HP OneView 1.20 User Guide

Transcription

1 HP OneView 1.20 User Guide Abstract This guide describes HP OneView features, interfaces, resource model design, and secure working environment. It describes up-front planning considerations and how to use the HP OneView appliance UI or EST APIs to configure, manage, monitor, and troubleshoot your data center infrastructure. It also includes information about the SCMB (State-Change Message Bus) and a step-by-step example that configures a sample data center from start to finish. It is intended for infrastructure administrators, network administrators, and server administrators that plan, configure, and manage data center hardware and software throughout its lifecycle, and for backup administrators and operations personnel that monitor and troubleshoot data center hardware and software. HP Part Number: Published: December 2014 Edition: 1

2 Copyright Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FA and , Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Acknowledgements Google is a registered trademark of Google Inc. Java is a trademark of Oracle or its affiliates. Microsoft, Windows, and Windows Server are trademarks of the Microsoft Group of companies. ed Hat is a registered trademark of ed Hat, Inc. in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States and other countries. VMware is a registered trademark of VMware Inc. Warranty HP will replace defective delivery media for a period of 90 days from the date of purchase.

3 Contents I Learning about HP OneView Learning about HP OneView HP OneView for converged infrastructure management HP OneView licensing Bringing hardware into HP OneView Provisioning features Server profiles Groups, templates, and sets Streamlined process for bringing hardware under management Operating system deployment Storage provisioning and management Firmware and configuration change management features Simplified firmware management Simplified configuration change management Monitoring the environment and response features Data center environmental management esource utilization monitoring Activity and health management Hardware and firmware inventory information Backup and restore features Security features Availability features Graphical and programmatic interfaces Integration with other management software Open integration Networking features Understanding the resource model esource model summary diagram Server profiles Connection templates Connections Server hardware types Server hardware Enclosure groups Enclosure types Enclosures Interconnect types Interconnects Logical interconnect groups Logical interconnects Uplink sets Networks Network sets Switches Storage Systems Storage Pools Volumes...48 Contents 3

4 2.21 Volume Templates SAN Managers Domains Appliance esources related to data center facilities Data centers acks Power delivery devices Unmanaged devices Understanding the security features of the appliance Securing the appliance Best practices for maintaining a secure appliance Creating a login session Authentication for appliance access Controlling access for authorized users Specifying user accounts and roles Protecting credentials Understanding the audit log Choosing a policy for the audit log Managing certificates from a browser Self-signed certificate Verifying a certificate Downloading and importing a self-signed certificate Using a certificate authority Browser best practices for a secure environment Nonbrowser clients Passwords SSL connection Ports required for HP OneView Controlling access to the appliance console Enabling or disabling authorized services access estricting console access Files you can download from the appliance Navigating the graphical user interface Browsers Supported browsers Commonly used browser features and settings Set the browser for US or metric units of measurement About the graphical user interface Activity sidebar About the Activity sidebar Activity sidebar details Expand or collapse the Activity sidebar Banner and main menu Button functions Filters sidebar Help sidebar Icon descriptions Status and severity icons User control icons Informational icons Contents

5 4.9 Labels screen details Map view screen details Notifications area Log out of the appliance Perform an action on multiple resources Search help topics About help system search results Search resources Clear the Smart Search box View resources according to their health status eset the health status view View resources by label Using the EST APIs and other programmatic interfaces esource operations eturn codes UI format esource model format Log in to the appliance using EST APIs EST API version and backward compatibility Asynchronous versus synchronous operations Task resource Error handling Concurrency control using etags Querying resources and pagination using common EST API parameters State-Change Message Bus Metric Streaming Message Bus Analysis and troubleshooting HP Operations Analytics integration with HP OneView Developer tools in a web browser PowerShell and Python code sample libraries Accessing documentation and help Online help conceptual and task information as you need it This user guide supplements the online help Where to find HP OneView documentation Enable off-appliance browsing of UI help and EST API help...90 II Planning tasks Planning your data center resources How many data centers? Security planning Preparing your data center network switches Planning for a dual-stack implementation Planning your resource names Planning the appliance configuration Appliance VM and host requirements Planning for high availability Separate networks for data and management Time clocks and NTP IP addresses...96 Contents 5

6 8 Planning for configuration changes Configuration changes that require or result in resource outages Configuration changes that might require changes to multiple resources Adding a network Adding an enclosure Planning for enclosure migration from VCM into HP OneView Understanding the migration process Blocking issues Warning issues III Configuration quick starts Quick Start: Initial Configuration Process overview First time setup: configuration tasks Initial configuration tasks to bring your environment under management Configure physical topology and power systems in your environment (optional) Quick Start: Adding a network to an existing appliance environment Process Quick Start: Adding an enclosure to manage and connecting its server blades to networks Checklist: connecting a server blade to a data center network Scenario 1: Adding an enclosure to manage to an existing enclosure group Scenario 2: Defining network connectivity before adding an enclosure to manage Scenario 3: Defining network connectivity as you add the enclosure to manage Quick Start: Configuring an enclosure and server blade for Direct attach to an HP 3PA Storage System Process Quick Start: Adding an HP ProLiant DL rack mount server to manage Process Quick Start: Adding an active/active network configuration Process Quick Start: Migrating from an active/standby to an active/active network configuration Process Quick Start: Configuring an HP 5900 for management by HP OneView IV Configuration and management Contents

7 18 Best practices Managing server hardware and server profiles Managing server hardware oles Tasks for server hardware Server hardware management features Server hardware monitoring features Prerequisites for bringing server hardware into appliance About server hardware How the appliance handles unsupported hardware About monitored server hardware About unsupported server hardware About unmanaged devices Tasks for server hardware types About server hardware types Effects of managing server hardware ilos Managing server profiles oles Tasks for server profiles About server profiles Capturing best-practice configurations About editing a server profile About moving a server profile About attaching SAN volumes to a server profile Working with server profiles to control remove-and-replace behavior About assigning a server profiles to an empty device bay Learning more Managing licenses UI screens and EST API resources oles Tasks for licenses About licensing License types Purchasing or obtaining licenses Licensing and utilization statistics Licensing scenarios HP OneView Advanced licensing for managing server hardware Server blade licensing at the enclosure level ack mount server licensing License delivery License reporting View license status HP OneView Standard licensing for monitoring server hardware Learning more Managing networks and network resources oles Tasks for networks Tasks for Fibre Channel networks Tasks for FCoE networks Contents 7

8 21.3 About network connectivity About network sets About Fibre Channel networks Fibre Channel network types Fabric-attach Fibre Channel networks Direct-attach Fibre Channel networks About Ethernet networks About tagged Ethernet networks About untagged Ethernet networks About tunnel Ethernet networks Managing Ethernet networks Data center switch port requirements Learning more Managing interconnects, logical interconnects, and logical interconnect groups Managing enclosure interconnect hardware oles Tasks for interconnects About interconnects Learning more Managing logical interconnects and logical interconnect groups oles Tasks for logical interconnects About logical interconnects Uplink Sets Stacking modes and stacking links Adding or deleting a logical interconnect About the HP Virtual Connect FlexFabric 20/40 F8 interconnect module About logical interconnect groups About active/active and active/standby configurations About active/standby configurations About active/active configurations About logical interconnect firmware About loop and pause flood protection About SNMP settings Update the logical interconnect configuration from the logical interconnect group Configure a port to monitor network traffic Learning more Managing enclosures and enclosure groups oles Tasks for enclosures About enclosures About managed enclosures Migrating enclosures managed by other management systems About migrating enclosures About monitored enclosures About unmanaged and unsupported enclosures Connectivity and synchronization with the appliance About enclosure groups Prerequisites for bringing an enclosure into HP OneView Add an enclosure to manage its contents Contents

9 23.7 Add an enclosure to monitor the hardware Migrate an enclosure currently managed by VCM Migrate a VCM enclosure using EST API esolve compatibility issues Configuring an enclosure with an OA configuration script About OA configuration scripts View or download OA command documentation Disallowed OA commands Effects of managing an enclosure Learning more Managing firmware for managed devices Tasks for firmware About firmware bundles About updating firmware About managing firmware manually About unsupported firmware Maintain availability during Virtual Connect interconnect firmware upgrades Best practices for managing firmware Update firmware on managed devices Learning more Managing power, temperature, and the data center Managing power oles Tasks for managing power About power delivery devices Managing your data center oles Tasks for data centers About data centers Managing racks oles Tasks for racks About racks Learning more Managing storage Storage systems oles Tasks About storage systems Storage pools oles Tasks About storage pools Volumes oles Tasks About volumes Volume templates oles Tasks Contents 9

10 About volume templates SAN Managers oles Tasks About SAN managers Learning more Managing switches oles Tasks for switches About switches Learning more Managing users and authentication oles Tasks for managing users and groups About user accounts About user roles Action privileges for user roles About authentication settings About directory service authentication Managing user passwords eset the administrator password Learning more Backing up an appliance oles About backing up the appliance Best practices for backing up an appliance Determining your backup policy Back up an appliance Using EST APIs to create and download an appliance backup file Creating a custom script to create and download an appliance backup file Learning more Managing the appliance Updating the appliance oles Tasks About appliance updates Learning more Managing appliance availability oles Tasks Best practices for managing a VM appliance Shut down the appliance estart the appliance How the appliance handles an unexpected shutdown Managing the appliance settings oles Tasks for appliance settings Enabling health monitoring for legacy servers Contents

11 Learning more Managing addresses and ID pools oles Tasks for addresses and identifiers Managing the security features of the appliance Enabling or disabling HP support access to the appliance oles Tasks Managing TLS certificates oles Tasks Learning more Managing the HP public key oles Tasks Downloading audit logs oles Tasks Learning more V Monitoring Monitoring data center status, health, and performance Daily monitoring Initial check: the Dashboard Activities Utilization graphs Monitor data center temperature Best practices for monitoring data centers Best practices for monitoring health with the appliance UI Best practices for monitoring health using EST APIs Managing activities About Activity Activity types: alerts and tasks About alerts About tasks Activity states Activity statuses Managing notifications About notification of alert messages Configure the appliance for notification of alerts Using the Dashboard screen About the Dashboard Learning about the Dashboard Dashboard screen details How to interpret the Dashboard charts Customizing the dashboard Monitoring power and temperature Monitoring power and temperature with the UI Monitoring data center temperature Manipulating the view of the data center visualization Monitoring power and temperature utilization Contents 11

12 About the Utilization panel About utilization graphs and meters EST API power and temperature monitoring Update enclosure power capacity settings Update server hardware power capacity settings Using a message bus to send data to subscribers About accessing HP OneView message buses Using the State-Change Message Bus (SCMB) Connect to the SCMB Set up a queue to connect to the HP OneView SCMB exchange JSON structure of message received from the SCMB Example to connect and subscribe to SCMB using.net C# Example to connect and subscribe to SCMB using Java Examples to connect and subscribe to SCMB using Python Installation Pika AMQP e-create the AMQP client certificate Using the Metric Streaming Message Bus (MSMB) Connect to the MSMB Set up a queue to connect to the HP OneView MSMB exchange JSON structure of message received from the MSMB Example to connect and subscribe to MSMB using.net C# Example to connect and subscribe to MSMB using Java Examples to connect and subscribe to MSMB using Python Installation Pika AMQP e-create the AMQP client certificate Generating reports oles Tasks for reports About available reports Using data services About data services About metric streaming About log forwarding to a remote syslog server EST API to enable metric streaming oles Tasks for metrics EST API EST API to leverage remote system logs oles Tasks for remotesyslog EST API VI Troubleshooting Troubleshooting Basic troubleshooting techniques Contents

13 36.2 About the support dump file Create a support dump file Create a support dump for authorized technical support using EST API scripting Troubleshooting locale issues Troubleshooting activity Alerts do not behave as expected Troubleshooting the appliance Appliance performance Unexpected appliance shutdown Appliance update is unsuccessful Cannot create a support dump file Certificate issues Cannot create or download a backup file estore action was unsuccessful Cannot restart or shut down appliance VM does not restart when the vsphere VM host time is manually set einstall the remote console Troubleshooting the appliance network setup First-time setup Appliance cannot access the network Troubleshooting notifications notification of alerts Troubleshooting enclosures and enclosure groups Add or remove enclosure is unsuccessful Migration is unsuccessful Add server blade is unsuccessful Invalid OA certificate Troubleshooting firmware bundles Incorrect credentials Lost ilo connectivity HP SUM errors Failed firmware update on enclosure add Failed firmware update on all devices in an enclosure Troubleshooting interconnects Interconnect edit is unsuccessful Interconnect modules are in Maintenance state Interconnect modules are in Unmanaged state eplace an HP Virtual Connect interconnect in a managed enclosure Troubleshooting licenses estore a license key that has been erased from an enclosure OA The license assigned does not match the type specified Licensing numbers appear to be inaccurate Issues adding and applying licenses Issues viewing licenses Troubleshooting logical interconnects I/O bay occupancy errors Uplink set warnings or errors Physical interconnect warnings or errors Firmware update errors Pause flood condition detected on a Flex-10 physical port Troubleshooting networks Network create operation is unsuccessful Troubleshooting server hardware Server add or remove is unsuccessful Cannot control power on server blade Contents 13

14 Lost connectivity to server hardware after appliance restarts eplace a server blade with an assigned server profile eplace a server adapter on server hardware with an assigned server profile Troubleshooting server profiles Server profile is not created or updated correctly What to do when you cannot apply the server profile Profile operations are not successful Troubleshooting storage Brocade Network Advisor (BNA) SAN manager fails to add Unable to establish connection with Brocade Network Advisor (BNA) SAN manager Volume not available to server hardware Volume is visible from the storage system but not visible on the appliance Target port failure Troubleshooting switches Switch communications Troubleshooting user accounts Incorrect privileges Unauthenticated user or group User public key is not accepted Directory service not available Cannot add directory service Cannot add server for a directory service Cannot add directory group estoring an appliance from a backup file oles About restoring the appliance Best practices for restoring an appliance estore an appliance from a backup file Using EST APIs to restore an appliance from a backup file Creating a custom script to restore an appliance Post-restoration tasks Support and other resources Gather information before contacting an authorized support representative How to contact HP Get connected to the HP OneView online user forum Software technical support and software updates egistering for software technical support Using your software technical support and update service Obtaining HP OneView software and firmware updates Obtaining software and drivers for HP ProLiant products Warranty elated information Product bulletins and Quick Specs for all HP products HP OneView documentation and websites Enclosure, ilo, and server hardware documentation and websites HP 3PA StoreServ Storage documentation and websites HP Virtual Connect documentation and websites Finding documents on the HP Support Center website Submit documentation feedback Contents

15 A Step by step: Configuring an example data center using HP OneView A.1 Tasks you can perform without data center hardware A.2 Information about the example data center A.2.1 Example data center hardware A.2.2 Data center networks A Fibre Channel networks A Ethernet Networks A.3 Planning the configuration A.3.1 Planning for installation of the appliance A.3.2 Planning for network sets A.3.3 Planning for users and roles A.3.4 Planning resource names A.4 Installing the appliance A.5 Provisioning eight host servers for VMware vsphere Auto Deploy A.5.1 Workflow A.5.2 Downloading the latest firmware bundle and adding it to the appliance A.5.3 Configuring the networks and network sets A Configuring the Fibre Channel SAN networks A Configuring the Ethernet networks A Configuring the network sets A.5.4 Creating a logical interconnect group and its uplink sets A Creating a logical interconnect group for enclosure A Creating a logical interconnect group for enclosure A.5.5 Creating an enclosure group for enclosure A.5.6 Adding enclosure A.5.7 Viewing the server hardware types A.5.8 Creating a server profile to use as a template A.5.9 Copying the template server profile to four servers A.5.10 Creating an enclosure group for enclosure A.5.11 Adding enclosure A.5.12 Creating a server profile for enclosure A.5.13 Copying the second template server profile to four servers A.6 Bringing an HP ProLiant DL360p Gen8 rack mount server under management A.6.1 Workflow A.6.2 Adding the server hardware A.6.3 Powering on the server A.6.4 Viewing information about the server A.6.5 Adding a license for the server A.7 Adding a storage system to the data center A.7.1 Adding an HP 3PA StoreServ Storage system A Adding an HP 3PA StoreServ Storage system to the appliance A Creating volumes and adding external volumes A Creating Direct attach networks and adding them to the uplink sets A Adding a SAN manager and associating its managed SANs with Fibre channel networks A Attaching volumes to a sever profile to make them available to server hardware B Using the virtual appliance console B.1 Using the virtual appliance console C Backup and restore script examples C.1 Sample backup script C.2 Sample restore script Contents 15

16 D Authentication directory service D.1 Microsoft Active Directory configurations D.1.1 Users and groups in same OU D.1.2 Users and groups in different OUs, under same parent D.1.3 Users and groups in different OUs, under different parents D.1.4 Built-in groups D.2 OpenLDAP directory configuration D.3 Validating the directory server configuration D.4 LDAP schema object classes Index Contents

17 Part I Learning about HP OneView This part describes HP OneView and its model for data center resources and introduces you to the terms and concepts used in this document and the appliance online help.

18 18

19 1 Learning about HP OneView 1.1 HP OneView for converged infrastructure management Optimized for collaboration, productivity, and reliability, the HP OneView appliance is designed to provide simple, single-pane-of-glass lifecycle management for the complex aspects of enterprise IT servers, networking, software, power and cooling, and storage. HP OneView is purpose-built to manage your converged infrastructure and support key scenarios such as deploying bare-metal servers, deploying hypervisor clusters from bare metal, performing ongoing hardware maintenance, and responding to alerts and outages. It is designed for the physical infrastructure needed to support virtualization, cloud computing, big data, and mixed computing environments. Storage HP Converged Infrastructure Servers Power and cooling Network Management software Architecture HP OneView is delivered as a virtual appliance, a pre-configured virtual machine ready to be deployed on a hypervisor host. In contrast to management environments that require predefined serialized workflows and different tools for different tasks, HP OneView is a scalable resource-oriented solution focused on the entire life cycle from initial configuration to on-going monitoring and maintenance of both logical and physical resources: Logical resources are items such as networks, server profiles, and connections. Physical resources are items you can touch, such as server hardware, interconnects, and enclosures. Software-defined flexibility your experts design configurations for efficient and consistent deployment The appliance provides several software-defined resources, such as groups and server profiles, to enable you to capture the best practices of your experts across a variety of disciplines, including networking, storage, hardware configuration, and operating system build and configuration. By having your experts define the server profiles and the networking groups and resources, you can 1.1 HP OneView for converged infrastructure management 19

20 eliminate cross-silo disconnects. By using BAC (role-based access control) and the groups, sets, and server profiles established by your experts, you can enable system administrators to provision and manage thousands of servers without requiring that your experts be involved with every server deployment. One tool and one data set one view HP OneView combines complex and interdependent data center provisioning and management into one simplified and unified interface. You use one tool and one model to: Provision the data center (page 22) Manage and maintain firmware and configuration changes (page 25) Monitor the data center and respond to issues (page 26) The solution also provides core enterprise management capabilities, including: Availability features (page 30) Security features (page 30) Graphical and programmatic interfaces (page 31) The appliance manages servers and enclosure networking resources, supports connections from enclosures to storage, and provides information to help you manage data center power and cooling: Servers are represented and managed through their server profiles. For a brief overview of server profiles, see Server profiles (page 22). For detailed information about server profiles, see the online help for the Server Profiles screen. The appliance enables storage provisioning with automated zoning. Storage devices connect to the enclosures using either Fibre Channel fabric attach (SAN switch) connections or Fibre Channel direct attach (flat SAN) connections. For more information about managing storage, see the online help for the Storage Systems screen. For more information about Fibre Channel network connections for storage, see About network connectivity (page 157). Networking is an essential component to provisioning and managing data center servers. For an overview of the networking features of the appliance, see Networking features (page 33). For information about networking and the resource model, see Understanding the resource model (page 35). If you are migrating a Virtual Connect configuration to HP OneView, see About migrating enclosures (page 179). Environmental management such as power, cooling, and space planning requires that you consider all the equipment in the entire data center, including equipment not managed by HP OneView. HP OneView consolidates data center power and cooling information into one interface view. For an overview of the power and cooling management features, see Data center environmental management (page 28). For an example of using the appliance to manage a data center, see Step by step: Configuring an example data center using HP OneView (page 337). 1.2 HP OneView licensing HP OneView provides the following license types: HP OneView Advanced licensing for managing server hardware HP OneView Standard licensing for monitoring server hardware HP OneView Standard licensing delivers monitoring, inventory management and reporting for HP BladeSystem and HP ProLiant BL and DL servers. HP OneView Advanced licensing delivers all supported HP OneView features. The following tables provides an overview of the features available 20 Learning about HP OneView

21 for each license type. For more information, see Bringing hardware into HP OneView (page 21) and About licensing (page 149). Features Partner integrations Software-defined infrastructure (profiles, groups, sets, and others) Storage provisioning and SAN zoning Virtual Connect advanced management Firmware management Power management (3D visualization) OS provisioning emote management (HP ilo Advanced) Map view Smart search, Activity view, and Dashboard Health monitoring Inventory eporting EST API access Technical support and software updates HP OneView Standard 1 year 9x5 support (optional) HP OneView Advanced 3 years 24x7 support (included) 1.3 Bringing hardware into HP OneView Server hardware, including enclosures and rack mount servers, can be added to HP OneView to manage or monitor. Manage If you add a managed server to HP OneView, either in an enclosure or rack server, you can apply configurations, deploy server profiles, monitor operation status, collect statistics, and alert users to specific conditions. For more information, see About managed enclosures (page 178) and Managing server hardware (page 137). Managing server hardware requires HP OneView Advanced licensing. For more information, see HP OneView licensing (page 20). Migrate Enclosures from Virtual Connect Manager (VCM) can be migrated to HP OneView with the configuration information, so that the enclosure can be managed by HP OneView. The managed enclosure requires HP OneView Advanced licensing. For more information, see HP OneView licensing (page 20). For more information about migrating, see Migrating enclosures managed by other management systems (page 178). Monitor If you add a monitored server to HP OneView, either in an enclosure or rack server, you can monitor it for inventory and hardware status only. For more information, see About monitored enclosures (page 180) and About monitored server hardware (page 141). Monitoring server hardware uses a free license called HP OneView Standard. For more information, see HP OneView licensing (page 20). 1.3 Bringing hardware into HP OneView 21

22 1.4 Provisioning features After you install the HP OneView appliance and perform the initial configuration tasks, you can quickly bring existing hardware under management, prepare for and deploy hardware to your data center Features for provisioning hardware and bringing resources under management include: Server profiles (page 22) Groups, templates, and sets (page 22) Streamlined process for bringing hardware under management (page 24) Operating system deployment (page 24) Storage provisioning and management (page 25) Server profiles A server profile captures key aspects of a server configuration in one place, including firmware levels, BIOS settings, network connectivity, boot order configuration, local storage, SAN storage, and unique IDs. Server profiles are one of the features that enable you to provision converged infrastructure hardware quickly and consistently according to your best practices. Server profiles enable your experts to specify a server configuration before the server arrives, enabling your administrators to quickly bring a new server under management when the server hardware is installed. For example, you can create a server profile that is not assigned to a particular server, but specifies all the configuration aspects such as BIOS settings, network connections, and boot order to use for a type of server hardware. After the server is installed in an enclosure bay, you can do one of the following: Directly assign the server profile to the enclosure bay. Copy the server profile and assign the copy to the enclosure bay. You can copy or move a server profile that has been assigned to hardware in an enclosure bay. If you copy a server profile, you can save it for future use by not assigning the copy to an enclosure bay. You can control the server profile behavior. For example, you can assign a server profile to an empty bay and when an appropriate server is inserted into that bay, the server profile is automatically applied to the server hardware. You can also associate the server profile with the physical hardware UUID, so that the profile moves with the server when the blade is moved to a different bay. For more information, see About server profiles (page 144) Groups, templates, and sets Software-defined infrastructure such as server profiles, groups, templates, and sets enable you to: Use your experts to define server and networking configurations for specific environments before you install data center hardware. Provision hundreds of servers quickly and consistently without requiring that your experts take action for every server you deploy. Simplify the distribution of configuration changes across your data center. Expert design with consistent deployment Your experts in different technical areas can create templates, groups, and sets with their configuration best practices built in. Using these resources and server profiles, you can ensure that 22 Learning about HP OneView

23 the infrastructure for thousands of workloads is provisioned consistently, regardless of who does the provisioning. Server profiles capture the server configuration in once place. You can use unassigned server profiles to rapidly deploy multiple servers with the same configuration. For more information about server profiles, see Server profiles (page 22). Types of groups and sets Group or set Enclosure group Logical interconnect group Uplink set Network set Description A group of enclosures that use the same configuration, network connectivity and firmware versions for the Onboard Administrator and interconnect modules. All members of an enclosure group use the same logical interconnect group. When you add an enclosure to the appliance to be managed, and assign an enclosure group, the interconnects in the enclosure are configured automatically according to the logical interconnect group associated with the enclosure group. Enclosure groups enable administrators to provision multiple enclosures in a consistent, predictable manner in seconds. A group of logical interconnects that share the same configuration for network connectivity. A logical interconnect is the set of physical interconnects and their links, including the following: Uplinks to data center networks as mapped by their uplink sets Downlinks to the servers Stacking links (connections to each other) When you or your experts define configurations using logical interconnect groups and enclosure groups: Administrators can provision multiple enclosures with consistent network configurations in seconds Network administrators are not required to take action every time an enclosure is installed because the network configuration is defined by the enclosure group. A set of physical uplink ports in a logical interconnect that connect to a common set of networks. All member interconnects of a logical interconnect can contribute physical uplinks to an uplink set. Uplink sets can be defined as part of a logical interconnect or a logical interconnect group. When uplink sets are defined as part of a logical interconnect group, they act as the template for the uplink sets that are configured automatically when a logical interconnect is added to the logical interconnect group. A set of Ethernet networks, designated by a single name. You can specify a network set instead of an individual network when you define a connection to data center Ethernet networks in a server profile. When you specify a network set in a connection, the server can access any of the networks in that set, including any networks that are subsequently added to that network set. Define configurations for specific environments Groups and templates enable you to define configurations that are specific to the environment you want to build, such as virtual hosts, Microsoft Exchange environments, external or internal web servers, or financial database servers. For example, to build multiple external web servers: 1. Your networking expert can create logical interconnect groups, uplink sets, networks, and network sets to establish all of the connection policies between data center networks and the interconnects managed by the appliance. 2. Your server expert can create enclosure groups, add enclosures, and create server profiles to establish all of the settings required by an external web server. 3. Your server operators can copy server profiles whenever they need to deploy this type of server. 1.4 Provisioning features 23

24 Flexibility in design and deployment HP OneView provides flexibility in the creation of groups, templates, and sets. For example, you can create a logical interconnect group in these ways: Before you add an enclosure to the appliance to be managed, you can create a logical interconnect group that specifies how you want the interconnects to be configured, and an enclosure group that specifies how you want the enclosure to be configured. You can add an enclosure to the appliance to be managed and, after the appliance discovers and adds the interconnect hardware in the enclosure, you can use or modify the default logical interconnect group that the appliance creates. Groups, templates, and sets also simplify the distribution of configuration changes across your data center. For more information about configuration changes, see Simplified configuration change management (page 26). For more information about resources, including groups, templates, and sets, see Understanding the resource model (page 35) Streamlined process for bringing hardware under management HP OneView simplifies the process of bringing the enclosures, interconnects, and server hardware under management. For example: When you add an enclosure, the appliance automatically detects all of the hardware seated in the enclosure and prepares it for you to bring under management. For example, the appliance: Updates the enclosure Onboard Administrator, Virtual Connect interconnect module, and server ilo firmware to the minimum version required Configures each Virtual Connect interconnect module Configures the Onboard Administrator, which includes configuring NTP (Network Time Protocol) and configuring an SSO (single sign-on) certificate for UI access Configures each server ilo, which includes configuring an SSO certificate for UI access Configures the hardware for monitoring, which includes configuring the automatic registration of SNMP (Simple Network Management Protocol) traps When you migrate a VCM-managed enclosure, the appliance automatically validates the configuration information (including hardware, Virtual Connect domains, networks, and server profiles) before importing the enclosure. When you add an HP Intelligent Power Distribution Unit (ipdu) power device, the appliance automatically detects and presents the connected devices so that you can bring the devices under management Operating system deployment Server profiles and enclosure groups make it easier to prepare a bare-metal server for operating system deployment. For example, you can use server profiles in conjunction with deployment tools such as: HP Insight Control server provisioning to install an operating system on the server Hypervisor Autodeploy to deploy hypervisors from bare metal and add them to existing clusters automatically 24 Learning about HP OneView

25 1.4.5 Storage provisioning and management HP OneView provides automated, policy-driven provisioning of storage resources. It is fully integrated with server profiles so that you can manage your new or existing storage infrastructure. With HP OneView you can view and manage your storage system and storage pools. You add existing volumes and create new volumes, and you can create volume templates to provision multiple volumes with the same configuration. Switched fabric, Direct attach, and VSAN SAN topologies are supported. NOTE: See the HP OneView Support Matrix for more information about storage hardware and systems supported by HP OneView. To add storage to the appliance: First, add a storage system and storage pools to the appliance. Then, create or add volumes, associate them with networks, and attach them to server profiles. See About storage systems (page 208) for more information. You can also add SAN managers to bring their managed SANs under management of the appliance. Managed SANs can be associated with Fibre Channel networks on the appliance to enable automated zoning and automatic detection of Fibre Channel connectivity. See About SAN managers (page 210) for more information. Supported storage automation features Automated storage provisioning When you import existing storage systems and storage pools, HP OneView can quickly create volumes. Attach volumes to HP OneView server profiles to make them available to server hardware. Automatic SAN zoning HP OneView automatically manages SAN zoning through server profile volume attachments. Storage integration through server profiles You can attach private or shared volumes to HP OneView server profiles to enable automated boot target configuration and to move Direct attach profiles across enclosures. HP OneView tracks the connection status between server profiles and SANs. Volume management You can use HP OneView manage the full life cycle of your volumes. You can add existing volumes, create new volumes, grow volumes, and remove or delete volumes using HP OneView. Zoning policies HP OneView enables you to set a zoning policy for your managed SANs. You can choose single initiator/all targets, or single initiator/single storage system. Zone naming and aliases HP OneView uses rules-based zone naming to give you full control of your zone names. You can use zone naming to incorporate your current naming structure, which HP OneView will use during the automated zoning process. HP OneView enables you to create aliases for initiators, targets, and target groups, which HP OneView displays in place of their WWPNs. 1.5 Firmware and configuration change management features Simplified firmware management The appliance provides fast, reliable, and simple firmware management across the data center. 1.5 Firmware and configuration change management features 25

26 When you add a resource to the appliance to be managed, to ensure compatibility and seamless operation, the appliance automatically updates the resource firmware to the minimum version required to be managed by the appliance. NOTE: Firmware for monitored hardware is updated outside of HP OneView. An HP firmware bundle, also known as an SPP (Service Pack for ProLiant), is a tested update package of firmware, drivers, and utilities. Firmware bundles enable you to update firmware on managed server blades, and infrastructure (enclosures and interconnects). An on-appliance firmware repository enables you to upload SPP firmware bundles and deploy them across your environment according to your best practices. For example you can: View the versions and contents of firmware bundles stored in the firmware repository. View the settings of the enclosures and interconnects, if any, that have a specific firmware bundle installed. Set a firmware baseline a desired state for firmware versions on a managed resource, such as a server profile, or on a group of resources, such as all of the interconnects in a logical interconnect group. Detect when a managed resource does not comply with the firmware baseline. Identify firmware compatibility issues. Update firmware for an entire enclosure in minutes. Update firmware for individual resources or for groups of resources, such as logical interconnect groups Simplified configuration change management Templates and groups simplify the distribution of configuration changes across your data center. For example: If you add a network to a network set, the network is available for immediate use by all of the server profiles that have a connection to the network set. You do not need to change or reapply a server profile. You can reduce errors by making multiple and complex changes to a group. Then, for each member of the group, you can use a single action to update the configuration to match the configuration of the group. The appliance notifies you when it detects that a device does not comply with the current template or group. You control when and if a device configuration is updated. The firmware for physical interconnects is managed using the logical interconnects, ensuring that the member interconnects have compatible firmware. 1.6 Monitoring the environment and response features One user interface You use the same interface you use to provision resources. There are no additional tools or interfaces to learn. Isolated management network The appliance architecture is designed to separate the management traffic from the production network, which increases reliability of the overall solution. For example, your data center resources remain operational even in the unlikely event of an appliance outage. 1. Enclosure groups do not include a firmware baseline; therefore, updates to enclosure firmware are managed on a per-enclosure basis. 26 Learning about HP OneView

27 Automatic configuration for monitoring health and utilization When you add resources to the appliance, they are automatically configured for monitoring health, activity, alerts, and utilization. You can monitor resources immediately without performing additional configuration or discovery steps. Agentless and out-of-band management All health and utilization monitoring and management of HP ProLiant Gen8 (or later) servers is agentless and out-of-band for increased security and reliability. For these servers: There are no agents to monitor or update. The appliance does not require open SNMP ports on the host operating system. The appliance does not interact with the operating system on the host, which frees memory and processor resources on the host for use by server applications, and enables you to monitor servers that have no host operating system installed. Management from other platforms using the EST APIs and message buses The EST APIs and the SCMB (State-Change Message Bus) or MSMB (Metric Streaming Message Bus) also enable you to monitor the HP OneView environment from other management platforms. For more information about message buses, see Using a message bus to send data to subscribers (page 257) Monitoring the environment and responding to issues Features for monitoring the environment and responding to issues include the following: The Dashboard screen (page 248), which displays a summary view of data center capacity and health information The Activity screen (page 243), which displays and enables you to filter all system tasks and alerts Data center environmental management (page 28) esource utilization monitoring (page 28) Activity and health management (page 28) Hardware and firmware inventory information (page 29) 1.6 Monitoring the environment and response features 27

28 1.6.1 Data center environmental management HP OneView integrates these critical areas for environmental management of the data center: Thermal data visualization in 3D Power delivery infrastructure representation Physical asset location in 3D Feature Thermal data visualization Power delivery infrastructure representation Physical asset location Description 3D data center thermal mapping provides a view of the thermal status of your entire data center. The appliance collects thermal data from the managed resources in each data center rack and presents the data graphically, enabling easy identification of hot spots in a rack. HP OneView collects and reports processor utilization and power and temperature history for your data center hardware. The appliance monitors power, automatically detects and reports power delivery errors, and provides precise power requirement information for HP ProLiant Gen8 servers and HP BladeSystem enclosures that you can use for planning rack and power usage. Power Discovery Services enable automatic discovery and visualization of the power delivery topology for your data center. HP ipdus enable the appliance to map the rack power topology automatically. The appliance detects wiring errors such as lack of redundancy and updates electrical inventory automatically when new servers are installed. The appliance also supports per-outlet power control for remote power cycling of each ipdu outlet. You can manually define the power requirements and power topology for devices that do not support Power Discovery Services. Location Discovery Services enable the appliance to automatically display the exact 3D location of HP ProLiant Gen8 servers in HP Intelligent Series acks, reducing labor time, lowering operational costs, and eliminating human errors associated with inventory and asset management. You can manually define the positions of racks and devices that do not support Location Discovery Services esource utilization monitoring HP OneView periodically collects and maintains CPU utilization information for all of the servers it manages. HP OneView also collects port-level statistics for networking, including transmit, receive, and error counters. HP OneView displays all of this data using rich UIs and makes the data available through the EST APIs Activity and health management HP OneView provides streamlined activity monitoring and management. The appliance automatically registers to receive SNMP traps from all managed resources, and resources added to the appliance are immediately available for monitoring and management. When the appliance notifies you of a problem, when possible, it suggests a way to correct the problem. Using the UI and EST APIs, you can: View all activities (alerts and tasks) by description or source, and filter activities using multiple filter criteria. Assign alerts to specific users. Annotate activities with notes from administrators, enabling the administrators of the data center to collaborate through the appliance instead of through outside tools such as Learning about HP OneView

29 View alerts for a specific resource from the UI screen for that resource or using the EST API for that resource. Automatically forward SNMP traps from managed resources to enterprise monitoring consoles or centralized SNMP trap collectors Hardware and firmware inventory information HP OneView provides detailed hardware and firmware inventory information about the resources it manages. You can access the following data through the UI and the EST APIs: Summary and detailed views of managed hardware, such as servers, enclosures, and interconnects. Summary of monitored hardware, such as servers and enclosures. Summary and detailed views of firmware bundle contents. You can use the Smart Search feature of the UI to find specific items in the inventory. eports are also available to help you monitor your inventory as well as help you monitor your environment. The inventory reports provide information about your servers or enclosures such as model, serial number, part number, and so on. Other reports provide a picture of the overall status of your environment. 1.7 Backup and restore features HP OneView provides services to backup an appliance to a backup file, and to restore an appliance from a backup file. One encrypted backup file for both the appliance and its database Backup files are encrypted and contain configuration settings and management data there is no need to create separate backup files for the appliance and its database. Flexible scheduling and an open interface for backup operations You can create backup files while the appliance is online. Also, you can use EST APIs to: Schedule a backup process from outside the appliance. Collect backup files according to your site policies. Integrate with enterprise backup and restore products. A backup file is a snapshot of the appliance configuration and management data at the time the backup file was created. HP recommends that you create regular backups, preferably once a day and after you make hardware or software configuration changes in the managed environment. Specialized user role for creating backup files HP OneView provides a user role specifically for backing up the appliance by permitting access to other resource views without permitting actions on those resources, or other tasks. ecovery from catastrophic failures You can recover from a catastrophic failure by restoring your appliance from the backup file. When you restore an appliance from a backup file, all management data and most configuration settings on the appliance are replaced with the data and settings in the backup file, including things like user names and passwords, audit logs, and available networks. The state of the managed environment is likely to be different from the state of that environment at the time the backup file was created. During a restore operation, the appliance reconciles the data 1.7 Backup and restore features 29

30 in the backup file with the current state of the managed environment. After the restore operation, the appliance uses alerts to report any discrepancies that it cannot resolve automatically. For more information about backing up and restoring an appliance, see Backing up an appliance (page 225). 1.8 Security features CATA (Comprehensive Applications Threat Analysis) is a powerful HP security quality assessment tool designed to substantially reduce the number of latent security defects. The design of the HP OneView appliance employed CATA fundamentals and underwent CATA review. To ensure a secure platform for data center management, the appliance includes feature such as the following: Separation of the data and management environments, which is critical to avoid takeover in DoS (Denial of Service) attacks. For example, the appliance is designed to operate entirely on an isolated management LAN; access to the production LAN is not required. The managed devices remain online in the event of an appliance outage. BAC (role-based access control), which enables an administrator to quickly establish authentication and authorization for users based on their responsibilities for specific resources. BAC also simplifies what is shown in the UI: Users can only view the resources for which they are authorized. For example, the appliance does not display screens that do not apply to users with the role of Network administrator, such as the Server Profiles and Server Hardware screens. Users can initiate actions only for the resources for which they are authorized. For example users with the role of Network administrator can initiate actions for the network resources only, and users with the role of Server administrator can initiate actions for the server resources only. Users with the role of Infrastructure administrator have full access to all screens and actions. Single sign-on to ilo and Onboard Administrator without storing user-created ilo or Onboard Administrator credentials. Audit logging for all user actions. Support for authentication and authorization using an optional directory service such as Microsoft Active Directory. Use of certificates for authentication over Transport Layer Security (TLS). A firewall that allows traffic on specific ports and blocks all unused ports. A UI that restricts access from host operating system users. Data downloads that are restricted to support dump files (encrypted by default), encrypted backup files, audit logs, and certificates. For detailed security information, see Understanding the security features of the appliance (page 53). 1.9 Availability features HP OneView separates the management appliance from the managed resources. In the unlikely event that the appliance experiences an outage, the managed resources continue to run. HP OneView is delivered as a virtual appliance, a pre-configured virtual machine ready to be deployed on a hypervisor host. The hypervisor software provides the virtual machine with high-availability and recovery capabilities that allow the virtual machine to be restarted on another host in the cluster and to resume management without disruption to the managed resources. 30 Learning about HP OneView

31 Configuring the appliance for availability is described in Managing appliance availability (page 230) Graphical and programmatic interfaces The HP OneView appliance was developed to use a single, consistent resource model embodied in a fast, modern, and scalable HTML5 user interface and industry-standard EST APIs for mobile, secure access and open integration with other management software. User interface efficiency and simplicity by design The UI is designed for the way you work, providing powerful, easy-to use tools, including the following: Feature Dashboard screen Map view Smart Search box Labels view Activity feed esource-specific management screens Description Provides a graphical representation of the general health and capacity of the resources in your data center. From the Dashboard you can immediately see the areas that need your attention. Available from each resource, the Map view enables you to examine the configuration and understand the relationships between logical and physical resources in your data center. The banner of every screen includes the Smart Search feature, which enables you to find resource-specific information such as specific instances of resource names, serial numbers, WWNs, and IP and MAC addresses. Available from each resource, the Labels view enables you to organize resources into groups. For example, you might want to identify the servers that are used primarily by the Finance team, or identify the storage systems assigned to the Asia/Pacific division. The Activity feed gives you a unique perspective into the health of your environment by interleaving the tasks, alerts, and administrator's notes into a single view. The Activity feed simplifies the correlation of user activity with system health, allowing for timely resolution of issues. These screens enable you to focus on the resources you are authorized to view and manage. esource group screens enhance scalability by enabling you to manage multiple resources as one. The UI provides on-screen hints and tips to help you avoid and correct errors, and provides links to learn more about the tasks. At the top of each screen, the help icon gives you access to the entire help system. For more information about the UI, see Navigating the graphical user interface (page 65). EST APIs automation and integration HP OneView has a resource-oriented architecture that provides a uniform EST interface. The EST APIs: Provide an industry-standard interface for open integration with other management platforms. Are designed to be ubiquitous every resource has one UI (Uniform esource Identifier) and represents a physical device or logical construct. Enable you to automate anything you can do from the UI using your favorite scripting or programming language. Are designed to be highly scalable. For more information about the EST APIs, see the EST API scripting online help. For more information about finding online help and other documentation, see Accessing documentation and help (page 89) Graphical and programmatic interfaces 31

32 1.11 Integration with other management software To use the integrated management software listed in this section, you must purchase HP OneView Advanced licenses. For more information, see About licensing (page 149). Onboard Administrator for HP BladeSystem c7000 enclosures HP OneView interacts seamlessly with the Onboard Administrator to provide complete management of HP BladeSystem c7000 enclosures. Onboard Administrator privileges are determined by the role assigned to your HP OneView user account. HP Integrated Lights-Out HP OneView interacts seamlessly with the ilo management processor to provide complete management of HP server hardware. HP OneView automatically configures the ilo according to the settings specified by the HP OneView server profile. HP OneView configures seamless access to the ilo graphical remote console, enabling you to launch the ilo remote console from the HP OneView UI in a single click. Your ilo privileges are determined by the role assigned to your HP OneView appliance account. HP Insight Control Full licenses of HP OneView Advanced includes the right to use HP Insight Control which delivers essential infrastructure management. This right is not included for upgrade licenses. HP Insight Control can save you time and money by making it easy to deploy, migrate, monitor, control and optimize your IT infrastructure through a single, simple management console for your ProLiant ML/DL/SL and BladeSystem servers. You can elect to use either HP OneView or the corresponding optional license for HP Insight Control to manage devices. You do not need to purchase two licenses for the same server. However, you cannot operate HP OneView and Insight Control licenses to manage the same server at the same time. The exception is Insight Control server provisioning. This can be used simultaneously with HP OneView to manage the same server. HP Insight Control is not included in the HP OneView download or media, but can be downloaded from HP Insight Control server provisioning HP OneView Advanced includes the right to use Insight Control server provisioning, a capability for multi-server, physical OS provisioning and server configuration. Insight Control server provisioning software is not included in the HP OneView media, but can be downloaded from Insight Control server provisioning replaces the capability provided by Insight Control server deployment (DP). HP OneView for Microsoft System Center HP OneView Advanced includes the right to use HP OneView for Microsoft System Center (previously known as HP Insight Control for Microsoft System Center). HP OneView for Microsoft System Center fully integrates HP s management ecosystem into Microsoft System Center, delivering capabilities such as proactive monitoring, remote management and provisioning of HP servers, networking and storage. HP OneView for Microsoft System Center can be downloaded from HP OneView for ed Hat Enterprise Virtualization HP OneView Advanced includes the right to use HP OneView for ed Hat Enterprise Virtualization (previously known as HP Insight Control for ed Hat Enterprise Virtualization). HP OneView for ed Hat Enterprise Virtualization fully integrates HP s management ecosystem into ed Hat Enterprise Virtualization, delivering capabilities such as proactive monitoring of HP server and networking 32 Learning about HP OneView

33 infrastructure. HP OneView for ed Hat Enterprise Virtualization can be downloaded from HP OneView for VMware vcenter HP OneView Advanced includes the right to use HP OneView for VMware vcenter (previously known as HP Insight Control for VMware vcenter Server), HP OneView for VMware vcenter/vealize Operations, and HP OneView for VMware vcenter Log Insight. HP OneView for VMware vcenter fully integrate HP s management ecosystem into VMware vcenter Server, vealize Operations, and Log Insight to deliver capabilities such as proactive monitoring, deep troubleshooting, remote management, and provisioning of HP servers, networking, and storage. HP OneView for VMware vcenter integrations can be downloaded from go/ovvcenter Open integration The single, consistent resource model, EST APIs, and SCMB (State-Change Message Bus) enable you to use scripting to integrate HP OneView with other enterprise applications to address user needs and perform tasks such as: Automating standard workflows and troubleshooting steps Automating integrations with other software, such as a CMDB (content management database) Connecting to service desks Monitoring resources, collecting data, and mapping and modeling systems Exporting data to formats that suit your needs Attaching custom databases, data warehouses, or third-party business intelligence tools Integrating in-house user customizations For more information about the EST APIs, see the EST API scripting online help. The SCMB is an interface that uses asynchronous messaging to notify subscribers of changes to managed resources both logical and physical. For example, you can program applications to receive notifications when new server hardware is added to the managed environment or when the health status of physical resources changes without having to continuously poll the appliance for status using the EST APIs. For more information about the SCMB, see Using a message bus to send data to subscribers (page 257) Networking features Supported networks Logical interconnects Logical interconnect groups Network sets The HP OneView appliance provides several networking features to streamline the provisioning of networking resources for server blades and to manage configuration changes, including firmware updates, to Virtual Connect interconnect modules Open integration 33

34 Supported networks The Virtual Connect interconnect modules in enclosures support the following types of data center networks: Ethernet for data networks. Fibre Channel for storage networks, including Fibre Channel fabric attach (SAN switch) connections, and Fibre Channel direct attach (Flat SAN) connections to supported HP 3PA storage systems. Logical interconnects The appliance enables you to define multiple enclosure interconnect modules as a single administrative entity called a logical interconnect, which provides universal access to data center Ethernet networks from all servers connected to any member interconnect. A logical interconnect is the set of physical interconnects and their links, including the following: Uplinks to data center networks as mapped by their uplink sets Downlinks to the servers Stacking links (connections to each other) Logical interconnect groups A logical interconnect group is a collection of logical interconnects that have the same configuration for features such as the following: Stacking mode Firmware Uplink sets Uplink port redundancy and fault tolerance When you add an enclosure and associate it with an enclosure group, the enclosure is automatically configured according to the logical interconnect group associated with the enclosure group. This feature enables you to provision hundreds of enclosures consistently and efficiently. After you create a logical interconnect, it continues to be associated with the logical interconnect group and reports if its configuration differs from the group. Network sets You can define a collection of Ethernet data center networks to be identified by a single name, called a network set. You can specify a network set instead of an individual network when you define a connection from a server to the data center networks. By using network sets, you can make changes to networks that are members of a network set without having to make changes to each server profile that uses that network set. Network sets are useful in virtual machine environments where each server profile connection must access multiple networks. For example, you can configure a hypervisor with a vswitch to access multiple network VLAN IDs by creating a network set as a trunk that includes the networks that have these VLAN IDs. For more information about networking resources, see Understanding the resource model (page 35). For detailed information about the networking model for the HP OneView appliance, see About network connectivity (page 157). 34 Learning about HP OneView

35 2 Understanding the resource model The HP OneView appliance uses a resource model that reduces complexity and simplifies the management of your data center. This model provides logical resources, including templates, groups, and sets, that when applied to physical resources, provides a common structure across your data center. High-level overview esource model summary diagram (page 35) Server resources Server profiles (page 36) Connections (page 37) Connection templates (page 37) Server hardware (page 38) Server hardware types (page 38) Network provisioning resources Enclosure groups (page 39) Enclosure types (page 40) Enclosures (page 40) Interconnect types (page 41) Interconnects (page 41) Logical interconnect groups (page 42) Logical interconnects (page 43) Switches (page 46) Uplink sets (page 45) Network resources Networks (page 45) Network sets (page 46) Storage resources Storage Systems (page 47) Storage Pools (page 47) Volumes (page 48) Volume Templates (page 48) SAN Managers (page 48) Appliance resources Appliance (page 49) Domains (page 49) Data center power and cooling management resources Data centers (page 50) acks (page 50) Power delivery devices (page 51) Unmanaged devices (page 51) Learn more For a complete list of resources, see the HP OneView EST API eference in the online help. For information about using this appliance, see the other chapters in this guide and the online help. 2.1 esource model summary diagram The following figure summarizes some of the most frequently used resources and shows the relationships between them. 2.1 esource model summary diagram 35

36 Figure 1 esource model summary diagram Volume Templates Volumes Volume Attachments Server Profiles Connection Templates Connections or Network Sets Networks Storage Pools Storage Systems Power Delivery Devices acks Data Centers Server Hardware Device Bay Device Bay Enclosures Enclosure Groups I/O Bay I/O Bay Switches Interconnects Uplink Sets Logical Interconnect Groups Domains Uplink Sets Logical Interconnects Appliance Specified in a server profile Physical resource Logical resource Server Hardware Types Enclosure Types Interconnect Types The UI and EST APIs are organized by resource. The documentation for the UI and EST APIs are also organized by resource. To view the complete list of resources, see the HP OneView EST API eference in the online help. The following sections introduce the resources shown in Figure 1 (page 36). 2.2 Server profiles Server profiles capture key aspects of the server configuration in one place, enabling you to provision converged infrastructure hardware quickly and consistently according to your best practices. A server profile can contain the following configuration information about the server hardware: Basic server identification information Firmware versions Connections to Ethernet networks, Ethernet network sets, and Fibre Channel networks Local storage SAN storage Boot settings BIOS settings Physical or virtual UUIDs (universally unique identifiers), MAC (media access control) addresses and WWN (World Wide Name) addresses elationship to other resources A server profile is associated with the following resources in the resource summary diagram (page 36): Zero or more connection resources. You use a connection resource to specify connection from the server to a network or network set. If you do not specify at least one connection, the server cannot connect to data center networks. The networks and network sets that are available to 36 Understanding the resource model

37 a server profile connection depend on the configuration of the logical interconnect of the enclosure that contains the server hardware. Exactly one server hardware resource, which can be either unassigned or can be located in a specific enclosure and enclosure bay. Exactly one server hardware type resource. Exactly one enclosure group resource. To enable portability of server profiles, a server profile is associated with an enclosure group resource instead of an enclosure resource. Because enclosures in the enclosure group are configured identically, you can assign a server profile to any appropriate server hardware, regardless of which enclosure and bay in the enclosure group contains that server hardware. UI screens and EST API resources UI screen Server Profiles EST API resource server-profiles For more information about server profiles, see the online help for the Server Profiles screen. 2.3 Connection templates A connection template defines default configuration characteristics, such as the preferred bandwidth and maximum bandwidth, for a network or network set. When you create a network or network set, the appliance creates a default connection template for the network or network set. elationship to other resources A connection template resource is associated with zero or more connection resources. A connection resource is associated with the appropriate connection template for a type of network or network set. UI screens and EST API resources UI screen None EST API resource connection-templates Notes The UI does not display or refer to connection templates, but connection templates determine the default values displayed for the connection when you select a network or network set. 2.4 Connections A connection is the logical representation of a connection between a server and a network or network set. Connections are part of server profiles. A connection specifies the following: The network or network set to which the server is to be connected Configuration overrides (such as a change to the preferred bandwidth) to be made to the default configuration for the specified network or network set Boot order 2.3 Connection templates 37

38 elationship to other resources A connection resource is associated with the following resources in the resource summary diagram (page 36): Exactly one server profile resource. Exactly one connection template resource. Exactly one network or network set resource. The resources that are available to the connection depend on the configuration of the logical interconnect of the enclosure that contains the server hardware. UI screens and EST API resources UI screen Server Profiles EST API resources connections and server-profiles For more information about connections, see the online help for the Server Profiles screen. 2.5 Server hardware types A server hardware type captures details about the physical configuration of server hardware, and defines which settings are available to the server profiles assigned to that type of server hardware. For example, the server hardware type for the HP ProLiant BL460c Gen8 Server Blade includes a complete set of default BIOS settings for that server blade hardware configuration. When you add an enclosure to the appliance, the appliance detects the servers installed in the enclosure and creates a server hardware type for each unique server configuration it discovers. When you add a unique rack mount server model, the appliance creates a new server hardware type for that server configuration. elationship to other resources A server hardware type resource is associated with the following resources in the resource summary diagram (page 36): Zero or more server profiles Zero or more servers of the type defined by that server hardware type UI screens and EST API resources UI screen Server Hardware Types EST API resource server-hardware-types For more information about server hardware types, see the online help for the Server Hardware Types screen. 2.6 Server hardware Server hardware represents an instance of server hardware, such as a physical HP ProLiant BL460c Gen8 Server Blade installed in an enclosure, or a physical HP ProLiant DL380p rack server. For information about the supported server hardware, see the HP OneView Support Matrix. 38 Understanding the resource model

39 elationship to other resources A server hardware resource is associated with the following resources in the resource summary diagram (page 36): Zero or one server profile. If a server does not have a server profile assigned, you cannot perform actions that require the server profile resource, such as managing firmware or connecting to data center networks. However, you can: Add the managed server hardware to the appliance, including automatically updating the server firmware to the minimum version required for management by the appliance. Attempts to add monitored servers with less than the minimum firmware version required by HP OneView will fail, and the firmware must be updated outside of HP OneView, for example, with HP Smart Update Manager. View inventory data. Power on or power off the server. Launch the ilo remote console. Monitor power, cooling, and utilization. Monitor health and alerts. If the server hardware is a server blade, exactly one device bay of an enclosure. This association also applies to full-height server blades, which occupy two device bays but are associated with the top bay only. If the server hardware is a rack mount server, zero or one rack resource and zero or more power delivery devices. If the appliance discovers an instance of supported server hardware for which it does not have a matching server hardware type, the appliance creates a server hardware type for that server hardware configuration. UI screens and EST API resources UI screen Server Hardware EST API resource server-hardware Notes You use the server hardware resource, not the server profile resource, to perform actions such as powering off or powering on the server, resetting the server, and launching the HP ilo remote console. You can launch the HP ilo remote console through the UI. The EST APIs do not include an API to launch the HP ilo remote console. For more information about server hardware, see the online help for the Server Hardware screen. 2.7 Enclosure groups An enclosure group is a logical resource that defines a set of enclosures that use the same configuration for network connectivity. The same logical interconnect group is used for every enclosure that is a member of the enclosure group, resulting in identically configured enclosures and uplinks to data center networks. By creating enclosure groups and adding enclosures to the group, you can quickly add and manage many identically configured enclosures. 2.7 Enclosure groups 39

40 elationship to other resources An enclosure group resource is associated with the following resources in the resource summary diagram (page 36): Zero or more enclosures Zero or more server profiles Exactly one logical interconnect group UI screens and EST API resources UI screen Enclosure Groups EST API resource enclosure-groups For more information about enclosure groups, see the online help for the Enclosure Groups screen. 2.8 Enclosure types An enclosure type defines characteristics of a specific HP enclosure hardware model, such as an HP BladeSystem c7000 Enclosure. elationship to other resources An enclosure type resource is associated with zero or more enclosures. UI screens and EST API resources UI screen None EST API resource None Notes The UI does not refer to enclosure type, but the enclosure type is used by the appliance when you add an enclosure. The enclosures EST resource includes an enclosuretype attribute. 2.9 Enclosures An enclosure is a physical structure that contains server blades, the Onboard Administrator, and interconnects. For information about the supported enclosure models, see the HP OneView Support Matrix. The enclosure provides the hardware connections between the interconnect downlinks and the installed server blades. The enclosure interconnects provide the physical uplinks to the data center networks. When you add an enclosure to be managed, the appliance discovers and adds all of the components within the enclosure, including any installed server blades and any installed interconnects. elationship to other resources An enclosure resource is associated with the following resources in the resource summary diagram (page 36): Exactly one enclosure group Zero or more physical interconnects 40 Understanding the resource model

41 One logical interconnect and one logical interconnect group (through the enclosure s association with enclosure groups and interconnects) Zero or one rack resource Zero or more power delivery devices UI screens and EST API resources UI screen Enclosures EST API resource enclosures For more information about enclosures, see the online help for the Enclosures screen Interconnect types The interconnect type resource defines the characteristics of a model of interconnect, such as the following: Downlink capabilities and the number of downlink ports Uplink port capabilities and the number of uplink ports Supported firmware versions elationship to other resources An interconnect type resource is associated with the following resources in the resource summary diagram (page 36): Zero or more interconnects UI screens and EST API resources UI screen Interconnects EST API resource interconnect-types Notes The UI does not display or refer to the interconnect type resource specifically, but the information is used by the appliance when you add or manage an interconnect using the Interconnects screen Interconnects An interconnect is a physical resource that enables communication between hardware in the enclosure and the data center Ethernet LANs and Fibre Channel SANs. The HP Virtual Connect FlexFabric 10Gb/24-port Module is an example of a supported interconnect. For a list of supported interconnects, see the HP OneView Support Matrix. An interconnect has the following types of ports: Port type Uplinks Downlinks Stacking links Description Uplinks are physical ports that connect the interconnect to the data center networks. For example, the X2 port of an HP Virtual Connect FlexFabric 10Gb/24-port Module is an uplink. Downlinks are physical ports that connect the interconnect to the server hardware through the enclosure midplane. Stacking links are internal or external physical ports that join interconnects to provide redundant paths for Ethernet traffic from servers to the data center networks Interconnect types 41

42 In the resource model: Interconnects are an integral part of enclosures and enclosure groups. The interconnects installed in an enclosure are added automatically when the enclosure is added to the appliance. To remove an interconnect from the appliance, you must remove the enclosure from the appliance. Interconnects can also be defined by a logical interconnect group, which in turn defines the logical interconnect configuration to be used for an enclosure. When you associate an enclosure with an enclosure group during an add operation, the appliance uses the interconnect configuration defined by the logical interconnect group that is associated with the enclosure group. The physical interconnect configuration in the enclosure must match the logical interconnect group configuration before an interconnect can be managed. An interconnect must be a member of a logical interconnect. For an interconnect to be usable, it must be installed in an enclosure and must be defined as part of a logical interconnect. Each physical interconnect can contribute physical uplink ports to an uplink set. Firmware baselines and firmware updates for physical interconnects are managed by the logical interconnect. elationship to other resources An interconnect resource is associated with the following resources in the resource summary diagram (page 36): Exactly one enclosure Exactly one logical interconnect, and, through that logical interconnect, exactly one logical interconnect group UI screens and EST API resources UI screen Interconnects EST API resources interconnects, interconnect-types, and logical-interconnects For more information about interconnects, see the online help for the Interconnects screen Logical interconnect groups The logical interconnect group represents the physical and logical configuration of connections to data center networks for each logical interconnect in the group. This configuration includes the following: The interconnect types, interconnect configurations, and interconnect downlink capabilities The stacking mode, which reserves the interconnect ports to be used for stacking links The uplink sets, which map uplink ports to Ethernet or Fibre Channel networks The available networks In the resource model: A logical interconnect group is associated with an enclosure group instead of an individual enclosure. Every enclosure that is a member of an enclosure group has the same network connectivity as all other enclosures in the enclosure group because their logical interconnects are identically configured. 42 Understanding the resource model

43 You can create a logical interconnect group either automatically during an enclosure add operation, or independently of enclosure add operations. If you add an enclosure without specifying an existing enclosure group, the appliance creates both an enclosure group and a logical interconnect group based on the physical interconnects in that enclosure. You can then edit that enclosure group and that logical interconnect group. The uplink sets defined by the logical interconnect group establish the initial configuration of the uplink sets of each logical interconnect associated with the logical interconnect group. If you change uplink sets for an existing logical interconnect group: The updated uplink sets are applied to any new logical interconnects that are added to the existing logical interconnect group. Existing logical interconnects are reported as not being consistent with the logical interconnect group. You can then request that those existing logical interconnects be updated with the new configuration. After a logical interconnect has been created and associated with a logical interconnect group, it continues to be associated with that group and reports if its configuration differs from the group. You can then change the configuration of the logical interconnect to match the group. elationship to other resources A logical interconnect group resource is associated with the following resources in the resource summary diagram (page 36): Zero or more logical interconnects Zero or more enclosure groups The uplink sets defined by a logical interconnect group specify the initial configuration of the uplink sets of each logical interconnect in the group. UI screens and EST API resources UI screen Logical Interconnect Groups EST API resource logical-interconnect-groups For more information about logical interconnect groups, see the online help for the Logical Interconnect Groups screen Logical interconnects A logical interconnect is a single entity for multiple physical interconnects A logical interconnect is a single administrative entity that consists of the configuration of the interconnects in an enclosure. This configuration includes: Interconnects, which are required for the enclosure to connect to data center networks. Uplink sets, which map data center networks to physical uplink ports. If no uplink sets are defined, the logical interconnect cannot connect to data center networks, and the servers attached to the downlinks of the logical interconnect cannot connect to data center networks. Downlink ports, which connect through the enclosure midplane to the servers in the enclosure. A logical interconnect includes all of the physical downlinks of all of the member interconnects. The downlinks connect the interconnects to physical servers. The set of downlinks that share access to a common set of networks is called logical downlinks Logical interconnects 43

44 Stacking links, which join interconnects either through connections inside the enclosure or external cables between the stacking ports of the interconnects. The firmware baseline, which specifies the firmware version to be used by all of the member interconnects. The firmware baseline for physical interconnects is managed by the logical interconnect. The Network administrator configures multiple paths from server bays to networks The Network administrator can ensure that every server bay of an enclosure has two independent paths to an Ethernet data center network by creating a logical interconnect for which the following conditions are true: The logical interconnect has at least two interconnects that are joined by stacking links. The logical interconnect has at least one uplink set that includes uplinks to the network from at least two physical interconnects. The appliance detects and reports a configuration or state in which there is only one path (no redundant paths) to a network or in which there are no paths to a network. The Server administrator is not required to know the details about interconnect configurations Because a logical interconnect is managed as a single entity, the server administrator is isolated from the details of interconnect configurations. For example, if the network administrator configures the logical interconnect to ensure redundant access from each server bay in the enclosure to each Ethernet data center network, the server administrator must only ensure that a server profile includes two connections to a network or to a network set that includes that network. elationship to other resources A logical interconnect resource is associated with the following resources in the resource summary diagram (page 36): Zero or more interconnects. For a logical interconnect to be usable, it must include at least one interconnect. If there are zero interconnects, the enclosure and its contents do not have any uplinks to the data center networks. Exactly one logical interconnect group, which defines the initial configuration of the logical interconnect, including its uplink sets. Using logical interconnect groups, you can easily and quickly replicate the same logical interconnect configuration across multiple enclosures. After a logical interconnect is created and associated with a logical interconnect group, it continues to be associated with that group and reports if its configuration differs from the configuration of the group. This feature enables you to manage any number of logical interconnects as though they were one by making all the configuration changes to the logical interconnect group, and then, for each logical interconnect, using a single action to update the configuration from the group. Zero or more uplink sets, which associate zero or more uplink ports and zero or more networks. UI screens and EST API resources UI screen Logical Interconnects EST API resource logical-interconnects and logical-downlinks Notes You use the logical-downlinks EST API to obtain information about the common set of networks and capabilities available to a downlink. 44 Understanding the resource model

45 For more information about logical interconnects, see the online help for the Logical Interconnects screen Uplink sets An uplink set assigns data center networks to uplink ports of interconnects. The uplinks must be from physical interconnects that are members of the logical interconnect to which the uplink set belongs. An uplink set is part of a logical interconnect. For each logical interconnect: An uplink set cannot include a network set. A network can be a member of one uplink set. An uplink set can contain one Fibre Channel network. An uplink set can contain multiple Ethernet networks. You cannot assign two instances of the same network to the same physical port. elationship to other resources An uplink set is part of a logical interconnect or a logical interconnect group. The uplink sets defined by a logical interconnect group specify the configuration for uplink sets used by logical interconnects that are members of the group. If the uplink sets of a logical interconnect do not match the uplink sets of the logical interconnect group, the appliance notifies you that the logical interconnect is not consistent with its group. UI screens and EST API resources UI screen Logical Interconnects or Logical Interconnect Groups EST API resource uplink-sets For more information about uplink sets, see the online help for the Logical Interconnects and Logical Interconnect Groups screens Networks A network represents a Fibre Channel, Ethernet network in the data center. elationship to other resources A network resource is associated with the following resources in the resource summary diagram (page 36): Zero or more connections Zero or one uplink set per logical interconnect For Ethernet networks, zero or more network sets UI screens and EST API resources UI screen Networks EST API resource fc-networks or ethernet-networks For more information about networks, see the online help for the Networks screen Uplink sets 45

46 2.16 Network sets A network set represents a group of Ethernet networks identified by a single name. Network sets are used to simplify server profile configuration. When a connection in a server profile specifies a network set, it can access any of the member networks. Additionally, if networks are added to or deleted from a network set, server profiles that specify the network set are isolated from the change. One common use for network sets is as a trunk for multiple VLANs to a vswitch. In the resource model: A network set can contain zero or more Ethernet networks. An Ethernet network can be a member of zero or more network sets. A connection in a server profile can specify either a network or a network set. A network set cannot be a member of an uplink set. Other configuration rules apply. For more information about network sets, including specifying the network to handle untagged traffic, see About network sets (page 158). elationship to other resources A network set resource is associated with the following resources in the resource summary diagram (page 36): Zero or more connections, and, through those connections, zero or more server profiles Zero or more Ethernet networks UI screens and EST API resources UI screen Network Sets EST API resource network-sets For more information about network sets, see the online help for the Network Sets screen Switches Switches provide a unified, converged fabric over 10 Gb Ethernet for LAN and SAN traffic. This unification enables network consolidation and greater use of infrastructure and cabling, reducing the number of adapters and cables required and eliminating redundant switches. A configuration of enclosures, server blades, and third-party devices such as the Cisco Fabric Extender for HP BladeSystem modules and Cisco Nexus top of rack switches provides scalability to manage server blades and a higher demand for bandwidth from each server with access-layer redundancy. The appliance provides minimal monitoring (power and state only) of switches and their associated interconnects. See the HP OneView Support Matrix for the complete list of supported devices. elationship to other resources A Cisco Nexus top of rack switch is associated with interconnects, specifically the Cisco Fabric Extender for HP BladeSystem modules within an enclosure, as shown in the resource summary diagram (page 36). UI screens and EST API resources UI screen Switches EST API resource switches 46 Understanding the resource model

47 For more information about switches, see the online help for the Switches screen Storage Systems You can connect supported storage systems to the appliance to manage storage pools and volumes. In the resource model: A storage system can have zero or more storage pools. A storage system can have zero or more volumes in each storage pool. For more information about storage systems, see About storage systems (page 208). elationship to other resources A storage system resource is associated with the following resources in the resource model summary diagram (page 36): Zero or more storage pools, and through those storage pools, zero or more volumes. Zero or more server profiles, through zero or more volumes. UI screens and EST API resources UI screen Storage Systems EST API resource storage-systems For more information about storage systems, see the online help for the Storage Systems screen Storage Pools A storage pool exists on a storage system and contains volumes. Storage pools are created on a storage system using the management software for that system. After you add a storage pool to the appliance, you can add existing volumes or create new volumes. In the resource model: A storage pool exists on only one storage system. A storage pool can contain zero or more volumes. A storage pool can be associated with zero or more volume templates. For more information about storage pools, see About storage pools (page 208). elationship to other resources A storage pool resource is associated with the following resources in the resource model summary diagram (page 36): One storage system, and through it, zero or more volumes, which can be connected to zero or more server profiles UI screens and EST API resources UI screen Storage Pools EST API resource storage-pools For more information about storage pools, see the online help for the Storage Pools screen Storage Systems 47

48 2.20 Volumes A volume is space allocated from a storage pool. You can attach volumes to a server profiles through a volume attachment. In the resource model: A volume exists in only one storage pool, which exists on only one storage system. A volume can be attached to zero, one, or many server profiles. For more information about volumes, see About volumes (page 209). elationship to other resources A volume resource is associated with the following resources in the resource model summary diagram (page 36): One storage pool, and through it, one storage system Zero, one, or many server profiles through volume attachments UI screens and EST API resources UI screen Volumes EST API resource storage-volumes For more information about volumes, see the online help for the Volumes screen Volume Templates A volume template defines the settings for the volumes created from it. Use a volume templates to create multiple volumes with the same configuration. In the resource model: A volume template can be associated with one storage pool. For more information about volume templates, see About volume templates (page 209). elationship to other resources A volume template resource is associated with the following resources in the resource model summary diagram (page 36): One storage pool, which can have zero, one, or many volume templates associated with it UI screens and EST API resources UI screen Volume Templates EST API resource storage-volume-templates For more information about volume templates, see the online help for the Volume Templates screen SAN Managers SAN Managers enables you to bring systems that manage SANs under management of the appliance. When you add a SAN manager to the appliance, the SANs that it manages become available to associate with Fibre Channel networks that you can attach to server profiles. 48 Understanding the resource model

49 In the resource model: SAN managers are not associated with appliance resources directly. The SANs they manage (known as managed SANs) can be associated with Fibre Channel networks, which can then be connected to server profiles. For more information about SAN managers, see About SAN managers (page 210). elationship to other resources The SAN managers resource is associated with the following resources in the resource model summary diagram (page 36): A managed SAN on a SAN manager can be associated with one Fibre Channel network, which can be associated with one server profile. UI screens and EST API resources UI screen SAN Managers EST API resource device-managers For more information about SAN managers, see the online help for the SAN Managers screen Domains The domain resource describes the management domain for the appliance. All resources managed by the appliance are part of a single management domain. elationship to other resources A domain resource is associated with the following resources in the resource summary diagram (page 36): Exactly one appliance Zero or more instances of the other resources in the summary diagram (page 36) UI screens and EST API resources UI screen None EST API resource domains Notes The UI does not display or refer to domains, but the domain resource provides information about limits such as the total number of networks that you can add to the appliance. You can use the domains EST API to obtain information about the domain Appliance The appliance resource defines configuration details specific to the appliance (as distinct from the resources the appliance manages). elationship to other resources An appliance resource is associated with the following resources in the resource summary diagram (page 36): Exactly one domain Zero or more instances of the other resources in the summary diagram (page 36) 2.23 Domains 49

50 UI screens and EST API resources UI screen Settings EST API resource Several EST API resources are related to the appliance and appliance settings. See the resources in the following categories in the HP OneView EST API eference in the online help: Settings Security For more information about various appliance configuration settings, see the online help for the Settings screen esources related to data center facilities Data centers In the appliance, a data center represents a physically contiguous area in which racks containing IT equipment such as servers, enclosures, and devices are located. You create a data center to describe a portion of a computer room that provides a useful grouping to summarize your environment and its power and thermal requirements. A data center resource is often a subset of your entire data center and can include equipment that is not managed by the appliance. By representing the physical layout of your data center equipment, including unmanaged devices, you can use detailed monitoring information provided by the appliance for space planning and determining power and cooling requirements. In the appliance, you can: View a 3D model of the data center layout that includes a color-coding scheme to help you identify areas that are too hot or too cold. View temperature history data. More easily locate specific devices for hands-on servicing. elationship to other resources A data center resource is associated with the following resources in the resource summary diagram (page 36): Zero or more racks UI screens and EST API resources UI screen Data Centers EST API resource datacenters acks For more information about data centers, see the online help for the Data Centers screen. A rack is a physical structure that contains IT equipment such as enclosures, servers, power delivery devices, and unmanaged devices in a data center. By describing the physical location, size, and thermal limit of equipment in the racks, you enable space and power planning and power analysis features for your data center. 50 Understanding the resource model

51 elationship to other resources A rack resource is associated with the following resources in the resource summary diagram (page 36): Zero or one data centers Zero or more enclosures Zero or more instances of server hardware (for HP ProLiant DL servers) Zero or more unmanaged devices Zero or more power delivery devices UI screens and EST API resources UI screen acks EST API resource racks For more information about racks, see the online help for the acks screen Power delivery devices A power delivery device is a physical resource that delivers power from the data center service entrance to the rack components. You create the power distribution device objects to describe the power source for one or more components in the rack. Power delivery devices can include power feeds, breaker panels, branch circuits, PDUs, outlet bars, outlets, and UPS devices. For a complete list of power delivery devices, see the screen details online help for the Power Delivery Devices screen. elationship to other resources A power delivery device resource is associated with the following resources in the resource summary diagram (page 36): Zero or more racks Zero or more unmanaged devices UI screens and EST API resources UI screen Power Delivery Devices EST API resource power-devices For more information about power delivery devices, see the online help for the Power Delivery Devices screen Unmanaged devices An unmanaged device is a physical resource that is located in a rack or consumes power but is not currently managed by the appliance. Some unmanaged devices are unsupported devices that cannot be managed by the appliance. All devices connected to an HP Intelligent Power Distribution Unit (ipdu) using an HP Intelligent Power Discovery (IPD) connection are added to the appliance as unmanaged devices. Other devices that do not support IPD such as KVM switches, routers, in-rack monitors and keyboards are not added to the list of unmanaged devices automatically. To include these devices in the appliance, you can add them manually and describe their names, rack positions, and power requirements esources related to data center facilities 51

52 elationship to other resources An unmanaged device resource is associated with the following resources in the resource summary diagram (page 36): Zero or more racks Zero or more power delivery devices UI screens and EST API resources UI screen Unmanaged Devices EST API resource unmanaged-devices Notes You can view, add, or edit the properties of unmanaged devices using either the UI or the EST APIs. To delete an unmanaged device, you must use the EST APIs. For more information about unmanaged devices, see the online help for the Unmanaged Devices screen. 52 Understanding the resource model

53 3 Understanding the security features of the appliance Most security policies and practices used in a traditional environment are applicable in a virtualized environment. However, in a virtualized environment, these policies might require modifications and additions. Only Transport Layer Security (TLS) protocols are now supported for GUI, EST API, and message bus access. Any reference in the documentation to "SSL" should be understood to mean "TLS" protocols. 3.1 Securing the appliance CATA (Comprehensive Applications Threat Analysis) is a powerful HP security quality assessment tool designed to substantially reduce the number of latent security defects. The design of the appliance employed CATA fundamentals and underwent CATA review. The following factors secured (hardened) the appliance and its operating system: Best practice operating system security guidelines were followed. The appliance operating system minimizes its vulnerability by running only the services required to provide functionality. The appliance operating system enforces mandatory access controls internally. The appliance maintains a firewall that allows traffic on specific ports and blocks all unused ports. See Ports required for HP OneView (page 61) for the list of network ports used. Key appliance services run only with the required privileges; they do not run as privileged users. The operating system bootloader is password protected. The appliance cannot be compromised by someone attempting to boot in single-user mode. The appliance is designed to operate entirely on an isolated management LAN. Access to the production LAN is not required. The appliance enforces a password change at first login. The default password cannot be used again. The appliance supports self-signed certificates and certificates issued by a certificate authority. The appliance is initially configured with a self-signed certificate. As the Infrastructure administrator, you can generate a CS (certificate signing request) and, upon receipt, upload the certificate to the appliance. This ensures the integrity and authenticity of your HTTPS connection to the appliance. All browser operations and EST API calls use HTTPS. All weak SSL (Secure Sockets Layer) ciphers are disabled. The appliance supports secure updating. HP digitally signs all updates to ensure integrity and authenticity. Backup files and transaction logs are encrypted. Support dumps are encrypted by default, but you (as Infrastructure administrator) have the option to not encrypt them. Support dumps are automatically encrypted when a user with another role creates them. 3.1 Securing the appliance 53

54 Operating-system-level users are not allowed to access the appliance, with the following exceptions: A special pwreset command used only if the Infrastructure administrator password is lost or forgotten. This command requires that you contact your authorized support representative to obtain a one-time password. For more information, see the online help. A setting that enables an authorized support representative to obtain a one-time password so that they can log in to the appliance console (and only the console) to perform advanced diagnostics. You can either enable or disable access with this setting. HP closely monitors security bulletins for threats to appliance software components and, if necessary, issues software updates. 54 Understanding the security features of the appliance

