HP BladeSystem Onboard Administrator User Guide - HP Business ...

More documents

Recommendations

Info

Security considerations This section documents the architecture and best practice security recommendations to be considered when configuring the Onboard Administrator and the default setting comparisons with the previous version. BladeSystem network architecture overview All device bays, interconnect modules, and Onboard Administrator modules are connected to an internal enclosure network that is managed by the active Onboard Administrator. Network traffic from business applications running on server blades is routed through interconnect switch modules and onto on the production network. Although it is possible for the management and production networks to be connected, the management network should be isolated from production traffic and the intranet. From a security perspective, this reduces access and ability to attack the management interfaces. From an efficiency standpoint, separate networks keep production traffic off of the management network. Recommended security best practices In addition to the best practices, note these additional considerations. Physical presence considerations Physical access to a system often implies administrator privilege. The Onboard Administrator is no exception. For more information on how to configure the Onboard Administrator administrator, see Configuring the HP BladeSystem c7000 enclosure and enclosure devices (on page 65). • Verifying physical cabling The BladeSystem enclosure can have many cables attached to the enclosure. Cables connected to the interconnect switch modules are generally for production network traffic. All other cables and ports are generally for enclosure management network traffic and should be carefully inspected. o Ensure that enclosure link ports are connected only to enclosure link ports on other enclosures. o Inspect Onboard Administrator serial ports for unauthorized connections. o Inspect Onboard Administrator USB ports for unauthorized connections. • Securing the Insight Display LCD panel Introduction 20
The Insight Display LCD panel allows for configuration and monitoring of key Onboard Administrator settings: network address configuration and power up/down of server blade bays to name a few critical BladeSystem functions. HP recommends securing the Insight Display LCD panel with a PIN, particularly in a multi-tenant datacenter. Furthermore, certain regulatory or industry standards, such as PCI, might require that all interfaces be secured with a PIN/password, regardless of requiring physical access. The Insight Display LCD panel buttons are locked by default in FIPS Mode ON/DEBUG. For more information, see FIPS tab (on page 85). Set factory defaults before hardware redeployment The very nature of redundant hardware is to ensure that all settings are present so that if a failure occurs on the Active Onboard Administrator, the Standby Onboard Administrator can take over the active role. This means that local user account information is duplicated on the Standby Onboard Administrator. If Enclosure IP mode is configured, then the private key used for SSL communications is also stored on the Standby Onboard Administrator. (Enclosure IP mode is not configured by default.) Depending on the security requirements for the datacenter, critical security parameters should be cleared from the hardware before decommissioning or reprovisioning an enclosure or components inside the enclosure, such as the Onboard Administrator, VC, and iLO for HP BladeSystem. To ensure all critical security parameters are cleared, SET FACTORY defaults. Additionally, the Administrator password can be set to factory “toe-tag” value by manually changing the password or connecting a serial cable and invoking the lost password recovery procedure. For instructions, see "Recovering the administrator password (on page 19)." Isolate the management network No matter how secure a device might appear to be, there will always be some sort of new attack or vulnerability. As a preventative measure and to follow industry best practices, HP strongly recommends that the management network be separate from the production network. Furthermore, do not place the management network on the open internet or firewall DMZ without