HP Integrity Superdome X and Superdome 2 Onboard Administrator User Guide

Transcription

1 HP Integrity Superdome X and Superdome 2 Onboard Administrator User Guide Abstract This document describes the Onboard Administrator for the HP Integrity Superdome X and Superdome 2 enclosures. HP Part Number: Published: September 2015 Edition: 13

2 Copyright Hewlett-Packard Development Company, L.P. Notices The information contained herein is subject to change without notice and is applicable only to the products described in this document. Please refer to the appropriate documents to verify the operation of other HP equipment. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. HP makes no warranties for non-hp products. Acknowledgements Microsoft, Windows, and Windows Server are trademarks of the Microsoft group of companies. Intel Xeon are trademarks of Intel Corporation in the in the U.S. and other countries. Google is a registered trademarks of Google Inc. Linux is a registered trademark of Linus Torvalds in the U.S. and other countries. Red Hat is a registered trademark of Red Hat, Inc. in the United States and other countries. Warranty To obtain a copy of the warranty for this product, see the warranty information website: BCS Global Limited Warranty and Technical Support Revision History HP Part Number AH A AH A_ed2 AH A_ed3 AH B AH C AH D AH E AH F AH G AH H Edition First Second Third Fourth Fifth Sixth Seventh Eighth Ninth Tenth Eleventh Twelfth Thirteenth Publication Date August 2010 November 2010 December 2010 April 2011 August 2011 December 2011 December 2012 May 2013 November 2013 July 2014 December 2014 March 2015 September 2015

3 Contents 1 Introduction...9 Overview...9 Access requirements...11 Onboard Administrator overview...12 Detecting component insertion and removal...12 Identifying components...13 Managing power and cooling...13 Controlling components...13 Managing partitions...13 Interfaces...14 Onboard Administrator user interfaces...14 Onboard Administrator authentication...15 Running Onboard Administrator for the first time...15 Logging on to the Onboard Administrator GUI...16 Running the setup wizard...17 Using online help...18 Changing enclosure and device configurations...18 Recovering the administrator password Insight Display...19 Insight Display overview...19 Navigating the Insight Display...19 Health Summary screen...20 Enclosure Settings screen...21 Enclosure Info screen...22 Blade and Port Info screen...23 Turn Enclosure UID On/Off screen...24 View User Note screen...24 Chat Mode screen...25 Insight Display errors...25 Power errors...26 Cooling errors...26 Location errors...26 Configuration errors...26 Device failure errors HP Superdome 2 Door Status Display...28 Before running Door Display setup...28 Setting up the Door Display...28 Door Display status menu...32 Display Settings menu...34 Firmware Update menu First Time Setup Wizard...37 Before you begin...37 Enclosure Selection screen...37 Configuration Management screen...38 Rack and Enclosure Settings screen...39 Administrator Account Setup screen...41 Local User Accounts screen...41 Enclosure Bay IP Addressing screen...43 Directory Groups screen...44 Directory Settings screen...45 Contents 3

4 Onboard Administrator Network Settings screen...46 SNMP Settings screen...48 Power Management screen...49 Finish Navigating Onboard Administrator...52 Navigation overview...52 Tree view...53 Graphical view navigation Complex Overview...59 Complex Overview screen...59 Compute Enclosures tab...60 Power and Thermal tab...60 Complex Information screen...61 Status tab...61 Information tab...63 Complex Logs tab...65 Complex CLI Tab...65 Complex Information: Firmware Management...66 Complex Firmware Summary screen...66 Online complex firmware update...67 Introduction...67 HP Superdome 2 firmware updates...67 HP Integrity Superdome X firmware updates...68 Services unavailable...68 Management Processor access...68 IPMI...69 Event logs...69 IPMI Watchdog...69 Partition ID (HP-UX)...69 Console...69 System Firmware Services During Boot and Shutdown...70 Affected OS Commands...70 Network Services to OA...71 Frequently asked questions:...71 Known issues:...72 hpvminfo command qualifiers fail...72 Newly created HPVM guests cannot be started...72 Serviceguard Manager performance degradation and proxy errors...72 cimserver shutdown and startup fail...72 cimauth is unable to add authorizations...72 cprop command qualifiers fail...72 SMH is unable to query memory or enclosure information...72 setboot and related commands are unable to display or modify boot variables...72 wbemassist namespace error...73 par* and vpar* commands fail...73 Firmware Update screen...73 Enclosure DVD Module screen Configuring compute enclosures and enclosure devices...80 Viewing the status screens...80 Enclosure information...81 Enclosure Status...81 Enclosure Information tab...84 AlertMail Contents

5 Device Power Sequence tabs...88 Device Power Sequence Device Bays tab...89 Device Power Sequence Interconnect Bays tab...90 Date and Time...90 Enclosure TCP/IP Settings...92 Network Access...93 Login Banner...94 Trusted Hosts tab...94 Anonymous Data tab...95 Link Loss Failover...95 Enclosure Bay IP Addressing...95 SNMP Settings...98 Configuration Scripts Device Summary Active to Standby Onboard Administrator Module Active Onboard Administrator Active Onboard Administrator Status and Information tab Active Onboard Administrator Virtual Buttons tab TCP/IP Settings Certificate Administration Certificate Request tab Active Onboard Administrator Certificate Upload tab System log Log Options tab Standby Onboard Administrator TCP/IP Settings for Standby Onboard Administrator Standby Onboard Administrator Virtual Buttons tab Standby Certificate Request tab Standby Onboard Administrator Certificate Upload tab System log for Standby Onboard Administrator Standby to Active Device bays Device Bay Overview Device Bay Information Server Blade Information tab Device bay virtual buttons tab Interconnect bays Interconnect Bay Summary Interconnect Bay Information Interconnect Bay Information tab Interconnect Bay Virtual Buttons tab Interconnect Bay Port Mapping XFM bays XFM Bay Summary XFM Bay Information XFM Bay Status tab XFM Bay Information tab XFM Bay Virtual Buttons GPSM bays GPSM Bay Summary GPSM Bay Information GPSM Status tab GPSM Bay Information tab GPSM Virtual Buttons Contents 5

6 Enclosure power management Planning power management Power and Thermal Power Management Enclosure Power Allocation Enclosure Power Summary Enclosure Power Meter Graphical View tab Table View tab Power Subsystem Power Supply Information Fans and cooling management Thermal Subsystem Thermal Subsystem Fan Zones tab Enclosure fan location rules Fan Information Managing users Users/Authentication User roles and privilege levels Role-based user accounts Local Users screen Add Local User Edit Local User Edit Local User Certificate Information tab Password Settings screen Directory Settings screen Uploading a certificate Directory Certificate Upload tab Directory Test Settings tab Directory Groups Add an LDAP Group Edit an LDAP Group SSH Administration HP SSO Integration Edit Local User Certificate Information tab Two-Factor Authentication screen Two-Factor Authentication Certificate Information tab Two-Factor Authentication Certificate Upload tab Signed In users Session Options tab Insight Display Management network IP dependencies HP Superdome 2 IOX enclosures IOX Enclosure Information screen IOX Power and Thermal screen IOX Power Subsystem screen IOX Power Supply screen IOX Thermal Subsystem screen Port mapping Device bay port mapping for compute enclosures Device bay port mapping tabular view for compute enclosures Using the Command Line Interface Command line overview Contents

7 Setting up Onboard Administrator using the CLI Using the service port connection Using configuration scripts Configuration scripts Reset Factory Defaults Troubleshooting Onboard Administrator error messages Onboard Administrator factory default settings Onboard Administrator SNMP traps Enabling LDAP Directory Services Authentication to Microsoft Active Directory Certificate Services Preparing the directory Uploading the DC certificate (optional) Creating directory groups Testing the directory login solution Troubleshooting LDAP on Onboard Administrator Creating CAs and configuring Two-Factor Authentication for local user and LDAP group accounts Introduction Configuring the directories Creating a directory to represent each CA and user Modifying and storing an OpenSSL configuration file in each CA directory Changing the default directories Creating a root CA Copying the OpenSSL configuration file to the rootca directory Creating the certificate and private key Creating a combined private key and certificate PEM file Creating subordinate CAs Creating the directories for the subordinate CA Providing x509 certificate information Generating a CSR and new server key Signing the level1ca CSR with the rootca key Creating user keys and CSRs Creating a directory for the user key and CSR database Providing x509 user certificate information Generating a user CSR and new server key Signing the user CSR with the level1ca key Verifying certificates Storing a user certificate on a smart card or browser Configuring the Onboard Administrator for Two-Factor Authentication with local accounts Establishing an Onboard Administrator recovery plan Recovering via Insight Display and USB key Recovering via serial console Configuring the Onboard Administrator session timeout Installing the CA chain for TFA CLI commands for administrating certificates Configuring the HTTP proxy Installing user certificates on the local Administrator account Enabling Two-Factor Authentication Logging into the Onboard Administrator web GUI using Enabling Two-Factor Authentication TFA+LDAP Authentication Contents 7

8 How TFA_LDAP authentication works Enabling TFA+LDAP authentication Methods for specifying the subject field on a CSR Troubleshooting TFA+LDAP authentication problems CLI examples configuring a user account and certificates Information about CAs and certificates available from the web Support and other resources Before you contact HP HP contact information Subscription service Installing HP Insight Remote Support Software New and changed information in this edition Related information Typographic conventions A Time zone settings Universal time zone settings Africa time zone settings Americas time zone settings Asia time zone settings Oceanic time zone settings Europe time zone settings Polar time zone settings B Connecting to the OA with a local PC Connecting a PC to the OA service port Connecting a PC to the OA serial port Modifying the serial connection baud rate C Documentation feedback Standard terms, abbreviations, and acronyms Index Contents

9 1 Introduction Overview This guide describes the HP Integrity Superdome X and Superdome 2 Onboard Administrator used to support HP Integrity Superdome X and HP Superdome 2 systems. These systems include different features and hardware, so not everything in this guide applies to both systems. Refer to the service guide for your system for more information. Images and examples in this guide might depict only one type of system. Not all HP Superdome 2 images or examples have HP Integrity Superdome X equivalents in this guide. The HP Integrity Superdome X and HP Superdome 2 compute enclosure Onboard Administrator (OA) is the complex management processor, subsystem, and firmware base used to support HP BL920s Gen8 and HP Superdome 2 complexes and all the managed devices contained within the complex. The Onboard Administrator provides a single point from which to perform basic management tasks for the following complex devices: Compute enclosures IOXs (HP Superdome 2) Server blades I/O interconnects The Onboard Administrator performs configuration steps for the complex, enables run-time management and configuration of the complex components, and informs you of problems within the complex through , SNMP, WSMAN, or the Insight Display. HP recommends that you read the service guide for your system for specific information before proceeding with the Onboard Administrator setup. This user guide provides information on the following topics: Initial setup and operation of the Onboard Administrator Use of the Onboard Administrator GUI Use of the compute enclosure Insight Display Initial setup and operation of the HP HP Superdome 2 Door Status Display The HP Integrity Superdome X and Superdome 2 Onboard Administrator Command Line Interface User Guide covers the use of the CLI. The Onboard Administrator provides several features designed to simplify management of enclosures, blades, and interconnects. Compute enclosures within a complex can be configured with redundant Onboard Administrator modules to provide uninterrupted manageability of the entire complex in the event of a failure of a single Onboard Administrator module. Overview 9

10 The following table lists which Onboard Administrator feature is enhanced when an enclosure contains redundant Onboard Administrator modules. For an enclosure with only a single Onboard Administrator module, the table indicates the behavior of the enclosure if the single Onboard Administrator module has failed or is removed. Table 1 Benefits of using a redundant Onboard Administrator versus a single Onboard Administrator Onboard Administrator feature Single Onboard Administrator in enclosure Single Onboard Administrator failed or removed Redundant Onboard Administrator in enclosure Power allocation and control of all blades and interconnects. Yes. Complete control. No. Power supplies continue to deliver power to all blades and interconnects. No power on requests can be made for blades or interconnects. Yes. Complete control, including sustaining a failure of either Onboard Administrator. Cooling for all blades and interconnects. Yes. Complete control. No. All enclosure fans will ramp to an unmanaged higher speed to protect blades and interconnects from overheating. Yes. Complete control, including sustaining a failure of either Onboard Administrator. EBIPA. Yes. Complete control. No. EBIPA IP addresses are lost after lease timeout. Yes. Complete control, including sustaining a failure of either Onboard Administrator. Ethernet communications to Onboard Administrator, server ilo, interconnect management processors such as Virtual Connect, which use the Onboard Administrator/iLO management port. Yes. Complete control. No. Ethernet management communications are not available, including internal management traffic such as Virtual Connect Manager to other VC modules in the enclosure. Yes. Complete control, including sustaining a failure of either Onboard Administrator. Information and health status reporting for all blades, interconnects, fans, power supplies, Onboard Administrators, and enclosure through the Onboard Administrator GUI or CLI, AlertMail, or SNMP. Yes. Complete control. No. Additionally, no information is available from the Onboard Administrator, and no out-of-band information is available from VCM or ilo on any server. Yes. Complete control, including sustaining a failure of either Onboard Administrator. Insight Display. Yes. Complete control. No. Yes. Complete control, including sustaining a failure of either Onboard Administrator. Enclosure DVD. Yes. Complete control. No. Yes. Complete control, including sustaining a failure of either Onboard Administrator. 10 Introduction

11 Onboard Administrator module replacement and stored settings When replacing an Onboard Administrator or if a failure occurs when using redundant Onboard Administrators: Removing an Onboard Administrator module in an enclosure with a redundant Onboard Administrator module installed results in the other Onboard Administrator module immediately becoming the active Onboard Administrator if it was the standby Onboard Administrator. Only the network settings of the replaced Onboard Administrator network settings are lost. If Onboard Administrator complex firmware versions are identical, manually update the replaced Onboard Administrator network settings using the Insight Display. The replaced Onboard Administrator module gets automatically synchronized on all enclosure settings by the active Onboard Administrator. NOTE: If the enclosure IP mode is enabled ( Enclosure TCP/IP Settings (page 92)), then both Onboard Administrators have the same network settings and no manual update is required. If the complex firmware versions are not identical, the Onboard Administrator GUI and Onboard Administrator CLI can be used to synchronize the firmware versions to the most recent version in the modules, followed by synchronization of the active Onboard Administrator configuration settings to the new standby Onboard Administrator module. IMPORTANT: You cannot update firmware through the Onboard Administrator GUI if you have complex firmware earlier than the Online Firmware Update firmware release. To update complex firmware if you have complex firmware earlier than the Online Firmware Update firmware release, see the Update Firmware section in the HP Integrity Superdome X and Superdome 2 Onboard Administrator Command Line Interface User Guide at Access requirements To access the Onboard Administrator web interface, you require the Onboard Administrator IP address and a compatible web browser. You must access the application through HTTPS (HTTP packets exchanged over an SSL-encrypted session). The Onboard Administrator web interface requires an XSLT-enabled browser with support for JavaScript 1.3 or the equivalent. The following browsers are officially supported for use with Onboard Administrator: Microsoft Internet Explorer 7 or later Mozilla Firefox 3.6 or later NOTE: Other browsers can be used but are not supported. For a list of browsers supported by Onboard Administrator, see the latest version of the Onboard Administrator Release Notes. Before running the web browser, you must enable the following browser settings: ActiveX (for Microsoft Internet Explorer) Cookies JavaScript If you receive a notice that your browser does not have the required functionality, be sure that your browser settings meet the preceding requirements. Access requirements 11

12 If you use an installed language pack with the Onboard Administrator GUI and the browser does not display all characters correctly, make sure the operating system has the corresponding language support installed. To access the Onboard Administrator CLI, use the Onboard Administrator IP address and a terminal or terminal application. To access the CLI interface, you must use Telnet or Secure Shell depending on which of these protocols are enabled. To access the CLI management and notification features, the ports listed on the following table must be open on any router between Onboard Administrator and any computers used to access or monitor Onboard Administrator. Protocol Secure Shell Telnet SMTP Browser access Browser access encrypted SNMP get/set SNMP traps LDAP Terminal services pass-through from PC to OA Virtual media from PC to OA Remote syslog Incoming port Outgoing port LDAP and Remote syslog port number can be changed. If a protocol is disabled, the corresponding ports are also disabled. Onboard Administrator overview NOTE: The Monarch OA is the Active OA in enclosure 1. It provides complex-wide administrative functions, such as partition management, event logs, and error diagnostics. IOX enclosure devices are managed through the Monarch OA. Many OA settings must be managed on the Monarch OA and are automatically copied to the other OAs in the complex, such as user accounts and settings, power options, and feature enablement. Some settings are managed locally on each OA, such as the IP configuration and OA certificates. Detecting component insertion and removal Onboard Administrator provides component control in compute enclosures. Component management begins after the component is detected and identified. The Onboard Administrator detects components in enclosures through presence signals on each bay. When you insert a component into a bay, or connect an IOX, the Onboard Administrator immediately recognizes and identifies the component. When you remove a component from a bay, the Onboard Administrator deletes the information about that component. In HP Superdome 2 systems, an IOX will be marked Failed if it is disconnected while the system is active. The Monarch OA must be rebooted to remove an IOX from the complex. 12 Introduction

13 Identifying components To identify a component, Onboard Administrator reads an FRU EEPROM that contains specific factory information about the component such as product name, part number, and serial number. All FRU EEPROMs in enclosures are powered on, even if the component is powered off. Therefore, Onboard Administrator can identify the component before granting power. For devices such as fans, power supplies, and Insight Display, Onboard Administrator directly reads the FRU EEPROMs. The server blades contain several FRU EEPROMs: one on the server board, which contains server information and embedded NIC information, and one on each installed mezzanine option cards. Server blade control options also include extensive blade hardware information including: Blade and partition firmware versions Blade name NIC and option card port IDs Port mapping Onboard Administrator provides easy-to-understand port mapping information for each server blade and interconnect module in each enclosure. The NIC and mezzanine option FRU data informs Onboard Administrator of the type of interconnects each server requires. Before power is provided to a server blade, Onboard Administrator compares this information with the FRU EEPROMs on installed interconnect modules to verify for electronic keying errors. For interconnect modules, Onboard Administrator provides virtual power control, dedicated serial consoles, and management Ethernet connections. While Onboard Administrator is identifying components, the progress appears as steps on the Insight Display. Discovery might take several minutes, and the number of installed mezzanine cards on each server increases the time taken as each card is identified and verified. Managing power and cooling The most important Onboard Administrator tasks are power control and thermal management. Onboard Administrator can remotely control the power state of all components in compute enclosures. For components in device bays on the front of each enclosure, Onboard Administrator communicates with ilo to control blades, and with a microcontroller to control options. A separate microcontroller controls power to the interconnect modules. After the components are powered on, the Onboard Administrator begins thermal management with Thermal Logic. The Thermal Logic feature minimizes power consumption by the enclosure fan subsystem by reading temperature sensors across the entire enclosure. Then, Thermal Logic changes the fan speed in the various zones in the enclosure to minimize power consumption and maximize cooling efficiency. Controlling components Onboard Administrator uses embedded management interfaces to provide detailed information and health status of all bays in the enclosure including presence detection signals in each bay, i2c, serial, USB, and Ethernet controllers. Onboard Administrator also offers information on firmware versions for most components in the enclosure and can be used to update those components. Managing partitions The Onboard Administrator also enables users to define and manage partitions in a complex. An npartition comprises one or more server blades working as a single system. I/O bays in IOX enclosures are assigned to npartitions and any I/O component of a server blade, including NICs and mezzanine cards are assigned to the npartition containing the server blade. Onboard Administrator overview 13

14 Interfaces In the complex, each npartition has its own dedicated portion of the complex hardware which can run a single instance of an operating system. Each npartition can boot, reboot, and operate independently of any other npartitions and hardware within the same complex. An npartition includes all hardware assigned to the npartition: all IOX I/O bays, I/O devices, and server blades. A complex can contain one or more npartitions, enabling the hardware to function as a single system or as multiple systems. NOTE: For more information about partition creation and management for HP Superdome 2, see the HP Superdome 2 Partitioning Administrator Guide. For more information about partition creation and management for HP BL920s Gen8, see the HP Integrity Superdome X User Service Guide. Each compute enclosure has several external management interfaces that connect the user to Onboard Administrator. The primary external management interface is the management port for Onboard Administrator, which is an RJ-45 jack providing Ethernet communications not only to Onboard Administrator, but also to every device or interconnect bay with a management processor. A serial port on the Onboard Administrator module provides full out-of-band CLI access to the Onboard Administrator. All enclosures support two enclosure link connectors that provide private communications among enclosures linked with CAT5 cable. In addition, the enclosure link-up connector provides an enclosure service port that enables you to temporarily connect a personal laptop computer to any linked enclosure Onboard Administrator for local diagnostics and debugging. NOTE: For complexes that have the HP Superdome 2 Door Status Display, the enclosure service port is routed through the rack-mounted E-Switch. Each compute enclosure includes an embedded Insight Display on the front of the enclosure, which provides status and information on all the bays in a compute enclosure and diagnostic information if the Onboard Administrator detects a problem in the enclosure. The Insight Display configures key settings in the Onboard Administrator, including the IP address of the Onboard Administrator. Onboard Administrator user interfaces The following user interfaces to the Onboard Administrator enable control and provide information about the enclosure and installed components: Web interface GUI Scriptable CLI Insight Display Remote network access to the Onboard Administrator GUI and CLI is available through the management Ethernet port. The serial port of the Onboard Administrator is available for local CLI access. The compute enclosure link-up port is also available as the service port for temporary local Ethernet access to the Onboard Administrators and devices in linked enclosures using either the GUI or CLI. See Connecting to the OA with a local PC (page 227) for information about using the OA link-up or serial ports. NOTE: For complexes that have the HP Superdome 2 Door Status Display, the enclosure service port is routed through the rack-mounted E-Switch. Access the Insight Display directly through the buttons on the display, or remotely through the Onboard Administrator GUI. 14 Introduction

15 Onboard Administrator authentication Security is maintained for all Onboard Administrator user interfaces through user authentication. User accounts created in the Onboard Administrator define three user privilege levels and the component bays to which each level is granted access. Onboard Administrator stores the passwords for Local User accounts and can be configured to use LDAP authentication for user group accounts. The Insight Display can be protected against unauthorized access by an LCD PIN code or completely disabled. NOTE: User accounts are managed on the Monarch OA. Role-based user accounts Onboard Administrator provides configurable user accounts that can provide complete isolation of multiple administrative roles such as server, LAN, and SAN. User accounts are configured with specific device bay or interconnect bay permissions and one of the three privilege levels: Administrator Operator User Onboard Administrator requires the user to log in to the web GUI or CLI with an account and password. The account can be a local account where the password is stored on Onboard Administrator, or an LDAP account. The Onboard Administrator contacts the defined LDAP server to verify the user credentials. Two-factor Authentication enables even tighter security for the user management session to Onboard Administrator. An account with administrator privileges, including Onboard Administrator bay permissions, can create or edit all user accounts on an enclosure. Operator privileges allow full information access and control of permitted bays. User privileges allow information access, but no control capability. For detailed information about Onboard Administrator account privileges, see the HP Integrity Superdome X and Superdome 2 Onboard Administrator Command Line Interface User Guide. The default Administrator account from the Monarch OA is synchronized to the other OAs in the complex. Use the default credentials from the Monarch OA to access all OAs. Rather than requiring separate logins to multiple resources (once to each enclosure or once to every server management processor or both), Onboard Administrator enables single-point access. Thus, the administrator can use single sign-on to log in to a single Onboard Administrator and use the web GUI to graphically view and manage the components in the entire complex. For example, an IT administrator can automatically propagate management commands, such as changing the enclosure power mode, throughout the complex. NOTE: The single sign-on requires that all the enclosure active Onboard Administrators have the same password. Running Onboard Administrator for the first time Setting up an enclosure using the Onboard Administrator is simplified by using the Insight Display setup process, followed by the use of the Onboard Administrator GUI First Time Setup Wizard or Onboard Administrator CLI to complete the reset of the enclosure settings. The Onboard Administrator modules and many interconnect modules default to DHCP for the management IP address. If the user has DHCP and connects the Onboard Administrator management port to the DHCP server, then the Onboard Administrator modules and interconnect modules supporting and configured to use the Onboard Administrator internal management network automatically get DHCP addresses from the user DHCP server. If you do not have a DHCP server for assigning IP addresses to management processors, then you must configure each Onboard Administrator with a static IP address using the Insight Display, then log in to the Onboard Administrator GUI and use the First Time Setup Wizard or log in to the Running Onboard Administrator for the first time 15

16 Onboard Administrator CLI and configure and enable EBIPA for device bays and interconnect bays. Enabling EBIPA for a bay enables that server or interconnect module to be replaced and the new module automatically gets the previously configured IP address for that bay. See Enclosure Bay IP Addressing (page 95) for more information on EBIPA. The initial credentials to log on to a new Onboard Administrator module are printed on a label on each module. The user is Administrator and the password is unique to each module. This password must be captured by the installer and communicated to the remote Administrator for the first remote logon to the Onboard Administrator GUI or Onboard Administrator CLI. The enclosure settings can be configured manually or uploaded from a configuration script or file. The web GUI offers a First Time Setup Wizard. The CLI can be accessed from the Onboard Administrator serial port, Ethernet management port, service port, or by using the enclosure KVM - Onboard Administrator CLI button. An alternative to manual configuration is to upload a enclosure configuration file to the active Onboard Administrator using either the GUI or CLI with an HTTP, FTP or TFTP network location for the configuration file, or use the GUI, CLI or Insight Display to upload a configuration file from a USB key drive plugged into the enclosure DVD USB port. HP recommends creating an enclosure configuration file to use the GUI, CLI, or Insight Display USB Menu to save the existing configuration to a file. The saved configuration file is a set of CLI text commands for each configuration item. The Onboard Administrator does not save user passwords when it saves a configuration file. The user can edit the configuration file and insert the password commands for each user account or use the Administrator local account to individually update all user passwords after restoring a previously saved enclosure configuration file. If the enclosure contains redundant Onboard Administrator modules, the remaining Onboard Administrator updates the new Onboard Administrator with all the settings. Logging on to the Onboard Administrator GUI If the Login Banner feature is enabled, you will be prompted to read and accept the conditions presented before being able to log in. Once the terms are accepted the main login page will appear. NOTE: X. Not all images or examples in this guide have been updated for HP Integrity Superdome 16 Introduction

17 Enter the user name and initial administration password for your Onboard Administrator account found on the tag attached to the Onboard Administrator. Possible issues that might occur when logging in include: The information has been entered incorrectly. Passwords are case-sensitive. The account information entered has not been set up for Onboard Administrator. The user name entered has been deleted, disabled, or locked out. The password for the account must be changed. Attempting to log on from an IP address that is not valid for the specified account. The password for the Administrator account has been forgotten or lost. To reset the Administrator password, see Recovering the administrator password (page 18). If you continue to have problems signing in, contact your administrator. Running the setup wizard To run the setup wizard, log on to Onboard Administrator. The First Time Setup Wizard starts automatically when you log on to Onboard Administrator for the first time. This wizard assists you in setting up the functions of the Onboard Administrator. You can access the setup wizard at any time after initial setup by clicking the Wizards link on the top left of the center screen. For more information, see First Time Setup Wizard (page 37). Running the setup wizard 17

18 Using online help To access online help, click the blue box with the white question mark located at the top right of the screen under the header bar. Online help displays information related to the section of Onboard Administrator that you are navigating. Changing enclosure and device configurations After completing the First Time Setup Wizard, return to the Onboard Administrator GUI to make configuration changes at any time. See Configuring compute enclosures and enclosure devices (page 80) for information that helps you make changes to enclosure and device configuration, user setup, and LDAP server settings and LDAP groups. See Enclosure power management (page 139) for information on enclosure power settings. Recovering the administrator password If the administrator password has been lost, you can reset the administrator password to the factory default that shipped on the tag with the Onboard Administrator module. The Onboard Administrator resets a lost password to Lost Password mode. To recover the password and reset the administrator password to the factory default: IMPORTANT: The password is recovered from the Monarch OA. 1. Connect a computer to the serial port of the active Onboard Administrator using a null-modem cable. 2. With a null-modem cable (9600 N, 8, 1, VT100, locally connect to the Onboard Administrator), open HyperTerminal (in Microsoft Windows) or a suitable terminal window (in Linux). 3. Connect to the active Onboard Administrator. 4. Press the Onboard Administrator Reset button for 5 seconds. 5. Press L to boot the system in the Lost Password mode. The password appears as the system reboots. 18 Introduction

19 2 Insight Display NOTE: Images in this section might not reflect Integrity Superdome X displays. Insight Display overview The Insight Display enables the rack technician to initially configure the enclosure. It also provides information about the health and operation of the enclosure. The color of the Insight Display varies with the condition of the enclosure health. Blue The Insight Display illuminates blue when the enclosure UID is active. The enclosure UID automatically turns on when the enclosure is powered up for the first time, and can be turned on by selecting Turn Enclosure UID On from the Main Menu or by pressing the enclosure UID button on the management interposer. When the enclosure UID is on, the Insight Display flashes after two minutes of inactivity. Pressing any button on the Insight Display stops the blinking and reactivates the screen. Green The Insight Display illuminates green when no error or alert conditions exist, and the enclosure is operating normally. After two minutes of inactivity, the Insight Display light turns off. Pressing any button on the Insight Display reactivates the screen. Amber The Insight Display illuminates amber when the OA detects an error or alert condition. The screen displays the details of the condition. After two minutes of inactivity, the Insight Display flashes amber indicating that an error or alert condition exists. If the enclosure UID is on and an error or alert condition exists, the Insight Display illuminates blue as the enclosure UID takes priority over the alert. Pressing any button on the Insight Display reactivates the screen. Dark (no power) The Insight Display has a two-minute inactivity period. If no action is taken and no alert condition exists, then the screen light turns off after two minutes. Pressing any button on the Insight Display reactivates the screen. The Enclosure Health icon is located at the bottom-left corner of every screen, indicating the condition of the enclosure health. Navigate the cursor to the Enclosure Health icon and pressing OK to access the Health Summary screen from any Insight Display screen. Navigating the Insight Display Navigate the menus and selections by using the arrow buttons on the Insight Display panel. The first menu displayed is the Main Menu. Insight Display overview 19

20 The Main Menu of the Insight Display has the following menu options: Health Summary Enclosure Settings Enclosure Info Blade or Port Info Turn Enclosure UID on/off View User Note Chat Mode If the active OA detects a USB key drive with any *.ROM, *.CFG or *.ISO files, a USB menu item appears at the bottom of the Main Menu. If the active OA detects KVM capability, a KVM menu button appears on the navigation bar of the Main Menu. Selecting KVM Menu causes the Insight Display to go blank and activate the VGA connection of OA. A USB key drive with the appropriate files and KVM capability is present in the Main Menu. TIP: Within any menu option, navigate the cursor to What is This, and press the OK button to view additional information about each setting, option, or alert. The navigation bar contains options to do the following: Navigate forward and backward through alert screens Return to the main menu Accept changes to current settings Cancel changes to current settings Access the Health Summary screen from any screen by selecting the Health Summary icon on the navigation bar Health Summary screen 20 Insight Display The Health Summary screen displays the current status of the enclosure. The Health Summary screen can be accessed by the following methods: Selecting Health Summary from the Main Menu Selecting the Health Summary icon from any Insight Display screen When an error or alert condition is detected, the Health Summary screen displays the total number of error conditions and the error locations.

