IBM BladeCenter Management Module User Manual

ERserver

BladeCenter Management Module
User’s Guide

BladeCenter Management Module
User’s Guide
©
US
Note: Before using this information and the product it supports, read the general information in
Appendix B, “Notices,” on page 59.
Fourth Edition (February 2004)
Copyright International Business Machines Corporation 2004. All rights reserved.
Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
On
MM
©

Contents

Safety . . . . . . . . . . . . . . . . . . . . . . . . . . . .v
Chapter 1. Introducing the BladeCenter management module . . . . . . .1
Management module controls and indicators . . . . . . . . . . . . . .2
Management module input/output connectors . . . . . . . . . . . . . .3
Video connector . . . . . . . . . . . . . . . . . . . . . . . .3
Keyboard connector . . . . . . . . . . . . . . . . . . . . . .4
Mouse connector . . . . . . . . . . . . . . . . . . . . . . .4
Remote management and console Ethernet connector . . . . . . . . . .4
Chapter 2. Configuring the management module and BladeCenter unit . . .5
Setting up the remote connection . . . . . . . . . . . . . . . . . .7
Cabling the Ethernet port . . . . . . . . . . . . . . . . . . . .7
Configuring the management module for remote access . . . . . . . . .8
Communicating with the IBM Director software . . . . . . . . . . . .9
Chapter 3. Using the management-module Web interface . . . . . . . .11
User authority . . . . . . . . . . . . . . . . . . . . . . . . .11
Starting the management-module Web interface . . . . . . . . . . . .12
Management-module Web interface options . . . . . . . . . . . . . .14
Monitors . . . . . . . . . . . . . . . . . . . . . . . . . .14
System Status . . . . . . . . . . . . . . . . . . . . . . .14
Event Log . . . . . . . . . . . . . . . . . . . . . . . . .16
LEDs . . . . . . . . . . . . . . . . . . . . . . . . . .17
Hardware VPD . . . . . . . . . . . . . . . . . . . . . . .18
Firmware VPD . . . . . . . . . . . . . . . . . . . . . . .18
Blade Tasks . . . . . . . . . . . . . . . . . . . . . . . . .19
Power/Restart . . . . . . . . . . . . . . . . . . . . . . .19
Demand . . . . . . . . . . . . . . . . . . . . . . . .20
Remote Control . . . . . . . . . . . . . . . . . . . . . . .20
Firmware Update . . . . . . . . . . . . . . . . . . . . . .22
Configuration . . . . . . . . . . . . . . . . . . . . . . .23
Serial Over LAN . . . . . . . . . . . . . . . . . . . . . .24
I/O Module Tasks . . . . . . . . . . . . . . . . . . . . . . .25
Power/Restart . . . . . . . . . . . . . . . . . . . . . . .25
Management . . . . . . . . . . . . . . . . . . . . . . . .25
Firmware Update . . . . . . . . . . . . . . . . . . . . . .26
Control . . . . . . . . . . . . . . . . . . . . . . . . .26
General Settings . . . . . . . . . . . . . . . . . . . . . .27
Login Profiles . . . . . . . . . . . . . . . . . . . . . . .27
Alerts . . . . . . . . . . . . . . . . . . . . . . . . . .29
Port Assignments . . . . . . . . . . . . . . . . . . . . . .29
Network Interfaces . . . . . . . . . . . . . . . . . . . . .30
Network Protocols . . . . . . . . . . . . . . . . . . . . . .32
Security . . . . . . . . . . . . . . . . . . . . . . . . .33
Configuration File . . . . . . . . . . . . . . . . . . . . . .34
Firmware Update . . . . . . . . . . . . . . . . . . . . . .34
Restore Defaults . . . . . . . . . . . . . . . . . . . . . .34
Restart MM . . . . . . . . . . . . . . . . . . . . . . . .35
Network and security configuration . . . . . . . . . . . . . . . . .35
Configuring SNMP . . . . . . . . . . . . . . . . . . . . . .35
Configuring SMTP . . . . . . . . . . . . . . . . . . . . . . .37
Configuring LDAP . . . . . . . . . . . . . . . . . . . . . . .38
Copyright IBM Corp. 2004
iii
iv
Setting up a client to use the LDAP server . . . . . . . . . . . . .38
Configuring the LDAP client authentication . . . . . . . . . . . . .40
Configuring the LDAP search attributes . . . . . . . . . . . . . .40
Secure Web server and secure LDAP . . . . . . . . . . . . . . .42
Configuring security . . . . . . . . . . . . . . . . . . . . .43
SSL certificate overview . . . . . . . . . . . . . . . . . . .44
SSL server certificate management . . . . . . . . . . . . . . .44
Enabling SSL for the secure Web server . . . . . . . . . . . . .50
SSL client certificate management . . . . . . . . . . . . . . . .50
SSL client trusted certificate management . . . . . . . . . . . . .50
Enabling SSL for the LDAP client . . . . . . . . . . . . . . . .52
Configuring the secure shell server . . . . . . . . . . . . . . . .52
Generating a secure shell server key . . . . . . . . . . . . . . .52
Enabling the secure shell server . . . . . . . . . . . . . . . .53
Using the secure shell server . . . . . . . . . . . . . . . . .54
Using the configuration file . . . . . . . . . . . . . . . . . . . .54
Backing up your current configuration . . . . . . . . . . . . . . .54
Restoring and modifying your ASM configuration . . . . . . . . . . .55
Appendix A. Getting help and technical assistance . . . . . . . . . .57
Before you call . . . . . . . . . . . . . . . . . . . . . . . . .57
Using the documentation . . . . . . . . . . . . . . . . . . . . .57
Getting help and information from the World Wide Web . . . . . . . . . .58
Software service and support . . . . . . . . . . . . . . . . . . .58
Hardware service and support . . . . . . . . . . . . . . . . . . .58
Appendix B. Notices . . . . . . . . . . . . . . . . . . . . . .59
Edition notice . . . . . . . . . . . . . . . . . . . . . . . . .59
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . .60
Important notes . . . . . . . . . . . . . . . . . . . . . . . . .60
Product recycling and disposal . . . . . . . . . . . . . . . . . . .61
Electronic emission notices . . . . . . . . . . . . . . . . . . . .61
Federal Communications Commission (FCC) statement . . . . . . . . .61
Industry Canada Class A emission compliance statement . . . . . . . .62
Australia and New Zealand Class A statement . . . . . . . . . . . .62
United Kingdom telecommunications safety requirement . . . . . . . . .62
European Union EMC Directive conformance statement . . . . . . . . .62
Taiwanese Class A warning statement . . . . . . . . . . . . . . .62
Chinese Class A warning statement . . . . . . . . . . . . . . . .63
Japanese Voluntary Control Council for Interference (VCCI) statement . . .63
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
BladeCenter Management Module: User’s Guide
©

Safety

Before installing this product, read the Safety Information.
Antes de instalar este produto, leia as Informações de Segurança.
Pred instalací tohoto produktu si prectete prírucku bezpecnostních instrukcí.
Læs sikkerhedsforskrifterne, før du installerer dette produkt.
Lees voordat u dit product installeert eerst de veiligheidsvoorschriften.
Ennen kuin asennat tämän tuotteen, lue turvaohjeet kohdasta Safety Information.
Avant d’installer ce produit, lisez les consignes de sécurité.
Vor der Installation dieses Produkts die Sicherheitshinweise lesen.
Prima di installare questo prodotto, leggere le Informazioni sulla Sicurezza.
Copyright IBM Corp. 2004
Les sikkerhetsinformasjonen (Safety Information) før du installerer dette produktet.
Antes de instalar este produto, leia as Informações sobre Segurança.
v
To
v Do
v
v
v
v
v
v
To
To
1.
2.
3.
4.
5.
1.
2.
3.
4.
vi
Antes de instalar este producto, lea la información de seguridad.
Läs säkerhetsinformationen innan du installerar den här produkten.
Statement 1:
DANGER
Electrical
current from power, telephone, and communication cables is
hazardous.
avoid a shock hazard:
not connect or disconnect any cables or perform installation, maintenance, or reconfiguration of this product during an electrical storm.
Connect all power cords to a properly wired and grounded electrical outlet.
Connect to properly wired outlets any equipment that will be attached to this product.
When possible, use one hand only to connect or disconnect signal cables.
Never turn on any equipment when there is evidence of fire, water, or structural damage.
Disconnect the attached power cords, telecommunications systems, networks, and modems before you open the device covers, unless instructed otherwise in the installation and configuration procedures.
Connect and disconnect cables as described in the following table when installing, moving, or opening covers on this product or attached devices.
Connect:
Turn everything OFF.
First, attach all cables to devices.
Attach signal cables to connectors.
Attach power cords to outlet.
Turn device ON.
BladeCenter Management Module: User’s Guide
Disconnect:
Turn everything OFF.
First, remove power cords from outlet.
Remove signal cables from connectors.
Remove all cables from devices.
a
Statement 8:
CAUTION: Never remove the cover on a power supply or any part that has the following label attached.
Hazardous voltage, current, and energy levels are present inside any component that has this label attached. There are no serviceable parts inside these components. If you suspect a problem with one of these parts, contact
service technician.
WARNING: Handling the cord on this product or cords associated with accessories
sold with this product, will expose you to lead, a chemical known to the State of California to cause cancer, and birth defects or other reproductive harm. Wash
hands after handling.
ADVERTENCIA: El contacto con el cable de este producto o con cables de
accesorios que se venden junto con este producto, pueden exponerle al plomo, un elemento químico que en el estado de California de los Estados Unidos está considerado como un causante de cancer y de defectos congénitos, además de otros riesgos reproductivos. Lávese las manos después de usar el producto.
Safety
vii
viii
BladeCenter Management Module: User’s Guide
at
at
©

Chapter 1. Introducing the BladeCenter management module

This Management Module User’s Guide contains information about configuring the management module and managing components installed in the IBM BladeCenter
unit.
®
ERserver
Your BladeCenter unit comes with one hot-swap management module in management-module bay 1. You can add an additional management module in management-module bay 2. Only one of these management modules can be active
one time, functioning as the primary management module; a second management module, if present, provides redundancy. The secondary management module remains inactive until it is switched to act as primary.
When two management modules are installed in the BladeCenter unit, both management modules must always have the same level of firmware, at a level that supports redundant management module function. This helps ensure a smooth changeover of control from the active management module to the redundant management module. The latest level of management-module firmware is available
the IBM Support Web site at http://www.ibm.com/pc/support/.
The management module functions as a service processor and a keyboard/video/mouse (KVM) multiplexor for all of the blade servers installed in the BladeCenter unit. It provides the following external connections: keyboard, mouse, and video, for use by a local console, and one RJ-45 connector for a 10/100 Mbps Ethernet remote management connection.
The service processor in the management module communicates with the service processor in each blade server to support features such as: blade server power-on requests, error and event reporting, KVM requests, and requests to use the BladeCenter shared media tray (diskette drive, CD-ROM drive, and USB port).
You configure BladeCenter components using the management module, setting information such as IP addresses. The management module communicates with all components installed in the BladeCenter unit, detecting their presence or absence, reporting their status, and sending alerts for error conditions when required.
Copyright IBM Corp. 2004
1
v
v
v
v
v
to
v
2

Management module controls and indicators

Active LED
Power-on LED
Management module error LED
OK
LINK
TX/RX
Ethernet link LED
Ethernet activity LED
IP reset button
IP
Management module LEDs: These LEDs provide status information about the
management module and remote management connection. For additional information, see the “Light path diagnostics” section in the Hardware Maintenance
Manual and Troubleshooting Guide on the IBM BladeCenter Documentation CD.
Power-on: When this green LED is lit, the management module has power. Active: When this green LED is lit, it indicates that this management module is
actively controlling the BladeCenter unit.
Note: Only one management module actively controls the BladeCenter unit. If
there are two management modules installed in the BladeCenter unit, this LED is lit on only one.
Management module error: When this amber LED is lit, it indicates that an
error has been detected somewhere on this management module. When this indicator is lit, the system error LED on each of the BladeCenter system LED panels is also lit.
Ethernet link: When this green LED is lit, there is an active connection through
the port to the network.
Ethernet activity: When this green LED is flashing, it indicates that there is
activity through the port over the network link.
Management
module IP reset button: Do not press this button unless you intend
erase your configured IP addresses for the management module and lose
connection with the remote management station, the I/O modules, and the blade servers. If you press this button, you will need to reconfigure the management module settings (see the information beginning with “Setting up the remote connection” on page 7 for instructions). Use a straightened paper clip to press the recessed button in one of the following sequences to reset management-module settings:
Press the IP reset button for 3 seconds or less; then, restart the management module to reset the IP configuration of the management module network interfaces (Ethernet 1, Ethernet 2, gateway address, and so forth) to the factory defaults.
BladeCenter Management Module: User’s Guide
v
v
v
v
v
Press the IP reset button for 5 seconds, release it for 5 seconds; then; press it
again for 10 seconds and restart the management module to reset all of the
management-module configuration fields to the factory defaults.

