one user andthe distinguished name of a security group that the user is a member of.

Introduction to Certificate Services

Certificate Services is used to issue signed digital certificates to network hosts. The certificates areused to establish SSL connections with the host and verify the authenticity of the host.

Installing Certificate Services enables Active Directory to receive a certificate that allows iLOprocessors to connect to the directory service. Without a certificate, iLO cannot connect to thedirectory server.

Each directory server that you want iLO to connect to must be issued a certificate. If you install anEnterprise Certificate Service, Active Directory can automatically request and install certificates forall the Active Directory controllers on the network.

Installing Certificate Services

Use the following procedure for Windows Server 2008:

1. Navigate to Server Manager.2. Click Roles in the left pane.3. Click Add Roles.4. Select Active Directory Certificate Services.

5. Follow the onscreen instructions. If you are not sure what values to use, accept the defaultvalues.

Verifying Certificate Services

Because management processors communicate with Active Directory by using SSL, you must createa certificate or install Certificate Services. You must install an enterprise CA because you will beissuing certificates to objects within your organizational domain.

To verify that Certificate Services is installed, select Start→Programs→ AdministrativeTools→Certification Authority. An error message appears if Certificate Services is not installed.

Configuring Automatic Certificate Request

To specify that a certificate be issued to the server:1. Select Start→Run, and then enter mmc.2. Select File→ Add/Remove Snap-in.3. To add the snap-in to MMC, select Group Policy Object, and then click Add.4. Click Browse, and then select the Default Domain Policy object. Click OK .5. Click Finish, and then click Close and OK to close the remaining dialog boxes.6. Expand Computer Configuration→ Windows Settings→Security Settings→Public Key.7. Right-click Automatic Certificate Requests Settings, and select New→ Automatic Certificate

Request.

The Automatic Certificate Request Setup wizard starts.

Setting up Schema-free directory integration 161

8. Click Next.9. Select the Domain Controller template, and click Next.10. Select the listed certificate authority (it is the same CA that was defined during the Certificate

Services installation). Click Next.11. Click Finish to close the wizard.

Schema-free setup via iLO web interface

You can set up a schema-free configuration using the iLO web interface. Only users who have theConfigure iLO Settings privilege can change these settings. Users who do not have the ConfigureiLO Settings privilege can only view the assigned settings.

1. Navigate to the Administration→Security→Directory page.2. Select Use Directory Default Schema in the Authentication and Directory Server Settings section.

For more information, see “Schema-free setup options” (page 163).3. Click Apply Settings.4. To test the communication between the directory server and iLO, click Test Settings.

Schema-free setup via scriptsTo set up the schema-free directories option by using XML configuration and control scripts:

1. Review the HP iLO 4 Scripting and Command Line Guide .2. Write a script that configures iLO for schema-free directory support and run it.

The following script can be used as a template.

<RIBCL VERSION="2.0"> <LOGIN USER_LOGIN="admin" PASSWORD="admin123"> <DIR_INFO MODE = "write"> <MOD_DIR_CONFIG> <DIR_ENABLE_GRP_ACCT value = "Yes"/>

<DIR_GRPACCT1_NAME value = "test1"/> <DIR_GRPACCT1_PRIV value = "3,4,5"/>    <DIR_GRPACCT1_SID value= "S-1-0"/>



</MOD_DIR_CONFIG> </DIR_INFO>

</LOGIN></RIBCL>

Schema-free setup with HP Directories Support for ProLiant Management ProcessorsHP Directories Support for ProLiant Management Processors is the simplest way to set up a largenumber of iLO processors for directories.

NOTE: The HPLOMIG.exe utility user interface now displays the name HP Directories Support for ProLiant Management Processors utility .

To use HP Directories Support for ProLiant Management Processors, download the software fromhttp://www.hp.com/support/ilo4 . HP recommends using HP Directories Support for ProLiant



Management Processors when you are configuring multiple iLO processors for directories. Formore information, see “HP Directories Support for ProLiant Management Processors utility” (page188).

Schema-free setup optionsThe schema-free setup options are the same regardless of which method (browser, HP DirectoriesSupport for ProLiant Management Processors, or scripts) you use to configure the directory.

After you enable directories and select the schema-free option, you have the following options.

Minimum Login Flexibility

• Enter the directory server DNS name or IP address and LDAP port. Typically, the LDAP portfor an SSL connection is 636.

• Enter the distinguished name for at least one group. This group can be a security group (forexample: CN=Administrators,CN=Builtin,DC=HP,DC=com) or any other group aslong as the intended iLO users are members of the group.

With a minimum configuration, you can log in to iLO by using your full distinguished nameand password. You must be a member of a group that iLO recognizes.

Better Login FlexibilityIn addition to the minimum settings, enter at least one directory user context.

At login time, the login name and user context are combined to make the user distinguished name.For instance, if the user logs in as JOHN.SMITH and a user context is set up asCN=USERS,DC=HP,DC=COM, the distinguished name that iLO tries isCN=JOHN.SMITH,CN=USERS,DC=HP,DC=COM.

Maximum Login Flexibility

• Configure iLO as described.

• Configure iLO with a DNS name and not an IP address for the directory server network address.The DNS name must be resolvable to an IP address from both iLO and the client system.

In some cases, it might not be possible to get the maximum login flexibility option to work. Forexample, if the client and iLO are in different DNS domains, one of the two might not be able toresolve the directory server name to an IP address.

Schema-free nested groupsMany organizations have users and administrators arranged in groups. Having this arrangementof existing groups is convenient because you can associate them with one or more iLO managementrole objects. When the devices are associated with the role objects, you can use the administratorcontrols to access the iLO devices associated with the role by adding or deleting members from

the groups. When you are using Microsoft Active Directory, you can place one group within another groupto create a nested group. Role objects are considered groups and can include other groups directly.You can add the existing nested group directly to the role and assign the appropriate rights andrestrictions. New users can be added to either the existing group or the role.

In schema-free integration, users who are indirect members (a member of a group that is a nestedgroup of the primary group) are allowed to log in to iLO.

When you are using trustee or directory rights assignments to extend role membership, users mustbe able to read the object that represents the iLO device. Some environments require the sametrustees of a role to also be read trustees of the object to successfully authenticate users.

Setting up Schema-free directory integration 163



5. Handle exceptions

iLO migration utilities are easier to use with a single role. If you plan to create multiple rolesin the directory, you might need to use directory scripting utilities, like LDIFDE or VBScriptutilities. These utilities create complex role associations. For more information, see “Using bulkimport tools” (page 188).

After the schema has been extended, you can complete the directory services setup by using HPmigration utilities, which are included in the HP Directories Support for ProLiant Management

Processors package.

Schema documentationTo assist with the planning and approval process, HP provides documentation about the changesmade to the schema during the schema setup process. To review the changes made to your existingschema, see “Directory services schema” (page 223).

Directory services supportiLO software is designed to run within the Microsoft Active Directory Users and Computers andNovell ConsoleOne management tools, enabling you to manage user accounts through the directory.

iLO supports the following directory services for HP schema directory integration:

• Microsoft Active Directory

• Microsoft Windows Server 2008 Active Directory

• Novell eDirectory

This solution makes no distinction between eDirectory running on Linux or eDirectory runningon Windows. eDirectory schema extension requires Java 1.4.0 or later for SSL authentication.

Schema required softwareiLO requires specific software that extends the schema and provides snap-ins to manage the iLOnetwork. The HP Directories Support for ProLiant Management Processors package contains the

schema installer and the management snap-in installer, as shown in Figure 58 (page 165). You candownload the software from http://www.hp.com/support/ilo4.

Figure 58 Installer for Schema Extender and snap-ins

You cannot run the schema installer on a domain controller that hosts Windows Server 2008 Core. Windows Server 2008 Core does not use a GUI (for security and performance reasons). To usethe schema installer, you must install a GUI on the domain controller or use a domain controllerthat hosts an earlier version of Windows.

Setting up HP schema directory integration 165





Schema Extender

Several .xml files are bundled with the Schema Extender. These files contain the schemas thatare added to the directory. Typically, one of these files contains a core schema that is common toall of the supported directory services. Additional files contain product-specific schemas. The schemainstaller requires the .NET Framework.

The Schema Extender installer includes three important windows:

• Schema Preview

• Setup

• Results

Schema Preview

The Schema Preview window enables the user to view the proposed extensions to the schema. Theinstaller reads the selected schema files, parses the XML, and displays it as a tree view. It lists allthe details of the installed attributes and classes.

Figure 59 Schema Preview window

Setup

You use the Setup window to enter the appropriate information before extending the schema.

The Directory Server section of the Setup window enables you to select whether you will be using Active Directory or eDirectory, and to set the computer name and the port to be used for LDAPcommunications.

NOTE: When you are running the Schema Extender tool, you must use the Administratorlogin along with the domain name, for example: [email protected] or domain\ Administrator.

Extending the schema on Active Directory requires that the user is an authenticated Schema Administrator, that the schema is not write protected, and that the directory is the FSMO role ownerin the tree. The installer attempts to make the target directory server the FSMO schema master ofthe forest.

The Directory Login section of the Setup window enables you to enter your login name andpassword. These might be required to complete the schema extension. The Use SSL for this Sessionoption sets the form of secure authentication to be used. If this option is selected, directory

authentication via SSL is used. If this option is not selected and Active Directory is selected, Windows




NT authentication is used. If this option is not selected and eDirectory is selected, the administratorauthentication and the schema extension proceed by using an unencrypted (clear text) connection.

Figure 60 Setup window

Results

The Results window displays the results of the installation, including whether the schema could beextended and what attributes were changed.

Figure 61 Results window

Management snap-in installer

The management snap-in installer installs the snap-ins required to manage iLO objects in a Microsoft Active Directory Users and Computers directory or Novell ConsoleOne directory.

iLO snap-ins are used to perform the following tasks in creating an iLO directory:

• Creating and managing the iLO and role objects.

• Making the associations between iLO objects and the role objects.




Directory Services for Active DirectoryThe following sections provide installation prerequisites, preparation, and a working example ofDirectory Services for Active Directory. HP provides a utility to automate much of the directorysetup process. You can download HP Directories Support for Management Processors at http://www.hp.com/support/ilo4.

Active Directory installation prerequisites

• Active Directory must have a digital certificate installed to enable iLO to connect securely overthe network.

• Active Directory must have the schema extended to describe iLO object classes and properties.

• An iLO license must be installed.

For more information about iLO Licensing visit the following webpage: http://www.hp.com/go/ilo/licensing.

• Installing Directory Services for iLO requires extending the Active Directory schema. An ActiveDirectory schema administrator must complete the task of extending the schema.

• Directory Services for iLO uses LDAP over SSL to communicate with the directory servers.Before you install snap-ins and schema for Active Directory, read and have available thefollowing documentation:

◦ Microsoft Knowledge Base Articles

You can use the Knowledge Base Article ID Number Search option at http://support.microsoft.com/.

– 321051 Enabling LDAP over SSL with a Third-Party Certificate Authority

– 299687 MS01-036: Function Exposed By Using LDAP over SSL Could Enable Passwords to Be Changed

◦ iLO requires a secure connection to communicate with the directory service. This connectionrequires the installation of the Microsoft CA. For more information, see the MicrosoftKnowledge Base Article 321051: How to Enable LDAP over SSL with a Third-Party Certification Authority.

Installing Active Directory

For the default schema:

1. Disable IPv6, and then install Active Directory, DNS, and the root CA to Windows Server2008.

2. Log in to iLO and enter the directory settings and directory user contexts on the Administration→Security→Directory page. For more information, see “Configuring directorysettings” (page 46)

3. Click Apply Settings to save the changes.4. Click the Administer Groups button, and then create directory groups for the iLO users.

For more information, see “Administering users” (page 29).

5. Navigate to the Network→IP & NIC Settings page, and then enter the environment settings inthe Domain Name and Primary DNS server fields. For more information, see “ConfiguringiLO IP and NIC settings” (page 62).

For the HP Extended Schema:

1. Disable IPv6, and then install Active Directory, DNS, and the root CA to Windows Server2008.

2. Verify that version 2.0 or later of the .NET Framework is installed. This software is required

by the iLO LDAP component.






http://support.microsoft.com/










3. Install the latest HP Directories Support for ProLiant Management Processors software.

You can download HP Directories Support for ProLiant Management Processors from http://www.hp.com/support/ilo4.

4. Extend the schema by using the Schema Extender.

For more information, see “Schema required software” (page 165).

5. Install the HP LDAP component snap-ins.

For more information, see “Schema required software” (page 165).

6. Create the HP device and HP role.7. Log in to iLO and enter the directory settings and directory user contexts on the

Administration→Security→Directory page. For more information, see “Configuring directorysettings” (page 46)

8. Navigate to the Network→IP & NIC Settings page, and then enter the environment settings inthe Domain Name and Primary DNS server fields. For more information, see “ConfiguringiLO IP and NIC settings” (page 62).

NOTE: The LDAP component does not work with a Windows Server 2008 core installation.

Snap-in installation and initialization for Active Directory1. Run the snap-in installation application to install the snap-ins.2. Configure the directory service to have the appropriate objects and relationships for iLO

management.a. Use the management snap-ins from HP to create iLO, policy, admin, and user role objects.b. Use the management snap-ins from HP to build associations between the iLO object, the

policy object, and the role object.c. Point the iLO object to the admin and user role objects. (Admin and user roles automatically

point back to the iLO object.)

For more information about iLO objects, see “Directory services objects” (page 171).

At a minimum, you must create the following:• One role object that contains one or more users and one or more iLO objects.

• One iLO object that corresponds to each iLO management processor that uses the directory.

Creating and configuring directory objects for use with iLO in Active Directory

The following example describes how to set up roles and HP devices in an enterprise directorywith the domain testdomain.local. This domain consists of two organizational units, Rolesand iLOs.

Assume that a company has an enterprise directory that includes the domain testdomain.local

Create an organizational unit that contains the iLO devices managed by the domain.

1. Use the HP provided Active Directory Users and Computers snap-ins to create Lights-OutManagement objects in the iLOs organizational unit for several iLO devices.a. Right-click the iLOs organizational unit found in the testdomain.local domain, and

then select New HP Object.

The Create New HP Management Object dialog box appears.

b. Select Device.c. Enter an appropriate name in the Name field of the dialog box.

In this example, the DNS host name of the iLO device, rib-email-server, is used asthe name of the Lights-Out Management object.

d. Click OK .








2. Use the HP provided Active Directory Users and Computers snap-ins to create HP role objectsin the Roles organizational unit.a. Right-click the Roles organizational unit, and then select New HP Object.

