Onboard administrator authentication, Running onboard administrator for the first time – HP Onboard Administrator User Manual

Introduction
Onboard Administrator authentication
Security is maintained for all Onboard Administrator user interfaces through user authentication. User
accounts created in Onboard Administrator are assigned one of three privilege levels and granted access to
component bays at the specified privilege level. Onboard Administrator stores the passwords for local user
accounts and can be configured to use LDAP authentication for user group accounts. The Insight Display can
be protected by an LCD PIN code or completely disabled. An LCD PIN code protects against unauthorized
access to the Insight Display and Enclosure KVM. Use of the KVM Module to access server consoles is
protected by server operating system user names and passwords.
IMPORTANT: Onboard Administrator does not support OpenLDAP.
Role-based user accounts
Onboard Administrator provides configurable user accounts that can provide complete isolation of multiple
administrative roles such as server, LAN, and SAN. User accounts are configured with specific device bay
or interconnect bay permissions and one of three privilege levels: administrator, operator, or user. An
account with administrator privileges including Onboard Administrator bay permission can create or edit all
user accounts on an enclosure. Operator privileges enable full information access and control of permitted
bays. User privileges enable information access but no control capability.
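The privilege and bay-permission rules above can be modelled to check that delegated roles really are isolated. This is an added example, not HP code: the account names, bay numbers and function names are constructed, and it assumes an administrator has at least operator-level control of its permitted bays.

```python
from dataclasses import dataclass
from enum import IntEnum

class Privilege(IntEnum):
    USER = 1            # information access, no control
    OPERATOR = 2        # information access and control of permitted bays
    ADMINISTRATOR = 3

@dataclass(frozen=True)
class Account:
    name: str
    privilege: Privilege
    device_bays: frozenset = frozenset()
    interconnect_bays: frozenset = frozenset()
    oa_bay: bool = False  # Onboard Administrator bay permission

def permitted(acct, kind, bay):
    bays = acct.device_bays if kind == "device" else acct.interconnect_bays
    return bay in bays

def can_view(acct, kind, bay):
    return permitted(acct, kind, bay)

def can_control(acct, kind, bay):
    # Assumption: administrators can do at least what operators can.
    return permitted(acct, kind, bay) and acct.privilege >= Privilege.OPERATOR

def can_edit_accounts(acct):
    # Only an administrator holding the OA bay permission manages all accounts.
    return acct.privilege == Privilege.ADMINISTRATOR and acct.oa_bay

def isolation_report(accounts):
    """Return (account editors, bays that more than one delegated account controls)."""
    editors = sorted(a.name for a in accounts if can_edit_accounts(a))
    controllers = {}
    for a in accounts:
        if can_edit_accounts(a):
            continue  # enclosure administrators are expected to reach every bay
        for kind, bays in (("device", a.device_bays), ("interconnect", a.interconnect_bays)):
            for bay in (b for b in bays if can_control(a, kind, b)):
                controllers.setdefault((kind, bay), []).append(a.name)
    return editors, {k: sorted(v) for k, v in controllers.items() if len(v) > 1}

# Constructed sample accounts; lan-ops has been given a server bay by mistake.
ACCOUNTS = [
    Account("encl-admin", Privilege.ADMINISTRATOR, frozenset(range(1, 9)), frozenset(range(1, 5)), True),
    Account("server-ops", Privilege.OPERATOR, device_bays=frozenset(range(1, 9))),
    Account("san-ops", Privilege.OPERATOR, interconnect_bays=frozenset({3, 4})),
    Account("lan-ops", Privilege.OPERATOR, frozenset({8}), frozenset({1, 2})),
    Account("auditor", Privilege.USER, frozenset(range(1, 9)), frozenset(range(1, 5))),
]
```

Running isolation_report(ACCOUNTS) lists encl-admin as the only account editor and flags device bay 8 as controlled by both lan-ops and server-ops.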
Onboard Administrator requires you to log in to the web GUI or CLI with an account and password. The
account can be a local account where the password is stored on Onboard Administrator or an LDAP
account, where Onboard Administrator contacts the defined LDAP server to verify the user credentials.
Two-factor authentication enables even tighter security for the user management session to Onboard
Administrator.
Rather than requiring separate logins to multiple resources (once to each enclosure, once to every server
management processor, or both), Onboard Administrator enables single point access for linked enclosures
in a rack. In this way, the administrator can use single sign-on to log in to a single Onboard Administrator
and use the web GUI to graphically view and manage the HP BladeSystem c-Class components in up to
seven linked enclosures. (The single sign-on requires that all the enclosure active Onboard Administrators
have the same password.) For example, an IT administrator can automatically propagate management
commands, such as changing the enclosure power mode, across all the linked enclosures. A valid account
must be present on each linked enclosure to gain access. For more information, see "Signing in to the
Onboard Administrator GUI."
Login security
Onboard Administrator provides several login security features. No penalty is imposed after an initial failed
login attempt. With all subsequent failed attempts, Onboard Administrator imposes a 10-second to
20-second delay. An information page appears during each delay. This action continues until a valid login
is completed. This feature assists in defending against possible dictionary attacks.
Onboard Administrator saves a detailed log entry for all failed login attempts.
Running Onboard Administrator for the first time
Setting up a c-Class enclosure using the Onboard Administrator is simplified by using the Insight Display first
time installation wizard, followed by use of the Onboard Administrator GUI First Time Wizard or Onboard
Administrator CLI to complete the reset of the enclosure settings.