Additional Security Considerations; Two-Factor Authentication - HP AB500A - Integrated Lights-Out Advanced Configuration

Planning and configuration recommendations for integrated lights-out processors

directory service. To increase security, an administrator using directory accounts may want to disable
local accounts or remove them entirely.

Additional security considerations

In addition to implementing directory services, administrators can further raise the security of iLO by
using two-factor authentication certificates, restricting port access, and protecting SNMP traffic.

Two-factor authentication

Many environments benefit from additional security, such as a physical token in addition to user
credentials for access. This is called two-factor authentication; here the two factors are a
password or PIN, and the private key of a digital certificate. Current iLO firmware supports
two-factor authentication as a licensed feature.

Two-factor authentication is web-based and does not work with SSH or scripting: it can only be used
with the web-based interface to iLO, and only with Microsoft Internet Explorer. When the Two-Factor
Authentication feature is enforced, iLO uses digital certificates to authenticate users. Both directory
users and local iLO users can interoperate with two-factor authentication.

The administrator should obtain the public certificate of the certificate authority (CA) that issues user
certificates in the organization. This certificate must be configured as the trusted CA certificate in iLO.

For local iLO users, the administrator must obtain the public certificate of each user requiring access
to iLO. Use the iLO User Administration page to configure the public certificate for each user, and the
View/Modify feature to add the appropriate certificate to each local user account.

For directory users, the administrator should pick the certificate field to be used for authentication. The
certificate field may vary depending on the directory integration method.

Using the Two-Factor Authentication Settings page, the administrator can use the Directory User field
to choose which type of user identification from the certificate is presented to the directory services
(Table 6). These identification types are:
• The distinguished name contained in the certificate's 'Subject' attribute
• The e-mail-like user name in the Subject Alternative Name (SAN) attribute, if a SAN attribute is
included as part of the certificate.
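As an added illustration that is not part of the HP document, the following Go program models the checks just described: a presented user certificate must chain to the CA certificate configured as trusted, and the verifier then extracts the two identification types the Directory User field can present, the Subject DN or the SAN e-mail name. The CA name, user names and e-mail address are constructed for the demo, and the helper names NewCA, IssueUser and IdentifyUser are the example's own, not iLO's.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// IdentifyUser applies the check described in the text: the user certificate must chain to the CA
// configured as trusted. It returns both identification types: Subject DN and SAN e-mail ("" if no SAN).
func IdentifyUser(trustedCA, user *x509.Certificate) (subjectDN, sanEmail string, err error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err = user.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", "", err // not issued by the trusted CA, outside its validity, or not a client-auth cert
	}
	if len(user.EmailAddresses) > 0 {
		sanEmail = user.EmailAddresses[0] // rfc822Name entry of the SAN attribute
	}
	return user.Subject.String(), sanEmail, nil
}
var notBefore, notAfter = time.Now().Add(-time.Hour), time.Now().Add(24 * time.Hour) // demo validity window
// sign issues tmpl under parent with signer's key (self-signed when parent == tmpl); demo helper.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err) // a bad template is a programming error in this demo
	}
	c, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return c
}
// NewCA makes a constructed self-signed CA standing in for the organization's issuing CA.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}
// IssueUser issues a client-authentication user certificate from ca; an empty email omits the SAN attribute.
func IssueUser(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn, email string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if email != "" {
		tmpl.EmailAddresses = []string{email}
	}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}
```

Because verification chains to the key of the CA certificate configured as trusted, a certificate from a different CA that merely reuses the same name is rejected, which is why the trusted CA certificate must be obtained from the organization's real issuing CA.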