21 Select Next Alert from the navigation bar, and then press the OK button to view each individual error condition. The Insight Display displays each error condition in the order of severity. Critical alerts display first (if one exists), followed by caution alerts. When the enclosure is operating normally, the Health Summary screen displays green. The bright green rectangles are components that are installed and are on. A light green rectangle represents a component that is installed, but powered off with no errors. When the enclosure is operating normally, the Health Summary screen displays green. The bright green rectangles are components that are installed and on. A dark green rectangle represents a component that is installed, but powered off with no errors. A black rectangle represents an empty bay. NOTE: A black DVD rectangle indicates no DVD is connected to the OA while a dark gray rectangle indicates the DVD drive is present, but that no media is present. A dark green rectangle indicates that media is present, but not actively connected to any server or that all connected servers have issued a disk eject command, so the disk can be removed from the drive. A bright green rectangle indicates that the media is present in the drive and actively connected to at least one server in the enclosure, and the drive tray is locked. If an error occurs, the Health Summary screen background changes from green to amber and the error is highlighted with yellow rectangles for caution and red rectangles for failures. Overall enclosure health icons at the bottom-left corner of the Insight Display screens indicate the overall enclosure health. To display the errors, select View Alert, and then press the OK button. To view the details of the error, select Details. Enclosure Settings screen The Enclosure Settings screen displays the following setting information about the enclosure: Power Mode settings Power Limit settings Dynamic Power settings Active and Standby OA IP addresses Enclosure Name Rack Name DVD Drive Insight Display PIN# Navigating the Insight Display 21

22 NOTE: The DVD Drive setting can attach or detach a CD or DVD loaded in the DVD drive to any or all partitions in the enclosure. This feature can be used to install an OS or software on the partitions. TIP: Set a PIN to protect the enclosure settings from changes. Navigate the cursor to a setting or to?, and press OK to change the setting or get help on that setting. Enclosure Info screen The Enclosure Info screen displays information about the enclosure, including the following: Active OA IP address Active OA Service IP address Current health status of the enclosure Current enclosure ambient temperature Current AC input power to the enclosure Enclosure number Enclosure name Enclosure serial number (HP Integrity Superdome X) Rack name 22 Insight Display

23 Blade and Port Info screen The Blade and Port Info screen displays information about a specific server blade. On the first screen, select the server blade number, and then press the OK button. Select Blade Info or Port Info, and press the OK button. To view information about the server blade, select Blade Info and press the OK button. NOTE: The screen below does not depict the fully loaded blade supported for this release. To view the ports used by a specific server blade, select Port Info and press the OK button. Navigating the Insight Display 23

24 The following screen shows a server blade with four embedded NICs. The other interconnect bays are empty. The four embedded NICs are connected to particular port numbers on the interconnect modules. Turn Enclosure UID On/Off screen The Main Menu displays Turn Enclosure UID Off when the enclosure UID is active, and displays Turn Enclosure UID on when the enclosure UID is off. Selecting Turn Enclosure UID On from the main menu turns on the rear enclosure UID LED and changes the color of the Insight Display screen to blue. Selecting Turn Enclosure UID Off from the main menu turns off the rear enclosure UID LED and changes the color of the Insight Display screen to the current alert condition. View User Note screen The View User Note screen displays six lines of text, each containing a maximum of 16 characters. Use this screen to display helpful information such as contact phone numbers. Change this screen using the remote OA user web interface. Both the background bitmap and the text can be changed. 24 Insight Display

25 Chat Mode screen The Chat Mode screen is used by the remote administrator who uses the web interface to send a message to an enclosure Insight Display. The technician uses the Insight Display buttons to select from a set of prepared responses, or dials in a custom response message on the? line. To send a response back to the Administrator, navigate the cursor to Send, then press the OK button. The Chat Mode screen has top priority in the Insight Display and remains on the screen until you select Send. The technician can leave this chat screen temporarily and use the other Insight Display screens, then return to the Chat Mode screen from the Main Menu to send a response. After the response, the Chat Mode screen is cleared. Both the A and? responses then appear to the remote Administrator on the LCD Chat web interface. Insight Display errors The enclosure installation is successful when all errors are corrected. The errors in the following sections are specific to installation and initial configuration of the enclosure. The following types of errors can occur when installing and configuring the enclosure: Power errors Cooling errors Location errors Configuration errors Device failure errors Insight Display errors 25

26 Power errors When the enclosure UID LED is off, the Insight Display is illuminated amber when any error condition exists. The navigation bar displays the following selections when an error condition exists: Health summary icon Displays the Health Summary screen Fix This Suggests corrective action to clear the current error Next Alert Displays the next alert, or if none exist, displays the Health Summary screen Previous Alert Displays the previous alert Power errors can occur because of insufficient power to bring up an enclosure. Power errors can occur on server blades or interconnect modules. To correct a power error, do the following: 1. Use the arrow buttons to navigate to Fix This, and then press OK. 2. Review and complete the corrective action suggested by the Insight Display. Use the OA tools for additional troubleshooting. Cooling errors Cooling errors occur when fans are missing from the enclosure, or when the existing fans are not installed in an effective configuration. Cooling errors can occur on server blades, interconnect modules, XFMs, and OAs. To correct a cooling error, do the following: 1. Use the arrow buttons to navigate to Fix This, and then press OK. 2. Review and complete the corrective action suggested by the Insight Display. In most cases, you must either add fans to the enclosure, correct the fan configuration, or remove the indicated components. Location errors Location (installation) errors occur when the component is not installed in the appropriate bay. Location errors can occur on server blades, power supplies, and fans. HP Integrity Superdome X systems are configured such that these errors should not occur unless the components have been moved. To correct a location error, do the following: 1. Use the arrow buttons to navigate to Fix This, and then press OK. 2. Review and complete the corrective action suggested by the Insight Display. Remove the indicated component, and then install it into the correct bay. The Insight Display will indicate the correct bay number. Configuration errors Configuration errors can occur if the interconnect modules are installed in the wrong bays or if mezzanine cards are installed in the wrong connectors in the server blade. Configuration errors can occur on server blades and interconnect modules. HP Integrity Superdome X systems are configured such that these errors should not occur unless the components have been moved. To correct a configuration error, do the following: 1. Use the arrow buttons to navigate to Fix This, and then press OK. 26 Insight Display

27 2. Review and complete the corrective action suggested by the Insight Display. Depending on the error received, do one of the following: Device failure errors Remove the indicated interconnect module and then install it into the correct bay (the Insight Display indicates the correct bay). Remove the server blade to correct the mezzanine card installation (the Insight Display will indicate the correct bay). For information on installing the mezzanine card, see the server-specific user guide on the Documentation CD. Device failure errors occur when a component has failed. Device failure errors can occur on all components, including the following: Server blades Power supplies Interconnect modules OA modules Fans ac power inputs To correct a device failure error, do the following: 1. Use the arrow buttons to navigate to Fix This, and then press OK. 2. Review and complete the corrective action suggested by the Insight Display. In most cases, you must remove the failed component to clear the error. 3. Replace the failed component with a spare, if applicable. NOTE: If the device failure error is an ac power input failure error, you must have the failed ac input repaired to clear the error. Insight Display errors 27

28 3 HP Superdome 2 Door Status Display HP Superdome 2 SD2-16s and SD2-32s complexes that are factory integrated ship with the HP Superdome 2 Door Status Display. The Door Display is a quick method of getting basic complex status information by using the integrated touch screen on the rack door. NOTE: HP Superdome 2 SD2-8s and HP Integrity Superdome X complexes do not support the Door Display. The Door Display screen and LED backlighting displays the overall status of the complex by the following scheme: Solid blue The Door Display screen and LED backlight glows solid blue when the complex is operating under normal conditions. Flashing blue The Door Display screen and LED backlight flashes blue when the enclosure UID of any compute enclosure in the rack is turned on. Flashing amber The Door Display and LED backlight flashes amber if any compute enclosure in the rack has an error or alert condition. If an enclosure UID is on and an error or alert condition exists, the Door Display and LED backlight flashes blue as the enclosure UID takes priority over the alert. Dark (no power) The Door Display screen turns off after one hour of displaying a screen saver. Touch the Door Display screen to return to the last menu displayed. The LED backlight remains glowing to reflect the current complex status. NOTE: You can only disable the Door Display screen by using the Door Display menu. You cannot disable the screen remotely. After one hour of inactivity, the Door Display screen displays a screen saver. Touch the Door Display screen to return to the last menu that was onscreen. Before running Door Display setup Before running the Door Display setup, you must create Onboard Administrator accounts. The Door Display uses the Onboard Administrator accounts to access complex information and enables you to set the enclosure UID for compute enclosures in the rack. Setting up the Door Display When the complex is first powered on, a brief animation on the Door Display screen is displayed, and then the startup menu appears. NOTE: The startup menu will take several seconds to appear while the Door Display starts up. 28 HP Superdome 2 Door Status Display

29 The startup menu has the following options: Disable Display A screen saver immediately appears for one hour, and then the Door Display shuts off. Setup Select this option to begin the Door Display setup. Complex configuration Select the current complex configuration in the rack. IMPORTANT: This menu selection does not set the complex configuration on the Onboard Administrator. To correctly set up the Door display, you must select the current complex configuration present in the rack. Setting up the Door Display 29

30 Press Next. Status display preferences Temperature Scale Select between displaying enclosure temperatures in C or F. Display IP Address Select to enable or disable the display of the IP addresses of the active Onboard Administrator and the complex service port. NOTE: The OA IP address does not appear until the setup process is complete. Press Next to continue. Two 16s complex setup If the complex configuration is two 16s complexes in a cabinet, unlike the other multi-enclosure configurations, each enclosure is a self-contained complex and each will require its own login and password information. 30 HP Superdome 2 Door Status Display

31 If you selected Two 16s as the complex configuration, then you are prompted to which complex displays status information on the Door Display screen. Lower Complex The Door Display screen displays status information for only the lower SD2-16s complex in the rack. Upper Complex The Door Display screen displays status information for only the upper SD2-16s complex in the rack. Both Complexes The Door Display screen displays status information for both SD2-16s complexes in the rack. NOTE: If you select Both Complexes, you are prompted to enter two user names and passwords at the next menu. Press Next. Setting up the Door Display 31

32 Complex login You must enter an OA account user name and password to enable the Door Display to log in to the complex and display complex status information. IMPORTANT: If you enter an OA Administrator or OA Operator-level user name, all complex information appears and the Door Display screen can be used to set the enclosure UID. If you enter an OA User-level user name, all complex information appears, but the Door Display screen cannot be used to set the enclosure UID. Press Login to complete setup or Cancel to quit Door Display setup. Door Display status menu 32 HP Superdome 2 Door Status Display

33 The Door Display status menu displays the following information: Complex name The user-specified name of the complex. Complex health The current health status of the complex. If there is an enclosure in the complex that now has fault conditions, the enclosure will be highlighted amber and indicated with a fault symbol. Active (OA) IP address The IP address of the active Onboard Administrator. Service IP address The IP address of the complex service port. Enclosure power The current power consumption of the enclosures in the complex in kw. Enclosure temperature The current temperature of the enclosures in the complex in C or F. Enclosure UID If an enclosure in the complex has the enclosure UID enabled, then the enclosure will be indicated with a UID symbol. The Door Display status menu has the following menu buttons: Display Settings Display the Display Settings menu. UID Display the UID control overlay. If the rack contains two SD2-16s complexes, then the Door Display status menu displays the following buttons: Upper Complex Displays the status of the upper complex in the rack. Lower Complex Displays the status of the lower complex in the rack. Logon If the OA log on information is not specified for an enclosure in the rack, select this option to enter the OA log on information. UID control To change the UID of enclosures in the rack, push the On/Off toggle button for the enclosures. Press Confirm to turn the enclosure UIDs on or off and return to the Door Display status menu. To return to the Door Display status menu without making any changes, press Cancel. Setting up the Door Display 33

34 Display Settings menu IMPORTANT: Accessing the Display Settings screen requires a valid door display login even if no settings are changed. If you cancel out of the Display Settings without entering the correct login information, the door display will continue to show the Login and Setup Info is required message. The Display Settings menu has the following options: Door Display Setup Runs the initial setup of the Door Display. Disable Display Erases all settings. A screen saver immediately appears for one hour, and then the Door Display shuts off. IMPORTANT: If you select this option, you must re-enter all setting information, such as user names and passwords before you can use the Door Display. Calibrate Screen Enters calibration mode for the touch screen. IMPORTANT: HP recommends using a stylus or the back of a pencil to calibrate the screen. Using a finger is not precise enough to properly calibrate the screen. Do not use metal objects to calibrate the screen. Using a metal object might damage the LCD touch screen. Firmware Update Use this option to update the Door Display firmware. The current status of the Door Display firmware is displayed on the menu button. The firmware status is one of the following: Setup required first The initial Door Display setup has not been completed and the Door Display is unable to access firmware status. Up-to-date The current Door Display firmware matches the current revision available on the OA. No firmware update is required. If necessary, the Door Display firmware can be reloaded using the Firmware Update menu. 34 HP Superdome 2 Door Status Display

35 Update Available A newer firmware revision is available for the Door Display. No Update Available The OA does not have firmware available for the Door Display. This occurs if the OA web server is disabled. NOTE: The Door Display firmware must be updated through the Door Display menu. Reboot Display Restarts the Door Display module only. IMPORTANT: You must reboot the Door Display after the Onboard Administrator reboots. The Door Display does not function until you reboot the Door Display after the Onboard Administrator reboots. Press Exit Display Settings to return to the Door Display status menu. Firmware Update menu NOTE: This menu is used to update the firmware of the Door Display only. The Firmware Update menu is available if the firmware status is displayed as Up-to-date or Update Available on the Firmware Update menu option. Choose one of the following options: To begin the firmware update process, press Start. To return to the Display Settings menu without updating the firmware, press Exit Firmware Update. NOTE: If the versions of the current Door Display firmware and the firmware available on the OA match, you are prompted to reload the firmware or cancel. Setting up the Door Display 35

36 When the firmware update is complete, you are prompted to reboot the Door Display to complete the firmware update. To reboot the Door Display only, press Reboot. After the Door Display reboots, you are prompted to calibrate the LCD touch screen. If you do not want to reboot the Door Display, press Not Now. The firmware update is not complete until the Door Display is rebooted. 36 HP Superdome 2 Door Status Display

37 4 First Time Setup Wizard NOTE: The First Time Setup Wizard is used only to configure compute enclosures and Onboard Administrator network settings. The First Time Setup Wizard does not enable you to set up and configure partitions. For more information about partition creation and management for HP Superdome 2, see the HP Superdome 2 Partitioning Administrator Guide. For more information about partition creation and management for the HP Integrity Superdome X, see the HP Integrity Superdome X User Service Guide at Before you begin Before running the First Time Setup Wizard, complete the following tasks: 1. Install the Onboard Administrator modules. 2. Connect the Onboard Administrator modules to the network. 3. Complete the Insight Display installation wizard. You must at least configure the active Onboard Administrator IP address. 4. Run the Insight Display installation. Logging on to Onboard Administrator For information on logging on to the Onboard Administrator, see Logging on to the Onboard Administrator GUI (page 16). The first time you log on, the Onboard Administrator automatically runs the First Time Setup Wizard. To navigate the setup wizard, click the Next button to save your changes and go to the next step. Click the Skip button if you want to leave the step without saving the changes. You can return to previous wizard steps by selecting them in the left tree view. You can also run the wizard again at any time by selecting it from the Wizards menu. Enclosure Selection screen The Enclosure Selection screen displays all discovered enclosures and selects the active enclosure, the enclosure you are signed in to by default. The check box beside each enclosure enables you to select or clear that enclosure. Selecting the check box beside All Enclosures toggles the check box for all enclosures. Before you begin 37

38 Click the Refresh Topology button to update the rack topology information. When you select Refresh Topology, the Enclosure Selection screen switches to the Linked Mode and all linked enclosures appear. If more than one enclosure is listed on the Enclosure Selection screen, select the enclosure you want to set up, and then click the Next button. For possible values and descriptions of each box, see Enclosure Status (page 81). Configuration Management screen The Configuration Management screen enables you to set up the selected enclosures using a configuration file saved from a previous setup. You can run scripts for multiple Onboard Administrators before leaving the current screen. 38 First Time Setup Wizard

39 To set up selected enclosures, using a configuration file: On the Configuration Management screen, select one of the following options: Local file: Browse for the configuration file, or enter the path of the script file into the textbox. The maximum number of characters in the file path is 256. Click Upload after entering the script file path. URL: Enter an path to the configuration file if it is located on a web server. The maximum number of characters in the file path is 256. Click Upload after entering the URL. A window opens and displays the results. If more than one enclosure is selected during the enclosure selection, select the enclosure to upload or apply the configuration file to use from the drop-down that appears. If multiple enclosures were selected, then repeat this process for each additional enclosure. You cannot select more than one enclosure at a time for configuration management. Rack and Enclosure Settings screen This screen enables you to assign time settings and a common name to your rack and to assign unique names and asset tags to your enclosures. Box Rack Name Date Possible value 1 to 32 characters including all alphanumeric characters, the dash (-), and the underscore (_) yyyy-mm-dd, where: mm is an integer from 1 to 12 dd is an integer from 1 to 31 The name of the rack in which the enclosure is installed The current date assigned to the enclosure Rack and Enclosure Settings screen 39

40 Box Time Primary NTP Server Secondary NTP Server Time Zone Enclosure Name Asset Tag Possible value hh:mm:ss (24-hour time) hh is an integer from 0 to 23 mm is an integer from 0 to 59 ss is an integer from 0 to 59 ###.###.###.### where ### ranges from 0 to 255 ###.###.###.### where ### ranges from 0 to 255 Time zone settings Africa time zone settings (page 222) Americas time zone settings (page 223) Asia time zone settings (page 224) Universal time zone settings (page 222) Oceanic time zone settings (page 225) Europe time zone settings (page 225) Polar time zone settings (page 226) 1 to 32 characters including all alphanumeric characters, the dash (-), and the underscore (_) 0 to 32 characters including all alphanumeric characters, the dash (-), and the underscore (_) The current time assigned to the enclosure IP address of primary NTP server that provides date and time information or the DNS name of the NTP server IP address of secondary NTP server that provides date and time information or the DNS name of the NTP server The time zone assigned to the enclosure The name of the selected enclosure The asset tag is used for inventory control. The default asset tag is blank. See the HP Superdome 2 User Service Guide or HP Integrity Superdome X User Service Guide for your system at for more information on connecting enclosures. 40 First Time Setup Wizard

41 Administrator Account Setup screen The Administrator Account Setup screen initially displays the name of the active enclosure and its current settings. If multiple enclosures are selected on the Enclosure Selection screen, a button is activated that enables you to expose separate inputs for each selected Onboard Administrator. Box Password Password Confirm Full Name Possible value 3 to 8 characters including all printable characters 3 to 8 characters including all printable characters 0 to 20 characters including all alphanumeric characters, the dash (-), the underscore (_), and the space The password for the Administrator account Must match the Password value The full name of the user Contact 0 to 20 characters including all alphanumeric characters, the dash (-), the underscore (_), and the space Contact information for the user account. The contact information can be the name of an individual, a telephone number, or other useful information. PIN Code PIN Code Confirm 1 to 6 characters from the character sets 0 to 9, a to z, and A to Z 1 to 6 characters from the character sets 0 to 9, a to z, and A to Z The PIN code for the enclosure Insight Display Must match the Insight Display PIN value Local User Accounts screen The Local User Accounts screen displays the user accounts assigned to the Active Onboard Administrator and provides choices for adding, editing, and deleting accounts. Administrator Account Setup screen 41

42 New: Click the New button to add a new user to the selected enclosure. A maximum of 30 user accounts can be added including the reserved accounts. The Add Local User screen appears. Edit: Select a user (only one can be selected) by selecting the check box next to the name of the user. Click the Edit button to change the settings on the Edit Local User screen, and then click Update User to save the information. Delete: Select a user or users to be deleted by selecting the check box next to the name of the user. Click the Delete button to delete the accounts. If an attempt is made to delete the last Administrator account, you will receive an alert warning that at least one Administrator account must exist and the delete action is canceled. User Settings screen The User Settings screen displays configurable user information. 1. Enter user information in the User Information and User Permissions sections. 2. Click Add User to save the information. 3. To return to the Local User Accounts screen, click Previous. 42 First Time Setup Wizard

43 4. For each user added, select the appropriate boxes to grant access to servers and interconnect bays. For possible values and descriptions of each box, see Managing users (page 157). Enclosure Bay IP Addressing screen The Onboard Administrator EBIPA feature is intended to help you provision a fixed IP address to a particular bay in an enclosure. The components plugged into the bays are set for DHCP, and interconnect modules are configured to use the internal management port to Onboard Administrator. If the component is configured for a static IP address, an EBIPA assignment to that bay has no effect. NOTE: If you use DHCP servers on your management network, then do not use EBIPA for management IP address assignments. For HP Integrity Superdome X systems, if you use fixed IP addresses for management processors, use EBIPA to assign IP addresses to the monarch ilo. Do not configure ilo to use static IP addresses directly. NOTE: The HP Superdome 2 ilo does not support hponcfg. NOTE: All IP addresses are supported, with the exception of address ranges x.y and x.y, which are reserved for internal management network. In addition, all the IP addresses must be within the same subnet defined by netmask and IP address so that all OAs as well as all ilos fit into that subnet. If the server blade is configured for static IP address, then it carries the same address even if the blade is moved to another enclosure. If the server blades are set for DHCP and the Onboard Administrator is configured for EBIPA addressing for that bay, then ilo will obtain an EBIPA-configured IP address when it is plugged into that enclosure. If your network has an external DHCP service or if you want to manually assign static IP addresses one by one to the server blades and interconnect modules, then to bypass this step, click the Skip button. Enclosure Bay IP Addressing screen 43

44 EBIPA Settings screen For information on how to set up EBIPA, see (page 95). Directory Groups screen LDAP is an open protocol for accessing information directories. While LDAP is based on the X.500 standard, it is significantly simpler. LDAP supports TCP/IP, which enables applications to work independently of the server hosting the directory. Use the Directory Group screen to set directory access for the now selected enclosures. On this screen, you can configure directory groups. For possible values and descriptions of each box, see Directory Groups (page 167). 44 First Time Setup Wizard

45 Directory Settings screen Use the Directory Settings screen to set directory access for the now selected enclosures. Using the Directory Settings screen, you can configure the following settings: Enable LDAP Authentication: Enables a directory server to authenticate a user login. Enable Local Users: Enables a user to log on using a local user account instead of a directory account. Search Context Specify one to six search contexts. A search context is a search filter or shortcut to a common directory, defining the directory users search to start at the specified path. By specifying a search context, users do not have to specify their full DNs at login. A DN might be long and users might not be familiar with their DN or might have accounts in different directory context. The Onboard Administrator attempts to contact the directory service Directory Settings screen 45

46 by DN and then applies the search contexts in order, beginning with Search Context 1 and continuing through any subsequent search contexts until successful. Search context is also applicable to LDAP directory groups, which are useful when LDAP nested groups are configured. When specifying the search context for an LDAP directory group, the exact context is not required. Use NT Account Name Mapping (DOMAIN\username): Enables NT name mapping so that you can enter the NT domain and user name. Box Directory Server Address Directory Server SSL Port Search Context 1 Search Context 2 Search Context 3 Search Context 4 Search Context 5 Search Context 6 Possible value ###.###.###.### where ### ranges from 0 to 255 or DNS name of the directory server or the name of the domain 0 to All characters except " (quotes), not to exceed 127 characters All characters except " (quotes), not to exceed 127 characters All characters except " (quotes), not to exceed 127 characters All characters except " (quotes), not to exceed 127 characters All characters except " (quotes), not to exceed 127 characters All characters except " (quotes), not to exceed 127 characters The IP address or the DNS name or the name of the domain of the directory service. This field is required. The port used for LDAP communications. The default port is port 636. This field is required. First searchable path used to locate the user when the user is trying to authenticate using directory services. This path is also used to search for nesting LDAP group. Second searchable path used to locate the user when the user is trying to authenticate using directory services. This path is also used to search for nesting LDAP group. Third searchable path used to locate the user when the user is trying to authenticate using directory services. This path is also used to search for nesting LDAP group. Fourth searchable path used to locate the user when the user is trying to authenticate using directory services. This path is also used to search for nesting LDAP group. Fifth searchable path used to locate the user when the user is trying to authenticate using directory services. This path is also used to search for nesting LDAP group. Sixth searchable path used to locate the user when the user is trying to authenticate using directory services. This path is also used to search for nesting LDAP group. Onboard Administrator Network Settings screen Use the Onboard Administrator Network Settings screen to modify network settings for all the Onboard Administrator modules in the selected enclosures. Settings for Standby Onboard Administrator modules appear only if the modules are present. Options for DHCP and static IP are supported. Changing network settings on the Onboard Administrator that you are signed in to might disconnect you from the Onboard Administrator. If this happens, you will have to sign in to the Onboard Administrator again. To continue, click Next. If you do not want to change network settings, click Skip. 46 First Time Setup Wizard

47 First Time Setup Wizard Network settings The Onboard Administrator allows the network configuration to be based either on dynamically assigned IP addresses obtained from a DHCP server or on static IP addresses that you specify manually. You choose the basis for network configuration by selecting the appropriate radio button. If you choose DHCP, you can enable Dynamic DNS. Use DHCP for all Active Onboard Administrators: Obtains the IP address for the Onboard Administrator from a DHCP server. The Standby checkbox is shown only if there is a Standby Onboard Administrator in the enclosure. Enable Dynamic DNS: Enable using the same host name for the Onboard Administrator over time, although the dynamically assigned IP address might change. The host name is registered with a DNS server. DDNS updates the DNS server with new or changed records for IP addresses. Use static IP settings for each Active Onboard Administrators: Manually set up static IP settings for the Onboard Administrator. The Standby checkbox is shown only if there is a Standby Onboard Administrator in the enclosure. For possible values and descriptions of each box, see Enclosure TCP/IP Settings (page 92). Onboard Administrator Network Settings screen 47

48 SNMP Settings screen Use the SNMP Settings screen to configure or modify the SNMP settings for the active Onboard Administrator. For possible values and descriptions of each box, see SNMP Settings (page 98). 48 First Time Setup Wizard

49 Power Management screen IMPORTANT: In a complex with one or more failed power supplies, it is possible for attempts to power on servers to fail if the resulting power allocation would result in the Power Redundancy Status becoming Failed. The administrator must explicitly reduce the redundancy setting to enable powering on servers prior to the failed power supplies being serviced. This applies to AC Redundant and Power Supply Redundant power modes. IMPORTANT: If redundancy mode is set to Redundant, AC Redundant, or Power Supply Redundant, and power redundancy is lost, then you must either add additional power supplies or change the redundancy mode setting in the Onboard Administrator to restore Power Subsystem status. One upper and one lower power supply must always be installed and operational. For corrective steps, see the Insight Display. Power Management screen 49

50 The enclosure power management system enables you to customize the configuration of the enclosure. You can select from the various modes on the Onboard Administrator Power Management screen. The power modes are explained in the following table. Mode Redundant AC Redundant Power Supply Redundant Not Redundant Dynamic Power Static Power Limit Insight Display name Redundant AC Redundant Power Supply None Dynamic Power Power Limit For DC power supplies only. In this configuration, N upper and N lower power supplies are used to provide power and N upper and N lower power supplies are used to provide redundancy (where N can equal 1, 2, or 3). Up to three upper and three lower power supplies can fail without causing the enclosure to fail. When correctly wired with redundant DC line feeds, this configuration also ensures that a DC line feed failure does not cause the enclosure to power off. For ac power supplies only. In this configuration, N upper and N lower power supplies are used to provide power and N upper and N lower power supplies are used to provide redundancy (where N can equal 1, 2, or 3). Up to three upper and three lower power supplies can fail without causing the enclosure to fail. When correctly wired with redundant ac line feeds, this configuration also ensures that an ac line feed failure does not cause the enclosure to power off. Up to six upper and six lower power supplies can be installed with one upper and one lower power supply always reserved to provide redundancy. In the event of a single upper or lower power supply failure, the redundant power supply in the same section (upper or lower) takes over the load. A line feed failure of more than one power supply in a section causes the system to power off. There is no power redundancy and no power redundancy warnings are given. If all power supplies are needed to supply Present Power, then any power supply or line failure can cause the enclosure to power off. If enabled, Dynamic Power automatically places unused power supplies in standby mode to increase enclosure power supply efficiency, thereby minimizing enclosure power consumption during lower power demand. Increased power demands automatically return standby power supplies to full performance. This mode is not supported for low voltage on the enclosure. An optional setting to limit power. Whenever you attempt to power on a device, the total power demands of the new device and of the devices already on are compared against this Static Power Limit. If the total power demands exceed the limit, the new device is prevented from powering on. Dynamic Power: The default setting is Enabled. The following selections are valid: Enabled: Some power supplies can be automatically placed on standby to increase overall enclosure power subsystem efficiency. Disabled: All power supplies share the load. The power subsystem efficiency varies based on load. Dynamic Power is not supported for low voltage on the enclosure. 50 First Time Setup Wizard

51 Finish Click Show Config to view the current configuration for the enclosure. To save the configuration as a text file: Microsoft Internet Explorer select Save As Mozilla Firefox select Save Page As For security, the retrieved current configuration does not contain any user passwords. You can manually edit the script to add the user passwords after the user name on the ADD USER lines. Also, the retrieved current configuration does not contain any of the LCD settings (Lock Buttons, Enable PIN Protection, and PIN Code). These settings cannot be added from the configuration script. You can clear the Do not automatically start this wizard again check box to force the First Time Setup Wizard to run again the next time a user signs into the Onboard Administrator. Click the Finish button to save and exit the First Time Setup Wizard. The First Time Setup Wizard screen closes and you are returned to the default main screen of the Onboard Administrator. Finish 51

52 5 Navigating Onboard Administrator Navigation overview The main Onboard Administrator navigation system consists two views: Tree view: Lists all of the complex devices on the left side of the main page and remains visible at all times. Graphical view: Displays a physical picture of the enclosures in the complex. You can navigate the devices and functions in a complex through either of these views. 52 Navigating Onboard Administrator

53 Tree view The tree view aids in navigating individual compute enclosure devices, connected IOXs and functions for all complex compute enclosures in a hierarchical manner. The rendering of the tree view depends on several factors, including user permissions, device availability, and device status. If a user is configured to be an Operator or User, then some options are might not be visible in the tree view. One of the main purposes of the tree view is to enable navigation using categories based on the major systems within the complex. When a category is expanded (by clicking the white plus icon on the blue box to the left of the category), an icon next to the category name can indicate a degraded status of the affected system. In the case of multiple components reporting status, the status icon indicates a cumulative worst-case status of all the devices in the same category. Individual device pages Clicking the link for an individual device selects the device, opens the device detail page, and selects the device in the graphical view in the right frame of the GUI. Individual device pages contain detailed information on the selected device and other device-related functions. Navigation overview 53

54 Category summary pages Category summary pages contain summary information for each of the devices in that category. For example, clicking the Device Bays link opens the Device Bay Summary screen. Each parent element in the tree works in this manner. When you click a category summary link, no devices are selected in the graphical view navigation. System forms pages Some devices, particularly HP Onboard Administrator, can have links to various system forms pages listed after their main links in the left tree navigation view. Form pages contain input text boxes, radio buttons, and other HTML input elements and are used to administer settings related to the device to which they belong. For example, you can use the HP Onboard Administrator 54 Navigating Onboard Administrator

55 system forms page to change IP address settings or update firmware. These forms are linked under the HP Onboard Administrator parent element. When you click a system forms link, the device to which the form page belongs is selected in the graphical view. For example, clicking the UID State link for the Active HP Onboard Administrator selects the Active HP Onboard Administrator device in the graphical view. Links to system forms do not display status icons. Graphical view navigation The second component of the Onboard Administrator GUI navigation system is a graphical representation of physical enclosures, called the graphical view. The graphical view consists of two subcomponents: a front view and a rear view. The following image shows the graphical view of a typical HP Integrity Superdome X compute enclosure. Navigation overview 55

56 Selecting a device To select a device, click the graphical representation of the device in the front or rear graphical view. When you select a device, its border changes from gray to light blue indicating that it is the now selected device. Selecting a device in the graphical view selects the corresponding device in the left navigation tree view. Every time you select a device from any part of the navigation system, the rest of the navigation reflects the device selection event and updates accordingly. Status reporting The graphical view reports the status of every device in the enclosure. The status of each device is indicated next to the device by a small status icon. No status icon appears for a device that is 56 Navigating Onboard Administrator

57 working properly and has an OK status. However, all other status codes appear as status icons next to the device. Status icons are used instead of the health LED in the graphical view component images to convey the device status. To provide a consistent and clean GUI interface, the LED displayed by the Onboard Administrator GUI does not always match the actual LED on the hardware. Users should rely on the status icons on the GUI to determine the device health status. Device security Although the front and rear graphical views are both affected by user permissions, security on the graphical view is handled differently from the left tree view. If the user does not have the permissions to access a device, a blank bay appears regardless of whether a device is present in that bay, and a padlock icon appears in the bay table cell, indicating that the bay is locked to the current user. The user cannot select a locked bay. When the user hovers the mouse over the locked bay, a message appears, indicating that the user does not have permission to access devices in that bay. Minimizing the graphical view To minimize the graphical view from the main display, click the box with the arrow, located directly to the left of the name of the enclosure in the graphical view box. This minimizes the graphical view and gives more room for the main section of the display. This is useful when viewing the Onboard Administrator on a small monitor or on a monitor with low resolution. Navigation overview 57

58 58 Navigating Onboard Administrator

59 6 Complex Overview Complex Overview screen The Complex Overview screen displays a graphical representation of each compute enclosure in the complex, called the graphical view. The graphical view consists of a front view and a rear view of each enclosure. The front view shows the presence and status of the following components: blades bulk power supplies the DVD module The rear view shows the presence and status of the following components: PDUs X-Fabric Modules GPSMs OAs interconnect modules Fans When you mouse over a device in the graphical view, a window appears with information on that device. The graphical view provides status on each device in the enclosure and gives you the option of selecting an individual device for viewing more detailed information. NOTE: Status icons are used instead of the health LED in the component images to convey the component status. Components with an OK status will not have status icons. Complex Overview screen 59

60 Compute Enclosures tab Item Enclosure Name Enclosure ID Serial Number UUID Part Number Asset Tag UID State Insight Display The DNS name of the enclosure and the name of the enclosure in the rack. The ID for the enclosure in a multi-enclosure system. The unique serial number of the enclosure. The Universally Unique Identifier assigned to the enclosure. The part number of the enclosure used when getting a new or replacement enclosure. The tag used for inventory control. Displays On or Off, depending on whether the UID is active. A link to the Insight Display page of the enclosure. To update the complex topology information, click the Refresh Topology button. Power and Thermal tab The Power and Thermal tab displays information about the temperature inside each compute enclosure and the thermal and power subsystem health status. A graphical view of the present power and power limit helps you determine the power status. NOTE: IOXs. This information appears only for compute enclosures. Information is not included for Table 2 Compute enclosure cooling requirements Item Current Btu/hr Max Btu/hr The sum of the amount of heat being generated by the complex enclosures measured in Btu per hour. The maximum amount of heat that can be generated by the complex enclosures under load measured in Btu per hour. 60 Complex Overview

