manualshive.com logo in svg

HP AB500A - Integrated Lights-Out Advanced, Technology Brief

Technology Brief: The HP AB500A - Integrated Lights-Out Advanced offers advanced remote management capabilities for enhanced control and simplified maintenance of your HP servers. With our user-friendly manual, available for free download from manualshive.com, you can optimize the full potential of this product and streamline your system management effortlessly.

Share
Download
background image

(Figure 6). The iLO Status Summary screen provides general information about iLO, such as all logged 

in users, server name and status, iLO IP address and name, and latest log entry data. At that point, 

the login process is complete. The iLO processor has fully authenticated the user who can then 
perform authorized functions. 

 

Figure 6.

 Example of iLO Status Summary page 

 

 

 

Login process using directory services with HP schema extensions  

Administrators can choose to enable directory services to authenticate users and authorize user 

privileges for groups of iLO management processors. The iLO directory services feature uses the 

industry-standard Lightweight Directory Access Protocol (LDAP). Information about LDAP is provided in 

Appendix C: LDAP/LDAPS definitions

” of this document. HP layers LDAP on top of SSL to transmit the 

directory services information securely to the directory servers. More information about directory 

services is available from the HP website at: 

http://h18004.www1.hp.com/products/servers/management/directorysupp/index.html

Using directory services, the login process includes the steps illustrated in Figure 7. After the web 
browser sends the cookie to iLO, the iLO processor extracts the user credentials from the cookie and 

accesses the directory service to determine which roles are available. First, iLO uses the credentials to 

access the iLO device object in the directory. The directory service returns only the roles for which the 

user has rights. If the user credentials allow read access to the iLO device object and the role object,

5

 

iLO determines the distinguished name

6

 (DN) of the role object and the associated user privileges. 

Then, iLO calculates the current user privileges based on those roles and returns the iLO Status 

Summary page to the client browser. 

                                                 

5

 This happens when the user is a member of the role object or if the user is granted read access to the iLO and 

role objects. 

6

 The distinguished name is the name that LDAP uses to access devices or objects in the directory.

 

13

 

Summary of Contents for AB500A - Integrated Lights-Out Advanced

Page 1: ...cess using directory services with HP schema extensions 13 Login process using directory services with HP default schema 14 Calculating current privileges 15 Login process using two factor authentication 16 Login process for remote console and virtual serial port 18 Single Sign On SSO 20 Authentication and authorization processes for CLI access 23 Encryption 23 Secure Sockets Layer SSL 24 AES encr...

Page 2: ...PONCFG 30 CPQLODOS 31 Terminal services 31 Specific IT infrastructure concerns 31 Operating iLO servers in the DMZ 31 Lights Out Management Integration with Rapid Deployment Pack 33 Communication between iLO and server blades 33 Security Audits 34 General security recommendations 34 Conclusion 34 Appendix A Digital certificates 36 Appendix B SSH 2 support 38 Appendix C LDAP LDAPS definitions 40 Ap...

Page 3: ...e iLO processor and feature sets for particular iLO 2 and iLO products is available on the HP website at www hp com go iLO A glossary in the appendix includes some common computing acronyms not defined in the text Introduction Information technology IT administrators must plan for security across the IT infrastructure Because Integrated Lights Out iLO management processors have such powerful capab...

Page 4: ... iLO processor automatically enforces generation of new unique and site specific keys used by SSL once a customer deploys the server HP cannot determine these site specific keys The iLO management processor does not transmit these keys or any other information to HP from a customer location Comparing the iLO processor to other service processors The iLO management processor and feature set have be...

Page 5: ... failures as well as successful access to the device SSH access and failed attempts alike are logged Using the SSH key mode of authentication makes brute force attacks even less likely to be successful And iLO offers 2 factor authentication which provides an additional layer of security No awareness of attacks in progress iLO captures all login activity successful or not Additionally iLO implement...

Page 6: ...k searches memory for a viable image that contains a recognizable header If a viable image is found the iLO boot block decrypts the signed SHA1 hash using the RSA public key The boot block then computes the SHA1 hash over the entire image If the two SHA1 hashes are equivalent the image is valid and the boot block passes control to the iLO main image to begin executing During the firmware flash pro...

Page 7: ...neral registers which the host server can access through the PCI bus These PCI registers contain only non sensitive information The iLO processor does not secure or try to hide these registers from the host server Protected registers in which the iLO device can lock the write access These registers restrict unwanted behavior such as flashing rogue firmware but they do not restrict information Thes...