Management module input/output connectors

The management module has the following I/O connectors:
One video
One PS/2
One PS/2 mouse
One 10/100 Mbps Ethernet for remote management and console
The following illustration shows the I/O connectors on the management module.
Remote management and console (Ethernet)
®
keyboard
OK
LINK
TX/RX
Note: There is no internal connections between the input/output connectors on the

Video connector

Your BladeCenter management module contains one standard video connector. Use this connector to connect a compatible SVGA or VGA video monitor to the BladeCenter unit. Blade server integrated video controllers share the management-module video connector through the BladeCenter KVM interface.
Video
Mouse
Keyboard
management modules when two are installed in the BladeCenter unit. See the IBM BladeCenter Management Module Installation Guide for information about how to cable two management modules to support the redundant management module interface requirements of your installation.
5
1
1115
Chapter 1. Introducing the BladeCenter management module
3
4

Keyboard connector

Your BladeCenter management module contains one PS/2-style keyboard connector. Use this connector to connect a PS/2 keyboard to the BladeCenter unit. Blade servers share the management-module keyboard connector through the BladeCenter KVM interface.
6
4
2
5
3
1

Mouse connector

Your BladeCenter management module contains one PS/2-style mouse connector. Use this connector to connect a PS/2 mouse to the BladeCenter unit. Blade servers share the management-module mouse connector through the BladeCenter KVM interface.
6
4
2
5
3
1

Remote management and console Ethernet connector

Your BladeCenter management module contains one 10/100 Mb Ethernet connector that provides the remote connection to the network management station on the network. Use this port to establish connections with the remote management and remote console features of the BladeCenter unit.
The network management station, through this port, can access control functions running in the service processor on each blade server or within other components installed in the BladeCenter unit. The network management station cannot use this port to communicate with application programs running in the blade servers. The network management station must direct all application related communications through a network connected to the external ports of the I/O modules installed in the BladeCenter unit, which then interface with the blade servers and their application programs.
The following illustration shows the Ethernet connector that is on the management module.
8
1
BladeCenter Management Module: User’s Guide
v
v
v
v
©

Chapter 2. Configuring the management module and BladeCenter unit

Important: You configure only the primary (active) management module. The
secondary management module receives the configuration and status information automatically from the primary management module when necessary. The configuration information in this chapter applies to the primary management module, which might be the only management module installed in the BladeCenter unit.
When the BladeCenter unit is started initially, it automatically configures the remote management port on the active (primary) management module, so that you can configure and manage BladeCenter components. You configure and manage BladeCenter components remotely using the management-module Web interface or the management-module command-line interface.
Note: You can also configure the I/O modules directly through an external I/O
module port, using a Telnet interface or a Web browser. See the documentation that comes with each I/O module for information.
For the management module to communicate with the I/O modules in the BladeCenter unit, you will need to configure the IP addresses for the following internal and external ports:
The IP address for the external Ethernet (remote management) port on the
management module (see the information beginning on page 30 for instructions).
The initial automatic configuration of the management module enables the
network management station to connect to the management module to configure
the port completely and to configure the rest of the BladeCenter unit.
The IP address for the internal Ethernet port on the management module (see
the information beginning on page 30 for instructions) to support communication
with the I/O modules.
The IP address for the management port on each I/O module (see the
information beginning on page 25 for instructions) for communication with the
management module. You configure this port by configuring the IP address for
the I/O module.
Note: Some types of I/O modules, such as a pass-thru module, have no
management port.
communicate with the blade servers for functions such as deploying an operating
To system or application program, you also will need to configure at least one external (in-band) port on an Ethernet I/O module installed in I/O module bay 1 or 2. See the
Installation and User’s Guide for your BladeCenter unit for general information
about configuring the external ports on Ethernet I/O modules.
Copyright IBM Corp. 2004
Note: If a pass-thru module is installed in I/O-module bay 1 or 2 (instead of an
Ethernet I/O module), you will need to configure the network switch that the pass-thru module is connected to; see the documentation that comes with the network switch for instructions.
The management module supports the following Web browsers for remote access. The Web browser that you use must be Java™-enabled, must support JavaScript
1.2 or later, and must have the Java 1.4.1 Plug-In installed.
Microsoft
®
Internet Explorer 5.5 (with latest Service Pack installed), or later
5
v
1.
to
2.
v
v
v
v
v
v
v
v
v
v
v
6
v
Netscape Navigator 4.72, or later (version 6.x is not supported)
Mozilla version 1.3, or later
Notes:
For best results when using the Web browser, set the resolution on your monitor
800 x 600 pixels or higher and 256 colors.
The Web interface does not support the double-byte character set (DBCS) languages.
The Web-based user interface communicates with the management-module Web interface and management-module command-line interface, that are part of the firmware that comes with the management module, to perform tasks such as:
Defining the login IDs and passwords
Selecting recipients for alert notification of specific events
Monitoring the status of BladeCenter components
Controlling BladeCenter components, including the blade servers
Accessing the I/O modules to configure them
Changing the drive startup sequence for a blade server
Setting the date and time
Using a remote console for the blade servers
Changing ownership of the keyboard, video, and mouse
Changing ownership of the CD-ROM drive, diskette drive, and USB port
Activating On Demand blade servers
Note:
The IBM Director program is a system-management product that comes with the BladeCenter unit. To configure the remote alert recipients for IBM Director over LAN, the remote alert recipient must be an IBM Director-enabled server.
You also can use the management-module Web interface and management-module command-line interface to view some of the blade server configuration settings. See Chapter 3, “Using the management-module Web interface,” on page 11 and the IBM
Eserver BladeCenter Management-Module Command-Line Interface Reference
Guide for more information.
BladeCenter Management Module: User’s Guide
To
1.
2.
v
v

Setting up the remote connection

configure and manage BladeCenter components, you must first set up the
remote connection through the external Ethernet port on the management module.

Cabling the Ethernet port

Complete the following steps to connect the Ethernet cable to the management module:
Connect one end of a Category 5 or higher Ethernet cable to the remote management and console (Ethernet) connector on the management module. Connect the other end of the Ethernet cable to the network.
Check the Ethernet LEDs to ensure that the network connection is working.
When the green Ethernet link LED is lit, there is an active connection through the port to the network.
When the green Ethernet activity LED is flashing, it indicates that there is activity through the port over the network link.
following illustration shows the locations of the Ethernet LEDs.
The
OK
Ethernet link
LINK
TX/RX
Ethernet activity
IP
Chapter 2. Configuring the management module and BladeCenter unit
7
v If
v If
of
v If
v
8

Configuring the management module for remote access

After you connect the active management module to the network, the Ethernet port connection is configured in one of the following ways:
you have an accessible, active, and configured dynamic host configuration protocol (DHCP) server on the network, the host name, IP address, gateway address, subnet mask, and DNS server IP address are set automatically.
the DHCP server does not respond within 2 minutes after the port is connected, the management module uses the factory-defined static IP address and default subnet address.
Either
these actions enables the Ethernet connection on the active management
module.
Make sure your computer is on the same subnet as the management module; then, use your Web browser to connect to the management module (see “Starting the management-module Web interface” on page 12 for more information). In the browser Address field, specify the IP address the management module is using:
the IP address was assigned through a DHCP server, get the IP address from your network administrator.
The factory-defined static IP address is 192.168.70.125, the default subnet address is 255.255.255.0, and the default host name is MMxxxxxxxxxxxx, where
xxxxxxxxxxxx is the burned-in medium access control (MAC) address. The MAC
address is on a label on the management module, below the IP reset button.
OK
LINK
TX/RX
IP
Note: If the IP configuration is assigned by the DHCP server, the network
administrator can use the MAC address of the management module network interface to find out what IP address and host name are assigned.
BladeCenter Management Module: User’s Guide
MAC address
To
If
1.
a
2.
on

Communicating with the IBM Director software

The IBM Director program is a system-management product that comes with the BladeCenter unit. The IBM Director software communicates with the BladeCenter unit through the Ethernet port on the active management module.
Note: See the IBM Support Web site at http://www.ibm.com/pc/support/ for the
version of IBM Director software that you can use to manage redundant management modules.
communicate with the BladeCenter unit, the IBM Director software needs a managed object (in the Group Contents pane of the IBM Director Management Console main window) that represents the BladeCenter unit. If the BladeCenter management module IP address is known, the network administrator can create an IBM Director managed object for the unit. If the IP address is not known, the IBM Director software can automatically discover the BladeCenter unit (out-of-band, using the Ethernet port on the BladeCenter management module) and create a managed object for the unit.
For the IBM Director software to discover the BladeCenter unit, your network must initially provide connectivity from the IBM Director server to the BladeCenter management-module Ethernet port. To establish connectivity, the management module attempts to use DHCP to acquire its initial IP address for the Ethernet port.
the DHCP request fails, the management module uses the static IP address assigned to it. Therefore, the DHCP server (if used) must be on the management LAN for your BladeCenter unit.
Notes:
All management modules are preconfigured with the same static IP address. You can use the management module Web interface to assign a new static IP address for each BladeCenter unit. If DHCP is not used and you do not assign
new static IP address for each BladeCenter unit before attempting to communicate with the IBM Director software, only one BladeCenter unit at a time can be added onto the network for discovery. Adding multiple units to the network without a unique IP address assignment for each BladeCenter unit results in IP address conflicts.
For I/O module communication with the IBM Director server through the management module external Ethernet port, the I/O module internal network interface and the management module internal and external interfaces must be
the same subnet.
Chapter 2. Configuring the management module and BladeCenter unit
9
10
BladeCenter Management Module: User’s Guide
in
v
v
v
v
v
a
or
v v v v v v v v v
v v v v v v v v v
v v
v v v v v v v v v
v v v v v v v v v
v v v v v v v v v ©

Chapter 3. Using the management-module Web interface

This section provides instructions for using the management-module Web interface
the active (primary) management module. It has sections that describe:
Features of the management-module Web interface that can be accessed by users, based on their authority level (see “User authority”).
“Starting the management-module Web interface” on page 12.
Descriptions of the management-module Web interface screens (see “Management-module Web interface options” on page 14).
“Network and security configuration” on page 35.
Backup and restore of the management-module configuration (see “Using the configuration file” on page 54).