The Create New HP Management Object dialog box appears.

b. Select Rolec. Enter an appropriate name in the Name field of the dialog box.

In this example, the role will contain users trusted for remote server administration and

will be called remoteAdmins.d. Click OK .e. Repeat the process, creating a role for remote server monitors called remoteMonitors.

3. Use the HP provided Active Directory Users and Computers snap-ins to assign the roles rights,and associate the roles with users and devices.a. Right-click the remoteAdmins role in the Roles organizational unit in the

testdomain.local domain, and then select Properties.

The remoteAdmins Properties dialog box appears.

b. Click the HP Devices tab, and then click Add.

The Select Users dialog box opens.c. Enter the Lights-Out Management object created in step 2, rib-email-server in folder

testdomain.local/iLOs.d. Click OK to close the dialog box, and then click Apply to save the list.e. Click the Members tab, and add users by using the Add button and the Select Users,

Contacts, Computers, Service Accounts or Groups dialog box.f. Click OK to close the dialog box, and then click Apply to save the list.

The devices and users are now associated.

g. Click the Lights Out Management tab to set the rights for the role.

All users and groups within a role will have the rights assigned to the role on all of the

iLO devices that the role manages. In this example, the users in the remoteAdmins rolewill receive full access to the iLO functionality.

h. Select the boxes next to each right, and then click Apply. Click OK to close the dialogbox.

4. By using the same procedure as in step 3, edit the properties of the remoteMonitors role,add the rib-email-server device to the list on the HP Devices tab, and add users to theremoteMonitors role on the Members tab. Then, on the Lights Out Management tab, selectthe Login permission. Click OK to close the dialog box, and then click Apply to save the list.

Members of the remoteMonitors role will be able to authenticate and view the server status.

User rights to any iLO are calculated as the sum of all the rights assigned by all the roles in

which the user is a member, and in which the iLO is a managed device. Following thepreceding examples, if a user is in both the remoteAdmins and remoteMonitors roles,they will have all the rights, because the remoteAdmins role has those rights.

For example, to gain access, user Elizabeth Bennett, with the unique ID bennette,located in the Users organizational unit within the testdomain.local domain, who is alsoa member of one of the remoteAdmins or remoteMonitors roles, can log in to iLO.Elizabeth would enter testdomain\bennette, [email protected], orElizabeth Bennett, in the Login Name field of the iLO web interface login page, anduse her Active Directory password in the Password field of that page.




5. To configure iLO and associate it with a Lights-Out Management object used in this example,use settings similar to the following on the Administration→Security→Directory page.

LOM Object Distinguished Name =cn=rib-email-server,ou=ILOs,dc=testdomain,dc=local Directory UserContext 1 = cn=Users,dc=testdomain,dc=local

Directory services objects

One of the keys to directory-based management is proper virtualization of the managed devicesin the directory service. This virtualization allows the administrator to build relationships betweenthe managed device and user or groups already contained in the directory service. Usermanagement of iLO requires the following basic objects in the directory service:

• Lights-Out Management object

• Role object

• User objects

Each object represents a device, user, or relationship that is required for directory-basedmanagement.

NOTE: After the snap-ins are installed, ConsoleOne and MMC must be restarted to show thenew entries.

After the snap-in is installed, iLO objects and iLO roles can be created in the directory. By usingthe Users and Computers tool, the user completes the following tasks:

• Creates iLO and role objects

• Adds users to the role objects

• Sets the rights and restrictions of the role objects

Active Directory snap-ins

The following sections discuss the additional management options available in Active Directory

Users and Computers after the HP snap-ins have been installed.

HP Devices

The HP Devices tab is used to add the HP devices to be managed within a role. Clicking Addenables you to browse to a specific HP device and add it to the list of member devices. ClickingRemove enables you to browse to a specific HP device and remove it from the list of memberdevices.




Figure 62 HP Devices tab

Members After user objects are created, the Members tab enables you to manage the users within the role.Clicking Add enables you to browse to the specific user that you want to add. Highlighting anexisting user and clicking Remove removes the user from the list of valid members.

Figure 63 Members tab

Active Directory role restrictions

The Role Restrictions tab enables you to set login restrictions for the role. These restrictions includethe following:

• Time restrictions

• IP network address restrictions:

IP/mask—

— IP range

— DNS name




Figure 64 Role Restrictions tab

Time restrictionsYou can manage the hours available for logon by members of the role by clicking Effective Hourson the Role Restrictions tab. In the Logon Hours dialog box, you can select the times available forlogon for each day of the week in half-hour increments. You can change a single square by clickingit, or you can change a section of squares by clicking and holding the mouse button, draggingthe cursor across the squares to be changed, and releasing the mouse button. The default settingis to allow access at all times.

Figure 65 Logon Hours dialog box

Enforced client IP address or DNS name access

Access can be granted or denied to an IP address, IP address range, or DNS name.

1. In the By Default menu, select whether to Grant or Deny access from all addresses except thespecified IP addresses, IP address ranges, and DNS names.




2. Select the type of restriction, and then click Add.

The DNS Name option allows you to restrict access based on a single DNS name or asubdomain, entered in the form of host.company.com or *.domain.company.com.

The IP/MASK option allows you to enter an IP address or network mask.

The IP Range option allows you to enter an IP address range.

3. In the new restriction pop-up window, enter the required information, and then click OK .4. Click OK to save the changes and close the Properties dialog box.

To remove any of the entries, highlight the entry in the display list and click Remove.

Figure 66 New IP/Mask Restriction dialog box

Active Directory Lights-Out management

After you create a role, you can select rights for the role. You can now make users and groupobjects members of the role, giving the users or group of users the rights granted by the role. Rightsare managed on the Lights Out Management tab.

Figure 67 Lights-Out Management tab




The available rights are:

• Login—This option controls whether users can log in to the associated devices.

• Remote Console—This option enables the user to access the Remote Console.

• Virtual Media—This option enables the user to access the iLO Virtual Media functionality.

• Server Reset and Power —This option enables the user to access the iLO Virtual Power buttonto remotely reset the server or power it down.

• Administer Local User Accounts—This option enables the user to administer accounts. The usercan modify their account settings, modify other user account settings, add users, and deleteusers.

• Administer Local Device Settings—This option enables the user to configure the iLO managementprocessor settings.

Directory services for eDirectoryThe following sections provide installation prerequisites, preparation, and a working example ofDirectory Services for eDirectory.

eDirectory installation prerequisites

Directory Services for iLO uses LDAP over SSL to communicate with the directory servers. iLOsoftware is designed to be installed in an eDirectory version 8.6.1 (and above) tree. HP does notrecommend installing this product if you have eDirectory servers with a version earlier than eDirectory8.6.1. Before you install snap-ins and schema extensions for eDirectory, you must read and haveavailable the following technical information documents, available from the Novell Support websiteat http://support.novell.com.

Installing Directory Services for iLO requires extending the eDirectory schema. An administratormust complete the task of extending the schema. For more information, see the following Novelldocuments:

• TID10057565 Unknown objects in a mixed environment

• TID10059954 How to test whether LDAP is working correctly • TID10023209 How to configure LDAP for SSL (secure) connections

• TID10075010 How to test LDAP authentication

Snap-in installation and initialization for eDirectory

The following section shows step-by-step instructions on using the snap-in installation application.

NOTE: After you install the snap-ins, you must restart ConsoleOne and MMC to show the newentries.

Example: Creating and configuring directory objects for use with LOM devices in eDirectoryThe following example shows how to set up roles and HP devices in a company called samplecorp,which consist of two regions, region1 and region2.

Assume samplecorp has an enterprise directory arranged according to the following screen.


http://support.novell.com/

http://support.novell.com/



Figure 68 Directory objects sample

1. Create organizational units in each region. Each organizational unit must contain the LOMdevices and roles specific to that region. In this example, two organizational units are created,called roles and hp devices, in each organizational unit, region1 and region2.

2. Create LOM objects in the hp devices organizational units for several iLO devices by usingthe ConsoleOne snap-in tool that HP has provided.a. Right-click the hp devices organizational unit found in the region1 organizational unit,

and then select New→Object.b. Select hpqTarget from the list of classes, and click OK.c. Enter an appropriate name and surname in the New hpqTarget dialog box.

In this example, the DNS host name of the iLO device, rib-email-server, is used asthe name of the LOM object, and the surname is RILOEII.

d. Click OK . The Select Object Subtype dialog box opens.e. Select Lights Out Management Device, and click OK .




f. Repeat the process for several more iLO devices with DNS names rib-nntp-server andrib-file-server-users1 in hp devices under region1, and rib-file-server-users2 andrib-app-server in hp devices under region2.

Figure 69 Select Object Subtype window

3. Create HP role objects in the roles organizational unit by using the ConsoleOne snap-in tool.a. Right-click the roles organizational unit found in the region2 organizational unit, and then

select New→Object.b. Select hpqRole from the list of classes, and click OK .c. Enter an appropriate name in the New hpqRole dialog box. In this example, the role

contains users trusted for remote server administration and is named remoteAdmins.Click OK .

The Select Object Subtype dialog box opens.

d. Because this role manages the rights to Lights-Out Management devices, select Lights OutManagement Devices from the list, and click OK .

e. Repeat the process, creating a role for remote server monitors, named remoteMonitors,in roles in region1, and a remoteAdmins and a remoteMonitors role in roles in region2.

4. Assign rights to the roles and associate the roles with users and devices by using theConsoleOne snap-in tool.a. Right-click the remoteAdmins role in the roles organizational unit in the region1

organizational unit, and then select Properties.b. Click the Role Managed Devices tab of the HP Management option, and then click Add.c. In the Select Object Subtype dialog box, browse to the hp devices organizational unit in

the region1 organizational unit. Select the three LOM objects created in Step 2. ClickOK , and then click Apply.

d. Click the Members tab, and add users to the role by clicking the Add button on the SelectObjects dialog box.

Devices and users are now associated.




e. Set the rights for the role by using the Lights Out Management Device Rights option onthe HP Management tab. All users within the role have the rights assigned to the role onall the iLO devices the role manages. In this example, the users in the remoteAdmins rolereceive full access to the iLO functionality. Select the check boxes next to each right, andclick Apply. To close the property sheet, click Close.

Figure 70 Property sheet

5. By using the same procedure as in Step 4, edit the properties of the remoteMonitors role:a. Add the three iLO devices within hp devices under region1 to the Managed Devices list

on the Role Managed Devices option of the HP Management tab.

b. Add users to the remoteMonitors role by using the Members tab.c. Select the Login check box, click Apply, and then click Close. By using the Lights OutManagement Device Rights option of the HP Management tab, members of theremoteMonitors role will be able to authenticate and view the server status.

User rights to any LOM device are calculated as the sum of all the rights assigned by all the rolesin which the user is a member, and in which the LOM device is a managed device. Following thepreceding examples, if a user is in both the remoteAdmins and remoteMonitors roles, they willhave all the rights, because the remoteAdmins role has those rights.

To configure a LOM device and associate it with a LOM object used in this example, use settingssimilar to the following on the Directory Settings page.

NOTE: Commas, not periods, are used in LDAP distinguished names to separate each component.LOM Object Distinguished Name = cn=rib-email-server,ou=hpdevices,ou=region1,o=samplecorp Directory User Context 1 =ou=users,o=samplecorp

For example, user CSmith, located in the users organizational unit within the samplecorporganization, who is also a member of one of the remoteAdmins or remoteMonitors roles, wouldbe allowed to log in to the iLO. The user enters csmith (case insensitive) in the Login Name fieldof the iLO login page and uses the eDirectory password in the Password field of that page to gainaccess.




Directory Services objects for eDirectory

Directory Services objects enable virtualization of the managed devices and the relationshipsbetween the managed device and the user or groups already contained in the directory service.

Role Managed Devices

The Role Managed Devices tab under the HP Management tab is used to add the HP devices to bemanaged within a role. Clicking Add allows you to browse to the specific HP device and add itas a managed device.

Figure 71 Role Managed Devices tab

Members

After user objects are created, the Members tab allows you to manage the users within the role.Clicking Add enables you to browse to the specific user that you want to add. Highlighting anexisting user and clicking Delete removes the user from the list of valid members.




Figure 72 Select Objects dialog box

eDirectory Role Restrictions

The Role Restrictions tab allows you to set login restrictions for the role. These restrictions include:

• Time restrictions

• IP network address restrictions:

IP/mask—

— IP range

• DNS name

Figure 73 Properties of Administrators window




Time restrictions

You can manage the hours available for logon by members of the role by using the time griddisplayed on the Role Restrictions tab. You can select the times available for logon for each dayof the week in half-hour increments. You can change a single square by clicking it, or a section ofsquares by clicking and holding the mouse button, dragging the cursor across the squares to bechanged, and releasing the mouse button. The default setting is to allow access at all times.

Enforced client IP address or DNS name access

Access can be granted or denied to an IP address, IP address range, or DNS name.1. In the By Default menu, select whether to Allow or Deny access from all addresses, except the

specified IP addresses, IP address ranges, and DNS names.2. Select the addresses to be added, select the type of restriction, and then click Add.3. In the Add New Restriction dialog box, enter the information, and then click OK , as shown in

Figure 74 (page 181).

The DNS Name option allows you to restrict access based on a single DNS name or asubdomain, entered in the form of host.company.com or *.domain.company.com.

4. Click Apply to save the changes.

To remove any of the entries, highlight the entry in the display list and click Delete.

Figure 74 Add New Restriction dialog box

eDirectory Lights-Out Management After you create a role, you can select rights for the role. You can now make users and groupobjects members of the role, giving the users or group of users the rights granted by the role. Rightsare managed on the Lights-Out Management Device Rights tab of the HP Management tab.




Figure 75 Lights-Out Management Device Rights tab

The available rights are as follows:

• Login—This option controls whether users can log in to the associated devices.

Login access can be used to create a user who is a service provider and who receives alertsfrom iLO but does not have login access to iLO.

• Remote Console—This option allows the user to access the Remote Console.

• Virtual Media—This option allows the user to access the iLO Virtual Floppy and Virtual Mediafunctionality.

• Server Reset and Power —This option allows the user to remotely reset the server or power itdown.

• Administer Local User Accounts—This option allows the user to administer accounts. The usercan modify their account settings, modify other user account settings, add users, and deleteusers.

• Administer Local Device Settings—This option allows the user to configure iLO settings.

User login via directory servicesThe Login Name field on the iLO login page accepts all of the following:

• Directory users

• LDAP fully distinguished names

Example: CN=John Smith,CN=Users,DC=HP,DC=COM, or @HP.com

The short form of the login name by itself does not notify the directory which domain you aretrying to access. You must provide the domain name or use the LDAP distinguished name ofyour account.