Page 8: ...ailable for most ProLiant servers with the iLO processor Even though network traffic and iLO management traffic both flow through the same port it is impossible for management data to flow to the host data stream To ensure that all packets travel to the appropriate destination the shared network port contains two separate Media Access Control MAC addresses inside the NIC one for the iLO traffic an...

Page 9: ...ized to make changes or access a requested environment Finally is it possible for data being sent through iLO to remain confidential The following sections identify the three essential techniques that iLO has or an iLO administrator can use to verify trust Authentication and authorization Encryption Disabling ports and changing port locations Every function of iLO such as the remote console virtua...

Page 10: ...it SSL encryption and the accompanying digital certificates to encrypt web pages HTTP data transmitted across the network SSL encryption ensures that all information and commands issued through the web pages are private An integral part of SSL is a digital certificate see Appendix A Digital certificates The iLO management processor creates its own self signed certificate by default Administrators ...

Page 11: ...n At the client browser the user enters his login credentials and the browser generates a unique cookie 4 called hp iLO Login The web server within iLO uses this cookie for authentication and authorization Figure 4 The browser encodes both the username and the password using a base 64 hash function and incorporates it into the cookie The cookie also includes the unique session ID and the random se...

Page 12: ...edentials Erase SSO proxy credentials Match as SSO No Yes Directory integration Yes No No Attempt directory authentication Authenticated to directory iLO security override switch set No Yes No Login as security override login name Exit error No Yes No Login as Local user Login as SSO user Login as Directory user Yes Yes Yes Yes Record login event Record login failure Log the event Yes No Exit succ...

Page 13: ... directory services is available from the HP website at http h18004 www1 hp com products servers management directorysupp index html Using directory services the login process includes the steps illustrated in Figure 7 After the web browser sends the cookie to iLO the iLO processor extracts the user credentials from the cookie and accesses the directory service to determine which roles are availab...

Page 14: ...s login credentials user name and password get session information from iLO and combine these into a security cookie iLO then uses this cookie to ensure that the user has access to the pages and resources he or she is trying to use If ActiveX is disabled in the browser or the call fails and the name used for login is a DN then the login script will work The login script will also work if this name...

Page 15: ...ces but authorized to access the system only between 8 a m and 5 p m XML scripts could alter privileges administrators could delete a user account directory settings could change and time or address based restrictions could apply Therefore every time a user makes a request iLO re evaluates the user s privileges see the flowchart in Figure 8 If the evaluation is successful the user s request procee...

Page 16: ...et Explorer only This authentication scheme involves using two factors of authentication The user is authenticated by providing both of these factors 1 Something the user knows a password or PIN 2 Something the user possesses the private key for their digital certificate Users have the ability to store their digital certificates and private keys wherever they choose It is likely however that smart...

Page 17: ...ss access to the following ports is automatically disabled SSH Port 22 Telnet Port 23 SSL Port 443 XML traffic only all other traffic remains unaffected If the user wishes the SSH and or Telnet ports can be selectively re enabled through manual intervention It is important to know that the XML port CPQLOCFG access cannot be enabled while two factor authentication is enabled Performing group admini...

Page 18: ...serial port The iLO remote console server monitors the remote console port for connections from the remote console and virtual serial port applets and possibly Telnet Figure 10 shows the steps in establishing a remote console session 1 The user launches the Java applet by clicking on a link in the client browser 2 The link opens a separate browser window 18 ...

Page 19: ...mote console session 6 Comparison of applet and user name permits l Figure 11 shows schematically how iLO constructs the one time login token 1 The original browser session contains a 40 character random session key Programming code stored in the remote console applet generates a 40 character random secret The random session key is concatenated with the random secret 2 The iLO device performs an M...

Page 20: ...s open as long as the server receives a heartbeat once every 30 seconds If the server does not receive a heartbeat within one minute the connection will be closed The iLO v1 91 and iLO 2 v1 30 and later releases include the Remote Console Computer Lock feature With Remote Console Computer Lock the operating system console self locks when the session is closed or is timed out Even though the sessio...

Page 21: ...dding the BladeSystem Integrated Manager 2 4 or later exposes SSO capability for iLO processors in blades The SIM SSO provides the following capabilities Importing one or more SIM certificates Automatic certificate importation to ease initial setup Manual SSO certificate importation Support for certificate revocation SIM role to user privilege mapping Redirect to the SIM console for SSO Modificati...

