Copyright 2008-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved.
FUJITSU LIMITED provided technical input and review on portions of this material.
Contents
Preface
1. Introduction to Server Software and Configuration
XSCF Firmware
Solaris OS Software
Software Services
Preparing for System Configuration
Information Needed
Initial Configuration Tasks
Related Information
2. Access Control
About Access Control
Logging in to the System
Lockout Period Between Login Attempts
XSCF User Accounts
XSCF Passwords
Privileges
XSCF Firmware Update
Saving and Restoring XSCF Configuration Information
XSCF Shell Procedures for Access Control
▼ To Log in Initially to the XSCF Console
▼ To Configure an XSCF Password Policy
▼ To Add an XSCF User Account
▼ To Create a Password for an XSCF User
▼ To Assign Privileges to an XSCF User
▼ To Display the Version of Installed Firmware
Related Information
3. System Configuration
About System Services
DSCP Network Between a Service Processor and a Domain
XSCF Network Interfaces
Domain Name Service
LDAP Service
Time Synchronization and NTP Service
SNMP Service
Additional Services
HTTPS Service
Telnet Service
SMTP Service
SSH Service
Altitude Setting
XSCF Shell Procedures for System Configuration
▼ To Configure the DSCP Network
▼ To Display DSCP Network Configuration
▼ To Configure the XSCF Network Interfaces
▼ To Configure the XSCF Network Route Information
▼ To Set Or Reset the XSCF Network
SPARC Enterprise Mx000 Servers Administration Guide • August 2009
▼ To Display XSCF Network Configuration
▼ To Set the Service Processor Host Name and DNS Domain Name
▼ To Set the Service Processor’s DNS Name Server
▼ To Enable or Disable Use of an LDAP Server for Authentication and Privilege Lookup
▼ To Configure the XSCF as an LDAP Client
▼ To Configure the XSCF as an NTP Client
▼ To Configure the XSCF as an NTP Server
▼ To Display the NTP Configuration
▼ To Set the Timezone, Daylight Saving Time, Date, and Time Locally on the Service Processor
▼ To Create a USM User Known to the SNMP Agent
▼ To Display USM Information for the SNMP Agent
▼ To Create a VACM Group
▼ To Create a VACM View
▼ To Give a VACM Group Access to a VACM View
▼ To Display VACM Information for the SNMP Agent
▼ To Configure the SNMP Agent to Send Version 3 Traps to Hosts
▼ To Enable the SNMP Agent
▼ To Display SNMP Agent Configuration
▼ To Enable or Disable the Service Processor HTTPS Service
▼ To Enable or Disable the Service Processor Telnet Service
▼ To Configure the Service Processor SMTP Service
▼ To Enable or Disable the Service Processor SSH Service
▼ To Generate a Host Public Key for SSH Service
▼ To Set the Altitude on the Service Processor
Related Information
4. Domain Configuration
About Domains
Domains and System Boards
SPARC64 VI and SPARC64 VII Processors and CPU Operational Modes
CPU Operational Modes
Domain Resource Assignment
Domain Component List and Logical System Boards
Overview of Steps for Domain Configuration
Domain Configuration Example
Domain Communication
DSCP Network
Accessing a Domain Console From the Service Processor
Logging in Directly to a Domain
CD-RW/DVD-RW Drive or Tape Drive Assignment
Backup and Restore Operations
Dynamic Reconfiguration
XSCF Shell Procedures for Domain Configuration
▼ To Set CPU Operational Mode
▼ To Specify XSB Mode on a Midrange or High-End Server
▼ To Set Up a Domain Component List for a Midrange or High-End Server Domain
▼ To Assign an XSB to a Midrange or High-End Server Domain
▼ To Power On a Domain
▼ To Display System Board Status
▼ To Access a Domain From the XSCF Console
▼ To Attach a CD-RW/DVD-RW Drive or Tape Drive While the Solaris OS Is Running on a High-End Server
▼ To Disconnect a CD-RW/DVD-RW Drive or Tape Drive While the Solaris OS Is Running on a High-End Server
Related Information
5. Audit Configuration
About Auditing
Audit Records
Audit Events
Audit Classes
Audit Policy
Audit File Tools
XSCF Shell Procedures for Auditing
▼ To Enable or Disable Writing of Audit Records to the Audit Trail
▼ To Configure an Auditing Policy
▼ To Display Whether Auditing is Enabled Or Disabled
▼ To Display Current Auditing Policy, Classes, or Events
Related Information
6. Log Archiving Facility
About Log Archiving
Using the Log Archiving Facility
Archive Host Requirements
Log Archiving Errors
Using the snapshot Tool
Solaris OS Procedures for Log Archiving
▼ To Configure the Log Archive Host
XSCF Shell Procedures for Log Archiving
▼ To Enable Log Archiving
▼ To Disable Log Archiving
▼ To Display Log Archiving Configuration and Status
▼ To Display Log Archiving Error Details
Related Information
7. Capacity on Demand
About Capacity on Demand
COD Boards
COD License Purchase
License Installation
License Allocation
Headroom Management
License Violations
XSCF Shell Procedures for Using COD
▼ To Install a COD License
▼ To Delete a COD License
▼ To Reserve Licenses for Allocation
▼ To Increase or Decrease Headroom
▼ To Disable Headroom
▼ To Display COD Information
▼ To Display COD License Status
▼ To Display Usage Statistics for COD Resources
Related Information
A. Mapping Device Path Names
Device Mapping and Logical System Board Numbers
CPU Mapping
CPU Numbering Examples
I/O Device Mapping
I/O Device Mapping on Entry-Level Servers
Internal Devices on Entry-Level Servers
I/O Device Mapping on Midrange Servers
Internal Devices on Midrange Servers
I/O Device Mapping on High-End Servers
Internal Devices on High-End Servers
Sample cfgadm Output
Entry-Level Server
Midrange Servers
High-End Servers
Index
Preface
This manual contains initial system configuration instructions for system
administrators of the Sun SPARC Enterprise M3000/M4000/M5000/M8000/M9000
servers. It is written for experienced system administrators with working knowledge
of computer networks, and advanced knowledge of the Solaris Operating System.
This manual documents entry-level (M3000), midrange (M4000 and M5000) and
high-end (M8000 and M9000) servers.
Related Documentation
Related documents include:
Application | Title
Product Notes | Sun SPARC Enterprise™ M3000 Server Product Notes
Service | Sun SPARC Enterprise M3000 Server Service Manual
Service | Sun SPARC Enterprise M4000/M5000 Servers Service Manual
Service | Sun SPARC Enterprise M8000/M9000 Servers Service Manual
Glossary |
Software Administration | Sun SPARC Enterprise M3000/M4000/M5000/M8000/M9000 Servers XSCF User’s Guide
Software Administration | Sun SPARC Enterprise M3000/M4000/M5000/M8000/M9000 Servers XSCF Reference Manual
Software Administration | Sun SPARC Enterprise M4000/M5000/M8000/M9000 Servers Dynamic Reconfiguration (DR) User’s Guide
Capacity on Demand Administration | Sun SPARC Enterprise M4000/M5000/M8000/M9000 Servers Capacity on Demand (COD) User’s Guide
You can find these related documents, as well as the Solaris™ Operating System
documentation collection, at:
http://www.docs.sun.com
Documentation, Support, and Training
Sun Function | URL
Documentation | http://docs.sun.com
Support | http://www.sun.com/support/
Training | http://www.sun.com/training/
Third-Party Web Sites
Sun is not responsible for the availability of third-party web sites mentioned in this
document. Sun does not endorse and is not responsible or liable for any content,
advertising, products, or other materials that are available on or through such sites or
resources. Sun will not be responsible or liable for any actual or alleged damage or
loss caused by or in connection with the use of or reliance on any such content,
goods, or services that are available on or through such sites or resources.
Sun Welcomes Your Comments
Sun is interested in improving its documentation and welcomes your comments and
suggestions. You can submit your comments by going to:
http://www.sun.com/hwdocs/feedback
Please include the title and part number of your document with your feedback:
Sun SPARC Enterprise M3000/M4000/M5000/M8000/M9000 Servers Administration Guide,
part number 819-3601-16.
CHAPTER 1
Introduction to Server Software and Configuration
This manual describes initial system configuration of the SPARC Enterprise
M3000/M4000/M5000/M8000/M9000 servers. This product line has entry-level
(M3000), midrange (M4000 and M5000) and high-end (M8000 and M9000) servers.
Note – The midrange and high-end servers support the following features, while
the entry-level server does not: Dynamic Reconfiguration (DR), multiple domains,
PCI hotplug, Capacity on Demand (COD), and the optional External I/O Expansion
Unit.
Once you have completed the initial configuration processes described here, see the
SPARC Enterprise M3000/M4000/M5000/M8000/M9000 Servers XSCF User’s Guide for
day-to-day system administration and management tasks.
This chapter provides an overview of server firmware, server software, and initial
system configuration. It has these sections:
■ XSCF Firmware
■ Solaris OS Software
■ Software Services
■ Preparing for System Configuration
■ Related Information
XSCF Firmware
Your server provides system management capabilities through eXtended System
Controller Facility (XSCF) firmware, pre-installed at the factory on the Service
Processor¹ boards.
The XSCF firmware consists of system management applications and two user
interfaces to configure and control them:
■ XSCF Web, a browser-based graphical user interface
■ XSCF Shell, a terminal-based command-line interface
You can access the XSCF firmware by logging in to the XSCF command shell. This
document includes instructions for using the XSCF interface as part of the initial
system configuration. For more information about the XSCF firmware, see Chapter 2,
and the SPARC Enterprise M3000/M4000/M5000/M8000/M9000 Servers XSCF User’s Guide.
XSCF firmware, OpenBoot™ PROM firmware, and power-on self-test (POST)
firmware are known collectively as the XSCF Control Package (XCP).
XSCF firmware has two networks for internal communication. The Domain to
Service Processor Communications Protocol (DSCP) network provides an internal
communication link between the Service Processor and the Solaris™ domains. The
Inter-SCF Network (ISN) provides an internal communication link between the two
Service Processors in a high-end server.
On a high-end server with two Service Processors, one Service Processor is
configured as active and the other is configured as standby. This redundancy of two
Service Processors allows them to exchange system management information and, in
case of failover, to change roles. All configuration information on the active Service
Processor is available to the standby Service Processor.
Solaris OS Software
The Solaris OS is pre-installed at the factory on one domain by default. Within its
domain, the Solaris OS includes features to manage Solaris OS system capabilities.
1. The Service Processor is sometimes referred to as the XSCF Unit, or XSCFU.
Note – The XSCF firmware requires that all domains have the SUNWsckmr and
SUNWsckmu.u packages. Since the Core System, Reduced Network, and Minimal
System versions of the Solaris OS do not automatically install these packages, you
must do so on any such domains that do not already have them.
You can install applications on the domains. That process is managed through the
Solaris OS tools. Likewise, any other software management applications that you
prefer to use on the domains must be installed through the Solaris OS tools.
The DSCP network provides an internal communication link between the Service
Processor and the Solaris domains.
Software Services
TABLE 1-1 contains an overview of XSCF firmware services and networks that are
part of your server, and where they are documented.
TABLE 1-1 Software Services
Service | Description
Access control | Access control includes logging in to the system, user accounts, passwords, privileges, and XSCF firmware control. See Chapter 2.
Initial system configuration | Initial configuration of the services for the Service Processor and the domains, including DSCP network, XSCF network, DNS name service, LDAP service, NTP service, HTTPS service, Telnet service, SSH service, SNMP service, and SMTP service. See Chapter 3.
Domain configuration | Each domain runs its own copy of the Solaris OS. Domains are managed by the Service Processor XSCF firmware, and communicate with the Service Processor over the DSCP network. You can access a domain console from the Service Processor or, if your system is networked, log in to a domain directly. See Chapter 4.
Auditing | The auditing function logs all security-related events. See Chapter 5.
Log archiving | The log archiving function allows you to set up a remote host to automatically receive and store log data from your server. See Chapter 6.
Capacity on demand (COD) | Capacity on Demand is an option that allows you to purchase spare processing capacity for your midrange or high-end (but not entry-level) server. The spare capacity is provided in the form of one or more CPUs on COD boards that are installed on your server. To use the CPU processing capacity, you must purchase a license. The XSCF firmware allows you to set up and manage COD. See Chapter 7.
Security | Security is provided through access control (user names, passwords, privileges), audit logs of security-related events, and various security protocols. Your server is secure by default. That is, other than setting up user accounts and privileges, no initial configuration has to be done related to security. For example, no insecure protocols, such as Telnet, are initially enabled. See Chapter 2 and Chapter 5.
Fault management | No initial configuration is needed. • Domain fault management includes CPU, memory, and I/O (PCI/PCIe) nonfatal errors. All nonfatal errors are reported to the Solaris OS, which will attempt to take faulty CPUs offline or to retire faulty memory pages. Fatal errors are generally handled by the Service Processor. • Service Processor fault management includes fatal CPU, memory, and I/O errors (the Service Processor will exclude the faulty components upon reboot), as well as environmental monitoring (power supplies, fan speeds, temperatures, currents) and the External I/O Expansion Unit. See the Solaris OS documentation collection at http://docs.sun.com
Hot-replacement operations | No initial configuration is needed. PCI cards can be removed and inserted while your midrange or high-end (but not entry-level) server continues to operate. The Solaris OS cfgadm command is used to unconfigure and disconnect a PCI card. See the Service Manual, and the Solaris OS documentation collection at http://docs.sun.com
External I/O Expansion Unit management | No initial configuration is needed. The External I/O Expansion Unit on midrange and high-end (but not entry-level) servers is a rack mountable PCI card chassis. See the External I/O Expansion Unit Installation and Service Manual.
Preparing for System Configuration
This section lists the information needed for initial system configuration and the
initial configuration tasks.
Information Needed
Before you configure the software, have the following available:
■ Access to the Service Processor with the appropriate privileges for your tasks.
More information about access is contained in Chapter 2.
■ An unused range of IP addresses for the internal DSCP network between the
Service Processor and the domains.
■ Network configuration information for the Service Processor, including IP
addresses, netmask, DNS server, default route, NFS server.
■ The number of domains in your system. By default, there is one domain and its
domain number is 0 (zero). The number of domains could be different from the
default on midrange or high-end (but not entry-level) servers if you specified
another number of domains when you ordered your system.
■ Firmware version information if you are upgrading the XSCF firmware.
■ Information for optional services that you are going to use, such as Lightweight
Directory Access Protocol (LDAP) information for authentication.
Initial Configuration Tasks
Initial configuration requires these tasks:
1. Logging in to the Service Processor with the default log-in name over a serial
connection. You must have physical access to the system.
2. Adding at least one user account with a minimum of one privilege, useradm.
This user with useradm privileges can then create the rest of the user accounts.
3. Configuring the DSCP network.
4. Configuring the XSCF network.
5. Setting the Service Processor time. The Service Processor can be an NTP client, or
an NTP client and NTP server for the domains.
6. Configuring or enabling any optional services you want to use immediately.
These services include Telnet, SNMP, SMTP, LDAP, NTP, HTTPS, DNS, SSH,
domains, log archiving, and COD. COD is not supported on the M3000 server.
Related Information
For additional information on this chapter’s topics, see:
Resource | Information
man pages (see the Note following this table) | fmdump(8), fmadm(8), fmstat(8), version(8),
Service Manual | Hot-replacement operations, fault management
External I/O Expansion Unit Installation and Service Manual | PCI card chassis
 | System configuration and administration
 | Solaris OS, including fault management.
Note – man pages available on the Service Processor are followed by (8), for
example, version(8); they are also available in the SPARC Enterprise
M3000/M4000/M5000/M8000/M9000 Servers XSCF Reference Manual. Solaris OS man
pages available on the domains are followed by (1M), for example, cfgadm(1M).
CHAPTER 2
Access Control
Access control is a way of granting access to the system functions or components
only to those users who have been authenticated by the system and who have
appropriate privileges. Access control depends on the proper configuration of the
general security services provided by the server.
This chapter contains these sections:
■ About Access Control
■ XSCF Shell Procedures for Access Control
■ Related Information
About Access Control
The Service Processor is an appliance. In an appliance model, users or management
agents can access the Service Processor and its components only through authorized
user interfaces. Users and agents cannot access any of the underlying operating
system interfaces, and users cannot install individual software components on the
Service Processor.
These sections provide details on access control:
■ Logging in to the System
■ XSCF User Accounts
■ XSCF Passwords
■ Privileges
■ XSCF Firmware Update
Logging in to the System
There are two entities that can be logged in to on the system, a Service Processor and
a Solaris domain.
You initially log in to the Service Processor using a serial connection from a terminal
device. A terminal device can be an ASCII terminal, a workstation, or a PC. For
details on serial port connections, see the Installation Guide for your server or the
SPARC Enterprise M3000/M4000/M5000/M8000/M9000 Servers XSCF User’s Guide.
A unique login account with the user name of default exists on the Service
Processor. This account is unique in the following ways:
■ It can never be logged in to using the standard UNIX user name and password
authentication or SSH public key authentication.
■ It can only be logged in to using a procedure that requires physical access to the
system.
■ Its privileges are fixed to be useradm and platadm; you cannot change these
privileges.
■ It cannot be deleted, it has no password, and no password can be set for it.
After initial configuration, you can log in to the Service Processor using a serial
connection or an Ethernet connection. You can redirect the XSCF console to a domain
and get a Solaris console. You can also log in to a domain directly using an Ethernet
connection to access the Solaris OS.
When a user logs in, the user establishes a session. Authentication and user
privileges are valid only for that session. When the user logs out, that session ends.
To log back in, the user must be authenticated once again, and will have the
privileges in effect during the new session. See “Privileges” on page 10 for
information on privileges.
Lockout Period Between Login Attempts
After multiple XSCF login failures, no further login attempts are allowed for a
certain amount of time. To set the lockout period, use the setloginlockout(8)
command. To view the lockout period, use the showloginlockout(8) command.
For more information, see the setloginlockout(8) and showloginlockout(8)
man pages.
Note – The ability to specify and view the lockout period was added in a recent
XCP update. Please see the Product Notes for the firmware release running on your
server (no earlier than the XCP 1080 release) for possible restrictions.
8 SPARC Enterprise Mx000 Servers Administration Guide • August 2009
XSCF User Accounts
A user account is a record of an individual user that can be verified through a user
name and password.
When you initially log in to the system, add at least one user account with a
minimum of one privilege, useradm. This user with useradm privileges can then
create the rest of the user accounts. For a secure login method, enable SSH service.
See “To Enable or Disable the Service Processor SSH Service” on page 45 and “To
Generate a Host Public Key for SSH Service” on page 46 for more information.
Note – You cannot use the following user account names, as they are reserved for
system use: root, bin, daemon, adm, operator, nobody, sshd, rpc, rpcuser, ldap,
apache, ntp, admin, and default.
XSCF supports multiple user accounts for log in to the Service Processor. The user
accounts are assigned privileges; each privilege allows the user to execute certain
XSCF commands. By specifying privileges for each user, you can control which
operations each XSCF user is allowed to perform. On its own, a user account has no
privileges. To obtain permission to run XSCF commands and access system
components, a user must have privileges.
You can set up the Service Processor to use an LDAP server for authentication
instead. To use LDAP, the Service Processor must be set up as an LDAP client. For
information about setting up the Service Processor to use the LDAP service, see
“LDAP Service” on page 23. If you are using an LDAP server for authentication, the
user name must not be in use, either locally or in LDAP.
XSCF Passwords
User passwords are authenticated locally by default unless you are using an LDAP
server for authentication.
Site-wide policies, such as password nomenclature or expiration dates, make
passwords more difficult to guess. You can configure a password policy for the
system using the setpasswordpolicy command. The setpasswordpolicy
command describes the default values for a password policy.
If you have lost password access to your system, use the procedure “To Log in
Initially to the XSCF Console” on page 12.
Chapter 2 Access Control 9
Privileges
Privileges allow a user to perform a specific set of actions on a specific set of
components. Those components can be physical components, domains, or physical
components within a domain.
The system provides the predefined privileges shown in TABLE 2-1. These are the
only privileges allowed in the server. You cannot define additional privileges.
TABLE 2-1 User Privileges
Privilege | Capabilities
none | None. When the local privilege for a user is set to none, that user has no privileges, even if privileges for that user are defined in LDAP. Setting a user’s local privilege to none prevents the user’s privileges from being looked up in LDAP.
useradm | Can create, delete, disable, and enable user accounts. Can change a user’s password and password properties. Can change a user’s privileges. Can view all platform states.
platadm | Can perform all Service Processor configuration other than the useradm and auditadm tasks. Can assign and unassign hardware to or from domains. Can perform domain and Service Processor power operations. Can perform Service Processor failover operations on systems with more than one Service Processor. Can perform all operations on domain hardware. Can view all platform states.
platop | Can view all platform states.
domainadm | Can perform all operations on hardware assigned to the domain(s) on which this privilege is held. Can perform all operations on the domain(s) on which this privilege is held. Can view all states of the hardware assigned to the domain(s) on which this privilege is held. Can view all states of the domain(s) on which this privilege is held.
domainmgr | Can perform domain power operations. Can view all states of the hardware assigned to the domain(s) on which this privilege is held. Can view all states of the domain(s) on which this privilege is held.
domainop | Can view all states of the hardware assigned to the domain(s) on which this privilege is held. Can view all states of the domain(s) on which this privilege is held.
auditadm | Can configure auditing. Can delete audit trail.
auditop | Can view all audit states and the audit trail.
fieldeng | Can perform all operations reserved for field engineers.
The domainadm, domainmgr, and domainop privileges must include the domain
number, numbers, or range of numbers to associate with a particular user account.
A user can have multiple privileges, and a user can have privileges on multiple
domains.
User privileges are authenticated locally by default. You can set up the Service
Processor to use an LDAP server for authentication instead. For information about
setting up the Service Processor to use the LDAP service, see “LDAP Service” on
page 23.
If no privileges are specified for a user, no local privilege data will exist for that user;
however, the user’s privileges can be looked up in LDAP, if LDAP is being used. If a
user’s privileges are set to none, that user does not have any privileges, regardless
of privilege data in LDAP.
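The rules in this section (domain-scoped privileges carry domain numbers, a local none overrides LDAP, and LDAP is consulted only when no local privilege data exists) can be modeled when reviewing an account plan. The Python sketch below is an added example, not XSCF or vendor code; the privilege@domains notation, the function names, and the sample accounts are assumptions made for illustration.

```python
# Added example, not vendor code; "name@domains" notation and sample data are assumed.
GLOBAL_PRIVS = {"none", "useradm", "platadm", "platop",
                "auditadm", "auditop", "fieldeng"}
DOMAIN_PRIVS = {"domainadm", "domainmgr", "domainop"}

def parse_privilege(spec):
    """Split 'name' or 'name@1,3-5' into (name, frozenset of domain IDs)."""
    name, _, domains = spec.partition("@")
    if name in GLOBAL_PRIVS:
        if domains:
            raise ValueError(f"{name} is not domain-scoped")
        return name, frozenset()
    if name not in DOMAIN_PRIVS:
        raise ValueError(f"{name!r} is not a predefined privilege")
    if not domains:
        raise ValueError(f"{name} must name a domain, domains, or a range")
    ids = set()
    for part in domains.split(","):
        lo, _, hi = part.partition("-")
        first, last = int(lo), int(hi or lo)
        if first > last:
            raise ValueError(f"bad domain range {part!r}")
        ids.update(range(first, last + 1))
    return name, frozenset(ids)

def effective_privileges(local, ldap):
    """local/ldap: lists of specs; empty or None means no data from that source."""
    if local and "none" in local:
        return {}                       # local 'none' blocks the LDAP lookup
    merged = {}
    for spec in (local or ldap or []):  # LDAP is used only without local data
        name, doms = parse_privilege(spec)
        if name != "none":
            merged[name] = merged.get(name, frozenset()) | doms
    return merged

def can_power_domain(privs, domain):
    """Domain power operations: platadm, or domainadm/domainmgr on that domain."""
    return "platadm" in privs or any(
        domain in privs.get(p, ()) for p in ("domainadm", "domainmgr"))

# Constructed sample accounts: (local specs, LDAP specs)
ACCOUNTS = {
    "jsmith": (["useradm", "domainmgr@0-2"], ["platadm"]),
    "akim": ([], ["domainadm@1,3"]),
    "temp1": (["none"], ["platadm"]),
}
```

For jsmith the LDAP platadm entry is ignored because local privilege data exists, so domain power operations are limited to domains 0 through 2; temp1 ends up with no privileges despite the LDAP entry.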
XSCF Firmware Update
The Service Processor firmware can only be updated as an entire image, known as an
XCP image. The image includes the XSCF firmware, OpenBoot PROM firmware,
POST firmware, and miscellaneous files. Only valid images authorized by Sun
Microsystems or Fujitsu can be installed.
The XCP image is installed in the Service Processor flash memory. You need
platadm or fieldeng privilege to update an XCP image. More information on
updating an XCP image is contained in the SPARC Enterprise M3000/M4000/M5000/M8000/M9000 Servers XSCF User’s Guide.
Saving and Restoring XSCF Configuration Information
To save and restore XSCF configuration information, use the dumpconfig(8) and
restoreconfig(8) commands in the XSCF shell. The commands permit you to
specify the location where the information is to be stored and retrieved. For more
information, see the SPARC Enterprise M3000/M4000/M5000/M8000/M9000 Servers XSCF User’s Guide and the dumpconfig(8) and restoreconfig(8) man pages.
Note – The XCP 1080 firmware is the first XCP release to support the
dumpconfig(8) and restoreconfig(8) commands.
XSCF Shell Procedures for Access Control
This section describes these procedures:
■ To Log in Initially to the XSCF Console
■ To Add an XSCF User Account
■ To Create a Password for an XSCF User
■ To Configure an XSCF Password Policy
■ To Assign Privileges to an XSCF User
■ To Display the Version of Installed Firmware
▼ To Log in Initially to the XSCF Console
This procedure can be used for initial login or for lost password access.
1. Log in to the XSCF console with the default login name from a terminal device
connected to the Service Processor. You must have physical access to the
system.
serial port log-in prompt: default
You are prompted to toggle the Operator Panel MODE switch (keyswitch) on the
front of the system. The location of the MODE switch on an entry-level server is
shown in FIGURE 2-1. The location of the MODE switch on a midrange server is
shown in FIGURE 2-2. And the MODE switch on a high-end server is mounted
horizontally rather than vertically, as shown in FIGURE 2-3. The MODE switch has
two positions: Service and Locked.
Note – In the following illustrations, the three LEDs appear first, followed by the
POWER button, then the MODE switch.
FIGURE 2-1 Location of the Operator Panel MODE Switch on an Entry-Level Server
FIGURE 2-2 Location of the Operator Panel MODE Switch on a Midrange Server
FIGURE 2-3 Operator Panel on a High-end Server
You must toggle the MODE switch within one minute of the login prompt or the
login process times out.
2. Toggle the MODE switch using one of two methods, as follows:
■ If the switch is in the Service position, turn it to the Locked position, leave it there
for at least five seconds, and then turn it back to the Service position. Press the
Enter key.