Onboard Administrator authentication
Security is maintained for all Onboard Administrator user interfaces through user authentication. User accounts created in Onboard Administrator define three user privilege levels and the component bays to which each level is granted access. Onboard Administrator stores the passwords for local user accounts and can be configured to use LDAP authentication for user group accounts. The Insight Display can be protected by an LCD PIN code or completely disabled. The optional KVM Module uses the LCD PIN code to protect against changes to server power or the enclosure DVD connection. Access to server consoles through the KVM Module is protected by the server operating system user names and passwords.
IMPORTANT: Onboard Administrator does not support OpenLDAP.
Role-based user accounts
Onboard Administrator provides configurable user accounts that can provide complete isolation of multiple administrative roles such as server, LAN, and SAN. User accounts are configured with specific device bay or interconnect bay permissions and one of three privilege levels: administrator, operator, or user. An account with administrator privileges that include Onboard Administrator bay permission can create or edit all user accounts on an enclosure. Operator privileges enable full information access and control of permitted bays. User privileges enable information access but no control capability.
Onboard Administrator requires you to log in to the web GUI or CLI with an account and password. The account can be a local account, where the password is stored on Onboard Administrator, or an LDAP account, where Onboard Administrator contacts the defined LDAP server to check the user credentials. Two-factor authentication enables even tighter security for the user management session to Onboard Administrator.
Rather than requiring separate logins to multiple resources (once to each enclosure, once to every server management processor, or both), Onboard Administrator enables single-point access. The administrator can use single sign-on to log in to a single Onboard Administrator and use the web GUI to graphically view and manage the HP BladeSystem c-Class components in up to four linked enclosures. For example, an IT administrator can automatically propagate management commands, such as changing the enclosure power mode, across all the linked enclosures.
Onboard Administrator provides several login security features. No penalty is imposed after an initial failed login attempt. After each subsequent failed attempt, Onboard Administrator imposes a 10- to 20-second delay. An information page appears during each delay. This behavior continues until a valid login is completed. This feature helps defend against dictionary attacks on the browser login port.
Onboard Administrator saves a detailed log entry for all failed login attempts.
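The delay and logging behavior described above can be modeled to see what it costs a dictionary run. The following Python sketch is an added example, not Onboard Administrator code: the class and function names, the log field layout, the sample user and address, and the single shared failure counter are assumptions, since the text does not say how the state is tracked.

```python
import logging
import random

log = logging.getLogger("login-throttle")  # hypothetical logger name

MIN_DELAY_S, MAX_DELAY_S = 10, 20  # delay range stated in the text


class LoginThrottle:
    """Model of the policy in the text: the first failure is free, every
    later failure costs 10-20 s, and a valid login clears the penalty.
    Assumption: one counter for the whole login interface."""

    def __init__(self, rng=None):
        self.failures = 0
        self.rng = rng or random.SystemRandom()

    def record_failure(self, user, source):
        """Log the failed attempt and return the delay (seconds) to impose."""
        self.failures += 1
        if self.failures == 1:
            delay = 0.0
        else:
            delay = self.rng.uniform(MIN_DELAY_S, MAX_DELAY_S)
        # Constructed log layout; %r keeps control characters in the user
        # name from forging extra log lines.
        log.warning("failed login user=%r source=%s consecutive=%d delay=%.1fs",
                    user, source, self.failures, delay)
        return delay

    def record_success(self):
        """A valid login ends the penalty period."""
        self.failures = 0


def dictionary_run_bounds(guesses):
    """(min, max) seconds of imposed delay for consecutive wrong guesses."""
    penalised = max(guesses - 1, 0)  # only the first failure is free
    return penalised * MIN_DELAY_S, penalised * MAX_DELAY_S


def simulate(guesses, seed=0):
    """Total delay accumulated by a constructed run of wrong guesses."""
    throttle = LoginThrottle(random.Random(seed))  # seeded for repeatability
    return sum(throttle.record_failure("admin", "192.0.2.10")
               for _ in range(guesses))


if __name__ == "__main__":
    lo, hi = dictionary_run_bounds(10_000)
    print(f"10,000 guesses: {lo / 3600:.1f} to {hi / 3600:.1f} hours of delay")
```

Under this model a 10,000-word list spends between roughly 27.8 and 55.5 hours in imposed delays alone, and every guess leaves a log entry to alert on.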