• DOMAIN\user name form (Active Directory Only)

Example: HP\jsmith

• username@domain form (Active Directory Only)

Example: [email protected]




Directory users specified through the @ searchable form might be located in one of threesearchable contexts, which are configured in Directory Settings.

• User name form

Example: John Smith

Directory users specified through the user name form might be located in one of threesearchable contexts, which are configured in Directory Settings.

•

Local users—login-IDOn the iLO login page, the maximum length of the login name is 39 characters for local users.For Directory Services users, the maximum length of the login name is 256 characters.

Directory-enabled remote managementThis section is for administrators who are familiar with directory services and the iLO product andwant to use the HP schema directory integration option for iLO. You must be familiar with“Directoryservices” (page 153) and comfortable with setting up and understanding the examples.

Directory-enabled remote management enables you to do the following:

• Create Lights-Out Management objects

You must create one LOM device object to represent each device that will use the directoryservice to authenticate and authorize users. For additional information on creating LOM deviceobjects for Active Directory and eDirectory, see “Directory services” (page 153). In general,you can use the snap-ins that HP has provided to create objects. It is useful to give the LOMdevice objects meaningful names, such as the device network address, DNS name, host servername, or serial number.

• Configure the Lights-Out management devices

Every LOM device that uses the directory service to authenticate and authorize users must beconfigured with the appropriate directory settings. For information on the specific directorysettings, see “Configuring authentication and directory server settings” (page 46). In general,

you can configure each device with the appropriate directory server address, LOM objectdistinguished name, and any user contexts. The server address is the IP address or DNS nameof a local directory server or, for more redundancy, a multihost DNS name.

Creating roles to follow organizational structureOften, the administrators within an organization are placed into a hierarchy in which subordinateadministrators must assign rights independently of ranking administrators. In this case, it is usefulto have one role that represents the rights assigned by higher-level administrators and to allow thesubordinate administrators to create and manage their own roles.

Using existing groups

Many organizations have their users and administrators arranged into groups. In many cases, itis convenient to use the existing groups and associate the groups with one or more Lights-OutManagement role objects. When the devices are associated with the role objects, the administratorcontrols access to the Lights-Out devices associated with the role by adding or deleting membersfrom the groups.

When you are using Microsoft Active Directory, it is possible to place one group within another(that is, use nested groups). Role objects are considered groups and can include other groupsdirectly. Add the existing nested group directly to the role, and assign the appropriate rights andrestrictions. New users can be added to either the existing group or the role.

When you are using trustee or directory rights assignments to extend role membership, users mustbe able to read the LOM object that represents the LOM device. Some environments require thesame trustees of a role to also be read trustees of the LOM object to successfully authenticate users.

Directory-enabled remote management 183



Using multiple roles

Most deployments do not require the same user to be in multiple roles managing the same device.However, these configurations are useful for building complex rights relationships. When usersare building multiple-role relationships, they receive all the rights assigned by every applicablerole. Roles can only grant rights, never revoke them. If one role grants a user a right, then the userhas the right, even if the user is in another role that does not grant that right.

Typically, a directory administrator creates a base role with the minimum number of rights assigned

and then creates additional roles to add more rights. These additional rights are added underspecific circumstances or to a specific subset of the base role users.

For example, an organization can have two types of users, administrators of the LOM device orhost server and users of the LOM device. In this situation, it makes sense to create two roles, onefor the administrators and one for the users. Both roles include some of the same devices but grantdifferent rights. Sometimes, it is useful to assign generic rights to the lesser role and include theLOM administrators in that role, as well as the administrative role.

An admin user gains the login right from the regular user group. More advanced rights are assignedthrough the Admin role, which assigns additional rights—Server Reset and Remote Console.

Figure 76 Admin user

Admin User

User

Admin Role

Role

Server

The Admin role assigns all admin rights—Server Reset, Remote Console, and Login.

Figure 77 Admin role

Admin User

User

Admin Role

Role

Server

How directory login restrictions are enforcedTwo sets of restrictions potentially limit a directory user's access to LOM devices. User accessrestrictions limit a user's access to authenticate to the directory. Role access restrictions limit anauthenticated user's ability to receive LOM privileges based on rights specified in one or moreroles.




Figure 78 Directory login restrictions

User LOMClientWorkstation

DirectoryServer

User restrictions must be met toauthenticate to the directory.

Enforced by the directoryserver.

Role restrictions must bemet to receive rightsgranted by 1 or more roles.

Enforced by LOM.

Role accessrestrictions

User accessrestrictions

Restricting rolesRestrictions allow administrators to limit the scope of a role. A role grants rights to only users whosatisfy the role restrictions. Using restricted roles results in users who have dynamic rights that canchange based on the time of day or network address of the client.

NOTE: When directories are enabled, access to a particular iLO is based on whether the userhas read access to a role object that contains the corresponding iLO object. This includes but isnot limited to the members listed in the role object. If the role is configured to allow inheritablepermissions to propagate from a parent, members of the parent that have read access privilegeswill also have access to iLO. To view the access control list, navigate to Active Directory Users andComputers, open the Properties page for the role object, and then click the Security tab. The

Advanced View must be enabled in the MMC in order to view the Security tab.For step-by-step instructions on how to create network and time restrictions on a role, see “ActiveDirectory role restrictions” (page 172) or “eDirectory Role Restrictions” (page 180).

Role time restrictions

Administrators can place time restrictions on LOM roles. Users are granted the rights specified forthe LOM devices listed in the role only if they are members of the role and meet the time restrictionsfor that role. LOM devices use local host time to enforce time restrictions. If the LOM device clockis not set, the role time restriction fails unless no time restrictions are specified on the role.

Role-based time restrictions can be satisfied only if the time is set on the LOM device. The time is

normally set when the host is booted. The time setting can be maintained by configuring SNTP,which allows the LOM device to compensate for leap years and minimize clock drift with respectto the host. Events, such as unexpected power loss or flashing LOM firmware, can cause the LOMdevice clock to not be set. Also, the host time must be correct for the LOM device to preserve timeacross firmware flashes.

Role address restrictions

Role address restrictions are enforced by the LOM firmware, based on the client IP network address. When the address restrictions are met for a role, the rights granted by the role apply.

Address restrictions can be difficult to manage if access is attempted across firewalls or throughnetwork proxies. Either of these mechanisms can change the apparent network address of the

client, causing the address restrictions to be enforced in an unexpected manner.




User restrictions

You can restrict access using address or time restrictions.

User address restrictions

Administrators can place network address restrictions on a directory user account, and theserestrictions are enforced by the directory server. For information about the enforcement of addressrestrictions on LDAP clients, such as a user logging in to a LOM device, see the documentation forthe directory service.

Network address restrictions placed on the user in the directory might not be enforced in theexpected manner if the directory user logs in through a proxy server. When a user logs in to aLOM device as a directory user, the LOM device attempts authentication to the directory as thatuser, which means that address restrictions placed on the user account apply when the user isaccessing the LOM device. However, because the user is proxied at the LOM device, the networkaddress of the authentication attempt is that of the LOM device, not that of the client workstation.

IP address range restrictions

IP address range restrictions enable the administrator to specify network addresses that are grantedor denied access. The address range is typically specified in a low-to-high range format. An addressrange can be specified to grant or deny access to a single address. Addresses that fall within thelow-to-high IP address range meet the IP address restriction.

IP address and subnet mask restrictions

IP address and subnet mask restrictions enable the administrator to specify a range of addressesthat are granted or denied access. This format has similar capabilities as an IP address range butmight be more native to your networking environment. An IP address and subnet mask range istypically specified through a subnet address and address bit mask that identifies addresses thatare on the same logical network.

In binary math, if the bits of a client machine address, added with the bits of the subnet mask,match the subnet address in the restriction, the client machine meets the restriction.

DNS-based restrictionsDNS-based restrictions use the network name service to examine the logical name of the clientmachine by looking up machine names assigned to the client IP addresses. DNS restrictions requirea functional name server. If the name service goes down or cannot be reached, DNS restrictionscannot be matched and it fails.

DNS-based restrictions can limit access to a single, specific machine name or to machines thatshare a common domain suffix. For example, the DNS restriction, www.hp.com, matches hoststhat are assigned the domain name www.hp.com. However, the DNS restriction, *.hp.com, matchesany machine that originates from HP.

DNS restrictions can cause some ambiguity because a host can be multihomed. DNS restrictions

do not necessarily match one to one with a single system.Using DNS-based restrictions can create some security complications. Name service protocols arenot secure. Any individual who has malicious intent and access to the network can place a rogueDNS service on the network and create a fake address restriction criteria. When you areimplementing DNS-based address restrictions, be sure to take organizational security policies intoconsideration.

How user time restrictions are enforced

Administrators can place a time restriction on directory user accounts. Time restrictions limit theability of the user to log in (authenticate) to the directory. Typically, time restrictions are enforcedvia the time at the directory server. If the directory server is located in a different time zone or if a


http://www.hp.com/

http://www.hp.com/

http://localhost/var/www/apps/conversion/tmp/scratch_6/*.hp.com

http://localhost/var/www/apps/conversion/tmp/scratch_6/*.hp.com

http://www.hp.com/

http://www.hp.com/



replica in a different time zone is accessed, time zone information from the managed object canbe used to adjust for relative time.

The directory server evaluates user time restrictions, but the determination can be complicated bytime zone changes or the authentication mechanism.

Figure 79 User time restrictions

User LOMClientWorkstation

DirectoryServer

User time restrictions are

enforced by the directory server

Creating multiple restrictions and roles

The most useful application of multiple roles includes restricting one or more roles so that rights donot apply in all situations. Other roles provide different rights under different constraints. Usingmultiple restrictions and roles enables the administrator to create arbitrary, complex rightsrelationships with a minimum number of roles.

For example, an organization might have a security policy in which LOM administrators are allowedto use the LOM device from within the corporate network but can reset the server only outsideregular business hours.

Directory administrators might be tempted to create two roles to address this situation, but extracaution is required. Creating a role that provides the required server reset rights and restricting itto an after-hours application might allow administrators outside the corporate network to reset theserver, which is contrary to most security policies.

In the example, security policy dictates that general use is restricted to clients in the corporatesubnet, and server reset capability is additionally restricted to after hours.

Figure 80 Creating restrictions and roles

User

General UseRole

Reset Role

Assigns Login RightIP Restrictions:DENY

except to corporate subnet

Server Assigns Server Reset RightTime Restriction: Denied Mondaythrough Friday, 8 a.m. to 5 p.m.

Alternatively, the directory administrator might create a role that grants the login right and restrictit to the corporate network, and then create another role that grants only the server reset right and

restrict it to after-hours operation. This configuration is easier to manage but more dangerous




because ongoing administration might create another role that grants the login right to users fromaddresses outside the corporate network. This other role might unintentionally grant the LOMadministrators in the server Reset role the ability to reset the server from anywhere, if they satisfythe time constraints of that role.

The previous configuration meets corporate security policy. However, adding another role thatgrants the login right can inadvertently grant server reset privileges from outside the corporatesubnet after hours. A more manageable solution would be to restrict the Reset role and the GeneralUse role.

Figure 81 Restricting the Reset and General Use roles

User

General UseRole

Reset Role

Assigns Login RightIP Restrictions: DENY except to corporatesubnet

ServerAssigns Server Reset Right AND Login RightTime Restriction: Denied Monday throughFriday, 8 a.m. to 5 p.m.

IP Restriction:DENY

except to corporatesubnet

Using bulk import tools Adding and configuring large numbers of LOM objects is time consuming. HP provides severalutilities to assist in these tasks.

• HP Lights-Out Migration utility

The HP Lights-Out Migration utility imports and configures multiple LOM devices. The utilityincludes a GUI that provides a step-by-step approach to implementing or upgrading largenumbers of management processors. HP recommends using this GUI method when you are

upgrading numerous management processors. For more information, see “Using HP DirectoriesSupport for ProLiant Management Processors” (page 190).

• HP SIM utilities:

Manage multiple LOM devices.◦

◦ Discover the LOM devices as management processors by using CPQLOCFG to send aRIBCL XML script file to a group of LOM devices to manage those LOM devices. The LOMdevices perform the actions designated by the RIBCL file and send a response to theCPQLOCFG log file. For more information, see the HP iLO 4 Scripting and Command Line Guide .

• Traditional import utilities Administrators familiar with tools such as LDIFDE or the NDS Import/Export Wizard can usethese utilities to import or create many LOM device objects in the directory. Administratorsmust still configure the devices manually, as described previously, but can do so at any time.Programmatic or scripting interfaces can also be used to create the LOM device objects inthe same way as users or other objects. For information about attributes and attribute dataformats when you are creating LOM objects, see “Directory services schema” (page 223).

HP Directories Support for ProLiant Management Processors utilityThe HPLOMIG.exe utility user interface now displays the name HP Directories Support for ProLiant

Management Processors utility .




Introduction to HP Directories Support for ProLiant Management Processors utilityThe Directories Support for ProLiant Management Processors utility is for customers who previouslyinstalled management processors and want to simplify the migration of these processors tomanagement by directories. The utility automates some of the migration steps necessary for themanagement processors to support Directory Services. HPLOMIG can do the following:

• Discover management processors on the network.

• Upgrade the management processor firmware.

• Name the management processors to identify them in the directory.

• Create objects in the directory that correspond to each management processor, and associatethem to a role.

• Configure the management processors to enable them to communicate with the directory.

CompatibilityThe Directories Support for ProLiant Management Processors utility operates on Microsoft Windowsand requires the Microsoft .NET Framework. The utility supports the following operating systems:

• Windows Server 2003 32-bit, 64-bit

• Windows Server 2008 32-bit, 64-bit

• Windows Server 2008 R2

HP Directories Support for ProLiant Management Processors package All the migration software, as well as the schema extender and management snap-ins, are packagedin the HP Directories Support for ProLiant Management Processors package. You can downloadthe installer from http://www.hp.com/support/ilo4. To complete the migration of your managementprocessors, you must extend the schema and install the management snap-ins before running themigration tool.

To install the migration utilities, start the installer and then click HP Directories Support for ProLiant

Management Processors, as shown in Figure 82 (page 189).

Figure 82 HP Directories Support for ProLiant Management Processors installer

HPLOMIG.exe, the required DLLs, the license agreement, and other files are installed into the C:\Program Files\Hewlett-Packard\HP Directories Support for ProLiantManagement Processors directory. You can select a different directory. The installer createsa shortcut to HP Directories Support for ProLiant Management Processors on the Start menu andinstalls a sample XML file.