requiring additional access authentication, such as using a VPN/tunnel. Network ports For more information on ports, see Access requirements (on page 10). For more information on managing HP software through a firewall, see the Managing HP Servers Through Firewalls with Insight Management White Paper. This document may be downloaded from the HP Insight Management Information Library. Default FIPS MODE settings compared to STRONG ENCRYPTION Onboard Administrator 3.70 significantly upgrades the Onboard Administrator cryptographic capabilities by adding a new FIPS Mode of operation. FIPS Mode enforces a number of requirements that are significantly different than the Enforce Strong Encryption setting in previous Onboard Administrator releases. The default security settings in Onboard Administrator 3.70 have been upgraded and are now equivalent to prior version’s Enforce Strong Encryption setting. The new security improvements remove HMAC-MD5 and HMAC-SHA-96 for message authentication, default the SSL hash signature algorithm to SHA-256, and use of only FIPS 140-2-approved ciphers. For more information, see the following table. Introduction 21
Page 1 and 2: HP BladeSystem Onboard Administrato
Page 3 and 4: Contents Introduction .............
Page 5 and 6: Boot Options tab ..................
Page 7 and 8: Europe time zone settings .........
Page 9 and 10: server iLO, interconnect management
Page 11 and 12: If a protocol is disabled, then the
Page 13 and 14: the KVM USB for keyboard and mouse
Page 15 and 16: Option ROM settings. For the interc
Page 17 and 18: If extended data is disabled on an
Page 19: Using online help To access online
Page 23 and 24: OA 3.60 Encryption Normal OA3.60 En
Page 25 and 26: 2. Slide the Onboard Administrator
Page 27 and 28: Enclosure KVM Features The Enclosur
Page 29 and 30: • Server Console—Select a serve
Page 31 and 32: First Time Setup Wizard Before you
Page 33 and 34: To update the rack topology informa
Page 35 and 36: Rack and Enclosure Settings screen
Page 37 and 38: Administrator Account Setup screen
Page 39 and 40: For possible values and description
Page 41 and 42: Knowing your network configuration
Page 43 and 44: Use the LDAP Group Configuration sc
Page 45 and 46: Field Possible value Description Se
Page 47 and 48: Power Management screen IMPORTANT:
Page 49 and 50: Mode Insight Display name Descripti
Page 51 and 52: Navigating Onboard Administrator Na
Page 53 and 54: Clicking the link for an individual
Page 55 and 56: The following image shows the graph
Page 57 and 58: Rack View Rack View screen The Rack
Page 59 and 60: If the active mode is set for a sin
Page 61 and 62: Row Description Enclosure Ambient T
Page 63 and 64: Column Description Bay Model Manufa
Page 65 and 66: Configuring the HP BladeSystem c700
Page 67 and 68: To view the enclosure Status screen
Page 69 and 70: Information Configuring the HP Blad
Page 71 and 72:
To change the state of the enclosur
Page 73 and 74:
o Fan removed o Power supply status
Page 75 and 76:
Disabled—Disables powerdelay for
Page 77 and 78:
Column Description Delay Click Appl
Page 79 and 80:
Enclosure TCP/IP settings IPv4 Sett
Page 81 and 82:
IPv6 Settings tab This screen displ
Page 83 and 84:
• Auto-Negotiate—Automatically
Page 85 and 86:
Below the Trusted Addresses field i
Page 87 and 88:
EBIPA assigns IP addresses for the
Page 89 and 90:
Column Description EBIPA Address Su
Page 91 and 92:
Enclosure Virtual Buttons tab To ch
Page 93 and 94:
Active to Standby DVD drive When a
Page 95 and 96:
in the list. If multiple media disk
Page 97 and 98:
The revert delay on the VLAN Settin
Page 99 and 100:
Adding, editing, and removing VLANs
Page 101 and 102:
To change the membership of a devic
Page 103 and 104:
HP Insight Remote Support Use the R
Page 105 and 106:
Insight Remote Support Service Even
Page 107 and 108:
Row Description Collection Click Se
Page 109 and 110:
Enclosure Firmware Management setti
Page 111 and 112:
updating the firmware management lo
Page 113 and 114:
• In the list of enclosures, the
Page 115 and 116:
Row Description Firmware Version Ha
Page 117 and 118:
Certificate Administration Informat
Page 119 and 120:
Certificate Request tab The Certifi
Page 121 and 122:
Certificate-signing request attribu
Page 123 and 124:
Force Downgrade—You must use this
Page 125 and 126:
