Lenovo TD200 User Manual

Integrated Management Module User Guide

Integrated Management M odule

User Guide

Note: Before using this information and the product it supports, read the general information in Appendix B, “Notices,” on page

99.

First Edition (July 2009)

LENOVO products, data, computer software, and services have been developed exclusively at private expense and are sold to governmental entities as commercial items as defined by 48 C.F.R. 2.101 with limited and restricted rights to use, reproduction and disclosure.

LIMITED AND RESTRICTED RIGHTS NOTICE: If products, data, computer software, or services are delivered pursuant a General Services Administration ″GSA″ contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS-35F-05925.

Chapter 1. Introduction ........1

IMM features ..............2

Upgrading from IMM Standard to IMM Premium 3 Comparing the IMM to other systems-

management hardware in ThinkServer servers . . 3 Web browser and operating-system requirements . . 7

Notices used in this book ..........7

Chapter 2. Opening and using the IMM

Web interface ............9

Accessing the IMM Web interface .......9

Setting up the IMM network connection through

the Server Firmware Setup Utility ......9

Logging in to the IMM .........10

IMM action descriptions ..........11

Chapter 3. Configuring the IMM ....15

Setting system information .........15

Setting server timeouts .........16

Setting the IMM date and time .......17

Synchronizing clocks in a network......18

Disabling the USB in-band interface .....19

Creating a login profile ..........20

Deleting a login profile ..........23

Configuring the global login settings ......23

Configuring remote alert settings .......24

Configuring remote alert recipients .....24

Configuring global remote alert settings ....25

Configuring SNMP alert settings ......26

Configuring serial port settings ........26

Serial-to-Telnet or SSH redirection .......27

Configuring port assignments ........28

Configuring network interfaces ........28

Configuring network protocols ........31

Configuring SNMP ...........31

Configuring DNS ...........32

Configuring Telnet ...........33

Configuring SMTP ...........33

Configuring LDAP ............33

Setting up a client to use the LDAP server . . . 33

Configuring LDAP client authentication ....36

Configuring LDAP search attributes .....36

Service Location Protocol (SLP) .......38

Configuring security ...........38

Secure Web server and secure LDAP .....39

SSL certificate overview .........39

SSL server certificate management ......40

Enabling SSL for the secure Web server ....43

SSL client certificate management ......43

SSL client trusted certificate management . . . 43

Enabling SSL for the LDAP client ......44

Configuring the Secure Shell server ......44

Generating a Secure Shell server key .....45

Enabling the Secure Shell server ......45

Using the Secure Shell server .......45

Using the configuration file .........45

Backing up your current configuration ....46

Restoring and modifying your IMM

configuration .............46

Restoring defaults ............47

Restarting IMM .............47

Logging off ..............48

Chapter 4. Monitoring server status . . 49

Viewing system status ...........49

Viewing the Easy LED Diagnostics ......52

Viewing the event logs ..........52

Viewing the system-event log from the Web

interface ..............53

Viewing event logs from the Setup Utility . . . 54

Viewing event logs without restarting the server 54

Viewing vital product data .........55

Chapter 5. Performing IMM tasks . . . 57

Viewing server power and restart activity ....57

Controlling the power status of a server .....57

Remote presence.............58

Updating your IMM firmware and Java applet 59

Enabling the remote presence function ....59

Remote control ............59

Remote control screen capture .......60

Remote control Video Viewer view modes . . . 60

Remote control video color mode ......61

Remote control keyboard support ......61

Remote control mouse support .......62

Remote power control ..........64

Viewing performance statistics .......64

Starting Remote Desktop Protocol ......64

Remote disk .............64

Setting up PXE network boot ........66

Updating firmware ............67

Resetting the IMM with the Setup Utility ....67

Managing tools and utilities with IMM and the

server firmware .............68

Using IPMItool ............68

Using Advanced Settings Utility (ASU) ....68

Other methods for managing the IMM ....68

Chapter 6. LAN over USB.......71

Potential conflicts with the LAN over USB interface 71 Configuring the LAN over USB interface manually 71

Installing device drivers ..........71

Installing the Windows IPMI device driver . . . 71

Installing the LAN over USB Windows device

driver ...............72

Installing the LAN over USB Linux device driver 73

Chapter 7. Command-line interface . . 75

Managing the IMM using IPMI ........75

Accessing the command line.........75

Logging in to the command-line session .....75

Command syntax ............76

Features and limitations ..........76

Utility commands ............77

exit command ............77

help command ............77

history command ...........78

Monitor commands............78

clearlog command ...........78

fans command ............78

readlog command ...........79

syshealth command ..........79

temps command............79

volts command ............80

vpd command ............80

Server power and restart control commands . . . 81

power command ...........81

reset command ............81

Serial redirect command ..........81

console command ...........81

Configuration commands ..........82

dhcpinfo command ...........82

ifconfig command ...........83

ldap command ............84

ntp command ............85

passwordcfg command .........86

portcfg command ...........87

srcfg command ............87

ssl command .............88

timeouts command ...........89

usbeth command ...........90

users command ............90

IMM control commands ..........91

clearcfg command ...........91

clock command ............92

identify command ...........92

resetsp command ...........93

update command ...........93

Appendix A. Getting help and technical

assistance .............95

Before you call .............95

Using the documentation ..........95

Getting help and information from the World Wide

Web.................96

Calling for service ............96

Using other services ...........97

Purchasing additional services ........97

Lenovo product service ..........97

Appendix B. Notices .........99

Trademarks ..............100

Important notes ............100

Product recycling and disposal .......101

Compliance with Republic of Turkey Directive on

the Restriction of Hazardous Substances ....102

Recycling statements for Japan .......103

Battery return program ..........103

German Ordinance for Work gloss statement . . . 105

Electronic emission notices .........105

Federal Communications Commission (FCC)

statement..............105

Industry Canada Class A emission compliance

statement..............105

Avis de conformité à la réglementation

d’Industrie Canada ..........105

Australia and New Zealand Class A statement 105 United Kingdom telecommunications safety

requirement .............105

European Union EMC Directive conformance

statement..............106

Germany Class A compliance statement . . . 106 Japan Voluntary Control Council for Interference

(VCCI) statement ...........107

Taiwan Class A warning statement .....107

People’s Republic of China Class A warning

statement..............108

Korea Class A warning statement......108

Index ...............109

Integrated Management Module: User Guide

Chapter 1. Introduction

The Integrated Management Module (IMM) consolidates the service processor functionality, Super I/O, video controller, and remote presence capabilities in a single chip on the server system board. The IMM replaces the baseboard management controller (BMC) and Remote Supervisor Adapter II in Lenovo ThinkServer™servers.