HP Directories Support for ProLiant Management Processors utility 189





4. Enter your iLO login name and password, and then click Find.

When the search is complete, the management processors are listed and the Find buttonchanges to Verify, as shown in Figure 83 (page 191).

Figure 83 Find Management Processors page

You can also enter a list of management processors from a file by clicking Import. The file isa simple text file with one management processor listed per line. The fields are delimited withsemicolons. The fields are as follows:

• Network Address

• Management Processor Type

• Firmware Version

• DNS Name

• User Name

• Password

• Directory Configuration

For example, one line might have the following information:

16.100.225.20;iLO;1.10;ILOTPILOT2210;user;password;Default Schema

If, for security reasons, the user name and password cannot be in the file leave these fieldsblank, but enter the semicolons.

Upgrading firmware on management processors

The Upgrade Firmware page enables you to update the firmware on your iLO managementprocessors. This page also enables you to designate the location of the firmware image for eachmanagement processor by either entering the path or clicking Browse.




NOTE: Binary images of the firmware for the management processors must be accessible fromthe system that is running the migration utility. These binary images can be downloaded fromhttp://www.hp.com/support/ilo4 .

The upgrade process might take a long time, depending on the number of management processorsselected. The firmware upgrade of a single management processor can take as long as 5 minutesto complete. If an upgrade fails, a message is displayed in the Results column and HP DirectoriesSupport for ProLiant Management Processors continues to upgrade the other discovered management

processors.

IMPORTANT: HP recommends that you test the upgrade process and verify the results in a testenvironment before running the utility on a production network. An incomplete transfer of thefirmware image to a management processor might result in having to locally reprogram themanagement processor by using a floppy disk.

If you want to upgrade the firmware on your management processors:

1. Navigate to the Upgrade Firmware on Management Processors page in HP Directories Supportfor ProLiant Management Processors, as shown in Figure 84 (page 192).

Figure 84 Upgrade Firmware on Management Processors page

2. Select the management processors to upgrade.3. For each discovered management processor type, enter the correct pathname to the firmware

image or browse to the image.4. Click Upgrade Firmware.

The selected management processors are upgraded. Although this utility enables you toupgrade hundreds of management processors, only 25 management processors are upgradedsimultaneously. Network activity is considerable during this process.

5. After the upgrade is complete, click Next.

During the firmware upgrade process, all buttons are deactivated to prevent navigation. You can

still close the application by using the X at the top right of the page. If the GUI is closed during






programming of firmware, the application continues to run in the background and completes thefirmware upgrade on all selected devices.

HP Directories Support for ProLiant Management Processors supports firmware flash on serversthat have a TPM module. If a TPM module is present and enabled in the server and Optional ROMmeasuring is enabled, HPLOMIG displays a warning message, as shown in Figure 85 (page 193).If you click Yes, HP Directories Support for ProLiant Management Processors continues with theflash process. Otherwise, firmware flash on the selected server is skipped. This message appearsevery time a server that has a TPM module is detected during firmware flash.

Figure 85 TPM Enabled dialog box

Selecting a directory access method After you click Next from the Upgrade Firmware on Management Processors page, the Select theDesired Configuration page appears. You can select which management processors to configure(with respect to schema usage) and how to configure them. The Select the Desired Configurationpage helps to prevent an accidental overwrite of iLOs already configured for HP schema, or thosethat have directories turned off.

The selections you make on this page determine whether the HP Extended Schema, schema-free(default) schema, or no directories support configuration pages follow when you click Next.

Figure 86 Select the Desired Configuration page

To configure the management processor for Directory Services, see “Configuring directories when

HP Extended Schema is selected” (page 195). To configure the management processor for




Schema-free (default schema) directories support, see “Configuring directories when schema-freeintegration is selected” (page 198).

Naming management processors

The Name the management processors page enables you to name iLO management device objectsin the directory and create corresponding device objects for all management processors to bemanaged. You can create names by using one or more of the following:

• The network address

• The DNS name

• An index

• Manual creation of the name

• The addition of a prefix to all

• The addition of a suffix to all

To name the management processors, click the Object Name field and enter the name, or:

1. Select Use Network Address, Use iLO Names, or Create Name Using Index.2. Enter the text to add (suffix or prefix) to all names (optional).

3. Click Create Names.The names appear in the Object Name column as they are generated. At this point, namesare not written to the directory or the management processors. The names are stored until thenext HP Directories Support for ProLiant Management Processors page.

4. To change the names (optional), click Clear Names, and rename the management processors.5. After the names are correct, click Next.

Figure 87 Name the management processors page




Configuring directories when HP Extended Schema is selected

The Configure Directory page enables you to create a device object for each discoveredmanagement processor and to associate the new device object to a previously defined role. Forexample, the directory defines a user as a member of a role (such as administrator) who has acollection of privileges on a specific device object, as shown in Figure 88 (page 195).

The fields in the Configure Directory page follow:

• Network Address—The network address of the directory server, which can be a valid DNS

name or IP address.• Port—The SSL port to the directory. The default entry is 636. Management processors can

communicate with the directory only by using SSL.

• Login Name and Password—These fields are used to log in with an account that has domainadministrator access to the directory.

• Container DN—After you have the network address, port, and login information, you can clickBrowse to navigate for the container and role distinguished name. The container distinguishedname is where the migration utility will create all the management processor objects in thedirectory.

• Role DN—The role distinguished name is where the role to be associated with the device

objects resides and must be created before you run this utility.

Figure 88 Configure Directory page

To configure the device objects to be associated with a role:

1. Enter the network address, login name, and password for the designated directory server.2. Enter the container distinguished name in the Container DN field, or click Browse, as shown

in Figure 89 (page 196).




Figure 89 Entering the container distinguished name

3. Associate device objects with a member of a role by entering the role distinguished name inthe Role DN field, or click Browse, as shown in Figure 90 (page 196).

Figure 90 Entering the role distinguished name

4. Click Update Directory. The tool connects to the directory, creates the management processorobjects, and adds them to the selected roles.

5. After the device objects have been associated with a role, click Next.




Figure 91 Configure Directory window

6. Define the user contexts.

The user contexts define where the users who will log in to iLO are located in the LDAP structure.You can enter the OU distinguished name or click Browse.

Figure 92 Define the user contexts

7. Click Configure, and then click Done when the Done button becomes available.




2. Click Configure. The migration utility connects to all the selected management processors andupdates their configuration as you have specified. HPLOMIG supports configuring 15 usercontexts. To access the user context fields, use the scroll bar.

Figure 94 Set up Management Processors for Directories page

When you click Configure, Directories Support for ProLiant Management Processors displaysthe following message:

3. Click OK to continue.4. When the process finishes, click Done.




7 Troubleshooting

Kernel debuggingUse the Windows Windbg kernel debugger from a local test system (usually a laptop) for a hostserver that is being debugged. This method uses the iLO Virtual Serial Port feature.

NOTE: You must have PuTTy installed on your test system. You can download PuTTy from http://www.putty.org/.

1. By using the iLO web interface on the server that has kernel issues (the host server), navigateto the Administration→ Access Settings page, and configure the Serial Command Line InterfaceSpeed setting.

2. Configure the debug options in Windows (the boot.ini parameters for the serial connection).

Use debugport=com2, and set the baud rate to match the settings in the iLO web interface.

3. During POST, press F9 to enter the server RBSU.4. From the main menu, disable EMS and BIOS Serial Console. For detailed instructions, see the

HP ROM-Based Setup Utility User Guide .

5. Set the Virtual Serial Port to COM 2. For detailed instructions, see the HP ROM-Based Setup Utility User Guide .6. Reboot the host server to access the selection menu for the Windows debug boot option.7. From the local test system, connect to iLO by using PuTTy and log in.

This is a command-line interface connection to iLO.

8. Enter the IP address for the session host name and use the default settings for an SSH session.

When the PuTTy iLO CLI opens, a user login window opens, unless the PuTTy session isconfigured to use the private keys. For more information, see “Configuring iLO security”(page 38) and “Administering SSH keys” (page 43).

It might take a minute for the prompt to appear.

9. At the </>hpiLO-> prompt, enter:

windbg_enable

This opens a socket to the Virtual Serial Port on port 3002.

10. Enter the following command to start the Windows debugger:

windbg -k com:port=IP-address,ipport=3002

IP-address is the iLO IP address, and 3002 is the socket to connect to (the raw serial datasocket for iLO).

NOTE: You can add any other windbg command-line parameters that you need. HPrecommends using the -b parameter for the initial breakpoint.

11. Go to the server console (or access the iLO Remote Console), and press Enter to boot thedebug selection on the OS load menu.

This might take several minutes.

12. When you are finished debugging the host server, turn off the debug socket to the VirtualSerial Port by connecting (via PuTTy) to the CLI, and then entering the following command:

windbg_disable

NOTE: You can disconnect and reconnect the Windows debugger as long as you keep theiLO debug socket enabled.

200 Troubleshooting

http://www.putty.org/






Event log entriesTable 15 (page 201) shows typical iLO event log entries.

Table 15 Event log entries

ExplanationEvent log display

Appears when the server power is removed.Server power removed

Displays the IP address for the browser that logged in.Browser login: <IP address>

Appears when the server power is restored.Server power restored

Displays the IP address for the browser that logged out.Browser logout: <IP address>

Appears when the server is reset.Server reset

Appears when a browser login fails.Failed Browser login ? IP Address: <IP address>

Appears when iLO has failed an internal test. The probable cause is that acritical component has failed. Further use of iLO on this server is notrecommended.

iLO Self Test Error: #

Appears when iLO is reset.iLO reset

Appears when the on-board clock is set.On-board clock set; was<#:#:#:#:#:#>

Appears when the server logs critical errors.Server logged criticalerror(s)

Appears when a user clears the event log.Event log cleared by: <User>

Appears when iLO is reset to the default settings.iLO reset to factorydefaults

Appears when the ROM has been upgraded.iLO ROM upgrade to <#>

Appears when iLO is reset for the ROM upgrade.iLO reset for ROM upgrade

Appears when iLO is reset by user diagnostics.iLO reset by userdiagnostics

Appears when the power is restored to iLO.Power restored to iLO

Appears when an error has occurred in iLO and iLO has reset itself. If this issuepersists, call customer support.

iLO reset by watchdog

Appears when the server resets iLO.iLO reset by host

Appears when a noncritical error has occurred in iLO and iLO has reset itself.If this issue persists, call customer support.

Recoverable iLO error, code<#>

Appears when the SNMP trap does not connect to the specified IP address.SNMP trap delivery failure:

<IP address> Appears when the SNMP trap does not connect to the specified IP address.Test SNMP trap alert failed

for: <IP address>

Appears when the SNMP trap does not connect to the specified IP address.Power outage SNMP trap alertfailed for: <IP address>

Appears when the SNMP trap does not connect to the specified IP address.Server reset SNMP trap alertfailed for: <IP address>

Appears when the SNMP trap does not connect to the specified IP address.Illegal login SNMP trapalert failed for: <IPaddress>

Event log entries 201



Table 15 Event log entries (continued)


Appears when the SNMP trap does not connect to the specified IP address.Diagnostic error SNMP trapalert failed for: <IPaddress>

Appears when the SNMP trap does not connect to the specified IP address.Host generated SNMP trapalert failed for: <IPaddress>

Appears when the SNMP trap does not connect to the specified IP address.Network resource shortageSNMP trap alert failed for:<IP address>

Appears when the network is connected to iLO.iLO network link up

Appears when the network is not connected to iLO.iLO network link down

Appears when a user starts a firmware upgrade.iLO Firmware upgrade startedby: <User>

Appears when a user resets the host server.Host server reset by: <User>

Appears when a user powers off a host server.Host seerver powered OFF by:

<User>

Appears when a user powers on a host server.Host server powered ON by:<User>

Appears when a user begins using a virtual floppy.Virtual Floppy in use by:<User>

Appears when a user logs in to a Remote Console session.Remote Console login: <User>

Appears when a Remote Console session is closed.Remote Console Closed

Displays a failed console login and IP address.Failed Console login - IP Address: <IP address>

Appears when a local user is added. Added User: <User>

Appears when a local user is deleted.User Deleted by: <User>

Appears when a local user is modified.Modified User: <User>

Appears when a valid user logs in to iLO by using an Internet browser.Browser login: <User>

Appears when a valid user logs out of iLO by using an Internet browser.Browser logout: <User>

Appears when an authorized user logs in on by using the Remote Console port.Remote Console login: <User>

Appears when an authorized Remote Console user is logged out or when theRemote Console port is closed after a failed login attempt.

Remote Console Closed

Appears when an unauthorized user has failed three login attempts when usingthe Remote Console port.Failed Console login ? IP Address: <IP address>

Appears when a new entry is made to the authorized user list. Added User: <User>

Appears when an entry is removed from the authorized user list. The User section displays the user who requested the removal.

User Deleted by: <User>

Appears when the power has been reset.Power Cycle (Reset): <User>

Appears when the system is booted with the Security Override Switch set toOn.

Security Override SwitchSetting is On

Appears when the system is booted with the Security Override Switch changedfrom On to Off.

Security Override SwitchSetting Changed to Off

202 Troubleshooting



Table 15 Event log entries (continued)


Appears when the on-board clock is set. Displays the previous time or NOT SETif no time was set.

On-board clock set; waspreviously [NOT SET]

Appears when the logs are full and the SNMP trap alert failed for a specifiedIP address.

Logs full SNMP trap alertfailed for: <IP address>

Appears when the security has been disabled and the SNMP trap alert failed

for a specified IP address.Security disabled SNMP trap

alert failed for: <IPaddress>

Appears when the security has been enabled and the SNMP trap alert failedfor a specified IP address.

Security enabled SNMP trapalert failed for: <IPaddress>

Appears when an authorized user connects the virtual floppy.Virtual Floppy connected by<User>

Appears when an authorized user disconnects the virtual floppy.Virtual Floppy disconnectedby <User>

Appears when an authorized user adds a license.License added by: <User>

Appears when an authorized user removes a license.License removed by: <User>

Appears when an error occurs in activating the license.License activation error by:<User>

Appears when an authorized user logs in to iLO RBSU.iLO RBSU user login: <User>

Displays when a power request was received as one of the following types:Power on request receivedby: <Type> Power Button

Wake On LAN

Automatic Power On

Appears when an authorized user clicks the Virtual NMI button.Virtual NMI selected by:

<User>

Appears when a Virtual Serial Port session is started.Virtual Serial Port sessionstarted by: <User>

Appears when a Virtual Serial Port session is ended.Virtual Serial Port sessionstopped by: <User>

Appears when a login failure occurs.Virtual Serial Port sessionlogin failure from: <User>

Hardware and software link-related issuesiLO uses standard Ethernet cabling, which includes CAT 5 UTP with RJ-45 connectors.

