HP AB500A - Integrated Lights-Out Advanced Configuration

Planning and configuration recommendations for integrated lights-out processors
Table of Contents

Planning and configuration recommendations
for Integrated Lights-Out processors
technology brief, 2nd edition

Abstract 3
Introduction 3
IT environment assessment 3
Planning considerations for network configuration 4
  Private management network 4
  Network port configurations available to iLO 5
    iLO common network 5
    iLO Shared Network Port 5
    iLO on dedicated management network 6
    Considerations when configuring the iLO network 7
    Network cabling in dense rack environments 7
    Out-of-band management using iLO's virtual serial port 8
iLO configuration 9
  Single iLO device 9
  Multiple iLO devices 9
    Automated setup 9
    Initial deployment 10
  iLO network settings 10
    Naming conventions 10
    Proxy servers 10
    Configuring IP port assignments 10
    IP port assignment for blades 11
Implementing iLO network security architecture 12
  Default local iLO users accounts 12
  Advantages of directory integration 12
  How to begin directory implementation 13
  Methods for directory services implementation 13
  HP default schema method 14
    Support for nested groups 15
  HP extended schema method 15
    Required Software 15
    Extending the directory schema 16
    Roles 16
  Integrating iLO login into complex network directories 17
  Configuring iLO to access the directory service 18
  Local versus directory accounts 18
  Additional security considerations 19
    Two-factor authentication 19
    Restricting access to the Remote Console port 20


Summary of Contents for HP AB500A - Integrated Lights-Out Advanced

  • Page 1: Table Of Contents

    Planning and configuration recommendations for Integrated Lights-Out processors, technology brief, 2nd edition. Abstract 3; Introduction 3; IT environment assessment 3; Planning considerations for network configuration 4; Private management network 4; Network port configurations available to iLO 5; iLO common network ...
  • Page 2 Protecting SNMP traffic 21; Using iLO with other HP management tools 21; Integration with HP Systems Insight Manager 21; Configuring iLO for access with Systems Insight Manager Single Sign-on 23; How it works 23; Integrating iLO usage with Onboard Administrator 23; Unattended server deployment ...
  • Page 3: Abstract

    Abstract This document identifies specific planning and configuration practices for using the HP Integrated Lights-Out (iLO) and the HP Integrated Lights-Out 2 (iLO 2) management processors to reduce complexity and simplify management of the datacenter and remote sites. Although management processors may not be applicable in all computing environments, HP recommends implementing these guidelines as appropriate to the specific IT infrastructure.
  • Page 4: Planning Considerations For Network Configuration

    Table 1. Assessing the IT environment
    Target: Asset management
    Criteria: Where are servers located (in datacenters or at remote sites)? Where would it be helpful to use iLO? How many servers exist in the computing ...
    Potential improvement: Deploying iLO can eliminate the need for keyboards, video monitors, and mice, which reduces cabling complexity and increases server density in the datacenter.
  • Page 5: Network Port Configurations Available To Ilo

    Network port configurations available to iLO Possible configurations between the system network interface card (NIC) and the iLO-based NIC provide the user with choices to best suit individual system requirements (Figure 1). Choosing between these options depends on knowing the benefits and cautions connected with each. Figure 1.
  • Page 6: Ilo On Dedicated Management Network

    issue to consider when implementing the iLO common network approach is that there will be an increase in traffic on the corporate network. A corporate network configuration reduces the amount of networking hardware and infrastructure required to support iLO because iLO uses existing DNS and DHCP servers and routers. Additionally, with iLO 2 only, the shared network port performance is comparable to the iLO Dedicated Network Port.
  • Page 7: Considerations When Configuring The Ilo Network

    Considerations when configuring the iLO network Administrators can use a hierarchical decision tree (Figure 2) to analyze the benefits of choosing particular network configurations. Figure 2. Planning iLO network implementation (decision tree nodes: How to implement iLO network; Is there a dedicated management network?; Deploy iLO on ...; Should iLO be...)
  • Page 8: Out-Of-Band Management Using Ilo's Virtual Serial Port

