HP Integrated Lights-Out 2 User Manual

Page 47

The Certificate Revocation Checking setting controls whether iLO 2 uses the certificate CRL
distribution points attribute to download the latest CRL and verify revocation of the client certificate.
If the client certificate is contained in the CRL, or if you cannot download the CRL, access is denied.
The CRL distribution point must be available and accessible to iLO 2 when Certificate Revocation
Checking is set to Yes.

The Certificate Owner Field setting specifies which attribute of the client certificate to use when
authenticating with the directory. Only use the Certificate Owner Field setting if directory
authentication is enabled. Configuration of the Certificate Owner Field depends on the version of
directory support used, the directory configuration, and the certificate issuance policy of your
organization. If SAN is specified, iLO 2 extracts the User Principal Name from the Subject Alternative
Name attribute and then uses the User Principal Name when authenticating with the directory (for
example, [email protected]). For example, if the subject name is
/DC=com/DC=domain/OU=organization/CN=user, iLO 2 will derive
CN=user,OU=organization,DC=domain,DC=com.

Setting up two-factor authentication for the first time

When setting up two-factor authentication for the first time, you can use either local user accounts
or directory user accounts. For more information on two-factor authentication settings, see
“Two-factor authentication” (page 46).

Setting up local user accounts

1. Obtain the public certificate from the CA that issues user certificates or smart cards in your
   organization.
2. Export the certificate in Base64-encoded format to a file on your desktop (for example,
   CAcert.txt).
3. Obtain the public certificate of the user who needs access to iLO 2.
4. Export the certificate in Base64-encoded format to a file on your desktop (for example,
   Usercert.txt).
5. Open the file CAcert.txt in Notepad, select all of the text, and copy it by pressing the Ctrl+C
   keys.
6. Log in to iLO 2, and browse to the Two-Factor Authentication Settings page.
7. Click Import Trusted CA Certificate. The Import Root CA Certificate page appears.
8. Click inside the white text area so that your cursor is in the text area, and paste the contents
   of the clipboard by pressing the Ctrl+V keys.
9. Click Import Root CA Certificate. The Two-Factor Authentication Settings page appears again
   with information displayed under Trusted CA Certificate Information.
10. From your desktop, open the file for the user certificate in Notepad, select all the text, and
    copy the text to the clipboard by pressing the Ctrl+C keys.
11. Browse to the User Administration page on iLO 2, and select the user for which you have
    obtained a public certificate or create a new user.
12. Click View/Modify.
13. Click Add a certificate.
14. Click inside the white text area so that your cursor is in the text area, and paste the contents
    of the clipboard by pressing the Ctrl+V keys.
15. Click Add User Certificate. The Modify User page appears again with a 40-digit number in
    the Thumbprint field. You can compare the number to the thumbprint displayed for the certificate
    by using Microsoft Certificate Viewer.
16. Browse to the Two-Factor Authentication Settings page.
17. Select Enabled for the Two-Factor Authentication option.
18. Select Disabled for the Certificate Revocation Checking option. This value is the default.
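
The thumbprint comparison in step 15, as an added example that is not part of the HP manual: this Python sketch checks that a Base64 export such as Usercert.txt holds exactly one public certificate and no private key, then computes the value to compare with the Thumbprint field. It assumes the 40-digit thumbprint is the SHA-1 digest of the DER-encoded certificate, which is what Microsoft Certificate Viewer displays; the function names and the sample data are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re

# Matches one PEM block of any type, for example CERTIFICATE or PRIVATE KEY.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)


def certificate_thumbprint(text):
    """Return the SHA-1 thumbprint (40 upper-case hex digits) of the single
    certificate in a Base64 export, refusing files that should not be pasted."""
    blocks = PEM_BLOCK.findall(text)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        raise ValueError("file contains a private key; export the public certificate only")
    certs = [body for label, body in blocks
             if label in ("CERTIFICATE", "X509 CERTIFICATE")]
    if len(certs) != 1:
        raise ValueError("expected exactly one certificate, found %d" % len(certs))
    try:
        # Drop line breaks, then decode strictly so stray characters are caught.
        der = base64.b64decode("".join(certs[0].split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid Base64") from exc
    if not der:
        raise ValueError("certificate body is empty")
    return hashlib.sha1(der).hexdigest().upper()


def matches_displayed(text, displayed):
    """Compare with the value shown in the Thumbprint field, ignoring the
    spaces, colons and letter case that certificate viewers add."""
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", displayed).upper()
    return len(cleaned) == 40 and cleaned == certificate_thumbprint(text)


# Constructed sample: the body decodes to the bytes b"abc", not a real
# certificate, so its digest is the published SHA-1 test vector for "abc".
SAMPLE_USERCERT = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(certificate_thumbprint(SAMPLE_USERCERT))
```

In practice, read the text of the exported file and pass it to `matches_displayed` together with the value copied from the Thumbprint field.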