Before the IMM was used in Lenovo servers, the baseboard management controller (BMC) and basic input/output system (BIOS) were the standard systems-management hardware and firmware. ThinkServer servers used BMC service processors to manage the interface between systems-management software and platform hardware. The Remote Supervisor Adapter II and Remote Supervisor Adapter II Slimline were optional controllers for out-of-band server management.

The IMM offers several improvements over the combined functionality of the BMC and the Remote Supervisor Adapter II:

v Choice of dedicated or shared Ethernet connection. v One IP address for both the Intelligent Platform Management Interface (IPMI)

and the service processor interface.

v Embedded Dynamic System Analysis (DSA). v Ability to locally or remotely update other entities without requiring a server

restart to initiate the update process.

v Remote configuration with Advanced Settings Utility (ASU). v Capability for applications and tools to access the IMM either in-band or

out-of-band.

v Enhanced remote-presence capabilities.

Unified Extensible Firmware Interface (UEFI) replaces BIOS in ThinkServer servers. The basic input/output system (BIOS) was the standard firmware code that controlled basic hardware operations, such as interactions with diskette drives, hard disk drives, and the keyboard. The server firmware offers several features that BIOS does not, including UEFI 2.1 compliance, iSCSI compatibility, and enhanced reliability and service capabilities. The Setup Utility provides server information, server setup, customization compatibility, and establishes the boot device order.

Notes:

1. The server firmware is occasionally called UEFI in this document.

2. The server firmware is fully compatible with non-UEFI operating systems.

This document explains how to use the functions of the IMM in a Lenovo Thinkserver server. The IMM works with the server firmware to provide systems-management capability for ThinkServer servers.

This document does not contain explanations of errors or messages. IMM errors and messages are described in the Hardware Maintenance Manual that came with your server.

If firmware and documentation updates are available, you can download them from the Lenovo Support Web site. The IMM might have features that are not

described in the documentation, and the documentation might be updated occasionally to include information about those features, or technical updates might be available to provide additional information that is not included in the IMM documentation.

Note: Changes are made periodically to the Lenovo Support Web site. Procedures

for locating firmware and documentation might vary slightly from what is described in this document.

To check for firmware updates, complete the following steps.

1. Go to http://www.lenovo.com/support.

2. Enter your product number (machine type and model number) or select

Servers and Storage from the Select your product list.

3. Select Servers and Storage from the Brand list.

4. From the Family list, select the name of your server, and click Continue.

5. Click Downloads and drivers to download firmware and driver updates.

To check for documentation updates, complete the following steps:

1. Go to http://www.lenovo.com/support.

2. Enter your product number (machine type and model number) or select

Servers and Storage from the Select your product list.

3. Select Servers and Storage from the Brand list.

4. From the Family list, select the name of your server, and click Continue.

5. Click User's guides and manuals for documentation.

IMM features

The IMM provides the following functions:

v Around-the-clock remote access and management of your server v Remote management independent of the status of the managed server v Remote control of hardware and operating systems v Web-based management with standard Web browsers

There are two types of IMM functionality: IMM Standard and IMM Premium. For information about the type of IMM hardware in your server, see the documentation that came with the server.

IMM Standard has the following features:

v Access to critical server settings v Access to server vital product data (VPD) v Advanced Hardware Failure Prediction v Automatic notification and alerts v Continuous health monitoring and control v Choice of a dedicated or shared Ethernet connection v Domain Name System (DNS) server support v Dynamic Host Configuration Protocol (DHCP) support v E-mail alerts v Embedded Dynamic System Analysis (DSA) v Enhanced user authority levels

2 Integrated Management Module: User Guide

v LAN over USB for in-band communications to the IMM v Event logs that are time stamped, saved on the IMM, and can be attached to

e-mail alerts

v Industry-standard interfaces and protocols v OS watchdogs v Remote configuration through Advanced Settings Utility (ASU) v Remote firmware updating v Remote power control v Seamless remote accelerated graphics v Secure Web server user interface v Serial over LAN v Server console redirection v Simple Network Management Protocol (SNMP) support v User authentication using a secure connection to a Lightweight Directory Access

Protocol (LDAP) server

IMM Premium has the following features:

v Remote presence, including the remote control of a server v Operating-system failure screen capture and display through the Web interface v Remote disk, which enables the attachment of a diskette drive, CD/DVD drive,

USB flash drive, or disk image to a server

Note: The following features of the Remote Supervisor Adapter II are not in the

IMM:

v Display of server MAC addresses v Multiple NTP server entries v Dynamic DNS support

Upgrading from IMM Standard to IMM Premium

If your server has IMM Standard functionality, you can upgrade to IMM Premium by purchasing and installing a virtual media key on your server system board. No new firmware is required.

Comparing the IMM to other systems-management hardware in ThinkServer servers

The following table compares IMM features with baseboard management controller (BMC) and Remote Supervisor Adapter II features in ThinkServer servers.

Note: Like the BMC, the IMM uses the standard Intelligent Platform Management

Interface (IPMI) specification.

Chapter 1. Introduction 3

Table 1. Comparison of the IMM features and combined BMC and Remote Supervisor Adapter II features in ThinkServer servers

BMC with Remote Supervisor Adapter II

Description

Network connections BMC uses a network connection that is

(TS100, TS100, TS100x, RS110, and RD120) IMM(RD210, RD220, and later)

The IMM provides both BMC and Remote shared with a server and an IP address that is different from the Remote Supervisor Adapter II IP address.

Supervisor Adapter II functionality through

the same network connection. One IP

address is used for both. The user can

choose either a dedicated or a shared Remote Supervisor Adapter II uses a

network connection. dedicated systems-management network

connection and an IP address that is different from the BMC IP address.