• Enclosure Event 0x11: Fan Inser
Page 127 and 128:
• Enclosure Event 0x1203: Flash P
Page 129 and 130:
TCP/IP Settings for Standby Onboard
Page 131 and 132:
Row Description Version MD5 Fingerp
Page 133 and 134:
Field Possible values Description I
Page 135 and 136:
Button Description Momentary Press
Page 137 and 138:
Row Description Status Powered Powe
Page 139 and 140:
The Onboard Administrator provides
Page 141 and 142:
Row Description Bay Device Model Fi
Page 143 and 144:
Row Description Serial Number (Logi
Page 145 and 146:
Column Description iLO DVD Status D
Page 147 and 148:
IML Log tab The IML Log tab display
Page 149 and 150:
Diagnostic information is gathered
Page 151 and 152:
Status tab Status information Row D
Page 153 and 154:
Management Console Information prov
Page 155 and 156:
Interconnect bays Interconnect Bay
Page 157 and 158:
Click the Port Mapping Interconnect
Page 159 and 160:
Interconnect Bay Virtual Buttons In
Page 161 and 162:
Enclosure power management Power ma
Page 163 and 164:
IMPORTANT: To change the power redu
Page 165 and 166:
HP launched Power Capping technolog
Page 167 and 168:
The Line Voltage value is used to p
Page 169 and 170:
Row Description Present Power Enclo
Page 171 and 172:
The Power Subsystem screen provides
Page 173 and 174:
Fans and cooling management Fan zon
Page 175 and 176:
Fan status Column Description Fan M
Page 177 and 178:
Row Description Serial Number Diagn
Page 179 and 180:
c3000 Enclosure fan location rules
Page 181 and 182:
When a USB key is detected in the A
Page 183 and 184:
If a Windows® installation CD is i
Page 185 and 186:
You can eject media from the DVD dr
Page 187 and 188:
Unattended OS deployment The Onboar
Page 189 and 190:
You can initiate an unattended oper
Page 191 and 192:
From the DVD Connection Status scre
Page 193 and 194:
To view the progress of the unatten
Page 195 and 196:
Onboard Administrator bays. The pri
Page 197 and 198:
Field Possible value Description Pa
Page 199 and 200:
Account classification Capabilities
Page 201 and 202:
Field Possible value Description Se
Page 203 and 204:
A failed test reports that the IP a
Page 205 and 206:
Privilege level Field Possible valu
Page 207 and 208:
Checkbox Description Onboard Admini
Page 209 and 210:
Account classification Capabilities
Page 211 and 212:
HP SIM integration HP BladeSystem O
Page 213 and 214:
Using Enclosure Firmware Management
Page 215 and 216:
2. Select the Manual Update tab. 3.
Page 217 and 218:
Logging Enclosure Firmware Manageme
Page 219 and 220:
Server firmware Select Device Bays
Page 221 and 222:
When Two-Factor Authentication is e
Page 223 and 224:
administrator. If any sessions have
Page 225 and 226:
Port mapping Device bay port mappin
Page 227 and 228:
HP ProLiant BL680c G7 Servers Devic
Page 229 and 230:
HP ProLiant BL2x220c G7 Server The
Page 231 and 232:
In this diagram, N equals the numbe
Page 233 and 234:
Device bay port mapping table for c
Page 235 and 236:
Connection Port Number Connects to
Page 237 and 238:
12. Complete the remainder of the s
Page 239 and 240:
Since none of the configured device
Page 241 and 242:
Current enclosure inventory To view
Page 243 and 244:
The iLO entry in the tree view is o
Page 245 and 246:
Troubleshooting Onboard Administrat
Page 247 and 248:
55 Getting the Onboard Administrato
Page 249 and 250:
137 The session could not be create
Page 251 and 252:
216 Firmware update in progress. Lo
Page 253 and 254:
285 Invalid remote server address 2
Page 255 and 256:
358 URB reporting using SMTP cannot
Page 257 and 258:
Resetting the Onboard Administrator
Page 259 and 260:
Enabling LDAP Directory Services Au
Page 261 and 262:
1. Click the Upload Certificate Tab
Page 263 and 264:
CZImiZPyLGQBGRYDY29tMRIwEAYKCZImiZP
Page 265 and 266:
o Test Operator o TestOperator@Doma
Page 267 and 268:
Time zone settings Africa time zone
Page 269 and 270:
Asia time zone settings IMPORTANT:
Page 271 and 272:
Europe/Belfast Europe/Lisbon Europe
Page 273 and 274:
Acronyms and abbreviations CA certi
Page 275 and 276:
SUV serial, USB, video TFTP Trivial
Page 277 and 278:
Index A AC redundant, lost 161 acce
Page 279 and 280:
power management planning 161 power
show all

HP BladeSystem Onboard Administrator User Guide - HP Business ...

Create successful ePaper yourself

Delete template?

Save as template?