61 Table 3 Compute enclosure thermal and power status Item Enclosure Ambient Temperature Thermal Subsystem Status Power Subsystem Status Power Mode Present Power Power Limit This box displays the highest ambient temperature being reported by the installed blade devices. If no blade devices are installed, then this box displays the temperature of the Onboard Administrator module as an approximation of the ambient temperature. The overall thermal status of the enclosure. Possible values are Unknown, OK, Degraded, or Critical Error. The overall power status of the enclosure. Possible values are Unknown, OK, Degraded, or Critical Error. A user setting to configure the enclosure DC power capacity and the input power redundancy mode of the enclosure. See Power Management (page 141) for possible values. The amount of watts being consumed by all devices in the enclosure. The maximum amount of power available for consumption by the enclosure measured in watts. IMPORTANT: In a complex with one or more failed power supplies it is possible for attempts to power on servers to fail if the resulting power allocation would result in the Power Redundancy Status becoming Failed. The administrator must explicitly reduce the redundancy setting to enable powering on servers prior to the failed power supplies being serviced. This applies to AC Redundant and Power Supply Redundant power modes. NOTE: If redundancy mode is set to AC Redundant, or Power Supply Redundant, and power redundancy is lost, then you must either add additional power supplies or change the redundancy mode setting in the Onboard Administrator to restore Power Subsystem status. See the Insight Display for corrective steps. NOTE: The Power Limit is dependent on the enclosure power redundancy setting and the number and location of the power supplies in the enclosure. If a Static Power Limit has been specified, the Power Limit displays that limit. Complex Information screen Status tab The Complex Information screen has four tabs: Status Information Complex Logs Complex CLI The Status tab provides the current operational status of the entire complex and the status of each compute enclosure and IOX in the complex. Complex Information screen 61

62 Item Complex Status CAMNET Status Robust Store Status Cooling Status Thermal Status Product ID Enclosure ID Xfabric Status The overall health of the complex. Possible values are Unknown, OK, Degraded, and Failed. The overall health of the CAMNET fabric in the complex. Possible values are Unknown, OK, Degraded, and Failed. The health of the complex Robust Store. Possible values are Unknown, OK, Degraded, and Failed. The overall health of the cooling systems in the complex. Possible values are Unknown, OK, Degraded, and Failed. The overall thermal status of the complex. Possible values are Unknown, OK, Degraded, and Failed. The overall status of product IDs of all devices in the complex. Possible values are Unknown, OK, Degraded, and Failed. The overall status of enclosure IDs of all enclosures in the complex. Possible values are Unknown, OK, Degraded, and Failed. The overall status of the Xfabric. Possible values are Unknown, OK, Degraded, and Failed. The Complex Status tab displays diagnostic information in the Diagnostic Information table. Item Overheat Check Cooling Temperature is above the danger threshold. Possible values are OK or Critical temperature threshold reached. The status of the fans in the complex. Possible values are OK or Insufficient fans for enclosure cooling. 62 Complex Overview

63 Item Device Operational Device Degraded Firmware Mismatch Indicates whether or not a device has been declared degraded by firmware when status was not requested by the Onboard Administrator. Possible values are OK or Error. (Degraded state is less severe than a failed state.) Indicates whether or not a device has been declared degraded by firmware when status was requested by the Onboard Administrator. Possible values are OK or Error. One or more components in the Complex contains firmware that is not compatible with other components in the Complex. The Complex Status tab displays general status information about each compute enclosure and IOX in the complex in the Enclosure Status Overview table. Enclosure Status Overview Column Enclosure ID Enclosure Name Status The assigned number of the compute enclosure in the complex. The assigned name of the compute enclosure. The overall health of the compute enclosure. Possible values are Unknown, OK, Degraded, and Failed. IOX Status Overview (HP Superdome 2) Column IOX Number Status The number of the IOX in the complex. The overall health of the IOX. Possible values are Unknown, OK, Degraded, and Failed. Information tab The Information tab provides general information about the complex and an input box to change the Complex Name. Complex Information screen 63

64 Item Product Name Manufacturer Original Product Number Current Product Number Serial Number Universal Unique Identifier (UUID) Monarch Enclosure Number Number of Enclosures Number of IOXs Complex Firmware Version Common descriptive name of the complex Name of the company that manufactured the complex The original product number of the complex The current product number of the complex The unique manufacturer serial number of the complex The Universally Unique Identifier number assigned to the complex The number of the compute enclosure in the complex designated as the monarch enclosure The total number of compute enclosures in the complex The total number of IOXs in the complex The now configured firmware bundle version on the complex Settings box The text input box below the Complex Information table enables you to change the Complex Name for the complex. After choosing a Complex Name, to save changes, click the Apply button. 64 Complex Overview

65 Complex Logs tab The Complex Logs tab displays links to launch log viewers in new windows. The available log viewers are the System Event Log, Forward Progress Log and the Live Log. Complex CLI Tab This tab opens a page that provides a link to launch a Command Line Interface shell on the Monarch OA. Only one CLI session may be launched from the OA GUI. The CLI shell is a separate application launched by the GUI and is displayed in its own separate window. Complex Information screen 65

66 Complex Information: Firmware Management This option can be expanded to show links for the following: Complex Firmware Summary see Complex Firmware Summary screen (page 66) Updating Firmware see Online complex firmware update (page 67) Complex Firmware Summary screen The Firmware Summary screen displays the current status of firmware in the complex. Superdome systems support two types of firmware, complex firmware that must be consistent across all devices in the complex, and partition firmware that runs on the system processors of server blades. Firmware on the system can be in one of three states: Configured the firmware that should be running on a specific entity. Installed the firmware that is currently installed and will become active on the next boot. Active the version of firmware currently running on the system. A table with the configured complex firmware version appears at the top of the screen. If any entity within the complex does not have the correct complex firmware, a second table will be displayed indicating which entities have mismatched firmware. NOTE: The displayed firmware version will depend on the firmware installed on your system. Table 4 Complex Firmware information Item Configured Complex Firmware Version Enclosure / Bay Model Installed Version The version of the firmware bundle currently configured on the complex. The compute enclosure and bay number of the device with mismatched firmware The model number of the device The currently installed version of the firmware on the device. Each partition in the complex is displayed after the Complex Firmware, with the version of the firmware currently configured and active on the partition. If any devices within a partition have firmware versions that do not match the currently installed version of the complex firmware on the partition, they are displayed below the partition firmware information. 66 Complex Overview

67 Table 5 Partition Firmware information Item Configured Partition Firmware Version Active Partition Firmware Version Enclosure / Bay Model Installed Version The version of the firmware bundle currently configured on the partition. The version of the firmware bundle currently active on the partition. If the partition is not currently booted, the Active firmware version will be displayed as Unavailable while partition is inactive. NOTE: The active version of the firmware will not match the configured version if the partition requires a reboot after a firmware update. The compute enclosure and bay number of the device with mismatched firmware. Type of device with mismatched firmware. The currently installed version of the firmware on the device. Online complex firmware update Introduction IMPORTANT: Online firmware updates are supported on HP Integrity Superdome X firmware version or later. Updating from version requires an intermediate firmware update to , and then to the latest supported firmware release. See the release notes for the HP Integrity Superdome X Support Bundle for SLES 11 SP3. When performing an online complex firmware update, server management capabilities are inactive, and this is something which operators should keep in mind. It should not be surprising that server management entities throughout the complex will bear responsibility to update their own firmware Flash ROMs, reboot updated firmware images, and reestablish internal communications with each other, but it is important to remind operators what kinds of management services will become temporarily unavailable at the server level during an online complex firmware update operation. This information is being provided to inform the user of such server management limitations, but will not be a complete listing of all possible consequences which may be encountered during an online complex firmware update. HP Superdome 2 firmware updates HP Superdome 2 complex firmware bundle version and HP-UX 11i v3 September 2011 or later, supports online complex firmware updates. The ability to support online complex firmware Complex Information: Firmware Management 67

68 updates can dramatically reduce the amount of partition downtime required for a customer to update their HP Superdome 2 systems to future firmware bundles. Under certain conditions, partition downtime needed to apply a new firmware bundle can even be eliminated entirely. However, there may also be other partition maintenance activities (OS patch installations, for example) to complete during a maintenance window that will involve a partition reboot in order to take effect. Also, it should be understood that firmware updates which include new partition firmware packages (system firmware) will require a partition reboot to activate, but the timing of such an operation can be done on an individual npartition basis as determined by the operator to best fit their individual needs. NOTE: HP Superdome 2 systems running firmware prior to cannot perform an online complex firmware update. Updating firmware from a release prior to (1.3.1 for example) must be performed with all partitions taken offline, and the xfabric powered off. HP Integrity Superdome X firmware updates For information about HP Integrity Superdome X complex firmware and driver updates, see the HP Integrity Superdome X User Service Guide. Services unavailable Server management features are unavailable during the process of an online complex firmware update. System firmware will continue to operate and support the OS running on partitions in the complex, however certain activities may require system firmware to interact with server management firmware, and these operations will not work during the actual process of executing an online complex firmware update. These partition/complex firmware interactions may either be delayed until after the complex firmware update operation has completed, or may be dropped or only partially used. Legacy sx2000 Superdome systems also supported online update of server management entities (MP, ED, PDHC, CLU), and performing such updates held similar consequences for that platform. The following table shows the major classes of server management services which the OS and applications use during normal runtime and details their Availability or Unavailability during the online complex firmware update process: Service Management processor access (for example: poweron/off, restart, TOC, console, logs) IPMI services Console service to OS System firmware services during boot, shutdown, MCA, INIT and CMC logging operations Network management services (SD2 has additional services). OS-debugger, HP-SIM XML query, HP-SUM SOAP query, WEBES ws-manage events and query. Status during online complex firmware update Unavailable Unavailable Unavailable, and some character loss is possible if the buffer fills up Available Unavailable Management Processor access When an online complex firmware update is initiated, all current users are disconnected from the OA for the duration of the complex firmware update process. This includes all OA CLI and GUI sessions, with one possible exception: If the operator initiates the firmware update from the CLI, then this session will remain active to allow for tracking the progress of the update for all but the last few minutes. The time it takes for a complex firmware update to complete is highly variable based on system size and complexity (bigger systems take longer), and the number of firmware 68 Complex Overview

69 packages in the bundle which must be updated, but is not expected to exceed 150 minutes under any conditions. Typical firmware updates will take less time to complete. IPMI During the process of an online complex firmware update, no IPMI requests can be serviced until the update completes. This means that partition configuration changes, including icap changes, will not be allowed. For reference purposes the following IPMI CLI commands are unavailable: parcreate pardefault parremove parmodify parstatus vparcreate vparremove vparmodify vparboot vparreset vparstatus icapmodify icapstatus Event logs Forward Progress Logs and System Event Logs normally captured by the server management system will not be updated during the firmware update process. IPMI Watchdog During the online complex firmware update process, the IPMI watchdog timeout will be disabled. It will be re-enabled when the system wakes up. The OS will discover the watchdog timer has disappeared after the firmware update process has completed, and will recreate it by design. Partition ID (HP-UX) For HP Superdome 2 partitions running HP-UX, the # getconf _CS_PARTITION_IDENT command (which returns HP-UX partition ID), is used for licensing. It is a concatenation of UUID + npartition # + vpar #. UUID is continuously available from the SMBIOS table. The latter two (npartition, vpar #s) are obtained using an IPMI call which may fail during the firmware update process. HP-UX caches this information after the very first call to getconf _CS_PARTITION_IDENT, so this command would only fail if it had never been run before the firmware update process began. For information about how the partition UUID is managed in HP Integrity Superdome X systems, see the HP Integrity Superdome X User Service Guide. Console When the firmware update is in progress, the OS console cannot be serviced on the server management side. Since all active sessions to the OA CLI and GUI interfaces are closed at the beginning of the firmware update process, the OS console cannot be actively viewed during this process. The OS console is normally a quiet interface with little character traffic; however there are conditions (OS panics, for example) where the character buffer could potentially fill up during the firmware update process. If the console character buffer is full during an active online complex Complex Information: Firmware Management 69

70 firmware update, new incoming characters will be dropped so the console does not hang on the OS side. This potential for console character loss does not extend to kernel memory (dmesg) or impact the OS syslog or crashdump area in any way, so this should not inhibit OS problem diagnosis in the unlikely event something unexpected occurs at the OS level. The characters captured in the buffer will be drained once the firmware update process completes, and console operation will return to normal. System Firmware Services During Boot and Shutdown Certain partition events which occur while the OS is running may not be handled if they occur while management firmware is unavailable: OS-requested restart (for example: TOC, shutdown r) MCA On HP Superdome 2 systems, HP-UX boot might hang until firmware update completes In the cases above, the OS shutdown or restart may not complete. The system design does not make any guarantees about successful handling of OS restart, MCA, or boot that occurs during the online complex firmware update process, so HP recommends that the operator not attempt to initiate operations like an OS shutdown, boot/reboot, cold installation, patch update, or a Serviceguard cluster reconfiguration request during the online complex firmware update process. Such actions should be performed serially to avoid potential conflict consequences. All PAL and SAL calls do work during an online complex firmware update, as these commands execute at the partition level and do not access server management resources. The following services are not affected by the online complex firmware update process, and will remain operational: Get/SET EFI Variables Calls to get/set EFI variables will work for the OS. HPET Timer The HPET timer will not be re-initialized, and this partition resource will remain available throughout the firmware update process. EFI_SetTime System firmware will continue to maintain the correct time during an online firmware update. Error Records Error records can be generated as a result of INIT, CMC/CPE, and MCA. INITs are stored by system firmware in NVRAM, so these records will be available to the OS after restart. They will be also be available to CLI errdump once the firmware update completes. Logging of CMC/CPE error records are unaffected by a PDHC or OA restart errors not logged before a restart are saved in hardware and will be logged after the restart. MCA logs may be lost during this period, however system firmware will alert server management that an MCA has occurred once the firmware update completes, and server management will ensure the partition is reset and data integrity maintained. Affected OS Commands The HP-UX machinfo command can print the firmware versions. This command may malfunction during an active online complex firmware update operation when it attempts to print the BMC firmware version, which is sourced via IPMI. 70 Complex Overview

71 Network Services to OA All network services provided by the OA are interrupted by the firmware update process. These services include: XML inventory query from HP-SIM WS-MAN partition query from HP-SIM and plug-ins User interface (ssh, web, telnet) for all OA services SOAP request from GiCAP Group Manager, HP-SUM Kernel debugger connection through OA network port Console access through the OA Ping, SNMP queries This is the same as legacy MP or C7000 OA (depending on the protocol) behavior during an update. Frequently asked questions: Some sample questions are included below to aid the operator wishing to perform an online complex firmware update. 1 Can Oracle use IPMI to reset a partition? Not during the online complex firmware update process. 2 Do virtual partition reboots proceed during online complex firmware updates? GWLM tries a number of times and gives up, logs an error, will come back and retry later. Changes won t happen until it eventually tries later when the firmware update process has completed. 3 GWLM asks for dynamic resource change (for example, Vparmodify), what happens when it can not execute for an hour? GWLM tries a number of times and gives up, logs an error, will come back and retry later. Changes won t happen until it eventually tries later when the firmware update process has completed. 4 How does field support debug if something happened during an online complex firmware update? Kernel memory (dmesg), the OS syslog, and crashdump memory is unaffected, so this will not inhibit debug for OS-related events. The loss of event logs during the firmware update process is unavoidable (as it was on legacy sx2000 Superdome systems), but the SEL will indicate start and finish times for the update process. 5 What happens if Serviceguard or other cluster software tries to TOC during an online complex firmware update? If a node tries to TOC itself from an application running on the partition, the partition OS will shut down to a point where it is ready to talk to server management. From an application viewpoint, the system is down. It may or may not automatically restart when the firmware update process completes. The service processor is unavailable during online complex firmware update, so a node cannot successfully TOC another node. 6 Will agents that require licensing or UUID find that information available during an online complex firmware update? System firmware services are largely available during online firmware update Machinfo reports system firmware revision, BMC revision, FPSW revision (HP-UX) See the description under Partition ID (HP-UX) (page 69) for details (HP-UX) Complex Information: Firmware Management 71

72 Known issues: NOTE: Most of these issues are for HP-UX only. The following observations are included to help the operator understand how the loss of server management features might be visible from the OS perspective. hpvminfo command qualifiers fail The use of certain hpvminfo command qualifiers will return an ioctl error when executed during online firmware update. This may also result in a delay before the results of the command are displayed. The affected commands include: hpvminfo, hpvminfo -V, and hpvminfo -v. Newly created HPVM guests cannot be started Any newly created HPVM guest cannot be started during online firmware update. When you attempt to start the guest, the hpvmstart command will hang at "Initializing Forward Progress Log." The hpvmstart command will complete successfully after the Online Firmware Update has completed. NOTE: This issue only pertains to newly created guests that have never been started. Guests that have been started at least once prior to the Online Firmware Update will start without any problems. Serviceguard Manager performance degradation and proxy errors Serviceguard Manager may experience some performance degradation or report proxy errors during online firmware update. These issues do not adversely affect the Serviceguard cluster or applications being managed by Serviceguard. If you do receive a message about a proxy error, you can resolve the issue by reloading the page. Performance returns to normal once the online firmware update has completed. cimserver shutdown and startup fail The cimserver command will timeout when attempting to shutdown or startup during online firmware update. Stopping or starting the cimserver process should be performed before or after the online firmware update. The affected commands include: cimserver -s and cimserver. cimauth is unable to add authorizations cimauth will fail to add authorizations during online firmware update. These operations should be performed before or after the online firmware update. Example of a cimauth command: cimauth -a -u wbem -n root -R -W cprop command qualifiers fail The use of certain cprop command qualifiers will report Connection timed out when executed during online firmware update. The affected commands include: cprop -summary -a and cprop -summary -Memory. SMH is unable to query memory or enclosure information The SMH is unable to query memory or enclosure information during online firmware update. This information is properly reported before and after the online firmware update. setboot and related commands are unable to display or modify boot variables The setboot command is unable to display or modify boot variables during online firmware update. This also impacts any command that calls setboot. 72 Complex Overview

73 The affected commands include: setboot, drd activate, drd status, vxbrk_rootmir, and vxrootmir. wbemassist namespace error wbemassist reports a namespace error when checking the WBEM Server response. par* and vpar* commands fail Parcon services are not available during online firmware update. Due to this unavailability, all par* and vpar* commands will fail. The affected commands include, but are not limited to: parcreate, parmodify, parperm, parstatus, vparcreate, vparmodify, vparstatus, and others. Firmware Update screen IMPORTANT: For HP Superdome 2 systems, you cannot update firmware through the HP Superdome Onboard Administrator GUI if you have complex firmware earlier than firmware bundle If you have complex firmware earlier than the firmware bundle , to update complex firmware, see the UPDATE FIRMWARE section in the HP Integrity Superdome X and Superdome 2 Onboard Administrator Command Line Interface User Guide. If you select the firmware update link in the left navigation panel, the firmware update selections screen will be displayed. Complex Information: Firmware Management 73

74 This screen displays the options available for firmware update: Analysis Only Use this option to display the actions that will be executed by the update. This option will run the analyze update and exit without executing the update. No Firmware will be modified. Force Downgrade Use this option if you are downgrading the firmware to a previous version. The firmware update process will fail if you are downgrading and this option is not selected. The next table on this screen allows for the selection of the Update Type: Update All Firmware This option will update ALL complex and partition firmware on the system. Update Complex Firmware This option will update only the complex firmware on the system. Update npartition Firmware This option will update the npartition firmware for the selected entities. NOTE: If Update npartition Firmware is selected, a new table will be appear that allows the selection of unassigned blade resources and existing partitions. You can select all or one or more partitions or blades from each list. After the update type and targets are selected, you will need to determine if the firmware image being installed is from a URL, located on a USB drive plugged into the DVD module in enclosure 1, or in the archive storage of the monarch enclosure. IMPORTANT: To update firmware on a system, you must be an Administrator level user assigned access to the partitions which you are attempting to update. Partition firmware update will not be allowed without assigned access to the partition. Firmware image download After starting an update, a progress bar showing the progress of the firmware image download will be displayed. Firmware analysis When the firmware bundle download completes, the GUI will display a wait bar while the system runs the firmware analysis. After the system completes the firmware analysis, the GUI will display the analysis results on an analysis page. This page will contain sections that may display notice, warning, and error messages. It will also display the list of partitions and components that will be updated if the analysis was successful. 74 Complex Overview

75 If the analysis fails, you will not be supplied with further options. If the Analysis Only option was not selected, then the firmware update will automatically continue after 30 seconds. During this time the you will have the option to cancel the update using the Cancel Update button at the bottom of the analysis page. Update Status When the firmware update starts, the page will change to display the update status page. This page will show the current status of the update. Complex Information: Firmware Management 75

76 The following information will be displayed: The status of each component being updated. The total number of components that will be updated. The number of component updates either completed successfully or failed. The estimated time remaining in the update. IMPORTANT: When two Itanium processor family partitions share a single IOX, you will have to reboot both partitions in order to use the new firmware. The interface does not allow the ability to do two or more concurrent updates. If another user attempts to initiate an update, an alert appears. 76 Complex Overview

77 Enclosure DVD Module screen The DVD module in a compute enclosure can be used by a partition to perform software installations and updates in the same manner as a standard DVD drive is used in a computer system locally or remotely. The DVD module is not connected to any partitions in the complex after initial installation. To use the DVD drive, an administrator must first connect the DVD module to any or all partitions through the Onboard Administrator CLI or by navigating to the Complex npartitions menu and selecting the Virtual Devices tab. For more information for HP Superdome 2, see the HP Superdome 2 Partitioning Administrator Guide. For more information for HP BL920s Gen8, see the HP Integrity Superdome X User Service Guide. Enclosure DVD Module screen 77

78 Status and Information tab information Item Status Product Name Manufacturer Serial Number Part Number Spare Part Number Engineering Date Code Current status of the DVD module. Possible values are OK, Degraded, or Not Present. The common descriptive name of the DVD module. The name of the company that manufactured the DVD module. The unique serial number of the DVD module. The part number to use when ordering an additional DVD module of this type. The part number to use when ordering a replacement DVD module of this type. Manufacturing information about the DVD module. Diagnostic Information Item Device Identification Data Power Allocation Request Device Operational Contains information on model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. Device identification data error displays if the data is not present or not readable by the Onboard Administrator. There is insufficient power to adequately power the DVD module. Possible values are OK or Insufficient enclosure power. Status of the DVD module. Possible values are OK or Error. 78 Complex Overview

79 Item Partner Device Presence Device Indictment Not applicable for HP Superdome 2 or HP Integrity Superdome X systems. This line will always display OK. Indicates if the device has been indicted by the Superdome Analysis Engine. Enclosure DVD Module screen 79

80 7 Configuring compute enclosures and enclosure devices Viewing the status screens Each compute enclosure in the complex can be selected from the left navigation tree. Clicking the enclosure name opens the main status screen of the enclosure. On this page, four tabs are available at the top of the main page: Status Information Virtual Buttons Component Firmware The Status tab displays one of the following values as Overall Enclosure Status: Critical/Failed Major Minor/Degraded Warning Normal/OK Disabled Unknown Informational The Active HP Superdome Onboard Administrator Status and Standby HP Superdome Onboard Administrator Status are similar to the Overall Enclosure Status and display a status for the Onboard Administrator. If a Standby Onboard Administrator is not present in the system, its status value is Absent. Enclosure Power Mode displays the current power mode of the enclosure. The following values are possible: AC Redundant Power Supply Redundant Not Redundant The Enclosure Device Status Overview is divided into six sections: Device Bay Overview Interconnect Overview XFM Bay Overview GPSM Overview Power Subsystem Thermal Subsystem For each of these sections, the following values are possible: Critical/Failed Major Minor/Degraded Warning 80 Configuring compute enclosures and enclosure devices

81 Normal/OK Disabled Unknown Informational Enclosure information Enclosure Status This section provides detailed procedures to configure the management functionality provided by the Onboard Administrator. Select the tree view menu item Enclosure Information to view the enclosure Status screen. Enclosure information 81

82 Enclosure Status tab Table 6 Status information Item Enclosure Status Active OA Status Standby OA Status Power Mode The overall status of the enclosure. Possible values are Unknown, OK, Degraded, N/A, or Critical Error 1. The overall status of the active Onboard Administrator. Possible values are Unknown, OK, Degraded, and Failed. The overall status of the standby Onboard Administrator. Possible values are Absent, Unknown, OK, Degraded, and Failed. The power redundancy mode. Possible values are AC Redundant, Power Supply Redundant, Not Redundant, or Unknown. For information on these modes, see the user guide for your system. 1 The enclosure status appears as N/A if the Enable Extended Data or GUI Login Page setting is disabled. This setting is accessible at Enclosure Settings Network Access Anonymous Data Diagnostic information Diagnostic information is gathered by polling a device microcontroller (resulting in a degraded status if a failure has occurred), or is sent by the device microcontroller, without being polled to report a failure. Item Device Identification Data Overheat Check Device Operational Device Degraded Management Buses Redundancy DVD Blades Device Indictment Contains information on model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. Device identification data error displays if the data is not present or not readable by the Onboard Administrator. Temperature is above the danger threshold. Possible values are OK or Critical temperature threshold reached. Possible values are OK or Error. View the syslog for errors. Possible reasons for the error are mismatched firmware or a software or hardware failure. Indicates whether or not a device has failed when status was requested by the Onboard Administrator. Possible values are OK or Error. Management bus status. Possible values are OK or Error. An error indicates the redundant Onboard Administrators are having problems syncing up. Check the syslog for errors. Possible reasons for the error are mismatched firmware or a software or hardware failure. DVD connection status. Blade status. Indicates if the device has been indicted by the Superdome Analysis Engine. Table 7 Subsystems and Devices information Table Device Bay Overview All Device Bays Interconnect Bay Overview All Interconnect Bays XFM Bay Overview All XFM Bays The overall status of all device bays. Possible values are Unknown, OK, Degraded, and Failed. The overall status of the interconnect bays. Possible values are Unknown, OK, Degraded, and Failed. The overall status of the XFM bays. Possible values are Unknown, OK, Degraded, and Failed. 82 Configuring compute enclosures and enclosure devices

83 Table 7 Subsystems and Devices information (continued) Table GPSM Bay Overview All GPSM Bays Power Subsystem System Status Thermal Subsystem System Status The overall status of the GPSM bays. Possible values are Unknown, OK, Degraded, and Failed. The overall status of the Power Subsystem of the enclosure. Possible values are Unknown, OK, Degraded, and Failed. The overall thermal status of the enclosure. Possible values are Unknown, OK, Degraded, and Failed. NOTE: If any subsystem contains a component with a status other than OK, all components of that subsystem with a status other than OK are displayed inline. Enclosure information 83

84 Enclosure Information tab Hardware information Item Part Model The general description of the enclosure component The model name of the enclosure component 84 Configuring compute enclosures and enclosure devices

85 Item Manufacturer Serial Number Part Number Spare Part Number The name of the company that manufactured the enclosure component The unique serial number of the enclosure component The part number to be used when ordering an additional enclosure component The part number to be used when ordering a replacement enclosure component Changing settings You can change enclosure settings from this screen. To save the settings after making the changes, click the Apply button. Item Enclosure Name Possible value 1 to 32 characters including all alphanumeric characters, the dash (-), and the underscore (_) The name of the selected enclosure Rack Name Asset Tag 1 to 32 characters including all alphanumeric characters, the dash (-), and the underscore (_) 0 to 32 characters including all alphanumeric characters, the dash (-), and the underscore (_) The name of the rack in which the enclosure is installed The asset tag is used for inventory control. The default asset tag is blank AlertMail Virtual Buttons tab To change the state of the enclosure UID, click the Toggle On/Off button. The enclosure UID is located to the left of the enclosure link-down port. AlertMail enables users to receive system events by instead of using SNMP traps. AlertMail is completely independent from SNMP, and both can be enabled at the same time. AlertMail uses standard SMTP commands to communicate with an SMTP-capable mail server. The "Reply To" address for each sent by AlertMail is <Enclosure Name>@<Alert Sender Domain>. To enable the AlertMail feature, select the Enable AlertMail check box. To test the AlertMail function: 1. Be sure that the address, alert sender domain, and SMTP server settings are correct. 2. Select the Send Test AlertMail button. 3. To confirm that the test completed successfully, verify the recipient account. Enclosure information 85

86 NOTE: The Alert Sender Domain might not be required. The information in this box depends on the mail server setup. Box address Possible value This box is a valid address for the administrator or other designated individual receiving the AlertMail Alert Sender Domain A character string including all alphanumeric characters and the dash (-) The domain in which the Onboard Administrator resides SMTP Server ###.###.###.### where ### ranges from 0 to 255 An IP address for the SMTP server To enable the AlertMail feature: 1. Select the Enable AlertMail check box to enable the AlertMail feature. 2. Enter values for the address, alert sender domain, and SMTP server. 3. Click the Apply button to save the settings. AlertMail, if enabled, sends alerts by for the following events: Enclosure status change Enclosure information change Fan status change Fan inserted Fan removed Power supply status Power supply inserted Power supply removed Power supply overload Blade inserted 86 Configuring compute enclosures and enclosure devices

87 Blade removed Blade status Blade thermal condition Blade fault Blade information change Tray status change Tray reset Switch connect Switch disconnect All s have the following header: From: Enclosure ENCLOSURE-NAME Date: Date in standard format Subject: HP AlertMail-SEQ: <SEVERITY> SUBJECT To: RECEIVER MAILBOX Where <SEVERITY> is one of the following (from highest to lowest): # FATAL # CRITICAL # WARNING MAJOR # WARNING MINOR # WARNING # NORMAL Each subject line contains a unique sequence number to easily identify the order of events in case the mail server distributes them in the wrong order. Sequence numbers range from 0 to 999 and restart at 0. The mail body is used to give more detailed information regarding the event issued. The mail body also contains information on what the user must do to correct any issue and what the current enclosure status is. NOTE: The enclosure status is displayed as the status at the time when the event is processed which can cause the status to show up as OK in an saying a Fan has Failed if the user replaced the fan at the time the event is sent out by AlertMail. Sample Subject: HP AlertMail-010: (CRITICAL) Power Supply #1: Failed Date: Wed, 23 Apr :02: From: Enclosure EM-00508BEBA571 <EM-00508BEBA571@hp.com> To: user@domain X-OS: HP Superdome 2 Enclosure Manager X-Priority: 1 Content-Type: text/plain; charset=us-ascii EVENT (26 May 07:09): Power Supply #1 Status has changed to: Failed. Enclosure, EM-00508BEBA571, has detected that a power supply in bay 1 has changed from status OK to Failed. The power supply should be replaced with the appropriate spare part. You can ensure that the center wall assembly is operating correctly by swapping the two power supplies. Make sure that there are no bent pins on the power supply connectors before reinserting and that each power supply is fully seated. Enclosure information 87

88 An amber LED on the power supply indicates either an over-voltage, over-temperature, or loss of AC power has occurred. A blinking LED on the power supply indicates a current limit condition. Enclosure Status: Degraded Enclosure Management URL: - PLEASE DO NOT REPLY TO THIS - Device Power Sequence tabs The enclosure power delay feature controls the order in which components are powered on if the entire enclosure has been power cycled. This feature is only enabled during the active Onboard Administrator boot process if the Onboard Administrator detects that the entire enclosure has been power cycled and power delay has been enabled on at least one component in the enclosure. The active Onboard Administrator displays a message in the system log when power delay has been initiated, and also displays a message in the system log when power delay has completed after the longest power delay has passed. The Onboard Administrator factory default setting is to disable power delay for all components. Typical use cases involving bay to bay dependencies that can be resolved by enabling the enclosure power delay feature include: Boot from network Network interconnects must complete power on self test prior to servers that are configured to boot from the network (for example, PXE or iscsi). Boot from SAN SAN interconnects must complete power on self test prior to servers that are configured to boot from SAN Critical service dependencies controlled by a server such as DHCP or licensing Storage servers must be operational prior to servers requiring those resources The delay time setting must be determined empirically since some dependencies are outside the enclosure (boot from SAN might require additional delay to enable the datacenter SAN storage system to power on). Each interconnect module has different power on timing before it is operational. The timer used for power delay is started at the time the Onboard Administrator enters the first system log message during Onboard Administrator initialization indicated by the system log message Kernel: Network link up. When the HP Onboard Administrator indicates PowerDelay has been initiated for the selected devices in the system log, the configured delay times for each bay are used to determine when that component is turned on. After the selected delay time has elapsed, that component is turned on. Valid settings for each bay are: Disabled, Enabled and No Poweron. Disabled Disables powerdelay for this bay. Onboard Administrator grants power to this bay based on its power settings: for a device configured to auto power-on, the device is granted power following an enclosure power cycle after all the Onboard Administrator configuration checks are complete. Enabled Enables powerdelay for this bay. Onboard Administrator turns on this bay based on the number of seconds elapsed following the detection of an enclosure power cycle event. No Poweron Prevents component power on for the bays with this configuration until after the Onboard Administrator logs PowerDelay has completed for the selected devices. At this time, if the device is configured to auto power-on, the device grants power following an enclosure power cycle after all the Onboard Administrator configuration checks are complete. If the device is configured to disable auto poweron, the device remains off following an enclosure power cycle independent of the setting of power delay for that bay. 88 Configuring compute enclosures and enclosure devices

89 Device Power Sequence Device Bays tab The Device Bays tab indicates the current settings for all the primary bays based on the type of enclosure. To change a setting on a particular device bay, use the menu under the Enabled column and select Enabled, Disabled (default), or No Poweron. If Enabled is selected, a power delay in seconds must be entered in the Delay column for this bay. The minimum value is 1 second; the maximum value is 3600 seconds. NOTE: HP recommends selecting Disabled (default) for the blade server power sequence setting. If double dense server blades are installed in an enclosure, the power delay settings for Side A and Side B are controlled in the Double Dense Side A and Double Dense Side B tabs. Column Bay Device Enabled Delay Bay number of the device. The type of device in the bay, or Absent if no device is installed in the bay Enables power sequencing, disables power sequencing, or does not allow powering on of the device if No Poweron is selected. The amount of delay, in seconds, before the device powers on. Enclosure information 89