Update capabilities Each server requires a unique update for

BMC and Remote Supervisor Adapter II.

One IMM firmware image can be used for

all of the applicable servers.

Configuration capabilities

Operating-system screen capture

BIOS and diagnostic tools can be updated in-band.

Configuration changes with the Advanced Settings Utility (ASU) are available only in-band. The system requires separate configurations for BMC, Remote Supervisor Adapter II, and BIOS.

Screen captures are performed by the Remote Supervisor Adapter II when operating-system failures occur. The display of screen captures requires a Java

™

applet.

The IMM firmware, server firmware, and

Dynamic System Analysis (DSA) firmware

can be updated both in-band and

out-of-band.

The IMM can update itself, the server

firmware, and the DSA firmware either

locally or remotely without requiring the

server to be restarted to initiate the update

process.

The ASU can run either in-band or

out-of-band and can configure both the IMM

and the server firmware. With the ASU, you

can also modify the boot order, iSCSI, and

VPD (machine type, serial number, UUID,

and asset ID).

The server firmware configuration settings

are kept by the IMM. Therefore, you can

make server firmware configuration changes

while the server is turned off or while the

operating system is running, and those

changes are effective the next time the server

is started.

The IMM configuration settings can be

configured in-band or out-of-band through

the following IMM user interfaces:

v Web interface

v Command-line interface

v SNMP

This feature is available only with IMM

Premium.

Screen captures are displayed directly by the

Web browser without the need for a Java

applet.

4 Integrated Management Module: User Guide

Table 1. Comparison of the IMM features and combined BMC and Remote Supervisor Adapter II features in ThinkServer servers (continued)

BMC with Remote Supervisor Adapter II

Description

Error logging The BMC provides a BMC system-event log

(TS100, TS100, TS100x, RS110, and RD120) IMM(RD210, RD220, and later)

The IMM has two event logs:

(IPMI event log).

The Remote Supervisor Adapter II provides a text-based log that includes descriptions of events that are reported by the BMC. This log also contains any information or events detected by the Remote Supervisor Adapter II itself.

1. The system-event log is available through the IPMI interface.

2. The chassis-event log is available through the other IMM interfaces. The chassis-event log displays text messages that are generated using the Distributed Management Task Force specifications DSP0244 and DSP8007.

Note: For an explanation of a specific event or message, see the Hardware Maintenance Manual that is available on the Lenovo Support Web site at http:// www.lenovo.com/support.

Monitoring The BMC with Remote Supervisor Adapter II

has the following monitoring capabilities: v Monitoring of server and battery voltage,

server temperature, fans, power supplies, and processor and DIMM status

v Fan speed control

The IMM provides the same monitoring capabilities as the BMC and Remote Supervisor Adapter II. When used in a RAID configuration, expanded hard disk drive status, including disk drive Hardware Failure Prediction, is supported by the IMM.

v Hardware Failure Prediction v System diagnostic LED control (power,

hard disk drive, activity, alerts, heartbeat)

v Automatic Server Restart (ASR) v Automatic BIOS Recovery (ABR)

Chapter 1. Introduction 5

Table 1. Comparison of the IMM features and combined BMC and Remote Supervisor Adapter II features in ThinkServer servers (continued)

BMC with Remote Supervisor Adapter II

Description

Remote presence The BMC with Remote Supervisor Adapter II

(TS100, TS100, TS100x, RS110, and RD120) IMM(RD210, RD220, and later)

This feature is available only with IMM has the following remote presence capabilities:

v Graphical console redirection over LAN v Remote virtual diskette and CD-ROM v High-speed remote redirection of PCI

video, keyboard, and mouse

v Video resolution up to 1024 x 768, at 70 Hz,

is supported

v Data encryption

Premium.

In addition to the Remote Supervisor

Adapter II remote presence features, the

IMM also has the following capabilities.

Note: The IMM requires Java Runtime

Environment 1.5 or later.

v Video resolution up to 1280 x 1024, at 75

Hz, is supported

v USB 2.0 support for virtual keyboard,

mouse, and mass storage devices

v 15-bit color depth

v Choice of either absolute or relative

mouse mode

v USB flash drive support

v Server power and reset control on the

Remote Control window

v Video on the Remote Control window can

be saved in a file

Security Remote Supervisor Adapter II has advanced

security features, including Secure Sockets Layer (SSL) and encryption.

Serial redirection The IPMI Serial over LAN (SOL) function is a

standard capability of the BMC.

The Remote Supervisor Adapter II provides the ability to redirect server serial data to a Telnet or SSH session. Note: This feature is not available on some servers.

The IMM provides two separate client

windows. One is for video and keyboard

and mouse interaction, and the other one is

for virtual media.

The IMM Web interface has a menu item

that allows color depth adjustment to reduce

the data transmitted in low-bandwidth

situations. The Remote Supervisor Adapter

II interface has a bandwidth slider.

The IMM has the same security features as

Remote Supervisor Adapter II.

The COM1 port is used for SOL on

ThinkServer servers. COM1 is configurable

only through the IPMI interface.

The COM2 port is used for serial redirection

through Telnet or SSH. COM2 is

configurable through all of the IMM

interfaces except for the IPMI interface.

Both COM port configurations are limited to

8 data bits, null parity, 1 stop bit, and a

baud rate choice of 9600, 19200, 38400,

57600, 115200, or 230400.

On rack-mounted and tower servers, the

IMM COM2 port is an internal COM port

with no external access.

SNMP SNMP support is limited to SNMPv1. The IMM supports SNMPv1 and SNMPv3.

6 Integrated Management Module: User Guide

Web browser and operating-system requirements

The IMM Web interface requires the Java Plug-in 1.5 or later (for the remote presence feature) and one of the following Web browsers:

v Microsoft

Internet Explorer®version 6.0 or later with the latest Service Pack

v Mozilla Firefox version 1.5 or later

The following server operating systems have USB support, which is required for the remote presence feature:

v Microsoft Windows

Server®2008

v Microsoft Windows Server 2003

v Red Hat Enterprise Linux

versions 4.0 and 5.0

v SUSE Linux version 10.0

Note: The IMM Web interface does not support the double-byte character set

(DBCS) languages.

