Automating iLO config and OneView setup for HPE servers

We have quite a few Blade Enclosures with BL460c server blades in them and have been happy with those. For managing these we are primarily using HPE OneView and in some cases the Onboard Administrator (OA).

Our latest batch of new hardware, however, was DL360 and DL380 rack servers. These will also be managed primarily by OneView, but initially we need to do some iLO config on each server, which in the case of blades is done by the OA. They will also have to be added to OneView manually, while the blades would be brought in automatically from the chassis. With lots of new servers to configure this is a tedious process, and there is a risk of errors and inconsistency when doing it manually.

To the rescue come the APIs provided by HPE and our favourite tool, Powershell.

HPE has released a lot of Powershell modules for managing various parts of their infrastructure components. We have been using the OneView module for some time, and also the OneView APIs directly. As we have had mostly blade servers there hasn’t been that much need for managing BIOS or iLO on single servers as this is done through OneView or OA, but there are Powershell modules for that as well.

So to our steps for initial configuration of a new rack server (after racking, stacking and bringing the iLO online):

  1. Add a new admin user
  2. Set correct iLO hostname
  3. Set correct iLO DNS configuration
  4. Add AD/LDAP integration to the iLO
  5. Remove default admin user
  6. Add to OneView
  7. Create and assign OneView server profile from a template (includes BIOS settings and Firmware baseline)

We have created a script that does all of these steps, but they can and will also be extracted into single functions/scripts so they can be used individually.

The script uses four different HPE tools to configure the different components:

First off, we are using the HP iLO cmdlets to add the new admin user and to set the name and DNS configuration.

 

Add iLO user

We are adding our own admin user, which is stored in a separate secret/password manager. The new username and password are set as input variables to the script.

Note the different privileges the user is getting through the parameters of this cmdlet. Also note that you need to add the -DisableCertificateAuthentication switch parameter if you haven’t replaced the self-signed SSL certificates.

 

Network settings

The next step is to set the different network settings, namely steps 2 and 3 in the above list.

As you notice we are setting both the name of the server (-DNSName) and the primary and secondary DNS servers (-PrimDNSServer / -SecDNSServer).

After this setting is applied the iLO will most likely reset. In our script we have put in a Start-Sleep of 2 minutes to wait for the iLO to come back online.

 

LDAP integration

Now we are ready for configuring the AD/LDAP integration. There is (I haven’t found a way at least) no way to set all of the required LDAP integration settings through the provided Powershell modules. Things like the mapping of AD groups to permissions and so forth have to be done through the RIBCL scripting methods, which essentially means running/flashing an XML file on the iLO. Luckily there are nice examples of how this is done in the HPE documentation.

Here’s an example of one of our RIBCL scripts

 

Regarding the DIR_SERVER_ADDRESS, this also supports the domain name itself, making it more available in case the domain controller you specify is down. However, I found that logging in to iLO with an AD account took a very long time when the domain name was specified. I suspect that iLO contacts all of the domain controllers before logging in.

To set the LDAP settings we have created the RIB XML script above and have it available on the machine we are running the script from. This machine also has the HPQLOCFG.exe utility installed, which is used to run the RIB script. We create a Powershell command object, passing the iLO IP, the script and the credentials to HPQLOCFG.exe, and this command is run through the Invoke-Expression cmdlet.

UPDATE: The HP iLO Powershell module includes a cmdlet for sending these RIBCL XML scripts which eliminates the dependency on the HPQLOCFG.exe tool.

Note that the password is still fetched from input variables to the script itself.
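
The HPQLOCFG.exe step described above can also be run without Invoke-Expression. This is an added example, not the script from this post: it passes each argument as a separate array element through the call operator, so the password is never parsed as Powershell code. The function name and the HpqlocfgPath parameter are hypothetical; -s, -f, -u and -p are HPQLOCFG's server, file, user and password switches.

```powershell
# Added example, not the author's script. The pattern it replaces looks like:
#   Invoke-Expression "HPQLOCFG.exe -s $ip -f $file -u $user -p $pass"
# where the whole string, password included, is parsed again as PowerShell code.
function Invoke-RibclScript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$IloAddress,
        [Parameter(Mandatory)][string]$ScriptPath,
        [Parameter(Mandatory)][pscredential]$Credential,
        # Placeholder: point this at HPQLOCFG.exe on the machine running the script.
        [Parameter(Mandatory)][string]$HpqlocfgPath
    )

    # Only letters, digits, dots, hyphens and colons (IPv4, IPv6 or a hostname).
    if ($IloAddress -notmatch '^[A-Za-z0-9.:-]+$') {
        throw "Unexpected characters in iLO address: $IloAddress"
    }
    # Fail early if either file is missing; -LiteralPath disables wildcard expansion.
    $exe   = (Resolve-Path -LiteralPath $HpqlocfgPath -ErrorAction Stop).Path
    $ribcl = (Resolve-Path -LiteralPath $ScriptPath   -ErrorAction Stop).Path

    # One array element per argument. Characters such as ; | & or $( ) in the
    # password stay data; PowerShell never evaluates them as code.
    $net       = $Credential.GetNetworkCredential()
    $arguments = @('-s', $IloAddress, '-f', $ribcl, '-u', $net.UserName, '-p', $net.Password)

    $output = & $exe @arguments 2>&1
    [pscustomobject]@{
        Server   = $IloAddress
        ExitCode = $LASTEXITCODE
        Output   = ($output | Out-String).Trim()
    }
}

# Usage (all values are placeholders):
# $cred = Get-Credential
# Invoke-RibclScript -IloAddress '192.0.2.10' -ScriptPath .\Set-LdapConfig.xml `
#     -Credential $cred -HpqlocfgPath 'C:\path\to\HPQLOCFG.exe'
```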

One thing to be aware of when you are adding AD / LDAP integration to your iLO is that by default Authenticated Users have the login permission. This means that as soon as you enable and configure the integration, all authenticated users in your domain can log in!
Interestingly I wasn’t able to remove the login permission from that group through the RIBCL script, so I ended up overwriting the group with a “Read Only” group I had configured in Active Directory.
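
A pre-flight check for the issue above, as an added example that is not part of the original script: it parses a RIBCL directory configuration and reports group slots where Authenticated Users (or Everyone) holds any privilege. The DIR_GRPACCTn_NAME/_PRIV/_SID element names follow HPE's RIBCL directory settings; the function names and the sample XML are constructed for illustration.

```powershell
# Added example. Well-known SIDs that should not hold iLO privileges.
$BroadPrincipals = @{
    'S-1-5-11' = 'Authenticated Users'
    'S-1-1-0'  = 'Everyone'            # well-known SID, beyond what the post covers
}

function Get-RibclValue([System.Xml.XmlElement]$Node) {
    # XML is case-sensitive and RIBCL samples use both VALUE and value.
    foreach ($name in 'VALUE', 'value', 'Value') {
        if ($Node.HasAttribute($name)) { return $Node.GetAttribute($name).Trim() }
    }
    return ''
}

function Find-BroadIloGroup {
    param([Parameter(Mandatory)][string]$RibclText)
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($RibclText)

    # Gather DIR_GRPACCT<n>_NAME / _PRIV / _SID into one record per group slot.
    $slots = @{}
    foreach ($node in $doc.SelectNodes('//*')) {
        if ($node.LocalName -match '^DIR_GRPACCT(\d+)_(NAME|PRIV|SID)$') {
            $n = [int]$Matches[1]
            if (-not $slots.ContainsKey($n)) { $slots[$n] = @{ NAME = ''; PRIV = ''; SID = '' } }
            $slots[$n][$Matches[2]] = Get-RibclValue $node
        }
    }
    foreach ($n in ($slots.Keys | Sort-Object)) {
        $s = $slots[$n]
        $broad = $BroadPrincipals.ContainsKey($s['SID']) -or ($BroadPrincipals.Values -contains $s['NAME'])
        # Any privilege on such a group lets all of its members log in.
        if ($broad -and $s['PRIV'] -ne '') {
            [pscustomobject]@{ Slot = $n; Name = $s['NAME']; Sid = $s['SID']; Privileges = $s['PRIV'] }
        }
    }
}

# Constructed sample input, not the author's RIBCL script.
$sample = @'
<RIBCL VERSION="2.0"><LOGIN USER_LOGIN="x" PASSWORD="x"><DIR_INFO MODE="write"><MOD_DIR_CONFIG>
  <DIR_GRPACCT1_NAME VALUE="CN=iLO-Admins,OU=Groups,DC=example,DC=com"/>
  <DIR_GRPACCT1_PRIV VALUE="1,2,3,4,5"/>
  <DIR_GRPACCT2_NAME VALUE="Authenticated Users"/>
  <DIR_GRPACCT2_PRIV VALUE="6"/>
  <DIR_GRPACCT2_SID VALUE="S-1-5-11"/>
</MOD_DIR_CONFIG></DIR_INFO></LOGIN></RIBCL>
'@
Find-BroadIloGroup -RibclText $sample | Format-Table -AutoSize
```

The same function can be run over a directory configuration read back from the iLO after the change, on the assumption that the response uses the same DIR_GRPACCTn element names.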

 

BIOS info

Next up we use the HPEBios cmdlets to get some information about the model and serial of the server. This is used later on when adding to OneView and creating a profile.

Delete admin user

Before adding to OneView we remove the default admin user (this could also be done after the first step).

OneView

So off to adding the server to OneView.

First off, we check if this new server has already been added to OneView.

 

If it has we are just running an Update (or Refresh as it’s named in OneView) of it.

If it’s not found by name, we’ll do an additional check on the serial number. If it’s still not found we are adding it.

Finally we create and assign (if a profile is not already assigned) a Server Profile to the server based on a Server Profile Template matching the model of the server.

 

Note that since the server needs to be powered off when assigning a Server profile we’ll check the status of it, and optionally power it off if the user wants to. We’ll not wait on the Profile assignment to finish because the Server Profile might include a Firmware Baseline which applies this firmware to the server and this can take some time to finish.

Summary

In summary this post has shown how you can leverage the Powershell modules and tools provided by HPE to automate the setup of servers, both the iLO settings and the OneView part. If you’re not using OneView but still like to manage the BIOS settings and so forth you could easily leverage the HPE BIOS Cmdlets to do most of the BIOS settings for you.

The full script can be found on GitHub

Rudi

Working with Cloud Infrastructure @ Intility, Oslo Norway. VMware vExpert. Mainly focused on automating Datacenter stuff. All posts are personal

6 thoughts to “Automating iLO config and OneView setup for HPE servers”

  1. Hello Rudi,
    Thanks for your post.
    Have you also tried to use the “new” HPEiLOCmdlets (version 2)?
    I am facing some issue and I am searching for help.

      1. Let’s start with the Certificate :
        Start-HPEiLOCertificateSigningRequest
        – ‘-IncludeiLOIP’ parameter gives errors if you specify it, no matter what syntax.
        – does not use the value of ‘-City’, regardless of how you specify it. Should place it into ” inside the XML it sends, but there’s no such field in the raw request being sent.

        Also
        Set-HPEiLOSNTPSetting
        – ‘-SNTPServer’ parameter does not work as advertised in the example when it’s a table @("1.1.1.1","2.2.2.2") WARNING: Number of parameter values greater than number of targets. Ignoring extra parameter values.
        – The XML it sends only as it should normal process the table and send also

        Set-HPEiLOIPv4NetworkingSetting
        – Again the -DNSServer and DNSType, when these are tables, are not treated as in the example … didn’t find a way to set multiple values

        1. Hi Philippe.
          I haven’t been checking the Cert stuff. Will see if I can get around to it.

          About the two other issues. Did you include a comma before the array (table) you are creating? I believe this can be why you see those issues.

          Not sure why they’ve built the cmdlets like this, but if you include that comma you should be able to get them working (at least it worked for me).
          A quick example on the difference of an array with and without the comma:

          PS C:\> $a = @(1,2,3)
          PS C:\> $b = ,@(1,2,3)
          PS C:\> $a | % {$_.gettype()}

          IsPublic IsSerial Name     BaseType
          -------- -------- ----     --------
          True     True     Int32    System.ValueType
          True     True     Int32    System.ValueType
          True     True     Int32    System.ValueType

          PS C:\> $b | % {$_.gettype()}

          IsPublic IsSerial Name     BaseType
          -------- -------- ----     --------
          True     True     Object[] System.Array

          Here’s a post explaining more about this:
          https://rkeithhill.wordpress.com/2007/09/24/effective-powershell-item-8-output-cardinality-scalars-collections-and-empty-sets-oh-my/

          And MS docs about_Operators (see the section about the comma operator):
          https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_operators?view=powershell-6

  2. Hello, I noticed you were unable to locate the cmdlet to manipulate the user permissions. Here is an example. The cmdlet is Set-HPiLOSchemalessDirectory and the parameter that controls access is -Group[1-9]Priv .

    The values are as follows:
    1 = Administer Groups Accounts
    2 = Remote Console Access
    3 = Virtual Power and Reset
    4 = Virtual Media
    5 = Configure iLO 4 Settings
    6 = Login Privilege (If any privilege 1 to 5 is set, privilege 6 will always be set even if it is not included)

    So if you wanted user 3 to have admin access you would pass in these parameters
    -Group3Name $name
    -Group3Priv "1,2,3,4,5,6"

    Set-HPiLOSchemalessDirectory -Server $ilo_ip -Username $ilo_user -Password $ilo_pass -WarningAction SilentlyContinue -DisableCertificateAuthentication -GroupAccount Enable `
    -Group1Name "CN=SOME_GROUP,OU=Resource_Groups,OU=User_Based,OU=Security_Groups,DC=domain,DC=com" -Group1Priv "1,2,3,4,5,6" `
    -Group2Name "Authenticated Users" -Group2Priv "6" `
    -Group2SID "S-1-5-11" -Group3Name "" `
    -Group3Priv ""

    Enjoy
    -jc
