HP AB500A - Integrated Lights-Out Advanced User Manual page 47

When two-factor authentication is enabled, access by the CPQLOCFG utility is disabled because
CPQLOCFG does not meet all authentication requirements. However, the HPONCFG utility works
because administrator privileges on the host system are required to execute the utility.
A trusted CA certificate is required for two-factor authentication to function. You cannot change the Two-
Factor Authentication Enforcement setting to Enabled if a trusted CA certificate is not configured. Also,
you must map a client certificate to a local user account if local user accounts are used. If iLO 2 is using
directory authentication, client certificate mapping to local user accounts is optional.
To change two-factor authentication security settings for iLO 2:
Log in to iLO 2 using an account that has the Configure iLO 2 Settings privilege.
1.
Click Administration>Security>Two-Factor Authentication.
2.
Change the settings by entering your selections in the fields.
3.
Click Apply to save the changes.
4.
The Certificate Revocation Checking setting controls whether iLO 2 uses the certificate CRL distribution
points attribute to download the latest CRL and verify revocation of the client certificate. If the client
certificate is contained in the CRL, or if you cannot download the CRL, access is denied. The CRL
distribution point must be available and accessible to iLO 2 when Certificate Revocation Checking is set
to Yes.
The Certificate Owner Field setting specifies which attribute of the client certificate to use when
authenticating with the directory. Only use the Certificate Owner Field setting if directory authentication is
enabled. Configuration of the Certificate Owner Field depends on the version of directory support used,
the directory configuration, and the certificate issuance policy of your organization. If SAN is specified,
iLO 2 extracts the User Principle Name from the Subject Alternative Name attribute and then uses the User
Principle Name when authenticating with the directory (for example, username@domain.extension). For
example, if the subject name is /DC=com/DC=domain/OU=organization/CN=user, iLO 2 will
derive CN=user,OU=organization,DC=domain,DC=com.
Setting up two-factor authentication for the first time
When setting up two-factor authentication for the first time, you can use either local user accounts or
directory user accounts. For more information on two-factor authentication settings, see the "Two-Factor
Authentication (on page 46)" section.
Setting up local user accounts
Obtain the public certificate from the CA that issues user certificates or smart cards in your
1.
organization.
Export the certificate in Base64-encoded format to a file on your desktop (for example, CAcert.txt).
2.
Obtain the public certificate of the user who needs access to iLO 2.
3.
Export the certificate in Base64-encoded format to a file on your desktop (for example, Usercert.txt).
4.
Open the file CAcert.txt in Notepad, select all of the text, and copy it by pressing the Ctrl+C keys.
5.
Log in to iLO 2, and browse to the Two-Factor Authentication Settings page.
6.
Click Import Trusted CA Certificate. The Import Root CA Certificate page appears.
7.
Click inside the white text area so that your cursor is in the text area, and paste the contents of the
8.
clipboard by pressing the Ctrl+V keys.
Click Import Root CA Certificate. The Two-Factor Authentication Settings page appears again with
9.
information displayed under Trusted CA Certificate Information.
Configuring iLO 2 47