HPE OneView 3.0 User Guide for HPE Synergy

Transcription

1 HPE OneView 3.0 User Guide for HPE Synergy Abstract This guide describes HPE OneView features, interfaces, resource model design, and secure working environment. It describes up-front planning considerations and how to use the HPE OneView appliance UI or EST APIs to configure, manage, monitor, and troubleshoot your data center infrastructure. It also includes information about the SCMB (State-Change Message Bus). It is intended for infrastructure administrators, network administrators, and server administrators that plan, configure, and manage data center hardware and software throughout its lifecycle, and for backup administrators and operations personnel that monitor and troubleshoot data center hardware and software. Part Number: Published: October 2016 Edition: 1

2 Copyright Hewlett Packard Enterprise Development LP Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use or copying. Consistent with FA and , Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Acknowledgements Google is a registered trademark of Google Inc. Java is a trademark of Oracle or its affiliates. Microsoft, Windows, and Windows Server are trademarks of the Microsoft Group of companies.linux is a registered trademark of Linus Torvalds in the United States and other countries. VMware is a registered trademark of VMware Inc. Warranty Hewlett Packard Enterprise will replace defective delivery media for a period of 90 days from the date of purchase.

3 Contents I Learning about HPE OneView Learning about HPE OneView HPE Synergy composable infrastructure HPE OneView for composable infrastructure management Provisioning features esource templates, groups, and sets Server profiles and server profile templates Automatic discovery of server hardware Operating system deployment Storage provisioning and management Networking features Firmware and configuration change management features Simplified firmware management Simplified configuration change management Smart Update Tools features Monitoring the environment and responding to issues Data center environmental management esource utilization monitoring Activity and health management Hardware and firmware inventory information emote Support Backup and restore features Security features High availability features Graphical and programmatic interfaces Integration with other management software Other management software warnings HPE Synergy Image Streamer Open integration Understanding the resource model esource model summary diagram Appliance Connections Connection templates Data centers Domains Drive Enclosures Enclosures Enclosure groups Enclosure types Interconnects Interconnect types Logical enclosures Logical interconnects Logical interconnect groups Networks Network sets OS deployment servers...52 Contents 3

4 2.19 Power delivery devices acks SAN Managers SANs Server hardware Server hardware types Server profiles Server profile templates Storage Pools Storage Systems Unmanaged devices Uplink sets Volumes Volume Templates Understanding the security features of the Synergy Composer About security hardening Best practices for maintaining a secure Synergy Composer Creating a login session Authentication for Synergy Composer access Controlling access for authorized users Specifying user accounts and roles Mapping of SSO roles for ilo Mapping HPE OneView interactions with ilo and ipdu Protecting credentials Understanding the audit log Choosing a policy for the audit log Synergy Composer access over SSL Managing certificates from a browser Self-signed certificate Using a certificate authority Create a certificate signing request Create a self-signed certificate Import a certificate View the Certificate settings Downloading and importing a self-signed certificate into a browser Verifying a certificate Nonbrowser clients Passwords SSL connection Ports required for HPE OneView Controlling access to the Synergy Composer console Enable or disable authorized services access Files you can download from the Synergy Composer Navigating the graphical user interface About the graphical user interface Activity sidebar About the Activity sidebar Activity sidebar details Expand or collapse the Activity sidebar Audit tracking Banner and main menu Contents

5 4.5 Browsers Browser best practices for a secure environment Commonly used browser features and settings Browser requirements Set the browser for US or metric units of measurement Button functions Filters sidebar Help sidebar View the End-User License agreement View the Written Offer Appliance status screens Starting Oops Updating the appliance Temporarily unavailable esetting Waiting Icon descriptions Status and severity icons User control icons Informational icons Labels screen details Map view screen details Notifications area Log out of the appliance Organizing resources into groups by assigning labels View resources by label Performing an action on multiple resources Search help topics Help search features and limitations Search resources Clear the Smart Search box View resources according to their health status eset the health status view Using the EST APIs and other programmatic interfaces esource operations eturn codes UI format esource model format Log in to the appliance using EST APIs EST API version and backward compatibility Asynchronous versus synchronous operations Task resource Error handling Concurrency control using etags Querying resources and pagination using common EST API parameters State-Change Message Bus Metric Streaming Message Bus Analysis and troubleshooting HPE Operations Analytics integration with HPE OneView Developer tools in a web browser PowerShell and Python code sample libraries Contents 5

6 6 Accessing documentation and help Online help conceptual and task information as you need it This user guide supplements the online help Where to find HPE OneView documentation Enable off-appliance browsing of UI help and EST API help II Configuration quick starts Quick Start: Initial setup Initial hardware setup Verify hardware configuration Prerequisites Verifying hardware configuration About Hardware Setup Hardware setup screen details Checklist Inventory Configure the appliance network at first-time login Quick Start: Initial configuration of HPE OneView Initial configuration of resources in HPE OneView Prerequisites Configure resources in HPE OneView Define physical dimensions and power systems in HPE OneView Quick Start: Initial configuration of HPE Synergy Image Streamer Configure HPE Synergy Image Streamer for HPE OneView Prerequisites Configuring HPE OneView to work with HPE Synergy Image Streamer Configuring HPE OneView to deploy OS build artifacts to servers Quick Start: Initial hardware setup for an added management appliance Initial hardware setup for a management appliance Verify management appliance setup Quick Starts for networks, enclosures, and storage Quick Start: Add a network and associate it with an existing server Adding a network and associating it with an existing server Quick Start: Add an HPE ProLiant DL rack mount server to manage Adding an HPE ProLiant DL rack mount server to manage Quick Start: Configuring an HPE 5900 for management by HPE OneView Quick Start: Configuring a Cisco switch to be added as a SAN manager for management by HPE OneView Quick Start: Configure server hardware MAC address binding for FCoE server profiles Prerequisites Configuring server hardware MAC address binding for FCoE server profiles III Configuration and management Contents

7 11 Best practices Managing server hardware, server profiles, and server profile templates Managing server hardware oles Tasks for server hardware Server hardware management features Prerequisites for bringing server hardware into an appliance About server hardware How the appliance handles unsupported hardware About monitored server hardware About unmanaged devices Tasks for server hardware types About server hardware types How the ilo is changed as a result of HPE OneView management Launch the ilo console to manage servers remotely Managing server profiles oles Tasks for server profiles About server profiles Capturing best-practice configurations About editing a server profile About moving a server profile About migrating server profiles Working with server profiles to control remove-and-replace behavior About assigning a server profile to an empty device bay About server profile connections About server profile connections and changing server hardware types About server profiles and operating system deployment About server profiles and local storage About attaching SAN volumes to a server profile About server profile consistency validation Virtual functions When to use a server profile Managing server profile templates oles Tasks for server profile templates About server profile templates About creating a server profile template About editing a server profile template When to use a server profile template Learning more Managing fabrics oles About fabrics About reserved VLAN pools Managing licenses UI screens and EST API resources oles Tasks for licenses Contents 7

8 14.4 About licensing License types Interconnect licenses Server hardware licenses Other licenses About interconnect licensing Licensing for managed interconnects Licensing for unmanaged interconnects Purchasing or obtaining licenses License delivery License reporting Learning more Managing networks and network resources oles Tasks for networks Tasks for Fibre Channel networks Tasks for Ethernet networks Tasks for FCoE networks About networks About network sets About Fibre Channel networks Fibre Channel network types Fabric-attach Fibre Channel networks Direct-attach Fibre Channel networks About Ethernet networks About tagged Ethernet networks About untagged Ethernet networks About tunnel Ethernet networks About Smart Link About the HPE Image Streamer management network About Fibre Channel over Ethernet (FCoE) networks Data center switch port requirements Learning more Managing interconnects, logical interconnects, and logical interconnect groups Managing enclosure interconnect hardware oles Tasks for interconnects About interconnects About managed and monitored interconnects About unmanaged and unsupported interconnects FIP snooping Connectivity and synchronization with the appliance Learning more Managing logical interconnects and logical interconnect groups oles Tasks for logical interconnects Tasks for logical interconnect groups About logical interconnects About uplink sets About defining Image Streamer uplink sets in logical interconnects Contents

9 About internal networks About stacking links and stacking health Creating or deleting a logical interconnect About logical interconnect groups About the logical interconnect group graphical interface About multiple logical interconnect groups in an enclosure group About interconnect bay sets About redundancy modes Valid configurations for enclosure groups with multiple logical interconnect groups About copying a logical interconnect group About copying and resizing a logical interconnect group About uplink sets in a logical interconnect group About defining Image Streamer uplink sets in logical interconnect groups About Link Layer Discovery Protocol (LLDP) tagging About firmware associated with a logical interconnect About updating firmware for logical interconnects About loop protection About SNMP settings About Quality of Service for network traffic Add an uplink set Update firmware for logical interconnects within enclosures Stage and activate firmware for update from logical interconnect Stage firmware for later activation for update from logical interconnect Activate the firmware for update from logical interconnect Update the logical interconnect configuration from the logical interconnect group Create a logical interconnect group Learning more Managing enclosures, enclosure groups, and logical enclosures oles Managing enclosures Tasks for enclosures About enclosures or Synergy frames About an HPE Synergy Frame Checklist: connecting a server to a data center network Add a Synergy frame (enclosure) eset an HPE Synergy Frame Link Module to original factory settings Managing enclosure groups Tasks for enclosure groups About enclosure groups Enclosure groups and logical interconnect groups About configuring an HPE Synergy Image Streamer OS deployment network Create an enclosure group Prerequisites Creating an enclosure group Managing logical enclosures Tasks for logical enclosures About logical enclosures About inconsistent logical enclosures About deleting or forcibly deleting a logical enclosure About updating firmware from a logical enclosure About growing a logical enclosure About orchestrated and parallel activation Contents 9

10 Create a logical enclosure Update firmware from a logical enclosure Create a logical enclosure support dump file Learning more Managing firmware for managed devices Tasks for firmware About firmware bundles About unsupported firmware Best practices for managing firmware Create a custom SPP Update firmware on managed devices Update firmware on the logical enclosure Update firmware with a server profile Update firmware with a server profile template Learning more Managing power, temperature, and the data center Managing power oles Tasks for managing power About power delivery devices Managing your data center oles Tasks for data centers About data centers Managing racks oles Tasks for racks About racks Learning more Managing OS Deployment servers oles Tasks for OS deployment servers About OS Deployment Servers About HPE Synergy Image Streamer deployment server About designating the HPE Synergy Image Streamer primary cluster About deleting OS deployment server Managing storage Drive enclosures Tasks for drive enclosures About drive enclosures About drive enclosure and server hardware power sequencing requirements Storage systems oles Tasks About storage systems About HPE 3PA StoreServ Storage systems Storage pools oles Contents

11 Tasks About storage pools Volumes oles Tasks About volumes About snapshots Volume templates oles Tasks About volume templates SAN Managers oles Tasks About SAN managers About zone sets Configuring SAN managers to be managed by HPE OneView SANs Tasks About SANs About SAN zoning Learning more Managing users and authentication oles Tasks for managing users and groups About user accounts About user roles Action privileges for user roles About authentication settings About directory service authentication Managing user passwords eset the administrator password Learning more Backing up an appliance oles About backing up the Synergy Composer Best practices for backing up a Synergy Composer Determining your backup policy Back up a Synergy Composer manually Using EST APIs to create and download an appliance backup file Creating a custom script to create and download an appliance backup file Configure automatic remote backups Disable automatic remote backups Learning more estoring an appliance from a backup file oles About restoring the Synergy Composer Best practices for restoring a Synergy Composer estore a Synergy Composer from a backup file Using EST APIs to restore an appliance from a backup file Contents 11

12 24.6 Creating a custom script to restore an appliance Post-restoration tasks Managing the appliance Updating the appliance oles Tasks About appliance updates Learning more Administering a high-availability appliance cluster Determining the active and standby appliances of a Synergy frame About the high availability appliance cluster Activate the standby appliance emove a Synergy Composer from the appliance cluster Managing appliance availability oles Tasks Shut down the Synergy Composer from the UI estart the Synergy Composer from the UI How the appliance handles an unexpected shutdown Managing settings oles Tasks eset the Synergy Composer to the original factory settings About appliance proxy settings About scopes Scope-enabled resource categories Managing addresses and ID pools oles Tasks for addresses and identifiers About ID pools Image Streamer IPv4 address requirements Add an IPv4 subnet and address range Managing the security features of the appliance Enabling or disabling Hewlett Packard Enterprise support access to the appliance oles Tasks Managing TLS certificates oles Tasks Learning more Managing the Hewlett Packard Enterprise public key oles Tasks Downloading audit logs oles Tasks Download audit logs Learning more Connect to the Synergy console Connect to the Synergy console with a keyboard, video monitor, and mouse Prerequisites Connecting to the Synergy console with a keyboard, video monitor, and mouse Contents

13 Connect to the Synergy console with a notebook computer Prerequisites Connecting to the Synergy console with a notebook computer Prepare a USB flash drive for reimaging an appliance eimage the appliance with the preloaded USB drive IV Monitoring Monitoring data center status, health, and performance Daily monitoring Initial check: the Dashboard Activities Utilization graphs Monitor data center temperature Best practices for monitoring data centers Best practices for monitoring health with the appliance UI Best practices for monitoring health using SCMB or EST APIs Managing activities About Activity Activity types: alerts and tasks About alerts About tasks Activity states Activity statuses Service alerts Managing notifications About notification of alert messages Configure the appliance for notification of alerts Using the Dashboard screen Learning about the Dashboard Dashboard screen details How to interpret the Dashboard charts Customizing the dashboard Managing remote support About remote support About channel partners About data collection Monitoring power and temperature Monitoring power and temperature with the UI Monitoring data center temperature Manipulating the view of the data center visualization Monitoring power and temperature utilization About the Utilization panel About utilization graphs and meters EST API power and temperature monitoring Update enclosure power capacity settings Update server hardware power capacity settings Using a message bus to send data to subscribers About accessing HPE OneView message buses Using the State-Change Message Bus (SCMB) Contents 13

14 Connect to the SCMB Set up a queue to connect to the HPE OneView SCMB exchange JSON structure of message received from the SCMB Example to connect and subscribe to SCMB using.net C# Example to connect and subscribe to SCMB using Java Examples to connect and subscribe to SCMB using Python Installation Pika AMQP e-create the AMQP client certificate Using the Metric Streaming Message Bus (MSMB) Connect to the MSMB Set up a queue to connect to the HPE OneView MSMB exchange JSON structure of message received from the MSMB Example to connect and subscribe to MSMB using.net C# Example to connect and subscribe to MSMB using Java Examples to connect and subscribe to MSMB using Python Installation Pika AMQP e-create the AMQP client certificate Generating reports oles Tasks for reports About reports Using data services About data services About metric streaming About log forwarding to a remote syslog server EST API to enable metric streaming oles Tasks for metrics EST API EST API to leverage remote system logs oles Tasks for remotesyslog EST API V Troubleshooting Troubleshooting Basic troubleshooting techniques About the support dump file Create a support dump file Create a support dump file and write it to a USB drive from the UI Create a support dump for authorized technical support using EST API scripting Troubleshooting activity Alert is locked Alerts are not visible in the user interface Alert status is reported as blank or unexpected Alert state is unexpected Troubleshooting the appliance Contents

15 Synergy Composer performance is slow Unexpected appliance shutdown Cannot update Synergy Composer Appliance update file downloads, but update fails Appliance update is unsuccessful Browser does not display the HPE OneView user interface Icons are not visible on the appliance dashboard Could not retrieve the browser session Cannot create or download a backup file Support dump was not created Support dump file not saved Support dump does not contain data for standby appliance Cannot create unencrypted support dump Cannot download support dump to USB flash drive USB drive not recognized Unable to import a certificate Certificate was revoked Invalid certificate chain prevents operations Invalid certificate content prevents operations Audit log could not be downloaded Audit entries are not logged Audit log is absent estore action was unsuccessful Synergy Composer did not shut down Cannot restart the Synergy Composer after a shutdown You cannot log in Hardware setup user cannot log in Cannot log in after a factory reset action einstall the remote console Active and standby appliances are not connected Synergy Composer is offline, manual action is required Synergy Composer is offline and unusable Troubleshooting the appliance network setup Synergy Composer cannot access the network Synergy Composer cannot retrieve DNS information from DHCP server DNS server is unreachable Gateway server is unreachable Cannot change network settings NTP synchronization fails Troubleshooting notifications Cannot configure notification of alerts Unable to connect through <sending address host name> Host does not respond as an SMTP server Unable to deliver messages to some IDs Designated recipients are not receiving notifications of events Frequent, irrelevant messages Test message could not be sent Some test messages were not received Troubleshooting enclosures and enclosure groups Enclosure is no longer manageable Communication from Synergy Frame Link Module failed Enclosure configuration incomplete Enclosure inventory incomplete Frame Link Module port state is unlinked or disabled Troubleshooting firmware bundles Contents 15

16 Incorrect credentials Lost ilo connectivity SUM errors Failed firmware update on enclosure add Troubleshooting interconnects Interconnect edit is unsuccessful Troubleshooting licenses Licensing numbers appear to be inaccurate Could not view license details Could not add license Could not add license key Could not apply license Troubleshooting locale issues Troubleshooting logical interconnects I/O bay occupancy errors Uplink set warnings or errors Physical interconnect warnings or errors Firmware update errors Troubleshooting networks Network create operation is unsuccessful Troubleshooting the OS deployment server Unable to communicate with the selected primary cluster Troubleshooting reports Cannot view reports Troubleshooting scopes Cannot add scope Cannot edit or delete scope Troubleshooting server hardware Cannot control power on server Lost connectivity to server hardware after appliance restarts eplace a server with an assigned server profile eplace a server adapter on server hardware with an assigned server profile Troubleshooting server profiles Server profile is not created or updated correctly Cannot apply the server profile Profile operations are not successful Cannot update or delete profile Inconsistent firmware versions Troubleshooting storage Brocade Network Advisor (BNA) SAN manager fails to add Unable to establish connection with Brocade Network Advisor (BNA) SAN manager Volume not available to server hardware Volume is visible from the storage system but not visible on the appliance Target port failure Zone operations fail on Cisco SAN manager Storage system port is in an undesired state Troubleshooting user accounts Incorrect privileges Cannot modify local user account Cannot delete local user account Unauthenticated user or group User public key is not accepted Directory service not available Cannot add directory service Contents

17 Cannot add server for a directory service Cannot add directory group Cannot find directory group Documentation and troubleshooting resources for HPE Synergy HPE Synergy documentation HPE Synergy Configuration and Compatibility Guide HPE OneView User Guide for HPE Synergy HPE OneView Global Dashboard HPE Synergy Software Overview Guide Best Practices for HPE Synergy Firmware and Driver Updates HPE OneView Support Matrix for HPE Synergy HPE Synergy Image Streamer Support Matrix HPE Synergy Glossary HPE Synergy troubleshooting resources Troubleshooting within HPE OneView HPE Synergy Troubleshooting Guide HPE Error Message Guide HPE OneView Help HPE Synergy Quick Specs HPE Synergy documentation map Support and other resources Accessing Hewlett Packard Enterprise Support Accessing updates Websites emote support Customer self repair Documentation feedback A Backup and restore script examples A.1 Sample backup script A.2 Sample restore script B Authentication directory service B.1 Microsoft Active Directory configurations B.1.1 Users and groups in same OU B.1.2 Users and groups in different OUs, under same parent B.1.3 Users and groups in different OUs, under different parents B.1.4 Built-in groups B.2 OpenLDAP directory configuration B.3 Validate the directory server configuration B.4 LDAP schema object classes C Smart Update Tools installation with HPE Insight Control server provisioning D Maintenance console D.1 About the Maintenance console D.2 Access the Maintenance console Contents 17

18 D.3 Log in to the Maintenance console D.4 About the Maintenance console password D.5 About the factory reset operation D.6 Maintenance console main menu screen details D.7 Maintenance console Details screen details D.8 Maintenance console appliance states D.9 View the appliance details D.10 eset the Maintenance console password D.11 eset the administrator password with the Maintenance console D.12 estart the Synergy Composer using the Maintenance console D.13 Shut down the Synergy Composer using the Maintenance console D.14 Create a support dump file from the Maintenance console D.15 Perform a factory reset using the Maintenance console D.16 Configure appliance networking from the Maintenance console D.17 Activate the Synergy Composer manually when it is not highly available D.18 ecovering an HPE Synergy Composer Index Contents

19 Part I Learning about HPE OneView This part describes HPE OneView and its model for data center resources and introduces you to the terms and concepts used in this document and the appliance online help.