Notices used in this book

The following notices are used in the documentation:

v Note: These notices provide important tips, guidance, or advice. v Important: These notices provide information or advice that might help you

avoid inconvenient or problem situations.

v Attention: These notices indicate potential damage to programs, devices, or data.

An attention notice is placed just before the instruction or situation in which damage might occur.

Chapter 1. Introduction 7

8 Integrated Management Module: User Guide

Chapter 2. Opening and using the IMM Web interface

The IMM combines service processor functions, a video controller, and remote presence function (when an optional virtual media key is installed) in a single chip. To access the IMM remotely by using the IMM Web interface, you must first log in. This chapter describes the login procedures and the actions that you can perform from the IMM Web interface.

Accessing the IMM Web interface

The IMM supports both static and Dynamic Host Configuration Protocol (DHCP) IP addressing. The default static IP address assigned to the IMM is 192.168.70.125. The IMM is initially configured to attempt to obtain an address from a DHCP server, and if it cannot, it uses the static IP address.

The IMM provides the choice of using a dedicated systems-management network connection or one that is shared with the server. The default connection for rack-mounted and tower servers is to use the dedicated systems-management network connector.

Setting up the IMM network connection through the Server Firmware Setup Utility

After you start the server, you can use the Setup Utility to select an IMM network connection. The server with the IMM hardware must be connected to a Dynamic Host Configuration Protocol (DHCP) server, or the server network must be configured to use the IMM static IP address.

To set up the IMM network connection through the Setup Utility, complete the following steps:

1. Turn on the server.

Note: Approximately 2 minutes after the server is connected to ac power, the

power-control button becomes active.

The welcome screen is displayed.

2. When the prompt <F1> Setup is displayed, press F1. If you have set both a power-on password and an administrator password, you must type the administrator password to access the full Setup Utility menu.

3. From the Setup Utility main menu, select System Settings.

4. On the next screen, select Integrated Management Module.

5. On the next screen, select Network Configuration.

6. Highlight DHCP Control. There are three IMM network connection choices in

the DHCP Control field:

v Static IP v DHCP Enabled v DHCP with Failover (default)

7. Select one of the network connection choices.

Notes:

a. If you choose to use a static IP address, you must specify the IP address, the

subnet mask, and the default gateway.

b. You can also use the Setup Utility to select a dedicated or shared IMM

network connection. On the Network Configuration screen, select Dedicated or Shared in the Network Interface Port field.

c. To find the locations of the Ethernet connectors on your server that are used

by the IMM, see the documentation that came with your server.

8. Select Save Network Settings.

9. Exit from the Setup Utility.

Notes:

1. You must wait approximately 1 minute for changes to take effect before the server firmware is functional again.

2. You can also configure the IMM network connection through the IMM Web interface. For more information, see “Configuring network interfaces” on page

28.

Logging in to the IMM

Important: The IMM is set initially with a user name of USERID and password of

PASSW0RD (with a zero, not the letter O). This default user setting has

Supervisor access. Change this default password during your initial configuration for enhanced security.

To access the IMM through the IMM Web interface, complete the following steps:

1. Open a Web browser. In the address or URL field, type the IP address or host name of the IMM server to which you want to connect.

2. Type your user name and password in the IMM Login window. If you are using the IMM for the first time, you can obtain your user name and password from your system administrator. All login attempts are documented in the event log. Depending on how your system administrator configured the user ID, you might need to enter a new password.

3. On the Welcome Web page, select a timeout value from the drop-down list in the field that is provided. If your browser is inactive for that number of minutes, the IMM logs you off the Web interface.

Note: Depending on how your system administrator configured the global

4. Click Continue to start the session. The browser opens the System Status page, which gives you a quick view of

the server status and the server health summary. For descriptions of the actions that you can perform from the links in the left

navigation pane of the IMM Web interface, see “IMM action descriptions” on page 11. Then, go to Chapter 3, “Configuring the IMM,” on page 15.

10 Integrated Management Module: User Guide

IMM action descriptions

Table 2 lists the actions that are available when you are logged in to the IMM.

Table 2. IMM actions

Link Action Description

System Status View system health for a server,

view the operating-system-failure screen capture, and view the users who are logged in to the IMM

Easy LED Diagnostics

Event Log View event logs for remote

Vital Product Data View the server vital product data

Power/Restart Remotely turn on or restart a

Remote Control Redirect the server video console

PXE Network Boot Change the host server startup

Firmware Update Update firmware on the IMM Use the options on the Firmware Update page to update

View the name, color, and status of every LED on the server light path

servers

(VPD)

server

and use your computer disk drive or disk image as a drive on the server

(boot) sequence for the next restart to attempt a Preboot Execution Environment (PXE) / Dynamic Host Configuration Protocol (DHCP) network startup

You can monitor the server power and health state, and the temperature, voltage, and fan status of your server on the System Health page. You can also view the image of the last operating-system-failure screen capture and the users who are logged in to the IMM.

The Easy LED Diagnostics page displays the current status of the LEDs on the server.

The Event Log page contains entries that are currently stored in the chassis-event log. The log includes a text description of events that are reported by the BMC, plus information about all remote access attempts and configuration changes. All events in the log are time stamped, using the IMM date and time settings. Some events also generate alerts, if they are configured to do so on the Alerts page. You can sort and filter events in the event log.

The IMM collects server information, server firmware information, and server component VPD. This data is available from the Vital Product Data page.

The IMM provides full remote power control over your server with power-on, power-off, and restart actions. In addition, power-on and restart statistics are captured and displayed to show server hardware availability.

From the Remote Control page, you can start the Remote Control feature. With Remote Control, you can view the server console from your computer, and you can mount one of your computer disk drives, such as the CD-ROM drive or the diskette drive, on the server. You can use your mouse and keyboard to interact with and control the server. When you have mounted a disk, you can use it to restart the server and to update firmware on the server. The mounted disk appears as a USB disk drive that is attached to the server.