Straight-through cabling is necessary for a hardware link to a standard Ethernet hub. Use a crossovercable for a direct PC connection.

The default DNS name is displayed on the iLO Default Network Settings tag and can be used tolocate iLO if you do not know the assigned IP address.

The following information applies if you are using DHCP:

• The iLO management port must be connected to a network that is connected to a DHCP server,and iLO must be on the network before power is applied. DHCP sends a request soon after

Hardware and software link-related issues 203



power is applied. If the DHCP request is not answered when iLO first boots, it will reissue therequest at 90-second intervals.

• The DHCP server must be configured to supply DNS and WINS name resolution.

• In the iLO RBSU, you can press F1 on the Network Autoconfiguration page for advancedoptions for viewing the status of iLO DHCP requests.

The following information applies if you are using a static IP address:

• If a direct connection to a PC is used, then a static IP address must be used because no DHCPserver is present on the link.

• You can configure iLO to work with a static IP address by using iLO RBSU or the iLO webinterface. For more information, see “Setting up iLO by using iLO RBSU” (page 16) and “Settingup iLO by using the iLO web interface” (page 19).

Login issuesUse the following information when you are attempting to resolve login issues:

• Try using the default account information, which is located on the iLO Default Network Settingstag.

•

If you forget your password, it can be reset by an administrator who has the Administer User Accounts privilege.

• If an administrator forgets the administrator account password, they must use the SecurityOverride Switch or use HPONCFG to establish an administrator account and password. Forinstructions, see the HP iLO 4 Scripting and Command Line Guide .

• Check for standard issues, such as the following:

Is the password complying with password restrictions? For example, does the passwordcontain case-sensitive characters?

◦

◦ Is an unsupported browser being used?

Login name and password not acceptedSolution: You must verify that your login information is configured correctly. Have a user who hasthe Administer User Accounts privilege log in and change your password. If you still cannot connect,have the user log in again and delete and re-add your user account. For instructions, see“Administering users” (page 29).

NOTE: The RBSU can also be used to configure user accounts. For instructions, see “Setting upiLO user accounts by using iLO RBSU” (page 18).

Directory user premature logout

Solution: To recover from a premature session timeout, log back in and continue using iLO. If thedirectory server is unavailable, you must use a local account.

Network errors can cause iLO to conclude that a directory connection is no longer valid. If iLOcannot detect the directory, iLO ends the directory connection. Any additional attempt to continueusing the terminated connection redirects the browser to the login page.

A premature session timeout can occur during an active session if:

• The network connection is severed.

• The directory server is shut down.

204 Troubleshooting



iLO management port not accessible by nameSolution: The iLO management port can register with a WINS server or DDNS server to providethe name-to-IP address resolution necessary to access the iLO management port by name. The

WINS or DDNS server must be up and running before the iLO management port is powered on,and the iLO management port must have a valid route to the WINS or DDNS server.

In addition, the iLO management port must be configured with the IP address of the WINS orDDNS server. You can use DHCP to configure the DHCP server with the necessary IP addresses.

These options are enabled as factory defaults and can be changed via the iLO RBSU or the iLOweb interface. For more information, see “Setting up iLO by using iLO RBSU” (page 16) or“Configuring iLO IP and NIC settings” (page 62).

The clients that are used to access the iLO management port must be configured to use the sameDDNS server where the IP address of the iLO management port is registered.

If you are using a WINS server and a non-dynamic DNS server, the access to the iLO managementport might be significantly faster if you configure the DNS server to use the WINS server for nameresolution. For more information, see the appropriate Microsoft documentation.

iLO RBSU unavailable after iLO and the server resetSolution: Reset the server a second time. To avoid this issue, wait a few seconds before resetting

the server after resetting the iLO processor.If the iLO processor is reset and the server is immediately reset, iLO firmware might not be fullyinitialized when the server performs its initialization and attempts to start the iLO RBSU. In thiscase, the iLO RBSU is unavailable, or the iLO option ROM code is skipped altogether.

Unable to access the login pageSolution: Verify that the SSL encryption level of your browser is set to 128 bits. The SSL encryptionlevel in iLO is set to 128 bits and cannot be changed. The browser and iLO encryption levels mustbe the same.

Unable to return to login page after an iLO flash or resetSolution: Clear the browser cache and restart the browser.

Unable to access Virtual Media or the graphical Remote ConsoleSolution: You enable the iLO Virtual Media and graphical Remote Console features are enabledby installing an optional iLO Advanced license. If a license is not installed, a message informs youthat these features are not available without a license.

For details on purchasing licenses and a list of licensed features, see the following website: http://www.hp.com/go/ilo/licensing.

Unable to connect to iLO after changing network settingsSolution: Verify that both sides of the connection (the NIC and the switch) have the same settingsfor transceiver speed autoselect, speed, and duplex. For example, if one side is autoselecting theconnection, the other side must use the same setting. For information about configuring the iLOnetwork settings, see “Configuring iLO IP and NIC settings” (page 62).

Login issues 205







Unable to connect to the iLO processor through the NICSolution: If you cannot connect to the iLO processor through the NIC, try any or all of the followingtroubleshooting methods:

• Confirm that the green LED indicator (link status) on the iLO RJ-45 connector is on. This conditionindicates a good connection between the PCI NIC and the network hub.

• Look for intermittent flashes of the green LED indicator, which indicates normal network traffic.

•

Run the iLO RBSU to confirm that the NIC is enabled, and verify the assigned IP address andsubnet mask.

• Run the iLO RBSU and use the Advanced tab on the DNS/DHCP page to view the status ofDHCP requests.

• Ping the IP address of the NIC from a separate network workstation.

• Attempt to connect with a browser by entering the IP address of the NIC as the URL. You cansee the iLO home page from this address.

• Reset iLO.

NOTE: If a network connection is established, you might have to wait up to 90 seconds forthe DHCP server request.

Unable to log in to iLO after installing the iLO certificateSolution: Do not install the iLO self-signed certificate into the browser certificate store. If you wantto install the iLO certificate, request a permanent certificate from a CA and import it to iLO. Forinstructions, see “Administering SSL certificates” (page 44).

When you reset iLO to the factory defaults or change the iLO host name, a new self-signed certificateis generated. If the iLO self-signed certificate is installed permanently in some browsers, you mightnot be able to log back in to iLO after the new self-signed certificate is generated.

Unable to connect to the iLO IP addressSolution: If the web browser software is configured to use a proxy server, it will not connect to theiLO IP address. To resolve this issue, configure the browser not to use the proxy server for the IPaddress of iLO. For example, in Internet Explorer:

1. Select Tools→Internet Options.2. Click Connections.3. Click LAN setttings.4. Click Advanced in the Proxy server section.5. Enter the iLO IP address or DNS name in the Exceptions box.6. Click OK to save the changes.

Blocked iLO portsSolution: iLO communicates through several configurable TCP/IP ports. If these ports are blocked,the administrator must configure the firewall to allow for communications on these ports. Forinformation about viewing and changing the iLO port configuration, see “Configuring iLO accesssettings” (page 34).

Troubleshooting alert and trap issuesTable 16 (page 207) shows the alerts and traps that might occur.

206 Troubleshooting



Table 16 Alerts

Explanation Alert

This trap is generated when you click the Send Test Alert button on the Administration→Management page in the iLO web interface.

Test Trap

The server lost power.Server Power Outage

The server was reset.Server Reset

A remote user login attempt failed.Failed Login Attempt

This is an error condition that is not predefined by the hard-coded MIB.General Error

The circular log has been overrun.Logs

The state of the Security Override switch changed (On/Off).Security Override SwitchChanged: On/Off

The server could not power on because insufficient power was available.Rack Server Power On Failed

The server was forced to power on manually despite reporting insufficientpower.

Rack Server Power On ManualOverride

The name of the rack was changed.Rack Name Changed

Unable to receive HP SIM alarms (SNMP traps) from iLOSolution: A user who has the Configure iLO Settings privilege must connect to iLO to configureSNMP trap parameters. When you are connected to iLO, make sure that the correct alert typesand trap destinations are enabled on the Administration→Management page in the iLO webinterface.

Using the iLO Security Override switch for emergency accessSolution: The iLO Security Override switch allows emergency access to the administrator who hasphysical control over the server system board. Setting the iLO Security Override switch allows login

access, with all privileges, without a user ID and password.The iLO Security Override switch is located inside the server and cannot be accessed withoutopening the server enclosure. To set the iLO Security Override switch, make sure that the server ispowered off and disconnected from the power source. Set the switch and then power on the server.To clear the iLO Security Override switch, reverse this procedure.

When you use the iLO Security Override switch, the following occur:

• A warning message indicating that the iLO Security Override switch is currently in use isdisplayed on the iLO web interface pages.

• An iLO log entry is added to record the use of the iLO Security Override switch.

• An SNMP alert might be sent when you set or clear the iLO Security Override switch.

In the unlikely event that it is necessary, setting the iLO Security Override switch also enables youto flash the iLO boot block. The boot block is exposed until iLO is reset. HP recommends that youdisconnect iLO from the network until the reset is complete.

Depending on the server, the iLO Security Override switch might be a single jumper or it might bea specific switch position on a dip switch panel. For information about how to access the iLOSecurity Override switch, see the server documentation.

Troubleshooting alert and trap issues 207



Troubleshooting license installationLicense key installation issues might occur because of the following situations:

• The license key is not for iLO.

• If a license key was previously installed, an evaluation license key cannot be installed.

• The iLO firmware must be updated before the license key can be installed.

• The iLO date and time are incorrect.

Troubleshooting directory issuesThe following sections provide instructions for troubleshooting directory issues.

User contexts do not appear to workSolution: Check with your network administrator. The full distinguished name of your user objectmust be in the directory. Your login name is what appears after the first CN=. The remainder of thedistinguished name must appear in one of the user context fields. User contexts are not casesensitive, and any other characters, including spaces, are part of the user context. For informationabout entering directory user contexts, see “Configuring directory settings” (page 46).

Directory user does not log out after the directory timeout has expiredSolution: If you set the iLO Idle Connection Timeout to Infinite, the Remote Console periodicallypings the firmware to verify that the connection exists. When this ping occurs, the iLO firmwarequeries the directory for user permissions. This periodic query keeps the directory connection active,preventing a timeout and logging the user.

Troubleshooting Remote Console issuesThe following sections discuss troubleshooting for Remote Console issues.

IMPORTANT: Pop-up blocking applications, which are set to prevent the automatic opening of

new windows, prevent the Remote Console from running. Disable any pop-up blocking programsbefore you start the Remote Console.

Java IRC applet displays a red X when Firefox is used to run Java IRC on a Linuxclient

Solution: Firefox browsers must be configured to accept cookies. For instructions on configuringFirefox, see the Firefox documentation.

Unable to navigate the single cursor of the Remote Console to corners of the RemoteConsole window

In some cases, you might be unable to navigate the mouse cursor to the corners of the RemoteConsole window.

Solution: Right-click and drag the mouse cursor outside the Remote Console window and then dragit back inside.

Remote Console text window not updated correctly When you are using the Remote Console to display text windows that scroll at a high rate of speed,the text window might not be updated correctly. This error is caused by video updates occurringfaster than the iLO firmware can detect and display them. Typically, only the upper left corner ofthe text window is updated while the rest of the text window remains static.

Solution: After the scrolling is complete, click Refresh to update the text window.

208 Troubleshooting



Mouse or keyboard not working in .NET IRC or Java IRCSolution 1: When you open the .NET IRC or Java IRC and notice that the mouse or keyboard isnot working, perform the following steps to recover:

1. Close the .NET IRC or Java IRC.2. Navigate to the Power Management→Power Settings page.3. Clear the Enable persistent mouse and keyboard check box, and then click Apply.4. Start the .NET IRC or Java IRC again.

Solution 2 (.NET IRC only): Some monitors do not support DirectDraw. For example, some USB VGA device drivers might disable DirectDraw in all monitors for Windows Vista and Windows 7clients.

The .NET IRC requires DirectDraw support.

Solution 2 (Java IRC only):

1. Shut down and exit your browser.2. Open the Java Control Panel.3. Navigate to the Java Runtime Environment Settings dialog box.4. Add the following runtime parameter:

-Dsun.java2d.noddraw=true

5. Click to close the Java Runtime Environment Settings dialog box.6. Click Apply and then click OK to close the Java Control Panel.

NOTE: Viewing your changes before you click Apply might reset the Runtime Parametersfield, causing your edits to be lost.

.NET IRC sends characters continuously after switching windowsSolution: If you have a key pressed during an .NET IRC session and you inadvertently switchwindows, the key can remain pressed in the .NET IRC session, causing the character to repeatcontinuously. To stop the character from repeating, click the .NET IRC session screen to bring it tothe front of your desktop.

Java IRC does not display the correct floppy and USB-key deviceThis issue occurs only with the Firefox browser.

Solution:

1. Make sure that Red Hat Enterprise Linux 5 or later is installed on the local client system.2. Install the latest version of Java and configure it to connect through the Firefox browser.3. Log in to the iLO web interface by using Firefox.4. Insert a USB key or floppy disk on the local client system.5. Verify that you can access USB key or floppy disk.6. Open a Java IRC session.7. Select Virtual Drives→Floppy/USB-Key, and then select Virtual Image.

The Choose Disk Image File dialog box opens.

Troubleshooting Remote Console issues 209



Figure 95 Choose Disk Image File dialog box

8. Type or select the path of the USB key/floppy (/dev/disk) which is inserted in the client.

You can also mount the USB key/floppy by label, as shown in Figure 96 (page 210).

Figure 96 Mounting the USB key by label

9. Click OK .

Caps Lock goes out of sync between iLO and Java IRC When you log in to the Java IRC, the Caps Lock setting might go out of sync between iLO and the Java IRC.

Solution: Select Keyboard→Caps Lock in the Java IRC to sync the Caps Lock settings.

210 Troubleshooting



Num Lock goes out of sync between iLO and Shared Remote Console When you log in to a Shared Remote Console session, the Num Lock setting might go out of syncbetween iLO and some of the Remote Console sessions.

Solution: Select Keyboard→Num Lock in the Remote Console to synchronize the Num Lock settings.

Keystrokes repeat unintentionally during a remote console session When you are using the .NET or Java IRC, a keystroke might repeat unintentionally during a remote

console session.Solution 1: Identify and fix problems that might cause network latency.

Solution 2: Adjust the following settings on the remote machine:

• Increase the typematic delay—This setting controls the delay before a character repeats whenyou press and hold a key on the keyboard.

