- uploading directory server certificate with hponcf...
06-03-2019 09:24 AM
Does anyone know if it is possible using hponcfg to upload the server certificate for my LDAP server? I can make all of the other changes with hponcfg to connect iLO to an LDAP server, but I am not seeing how to upload the server certificate.
Thanks!
06-04-2019 09:09 AM
Re: uploading directory server certificate with hponcfg
Hello,
HPONCFG can be used to perform the following tasks:
- Obtain an entire configuration
- Obtain a specific configuration
- Set a configuration
Refer:
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c05184297&docLocale=en_US#N10393
https://support.hpe.com/hpsc/doc/public/display?docId=a00018323en_us
Hewlett Packard Enterprise Information Library:-
http://h17007.www1.hpe.com/us/en/enterprise/servers/solutions/info-library/index.aspx?cat=HP_iLO_4
Hope these documents will help you.
I work for HPE
06-05-2019 04:26 AM - edited 06-05-2019 04:27 AM
Solution

I figured it out after consulting the iLO 5 scripting guide. Here is my procedure in case it helps anyone else. :)
```bash
# Get a list of domain controllers.
/usr/bin/dig SRV _ldap._tcp.domain +noall +answer | awk '{ print $8 }' \
  | sed -e '/^$/d' | grep -v 'noall' | sort -t \- -k 2,2 -k 1,1
DIRSRV='<name from dig command>'
#
# Use the one most appropriate for this server.
#
# Log on to the server with the iLO you want to change and switch to root.
# Define this function:
retrieve-cert() {
  REMHOST=${1}
  REMPORT=${2:-443}
  # Print only the PEM certificate block from the TLS handshake output.
  echo | \
  openssl s_client -connect ${REMHOST}:${REMPORT} 2>&1 | \
  /bin/sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}
# Extract the current iLO settings:
cd /var/tmp
# On systems where the iLO encryption settings are anything other
# than production, you will have to provide a user name and password:
PASSWORD='password'
USER=administrator
hponcfg --all --writeconfig ilo.xml --user ${USER} --password ${PASSWORD}
# Can edit the xml file to embed the username and password:
sed -i "s|^\(.*LOGIN USER_LOGIN=\"\).*\(\" PASSWORD=\"\).*\(\">\)$|\1${USER}\2${PASSWORD}\3|" ilo.xml
# Get rid of the comments line:
sed -i '/^<!--/d' ilo.xml
#
# First, need to make sure dns resolvers are set correctly. Pare down
# the xml file to just the network information.
# Each range runs from a section's opening tag pair to its closing tag pair:
sed -e '/<RIB_INFO mode="write"><MOD_GLOBAL_SETTINGS>/,/<\/MOD_GLOBAL_SETTINGS><\/RIB_INFO>/d' \
    -e '/<RIB_INFO mode="write"><MOD_SNMP_IM_SETTINGS>/,/<\/MOD_SNMP_IM_SETTINGS><\/RIB_INFO>/d' \
    -e '/<DIR_INFO mode="write"><MOD_DIR_CONFIG>/,/<\/MOD_DIR_CONFIG><\/DIR_INFO>/d' \
    -e '/<RIB_INFO mode="write"><SET_FEDERATION_MULTICAST>.*/d' \
    -e '/<SSO_INFO mode="write"><MOD_SSO_SETTINGS>.*/d' \
    -e '/<SERVER_INFO mode="write"><SET_HOST_POWER.*/d' \
    -e '/<USER_INFO mode="write">/,/<\/USER_INFO>/d' \
    -e '/<SERVER_INFO mode="write"><SERVER_AUTO_PWR.*/d' \
    -e '/<RIB_INFO mode="write"><\/RIB_INFO>/d' ilo.xml > ilo-net.xml
#
# Now, update the DNS servers (if not already correct).
DNS1='<ip of first dns server>'
DNS2='<ip of second dns server>'
sed -i "s|^\( *<PRIM_DNS_SERVER VALUE=\"\).*\(\"/\)|\1${DNS1}\2|" ilo-net.xml
sed -i "s|^\( *<SEC_DNS_SERVER VALUE=\"\).*\(\"/\)|\1${DNS2}\2|" ilo-net.xml
#
# Now, write the file to iLO (Note: this will reset iLO. It might take a couple of minutes):
hponcfg -f ilo-net.xml
#
# Get the directory server certificate file into an xml file.
sed -e '/<RIB_INFO mode="write"><MOD_NETWORK_SETTINGS>/,/<\/MOD_NETWORK_SETTINGS><\/RIB_INFO>/d' ilo-net.xml > ilo-cert.xml
# Add an empty certificate import block right after the LOGIN line:
sed -i '/<LOGIN USER_LOGIN=/a\
  <DIR_INFO MODE="write">\
  <IMPORT_LDAP_CA_CERTIFICATE>\
  </IMPORT_LDAP_CA_CERTIFICATE>\
  </DIR_INFO>' ilo-cert.xml
#
# Copy the file, writing the PEM certificate after the opening import tag:
while IFS= read -r line; do
  echo "${line}"
  echo "${line}" | grep -q "<IMPORT_LDAP_CA_CERTIFICATE>"
  [ ${?} -eq 0 ] && retrieve-cert ${DIRSRV} 636
done < ilo-cert.xml > ilo-cert-new.xml
# Upload to iLO:
hponcfg -f ilo-cert-new.xml
#
# Now, need to set up information to enable authentication with active directory.
# Again, pare down the original xml file:
sed -e '/<RIB_INFO mode="write"><MOD_GLOBAL_SETTINGS>/,/<\/MOD_GLOBAL_SETTINGS><\/RIB_INFO>/d' \
    -e '/<RIB_INFO mode="write"><MOD_SNMP_IM_SETTINGS>/,/<\/MOD_SNMP_IM_SETTINGS><\/RIB_INFO>/d' \
    -e '/<RIB_INFO mode="write"><SET_FEDERATION_MULTICAST>.*/d' \
    -e '/<SSO_INFO mode="write"><MOD_SSO_SETTINGS>.*/d' \
    -e '/<SERVER_INFO mode="write"><SET_HOST_POWER.*/d' \
    -e '/<USER_INFO mode="write">/,/<\/USER_INFO>/d' \
    -e '/<SERVER_INFO mode="write"><SERVER_AUTO_PWR.*/d' \
    -e '/<RIB_INFO mode="write"><MOD_NETWORK_SETTINGS>/,/<\/MOD_NETWORK_SETTINGS><\/RIB_INFO>/d' \
    -e '/<RIB_INFO mode="write"><\/RIB_INFO>/d' ilo.xml > ilo-dir.xml
#
# Now, edit to put in correct information:
sed -i -e 's|\(<DIR_AUTHENTICATION_ENABLED VALUE="\).*\("/>\)|\1Y\2|' \
    -e "s|\(<DIR_SERVER_ADDRESS VALUE=\"\).*\(\"/>\)|\1${DIRSRV}\2|" \
    -e 's|\(<DIR_USER_CONTEXT_1 VALUE="\).*\("/>\)|\1DC=my,DC=com\2|' \
    -e 's|\(<DIR_USER_CONTEXT_2 VALUE="\).*\("/>\)|\1@my.com\2|' \
    -e 's|\(<DIR_ENABLE_GRP_ACCT VALUE="\).*\("/>\)|\1Y\2|' ilo-dir.xml
#
# Add in group accounts. Repeat for however many groups you are adding:
GRP=iLOAdmins
PRIVVAL='1,2,3,4,5,6'
# and
GRP=iLOUser
PRIVVAL='2,3,4,6'
#
RETURN=$(adquery group --all ${GRP} | grep -E '^dn:|^sid:')
DN=$(echo ${RETURN} | tr ' ' '\n' | grep '^dn:' | cut -d: -f2)
SID=$(echo ${RETURN} | tr ' ' '\n' | grep '^sid:' | cut -d: -f2)
# Need to find the current number of group accounts:
NUM=$(grep DIR_GRPACCT ilo.xml | cut -c6-17 | sort -u | tail -1)
NEWNUM=$((${NUM:$((${#NUM}-1)):1}+1))
# For the second group, just increment the NEWNUM variable:
((NEWNUM++))
sed -i "/<DIR_KERBEROS_ENABLED VALUE/i\ <DIR_GRPACCT${NEWNUM}_NAME VALUE=\"${DN}\"/>\n <DIR_GRPACCT${NEWNUM}_PRIV VALUE=\"${PRIVVAL}\"/>\n <DIR_GRPACCT${NEWNUM}_SID VALUE=\"${SID}\"/>" ilo-dir.xml
#
# End of repeat section.
# Now write to iLO:
hponcfg -f ilo-dir.xml
#
# Should be all set! Remove your files:
/bin/rm ilo*
```
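Added example, not part of the original post: the procedure above imports whatever certificate the server on port 636 presents, and writes an empty import block if the retrieval fails, so this version checks the PEM against a SHA-256 fingerprint obtained from a trusted source before building the `IMPORT_LDAP_CA_CERTIFICATE` block. The function names and the sample PEM are constructed for illustration; only `base64` and `sha256sum` are assumed to be available.

```shell
#!/bin/sh
# Added example; function names and the sample PEM below are constructed.

# SHA-256 (hex) of the DER bytes of the one PEM certificate on stdin.
# Fails unless stdin holds exactly one well-formed CERTIFICATE block.
pem_sha256() {
  local pem body
  pem=$(cat)
  [ "$(printf '%s\n' "$pem" | grep -c -- '-----BEGIN CERTIFICATE-----')" -eq 1 ] || return 1
  [ "$(printf '%s\n' "$pem" | grep -c -- '-----END CERTIFICATE-----')" -eq 1 ] || return 1
  body=$(printf '%s\n' "$pem" |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' |
    grep -v -- '-----' | tr -d ' \r\n')
  [ -n "$body" ] || return 1
  printf '%s' "$body" | base64 -d >/dev/null 2>&1 || return 1
  printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# Accepts "SHA256 Fingerprint=AB:CD:..." or bare hex; returns lower-case hex.
norm_fp() { printf '%s' "${1##*=}" | tr -d ': ' | tr 'A-F' 'a-f'; }

# Print the DIR_INFO block used in the procedure only when the certificate
# in file $1 matches fingerprint $2, which must come from a trusted source.
emit_cert_block() {
  local file want got
  file=$1
  want=$(norm_fp "$2")
  got=$(pem_sha256 < "$file") || { echo "no single valid certificate in $file" >&2; return 2; }
  [ "$got" = "$want" ] || { echo "fingerprint mismatch, got $got" >&2; return 3; }
  printf '  <DIR_INFO MODE="write">\n  <IMPORT_LDAP_CA_CERTIFICATE>\n'
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$file"
  printf '  </IMPORT_LDAP_CA_CERTIFICATE>\n  </DIR_INFO>\n'
}

# Constructed sample: valid base64, not a real certificate.
sample_pem() {
  printf '%s\n' 'depth=0 CN = dc01.example.test' \
    '-----BEGIN CERTIFICATE-----' \
    'Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFs' \
    'IGNlcnRpZmljYXRl' \
    '-----END CERTIFICATE-----'
}
```

In the procedure this would take the place of the `while read` loop: save the output of `retrieve-cert ${DIRSRV} 636` to a file, then call `emit_cert_block` on that file with the fingerprint the directory administrators published, and stop if it returns non-zero.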