55 3.2 Best practices for maintaining a secure appliance The following table comprises a partial list of security best practices that HP recommends in both physical and virtual environments. Differing security policies and implementation practices make it difficult to provide a complete and definitive list. Topic Accounts Certificates Best Practice Limit the number of local accounts. Integrate the appliance with an enterprise directory solution such as Microsoft Active Directory or OpenLDAP. Use certificates signed by a trusted certificate authority (CA), if possible. HP OneView uses certificates to authenticate and establish trust relationships. One of the most common uses of certificates is when a connection from a web browser to a web server is established. The machine level authentication is carried out as part of the HTTPS protocol, using SSL. Certificates can also be used to authenticate devices when setting up a communication channel. The appliance supports self-signed certificates and certificates issued by a CA. The appliance is initially configured with self-signed certificates for the web server, database, and message broker software. The browser will display a warning when browsing to the appliance using self-signed certificates. HP advises customers to examine their security needs (that is, to perform a risk assessment) and consider the use of certificates signed by a trusted CA. For the highest level of security, HP recommends that you use certificates signed by a trusted certificate authority: Ideally, you should use your company's existing CA and import their trusted certificates. The trusted root CA certificate should be deployed to user s browsers that will contact systems and devices that will need to perform certificate validation. If your company does not have its own certificate authority, then consider using an external CA. There are numerous third-party companies that provide trusted certificates. You will need to work with the external CA to have certificates generated for specific devices and systems and then import these trusted certificates into the components that use them. As the Infrastructure administrator, you can generate a CS (certificate signing request) and, upon receipt, upload the certificate to the appliance web server. This ensures the integrity and authenticity of your HTTPS connection to the appliance. Certificates can also be uploaded for the database and message broker. For more information, see Using a certificate authority (page 60). Network HP recommends a strict separation of the management LAN and production LAN, using VLAN or firewall technology (or both) to maintain the separation: Management LAN Connect all management processor devices (including Onboard Administrators and virtual connections through an Onboard Administrator, ilos, and ipdus) to the management LAN. Grant management LAN access to authorized personnel only: Infrastructure administrators, Network administrators, and Server administrators. Production LAN Connect all NICs for managed devices to the production LAN. Do not connect management systems (for example, the appliance, the ilo card, and Onboard Administrator) directly to the Internet. If you require access to the Internet, use a corporate VPN (virtual private network) that provides firewall protection. 3.2 Best practices for maintaining a secure appliance 55

56 Topic Nonessential services Passwords Best Practice The appliance is preconfigured so that nonessential services are removed or disabled in its management environment. Ensure that you continue to minimize services when you configure host systems, management systems, network devices (including network ports not in use) to significantly reduce the number of ways your environment could be attacked. For local accounts on the appliance, change the passwords periodically according to your password policies. Ensure that passwords include at least three of these types of characters: Numeric character Lowercase alphabetic character Uppercase alphabetic character Special character oles Service Management Updates Virtual Environment Clearly define and use administrative roles and responsibilities; for example, the Infrastructure administrator performs most administrative tasks. Consider using the practices and procedures, such as those defined by the Information Technology Infrastructure Library (ITIL). For more information, see the following website: Ensure that a process is in place to determine if software and firmware updates are available, and to install updates for all components in your environment on a regular basis. Educate administrators about changes to their roles and responsibilities in a virtual environment. estrict access to the appliance console to authorized users. For more information, see estricting console access (page 63). If you use an Intrusion Detection System (IDS) solution in your environment, ensure that the solution has visibility into network traffic in the virtual switch. Turn off promiscuous mode in the hypervisor and encrypt traffic flowing over the VLAN to lessen the effect on any VLAN traffic sniffing. NOTE: In most cases, if promiscuous mode is disabled in the hypervisor, it cannot be used on a VM (Virtual Machine) guest. The VM guest can enable promiscuous mode, but it will not be functional. Maintain a zone of trust, for example, a DMZ (demilitarized zone) that is separate from production machines. Ensure proper access controls on Fibre Channel devices. Use LUN masking on both storage and compute hosts. Ensure that LUNs are defined in the host configuration, instead of being discovered. Use hard zoning (which restricts communication across a fabric) based on port WWNs (Worldwide Names), if possible. Ensure that communication with the WWNs is enforced at the switch-port level. 3.3 Creating a login session You create a login session when you log in to the appliance through the browser or some other client (for example, using the EST API). Additional requests to the appliance use the session ID, which must be protected because it represents the authenticated user. A session remains valid until you log out or the session times out (for example, if a session is idle for a longer period of time than the session idle timeout value). 56 Understanding the security features of the appliance

57 3.4 Authentication for appliance access Access to the appliance requires authentication using a user name and password. User accounts are configured on the appliance or in an enterprise directory. All access (browser and EST APIs), including authentication, occurs over SSL to protect the credentials during transmission over the network. 3.5 Controlling access for authorized users Access to the appliance is controlled by roles, which describe what an authenticated user is permitted to do on the appliance. Each user must be associated with at least one role Specifying user accounts and roles User login accounts on the appliance must be assigned a role, which determines what the user has permission to do. For information on each role, and the capabilities these roles provide, see About user roles (page 216). For information on how to add, delete, and edit user accounts, see the online help. 3.6 Protecting credentials Local user account passwords are stored using a salted hash; that is, they are combined with a random string, and then the combined value is stored as a hash. A hash is a one-way algorithm that maps a string to a unique value so that the original string cannot be retrieved from the hash. Passwords are masked in the browser. When transmitted between appliance and the browser over the network, passwords are protected by SSL. Local user account passwords must be a minimum of eight characters, with at least one uppercase character. The appliance does not enforce additional password complexity rules. Password strength and expiration are dictated by the site security policy (see Best practices for maintaining a secure appliance (page 55)). If you integrate an external authentication directory service (also known as an enterprise directory) with the appliance, the directory service enforces password strength and expiration. 3.7 Understanding the audit log The audit log contains a record of actions performed on the appliance, which you can use for individual accountability. You must have Infrastructure administrator privileges to download the audit log. Monitor the audit logs because they are rolled over periodically to prevent them from getting too large. Download the audit logs periodically to maintain a long-term audit history. Each user has a unique logging ID per session, enabling you to follow a user s trail in the audit log. Some actions are performed by the appliance and might not have a logging ID. A breakdown of an audit entry follows: Token Date/time Internal component ID eserved User domain User name/id Description The date and time of the event The unique identifier of an internal component The organization ID. eserved for internal use The login domain name of the user The user name 3.4 Authentication for appliance access 57

58 Token Session ID Task ID Client host/ip esult Action Description The user session ID associated with the message The UI of the task resource associated with the message The client (browser) IP address identifies the client machine that initiated the request The result of the action, which can be one of the following values: SUCCESS FAILUE SOME_FAILUES CANCELED KILLED A description of the action, which can be one of the following values: ADD LIST UNSETUP CANCELED MODIFY ENABLE DEPLOY DELETE DISABLE STAT ACCESS SAVE DONE UN SETUP KILLED LOGIN LOGOUT DOWNLOAD_STAT Severity esource category esource UI/name Message A description of the severity of the event, which can be one of the following values, listed in descending order of importance: INFO NOTICE WANING EO ALET CITICAL For EST API category information, see the HP OneView EST API eference in the online help. The resource UI/name associated with the task The output message that appears in the audit log Example 1 Sample audit entries: user login and logout :55: CST,Authentication,,,administrator,jrWI9ych,,, SUCCESS,LOGIN,INFO,CEDENTIAL,,Authentication SUCCESS :58: CST,Authentication,,,MISSING_UID,jrWI9ych,,, SUCCESS,LOGOUT,INFO,CEDENTIAL,,TEMINATING SESSION 3.8 Choosing a policy for the audit log Choose a policy for downloading and examining the audit log. The audit log contains a record of actions performed on the appliance, which you can use for individual accountability. As the audit log gets larger, older information is deleted. To maintain a long-term audit history, you must periodically download and save the audit log. For more information about the audit log, see Understanding the audit log (page 57). 58 Understanding the security features of the appliance

59 3.9 Managing certificates from a browser A certificate authenticates the appliance over SSL. The certificate contains a public key, and the appliance maintains the corresponding private key, which is uniquely tied to the public key. NOTE: This section discusses certificate management from the perspective of the browser. For information on how a non-browser client (such as cul) uses the certificate, see the documentation for that client. The certificate also contains the name of the appliance, which the SSL client uses to identify the appliance. The certificate has the following boxes: Common Name (CN) This name is required. By default it contains the fully qualified host name of the appliance. Alternative Name The name is optional, but HP recommends supplying it because it supports multiple names (including IP addresses) to minimize name-mismatch warnings from the browser. By default, this name is populated with the fully qualified host name (if DNS is in use), a short host name, and the appliance IP address. NOTE: Name. If you enter Alternative Names, one of them must be your entry for the Common These names can be changed when you manually create a self-signed certificate or a certificate signing request Self-signed certificate The default certificate generated by the appliance is self-signed; it is not issued by a trusted certificate authority. By default, browsers do not trust self-signed certificates because they lack prior knowledge of them. The browser displays a warning dialog box; you can use it to examine the content of the self-signed certificate before accepting it Verifying a certificate You can verify the authenticity of the certificate by viewing it with your browser. After logging in to the appliance, choose Settings Security to view the certificate. Make note of these attributes for comparison: Fingerprints (especially) Names Serial number Validity dates Compare this information to the certificate displayed by the browser, that is, when browsing from outside the appliance Downloading and importing a self-signed certificate The advantage of downloading and importing a self-signed certificate is to circumvent the browser warning. In a secure environment, it is never appropriate to download and import a self-signed certificate, unless you have validated the certificate and know and trust the specific appliance. 3.9 Managing certificates from a browser 59

60 In a lower security environment, it might be acceptable to download and import the appliance certificate if you know and trust the certificate originator. However, HP does not recommend this practice. Microsoft Internet Explorer and Google Chrome share a common certificate store. A certificate downloaded with Internet Explorer can be imported with Google Chrome as well as Internet Explorer. Likewise, a certificate downloaded with Google Chrome can also be imported by both browsers. Mozilla Firefox has its own certificate store, and must be downloaded and imported with that browser only. The procedures for downloading and importing a self-signed certificate differ with each browser. Downloading a self-signed certificate with Microsoft Internet Explorer 9 1. Click in the Certificate error area. 2. Click View certificate. 3. Click the Details tab. 4. Verify the certificate. 5. Select Copy to File Use the Certificate Export Wizard to save the certificate as Base-64 encoded X.509 file. Importing a self-signed certificate with Microsoft Internet Explorer 9 1. Select Tools Internet Options. 2. Click the Content tab. 3. Click Certificates. 4. Click Import. 5. Use the Certificate Import Wizard. a. When it prompts you for the certificate store, select Place. b. Select the Trusted oot Certification Authorities store Using a certificate authority Use a trusted CA (certificate authority) to simplify certificate trust management; the CA issues certificates that you import. If the browser is configured to trust the CA, certificates signed by the CA are also trusted. A CA can be internal (operated and maintained by your organization) or external (operated and maintained by a third party). You can import a certificate signed by a CA, and using it instead of the self-signed certificate. The overall steps are as follows: 1. You generate a CS (certificate signing request). 2. You copy the CS and submit it to the CA, as instructed by the CA. 3. The CA authenticates the requestor. 4. The CA sends the certificate to you, as stipulated by the CA. 5. You import the certificate. For information on generating the CS and importing the certificate, see the UI help Browser best practices for a secure environment Best practice Use supported browsers Description See the HP OneView Support Matrix to ensure that your browser and browser version are supported and the appropriate browser plug-ins and settings are configured. Log out of the appliance before you close the browser In the browser, a cookie stores the session ID of the authenticated user. Although the cookie is deleted when you close the browser, the session is valid on the appliance until you log out. Logging out ensures that the session on the appliance is invalidated. 60 Understanding the security features of the appliance

61 Best practice Avoid linking to or from sites outside of the appliance UI Use a different browser to access sites outside the appliance Description When you are logged in to the appliance, avoid clicking links to or from sites outside the appliance UI, such as links sent to you in or instant messages. Content outside the appliance UI might contain malicious code. When you are logged in to the appliance, avoid browsing to other sites using the same browser instance (for example, via a separate tab in the same browser). For example, to ensure a separate browsing environment, use Firefox for the appliance UI, and use Chrome for non-appliance browsing Nonbrowser clients The appliance supports an extensive number of EST APIs. Any client, not just a browser, can issue requests for EST APIs. The caller must ensure that they take appropriate security measures regarding the confidentiality of credentials, including: The session token, which is used for data requests. esponses beyond the encryption of the credentials on the wire using HTTPS Passwords Passwords are likely displayed and stored in clear text by a client like cul. You can download cul at the following web address: Take care to prevent unauthorized users from: Viewing displayed passwords Viewing session identifiers Having access to saved data SSL connection The client should specify HTTPS as the protocol to ensure SSL is used on the network to protect sensitive data. If the client specifies HTTP, it will be redirected to HTTPS to ensure that SSL is used. The appliance certificate, which the client requires, allows the SSL connection to succeed. A convenient way to obtain a certificate is to use a browser pointed at the appliance; for more information on obtaining a certificate with a browser, see Managing certificates from a browser (page 59) 3.12 Ports required for HP OneView HP OneView requires specific ports to be available to the appliance to manage servers, enclosures, and interconnects. Table 1 Ports required for HP OneView Port number Protocol Use Description 22 TCP Inbound and Outbound Used for SSH and SFTP. SSH is required to communicate with VC Ethernet and FlexFabric interconnect modules. SFTP is required for actions such as firmware upgrades and support dumps. 80 TCP Inbound Used for the HTTP interface. Typically, this port redirects to port 443; this port provides the access required by the ilo. 123 UDP Inbound HP OneView acts as an NTP server, both ilo and Onboard Administrator require access Nonbrowser clients 61

62 Table 1 Ports required for HP OneView (continued) Port number Protocol Use Description 123 UDP Outbound Used as an NTP client to synchronize the appliance time. 161 UDP Outbound Supports SNMP GET calls to obtain status data from a server through ilo. Also used for ipdu. 162 UDP Inbound Used for SNMP trap support from the ilo, Onboard Administrator, and ipdu devices. This port is also used to monitor the VC interconnects and trap forwarding. 443 TCP Inbound Used for the HTTPS interface to user interface and APIs. 443 TCP Outbound Used for secure SSL access to the ilo and Onboard Administrator. Used for IBCL, SOAP, and ipdu communication UDP Inbound Used as an alternative SNMP trap port TCP Inbound Allows external scripts or applications to connect to and monitor messages from the SCMB (State-Change Message Bus) TCP Browser to ilo Provides browser access to the remote console TCP Browser to ilo Provides remote console access to ilo virtual media Controlling access to the appliance console Use the hypervisor management software to restrict access to the appliance, which prevents unauthorized users from accessing the password reset and service access features. See estricting console access (page 63). Typical legitimate uses for access to the console are: Troubleshooting network configuration issues esetting an appliance administrator password Enabling service access by an on-site authorized support representative The virtual appliance console is displayed in a graphical console; password reset and HP Services access use a non-graphical console. Switching from one console to another (VMware vsphere and Microsoft Hyper-V) 1. Open the virtual appliance console. 2. Press and hold Ctrl+Alt. 3. Press and release the space bar (VMware vsphere only). 4. Press and release F1 to select the non-graphical console or F2 to select the graphical console Enabling or disabling authorized services access When you first start the appliance, you can choose to enable or disable access by on-site authorized support representatives. This feature is enabled by default. Service Access allows an authorized support representative to log on to the appliance with privileged access to perform advanced diagnostic tasks. NOTE: An HP-supplied one-time password is required for Service Access. As an added security measure, Services Access can only be performed from the appliance console. 62 Understanding the security features of the appliance

63 Any time after the initial configuration of the appliance, an Infrastructure administrator can enable or disable services access through the UI by selecting Actions Edit services access on the Settings window. You can also use an appliance/settings EST API to enable or disable services access. NOTE: HP recommends that you enable access. Otherwise, an authorized support representative will not be able to access the appliance to troubleshoot issues that you cannot resolve yourself estricting console access You can restrict console access to the virtual appliance through secure management practices of the hypervisor itself. For VMware vsphere, this information is available from the VMware website: In particular, search for topics related to vsphere's Console Interaction privilege and best practices for managing VMware's roles and permissions. For Microsoft Hyper-V, restrict access to the console through role-based access. For information, see the Microsoft website: Files you can download from the appliance You can download the following data files from the appliance: Support dump By default, all data in the support dump is encrypted and accessible by an authorized support representative only. Backup file All data in the backup file is in a proprietary format. HP recommends that you encrypt the file according to your organization's security policy. Audit logs Session IDs are not logged, only the corresponding logging IDs are logged. Passwords and other sensitive data are not logged Files you can download from the appliance 63

64 64

65 4 Navigating the graphical user interface 4.1 Browsers For general information about browser use, see the following topics: Supported browsers (page 65) Browser best practices for a secure environment (page 60) Commonly used browser features and settings (page 65) Supported browsers For information about the web browsers that are supported for use with HP OneView, see the HP OneView Support Matrix Commonly used browser features and settings Feature Screen resolution Language Close window Copy and paste Search in a screen Local history Back and forward buttons Bookmarks Open screens in a new tab or window Browser refresh Zoom in/zoom out Description For optimum performance, the minimum screen size is pixels for desktop monitors and for laptop displays. The minimum supported screen size is pixels. US English, Japanese, and Simplified Chinese are the supported languages. You can close browser windows at any time. Closing the window while you are logged in terminates your session. You can select and copy most text, with the exception of text in images. You can paste text into text entry boxes. Press Ctrl+F to search for text in the current screen. ight-click the browser back button to view the history of the active tab. Use this feature to determine how you arrived at the current screen. You can use the browser back and forward buttons to navigate the UI. NOTE: Pop-up dialog boxes are not considered screens. If you click the back button while a pop-up dialog box is displayed, you return to the previous screen. If you click the forward button to go to a pop-up dialog box, you go instead to the screen with the link to the pop-up dialog box. The exceptions are screens that you access directly from the Actions menu. If you use the browser navigation buttons with these screens, you lose any unsaved changes you made on the screens. You can create bookmarks for commonly-used screens. You can these links to other users, who must log in and have the appropriate authorization for the screen. ight-click a link to a resource or screen to open the link in a new tab or window. NOTE: If you right-click a link while in an edit screen, the actions you take on another screen do not automatically refresh the form in the first screen. For example, if the Add Network dialog box is open, but you do not have any networks to add, you can create networks in a new tab or window. However, the first Add Network dialog box does not recognize the new networks automatically. If you click the browser refresh button to refresh a screen on which you have added but not saved information, you lose the information. Use the zoom in or zoom out feature to increase or decrease the text size. 4.1 Browsers 65

66 4.1.3 Set the browser for US or metric units of measurement To configure how units of measurement are displayed either in United States (US) or metric units change the region portion of the language setting in your browser. Metric units are used for all regions except the United States region. Specify the United States as your region code if you want United States customary units. Specify any other region code if you want metric units. Table 2 Set US or metric units of measurement Browser Google Chrome Microsoft Internet Explorer Mozilla Firefox Procedure 1. Click the Google menu icon. 2. Select Settings Show advanced settings Scroll down to Languages and click Language and input settings Click Add and then select the language you want to use. 5. estart the browser to apply your changes. The browser locale and regions locale are derived from your Windows settings. 1. Select Tools+Internet Options+General (tab)+languages Language Preference. 2. Specify your own language tags. Click Add button in the Language Preferences dialog box, and then enter your language tag in the User-defined box. 3. Click OK. 4. estart the browser to apply your changes. The browser locale and regions locale are derived from the version of Firefox you are running. 1. Select Tools Options Content Languages Choose. 2. Select your preferred language and then click OK. 3. estart the browser to apply your changes. 4.2 About the graphical user interface To learn the names of common areas, icons, and controls on a UI screen, see the numbered descriptions that appear after the image. 66 Navigating the graphical user interface

67 Figure 2 Screen topography HP OneView Search? Networks 20 All statuses v All types v Create network Name VLANID Type... C1net 2015 Ethernet corp net 2013 Ethernet dev Ethernet dev Ethernet dev Ethernet Create General Type VLAN ID Purpose C1 net Overview Ethernet 2015 General v Administrator Actions v Today 12:27 pm v Activity Create c1 net Delete corp2 net Create corp2 net dev Ethernet esxi mgmt Ethernet esxi vmotion Ethernet prod Ethernet prod Ethernet prod Ethernet Preferred bandwidth Maximum bandwidth Smart link Private network Uplink Set 2.5Gb/s 10Gb/s Yes No none prod Ethernet SAN A FC Used by Member of none none HP OneView main menu: The primary menu for navigating to resources. Click the icon to expand the menu. 6 Session control: Tracks who is currently logged in to the appliance and the duration of each login session. Also enables you to 2 View selector: Enables you to control the information displayed about a resource so and edit some user account information, depending on your user credentials. that you can focus only on what you are interested in. 7 Help control: Expands (or hides) a sidebar which provides access to UI and EST API 3 Map view icon: Provides a graphical representation of the relationships between help, the EULA and Written Offer, and the HP OneView online user forum. the current resource and other resources. To see these relationships, select the Map 8 Activity sidebar: Shows recent alerts and task activity for the current resource. Use view selector or the icon. the Activity control icon to open (or close) 4 Actions menu: Provides the actions that are this sidebar. available to run on the current resource. 9 Details pane: Provides all information known Actions include, but are not limited to: about a selected resource instance. To see adding, creating, deleting, removing, and editing a resource instance. If you do not details about a particular resource instance, click its name in the master pane. have the appropriate permissions to perform an action, the action does not appear on the Actions menu. 10 Master pane: Lists all resource instances that have been configured on the appliance. In some cases, a status icon indicates general 5 Activity control: Expands (or hides) a sidebar of recent appliance, resource, or user activity (from the current login session). health of the resource. In addition to the screen components shown in Figure 2 (page 67), every UI screen has a notifications area that notifies you when an event or activity requires your attention. Some screens also have a filters sidebar that enables you to control the amount and type of information displayed in the details pane. 4.2 About the graphical user interface 67

68 4.3 Activity sidebar About the Activity sidebar The Activity sidebar shows tasks initiated during the current session. The most recent task is displayed first. Task notifications provide information (including in-progress, error, and completion messages) about tasks that were launched. The Activity sidebar differs from the Activity screen because it displays only recent activity. The Activity screen, in contrast, displays all activities and allows you to list, sort, and filter them. For more information, see About Activity (page 243). Click an activity to show more details Activity sidebar details The Activity sidebar shows task activities generated during your current login session. Component Description Shows recent task activity generated during your login session. When the Activity sidebar is closed, the number of alert or task notifications that have not yet been viewed appears next to the Activity icon. Activity Describes the alert or task and the affected resource. A health status icon indicates the current status of the resource associated with the activity Expand or collapse the Activity sidebar Prerequisites Minimum required privileges: Network administrator, Server administrator, Infrastructure administrator, Backup administrator, ead only Expanding or collapsing the Activity filter sidebar 1. Use the right pin icon ( ) to expand the Activity filter sidebar. Use the left pin icon ( 2. Select an activity to reveal more details. Next step: Filter activities. 4.4 Banner and main menu ) to collapse the Activity filter sidebar. The main menu is the primary method for navigating to resources and the actions that can be performed on them. To expand the main menu, click inside the main menu area of the banner. Figure 3 Banner The main menu provides access to resources; each resource screen contains an Actions menu. 68 Navigating the graphical user interface

69 If you are not authorized to view a resource, that resource does not appear in the main menu. If you do not have the appropriate permissions to perform an action, the action does not appear on the Actions menu. Figure 4 Expanded main menu 4.5 Button functions These UI buttons perform consistently whether they appear on screens or dialog boxes. Button Add and Add + Create and Create + Cancel OK Close Description Adds items under appliance management. Add saves the definition for a single object or resource and closes the screen or dialog box. Add + enables you to define and save multiple objects or resources sequentially without closing the screen or dialog box between entries. Creates logical constructs used by the appliance. Create creates a single item and closes the screen or dialog box Create + enables you to create another item in the same session. Closes a screen or dialog box, and discards any unsaved changes or entries that you made. Confirms and saves your edits and closes the screen or dialog box. Closes the screen or dialog box and returns you to the previous screen. 4.6 Filters sidebar Some resource screens have a Filters sidebar that enables you to control the amount and type of information displayed in the details pane. 4.5 Button functions 69

70 Figure 5 Filters sidebar 1 Pin control: Expands or hides the Filters sidebar. 2 Sorting and filtering criteria enables you to refine the information displayed for a resource in the details pane. 4.7 Help sidebar Click in the banner to open the help sidebar. The help sidebar provides hyperlinks to the help system, license agreement, open source code used in the product, and the online user forum. Figure 6 Help sidebar? Help Documentation Help on this page Browse help Browse EST API help First time setup License 5 6 End-User License agreement Written Offer Community 7 HP OneView Forum 1 Opens context-sensitive help for the current screen in a new browser window or tab. 2 Opens the top of the help contents in a new browser window, which enables you to navigate to the entire table of contents for the UI help. 70 Navigating the graphical user interface

71 3 Opens the top of the EST API help contents in a new browser window, which enables you to navigate to the entire table of contents for the EST API help. 4 Opens the first-time setup help in a new browser window, which guides you through initial configuration tasks to make your data center resources known to the appliance and bring them under management. 5 Displays the End-User License agreement (EULA). 6 Displays the Written offer, which describes the open source products used by HP OneView. 7 Opens a new browser window to the online user forum where you can share your experiences using HP OneView and pose or answer questions. 4.8 Icon descriptions HP OneView uses icons to represent the current status of resources and alerts and to control the display. Status and severity icons (page 71) User control icons (page 71) Informational icons (page 72) Status and severity icons Large icon Small icon esource Activity Task Critical Critical Failed/Interrupted Warning Warning Warning OK Informational Success Disabled Canceled Unknown An In progress rotating icon indicates that a change is being applied or a task is running. This icon can appear in combination with any of the resource states. For example: User control icons Icon Name Expand menu View details Expand Action Expands a menu to show all options Identifies a title that has additional information. Clicking the title changes the view to display details. Expands a collapsed list item Collapse Collapses an expanded list item 4.8 Icon descriptions 71

72 Icon Name Edit Action Enables editing Delete or remove Search Pin Sort Deletes the current entry Searches for the text you enter in the Search box. This is especially useful for finding types of resources or specific resources by name. The left pin expands or collapses the Filters sidebar The right pin expands or collapses the Activity sidebar or Help sidebar Determines whether items are displayed in ascending or descending order Informational icons Icon Name Map Description Provides a graphical representation of the relationships between the current resource and other resources Activity control Provides a recent history of user and appliance initiated tasks and alerts Session control Help control Displays your login name and the duration of your current session. Also provides a link you can use to log out of the appliance. To change your full name, password, and contact information, click the Edit icon next to your login name. When this icon is at the top of a dialog box, you can click it to open context-sensitive help for that topic in another window or tab. In the banner, this icon expands or collapses the Help sidebar, where you can browse the help documentation or find help on the screen currently displayed. The help sidebar provides the following: A Help on this page hyperlink to access context-sensitive help for the current screen A Browse help hyperlink to access the entire help system Links that you can use to display the EULA and the Written Offer. A link to the HP OneView Forum, an online forum for customers and partners to share their experiences and pose questions related to using HP OneView. Community members as well as HP representatives are welcome to assist with answering questions. 4.9 Labels screen details The Labels view enables you to view the labels for a resource. Labels can be used to organize resources into groups. For example, you might want to identify the servers that are used primarily by the Finance team, or identify the storage systems assigned to the Asia/Pacific division. You can filter and search for labels across all resource types or within a specific resource Map view screen details The Map view enables you to examine the configuration and understand the relationships between logical and physical resources in your data center. This view gives you immediate visibility into 72 Navigating the graphical user interface

73 your resources from the individual Ethernet and Fibre Channel networks all the way up to the enclosure, rack, and top-level physical data center. The Map view was designed to be highly interactive and useful even at scale. To open the relationship view for a resource, do one of the following: Select Map from the view selector. Select the icon. Providing context for a resource can be helpful when troubleshooting problems with the resource. By looking at the Map view, you can determine if anything related to the resource is also having a problem. A status icon indicates the general health of the resource and provides a quick path to track errors. Figure 7 Sample Map view 1Z34AB7890 Map Actions v Apr 30 10:17AM Add enclosure: Z34AB7890 BladeSystem c7000 Enclosure G2 HPTC-ACK HPTC Enclosure Groups... 1Z34AB7890 1Z34AB7890 Bay 8 Bay 8 1Z34AB7890, interconnect 1 HP VC FlexFabric 10Gb/24-Port Module acks Enclosures... 1Z34AB7890, interconnect 2 HP VC FlexFabric 10Gb/24-Port Module device-bays... 1Z34AB7890, bay 2 Proliant BL 685c G7 1Z34AB7890, bay 1 Proliant BL 620c G7 Server Hardware... Interconnects... 1Z34AB7890-LS Logical Interconnects The selected resource is located at the center of the Map view. Everything above the resource is an ancestor; everything below the resource is a descendant. A connecting line between boxes indicates a direct relationship, such as server blades in an enclosure. Use your pointer to hover over any resource to see its direct relationships to other resources. Other items can be indirectly related to the resource, such as logical interconnect groups and server profiles. Click any resource that appears in a relationship view to open its specific Map view Notifications area The notifications area on a resource UI screen appears when an activity (an alert or task) has affected the resource, which might require your attention. By default, one line of information appears in the notifications area. Click anywhere in the yellow box to expand the notifications area and view more information associated with the activity. Click again to collapse the notifications area Notifications area 73

74 Figure 8 Notifications area! A, Slot 1 Overview Actions v 1 The system A, Slot 1 is not configured for redundant power because it has 1 c... All General> 2 Model! Manag Location Power Maximum Serial A, Slot 1 Overview The system A, Slot 1 is notconfigured for redundant power because it has 1 connected power input(s). The system must have at least 2 connected power inputs(s) to have redundant power. All Actions The system A, Slot 1 is... v esolution: Configure the system with 1 more redundant power delivery device(s) or verify that the configuration matches the target system Powered by Maximum power Serial number parentls1 280 Watts a963fdec-ebfb-4ba4 1 A collapsed notifications area (the default). Select All to view all activity associated with the resource. 2 An expanded notifications area, which provides resolutions for critical or warning alerts that require your attention, with links to Details, when they are available Log out of the appliance 1. Click the Session control icon in the banner. 2. Select Logout. administrator Logged in 6 minutes ago Logout 4.13 Perform an action on multiple resources For some actions, you can select multiple resources in the rather than performing the action on one resource at a time. For example, you can power on many server blades with one operation. Each action on a resource instance is logged individually in the Activity screen. If the action cannot be performed on a specific resource instance, the resource is excluded from the action. For example, if you try to power on a server that is already powered on, the action is not performed on that server. Opening the Activity sidebar (page 68) for an action displays the results, which in this example, shows that one server was powered on and two were excluded: 74 Navigating the graphical user interface

75 If any resource is excluded from the action, a critical or warning icon is displayed. A resource is excluded if the action is not possible or if the action fails, such as attempting to delete a server profile for a powered-on server. If multiple resources are excluded, select a single resource and try the action again to determine why a resource was excluded. Use the following key combinations to select multiple resources in the master pane: To select a contiguous range of objects, select the resource at the beginning of the range and press Shift and hold as you select the end of the range. To select individual objects, press Ctrl and hold as you point to and select each object. Use the Ctrl key to unselect any previously-selected objects. You can make multiple selections for the following resources and actions: esource Enclosures Server Hardware Server Profiles Multi-select actions Update from group eapply configuration Power on/off Power on/off Delete 4.14 Search help topics 1. On any screen, click the icon in the banner to open the help sidebar. 2. In the Help sidebar, select Help on this page. Context-specific help appears in a separate browser window. 3. In the new browser window where the help is displayed, click Search at the top of the left navigation pane, next to the Contents and Index links. Figure 9 UI help search box 4. Enter a search term in the Search box. Note the following: Search terms are case insensitive. Cutting and pasting text into the search box is supported Search help topics 75

76 Wildcard characters, such as the asterisk (*), are not supported. These search operators are not supported: Plus sign (+) Minus sign or hyphen ( ) Double quotes (" ") Special characters (non-alphanumeric) 5. Press Enter or click List Topics to start the search process. Search results are presented as links to the sections in which the search term appears. 6. Scan the search results for the section title or titles that best match what you are looking for, and click the link to view the content. Each instance of your search term is highlighted in yellow for easy identification About help system search results Note the following about how the help system search feature operates: Searches are based on stem words. For example, if you type the word restore, the search returns restoring as well as restore. Searches sometime return the stem word rather than the search term. For example, searching for Orchestration stems to orchestr and thus returns no results. This is expected behavior. Unrelated partial terms are not found. For example, a search for cat: Finds cat and cats. Does not find category because it does not provide enough of the stem word for the search operation to return complete results. Sometimes searches return results based on the metadata matching the stem word rather than a match in the actual help content. In this case, you will not see highlighted terms on the page Search resources The banner of every screen includes the Smart Search feature, which enables you to find resource-specific information such as specific instances of resource names, serial numbers, WWNs (World Wide Names), and IP and MAC addresses. In general, anything that appears in a resource master pane is searchable. Smart Search makes locating resources easy, enabling you to inventory or take action on a desired set of devices. Perhaps you are looking for all resources in a given enclosure or need to find one server using a certain MAC address. Smart Search instantly gives you the information you are seeking. 76 Navigating the graphical user interface

77 The default search behavior is to focus on the resource you are currently viewing. However, to broaden the scope of your search across all resources, you must select the option to search Everything, which searches all resources. Search the current resource 1. Click in the Smart Search box. Search all resources 1. Click in the Smart Search box. Search Search 2. Enter your search text and press Enter. The search results are focused in your current location in the UI. 2. Select Everything.... Scope Server Profiles Everything 3. Enter your search text and press Enter. Some resources might not include the option to choose between the current resource or everything, in which case the default search is for everything. When you start typing, search suggestions are provided based on pattern matching and previously-entered search criteria. You can either select a suggestion (the screen displays data containing that selection) or click Enter. If your search term is a resource, then the list of resources in a master pane is filtered to match your search input. TIP: Enter complete words or names as your search criteria. Partial words or names might not return the expected results. If you enter a multi-word search term, results show matches for all words you enter. Enclose a search term in double quotes ( ) if the search term contains spaces. When you find what you are looking for in the search results, which are organized by type, select the item to navigate to it. NOTE: The Smart Search feature does not search the help system. To learn how to search the UI and EST API help, see Search help topics (page 75). The most recent filter selection is displayed in the Smart Search box. Table 3 Advanced searching and filtering with properties Example of advanced filtering syntax Search results By model name: model:"bladesystem c7000 Enclosure G2" model:"proliant BL460c Gen8" model:"hp VC 8Gb 20-Port FC Module" All hardware that matches the model number and name. By name or address: 4.15 Search resources 77

78 Table 3 Advanced searching and filtering with properties (continued) Example of advanced filtering syntax name:enclosure10 name:" , PDU 1" name:" " name:"mysystem" Search results An enclosure with the name enclosure10. A power delivery device with the name , PDU 1. A list of physical machines whose IP addresses begin with A list of physical machines for which the host name is mysystem. By health status: status:critical All resources that are in a critical state. For other health status values, see Activity statuses (page 246). By user role: By owner: owner:administrator All resources and messages owned by the Infrastructure administrator. By date: created:<7d Created within the last 7 days. efine results by combining properties: A space character separating two of the same object operates as a logical O. model:"proliant BL460c Gen8" model:"proliant BL460c Gen9" status:critical status:warning All ProLiant BL460c Gen8 and ProLiant BL460c Gen9 hardware. All resources that are in either a critical or warning state. A space character separating two dissimilar objects operates as an AND. owner:administrator firmware NTP status:critical status:unknown state:locked owner:administrator All activities owned by the Administrator and related to firmware. All critical messages related to NTP. All messages with unknown status, having a locked state, and owned by Administrator. Combining AND and O operations name:host.example.com status:critical status:warning All messages with either a Critical or Warning status and related to the resource host.example.com. NOT operation status:warning NOT model:"proliant BL465c G7" All messages with a Critical status except those that apply to ProLiant BL465c G7 models NOTE: You can only use NOT once in a query. NOT operators that follow are treated as text Clear the Smart Search box The Smart Search box retains filter options. Use this procedure to clear it before entering a search parameter. 78 Navigating the graphical user interface

79 Clearing the Smart Search box 1. From the main menu, navigate to the Activity screen. 2. Click eset in the Activity heading or the Activity filter sidebar View resources according to their health status On most screens, you can filter the view of resource instances based on their health status, which might be useful for troubleshooting or maintenance purposes. The default filtering is All statuses, which means that all resource members are shown, regardless of their health status. To filter that view based on a specific health status, select the health status you are interested in viewing from the Status menu. For more information about health status icons and what they mean, see Icon descriptions (page 71). Figure 10 Filter resource instances by their health status HP OneView Server Hardware 18 Search Status eset + Add server hardware All statuses Critical Name Warning Model Server Profile Dl 360P Ok Gen8 none Dl 360P Unknown Gen8 Dl 360P Disabled Gen8 none none eset the health status view 1 HP OneView Status:Disabled Server Hardware 4 Disabled eset + Add server hardware Name Model Server Profile... Encl1, bay 3 BL460c Gen8 none Encl1, bay 4 BL460c Gen8 none Encl1, bay 1 BL660c Gen8 none Encl1, bay 1 BL660c Gen8 none 1 To return to the default view, All statuses, click the eset link View resources according to their health status 79

80 4.17 View resources by label On most screens, you can filter the view of resource instances based on their label. The default filter is All labels, which show all resource instances. To filter the view based on a specific label or labels, select the label or labels from the Labels menu. All resource instances with those labels are shown. NOTE: Up to 100 labels are shown for the resource. If you do not see the label you are looking for, see "Organizing resources into groups by assigning labels" in the online help. Filter resources using labels HP OneView labels:mkting labels:sales Server Hardware 2 All Statuses v Labels eset All labels + Add server hardware finance mkting Name Model... sales Encl1, bay 1 BL660c Gen8 Encl1, bay 2 BL660c Gen8 none eset the label view 1 HP OneView labels:mkting labels:sales Server Hardware 2 All Statuses v mkting, sales v eset + Add server hardware Name Model Server Profile... Encl1, bay 1 BL660c Gen8 none Encl1, bay 2 BL660c Gen8 none 1 To return to the default view (All labels), click eset. 80 Navigating the graphical user interface

81 5 Using the EST APIs and other programmatic interfaces EST (epresentational State Transfer) is a web service that uses basic CUD (Create, ead, Update and Delete) operations performed on resources using HTTP POST, GET, PUT, and DELETE. To learn more about EST concepts, see The appliance has a resource-oriented architecture that provides a uniform EST interface. Every resource has one UI (Uniform esource Identifier) and represents a physical device or logical construct. You can use EST APIs to manipulate resources. 5.1 esource operations ESTful APIs are stateless. The resource manager maintains the resource state that is reported as the resource representation. The client maintains the application state and the client might manipulate the resource locally, but until a PUT or POST is made, the resource as known by the resource manager is not changed. Operation Create ead Update Delete HTTP Verb POST resource UI (payload = resource data) GET resource UI PUT resource UI (payload = update data) DELETE resource UI Description Creates new resources. A synchronous POST returns the newly created resource. An asynchronous POST returns a Taskesource UI in the Location header. This UI tracks the progress of the POST operation. eturns the requested resource representation(s) Updates an existing resource Deletes the specified resource 5.2 eturn codes eturn code 2xx 4xx 5xx Description Successful operation Client-side error with error message returned Appliance error with error message returned NOTE: If an error occurs, indicated by a return code 4xx or 5xx, an ErrorMessage is returned. The expected resource model is not returned. 5.3 UI format All UIs point to resources. The client does not need to create or modify UIs. The UI for a resource is static and uses the format category/resource ID where: /rest /resource category /resource instance ID The appliance address The type of UI The category of the resource (for example, server-profiles) The specific resource instance identifier (optional) 5.1 esource operations 81

82 5.4 esource model format The resources support JSON (JavaScript Object Notation) for exchanging data using a EST API. If not otherwise specified in the EST API operation, the default is JSON. 5.5 Log in to the appliance using EST APIs When you log in to the appliance using the login-sessions EST API, a session ID is returned. You use the session ID in all subsequent EST API operations in the auth header, except as noted in EST API equest Headers. The session ID is valid for 24 hours. Log in Operation POST API /rest/login-sessions equest headers EST API equest Headers equest body "username":"yourusername","password":"yourpassword" NOTE: This is an example of a local log in on the appliance. If you are using a directory service, you must add the following attributes: authnhost and authlogindomain. esponse The LoginSessionIdDTO that includes the session ID Log out Operation DELETE API /rest/login-sessions equest headers auth:yoursessionid EST API equest Headers equest body None esponse 204 No Content 5.6 EST API version and backward compatibility When you perform a EST API operation, an X-API-Version header is required. This version header corresponds to the EST API version of software currently running on the appliance. To determine the correct EST API version, perform /rest/version. This GET operation does not require an X-API-Version header. If multiple appliances are running in your environment, you need to determine the EST API version required by each appliance. The requests documented in the HP OneView 1.20 EST API scripting help correspond to a versionnumber of 101. equests specifying API version 120 always provide the behavior documented here. Future API changes will introduce higher version numbers. Supported EST API versions This release of HP OneView supports the new EST API version 120 in addition to supporting the EST API version 3 (minimum) that was supported in previous releases of HP OneView. The HP OneView EST API documentation for older EST API versions is available online at and the documentation for the current version of supported EST APIs is included with the online help for this release as well as online. 82 Using the EST APIs and other programmatic interfaces

83 Backward compatibility The following list explains how to preserve your existing scripts when upgrading to a new version of HP OneView, take advantage of new functionality, and find the current and previous versions of the HP OneView EST API documentation. Prevent scripts from breaking To prevent your existing scripts from breaking that were written for a specific API version, use the same X-API-Version value for that specific EST API. This ensures that the same set of data is sent and returned in the response body during PUT and POST operations. NOTE: The set of possible enumerated values that may be returned in a given resource attribute may be extended from release to release (independent of the API version). Clients should ignore any values that they do not expect. To maintain backward compatibility, the set of enumerated values will not be reduced and the meaning of these values will not change for a given API version. Use new functionality To take advantage of new functionality, you must move to the new X-API-Version value. If the X-API-Version value is set globally in your scripts, moving to a new X-API-Version will likely impact multiple EST APIs. To view a list of EST APIs that have changed, see the HP OneView elease Notes. If you do not need to use the new functionality, you can use a previous X-API-Version and avoid impacting your existing scripts. HP recommends that you move to the new X-API-Version, because backward compatibility is not guaranteed from release to release, and older functionality will be deprecated. The current version of the EST APIs are documented in the HP OneView EST API eference that is included on the appliance. To view previous versions of the EST API reference, go to Asynchronous versus synchronous operations A synchronous task returns a response after the EST API operation. For example, POST /rest/server-profiles returns a newly created server profile in the response body. An asynchronous task, such as creating an appliance backup returns the UI of a Taskesource resource model. You can use the Taskesource resource model UI to list the current status of the operation. 5.8 Task resource When you make an asynchronous EST API operation, HTTP status 202 Accepted is returned and the UI of a Taskesource resource model is returned in the Location header of the response. 5.7 Asynchronous versus synchronous operations 83

84 You can then perform a GET on the Taskesource model UI to poll for the status of the asynchronous operation. The Taskesource model also contains the name and UI of the resource that is affected by the task in the associatedesource attribute. Creating an appliance backup example 1. Create an appliance backup. /rest/backups The UI of a Taskesource in the Location header is returned in the response. 2. Poll for status of the backup using the Taskesource UI returned in step 1. /rest/tasks/id 3. When the task reaches the Completed state, use the associatedesource UI in the Taskesource to download the backup file. GET associatedesource UI 5.9 Error handling If an error occurs during a EST API operation, a 4xx (client-side) or 5xx (appliance) error is returned along with an error message (ErrorMessage resource model). The error message contains a description and might contain recommended actions to correct the error. A successful EST API POST operation returns the newly created resource (synchronous) or a Taskesource UI in the Location header (asynchronous) Concurrency control using etags A client uses etags to verify the version of the resource model. This prevents the client from modifying (PUT) a version of the resource model that is not current. For example, if a client performs a GET on a server profile and receives an etag in the response header, modifies the server profile, and then updates (PUT) the resource model, the etag in the PUT request header must match the resource model etag. If the etags do not match, the client PUT request will not complete and a 412 PECONDITION FAILED error is returned Querying resources and pagination using common EST API parameters Querying resources You can use a set of common parameters to customize the results returned from a GET operation, such as sorting or filtering. Each EST API specification lists the set of available common parameters. Pagination when querying for a collection of resources When you perform a GET operation to retrieve multiple resources (that is, a GET on a collection UI, such as /rest/server-profiles), the resources are returned in a collection object that includes an array of resources along with information about the set of resources returned. This collection of resources may be automatically truncated into pages to improve performance when a query would return a large number of resources. The collection attributes (described below) provide information needed to determine whether the full set of resources were returned, or if additional queries are required to retrieve additional pages. For example, a collection object includes a next page and previous page UI. These UIs indicate whether additional pages are available, and can be retrieved via a GET operation on these UIs. This provides a simple model for ensuring all resources in the query have been retrieved, by doing iterative GETs on the nextpageuri attribute until the attribute comes back empty/null (See Example: eturn all resources in a specific collection query below.). 84 Using the EST APIs and other programmatic interfaces

85 It s also possible to query for a specific page of resources, using the start and count query parameters. These parameters indicate the index of the first resource to be returned, and the number of resources to return in the page, respectively. NOTE: Queries across multiple pages in a collection are stateless, and are based simply on the start index and a count of resources returned from that starting point at the time the query is made. For example, if any server profiles were added or deleted after you performed a GET operation using a specific next page UI from a collection of server profile resources, and you perform the GET again, the returned page using the same next page UI may not contain the same set of resources. Note also that the specific set of resources returned with a given start and count parameter is highly dependent on any filter, query and sort parameters sent in the request, therefore it s important to always pass the same filter, query and sort parameters on all requests for additional pages. The nextpageuri and prevpageuri attributes will be pre-populated with any filter, query and sort parameters from the current request. Attributes returned in all GET operations performed on a collection UI, for example/rest/server-profile: total count start members nextpageuri prevpageuri The total number of resources available in the requested collection (taking into account including any filters). Not necessarily what was returned. The actual number of resources returned (in the members attribute). The zero-based index of the first item returned (in the members attribute). The array of resources returned in the current result set. A UI that can be used to query for the next page in the result set (using the same count specified in the current query). A UI that can be used to query for the previous page in the result set (using the same count specified in the current query). NOTE: A null or empty nextpageuri or prevpageuri attribute is an indication that you have reached the last or first page (respectively) in the query. This allows scripts to iterate on nextpageuri until null, in order to retrieve the full set of resources in the query. Example: eturn all resources in a specific collection query The number of resources returned in a query might not match what was specified in the count parameter. Clients must always check the returned results to determine whether the full results set was returned or not. The two reasons that all the resources may not be returned in a query are: You've reached the last page of the query (and there are simply not that many resource left to return). This is also indicated by a returned prevpageuri with a null value. For performance reasons, the service may automatically truncate the returned result set, requiring additional GET requests (with appropriate start & count parameters set) in order to retrieve the full set of resources. The simplest way to make sure that you have retrieved all resources in a specific collection is to always perform iterative GET requests using the returned nextpageuri until the value is null. See the following example in pseudo-code based on any filters/queries and sort order: currentcollection = doget("/rest/server-hardware"); allesources = currentcollection.members; While (currentcollection.nextpageuri) currentcollection = doget(currentcollection.nextpageuri); allesources.append(currentcollection.members); 5.11 Querying resources and pagination using common EST API parameters 85

86 5.12 State-Change Message Bus The State-Change Message Bus (SCMB) is an interface that uses asynchronous messaging to notify subscribers of changes to managed resources both logical and physical. For example, you can program applications to receive notifications when new server hardware is added to the managed environment or when the health status of physical resources changes without having to continuously poll the appliance for status using the EST APIs. To learn more about receiving asynchronous messages about changes in the appliance environment, see Using a message bus to send data to subscribers (page 257) Metric Streaming Message Bus The Metric Streaming Message Bus (MSMB) is an interface that uses asynchronous messaging to notify subscribers about the most recent metrics for managed resources. You can configure the interval and the metrics that you want to receive using the EST APIs. To learn more, see Using a message bus to send data to subscribers (page 257) Analysis and troubleshooting You can use EST APIs to capture data obtained from remote system logs and ilo and make this data accessible for use by powerful troubleshooting and analysis tools HP Operations Analytics integration with HP OneView The integration of HP Operations Analytics and HP One View provides IT professionals with troubleshooting, analysis, and capacity planning information for devices managed using HP OneView. Using HP OneView EST APIs, you can capture data from logs, metrics, alerts, and inventories, and import them into HP Operations Analytics for graphical display and viewing. eal-time troubleshooting applications like HP Operations Analytics need access to HP OneView resources, relationships, metrics, alerts, and logs at near real time intervals. This data is then used to pin point developing issues and avoid infrastructure downtime by predicting failure in advance. For technical information about HP Operations Analytics, see HP Operations Analytics Manuals Developer tools in a web browser You can use developer/debug tools in your web browser to view the EST API operations as they happen in the UI. The UI uses EST APIs for all operations; therefore, anything you can do in the UI can be done using EST API operations PowerShell and Python code sample libraries Windows PowerShell and Python libraries are available on Git-compliant websites to download and use for your EST API scripting. The libraries are currently under the MIT Open Source license, and you can modify the source code for your own purposes. Each library provides methods for you to submit feedback, issues, and other discussions to HP. About Git version control: The repository layouts and overall workflows use a very standard simple workflow where the master branch is always the top of tree trunk. HP tags each release and branches a release only to fix an issue on a specific release. To learn more about using Git, see NOTE: If you have questions about EST API scripting or HP OneView, post your questions to the user community forum at 86 Using the EST APIs and other programmatic interfaces

87 PowerShell library The PowerShell library is hosted on CodePlex and is available here: hponeview.codeplex.com. To subscribe to the site and monitor the project, you need a valid Microsoft or CodePlex account. Downloading releases or source code does not require authentication. For ease of use when the library is updated, a new installer is provided. You can use a browser or a GIT Windows client to download the source code and samples. To download the Windows client, see The CodePlex site provides an issues tracker to submit issues or feature requests. Python library The Python library is hosted on a GitHub website and is available here: HewlettPackard/python-hpOneView. To receive development discussions, sign up on the public mailing list at forum/#!forum/hp-oneview-python PowerShell and Python code sample libraries 87

88 88

89 6 Accessing documentation and help This chapter describes how to access help from the appliance, how to access the publicly available online information library, and where to find EST API help and reference documentation. 6.1 Online help conceptual and task information as you need it The online help documents both the UI and the EST APIs, and includes: Overviews of the appliance and its features Descriptions of resources and UI screens Quick-start instructions for bringing your data center under management Step-by-step instructions for using the UI to perform tasks Information about using EST API scripting to perform tasks The HP OneView EST API eference Information about using the SCMB (State-Change Message Bus) to subscribe to state change messages EST API help design The EST API help is designed so that: Each resource is documented in its own chapter. Each EST API scripting chapter identifies the EST API calls you must invoke to complete the tasks. Each EST API call links to the HP OneView EST API eference for details about the API, such as attributes and parameters, the resource model schema, and JSON (JavaScript Object Notation) examples. UI help design The online help for the UI is designed so that each resource is documented in its own chapter. At the top of each help chapter is a navigation box that directs you to: Tasks that you can perform using the UI An About section that provides conceptual information about the resource A screen details section for every screen, which provides definitions of screen components to assist you in data entry and decision making Troubleshooting information in case you encounter a problem Links to the help for the associated EST APIs if you prefer to use EST API scripting to perform a task 6.2 This user guide supplements the online help This user guide provides: Conceptual information and describes tasks you can perform using the UI or EST APIs. It does not duplicate the step-by-step instructions provided by the online help unless the information might be needed when the online help is not available. For procedures that use the EST APIs, the EST APIs are listed, but the complete syntax and usage information is included in the HP OneView EST API eference in the online help. 6.1 Online help conceptual and task information as you need it 89

90 Planning information, including configuration decisions to make and tasks that you might need to perform before you install an appliance, add managed devices, or make configuration changes. Quick starts that provide high-level step-by-step instructions for selected tasks that might require that you configure multiple resources using the UI or EST APIs. An illustrated example of using the UI to configure a sample data center. 6.3 Where to find HP OneView documentation User guides and other manuals HP OneView user guides and other manuals are available on the HP Enterprise Information Library website at See elated information (page 334) for the list of document titles that are available. Online help To view the help delivered with the appliance graphical user interface, click the open the Help sidebar. help icon to The Help sidebar provides hyperlinks to the user interface help and EST API scripting help. NOTE: To submit feedback about HP OneView documentation, send to docsfeedback@hp.com. 6.4 Enable off-appliance browsing of UI help and EST API help The off-appliance versions of the HP OneView help systems are useful for developers who are writing EST API scripts or other users who prefer the convenience of accessing help locally without logging in to the appliance. NOTE: You can also browse the API eference at Downloading HTML UI help and HTML EST help 1. Go to the Enterprise Information Library: 2. Select the HP OneView UI online help zip file or the HP OneView EST API online help zip and save it to your computer or a local directory on a web server. 3. Use the utility of your choice to extract the contents of the.zip file. 4. Navigate to the content directory. 5. Double-click the index.html file to open the HP OneView help system. 90 Accessing documentation and help

91 Part II Planning tasks The chapters in this part describe data center configuration planning tasks that you might want to complete before you install the appliance or before you make configuration changes. By completing these planning tasks, you can create a data center configuration that takes full advantage of the appliance features and is easier for your administrators to monitor and manage.

92 92

93 7 Planning your data center resources In addition to ensuring that your environment meets the prerequisites for installation of the appliance, there are other planning tasks you might want to complete before adding data center resources. By completing these planning tasks, you can create a data center configuration that takes full advantage of the appliance features and is easier for your administrators to monitor and manage. 7.1 How many data centers? An appliance data center resource represents a physically contiguous area in which racks containing IT equipment are located. You create data centers in the appliance to describe a lab floor or a portion of a computer room, which provides a useful grouping to summarize your environment and its power and thermal requirements. Using data centers to describe the physical topology and power systems of your environment is optional. If you choose to create multiple data centers, consider including data center information in your other resource names to enable you to use the appliance search capabilities to filter results by data center. 7.2 Security planning To learn about the security features of the appliance, and for general information about protecting the appliance, see Understanding the security features of the appliance (page 53). 7.3 Preparing your data center network switches The switch ports for data center network switches that connect to the Virtual Connect interconnect modules must be configured as described in Data center switch port requirements (page 161). Network traffic should also be considered as described in About active/active and active/standby configurations (page 170). 7.4 Planning for a dual-stack implementation Network management systems can use IPv4 or IPv4/IPv6 communication protocols on the same network infrastructure. The default protocol is IPv4. Managing interconnects with IPv4 and IPv6 protocols provides network address redundancy if the IPv4 primary address fails to connect. In order for the appliance to communicate with the interconnects on the IPv6 management network, then IPv4/IPv6 dual communication stack configuration is necessary for the Onboard Administrator and the appliance. To set up a dual-stack protocol for an enclosure, use the Onboard Administrator to enable IPv6 and IPv6 address types. NOTE: SNMP access and SNMP trap destinations support IPv4 and IPv6 addresses. 7.5 Planning your resource names The banner of every screen includes the Smart Search feature, which enables you to find resource-specific information such as instances of resource names, serial numbers, WWNs, and IP and MAC addresses. In general, anything that appears in a resource is searchable. Defining a standard naming convention for your networks, network sets, enclosures, enclosure groups, logical interconnect groups, and uplink sets makes it easy for you to identify them and enables efficient searching or filtering in the UI. 7.1 How many data centers? 93

94 Consider the following information when choosing resource names: To minimize the need for name changes and to make network-related resources easier to identify, consider choosing names that include the following information: The purpose of the resource. For example: prod for production network resources dev for development network resources For tagged networks, the VLAN ID NOTE: If you are creating multiple tagged networks at the same time (creating networks in bulk), the network name is automatically appended with an underscore (_) and the VLAN ID. For example, Dev_101. An identifier to help you distinguish between resources that use the left side or the right side of an enclosure. For example: left and right A and B 1 and 2 Examples of network names that follow the recommended naming conventions include the following: dev_1105_a prod_1102_1 test_1111_left If you plan to use multi-network connections in server profiles, create network sets that contain all the networks to be used by a single profile connection. Choose names such as the following: dev_nset_a prodnset_1 testns_left Changing the names of uplinks sets can result in resources being taken offline temporarily (see Configuration changes that require or result in resource outages (page 97)). To minimize the need for name changes, and make the uplink sets easier to identify, choose names such as the following: devus_a produs_1 testus_left The appliance does not support the filtering of resources, such as server hardware, based on physical location (data center name). To enable filtering by data center name, choose a naming convention that includes the data center name in the resource name. The appliance supports the filtering of resources by model, so you can search for server hardware without having to include the model number in the name. The appliance provides default names for many resources. For example: Enclosures are assigned the name Encln, where n is a number that is incremented by 1 as each enclosure is added. enclosure_name-li is the default name of a logical interconnect, where enclosure_name is the name of the enclosure. 94 Planning your data center resources

95 Datacenter 1 is the name assigned to the data center when you initialize the appliance. Server hardware types are assigned names based on the server model, such as BL460c Gen8 1. If you select a server hardware type as a standard, you can choose to rename that server hardware type to include the word Standard or some other identifier to help administrators quickly determine the correct server hardware type to choose. You can create shorter names by using abbreviations for resources. For example: esource name Enclosure Enclosure group Logical interconnect Logical interconnect group Uplink set Typical abbreviations Encl EG, Group LI LIG US For more information about the search capabilities of the appliance, see Search resources (page 76). 7.6 Planning the appliance configuration These topics cover appliance configuration Appliance VM and host requirements HP OneView is a virtual appliance running on the following supported hypervisor hosts. Table 4 Supported hypervisors and versions Hypervisor VMware vsphere ESXi Microsoft Hyper-V Version update update update update update update update 2 Hyper-V is supported on the following Microsoft Windows platforms with the Hyper-V role installed: Windows Server 2012 Windows Server Windows Hyper-V Server 2012 Windows Hyper-V Server Planning the appliance configuration 95

96 The appliance virtual machine (VM) must run on a VM host with ProLiant G7 class CPUs or later. The appliance VM requires the following: Two 2 GHz or greater virtual CPUs. 10 GB of memory dedicated to the appliance. 170 GB of thick-provisioned disk space. A connection to the management LAN. HP recommends that you have separate networks for management and data. In addition, the clock on the VM host must be set to the correct time. If NTP (Network Time Protocol) is not used to synchronize the time on the VM host, HP recommends configuring the appliance to use NTP directly Planning for high availability To use HP OneView in an HA (high availability) configuration, see the hypervisor documentation for specific requirements. VMware vsphere ESXi Microsoft Hyper-V Separate networks for data and management vsphere/high-availability.html HP recommends having separate networks for management and data Time clocks and NTP HP recommends using NTP on the host on which you install the virtual appliance. If you are not using NTP on the host, HP recommends configuring NTP directly on the virtual appliance. Do not configure NTP on both the host and the virtual appliance IP addresses You must specify what type of IP addresses are in use and how they are assigned to the appliance, either manually by you or assigned by a DHCP (Dynamic Host Configuration Protocol) server: You must choose either IPv4 or IPv6 addresses. See Planning for a dual-stack implementation (page 93) for more information. The appliance IP address must be static. If you use a DHCP address for the appliance it must have an infinite lifetime or permanent reservation. 96 Planning your data center resources

97 8 Planning for configuration changes This chapter identifies configuration changes that might result in a resource being taken offline temporarily or that might require that you make changes to multiple resources. 8.1 Configuration changes that require or result in resource outages Appliance Taking an appliance offline does not affect the managed resources they continue to operate while the appliance is offline. When you install an appliance update, the appliance is taken offline. Enclosures The Onboard Administrator (OA) is taken offline when you update firmware for an enclosure. Interconnects and logical interconnects Server profile connections to networks in an uplink set are taken offline when you delete the uplink set. Server profile connections to networks in an uplink set can be interrupted for a few seconds when you change the name of an uplink set using either of these methods: Change the name of the uplink set in the logical interconnect. Change the name of the uplink set in the logical interconnect group, and then update the logical interconnect from the logical interconnect group. An interconnect is taken offline when you: Update or activate firmware for a logical interconnect. Staging firmware does not require interconnects be taken offline. Update firmware for an enclosure and select the option to update the enclosure, logical interconnect, and server profiles. If an interconnect has firmware that has been staged but not activated, any subsequent reboot of that interconnect activates the firmware, which takes the interconnect offline. You can prevent the loss of network connectivity for servers connected to a logical interconnect that has a stacking mode of Enclosure and a stacking health of edundantly Connected by updating firmware using the following method: 1. Staging the firmware on the logical interconnect. 2. Activating the firmware for the interconnects in even-numbered enclosure bays. 3. Waiting until the firmware update to complete and the interconnects are in the Configured state. 4. Activating the firmware for the interconnects in the odd-numbered enclosure bays. Networks If you attempt to delete a network that is in use by one or more server profiles, the appliance warns you that the network is in use. If you delete the network while it is in use, server profile connections that specify the network explicitly (instead of as part of a network set) are taken offline. If you add a network with the same name as the network you deleted, connections that specify the network explicitly (instead of as part of a network set) are not updated you must edit 8.1 Configuration changes that require or result in resource outages 97

98 each server profile connection to reconfigure it to specify the network you added. Because you must edit the server profile to edit the connection, you must power off the server. If you attempt to delete a network that is a member of a network set, the appliance warns you that the network is assigned to at least one network set. If you delete that network and there are other networks in that network set, server profile connectivity to the deleted network is taken offline, but connectivity to other networks in the network set is unaffected. You can add a network to a network set, including a network that has the same name as a network you deleted, while server profile connections to that network set remain online. Network sets If you attempt to delete a network set that is in use by one or more server profiles, the appliance warns you that the network set is in use. If you delete the network set while it is in use, server profile connections to that network set are taken offline. If you add a network set with the same name as the network you deleted, connections that specify the network set are not updated you must edit each server profile connection to reconfigure it to specify the network set you added. Because you must edit the server profile to edit the connection, you must power off the server. Server profiles with connections to a network set can be affected when a network in the network set is deleted. See Networks. Server profiles and server hardware Before you edit a server profile, you must power down the server hardware to which the server profile is assigned. Firmware updates require that you edit the server profile to change the firmware baseline. As with any other edits to server profiles, you must power down the server hardware to which the server profile is assigned before you edit a server profile. Server profiles and server hardware can be affected by changes to networks and network sets. For more information, see Networks and Network sets. Server profiles and server hardware can be affected by changes to the names of uplink sets. For more information, see Interconnects and logical interconnects. 8.2 Configuration changes that might require changes to multiple resources Adding a network (page 98) Adding an enclosure (page 99) Adding a network When you add a network to the appliance, you might need to make configuration changes to the following resources: Networks. Add the network. Network Sets. (Optional) If the network you are adding is an Ethernet network you might want to add it to a network set or create a network set that includes the network. 98 Planning for configuration changes

99 Logical Interconnects and Logical Interconnect Groups. For a server connected to a logical interconnect to access a network, the logical interconnect must have an uplink set that includes a connection to that network: You might need to update multiple logical interconnects. You can make configuration changes to the logical interconnect group, and then update each logical interconnect from the group. If your configuration changes include deleting an uplink set or changing the name of an uplink set, server profile network connectivity can be affected. See Configuration changes that require or result in resource outages (page 97). Server Profiles. If the server profile does not have a connection to a network set that includes this network, you must add connections to the network. For a summary of the tasks you complete when adding a network, see Quick Start: Adding a network to an existing appliance environment (page 111) Adding an enclosure When you add an enclosure to be managed by the appliance, you might need to make configuration changes to the following resources: Enclosures. Add the enclosure to be managed. Enclosure Groups. Every managed enclosure must be a member of an enclosure group. If you do not choose an existing enclosure group, you must create one when you add the enclosure. Logical Interconnects and Logical Interconnect Groups. Logical interconnects and logical interconnect groups define the network connectivity for the managed enclosure. Enclosure groups must specify a logical interconnect group. When you create an enclosure group, if you do not specify an existing logical interconnect group, you must create one. For a server connected to a logical interconnect to access a network, the logical interconnect group you create must have an uplink set that includes a connection to that network. Server Profiles. Adding and assigning server profiles to the server blades in the managed enclosure is not required at the time you add the enclosure, but to use the server blades in a managed enclosure, you must assign server profiles to them. To access a network, the server profile must include a connection to that network or a network set that includes that network. For a summary of the tasks you complete when adding a managed enclosure and connect its server blades to data center networks, see Quick Start: Adding an enclosure to manage and connecting its server blades to networks (page 115). 8.2 Configuration changes that might require changes to multiple resources 99

100 100

101 9 Planning for enclosure migration from VCM into HP OneView Planning for a migration from VCM-managed enclosures to HP OneView-managed enclosures is an important part of the migration process. Understanding what will be migrated from Virtual Connect Manager (VCM) and the requirements of HP OneView can help ensure a smooth and easy migration. This chapter will help explain the requirements and what to expect with migration. For example, a partial list of what will not be migrated is shown in Blocking issues (page 102). The automated migration process imports the configuration information for the enclosures including hardware, Virtual Connect domain, networks, and server profiles with some exceptions. 9.1 Understanding the migration process An enclosure managed by VCM can be migrated into HP OneView so that it can be managed by HP OneView. The migration can occur through the GUI or using EST API. The basic process consists of the following steps. eview this process to see the types of issues you might encounter so you can determine what changes you need to make in your environment to perform a successful migration. See About migrating enclosures (page 179) for more information. IMPOTANT: Backup the VCM configuration: the Virtual Connect (VC) domain as well as the output from show config -includepoolinfo. Secure the information. The backup is used if you need to revert back to VCM for management. The show config -includepoolinfo output enables you to check specific details of the VC domain after the enclosure has been migrated to HP OneView. See the Virtual Connect User Guide at docs for more information. Prerequisites for performing a migration Minimum required privileges: HP OneView Infrastructure administrator. Onboard Administrator and VCM Domain Administrator. OA and VCM credentials as well as the OA IP address for the enclosure. Backup and secure the VCM configuration where it will be available in the event that the enclosure must be reverted back to Virtual Connect Manager control. eview the HP OneView Support Matrix and verify the enclosure contains supported servers, interconnect modules, and mezzanine cards. eview Prerequisites for bringing an enclosure into HP OneView (page 182) for prerequisites and preparation that must be in place. 9.1 Understanding the migration process 101

102 Migration task Start compatibility and migration process 1. Determine whether to migrate your enclosure using the HP OneView GUI or HP OneView EST API. For more information, see Migrate an enclosure currently managed by VCM (page 184) or Migrate a VCM enclosure using EST API (page 187). 2. Provide Onboard Administrator (OA) and Virtual Connect (VC) credentials and the enclosure OA IP address. HP OneView checks the compatibility of the Virtual Connect enclosure with HP OneView and produces a migration compatibility report of the issues. The report shows warnings and blocking issues. esolve issues in the compatibility report 3. eview and resolve issues from the top down in the compatibility report. By resolving issues that are listed first, you might resolve issues listed later in the report. esolve all blocking migration errors listed on the compatibility report by modifying the configuration in VCM or HP OneView. For a list of some of the blocking issues you might encounter, see Blocking issues (page 102). Evaluate warnings on the compatibility report to determine if action needs to be taken. Unless specified otherwise, warnings indicate a capability that will not be migrated into HP OneView. Make sure the detected capability is not critical to operations before proceeding. For a list of some of the warnings you might encounter, see Warning issues (page 103). 4. esolving an issue may require disabling a feature within Virtual Connect, changing a configuration in Virtual Connect, or in some cases, changing the HP OneView logical interconnect group. For more information on Virtual Connect, see the HP Virtual Connect for c-class BladeSystem User Guide or the HP Virtual Connect Manager Command Line Interface for c-class BladeSystem User Guide at virtualconnect/docs. Migrate 5. After resolving all blocking issues (except server power on) and warnings you want to resolve, power down the servers and run a final compatibility test. 6. If the final report shows that all blocking issues are resolved, proceed with the migration. During the migration process, the VC domain is reconfigured as the enclosure is brought into HP OneView. Post migration tasks 7. Upon successfully completing the migration, you can then power on the servers. After migration, VCM is disabled and no longer available Blocking issues The following partial list of Virtual Connect features are considered blocking issues because they are not supported in HP OneView. HP OneView checks for these features and blocks the migration when these issues are found. esolving an issue might require disabling a feature within Virtual Connect, changing a configuration in Virtual Connect, or in some cases, changing the HP OneView logical interconnect group. If a feature is required in your environment and your enclosure contains ProLiant G6 or later server blades, you might want to consider monitoring your enclosure. See About monitored enclosures (page 180). NOTE: VCEM-managed enclosures can be migrated to the appliance. However, the enclosure must first be removed from the Virtual Connect domain group through the VCEM web interface so that the enclosure is managed by VCM. 102 Planning for enclosure migration from VCM into HP OneView

103 Blocking issues Auto-deployment C3000 enclosures and ProLiant G1 through G6 server blades Ethernet connection speed type disabled Federal Information Processing Standard (FIPS 140 2) Gen9 servers IGMP multicast filters and filter sets iscsi connections More than 1000 networks configured within the VC domain Multiple enclosure stacked domains Partially stacked domains QoS configuration Server VLANs mapped to alternate network VLANs SNMP v3 Storage management credentials VCEM multiple FC initiators NOTE: In general, for functions that are not required in your environment, disabling the function in VCM enables you to migrate the enclosure Warning issues The following partial list of Virtual Connect features are not supported in HP OneView. These features are considered warning issues and are listed in the compatibility report. Migration can continue with these warnings, but you should review them to determine if the features are important to your environment. If a feature is required in your environment and your enclosure contains ProLiant G6 or later server blades, you might want to consider monitoring your enclosure. See About monitored enclosures (page 180). NOTE: Unassigned profiles will not be migrated. The profiles will be deleted from VCM during the migration. Either assign profiles before the migration or use the backup configuration information to update the profiles once the enclosure is in HP OneView. Potential warnings Custom module hostname LLDP enhanced TLV Mixed USE-BIOS connections in a profile Module-specific DNS name Network Access Group ADIUS/TACACS+ sflow traffic monitoring SMIS not enabled Unassigned server profiles or unmapped server profile connections User role configuration VCM SNMP traps and Ethernet and FC SNMP access settings inconsistent NOTE: In general, if a feature is listed as a warning which is not required for the environment, continuing will mean the functionality will not be migrated to OneView. 9.1 Understanding the migration process 103

104 104

105 Part III Configuration quick starts The quick starts provided in this part describe the basic resource configuration tasks required to quickly bring the primary components of your hardware infrastructure under appliance management. Additional resource configuration and ongoing management tasks are documented in Part IV.