20 20

21 1 Learning about HPE OneView Designed for composable infrastructure environments, HPE OneView is a single integrated platform, packaged as an appliance, that implements a software-defined approach to managing your physical infrastructure through its entire life cycle. To learn more about HPE OneView, start with the introduction or select a topic from the following list. Provisioning features (page 23) Networking features (page 26) Firmware and configuration change management features (page 27) Monitoring the environment and responding to issues (page 29) Backup and restore features (page 31) Security features (page 32) High availability features (page 33) Graphical and programmatic interfaces (page 33) Integration with other management software (page 34) HPE Synergy Image Streamer (page 36) Open integration (page 36) 1.1 HPE Synergy composable infrastructure HPE OneView enables you to manage an HPE Synergy system throughout the hardware lifecycle. HPE OneView is designed to manage both traditional (operation-driven) and next generation (application-driven) workloads within a composable infrastructure such as HPE Synergy. The composable infrastructure is based on the following design principles: Hardware and management software in one Fluid pool of resources Software-defined intelligence Unified API Hardware and management software in one The HPE Synergy Frame contains a management appliance called the HPE Synergy Composer which hosts HPE OneView. Servers (compute modules), storage, networking (fabric), and management appliances (such as HPE Synergy Image Streamer), are easily plugged in and are automatically discovered. HPE Synergy frames (enclosures) can be connected as a group of frames to form a dedicated management network. With one instance of HPE OneView on one Synergy Composer, you can manage the entire group of frames. With an additional Synergy Composer, you can provide high availability management. Fluid pool of resources HPE Synergy provides a single infrastructure with virtualized compute servers, storage, and networks derived from the physical components in an HPE Synergy Frame. The same hardware can be configured and reconfigured through templates to support specific workloads. With a fluid pool of resources, you can tailor the infrastructure precisely, with the right amount of compute, storage, and connectivity to meet the needs of each workload. 1.1 HPE Synergy composable infrastructure 21

22 Software-defined intelligence HPE Synergy contains embedded software-defined intelligence (HPE OneView) that provides discovery, auto-integration, self-securing, self-orchestrating, and self-diagnosing capabilities. HPE OneView automates infrastructure management by taking a template-driven approach to provisioning and updating servers, storage, and networking. Unified API With a unified ESTful API, operational, and configuration changes can be easily automated and developers can manage the infrastructure with simplified code. The unified API provides a single interface to discover, search, inventory, configure, provision, update, and diagnose the composable infrastructure. For example, a single line of code can fully describe and provision the infrastructure required for an application, eliminating time-consuming scripting. More information Learning about HPE OneView (page 21) HPE OneView for composable infrastructure management (page 22) HPE Synergy documentation at HPE OneView for composable infrastructure management Optimized for collaboration, productivity, and reliability, HPE OneView is designed to provide simple, single-pane-of-glass lifecycle management for the complex aspects of enterprise IT servers, networking, software, power and cooling, and storage. Storage HPE Composable Infrastructure Servers Power and cooling Network Management software Servers are represented and managed through server profiles and server profile templates. Networking is an essential component to provisioning and managing data center servers. Management software is integrated with HPE OneView for seamless operation. In addition, other management appliances (HPE Synergy Image Streamer) can be added to the composable infrastructure through a management appliance module. 22 Learning about HPE OneView

23 Power and cooling and space planning requires that you consider all the equipment in the entire data center, including equipment not managed by HPE OneView. HPE OneView consolidates data center power and cooling information into one interface view. Storage provisioning with automated zoning is available. Storage devices connect to the enclosures using either Fibre Channel fabric attach (SAN switch) connections or Fibre Channel direct attach (flat SAN) connections. 1.3 Provisioning features Features for provisioning hardware and bringing resources under management include: esource templates, groups, and sets (page 23) Server profiles and server profile templates (page 24) Automatic discovery of server hardware (page 25) Operating system deployment (page 25) Storage provisioning and management (page 25) esource templates, groups, and sets With the HPE OneView template-driven approach, you can: Define server and networking configurations for specific environments. Provision multiple servers quickly and consistently without requiring someone to take action for every server you deploy. Simplify the distribution of configuration changes across your data center. HPE OneView is a scalable, resource-oriented solution focused on the entire life cycle from initial configuration to on-going monitoring and maintenance of both physical and logical resources: Physical resources are objects you can touch, such as server hardware, interconnects, top-of-rack switches, enclosures, drive enclosures, storage systems, and racks. Logical resources are virtual objects that represent a template or a configured resource. Some logical resources are templates that your experts define to meet various workload demands. These templates can then be applied over and over again to the physical resources ensuring quick and consistent configurations. Some examples include: server profile templates, logical interconnect groups, enclosure groups, and volume templates. Other logical resources represent the physical resource configured to work as needed in your environment. These resources actually run the workloads. Some examples include server profiles, logical interconnects, logical enclosures, and volumes. 1.3 Provisioning features 23

24 More information Understanding the resource model (page 39) Learning about HPE OneView (page 21) Server profiles and server profile templates Server profiles and server profile templates enable you to provision hardware quickly and consistently according to your best practices. Store your best practice configuration in a server profile template and then use the server profile template to create and deploy server profiles. A server profile captures key aspects of a server configuration in one place, including: Firmware update selection and scheduling OS deployment settings BIOS settings Local AID configuration Network connectivity Boot order configuration Local storage and SAN storage Unique IDs Server profiles enable your experts to specify a server configuration before the server arrives. When the server hardware is installed, your administrators can quickly bring the new server under management. For example, you can deploy a server profile from a template that is not assigned to a particular server, but specifies all the configuration aspects such as BIOS settings, network connections, 24 Learning about HPE OneView

25 and boot order to use for a type of server hardware. Before the server is installed in an enclosure bay, you can do one of the following: Assign the server profile at the time of creation to an empty bay in an enclosure where the server will eventually reside. Create an unassigned profile and assign it once the hardware arrives. You can move a server profile that has been assigned to hardware in an enclosure bay. You can copy server profiles to multiple servers by using server profile templates. You can control the server profile behavior. For example, you can assign a server profile to an empty bay and when an appropriate server is inserted into that bay, the server profile is automatically applied to the server hardware. The server profile can also be associated with a specific server to ensure that the profile is not applied if the wrong server is accidentally inserted into the bay. More information About server profiles (page 142) About server profile templates (page 156) Learning about HPE OneView (page 21) Automatic discovery of server hardware HPE Synergy enclosures (frames) are automatically discovered, including the server hardware and interconnects, and brought into HPE OneView as Monitored enclosures. After confirming the HPE Synergy frames are installed correctly, the frames can be managed by HPE OneView by creating a Logical Enclosure. More information About auto-discovering a Synergy frame (page 200) Learning about HPE OneView (page 21) Operating system deployment Server profiles and enclosure groups make it easier to prepare a bare-metal server for operating system deployment. For example, you can use server profiles in conjunction with deployment tools such as: HPE Insight Control server provisioning to install an operating system on the server HPE OneView for VMware vcenter Auto Deploy to deploy hypervisors from bare metal and add them to existing clusters automatically HPE Synergy Image Streamer for boot/run storage provisioning and operating system deployment More information Learning about HPE OneView (page 21) Storage provisioning and management HPE OneView provides automated, policy-driven provisioning of supported storage resources. It is fully integrated with server profiles so that you can manage your new or existing storage infrastructure. With HPE OneView you can view and manage your storage system and storage pools. You add existing volumes and create new volumes, and you can create volume templates to provision multiple volumes with the same configuration. Switched fabric, direct attach, and vsan SAN topologies are supported. 1.3 Provisioning features 25

26 Storage system are added to the appliance and are associated with networks. Storage pools are added from which HPE OneView creates volumes. The volumes can then be attached to servers. You can also add SAN managers to make their managed SANs available to the appliance. Managed SANs can be associated with Fibre Channel or Fibre Channel over Ethernet networks on the appliance to enable automated zoning and automatic detection of connectivity. Supported storage automation features Automated storage provisioning When you import supported storage systems and existing storage pools, HPE OneView can quickly create volumes. Automatic SAN zoning HPE OneView automatically manages SAN zoning for server profile volume attachments. Storage integration through server profiles Create and make new private volumes accessible to the server hardware by adding volume attachments to the server profile. Make existing private or shared volumes accessible to server hardware by adding volume attachments to the server profile. HPE OneView tracks the connection status between server profiles and SANs. Volume management You can use HPE OneView to manage the full life cycle of your volumes. You can add existing volumes, create new volumes, grow volumes, and remove or delete volumes using HPE OneView. You can also create volume snapshots, create a volume from a snapshot, and revert a volume to a snapshot using HPE OneView. Zoning policies HPE OneView enables you to set a zoning policy for your managed SANs. You can define SAN zoning policies which HPE OneView will follow as it auto-zones your SAN. Zone naming and aliases HPE OneView uses rules-based zone naming to give you full control of your zone names. You can use zone naming to incorporate your current naming structure, which HPE OneView will use during the automated zoning process. HPE OneView enables you to create aliases for initiators, targets, and target groups, which HPE OneView displays in place of their WWPNs. More information About storage systems (page 229) About SAN managers (page 231) HPE OneView Support Matrix for HPE Synergy 1.4 Networking features HPE OneView provides several networking features to streamline the provisioning of networking resources for server blades and to manage configuration changes, including firmware updates, to Virtual Connect interconnect modules. 26 Learning about HPE OneView

27 Supported networks The Virtual Connect interconnect modules in enclosures support the following types of data center networks: Ethernet for data networks, including tagged, untagged, or tunnel networks. Fibre Channel for storage networks, including Fibre Channel fabric attach (SAN switch) connections, and Fibre Channel direct attach (Flat SAN) connections to supported 3PA storage systems. Fibre Channel over Ethernet (FCoE) for storage networks where storage traffic is carried over a dedicated Ethernet VLAN. More information Logical interconnects Logical interconnect group Network set Learning about HPE OneView (page 21) 1.5 Firmware and configuration change management features Simplified firmware management HPE OneView provides fast, reliable, and simple firmware management across the appliance. When you add a resource to the appliance to be managed to ensure compatibility and seamless operation, the appliance automatically updates the resource firmware to the minimum version required to be managed by the appliance. Updating firmware for an entire HPE Synergy frame and every component inside can be done by a single administrator with minimal disruptions. Server firmware and driver updates can be staged and then activated during a maintenance window. A firmware bundle, also known as an SPP (Service Pack for ProLiant), is a tested update package of firmware, drivers, and utilities. Firmware bundles enable you to update firmware on managed server blades, and infrastructure (enclosures and interconnects). An on-appliance firmware repository enables you to upload SPP firmware bundles and deploy them across your environment according to your best practices. For example, you can: View the versions and contents of firmware bundles stored in the firmware repository. View the version of firmware installed on supported hardware from the Server Hardware. Set a firmware baseline a desired state for firmware versions on a managed resource, such as a server profile, or on a group of resources, such as all of the interconnects in a logical interconnect. Detect when a managed resource does not comply with the firmware baseline. Identify firmware compatibility issues. Update firmware for an entire enclosure. Update firmware for individual resources or for groups of resources, such as logical interconnects. 1 Update OS drivers and firmware emove a firmware bundle from the repository Hewlett Packard Enterprise occasionally releases component hotfixes between main SPP releases. Hewlett Packard Enterprise notifies you that a hotfix is available to upload and provides 1. Enclosure groups do not include a firmware baseline; therefore, updates to enclosure firmware are managed through a logical enclosure configuration. 1.5 Firmware and configuration change management features 27

28 details about the SPP to which the hotfix applies. Different mechanisms are available for applying a hotfix in HPE OneView. More information Best Practices for HPE Synergy Firmware and Driver Updates at synergy-docs Simplified configuration change management Templates and groups simplify the distribution of configuration changes across the appliance. For example: You can reduce errors by making multiple and complex changes to a group. Then, for each member of the group, you can use a single action to update the configuration to match the configuration of the group. The appliance notifies you when it detects that a device does not comply with the current template or group. You control when and if a device configuration is updated. The logical interconnect settings manage the firmware for physical interconnects to ensure that all interconnects within the logical enclosure have compatible firmware Smart Update Tools features Smart Update Tools (SUT) is an operating system utility for HPE OneView that enables an administrator to perform online firmware and driver updates. SUT polls HPE OneView every five minutes for new requests, processes those requests, and provides HPE OneView with a status. HPE OneView posts the progress in the Firmware section of the Server Profile page. SUT installs updates in the correct order and ensures that all dependencies are met before starting an update. If there are unmet dependencies, SUT prevents the installation and notifies the HPE OneView administrator that the installation cannot continue due to a dependency. Key features: Combined driver, software, and firmware updates Compliance reporting in the HPE OneView dashboard based on the status received from SUT An increase in the maximum uptime by minimizing the number of reboots required for activation The ability to perform firmware staging and development tasks outside of the actual maintenance window so that one reboot during the maintenance window activates both firmware and driver updates Multiple user roles: HPE OneView Infrastructure administrator who defines the desired state using the firmware options in the server profile SUT administrator who uses SUT to update the firmware and the software on the server Manual control and varying levels of automation: On demand or manual updates Semiautomatic when staging is automatic or staging and installation are automatic Fully automatic update 28 Learning about HPE OneView NOTE: SUT requires HPE ilo 4 version 2.30 and later to function correctly. If HPE OneView manages the server firmware, HPE OneView automatically updates the ilo firmware to enable SUT to proceed.

29 1.6 Monitoring the environment and responding to issues One user interface You use the same interface for monitoring that you use to provision resources. There are no additional tools or interfaces to learn. Isolated management network The appliance architecture is designed to separate the management traffic from the production network, which increases reliability and security of the overall solution. For example, your data center resources remain operational even in the unlikely event of an appliance outage. Automatic configuration for monitoring health and utilization When you add resources to the appliance, they are automatically configured for monitoring health, activity, alerts, and utilization. You can monitor resources immediately without performing additional configuration or discovery steps. Management from other platforms using the EST APIs and message buses The EST APIs and the SCMB (State-Change Message Bus) or MSMB (Metric Streaming Message Bus) also enable you to monitor the HPE OneView environment from other management platforms. For more information about message buses, see Using a message bus to send data to subscribers (page 303) Monitoring the environment and responding to issues Features for monitoring the environment and responding to issues include the following: The Dashboard screen (page 291), which displays a summary view of data center capacity and health information The Activity screen (page 285), which displays and enables you to filter all system tasks and alerts Data center environmental management (page 30) esource utilization monitoring (page 30) Activity and health management (page 30) Hardware and firmware inventory information (page 31) More information HPE ilo 4 with AMS traps supported for alerting in HPE OneView at oneview/docs 1.6 Monitoring the environment and responding to issues 29

30 1.6.1 Data center environmental management HPE OneView integrates these critical areas for environmental management of the data center: Thermal data visualization in 3D Power delivery infrastructure representation Physical asset location in 3D Feature Thermal data visualization Power delivery infrastructure representation Physical asset location Description 3D data center thermal mapping provides a view of the thermal status of your entire data center. The appliance collects thermal data from the managed resources in each data center rack and presents the data graphically, enabling easy identification of hot spots in a rack. HPE OneView collects and reports processor utilization and power and temperature history for your data center hardware. The appliance monitors power, automatically detects and reports power delivery errors, and provides precise power requirement information for HPE ProLiant Gen8 (or later) servers and HPE BladeSystem enclosures that you can use for planning rack and power usage. Power Discovery Services enable automatic discovery and visualization of the power delivery topology for your data center. HPE ipdus enable the appliance to map the rack power topology automatically. The appliance detects wiring errors such as lack of redundancy and updates electrical inventory automatically when new servers are installed. The appliance also supports per-outlet power control for remote power cycling of each ipdu outlet. You can manually define the power requirements and power topology for devices that do not support Power Discovery Services. Location Discovery Services enable the appliance to automatically display the exact 3D location of HPE ProLiant Gen8 (or later) servers in HPE Intelligent Series acks, reducing labor time, lowering operational costs, and eliminating human errors associated with inventory and asset management. You can manually define the positions of racks and devices that do not support Location Discovery Services. More information Managing power, temperature, and the data center (page 221) Monitoring power and temperature (page 297) esource utilization monitoring HPE OneView periodically collects and maintains CPU utilization information for all of the servers it manages. HPE OneView also collects port-level statistics for networking, including transmit, receive, and error counters. HPE OneView displays all of this data in the UI and makes the data available through the EST APIs. More information Monitoring power and temperature utilization (page 299) Utilization graphs (page 281) Activity and health management HPE OneView provides streamlined activity monitoring and management. The appliance automatically registers alerts and notifications from all managed resources, and resources added to the appliance are immediately available for monitoring and management. When the appliance notifies you of a problem, when possible, it suggests a way to correct the problem. 30 Learning about HPE OneView

31 Using the UI and EST APIs, you can: View all activities (alerts and tasks) by description or source, and filter activities using multiple filter criteria. Assign alerts to specific users. Annotate activities with notes from administrators, enabling the administrators of the data center to collaborate through the appliance instead of through outside tools such as . View alerts for a specific resource from the UI screen for that resource or using the EST API for that resource. Automatically forward SNMP traps from managed resources to enterprise monitoring consoles or centralized SNMP trap collectors. More information HPE ilo 4 with AMS traps supported for alerting in HPE OneView at oneview/docs Hardware and firmware inventory information HPE OneView provides detailed hardware and firmware inventory information about the resources it manages. You can access the following data through the UI and the EST APIs: Summary and detailed views of managed hardware, such as servers, enclosures, and interconnects. Summary of monitored hardware, such as servers and enclosures. Summary and detailed views of firmware bundle contents. Firmware inventory for server and enclosure components. You can use the Smart Search feature of the UI to find specific items in the inventory. eports are available to help you monitor your inventory as well as help you monitor your environment. The inventory reports provide information about your servers or enclosures such as model, serial number, part number, and so on. Other reports provide a picture of the overall status of your environment emote Support By registering for emote Support in HPE OneView, you enable Proactive Care and automatic case creation for hardware failures on Gen8 and newer servers and enclosures. Once enabled, all eligible devices added in the future will be automatically enabled for remote support. Hewlett Packard Enterprise will contact you to ship a replacement part or send an engineer for devices that are under warranty or support contract. emote support enables Proactive Care services including Proactive Scan reports and Firmware/Software Analysis reports with recommendations that are based on collected configuration data. More information About remote support (page 294) 1.7 Backup and restore features HPE OneView provides services to back up an appliance to a file, and to restore an appliance from a backup file. Backups can be scheduled to occur automatically and stored remotely. 1.7 Backup and restore features 31

32 One proprietary backup file for both the appliance and its database Backup files are proprietary and contain configuration settings and management data there is no need to create separate backup files for the appliance and its database. Flexible scheduling and an open interface for backup operations You can create backup files while the appliance is online. Also, you can use EST APIs to: Schedule a backup process from outside the appliance. Collect backup files according to your site policies. Integrate with enterprise backup and restore products. Utilize the backup and restore scripts. A backup file is a snapshot of the appliance configuration and management data at the time the backup file was created. Hewlett Packard Enterprise recommends that you create regular backups, preferably once a day and after you make hardware or software configuration changes in the managed environment. Specialized user role for creating backup files HPE OneView provides a user role (Backup administrator) specifically for backing up the appliance by permitting access to other resource views without permitting actions on those resources, or other tasks. ecovery from catastrophic failures You can recover from a catastrophic failure by restoring your appliance from the backup file. When you restore an appliance from a backup file, all management data and most configuration settings on the appliance are replaced with the data and settings in the backup file, including things like user names and passwords, audit logs, and available networks. The state of the managed environment is likely to be different from the state of that environment at the time the backup file was created. During a restore operation, the appliance reconciles the data in the backup file with the current state of the managed environment. After the restore operation, the appliance uses alerts to report any discrepancies that it cannot resolve automatically. More information Backing up an appliance (page 247) 1.8 Security features To ensure a secure platform for data center management, the appliance includes features such as the following: Separation of the data and management environments, which is critical to protect against Denial of Service attacks. Hewlett Packard Enterprise recommends that you follow best practices to protect and isolate management networks from production data networks. To ensure high availability and safeguard against various network attacks, it is recommended that the HPE Synergy Composer management network be isolated from the production network using appropriate mechanisms (such as firewalls and intrusion detection systems). BAC (role-based access control), which enables an administrator to establish access control and authorization for users based on their responsibilities for specific resources. Single sign-on to ilo without storing user-created credentials. 32 Learning about HPE OneView

33 Audit logging for all user actions. Support for authentication and authorization using an optional directory service such as Microsoft Active Directory. Use of certificates for authentication over Transport Layer Security (TLS). A UI that restricts access from host operating system users. An automated remote backup feature that allows you to set the day and time a backup will be performed and the ability to specify a remote SSH or SFTP server to store the backup files automatically. More information Understanding the security features of the Synergy Composer (page 63) 1.9 High availability features HPE OneView achieves high availability through an appliance cluster that comprises two appliances. The appliances are defined by their role of active or standby. The standby appliance monitors the active appliance and assumes control when contact is lost, protecting against data loss (management data and audit log) if the active appliance fails. In the unlikely event that HPE OneView experiences an outage, the managed resources continue to run. HA also protects against data loss (management data and audit log) if the active appliance fails. More information Best practices: Synergy Composer installation and configuration notes in the online help Maintenance console (page 441) 1.10 Graphical and programmatic interfaces HPE OneView was developed to use a single, consistent resource model embodied in a fast, modern, and scalable HTML5 user interface and industry-standard EST APIs for mobile, secure access, and open integration with other management software. User interface efficiency and simplicity by design The UI is designed for the way you work, providing powerful, easy-to use tools, including the following: Feature Dashboard screen Map view Smart Search box Labels view Scopes view Description Provides a graphical representation of the general health and capacity of the resources in your data center. From the Dashboard you can immediately see the areas that need your attention. Available from each resource, the Map view enables you to examine the configuration and understand the relationships between logical and physical resources in your data center. The banner of every screen includes the Smart Search feature, which enables you to find resource-specific information such as specific instances of resource names, serial numbers, WWNs, and IP and MAC addresses. Available from each resource, the Labels view enables you to organize resources into groups. For example, you might want to identify the servers that are used primarily by the Finance team, or identify the storage systems assigned to the Asia/Pacific division. A grouping of resources that can be used to restrict the range of an operation or action. The resources are arranged by categories. All the resources in these categories can be added to or removed from a scope, including enclosures, server hardware, networks, network sets, interconnects, logical interconnects, and logical interconnect groups. 1.9 High availability features 33

