Managing servers with iLO configured for two-factor authentication

As iLO 5 supports two-factor authentication, HPE OneView is able to import and manage servers when iLO 5 is configured for two-factor authentication. When you configure iLO 5 with CAC/Smart Card Authentication enabled, no specific configurations are required for HPE OneView to manage the server. HPE OneView authenticates to the iLO using its own credentials to manage the server.

However, when you configure iLO 5 with both CAC/Smart Card Authentication and CAC Strict Mode enabled, HPE OneView authenticates to the iLO using its digital certificate. Ensure that the following configurations are present on both the iLO and HPE OneView for the appliance to successfully import and manage the server when the iLO is in this mode:
  • HPE OneView and the iLO are set up with a CA-signed certificate.

  • The HPE OneView certificate has Extended Key Usage (EKU) of 'Client Authentication' in addition to 'Server Authentication.'

  • The CA root certificate and any appropriate certificate chains are present in both the iLO and HPE OneView trust stores.

  • If Local user accounts is enabled in the iLO, ensure that these prerequisites are met:

    • An account for HPE OneView is created in the iLO with full administrator privileges.

    • The HPE OneView certificate is imported into the iLO and mapped to this iLO user and account.
      NOTE:

      You can use the HPE OneView self-signed certificate instead of a CA-signed certificate.

  • If Local user accounts is disabled in the iLO and the iLO is configured for directory authentication and authorization, ensure that:
    • You have created a user account for HPE OneView in the directory server.

    • The account name matches the name specified in the Subject Alternative Name (SAN) DNS Name= or in the Subject CN= field in the certificate. In general, this field takes the hostname of the HPE OneView appliance as the value.

    • The user account created in the directory is associated with a directory group that has 'Administrator' privileges in the iLO.

NOTE:

You must manually perform these configurations for each iLO that has CAC Strict Mode enabled.
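
The Extended Key Usage and account-name prerequisites listed above can be checked on a certificate file before the server is imported. The following is an added example, not HPE code: it assumes the `openssl` command-line tool is installed, and the host name `oneview.example.test` and the generated sample certificate are constructed stand-ins for the exported HPE OneView certificate.

```shell
# Added example (not HPE code). Host names and file names are constructed.

# Print the Subject CN and every SAN DNS name of certificate $1, one per line.
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# $1 = certificate (PEM), $2 = account name expected in SAN DNS or Subject CN.
check_oneview_cert() {
    eku=$(openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Extended Key Usage/ { getline; print }')
    for usage in 'TLS Web Client Authentication' 'TLS Web Server Authentication'; do
        case $eku in
            *"$usage"*) ;;
            *) echo "FAIL: EKU lacks '$usage'"; return 1 ;;
        esac
    done
    cert_names "$1" | grep -qxF -- "$2" ||
        { echo "FAIL: '$2' is neither the Subject CN nor a SAN DNS name"; return 1; }
    echo "OK: EKU and name checks passed for '$2'"
}

# Build a throwaway self-signed certificate as constructed sample input.
# $1 = output directory, $2 = host name, $3 = extendedKeyUsage value.
make_sample_cert() {
    cat > "$1/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $2
[ext]
subjectAltName = DNS:$2
extendedKeyUsage = $3
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_sample_cert "$demo" oneview.example.test 'serverAuth, clientAuth'
check_oneview_cert "$demo/cert.pem" oneview.example.test
rm -rf "$demo"
```

To check a real certificate, call `check_oneview_cert` with the exported PEM file and the account name created for HPE OneView; the name comparison is an exact, case-sensitive string match.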