    Figure 3. Consolidating multiple iLO devices into a single rack-mounted access switch Out-of-band management using iLO’s virtual serial port The Virtual Serial Port (iLO) and Remote Serial Console (iLO 2) functions allow access to the physical serial port of the server virtually through the iLO network connection. These two functions are technically equivalent;...
  • Page 9: Ilo Configuration

    iLO configuration Each iLO device can be configured individually in multiple ways: through the ROM-Based Setup Utility (RBSU), through the web browser interface, through the Command Line Protocol (CLP), or through a scripted setup over the network or from the host. This allows the administrator to configure iLO using the appropriate means for their environment, and enables 1:1 configuration (such as using a browser) or 1:many configuration (such as using a scripted setup).
  • Page 10: Initial Deployment

    Software and links:
    HPONCFG.EXE for Linux: http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?lang=en&cc=us&prodTypeId=18964&prodSeriesId=1146658&prodNameId=1135772&swEnvOID=2025&swLang=8&mode=2&taskId=135&swItem=MTX-0e9ae397b9224e3dae2fb457d5
    XML scripting sample for Windows: http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?lang=en&cc=us&prodTypeId=18964&prodSeriesId=1146658&prodNameId=1135772&swEnvOID=1005&swLang=8&mode=2&taskId=135&swItem=MTX-84d9a19b43b84516ac2d26d01f
    Initial deployment HP recommends using a bar code scanner to further facilitate automation. Appendix A discusses, in detail, how to use these utilities, their respective sample script files and the bar code reader in order to automate the deployment and configuration of multiple iLO devices.
  • Page 11: Ip Port Assignment For Blades

    to access iLO through a firewall and use HP Systems Insight Manager (HP SIM) as the data collection vehicle for port changes. For an iLO device to work properly when going across routers using port blocking and/or firewalls, ports 23, 80, 443, and 17988 must be open. Table 3.
  • Page 12: Implementing Ilo Network Security Architecture

    ProLiant BL c-Class blades support Enclosure-Based IP Addressing (EBIPA), an extended version of ESIP. Configured via the Onboard Administrator, this simplifies deployment of c-Class blades. Implementing iLO network security architecture Before pursuing any single method of access, administrators should be aware that there are a number of ways to manage user access to iLO.
  • Page 13: How To Begin Directory Implementation

    How to begin directory implementation Information helpful for understanding directory implementation is available in the Integration Note, "Integrating HP ProLiant Lights-Out processors with Microsoft Active Directory" available in ‘For more information’ at the end of this paper. Figure 4 details the process for directory implementation and the basic decisions administrators must make.
  • Page 14: Hp Default Schema Method

    These two methods accomplish integration with a network’s directory services in the following manner. • HP Default Schema method (without HP Schema Extensions). This method allows the iLO to authenticate a user against groups that already exist in the network’s directory schema. The Default Schema method is more straightforward, leveraging the existing directory structure for authentication and avoiding potential issues and complexities associated with modifying the directory structure and dealing with domain and forest trust relationships.
  • Page 15: Support For Nested Groups

    If the default schema method is being deployed, it is not necessary to extend the directory schema with the HP schema extensions. If the directory schema has previously been extended, the default schema method may also be deployed. The default schema method of authenticating directory users is supported only with Microsoft Active Directory.
  • Page 16: Extending The Directory Schema

    Software and location:
    HP Smart Component installation for directories support: http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?lang=en&cc=us&prodTypeId=18964&prodSeriesId=1146658&prodNameId=1135772&swEnvOID=1005&swLang=8&mode=2&taskId=135&swItem=MTX-UNITY-I23896
    Note: The directory integration package runs under Windows only but has general content applicable to other OS. This software includes: • Schema Installer, which extends the existing directory schema. •...
  • Page 17: Integrating Ilo Login Into Complex Network Directories

    “local admin” can access only the rights specified for that role (such as login access and Remote Console) and only at specified times (such as from 8:00 a.m. to 5:00 p.m.) and locations (such as from a specific IP address). Roles can model very complex relationships and it is important to remember that users can be grouped into one or more roles.
  • Page 18: Configuring Ilo To Access The Directory Service