34 Feature Activity feed esource-specific management screens Description The Activity feed gives you a unique perspective into the health of your environment by interleaving the tasks, alerts, and administrator notes into a single view. The Activity feed simplifies the correlation of user activity with system health, allowing for timely resolution of issues. These screens enable you to focus on the resources you are authorized to view and manage. esource group screens enhance scalability by enabling you to manage multiple resources as one. The UI provides on-screen hints and tips to help you avoid and correct errors, and provides links to learn more about the tasks. At the top of each screen, the help icon gives you access to the entire help system. EST APIs automation and integration HPE OneView has a resource-oriented architecture that provides a uniform EST interface. The EST APIs: Provide an industry-standard interface for open integration with other management platforms. Are designed to be ubiquitous every resource has one UI (Uniform esource Identifier) and represents a physical device or logical construct. Enable you to automate anything you can do from the UI using your favorite scripting or programming language. Are designed to be highly scalable. More information Navigating the graphical user interface (page 77) Accessing documentation and help (page 107) HPE OneView EST API Scripting Help 1.11 Integration with other management software To use the integrated management software listed in this section, you must purchase HPE OneView Advanced licenses. For more information, see About licensing (page 161). HPE Integrated Lights-Out HPE OneView interacts seamlessly with the ilo management processor to provide complete management of server hardware. HPE OneView automatically configures the ilo according to the settings specified by the HPE OneView server profile. HPE OneView configures seamless access to the ilo graphical remote console, enabling you to launch the ilo remote console from the HPE OneView UI in a single click. Your ilo privileges are determined by the role assigned to your HPE OneView appliance account. HPE Insight Control Full licenses of HPE OneView Advanced include the right to use HPE Insight Control which delivers essential infrastructure management. Insight Control can save you time and money by making it easy to deploy, migrate, monitor, and optimize your IT infrastructure through a single, simple management console for your ProLiant ML/DL/SL and BladeSystem servers. You can elect to use either HPE OneView or the corresponding license for HPE Insight Control to manage devices. You do not need to purchase two licenses for the same server. However, you cannot operate HPE OneView and Insight Control licenses to manage the same server at the same time. The exception is Insight Control server provisioning, which can be used simultaneously with HPE OneView to manage the same server. 34 Learning about HPE OneView

35 HPE Insight Control is not included in the HPE OneView download or media, but can be downloaded from by using the HPE Insight Control license key provided during the entitlement or fulfillment process. HPE Insight Control server provisioning HPE OneView Advanced includes the right to use Insight Control server provisioning, a capability for multi-server, physical OS provisioning, and server configuration. Insight Control server provisioning software is not included in the HPE OneView media, but can be downloaded from HPE OneView for Microsoft System Center HPE OneView Advanced includes the right to use HPE OneView for Microsoft System Center. HPE OneView for Microsoft System Center fully integrates the HPE management ecosystem into Microsoft System Center, delivering capabilities such as proactive monitoring, remote management and provisioning of HPE servers, networking and storage. HPE OneView for Microsoft System Center can be downloaded from HPE OneView for VMware vcenter HPE OneView Advanced includes the right to use HPE OneView for VMware vcenter, HPE OneView for VMware vcenter/vealize Operations, and HPE OneView for VMware vcenter Log Insight. HPE OneView for VMware fully integrates the HPE management ecosystem to deliver capabilities such as proactive monitoring, deep troubleshooting, remote management, and provisioning of HPE servers, networking, and storage. HPE OneView integrations with VMware can be downloaded from Other management software warnings Do not use external managers, such as HPE Systems Insight Manager (SIM) or third-party management software, to manage hardware that is under management using HPE OneView. Using another external manager can cause errors and unexpected behavior. For example: ilo has a maximum of three trap destinations, one of which is HPE OneView. If external managers define additional trap destinations, ilo removes one of the existing trap destinations. If HPE OneView is the trap destination ilo removes, HPE OneView will no longer receive SNMP traps and will not display server health or lifecycle alerts. NOTE: Third-party tools do not provide a warning, so use caution if those tools make or require configuration changes to the server. If you attempt to change a resource managed by HPE OneView with other HPE management tools such as OM-Based Setup Utility (BSU) or UEFI System Utilities, a warning message displays. If you attempt to change server firmware using SUM, and the firmware baseline associated with the server profile for that server is not set to Managed manually, SUM displays a warning: HPE OneView is managing the server and it is configured for Service Pack for ProLiant version x. It cannot be updated to a different version directly using SUM. If HPE OneView manages the ilo, the ilo login screen displays a warning Integration with other management software 35

36 Figure 1 ilo warning If you attempt to make BIOS or ilo changes in Intelligent Provisioning, a warning displays HPE Synergy Image Streamer HPE Synergy Image Streamer is a management appliance used to deploy and customize operating systems for Synergy servers. Administrators build a library of templates and OS images that can be used for repeatable, reliable, and scalable deployment. HPE OneView and Image Streamer create a stateless server environment where bootable images are separated from the physical servers. With this stateless server environment, you can quickly replace the physical servers without the need to redeploy the operating system. Unified EST API access to Synergy Image Streamer enables programmatic control of its functions. Provisioning can be controlled from the HPE OneView UI or it can be seamlessly integrated into existing scripting processes. More information About HPE Synergy Image Streamer (page 200) HPE Synergy Image Streamer documentation at Open integration The single, consistent resource model, EST APIs, SCMB (State-Change Message Bus), and MSMB (Metric Streaming Message Bus) enable you to use scripting to integrate HPE OneView with other enterprise applications to address user needs and perform tasks such as: Automating standard workflows and troubleshooting steps Automating integrations with other software, such as a CMDB (configuration management database) Connecting to service desks Monitoring resources, collecting data, and mapping and modeling systems Exporting data to formats that suit your needs Attaching custom databases, data warehouses, or third-party business intelligence tools Integrating in-house user customizations The SCMB is an interface that uses asynchronous messaging to notify subscribers of changes to managed resources both logical and physical. For example, you can program applications to receive notifications when new server hardware is added to the managed environment or when the health status of physical resources changes without having to continuously poll the appliance for status using the EST APIs. 36 Learning about HPE OneView

37 More information HPE OneView EST API Scripting Help Using a message bus to send data to subscribers (page 303) 1.13 Open integration 37

38 38

39 2 Understanding the resource model HPE OneView uses a resource model that reduces complexity and simplifies the management of your data center. This model provides logical resources, including templates, groups, and sets, that when applied to physical resources, provides a common structure across your data center. The UI distinguishes between physical and virtual resources by using certain actions. For example: You can create, delete, or copy a logical resource, but not a physical resource You can add or remove a physical resource High-level overview esource model summary diagram (page 40) Server resources Server profile templates (page 57) Server profiles (page 56) Connections (page 41) Connection templates (page 42) Server hardware (page 55) Server hardware types (page 56) OS deployment servers (page 52) Network provisioning resources Enclosure groups (page 45) Enclosure types (page 45) Enclosures (page 44) Interconnect types (page 47) Interconnects (page 46) Logical enclosures (page 47) Logical interconnect groups (page 50) Logical interconnects (page 48) Uplink sets (page 60) Network resources Networks (page 51) Network sets (page 51) Storage resources Storage Systems (page 58) Storage Pools (page 58) Volumes (page 60) Volume Templates (page 61) SAN Managers (page 54) SANs (page 54) Drive Enclosures (page 44) Appliance resources Appliance (page 40) Domains (page 43) Data center power and cooling management resources Data centers (page 42) acks (page 53) Power delivery devices (page 52) Unmanaged devices (page 59) Learn more For a complete list of resources, see the HPE OneView EST API eference in the online help. For information about using HPE OneView, see the other chapters in this guide and the online help. 39

40 2.1 esource model summary diagram The following figure summarizes some of the most frequently used resources and shows the relationships between them. Figure 2 esource model summary diagram Volume Templates Volume Attachments Server Profile Templates Domains Appliance Connection Templates Network Sets SAN Manager Volumes Deployed Targets Server Profiles Connections or Networks SANs Storage Pools Deployment plan Power Delivery Devices SAS Logical JBOD Attach Drive IO Enclosure Adapter Drive Bay Drive Bay SAS Logical JBOD SAS Logical Interconnects SAS Logical Interconnect Groups Storage Systems Deployment Servers Has a type Specified in a server profile Physical resource Logical resource acks Data Centers Server Hardware Server Hardware Types Device Bay Device Bay Enclosures I/O Bay I/O Bay Logical Enclosure Enclosure Groups Enclosure Types SAS Interconnects Interconnects Uplink Sets Logical Interconnect Groups Interconnect Types Uplink Sets Logical Interconnects The UI and EST APIs are organized by resource. The documentation for the UI and EST APIs are also organized by resource. The complete list of resources are included in the HPE OneView EST API eference in the online help. The following sections introduce the resources shown in Figure 2: esource model summary diagram (page 40). More information Understanding the resource model (page 39) 2.2 Appliance The appliance resource defines configuration details specific to the HPE OneView appliance (as distinct from the resources HPE OneView manages). elationship to other resources An appliance resource is associated with the following resources in the resource summary diagram (page 40): Exactly one domain Zero or more instances of the other resources in the summary diagram (page 40) 40 Understanding the resource model

41 UI screens and EST API resources Several EST API resources are related to the appliance and appliance settings. See the resources in the following categories in the HPE OneView EST API eference in the online help: UI screen Settings EST API resource Appliance time, locale, and timezone settings appliance/configuration/timeconfig/locales appliance/configuration/time-locale Appliance device EAD community string appliance/device-read-community-string eset the appliance to the factory defaults appliance Upgrade or patch the appliance firmware appliance/firmware Health of appliance components appliance/health-status Configure and retrieve network information of the appliance appliance/network-interfaces Shut down or restart an appliance appliance/shutdown Generating and downloading support dumps from an appliance appliance/support-dumps Trap destinations in the management appliance appliance/trap-destinations OneView License Status of the End User License Agreement (EULA) and related data appliance/eula More information Managing the appliance (page 259) esource model summary diagram (page 40) Understanding the resource model (page 39) 2.3 Connections A connection is the logical representation of a connection between a server and a network or network set. Connections can be configured in server profiles. A connection specifies the following: The network or network set to which the server is to be connected Configuration overrides (such as a change to the preferred bandwidth) to be made to the default configuration for the specified network or network set Boot order 2.3 Connections 41

42 elationship to other resources A connection resource is associated with the following resources in the resource summary diagram (page 40): Exactly one server profile resource. Exactly one connection template resource. Exactly one network or network set resource. The resources that are available to the connection depend on the configuration of the logical interconnect of the enclosure that contains the server hardware. UI screens and EST API resources UI screen Server Profiles EST API resources connections and server-profiles More information About server profiles (page 142) esource model summary diagram (page 40) Understanding the resource model (page 39) 2.4 Connection templates A connection template defines default configuration characteristics, such as the preferred bandwidth and maximum bandwidth, for a network or network set. When you create a network or network set, HPE OneView creates a default connection template for the network or network set. elationship to other resources A connection template resource is associated with zero or more connection resources. A connection resource is associated with the appropriate connection template for a type of network or network set. UI screens and EST API resources UI screen None EST API resource connection-templates Notes The UI does not display or refer to connection templates, but connection templates determine the default values displayed for the connection when you select a network or network set. More information esource model summary diagram (page 40) Understanding the resource model (page 39) 2.5 Data centers In HPE OneView, a data center represents a physically contiguous area in which racks containing IT equipment such as servers, enclosures, and devices are located. You create a data center to describe a portion of a computer room, summarizing your environment and its power and thermal requirements. A data center resource is often a subset of your entire data center and can include equipment that is not managed by HPE OneView. By representing the physical layout 42 Understanding the resource model

43 of your data center equipment, including unmanaged devices, you can use detailed monitoring information for space planning and determining power and cooling requirements. In HPE OneView, you can: View a 3D model of the data center layout that includes a color-coding scheme to help you identify areas that are too hot or too cold. View temperature history data. More easily locate specific devices for hands-on servicing. elationship to other resources A data center resource is associated with the following resources in the resource summary diagram (page 40): Zero or more racks UI screens and EST API resources UI screen Data Centers EST API resource datacenters More information Managing your data center (page 222) esource model summary diagram (page 40) Understanding the resource model (page 39) 2.6 Domains The domain resource describes the management domain for the appliance. All physical and logical resources managed by the appliance are part of a single management domain. elationship to other resources A domain resource is associated with the following resources in the resource summary diagram (page 40): Exactly one appliance Zero or more instances of the other resources in the summary diagram (page 40) UI screens and EST API resources UI screen None EST API resource domains Notes The UI does not display or refer to domains, but the domain resource provides information about limits such as the total number of networks that you can add to the appliance. You can use the domains EST API to obtain information about the domain. More information esource model summary diagram (page 40) Understanding the resource model (page 39) 2.6 Domains 43

44 2.7 Drive Enclosures Drive enclosures are hardware devices that contain a set of drive bays. A drive enclosure is installed in a device bay of an enclosure, and provides composable storage to servers. Server profile templates or server profiles allow you to automatically apply storage resource configuration to the storage devices within the drive enclosure. In the resource model: Drive enclosures are associated with the frame (enclosure) in which they are installed. Drive enclosures are associated with a logical JBOD, which is defined in a server profile, and which specifies attachments to server hardware. elationship to other resources A drive enclosure is associated with the following resources in the resource model summary diagram (page 40): One enclosure in which it is installed through one logical enclosure. One or more server profiles though logical JBODs, which specify which volumes in the drive enclosure are attached to specific server hardware. One or two SAS interconnects, through a logical interconnect. UI screens and EST API resources UI screen Drive Enclosures EST API resource drive-enclosures More information Drive enclosures (page 228) esource model summary diagram (page 40) Understanding the resource model (page 39) 2.8 Enclosures An enclosure is a physical structure with device bays supporting server, networking, and storage building blocks. These building blocks share the enclosure's common power, cooling, and management infrastructure. The enclosure provides the hardware connections between the interconnect downlinks and the installed servers. The enclosure interconnects provide the physical uplinks to the data center networks. When you set up an HPE Synergy Frame, HPE OneView discovers and adds all of the components within the enclosure, including any installed servers and any installed interconnects. elationship to other resources An enclosure resource is associated with the following resources in the resource summary diagram (page 40): One logical enclosure Exactly one enclosure group Zero or more physical interconnects One or more logical interconnects and one or more logical interconnect groups (through the enclosure s association with an enclosure group and interconnects) 44 Understanding the resource model

45 Zero or one rack resource Zero or more power delivery devices UI screens and EST API resources UI screen Enclosures EST API resource enclosures More information Managing enclosures (page 195) esource model summary diagram (page 40) Understanding the resource model (page 39) 2.9 Enclosure groups An enclosure group is a template that defines a consistent configuration for a logical enclosure. Network connectivity for an enclosure group is defined by the logical interconnect groups associated with the enclosure group. Using enclosure groups, you can quickly add many enclosures and have them configured into identical logical enclosures. elationship to other resources An enclosure group resource is associated with the following resources in the resource summary diagram (page 40): Zero or more logical enclosures Zero or more server profiles Zero or more logical interconnect groups UI screens and EST API resources UI screen Enclosure Groups EST API resource enclosure-groups More information Managing enclosure groups (page 204) esource model summary diagram (page 40) Understanding the resource model (page 39) 2.10 Enclosure types An enclosure type defines characteristics of a specific Hewlett Packard Enterprise enclosure hardware model, such as an HPE Synergy Frame. elationship to other resources An enclosure type resource is associated with zero or more enclosures. 2.9 Enclosure groups 45

46 UI screens and EST API resources UI screen None EST API resource None Notes The UI does not refer to enclosure type, but the enclosure type is used by HPE OneView when you add an enclosure. The enclosures EST resource includes an enclosuretype attribute. More information esource model summary diagram (page 40) Understanding the resource model (page 39) 2.11 Interconnects An interconnect is a physical resource that enables communication between hardware in the enclosure and the data center Ethernet LANs and Fibre Channel SANs. An interconnect has the following types of ports: Port type Uplinks Downlinks Stacking links Interconnect Link Ports Description Uplinks are physical ports that connect the interconnect to the data center networks. For example, the Q1 port of an HPE Virtual Connect SE 40Gb Module for HPE Synergy is an uplink. Downlinks are physical ports that connect the interconnect to the server hardware through the enclosure midplane. Stacking links are external physical ports that join interconnects to provide redundant paths for Ethernet traffic from servers to the data center networks. Stacking links are based on the configuration of the associated logical interconnect group. Physical ports linking Interconnect Link Modules and an HPE VC SE 40Gb F8 Module to provide seamless support for a multi-frame solution. In the resource model: Interconnects that are managed are put in a Configured state when the HPE Synergy frame is configured by creating a logical enclosure. An unmanaged interconnect remains in the Monitored state when the HPE Synergy frame is configured by creating a logical enclosure. Interconnects are defined by a logical interconnect group, which in turn defines the logical interconnect configuration to be used for an enclosure. The physical interconnect configuration in the enclosure must match the logical interconnect group configuration before an interconnect can be managed. For an interconnect to be usable, it must be installed in an enclosure and must be defined as part of a logical interconnect. Each physical interconnect can contribute physical uplink ports to an uplink set. Firmware baselines and firmware updates for physical interconnects are managed by the logical interconnect. Serial Attached SCSI (SAS) interconnects, used to connect to storage, have their own logical interconnect group and logical interconnect. 46 Understanding the resource model

47 elationship to other resources An interconnect resource is associated with the following resources in the resource summary diagram (page 40): Exactly one enclosure One or more logical interconnects, and, through that logical interconnect, one or more logical interconnect groups UI screens and EST API resources UI screen Interconnects EST API resources interconnects, interconnect-types, and logical-interconnects More information Managing enclosure interconnect hardware (page 171) esource model summary diagram (page 40) Understanding the resource model (page 39) 2.12 Interconnect types The interconnect type resource defines the characteristics of a model of interconnect, such as the following: Downlink capabilities and the number of downlink ports Uplink port capabilities and the number of uplink ports Supported firmware versions elationship to other resources An interconnect type resource is associated with the following resources in the resource summary diagram (page 40): Zero or more interconnects UI screens and EST API resources UI screen Interconnects EST API resource interconnect-types Notes The UI does not display or refer to the interconnect type resource specifically, but the information is used by HPE OneView when you add or manage an interconnect using the Interconnects screen. More information esource model summary diagram (page 40) Understanding the resource model (page 39) 2.13 Logical enclosures A logical enclosure contains the configuration intended for a set of physical enclosures. If the intended configuration in the logical enclosure does not match the actual configuration on the enclosure, the logical enclosure becomes inconsistent Interconnect types 47

48 You must manually create a logical enclosure for HPE Synergy frames for HPE OneView to manage them. elationship to other resources A logical enclosure resource is associated with the following resources in the resource summary diagram (page 40): One or more enclosures, and through the enclosure(s), one enclosure group UI screens and EST API resources UI screen Logical Enclosures EST API resource logical-enclosures More information Managing logical enclosures (page 207) esource model summary diagram (page 40) Understanding the resource model (page 39) 2.14 Logical interconnects A logical interconnect is a single entity for multiple physical interconnects A logical interconnect is a single administrative entity that consists of the configuration for a set of interconnects in an enclosure. This configuration includes: Interconnects, which are required for the enclosure to connect to data center networks. Uplink sets, which map data center networks to physical uplink ports. If no uplink sets are defined, the logical interconnect cannot connect to data center networks, and the servers attached to the downlinks of the logical interconnect cannot connect to data center networks. Downlink ports, which connect through the enclosure midplane to the servers in the enclosure. A logical interconnect includes all of the physical downlinks of all of the member interconnects. The downlinks connect the interconnects to physical servers. The set of downlinks that share access to a common set of networks is called logical downlinks. Internal networks, which are used for server-to-server communications without traffic egressing any uplinks. Stacking links, if used, join interconnects through external cables between the external ports of the interconnects. The firmware baseline, which specifies the firmware version to be used by all of the member interconnects. The firmware baseline for physical interconnects is managed by the logical interconnect. A Serial Attached SCSI (SAS) logical interconnect connects storage hardware and servers. A SAS logical JBOD, a group of physical disk drives, is assigned to server hardware from server profiles or server profile templates. 48 Understanding the resource model