Page 22: ...ent replay attacks 4 HP SIM builds a signed link incorporating the resource secret user and HP SIM 5 Client browser redirects to the link at the Integrated Lights Out processor 6 iLO validates the request based on the request contents iLO configuration secret and HP SIM source Authenticated requests receive the resource SIM SSO does not affect the local iLO user SSO trust is iLO based and can be d...

Page 23: ... for exchanging the public and private keys during the SSH protocol negotiation 3 The protocol negotiation task completes the key exchange 4 The protocol negotiation task then spawns a task for checking authentication timeout and another task for performing the authentication The authentication task is also used for reading from the SSH port once authentication completes successfully 5 The task fo...

Page 24: ...ommunication and the LDAP server provides server side communication Popular AES cipher strengths are supported through the web browser XML and SSH Remote console and virtual serial port data encryption The iLO processor uses the RC4 streaming cipher algorithm a variable key size stream cipher with byte oriented operations to encrypt the remote console and virtual serial port sessions Unlike a bloc...

Page 25: ...s These new keys are used to create a new set of RC4 data The server sends a signal to the client indicating that it has generated the new RC4 data and will begin communicating using the new cipher The client will perform the same operation when it sees the signal It then sends a signal to the server indicating that it is using the new RC4 data The signal is implemented with a byte insertion proto...

Page 26: ...ntication is enabled for web browser access access to the following ports is automatically disabled SSH Port 22 Telnet Port 23 XML Port 443 If desired the user can selectively re enable the SSH and or Telnet ports Table 1 Default port locations for iLO Port Number Protocol Can Port Number be Changed Supports Enabled by default 22 SSH Yes SSH Connections Yes 23 Telnet Yes Remote graphical console R...

Page 27: ...hat only administrators be granted access to that network This not only improves performance by reducing traffic load across the main network it also acts as the first line of defense against security attacks A separate network allows administrators to physically control which workstations are connected to the network Figure 14 The iLO processor relative to the network and host server Web browser ...

Page 28: ...he Disabled mode no application including the remote console or virtual serial port applet can connect to port 23 Finally any potential security risk of the Telnet port across the network is reduced because the remote console and virtual serial port applets have strong authentication and authorization processes Multi user Integrated Remote Console IRC Beginning with the iLO v1 91 and iLO 2 v1 30 r...

Page 29: ... allow inbound SNMP traffic into the host server only if it comes from a predetermined management workstation Administrators can also set the passwords community strings according to the same guidelines as administrative passwords Finally administrators can disable SNMP entirely Systems Insight Manager Systems Insight Manager checks for an iLO presence by starting an HTTP session The default port ...

Page 30: ...e server The iLO driver enables the other iLO integration services such as RBSU Terminal Services pass through HPONCFG and the agents RBSU RBSU allows users to initially configure iLO and iLO user accounts Every time the server boots RBSU is available to anyone with access to the server console Therefore RBSU requires strong security Administrators can configure RBSU to require valid user credenti...

Page 31: ...that any active security measures are established between the Microsoft terminal services client and Microsoft s RDP service The Terminal Services port is the second of two ports in iLO that allow traffic to be passed to the host OS through the iLO driver Administrators can disable the Terminal Services Pass Through port Specific IT infrastructure concerns Customers have questioned security issues...

Page 32: ...an initial line of defense Behind this router is a firewall system There is no direct connection from the Internet or the external router to the internal network All traffic to or from the internal network must pass through the firewall system An additional router which filters packets destined for the public services in the DMZ protects the internal network from public access The firewall is a mu...

Page 33: ... Altiris eXpress Deployment Solution and the ProLiant Integration Module The ProLiant Integration Module consists of software optimizations including the SmartStart Scripting Toolkit Configuration Events for leading industry standard operating systems sample unattended files and ProLiant Support Packs containing software drivers management agents and important documentation Servers can be deployed...

Page 34: ...hould be changed immediately to a more relevant password Administrators should change the iLO management passwords with the same frequency and according to the same guidelines as the server administrative passwords Passwords should include at least three of these four characteristics numeric character special character lowercase character and uppercase character Implement directory services This a...

Page 35: ...rver traffic A networked environment has inherent security risks The iLO processor mitigates many of these risks through authorization authentication and encryption Administrators can further decrease the chance of attacks by following security recommendations being aware of access points to the iLO devices and their host servers and configuring their networks to eliminate any unnecessary services...