User authority

Some fields and selections in the management-module Web interface screens can only be changed or executed by users that are assigned a required level of authority for that window. Viewing information does not require any special command authority. Users with “Supervisor” command authority can change information and execute tasks in all windows.
The following table lists the management-module Web interface windows and the authority levels that are required to change information in these windows. The windows and authorities listed in this table only apply to changing the information in
window or executing a task specified in a window: viewing the information in a window does not require any special command authority. In the table, each row indicates the valid user command authorities that let a user change the information
execute a task in that window. For example, executing tasks in the Blade Tasks
Power/Restart window is available to users with the “Supervisor” authority or to
users with the “Blade and I/O Module Power/Restart Access” authority.
Table 1. User authority relationships
Window
System Status
Event Log (view)
Event Log (clear)
LEDs
Monitors
Hardware VPD
Firmware VPD
Authority required to change information or execute tasks
Supervisor
Blade Server Remote
Console Access
Blade Server Remote Console
and Virtual Media Access
Blade and I/O Module
Power/Restart Access
Ability to Clear Event Logs
Basic Configuration
(MM, I/O Modules, Blades)
Network and Security
Configuration
Advanced Configuration
(MM, I/O Modules, Blades)
User Account Management
Copyright IBM Corp. 2004
11
v v On
v v
v v v
v v
v v
v v v
v v v
v v
v v v
v v
v v v
v v v
v v v
v v v
v v v
v v v
v v v
v v
v v
v v
v v
1.
12
Table 1. User authority relationships (continued)
Authority required to change information or execute tasks
Window
Blade Tasks
Tasks
I/O Module
MM Control
Power/Restart
Demand
Remote Control (remote console)
Remote Control (virtual media)
Firmware Update
Configuration
Serial over LAN
Power/Restart
Management
Firmware Update
General Settings
Login Profiles
Alerts
Port Assignments
Network Interfaces
Network Protocols
Security
Configuration File
Firmware Update
Restore Defaults
Restart MM
Supervisor
Blade Server Remote
Console Access
Blade Server Remote Console
and Virtual Media Access
Blade and I/O Module
Power/Restart Access
Ability to Clear Event Logs
Basic Configuration
(MM, I/O Modules, Blades)
Network and Security
Configuration
Advanced Configuration
(MM, I/O Modules, Blades)
User Account Management

Starting the management-module Web interface

Complete the following steps to start the management-module Web interface program:
Open a Web browser. In the address or URL field, type the IP address or host name assigned for the management-module remote connection (see “Configuring the management module for remote access” on page 8 for more details).
BladeCenter Management Module: User’s Guide
2.
v
v
In
The Enter Network Password window opens.
Type your user name and password. If you are logging in to the management module for the first time, you can obtain your user name and password from your system administrator. All login attempts are documented in the event log.
Note: The initial factory-defined user ID and password for the management
module are:
User ID: USERID (all capital letters)
Password: PASSW0RD (note the zero, not O, in PASSW0RD)
Follow the instructions that appear on the screen. Be sure to set the timeout
3.
value you want for your Web session.
BladeCenter management-module Web interface window opens.
The
Note: The upper left corner of the management-module Web interface window
shows the location and identity of the active (primary) management module.
the following example, the primary management module is identified as
“SN#” and is installed in management-module bay1.
Chapter 3. Using the management-module Web interface
13
of
? )
of
v
14

Management-module Web interface options

From the management-module Web interface is a management and configuration program that lets you select the BladeCenter settings that you want to view or change.
The navigation pane (on the left side of the management-module Web interface window) contains navigational links that you use to manage your BladeCenter unit and check the status of the components (modules and blade servers). Descriptions
the links that are in the navigation pane are described in the sections that follow.
Online help is provided for the management-module Web interface. Click the help (
icon next to a section or choice to display additional information about this item.

Monitors

Use the choices in the Monitors section to view the status, settings, and other information for components in the BladeCenter unit.
System Status
Select the System Status choice to view the overall system status, a list of outstanding events that require immediate attention, and the overall status of each
the blade servers and other components installed in your BladeCenter unit.
Blade Servers:
Bay - The lowest-number bay the blade server occupies.
BladeCenter Management Module: User’s Guide
v
v
v
MT -
v
v
v
to
v
v
v
v
v IP
v
v
v
v
Status - An icon that indicates good, warning, or bad status for the blade server.
Click the icon for more detailed status information.
Name - The name of the blade server. Pwr - The power state (on or off) of the blade server. Owner - An indication of whether the blade server is the current owner of the
following BladeCenter resources:
KVM - Keyboard, video, and mouse.
The media tray containing the CD-ROM drive, diskette drive, and USB
port.
Network - An indication of which network interfaces are on the blade server and
v
the I/O expansion options. For example, an Onboard status of eth indicates that the blade server has integrated Ethernet controllers on the system board and a Card status of fibre indicates that the blade server has a Fibre Channel I/O expansion option installed.
WOL - An indication of whether the Wake on LAN
®
feature is currently enabled for the blade server. The Wake on LAN feature is enabled by default in blade server BIOS code and cannot be disabled. The BladeCenter management module provides a single point of control for the Wake on LAN feature, enabling the settings to be controlled for either the entire BladeCenter unit or a single blade server. Wake on LAN settings made in the management module override the settings in the blade server BIOS code.
Local Control - An indication of whether the following options are enabled:
Local power control
Local keyboard, video, and mouse switching
Local CD-ROM drive, diskette drive, and USB port switching
BSE - An indication of whether a SCSI expansion unit occupies the blade bay.
v
SCOD - An indication of whether the blade server is an On Demand blade server
with a Standby status. You cannot turn on an On Demand blade server until you activate it (Blade Tasks On Demand), which changes the status from Standby
Active.
Note: You must contact IBM within 14 calendar days after you activate an On
Demand blade server. See your Agreement for Standby Capacity on
Demand for additional information.
modules:
I/O
Bay - The number of the bay the I/O module occupies. Status - An icon that indicates good, warning, or bad status for the I/O module. Type - The type of I/O module in the bay, such as an Ethernet I/O module, Fibre
Channel I/O module, or pass-thru module.
MAC Address - The medium access control (MAC) address of the I/O module.
Note: Some types of I/O modules, such as a pass-thru module, have no MAC
address nor IP address.
Address - The IP address of the I/O module. Pwr - The power state (on or off) of the I/O module. Details - Text information about the status of the I/O module.
Management
module:
Bay - The number of the bay that the management module occupies.
Chapter 3. Using the management-module Web interface
15
v IP
v
v
v
v
v
v
v
16
v
Status - An icon that indicates good, warning, or critical status for the
management module. Click the icon for more detailed status information.
Address - The IP address of the remote management and console connection
(external Ethernet port) on the management module.
Primary - An indication of which management module is the primary, or active,
management module.
Power
Modules: Bay - The number of the bay that the power module occupies. Status - An icon that indicates good, warning, or critical status for the power
module.
Details - Text information about the status of the power module.
Blowers:
Bay - The number of the bay that the blower module occupies. Status - An icon that indicates good, warning, or critical status for the blower
module.
Speed - The current speed of the blower module, as a percentage of the
maximum revolutions per minute (RPMs). The blower speed varies with the thermal load. An entry of Offline indicates that the blower is not functioning.
panel: The temperature status for the front of the BladeCenter unit.
Front
Event Log
Select the Event Log choice to view entries that are currently stored in the management module event log. This log includes entries for events that are detected by the blade servers. The log displays the most recent entries first. Information about all remote access attempts is recorded in the event log, and the management module sends out the applicable alerts if configured to do so.
The maximum capacity of the event log is 750 entries. When the log is 75 percent full, the BladeCenter Information LEDs light. When the log is full, new entries overwrite the oldest entries, and the BladeCenter Error LEDs light. If you do not
BladeCenter Management Module: User’s Guide
v
want the management module to monitor the state of the event log, deselect the
Monitor log state events checkbox at the top of the event log page.
You can sort and filter entries in the event log. See the event log help for more information.
LEDs
Select the LEDs choice to view the state of the BladeCenter system LED panel and blade server control panel LEDs. You also can use this choice to turn off the information LED and turn on, turn off, or blink the location LED on the BladeCenter unit and the blade servers.
Front Panel LEDs - The state of the following LEDs on the BladeCenter system
LED panel. You can change the state of the information and location LEDs.
System error
Information
Over temperature
Location
Blade Server LEDs - The state of the following LEDs on the blade server control
v
panel. You can change the state of the information and location LEDs.
Power
Error
Information
Keyboard, video, and monitor select
Media (CD-ROM, diskette drive, USB port) select
Location
Chapter 3. Using the management-module Web interface
17
or
18
Hardware VPD
Select the Hardware VPD choice to view the hardware vital product data (VPD) for the BladeCenter unit. When the BladeCenter unit is started, the management module collects the vital product data and stores it in nonvolatile memory. The management module then modifies the stored VPD as components are added to or removed from the BladeCenter unit. You can also view the log of modules inserted
removed from the BladeCenter unit.
Firmware VPD
Select the Firmware VPD choice to view the vital product data (VPD) for the firmware in all blade servers, I/O modules, and management modules in the BladeCenter unit. The firmware VPD identifies the firmware type, build ID, release date, and revision number. The VPD for the firmware in the management modules also includes the file name of the firmware components. (Selecting the Firmware VPD choice takes up to 30 seconds to refresh and display information.)
BladeCenter Management Module: User’s Guide
v
v
v
v
v

Blade Tasks

Select the choices in the Blade Tasks section to view and change the settings or configurations of blade servers in the BladeCenter unit.
Power/Restart
Select Power/Restart choice to perform the following actions on any blade server in the BladeCenter unit.
Note: You cannot perform these actions on an On Demand blade server with a
Standby status (identified by an X in the SCOD column). To activate an On Demand blade server, see the instructions in the On Demand choice described in “On Demand” on page 20.
Turn on or turn off the selected blade server (set the power state on or off).
Enable or disable local power control. When local power control is enabled, a local user can turn on or turn off the blade server by pressing the power-control button on the blade server.
Enable or disable the Wake on LAN feature.
Restart the blade server or the service processor in the blade server.
See which blade servers are currently under the control of a remote console (identified by an X in the Console Redirect column).
Select the blade servers on which you want to perform an action; then, click the appropriate link below the table for the action you want to perform.
Chapter 3. Using the management-module Web interface
19
20
On Demand
Select the On Demand choice to activate an On Demand blade server with Standby status. You must activate an On Demand blade server with Standby status before you can turn it on. When you activate an On Demand blade server, its status changes from Standby to Active, making the blade server available for use.
Select the check boxes in the Select column for one or more On Demand blade servers that have a Standby status; then, click the Activate Standby Blade
Servers link to activate the selected blade servers. Blade servers with an On
Demand status of N/A are not On Demand blade servers.
Note: You must contact IBM within 14 calendar days after you activate an On
Demand blade server. See your Agreement for Standby Capacity on
Demand for additional information.
Remote Control
BladeCenter Management Module: User’s Guide
v
v
v
v
On
1.
Select the Remote Control choice to:
View and change the current owners of the keyboard, monitor, and mouse (KVM), and of the CD-ROM drive, diskette drive, and USB port (Media tray).
View the details of any remote control session currently active (user ID, client IP address, start time).
Disable local switching of the KVM and of the media tray for all blade servers until they are explicitly enabled again. This prevents a local user from switching the console display to a different blade server while you are performing remote control tasks.
Redirect a blade server console to the remote console.
the remote console, you can:
Change the owner of the KVM and of the media tray to the blade server you need to view.
Select and access the disk drives in the media tray.
Mount a disk drive or disk image, from the computer that is acting as the remote console, on to a blade server. The mounted disk drive or disk image will appear as a USB device attached to the blade server.
Access files at any available network location.
View the current blade server display.
Control the blade server as if you were at the local console, including restarting the blade server and viewing the POST process, with full keyboard and mouse control.
Remote console keyboard support includes all keys. Icons are provided for keys that might have a special meaning to the blade server. For example, to transmit Ctrl-Alt-Del to the blade server, you must click the Ctrl icon and then press the Alt and Del keys on the keyboard.
Notes:
Only one remote control session is allowed at a time. If a remote control session is already active, you can end the current session and start a new one.
Chapter 3. Using the management-module Web interface
21
3.
at
a.
22
2.
The timeout value for a remote control session is the same as the timeout value that you set for the management-module Web interface session when you logged in.
When you redirect a blade server Linux X Window System session console to the remote console, the ability of the remote console applet to accurately track the location of the mouse cursor depends on the configuration of the X Window system. Complete the following procedure to configure the X Window System for accurate mouse tracking. Type the commands through the remote console or
the keyboard attached to the BladeCenter unit. Note that these changes
require root privileges.
Enter the following commands:
init 3 (Switch to text mode if necessary) rmmod mousedev (Unload the mouse device driver)
Add the following statement to .xinitrc in the user’s home directory:
b.
xset m 1 1 (Turn off mouse acceleration)
c.
Add the following statement to /etc/modules.conf:
options mousedev xres=x yres=y (Notify the mouse device driver of the
video resolution) where x and y specify the video resolution
Enter the following commands:
d.
insmod mousedev (Reload the mouse device driver) init 5 (Return to GUI mode if necessary)
Firmware Update
Select the Firmware Update choice to update the service processor firmware on a blade server. Select the target blade server and the firmware file to use for the update; then, click Update. You can obtain the firmware files from the IBM Support Web site at http://www.ibm.com/pc/support/.
BladeCenter Management Module: User’s Guide
v
v
-
To
by
Configuration
Select the Configuration choice to:
Define a name for a blade server.
Enable or disable the following items on all blade servers in the BladeCenter unit:
Local power control
Local KVM control
Local media tray control
The Wake on LAN feature
View or define the startup (boot) sequence for one or more blade servers. The
v
startup sequence prioritizes the following boot-record sources for a blade server:
Hard disk drives (0 through 3). The selection of hard disk drives depends on the hard disk drives that are installed in your blade server.
CD-ROM
Diskette
Network
PXE - Attempt a PXE/DHCP network startup the next time the selected
blade server is turned on or restarted.
Note:
use the CD-ROM drive or diskette drive as a boot-record source for a blade server, the blade server must have been designated as the owner of the CD-ROM drive, diskette drive, and USB port. You set ownership either
pressing the CD/diskette/USB select button on the blade server or through the Remote Control choice described in “Remote Control” on page 20.
Chapter 3. Using the management-module Web interface
23
24
Serial Over LAN
Select the Serial Over LAN choice to view and change the global serial over LAN (SOL) settings used by all blade servers installed in the BladeCenter unit and to enable or disable SOL globally for the BladeCenter unit.
This choice also lets you monitor the SOL status for each blade server and lets you enable or disable SOL for each blade server, and globally for the BladeCenter unit. Enabling or disabling SOL globally does not effect the SOL session status for each blade server: SOL must be enabled both globally for the BladeCenter unit and individually for each blade server where you plan to start an SOL session. SOL is enabled globally and on the blade servers by default.
SOL sessions are started and run using the management module command-line interface. See the IBM Eserver BladeCenter Management Module Command-Line
Interface Reference Guide for information and instructions.
BladeCenter Management Module: User’s Guide
or
v
v