49 The Network administrator configures multiple paths from server bays to networks The Network administrator can ensure that every server bay of an enclosure has two independent paths to an Ethernet data center network by creating a logical interconnect for which the following conditions are true: The logical interconnect has at least two interconnects that are joined by stacking links, or two interconnects are defined in separate logical interconnect groups. The logical interconnect has at least one uplink set that includes uplinks to the network from at least two physical interconnects. HPE OneView detects and reports a configuration or state in which there is only one path (no redundant paths) to a network or in which there are no paths to a network. The Server administrator is not required to know the details about interconnect configurations Because a logical interconnect is managed as a single entity, the server administrator is isolated from the details of interconnect configurations. For example, if the network administrator configures the logical interconnect to ensure redundant access from each server bay in the enclosure to each Ethernet data center network, the server administrator must only ensure that a server profile includes two connections to a network or to a network set that includes that network. elationship to other resources A logical interconnect resource is associated with the following resources in the resource summary diagram (page 40): Zero or more interconnects. For a logical interconnect to be usable, it must include at least one interconnect. If there are zero interconnects, the enclosure and its contents do not have any uplinks to the data center networks. One or more logical interconnect groups associated with an enclosure group, which define the initial configuration of the logical interconnects. Zero or more uplink sets, which associate zero or more uplink ports and zero or more networks. Zero or one logical enclosure UI screens and EST API resources UI screen Logical Interconnects EST API resource logical-interconnects and logical-downlinks Notes You use the logical-downlinks EST API to obtain information about the common set of networks and capabilities available to a downlink. More information Managing logical interconnects and logical interconnect groups (page 173) esource model summary diagram (page 40) Understanding the resource model (page 39) 2.14 Logical interconnects 49

50 2.15 Logical interconnect groups The logical interconnect group is a template that defines the physical and logical configuration of the interconnects that are configured together to form a logical interconnect. This configuration includes the following: The interconnect types, interconnect configurations, and interconnect downlink capabilities The interconnect ports used for stacking links The uplink sets, which map uplink ports to Ethernet or Fibre Channel networks The available networks based on the uplink sets and internal networks In the resource model: A logical interconnect group or groups is associated with an enclosure group instead of an individual enclosure. A multiple-enclosure logical interconnect group must match the interconnect link topology within the set of linked enclosures. All bays must be properly populated in all enclosures in the interconnect link topology. A Serial Attached SCSI (SAS) logical interconnect group is a single-enclosure logical interconnect group which can be applied to individual bays in individual enclosures in the interconnect link topology. The uplink sets defined by the logical interconnect group establish the initial configuration for uplink sets for each logical interconnect in the enclosure group. If you change uplink sets for an existing logical interconnect group: Only enclosures that you add after the configuration change are configured with the new uplink set configuration. Existing logical interconnects are reported as not being consistent with the logical interconnect group. You can then request that those existing logical interconnects be updated with the new configuration. After a logical interconnect has been created and associated with a logical interconnect group, it continues to be associated with that group and reports if its configuration differs from the group. You can then change the configuration of the logical interconnect to match the group. elationship to other resources A logical interconnect group resource is associated with the following resources in the resource summary diagram (page 40): Zero or more logical interconnects Zero or more enclosure groups The uplink sets defined by a logical interconnect group specify the initial configuration of the uplink sets of each logical interconnect in the group. UI screens and EST API resources UI screen Logical Interconnect Groups EST API resource logical-interconnect-groups More information Managing logical interconnects and logical interconnect groups (page 173) esource model summary diagram (page 40) 50 Understanding the resource model

51 Understanding the resource model (page 39) 2.16 Networks A network represents a Fibre Channel, Ethernet, or Fibre Channel over Ethernet (FCoE) network in the data center. elationship to other resources A network resource is associated with the following resources in the resource summary diagram (page 40): Zero or more connections Zero or one uplink set per logical interconnect For tagged, Ethernet networks, zero or more network sets UI screens and EST API resources UI screen Networks EST API resource fc-networks or ethernet-networks or fcoe-networks More information Managing networks and network resources (page 165) esource model summary diagram (page 40) Understanding the resource model (page 39) 2.17 Network sets A network set represents a group of tagged, Ethernet networks identified by a single name. Network sets are used to simplify server profile configurations and server profile templates. When a connection in a server profile specifies a network set, it can access any of the member networks. Additionally, if networks are added to or deleted from a network set, server profiles that specify the network set are isolated from the change. One common use for network sets is as a trunk for multiple VLANs to a vswitch. In the resource model: A network set can contain zero or more tagged, Ethernet networks. A tagged, Ethernet network can be a member of zero or more network sets. A connection in a server profile can specify either a network or a network set. A network set cannot be a member of an uplink set. Other configuration rules apply. elationship to other resources A network set resource is associated with the following resources in the resource summary diagram (page 40): Zero or more connections, and, through those connections, zero or more server profiles Zero or more Ethernet networks 2.16 Networks 51

52 UI screens and EST API resources UI screen Network Sets EST API resource network-sets More information About network sets (page 166) esource model summary diagram (page 40) Understanding the resource model (page 39) 2.18 OS deployment servers An OS deployment server is a resource that enables you to deploy (install and configure) operating systems for use by servers. HPE OneView connects to an OS deployment server and configures it for deploying operating systems. An HPE Synergy Image Streamer appliance hosts software used to deploy and customize operating systems for use by Synergy servers. HPE OneView manages the OS deployment server after it is configured and displays the list of attributes, management settings, the OS deployment plans, and the server profiles that reference the available OS deployment plans. elationship to other resources An OS deployment server is associated with the following resources in the resource model summary diagram (page 40): One Synergy Image Streamer management network to connect the Synergy Image Streamer and Synergy Composer appliances. One Synergy Image Streamer OS deployment network through which iscsi traffic flows between servers and volumes deployed by Synergy Image Streamer. One or more logical interconnect groups. Exactly one enclosure group. Exactly one logical enclosure. One or more server profiles with server-specific settings for OS deployment. One Synergy Image Streamer OS deployment plan through deployed targets. UI screens and EST API resources UI screen OS Deployment Servers EST API resource deployment-servers More information Managing OS Deployment servers (page 225) HPE Synergy Image Streamer documentation at esource model summary diagram (page 40) Understanding the resource model (page 39) 2.19 Power delivery devices A power delivery device is a physical resource that delivers power from the data center service entrance to the rack components. You create the power distribution device objects to describe 52 Understanding the resource model

53 the power source for one or more components in the rack. Power delivery devices can include power feeds, breaker panels, branch circuits, PDUs, outlet bars, outlets, and UPS devices. For a complete list of power delivery devices, see the screen details online help for the Power Delivery Devices screen. elationship to other resources A power delivery device resource is associated with the following resources in the resource summary diagram (page 40): Zero or more racks Zero or more unmanaged devices UI screens and EST API resources UI screen Power Delivery Devices EST API resource power-devices 2.20 acks More information Managing power (page 221) esource model summary diagram (page 40) Understanding the resource model (page 39) A rack is a physical structure that contains IT equipment such as enclosures, servers, power delivery devices, and unmanaged devices in a data center. By describing the physical location, size, and thermal limit of equipment in the racks, you enable space and power planning and power analysis features for your data center. elationship to other resources A rack resource is associated with the following resources in the resource summary diagram (page 40): Zero or one data centers Zero or more enclosures Zero or more instances of server hardware Zero or more unmanaged devices Zero or more power delivery devices UI screens and EST API resources UI screen acks EST API resource racks More information Managing power (page 221) esource model summary diagram (page 40) Understanding the resource model (page 39) 2.20 acks 53

54 2.21 SAN Managers SAN Managers enables you to bring systems that manage SANs under management of HPE OneView. When you add a SAN manager to HPE OneView, the SANs that it manages become available to associate with HPE OneView networks that you can attach to server profiles. In the resource model: SAN managers are not associated with HPE OneView resources directly. The SANs they manage (known as managed SANs) can be associated with HPE OneView networks, which can then be configured in server profiles. elationship to other resources The SAN managers resource is associated with the following resources in the resource model summary diagram (page 40): A managed SAN on a SAN manager can be associated with one HPE OneView network, which can be associated with one server profile. UI screens and EST API resources UI screen SAN Managers EST API resource device-managers 2.22 SANs More information SAN Managers (page 231) esource model summary diagram (page 40) Understanding the resource model (page 39) SANs are discovered by SAN Managers and become managed when they are associated with HPE OneView networks. Server profile attachments to volumes over SANs auto configure the server, SAN zoning, and storage system enabling the server to access the volume. SANs are made available to HPE OneView when the SAN manager to which they belong is added. In the resource model: SANs are associated with the SAN Manager on which they reside. SANs can be associated with one or more Fibre Channel (FC) or Fibre Channel over Ethernet (FCoE) networks. elationship to other resources The SANs resource is associated with the following resources in the resource model summary diagram (page 40): A managed SAN on a SAN manager can be associated with one or more Fibre Channel (FC) and/or one or more Fibre Channel over Ethernet (FCoE) network. UI screens and EST API resources UI screen SANs EST API resource fc-sans 54 Understanding the resource model

55 More information SANs (page 233) esource model summary diagram (page 40) Understanding the resource model (page 39) 2.23 Server hardware Server hardware represents an instance of server hardware. For information about the supported server hardware, see the HPE OneView Support Matrix for HPE Synergy. elationship to other resources A server hardware resource is associated with the following resources in the resource summary diagram (page 40): Zero or one server profile. If a server does not have a server profile assigned, you cannot perform actions that require the server profile resource, such as managing firmware or connecting to data center networks. However, you can: Add the managed server hardware to HPE OneView, including automatically updating the server firmware to the minimum version required for management by HPE OneView. NOTE: Attempts to add monitored servers with less than the minimum firmware version required by HPE OneView will fail, and the firmware must be updated outside of HPE OneView, for example, with Smart Update Manager. View inventory data. Power on or power off the server. Launch the ilo remote console. Monitor power, cooling, and utilization. Monitor health and alerts. Exactly one server hardware type. Exactly one device bay of an enclosure. This association also applies to full-height server blades, which occupy two device bays but are associated with the top bay only. UI screens and EST API resources UI screen Server Hardware EST API resource server-hardware Notes You use the server hardware resource, not the server profile resource, to perform actions such as powering off or powering on the server, resetting the server, and launching the HPE ilo remote console. You can launch the ilo remote console through the UI. The EST APIs do not include an API to launch the ilo remote console. More information Managing server hardware (page 135) esource model summary diagram (page 40) 2.23 Server hardware 55

56 Understanding the resource model (page 39) 2.24 Server hardware types A server hardware type captures details about the physical configuration of server hardware, and defines which settings are available to the server profiles assigned to that type of server hardware. For example, the server hardware type for the HPE Synergy 480 Gen9 Compute Module includes a complete set of default BIOS settings for that server blade hardware configuration. When you add an enclosure to HPE OneView, HPE OneView detects the servers installed in the enclosure and creates a server hardware type for each unique server configuration it discovers. When you add a unique rack mount server model, HPE OneView creates a new server hardware type for that server configuration. elationship to other resources A server hardware type resource is associated with the following resources in the resource summary diagram (page 40): Zero or more server profiles Zero or more server profile templates Zero or more servers of the type defined by that server hardware type UI screens and EST API resources UI screen Server Hardware Types EST API resource server-hardware-types More information About server hardware types (page 138) esource model summary diagram (page 40) Understanding the resource model (page 39) 2.25 Server profiles Server profiles capture key aspects of the server configuration in one place, enabling you to provision converged infrastructure hardware quickly and consistently according to your best practices. A server profile can contain the following configuration information about the server hardware: Basic server identification information Operating system deployment settings Firmware versions Connections to Ethernet networks, Ethernet network sets, FCoE networks, and Fibre Channel networks Local storage SAN storage Boot settings BIOS settings Physical or virtual UUIDs (universally unique identifiers), MAC (media access control) addresses and WWN (World Wide Name) addresses 56 Understanding the resource model

57 elationship to other resources A server profile is associated with the following resources in the resource summary diagram (page 40): Zero or one server profile template Zero or more connection resources. You use a connection resource to specify connection from the server to a network or network set. If you do not specify at least one connection, the server cannot connect to data center networks. The networks and network sets that are available to a server profile connection depend on the configuration of the logical interconnect of the enclosure that contains the server hardware. Zero or one server hardware resource. Exactly one server hardware type resource. Exactly one enclosure group resource. To enable portability of server profiles, a server profile is associated with an enclosure group resource instead of an enclosure resource. Because enclosures in the enclosure group are configured identically, you can assign a server profile to any appropriate server hardware, regardless of which enclosure and bay in the enclosure group contains that server hardware. UI screens and EST API resources UI screen Server Profiles EST API resource server-profiles More information Managing server profiles (page 141) esource model summary diagram (page 40) Understanding the resource model (page 39) 2.26 Server profile templates Server profile templates help to monitor, flag, and update server profiles in HPE OneView. A server profile template defines the source for the configuration of: Firmware versions Connections to Ethernet networks, Ethernet network sets, and Fibre Channel networks Local storage SAN storage Boot settings BIOS settings Profile affinity elationship to other resources A server profile template is associated with the following resource in the resource summary diagram (page 40): Zero or more server profile resources. Zero or more connection resources Server profile templates 57

58 Exactly one server hardware type resource. Exactly one enclosure group resource. To enable portability of server profiles, a server profile is associated with an enclosure group resource instead of an enclosure resource. Because enclosures in the enclosure group are configured identically, you can assign a server profile to any appropriate server hardware, regardless of which enclosure and bay in the enclosure group contains that server hardware. UI screens and EST API resources UI screen Server Profile Templates EST API resource server-profile-templates More information Managing server profile templates (page 155) esource model summary diagram (page 40) Understanding the resource model (page 39) 2.27 Storage Pools A storage pool exists on a storage system and contains volumes. Storage pools are created on a storage system using the management software for that system. After you add a storage pool to HPE OneView, you can add existing volumes or create new volumes. In the resource model: A storage pool exists on only one storage system. A storage pool can contain zero or more volumes. A storage pool can be associated with zero or more volume templates. elationship to other resources A storage pool resource is associated with the following resources in the resource model summary diagram (page 40): One storage system, and through it, zero or more volumes, which can be connected to zero or more server profiles UI screens and EST API resources UI screen Storage Pools EST API resource storage-pools More information Storage pools (page 229) esource model summary diagram (page 40) Understanding the resource model (page 39) 2.28 Storage Systems You can connect supported storage systems to HPE OneView to manage storage pools and volumes. 58 Understanding the resource model

59 In the resource model: A storage system can have zero or more storage pools. A storage system can have zero or more volumes in each storage pool. elationship to other resources A storage system resource is associated with the following resources in the resource model summary diagram (page 40): Zero or more storage pools, and through those storage pools, zero or more volumes. Zero or more server profiles, through zero or more volumes. UI screens and EST API resources UI screen Storage Systems EST API resource storage-systems More information Storage systems (page 228) esource model summary diagram (page 40) Understanding the resource model (page 39) 2.29 Unmanaged devices An unmanaged device is a physical resource that is located in a rack or consumes power but is not currently managed by HPE OneView. Some unmanaged devices are unsupported devices that cannot be managed by HPE OneView. All devices connected to an Intelligent Power Distribution Unit (ipdu) using an Intelligent Power Discovery (IPD) connection are added to HPE OneView as unmanaged devices. Other devices that do not support IPD such as KVM switches, routers, in-rack monitors and keyboards are not added to the list of unmanaged devices automatically. To include these devices in HPE OneView, you can add them manually and describe their names, rack positions, and power requirements. elationship to other resources An unmanaged device resource is associated with the following resources in the resource summary diagram (page 40): Zero or more racks Zero or more power delivery devices UI screens and EST API resources UI screen Unmanaged Devices EST API resource unmanaged-devices Notes You can view, add, or edit the properties of unmanaged devices using either the UI or the EST APIs. To delete an unmanaged device, you must use the EST APIs. More information About unmanaged devices (page 138) 2.29 Unmanaged devices 59

60 esource model summary diagram (page 40) Understanding the resource model (page 39) 2.30 Uplink sets An uplink set assigns data center networks to uplink ports of interconnects. The uplinks must be from physical interconnects that are members of the logical interconnect to which the uplink set belongs. An uplink set is part of a logical interconnect. For each logical interconnect: An uplink set cannot include a network set. A network can be a member of one uplink set per logical interconnect group. An uplink set can contain one Fibre Channel network. An uplink set can contain multiple Ethernet networks. An uplink set can contain one or more FCoE networks, but the uplinks must be contained within a single FCoE-capable interconnect. Internal networks allow server-to-server connectivity within the logical interconnect. Internal networks are created by adding existing networks to internal networks and not associating them with an uplink set. If you add an internal network to an uplink set, the network is automatically removed from the internal networks. Uplink sets that support connections to Synergy Image Streamer in a multi-frame configuration must be assigned the type Image Streamer to correctly configure the associated ports. Image Streamer uplink sets consist of one network and four uplink ports. An uplink set in a single-frame Image Streamer configuration must be assigned the type Ethernet and use one uplink port. elationship to other resources An uplink set is part of a logical interconnect or a logical interconnect group. The uplink sets defined by a logical interconnect group specify the configuration for uplink sets used by logical interconnects that are members of the group. If the uplink sets of a logical interconnect do not match the uplink sets of the logical interconnect group, HPE OneView notifies you that the logical interconnect is not consistent with its group. UI screens and EST API resources UI screen Logical Interconnects or Logical Interconnect Groups EST API resource uplink-sets More information About uplink sets (page 174) Managing logical interconnects and logical interconnect groups (page 173) esource model summary diagram (page 40) Understanding the resource model (page 39) 2.31 Volumes A volume is a virtual disk allocated from a storage pool. A server profile can define the attachment of a server to a volume. In the resource model: A volume exists in only one storage pool, which exists on only one storage system. A volume can be attached to zero, one, or many server profiles. 60 Understanding the resource model

61 elationship to other resources A volume resource is associated with the following resources in the resource model summary diagram (page 40): One storage pool, and through it, one storage system Zero, one, or many server profiles through volume attachments UI screens and EST API resources UI screen Volumes EST API resource storage-volumes More information Volumes (page 230) esource model summary diagram (page 40) Understanding the resource model (page 39) 2.32 Volume Templates A volume template defines the settings for the volumes created from it. Use a volume templates to create multiple volumes with the same configuration. In the resource model: A volume template can be associated with one storage pool. elationship to other resources A volume template resource is associated with the following resources in the resource model summary diagram (page 40): One storage pool, which can have zero, one, or many volume templates associated with it UI screens and EST API resources UI screen Volume Templates EST API resource storage-volume-templates More information Volume templates (page 231) esource model summary diagram (page 40) Understanding the resource model (page 39) 2.32 Volume Templates 61

62 62

63 3 Understanding the security features of the Synergy Composer HPE OneView runs on a dedicated Synergy Composer (management software embedded into the hardware). HPE OneView is configured to be secure-hardened out-of-the-box. Only Transport Layer Security (TLS) protocols are now supported for GUI, EST API, and message bus access. Any reference in the documentation to "SSL" should be understood to mean "TLS" protocols. 3.1 About security hardening The following are the secure (hardened) features of HPE OneView: Best practice operating system security guidelines are followed: HPE OneView minimizes its vulnerability by running only the services required to provide functionality. HPE OneView enforces mandatory access controls. HPE OneView maintains a firewall that allows traffic on specific ports and blocks all unused ports. See Ports required for HPE OneView (page 74) for the list of network ports used. Key services run only with the required privileges; they do not run as privileged users. The operating system bootloader is password protected. HPE OneView cannot be compromised by someone attempting to boot in single-user mode. There are no users allowed at the operating system level (no interactive OS logins are allowed). Users interact with HPE OneView strictly through: EST APIs (either programmatically or through the graphical user interface) the State Change Message Bus (AMPQ interface) a captive CLI shell used to access unmanaged interconnects HPE OneView is designed to operate entirely on an isolated management LAN. Access to the production LAN is not required. BAC (role-based access control) enables an administrator to quickly establish access control and authorization for users based on their responsibilities for specific resources. BAC also simplifies what is shown in the UI: Users can initiate actions only for the resources for which they are authorized. For example, users with the role of Network administrator can initiate actions for the network resources only, and users with the role of Server administrator can initiate actions for the server resources only. Users with the role of Infrastructure administrator have full access to all screens and actions. HPE OneView supports integration with Microsoft Active Directory or OpenLDAP for user authentication. Local HPE OneView user accounts can be completely disabled when enterprise directories are in use. See About directory service authentication (page 242) for more information. HPE OneView enforces a password change at first login. The default password cannot be used again. 3.1 About security hardening 63