90 Device Power Sequence Interconnect Bays tab Interconnect bays by default are for auto power-on. Enabling and setting a power delay for an interconnect bay delays the power on of that bay following an enclosure power cycle event. Column Bay Device Enabled Delay Bay number of the device The type of device in the bay or Absent if no device is installed in the bay Enables power sequencing, disables power sequencing, or does not allow powering on of the device if No Poweron is selected. The amount of delay, in seconds, before the device powers on. Possible delay values are 1 to Click the Apply button to save the settings. Date and Time NOTE: The RTC in an npartition is synced to OA time when the npartition is rebooted. If you change the time on the OA, it may affect the RTC on the npartition. HP recommends that you use the NTP for both the OS and OA and also configure the NTPDATE_SERVER variable in /etc/ rc.config.d/netdamons at OS startup. This is the most reliable setting for accurate OA, npartition, and OS time. 90 Configuring compute enclosures and enclosure devices

91 Static date and time settings The date and time are static and not updated in real-time. The date and time can only be set when NTP is disabled. Box Date Time Time Zone Possible value yyyy-mm-dd mm is an integer from 1 to 12 dd is an integer from 1 to 31 hh:mm:ss (24-hour time, ss is optional) hh is an integer from 0 to 23 mm is an integer from 0 to 59 ss is an integer from 0 to 59 Time zone settings Africa time zone settings (page 222) Americas time zone settings (page 223) Asia time zone settings (page 224) Universal time zone settings (page 222) Oceanic time zone settings (page 225) Europe time zone settings (page 225) Polar time zone settings (page 226) The date assigned to the enclosure The time assigned to the enclosure The time zone assigned to the enclosure NTP settings To enable this feature, select Set time using an NTP server. NOTE: For accurate OA date and time, HP recommends using a stable and accurate NTP server with a GPS receiver for the time source, or running at a higher level in the NTP time server hierarchy. Box Primary NTP Server Secondary NTP Server Time Zone Possible value DNS name or ###.###.###.### where ### ranges from 0 to 255 DNS name or ###.###.###.### where ### ranges from 0 to 255 Time zone settings Africa time zone settings (page 222) Americas time zone settings (page 223) Asia time zone settings (page 224) Universal time zone settings (page 222) Oceanic time zone settings (page 225) Europe time zone settings (page 225) Polar time zone settings (page 226) DNS name or IP address of primary NTP server that provides date and time information. DNS name or IP address of secondary NTP server that provides date and time information. The time zone assigned to the enclosure To save the settings, click the Apply button. Enclosure information 91

92 Enclosure TCP/IP Settings This screen displays the current enclosure TCP/IP settings for the Active Onboard Administrator and enables you to change the following settings: Enclosure IP Mode The Enclosure IP Mode ensures all management applications point to the active Onboard Administrator of the enclosure, using a single static IP address. This mode is for enclosures with an active and standby Onboard Administrator. When the standby Onboard Administrator takes over the role of the active Onboard Administrator, the Onboard Administrator assumes the IP address of the previous active Onboard Administrator. This ensures the Enclosure IP Mode IP address is consistently pointing to the active Onboard Administrator. The Enclosure IP Mode requires the active Onboard Administrator to have a static IP address. Before enabling Enclosure IP Mode, you must configure a static IP address for the Active Onboard Administrator. The standby Onboard Administrator can be configured for DHCP or static IP settings. This mode is optional and is disabled by default. The transition times from standby to active and active to standby varies, depending on the configuration, enclosure population, and various other factors. The transition of standby to active can take several minutes. The transition of the previous active to standby will take longer. IMPORTANT: Replace the standby Onboard Administrator only while the enclosure is powered on to be sure that the Enclosure IP Mode settings are not changed. To ensure that the Enclosure IP Mode setting is not changed when removing an Onboard Administrator module from the enclosure, do not remove the module while it is in the failover transition phase (about six minutes after a failover). After you remove a module, to ensure that all settings are transferred to the Standby module, add a replacement module and leave it in place for five minutes. If both the Active and Standby Onboard Administrator modules are powered off or removed from the enclosure at the same time, the Standby Onboard Administrator returns to the default network settings and all manually configured static network addresses are lost. Active and Standby Onboard Administrator Network Settings The Onboard Administrator allows network configuration to be based either on dynamically assigned IP addresses obtained from a DHCP server or on static IP addresses that you specify manually. You choose the basis for network configuration by selecting either the DHCP radio button or the Static IP Settings radio button. If you select DHCP, you can enable Dynamic DNS. NOTE: Changing network settings on the Onboard Administrator that you are signed in to might disconnect you from that Onboard Administrator, in which case after you apply settings, you must sign in to the Onboard Administrator again. DHCP Obtains the IP address for the Onboard Administrator from a DHCP server Enable Dynamic DNS With DHCP enabled, Dynamic DNS allows you to use the same host name for the Onboard Administrator over time, although the dynamically assigned IP address might change. The host name is registered with a DNS server. Dynamic DNS updates the DNS server with new or changed records for IP addresses. Static IP Settings Enables you to manually set up static IP settings for the Onboard Administrator Box DNS Host Name Possible value Can be 1 to 32 characters including all alphanumeric characters and the dash (-) The DNS Name of the Onboard Administrator. The DNS host name can be 92 Configuring compute enclosures and enclosure devices

93 Box MAC Address IP Address Subnet Mask Gateway DNS Server 1 DNS Server 2 Possible value This is an informational box and cannot be changed ###.###.###.### where ### ranges from 0 to 255 ###.###.###.### where ### ranges from 0 to 255 ###.###.###.### where ### ranges from 0 to 255 ###.###.###.### where ### ranges from 0 to 255 ###.###.###.### where ### ranges from 0 to 255 assigned when using either DHCP or static IP settings. Changing the Onboard Administrator DNS Name could cause a host name mismatch on the SSL certificate. You may have to update the certificate information on the affected Onboard Administrator, using the Active Onboard Administrator Certificate Administration screen ( Certificate Administration (page 108)) or the Standby Onboard Administrator Certificate Administration screen as appropriate. The Onboard Administrator MAC address Static IP address for the Onboard Administrator (required if static IP settings is selected) Subnet mask for the Onboard Administrator (required if static IP settings is selected) Gateway address for the Onboard Administrator (required if static IP settings is selected) The IP address for the primary DNS server The IP address for the secondary DNS server Onboard Administrator can employ up to two DNS servers for lookups, either static or DHCP assigned, but not both. Click Apply to save new or changed settings. NIC settings Auto-Negotiate Automatically configures the best link. This is the default setting. This option supports a NIC speed of 10 Mb/s, 100 Mb/s, or 1000 Mb/s. The 1000 Mb/s setting is only available when you select Auto-Negotiate. Forced Full Duplex Enables you to manually specify which settings the external NIC uses when trying to establish a link. Onboard Administrator does not verify that the forced Ethernet settings are valid on the network. The loss of communications can occur if the wrong or incompatible settings are used. Forced settings take effect 3 seconds after enabling or disabling the settings. The forced option supports only NIC speeds of 10 Mbps or 100 Mb/s. NIC Speed Selects an NIC speed of 10 Mb/s or 100 Mb/s. To save the new settings, click the Apply button. Network Access In this section, an administrator can configure settings relating to network access to the Onboard Administrator. These settings are specific to the enclosure and do not affect the network configurations for server blades. Enclosure information 93

94 The Protocol Restrictions subcategory is used to restrict access to the Onboard Administrator. Up to six protocol settings can be selected to allow or restrict access to the Onboard Administrator. An Enforce Strong Encryption option is also included. Enable Web Access (HTTP/HTTPS) This check box is selected by default. Clearing this check box disables HTTP/HTTPS access to the Onboard Administrator. Port 80 is used for HTTP and port 443 is used for HTTPS. CAUTION: Disabling Web Access (HTTP/HTTPS) disconnects all users attached to the Onboard Administrator through HTTP/HTTPS, including the administrator. Enable Secure Shell This check box is selected by default. Clearing this check box disables Secure Shell connections to the Onboard Administrator. Secure Shell is disabled when Two-Factor Authentication is enabled. Disabling Two-Factor Authentication does not automatically re-enable Secure Shell. To re-enable Secure Shell, you must select the check box and then click Apply. Port 22 is used. Enable Telnet This check box is selected by default. Clearing this check box disables Telnet connections to the Onboard Administrator. Telnet is disabled when Two-Factor Authentication is enabled. Disabling Two-Factor Authentication does not automatically re-enable Telnet. To re-enable Telnet, you must select the check box and click Apply. Port 23 is used. NOTE: Telnet is disabled after a factory reset or when Two-Factor Authentication is enabled. Login Banner Enable XML Reply This check box is selected by default. Selecting this check box enables XML data to be shared between the Onboard Administrator and other HP management tools such as HP Systems Insight Manager. To display the information that is shared by the Onboard Administrator if this protocol is enabled, click View. Enable WS-Management Selecting this check box enables the WS-Management connections to the Onboard Administrator. WS-Management is enabled by default. To save the settings, click the Apply button. Enabling the Login Banner option requires Onboard Administrator users to acknowledge the banner text before they can log in. Enable Display of Banner on User Login Select this check box to enable the Login Banner option. Acknowledgment of the Login Banner text provides access to all systems connected to the primary Onboard Administrator. Banner Text The field size is limited to 1,500 printable characters, excluding the % and \ characters. While spaces and line feeds are accepted, using only white space characters within this text field is not allowed. NOTE: The Login Banner accepts English (ASCII) characters only. Apply Click to validate the Banner Text field. If the Banner Text field is empty or contains only white space characters, but the Enable Display of Banner on User Login check box is selected, you are prompted to disable this feature. Trusted Hosts tab The Trusted Hosts subcategory is used to restrict access to the Onboard Administrator to all hosts except those listed. When enabled, this protocol allows access only to the Onboard Administrator to listed hosts. This subcategory contains one dialog box, one entry box, and one display box, which, if enabled, is used to list trusted IP addresses. 94 Configuring compute enclosures and enclosure devices

95 The Enable IP address access restriction check box is not selected by default. Selecting this check box allows only those IP addresses listed as Trusted Addresses to connect to the Onboard Administrator. CAUTION: Enabling IP address access restriction without first entering the user IP address in the Trusted Addresses list disconnects the user from the Onboard Administrator. CAUTION: When using the Trusted Hosts feature in an environment with multiple enclosures connected via enclosure link cables, ensure that all linked enclosures have the same Trusted Hosts settings. Linked enclosures that do not have the same Trusted Hosts settings may allow a web GUI user to access a protected enclosure from a non-trusted client. The Trusted Addresses box is used to enter the IP addresses of all hosts that are to be trusted and allowed to connect remotely to the Onboard Administrator through the protocols set up in the Protocol Restrictions subcategory. This box allows for IP addresses only. Under the Trusted Addresses box is the list box of all trusted IP addresses, if trusted IP addresses are configured. To add a trusted host, enter the IP address in the Trusted Addresses box, and then click Add. You can add a maximum of five Trusted Addresses. To remove a trusted host, select the IP address in the Trusted Addresses list, and then click Remove. To save the settings, click the Apply button. Anonymous Data tab Enable Extended Data on GUI Login Page This check box is selected by default. Clearing this check box disables the "+" functionality in the topology view on the login page for this enclosure. Disabling the extended data on the GUI login page prevents unauthenticated users from viewing additional information. To prevent additional information from appearing for each linked enclosure, you must clear this check box for each enclosure. To save the settings, click the Apply button. NOTE: For HP Superdome 2 SD2 32s systems, Anonymous Data must be enabled for proper operation of the OA GUI. Do not clear the Enable Extended Data on GUI Login Page checkbox on HP Superdome 2 SD2 32s systems. Link Loss Failover This screen enables you to configure automatic Onboard Administrator redundancy failover based on network link status. For Link Loss Failover to function correctly, the redundancy status of the Onboard Administrators must be OK. An OK status means that both Onboard Administrators have the same firmware version, and that they are communicating properly. Enable Link Loss Failover This check box enables or disables automatic Link Loss Failover. Failover Interval The failover interval is the amount of time the active Onboard Administrator must be without a link on the external Ethernet interface before the system considers an automatic failover. The interval must be between 30 and seconds. To save the settings, click the Apply button. Enclosure Bay IP Addressing The Enclosure Bay IP Addressing (EBIPA) screens allow you to configure fixed addresses for Onboard Administrator enclosure bays. The EBIPA feature helps to provision a fixed IP address on bay number, which preserves the IP address for a particular bay even if a module is hot-replaced. The management interface for components plugged into the bays must be set for DHCP and can only Enclosure information 95

96 be used if the devices are set to boot from DHCP. If a device is configured for static IP, then it must be manually reconfigured to DHCP to change the EBIPA IP address. The Onboard Administrator GUI lists the IP address for the server blade ilo bay and interconnect module management bay. The server blade ilo bays and interconnect module management bays can obtain IP addresses on the management network in the following ways: DHCP address The server blade ilo defaults to DHCP addressing, through the network connector of the active Onboard Administrator. Interconnect modules that have an internal management network connection to the Onboard Administrator may also default to the DHCP address. EBIPA When a server blade or interconnect module is inserted into a bay that has EBIPA enabled, that management port will receive the specific static IP address from the Onboard Administrator if that device is configured for DHCP. There is an important difference between the network the complex is connected to and the management network that the Onboard Administrator uses. Enclosure Bay IP Addressing is used to assign IP addresses to the ilo processors that are bridged through the Onboard Administrator and must not be confused with port mapping for the server blade NICs or for network routers or switches. EBIPA does not assign IP addresses for any other device on the network, and cannot be used as a DHCP server on the network. TIP: Link-local addresses: To save IP addresses, link-local addressing can be used. Link-local IP addresses can be assigned to blades, ilos, and interconnect bays within an enclosure. Link-local addresses are intended only for use within a segment of a network and can be used for network configurations that do not require allocated IP addresses on the network. As a best practice HP recommends the following rules for assigning ilo IP addresses: The Monarch Npar IP address should be assigned using EBIPA/DHCP. Do not use ilo interfaces to assign ilo static IP addresses. Auxiliary blades should be assigned using link-local addressing to save IP addresses. BL920s Gen8 and Gen9 Auxiliary blades will automatically be assigned link-local addresses and cannot be assigned public addresses. All IP addresses, with the exception of address ranges x.y and x.y (reserved for internal management network), are supported as long they are not duplicated. In addition, all the IP addresses must be within the same subnet defined by netmask and IP address so that all OAs as well as all ilos fit into that subnet. For more information on setting up link-local addresses, see the HP Integrity Superdome X and Superdome 2 Onboard Administrator Command Line Interface User Guide. The administrator sets an independent range for server blade bays and interconnect module bays using the Onboard Administrator EBIPA setup wizard. The first address in a range is assigned to the first bay and then consecutive bays through the range. To set up your enclosure without an active network connection using EBIPA: 1. Configure a static IP for each Onboard Administrator using the Insight Display, and note the active OA Service IP address on the Insight Display Enclosure Info screen. Attach the client PC to the enclosure Service Port (enclosure Link Up connector) between the OA bays with a standard Ethernet patch cable. The client PC NIC must be configured for DHCP because it gets an IP address in the range of approximately 1 minute later. 2. Launch a web browser (or alternatively a Telnet or Secure Shell session), and select the Onboard Administrator Service IP address as displayed in the enclosure Insight Display on the Enclosure Info screen. 96 Configuring compute enclosures and enclosure devices

97 3. Log into the Onboard Administrator as Administrator, using the administrative password attached to the active Onboard Administrator. 4. While the First Time Setup Wizard is running (alternately, after first time setup you can change the EBIPA settings in the Enclosure Settings list), enable Device Bay EBIPA with a starting fixed IP address and enable Interconnect Bay EBIPA with a different starting IP address. The Onboard Administrator then creates 16 sequential IP addresses for the device bays and eight sequential IP addresses for the interconnect bays. Servers in the device bays will automatically get the Device Bay EBIPA addresses within a minute, but the interconnect switch modules must to be manually restarted by clicking the Virtual Power button on each Onboard Administrator Interconnect Module Information screen. 5. Use the Onboard Administrator Device list to be sure that the server blade ilo addresses have been set according to the EBIPA starting IP address and range. Device list Column Bay Enabled The bay in the enclosure of the device. Enables EBIPA settings for the device bay. EBIPA settings for all device bays can be enabled by selecting the check box next to Enabled in the heading row or individual device bays can be selected by clicking the check box for that particular device bay. Enclosure information 97

98 Column EBIPA Address Autofill Current Address Device Type The static IP address you want to assign to the device bay. Assigns consecutive IP addresses for the selected device bays below in the device list. Click the autofill down arrow to assign the IP addresses. The current IP address of the device bay. The type of device installed in the device bay. Knowing your network configuration before setting up EBIPA ensures an easy setup and enables you to install your Onboard Administrator on to your network quickly. Record the information requested in the boxes on the EBIPA screen, and verify before entering the data. Use only the possible values listed in the following table. Interconnect list Box Subnet Mask Gateway Domain DNS Server 1 DNS Server 2 DNS Server 3 Possible value ###.###.###.### where ### ranges from 0 to 255 ###.###.###.### where ### ranges from 0 to 255 A character string with a maximum of 64 characters, including all alphanumeric characters and the dash (-) ###.###.###.### where ### ranges from 0 to 255 ###.###.###.### where ### ranges from 0 to 255 ###.###.###.### where ### ranges from 0 to 255 Subnet mask for the device bays Gateway address for the device bays Domain name for the device bays The IP address for the primary DNS server The IP address for the secondary DNS server The IP address for the tertiary DNS server SNMP Settings The Onboard Administrator supports SNMP Version 1 and several groups from the standard MIB-II MIB. Additional information about the enclosure infrastructure is available in the HP Rack Information MIB. CPQRACK-MIB, which is part of the Insight Management MIBs, is available on the Management CD in the Superdome Essentials Foundation Pack. The SNMP Settings screen enables you to enter system information and community strings and designate the management stations that can receive SNMP traps from the Onboard Administrator. If you select Enable SNMP, then the Onboard Administrator responds to SNMP requests over UDP port 162. Port 162 is the standard UDP port used to send and receive SNMP messages. System Information settings In the System Information subcategory, information about the Onboard Administrator SNMP system can be enabled and configured. 98 Configuring compute enclosures and enclosure devices

99 The Enable SNMP check box is not selected by default. When enabled, the Onboard Administrator can be polled for status and basic information. The SNMP client can only clear SNMP alerts and Enclosure information 99

100 status when the Write Community string is enabled. Clearing the Enable SNMP check box disables SNMP access to the Onboard Administrator. Box Possible value System Location System Contact Read Community Write Community 0 to 20 characters including all alphanumeric characters, the dash (-), the underscore (_), and the space 0 to 20 characters including all alphanumeric characters, the dash (-), the underscore (_), and the space 0 to 20 characters including all alphanumeric characters, the dash (-), the underscore (_), and the space 0 to 20 characters including all alphanumeric characters, the dash (-), the underscore (_), and the space The SNMP location of the enclosure, typically used to identify the physical or topographical location of the Onboard Administrator. The name of the system contact, used to identify an individual or group of individuals who are to be contacted in the event of any status change in the HP Onboard Administrator. The Read Community string enables the client to read information, but not to manipulate the alerts or status of the Onboard Administrator through SNMP. The default community name is "public" and enables a user to receive notification traps and alerts, but not to change or manipulate the status. The Write Community string enables the client to manipulate alerts of Onboard Administrator status through SNMP. You can remotely clear alerts and mark them as "viewed" or otherwise through their SNMP management client through the SNMP agents. The default value for the Write Community string is blank. Edit any of the fields in this subcategory, and to save the changes, click the Apply button. SNMP Alert Destinations settings In the SNMP Alert Destinations subcategory, the IP addresses and community strings for the SNMP management clients are configured so that any alert or trap from the Onboard Administrator is sent to the appropriate system with the community string. Box IP Address Possible value ###.###.###.### Where: ### ranges from 0 to 255 The management station IP address Community String 0 to 20 characters including all alphanumeric characters, the dash (-), the underscore (_), and the space A text string that acts as a password. It is used to authenticate messages that are sent between HP SIM and Onboard Administrator. Adding SNMP alert destinations 1. Enter the IP address for management clients to which the traps are to be sent in the IP Address box. 2. Enter the appropriate community string in the Community String box directly under the IP Address box. 3. After the IP address and community string is entered, click the Add button. A maximum of eight SNMP alert destinations can be added. Removing SNMP alert destinations Select the IP address from the list containing the trap destinations, and then click the Remove button. 100 Configuring compute enclosures and enclosure devices

101 Testing SNMP To send a test SNMP trap to all the configured trap destinations, click the Send Test Alert button. SNMP must be enabled to use this function. Configuration Scripts Use configuration scripts to maintain settings and configuration information, particularly when setting up multiple enclosures and Onboard Administrator modules and eliminating the need to configure each enclosure manually. Configuration scripts can be created and used with Onboard Administrator in the browser or through the CLI, executing them in the same manner as a shell script is executed in Linux or UNIX. You select to run the script from a URL, USB drive, or Archive Storage. Current configuration To view a current configuration for the enclosure: 1. Click the SHOW CONFIG link. The configuration opens in a new browser window. 2. To save the configuration as a text file, select either of the following options: If you use Microsoft Internet Explorer 7 or later, select Save As. If you use Mozilla Firefox 3.6 or later, select Save Page As. For security reasons, the retrieved current configuration does not contain any user passwords. You can manually edit the script to add the user passwords after the user name on the ADD USER lines. The enclosure Administrator account password cannot be added from the configuration script. Also, the retrieved current configuration does not contain any of the LCD settings (Lock Buttons, Enable PIN Protection, and PIN Code). These settings cannot be added from the configuration script. Current enclosure inventory To download a script of the current enclosure inventory, click the SHOW ALL link; the current enclosure inventory opens in a new browser window. To save the inventory as a text file, select either of the following options: If you are using Microsoft Internet Explorer 7.0 or later, select Save As. If you are using Mozilla Firefox 2 or later, select Save Page As. NOTE: Saving the enclosure inventory does not save partitioning information. The downloaded text file provides the same information as the CLI SHOW ALL command. The text file also displays the current configuration of the enclosure. Enclosure information 101

102 Device Summary The FRU Summary section provides information on all FRUs within the enclosure. Information provided in this section can quickly aid the administrator in contacting HP Customer Service for troubleshooting, repairing, and ordering replacements. The information is organized in tabular format and divided into subcategories within the Device Summary section: Enclosure Onboard Administrator Blade Blade mezzanine Interconnect 102 Configuring compute enclosures and enclosure devices

103 XFM GPSM Fan Power supply Insight Display Active to Standby When a second Onboard Administrator is installed, the menu item Active to Standby appears under the Enclosure Settings tree menu item, and both Onboard Administrators are visible in the tree menu and in the enclosure view under the Status tab. If more than one Onboard Administrator is installed in the enclosure, you can manually change the active Onboard Administrator. This feature can be useful when troubleshooting the Onboard Administrator. To perform a transition: 1. Click the Transition Active to Standby button to force the change. A confirmation screen appears, confirming the transition. 2. Close your browser if you are logged in to the active Onboard Administrator. 3. Click OK to proceed, or click Cancel to exit without a change. If only one Onboard Administrator is installed in the enclosure, the Active to Standby menu item does not appear. You can also perform a transition using the FORCE TAKEOVER command from the Onboard Administrator CLI. The transition times from Standby to Active and Active to Standby vary, depending on the configuration, enclosure population, and various other factors. Removing the previously Active Onboard Administrator early in the transition process forces the transition time of the Standby to Active to increase. Onboard Administrator Module Active Onboard Administrator The Active Onboard Administrator screen under the Status and Information tab, has tables that provide detailed information about your Onboard Administrator. Onboard Administrator Module 103

104 Diagnostic information is gathered by polling a device microcontroller (resulting in a degraded status if a failure has occurred) or is sent by the device microcontroller, without being polled, to report a failure. 104 Configuring compute enclosures and enclosure devices

105 Active Onboard Administrator Status and Information tab Status information Item Status Role Bay Number Temperature Caution Threshold Critical Threshold The overall status of the enclosure. Possible values are Unknown, OK, Degraded, and Failed. Active or Standby. The physical bay number where the Onboard Administrator is installed. The temperature of the enclosure in degrees Fahrenheit. The temperature at which the enclosure reports a status of caution. The temperature at which the enclosure reports a critical status and powers off. Hardware information Item Device Name Manufacturer Complex Firmware Version Hardware Version Part Number Serial Number Spare Part Number UUID The common descriptive name of the Onboard Administrator. The name of the company that manufactured the Onboard Administrator. The version of the complex firmware image in the Onboard Administrator. The version of the enclosure hardware. The part number to use when ordering an additional or replacement Onboard Administrator. The serial number of the Onboard Administrator module. The spare part number to use when ordering an additional or replacement Onboard Administrator. The Universally Unique Identifier number of the Onboard Administrator. Diagnostic information Item Device Identification Data Enclosure ID OA USB Cable Firmware Mismatch Device Indictment This row displays information such as model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. A device identification data error appears if the data is not present or not readable by the Onboard Administrator. Possible values are OK or Error. The number of the enclosure in the complex. Status of the OA USB Cable. The standby Onboard Administrator with the lowest firmware version displays Error when two Onboard Administrators are present and the firmware does not match. Indicates if the device has been indicted by the Error Analysis Engine. Active Onboard Administrator Virtual Buttons tab To reset the Onboard Administrator: 1. To reset the Onboard Administrator, click the Reset button. 2. A confirmation screen appears, asking if you are sure that you want to perform the action and that you will be signed out and disconnected from the Onboard Administrator. Onboard Administrator Module 105

106 3. Click OK to proceed, or click Cancel to exit without a change. You can also click the Toggle On/Off button on this tab to change the Onboard Administrator module UID LED. This button is useful in identifying a particular Onboard Administrator when there is more than one in the enclosure. 106 Configuring compute enclosures and enclosure devices

107 TCP/IP Settings This screen displays the current enclosure TCP/IP settings for the active Onboard Administrator. To change these settings, select Click here. For information on modifying the TCP/IP settings, see Enclosure TCP/IP Settings (page 92). Onboard Administrator Module 107

108 Certificate Administration Information tab This screen displays the detailed information of the SSL certificate now in use by the Onboard Administrator. An SSL certificate is used to certify the identity of Onboard Administrator and is required by the underlying HTTP server to establish a secure (encrypted) communications channel with the client web browser. On initial start up, Onboard Administrator generates a default self-signed SSL certificate valid for 10 years, and the certificate is issued to the name of the Onboard Administrator. Because this default certificate is self-signed, the issued by box is also set to the same name. 108 Configuring compute enclosures and enclosure devices

109 Status information Item Cert Common Name The certificate subject common name. Certificate information Item Issued by Valid from Valid until Serial Number Version MD5 Fingerprint SHA1 Fingerprint The certificate authority that issued the certificate. The date from which the certificate is valid. The date the certificate expires. The serial number assigned to the certificate by the certifying authority. Version number of current certificate. A validation of authenticity embedded in the certificate. A validation of authenticity embedded in the certificate. Required Information Item Country (C) State or Province (ST) City or Locality (L) Organization Name (O) The two-character country code that identifies the country where the Onboard Administrator is located. The state or province where the Onboard Administrator is located. The city or locality where the Onboard Administrator is located. The company that owns this Onboard Administrator. Optional data Item Contact Person Address Organizational Unit Surname Given Name Initials DN Qualifier The person responsible for the Onboard Administrator. The address of the person responsible for the Onboard Administrator. The unit within the company or organization that owns the Onboard Administrator. The surname of the person responsible for the Onboard Administrator. The given name of the person responsible for the Onboard Administrator. The initials of the person responsible for the Onboard Administrator. The distinguished name qualifier of the Onboard Administrator. Certificate-signing request attributes Item Unstructured Name This is for additional information. Onboard Administrator Module 109

110 Certificate Request tab The Certificate Request tab enables you to enter the information needed to generate a self-signed certificate or a standardized certificate-signing request to a certificate authority. 110 Configuring compute enclosures and enclosure devices

111 Onboard Administrator Module 111

112 Required Information Item Country (C) State or Province (ST) City or Locality (L) Organization Name (O) Common Name (CN) Possible values Must be one to two characters in length. Acceptable characters are all alphanumeric, a space, and the following punctuation marks: ' ( ) +, -. / : =? Must be 1 to 30 characters in length. Must be 1 to 50 characters in length. Must be 1 to 60 characters in length. Must be 1 to 60 characters in length. To prevent security alerts, the value of this box must match exactly the host name as it is known by the web browser. The web browser compares the host name in the resolved web address to the name that appears in the certificate. For example, if the web address in the address box is then the value must be oa xyz.com. A valid country code that identifies the country where the Onboard Administrator is located. The state or province where the Onboard Administrator is located. The city or locality where the Onboard Administrator is located. The organization that owns this Onboard Administrator. When this information is used to generate a certificate-signing request, the certificate issuing authority can be sure that the organization requesting the certificate is legally entitled to claim ownership of the given company name or organization. The Onboard Administrator name that appears in the browser web address box. Select Standby OA Host Name to include a request for a Standby Onboard Administrator certificate. Enter the information in the Standby Common Name (CN) box, which must be 1 to 60 characters in length. This selection appears only if you have a Standby Onboard Administrator in the enclosure. Optional Information Item Alternative Name Contact Person Address Organizational Unit Surname Given Name Possible values Must be 0 to 512 characters in length. Must be 0 to 60 characters in length. Must be 0 to 60 characters in length. Must be 0 to 60 characters in length. Must be 0 to 60 characters in length. Must be 0 to 60 characters in length. An alternate name for the Onboard Administrator. The field must either be empty or contain a list of keyword:value pairs separated by commas. The valid keyword:value entries include IP:<ip address> and DNS:<domain name>. The person responsible for the Onboard Administrator. The address of the contact person responsible for the Onboard Administrator. The unit within the company or organization that owns the Onboard Administrator. The surname of the person responsible for the Onboard Administrator. The given name of the person responsible for the Onboard Administrator. 112 Configuring compute enclosures and enclosure devices

113 Item Initials DN Qualifier Possible values Must be 0 to 20 characters in length. Must be 0 to 60 characters in length. Acceptable characters are all alphanumeric, the space, and the following punctuation marks: ' ( ) +, -. / : =? The initials of the person responsible for the Onboard Administrator. The distinguished name qualifier of the Onboard Administrator. Certificate-signing request attributes Box Challenge Password Confirm Password Unstructured Name Possible values Must be 0 to 30 characters in length Must be 0 to 30 characters in length Must be 0 to 60 characters in length The password for the certificate-signing request Confirm the Challenge Password This is for additional information (for example, an unstructured name that is assigned to the Onboard Administrator) To generate a self-signed certificate or a standardized certificate-signing request, click the Apply button. Standardized certificate-signing request This screen displays a standardized certificate signing request generated by the Onboard Administrator. The content of the request in the text box may can be sent to a certificate authority of your choice for signing. Once signed and returned from the certificate authority, the certificate can be uploaded under the Certificate Upload tab. If a static IP address is configured for Onboard Administrator when this certificate request is generated, the certificate request will be issued to the static IP address. Otherwise, it is issued to the dynamic DNS name of the Onboard Administrator. The certificate, by default, requests a valid duration of 10 years (this value is now not configurable). When submitting the request to the certificate authority, be sure to: Use the Onboard Administrator URL for the server. Request the certificate be generated in the RAW format. Include the Begin and End certificate lines. Active Onboard Administrator Certificate Upload tab Upload certificates for use in an Onboard Administrator in the following ways: Paste certificate contents into the text box and click the Upload button. Paste the URL of the certificate into the URL box and click the Apply button. The certificate to be uploaded must be from a certificate request sent out and signed by a certificate authority for this particular Onboard Administrator. Otherwise, the certificate fails to match the private keys used to generate the certificate request, and the certificate is rejected. Also, if the Onboard Administrator domain has been destroyed or re-imported, then you must repeat the steps for generating a certificate request. The certificate is re-signed by a certificate authority because the private keys are destroyed and recreated along with the Onboard Administrator domain. If the new certificate is successfully accepted and installed by the Onboard Administrator, you are automatically signed out. The HTTP server must be restarted so that the new certificate takes effect. Onboard Administrator Module 113

114 System log The System Log subcategory can be found within the Active Onboard Administrator category. The System Log displays logged information of events within the Onboard Administrator. Events are logged from the top of the list to the bottom, with the most recent logged event appearing at the top of the list. The system log can be scrolled using the scroll bar on the right of the log screen (if the log is larger than the display box). The log has a maximum capacity of KB and automatically deletes the oldest logged event first (FIFO). To clear the list of all logged events, click the Clear button on the lower-right of the screen under the system log display. Log Options tab This screen enables you to send system log messages to a remote host. By default, the local system log is enabled. To manage the system log settings, you must be an Administrator or Operator with OA bay permissions. Remote system logging is a feature that can be used to send Onboard Administrator syslog messages to a remote server on the network for persistent storage. The syslog messages are sent from Onboard Administrator using the UDP protocol on a port that can be specified by the user. The default remote syslog port is 514. Onboard Administrators Remote System Logging feature follows the guidelines in RFC3164 ( In most Linux systems, remote system logging can be enabled by starting syslog with the "-r" option. The remote syslog port must also be opened in the firewall. Documentation for your particular distribution must be consulted for additional information. Windows does not have native support for remote system logging. Any application that listens on UDP port 514 or the specified syslog port can receive remote system log messages from the Onboard Administrator. To send system log messages to a remote host, select the Enable remote system logging check box. Specify the server and port. Box Syslog Server Address Port Possible value ###.###.###.###. where ### ranges from 0 to 255 An integer between 1 and The IP address of the remote host The IP port of the remote host. If this box is left blank, the default UDP port 514 is used. After configuring, the Onboard Administrator remote system logging feature can be tested using the GUI Test button on the configuration page, or using the CLI TEST SYSLOG command. To send a test message to the remote host address and to the local system log, click Test Remote Log. You must enable remote system logging to use this function. NOTE: The Test Remote Log button is grayed out if remote system logging is not enabled. To save the settings, click Apply. The list of possible events include: Enclosure Event 0x01: Enclosure Status Changed Enclosure Event 0x02: Enclosure UID Status Changed Enclosure Event 0x03: Enclosure Shutdown Enclosure Event 0x04: Enclosure Information Changed Enclosure Event 0x05: Enclosure Name Changed 114 Configuring compute enclosures and enclosure devices