• Decrease the typematic rate—This setting controls the rate at which a character repeats whenyou press and hold a key on the keyboard.

NOTE: The exact name of the setting varies depending on the OS you are using. For moreinformation about changing the typematic delay and rate, see your OS documentation.

Session leader does not receive a connection request when .NET IRC is in replaymode

Solution: When a Remote Console session leader plays captured video data, the .NET IRC doesnot display the Deny or Accept message when another user attempts to access or share the .NETIRC. Instead, the new .NET IRC session waits and eventually times out. If you require access to the.NET IRC, and your request times out, contact the other user or use the Acquire feature to takecontrol of the IRC. For instructions, see “Acquiring the Remote Console” (page 117).

Keyboard LED does not work correctlyThe client keyboard LED does not reflect the true state of the keyboard lock keys. The Caps Lock,Num Lock, and Scroll Lock keys are fully functional when you are using the keyboard options inthe Remote Console.

Inactive .NET IRCThe iLO .NET IRC might become inactive or disconnect during periods of high activity. .NET IRCactivity slows before becoming inactive. Symptoms of an affected .NET IRC include the following:

• The .NET IRC display is not updated.

• Keyboard and mouse activity is not recorded.

• Shared Remote Console requests do not register.

Although you can replay a captured file on an inactive .NET IRC, the active state of the .NET IRCis not restored.

This issue might occur when multiple users are logged in to iLO, a Virtual Media session is connectedand is performing a continuous copy operation, or a .NET IRC session is open. The Virtual Mediacontinuous copy operation takes priority, and, consequently, the .NET IRC loses synchronization.Eventually, the Virtual Media connection resets multiple times and causes the USB media drive forthe OS to lose synchronization with the Virtual Media client.

Solution: Reconnect to the .NET IRC and the Virtual Media. If possible, reduce the number ofsimultaneous iLO user sessions. If necessary, reset iLO. (The server does not need to be reset.)

Troubleshooting Remote Console issues 211



Unable to view the Linux installer in the text-based Remote Console When you are installing Linux by using the text console, the initial installation screen might notappear because the screen is in graphics mode.

Solution: To correct this and proceed with the installation, do one the following:

• For most versions of Linux, enter linux text nofb.

The characters that you enter do not appear.

After you enter the command, the screen changes from graphics mode to text mode, displayingthe screen.

• For SLES 10 and SLES 11, press F2 and the down arrow from the text console. The text modeis selected and the screen appears.

Unable to pass data through an SSH terminalIf you use an SSH terminal to access the text console, SSH might intercept keystroke data and notpass the action to the text-based Remote Console. When this occurs, it appears as if the keystrokedid not perform its function.

Solution: Disable any SSH terminal shortcuts.

Troubleshooting miscellaneous issuesThe following sections discuss troubleshooting miscellaneous hardware or software issues.

Cookie sharing between browser instances and iLOiLO uses browser session cookies to distinguish between separate logins—each browser windowappears as a separate user login—while actually sharing the same active session with iLO. Thesemultiple logins can confuse the browser. This confusion can appear as an iLO issue. However, thisis typical browser behavior.

Several processes can cause a browser to open additional windows. Browser windows openedfrom within an open browser represent different aspects of the same program in memory.Consequently, each browser window shares properties with the parent, including cookies.

Shared instances

When iLO opens another browser window—for example, the Remote Console or a help file—thiswindow shares the same connection to iLO and the session cookie.

The iLO web server makes URL decisions based on each request received. For example, if a requestdoes not have access rights, it is redirected to the login page, regardless of the original request.

Web server-based redirection, selecting File→New→ Window or pressing Ctrl+N, opens a duplicateinstance of the original browser.

Cookie order behavior

During login, the login page builds a browser session cookie that links the window to the appropriatesession in the iLO firmware. The firmware tracks browser logins as separate sessions listed in the

Active Sessions section on the iLO Overview page.

For example, when User1 logs in, the web server builds the initial frames view, with current user:User1 in the top pane, menu items in the left pane, and page data in the lower-right pane. AsUser1 clicks from link to link, only the menu items and page data are updated.

While User1 is logged in, if another user, User2, opens another browser window on the sameclient and logs in, the second login overwrites the cookie generated in the original User1 session.

Assuming that User2 is a different user account, a different current frame is built, and a new sessionis granted. The second session appears in the Active Sessions section of the iLO Overview page

as current user: User2.

Troubleshooting miscellaneous issues 213



The second login has effectively orphaned the first session (User1) by overriding the cookiegenerated during the User1 login. This behavior is the same as closing the User1 browser withoutclicking the Sign Out button. The User1 orphaned session is reclaimed when the session timeoutexpires.

Because the current user frame is not refreshed unless the browser is forced to refresh the entirepage, User1 can continue navigating by using his or her browser window. However, the browseris now operating by using the User2 session cookie settings, even though it is not readily apparent.

If User1 continues to navigate in this mode (User1 and User2 sharing the same process becauseUser2 logged in and reset the session cookie), the following can occur:

• User1 session behaves consistently with the privileges assigned to User2.

• User1 activity keeps User2 session alive, but User1 session can time out unexpectedly.

• Logging out of either window causes both sessions to end. The next activity in the other windowcan redirect the user to the login page as if a session timeout or premature timeout occurred.

• Clicking Sign Out from the second session (User2) results in the following warning message:

Logging out: unknown page to display before redirecting the user tothe login page.

•

If User2 logs out and then logs back in as User3, User1 assumes the User3 session.• If User1 is at login, and User2 is logged in, User1 can alter the URL to redirect to the index

page. It appears as if User1 has accessed iLO without logging in.

These behaviors continue as long as the duplicate windows are open. All activities are attributedto the same user, using the last session cookie set.

Displaying the current session cookie

After logging in, you can force the browser to display the current session cookie by entering thefollowing in the URL navigation bar:

javascript:alert(document.cookie)

The first field visible is the session ID. If the session ID is the same among the different browserwindows, these windows are sharing the same iLO session.

You can force the browser to refresh and reveal your true identity by pressing the F5 key, selecting View→Refresh, or clicking the Refresh button.

Preventing cookie-related user issues

To prevent cookie-based behavioral issues:

• Start a new browser for each login by double-clicking the browser icon or shortcut.

• Click the Sign Out button to close the iLO session before you close the browser window.

Unable to get SNMP information from HP SIMSolution: The agents running on the managed server supply SNMP information to HP SIM. Foragents to pass information through iLO, iLO device drivers must be installed. For installationinstructions, see “Installing the iLO drivers” (page 20).

If you have installed the drivers and agents for iLO, verify that iLO and the management PC areon the same subnet. You can verify this quickly by pinging iLO from the management PC. Consultyour network administrator for proper routes to access the iLO network interface.

214 Troubleshooting



Unable to upgrade iLO firmware

• Solution 1: If you attempt to upgrade the iLO firmware by using the iLO web interface, and itdoes not respond, does not accept the firmware upgrade, or is stopped before a successfulupgrade, try reinstalling the firmware after you complete the following diagnostic steps:1. Attempt to connect to iLO through the web browser. If you cannot connect, a

communication issue occurred.2. Attempt to ping iLO. If you are successful, the network is working.

• Solution 2: If an incorrect file is used to flash the iLO firmware by using the iLO web interface,the following error is displayed: The last firmware update attempt was notsuccessful. Ready for the next update.

If this error occurs, click the Clear Error button to reset the flash process, and then try thefirmware update again with the correct firmware file. If you do not clear the error, the sameerror might occur even when you use the correct firmware file.

• Solution 3: If a connection error occurs after you install a firmware update by using the iLOweb interface, clear the browser cache.

• Solution 4: Try a different firmware update method. For information about the methods thatyou can use to update the firmware, see “Updating iLO firmware” (page 22).

iLO network failed flash recoveryMost firmware upgrades finish successfully. In the unlikely event of server power loss during aniLO firmware upgrade, iLO might be recoverable when power is restored.

When the computer is booting, the kernel performs image validation on the main image. If theimage is corrupted or incomplete, the kernel enters Failed Flash Recovery. Failed Flash Recoveryactivates an FTP server within iLO. This FTP server enables you to send an image to iLO forprogramming. The FTP server does not provide any other services.

A network client can connect to this FTP server. The user name for the connection is test and thepassword is flash. To send a firmware image to iLO, use the FTP client PUT command. After

receiving the image, iLO validates the image. If the image is a complete, signed, and valid firmwareimage, the kernel begins programming the FLASH part.

After the image is completely programmed into the FLASH part, reset iLO by issuing the RESETcommand to the iLO FTP server.

Example:

F:\ilo>ftp 192.168.1.2Connected to 192.168.1.2.220 FTP Recovery server ready.User (192.168.1.2:(none)): ftp331 Password required.Password:231 Logged in.ftp> put iLO.bin200 Ok.150 ready for file226-Checking file226-File acceptable226-Flashing 3% complete226-Flashing 4% complete226-Flashing 6% complete...226-Flashing 97% complete226-Flashing 99% complete

226-Flashing 100% complete




226-Flashing completed226 Closing fileftp: 8388608 bytes sent in 1.38Seconds 6100.81 Kbytes/sec.ftp> quote reset221 Goodbye (reset).Connection closed by remote host.ftp> quit

Problems generating a keytab by using ktpass.exe

If you use ktpass.exe to generate a keytab, you must specify a principal name by using the-princ argument.

Principal names must be entered as follows:

HTTP/[email protected]

This command is case sensitive. The command must be entered as follows:

• The first part of the command is uppercase (HTTP).

• The middle part is lowercase (ilo.somedomain.com).

• The last part is uppercase (@SOMEDOMAIN.COM).

If you do not format the command exactly as shown, the command does not work.

Here is an example of the full ktpass.exe command:

ktpass +rndPass -ptype KRB5_NT_SRV_HST -mapuser [email protected] HTTP/[email protected] -out myilo.keytab

Testing SSLThe following test checks for the correct security prompt. A nonworking server will proceed to aPage cannot be displayed message. If this test fails, your domain controller is not acceptingSSL connections and probably has not been issued a certificate.

1. Open a browser and navigate to https://domain controller :636.

You can substitute domain in place of domain controller , which accesses the DNS anddetermines which domain controller is handling requests for the domain. Test multiple domaincontrollers to verify that all of them have been issued a certificate.

2. If SSL is operating correctly on the domain controller (a certificate is issued), you are promptedwith a security message that asks whether you want to proceed with accessing the site or viewthe server certificate. Clicking Yes does not display a webpage. This is normal. This processis automatic, but might require rebooting. To avoid rebooting:a. Open the MMC.b. Add the certificates snap-in.c. When you are prompted, select Computer Account for the type of certificates you want

to view.

d. Click OK to return to the certificates snap-in.e. Select the Personal→Certificates folder.f. Right-click the folder and select Request New Certificate.g. Verify that the Type is domain controller, and click Next until a certificate is used.

You can also use the Microsoft Ldp.exe tool to verify SSL connections. For more information aboutthe LDP tool, see your Microsoft documentation.

An old certificate can cause issues with SSL on the domain controller when it points to a previouslytrusted CA with the same name. This situation is rare but might happen if a certificate service isadded and removed, and then added again on the domain controller. To remove old certificatesand issue a new one, follow the instructions in step 2.

216 Troubleshooting



File not present after copy through .NET IRC virtual drives to USB keyProblem: If the user copies files from the target server to a mounted iLO virtual drive (USB keyconnected to a client computer running any Windows OS), the files are not visible in WindowsExplorer on the client computer.

Indicator : File changes on the iLO Virtual Media USB key are never seen in Windows Explorer bythe user on the client computer.

Cause: Windows Explorer keeps a cached copy of the files on the USB key, and the iLO Remote

Console does not notify the Windows Shell when the USB key is updated with file changes. Thefile changes exist on the USB drive but if the user refreshes the Explorer window, the cached copyof the files is flushed back to the USB key and the user will never see the file changes in WindowsExplorer.

Any kind of file change made on a mounted iLO Virtual Media USB key drive from a Windowsclient via the Remote Console can trigger this issue.

Solution:

1. Install a USB key drive on a Windows client computer.2. By using .NET IRC, connect the client USB key to the iLO Virtual Media drive on the target

server.

3. Make file changes to the connected iLO Virtual Media drive (copy, delete, and so on.).4. Safely unmount the iLO USB Virtual Media drive on the target server so that all data is updatedto the Virtual Media drive.

5. Disconnect the client USB key by using the .NET IRC.

CAUTION: Do not refresh the contents of the USB key by using Windows Explorer.

6. Safely remove the USB key from the client computer by clicking the Safely Remove Hardwareicon in the Windows notification area. Follow the onscreen instructions.

7. Remove the USB key from the client computer.8. The USB key can now be connected to any computer, and any file changes will be visible in

Windows Explorer.Resetting iLO

In some cases, it might be necessary to reset iLO; for example, if iLO is not responding to thebrowser.

iLO might reset itself in certain instances. For example, an internal iLO watchdog timer resets if thefirmware detects an iLO issue. If a firmware upgrade is completed or a network setting is changed,iLO also resets.

To reset iLO, choose one of the following options:

• Click Reset on the Information→Diagnostics page in the iLO web interface. For more

information, see “Resetting iLO with the web interface” (page 112)• Use the CLI or HPONCFG. For instructions, see the HP iLO 4 Scripting and Command Line

Guide .

• The HP Insight Management Agents 5.40 and later have the ability to reset iLO. Select theReset iLO option on the HP Management Agent page in the iLO section.

• Click Apply on the Administration→Network page to manually force the iLO managementprocessor to reset. If the Apply button is not available, change a setting, change it back, andthen click Apply to reset iLO without changing the configuration.

A video demonstration of procedure for using the iLO web interface or HPONCFG is availableat http://www.hp.com/go/ilo/videos.






If none of the methods in the list is available or working as expected, you must power down theserver and disconnect the power supplies completely.

Server name still present after the System Erase Utility is executedThe server name, as shown in the Server Name field is the installed host operating system name.If the Insight Management Agents are installed on the server, the agents will obtain the host nameand update it on the iLO web interface page.

To remove the server name after the redeployment of a server, do one of the following:

• Load the HP Insight Management Agents to update the Server Name field with the new servername.

• Use iLO RBSU Reset to Factory Defaults feature to clear the Server Name field.

CAUTION: This procedure clears all iLO configuration information, not just the Server Nameinformation.

• Change the server name on the Administration→ Access Settings→ Access Options page in theiLO web interface.

Certificate error when navigating to the iLO web interfaceIssue: When you point your browser to the iLO web interface, a certificate error message appears.

Suggested action: Use one of the following procedures to resolve the security warning.