Page 36: ... authority wJD3Wsm8VqCQSjK YpwOcVCcCG Ai drsqz4E Name of issuing certificate authority CA DN o ACME c US A digital signature typically uses the sophisticated encryption of the RSA encryption algorithm rather than a simple hashing signature Figure A 1 The RSA algorithm developed by Rivest Shamir and Adleman is widely used for encrypting data using a public key private key system Also known as asymm...

Page 37: ...Figure A 1 Example of how a digital signature works 37 ...

Page 38: ...fish192 cbc Optional Not supported twofish128 cbc Recommended Not supported aes256 cbc Optional Not supported aes192 cbc Optional Not supported aes128 cbc Recommended Supported serpent256 cbc Optional Not supported serpent192 cbc Optional Not supported serpent128 cbc Optional Not supported Arcfour Optional Not supported idea cbc Optional Not supported cast128 cbc Optional Not supported None Option...

Page 39: ...al Not supported Spki sign dss certificates Optional Not supported Pgp sign rsa certificates Optional Not supported Pgp sign dss certificates Optional Not supported Client User Authentication Method None Must not be listed Public key Required Not supported Host based Optional Not supported Password Supported Client User authentication parameters Default authentication timeout 10 minutes recommende...

Page 40: ...sting operations Schema is published in the directory for use by clients The LDAP protocol is used to read from and write to Active Directory By default LDAP traffic is transmitted unsecured System administrators can make LDAP traffic confidential and secure by using SSL Transport Layer Security TLS technology Administrators can enable LDAP over SSL LDAPS by installing a properly formatted certifi...

Page 41: ...s a sublayer of the data link layer in the OSI model of network communication In the Ethernet standard every network connection must support a unique MAC value NIC Network interface controller NVRAM Non volatile random access memory This is memory that maintains data across power cycles OSI model OSI stands for Open System Interconnection a seven layer protocol model for defining a networking fram...

Page 42: ...blic wires the Internet to connect nodes These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted Source www webopedia com XML Extensible markup language HTML and RIBCL are subsets of XML ...

Page 43: ...tml Software and drivers for lights out processors www hp com go ilo Lights out supported servers www hp com servers ilo supportedservers Information about iLO 2 Advanced licenses www hp com servers iloadv2 Call to action Send comments about this paper to TechCom HP com 2004 2006 2007 2008 Hewlett Packard Development Company L P The information contained herein is subject to change without notice ...

Reviews:

No comments

Related manuals for AB500A - Integrated Lights-Out Advanced

nvent SCHROFF 11850-016 User Manual preview
SCHROFF 11850-016
Brand: nvent Pages: 18
IBM xSeries 235 User Manual preview
xSeries 235
Brand: IBM Pages: 66
Cable-Tronix CT-HDIPSS Installation & Configuration Manual preview
CT-HDIPSS
Brand: Cable-Tronix Pages: 33
IBM P 615 series Service Manual preview
P 615 series
Brand: IBM Pages: 491
Ubiquiti UniFi UAS-PRO Quick Start Manual preview
UniFi UAS-PRO
Brand: Ubiquiti Pages: 28
Seyeon FW3150 User Manual preview
FW3150
Brand: Seyeon Pages: 10
IBM eServer xSeries 205 Type 8480 Hardware Maintenance Manual And Troubleshooting Manual preview
eServer xSeries 205 Type 8480
Brand: IBM Pages: 168
DataCard 500 Datasheet preview
500
Brand: DataCard Pages: 2
Kenwood HAM RADIO DELUXE User Manual preview
HAM RADIO DELUXE
Brand: Kenwood Pages: 16
Viavi G4-GigaFlow Manual preview
G4-GigaFlow
Brand: Viavi Pages: 11
Meinberg IMS-M4000 Manual preview
IMS-M4000
Brand: Meinberg Pages: 112
DEVA DB4000 Maintenance And Operation Instruction Manual preview
DB4000
Brand: DEVA Pages: 90
360 Systems MAXX-1200-EX Operation Manual preview
MAXX-1200-EX
Brand: 360 Systems Pages: 148
3Com OfficeConnect 3C19500 Installation Manual preview
OfficeConnect 3C19500
Brand: 3Com Pages: 1
Planex Mini300 User Manual preview
Mini300
Brand: Planex Pages: 75
Planex Mini100 User Manual preview
Mini100
Brand: Planex Pages: 89
Planex MZK-NAS01SG User Manual preview
MZK-NAS01SG
Brand: Planex Pages: 86
Lantronix MSS4 Installation Manual preview
MSS4
Brand: Lantronix Pages: 76

Brands by name

Popular brands

Load more brands