106 106

107 10 Quick Start: Initial Configuration This quick start describes the process to bring your data center resources under management of the appliance after you complete the appliance installation. This quick start recommends an order for adding resources to an appliance that has not previously been configured Process overview 1. Before you install the appliance, plan your data center configuration. By deciding things like resource names and the number and composition of network sets before you start adding enclosures and servers to the appliance, you can create a configuration that takes full advantage of the appliance features and results in an environment that is easier for your administrators to monitor and manage. In addition, the switch ports for data center network switches that connect to the Virtual Connect interconnect modules must be configured as described in Data center switch port requirements (page 161). For planning information, see Planning your data center resources (page 93). 2. When you install the appliance, you perform the configuration steps described in the HP OneView Installation Guide, including: Changing the Administrator password. Configuring the networking settings for the appliance, including entering an appliance host name and setting IP addresses and DNS server addresses, if used. 3. After you complete the installation, you perform the initial configuration tasks described in First time setup: configuration tasks (page 107). For illustrated examples of these tasks, see Step by step: Configuring an example data center using HP OneView (page 337). 4. After you perform the initial configuration, back up the appliance and establish policies and procedures for backing up the appliance on a regular basis. For information about creating a backup policy, see Determining your backup policy (page 226). For information about backing up the appliance, see Backing up an appliance (page 225). 5. If you have not already done so, establish policies for other aspects of appliance and data center security, such as downloading and archiving audit logs. For more information about security planning, see Security planning (page 93) First time setup: configuration tasks To bring your data center resources under appliance management, complete the following first time setup configuration tasks: 1. Initial configuration tasks (required) 2. Physical topology and power system configuration tasks (optional) Initial configuration tasks to bring your environment under management After installing the appliance and configuring its network, the next step is to make your data center environment known to the appliance and bring it under management. The first time configuration tasks are no different than when they are performed as routine maintenance. While HP OneView is designed to allow flexibility in the order in which you create, add, and edit resources and devices, HP recommends using the workflow sequence documented in the following table for initial configuration tasks or whenever you make significant additions or changes to your environment Process overview 107

108 To use EST APIs to configure the appliance and bring your environment under management for the first time, see the EST API help, which is available from the Help Sidebar. Table 5 First time setup: initial configuration tasks Configuration task Add users to the appliance 1. Add a fully authorized local user (Infrastructure administrator) Add a local user with specialized access Add a fully authorized user with authentication by membership in an organizational directory Add a user with role-based access and authentication by membership in an organizational directory Create user accounts assigned with predefined or specialized privileges with local or directory-based authentication. See the Users and Groups online help for more information. Add firmware bundles to the appliance firmware repository 2. Add the latest firmware bundles to the appliance. See the Firmware Bundles online help for more information. Create networks 3. Create Ethernet networks for data and Fibre Channel networks for storage. See the Networks online help for more information. Create network sets 4. Create network sets to group Ethernet networks together to simplify management. See the Network Sets online help for more information. Create a logical interconnect group 5. Create a logical interconnect group to define the connections between your networks and interconnect uplink ports. See the Logical Interconnect Groups online help for more information. Create an enclosure group 6. Create an enclosure group to define and maintain consistent configurations and to be able to detect and manage devices such as interconnects and server hardware in your enclosures. See the Enclosure Groups online help for more information. Add enclosures to the appliance 7. Add enclosures to the appliance to manage their contents and apply firmware updates. See the Enclosures online help for more information. If your enclosures or server hardware do not have embedded licenses, you must add licenses to the appliance first. See the Licensing online help for more information. If you have an SNMP read community string you prefer to use, set the SNMP read community string before you add an enclosure to the appliance. See the Settings: Appliance Networking online help for more information. 108 Quick Start: Initial Configuration

109 Table 5 First time setup: initial configuration tasks (continued) Configuration task Add switches to the appliance (optional) 8. Add switches to the appliance to provide a unified, converged fabric over 10 Gigabit Ethernet for LAN and SAN traffic. See the Switches online help for more information. Add storage systems and storage pools (optional) 9. Add storage systems to the appliance and then add storage pools to the appliance. See the Storage Systems online help and the Storage Pools online help for more information. Create volumes (optional) 10. Create volumes in the storage pools. You can also create volumes by creating volume templates. You can add existing volumes from storage systems to the appliance. See the Volumes online help and the Volume Templates online help for more information. Create server profiles and apply them to server hardware 11. Create and apply server profiles to define common configurations for your server hardware. See the Server Profiles online help for more information. Save the appliance configuration to a backup file 12. Save the initial appliance configuration settings and database to a backup file in the unlikely event you need to restore the appliance to its original settings in the future. See the Settings online help for more information about creating and saving appliance backup files Configure physical topology and power systems in your environment (optional) By defining the physical dimensions of the space your networking hardware inhabits and positioning enclosures, power delivery devices, server hardware, and other devices in racks provides the appliance with an accurate diagram of the devices in your data center and their physical connections. The appliance can then provide powerful monitoring and management functionality: The Data Centers screen generates a 3D model of your IT environment, which you can use for planning and organization purposes. The Data Centers screen displays power and temperature data to enable you to monitor power consumption rates. The appliance monitors and reports peak temperatures for racks and their components to identify and alert you about potential cooling issues. The Power Delivery Devices screen provides data to enable you to monitor power consumption rates and power caps First time setup: configuration tasks 109

110 Table 6 First time setup: physical topology and power system configuration tasks Configuration task Add power devices 1. Define your power devices and power connections. See the Power Delivery Devices online help for more information. After you enter device credentials (your user name and password), the appliance automatically discovers the HP Intelligent Power Distribution Units (ipdus). Add racks and configure the rack layout 2. Add racks and configure the layout of enclosures, power delivery devices, and other rack devices. See the acks online help for more information. Create data centers and position racks in them 3. Define the physical topology and cooling and power characteristics of your data center, which enables 3D visualization and temperature monitoring. See the Data Centers online help for more information. 110 Quick Start: Initial Configuration

111 11 Quick Start: Adding a network to an existing appliance environment This quick start describes the process to add a network to an existing appliance environment and enable existing server blades to access the network you added. NOTE: If you are performing initial configuration steps after installing an appliance, HP recommends that you add networks and network sets before you add enclosures. See Quick Start: Initial Configuration (page 107). Prerequisites Minimum required privileges: Infrastructure administrator or Network administrator for adding the network. Minimum required privileges: Infrastructure administrator or Server administrator for changing the configurations of the server profiles. The enclosures and server blades are already added to the appliance. All data center switch ports that connect to the Virtual Connect (VC) interconnect modules are configured as described in Data center switch port requirements (page 161). 111

112 11.1 Process When you add a network to the appliance, you might need to make configuration changes to the following resources: esource Networks Logical Interconnect Groups Logical Interconnects (one or more) Network Sets Server Profiles and Server Hardware Task 1. Add the network. 2. Add the network to an uplink set. 3. Do one of the following: Add the network to an uplink set. Update the logical interconnect from the logical interconnect group. 4. (Optional) Add the network to a network set. Description Adding a network does not require that you take resources offline. For more information about networks, see Managing networks and network resources (page 157), the online help for the Networks screen, or the EST API scripting help for networks and network sets. You can either add the network to an existing uplink set or create an uplink set for the network. Changing the configuration of an uplink set does not require that you take resources offline. Configuration changes made to a logical interconnect group are not automatically propagated to the member logical interconnects. However, by changing the logical interconnect group, you can update each logical interconnect with a single action. For more information, see Managing interconnects, logical interconnects, and logical interconnect groups (page 163), the online help for the Logical Interconnect Groups screen, or the EST API scripting help for logical interconnects and the EST API for the uplink-sets resource. Changing the configuration of an uplink set does not require that you take resources offline. Configuration changes made to a logical interconnect group are not automatically propagated to the member logical interconnects. To update a logical interconnect with changes made to its logical interconnect group, do one of the following: Select Logical Interconnects Actions Update from group. Use the EST APIs to reapply the logical interconnect group. When adding a network, updating a logical interconnect from its group does not require that you take resources offline. You can make changes to a logical interconnect without also changing the logical interconnect group. In this case, you add the network to an uplink set on the logical interconnect. However, the appliance labels the logical interconnect as being inconsistent with its group. For more information, see Managing interconnects, logical interconnects, and logical interconnect groups (page 163), the online help for the Logical Interconnects screen, or the EST API scripting help for logical interconnects. Applies to Ethernet networks only. Adding a network to a network set does not require that you take resources offline. You do not need to update server profiles that have connections to the network set. For more information about network sets, see Managing networks and network resources (page 157), the online help for the Network Sets screen, or the EST API scripting help for networks and network sets. 112 Quick Start: Adding a network to an existing appliance environment

113 esource Task 5. Power off the server before you edit the server profile. 6. Edit the server profile to add a connection to the network. 7. Power on the server after you apply the server profile. Description When you add a network to an appliance, it is immediately available. However, for a server blade to connect to that network, the server profile for the server blade must include a connection to either the network or a network set that includes the network. If you add the network to a network set, server profiles that have connections to the network set automatically have access to the added network. You do not have to edit these server profiles. If the network is not added to a network set, you must add a connection to the network in the server profiles that you want to connect to that network. Power off the server hardware before making any configuration changes to a server profile. For more information about server profiles, see Managing server hardware and server profiles (page 137), the online help for the Server Profiles screen, or the EST API scripting help for server profiles Process 113

114 114

115 12 Quick Start: Adding an enclosure to manage and connecting its server blades to networks This quick start describes the process to add an enclosure to be managed in an existing appliance environment, and enable the server blades to access the existing data center networks. The steps you take to add an enclosure and ensure that its server blades are connected to the data center networks depend on whether you use an existing enclosure group, or if you need to define the network connectivity by configuring enclosure groups, and logical interconnects and their uplink sets. For a server blade in a managed enclosure to connect to a data center network, you must ensure that several resources are configured. For a complete list of resources and the reasons you need them, see Checklist: connecting a server blade to a data center network (page 115). Logical interconnect groups, their uplink sets, and their associated enclosure groups can be created in different ways: You can create them before the enclosure is added to the appliance. You can create them as part of the enclosure add operation. During the enclosure add operation, the appliance detects the interconnects installed in the enclosure and creates the groups based on the hardware in the enclosure. You complete the configuration of the groups before you complete the enclosure add operation Checklist: connecting a server blade to a data center network Connecting a server blade to a data center network requires the following resources: Enclosure group Enclosure Logical interconnect group Logical interconnect Uplink set Network or network set Server profile assigned to server hardware The following table describes the configuration elements required for a server blade to connect to a data center network. Configuration requirement Enclosure must specify a logical interconnect group Logical interconnect group must have at least one uplink set Uplink set must include at least one network Uplink set must include at least one uplink port Server profile must be assigned to server hardware Why you need it The logical interconnect group defines the standard configurations to be used for the interconnect modules in the enclosure. The uplink set determines which data center networks are permitted to send traffic over which physical uplink ports. The uplink sets defines the networks that are to be accessible from this logical interconnect. The uplink set defines which hardware ports can accept traffic from which networks. The server hardware provides the physical connections to at least one interconnect that is part of the logical interconnect Checklist: connecting a server blade to a data center network 115

116 Configuration requirement Server profile must have at least one connection, which must specify a network or network set If you specify a network set in a server profile connection, the network set must include at least 1 network Why you need it You do not have to know the hardware configuration, but you do have to choose an available network or network set to specify which networks the server is to use. You can think of a network set as an alias through which you can refer to many different networks. If a network set contains no networks, a connection to that network set does not result in a connection to any networks Scenario 1: Adding an enclosure to manage to an existing enclosure group The quickest way to add an enclosure to be managed by the appliance is to specify an existing enclosure group. When you add an enclosure to an existing enclosure group, the enclosure is configured like the other enclosures in the group, including the network connections. Prerequisites Minimum required privileges: Infrastructure administrator or Server administrator. The hardware configuration of the enclosure interconnects must match the configuration expected by the logical interconnect group that is associated with the enclosure group. The uplink sets for the logical interconnect group includes connections to the networks you want to access. All data center switch ports that connect to the Virtual Connect (VC) interconnect modules are configured as described in Data center switch port requirements (page 161). The networks and network sets, if any, have been added to the appliance. To add networks or network sets, see Quick Start: Adding a network to an existing appliance environment (page 111) or Managing networks and network resources (page 157). See Prerequisites for bringing an enclosure into HP OneView (page 182) for prerequisites and preparation you must complete before you add an enclosure. See Prerequisites for bringing server hardware into appliance (page 140) for prerequisites and preparation you must complete before you add a server. 116 Quick Start: Adding an enclosure to manage and connecting its server blades to networks

117 Process esource Enclosures Server Profiles Task 1. Add the enclosure. 2. Do one of the following: Create a server profile and assign it to the server hardware. Copy a server profile and assign it to the server hardware, then modify it as necessary. 3. Power on the server hardware. Description Select Managed for Add enclosure as. Specify an existing enclosure group. Select a firmware baseline and an HP OneView Advanced licensing option. For more information about enclosures, see Managing enclosures and enclosure groups (page 177), the online help for the Enclosures screen, or the EST API scripting help for enclosures. For a server blade to connect to a data center network, it must have a server profile assigned to it, and that server profile must include a connection to either the network or a network set that includes the network: If there is an existing server profile that matches how you want the server hardware configured, you can copy that server profile and assign it to the server hardware. Otherwise, you must create or copy and modify a server profile that includes at least one connection to the network or a network set that contains the network. Server profiles contain much more configuration information than the connections to networks. For more information about server profiles, see Managing server hardware and server profiles (page 137), the online help for the Server Profiles screen, or the EST API scripting help for server profiles Scenario 2: Defining network connectivity before adding an enclosure to manage In this scenario, you configure the logical interconnect group, including its uplink sets, and the enclosure group before you add the enclosure to be managed. After you define those configurations, the process is the same as adding an enclosure to an existing enclosure group. For a step-by-step illustrated example of this scenario, see Provisioning eight host servers for VMware vsphere Auto Deploy (page 344). Prerequisites Minimum required privileges: Infrastructure administrator or Server administrator. The hardware configuration of the enclosure interconnects must match the configuration expected by the logical interconnect group that you create. All data center switch ports that connect to the Virtual Connect (VC) interconnect modules are configured as described in Data center switch port requirements (page 161). The networks and network sets, if any, have been added to the appliance. To add networks or network sets, see Quick Start: Adding a network to an existing appliance environment (page 111) or Managing networks and network resources (page 157). See Prerequisites for bringing an enclosure into HP OneView (page 182) for prerequisites and preparation you must complete before you add an enclosure. See Prerequisites for bringing server hardware into appliance (page 140) for prerequisites and preparation you must complete before you add a server Scenario 2: Defining network connectivity before adding an enclosure to manage 117

118 Process esource Logical Interconnect Groups Enclosure Groups Enclosures Server Profiles and Server Hardware Task 1. Create a logical interconnect group. 2. Create an enclosure group. 3. Add the enclosure. 4. Do one of the following: Create a server profile and assign it to the server hardware. Copy a server profile and assign it to the server hardware, then edit the server profile as necessary. 5. Power on the server hardware. Description You must create a logical interconnect group before you can create an enclosure group. You add uplink sets as part of creating a logical interconnect group. Ensure that at least one of the uplink sets you add includes an uplink port to the data center networks you want to access. For more information about logical interconnect groups, see Managing interconnects, logical interconnects, and logical interconnect groups (page 163), the online help for the Logical Interconnect Groups screen, or the EST API scripting help for logical interconnect groups. You must create a logical interconnect group before you can create an enclosure group. You cannot create an enclosure group that does not specify a logical interconnect group. For more information about enclosure groups, see Managing enclosures and enclosure groups (page 177), the online help for the Enclosure Groups screen or the EST API scripting help for enclosure groups. Select Managed for Add enclosure as. Specify the enclosure group you created. Select a firmware baseline and an HP OneView Advanced licensing option. For more information about enclosures, see Managing enclosures and enclosure groups (page 177), the online help for the Enclosures screen, or the EST API scripting help for enclosures. For a server blade to connect to a data center network, it must have a server profile assigned to it, and that server profile must include a connection to either the network or a network set that includes the network: If there is an existing server profile that matches how you want the server hardware configured, you can copy that server profile and assign it to the server hardware. Otherwise, you must create or copy and modify a server profile that includes at least one connection to the network or a network set that contains the network. Server profiles contain much more configuration information than the connections to networks. For more information about server profiles, see Managing server hardware and server profiles (page 137), the online help for the Server Profiles screen, or the EST API scripting help for server profiles Scenario 3: Defining network connectivity as you add the enclosure to manage In this scenario, you configure the logical interconnect group, including its uplink sets, and the enclosure group during the enclosure add operation. The appliance detects the interconnects installed in the enclosure and prompts you to create a logical interconnect group and enclosure group based on the hardware in the enclosure. Prerequisites Minimum required privileges: Infrastructure administrator or Server administrator. All data center switch ports that connect to the Virtual Connect (VC) interconnect modules are configured as described in Data center switch port requirements (page 161). 118 Quick Start: Adding an enclosure to manage and connecting its server blades to networks

119 The networks and network sets, if any, have been added to the appliance. To add networks or network sets, see Quick Start: Adding a network to an existing appliance environment (page 111) or Managing networks and network resources (page 157). See Prerequisites for bringing an enclosure into HP OneView (page 182) for prerequisites and preparation you must complete before you add an enclosure. See Prerequisites for bringing server hardware into appliance (page 140) for prerequisites and preparation you must complete before you add a server. Process esource Enclosures Logical Interconnect Groups Server Profiles and Server Hardware Task 1. Add the enclosure. 2. Select Create new logical interconnect group. 3. Edit the default logical interconnect group. 4. Do one of the following: Create a server profile and assign it to the server hardware. Copy a server profile and assign it to the server hardware, then edit the server profile as necessary. 5. Power on the server hardware. Description Select Managed for Add enclosure as. Select Create new enclosure group. Select an enclosure group name. Select a firmware baseline and an HP OneView Advanced licensing option. For more information about enclosures, see Managing enclosures and enclosure groups (page 177), the online help for the Enclosures screen, or the EST API scripting help for enclosures. During the enclosure add operation, select Create new logical interconnect group. After you click Add, the appliance discovers the interconnects in the enclosure, creates a default logical interconnect group, and opens an edit screen for that logical interconnect group. The default logical interconnect group name is the enclosure group name you entered followed by interconnect group. For example, if you specified DirectAttachGroup for the enclosure group name, the default logical interconnect group name is DirectAttachGroup interconnect group. You add uplink sets as part of editing the logical interconnect group. Ensure that at least one of the uplink sets you add includes an uplink port to the data center networks you want to access. For more information about logical interconnect groups, see Managing interconnects, logical interconnects, and logical interconnect groups (page 163), the online help for the Logical Interconnect Groups screen, or the EST API scripting help for logical interconnect groups. For a server blade to connect to a data center network, it must have a server profile assigned to it, and that server profile must include a connection to either the network or a network set that includes the network: If there is an existing server profile that matches how you want the server hardware configured, you can copy that server profile and assign it to the server hardware. Otherwise, you must create or copy and modify a server profile that includes at least one connection to the network or a network set that contains the network. Server profiles contain much more configuration information than the connections to networks. For more information about server profiles, see Managing server hardware and server profiles (page 137), the online help for the Server Profiles screen, or the EST API scripting help for server profiles Scenario 3: Defining network connectivity as you add the enclosure to manage 119

120 120

121 13 Quick Start: Configuring an enclosure and server blade for Direct attach to an HP 3PA Storage System This quick start describes the process for adding and configuring an enclosure so that its servers can connect to an HP 3PA Storage System that is directly attached to the enclosure. Prerequisites Minimum required privileges: Infrastructure administrator or Network administrator for adding the networks. Minimum required privileges: Infrastructure administrator or Server administrator for adding the enclosure and server profiles. The HP 3PA Storage System is installed and configured and the cables are attached to the enclosure you want to use. See Prerequisites for bringing an enclosure into HP OneView (page 182) for prerequisites and preparation you must complete before you add an enclosure. See Prerequisites for bringing server hardware into appliance (page 140) for prerequisites and preparation you must complete before you add a server. 121

122 13.1 Process esource Networks Logical Interconnect Groups Enclosure Groups Enclosures Server Profiles Task 1. Add the Fibre Channel direct attach networks. 2. Create a logical interconnect group that defines the uplink sets for the direct attach network connections. 3. Create an enclosure group. 4. Add the enclosure. 5. Do one of the following: Create a server profile and assign it to the server hardware. Copy a server profile, edit it as necessary, and then assign it to the server hardware. 6. After you configure the HP 3PA Storage System, power on the server hardware. Description When you add the networks from the Networks screen: For Type, select Fibre Channel For Fabric type, select direct attach For more information about networks, see Managing networks and network resources (page 157), the online help for the Networks screen, or the EST API scripting help for networks and network sets. Choose a name for the logical interconnect group that helps you distinguish logical interconnect groups that have connections to direct attach Fibre Channel networks from other logical interconnect groups. You add uplink sets as part of creating the logical interconnect group. Ensure that the uplink sets use the uplink ports on the enclosure that are physically connected to the HP 3PA Storage Server. For more information about logical interconnect groups, see Managing interconnects, logical interconnects, and logical interconnect groups (page 163), the online help for the Logical Interconnect Groups screen, or the EST API scripting help for logical interconnect groups. Choose a name that helps you distinguish enclosures that use direct attach Fibre Channel connections from enclosures that use fabric attach Fibre Channel connections. Select Managed for Add enclosure as. Select the enclosure group that you added in the preceding step. Select a firmware baseline and an HP OneView Advanced licensing option. For more information about enclosures, see Managing enclosures and enclosure groups (page 177), the online help for the Enclosures screen, or the EST API scripting help for enclosures. For a server blade to connect to the HP 3PA Storage System, it must have a server profile assigned to it, and that server profile must include at least one connection to the direct attach Fibre Channel network that connects to the storage system. For example, if the networks you added are Direct A and Direct B, ensure that the server profile has one connection to the Direct A network and one connection to the Direct B network. You enable SAN storage through the server profile, in addition to other configuration settings. You must add storage systems, add storage volumes, and then attach to volumes when you create the profile. For more information about server profiles, see Managing server hardware and server profiles (page 137), the online help for the Server Profiles screen, or the EST API scripting help for server profiles. 122 Quick Start: Configuring an enclosure and server blade for Direct attach to an HP 3PA Storage System

123 14 Quick Start: Adding an HP ProLiant DL rack mount server to manage This quick start describes the process for adding a rack mount server to manage. The features supported by the appliance vary by server model. For information about the features supported for HP ProLiant DL servers, see Server hardware management features (page 138). For an illustrated example of this task, see Step by step: Configuring an example data center using HP OneView (page 337). Prerequisites 14.1 Process Minimum required privileges: Infrastructure administrator or Server administrator. The server is connected to a live power source. See Prerequisites for bringing server hardware into appliance (page 140) for prerequisites and preparation you must complete before you add a server. esource Server Hardware Task 1. Add the server using the Server Hardware screen or the EST APIs for the server-hardware resource. 2. Power on the server. Description When you add a server, you must provide the following information: Specify Managed. The ilo IP address or host name. The user name and password for an ilo account with administrator privileges. A license type to use for the server hardware. For more information about server hardware, see Managing server hardware and server profiles (page 137), the online help for the Server Hardware screen, or the EST API scripting help for server hardware. If this server configuration differs from the other servers in the appliance, the appliance automatically adds a server hardware type for this model. Because this is a rack mount server: You cannot use this appliance to provision any networks for this server. The features supported by the appliance vary by server model. For information about the features supported for HP ProLiant DL servers, see Server hardware management features (page 138) Process 123

124 124

125 15 Quick Start: Adding an active/active network configuration This quick start describes the process to add an active/active configuration for an enclosure. Prerequisites Minimum required privileges: Infrastructure administrator or Network administrator for adding networks. Minimum required privileges: Infrastructure administrator or Server administrator for changing the server profile configurations. Two or more fully supported Virtual Connect interconnect modules as listed in the HP OneView Support Matrix. The enclosures and server blades are already added to the appliance. Follow recommended naming conventions described in equirements and best practices for an active/active configuration (page 171). 125

126 15.1 Process For each Virtual Connect interconnect module you want to set up as an active/active configuration in the appliance, make configuration changes to the following resources: esource Networks Task 1. Add a pair of Ethernet networks for each VLAN you want to connect: one network for the first interconnect module and one network for the second interconnect module using the same VLAN ID. For example, create Dev101_A and Dev101_B for VLAN ID 101. Description On the Networks screen: For Name, assign names to the networks according to equirements and best practices for an active/active configuration (page 171) For Type, select Ethernet. For VLAN ID, enter the same ID for both networks. Verify that Smart link is selected. For more information about networks, see Managing networks and network resources (page 157), the online help for the Networks screen, or the EST API scripting help for networks and network sets. Logical Interconnect Groups and Logical Interconnects 2. Add a pair of uplink sets to associate the networks with the uplink ports on the interconnect module. Assign one set of networks to the uplink set that has ports on the first interconnect module. Assign the other networks to the uplink set that has ports on the second interconnect module. For example, uplink port X5 is defined in both sets: UplinkSet_A for bay 1 and UplinkSet_B for bay 2. Dev101_A is assigned to UplinkSet_A, and Dev101_B is assigned to UplinkSet_B. You can either add the networks to existing uplink sets or create new uplink sets for the networks. Uplinks in each uplink set must be restricted to a single interconnect. Duplicate VLAN IDs are not allowed in the same uplink set. For more information, see Managing interconnects, logical interconnects, and logical interconnect groups (page 163), the online help for the Logical Interconnects screen, or the EST API scripting help for logical interconnect groups and the EST API for the uplink-sets resource. NOTE: If you change the name of an uplink set in the Logical Interconnect Groups screen, and then select Actions Update from group on the Logical Interconnects screen, connectivity is interrupted briefly. Network Sets Server Profiles and Server Hardware 3. (Optional) Add one or more pairs of network sets. Each set should include only the networks that will be used on the same server profile connection. For example, create network set DevSet_A for your development Dev_A networks, and create DevSet_B for your development Dev_B networks. 4. Edit the server profile to add two connections. Assign one port for the networks or network sets on one module, and assign a different port for the networks or network sets on the other module. Adding a network to a network set does not require that you take resources offline. You do not need to update server profiles that have connections to the network set. Duplicate VLAN IDs are not allowed in a network set. Each network set should have multiple networks. For more information about network sets, see Managing networks and network resources (page 157), the online help for the Network Sets screen, or the EST API scripting help for networks and network sets. Powering off the server before changing the server profile is optional. When adding a connection to the server profile, select the physical port connected to the module with the uplink set containing the networks configured for that connection. Do not select Auto. For more information about server profiles, see Managing server hardware and server profiles (page 137), the online help for the Server Profiles screen, or the EST API scripting help for server profiles. 126 Quick Start: Adding an active/active network configuration

127 esource Task Make sure the networks associated with the uplink ports in the uplink set match the networks assigned to the profile connections in the downlink ports. For example, Connection1 is LOM1:1-a for DevSet_A, and Connection2 is LOM1:1-b for DevSet_B. 5. Power on the server. Description 15.1 Process 127

128 128

129 16 Quick Start: Migrating from an active/standby to an active/active network configuration This quick start describes the process of migrating from an existing active/standby configuration to an active/active configuration for an enclosure. Prerequisites 16.1 Process Minimum required privileges: Infrastructure administrator or Network administrator for adding networks. Minimum required privileges: Infrastructure administrator or Server administrator for changing the server profile configurations. Two or more fully supported Virtual Connect interconnect modules as listed in the HP OneView Support Matrix. Follow recommended naming conventions described in equirements and best practices for an active/active configuration (page 171). When migrating from an active/standby configuration to an active/active configuration, make configuration changes to the following resources: esource Task Description Logical Interconnect Groups 1. Find the uplink set that you want to convert to active/active. 2. ecord all networks in that uplink set. For more information, see Managing interconnects, logical interconnects, and logical interconnect groups (page 163), the online help for the Logical Interconnect Groups screen, or see the EST API scripting help for logical interconnect groups. Networks 3. ename the networks by adding <side> to the network name, as described in equirements and best practices for an active/active configuration (page 171) (for example, Dev_100_A). 4. Create Ethernet networks using the same external VLAN ID for each network renamed in step 3 (for example, Dev_100_B). On the Networks screen: For VLAN ID, use the same external VLAN ID for each network renamed in step 3. Verify that Smart link is selected. For more information about networks, see Managing networks and network resources (page 157), the online help for the Networks screen, or the EST API scripting help for networks and network sets Process 129

130 esource Network Sets Task 5. (Optional) Add network sets for the networks created in step 4. Description Adding a network to a network set does not require that you take resources offline. You do not need to update server profiles that have connections to the network set. Duplicate VLAN IDs are not allowed in a network set. For more information about network sets, see Managing networks and network resources (page 157), the online help for the Network Sets screen, or the EST API scripting help for networks and network sets. Logical Interconnect Groups and Logical Interconnects 6. Determine if all logical interconnects have active and standby uplink ports on the same modules. If the standby uplinks are on the same module, go to step 7. If the standby uplinks are on different modules, force a failover so that all standby uplinks are on the same module. Go to step Edit the active/standby uplink set and delete the standby uplinks. 8. Create a second uplink set for the standby uplinks removed in step Add the networks created in step 4 to the new uplink set. For example, UplinkSet_B contains all Dev_B networks. 10. Select Actions Update from group. The active uplinks maintain traffic so there is no downtime. To determine the port status (active or standby), access the Logical Interconnects screen and review the state of each port in the Uplink Sets view. HP recommends deleting the standby uplinks from the original uplink set, and then adding them to the new uplink set. This method prevents connectivity loss. If you change the name of an uplink set on the Logical Interconnect Groups screen, and then select Actions Update from group on the Logical Interconnects screen, connectivity is interrupted briefly. For more information, see Managing interconnects, logical interconnects, and logical interconnect groups (page 163), the online help for the Logical Interconnects screen, or the EST API scripting help for logical interconnects and the EST API for the uplink-sets resource. Server Profiles and Server Hardware Logical Interconnect Groups and Logical Interconnects 11. Edit the server profile to add a connection for the new networks or network sets. 12. Edit the logical interconnect group and rename the original uplink set by adding <side> to the name, as described in equirements and best practices for an active/active configuration (page 171) (for example, UplinkSet_A). Do not make any changes other than the uplink set name. 13. Select Actions Update from group. Powering off the server before changing the server profile is optional. Change every server profile connection associated with the port servicing the original standby uplinks. Assign the new networks or network sets created in steps 4 or 5 to the port. For more information about server profiles, see Managing server hardware and server profiles (page 137), the online help for the Server Profiles screen, or the EST API scripting help for server profiles. For more information, see Managing interconnects, logical interconnects, and logical interconnect groups (page 163), the online help for the Logical Interconnects screen, or the EST API scripting help for logical interconnects and the EST API for the uplink-sets resource. 130 Quick Start: Migrating from an active/standby to an active/active network configuration

131 17 Quick Start: Configuring an HP 5900 for management by HP OneView To add an HP 5900 to the appliance as a SAN manager, you must configure the switch as described in this document. The following procedures describe how to configure an HP 5900 using the switch software so that you can add it to HP OneView. See also: The SAN Managers chapter in the UI help The SAN Managers chapter in the EST API scripting help See the HP OneView Support Matrix for more information about supported SAN managers. NOTE: In a cascaded switch environment, all zone and zone alias operations should be performed from a single switch that is added as SAN manager (device manager) in HP OneView. Zone and zone aliases created through other switches in the fabric will not be visible in HP OneView. Table 7 Enable SSH and create an SSH user Configuration Enable SSH on the HP 5900 and create an SSH user (named a5900 with password sanlab1 in this example) on the HP 5900 using the HP 5900 software: 1. system-view 2. public-key local create rsa 3. public-key local create dsa 4. ssh server enable 5. user-interface vty authentication-mode scheme 7. quit 8. local-user a5900 class manage 9. password simple sanlab1 10. service-type ssh 11. authorization-attribute user-role network-admin 12. quit 13. ssh user a5900 service-type stelnet authentication-type password 131

132 Table 8 Create an SNMPv3 user Configuration The 5900 has a predefined view named ViewDefault. This view grants access to the iso MIB but does not provide access to the snmpusmmib, snmpvasmmib, snmpmodules.18 MIBs. The following steps show how to assign a SNMP v3 user with default read permission. Create an SNMPv3 user with default read permissions Use this procedure if you want the user to have the default level of access. 1. Enter system-view on the HP 5900 by issuing the command: system-view 2. Create a group (named DefaultGroup in this example) and set eadview permission to ViewDefault: snmp-agent group v3 DefaultGroup privacy read-view ViewDefault 3. Create an SNMPv3 user (named defaultuser with MD5 authentication password authpass123 and AES-128 privacy password privpass123 in this example) and add it to the group created in Step 1: snmp-agent usm-user v3 defaultuser DefaultGroup simple authentication-mode md5 authpass123 privacy-mode aes128 privpass Save the changes: save NOTE: AES-128 DES-56 HP OneView supports the following privacy protocols: 132 Quick Start: Configuring an HP 5900 for management by HP OneView

133 Part IV Configuration and management The chapters in this part describe the configuration and management tasks for the appliance and the resources it manages.

134 134

135 18 Best practices HP recommends the following best practices for HP OneView: Best practices for managing a VM appliance (page 230) Best practices for maintaining a secure appliance (page 55) Best practices for backing up an appliance (page 226) Best practices for restoring an appliance (page 329) Best practices for managing firmware (page 198) Best practices for monitoring health with the appliance UI (page 240) 135

136 136

137 19 Managing server hardware and server profiles Managing servers with the appliance involves interacting with several different resources on the appliance: A server profile captures the entire server configuration in one place, enabling you to consistently replicate new server profiles and to rapidly modify them to reflect changes in your data center environment. A server profile enables management of your server hardware. An instance of server hardware is a physical server, such as an HP ProLiant BL460c Gen8 Server Blade, installed in an enclosure or an HP ProLiant DL380p rack mount server. A server hardware type defines the characteristics of a specific server model and set of hardware options, such as mezzanine cards. A connection, which is associated with a server profile, connects a server to the data center networks. Server profiles provide most of the management features for servers, but server hardware and server profiles are independent of each other: A physical server, which is an instance of server hardware, might or might not have a server profile assigned to it. A server profile might be assigned to one instance of server hardware, or no server hardware at all. It is the combination of the server hardware and the server profile assigned to it that is the complete server in the appliance. You must use the server hardware resource to add physical servers to the appliance when you install a rack mount server. Server blades are added to the appliance automatically when you add an enclosure or install a server blade in an existing enclosure. UI screens and EST API resources UI screen Server Profiles Server Hardware Server Hardware Types EST API resource server-profiles and connections server-hardware server-hardware-types 19.1 Managing server hardware Server hardware represents an instance of server hardware, such as a physical server blade installed in an enclosure, or a physical rack server. A server hardware type captures details about the physical configuration of server hardware, and defines which settings are available to the server profiles assigned to that type of server hardware Managing server hardware 137

138 oles Minimum required privileges: Infrastructure administrator or Server administrator Tasks for server hardware The appliance online help provides information about using the UI or the EST APIs to: Get information about the server hardware. Power on and power off a server. eset a server. Launch the ilo remote console to manage servers remotely. Add or edit a rack mount server. Add a server blade to an existing enclosure. Claim a server currently being managed by another appliance. emove a server from management. emove a server blade from an existing enclosure. efresh the connection between the appliance and the server hardware. View activities Server hardware management features The appliance supports the following features on server hardware when added as managed. Feature Supported Server Hardware HP ProLiant BL G7 1 HP ProLiant BL and WS Gen8 and HP ProLiant BL and WS Gen9 HP ProLiant DL Gen8 and HP ProLiant DL Gen9 Power on or power off the server View inventory data Monitor power, cooling, and utilization 2 Monitor health and alerts With manual installation and configuration of SNMP Agents NOTE: SNMP Agents are not available on ESXi Launch ilo remote console SSO (single sign-on) to ilo web interface Automatic firmware upgrade (ilo) to minimum supported version when added to the appliance ack visualization and editing Automatic discovery of server hardware type Server profile features BIOS settings Managing server hardware and server profiles

139 Feature Supported Server Hardware HP ProLiant BL G7 1 HP ProLiant BL and WS Gen8 and HP ProLiant BL and WS Gen9 HP ProLiant DL Gen8 and HP ProLiant DL Gen9 Firmware Connections to networks Boot order 4 5 Local storage 6 SAN storage 1 The appliance might report an unsupported status for some double-wide, double-dense ProLiant G7 server blade models, which means that the appliance cannot manage them. 2 Not all servers support monitoring power, cooling, and utilization. 3 HP ProLiant DL580 Gen8 is not supported. 4 Due to a limitation in Gen9 BL server OMs dated 8/27 or earlier, it is not possible to set the primary boot device when the boot mode is set to UEFI or UEFI Optimized. If Manage boot order is selected, a warning will be displayed in the corresponding profile indicating this condition. 5 HP ProLiant DL580 Gen8 is not supported. 6 Only supported with the embedded array controller Server hardware monitoring features When you monitor server hardware, the appliance supports the following features. Feature Monitored Server Hardware HP ProLiant BL and DL G6 (with ilo2) HP ProLiant BL and DL G7 HP ProLiant BL and DL Gen8 HP ProLiant BL and DL Gen9 Power on or power off the server Monitor power, cooling, and utilization 1 Monitor health and alerts With manual installation and configuration of SNMP Agents With manual installation and configuration of SNMP Agents Launch ilo remote console SSO (single sign-on) to ilo web interface Automatic discovery of server hardware type 2 1 Not all servers support monitoring power, cooling, and utilization. 2 HP ProLiant DL G7 servers do not have automatic discovery of server hardware type Managing server hardware 139

140 Prerequisites for bringing server hardware into appliance Item Server hardware model ilo firmware IP addresses Local user accounts equirement The server hardware must be a supported model listed in the HP OneView Support Matrix. The server hardware is connected to a live power source. The ilo (Integrated Lights-Out) firmware version must meet the minimum requirement listed in the HP OneView Support Matrix. IPv4 configuration is required. ilos on rack mount server hardware must have an IP address. ilos must be configured to allow for local user accounts About server hardware A server hardware resource represents an instance of HP ProLiant BL server blades installed in enclosures and ProLiant DL rack mount servers. Server blades are automatically detected by the appliance when the enclosure is added. If you are adding a rack server, you must add it manually to the appliance. To define the configuration for a server hardware resource, assign a server profile to it. There are different ways servers can be added into HP OneView. Managed Monitored HP OneView manages the server enabling you to apply configurations, deploy server profiles, monitor operation status, collect statistics, and alert users to specific conditions. Server blades are managed in an enclosure. Managed servers and enclosures require an HP OneView Advanced or an HP OneView Advanced w/o ilo license. See License types (page 149). HP OneView monitors the hardware for inventory and hardware status only. The server is managed outside of HP OneView. Server blades are monitored in an enclosure. Monitored servers and enclosures use a free license called HP OneView Standard. See License types (page 149). For all server hardware, you can launch either the ilo web UI or the remote console from the appliance. To learn more about server hardware, see the following topics: Server hardware management features (page 138) Server hardware monitoring features (page 139) About unsupported server hardware (page 141) Server hardware (page 38) Connectivity and synchronization with the appliance The appliance uses the ilo or Onboard Administrator to monitor the connectivity status of server hardware. If the appliance loses connectivity with server hardware, a notification is displayed until connectivity is restored. The appliance attempts to resolve connectivity issues and clear the alert automatically, but if it cannot, you have to resolve the issue and manually refresh the server hardware to synchronize it with the appliance. The appliance also monitors server hardware to remain synchronized with changes to hardware and configuration settings. However, some changes to devices made outside of the control of the appliance (from ilo or the OA, for example) might cause them to lose synchronization with the appliance. You might have to manually refresh devices that lose synchronization with the appliance. 140 Managing server hardware and server profiles

141 You can manually refresh the connection between the appliance and server hardware from the Server Hardware screen. See the online help for the Server Hardware screen to learn more. NOTE: HP recommends that you do not use the ilo or the OA to make changes to a device if the device is managed by the appliance. Making changes to a device from its ilo or OA could cause it to lose synchronization with the appliance How the appliance handles unsupported hardware Unsupported hardware is any device that the appliance cannot manage. Unsupported devices are similar to unmanaged devices in that all unsupported devices are not managed by the appliance. The difference is that you can bring unmanaged devices under management of the appliance if you take the appropriate actions or properly configure them. Unsupported hardware can never be managed by the appliance. The appliance detects the unsupported hardware and displays the model name and other basic information that it obtains from the device for inventory purposes. The appliance also accounts for the physical space unsupported devices occupy in enclosures and racks. To account for the space a device occupies, the appliance represents unsupported hardware the same way it represents unmanaged devices. The action available for unsupported hardware is emove About monitored server hardware You can add rack mount and blade servers in order to inventory and monitor the hardware. This is useful when you have servers that have already been deployed. The monitoring feature is available for all G6 and later ProLiant servers with ilo 2, ilo 3, or ilo 4. You can manage the enclosures, server profiles, and Virtual Connect infrastructure through VCM or VCEM. You cannot manage server profiles for monitored server hardware in HP OneView. A benefit of monitoring server hardware is that the basic functionality of inventory and monitoring can be done with a free license called HP OneView Standard. See "Add a rack mount server to monitor the hardware" in the online help. For monitored hardware counts, preform the following steps: 1. From the Server Hardware screen, click in the Smart Search box and for Scope select Server Hardware. 2. In the Smart Search box, type state:monitored and press Enter. The master pane will display all monitored server hardware About unsupported server hardware The appliance cannot manage unsupported server hardware. However, you can place unsupported server hardware in enclosures or racks. Adding unsupported server hardware to the appliance enables you to account for the physical space it occupies in an enclosure or rack for planning and inventory purposes. The appliance displays basic information about unsupported server hardware that it obtains from the ilo or the OA. When the appliance detects unsupported server hardware, it places the hardware in the Unsupported state. You can perform a remove action on unsupported server hardware to remove it from the appliance About unmanaged devices An unmanaged device is a device, such as a server, enclosure, KVM (keyboard, video and mouse) switch, in-rack monitor/keyboard, or router, that occupies space in a rack and/or consumes power but is not managed by the appliance Managing server hardware 141

142 Unmanaged devices are created automatically to represent devices that are attached to an HP Intelligent Power Distribution Unit (ipdu) using HP Power Discovery Services connections. BladeSystem enclosures and HP ProLiant DL series servers are shown in the unmanaged or unsupported state in the Enclosures and Server Hardware in the master pane, respectively. These will be represented as unmanaged enclosures and servers; as such, they are not included in the Unmanaged Devices resource list. When creating an unmanaged device, you provide its name, model description, height in U-slots and maximum power requirements. These values are used in power and cooling capacity analysis and enable alerts to be generated identify potential power and cooling issues. Because there is no communication to the unmanaged device, the status is disabled unless appliance-generated alerts identify issues to be addressed. For purposes of power configuration, unmanaged devices are assumed to have two power supply connections to support redundant power. These are identified as power supplies 1 and 2. If an unmanaged device does not support redundant power, connect only power supply 1, then clear the alert about lack of redundant power to the device. For devices that are not discovered through HP Power Discovery Services connections, you can manually add these devices to the appliance for tracking, inventory, and power management purposes Tasks for server hardware types The appliance online help provides information about using the UI or the EST APIs to: Edit the name or description of the server hardware type. Delete a server hardware type About server hardware types A server hardware type defines the physical configuration for server hardware and defines the settings that are available to server profiles to be assigned to that type of server hardware. For example, the server hardware type for the HP ProLiant BL460c Gen8 Server Blade includes a complete list of BIOS settings and the defaults for that model. The appliance creates server hardware types according to the server hardware it detects. The server hardware type is used when you create a server profile to show which settings are available. If a suitable server hardware type already exists, it is reused when you create a server profile for a server blade or rack server, otherwise a new server hardware type is created automatically Effects of managing server hardware ilos When server hardware is being managed by the appliance, the effect to the server hardware ilo is: A management account is created. SNMP is enabled and the appliance is added as an SNMP trap destination. NOTE: Health monitoring is not enabled on ProLiant G6 or ProLiant G7 ilo3 server hardware until the HP management agents are installed on the OS and the SNMP service is configured with the same SNMP read community string shown on the Settings screen. NTP is enabled and the appliance becomes the server hardware s NTP time source. An appliance certificate is installed to enable single sign-on operations. 142 Managing server hardware and server profiles

143 ilo firmware is updated to the minimum versions listed in the HP OneView Support Matrix for managed servers. The ilo time zone is set to Atlantic/eykjavik as recommended by the ilo documentation. The time zone setting determines how the ilo adjusts UTC time to obtain the local time and how it adjusts for daylight savings time (summer time). For the entries in the ilo event log and IML to display the correct local time, you must specify the time zone in which the server is located. If you want ilo to use the time provided by the SNTP server, without adjustment, configure the ilo to use a time zone that does not apply an adjustment to UTC time. In addition, that time zone must not apply a daylight saving time (summer time) adjustment. There are several time zones that fit this requirement. One example is the Atlantic/eykjavik time zone. This time zone is neither east nor west of the prime meridian and time does not change in the Spring or Fall Managing server profiles oles Servers are represented and managed through their server profiles. A server profile captures key aspects of a server configuration in one place, including firmware levels, BIOS settings, network connectivity, boot order configuration, ilo settings, and unique IDs. Minimum required privileges: Infrastructure administrator or Server administrator Tasks for server profiles The appliance online help provides information about using the UI or the EST APIs to: Get information about a server profile. Add a SAN volume to a server profile. Boot from an attached SAN volume. Create and apply a server profile. Copy, edit, or delete a server profile. Install a firmware bundle using a server profile. Connect the server to data center networks by adding a connection to a server profile. Manage local storage of a server. Manage SAN storage by attaching new or existing SAN volumes to the server profile. Manage the boot settings of a server. Manage the BIOS/UEFI settings of a server. Manage virtual or physical IDs for the server hardware. Move a server profile to another server. Power on and off the server hardware to which the server profile is assigned. Specify identifiers and addresses when creating a server profile. View activities Managing server profiles 143

144 About server profiles Capturing best-practice configurations (page 144) About editing a server profile (page 145) About moving a server profile (page 146) About attaching SAN volumes to a server profile (page 146) Working with server profiles to control remove-and-replace behavior (page 147) About assigning a server profiles to an empty device bay (page 147) Capturing best-practice configurations After setting up your data center, you can create hardware server profiles to provision hundreds or thousands of servers as easily as you provision one server. A server profile is the configuration for a server instance. Server profiles capture the entire server configuration in one place, enabling you to consistently replicate new server profiles and to rapidly modify them to reflect changes in your data center. A server profile includes: Basic server identification information Connectivity settings for Ethernet networks, network sets, and Fibre Channel networks Firmware versions Local storage settings SAN storage settings Boot settings BIOS/UEFI settings Physical or virtual UUIDs, MAC addresses, and WWN addresses When you create a server profile, you can specify the server hardware to which you want to apply the profile, or leave it unassigned if the server hardware is not yet installed or to use as a template to create other server profiles. Typically, you capture best-practice configurations in a server profile template, and then copy and deploy instances as individual server profiles. Similar to virtual machine (VM) templates, profiles enable you to create a provisioning baseline for server hardware types in an enclosure. When you create a server profile, it is designated for a server hardware type and enclosure group (for server blades), whether the profile is assigned or unassigned. Server hardware can have only one profile assigned to it. By default, server boot behavior is controlled by the server profile. The available options are determined by the server hardware type you select in the server profile. If applicable, you can select the boot mode and PXE boot policy. You also have the option of specifying the order in which the server hardware attempts to boot. By selecting to manage BIOS and Unified Extensible Firmware Interface (UEFI) settings through the appliance, you have the option to view all settings, only those you have modified, or only those that are different than the default values. The BIOS/UEFI settings displayed depend on the supported server hardware. HP ProLiant Gen9 servers support both legacy BIOS and UEFI for configuring the boot process while HP ProLiant Gen8 are legacy BIOS mode servers only. For more information about UEFI, see UEFI FAQs at Unified Extensible Firmware Interface Forum. Applying the sections of a server profile to server hardware is a sequential process. The screen displays the current section being applied, followed by other sections that have been applied successfully. If a server profile needs to be reapplied due to an error, only the unconfigured sections and unapplied sections are reapplied. For example, if a firmware update succeeds, but the 144 Managing server hardware and server profiles

145 subsequent BIOS portion of the apply operation fails, the firmware is not applied a second time when the profile is reapplied. This helps to prevent unnecessary and time-consuming updates for the profile. Best practice: Perform server profile management tasks on one enclosure at a time For best performance, create, delete, edit, copy, or move server profiles for server hardware in one enclosure before managing server profiles in a different enclosure About editing a server profile Edit a server profile to change the settings associated with that profile. You can edit a server profile any time after it has been created. You can also edit a server profile with an Error condition to make corrections. When you edit a server profile, the state of the server changes. The appliance analyzes the changes and determines the actions needed to update the server. For example, if you change the BIOS settings but not the firmware baseline, the firmware is not updated. Only the requested changes are applied. NOTE: If you change the server settings or state using tools other than the appliance, the changes are not detected or managed. These changes might be overwritten the next time the profile is edited. When you edit a server profile, consider the following: Editing a profile is an asynchronous operation. Name and description changes take effect immediately, but other changes might take time to complete. Profile names must be unique. To make changes to the logical drive options, and potentially prevent data loss, you must select Initialize local storage. When unassigning a server profile with local storage configured, the logical drive contents are at risk of being lost. To preserve the logical drive, physically remove the disk drives or make a copy of the contents of the logical drive so that you can reassign the profile at a later time. Changing a BIOS setting in a server profile overrides the BIOS settings specified using any other method. BIOS settings are associated with the profile and server type, not the server hardware. You cannot switch between virtual and physical identifiers for the following: Serial number/uuid MAC address WWN To edit some server profile settings, the server hardware must be powered off; for others, the server hardware can remain powered on. You can edit the following settings with the server hardware powered on: Profile name Profile description Profile affinity equested bandwidth of an existing connection Network and network set of an existing connection 19.2 Managing server profiles 145

146 NOTE: You cannot change an existing connection between an Ethernet network or network set and a Fibre Channel network. A Fibre Channel network can only be changed to another Fibre Channel network on the same interconnect. Create, attach, and edit storage volumes About moving a server profile You can move a server profile to another piece of server hardware, for example, if you are removing one piece of server hardware and replacing it with another that is similar. The move operation enables you to quickly change the hardware destination without rebuilding the entire server profile. If you cannot move a server profile directly to the new server hardware, you can change it to unassigned. This enables you to retain server profiles that are not currently assigned to any server. BIOS settings are associated with the profile and server type, not the server hardware. If you move the profile to another server or to unassigned, the profile retains the BIOS settings. IMPOTANT: When you move a server blade profile to a different enclosure, and the profile is configured to boot from a direct attach storage device, you must manually update the boot connection of the profile to specify the WWPN that is used for the storage device that is directly attached to the destination enclosure. Each enclosure connects to a different port of the direct attach storage device, so the WWPN for that storage device is different for each enclosure. If you do not specify the correct WWPN and LUN for the device, the server does not successfully boot from that boot target. IMPOTANT: When you move a server blade profile to a different server, and the profile is managing local storage, you must manually move the physical disks from the original server to the new server in order to preserve your data About attaching SAN volumes to a server profile Volumes are associated with server profiles through volume attachments. Attaching a volume to a server profile gives the server hardware assigned to the server profile access to storage space on a storage system. As you create or edit a server profile, you can attach an existing volume or dynamically create a new volume to attach. Newly created volumes can be marked as permanent so that they continue to exist after they are removed from the profile or if the profile is deleted. Otherwise, a non-permanent volume is deleted when the server profile is deleted. Properties for attaching a volume can be configured through the server profile. For example, you have the ability to enable and disable storage paths from the server to the SAN storage. Storage targets Within a server profile, storage target ports for volume attachment can be assigned automatically or you can manually assign available ports. The target ports that are assigned automatically will belong to same port group. Target ports that you assign manually can belong to the same or different port groups. Port groups are created when you add a storage system to HP OneView. Manual target selection is supported for Fabric attach paths only, not Direct attach paths. Existing HP 3PA volumes On HP 3PA StoreServ Storage systems, a host sees VLUN allows only a specific host to see a volume and a matched set VLUN allows only a specific host on a specific port to see the volume. 146 Managing server hardware and server profiles

147 To reuse a host sees configuration in HP OneView when adding an existing 3PA volume to a profile, you need to enter the exact LUN value as configured on the 3PA array. In HP OneView, use the Manual LUN option to add the exact LUN value in the Add Volume dialog. To reuse end-to-end connectivity for the volume, manually specify the following: LUN value (matching the LUN on the 3PA storage system) Target ports Also, to attach (export) a 3PA volume as host sees, all storage paths to that volume must be enabled or disabled together. Some paths cannot be enabled while some are disabled. For more information, download the HP 3PA StoreServ Storage Concepts Guide from the HP Storage Information Library Working with server profiles to control remove-and-replace behavior In a server profile, the Affinity control sets the remove-and-replace behavior for blade servers. If you apply a server profile to a blade server and the server is subsequently removed from the device bay, the Affinity setting controls whether the server profile is reapplied when you insert a server blade into the empty bay. Server profiles for rack servers do not have affinity. Affinity value Device bay Device bay + server hardware Description The server profile you assign to the (empty) device bay is applied to any server blade you insert into the bay, provided the server hardware type of the inserted server blade matches the server hardware type specified in the server profile. Device bay affinity is the default. The server profile you assign to the (empty) device bay is not applied if you insert a different server into the bay. The serial number and server hardware type of the inserted server blade must match the values in the server profile. Affinity between the server profile and the server hardware is established one of the following conditions is met: The server profile is assigned to server hardware in a device bay The server profile is assigned to an empty device bay and you subsequently insert a server blade with a matching server hardware type into the bay. Editing a server profile resets its server hardware affinity. If you assign the server profile to a populated device bay, the server hardware in the bay becomes associated with the profile. If the server profile is unassigned or assigned to an empty device bay, any current association is cleared About assigning a server profiles to an empty device bay You can assign a server profile to an empty bay. The server profile is applied automatically to the server hardware when a server is inserted into the bay, which must meet the following criteria: The enclosure bay is not reserved for another server profile. The enclosure bay is not assigned by another server profile (for example, you cannot assign a profile to bay 9 if a profile for a full-height server hardware type is assigned to bay 1). The server profile assigned is for the correct configuration (for example, you cannot assign a profile for a full-height server hardware type to a bay that supports half-height servers only). When you create the server profile, select Device bay or Device bay + server hardware UUID affinity. If you select the affinity Device bay + server hardware UUID for an empty bay, the UUID is set when a matching server hardware type is inserted into the bay Learning more Understanding the resource model (page 35) About enclosures (page 177) 19.3 Learning more 147

148 Managing licenses (page 149) Troubleshooting server hardware (page 312) Troubleshooting server profiles (page 314) 148 Managing server hardware and server profiles

149 20 Managing licenses You manage licenses from the Settings screen or by using the EST APIs UI screens and EST API resources UI screen Settings EST API resource licenses 20.2 oles Minimum required privileges: Infrastructure administrator 20.3 Tasks for licenses The appliance online help provides information about using the UI or the EST APIs to: Add a license key to the appliance license pool. Specify a license policy as part of adding an enclosure. Specify a license type as part of adding a rack mount server. View licensing status information through license graphs. View a list of server hardware that has been assigned a specific license type About licensing This topic describes the types of licenses, how to purchase licenses, how licenses are delivered, and how to determine how many licenses you have available License types The following types of licenses are available for managing or monitoring hardware in HP OneView. Managed hardware licenses The following HP OneView Advanced licenses provide support as listed below, and in addition, enable integration with other products. For more information, see Integration with other management software (page 32). HP OneView Advanced Provides an HP OneView Advanced license and an ilo Advanced license. This license is intended for server hardware and enclosures you want to manage with HP OneView. See Purchasing or obtaining licenses (page 150) and HP OneView licensing (page 20) for more information. HP OneView Advanced w/o ilo Provides an HP OneView Advanced license only. This license is intended for server hardware you want to manage with HP OneView. This license is for servers with ilos that are already licensed, or server hardware for which you do not require an ilo license. See Purchasing or obtaining licenses (page 150) and HP OneView licensing (page 20) for more information UI screens and EST API resources 149

150 For examples, see Licensing scenarios (page 151). Monitored hardware license HP OneView Standard An HP OneView Advanced w/o ilo license provides support for all server hardware features on the appliance, with the following exceptions: Server hardware without an ilo Advanced license does not display utilization data. ack mount servers without an ilo Advanced license cannot access the remote console. Provides an HP OneView Standard license for all monitored server hardware. This license is automatically selected: for the enclosure when adding a monitored enclosure for the server when adding a monitored server for all ProLiant G6 server blades or the G7 BL680 server blade when adding a managed enclosure HP OneView does not manage the hardware running with an HP OneView Standard license. See About monitored enclosures (page 180) for more information. When you add an enclosure or rack mount server to the appliance, you must specify one of these licenses. For examples, see Licensing scenarios (page 151) Purchasing or obtaining licenses HP OneView requires a license for each server that it manages or monitors. For monitored servers or enclosures, an HP OneView Standard license is automatically applied at no charge. For managed servers or enclosures, an HP OneView Advanced or HP OneView Advanced w/o ilo license is required. Purchasing factory-integrated (embedded) software and hardware provides the best licensing experience because the Advanced license is delivered on the hardware and is registered automatically when you register the hardware. If you purchase nonintegrated licenses, you must activate and register the licenses using the HP licensing portal at My HP Licensing. After you register your licenses, you add the license keys to the appliance. For examples, see Licensing scenarios (page 151). EULA The appliance has a EULA (End-User License agreement) that you must accept before using the appliance for the first time. You can view the EULA from the Help sidebar and online at Licensing and utilization statistics The appliance gathers and reports utilization statistics for server hardware that has an ilo Advanced license, including monitored servers and enclosures. Utilization statistics are not available for server hardware that does not have an ilo Advanced license. 150 Managing licenses

151 Licensing scenarios The way in which the appliance handles license assignments depends on the following: Whether the enclosure or server hardware has an embedded license The license type you choose when you add the enclosure or server hardware Whether there are available licenses in the appliance license pool (for server hardware without an embedded license) The following table describes how the appliance handles licensing for different user actions. Table 9 Licensing scenarios User action License policy or type esult Notes Add a managed enclosure with embedded HP OneView Advanced or HP OneView Advanced w/o ilo license. The embedded license takes precedent over the enclosure license policy you select. Embedded OA licenses are added to the appliance pool and applied to server hardware that is not licensed. Because the embedded licenses from an enclosure are placed in a pool, these licenses are available to apply to any server managed by the appliance. Add managed server hardware with embedded HP OneView Advanced or HP OneView Advanced w/o ilo license. Add managed server hardware with an existing, permanent ilo Advanced license. Add a managed enclosure or server hardware with no embedded license. Add a managed enclosure with ProLiant G6 servers. Add enclosure to monitor the hardware Embedded licenses are applied to the server hardware regardless of the license type you select. The server hardware will be assigned an HP OneView Advanced w/o ilo license regardless of the license policy or type. Any Any All the server hardware in the enclosure will be assigned an HP OneView Standard license. Embedded licenses are assigned to the server hardware on which they reside. HP OneView Advanced w/o ilo Licenses available in the pool The appliance assigns a license to the server hardware. No HP OneView Advanced w/o ilo licenses available in the pool The appliance issues a warning that there are not enough licenses to satisfy the policy. Licenses available in the pool The appliance assigns a license to the server hardware. No licenses available in the pool The appliance issues a warning that there are not enough licenses to satisfy the policy. The G6 servers will be assigned an HP OneView Standard license while the other servers are assigned the HP OneView Advanced or HP OneView Advanced w/o ilo license you specified. HP OneView Standard license The appliance automatically assigns this license when adding an enclosure for monitoring the hardware. Embedded licenses on monitored server hardware are ignored. After the 60-day trial period, a message notifies you when there are not enough licenses for the number of managed server hardware About licensing 151

152 Table 9 Licensing scenarios (continued) User action License policy or type esult Notes emove a monitored enclosure HP OneView Standard The license is unassigned from the server hardware. emove managed server hardware. HP OneView Advanced (applied to server hardware). The license remains assigned to the server hardware. If the server hardware is re-added, it will be assigned the same license. emoving server hardware with licenses assigned to them can cause the number of licensed servers shown in the licensing graphs to be greater than the number of servers currently being managed because the licenses are still being counted as assigned to server hardware. emove managed server hardware. HP OneView Advanced w/o ilo or HP OneView Advanced (license not yet applied to server). The license is unassigned from the server hardware HP OneView Advanced licensing for managing server hardware This topic provides information about server hardware licensing including server blades and rack mount servers. This section applies to HP OneView Advanced and HP OneView Advanced w/o ilo licenses only. The appliance uses server-based licensing, but server blades and rack mount servers are managed differently. Server blade licenses are managed at the enclosure level, and rack mount server licenses are managed at the server level. When you add an enclosure, you specify a license policy for all server blades in the enclosure. When you add a rack mount server, you specify a license type for that server. Both policy and type refer to either of the two licenses: HP OneView Advanced or HP OneView Advanced w/o ilo. An HP OneView Advanced w/o ilo license provides support for all server hardware features on the appliance, with the following exceptions: Server hardware without an ilo Advanced license does not display utilization data. ack mount servers without an ilo Advanced license cannot access the remote console. NOTE: The appliance applies embedded (integrated) licenses to managed server hardware on which they reside Server blade licensing at the enclosure level A server blade licensing policy at the enclosure level is an efficient way to handle licensing for all servers in an enclosure. When you add an enclosure to the appliance, you must choose a server hardware license policy. This sets the licensing policy for all server hardware in the enclosure. You cannot change the policy for an enclosure unless you remove and re-add the enclosure. For more information on how the appliance handles enclosure licenses, see About licensing (page 149). 152 Managing licenses

153 NOTE: A license embedded on a managed server blade will override the enclosure license policy. If you add a managed server blade with an embedded license, the appliance assigns the embedded license to that server, regardless of the enclosure license policy. Embedded licenses on monitored server hardware are ignored. Enclosure licensing policy behavior When you add a managed enclosure to the appliance: You must choose a licensing policy: HP OneView Advanced or HP OneView Advanced w/o ilo. A license embedded on the OA (Onboard Administrator) is added to the appliance license pool. If the server blade does not have an embedded license, the appliance attempts to assign a license from the pool. If there are not enough licenses to satisfy the policy, a notification is displayed that instructs you on how to address the issue. If you add server blades to the enclosure after it has been added to the appliance, the server hardware will use the enclosure license policy. There is no guarantee that an embedded OA license will be applied to the server blades in the enclosure that contains the embedded license. Licenses embedded on a server ilo are automatically added to the appliance and applied to the server hardware on which they are embedded. If the server hardware has an existing permanent ilo Advanced license, the appliance assigns an HP OneView Advanced w/o ilo license, regardless of the license type you choose. To change the server hardware license policy of an enclosure, you must remove the enclosure from management and then re-add it with the new license policy. When you add server hardware to the appliance, the ilo Advanced license that is part of the HP OneView Advanced license is applied to the server hardware ilo. If a server blade does not have an ilo license and there are not enough of the selected license type available, the appliance will attempt to apply a demo ilo license to the server blade ack mount server licensing ack mount server licensing is managed at the server level. When you add a rack mount server to the appliance, you must choose a license type. You cannot change the license type for a rack mount server unless you remove and re-add it. NOTE: Embedded licenses take precedent over the license type you choose. If you add a rack mount server to be managed with an embedded license, the appliance assigns the license to that rack mount server, regardless of the license type you choose. emote console support is not enabled if the rack mount server does not have an ilo license. ack mount server licensing behavior When you add a managed rack mount server to the appliance: You must choose a license type: HP OneView Advanced or HP OneView Advanced w/o ilo. A license embedded on the rack mount server ilo is automatically added to the appliance and applied to the rack mount server. If the server hardware has an existing permanent ilo Advanced license, the appliance assigns an HP OneView Advanced w/o ilo license, regardless of the license type you choose HP OneView Advanced licensing for managing server hardware 153

154 If the rack mount server does not have an embedded license, the appliance attempts to assign a license from the license pool. If there are not enough licenses available, a notification is displayed that instructs you on how to address the issue. The ilo Advanced license that is part of your HP OneView Advanced license is applied to the ilo when you add a rack mount server. To change the license type of a rack mount server that does not have an embedded license, you must remove the rack mount server from management and then re-add it with the new license type License delivery License delivery depends on how the license is purchased. The license delivery methods for HP OneView Advanced and HP OneView Advanced w/o ilo are: Embedded on the server hardware ilo (software purchased, integrated with the hardware) Embedded on the enclosure OA (enclosure bundle license for 16 servers) Standalone, nonintegrated (purchased separately from the hardware) License reporting Basic license reporting indicates whether the appliance has enough licenses for the managed server hardware in your environment. From the Licenses view on the Settings screen, you can view the following: The number of available licenses The number of licensed servers The number of licenses required for compliance (all server hardware licensed) View license status You can view the status of your server hardware licenses using the license graphs from the Settings menu in the Licenses view. NOTE: You may have to refresh the Licenses screen in order for recent license assignments to show up in the license graphs. The license graphs indicate the number of licenses available and required, and the percentage of server hardware that is in compliance (licensed). A complete blue ring indicates 100% compliance. The number of available licenses is displayed below the graph. The number of licenses required, if any, is displayed in red text. Table 10 License graph colors Color Yellow Blue Light Gray Description Indicates the percentage of server hardware without a license Indicates the percentage of server hardware that is licensed Indicates licenses that are available but have not been assigned 154 Managing licenses

155 Figure 11 Sample license graphs HP OneView w/o ilo 1 HP OneView 0% 2 100% Compliance 14 Licenses required 0 Licenses available 0 Servers licensed 3 Compliance 100 Licenses available 1000 Servers licensed 1 The license type for which 2 The license graph indicates 3 The number of licenses status information is being reported. the percentage of servers that are licensed. required (if any), the number of licenses available, and the number of servers with licenses. To view the Server Hardware screen filtered to show the server hardware that is assigned a license type, click the Servers licensed link under the license type HP OneView Standard licensing for monitoring server hardware The HP OneView Standard license applies to only monitored servers and enclosures and cannot be applied to managed servers. The HP OneView Standard license is automatically applied when adding enclosures or server hardware to monitor. The HP OneView Standard license is automatically applied when adding an enclosure to be managed that contains any ProLiant G6 server blades or G7 BL680 server blades. These servers are added in a Monitored state. For more information, see Licensing scenarios (page 151) 20.7 Learning more Troubleshooting licenses (page 307) 20.6 HP OneView Standard licensing for monitoring server hardware 155

156 156

157 21 Managing networks and network resources This chapter describes configuring and managing networks and network resources for the enclosures and server blades managed by the appliance. For information about configuring the network settings for the appliance, see Managing the appliance settings (page 232). NOTE: The network features described in this chapter apply to enclosures and server blades only. The appliance does not monitor or manage the network features and hardware for rack mount servers or for networking equipment outside the enclosures. UI screens and EST API resources UI screen Networks Network Sets Switches EST API resource connection-templates, ethernet-networks, and fc-networks network-sets switches 21.1 oles Minimum required privileges: Infrastructure administrator or Network administrator 21.2 Tasks for networks You can manage Fibre Channel and Ethernet networks from the UI Networks screen or by using the EST APIs Tasks for Fibre Channel networks The appliance online help provides information about using the UI or the EST APIs to: Add and delete a Fibre Channel SAN. Edit a Fibre Channel SAN configuration. Associate a network with a managed SAN Tasks for FCoE networks The appliance online help provides information about using the UI or the EST APIs to: Add, edit (change a network configuration), and delete a network About network connectivity The network connectivity features of the appliance are designed to separate the logical resources from the physical hardware, allowing you to add or change the physical components without having to replicate configuration changes across multiple servers. In addition, the logical and physical network resources can be configured for high availability, including: Providing redundant physical links to the data center networks Configuring stacking links between interconnects in an enclosure to provide redundant paths from servers to data center networks Using logical resources, such as logical interconnects, that represent multiple physical resources to allow continued uninterrupted operation if a physical component fails 21.1 oles 157

158 The Virtual Connect interconnect modules in enclosures support the following types of networks: Fibre Channel for storage networks, including both Fabric attach (SAN) Fibre Channel connections and Direct attach (Flat SAN) Fibre Channel connections Ethernet for data networks 21.4 About network sets A network set is a collection of tagged Ethernet networks that form a named group to simplify server profile creation. Network sets are useful in virtual environments where each server profile connection needs to access multiple networks. Network sets define how packets will be delivered to the server when a server Ethernet connection is associated with the network set. Network sets also enable you to define a VLAN trunk and associate it with a server connection. Instead of assigning a single network to a connection in a server profile, you can assign a network set to that connection. Using network sets, you can quickly deploy changes to the network environment to multiple servers. For example, you have 16 servers connected to a network set. To add a new network to all 16 servers, you only need to add it to the network set instead of each server individually. You can create a network set for your production networks and one for your development networks. You can configure a hypervisor with a vswitch to access multiple VLANs by creating a network set as a trunk that includes these networks. Network set details Network sets are supported for use in server profiles. All networks in a network set must be Ethernet networks and must have unique external VLAN IDs. Untagged and tunnel networks are single networks and do not use network sets. All networks in a network set must be configured in the same appliance. A network can be a member of multiple network sets. When a network is deleted, it is automatically deleted from all network sets to which it belonged. A network set can be empty (contain no networks) or can contain one or more of the networks configured in the appliance. Empty network sets enable you to create network sets in the configuration before you create the member networks, or to remove all of the member networks before you add their replacements. However, if a server profile adds a connection to an empty network set, the server cannot connect to any data center networks using that connection. When you create or modify a network set, you can designate a network for untagged packets. If you do not designate a network an untagged network, untagged packets are rejected on the profile connection associated with this network set. Server traffic must be tagged with the VLAN ID of one of the Ethernet networks in the network set. Untagged server traffic is either sent to the untagged network (if an untagged network is defined) or is rejected (if no untagged network is defined). The untagged network can send tagged and untagged traffic between the server and the interconnect simultaneously. When you create or modify a network set, you define the maximum bandwidth and the preferred bandwidth for connections to that network set. A server profile can override the preferred bandwidth but not the maximum bandwidth. When you delete a network set, the networks that belong to the network set are not affected. However, any servers with a connection to that network set are affected because their 158 Managing networks and network resources

159 12Vdc HP StorageWorks 4/32B SAN Switch Vdc 12Vdc HP StorageWorks 4/32B SAN Switch FAN 1 OA1 FAN 6 PS 6 UID HP VC FlexFabric 10Gb/24-Port Module ilo eset Active PS 5 UID PS 4 S H A E D : U P L I N K o r X - L I N K X1 X2 X3 X4 X5 X6 X7 X8 Enclosure UID emove management modules before ejecting sleeve UID Enclosure Interlink HP VC FlexFabric 10Gb/24-Port Module ilo eset Active UID PS 3 S H A E D : U P L I N K o r X - L I N K X1 X2 X3 X4 X5 X6 X7 X8 12Vdc PS 2 PS 1 FAN 5 OA2 FAN 10 connections are defined as being to the network set and not to the individual networks. Because the network set is no longer available, the network traffic to and from that server through that connection is stopped. When you delete a network set, any server profile connections that specified that network set become undefined About Fibre Channel networks You can use Fibre Channel networks to connect to storage systems Fibre Channel network types The Virtual Connect interconnect modules in enclosures support two types of Fibre Channel connections to storage systems: Fabric-attach connections The enclosure interconnects connect to data center SAN fabric switches. Direct-attach connections Also called Flat SAN, in which the enclosure interconnects connect directly to a supported storage system, such as an HP 3PA StoreServ Storage system. You cannot change the type of a Fibre Channel network, but you can delete the network from the appliance, and then add the network as a different type. A logical interconnect can use both direct-attach storage and fabric-attach storage at the same time. Figure 12 Direct-attach and fabric-attach Fibre Channel networks Fabric-attached HP storage devices HP 3PA Storage System SAN A SAN Switch A SAN uplink connections (Fabric attach) SAN B SAN Switch B SAN uplink connections (Direct attach) HP BladeSystem c7000 Enclosure Fabric-attach Fibre Channel networks SAN infrastructures typically use a Fibre Channel switching solution involving several SAN switches that implement NPIV (N-Port ID Virtualization) technology. NPIV uses N-ports and F-ports to build a Fibre Channel SAN fabric. NPIV enables multiple N_Ports to connect to a switch through a single F_Port, so that a virtual server can share a single physical port with other servers, but access only its associated storage on the SAN About Fibre Channel networks 159

160 When you configure a fabric-attach Fibre Channel network, the port you choose for the uplink from the enclosure interconnect to the storage SAN must support NPIV (N_Port ID Virtualization). You can use HP Virtual Connect Fibre Channel modules to connect storage. The appliance manages up to six Virtual Connect Fibre Channel modules in bays 3 through 8 of an enclosure. Virtual Connect Fibre Channel modules are not supported in bay 1 and bay Direct-attach Fibre Channel networks The direct-attach Fibre Channel solution, also called the Flat SAN solution, eliminates the need for a connection from the enclosure interconnects to a Fibre Channel SAN switch. This means you can connect the enclosure interconnects directly to the storage system. The port you choose for the uplink from the enclosure interconnect to the storage system must support NPIV. Servers connecting to a direct-attach Fibre Channel network have access to all devices connected on the uplink ports defined for that network. If there is more than one connection from a FlexFabric module to the storage system, each server can access as many paths to the storage LUN (logical unit number) as there are connections to the storage system. For direct-attach Fibre Channel networks, the enclosure interconnect does not distribute server logins evenly across uplink ports. Server login-balancing and login-distribution do not apply to Fibre Channel networks. IMPOTANT: When you move a server profile to a different enclosure, and the profile is configured to boot from a direct-attach storage system, you must manually update the boot connection of the profile to specify the WWPN (World Wide Port Name) used for the storage system that is directly attached to the enclosure. Each enclosure connects to a different port of the direct-attach storage system, so the WWPN for that storage system is different for each enclosure. If you do not specify the correct WWPN and LUN for the storage system, the server will not boot successfully from the boot target About Ethernet networks You use Ethernet networks as data networks. You can create the following types of Ethernet networks: Tagged Untagged Tunnel About tagged Ethernet networks A tagged network uses virtual LANs (VLANs), allowing multiple networks to use the same physical connections. By sharing physical uplinks, you can separate traffic streams from different servers on the same set of uplinks. Server profiles can specify networks without knowledge of the hardware configuration of the data center network. Tagged Ethernet networks that are connected to enclosure interconnects require a VLAN ID. You can add multiple Ethernet networks that use the same VLAN ID. This capability is required for logical interconnects that use an active/active configuration. Each network name in the appliance must be unique. The number of networks supported on an appliance is limited by the number of networks added, not the number of VLAN IDs that are used. Tagged Ethernet networks and network sets You can assign multiple tagged Ethernet networks to a named group called a network set. Later, when you add a connection in a server profile, you can select this network set to enable multiple networks to be selected for that single connection. 160 Managing networks and network resources

161 About untagged Ethernet networks An untagged network is a single dedicated network without a VLAN tag with a dedicated set of uplink ports. Untagged networks are used to pass traffic without VLAN tags through the stacking domain. Any tagged packets are dropped. Forwarding is done by MAC address. You may want an untagged network for iscsi storage traffic or if you want to set up networks without configuring VLANs About tunnel Ethernet networks A tunnel network is a single dedicated network with a dedicated set of uplink ports used to pass a group of VLANs without changing the VLAN tags. You may want to use tunnel networks if you want to expand beyond the current total of 1000 networks per logical interconnect and 162 networks per downlink port, or if you want to control the resources and QoS. You can have a tunnel network with a maximum of 4096 VLANs Managing Ethernet networks When you add an Ethernet network to the appliance, you are adding a VLAN to the configuration. VLANs allow multiple networks to use the same physical connections. Servers can specify networks without knowledge of the underlying hardware configuration. When you add an Ethernet network, you might also want to an existing network set or add it to a new network set. For example, by adding the Ethernet network to an existing network set, all servers that have connections to the network set can access the added network without requiring you to change the server profiles. For Ethernet connections, a logical uplink is a way to identify interconnect module uplinks that carry multiple networks over the same cable. When you add a network, you must also add it to an existing uplink set or a new uplink set. You can manage networks and network sets from the UI Networks and Network Sets screens or by using the EST APIs. IMPOTANT: HP recommends that you back up the appliance after you make configuration changes to networks. For information about backing up the appliance, see Backing up an appliance (page 225) Data center switch port requirements Although you can configure an uplink set to receive incoming network traffic as untagged by designating a network in that uplink set as Native, traffic egressing the uplink set is always VLAN tagged. The switch ports for data center network switches that connect to the Virtual Connect interconnect modules must be configured as follows: Spanning tree edge (because the Virtual Connect interconnect modules appear to the switch as access devices instead of switches). VLAN trunk ports (tagging) to support the VLAN IDs included in the uplink set that connects to switch port. For example, if you configure an uplink set, produs, that includes the production networks prod 1101 through prod 1104 to use the X2 ports of the interconnects in bay 1 and bay 2 of Enclosure 1, then the data center switch ports that connect to those X2 ports must be configured to support VLAN IDs 1101, 1102, 1103, and If multiple uplinks in an uplink set connect the same interconnect to the same data center switch, to ensure that all the uplinks in the uplink set are active, you must configure the data center switch ports for LACP (Link Aggregation Control Protocol) in the same LAG (Link Aggregation Group). As part of the LACP negotiation to form a LAG, the interconnect sends a request for 21.7 Data center switch port requirements 161

162 the frequency of control messages. The frequency can be short or long. Short is every 1 second with a 3 second timeout. Long is every 30 seconds with a 90 second timeout. Also consider the type of network traffic and if you are creating an active/standby or active/active configuration Learning more Understanding the resource model (page 35) Managing interconnects, logical interconnects, and logical interconnect groups (page 163) Managing the appliance settings (page 232) Troubleshooting networks (page 311) 162 Managing networks and network resources

163 22 Managing interconnects, logical interconnects, and logical interconnect groups A logical interconnect group acts as a recipe for creating a logical interconnect representing the available networks, uplink sets, stacking links, and interconnect settings for a set of physical interconnects in a single enclosure. UI screens and EST API resources UI screen Interconnects Logical Interconnects Logical Interconnect Groups EST API resource interconnects logical-interconnects logical-interconnect-groups 22.1 Managing enclosure interconnect hardware oles When you add an enclosure, any interconnects in the enclosure are also added to the management domain, and they remain in the domain as long as the enclosure is part of the domain. You can manage enclosure interconnect hardware from the UI Interconnects screen or by using the EST APIs. Minimum required privileges: Infrastructure administrator or Network administrator Tasks for interconnects The appliance online help provides information about using the UI or the EST APIs to: Add or replace a physical interconnect. Clear port counters. Enable or disable uplink ports or downlink ports. eapply an interconnect configuration. eset loop and pause flood protection. View data transfer statistics for uplink and downlink ports About interconnects Interconnects enable communication between the server hardware in the enclosure and the data center networks. An interconnect has several types of links: Uplinks Downlinks Stacking links Uplinks are physical ports that connect the interconnect to the data center networks. Downlinks connect the interconnect to the server hardware through the enclosure midplane. Stacking links, which can be internal or external, connect interconnects together to provide redundant paths for Ethernet traffic from server blades to the data center networks. Interconnects are added automatically when the enclosure that contains them is added to the appliance Managing enclosure interconnect hardware 163

164 Interconnects are an integral part of an enclosure, and each interconnect is a member of a logical interconnect. Each logical interconnect is associated with a logical interconnect group, which is associated with an enclosure group. For more information about logical interconnects, see About logical interconnects (page 165). For information about the relationship that enclosures and enclosure groups have with interconnects, logical interconnects, and logical interconnect groups, see Understanding the resource model (page 35). You can update interconnect firmware using an SPP (Service Pack for ProLiant). Connectivity and synchronization with the appliance The appliance monitors the health status of interconnects and issues alerts when there is a change in status of an interconnect or port. The appliance maintains the configuration that you specify on the interconnects that it manages. The appliance also monitors the connectivity status of interconnects. If the appliance loses connectivity with an interconnect, an alert is displayed until connectivity is restored. The appliance attempts to resolve connectivity issues and clear the alert. If it cannot, you have to resolve the issues and manually refresh the interconnect to synchronize it with the appliance. You can manually refresh the connection between the appliance and an interconnect from the Interconnects screen. See the online help for the Interconnects screen to learn more. About unsupported interconnects Unsupported hardware is hardware that the appliance cannot manage. If the appliance detects an interconnect that it does not expect or cannot manage, it assigns the interconnect a critical health status and displays an alert with a resolution of replacing the interconnect with a model it can manage. The appliance displays the model name of the unsupported interconnect that it obtains from the OA (Onboard Administrator). If the unsupported interconnect is in an unmanaged bay, the appliance places it into an inventory state and creates a resource for it, but does not bring it under management. NOTE: If you try to create a server profile that has a connection to an unsupported interconnect, the operation will fail Learning more Interconnects (page 41) Networking features (page 33) Troubleshooting interconnects (page 305) 22.2 Managing logical interconnects and logical interconnect groups A logical interconnect represents the available networks, uplink sets, and stacking links for a set of physical interconnects in a single enclosure. The Logical Interconnects screen provides a graphical view of the logical interconnect configuration in an enclosure. Use this screen or the EST APIs to manage the uplink sets for the logical interconnect. When you add an enclosure, a logical interconnect is created automatically. The logical interconnect group serves as a template to ensure the consistent configuration of all of its logical interconnects. 164 Managing interconnects, logical interconnects, and logical interconnect groups

