Server Management - Systems Insight Manager

ILO2 SSO from SIM

bconstant
Advisor

ILO2 SSO from SIM

Hello,

I'm trying to enable SSO authentication from SIM to ILO2 but without success.

On the ILO2 (BL460CG1 c-class blade):
- Select license is enabled
- HP SIM SSO trust mode is set to trust by certificate
- HP SIM certificate is imported and status is ok
- Administrator privileges have all rights enabled (I'm "jumping" with the Administrator account of the SIM).

On the SIM:
- The ILO2 is available and reachable

When I click on the "HP Integrated Lights-Out 2 Login" menu item from the "Tools & links" toolbox, a new browser window opens with the SSO item in the URL but it always fails and shows the authentication page of the ILO2.

ILO2 FW is: 1.50 03/12/2008
HP SIM build is: C.05.02.01.00
HP SIM patches: HOTFIX52_003

Any idea?

Regards,

Benjamin.
3 REPLIES
Brody
Occasional Advisor

Re: ILO2 SSO from SIM

We are getting the exact same symptoms - has anyone found a solution to this?

We reproduced on the following systems:

* DL380 G5 (iLO2)
- Firmware: 1.60 07/11/2008
- License Type: iLO 2 Advanced
- SSO Trust Mode: Trust by Certificate
- Certificate: Imported & Status OK
- iLO Device "Identified" from within SIM subsequent to Cert Import

* BL460c G1 (iLO2)
- Firmware: 1.61 08/31/2008
- License Type: iLO 2 Select
- SSO Trust Mode: Trust by Certificate
- Certificate: Imported & Status OK
- iLO Device "Deleted" then "Discovered" from within SIM subsequent to Cert Import

Browsers: IE6 & IE7

HP SIM Build: C.05.01.00.02 (5.1 with SP1, 2007-04-11 17:26)
HP SIM Patches:
- HOTFIX51_001
- HOTFIX51_002
- HOTFIX51_003
- HOTFIX51_005
- HOTFIX51_008
- HOTFIX51_011
- HOTFIX51_012
- HOTFIX51_015
- HOTFIX51_016

The URL redirect order is:
1.) https://{HP-SIM HOST}:50000/SSO?DID={ID1}&APP=ILO&FRM=3&URL=https://{ILO HOST}:443/
2.) https://{ILO HOST}/Proxy/SSO?TKN={ID2}&KEY=ssononce%20{ID3}&XE={HP-SIM CERT CN}&UN={AD DOMAIN}\{AD USERNAME}&UA=4&URL=https://{ILO HOST}:443/
3.) https://{ILO HOST}/login.htm

The second URL page displays the text...
"Note: When the 'Security Alert' panel is displayed, you must select 'Yes' to select the certificate to access Integrated Lights-Out."
...only, it redirects and no such security alert panel is displayed (see attachment).

The iLO2 log has the following relevant entries:
1.) SSO login attempt from {CLIENT IP X.X.X.X} via HP-SIM {HP-SIM CERT CN} as Administrator by user:{AD DOMAIN}\{AD USERNAME}.
2.) SSO rejected: HP SIM certificate mismatch.

Only thing is, the certificate matches identically. We've tried setting the certificate by...
- Specifying the HP SIM server address to import from (both by DNS name, and IP address)
- Exporting the HP SIM server certificate from the issuing authority, then copy & pasting the raw X.509 data
- Copy & pasting the raw X.509 data from the url http://{HP-SIM HOST}:280/GetCertificate
...every attempt yielded the same identical certificate (as it should do).

If we delete the HP-SIM cert from iLO, set the mode to "Trust by Name", and specify the CN of the HP-SIM server as it appears on the certificate for the "Trusted HP SIM Server Name" - then SSO works, which indicates iLO is seeing the HP-SIM hostname as it appears on the certificate, so it shouldn't be due to hostname mismatch.
The certificate is valid until 2010, so it is not expired.

We have attempted using the iLO diagnostics page to "Reset" the iLO2 device at various stages in the process - but this has also made no difference.
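
One way to confirm that certificate text obtained by different routes (a CA export, the GetCertificate URL, the text pasted into the iLO form) decodes to the same certificate bytes, shown as an added example that is not part of the original posts. The function names are hypothetical and the sample bytes are constructed stand-ins, not a real HP SIM certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(text):
    """Return the DER bytes of the first PEM certificate block in text.

    Tolerates CRLF line endings, unusual line widths and stray whitespace
    picked up when copying and pasting into a web form.
    """
    match = PEM_RE.search(text)
    if not match:
        raise ValueError("no PEM certificate block found")
    b64 = re.sub(r"\s+", "", match.group(1))
    return base64.b64decode(b64, validate=True)

def fingerprint(text):
    """SHA-256 of the DER encoding as colon-separated hex."""
    digest = hashlib.sha256(pem_to_der(text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def same_certificate(a, b):
    """True when both PEM texts decode to identical DER bytes."""
    return pem_to_der(a) == pem_to_der(b)

def to_pem(der, width=64, eol="\n"):
    """Wrap DER bytes as PEM (used here only to build the sample inputs)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + width] for i in range(0, len(b64), width)]
    return eol.join(["-----BEGIN CERTIFICATE-----", *body,
                     "-----END CERTIFICATE-----", ""])

# Constructed sample data: arbitrary bytes standing in for a certificate.
SAMPLE_DER = bytes(range(256)) * 3
FROM_SIM = to_pem(SAMPLE_DER)                                   # as downloaded
PASTED = "  " + to_pem(SAMPLE_DER, width=76, eol="\r\n") + "\r\n"  # as pasted
OTHER = to_pem(SAMPLE_DER[:-1] + b"\x00")                       # one byte differs

if __name__ == "__main__":
    print("downloaded:", fingerprint(FROM_SIM))
    print("pasted:    ", fingerprint(PASTED))
    print("identical: ", same_certificate(FROM_SIM, PASTED))
    print("other cert:", same_certificate(FROM_SIM, OTHER))
```

A fingerprint computed this way covers only the certificate bytes, so it can be compared across sources whose text differs in line endings or wrapping.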
Brody
Occasional Advisor

Re: ILO2 SSO from SIM

Upgraded...

HP SIM Build: C.05.02.02.00 (5.2 with SP2, 2008-07-04 10:23)

Also note, HP SIM is running on Windows Server 2003 Standard SP2.
Brody
Occasional Advisor

Re: ILO2 SSO from SIM

...what I forgot to mention is that the upgrade didn't resolve the issue :-s