I/O Module Tasks

Select the choices in the I/O Module Tasks section to view and change the settings
Note: Some choices do not apply to, and are not available for, some types of I/O
Power/Restart
configuration on network-interface I/O modules in the BladeCenter unit.
modules such as pass-thru modules.
Select the Power/Restart choice to display the power status of the I/O modules and perform the following actions:
Turn on or turn off an I/O module
Reset an I/O module
Management
Select the Management choice to view or change the IP configuration of the I/O modules; ping an I/O module; return an I/O module to the default configuration;
Chapter 3. Using the management-module Web interface
25
v
v
v
v Up to 12
v
v
v
v
v
v
v
v
v
v
26
enable the I/O module ports, external management of I/O module ports, other I/O module settings; and start the configuration and management firmware that is in an I/O module.
Note: The initial factory-defined user ID and password for the I/O module firmware
are:
User ID: USERID (all capital letters)
Password: PASSW0RD (note the zero, not O, in PASSW0RD)
the Installation and User’s Guide for your BladeCenter unit for more information
See about basic I/O module configuration. See the documentation that comes with the I/O module for details about the configuration and management firmware for the I/O module. Documentation for some I/O modules is on the IBM BladeCenter
Documentation CD.
Firmware Update

MM Control

Select the Firmware Update choice to update the firmware in a I/O module. Select the target I/O module and the firmware file to use for the update; then, click Update. You can obtain the firmware files from the IBM Support Web site at http://www.ibm.com/pc/support/.
Select the choices in the MM Control section to view and change the settings or configuration on the management module that you are logged in to (the primary management module) through this management-module Web interface session. If your BladeCenter unit has redundant management modules, the configuration settings of the primary management module are automatically transferred to the secondary management module.
Management module configuration includes the following items:
The name of the management module
login profiles for logging in to the management module
Ports used by the management module How alerts are handled The management module Ethernet connections for remote console and for communicating with the I/O modules Settings for the SNMP, DNS, SMTP, and LDAP protocols Settings for secure socket layer (SSL) and secure shell (SSH) security
This also includes performing the following tasks:
Backing up and restoring the management-module configuration Updating the management-module firmware Restoring the default configuration Restarting the management module Switching from the current active management module to the redundant management module
BladeCenter Management Module: User’s Guide
v
v
v
v
v
v
v
General Settings
Select the General Settings choice to view or change the following settings:
The name of the management module
The name of the contact person responsible for the management module
The physical location of the management module
The real-time clock settings in the management module
Some of the General Settings are used during SNMP and SMTP configuration. See “Configuring SNMP” on page 35 and “Configuring SMTP” on page 37 for additional information.
Login Profiles
Select the Login Profiles choice to configure up to 12 login profiles for logging in to the management module; and to specify the following global login settings:
User authentication method (local, LDAP, or both)
How to process users that login using a modem
Lockout period after five unsuccessful login attempts
Chapter 3. Using the management-module Web interface
27
v
v
v
to
28
For each user profile, specify the following values:
Login ID
Authority level (default is Read Only)
Password (requires confirmation)
Several authority levels are available, each giving a user write and execute access
different areas of management-module function. Multiple authority levels can be assigned to each user. Users with Supervisor authority have write and execute access to all management-module functions. Users with Read-Only authority can access all management module functions for viewing only.
Attention: If you change the default login profile on your management module, be
sure to keep a record of your login ID and password in a safe place. If you forget the management-module login ID and password, you must replace the management module.
Click on View Configuration Summary to display the configuration settings for all BladeCenter users and components.
BladeCenter Management Module: User’s Guide
80
23
Alerts
Select the Alerts choice to specify which alerts (from lists of Critical, Warning, and
System alerts) are monitored, which alert notifications are sent to whom, how alert
notifications are sent (SNMP, e-mail, IBM Director), whether to include the event log
with the notification, and other alert parameters.
Note: The IBM Director program is a system-management product that comes with
the BladeCenter unit. To configure the remote alert recipients for IBM Director over LAN, the remote alert recipient must be an IBM Director-enabled server.
Port Assignments
Select the Port Assignments choice to configure some of the ports used by the
management module. Management-module ports that can be configured on the Port
Assignments screen are listed in Table 2.
Table 2. User configurable management-module ports
Default port
Port name
HTTP
HTTPS
Telnet
number
443
Description
Port used for Web server HTTP connection using UDP
Port used for SSL connection using TCP
Port used for the Telnet command-line interface connection
Chapter 3. Using the management-module Web interface
29
22
25
53
68
30
Table 2. User configurable management-module ports (continued)
Default port
Port name
SSH
SNMP Agent
SNMP Traps
number
161
162
Description
Port used for the Secure Shell (SSH) command-line interface connection
Port used for SNMP get/set commands using UDP
Port used for SNMP traps using UDP
Other ports used by the management module are listed in Table 3. These ports are fixed and can not be modified by the user.
Table 3. Fixed management-module ports
Port number (fixed) Description
Port used for TCP e-mail alerts
Port used for the UDP Domain Name Server (DNS) resolver
Port used for DHCP client connection using UDP
427
1044
1045
5900
6090
13991
Port used for the UDP Service Location Protocol (SLP) connection
Port used for remote disk function
Port used for persistent remote disk (disk on card).
Port used for the TCP VNC server applet
Port used for IBM Director commands using TCP/IP
Port used for IBM Director alerts using UDP
Click on View Configuration Summary to display the configuration settings for all BladeCenter users and components.
Network Interfaces
BladeCenter Management Module: User’s Guide
1.
If
IP
v
v
v
2.
-
-
-
is
- IP
-
-
Select the Network Interfaces choice to configure the two management-module
Ethernet interfaces: external (remote management and console), and internal
(communication with the I/O modules). You can also select this choice to view the
TCP log.
Notes:
When you use the management module Web interface to update an I/O module configuration, the management module firmware writes its settings for the I/O module only to the management module NVRAM; it does not write its settings for the I/O module to the I/O module NVRAM.
the I/O module restarts when the management module is not able to apply the
address it has in NVRAM for the I/O module, the I/O module will use whatever IP address it has in its own NVRAM. If the two IP addresses are not the same, you might not be able to manage the I/O module any more. The management module cannot apply the I/O module IP address from its NVRAM if:
The management module is restarting
The management module has failed
The management module has been removed from the chassis
You must use the Telnet interface to log into the I/O module, change the IP address to match the one you assigned through the management module, and then save the I/O module settings in the Telnet session (Basic Setup Save Changes).
For I/O module communication with a remote management station, such as the IBM Director server, through the management module external Ethernet port, the I/O module internal network interface and the management module internal and external interfaces must be on the same subnet.
External Network Interface (eth0) - This is the interface for the remote
v
management and console port.
Note: If you plan to use redundant management modules and want both to use
the same external IP address, disable DHCP and configure and use the static IP address. (The IP configuration information will be transferred to the redundant management module automatically when needed.)
Interface - The status (Enabled or Disabled) of the Ethernet connection. The
default is Enabled.
DHCP - Select one of the following choices:
Try DHCP server. If it fails, use static IP config. (this is the default). Enabled - Obtain IP config. from DHCP server Disabled - Use static IP configuration
Hostname - (Optional) This is the IP host name you want to use for the
management module (maximum of 63 characters).
Static IP configuration - You need to configure this information only if DHCP
disabled.
address - The IP address for the management module. The IP address
must contain four integers from 0 to 255, separated by periods, with no spaces or consecutive periods. The default setting is 192.168.70.125.
Subnet mask - The subnet mask must contain four integers from 0 to 255,
separated by periods, with no spaces. The default setting is 255.255.255.0
Gateway address - The IP address for your network gateway router. The
gateway address must contain four integers from 0 to 255, separated by periods, with no spaces.
Chapter 3. Using the management-module Web interface
31
be
32
v
Internal Network Interface (eth1) - This interface communicates with the
network-interface I/O modules, such as an Ethernet I/O module or the Fibre Channel I/O module.
Specify the IP address to use for this interface. The subnet mask must be the same as the subnet mask in the external network interface (eth0).
View the data rate, duplex mode, maximum transmission unit (MTU), locally-administered MAC address, and burned-in MAC address for this interface. You can configure the locally-administered MAC address; the other fields are read-only.
v
TCP log - Select this choice to view entries that are currently stored in the
management module TCP log. This log contains error and warning messages generated by the TCP/IP code running on the management module, and might
used by your service representative for advanced troubleshooting. The log
displays the most recent entries first.
You can sort and filter entries in the event log.
Click on View Configuration Summary to display the configuration settings for all BladeCenter users and components.
Network Protocols
Select the Network Protocols choice to view or change the settings for the SNMP, DNS, SMTP, and LDAP protocols.
Click on View Configuration Summary to display the configuration settings for all BladeCenter users and components.
Some of the Network Protocol settings are used during SNMP, SMTP, and LDAP configuration. See “Configuring SNMP” on page 35, “Configuring SMTP” on page 37, and “Configuring LDAP” on page 38 for additional information.
BladeCenter Management Module: User’s Guide
Security
Select the Security choice to view or change the secure socket layer (SSL) settings for the Web server and LDAP client, and view or change the Web server secure shell (SSH) settings. You can enable or disable (the default) SSL, and choose between self-signed certificates and certificates provided by a certificate authority (CA). You can also enable or disable (the default) SSH, and generate and manage the SSH server key.
Some of the Security settings are used during SSL, LDAP, and SSH configuration. See “Secure Web server and secure LDAP” on page 42 and “Configuring the secure shell server” on page 52 for additional information.
Chapter 3. Using the management-module Web interface
33
a
be
34
Configuration File
Select the Configuration File choice to back up or restore the management-module configuration file. See “Using the configuration file” on page 54 for instructions.
Firmware Update
Select the Firmware Update choice to update the management-module firmware; if
second management module is installed, the firmware update will automatically
applied to both management modules. Click Browse to locate the firmware file
you want; then, click Update.
Management-module firmware is in several separate files that are installed independently; you must install all of the firmware update files. You can obtain the firmware files from the IBM Support Web site at http://www.ibm.com/pc/support/.
Restore Defaults
Select the Restore Defaults choice to restore the factory default configuration of the management module.
BladeCenter Management Module: User’s Guide
v
v
v
v
on
1.
2. In
Restart MM
Select the Restart MM choice to restart (reset) the management module. If a second management module is present, select this choice to change to the redundant management module.