64 HPE OneView supports self-signed certificates and certificates issued by a certificate authority. HPE OneView is initially configured with a self-signed certificate. As the Infrastructure administrator, you can generate a CS (certificate signing request) and, upon receipt, upload the certificate. This ensures the integrity and authenticity of your HTTPS connection to the Synergy Composer. A UI that restricts access from host operating system users. All browser operations and EST API calls use HTTPS. All weak SSL (Secure Sockets Layer) ciphers are disabled. The firmware image of the Synergy Composer is digitally signed by HPE. When re-imaging the Composer in order to quickly bring it to a specific firmware revision level, the digital signature is verified by the re-imaging process. This ensures the authenticity and integrity of the image. HPE OneView supports a secure update procedure for installing patches or upgrading to the next version. The updates are digitally signed by HPE and the update procedure verifies the digital signature. The signature and verification ensures the authenticity and integrity of software updates. Data downloads are restricted to support dump files (encrypted by default), proprietary backup files, audit logs, and certificates. Backup files and transaction logs are proprietary. Support dumps are encrypted by default, but an Infrastructure administrator has the option to not encrypt them. Support dumps are automatically encrypted when a user with another role creates them, to protect customer information. HPE OneView supports Service console access which enables an HPE Support representative to obtain, with customer permission, a one-time password for privileged access to the Synergy Composer in order to perform advanced diagnostics. See Enable or disable authorized services access (page 75). Hewlett Packard Enterprise closely monitors security bulletins for threats to HPE OneView software components and, if necessary, issues software updates. 64 Understanding the security features of the Synergy Composer

65 3.2 Best practices for maintaining a secure Synergy Composer The following table comprises a partial list of security best practices that Hewlett Packard Enterprise recommends in both physical and virtual environments. Differing security policies and implementation practices make it difficult to provide a complete and definitive list. Topic Accounts Certificates Best Practice Limit the number of local accounts. Integrate HPE OneView with an enterprise directory solution such as Microsoft Active Directory or OpenLDAP. Use certificates signed by a trusted certificate authority (CA), if possible. HPE OneView uses certificates to authenticate and establish trust relationships. One of the most common uses of certificates is when a connection from a web browser to a web server is established. The machine level authentication is carried out as part of the HTTPS protocol, using TLS. Certificates can also be used to authenticate devices when setting up a communication channel. HPE OneView supports self-signed certificates and certificates issued by a CA. HPE OneView is initially configured with self-signed certificates for the web server and message broker software. Hewlett Packard Enterprise advises customers to examine their security needs (that is, to perform a risk assessment) and consider the use of certificates signed by a trusted CA. For the highest level of security, Hewlett Packard Enterprise recommends that you use certificates signed by a trusted certificate authority: Ideally, you should use your company's existing CA and import their trusted certificates. The trusted root CA certificate should be deployed to user s browsers that will contact systems and devices that will need to perform certificate validation. If your company does not have its own certificate authority, then consider using an external CA. There are numerous third-party companies that provide trusted certificates. You will need to work with the external CA to have certificates generated for specific devices and systems and then import these trusted certificates into the components that use them. As the Infrastructure administrator, you can generate a CS (certificate signing request) and, upon receipt, upload the certificate to the HPE OneView web server. This ensures the integrity and authenticity of your HTTPS connection to the Synergy Composer. Certificates can also be uploaded for the database and message broker. For more information, see Using a certificate authority (page 71). Network Hewlett Packard Enterprise recommends creating a private management LAN and keeping that separate from production LANs, using VLAN or firewall technology (or both). Management LAN Grant management LAN access to authorized personnel only. For example, Infrastructure administrators, Network administrators, and Server administrators. Do not connect management systems (for example, the Synergy Composer, the ilo) directly to the Internet. If you require inbound Internet access, use a corporate VPN (virtual private network) that provides firewall protection. For outbound Internet access (for example, for emote Support), use a secured web proxy. To set the web proxy, see Preparing for remote support registration or Configure the proxy settings in the online help for more information. 3.2 Best practices for maintaining a secure Synergy Composer 65

66 Topic Nonessential services Passwords oles Service Management Updates Managed Environment Best Practice HPE OneView is preconfigured so that nonessential services are removed or disabled in its management environment. Ensure that you continue to minimize services when you configure host systems, management systems, network devices (including network ports not in use) to significantly reduce the number of ways your environment could be attacked. Hewlett Packard Enterprise recommends that you integrate HPE OneView with an enterprise directory such as Microsoft Active Directory or OpenLDAP and disable local HPE OneView accounts. Your enterprise directory can then enforce common password management policies such as password lifetime, password complexity, and minimum password length. Clearly define, and assign roles to users according to the access they need to perform their tasks. The Infrastructure administrator role should be reserved for the highest access. Consider using the practices and procedures, such as those defined by the Information Technology Infrastructure Library (ITIL). For more information, see the following website: Sign up for HPE OneView bulletins at Install updates for all components in your environment on a regular basis. Educate administrators about changes to their roles and responsibilities. estrict access to console to authorized users. For more information, see Controlling access to the Synergy Composer console (page 74) If you use an Intrusion Detection System (IDS) solution in your environment, ensure that the solution has visibility into network traffic in the virtual switch. Maintain a zone of trust, for example, a DMZ (demilitarized zone) that is separate from production machines. Ensure proper access controls on Fibre Channel devices. Use LUN masking on both storage and compute hosts. Ensure that LUNs are defined in the host configuration, instead of being discovered. Use hard zoning (which restricts communication across a fabric) based on port WWNs (Worldwide Names), if possible. Ensure that communication with the WWNs is enforced at the switch-port level. 3.3 Creating a login session You create a login session when you log in to HPE OneView through the browser or some other client (for example, using the EST API). Additional requests to HPE OneView use the session ID, which must be protected because it represents the authenticated user. A session remains valid until you log out or the session times out (for example, if a session is idle for a longer period of time than the session idle timeout value). The default timeout value is 24 hours. To change the value on a per-session basis, use POST /rest/sessions/idle-timeout. 3.4 Authentication for Synergy Composer access Access to HPE OneView requires authentication using a user name and password. User accounts are configured in HPE OneView or in an enterprise directory. All access (browser and EST APIs), including authentication, occurs over SSL to protect the credentials during transmission over the network. 66 Understanding the security features of the Synergy Composer

67 3.5 Controlling access for authorized users Access to HPE OneView is controlled by roles, which describe what an authenticated user is permitted to do. Each user must be associated with at least one role Specifying user accounts and roles User login accounts in HPE OneView must be assigned a role, which determines what the user has permission to do. For information on each role, and the capabilities these roles provide, see About user roles (page 236). For information on how to add, delete, and edit user accounts, see the online help Mapping of SSO roles for ilo HPE OneView enables SSO (single sign-on) to ilo without storing user-created ilo credentials. The following table describes the mapping of roles between HPE OneView and ilo. HPE OneView role Infrastructure administrator Server administrator Network administrator ead only Backup administrator Storage administrator SSO to ilo roles Admin Admin User User None User HPE OneView roles See About user roles (page 236). ilo roles Administrator privileges enable assigning all administrative rights for server reset, remote console, and login tasks. User privileges have access restrictions, based on IP address, DNS name, or time Mapping HPE OneView interactions with ilo and ipdu HPE OneView performs configurations on the ilo and ipdu. The following table summarizes how HPE OneView interacts with these devices. For firewall information, see Ports required for HPE OneView (page 74). Protocol or interaction Description Use ilo Configure Configure Use ipdu Configure NTP Configures NTP SNMP Enables and configures SNMP to collect information SNMP traps Enables and configures SNMP traps sent to HPE OneView 3.5 Controlling access for authorized users 67

68 Protocol or interaction Description Use ilo Configure Configure Use ipdu Configure HTTPS (IBCL/SOAP/JSON) 1 Collects information (the specific protocol varies, but all use SSL) emote Console Links from the UI to the ilo emote Console SSH Not used Telnet Not used XML reply Collects generic system information SSO Enables and configures an SSO certificate for UI access. See Mapping of SSO roles for ilo (page 67) for the privileges that are granted. HPE OneView user account Configures and manages the system using an administrator-level user account (and randomly generated password) 1 SSL encrypts traffic on the network, but does not authenticate the remote system's certificate. 3.6 Protecting credentials Local user account passwords are stored using a salted hash; that is, they are combined with a random string, and then the combined value is stored as a hash. A hash is a one-way algorithm that maps a string to a unique value so that the original string cannot be retrieved from the hash. Passwords are masked in the browser. When transmitted between HPE OneView and the browser over the network, passwords are protected by SSL. Local user account passwords must be a minimum of eight characters, with at least one uppercase character. HPE OneView does not enforce additional password complexity rules. Site security policy determines password strength and expiration (see Best practices for maintaining a secure Synergy Composer (page 65)). Hewlett Packard Enterprise recommends that you integrate an external authentication directory service (also known as an enterprise directory) with HPE OneView. The directory service will enforce password management policies such as minimum length and complexity. 3.7 Understanding the audit log The audit log contains a record of actions performed on HPE OneView, which you can use for individual accountability. You must have Infrastructure administrator privileges to download the audit log. For information on downloading the audit log from the UI, see Download audit logs (page 271). Monitor the audit logs because they are rolled over periodically to prevent them from getting too large. Download the audit logs periodically to maintain a long-term audit history. 68 Understanding the security features of the Synergy Composer

69 Each user has a unique logging ID per session, enabling you to follow a user s trail in the audit log. Some actions are performed by HPE OneView and might not have a logging ID. A breakdown of an audit entry follows: Token Date/time Internal component ID eserved User domain User name/id Session ID Task ID Client host/ip esult Action Description The date and time of the event The unique identifier of an internal component The organization ID. eserved for internal use The login domain name of the user The user name The user session ID associated with the message The UI of the task resource associated with the message The client (browser) IP address identifies the client machine that initiated the request The result of the action, which can be one of the following values: SUCCESS FAILUE SOME_FAILUES CANCELED KILLED A description of the action, which can be one of the following values: ADD LIST UNSETUP CANCELED MODIFY ENABLE DEPLOY DELETE DISABLE STAT ACCESS SAVE DONE UN SETUP KILLED LOGIN LOGOUT DOWNLOAD_STAT Severity esource category esource UI/name Message A description of the severity of the event, which can be one of the following values, listed in descending order of importance: INFO NOTICE WANING EO ALET CITICAL For EST API category information, see the HPE OneView EST API eference in the online help. The resource UI/name associated with the task The output message that appears in the audit log Maintenance console entries The audit log includes entries for these Maintenance console events: 3.7 Understanding the audit log 69

70 Successful logins Unsuccessful logins Unsuccessful challenge-response authorization attempts Attempted HPE OneView restarts Attempted HPE OneView shutdowns Attempts to reset the administrator password Attempts to activate the Synergy Composer Service console launches and exits Entries in which no login was required 3.8 Choosing a policy for the audit log Choose a policy for downloading and examining the audit log. The audit log contains a record of actions performed on HPE OneView, which you can use for individual accountability. As the audit log gets larger, older information is deleted. To maintain a long-term audit history, you must periodically download and save the audit log. For more information about the audit log, see Understanding the audit log (page 68). 3.9 Synergy Composer access over SSL All access to HPE OneView is through HTTPS (HTTP over SSL), which encrypts data over the network and helps to ensure data integrity. For a list of supported cipher suites, see Algorithms for securing the appliance in the online help Managing certificates from a browser A certificate authenticates HPE OneView over SSL. The certificate contains a public key, and HPE OneView maintains the corresponding private key, which is uniquely tied to the public key. NOTE: This section discusses certificate management from the perspective of the browser. For information on how a non-browser client (such as cul) uses the certificate, see the documentation for that client. The certificate also contains the name of the Synergy Composer, which the SSL client uses to identify the Synergy Composer. The certificate has the following boxes: Common Name (CN) This name is required. By default it contains the fully qualified host name of the Synergy Composer. Alternative Name The name is optional, but Hewlett Packard Enterprise recommends supplying it because it supports multiple names (including IP addresses) to minimize name-mismatch warnings from the browser. By default, this name is populated with the fully qualified host name (if DNS is in use), a short host name, and the Synergy Composer IP address. NOTE: Name. If you enter Alternative Names, one of them must be your entry for the Common 70 Understanding the security features of the Synergy Composer

71 These names can be changed when you manually create a self-signed certificate or a certificate signing request Self-signed certificate The default certificate generated by HPE OneView is self-signed; it is not issued by a trusted certificate authority. By default, browsers do not trust self-signed certificates because they lack prior knowledge of them. The browser displays a warning dialog box; you can use it to examine the content of the self-signed certificate before accepting it Using a certificate authority Use a trusted CA (certificate authority) to simplify certificate trust management; the CA issues certificates that you import. If the browser is configured to trust the CA, certificates signed by the CA are also trusted. A CA can be internal (operated and maintained by your organization) or external (operated and maintained by a third party). You can import a certificate signed by a CA, and using it instead of the self-signed certificate. The overall steps are as follows: 1. You generate a CS (certificate signing request). 2. You copy the CS and submit it to the CA, as instructed by the CA. 3. The CA authenticates the requestor. 4. The CA sends the certificate to you, as stipulated by the CA. 5. You import the certificate. For information on generating the CS and importing the certificate, see the UI help Create a certificate signing request HPE OneView uses a certificate for authentication over SSL. The certificate contains a public key, and HPE OneView maintains the corresponding private key, which is uniquely tied to the public key. A certificate authority (CA) is a trusted party that issues a certificate that enables others, who trust the CA, to also trust the host. In essence, the CA vouches for the host. For information on creating a self-signed certificate, see Create a self-signed certificate (page 72). Prerequisites Minimum required privileges: Infrastructure administrator. Gather the information for the request, as required by the CA. Obtain the CA s challenge password. Creating a certificate signing request 1. From the main menu, select Settings. 2. Select Actions Create certificate signing request. 3. Supply the data requested on the screen. 4. Click OK. 5. Copy the certificate request data from the dialog box and send it to the CA. The CA designates how and where to send the certificate request data. 6. Click OK. Next steps: After you receive the certificate from the CA, import the certificate. See Import a certificate Managing certificates from a browser 71

72 Create a self-signed certificate HPE OneView uses a certificate for authentication over SSL. The certificate contains a public key, and HPE OneView maintains the corresponding private key, which is uniquely tied to the public key. A self-signed certificate indicates that a host vouches for itself, which, in some cases, might be adequate. By default, browsers do not trust self-signed certificates and display a warning. A more secure alternative is a certificate issued by a third-party certificate authority. For information on these certificates, see Create a certificate signing request (page 71). Prerequisites Minimum required privileges: Infrastructure administrator Creating a self-signed certificate 1. From the main menu, select Settings. 2. Click Security. 3. Select Actions Create self-signed certificate. 4. Supply the data requested on the screen. 5. Enter optional information, as needed. 6. Click OK. 7. Verify that the certificate was created. The certificate information is shown on the screen Import a certificate After sending a certificate signing request to the CA and receiving a certificate, you must import it. Prerequisites Minimum required privileges: Infrastructure administrator. Ensure that no other users are logged in to HPE OneView. Importing a certificate 1. From the main menu, select Settings. 2. Click Security. 3. Select Actions Import certificate. 4. Copy the certificate text and paste it into the box provided. 5. Click OK. 6. After the web server restarts and reconnects, log in to HPE OneView View the Certificate settings Prerequisites Minimum required privileges: Infrastructure administrator, Backup administrator, ead only Viewing the Certificate settings 1. Navigate from the main menu to the Settings screen. 2. Select Overview Security Certificate Downloading and importing a self-signed certificate into a browser The advantage of downloading and importing a self-signed certificate is to circumvent the browser warning. In a secure environment, it is never appropriate to download and import a self-signed certificate, unless you have validated the certificate and know and trust the specific appliance. 72 Understanding the security features of the Synergy Composer

73 In a lower security environment, it might be acceptable to download and import the appliance certificate if you know and trust the certificate originator. However, Hewlett Packard Enterprise does not recommend this practice. Microsoft Internet Explorer and Google Chrome share a common certificate store. A certificate downloaded with Internet Explorer can be imported with Google Chrome as well as Internet Explorer. Likewise, a certificate downloaded with Google Chrome can also be imported by both browsers. Mozilla Firefox has its own certificate store, and must be downloaded and imported with that browser only. The procedures for downloading and importing a self-signed certificate differ with each browser. Downloading a self-signed certificate with Microsoft Internet Explorer 1. Click in the Certificate error area. 2. Click View certificate. 3. Click the Details tab. 4. Verify the certificate. 5. Select Copy to File Use the Certificate Export Wizard to save the certificate as Base-64 encoded X.509 file. Importing a self-signed certificate with Microsoft Internet Explorer 1. Select Tools Internet Options. 2. Click the Content tab. 3. Click Certificates. 4. Click Import. 5. Use the Certificate Import Wizard. a. When it prompts you for the certificate store, select Place. b. Select the Trusted oot Certification Authorities store Verifying a certificate You can verify the authenticity of the certificate by viewing it with your browser. After logging in to HPE OneView, choose Settings Security to view the certificate. Make note of these attributes for comparison: Fingerprints (especially) Names Serial number Validity dates Compare this information to the certificate displayed by the browser, that is, when browsing from outside HPE OneView Nonbrowser clients HPE OneView supports an extensive number of EST APIs. Any client, not just a browser, can issue requests for EST APIs. The caller must ensure that they take appropriate security measures regarding the confidentiality of credentials, including: The session token, which is used for data requests. esponses beyond the encryption of the credentials on the wire using HTTPS Passwords Passwords are likely displayed and stored in clear text by a client like cul Nonbrowser clients 73

74 Take care to prevent unauthorized users from: Viewing displayed passwords Viewing session identifiers Having access to saved data SSL connection The client should specify HTTPS as the protocol to ensure SSL is used on the network to protect sensitive data. If the client specifies HTTP, it will be redirected to HTTPS to ensure that SSL is used. The appliance certificate, which the client requires, allows the SSL connection to succeed. A convenient way to obtain a certificate is to use a browser pointed at the appliance; for more information on obtaining a certificate with a browser, see Managing certificates from a browser (page 70) 3.12 Ports required for HPE OneView HPE OneView requires specific ports to be available to manage servers, enclosures, and interconnects. Table 1 Ports required for HPE OneView Port number Protocol Use Description 22 TCP Inbound and Outbound Used for SSH and SFTP. SSH is required to communicate with interconnect modules. SFTP is required for actions such as firmware upgrades and support dumps. 80 TCP Inbound Used for the HTTP interface. Typically, this port redirects to port 443; this port provides the access required by the ilo. 123 UDP Inbound HPE OneView acts as an NTP server, ilo requires access. 123 UDP Outbound Used as an NTP client to synchronize HPE OneView time. 161 UDP Outbound Supports SNMP GET calls to obtain status data from a server through ilo. Also used for ipdu. 162 UDP Inbound Used for SNMP trap support from the ilo, and ipdu devices. This port is also used to monitor the VC interconnects and trap forwarding. 443 TCP Inbound Used for the HTTPS interface to user interface and APIs. 443 TCP Outbound Used for secure SSL access to the ilo. Used for edfish, IBCL, SOAP, and ipdu communication UDP Inbound Used as an alternative SNMP trap port TCP Inbound Allows external scripts or applications to connect to and monitor messages from the SCMB (State-Change Message Bus) TCP Outbound Used for virtual media access to the ilo from HPE OneView TCP Browser to ilo Provides browser access to the remote console Controlling access to the Synergy Composer console Typical legitimate uses for access to the console are: Performing hardware setup operations Troubleshooting network configuration issues 74 Understanding the security features of the Synergy Composer

75 esetting an administrator password For information on how to reset the administrator password, see eset the administrator password (page 244). Enabling service access by an on-site authorized support representative Enable or disable authorized services access When you first start up HPE OneView, you can choose to enable or disable access by on-site authorized support representatives. By default, on-site authorized support representatives are allowed to access your system through the Synergy Composer console and diagnose issues that you have reported. Support access is privileged, which enables the on-site authorized support representative to debug any problems on the Synergy Composer. Access to the services access account requires the technician to obtain a one-time password using a challenge/response mechanism similar to the one for a password reset. Any time after the initial configuration of HPE OneView, an Infrastructure administrator can enable or disable services access through the UI with the following procedure: Prerequisites Minimum required privileges: Infrastructure administrator Enabling or disabling authorized services access 1. From the main menu, select Settings. 2. Click the Edit icon in the Security panel. The Edit Security window opens. 3. Select the appropriate setting for Service console access: Disabled to prevent access to the console. Enabled to allow access to the console. 4. Click OK. You can also use an /rest/appliance/settings EST API to enable or disable services access. CAUTION: Hewlett Packard Enterprise recommends that you enable access. Otherwise, the authorized support representative will not be able to access HPE OneView to troubleshoot issues Files you can download from the Synergy Composer You can download the following data files from HPE OneView: Support dump By default, all data in the support dump is encrypted and accessible by an authorized support representative only. Backup file All data in the backup file is in a proprietary format. Hewlett Packard Enterprise recommends that you encrypt the file according to your organization's security policy. Audit logs Session IDs are not logged, only the corresponding logging IDs are logged. Passwords and other sensitive data are not logged Files you can download from the Synergy Composer 75