165 oles Minimum required privileges: Infrastructure administrator or Network administrator Tasks for logical interconnects The appliance online help provides information about using the UI or the EST APIs to: Add, edit, or delete an uplink set. Change Ethernet settings such as: Fast MAC cache failover. MAC refresh interval. IGMP (Internet Group Management Protocol) snooping and idle timeout interval. Loop and pause flood protection. Configure a port to monitor network traffic. Create a logical interconnect support dump file. Enable and disable physical ports. Manage firmware for the interconnects via the logical interconnects. Manage SNMP (Simple Network Management Protocol) access and trap destinations. Manage the frequency of control messages through the LACP timer. eapply the logical interconnect configuration to its physical interconnects. edistribute logins for uplink failover on a Fibre Channel network. Update the logical interconnect configuration from the logical interconnect group. View and download the MAC address table About logical interconnects A logical interconnect is a single administrative entity that consists of the configuration for the interconnects in an enclosure, which includes: The uplink sets, which connect to data center networks. The mapping of networks to physical uplink ports, which is defined by the uplink sets for a logical interconnect. The downlink ports, which connect through the enclosure midplane to the servers in the enclosure. The connections between interconnects, which are called stacking links. Stacking links can be internal cables (through the enclosure) or external cables between the stacking ports of interconnects. For a server administrator, a logical interconnect represents the available networks through the interconnect uplinks and the interconnect downlink capabilities through a physical server s interfaces. For a network administrator, a logical interconnect represents an Ethernet stacking domain, aggregation layer connectivity, stacking topology, network reachability, statistics, and troubleshooting tools Managing logical interconnects and logical interconnect groups 165

166 Interconnect, Logical Interconnect, Networks NIC Teaming Drivers Connections Interconnect Network A (VLAN 100) Uplink Sets LOM1 LOM2 Stacking Link Interconnect (Optional) edundant uplinks To/ Aggregation Layer Network A (VLAN 100) Optional Teaming: Load balancing and/or failover Network A (VLAN 100) Server Blade Logical Interconnect Uplink Sets An uplink set defines a single, dedicated network or a group of networks and physical ports on the interconnect in an enclosure. An uplink set enables you to attach the interconnect to the data center networks. An uplink set enables multiple ports to support port aggregation (multiple ports connected to a single external interconnect) and link failover with a consistent set of VLAN networks. For tagged Ethernet networks, an uplink set enables you to identify interconnect uplinks that carry multiple networks over the same cable. For untagged or tunnel Ethernet networks, an uplink set identifies interconnect uplinks that are dedicated to a single network. For Fibre Channel networks, you can add one network to an uplink set. Fibre Channel does allow virtual networks or VLANs. An uplink set is part of a logical interconnect. The initial configuration of the uplink sets for a logical interconnect is determined by the configuration of the uplink sets for the logical interconnect group, but you can change (override) the uplink sets for a specific logical interconnect. Changes you make to the uplink sets for a logical interconnect group are not automatically propagated to existing logical interconnects. For example, to propagate a newly added VLAN to a logical interconnect group uplink set to its existing logical interconnects, you must individually update each logical interconnect configuration from the logical interconnect group. For active/active configurations, create a new logical interconnect group rather than updating an existing group. For each logical interconnect: You can define zero, one, or multiple uplink sets. If you do not define any uplink sets, the servers in the enclosure cannot connect to data center networks. A network can be a member of one uplink set only. An uplink set can contain only one Fibre Channel network. An uplink set can contain one or more tagged Ethernet networks. An uplink set for an untagged or a tunnel network can only contain that one untagged or tunnel network. You must specify Ethernet networks individually. The use of network sets in uplink sets is not supported for the following reasons: The networking configuration is intended to be managed by users with a role of Network administrator. Because users with a role of Server administrator can create and edit network sets, allowing network sets to be members of uplink sets could result in server 166 Managing interconnects, logical interconnects, and logical interconnect groups

167 administrators changing the mapping of networks to uplink ports without the knowledge of the network administrator. Because a network can be a member of more than one network set, allowing network sets to be members of uplink sets would make it more difficult to ensure that no single network is a member of more than one uplink set, especially as the network set configurations change over time Stacking modes and stacking links Stacking modes Stacking modes and stacking links apply to Ethernet networks only. Interconnects that are connected to one another through stacking links create a stacking mode. Ethernet traffic from a server connected to an interconnect downlink can reach the data center networks through that interconnect or through a stacking link from that interconnect to another interconnect. The supported stacking mode is enclosure. For this stacking mode: All the interconnects in the enclosure form a single logical interconnect. Stacking links between interconnects in different enclosures are not supported. When two interconnects of the same type are installed in horizontally adjacent enclosure I/O bays, they connect through internal stacking links. Installing interconnects of different types in horizontally adjacent enclosure I/O bays is not supported. Stacking health The appliance detects the topology within an enclosure of the connections between interconnects and the uplink sets, and determines the redundancy of paths between servers and data center networks. The appliance reports redundancy information as the stacking health of the logical interconnect, which is one of the following: edundantly Connected Connected Disconnected Not applicable There are at least two independent paths between any pair of interconnects in the logical interconnect, and there are at least two independent paths from any downlink port on any interconnect in the logical interconnect to any other port (uplink or downlink) in the logical interconnect. There is a single path between any pair of interconnects in the logical interconnect, and there is a single path from any downlink port on any interconnect in the logical interconnect to any other port (uplink or downlink) in the logical interconnect. At least one interconnect is not connected to the other member interconnects in the logical interconnect. Interconnect modules do not support stacking. The configuration defined in the logical interconnect group is the expected configuration within the enclosure. If any of the interconnects are defined to be in the Configured state but instead are in a different state, such as Absent, Inventory, or Unmanaged, the stacking health is displayed as Disconnected. If none of the interconnects are in the Configured state, no stacking health information is displayed Managing logical interconnects and logical interconnect groups 167

168 Adding or deleting a logical interconnect Adding a logical interconnect Every enclosure belongs to an enclosure group. When you add an enclosure: The appliance detects the physical interconnects and their stacking links. The appliance automatically creates a single logical interconnect for the enclosure. The configuration of the logical interconnect, including uplink sets, is defined by the logical interconnect group associated with the enclosure group. This ensures that all enclosures in the enclosure group are configured with the same network connectivity. The appliance automatically names the logical interconnect when you add the enclosure. The naming convention for logical interconnects follows: enclosure_name-li Where enclosure_name is the name of the enclosure. Deleting a logical interconnect To delete a logical interconnect, you must remove the enclosure from management About the HP Virtual Connect FlexFabric 20/40 F8 interconnect module The HP Virtual Connect FlexFabric 20/40 F8 Module for HP BladeSystem c-class has several unique features: Four dedicated 40G QSFP+ ports with support for 1x40G mode, 4x10G modes, or 1x10G mode. When a QSFP+ port is configured for 4x10G operation, a pluggable module with an attached splitter cable must be installed to multiplex the QSFP+ port into four SFP+ ports on the remote end. The four Ethernet QSFP ports are identified as Q1 Q4. The multiplex Ethernet ports are identified as Qx.1 Qx.4. Eight dedicated 10G ports identified as X1 X8. These ports support Ethernet and Fibre Channel traffic. Port pairs X5/X6 and X7/X8 carry one type of network traffic, either Ethernet or Fibre Channel. Ports X9 and X10 are internal stacking ports. For more information, see the HP Virtual Connect FlexFabric 20/40 F8 Module for HP BladeSystem c-class Installation Instructions at Enclosure requirements CAUTION: To avoid overheating: Make sure there are 10 fans in the enclosure. Do not insert more than six HP Virtual Connect FlexFabric 20/40 F8 modules in one enclosure About logical interconnect groups A logical interconnect group is associated with an enclosure group and is used to define the logical interconnect configuration for every enclosure that is added to that enclosure group. Logical interconnect configurations include the I/O bay occupancy, stacking mode, uplink ports and uplink sets, available networks, and downlinks. The logical interconnect group reserves the appropriate interconnect ports for stacking links required for the stacking mode. For the enclosure stacking mode: All interconnects in an enclosure are members of the logical interconnect. Horizontally adjacent interconnects must be the same interconnect type. 168 Managing interconnects, logical interconnects, and logical interconnect groups

169 Horizontally adjacent interconnects reserve one port per enclosure for internal stacking links, called East-West links. Vertically adjacent interconnects reserve an additional port per enclosure for external stacking links, called North-South links. The uplink sets portion of the logical interconnect group defines the initial configuration for uplink sets for each enclosure added to the enclosure group. You can change the uplink sets for a logical interconnect, and existing enclosures are not affected by changes you make to uplink sets in the logical interconnect group. If you change the uplink sets for an existing logical interconnect group, only enclosures that you add after the configuration change are configured with the new uplink set configuration. When you add an enclosure and assign an enclosure group, the appliance creates a logical interconnect for that enclosure. The logical interconnect it creates matches the configuration specified by the logical interconnect group that is associated with the enclosure group. When the add operation completes, the interconnects are fully configured and the networks are available for use by server profiles. Figure 13 elationship of a logical interconnect group to a logical interconnect Enclosure Group enclosure Type - c7000 Stocking Mode - enclosure LIG I/O Bay Logical Interconnect Group 1 logicalinterconnectgroupa 2 logicalinterconnectgroupa 3 logicalinterconnectgroupa 4 Logical Interconnect Group A Domain Networks: Eth1, Eth2, SanA, SanB Uplink Sets Blue Network, bay1.x1 & bay2.x1 Interconnect Maps Location Interconnect Types(s) Logical Downlink Enc1. Bay Logical DownlinkA Enc2. Bay Logical DownlinkA Enc3. Bay B21 Logical DownlinkA Enc4. Bay B21 Logical DownlinkA <create> <create> <create> Logical Interconnect LI1 Domain Networks: Eth1, Eth2, SanA, SanB Uplink Sets:... Interconnect Maps Location Int. Int. Type(s) LD EncA. Bay1 Int B21 LD A EncA. Bay2 Int B21 LD A EncA. Bay3 Int B21 LD B EncA. Bay4 Int B21 LD C Enclosure A B21, Int B21, Int2 Logical Interconnect LI2 Domain Networks: Eth1, Eth2, SanA, SanB Uplink Sets:... Interconnect Maps Location Int. Int. Type(s) LD EncB. Bay1 Int B21 LD A EncB. Bay2 Int B21 LD A EncB. Bay3 Int B21 LD B EncB. Bay4 Int B21 LD C Enclosure B B21, Int B21, Int2 Logical Interconnect LI3 Domain Networks: Eth1, Eth2, SanA, SanB Uplink Sets:... Interconnect Maps Location Int. Int. Type(s) LD EncC. Bay1 Int B21 LD A EncC. Bay2 Int B21 LD A EncC. Bay3 Int B21 LD B EncC. Bay4 Int B21 LD C Enclosure C B21, Int B21, Int B21, Int B21, Int B21, Int B21, Int B21, Int B21, Int4 EMPTY EMPTY EMPTY EMPTY EMPTY EMPTY EMPTY EMPTY EMPTY EMPTY EMPTY EMPTY You can create a logical interconnect group independently of adding an enclosure, or you can edit the logical interconnect group that the appliance creates when you add the enclosure to the appliance. When you add the first enclosure to the appliance, the preliminary logical interconnect group is based on the physical interconnects in that enclosure and is created with the following properties: Existing interconnect types in their existing positions All physical uplink ports disabled except for stacking links You can edit this logical interconnect group, and when the configuration is complete, an enclosure group is created and associated with this logical interconnect group Managing logical interconnects and logical interconnect groups 169

170 If you assign an enclosure group (which includes a logical interconnect group) to an enclosure in which the interconnects installed in the enclosure do not match the logical interconnect group, each interconnect reports its state as unmanaged. The physical interconnect configuration in the enclosure must match the logical interconnect group before an interconnect can be managed. To delete a logical interconnect group, you must delete the associated enclosure group About active/active and active/standby configurations When determining which HP Virtual Connect network configuration to use (active/active or active/standby), consider the type of network traffic the enclosure must support. For example: Will there be a high volume of server-to-server traffic (east/west) in the enclosure? Is the traffic flow in the enclosure mainly inbound and outbound (north/south)? By considering network traffic patterns, you can maximize the connected bandwidth or minimize server-to-server traffic leaving the enclosure. Use an active/standby configuration if network traffic is between systems in the same enclosure (east/west). This configuration minimizes or eliminates any server-to-server communications from leaving the enclosure. Use an active/active configuration if network traffic is inbound and outbound (north/south) of the enclosure About active/standby configurations An active/standby configuration is an Ethernet network configuration where servers in the enclosure have two NIC ports connected to the same HP Virtual Connect network. A single uplink set has uplinks in both interconnects. The uplinks in one interconnect are active; the uplinks in the other interconnect are standby and available in the event of a network or interconnect failure. Communications between servers do not leave the interconnect module. For external communications, all servers in the enclosure use the active uplink, regardless of which NIC is actively passing traffic. An active/standby configuration: Provides predictable bandwidth. Does not oversubscribe top-of-rack switch (To) bandwidth. An active/standby configuration has the following requirements: A minimum of one Ethernet network and one uplink set for each external VLAN ID you define About active/active configurations An active/active configuration is an Ethernet network configuration that allows active traffic on the same VLAN on multiple interconnect modules. The NICs on all the servers in the enclosure have their NICs connected to adjacent HP Virtual Connect modules. All uplinks are active to forward network traffic. When setting up an active/active configuration in an enclosure, the networks associated with an uplink set must be included in the server profile connection for the interconnect module. For example, if Net_101_A is in uplink set US_A, which has ports from the interconnect module in bay 1, Net_101_A must be associated with the downlink port connected to the interconnect module in bay 1 (for example, LOM1:1-a). An active/active configuration: Provides full use of all uplink ports (no uplink port in standby mode). Allows all traffic to egress through the interconnect module connected to the NIC port without crossing the internal stacking link. Doubles the available bandwidth while maintaining redundancy (when combined with Smart Link). 170 Managing interconnects, logical interconnects, and logical interconnect groups

171 equirements and best practices for an active/active configuration An active/active configuration requires two HP Virtual Connect modules and resources that meet the following requirements. For an example of an active/active configuration, see Sample active/active configuration (page 172). esource Networks equirement A pair of networks added for each VLAN you want to connect: At least one network for the first interconnect module Another network for the second interconnect module using the same VLAN ID and Smart Link selected on both networks. Best practice Designate a network name for a paired network using the naming convention <purpose>_<vlan ID>_<side> where: <purpose> could be dev, mgmt, or prod, for example. <side> could be A or B, 1 or 2, or right or left. Uplink Set Network Sets Server Profiles A pair of uplink sets to associate the networks with the uplink ports on the interconnect module. One set of networks assigned to the uplink set with uplinks on the first interconnect module The other networks assigned to the uplink set with uplinks on the second interconnect module Uplink ports in each uplink set are restricted to one interconnect One or more pairs of network sets. Each set should include only networks that are intended to be used in the same server profile connection. For example, if Net_101_A is in uplink set US_A, which has ports from the interconnect module in bay 1, Net_101_A must be associated with the downlink port connected to the interconnect module in bay 1 (for example, LOM1:1-a) The physical ports to which you want to map the network or network sets. Map the profile connections to the downlink ports on the same interconnect module as the uplinks on the uplink set. This ensures that the networks associated with the uplink ports in the uplink set match the networks assigned to the profile connections in the downlink ports. Assign names to uplink sets using the naming convention <uplink set name>_<side>, where: <side> could be A or B, 1 or 2, or right or left. Designate a network set name using the naming convention <purpose>_<side>, where: <purpose> could be dev, mgmt, or prod for example. <side> could be A or B, 1 or 2, or right or left Managing logical interconnects and logical interconnect groups 171

172 Sample active/active configuration Physical server 1 NIC TEAM Port 1 Port 2 d1 d1 IO Bay 1 Network vnet 101A -Internal VLAN 3 -External VLAN 101 SL1 SL2 SL1 SL2 Network vnet 101B -Internal VLAN 5 -External VLAN 101 IO Bay 2 Uplink Set U1 Uplink Set U2 X1 X2 X1 X2 VLAN 101 To Switch About logical interconnect firmware All components in an enclosure must run compatible firmware. You can select a single HP Service Pack for ProLiant (SPP) and apply it to all components in an enclosure, therefore minimizing the chance of downtime due to firmware incompatibility. You can also apply an SPP to a logical interconnect which results in all member interconnects running the same firmware baseline. This operation by default updates firmware only on those member interconnects that are running a different version of firmware and ignores the interconnects that are running the same firmware version. You can upgrade or downgrade the firmware on all interconnects in an enclosure. If a firmware update is required for an interconnect, a link is provided in the Logical Interconnects screen to do so. Updating firmware is a two-stage process of staging (uploading) the firmware on the interconnect, and then activating the firmware on the interconnects you select. Firmware activation options allow you to maintain network availability and reduce the probability of outages due to human error. You also have the option of staging the firmware for later activation. You can activate the staged firmware on an individual interconnect or on all interconnects About loop and pause flood protection Loop protection The loop protection feature enables detection of loops on downlink ports, which can be Flex-10 logical ports or physical ports. The feature applies when Device Control Channel (DCC) protocol is running on the Flex-10 port. If DCC is not available, the feature applies to the physical downlink port. Network loop protection uses two methods to detect loops: 172 Managing interconnects, logical interconnects, and logical interconnect groups

173 1. It periodically injects a special probe frame into the HP Virtual Connect domain and monitors downlink ports for the looped back probe frame. If this special probe frame is detected on downlink ports, the port is considered to cause the loop condition. 2. It monitors and intercepts common loop detection frames used in other switches. In network environments where the upstream switches send loop detection frames, the HP Virtual Connect interconnects must ensure that any downlink loops do not cause these frames to be sent back to the uplink ports. Even though the probe frames ensure loops are detected, there is a small time window depending on the probe frame transmission interval in which the loop detection frames from the external switch might loop through down link ports and reach uplink ports. By intercepting the external loop detection frames on downlinks, the possibility of triggering loop protection on the upstream switch is eliminated. When network loop protection is enabled, HP Virtual Connect interconnects intercept loop detection frames from various switch vendors, such as Cisco and ProCurve. When the network loop protection feature is enabled, any probe frame or other supported loop detection frame received on a downlink port is considered to be causing the network loop, and the port is disabled immediately until an administrative action is taken. The administrative action involves resolving the loop condition and clearing the loop protection error condition. The loop detected status on a port can be cleared by un-assigning all networks from the profile connect corresponding to the port in the loop detected state. The SNMP agent supports trap generation when a loop condition is detected or cleared. You can reset loop protection from the Actions menu on the Interconnects screen. Pause flood protection Ethernet switch interfaces use pause frame-based flow control mechanisms to control data flow. When a pause frame is received on a flow control enabled interface, the transmit operation is stopped for the pause duration specified in the pause frame. All other frames destined for this interface are queued up. If another pause frame is received before the previous pause timer expires, the pause timer is refreshed to the new pause duration value. If a steady stream of pause frames is received for extended periods of time, the transmit queue for that interface continues to grow until all queuing resources are exhausted. This condition severely impacts the switch operation on other interfaces. In addition, all protocol operations on the switch are impacted because of the inability to transmit protocol frames. Both port pause and priority-based pause frames can cause the same resource exhaustion condition. HP Virtual Connect interconnects provide the ability to monitor server downlink ports for pause flood conditions and take protective action by disabling the port. The default polling interval is 10 seconds and is not customer configurable. The SNMP agent supports trap generation when a pause flood condition is detected or cleared About SNMP settings Network management systems use SNMP (Simple Network Management Protocol) to monitor network-attached devices for conditions that require administrative attention. By configuring settings on the Logical Interconnect Groups and Logical Interconnects screens, you can enable third-party SNMP managers to monitor (read-only) network status information of the interconnects. The SNMP manager typically manages a large number of devices, and each device can have a large number of objects. It is impractical for the manager to poll information from every object on every device. Instead, each agent on the managed device notifies the manager without solicitation by sending a message known as an event trap. The appliance enables you to control the ability of SNMP managers to read values from an interconnect when they query for SNMP information. You can filter the type of SNMP trap to capture, and then designate the SNMP manager to which traps will be forwarded. By default, SNMP is enabled with no trap destinations set Managing logical interconnects and logical interconnect groups 173

174 When you create a logical interconnect, it inherits the SNMP settings from its logical interconnect group. To customize the SNMP settings at the logical interconnect level, use the Logical Interconnects screen or EST APIs Update the logical interconnect configuration from the logical interconnect group Compliance checking is the validation of a logical interconnect to ensure that it matches the configuration of its parent logical interconnect group. The appliance monitors both the logical interconnect and logical interconnect group, comparing the two, and checking the following for consistency: Items Ethernet interconnect settings Uplink Sets Interconnect maps Compliance checking Are there differences in the following logical interconnect settings from the expected configuration defined by the logical interconnect group? Enabling Fast MAC cache failover MAC refresh intervals Enabling IGMP snooping IGMP idle timeout intervals Loop and pause flood protection Are there differences in port assignments or network associations from the configuration defined by the logical interconnect group? Did you add an uplink set? Is an interconnect type absent from an enclosure interconnect bay or different from the expected configuration defined by the logical interconnect group? If both configurations match, the logical interconnect Consistency state field is set to Consistent and is considered to be compliant. Non-compliance results in an alert for the logical interconnect and the Consistency state field is set to Inconsistent with group. It is also set to Inconsistent with group whenever you edit the logical interconnect or the logical interconnect group, even if your edit does not lead to a difference between the two. Updating the logical interconnect configuration from the logical interconnect group To bring a non-compliant (Inconsistent with group) logical interconnect configuration back into compliance (Consistent) with the logical interconnect group, you must reapply the settings from the logical interconnect group. 1. From the Logical Interconnects screen, select Actions Update from group. NOTE: The Update from group option is not available if the logical interconnect group and logical interconnect are already compliant (Consistency state field is set to Consistent). Compliance alerts are cleared automatically and settings now match the logical interconnect group. NOTE: You cannot make a logical interconnect compliant by editing or by manually clearing the alert; you must select Actions Update from group. 2. Click Yes, update to confirm. 3. To verify that the activity is successful, check the activity for a green status in the Notifications area. If not, follow the proposed resolution listed under Details in the Notifications area. 174 Managing interconnects, logical interconnects, and logical interconnect groups

175 Configure a port to monitor network traffic Port monitoring enables you to send a copy of every Ethernet frame coming in and going out of a port to another port. By monitoring a port's network traffic, you can connect debugging equipment, such as a network analyzer, to monitor those server ports. This capability is important in a server blade environment where there is limited physical access to the network interfaces on the server blades. You can configure one network analyzer port (the monitored-to uplink port) for up to 16 downlink server ports within a single enclosure. To configure a port for monitoring, use the Logical Interconnects screen or EST APIs Learning more Logical interconnect groups (page 42) Logical interconnects (page 43) Uplink sets (page 45) Troubleshooting logical interconnects (page 310) 22.2 Managing logical interconnects and logical interconnect groups 175

176 176

177 23 Managing enclosures and enclosure groups An enclosure is a physical structure that can contain server blades, infrastructure hardware, and interconnects. An enclosure group specifies a standard configuration for all of its member enclosures. Enclosure groups enable administrators to provision multiple enclosures in a consistent, predictable manner in seconds. UI screens and EST API resources UI screen Enclosures Enclosure Groups EST API resource enclosures enclosure-groups 23.1 oles Minimum required privileges: Infrastructure administrator or Server administrator 23.2 Tasks for enclosures The appliance online help provides information about using the UI or the EST APIs to: Add an enclosure to manage its contents. Add an enclosure to monitor the hardware. Add a server blade to an existing enclosure. Bring an unmanaged enclosure under management. Claim an enclosure currently being managed by another appliance. Configure an enclosure with an OA configuration script. Forcibly add a monitored enclosure currently monitored by another management system. Forcibly remove an enclosure if a remove action fails. Migrate an enclosure currently being managed by VCM. Move a monitored enclosure to a managed status. emove an enclosure from HP OneView. emove a server blade from an existing enclosure. esolve connectivity issues between an enclosure and the appliance. View activities (alerts and tasks). Create, edit, and delete an enclosure group About enclosures An enclosure is a physical structure that can contain server blades, infrastructure hardware, and interconnects. The enclosure provides the hardware connections between the interconnect downlinks and the installed server blades. There are different ways an enclosure can be added into HP OneView. Managed HP OneView manages the enclosure enabling you to apply configurations, deploy server profiles, monitor operation status, collect statistics, and alert users to specific 23.1 oles 177

178 Monitored conditions. Managed enclosures require an HP OneView Advanced or an HP OneView Advanced w/o ilo license. See License types (page 149). HP OneView monitors hardware for inventory and hardware status only. Server profile management is not allowed within HP OneView for a monitored enclosure. Monitored enclosures use a free HP OneView Standard license. See License types (page 149). For more information about enclosures, see the following topics About managed enclosures Adding an enclosure to be managed enables you to apply configurations, deploy server profiles, monitor operation status, collect statistics, and alert users to specific conditions. There are different ways to add a managed enclosure into HP OneView. You can add an enclosure so that any existing configuration settings are erased and not brought into HP OneView. This option is useful when adding a new enclosure into your environment (one that has not been managed by another system). You can migrate an enclosure from Virtual Connect Manager (VCM) so that its contents can be managed in HP OneView. If you migrate an enclosure, the existing configuration will be captured and recreated in HP OneView, if the configuration is supported by HP OneView. Adding or migrating an enclosure to be managed requires an HP OneView Advanced or an HP OneView Advanced w/o ilo license. See License types (page 149). ProLiant G6 and ProLiant G7 BL680 server blades If you add an enclosure to be managed that contains ProLiant G6 server blades or the ProLiant G7 BL680 server blade, the following occurs: These server blades are added to HP OneView in a Monitored state. See About monitored enclosures (page 180). The HP OneView Standard license is automatically applied to these servers only, even though they are in a managed enclosure. See License types (page 149). Firmware for these servers is not updated during the enclosure add. The server firmware must be updated manually (outside of HP OneView) after adding the enclosure. When you add an enclosure to be managed, you specify an enclosure group. Enclosure groups enable you to maintain configuration consistency among enclosures. Each enclosure group is associated with a logical interconnect group. The logical interconnect group enables creation and configuration of logical interconnects. Each enclosure is associated with a logical interconnect. That provides the configuration of all interconnects in the enclosure Migrating enclosures managed by other management systems Enclosures managed by other management systems can be brought into the appliance in one of the following ways. Migrate Imports the configuration information for the enclosures including hardware, Virtual Connect domains, networks, and server profiles. Enclosures managed by VCM (Virtual Connect Manager) can be migrated to HP OneView through the UI or EST API. Claim emoves all current configuration settings where it is currently being managed, and does not import the configuration settings into HP OneView. Enclosures managed by other management systems can be claimed by the appliance. NOTE: HP OneView does not support G6 server blades for migration or management. You can replace the G6 server blades with a G7 or later blade, or you can monitor the enclosure. See About monitored enclosures (page 180). 178 Managing enclosures and enclosure groups

179 When you add an enclosure to be migrated, you can specify an enclosure group or create a new enclosure group. See About managed enclosures (page 178). VCEM-managed enclosures An enclosure managed by Virtual Connect Enterprise Manager (VCEM) can be migrated into HP OneView. The following approach is recommended: First, remove the enclosure from the Virtual Connect domain group through the VCEM web interface. The enclosure is managed by VCM. NOTE: VCM ranges, even if originated from a VCEM domain group, will not be migrated. The individual MAC/WWN for each profile connection will be used as a user-defined ID within HP OneView. Follow the VCM migration process as outlined in About migrating enclosures (page 179) About migrating enclosures The migration process is illustrated by the following figure. Figure 14 Migration process Migration from VCM to HP OneView Enclosure data Administrator enters VCM-managed enclosure information into HP OneView Administrator clicks Test compatibility in HP OneView Validate Virtual Connect domain configuration After resolving all blocking issues (except server power on), the administrator powers down the servers, runs a final compatibility test, and then clicks add to start the Compatibility issues? migration Migrate VC configuration and enclosure hardware into HP OneView HP OneView analyzes the VC configuration and detects conflicts, incompatibilities, and warnings to generate a report Administrator resolves incompatibilities using VCM and/or HP OneView esolve all blocking issues and evaluate warnings HP OneView User attention Start/End Process Enclosure managed by HP OneView Enclosure migrated into HP OneView After providing Onboard Administrator (OA) and Virtual Connect (VC) credentials, HP OneView checks the compatibility of the Virtual Connect enclosure with HP OneView and produces a report of the issues. After resolving all blocking issues (except server power on), power down the servers and run a final compatibility test. If all blocking issues are resolved, proceed with the migration. Upon successfully completing the migration, you can then power on the servers About enclosures 179

180 Migration and firmware: When migrating enclosures, the firmware baseline is automatically set to manage manually. The firmware settings in VCM are migrated to HP OneView. Once the enclosure is migrated to HP OneView, you can update the firmware. See Best practices for firmware and Update firmware for enclosures in the UI help for more information. See Planning for enclosure migration from VCM into HP OneView (page 101) for tips on preparing your configuration for migration. Automated functions Once the compatibility issues have been addressed and the migration takes place, HP OneView validates the configuration information, deletes the VC domain, and then automatically performs these functions: Creates networks and network sets Creates a Logical Interconnect Group or uses an existing group Creates an Enclosure Group or uses an existing group Imports the enclosure Creates and assigns the server profiles. The newly created HP OneView server profiles retain the same MACs and WWNs used in the corresponding VCM server profiles. To migrate an enclosure, see "Migrate an enclosure managed by VCM" in the online help About monitored enclosures You can add enclosures to inventory and monitor the hardware. This is useful when you have enclosures that have already been deployed and you cannot claim or migrate them into the appliance. Monitoring hardware in enclosures can be done with a free license called HP OneView Standard. For more information, see License types (page 149). The monitoring feature is available for all G6 and later ProLiant server blades. You can manage the enclosures, server profiles, and Virtual Connect infrastructure through VCM or VCEM. You cannot manage server profiles for monitored enclosures in HP OneView. NOTE: If the firmware for any part of the enclosure does not meet the supported minimum, the enclosure will be added in an Unmanaged state. To resolve this issue, update the firmware manually (outside of HP OneView) and then refresh the enclosure. To add an enclosure for monitoring, see "Add an enclosure to monitor the hardware" in the online help. Move an enclosure from monitored to managed Once an enclosure is monitored in the appliance, if you decide to change from monitored to managed, you must remove the enclosure from the appliance and then migrate or add it back as a managed enclosure, obtaining the appropriate license. Migration would keep the configuration settings, whereas add would not migrate the configuration. Add monitored enclosure currently managed by another management system If you try to add an enclosure for monitoring that is currently being managed by another management system, you must first remove that enclosure from the other management system before trying to add it to HP OneView. 180 Managing enclosures and enclosure groups

181 About unmanaged and unsupported enclosures Unmanaged enclosures An unmanaged enclosure is one that is not currently managed or monitored by HP OneView. See About unmanaged devices (page 141) to learn more about unmanaged devices. Firmware that does not meet the minimum requirements can cause an enclosure to be unmanaged. To bring the enclosure under management update the firmware. Unsupported enclosures An unsupported enclosure cannot be managed by the appliance. However, you can place unsupported enclosures in racks. Adding unsupported enclosures to the appliance enables you to account for the physical space the enclosure occupies in a rack for planning and inventory purposes. If you have an enclosure with G6 ProLiant server blades, consider adding the enclosure as monitored instead of unsupported. See About monitored enclosures (page 180). ProLiant G7 or later server blades can be managed in HP OneView. See About managed enclosures (page 178). The appliance displays basic information about unsupported enclosures, such as the model name, OA name, and the number of OAs in the enclosure. You can specify the maximum power for the unsupported enclosure, which allows you to define its power capacity and enables the appliance to generate alerts when maximum capacity is reached. NOTE: Unsupported hardware that is within enclosures is not handled by the enclosure directly. If the appliance detects an unsupported device in an enclosure, a notification links to the screen for the hardware type (for example, an unsupported server blade alert links to the Server Hardware screen) Connectivity and synchronization with the appliance The appliance monitors the connectivity status of enclosures. If the appliance loses connectivity with an enclosure, a notification is displayed until connectivity is restored. The appliance attempts to resolve connectivity issues and clears the alert automatically, but if it is unsuccessful, you must resolve the issue and manually refresh the enclosure to synchronize it with the appliance. The appliance also makes sure the enclosures are synchronized with changes to hardware and configuration settings. However, some changes to enclosures made outside of the appliance (from ilo or the OA, for example) might cause the enclosure to lose synchronization with the appliance. You might have to manually refresh devices that lose synchronization with the appliance. NOTE: HP does not recommend using ilo or the OA to make changes to a device. Making changes to a device from its ilo or OA could cause it to become out of synchronization with the appliance. You can manually refresh the connection between the appliance and an enclosure from the Enclosures screen. efreshing an enclosure will refresh all devices in it. See the online help for the Enclosures screen to learn more About enclosure groups An enclosure group is a logical resource that defines a set of enclosures that use the same configuration for network connectivity. The network connectivity for an enclosure group is defined by the logical interconnect group associated with the enclosure group. This ensures that each enclosure has an identically configured logical interconnect and the same configuration for network connectivity About enclosure groups 181

182 23.5 Prerequisites for bringing an enclosure into HP OneView Item Enclosure model Firmware Licenses Onboard Administrator IP addresses ilo IP address Interconnects Open ports equirement The enclosure must be a supported model listed in the HP OneView Support Matrix. The enclosure power is turned on. NOTE: To enable the appliance to manage the server hardware seated in an enclosure, the server hardware must meet the prerequisites listed in Prerequisites for bringing server hardware into appliance (page 140). The enclosure firmware must be at the minimum supported firmware version listed in the HP OneView Support Matrix. The appliance firmware repository must be populated with at least one firmware bundle. An HP OneView license is required to manage servers. See About licensing (page 149). If the enclosure has two Onboard Administrators, both OAs must be at the same firmware version. The primary or standby OA must be configured with a host name or IP address and must be reachable by the appliance. As part of bringing an OA under management, a local user account is added, so the OA must be configured to allow for local user accounts. IPv4 or IPv6 configuration is required. Server hardware ilos must be configured with IP addresses, automatically with DHCP addresses or manually with Enclosure Bay IP Addressing (EBIPA)-specified addresses. Interconnects must be configured with IP addresses, automatically with DHCP addresses or manually with EBIPA-specified addresses. If you have an HP Virtual Connect Fibre Channel interconnect, see update the logical interconnect firmware in the online help to determine if you need to update the firmware. If you have an HP Virtual Connect FlexFabric 20/40 F8 interconnect, see About the HP Virtual Connect FlexFabric 20/40 F8 interconnect module (page 168) for the maximum number of modules recommended per enclosure. The following ports must be opened between the appliance and the enclosure: TCP 80, 443 UDP 123, 161, Add an enclosure to manage its contents Adding an enclosure brings the rack, the enclosure, and the server hardware and interconnects under management. You add an enclosure by providing its IP address or host name, along with the OA credentials. NOTE: If you add an enclosure to be managed that contains ProLiant G6 server blades or the ProLiant G7 BL680 server blade, these server blades are added to HP OneView in a monitored state. The HP OneView Standard license is automatically applied to these servers. When adding an enclosure, you specify an enclosure group with an associated logical interconnect group that defines a single logical interconnect within the enclosure. Interconnects in an enclosure share resources on their uplinks, share available networks, and have the same connectivity as the servers on their downlinks. An interconnect failure results in failover to another interconnect. IMPOTANT: When you add an enclosure all previous configuration will be erased from the enclosure. However, if you want to add an enclosure that is being managed by VCM and retain most of the configuration, see Migrate an enclosure currently managed by VCM (page 184). 182 Managing enclosures and enclosure groups

183 When you add an enclosure, any component whose firmware does not meet the minimum requirement is updated, except for ProLiant G6 servers blades. The firmware must be updated manually (outside of HP OneView). If you have HP Virtual Connect Fibre Channel interconnects, see "Manage logical interconnect firmware" in the online help for instructions before adding the enclosure. If you add a new OA to a managed enclosure, and it is the only OA in the enclosure, you must re-add the enclosure to the appliance. NOTE: The name associated with the enclosure is the enclosure name set in the OA, and is not the name of the OA. Prerequisites Minimum required privileges: Infrastructure administrator or Server administrator. See Prerequisites for bringing an enclosure into HP OneView (page 182) for prerequisites and preparation that must be in place before you add an enclosure. Adding an enclosure to manage its contents 1. From the main menu, select Enclosures and do one of the following: Click + Add enclosure in the master pane. Select Actions Add. 2. Select Managed for Add enclosure as. 3. Enter the data requested on the screen. 4. Choose Add or Add +. If you have more enclosures to add, you can add the next enclosure immediately; you do not have to wait for the last Add Enclosure action to complete before starting the next. You must supply a new IP address or host name for each enclosure, but the Onboard Administrator Name and Password credentials are retained on the screen as a convenience if you use the same credentials for multiple enclosures. 5. Verify that the enclosure has been added by confirming the enclosure is listed in the master pane Add an enclosure to monitor the hardware You can add enclosures to inventory and monitor the hardware. For more information about monitored enclosures, see About monitored enclosures (page 180). Prerequisites Minimum required privileges: Infrastructure administrator or Server administrator. Adding an enclosure to monitor the hardware 1. From the main menu, select Enclosures and do one of the following: Click + Add enclosure in the master pane. Select Actions Add. 2. Select Monitored for Add enclosure as. 3. Enter the data requested on the screen. 4. Choose Add or Add +. If you have more enclosures to add, you can add the next enclosure immediately; you do not have to wait for the last Add Enclosure action to complete before starting the next. 5. Verify that the enclosure has been added in the master pane Add an enclosure to monitor the hardware 183

184 23.8 Migrate an enclosure currently managed by VCM An enclosure managed by Virtual Connect Manager (VCM) can be migrated into HP OneView through the UI or through the EST API. The Virtual Connect (VC) enclosure can be migrated to a new enclosure group or an existing enclosure group. VCEM-managed enclosures can be migrated to the appliance. However, the enclosure must first be removed from the Virtual Connect domain group through the VCEM web interface so that the enclosure is managed by VCM. NOTE: See Planning for enclosure migration from VCM into HP OneView (page 101) for tips on preparing your configuration for migration. Prerequisites Minimum required privileges: HP OneView Infrastructure administrator Onboard Administrator and VCM Domain Administrator. Backup and secure the VCM configuration where it will be available in the event that the enclosure must be reverted back to Virtual Connect Manager control. See the Virtual Connect User Guide at for more information. OA and VCM credentials as well as the OA IP address for the enclosure. eview the HP OneView Support Matrix and verify the enclosure contains supported servers, interconnect modules, and mezzanine cards. eview Prerequisites for bringing an enclosure into HP OneView (page 182) for prerequisites and preparation that must be in place. Migrating an enclosure managed by VCM 1. From the main menu, select Enclosures and do one of the following: Click + Add enclosure in the master pane. Select Actions Add. 2. Enter the following information: OA IP address or host name of the Virtual Connect enclosure Your OA credentials (user name and password) 3. Select Managed for Add enclosure as. 184 Managing enclosures and enclosure groups

185 4. Choose Migrate from Virtual Connect domain from the Enclosure Group list. 5. Select the appropriate licensing. See License types (page 149). 6. Click Add. The Migrate Enclosure screen appears. 7. Enter the data requested on the screen. To migrate to a new enclosure group, select Create new enclosure group. To migrate to an existing enclosure group, select one from the enclosure group list. Enter the VCM user name and password. 8. Click Test compatibility. A report summary displays under Migration Details Migrate an enclosure currently managed by VCM 185

186 9. eview the summary. If the summary indicates no errors (except power on issues), power off the servers, run a final compatability test, and click OK to start the migration. Continue to step 10. If the summary indicates errors, click View full report to view and resolve any blocking issues. See esolve compatibility issues (page 188) for more information. 186 Managing enclosures and enclosure groups

187 10. If the activity is successful, the activity displays a green status in the Notifications area. If not, follow the proposed resolution listed under Details in the Notifications area. 11. Power on the servers Migrate a VCM enclosure using EST API An enclosure managed by Virtual Connect Manager (VCM) can be migrated into HP OneView through the UI or through EST API. The Virtual Connect (VC) enclosure can be migrated to a new enclosure group or an existing enclosure group. VCEM-managed enclosures can be migrated in the appliance. However, the enclosure must first be removed from the Virtual Connect domain group through the VCEM web interface so that the enclosure is managed by VCM. NOTE: See planning your migration in the HP OneView User Guide for tips on preparing your configuration for migration. Prerequisites Minimum required session ID privileges: Infrastructure administrator, Onboard Administrator and VCM Administrator privileges The enclosure OA user name, password, and IP address. The enclosure VCM user name and password. The license type: HP OneView Advanced or HP OneView Advanced w/o ilo. See License types (page 149). The firmware repository contains at least one firmware bundle Migrate an enclosure currently managed by VCM 187

188 Backup and secure the VCM configuration where it will be available in the event that the enclosure must be reverted back to Virtual Connect Manager control. See the Virtual Connect User Guide at for more information. eview the HP OneView Support Matrix and verify the enclosure contains supported servers, interconnect modules, and mezzanine cards. Migrating a VCM enclosure using EST APIs 1. Validate the enclosure configuration. POST /rest/migratable-vc-domains See /rest/migratable-vc-domains for a list of required UIs. The enclosure VCM IP address is retrieved from OA. The following UIs are optional: For enclosure group, do one of the following: If you want to migrate the enclosure into an existing enclosure group, use enclosuregroupuri. If you want to migrate the enclosure into a new enclosure group, the enclosure group name is automatically generated based on the serial number. If you want to migrate the enclosure into a customized enclosure group and logical interconnect group, include the enclosuregroupname and logicalinterconnectgroupname. A migratable VC domain UI is returned. 2. un a compatibility report using a MigratableVcDomainV1 UI obtained in step 1. GET /rest/migratable-vc-domains 3. esolve compatibility errors. All blocking issues (except power on issues) must be resolved before you can migrate the enclosure. See esolve compatibility issues (page 188) for more information. 4. If the compatibility reports indicates no errors (except power on issues), power off the servers, and run a final compatability test. 5. Import the VC enclosure. PUT /rest/migratable-vc-domains/id Include migrationstate set to Migrated. 6. Power on the servers esolve compatibility issues The migration tool detects if the features and hardware within a VCM-managed enclosure are compatible with the appliance. Each detected issue is grouped into a category such as hardware, domain, or server profile to identify the part of the VC domain or HP OneView system that is impacted. 188 Managing enclosures and enclosure groups

189 esolving compatibility issues 1. eview each issue and suggested resolution. NOTE: To limit application downtime, resolve all non-power related issues first before powering down the server. a. Evaluate warnings to determine if action needs to be taken. If the warning indicates that the issue will affect your use of the configuration, then take action. Otherwise, the warning can be ignored. b. esolve all blocking migration errors by modifying the configuration in VCM or HP OneView. esolving an issue may require disabling a feature within Virtual Connect, changing a configuration in Virtual Connect, or in some cases, changing the HP OneView logical interconnect group. For example, if there is a mismatch with uplink sets and one of those uplink sets already exists in HP OneView and 10 enclosures with the same configuration are to be migrated into the same enclosure group, update the uplink set in HP OneView. 2. e-execute the test compatibility report until all blocking issues (except power-on issues) are resolved. 3. Power off the servers involved in the migration and run a final test compatibility. 4. Click OK to start the migration. 5. Power on the servers Configuring an enclosure with an OA configuration script About OA configuration scripts Use configuration scripts to simplify new enclosure deployment and configuration, particularly when setting up multiple enclosures, eliminating the need to configure each enclosure manually. Capturing your best practices and compliance rules, the script is copied to, and then run on the enclosure when it is added to an enclosure group that contains a configuration script. You can create, edit, or delete an enclosure configuration script from either the Enclosure Groups screen or the Enclosures screen. To create a configuration script, do one of the following: Extract a script from a configured OA with the SHOW CONFIG CLI command. See the online help for Enclosures for more information. Copy an existing configuration script from the Enclosures or Enclosure Groups screen, and then paste it into a new enclosure group. Edit the script as necessary before clicking OK to apply. See the online help for Enclosures or Enclosure Groups for more information. By entering a configuration script on the Enclosure Groups screen, a copy of the configuration script is stored with every enclosure you add that is associated with that enclosure group. The configuration script is run on the enclosure when: You add an enclosure and the associated enclosure group contains a configuration script. You edit the configuration script of an enclosure. Clicking OK to save your changes will run the script. You select Enclosures Actions eapply configuration to re-run the OA configuration script associated with the enclosure (not the enclosure group). The action also verifies that SSO, SNMP and NTP are configured correctly on the enclosure and that the OA firmware is up to date. The action takes place immediately and requires no other interaction unless there is lost 23.9 Configuring an enclosure with an OA configuration script 189

190 connectivity to the enclosure, in which case you are prompted to re-enter the OA IP address or host name and credentials. You select Enclosures Actions Update from group which copies the enclosure configuration script from the associated enclosure group to the enclosure and then runs the script. You can initially enter passwords, SNMP community strings, and pass phrases in plain text as you create an enclosure or enclosure group script. However, all passwords, SNMP community strings, and pass phrases are masked (replaced by *********) in any UI or EST API response and are never displayed in plain text. If you replace the ********* password string with another string and rerun the script, the password is changed to the new string. Note that some commands cannot be run a second time. For example, if you rerun the ADD USE username ********* command on the same enclosure and have changed the ********* string, the command will fail because that user already exists. In this situation, remove the newly added user before you rerun the script. If any part of the command that is returned with ********* is changed, and you do not replace ********* with another string, the value of the password or the SNMP community string becomes *********. For example, if you submit the script with the command SET USE PASSWOD user_name1 new_password, the script returns SET USE PASSWOD user_name1 *********. If you change the command to SET USE PASSWOD user_name2 *********, the password for user_name2 is set to *********, and not new_password. A subset of OA commands is disallowed in the enclosure configuration script to prevent conflicts with the appliance configuration and settings. There is no syntax checking or other validation of the remaining script. See Disallowed OA commands (page 190) for a list of the OA commands not allowed in a configuration script. View or download OA command documentation (page 190) for a complete reference of OA commands View or download OA command documentation For a complete reference of OA commands, view or download the HP BladeSystem Onboard Administrator Command Line Interface User Guide from the HP Support Center. Viewing or downloading OA command documentation 1. Go to 2. Select Manuals from the left navigation pane. 3. Enter HP Onboard Administrator in the Search box. 4. Select the returned result, HP Onboard Administrator. 5. Select User guide. 6. Find the HP BladeSystem Onboard Administrator Command Line Interface User Guide title and view or download to your local computer Disallowed OA commands The following commands are not allowed in an enclosure configuration script because they conflict with the appliance configuration and could prevent the appliance from operating properly and securely. Disallowed OA commands ADD EBIPA ADD EBIPAV6 CLEA NTP CLEA VCMODE EMOVE CA CETIFICATE EMOVE EBIPA EMOVE EBIPAV6 EMOVE HPSIM CETIFICATE SET ENCLOSUE NAME SET ENCLOSUE SEIAL_NUMBE SET ENCYPTION SET FACTOY 190 Managing enclosures and enclosure groups

191 Disallowed OA commands DISABLE DHCP_DOMAIN_NAME DISABLE EBIPA DISABLE EBIPAV6 DISABLE FIMWAE MANAGEMENT DISABLE HTTPS DISABLE IPV6 DISABLE IPV6DYNDNS DISABLE NTP DISABLE SLAAC DISABLE SNMP DISABLE TUSTED HOST DISABLE USE vcmuser ENABLE DHCP_DOMAIN_NAME ENABLE EBIPA ENABLE EBIPAV6 ENABLE FIMWAE MANAGEMENT EMOVE OA ADDESS IPV6 EMOVE SNMP TAPECEIVE EMOVE SNMP TAPECEIVE V3 EMOVE SNMP USE EMOVE TUSTED HOST EMOVE USE CETIFICATE EMOVE USE vcmuser EMOVE USES ALL SAVE EBIPA SAVE EBIPAV6 SET DATE SET EBIPA SET EBIPAV6 SET EBIPA INTECONNECT SET EBIPA SEVE SET ENCLOSUE ASSET TAG SET FIPS MODE SET HPSIM TUST MODE SET IPCONFIG SET NTP SET NTP PIMAY SET OA DOMAIN_NAME SET OA NAME SET PASSWOD SET SNMP COMMUNITY EAD SET SSO TUST MODE SET TIMEZONE SET USE ACCESS vcmuser SHOW ALL SHOW SYSLOG OA HISTOY UNASSIGN SEVE INTECONNECT <bay number> ALL <bay number range> vcmuser UNASSIGN OA vcmuser Effects of managing an enclosure When an enclosure is being managed by the appliance, the following enclosure settings are in effect: A management account is created. SNMP is enabled and the appliance is added as an SNMP trap destination. NTP (Network Time Protocol) is enabled and the appliance becomes the NTP time source. The NTP default polling interval is set to 8 hours. An appliance certificate is installed to enable single sign-on operations. Enclosure firmware management is disabled (except for monitored enclosures). The Onboard Administrator (OA) firmware is updated to minimum firmware levels, listed in the HP OneView Support Matrix (except for monitored enclosures). The server hardware ilo time zone is set to Atlantic/eykjavik as recommended in the ilo documentation. The time zone setting determines how the server hardware ilo adjusts UTC (Coordinated Universal Time) time to obtain the local time, and how it adjusts for daylight saving time (summer time). For the entries in the ilo event log and IML to display the correct local time, you must specify the time zone in which the server is located. If you want ilo to use the time provided by the NTP server, without adjustment, configure the ilo to use a time zone that does not apply an adjustment to UTC time. In addition, that time zone must not apply a daylight saving time (summer time) adjustment Effects of managing an enclosure 191

192 There are several time zones that meet this requirement. One example is the Atlantic/eykjavik time zone. This time zone is neither east nor west of the prime meridian and time does not change in the spring or fall Learning more Understanding the resource model (page 35) Managing licenses (page 149) Troubleshooting enclosures and enclosure groups (page 300) 192 Managing enclosures and enclosure groups

193 24 Managing firmware for managed devices NOTE: This chapter describes how to manage the firmware for devices managed by the appliance. For information about updating the firmware for the appliance, see Updating the appliance (page 229). A firmware bundle, also known as an HP Service Pack for ProLiant (SPP), comprises a set of deliverables, a full-support ISO file, and six subset ISOs divided by HP ProLiant server family and operating system. An SPP is a comprehensive collection of firmware and system software, all tested together as a single solution stack that includes drivers, agents, utilities, and firmware packages for HP ProLiant servers, controllers, storage, server blades, and enclosures. Each SPP deliverable contains the HP Smart Update Manager (HP SUM), and software and firmware smart components. UI screens and EST API resources UI screen Firmware Bundles EST API resource firmware-bundles 24.1 Tasks for firmware The appliance online help provides information about using the UI or the EST APIs to: View the firmware repository for firmware bundles to see the following: List of firmware bundles in the repository Contents of a firmware bundle Available storage space for the repository Minimum required privileges: Network administrator, Server administrator, or ead only Upload a firmware bundle to the appliance. Minimum required privileges: Network administrator or Server administrator Install a firmware bundle for managed devices. Minimum required privileges: Network administrator for interconnects or Server administrator for server profiles and enclosures emove any or all firmware bundles from the firmware repository. Minimum required privileges: Network administrator or Server administrator Create a custom SPP. Minimum required privileges: Network administrator or Server administrator 24.2 About firmware bundles The appliance provides firmware management across the data center with no additional tools to download and install. Using the firmware management features built in to the appliance, you can define firmware baselines and perform firmware updates across many resources. When you add a resource to the appliance, the appliance automatically updates the resource firmware to the minimum version required to be managed by the appliance or version defined to be a baseline. See also About unsupported firmware (page 196) Tasks for firmware 193

194 A firmware bundle, also known as an HP Service Pack for ProLiant (SPP), is a comprehensive collection of firmware and system software components, all tested together as a single solution stack that includes drivers, agents, utilities, and firmware packages. Firmware bundles enable you to update firmware on HP ProLiant servers, controllers, storage, server blades, and enclosures. You can forcibly downgrade appliance firmware to an older version, but be aware that doing so can result in slower installation speeds and has the potential to render the device unusable. Firmware repository An embedded firmware repository enables you to upload SPP firmware bundles to the appliance and deploy them across your environment according to your best practices. You can view the versions and contents of the SPPs in the repository from the Firmware Bundles screen. Selecting a firmware bundle displays its release date, supported languages and operating systems, and the bundle components. The screen also displays the amount of storage space available for additional firmware bundles on the appliance. You cannot add a firmware bundle that is larger than the amount of space available in the repository. NOTE: To ensure that your hardware has the latest and most robust firmware bundle that takes advantage of all available management features, download the latest firmware bundle to your appliance and add it to the firmware repository. Apply SPPs as baselines You can apply SPPs as baselines to enclosures, interconnects, and server profiles, establishing a desired version for firmware and drivers across devices. When you download an SPP from to your local system, upload it to the firmware bundle repository on the appliance. Each SPP deliverable contains the HP Smart Update Manager and firmware smart components. Managing firmware for the whole enclosure can be initiated from the Enclosures screen. Logical interconnect firmware can be updated from the Logical Interconnects screen. From the Server Profiles screen, you can set the firmware baseline for the assigned server hardware. The appliance identifies firmware compatibilities issues, highlighting out-of-compliance devices for updates with the selected firmware baseline. You can remove any or all SPPs from the firmware bundle repository. However, HP recommends you have at least one SPP available at all times because an SPP is required when adding resources to the appliance that are below the minimum firmware versions for monitoring or managing. If you want to delete an SPP, HP recommends that you re-assign all resources to a different SPP before removing the SPP. You assign an SPP by editing the server profile or enclosure and setting the Firmware baseline field About updating firmware When a device is added, the firmware is automatically updated to the firmware management baseline specified, except for: HP ProLiant G6 server blades and the HP ProLiant G7 BL680 server blade which must be managed outside of HP OneView. HP Virtual Connect interconnect firmware which is managed separately as part of the Logical Interconnect. NOTE: When adding an enclosure and the OA or ilo firmware is below the minimum supported version for HP OneView, the firmware is automatically updated using the SPP that contains the latest OA or ilo firmware while the enclosure is being added. If all SPPs have been deleted, however, such an enclosure cannot be imported. In this situation, first upload an SPP that provides at least the minimum required versions for the OA and the ilo before adding the enclosure. Every resource (OA, ilo, server, or Virtual Connect) goes offline when you upgrade its firmware. Always perform the upgrade during a maintenance window. To help minimize downtime during 194 Managing firmware for managed devices

195 firmware activation, see Maintain availability during Virtual Connect interconnect firmware upgrades (page 197). esource Enclosures Server profiles Interconnects When you update firmware The OA (Onboard Administrator) is taken offline when you update firmware for an enclosure. Firmware updates require that you edit the server profile to change the firmware baseline. You must power down the server hardware to which the server profile is assigned before you change the firmware baseline. An interconnect is taken offline when you: Update or activate firmware for a logical interconnect. Staging firmware does not require interconnects be taken offline. Update firmware for an enclosure and select the option to update the enclosure, logical interconnect, and server profiles. If an interconnect has firmware that has been staged but not activated, any subsequent reboot of that interconnect activates the firmware, which takes the interconnect offline. You can prevent the loss of network connectivity for servers connected to a logical interconnect that has a stacking mode of Enclosure and a stacking health of edundantly Connected by updating firmware using the following method: 1. Stage the firmware on the logical interconnect. 2. Activate the firmware for the interconnects in even-numbered enclosure bays. 3. Wait until the firmware update to complete and the interconnects are in the Configured state. 4. Activate the firmware for the interconnects in the odd-numbered enclosure bays. Upgrading the firmware is based on your assigned role: The Server administrator role can upgrade the firmware on the enclosure OA and servers. The Network administrator role can upgrade the firmware on interconnects. The Infrastructure administrator role can upgrade the firmware on all devices About managing firmware manually Enclosures and server profiles can be set to Manage manually which means that firmware is managed using external tools, such as HP SUM. HP OneView reports firmware versions from the devices, but does not attempt to update the firmware. HP SUM can then manage firmware and drivers through the operating system. Virtual Connect firmware is always managed through HP OneView. Using HP SUM for updates HP SUM can update both firmware and drivers for devices managed by HP OneView, except for Virtual Connect interconnects About firmware bundles 195

196 HP SUM is a free download from Use HP SUM to: Install or update drivers Update firmware Install hotfixes Description After updating firmware using HP OneView, use HP SUM to update drivers in the environment using the same SPP baseline that was applied using HP OneView. After updating firmware using HP SUM, refresh the affected devices in HP OneView to reflect the new firmware version. Select Actions efresh from the Enclosures or Server Hardware screens. NOTE: Downgrading devices below the minimum supported firmware version is not recommended while the devices are managed by HP OneView. If you need to downgrade below the minimum supported firmware level, remove the enclosure from HP OneView before downgrading. Use HP SUM to install hotfixes. See Create a custom SPP in the online help for more information. After performing the update, refresh the affected devices in HP OneView to reflect the new firmware version. Select Actions efresh from the Enclosures or Server Hardware screens About unsupported firmware A default firmware bundle (SPP) is pre-installed in the appliance and provides the minimum supported firmware for all supported server hardware and interconnects. When you add a resource to bring it under management, the resource firmware must be updated to the minimum supported level. The appliance attempts to automatically update the firmware while the resource is being added to the appliance. If the update fails, an alert is generated. Unsupported firmware for firmware bundles If you attempt to add a firmware bundle that contains firmware below the minimum versions supported, an alert is generated and the firmware bundle is not added to the appliance firmware repository. Unsupported firmware for enclosures When adding an enclosure, the appliance: Generates an alert if the logical interconnect firmware for the interconnects is below the required minimum level or if the interconnect firmware levels do not match. You must update the logical interconnect firmware from the Logical Interconnects screen or EST APIs. Updates the OA firmware automatically, if below the required minimum Updates the ilo firmware automatically, if below the required minimum Unsupported firmware for server profiles You are prevented from applying server profiles if the associated ilo firmware is below the minimum supported version, and instead, are directed to the Server Hardware screen to update ilo firmware. Unsupported firmware for interconnects If you attempt to add an interconnect with firmware that is below the minimum supported version, an alert is generated. You must update the logical interconnect firmware from the Logical Interconnects screen or EST APIs. The Firmware panel of the Logical Interconnects screen displays the installed version of firmware and the firmware baseline for each interconnect. 196 Managing firmware for managed devices

197 24.4 Maintain availability during Virtual Connect interconnect firmware upgrades HP Virtual Connect (VC) interconnects reboot during the activation stage of the firmware update process, interrupting server connectivity to these modules. You can minimize the impact of module firmware activation by ensuring a redundant hardware configuration, redundantly connected networks and uplink sets, as well as properly configured NIC teaming on the servers themselves. HP recommends using these network design methodologies. When updating HP FlexFabric interconnects, you must configure SAN connectivity redundantly as well, to avoid application outages. When designing network connectivity, consider all of the dependencies that can influence the ability of the server applications to continue to pass traffic without interruption during the VC interconnect firmware update process. Verify the following aspects of a redundant design before you update firmware in downtime sensitive environments: Configuration Stacking links Firmware activation Description Configure stacking links between VC interconnects to ensure network reachability for any server blade to any network or uplink set within the logical interconnect regardless of the server location. This plays a major role in the ability of the individual VC interconnects to sustain an outage during firmware upgrade. Activate firmware manually or script the activation using the EST APIs to minimize network outage. In this case, the order of module activation plays a crucial role in how network and storage connectivity will be interrupted or preserved during a firmware update. HP recommends alternating the activation of VC interconnect firmware. If the server network and storage connectivity is redundant across horizontally adjacent VC interconnects, alternating the activation between the left and right (odd and even) side modules can minimize disruptions of network and storage connectivity. If the server network and storage connectivity is redundant across vertically adjacent VC interconnects, the activation order must be alternated so that a server does not lose connectivity to both adapter ports at the same time to minimize disruptions of network and storage connectivity Maintain availability during Virtual Connect interconnect firmware upgrades 197

198 Configuration A and B side connectivity edundant network connections Description Create Ethernet and Fibre Channel networks with both A and B side connectivity to allow either all uplinks in the uplink set to be in an active state at all times or to provide for a controlled failover. Configure NIC teaming and vswitch configuration to ensure redundancy of the network connectivity, fast network path failure detection, and timely failover to a redundant path, if available. The following operating system settings allow faster link failure detection and failover initialization: Under normal operating conditions, the Smart Link setting will alter the individual NIC port state in the vswitch, vds (vnetwork Distributed Switch), or teaming software by turning off the corresponding server NIC port. This causes the operating system to detect a failure and direct traffic to an alternate path. In order for the Smart Link functionality to operate as designed, valid DCC (Device Control Channel)-compatible NIC firmware and drivers must be installed on the server blade. However, during the firmware update process when VC interconnects are reset for activation, Smart Link and the DCC protocol will not be able to send a message to the NIC indicating that the link went down since the interconnect management processor is being restarted. Therefore, during firmware update operation it is the responsibility of the NIC and host OS to detect the link failures by configuring the vswitch or vds network failover detection option for Link Status Only in VMware ESXi Server network configuration. In vsphere environments, HP recommends to either turn OFF the high availability (HA) mode or increase the vsphere HA timeout from the default of 13 seconds to seconds. When these options are configured, all guest operating systems will be able to survive the upgrade and the expected network outage due to the stacking link re-convergence and optimal network path recalculation. For environments where changing network failover detection options or HA settings is not possible, use the Stage firmware for later activation option of the firmware update. VC interconnects will be updated but not activated. You can then manually activate the firmware by rebooting VC modules with the OA or by navigating in the UI to Logical Interconnects Actions Update firmware and selecting Activate firmware. The Spanning Tree Edge Port feature of some switches allows a switch port to bypass the listening and learning stages of spanning tree and quickly transition to the forwarding stage. By enabling this feature, edge devices immediately begin communication on the network instead of having to wait on Spanning Tree to determine if it needs to block the port to prevent a loop a process that can take over 30 seconds with default Spanning Tree timers. Since VC interconnects are edge devices, this feature allows server NICs to begin immediate communication on the network rather than waiting for the additional 30 seconds for the spanning tree algorithm to recalculate Best practices for managing firmware Best practice Set the NIC Settings in OA Upload the latest current SPP. Set the same firmware baseline for all devices in an enclosure. Update the firmware in the proper sequence. Description Before beginning a firmware update process on all devices in the enclosure, perform these steps: 1. In OA, select Enclosure Information Enclosure Settings Enclosure TCP/IP Settings. 2. Select the NIC Options tab. 3. Set the NIC Settings to Auto-negotiate. You should upload the SPP to your appliance repository. HP recommends that you set the firmware baseline using the Update Firmware option on the Enclosures screen. This immediately updates all of the devices in the enclosure to the specified SPP level. It is not always possible to update all of the devices in an enclosure in a single operation. The appliance supports installing firmware on one device at a time. In this case, upgrade the firmware in the following order: OA, logical interconnect, and then the server hardware. 198 Managing firmware for managed devices

199 Best practice Install the drivers and other software after updating the firmware. Use HP SUM to install the drivers. Verify the managed device setting before updating the firmware. Description After you update the firmware, install the drivers and other software through the operating system. HP recommends that you install the drivers from the same SPP that contains the firmware. The appliance does not install drivers. Use an external tool, such as HP SUM, to install the drivers and other nonfirmware components. Do not update the firmware using HP SUM or another external tool, on a managed device unless the firmware baseline is set to Manage manually. If you choose to create custom SPPs, use HP SUM to create them. You can use HP SUM to create custom SPPs, which can be uploaded to the appliance repository. Because the appliance only supports installing SPP ISO files, use HP SUM to insert firmware updates into an existing SPP to create a custom SPP. Download HP SUM as a standalone product. Store custom SPPs in a separate repository. The appliance does not back up SPPs, so store custom SPPs in a repository that is not on the appliance, such as in the HP SUM repository used to create the custom SPP Update firmware on managed devices Firmware bundles enable you to update firmware on servers, blades, and infrastructure (enclosures and interconnects). You can choose to update all the resources within an enclosure, just the OA firmware, the firmware within a logical interconnect, or firmware for a specific server. As a best practice when updating firmware, update the firmware in this order: 1. Enclosure 2. Logical Interconnects 3. Server Profiles Prerequisites Minimum required privileges: Infrastructure administrator, Network administrator (for interconnects), or Server administrator (for enclosures and server profiles) One or more SPPs are added to the appliance firmware repository. Interconnects must be in a Configured state. Interconnects must be powered on and functional All server hardware to be updated has an associated server profile. Updating firmware on an enclosure You can update firmware for all the devices in the enclosure or just the OA firmware. 1. From the main menu, select Enclosures. 2. In the master pane, select the enclosure on which you want to update a firmware bundle. 3. Select Actions Update firmware. 4. From Firmware baseline, select the firmware bundle to install. If you select Manage manually, you are using mechanisms outside of the appliance to manage the firmware on your devices Update firmware on managed devices 199

200 NOTE: To install an older firmware version than the version contained in the SPP, you must select the Force installation option to downgrade the firmware. You might want to install older firmware if the newer firmware is known to cause a problem in your environment, perhaps as noted in the elease Notes. CAUTION: Be aware that downgrading firmware can render a server unusable and might result in slower installation speeds. 5. From Update firmware for, select one of the following options: Option Enclosure Enclosure + logical interconnect + server profiles Device updated OA, fan, and power supply firmware OA, all member interconnects, and server hardware firmware (including ilo) for servers with associated server profiles 6. Click OK. The firmware updates occur in the following order: OA, logical interconnects, and then server hardware. Hardware components that are running the same firmware version as the update are skipped from the firmware update operation. The logical interconnect update operation initiates if all of the member interconnects can be updated. If you are updating server profiles, the operation overwrites any SPP baseline that was previously assigned to individual server profiles. 7. Verify that the new firmware baseline is listed on the Enclosures screen. Updating firmware on an interconnect You update a firmware bundle for an interconnect through the logical interconnect. Do not use Virtual Connect Support Utility (VCSU) or HP SUM to update firmware on VC interconnects once they are managed by HP OneView. When updating logical interconnect firmware, if one or more interconnects are already running the targeted firmware version, HP OneView excludes those interconnects from the firmware update process. NOTE: If you have HP Virtual Connect Fibre Channel interconnects, see Update the interconnect firmware for HP Virtual Connect Fibre Channel interconnects in the online help. 1. From the main menu, select Logical Interconnects. 2. From the master pane, select the logical interconnect on which you want to update a firmware bundle. 3. Select Actions Update firmware. 4. From Firmware baseline, select the firmware bundle to install. 200 Managing firmware for managed devices

201 5. From Update action, select from the following options: Option Update firmware (stage + activate) Stage firmware for later activation Activate firmware Description Stages (uploads) the selected firmware to the secondary flash memory on the interconnect, and then activates the firmware as the baseline. At the end of this operation, all member interconnects are running the same firmware baseline and are compliant with one another. This option causes a connectivity outage until the activation is complete, but does update the firmware in the shortest time. Stages (uploads) the selected firmware to the secondary flash memory on the interconnect, but does not activate the firmware. You can activate the firmware at a later time. This option allows manual sequencing of the firmware activation and is the preferred approach to minimize service interruption. Activates the selected staged firmware. To install an older firmware version than the version contained in the SPP, you must select the Force installation option to downgrade the firmware. You might want to install older firmware if the newer firmware is known to cause a problem in your environment, perhaps as noted in the elease Notes. CAUTION: Be aware that downgrading firmware can render the device unusable and might result in slower installation speeds. 6. Click OK. The interconnects are put into a Maintenance state to prevent configuration changes during the update. 7. Select the Activity view to monitor the details of the firmware update process. The staging process copies the extracted firmware image to the individual interconnects using the sftp protocol. During the activation process, whether done now or later, the interconnects are shut down and rebooted with the new firmware image. Then the latest configuration is re-applied to the interconnects and they are put into a Configured state. 8. Verify that the new firmware baseline is listed on the Interconnects screen. The firmware update is always done on the entire logical interconnect, however, there can be instances requiring the update of a single VC interconnect, for example, if you are replacing a module with a spare that shipped with a different firmware revision. An update is required to this single module to bring it to the same level of the firmware as the other modules in the logical interconnect. To update a single VC interconnect, place it into the desired I/O bay and select Logical Interconnects Actions Update firmware. The appliance will update the single interconnect and skip those interconnects that are already at the desired firmware level. IMPOTANT: Do not check Force installation of firmware as this causes all interconnects to be re-activated resulting in service interruption. Updating firmware with a server profile To update the firmware for a specific server, edit the existing server profile or create a new server profile and specify the version of the SPP. NOTE: The firmware baseline in the server profile will not be reapplied unless it has changed Update firmware on managed devices 201

202 1. From the main menu, select Server Profiles, and then do one of the following: Click Create profile in the master pane. Select a server profile in the master pane, and then select Actions Edit. 2. Select the firmware bundle for Firmware baseline. To install an older firmware version contained in the SPP, you must select the Force installation option to downgrade the firmware. You might want to install older firmware if the newer firmware already installed on the server is known to cause a problem in your environment, perhaps as noted in the elease Notes CAUTION: Be aware that downgrading firmware can render an appliance unusable and might result in slower installation speeds 3. To complete the update, do one of the following: If this is a new profile, click Create to create the server profile. If you are editing an existing profile, click OK to update the server profile. 4. Power on the server to activate the firmware. a. From the main menu, select Server Hardware. b. Select the server and then select Actions Power on. 5. Verify that the new firmware baseline is listed on the Server Profiles screen Learning more Troubleshooting firmware bundles (page 303) About enclosures (page 177) About logical interconnect firmware (page 172) About server profiles (page 144) 202 Managing firmware for managed devices

203 25 Managing power, temperature, and the data center You can use the appliance to manage the power and temperature of your IT hardware. To manage and monitor hardware temperature, add your server hardware to racks, position the server hardware in the racks, and then add the racks to one or more data centers Managing power To manage power, you describe your power delivery devices to the appliance using the Power Delivery Devices screen or the EST APIs. The appliance discovers HP Intelligent Power Delivery Devices (ipdus) and their connections automatically. UI screens and EST API resources UI screen Power Delivery Devices EST API resource power-devices enclosures (power capacity) server-hardware (power capacity) oles Minimum required privileges: Infrastructure administrator or Server administrator Tasks for managing power The appliance online help provides information about using the UI and EST APIs to: Add a power delivery device. Add a power connection. Filter power delivery devices. View last 5 minutes of power consumption for an ipdu. View last 24 hours of power consumption for an ipdu. Edit the properties of a power delivery device. Power on or off the locator light for a power delivery device. Power down a power delivery device. emove a power delivery device. esolve connectivity issues between an ipdu and the appliance. Add an ipdu currently being managed by another management system. View power utilization statistics. Update enclosure power capacity settings (EST API only). Update server hardware power capacity settings (EST API only) About power delivery devices Power delivery devices provide power to IT hardware. A typical power topology in a data center includes power delivery devices such as power feeds, breaker panels, branch circuits, and power distribution units (PDUs), as well as the load segments, outlet bars, and outlet components of these 25.1 Managing power 203

204 devices. Adding your power delivery devices to the appliance enables power management using thermal limits, rated capacity, and derated capacity. The Power Delivery Devices screen describes the following classes of devices: HP Intelligent Power Distribution Units (HP ipdus), which the appliance can automatically discover and control. Other power delivery devices that the appliance cannot discover. By manually adding these devices to the appliance, they become available for tracking, inventory, and power management purposes. egardless of how power delivery devices are added to the appliance, the appliance automatically generates the same types of analysis (capacity, redundancy, and configuration). For ipdus, the appliance gathers statistical data and reports errors. Connectivity and synchronization with the appliance The appliance monitors the connectivity status of ipdus. If the appliance loses connectivity with an ipdu, an alert displays until connectivity is restored. The appliance will try to resolve connectivity issues and clear the alert automatically, but if it cannot, you must resolve the issue and manually refresh the ipdu to bring it in synchronization with the appliance. The appliance also monitors ipdu to remain synchronized with changes to hardware and power connections. However, some changes to devices made outside of the control of the appliance (from ilo or the OA, for example) may cause them to become out of synchronization with the appliance. You may have to manually refresh devices that lose synchronization with the appliance. NOTE: HP recommends that you do not use ilo or the OA to make changes to a device. Making changes to a device from its ilo or OA could cause it to lose synchronization with the appliance. You can manually refresh the connection between the appliance and an ipdu from the Power Delivery Devices screen. See the online help for the Power Delivery Devices screen to learn more Managing your data center In the appliance, a data center represents a physically contiguous area in which racks containing IT equipment such as servers, enclosures, and devices are located. The data center describes a portion of a computer room and provides a useful grouping to summarize your environment and its power and thermal requirements. UI screens and EST API resources UI screen Data Centers EST API resource datacenters oles Minimum required privileges: Infrastructure administrator or Server administrator Tasks for data centers The appliance online help provides information about using the UI and EST APIs to: Add and edit a data center. Manipulate the view of a data center visualization. Monitor data center temperature. emove a data center from management. 204 Managing power, temperature, and the data center

205 About data centers A data center represents a physically contiguous area in which racks containing IT equipment are located. For example, you have IT equipment in two rooms or on separate floors. You could create a data center for each of these areas. Each server, enclosure, or power distribution device in your data center can report its power requirements, but it can be difficult to understand the power and cooling requirements for your data center as a whole. The appliance enables you to bring power and cooling management of your servers, enclosures, and power delivery devices together in a single management system. The Layout view of the data center is color-coded to depict the peak temperature recorded in the last 24 hours. Default data center: Datacenter 1 When you initialize the appliance for the first time, it creates a data center named Datacenter 1. The appliance provides this data center as a place to visualize your racks. You can rename or edit this data center to match the values and layout of your data center, you can use it as the basis for a planned data center model, or you can delete this data center without adverse effects. Default rack placement When you add a rack to the appliance for management, the appliance displays the rack in all data centers even though its actual location is not known. If you view a data center that displays unpositioned racks, a warning appears to alert you that unpositioned racks are being displayed. When you assign a rack to a data center, it is no longer displayed in other data centers Managing racks acks allow you to manage temperature, power, and depict the layout of enclosures. UI screens and EST API resources UI screen acks EST API resource racks oles Minimum required privileges: Infrastructure administrator or Server administrator Tasks for racks Add, edit, or remove a rack. Change layout of devices in a rack. Set the thermal limit of a rack About racks A rack is a physical structure that contains IT equipment such as enclosures, servers, power delivery devices, and unmanaged devices (an unmanaged device uses slots in the rack and consumes power or exhausts heat, but it is not managed by the appliance). You can manage your racks and the equipment in them by adding them to the appliance. Having your racks managed by the appliance enables you to use the appliance for space and power planning. The appliance also gathers statistical data and monitors the power and temperature of the racks it manages Managing racks 205

206 When you add an enclosure to the appliance, it automatically creates a rack and places the enclosure in it. The appliance places into the rack all enclosures connected by management link cables. When enclosures are added, the appliance places them in the rack from top to bottom. When an enclosure is placed in an HP Intelligent Series ack, the enclosure slots are automatically detected. For other racks, to accurately depict the layout of your enclosures within the rack you must edit the rack to place the enclosure in the proper slots. You can use the appliance to view and manage your rack configuration and power delivery topology. You can specify the physical dimensions of the rack (width, height, and depth), the number of U slots, and the location of each piece of equipment in the rack. You can specify the rack PDUs that provide power to the rack, and their physical position in the rack or on either side. You can also describe how the devices in the rack are connected to those PDUs. The appliance automatically discovers the rack height and rack model for a ProLiant server with Location Discovery Services and updates the physical locations of devices when they are relocated within and between racks. NOTE: When the appliance discovers an HP Intelligent Series ack, it sets the rack height automatically using the HP Intelligent ack Location Discovery Services. For non-intelligent racks or for empty racks, the default rack height is 42U. After adding a rack to the appliance for management, you can add the rack to a data center to visualize the data center layout and to monitor device power and cooling data. After the rack is under management, you can configure the power delivery topology with redundant and uninterruptible power supplies to the devices in the rack. ack naming The way a rack is named and how you change the name of a rack depends on how it was added to the appliance. Table 11 ack naming Add method Automatically added when the appliance discovers an enclosure the rack contains Automatically discovered from a ProLiant server with Location Discovery Services Manually from the acks screen 25.4 Learning more Initial naming method Defined by enclosure OA Assigned using rack serial number as rack name Defined by the user Name change method Change rack name from enclosure OA Edit rack Edit rack Monitoring power and temperature (page 251) About utilization graphs and meters (page 253) 206 Managing power, temperature, and the data center