Network and security configuration

The following sections describe how to configure management module networking and security parameters for:
SNMP and DNS (see “Configuring SNMP”)
SMTP (see “Configuring SMTP” on page 37)
SSL and LDAP (see “Configuring LDAP” on page 38)
SSH (see “Configuring the secure shell server” on page 52)

Configuring SNMP

You can query the SNMP agent to collect the sysgroup information and to send configured SNMP alerts to the configured host names or IP addresses.
Note: If you plan to configure Simple Network Management Protocol (SNMP) traps
the management module, you must install and compile the management information base (MIB) on your SNMP manager. The MIB supports SNMP traps. The MIB is included in the management-module firmware update package that you downloaded from the IBM Support Web site.
Complete the following steps to configure your SNMP:
Log in to the management module where you want to configure SNMP. For more information, see “Starting the management-module Web interface” on page 12
the navigation pane, click MM Control General Settings. In the management-module information page that opens, specify the following information:
Chapter 3. Using the management-module Web interface
35
v
v
3.
4. In
5.
v
v
v At
v At
6.
v
v IP
If
36
v
Management module name - The name that you want to use to identify the
management module. The name will be included with e-mail and SNMP alert notifications to identify the source of the alert.
System contact - The name and phone number of the person to contact if
there is a problem with the BladeCenter unit.
System location - Sufficient detail to quickly locate the BladeCenter unit for
maintenance or other purposes.
Scroll to the bottom of the page and click Save.
the navigation pane, click MM Control Network Protocols; then, click the
Simple Network Management Protocol (SNMP) link. A page similar to the
one in the following illustration is displayed.
Select Enabled in the SNMP agent and SNMP traps fields to forward alerts to SNMP communities on your network. To enable the SNMP agent, the following criteria must be met:
System contacts must be specified on the General Settings page.
The system location must be specified on the General Settings page.
least one community name must be specified.
least one valid IP address or host name (if DNS is enabled) must be
specified for that community.
Note:
Alert recipients whose notification method is SNMP will not receive alerts unless both the SNMP agent and the SNMP traps are enabled.
Set up a community to define the administrative relationship between SNMP agents and SNMP managers. You must define at least one community. Each community definition consists of the following parameters:
Name
address
either of these parameters is not correct, SNMP management access is not
granted.
BladeCenter Management Module: User’s Guide
7. In
8. In
IP
9. If a
If a
If a
If
IP
In
1.
2. In
to
Note: If an error message window opens, make the necessary adjustments to
the fields listed in the error window. Then, scroll to the bottom of the page and click Save to save your corrected information. You must configure at least one community to enable this SNMP agent.
the Community Name field, enter a name or authentication string to specify the community.
the corresponding Host Name or IP Address field, enter the host name or
addresses of each community manager.
DNS server is not available on your network, scroll to the bottom of the
page and click Save.
10.
DNS server is available on your network, scroll to the Domain Name
System (DNS) section. A page similar to the one in the following illustration is
displayed.
11.
12.
13.
14.

Configuring SMTP

Complete the following steps to specify the IP address or host name of the Simple Mail Transfer Protocol (SMTP) server.
Note: If you plan to set up an SMTP server for e-mail alert notifications, be sure
DNS server (or servers) is available on your network, select Enabled in the DNS field. The DNS field specifies whether you use a DNS server on your network to translate host names into IP addresses.
you enabled DNS, in the DNS server IP address fields, you can specify the
addresses of up to three DNS servers on your network. Each IP address
should contain integers from 0 through 255, separated by periods.
Scroll to the bottom of the page and click Save.
the navigation pane, click MM Control Restart MM to activate the
changes.
that the name in the Name field in the MM Information section of the MM Control General Settings window is valid as part of an e-mail address (for example, there are no spaces).
Log in to the management module where you want to configure SMTP. For more information, see “Starting the management-module Web interface” on page 12.
the navigation pane, click MM Control Network Protocols and scroll down the Simple Mail Transfer Protocol (SMTP) section.
Chapter 3. Using the management-module Web interface
37
In
4.
1.
2. In
3.
is
38
3.

Configuring LDAP

Using a Lightweight Directory Access Protocol (LDAP) server, a management module can authenticate a user by querying or searching an LDAP directory on an LDAP server, instead of going through its local user database. Then, all LDAP clients (BladeCenter management modules or server remote supervisor adapters) can remotely authenticate any user access through a central LDAP server. This requires LDAP client support on the management module. You can also assign authority levels based on information found on the LDAP server.
You can also use LDAP to assign users and management modules to groups, and perform group authentication, in addition to the normal user (password check) authentication. For example, a management module can be associated with one or more groups, and a user would only pass group authentication if he belongs to at least one group associated with the management module.
the SMTP Server Host Name or IP Address field, type the host name of the SMTP server. Use this field to specify the IP address or, if DNS is enabled and configured, the host name of the SMTP server.
Scroll to the bottom of the page and click Save.
Setting up a client to use the LDAP server
Complete the following steps to set up a client to use the LDAP server:
Log in to the management module where you want to set up the client. For more information, see “Starting the management-module Web interface” on page 12.
the navigation pane, click MM Control Network Protocols. Scroll down to the Lightweight Directory Access Protocol (LDAP) Client section. A page similar to the one in the following illustration is displayed.
Configure the LDAP client using the following information:
LDAP Server
The management module contains a Version 2.0 LDAP client that you can configure to provide authentication through a centrally located LDAP server. You can configure up to three LDAP servers. The port number for each server is optional. If left blank, the default value of 389
used for non-secured LDAP connections. For secured connections,
the default is 636. You must configure at least one LDAP server.
BladeCenter Management Module: User’s Guide
As
is
is
be
be
Root DN
The distinguished name for the root entry of the directory tree on the LDAP server. An example might look like dn=companyABC,dn=com.
User Search Base DN
part of the user authentication process, it is necessary to search the LDAP server for one or more attributes associated with a particular user. Any search request must specify the base distinguished name for the actual search. The User Search Base DN field specifies the base distinguished name that is used to search the user directory. An example might look like cn=Users,dn=companyABC,dn=com. If this field
left blank, the root distinguished name is used as the search base.
User searches are part of the authentication process. They are carried out to retrieve information about the user such as login permissions, callback number, and group memberships. For Version 2.0 LDAP clients, be sure to configure this parameter; otherwise, a search using the root distinguished name might not succeed (as seen on Microsoft Windows
®
Server 2003 Active Directory servers).
ASM Group Filter
This parameter is used for group authentication. It specifies the set of groups to which this particular management module belongs. If left blank, group authentication is disabled. Otherwise, group authentication
performed against this filter. The filter specified can be a specific group name (for example, RSAWest), a wildcard with a prefix (for example, RSA*), or a wildcard (specified as *). If a specific name is used, this management module belongs only to this group. If a prefix filter is used (for example, RSA*), this management module belongs to any group whose first three letters are RSA. If a wildcard filter ( * ) is used, then this management module belongs to all groups. The default filter is RSA*.
Group authentication is performed after user authentication (where a user ID and password are verified). Group authentication refers to the process of verifying that a user is a member of at least one group associated with this management module. For example, assume the group filter is set to RSA*. If the user belongs to two groups, for example, Engineering and RSAWest, group authentication passes because the user belongs to a group (RSAWest) that matches the filter RSA*. If the groups to which the user belong do not match the filter, group authentication fails and the user is not allowed to access the management module. Note that if the group filter is *, then group authentication will automatically succeed because any group to which the user belongs will match this wildcard.
Binding Method
For initial binds to the LDAP server during user authentication, choose from the following options:
Anonymous authentication. A bind attempt is made without a client distinguished name or password. If the bind is successful, a search will
requested to find an entry on the LDAP server for the user
attempting to log in. If an entry is found, a second attempt to bind will
attempted, this time with the distinguished name and password of the user. If this succeeds, the user has passed the user authentication phase. Group authentication is then attempted if it is enabled.
Chapter 3. Using the management-module Web interface
39
1. In
2.
3.
1. In
2.
40
Client authentication. A bind attempt is made with the client distinguished name and password specified by this configuration parameter. If the bind is successful, the user authentication phase proceeds as in Anonymous authentication.
User Principal Name. A bind attempt is made directly with the credentials used during the login process. If this succeeds, the user has passed the user authentication phase. The user principal name usually refers to a fully qualified name, such as johndoe@abc.com. However, johndoe would also be acceptable.
Strict User Principal Name. This is similar to the user principal name, except that a fully qualified name must be entered by the user. That is, johndoe@abc.com would be acceptable, but not johndoe. The name entered by the user will be parsed for the @ symbol.
Configuring the LDAP client authentication
Complete the following steps to configure the LDAP client authentication:
the navigation pane, click MM Control Network Protocols.
Scroll down to the Lightweight Directory Access Protocol (LDAP) Client section and click Set DN and password for Client Authentication. A page similar to the one in the following illustration is displayed.
The initial bind to the LDAP server during user authentication can be performed with anonymous authentication, client-based authentication, or user principle name. To use client-based authentication, in the Client DN field, type a client distinguished name. Type a password in the Password field or leave it blank.
Configuring the LDAP search attributes
Complete the following steps to configure the LDAP search attributes:
the navigation pane, click MM Control Network Protocols.
Scroll down to the Lightweight Directory Access Protocol (LDAP) Client section and click Set search attribute names for LDAP based authentication. A page similar to the one in the following illustration is displayed.
BladeCenter Management Module: User’s Guide
To
is
If
If
v It
3.
UID
configure the search attributes, use the following information.
Search Attribute
When the binding method selected is Anonymous authentication or Client authentication, the initial bind to the LDAP server is followed by a search request directed at retrieving specific information about the user, including the distinguished name, login permissions, and group ownerships of the user. To retrieve this information, the search request must specify the attribute name used to represent user IDs on that server. Specifically, this name is used as a search filter against the login ID entered by the user. This attribute name is configured here. If this field is left blank, a default of UID is used during user authentication. For example, on Active Directory servers, the attribute name used for user IDs is often sAMAccoutName.
When the binding method selected is User principal name or Strict user principal name, the UID Search Attribute field defaults automatically to userPrincipalName during user authentication if the user ID entered has the form userid@somedomain.
Group Search Attribute
When the Group Filter name is configured, it is necessary to retrieve from the LDAP server the list of groups to which a particular user belongs. This
required to perform group authentication. To retrieve this list, the search filter sent to the server must specify the attribute name associated with groups. This field specifies this attribute name.
this field is left blank, the attribute name in the filter will default to
memberOf.
Login Permission Attribute
When a user is successfully authenticated using an LDAP server, the login permissions for this user must be retrieved. To retrieve these permissions, the search filter sent to the server must specify the attribute name associated with login permissions. This field specifies this attribute name.
this field is left blank, the user is assigned a default of read-only permissions, assuming user and group authentication passes. When successfully retrieved, the attribute value returned by the LDAP server is interpreted according to the following information:
must be a bit string entered as 12 consecutive zeros or ones, with each bit representing a particular set of functions. For example: 010000000000 or 000011001000. The bits are numbered according to their position. The leftmost bit is bit position 0, and the rightmost bit is bit position 11. A value of 1 at a particular position enables that particular function. A value of 0 disables that function. There are 12 available bits, which are described in the following list:
Deny Always (bit position 0): If set, a user will always fail authentication. This function can be used to block a particular user or users associated with a particular group.
Supervisor Access (bit position 1): If set, a user is given administrator privileges. The user has read and write access to every function. When this bit is set, the other bits below do not have to be set individually.
Read Only Access (bit position 2): If set, a user has read-only access and cannot perform any maintenance procedures (for example, restart, remote actions, and firmware updates), and nothing can be modified (using the save, clear, or restore functions). Note that
Chapter 3. Using the management-module Web interface
41
a
If
v
on
42
read-only and all other bits are mutually exclusive, with read-only having the lowest precedence. That is, if any other bit is set, this bit will be ignored.
Networking and Security (bit position 3): If set, a user can modify the settings in the Security, Network Protocols, and Network Interface pages for MM Control. If set, a user can also modify the settings in the Management page for I/O Module Tasks.
User Account Management (bit position 4): If set, a user can add, modify, and delete users and change the Global Login Settings in the Login Profiles page.
Blade server Remote Console Access (bit position 5): If set, a user can access the remote server console.
Blade server Remote Console and Virtual Media Access (bit position
6): If set, a user can access the remote server console and the virtual media functions for the remote server.
Blade and I/O Module Power/Restart Access (bit position 7): If set, a user can access the power on and restart functions for the remote blades servers and I/O Modules. These functions are available in the Power/Restart pages.
Basic Configuration (MM, I/O Modules, Blades) (bit position 8): If set,
user can modify the General Settings and Alerts pages for MM
Control, and the Configuration page for Blade Tasks.
Ability to Clear Event Logs (bit position 9): If set, a user can clear the event logs. Everyone can look at the event logs, but this particular permission is required to clear the logs.
Advanced Configuration (MM, I/O Modules, Blades (bit position 10): If set, a user has no restrictions when configuring the management module, blade servers, I/O Modules, and VPD. This user can also perform firmware upgrades on the management module or blade servers, restore the management module to its factory default settings, modify and restore the management-module configuration from a configuration file, and restart or reset the management module.
Reserved (bit position 11): Reserved for future use.
v
none of the bits are set, the default will be set to read-only for the user.
Priority is given to login permissions retrieved directly from the user record. If the user does not have the login permission attribute in its record, an attempt will be made to retrieve the permissions from the groups to which the user belongs. This is done as part of the group authentication phase. The user will be assigned the inclusive OR of all the bits for all of the groups. The Browser Only bit will be set only if all the other bits are zero. If the Deny Always bit is set for any of the groups, the user will be refused access. The Deny Always bit always has precedence over every other bit.