115 Enclosure Event 0x06: User Permissions Changed Enclosure Event 0x07: Administrator Rights Changed Enclosure Event 0x08: Enclosure Shutdown Pending Enclosure Event 0x09: Enclosure Topology Changed Enclosure Event 0x10: Fan Status Changed Enclosure Event 0x11: Fan Inserted Enclosure Event 0x12: Fan Removed Enclosure Event 0x14: Thermal Subsystem Redundancy Status Changed Enclosure Event 0x15: Fan at Max Percentage Enclosure Event 0x16: Add Fan to Bay Enclosure Event 0x17: Remove Fan from Bay Enclosure Event 0x18: Fan Over Consuming Power Enclosure Event 0x20: Thermal Status Changed Enclosure Event 0x30: Power Supply Status Changed Enclosure Event 0x31: Power Supply Inserted Enclosure Event 0x32: Power Supply Removed Enclosure Event 0x33: Power Supply Subsystem Redundant Status Changed Enclosure Event 0x34: Power Supply Subsystem Overloaded Enclosure Event 0x35: AC Failure Enclosure Event 0x36: Inadequate Power or Cooling Enclosure Event 0x40: Interconnect Device Status Changed Enclosure Event 0x41: Interconnect Device Reset Enclosure Event 0x42: Interconnect Device UID Status Changed Enclosure Event 0x43: Interconnect Device Inserted Enclosure Event 0x44: Interconnect Device Removed Enclosure Event 0x45: Interconnect Device Information Changed Enclosure Event 0x46: Interconnect Device Health LED Status Changed Enclosure Event 0x47: Interconnect Device Thermal Status Changed Enclosure Event 0x48: Interconnect Device CPU Fault Enclosure Event 0x49: Interconnect Device Power Mode Changed Enclosure Event 0x50: Enclosure Demonstration Mode Blade Event 0x100: Blade Device Status Changed Blade Event 0x101: Blade Device Inserted Blade Event 0x102: Blade Device Removed Blade Event 0x103: Blade Device Power State Changed Blade Event 0x104: Blade Device Power Management Changed Blade Event 0x105: Blade Device UID Status Changed Blade Event 0x106: Blade Device Shutdown Blade Event 0x107: Blade Device Fault Onboard Administrator Module 115

116 Blade Event 0x108: Blade Device Thermal Status Change Blade Event 0x110: Blade Device Information Changed Blade Event 0x111: Blade Bay Management Processor Changed Blade Event 0x112: ilo Ready Blade Event 0x114: Keying Error Blade Event 0x115: ilo Has IP Address LCD Event 0x200: Display Changed LCD Event 0x201: Button Pressed LCD Event 0x202: Pin Information Changed LCD Event 0x203: User Note Information Changed LCD Event 0x204: Chat Requested LCD Event 0x205: Chat Response Sent LCD Event 0x206: LCD Display State Changed Enclosure Event 0x1001: Network Information Changed Enclosure Event 0x1002: SNMP Information Changed Enclosure Event 0x1003: System Log Cleared Enclosure Event 0x1004: Session Cleared Enclosure Event 0x1005: Time Changed Enclosure Event 0x1006: Session Started Enclosure Event 0x1007: Blade Connected Enclosure Event 0x1008: Blade Disconnected Enclosure Event 0x1009: Switch Connected Enclosure Event 0x100A: Switch Disconnected Enclosure Event 0x100B: Blade Cleared Enclosure Event 0x100C: Switch Cleared Enclosure Event 0x100D: AlertMail Information Changed Enclosure Event 0x100E: LDAP Information Changed Enclosure Event 0x100F: EBIPA Information Changed Enclosure Event 0x1013: User Information Changed Enclosure Event 0x1014: Bay Changed Enclosure Event 0x1016: Onboard Administrator Reboot Enclosure Event 0x1017: Onboard Administrator Logoff Request Enclosure Event 0x1018: User Added Enclosure Event 0x1019: User Deleted Enclosure Event 0x1020: User Enabled Enclosure Event 0x1021: User Disabled Enclosure Event 0x1201: Flash Pending Enclosure Event 0x1202: Flash Started Enclosure Event 0x1203: Flash Progress 116 Configuring compute enclosures and enclosure devices

117 Enclosure Event 0x1204: Flash Complete Enclosure Event 0x1210: Non-iLO EBIPA Standby Onboard Administrator When a second Onboard Administrator is placed in the enclosure, it becomes the standby Onboard Administrator. The standby Onboard Administrator is normally placed in the available Onboard Administrator tray at the rear of the enclosure. By selecting the Active to Standby screen in the Enclosure Settings, you can force a transition within the Onboard Administrator user interface to make the active Onboard Administrator become the standby Onboard Administrator. For an Active or Standby relationship, the two Onboard Administrator modules must have the same firmware version installed. If the firmware versions are not identical, the Insight Display and the main status screen of the Onboard Administrator identifies this error and alerts the user through SNMP if enabled. If using two Onboard Administrators, each Onboard Administrator has a unique IP address. Refer to the Insight Display to get the IP addresses for the Active and Standby Onboard Administrators and write them down. When looking at the enclosure from the rear, the bay on the left is bay 1, while the bay on the right is bay 2. When the Active Onboard Administrator transitions to the Standby Onboard Administrator, the DNS host name and IP addresses remains the same. To connect to the new Active Onboard Administrator, you must completely close your browser and connect to the host name or IP address of the former Standby Onboard Administrator. Onboard Administrator Module 117

118 Status, Information, and Virtual Buttons tabs The information under the Status, Information, and Virtual Buttons tabs is the same as it is for an active Onboard Administrator. For information on these tabs, see Active Onboard Administrator (page 103). TCP/IP Settings for Standby Onboard Administrator This screen displays the current TCP/IP settings for the Standby Onboard Administrator: IPv4 Information General Information IPv4 Information Parameter IP Address Subnet Mask Gateway The IPv4 address of the Standby Onboard Administrator, with indication of the type of IP address assigned (static or dynamic). The subnet mask for the Standby Onboard Administrator. The mask determines to which subnet the Active Onboard Administrator IP address belongs. The gateway address for the Standby Onboard Administrator. General Information Parameter DNS Server 1 Onboard Administrator Name MAC Address NIC Settings Link Status The IP address for the primary DNS server. The name of the Onboard Administrator. The default for this box is the DNS host name. The Onboard Administrator MAC address. The NIC settings for the Active Onboard Administrator, such as auto negotiation, duplex mode, and speed. Indicates whether the NIC is actively connected to the network. To modify the TCP/IP settings, select Click here. Standby Onboard Administrator Virtual Buttons tab The Virtual Buttons tab is the same as it is for an active Onboard Administrator. For information on this tab, see Active Onboard Administrator Virtual Buttons tab (page 105). Standby Certificate Request tab The standby Certificate Request tab is the same as it is for an active Onboard Administrator. For information on this tab, see Certificate Request tab (page 110). Standby Onboard Administrator Certificate Upload tab The standby Certificate Upload tab is the same as it is for an active Onboard Administrator. For information on this tab, see Active Onboard Administrator Certificate Upload tab (page 113). 118 Configuring compute enclosures and enclosure devices

119 System log for Standby Onboard Administrator The System Log displays logged information of events within the Onboard Administrator. Events are logged from the top of the list to the bottom, with the most recent logged event appearing at the bottom of the list. If the list is longer than the display box, you can scroll using the scroll bar on the right side of the log screen. When the log reaches maximum capacity, it automatically deletes the oldest logged event first (first in, first out). To clear the list of all logged events, click Clear Log (below the system log display). Standby to Active Device bays To force the Standby Onboard Administrator to Active, click Transition Standby to Active. A confirmation screen appears, asking if you are sure that you want to perform the action. To proceed, click OK. To exit without a change, click Cancel. This functionality is only available when you are signed into the Standby Onboard Administrator GUI. You can also force the Standby Onboard Administrator to Active by using the FORCE TAKEOVER CLI command. The transition times from Standby to Active and Active to Standby vary, depending on the configuration, enclosure population, and various other factors. Removing the previously Active Onboard Administrator early in the transition process forces the transition time of the Standby to Active to increase. Device Bay Overview Device Bay Summary In the Systems and Devices menu, the Device Bays category lists all blades in the enclosure. Select Device Bays from the menu, and the device list appears with a grid showing the status of each blade in the enclosure. Use individual check boxes to select a specific blade. After selecting blades, select UID State from the drop-down to perform the appropriate action. Device bays 119

120 NOTE: c-class blades also include options for Virtual Power, One Time Boot, and DVD. These options are not available for server blades. Device List Item Check boxes Bay Status UID Power State ilo IP Address ilo Name ilo DVD Status Select bays by selecting the check boxes to which you want to apply the Virtual Power, UID State, One Time Boot, or DVD features. The device bay within the enclosure. The overall status of the device. Possible values are Unknown, OK, Degraded, Failed, and Other. The status of the UID on the device. Possible values are On (blue), Off (gray) or Blink (flashing). When the UID light is flashing, a critical operation is being performed on the device and must not be interrupted. The power state of the device. Possible values are On or Off. The IP address of the ilo within the server blade. NOTE: Not applicable for HP Superdome 2 server blades or storage blades. The DNS name of the ilo within the server blade. NOTE: Not applicable for HP Superdome 2 server blades or storage blades. The status of the DVD connection to the server blade. A status of Incompatible Firmware means the DVD feature is not supported with the ilo firmware installed on the device. NOTE: Not applicable for HP Superdome 2 server blades or storage blades. Information on this page is current as of the last download. To view updated information, click the Refresh button. UID State The UID State drop-down is used to set the UID light on the blades. Turning on the UID light aids in locating a specific blade within an enclosure. The UID lights can be turned on or off one at a time or as groups, depending on the check boxes. DVD NOTE: This menu is not present for HP Superdome 2 server blades or storage blades. For connecting the selected blades to the enclosure media, the DVD menu enables you to select one of the following: Enclosure DVD, if present One of the listed ISO files from an attached USB key None The enclosure media can be connected to multiple blades at the same time. Various USB key ISO files can be attached to various servers at the same time. After the enclosure media is connected using the DVD menu, you can use the Virtual Power menu to reboot the selected server blades in the list. Device Bay Information Selecting a specific blade within the enclosure opens the Device Bay Information - xx screen, where xx is the bay selected. Information provided on this screen includes tabs for Status, Information, and Virtual Devices. 120 Configuring compute enclosures and enclosure devices

121 The Server Management section of the page contains a link to Port Mapping Information to aid the management of the server blade in the device bay. Device bays 121

122 ilo NOTE: This menu is not present for HP Superdome 2 or HP BL920s Gen8 server blades. Port Mapping Information Information regarding port mapping for all devices in the device bay is available by clicking the Port Mapping Information link. Status information Item Status Powered Power Allocated Virtual Fan The overall status of the blade. Possible values are Unknown, OK, Degraded, Failed, or Other with an informational icon. The informational icon with an Other status displays until the server blade is configured for Virtual Connect Manager. See the Diagnostic Information table for more information. The power state of the blade. Possible values are On or Off. The amount of power allocated to the blade in watts. The percentage of maximum RPM of the virtual fan. Diagnostic Information Diagnostic information is gathered by polling a device microcontroller (resulting in a degraded status if a failure has occurred) or is sent by the device microcontroller, without being polled to report a failure. Item Device Identification Data Management Processor I/O Configuration Device Operational Device Degraded ilo Network Device Informational Firmware Mismatch Deconfigured Contains information on model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. Device identification data error displays if the data is not present or not readable by the Onboard Administrator. Status of the ilo. Possible values are OK or Error. Device bay configuration is incorrect. If a storage blade is partnered with a full height server blade, and the server blade does not have the correct mezzanine card, an invalid I/O configuration will result. Possible values are OK or I/O mismatch detected. See the EBIPA section for more information. Device has failed; status was not requested by the Onboard Administrator. Possible values are OK or Error. Device has failed; status was requested by the Onboard Administrator. Possible values are OK or Error. Detects an ilo network configuration problem. Possible values are OK or ilo network configuration problem, check connectivity to ilo default gateway. If the problem continues, then attempt to reset ilo using the Onboard Administrator CLI HPONCFG command to send a script command to reset ilo. Device has an error. Possible values are OK or an Informational message. NOTE: Not applicable for c-class server blades. The now configured partition firmware version does not match the now configured complex firmware bundle version. Possible values are OK or Error. NOTE: Not applicable for c-class server blades. Values are FAILED or OK. Failed means the blade, if part of an npar, will not be used at next boot. 122 Configuring compute enclosures and enclosure devices

123 Item PDHC Processor Device Indictment State of the PDHC management entity. Indicates if the device has been indicted by the Superdome Analysis Engine. Possible values are OK or Error with an informational message. NOTE: Not applicable for c-class server blades. CPU Status Item Resource Path Status FRU Read Status Indictment Status The resource path for the processor socket. The overall status of the processor. Possible values are Unknown, OK, Degraded, or Failed. The status of the FRU data for the processor. Possible values are Unknown, OK, Degraded or Failed. The indictment status of the processor. Possible values are OK or Error with an informational message. DIMM Status: CPU Socket 0 or 1 Item Resource Path Status FRU Read Status Indictment Status Configuration Status The resource path for the DIMM socket. The overall status of the DIMM. Possible values are Unknown, OK, Degraded, or Failed. The status of the FRU data for the DIMM. Possible values are Unknown, OK, Degraded or Failed. The indictment status of the DIMM. Possible values are OK or Error with an informational message. The configuration status of the DIMM is either DECONFIGURED or OK. A deconfigured DIMM will also cause a Critical Error Indictment Status. Temperature Sensors NOTE: The Temperature Sensors table only displays when the blade is powered on. Item Sensor Location Status The sensor number Location of sensor in the device This is the status of the temperature sensor. The status matches the graphic presentation of the temperature. Temperature Graphic presentation of temperature Device bays 123

124 Server Blade Information tab Device Information Row Blade Type Manufacturer Server blade Name of the company that manufactured the server blade 124 Configuring compute enclosures and enclosure devices

125 Row Product Name Part Number System Board Spare Part Number Serial Number Serial Number (Logical) UUID Complex Firmware Version Partition Firmware Version Common descriptive name for the server blade Part number used when ordering an additional or replacement server blade of this type Part number used when ordering an additional or replacement system board of this type The static factory serial number for the server blade A relocatable serial number assigned to the server blade The universally unique identifier assigned to the server blade Currently configured complex firmware version Currently configured partition firmware version Server NIC Information Item Port: NIC 1 Port: NIC 2 Port: NIC 3 Port: NIC 4 Port: ilo The MAC address of this NIC port The MAC address of this NIC port The MAC address of this NIC port. The MAC address of this NIC port. The MAC address of the ilo port for the blade in this enclosure slot. Mezzanine Card Information Item Mezzanine Slot Mezzanine Device Mezzanine Device Port Device ID The physical slot in which the mezzanine card is located. The common or product name of the mezzanine device. The port assigned to the mezzanine device. The MAC address of the interconnect bay port. CPU and memory information Table 8 CPU Information Item Resource path Part Number Speed (MHz) Part Number Serial Number Engineering Date Code The resource path to the processor socket Model of processor Clock speed of the processor Processor part number used to order replacement processor of the same type Factory serial number of the processor Manufacturing reference number Device bays 125

126 Table 9 DIMM Information: CPU Socket 0 or 1 Item Resource path Part Number Manufacturer Speed (MHz) Size (MB) Path to DIMM socket DIMM module part number used to order additional or replacement module of the same type Name of the manufacturer of the DIMM module Bus speed of the DIMM module Memory capacity of DIMM module. The total capacity of all DIMM modules is listed at the bottom. Device bay virtual buttons tab UID Light Clicking the Toggle On/Off button turns the UID light on the server blade on or off for identification of the selected server blade. Interconnect bays Interconnect Bay Summary In the Enclosure Information menu, the Interconnect Bays category lists all the interconnect devices within the selected enclosure within the complex. Selecting the interconnect bays menu item directly opens the interconnect device list with a grid that shows the status of each interconnect device within the enclosure, and the UID status, power state, tray type, management URL, and product name. The check box in the first column on the top row toggles all check boxes on or off for all enclosure interconnect devices. This feature is useful if you want to toggle the UID state for all interconnect devices at the same time. Otherwise, the first column contains check boxes that can be used to select individual interconnects. After the appropriate interconnects are selected, the Virtual Power or UID state drop-down can be selected to perform the appropriate action. Item Check box Bay Select the check boxes next to the bay or bays where you want to apply the Virtual Power and UID State features. Bay in the enclosure of the corresponding interconnect device. This box displays only populated bays. Empty bays are not displayed in this table. 126 Configuring compute enclosures and enclosure devices

127 Item Status UID Power State Module Type Management URL Product Name Overall status of the interconnect device. Possible values are Unknown, OK, Degraded, and Failed. Status of the UID on the interconnect device. Possible values are On (blue) or Off (gray). Power state of the interconnect device. Possible values are On or Off. Network interface type for the interconnect device installed in this bay. Possible values are Ethernet or fiber. Address where the interconnect device can be managed and configured for use in the network. Common descriptive name for the interconnect device. Information on this page is current as of last download. To view updated information, click the Refresh button. The Virtual Power menu enables you to turn an interconnect device on or off. HP recommends that only one device be turned on or off at a time using this feature. The UID State menu is used to set the UID LED on the interconnect device. Turning on the UID LED assists in locating a specific interconnect device within an enclosure. These LEDs can be turned on or off one at a time or as groups depending on the checkboxes. Interconnect Bay Information The Interconnect Bay Information screen displays information about the bays where switches and routers can be placed. Click the Port Mapping Information link to display port mapping information on the interconnect bay you have selected. The port mapping information can also be selected from the navigation tree. Interconnect bays 127

128 Interconnect Bay Status tab Status information Item Status Thermal Status Powered The overall status of the interconnect device. Possible values are Unknown, OK, Degraded, and Failed. The thermal status of the interconnect device. Possible values are Unknown, OK, Degraded, and Failed. The power state of the interconnect device. Possible values are On or Off. Diagnostic Information Row Device Identification Data Management Processor Contains information on model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. Device identification data error displays if the data is not present or not readable by the Onboard Administrator. Management processor is not responding. Possible values are OK or Error. 128 Configuring compute enclosures and enclosure devices

129 Row Temperature Overheat Check Power Allocation Request Device Operational Device Degraded Temperature is above the warning threshold. Possible values are OK or Temperature Warning. Temperature is above the danger threshold. Possible values are OK or Critical temperature threshold reached. There is insufficient power to adequately power the interconnect. Possible values are OK or Insufficient enclosure power. Device has failed; status was not requested by the Onboard Administrator. Possible values are OK or Error. Device has failed; status was requested by the Onboard Administrator. Possible values are OK or Error. Interconnect Bay Information tab Interconnect bays 129

130 Hardware Information Item Product Name Management IP Address Management URL User Assigned Name Part Number Spare Part Number Serial Number Type Manufacturer Temperature Sensor Firmware Version The common descriptive name of the interconnect device. IP address of the interconnect management interface. Web address of the interconnect management interface. A name assigned to the interconnect by the user. If supported, the name is assigned using the interconnect Management Interface. The part number to be used when ordering an additional interconnect device of this type. The part number to be used when ordering a replacement interconnect device of this type. The unique serial number of the interconnect device. The interface type of the interconnect device. Possible values are Ethernet or fiber. The name of the company that manufactured the interconnect device. Indicates whether or not the interconnect device has a temperature sensor. The firmware version of the interconnect module. Connectivity information Item JS2 Connector Internal Ethernet Interface to OA Internal Ethernet Route to OA Internal Serial Interface to OA Internal Serial Route to OA Serial Port Baud Rate External Serial Port Interface External Ethernet Interface This box displays the presence or absence of the JS2 connector. This box displays the presence or absence of an internal Ethernet interface to the Onboard Administrator. This box displays the status of an internal Ethernet route to the Onboard Administrator. Possible values are Enabled or Disabled. This box displays the presence or absence of an internal serial interface to the Onboard Administrator. This box displays the status of an internal serial route to the Onboard Administrator. Possible values are Enabled or Disabled. This box displays the serial port baud rate. This only displays if an external serial port interface is present. This box displays the presence or absence of an external serial port interface. This box displays the presence or absence of an external Ethernet interface. Interconnect Bay Virtual Buttons tab Interconnect bay virtual buttons enable you to cycle power, reset, or toggle the UID on the device of your choice from the Onboard Administrator GUI. 130 Configuring compute enclosures and enclosure devices

131 Button Power Off Reset Toggle On/Off Clicking this button shuts the power off on the interconnect device. Clicking this button forces the interconnect device to power off and then power up again, performing a reset. Clicking this button turns the UID on the interconnect device on (blue) or off (gray) for easy identification of the selected interconnect device. Interconnect Bay Port Mapping The Interconnect Bay Port Mapping screen provides a graphical view and a tabular view of the interconnect bay port mapping. Interconnect bays 131

132 Graphical view When you mouse over the port on the interconnect, the graphical view provides the same information that appears in the tabular view. Tabular view Item Interconnect Bay Port Port Status Device Bay Server Mezzanine Slot The number of the interconnect bay port in order from 1 to 16 Current status of the port The device bay corresponding with the interconnect port mapping The type of device placed into the mezzanine of the server blade 132 Configuring compute enclosures and enclosure devices

133 Item Server Mezzanine Port Device ID The physical port of the mezzanine device The MAC address of the interconnect bay port XFM bays XFM Bay Summary In the Enclosure Information menu, the XFM Bays category lists the Xbar Fabric modules within the selected enclosure within the complex. Selecting the XFM Module bays menu item directly opens the XFM Module list with a grid that shows the status of each XFM Module within the enclosure and the UID status, Engineering Date Code, part number and product name. The check box in the first column on the top row toggles all check boxes on or off for all XFMs. This feature is useful if you want to toggle the UID state for all XFMs at the same time. Otherwise, the first column contains checkboxes that can be used to select individual XFMs. After the appropriate interconnects are selected, the UID state drop-down can be selected to toggle the UID state. Item Check box Bay Status UID Power State Engineering Date Code Part Number Product Name Select the check box next to the bay or bays where you want to apply the UID State features. Bay in the enclosure of the corresponding XFM. This box displays only populated bays. Empty bays are not displayed in this table. Overall status of the XFM. Possible values are Unknown, OK, Degraded, and Failed. Status of the UID on the XFM. Possible values are On (blue) or Off (gray). Power state of the XFM. Possible values are On or Off. Manufacturing information about the XFM. Part number of the XFM used to order replacement parts of the same type. Common descriptive name for the XFM. Information on this page is current as of last download. Click the Refresh button to view updated information. XFM bays 133

134 UID State The UID State menu is used to set the UID LED on the XFM. Turning on the UID LED assists in locating a specific XFM within an enclosure. These LEDs can be turned on or off one at a time or as groups depending on the checkboxes. XFM Bay Information The XFM Bay screen displays information about the bays where XFMs can be placed. XFM Bay Status tab Status information Row Status Inlet Thermal Status Outlet Thermal Status Powered The overall status of the XFM. Possible values are Unknown, OK, Degraded, and Failed. The thermal status of the airflow coming into the XFM. Possible values are Unknown, OK, Degraded, and Failed. The thermal status of the airflow exiting the XFM. Possible values are Unknown, OK, Degraded, and Failed. The power state of the XFM. Possible values are On or Off. Diagnostic Information Row Device Identification Data Contains information on model name, part number, serial number, and other information used to identify the device. 134 Configuring compute enclosures and enclosure devices

135 Row This data is also called FRU data. Device identification data error displays if the data is not present or not readable by the Onboard Administrator. Management Processor Temperature Overheat Check Power Allocation Request Cooling Device Operational Management processor is not responding. Possible values are OK or Error. Temperature is above the warning threshold. Possible values are OK or Temperature Warning. Temperature is above the danger threshold. Possible values are OK or Critical Temperature Threshold Reached. There is insufficient power to adequately power the XFM. Possible values are OK or Insufficient Enclosure Power. Temperature is above the warning threshold. Possible values are OK or Temperature Warning. Device has failed; status was not requested by the Onboard Administrator. Possible values are OK or Error. XFM Link Status Column Port Number Status Indicates the port on the XFM module. Current status of link to connected device. Possible values are OK, Error, Dormant, or Unknown. XFM Bay Information tab Device Information Item Product Name Part Number The common descriptive name of the XFM. The part number to be used when ordering an additional XFM of this type. XFM bays 135

136 Item Spare Part Number Serial Number Engineering Date Code Manufacturer Complex Firmware Version The part number to be used when ordering a replacement XFM of this type. The unique serial number of the XFM. Manufacturing information about the XFM. The name of the company that manufactured the XFM. Now configured firmware version on the XFM. XFM Bay Virtual Buttons GPSM bays XFM virtual buttons enables you to toggle the UID on the XFM of your choice from the Onboard Administrator GUI. Click the Toggle On/Off button to turn UID on the XFM on (blue) or off (gray) for easy identification of the selected XFM. GPSM Bay Summary In the Enclosure Information menu, the GPSM Bays category lists the Global Partition Services modules within the selected enclosure within the complex. Selecting the GPSM bays menu item directly opens the GPSM list with a grid that shows the status of each GPSM within the enclosure and the UID status, Engineering Date Code, part number, and product name. The check box in the first column on the top row toggles all checkboxes on or off for all GPSMs. This feature is useful if you want to toggle the UID state for all GPSMs at the same time. Otherwise, the first column contains checkboxes that can be used to select individual GPSMs. After the appropriate interconnects are selected, the UID state drop-down can be selected to toggle the UID state. Item Check box Bay Status UID Click the check box next to the bay or bays where you want to apply the UID State features. Bay in the enclosure of the corresponding GPSM. This box displays only populated bays. Empty bays are not displayed in this table. Overall status of the GPSM. Possible values are Unknown, OK, Degraded, and Failed. Status of the UID on the GPSM. Possible values are On (blue) or Off (gray). 136 Configuring compute enclosures and enclosure devices

137 Item Engineering Date Code Part Number Product Name Manufacturing information about the GPSM. Part number of the GPSM used to order replacement parts of the same type. Common descriptive name for the GPSM. Information on this page is current as of the download. Click the Refresh button to view updated information. UID State The UID State menu is used to set the UID LED on the GPSM. Turning on the UID LED assists in locating a specific GPSM within an enclosure. These LEDs can be turned on or off one at a time or as groups depending on the checkboxes. GPSM Bay Information The GPSM Bay Information screen displays information about the bays where GPSMs can be placed. GPSM Status tab Status information Item Status Thermal Status The overall status of the GPSM. Possible values are Unknown, OK, Degraded, and Failed. The thermal status of the GPSM. Possible values are Unknown, OK, Degraded, and Failed. GPSM bays 137

138 Diagnostic Information Item Device Identification Data Management Processor Temperature Firmware Mismatch Device Indictment Contains information on model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. Device identification data error appears if the data is not present or not readable by the Onboard Administrator. Management processor is not responding. Possible values are OK or Error. Temperature is above the warning threshold. Possible values are OK or Temperature Warning. The GPSM with a firmware version that does not match the installed Complex firmware will display FAILED in this field. Indicates if the device has been indicted by the Superdome Analysis Engine. Possible values are OK or Error with an informational message. NOTE: Not applicable for c-class server blades. GPSM Bay Information tab Device information Item Product Name Part Number Spare Part Number Serial Number Engineering Date Code Manufacturer Complex Firmware Version The common descriptive name of the GPSM. The part number to be used when ordering an additional GPSM of this type. The part number to be used when ordering a replacement GPSM of this type. The unique serial number of the GPSM. Manufacturing information about the GPSM. The name of the company that manufactured the GPSM. Now configured firmware version on the GPSM. 138 Configuring compute enclosures and enclosure devices

139 GPSM Virtual Buttons GPSM virtual buttons enables you to toggle the UID on the GPSM of your choice from the Onboard Administrator GUI. Click the Toggle On/Off button to turn UID on the GPSM on (blue) or off (gray) for easy identification of the selected GPSM. Enclosure power management Planning power management The compute enclosures each contain twelve power supplies (six upper and six lower), which are monitored directly by Onboard Administrator. At least one upper and one lower power supply must be installed at all times. Onboard Administrator is responsible for calculating the redundancy status, total available power, and total power consumed. This information is displayed to the user and is used to manage power resources. The Onboard Administrator power subsystem displays include status and information for each power supply, and the power enclosure itself. Also included in the power fault realm is control of the electronic fuses between the power backplane and the server or switch bays. The Onboard Administrator will alert on fuse trips to enable you to reset fuses manually. When installing additional power supplies into the enclosure, different power supply part numbers are not supported in the same enclosure. The Onboard Administrator identifies which power supplies must be replaced by displaying a caution icon. For proper installation of the power supplies into a compute enclosure, see the installation guide for your system. Enclosure power management 139

140 Power and Thermal Item Enclosure Ambient Temperature Thermal Subsystem Status Power Subsystem Status Power Mode Present Power Power Limit This box displays the highest ambient temperature being reported by the installed blade devices. If no blade devices are installed, then this box displays the temperature of the Onboard Administrator module as an approximation of the ambient temperature. The overall thermal status of the enclosure. Possible values are Unknown, OK, Degraded, or Critical Error. The overall power status of the enclosure. Possible values are Unknown, OK, Degraded, or Critical Error. A user setting to configure the enclosure DC power capacity and the input power redundancy mode of the enclosure. See Power Management for possible values. The amount of watts being consumed by all devices in the enclosure. The maximum amount of power available for consumption by the enclosure measured in watts. NOTE: The Power Limit is dependent on the enclosure power redundancy setting and the number and location of the power supplies in the enclosure. If a Static Power Limit has been specified, the Power Limit displays that limit. 140 Configuring compute enclosures and enclosure devices

141 Power Management To set the power management options in Onboard Administrator, go to the menu on the left and select the enclosure to be managed, and then click Power and Thermal. The Power Management page appears below. Click Power Management to display the following choices: AC Redundant Power Supply Redundant Not Redundant Beneath the main power management choices is the Dynamic Power Savings mode check box which enables you to enable Dynamic Power Savings Mode. The AC Input VA Limit box enables you to set a VA limit for the enclosure. After this limit is met by the enclosure, it will not allow any additional blades, power supplies, fans, or switches to power on. If a value is entered into the VA Limit box that is lower than the now used VA for the enclosure, the enclosure does not power off any devices within the enclosure. However, if a device is powered off, it cannot power on because of the VA limit rule set in the Onboard Administrator power management settings. IMPORTANT: If redundancy mode is set to Redundant, AC Redundant, or Power Supply Redundant, and power redundancy is lost, then you must either add additional power supplies or change the redundancy mode setting in the Onboard Administrator to restore Power Subsystem status. See the Insight Display for corrective steps. IMPORTANT: To change the power redundancy mode, you must disable EDPC. After changing the power redundancy mode, reset EDPC based on the new ranges. Enclosure power management 141

142 The enclosure power management system enables you to customize the configuration of the enclosure. You can select from the different modes on the Onboard Administrator Power Management screen. The power modes are explained in the following table. Mode Redundant AC Redundant Power Supply Redundant Not Redundant Dynamic Power Power Limit Insight Display name Redundant AC Redundant Power Supply None Dynamic Power Power Limit For DC power supplies only. In this configuration, N upper and N lower power supplies are used to provide power and N upper and N lower power supplies are used to provide redundancy (where N can equal 1, 2, or 3). Up to three upper and three lower power supplies can fail without causing the enclosure to fail. When correctly wired with redundant DC line feeds, this configuration also ensures that a DC line feed failure does not cause the enclosure to power off. For ac power supplies only. In this configuration, N upper and N lower power supplies are used to provide power and N upper and N lower power supplies are used to provide redundancy (where N can equal 1, 2, or 3). Up to three upper and three lower power supplies can fail without causing the enclosure to fail. When correctly wired with redundant ac line feeds, this configuration also ensures that an ac line feed failure does not cause the enclosure to power off. Up to six upper and six lower power supplies can be installed with one upper and one lower power supply always reserved to provide redundancy. In the event of a single upper or lower power supply failure, the redundant power supply in the same section (upper or lower) takes over the load. A line feed failure of more than one power supply in a section causes the system to power off. There is no power redundancy and no power redundancy warnings are given. If all power supplies are needed to supply Present Power, then any power supply or line failure may cause the enclosure to brown-out. If enabled, Dynamic Power automatically places unused power supplies in standby mode to increase enclosure power supply efficiency, thereby minimizing enclosure power consumption during lower power demand. Increased power demands automatically return standby power supplies to full performance. This mode is not supported for low voltage on the enclosure. An optional setting to limit power. Whenever you attempt to power on a device, the total power demands of the new device and of the devices already on are compared against this Static Power Limit. If the total power demands exceed the limit, the new device is prevented from powering on. Dynamic Power The default setting is Enabled. The following selections are valid: Enabled Some power supplies can be automatically placed on standby to increase overall enclosure power subsystem efficiency. Disabled All power supplies share the load. The power subsystem efficiency varies based on load. Dynamic Power is not supported for low voltage on the enclosure. Enclosure Power Allocation To set the power management options in Onboard Administrator, go to the menu on the left and select the enclosure to be managed, and then click Power and Thermal. The Enclosure Power Allocation page appears. Click Enclosure Power Allocation to display the following information: 142 Configuring compute enclosures and enclosure devices