76 76

77 4 Navigating the graphical user interface 4.1 About the graphical user interface To learn the names of common areas, icons, and controls on a UI screen, see the numbered descriptions that appear after the image. Figure 3 Screen topography 1 HPE OneView main menu: The primary menu for navigating to resources. Click 6 Session control: Tracks who is currently logged in to the appliance and the duration the icon or click anywhere in the area of each login session. Also enables you to 2 to expand the menu. View selector: Enables you to control the and edit some user account information, depending on your user credentials. information displayed about a resource 7 Help control: Expands (or hides) a sidebar so that you can focus only on what you which provides access to UI and EST API are interested in. help, the EULA and Written Offer, and the 3 Map view icon: Provides a graphical HPE OneView online user forum. representation of the relationships 8 Activity sidebar: Shows recent alerts and between the selected resource and other task activity for the current resource. Use resources. To see these relationships, the Activity control icon to open (or close) select the icon or the select the Map this sidebar. view in the view selector 9 Details pane: Provides all information 4 Actions menu: Provides the actions that known about a selected resource instance. are available to run on the current To see details about a particular resource resource. Actions include, but are not instance, click its name in the master pane. limited to: adding, creating, deleting, 10 Master pane: Lists all resource instances removing, and editing a resource instance. that have been configured on the If you do not have the appropriate appliance. In some cases, a status icon permissions to perform an action, the indicates general health of the resource. 4.1 About the graphical user interface 77

78 action does not appear on the Actions menu. 5 Activity control: Expands (or hides) a sidebar of recent appliance, resource, or user activity (from the current login session and browser window). In addition to the screen components shown in Figure 3 (page 77), every UI screen has a notifications area that notifies you when an event or activity requires your attention. Some screens also have a filters sidebar that enables you to control the type of information displayed in the master pane. 4.2 Activity sidebar About the Activity sidebar The Activity sidebar shows tasks initiated during the current session. The most recent task is displayed first. Task notifications provide information (including in-progress, error, and completion messages) about tasks that were launched. The Activity sidebar differs from the Activity screen because it displays only recent activity. The Activity screen, in contrast, displays all activities and allows you to list, sort, and filter them. For more information, see About Activity (page 285). Click an activity to show more details Activity sidebar details The Activity sidebar shows task activities generated during your current login session. Component Description Shows recent task activity generated during your login session. When the Activity sidebar is closed, the number of alert or task notifications that have not yet been viewed appears next to the Activity icon. Activity Describes the alert or task and the affected resource. A health status icon indicates the current status of the resource associated with the activity Expand or collapse the Activity sidebar Prerequisites Minimum required privileges: Network administrator, Server administrator, Infrastructure administrator, Backup administrator, ead only Expanding or collapsing the Activity filter sidebar 1. Use the right pin icon ( ) to expand the Activity filter sidebar. Use the left pin icon ( 2. Select an activity to reveal more details. Next step: Filter activities. 4.3 Audit tracking ) to collapse the Activity filter sidebar. Change tracking provides a history of the changes you make within an action dialog box, such as an add action. Click in the lower left corner in the dialog to view the changes. 78 Navigating the graphical user interface

79 Figure 4 Expanded view of audit tracking 4.4 Banner and main menu The main menu is the primary method for navigating to resources and the actions that can be performed on them. To expand the main menu, click inside the main menu area of the banner. Figure 5 Banner The main menu provides access to resources; each resource screen contains an Actions menu. If you are not authorized to view a resource, that resource does not appear in the main menu. If you do not have the appropriate permissions to perform an action, the action does not appear on the Actions menu. Figure 6 Expanded main menu 4.4 Banner and main menu 79

80 4.5 Browsers For general information about browser use, see the following topics: Browser best practices for a secure environment (page 80) Commonly used browser features and settings (page 80) Browser requirements (page 81) Set the browser for US or metric units of measurement (page 81) Browser best practices for a secure environment Best practice Use supported browsers Log out of the appliance before you close the browser Avoid linking to or from sites outside of the appliance UI Use a different browser to access sites outside the appliance Description See the HPE OneView Support Matrix for HPE Synergy to ensure that your browser and browser version are supported and the appropriate browser plug-ins and settings are configured. In the browser, a cookie stores the session ID of the authenticated user. Although the cookie is deleted when you close the browser, the session is valid on the appliance until you log out. Logging out ensures that the session on the appliance is invalidated. NOTE: If you close the browser, any open sessions will be invalidated within 24 hours. When you are logged in to the appliance, avoid clicking links to or from sites outside the appliance UI, such as links sent to you in or instant messages. Content outside the appliance UI might contain malicious code. When you are logged in to the appliance, avoid browsing to other sites using the same browser instance (for example, via a separate tab in the same browser). For example, to ensure a separate browsing environment, use Firefox for the appliance UI, and use Chrome for non-appliance browsing Commonly used browser features and settings Feature Screen resolution Language Close window Copy and paste Search in a screen Local history Description For optimum performance, the minimum screen size is pixels for desktop monitors and for laptop displays. The minimum supported screen size is pixels. US English, Japanese, and Simplified Chinese are the supported languages. You can close browser windows at any time. Closing the window while you are logged in invalidates your session after 24 hours. You can select and copy most text, with the exception of text in images. You can paste text into text entry boxes. Press Ctrl+F to search for text in the current screen. ight-click the browser back button to view the history of the active tab. Use this feature to determine how you arrived at the current screen. 80 Navigating the graphical user interface

81 Feature Back and forward buttons Bookmarks Open screens in a new tab or window Browser refresh Zoom in/zoom out Description You can use the browser back and forward buttons to navigate the UI. NOTE: Pop-up dialog boxes are not considered screens. If you click the back button while a pop-up dialog box is displayed, you return to the previous screen. If you click the forward button to go to a pop-up dialog box, you go instead to the screen with the link to the pop-up dialog box. The exceptions are screens that you access directly from the Actions menu. If you use the browser navigation buttons with these screens, you lose any unsaved changes you made on the screens. You can create bookmarks for commonly-used screens. You can these links to other users, who must log in and have the appropriate authorization for the screen. ight-click a hyperlink in the appliance to a resource or screen to open the link in a new tab or window. NOTE: If you right-click a link while in an edit screen, the actions you take on another screen do not automatically refresh the form in the first screen. If you click the browser refresh button to refresh a screen on which you have added but not saved information, you lose the information. Use the zoom in or zoom out feature to increase or decrease the text size Browser requirements The appliance has specific browser requirements that can affect its use. The following browsers are supported: Microsoft Internet Explorer: Version 10 and Version 11 Mozilla Firefox: ES Version 17, Personal edition (latest version) Google Chrome (latest version) Set the browser for US or metric units of measurement To configure how units of measurement are displayed either in United States (US) or metric units change the region portion of the language setting in your browser. Metric units are used for all regions except the United States region. Specify the United States as your region code if you want United States customary units. Specify any other region code if you want metric units. 4.5 Browsers 81

82 Table 2 Set US or metric units of measurement Browser Google Chrome Microsoft Internet Explorer Mozilla Firefox Procedure 1. Click the Google menu icon. 2. Select Settings Show advanced settings Scroll down to Languages and click Language and input settings Click Add and then select the language you want to use. 5. estart the browser to apply your changes. The browser locale and regions locale are derived from your Windows settings. 1. Select Tools+Internet Options+General (tab)+languages Language Preference. 2. Specify your own language tags. Click Add button in the Language Preferences dialog box, and then enter your language tag in the User-defined box. 3. Click OK. 4. estart the browser to apply your changes. The browser locale and regions locale are derived from the version of Firefox you are running. 1. Select Tools Options Content Languages Choose. 2. Select your preferred language and then click OK. 3. estart the browser to apply your changes. 4.6 Button functions UI buttons have the same function, whether they appear on screens or dialog boxes. Table 3 Standard UI buttons Button Add and Add + Create and Create + Close Cancel OK Description Adds items from your data center environment. for management or monitoring Add adds a single item and closes the screen or dialog box. Add + enables you to add another item in the same dialog box. Creates logical constructs used by the appliance (such as server profiles, logical interconnect templates, and network sets). Create creates a single item and closes the screen or dialog box. Create + enables you to create another item in the same session. Closes a screen or dialog box and returns you to the previous screen. Discards unsaved changes on a screen or dialog box and then closes the screen or dialog box. Confirms and saves your entries and then closes the screen or dialog box. 4.7 Filters sidebar Some resource screens have a Filters sidebar that enables you to control the amount and type of information displayed in the details pane. 82 Navigating the graphical user interface

83 Figure 7 Filters sidebar OneView Search 1 Enclosures 1 Filters eset Add enclosure + Status: All statuses Critical Warning OK Name Encl1 2 Unknown Disabled Labels: All labels finance mkting sales 1 Pin control: Switches between the Filters sidebar and Filters banner bar when clicked. When the filter banner is in view, the filter headings display across the screen below the resource title. Click the filter name to access the filter options when in the banner bar view. 2 Filtering criteria enables you to refine the information displayed for a resource in the master pane. 4.8 Help sidebar Click in the banner to open the help sidebar. The help sidebar provides hyperlinks to the help system, open source code used in the product, partner program, initial configuration procedures, license agreement, written offer, and the online user forum. Figure 8 Help sidebar 1 Opens context-sensitive help for the current screen in a new browser window or tab. 4.8 Help sidebar 83

84 2 Opens the top of the help contents in a new browser window, which enables you to navigate to the entire table of contents for the UI help. 3 Opens the top of the EST API eference contents in a new browser window, which enables you to navigate to the entire table of contents for the EST API eference. 4 Opens a new browser window to the Composable Infrastructure partner program website. 5 Opens the first-time setup help in a new browser window, which guides you through initial configuration tasks to make your data center resources known to the appliance and bring them under management. 6 Displays the End-User License agreement (EULA). 7 Displays the Written offer, which describes the open source products used by HPE OneView. 8 Opens a new browser window to the online user forum where you can share your experiences using HPE OneView and pose or answer questions View the End-User License agreement Use this procedure to view the End-User License agreement for HPE OneView. Viewing the End-User License agreement 1. Click the icon in the banner to open the Help sidebar. 2. Click End-User License agreement View the Written Offer Use this screen to review the Written offer, which describes how to send a request for source code, as stipulated under applicable third-party licenses. Viewing the Written Offer 1. Click the icon in the banner to open the Help sidebar. 2. Click Written Offer. 4.9 Appliance status screens Starting Oops Depending on certain conditions and situations, status screens will provide recommendations for corrective action or troubleshooting hints and tips. Should those screens appear, refer to the following topics for more information. The appliance is starting up or restarting. Initially, a rotating in-progress icon is displayed, eventually followed by a progress bar. As web applications for the appliance become active, a progress bar advances. On completion, the login screen displays. The appliance encountered a serious error and could not recover from it. estarting the appliance might resolve the error. The error message will advise you to create a support dump file and save it to a USB drive and contact your authorized support representative. CAUTION: Creating the support dump file overwrites any backup file that exists on the appliance Updating the appliance An appliance update is in progress. 84 Navigating the graphical user interface

85 The appliance will restart after it is updated and you will be presented with a login screen. This restart will not disrupt the operation of the systems under management Temporarily unavailable The appliance is off-line or unresponsive. This screen is also displayed after you shut down the appliance esetting The Synergy Composer is currently being reset to its original, factory defaults. The factory reset operation has the option to preserve or destroy the appliance network settings. If they were destroyed, you will need to reset the network settings. After the reset operation is complete, you need to determine the IP address to use in the browser window so that you can log in to the Synergy Composer. Do one of the following to configure the Synergy Composer: estore the Synergy Composer from a backup file. See estore a Synergy Composer from a backup file (page 256) Configure the Synergy Composer manually. See Initial configuration of resources in HPE OneView (page 115). IMPOTANT: The factory reset operation is not available while the appliance is highly available. Before you can perform the factory reset operation on the appliance, you must remove the standby appliance. The standby appliance is factory reset as part of the removal operation Waiting The UI will not be available from any monitor port of the frame link module unless you restore the appliance from a recent backup file. Otherwise you must also perform a factory reset of the frame link module. If the Maintenance console indicates the HPE Synergy Composer is offline and unusable or requires manual action, see Synergy Composer is offline and unusable (page 358) or Synergy Composer is offline, manual action is required (page 357), as needed. More information About the factory reset operation (page 446) The appliance is currently waiting for resources: To become available while it is restarting. The Starting status screen displays when those resources are available. To become available while it is being updated The Updating status screen displays when those resources are available. To quiesce while it is shutting down. The Temporarily unavailable status screen will be displayed. There is also the possibility that the appliance encountered an error. In that case, the Oops status screen will be displayed. 4.9 Appliance status screens 85

86 4.10 Icon descriptions HPE OneView uses icons as user controls and to show the current status of resources and activities. Status and severity icons (page 86) User control icons (page 86) Informational icons (page 87) Status and severity icons Large icon Small icon esource Activity Task Critical Critical Failed/Interrupted Warning Warning Warning OK Informational Success Disabled Canceled Unknown An In progress rotating icon indicates that a change is being applied or a task is running. This icon can appear in combination with any of the resource states. For example: User control icons Icon Name Expand menu View details Expand Action Expands a menu to show all options Identifies a title that has additional information. Clicking the title changes the view to display details. Expands a collapsed list item Collapse Collapses an expanded list item Edit Enables editing Delete or remove Search Deletes the current entry Searches for the text you enter in the Search box. This is especially useful for finding types of resources or specific resources by name. 86 Navigating the graphical user interface

87 Icon Name Pin Sort Action The left pin expands or collapses the Filters sidebar The right pin expands or collapses the Activity sidebar or Help sidebar Determines whether items are displayed in ascending or descending order UID Turns the light on or off on the corresponding device so that you can locate the device in the Data Center Informational icons Icon Name Map Description Provides a graphical representation of the relationships between the current resource and other resources Activity control Session control Help control Provides a recent history of user and appliance initiated tasks and alerts Displays your login name and the duration of your current session. Also provides a link you can use to log out of the appliance. To change your full name, password, and contact information, click the Edit icon next to your login name. When this icon is at the top of a dialog box, you can click it to open context-sensitive help for that topic in another window or tab. In the banner, this icon expands or collapses the Help sidebar, where you can browse the help documentation or find help on the screen currently displayed. The help sidebar provides the following: A Help on this page hyperlink to access context-sensitive help for the current screen A Browse help hyperlink to access the entire help system Links that you can use to display the EULA and the Written Offer. A link to the HPE OneView Forum, an online forum for customers and partners to share their experiences and pose questions related to using HPE OneView. Community members as well as Hewlett Packard Enterprise representatives are welcome to assist with answering questions Labels screen details The Labels view enables you to view the labels for a resource. Labels can be used to organize resources into groups. For example, you might want to identify the servers that are used primarily by the Finance team, or identify the storage systems assigned to the Asia/Pacific division. You can filter and search for labels across all resource types or within a specific resource Map view screen details The Map view enables you to examine the configuration and understand the relationships between logical and physical resources in your data center. This view gives you immediate visibility into your resources from the individual Ethernet, Fibre Channel, and FCoE networks all the way up to the enclosure, rack, and top-level physical data center. The Map view was designed to be highly interactive and useful even at scale Labels screen details 87

88 To open the relationship view for a resource, do one of the following: Select Map from the view selector. Select the icon. Providing context for a resource can be helpful when troubleshooting problems with the resource. By looking at the Map view, you can determine if anything related to the resource is also having a problem. A status icon indicates the general health of the resource and provides a quick path to track errors. Figure 9 Sample Map view The selected resource is located at the center of the Map view. Everything above the resource is an ancestor; everything below the resource is a descendant. A connecting line between boxes indicates a direct relationship, such as servers in an enclosure. Use your pointer to hover over any resource to see its direct relationships to other resources. Other items can be indirectly related to the resource, such as logical interconnect groups and server profiles. Click any resource that appears in a relationship view to open its specific Map view Notifications area The notifications area on a resource UI screen appears when an activity (an alert or task) has affected the resource, which might require your attention. By default, one line of information appears in the notifications area. Click anywhere in the yellow box to expand the notifications area and view more information associated with the activity. Click again to collapse the notifications area. 88 Navigating the graphical user interface

89 Figure 10 Notifications area 1! A, Slot 1 Overview Actions The system A, Slot 1 is not configured for redundant power because it has 1 c... All General > 2 Model! Manag Location Power Maximum Serial A, Slot 1 Overview The system A, Slot 1 is notconfigured for redundant power because it has 1 connected power input(s). The system must have at least 2 connected power inputs(s) to have redundant power. All Actions The system A, Slot 1 is... esolution: Configure the system with 1 more redundant power delivery device(s) or verify that the configuration matches the target system Powered by Maximum power Serial number parentls1 280 Watts a963fdec-ebfb-4ba4 1 A collapsed notifications area (the default). Select All to view all activity associated with the resource. 2 An expanded notifications area, which provides resolutions for critical or warning alerts that require your attention, with links to Details, when they are available Log out of the appliance 1. Click the Session control icon in the banner. 2. Select Logout Organizing resources into groups by assigning labels Labels identify resources so you can organize them into groups. After labeling your resources, you can quickly view them by searching on the labels. Prerequisites equired privileges: Edit privileges for the resource Adding a new label to a resource 1. From the main menu, select the resource, and then select the resource instance you want to label. 2. Select Labels from the view selector. 3. Select the icon Log out of the appliance 89

90 4. Follow these guidelines to create a label name: Labels are not case sensitive, but are displayed as entered. Labels must be alphanumeric and a maximum of 80 characters. Labels can contain spaces. 5. Click Add. The new labels are shown. 6. Click OK to add the labels to this resource. Adding an existing label to a resource 1. From the main menu, select the resource category, and then select the resource instance you want to label. 2. Select Labels from the view selector. 3. Select the icon. 4. Determine if you want to search for all labels or for a specific label. To search for all labels for this resource type, click. Scroll through the list to find the label you want. To search for a specific label, in the Name box, enter an existing label name or a portion of the name, and then click. 5. Select the existing label and click Add. 6. Click OK to add the label to the resource. emoving a label from a resource 1. From the main menu, select the resource, and then select the resource instance from which you want to remove a label. 2. Select Labels from the view selector. 3. Select the icon. 4. Click the Delete icon for the label you want to remove from this resource. 5. Click OK to remove the label from the resource. Searching for resources by label 1. Click in the Smart Search box and enter labels: followed by the label name. TIP: Enter complete words or names as your search criteria. Partial words or names might not return the expected results. To search for a label with a space, enter the label name in quotes. For example, labels: Asia Pacific Division. Search 90 Navigating the graphical user interface

91 2. Determine if you want to search for a specific label for the resource type, or search for a label across all resource types. To search for a label for a specific resource type: a. Select the Scope for the resource type. b. Press Enter. The resources that share that label are shown. To search for a label across all resource types: a. Select Everything for the Scope. a. Press Enter. A search results page lists the top matches for all resource types. b. Click on a resource instance (a hyperlink) on the results page to go to that resource View resources by label The Overview view for the resource is shown. On most screens, you can filter the view of resource instances based on their label. The default filter is All labels, which shows all resource instances. To filter the view based on a specific label or labels, select the label or labels from the Labels menu. All resource instances with those labels are shown. To clear selected label filters, select All labels. NOTE: Up to 100 labels are shown for the resource. If you do not see the label you are looking for, see Searching resources using labels. Filter resources using labels OneView labels:mkting labels:sales Server Hardware 2 All Statuses Labels eset All labels + Add server hardware mkting sales Name Model Server Profile Encl1, bay 1 Encl1, bay 2 BL660c Gen9 BL660c Gen9 none none 4.16 Performing an action on multiple resources For some actions, you can select multiple resources in the rather than performing the action on one resource at a time. For example, you can power on many server blades with one operation. Each action on a resource instance is logged individually in the Activity screen Performing an action on multiple resources 91

92 If the action cannot be performed on a specific resource instance, the resource is excluded from the action. For example, if you try to power on a server that is already powered on, the action is not performed on that server. Opening the for an action displays the results, which in this example, shows that one server was powered on and two were excluded: If any resource is excluded from the action, a critical or warning icon is displayed. A resource is excluded if the action is not possible, such as attempting to delete a server profile for a powered-on server. If multiple resources are excluded, select a single resource and try the action again to determine why a resource was excluded. Use the following key combinations to select multiple resources in the master pane: To select a contiguous range of objects, select the resource at the beginning of the range and press Shift and hold as you select the end of the range. To select individual objects, press Ctrl and hold as you point to and select each object. Use the Ctrl key to unselect any previously-selected objects Search help topics 1. On any screen, click the icon in the banner to open the help sidebar. 2. In the Help sidebar, select Help on this page. Context-specific help appears in a separate browser window. 3. In the new browser window where the help is displayed, click Search at the top of the left navigation pane, next to the Contents and Index links. Figure 11 UI help search box 4. Enter a search term in the Search box. 5. Press Enter or click List Topics to start the search process. Search results are presented as links to the sections in which the search term appears. 6. Scan the search results for the section title or titles that best match what you are looking for, and click the link to view the content. Each instance of your search term is highlighted in yellow for easy identification. 92 Navigating the graphical user interface