207 26 Managing storage This chapter describes the storage resources and the tasks associated with those resources. Storage systems: hardware that contains multiple storage disks such as the HP 3PA StoreServ Storage system. Storage pools: groups of physical disks in a storage system. Volumes: logical storage spaces provisioned from storage pools that you can attach to server profiles. Volume templates: you can create multiple volumes with the same configuration. SAN managers: hardware or software systems that manages SANs and you can use them to automate fabric zoning. Figure 15 Storage management overview UI screens and EST API resources UI screen SAN Managers Storage Systems Storage Pools Volumes Volume Templates EST API resource fc-sans/device-managers fc-sans/providers fc-sans/managed-sans storage-systems storage-pools storage-volumes storage-volume-templates 26.1 Storage systems A storage system is hardware that contains multiple storage disks such as the HP 3PA StoreServ Storage system Storage systems 207

208 oles Tasks Minimum required privileges: Infrastructure administrator or Storage administrator The appliance online help provides information about using the UI and EST APIs to: Add, edit, edit credentials, refresh, and remove a storage system Add a volume About storage systems A storage system (or storage array) is a piece of hardware that contains multiple storage disks. Bringing SAN storage systems under management of the appliance enables you to add and create logical storage spaces, known as volumes. You can then attach volumes to server profiles through volume attachments. This enables the server hardware assigned to the server profiles to access the SAN storage system. When adding a storage system, you must choose a domain on the storage system. You can then select storage pools from that domain on the storage system to add to the appliance. After you add storage pools, you can assign Fibre Channel networks to the storage ports associated with the storage system. See the HP OneView Support Matrix for a list of supported storage systems. Connectivity and synchronization with the appliance The appliance monitors the health status of storage systems and issues alerts when there is a change in status of a storage system. The appliance also monitors the connectivity status of storage systems. If the appliance loses connectivity with a storage system, an alert is displayed until connectivity is restored. The appliance attempts to resolve connectivity issues and clear the alert. If it cannot, you must resolve the issues and use the Storage Systems screen to manually refresh the storage system to synchronize it with the appliance. The appliance also monitors storage systems to ensure that they are synchronized with changes to hardware and configuration settings. However, changes to storage systems made outside the appliance (such as changing credentials) might cause the storage system to lose synchronization with the appliance, in which case you must manually refresh the storage system Storage pools oles Tasks Storage pools are groups of physical disks in a storage system that you can divide into logical volumes. Minimum required privileges: Infrastructure administrator or Storage administrator The appliance online help provides information about using the UI and EST APIs to: Add and remove a storage pool About storage pools A storage pool is an aggregation of physical storage resources (disks) in a storage system. Storage systems contain information about the storage ports through which they can be accessed. You can provision logical storage spaces, known as volumes, from storage pools. 208 Managing storage

209 You can choose one or more storage pools when adding a storage system to the appliance. Storage pools are created on a storage system using the management software for that system. You cannot create or delete storage pools from the appliance you can only add or remove them from management. After you add storage pools, you can provision volumes on them Volumes oles Tasks Volumes are logical storage spaces provisioned in storage pools. You can create multiple volumes with the same configuration using a volume template. Minimum required privileges: Infrastructure administrator, Storage administrator, or Network administrator The appliance online help provides information about using the UI and EST APIs to: Create, add, edit, delete, and increase the capacity of a volume About volumes Volumes are logical storage spaces that are provisioned in storage pools on storage systems. Volumes are associated with server profiles through volume attachments. Attaching a server profile to a volume gives the server hardware to which the server profile is assigned access to storage space on a storage system. Using volume templates, you can create multiple volumes with the same configuration. You can increase (grow) the capacity of a volume by editing it. You cannot decrease the capacity of a volume Volume templates oles Tasks You can use volume templates to create multiple volumes with the same configuration. Minimum required privileges: Infrastructure administrator or Storage administrator The appliance online help provides information about using the UI and EST APIs to: Add, edit and delete a volume template About volume templates A volume template is a logical resource that enables you to create a standard configuration from which multiple volumes can be created SAN Managers A SAN manager is a hardware or software system that manages SANs. A SAN manger is not required to attach a volume to a server profile, but SAN managers enable automated fabric zoning Volumes 209

210 oles Tasks Minimum required privileges: Infrastructure administrator or Storage administrator The appliance online help provides information about using the UI or the EST APIs to: Add, edit, and remove a SAN manager Associate a managed SAN with a network Turn automated zoning on or off for a managed SAN About SAN managers SAN Managers are hardware or software systems that manage SANs. The SAN Managers resource enables you to bring SAN management systems and the SANs they manage under management of the appliance. You can associate the managed SANs to Fibre Channel networks on the appliance. This enables the appliance to automate zoning to make the SANs visible to server profiles. Zoning defines connections between Fibre Channel endpoints. Zones are a group of endpoints that can communicate with each other. Open SANs allow communication between all endpoints. See the HP OneView Support Matrix for a list of supported SAN managers. Zoning policy SAN zoning policies determine how zoning should be enforced on a SAN, and how zones are created between the storage system and server profile. Zone name format You can specify the name format of each zoning policy. You specify the format for a zone name by selecting variables in the order of your choice. You can also add your own text strings to the zone name. Aliases You can specify aliases and their formats for initiators, targets, and target groups. The aliases are displayed in place of WWPNs. You can also add your own text strings to the alias. See for more information about editing zoning policies, names, and aliases. The appliance modifies zone and alias names so that the format is valid for the SAN manager to which they belong. The following table describes the naming guidelines and the modifications the appliance performs to create valid names. Table 12 Zone and alias naming guidelines Guideline Name cannot contain illegal characters (determined by the SAN manager) Name must be unique Name begins with and illegal initial character(determined by the SAN manager) Name cannot be blank Appliance action emoves illegal characters from name. Appends the name to make it unique. The name is appended with _# where # is a number, starting at 1. Prepends the name with legal characters. For example, a BNA SAN would be prepended with A_. Creates a unique name using a unique variable for the SAN. For example, a blank server profile connection variable would be replaced with the connection id variable. Whether or not a new or existing zone or alias is used depends on the format of the existing name. The following table describes how the appliance handles different existing name formats. 210 Managing storage

211 Table 13 Conditions of reuse for existing SAN zones Existing zone/alias name Exact zone name with exact membership Different zone name with exact membership Exact zone name but zone has additional members Alias names have exact membership and are only used in zones leveraged by HP OneView Alias names have exact membership and are used in zones beyond what HP OneView will leverage Appliance action Existing zone used Existing zone used New zone created Existing alias used New alias created NOTE: The re-use of a zone is determined on WWPN membership. If aliases are leveraged in an existing zone, HP OneView analyzes the WWPN membership of the alias to determine if the correct WWPNs are present to enable re-use. Zone names and aliases are not created until the zoning operation is performed; therefore, the appliance creates the aliases and names when the zone is created, not when the format is created in the edit dialog. Any name modifications are applied when the zone is created. When you make changes to a zone that has existing volume associations on a server profile, the appliance takes the following actions: Table 14 Appliance actions for changes to zones with existing volume associations Change to zone Alias is turned on Alias name is changed Zone name is changed Zone type is changed (with 1 or 2 existing storage systems) Zone type is changed (and then a 2nd storage system is added) Path is removed or added Appliance action Adds alias to current zone No action No action No action Creates new zone for the 2nd storage system Deletes the zone and rebuilds it with updated information HP 5900 VSANs and cascaded switches In a cascaded switch environment, an HP 5900 SAN Manager can perform operations on all VSANs configured on that switch including VSANs that span across multiple switches. If a VSAN is configured on only one switch, you need to add the switch as a SAN manager, even if the switch has already been discovered through a spanning VSAN. For VSANs that are discovered on multiple SAN managers, you must select one SAN manager to associate to a network. After you associate a SAN to a network, all duplicate entries of this SAN on other SAN managers will be removed from the listings. The appliance can only manage the VSAN from this associated SAN manager from now on. Zone aliases created for a particular VSAN on a SAN manager are not visible to other SAN managers that manage the VSAN Learning more Understanding the resource model (page 35) Troubleshooting storage (page 317) 26.6 Learning more 211

212 212

213 27 Managing switches Top of rack switches enable network consolidation and management of server blades as they are added to your data center. UI screens and EST API resources UI screen Switches EST API resource switches 27.1 oles Minimum required privileges: Infrastructure administrator or Network administrator 27.2 Tasks for switches The appliance online help provides information about using the UI or the EST APIs to: Add, edit, or remove a top of rack switch. Update the interconnect associations of a switch About switches Switches provide a unified, converged fabric over 10 Gb Ethernet for LAN and SAN traffic. This unification enables network consolidation and greater use of infrastructure and cabling, reducing the number of adapters and cables required and eliminating redundant switches. A configuration of enclosures, server blades, and third-party devices such as the Cisco Fabric Extender Modules for HP BladeSystem and Cisco Nexus top of rack switches provides scalability to manage server blades and a higher demand for bandwidth from each server with access-layer redundancy. See the HP OneView Support Matrix for the complete list of supported devices. Modular data centers, deploying both individual server blades and racks of server blades, can use a top of rack switch deployment model as a solution for network consolidation. You can increase data center flexibility by placing switching resources in each rack so that server connectivity can be aggregated. Integration with top of rack switches provides the following benefits: A distributed modular system that creates a scalable server access environment One single point of management and policy enforcement educed operation expenses (less cabling, reduced power and cooling, effective bandwidth utilization) The appliance provides minimal monitoring (power and state only) of switches and their associated interconnects Learning more Understanding the resource model (page 35) Troubleshooting switches (page 320) 27.1 oles 213

214 214

215 28 Managing users and authentication The appliance requires users to log in with a valid user name and password, and security is maintained through user authentication and role based authorization. User accounts can be local, where the credentials are stored on the appliance or can be on a company or organizational directory (Microsoft Active Directory, for example) hosted elsewhere, where the appliance contacts the defined directory server to verify user credentials. UI screens and EST API resources UI screen Users and Groups EST API resource users, roles, authz, logindomains, logindomains/global-settings, and logindomains/grouptorolemapping 28.1 oles Minimum required privileges: Infrastructure administrator 28.2 Tasks for managing users and groups The appliance online help provides information about using the user interface or the EST APIs to: Add, edit (including updating a user password), or remove a user with local authentication. Add a user with directory-based authentication. Add a group with directory-based authentication. Designate user privileges. eset the administrator password. Add an authentication directory service. Allow or disable local logins. Change the authentication directory service settings. Set an authentication directory service as the default directory. emove an authentication directory service from the appliance About user accounts ole-based access The appliance provides default roles to separate responsibilities in an organization. A user role enables access to specific resources managed from the appliance. ole-based access control enforces permissions to perform operations that are assigned to specific roles. You assign specific roles to system users or processes, which gives them permission to perform certain system operations. Because a user is not assigned permissions directly, but instead acquires them through their role (or roles), individual user rights are managed by assigning the appropriate roles to the user. At initial appliance startup, there is a default administrator account with full access (Infrastructure administrator) privileges. For more information about the actions each role can perform, see Action privileges for user roles (page 217). If you cannot see resource information or perform a resource task, your assigned role does not have the correct privileges. In this case, you should request a different role or an additional role. The Dashboard displays status of the most relevant resources that are associated with assigned 28.1 oles 215

216 user roles. If you are assigned multiple roles, such as Network and Storage roles, the dashboard displays the combination of resources that each role would see on the dashboard. Local authentication You can add a user authorized to access all resources managed by the appliance (full access user) or add a user who has access based on their job responsibilities (role-based specialist). For each of these users, authentication is confirmed by comparing the user login information to an authentication directory hosted locally on the appliance. The default administrator login for the appliance is automatically assigned with full access (Infrastructure administrator) privileges. Directory-based authentication You can add a user authorized by membership to access all resources managed by the appliance (full access user) or add a user authorized by membership who has access based on their job responsibilities (role-based specialist). For each of these users, authentication is confirmed by comparing the user login information to an enterprise directory About user roles User roles enable you to assign permissions and privileges to users based on their job responsibilities. You can assign full privileges to a user, or you can assign a subset of permissions to view, create, edit, or remove resources managed by the appliance. Table 15 User role permissions ole Full ead only Type of user Infrastructure administrator ead only Permissions or privileges View, create, edit, or remove resources managed by the appliance, including management of the appliance, through the UI or using EST APIs. An Infrastructure administrator can also manage information provided by the appliance in the form of activities, notifications, and logs. Only an Infrastructure administrator can restore an appliance from a backup file. View managed resource information. Cannot add, create, edit, remove, or delete resources. 216 Managing users and authentication

217 Table 15 User role permissions (continued) ole Specialized Type of user Backup administrator Network administrator Server administrator Storage administrator Permissions or privileges Create and download backup files, view the appliance settings and activities. Has the authority to use scripts to log in to the appliance and run scripts to back up the appliance. Cannot restore the appliance from a backup file. NOTE: This role is specifically intended for scripts using EST APIs to log into the appliance to perform scripted backup creation and download so that you do not expose the Infrastructure administrator credentials for backup operations. HP recommends that users with this role should not initiate interactive login sessions through the HP OneView user interface. View, create, edit, or remove networks, network sets, connections, interconnects, uplink sets, and firmware bundles. View related activities, logs, and notifications. Cannot manage user accounts. View, create, edit, or remove server profiles and templates, network sets, enclosures, and firmware bundles. Access the Onboard Administrator and physical servers, and hypervisor registration. View connections, networks, racks, power, and related activities, logs, and notifications. Cannot manage user accounts. Add volumes, but cannot add storage pools or storage systems. View, add, edit, or remove storage systems. View, add, or remove storage pools. View, create, edit, add, or delete volumes. View, create, edit, or delete volume templates Action privileges for user roles The following table lists the user action privileges associated with each user role. The Use privilege is a special case that allows you to associate objects to objects that you own but you are not allowed to change. For example, in a logical interconnect group, a user assigned the role of Server administrator is not allowed to define logical interconnect groups, but can use them when adding an enclosure. Table 16 Action privileges for user roles Category Action privileges for user roles (C=Create, =ead, U=Update, D=Delete, Use) Infrastructure administrator Server administrator Network administrator Backup administrator Storage administrator ead only activities CUD CU CU CU alerts UD UD UD UD appliance CUD audit logs C backups CUD CD 28.5 Action privileges for user roles 217

218 Table 16 Action privileges for user roles (continued) Category Action privileges for user roles (C=Create, =ead, U=Update, D=Delete, Use) Infrastructure administrator Server administrator Network administrator Backup administrator Storage administrator ead only communitystring U CU connections CUD C connection templates CUD, Use, Use CUD console users CUD data centers CUD CUD debug logs CUD CU CU device bays CUD CUD domains CUD CU enclosures CUD CUD enclosure groups CUD, Use CUD, Use Ethernet networks CUD CUD events CU CU CU fabrics CUD CUD FC aliases CUD CUD FC device managers CUD CUD FC endpoints FC networks CUD CUD FCOE networks CUD, Use CUD, Use FC ports FC providers FC SANs CUD CUD FC SAN services CUD CUD FC switches FC tasks FC zones CUD CUD firmware drivers CUD CUD CUD global settings CUD CUD CUD CUD grouptorolemappings CUD ID range vmacs (MAC addresses) CUD CU 218 Managing users and authentication

219 Table 16 Action privileges for user roles (continued) Category Action privileges for user roles (C=Create, =ead, U=Update, D=Delete, Use) Infrastructure administrator Server administrator Network administrator Backup administrator Storage administrator ead only ID range vsns (serial numbers) CUD CU ID range vwwns (World Wide Names) CUD CU integrated tools CUD interconnects CUD C CUD interconnect types, Use CUD labels CUD CUD CUD CUD licenses CUD C logical downlinks logical interconnects CU, Use, Use U, Use logical interconnects groups CUD, Use, Use CUD, Use login domains CUD login sessions CUD U U U U U migratable VC domains CUD, Use networks CUD, Use, Use CUD, Use network sets CUD, Use CUD 1 CUD notifications CUD CD CD organizations CUD ports U, Use U, Use power devices CUD CUD racks CUD CUD reports restores CUD roles CUD server hardware CUD, Use CUD, Use server hardware types CUD, Use CUD, Use server profiles CUD CUD storage pools CD CUD storage systems CUD CUD 28.5 Action privileges for user roles 219

220 Table 16 Action privileges for user roles (continued) Category Action privileges for user roles (C=Create, =ead, U=Update, D=Delete, Use) Infrastructure administrator Server administrator Network administrator Backup administrator Storage administrator ead only storage target ports CUD CUD storage volumes CUD CUD CUD storage volume attachments CUD CUD CUD storage volumes templates CUD CUD switches CUD, Use U CUD tasks trap forwarding U unmanaged devices CUD CUD uplink sets CUD CUD users CUD user preferences CUD 1 Server administrator s cannot edit bandwidths About authentication settings Security is maintained through user authentication and role-based authorization. User accounts can be local, where the user credentials are stored on the appliance, or they can be in a directory (Microsoft Active Directory, for example) hosted elsewhere, where the appliance contacts the designated directory server to verify the user credentials. When logging in to the appliance, each user is authenticated by the authentication directory service, which confirms the user name and password. Use the Authentication settings panel to configure authentication settings on the appliance, which is populated with default values during first-time setup of the appliance. To view or make changes to Authentication settings, log in with Infrastructure administrator privileges. No other users are permitted to change or view these settings. View and access the Authentication settings by using the UI and selecting Settings Security Authentication or with the EST APIs About directory service authentication You can use an external authentication directory service (also called an enterprise directory or authentication login domain) to provide a single sign-on for groups of users instead of maintaining individual local login accounts. Each user in a group is assigned the same role (for example, Infrastructure administrator). An example of an authentication directory service is a corporate directory that uses LDAP (Lightweight Directory Access Protocol). 220 Managing users and authentication

221 After the directory service is configured, any user in the group can log in to the appliance. On the login window, the user: Enters their user name (typically, the Common-Name attribute, CN). The format for the user name depends on the Directory type. OpenLDAP Common name and UID formats are supported. The appliance automatically detects the user name format as follows: User name format User-Principal-Name SAM-Account-Name If the user name / You should choose the Common Name and UID formats in the User Interface. Microsoft Active Directory The following maps the Active Directory attribute to the LDAP property: Active Directory attribute Common-Name UID User-Principal-Name SAM-Account-Name LDAP property cn uid userprincipalname samaccountname If a user object is created in the Active Directory Users and Computers Microsoft Management Console, the names default as follows: You specify the following components of the user s name, displayed here with the corresponding attribute: User s: Attribute: First Name Intials Last Name givenname initial sn The field labeled Full Name defaults to this format and this string is assigned to the cn attribute (Common Name). givenname.initials.givenname.initial.sn In the New Object user dialog box, you are also required to specify a User logon name. This, in combination with the DNS domain name, becomes the userprincipalname. The userprincipalname" is an alternative name that the user can use for logging in. It is in the form: LogonName@DNSDomain For example: JoeUser@exampledomain.example.com Finally, as you enter the User logon name, the first twenty characters are automatically filled in the pre-windows 2000 logon name field, which becomes the "samaccountname" attribute About directory service authentication 221

222 The full NT name of an Active Directory object has the following form. The uid (userid) attribute type contains computer system login names associated with the object. NetBIOSDomain\sAMAccountName Enters their password. Selects the authentication directory service. This box appears only if you have added an authentication directory service to the appliance. In the Session control, ( ) the user is identified by their name preceded by the authentication directory service. For example: CorpDir\pat When you add an authentication directory service to the appliance, you provide search criteria so that the appliance can find the group by its DN (Distinguished Name). For example, the following attribute values identify a group of administrators in a Microsoft Active Directory: distinguishedname CN=Administrator,CN=Users,DC=example,DC=com If you replicate the authentication directory service for high availability or disaster tolerance, add the replicated directory service as a separate directory service. After configuring and adding a directory server, you can designate it as the default directory service. You can: Allow local logins only, which is the default. Allow both local logins and logins for user accounts authenticated by the directory service. Disable local logins, which restricts logins to user accounts authenticated by the directory service Managing user passwords A user with Infrastructure administrator privileges can manage the passwords of all local users on the appliance using the UI or the EST APIs. Users without Infrastructure administrator privileges can manage only their own passwords. As Infrastructure administrator, you can view all users logged in to the appliance with the Users and Groups screen or EST APIs. Select any user, and then edit their password or assigned role. All other local users can edit their own passwords by using the UI or the EST APIs. In the UI, click the Session icon in the top banner, and then click the Edit icon to change their current password or contact information eset the administrator password If you lose or forget the administrator password, run the pwreset command and then telephone your authorized support representative for additional instructions. Prerequisites You have access to the physical appliance console or, by using a tool such as a hypervisor, to a virtual appliance. The appliance software is running. esetting the administrator password 1. From the console appliance login screen, switch to the pwreset login screen by pressing Ctrl+Alt+F1. To return to the console s login screen, press Ctrl+Alt+F2. NOTE: For VMware vsphere users, Ctrl+Alt is used for another function. To send the command to the console, you must press Ctrl+Alt+Spacebar then press Ctrl+Alt+F Managing users and authentication

223 2. Log in with the user name pwreset. The appliance displays a challenge key. For example: <hostname> login: pwreset Challenge = xyaay42a3a Password: 3. Telephone your authorized support representative and read the challenge key to them. They will provide you with a short-lived, one-time password based on the challenge key. For information on how to contact HP by telephone, see How to contact HP (page 333). The authorized support representative uses the challenge code to generate a short-lived, one-time password based on the challenge key. It will be an easy-to-type, space-separated set of strings. For example: VET OME DUE HESS FA GAS 4. The appliance generates a new password. 5. Note the new password for the administrator account, and then press Enter to log out. 6. Use the UI or EST API to log in as administrator with the new password Learning more Controlling access for authorized users (page 57) Learning more 223

224 224

225 29 Backing up an appliance This chapter describes how to use the UI, EST APIs, or a custom-written PowerShell script to save your appliance resource configuration settings and management data to a backup file. UI screens and EST API resources UI screen Settings Actions EST API resource backups 29.1 oles Users with Infrastructure administrator and Backup administrator privileges can create and download backup files, however, only the Infrastructure administrator can restore an appliance from a backup file. The Backup administrator has the authority to use scripts to log in to the appliance and run scripts to back up the appliance. This role is specifically intended for scripted backup creation and download. HP recommends that users with this role should not initiate interactive login sessions through the HP OneView user interface About backing up the appliance HP OneView provides the ability to save your configuration settings and management data to a backup file and enables you to use that backup to restore a corrupted appliance in the event of a catastrophic failure. The backup process involves creating a backup file and then downloading that file so that you can store it to a safe and secure (off-appliance) location for future use. For advice on creating and archiving a backup file, see Best practices for backing up an appliance (page 226). For the procedure on creating a backup file from the UI, see Back up an appliance (page 227). IMPOTANT: In the unlikely event you need to restore the appliance, HP recommends backing up your appliance configuration on a regular basis, preferably daily and, and especially: After adding hardware After changing the appliance configuration Before and after updating the appliance firmware The appliance stores one backup file at a time. Creating each subsequent backup file replaces the current backup file. To prevent a backup file from being overwritten by a new backup file, download and save the backup file to an off-appliance location before running the next backup process. HP OneView provides a Backup administrator user role specifically for backing up the appliance by permitting access to other resource views without permitting actions on those resources, or other 29.1 oles 225

226 tasks. Only the Infrastructure administrator or the Backup administrator can create a backup file, either through the UI or EST APIs. What the backup process backs up HP OneView database System files: Non-database data Audit log License files What the backup process does not back up Non-data files: Static files that are installed as part of the execution environment, and are not specific to the appliance or managed environment configuration Log files (except the Audit log file) Appliance network configuration First-time setup configuration files Firmware bundles Use a backup file to do the following: estore the appliance from which the backup file was created. estore the settings to a different appliance. For example, if an appliance fails and cannot be repaired, you can use a backup file to restore the management configuration settings and management data to a replacement appliance created from the same version of the virtual machine image. EST APIs let you: Schedule a backup process from outside the appliance. Collect backup files according to your site policies. Integrate with enterprise backup and restore products Best practices for backing up an appliance Method Creating Frequency Archiving Description Always use the HP OneView backup feature to back up your appliance. CAUTION: Do not use any hypervisor-provided capabilities or snapshots to back up HP OneView appliances because doing so can cause synchronization errors and result in unpredictable and unwanted behavior. HP recommends performing regular backups, preferably daily, and especially after adding hardware, changing the appliance configuration, and before and after updating the appliance firmware. If you added server hardware to the appliance after the backup file was created, that hardware is not in the appliance database when the restore process completes. You must add that hardware to the appliance and then repeat any other configuration changes (such as assigning server profiles) that were made between the time the backup file was created and the restore process completed. You can back up the appliance while it is in use and while normal activity is taking place. You do not need to wait for tasks to stop before creating a backup file. The backup file format is proprietary, however, HP recommends that after you create and download the backup file you encrypt, and then safely store the backup file to protect your sensitive data. HP recommends using an enterprise backup product such as HP Data Protector to archive backup files. For information on HP Data Protector, see the following website: HP provides EST APIs for integration with enterprise backup products Determining your backup policy A backup file is an encrypted snapshot of the appliance configuration and management data at the time the backup file was created. HP recommends that you create regular backups, preferably 226 Backing up an appliance

227 once a day and after you make hardware or software configuration changes in the managed environment. As an alternative to using Settings Actions Create backup from the appliance UI, you can write and run a script to automatically create and download an appliance backup file. You can schedule the backup script to run automatically in interactive or batch mode on a regular basis. Only a user with Backup administrator or Infrastructure administrator privileges can run the script interactively. For more information, see Sample backup script (page 381) Back up an appliance A backup file saves the configuration settings and management data for your appliance. You can recover from a catastrophic failure by restoring your appliance from the backup file. For more information, see About backing up the appliance (page 225). NOTE: To reduce the size of the backup file and the time it takes to create it, the firmware bundles you have uploaded to the appliance are not included in the backup file. Prerequisites Minimum required privileges: Infrastructure administrator or Backup administrator You have completed all the best practices for backing up an appliance. Backing up an appliance 1. From the Settings screen, select Actions Create backup. While the backup file is being created, a progress bar appears in the Overview pane. Wait for the backup file creation to complete. 2. Optionally, click the Create backup notification banner for more information and the name of the backup file, which has the format: appliance-host-name_backup_yyyy-mm-dd_hhmmss.bkp 3. After the backup file is created, select Actions Download backup to download the backup file from the appliance. 4. Save the backup file to an external location for safekeeping. Do not store it on the appliance Using EST APIs to create and download an appliance backup file After the backup is initiated, a Taskesource UI is created that you use to track the progress of the backup. When the backup is complete, you can use a GET EST API operation to download and change the backup file name. The latest backup is stored on the appliance and is replaced when a new backup is initiated. Prerequisites Minimum required session ID privileges: Backup administrator Creating and downloading an appliance backup file using EST APIs 1. Create the backup file. POST /rest/backups 2. Download the backup file. GET /rest/backups/archive/backup UI 29.5 Back up an appliance 227

228 NOTE: After the POST operation is complete, a Taskesource UI and backup UI are returned. You can use the Taskesource UI to monitor the progress of the backup. Use the backup UI to refer to a specific backup when downloading the backup file or performing another operation Creating a custom script to create and download an appliance backup file If you prefer to write a customized script to create and download your appliance backup file, and schedule that script to run on a schedule according to your IT policies, see Sample backup script (page 381) for a sample PowerShell script Learning more Basic troubleshooting techniques (page 287) 228 Backing up an appliance

229 30 Managing the appliance 30.1 Updating the appliance You manage appliance updates from the Settings screen or by using the EST APIs. UI screens and EST API resources UI screen Settings EST API resource appliance/firmware oles Tasks Minimum required privileges: Infrastructure administrator Updating the appliance requires a single user accessing the appliance and causes the appliance to restart. This does not disrupt the operation of the devices under management, but does result in an outage of the appliance. The appliance online help provides information about using the UI or the EST APIs to: Determine if a newer appliance update is available. (Minimum required privileges: ead only, Network administrator, or Infrastructure administrator) Update the appliance. (Minimum required privileges: Infrastructure administrator) About appliance updates The appliance runs a combination of software and firmware. Maintaining up-to-date appliance software and firmware fixes problems, improves performance, and adds new features to the appliance. The appliance does not automatically notify you when an update is available, you need to determine if an appliance update file has been released. To view the installed version of appliance firmware, use the Settings Appliance General view. Then, verify if a newer version of an appliance update file is available to download from the website. Before you update the appliance, examine the HP OneView elease Notes to learn about supported upgrade paths, new features delivered in the update, best practices, limitations, troubleshooting hints and tips, and whether or not you must restart the appliance after it is updated. NOTE: When you download the appliance update file, a link to the update HP OneView elease Notes appears in the download dialog box. HP recommends clicking that link to read and then save and print the information for future reference. Once the download starts, you cannot access that link again. You manage appliance updates from the Settings Actions Update appliance menu or by using the EST APIs. An appliance update is installed from a single file during the update process. You can either download the file directly to the appliance or to another computer and then transfer the file to the appliance. When you install an appliance update, the appliance restarts and goes offline. When the appliance is offline, it does not affect the managed resources they continue to operate while the appliance is offline Updating the appliance 229

230 Learning more For more information about obtaining software updates, see Support and other resources (page 333) Managing appliance availability Managing and maintaining appliance availability starts with configuring the appliance virtual machine for high availability as described in Planning for high availability (page 96), and following the best practices described in Best practices for managing a VM appliance (page 230). In the event of an appliance shutdown, your managed resources continue to operate. For more information about how the appliance handles an unexpected shutdown, and what you can do to recover, see: How the appliance handles an unexpected shutdown (page 232) What to do when an appliance restarts (page 232) For information about how to shut down or restart the appliance, see: Shut down the appliance (page 231) estart the appliance (page 231) UI screens and EST API resources UI screen Settings EST API resource appliance/shutdown oles Tasks Minimum required privileges: Infrastructure administrator The appliance online help provides information about using the UI or the EST APIs to: Shut down the appliance (Minimum required privileges: Infrastructure administrator) estart the appliance. (Minimum required privileges: Infrastructure administrator) Best practices for managing a VM appliance HP recommends the following guidelines for managing your VM appliance from the virtual console: 230 Managing the appliance

231 Table 17 Best practices for managing a VMware vsphere virtual machine Do Use thick provisioning. Use shares and reservations to ensure adequate CPU performance. Do not Use thin provisioning. Update the VMware tools. If VMware Tools show Out of Date or Unmanaged, they are running correctly. These status messages are not a problem, because the tools are available and running. VMware tools are updated with each HP OneView software update. evert to a VM snapshot (unless under specific circumstances, as instructed by your authorized support representative). Set the Synchronize guest time with host option in the vsphere client when the HP OneView appliance is configured to use NTP. HP OneView automatically sets the appropriate Synchronize guest time with host setting during network configuration. When HP OneView is configured to use NTP servers, the Synchronize guest time with host option is disabled. If HP OneView is not configured to use NTP servers, it synchronizes to the host VM clock and the Synchronize guest time with host option is enabled. In this case, configure the VM host to use NTP. educe the amount of memory assigned to the VM. Table 18 Best practices for managing a Hyper-V virtual machine Do Use fixed size. Do not Update integration services. evert to a VM checkpoint (unless under specific circumstances, as instructed by your authorized support representative). educe the amount of memory assigned to the VM Shut down the appliance Use this procedure to perform a graceful shutdown of the appliance. Prerequisites Minimum required privileges: Infrastructure administrator. Ensure that all tasks have been completed or stopped, and that all other users are logged off. Shutting down the appliance 1. From the Settings screen, select Actions Shut down. A dialog box opens to inform you that all users will be logged out and ongoing tasks will be canceled. 2. Select Yes, shut down in the dialog box estart the appliance Use this procedure to perform a graceful shutdown and restart of the appliance. You are returned to the login screen. Prerequisites Minimum required privileges: Infrastructure administrator. Ensure that all tasks have been completed or stopped, and that all other users are logged off Managing appliance availability 231

232 estarting the appliance 1. From the Settings screen, select Actions estart. A dialog box opens to inform you that all users will be logged out and ongoing tasks will be canceled. 2. Select Yes, restart in the dialog box. 3. Log in when the login screen reappears How the appliance handles an unexpected shutdown The appliance has features to enable it to automatically recover from an unexpected shutdown, and managed resources continue to operate while the appliance is offline. However, HP recommends that you use the appliance backup features to ensure that the appliance is backed up daily, and when you make significant configuration changes, such as adding or deleting a network. Appliance recovery operations When the appliance restarts, it performs the following operations: Detects tasks that were in progress and resumes those tasks, if it is safe to do so. If the appliance cannot complete a task, it notifies you that the task has been interrupted or is in some other error state. Attempts to detect differences between the current environment and the environment at the time the appliance shut down, and then refreshes its database with the detected changes. If you determine that the appliance data does not match the current environment, you can request that the appliance refresh the data for certain resources, such as enclosures. Appliance recovery during a firmware update of a managed resource If the appliance shuts down during a firmware update of a managed resource, when the appliance restarts, it detects the failed update and marks the firmware update tasks as being in an error state. To update the firmware for this resource, you must re-initiate the firmware update task. What to do when an appliance restarts The online help provides information about using the user interface or the EST APIs to: Check for critical alerts or failed tasks and follow the provided resolution instructions Manually refresh a resource if the resource information displayed appears to be incorrect or inconsistent Create a support dump (recommended for unexpected crashes to help support personnel to troubleshoot a problem) Update firmware for a resource, if a firmware update task was in progress when the appliance shut down Managing the appliance settings Appliance settings include the network settings, the clock settings, and the SNMP settings for your appliance in the data center. If the appliance has not yet been configured when you log in, you are instructed to configure the appliance network. You can change appliance network settings at any time after they are configured. You manage the appliance network configuration from the Settings screen or by using the EST APIs. The Settings screen enables you to manage various system-wide settings and tasks. Use the Settings Actions menu to access various appliance and security tasks, including downloading audit logs. 232 Managing the appliance

233 UI screens and EST API resources UI screen Settings EST API resource appliance/network-interfaces, appliance/device-read-community-string, and appliance/trap-destinations oles Minimum required privileges: Infrastructure administrator Tasks for appliance settings The appliance online help provides information about using the UI or the EST APIs to: Change the appliance host name, IP address, subnet or CID mask, or gateway address. Change the DNS server IP address. Set and synchronize the appliance clock. Set the SNMP read community string and add SNMP trap destinations Enabling health monitoring for legacy servers Network management systems use SNMP (Simple Network Management Protocol) to monitor network-attached devices. The appliance uses SNMP to retrieve information from managed devices. The devices use SNMP to send asynchronous notifications (called traps) to the appliance. You specify a read community string that serves as a credential to verify access to the SNMP data on the managed devices. The appliance sends the read community string to enclosures (through their OAs) and to the servers (though their ilo management processors). Some older devices require manual host OS configuration. Install SNMP OS host agents for HP ProLiant server blades For the appliance to monitor the health of HP ProLiant G6 and HP ProLiant G7 server blades, you need to configure the SNMP settings for the server and ilo3. 1. Install the host operating system on the server. 2. Install the SNMP subsystem on the server. 3. Configure SNMP on the host to use the community string and trap destination of the appliance. 4. Using the latest SPP, install the HP management agent set and associated drivers. You will be prompted for the SNMP community string and the trap destination. 5. After the HP management agent set and associated drivers are installed and running, add the HP ProLiant G6 and HP ProLiant G7 server blade to the appliance. If you install the agents and drivers after adding the G7 server blade, you might have to refresh the G7 server blade from the user interface or with EST APIs. NOTE: If you change the appliance read community string, you must reconfigure all HP ProLiant G6 and HP ProLiant G7 server blade SNMP OS host agents to use the new read community string. The appliance cannot propagate this update to the host OS Learning more Planning the appliance configuration (page 95) Managing appliance availability (page 230) Managing the security features of the appliance (page 234) 30.3 Managing the appliance settings 233

234 30.4 Managing addresses and ID pools A default set of virtual ID pools for MAC addresses, WWNs, and serial numbers are provided at startup. If you need additional addresses or identifiers, you can add autogenerated or custom ranges of ID pools. You manage the ID pools from the UI Settings screen or by using the EST APIs. UI screens and EST API resources UI screen Settings EST API resource id-pools oles Minimum required privileges: Infrastructure administrator Tasks for addresses and identifiers The appliance online help provides information about using the UI or the EST APIs to: View a list of active ID pools and their properties. Add an autogenerated ID pool for MAC addresses, WWNs, or serial numbers. Add a custom ID pool range for MAC addresses, WWNs, or serial numbers Managing the security features of the appliance To learn about the security features of the appliance, see Understanding the security features of the appliance (page 53) Enabling or disabling HP support access to the appliance This product contains a technical feature that will allow an on-site authorized support representative to access your system, through the system console, to assess problems that you have reported. This access will be controlled by a password generated by HP that will only be provided to the authorized support representative. You can disable access at any time while the system is running. UI screens and EST API resources UI screen Settings EST API resource appliance/settings oles Tasks Minimum required privileges: Infrastructure administrator The appliance online help provides information to enable or disable HP support access from either the Settings screen or the EST APIs Managing TLS certificates A Transport Layer Security (TLS) certificate certifies the identity of the appliance. The certificate is required by the underlying HTTP server to establish a secure (encrypted) communications channel with the client web browser. 234 Managing the appliance

235 You manage certificates from the Settings screen or by using the appliance settings EST APIs. UI screens and EST API resources UI screen Settings EST API resource certificates oles Tasks Minimum required privileges for all tasks except as noted: Infrastructure administrator The appliance online help provides information about using the UI or the EST APIs to: Create a self-signed certificate. Create a certificate signing request. Import a certificate. View the TLS certificate settings (Minimum required privileges: Infrastructure administrator, Backup administrator, or ead only) Learning more See Understanding the security features of the appliance (page 53) Managing the HP public key oles Tasks The HP public key verifies that: HP created its software packages (PMs) and updates. The code was not modified after it was signed. Minimum required privileges: Infrastructure administrator The appliance online help provides information about managing public keys from the Settings screen or by using the EST APIs to: Acquire and install the HP public key. View the HP public key Downloading audit logs The audit log helps the security administrator understand what security-related actions took place. You can gather log files and other information that your authorized support representative needs so that they can diagnose and troubleshoot an appliance. UI screens and EST API resources UI screen Settings EST API resource audit-logs 30.8 Managing the HP public key 235

236 oles Tasks Minimum required privileges: Infrastructure administrator The appliance online help provides information how to download the audit logs from the Settings screen or by using the EST APIs Learning more Understanding the audit log (page 57) Choosing a policy for the audit log (page 58) 236 Managing the appliance

237 Part V Monitoring The chapters in this part describe using the appliance to monitor your data center. You use the information in this part after the appliance has been configured and the data center resources have been added to the appliance.

238 238

239 31 Monitoring data center status, health, and performance This chapter describes the recommended best practices for monitoring data center status, health, and performance using HP OneView Daily monitoring As part of the daily monitoring of your data center, it is important to be able to quickly scan the appliance-managed resources to assess the overall health of your data center. By reviewing the UI screens, you are able to rapidly analyze the state and condition of your data center Initial check: the Dashboard The Dashboard provides an at-a-glance visual health summary of the appliance resources you are authorized to view. The Dashboard can display a health summary of the following: Server Profiles Server Hardware Enclosures Logical Interconnects Storage Pools Volumes Appliance alerts The status of each resource is indicated by an icon: OK ( ), Warning ( ), or Critical ( ). You can link to the resource screens in the UI for more information by clicking on the status icons displayed for each resource. To learn more about the Dashboard screen, see Using the Dashboard screen (page 248) Activities The Activity screen provides a log of health and status notifications. The appliance verifies the current activity of resources in your environment, and posts alerts to the Activity screen and to the associated resource screens for you to review. The Activity screen is also a database of all tasks that have been run, either synchronously or asynchronously, and initiated by the user or system. It is similar to an audit log, but provides more detail and is easily accessed from the UI Utilization graphs For certain resources, the appliance collects CPU, power, and temperature utilization statistics from management processors (the ilo, Onboard Administrator, and ipdu). Utilization graphs enable you to understand recent utilization statistics relative to available capacity, see utilization trends over time, and see historical utilization over time. Hover over the utilization area in the UI to display tool tips. The Enclosures screen The Server Hardware screen The Power Delivery Devices screen View historical metrics of power consumption (average, peak, and power cap) and temperature. View historical metrics of CPU utilization/cpu frequency, power consumption (average, peak, and power cap), and temperature. View historical metrics of power consumption (average and peak and previous 5 minutes, previous 24 hours) Daily monitoring 239

240 The acks screen The Interconnects screen The Storage systems screen View historical metrics of power consumption (average, peak, and power cap) and temperature. View uplink port statistics of the bit transfer rates (transmitted and received). View capacity amount of storage in tebibyte (TiB) of space. To learn more about utilization graphs, see Monitoring power and temperature (page 251) Monitor data center temperature The appliance provides detailed monitoring data that you can use to determine the power and cooling capabilities of the devices in your data center. The overall cooling in your data center might be sufficient; however, there might be areas that are insufficiently cooled due to conditions such as poor airflow, concentration of excessive heat output, or wrap-around airflow at the ends of aisles. To easily identify temperature issues and look for thermal hotspots in all areas in your data center, use the 3D visualization features provided by the Data Centers UI screen. To learn more about temperature, see Monitoring power and temperature (page 251) Best practices for monitoring data centers The following are recommended best practices for using HP OneView appliance to ensure the health of the managed components in your data center environment Best practices for monitoring health with the appliance UI HP recommends the following best practices to monitor the health of the managed resources in your environment. NOTE: The status represented for all HP OneView resources represents the status for that single resource and does not represent the roll-up status of sub-components. For example, the status for an enclosure does not aggregate status for all server blades and servers, but rather just the status of the enclosure (Onboard Administrator, fans, and power supplies). General health monitoring steps Monitoring step 1. Navigate to the Activity screen and filter activities, using the filtering options that work best for the situation. You can also start from the Dashboard screen to see alerts for specific resources. 2. Navigate to a specific resource screen to view the specific activities for that resource. On the resource screen, verify the state of the resource instances via health status icons. 3. Investigate each resource instance with a warning or error status. elated information About Activity (page 243) Using the Dashboard screen (page 248) Icon descriptions (page 71) 4. Expand critical and warning alerts to see their full descriptions, and click Event details to view additional information about the event(s) that caused the alert. 5. Follow the instructions in the recommended resolution (if any) or research the alert to correct the problem. 240 Monitoring data center status, health, and performance

241 Server hardware health monitoring For server hardware with a Critical or Warning status, the associated server profile might be in failed state, so you need to verify it as well. Monitoring step 1. Expand the server hardware alert to see more information. You can view alerts from the Server Hardware screen, Activity screen, or the Dashboard screen. elated information See the UI help for Server Hardware and About Activity (page 243). 2. Follow the instructions in the recommended resolution (if any) or research the alert to correct the problem. 3. Ensure the server profile was properly assigned to the server hardware. See the UI help for Server Profiles. Network health monitoring To monitor the current health of a network, navigate to the Interconnects and Logical Interconnects resources to view recent activity, alerts and notifications, and current health status. For interconnects, a healthy state is Configured For logical interconnects, a healthy state for stacking is edundantly Connected Monitoring step 1. View the activities and states for logical interconnects. View the health of Downlink ports and Uplink ports on the Interconnects screen. View the Stacking mode of the interconnects on the Logical Interconnects screen. 2. Follow the instructions in the recommended resolution (if any) or research the alert to correct the problem. elated information See the UI help for Interconnects and Logical Interconnects. About Activity (page 243) Best practices for monitoring health using EST APIs To ensure the health of the managed components in your data center environment, follow these best practices. Overall health monitoring Server hardware health monitoring Network health monitoring Overall health monitoring Monitoring step Filter alerts based on severity or date to view current health issues. GET /rest/alerts?filter="severity='unknown, OK, WANING, CITICAL'"&filter="created='YYYY-MM-DDThh:mm:ss.sssZ'" NOTE: The DISABLED severity is not applicable to alerts. See the EST API scripting online help for more information about alerts. Get alerts for a specific physical resource type, such as server hardware. GET /rest/alerts?filter="physicalesourcetype='physical_server'" See the EST API scripting online help for more information about server hardware Best practices for monitoring data centers 241

242 Monitoring step View the originating event(s) that caused a specific alert. 1. Select an alert. GET /rest/alerts/ 2. Get a specific alert using the alert ID. GET /rest/alerts/id 3. Get the associated event(s). GET /rest/events/id Fix the problem. Use the recommended fix (perform a GET operation on the specific alert resource and view the correctiveaction attribute), or research the alert. Server hardware health monitoring A server or servers turn to a warning or critical status when something is not correct within the appliance. If a server profile has been applied to a failed server, the server profile will also be in a failed status. Monitoring step Use details from the alert to fix the problem. When available, attempt the recommended fix first. In some cases, additional research of the alert might be needed to best determine the fix. GET /rest/alerts?filter="physicalesourcetype='physical_servers'"&filter="severity='waning, CITICAL'" See the EST API scripting online help for more information on alerts. Make sure that server profiles are appropriately assigned to the server hardware. See the EST API scripting online help for more information on server profiles. Network health monitoring To determine the current health of a network or networks on the appliance, view alerts for interconnects and logical interconnects to verify the correct connections. To list alerts, you can perform a GET operation on alerts and filter for alerts related to interconnects. To list states, you can perform a GET operation on interconnects and logical interconnects and filter for an OK state. 242 Monitoring data center status, health, and performance

243 Monitoring step View alerts for interconnects. 1. Select an interconnect alert. GET /rest/alerts?filter="physicalesourcetype='interconnect'"&filter="severity='waning, CITICAL'" 2. Get a specific alert using the alert ID. GET /rest/alerts/id See the EST API chapter in the online help for more information on interconnects. Filter for logical interconnects with unhealthy stacking. 1. Get unhealthy logical interconnect. GET /rest/logical-interconnects?filter="stackinghealth='unknown, Disconnected'" 2. View specific unhealthy interconnect using the interconnect ID. GET /rest/logical-interconnects/id See the EST API chapter in the online help for more information on logical interconnects. Use information provided in the alert to fix the problem. Use the recommended fix if there is one, or research the alert. See the EST API scripting online help for more information on alerts Managing activities The appliance online help provides information about using the UI or the EST APIs to: View activities for a resource. Filter activities by health, status, or date. Assign an owner to an alert. Add a note to an alert. Clear an alert. estore a cleared activity to the active state About Activity The Activity screen lists alerts and other notifications about appliance activity and events occurring in your data center. You can filter, sort, and expand areas of the screen to refine how information is displayed. Links within activity details also enable you to view additional information about specific resources, especially if the notification is reporting an event that requires immediate attention. See the following topics for more information about alerts and tasks that can appear on the Activity screen: Activity types: alerts and tasks (page 244) Activity states (page 246) Activity statuses (page 246) About the Activity sidebar (page 68) Activity screen components The image shown here illustrates the important areas on the screen that you can use to monitor, resolve, and manage activity Managing activities 243

244 HP OneView Search? Activity All All types All statuses All states All time All owners eset 2 Actions v 6 Name Worst case power consumption for the power delivery device Lab N32 ack [4,2] PDU A is 7,676 Watts which exceeds its capacity by 3,683 Watts esource Date State Owner 7 Lab N32 ack [4,2] PDU A Power Delivery Devices Nov 20 12:35 pm Active unassigned v 3 X esolution Verify that the capacity of 3,9993 Watts is specified correctly. Change the system configuration or apply a power cap to prevent the attached devices from exceeding the capacity. 5 Notes Write a note Health category Power 4 Event details corrective Action 1 By default, the Activity screen shows All alerts, tasks, and events that have occurred. To quickly filter the default activity list to display the notifications that require your attention, click the icon to switch from All to Needs attention. Use the filters and date range selectors on the Filters menu bar to pinpoint the type of activity you want to see. To expand choices for any filtering selector on the filter banner, click the icon next to each filtering selector 2 Use the Actions menu to assign, clear, or restore selected notifications. 3 To assign an alert or other notification to a specific user, select a name listed in the Owner column of each notification. 4 When a notification is expanded, click the Event details link to view more details about this notification, which is where you might find specific corrective action for an activity that requires your attention. 5 Start typing in the note box to add instructions or other information to a notification. TIP: You can click and drag the lower right corner of the note box to expand the box for better viewing or easier editing. 6 Click the icon to expand the view of a notification to see all information about it. Click the icon to collapse the notification into a single-line summary. 7 If a notification is reporting a status other than OK (green), click the link to view details about the resource that generated the notification Activity types: alerts and tasks About alerts The appliance uses alert messages to report issues with the resources it manages. The resources generate alerts to notify you that some meaningful event occurred and that an action might be required. An event describes a single problem or change that occurred on a resource. For example, an event might be an SNMP trap received from a server's Integrated Lights-Out (ilo) management processor. 244 Monitoring data center status, health, and performance

245 Each alert includes the following information about the event it reports: severity, state, description, and urgency. You can clear alerts, assign owners to alerts, and add notes to alerts. While alerts have an active or locked state, they contribute to a resource s overall displayed status. After you change their state to Cleared, they no longer affect the displayed status. IMPOTANT: The appliance keeps a running count of incoming alerts. At intervals of 500 alert messages, the appliance determines if the number of alerts has reached 75,000. When it does, an auto-cleanup occurs, which deletes alert messages until the total number is fewer than 74,200. When the auto-cleanup runs, it first removes the oldest cleared alerts. Then it deletes the oldest alerts by severity About tasks All user- or system-initiated tasks are reported as activities: User-initiated tasks are created when a user adds, creates, removes, updates, or deletes resources. Other tasks are created by processes running on the appliance, such as gathering utilization data for a server. The task log provides a valuable source of monitoring and troubleshooting information that you can use to resolve an issue. You can determine the type of task performed, whether the task was completed, when the task was completed, and who initiated the task. The types of tasks are: Task type User Appliance Background Description A user-initiated task, such as creating, editing, or removing an enclosure group or a network set An appliance-initiated task, such as updating utilization data A task performed in the background. This type of task is not displayed in the log. IMPOTANT: The appliance maintains a tasks database that holds information for approximately 6 months' worth of tasks or 50,000 tasks. If the tasks database exceeds 50,000 tasks, blocks of 500 tasks are deleted until the count is fewer than 50,000. Tasks older than 6 months are removed from the database. The tasks database and the stored alerts database are separate Managing activities 245

246 Activity states Activity Alert Task State Active Locked Cleared Completed unning Pending Interrupted Error Terminated Warning Description The alert has not been cleared or resolved. A resource s active alerts are considered in the resource s overall health status. Active alerts contribute to the alert count summary. An Active alert that was set (locked) by an internal resource manager. You cannot manually clear a Locked alert. Examine the corrective action associated with an alert to determine how to fix the problem. After the problem is fixed, the resource manager moves the alert to the Active state. At that time, you can clear or delete the alert. A resource s locked alerts contribute to its overall status. The alert was addressed, noted, or resolved. You clear an activity when it no longer needs to be tracked. The appliance clears certain activities automatically. Cleared activities do not affect the resource s health status and they are not counted in the displayed summaries. The task started and ran to completion. The task has started and is running, but has not yet completed. The task has not yet run. The task ran, but was interrupted. For example, it could be waiting for a resource A task failed or generated a Critical alert. Investigate Error states immediately. A task was gracefully shut down or cancelled. An event occurred that might require your attention. A warning can mean that something is not correct within the appliance. Investigate Warning states immediately Activity statuses Status Critical Warning OK Unknown Disabled Description A critical alert message was received, or a task failed or was interrupted. Investigate Critical status activities immediately. An event occurred that might require your attention. A warning can mean that something is not correct within the appliance and it needs your attention. Investigate Warning status activities immediately. For an alert, OK indicates normal behavior or information from a resource. For a task, OK indicates that it completed successfully. The status of the alert or task is unknown. The status of a task that is set to run at a later time is Unknown. A task was prevented from continuing or completing. 246 Monitoring data center status, health, and performance

247 31.4 Managing notifications The appliance online help provides information about using the UI to: Configure the appliance for notification of alerts. Add an recipient and filter. Edit an recipient and filter entry. Enable or disable an recipient and filter. Clear an alert. Delete an recipient and filter entry About notification of alert messages You can configure the appliance to send an message to notify you or others when an alert is generated. With this feature, when an alert is generated, it is compared against specified filter search criteria and, if it matches, the text of the alert message is sent as to previously specified recipients. The appliance provides for as many as 100 recipient and filter combinations, and there can be as many as 50 recipients in a single message. With this flexibility, you can fine-tune which alert messages are sent and to whom. For example, you can configure the appliance to send Warning alerts to one recipient and Critical alerts to another. Filters have the same syntax as the Smart Search box in the Activity screen, so you can copy and paste that information. The appliance sends the message in both plain text and HTML MIME types, which allows the recipient s mail application to determine how they are displayed. You can enable or disable this notification feature, or you can enable or disable individual filter notifications, as required Configure the appliance for notification of alerts Use this procedure to configure the appliance for sending messages of alerts. Later, you can add, edit, or delete entries for recipients or filters. NOTE: notification filters can only be configured for alert messages. Prerequisites Minimum required privileges: Infrastructure administrator Configuring the appliance for notification of alerts 1. From the main menu, navigate to the Settings screen. 2. Locate the Notifications panel and click. 3. Supply the data requested in the panel of the Edit Notifications screen: NOTE: The SMTP server is automatically determined from the domain name in the address for the appliance. If you need to specify the SMTP settings, click SMTP options to supply them. 4. Proceed to add one or more entries Managing notifications 247

248 31.7 Using the Dashboard screen About the Dashboard Learning about the Dashboard The charts on the Dashboard provide a visual representation of the general health and status of the appliance and several managed resources in your data center. From the Dashboard, you can immediately see resources that need your attention. For direct access to resources needing your attention, click the resource name. Each time you log in to the appliance, the Dashboard is the first screen you see. Select Dashboard from the main menu any time you want to see the Dashboard charts. The Dashboard displays status of the most relevant resources that are associated with assigned user roles. If you are assigned multiple roles, such as Network and Storage roles, the default dashboard displays the combination of resources that each role would see on the dashboard. You can customize your Dashboard display by adding, deleting, and moving resource panels Dashboard screen details IMPOTANT: The Dashboard is blank the first time you log in to the appliance because you have not yet configured any resources. If this is the first time you are logging in to the appliance, see First time setup: configuration tasks (page 107) to define your data center environment and bring your infrastructure under appliance management. Hover your pointer over a chart slice to view the count of resource instances being represented by that slice. If you hover over a different slice in the same chart, the text and count displayed in the center of the chart changes. If you view the Dashboard on a narrow screen, the charts are arranged vertically for resources with multiple charts, and you can use the scroll bar to navigate to each chart. The Dashboard displays the following chart types: Chart type Status Servers with profiles Populated blade bays Description A Status chart summarizes health status. The number displayed next to the resource name indicates the total number of resource instances known to the appliance. To learn more, click the resource name to display the resource's main screen and view detailed health and status information. On a Status chart, a dark-gray chart slice indicates the number of resources that are not reporting information because they are either disabled or are not being managed by the appliance. To filter the view of a resource based on its status, click the status icon. To learn more about health status and severity icons, see Icon descriptions (page 71). The default view of the Servers with profiles chart reports the count of server hardware instances with server profiles assigned to them. If the chart is not solid blue, hover your pointer over the light-gray chart slice to see the count of servers without server profile assignments. The default view of the Populated blade bays chart reports the count of server hardware instances in all managed enclosure bays. If the chart is not solid blue, hover your pointer over the light-gray chart slice to see the count of empty enclosure bays. 248 Monitoring data center status, health, and performance

249 How to interpret the Dashboard charts Dashboard chart colors help you to quickly interpret the reported data. Table 19 Dashboard chart colors Color Green Yellow ed Blue Light gray Dark gray Indication A healthy status An event has occurred that might require your attention A critical condition requires your immediate attention The resource instances that match the data being measured (a solid blue chart indicates 100%) The resource instances that do not match the data being measured (used in combination with blue to total 100%) esource instances reporting status other than OK, Warning, or Critical, that is, they are Disabled or Unknown Status icons To assist you in identifying resources that are not in a healthy state, status icons indicate the number of resources with a status of OK ( ), Warning ( ), or Critical ( ). You can select a status icon to view the resource s main screen, with resource instances filtered by that status. If no resources are defined or if no resource instances are detected with a particular status (indicated by the number zero), the associated icon is nearly colorless (very pale gray). To learn how to interpret the data displayed on the charts, see the numbered descriptions that appear after the figure. Figure 16 Dashboard sample 31.7 Using the Dashboard screen 249

250 1 Click a resource name to view the resource s main screen for more information. The adjacent number identifies how many instances of that resource are being managed by the appliance. In this example, one enclosure has been added to the appliance, and it is in a healthy status. 2 When you hover your pointer over a dashboard panel, additional icons appear as shown on the Enclosures panel. The remove or delete (x) icon removes the panel from the dashboard. The move ( ) icon allows you to move the panel to a different position on the dashboard. For custom panels, the edit ( ) icon also appears, which allows you toedit a custom panel. 3 The sample chart for the Interconnects resource shows a total of six interconnects of which two are in a Critical state and the other four are reporting a healthy status. Click the Critical status icon to open the Interconnects screen to begin investigating the cause, perhaps from the resource Activity view or Map view. 4 On a Status chart, a dark-gray slice represents the count of resources that are not reporting status information because the resource is disabled or the status is not known. The sample chart for the Server Hardware resource shows a total of 14 instances of managed server hardware, of which 11 are either disabled or are unknown devices. Hover your pointer over the dark-gray chart slice to see a count of server hardware instances with a Disabled and Unknown status. 5 The icon enables you to customize your dashboard by adding custom or pre-defined panels. See Customizing the dashboard (page 250) to learn more about customizing panels. 6 The Ethernet Networks chart illustrates a customized panel where a user has defined the number of Ethernet networks assigned to that user. For more examples, see Customizing the dashboard (page 250). 7 The Storage Pools chart reports the state of storage pools that are being managed by the appliance, if any. See About storage pools (page 208) to learn more about storage pools. 8 The Appliance area summarizes important appliance-related alerts and notifications, typically about back up and licensing issues. Alerts related to other resources are not included here. If one appliance alert is detected, the alert text appears here. For multiple alerts, the number of alerts are shown, and you can click Appliance to go directly to the Activity screen for a filtered view of all appliance-related alerts. See About Activity (page 243) to learn more about alerts Customizing the dashboard You can customize the dashboard to show panels that interest you. You can select from a set of pre-defined panels such as Unassigned Alerts or Server Profiles. You can create or edit your own custom panel by selecting the data you want to view through the use of dashboard queries. You can rearrange or move panels on the dashboard to suit your needs. You can remove panels that do not interest you. IMPOTANT: Changes to the dashboard are associated with a user and the browser used to make the changes. Clearing your browser cache causes any changes that you made to be lost and returns you to the default dashboard. 250 Monitoring data center status, health, and performance

251 32 Monitoring power and temperature HP OneView enables you to monitor the power and temperature of your hardware environment. Power and temperature monitoring feature overview The appliance: Displays 3D color-coded hardware temperature visualization (UI only) Collects and reports power metric statistics Collects and reports temperature metric statistics Displays utilization statistics using customizable utilization graphs (UI only) Power and temperature monitoring features by resource Data Centers Color-coded temperature visualization of racks and the server hardware in them Enclosures and Server Hardware Alerts for degraded and critical temperature and power Proactive analysis and alerting for power configuration errors Utilization graphs for power and temperature statistics Power Delivery Devices Alerts on power thresholds Proactive analysis and alerting for power configuration errors Utilization graphs for power and temperature statistics acks Proactive analysis and alerting for power configuration errors Utilization graphs for power and temperature statistics 32.1 Monitoring power and temperature with the UI The Data Centers screen provides a 3D visualization of your hardware environment, and uses a color-coded system to display temperature data for your hardware. The Utilization panel and Utilization graphs display utilization power and temperature statistics via the Utilization view on the Enclosures, Interconnects (utilization graphs only), Power Delivery Devices, acks, and Server Hardware screens Monitoring data center temperature The Data Centers resource provides a visualization of the racks in your data center and displays their peak temperature using a color-coded system. To enable this, you must first specify the physical positions of your racks and the position of the components in them using the Data Centers resource. You can use temperature visualization to identify over-cooled areas of your data center. You can close vent tiles in areas that have low peak temperatures to increase airflow to areas that have insufficient cooling. If the entire data center is over-cooled, you can raise the temperature to save on cooling costs Monitoring power and temperature with the UI 251

252 Prerequisites Minimum required privileges: Server administrator. You have created a data center and positioned your racks in it. The placement of racks in your data center accurately depicts their physical locations. You have specified a thermal limit for your rack using the acks screen, if your policy dictates a limit (optional). Temperature collection and visualization details The visualization displays peak rack temperature using a color-coded system. The rack is colored based on the highest peak temperature (over the last 24 hours) of the device in the rack with the highest peak temperature recorded (of devices which support ambient temperature history reporting). Temperatures are determined using the temperature utilization data collected from each device. Background data collection occurs at least once a day, so the reported peak temperature for a rack will be within the past 48 hours. acks without an observed peak temperature with 48 hours are depicted without color coding (gray). Figure 17 3D data center visualization Manipulating the view of the data center visualization You can zoom in or zoom out and adjust the viewing angle of the data center from the Overview view or Layout view of the Data Centers screen. Prerequisites Minimum required privileges: Server administrator NOTE: The data center view controls do not appear in the Layout panel of the Overview view until you hover your pointer over the panel. 252 Monitoring power and temperature

253 Manipulating the view of the data center visualization To change the data center view, do one or more of the following: Move the horizontal slider left to zoom in and right to zoom out. Move the vertical slider up and down to change the vertical viewing angle. Click and drag the rotation dial to change the horizontal viewing angle Monitoring power and temperature utilization Utilization statistics for power and temperature are displayed on: The Utilization panel Utilization graphs in the Utilization view Power utilization metrics Temperature utilization metrics About the Utilization panel The Enclosures, Power Delivery Devices, acks, Server Hardware, and Storage Systems screens display a Utilization panel in the Overview for each resource. The possible states of the Utilization panel are: Panel contents Utilization meters display utilization data. A licensing message is displayed. no data is displayed. not set is displayed (a gray meter with hash marks). not supported is displayed. eason The appliance has collected data and it is being displayed. Server hardware without an ilo Advanced license will not display utilization data. The appliance has not collected data during the previous 24 hours. The meter might not be set for the following reasons: The page is loading and the data is not yet available. There is no utilization data prior to the most recent 5 minute collection period. There may be historic data in the utilization graphs. Enclosures will not display temperature data if none of the server blades are powered on. acks will not display data if there are no devices mounted on the rack and the rack thermal limit is not set. Utilization data gathering is not supported on the device. See the online help for Utilization for more information About utilization graphs and meters The appliance gathers and reports CPU, power consumption, temperature, and capacity data for certain resources via utilization graphs and utilization meters. NOTE: The minimum data collection interval is 5 minutes (averaged) and the maximum is one hour (averaged). Utilization graphs can display a range of data up to a maximum of three years Monitoring power and temperature with the UI 253

254 Table 20 Utilization statistics gathered by resource Utilization metric esource CPU Power Temperature Custom Capacity Enclosures acks Power Delivery Devices Server Hardware Storage Systems NOTE: You can use the Interconnects screen to view utilization graphs that display data transfer statistics for interconnect ports. See the online help for the Interconnects screen. Utilization statistics and licensing Utilization statistics and graphs are disabled for server hardware that does not have an ilo license assigned. See About licensing (page 149) to learn more. If utilization is disabled, the Utilization panel displays a message stating the reason it is disabled in the details pane for the unlicensed resource. Utilization graphs 1 Primary graph: The large primary utilization graph displays metric data (vertical axis) for your devices over an interval of time (horizontal axis) using a line to graph data points. 2 Horizontal axis: The horizontal axis on the primary utilization graph depicts the time interval for the data being displayed, with the most recent interval data on the right. The minimum time interval is two minutes and the maximum is five days. 3 Vertical axis: The vertical axis on the primary utilization graph depicts the interval for the metric displayed in the corresponding unit of measurement down the left side of the graph. 254 Monitoring power and temperature

255 The interval for each unit of measurement is fixed and cannot be changed. Graphs that display two metrics with different units of measurement have a second interval down the right side of the graph. The measurement value at the top of the graph represents the maximum utilization capacity for a given metric. 4 Navigation graph: The navigation graph below the primary graph displays the maximum time interval of available data. Use the navigation graph to select the time interval you want to display in the primary graph by highlighting the interval with your pointing device. See the online help for more information on creating a custom utilization graph and how to change the level of detail that the graph displays Power utilization metrics Power capacity is the calibrated maximum power that a device can consume. Use this data to determine how much power your facility is consuming and the resources that are consuming it. The appliance reports Alerts for devices that exceed their power capacity. Metric Average power Peak power Power cap Description The average amount of power the resource is consuming The peak amount of power consumed by the resource Most server hardware and enclosures support control of power consumption through a Dynamic Power Cap. When reporting power utilization, the appliance includes both average and peak power consumption as well as Dynamic Power Cap settings in its graphs. The appliance controls power caps through ilo or enclosure OA. esource Enclosures Server Hardware Description The power consumption or cooling limitation on the enclosure. When you set the Dynamic Power Cap on an enclosure, it keeps the power used by the enclosure under the cap by managing the power consumption of server hardware. To set power limits on an enclosure, select the Power thermal Power management menu item on the enclosure OA. The Dynamic Power Cap limits the enclosure power consumption based on a cooling limit that might be lower than the Derated circuit capacity. The Average power cannot exceed the Power cap or the Derated circuit capacity. The Peak power cannot exceed the ated circuit capacity. The limitation on power consumption enforced by the management processor, in watts Temperature utilization metrics Temperature utilization graphs display the ambient/inlet air temperature of your data center. The air temperature is detected by sensors embedded on the front of enclosures and other hardware devices. The operating threshold is 10 C to 35 C (50 F to 95 F). When the device reaches a threshold, it generates temperature alerts. The appliance displays these alerts in the notification banner and in the Activity sidebar. NOTE: The temperature is displayed in degrees Celsius or Fahrenheit, depending upon the locale setting of your browser Monitoring power and temperature with the UI 255

256 32.2 EST API power and temperature monitoring Update enclosure power capacity settings To update the enclosure capacity settings, perform a PUT operation that includes only the calibratedmaxpower attribute. View the enclosure capacity settings attributes by using a GET operation, edit the calibratedmaxpower attribute, and then perform a PUT operation that includes only the edited calibratedmaxpower attribute. Prerequisites Minimum required session ID privileges: Server administrator Updating enclosure capacity settings using EST APIs 1. Select an enclosure UI. GET /rest/enclosures 2. Get the enclosure capacity using the UI from step 1. GET enclosure UI/environmentalConfiguration 3. Edit the enclosure capacity. The only attribute to send in the response body is calibratedmaxpower. Do not send all attributes from the GET operation. 4. Update the enclosure capacity. PUT enclosure UI/environmentalConfiguration Update server hardware power capacity settings To update server hardware capacity settings, perform a PUT operation that includes only the calibratedmaxpower attribute. View server hardware capacity settings attributes by using a GET operation, edit the calibratedmaxpower attribute, and then perform a PUT operation that includes only the edited calibratedmaxpower attribute. Prerequisites Minimum required session ID privileges: Server administrator Updating server hardware capacity settings using EST APIs 1. Select a server hardware UI. GET /rest/server-hardware 2. Get the current server hardware capacity using the UI from step 1. GET server hardware UI/environmentalConfiguration 3. Edit the server hardware capacity. The only attribute to send in the response body is calibratedmaxpower. Do not send all attributes from the GET operation. 4. Update the server hardware capacity. PUT server hardware UI/environmentalConfiguration 256 Monitoring power and temperature

257 33 Using a message bus to send data to subscribers 33.1 About accessing HP OneView message buses HP OneView supports asynchronous messaging to notify subscribers of changes to managed resources both logical and physical and changes to metrics on managed resources. For example, you can program applications to receive notifications when new server hardware is added to the managed environment or when the health status of physical resources changes, and you can stream power, thermal and CPU metrics for managed resources. Using HP OneView EST APIs, you can obtain certificates to access the two message buses described in this chapter: the State-Change Message Bus or the Metric Streaming Message Bus. The message content is sent in JSON (JavaScript Object Notation) format and includes the resource model. Before you can set up subscription to messages, you must create and download an AMQP (Advanced Message Queuing Protocol ) certificate from the appliance using EST APIs. Next, you connect to the message bus using the EXTENAL authentication mechanism with or without specifying a user name and password. This ensures that you use certificate-based authentication between the message bus and your client. After connecting to the message bus, you set up a queue with the queue name empty, and AMQP generates a unique queue name. You use this queue name to bind your client to exchanges and receive messages. To connect to the message and set up a queue, you must use a client that supports the AMQP Using the State-Change Message Bus (SCMB) Connect to the SCMB Prerequisites Minimum required session ID privileges: Infrastructure administrator To use the SCMB, you must do the following tasks: Use EST APIs to create and download an Advanced Message Queuing Protocol (AMQP) certificate from the appliance. Connect to thescmb using one or both of these methods: Use the EXTENAL authentication mechanism Connect without sending a user name and password Using one of these methods ensures that certificate-based authentication is used. Set up a queue with an empty queue name. AMQP generates a unique queue name. You use this queue name to bind to exchanges and receive messages About accessing HP OneView message buses 257

258 Create and download the AMQP client certificate Creating and downloading the client certificate, private key, and root CA certificate 1. Create the certificate. POST /rest/certificates/client/rabbitmq equest body: "type":"abbitmqclientcertv2","commonname":"default" 2. Download the certificate and private key. GET /rest/certificates/client/rabbitmq/keypair/default 3. Download the root CA certificate. GET /rest/certificates/ca 4. After you connect the client to the SCMB, you can Set up a queue to connect to the HP OneView SCMB exchange (page 258) Figure 18 Connecting the client to the SCMB 1 The SCMB consumer requests a client certificate as part of the registration process. 2 The appliance manages the client certificates in a JVK (Java KeyStore) file. 3 The appliance issues a client certificate to the SCMB consumer. 5 The appliance can revoke the SCMB client certificate to deny access to the SCMB 4 The SCMB client provides an client. The client is managed SSL client certificate to into a CL (Certificate create a connection with the evocation List) file. appliance. 6 The appliance authenticates the SCMB client using the client certificate Set up a queue to connect to the HP OneView SCMB exchange The state change messages are published to the HP OneView SCMB exchange name. To subscribe to messages, you must create a queue or connect to an existing queue that receives messages from the SCMB exchange based on a routing key. When you create a queue, you define the routing key associated with the queue to receive specific messages. 258 Using a message bus to send data to subscribers

259 NOTE: The routing key is case sensitive. The change-type requires an initial capital letter. The resource-category and resource-uri are lower-case. For example, if you set the change-type in the routing key to created instead of Created, you do not receive any messages. The routing key syntax is: scmb.resource-category.change-type.resource-uri where: scmb resource-category change-type resource-uri The HP OneView exchange name. The category of resource. For a complete list of resources, see the HP OneView EST API eference chapter in the online help. The type of change that is reported. Valid values are Created, Updated, and Deleted. The UI of the specific resource associated with the state-change message. NOTE: The task resources routing key syntax is scmb.resource-category and does not use change-type and resource-uri. To receive messages about all task resources: scmb.# scmb.tasks Sample queues Subscription eceive all SCMB messages for physical servers eceive all messages for created connections eceive all messages for the enclosure with the UI /rest/enclosures/enc1234 eceive all created messages (for all resource categories and types) Example scmb.server-hardware.# NOTE: To match everything after a specific point in the routing key, use the # character. This example uses # in place of resource-uri. The message queue receives all server-hardware resource UIs. scmb.connections.created.# scmb.enclosures.*./rest/enclosures/enc1234 NOTE: To match everything for an individual field in the routing key, use the asterisk (*). This example uses * in place of change-type. The message queue receives all change types: Created, Updated, and Deleted. scmb.*.created.# JSON structure of message received from the SCMB The following table lists the attributes included in the JSON payload of each message from the SCMB. The resource model for the HP OneView resource is included in the resource attribute. To view all resource models, see the HP OneView EST API eference chapter in the online help. Attribute resourceuri changetype newstate etag Data type String String String String Description The UI for the resource. The state-change type: Created, Updated, or Deleted. For details, see ChangeType values (page 260). The new state of the resource. The ETag for the resource when the state change occurred Using the State-Change Message Bus (SCMB) 259

260 Attribute timestamp newsubstate resource associatedtask userinitiatedtask changedattributes data Data type String String Object String String Array Object Description The time the message was sent. If substate messages are required (for substate machines associated with a primary state), this is the resource-specific substate. The resource model. If a task is not associated with this message, the value is null. The value of the userinitiated attribute included in the associatedtask attribute. A list of top-level attributes that have changed based on the POST or PUT call that caused the state-change message to be sent. Additional information about the resource state change. ChangeType values ChangeType value Created Updated Deleted Description The resource is created or is added to HP OneView. The resource state, attributes, or both are updated. The resource is permanently removed from HP OneView. Example 2 JSON example "resourceuri" : "/rest/enclosures/123xyz", "changetype" : "Created", "newstate" : "Managed", "etag" : "123456", "timestamp" : " T18:30:44Z", "newsubstate" : "null", "resource" : "category" : "enclosures", "created" : " T18:30:00Z",..., "associatedtask" : "/rest/tasks/4321", "userinitiatedtask" : "true", "changedattributes" : [], "data" :, Example to connect and subscribe to SCMB using.net C# Prerequisites In addition to completing the prerequisites, you must complete the example-specific prerequisites before using the.net C# examples. To use the.net C# examples, add the following to the Windows certificate store: CA root certificate. Client certificate Private key To try the.net C# examples, do the following: 260 Using a message bus to send data to subscribers

261 1. Download the root CA certificate. GET /rest/certificates/ca 2. Save the contents in the response body into a text file named rootca.crt. You must copy and paste everything from -----BEGIN CETIFICATE----- to -----END CETIFICATE-----, including the dashes, but not including the quotes. 3. Import the rootca.crt file into the Windows certificate store under Trusted oot Certification Authorities. 4. Download the client certificate and private key. GET /rest/certificates/client/rabbitmq/keypair/default 5. Save the contents of the client certificate and private key in the response body into a text file named scmb.crt. You must copy and paste everything from -----BEGIN CETIFICATE----- to -----END CETIFICATE----- for the client certificate. Next, copy and paste everything from -----BEGIN SA PIVATE KEY----- to -----END SA PIVATE KEY----- for the private key. You must include the dashes, but do not include the quotes Using the State-Change Message Bus (SCMB) 261

262 Example 3 Using.Net C# to directly reference client certificate Convert the client certificate and private key to PKCS format for.net. openssl.exe pkcs12 -passout pass:default -export -in scmb.crt -out scmb.p12 Example public void Connect() string exchangename = "scmb"; string hostname = "OneView.domain"; string queuename = ""; string routingkey = "scmb.#"; ; ConnectionFactory factory = new ConnectionFactory(); factory.authmechanisms = new abbitmq.client.authmechanismfactory[] new ExternalMechanismFactory() factory.hostname = hostname; factory.port = 5671; factory.ssl.certpath factory.ssl.certpassphrase = "default"; factory.ssl.servername = hostname; factory.ssl.enabled = true; IConnection connection = factory.createconnection(); IModel model = connection.createmodel(); queuename = model.queuedeclare(queuename, false, false, false, null); model.queuebind(queuename, exchangename, routingkey, null); using (Subscription sub = new Subscription(model, queuename)) foreach (BasicDeliverEventArgs ev in sub) DoSomethingWithMessage(ev); sub.ack(); Example 4 Using.Net C# to import certificate to Microsoft Windows certificate store Import the scmb.crt into your preferred Windows certificate store. Example public void Connect() string exchangename = "scmb"; string hostname = "OneView.domain"; string queuename = ""; string routingkey = "scmb.#"; string username = "rabbitmq_readonly"; X509Store store = new X509Store(StoreName.oot, StoreLocation.LocalMachine); store.open(openflags.eadwrite); X509Certificate cert = store.certificates.find(x509findtype.findbysubjectname, username, false).oftype<x509certificate>().first(); ; ConnectionFactory factory = new ConnectionFactory(); factory.authmechanisms = new abbitmq.client.authmechanismfactory[] new ExternalMechanismFactory() factory.hostname = hostname; factory.port = 5671; factory.ssl.certs = new X509CertificateCollection(new X509Certificate[] cert ); factory.ssl.servername = hostname; factory.ssl.enabled = true; IConnection connection = factory.createconnection(); IModel model = connection.createmodel(); queuename = model.queuedeclare(queuename, false, false, false, null); model.queuebind(queuename, exchangename, routingkey, null); using (Subscription sub = new Subscription(model, queuename)) foreach (BasicDeliverEventArgs ev in sub) DoSomethingWithMessage(ev); sub.ack(); 262 Using a message bus to send data to subscribers