Secure Web server and secure LDAP

Secure Sockets Layer (SSL) is a security protocol that provides communication privacy. SSL enables applications to communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery.
You can configure the management module to use SSL support for two types of connections: secure Web server (HTTPS) and secure LDAP connection (LDAPS). The management module takes on the role of SSL client or SSL server depending
the type of connection. The following table shows that the management module
BladeCenter Management Module: User’s Guide
An
on
1.
a.
b.
c.
a.
b.
c.
d.
acts as an SSL server for secure Web server connections. The management module acts as an SSL client for secure LDAP connections.
Table 4. Management module SSL connection support
Connection type SSL client
Secure Web server (HTTPS)
Secure LDAP
Web browser of the user (For example: Microsoft Internet Explorer)
Management-module LDAP client
SSL server
Management-module Web server
LDAP server connection (LDAPS)
You can view or change the Secure Sockets Layer (SSL) settings from the MM Control Security page. You can enable or disable SSL and manage the certificates required for SSL.
Configuring security
Use the general procedure in this section to configure security for the management module Web server and to configure security for the connection between the management module and an LDAP server. If you are not familiar with the use of SSL certificates, read the information in “SSL certificate overview” on page 44.
The content of the Security Web page is context-sensitive. The selections available
the page change when certificates or certificate signing requests are generated, when certificates are imported or removed, and when SSL is enabled or disabled for the client or the server.
Use the following general tasks list to configure the security for the management module:
Configure the Secure Web server:
Disable the SSL server. Use the SSL Server Configuration for Web
Server section on the MM Control Security page.
Generate or import a certificate. Use the SSL Server Certificate
Management section on the MM Control Security page. (See “SSL server
certificate management” on page 44.)
Enable the SSL server. Use the SSL Server Configuration for Web Server section on the MM Control Security page. (See “Enabling SSL for the secure Web server” on page 50.)
Configure SSL security for LDAP connections:
2.
Disable the SSL client. Use the SSL Client Configuration for LDAP Client section on the MM Control Security page.
Generate or import a certificate. Use the SSL Client Certificate
Management section on the MM Control Security page. (See “SSL client
certificate management” on page 50.)
Import one or more trusted certificates. Use the SSL Client Trusted
Certificate Management section on the MM Control Security page. (See
“SSL client trusted certificate management” on page 50.)
Enable the SSL client. Use the SSL Client Configuration for LDAP Client section on the MM Control Security page. (See “Enabling SSL for the LDAP client” on page 52.)
Restart the management module for SSL server configuration changes to take
3.
effect. For more information, see “Restart MM” on page 35.
Chapter 3. Using the management-module Web interface
43
to
on
44
Note: Changes to the SSL client configuration take effect immediately and do
not require a restart of the management module.
SSL certificate overview
You can use SSL with either a self-signed certificate or with a certificate signed by a third-party certificate authority. Using a self-signed certificate is the simplest method for using SSL, but it does create a small security risk. The risk arises because the SSL client has no way of validating the identity of the SSL server for the first connection attempted between the client and server. It is possible that a third party could impersonate the server and intercept data flowing between the management module and the Web browser. If at the time of the initial connection between the browser and the management module, the self-signed certificate is imported into the certificate store of the browser, all future communications will be secure for that browser (assuming the initial connection was not compromised by an attack).
For more complete security, you can use a certificate signed by a certificate authority. To obtain a signed certificate, use the SSL Certificate Management page
generate a certificate signing request. You must then send the certificate signing
request to a certificate authority and make arrangements to procure a certificate. When the certificate is received, it is then imported into the management module using the Import a Signed Certificate link, and you can enable SSL.
The function of the certificate authority is to verify the identity of the management module. A certificate contains digital signatures for the certificate authority and the management module. If a well-known certificate authority issues the certificate or if the certificate of the certificate authority has already been imported into the Web browser, the browser will be able to validate the certificate and positively identify the management-module Web server.
The management module requires a certificate for the secure Web server and one for the secure LDAP client. Also, the secure LDAP client requires one or more trusted certificates. The trusted certificate is used by the secure LDAP client to positively identify the LDAP server. The trusted certificate is the certificate of the certificate authority that signed the certificate of the LDAP server. If the LDAP server uses self-signed certificates, the trusted certificate can be the certificate of the LDAP server itself. Additional trusted certificates can be imported if more than one LDAP server is used in your configuration.
SSL server certificate management
The SSL server requires that a valid certificate and corresponding private encryption key is installed before SSL is enabled. There are two methods available for generating the private key and required certificate: using a self-signed certificate and using a certificate signed by a certificate authority. If you want to use a self-signed certificate for the SSL server, see “Generating a self-signed certificate”
page 45. If you want to use a certificate authority signed certificate for the SSL
server, see “Generating a certificate signing request” on page 46.
BladeCenter Management Module: User’s Guide
1. In
in
2. In
3. In
4.
Generating a self-signed certificate:
Complete the following steps to generate a
new private encryption key and self-signed certificate:
the navigation plane, click MM Control Security. A page similar to the one
the following illustration is displayed.
the SSL Server Configuration for Web Server section, make sure that the SSL server is disabled. If it is not disabled, select Disabled in the SSL Server field and then click Save.
the SSL Server Certificate Management section, select Generate a New Key and a Self-signed Certificate. A page similar to the one in the following illustration is displayed.
Type the information in the required fields and any optional fields that apply to your configuration. For a description of the fields, see “Required certificate data”
Chapter 3. Using the management-module Web interface
45
A
1. In
2. In
3. In
4.
46
on page 46. After you finish typing the information, click Generate Certificate. Your new encryption keys and certificate are generated. This process might take several minutes.
page similar to the one in the following illustration is displayed and you can
see that a self-signed certificate is installed.
Generating a certificate signing request:
Complete the following steps to
generate a new private encryption key and certificate signing request:
the navigation pane, click MM Control Security.
the SSL Server Configuration for Web Server section, make sure that the SSL server is disabled. If it is not disabled, select Disabled in the SSL Server field and then click Save.
the SSL Server Certificate Management section, select Generate a New Key and a Certificate Signing Request. A page similar to the one in the following illustration is displayed.
Type the information in the required fields and any optional fields that apply to your configuration. The fields are the same as the self-signed certificate with some additions.
Read the information in the following sections for a description of each of the common fields.
Required certificate data
The following user-input fields are required for generating a self-signed certificate or a certificate signing request.
BladeCenter Management Module: User’s Guide
MM
Country
Use this field to indicate the country where the management module physically resides. This field must contain the 2-character country code.
State or Province
Use this field to indicate the state or province where the management module physically resides. This field can contain a maximum of 30 characters.
City or Locality
Use this field to indicate the city or locality where the management module physically resides. This field can contain a maximum of 50 characters.
Organization Name
Use this field to indicate the company or organization that owns the management module. When this is used to generate a certificate signing request, the issuing certificate authority can verify that the organization requesting the certificate is legally entitled to claim ownership of the given company or organization name. This field can contain a maximum of 60 characters.
Host Name
Use this field to indicate the management module host name that currently appears in the browser Web address bar.
Make sure that the value you typed in the MM host name field exactly matches the host name as it is known by the Web browser. The browser compares the host name in the resolved Web address to the name that appears in the certificate. To prevent certificate warnings from the browser, the value used in this field must match the host name used by the browser to connect to the management module. For example, if the Web address bar in the browser currently is http://mm11.xyz.com/private/main.ssi, the value used for the MM Host
Name field must be mm11.xyz.com. If the Web address is
http://mm11/private/main.ssi, the value used must be mm11. If the Web address is http://192.168.70.2/private/main.ssi, the value used will be
192.168.70.2.
This certificate attribute is generally referred to as the common name.
This field can contain a maximum of 60 characters.
Contact Person
Use this field to indicate the name of a contact person responsible for the management module. This field can contain a maximum of 60 characters.
Email Address
Use this field to indicate the e-mail address of a contact person responsible for the management module. This field can contain a maximum of 60 characters.
Optional
certificate data
The following user-input fields are optional for generating a self-signed
certificate or a certificate signing request.
Chapter 3. Using the management-module Web interface
47
of 60
a
a
DN
5.
6.
as
48
Organizational Unit
Use this field to indicate the unit within the company or organization that owns the management module. This field can contain a maximum
characters.
Surname
Use this field for additional information, such as the surname of a person responsible for the management module. This field can contain
maximum of 60 characters
Given Name
Use this field for additional information, such as the given name of a person responsible for the management module. This field can contain
maximum of 60 characters.
Initials
Use this field for additional information, such as the initials of a person responsible for the management module. This field can contain a maximum of 20 characters.
Qualifier
Use this field for additional information, such as a distinguished name qualifier for the management module. This field can contain a maximum of 60 characters.
Certificate
signing request attributes
The following fields are optional unless they are required by your selected certificate authority.
Challenge Password
Use this field to assign a password to the certificate signing request. This field can contain a maximum of 30 characters.
Unstructured Name
Use this field for additional information, such as an unstructured name assigned to the management module. This field can contain a maximum of 60 characters.
After completing the information, click Generate CSR. The new encryption keys and certificate are generated. This process might take several minutes. A page similar to the one in the following illustration is displayed when the process is completed.
Click Download CSR and then click Save to save the file to your workstation. The file produced when you create a certificate signing request is in DER format. If your certificate authority expects the data in some other format, such
PEM, the file can be converted using a third-party tool such as OpenSSL (http://www.openssl.org). If the certificate authority asks you to copy the contents of the certificate signing request file into a Web browser window, PEM format is usually expected.
The command for converting a certificate signing request from DER to PEM format using OpenSSL is similar to the following:
openssl req -in csr.der -inform DER -out csr.pem -outform PEM
BladeCenter Management Module: User’s Guide
an
Go to
8. In
9.
7.
Send the certificate signing request to your certificate authority. When the certificate authority returns your signed certificate it might be necessary to convert the certificate to DER format. (If you received the certificate as text in
e-mail or a Web page, it is probably in PEM format.) You can change the format using a tool provided by your certificate authority or using a third-party tool such as OpenSSL (http://www.openssl.org). The command for converting a certificate from PEM to DER format is similar to the following:
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
step 8 after the signed certificate is returned from the certificate
authority.
the navigation pane, click MM Control Security. Scroll to the SSL Server Certificate Management section, which looks similar to the page in the following illustration.
Select Import a Signed Certificate. A page similar to the one in the following illustration is displayed.
10.
Click Browse.
11.
Click the certificate file that you want and then click Open. The file name (including the full path) is displayed in the field next to the Browse button.
12.
Click Import Server Certificate to begin the process. A progress indicator is displayed as the file is transferred to storage on the management module. Remain on this page until the transfer is completed.
Chapter 3. Using the management-module Web interface
49
1. In
2.
to
1. In
2. In
50
Enabling SSL for the secure Web server
Note: To enable SSL, you must have a valid SSL certificate installed.
Complete the following steps to enable the secure Web server:
the navigation pane, click MM Control Security. The page that is displayed looks similar to the one in the following illustration and shows that a valid SSL server certificate is installed. If the SSL server certificate status does not show that a valid SSL certificate is installed, go to “SSL server certificate management” on page 44.
Scroll to the SSL Server Configuration for Web Server section and select Enabled in the SSL Client field and then click Save. The value selected takes effect the next time the management module is restarted.
SSL client certificate management
The SSL client requires that a valid certificate and corresponding private encryption key is installed before SSL is enabled. There are two methods available for generating the private key and required certificate: using a self-signed certificate, or using a certificate signed by a certificate authority.
The procedure for generating the private encryption key and certificate for the SSL client is the same as the procedure for the SSL server, except that you use the SSL Client Certificate Management section of the Security Web page instead of the SSL Server Certificate Management section. If you want to use a self-signed certificate for the SSL client, see “Generating a self-signed certificate” on page 45. If you want
use a certificate authority signed certificate for the SSL client, see “Generating a
certificate signing request” on page 46.
SSL client trusted certificate management
The secure SSL client (LDAP client) uses trusted certificates to positively identify the LDAP server. A trusted certificate can be the certificate of the certificate authority that signed the certificate of the LDAP server or it can be the actual certificate of the LDAP server. At least one certificate must be imported to the management module before the SSL client is enabled. You can import up to three trusted certificates.
Complete the following steps to import a trusted certificate:
the navigation pane, select MM Control Security.
the SSL Client Configuration for LDAP Client section, make sure that the SSL client is disabled. If it is not disabled, select Disabled in the SSL Client field and then click Save.
BladeCenter Management Module: User’s Guide
to
4.
to
5.
6.
7. To
8.
3.
Scroll to the SSL Client Trusted Certificate Management section. A page similar
the one in the following illustration is displayed.
Click Import next to one of the Trusted CA Certificate 1 fields. A page similar
the one in the following illustration is displayed.
Click Browse.
Select the certificate file that you want and click Open. The file name (including the full path) is displayed in the box beside the Browse button.
begin the import process, click Import Certificate. A progress indicator is displayed as the file is transferred to storage on the management module. Remain on this page until the transfer is completed.
The SSL Client Trusted Certificate Management section of the MM Control → Security page will now look similar to the one in the following illustration.
The Remove button is now available for the Trusted CA Certificate 1 option. If you want to remove a trusted certificate, click the corresponding Remove button.
You can import other trusted certificates using the Trusted CA Certificate 2 and the Trusted CA Certificate 3 Import buttons.
Chapter 3. Using the management-module Web interface
51
1. In
in
2. On
3.
ID
or
A
52
Enabling SSL for the LDAP client
Use the SSL Client Configuration for LDAP Client section of the Security page to enable or disable SSL for the LDAP Client. To enable SSL, a valid SSL client certificate and at least one trusted certificate must first be installed.
Complete the following steps to enable SSL for the client:
the navigation pane, click MM Control Security. A page similar to the one the following illustration is displayed.
The MM Control Security page shows an installed SSL client certificate and Trusted CA Certificate 1.
the SSL Client Configuration for LDAP Client page, select Enabled in the
SSL Client field.
Click Save. The value selected takes effect immediately.

