HP AB500A - Integrated Lights-Out Advanced Technology Brief page 11

HP Integrated Lights-Out security, 6th edition

Once an SSL connection is established, login authentication commences. The iLO device returns a login page to the user that includes a unique session ID and a random session key. The unique session ID points to a session control block, an area of memory where all the session information is stored for that user and that session. Without the session control block, every user request would require the user's credentials to be re-authenticated.

The session ID is time-stamped and valid only for the length of time defined by the SESSION_TIMEOUT parameter. Administrators can set the SESSION_TIMEOUT parameter to 15, 30, 60, or 120 minutes. iLO 2 releases after v1.30 support an Infinite Inactivity Timeout request. This request extends sessions indefinitely.

The combination of the session ID with the session key prevents a session from being hijacked by another authenticated connection.
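
The session control block check described above, modelled as an added example (not HP firmware code and not part of the original brief). The class and method names, the token lengths, and the refresh of the time stamp on each valid request are assumptions made for illustration.

```python
import hmac
import secrets

ALLOWED_TIMEOUTS_MIN = (15, 30, 60, 120)  # SESSION_TIMEOUT values named in the brief

class SessionTable:
    """Hypothetical model of session control blocks keyed by session ID."""

    def __init__(self, timeout_min=30, infinite=False):
        if timeout_min not in ALLOWED_TIMEOUTS_MIN:
            raise ValueError("SESSION_TIMEOUT must be 15, 30, 60 or 120 minutes")
        self.timeout_s = timeout_min * 60
        self.infinite = infinite  # models the Infinite Inactivity Timeout request
        self.blocks = {}          # session ID -> session control block

    def issue(self, now):
        """Create the ID/key pair that is sent with the login page."""
        session_id = secrets.token_hex(8)    # constructed length, not iLO's
        session_key = secrets.token_hex(16)  # constructed length, not iLO's
        self.blocks[session_id] = {"key": session_key, "stamp": now}
        return session_id, session_key

    def validate(self, session_id, session_key, now):
        """Accept a request only if ID, time stamp and key all check out."""
        block = self.blocks.get(session_id)
        if block is None:
            return False
        if not self.infinite and now - block["stamp"] > self.timeout_s:
            del self.blocks[session_id]  # expired: the user must log in again
            return False
        if not hmac.compare_digest(block["key"].encode(), session_key.encode()):
            return False  # known ID, wrong key: request is not from this session
        block["stamp"] = now  # assumption: the time stamp tracks last activity
        return True

def demo():
    """Two sessions on one device; times are seconds on a constructed clock."""
    table = SessionTable(timeout_min=15)
    sid_a, key_a = table.issue(now=0)
    sid_b, key_b = table.issue(now=0)
    return {
        "own_pair": table.validate(sid_a, key_a, now=60),
        "other_users_key": table.validate(sid_a, key_b, now=61),
        "unknown_id": table.validate("no-such-id", key_a, now=62),
        "after_timeout": table.validate(sid_b, key_b, now=15 * 60 + 1),
    }

if __name__ == "__main__":
    print(demo())
```

The `other_users_key` case is the one the brief's hijacking claim rests on: a second authenticated connection that learns a session ID still fails without that session's random key.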

At the client browser, the user enters his login credentials, and the browser generates a unique cookie[4] called hp-iLO-Login. The web server within iLO uses this cookie for authentication and authorization (Figure 4). The browser encodes both the username and the password using base-64 encoding (a reversible encoding, not a cryptographic hash) and incorporates them into the cookie. The cookie also includes the unique session ID and the random session key sent with the login page.

The cookie links the browser window to the appropriate session in the firmware. The firmware tracks browser logins as separate sessions listed in the Active Sessions section of the iLO Status page.

Figure 4. How the browser generates the login cookie used for authentication

The cookie is stored in the memory of the client machine while the browser session is open. Any open browser session may preserve a cookie, including a "spawned" browser session such as the remote console window. The client browser never writes the cookie to its disk drive, and only the client

[4] The iLO cookie has been available in iLO firmware releases beginning with version 1.40.


This manual is also suitable for:

iLO 2 v1.60, iLO v1.91