Internet Explorer

1. When the security warning appears, click the Continue to this website (not recommended)link.

2. Log in to the iLO web interface.3. Navigate to the Administration→Security→SSL Certificate page.4. Click Customize Certificate.

5. Enter the following information in the Certificate Signing Request (CSR) Information section.The required fields are marked with an asterisk (*).

• Country (C)—The two-character country code that identifies the country where the companyor organization that owns this iLO subsystem is located

• State (ST)—The state where the company or organization that owns this iLO subsystem islocated

• City or Locality (L)—The city or locality where the company or organization that owns thisiLO subsystem is located

• Organization Name (O)—The name of the company or organization that owns this iLOsubsystem

• Organizational Unit (OU)—(Optional) The unit within the company or organization thatowns this iLO subsystem

• Common Name (CN)—The FQDN of this iLO subsystem

6. Click Generate CSR.

The following message is appears:The iLO subsystem is currently generating a CertificateSigning Request (CSR). This may take 10 minutes or more. In order to viewthe CSR, wait 10 minutes or more, and then click the Generate CSR buttonagain.

7. After 10 minutes or more, click the Generate CSR button.

A new window displays the CSR.

218 Troubleshooting



8. Select and copy the CSR text.9. Open a browser window and navigate to a third-party CA.10. Follow the onscreen instructions and submit the CSR to the CA.

The certificate authority will generate a certificate in the PKCS #10 format.

11. After you obtain the certificate, make sure that:

• The CN matches the iLO FQDN. This is listed as the iLO Hostname on theInformation→Overview page.

• The certificate is generated as a base64-encoded X.509 certificate, and is in the RAWformat.

• The first and last lines are included in the certificate.

12. Return to the Customize Certificate page in the iLO user interface.13. Click the Import Certificate button.

The Import Certificate window opens.

14. Paste the certificate into the text box, and then click the Import button.15. Restart iLO.

Firefox1. Click the I Understand the Risks link to expand the section, and then click Add Exception.2. In the Add Security Exception dialog box, enter https://<iLO Hostname or IP

address> in the location field.3. Click Confirm Security Exception to resolve the security warning.




about HP products. For discussions related to iLO Advanced and iLO Advanced for BladeSystemsoftware, see the Management Software and System Tools area.

HP authorized resellersFor the name of the nearest HP authorized reseller, see the following sources:

• In the United States, see the HP U.S. service locator website:

http://www.hp.com/service_locator

• In other locations, see the Contact HP worldwide website:

http://www.hp.com/go/assistance

Related information

Documents

• HP iLO 4 Scripting and Command Line Guide

• HP iLO 4 Release Notes

• HP ROM-Based Setup Utility User Guide

• HP Intelligent Provisioning User Guide

• HP Scripting Toolkit for Linux User Guide

• HP Scripting Toolkit for Windows User Guide

• HP Smart Update Firmware DVD User Guide

• HP Smart Update Manager User Guide

• HP Service Pack for ProLiant User Guide

• HP Insight Management Agents User Guide

• HP Insight Management Agents Installation Guide

• HP Systems Insight Manager User Guide

• HP BladeSystem Onboard Administrator User Guide

• HP ProLiant Gen8 Troubleshooting Guide, Volume I: Troubleshooting

Websites

• HP ProLiant Gen8 Server Management: http://www.hp.com/go/proliantgen8/docs

• HP iLO Management Engine: http://www.hp.com/go/ilomgmtengine/docs

• HP Intelligent Provisioning: http://www.hp.com/go/intelligentprovisioning/docs

• HP SUM: http://www.hp.com/go/hpsum• HP Service Pack for ProLiant: http://www.hp.com/go/spp/documentation

• HP iLO 4: http://www.hp.com/go/ilo/docs

• HP iLO videos: http://www.hp.com/go/ilo/videos

• HP Systems Insight Manager: http://www.hp.com/go/hpsim

• HP Onboard Administrator: http://www.hp.com/go/oa

• HP VMware Vibs Depot :http://vibsdepot.hp.com

HP authorized resellers 221



http://www.hp.com/go/proliantgen8/docs

http://www.hp.com/go/ilomgmtengine/docs

http://www.hp.com/go/intelligentprovisioning/docs

http://www.hp.com/go/hpsum

http://www.hp.com/go/spp/documentation

http://www.hp.com/go/ilo/docs



http://www.hp.com/go/oa



http://www.hp.com/go/oa



http://www.hp.com/go/ilo/docs

http://www.hp.com/go/spp/documentation

http://www.hp.com/go/hpsum

http://www.hp.com/go/intelligentprovisioning/docs

http://www.hp.com/go/ilomgmtengine/docs

http://www.hp.com/go/proliantgen8/docs





A Directory services schemaThis appendix describes the classes and attributes that are used to store Lights-Out managementauthorization data in the directory service.

HP Management Core LDAP OID classes and attributesChanges made to the schema during the schema setup process include changes to the following:

• Core classes

• Core attributes

Core classes

Assigned OIDClass name

1.3.6.1.4.1.232.1001.1.1.1.1hpqTarget

1.3.6.1.4.1.232.1001.1.1.1.2hpqRole

1.3.6.1.4.1.232.1001.1.1.1.3hpqPolicy

Core attributes

Assigned OID Attribute name

1.3.6.1.4.1.232.1001.1.1.2.1hpqPolicyDN

1.3.6.1.4.1.232.1001.1.1.2.2hpqRoleMembership

1.3.6.1.4.1.232.1001.1.1.2.3hpqTargetMembership

1.3.6.1.4.1.232.1001.1.1.2.4hpqRoleIPRestrictionDefault

1.3.6.1.4.1.232.1001.1.1.2.5hpqRoleIPRestrictions

1.3.6.1.4.1.232.1001.1.1.2.6hpqRoleTimeRestriction

Core class definitionsThe following tables define the HP Management core classes.

hpqTarget

1.3.6.1.4.1.232.1001.1.1.1.1OID

This class defines target objects, providing the basis for HP productsthat use directory-enabled management.

Description

StructuralClass type

userSuperClasses

hpqPolicyDN - 1.3.6.1.4.1.232.1001.1.1.2.1 Attributes

hpqRoleMembership - 1.3.6.1.4.1.232.1001.1.1.2.2

NoneRemarks

HP Management Core LDAP OID classes and attributes 223



hpqRole

1.3.6.1.4.1.232.1001.1.1.1.2OID

This class defines role objects, providing the basis for HP products thatuse directory-enabled management.

Description

StructuralClass type

groupSuperClasses

hpqRoleIPRestrictions - 1.3.6.1.4.1.232.1001.1.1.2.5 Attributes

hpqRoleIPRestrictionDefault - 1.3.6.1.4.1.232.1001.1.1.2.4

hpqRoleTimeRestriction - 1.3.6.1.4.1.232.1001.1.1.2.6

hpqTargetMembership - 1.3.6.1.4.1.232.1001.1.1.2.3

NoneRemarks

hpqPolicy

1.3.6.1.4.1.232.1001.1.1.1.3OID

This class defines policy objects, providing the basis for HP products thatuse directory-enabled management.

Description

StructuralClass Type

topSuperClasses

hpqPolicyDN - 1.3.6.1.4.1.232.1001.1.1.2.1 Attributes

NoneRemarks

Core attribute definitionsThe following tables define the HP Management core class attributes.

hpqPolicyDN

1.3.6.1.4.1.232.1001.1.1.2.1OID

Distinguished name of the policy that controls the general configurationof this target

Description

Distinguished Name - 1.3.6.1.4.1.1466.115.121.1.12Syntax

Single valuedOptions

NoneRemarks

hpqRoleMembership

1.3.6.1.4.1.232.1001.1.1.2.2OID

Provides a list of hpqRole objects that belong to this objectDescription

Distinguished Name - 1.3.6.1.4.1.1466.115.121.1.12Syntax

MultivaluedOptions

NoneRemarks

224 Directory services schema



hpqRoleTimeRestriction

1.3.6.1.4.1.232.1001.1.1.2.6OID

A 7-day time grid, with 30-minute resolution, which specifies rights restrictionsunder a time constraint

Description

Octet String {42} - 1.3.6.1.4.1.1466.115.121.1.40Syntax


This attribute is used only on role objects.Remarks

Time restrictions are satisfied when the bit that corresponds to the current localtime of the device is 1 and unsatisfied when the bit is 0.

• The least significant bit of the first byte corresponds to Sunday, frommidnight to 12:30 a.m.

• Each more significant bit and sequential byte corresponds to the nextconsecutive half-hour blocks within the week.

• The most significant (eighth) bit of the 42nd byte corresponds to Saturdayat 11:30 p.m. to Sunday at midnight.

Lights-Out Management specific LDAP OID classes and attributesThe following schema attributes and classes might depend on attributes or classes defined in theHP Management core classes and attributes.

Lights-Out Management classes


1.3.6.1.4.1.232.1001.1.8.1.1hpqLOMv100

Lights-Out Management attributes


1.3.6.1.4.1.232.1001.1.8.2.3hpqLOMRightLogin

1.3.6.1.4.1.232.1001.1.8.2.4hpqLOMRightRemoteConsole

1.3.6.1.4.1.232.1001.1.8.2.6hpqLOMRightVirtualMedia

1.3.6.1.4.1.232.1001.1.8.2.5hpqLOMRightServerReset

1.3.6.1.4.1.232.1001.1.8.2.2hpqLOMRightLocalUserAdmin

1.3.6.1.4.1.232.1001.1.8.2.1hpqLOMRightConfigureSettings

Lights-Out Management class definitionsThe following table defines the Lights-Out Management core class.

hpqLOMv100

1.3.6.1.4.1.232.1001.1.8.1.1OID

This class defines the rights and settings used with HP Lights-OutManagement products.

Description

AuxiliaryClass Type

NoneSuperClasses





This attribute is used only on role objects. If this attribute is TRUE, membersof the role are granted the right.

Remarks

hpqLOMRightLocalUserAdmin

1.3.6.1.4.1.232.1001.1.8.2.2OID

Local User Database Administration right for HP Lights-Out Managementproducts.

Description

Boolean - 1.3.6.1.4.1.1466.115.121.1.7Syntax



Remarks

hpqLOMRightConfigureSettings

1.3.6.1.4.1.232.1001.1.8.2.1OID

Configure Devices Settings right for HP Lights-Out Management products.Description

Boolean - 1.3.6.1.4.1.1466.115.121.1.7Syntax



Remarks




Glossary.NET IRC .NET version of the Integrated Remote Console.

3DES Triple Data Encryption Algorithm.

ABEND Abnormal End.

ACPI Advanced Configuration and Power Interface.

AES Advanced Encryption Standard. AMP Advanced Memory Protection.

AMS Agentless Management Service.

ARP Address Resolution Protocol.

ASR Automatic Server Recovery.

BMC Baseboard Management Controller.

CA Certificate authority.

CLP Command Line Protocol.

CN Common Name.

COM port Communication port.cookie A small, unscriptable text file placed on your hard drive by a website to preserve specific settings. When you return to the site, your system opens the cookie with the previously saved settings sothey can be passed along to the site. Cookies are also used to store session data temporarily.

CR Certificate request.

CSR Certificate Signing Request.

DCMI Data Center Manageability Interface.

DDNS Dynamic Domain Name System.

DHCP Dynamic host configuration protocol.

DHE Diffie–Hellman Key Exchange.

DIMM Dual In-line Memory Module.DLL Dynamic-link library.

DMTF Distributed Management Task Force.

DN Distinguished name.

DNS Domain name system.

DSA Digital Signature Algorithm.

DVO Digital Video Out.

ECC Error Correcting Code.

EDO Extended Data Out.

EMS Emergency Management Services.

FMSO Flexible Single Master Operation.

FQDN Fully Qualified Domain Name.

GMT Greenwich Mean Time.

GRUB Grand Unified Bootloader.

HEM High Efficiency Mode.

HP SIM HP Systems Insight Manager.

HPLOMIG HP Lights-Out Migration Utility. This utility is also called HP Directories Support for ManagementProcessors.

HPONCFG HP Lights-Out Online Configuration utility.

ICMP Internet Control Message Protocol.

229



IIS Internet Information Server.

iLO Integrated Lights-Out.

IML Integrated Management Log.

iPDU HP Intelligent Power Distribution Unit.

IPMI Intelligent Platform Management Interface.

IRC Integrated Remote Console.

ISO International Organization for Standardization.

Java IRC Java version of the Integrated Remote Console.

JRE Java Runtime Environment.

KCS Keyboard Controller Style.

KDC Key Distribution Center.

KDE K Desktop Environment (for Linux).

KVM Keyboard, video, and mouse.

LDAP Lightweight Directory Access Protocol.

LILO Linux Loader.

LOM Lights-Out Management.

MAC Media Access Control.MIB Management information base. A database of managed objects accessed by network management

protocols. An SNMP MIB is a set of parameters that an SNMP management station can queryor set in the SNMP agent of a network device (for example, a router).

MIME Multipurpose Internet Mail Extensions

MMC Microsoft Management Console.

NDS Novell Directory Services.

NMI Non-maskable interrupt.

NTLM NT Local Machine.

OU Organizational Unit.

PAL Programmable Array Logic.

PDS HP Power Discovery Services.

PKCS Public-Key Cryptography Standards.

POST Power-On Self Test.

RBSU ROM-Based Setup Utility. Pressing F9 starts the system ROM RBSU, and pressing F8 starts the iLORBSU.

RDRAM Rambus Dynamic Random Access Memory.

RIBCL Remote Insight Board Command Language.

RPM RPM Package Manager.

RSA Rivest, Shamir, and Adelman public encryption key.SAID Service Agreement Identifier.

SAS Serial Attached SCSI.

SATA disk Serial ATA (SATA) disk. The evolution of the ATA (IDE) interface that changes the physicalarchitecture from parallel to serial and from primary-secondary (master-slave) to point-to -point.Unlike parallel ATA interfaces that connect two drives; one configured as primary (master), theother as secondary (slave), each SATA drive is connected to its own interface.

SD Secure Digital.

SHA Secure Hash Algorithm.

SID Security Identifier.

SLES SUSE Linux Enterprise Server

230 Glossary



SMASH System Management Architecture for Server Hardware.

SMS System Management Software.

SNMP Simple Network Management Protocol.

SNTP Simple Network Time Protocol.

SPN Service Principal Name.

SPP HP Service Pack for ProLiant.

SSD Solid-State Drive.

SSH Secure Shell.

SSL Secure Sockets Layer.

SSO Single Sign-On.

SUM Software Update Manager.

TPM Trusted Platform Module.

UDP User Datagram Protocol.

UHCI Universal Host Controller Interface.