143 Item Subsystem Status Power Allocated Power Available Power Capacity The overall power status of the enclosure. Possible values are unknown, OK, Degraded, and Failed. The amount of power consumed by the devices in the enclosure in watts. The amount of power currently available for all unpowered devices in the enclosure measured in watts. The amount of power possible for all the devices in the enclosure measured in watts. The Power Allocation screen displays basic information regarding the total capacity of the power subsystem, redundant capacity, and the allocated power in watts. The Enclosure Internal Power graph displays the watts that are allocated in green against a gray background, which represents the total redundant capacity of the power supplies. If you change the enclosure redundancy mode after power is allocated to the devices, then the power subsystem might become degraded. Power is still allocated to the devices, but redundancy might not function properly. If zero watts are available and the power graph displays degraded, check your power subsystem and redundancy configurations. You can resolve the degraded condition by changing your redundancy mode or by adding more power supplies to the enclosure. Power Capacity will equal Power Allocated in the case where redundancy is lost. To refresh this display, click the Refresh button beneath the table on the right side of the page. Enclosure power management 143

144 Enclosure Power Summary 144 Configuring compute enclosures and enclosure devices

145 Enclosure Input Power Summary Item Present Power Max Input Power Enclosure Dynamic Power Cap Power Limit Input watts to the enclosure. Highest expected input watts. For HP BL920s Gen8, this is the maximum input power for the enclosure to operate at maximum DC output capacity. N/A for HP Integrity Superdome X An optional setting to limit power. Whenever you attempt to power on a device, the total power demands of the new device and of the devices already on are compared against this Static Power Limit. If the total power demands exceed the limit, the new device is prevented from powering on. Enclosure Output Power Summary Item Present Capacity Power Allocated Power Available Watts possible for all devices in the enclosure. Watts consumed by all devices in the enclosure. Watts currently available to all devices in the enclosure. Enclosure Bay Output Power Allocation Item Device Bays Interconnect Bays XFM Fans Watts allocated for all device bays. Watts allocated for all interconnect bays. Watts allocated for all XFM bays. Watts allocated for all fans. Bay Power Summaries A separate table is displayed for these types of bays: device interconnect XFM Each type of bay is listed by bay number. The name of the component in each bay and the power allocated to it is displayed. Fan Power Summary Fan power is allocated based on a fan-rule. Fan-rule is determined according to the enclosure type and occupied device bays. Both the power allocation for the fans and the total Present Power consumption of all the fans are listed. Enclosure Power Meter The Enclosure Power Meter screen displays peak power use, average power use, and allocated power available in a graph, which enables fast and easy interpretation of the power situation for the enclosure. The power meter is useful for showing trends in power consumption and can assist in troubleshooting the power subsystem. The power information is available in either graphical or tabular form. Enclosure power management 145

146 Graphical View tab This screen enables you to see a graphical view of the power readings for the enclosure. To toggle between Watts, Btu/hr, and Amps, click Show Values. The Line Voltage value is used to provide conversion to Amps. The default value is based on the power supply hardware model, not the actual line voltage. Select the actual line voltage for the enclosure for a more accurate Amps conversion. To view updated power meter information, click Refresh Page. Average Power data graph This graph displays the power usage of the enclosure over the previous 24 hours. The Onboard Administrator collects power usage and Enclosure Dynamic Power Cap information from the enclosure every 5 minutes. For each 5 minute time period, the peak and average power usage 146 Configuring compute enclosures and enclosure devices

147 and the cap for that time period are stored in a circular buffer. These values appear in the form of a bar graph, with the average value in blue, the peak value in red, and the cap value in black. This data is reset when the enclosure is reset. You can choose what appears on the bar graph by selecting or clearing the Average, Cap, Derated, Rated, and Min check boxes. Present Power This value represents the number of watts being consumed by all devices in the enclosure. Most Recent Power Meter Reading This value represents the most recent power reading from the enclosure. Peak Power data graph This graph displays the peak power usage and the Enclosure Dynamic Power Cap over the previous 24 hours. The label Peak Power becomes Peak Power (Side A + Side B) when N+N redundant power is in place, indicating that the peak is divided across two circuits. Also, two graphs appear: one for Side A and one for Side B. The power distribution between Side A and Side B is estimated from the number of active power supplies on each side. If redundancy is lost, the lost side displays peak power of zero. Enclosure Dynamic Power Cap This value represents the most recent Enclosure Dynamic Power Cap reading from the enclosure. Average Power Reading This value represents the average of the power readings from the enclosure over the last 24-hour period. If the enclosure has not been running for 24 hours, then the value is the average of all the readings since the enclosure was powered up. Peak Power Reading This value represents the peak power readings from the enclosure over the last 24-hour period. If the enclosure has not been running for 24 hours, then the value is the maximum of all the readings since the enclosure was powered up or the Onboard Administrator was reset. The label Peak Power Reading becomes Peak Power Reading (Side A + Side B) when N+N redundant power is in place, indicating that the peak is divided across two circuits. Minimum Power Reading This value represents the minimum power readings from the enclosure over the last 24-hour period. If the enclosure has not been running for 24 hours, then the value is the minimum of all the readings since the enclosure was powered up. Table View tab This screen enables you to view the power readings for the enclosure in a table format. Enclosure power management 147

148 Enclosure Power Sumary Row Samples Average (Watts, Btu/hr, or Amps) Minimum (Watts, Btu/hr, or Amps) Number of samples taken. This value shows the average of the power readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24 hour period. If the enclosure has not been running for 24 hours, the value is the average of all the readings since the enclosure was powered up. This value shows the minimum power readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24 hour period. If the enclosure has not been running for 24 hours, the value is the minimum of all the readings since the enclosure was powered up. 148 Configuring compute enclosures and enclosure devices

149 Row Maximum (Watts, Btu/hr, or Amps) (Side A + Side B) Present Power This value shows the maximum power readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24 hour period. If the enclosure has not been running for 24 hours, the value is the maximum of all the readings since the enclosure was powered up. This value shows the power being consumed by all devices in the enclosure. Enclosure Power Detail The Enclosure Power Detail table provides detailed information for each five minute sample period. Click Date in the table heading to arrange the order of the detailed enclosure power information from present date to oldest date or oldest date to present date. Row Date Time Peak (Watts, Btu/hr, or Amps) (Side A + Side B) Min (Watts, Btu/hr, or Amps) Average (Watts, Btu/hr, or Amps) Cap (Watts, Btu/hr, or Amps) Derated (Watts, Btu/hr, or Amps) Rated (Watts, Btu/hr, or Amps) Date the power reading sample was taken. Time the power reading sample was taken. This value shows the maximum power readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24 hour period. If the enclosure has not been running for 24 hours, the value is the maximum of all the readings since the enclosure was powered up. This value shows the minimum power readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24 hour period. If the enclosure has not been running for 24 hours, the value is the minimum of all the readings since the enclosure was powered up. This value shows the average of the power readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24 hour period. If the enclosure has not been running for 24 hours, the value is the average of all the readings since the enclosure was powered up. This value shows the maximum dynamic power cap readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24 hour period. If the enclosure has not been running for 24 hours, the value is the maximum of all the readings since the enclosure was powered up. This value shows the derated power readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24 hour period. If the enclosure has not been running for 24 hours, the value is the maximum of all the readings since the enclosure was powered up. This value shows the rated power readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24 hour period. If the enclosure has not been running for 24 hours, the value is the maximum of all the readings since the enclosure was powered up. Power Subsystem Power supplies available for use in compute enclosures All power supplies in one enclosure must have the same part number. The Onboard Administrator identifies which power supplies must be replaced by displaying a caution icon. Power Supply summary The Power Subsystem screen provides status on the power subsystem, on each individual power supply, and fault conditions. Enclosure power management 149

150 This screen provides status on the power subsystem and on each individual power supply. Power Subsystem information Item Power Subsystem Status Power Mode Redundancy State The status of the power subsystem. Possible values are Unknown, OK, Degraded, or Critical Error. A user setting to configure the enclosure DC power capacity and the input power redundancy mode of the enclosure. Possible values are Redundant, AC Redundant, Power Supply Redundant, Not Redundant, or Unknown. Indicates the redundancy status of the power subsystem. Possible values are Redundant, Not Redundant, or Redundancy Lost. Power supply status Item Bay Model Status Input Status Present Output (Watts) Output Capacity (Watts) The bay in the enclosure of the corresponding power supply. This box displays only populated bays. Empty bays do not appear in this table. The power supply model name. The overall status of the power supply. Possible values are Unknown, OK, Degraded, and Critical Error. The input status of the power supply. Possible values are Unknown, OK, Degraded, and Critical Error. This value is a measure of the present output of the power supply in watts. The amount of power provided by the power supply displayed in watts. This is a measure of the output in DC watts generated by the power supply. 150 Configuring compute enclosures and enclosure devices

151 Click Refresh to update the power subsystem information. Power Supply Information Selecting a specific power supply opens the Power Supply Information-Bay x screen, where x is the bay of the selected power supply. This screen provides status information on the selected power supply. Status information Item Status Input Status Present Output Output Capacity Model Serial Number Part Number Spare Part Number The overall status of the power supply. Possible values are Unknown, OK, Degraded, and Critical Error. The input status of the power supply. Possible values are Unknown, OK, Degraded, and Critical Error. The amount of power provided by the power supply displayed in watts. The maximum amount of power that can be provided by the power supply displayed in watts. The power supply model name. The unique serial number of the power supply. The part number to be used when ordering an additional or replacement power supply of this type. The spare part number to be used when ordering an additional or replacement power supply. Enclosure power management 151

152 Diagnostic Information Diagnostic information is gathered by polling a device microcontroller (resulting in a degraded status if a failure has occurred) or is sent by the device microcontroller, without being polled to report a failure. Row Device Identification Data Device Operational Power Cord Device Indictment The device identification data is information such as model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. A device identification data error appears if the data is not present or not readable by the Onboard Administrator. Possible values are OK or Error. Device has failed; status was not requested by the Onboard Administrator. Possible values are OK and Error. Input power status. Possible values are OK and Error. Indicates if the power supply has been indicted by the Superdome Analysis Engine. Click the Refresh button to update the power supply information. Fans and cooling management Thermal Subsystem Onboard Administrator monitors up to 15 fans in the enclosure and adjusts fan speeds as necessary, based on thermal and power measurements. The speed of individual fans can be adjusted to reduce noise and power consumption, and to compensate for airflow differences within the enclosure. The performance of each fan is monitored, and Onboard Administrator reports any failures or warnings to the system log and HP SIM (when SNMP is enabled). 152 Configuring compute enclosures and enclosure devices

153 Fan Summary This screen provides status on the thermal subsystem and each individual fan. Enclosure power management 153

154 Fan subsystem status Row Thermal Subsystem Status Redundancy Fan Location Rule Indicates the overall status of the fan subsystem. Possible values are Unknown, OK, Degraded, or Critical Error. Indicates the redundancy status of the fans. Possible values are Redundant or Not Redundant The fan location rule indicates the proper location of the fans and the device bays that are supported. Fan status Column Fan Model Status Fan Speed The bay in the enclosure of the corresponding fan. The fan model name. The overall status of the fan. Possible values are Unknown, OK, Degraded, Failed, and Absent. Fan speed as a percentage of maximum RPM. When a fan module fails, the remaining fans automatically compensate by adjusting fan speeds. You can view the status of each fan by selecting the fan bay either through the tree navigation or the graphical navigation view. The Fan Information screen provides information about the overall status, the name, the amount of power consumed in watts, the spare part number, and the serial number. The Fan Information screen also includes diagnostic information such as internal data errors, location errors, device failures, and device degradation. Fan speeds appear in RPMs. To update information on this page, click the Refresh button. Thermal Subsystem Fan Zones tab Fan zones monitor the bay cooling efficiency and the status of the bays the fans are configured to cool. The zone speeds reported are targeted speeds. These values change with time as the fans speed and slow in response to cooling needs of the zone. The Fan Zones tab does not dynamically update. To update information on this tab, click the Refresh button. 154 Configuring compute enclosures and enclosure devices

155 Fan speeds appear in percentage of total capacity, and fans operating in a zone without any blades run at a minimum RPM of 30% to maintain proper cooling in the entire enclosure. Item Thermal Zone Zone Speed Device Bays Fan Bay The six cooling zones in the enclosure: upper left, upper right, middle left, middle right, lower left, and lower right. The computed fan speed required based on the highest device need in the zone. The number of the device bays in a particular thermal zone. The fan bay number. Fans in bays 3, 8, and 13 are shared between thermal zones. Enclosure power management 155

156 Item Fan Status Fan Speed The overall status of each fan. Possible values are Unknown, OK, Degraded, Failed, and Absent. The fan speed is displayed as a percentage of maximum RPM. Enclosure fan location rules The enclosure ships with 15 HP Active Cool fans. All 15 fans are required for optimum cooling of all device bays, GSPM bays, XFM bays and interconnect bay components. 15 Fan Rule Fan Information All fan bays are used to support the maximum configuration of eight server blades, eight interconnect modules, two Onboard Administrator modules, two GPSMs, and four XFMs. Selecting a specific fan opens the Fan Information - Bay x screen, where x is the bay of the selected Fan. This screen provides status information on the selected fan. Selecting a specific power supply opens the Power Supply Information Bay x screen, where x is the bay of the selected power supply. This screen provides status information on the selected power supply. 156 Configuring compute enclosures and enclosure devices

157 Status information Row Status Name Present Power Part Number Spare Part Number Serial Number The overall status of the fan. Possible values are Unknown, OK, Degraded, and Failed. The product name of the fan. The amount of power consumed by the fan displayed in watts. The part number to be used when ordering an additional fan of this type. The spare part number to be used when ordering a replacement fan of this type. The unique serial number of the fan. Diagnostic Information Diagnostic information is gathered by polling a device microcontroller (resulting in a degraded status if a failure has occurred) or is sent by the device microcontroller, without being polled to report a failure. Row Device Identification Data Device Location Device Operational Device Degraded Fan Presence Device Indictment The device identification data checked is information such as model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. A device identification data error appears if the data is not present or not readable by the Onboard Administrator. Possible values are OK or Error. Incorrect power supply location. Possible values are OK or Incorrect location for proper device cooling. Device has failed; status was not requested by the Onboard Administrator. Possible values are OK and Error. Device has failed; status was requested by the Onboard Administrator. Possible values are OK and Error. Presence of a fan module. Possible values are OK and Not Present. Indicates if the fan has been indicted by the Superdome Analysis Engine. To update the fan information, click the Refresh button. For proper installation of the fans into the enclosure, see the service guide for your system. Managing users Users/Authentication This section explains the levels of user rights recognized by the Onboard Administrator and provides detailed procedures to configure the management functionality provided by the Onboard Administrator. The Users/Authentication menu item cannot be selected and does not display overview information for user accounts or settings. Instead, select any of the sublevel menu items for specific settings. User roles and privilege levels Within the Users/Authentication category of Onboard Administrator, you can access the Local Users subcategory. In this subcategory, you can create user accounts that individuals user to log Managing users 157

158 in to the Onboard Administrator, and have a username, password, and typically, contact information. Users can have one of the following privilege levels: Administrator: Allows access to all aspects of the Onboard Administrator including configuration, firmware updates, user management, and resetting default settings. Operator: Allows access to all but configuration changes and user management. This account is ideal for individuals who are required to periodically change configuration settings. User: Allows access to all information, but no changes can be made within Onboard Administrator. This account is for individuals who must see the configuration of the Onboard Administrator but do not require the ability to change settings. The privilege level approach of Onboard Administrator to user permissions enables the maintenance of server blade bays. This approach operates according to the following principles: Users are assigned privilege levels in User Management. A user can have access to any combination of device bays, interconnect bays, and Onboard Administrator bays. Access to a server blade by a user depends on the privilege level assigned to the user account. If you select a user with Administrator or OA permission, the page grays out and disables access to the blade and interconnect permissions and selects them all. In cases where HP SIM is used, Onboard Administrator can integrate with HP SIM and use HP SIM users to enable a single login from HP SIM into Onboard Administrator. For more information, see HP SSO Integration (page 171). Role-based user accounts Role-based user accounts on Onboard Administrator serves to control the functions to which a user has access on the Onboard Administrator. There are two major aspects to the role-based user accounts on Onboard Administrator: bay permissions and a user privilege level. Bay permissions determine which bays the user is allowed to access. Bay permissions are selected during user account creation and allow access to specific device bays, interconnect bays, or Onboard Administrator bays. The privilege level determines which administrative functions the user is allowed to perform. A user's privilege level can be Administrator, Operator, or User. A user with an Administrator privilege level and with permissions to the OA bays in the enclosure is automatically given full access to all bays and can perform any function on the enclosure or bays including managing user accounts and configuring the enclosure. An Operator with permissions to only the OA bays can configure the enclosure, but the Operator can neither manage users or any security settings, nor access any other bays. A User with permission to the OA bays can view only configuration settings, but the User cannot change the settings. The user accounts can be created with multiple bay permissions, but the same privilege level, across those bays. User accounts configured to permit access to device bays can be created for server administrators. If the user logs into the Onboard Administrator, the user is given information on the permitted server bays. If the user selects the ilo from the Onboard Administrator web GUI, the user is automatically logged into that ilo using a temporary user account with their privilege level. ilo users with administrator privilege level have complete control including modifying user accounts. Operators have full control over the server power and consoles. Users have minimum read-only access to server information. Using this single-sign on feature greatly simplifies managing multiple servers from the Onboard Administrator web GUI. Permissions for interconnect modules are slightly different. Autologin is not supported for interconnect modules, and all user levels have access to the Management Console link for interconnect bays to which they have permission. Administrators and operators can use the virtual buttons from Onboard Administrator to control power and the UID light on the interconnect module. Users can view only status and information about the interconnect module. 158 Configuring compute enclosures and enclosure devices

159 Examples The following are examples of management scenarios and the user accounts that can be created to provide the appropriate level of security. Scenario 1: A member of an organization must have full access to the servers in bays 1-8 to view logs, control power, and use the remote console. The user does not have clearance to manage any settings on Onboard Administrator. The user account with this security level has an Administrator access level and permission to server bays 1-8. Thus, the user does not have permission to Onboard Administrator bays or any interconnect bay. Scenario 2: A member of an organization must manage ports on two interconnect modules in bays 3 and 4. This person must know which ports on the switch map to certain servers, but this person must not be able to manage any of the servers. The user account with this security level has a User access level, permission to all server bays, and permission to interconnect bays 3 and 4. However, this user is not be able to control the power or UID LED for the interconnect modules or blades. To control the power or UID to the interconnect modules the user privilege has to be Operator. To restrict this user from performing server operations such as power control or consoles, the account is restricted to just bay permissions for interconnect bays 3 and 4. Local Users screen Add Local User New To add a new user to the selected enclosure, click the New button. A maximum of 30 user accounts can be added including the reserved accounts. The Add Local User screen appears. Edit Select a user (only one can be selected) by selecting the check box next to the name of the user. To change the settings on the Edit Local User screen, click the Edit button. Delete Select a user or users to be deleted by selecting the check box next to the name of the user. To delete the accounts, click the Delete button. If an attempt is made to delete the last remaining Administrator account, then you will receive an alert warning that one Administrator account must remain and the delete action will be canceled. Item Possible value Username 1 to 40 characters, including all alphanumeric characters, the dash (-), and the underscore (_) A maximum of 30 user accounts can be added including the reserved accounts. The user names ALL (case-insensitive), ADMINISTRATOR (case-insensitive), switch1, switch2, switch3, switch4, switch5, switch6, switch7, switch8, ldapuser, nobody, and vcmuser_ are reserved and cannot be used. The user name must begin with a letter and is case-sensitive. Password Password Confirm 3 to 40 characters, including all printable characters 3 to 40 characters, including all printable characters The password associated with the user. The password associated with the user. This value must match the Password value. Click the Add User button to save settings. The Edit Local User screen appears. Managing users 159

160 Edit Local User User information Item Possible value Username 1 to 40 characters, including all alphanumeric characters, the dash (-), and the underscore (_) A maximum of 30 user accounts can be added, including the reserved accounts. The user names ALL (case-insensitive), ADMINISTRATOR (case-insensitive), switch1, switch2, switch3, switch4, switch5, switch6, switch7, switch8, ldapuser, nobody, vcmuser_ are reserved and cannot be used. The user name must begin with a letter and is case-sensitive. Password Password Confirm Full Name 3 to 40 characters, including all printable characters 3 to 40 characters, including all printable characters 0 to 20 characters, including all alphanumeric characters, the dash (-), the underscore (_), and the space The password associated with the user. The password associated with the user. This value must match the Password value. The user's full name. All users can modify their own full name. Contact 0 to 20 characters, including all alphanumeric characters, the dash (-), the underscore (_), and the space Contact information for the user account. The contact information can be the name of an individual, a telephone number, or other useful information. All users can modify their own contact information. 160 Configuring compute enclosures and enclosure devices

161 Item Possible value Privilege Level Administrator Only the Administrator, with Onboard Administrator Bays permission, can set the user privilege level. Can perform all actions on the enclosure when Onboard Administrator Bays permission is selected. All Device Bays and All Interconnect Bays are automatically selected when Onboard Administrator Bays is selected, and all the check boxes are grayed out. Without Onboard Administrator Bays permission, can only see devices and interconnects to which permissions have been given. Privilege Level Operator Can perform all actions on the enclosure except for the functions under Configuration Scripts, Reset Factory Defaults, Active to Standby, and Users/Authentication when Onboard Administrator Bays, All Device Bays, and All Interconnect Bays permissions are selected Without Onboard Administrator Bays permission, can only see devices and interconnects to which permissions have been given. Privilege Level User (read only) Can view all information the Administrator and Operator can change except the Network Access, DVD Drive, and Users/Authentication information. Can launch web interfaces to other devices. Cannot change any configuration settings. Without Onboard Administrator Bays permission, can only manage devices and interconnects to which permissions have been given. User Enabled must be selected to enable the user account. If a user account is disabled, then all open sessions for that account are ended (signed out). Privilege level change If a user account privilege level is changed, then all open sessions for that user account are terminated (signed out). The user must log on again after the privilege level change. Check boxes Selecting the device base bay check box does not give the user permission to a double-dense server without also selecting A and B for that bay. Select only A or B for a device bay if restricting permission to a single server in a double-denser server blade. User Permissions Item Onboard Administrator Bays Gives the user permissions for the Onboard Administrator bays and enables the user to see the fans and power supplies. If the user privilege level is Administrator, then All Managing users 161

162 Item Device Bays and All Interconnect Bays are automatically selected when Onboard Administrator Bays is selected and all the check boxes are grayed out. All Device Bays Selected Device Bays All Interconnect Bays Selected Interconnect Bays Gives the user permissions for all the device bays Gives the user permissions for only the selected device bays Gives the user permissions for all the interconnect bays Gives the user permissions for only the selected interconnect bays Click Update User to save the changes. Edit Local User Certificate Information tab When Two-Factor Authentication is enabled, a user must have a user certificate to log on to the Onboard Administrator. Users with administrator privileges can upload or map a valid certificate to a selected user. There are two methods for uploading certificates for use in Onboard Administrator: Paste certificate contents into the text box, and then click the Upload button. Paste the URL of the certificate into the URL box, and then click the Apply button. When the certificate is successfully uploaded, the SHA1 fingerprint of the user certificate appears. If a user already has a certificate mapped to an account, the SHA1 fingerprint of the certificate appears. Any user with administrator privileges can delete their certificate and upload a new user certificate. Password Settings screen This screen enables you to enforce strong password features. Only Administrators with Onboard Administrator permission are allowed to manage strong passwords. 1. To enable this feature, select Enable Strong Passwords. 2. To save the setting, click the Apply button. The user password must contain three of the four following character types: Character type Uppercase Lowercase Numeric Nonalphanumeric An uppercase character from the character set A to Z. A lowercase character from the character set a to z. A numeric character from the character set 0 to 9. Any printable character that is not a space or an alphanumeric character. The minimum password length can be between 3 and 40 characters. If the minimum password length is not configured, then the password defaults to three characters. To save the minimum password length setting, click Apply. Directory Settings screen LDAP is a protocol for accessing information directories. While LDAP is based on the X.500 standard, it is significantly simpler. LDAP also supports TCP/IP and is an open protocol. 162 Configuring compute enclosures and enclosure devices

163 Use the Directory Settings screen to set directory access for the now selected enclosure. You can configure the following settings: Enable LDAP Authentication Select this checkbox to enable a directory server to authenticate a user sign in. Enable Local Users Select this checkbox to enable a user to sign in using a local user account instead of a directory account. Search Context Specify one to six search contexts. A search context is a search filter or shortcut to a common directory, defining the directory users search to start at the specified path. By specifying a search context, users do not have to specify their full DNs at login. A DN might be long and users might not be familiar with their DN or might have accounts in different directory context. The Onboard Administrator attempts to contact the directory service by DN and then applies the search contexts in order, beginning with Search Context 1 and continuing through any subsequent search contexts until successful. Search context is also applicable to LDAP directory groups, which are useful when LDAP nested groups are configured. When specifying the search context for an LDAP directory group, the exact context is not required. Box Directory Server Address Directory Server SSL Port Search Context 1 Search Context 2 Search Context 3 Search Context 4 Search Context 5 Search Context 6 Possible value ###.###.###.### where ### ranges from 0 to 255 or DNS name of the directory server or the name of the domain 0 to All characters except " (quotes), not to exceed 127 characters All characters except " (quotes), not to exceed 127 characters All characters except " (quotes), not to exceed 127 characters All characters except " (quotes), not to exceed 127 characters All characters except " (quotes), not to exceed 127 characters All characters except " (quotes), not to exceed 127 characters The IP address or the DNS name or the name of the domain of the directory service. This field is required. The port used for LDAP communications. The default port is port 636. This field is required. First searchable path used to locate the user when the user is trying to authenticate using directory services. The path is also used to search for a nesting LDAP group. Second searchable path used to locate the user when the user is trying to authenticate using directory services. The path is also used to search for a nesting LDAP group. Third searchable path used to locate the user when the user is trying to authenticate using directory services. The path is also used to search for a nesting LDAP group. Fourth searchable path used to locate the user when the user is trying to authenticate using directory services. The path is also used to search for a nesting LDAP group. Fifth searchable path used to locate the user when the user is trying to authenticate using directory services. The path is also used to search for a nesting LDAP group. Sixth searchable path used to locate the user when the user is trying to authenticate using directory services. The path is also used to search for a nesting LDAP group. Managing users 163

164 Uploading a certificate Certificates protect user credentials from "man-in-the-middle" attacks. If certificates are not loaded onto the Onboard Administrator, it is possible for a man-in-the-middle to view LDAP credentials for anyone who logs into the Onboard Administrator. The Onboard Administrator accepts multiple domain controller certificates, which can be uploaded using the Certificate Upload tab under Directory Settings. To upload a certificate: 1. Get the certificate from the domain controller by opening a browser and entering the following address: controller>:636 where domain controller is the IP address for your network domain controller. 2. When prompted to accept a certificate, click View Certificate. 3. Click the Details tab, and then click the Copy to File button. 4. From the list of export options, select Base-64 encoded x.509 (.CER). 5. Provide a name and location for the file, and finish the Upload a Certificate Wizard. 6. Locate the exported certificate file, and then rename it with a.txt extension (for example, dccert.txt). 7. Open the file in a text editor, and copy the entire contents to the clipboard. The following is an example of an exported certificate file: -----BEGIN CERTIFICATE----- MIIFxDCCBKygAwIBAgIKJWUSwAAAAAAAAjANBgkqhkiG9w0BAQUFADBVMRMwEQYK CZImiZPyLGQBGRYDY29tMRIwEAYKCZImiZPyLGQBGRYCaHAxFzAVBgoJkiaJk/Is ZAEZFgdhdGxkZW1vMREwDwYDVQQDEwh3aW5kb3pDQTAeFw0wNjA4MjIyMDIzMTFa Fw0wNzA4MjIyMDIzMTFaMCAxHjAcBgNVBAMTFXdpbmRvei5hdGxkZW1vLmhwLmNv btcbnzanbgkqhkig9w0baqefaaobjqawgykcgyeay4zeh3ixyduawkvhidsxlj6b aruvt9zhkl5nqhiderjumsgc/jhserdmhuyoy/qbf7jmhj9lh9qqhug8qfeysc1y qtvgisrzehtvmrmecvsxzm27b4bj5xyn0vycrwqknh7x/tvhmwqgls7/yzyahnu1 lgb2ojocq5ejxx+ybx0caweaaaoca00wggnjmasga1uddwqeawifodbebgkqhkig 9w0BCQ8ENzA1MA4GCCqGSIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwBwYFKw4D output truncated -----END CERTIFICATE Return to the Onboard Administrator, paste the certificate contents into the window, and click the Upload button. Directory Certificate Upload tab Upload an LDAP certificate to the Onboard Administrator to establish a trusted relationship with the LDAP server. You can upload a maximum of three certificates. Upload certificates for use in Onboard Administrator in the following ways: Paste certificate contents into the text box, and then click the Upload button. Paste the URL of the certificate into the URL box, and then click the Apply button. Directory Test Settings tab The directory Test Settings tab enables Onboard Administrator administrators to ensure that the configuration information provided allows the directory user access to the Onboard Administrator and to the resources in the enclosure. The Test Settings tab applies only to the current settings. Therefore, after making changes, you must click the Apply button, and then select the Test Settings tab. 164 Configuring compute enclosures and enclosure devices

165 Use the Test Settings tab to run and report the tests. When the page initially appears, it contains a list of tests with the current status of Not Run. To run the tests, click Test Settings. The tests are run in the order that they appear. The tests end when an error occurs. To perform the User Authentication and User Authorization tests, you must enter a user name and password in Directory Test Controls. The following tests are performed in the order listed. Overall Test Status The Overall Test Status is an aggregation of all the tests run. The value is either Not Run, Passed, or Failed. If any of the individual tests fail, the status is Failed. Ping Directory Server A simple ping test is performed after a valid IP address or domain name is verified for the directory server. The ping test sends a maximum of four ping packets to the directory server and reports success or failure. A successful test reports that Onboard Administrator can establish a network path to the directory server. A failed test reports that Onboard Administrator cannot establish a network path to the directory server. The administrator must verify the host name or IP address. Directory Server IP Address If the LDAP configuration specifies an IP address instead of a DNS, then this test verifies that the IP address is a valid IPv4 address. Otherwise the test reports the Not Run status. A successful test reports that the IP address stored for the directory server is a valid IPv4 address. A failed test reports that the IP address stored for the directory server is not a valid IPv4 address. The administrator must verify the IP address entered and correct the IP address. Directory Server DNS Name The DNS lookup test determines if Onboard Administrator can resolve the domain name of the LDAP server. If the LDAP server configuration uses IP addresses instead of a DNS name, then this test reports Not Run. A successful test reports that Onboard Administrator is able to resolve the Directory Server host name using domain name. A failed test reports that Onboard Administrator is unable to resolve the Directory Server host name. The administrator must be sure that the directory server host name is correct and that the host name is correct for the directory server. Connect to Directory Server This test attempts to connect to the specified directory server IP address and service port. A successful test reports that Onboard Administrator can establish a connection to the directory server at the specified host name or address and at the specified port number. The successful test indicates that network service is available, the directory service is running, and available at the specified directory server and port. A failed test reports that Onboard Administrator cannot establish a connection to the directory server. The unsuccessful test reports that the network service is not available. The administrator must verify the host name or address and port number. Connect using SSL This test verifies that the directory server is providing the directory service over an SSL connection. Managing users 165

166 A successful test reports that Onboard Administrator can establish an SSL connection to the directory server host name or IP address and port. The network service is available as a secure SSL connection. A failed test reports that the network service is not available as a secure SSL connection and the Onboard Administrator does not allow this type of connection. The administrator must identify a directory server that supports SSL connections or reconfigure the directory server to use SSL connections. Certificate of Directory Server If the directory server SSL certificate has been loaded onto Onboard Administrator, use this test to verify that the certificate provided by the directory server matches the current certificate stored on Onboard Administrator. If the directory server SSL certificate has not been loaded, then this test does not run. A successful test reports that Onboard Administrator was able to validate the directory server certificate against the certificates stored on Onboard Administrator for the specified directory server. A failed test reports that the directory server certificate stored on Onboard Administrator does not match the certificate provided on the SSL connection. User Authentication This test attempts to log in the user to the directory by using the user name and password provided in Directory Test Controls. If user authentication fails using the provided user name and password, then each search context is attempted. If a search context begins with the then the DN used to log in is the search name concatenated to the user name entered. Otherwise, the search DN used to log in is constructed as follows: cn=<username>,<search context>. The result from this test identifies the search context that was successful in authenticating the user. User Authorization After a user has successfully authenticated and logged into Onboard Administrator, the configured directory group to which the user belongs is identified. A user can belong to multiple directory groups, so the directory group that gives the user the most privileges is identified. A successful test reports the directory group with the highest privilege levels for the authenticated user. A failed test reports that the authenticated user does not have any authorization on Onboard Administrator because the user does not belong to any of the configured directory groups. Test Log This is a running log of the details associated with the tests that have run and the results of the tests. Directory Test Controls The user name and password are sent to the LDAP server for authentication before the User Authentication and User Authorization tests are performed. The Onboard Administrator limits the length of the user name and password as indicated. Authentication requirements are defined by the LDAP server; the length limits imposed by the LDAP server might be more restricted than the limits imposed by the Onboard Administrator. User Name Accepts 0 to 256 characters Password Accepts 0 to 1024 characters 166 Configuring compute enclosures and enclosure devices

