Authorization And Authentication; Two-Factor Authentication; Directory Services - HP AB500A - Integrated Lights-Out Advanced Technology Brief

Integrated Lights-Out technology: enhancing the manageability of ProLiant servers (technology brief)

Because administrators generally use a network connection to access iLO, HP carefully considered
security requirements of the enterprise and built iLO to provide secure ways to perform the following
functions:
• Authorize and authenticate users
• Encrypt data transmitted over the network between the managed server and the management
console
• Ensure data integrity by using digital signatures and digitally-signed firmware
• Alert administrators of potential login attacks

Authorization and authentication

Authentication refers to determining who is at the other end of the network connection. The iLO
processor incorporates authentication techniques using 128-bit SSL (Secure Sockets Layer) encryption
and two-factor authentication techniques.

Authorization refers to determining whether the user attempting to perform a specific action has the
right to perform that action. The iLO processor provides local user accounts to define up to 12
separate users and to vary each user's access rights to the iLO functions. Integration with Directory
Services allows administrators to create more than 12 user accounts.

Two-factor authentication

Administrators can configure iLO to use two-factor authentication when accessing iLO through a
browser. Two-factor authentication restricts access and ensures reliable user authentication by
requiring a password or PIN and a private key for a digital certificate. Administrators can choose the
type of device used to store the digital certificates and private keys, for example on a smart card or
USB key.

Note: When iLO is configured to use two-factor authentication,
administrators cannot use scripting or SSH communications.

Directory services

Administrators can use directory services to authenticate user access and authorize user privileges for
groups of iLO management processors. Directory services use a central database called a directory to
provide a consistent way to store information about objects such as servers, shared volumes, printers,
network user accounts, and security policies. Maintaining this data in a directory makes it possible for
all servers on the network to access the same user accounts, settings, and authentication services.

The integration feature of iLO directory services uses the standards-based Lightweight Directory Access
Protocol (LDAP) to participate in the authentication and authorization processes of an existing user
database. The iLO processor layers the LDAP protocol on top of SSL to transmit the directory services
information securely to the directory.

HP provides snap-in management programs to ease directory-based administration of Lights-Out
access rights. The snap-in management programs understand how to render, display, and manipulate
Lights-Out objects stored in the directory. They integrate with existing management applications
(Microsoft Management Console for Active Directory and Novell ConsoleOne for eDirectory) so that a
separate administration application is unnecessary.
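
A defender's check for the transport claims above (128-bit SSL for browser sessions, LDAP over SSL for directory traffic), added here as an example and not taken from the HP brief or from HP tooling: it audits the protocol version, cipher suite and key strength that a listener negotiates. The function names, the marker list and the sample sessions are assumptions constructed for illustration; 636 is the standard LDAPS port.

```python
import socket
import ssl

# Protocol versions formally deprecated by the IETF (RFC 6176, RFC 7568, RFC 8996).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL-style name fragments for legacy, export-grade or anonymous suites.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")
MIN_SECRET_BITS = 128  # the key strength the brief cites

# Constructed sample sessions (not captured from a real device).
SAMPLES = {
    "legacy": ("RC4-MD5", "SSLv3", 128),
    "export": ("EXP-DES-CBC-SHA", "TLSv1", 40),
    "modern": ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128),
}


def audit_session(cipher_name, protocol, secret_bits):
    """Return a list of findings for one negotiated session; empty means no finding."""
    findings = []
    if protocol in DEPRECATED_PROTOCOLS:
        findings.append(f"deprecated protocol {protocol}")
    if secret_bits < MIN_SECRET_BITS:
        findings.append(f"key strength {secret_bits} bits is below {MIN_SECRET_BITS}")
    for marker in WEAK_MARKERS:
        if marker in cipher_name:
            findings.append(f"weak algorithm in suite: {marker}")
    return findings


def probe(host, port=636, timeout=5.0):
    """Audit a live LDAPS (636) or HTTPS (443) listener; host and port are caller-supplied."""
    ctx = ssl.create_default_context()  # verifies the certificate chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, _, bits = tls.cipher()
                # version() is the negotiated protocol; cipher()[1] is not.
                return audit_session(name, tls.version(), bits)
    except ssl.SSLError as exc:
        # A handshake that fails under modern client defaults is itself a finding.
        return [f"handshake failed with modern client defaults: {exc}"]


if __name__ == "__main__":
    for label, session in SAMPLES.items():
        print(label, audit_session(*session) or "no findings")
```

The "legacy" sample meets the 128-bit figure yet still produces findings, which is why the check looks at protocol and suite as well as key length.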


This manual is also suitable for:

Integrated lights-out, Integrated lights-out 2