Friday 9 January 2015

HP iLO 4 - LDAP and SSL Certificate Implementation

HP iLO 4 - LDAP and SSL Certificate Implementation

I had the opportunity to integrate a BL460c Gen8 Blade running iLO 4 firmware version 2.00 this week with Active Directory and replace the default SSL certificate it uses. The Blade is integrated with OneView 1.10 also to make things more interesting!! I've captured the steps more or less below and though I'd share them as it can be quite frustrating sometimes to get these things to work from product to product and version to version. I can also look back at it myself and recall it for future work!

Replacing the Default SSL iLO Certificate


Firstly you need to edit the network settings in the iLO Configuration page (https iLO administration page, not the POST iLO configuration!).

Open OneView and browse to the Server Hardware section.

Under Hardware click on the iLO IPv4 address to log into the Server’s iLO
Under Overview / Information the iLO Hostname is using a logical serial number, this must be changed to the iLO FQDN before generating the Certificate Signing Request.

Click Network on the left, then iLO Dedicated Network Port

Click the IPv4 Tab and unselect the Enable DHCPv4 option so it and the 6 sub options are ALL deselected. For the Primary, Secondary & Tertiary DNS Server fields enter is appropriate values.
Click Submit

Select the SNTP Tab next and select “Propagate NTP or OA Time to Host” and choose the Primary Time Server as 10.35.80.1 for Telehouse or 10.33.80.1 for Knock. Select the Time Zone “Europe/London (GMT)” and Click Submit
 
 
Go to the General Tab and enter the iLO Subsystem Name (Host Name) and Domain Name as the example below shows:

iLO Subsystem Name (Host Name)
mylovelyilo
Domain Name
lab.local

Click Submit
Information,Overview,iLO Hostname value should now display mylovelyilo.lab.local
Refresh the Blade in OneView to see the Hostname FQDN change to the new value (This didn't always work for me but should update after replacing the SSL cert later I hope!)
The SSL Certificate Process is more straightforward ONCE you've fixed the iLO Hostname. Otherwise after you import the certificate file and reset you'll find the iLO has regenerated the default HP self signed certificate and you've to start over!
In the iLO Click Administration, Security. Click the SSL Certificate Tab. Click Customize Certificate. Under the Certificate Signing Request Information enter the required information based on the following example:

Country (C)
IE
State (ST)
Leinster
City or Locality (L)
Craggy Island
Organization Name (O)
Father Ted
Organizational Unit (OU)
Parochial House
Common Name (CN)
mylovelyilo.lab.local*

* This field will be pre-populated with correct iLO Hostname and does not need to be changed.

Click Generate CSR, wait a few minutes and Click it again and copy the CSR text to Notepad and save using the filename <ilo hostname>.csr and send it to your Certificate Authority.
Once the Certificate is issued, open the CER file and copy the text contents, in the iLO screen Click Import Certificate, paste the details and Click Import and reset the iLO. You can open the certificate to check the iLO Hostname is reflected in the certificate CN.
Refresh the Host in OneView and you should be there.
 
Active Directory Integration
This is bit more straightforward as you've already got the networking setup. One item to get ready in advance is you're only allowed a single Domain Controller entry so HP recommends asking that a DNS round Robin entry be created. This means you get an alias such as mylovelydcs.lab.local which returns one of two or four IP Addresses each time it's queried preventing a loss of service if one should go down. You can still get it with a local iLO account and I'd recommend leaving this option enabled but the AD integration is handy for auditing and tracking purposes.
You'll need an Advanced iLO License to use this feature and I'm sticking with the Schema-free directory integration option here which is much simpler.
Now, create a new AD Group for this purpose and add any users you want to have iLO access into this group. You need to get the LDAP value and SID - I recommend AD Explorer from Sysinternals for this purpose. You point it at your AD with a valid AD user account, search for the new group and copy the LDAP OU structure and SID from the tool.
Now in the iLO administration screen once more go to Administration, Security and Click the Directory Tab. Check the following values:
LDAP Directory Authentication: Use Directory Default Schema
Directory Server Address: <ip of DC for Lab or DNS Alias for round robin DC IPs for Production>
Directory Server LDAP Port: 636 (assumes you've certificates on your DCs or use 389 if in a lab only)
Directory User Context 1: OU=Administrative Users,OU=Testing Lab,DC=Lab,DC=Local
This OU is where the user accounts are all located in my example. If you've a few locations enter each one in turn to capture all the user account locations.
Click Apply Settings, then Click Administer Groups
Edit the default authenticated users group as some point to remove all their privileges as if left ANY AD user can log into iLO, even if they can't make any changes that's unnerving when I encountered this! Add in the AD group (Click New) you plan on using and assign all iLO permissions to it. You'll need the CN of the Group and I recommend adding the SID also. Now log out and test.
CN=iLO User Group,OU=Administrative Groups,OU=Testing Lab,DC=Lab,DC=Local
The SID Value might be:
S-1-6-21-2703213456-12345678910-10987654321-132456
That's it! iLO Configured. I might reset the iLO one more time to check the settings are held and refresh the OneView Server Hardware page of the server to make sure but that's you done!