Configuring the secure shell server

The Secure Shell (SSH) feature provides secure access to the command-line interface and the serial over LAN (text console) redirect features of the management module.
Secure shell users are authenticated by exchanging user ID and password. The password and user ID are sent after the encryption channel is established. The user
and password pair can be one of the 12 locally stored user IDs and passwords
they can be stored on an LDAP server. Public key authentication is not
supported.
Generating a secure shell server key
secure shell server key is used to authenticate the identity of the secure shell server to the client. Secure shell must be disabled before you create a new secure shell server private key. You must create a server key before enabling the secure shell server.
When you request a new server key, both a Rivest, Shamir, and Adelman (RSA) key and a DSA key are created to allow access to the management module from
BladeCenter Management Module: User’s Guide
v
v
1. In
2.
3.
4.
1. In
either a SSH version 1.5 or SSH version 2 client. For security, the secure shell server private key is not backed-up during a configuration save and restore operation.
The following third-party SSH clients are available. While some SSH clients have been tested, support or non-support of any particular SSH client is not implied.
The SSH clients distributed with operating systems such as Linux, AIX®, and
®
UNIX
(see your operating-system documentation for information). The SSH
client of Red Hat Linux 7.3 was used to test the command-line interface.
The SSH client of cygwin (see http://www.cygwin.com for information)
The following table shows the types of encryption algorithms that are supported, based on the SSH version that is being used.
Algorithm
Public key exchange
Host key type
Bulk cipher algorithms
MAC algorithms
SSH version 1.5 clients
SSH 1-key exchange algorithm
RSA (1024-bit)
3-des
32-bit crc
SSH version 2.0 clients
Diffie-Hellman-group 1-sha-1
DSA (1024-bit)
3-des-cbc or blowfish-cbc
Hmac-sha1
Complete the following steps to create a new secure shell server key:
the navigation pane, click MM Control Security.
Scroll to the Secure Shell (SSH) Server section and make sure that the secure shell server is disabled. If it is not disabled, select Disabled in the SSH Server field and then click Save.
Scroll to the SSH Server Key Management section. A page similar to the one in the following illustration is displayed.
Click Generate SSH Server Private Key. A progress window is displayed. Wait for the operation to finish. This step might take several minutes to complete.
Enabling the secure shell server
From the Security page you can enable or disable the secure shell server. The selection that you make takes effect only after the management module is restarted. The value displayed on the screen (Enabled or Disabled) is the last value selected and is the value used when the management module is restarted.
Note: You can enable the secure shell server only if a valid secure shell server
private key is installed.
Complete the following steps to enable the secure shell server:
the navigation pane, click Security.
Chapter 3. Using the management-module Web interface
53
3.
4. In
If
to
v
v
54
2.
Scroll to the Secure Shell (SSH) Server section. A page similar to the one in the following illustration is displayed.
Click Enabled in the SSH Server field.
the navigation pane, click Restart ASM to restart the management module.
Using the secure shell server
you are using the secure shell client that is included in Red Hat Linux version 7.3,
start a secure shell session to a management module with network address
192.168.70.2, type a command similar to the following example:
ssh -x -l USERID 192.168.70.2
where -x indicates no X Window System forwarding and -l indicates that the session should use the user ID ’USERID’.

Using the configuration file

Use the management-module Web interface MM Control Configuration File to:
Back up the management-module configuration
Restore the management-module configuration
Note: If you cannot communicate with a replacement management module through
the Web interface or the IBM Director programs, the IP address might be different from the IP address of the management module just removed. Press the IP reset button to set the management module to the factory default IP addresses; then, access the management module using the factory IP address (see “Configuring the management module for remote access” on page 8 for the factory IP addresses) and configure the management module or load the saved configuration file.

Backing up your current configuration

You can download a copy of your current management-module configuration to the client computer that is running the management-module Web interface. Use this backup copy to restore your management-module configuration if it is accidentally
BladeCenter Management Module: User’s Guide
1.
2. In
3. In
4.
5. To
6.
v In
v In
1.
2. In
3. In
4.
5. If
If
by a
changed or damaged. Use it as a base that you can modify to configure multiple management modules with similar configurations.
Complete the following steps to back up your current configuration:
Log in to the management module where you want to back up your current configuration. For more information, see “Starting the management-module Web interface” on page 12.
the navigation pane, click MM Control Configuration File.
the Backup MM Configuration section, click view the current
configuration summary.
Note: The security settings on the Security page are not backed up.
Verify the settings and then click Close.
back up this configuration, click Backup.
Type a name for the backup, select the location where the file will be saved, and then click Save.
Netscape Navigator, click Save File.
Microsoft Internet Explorer, select Save this file to disk, and then click
OK.

Restoring and modifying your ASM configuration

You can restore a saved configuration in full, or you can modify key fields in the saved configuration before restoring the configuration to your management module. Modifying the configuration file before restoring it helps you set up multiple management modules with similar configurations. You can quickly specify parameters that require unique values such as names and IP addresses, without having to enter common, shared information.
Complete the following steps to restore or modify your current configuration:
Log in to the management module where you want to restore the configuration. For more information, see “Starting the management-module Web interface” on page 12.
the navigation pane, click MM Control Configuration File.
the Restore MM Configuration section, click Browse.
Click the configuration file that you want; then, click Open. The file (including the full path) appears in the box beside Browse.
you do not want to make changes to the configuration file, click Restore. A new window opens with the management-module configuration information. Verify that this is the configuration that you want to restore. If it is not the correct configuration, click Cancel.
you want to make changes to the configuration file before restoring, click
Modify and Restore to open an editable configuration summary window.
Initially, only the fields that allow changes appear. To change between this view and the complete configuration summary view, click the Toggle View button at the top or bottom of the window. To modify the contents of a field, click the corresponding text box and enter the data.
Note: When you click Restore or Modify and Restore, an alert window might
open if the configuration file you are attempting to restore was created
management module with older firmware (and therefore, less
functionality). This alert message will include a list of
Chapter 3. Using the management-module Web interface
55
on
6. To
7.
8.
9.
To
56
system-management functions that you will have to configure manually after the restoration is complete. Some functions require configurations
more than one window.
proceed with restoring this file to the management module, click Restore
Configuration. A progress indicator appears as the firmware on the management module is updated. A confirmation window opens to verify whether the update was successful.
Note: The security settings on the Security page are not restored with the
restore operation. To modify security settings, see “Secure Web server and secure LDAP” on page 42.
After receiving a confirmation that the restore process is complete, in the navigation pane, click MM Control Restart MM; then, click Restart.
Click OK to confirm that you want to restart your management module.
Click OK to close the current browser window.
10.
log in to the management module again, start your browser, and follow your
regular login process.
BladeCenter Management Module: User’s Guide
If
v
v
v
in
at
v Go to
To
©

Appendix A. Getting help and technical assistance

you need help, service, or technical assistance or just want more information about IBM products, you will find a wide variety of sources available from IBM to assist you. This appendix contains information about where to go for additional information about IBM and IBM products, what to do if you experience a problem with your BladeCenter, xSeries®, or IntelliStation service, if it is necessary.

