HP AB500A Integrated Lights-Out Advanced Technology Brief: Directory Services; SNMP; Systems Insight Manager; Access to iLO by Means of a Physical Connection

HP Integrated Lights-Out Security, 6th edition

Directory services

The iLO processor uses SSL-protected LDAP (LDAPS) to communicate with the directory server. For a
more detailed discussion of LDAPS, refer to "Appendix C: LDAP/LDAPS definitions" in this document.
Using directory services is generally considered to be more secure than using local iLO user accounts
for the following reasons:
• Administrator accounts are not shared among multiple people (a common practice with local
accounts).
• Password protection is enforced by the directory.
• Role-based access allows for detailed time and place access restrictions.
• Maintenance functions (such as changing rights for multiple users) are performed once at the
directory rather than multiple times for each iLO device.
Administrators who use the Lights-Out migration utility to migrate from local accounts to directory
accounts also access iLO through the network. The utility is built on top of the XML infrastructure of
CPQLOCFG, so it has the same security advantages as CPQLOCFG: strong authentication, ability to
change port numbers, and the use of encryption.

SNMP

The iLO device acts strictly as a pass-through service for SNMP functions. The SNMP port is one of
only two ports in iLO that allow traffic to be passed to the host OS through the iLO driver. Because it
does not encrypt data, there could be security concerns about the data that iLO passes from the host
server, such as the OS, type of processor, number of I/O devices, and so on. If administrators want to
continue to use the SNMP functions, they can configure firewalls and routers to accept only specific
source and destination addresses. For example, an administrator can allow inbound SNMP traffic into
the host server only if it comes from a predetermined management workstation. Administrators can also
set the passwords (community strings) according to the same guidelines as administrative passwords.
Finally, administrators can disable SNMP entirely.

Systems Insight Manager

Systems Insight Manager checks for an iLO presence by starting an HTTP session. The default port
setting for this session is Port 80. Administrators can change this port number. Tight integration
between iLO and Systems Insight Manager means that information such as the server serial number,
iLO status, iLO serial number, hardware revision, and firmware revision is available through the
Insight Management software. By using the following settings, administrators can control whether
information is returned for a Systems Insight Manager request:
• Enabled—associations are present and data is present on the summary page.
• Disabled—no data is returned to Systems Insight Manager.

Access to iLO by means of a physical connection

Someone physically present at the host server can access iLO in one of two ways:
• through the physical serial port on the host server
• by means of the iLO Security Override jumper

Host server serial port

Users with access to the host server serial port can access the iLO CLI and perform many iLO functions
(such as resetting power or using the text-based remote console) on the host server. A potential risk is
that the connection from the host serial port to the CLI is not encrypted. However, because this is a
point-to-point (and physical) connection, it is presumed that anyone with physical access is authorized
to access iLO. There is no risk of someone intercepting the data on the point-to-point connection.
Because the server serial port connects to the iLO CLI, administrators can disable the SSH/CLI