93 More information Help search features and limitations (page 93) Help search features and limitations Features Case sensitivy. Full word and phrase matches Wildcard characters Keyboard pasted characters Boolean operators Auto complete Highlighting Fuzzy search Proximity search Synonym search By default, searches are case-insensitive. The Case sensitive check box enables you to search matching the case of the word or phrase you enter. You can search for full or hyphenated words. Phrase search enables you to search for documents containing an exact sentence or phrase by entering the search text in double quotes ( ). Do not include special characters in the search text of a phrase search. The wildcard feature enables you to replace individual letters, or sequences of letters, within the search word. Use a question mark (?) to replace a single character. Use an asterisk (*) to represent several (or zero) characters. When entering a search keyword, you may find it useful to copy it from another window, right-click in the text box, and select Paste. This feature lets you combine keywords with the Boolean operators to produce more relevant results: Use a space character for Boolean AND. Use either O or or for Boolean O. Use a hyphen character (-) for NOT. Auto-complete monitors what you are typing and, after typing the first few characters, displays a list of suggested words. If one of those words matches what you intended to type, you can select it from the list. Search highlighting highlights the searched key words or phrase in the resulting documents. Like a spelling corrector, a fuzzy search tries to correct misspelled search text and suggests corrected text. Proximity search looks for documents where two or more word occurrences are at most ten words apart. The proximity search operators are NEA and FBY (meaning followed by ). These operators can be entered in upper or lower case. This feature suggests links to synonyms of the keyword. Limitations Special characters Special characters are not allowed in word search. The search function does not return topics or index entries that contain special characters, such as the copyright symbol Search help topics 93

94 The backslash character (\) is not allowed inside a phrase. Hyphen Common words Initials Boolean searches Proximity searches The search function does not return topics or index entries that contain a hyphen. The search feature does not return common words such as a, an, and the. The search function does not return topics or index entries that contain initials, such L.P.. Boolean operator names must be entered in English. The AND and O Boolean operators cannot be combined in a search text. NOT operators must be at the end of the search string. The proximity operators must be entered in English. More information Search help topics (page 92) 4.18 Search resources The banner of every screen includes the Smart Search feature, which enables you to find resource-specific information such as specific instances of resource names, serial numbers, WWNs (World Wide Names), and IP and MAC addresses. In general, anything that appears in a resource master pane is searchable. Smart Search makes locating resources easy, enabling you to inventory or take action on a desired set of devices. Perhaps you are looking for all resources in a given enclosure or need to find one server using a certain MAC address. Smart Search instantly gives you the information you are seeking. The default search behavior is to focus on the resource you are currently viewing. However, to broaden the scope of your search across all resources, you must select the option to search Everything, which searches all resources. Search the current resource 1. Click in the Smart Search box. Search all resources 1. Click in the Smart Search box. Search Search 2. Enter your search text and press Enter. The search results are focused in your current location in the UI. 2. Select Everything. 3. Enter your search text and press Enter. Some resources might not include the option to choose between the current resource or everything, in which case the default search is for everything. 94 Navigating the graphical user interface

95 When you start typing, search suggestions are provided based on pattern matching and previously-entered search criteria. You can either select a suggestion (the screen displays data containing that selection) or click Enter. If your search term is a resource, then the list of resources in a master pane is filtered to match your search input. TIP: Enter complete words or names as your search criteria. Partial words or names might not return the expected results. If you enter a multi-word search term, results show matches for all words you enter. Enclose a search term in double quotes ( ) if the search term contains spaces. When you find what you are looking for in the search results, which are organized by type, select the item to navigate to it. NOTE: The Smart Search feature does not search the help system. To learn how to search the UI and EST API help, see Search help topics (page 92). The most recent filter selection is displayed in the Smart Search box. Table 4 Advanced searching and filtering with properties Example of advanced filtering syntax Search results By model name: HPE Synergy 660 Gen9 All hardware that matches the model number and name. By name or address: name:enclosure10 name:" , PDU 1" name:" " name:"mysystem" An enclosure with the name enclosure10. A power delivery device with the name , PDU 1. A list of physical machines whose IP addresses begin with A list of physical machines for which the host name is mysystem. By health status: status:critical All resources that are in a critical state. For other health status values, see Activity statuses (page 289). By associated resource: Associated resource category:networks" All networks By user role: roles:"network administrator" All users (by name) assigned with the Network administrator role. For other values for role, see About user roles (page 236). By owner: owner:administrator All resources and messages owned by the Infrastructure administrator Search resources 95

96 Table 4 Advanced searching and filtering with properties (continued) Example of advanced filtering syntax Search results By date: created:<7d Created within the last 7 days. efine results by combining properties: A space character separating two of the same object operates as a logical O. model:"hpe Synergy 480 Gen9" model:"hpe Synergy 660 Gen9" status:critical status:warning All HPE Synergy 480 Gen9 and Synergy 660 Gen9 hardware. All resources that are in either a critical or warning state. A space character separating two dissimilar objects operates as an AND. owner:administrator firmware NTP status:critical status:unknown state:locked owner:administrator All activities owned by the Administrator and related to firmware. All critical messages related to NTP. All messages with unknown status, having a locked state, and owned by Administrator. Combining AND and O operations The O operator is useful for specifying similar objects. The AND operator is useful for combining dissimilar objects. status:critical O status:disabled name:host.example.com status:critical status:warning associatedresourcecategory:network O associatedresourcecategory:network sets associatedresourcecategory:power-devices AND status:warning O status:critical All messages with either a Critical or Warning status. All messages with either a Critical or Warning status and related to the resource host.example.com. All messages pertaining to either the Network or Network Sets resource categories. All Critical or Warning messages for the power devices resource category. NOT operation status:warning NOT model:"proliant BL465c G7" All messages with a Warning status except those that apply to ProLiant BL465c G7 models NOTE: You can only use NOT once in a query. NOT operators that follow are treated as text Clear the Smart Search box The Smart Search box retains filter options. Use this procedure to clear it before entering a search parameter. Clearing the Smart Search box 1. From the main menu, navigate to the Activity screen. 2. Click eset in the Activity heading or the Activity filter sidebar View resources according to their health status On most screens, you can filter the view of resource instances based on their health status, which might be useful for troubleshooting or maintenance purposes. 96 Navigating the graphical user interface

97 The default filtering is All statuses, which means that all resource members are shown, regardless of their health status. To filter that view based on a specific health status, select the health status you are interested in viewing from the Status menu. For more information about health status icons and what they mean, see Icon descriptions (page 86). Figure 12 Filter resource instances by their health status + OneView Server Hardware 32 Add server hardware Name Encl1, bay 1 Encl1, bay 2 Search Status All statuses Critical Warning Model Model Ok Dl 360P Gen8 DL660c Unknown Gen9 Dl 360P Gen8 BL660c Disabled Gen9 BL660c Gen9 All Labels Server Profile none none none eset the health status view OneView status:warning Server Hardware 6 Warning Labels eset 1 + Add server hardware Name Model Server Profile DL360p Gen DL380p Gen8 none none DL360 Gen9 none 1 To return to the default view, All statuses, click the eset link View resources according to their health status 97

98 98

99 5 Using the EST APIs and other programmatic interfaces EST (epresentational State Transfer) is a web service that uses basic CUD (Create, ead, Update and Delete) operations performed on resources using HTTP POST, GET, PUT, and DELETE. To learn more about EST concepts, see epresentational_state_transfer. The appliance has a resource-oriented architecture that provides a uniform EST interface. Every resource has one UI (Uniform esource Identifier) and represents a physical device or logical construct. You can use EST APIs to manipulate resources. 5.1 esource operations ESTful APIs are stateless. The resource manager maintains the resource state that is reported as the resource representation. The client maintains the application state and the client might manipulate the resource locally, but until a PUT or POST is made, the resource as known by the resource manager is not changed. Operation Create ead Update Delete HTTP Verb POST resource UI (payload = resource data) GET resource UI PUT resource UI (payload = update data) PATCH resource UI (payload = update data) DELETE resource UI Description Creates new resources. A synchronous POST returns the newly created resource. An asynchronous POST returns a Taskesource UI in the Location header. This UI tracks the progress of the POST operation. eturns the requested resource representation(s) Updates an existing resource Updates a part of the resource. For example, when you only need to update one field of the resource. Deletes the specified resource 5.2 eturn codes eturn code 2xx 4xx 5xx Description Successful operation Client-side error with error message returned Appliance error with error message returned NOTE: If an error occurs, indicated by a return code 4xx or 5xx, an ErrorMessage is returned. The expected resource model is not returned. 5.3 UI format All UIs point to resources. The client does not need to create or modify UIs. The UI for a resource is static and uses the format category/resource ID where: /rest /resource category The appliance address The type of UI The category of the resource (for example, server-profiles) 5.1 esource operations 99

100 /resource instance ID 5.4 esource model format The specific resource instance identifier (optional) The resources support JSON (JavaScript Object Notation) for exchanging data using a EST API. If not otherwise specified in the EST API operation, the default is JSON. 5.5 Log in to the appliance using EST APIs When you log in to the appliance using the login-sessions EST API, a session ID is returned. You use the session ID in all subsequent EST API operations in the auth header. The session ID is valid for 24 hours. Log in Operation POST API /rest/login-sessions equest headers EST API equest Headers equest body {"username":"yourusername","password":"yourpassword"} NOTE: This is an example of a local log in on the appliance. If you are using a directory service, you must add the following attributes: authnhost and authlogindomain. esponse The LoginSessionIdDTO that includes the session ID Log out Operation DELETE API /rest/login-sessions equest headers auth:{yoursessionid} EST API equest Headers equest body None esponse 204 No Content 5.6 EST API version and backward compatibility When you perform a EST API operation, an X-API-Version header is required. This version header corresponds to the EST API version of software currently running on the appliance. To determine the correct EST API version, perform /rest/version. This GET operation does not require an X-API-Version header. If multiple appliances are running in your environment, you need to determine the EST API version required by each appliance. NOTE: If an X-API-Version header is not included in the request, the APIs default to version 1. Because most APIs in HPE OneView have a minimum of 3 or greater, invoking an API without including the X-API-Version header will likely result in an HTTP 404 error, because that version of the API will not be found. The requests documented in the HPE OneView EST API Scripting Help correspond to the API eference version included in the product. Supported EST API versions This release of HPE OneView supports the latest EST API version in addition to supporting the EST API versions supported in previous releases of HPE OneView. The HPE OneView EST API documentation for older EST API versions is available online at and the documentation for the current version of supported EST APIs is included with the online help for this release as well as online. 100 Using the EST APIs and other programmatic interfaces

101 Backward compatibility The following list explains how to preserve your existing scripts when upgrading to a new version of HPE OneView, take advantage of new functionality, and find the current and previous versions of the HPE OneView EST API documentation. Prevent scripts from breaking To prevent your existing scripts from breaking that were written for a specific API version, use the same X-API-Version value for that specific EST API. This ensures that the same set of data is sent and returned in the response body during PUT and POST operations. NOTE: The set of possible enumerated values that may be returned in a given resource attribute may be extended from release to release (independent of the API version). Clients should ignore any values that they do not expect. To maintain backward compatibility, the set of enumerated values will not be reduced and the meaning of these values will not change for a given API version. NOTE: The Index or SCMB always returns the latest version of resource data, independent of what is sent in the X-API-Version header on the request (this header controls the Index DTO model, but not the data contained within). To obtain a specific version of a resource s data, perform a GET on the resource s UI with the desired X-API-Version header. Use new functionality To take advantage of new functionality, you must move to the new X-API-Version value. If the X-API-Version value is set globally in your scripts, moving to a new X-API-Version will likely impact multiple EST APIs. To view a list of EST APIs that have changed, see What's New in the HPE OneView API eference. If you do not need to use the new functionality, you can use a previous X-API-Version and avoid impacting your existing scripts. Hewlett Packard Enterprise recommends that you move to the new X-API-Version, because backward compatibility is not guaranteed from release to release, and older functionality will be deprecated. The current version of the EST APIs are documented in the HPE OneView EST API eference that is included on the appliance. To view previous versions of the EST API reference, go to Asynchronous versus synchronous operations A synchronous operation returns a response after the EST API operation completes. For example, POST /rest/server-profiles returns a newly created server profile in the response body. An asynchronous operation, such as creating an appliance backup, returns the UI of a task in the Location response header. You can use the task UI to retrieve the current status of the operation, and to obtain the associated resource once the task is complete. This is common behavior for all asynchronous APIs. You should not depend on any other behavior to get the current status of the operation (such as the content of the returned response body), as it varies from API to API. See the API eference for the behavior of each specific API. You should not depend on any other behavior to occur, as it is subject to change in the future, even for the same API version. 5.7 Asynchronous versus synchronous operations 101

102 Example 1 Example response header returned from an asynchronous appliance backup EST call HTTP/ Accepted Date: Tue, 26 Jan :19:14 GMT Server: Apache Location: Content-Length: 0 cache-control: no-cache 5.8 Task resource When you make an asynchronous EST API operation, HTTP status 202 Accepted is returned and the UI of a Taskesource resource model is returned in the Location header of the response. You can then perform a GET on the Taskesource model UI to poll for the status of the asynchronous operation. The Taskesource model also contains the name and UI of the resource that is affected by the task in the associatedesource attribute. Creating an appliance backup example 1. Create an appliance backup. /rest/backups The UI of a Taskesource in the Location header is returned in the response. 2. Poll for status of the backup using the Taskesource UI returned in step 1. /rest/tasks/{id} 3. When the task reaches the Completed state, use the associatedesource UI in the Taskesource to download the backup file. GET {associatedesource UI} 5.9 Error handling If an error occurs during a EST API operation, a 4xx (client-side) or 5xx (appliance) error is returned along with an error message (ErrorMessage resource model). The error message contains a description and might contain recommended actions to correct the error. A successful EST API POST operation returns the newly created resource (synchronous) or a Taskesource UI in the Location header (asynchronous) Concurrency control using etags A client uses etags to verify the version of the resource model. This prevents the client from modifying (PUT) a version of the resource model that is not current. For example, if a client performs a GET on a server profile and receives an etag in the response header, modifies the server profile, and then updates (PUT) the resource model, the etag in the PUT request header must match the resource model etag. If the etags do not match, the client PUT request will not complete and a 412 PECONDITION FAILED error is returned. 102 Using the EST APIs and other programmatic interfaces

103 5.11 Querying resources and pagination using common EST API parameters Querying resources You can use a set of common parameters to customize the results returned from a GET operation, such as sorting or filtering. Each EST API specification lists the set of available common parameters. Pagination when querying for a collection of resources When you perform a GET operation to retrieve multiple resources (that is, a GET on a collection UI, such as /rest/server-profiles), the resources are returned in a collection object that includes an array of resources along with information about the set of resources returned. This collection of resources may be automatically truncated into pages to improve performance when a query would return a large number of resources. The collection attributes (described below) provide information needed to determine whether the full set of resources were returned, or if additional queries are required to retrieve additional pages. For example, a collection object includes a next page and previous page UI. These UIs indicate whether additional pages are available, and can be retrieved via a GET operation on these UIs. This provides a simple model for ensuring all resources in the query have been retrieved, by doing iterative GETs on the nextpageuri attribute until the attribute comes back empty/null (See Example: eturn all resources in a specific collection query below.). It s also possible to query for a specific page of resources, using the start and count query parameters. These parameters indicate the index of the first resource to be returned, and the number of resources to return in the page, respectively. NOTE: Queries across multiple pages in a collection are stateless, and are based simply on the start index and a count of resources returned from that starting point at the time the query is made. For example, if any server profiles were added or deleted after you performed a GET operation using a specific next page UI from a collection of server profile resources, and you perform the GET again, the returned page using the same next page UI may not contain the same set of resources. Note also that the specific set of resources returned with a given start and count parameter is highly dependent on any filter, query and sort parameters sent in the request, therefore it s important to always pass the same filter, query and sort parameters on all requests for additional pages. The nextpageuri and prevpageuri attributes will be pre-populated with any filter, query and sort parameters from the current request. Attributes returned in all GET operations performed on a collection UI, for example/rest/server-profile: total count start members nextpageuri prevpageuri The total number of resources available in the requested collection (taking into account including any filters). Not necessarily what was returned. The actual number of resources returned (in the members attribute). The zero-based index of the first item returned (in the members attribute). The array of resources returned in the current result set. A UI that can be used to query for the next page in the result set (using the same count specified in the current query). A UI that can be used to query for the previous page in the result set (using the same count specified in the current query) Querying resources and pagination using common EST API parameters 103

104 NOTE: A null or empty nextpageuri or prevpageuri attribute is an indication that you have reached the last or first page (respectively) in the query. This allows scripts to iterate on nextpageuri until null, in order to retrieve the full set of resources in the query. Example: eturn all resources in a specific collection query The number of resources returned in a query might not match what was specified in the count parameter. Clients must always check the returned results to determine whether the full results set was returned or not. The two reasons that all the resources may not be returned in a query are: You've reached the last page of the query (and there are simply not that many resource left to return). This is also indicated by a returned prevpageuri with a null value. For performance reasons, the service may automatically truncate the returned result set, requiring additional GET requests (with appropriate start & count parameters set) in order to retrieve the full set of resources. The simplest way to make sure that you have retrieved all resources in a specific collection is to always perform iterative GET requests using the returned nextpageuri until the value is null. See the following example in pseudo-code based on any filters/queries and sort order: 5.12 State-Change Message Bus currentcollection = doget("/rest/server-hardware"); allesources = currentcollection.members; While (currentcollection.nextpageuri) { currentcollection = doget(currentcollection.nextpageuri); allesources.append(currentcollection.members); } The State-Change Message Bus (SCMB) is an interface that uses asynchronous messaging to notify subscribers of changes to managed resources both logical and physical. For example, you can program applications to receive notifications when new server hardware is added to the managed environment or when the health status of physical resources changes without having to continuously poll the appliance for status using the EST APIs. To learn more about receiving asynchronous messages about changes in the appliance environment, see Using a message bus to send data to subscribers (page 303) Metric Streaming Message Bus The Metric Streaming Message Bus (MSMB) is an interface that uses asynchronous messaging to notify subscribers about the most recent metrics for managed resources. You can configure the interval and the metrics that you want to receive using the EST APIs. To learn more, see Using a message bus to send data to subscribers (page 303) Analysis and troubleshooting You can use EST APIs to capture data obtained from remote system logs and ilo and make this data accessible for use by powerful troubleshooting and analysis tools HPE Operations Analytics integration with HPE OneView The integration of Operations Analytics and HPE OneView provides IT professionals with troubleshooting, analysis, and capacity planning information for devices managed using HPE OneView. Using HPE OneView EST APIs, you can capture data from logs, metrics, alerts, and inventories, and import them into Operations Analytics for graphical display and viewing. 104 Using the EST APIs and other programmatic interfaces

105 eal-time troubleshooting applications like Operations Analytics need access to HPE OneView resources, relationships, metrics, alerts, and logs at near real time intervals. This data is then used to pinpoint developing issues and avoid infrastructure downtime by predicting failure in advance. For technical information about Operations Analytics, see HPE Operations Analytics Manuals Developer tools in a web browser You can use developer/debug tools in your web browser to view the EST API operations as they happen in the UI. The UI uses EST APIs for all operations; therefore, anything you can do in the UI can be done using EST API operations PowerShell and Python code sample libraries Windows PowerShell and Python libraries are available on Git-compliant websites to download and use for your EST API scripting. The libraries are currently under the MIT Open Source license, and you can modify the source code for your own purposes. Each library provides methods for you to submit feedback, issues, and other discussions to Hewlett Packard Enterprise. About Git version control: The repository layouts and overall workflows use a very standard simple workflow where the master branch is always the top of tree trunk. Hewlett Packard Enterprise tags each release and branches a release only to fix an issue on a specific release. To learn more about using Git, see NOTE: If you have questions about EST API scripting or HPE OneView, post your questions to the user community forum at PowerShell library The PowerShell library is hosted on GitHub and is available here: HewlettPackard/POSH-HPOneView. To subscribe to the site and monitor the project, you need a valid Microsoft or GitHub account. Downloading releases or source code does not require authentication. For ease of use when the library is updated, a new installer is provided. You can use a browser or a GIT Windows client to download the source code and samples. To download the Windows client, see The GitHub site provides an issues tracker to submit issues or feature requests. Python library The Python library is hosted on a GitHub website and is available here: HewlettPackard/python-hpOneView. To receive development discussions, sign up on the public mailing list at groups.google.com/forum/#!forum/hp-oneview-python Developer tools in a web browser 105

106 106

107 6 Accessing documentation and help This chapter describes how to access help from the appliance, how to access the publicly available online information library, and where to find EST API help and reference documentation. 6.1 Online help conceptual and task information as you need it The online help documents both the UI and the EST APIs, and includes: Overviews of the appliance and its features Descriptions of resources and UI screens Quick-start instructions for bringing your data center under management Step-by-step instructions for using the UI to perform tasks Information about using EST API scripting to perform tasks The HPE OneView EST API eference Information about using the SCMB (State-Change Message Bus) to subscribe to state change messages EST API help design The EST API help is designed so that: Each resource is documented in its own chapter. Each EST API scripting chapter identifies the EST API calls you must invoke to complete the tasks. Each EST API call links to the HPE OneView EST API eference for details about the API, such as attributes and parameters, the resource model schema, and JSON (JavaScript Object Notation) examples. UI help design The online help for the UI is designed so that each resource is documented in its own chapter. At the top of each help chapter is a navigation box that directs you to: Tasks that you can perform using the UI An About section that provides conceptual information about the resource A screen details section for every screen, which provides definitions of screen components to assist you in data entry and decision making Troubleshooting information in case you encounter a problem Links to the help for the associated EST APIs if you prefer to use EST API scripting to perform a task 6.2 This user guide supplements the online help This user guide provides: Conceptual information and describes tasks you can perform using the UI or EST APIs. It does not duplicate the step-by-step instructions provided by the online help unless the information might be needed when the online help is not available. For procedures that use the EST APIs, the EST APIs are listed, but the complete syntax and usage information is included in the HPE OneView EST API eference in the online help. 6.1 Online help conceptual and task information as you need it 107

108 Planning information, including configuration decisions to make and tasks that you might need to perform before you install an appliance, add managed devices, or make configuration changes. Quick starts that provide high-level step-by-step instructions for selected tasks that might require that you configure multiple resources using the UI or EST APIs. 6.3 Where to find HPE OneView documentation User guides and other manuals HPE OneView user guides and other manuals are available on the Hewlett Packard Enterprise Information Library. See Websites (page 406) for other information resources. Online help To view help on the appliance, click in a new browser window or tab: Help on this page opens help for the current screen to open the Help sidebar. Links in the sidebar open help Browse help opens the top of the help system where you decide which help topics you want to read about Browse EST API help opens help for API scripting and reference information Clicking on a screen or dialog box opens context-sensitive help for that dialog box NOTE: To submit feedback about HPE OneView documentation, send to docsfeedback@hpe.com. 6.4 Enable off-appliance browsing of UI help and EST API help The off-appliance versions of the HPE OneView help systems are useful for developers who are writing EST API scripts or other users who prefer the convenience of accessing help locally without logging in to the appliance. NOTE: You can also browse the API eference at Downloading HTML UI help and HTML EST help 1. Go to the Enterprise Information Library: 2. Select the HPE OneView online help and API eference (download) zip and save it to your computer or to a local directory on a web server. 3. Use the utility of your choice to extract the contents of the.zip file. 4. Navigate to the content directory. 5. Double-click the index.html file to open the HPE OneView help system. 108 Accessing documentation and help

109 Part II Configuration quick starts The quick starts provided in this part describe the basic resource configuration tasks required to quickly bring the primary components of your hardware infrastructure under appliance management. Additional resource configuration and ongoing management tasks are documented in Part IV.