263 NOTE:.Net C# code example 2 (Microsoft Windows certificate store) is referencing the Trusted oot Certificate Authorities store, located under Local Computer. StoreName.oot = Trusted oot Certificate Authorities StortLocation.LocalMachine = Local Computer Example to connect and subscribe to SCMB using Java 1. Download the client certificate and private key. GET /rest/certificates/client/rabbitmq/keypair/default 2. Save the contents of the client certificate in the response body into a text file named default-client.crt. You must copy and paste everything from -----BEGIN CETIFICATE----- to -----END CETIFICATE-----, including the dashes, but not including the quotes. 3. Save the contents of the private key in the response body into a text file named default-client.key. You must copy and paste everything from -----BEGIN SA PIVATE KEY----- to -----END SA PIVATE KEY-----, including the dashes, but not including the quotes. 4. Create a PKCS12 keystore from the private key and the public certificate. openssl pkcs12 -export -name myclientcert -in default-client.crt -inkey default-client.key -out myclient.p12 5. Convert the PKCS12 keystore into a JKS keystore. keytool -importkeystore -destkeystore c:\\mykeystore -srckeystore myclient.p12 -srcstoretype pkcs12 -alias myclient 33.2 Using the State-Change Message Bus (SCMB) 263

264 Example 5 Example to connect and subscribe to SCMB using Java //c://mykeystore contains client certificate and private key. Load it into Java Keystore final char[] keypassphrase = "MyKeyStorePassword".toCharArray(); final KeyStore ks = KeyStore.getInstance("jks"); ks.load(new FileInputStream("c://MyKeyStore"), keypassphrase); final KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); kmf.init(ks, keypassphrase); //c://mytruststore contains CA certificate. Load it into Java Trust Store final char[] trustpassphrase = "MyTrustStorePassword".toCharArray(); final KeyStore ks = KeyStore.getInstance("jks"); tks.load(new FileInputStream("c:\\MyTrustStore"), trustpassphrase); final TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); tmf.init(tks); //load SSLContext with keystore and truststore. final SSLContext c = SSLContext.getInstance("SSL"); c.init(kmf.getkeymanagers(), tmf.gettrustmanagers(), new Secureandom()); final ConnectionFactory factory = new ConnectionFactory(); factory.sethost(" "); //Set Auth mechanism to "EXTENAL" so that commonname of the client certificate is mapped to AMQP user name. Hence, No need to set userid/password here. factory.setsaslconfig(defaultsaslconfig.extenal); factory.setport(5671); factory.usesslprotocol(c); final Connection conn = factory.newconnection(); final Channel channel = conn.createchannel(); //do not specify queue name. AMQP will create a queue with random name starting with amq.gen* e.g. amq.gen-32sfqz95qj85k_lmbhu6ha final DeclareOk queue = channel.queuedeclare("", true, false, true, null); //Now get the queue name from above call and bind it to required Exchange with required routing key. channel.queuebind(queue.getqueue(), "scmb", "scmb.#"); //Now you should be able to receive messages from queue final Getesponse chesponse = channel.basicget(queue.getqueue(), false); if (chesponse == null) System.out.println("No message retrieved"); else final byte[] body = chesponse.getbody(); System.out.println("eceived: " + new String(body)); channel.close(); conn.close(); Examples to connect and subscribe to SCMB using Python The Python code examples show how to connect and subscribe to the SCMB. For more information about Python (Pika AMQP client library and AMQP client library), see and Installation 1. Install the pika and amqp libraries. a. Download and install the setuptools (Python setup.py install) at pypi/setuptools#downloads. b. Install the pika tools. When you install the pika or amqp libraries, run the same python setup.py install command from the downloaded pika or amqp directory. 2. Create the certificate. POST /rest/certificates/client/rabbitmq equest body: "type":"abbitmqclientcertv2","commonname":"default" 3. Download the client certificate and private key. GET /rest/certificates/client/rabbitmq/keypair/default 264 Using a message bus to send data to subscribers

265 Pika 4. Save the contents of the client certificate in the response body into a text file named client.pem. You must copy and paste everything from -----BEGIN CETIFICATE----- to -----END CETIFICATE-----, including the dashes, but not including the quotes. You must replace all instances of \n with C/LF (carriage return / line feed). 5. Save the contents of the private key in the response body into a text file named key.pem. You must copy and paste everything from -----BEGIN SA PIVATE KEY----- to -----END SA PIVATE KEY-----, including the dashes, but not including the quotes. You must replace all instances of \n with C/LF (carriage return / line feed). 6. Download the root CA certificate. GET /rest/certificates/ca 7. Save the contents in the response body into a text file named caroot.pem. You must copy and paste everything from -----BEGIN CETIFICATE----- to -----END CETIFICATE-----, including the dashes, but not including the quotes. You must replace all instances of \n with C/LF (carriage return / line feed). Example 6 Pika example When you invoke the script, you must pass host:hostname or IP. See the following examples: --host: host:my-appliance.example.com IMPOTANT: If the connection fails on the first attempt to invoke this script after an appliance reboot, try invoking the script again. import pika, ssl from optparse import OptionParser from pika.credentials import ExternalCredentials import json import logging logging.basicconfig() ############################################### # Callback function that handles messages def callback(ch, method, properties, body): msg = json.loads(body) timestamp = msg['timestamp'] resourceuri = msg['resourceuri'] resource = msg['resource'] changetype = msg['changetype'] print print ("%s: Message received:" %(timestamp)) print ("outing Key: %s" %(method.routing_key)) print ("Change Type: %s" %(changetype)) print ("esource UI: %s" %(resourceuri)) print ("esource: %s" %(resource)) # Pem Files needed, be sure to replace the \n returned from the APIs with C/LF # caroot.pem - the CA oot certificate - GET /rest/certificates/ca # client.pem, first POST /rest/certificates/client/rabbitmq equest body: "type":"abbitmqclientcert","commonname":"default" # GET /rest/certificates/client/rabbitmq/keypair/default # client.pem is the key with -----BEGIN CETIFICATE----- # key.pem is the key with -----BEGIN SA PIVATE KEY----- # Setup our ssl options ssl_options = ("ca_certs": "caroot.pem", "certfile": "client.pem", "keyfile": "key.pem", "cert_reqs": ssl.cet_equied, "server_side": False) parser = OptionParser() parser.add_option('--host', dest='host', 33.2 Using the State-Change Message Bus (SCMB) 265

266 ) help='pika server to connect to (default: %default)', default='localhost', options, args = parser.parse_args() # Connect to abbitmq host = options.host print ("Connecting to %s:5671, to change use --host hostname " %(host)) connection = pika.blockingconnection( pika.connectionparameters( host, 5671, credentials=externalcredentials(), ssl=true, ssl_options=ssl_options)) # Create and bind to queue EXCHANGE_NAME = "scmb" OUTING_KEY = "scmb.#" channel = connection.channel() result = channel.queue_declare() queue_name = result.method.queue channel.queue_bind(exchange=exchange_name, queue=queue_name, routing_key=outing_key) channel.basic_consume(callback, queue=queue_name, no_ack=true) # Start listening for messages channel.start_consuming() AMQP Example 7 AMQP example When you invoke the script, you must pass host:hostname or IP. See the following examples: --host: host:my-appliance.example.com IMPOTANT: If the connection fails on the first attempt to invoke this script after an appliance reboot, try invoking the script again. #!/usr/bin/env python from optparse import OptionParser from functools import partial import amqplib.client_0_8 as amqp def callback(channel, msg): for key, val in msg.properties.items(): print ('%s: %s' % (key, str(val))) for key, val in msg.delivery_info.items(): print ('> %s: %s' % (key, str(val))) print ('') print (msg.body) print (' ') print msg.delivery_tag channel.basic_ack(msg.delivery_tag) # # Cancel this callback # if msg.body == 'quit': channel.basic_cancel(msg.consumer_tag) def main(): parser = OptionParser() parser.add_option('--host', dest='host', help='amqp server to connect to (default: %default)', default='localhost', ) options, args = parser.parse_args() host = options.host+":5671" # Pem Files needed, be sure to replace the \n returned from the APIs with C/LF # caroot.pem - the CA oot certificate - GET /rest/certificates/ca # client.pem, first POST /rest/certificates/client/rabbitmq equest body: "type":"abbitmqclientcert","commonname":"default" 266 Using a message bus to send data to subscribers

267 # GET /rest/certificates/client/rabbitmq/keypair/default # client.pem is the key with -----BEGIN CETIFICATE----- # key.pem is the key with -----BEGIN SA PIVATE KEY----- ssl_options = ("ca_certs": "caroot.pem", "certfile": "client.pem", "keyfile": "key.pem", # "cert_reqs": CET_EQUIED, "server_side": False) print ('Connecting to host %s, to change use --host hostname ' %host) conn = amqp.connection(host, login_method='extenal', ssl=ssl_options) print ('Successfully connected, creating and binding to queue') ch = conn.channel() qname, _, _ = ch.queue_declare() ch.queue_bind(qname, 'scmb', 'scmb.#') ch.basic_consume(qname, callback=partial(callback, ch)) print ('Successfully bound to queue, waiting for messages') #pyamqp:// # # Loop as long as the channel has callbacks registered # while ch.callbacks: ch.wait() ch.close() conn.close() if name == ' main ': main() e-create the AMQP client certificate If you change the appliance name, you must re-create the AMQP client certificate. Prerequisites Minimum required session ID privileges: Infrastructure administrator e-creating and downloading the client certificate, private key, and root CA certificate 1. evoke the certificate. DELETE /rest/certificates/ca/rabbitmq_readonly equest body is not required. NOTE: When you revoke the default client certificate, the appliance re-generates the CA certificate, AMQP server certificate, and the default client certificate. 2. Download the certificate and private key. GET /rest/certificates/client/rabbitmq/keypair/default 3. Download the root CA certificate. GET /rest/certificates/ca 33.3 Using the Metric Streaming Message Bus (MSMB) The Metric Streaming Message Bus (MSMB) is an interface that uses asynchronous messaging to notify subscribers about the most recent metrics of the managed resources. You can configure the interval and the metrics that you want to receive using the EST APIs Using the Metric Streaming Message Bus (MSMB) 267

268 Connect to the MSMB Prerequisites To use the MSMB, you must do the following tasks: Use EST APIs to create and download an Advanced Message Queuing Protocol (AMQP) certificate from the appliance. Connect to the MSMB using one or both of these methods: Use the EXTENAL authentication mechanism Connect without sending a user name and password Using one of these methods ensures that certificate-based authentication is used. Set up a queue with an empty queue name. AMQP generates a unique queue name. You use this queue name to bind to exchanges and receive messages. Create and download the AMQP client certificate Creating and downloading the client certificate, private key, and root CA certificate 1. Create the certificate. POST /rest/certificates/client/rabbitmq equest body: "type":"abbitmqclientcertv2","commonname":"default" 2. Download the certificate and private key. GET /rest/certificates/client/rabbitmq/keypair/default 3. Download the root CA certificate. GET /rest/certificates/ca 4. After you connect the client to the MSMB, you can Set up a queue to connect to the HP OneView MSMB exchange (page 269). Figure 19 Connecting the client to the MSMB 1 The MSMB consumer requests a client certificate as part of the registration process. 3 The appliance issues a client certificate to the MSMB consumer. 4 The MSMB client provides a SSL client certificate to 5 The appliance can revoke the MSMB client certificate to deny access to the MSMB client. The client is managed 268 Using a message bus to send data to subscribers

269 2 The appliance manages the client certificates in a JVK create a connection with the appliance. into a CL (Certificate evocation List) file. (Java KeyStore) file. 6 The appliance authenticates the MSMB client using the client certificate Set up a queue to connect to the HP OneView MSMB exchange The metric streaming messages are published to the HP OneView MSMB exchange name. To subscribe to messages, you must create a queue or connect to an existing queue that receives messages from the MSMB exchange based on a routing key. When you create a queue, you define the routing key associated with the queue to receive specific messages. Exchange Name: msmb outing Key: msmb.# where: msmb Sample queues The HP OneView exchange name for metric streaming. Subscription eceive all MSMB messages for physical servers, enclosures, and power devices Example The exchange is msmb The routing key is msmb.# Configure metric relay using Metric Streaming configuration API JSON structure of message received from the MSMB The following table lists the attributes included in the JSON payload of each message from the MSMB. The resource model for the HP OneView resource is included in the resource attribute. To view all resource models, see the HP OneView EST API eference chapter in the online help. Attribute resourceuri changetype newstate etag timestamp newsubstate resource associatedtask userinitiatedtask changedattributes data Data type String String String String String String MetricData String String Array Object Description The UI for the resource. The state-change type: Created, Updated, or Deleted. The new state of the resource. The ETag for the resource when the state change occurred. The time the message was sent. If substate messages are required (for substate machines associated with a primary state), this is the resource-specific substate. The resource model. If a task is not associated with this message, the value is null. The value of the userinitiated attribute included in the associatedtask attribute. A list of top-level attributes that have changed based on the POST or PUT call that caused the state-change message to be sent. Additional information about the resource state change Using the Metric Streaming Message Bus (MSMB) 269

270 MetricData Attribute starttime sampleintervalinseconds numberofsamples resourcetype resourcedatalist uri category created modified etag type Data type String Integer Integer String List String String Timestamp Timestamp String String Description The starting time of the metric collection. Interval between samples. Number of samples in the list for each metric type. Identifies the category of resource. The supported devices are server-hardware, enclosures, and power-devices. Metric sample list. Canonical UI of the resource. Identifies the category of resource. The supported devices are server-hardware, enclosures, and power-devices. Date and time when the resource was created. Date and time when the resource was last modified. Entity tag/version ID of the resource, the same value that is returned in the ETag header on a GET of the resource. Uniquely identifies the type of the JSON object. 270 Using a message bus to send data to subscribers

271 Example 8 Structure of message received from the MSMB "etag": null, "resourceuri": "/rest/enclosures/09sgh100x6j1", "changetype": "Updated", "newstate": null, "newsubstate": null, "associatedtask": null, "userinitiatedtask": false, "changedattributes": null, "data": null, "resource": "type": "MetricData", "resourcetype": "enclosures", "resourcedatalist": [ "metricsamplelist": [ "valuearray": [ null ], "name": "atedcapacity", "valuearray": [ 523 ], "name": "AveragePower", "valuearray": [ 573 ], "name": "PeakPower", "valuearray": [ null ], "name": "PowerCap", "valuearray": [ 23 ], "name": "AmbientTemperature", "valuearray": [ null ], "name": "DeratedCapacity" ], "resourceid": "09SGH100X6J1" ], "numberofsamples": 1, "sampleintervalinseconds": 300, "starttime": " T08:43:36.294Z", "etag": null, "modified": null, "created": null, "category": "enclosures", 33.3 Using the Metric Streaming Message Bus (MSMB) 271

272 "uri": "/rest/enclosures/09sgh100x6j1", "timestamp": " T08:48:36.819Z" Example to connect and subscribe to MSMB using.net C# Prerequisites In addition to completing the prerequisites, you must complete the example-specific prerequisites before using the.net C# examples. To use the.net C# examples, add the following to the Windows certificate store: CA root certificate. Client certificate Private key To try the.net C# examples, do the following: 1. Download the root CA certificate. GET /rest/certificates/ca 2. Save the contents in the response body into a text file named rootca.crt. You must copy and paste everything from -----BEGIN CETIFICATE----- to -----END CETIFICATE-----, including the dashes, but not including the quotes. 3. Import the rootca.crt file into the Windows certificate store under Trusted oot Certification Authorities. 4. Download the client certificate and private key. GET /rest/certificates/client/rabbitmq/keypair/default 5. Save the contents of the client certificate and private key in the response body into a text file named msmb.crt. You must copy and paste everything from -----BEGIN CETIFICATE----- to -----END CETIFICATE----- for the client certificate. Next, copy and paste everything from -----BEGIN SA PIVATE KEY----- to -----END SA PIVATE KEY----- for the private key. You must include the dashes, but do not include the quotes. 272 Using a message bus to send data to subscribers

273 Example 9 Using.Net C# to directly reference client certificate Convert the client certificate and private key to PKCS format for.net. openssl.exe pkcs12 -passout pass:default -export -in msmb.crt -out msmb.p12 Example public void Connect() string exchangename = "msmb"; string hostname = "OneView.domain"; string queuename = ""; string routingkey = "msmb.#"; ; ConnectionFactory factory = new ConnectionFactory(); factory.authmechanisms = new abbitmq.client.authmechanismfactory[] new ExternalMechanismFactory() factory.hostname = hostname; factory.port = 5671; factory.ssl.certpath factory.ssl.certpassphrase = "default"; factory.ssl.servername = hostname; factory.ssl.enabled = true; IConnection connection = factory.createconnection(); IModel model = connection.createmodel(); queuename = model.queuedeclare(queuename, false, false, false, null); model.queuebind(queuename, exchangename, routingkey, null); using (Subscription sub = new Subscription(model, queuename)) foreach (BasicDeliverEventArgs ev in sub) DoSomethingWithMessage(ev); sub.ack(); Example 10 Using.Net C# to import certificate to Microsoft Windows certificate store Import the msmb.crt into your preferred Windows certificate store. Example public void Connect() string exchangename = "msmb"; string hostname = "OneView.domain"; string queuename = ""; string routingkey = "msmb.#"; string username = "rabbitmq_readonly"; X509Store store = new X509Store(StoreName.oot, StoreLocation.LocalMachine); store.open(openflags.eadwrite); X509Certificate cert = store.certificates.find(x509findtype.findbysubjectname, username, false).oftype<x509certificate>().first(); ; ConnectionFactory factory = new ConnectionFactory(); factory.authmechanisms = new abbitmq.client.authmechanismfactory[] new ExternalMechanismFactory() factory.hostname = hostname; factory.port = 5671; factory.ssl.certs = new X509CertificateCollection(new X509Certificate[] cert ); factory.ssl.servername = hostname; factory.ssl.enabled = true; IConnection connection = factory.createconnection(); IModel model = connection.createmodel(); queuename = model.queuedeclare(queuename, false, false, false, null); model.queuebind(queuename, exchangename, routingkey, null); using (Subscription sub = new Subscription(model, queuename)) foreach (BasicDeliverEventArgs ev in sub) DoSomethingWithMessage(ev); sub.ack(); 33.3 Using the Metric Streaming Message Bus (MSMB) 273

274 NOTE: Using.Net C# to import certificate to Microsoft Windows certificate store references the Trusted oot Certificate Authorities store, located under Local Computer. StoreName.oot = Trusted oot Certificate Authorities StortLocation.LocalMachine = Local Computer Example to connect and subscribe to MSMB using Java 1. Download the client certificate and private key. GET /rest/certificates/client/rabbitmq/keypair/default 2. Save the contents of the client certificate in the response body into a text file named default-client.crt. You must copy and paste everything from -----BEGIN CETIFICATE----- to -----END CETIFICATE-----, including the dashes, but not including the quotes. 3. Save the contents of the private key in the response body into a text file named default-client.key. You must copy and paste everything from -----BEGIN SA PIVATE KEY----- to -----END SA PIVATE KEY-----, including the dashes, but not including the quotes. 4. Create a PKCS12 keystore from the private key and the public certificate. openssl pkcs12 -export -name myclientcert -in default-client.crt -inkey default-client.key -out myclient.p12 5. Convert the PKCS12 keystore into a JKS keystore. keytool -importkeystore -destkeystore c:\\mykeystore -srckeystore myclient.p12 -srcstoretype pkcs12 -alias myclient 274 Using a message bus to send data to subscribers

275 Example 11 Example to connect and subscribe to MSMB using Java //c://mykeystore contains client certificate and private key. Load it into Java Keystore final char[] keypassphrase = "MyKeyStorePassword".toCharArray(); final KeyStore ks = KeyStore.getInstance("jks"); ks.load(new FileInputStream("c://MyKeyStore"), keypassphrase); final KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); kmf.init(ks, keypassphrase); //c://mytruststore contains CA certificate. Load it into Java Trust Store final char[] trustpassphrase = "MyTrustStorePassword".toCharArray(); final KeyStore ks = KeyStore.getInstance("jks"); tks.load(new FileInputStream("c:\\MyTrustStore"), trustpassphrase); final TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); tmf.init(tks); //load SSLContext with keystore and truststore. final SSLContext c = SSLContext.getInstance("SSL"); c.init(kmf.getkeymanagers(), tmf.gettrustmanagers(), new Secureandom()); final ConnectionFactory factory = new ConnectionFactory(); factory.sethost(" "); //Set Auth mechanism to "EXTENAL" so that commonname of the client certificate is mapped to AMQP user name. Hence, No need to set userid/password here. factory.setsaslconfig(defaultsaslconfig.extenal); factory.setport(5671); factory.usesslprotocol(c); final Connection conn = factory.newconnection(); final Channel channel = conn.createchannel(); //do not specify queue name. AMQP will create a queue with random name starting with amq.gen* e.g. amq.gen-32sfqz95qj85k_lmbhu6ha final DeclareOk queue = channel.queuedeclare("", true, false, true, null); //Now get the queue name from above call and bind it to required Exchange with required routing key. channel.queuebind(queue.getqueue(), "msmb", "msmb.#"); //Now you should be able to receive messages from queue final Getesponse chesponse = channel.basicget(queue.getqueue(), false); if (chesponse == null) System.out.println("No message retrieved"); else final byte[] body = chesponse.getbody(); System.out.println("eceived: " + new String(body)); channel.close(); conn.close(); Examples to connect and subscribe to MSMB using Python The Python examples show how to connect and subscribe to the MSMB. For more information about Python (Pika AMQP client library and AMQP client library), see Introduction to Pika ( pika.readthedocs.org/, and AMQP Client Library ( pypi.python.org/pypi/amqplib/) Installation 1. Install the pika and amqp libraries. a. Download and install the setup tools (Python setup.py install) at pypi.python.org/pypi/setuptools#downloads. b. Install the pika tools. When you install the pika or amqp libraries, run the same python setup.py install command from the downloaded pika or amqp directory. 2. Create the certificate. POST /rest/certificates/client/rabbitmq equest body: "type":"abbitmqclientcertv2","commonname":"default" 33.3 Using the Metric Streaming Message Bus (MSMB) 275

276 Pika 3. Download the client certificate and private key. GET /rest/certificates/client/rabbitmq/keypair/default 4. Save the contents of the client certificate in the response body into a text file named client.pem. You must copy and paste everything from -----BEGIN CETIFICATE----- to -----END CETIFICATE-----, including the dashes, but not including the quotes. You must replace all instances of \n with C/LF (carriage return / line feed). 5. Save the contents of the private key in the response body into a text file named key.pem. You must copy and paste everything from -----BEGIN SA PIVATE KEY----- to -----END SA PIVATE KEY-----, including the dashes, but not including the quotes. You must replace all instances of \n with C/LF (carriage return / line feed). 6. Download the root CA certificate. GET /rest/certificates/ca 7. Save the contents in the response body into a text file named caroot.pem. You must copy and paste everything from -----BEGIN CETIFICATE----- to -----END CETIFICATE-----, including the dashes, but not including the quotes. You must replace all instances of \n with C/LF (carriage return / line feed). Example 12 Pika example When you invoke the script, you must pass host:hostname or IP. See the following examples: --host: host:my-appliance.example.com IMPOTANT: If the connection fails on the first attempt to invoke this script after an appliance reboot, try invoking the script again. import pika, ssl from optparse import OptionParser from pika.credentials import ExternalCredentials import json import logging logging.basicconfig() ############################################### # Callback function that handles messages def callback(ch, method, properties, body): msg = json.loads(body) timestamp = msg['timestamp'] resourceuri = msg['resourceuri'] resource = msg['resource'] changetype = msg['changetype'] print print ("%s: Message received:" %(timestamp)) print ("outing Key: %s" %(method.routing_key)) print ("Change Type: %s" %(changetype)) print ("esource UI: %s" %(resourceuri)) print ("esource: %s" %(resource)) # Pem Files needed, be sure to replace the \n returned from the APIs with C/LF # caroot.pem - the CA oot certificate - GET /rest/certificates/ca # client.pem, first POST /rest/certificates/client/rabbitmq equest body: "type":"abbitmqclientcert","commonname":"default" # GET /rest/certificates/client/rabbitmq/keypair/default # client.pem is the key with -----BEGIN CETIFICATE----- # key.pem is the key with -----BEGIN SA PIVATE KEY----- # Setup our ssl options ssl_options = ("ca_certs": "caroot.pem", "certfile": "client.pem", "keyfile": "key.pem", "cert_reqs": ssl.cet_equied, 276 Using a message bus to send data to subscribers

277 "server_side": False) parser = OptionParser() parser.add_option('--host', dest='host', help='pika server to connect to (default: %default)', default='localhost', ) options, args = parser.parse_args() # Connect to abbitmq host = options.host print ("Connecting to %s:5671, to change use --host hostname " %(host)) connection = pika.blockingconnection( pika.connectionparameters( host, 5671, credentials=externalcredentials(), ssl=true, ssl_options=ssl_options)) # Create and bind to queue EXCHANGE_NAME = "msmb" OUTING_KEY = "msmb.#" channel = connection.channel() result = channel.queue_declare() queue_name = result.method.queue channel.queue_bind(exchange=exchange_name, queue=queue_name, routing_key=outing_key) channel.basic_consume(callback, queue=queue_name, no_ack=true) # Start listening for messages channel.start_consuming() AMQP Example 13 AMQP example When you invoke the script, you must pass host:hostname or IP. See the following examples: --host: host:my-appliance.example.com IMPOTANT: If the connection fails on the first attempt to invoke this script after an appliance reboot, try invoking the script again. #!/usr/bin/env python from optparse import OptionParser from functools import partial import amqplib.client_0_8 as amqp def callback(channel, msg): for key, val in msg.properties.items(): print ('%s: %s' % (key, str(val))) for key, val in msg.delivery_info.items(): print ('> %s: %s' % (key, str(val))) print ('') print (msg.body) print (' ') print msg.delivery_tag channel.basic_ack(msg.delivery_tag) # # Cancel this callback # if msg.body == 'quit': channel.basic_cancel(msg.consumer_tag) def main(): parser = OptionParser() parser.add_option('--host', dest='host', help='amqp server to connect to (default: %default)', default='localhost', ) options, args = parser.parse_args() host = options.host+":5671" 33.3 Using the Metric Streaming Message Bus (MSMB) 277

278 # Pem Files needed, be sure to replace the \n returned from the APIs with C/LF # caroot.pem - the CA oot certificate - GET /rest/certificates/ca # client.pem, first POST /rest/certificates/client/rabbitmq equest body: "type":"abbitmqclientcert","commonname":"default" # GET /rest/certificates/client/rabbitmq/keypair/default # client.pem is the key with -----BEGIN CETIFICATE----- # key.pem is the key with -----BEGIN SA PIVATE KEY----- ssl_options = ("ca_certs": "caroot.pem", "certfile": "client.pem", "keyfile": "key.pem", # "cert_reqs": CET_EQUIED, "server_side": False) print ('Connecting to host %s, to change use --host hostname ' %host) conn = amqp.connection(host, login_method='extenal', ssl=ssl_options) print ('Successfully connected, creating and binding to queue') ch = conn.channel() qname, _, _ = ch.queue_declare() ch.queue_bind(qname, 'msmb', 'msmb.#') ch.basic_consume(qname, callback=partial(callback, ch)) print ('Successfully bound to queue, waiting for messages') #pyamqp:// # # Loop as long as the channel has callbacks registered # while ch.callbacks: ch.wait() ch.close() conn.close() if name == ' main ': main() e-create the AMQP client certificate If you change the appliance name, you must re-create the AMQP client certificate. NOTE: If the certificates are already created, you can skip this step. Prerequisites Minimum required session ID privileges: Infrastructure administrator e-creating and downloading the client certificate, private key, and root CA certificate 1. evoke the certificate. DELETE /rest/certificates/ca/rabbitmq_readonly equest body is not required. NOTE: When you revoke the default client certificate, the appliance re-generates the CA certificate, AMQP server certificate, and the default client certificate. 2. Download the certificate and private key. GET /rest/certificates/client/rabbitmq/keypair/default 3. Download the root CA certificate. GET /rest/certificates/ca 278 Using a message bus to send data to subscribers

279 34 Generating reports HP OneView offers predefined reports to help you manage your appliance and its environment. You can view the reports in the UI or generate them using EST API. You can also save the reports as a Microsoft Excel workbook (*.xlsx) or CSV MS-DOS (*.csv). UI screens and EST API resources UI screen eports EST API resource reports 34.1 oles Minimum required privileges: Infrastructure administrator (for local users report) 34.2 Tasks for reports The appliance online help provides information about using the UI or the EST APIs to: View a report. Save a report About available reports HP OneView offers reports to help you manage your appliance and its environment. Select a report, by name, from the left navigation column of the eports screen. The main pane of the screen describes the report chosen. It provides a bar chart, a donut chart, or both, and tabular data for more detailed information. Click anywhere on a bar or donut chart to view the resource screen. For example, clicking on a resource in a server report displays that resource in the Server Hardware screen oles 279

280 The following reports are available: eport Active alerts Enclosure Bay Inventory Enclosure Inventory Interconnect Inventory Description This report shows all alerts in an active or locked state. This report is useful in reviewing the most important issues to determine which need immediate attention. The donut chart shows the distribution of alerts based on the status. By clicking on a particular status on the chart (such as Critical), the Activity screen displays a filtered view of the alerts for that status. Alerts are summarized in a graph by status, and listed in a table showing for each alert: Status icon Severity Creation date Modification date Description Associated resource name Physical resource type Health category Corrective action Alert state The enclosure inventory report shows all the device bays, including those populated with blades and those that are empty, across all enclosures. This report also provides a summary of enclosure models. Status icon Name Model ack name Serial number Device bay number Device presence The enclosure inventory report shows all enclosures, summarized by model and firmware baseline. The tabular data shows the following information for each enclosure: Status icon Name Model ack name Serial number Part number Firmware baseline Onboard Administrator bay number IP address of the Onboard Administrator Interconnects are summarized by model based on interconnect type. For each interconnect in the enclosure, this report shows: Status icon Name Model State 280 Generating reports

281 eport Local users Server Firmware Inventory Server Inventory Server Profiles Inventory Description The Local users report only filters and shows the local users; it does not include the active directory users. The user roles and the number of local users with these roles is displayed in a graph. Click on a particular role to display the Users and Groups screen. The following additional user information is shown in the table: Name of user address The role for this user This server inventory report summarizes how many servers are on specific ilo or OM version. This report shows the following information for each server: Status icon Name Bay number Model Processor type Memory (in megabytes) OM firmware version ilo firmware version With this report, you can identify the ilo and OM firmware versions for each server to verify that the firmware is up to date. This server inventory report shows servers summarized by model, OM versions, ilo firmware version, processor type, memory, and status. The tabular data shows the following information for each server: Status icon Name Bay number Model number Processor type Memory (in megabytes) Serial number Mezzanine slot number Mezzanine card model OM firmware version ilo firmware version IP address of the ilo Part number This server inventory report shows specifically whether or not there are profiles applied on the available servers and, if so, the names of the server profiles. Servers are summarized by model and status of server hardware hosting server profiles. For each server, the tabular data shows: Status icon Name Bay number Model Profile State (profiles applied, not applied, or unmanaged) Profile Name 34.3 About available reports 281

282 282

283 35 Using data services Using EST APIs, you can collect metrics from devices managed by HP OneView and preserve that data remotely from the HP OneView appliance for viewing in other software tools. This gives you the flexibility to further analyze the data in meaningful ways About data services Using data services, you can make data available for offline analysis and troubleshooting. For information on supported data types, see the following sections on metric streaming and log forwarding About metric streaming The HP OneView EST APIs allow you to obtain information about what metrics are available for streaming from enclosures, physical servers, and power devices. Using this information, you can configure which metrics to relay using the Metric Streaming Message Bus (MSMB). To learn more about MSMB, see Using the Metric Streaming Message Bus (MSMB) (page 267). For example, you can extract the following data from managed server hardware to provide to subscribers: rated and derated power capacity, peak power, average power, and ambient temperature About log forwarding to a remote syslog server EST APIs can be used to configure the remote syslog destination. Once configured, the logs are streamed directly from the device using rsyslog EST API to enable metric streaming Metrics for managed resources can be streamed at a specified interval. /rest/metrics/capability /rest/metrics/configuration Table 21 ecommended metric frequency of relay for a maximum number of devices by device type Device type Max devices Frequency (sec) Max devices Frequency (sec) Max devices Frequency (sec) Max devices Frequency (sec) Max devices Frequency (sec) Enclosure Power-devices Server-hardware For example, the recommended configuration for 640 servers, 80 power devices, and 40 enclosures is as follows: "sourcetypelist": [ "frequencyofelayinseconds": 3600, "sampleintervalinseconds": 300, "sourcetype": "/rest/server-hardware", "frequencyofelayinseconds": 3600, "sampleintervalinseconds": 300, "sourcetype": "/rest/power-devices", 35.1 About data services 283

284 oles "frequencyofelayinseconds": 1800, "sampleintervalinseconds": 300, "sourcetype": "/rest/enclosures" ] Minimum required privileges: Infrastructure administrator Tasks for metrics EST API The appliance online help provides information about using the EST APIs to Fetch metric streaming capability Fetch metric streaming configuration Update metric streaming configuration NOTE: license. When configured, metrics are streamed only for servers with HP OneView Advanced 35.3 EST API to leverage remote system logs oles The remotesyslog EST API allows you to implement a remote system log server to receive and retain remote Syslog data and to configure the data relay. This EST API allows you to configure a remote syslog destination server and port. Once configured, all servers with HP OneView Advanced license and enclosures will forward the logs to this remote syslog server. /rest/logs/remotesyslog Minimum required privileges: Infrastructure administrator Tasks for remotesyslog EST API The appliance online help provides information about using the EST APIs to Fetch remotesyslog configuration Update remotesyslog configuration 284 Using data services

285 Part VI Troubleshooting The chapters in this part include information you can use when troubleshooting issues in your data center, and information about restoring the appliance from a backup file in the event of a catastrophic failure.

286 286

287 36 Troubleshooting HP OneView has a variety of troubleshooting tools you can use to resolve issues. By following a combined approach of examining screens and logs, you can obtain a history of activity and of the errors encountered along the way. For specific troubleshooting instructions, select a topic from the following list. Category Activity Appliance Appliance network setup Enclosures and enclosure groups Firmware bundles Interconnects Licensing Logical interconnects Networks Server hardware Server profiles Storage Switches User accounts and groups Learn more Basic troubleshooting techniques (page 287) Create a support dump file (page 289) Create a support dump for authorized technical support using EST API scripting (page 290) Using the virtual appliance console (page 379) Troubleshooting locale issues (page 291) 36.1 Basic troubleshooting techniques HP OneView has a variety of troubleshooting tools you can use to resolve issues. By following a combined approach of examining screens and logs, you can obtain a history of activity and the errors encountered. The Activity screen displays a log of all changes made on the appliance, whether user-initiated or appliance-initiated. It is similar to an audit log, but with finer detail and it is easier to access from the UI. The Activity screen also provides a log of health alerts and status notifications. Download an audit log to help an administrator understand what security relevant actions took place on the system Basic troubleshooting techniques 287

288 Create a support dump file to gather logs and other information required for debugging into an encrypted, compressed file that you can send to your authorized support representative for analysis. eview reports for interconnect, server, and enclosure status. eports can also provide inventory information and help you see the types of server models and processors in your data center. They can also show you what firmware needs to be updated. ecommendation Look for a message Examine the Activity screen Examine the appliance virtual machine Details About syntax errors: The user interface checks for syntax when you enter a value. If you make a syntax error, an instructional message appears next to the entry. The user interface or command line continues to display messages until you enter the correct value. About network setup errors: Before applying them, the appliance verifies key network parameters like the IP address and the fully qualified domain name (FQDN), to ensure that they have the proper format. After network settings are applied, the appliance performs additional validation, such as reachability checks and host name to IP lookup. If a parameter is incorrect, the appliance generates an alert that describes validation errors for the Network Interface Card (NIC), and the connection between the browser and the appliance can be lost. About reported serious errors: Check connectivity to the enclosure from the appliance. Create a support dump and contact your HP support representative. To find a message for an activity: NOTE: You might need to perform these steps from the virtual console. 1. Locate recent activities with a Critical or Warning status. 2. Expand the activity to see recommendations on how to resolve the error. 3. Follow the instructions. When VM host is down or nonresponsive: 1. From the local computer, use the ping command to determine if you can reach the appliance. If the ping command is successful, determine that the browser settings, especially the proxy server, are correct. Consider bypassing the proxy server. If the ping command did not reach the appliance, ensure that the appliance is connected to the network. 2. Log onto hypervisor to verify that the hypervisor is running. 3. Verify that the virtual guest for the appliance is operational. 4. Ensure that the VM host configuration is valid. Verify the accuracy of the IP address and other network parameters for the VM host. 5. Examine the hypervisor performance data. If the appliance is running at 100% utilization, restart the hypervisor. 288 Troubleshooting

289 36.2 About the support dump file Some error messages recommend that you create a support dump of the appliance and send it to an authorized support representative for analysis. The support dump process performs the following functions: Deletes any existing support dump file Gathers logs and other information required for debugging Creates a compressed file with a name in the following format: hostname-ci-timestamp.sdmp Unless you specify otherwise, all data in the support dump file is encrypted so that only an authorized support representative can access it. You can choose not to encrypt the support dump file if you have an onsite, authorized support representative or if your environment prohibits outside connections. You can also validate the contents of the support dump file and verify that it does not contain sensitive data such as passwords. IMPOTANT: If the appliance is in an error state, you can still create an encrypted support dump file without logging in or other authentication. The support dump file contains the following: Operating system logs (from /var/log) Product logs (from /ci/logs) The results of certain operating system and product-related commands Items logged in the support dump file are recorded according to UTC time. See also Create a support dump file (page 289) 36.3 Create a support dump file Prerequisites Minimum required privileges: Network administrator, Server administrator, Infrastructure administrator, Backup administrator, ead only NOTE: Only the Infrastructure administrator has the option of not encrypting a support dump file. When a user with a different role creates a support dump file, it is encrypted automatically. Creating a support dump file 1. From the main menu, select Settings Actions Create support dump. To include logical interconnect support dump information, select Logical Interconnects Actions Create support dump. The logical interconnect support dump file is incorporated into the appliance support dump file and the entire bundle of files is compressed into a zip file and encrypted for downloading. 2. If you are an Infrastructure administrator, choose whether or not to encrypt the support dump file: a. To encrypt the support dump file, confirm that the Enable support dump encryption check box is selected. b. To turn off encryption, clear the Enable support dump encryption check box. 3. Click Yes, create. You can continue doing other tasks while the support dump file is created About the support dump file 289

290 4. The support dump file is downloaded when this task is completed. If your browser settings specify a default download folder, the support dump file is placed in that folder. Otherwise, you are prompted to indicate where to download the file. 5. Contact your authorized support representative for instructions on how to transfer the support dump file to HP. For information on contacting HP, see How to contact HP (page 333). IMPOTANT: Unless you specify otherwise, the support dump file is encrypted so that only an authorized support representative can view its contents. Support dump files sent to HP are deleted after use, as the HP data retention policy requires. See also About the support dump file (page 289) Troubleshooting: Cannot create a support dump file 36.4 Create a support dump for authorized technical support using EST API scripting Some error messages recommend that you create a support dump of the appliance to send to an authorized support representative for analysis. The support dump process: Deletes any existing support dump file Gathers logs and other information required for debugging Creates a compressed file Unless you specify otherwise, all data in the support dump file is encrypted so that it is accessible only by an authorized support representative. You might choose not to encrypt the support dump file if you have an onsite, authorized support representative or if your environment prohibits outside connections. You can also validate the contents of the support dump file and verify that it does not contain sensitive data such as passwords. IMPOTANT: If the appliance is in an error state, you can still create an encrypted support dump file without logging in or other authentication. The support dump file contains the following: Operating system logs (from /var/log) Product logs (from /ci/logs) The results of certain operating system and product-related commands Items logged in the support dump file are recorded in UTC (Coordinated Universal Time). Prerequisites Minimum required session ID privileges: Infrastructure administrator Creating a support dump using EST APIs 1. Create support dump. POST /rest/appliance/support-dumps 2. Download the support dump file. GET /rest/appliance/support-dumps/file name 290 Troubleshooting

291 IMPOTANT: Unless you specify otherwise, the support dump file is encrypted so that only authorized support personnel can view its contents. In accordance with the HP data retention policy, support dump files sent to HP are deleted after use Troubleshooting locale issues Symptom Possible cause and recommendation Messages returned from EST API calls specifying Chinese (zh) or Japanese (ja) in the Accept-Language header are not displayed correctly 36.6 Troubleshooting activity When using a Microsoft Windows Command Prompt window to invoke EST APIs (either directly or via scripts run in the Command Prompt window), messages returned from EST API calls specifying Chinese (zh) or Japanese (ja) in the Accept-Language header are not displayed correctly. HP OneView returns messages using the UTF-8 encoding. This is not supported by current versions of the Command Prompt window 1. When using a Command Prompt window, set the EST API accept-language header to a locale that is supported by Command Prompt such as en-us. 2. edirect the output of the EST call to a text file and view the file using Windows tools such and Notepad which supports UTF Use other third-party tools available for Windows that support UTF-8. For example, users have reported that the Cygwin environment for Windows supports UTF-8. Use the following information to troubleshoot alerts that appear on the Activity screen Alerts do not behave as expected Symptom Alerts are not generated Alert is locked and cannot be cleared Alerts are not visible in the UI Possible cause and recommendation Appliance out of compliance The server hardware exceeds the number of licenses. 1. Apply a license to server hardware. 2. Apply the licenses to unlicensed server hardware. Locked alert was created by a resource 1. Expand the alert and follow the recommended action described in esolution. 2. If you need more information, expand the Event details and see the details for correctiveaction. 3. When the resource detects a change, it will automatically change the alert status to Cleared. Improper permission 1. If possible, log in as a privileged user. Otherwise, request that the Infrastructure administrator change your role so that you can see alerts for the physical resource type. 2. View the Activity screen. Alert status is other than Critical, Warning, OK, or Unknown Alert state is other than Active, Locked, or Cleared Blank or unexpected status reported for the alert 1. Clear the alert. 2. estore the alert. esource reported an unexpected alert state for an underlying problem 1. Expand the alert and follow the recommended action described in esolution. 2. If you need more information, expand the Event details and see the details for correctiveaction. 3. When the resource detects a change, it will automatically change the alert state to Cleared Troubleshooting locale issues 291

292 36.7 Troubleshooting the appliance Appliance performance Symptom Appliance performance is slow Possible causes and recommendations Follow these steps when the appliance performance is slow: 1. Ensure that the physical components satisfy the requirements described in the HP OneView Support Matrix. VM host with ProLiant G7-class CPUs or later VM with two 2 GHz or greater virtual CPUs 2. Ensure power management is not enabled. 3. Ensure the hypervisor is not overloaded. 4. Ensure the available storage is acceptable. 5. Ensure the host is not overloaded. Examine the virtual machine s performance data (performance counters). If the hypervisor host is running at 100% utilization. Consider: estarting the VM host Moving the appliance to a VM host with more resources, especially one that is not as busy Using reservations or shares on the hypervisor host 6. From the local computer, use the ping command to determine if the round-trip time of the ping is acceptable. Long times can indicate browser problems. 7. Determine that the browser settings are correct. Consider bypassing the proxy server. 8. Ensure the scale limits are not exceeded. See the HP OneView Support Matrix. 9. Create a support dump and contact your HP support representative Unexpected appliance shutdown Symptom Appliance crash Possible cause and recommendation Actions to take after a crash Unexpected shutdowns are rare. Check for critical alerts or failed tasks. Follow the resolution instructions, if provided. Manually refresh a resource (Actions efresh) if the resource information displayed appears to be incorrect or inconsistent. Create a support dump (Settings Actions Create support dump) for unexpected shutdowns to help your authorized support representative troubleshoot the problem Appliance update is unsuccessful Any blocking or warning conditions affecting the appliance update are displayed prior to the update operation. Symptom Update fails Possible cause and recommendation 1. Confirm you are not upgrading to the same version already installed. 2. Verify that all status indicators for LAN, CPU, and memory in the Appliance panel in the Settings screen are green before retrying the update. 3. Create a support dump and contact your HP support representative. 292 Troubleshooting

293 Cannot create a support dump file Symptom Support dump file not created Support dump file not saved Possible cause and recommendation Insufficient time elapsed 1. Wait. Creating a support dump file can take several minutes. If the log files are large or if the system is extensive, creating a support dump file can take even longer. 2. etry the create support dump action. Disk space was insufficient on the client side 1. Ensure that the local computer has enough disk space to accommodate the support dump file. The support dump file could require a maximum of 15GB of disk space. The actual amount depends on how long the appliance was running. 2. Verify the download has completed. You can easily miss notifications of automatic downloads if the browser settings are not set correctly. Examine the download progress bar in the Activity sidebar Certificate issues Symptom Unable to import a certificate Certificate revoked Invalid certificate chain Invalid certificate content Possible cause and recommendation Follow the recommendation to troubleshoot any of these certificate actions: Create a self-signed certificate Create a certificate signing request Import certificate You do not have proper authorization Minimum required privileges: Infrastructure administrator 1. Log in as the Infrastructure administrator. 2. Try the action again. Appliance lost connection with browser Minimum required privileges: Infrastructure administrator 1. Verify that the network is working properly. See Appliance cannot access the network (page 298) 2. Wait for the web server to restart, and then try the action again. Certificate is no longer valid Minimum required privileges: Infrastructure administrator 1. Create or acquire a new certificate for the appliance. 2. Generate a new signing request. Certificate chain in remote appliance was corrupted Minimum required privileges: Infrastructure administrator 1. Create or acquire a new certificate for the appliance. 2. Generate a new signing request. Certificate format is invalid Minimum required privileges: Infrastructure administrator 1. Create or acquire a new certificate with a valid format. 2. Import the new certificate Troubleshooting the appliance 293

294 Cannot create or download a backup file Symptom Backup file not created Cannot download backup file Duplicate GUIDs in the network and a server with settings from a previous profile Possible cause and recommendation Other related operations are in progress Only one backup file can be created at a time. A backup file cannot be created during the restore operation or while a previous backup file is being uploaded or downloaded. Minimum required privileges: Infrastructure administrator 1. Verify that another backup or restore operation is not running. Look for a progress bar in the Settings screen or a completion noted in the Activity sidebar. 2. Wait until the operation is complete. 3. If an alert appears, follow its resolution to a. etry the backup operation. b. If the backup operation fails, restart the appliance. c. un the backup operation again after restarting the appliance. The appliance network is down Minimum required privileges: Infrastructure administrator 1. Ensure that the network is correctly configured and performing as expected. A backup or restore operation is in progress A backup file cannot be uploaded or downloaded while a backup file creation or restore operation is in progress. Minimum required privileges: Infrastructure administrator 1. Ensure that another backup or restore operation is not running. They are indicated with a progress bar in the Settings screen. Insufficient time 1. Wait. Downloading a large backup file can take several minutes or more, depending on the complexity of the appliance configuration. A profile operation was running during the backup Minimum required privileges: Infrastructure administrator 1. Identify the server affected. 2. Unassign the profile from the server. 3. eassign the profile to the server. 4. Create a support dump file. 5. eport this issue to your authorized support representative. Error messages: 1. The operation was interrupted and 2. The configuration is inconsistent. A profile operation was running during the backup Minimum required privileges: Infrastructure administrator 1. Unassign the profile. 2. eassign the profile. 3. Create a support dump file. 4. Determine any factors (not related to HP OneView) that contributed to this condition, such as: Was the server moved? Was the server power turned off? 294 Troubleshooting

295 estore action was unsuccessful Symptom Cannot restore appliance from backup file Server hardware booting from wrong device or incorrect BIOS settings Possible cause and recommendation The backup file is incompatible Minimum required privileges: Infrastructure administrator 1. etry the restore operation with a recent backup file that fulfills this criteria: The appliance being restored has the same HP OneView major and minor version numbers as the appliance on which the backup file was created. The Settings screen displays the version number in this format: Version major.minor.nn-nnnnn month day year 2. econcile any discrepancies that the restore operation could not resolve automatically. An unrecoverable error occurred during the restore operation Minimum required privileges: Infrastructure administrator If an unrecoverable error occurs during the restore operation, you will have to re-create the appliance virtual machine from the virtual machine image supplied by HP. BIOS, firmware, and boot settings were changed after the backup and before the restore operation Minimum required privileges: Infrastructure administrator 1. Verify the BIOS firmware, and boot settings. 2. Unassign the profiles. 3. eassign each profile to its corresponding server. estore operation does not restore server profile Error messages: 1. The operation was interrupted and 2. The configuration is inconsistent. estore operation does not succeed or times out Minimum required privileges: Infrastructure administrator 1. Create a support dump file. 2. Do one of the following: a. etry the restore operation, specifying the most recent backup file. b. Try the restore operation with another backup file that is compatible with the appliance. 3. Verify that all the necessary actions were followed to put the profiles back in-line with the environment. If there is a profile still in an inconsistent state, there might be incorrect behavior in the data center. A profile operation was running during the backup Minimum required privileges: Infrastructure administrator 1. Unassign the profile. 2. eassign the profile. 3. Create a support dump file. 4. Determine any factors (not related to HP OneView) that contributed to this condition, such as: Was the server moved? Was the server power turned off? 36.7 Troubleshooting the appliance 295

296 Cannot restart or shut down appliance Symptom The appliance did not shut down Cannot restart the appliance after a shutdown Possible cause and recommendation Internal server error Minimum required privileges: Infrastructure administrator 1. Use the hypervisor to perform a graceful shutdown. 2. If the problem persists, create a support dump. 3. Contact your authorized support representative and provide them with the support dump. For information on contacting HP, see How to contact HP (page 333). Internal server error Minimum required privileges: Infrastructure administrator 1. etry the restart action from the hypervisor. 2. If the problem persists, create a support dump. 3. Contact your authorized support representative and provide them with the support dump. For information on contacting HP, see How to contact HP (page 333). 296 Troubleshooting

297 VM does not restart when the vsphere VM host time is manually set Symptom Possible cause and recommendation The appliance VM does not restart and the following error appears in the vsphere virtual console: The superblock last mount time is in the future UNEXPECTED INCONSISTENCY; UN fsck MANUALLY einstall the remote console The appliance is not using NTP and the VM host time was incorrectly set to a time in the past. eset the time settings on the VM host to the correct time, and then restart the VM appliance. For more information, see your vsphere documentation. If the appliance or VM host is configured as an NTP client, ensure that the NTP server is working correctly. NOTE: For recommended best practices for managing the appliance VM, see Best practices for managing a VM appliance (page 230). When running Firefox or Chrome on a Windows client, the first-time installation of the remote console prevents the installation dialog box from being displayed again. If you need to reinstall the console software, you must reset the installation dialog box. Symptom Installation dialog box is not displayed Possible cause and recommendation If you installed the ilo remote console software using one browser (Firefox or Chrome), but are using another browser, the dialog box that prompts you to install the software is displayed, even if the software is already installed. To reinstall the console, press the Shift key and select Actions Launch console. einstall the software 1. Click Install software and close all of the dialog boxes for installing the application. 2. Click My installation is complete Launch console to launch the console after it is installed Troubleshooting the appliance 297

298 36.8 Troubleshooting the appliance network setup First-time setup Symptoms Appliance cannot access network Appliance is configured correctly but cannot access network Possible causes and recommendations Appliance network settings are not properly configured Minimum required privileges: Infrastructure administrator 1. Access the appliance console. 2. Examine the alerts on the Activity screen to help diagnose the problem. 3. On the Settings screen, verify that the following entries are correct: Host name (if DNS is used, ensure that the appliance host name is a fully qualified domain name) IP address Subnet mask Gateway address 4. For manual DNS assignment, verify that there are no errors in the IP addresses you entered for the primary and secondary DNS servers. 5. Verify that your local router is working. 6. Verify that the network is up and running. External difficulties 1. Verify that your local router is working. 2. Verify that the network is up and running Appliance cannot access the network Symptom Appliance cannot access the network Possible cause and recommendation Appliance network was not properly configured Minimum required privileges: Infrastructure administrator 1. Verify that the IP address assignment is correct. 2. Verify that the DNS IP address is correct. 3. Verify that the DNS server is not behind a firewall. If it is, modify the firewall settings. 4. Verify that the DNS server is operational. 5. Verify the gateway address for your network. 6. Log in to the appliance console as root and correct the network settings Troubleshooting notifications Use the following information to troubleshoot alerts that appear on the Notifications panel of the Settings screen. 298 Troubleshooting

299 notification of alerts Symptom You cannot configure notification of alerts Possible cause and recommendation You do not have proper authorization Minimum required privileges: Infrastructure administrator 1. Log in to the appliance as the Infrastructure administrator. 2. Add or edit an recipient and filter entry. 3. Verify that you were able to add or edit the recipient and filter entry successfully. Unable to connect through sending address host name Invalid configuration parameter Minimum required privileges: Infrastructure administrator 1. Follow the procedure in Configure the appliance for notification of alerts (page 247) so that you can view the configuration parameters. 2. Correct any invalid configuration parameter. 3. Save the configuration. 4. Verify the configuration either with the ping command or by generating an alert. Appliance cannot access the network Minimum required privileges: Infrastructure administrator 1. Verify that the host name for the sending address is on the network with the ping command. 2. See Appliance cannot access the network (page 298) to resolve problems connecting with the network. Host name of sending address is not responding as an SMTP server Unable to deliver messages to some IDs Invalid configuration Minimum required privileges: Infrastructure administrator 1. Verify that the host name for the sending address is on the network with the ping command. 2. Verify the port number used is correct. 3. Follow the procedure in Configure the appliance for notification of alerts (page 247) so that you can view the configuration parameters. 4. Update the parameters as needed. 5. Save the configuration. 6. Verify the configuration with the telnet command. For example: telnet mail.example.com Verify also by monitoring notifications. ecipient is either not configured or configured incorrectly Minimum required privileges: Infrastructure administrator 1. Follow the procedure for editing an recipient in the online help so that you can view the recipient and filter entries. 2. Verify that the recipient is specified. Correct the entry as needed. 3. Verify that the address of each recipient is valid. Correct the entry as needed. 4. Verify by monitoring notifications. message blocked or treated as spam, junk 1. If the sending address host name and the recipient are in the same domain, examine the application of the recipient. Ensure that the application does not block the message and that it does not treat the message as spam or send it to a junk folder. 2. Verify by monitoring notifications Troubleshooting notifications 299

300 Symptom notifications not being received by all recipients Frequent, irrelevant messages Possible cause and recommendation notification is disabled Minimum required privileges: Infrastructure administrator 1. Log in to the appliance as the Infrastructure administrator. 2. Follow the procedure in Configure the appliance for notification of alerts (page 247) so that you can view the configuration parameters. 3. Ensure that notification feature is enabled. 4. Ensure that each recipient and filter entry is appropriately enabled or disabled. 5. Verify by monitoring notifications. ecipient is not configured Minimum required privileges: Infrastructure administrator 1. Log in to the appliance as the Infrastructure administrator. 2. Follow the procedure in Configure the appliance for notification of alerts (page 247) so that you can view the configuration parameters. 3. Verify that the recipient is specified and that their address is valid. 4. If the recipient is not specified, do one of the following, as appropriate: Include the recipient in the list of addresses for an existing filter by editing the recipient and filter entry. Add the recipient to a new filter. For information on these procedures, see the online help. 5. Verify by monitoring notifications. Invalid filter criteria Minimum required privileges: Infrastructure administrator 1. Follow the procedure for editing an recipient in the online help to view the filter entries. 2. Examine the alerts reported in the Activity screen and note the alerts you believe should have been captured by the filter. 3. eview the filter entries. Ensure that the filter is defined precisely and accurately. 4. Save the recipient and filter entry. 5. Verify the configuration by monitoring notifications. Invalid filter entry Minimum required privileges: Infrastructure administrator 1. Follow the procedure for editing an recipient in the online help to view the filter entries. 2. eview the filter entries: Ensure that there are no empty filter entries. When the filter entry is empty, an message is generated for any alert. Ensure that filter entries are unique. Otherwise, at least twice as many messages are sent. Be precise when specifying the filter criteria. Edit the filter entry so that it acts on only the alerts for which you want to be notified. 3. Save the recipient and filter entry. 4. Verify the configuration by monitoring notifications Troubleshooting enclosures and enclosure groups Add or remove enclosure is unsuccessful (page 301) Migration is unsuccessful (page 302) Add server blade is unsuccessful (page 303) Invalid OA certificate (page 303) 300 Troubleshooting

301 Add or remove enclosure is unsuccessful Symptom Unable to add an enclosure Unable to forcibly add an enclosure Possible cause and recommendation If adding an enclosure is not successful, a notification panel provides the reason why and provides a solution to the problem. Often, the resolution is to click the add link embedded in the message; the add action rediscovers all components and updates its knowledge of the enclosure. Enclosure is already being managed by some other management software and is claimed by that software 1. If a first-time enclosure add does not succeed, verify that the enclosures prerequisites listed in the online help are met. Verify that the data you entered on the screen is correct, and try the action again. 2. Follow the guidance in the notification panel for the corrective action you need to take to successfully add the enclosure. Failures can occur during the add action if all information about an enclosure, its server blades, or interconnect modules cannot be acquired. When this happens, an explanation of the problem and the component that caused the problem (the enclosure, a server blade, an interconnect) is provided in a notification panel. 3. To re-add an enclosure, click the add link in the notification message panel (if there is one), or start the add action again from the Add Enclosure screen, supplying the address and credentials for the enclosure's Onboard Administrator. To forcibly add the enclosure to the appliance, see the online help for enclosures. You forcibly added an enclosure but received an error message. This happens in cases where there is a VCMode set and HP Virtual Connect (VC) is managing the enclosure. 1. Manual clean-up of the configuration is needed, investigate the following items: The management UL might still point to the appliance. If so, it needs to be reset to point at the first interconnect in the enclosure. To fix this, use the following ssh commands to go into the Onboard Administrator (using administrator credentials) and change the management UL to point to the first active VC interconnect's IP address: clear vcmode restart interconnect N restart oa N Disassociates the enclosures from the appliance. (where N is the bay number of a VC interconnect) Performing this step for every VC interconnect in the enclosure causes the interconnect to revert to a default configuration. (where N is the bay number of the active Onboard Administrator) This causes the OA to obtain the management UL from the first VC interconnect. 2. After manual configuration, see the online help for adding enclosures. An existing enclosure is detected as being new after a midplane is replaced You replaced the enclosure midplane but did not follow the recommended procedure in the hardware documentation. ecommendation: e-add the enclosure Troubleshooting enclosures and enclosure groups 301

302 Symptom Unable to remove an enclosure Possible cause and recommendation You might be unable to remove an enclosure for the following reasons: Lack of communication with the hardware during the remove action can prevent the appliance from being able to properly manage the interconnect, server hardware, and enclosure settings. To forcibly remove an enclosure from the appliance due to lack of communication, see the online help for enclosures. The enclosure is not removed from the appliance. This is typically a problem on the appliance itself, and the best resolution is to follow instructions in the notification panels. The enclosure is removed but due to a communication failure, the configuration requires manual intervention to correct. If manual clean-up of the configuration is needed, investigate the following items: The management UL might still point to the appliance. If so, it needs to be reset to point at the first interconnect in the enclosure. To fix this, use the following ssh commands to go into the Onboard Administrator (using administrator credentials) and change the management UL to point to the first active VC interconnect's IP address: clear vcmode restart interconnect N restart oa N Disassociates the enclosures from the appliance. (where N is the bay number of a VC interconnect) Performing this step for every VC interconnect in the enclosure causes the interconnect to revert to a default configuration. (where N is the bay number of the active Onboard Administrator) This causes the OA to obtain the management UL from the first VC interconnect. The interconnects might still be claimed by the appliance. If this is the case, you have to remove the interconnects manually. Unable to unconfigure single sign -on (SSO) on the Onboard Administrator when adding or removing an enclosure esolution: emove all certificates and restart the OA (Onboard Administrator). 1. From the OA user interface, select Users/Authentication. 2. Select HP SSO integration, in the right pane. 3. Verify that Settings, Trust mode is set to Trust by Certificate. 4. Select the Certification Information tab and remove all HP SSO Certificates. 5. eboot the OA. 6. e-add the enclosure Migration is unsuccessful Symptom You see a message indicating HP OneView is unable to migrate the VCM enclosure Possible cause and recommendation Failures can occur during the add action if all information about an enclosure, its server blades, or interconnect modules cannot be acquired. When this happens, an explanation of the problem and the component that caused the problem (the enclosure, a server blade, an interconnect) is provided in the compatibility report. 1. eview each issue listed in the compatibility report and perform the corrective action. 2. etry the migration. 3. If the migration cannot be performed, revert back to Virtual Connect Manager. 4. emove all server profiles that were created during the migration. 5. emove the enclosure from the appliance 6. From the OA UI, reset the lowest bay flex-fabric module. 7. From the VC module, recover the VC configuration from the backup file. 302 Troubleshooting

303 Add server blade is unsuccessful Symptom Add server blade failed Possible cause and recommendation If a server blade previously associated with this profile is re-inserted in a different place (different bay or enclosure), a message appears. The edit link within the expanded message causes the new server blade location to be pre-populated in the edit profile dialog box location field when it is displayed. Same server blade, different bay 1. Manually move the server profile to a server blade in a different bay using the Edit Server Profile screen. If you come to this screen via the edit link the error message, it is automatically populated for the server hardware value, with the appropriate change indications at the bottom of the dialog box. 2. Click OK. Different server blade, same bay Server profiles are associated by UUID to a specific server blade. If the wrong server blade is inserted in the bay, a message is displayed, which you can clear by resolving the conflict. The Server Hardware hyperlink points to the new server blade s Server Hardware screen. Connections will still show a disabled status. The Server Hardware screen appears normal because it doesn t recognize it was ever associated with a server profile Invalid OA certificate Symptom Invalid certificate message is displayed Possible cause and recommendation The OA single sign-on certificate can be corrupted when the OA firmware is downgraded to a lower version and then is upgraded to a higher version. eset the OA: 1. From the OA UI, select security+hpsim SSO. 2. Delete the corrupted certificate, which is shown in yellow. 3. To re-install the original certificate, refresh the enclosure Troubleshooting firmware bundles Incorrect credentials Symptom The ilo user name or password is not valid Unable to get Onboard Administrator (OA) credentials Possible cause and recommendation Incorrect credentials for a server While attempting to update server firmware, the user name or password you supplied is not valid for a ilo management processor. To resolve the issue, enter the correct the credentials and add the enclosure again. OA credentials are unavailable While attempting to update firmware, the appliance was unable to get Onboard Administrator (OA) credentials for the enclosure. To resolve the issue, enter the correct credentials and add the enclosure again Troubleshooting firmware bundles 303

304 Lost ilo connectivity Symptom Connection error Possible cause and recommendation ecommendation 1. eset the server to restore network connectivity to the server's management processor 2. Update the firmware again HP SUM errors Symptom Possible cause and recommendation Unable to remove the firmware upgrade log files ecommendation 1. estart the appliance. 2. Update the firmware again. Unable to initiate the firmware update request Update the firmware again Failed firmware update on enclosure add When adding an enclosure, the OA or ilo firmware might fail to update to the minimum version due to network or power outages, or other issues. The device is listed in an Unmanaged state. Symptom OA firmware failed to update ilo firmware failed to update Possible cause and recommendation ecommendation 1. From the main menu, select Enclosures. 2. In the master pane, select the unmanaged enclosure. 3. Select Actions Update firmware. 4. Select an SPP for the Firmware baseline. 5. Select Enclosure for Update firmware for. 6. Click OK. 7. To verify that the activity is successful, check the activity for a green status in the Notifications area. If not, follow the proposed resolution listed under Details in the Notifications area. ecommendation 1. From the main menu, select Server Hardware. 2. In the master pane, select the unmanaged server hardware. 3. Select Actions Update ilo firmware. NOTE: You will only see "Update ilo firmware" if the ilo firmware is below the minimum required and the server hardware is listed in an Unmanaged Unsupported Firmware state. 4. Click OK. 5. To verify that the activity is successful, check the activity for a green status in the Notifications area. If not, follow the proposed resolution listed under Details in the Notifications area. 304 Troubleshooting

305 Failed firmware update on all devices in an enclosure When attempting to update firmware on all devices in an enclosure, the update process may fail on some servers. Symptom Unable to get the results from HP SUM Possible cause and recommendation TCP/IP Settings in the OA are not set to Auto-negotiate 1. In OA, select Enclosure Information Enclosure Settings Enclosure TCP/IP Settings. 2. Select the NIC Options tab. 3. Set the NIC Settings to Auto-negotiate. 4. In HP OneView, retry the firmware update process. a. From the main menu, select Enclosures. b. In the master pane, select the enclosure. c. Select Actions Update firmware. d. Select an SPP for the Firmware baseline. e. Select Enclosure + logical interconnect + server profiles for Update firmware for. f. Click OK. g. To verify that the activity is successful, check the activity for a green status in the Notifications area. If not, follow the proposed resolution listed under Details in the Notifications area Troubleshooting interconnects Interconnect edit is unsuccessful Symptom Notification that modifying an interconnect was unsuccessful Possible cause and recommendation If interconnect edit is unsuccessful: 1. Verify that the prerequisites listed in the online help are met. 2. Follow the instructions provided by any notification message. When the interconnect has been edited successfully, a notification will display in the banner at the top of the screen, and the desired port setting and port status will be displayed Interconnect modules are in Maintenance state Symptom Interconnect modules are in a Maintenance state Possible cause and recommendation There is an OA credential caching issue if interconnect modules report their state as Maintenance. If interconnect modules are in a Maintenance state: You have to re-add the enclosure. 1. From the main menu, select Enclosures Add. 2. Provide the enclosure information (IP/FQDN, Administrator account and password), and click the Add button. This will initiate rediscovery of the enclosure and its components Troubleshooting interconnects 305

306 Interconnect modules are in Unmanaged state Symptom Interconnect modules are in an Unmanaged state Possible cause and recommendation Interconnect bay has a mismatch with the expected type The logical interconnect group is expecting a different interconnect than what is in the enclosure. 1. emove the unexpected interconnect from the enclosure 2. Insert the expected interconnect into the enclosure. 3. Use the interconnect by updating the logical interconnect group. Interconnect has firmware installed which is less than the minimum supported baseline version For an HP Virtual Connect Fibre Channel interconnect: The enclosure contains an HP Virtual Connect Fibre Channel interconnect with IPv6 addresses and the interconnect firmware version is less than 4.10, the minimum supported baseline version. The enclosure contains only an HP Virtual Connect Fibre Channel interconnect by itself or with other HP Virtual Connect Fibre Channel interconnects and the interconnect firmware version is less than 4.10, the minimum supported baseline version. ecommendation If the interconnect firmware version is at or above the minimum to import (v3.15), you can update to the supported version after adding the interconnect. If interconnect firmware is below version 3.15, then follow these steps: 1. emove the enclosure from the Enclosures screen. 2. Update the interconnect firmware for HP Virtual Connect Fibre Channel interconnects as described in the online help. 3. Add the enclosure on the Enclosures screen. For an interconnect that is not an HP Virtual Connect Fibre Channel, update the interconnect firmware for the logical interconnect as described in the online help. See the HP OneView Support Matrix for the complete list of supported firmware versions. 306 Troubleshooting

307 eplace an HP Virtual Connect interconnect in a managed enclosure Symptom Interconnect failure Possible cause and recommendation Interconnect failed and must be replaced 1. Unplug all interconnect cables and remove the interconnect from the enclosure. 2. Insert the replacement interconnect, and then re-plug in all interconnect cables. 3. Log into the appliance. 4. From the main menu, select Logical Interconnects, and then select the logical interconnect that contains the replaced interconnect. 5. From the view menu, select Activity. An activity for the added interconnect appears in the activity list. If the interconnect firmware version is the same or greater than the supported minimum firmware version, the appliance automatically applies the logical interconnect group to the replaced interconnect and the interconnect is ready to use. If the interconnect firmware is less than the supported minimum firmware baseline, an alert is generated and you must update the firmware as shown in step 6. NOTE: To view the installed firmware, select Firmware from the view selector. 6. Update the firmware on the interconnects. For Fibre Channel interconnects, see below. For FlexFabric interconnects, go to step 7. NOTE: Fibre Channel interconnects with a firmware version that is below the HP OneView minimum version cannot be managed by HP OneView. You must remove the enclosure to update or delete the firmware outside of HP OneView. If the Fibre Channel interconnects are below the minimum version, remove the enclosure from HP OneView and update the Fibre Channel interconnects to the minimum version. Alternatively, remove the interconnects from the HP OneView managed enclosure and insert into an enclosure which is not managed by HP OneView and update the firmware to the minimum version. The minimum version requirements are listed in the HP OneView Support Matrix. a. Either remove the enclosure from HP OneView or physically remove the Fibre Channel interconnects and place them into an enclosure that is not currently being managed by HP OneView. b. Use the Onboard Administrator or the external DHCP server to assign an IPv4 address to the interconnect. c. Use HPSUM or the Virtual Connect Support Utility (VCSU) to update the firmware on the interconnect. d. Add the enclosure to HP OneView or return the Fibre Channel interconnects to an HP OneView-managed enclosure. e. Optional: If the Fibre Channel interconnects are intended to support an IPv6 address, use the Onboard Administrator or an external DHCP server to assign an IPv6 address to the interconnect. 7. See Updating firmware on an interconnect in the online help for firmware update information. Firmware update progress will be shown at the top of the Logical Interconnects screen. When the upgrade is finished, the appliance automatically applies the Logical interconnect group and the interconnect is ready to use Troubleshooting licenses estore a license key that has been erased from an enclosure OA If you perform a factory reset on an enclosure, any license embedded on the OA is erased, and you must manually retrieve and re-add the license key Troubleshooting licenses 307

308 NOTE: You need your entitlement certificate (physical or electronic document) to restore the license key. Symptom Possible cause and recommendation The license key embedded on the OA is not discovered when you add the enclosure The license key embedded on the OA has been erased 1. Go to the HP Licensing for Software Portal at to activate, register, and download your license key(s). 2. Add the key(s) to the appliance from the Settings screen The license assigned does not match the type specified Symptom Possible cause and recommendation Server hardware is assigned a license that is different from the one specified when it was added to the appliance The server hardware has an embedded license Embedded licenses override the license policy or type specified when the enclosure or rack server was added. Server hardware with an existing, permanent ilo Advanced license will be assigned an HP OneView Advanced w/o ilo license. A server that was previously managed by the appliance has been added again If a server was previously managed by the appliance and had an HP OneView Advanced license applied, it will be assigned that same license when it is added, regardless of the license type specified Licensing numbers appear to be inaccurate Symptom ecently added or assigned licenses are not reported in the licensing graphs Possible cause and recommendation The license graphs are not up to date You may need to refresh the Settings screen for the license graphs to display recent changes. The license graphs show a higher number of licensed server hardware than the current number of server hardware under management Cannot find license count for HP OneView Standard license Server hardware that has been assigned an HP OneView Advanced license has been removed from management When server hardware that has been assigned an HP OneView Advanced license is removed from management, the license remains assigned to it. This could cause the number of servers licensed to be higher than the number of licensed server hardware currently being managed. You can use the EST API to view the entire list of all servers assigned to licenses. The appliance does not display HP OneView Standard license counts You can however, obtain a count of server hardware licensed with a HP OneView Standard license: 1. From the Server Hardware screen, click in the Smart Search box and for Scope select Server Hardware. 2. In the Smart Search box, type state:monitored and press Enter. The master pane will display all monitored server hardware. All monitored server hardware is assigned a HP OneView Standard license. 308 Troubleshooting

309 Issues adding and applying licenses Symptom Could not add license or license key Possible cause and recommendation License key is blank, incorrect, or invalid Minimum required privileges: Infrastructure administrator 1. Verify the license key you entered. Do not try to add a license key for a product that supports ilo to one that does not. Likewise, do not apply a license key for a product that does not support ilo to one that does. 2. Provide proper values and make sure that the license key format is valid. NOTE: Invalid formats include the following: The ilo key portion of the HP OneView license key is omitted. Any portion of the 5 x 5-character ilo key is incorrect. A single-quote character (') is used instead of a double-quote character (") A double quote character is replaced with another special character, for example or an * character. There are extra spaces in the license key. The autopass portion of the license key is incorrect. 3. Try again. 4. If the problem persists, contact your authorized support representative. License key has expired Minimum required privileges: Infrastructure administrator 1. Acquire a valid, current license key. 2. Try again with the new license key. Invalid date and time setting for appliance Minimum required privileges: Infrastructure administrator 1. Confirm the date and time setting of the appliance. 2. Inspect the date and time when the license becomes active. Ensure that it is not too early to add the license. 3. If the problem persists, contact your authorized support representative Issues viewing licenses Symptom Could not view license details Possible cause and recommendation No license is assigned to the appliance Minimum required privileges: Infrastructure administrator 1. Assign the license. 2. View the license details again. Filter entry is blank or incorrect Minimum required privileges: Infrastructure administrator 1. Correct the filter criteria. 2. View the license details again Troubleshooting licenses 309

310 36.14 Troubleshooting logical interconnects I/O bay occupancy errors Symptom Change in interconnect state Possible cause and recommendation Interconnect state errors can be caused by: Interconnect missing from an IO bay (Interconnect state is Absent) Unsupported interconnect model found in an IO bay (Interconnect state is Unsupported) Unable to manage interconnect in IO bay due to unsupported firmware (Interconnect state is Unmanaged) Mismatch between the interconnect type and the type specified by logical interconnect group Mismatch of horizontally adjacent interconnect modules Uplink set warnings or errors Symptom Uplink set not operational Possible cause and recommendation Uplink set not operational due to: One or more uplinks are not in operation due to a bad cable, no cable, lack of transceiver, or invalid transceiver No networks assigned 1. Verify that the following prerequisites are met: At least one network is defined You have Network administrator privileges or equivalent to manage networks. 2. Verify that the data you entered on the Add Uplink Set screen is correct, and that the uplink set name is unique. 3. etry the operation Physical interconnect warnings or errors Symptom Interconnect-level warnings or errors Possible cause and recommendation Interconnect warnings or errors can be caused by: Downlink with a deployed connection is not operational Incorrect firmware version (different from firmware baseline version) Configuration error Hardware fault Lost communication Administratively disabled ports 310 Troubleshooting

311 Firmware update errors Symptom Firmware update fail entries shown in the Activity log Possible cause and recommendation Interconnect firmware errors can be caused by: estarting interconnect modules while a firmware update is in progress. Starting a firmware update while another firmware update is already in progress. An interconnect in the Logical Interconnect is not in a Configured state before starting the upgrade. HP OneView cannot communicate with the Onboard Administrator for the enclosure. ecommendations Do not restart interconnect modules while a firmware update is in progress. Check the Activity Log for more information about the root cause. 1. If staging firmware failed, check the Activity Log, correct the problem and restart the update. 2. If activating firmware failed, check the Activity Log, and then manually activate the firmware. Then confirm the VC interconnect firmware versions in HP OneView are the same versions shown in OA. Make sure that all interconnects in the Logical Interconnect are in the Configured state before starting the upgrade. If a firmware update persistently fails, see the online help to create a logical interconnect support dump file and contact your HP support representative Pause flood condition detected on a Flex-10 physical port Symptom All Flex-10 logical ports associated with physical ports are disabled Possible cause and recommendation When pause flood protection is enabled, this feature detects pause flood conditions on server downlink ports and disables the port. The port remains disabled until an administrative action is taken. The administrative action involves the following steps: 1. esolve the issue with the NIC on the server causing the continuous pause generation. This might include updating the NIC firmware and device drivers. ebooting the server might not clear the pause flood condition if the cause of the pause flood condition is in the NIC firmware. In this case, the server must be completely disconnected from the power source to reset the NIC firmware. 2. e-enable the disabled ports by resetting the pause flood protection. You can reset pause flood protection from the Actions menu on the Interconnects screen Troubleshooting networks Network create operation is unsuccessful Symptom Network creation is unsuccessful Possible cause and recommendation The network configuration is incorrect 1. Verify that: The network name is unique. The VLAN ID is appended to the network name when creating multiple tagged networks using a bulk operation. The number of networks does not exceed the maximum as indicated in the HP OneView Support Matrix. The number of private networks does not exceed the maximum as indicated in the HP OneView Support Matrix. 2. etry the create network operation Troubleshooting networks 311

