Two-factor authentication – HP Integrated Lights-Out 2 User Manual
generated immediately on clicking the Create Certificate Request button. However, the
certificate request generation button is grayed out while the key generation is in progress. In
this scenario, you can close all active Remote Console sessions and try again later (around
2 minutes for a 1024-bit key, and 10 minutes for a 2048-bit key).
• Import Certificate – Use this button when you are returning to the Certificate Administration
page with a certificate to import. Click Import Certificate to go directly to the Certificate Import
screen without generating a new CR. A certificate only works with the keys generated for the
original CR from which the certificate was generated. If iLO 2 has been reset, or another CR
was generated since the original CR was submitted to a CA, then a new CR must be generated
and submitted to the CA.
You can customize and create a CR or import an existing certificate using RIBCL XML commands.
These commands enable you to script and automate certificate deployment on iLO 2 servers instead
of manually deploying certificates through the browser interface. For more information, see HP
Integrated Lights-Out Management Processor Scripting and Command Line Resource Guide at
.
Two-factor authentication
Access to iLO 2 requires user authentication. This firmware release provides an enhanced
authentication scheme for iLO 2 using two factors of authentication: a password or PIN, and a
private key for a digital certificate. Using two-factor authentication requires that you verify your
identity by providing both factors. You can store your digital certificates and private keys wherever
you choose, for example, on a smart card, USB token, or hard drive.
The Two-Factor Authentication tab enables you to configure security settings and review, import,
or delete a trusted CA certificate. The Two-Factor Authentication Enforcement setting controls
whether two-factor authentication is used for user authentication during login. To require two-factor
authentication, click Enabled. To turn off the two-factor authentication requirement and allow login
with user name and password only, click Disabled. You cannot change the setting to Enabled if a
trusted CA certificate is not configured. To provide the necessary security, the following configuration
changes are made when two-factor authentication is enabled:
• Telnet Access: Disabled
• Secure Shell (SSH) Access: Disabled
• Serial Command Line Interface Status: Disabled
If Telnet, SSH, or Serial CLI access is required, re-enable these settings after two-factor authentication
is enabled. However, because these access methods do not provide a means of two-factor
authentication, only a single factor is required to access iLO 2 with Telnet, SSH, or Serial CLI.
When two-factor authentication is enabled, access by the CPQLOCFG utility is disabled because
CPQLOCFG does not meet all authentication requirements. However, the HPONCFG utility works
because administrator privileges on the host system are required to execute the utility.
A trusted CA certificate is required for two-factor authentication to function. You cannot change
the Two-Factor Authentication Enforcement setting to Enabled if a trusted CA certificate is not
configured. Also, you must map a client certificate to a local user account if local user accounts
are used. If iLO 2 is using directory authentication, client certificate mapping to local user accounts
is optional.
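The rules above can be checked across a fleet. The following is an added example, not code from the HP manual: it audits inventory records for access paths that need only one factor. The record fields, host names, and user names are hypothetical and constructed; populate them from however you export iLO 2 settings.

```python
# Added example; field names are hypothetical, not an iLO 2 export format.
from dataclasses import dataclass, field

@dataclass
class Ilo2Record:
    host: str
    two_factor_enforced: bool
    trusted_ca_configured: bool
    directory_auth: bool
    telnet: bool = False
    ssh: bool = False
    serial_cli: bool = False
    local_users: dict = field(default_factory=dict)  # user -> client cert mapped?

def audit(rec):
    """Return findings for one record, following the rules in the text above."""
    if not rec.two_factor_enforced:
        return ["enforcement Disabled: login with user name and password only"]
    findings = []
    if not rec.trusted_ca_configured:
        # The manual says Enabled cannot be set without a trusted CA certificate.
        findings.append("record inconsistent: Enabled without a trusted CA certificate")
    for name, on in (("Telnet", rec.telnet), ("SSH", rec.ssh),
                     ("Serial CLI", rec.serial_cli)):
        if on:
            findings.append(f"{name} re-enabled: single-factor access path")
    if not rec.directory_auth:
        # Local accounts need a mapped client certificate.
        for user, mapped in sorted(rec.local_users.items()):
            if not mapped:
                findings.append(f"local user {user}: no client certificate mapped")
    return findings

# Constructed sample inventory (not real hosts).
SAMPLES = [
    Ilo2Record("ilo-a.example", True, True, False,
               local_users={"admin": True, "ops": False}),
    Ilo2Record("ilo-b.example", True, True, True, ssh=True,
               local_users={"admin": False}),
    Ilo2Record("ilo-c.example", False, False, False, telnet=True),
]

if __name__ == "__main__":
    for rec in SAMPLES:
        for finding in audit(rec) or ["no findings"]:
            print(f"{rec.host}: {finding}")
```
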
To change two-factor authentication security settings for iLO 2:
1. Log in to iLO 2 with an account that has the Configure iLO 2 Settings privilege.
2. Click Administration>Security>Two-Factor Authentication.
3. Change the settings by entering your selections in the fields.
4. To save the changes, click Apply.