    Figure 5. Directory implementation: Directory Forest with Two Domain Trees (ABCHoldings.com and ABCcorp.com; subdomains Sales.ABCCorp.com, Finance.ABCcorp.com, Sales.ABCHoldings.com, Finance.ABCHoldings.com; iLO Role and Users objects; Two Way Transitive Trust). Configuring iLO to access the directory service The directory server field can be configured with a DNS name or an IP address. The DNS name can be the DNS name of a single server or the DNS name of a domain.
  • Page 19: Additional Security Considerations

    directory service. To increase security, an administrator using directory accounts may want to disable local accounts or remove them entirely. Additional security considerations In addition to implementing directory services, administrators ensure security by including two-factor certificates, restricting port access, and protecting SNMP traffic. Two-factor authentication Many environments benefit from additional security such as a physical token in addition to user credentials for access.
  • Page 20: Restricting Access To The Remote Console Port

    Table 6. Example of distinguished and SAN user names Authentication Directory User Field User Identification Method Default Schema distinguished name CN=john.doe@MyCompany.com,OU=IT,DC=MyCompany,DC=com john.doe@MyCompany.com Use of the SAN will: • Authenticate against MS Active Directory, since AD has LDAP extensions that can map the SAN to the correct user.
  • Page 21: Protecting Snmp Traffic

    iLO 2 Remote Console settings • The Enabled setting turns on the telnet port and disables encryption so that telnet access is available. • The Disabled setting turns off the telnet port so that telnet access is not available. • Regardless of this setting, the iLO remote console and integrated remote console are always available in the encrypted mode.
  • Page 22 Figure 6. Device list in HP SIM The administrator can configure the iLO device for proactive management by allowing SNMP trap delivery to HP SIM. Up to three TCP/IP addresses can be configured to receive SNMP alerts. Typically, the administrator configures one address to be the same as the TCP/IP address of the HP SIM server console, while the others can be backup monitoring consoles.
  • Page 23: Configuring Ilo For Access With Systems Insight Manager Single Sign-On

    Configuring iLO for access with Systems Insight Manager Single Sign-on SIM Single sign-on allows a SIM user to access iLO directly from Systems Insight Manager without having an extra iLO login step. iLO rights are governed by the user’s HP SIM role. Use of this feature requires iLO 2 v1.30 and HP SIM 5.1 with SIM 5.1 Hotfix to add iLO 2 single sign-on support.
  • Page 24 Figure 7. Onboard Administrator access to iLO Users log in to Onboard Administrator using one of the following methods: • Local User (i.e. Onboard Administrator’s local user list) • Authentication against the network Directory using the Default Schema method • Access through Insight Manager single sign-on. Onboard Administrator uses roles-based administration, assigning one of the following roles to each user that logs in - Administrator, Operator, User.
  • Page 25: Unattended Server Deployment

    Onboard Administrator has the capability to restrict access to individual bays in an enclosure on a Local User or Directory group basis. If the user does not have Onboard Administrator rights to access a given bay, then there is no access to the iLO for that Bay/server through Onboard Administrator, although there may well be access to it directly through the user iLO login account.
  • Page 26: Taking Advantage Of Advanced Remote Consoling

    From the Deployment Server Console in RDP, right-click the server. Select Power Control and then RILOE/iLO - Interface as shown in Figure 9. This provides easy access to the iLO management features. Figure 9. Server deployment with iLO, the Virtual Floppy, and the SmartStart Scripting Toolkit Using the Altiris Boot Disk Creator Utility, an administrator can create boot floppies.
  • Page 27 • The session leader retains ultimate control of the session, although keyboard and mouse control can be relinquished to one of the other participants. • Up to three additional users can share the session. • For more on basic operation of Shared Remote console, please see the Users Guide link in “For more information.”...
  • Page 28: Configuring And Managing Console Replay

    Figure 10. Shared Remote Console architecture (diagram labels: Managed Server with iLO 2; Port 23; Port 9300; Remote Console Session Leader; two Remote Console Session Sharers). Configuring and managing Console Replay iLO 2 ver. 1.30 allows the capture of both of the following for replay and analysis: •...
  • Page 29: Creating A Central Repository For Use With Ilo's Virtual Media Feature