Before you call

Before you call, make sure that you have taken these steps to try to solve the problem yourself:
Check all cables to make sure that they are connected.
Check the power switches to make sure that the system is turned on.
Use the troubleshooting information in your system documentation, and use the diagnostic tools that come with your system. Information about diagnostic tools is
the Hardware Maintenance Manual and Troubleshooting Guide on the IBM
xSeries Documentation CD or in the IntelliStation Hardware Maintenance Manual
the IBM Support Web site.
the IBM Support Web site at http://www.ibm.com/pc/support/ to check for technical information, hints, tips, and new device drivers or to submit a request for information.
®
system, and whom to call for
can solve many problems without outside assistance by following the
You troubleshooting procedures that IBM provides in the online help or in the publications that are provided with your system and software. The information that comes with your system also describes the diagnostic tests that you can perform. Most xSeries and IntelliStation systems, operating systems, and programs come with information that contains troubleshooting procedures and explanations of error messages and error codes. If you suspect a software problem, see the information for the operating system or program.

Using the documentation

Information about your IBM xSeries or IntelliStation system and preinstalled software, if any, is available in the documentation that comes with your system. That documentation includes printed books, online books, readme files, and help files. See the troubleshooting information in your system documentation for instructions for using the diagnostic programs. The troubleshooting information or the diagnostic programs might tell you that you need additional or updated device drivers or other software. IBM maintains pages on the World Wide Web where you can get the latest technical information and download device drivers and updates.
access these pages, go to http://www.ibm.com/pc/support/ and follow the instructions. Also, you can order publications through the IBM Publications Ordering System at http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi.
Copyright IBM Corp. 2004
57
On
at
by
In
7
58

Getting help and information from the World Wide Web

the World Wide Web, the IBM Web site has up-to-date information about IBM xSeries and IntelliStation products, services, and support. The address for IBM xSeries information is http://www.ibm.com/eserver/xseries/. The address for IBM IntelliStation information is http://www.ibm.com/pc/intellistation/.
You can find service information for your IBM products, including supported options,
http://www.ibm.com/pc/support/.

Software service and support

Through IBM Support Line, you can get telephone assistance, for a fee, with usage, configuration, and software problems with xSeries servers, IntelliStation workstations, and appliances. For information about which products are supported
Support Line in your country or region, go to
http://www.ibm.com/services/sl/products/.
For more information about Support Line and other IBM services, go to http://www.ibm.com/services/, or go to http://www.ibm.com/planetwide/ for support telephone numbers. In the U.S. and Canada, call 1-800-IBM-SERV (1-800-426-7378).

Hardware service and support

You can receive hardware service through IBM Integrated Technology Services or through your IBM reseller, if your reseller is authorized by IBM to provide warranty service. Go to http://www.ibm.com/planetwide/ for support telephone numbers, or in the U.S. and Canada, call 1-800-IBM-SERV (1-800-426-7378).
the U.S. and Canada, hardware service and support is available 24 hours a day,
days a week. In the U.K., these services are available Monday through Friday,
from 9 a.m. to 6 p.m.
BladeCenter Management Module: User’s Guide
OR
OF
©
©

Appendix B. Notices

This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY 10504-1785 U.S.A.

Edition notice

INTERNATIONAL
BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product, and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Copyright International Business Machines Corporation 2004. All rights
reserved.
Copyright IBM Corp. 2004
U.S. Government Users Restricted Rights Use, duplication, or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
59
in
KB
60

Trademarks

The following terms are trademarks of International Business Machines Corporation
the United States, other countries, or both:
Active Memory
Predictive Failure
Analysis Active PCI Active PCI-X Alert on LAN BladeCenter C2T Interconnect Chipkill EtherJet e-business logo
Eserver
FlashCopy IBM IBM (logo) IntelliStation NetBAY Netfinity NetView
PS/2
ServeRAID
ServerGuide
ServerProven
TechConnect
ThinkPad
Tivoli
Tivoli Enterprise
Update Connector
Wake on LAN
XA-32
XA-64
X-Architecture
XceL4
XpandOnDemand
xSeries OS/2 WARP
Lotus, Lotus Notes, SmartSuite, and Domino are trademarks of Lotus Development Corporation and/or IBM Corporation in the United States, other countries, or both.

Important notes

Intel, MMX, and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.
Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.
Processor speeds indicate the internal clock speed of the microprocessor; other factors also affect application performance.
CD-ROM drive speeds list the variable read rate. Actual speeds vary and are often less than the maximum possible.
When referring to processor storage, real and virtual storage, or channel volume,
stands for approximately 1000 bytes, MB stands for approximately 1 000 000
bytes, and GB stands for approximately 1 000 000 000 bytes.
BladeCenter Management Module: User’s Guide
of
to
When referring to hard disk drive capacity or communications volume, MB stands for 1 000 000 bytes, and GB stands for 1 000 000 000 bytes. Total user-accessible capacity may vary depending on operating environments.
Maximum internal hard disk drive capacities assume the replacement of any standard hard disk drives and population of all hard disk drive bays with the largest currently supported drives available from IBM.
Maximum memory may require replacement of the standard memory with an optional memory module.
IBM makes no representation or warranties regarding non-IBM products and services that are ServerProven®, including but not limited to the implied warranties
merchantability and fitness for a particular purpose. These products are offered
and warranted solely by third parties.
IBM makes no representations or warranties with respect to non-IBM products. Support (if any) for the non-IBM products is provided by the third party, not IBM.
Some software may differ from its retail version (if available), and may not include user manuals or all program functionality.

Product recycling and disposal

This unit contains materials such as circuit boards, cables, electromagnetic compatibility gaskets, and connectors which may contain lead and copper/beryllium alloys that require special handling and disposal at end of life. Before this unit is disposed of, these materials must be removed and recycled or discarded according
applicable regulations. IBM offers product-return programs in several countries. Information on product recycling offerings can be found on IBM’s Internet site at http://www.ibm.com/ibm/environment/products/prp.shtml.

Electronic emission notices

Federal Communications Commission (FCC) statement

Note: This equipment has been tested and found to comply with the limits for a
Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his own expense.
Properly shielded and grounded cables and connectors must be used in order to meet FCC emission limits. IBM is not responsible for any radio or television interference caused by using other than recommended cables and connectors or by unauthorized changes or modifications to this equipment. Unauthorized changes or modifications could void the user’s authority to operate the equipment.
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
Appendix B. Notices
61
62

Industry Canada Class A emission compliance statement

This Class A digital apparatus complies with Canadian ICES-003.
Avis de conformité à la réglementation d’Industrie Canada
Cet appareil numérique de la classe A est conforme à la norme NMB-003 du Canada.

Australia and New Zealand Class A statement

Attention: This is a Class A product. In a domestic environment this product may
cause radio interference in which case the user may be required to take adequate measures.

United Kingdom telecommunications safety requirement

Notice to Customers
This apparatus is approved under approval number NS/G/1234/J/100003 for indirect connection to public telecommunication systems in the United Kingdom.

European Union EMC Directive conformance statement

This product is in conformity with the protection requirements of EU Council Directive 89/336/EEC on the approximation of the laws of the Member States relating to electromagnetic compatibility. IBM cannot accept responsibility for any failure to satisfy the protection requirements resulting from a nonrecommended modification of the product, including the fitting of non-IBM option cards.
This product has been tested and found to comply with the limits for Class A Information Technology Equipment according to CISPR 22/European Standard EN
55022. The limits for Class A equipment were derived for commercial and industrial environments to provide reasonable protection against interference with licensed communication equipment.
Attention:
This is a Class A product. In a domestic environment this product may cause radio interference in which case the user may be required to take adequate measures.

Taiwanese Class A warning statement

BladeCenter Management Module: User’s Guide

Chinese Class A warning statement

Japanese Voluntary Control Council for Interference (VCCI) statement

Appendix B. Notices
63
64
BladeCenter Management Module: User’s Guide
54
IP
2 IP
2
2
12
©

Index

A
algorithms, encryption 53 authentication, LDAP 27 authority, user 11
B
blade server
firmware
update 22
C
cabling
remote
connection Ethernet port 7 Class A electronic emission notice 61 configuration file
restoring
saving 54 Configuration/Setup Utility program 11 configuring
BladeCenter
unit 5 DNS 37 LDAP 38 LDAP client authentication 40 LDAP search attributes 40 secure shell server 52 SMTP 37 SNMP 35
connector
Ethernet
remote
management and console 4 input/output 3 keyboard 4 PS/2 mouse 4 remote management 4 video 3
D
difficulty communicating with replacement module 54 DNS 32 DNS, configuring 37
event log 16 event log in alerts 29 event log, viewing 16
F
factory defaults 2 FCC Class A notice 61 firmware update
blade
server 22 I/O module 26 management module 34
H
help 14
I
I/O module
firmware
update 26
configuration
reset
reset button 2, 54
K
keyboard connector 4
L
LDAP 32
configuring client authentication 40 configuring search attributes 40 overview 38 setting up client 38
LDAP authentication 27 LEDs
active error 2 Ethernet activity 2 Ethernet-link status 2 power-on 2
E
electronic emission Class A notice 61 encryption algorithms 53 error log.
See
event log
Ethernet
configuring
port, cabling 7 Ethernet activity LED 2 Ethernet connector, remote management and
console 4
Ethernet-link status LED 2
Copyright IBM Corp. 2004
remote connection 8
M
management module
firmware redundant
management-module configuration
reset
management-module Web interface
starting
mouse connector 4
manual
update 34
changeover 35
65
37
IP
53
66
N
network protocols
configuring
DNS 37 configuring LDAP 38 configuring SMTP 37 configuring SNMP 35 configuring SSL 42
network, connecting 7 notes, important 60 notices
electronic
emission 61
FCC, Class A 61
P
port
See
connector port assignments 29 ports 29 power-on LED 2 protocols
DNS SMTP 37 SNMP 35 SSL 42
R
remote console 21 remote control 21 remote disk 21 remote management connector 4 replacement module, difficulty communicating with 54 reset
factory
defauts 2
configuration 2
management-module configuration 2
restoring configuration file 54
SMTP 32 SMTP, configuring 37 SNMP 32 SNMP, configuring 35 SOL 24 SSH 33 SSH clients 53 SSL certificate overview 44 SSL client certificate management 50 SSL client trusted certificate management 50 SSL security protocol 42 SSL server certificate management 44 SSL, enabling
for
LDAP client 52
for secure Web server 50
SSL,LDAP 33
T
TCP log 32 TCP log, viewing 32 trademarks 60
U
United States electronic emission Class A notice 61 United States FCC Class A notice 61 use authority 11 utility, Configuration/Setup 11
V
video connector 3
W
Web browsers, supported 5
S
saving configuration file 54 Secure Shell connection clients 53 secure shell server
enabling generating private key 52 overview 52
secure Web server and secure LDAP
configuring enabling SSL for LDAP client 52 enabling SSL for secure Web server 50 overview 42 SSL certificate overview 44 SSL client certificate management 50 SSL client trusted certificate management 50
SSL server certificate management 44 security 32, 33 security, configuring 43 serial over LAN 24 setting up LDAP client 38
BladeCenter Management Module: User’s Guide
security 43

Part Number: 13N0318
Printed in USA
(1P) P/N: 13N0318
Loading...