If your server firmware and PXE boot agent utility are correctly defined, from the PXE Network Boot page you can change the host server startup (boot) sequence for the next restart to attempt a PXE / DHCP network startup. The host startup sequence will be altered only if the host is not under Privileged Access Protection (PAP). After the next restart occurs, the check box on the PXE Network Boot page will be cleared.

the IMM firmware, server firmware, and DSA firmware.

Chapter 2. Opening and using the IMM Web interface 11

Table 2. IMM actions (continued)

Link Action Description

System Settings View and change the IMM server

settings

Set the IMM clock You can set the IMM clock that is used for time stamping

Enable or disable the USB in-band interface

and global login settings

Alerts Configure remote alerts and

remote alert recipients

Configure Simple Network Management Protocol (SNMP) events

Configure alert settings You can establish global settings that apply to all remote

Serial Port Configure the IMM serial port

settings

Port assignments Change the port numbers of the

IMM protocols

Network Interfaces Configure the network interfaces

of the IMM

Network Protocols Configure the network protocols

of the IMM

Security Configure the Secure Sockets

Layer (SSL)

Enable Secure Shell (SSH) access You can enable SSH access to the IMM.

Configuration File Back up and restore the IMM

configuration

You can configure the server location and general information, such as the name of the IMM, server timeout settings, and contact information for the IMM, from the System Settings page.

the entries in the event log.

You can enable or disable the USB in-band (or LAN over USB) interface.

You can define up to 12 login profiles that enable access to the IMM. You can also define global login settings that apply to all login profiles, including enabling Lightweight Directory Access Protocol (LDAP) server authentication and customizing the account security level.

You can configure the IMM to generate and forward alerts for different events. On the Alerts page, you can configure the alerts that are monitored and the recipients that are notified.

You can set the event categories for which SNMP traps are sent.

alert recipients, such as the number of alert retries and the delay between the retries.

From the Serial Port page, you can configure the serial port baud rate that is used by the serial redirection function. You can also configure the key sequence that is used to switch between the serial redirection and command-line interface (CLI) modes.

From the Port Assignments page, you can view and change the port numbers assigned to the IMM protocols (for example, HTTP, HTTPS, Telnet, and SNMP).

From the Network Interfaces page, you can configure network-access settings for the Ethernet connection on the IMM.

You can configure Simple Network Management Protocol (SNMP), Domain Name System (DNS), and Simple Mail Transfer Protocol (SMTP) settings that are used by the IMM from the Network Protocols page. You can also configure LDAP parameters.

You can enable or disable SSL and manage the SSL certificates that are used. You can also enable or disable whether an SSL connection is used to connect to an LDAP server.

You can back up, modify, and restore the configuration of the IMM, and view a configuration summary, from the Configuration File page.

12 Integrated Management Module: User Guide

Table 2. IMM actions (continued)

Link Action Description

Restore Default Settings

Restart IMM Restart the IMM You can restart the IMM.

Log off Log off the IMM You can log off your connection to the IMM.

Restore the IMM default settings Attention: When you click Restore Defaults, all of the

modifications that you made to the IMM are lost.

You can reset the configuration of the IMM to the factory defaults.

You can click the View Configuration Summary link, which is in the top-right corner on most pages, to quickly view the configuration of the IMM.

Chapter 2. Opening and using the IMM Web interface 13

14 Integrated Management Module: User Guide

Chapter 3. Configuring the IMM

Use the links under IMM Control in the navigation pane to configure the IMM. v From the System Settings page, you can:

– Set server information – Set server timeouts – Set IMM date and time – Enable or disable commands on the USB interface

v From the Login Profiles page, you can:

– Set login profiles to control access to the IMM – Configure global login settings, such as the lockout period after unsuccessful

– Configure the account security level

v From the Alerts page, you can:

– Configure remote alert recipients – Set the number of remote alert attempts – Select the delay between alerts – Select which alerts are sent and how they are forwarded

v From the Serial Port page, you can:

– Configure the baud rate of serial port 2 (COM2) for serial redirection – Specify the keystroke sequence that is used to switch between the serial

redirection and the command-line interface (CLI)

v From the Port Assignments page, you can change the port numbers of IMM

services.

v From the Network Interfaces page, you can set up the Ethernet connection for

the IMM.

v From the Network Protocols page, you can configure:

– SNMP setup – DNS setup – Telnet protocol – SMTP setup – LDAP setup – Service location protocol

v From the Security page, you can install and configure the Secure Sockets Layer

(SSL) settings.

v From the Configuration File page, you can back up, modify, and restore the

configuration of the IMM.

v From the Restore Defaults page, you can reset the IMM configuration to the

factory defaults.

v From the Restart IMM page, you can restart the IMM.

Setting system information

To set the IMM system information, complete the following steps:

1. Log in to the IMM where you want to set the system information. For more information, see Chapter 2, “Opening and using the IMM Web interface,” on page 9.

2. In the navigation pane, click System Settings.

Note: The available fields in the System Settings page are determined by the

accessed remote server.

3. In the Name field in the IMM Information area, type the name of the IMM. Use the Name field to specify a name for the IMM in this server. The name is

included with e-mail and SNMP alert notifications to identify the source of the alert.

Note: Your IMM name (in the Name field) and the IP host name of the IMM

(in the Hostname field on the Network Interfaces page) do not automatically share the same name because the Name field is limited to 16 characters. The Hostname field can contain up to 63 characters. To minimize confusion, set the Name field to the nonqualified portion of the IP host name. The nonqualified IP host name consists of up to the first period of a fully qualified IP host name. For example, for the fully qualified IP host name imm1.us.company.com, the nonqualified IP host name is imm1. For information about your host name, see “Configuring network interfaces” on page 28.

4. In the Contact field, type the contact information. For example, you can specify the name and phone number of the person to contact if there is a problem with this server. You can type a maximum of 47 characters in this field.

5. In the Location field, type the location of the server. Include in this field sufficient detail to quickly locate the server for maintenance or other purposes. You can type a maximum of 47 characters in this field.

6. Scroll to the bottom of the page and click Save.

Setting server timeouts

Note: Server timeouts require that the in-band USB interface (or LAN over USB)

be enabled to allow commands. For more information about the enabling and disabling commands for the USB interface, see “Disabling the USB in-band interface” on page 19. For information regarding the installation of the required device drivers, see “Installing device drivers” on page 71.