312 36.16 Troubleshooting server hardware For information on specific server hardware issues, see the HP OneView elease Notes Server add or remove is unsuccessful If the add server action is not successful, a notification panel provides the reason why the action failed and provides a solution to the problem. Often, the resolution is to click the add link embedded in the message; the add action rediscovers all components and updates its knowledge of the server. Symptom Cannot remove a server Possible cause and recommendation Lack of connectivity with the server hardware can prevent the remove action from being successful The server is not removed from the appliance. The likely cause is an internal problem on the appliance and the best resolution is to follow the instructions in the notification panel. The server is removed but due to communication failure, the configuration requires manual intervention to correct. In the case where manual configuration is needed, investigate the following: The management UL might still point to the appliance, leave it alone. To manually clean up after removal, use the Force option to add the server back under a new appliance manager. emove _HPOneViewAdmin administrative user, from the list of ilo users through the ilo. emove the SNMP trap destination, which is the IP address of the appliance, from the list of trap targets. Go to: ilo >HP OV>delete this remote manager configuration from ilo Cannot control power on server blade Server hardware power control depends on both the HP Integrated Lights-Out (ilo) on the target server hardware, and in the case of ProLiant C-class servers, the Onboard Administrator module in the host enclosure. If you have difficulty with server power control, examine recent configuration and security changes which might affect this feature. Often the ilo event log can be a useful starting point to see these changes. Another area to examine for ProLiant C-class servers are the power management policies of the enclosure. Verify the Onboard Administrator to ensure sufficient power is available and the power operations policy is appropriate. Hardware could have failed as well. Use the Integrated Management Log (IML) on the ilo for Power On Self Test (POST) errors to determine if a hardware failure has occurred. If a power on or power off action fails, follow the instructions in the notification message Lost connectivity to server hardware after appliance restarts When the appliance restarts after a crash, the server inventory is evaluated for any long-running activity that failed, such as applying server profile settings, that might have been in progress when the crash occurred. You can recover by performing the same action again, such as reapplying the server profile settings. The appliance resynchronizes the servers. During resynchronization, each server hardware enters the resyncpending state. A full resynchronization of individual server hardware includes rediscovering the server hardware, verifying the server hardware power state and updating the resource state accordingly, and updating the health status. The appliance creates a task queue for each task during a resynchronization operation. 312 Troubleshooting

313 eplace a server blade with an assigned server profile Symptom Server Hardware failure Possible cause and recommendation Server hardware failed and must be replaced 1. Gracefully shut down the server hardware. 2. emove the original server and install the replacement server. 3. If the server hardware type of the replacement server matches the server hardware type of the original server then: a. If the Affinity defined in the profile is set to Device bay, the server profile will be automatically re-assigned to the new server. Proceed to step 5. b. If the Affinity is set to Device bay + server hardware, the server profile must be edited and re-saved to allow the appliance to reconfigure the profile for the new server. No changes to the server profile are required. Proceed to step If the server hardware type of the replacement server does not match the server hardware type of the original server a new profile must be created that matches the server hardware type of the replacement server. The original profile assigned to the server must be unassigned or deleted and the new profile assigned to the replacement server. 5. If the Integrated Lights-out (ilo) firmware version is greater than or equal to the minimum required firmware version, proceed to Step 6. The minimum ilo firmware version is available in the HP OneView Support Matrix. If the replacement server has an ilo firmware version less than the minimum required firmware version, an alert on the Server Hardware screen is displayed and the server status is Unmanaged/Unsupported Firmware. a. Select Actions Update ilo firmware. b. Click OK. 6. If the ilo firmware version is different from the baseline and the server profile is assigned to a Gen8 server or later, the ilo server firmware can be updated automatically with the re-assignment of the server profile. a. From the main menu, select Server Profiles, and then select the server profile to edit. b. Select Actions Edit. If needed, select the proper server hardware. c. To manage the firmware update manually, from the Firmware baseline list, select managed manually. d. To automatically update the firmware, select the appropriate firmware baseline. To force install the firmware, select Force installation. e. Click OK. If the firmware version is different from the baseline and the server profile is assigned to a G7 server, you must update the firmware outside of the appliance Troubleshooting server hardware 313

314 eplace a server adapter on server hardware with an assigned server profile IMPOTANT: The replacement adapter must match the old adapter. If the replacement adapter does not match the old adapter, the server hardware type will change. If a server profile was assigned to that server hardware, a new server profile must be created to support the changed server hardware type. Symptom Server adapter failure Possible cause and recommendation Server adapter failed and must be replaced 1. Gracefully shut down the server. 2. eplace the adapter on the server. 3. If the corresponding server profile is configured with virtual identifiers (MAC & WWN addresses) proceed to step 4. If the profile is configured with physical identifiers (MAC & WWN), consider the following: a. Due to change in the identifiers, any Ethernet network configurations may be lost on the OS and may require a reconfiguration. b. The server host WWN may need to be updated in your storage network zone and on the storage array. 4. Check the firmware version of the new adapter. a. From the main menu, select Server Hardware or Server Profiles, and then select the server hardware or server profile that contains the replaced adapter. b. From the Server Hardware screen or Server Profile screen, select Actions Launch console. The ilo emote Console is launched. c. Power on the server and check the firmware version of the new adapter during boot. NOTE: To check that the firmware version matches your firmware baseline, from the main menu, select Firmware Bundles, and select your firmware baseline. Scroll through the list of firmware to find what is offered in your baseline and compare it to your adapter firmware. 5. If the firmware version is different from the baseline and the server profile is assigned to a Gen8 server or later, the server firmware can be updated automatically with the re-assignment of the server profile. a. From the main menu, select Server Profiles, and then select the server profile to edit. b. Select Actions Edit. If needed, select the proper server hardware. c. To manage the firmware update manually, from the Firmware baseline list, select managed manually. d. To automatically update the firmware, select the appropriate firmware baseline. To force install all of the firmware, even if it is the same or newer, select Force installation. e. Click OK. NOTE: If the firmware version is different from the baseline and the server profile is assigned to a G7 server, you must update the firmware outside of the appliance Troubleshooting server profiles Server profile is not created or updated correctly When a server profile is not created or updated correctly, a notification appears at the top of the screen stating the profile operation was not successful; click the notification area to show more details. Also, the status icon next to the server profile name indicates it is in an Error condition 314 Troubleshooting

315 ( ). The profile remains on the appliance, but you must edit the profile to correct it. When you correct the server profile, the profile status changes to OK ( ). Symptom Server profile is not created or updated correctly Cannot find a network when adding a connection Cannot add a connection from the profile Possible cause and recommendation Verify the following conditions: 1. Verify that the prerequisites listed in the online help have been met. 2. Verify that the following conditions are TUE: The latest SPP is installed and applied A profile name has been entered and is unique The selected server hardware is powered off The server hardware is in the No Profile Applied state, has the correct firmware, the ports are mapped to the correct interconnect, and the device bay has no profile assigned to it The server hardware is able to power cycle, and a user did not shut down the server hardware while the profile settings were being applied You applied the correct ilo and system OM firmware levels You are using supported server hardware The ilo has an IP address and network connectivity Communication exists with the server hardware ilo, including but not limited to whether the ilo is functioning, network cabling is connected and functional, and there are no problems with switches or interconnects in the management network The appliance and managed resources are not separated by a firewall The add enclosure operation successfully completed The OA has network connectivity The add server hardware operation successfully completed The specified network or network set is available on the server hardware port The interconnects are in the Configured state, and have the correct firmware The logical interconnect configuration matches its logical interconnect group There are no duplicate networks on a physical port If multiple adapters are installed, all adapters must have the same firmware version User-specified addresses are unique and have correct format 3. When the issues have been addressed, either edit the profile or delete the profile and create another profile. Server profile has duplicate networks on the same physical port Change the connection to a different port Change the connection to use a different VLAN Verify that the following condition is true: The logical interconnect group is set up with the networks configured into uplink sets Verify that the following conditions are true: The interconnects in the logical interconnect group are in the Configured state and have the correct firmware The servers are in the No Profile Applied state, have the correct firmware, and the ports are mapped to the correct interconnect Troubleshooting server profiles 315

316 Symptom A profile operation timeout when applying BIOS settings Possible cause and recommendation The server hardware or its ilo are powered-off or reset In most cases, retrying the operation resolves the problem The appliance cannot collect progress information from the ilo In most cases, retrying the operation resolves the problem Auto-assignment for FlexNIC fails while assigning/deploying connections Invalid configuration Auto-assignment for FlexNIC connections does not validate the following: Bandwidth oversubscription on the physical port Maximum networks (VLANs) on the physical port Duplicate networks (VLANs) on the physical port Manual assignment is required What to do when you cannot apply the server profile Symptom Cannot verify the status of the server hardware Possible cause and recommendation Verify the operational status of the server hardware 1. Click Cancel to exit from the Create Server Profile screen. 2. From the main menu, navigate to the Server Hardware screen. 3. Find, and then select the server hardware Profile operations are not successful Symptom Message indicates that the server is managed by another management system Possible cause and recommendation The enclosure is no longer managed by HP OneView To prevent losing all allocated virtual IDs, perform the following steps before forcibly deleting the server profile. 1. Use EST APIs to get the server profile. GET /rest/server-profiles 2. Force delete the profile using the UI or EST APIs. 3. ecreate the IDs using the User Specified option in the UI, or use EST APIs to create the server profile: a. Get the server profile. GET /rest/server-profiles b. Edit the server profile. 1) emove uri, serverhardwaretypeuri, enclosuregroupuri, enclosureuri, and enclosurebay. 2) Change the serverhardwareuri value to the server the profile is going to be associated to. 3) Change serialnumbertype from Virtual to UserDefined. 4) In the connections property, change mactype from Virtual to UserDefined. 5) In the connections property, change wwpntype from Virtual to UserDefined. 6) In the connections property, if applicable change networkuri with the correct networks. c. Create the server profile. POST /rest/server-profiles 316 Troubleshooting

317 36.18 Troubleshooting storage Brocade Network Advisor (BNA) SAN manager fails to add Symptom Possible cause and recommendation Adding the SAN manager fails with the error No SAN manager can be found at the specified location. The BNA or the Standalone SMI Agent is not installed on a server See the BNA software documentation. A BNA administrator account with full access is not configured and available for use by the appliance See the BNA software documentation. The Common Information Model Object Manager (CIMOM) is not installed and configured on the server See the BNA software documentation. The BNA SSL setting and the SSL setting for the BNA on the appliance do not match 1. Use the BNA software to verify whether or not SSL is enabled. See the BNA software documentation for more information. 2. From the SAN Managers screen, verify that the Use SSL setting on the appliance for BNA matches the SSL setting in the BNA software. If the SSL setting does not match: a. From the main menu, select SAN Managers, and do one of the following: In the master pane, select the BNA and select Actions Edit. Hover your pointer device in the details pane and click the Edit icon. 3. For Use SSL, change the value so that it matches the SSL setting in the BNA software. 4. Click Ok to save your changes Unable to establish connection with Brocade Network Advisor (BNA) SAN manager Symptom Unable to establish a connection with the SAN manager Possible cause and recommendation The CIMOM is not bound to the NIC that is on the same subnet as the appliance Binding the CIMOM to an NIC on the same subnet as the appliance is required for the appliance to connect and communicate with the BNA network management software. See the BNA software documentation Troubleshooting storage 317

318 Volume not available to server hardware Symptom Volume not accessible on the server Possible cause and recommendation A possible cause of a volume not being accessible on the server is that the SAN zone is improperly configured or missing. The following are recommended solutions: e-enable the attachment (Managed SAN case) 1. From the main menu, select Server Profiles. 2. In the master pane, select an server profile and select Actions Edit. 3. Under SAN Storage locate the volume attachment and select Enable. 4. Click OK. Create or configure the zone using the SAN management software (no managed SAN) See the SAN manager documentation. Using managed SANs 1. Verify that the SAN manager and SAN is associated with the network. 2. Verify that Automate zoning is enabled. Automated zoning is not enabled on the SAN Verify that the zone has been manually configured. 1. See the SAN manager documentation. A possible cause of a volume not being accessible on the server is that the Server initiators are not logged into the fabric because the interconnect port is disabled. The following are recommended solutions: Enable the interconnect port on the appliance 1. From the main menu, select Interconnects. 2. In the master pane, select an interconnect and select Actions Edit. 3. Locate the port you want to enable and select Enable. 4. Click OK. You can also use the EST API to complete this task. EST API: /rest/interconnects/id/ports See the HP OneView EST API eference for more information. econfigure the logical interconnect group 1. From the main menu, select Logical Interconnect Groups. 2. In the master pane, select a logical interconnect group and select Actions Edit. 3. Edit the uplink sets to connect the Fibre Channel networks with the desired interconnect ports. 4. Click OK. 5. Verify that the logical interconnect group link comes online. 6. From the main menu, select Logical Interconnects. 7. In the master pane, select a logical interconnect and select Actions Update from group. You can also use the EST API to complete this task. EST API: /rest/logical-interconnect-groups/id and /rest/logical-interconnects/id/compliance See the HP OneView EST API eference for more information. Verify the cabling 1. Verify the physical cabling is configured as intended. 318 Troubleshooting

319 Symptom Possible cause and recommendation A possible cause of a volume not being accessible on the server is that the connection has not been defined in the server profile. Add a connection to a Fibre Channel network in the server profile 1. From the main menu, select Server Profiles. 2. In the master pane, select a server profile and select Actions Edit. 3. Under Connections click Add Connection. 4. For Device type select Fibre Channel. 5. For Network select a network that is connected to the storage system and click Add. 6. Click OK Volume is visible from the storage system but not visible on the appliance Symptom Volume is not in a normal state Possible cause and recommendation A possible cause of a volume not being visible on the appliance is that the volume has been moved to a storage pool that is not managed by the appliance. Move the volume to a pool that is managed by the appliance and refresh the volume using the storage system software See the storage system documentation. Bring the storage pool in which the volume resides under management of the appliance NOTE: If the volume was moved by Adaptive Optimization, HP recommends bringing all pools that Adaptive Optimization might use under management of the appliance. This will ensure that the volume is still available to the appliance if it is moved by Adaptive Optimization. 1. From the main menu, select Storage Pools, and do one of the following: Click + Add storage pool in the master pane. Select Actions Add. 2. For Storage System, select the storage system that contains the storage pools you want to add. 3. For Storage Pool, select the storage pool you want to add. 4. Click Add to add the storage pool, or click Add + add another pool. You can also use the EST API to complete this task. EST API: /rest/storage-pools See the HP OneView EST API eference for more information Troubleshooting storage 319

320 Target port failure Symptom Target port is in a failure state Possible cause and recommendation One cause of target port failure is that the Actual and Expected network are mismatched. Possible causes for this are the following: The expected network needs to be updated on the appliance 1. From the main menu, select Storage Systems. 2. In the master pane, select the storage system and select Actions Edit. 3. For the port change the Expected Network so that it matches the Actual Network. 4. Click OK. You can also use the EST API to complete this task. EST API: /rest/storage-systems/id See the HP OneView EST API eference for more information. The enclosure that is physically connected to the storage system has not been added to the appliance (Direct attach) Use the Enclosures screen to add the enclosure to the appliance. You can also use the EST API to complete this task. EST API: /rest/enclosures See the HP OneView EST API eference for more information. The physical cabling is improperly configured (Fabric attach) Verify that the cabling between the storage system and the SAN switch is properly configured. The physical cabling is improperly configured (Direct attach) Verify that the cabling between the storage system and the enclosure interconnects is properly configured. Port failed on device Examine your storage system hardware. epair as necessary Troubleshooting switches Switch communications Symptom Unable to communicate with switch Possible cause and recommendation Incorrect IP address or host name Edit the switch to specify the correct IP address or host name Invalid credentials The user name or password is not valid for the switch. Edit the switch and enter new credentials Lost network connectivity efresh the switch Edit the switch to specify a new IP address or host name 320 Troubleshooting

321 36.20 Troubleshooting user accounts Incorrect privileges Users must have view privileges (at minimum) on a managed object to see that object in the user interface. Symptom Unable to see specific resource information or perform a resource task Possible cause and recommendation Your assigned role does not have the correct privileges equest a different role or an additional role from the Infrastructure administrator in order to do your work Unauthenticated user or group Each user is authenticated on login to the appliance by the authentication service that confirms the user name and password. The Edit Authentication screen enables you to configure authentication settings on the appliance; the default values are initially populated during first time setup of the appliance. Symptom Unable to configure a directory user or group Possible cause and recommendation Configure authentication settings 1. From the Users screen, click Add Directory User or Group. 2. Click add a directory. 3. From the Edit Authentication screen, click Add directory. 4. Provide the requested information. 5. Click OK User public key is not accepted Symptom User public key does not work or is not accepted Possible cause and recommendation Hidden characters introduced during a copy/paste operation change the key code Enter the key again, taking care to prevent special characters from being injected into the key when pasting it into the public key field. Only SA keys are supported Troubleshooting user accounts 321

322 Directory service not available Symptom Cannot connect to the directory service Possible cause and recommendation Directory service server is down 1. Locally run the ping command on the directory server IP address or host name to determine if it is online. 2. Verify that the appliance network is operating correctly. 3. Contact the directory service administrator to determine if the server is down. Inaccurate settings in the Add Directory screen 1. Verify that the name of the directory service is unique and entered correctly. Duplicate names are not accepted. 2. Verify that the Directory type is correct. 3. Ensure that the Search context fields are correct. Verify that the group is configured in the directory service. If users and groups are in different hierarchies. you can enter multiple searches using the + operator. 4. Verify that the credentials of the authentication directory service administrator are correct. 5. Ensure that the role assigned to the group is correct Cannot add directory service Symptom Cannot connect with directory service host Cannot log in Possible cause and recommendation Connection with directory service host is lost Minimum required privileges: Infrastructure administrator 1. Verify that the settings for the directory service host are accurate. 2. Locally run the ping command on the directory server s IP address or host name to determine if it is on-line. 3. Verify that the port for LDAP communication with the directory service is port Verify that the port (default port 636) you are using for communication is not blocked by any firewalls. See Ports required for HP OneView (page 61). 5. Verify that the appliance network is operating correctly. 6. Determine that the appliance virtual machine is functioning properly and that there are enough resources. The credentials are inaccurate Minimum required privileges: Infrastructure administrator 1. Verify the login name and password are accurate. 2. Verify the search context information is accurate; you might be trying to access a different account or group. 3. e-acquire and install the directory service host certificate. 4. Contact the directory service provider to ensure that the credentials are accurate. 322 Troubleshooting

323 Cannot add server for a directory service Symptom Cannot connect with directory service host Cannot log in Possible cause and recommendation Lost connection with directory service host 1. Verify that the settings for the directory service host are accurate. 2. Verify that the correct port is used for the directory service. 3. Verify that the port (default port 636) you are using for communication is not blocked by any firewalls. See Ports required for HP OneView (page 61). 4. Locally run the ping command on the directory service host s IP address or host name to determine if it is on-line. 5. Verify that the appliance network is operating correctly. 6. If the appliance is hosted on a virtual machine, determine that it is functioning properly and there are enough resources. Inaccurate credentials 1. Verify that the login name and password are accurate. 2. eacquire and install the directory service host certificate. 3. Contact the directory service provider to ensure that the credentials are accurate. Inaccurate settings in the Add Directory screen 1. Verify that the name of the directory service is unique and entered correctly. Duplicate names are not accepted. 2. Verify that the Directory type is correct. 3. Ensure that the Search context fields are correct. Verify that the group is configured in the directory service. 4. Verify that the credentials of the authentication directory service administrator are correct Troubleshooting user accounts 323

324 Cannot add directory group Symptom Cannot log in Cannot find group in the directory service Possible cause and recommendation Connection with directory service host is lost Minimum required privileges: Infrastructure administrator 1. Verify that the settings for the directory service host are accurate. 2. Verify that the correct port is used for the directory service. 3. Verify that the port (default port 636) you are using for communication is not blocked by any firewalls. See Ports required for HP OneView (page 61). 4. Locally run the ping command on the directory service host IP address or host name to determine if it is online. 5. Verify that the appliance network is operating correctly. 6. If the appliance is hosted on a virtual machine, determine that the virtual machine is functioning properly and enough resources are allocated to it. The credentials are inaccurate Minimum required privileges: Infrastructure administrator 1. Verify that the login name and password are accurate. 2. eacquire and install the directory service host certificate. 3. Contact the directory service provider to ensure that the credentials are accurate. Group is not configured in the directory service Minimum required privileges: Infrastructure administrator 1. Verify the credentials of the authentication directory service. 2. Verify that the directory service is operational. 3. Verify the name of the group. 4. Contact the directory service administrator to verify that the group account is configured in the directory service. 5. Verify that the group is within four hierarchical levels from the group specified by the DN. 6. Try to find the group again. For more information, see About directory service authentication (page 220). Directory type is incorrect Minimum required privileges: Infrastructure administrator The directory type was incorrectly specified. For example, an Active Directory service might have be specified as OpenLDAP. 1. Verify that the settings for the directory service are accurate. Cannot add group Cannot find any groups on servers configured for the directory service Group is already mapped Minimum required privileges: Infrastructure administrator The authentication directory and group specified already exist. Groups must be unique. 1. eassign the current group to another role, or otherwise make the group unique. Specified search for configured directory service does not contain any groups Minimum required privileges: Infrastructure administrator 1. Verify the directory server configuration. 2. Add all search contexts to retrieve the wanted group or groups. Use the + operator. 324 Troubleshooting

325 Symptom Possible cause and recommendation No groups found on servers configured for directory service; cannot reach other directory servers Error occurred while accessing directory groups Minimum required privileges: Infrastructure administrator 1. Verify the directory server configuration. 2. Verify the connection to the directory server host. See Cannot add server for a directory service (page 323). 3. Add all search contexts to retrieve the wanted group or groups. Use the simple + syntax. Cannot reach the server configured for the directory service Error occurred while retrieving groups from the directory server Minimum required privileges: Infrastructure administrator 1. Verify the connection to the directory server host. See Cannot add server for a directory service (page 323). 2. Verify the directory server configuration Troubleshooting user accounts 325

326 326

327 37 estoring an appliance from a backup file This chapter describes how to use the UI, EST APIs, or a custom-written PowerShell script to restore a corrupted appliance from a backup file. A restore operation is required only to recover from catastrophic failures, not to fix minor problems that can be resolved in other ways. UI screens and EST API resources UI screen Settings Actions EST API resource restores 37.1 oles For more information about restoring an appliance, see the online help for the Settings screen. IMPOTANT: Do not use any hypervisor-provided capabilities or snapshots to restore an HP OneView appliance because doing so can cause synchronization errors and result in unpredictable and unwanted behavior. Users with Infrastructure administrator or Backup administrator privileges can create and download backup files, however, only an Infrastructure administrator can restore an appliance from a backup file About restoring the appliance estoring an appliance from a backup file replaces all management data and most configuration settings with the data and settings in the backup file, including user names and passwords, audit logs, and available networks. The appliance is not operational during the restore operation and it can take several hours to perform; the more resources and devices to restore, the longer the restore operation takes. A restore operation cannot be canceled or undone after it has started. The appliance blocks login requests while a restore operation is in progress. IMPOTANT: A restore operation is required to recover from catastrophic failures, not to fix minor problems that can be resolved in other ways. You can restore an appliance from a backup file that was created on the same appliance or, if an appliance fails and cannot be repaired, from a backup file from a different appliance. In this 37.1 oles 327

328 case, the backup file must have been created from an appliance running the same version of HP OneView. Actions during the restore operation Validates the resource inventory efreshes enclosures to validate contents Clears virtual IDs Description During a restore operation, the appliance firmware validates the resource inventory (enclosures, servers, interconnects) and reconciles the data in the backup file with the current state of the managed environment. The state of the managed environment is likely to be different from the state of that environment at the time the backup file was created. After the restore operation, the appliance uses alerts to report any discrepancies that it cannot resolve automatically. If you removed, and then re-added an enclosure after a backup file was created, and then perform a restore operation using that backup file, you must refresh the enclosure before the appliance can connect. If you added server hardware to the appliance after the backup file was created, that hardware is not in the appliance database when the restore operation completes. You must add that hardware to the appliance and then repeat any other configuration changes (such as assigning server profiles) that were made between the time the backup file was created and the restore operation completed. During the restore operation, the appliance refreshes each enclosure to validate its contents especially to ensure that the appliance still claims them. Then the appliance refreshes each server blade and clears the virtual IDs of any servers added to an enclosure since the last time the backup file was created. The appliance also refreshes all rack servers to ensure they are claimed. The appliance clears virtual IDs for server hardware that does not have a profile assigned but does have virtual IDs configured. These servers most likely had a profile assigned after the last backup was made. See also Post-restoration tasks (page 331). You can use the UI to upload a backup file and restore the appliance from it. You can also use EST APIs for this purpose. 328 estoring an appliance from a backup file

329 37.3 Best practices for restoring an appliance Best Practice Before you begin Inform users Use the right backup file Description 1. Note the passwords you use. Maintain a list of the current user accounts on the appliance. The restore operation resets the user names and passwords to those that were in effect when the backup file was created. 2. Create a support dump. Use the support dump to diagnose failures that occurred before the restore operation. 3. Download the existing audit logs, and store them for safekeeping. The restore operation restores the audit logs from the backup file, overwriting the existing logs. 4. Stop all automatically scheduled backups. estart the automatically scheduled backups after the appliance is restored. 5. Make the backup file accessible to the appliance from which you plan to issue the upload request. If you are using an enterprise backup product to archive backup files, follow any steps required by your backup product to prepare for the restore operation. Make sure that all users logged in to the appliance log out. Users who are logged in when the restore operation begins are automatically logged out, losing whatever work was in progress. All users are blocked from logging in during the restore operation. Use the latest backup file to restore the appliance. Changes made after the backup file is created cannot be saved. Make sure the appliance network settings are the ones you want the appliance to use after the restore operation. Appliance network configuration settings are not included in the backup file. Ensure that the appliance being restored and the appliance on which the backup file was created have the same firmware version; otherwise, the restore operation fails. The platform type, hardware model, and the major and minor numbers of the appliance firmware must match to restore a backup. The format of the appliance firmware version is as follows: majornumber.minornumber.revisionnumber-buildnumber The revision and build numbers do not need to match. If the backup file is incompatible with the firmware on the appliance, the upload returns an error and the restore operation stops. You will need to update the firmware or select a different backup file. If the backup file was created on an appliance that is different from the one you are restoring, do one of the following: Delete the original appliance. econfigure the original appliance so that it no longer manages the devices it was managing when the backup file was created. Serious errors can occur if multiple appliances attempt to manage the same devices estore an appliance from a backup file estoring an appliance from a backup file replaces all management data and most configuration settings on the appliance. You are directed to re-enter unresolved data, if applicable. For more information, see About restoring the appliance (page 327). Prerequisites Minimum required privileges: Infrastructure administrator. You have completed all the best practices for restoring an appliance Best practices for restoring an appliance 329

330 IMPOTANT: If you are using a backup file created on another appliance to restore a new or replacement appliance: 1. Install HP OneView on the new or replacement appliance. For instructions, see the HP OneView Installation guide. 2. Configure the new appliance with the same network settings as the appliance on which the backup file was created. Thus, you can use the network to upload the backup file to the new appliance. For more information on the network configuration settings, see the online help for the add or edit appliance screen details. If the network configuration for the new appliance does not exactly match the network configuration in the backup file, the network configuration disagrees with the network certificates in the backup file. As a result, the browser loses connection with the appliance and the appliance cannot be restored. 3. When the new appliance network is configured, continue the restore operation described in the following procedure. estoring an appliance from a backup file Select the procedure that applies to your environment and practices: Select a backup file and start the restoration immediately Select a backup file and start the restoration later Select a backup file and start the restoration immediately 1. From the Settings screen, select Actions estore from backup. A dialog box opens. 2. ead the on-screen notification, then select Select a backup file. 3. Do one of the following: Drag the backup file and drop it into the indicated text box. Click Browse and select the backup file to upload. NOTE: Not all browsers and browser versions offer the ability to drag and drop files onto applications. 4. Click Upload and restore. Wait until the restore process is complete. A status page indicates progress. When the restore process completes, you are returned to the login page where you can log in to the restored appliance. 5. Upload the firmware bundles used by your server profiles, enclosures, and logical interconnects. These were not saved as part of the backup file. efer to each profile's Firmware baseline setting to determine the file name for the required baseline. You do not need to upload the default baseline, HP Service Pack for ProLiant - Base Firmware, which is included in the appliance image. 6. esolve any discrepancies that a restore operation cannot resolve automatically. See Post-restoration tasks (page 331). Select a backup file and start the restoration later 1. From the Settings screen, select Actions estore from backup. A dialog box opens. 2. ead the on-screen notification, then select Select a backup file. 330 estoring an appliance from a backup file

331 3. Do one of the following: Drag the backup file and drop it into the indicated text box. Click Browse and select the backup file to upload. NOTE: Not all browsers and browser versions offer the ability to drag and drop files onto applications. 4. Click Upload only. Wait until the file upload is complete. A progress bar appears. The file name, creation date, and version are displayed when the file upload is complete. 5. When you are ready to restore the appliance from the backup file, return to the dialog box and verify that the backup file is correct and uploaded. 6. Select estore from a backup file. 7. Click estore. Wait until the restore process is complete. A status page indicates progress. When the restore process completes, you are returned to the login page where you can log in to the restored appliance. 8. Upload the firmware bundles used by your server profiles, enclosures, and logical interconnects. These were not saved as part of the backup file. efer to each profile's Firmware baseline setting to determine the file name for the required baseline. You do not need to upload the default baseline, HP Service Pack for ProLiant - Base Firmware, which is included in the appliance image. 9. esolve any discrepancies that a restore operation cannot resolve automatically. See Post-restoration tasks (page 331) Using EST APIs to restore an appliance from a backup file Prerequisites Minimum required session ID privileges: Infrastructure administrator You have uploaded a backup file to the appliance. estoring the appliance from a backup file using EST APIs 1. Initiate the restore process. POST /rest/restores The restore UI is returned. 2. List the status of the restore process. GET /rest/restores 37.6 Creating a custom script to restore an appliance If you prefer to write a script to restore an appliance from a backup file, see Sample restore script (page 392) for a sample PowerShell script that you can customize for your environment Post-restoration tasks During a restore operation, the appliance reconciles the data in the backup file with the current state of the managed environment. There are some discrepancies that a restore operation cannot resolve automatically, for example, if servers were added after the backup file was created. The 37.5 Using EST APIs to restore an appliance from a backup file 331

332 network configuration on these servers is unknown to the appliance after a restore and could result in duplicate MAC addresses and World Wide Names (WWNs), as a result. After a restore operation completes, you must manually resolve any remaining alerts and add these servers back into the appliance to eliminate the risk of duplicate IDs. You must also perform manual cleanup of hardware (servers, interconnects, and enclosures) if server profiles are forcibly unassigned or the hardware is forcibly removed without first being unconfigured. Preventing duplicate IDs on the network after a restore 1. After a restore operation is complete, re-add any enclosure or server hardware added since the selected backup. NOTE: For any enclosures added since the last backup that you decide not to re-add after the restore, avoid duplicate IDs by running the Onboard Administrator SSH command clear vcmode on these enclosures. unning this command ensures the virtual MACs and WWNs on the server blades in the enclosure have been cleared. 2. For any server profile alerts about the profile not matching the server hardware: a. Identify all server profiles with a mismatch-type of error message. Make a list of these server profiles and the assigned server hardware. b. Power off the server, and then unassign all of the server profiles individually. From the Server Profiles screen, select Actions Edit, and then select Unassign from the server hardware drop down selector. Click OK. c. Select Actions Edit again, and then reassign all of the documented profiles to the documented server hardware. 3. For any alerts about ID ranges, the Network administrator should examine the address and identifier ranges and edit them, if needed. 4. e-create any profiles for the servers in any enclosures that were added in step estoring an appliance from a backup file

333 38 Support and other resources The following topics provide information about HP Support as well as the other resources and documentation that are available to assist you in the use of HP OneView Gather information before contacting an authorized support representative If you need to contact an authorized HP support representative, be sure to have the following information available: Your Service Agreement Identification Number (SAID), required for entitlement Software product name HP OneView Hypervisor virtualization platform and version Messages generated by the appliance Other HP or third-party software in use A support dump if a message recommended that you create a support dump for analysis purposes 38.2 How to contact HP See the Contact HP Worldwide website to obtain contact information for any country: See the contact information provided on the HP Support Center website: In the United States, call to contact HP by telephone. This service is available 24 hours a day, 7 days a week. For continuous quality improvement, conversations might be recorded or monitored. Say OneView when prompted for the product name Get connected to the HP OneView online user forum The HP OneView interactive online forum enables you to share your experiences and pose and answer questions related to using HP OneView. See to join the discussion Software technical support and software updates HP OneView software products include three years of 24 x 7 software technical support and update services, which provides access to technical assistance to resolve software implementation or operations problems. With this service, you benefit from expedited problem resolution as well as proactive notification and delivery of software updates. See for more information egistering for software technical support When you order HP OneView, you receive a license entitlement certificate by physical shipment or , which you must redeem online in order to obtain the license activation key Gather information before contacting an authorized support representative 333

334 After redeeming your license certificate activation key, you are prompted to register for software technical support and update services. Licenses that are embedded in the hardware are automatically registered, and do not require you to redeem the entitlement certificate. See for more information Using your software technical support and update service Once registered, you receive a service contract in the mail containing the customer service phone number and your Service Agreement Identifier (SAID). You need the SAID when you phone for technical support Obtaining HP OneView software and firmware updates See to obtain HP OneView software updates and product-specific firmware bundles Obtaining software and drivers for HP ProLiant products See for the latest software and drivers for your HP ProLiant products Warranty HP will replace defective delivery media for a period of 90 days from the date of purchase. This warranty applies to all products found on the delivery media elated information Use the information in this section to learn about HP OneView and related products Product bulletins and Quick Specs for all HP products The HP product bulletin website accessible from your desktop or mobile device, is a convenient central resource providing technical overviews and specifications for HP hardware and software products. 334 Support and other resources

335 HP OneView documentation and websites See the Enterprise Information Library at to download the latest versions of the following HP OneView documentation: HP OneView elease Notes HP OneView Support Matrix HP OneView Installation Guide HP OneView User Guide HP OneView EST API eference zip file of HP OneView user interface HTML help files zip file of HP OneView EST API HTML help files Technical white papers HP OneView help To view help on the appliance, click to open the Help sidebar. Links in the sidebar open help in a new browser window or tab: Help on this page opens help for the current screen Browse help opens the top of the help system where you decide which help topics you want to read about Browse EST API help opens help for API scripting and reference information Clicking on a screen or dialog box opens context-sensitive help for that dialog box HP OneView websites Primary website: Software updates: oneviewupdates User community forum: oneviewcommunity Videos: NOTE: See the online help for instructions to enable users and developers to browse the HP OneView help and HP OneView EST API eference on their local computers or a web server Enclosure, ilo, and server hardware documentation and websites You can download the latest versions of hardware manuals from the HP Servers Information Library For more information about hardware products, see the following websites: Enclosure and ilo websites HP BladeSystem enclosures: bladesystem HP Integrated Lights-Out : HP ProLiant server hardware websites General information: BL series server blades: DL series rack mount servers: us/en/products/proliant-servers/index.html? facet=proliant-dl-ack HP 3PA StoreServ Storage documentation and websites You can download the latest versions of HP 3PA StoreServ Storage manuals from the HP Storage Information Library For more information about HP 3PA StoreServ Storage products, see storage elated information 335

336 HP Virtual Connect documentation and websites You can download the latest versions of HP Virtual Connect manuals from the HP Support Center. Document type HP Virtual Connect user guides HP Virtual Connect command line references See Finding documents on the HP Support Center website (page 336) HP Virtual Connect website Finding documents on the HP Support Center website Follow these instructions to access technical manuals hosted on the HP Support Center. 1. Go to the HP Support Center website at 2. Under Knowledge Base in the left navigation pane, select Manuals. 3. Type a product name in the Find an HP product by search box (for example, Storage 3PA or HP Virtual Connect) and click Go. 4. If more than one product name is returned in the results, select the product you want. 5. On the Manuals page for that product, select your Language. 6. Next, select the type of document you are looking for to narrow down the list of documents that are offered to you. For example, select getting started information, user guides, setup and installation guides, general reference information, or white papers. If the list of documents is long, it might take a few seconds to load the page. You can use the sorting options in the table headings to sort the list of documents alphabetically by title or by publication date. 7. Select a document title to download to your local computer or to view online Submit documentation feedback HP is committed to providing documentation that meets your needs. To help us improve our documentation, send your suggestions and comments to this address: docsfeedback@hp.com For UI and EST API help In your message, include the section title where the content is located. Also include the product name, product version, help edition, and publication date located on the legal notices page. For user guides and other manuals In your message, include the document title, edition, publication date, and document part number located on the front cover of the document as well as the section title and page number. 336 Support and other resources

337 A Step by step: Configuring an example data center using HP OneView This appendix contains an illustrated example of using the HP OneView appliance UI to configure and manage an example (fictional) data center. It demonstrates using the UI to: 1. Provision eight VMware vsphere ESXi host servers using the HP OneView appliance and vsphere Auto Deploy feature. This demonstration includes adding a firmware bundle to the appliance, establishing a firmware baseline for an enclosure, and creating networks and network sets that are used in the demonstrations that follow. 2. Bring an HP ProLiant DL360p Gen8 rack mount server under management. This scenario includes adding a license to the appliance and using the appliance Map view to display relationships between resources. 3. Add an HP StoreServ Storage system to the example data center using a Fabric attach or Direct attach connection IMPOTANT: The information in this appendix, including all IP addresses, names, user names, passwords, and hardware and software configurations, is intended as an example for demonstration purposes only. The example in this appendix was created using HP OneView Version 1.20 and might not be valid for other versions of the software. Video demonstrations of HP OneView are also available. See Support and other resources (page 333). A.1 Tasks you can perform without data center hardware You can perform the following tasks before you add any hardware to the appliance: Plan the data center configuration. Install the appliance. Add, edit, and delete networks, network sets, logical interconnect groups, and enclosure groups. Add, edit, and delete server profiles that are not assigned to hardware. Not all aspects of a server profile can be configured before the appropriate server hardware is added to the appliance. Upload firmware bundles to the appliance repository. emove firmware bundles from the appliance repository. Add and delete users. Change settings. Create support dump files. Create backup files. A.2 Information about the example data center A.2.1 Example data center hardware The example data center hardware includes: One HP ProLiant DL360p Gen8 rack mount server One rack that contains the enclosures and rack mount servers A.1 Tasks you can perform without data center hardware 337

338 One HP BladeSystem c7000 Enclosure containing HP Virtual Connect FlexFabric 10Gb/24-Port Modules, HP Virtual Connect 8Gb 20 Port Fibre Channel Modules, and several different models of HP BladeServer server blades One HP BladeSystem c7000 Enclosure containing HP Virtual Connect FlexFabric-20/40 F8 modules and several different models of HP BladeServer server blades A pair of SAN switches that connect to data center storage systems A pair of Ethernet switches that connect to the data center networks An HP 3PA Storage System that connects directly to one of the enclosures (a Direct attach configuration) All of the hardware is located in the same room. ack mount server Attribute Model Name ilo IP address Description HP ProLiant DL360p Gen8 DL360pGen ilo administrator credentials Physical location User name Password ack 173, U26 iloadmin S&leP@ssw0rd Enclosure 1 Attribute Name Primary Onboard Administrator IP address Secondary Onboard Administrator IP address Onboard Administrator credentials ilo administrator credentials (all servers) Description Enclosure User name Password User name Password OAAdmin S&leP@ssw0rd iloadmin S&leP@ssw0rd Physical location ack 173, U1 through U10 Interconnect hardware HP Virtual Connect FlexFabric 10Gb/24-Port Module HP Virtual Connect 8Gb 20 Port Fibre Channel Module I/O bay number 1, 2 3, 4 TIP: HP Virtual Connect Fibre Channel modules cannot be placed in bays 1 and Step by step: Configuring an example data center using HP OneView

339 Server hardware model HP ProLiant BL660c Gen8 HP ProLiant BL460c Gen8 Server bay numbers 1, 2 (full height) 3, 4, 5, 6, 7, 8, 11, 12, 13, 14, 15, 16 Enclosure 2 Attribute Name Primary Onboard Administrator IP address Secondary Onboard Administrator IP address Onboard Administrator credentials ilo administrator credentials (all servers): Description Enclosure User name Password User name Password OAAdmin S&leP@ssw0rd iloadmin S&leP@ssw0rd Physical location ack 173, U11 through U20 Interconnect hardware HP Virtual Connect FlexFabric-20/40 F8 Module I/O bay number 1, 2 Server hardware models HP ProLiant BL660c Gen8 HP ProLiant BL460c Gen8 Server bay numbers 1, 2 (full height) 3, 4, 5, 6, 7, 8, 11, 12, 13, 14, 15, 16 HP Virtual Connect FlexFabric 10Gb/24-Port Module port configurations Ports X1, X2, X3, X4 X5, X6 X7, X8 Permitted configurations Either Fibre Channel or 10Gb Ethernet Either 1GB or 10Gb Ethernet Either internal stacking link or 1GB or 10Gb Ethernet. If a port is used for an internal stacking link, do not use it for an external Ethernet connection. For this data center, use X7 for the internal stacking link. HP Virtual Connect 8Gb 20 Port Fibre Channel Module Ports 1, 2, 3, 4 Permitted configurations 8Gb Fibre Channel A.2 Information about the example data center 339

340 HP Virtual Connect FlexFabric-20/40 F8 Module port configurations Ports X1, X2, X3, X4 X5, X6 X7, X8 X9, X10 Q1, Q2, Q3, Q4 Qx.1 Qx.4 Permitted configurations Either 1Gb/10Gb Ethernet or Fibre Channel Either 1Gb/10Gb Ethernet or Fibre Channel but must be same type of network traffic Either 1Gb/10Gb Ethernet or Fibre Channel but must be same type of network traffic Internal stacking link Either 1x40Gb, 4x10Gb, or 1x10Gb Ethernet If configured for 4x10Gb, 1Gb multiplex Ethernet A.2.2 Data center networks All data center switch ports that connect to the Virtual Connect (VC) interconnect modules are configured as described in Data center switch port requirements (page 161). A Fibre Channel networks Fibre Channel networks for the SAN fabrics The example data center has two Fibre Channel SAN switches. To see a graphical representation of the configuration, see Figure 20 (page 341). The names for the Fabric attach Fibre Channel networks are: FC 1 FC 2 FC 3 FC 4 Table 22 Fabric attach Fibre Channel network configurations Configuration attribute Type Fabric type Preferred bandwidth Maximum bandwidth Login redistribution Link stability time Value Fibre Channel Fabric attach 2.5 Gb/s 8 Gb/s Auto 30 seconds Notes Choose Fabric attach for Fibre Channel networks that connect to SAN switches in the data center. This is the default value displayed on the Create network screen. This is the default value displayed on the Create network screen. This is the default value displayed on the Create network screen. This is the default value displayed on the Create network screen. Fibre Channel networks directly attached to the 3PA Storage System (Direct attach) The example data center has a 3PA Storage System that is connected directly to an enclosure. This is called a Direct attach or Flat SAN network configuration. To see a graphical representation of the configuration, see Figure 20 (page 341). The names of the Direct attach Fibre Channel networks follow: Direct A Direct B 340 Step by step: Configuring an example data center using HP OneView

341 12Vdc HP StorageWorks 4/32B SAN Switch Vdc 12Vdc HP StorageWorks 4/32B SAN Switch FAN 1 OA1 FAN 6 PS 6 UID HP VC FlexFabric 10Gb/24-Port Module ilo eset Active PS 5 UID PS 4 S H A E D : U P L I N K o r X - L I N K X1 X2 X3 X4 X5 X6 X7 X8 Enclosure UID emove management modules before ejecting sleeve UID Enclosure Interlink HP VC FlexFabric 10Gb/24-Port Module ilo eset Active UID PS 3 S H A E D : U P L I N K o r X - L I N K X1 X2 X3 X4 X5 X6 X7 X8 12Vdc PS 2 PS 1 FAN 5 OA2 FAN 10 Table 23 Direct A and Direct B Fibre Channel network configurations Configuration attribute Type Fabric type Preferred bandwidth Maximum bandwidth Login redistribution Link stability time Value Fibre Channel Direct attach 2.5 Gb/s 8 Gb/s Auto 30 seconds Notes Choose Direct attach for Fibre Channel networks that connect to the 3PA storage system. This is the default value displayed on the Create network screen. This is the default value displayed on the Create network screen. This is the default value displayed on the Create network screen. This is the default value displayed on the Create network screen. Figure 20 Example data center: Fibre Channel network connections Fabric-attached HP storage devices HP 3PA Storage System SAN A SAN Switch A SAN uplink connections (Fabric attach) SAN B SAN Switch B SAN uplink connections (Direct attach) HP BladeSystem c7000 Enclosure A Ethernet Networks You will configure all of the networks described in this section with the attributes listed in Table 28 (page 342). For each Ethernet network: The network name indicates the purpose of the network and enables users to search and filter by networks with similar names and purposes. The VLAN ID in the network name enables users to determine the VLAN ID of the network without having to look it up. Table 24 Networks for vmotion and virtual machine management Name mgmt 1131 vmotion 1132 VLAN ID Notes This is the boot network that includes the PXE server. This is the network used for live migration of VMs (virtual machines). A.2 Information about the example data center 341

342 Table 25 Production networks Name prod_1101 prod_1102 prod_1103 prod_1104 VLAN ID Table 26 Development networks Name dev_1105 dev_1106 dev_1107 dev_1108 VLAN ID Table 27 Test networks Name test_1111 test_1112 test_1113 test_1114 VLAN ID Table 28 Ethernet network configuration values Configuration attribute Type VLAN Preferred bandwidth Maximum bandwidth Smart link Private network Value Ethernet Tagged 2.5 Gb/s 10 Gb/s Selected Not selected Notes This is the default value displayed on the Create network screen. This is the default value displayed on the Create network screen. This is the default value displayed on the Create network screen. This is the default value displayed on the Create network screen. This is the default value displayed on the Create network screen. A.3 Planning the configuration A.3.1 Planning for installation of the appliance For the example data center, assume that you make the following choices before and during installation: You follow the recommendations in the HP OneView Installation Guide, including: Choosing a physical host for the appliance virtual machine (VM) that is not targeted to be managed by this appliance Choosing a static IP address Ensuring that the ports required by the appliance are available You allow support personnel to access the appliance. 342 Step by step: Configuring an example data center using HP OneView

343 You synchronize the appliance time with the VM host time. When prompted to change the Administrator password, you use the password SDC14u$. You specify the following for the appliance networking settings: Configuration attribute Appliance host name IPv4 address assignment Subnet mask Gateway address Preferred DNS server Alternate DNS server IPv6 address assignment Value myhostname.example.com Manual Unassigned (do not use IPv6 addresses in this example) A.3.2 Planning for network sets To enable servers to connect any Ethernet production network or test network without having to specify an individual network name, and to provision additional networks of these types without being required to change the configuration for every server, this data center requires network sets for these networks: Production networks Development networks Test networks A.3.3 Planning for users and roles The Administrator user ID, which has full access and privileges on the appliance, can perform all configuration steps. The appliance provides BAC (role-based access control), which enables an administrator to quickly establish authentication and authorization for users based on their responsibilities for specific resources. Users can view only the resources for which they are authorized, and they can initiate actions only for the resources for which they are authorized. The appliance also provides SSO (single sign-on) for the server ilo and the enclosure Onboard Administrator. The appliance roles are mapped to the appropriate role for the ilo or Onboard Administrator. Existing LDAP or Active Directory (AD) groups can be mapped to HP OneView roles, and then users in those groups can authenticate using their existing LDAP/AD credentials. Understanding the security features of the appliance (page 53) describes controlling access for authorized users. The online help lists the minimum required privileges for each task and resource. For the example data center, assume that all tasks are performed by a user with Infrastructure administrator privileges, such as the Administrator user. A.3 Planning the configuration 343

344 A.3.4 Planning resource names Searching and filtering in the appliance is based on a smart search model. By embedding information about the resource in the resource name, you can take advantage of the search and filter capability. In this example: All uplink set names include the text US. Example: testus The names of Direct attach Fibre Channel networks include the text Direct. Example: Direct A The names of networks, network sets, and uplink sets include text that indicates the purpose of the network: Network category production networks development networks test networks Text used in names prod dev test Examples prod_1101, prod networks, produs dev_1105, dev networks, devus test_1111, test networks, testus A.4 Installing the appliance For installation instructions, see the HP OneView Installation Guide. A.5 Provisioning eight host servers for VMware vsphere Auto Deploy This example demonstrates using the appliance to provision and prepare eight server blades for use by VMware vsphere Auto Deploy to create a host cluster. Assumptions The appliance has been installed and the appliance networking settings have been configured, but no other configuration has been completed. You are adding enclosure 1 and enclosure 2 of the example data center. The enclosures have embedded licenses. You will add the Ethernet networks and Fabric attach SAN networks described in Data center networks (page 340). A.5.1 Workflow 1. Downloading the latest firmware bundle and adding it to the appliance (page 345). 2. Configuring the networks and network sets (page 345). 3. Configuring an enclosure group that captures the Virtual Connect uplink configuration in its logical interconnect group: a. Creating a logical interconnect group and its uplink sets (page 350). b. Creating an enclosure group (page 357). 4. Adding the enclosure (page 357). 5. Viewing the server hardware types (page 359). 6. Creating a server profile to use as a template (page 360). This server profile includes a firmware baseline, the BIOS settings for the profile, and the network connections required for vsphere host servers in the example data center. 344 Step by step: Configuring an example data center using HP OneView

345 7. Copying the template server profile to four servers (page 363). 8. Adding a second enclosure and copying a server profile to four additional servers (page 363) A.5.2 Downloading the latest firmware bundle and adding it to the appliance You use the latest firmware bundles in your firmware baselines to ensure that managed resources have the latest firmware and to enable you take advantage of all available management features. 1. Download SPPs from the HP website to your local system. 2. From the main menu, select Firmware Bundles, and then click Add Firmware Bundle in the master pane. 3. Do one of the following: Drag and drop the firmware bundle file onto the shaded portion of the screen. Click Choose File to select the.iso file that contains the firmware bundle. 4. Click Start upload to upload the firmware bundle (the.iso files) to the firmware bundle repository. NOTE: Wait for the SPP upload to complete before you start firmware updates or set firmware baselines. Keep this browser window open until the upload is complete and details about the SPP are displayed in the Firmware Bundles screen. TIP: You can perform other tasks while the firmware bundle is uploading. Uploading a firmware bundle can take several minutes. If the browser window closes before the upload completes, the upload fails. HP recommends starting the firmware upload in a separate browser window to prevent you from accidentally interrupting the upload as you perform other tasks. A.5.3 Configuring the networks and network sets A Configuring the Fibre Channel SAN networks In this procedure, you will create the Fibre Channel networks that connect to the Fibre Channel SAN switches in the data center. Fibre Channel networks that connect to Fibre Channel SAN switches are Fabric attach Fibre Channel networks. Create the Fibre Channel SAN networks: 1. From the main menu, select Networks, and then click + Create network in the master pane. The Create network dialog box opens. 2. For Name, enter FC For Type, select Fibre Channel. 4. For Fabric type, select Fabric attach. 5. For this data center, use the default values for the other configuration attributes. 6. Click Create +. The appliance creates the network and opens the Create network dialog box. This dialog box uses the configuration values you selected in the preceding steps, except for the name. 7. For Name, enter FC 2 and click Create For Name, enter FC 3 and click Create For Name, enter FC 4 and click Create. The Networks screen opens. A.5 Provisioning eight host servers for VMware vsphere Auto Deploy 345

346 After the networks are added, when you select a network in the master pane, you can see details about that network in the details pane. For each of the networks you created: The value for Uplink Set is none because you have not yet defined an uplink set that uses this network. You will define the logical interconnect and its uplink sets in Creating a logical interconnect group and its uplink sets (page 350). The value for Associate with SAN is none because there are no server profiles or storage systems using this network yet. You will define a server profile in Creating a server profile to use as a template (page 360). You will create a storage system in Adding a storage system to the data center (page 372). You will also create a SAN manager and associate a network in Adding a SAN manager and associating its managed SANs with Fibre channel networks (page 376). The following figure shows the Networks screen after you add the Fibre Channel networks. Networks 4 All statuses All types All labels eset V V V Create network FC 4 Overview V Actions V Name VLAN Type... FC 1 FC FC 2 FC FC 3 FC FC 4 FC General Type Associate with SAN SAN manager Fibre Channel Fabric attach none none Preferred bandwidth Maximum bandwidth Uplink Set 2.5Gb/s 10Gb/s none Login redistribution Link stability interval Auto 30 seconds Used by no server profiles no storage systems A Configuring the Ethernet networks 1. From the main menu, select Networks, and then click + Create network in the master pane. The Create network dialog box opens. 2. Create the ESXi management and vmotion networks: a. For Name, enter mgmt b. For Type, select Ethernet. c. For VLAN, select Tagged. d. For VLAN ID, enter e. For Purpose, select Management. f. For Preferred bandwidth and Maximum bandwidth, use the default values. g. Select Smart link, but do not select Private network. Smart link specifies that if all of the uplinks to this network within an uplink set fail, server connections that specify this network report an error. This feature enables the server software to detect and respond to an uplink failure. It can be helpful when using certain server network teaming (bonding) configurations. h. Click Create + to create another network. The appliance creates the network and opens the Create network dialog box. This dialog box uses the configuration values you selected in the preceding steps, except for the name and VLAN ID. Behind the Create network dialog box, you might see the networks you create listed in the master pane of the Networks screen as those networks are added. 346 Step by step: Configuring an example data center using HP OneView

347 i. For Name, enter vmotion j. For VLAN ID, enter k. For Purpose, select VM Migration. l. Click Create + to create another network. The appliance creates the network and opens the Create network dialog box. This dialog box uses the configuration values you selected in the preceding steps, except for the name and VLAN ID. 3. Create the production networks. For this procedure, you use the default values displayed on the Create network dialog box. Because all of the configuration values for production networks are the same except for the name and VLAN ID, you can add multiple networks at the same time. a. For Name, enter prod. TIP: When adding multiple networks at the same time, the network name is automatically appended with the VLAN IDs. For example, prod_1101 and prod_1102. b. For VLAN ID, enter c. For Purpose, select General. d. Click Create + to create another network. Behind the Create network screen, you also might see the networks you create listed in the master pane of the Networks screen as those networks are added. 4. Create the development networks and test networks. For this procedure, you continue to use the default values displayed on the Create network dialog box. Because all of the configuration values for the development and test networks are the same except for the name and VLAN ID, you follow the same procedure for each network: a. For Name, enter the name of the network. When adding multiple networks at the same time, the network name is automatically appended with the VLAN IDs. For example, dev_1105 and test_1111. b. For VLAN ID, enter the VLAN ID of the network. c. Click Create + to create another network. When you finish entering the values for the last Ethernet network you want to create, click Create instead of Create +. The Networks screen opens. Use the following names and VLAN IDs for the development networks: Name dev_1105 dev_1106 dev_1107 dev_1108 VLAN ID Use the following names and VLAN IDs for the test networks: Name test_1111 test_1112 test_1113 test_1114 VLAN ID A.5 Provisioning eight host servers for VMware vsphere Auto Deploy 347

348 The following illustration shows the Networks screen after you add the Ethernet networks. Networks 18 All statuses All types All labels eset V V V Create network Name VLAN Type... dev_ Ethernet dev_1105 General Edit Overview V Actions V dev_ Ethernet dev_ Ethernet dev_ Ethernet Type VLAN Purpose Ethernet 1105 General FC 1 FC 2 FC FC Preferred bandwidh Maximum bandwidh 2.5 Gb/s 10 Gb/s FC 3 FC 4 FC FC Smart link Private network Yes No mgmt Ethernet prod_ Ethernet prod_ Ethernet prod_ Ethernet prod_ Ethernet test_ Ethernet test_ Ethernet test_ Ethernet test_ Ethernet vmotion Ethernet Uplink Set Used by Member of none no server profiles no storage profiles none A Configuring the network sets You use network sets to create multiple networks per connection. During this task, you will use the smart search features of the appliance to quickly narrow down the list of networks to those networks you will add to the network set. 1. From the main menu, select Network Sets, and then click + Create network set in the master pane. The Create network set dialog box opens. 2. For all of the network sets in this data center, use the defaults displayed on the screen for Preferred Bandwidth and Maximum Bandwidth. 3. Create the network set for the production networks: a. For Name, enter prod networks and click Add networks. The Add Networks to prod networks dialog box opens. All Ethernet networks that have been configured on this appliance are listed in alphabetical order. b. In the search box, enter prod. The Add Networks to prod networks dialog box displays only the networks with names containing prod. To learn more about searching and filtering, which is available throughout the appliance, see Search resources (page 76). c. Select all of the prod networks listed and click Add (see the following illustration). TIP: Select all networks listed by pressing and holding either Shift or Ctrl and then left-clicking the networks. Alternatively, select one of the networks and then use Ctrl+A to select all of the networks listed. 348 Step by step: Configuring an example data center using HP OneView

349 Add Networks to prod networks? prod Name 4 matches VLAN ID... prod_ prod_ prod_ prod_ selected Add Add + Cancel The Create network set dialog box shows the networks that you added to the network set. d. Select a network in the network set to receive untagged traffic. i. On the Create network set dialog box, under Networks, locate the first network. ii. Select the check box under Untagged. The network you select as untagged receives untagged traffic in addition to traffic tagged with the VLAN ID for the network. For example, if you select prod_1101 to receive untagged traffic, prod_1101 receives traffic that is tagged with VLAN ID 1101 and traffic that is not tagged with any VLAN ID. If you do not select a network to receive untagged traffic, untagged traffic is rejected. The following illustration shows the Networks panel of the Create network set dialog box after you add the production networks and select the untagged network. e. Click Create +. The appliance creates the prod networks network set and opens the Create network set dialog box. Behind the Create network sets dialog box, you might see the networks you create listed in the master pane of the Network Sets screen as those networks are added. 4. Create the network set for the development networks: a. For Name, enter dev networks and click Add networks. The Add Networks to dev networks dialog box opens. b. In the search box, enter dev to filter the list of networks. c. Select all of the dev networks listed and click Add. d. Select Untagged for the first network in the list of networks. e. Click Create +. A.5 Provisioning eight host servers for VMware vsphere Auto Deploy 349

350 5. Create the network set for the test networks: a. For Name, enter test networks and click Add networks. The Add Networks to test networks dialog box opens. b. In the search box, enter test to filter the list of networks. c. Select all of the test networks listed and click Add. d. Select Untagged for the first network in the list of networks. e. Click Create. The Network Sets screen opens. As shown in the following illustration, if you select a network set in the master pane, the appliance displays details about that network set in the details pane. Network Sets 3 All labels V eset Create network set Name... prod networks dev networks test networks test networks General Preferred bandwidth Maximum bandwidth Overview 2.5 Gb/s 10 Gb/s V Actions V Used by none Networks 4 V test_1111 test_1112 test_ Untagged test_ A.5.4 Creating a logical interconnect group and its uplink sets You can create logical interconnect groups, including their uplink sets, and their associated enclosure groups in different ways: You can create them before you add enclosures to the appliance. You can create them during the enclosure add operation. In the following procedures, you will define the groups before you add any enclosures. Choose from: Creating a logical interconnect group for enclosure 1 (page 350) Creating a logical interconnect group for enclosure 2 (page 354) A Creating a logical interconnect group for enclosure 1 In this procedure, you will create a logical interconnect group for the first enclosure. It contains HP VC FlexFabric 10Gb/24-Port Modules and HP VC 8Gb 20 Port FC Modules. Creating the logical interconnect group 1. From the main menu, select Logical Interconnect Groups and click + Create logical interconnect group. The Create logical interconnect group dialog box opens. The large boxes on the screen represent enclosure interconnect bays, with bays 1 and 2 in the top row, bays 3 and 4 in the next row, and so forth. Only interconnects of the same model can be installed in horizontally adjacent bays. 2. For Name, enter Enclosure1LIG. 350 Step by step: Configuring an example data center using HP OneView

351 3. In the top left box (interconnect 1), click Add interconnect and select HP VC FlexFabric 10Gb/24-Port Module. 4. In the top right box (interconnect 2), click Add interconnect and select HP VC FlexFabric 10Gb/24-Port Module. 5. In interconnect 3, click Add interconnect and select HP VC 8Gb 20 Port FC Module. TIP: HP Virtual Connect Fibre Channel modules cannot be placed in bays 1 and In interconnect 4, click Add interconnect and select HP VC 8Gb 20 Port FC Module. 7. Leave the dialog box open so that you can create the uplink sets. Creating the uplink sets for the Fibre Channel networks The uplink sets assign data center networks to physical interconnect ports. Create uplink set 1. Click Add uplink set. The Add uplink set dialog box opens. General 2. Configure the uplink set for the FC 1 Fibre Channel network: a. For Name, enter FCUS1. Name FCUS1 b. For Type, select Fibre Channel. The dialog box expands to include additional configuration items. Type c. For Network, select FC Configure the uplink ports: a. For Networks Interconnect under Uplink Ports, select Interconnect: 3. The appliance displays the ports that you can use for Fibre Channel networks. Network Fibre Channel V b. Select ports X3 and X4. FC 1 Use the defaults displayed on the screen for Speed. x? Uplink ports Interconnect interconnect: 3 x Speed Auto V 4 Speed Auto V 4. Click Create + to add the FCUS2 uplink set to the Enclosure1LIG logical interconnect group and reopen the Add uplink set screen. Create Create + Cancel A.5 Provisioning eight host servers for VMware vsphere Auto Deploy 351

352 5. Add the uplink set for FC 2: a. For Name, enter FCUS2. b. For Type, select Fibre Channel. c. For Network, select FC 2. d. Configure the uplink ports. For Interconnect under Uplink Ports, select Interconnect: 4 and then select ports X3 and X4. e. Click Create. V Create logical interconnect group General NOTE: Networks FC 3 and FC 4 will be added to enclosure 2.? General The Create logical interconnect group dialog box opens. See the following Name illustration Enclosure 1LIGfor an example. Logical Interconnect Group FCUS1 1 network 2 uplink ports X FCUS2 X 1 network 2 uplink ports Add uplink set 1 X1 X2 X3 X4 X5 X6 X7 X8 X1 X2 X3 X4 X5 X6 X7 X8 interconnect 1 interconnect 2 HP VC FlexFabric 10Gb/24-Port Module 2 HP VC FlexFabric 10Gb/24-Port Module interconnect 3 interconnect 4 HP VC 8Gb 20-Port FC Module 4 HP VC 8Gb 20-Port FC Module Creating the uplink sets for the Ethernet networks Create Create + Cancel The uplink sets assign data center networks to physical interconnect ports. TIP: If you click Cancel on the Create Logical Interconnect Group dialog box, all changes are discarded. Instead of adding all of the uplink sets in one session, you can click Create to create the logical interconnect group, and then edit the logical interconnect group to add additional uplink sets. 1. Click Add uplink set. The Add uplink set screen opens. 2. Configure the uplink set for the Ethernet networks: a. For Name, enter vsphereus. b. For Type, select Ethernet. The dialog box expands to include additional configuration items. c. For Connection Mode, select Automatic. The default value, automatic, instructs the system to determine the best load-balancing scheme by creating as many LAGs (link aggregation groups) as possible in a physical interconnect, enabling multiple links to behave as a single link. d. For LACP timer, use the default value. 352 Step by step: Configuring an example data center using HP OneView

353 e. Click Add networks to open the Add Networks to vsphereus dialog box. f. Add the ESXi networks: i. Select mgmt ii. Hold Ctrl and left-click vmotion iii. Click Add. g. Add the uplink ports: i. Click Add uplink ports to open the Add Uplink Ports to vsphereus dialog box. ii. In the search box, enter x1 to display only the interconnects that have X1 ports available. iii. Select the two interconnects displayed and click Add. iv. Do not select a preferred port. h. Click Create + to add the vsphereus uplink set to the Enclosure1LIG logical interconnect group and reopen the Add uplink set screen. 3. Add the uplink sets for the production networks. As you add networks to uplink sets for the logical interconnect group, note that the networks that have already been added to an uplink set are not listed. Networks production networks Uplink set produs Interconnect port X2 V When Create you logical finish interconnect entering thegroup produs General uplink set, click Create to add the uplink? set and close the dialog box. The Create logical interconnect group screen opens (see the following illustration). General NOTE: The Name development and test networks will be added to enclosure 2. Enclosure 1LIG Logical Interconnect Group vsphereus 2 networks 2 uplink ports X proudus X FCUS1 4 networks 4 networks 2 uplink ports 2 uplink ports X FCUS2 X 1 networks 2 uplink ports Add uplink set 1 X1 X2 X3 X4 X5 X6 X7 X8 X1 X2 X3 X4 X5 X6 X7 X8 interconnect 1 interconnect 2 HP VC FlexFabric 10Gb/24-Port Module 2 HP VC FlexFabric 10Gb/24-Port Module interconnect 3 interconnect 4 HP VC 8Gb/20-Port FC Module 4 HP VC 8Gb/20-Port FC Module 4. Click Create to create the logical interconnect group. Create Create + Cancel A.5 Provisioning eight host servers for VMware vsphere Auto Deploy 353

354 Update logical-interconnect-groups Completed Administrator Today 5:32:10 pm V General V 5. InUsed the By details pane EncGrp1 of the Logical Interconnect Groups screen, you can use your pointer to hover over an uplink Encl1-LI set in the diagram to highlight the connections for that uplink set. Logical Interconnect Group Edit vsphereus 2 networks 2 uplink ports proudus FCUS1 4 networks 1 network 2 uplink ports 2 uplink ports FCUS2 1 network 2 uplink ports 1 X1 X2 X3 X4 X5 X6 X7 X8 X1 X2 X3 X4 X5 X6 X7 X8 HP VC FlexFabric 10Gb/24-Port Module 2 HP VC FlexFabric 10Gb/24-Port Module HP VC 8Gb 20-Port FC Module 4 HP VC 8Gb 20-Port FC Module A Creating a logical interconnect group for enclosure 2 In this procedure, you will create a logical interconnect group for the second enclosure. It contains an HP Virtual Connect FlexFabric-20/40 F8 Module. NOTE: See About the HP Virtual Connect FlexFabric 20/40 F8 interconnect module (page 168) for important considerations in using this module. Creating the logical interconnect group 1. From the main menu, select Logical Interconnect Groups and click + Create logical interconnect group. The Create logical interconnect group dialog box opens. The large boxes on the screen represent enclosure interconnect bays, with bays 1 and 2 in the top row, bays 3 and 4 in the next row, and so forth. Only interconnects of the same model can be installed in horizontally adjacent bays. 2. For Name, enter Enclosure2LIG. 3. In interconnect 1, click Add interconnect and select HP Virtual Connect FlexFabric 20/40 F8 Module. 4. In interconnect 2, click Add interconnect and select HP Virtual Connect FlexFabric-20/40 F8 Module. 5. Leave the dialog box open so that you can create the uplink sets. Creating the uplink sets for the Fibre Channel networks The uplink sets assign data center networks to physical interconnect ports. 1. Click Add uplink set. The Add uplink set dialog box opens. 2. Configure the uplink set for the FC 3 Fibre Channel network: a. For Name, enter FCUS3. b. For Type, select Fibre Channel. The dialog box expands to include additional configuration items. c. For Network, select FC Configure the uplink ports: a. For Interconnect under Uplink Ports, select Interconnect: 1. The appliance displays the ports that you can use for Fibre Channel networks. b. Select ports X3 and X4. Use the defaults displayed on the screen for Speed. 354 Step by step: Configuring an example data center using HP OneView

355 4. Click Create + to add the FCUS4 uplink set to the Enclosure2LIG logical interconnect group and reopen the Add uplink set screen. 5. Add the uplink set for FC 4: a. For Name, enter FCUS4. b. For Type, select Fibre Channel. c. For Network, select FC 4. d. Configure the uplink ports. For Interconnect under Uplink Ports, select Interconnect: 2 and then select ports X3 and X4. Create logical interconnect group General e. Click Create.? General The Create logical interconnect group dialog box opens. See the following illustration for an example. Name Enclosure 2LIG Logical Interconnect Group FCUS3 X 1 network 2 uplink ports FCUS4 1 network 2 uplink ports X Add uplink set Q1 interconnect Q Q Q Q1 interconnect Q Q Q4 HP VC FlexFabric 20/40 F8 Module X1 X2 X3 X4 X5 X6 X7 X8 X9 X10 2 HP VC FlexFabric 20/40 F8 Module X1 X2 X3 X4 X5 X6 X7 X8 X9 X10 Add Interconnect 3 4 Add Interconnect Creating the uplink sets for the Ethernet networks Create Create + Cancel You will create the uplink sets for the development and testing networks. Networks development networks test networks Uplink set devus testus Interconnect port Q1.1 Q Click Add uplink set. The Add uplink set screen opens. 2. Configure the uplink set for the development networks: a. For Name, enter devus. b. For Type, select Ethernet. The dialog box expands to include additional configuration items. c. For Connection Mode, select Automatic. The default value, automatic, instructs the system to determine the best load-balancing scheme by creating as many LAGs (link aggregation groups) as possible in a physical interconnect, enabling multiple links to behave as a single link. d. For LACP timer, use the default value. e. Click Add networks to open the Add Networks to devus dialog box. A.5 Provisioning eight host servers for VMware vsphere Auto Deploy 355

356 f. Add the dev networks: i. In the search box, enter dev to display only the development networks. ii. Select all of the dev networks listed. iii. Click Add. g. Add the uplink ports: i. Click Add uplink ports to open the Add Uplink Ports to devus dialog box. Add Uplink Ports to dev US? Interconnect Module Bay 44 out of 48 Port... HP VC FlexFabric-20/40 F8 Module 1 Q1.1 HP VC FlexFabric-20/40 F8 Module 1 Q1.2 HP VC FlexFabric-20/40 F8 Module 1 Q1.3 HP VC FlexFabric-20/40 F8 Module 1 Q1.4 HP VC FlexFabric-20/40 F8 Module 1 Q2.1 HP VC FlexFabric-20/40 F8 Module 1 Q2.2 HP VC FlexFabric-20/40 F8 Module 1 Q2.3 HP VC FlexFabric-20/40 F8 Module 1 Q2.4 HP VC FlexFabric-20/40 F8 Module 1 Q3.1 HP VC FlexFabric-20/40 F8 Module 1 Q3.2 HP VC FlexFabric-20/40 F8 Module 1 Q3.3 0 selected Add Add + Cancel ii. iii. iv. In the search box, enter Q1.1 to display only the interconnects that have Q1.1 ports available. Select the two interconnects displayed and click Add. Do not select a preferred port. h. Click Create + to add the devus uplink set to the Enclosure2LIG logical interconnect group and reopen the Add uplink set screen. 3. Add the uplink sets for the test networks. When you finish entering the values for the last uplink set you want to create, click Create to add the uplink set and close the dialog box. The Create logical interconnect group screen opens (see the following illustration). 356 Step by step: Configuring an example data center using HP OneView

357 Name Enclosure 2LIG Logical Interconnect Group FCUS3 X 1 network 2 uplink ports FCUS4 1 network 2 uplink ports X devus X testus X 1 network 1 network 2 uplink ports 2 uplink ports Add uplink set Q1 interconnect Q Q Q Q1 interconnect Q Q Q4 HP VC FlexFabric 20/40 F8 Module X1 X2 X3 X4 X5 X6 X7 X8 X9 X10 2 HP VC FlexFabric 20/40 F8 Module X1 X2 X3 X4 X5 X6 X7 X8 X9 X10 Add Interconnect 3 Add Interconnect 1 Changed: Name to Enclosure2LIG 4. Click Create to create the logical interconnect group. Create Create + Cancel A.5.5 Creating an enclosure group for enclosure 1 An enclosure group defines a set of enclosures that use the same configuration for network connectivity. The network connectivity for an enclosure group is defined by the logical interconnect group associated with the enclosure group. Create an enclosure group that captures the logical interconnect group and its uplink configuration: 1. From the main menu, select Enclosure Groups, and click Create enclosure group. The Create enclosure group dialog box appears. 2. For Name, enter EncGrp1. 3. For Logical interconnect group, select Enclosure1LIG. 4. Click Create. A.5.6 Adding enclosure 1 Adding an enclosure brings the rack, the enclosure, and the enclosure's contents server hardware and interconnects under managed control. You add an enclosure by providing its IP address or host name, along with the enclosure's Onboard Administrator credentials. In this procedure, you will also establish a firmware baseline for the enclosure. NOTE: The name associated with the enclosure is the enclosure name, which is set in the Onboard Administrator, and is not the name of the Onboard Administrator. In this procedure you will add one enclosure: Attribute Enclosure 1 primary Onboard Administrator IP address Onboard Administrator credentials (same for both enclosures) Description User name Password OAAdmin S&leP@ssw0rd 1. From the main menu, select Enclosures and click Add enclosure. The Add Enclosure dialog box opens. A.5 Provisioning eight host servers for VMware vsphere Auto Deploy 357

358 2. Enter the following information to indicate you want HP OneView to manage this enclosure: For OA IP address or host name, enter the primary Onboard Administrator IP address for enclosure 1. For Add enclosure as, select Managed. 3. Enter additional information: For User name and Password, enter the Onboard Administrator credentials in the preceding table. These credentials establish a trust relationship between the appliance and the Onboard Administrator. For Enclosure group, select EncGrp1. For Licensing, select HP OneView Advanced to apply both an HP OneView and a permanent ilo Advanced license to the servers in the enclosure. The appliance applies this licensing policy only to enclosures and servers that do not have factory-embedded licenses. See License types (page 149) for more information. For Firmware baseline, select the firmware bundle that you added in Downloading the latest firmware bundle and adding it to the appliance (page 345). 4. Click Add. When you add an enclosure to be managed, the appliance: Detects the server blades installed in the enclosure and adds them to the appliance. For each unique server blade hardware configuration, the appliance automatically adds a server hardware type. Detects and adds the interconnect modules installed in the enclosure. Because you selected an existing enclosure group, the appliance does the following: 1. Compares the interconnect hardware configuration to the interconnect configuration specified by the logical interconnect group associated with the enclosure group. 2. Notifies you if the two configurations do not match. 358 Step by step: Configuring an example data center using HP OneView

359 A.5.7 Viewing the server hardware types After you add the enclosure, you can view the server hardware and server hardware types that the appliance added automatically. Viewing server hardware types From the main menu, select Server Hardware Types. The Server Hardware Types screen lists server hardware types for each unique server hardware configuration added to the appliance. The default name assigned to each server hardware type starts with an abbreviated form of the server model name and ends with an enumerator. For example, BL460c Gen8 1 is an HP ProLiant BL460c server with a Flexible LOM and an HP FlexFabric 10Gb 2-port 554FLB Adapter. If you add an HP ProLiant BL460c server that has a different adapter, the default name for that server hardware type is: BL460c Gen8 2 Editing server hardware types You can change the name of a server hardware type and add a description: 1. In the master pane of the Server Hardware Types screen, select the BL460c Gen8 1 server hardware type. 2. Select Actions Edit. The Edit BL460c Gen8 1 dialog box opens. 3. For Name, enter BL460c Gen For Description, enter Standard hardware type for vsphere hypervisor host servers. 5. Click OK. The Server Hardware Types screen is updated with your changes. Server Hardware Types 2 eset Sort by Name BL460c Gen8 1 General V Actions V BL460c Gen8 1 FlexibleLOM 1 HP FlexFabric 20Gb 2-port 630FLB Adapter Mezzanine 1 HP FlexFabric 20Gb 2-port 630M Adapter Mezzanine 2 QLogic QMH2572 8Gb FC HBA for HP Blade System c-class General Server model Form factor Description Used by Adapters Proliant BL460c Gen8 Half-height none 24 server hardware BL660c Gen8 1 FlexibleLOM 1 HP FlexFabric 20Gb 2-port 630FLB Adapter Mezzanine 1 HP FlexFabric 20Gb 2-port 630M Adapter Mezzanine 2 QLogic QMH2572 8Gb FC HBA for HP Blade System c-class Mezzanine 3 HP Ethernet 1Gb 4-port 366M Location Model Device Type Max Port Physical Virtual PXE Ethernet FC Speed Ports Ports... FlexibleLOM HP FlexFabric 20Gb 2-port 630FLB Adapter Ethernet 20Gb/s 2 8 Yes Yes Yes 1 Mezzanine 1 HP FlexFabric 20Gb 2-port 630M Adapter Ethernet 20Gb/s 2 8 Yes Yes Yes Mezzanine 2 QLogic QMH2572 8Gb FC HBA for HP BladeSystem c- Class Fibre Channel 8 Gb/s 2 0 No No Yes View information about the server hardware From the main menu, select Server Hardware. The master pane of the Server Hardware screen displays a list of all the servers in the appliance. The details pane displays detailed information about the selected server. The online help for the Server Hardware screen describes the information shown on the screen. A.5 Provisioning eight host servers for VMware vsphere Auto Deploy 359

