Two-factor authentication – HP Integrated Lights-Out User Manual


Configuring iLO 2 48

Two-factor authentication

Access to iLO 2 requires user authentication. This firmware release provides an enhanced authentication scheme for iLO 2 using two factors of authentication: a password or PIN (something you know), and the private key of a digital certificate (something you have). Using two-factor authentication requires that you verify your identity by providing both factors. You can store your digital certificates and private keys wherever you choose, for example, on a smart card, USB token, or hard drive.
The Two-Factor Authentication tab enables you to configure security settings and review, import, or delete a trusted CA certificate. The Two-Factor Authentication Enforcement setting controls whether two-factor authentication is required during login. To require two-factor authentication, click Enabled. To turn off the requirement and allow login with user name and password only, click Disabled. You cannot change the setting to Enabled until a trusted CA certificate is configured. To provide the necessary security, the following configuration changes are made when two-factor authentication is enabled:

Telnet Access: Disabled
Secure Shell (SSH) Access: Disabled
Serial Command Line Interface Status: Disabled

If telnet, SSH, or Serial CLI access is required, re-enable these settings after two-factor authentication is enabled. However, because these access methods do not provide a means of two-factor authentication, only a single factor (the user name and password) is required to access iLO 2 with telnet, SSH, or Serial CLI. Re-enabling them therefore leaves a password-only path into iLO 2 that bypasses the certificate factor; leave them disabled unless they are actually needed.

When two-factor authentication is enabled, access by the CPQLOCFG utility is disabled because CPQLOCFG does not meet all authentication requirements. However, the HPONCFG utility continues to work because administrator privileges on the host operating system are required to execute it.
A trusted CA certificate is required for two-factor authentication to function: the client certificate presented at login must be issued by that CA. Also, you must map a client certificate to a local user account if local user accounts are used. If iLO 2 is using directory authentication, client certificate mapping to local user accounts is optional.
To change two-factor authentication security settings for iLO 2:

1. Log in to iLO 2 using an account that has the Configure iLO 2 Settings privilege.
2. Click Administration>Security>Two-Factor Authentication.
3. Change the settings by entering your selections in the fields.
4. Click Apply to save the changes.

The Certificate Revocation Checking setting controls whether iLO 2 uses the certificate's CRL Distribution Points attribute to download the latest CRL and verify that the client certificate has not been revoked. If the client certificate is listed in the CRL, or if iLO 2 cannot download the CRL, access is denied (the check fails closed). The CRL distribution point must therefore be available and accessible to iLO 2 when Certificate Revocation Checking is set to Yes; an unreachable distribution point locks out every certificate-based login.
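The fail-closed decision described above, written out as an added example (this is not HP's code and says nothing about how the iLO 2 firmware is implemented) in Python with the `cryptography` package. The CA, the two client certificates, the CRL and the distribution point URL `http://pki.example.test/ca.crl` are all constructed inside the block, and the `fetch` callback stands in for the HTTP download; `revocation_check` denies on every failure path: missing distribution point, download error, unparseable CRL, mismatched issuer, bad CRL signature, stale CRL, or a listed serial number.

```python
# Added example (not HP code): a fail-closed CRL check of the kind the
# Certificate Revocation Checking setting describes, using the "cryptography"
# package. CA, client certs, CRL and the CRL DP URL are constructed for the
# demo; fetch(url) stands in for the HTTP download that iLO 2 performs.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

CRL_URL = "http://pki.example.test/ca.crl"  # hypothetical distribution point


def _issue_client_cert(ca_key, ca_name, common_name, now):
    """Issue a client certificate that carries a CRL Distribution Points extension."""
    key = ec.generate_private_key(ec.SECP256R1())
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(CRL_URL)],
        relative_name=None, reasons=None, crl_issuer=None)])
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
            .issuer_name(ca_name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5))
            .not_valid_after(now + timedelta(days=365))
            .add_extension(cdp, critical=False)
            .sign(ca_key, hashes.SHA256()))


def make_test_pki():
    """Constructed demo PKI: (CA public key, valid client cert, revoked client cert, DER CRL)."""
    now = datetime.now(timezone.utc)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    good = _issue_client_cert(ca_key, ca_name, "alice", now)
    revoked = _issue_client_cert(ca_key, ca_name, "mallory", now)
    entry = (x509.RevokedCertificateBuilder()
             .serial_number(revoked.serial_number)
             .revocation_date(now).build())
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(ca_name)
           .last_update(now - timedelta(minutes=5))
           .next_update(now + timedelta(days=7))
           .add_revoked_certificate(entry)
           .sign(ca_key, hashes.SHA256()))
    return ca_key.public_key(), good, revoked, crl.public_bytes(serialization.Encoding.DER)


def crl_dp_urls(cert):
    """URIs named in the certificate's CRL Distribution Points extension (may be empty)."""
    try:
        dps = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return []
    return [n.value for dp in dps for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]


def _next_update(crl):
    """CRL nextUpdate as an aware datetime (newer cryptography exposes next_update_utc)."""
    nxt = getattr(crl, "next_update_utc", None)
    return nxt if nxt is not None else crl.next_update.replace(tzinfo=timezone.utc)


def revocation_check(cert, ca_public_key, fetch):
    """Return (allowed, reason). fetch(url) returns DER CRL bytes or raises.

    Every failure path denies: no distribution point, download error, wrong
    issuer, bad signature, stale CRL, or the certificate serial being listed.
    """
    urls = crl_dp_urls(cert)
    if not urls:
        return False, "no CRL distribution point in certificate"
    reason = "CRL not checked"
    for url in urls:
        try:
            crl = x509.load_der_x509_crl(fetch(url))
        except Exception as exc:  # connection failure, malformed data, ...
            reason = f"CRL download from {url} failed: {exc}"
            continue  # try the next distribution point, if any
        if crl.issuer != cert.issuer:
            return False, "CRL issuer does not match certificate issuer"
        if not crl.is_signature_valid(ca_public_key):
            return False, "CRL signature not valid for the trusted CA"
        if _next_update(crl) < datetime.now(timezone.utc):
            return False, "CRL is stale (nextUpdate is in the past)"
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return False, "certificate serial is listed in the CRL"
        return True, "certificate not revoked"
    return False, reason


if __name__ == "__main__":
    ca_pub, good, revoked, crl_der = make_test_pki()

    def unreachable(url):
        raise OSError("connection refused")

    for cert, fetch in ((good, lambda u: crl_der), (revoked, lambda u: crl_der), (good, unreachable)):
        print(revocation_check(cert, ca_pub, fetch))
```

Running the block prints the three outcomes: the valid certificate is allowed, the revoked one is denied, and the valid one is also denied when the distribution point cannot be reached, which is exactly the lock-out the previous paragraph warns about. The stale-CRL branch is an addition of the example; whether iLO 2 itself rejects a CRL whose nextUpdate has passed is not stated on this page.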
The Certificate Owner Field setting specifies which attribute of the client certificate to use when authenticating with the directory. Only use the Certificate Owner Field setting if directory authentication is enabled. Configuration of the Certificate Owner Field depends on the version of directory support used, the directory configuration, and the certificate issuance policy of your organization. If SAN is specified, iLO 2 extracts the User Principal Name from the Subject Alternative Name attribute and then uses the User Principal Name when authenticating with the directory (for example, [email protected]). If Subject is specified, iLO 2 derives the distinguished name from the subject name of the certificate. For example, if the subject name is /DC=com/DC=domain/OU=organization/CN=user, iLO 2 derives CN=user,OU=organization,DC=domain,DC=com.
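The two derivations just described, as an added example in standard-library Python (not HP's code, and not a description of the firmware's internals): `subject_to_ldap_dn` turns the OpenSSL one-line subject into the LDAP DN by reversing the RDN order and escaping per RFC 4514, and `upn_from_san_othernames` pulls the User Principal Name out of a SubjectAltName otherName, which in Microsoft PKI carries the UPN under OID 1.3.6.1.4.1.311.20.2.3. The otherName bytes are constructed inside the block, and the UPN value `jdoe@corp.example` is a made-up value for the demo.

```python
# Added example (not HP code): how a Certificate Owner Field setting turns a
# client certificate into the identity looked up in the directory. "SAN" reads
# the User Principal Name from a SubjectAltName otherName (Microsoft UPN OID
# 1.3.6.1.4.1.311.20.2.3); "Subject" reverses the OpenSSL one-line subject into
# an LDAP DN. Standard library only; the UPN in the demo is a made-up value.
UPN_OID = "1.3.6.1.4.1.311.20.2.3"
UPN_OID_DER = bytes.fromhex("2b060104018237140203")  # DER content of that OID
RFC4514_SPECIAL = set(',+"\\<>;')  # must be backslash-escaped inside a DN value


def parse_oneline_subject(oneline):
    """Split OpenSSL one-line form (/DC=com/DC=domain/.../CN=user) into
    (type, value) pairs, root first. A backslash escapes the next character."""
    if not oneline.startswith("/"):
        raise ValueError("expected subject in /TYPE=value/... form")
    rdns, cur, i = [], [], 1
    while i < len(oneline):
        ch = oneline[i]
        if ch == "\\" and i + 1 < len(oneline):
            cur.append(oneline[i + 1])
            i += 2
            continue
        if ch == "/":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr_type, value = rdn.split("=", 1)
        pairs.append((attr_type.strip(), value))
    return pairs


def escape_rfc4514(value):
    """Escape what RFC 4514 reserves in a value, plus leading '#'/space and trailing space."""
    esc = "".join("\\" + c if c in RFC4514_SPECIAL else c for c in value)
    if esc[:1] in (" ", "#"):
        esc = "\\" + esc
    if esc.endswith(" ") and not esc.endswith("\\ "):
        esc = esc[:-1] + "\\ "
    return esc


def subject_to_ldap_dn(oneline):
    """Derive the LDAP DN: leaf RDN first, comma separated, values escaped."""
    pairs = parse_oneline_subject(oneline)
    return ",".join(f"{t}={escape_rfc4514(v)}" for t, v in reversed(pairs))


def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, content, next_pos). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_oid(content):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def upn_from_san_othernames(othernames):
    """othernames: DER content of each SAN otherName (type-id OID, then [0] EXPLICIT value).
    Return the UPN string, or None when no UPN otherName is present."""
    for content in othernames:
        tag, oid, pos = der_read(content, 0)
        if tag != 0x06 or der_oid(oid) != UPN_OID:
            continue
        tag, explicit, _ = der_read(content, pos)
        if tag == 0xA0:
            tag, utf8, _ = der_read(explicit, 0)
            if tag == 0x0C:  # UTF8String
                return utf8.decode("utf-8")
    return None


def certificate_owner(field, subject_oneline, san_othernames):
    """Identity handed to the directory for a given Certificate Owner Field setting."""
    if field == "SAN":
        upn = upn_from_san_othernames(san_othernames)
        if upn is None:  # fail closed: no UPN means no directory identity
            raise ValueError("no UPN in SubjectAltName; directory login denied")
        return upn
    if field == "Subject":
        return subject_to_ldap_dn(subject_oneline)
    raise ValueError(f"unknown Certificate Owner Field setting {field!r}")


def build_upn_othername(upn):
    """Constructed sample otherName content (short-form lengths suffice for the demo)."""
    value = bytes([0x0C, len(upn.encode())]) + upn.encode()
    return bytes([0x06, len(UPN_OID_DER)]) + UPN_OID_DER + bytes([0xA0, len(value)]) + value
```

The practical point of the `Subject` branch is the order reversal: the certificate stores the name root-first, the directory expects it leaf-first, and a value containing a comma (for example a CN of `Doe, Jane`) must be escaped or the resulting DN will bind to the wrong object or fail. The `SAN` branch fails closed when the certificate carries no UPN, which is what a certificate issuance policy that omits the UPN otherName will produce.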
