HP AB500A - Integrated Lights-Out Advanced Configuration

Planning and configuration recommendations for integrated lights-out processors

ProLiant BL c-Class blades support Enclosure-Based IP Addressing (EBIPA), an extended version of
ESIP. EBIPA is configured through the Onboard Administrator and simplifies iLO deployment for c-Class blades.

Implementing iLO network security architecture

Before pursuing any single method of access, administrators should be aware that there are a number
of ways to manage user access to iLO. The available management options include:
• Local iLO user accounts, which are the default method
• Directory-based user accounts
• Onboard Administrator access to iLO in c-Class blades
• HP SIM access to iLO using Single Sign-On
• Two-Factor (Smart Card) authentication

Default local iLO user accounts

iLO's standard login security, which uses local user accounts for authentication and authorization, is a
secure and appropriate solution for smaller installations. Administrators can configure a maximum of
12 local users per iLO. The user list must be entered and maintained separately on each iLO device, so
every password change or staff departure has to be replayed on every device; this becomes limiting
with a large number of iLO-enabled servers. The recommended way to implement iLO login security on
larger, more complex networks is to integrate it with the network's existing directory services using
iLO's LDAP-based directory support.

Advantages of directory integration

An administrator can integrate directory services to improve security. Directory services integration
is a licensed feature supported by current iLO firmware; it allows an administrator to authenticate
users and authorize their privileges through the same login process employed throughout the rest
of the network.
The advantages of integrating directory services are:
• Fewer credentials are required. No user account has to be created on each directory-enabled iLO
device. If a user exists in the directory, that account can be used for lights-out processors. After
the lights-out processor is configured, adding the user to the appropriate group grants access to
all associated lights-out processors. iLO records the user's activity in the event log under their
directory name, leaving an audit trail.
• Users are less likely to share an iLO account when they can use their directory user accounts. This
reduces potential "anonymous" access or the treatment of iLO user accounts as "roles."
• The directory becomes the single point for password maintenance, instead of each iLO instance.
This allows implementation of a secure password policy and avoids the downsides of maintaining
password lists.
• Centralized network administration is enabled after a lights-out processor is configured to use the
directory. User administration can take place in a single place, the management console, instead of
at each lights-out processor.
• The directory scales well to larger populations.
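The following is an added example, not HP's code or part of the original whitepaper. It shows the two operations the two preceding sections imply: listing the local accounts that remain on an iLO (the per-device user list that has to be maintained separately), and building the RIBCL request that switches the iLO to LDAP directory authentication, first with local accounts left enabled as a fallback and then with them disabled once a directory login has been verified. The RIBCL element names (`DIR_INFO`/`MOD_DIR_CONFIG`, `USER_INFO`/`GET_ALL_USERS` and the `DIR_*` settings) follow HP's iLO scripting guide, but check them against the guide for your firmware version; the `/ribcl` HTTPS endpoint and the sample reply are assumptions, and the reply XML is constructed for the example.

```python
"""Added example (not HP's code): manage iLO login security through RIBCL.

Builds the RIBCL request that switches an iLO from local accounts to
LDAP directory authentication, and audits the local-account list returned
by GET_ALL_USERS. Element names follow HP's iLO scripting guide; check
them against the guide for your firmware. The reply below is constructed.
"""
import http.client
import re
import ssl
import xml.etree.ElementTree as ET

MAX_LOCAL_USERS = 12          # local-account limit stated in the whitepaper
XML_DECL = re.compile(r"<\?xml[^>]*\?>")


def build_dir_config_request(login_user, login_password, dir_server, object_dn,
                             object_password, user_contexts,
                             keep_local_accounts=True, dir_port=636):
    """RIBCL XML that enables directory authentication on one iLO.

    Keep local accounts enabled until a directory login has been verified,
    then call again with keep_local_accounts=False so the iLO no longer has
    a separately maintained password store to attack.
    """
    ribcl = ET.Element("RIBCL", VERSION="2.0")
    login = ET.SubElement(ribcl, "LOGIN", USER_LOGIN=login_user, PASSWORD=login_password)
    cfg = ET.SubElement(ET.SubElement(login, "DIR_INFO", MODE="write"), "MOD_DIR_CONFIG")
    ET.SubElement(cfg, "DIR_AUTHENTICATION_ENABLED", value="Yes")
    ET.SubElement(cfg, "DIR_LOCAL_USER_ACCT", value="Yes" if keep_local_accounts else "No")
    ET.SubElement(cfg, "DIR_SERVER_ADDRESS", value=dir_server)
    ET.SubElement(cfg, "DIR_SERVER_PORT", value=str(dir_port))   # 636 = LDAP over TLS
    ET.SubElement(cfg, "DIR_OBJECT_DN", value=object_dn)         # this iLO's directory object
    ET.SubElement(cfg, "DIR_OBJECT_PASSWORD", value=object_password)
    for i, ctx in enumerate(user_contexts, start=1):            # where user logins are searched
        ET.SubElement(cfg, f"DIR_USER_CONTEXT_{i}", value=ctx)
    return ET.tostring(ribcl, encoding="unicode")


def build_get_users_request(login_user, login_password):
    """RIBCL XML that lists the local accounts on an iLO."""
    ribcl = ET.Element("RIBCL", VERSION="2.0")
    login = ET.SubElement(ribcl, "LOGIN", USER_LOGIN=login_user, PASSWORD=login_password)
    ET.SubElement(ET.SubElement(login, "USER_INFO", MODE="read"), "GET_ALL_USERS")
    return ET.tostring(ribcl, encoding="unicode")


def dir_config_values(request_xml):
    """Read the MOD_DIR_CONFIG settings back out of a request, for review."""
    cfg = ET.fromstring(request_xml).find("LOGIN/DIR_INFO/MOD_DIR_CONFIG")
    return {el.tag: el.get("value") for el in cfg}


def _wrap(response_text):
    # iLO answers with one <RIBCL> document per command, each with its own
    # XML declaration; strip the declarations and add a root to get valid XML.
    return ET.fromstring("<ROOT>" + XML_DECL.sub("", response_text) + "</ROOT>")


def response_errors(response_text):
    """(STATUS, MESSAGE) for every command the iLO did not accept."""
    return [(r.get("STATUS"), r.get("MESSAGE"))
            for r in _wrap(response_text).iter("RESPONSE") if r.get("STATUS") != "0x0000"]


def parse_local_users(response_text):
    """Local account names from a GET_ALL_USERS reply."""
    return [u.get("VALUE") for u in _wrap(response_text).iter("USER_LOGIN")]


def audit_local_accounts(users, break_glass=("Administrator",)):
    """Which local accounts should be retired once the directory is in use."""
    return {
        "count": len(users),
        "at_limit": len(users) >= MAX_LOCAL_USERS,
        "retire": [u for u in users if u not in break_glass],
    }


def send_ribcl(host, request_xml, cafile):
    """POST a RIBCL request to an iLO over HTTPS (assumes the /ribcl endpoint).

    The request carries credentials in clear text inside the XML, so verify
    the iLO's certificate (install a CA-issued one; do not disable checking).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=30)
    conn.request("POST", "/ribcl", body=request_xml.encode(),
                 headers={"Content-Type": "text/xml"})
    return conn.getresponse().read().decode()


SAMPLE_REPLY = (  # constructed, shaped like an iLO 2 reply to GET_ALL_USERS
    '<?xml version="1.0"?>\n<RIBCL VERSION="2.22">\n'
    '<RESPONSE STATUS="0x0000" MESSAGE=\'No error\'/>\n</RIBCL>\n'
    '<?xml version="1.0"?>\n<RIBCL VERSION="2.22">\n'
    '<RESPONSE STATUS="0x0000" MESSAGE=\'No error\'/>\n<GET_ALL_USERS>\n'
    '<USER_LOGIN VALUE="Administrator"/>\n<USER_LOGIN VALUE="jsmith"/>\n'
    '<USER_LOGIN VALUE="ops-shared"/>\n</GET_ALL_USERS>\n</RIBCL>\n'
)

if __name__ == "__main__":
    users = parse_local_users(SAMPLE_REPLY)
    print("errors:", response_errors(SAMPLE_REPLY))
    print("local accounts:", users, audit_local_accounts(users))
    print(build_dir_config_request("Administrator", "hunter2", "ldap.example.com",
                                   "cn=ilo-bl460c-01,ou=iLO,dc=example,dc=com", "s3cret",
                                   ["ou=Ops,dc=example,dc=com"], keep_local_accounts=False))
```

The audit keeps one break-glass local account (here `Administrator`) because an iLO with local accounts disabled is unreachable if the directory or the network path to it is down; everything else on the list is what the whitepaper's "maintained separately for each iLO device" cost is paying for and should move to directory groups.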
Directory access also provides greater protection against malicious attacks. With local accounts, every
network-connected iLO is a separate credential store and a separate logon target for an intruder. With
directory services, the intruder must get through the directory, a single point that can be hardened and
monitored, to reach multiple iLO devices. Additionally, after each unsuccessful logon attempt iLO
introduces a progressively longer delay before presenting the next logon prompt. This slows automated
password guessing and reduces the chance that an intruder logs in to any iLO device.