To set the server timeout values, complete the following steps:

1. Log in to the IMM where you want to set the server timeouts. For more information, see Chapter 2, “Opening and using the IMM Web interface,” on page 9.

2. In the navigation pane, click System Settings and scroll down to the Server Timeouts area.

You can set the IMM to respond automatically to the following events:

v Halted operating system v Failure to load operating system

3. Enable the server timeouts that correspond to the events that you want the IMM to respond to automatically.

OS watchdog

Use the OS watchdog field to specify the number of minutes between checks of the operating system by the IMM. If the operating system

16 Integrated Management Module: User Guide

fails to respond to one of these checks, the IMM generates an OS timeout alert and restarts the server. After the server is restarted, the OS watchdog is disabled until the operating system is shut down and the server is power cycled.

To set the OS watchdog value, select a time interval from the menu. To turn off this watchdog, select 0.0 from the menu. To capture operating-system-failure screens, you must enable the watchdog in the

OS watchdog field.

Loader watchdog

Use the Loader watchdog field to specify the number of minutes that the IMM waits between the completion of POST and the starting of the operating system. If this interval is exceeded, the IMM generates a loader timeout alert and automatically restarts the server. After the server is restarted, the loader timeout is automatically disabled until the operating system is shut down and the server is power cycled (or until the operating system starts and the software is successfully loaded).

To set the loader timeout value, select the time limit that the IMM waits for the operating-system startup to be completed. To turn off this watchdog, select 0.0 from the menu.

4. Scroll to the bottom of the page and click Save.

Setting the IMM date and time

The IMM uses its own real-time clock to time stamp all events that are logged in the event log.

Note: The IMM date and time setting affects only the IMM clock, not the server

clock. The IMM real-time clock and the server clock are separate, independent clocks and can be set to different times. To synchronize the IMM clock with the server clock, go to the Network Time Protocol area of the page and set the NTP server host name or IP address to the same server host name or IP address that is used to set the server clock. See “Synchronizing clocks in a network” on page 18 for more information.

Alerts that are sent by e-mail and SNMP use the real-time clock setting to time stamp the alerts. The clock settings support Greenwich mean time (GMT) offsets and daylight saving time (DST) for added ease-of-use for administrators who are managing systems remotely over different time zones. You can remotely access the event log even if the server is turned off or disabled.

To verify the date and time settings of the IMM, complete the following steps:

1. Log in to the IMM where you want to set the IMM date and time values. For more information, see Chapter 2, “Opening and using the IMM Web interface,” on page 9.

2. In the navigation pane, click System Settings and scroll down to the IMM Date and Time area, which shows the date and time when the Web page was

generated.

3. To override the date and time settings and to enable daylight saving time (DST) and Greenwich mean time (GMT) offsets, click Set IMM Date and Time.

4. In the Date field, type the numbers of the current month, day, and year.

5. In the Time field, type the numbers that correspond to the current hour,

minutes, and seconds in the applicable entry fields. The hour (hh) must be a

Chapter 3. Configuring the IMM 17

number from 00 - 23 as represented on a 24-hour clock. The minutes (mm) and seconds (ss) must be numbers from 00 - 59.

6. In the GMT offset field, select the number that specifies the offset, in hours, from Greenwich mean time (GMT), corresponding to the time zone where the server is located.

7. Select or clear the Automatically adjust for daylight saving changes check box to specify whether the IMM clock automatically adjusts when the local time changes between standard time and daylight saving time.

8. Click Save.

Synchronizing clocks in a network

The Network Time Protocol (NTP) provides a way to synchronize clocks throughout a computer network, enabling any NTP client to obtain the correct time from an NTP server.

The IMM NTP feature provides a way to synchronize the IMM real-time clock with the time that is provided by an NTP server. You can specify the NTP server that is to be used, specify the frequency with which the IMM is synchronized, enable or disable the NTP feature, and request immediate time synchronization.

The NTP feature does not provide the extended security and authentication that are provided through encryption algorithms in NTP Version 3 and NTP Version 4. The IMM NTP feature supports only the Simple Network Time Protocol (SNTP) without authentication.

To set up the IMM NTP feature settings, complete the following steps:

1. Log in to the IMM on which you want to synchronize the clocks in the network. For more information, see Chapter 2, “Opening and using the IMM Web interface,” on page 9.

2. In the navigation pane, click System Settings and scroll down to the IMM Date and Time area.

3. Click Set IMM Date and Time.

4. Under Network Time Protocol (NTP), you can select from the following

settings:

NTP auto-synchronization service

Use this selection to enable or disable automatic synchronization of the IMM clock with an NTP server.

NTP server host name or IP address

Use this field to specify the name of the NTP server to be used for clock synchronization.

NTP update frequency

Use this field to specify the approximate interval (in minutes) between synchronization requests. Enter a value between 3 - 1440 minutes.

Synchronize Clock Now

Click this button to request an immediate synchronization instead of waiting for the interval time to lapse.

5. Click Save.

18 Integrated Management Module: User Guide

Disabling the USB in-band interface

Important: If you disable the USB in-band interface, you cannot perform an

in-band update of the IMM firmware, server firmware, and DSA firmware by using the Linux or Windows flash utilities. If the USB in-band interface is disabled, use the Firmware Update option on the IMM Web interface to update the firmware. For more information, see “Updating firmware” on page 67.

If you disable the USB in-band interface, also disable the watchdog timeouts to prevent the server from restarting unexpectedly. For more information, see “Setting server timeouts” on page 16.

The USB in-band interface, or LAN over USB, is used for in-band communications to the IMM. To prevent any application that is running on the server from requesting the IMM to perform tasks, you must disable the USB in-band interface. For more information about LAN over USB, see Chapter 6, “LAN over USB,” on page 71.

To disable the USB in-band interface, complete the following steps:

1. Log in to the IMM on which you want to disable the USB device driver interface. For more information, see Chapter 2, “Opening and using the IMM Web interface,” on page 9.

