uploading directory server certificate with hponcfg

SOLVED
BradV
Esteemed Contributor

Does anyone know if it is possible using hponcfg to upload the server certificate for my LDAP server?  I can make all of the other changes with hponcfg to connect iLO to an LDAP server, but not seeing how to upload the server certificate.

Thanks!

Jazz_ISS
HPE Pro

Re: uploading directory server certificate with hponcfg

Hello,

HPONCFG can be used to perform the following tasks:

-Obtain an entire configuration

-Obtain a specific configuration

-Set a configuration


Refer:

https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c05184297&docLocale=en_US#N10393
https://support.hpe.com/hpsc/doc/public/display?docId=a00018323en_us

Hewlett Packard Enterprise Information Library:

http://h17007.www1.hpe.com/us/en/enterprise/servers/solutions/info-library/index.aspx?cat=HP_iLO_4

Hope these documents will help you.

I work for HPE
BradV
Esteemed Contributor
Solution

Re: uploading directory server certificate with hponcfg

I figured it out after consulting the ilo5 scripting guide.  Here is my procedure in case it helps anyone else.  :)

# Get a list of domain controllers.
/usr/bin/dig SRV _ldap._tcp.domain +noall +answer | awk '{ print $8 }' \
| sed -e '/^$/d' | grep -v 'noall' | sort -t \- -k 2,2 -k 1,1
DIRSRV='<name from dig command>'
#
# Use the one most appropriate for this server.
#
# Log on to the server with the iLO you want to change and switch to root.
# Define this function:
retrieve-cert() {
   REMHOST=${1}
   REMPORT=${2:-443}
   echo | \
   openssl s_client -connect ${REMHOST}:${REMPORT} 2>&1 | \
   /bin/sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}
# Extract the current iLO settings:
cd /var/tmp
# On systems where the iLO encryption settings are anything other
# than production, you will have to provide a user name and password:
PASSWORD='password'
USER=administrator
hponcfg --all --writeconfig ilo.xml --user ${USER} --password ${PASSWORD}
# Can edit the xml file to embed the username and password:
sed -i "s|^\(.*LOGIN USER_LOGIN=\"\).*\(\" PASSWORD=\"\).*\(\">\)$|\1${USER}\2${PASSWORD}\3|" ilo.xml
# Get rid of the comments line:
sed -i '/^<!--/d' ilo.xml
#
# First, need to make sure dns resolvers are set correctly.  Pare down
# the xml file to just the network information.  Each range runs from the
# opening line of a section to its closing line, so the closing pattern must
# match the real closing tags or the range never ends and sed deletes to EOF:
sed -e '/<RIB_INFO mode="write"><MOD_GLOBAL_SETTINGS>/,/<\/MOD_GLOBAL_SETTINGS><\/RIB_INFO>/d' \
    -e '/<RIB_INFO mode="write"><MOD_SNMP_IM_SETTINGS>/,/<\/MOD_SNMP_IM_SETTINGS><\/RIB_INFO>/d' \
    -e '/<DIR_INFO mode="write"><MOD_DIR_CONFIG>/,/<\/MOD_DIR_CONFIG><\/DIR_INFO>/d' \
    -e '/<RIB_INFO mode="write"><SET_FEDERATION_MULTICAST>.*/d' \
    -e '/<SSO_INFO mode="write"><MOD_SSO_SETTINGS>.*/d' \
    -e '/<SERVER_INFO mode="write"><SET_HOST_POWER.*/d' \
    -e '/<USER_INFO mode="write">/,/<\/USER_INFO>/d' \
    -e '/<SERVER_INFO mode="write"><SERVER_AUTO_PWR.*/d' \
    -e '/<RIB_INFO mode="write"><\/RIB_INFO>/d' ilo.xml > ilo-net.xml
#
# Now, update the DNS servers (if not already correct).
DNS1='<ip of first dns server>'
DNS2='<ip of second dns server>'
sed -i "s|^\(    <PRIM_DNS_SERVER VALUE=\"\).*\(\"/\)|\1${DNS1}\2|" ilo-net.xml
sed -i "s|^\(    <SEC_DNS_SERVER VALUE=\"\).*\(\"/\)|\1${DNS2}\2|" ilo-net.xml
#
# Now, write the file to iLO (Note: this will reset iLO.  It might take a couple of minutes):
hponcfg -f ilo-net.xml
#
# Get the directory server certificate file into an xml file.
sed -e '/<RIB_INFO mode="write"><MOD_NETWORK_SETTINGS>/,/<\/MOD_NETWORK_SETTINGS><\/RIB_INFO>/d' ilo-net.xml > ilo-cert.xml
# Append the (still empty) import element right after the LOGIN line:
sed -i '/<LOGIN USER_LOGIN=/a\
    <DIR_INFO MODE="write"> \
        <IMPORT_LDAP_CA_CERTIFICATE> \
        </IMPORT_LDAP_CA_CERTIFICATE> \
    </DIR_INFO>' ilo-cert.xml
#
# Copy the file line by line, inserting the PEM block right after the
# opening IMPORT_LDAP_CA_CERTIFICATE tag (run the function, don't execute its output):
while read -r line; do
   echo "${line}"
   echo "${line}" | grep -q "<IMPORT_LDAP_CA_CERTIFICATE>"
   [ ${?} -eq 0 ] && retrieve-cert "${DIRSRV}" 636
done < ilo-cert.xml > ilo-cert-new.xml
# Upload to iLO:
hponcfg -f ilo-cert-new.xml
#
# Now, need to set up information to enable authentication with active directory.
# Again, pare down the original xml file:
sed -e '/<RIB_INFO mode="write"><MOD_GLOBAL_SETTINGS>/,/<\/MOD_GLOBAL_SETTINGS><\/RIB_INFO>/d' \
    -e '/<RIB_INFO mode="write"><MOD_SNMP_IM_SETTINGS>/,/<\/MOD_SNMP_IM_SETTINGS><\/RIB_INFO>/d' \
    -e '/<RIB_INFO mode="write"><SET_FEDERATION_MULTICAST>.*/d' \
    -e '/<SSO_INFO mode="write"><MOD_SSO_SETTINGS>.*/d' \
    -e '/<SERVER_INFO mode="write"><SET_HOST_POWER.*/d' \
    -e '/<USER_INFO mode="write">/,/<\/USER_INFO>/d' \
    -e '/<SERVER_INFO mode="write"><SERVER_AUTO_PWR.*/d' \
    -e '/<RIB_INFO mode="write"><MOD_NETWORK_SETTINGS>/,/<\/MOD_NETWORK_SETTINGS><\/RIB_INFO>/d' \
    -e '/<RIB_INFO mode="write"><\/RIB_INFO>/d' ilo.xml > ilo-dir.xml
#
# Now, edit to put in correct information:
sed -i -e 's|\(<DIR_AUTHENTICATION_ENABLED VALUE="\).*\("/>\)|\1Y\2|' \
    -e    "s|\(<DIR_SERVER_ADDRESS VALUE=\"\).*\(\"/>\)|\1${DIRSRV}\2|" \
    -e    's|\(<DIR_USER_CONTEXT_1 VALUE="\).*\("/>\)|\1DC=my,DC=com\2|' \
    -e    's|\(<DIR_USER_CONTEXT_2 VALUE="\).*\("/>\)|\1@my.com\2|' \
    -e    's|\(<DIR_ENABLE_GRP_ACCT VALUE="\).*\("/>\)|\1Y\2|' ilo-dir.xml
#
# Add in group accounts.  Repeat for however many groups you are adding:
GRP=iLOAdmins
PRIVVAL='1,2,3,4,5,6'
# and
GRP=iLOUser
PRIVVAL='2,3,4,6'
#
RETURN=$(adquery group --all ${GRP} | grep -E '^dn:|^sid:')
DN=$(echo ${RETURN} | tr ' ' '\n' | grep '^dn:' | cut -d: -f2)
SID=$(echo ${RETURN} | tr ' ' '\n' | grep '^sid:' | cut -d: -f2)
# Need to find the current number of group accounts:
NUM=$(grep DIR_GRPACCT ilo.xml | cut -c6-17 | sort -u | tail -1)
NEWNUM=$((${NUM:$((${#NUM}-1)):1}+1))
# For the second group, just increment the NEWNUM variable:
((NEWNUM++))
# Insert the three self-closing elements for the group before DIR_KERBEROS_ENABLED:
sed -i "/<DIR_KERBEROS_ENABLED VALUE/i\    <DIR_GRPACCT${NEWNUM}_NAME VALUE=\"${DN}\"/>\n    <DIR_GRPACCT${NEWNUM}_PRIV VALUE=\"${PRIVVAL}\"/>\n    <DIR_GRPACCT${NEWNUM}_SID VALUE=\"${SID}\"/>" ilo-dir.xml
#
# End of repeat section.
# Now write to iLO:
hponcfg -f ilo-dir.xml
#
# Should be all set!  Remove your files:
/bin/rm ilo*
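As an added example (not part of BradV's post, and not HPE tooling), the two hand edits in the procedure above, embedding the retrieved certificate in an IMPORT_LDAP_CA_CERTIFICATE element and appending numbered DIR_GRPACCT entries, as Python functions. The RIBCL element names are the ones the post uses; every function name, the constructed PEM and the sample MOD_DIR_CONFIG fragment are assumptions. It also adds one check the post does not perform: the retrieved certificate's SHA-256 fingerprint must match a pin obtained out of band before a document is produced for hponcfg, so a certificate that arrived over an untrusted path is not silently made the trust anchor for directory logins.

```python
"""Build the RIBCL fragments the procedure above edits by hand.
Assumed names (not from the post): every function below.
Element names match the RIBCL tags the post uses."""
import base64
import hashlib
import re
from xml.sax.saxutils import quoteattr

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def first_pem_block(text):
    """Return the first PEM certificate in text (what the sed range in the
    post extracts), normalised to 64-column base64 lines."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM certificate found")
    body = "".join(m.group(1).split())
    base64.b64decode(body, validate=True)  # reject a corrupted block early
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def cert_sha256(pem):
    """SHA-256 over the DER bytes, the value `openssl x509 -sha256 -fingerprint`
    reports (without colons). Compare with a pin obtained out of band."""
    body = "".join(PEM_RE.search(pem).group(1).split())
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def build_cert_import(user, password, pem, expected_sha256):
    """RIBCL document importing pem as the LDAP CA certificate; refuses to
    produce anything unless the fingerprint matches the expected pin."""
    pem = first_pem_block(pem)
    got = cert_sha256(pem)
    if got.lower() != expected_sha256.replace(":", "").lower():
        raise ValueError(f"certificate fingerprint {got} does not match pin")
    return ('<RIBCL VERSION="2.0">\n'
            f"<LOGIN USER_LOGIN={quoteattr(user)} PASSWORD={quoteattr(password)}>\n"
            '<DIR_INFO MODE="write">\n'
            "<IMPORT_LDAP_CA_CERTIFICATE>\n"
            f"{pem}"
            "</IMPORT_LDAP_CA_CERTIFICATE>\n"
            "</DIR_INFO>\n</LOGIN>\n</RIBCL>\n")


GRPACCT_RE = re.compile(r"<DIR_GRPACCT(\d+)_(?:NAME|PRIV|SID)\b")


def next_grpacct_index(ribcl_text):
    """1 + the highest DIR_GRPACCTn index present (parses the whole number,
    so it keeps working past n=9, unlike taking the tag's last character)."""
    found = [int(n) for n in GRPACCT_RE.findall(ribcl_text)]
    return max(found, default=0) + 1


def grpacct_elements(index, dn, sid, priv):
    """The three self-closing DIR_GRPACCT elements for one directory group."""
    return (f"    <DIR_GRPACCT{index}_NAME VALUE={quoteattr(dn)}/>\n"
            f"    <DIR_GRPACCT{index}_PRIV VALUE={quoteattr(priv)}/>\n"
            f"    <DIR_GRPACCT{index}_SID VALUE={quoteattr(sid)}/>\n")


def add_group(ribcl_text, dn, sid, priv):
    """Insert the elements before the <DIR_KERBEROS_ENABLED ...> line, as the post does."""
    idx = next_grpacct_index(ribcl_text)
    pos = ribcl_text.find("<DIR_KERBEROS_ENABLED")
    if pos < 0:
        raise ValueError("no DIR_KERBEROS_ENABLED element to anchor on")
    line_start = ribcl_text.rfind("\n", 0, pos) + 1
    return (ribcl_text[:line_start] + grpacct_elements(idx, dn, sid, priv)
            + ribcl_text[line_start:])


# Constructed sample input: not a real certificate, just valid base64, and a
# fragment shaped like the MOD_DIR_CONFIG section of hponcfg's output.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed-not-a-real-certificate" * 4).decode()
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_DIR_XML = (
    '    <DIR_GRPACCT1_NAME VALUE="CN=old,DC=my,DC=com"/>\n'
    '    <DIR_GRPACCT1_PRIV VALUE="1,2,3,4,5,6"/>\n'
    '    <DIR_GRPACCT1_SID VALUE="S-1-5-21-1-2-3-1000"/>\n'
    '    <DIR_KERBEROS_ENABLED VALUE="N"/>\n')

if __name__ == "__main__":
    pin = cert_sha256(SAMPLE_PEM)  # in practice: the value you were given out of band
    print(build_cert_import("administrator", "password", SAMPLE_PEM, pin))
    print(add_group(SAMPLE_DIR_XML, "CN=iLOAdmins,DC=my,DC=com",
                    "S-1-5-21-1-2-3-1100", "1,2,3,4,5,6"))
```

The output of build_cert_import is what you would save as ilo-cert-new.xml and feed to `hponcfg -f`; add_group replaces the NUM/NEWNUM arithmetic and the sed insert, and can be called once per group without tracking the counter by hand.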