167 Directory Groups Use the Group Settings screen to configure directory groups and set directory access for the currently selected enclosure. Access to the enclosure can be granted using LDAP. To use the LDAP server, you must create directory accounts. The Directory Groups screen displays current directory groups that have been added to the Primary Connection enclosure. You may add user groups to all enclosures but you may edit and delete user groups only from the Primary Connection enclosure. To use LDAP services, you must add at least one directory group. Item Check box Group Name Privilege Level Privilege Level Privilege Level Used to select Directory Group for editing or deleting 1 to 255 characters and contains the same characters as search contexts. The group name is used to determine LDAP users group membership. The group name must match one of the following properties of a directory group: Name Distinguished name Common name Display name SAM account name For nested groups, matching is based on objectsid (an attribute that specifies the security ID of the group). The distinguished name is recommended to uniquely specify the LDAP group. If the Onboard Administrator is configured to search the GC port and a distinguished name is not used, then an incorrect match in multiple domains may occur which could result in unintended authorization. Administrator Only the Administrator, with Onboard Administrator Bays permission, can set the user privilege level. Can perform all actions on the enclosure when Onboard Administrator Bays permission is selected. All Device Bays and All Interconnect Bays are automatically selected when Onboard Administrator Bays is selected, and all the checkboxes are grayed out. Without Onboard Administrator Bays permission, cannot see fans and power supplies. Without Onboard Administrator Bays permission, can see only devices and interconnects to which permissions have been given. Operator Can perform all actions on the enclosure except for the functions under Users/Authentication when Onboard Administrator Bays, All Device Bays, and All Interconnect Bays permissions are selected. Without Onboard Administrator Bays permission, cannot see fans and power supplies. Without Onboard Administrator Bays permission, can see only devices and interconnects to which permissions have been given. User (read-only) Can view all information the Administrator and Operator can change except the Users/Authentication information. Can launch web interfaces to other devices. Cannot change any configuration settings. Without Onboard Administrator Bays permission, can manage only devices and interconnects to which permissions have been given. Without Onboard Administrator Bays permission, cannot see fans and power supplies. 0 to 58 characters, containing alphanumeric characters, the dash (-), the underscore (_), and the space. The description of the LDAP group, a more readable version of the group name, or other useful information. Managing users 167

168 New: Click the New button to add a new Directory Group to the selected enclosure. You can add a maximum of 30 Directory Groups. The Add LDAP Group screen appears. Edit: Select a Directory Group to be edited by selecting the check box next to the name of the group. Click the Edit button to change the settings on the Edit LDAP Group screen. Delete: Select the Directory Group to be deleted by selecting the check box next to the name of the group. Click the Delete button to remove the group. Add an LDAP Group Group Information NOTE: A maximum of 30 Directory Groups can be added. Item Check box Group Name Privilege Level Privilege Level Privilege Level Used to select Directory Group for editing or deleting 1 to 255 characters and contains the same characters as search contexts. The group name is used to determine LDAP users group membership. The group name must match one of the following properties of a directory group: Name Distinguished name Common name Display name SAM account name Administrator Only the Administrator, with Onboard Administrator Bays permission, can set the user privilege level. Can perform all actions on the enclosure when Onboard Administrator Bays permission is selected. All Device Bays and All Interconnect Bays are automatically selected when Onboard Administrator Bays is selected, and all the checkboxes are grayed out. Without Onboard Administrator Bays permission, cannot see fans and power supplies. Without Onboard Administrator Bays permission, can see only devices and interconnects to which permissions have been given. Operator Can perform all actions on the enclosure except for the functions under Users/Authentication when Onboard Administrator Bays, All Device Bays, and All Interconnect Bays permissions are selected. Without Onboard Administrator Bays permission, cannot see fans and power supplies. Without Onboard Administrator Bays permission, can see only devices and interconnects to which permissions have been given. User (read-only) Can view all information the Administrator and Operator can change except the Users/Authentication information. Can launch web interfaces to other devices. Cannot change any configuration settings. Without Onboard Administrator Bays permission, can manage only devices and interconnects to which permissions have been given. Without Onboard Administrator Bays permission, cannot see fans and power supplies. 0 to 58 characters, containing alphanumeric characters, the dash (-), the underscore (_), and the space. The description of the LDAP group, a more readable version of the group name, or other useful information. 168 Configuring compute enclosures and enclosure devices

169 Group Permissions Check box Onboard Administrator Bays All Device Bays Selected Device Bays All Interconnect Bays Selected Interconnect Bays Gives the user permissions for the Onboard Administrator bays and enables the user to see the fans and power supplies. If the user privilege level is Administrator, then All Device Bays and All Interconnect Bays are automatically selected when Onboard Administrator Bays is selected and all the checkboxes are grayed out. Gives the user permissions for all the device bays Gives the user permissions for only the selected device bays Gives the user permissions for all the interconnect bays Gives the user permissions for only the selected interconnect bays Click the Add Group button to save settings. Edit an LDAP Group Group Information Item Group Name Privilege Level Privilege Level Privilege Level 1 to 255 characters and contains the same characters as search contexts. The group name is used to determine LDAP users group membership. The group name must match one of the following properties of a directory group: Name Distinguished name Common name Display name SAM account name Administrator Only the Administrator, with Onboard Administrator Bays permission, can set the user privilege level. Can perform all actions on the enclosure when Onboard Administrator Bays permission is selected. All Device Bays and All Interconnect Bays are automatically selected when Onboard Administrator Bays is selected, and all the checkboxes are grayed out. Without Onboard Administrator Bays permission, cannot see fans and power supplies. Without Onboard Administrator Bays permission, can see only devices and interconnects to which permissions have been given. Operator Can perform all actions on the enclosure except for the functions under Users/Authentication when Onboard Administrator Bays, All Device Bays, and All Interconnect Bays permissions are selected. Without Onboard Administrator Bays permission, cannot see fans and power supplies. Without Onboard Administrator Bays permission, can see only devices and interconnects to which permissions have been given. User (read-only) Can view all information the Administrator and Operator can change except the Users/Authentication information. Can launch web interfaces to other devices. Managing users 169

170 Item Cannot change any configuration settings. Without Onboard Administrator Bays permission, can manage only devices and interconnects to which permissions have been given. Without Onboard Administrator Bays permission, cannot see fans and power supplies. 0 to 58 characters, containing alphanumeric characters, the dash (-), the underscore (_), and the space. The description of the LDAP group, a more readable version of the group name, or other useful information. Group Permissions Item Onboard Administrator Bays All Device Bays Selected Device Bays All Interconnect Bays Selected Interconnect Bays Gives the user permissions for the Onboard Administrator bays and enables the user to see the fans and power supplies. If the user privilege level is Administrator, then All Device Bays and All Interconnect Bays are automatically selected when Onboard Administrator Bays is selected and all the checkboxes are grayed out. Gives the user permissions for all the device bays Gives the user permissions for only the selected device bays Gives the user permissions for all the interconnect bays Gives the user permissions for only the selected interconnect bays Click the Update Group button to save settings. 170 Configuring compute enclosures and enclosure devices

171 SSH Administration This page lists the owner of each authorized Secure Shell key and enables adding new keys. SSH Fingerprint: Lists the public key portion of a public/private key pair. Authorized SSH Keys: Lists the authorized Secure Shell key data. The owner is always the Administrator. To add additional Authorized Secure Shell Keys, enter the Secure Shell key in the text box and click the Apply button. To clear all Authorized Secure Shell Keys, delete all the text in the text box and click the Apply button. Download SSH Key File: In the URL to SSH Keys File box, enter the location of the public key file, and click the Apply button to download. All now authorized Secure Shell keys are replaced when the Secure Shell key file is downloaded. The key file must contain the Administrator name at the end of the public key. Each key is associated with the Administrator account. HP SSO Integration Onboard Administrator supports SSO with trusted applications, such as HP SIM. This feature enables you to log in to a trusted management application and then be able to automatically access any managed devices where the SSO certificate is installed. To configure SSO to work through HP SIM: Managing users 171

172 1. Set the SSO trust mode to ON. On the HP SIM Integration screen, select Trust by Certificate from the Trust mode menu. NOTE: When trust mode is disabled, the HP SSO single sign-on attempt fails, and you must enter Onboard Administrator credentials to log on. 2. Download a certificate from the HP SIM system to manage the enclosure. On the HP SIM Integration screen, select the Certificate Upload tab, and then upload the certificate using one of the following methods: Paste the contents of the certificate into the text box and then click Upload. Enter the IP address of the HP SIM system that will be managing the enclosure and then click Apply. Edit Local User Certificate Information tab When Two-Factor Authentication is enabled, a user must have a user certificate to log on to the Onboard Administrator. Users with administrator privileges can upload or map a valid certificate to a selected user. 172 Configuring compute enclosures and enclosure devices

173 Upload certificates for use in Onboard Administrator in the following ways: Paste certificate contents into the text box, and then click the Upload button. Paste the URL of the certificate into the URL box, and then click the Apply button. When the certificate is successfully uploaded, the SHA1 fingerprint of the user certificate appears. If a user already has a certificate mapped to an account, the SHA1 fingerprint of the certificate appears. Any user with administrator privileges can delete their certificate and upload a new user certificate. Two-Factor Authentication screen Two-Factor Authentication Settings tab NOTE: Onboard Administrator must be configured in Virtual Connect mode before enabling Two-Factor Authentication when using Virtual Connect Manager and Two-Factor Authentication. When Two-Factor Authentication is enabled, only users with a valid user certificate are allowed to log on to Onboard Administrator. A valid user certificate is signed by a trusted Certificate Authority and is mapped to the respective user on the Onboard Administrator. To enable Two-Factor Authentication for user authentication during log on, select Enable Two-Factor Authentication. When Two-Factor Authentication is enabled, Secure Shell and Telnet access is disabled by default. Disabling Two-Factor Authentication does not automatically re-enable Secure Shell and Telnet. You must go to the Network Access screen, and then select Enable Secure Shell and Enable Telnet. To enable the Onboard Administrator to verify with the Certifying Authority that the certificate being used has been added to the certificate revocation list (CRL), select Check for Certificate Revocation. If the certificate is on the CRL, the log on is denied. Certificate Owner Field You can configure the Onboard Administrator to use the user principle name in the SAN by selecting SAN or to use the certificate subject name by selecting Subject when authenticating directory users with a directory server. To save settings, click the Apply button. Two-Factor Authentication Certificate Information tab This screen displays all Certificate Authorities trusted by the Onboard Administrator. Any user certificates uploaded to the Onboard Administrator must be signed by one of these Certificate Authorities. A maximum of three Certificate Authority certificates can be uploaded to the Onboard Administrator. Row Certificate Version Issuer Organization Issuer Organization Unit Issued By Subject Organization Issued To Valid From Valid Upto Version number of current certificate Name of the organization that issued the certificate Name of the organizational unit that issued the certificate The authority that issued the certificate Subject name Organization to whom the certificate was issued The date from which the certificate is valid The date on which the certificate expires Two-Factor Authentication screen 173

174 Row Serial Number Extension Count MD5 Fingerprint SHA1 Fingerprint The serial number assigned to the certificate by the certificate authority Number of extensions in the certificate A validation of authenticity embedded in the certificate A validation of authenticity embedded in the certificate Two-Factor Authentication Certificate Upload tab To enable Two-Factor Authentication, upload at least one valid certificate belonging to a CA to the Onboard Administrator. There are two methods for uploading certificates for use in Onboard Administrator: Paste certificate contents into the text box, and then click the Upload button. Paste the web address of the certificate into the URL box, and then click the Apply button. Signed In users This screen displays all the current sessions signed in to the Onboard Administrator. This screen is only available to Administrators with Onboard Administrator access. The Administrator can end sessions, disable users, and delete users from this screen. Current Session: This table lists the session created when you signed in to the Onboard Administrator. Other Sessions: This table lists the other users signed in to the Onboard Administrator. Column Check box Username IP Address Age Idle Time User Type Session Type OA Module Used to select a user or all users. The name of the user signed in to the enclosure. The user account IP address. The IP address of the session can be an enclosure linked address if it looks like " x". These sessions are created by other linked enclosures. Performing a delete, disable, or end session on a user with a linked enclosure IP address might end the enclosure link sessions of other users. For KVM and Serial logins the IP address box displays Local. The length of time (measured in days, hours, minutes and seconds) that the user account has been signed in. The length of time (measured in days, hours, minutes and seconds) that the signed in account has been idle. The type of user signed in to the enclosure. Possible values are Local, LDAP, or HP SIM. The type of session of the signed-in user. Possible values are Web, SSH, Telnet, KVM, Serial, and Factory Diagnostics. The Onboard Administrator module the user is signed into. Possible values are Active or Standby. 174 Configuring compute enclosures and enclosure devices

175 Delete Users: Select a user or users to be deleted by selecting the check box next to the name of the user, and click the Delete Users button. You cannot delete your own account or the built-in Administrator account. Disable Users: Select a user or users to be disabled by selecting the check box next to the name of the user, and click the Disable Users button. You cannot disable your own account or the built-in Administrator account. Terminate Sessions: Select a user or users whose sessions you want to end by selecting the check box next to the name of the user, and click the Terminate Sessions button. You cannot end your own session. Session Options tab This screen enables you to specify the length of time a user session is valid if there is no activity. Sessions are checked every 5 minutes to see if they have been inactive for the amount of time specified by the system administrator. If any sessions have been inactive for the specified amount of time, they are removed from the system. Session Timeout: The number of minutes before an inactive session becomes invalid. Session Timeout can be any value between 10 and 1440 (24 hours). The default value for Session Timeout is After entering a Session Timeout value, click the Apply button. Insight Display All Onboard Administrator GUI users can access the Insight Display screens by selecting Insight Display from the Tree View or Rack Overview. The Security tab can lock the Insight Display buttons and set a PIN code and enable PIN protection. The User Note tab enables note text to be edited. The Background tab allows a 320x240 px Windows bitmap to be uploaded as the user note background image. The Chat Mode tab enables an administrator to initiate a chat with a user at the enclosure using the Insight Display. Management network IP dependencies Onboard Administrators management port enables external clients to connect through Onboard Administrator to ilos and interconnect management processors that are configured to use Onboard Administrators internal management network. Onboard Administrator firmware bridges the client traffic to the enclosure from the management port to the internal enclosure management network if the destination IP address is not Onboard Administrator. Onboard Administrator creates a route table entry for each server ilo IP address in an enclosure. This enables Onboard Administrator to conduct IP communications with that ilo. These ilo route table entries enable you to configure each ilo network in a different subnet than Onboard Administrator. Each ilo is configured with a valid gateway on its subnet that is accessible through Onboard Administrators external management port connection. Routers must be present on the network connected to Onboard Administrator management port to provide the multiple subnets and gateways on the management network. Use of different subnets to attempt to isolate ilos and Onboard Administrator management is not complete isolation of those networks. Insight Display 175

176 8 HP Superdome 2 IOX enclosures Each IOX enclosure in the complex can be selected from the left navigation tree. Clicking the IOX name opens the main status page of the IOX. The following tabs are available at the top of the main page: Status Information Virtual Buttons IOX Enclosure Information screen IOX Status tab Item IOX Status Tray 1 Power Tray 2 Power The overall status of the IOX. Possible values are Degraded, Failed, OK or Unknown. Power status of I/O tray 1. Possible values are On or Off. Power status of I/O tray 2. Possible values are On or Off. 176 HP Superdome 2 IOX enclosures

177 Diagnostic Information Item Device Identification Data Management Processor Temperature Overheat Check Contains information on model name, part number, serial number, and other information used to identify the IOX. This data is also called FRU data. Device identification data error displays if the data is not present or not readable by the Onboard Administrator. Status of the IOX management processor. Possible values are OK or Error. Temperature is above the warning threshold. Possible values are OK or Temperature Warning. Temperature is above the danger threshold. Possible values are OK or Critical temperature threshold reached. The IOX Status Overview is divided into four sections: Power Subsystem Thermal Subsystem Link Subsystem Status IO Slot Status For the Power and Thermal Subsystem section, the following values are possible: OK Degraded Failed Unknown For the Link Subsystem and IO Slot Status sections, the following values are possible: OK Failed Unknown If any component of a subsystem has any status other than OK, the status of each component in the subsystem is listed under the relevant section. IOX Enclosure Information screen 177

178 IOX Information tab Item Product Name Enclosure Number Manufacturer Part Number Spare Part Number Serial Number Engineering Date Code Complex Firmware Version The common descriptive name of the IOX enclosure. The number of the IOX enclosure configured by dipswitches on the IOX enclosure hardware. The name of the company that manufactured the IOX enclosure. The part number to be used when ordering an additional IOX enclosure of this type. The part number to be used when ordering a replacement IOX enclosure of this type. The unique serial number of the IOX enclosure. Manufacturing information about the IOX enclosure. Now configured firmware version on the IOX enclosure. IOX Virtual Buttons tab Click the Toggle On/Off button to change the state of the IOX UID. The IOX UID is located on the lower-right side of the IOX enclosure faceplate. 178 HP Superdome 2 IOX enclosures

179 IOX Power and Thermal screen Item Ambient Temperature Thermal Subsystem Status Power Subsystem Status Redundancy State Present Power Power Limit The temperature of the IOX enclosure in degrees Celsius and Fahrenheit. The overall thermal status of the IOX enclosure. Possible values are Unknown, OK, Degraded, or Critical Error. The overall power status of the IOX enclosure. Possible values are Unknown, OK, Degraded, or Critical Error. Indicates the redundancy status of the power subsystem. Possible values are Redundant or Redundancy Lost. The amount of watts being consumed by all devices in the IOX. The maximum amount of power available for consumption by the enclosure measured in watts. Present Power/Power Limit The Present Power is the number of watts being consumed by all the devices in the now selected IOX. The Power Limit is the maximum amount of input power available for consumption by the enclosure. The Power Limit is dependent on the number of power supplies present in the IOX. To update information on this screen, click the Refresh button. IOX Power Subsystem screen The Power Subsystem screen shows the overall status of the IOX enclosure power subsystem and information about each power supply in the IOX enclosure. Power supplies available for use in IOX enclosures All power supplies in one IOX enclosure must have the same part number. The Onboard Administrator identifies which power supplies must be replaced by displaying a caution icon. Power Supply summary The Power Subsystem screen provides status on the power subsystem, on each individual power supply, and fault conditions. IOX Power and Thermal screen 179

180 Item Power Subsystem Status Redundancy State The overall power status of the IOX enclosure. Possible values are Unknown, OK, Degraded, or Critical Error. Indicates the redundancy status of the power subsystem. Possible values are Redundant, Not Redundant, or Redundancy Lost. This screen provides status on the power subsystem and on each individual power supply. Power Supply status Item Bay Model Status Input Status Present Output (Watts) Output Capacity (Watts) The bay in the IOX enclosure of the corresponding power supply. This box displays only populated bays. Empty bays do not appear in this table. The power supply model name. The overall status of the power supply. Possible values are Unknown, OK, Degraded, and Critical Error. The input status of the power supply. Possible values are Unknown, OK, Degraded, and Critical Error. This value is a measure of the present output of the power supply in watts. The amount of power provided by the power supply displayed in watts. This is a measure of the output in DC watts generated by the power supply. Click the Refresh button to update the power subsystem information. IOX Power Supply screen Selecting a specific power supply opens the Power Supply Information-Bay x page, where x is the bay of the selected power supply. This screen provides status information of the selected power supply. 180 HP Superdome 2 IOX enclosures

181 Status information Item Status Input Status Output Capacity Model Serial Number Spare Part Number The overall status of the power supply. Possible values are Unknown, OK, Degraded, and Critical Error. The input status of the power supply. Possible values are Unknown, OK, Degraded, and Critical Error. The maximum amount of power that can be provided by the power supply displayed in watts. The power supply model name. The unique serial number of the power supply. The spare part number to be used when ordering an additional or replacement power supply. IOX Thermal Subsystem screen Onboard Administrator monitors up to 4 fans in the enclosure and adjusts fan speeds as necessary, based on thermal and power measurements. The performance of each fan is monitored, and Onboard Administrator reports any failures or warnings to the system log and HP SIM (when SNMP is enabled). Thermal Subsystem information Item Thermal Subsystem Status Redundancy Ambient Temperature Fans Good Fans Wanted Fans Needed Indicates the overall status of the fan subsystem. Possible values are Unknown, OK, Degraded, or Critical Error. Indicates the redundancy status of the fans. Possible values are Redundant or Not Redundant The temperature of the IOX enclosure in degrees Celsius and Fahrenheit. The total number of fans functioning with OK status in the IOX enclosure. The minimum number of fans required for optimum cooling. The minimum number of fans required to ensure adequate cooling. IOX Thermal Subsystem screen 181

182 Fan information Item Fan Status Fan Speed The bay in the enclosure of the corresponding fan. The overall status of the fan. Possible values are Unknown, OK, Degraded, Failed, and Absent. Fan speed as a percentage of maximum RPM. When a fan module fails, the remaining fans automatically compensate by adjusting fan speeds. To update information on this page, click the Refresh button. 182 HP Superdome 2 IOX enclosures

183 9 Port mapping Device bay port mapping for compute enclosures BL920s Gen8 or Gen9 Server Blade HP Superdome 2 Server Blade Device bay port mapping for compute enclosures 183

184 In this diagram, N equals the number of the blade in the enclosure and the port number for the switch. For example, if a blade is inserted into slot 1, it is considered device 1. Because full-height server blades take up the space of two half-height server blades, the enclosure is limited to a maximum of eight full-height server blades. Port mapping from these full-height server blades can initially appear to be different from the half-height server blades, but they use similar conventions. Just as in a half-height server blade, if a blade is inserted into slot 1, it is considered device 1, but it has a second set of ports that also map to switches 1 and 2. With the full-height server blade, an N/N+8 scheme is used on the switches. Therefore, server blade 1 maps to ports 1 and 9 on both switches, as N=1. For a server blade inserted into slot 2, the 4 ports used on switches 1 and 2 are 2 and 10, as N=2. Device bay port mapping tabular view for compute enclosures If a device is not present, the check box is disabled and the port cannot be viewed. The server blades are mapped to the interconnect bays in the following manner: BL920s server blade Server blade port FlexLOM 1 port 1 FlexLOM 1 port 2 FlexLOM 2 port 1 FlexLOM 2 port 2 Mezzanine 1 port 1 Mezzanine 1 port 2 Mezzanine 1 port 3 Mezzanine 1 port 4 Mezzanine 2 port 1 Mezzanine 2 port 2 Mezzanine 2 port 3 Mezzanine 2 port 4 Mezzanine 3 port 1 Mezzanine 3 port 2 Mezzanine 3 port 3 Mezzanine 3 port 4 Compute enclosure interconnect bay HP Superdome 2 server blade Embedded NICs 1 and 3 (ENET:1 and ENET:3) map to interconnect bay 1. Embedded NICs 2 and 4 (ENET:2 and ENET:4) map to interconnect bay Port mapping

185 10 Using the Command Line Interface Command line overview The Onboard Administrator CLI is available from the Onboard Administrator serial port, management port, or service port and provides access to all Onboard Administrator commands and information. The CLI user must provide a valid user name/password to log into Onboard Administrator. The CLI is available for both local user accounts and LDAP users. Two-Factor Authentication is not available for the CLI. Access to the Onboard Administrator CLI from either the Onboard Administrator Ethernet management port or service port requires that Telnet or Secure Shell protocols are enabled on the Onboard Administrator. The Onboard Administrator serial port must be used for Onboard Administrator lost password recovery. The Onboard Administrator serial port speed is fixed at 9600, N, 8, 1. For more information about the CLI, see the HP Integrity Superdome X and Superdome 2 Onboard Administrator Command Line Interface User Guide. Setting up Onboard Administrator using the CLI 1. Connect to the Onboard Administrator CLI using the serial port, management port, or service port. See Connecting to the OA with a local PC (page 227) for information about connecting a PC to the OA serial or service ports. 2. Log into the Onboard Administrator with the Administrator user account and the OA dogtag password. 3. Set Onboard Administrator name by running the SET OA NAME 1 <name> command. 4. If a redundant Onboard Administrator is present, run the SET OA NAME 2 <name> command. 5. Configure Onboard Administrator IP address: a. Select either the OA1/OA2 IP address or Enclosure IP address. b. Configure OA1 IP address as static or DHCP. Example for static, run the SET IPCONFIG STATIC 1 <ipaddress> <netmask> command. 6. If a redundant Onboard Administrator is present, run the SET IPCONFIG STATIC 2 <ip address> <netmask> command. 7. Set Onboard Administrator gateway by running the SET OA GATEWAY 1 <ip address> command. 8. If a redundant Onboard Administrator is present, run the SET OA GATEWAY 2 <ip address> command. 9. Set the ilo IP address by running the SET EBIPA BLADE <ip address> <netmask> command. Allocate each IP address (up to 32) consecutive static IP addresses. 10. If a gateway exists on the management network, set the ilo gateway to the IP address, run the SET EBIPA BLADE GATEWAY <ip address> command. 11. Start EBIPA for ilo by running the ENABLE EBIPA BLADE command. 12. Complete the remainder of the settings as required. For information on the enclosure defaults for each setting, see the HP Integrity Superdome X and Superdome 2 Onboard Administrator Command Line Interface User Guide. Configuring server blade ilo IP addresses Each server blade ilo factory default configuration enables DHCP network settings. To use the server blade with a DHCP network, connect the Onboard Administrator management port to a Command line overview 185

186 network with a DHCP server and Onboard Administrator and all ilo management processors and supporting interconnect modules get IP addresses from the DHCP server. To configure each server blade for static IP addresses, use Onboard Administrator to setup an IP address for each ilo using EBIPA. This enables ilo to be addressed using TCP/IP so that the network settings can be reconfigured. Configuring each server blade with an IP address using EBIPA provides a fixed network configuration including IP address, netmask and gateway that is based on the enclosure bay where the server is installed. The new ilo gets the IP address for that bay without additional configuration needed. Using the service port connection The Onboard Administrator service port is the enclosure link-up connector which also has a laptop icon next to the up arrow. This port is a 100BaseT Ethernet jack and may be directly connected to a laptop or PC RJ45 Ethernet connector using a standard CAT5 patch cable as the wiring on the link-up connector is crossed over to enable direct connect to a PC 100BaseT connector. The Service Port provides direct connection to any of the active Onboard Administrator modules in the complex or just the active Onboard Administrator module in a single enclosure if there are no other enclosures in the complex. The network connection is private to the enclosures and cannot be used to access any device outside the internal enclosure management network. Use the connection to directly access the active Onboard Administrator at the active service IP address, located on the enclosure Insight Display, Enclosure Info screen. See Connecting a PC to the OA service port (page 227) for information about connecting a local PC to the OA service port for accessing the OA CLI. 186 Using the Command Line Interface

187 11 Using configuration scripts Configuration scripts Use configuration scripts to maintain settings and configuration information, particularly when setting up multiple enclosures and Onboard Administrator modules. This eliminates the need to manually configure each enclosure, saving time and effort in the process. Configuration scripts can be created and used with Onboard Administrator in the browser, or through the CLI, executing them in the same manner as a shell script is executed in Linux or UNIX. NOTE: Configuration scripts cannot be used to store partition information. Current configuration To download a current configuration for the enclosure: 1. Click the Click here link. The configuration opens in a new browser window. 2. To save the configuration, as a text file, select either of the following options: If you use Microsoft Internet Explorer 7 or later, select Save As. If you use Mozilla Firefox 3.6 or later, select Save Page As. You can also select a local file or a web address for the configuration script: Local file: You can browse for the configuration file or enter the path of the configuration file into the textbox. The maximum number of characters in the file path cannot exceed 256. After entering the configuration file path, click the Upload button. URL: If the configuration file is located on a web server, enter an path to it. The maximum number of characters in the file path cannot exceed 256. Click the Apply button after entering the web address. Configuration scripts 187

188 For security reasons, the retrieved current configuration does not contain any user passwords. You can manually edit the script to add the user passwords after the user name on the ADD USER lines. Also, the retrieved current configuration does not contain any of the LCD settings (Lock Buttons, Enable PIN Protection, and PIN Code). These settings cannot be added from the configuration script. Current enclosure inventory To download a script of the current enclosure inventory, click the Click here link, and then the current enclosure inventory opens in a new browser window. To save the inventory as a text file, select either of the following options: If you are using Microsoft Internet Explorer 7 or later, select Save As. If you are using Mozilla Firefox 3.6 or later, select Save Page As. The downloaded text file provides the same information as a CLI SHOW ALL command. The text file also displays the current configuration for the enclosure. USB Support This box appears when a USB key is detected in the enclosure DVD module USB port and configuration files are present. To download a configuration file, select a file from the menu, and then click the Apply button. To save the current Onboard Administrator configuration file to the USB key, enter a simple file path, either a relative path in the format path/file or with a leading dot (.), such as./path/ file, or an absolute path beginning with a slash (/), in the format /path/file. Do not enter a URL. Do not include spaces within the file name. Click Apply. Reset Factory Defaults When you reset the enclosure to the factory defaults, all enclosure settings are reset except the built-in Administrator password. All AlertMail, Network and Network Protocol, SNMP, and Power Management settings are reset. To reset the enclosure click the Reset Factory Defaults button. A confirmation screen appears, asking if you are sure that you want to perform the action. To confirm resetting the enclosure, click OK, or to exit without resetting the enclosure to factory defaults, click Cancel. To download a current configuration for the enclosure: 1. Click the Click here link. The configuration opens in a new browser window. 2. To save the configuration, as a text file, select either of the following options: If you use Microsoft Internet Explorer 7 or later, select Save As. If you use Mozilla Firefox 3.6 or later, select Save Page As. For security, the retrieved current configuration does not contain any user passwords. You can manually edit the script to add the user passwords after the user name on the ADD USER lines. The enclosure Administrator account password cannot be added from the configuration script. Also, the retrieved current configuration does not contain any of the LCD settings (Lock Buttons, Enable PIN Protection, and PIN Code). These settings cannot be added from the configuration script. 188 Using configuration scripts

189 12 Troubleshooting Onboard Administrator error messages Descriptive error messages can help identify hundreds of possible problems related to set up, privileges, user requests, OA failures, file uploads, incompatibilities, Insight Display, and more. Onboard Administrator factory default settings When resetting the Onboard Administrator to factory defaults, the administrator password is not reset to factory default. It remains set to the password last specified. In the event that the administrator password must be reset to factory defaults (as included on the tag that shipped with the Onboard Administrator), see Recovering the administrator password (page 18). Resetting the Onboard Administrator to factory defaults also resets any certificates on the Onboard Administrator. Onboard Administrator SNMP traps The Onboard Administrator supports the following SNMP traps. Trap ID Trap name cpqracknamechanged cpqrackenclosurenamechanged cpqrackenclosureremoved cpqrackenclosureinserted cpqrackenclosuretempfailed cpqrackenclosuretempdegraded cpqrackenclosuretempok cpqrackenclosurefanfailed cpqrackenclosurefandegraded cpqrackenclosurefanok cpqrackenclosurefanremoved cpqrackenclosurefaninserted cpqrackpowersupplyfailed cpqrackpowersupplydegraded cpqrackpowersupplyok cpqrackpowersupplyremoved cpqrackpowersupplyinserted cpqrackpowersubsystemnotredundant cpqrackpowersubsystemlinevoltageproblem cpqrackpowersubsystemoverloadcondition cpqrackenclosuremanagerdegraded cpqrackenclosuremanagerok cpqrackenclosuremanagerremoved Rack Name has changed Enclosure Name has changed Rack enclosure has been removed Linked Enclosure insertion detected Enclosure temperature above critical Enclosure temperature above warning Enclosure temperature is OK Enclosure fan has failed Enclosure fan is degraded Enclosure fan is OK Enclosure fan is removed Enclosure fan is inserted Enclosure power supply has failed Enclosure power supply is degraded Enclosure power supply is OK Enclosure power supply is removed Enclosure power supply is inserted Enclosure power subsystem is not redundant Enclosure power subsystem line voltage problem Enclosure power subsystem overload condition Onboard Administrator degraded Onboard Administrator OK Onboard Administrator removed Onboard Administrator error messages 189

190 Trap ID Trap name cpqrackenclosuremanagerinserted cpqrackmanagerprimaryrole cpqrackserverbladeekeyingfailed cpqracknetconnectorremoved cpqracknetconnectorinserted cpqracknetconnectorfailed cpqracknetconnectordegraded cpqracknetconnectorok cpqrackserverbladetolowpower cpqrackserverbladeremoved2 cpqrackserverbladeinserted2 cpqrackinformationaleaetrap cpqrackminoreaetrap cpqrackmajoreaetrap cpqrackcriticaleaetrap cpqrackinformationaleaetrap cpqrackminoreaetrap cpqrackmajoreaetrap cpqrackcriticaleaetrap Onboard Administrator inserted Onboard Administrator is Active Blade ekeying config failed Interconnect removed Interconnect inserted Interconnect failed Interconnect degraded Interconnect OK Blade requested too low power Blade removed Blade inserted Error Analysis Engine Informational event (HP Superdome 2 only) Error Analysis Engine Degraded/Warning or Minor event (HP Superdome 2 only) Error Analysis Engine Major event (HP Superdome 2 only) Error Analysis Engine Critical or Fatal event (HP Superdome 2 only) Error Analysis Engine Informational event (HP Integrity Superdome X only) Error Analysis Engine Degraded/Warning or Minor event (HP Integrity Superdome X only) Error Analysis Engine Major event (HP Integrity Superdome X only) Error Analysis Engine Critical or Fatal event (HP Integrity Superdome X only) 190 Troubleshooting

191 13 Enabling LDAP Directory Services Authentication to Microsoft Active Directory Certificate Services The Microsoft implementation of LDAP over SSL requires that the Domain Controllers install DC certificates from the CA of the organization. This process occurs when the Enterprise Root CA service is added to a server in Active Directory. HP strongly recommends using an Enterprise Root CA to minimize the complexities of requesting and accepting DC certificates from a standalone CA. Preparing the directory For a normal production environment, similar groups already exist in some form, but the following group names can be used as-is if desired. To prepare the directory: 1. Create an Active Directory group named OA Admins, and then add a user named TestAdmin to this group. 2. Create a group called OA Operators, and then add a user named TestOperator to this group. User permissions are irrelevant. Preparing the Onboard Administrator To prepare the Onboard Administrator: Certificate Services 191

