06-03-2019 09:24 AM
Does anyone know if it is possible using hponcfg to upload the server certificate for my LDAP server? I can make all of the other changes with hponcfg to connect iLO to an LDAP server, but I am not seeing how to upload the server certificate.
Thanks!
06-04-2019 09:09 AM
Re: uploading directory server certificate with hponcfg
Hello,
HPONCFG can be used to perform the following tasks:
- Obtain an entire configuration
- Obtain a specific configuration
- Set a configuration
Refer:
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c05184297&docLocale=en_US#N10393
https://support.hpe.com/hpsc/doc/public/display?docId=a00018323en_us
Hewlett Packard Enterprise Information Library:
http://h17007.www1.hpe.com/us/en/enterprise/servers/solutions/info-library/index.aspx?cat=HP_iLO_4
Hope these documents will help you.
I work for HPE
06-05-2019 04:26 AM - edited 06-05-2019 04:27 AM
I figured it out after consulting the iLO 5 scripting guide. Here is my procedure in case it helps anyone else. :)
```bash
# Get a list of domain controllers.
/usr/bin/dig SRV _ldap._tcp.domain +noall +answer | awk '{ print $8 }' \
  | sed -e '/^$/d' | grep -v 'noall' | sort -t \- -k 2,2 -k 1,1
DIRSRV='<name from dig command>'
#
# Use the one most appropriate for this server.
#
# Log on to the server with the iLO you want to change and switch to root.
# Define this function:
retrieve-cert() {
  REMHOST=${1}
  REMPORT=${2:-443}
  echo | \
    openssl s_client -connect ${REMHOST}:${REMPORT} 2>&1 | \
    /bin/sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}
# Extract the current iLO settings:
cd /var/tmp
# On systems where the iLO encryption settings are anything other
# than production, you will have to provide a user name and password:
PASSWORD='password'
USER=administrator
hponcfg --all --writeconfig ilo.xml --user ${USER} --password ${PASSWORD}
# Can edit the xml file to embed the username and password:
sed -i "s|^\(.*LOGIN USER_LOGIN=\"\).*\(\" PASSWORD=\"\).*\(\">\)$|\1${USER}\2${PASSWORD}\3|" ilo.xml
# Get rid of the comments line:
sed -i '/^<!--/d' ilo.xml
#
# First, need to make sure dns resolvers are set correctly. Pare down
# the xml file to just the network information:
sed -e '/<RIB_INFO mode="write"><MOD_GLOBAL_SETTINGS>/,/<\/MOD_GLOBAL_SETTINGS><\/RIB_INFO>/d' \
    -e '/<RIB_INFO mode="write"><MOD_SNMP_IM_SETTINGS>/,/<\/MOD_SNMP_IM_SETTINGS><\/RIB_INFO>/d' \
    -e '/<DIR_INFO mode="write"><MOD_DIR_CONFIG>/,/<\/MOD_DIR_CONFIG><\/DIR_INFO>/d' \
    -e '/<RIB_INFO mode="write"><SET_FEDERATION_MULTICAST>.*/d' \
    -e '/<SSO_INFO mode="write"><MOD_SSO_SETTINGS>.*/d' \
    -e '/<SERVER_INFO mode="write"><SET_HOST_POWER.*/d' \
    -e '/<USER_INFO mode="write">/,/<\/USER_INFO>/d' \
    -e '/<SERVER_INFO mode="write"><SERVER_AUTO_PWR.*/d' \
    -e '/<RIB_INFO mode="write"><\/RIB_INFO>/d' ilo.xml > ilo-net.xml
#
# Now, update the DNS servers (if not already correct).
DNS1='<ip of first dns server>'
DNS2='<ip of second dns server>'
sed -i "s|^\( *<PRIM_DNS_SERVER VALUE=\"\).*\(\"/\)|\1${DNS1}\2|" ilo-net.xml
sed -i "s|^\( *<SEC_DNS_SERVER VALUE=\"\).*\(\"/\)|\1${DNS2}\2|" ilo-net.xml
#
# Now, write the file to iLO (Note: this will reset iLO. It might take a couple of minutes):
hponcfg -f ilo-net.xml
#
# Get the directory server certificate file into an xml file.
sed -e '/<RIB_INFO mode="write"><MOD_NETWORK_SETTINGS>/,/<\/MOD_NETWORK_SETTINGS><\/RIB_INFO>/d' ilo-net.xml > ilo-cert.xml
sed -i '/<LOGIN USER_LOGIN=/a\
<DIR_INFO MODE="write"> \
<IMPORT_LDAP_CA_CERTIFICATE> \
</IMPORT_LDAP_CA_CERTIFICATE> \
</DIR_INFO>' ilo-cert.xml
#
# Copy the file through, printing the certificate right after the opening tag:
while IFS= read -r line; do
  echo "${line}"
  echo "${line}" | grep -q "<IMPORT_LDAP_CA_CERTIFICATE>"
  [ ${?} -eq 0 ] && retrieve-cert ${DIRSRV} 636
done < ilo-cert.xml > ilo-cert-new.xml
# Upload to iLO:
hponcfg -f ilo-cert-new.xml
#
# Now, need to set up information to enable authentication with active directory.
# Again, pare down the original xml file:
sed -e '/<RIB_INFO mode="write"><MOD_GLOBAL_SETTINGS>/,/<\/MOD_GLOBAL_SETTINGS><\/RIB_INFO>/d' \
    -e '/<RIB_INFO mode="write"><MOD_SNMP_IM_SETTINGS>/,/<\/MOD_SNMP_IM_SETTINGS><\/RIB_INFO>/d' \
    -e '/<RIB_INFO mode="write"><SET_FEDERATION_MULTICAST>.*/d' \
    -e '/<SSO_INFO mode="write"><MOD_SSO_SETTINGS>.*/d' \
    -e '/<SERVER_INFO mode="write"><SET_HOST_POWER.*/d' \
    -e '/<USER_INFO mode="write">/,/<\/USER_INFO>/d' \
    -e '/<SERVER_INFO mode="write"><SERVER_AUTO_PWR.*/d' \
    -e '/<RIB_INFO mode="write"><MOD_NETWORK_SETTINGS>/,/<\/MOD_NETWORK_SETTINGS><\/RIB_INFO>/d' \
    -e '/<RIB_INFO mode="write"><\/RIB_INFO>/d' ilo.xml > ilo-dir.xml
#
# Now, edit to put in correct information:
sed -i -e 's|\(<DIR_AUTHENTICATION_ENABLED VALUE="\).*\("/>\)|\1Y\2|' \
    -e "s|\(<DIR_SERVER_ADDRESS VALUE=\"\).*\(\"/>\)|\1${DIRSRV}\2|" \
    -e 's|\(<DIR_USER_CONTEXT_1 VALUE="\).*\("/>\)|\1DC=my,DC=com\2|' \
    -e 's|\(<DIR_USER_CONTEXT_2 VALUE="\).*\("/>\)|\1@my.com\2|' \
    -e 's|\(<DIR_ENABLE_GRP_ACCT VALUE="\).*\("/>\)|\1Y\2|' ilo-dir.xml
#
# Add in group accounts. Repeat for however many groups you are adding:
GRP=iLOAdmins
PRIVVAL='1,2,3,4,5,6'
# and
GRP=iLOUser
PRIVVAL='2,3,4,6'
#
RETURN=$(adquery group --all ${GRP} | grep -E '^dn:|^sid:')
DN=$(echo ${RETURN} | tr ' ' '\n' | grep '^dn:' | cut -d: -f2)
SID=$(echo ${RETURN} | tr ' ' '\n' | grep '^sid:' | cut -d: -f2)
# Need to find the current number of group accounts:
NUM=$(grep DIR_GRPACCT ilo.xml | cut -c6-17 | sort -u | tail -1)
NEWNUM=$((${NUM:$((${#NUM}-1)):1}+1))
# For the second group, just increment the NEWNUM variable:
((NEWNUM++))
sed -i "/<DIR_KERBEROS_ENABLED VALUE/i\ <DIR_GRPACCT${NEWNUM}_NAME VALUE=\"${DN}\"/>\n <DIR_GRPACCT${NEWNUM}_PRIV VALUE=\"${PRIVVAL}\"/>\n <DIR_GRPACCT${NEWNUM}_SID VALUE=\"${SID}\"/>" ilo-dir.xml
#
# End of repeat section.
# Now write to iLO:
hponcfg -f ilo-dir.xml
#
# Should be all set! Remove your files:
/bin/rm ilo*
```
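A pin check that could sit between `retrieve-cert` and the `hponcfg -f ilo-cert-new.xml` upload in the procedure above: `openssl s_client` returns whatever certificate the host on port 636 presents, so the import block is only produced when its SHA-256 fingerprint matches a value obtained out of band. This is an added example, not part of the original post; the function names, the pin variable and the sample PEM (constructed bytes, not a real certificate) are assumptions, and it relies on `base64 -d` and `sha256sum` from GNU coreutils.

```shell
#!/bin/sh
# Added example: pin-check a fetched certificate before building the RIBCL import.
# Usage (PIN is a SHA-256 fingerprint obtained out of band, an assumption here):
#   retrieve-cert "$DIRSRV" 636 > dc.pem && emit_import_block dc.pem "$PIN"

# Constructed sample input: PEM armour around arbitrary bytes, not a real certificate.
SAMPLE_BYTES='constructed bytes, not a real certificate'
write_sample_pem() {
    { echo '-----BEGIN CERTIFICATE-----'
      printf '%s' "$SAMPLE_BYTES" | base64
      echo '-----END CERTIFICATE-----'; } > "$1"
}

# Print only the first certificate block in file $1.
first_cert() {
    awk '/-BEGIN CERTIFICATE-/ {on=1} on {print} /-END CERTIFICATE-/ {if (on) exit}' "$1"
}

# Number of certificate blocks in file $1 (grep -c exits 1 on zero matches).
count_certs() { grep -c -e '-BEGIN CERTIFICATE-' "$1" || true; }

# SHA-256 of the DER bytes, i.e. of the base64-decoded PEM body, as lowercase hex.
pem_sha256() {
    first_cert "$1" | grep -v -e '-----' | tr -d ' \r\n' | base64 -d | sha256sum | cut -d' ' -f1
}

# Accept pins written either as AA:BB:... or as aabb...
norm_fp() { printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'; }

# Emit the import block on stdout only when file $1 matches pin $2.
# Returns 2 for malformed input, 1 for a fingerprint mismatch.
emit_import_block() {
    pem=$1
    pin=$(norm_fp "$2")
    [ "$(count_certs "$pem")" -eq 1 ] || { echo 'expected exactly one certificate' >&2; return 2; }
    got=$(pem_sha256 "$pem")
    [ "$got" = "$pin" ] || { echo "fingerprint mismatch, got $got" >&2; return 1; }
    echo '<DIR_INFO MODE="write">'
    echo '<IMPORT_LDAP_CA_CERTIFICATE>'
    first_cert "$pem"
    echo '</IMPORT_LDAP_CA_CERTIFICATE>'
    echo '</DIR_INFO>'
}
```

The fingerprint computed here is the same digest `openssl x509 -noout -fingerprint -sha256` reports, so a pin copied from that command's output on the directory server can be passed in unchanged.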