Automating iLO config and OneView setup for HPE servers

We have quite a few Blade Enclosures with BL460c server blades in them and have been happy with those. For managing these we are primarily using HPE OneView and, in some cases, the Onboard Administrator (OA).

Our latest batch of new hardware, however, was DL360 and DL380 rack servers. These will also be managed primarily by OneView, but initially we need to do some iLO configuration on each server, which in the case of blades is done by the OA. They will also have to be added to OneView manually, while blades are brought in automatically from the chassis. With lots of new servers to configure this is a tedious process, and there is a risk of errors and inconsistency when doing it manually.

To the rescue come the APIs provided by HPE and our favourite tool, PowerShell.

HPE has released a lot of PowerShell modules for managing various parts of their infrastructure components. We have been using the OneView module for some time, and also the OneView APIs directly. As we have had mostly blade servers there hasn't been much need for managing BIOS or iLO on single servers, since this is done through OneView or OA, but there are PowerShell modules for that as well.

So to our steps for initial configuration of a new rack server (after racking, stacking and bringing the iLO online):

  1. Add a new admin user
  2. Set correct iLO hostname
  3. Set correct iLO DNS configuration
  4. Add AD/LDAP integration to the iLO
  5. Remove default admin user
  6. Add to OneView
  7. Create and assign OneView server profile from a template (includes BIOS settings and Firmware baseline)

We have created a script that does all of these steps, but they can and will also be extracted into single functions/scripts so they can be used individually.

The script uses four different HPE tools to configure the different components.

First off, we use the HP iLO cmdlets to add the new admin user and to set the name and DNS configuration.

Add iLO user

We are adding our own admin user, whose credentials are stored in a separate secret/password manager. The new username and password are passed as input variables to the script.

Add-HPiLOUser -Server $ILOIp -Username $UserName -Password $adminPass -NewUsername $NewUserName -NewUserLogin $NewUserName -NewPassword $pass -AdminPriv Y -ConfigILOPriv Y -RemoteConsPriv Y -ResetServerPriv Y -VirtualMediaPriv Y -DisableCertificateAuthentication

Note the different privileges the user is given through the parameters of this cmdlet. Also note that you need the -DisableCertificateAuthentication switch if you haven't replaced the self-signed SSL certificates. Be aware of what that switch does: it turns off TLS certificate validation for the call, so the admin credentials are sent to whatever answers on that IP address. That is acceptable on an isolated provisioning network; for anything else, replace the certificate first and drop the switch.

Network settings

The next step is to set the different network settings, namely step 2 and 3 in the above list.

Set-HPiLONetworkSetting -Server $ILOIp -Username $UserName -Password $adminPass -DisableCertificateAuthentication -DHCPEnable Disable -RegDDNSServer Disable -RegWINSServer Disable -DNSName $iloName -PrimDNSServer $prim_dnsserver -SecDNSServer $sec_dnsserver -DHCPDNSServer Disable

As you can see we are setting both the name of the iLO (-DNSName) and the primary and secondary DNS servers (-PrimDNSServer / -SecDNSServer).

After this change the iLO will most likely reset. In our script we have put in a Start-Sleep of 2 minutes to wait for the iLO to come back online.
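A fixed two-minute sleep either wastes time or, on a slow reset, returns before the iLO is ready. The function below is an added example, not code from the original script: it polls TCP 443 and then confirms through the HPiLOCmdlets that the iLO answers with the new DNS name. It assumes the Windows `Test-NetConnection` cmdlet is available and that `Get-HPiLONetworkSetting` returns `STATUS_TYPE` and `DNS_NAME` properties (property names are an assumption; check them with `Get-Member`). The function name is hypothetical.

```powershell
# Added example, not part of the original post's script.
# Assumes HPiLOCmdlets is loaded and Test-NetConnection (NetTCPIP module) is available.
function Wait-ILOOnline {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Username,
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$ExpectedDnsName,
        [int]$TimeoutSeconds = 300,
        [int]$PollSeconds = 10,
        [int]$GraceSeconds = 20
    )
    # Let the iLO actually begin its reset before polling, otherwise the first
    # probe can still hit the old firmware instance and report "online" too early.
    Start-Sleep -Seconds $GraceSeconds
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $tcpUp = Test-NetConnection -ComputerName $Server -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
        if ($tcpUp) {
            # Property names STATUS_TYPE / DNS_NAME are an assumption about the cmdlet output.
            $net = Get-HPiLONetworkSetting -Server $Server -Username $Username -Password $Password `
                -DisableCertificateAuthentication -ErrorAction SilentlyContinue
            if ($net -and $net.STATUS_TYPE -eq 'OK' -and $net.DNS_NAME -eq $ExpectedDnsName) {
                Write-Verbose "iLO $Server is back with DNS name $($net.DNS_NAME)"
                return $true
            }
        }
        Start-Sleep -Seconds $PollSeconds
    }
    Write-Warning "iLO $Server did not come back within $TimeoutSeconds seconds"
    return $false
}

# Usage right after Set-HPiLONetworkSetting in the provisioning script:
if (-not (Wait-ILOOnline -Server $ILOIp -Username $UserName -Password $adminPass -ExpectedDnsName $iloName -Verbose)) {
    throw "Aborting: iLO $ILOIp not reachable after the network change"
}
```

Checking the DNS name rather than just the TCP port proves the new configuration is active, not merely that something listens on 443.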

LDAP integration

Now we are ready to configure the AD/LDAP integration. There is, as far as I have found, no way to set all of the required LDAP settings through the provided PowerShell modules. Things like the mapping of AD groups to permissions have to be done through RIBCL scripting, which essentially means sending an XML command file to the iLO. Luckily there are nice examples of how this is done in the HPE documentation.

Here's an example of one of our RIBCL scripts:

<RIBCL VERSION="2.0">
 <LOGIN USER_LOGIN="adminname" PASSWORD="password">
 <DIR_INFO MODE="write">
 <MOD_DIR_CONFIG>
 <DIR_AUTHENTICATION_ENABLED value="Y"/>
 <DIR_LOCAL_USER_ACCT value="Y"/>
 <DIR_SERVER_ADDRESS value="ip_to_domain_controller"/>
 <DIR_SERVER_PORT value="636"/>
 <DIR_OBJECT_DN value=""/>
 <DIR_USER_CONTEXT_1 value="OU=aaa,OU=bbb,OU=ccc,DC=domain,DC=name"/>
 <DIR_USER_CONTEXT_2 value=""/>
 <DIR_USER_CONTEXT_3 value=""/>
 <DIR_USER_CONTEXT_4 value=""/>
 <DIR_USER_CONTEXT_5 value=""/>
 <DIR_USER_CONTEXT_6 value=""/>
 <DIR_USER_CONTEXT_7 value=""/>
 <DIR_USER_CONTEXT_8 value=""/>
 <DIR_USER_CONTEXT_9 value=""/>
 <DIR_USER_CONTEXT_10 value=""/>
 <DIR_USER_CONTEXT_11 value=""/>
 <DIR_USER_CONTEXT_12 value=""/>
 <DIR_USER_CONTEXT_13 value=""/>
 <DIR_USER_CONTEXT_14 value=""/>
 <DIR_USER_CONTEXT_15 value=""/>
 <DIR_ENABLE_GRP_ACCT value = "Y"/>
 <DIR_GRPACCT1_NAME VALUE= "Administrators"/>
 <DIR_GRPACCT1_PRIV VALUE= "1,2,3,4,5,6"/>
 <DIR_GRPACCT1_SID VALUE= ""/>
 <DIR_GRPACCT2_NAME VALUE= "CN=admin_group,OU=aaa,OU=bbb,DC=domain,DC=name"/>
 <DIR_GRPACCT2_PRIV VALUE= "1,2,3,4,5,6"/>
 <DIR_GRPACCT2_SID VALUE= ""/>
 <DIR_GRPACCT3_NAME VALUE= "CN=read_group,OU=aaa,OU=bbb,DC=domain,DC=name"/>
 <DIR_GRPACCT3_PRIV VALUE= "6"/>
 <DIR_GRPACCT3_SID VALUE= ""/>
 <DIR_GENERIC_LDAP_ENABLED VALUE="N"/>
 <DIR_KERBEROS_ENABLED value="N"/>
 <DIR_KERBEROS_REALM VALUE=""/>
 <DIR_KERBEROS_KDC_ADDRESS VALUE=""/>
 <DIR_KERBEROS_KDC_PORT VALUE="88"/>
 </MOD_DIR_CONFIG>
 </DIR_INFO>
 </LOGIN>
</RIBCL>

Regarding DIR_SERVER_ADDRESS, this also accepts the domain name itself, which gives you failover if the specific domain controller you specified is down. However, I found that logging in to iLO with an AD account took a very long time when the domain name was specified. I suspect that iLO contacts all of the domain controllers before logging in.

To set the LDAP settings we created the RIBCL XML script above and keep it available on the machine we run the script from. This machine also has the HPQLOCFG.exe utility installed, which is used to run the RIBCL script. We build a command string with the iLO IP, the script path and the credentials for HPQLOCFG.exe and run it through the Invoke-Expression cmdlet. (This was the original approach; see the update below.)

$command = @"
HPQLOCFG.exe -s $ILOIp -f D:\hw\rib\ldap_config.xml -u $NewUserName -p "$pass"
"@
Invoke-Expression -Command:$command

UPDATE: The HP iLO PowerShell module includes a cmdlet for sending these RIBCL XML scripts, which eliminates the dependency on the HPQLOCFG.exe tool.

$ribcmd = ([string](Get-Content "D:\hw\rib\ldap_config.xml"))
Invoke-HPiLORIBCLCommand -Server $ILOIp -Username $Username -Password $adminPass -DisableCertificateAuthentication -RIBCLCommand $ribcmd

Note that the password is still taken from the input variables of the script itself, not from the XML file.

One thing to be aware of when you add AD/LDAP integration to your iLO is that by default the "Authenticated Users" directory group has the login privilege. This means that as soon as you enable and configure the integration, every authenticated user in your domain can log in to the iLO! Interestingly I wasn't able to remove the login permission from that group through the RIBCL script, so I ended up overwriting the group with a "Read Only" group I had configured in Active Directory. Check the resulting group mapping on the iLO afterwards rather than trusting the script.
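The XML above is static, so a forgotten slot or a left-over "Authenticated Users" mapping is easy to miss. The following added example (not the original post's script; helper names are hypothetical) generates the MOD_DIR_CONFIG block from an ordered group-to-privilege map, refuses to emit a login mapping for "Authenticated Users", and sends the result with Invoke-HPiLORIBCLCommand. It relies on the behaviour the post's update describes, namely that the credentials passed to the cmdlet are the ones used, so the LOGIN element only carries placeholders. The slot limits (15 user contexts, 6 directory groups) and the privilege numbering (1 administer group accounts, 2 remote console, 3 virtual power/reset, 4 virtual media, 5 configure iLO settings, 6 login) follow the iLO 4 RIBCL scripting guide; check them against the guide for your firmware. The STATUS_TYPE/STATUS_MESSAGE properties on the cmdlet result are an assumption.

```powershell
# Added example, not code from the original post.
function New-ILODirectoryRibcl {
    param(
        [Parameter(Mandatory)][string]$DirectoryServer,
        [Parameter(Mandatory)][string[]]$UserContext,
        # Ordered map: group DN -> array of privilege numbers; order decides the slot (1..6).
        [Parameter(Mandatory)][System.Collections.IDictionary]$GroupPrivileges,
        [int]$Port = 636   # LDAPS, so bind credentials are not sent in the clear
    )
    if ($UserContext.Count -gt 15)    { throw 'iLO accepts at most 15 user contexts' }
    if ($GroupPrivileges.Count -gt 6) { throw 'iLO accepts at most 6 directory groups' }
    foreach ($dn in $GroupPrivileges.Keys) {
        # Block the catch-all mapping: with privilege 6 every domain account can log in.
        if ($dn -eq 'Authenticated Users' -and 6 -in @($GroupPrivileges[$dn])) {
            throw "Refusing to grant login to '$dn'"
        }
    }
    $x  = { param($s) [System.Security.SecurityElement]::Escape([string]$s) }   # XML-escape values
    $sb = New-Object System.Text.StringBuilder
    [void]$sb.AppendLine('<RIBCL VERSION="2.0">')
    # Placeholder credentials only; the real ones are given to Invoke-HPiLORIBCLCommand.
    [void]$sb.AppendLine(' <LOGIN USER_LOGIN="adminname" PASSWORD="password">')
    [void]$sb.AppendLine(' <DIR_INFO MODE="write">')
    [void]$sb.AppendLine(' <MOD_DIR_CONFIG>')
    [void]$sb.AppendLine(' <DIR_AUTHENTICATION_ENABLED VALUE="Y"/>')
    # Keep local accounts enabled: the break-glass local admin must work when AD is unreachable.
    [void]$sb.AppendLine(' <DIR_LOCAL_USER_ACCT VALUE="Y"/>')
    [void]$sb.AppendLine(" <DIR_SERVER_ADDRESS VALUE=`"$(& $x $DirectoryServer)`"/>")
    [void]$sb.AppendLine(" <DIR_SERVER_PORT VALUE=`"$Port`"/>")
    [void]$sb.AppendLine(' <DIR_OBJECT_DN VALUE=""/>')
    for ($i = 1; $i -le 15; $i++) {
        # Unused contexts are written as empty so stale entries do not survive.
        $ctx = if ($i -le $UserContext.Count) { & $x $UserContext[$i - 1] } else { '' }
        [void]$sb.AppendLine(" <DIR_USER_CONTEXT_$i VALUE=`"$ctx`"/>")
    }
    [void]$sb.AppendLine(' <DIR_ENABLE_GRP_ACCT VALUE="Y"/>')
    $slot = 1
    foreach ($dn in $GroupPrivileges.Keys) {
        $priv = (@($GroupPrivileges[$dn]) | Sort-Object -Unique) -join ','
        [void]$sb.AppendLine(" <DIR_GRPACCT${slot}_NAME VALUE=`"$(& $x $dn)`"/>")
        [void]$sb.AppendLine(" <DIR_GRPACCT${slot}_PRIV VALUE=`"$priv`"/>")
        [void]$sb.AppendLine(" <DIR_GRPACCT${slot}_SID VALUE=`"`"/>")
        $slot++
    }
    # Group slots not written here keep whatever the iLO already had: verify afterwards.
    [void]$sb.AppendLine(' <DIR_GENERIC_LDAP_ENABLED VALUE="N"/>')
    [void]$sb.AppendLine(' <DIR_KERBEROS_ENABLED VALUE="N"/>')
    [void]$sb.AppendLine(' </MOD_DIR_CONFIG>')
    [void]$sb.AppendLine(' </DIR_INFO>')
    [void]$sb.AppendLine(' </LOGIN>')
    [void]$sb.AppendLine('</RIBCL>')
    return $sb.ToString()
}

# Usage with the groups from the post's XML (DNs are the post's placeholders):
$groups = [ordered]@{
    'CN=admin_group,OU=aaa,OU=bbb,DC=domain,DC=name' = @(1, 2, 3, 4, 5, 6)
    'CN=read_group,OU=aaa,OU=bbb,DC=domain,DC=name'  = @(6)
}
$ribcl = New-ILODirectoryRibcl -DirectoryServer $dc_ip `
    -UserContext @('OU=aaa,OU=bbb,OU=ccc,DC=domain,DC=name') -GroupPrivileges $groups
$result = Invoke-HPiLORIBCLCommand -Server $ILOIp -Username $UserName -Password $adminPass `
    -DisableCertificateAuthentication -RIBCLCommand $ribcl
if ($result.STATUS_TYPE -ne 'OK') { throw "Directory configuration failed: $($result.STATUS_MESSAGE)" }
```

Generating the XML per server also means the file on disk never contains a real password, and the group mapping lives in one reviewable structure instead of being spread over numbered elements.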

BIOS info

Next we use the HPEBIOS cmdlets to get the model and serial number of the server. These are used later when adding the server to OneView and creating a profile.

# Connect as the admin user created in the first step
$conn = Connect-HPEBIOS -IP $ILOIp -Username $NewUserName -Password $pass -DisableCertificateAuthentication
if(!$conn){
    throw "Couldn't get BIOS connection, the script cannot continue"
}
# Serial number and product name identify the server in OneView and select the hardware type
$serial = (Get-HPEBIOSSystemInfo -Connection $conn).SerialNumber
$productName = $conn.ProductName


Delete admin user

Before adding the server to OneView we remove the default admin user (this could also be done right after the first step, as long as the new user has been verified to work).

Remove-HPiLOUser -Server $ILOIp -RemoveUserLogin Administrator -DisableCertificateAuthentication -Username $NewUserName -Password $pass
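The user creation at the start of the post and the deletion here are really one procedure, and the dangerous moment is between them: if the new account is broken, removing the default one locks you out. This added example (not the original script; the function name is hypothetical) takes both accounts as PSCredential objects, for instance from Get-Credential or from a secret store, authenticates as the new user before removing the default, and confirms the removal. It assumes HPiLOCmdlets is loaded and that its cmdlets return STATUS_TYPE, STATUS_MESSAGE and a USER_INFO list with USER_LOGIN entries (property names are an assumption; check with Get-Member).

```powershell
# Added example, not code from the original post.
function Initialize-ILOAdmin {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Bootstrap,   # default Administrator account
        [Parameter(Mandatory)][pscredential]$NewAdmin,    # account from the secret manager
        [string]$DefaultLogin = 'Administrator'
    )
    # The HPiLO cmdlets take plaintext strings; unwrap as late as possible and never log them.
    $bootPw = $Bootstrap.GetNetworkCredential().Password
    $newPw  = $NewAdmin.GetNetworkCredential().Password

    $r = Add-HPiLOUser -Server $Server -Username $Bootstrap.UserName -Password $bootPw `
        -NewUsername $NewAdmin.UserName -NewUserLogin $NewAdmin.UserName -NewPassword $newPw `
        -AdminPriv Y -ConfigILOPriv Y -RemoteConsPriv Y -ResetServerPriv Y -VirtualMediaPriv Y `
        -DisableCertificateAuthentication
    if ($r.STATUS_TYPE -ne 'OK') { throw "Add-HPiLOUser failed: $($r.STATUS_MESSAGE)" }

    # Log in AS the new user before touching the default account. If this fails we
    # still hold working bootstrap credentials and have not locked ourselves out.
    $check = Get-HPiLOUser -Server $Server -Username $NewAdmin.UserName -Password $newPw -DisableCertificateAuthentication
    if ($check.STATUS_TYPE -ne 'OK') { throw "New admin cannot authenticate; leaving $DefaultLogin in place" }

    $del = Remove-HPiLOUser -Server $Server -Username $NewAdmin.UserName -Password $newPw `
        -RemoveUserLogin $DefaultLogin -DisableCertificateAuthentication
    if ($del.STATUS_TYPE -ne 'OK') { throw "Remove-HPiLOUser failed: $($del.STATUS_MESSAGE)" }

    # Confirm the default login is really gone (USER_INFO/USER_LOGIN are assumed property names).
    $users = Get-HPiLOUser -Server $Server -Username $NewAdmin.UserName -Password $newPw -DisableCertificateAuthentication
    if (@($users.USER_INFO.USER_LOGIN) -contains $DefaultLogin) { throw "$DefaultLogin still present on $Server" }
    return @($users.USER_INFO.USER_LOGIN)
}

# Usage: $bootstrapCred and $newAdminCred are PSCredential objects obtained from
# Get-Credential or your secret store before the script runs.
$remaining = Initialize-ILOAdmin -Server $ILOIp -Bootstrap $bootstrapCred -NewAdmin $newAdminCred
Write-Verbose "Local iLO logins now: $($remaining -join ', ')"
```

Passing PSCredential objects around instead of plain strings keeps the passwords out of transcripts and `Get-History`, and the order (create, prove, delete, confirm) is what makes the step safe to run unattended across many servers.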


OneView

So, off to adding the server to OneView.

First we check if this new server has already been added to OneView:

$ovhw = Get-HPOVServer -Name $iloName -ErrorAction SilentlyContinue
if($ovhw){
 Write-Verbose "Server found in OneView, refreshing"
 Update-HPOVServer $ovhw -Async
}

If it has we are just running an Update (or Refresh as it's named in OneView) of it.

If it's not found by name, we do an additional check on the serial number. If it's still not found we add it:

else{
    $ovhwservers = Get-HPOVServer
    if($serial -in $ovhwservers.serialnumber){
        $ovhw = $ovhwservers | Where-Object {$_.serialnumber -eq $serial}
        Write-Verbose "Server found in OneView based on serialnumber, refreshing"
        Update-HPOVServer $ovhw -Async
    }
    else{
        Write-Verbose "Server not found in OneView, adding"
        # Wait for the add task; otherwise the lookup below runs before the server exists in OneView
        New-HPOVServer -Hostname $ILOIP -Username $NewUserName -Password $pass -LicensingIntent OneView | Wait-HPOVTaskComplete
        $ovhw = Get-HPOVServer -Name $iloName
        if($ovhw){
            Write-Verbose "Server added"
        }
        else{
            throw "Server $iloName not found in OneView after adding it, cannot continue"
        }
    }
}

Finally we create and assign a Server Profile to the server (if one is not already assigned), based on a Server Profile Template matching the model of the server:

if(!$ovhw.serverProfileUri){
    Write-Verbose "No Server Profile found, creating"
    #Choose template based on model (ok), and what it will be used for (missing)
    $hwtype = Get-HPOVServerHardwareType -Model $productName
    Write-Verbose "Hardware type found : $($hwtype.name)"
    $template = Get-HPOVServerProfileTemplate -ServerHardwareType $hwtype
    if($template.count -gt 1){
        Write-Warning "Multiple templates found, please specify"
        Write-Output $template.name
        $templatename = Read-Host "Specify template name"
        $template = Get-HPOVServerProfileTemplate -Name $templatename
    }

    if($template){
        Write-Verbose "Proceeding with template $($template.name)"
        if((Get-HPOVServer -Name $iloName).Powerstate -eq "On"){
            Write-Warning "Server power is on"
            $answer = Read-Host "Do you want to power off server to continue? y/n"
            if($answer -eq "y"){
                $ovhw | Stop-HPOVServer -Confirm:$true | Wait-HPOVTaskComplete
                New-HPOVServerProfile -Name $Servername -Server $ovhw -ServerProfileTemplate $template -AssignmentType Server -Async
            }
            else{
                Write-Warning "Server stays powered on, creating the profile unassigned; assign it after the server has been powered off"
                New-HPOVServerProfile -Name $Servername -ServerProfileTemplate $template -AssignmentType Unassigned -Async
            }
        }
        else{
            New-HPOVServerProfile -Name $Servername -Server $ovhw -ServerProfileTemplate $template -AssignmentType Server -Async
        }

    }
    else{
        Write-Warning "No templates found, exiting"
    }
}

Note that since the server needs to be powered off when assigning a Server Profile, we check its power state and optionally power it off if the user agrees. We do not wait for the profile assignment to finish, because the Server Profile might include a Firmware Baseline, and applying that firmware to the server can take a long time.
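After all of this the iLO has been touched by three different tools, and OneView adds its own management account when the server is imported. The added example below (not code from the original post; the function name is hypothetical) is the closing check I would run per server: it lists the local iLO logins and the directory configuration and reports anything that deviates from what the script intended. It assumes HPiLOCmdlets, that Get-HPiLOUser and Get-HPiLODirectory return STATUS_TYPE plus properties mirroring the RIBCL names (USER_INFO/USER_LOGIN, DIR_AUTHENTICATION_ENABLED, DIR_LOCAL_USER_ACCT, DIR_SERVER_PORT, DIR_GRPACCTn_NAME/_PRIV), and that OneView's account appears under the name used in the usage line; all of these are assumptions to verify with Get-Member in your environment.

```powershell
# Added example, not code from the original post.
function Test-ILOBaseline {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Username,
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string[]]$ExpectedLocalLogins,
        [Parameter(Mandatory)][string[]]$ExpectedGroupNames
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Local accounts: anything not on the expected list is drift (or a backdoor).
    $users = Get-HPiLOUser -Server $Server -Username $Username -Password $Password -DisableCertificateAuthentication
    if ($users.STATUS_TYPE -ne 'OK') { throw "Get-HPiLOUser failed: $($users.STATUS_MESSAGE)" }
    $logins = @($users.USER_INFO.USER_LOGIN)          # assumed property names
    foreach ($l in $logins) {
        if ($l -notin $ExpectedLocalLogins) { $findings.Add("unexpected local login: $l") }
    }
    foreach ($e in $ExpectedLocalLogins) {
        if ($e -notin $logins) { $findings.Add("expected local login missing: $e") }
    }
    if ('Administrator' -in $logins) { $findings.Add('default Administrator account still exists') }

    # Directory configuration: the settings the RIBCL script was supposed to enforce.
    $dir = Get-HPiLODirectory -Server $Server -Username $Username -Password $Password -DisableCertificateAuthentication
    if ($dir.STATUS_TYPE -ne 'OK') { throw "Get-HPiLODirectory failed: $($dir.STATUS_MESSAGE)" }
    if ($dir.DIR_AUTHENTICATION_ENABLED -ne 'Y') { $findings.Add('directory authentication is disabled') }
    if ($dir.DIR_LOCAL_USER_ACCT -ne 'Y')        { $findings.Add('local accounts disabled: no break-glass login') }
    if ([int]$dir.DIR_SERVER_PORT -ne 636)        { $findings.Add("directory port is $($dir.DIR_SERVER_PORT), not LDAPS/636") }
    for ($i = 1; $i -le 6; $i++) {
        $name = [string]$dir."DIR_GRPACCT${i}_NAME"
        $priv = [string]$dir."DIR_GRPACCT${i}_PRIV"
        if ([string]::IsNullOrEmpty($name)) { continue }
        # Privilege 6 is login: the catch-all group must never keep it.
        if ($name -eq 'Authenticated Users' -and $priv -match '(^|,)6(,|$)') {
            $findings.Add('Authenticated Users still has the login privilege')
        }
        if ($name -notin $ExpectedGroupNames) { $findings.Add("unexpected directory group in slot ${i}: $name") }
    }
    return $findings
}

# Usage with the names from the post; '_HPOneViewAdmin' is an assumed name for
# the account OneView creates when the server is added.
$issues = Test-ILOBaseline -Server $ILOIp -Username $NewUserName -Password $pass `
    -ExpectedLocalLogins @($NewUserName, '_HPOneViewAdmin') `
    -ExpectedGroupNames @('Administrators',
                          'CN=admin_group,OU=aaa,OU=bbb,DC=domain,DC=name',
                          'CN=read_group,OU=aaa,OU=bbb,DC=domain,DC=name')
if ($issues.Count) { $issues | ForEach-Object { Write-Warning "$ILOIp : $_" } }
else { Write-Verbose "iLO $ILOIp matches the baseline" }
```

Run the same function periodically, not only at provisioning time: it is cheap, read-only, and catches an account or group mapping that was added by hand later.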


Summary

In summary, this post has shown how you can leverage the PowerShell modules and tools provided by HPE to automate the setup of servers, both the iLO settings and the OneView part. If you're not using OneView but still want to manage the BIOS settings and so forth, you can leverage the HPE BIOS cmdlets to do most of the BIOS configuration for you.

The full script can be found on GitHub

This page was modified on April 1, 2019: Fixed categories and tags