2. In the navigation pane, click System Settings and scroll down to the Miscellaneous area.

3. Select the Do not allow commands on USB interface check box to disable the USB in-band interface. Selecting this option does not affect the USB remote presence functions (for example, keyboard, mouse, and mass storage). When you disable the USB in-band interface, the in-band systems-management applications such as the Advanced Settings Utility (ASU) and firmware update package utilities might not work.

Note: The ASU works with a disabled USB in-band interface if an IPMI device

driver is installed. If you try to use systems-management applications while the in-band interface is disabled, they might not work.

4. Click Save.

To enable the USB device driver interface after it has been disabled, clear the Do

not allow commands on USB interface check box and click Save.

Notes:

1. The USB in-band interface is also called "LAN over USB" and is described in more detail in Chapter 6, “LAN over USB,” on page 71.

2. When you attempt a network installation of some Linux distributions, the installation might fail if the IMM USB in-band interface is enabled. For more information, see http://rhn.redhat.com/errata/RHBA-2009-0127.html.

3. If you are performing a network installation that does not contain the update on the Red Hat Web site described in the preceding note 2, you must disable the USB in-band interface before you perform the installation and enable it after the installation is complete.

4. For information about the configuration of the LAN over USB interface, see “Configuring the LAN over USB interface manually” on page 71.

Chapter 3. Configuring the IMM 19

Creating a login profile

Use the Login Profiles table to view, configure, or change individual login profiles. Use the links in the Login ID column to configure individual login profiles. You can define up to 12 unique profiles. Each link in the Login ID column is labeled with the configured login ID of the associated profile.

Certain login profiles are shared with the IPMI user IDs, providing a single set of local user accounts (username/password) that work with all of the IMM user interfaces, including IPMI. Rules that pertain to these shared login profiles are described in the following list:

v IPMI user ID 1 is always the null user. v IPMI user ID 2 maps to login ID 1, IPMI user ID 3 maps to login ID 2, and so

on.

v The IMM default user is set to USERID and PASSW0RD (with a zero, not the letter

O) for IPMI user ID 2 and login ID 1.

For example, if a user is added through IPMI commands, that user information is also available for authentication through the Web, Telnet, SSH, and other interfaces. Conversely, if a user is added on the Web or other interfaces, that user information is available for starting an IPMI session.

Because the user accounts are shared with IPMI, certain restrictions are imposed to provide a common ground between the interfaces that use these accounts. The following list describes IMM and IPMI login profile restrictions:

v IPMI allows a maximum of 64 user IDs. The IMM IPMI implementation allows

only 12 user accounts.

v IPMI allows anonymous logins (null user name and null password), but the

IMM does not.

v IPMI allows multiple user IDs with the same user names, but the IMM does not. v IPMI requests to change the user name from the current name to the same

current name return an invalid parameter completion code because the requested user name is already in use.

v The maximum IPMI password length for the IMM is 16 bytes. v The following words are restricted and are not available for use as local IMM

user names: – immroot – nobody – ldap – lighttpd – sshd – daemon – immftp

To configure a login profile, complete the following steps:

1. Log in to the IMM where you want to create a login profile. For more information, see Chapter 2, “Opening and using the IMM Web interface,” on page 9.

2. In the navigation pane, click Login Profiles.

20 Integrated Management Module: User Guide

Note: If you have not configured a profile, it does not appear in the Login

Profiles table. The Login Profiles page displays each login ID, the login access level, and the password expiration information.

Important: By default, the IMM is configured with one login profile that

enables remote access using a login user ID of USERID and a password of PASSW0RD (the 0 is a zero, not the letter O). To avoid a potential security exposure, change this default login profile during the initial setup of the IMM.

3. Click Add User. An individual profile is displayed.

4. In the Login ID field, type the name of the profile.

You can type a maximum of 16 characters in the Login ID field. Valid characters are uppercase and lowercase letters, numbers, periods, and underscores.

Note: This login ID is used to grant remote access to the IMM.

5. In the Password field, assign a password to the login ID. A password must contain a minimum of five characters, one of which must be

a nonalphabetic character. Null or empty passwords are accepted.

Note: This password is used with the login ID to grant remote access to the

IMM.

6. In the Confirm password field, type the password again.

7. In the Authority Level area, select one of the following options to set the access

rights for this login ID:

Supervisor

The user has no restrictions.

Read Only

The user has read-only access only and cannot perform actions such as file transfers, power and restart actions, or remote presence functions.

Custom

If you select the Custom option, you must select one or more of the following custom authority levels:

v User Account Management: A user can add, modify, or delete users

v Remote Console Access: A user can access the remote console. v Remote Console and Virtual Media Access: A user can access both

v Remote Server Power/Restart Access: A user can access the

v Ability to Clear Event Logs: A user can clear the event logs.

v Adapter Configuration - Basic: A user can modify configuration

v Adapter Configuration - Networking & Security: A user can modify

and change the global login settings in the Login Profiles page.

the remote console and the virtual media feature.

power-on and restart functions for the remote server. These functions are available in the Power/Restart page.

Everyone can look at the event logs, but this particular permission is required to clear the logs.

parameters in the System Settings and Alerts pages.

configuration parameters in the Security, Network Protocols, Network Interface, Port Assignments, and Serial Port pages.

Chapter 3. Configuring the IMM 21

v Adapter Configuration - Advanced: A user has no restrictions when

configuring the IMM. In addition, the user is said to have administrative access to the IMM, meaning that the user can also perform the following advanced functions: firmware updates, PXE network boot, restore IMM factory defaults, modify and restore IMM configuration from a configuration file, and restart and reset the IMM.

When a user sets the authority level of an IMM login ID, the resulting IPMI privilege level of the corresponding IPMI User ID is set according to these priorities:

v If the user sets the IMM login ID authority level to Supervisor, the

IPMI privilege level is set to Administrator.

v If the user sets the IMM login ID authority level to Read Only, the

IPMI privilege level is set to User.

v If the user sets the IMM login ID authority level to have any of the

following types of access, the IPMI privilege level is set to Administrator:

– User Account Management Access – Remote Console Access – Remote Console and Remote Disk Access – Adapter Configuration - Networking & Security – Adapter Configuration - Advanced

v If the user sets the IMM login ID authority level to have Remote

Server Power/Restart Access or Ability to Clear Event Logs, the IPMI privilege level is set to Operator.

v If the user sets the IMM login ID authority level to have Adapter

Configuration (Basic), the IPMI privilege level is set to User.