192 1. Navigate to the Directory Settings screen for the enclosure located under Users/Authentications. 2. Click Enable LDAP and then enter the IP address or the name of one of your DCs. See Troubleshooting LDAP on Onboard Administrator (page 197) for more information on verifying that the DC is listening on port 636. Alternatively, to force the DNS servers defined for the domain to offer DCs, enter the domain name of your AD domain (DOMAIN.COM) instead of a server name. For simplicity during initial setup, HP recommends using a single IP address. The Search Context is standard LDAP format. For example, if the user accounts are in the Users OU in a domain named BLADEDEMO.HP.COM, the Search Context must be: CN=Users,DC=bladedemo,DC=hp,DC=com Uploading the DC certificate (optional) You can upload multiple DC certificates. Upload a certificate that permits LDAP over SSL. 1. Click the Certificate Upload tab. 2. Get the certificate from the DC by opening a new web browser window to (where <domain_controller> is your DC). NOTE: This is a secure HTTPS web address, so you are prompted to accept a certificate. 3. Click the View Certificate button. 192 Enabling LDAP Directory Services Authentication to Microsoft Active Directory

193 4. Click the Details tab, and then click the Copy to File... button. 5. IMPORTANT: Select Base-64 encoded x.509 (.CER) from the list of export options. Click the Next button. Uploading the DC certificate (optional) 193

194 6. Provide a name and location for the file (c:\dccert.cer) and click the Finish button to complete the wizard. 7. Locate the exported certificate file in Internet Explorer and rename it with a.txt extension (dccert.txt). Open the file in Notepad and copy the entire contents to the clipboard. The following is an example of the certificate file contents: -----BEGIN CERTIFICATE----- MIIFxDCCBKygAwIBAgIKJWUSwAAAAAAAAjANBgkqhkiG9w0BAQUFADBVMRMwEQYK CZImiZPyLGQBGRYDY29tMRIwEAYKCZImiZPyLGQBGRYCaHAxFzAVBgoJkiaJk/Is ZAEZFgdhdGxkZW1vMREwDwYDVQQDEwh3aW5kb3pDQTAeFw0wNjA4MjIyMDIzMTFa Fw0wNzA4MjIyMDIzMTFaMCAxHjAcBgNVBAMTFXdpbmRvei5hdGxkZW1vLmhwLmNv btcbnzanbgkqhkig9w0baqefaaobjqawgykcgyeay4zeh3ixyduawkvhidsxlj6b aruvt9zhkl5nqhiderjumsgc/jhserdmhuyoy/qbf7jmhj9lh9qqhug8qfeysc1y qtvgisrzehtvmrmecvsxzm27b4bj5xyn0vycrwqknh7x/tvhmwqgls7/yzyahnu1 lgb2ojocq5ejxx+ybx0caweaaaoca00wggnjmasga1uddwqeawifodbebgkqhkig 9w0BCQ8ENzA1MA4GCCqGSIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwBwYFKw4D output truncated -----END CERTIFICATE Return to the OA Upload Certificate screen, paste the certificate contents into the window, and then click the Upload button. Creating directory groups Onboard Administrator authenticates users and assigns privileges by first verifying that the user name and password provided to Onboard Administrator match the credentials in the Directory. When a match is verified, Onboard Administrator queries the Directory to discover the names of the Active Directory groups the user is a member of. Onboard Administrator then matches those group names against the Directory Group names that exist in Onboard Administrator. In the following example, Onboard Administrator Directory Groups are created. The group name is used 194 Enabling LDAP Directory Services Authentication to Microsoft Active Directory

195 to determine LDAP users group membership and must match one of the following properties of a directory group: Name Distinguished name Common name Display name SAM account name To create a directory group: 1. In Onboard Administrator, navigate to the User Authentication Directory Groups link. 2. Click the New button. 3. Create a group named OA Admins which is the same name as the one created in the Active Directory. 4. Assign this group full administrative privileges over all server bays and interconnect bays and then click the Add Group button. Creating directory groups 195

196 5. Create a Second Directory Group named OA Operators to match the operator group created in Active Directory. Assign the group Operator privilege level instead of Administrator, and do not allow the group access to Server Bays, but do allow access to Interconnect bays, and then click the Add button. Testing the directory login solution 1. Log out of the current Onboard Administrator session, and then close all browser windows. 2. Browse to the Onboard Administrator, and then log in using one of the following options: TestAdmin TestAdmin@domain.com DOMAIN\TestAdmin 3. Enter the corresponding password used for the user account. If you cannot log in with full Administrative privileges, see Troubleshooting LDAP on Onboard Administrator (page 197). NOTE: You cannot login using your user name. For example, if your Account name is Jeff Allen and your account is jallen, you cannot login as jallen because this format is not now supported by LDAP. 4. Log off or sign out of Onboard Administrator, and then attempt to log in as Test Operator using one of the following options: TestOperator TestOperator@Domain.com DOMAIN\TestOperator 196 Enabling LDAP Directory Services Authentication to Microsoft Active Directory

197 5. Enter the password used for the account. If this process succeeds, then the account has no access to any server blades, but full access to interconnect bays. Troubleshooting LDAP on Onboard Administrator To be sure that SSL is working on the Domain Controllers in your domain, open a browser and then navigate to (substitute your Domain Controller for <domain_controller>). You can substitute <domain> in place of <domain controller>, which goes to DNS to verify which Domain Controller is now answering requests for the domain. Test multiple Domain Controllers to be sure that all of them have been issued a certificate. If SSL is operating properly on a Domain Controller (for example, a Certificate has been issued to it), you are prompted by the Security dialog whether you want to proceed with accessing the site or view the certificate. If you click Yes, nothing happens. The test is intended to make the Security Dialog prompt appear. A server not accepting connections on port 636 displays the page cannot be displayed message. If this test fails, it means that the Domain Controller is not accepting SSL connections, possibly because a certificate has not been issued. This process is automatic, but might require a reboot. To avoid a reboot, do the following: 1. On the Domain Controller, load the "Computer Account" MMC Snap-in, and then navigate to the Personal Certificates folder. 2. Right-click the folder, and then select Request New Certificate. The type default is already "Domain Controller". 3. Click Next, and then repeat until the Domain Controller issues the certificate. Another method for troubleshooting SSL is to go to the DC, and then run the following command: C:\netstat -an find /i "636" If the server is listening for requests on port 636, the following response appears: TCP : :0 LISTENING One of the problems can be that the domain controllers have not auto-enrolled. The DCs can take up to 8 hours to auto-enroll and get their certificates issued because MS uses GPO to make the DCs aware of the newly installed CA. You can force this by running DSSTORE -pulse from the DCs (the tool is located in the w2k reskit). It is triggered by winlogon. Therefore for auto-enrollment to function, you must log off and then log on again. The certificates appear automatically in the CAs Issued Certs list. Make sure the CA is not listing them in Pending Certs. If it is, change the CA to auto-issue certificates when a request comes in. If the auto-enrollment feature still does not function, request the certificate: 1. On the Domain Controller, open MMC, and then add Certificate Snap-in (Computer Account). 2. Navigate to Personal, and then right-click the folder. 3. Click Request New Cert, and then click Next. 4. Enter a name for the certificate. If an RPC error occurs, be sure that the CA is listed in DNS and that the CA is running. If the wizard does not start, force the server to see the CA and then enable the wizard to run. To speed up the GPO process and make the DCs acknowledge the CA, use one of the following commands: Windows 2003: Gpupdate /force Windows 2000: Secedit /refreshpolicy machine_policy /enforce Be sure that the Onboard Administrator has all the appropriate network settings unique to your network (such as DNS) and that the time and date are correct (certificates are date sensitive). Be sure that Onboard Administrator can reach the DNS server (by pinging it from the Onboard Administrator CLI). Troubleshooting LDAP on Onboard Administrator 197

198 If LDAP is enabled while booting into Lost Password mode, the local Administrator password is reset, LDAP is disabled, and local login is re-enabled. If the nested groups function is not displayed properly, verify the Domain Functional Level. Windows 2000 and Windows 2003 domain controllers, by default, are placed in function level 2000 mixed. When using this functional level, you cannot add or nest local groups. 198 Enabling LDAP Directory Services Authentication to Microsoft Active Directory

199 14 Creating CAs and configuring Two-Factor Authentication for local user and LDAP group accounts Introduction Two-Factor Authentication (also known as Two-Step Authentication) is an optional feature that provides enhanced security for the Onboard Administrator. To permit access to the Onboard Administrator, two-factor Authentication requires something that a user has (a certificate) and something that a user knows (a password or PIN). The certificate is stored directly in a browser or on the accessing device (as a smartcard, dongle, or TPM). You can use Two-Factor Authentication with either local user accounts or directory (LDAP) group accounts. For LDAP accounts, you can use the subject or subject alternate name to provide the LDAP login name. In all cases, the user certificate must be validated against a Certificate authority (CA). Two-Factor Authentication public key infrastructure map CAs are based on a tree structure. Root certificates are self signed. All other certificates can be traced back to the root by following the certificate issuer field. User certificates may be issued by any of the CAs in the tree. The Onboard Administrator has limited storage space and therefore supports storing a maximum of 12 CA certificates. The following diagram shows a tree structure similar to that used in the examples to follow. Steps for creating CAs and configuring Two-Factor Authentication with local user and LDAP group accounts The following sections provide instructions and examples for creating CAs and configuring Two-Factor Authentication with local user and LDAP group accounts. For simplicity, the CA certificates in the provided examples are created on a single system instead of multiple systems. A real CA implementation would use multiple systems. Introduction 199

200 The following table lists the steps for setting up Two-Factor Authentication with local user and LDAP group accounts, and indicates the section documenting each step plus any subordinate steps. Step Section Configuring the directories (page 200) Create the initial directories for the root CA Modify and store an OpenSSL configuration file in each CA Modify the default directories to suit your structure Creating a root CA (page 201) Copy the OpenSSL configuration file to the root CA Create the root CA certificate and private key Create a combined root CA private key and certificate PEM file Creating subordinate CAs: Creating subordinate CAs (page 202) Create the directories for the subordinate CAs Provide x509 certificate information Generate a CSR and server key for each subordinate CA Have the root CA sign the CSR Creating user keys and CSRs (page 204) Create the directories for the user keys and CSRs Provide x509 certificate information Generate a CSR and server key for each user Have the appropriate subordinate CA sign the CSR Verifying certificates (page 206) Storing a user certificate on a smart card or browser (page 207)r Configuring the Onboard Administrator for Two-Factor Authentication with local accounts (page 209) Establish an Onboard Administrator recovery plan Configure the Onboard Administrator session timeout Install the CA chain Install user certificates on the local Administrator account Enable Two-Factor Authentication Log in to the Onboard Administrator using Two-Factor Authentication Enabling TFA+LDAP authentication (page 215) The following sections also include: Methods for specifying the subject field on a CSR (page 216) Troubleshooting TFA+LDAP authentication problems (page 216) CLI examples configuring a user account and certificates (page 217) Information about CAs and certificates available from the web (page 218) Configuring the directories This section describes the setup steps required prior to creating the root CA. 200 Creating CAs and configuring Two-Factor Authentication for local user and LDAP group accounts

201 Creating a directory to represent each CA and user The commands in the following example set up the initial directories for the root CA. A description of each directory follows. In this and subsequent examples, user input to prompts is indicated by boldface type. NOTE: This is a tutorial for creating CAs in a simple test environment. In an actual production environment, the CA servers would be on separate servers. In this tutorial example, the CA servers are represented by separate directories on a single server. [~/]$ mkdir m 0755 ~/examples [~/]$ mkdir -m 0755 \ ~/examples/rootca \ ~/examples/rootca/private \ ~/examples/rootca/certs \ ~/examples/rootca/newcerts \ ~/examples/rootca/crl [~/]$ mkdir -m 0755 \ ~/examples/level1ca \ ~/examples/level1ca/private \ ~/examples/level1ca/certs \ ~/examples/level1ca/newcerts \ ~/examples/level1ca/crl [~/]$ mkdir -m 0755 \ ~/examples/testuser \ ~/examples/testuser/private \ ~/examples/testuser/certs Directory descriptions./private The location for private keys. Normally, permissions on this directory should be set to restrict read access to root (0200) or to the user account for the web server. This example starts with full read/write access for everyone (0755)../certs The location for the CA certificates../newcerts The location for new signed certificates. They are stored in unencrypted PEM format with a file name format <cert_serial_number>.pem (such as 03.pem)../crl The location for the certificate revocation list. Modifying and storing an OpenSSL configuration file in each CA directory The OpenSSL configuration file (openssl.cnf) contains the default directory structure, names, and options. On most Linux distributions, a default openssl.cnf file is located in /etc/pki/ tls. [~/examples]$ cp -v /etc/pki/tls/openssl.cnf. `/etc/pki/tls/openssl.cnf' -> `./openssl.cnf' Changing the default directories In this example, a change is made for all CAs and users. You can use this file as a template for other directories. ########################################################################## [ CA_default ] dir =. # CHANGE from../../ca # Everything is stored here certs = $dir/certs # Issued certs are stored here Creating a root CA This section describes the steps for creating a root CA. Creating a root CA 201

202 Copying the OpenSSL configuration file to the rootca directory Copy the openssl.cnf file to the root CA directory (rootca in this example): [~/examples]$ cp ~/examples/openssl.cnf ~/examples/rootca/openssl-rootca.cnf [~/examples]$ cd ~/examples/rootca Creating the certificate and private key Create the root CA key and certificate (rootca-private.key and rootca.crt). In the following example, the key length is set to 2048 and the hash signature algorithm to SHA256. When prompted, enter a secure passphrase. When using the -nodes option, you may omit the passphrase. When prompted for input such as the country, state, city, you may specify an empty field by entering a dot ("."), as shown. [~/examples/ rootca]$ openssl req -config./openssl-rootca.cnf -newkeyrsa:2048 -x509 -extensions v3_ca -keyout private/rootca-private.key -outcerts/rootca.crt -days sha256 -nodes Generating a 2048 bit RSA private key writing new private key to 'private/rootca-private.key' You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value, If you enter '.', the field will be left blank Country Name (2 letter code) [GB]:. State or Province Name (full name) [Berkshire]:. Locality Name (eg, city) [Newbury]:. Organization Name (eg, company) [My Company Ltd]:. Organizational Unit Name (eg, section) []:. Common Name (eg, your name or your server's hostname) []: My Root CA Address []:. [~/examples/rootca]$ ]$ ls -l private/ certs/ certs/: total 4 -rw-rw-r-- 1 xxx 1314 Nov 10 08:11 rootca.crt private/: total 4 -rw-rw-r-- 1 xxx 1675 Nov 10 08:11 rootca-private.key To verify that the newly created certificate is correct, view the certificate by entering the command shown in the following example: [~/examples/rootca]$ openssl x509 -in certs/rootca.crt -text For a root self-signed certificate, the -issuer and -subject fields should match. To verify that they match, use the following command to display jus the -issuer and -subject fields: [~/examples/rootca]$ openssl x509 -in certs/rootca.crt \ noout issuer subject Creating a combined private key and certificate PEM file A combined private key and certificate PEM file is needed when your CA cross-signs other certificates. The file is referenced by the OpenSSL configuration file. The following commands change the default directory and create the combined private key and certificate PEM file cakey.pem: [ ]$ cd ~/examples/rootca [ rootca]$ cat private/rootca-private.key certs/rootca.crt > private/cakey.pem Creating subordinate CAs This section describes the steps for creating server certificates that are issued (signed) by another CA. Creating the directories for the subordinate CA If not already present, create the directory structure to contain the subordinate CA database, as shown in the following example: 202 Creating CAs and configuring Two-Factor Authentication for local user and LDAP group accounts

203 [~/]$ mkdir -m 0755 \ ~/examples/level1ca \ ~/examples/level1ca/private \ ~/examples/level1ca/certs \ ~/examples/level1ca/newcerts \ ~/examples/level1ca/crl Copy the modified openssl.cnf file to the working directory, as shown: [~/examples]$ cp -v openssl.cnf level1ca/ `openssl.cnf' -> `level1ca/openssl.cnf' Providing x509 certificate information A certificate includes numerous data items that describe the certificate. You can enter the data manually when prompted or provide the data automatically via an OpenSSL configuration file. The following example shows a an example of how to create an OpenSSL configuration file via a script file. #!/bin/sh # cat << _end_marker_ > openssl-level1ca.cnf [ req ] distinguished_name=req_dn attributes=req_attr prompt=no [ req_dn ] CN=level1CA C=US ST=TX L=Houston O=Development subjectaltname=othername:gorilla OU=Jungle address=george@thejungle.com surname=. givenname=frederick initials=fgg # dnqualifier= name=george of the Jungle [ req_attr ] # challengepassword= # unstructuredname= _end_marker Generating a CSR and new server key This step generates a new key (-newkey) and generates a CSR that can be submitted to a CA. The new private key is stored in the keyout location. The CSR is dumped to the -out parameter. For simplicity, the -nodes option is used to eliminate the need for protection from a passphrase. [~/examples/level1ca]$ openssl req -config./openssl-level1ca.cnf -newkey rsa:2048 -sha256 -keyout./private/level1ca-private.key -nodes -out./temp-level1ca.csr Generating a CSR without generating a new key (Optional) You may choose to generate the CSR without generating a new private key, as shown in this example: [~/examples/level1-ca]$ openssl req -config./openssl-level-1-ca.cnf \ -new -key./level-1-ca-private.key -nodes -out./level-1-ca.csr Viewing the private key To view the private key, use the command shown in the following example: Creating subordinate CAs 203

204 [~/examples/level1ca]$ openssl rsa -in./private/level1ca-private.key -text Signing the level1ca CSR with the rootca key After a CSR is generated (in the preceding step), it must be signed by an established CA in the chain of trust. After the first signing request (when only the root CA exists), the CSR must be signed by the root CA. Subsequent CSRs may be signed by lower-level CAs, if they have permission to do so. In this example, the root CA signs the first-level CSR (level-1-ca.csr). 1. Go to the CA that is going to do the signing, then view the CSR and verify that you really want it signed: [ ]$ cd ~/examples/rootca/ [ rootca]$ openssl req -in../level1ca/temp-level1ca.csr -noout -text 2. Perform the following one-time setup step: [ rootca]$ echo '01' > serial [ rootca]$ touch index.txt 3. After verifying that you want to sign the CSR, have the CSR signed by issuing the following command: [~/examples/rootca]$ openssl ca \ -config openssl-rootca.cnf \ -extensions v3_ca -policy policy_anything \ -in../level1ca/temp-level1ca.csr \ -cert certs/rootca.crt \ -default_md sha256 \ -key private/rootca-private.key The signed certificate is written to./certs/{serialnumber}.pem. The files serial and index.txt have been updated. 4. Install the certificate onto the first-level CA server, specifying the appropriate serial number (in this example, the serial number is 01). [ ~]$ cp ~/examples/rootca/newcerts/01.pem ~/examples/level1ca/certs/level1ca.pem Creating user keys and CSRs The steps for creating a new user key and CSR are similar to those for creating a CSR for a CA except you specify a different type. Creating a directory for the user key and CSR database If not already present, create the directory structure to contain the user key and CSR database: [~/]$ mkdir -m 0755 \ ~/examples/testuser \ ~/examples/testuser/private \ ~/examples/testuser/certs Copy the modified openssl.cnf file to the working directory: [~/examples]$ cp -v ~/examples/openssl.cnf ~/examples/testuser/ `~/examples/openssl.cnf' -> `~/examples/testuser/openssl.cnf' Providing x509 user certificate information You can enter the data manually when prompted or provide the data automatically via an OpenSSL configuration file. The default configuration file is sufficient. 204 Creating CAs and configuring Two-Factor Authentication for local user and LDAP group accounts

205 Generating a user CSR and new server key This step generates a new key (-newkey) and generates a certificate request for a user. The resulting certificate will include the subject field (-subj). You can specify the subject field on the OpenSSL command line as a single parameter or populate the subject field from various fields in the openssl.cnf file. For more information, see Methods for specifying the subject field on a CSR (page 216). The CSR is written to the file specified by the -out parameter. In the following command example, the subject field is specified as a single parameter, and the CSR is written to./temp-test-user.csr. [~/examples/testuser]$ openssl req \ -subj "/O=Hewlett-Packard Company/OU=Employment Status - Employees/OU=VPN-WEB-H/CN=Jonathan Smith/ Address=jonathan.smith@hp.com" \ -config./openssl.cnf \ -newkey rsa:2048 sha256 \ -keyout./private/test-user-private.key \ -nodes \ -out./temp-test-user.csr View the CSR and verify that it is what you want signed. The following command displays the CSR: [ ]$ openssl req -in./temp-test-user.csr -text Signing the user CSR with the level1ca key To sign and configure a user certificate: 1. Sign the user CSR with the level1ca key, as in the following example: [ ]$ cd ~/examples/level1ca/ 2. View the CSR and verify that it is what you want to sign. The following command displays the CSR: [ level1ca]$ openssl req -in../testuser/temp-test-user.csr -text 3. It is important to specify how the user certificate may be used. Do this using x509 extensions. For more information about x509 extensions, see the OpenSSL website ( The difference between a server certificate and a user certificate is the permissions that the CA assigns to the certificate. For example, a CA certificate is typically used as an SSL server, while a user certificate needs to be used as an SSL client and smart card login. To specify the extensions, modify the openssl.cnf file [ user_cert ] section, as shown in the following example. Uncomment the nscerttype and keyusage lines as shown. The modified lines are shown in boldface type. [ usr_cert ] # These extensions are added when 'ca' signs a request. # This goes against PKIX guidelines but some CAs do it and some software # requires this to avoid interpreting an end user certificate as a CA. basicconstraints=critical, CA:FALSE # Here are some examples of the usage of nscerttype. If it is omitted # the certificate can be used for anything *except* object signing. # This is OK for an SSL server. # nscerttype = server # For an object signing certificate this would be used. # nscerttype = objsign # For normal client use this is typical nscerttype = client, # Uncomment this line # and for everything including object signing: # nscerttype = client, , objsign # This is typical in keyusage for a client certificate. # Uncomment this line: keyusage = critical, nonrepudiation, digitalsignature, keyencipherment # If extendedkeyusage is specified, it MUST include all three items # to be used for Two-Factor authentication. Creating user keys and CSRs 205

206 # Client Authentication ( ) # Code Signing ( ) # Smart Card Login ( ) # extendedkeyusage=clientauth,codesigning, # This will be displayed in Netscape's comment listbox. nscomment = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectkeyidentifier=hash authoritykeyidentifier=keyid,issuer # This stuff is for subjectaltname and issueraltname. # Import the address. # subjectaltname= copy # An alternative to produce certificates that aren't # deprecated according to PKIX. # subjectaltname= move # Copy subject details # issueraltname=issuer:copy # For testing purposes we will just use some well known CR nscarevocationurl = #nsbaseurl #nsrevocationurl #nsrenewalurl #nscapolicyurl #nssslservername 4. Sign the certificate request, as in the following example: [level1ca]$ openssl ca -config./openssl.cnf -extensions usr_cert -policy policy_anything -in../testuser/temp-test-user.csr -cert certs/level1ca.pem -md sha256 -keyfile private/level1ca-private.key 5. To view the results, issue the following command: [ level1ca]$ openssl x509 -in newcerts/07.pem -noout text 6. To enable certificate usage in smart cards, the keyusage field must include sslauth and, if present, the extendedkeyusage field must specify client authentication, code signing, and smart card login. For more information, see Troubleshooting TFA+LDAP authentication problems (page 216). 7. Give the public certificate to the user, using the following command: [ TestUser]$ cp -v ~/examples/level1ca/newcerts/07.pem ~/examples/test/user/certs/test-user.pem `../level1ca/newcerts/06.pem' -> `certs/test-user.pem' 8. Combine the public certificate and private key into a PKCS #12.pem file by creating a PKCS #12 certificate and providing a password (PIN) for the certificate. The user is prompted for the password (PIN). This password protects the private key contained in the PKCS #12 certificate. [ ]$ cd ~/examples/testuser [ TestUser]$ openssl pkcs12 -export -in certs/test-user.pem -inkey private/test-user-private.key -out private/test-user-private.p12 Verifying certificates To verify the certificates, follow these steps. 206 Creating CAs and configuring Two-Factor Authentication for local user and LDAP group accounts

207 1. To verify the certificates, use the commands shown in the following example: [ examples]$ mkdir CA [ examples]$ cp -v rootca/certs/rootca.crt CA/CA.pem `rootca/certs/rootca.crt' -> `CA/CA.pem' [ examples]$ cat level1ca/certs/level1ca.pem >> CA/CA.pem [ examples]$ openssl verify -CAfile CA/CA.pem -verbose -purpose sslserver./level1ca/certs/level1ca.pem./level1ca/certs/level1ca.pem: OK 2. Verify that the user certificate is not an SSL server by using the following command: [examples]$ openssl verify -CAfile CA/CA.pem -verbose -purpose sslserver./testuser/certs/test-user.pem./testuser/certs/test-user.pem: /O=Hewlett-Packard Company/OU=Employment Status - Employees/OU=VPN-WEB-H/CN=Jonathan Smith/ Address=jonathan.smith@hp.com error 26 at 0 depth lookup:unsupported certificate purpose OK 3. Verify that the user certificate can be used for an SSL client by using the following command: [user1@user1-station examples]$ openssl verify -CAfile CA/CA.pem -verbose -purpose sslclient./testuser/certs/test-user.pem./testuser/certs/test-user.pem: OK Storing a user certificate on a smart card or browser This section explains how to store a user certificate on a smart card or browser. The browser information in this section is based on Microsoft Internet Explorer. The Microsoft Internet Explorer does not support PEM formatted files. Create a.p12 certificate that contains both the private and public keys, using a command such as the following: [ TestUser]$ openssl pkcs12 -export -in certs/test-user.pem -inkey private/test-user-private.key -out private/test-user-private.p12 To install the.p12 certificate using Internet Explorer 8, follow these steps: 1. Access the Internet Explorer Internet Certificate Wizard by clicking Tools Internet Options Content Certificates: 2. Click Next. Storing a user certificate on a smart card or browser 207

208 3. Click Browse... a. Locate the directory that contains the.p12 certificate file. b. Change the file type to Personal Information Exchange (.p12). c. Select the appropriate.p12 certificate file. 4. Select the.p12 file and click Next. 5. Enter the password specified when the PKCS#12 file was created. See Signing the user CSR with the level1ca key (page 205). Click Next. Accept the default check box values. 208 Creating CAs and configuring Two-Factor Authentication for local user and LDAP group accounts

209 6. The Certificate Store window appears. Click Next. 7. To complete the Wizard installation import process, click Finish. 8. The next window informs you that an application is creating a protected item and indicates the security level set for that item. Click OK. 9. The wizard informs you that the import was successful. Click OK. Configuring the Onboard Administrator for Two-Factor Authentication with local accounts This section provides an example showing how to configure the Onboard Administrator to enforce Two-Factor Authentication. Establishing an Onboard Administrator recovery plan HP recommends establishing a recovery plan prior to configuring the Onboard Administrator for two-factor certificate authentication. If something goes wrong with the configuration, the Onboard Administrator configuration may be recovered accessing the USB key drive either through the serial port or the Insight Display panel. Both methods require physical access to the Onboard Administrator. IMPORTANT: If an LCD PIN has been configured (and forgotten), and local accounts have been disabled or TFA has been incorrectly configured, then the only way to recover is through a serial port. See Connecting a PC to the OA serial port (page 228). The two most common situations where Onboard Administrator recovery is needed are when LDAP has been configured with local accounts disabled or when Two-Factor Authentication has been configured without certificate access (keyusage). Recovering via Insight Display and USB key To recover the Onboard Administrator via USB key, create a configuration file on the USB key to restore the needed settings. You can either set up the file to reset only what is needed to regain access or to completely restore factory settings: GAIN_ACCESS.CFG (reset only what is needed to regain access): DISABLE TWOFACTOR DISABLE LDAP SET USER PASSWORD Administrator My.Password123 SET_FACTORY.CFG (reset to factory defaults): SET FACTORY To recover a configuration: 1. Insert the USB key that contains the configuration file into the USB port of the Onboard Administrator. 2. Using the Insight Display display, navigate to the main menu, select USB Key Menu and click OK. 3. Select Restore Configuration, then click OK. 4. Select the listed configuration file, then click OK. 5. The Confirm Operation screen appears. Click OK. Recovering via serial console To recover the Onboard Administrator via the serial port, follow these steps: Configuring the Onboard Administrator for Two-Factor Authentication with local accounts 209

210 1. Ensure that you have the appropriate cables and software to connect to the Onboard Administrator serial port. The default serial connection setting is 9600, 8, N,1. For more information about the serial port pinout signals, see Connecting a PC to the OA serial port (page 228). 2. Press and hold the Reset button for five seconds. 3. On the serial console, when you are prompted for Flash Recovery or Reset Password, press the L key (Lost Password). The console displays the built-in Administrator account password and local logins are enabled. Configuring the Onboard Administrator session timeout By default, if a user session is inactive for one day (1440 minutes), a timeout occurs. Reduce this setting to a value that is suitable for your security policy. For testing purposes, you can set the timeout value to a minimum of 10 minutes. To modify the timeout setting, use the Onboard Administrator GUI or a CLI command. Valid timeout values are 0 (which disables the timeout), or an integer ranging from 10 to Using the GUI 1. Navigate to the Signed in Users screen (Enclosure Information Users/Authentication Signed in Users) and select the Session Options tab. 2. Modify the Session Timeout field. 3. Click Apply. Using the CLI Use the following command, where <timeout-value> is the number of minutes: SET SESSION TIMEOUT <timeout-value> Installing the CA chain for TFA A certificate chain consists of all the certificates needed to certify the subject identified by the end certificate. In practice, this includes the end certificate, the certificates of intermediate CAs, and the certificate of the root CA trusted by all parties in the chain. Every intermediate CA in the chain holds a certificate issued by the CA that is one level above it in the trust hierarchy. The root CA issues a certificate for itself. This section describes how to install CAs for Two-Factor Authentication. 210 Creating CAs and configuring Two-Factor Authentication for local user and LDAP group accounts

211 IMPORTANT: Two-Factor Authentication and LDAP have separate repositories for CAs. Do not confuse them with one another. To install CA certificates for Two-Factor Authentication, you can use the Onboard Administrator GUI as follows: 1. Navigate to the Two-Factor Authentication screen: Enclosure Information Users/Authentication Two-Factor Authentication. 2. Click the Certificate Upload tab. The Certificate Upload screen appears. 3. Copy and paste the root CA certificate into the text box provided by the Certificate Upload screen. The certificate includes beginning and ending delimiters, as shown: -----BEGIN CERTIFICATE----- MIIDkTCCAnmgAwIBAgIJALg8cO2Ikvr8MA0GCSqGSIb3DQEBBQUAMDkxDDAKBgNV BAMTA2NhMDEUMBIGCgmSJomT8ixkARkWBHRlc3QxEzARBgoJkiaJk/IsZAEZFgNj... Ob6IFCSUTKbCVT95cYTRHiSbgBYaqDXBJk3Lyjvtb7ZovmMT5dnU/w061wV5MEce RZfXH3U= -----END CERTIFICATE Click Upload. After the certificate is uploaded successfully, the Certificate Information tab displays. Configuring the Onboard Administrator for Two-Factor Authentication with local accounts 211

212 5. Add an intermediate or end CA in the chain: a. Return to the Certificate Upload tab. b. Copy and paste the next CA certificate into the text box provided. c. Click Upload. After the certificate is successfully uploaded, the Certificate Information tab appears. In this example, the CA1 certificate was issued by the root CA CA0. d. To install additional CAs, repeat steps a through c for each CA. 212 Creating CAs and configuring Two-Factor Authentication for local user and LDAP group accounts

213 CLI commands for administrating certificates You can use the following CLI commands to add, download, display, and remove certificates. For more information, see the HP Superdome 2 and HP Integrity Superdome X Onboard Administrator Command Line Interface User Guide. ADD CA CERTIFICATE DOWNLOAD CA CERTIFICATE SHOW CA CERTIFICATE REMOVE CA CERTIFICATE Configuring the HTTP proxy The Onboard Administrator might require a proxy server to reach addresses such as those needed to verify a certificate or to obtain a CRL. A CRL is a database of certificates that have been revoked before they expired. For this purpose, you must configure the HTTP proxy server on the Onboard Administrator by using the following command: SET URB PROXY URL { <URL> } The specified URL can contain up to 128 characters. The Onboard Administrator GUI does not include the ability to set a proxy URL. Installing user certificates on the local Administrator account Install a user certificate on the Onboard Administrator administrator account, following these steps: 1. Navigate to the Local Users Administrator screen (Edit Local User): Enclosure Information Users/Authentication Local Users Administrator. 2. Click the Certificate Information tab. If an Administrator certificate has not yet been installed, the Certificate Information screen appears with an empty text box. Copy and paste the appropriate user certificate into the text box. Configuring the Onboard Administrator for Two-Factor Authentication with local accounts 213

214 3. Click Upload. After the certificate is uploaded successfully, the Certificate Information tab displays. Enabling Two-Factor Authentication After successfully uploading CA certificates for Two-Factor Authentication and uploading at least one Onboard Administrator administrator account, you may enable Two-Factor Authentication: 1. Navigate to the Two-Factor Authentication Settings tab (Enclosure Information Users/Authentication Local Users Two-Factor Authentication). 2. Select the Enable Two-Factor Authentication check box. If you are using Two-Factor Authentication in combination with LDAP, use the Certificate Owner field to specify whether to have the Onboard Administrator use the subject alternative name field (SAN) or the certificate subject field (Subject). For more information about using Two-Factor Authentication with LDAP, see TFA+LDAP Authentication (page 215). 3. Click Apply. 214 Creating CAs and configuring Two-Factor Authentication for local user and LDAP group accounts