UID Unit Identification.

UPN User Principal Name.

UPS Uninterruptible Power Supply.USB Universal Serial Bus.

UTC Coordinated Universal Time.

UTP Unshielded Twisted Pair.

UUID Universally Unique Identifier.

WBEM Web-Based Enterprise Management.

WINS Windows Internet Naming Service.

231



Index

Symbols.NET IRC, 116

Inactive .NET IRC, 211requirements, 115

Aaccess options

Authentication Failure Logging, 37, 38configuring, 36Idle Connection Timeout, 36iLO Functionality, 36iLO RBSU, 37Minimum Password Length, 37Require Login for iLO RBSU, 37Serial Command Line Interface Speed, 37Serial Command Line Interface Status, 37Server Name, 37

Show iLO IP during POST, 37access settings

configuring, 34iLO RBSU, 40

accessing iLOtroubleshooting, 205

acquiringRemote Console, 117

Active Directoryinstalling, 168

Active Directory integrationautomatic certificate request, 161

certificate services, 161directory objects, 169Directory services , 168Directory services objects, 171installation prerequisites, 168preparation, 161Snap-in installation and initialization for Active

Directory, 169 Active Health System

clearing the log, 110downloading the log, 108, 109overview, 107

active iLO sessionsviewing, 85

addingdirectory groups, 32users, 30

administrationiLO Security Override Switch, 41SSH keys, 43SSL certificates, 44users, 29

Agentless Managementconfiguring, 74overview, 71

Agentless Management Service

installing, 72verifying installation, 73

alertstroubleshooting, 206, 207

AMS, 73

control panel, 72, 73, 76 Authentication Failure Loggingconfiguring, 37using with SSH clients, 38

authorized resellerTechnical support, 220

Bblocked ports

troubleshooting, 206brown-out recovery, 139browser support

iLO web interface, 80

Ccertificate services

configuring automatic certificate request, 161installing for Active Directory, 161verifying for Active Directory, 161

certificatesoverview, 81troubleshooting, 206

clearing Active Health System log, 110iLO Event Log, 104

Integrated Management Log, 107compatibility, directory migration, 189computer lock

configuring remote console, 59configuring, 64

access options, 36access settings, 34 Agentless Management, 74directory settings, 46encryption settings, 54HP schema directory integration, 164HP SIM single sign-on, 56iLO, 22Insight Management Integration, 78IP settings, 62IPMI/DCMI settings, 36management settings, 71network settings, 62, 66NIC settings, 64persistent mouse and keyboard, 147ports, 206power settings, 145power threshold alerts, 146proxy servers, 206remote console computer lock, 59

Remote Console trust settings (.NET IRC), 60

232 Index



schema free directory, 163service settings, 34snmp, 74SNMP alerts, 75, 76SNTP settings, 69

connecting to iLOtroubleshooting, 205, 206

Console Captureusing, 119

control panel AMS, 72, 73, 76

cookie behaviortroubleshooting, 213

Ddedicated management NIC

enabling, 68default values

DNS name, 19language, 26network settings, 19

password, 19user name, 19deleting

directory groups, 34users, 34

diagnostic toolsusing, 110

directoriesschema free, 159setting up schema free directories, 160

Directories Support for ProLiant Management Processors,189configuring directories with HP Extended Schema, 195Configuring directories with schema-free integration,

198installing, 189naming management processors, 194overview, 189Selecting a directory access method, 193Setting up management processors for directories, 198updating firmware, 191using, 190

directory groupsadding, 32deleting, 34

editing, 32viewing, 30

directory integrationbenefits, 153Kerberos, 153overview, 153troubleshooting, 204, 208troubleshooting logout, 208troubleshooting user contexts, 208

directory servicesmigration, 188settings, 168

directory settings

authentication, 46configuring, 46directory server settings, 46verifying, 49

Directory-enabled remote managementconfiguring, 183overview, 183requirements, 183

DNS name

default, 19documentation

providing feedback on, 222downloading

Active Health System log, 108, 109drivers, 20

Linux, 21 VMware, 21 Windows, 20

EeDirectory integration

Directory services, 175eDirectory Lights-Out Management, 181prerequisites, 175Snap-in installation and initialization for eDirectory, 175

editingdirectory groups, 32users, 30

Emergency Management Services (EMS) Virtual Serial Port, 124 Windows EMS Console, 125

EMS (Emergency Management Services) Virtual Serial Port, 124

enablingdedicated management NIC, 68shared network port, 67

enclosurefan control, 148temperature, 148

encryptionabout, 53configuring, 54connecting to iLO, 55

event logtroubleshooting, 201

Ffan informationviewing, 86

fansiLO Virtual Fan, 148

Firefoxtroubleshooting with Remote Console, 208

firmwareobtaining, 23updating iLO firmware, 22updating with Directories Support for ProLiant

Management Processors, 191

updating with iLO web interface, 24

233



firmware informationviewing, 100

firmware updatetroubleshooting, 215

Ggraceful shutdown

power, 139groups

schema free directory, 163

Hhardware and software links

troubleshooting, 203health summary

viewing, 85hot keys

Remote Console, 121HP Insight Control software

integration, 149HP schema directory integration

configuring, 164installer, 166overview, 164requirements, 165

HP SIMauthorizing SSH keys, 44configuring SSO, 150iLO identification, 150iLO license, 152iLO links, 151Insight Management Intgration, 78integrating with iLO, 150overview, 150port matching, 152single sign-on, 56SNMP alerts, 151troubleshooting, 207viewing iLO, 151viewing iLO status, 150

HP Zero Sign InKerberos, 158, 159

HPLOMIG see Directories Support for ProLiantManagement Processors

hpqLOMRightConfigureSettings, 228hpqLOMRightLocalUserAdmin, 228

hpqLOMRightLogin, 227hpqLOMRightRemoteConsole, 227hpqLOMRightServerReset, 227hpqLOMRightVirtualMedia, 227hpqLOMv100, 226hpqPolicy, 224hpqPolicyDN, 224hpqRole, 224hpqRoleIPRestrictionDefault, 225hpqRoleIPRestrictions, 225hpqRoleMembership, 224hpqRoleTimeRestriction, 226

hpqTarget, 223

hpqTargetMembership, 225

IIdle Connection Timeout

configuring, 36iLO

certificate error, 218configuring, 22overview, 12

using, 80iLO Advanced, 27

installing a license, 20iLO Advanced for BladeSystem, 27iLO controls

using, 82iLO drivers

installing, 20Linux, 21 VMware, 21 Windows, 20

iLO Event Log

clearing, 104overview, 101saving, 103troubleshooting, 201viewing, 101

iLO Functionalityconfiguring, 36

iLO licenseviewing iLO license in HP SIM, 152

iLO Mobile applicationoverview, 13

iLO RBSUaccess settings, 40configuring, 37configuring user accounts, 18network settings, 17security, 40setting up iLO, 16troubleshooting, 205

iLO Security Override Switch, 41iLO Security Override switch

emergency access, 207iLO Shared Network Port, 66iLO Standard, 27iLO Standard for BladeSystem, 27

iLO web interfacebrowser support, 80configuring schema free directory, 162configuring with Directories Support for ProLiant

Management Processors, 162overview, 12setting up iLO, 19updating firmware, 24using, 80using Virtual Media, 130

Insight Management Agentsinstalling, 72

using, 113

234 Index



Insight Management Integrationconfiguring, 78

installerHP schema directory integration, 166

installing Active Directory, 168 Agentless Management Service, 72Directories Support for ProLiant Management Processors,

189

iLO drivers, 20Insight Management Agents, 72language packs, 25license keys, 28

Integrated Management Log, 106clearing, 107maintenance note, 106overview, 104saving, 107viewing, 104

integrationHP Insight Control software, 149

HP SIM, 78, 150introductioniLO, 12

IP addressconfiguring with iLO RBSU, 17IP address and subnet mask restrictions, 186

IP settings, 62IPMI/DCMI

configuring, 36privileges, 32server management, 149

J Java IRC, 116

requirements, 115

KKerberos

computer accounts, 154configuring with CLI, 157configuring with iLO scripts, 156configuring with iLO web interface, 156directory integration, 153generating a keytab, 154HP Zero Sign In, 158, 159

iLO configuration, 155login by name, 159realm names, 154single sign-on, 158, 159time requirement, 157two-factor authentication, 153user accounts, 154user groups, 155

kernel debuggingtroubleshooting, 200

keyboardconfiguring persistent mouse and keyboard, 147

Llanguage

configuring, 26, 27current, 27default, 26

language packsinstalling, 25uninstalling, 27using, 25, 26

licenseinstalling, 28

licensesinstalling, 20viewing in HP SIM, 152

licensing, 205license types, 27Remote Console, 114troubleshooting, 208

Lights-Out Management attributes, LDAP, 226, 227Lights-Out Management classes, LDAP, 226Linux support

Using a Linux session, 127Linux Virtual Serial Port configuration, 124local users

viewing, 29logging in to iLO, 80

first time, 19unknown authority message, 81

loginsecurity, 43troubleshooting, 204

login problemstroubleshooting, 205, 206

Mmaintenance note

Integrated Management Log, 106management settings

configuring, 71memory information

viewing, 94Microsoft software

Directory services for Active Directory, 168migration utilities, 188Minimum Password Length

configuring, 37

mobile applicationoverview, 13

mouseconfiguring persistent mouse and keyboard, 147

Nnetwork connections

setting up, 16network failed flash recovery, 215network settings, 62, 66

troubleshooting, 205, 206network settings tag, 19

NIC information

235



viewing, 97NIC settings, 64

OOnboard Administrator

iLO option, 148using with iLO, 147

overview Active Health System, 107

Agentless Management, 71certificates, 81Directories Support for ProLiant Management Processors,

189directory integration, 153encryption, 53HP schema directory integration, 164iLO, 12iLO Event Log, 101iLO Mobile application, 13iLO web interface, 12Integrated Management Log, 104

power, 139security guidelines, 39SSL, 81text-based Remote Console, 123viewing iLO overview information, 82 Virtual Media, 127

Ppassword

default, 19security, 39

port matchingHP SIM, 152

ports, 206HP SIM, 152

powerbrown-out recovery, 139configuring persistent mouse and keyboard, 147configuring threshold alerts, 146current power state, 144Dynamic Power Capping for server blades, 148efficiency, 139graceful shutdown, 139history, 144iLO power management, 140

managing server power, 140overview, 139power capping, 146Power Regulator for ProLiant, 145server, 139system power restore setting, 142usage, 142

power cappingconfiguring, 146

power informationviewing, 89

Power Regulator for ProLiant

configuring, 145

Dynamic Power Capping for server blades, 148power settings

configuring, 145power switch

Remote Console, 118processor information

viewing, 93proxy server

using with iLO, 206

RRBSU, 66RBSU Erase Option, 218Remote Console

.NET IRC requirements, 115acquiring, 117computer lock settings, 59configuring trust settings (.NET IRC), 60Console Capture, 119creating hot keys, 121customizing iLO Text Console, 126

Java IRC requirements, 115licensing, 114power switch, 118sharing, 119starting, 116text-based, 123troubleshooting, 205, 208using .NET IRC and Java IRC, 114Using a text-based Linux session, 127Using iLO Text Console, 126using Virtual Media, 119

troubleshooting, 123Remote Server Management (RSM)

Linux configuration example, 124Require Login for iLO RBSU

configuring, 37requirements

HP schema directory integration, 165 Virtual Media, 128

resetting to defaults, 217restoring, 217

factory presets, 217RSM (Remote Server Management)

Linux configuration example, 124

SsavingiLO Event Log, 103Integrated Management Log, 107

schema documentation, 223Core attribute definitions, 224Core attributes, 223Core class definitions, 223Core classes, 223Lights-Out Management specific LDAP OID classes and

attributes, 226schema free directories

configuration options, 163

236 Index



configuring with Directories Support for ProLiantManagement Processors, 162

configuring with iLO scripts, 162configuring with iLO web interface, 162nested groups, 163overview, 159setting up, 160

Secure Shell (SSH) Virtual Serial Port, 124

securityconfiguring, 38guidelines, 39iLO RBSU, 40login security, 43passwords, 39remote console computer lock, 59user accounts, 42user privileges, 43

Serial Command Line Interface Speedconfiguring, 37

Serial Command Line Interface Status

configuring, 37serial port, virtual, 124server

managing power, 140powering on, 139

server managementusing IPMI, 149

Server Nameconfiguring, 37

service settingsconfiguring, 34

setting upconfiguring the IP address, 17configuring user accounts using iLO RBSU, 18iLO, 14network connections, 16preparation, 14using iLO RBSU, 16using iLO web interface, 19

settingssystem power restore, 142

shared network portenabling, 67

sharingRemote Console, 119

Show iLO IP during POSTconfiguring, 37

single sign-onconfiguring with HP SIM, 56Kerberos, 158, 159viewing trusted servers, 58

SNMPconfiguring, 74trap definitions, 76

SNMP alertsconfiguring, 75, 76Receiving in HP SIM, 151

SNMP Pass-thru

configuring, 74SNTP settings

configuring, 69SSH

about keys, 43authorizing keys, 44authorizing keys from HP SIM, 44deleting keys, 44key administration, 43

troubleshooting, 212 Virtual Serial Port, 124

SSH clients Authentication Failure Logging, 38

SSLoverview, 81troubleshooting, 216

SSL certificatesadministration, 44importing, 45obtaining, 45viewing, 44

SSOconfiguring with HP SIM, 150starting

.NET IRC or Java IRC, 116status information

viewing, 84storage information

viewing, 98support

Technical support, 220System Erase Utility, 218system information

viewing, 82, 85

Ttechnical support

Technical support, 220telephone numbers

Technical support, 220temperature information

viewing, 87testing

directory settings, 49text-based Remote Console

after POST, 125

customizing, 126during POST, 124overview, 123troubleshooting, 212using, 126Using a Linux session, 127

TPMusing, 42

trap definitionsSNMP, 76

trapstroubleshooting, 206

troubleshooting, 200

237



alerts and traps, 206blocked ports, 206certificate error, 218cookies, 213directory integration, 204, 208directory logout, 208firmware update, 215hardware and software links, 203HP SIM alarms, 207

iLO access, 205iLO Event Log, 201iLO RBSU, 205iLO Security Override switch, 207Inactive .NET IRC, 211IRC f il d t t t 212

Directories Support for ProLiant Management Processors,190

iLO controls, 82iLO web interface, 80Insight Management Agents, 113Onboard Administrator, 147Remote Console, 113

using with iLO, 135

Vverifying

Agentless Management Service installation, 73viewing

active iLO sessions, 85t t t 144