Configuring iLO 2
Base64-encoded. A CA processes this request and returns a response (X.509 certificate) that can be
imported into iLO 2.
The CR contains a public/private key pair that validates communications between the client browser
and iLO 2. The generated CR is held in memory until a new CR is generated, iLO 2 is reset, or a
certificate is imported by the generation process. You can generate the CR and copy it to the client
clipboard, leave the iLO 2 website to retrieve the certificate, and then return to import the certificate.
When submitting the request to the CA, be sure to perform the following tasks:
a. Use the iLO 2 name as listed on the System Status screen as the URL for the server.
b. Request that the certificate is generated in the RAW format.
c. Include the Begin and End certificate lines.
Every time you click Create Certificate Request, a new certificate request is generated, even though
the iLO 2 name is the same.
• Import Certificate—Use this button when you are returning to the Certificate Administration page
with a certificate to import. Click Import Certificate to go directly to the Certificate Import screen
without generating a new CR. A certificate only works with the keys generated for the original CR
from which the certificate was generated. If iLO 2 has been reset, or another CR was generated
since the original CR was submitted to a CA, then a new CR must be generated and submitted to the
CA.
You can create a CR or import an existing certificate using RIBCL XML commands. These commands
enable you to script and automate certificate deployment on iLO 2 servers instead of manually deploying
certificates through the browser interface. For more information, see HP Integrated Lights-Out
Management Processor Scripting and Command Line Resource Guide.
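The Import Certificate note above states that a certificate only works with the keys generated for the original CR. As an added example (not part of the HP guide), the following script uses the OpenSSL command-line tool on an administrator workstation to confirm that a certificate returned by the CA carries the same public key as the CR that was submitted. The function names, file names, subject name, and throwaway sample keys are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. iLO 2 keeps the private key internally, so the only things an
# administrator holds are the CR text and the CA's certificate. Comparing the
# public key in each shows whether the certificate belongs to that CR.

# Print the PEM public key of a CR ($1 = req) or a certificate ($1 = x509).
pubkey_of() {
    openssl "$1" -in "$2" -noout -pubkey 2>/dev/null
}

# Returns 0: certificate was issued for this CR. 1: different key. 2: unreadable input.
cert_matches_cr() {
    cr_key=$(pubkey_of req "$1") || return 2
    cert_key=$(pubkey_of x509 "$2") || return 2
    [ -n "$cr_key" ] || return 2
    [ "$cr_key" = "$cert_key" ]
}

# Constructed sample data: two throwaway requests for the same name (the result
# of clicking Create Certificate Request twice) and a self-signed certificate
# standing in for the CA's response to the first request. The key files here
# only exist to build the samples; on iLO 2 the private key never leaves the device.
make_samples() {
    for n in 1 2; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ilo2-example" \
            -keyout "$1/key$n.pem" -out "$1/cr$n.pem" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$1/cr1.pem" -signkey "$1/key1.pem" -days 1 \
        -out "$1/cert1.pem" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_samples "$dir" || { rm -rf "$dir"; return 1; }
    for cr in cr1.pem cr2.pem; do
        if cert_matches_cr "$dir/$cr" "$dir/cert1.pem"; then
            echo "$cr: certificate matches this CR"
        else
            echo "$cr: certificate was issued for a different CR"
        fi
    done
    rm -rf "$dir"
}

demo
```

A mismatch means the certificate was issued for an earlier request, and a new CR must be generated and submitted as described above.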
Two-factor authentication
Access to iLO 2 requires user authentication. This firmware release provides an enhanced authentication
scheme for iLO 2 using two factors of authentication: a password or PIN, and a private key for a digital
certificate. Using two-factor authentication requires that you verify your identity by providing both factors.
You can store your digital certificates and private keys wherever you choose, for example, on a smart
card, USB token, or hard drive.
The Two-Factor Authentication tab enables you to configure security settings and review, import, or delete
a trusted CA certificate. The Two-Factor Authentication Enforcement setting controls whether two-factor
authentication is used for user authentication during login. To require two-factor authentication, click
Enabled. To turn off the two-factor authentication requirement and allow login with user name and
password only, click Disabled. You cannot change the setting to Enabled if a trusted CA certificate is not
configured. To provide the necessary security, the following configuration changes are made when
two-factor authentication is enabled:
• Telnet Access: Disabled
• Secure Shell (SSH) Access: Disabled
• Serial Command Line Interface Status: Disabled
If telnet, SSH, or Serial CLI access is required, re-enable these settings after two-factor authentication is
enabled. However, because these access methods do not provide a means of two-factor authentication,
only a single factor is required to access iLO 2 with telnet, SSH, or Serial CLI.