    • Location of the Storage server for capture files is another decision that needs to be made. The iLO devices write files to the configured web server, while administrative clients will be pulling those files for replay from the configured server to the client workstations. In order to optimize playback performance, it is probably a good idea to ensure that a low-latency network path is available between the web server(s) being used for storage and the administrative workstations from which the capture files will be accessed.
  • Page 30: Xml Examples

    Version 2.20 or above of CPQLOCFG.EXE is required to configure iLO Directory Settings using RIBCL scripts. Be sure that the Lights-Out Configuration Utility is in a directory referenced by the PATH environment variable. Table 8 identifies the CPQLOCFG.EXE switches and their functions. Table 8.
  • Page 31: Scripting Web Server Requirements

    Server Management Architecture for Server Hardware (SMASH) Command Line Protocol (CLP) Specification, 1.00 Draft. Either SSH or Telnet access to iLO supports the CLP, which can invoke a Remote Console connection as well as a Virtual Serial Port connection. The oemhp_image value is a URL. The URL is limited to 80 characters, specifies the location of the virtual media image file on an HTTP server, and is in the same format as the scriptable virtual media image location.
  • Page 32: Hp Systems Insight Manager

    managed using HP SIM or CPQLOCFG.EXE and script (batch) files. “Appendix A” and “Appendix B” depict specific scenarios to ease mass-configuration of iLO devices and to ease mass-deployment of iLO-based servers, respectively. HP Systems Insight Manager Administrators can manage multiple iLO devices through HP SIM by using the following components: Remote Insight board Command Language (RIBCL) –...
  • Page 33: Appendix A

    The CPQLOCFG utility is used to provide remote client-side configuration capability. Multiple iLO devices can be accessed from one client device to perform simultaneous configuration and management. The HPONCFG utility provides host-side configuration and management, and can access only the iLO device on the host system it is running on. The advantage of using HPONCFG is that no iLO login is required (the host operating system provides the security), and the network address of the iLO need not be known.
  • Page 34: Command-Line Switches

    Command-line switches Table A-1 shows an example of the Perl script command: perl ilodply.pl -[s|i|m] <dnsfile.*> <file.*> -d <dnsSuffix> Table A-1. Perl script command-line switches Switch Function Comments Switch to scan/enter The desired new DNS names should be located in the management processor file specified by <dnsfile.*>.
  • Page 35: Updating Ilo Devices

    • Now, all management processors defined in websrv.txt can be set up with the XML script, ilotpl.xml, by invoking ilodply.pl with the following command line options: • perl ilodply.pl -i websrv.txt ilotpl.xml -d nuclear.plant • To verify that an XML script executed correctly on a particular management processor, the log file generated by CPQLOCFG.EXE can be viewed.
  • Page 36: Appendix B

    Appendix B Using a RAM drive to ease mass-deployment of iLO-based servers Mass deployment and configuration of operating systems to iLO-based servers can be accomplished in a variety of different ways. One method that can be utilized to ease the task and save time is to utilize the virtual media feature of iLO.
  • Page 37: The Custom Deployment Tool

    Create an autoexec.bat file that contains the following:
        path=c:\;c:\net;c:\batch;a:\
        md c:\net
        md c:\batch
        copy a:\batch\*.* c:\batch\*.*
        a:\pkunzip -d a:\net.zip
        REM Launch the process
        c:\batch\cpqlodos /get_nicconfig > c:\batch\ilo.txt
        c:\batch\SETUPNET.EXE c:\batch\mapping.txt C:\net c:\batch\ilo.txt c:\batch\ghst.bat > c:\batch\setvars.bat
        c:\batch\netstart
    The process expands the entire net and batch directories (that come with making a diskette with CPQIMAGE.EXE ) into the RAM drive.
  • Page 38 Note that this method can be modified to incorporate additional or different setup/configuration information for the specific desired operating system deployment. The information content is simply placed into the mapping.txt file, on the line that pertains to the specified server. This method allows the deployment operation to be fully automated, such that it can proceed unattended and at full speed.
  • Page 39: For More Information

    Send comments about this paper to TechCom@HP.com. © 2004, 2006, 2007, 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services.