This article explains how to configure the ILOM (Integrated Lights Out Manager) of a Sun Microsystems server to authenticate against a Windows Active Directory user account.
To use AD accounts to authenticate to the ILOM, the administrator must set up a TFTP server using the Windows 2003 install CD and the Windows Resource Kit. This will install a service on the host machine, preferably the same machine with Active Directory.
Once the TFTP daemon is up and running, an enterprise root certificate authority must be created and exported on the host. If Certificate Services is not installed, it can be installed through Add/Remove Programs > Add/Remove Windows Components > Certificate Services. An enterprise root certificate must be created and subsequently exported as “Base-64 encoded X.509 (.CER)”, which should be placed in the TFTP root directory.
The last step is to set up the ILOM to pull the certificate from the TFTP server and then assign groups, operators, and/or single users to be authenticated through AD to the ILOM.
Before we get started, you’ll need the following:
- Windows 2003 Server install CD
- Windows 2003 Resource Kit Tools
- In order to use these tools from the command line, you will either need to execute them while in the directory, or add the directory to the %PATH% environment variable using the following command:
- path=%PATH%;"C:\Program Files\Windows Resource Kits\Tools"
- Working Active Directory structure
TFTP Service
In order for the ILOM to receive a certificate, a TFTP server needs to be set up. I used the route of creating the TFTP server where Active Directory is installed (e.g. Domain Controller). Creating the TFTP server on the same machine saved me the hassle of moving the certificate to a different machine.
A root directory for TFTP will be created, and this is where the TFTP daemon and the exported certificate will be located. The service can be set up using tools provided by the install disc and the Windows 2003 Resource Kit.
Follow these steps to install the TFTP Daemon from the command line (Note: Adjust the drive letter accordingly):
- Create a folder named “tftproot” in the root directory:
  mkdir c:\tftproot
- cd to the AMD64 or I386 folder, depending on your architecture, on the Windows 2003 Install Disc and expand tftpd.ex_ to the TFTP root folder:
  expand tftpd.ex_ c:\tftproot\tftpd.exe
- Install the service using instsrv provided by the Windows 2003 Resource Kit:
  instsrv tftpd c:\tftproot\tftpd.exe
- Add the following registry keys and values:
  reg add hklm\system\currentcontrolset\services\tftpd\Parameters
  reg add hklm\system\currentcontrolset\services\tftpd\Parameters /v Directory /t REG_SZ /d c:\tftproot
- Start the tftpd service:
  net start tftpd
- Confirm that the service is started and set to “Automatic” in case of an unexpected reboot.
Certificate Services
The ILOM requires a certificate, obtained via TFTP, for authentication to AD and for the ability to read the directory in the case where anonymous querying of the directory is disabled. To create a certificate on the host machine where AD is installed, Certificate Services must be installed and an Enterprise Root CA must be created. In the case where Certificate Services is already installed with an Enterprise Root CA, skip to Step 5 (exporting the certificate from Internet Options). Once the certificate is installed on the ILOM, it can be removed from the TFTP directory and the TFTP service can be stopped until it is needed again.
- Go to Add/Remove Programs > Add/Remove Windows Components and check “Certificate Services.” Click Next.
- Choose “Enterprise root CA” and click Next.
- Enter a common name for the CA and click Next.
- Leave the defaults for Certificate database and log. Click Next.
- Navigate to Internet Options, click the Content tab and click “Certificates”.
- Navigate to the “Intermediate Certification Authorities” tab.
- Choose the certificate using the common name you chose in setup. Click Export.
- Click Next on the following pop-up.
- Choose “No, do not export the private key” and click Next.
- Choose “Base-64 encoded X.509 (.CER)” and click Next.
- Browse to C:\tftproot and choose a name for the file.
- Click Next, then click Finish.
The export should complete successfully, and now you’re ready to set up the ILOM.
ILOM-AD Authentication Setup Through the WebGUI
Navigate to the “Active Directory” tab under “User Management” on the ILOM WebGUI and fill out the following parameters:
- State: ENABLED
- Role: [Administrator Decision]
- IP Address: [Address of Server with AD installed]
- Port: AUTOSELECT
- Timeout: [Administrator Decision]
- Strict Certificate Mode: DISABLED
- Log Detail: [Administrator Decision, Low = most information]
- Click “Save”
Certificate Information:
- TFTP Server: [Address of Server with AD installed]
- Path and File Name: [just the filename of certificate, C:\tftproot is the root directory]
- Click “Retrieve Certificate”
- Confirm that the “Certificate Status” is set to “certificate present; certificate.backup present;”
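Before clicking “Retrieve Certificate”, it is worth confirming from another machine that the TFTP server hands out the file and that the file is what the ILOM expects. The following Python script is an added example, not part of the original article: it fetches the file from the TFTP server the same way the ILOM does (an RFC 1350 read request on UDP port 69, acknowledging each data block) and then checks that the result is a Base-64 encoded X.509 wrapper around a DER body with no private key included. The host name, the file name and the constructed SAMPLE_CER are placeholders, not values from the article.

```python
import base64
import socket
import struct

# Constructed stand-in for the exported .CER (body is a tiny DER SEQUENCE, not a real cert).
SAMPLE_CER = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(b"\x30\x03\x02\x01\x01")
              + b"-----END CERTIFICATE-----\n")

def build_rrq(filename, mode="octet"):
    # RFC 1350 read request: opcode 1, filename, NUL, mode, NUL
    return struct.pack("!H", 1) + filename.encode() + b"\0" + mode.encode() + b"\0"

def parse_data(packet):
    # Returns (block, payload) for a DATA packet; an ERROR packet (opcode 5) raises.
    opcode, block = struct.unpack("!HH", packet[:4])
    if opcode != 3:
        msg = packet[4:].rstrip(b"\0").decode(errors="replace") if opcode == 5 else ""
        raise RuntimeError(f"TFTP opcode {opcode}, code/block {block}: {msg}")
    return block, packet[4:]

def fetch_tftp(host, filename, timeout=5.0):
    # Read the file from host:69 as the ILOM does: RRQ, then DATA/ACK until a short block.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_rrq(filename), (host, 69))
    data, expected = b"", 1
    try:
        while True:
            packet, peer = sock.recvfrom(516)
            block, payload = parse_data(packet)
            sock.sendto(struct.pack("!HH", 4, block), peer)  # ACK to the server's transfer port
            if block != expected:
                continue  # duplicate or stale block: acknowledged, not appended
            data, expected = data + payload, expected + 1
            if len(payload) < 512:
                return data
    finally:
        sock.close()

def check_exported_cert(blob):
    # Pre-flight: Base-64 X.509 wrapper, a DER SEQUENCE inside, and no private key block.
    lines = [l.strip() for l in blob.decode("ascii", "replace").splitlines() if l.strip()]
    wrapped = (lines[:1] == ["-----BEGIN CERTIFICATE-----"]
               and lines[-1:] == ["-----END CERTIFICATE-----"])
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True) if wrapped else b""
    except ValueError:
        der = b""
    return {"pem_wrapped": wrapped, "der_sequence": der[:1] == b"\x30",
            "private_key_present": any("PRIVATE KEY" in l for l in lines)}
```

A binary (DER) export fails the pem_wrapped check, which is the same file the ILOM would reject, so run check_exported_cert(fetch_tftp("ad-host.example", "ca.cer")) with your own host and file name before pointing the ILOM at it.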
Groups:
These sections (Admin, Operator, User Domains) are determined by the System Administrator. The Admin and Operator Groups require Distinguished Names for the paths of the corresponding groups in AD. The User Domains require single users with fully qualified domain names (e.g. @example.com).