Note: To return the login profiles to the factory defaults, click Clear

8. In the Configure SNMPv3 User area, select the check box if the user should have access to the IMM by using the SNMPv3 protocol. After you click the check box, the configuration settings for SNMPv3 appear. Use following fields to configure the SNMPv3 settings for the user profile:

Authentication Protocol

Use this field to specify either HMAC-MD5 or HMAC-SHA as the authentication protocol. These are hash algorithms used by the SNMPv3 security model for the authentication. The password for the Linux account will be used for authentication. If you choose None, authentication protocol is not used.

Privacy Protocol

Data transfer between the SNMP client and the agent can be protected using encryption. The supported methods are DES and AES. Privacy protocol is valid only if the authentication protocol is set to either

HMAC-MD5 or HMAC-SHA.

Privacy Password

Use this field to specify the encryption password.

Confirm Privacy Password

Use this field to confirm the encryption password.

22 Integrated Management Module: User Guide

Access Type

Hostname/IP address for traps

9. Click Save to save your login ID settings.

Deleting a login profile

To delete a login profile, complete the following steps:

1. Log in to the IMM for which you want to create a login profile. For more information, see Chapter 2, “Opening and using the IMM Web interface,” on page 9.

2. In the navigation pane, click Login Profiles. The Login Profiles page displays each login ID, the login access level, and the password expiration information.

3. Click the login profile that you want to delete. The Login Profile page for that user is displayed

4. Click Clear Login Profile.

Use this field to specify either Get or Set as the access type. SNMPv3 users with the access type Get can perform only query operations. With the access type Set, SNMPv3 users can both perform query operations and modify settings (for example, setting the password for an user).

Use this field to specify the trap destination for the user. This can be an IP address or hostname. Using traps, the SNMP agent notifies the management station about events (for example, when a processor temperature exceeds the limit).

Configuring the global login settings

Complete the following steps to set conditions that apply to all login profiles for the IMM:

1. Log in to the IMM for which you want to set the global login settings. For more information, see Chapter 2, “Opening and using the IMM Web interface,” on page 9.

2. In the navigation pane, click Login Profiles.

3. Scroll down to the Global Login Settings area.

4. In the User authentication method field, specify how users who are attempting

to log in are authenticated. Select one of the following authentication methods: v Local only: Users are authenticated by a search of a table that is local to the

IMM. If there is no match on the user ID and password, access is denied. Users who are successfully authenticated are assigned the authority level that is configured in “Creating a login profile” on page 20.

v LDAP only: The IMM attempts to authenticate the user by using the LDAP

server. Local user tables on the IMM are never searched with this authentication method.

v Local first, then LDAP: Local authentication is attempted first. If local

authentication fails, LDAP authentication is attempted.

v LDAP first, then Local: LDAP authentication is attempted first. If LDAP

authentication fails, local authentication is attempted.

Notes:

a. Only locally administered accounts are shared with the IPMI interface

because IPMI does not support LDAP authentication.

b. Even if the User authentication method field is set to LDAP only, users can

Chapter 3. Configuring the IMM 23

5. In the Lockout period after 5 login failures field, specify how long, in minutes, the IMM prohibits remote login attempts if more than five sequential failures to log in remotely are detected. The lockout of one user does not prevent other users from logging in.

6. In the Web inactivity session timeout field, specify how long, in minutes, the IMM waits before it disconnects an inactive Web session. Select No timeout to disable this feature. Select User picks timeout if the user will select the timeout period during the login process.

7. (Optional) In the Account security level area, select a password security level. The Legacy security settings and High security settings set the default values as indicated in the requirement list.

8. To customize the security setting, select Custom security settings to view and change the account security management configuration.

User login password required

Use this field to indicate whether a login ID with no password is allowed.

Number of previous passwords that cannot be used

Use this field to indicate the number of previous passwords that cannot be reused. Up to five previous passwords can be compared. Select 0 to allow the reuse of all previous passwords.

Maximum Password Age

Use this field to indicate the maximum password age that is allowed before the password must be changed. Values of 0 - 365 days are supported. Select 0 to disable the password expiration checking.

9. Click Save.

Configuring remote alert settings

You can configure remote alert recipients, the number of alert attempts, incidents that trigger remote alerts, and local alerts from the Alerts link on the navigation pane.

After you configure a remote alert recipient, the IMM sends an alert to that recipient through a network connection when any event selected from the Monitored Alerts group occurs. The alert contains information about the nature of the event, the time and date of the event, and the name of the system that generated the alert.

Note: If the SNMP Agent or SNMP Traps fields are not set to Enabled, no SNMP

traps are sent. For information about these fields, see “Configuring SNMP” on page 31.

Configuring remote alert recipients

You can define up to 12 unique remote alert recipients. Each link for an alert recipient is labeled with the recipient name and alert status.

Note: If you have not configured an alert recipient profile, the profile does not

appear in the remote alert recipients list.

To configure a remote alert recipient, complete the following steps:

1. Log in to the IMM for which you want to configure remote alert settings. For more information, see Chapter 2, “Opening and using the IMM Web interface,” on page 9.

24 Integrated Management Module: User Guide

+ 90 hidden pages

Lenovo TD200 User Manual

Contents

Chapter 1. Introduction

IMM features

Upgrading from IMM Standard to IMM Premium

Comparing the IMM to other systems-management hardware in ThinkServer servers

Web browser and operating-system requirements

Notices used in this book

Chapter 2. Opening and using the IMM Web interface

Accessing the IMM Web interface

Setting up the IMM network connection through the Server Firmware Setup Utility

Logging in to the IMM

IMM action descriptions

Chapter 3. Configuring the IMM

Setting system information

Setting server timeouts

Setting the IMM date and time

Synchronizing clocks in a network

Disabling the USB in-band interface

Creating a login profile

Deleting a login profile

Configuring the global login settings

Configuring remote alert settings

Configuring remote alert recipients