IMM/ILO using smartcard authentication

Has anyone set up ILO and IMM using smart card authentication? And if yes, how did you set it up correctly?
IT_Admin XXXX asked:
btan (Exec Consultant) commented:
Hope this helps, but it will need looking into the guide, which is not available online, at least not directly from those links below... but specifically the PKI infrastructure (CA, enrolment station, etc.) needs to be set up to support smartcard provisioning with certificates enrolled. Also note some past sharing:
1. Set up a Smartcard Enrollment Agent in your directory to assign certificates to the smartcards.
2. Verify your directory settings can log on to iLO with two-factor disabled.
3. Verify the two-factor settings can log on to iLO with Directory disabled.
4. Enable both two-factor and directory. The first logon phase will be logon with the smartcard certificate; then you will see a prompt for the directory password for the Directory User of the smartcard. Depending on how the certificates are built, you may need to change the "Certificate Owner Field" in the Two Factor Authentication page to "SAN" or "Subject" to get the directory logon to work.
http://h30499.www3.hp.com/t5/ITRC-Remote-Lights-Out-Mgmt-iLO/Using-smartcard-to-access-iLO/td-p/4131602
For most customers, the critical factor is the Active Directory setting that says "require smartcard for authentication". iLO LDAP name/password cannot work when that checkbox is checked. iLO Kerberos-integrated two-factor authentication can and does.
http://h30499.www3.hp.com/t5/HP-BladeSystem-Management/ILO3-two-factor-authentication/td-p/5558895

It is better to get HP support, as setting it up may not be trivial, and it should be tested in staging.
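Added worked example (the editor's, not code from btan's post or from the HP thread it quotes): a PowerShell pre-check for steps 2 and 4 above, run on a domain-joined workstation with the ActiveDirectory module. It reads the user's "Smart card is required for interactive logon" flag, which is the AD setting the second HP quote says breaks iLO LDAP name/password logon, and inspects the smartcard certificate to see whether the directory identity is carried in the Subject or in the SAN UPN, which is what decides the iLO "Certificate Owner Field". The sample user name jdoe, the certificate selection by Smart Card Logon EKU, and the CurrentUser\My store are assumptions.

```powershell
# Added example, not from the HP thread. Assumptions: ActiveDirectory module
# present, sample user 'jdoe', smartcard cert visible in CurrentUser\My.
param(
    [string]$User = 'jdoe',          # assumption: sample sAMAccountName
    [string]$CertThumbprint = ''     # optional: pick a specific certificate
)
Import-Module ActiveDirectory

# Step 2 / HP caveat: "require smartcard" on the AD account breaks the iLO
# LDAP name/password bind; only the Kerberos-integrated two-factor path works.
$u = Get-ADUser -Identity $User -Properties SmartcardLogonRequired, UserPrincipalName
if ($u.SmartcardLogonRequired) {
    Write-Warning "$User has 'Smart card is required for interactive logon' set: iLO LDAP name/password will fail; use Kerberos two-factor."
} else {
    Write-Host "$User can still be tested with LDAP name/password and two-factor disabled (step 2)."
}

# Step 4: find the smartcard logon certificate (assumption: selected by the
# Smart Card Logon EKU 1.3.6.1.4.1.311.20.2.2 unless a thumbprint is given).
$cert = if ($CertThumbprint) {
    Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $CertThumbprint
} else {
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.2' } |
        Select-Object -First 1
}
if (-not $cert) { throw "No smart card logon certificate found in CurrentUser\My" }

# The directory identity is either a UPN in the Subject Alternative Name
# (2.5.29.17, 'Principal Name=...') or the user's name in the Subject DN.
$san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($true) } else { '' }
$sanUpn  = if ($sanText -match 'Principal Name=(\S+)') { $Matches[1] } else { $null }

if ($sanUpn -and $sanUpn -eq $u.UserPrincipalName) {
    "Certificate Owner Field -> SAN (UPN $sanUpn matches the AD UPN)"
} elseif ($cert.Subject -match "CN=$([regex]::Escape($u.Name))") {
    "Certificate Owner Field -> Subject ($($cert.Subject))"
} else {
    Write-Warning "Neither the SAN UPN nor the Subject matches $User; iLO will not be able to map this certificate to the directory user."
}
```

Run it before enabling both two-factor and directory in step 4; if it reports the SAN branch, set the owner field to SAN, otherwise to Subject, and keep the step 2/3 isolation tests in place so a failure can be pinned to the certificate mapping rather than to the directory bind.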

IT_Admin XXXX (author) commented:
Hi, thanks BTAN for the info. What about IMM for IBM? Do you have any ideas?
btan (Exec Consultant) commented:
Not really into IMM for IBM, but looking at its possible user profiles for login, there is the use of LDAP:
http://www.cisco.com/c/en/us/td/docs/wireless/module/imm/user/guide/imm_guide/03_Configuring_IMM.html#wp1057831 

I see it is possible to state a certificate and issue a user account with a smartcard-based certificate (like any smartcard logon enrollment for a client machine) for use with a web browser to get into IMM, which runs a secure web server supporting SSL connections.
Configure SSL security for LDAP connections:
 a. Disable the SSL client. Use the SSL Client Configuration for LDAP Client area on the Security page.
 b. Generate or import a certificate. Use the SSL Client Certificate Management area on the Security page (see "SSL client certificate management" section).
 c. Import one or more trusted certificates. Use the SSL Client Trusted Certificate Management area on the Security page (see "SSL client trusted certificate management" section).
 d. Enable the SSL client. Use the SSL Client Configuration for LDAP Client area on the Security page (see "Enabling SSL for the LDAP client" section).
http://www.cisco.com/c/en/us/td/docs/wireless/module/imm/user/guide/imm_guide/03_Configuring_IMM.html#wp1059179

Focusing on the SSL client:
The SSL client requires that a valid certificate and corresponding private encryption key be installed before SSL is enabled. Two methods are available for generating the private key and required certificate: using a self-signed certificate, or using a certificate signed by a certificate authority.
 
The procedure for generating the private encryption key and certificate for the SSL client is the same as the procedure for the SSL server, except that you use the SSL Client Certificate Management area of the Security Web page instead of the SSL Server Certificate Management area. If you want to use a self-signed certificate for the SSL client, see "Generating a self-signed certificate" section. If you want to use a certificate authority signed certificate for the SSL client, see "Generating a certificate-signing request" section.
http://www.cisco.com/c/en/us/td/docs/wireless/module/imm/user/guide/imm_guide/03_Configuring_IMM.html#wp1059410

Better to consult IBM folks, and I will not be surprised if they suggest their Tivoli Access Manager: http://www-01.ibm.com/support/knowledgecenter/SS9JLE_8.1.0/com.ibm.itamesso.doc_8.1/common/smart_cards_support_enabling.html?lang=en
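Added worked example (the editor's, not code from btan's post or from the IMM guide it quotes) for the two SSL-client credential methods the guide lists: it creates a lab CA, a self-signed client certificate and a CA-signed client certificate in the CurrentUser store, exports the CA certificate (the file that goes into the trusted-certificate list in step c), and checks with an X509Chain which of the two client certificates actually chains to that CA. It needs New-SelfSignedCertificate -Signer, available on Windows 10 / Server 2016 and later; the subject names, the lab CA and the export path are assumptions, and the IMM's own import formats are not described here.

```powershell
# Added example, not from the IMM guide. Assumptions: Windows 10 / Server 2016+,
# lab CA 'Lab Issuing CA' standing in for the enterprise CA, CurrentUser\My store.
$store = 'Cert:\CurrentUser\My'

# Lab CA (assumption): basic constraints CA=true so it can act as a signer.
$ca = New-SelfSignedCertificate -Subject 'CN=Lab Issuing CA' -CertStoreLocation $store `
    -KeyUsage CertSign, CRLSign -KeyUsageProperty Sign `
    -TextExtension @('2.5.29.19={critical}{text}ca=1') -NotAfter (Get-Date).AddYears(5)

# Method 1 from the guide: a self-signed SSL client certificate.
$selfSigned = New-SelfSignedCertificate -Subject 'CN=imm-ldap-client' -CertStoreLocation $store

# Method 2 from the guide: a client certificate issued by the CA
# (the CSR / sign round-trip done locally by -Signer).
$caSigned = New-SelfSignedCertificate -Subject 'CN=imm-ldap-client' -Signer $ca -CertStoreLocation $store

# The CA certificate is what step c ("import one or more trusted certificates")
# expects on the IMM, and what the LDAP server side must trust for a CA-signed client.
Export-Certificate -Cert $ca -FilePath "$env:TEMP\lab-issuing-ca.cer" -Type CERT | Out-Null

function Test-ChainsTo {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Root
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ExtraStore.Add($Root) | Out-Null
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    # The lab CA is not in the machine Root store, so accept it as an unknown anchor
    # and then check that the chain really ends at that CA, not at the leaf itself.
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $chain.Build($Leaf) | Out-Null
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return ($top.Thumbprint -eq $Root.Thumbprint)
}

"CA-signed client chains to the lab CA:   $(Test-ChainsTo -Leaf $caSigned   -Root $ca)"
"Self-signed client chains to the lab CA: $(Test-ChainsTo -Leaf $selfSigned -Root $ca)"
```

The point of the last two lines is the order of steps b and c in the guide: a CA-signed client certificate only validates when the issuing CA's certificate is in the trusted list, whereas a self-signed client certificate is its own issuer and the trusted-certificate import does nothing for it.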