360 A.5.8 Creating a server profile to use as a template Now that you have defined the server hardware types and the enclosure groups, you can start creating the server profile to use as a template for servers to be provisioned as hosts by VMware vsphere Auto Deploy. 1. From the main menu, select Server Profiles and then click + Create profile. The Create Server Profile dialog box opens. 2. Under General, enter the following information: For Name, enter vsphere Template. For Description, enter Standard server profile for stateless autodeploy. For Server hardware, select unassigned. For Server hardware type, select BL460c Gen8 1. For Enclosure group, select EncGrp1. For Affinity, select Device bay. 3. For Firmware baseline, you can select manage manually or one of the other firmware bundles in the repository. For this example, select manage manually. You will change the firmware baseline when you copy the profile in Copying the template server profile to four servers (page 363) 4. Add the connections for this server profile. Click Add Connection to open the Add Connection dialog box: a. Add two connections to the mgmt 1131 network. When you finish entering the information for a connection, click Add + to add this connection and reopen the dialog box so that you can add the connections in the next step. Attribute Device type Network equested bandwidth Port Boot Value Ethernet mgmt (the default value) Auto (the default value) For the first connection, select Primary. For the second connection, select Secondary. b. Add two connections to the vmotion 1132 network. When you finish entering the information for a connection, click Add +. Attribute Device type Network equested bandwidth Port Boot Value Ethernet vmotion (the default value) Auto (the default value) For both connections, select Not bootable 360 Step by step: Configuring an example data center using HP OneView

361 c. Add two connections to the prod networks network set. When you finish entering the information for a connection, click Add +. Attribute Device type Network equested bandwidth Port Boot Value Ethernet prod networks 2.5 (the default value) Auto (the default value) For both connections, select Not bootable d. Add one connection to the FC 1 network. Enter the information shown in the following table, and then click Add + to add the connection and reopen the dialog box for the next step. Attribute Device type Network equested bandwidth Port Boot Value Fibre Channel FC (the default value) Auto (the default value) Not bootable e. Add one connection to the FC 2 network. Enter the information shown in the following table, and then click Add to add the connection and close the dialog box. Attribute Device type Network equested bandwidth Port Boot Value Fibre Channel FC (the default value) Auto (the default value) Not bootable The following illustration shows all the connections added. A.5 Provisioning eight host servers for VMware vsphere Auto Deploy 361

362 Connections ID Type Address Network equested Port Boot bandwidth (Gb/s)... 1 Ethernet MAC (V) mgmt 1131 vlan FlexibleLOM 1:1- a Primary 2 Ethernet MAC mgmt 1131 vlan FlexibleLOM 1:2- Secondary X (V) a X 3 Ethernet MAC vmotion FlexibleLOM 1:1- Not (V) vlan1132 b bootable X 4 Ethernet MAC vmotion 1132 (V) vlan FlexibleLOM 1:2- Not b bootable X 5 Ethernet MAC (V) prod networks (network set) 2.5 FlexibleLOM 1:1- c Not bootable 6 Ethernet MAC prod networks (network 2.5 FlexibleLOM 1:2- Not (V) set) c bootable X X 7 Fibre Channel Auto FC Auto Not bootable X 8 Fibre Channel Auto FC Auto Not bootable X Add Connection 5. Scroll down to see other items in the dialog box. 6. Configure the boot order for this server profile. Manage boot order is selected by default. Drag and drop the items so that they are in this order: 1. PXE 2. HardDisk 3. CD 4. Floppy 5. USB Notice that the number next to each item is adjusted automatically when you use the drag-and-drop method to change the order. 7. Edit the BIOS settings: a. Select Manage BIOS. b. Click Edit settings. The Edit BIOS Settings dialog box opens. The server hardware type that you selected for this profile determines the default values for the BIOS settings. c. Scroll to Administrator Info Text and make the following edits: For Admin Name Text, enter the name of the server administrator responsible for all servers that will use this server profile (for example Sanjay Bharata). For Other Text, enter See company directory. d. Click OK to save the edits and close the dialog box. The Create Server Profile dialog box displays the BIOS settings whose values differ from the default values. 8. Under Advanced, ensure that Virtual is selected for Serial Number/UUID, MAC addresses, and WWN addresses. Selecting Virtual for these settings provides flexibility because the appliance assigns these numbers and addresses. For example, when you assign this server profile to a server bay in an enclosure, any server hardware inserted in that server bay uses the same serial number, MAC address, and WWN address. Therefore, you can replace the server hardware without affecting other resources (such as interconnects). 362 Step by step: Configuring an example data center using HP OneView

363 9. Click Create to create the server profile and close the dialog box. The master pane of the Server Profiles screen lists the profile you created. If you select a server profile in the master pane, the appliance displays information about that server profile in the details pane. A.5.9 Copying the template server profile to four servers In this procedure, you will copy the server profile you created to use as a template and assign the profile to four servers. 1. In the master pane of the Server Profiles screen, select vsphere Template. 2. Copy the vsphere Template server profile and assign the profile to a specific instance of server hardware: a. Select Actions Copy. The Copy vsphere Template dialog box opens. All of the configuration information for this profile, except for Name, is obtained from the profile you are copying. b. For Name, enter vsphere01. c. For Server hardware, click to view the available servers, and then select Encl1, bay 11. d. For Firmware baseline, select the firmware bundle that was included with the appliance. e. Click Create. The appliance validates the parameters and the server hardware is booted using the HP Intelligent Provisioning environment embedded in the ilo management processor of HP ProLiant Gen8 servers. 3. Copy the vsphere Template server profile and assign it to the other three servers: Name vsphere02 vsphere03 vsphere04 Server hardware Encl1, bay 12 Encl1, bay 13 Encl1, bay (Optional) View the progress of the create profile action from the Server Profiles screen. Optionally, launch the ilo remote console to view the progress of the boot and firmware load operations for the server: a. From the main menu, select Server Hardware. b. In the master pane, select an instance of server hardware. c. Select Actions Launch console. The appliance launches the remote console for the selected server. A.5.10 Creating an enclosure group for enclosure 2 An enclosure group defines a set of enclosures that use the same configuration for network connectivity. The network connectivity for an enclosure group is defined by the logical interconnect group associated with the enclosure group. Create an enclosure group that captures the logical interconnect group and its uplink configuration: 1. From the main menu, select Enclosure Groups, and click Create enclosure group. The Create enclosure group dialog box appears. 2. For Name, enter EncGrp2. 3. For Logical interconnect group, select Enclosure2LIG. 4. Click Create. A.5 Provisioning eight host servers for VMware vsphere Auto Deploy 363

364 A.5.11 Adding enclosure 2 Adding an enclosure brings the rack, the enclosure, and the enclosure's contents server hardware and interconnects under managed control. You add an enclosure by providing its IP address or host name, along with the enclosure's Onboard Administrator credentials. In this procedure, you will also establish a firmware baseline for the enclosure. NOTE: The name associated with the enclosure is the enclosure name, which is set in the Onboard Administrator, and is not the name of the Onboard Administrator. In this procedure you will add one enclosure: Attribute Enclosure 2 primary Onboard Administrator IP address Onboard Administrator credentials (same for both enclosures) Description User name Password OAAdmin S&leP@ssw0rd 1. From the main menu, select Enclosures and click Add enclosure. The Add Enclosure dialog box opens. 2. Enter the following information to indicate you want HP OneView to manage this enclosure: For OA IP address or host name, enter the primary Onboard Administrator IP address for enclosure 2. For Add enclosure as, select Managed. 3. Enter additional information: For User name and Password, enter the Onboard Administrator credentials in the preceding table. These credentials establish a trust relationship between the appliance and the Onboard Administrator. For Enclosure group, select EncGrp2. For Licensing, select HP OneView Advanced to apply both a OneView and a permanent ilo Advanced license to the servers in the enclosure. The appliance applies this licensing policy only to enclosures and servers that do not have factory-embedded licenses. See License types (page 149) for more information. For Firmware baseline, select the firmware bundle that you added in Downloading the latest firmware bundle and adding it to the appliance (page 345). 4. Click Add. When you add an enclosure to be managed, the appliance: Detects the server blades installed in the enclosure and adds them to the appliance. For each unique server blade hardware configuration, the appliance automatically adds a server hardware type. Detects and adds the interconnect modules installed in the enclosure. Because you selected an existing enclosure group, the appliance does the following: 1. Compares the interconnect hardware configuration to the interconnect configuration specified by the logical interconnect group associated with the enclosure group. 2. Notifies you if the two configurations do not match. NOTE: (Optional) View and edit server hardware types. A.5.12 Creating a server profile for enclosure 2 Create the server profile to use as a template for the last four servers to be provisioned as hosts by VMware vsphere Auto Deploy. 364 Step by step: Configuring an example data center using HP OneView

365 1. From the main menu, select Server Profiles and then click + Create profile. The Create Server Profile dialog box opens. 2. Under General, enter the following information: For Name, enter vsphere Template2. For Description, enter Optional server profile for stateless autodeploy. For Server hardware, select unassigned. For Server hardware type, select BL660c Gen8 1. For Enclosure group, select EncGrp2. For Affinity, select Device bay. 3. For Firmware baseline, you can select manage manually or one of the other firmware bundles in the repository. For this example, select manage manually. You will change the firmware baseline when you copy the profile in Copying the template server profile to four servers (page 363) 4. Add the connections for this server profile. Click Add Connection to open the Add Connection dialog box: a. Add two connections to the dev networks network set. When you finish entering the information for a connection, click Add +. Attribute Device type Network equested bandwidth Port Boot Value Ethernet dev networks 2.5 (the default value) Auto (the default value) For both connections, select Not bootable b. Add two connections to the test networks network set. When you finish entering the information for a connection, click Add +. Attribute Device type Network equested bandwidth Port Boot Value Ethernet test networks 2.5 (the default value) Auto (the default value) For both connections, select Not bootable c. Add one connection to the FC 3 network. Enter the information shown in the following table, and then click Add + to add the connection and reopen the dialog box for the next step. Attribute Device type Network equested bandwidth Value Fibre Channel FC (the default value) A.5 Provisioning eight host servers for VMware vsphere Auto Deploy 365

366 Attribute Port Boot Value Auto (the default value) Not bootable d. Add one connection to the FC 4 network. Enter the information shown in the following table, and then click Add to add the connection and close the dialog box. Attribute Device type Network equested bandwidth Port Boot Value Fibre Channel FC (the default value) Auto (the default value) Not bootable The following illustration shows all the connections added. Connections ID Type Address Network equested Port Boot bandwidth (Gb/s)... 1 Ethernet Auto dev networks 2.5 Auto Not bootable X 2 Ethernet Auto dev networks 2.5 Auto Not bootable X 3 Ethernet Auto test networks 2.5 Auto Not bootable X 4 Ethernet Auto tsst networks 2.5 Auto Not bootable X 5 Fibre Channnel Auto FC Auto Not bootable X 6 Fibre Channnel Auto FC Auto Not bootable X Add Connection 5. Scroll down to see other items in the dialog box. 6. Configure the boot order for this server profile. Manage boot order is selected by default. Drag and drop the items so that they are in this order: 1. PXE 2. HardDisk 3. CD 4. Floppy 5. USB Notice that the number next to each item is adjusted automatically when you use the drag-and-drop method to change the order. 7. Edit the BIOS settings: a. Select Manage BIOS. b. Click Edit Settings. The Edit BIOS Settings dialog box opens. The server hardware type that you selected for this profile determines the default values for the BIOS settings. 366 Step by step: Configuring an example data center using HP OneView

367 c. Scroll to Administrator Info Text and make the following edits: For Admin Name Text, enter the name of the server administrator responsible for all servers that will use this server profile (for example Sanjay Bharata). For Other Text, enter See company directory. d. Click OK to save the edits and close the dialog box. The Create Server Profile dialog box displays the BIOS settings whose values differ from the default values. 8. Under Advanced, ensure that Virtual is selected for Serial Number/UUID, MAC addresses, and WWN addresses. Selecting Virtual for these settings provides flexibility because the appliance assigns these numbers and addresses. For example, when you assign this server profile to a server bay in an enclosure, any server hardware inserted in that server bay uses the same serial number, MAC address, and WWN address. Therefore, you can replace the server hardware without affecting other resources (such as interconnects). 9. Click Create to create the server profile and close the dialog box. The master pane of the Server Profiles screen lists the profile you created. If you select a server profile in the master pane, the appliance displays information about that server profile in the details pane. A.5.13 Copying the second template server profile to four servers In this procedure, you will copy the second server profile you created to use as a template and assign the profile to four servers. 1. In the master pane of the Server Profiles screen, select vsphere Template2. 2. Copy the vsphere Template2 server profile and assign the profile to a specific instance of server hardware: a. Select Actions Copy. The Copy vsphere Template2 dialog box opens. All of the configuration information for this profile, except for Name, is obtained from the profile you are copying. b. For Name, enter vsphere05. c. For Server hardware, click to view the available servers, and then select Encl2, bay 2. d. For Firmware baseline, select the firmware bundle that was included with the appliance. e. Click Create. The appliance validates the parameters and the server hardware is booted using the HP Intelligent Provisioning environment embedded in the ilo management processor of HP ProLiant Gen8 servers. 3. Copy the vsphere Template2 server profile and assign it to the other three servers: Name vsphere06 vsphere07 vsphere08 Server hardware Enc2, bay 12 Enc2, bay 13 Enc2, bay 14 A.5 Provisioning eight host servers for VMware vsphere Auto Deploy 367

368 4. (Optional) View the progress of the create profile action from the Server Profiles screen. Optionally, launch the ilo remote console to view the progress of the boot and firmware load operations for the server: a. From the main menu, select Server Hardware. b. In the master pane, select an instance of server hardware. c. Select Actions Launch console. The appliance launches the remote console for the selected server. A.6 Bringing an HP ProLiant DL360p Gen8 rack mount server under management This example demonstrates bringing the following HP ProLiant DL360p Gen8 rack mount server under management. NOTE: You can create profiles on HP ProLiant Gen8 & Gen9 rack servers for the purpose of managing: Firmware (can set a firmware baseline) Boot settings (boot order) BIOS/UEFI settings Attribute Model Name ilo IP address Description HP ProLiant DL360p Gen8 DL360pGen ilo administrator credential: Physical location Assumptions User name Password ack 173, U26 iloadmin S&leP@ssw0rd The appliance is installed. The ilo management processor for the server is configured with the IP address and administrator credentials listed in the preceding table. The server is connected to a live power source. You do not have an embedded license for this server, but all of the other servers managed by the appliance have licenses. Because this is an HP ProLiant DL rack mount server: You cannot use this appliance to provision any networks for the server. A.6.1 Workflow 1. Adding the server hardware (page 368). 2. Powering on the server (page 370). 3. Viewing information about the server (page 370). 4. Adding a license for the server (page 372). A.6.2 Adding the server hardware 1. From the main menu, select Server Hardware, and then click + Add server hardware. 368 Step by step: Configuring an example data center using HP OneView

369 2. Enter the following information to indicate you want HP OneView to manage this server hardware: For ilo IP address, enter For Add server hardware as, select Managed. 3. Enter additional information. Enter the credentials for the ilo administrator account: User name iloadmin and password For Licensing, select HP OneView Advanced to apply both an HP OneView and a permanent ilo Advanced license to the servers. The appliance applies this licensing policy only to servers that do not have factory-embedded licenses. See License types (page 149) for more information. 4. Click Add. The server is added to the appliance. In this case, the server does not have an embedded license, so the appliance adds the server, but displays an alert. A.6 Bringing an HP ProLiant DL360p Gen8 rack mount server under management 369

370 5. Click the alert to display details. For information about adding a license, see Adding a license for the server (page 372). A.6.3 Powering on the server 1. From the Server Hardware screen, select the server you added Select Actions Power on. A.6.4 Viewing information about the server 1. On the Server Hardware screen, select the server you added The details pane displays information about the server. 2. To display only the Hardware, either click the Hardware panel or use the view selector to select Hardware. NOTE: To view utilization data or connect to the remote console, the server must have the appropriate licenses. See Adding a license for the server (page 372). 3. Explore the links to additional information. Some items in the Hardware panel are links. The cursor changes when you use your pointer to hover over a link. In this example: If you click the IP address shown for ilo under Host name or IPv4, you launch the ilo remote console for the server. If you click the value for Server hardware type, DL360p Gen8 1, the appliance displays the Server Hardware Types screen with details about the DL360p Gen8 1 server hardware type in the details pane. If you click the value for Location, ack-173, the appliance displays the acks screen with details about ack-173 in the details pane. To return to the Server Hardware screen, click the link for the server in the Layout panel. 370 Step by step: Configuring an example data center using HP OneView

371 4. In the view selector, select Map. The Map view shows the relationships between this resource and other resources. Use your pointing device to hover over any resource to see its direct relationships to other resources. A connecting line between boxes indicates a direct relationship. In this example, the server is related to ack-173 and the DL360p Gen 8 1 server hardware type. 5. Click ack-173 to display the Map view for the rack. A.6 Bringing an HP ProLiant DL360p Gen8 rack mount server under management 371

372 6. To return to the Server Hardware screen, click the Server Hardware box. A.6.5 Adding a license for the server If you do not purchase licenses that are embedded in the enclosure or server hardware, you must add licenses to the appliance. The online help provides detailed information about licensing and how the appliance manages licenses. To add an HP OneView Advanced license for the server you added in Adding the server hardware (page 368): 1. Do one of the following: From the warning message for the server you just added, click the Add license key link. From the main menu, select Settings, and then select Actions Add license. The Add license dialog box opens. 2. Enter or paste your license key into the License Key box, and then click Add. The appliance adds the license to the license pool. 3. On the Server Hardware screen, select Select Actions efresh. The Server Hardware screen displays the utilization data for the server. A.7 Adding a storage system to the data center First, add a storage system and storage pools, then you can add or create volumes and then attach them to server profiles to make the volumes available to server hardware. There are two types of connections for storage systems: Fabric attach In a Fabric attach connection, the storage system is attached to the enclosure SAN switches. Direct attach In a Direct attach connection, the storage system is attached directly to the interconnects. This example demonstrates: 1. Adding an HP 3PA StoreServ Storage system to the appliance 2. Creating volumes and adding external volumes 3. Creating direct attach networks (Direct attach configuration only) 372 Step by step: Configuring an example data center using HP OneView

373 4. Adding a SAN manager and associating its managed SANs with Fibre channel networks (optional) 5. Attaching volumes to a sever profile to make them available to server hardware A.7.1 Adding an HP 3PA StoreServ Storage system Assumptions You have added enclosure 2 as described in the previous procedure. The HP 3PA StoreServ Storage system is powered on and properly configured. The HP 3PA StoreServ Storage system is physically connected to the SAN switches (Fabric attach). If you are using a SAN manager, it is powered on and properly configured. A Adding an HP 3PA StoreServ Storage system to the appliance In this procedure you will add one storage system: Attribute Storage system name Storage system IP address Description StorageSystem Credentials User name Password SSAdmin P#55word! Storage domain Storage pool StorageDomain1 PrimaryStoragePool Add a storage system 1. From the main menu, select Storage Systems, and do one of the following: Click + Add storage system in the master pane. Select Actions Add. NOTE: The Actions menu is not present until you add at least one storage system. 2. For IP address or host name, enter For User name, enter SSAdmin. 4. For Password, enter P#55word!. 5. Click Connect. The appliance connects to the storage system and retrieves name, model, and storage ports. 6. For Storage domain, select StorageDomain1. 7. Click Add storage pools. 8. Select PrimaryStoragePool from the list and click Add. NOTE: If you are going to add a SAN manager, you do not have to manually assign networks to storage system ports. Skip the next step. 9. Under Storage System Ports: a. Select the FC 3 network for port 0:1:1. b. Select the FC 4 network for port 0:1:2. A.7 Adding a storage system to the data center 373

374 10. Click Add to save your settings and add the storage system. A Creating volumes and adding external volumes You can add volumes that exist on the storage system to the appliance and you can create new volumes on the storage system. In this example, you will add an existing volume and create a new volume. Add an existing volume 1. From the main menu, select Storage Systems. NOTE: The Actions menu is not present until you add or create at least one volume. 2. Select Actions Add Volume. 3. For Storage system, select StorageSystem For Volume ID, enter the logical unit number (LUN) World Wide Name (WWN) of the existing volume you want to add. 5. For Name, enter ExistingVolume1 as the name for the volume on the appliance. 6. For Sharing, choose Shared. Shared enables the volume to be used by more than one server profile. Private makes the volume available to only one server profile, and is required to enable booting from the volume. 7. Click Add to save your settings and add the volume. Create a volume 1. From the main menu, select Volumes, and do one of the following: Click + Create volume in the master pane. Select Actions Create. NOTE: The Actions menu is not present until you add or create at least one volume. 2. For Name, enter NewVolume1. 3. For Volume Template, select None. 4. For Storage pool, select PrimaryStoragePool. 5. For Capacity, enter a value between 1 GiB and 16 tebibytes (TiB). 6. For Provisioning, choose Thin or Full. Thin will expand the volume to fill the capacity as it is used. Full will create the volume at the full capacity. 374 Step by step: Configuring an example data center using HP OneView

375 7. For Sharing, choose Shared or Private. Shared enables the volume to be used by more than one server profile. Private makes the volume available to only one server profile, and is required to enable booting from the volume. 8. Click Create to save your settings and create the volume. A Creating Direct attach networks and adding them to the uplink sets You can connect an HP 3PA StorServe Storage system directly to the interconnects. This is called a Direct attach network configuration, also known as Flat SAN. To see a graphical representation of the configuration, see Figure 20 (page 341). If you are using a Direct attach connection, you must create Direct attach Fibre Channel networks. When you create the Direct attach networks, you do not need to know what physical connections are used or which enclosure is connected to the storage system. The physical connections are specified in the uplink sets. For this procedure, you must supply the names of the networks, and decide if you want to change the default values the appliance provides for configuration attributes like preferred bandwidth, maximum bandwidth, and uplink speed. Create Direct attach networks 1. From the main menu, select Networks. 2. Click Create Network. 3. For Name, enter Direct A. 4. For Type, select Fibre Channel. 5. For Fabric type, select Direct attach. 6. For this data center, use the default values for the other configuration attributes. 7. Click Create +. The appliance creates the network and opens the Create network dialog box. This dialog box uses the configuration values you selected in the preceding steps, except for the name. 8. In Name, enter Direct B and click Create. The Networks screen opens. Add Direct attach Fibre Channel networks to the uplink sets The uplink sets assign data center networks to physical interconnect ports. You must edit the uplink set you created previously to replace the fabric attach networks with direct attach networks. A.7 Adding a storage system to the data center 375

376 1. From the main menu, select Logical Interconnect Groups and do one of the following: In the master pane, select the Enclosure2LIG logical enclosure group and select Actions Edit. Hover your pointer device in the details pane and click the Edit icon. 2. Click the gear icon on the FCUS1 uplink set. 3. For the Network select Direct A. 4. Click OK. 5. Click the gear icon on the FCUS2 uplink set. 6. For the Network select Direct B. 7. Click OK. A Adding a SAN manager and associating its managed SANs with Fibre channel networks This example demonstrates: 1. Adding a SAN manager to the appliance 2. Associating the SAN manager s managed SANs with Fibre Channel networks NOTE: A SAN manager is not required when adding a storage system to the appliance. Adding a SAN manager enables automated zoning of the SAN fabric. If you do not have a SAN manager, continue to Attaching volumes to a sever profile to make them available to server hardware. In this procedure you will add one SAN manager: Attribute Brocade Network Advisor IP address Port SSL Credentials Description Enabled User name Password SANadmin St0rage? SAN fabrics BrownFabric GoldFabric 376 Step by step: Configuring an example data center using HP OneView

377 Add a SAN manager 1. From the main menu, select SAN Managers, and do one of the following: Click + Add SAN manager in the master pane. Select Actions Add. NOTE: The Actions menu is not present until you add at least one SAN manager. The following image shows the screen for adding a Brocade Network Advisor SAN manager. 2. For SAN manager type, select Brocade Network Advisor. 3. For Host, enter For Port, leave the default setting of Select Use SSL. 6. For User name, enter SANadmin. 7. For Password, enter St0rage?. 8. Click Add to save your settings and add the SAN manager. Associating the SAN manager s managed SANs with Fibre Channel networks 1. From the main menu, select Networks, then do one of the following: In the master pane, select the FC 3 network for Fabric attach or the Direct A network for Direct attach and select Actions Edit. Hover your pointer in the details pane and click the Edit icon. 2. For Associate with SAN, select BrownFabric from the list. A.7 Adding a storage system to the data center 377

378 3. Click OK to save your changes to the network. 4. From the main menu, select Networks, then do one of the following: In the master pane, select the FC 4 network for Fabric attach or Direct B for Direct attach and select Actions Edit. Hover your pointer in the details pane and click the Edit icon. 5. For Associate with SAN, select GoldFabric from the list. 6. Click OK to save your changes to the network. Now that you have added a SAN manager and associated its SANs with Fibre channel networks, you can Attach a volume to a server profile. A Attaching volumes to a sever profile to make them available to server hardware Attach a volume to a server profile 1. From the main menu, select Server Profiles, and do one of the following: In the master pane, select the vsphere Template2 server profile and select Actions Edit. Hover your pointer device in the details pane and click the Edit icon. 2. Under Connections, click Add Connection. 3. For Device type, select Fibre Channel. 4. For Network, select FC Click Add For Device type, select Fibre Channel. 7. For Network, select FC Click Add to save your changes and add the connections. 9. Under SAN Storage, select Manage SAN Storage. 10. Click Add Volume. 11. For Volume Name, select NewVolume For LUN, choose Auto or Manual. 13. For Storage paths, click Add storage path and select FC 3 and FC Click Add to add the storage paths. 15. Click Add to add the volume. 16. Click OK to save your changes to the server profile. The volume is now attached to the server profile and available to the server hardware that belongs to the profile. 378 Step by step: Configuring an example data center using HP OneView

379 B Using the virtual appliance console B.1 Using the virtual appliance console The virtual appliance console has a restricted browser interface that supports the following: Appliance networking configuration in non-dhcp environments Password reset requests for the Administrator account Advanced diagnostics for authorized support representatives Use the virtual appliance console to access the appliance and configure the appliance network for the first time. The virtual appliance console enables you to bootstrap an appliance onto the network in non-dhcp environments. The virtual appliance console is not intended to be a full-featured replacement for your browser. The virtual appliance console starts a browser session; The browser takes up the full screen; you cannot add tabs. You cannot perform any operation that requires you to select a file from a dialog box, including uploading software updates and firmware bundles (SPPs). Only basic browsing, including forward and backward navigation, are enabled. Table 29 Key combinations for the virtual appliance console Key combination Alt- Alt- Ctrl-+ Ctrl-- Ctrl-0 Ctrl-F Ctrl- or F5 Ctrl-Alt-Backspace (Alt and left arrow) (Alt and right arrow) (Ctrl and plus sign) (Ctrl and hyphen) (Ctrl and zero) Function Browse backward Browse forward Zoom in Zoom out eset zoom Search eload/efresh estart the browser interface B.1 Using the virtual appliance console 379

380 380

381 C Backup and restore script examples C.1 Sample backup script As an alternative to using Settings Actions Create backup from the appliance UI, you can write and run a script to automatically create and download an appliance backup file. Example 14 Sample backup.ps1 script provides a sample PowerShell script that uses EST calls to create and download an appliance backup file. Cut and paste this sample script into a file on a Windows system that runs PowerShell version 3.0, and edit the script to customize it for your environment. See the EST API online help for more information about EST APIs. You can schedule the backup script to run automatically in interactive or batch mode on a regular basis (HP recommends daily backups). Only a user with Backup administrator or Infrastructure administrator privileges can run the script interactively. To run the script interactively, do not include any parameters. The script prompts you to enter the appliance host name, appliance user name and password, and the name of a file to store these parameters for batch mode executions. Enter the name and password of a user with the Backup administrator or Infrastructure administrator role. The user name and password are stored encrypted. HP recommends that you run the script interactively the first time. Then, you can schedule the script to run automatically in the background using the parameter file created by the first run. To run the script in batch mode, specify the name of the file containing the parameters on the command line. HP recommends that you install cul with the SSL option to improve performance. The sample script works without cul, but it might take several hours to download a large backup file. To download cul, see: NOTE: You might also need to install Microsoft Visual C++ edistributable, the MSVC100.dll file, available here: 64 bit: 32 bit: Make sure the path environment variable includes the path for cul. Sample script The sample script makes the following calls to create and download a backup file: 1. Calls queryfor-credentials() to get the appliance host name, user name, and password by either prompting the user or reading the values from a file. 2. Calls login-appliance() to issue a EST request to obtain a session ID used to authorize backup EST calls. 3. Calls backup-appliance() to issue a EST request to start a backup. 4. Calls waitfor-completion() to issue EST requests to poll for backup status until the backup completes. 5. Calls get-backupesource() to issue a EST request to get the download UI. 6. Calls download-backup() to issue a EST request to download the backup. C.1 Sample backup script 381

382 Example 14 Sample backup.ps1 script # (C) Copyright Hewlett-Packard Development Company, L.P. ########################################################################################################################### # Name: backup.ps1 # Usage: directory\backup.ps1 or directory\backup.ps1 filepath # Parameter: $filepath: optional, uses the file in that path as the login credentials. ie: host address, username, # password, and, optionally, the Active Directory domain name # Purpose: uns the backup function on the appliance and downloads it onto your machine's drive # in current user's home directory # Notes: To improve performance, this script uses the curl command if it is installed. The curl command must # be installed with the SSL option. # Windows PowerShell 3.0 must be installed to run the script ########################################################################################################################### #tells the computer that this is a trusted source that we are connecting to (brute force, could be refined) [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $true $global:interactivemode = 0 # The scriptapiversion is the default Api version (if the appliance supports this level # or higher). This variable may be changed if the appliance is at a lower Api level. $global:scriptapiversion = 3 # Using this Api version or greater requires a different interaction when creating a backup. Set-Variable taskesourcev2apiversion -option Constant -value 3 try #this log must be added if not already on your computer New-EventLog -LogName Application -Source backup.ps1 -ErrorAction stop catch [System.Exception] #this is just to keep the error "already a script" from showing up on the screen if it is already created ##### Querying user for login info ##### function queryfor-credentials () <#.DESCIPTION Gathers information from User if in manual entry mode (script ran with zero arguments) or runs silently and gathers info from specified path (script ran with 1 argument).inputs None, this function does not take inputs..outputs eturns an object that contains the login name, password, hostname and ActiveDirectory domain to connect to. #>.EXAMPLE $variable = queryfor-credentials #runs function, saves json object to variable. if ($args[0] -eq $null) Write-Host "Enter appliance name ( $appliance = ead-host # Correct some common errors $appliance = $appliance.trim().tolower() if (!$appliance.startswith(" if ($appliance.startswith(" $appliance = $appliance.eplace("http","https") else $appliance = " + $appliance Write-Host "Enter username" $username = ead-host -AsSecureString ConvertFrom-SecureString Write-Host "Enter password" $SecurePassword = ead-host -AsSecureString ConvertFrom-SecureString Write-Host "If using Active Directory, enter the Active Directory domain" Write-Host " (Leave this field blank if not using Active Directory.)" $ADName = ead-host Write-Host "Would you like to save these credentials to a file? (username and password encrypted)" $savequery = ead-host $loginvals = [pscustomobject]@ username = $username; password = $SecurePassword; hostname = $appliance; authlogindomain = $ADName $loginjson = $loginvals convertto-json $global:interactivemode = Backup and restore script examples

383 if ($savequery[0] -eq "y") #enters into the mode to save the credentials Write-Host "Enter file path and file name to save credentials (example: C:\users\bob\machine1.txt)" $storagepath = ead-host try $loginjson Out-File $storagepath -NoClobber -ErrorAction stop catch [System.Exception] Write-Host $_.Exception.message if ($_.Exception.getType() -eq [System.IO.IOException]) # file already exists throws an IO exception do Write-Host "Overwrite existing credentials for this machine?" [string]$overwritequery = ead-host if ($overwritequery[0] -eq 'y') $loginjson Out-File $storagepath -ErrorAction stop $exitquery = 1 elseif ($overwritequery[0] -eq 'n') $exitquery = 1 else Write-Host "Please respond with a y or n" $exitquery = 0 while ($exitquery -eq 0) else Write-Host "Improper filepath or no permission to write to given directory" Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Improper filepath, $storagepath " $_.Exception.message return $savedloginjson = Get-Content $storagepath Write-Host "un backup?" $continue = 0 do $earlyexit = ead-host if ($earlyexit[0] -eq 'n') return elseif ($earlyexit[0] -ne 'y') Write-Host "Please respond with a y or n" else $continue = 1 while ($continue -eq 0) else return $loginjson elseif ($args.count -ne 1) Write-Host "Incorrect number of arguments, use either filepath parameter or no parameters." return else foreach ($arg in $args) $storagepath = $arg try $savedloginjson = Get-Content $storagepath -ErrorAction stop catch [System.Exception] Write-Host "Login credential file not found. Please run script without arguments to access manual entry mode." C.1 Sample backup script 383

384 Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Login credential file not found. Please run script without arguments to access manual entry mode." return return $savedloginjson ##### getapiversion: Get X_API_Version ##### function getapiversion ([int32] $currentapiversion,[string]$hostname) <#.DESCIPTION Sends a web request to the appliance to obtain the current Api version. eturns the lower of: Api version supported by the script and Api version supported by the appliance..paamete currentapiversion Api version that the script is currently using.paamete hostname The appliance address to send the request to (in format).inputs None, does not accept piping.outputs Outputs the new active Api version #>.EXAMPLE $global:scriptapiversion = getapiversion() # the particular Uri on the Appliance to reqest the Api Version $versionuri = "/rest/version" # append the Uri to the end of the IP address to obtain a full Uri $fullversionuri = $hostname + $versionuri # use setup-request to issue the EST request api version and get the response try $applianceversionjson = setup-request -Uri $fullversionuri -method "GET" -accept "application/json" -contenttype "application/json" if ($applianceversionjson -ne $null) $applianceversion = $applianceversionjson convertfrom-json $currentapplianceversion = $applianceversion.currentversion if ($currentapplianceversion -lt $currentapiversion) return $currentapplianceversion return $currentapiversion catch [System.Exception] if ($global:interactivemode -eq 1) Write-Host $error[0].exception.message else Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message $error[0].exception.message ##### Sending login info ##### function login-appliance ([string]$username,[string]$password,[string]$hostname,[string]$adname) <#.DESCIPTION Attempts to send a web request to the appliance and obtain an authorized sessionid..paamete username The username to log into the remote appliance.paamete password The correct password associated with username.paamete hostname The appliance address to send the request to (in format).paamete ADName The Active Directory name (optional).inputs None, does not accept piping.outputs 384 Backup and restore script examples

385 Outputs the response body containing the needed session ID. #>.EXAMPLE $authtoken = login-appliance $username $password $hostname $ADName # the particular Uri on the Appliance to reqest an "auth token" $loginuri = "/rest/login-sessions" # append the Uri to the end of the IP address to obtain a full Uri $fullloginuri = $hostname + $loginuri # create the request body as a hash table, then convert it to json format if ($ADName) $body username = $username; password = $password; authlogindomain = $ADName convertto-json else # null or empty $body username = $username; password = $password convertto-json # use setup-request to issue the EST request to login and get the response try $loginesponse = setup-request -Uri $fullloginuri -method "POST" -accept "application/json" -contenttype "application/json" -Body $body if ($loginesponse -ne $null) $loginesponse convertfrom-json catch [System.Exception] if ($global:interactivemode -eq 1) Write-Host $error[0].exception.message else Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message $error[0].exception.message ##### Executing backup ###### function backup-appliance ([string]$authvalue,[string]$hostname) <#.DESCIPTION Gives the appliance the command to start creating a backup.paamete authvalue The authorized sessionid given by login-appliance.paamete hostname The location of the appliance to connect to (in format).inputs None, does not accept piping.outputs The task esource returned by the appliance, converted to a hashtable object #>.EXAMPLE $taskesource = backup-appliance $sessionid $hostname # append the EST Uri for backup to the IP address of the Appliance $bkupuri = "/rest/backups/" $fullbackupuri = $hostname + $bkupuri # create a new webrequest and add the proper headers (new header, auth, is needed for authorization # in all functions from this point on) try if ($global:scriptapiversion -lt $taskesourcev2apiversion) $taskesourcejson = setup-request -Uri $fullbackupuri -method "POST" -accept "application/json" -contenttype "application/json" -authvalue $authvalue else $taskuri = setup-request -Uri $fullbackupuri -method "POST" -accept "application/json" -contenttype "application/json" -authvalue $authvalue -returnlocation $true if ($taskuri -ne $null) $taskesourcejson = setup-request -Uri $taskuri -method "GET" -accept "application/json" -contenttype "application/json" -authvalue $authvalue if ($taskesourcejson -ne $null) C.1 Sample backup script 385

386 return $taskesourcejson ConvertFrom-Json catch [System.Exception] if ($global:interactivemode -eq 1) Write-Host $error[0].exception.message else Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message $error[0].exception.message ##### Polling to see if backup is finished ###### function waitfor-completion ([object]$taskesource,[string]$authvalue,[string]$hostname) <#.DESCIPTION Checks the status of the backup every twenty seconds, stops when status changes from running to a different status.paamete taskesource The response object from the backup-appliance method.paamete authvalue The authorized session ID.PAAMETE hostname The appliance to connect to (in format).inputs None, does not accept piping.outputs The new task resource object, which contains the Uri to get the backup resource in the next function #>.EXAMPLE $taskesource = waitfor-completion $taskesource $sessionid $hostname # extracts the Uri of the task esource from itself, to poll repeatedly $taskesourceuri = $taskesource.uri if ($taskesourceuri -eq $null) # Caller will provide the error message return # appends the Uri to the hostname to create a fully-qualified Uri $fulltaskuri = $hostname + $taskesourceuri # retries if unable to get backup progress information $errorcount = 0 $errormessage = "" if ($global:interactivemode -eq 1) Write-Host "Backup initiated." Write-Host "Checking for backup completion, this may take a while." # a while loop to determine when the backup process is finished do try # creates a new webrequest with appropriate headers $taskesourcejson = setup-request -Uri $fulltaskuri -method "GET" -accept "application/json" -authvalue $authvalue -issilent $true # converts the response from the Appliance into a hash table $taskesource = $taskesourcejson convertfrom-json # checks the status of the task manager $status = $taskesource.taskstate catch $errormessage = $error[0].exception.message $errorcount = $errorcount + 1 $status = "equestfailed" Start-Sleep -s 15 continue # Update progress bar if ($global:interactivemode -eq 1) $trimmedpercent = ($taskesource.completedsteps) / Backup and restore script examples

387 $progressbar = "[" + "=" * $trimmedpercent + " " * (20 - $trimmedpercent) + "]" Write-Host "`r Backup progress: $progressbar " $taskesource.completedsteps "%" -NoNewline # eset the error count since progress information was successfully retrieved $errorcount = 0 # If the backup is still running, wait a bit, and then check again if ($status -eq "unning") Start-Sleep -s 20 while (($status -eq "unning" -or $status -eq "equestfailed") -and $errorcount -lt 20); # if the backup reported an abnormal state, report the state and exit function if ($status -ne "Completed") if ($global:interactivemode -eq 1) Write-Host "`n" Write-Host "Backup stopped abnormally" Write-Host $errormessage else #log error message Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Backup stopped abnormally" Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message $errormessage return $null # upon successful completion of task, outputs a hash table which contains task resource else Write-Host "`n" $taskesource return ##### Gets the backup resource ##### function get-backupesource ([object]$taskesource,[string]$authvalue,[string]$hostname) <#.DESCIPTION Gets the Uri for the backup resource from the task resource and gets the backup resource.paamete taskesource The task resource object that we use to get the Uri for the backup resource.paamete authvalue The authorized sessionid.paamete hostname the appliance to connect to (in format).inputs None, does not accept piping.outputs The backup resource object #>.EXAMPLE $backupesource = get-backupesource $taskesource $sessionid $appliancename # the backup esource Uri is extracted from the task resource if ($global:scriptapiversion -lt $taskesourcev2apiversion) $backupuri = $taskesource.associatedesourceuri else $backupuri = $taskesource.associatedesource.resourceuri if ($backupuri -eq $null) # Caller will provide the error message return # construct the full backup esource Uri from the hostname and the backup resource uri $fullbackupuri = $hostname + $backupuri # get the backup resource that contains the Uri for downloading try # creates a new webrequest with appropriate headers $backupesourcejson = setup-request -Uri $fullbackupuri -method "GET" -accept "application/json" -auth $authvalue if ($backupesourcejson -ne $null) C.1 Sample backup script 387

388 $resource = $backupesourcejson convertfrom-json if ($global:interactivemode -eq 1) Write-Host "Obtained backup resource. Now downloading. This may take a while..." $resource return catch [System.Exception] if ($global:interactivemode -eq 1) Write-Host $error[0].exception.message else Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message $error[0].exception.message ##### Function to download the backup file ##### function download-backup ([PSCustomObject]$backupesource,[string]$authValue,[string]$hostname) <#.DESCIPTION Downloads the backup file from the appliance to the local system. Tries to use the curl command. The curl command has significantly better performance especially for large backups. If curl isn't installed, invokes download-backup-without-curl to download the backup..paamete backupesource Backup resource containing Uri for downloading.paamete authvalue The authorized sessionid.paamete hostname The IP address of the appliance.inputs None, does not accept piping.outputs The absolute path of the download file #>.EXAMPLE download-backup $backupesource $sessionid $downloaduri = $hostname + $backupesource.downloaduri $filedir = [environment]::getfolderpath("personal") $filepath = $filedir + "\" + $backupesource.id + ".bkp" $curldownloadcommand = "curl -o " + $filepath + " -s -f -L -k -X GET " + "-H 'accept: application/octet-stream' " + "-H 'auth: " + $authvalue + "' " + "-H 'X-API-Version: $global:scriptapiversion' " + $downloaduri $curlgetdownloaderrorcommand = "curl -s -k -X GET " + "-H 'accept: application/json' " + "-H 'auth: " + $authvalue + "' " + "-H 'X-API-Version: $global:scriptapiversion' " + $downloaduri try $testcurlssloption = curl -V if ($testcurlssloption -match "SSL") invoke-expression $curldownloadcommand else if ($global:interactivemode -eq 1) Write-Host "Version of curl must support SSL to get improved download performance." else Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Version of curl must support SSL to get improved download performance" return download-backup-without-curl $backupesource $authvalue $hostname if ($LASTEXITCODE -ne 0) $erroresponse = invoke-expression $curlgetdownloaderrorcommand if ($global:interactivemode -eq 1) 388 Backup and restore script examples

389 Write-Host "Download using curl error: $erroresponse" else Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Download error: $erroresponse" if (Test-Path $filepath) emove-item $filepath return if ($global:interactivemode -eq 1) Write-Host "Backup download complete!" catch [System.Management.Automation.CommandNotFoundException] return download-backup-without-curl $backupesource $authvalue $hostname catch [System.Exception] Write-Host "Not able to download backup" Write-Host $error[0].exception return return $filepath ##### Function to download the Backup file without using the curl command ##### function download-backup-without-curl ([PSCustomObject]$backupesource,[string]$authValue,[string]$hostname) <#.DESCIPTION Downloads the backup file from the appliance to the local system (without using curl).paamete backupesource Backup resource containing Uri for downloading.paamete authvalue The authorized sessionid.paamete hostname The IP address of the appliance.inputs None, does not accept piping.outputs The absolute path of the download file #>.EXAMPLE download-backup-without-curl $backupesource $sessionid # appends Uri ( obtained from previous function) to IP address $downloaduri = $hostname + $backupesource.downloaduri $downloadtimeout = # 12 hours $buffersize = # bytes # creates a new webrequest with appropriate headers [net.httpswebequest]$downloadequest = [net.webequest]::create($downloaduri) $downloadequest.method = "GET" $downloadequest.allowautoedirect = $TUE $downloadequest.timeout = $downloadtimeout $downloadequest.eadwritetimeout = $downloadtimeout $downloadequest.headers.add("auth", $authvalue) $downloadequest.headers.add("x-api-version", $global:scriptapiversion) # accept either octet-stream or json to allow the response body to contain either the backup or an exception $downloadequest.accept = "application/octet-stream;q=0.8,application/json" # creates a variable that stores the path to the file location. Note: users may change this to other file paths. $filedir = [environment]::getfolderpath("personal") try # connects to the Appliance, creates a new file with the content of the response [net.httpswebesponse]$response = $downloadequest.getesponse() $responsestream = $response.getesponsestream() $responsestream.eadtimeout = $downloadtimeout #saves file as the name given by the backup ID $filepath = $filedir + "\" + $backupesource.id + ".bkp" $sr = New-Object System.IO.FileStream ($filepath,[system.io.filemode]::create) $responsestream.copyto($sr,$buffersize) C.1 Sample backup script 389

390 $response.close() $sr.close() if ($global:interactivemode -eq 1) Write-Host "Backup download complete!" catch [Net.WebException] $errormessage = $error[0].exception.message #Try to get more information about the error try $erroresponse = $error[0].exception.innerexception.esponse.getesponsestream() $sr = New-Object IO.Streameader ($erroresponse) $rawerrorstream = $sr.readtoend() $error[0].exception.innerexception.esponse.close() $errorobject = $rawerrorstream convertfrom-json if (($errorobject.message.length -gt 0) -and ($errorobject.recommendedactions.length -gt 0)) $errormessage = $errorobject.message + " " + $errorobject.recommendedactions catch [System.Exception] #Use exception message if ($global:interactivemode -eq 1) Write-Host $errormessage else Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message $errormessage return return $filepath function setup-request ([string]$uri,[string]$method,[string]$accept,[string]$contenttype = "",[string]$authvalue = "",[object]$body = $null,[bool]$issilent=$false, [bool]$returnlocation=$false) try [net.httpswebequest]$request = [net.webequest]::create($uri) $request.method = $method $request.accept = $accept $request.headers.add("accept-language: en-us") if ($contenttype -ne "") $request.contenttype = $contenttype if ($authvalue -ne "") $request.headers.item("auth") = $authvalue $request.headers.item("x-api-version") = $global:scriptapiversion if ($body -ne $null) $requestbodystream = New-Object IO.StreamWriter $request.getequeststream() $requestbodystream.writeline($body) $requestbodystream.flush() $requestbodystream.close() # attempt to connect to the Appliance and get a response [net.httpswebesponse]$response = $request.getesponse() if ($returnlocation) $taskuri = $response.getesponseheader("location") $response.close() return $taskuri else # response stored in a stream $responsestream = $response.getesponsestream() $sr = New-Object IO.Streameader ($responsestream) #the stream, which contains a json object, is read into the storage variable $rawesponsecontent = $sr.readtoend() $response.close() return $rawesponsecontent catch [Net.WebException] 390 Backup and restore script examples

391 $errormessage = $error[0].exception.message #Try to get more information about the error try $erroresponse = $error[0].exception.innerexception.esponse.getesponsestream() $sr = New-Object IO.Streameader ($erroresponse) $rawerrorstream = $sr.readtoend() $error[0].exception.innerexception.esponse.close() $errorobject = $rawerrorstream convertfrom-json if (($errorobject.message.length -gt 0) -and ($errorobject.recommendedactions.length -gt 0)) $errormessage = $errorobject.message + " " + $errorobject.recommendedactions catch [System.Exception] #Use exception message if ($issilent) throw $errormessage elseif ($global:interactivemode -eq 1) Write-Host $errormessage else Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message $errormessage #No need to rethrow since already recorded error return ##### Start of function calls ##### #gets the credentials from user, either manual entry or from file $savedloginjson = queryfor-credentials $args[0] if ($savedloginjson -eq $null) #if an error occurs, it has already been logged in the queryfor-credentials function return #extracts needed information from the credential json try $savedloginjson = "[" + $savedloginjson + "]" $savedloginvals = $savedloginjson convertfrom-json $SecStrLoginname = $savedloginvals.username ConvertTo-SecureString -ErrorAction stop $loginname = [untime.interopservices.marshal]::ptrtostringauto([untime.interopservices.marshal]::securestringtobst($secstrloginname)) $hostname = $savedloginvals.hostname $SecStrPassword = $savedloginvals.password ConvertTo-SecureString -ErrorAction stop $password = [untime.interopservices.marshal]::ptrtostringauto([untime.interopservices.marshal]::securestringtobst($secstrpassword)) $adname = $savedloginvals.authlogindomain catch [System.Exception] if ($global:interactivemode -eq 1) Write-Host "Failed to get credentials: " + $error[0].exception.message else Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Failed to get credentials: " + $error[0].exception.message #determines the active Api version $global:scriptapiversion = getapiversion $global:scriptapiversion $hostname if ($global:scriptapiversion -eq $null) if ($global:interactivemode -eq 1) Write-Host "Could not determine appliance Api version" Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Could not determine appliance Api version" return C.1 Sample backup script 391

392 #sends the login request to the machine, gets an authorized session ID if successful $authvalue = login-appliance $loginname $password $hostname $adname if ($authvalue -eq $null) if ($global:interactivemode -eq 1) Write-Host "Failed to receive login session ID." Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Failed to receive login session ID." return #sends the request to start the backup process, returns the taskesource object $taskesource = backup-appliance $authvalue.sessionid $hostname if ($taskesource -eq $null) if ($global:interactivemode -eq 1) Write-Host "Could not initialize backup" Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Could not initialize backup" return #loops to keep checking how far the backup has gone $taskesource = waitfor-completion $taskesource $authvalue.sessionid $hostname if ($taskesource -eq $null) if ($global:interactivemode -eq 1) Write-Host "Could not fetch backup status" Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Could not fetch backup status" return #gets the backup resource $backupesource = get-backupesource $taskesource $authvalue.sessionid $hostname if ($backupesource -eq $null) if ($global:interactivemode -eq 1) Write-Host "Could not get the Backup esource" Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Could not get the Backup esource" return #downloads the backup file to the local drive $filepath = download-backup $backupesource $authvalue.sessionid $hostname if ($filepath -eq $null) if ($global:interactivemode -eq 1) Write-Host "Could not download the backup" Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Could not download the backup" return if ($global:interactivemode -eq 1) Write-Host "Backup can be found at $filepath" Write-Host "If you wish to automate this script in the future and re-use login settings currently entered," Write-Host "then provide the file path to the saved credentials file when running the script." Write-Host "ie: " $MyInvocation.MyCommand.Definition " filepath" else Write-Host "Backup completed successfully." Write-Host "The backup can be found at $filepath." Write-EventLog -EventId 0 -LogName Application -Source backup.ps1 -Message "script completed successfully" C.2 Sample restore script As an alternative to using Settings Actions estore from backup from the appliance UI, you can write and run a script to automatically restore the appliance from a backup file. NOTE: Only a user with Infrastructure administrator privileges can restore an appliance. 392 Backup and restore script examples

393 Example 15 Sample restore.ps1 script provides a sample script that restores the appliance from a backup file or obtains progress about an ongoing restore process. Sample script If you do not pass parameters to the script, the script uploads and restores a backup file. 1. Calls query-user() to get the appliance host name, user name and password, and backup file path. 2. Calls login-appliance() to issue a EST request to get a session ID used to authorize restore EST calls. 3. Calls uploadto-appliance() to upload the backup to the appliance. 4. Calls start-restore() to start the restore. 5. Calls restore-status() to periodically check the restore status until the restore completes. If you pass the -status option to the script, the script verifies and reports the status of the last or an ongoing restore until the restore process is complete: 1. Calls recover-restoreid() to get the UI to verify the status of the last or an ongoing restore. 2. Calls restore-status() to periodically verify the restore status until the restore completes. C.2 Sample restore script 393

394 Example 15 Sample restore.ps1 script #(C) Copyright Hewlett-Packard Development Company, L.P. ########################################################################################################################### # Name: restore.ps1 # Usage: directory\restore.ps1 or directory\restore.ps1 -status # Purpose: Uploads a backup file to the appliance and then restores the appliance using the backup data # Notes: To improve performance, this script uses the curl command if it is installed. The curl command # must be installed with the SSL option. # Windows PowerShell 3.0 must be installed to run the script ########################################################################################################################### # tells the computer that this is a trusted source we are connecting to (brute force, could be refined) [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $true # The scriptapiversion is the default Api version (if the appliance supports this level # or higher). This variable may be changed if the appliance is at a lower Api level. $global:scriptapiversion = 3 ##### Obtain information from user ##### function query-user () <#.DESCIPTION Obtains information needed to run the script by prompting the user for input..inputs None, does not accept piping.outputs Outputs an object containing the obtained information..example $uservals = query-user #> Write-Host "estoring from backup is a destructive process, continue anyway?" $continue = 0 do $earlyexit = ead-host if ($earlyexit[0] -eq 'n') return elseif ($earlyexit[0] -ne 'y') Write-Host "Please respond with a y or n" else $continue = 1 while ($continue -eq 0) do Write-Host "Enter directory backup is located in (ie: C:\users\joe\)" $backupdirectory = ead-host # Add trailing slash if needed if (!$backupdirectory.endswith("\")) $backupdirectory = $backupdirectory + "\" Write-Host "Enter name of backup (ie: appliance_vm1_backup_ _ bkp)" $backupfile = ead-host # Check if file exists $fullfilepath = $backupdirectory + $backupfile if (! (Test-Path $fullfilepath)) Write-Host "Sorry the backup file $fullfilepath doesn't exist." while (! (Test-Path $fullfilepath)) Write-Host "Enter appliance IP address (ie: $hostname = ead-host # Correct some common errors $hostname = $hostname.trim().tolower() if (!$hostname.startswith(" if ($hostname.startswith(" $hostname = $hostname.eplace("http","https") else $hostname = " + $hostname 394 Backup and restore script examples

395 Write-Host "Enter username" $secusername = ead-host -AsSecureString $username = [untime.interopservices.marshal]::ptrtostringauto([untime.interopservices.marshal]::securestringtobst($secusername)) Write-Host "Enter password" $secpassword = ead-host -AsSecureString $password = [untime.interopservices.marshal]::ptrtostringauto([untime.interopservices.marshal]::securestringtobst($secpassword)) $absolutepath = $backupdirectory + $backupfile Write-Host "If using Active Directory, enter the Active Directory domain" Write-Host " (Leave this field blank if not using Active Directory.)" $ADName = ead-host $loginvals hostname = $hostname; username = $username; password = $password; backuppath = $absolutepath; backupfile = $backupfile; authlogindomain = $ADName; return $loginvals ##### getapiversion: Get X_API_Version ##### function getapiversion ([int32] $currentapiversion,[string]$hostname) <#.DESCIPTION Sends a web request to the appliance to obtain the current Api version. eturns the lower of: Api version supported by the script and Api version supported by the appliance..paamete currentapiversion Api version that the script is currently using.paamete hostname The appliance address to send the request to (in format).inputs None, does not accept piping.outputs Outputs the new active Api version #>.EXAMPLE $global:scriptapiversion = getapiversion() # the particular Uri on the Appliance to reqest the Api Version $versionuri = "/rest/version" # append the Uri to the end of the IP address to obtain a full Uri $fullversionuri = $hostname + $versionuri # use setup-request to issue the EST request api version and get the response try $applianceversionjson = setup-request -Uri $fullversionuri -method "GET" -accept "application/json" -contenttype "application/json" if ($applianceversionjson -ne $null) $applianceversion = $applianceversionjson convertfrom-json $currentapplianceversion = $applianceversion.currentversion if ($currentapplianceversion -lt $currentapiversion) return $currentapplianceversion return $currentapiversion catch [System.Exception] if ($global:interactivemode -eq 1) Write-Host $error[0].exception.message else Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message $error[0].exception.message ##### Send the login request to the appliance ##### function login-appliance ([string]$username,[string]$password,[string]$hostname,[string]$adname) <#.DESCIPTION Attempts to send a web request to the appliance and obtain an authorized sessionid. C.2 Sample restore script 395

396 .PAAMETE username The username to log into the remote appliance.paamete password The correct password associated with username.paamete hostname The appliance address to send the request to (in format).paamete ADName The Active Directory name (optional).inputs None, does not accept piping.outputs Outputs the response body containing the needed session ID. #>.EXAMPLE $authtoken = login-appliance $username $password $hostname $ADName # the particular UI on the Appliance to reqest an "auth token" $loginui = "/rest/login-sessions" # append the UI to the end of the IP address to obtain a full UI $fullloginui = $hostname + $loginui # create the request body as a hash table, then convert it to json format if ($ADName) $body username = $username; password = $password; authlogindomain = $ADName convertto-json else # null or empty $body username = $username; password = $password convertto-json try # create a new webrequest object and give it the header values that will be accepted by the Appliance, get response $loginequest = setup-request -Uri $fullloginui -method "POST" -accept "application/json" -contenttype "application/json" -Body $body Write-Host "Login completed successfully." catch [System.Exception] Write-Host $_.Exception.message Write-Host $error[0].exception return #the output for the function, a hash table which contains a single value, "sessionid" $loginequest convertfrom-json return ##### Upload the backup file to the appliance ##### function uploadto-appliance ([string]$filepath,[string]$authinfo,[string]$hostname,[string]$backupfile) <#.DESCIPTION Attempts to upload a backup file to the appliance. Tries to use the curl command. The curl command has significantly better performance especially for large backups. If curl isn't installed, invokes uploadto_appliance-without-curl to upload the file..paamete filepath The absolute filepath to the backup file..paamete authinfo The authorized session ID returned by the login request.paamete hostname The appliance to connect to.paamete backupfile The name of the file to upload. Only used to tell the server what file is contained in the post request..inputs None, does not accept piping.outputs The response body to the upload post request. #>.EXAMPLE $uploadesponse = uploadto-appliance $filepath $sessionid $hostname $filename $uploaduri = "/rest/backups/archive" $fulluploaduri = $hostname + $uploaduri $curluploadcommand = "curl -s -k -X POST " Backup and restore script examples

397 "-H 'content-type: multipart/form-data' " + "-H 'accept: application/json' " + "-H 'auth: " + $authinfo + "' " + "-H 'X-API-Version: $global:scriptapiversion' " + "-F file=@" + $filepath + " " + $fulluploaduri Write-Host "Uploading backup file to appliance, this may take a few minutes..." try $testcurlssloption = curl -V if ($testcurlssloption -match "SSL") $rawuploadesponse = invoke-expression $curluploadcommand if ($rawuploadesponse -eq $null) return $uploadesponse = $rawuploadesponse convertfrom-json if ($uploadesponse.status -eq "SUCCEEDED") Write-Host "Upload complete." return $uploadesponse else Write-Host $uploadesponse return else Write-Host "Version of curl must support SSL to get improved upload performance." return uploadto-appliance-without-curl $filepath $authinfo $hostname $backupfile catch [System.Management.Automation.CommandNotFoundException] return uploadto-appliance-without-curl $filepath $authinfo $hostname $backupfile catch [System.Exception] Write-Host "Not able to upload backup" Write-Host $error[0].exception return ##### Upload the backup file to the appliance without using the curl command ##### function uploadto-appliance-without-curl ([string]$filepath,[string]$authinfo,[string]$hostname,[string]$backupfile) <#.DESCIPTION Attempts to upload a backup to the appliance without using curl..paamete filepath The absolute filepath to the backup file..paamete authinfo The authorized session ID returned by the login request.paamete hostname The appliance to connect to.paamete backupfile The name of the file to upload. Only used to tell the server what file is contained in the post request..inputs None, does not accept piping.outputs The response body to the upload post request. #>.EXAMPLE $uploadesponse = uploadto-appliance $filepath $sessionid $hostname $filename $uploaduri = "/rest/backups/archive" $fulluploaduri = $hostname + $uploaduri $uploadtimeout = # 12 hours $buffersize = # bytes try [net.httpswebequest]$uploadequest = [net.webequest]::create($fulluploaduri) $uploadequest.method = "POST" $uploadequest.timeout = $uploadtimeout $uploadequest.eadwritetimeout = $uploadtimeout $uploadequest.sendchunked = 1 $uploadequest.allowwritestreambuffering = 0 C.2 Sample restore script 397

398 $uploadequest.accept = "application/json" $boundary = " bac8d687982e" $uploadequest.contenttype = "multipart/form-data; boundary= bac8d687982e" $uploadequest.headers.add("auth", $authinfo) $uploadequest.headers.add("x-api-version", $global:scriptapiversion) $fs = New-Object IO.FileStream ($filepath,[system.io.filemode]::open) $rs = $uploadequest.getequeststream() $rs.writetimeout = $uploadtimeout $disposition = "Content-Disposition: form-data; name=""file""; filename=""encryptedbackup""" $contype = "Content-Type: application/octet-stream" [byte[]]$boundarybytes = [System.Text.Encoding]::UTF8.GetBytes("--" + $boundary + "`r`n") $rs.write($boundarybytes,0,$boundarybytes.length) [byte[]]$contentdisp = [System.Text.Encoding]::UTF8.GetBytes($disposition + "`r`n") $rs.write($contentdisp,0,$contentdisp.length) [byte[]]$contenttype = [System.Text.Encoding]::UTF8.GetBytes($conType + "`r`n`r`n") $rs.write($contenttype,0,$contenttype.length) $fs.copyto($rs,$buffersize) $fs.close() [byte[]]$endboundarybytes = [System.Text.Encoding]::UTF8.GetBytes("`n`r`n--" + $boundary + "--`r`n") $rs.write($endboundarybytes,0,$endboundarybytes.length) $rs.close() catch [System.Exception] Write-Host "Not able to send backup" Write-Host $error[0].exception try [net.httpswebesponse]$response = $uploadequest.getesponse() $responsestream = $response.getesponsestream() $responsestream.eadtimeout = $uploadtimeout $streameader = New-Object IO.Streameader ($responsestream) $rawuploadesponse = $streameader.readtoend() $response.close() if ($rawuploadesponse -eq $null) return $uploadesponse = $rawuploadesponse convertfrom-json if ($uploadesponse.status -eq "SUCCEEDED") Write-Host "Upload complete." return $uploadesponse else Write-Host $rawuploadesponse Write-Host $uploadesponse return catch [Net.WebException] Write-Host $error[0] $erroresponse = $error[0].exception.innerexception.esponse.getesponsestream() $sr = New-Object IO.Streameader ($erroresponse) $frawerrorstream = $sr.readtoend() $error[0].exception.innerexception.esponse.close() $errorobject = $rawerrorstream convertfrom-json Write-Host $errorobject.errorcode $errorobject.message $errorobject.resolution return ##### Initiate the restore process ##### function start-restore ([string]$authinfo,[string]$hostname,[object]$uploadesponse) <#.DESCIPTION Sends a POST request to the restore resource to initiate a restore..paamete authinfo The authorized sessionid obtained from login..paamete hostname The appliance to connect to..paamete uploadesponse The response body from the upload request. Contains the backup UI needed for restore call..inputs None, does not accept piping 398 Backup and restore script examples

399 .OUTPUTS Outputs the response body from the POST restore call..example $restoreesponse = start-restore $sessionid $hostname $uploadesponse #> # append the appropriate UI to the IP address of the Appliance $backupuri = $uploadesponse.uri $restoreuri = "/rest/restores" $fullestoreuri = $hostname + $restoreui $body type = "ESTOE"; uriofbackuptoestore = $backupuri convertto-json # create a new webrequest and add the proper headers try $rawestoreesponse = setup-request -uri $fullestoreuri -method "POST" -accept "application/json" -contenttype "application/json" -authvalue $authinfo -Body $body $restoreesponse = $rawestoreesponse convertfrom-json return $restoreesponse catch [Net.WebException] Write-Host $_.Exception.message ##### Check for the status of ongoing restore ##### function restore-status ([string]$authinfo = "foo",[string]$hostname,[object]$restoreesponse,[string]$recovereduri = "") <#.DESCIPTION Uses GET requests to check the status of the restore process..paamete authinfo **to be removed once no longer a required header**.paamete hostname The appliance to connect to.paamete restoreesponse The response body from the restore initiation request..paamete recovereduri In case of a interruption in the script or connection, the Uri for status is instead obtained through this parameter..inputs None, does not accept piping.outputs None, end of script upon completion or fail..example restore-status *$authinfo* -hostname $hostname -restoreesponse $restoreesponse or #> restore-status -hostname $hostname -recovereduri $recovereduri $retrycount = 0 $retrylimit = 5 $retrymode = 0 # append the appropriate UI to the IP address of the Appliance if ($recovereduri -ne "") $fullstatusuri = $hostname + $recovereduri write-host $fullstatusuri else $fullstatusuri = $hostname + $restoreesponse.uri do try # create a new webrequest and add the proper headers (new header, auth is needed for authorization $rawstatusesp = setup-request -uri $fullstatusuri -method "GET" -accept "application/json" -contenttype "application/json" -authvalue $authinfo $statusesponse = $rawstatusesp convertfrom-json $trimmedpercent = ($statusesponse.percentcomplete) / 5 $progressbar = "[" + "=" * $trimmedpercent + " " * (20 - $trimmedpercent) + "]" Write-Host "`restore progress: $progressbar " $statusesponse.percentcomplete "%" -NoNewline catch [Net.WebException] try C.2 Sample restore script 399

400 $erroresponse = $error[0].exception.innerexception.esponse.getesponsestream() $sr = New-Object IO.Streameader ($erroresponse) $rawerrorstream = $sr.readtoend() $error[0].exception.innerexception.esponse.close() $errorobject = $rawerrorstream convertfrom-json Write-Host $errorobject.message $errorobject.recommendedactions catch [System.Exception] Write-Host "`r`n" $error[1].exception # The error may be transient; retry several times. If it still fails, return with an error. $retrycount++ $retrymode = 1 if ($retrycount -le $retrylimit) Write-Host "In restore-status retrying GET on $fullstatusuri. retry count: $retrycount`r`n" sleep 5 continue else Write-Host "`r`nestore may have failed! Could not determine the status of the restore." return if ($statusesponse.status -eq "SUCCEEDED") Write-Host "`r`nestore complete!" return if ($statusesponse.status -eq "FAILED") Write-Host "`r`nestore failed! System should now undergo a reset to factory defaults." Start-Sleep 10 while (($statusesponse.status -eq "IN_POGESS") -or ($retrymode -eq 1)) return ##### ecovers Uri to the restore resource if connection lost ##### function recover-restoreid ([string]$hostname) <#.DESCIPTION Uses GET requests to check the status of the restore process..paamete hostname The appliance to end the request to..inputs None, does not accept piping.outputs The Uri of the restore task in string form. #>.EXAMPLE $reacquireduri = recover-restoredid $hostname $iduri = "/rest/restores/" $fulliduri = $hostname + $iduri try $rawidesp = setup-request -uri $fulliduri -method "GET" -contenttype "application/json" -accept "application/json" -authvalue "foo" $idesponse = $rawidesp convertfrom-json catch [Net.WebException] $_.Exception.message return return $idesponse.members[0].uri function setup-request ([string]$uri,[string]$method,[string]$accept,[string]$contenttype = "",[string]$authvalue="0", [object]$body = $null) <#.DESCIPTION A function to handle the more generic web requests to avoid repeated code in every function..paamete uri The full address to send the request to (required).paamete method The type of request, namely POST and GET (required) 400 Backup and restore script examples

401 .PAAMETE accept The type of response the request accepts (required).paamete contenttype The type of the request body.paamete authvalue The session ID used to authenticate the request.paamete body The message to put in the request body.inputs None.OUTPUTS The response from the appliance, typically in Json form..example $responsebody = setup-request -uri -method "GET" -accept "application/json" #> try [net.httpswebequest]$request = [net.webequest]::create($uri) $request.method = $method $request.accept = $accept $request.headers.add("accept-language: en-us") if ($contenttype -ne "") $request.contenttype = $contenttype if ($authvalue -ne "0") $request.headers.item("auth") = $authvalue $request.headers.add("x-api-version: $global:scriptapiversion") if ($body -ne $null) #write-host $body $requestbodystream = New-Object IO.StreamWriter $request.getequeststream() $requestbodystream.writeline($body) $requestbodystream.flush() $requestbodystream.close() # attempt to connect to the Appliance and get a response [net.httpswebesponse]$response = $request.getesponse() # response stored in a stream $responsestream = $response.getesponsestream() $sr = New-Object IO.Streameader ($responsestream) #the stream, which contains a json object is read into the storage variable $rawesponsecontent = $sr.readtoend() $response.close() return $rawesponsecontent catch [Net.WebException] try $erroresponse = $error[0].exception.innerexception.esponse.getesponsestream() $sr = New-Object IO.Streameader ($erroresponse) $rawerrorstream = $sr.readtoend() $error[0].exception.innerexception.esponse.close() $errorobject = $rawerrorstream convertfrom-json Write-Host "errorcode returned:" $errorobject.errorcode Write-Host "when requesting a $method on $uri`r`n" Write-Host $errorobject.message ";" $errorobject.recommendedactions catch [System.Exception] Write-Host $error[1].exception.message throw return ##### Begin main ##### #this checks to see if the user wants to just check a status of an existing restore if ($args.count -eq 2) foreach ($item in $args) C.2 Sample restore script 401

402 if ($item -eq "-status") [void]$foreach.movenext() $hostname = $foreach.current # Correct some common errors in hostname $hostname = $hostname.trim().tolower() if (!$hostname.startswith(" if ($hostname.startswith(" $hostname = $hostname.eplace("http","https") else $hostname = " + $hostname else Write-Host "Invalid arguments." return $reacquireduri = recover-restoreid -hostname $hostname if ($reacquireduri -eq $null) Write-Host "Error occurred when fetching active restore ID. No restore found." return restore-status -recovereduri $reacquireduri -hostname $hostname return elseif ($args.count -eq 0) $loginvals = query-user if ($loginvals -eq $null) Write-Host "Error passing user login vals from function query-host, closing program." return #determines the active Api version $global:scriptapiversion = getapiversion $global:scriptapiversion $loginvals.hostname if ($global:scriptapiversion -eq $null) Write-Host "Could not determine appliance Api version" return $authinfo = login-appliance $loginvals.username $loginvals.password $loginvals.hostname $loginvals.authlogindomain if ($authinfo -eq $null) Write-Host "Error getting authorized session from appliance, closing program." return $uploadesponse = uploadto-appliance $loginvals.backuppath $authinfo.sessionid $loginvals.hostname $loginvals.backupfile if ($uploadesponse -eq $null) Write-Host "Error attempting to upload, closing program." return $restoreesponse = start-restore $authinfo.sessionid $loginvals.hostname $uploadesponse if ($restoreesponse -eq $null) Write-Host "Error obtaining response from estore request, closing program." return restore-status -hostname $loginvals.hostname -restoreesponse $restoreesponse -authinfo $authinfo.sessionid return else Write-Host "Usage: restore.ps1" Write-Host "or" Write-Host "restore.ps1 -status return 402 Backup and restore script examples

403 D Authentication directory service This appendix provides additional information to help you correctly apply search context fields for adding an authentication directory service to the HP OneView appliance. D.1 Microsoft Active Directory configurations D.1.1 Users and groups in same OU The following table provides the general mapping for the Search context fields in the Add Directory screen for a Microsoft Active Directory configuration in which the users and groups are organized under the same organizational unit, OU. For information on the Add Directory screen, see the online help. Field 1 Field 2 Field 3 Search context CN CN=Organizational_Unit DC=domain,DC=domain In this example, the domain is example.com, and users and groups are located under the Users container, the default organizational unit. The entries for the Search context fields that would authenticate the user named server_admin are: Field 1 Field 2 Field 3 Search context CN CN=Users DC=example,DC=com D.1.2 Users and groups in different OUs, under same parent The following table provides the general mapping for the Search context fields in the Add Directory screen for a Microsoft Active Directory configuration in which the users and groups are in separate D.1 Microsoft Active Directory configurations 403

404 OUs, but those OUs are both under another parent OU. For information on the Add Directory screen, see the online help. Field 1 Field 2 Field 3 Search context CN OU=Organizational_Unit DC=domain,DC=domain In this example, there is a parent OU named Accounts with two children, Users and Groups. The domain is example.com. The entries for the Search context fields that would authenticate a user in the Users OU are: Field 1 Field 2 Field 3 Search context CN OU=Accounts DC=example,DC=com D.1.3 Users and groups in different OUs, under different parents The following table provides the general mapping for the Search context fields in the Add Directory screen for a Microsoft Active Directory configuration in which the user and group accounts are in separate OUs (shown as OU1 and OU2). For information on the Add Directory screen, see the online help. Field 1 Field 2 Field 3 Search context CN OU=child_OU,OU=parent_OU +... DC=domain,DC=domain In this example, there are two separate OUs, User Accounts and Group Accounts in the domain example.com. 404 Authentication directory service

405 Specifying the OU takes the form: OU=child_OU,OU=parent_OU In the example, there are four different accounts that can be specified: OU=Admin Users,OU=User Accounts,DC=example.DC=com OU=Finance Users,OU=User Accounts,DC=example.DC=com OU=Admin,OU=Group Accounts,DC=example.DC=com OU=Others,OU=Group Accounts,DC=example.DC=com You can combine search contexts, up to 10, by using the + character in Field 2. This construct is known as multiple elative Distinguished Names (DNs). For this example, the entries for the Search context fields to authenticate these users and groups are: Field 1 Field 2 Field 3 Search context CN OU=Admin Users,OU=User Accounts + OU=Finance Users,OU=User Accounts + OU=Admin,OU=Group Accounts + OU=Others,OU=Group Accounts DC=example,DC=com D.1.4 Built-in groups Microsoft Active Directory features built-in groups, in which certain groups are automatically located in predefined containers. These built-in groups include: Domain Users Domain Admins Enterprise Admins The Microsoft Active Directory Domain Users group contains all users that were created in the domain. In this example, all the user accounts under Users are included in Domain Users: D.1 Microsoft Active Directory configurations 405

406 However, user accounts in the Domain Users group will not be authenticated. You must specify the organizational unit or units. For more information on built-in groups and their behavior, see the Microsoft documentation. D.2 OpenLDAP directory configuration The following table provides the general mapping for the Search context fields in the Add Directory screen for an OpenLDAP configuration in which the users and groups are organized under different organizational units, OUs. For information on the Add Directory screen, see the online help. Field 1 Field 2 Field 3 Search context CN OU=Organizational_Unit DC=domain,DC=domain In this example, user accounts are located under the People OU and groups are located under the Groups OU: 406 Authentication directory service

407 For this example, the entries for the Search context fields to authenticate users, but not groups, are: Field 1 Field 2 Field 3 Search context CN OU=People DC=example,DC=com NOTE: The Groups OU is not valid for Search context field 2. By default, all groups are only searched under the Groups OU. For OpenLDAP, groups must always be created under the Groups OU. D.3 Validating the directory server configuration To successfully configure an authentication directory, the server that hosts the authentication directory service must: Communicate through SSL. Agree on the SSL port for LDAP. Be accessible through a fully qualified domain name or IP address. Have an available SSL certificate, based on an SA algorithm. For information on these requirements, see Add Directory Server screen details and Add Directory Server screen details in the online help. In addition, there must be valid search contexts so that the group or groups can be identified and accessed. Use the following procedure to verify a proper directory server configuration: 1. Determine if there is a connection to the directory server with the ping command: ping directory_server_host_name 2. Verify that the public key for the directory server s certificate is based on an SA algorithm. If the directory server is a DNS servers are running as a round robin DNS server, each directory server has a unique certificate. Use the nslookup to list the servers and choose one. Connect to a server using the openssl s_client command. Specify the host name and port. Copy the server s certificate to the Certificate field of the Add Directory Server screen. Verify that the certificate specifies the public key as SA (n bits). The default option for Microsoft Active Directory is SA 2048 bits. D.3 Validating the directory server configuration 407

408 3. Ensure that the certificate s timestamp is older than the appliance time. This could be a concern if the appliance and the directory are synchronized to different time servers or if they are running in different time zones. 4. Validate the search contexts by running ldapsearch command from the appliance console. Field 1 Field 2 Field 3 Search context CN CN=Users DC=example,DC=com Username: server_admin For this example, the ldapsearchcommand, using TLS/SSL, would resemble the following: LDAPTLS_CACET=location_of_certificate ldapsearch -LLL Z -H ldaps://host_name:port -b "base-dn" -D "bind-dn" W [cn/uid/ssamaccountname/userprincipalname] For this example, the ldapsearch, not using TLS/SSL, would resemble the following: ldapsearch -LLL -H ldap://ip_address:389 -b "cn=users,dc=example,dc=com" -D "cn=server_admin,cn=users,dc=example,dc=com" W CN D.4 LDAP schema object classes The following illustrates groups, by directory type, created with object classes. Such LDAP groups need to be added to HP OneView and assigned roles. See the online help for information on assigning roles. Active Directory Under Active Directory, a group can be created with any of these LDAP schema object classes: groupofnames groups groupofuniquenames View group members by examining the properties of the group name as in this example: 408 Authentication directory service

409 OpenLDAP Under OpenLDAP, a group can be created with either of these LDAP Schema object classes: groupofuniquenames groupofnames A group created with the objectclass as groupofuniquenames has its members under uniquemember as in this example. A group created with the objectclass as groupofnames or groups has its members under member as shown here. D.4 LDAP schema object classes 409