iBMC Configuring the Directory Server
LDAP supports Windows AD, Linux OpenLDAP, and FreeIPA. Kerberos supports interconnection with Windows AD.
This section uses Windows Server 2012 R2 Enterprise as an example to describe how to configure a directory server. If a directory server is already available, skip this section.
Prerequisites
- The device (for example, a Huawei server) for deploying the directory server is available.
- The Windows Server 2012 R2 Enterprise installation CD-ROM or ISO image file is available.
Procedure
- Install the OS.
- On the iBMC web user interface (WebUI) of the server, set the CD-ROM drive as the next boot device of the server.
- Insert the OS installation CD-ROM into the CD-ROM drive or mount the OS image file through the iBMC virtual CD-ROM drive.
- Restart the server to access the OS installation wizard.
- On the OS selection page, select Windows Server 2012 R2 Datacenter.
- Click Next.
Complete the OS installation by following the instructions.
- Install the DNS service.
- Select Server Manager in the Start menu.
- Select Local Server in the navigation tree.
The PROPERTIES For FusionServer window is displayed, as shown in Figure 6-3.
- Select Manage at the top right corner and choose Add Roles and Features.
The Add Roles and Features Wizard window is displayed, as shown in Figure 6-4.
- Click Next.
The Select installation type window is displayed.
- Select Role-based or feature-based installation and click Next.
The Select destination server window is displayed, as shown in Figure 6-5.
- Choose Select a server from the server pool, select the server in the Server Pool box and click Next.
The Select server roles page is displayed, as shown in Figure 6-6.
- Select DNS Server in the Roles box.
The confirmation window is displayed.
- Click Add Features.
The Select server roles window is displayed.
- Click Next.
The Select features window is displayed, as shown in Figure 6-7.
- Select .NET Framework 4.5 Features and click Next.
The DNS Server window is displayed.
- Click Next.
The confirmation window is displayed.
- Click Install.
The DNS server installation process is displayed.
- When the installation is complete, click Close.
The Local Server window is displayed.
- Install the AD service.
Add the new service by referring to step 2.
- Select Active Directory Domain Services in the Roles box shown in Figure 6-7.
The confirmation window is displayed.
- Click Add Features.
The Select server roles window is displayed.
- Click Next.
The Select features window is displayed.
- Select .NET Framework 4.5 Features and click Next.
The Active Directory Domain Services window is displayed.
- Click Next.
The confirmation window is displayed.
- Click Install.
The installation progress of the Active Directory Domain Services is displayed.
- When the installation is complete, click Close.
The Local Server window is displayed.
- Configure the AD service.
- Select AD DS in the navigation tree in the Server Manager window.
The AD DS properties are displayed in the right pane, as shown in Figure 6-8.
- Click More... in the alarm information.
The All Servers Task Details window is displayed, as shown in Figure 6-9.
- Click Promote this server to a domain controller.
The Active Directory Domain Services Configuration Wizard window is displayed, as shown in Figure 6-10.
- Select Add a new forest, enter the AD domain name (for example, iBMC.com) in Root domain name, and click Next.
The Domain Controller Options window is displayed, as shown in Figure 6-11.
The domain name is case-sensitive. Use the planned domain name.
- Set the AD domain controller password and click Next.
- Click Next until the window in Figure 6-12 is displayed.
- Set the AD domain services paths and click Next.
You can also retain the default configuration.
- Click Next in the following windows displayed.
- When the Prerequisites Check window is displayed, click Install.
The OS automatically restarts after the configuration is complete.
- (Optional for the LDAP function) Configure the AD host name.
- On the toolbar in the upper right corner of Server Manager, click Tools and choose Active Directory Users and Computers from the drop-down list.
- In Active Directory Users and Computers, choose Computers from the navigation tree.
The list of host names is displayed, as shown in Figure 6-13.
- Right-click the blank area in the host name list to create a host name, for example, host.
The host name will be used when you configure the host name on the iBMC WebUI. Record the host name. For details about how to configure the host name on the iBMC WebUI, see 1 in Configuring the Kerberos Parameters on the iBMC.
- (Optional for the LDAP function) Configure the encryption algorithms supported by the AD domain.
- On the toolbar in the upper right corner of Server Manager, click Tools and choose Local Security Policy from the drop-down list.
- In the Local Security Policy window, choose from the navigation tree. The security options are displayed in the right pane, as shown in Figure 6-14.
- Right-click Network security: Configure encryption types allowed for Kerberos, and choose Properties.
- Select the following algorithms in Local Security Setting:
- AES128_HMAC_SHA1
- AES256_HMAC_SHA1
For cross-domain logins, you also need to configure trust relationships between the domains so that authentication with these encryption algorithms succeeds.
- (Optional for the LDAP function) Configure the encryption algorithms supported by the server in the AD domain.
- On the toolbar in the upper right corner of Server Manager, click Tools and choose ADSI Edit from the drop-down list.
- In the navigation tree on the left of ADSI Edit, choose Computers.
The host name list is displayed in the right pane.
- Right-click the target host name and choose Properties from the shortcut menu.
The property list is displayed.
- Select msDS-SupportedEncryptionTypes.
- Click Edit, and enter the values of the encryption algorithms supported by the server in the text box in Integer Attribute Editor.
The client supports only the AES128-CTS-HMAC-SHA1-96 and AES256-CTS-HMAC-SHA1-96 encryption algorithms, whose values are 8 and 16 respectively, as listed in Table 6-1. To ensure successful negotiation between the server and the client, the encryption algorithms configured for the server must match those supported by the client. Therefore, the value must be 8, 16, or 24 (8 + 16, that is, both algorithms).
- Click OK.
- (Optional for the LDAP function) Generate a key table.
- On the AD domain server, run the cmd command.
- Run the ktpass command to generate a key table.
When generating a key table using the ktpass command, use the AES128-CTS-HMAC-SHA1-96 or AES256-CTS-HMAC-SHA1-96 encryption algorithm. In addition, use the same encryption algorithm on the server and the client.
- If the server encryption algorithm is set to 8, use AES128-CTS-HMAC-SHA1-96 to generate a key table.
- If the server encryption algorithm is set to 16 or 24, use AES256-CTS-HMAC-SHA1-96 to generate a key table.
Example:
C:\Users\Administrator>ktpass -out c:\kerberos\admin.keytab +rndPass -ptype KRB5_NT_SRV_HST -mapuser admin$@it.software.com -princ HTTP/admin.it.software.com@IT.SOFTWARE.COM -crypto AES128-SHA1
Targeting domain controller: WIN-D0VNHFBODLC.it.software.com
Successfully mapped HTTP/admin.it.software.com to ADMIN$.
WARNING: Account ADMIN$ is not a user account (uacflags=0x1021).
WARNING: Resetting ADMIN$'s password may cause authentication problems if ADMIN$ is being used as a server.
Reset ADMIN$'s password [y/n]? y
Password successfully set!
Key created.
Output keytab to c:\kerberos\admin.keytab:
Keytab version: 0x502
keysize 86 HTTP/admin.it.software.com@IT.SOFTWARE.COM ptype 3 (KRB5_NT_SRV_HST) vno 3 etype 0x11 (AES128-SHA1) keylength 16 (0xd517c317bf1a6f333a45f3282d0b69a9)
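A consistency check for the msDS-SupportedEncryptionTypes and ktpass steps above, added here as an example and not taken from the Huawei guide: it parses a version 0x502 keytab of the kind ktpass writes and reports whether each key's encryption type is enabled by the value (8, 16 or 24) set on the computer account. The keytab is constructed in the code with a made-up key, and the function names are the example's own.

```python
import struct

# Kerberos enctype -> msDS-SupportedEncryptionTypes bit, the values the guide lists (Table 6-1)
ETYPE_TO_FLAG = {17: 8, 18: 16}   # 17 = AES128-CTS-HMAC-SHA1-96, 18 = AES256-CTS-HMAC-SHA1-96

def _counted(buf, off):
    """Read a 16-bit length-prefixed octet string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [{principal, kvno, etype}] for every entry in a version 0x502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0: off -= size; continue   # negative size = deleted slot, skip it
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        etype, klen = struct.unpack_from(">HH", data, p + 9)
        p += 13 + klen                          # skip over the key bytes themselves
        kvno32 = struct.unpack_from(">I", data, p)[0] if p + 4 <= end else 0  # optional 32-bit kvno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno32 or vno8, "etype": etype})
        off = end
    return entries

def check_against_server(entries, supported_enc_types):
    """Entries whose enctype is not enabled in the account's msDS-SupportedEncryptionTypes value."""
    return [e for e in entries if not supported_enc_types & ETYPE_TO_FLAG.get(e["etype"], 0)]

def build_keytab(principal, realm, kvno, etype, key):
    """Write a one-entry 0x502 keytab; used here only to construct sample input."""
    comps = principal.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 3, 0, kvno, etype, len(key)) + key + struct.pack(">I", kvno)  # 3 = KRB5_NT_SRV_HST
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

# Constructed sample: the principal from the guide's ktpass example with a made-up 16-byte AES128 key.
SAMPLE_KEYTAB = build_keytab("HTTP/admin.it.software.com", "IT.SOFTWARE.COM", 3, 17, bytes(range(16)))

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE_KEYTAB); print(ents)
    for value in (8, 16, 24):   # the msDS-SupportedEncryptionTypes values the guide allows
        print("server value", value, "->", "MISMATCH" if check_against_server(ents, value) else "OK")
```

With an AES128 key in the keytab, a server value of 16 (AES256 only) is reported as a mismatch, which is exactly the case the guide's rule on choosing the ktpass -crypto option is meant to prevent.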
- Install the CS services.
Add the new service by referring to step 2.
- Select Active Directory Certificate Services in the Roles box shown in Figure 6-7.
The confirmation window is displayed.
- Click Add Features.
The Select server roles window is displayed.
- Click Next.
The Select features window is displayed.
- Select .NET Framework 4.5 Features and click Next.
The Active Directory Certificate Services window is displayed.
- Click Next.
The Select role services window is displayed.
- Select Certification Authority and Certification Authority Web Enrollment, and click Next.
The confirmation window is displayed.
- Click Add Features.
The Select server roles window is displayed.
- Click Next.
- Click Install in the Confirm installation selections window.
The installation progress is displayed.
- Click Close when the installation is complete.
- Configure the CS services.
- Open the Server Manager window.
- Select AD CS in the navigation tree.
The AD CS properties are displayed in the right pane, as shown in Figure 6-15.
- Click More... in the alarm information.
The All Servers Task Details window is displayed, as shown in Figure 6-16.
- Click Configure Active Directory Certificate Services on the Destination Server.
The AD CS Configuration window is displayed.
- Click Next.
The Role Services window is displayed, as shown in Figure 6-17.
- Select Certification Authority and Certification Authority Web Enrollment, and click Next.
The Setup Type window is displayed.
- Select Enterprise CA and click Next.
The CA Type window is displayed.
- Select Root CA and click Next.
The Private Key window is displayed.
- Select Create a new private key and click Next.
The Cryptography for CA window is displayed, as shown in Figure 6-18.
- Select RSA#Microsoft Software Key Storage Provider as the cryptographic provider, 2048 in Key length, and SHA1 as the hash algorithm, and click Next.
The CA Name window is displayed, as shown in Figure 6-19.
- Set the common name for this CA and click Next.
The Validity Period window is displayed.
- Set the validity period and click Next.
The CA Database window is displayed.
- Specify the CA database path and click Next.
The Confirmation window is displayed.
- Click Configure.
The configuration process of AD certificate services is displayed.
- Click Close when the configuration is complete.
- Restart the server to make the configuration take effect.
- Create an organizational unit.
You can create an organizational unit in any node of the server. The following describes how to create a first-level node and its sub-nodes.
- Log in to the server OS.
- Open Server Manager, and select Local Server in the navigation tree.
- Select Active Directory Users and Computers from the TASKS drop-down list at the top right corner of the window.
The window shown in Figure 6-20 is displayed.
- Right-click the first-level node (for example, iBMC.com) of the server, and choose New > Organizational Unit.
The window shown in Figure 6-21 is displayed.
- Enter the organization name, for example company, and click OK.
The organizational unit company is displayed in the server organization.
- Right-click the newly created organizational unit (for example, company), and choose New > Organizational Unit to create a sub-organizational unit (for example, department).
The sub-node department is displayed under company.
- Repeat 12.d to 12.f to create organizational units based on actual needs.
- Create a group.
Create a group in any node based on actual needs.
- Right-click the node (for example, department), and choose New > Group.
The New Object-Group window is displayed, as shown in Figure 6-22.
- In the Group name box, enter the LDAP group name, for example info_group1, select the group scope and the group type, and click OK.
You are advised to set the same value for Group name and Group name (pre-Windows 2000).
The newly created group (for example, info_group1) is displayed in the specified organization.
- Create a user.
You can add users in any directory, but you are advised to add users in the Users directory.
- Right-click the node (for example, Users) and choose New > User.
- In the New Object-User window as shown in Figure 6-23, enter the user information and click Next.
User login name is the domain name used to log in to the iBMC WebUI. Record the user login name.
- Click Next.
The window shown in Figure 6-24 is displayed.
- Enter the password (for example, Admin@9000) in the Password and Confirm password boxes, select the password policy, and click Next.
Do not select User must change password at next logon as the password policy.
The user information confirmation window is displayed.
- Click Finish.
The user HWinfo is displayed in the Users list.
- Create other users in the same way.
- Add the user to a group.
You can add a user to a group by managing the user or group. The following uses the operations on the user as an example.
- Right-click the user created in 14 (for example, HWinfo) and choose Add to a group.
The Select Groups window is displayed, as shown in Figure 6-25.
- In Enter the object names to select, enter the group name (for example, info_group1) to which the user is to be added, and click OK.
A message is displayed indicating the operation is successful.
- Repeat the steps to add users to the related groups based on actual needs.