Two-factor authentication – HP Remote Insight Lights-Out Edition II Board User Manual


RILOE II security 63

Two-factor authentication

RILOE II is a powerful tool for managing HP ProLiant servers. To prevent misuse of this tool, access to
RILOE II requires reliable user authentication. This firmware release provides a stronger authentication
scheme for RILOE II using two factors of authentication: a password or PIN and a private key for a digital
certificate. Users are asked to verify their identities by providing both factors. Users can store their digital
certificates and private keys wherever they choose, for example, smart card, USB token, or hard disk.

Setting up two-factor authentication for the first time

When setting up two-factor authentication for the first time, you can use either local user accounts or
directory user accounts. For more information on two-factor authentication settings, see the "Two-Factor
Authentication Settings (on page 33)" section.

Setting up local user accounts:

1. Obtain the public certificate from the CA that issues user certificates or smart cards in your organization.
2. Export the certificate in Base64 encoded format to a file on your desktop, for example, CAcert.txt.
3. Obtain the public certificate of the user who needs access to RILOE II.
4. Export the certificate in Base64 encoded format to a file on your desktop, for example, Usercert.txt.
5. Open the file CAcert.txt in Notepad, select all of the text, and copy by pressing the Ctrl+C keys.
6. Log in to RILOE II and browse to the Two-Factor Authentication Settings page.
7. Click Import Trusted CA Certificate. Another page appears.
8. Click the white text area so that your cursor is in the text area, and paste the contents of the clipboard by pressing the Ctrl+V keys.
9. Click Import Root CA Certificate. The Two-Factor Authentication Settings page appears again with information displayed under Trusted CA Certificate Information.
10. From your desktop, open the file for the user certificate in Notepad, select all the text, and copy the text to the clipboard by pressing the Ctrl+C keys.
11. Browse to the User Administration page on RILOE II, and select the user for which you have obtained a public certificate or create a new user.
12. Click View/Modify.
13. Click Add a certificate.
14. Click the white text area so that your cursor is in the text area, and paste the contents of the clipboard by pressing the Ctrl+V keys.
15. Click Add user Certificate. The Modify User page appears again with a 40-digit number in the Thumbprint field. You can compare the number to the thumbprint displayed for the certificate by using Microsoft® Certificate Viewer.
16. Browse to the Two-Factor Authentication Settings page.
17. Change Enforce Two-Factor Authentication to Yes.
18. Change Check for Certificate Revocation to No (default).
19. Click Apply. RILOE II is reset. When RILOE II attempts to go to the login page again, the browser displays the Client Authentication page with a list of certificates that are available to the system. If the user certificate is not registered on the client machine, you will not see it in the list. The user certificate must be registered on the client system before you can use it. If there are no client certificates on the client system, you may not see the Client Authentication page and instead see a Page cannot be displayed error. To resolve the error, the client certificate must be registered on the client machine. For more information on exporting and registering client certificates, see the documentation for your smart card or certificate authority.
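The thumbprint comparison in step 15 can also be scripted against the Base64 export file before it is pasted. The following is an added example, not part of the HP manual: it assumes the 40-digit Thumbprint value is the SHA-1 digest of the DER-encoded certificate, which is what the Windows certificate viewer displays, and its function names and sample bytes are constructed for illustration.

```python
import base64, binascii, hashlib, re

PEM_MARKER = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")

def der_from_export(text):
    """Decode a Base64 certificate export (PEM markers optional) to DER bytes."""
    body = "".join(PEM_MARKER.sub("", text).split())  # drop markers, CR/LF, spaces
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("not valid Base64; was all of the text copied?") from exc
    # The outer DER SEQUENCE encodes its own length, so a truncated paste shows up.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    if der[1] < 0x80:                      # short-form length
        expected = 2 + der[1]
    else:                                  # long-form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not valid DER")
        expected = 2 + n + int.from_bytes(der[2:2 + n], "big")
    if expected != len(der):
        raise ValueError(f"certificate is {len(der)} bytes, header says {expected}")
    return der

def thumbprint(der):
    """SHA-1 over the DER bytes, as 40 uppercase hex digits."""
    return hashlib.sha1(der).hexdigest().upper()

def normalize_thumbprint(shown):
    """Strip spaces, colons and invisible characters copied along from a viewer."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", shown).upper()
    if len(digits) != 40:
        raise ValueError("a SHA-1 thumbprint has exactly 40 hex digits")
    return digits

def matches(shown, export_text):
    """True if the displayed thumbprint belongs to the exported certificate."""
    return normalize_thumbprint(shown) == thumbprint(der_from_export(export_text))

# Constructed stand-in: a minimal DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_EXPORT = ("-----BEGIN CERTIFICATE-----\r\n"
                 + base64.b64encode(SAMPLE_DER).decode()
                 + "\r\n-----END CERTIFICATE-----\r\n")

if __name__ == "__main__":
    print(thumbprint(der_from_export(SAMPLE_EXPORT)))
```

Pass the contents of Usercert.txt as `export_text` and the value from the Thumbprint field as `shown`; a `ValueError` points to an incomplete copy or a file that is not a Base64 certificate export.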