110 110

111 7 Quick Start: Initial setup The topics in this chapter describe how to plan for and use the appliance user interface to bring your IT infrastructure into HPE OneView. I want to... Initial hardware setup (page 111) Verify hardware configuration (page 111) Learn more About Hardware Setup (page 112) Hardware setup screen details (page 112) 7.1 Initial hardware setup Skip any steps you have already completed. 1. Install and connect the Synergy hardware in the appropriate bay with correct cabling for your planned configuration. See the HPE Synergy Frame Setup and Installation Guide and the HPE Synergy Configuration and Compatibility Guide for more information. 2. On a frame that contains an Synergy Composer appliance module, connect to the Synergy console. The HPE Synergy console starts and the screen displays a link to access HPE OneView. 3. Access the Hardware Setup screen in HPE OneView by doing one of the following: Log in as the HardwareSetup user Click the Hardware Setup button on the HPE OneView login screen. With a direct connection to the monitor port, you can access the HPE OneView hardware setup without providing credentials. Log in as Administrator See the HPE OneView User Guide for HPE Synergy for information about logging in as Administrator for the first time. 4. Verify your hardware configuration using the guidance on the HPE OneView Hardware Setup screen. More information About Hardware Setup (page 112) Verify hardware configuration Prerequisites You have completed Initial hardware setup. If you are going to configure the appliance network, you will need the network address Verifying hardware configuration 1. From the Hardware Setup screen, verify that the Inventory list contains all of the hardware that you expect. NOTE: A spinning icon at the top of the inventory section indicates when HPE OneView is bringing the enclosures and the devices within them under management. Devices may not be listed until the discovery process is complete. 7.1 Initial hardware setup 111

112 2. View and resolve any alerts in the Checklist. The Checklist will display Setup incomplete until all alerts are resolved, then it will display Setup complete. 3. Optional: configure the appliance network. NOTE: If you have logged in as Administrator for the first time, the Hardware Setup screen is displayed. However, in all subsequent logins, the Dashboard displays. To access the Hardware Setup screen from this location, select Hardware Setup in the main menu. More information HPE Synergy Troubleshooting Guide at HPE Synergy Interactive Cabling Guide at HPE Synergy Frame Setup and Installation Guide 7.3 About Hardware Setup The Hardware setup screen allows the Hardware setup user or Administrator to view a list of alerts and an inventory of discovered hardware. The alerts provide instructions and allow you to drill down into problem areas to inspect the affected resource or device. The Hardware setup user and the Administrator also have access to the consoles of installed server hardware and to the CLI management consoles of non-vc interconnects. Some examples of issues that you can troubleshoot using hardware setup: Faulty hardware such as memory, processors, disks, fans, and power supplies High temperature conditions Backplane connector seating Component connectivity, such as: Link faults Mezzanine ports Interconnect module downlinks and uplinks Link module management port status Link module link ports Server hardware and interconnect module management processor port links 7.4 Hardware setup screen details Checklist The checklist displays alerts Inventory Enclosures Displays the number of enclosures discovered by HPE OneView. Interconnects Displays the number of interconnects discovered by HPE OneView. 112 Quick Start: Initial setup

113 Server Hardware Displays the number of server hardware devices discovered by HPE OneView. 7.5 Configure the appliance network at first-time login The first time you log in to the appliance as administrator, you are instructed to configure the appliance network. However, if you are logging in from the console, you do not need to enter the networking configuration data. Prerequisites You have gathered the information you need to configure the appliance network. Ensure that the tasks for adding enclosures have completed. Ensure that the tasks for forming a high availability cluster have completed. Configuring the appliance network 1. Enter the appliance network configuration information described in the networking panel screen details. 2. Click OK to configure the network. A security warning is displayed. Click Proceed Anyway. 7.5 Configure the appliance network at first-time login 113

114 114

115 8 Quick Start: Initial configuration of HPE OneView Initial configuration of resources in HPE OneView is no different from configuring resources as part of routine maintenance. While HPE OneView is designed to allow flexibility in the order in which you create, add, and edit resources and devices, Hewlett Packard Enterprise recommends using the following workflow sequence for initial configuration or whenever you make significant additions or changes to your environment. To use EST APIs to configure the appliance and bring your environment under management for the first time, see the EST API help, which is available from the Help Sidebar. 8.1 Initial configuration of resources in HPE OneView Prerequisites You have completed hardware setup. See About Hardware Setup (page 112) and the HPE Synergy Frame Setup and Installation Guide for more information. You have configured the appliance network. You are logged on as Administrator Configure resources in HPE OneView 1. Add users to the appliance. Create user accounts with specific privileges and local or directory-based authentication: Add a fully authorized local user (Infrastructure administrator) Add a local user with specialized access Add a fully authorized user with authentication by membership in an organizational directory Add a user with role-based access and authentication by membership in an organizational directory Create user accounts assigned with predefined or specialized privileges with local or directory-based authentication. See the Users and Groups online help for more information. 2. Add firmware bundle to the appliance firmware repository. Add the latest firmware bundle to the appliance. See the Firmware Bundles online help for more information. 3. Create networks. Create Ethernet networks for data and Fibre Channel over Ethernet networks for storage. See the Networks online help for more information. 4. Create network sets. Create network sets to group Ethernet networks together to simplify management. See the Network Sets online help for more information. 5. Create one or more logical interconnect groups. Create one or more logical interconnect groups to define the connections between your networks and interconnect uplink ports. See the Logical Interconnect Groups online help for more information. 8.1 Initial configuration of resources in HPE OneView 115

116 6. Create an enclosure group. Create an enclosure group to define and maintain consistent configurations and to be able to detect and manage devices such as interconnects and server hardware in your enclosures. See the Enclosure Groups online help for more information. 7. Create a logical enclosure. Create a logical enclosure to define a set of enclosures to which to apply an enclosure group. See the Logical Enclosures online help for more information. 8. Optional: Add storage systems and storage pools. Add storage systems to the appliance and then add storage pools to the appliance. See the Storage Systems online help and the Storage Pools online help for more information. 9. Optional: Create volumes. Create volumes in the storage pools. You can also create volumes by creating volume templates. You can add existing volumes from storage systems to the appliance. See the Volumes online help and the Volume Templates online help for more information. 10. Optional: Add a SAN manager to the appliance to manage SAN storage. Add a SAN manager to access the SANs it manages. See the SAN Managers online help for more information. 11. Optional: Associate SANs with networks. Associate SANs with networks in HPE OneView. See the SAN Managers online help for more information. 12. Create server profiles and apply them to server hardware. Create and apply server profiles to define common configurations for your server hardware. See the Server Profiles online help for more information. 13. Optional: Attach a SAN volume to a server profile. Attach a SAN volume to a sever profile. See the Server Profiles online help for more information. 14. Save the appliance configuration to a backup file. Save the initial appliance configuration settings and database to a backup file in the event that you need to restore the appliance to its current configuration in the future. See the Settings online help for more information about creating and saving appliance backup files. 8.2 Define physical dimensions and power systems in HPE OneView Defining the physical dimensions of the space that the networking hardware inhabits and positioning enclosures, power delivery devices, server hardware, and other devices in racks within HPE OneView provides the appliance with an accurate diagram of the devices in your 116 Quick Start: Initial configuration of HPE OneView

117 data center and their physical connections. The appliance can then provide powerful monitoring and management functionality, including: The Data Centers screen generates a 3D model of your IT environment, which you can use for planning and organization. The Data Centers screen displays power and temperature data to enable you to analyze power consumption rates. The appliance reports peak temperatures for racks and their components to identify and alert you about potential cooling issues. The Power Delivery Devices screen provides data to enable you to analyze power consumption rates and power caps. 1. Add power devices. Define your power devices and power connections. See the Power Delivery Devices online help for more information. 2. Add racks and configure the rack layout. Add racks and configure the layout of enclosures, power delivery devices, and other rack devices. See the acks online help for more information. 3. Create data centers and position racks in them. Define the physical topology and cooling and power characteristics of your data center, which enables 3D visualization and temperature monitoring. See the Data Centers online help for more information. 8.2 Define physical dimensions and power systems in HPE OneView 117

118 118

119 9 Quick Start: Initial configuration of HPE Synergy Image Streamer HPE OneView uses Image Streamer to deploy stateless servers. Once you have correctly installed an Image Streamer appliance, you will need to configure HPE OneView resources to locate, allocate, and use the OS deployment artifacts provided by an Image Streamer OS deployment server. 9.1 Configure HPE Synergy Image Streamer for HPE OneView Prerequisites You have installed and configured HPE Synergy Image Streamer appliance. You have validated the hardware setup Configuring HPE OneView to work with HPE Synergy Image Streamer 1. Add an IPv4 subnet and address range. Define the range of IPv4 addresses and subnets to set aside for each Image Streamer appliance in the frame link topology, plus the number of operating system servers expected to be deployed in the settings screen. 2. Create a management network. Create a management network that is consistent with the HPE OneView management network. 3. Add an OS deployment server. Add an OS deployment server for use in HPE OneView to deploy operating systems to managed servers. 4. Create a deployment network. Create a deployment network to enable operating system deployment to servers using Image Streamer. 5. Create one or more logical interconnect groups. Create one or more logical interconnect groups to define the connections between Image Streamer appliances and the servers they will support. NOTE: If you are creating a single-frame configuration to use Synergy Image Streamer, create an Image Streamer uplink set choosing Ethernet for the type and containing one uplink port. 6. Create an enclosure group. Create an enclosure group that includes the Image Streamer configuration. NOTE: If you are creating a single-frame configuration to use Synergy Image Streamer, select External for the deployment network type. 7. Create a logical enclosure. Create a logical enclosure to define the set of frames to which to apply the Image Streamer enclosure group. NOTE: If you are creating a single-frame configuration to use Synergy Image Streamer, select the single Synergy frame. 9.1 Configure HPE Synergy Image Streamer for HPE OneView 119

120 9.1.3 Configuring HPE OneView to deploy OS build artifacts to servers Once you add an Image Streamer OS deployment server in HPE OneView, you can launch the Image Streamer graphical user interface from the HPE OneView OS Deployment Servers screen. 1. Upload artifacts from a bundle or create new artifacts From the Image Streamer interface, the software administrator can upload artifacts from a bundle for use in HPE OneView or use the Image Streamer interface to create golden images and other OS build artifacts. 2. Create or configure a server profile. Create and apply a server profile which includes an OS deployment selection and values for the server-specific settings for the selected OS deployment. 3. Verify operating system deployment. eview the online server profile screen details to view the operating system volume that has been created as a result of deployment. 4. Power on server. Power on server to boot from deployed operating system. More information Managing OS Deployment servers (page 225) Quick Start: Initial hardware setup for an added management appliance This section describes how to bring a management appliance, such as HPE Synergy Image Streamer into HPE OneView Initial hardware setup for a management appliance Install and connect the management appliance in the appropriate bay with correct cabling for your planned configuration. Cabling for a particular appliance depends on the software embedded on the appliance. See the HPE Synergy Frame Setup and Installation Guide and the HPE OneView Synergy Configuration and Compatibility Guide for specific guidance for the appliance that you are installing Verify management appliance setup With a direct connection to the DisplayPort in the HPE Synergy Frame Link Module, you can access the HPE OneView hardware setup without providing credentials. To access HPE OneView Hardware Setup from a direct connection to the Frame Link Module see About an HPE Synergy Frame Link Module (page 196). To verify the management appliance setup through HPE OneView remotely, continue with this procedure. Prerequisites Privileges: Infrastructure administrator The appliance network for Synergy Composer is configured. You have completed Initial hardware setup for a management appliance. 120 Quick Start: Initial configuration of HPE Synergy Image Streamer

121 Verifying management appliance setup 1. In a supported browser, type the IP address for the HPE OneView that is managing the frame containing the management appliance. 2. From the main menu, select Hardware Setup. 3. From the Hardware Setup screen, view and resolve any alerts in the Checklist related to your appliance. The Checklist will display Setup incomplete until all alerts are resolved, then it will display Setup complete. 4. Verify that the Inventory list contains the number of appliances that you expect. 5. From the main menu, select Enclosures and navigate to the Composable Infrastructure Appliances section to view details for your appliance(s). More information Hardware setup screen details (page 112) Configure HPE Synergy Image Streamer for HPE OneView 121

122 122

123 10 Quick Starts for networks, enclosures, and storage 10.1 Quick Start: Add a network and associate it with an existing server This quick start describes how to add a network to the appliance and enable existing servers to access that network. Prerequisites equired privileges: Infrastructure administrator or Network administrator for adding the network. equired privileges: Infrastructure administrator or Server administrator for changing the configurations of the server profiles. The enclosures and server hardware are added to the appliance. All data center switch ports that connect to the Virtual Connect interconnects are configured as described in Data center switch port requirements (page 170) Quick Start: Add a network and associate it with an existing server 123

124 Adding a network and associating it with an existing server When you add a network to the appliance, you might need to make configuration changes to the following resources: esource Networks Logical Interconnect Groups Logical Interconnects (one or more) Network Sets Task 1. Add the network. 2. Add the network to an uplink set or internal networks. 3. Do one of the following: Add the network to an uplink set or internal networks. Update the logical interconnect from the logical interconnect group. 4. (Optional) Add the network to a network set. Description Adding a network does not require that you take resources offline. For more information about networks, see Managing networks and network resources (page 165), the online help for the Networks screen, or the EST API scripting help for networks and network sets. You can either add the network to an existing uplink set or create an uplink set for the network. Changing the configuration of an uplink set does not require that you take resources offline. Configuration changes made to a logical interconnect group are not automatically propagated to the member logical interconnects. However, by changing the logical interconnect group, you can update each logical interconnect with a single action. For more information, see Managing interconnects, logical interconnects, and logical interconnect groups (page 171), the online help for the Logical Interconnect Groups screen, or the EST API scripting help for logical interconnects and the EST API for the uplink-sets resource. Changing the configuration of an uplink set does not require that you take resources offline. Configuration changes made to a logical interconnect group are not automatically propagated to the member logical interconnects. To update a logical interconnect with changes made to its logical interconnect group, do one of the following: Select Logical Interconnects Actions Update from group. Use the EST APIs to reapply the logical interconnect group. When adding a network, updating a logical interconnect from its group does not require that you take resources offline. You can make changes to a logical interconnect without also changing the logical interconnect group. In this case, you add the network to an uplink set on the logical interconnect. However, the appliance labels the logical interconnect as being inconsistent with its group. For more information, see Managing interconnects, logical interconnects, and logical interconnect groups (page 171), the online help for the Logical Interconnects screen, or the EST API scripting help for logical interconnects. Applies to Ethernet networks only. Adding a network to a network set does not require that you take resources offline. You do not need to update server profiles that have connections to the network set. For more information about network sets, see Managing networks and network resources (page 165), the online help for the Network Sets screen, or the EST API scripting help for networks and network sets. 124 Quick Starts for networks, enclosures, and storage

125 esource Server Profiles and Server Hardware Task 5. Power off the server before you edit the server profile. 6. Edit the server profile to add a connection to the network. 7. Power on the server after you apply the server profile. Description For a server to connect to the network, the server profile for the server hardware must include a connection to either the network or a network set that includes the network. If you add the network to a network set, server profiles that have connections to the network set automatically have access to the added network. You do not have to edit these server profiles. If the network is not added to a network set, you must add a connection to the network in the server profiles that you want to connect to that network. Power off the server hardware before adding the connection to a server profile. For more information about server profiles, see Managing server hardware, server profiles, and server profile templates (page 135), the online help for the Server Profiles screen, or the EST API scripting help for server profiles Quick Start: Add an HPE ProLiant DL rack mount server to manage This quick start describes the process for adding a rack mount server to manage. The features supported by the appliance vary by server model. For information about the features supported for HPE ProLiant DL servers, see Server hardware management features (page 136). Prerequisites equired privileges: Infrastructure administrator or Server administrator. The server is connected to a live power source. See Prerequisites for bringing server hardware into an appliance (page 137) for prerequisites and preparation you must complete before you add a server Quick Start: Add an HPE ProLiant DL rack mount server to manage 125

126 Adding an HPE ProLiant DL rack mount server to manage esource Server Hardware Task 1. Add the server using the Server Hardware screen or the EST APIs for the server-hardware resource. 2. Power on the server. Description When you add a server, you must provide the following information: Specify Managed. The ilo IP address or host name. The user name and password for an ilo account with administrator privileges. A license type to use for the server hardware. For more information about server hardware, see Managing server hardware, server profiles, and server profile templates (page 135), the online help for the Server Hardware screen, or the EST API scripting help for server hardware. If this server configuration differs from the other servers in the appliance, the appliance automatically adds a server hardware type for this model. Because this is a rack mount server: You cannot use the appliance to provision any networks for this server. The features supported by the appliance vary by server model. For information about the features supported for HPE ProLiant servers, see Server hardware management features (page 136) Quick Start: Configuring an HPE 5900 for management by HPE OneView To add an HPE 5900 to the appliance as a SAN manager, you must configure the switch as described in this document. The following procedures describe how to configure an HPE 5900 using the switch software so that you can add it to HPE OneView. See also: The SAN Managers chapter in the UI help The SAN Managers chapter in the EST API scripting help See the HPE OneView Support Matrix for HPE Synergy for more information about supported SAN managers. NOTE: In a cascaded switch environment, all zone and zone alias operations should be performed from a single switch that is added as SAN manager (device manager) in HPE OneView. Zone and zone aliases created through other switches in the fabric will not be visible in HPE OneView. 126 Quick Starts for networks, enclosures, and storage

127 Table 5 Enable SSH and create an SSH user Configuration Enable SSH on the HPE 5900 and create an SSH user (named a5900 with password sanlab1 in this example) on the HPE 5900 using the HPE 5900 software: 1. system-view 2. public-key local create rsa 3. public-key local create dsa 4. ssh server enable 5. user-interface vty authentication-mode scheme 7. quit 8. local-user a5900 class manage 9. password simple sanlab1 10. service-type ssh 11. authorization-attribute user-role network-admin 12. quit 13. ssh user a5900 service-type stelnet authentication-type password Table 6 Create an SNMPv3 user Configuration The 5900 has a predefined view named ViewDefault. This view grants access to the iso MIB but does not provide access to the snmpusmmib, snmpvasmmib, snmpmodules.18 MIBs. The following steps show how to assign a SNMP v3 user with default read permission. Create an SNMPv3 user with default read permissions Use this procedure if you want the user to have the default level of access. 1. Enter system-view on the HPE 5900 by issuing the command: system-view 2. Create a group (named DefaultGroup in this example) and set eadview permission to ViewDefault: snmp-agent group v3 DefaultGroup privacy read-view ViewDefault 3. Create an SNMPv3 user (named defaultuser with MD5 authentication password authpass123 and AES-128 privacy password privpass123 in this example) and add it to the group created in Step 1: snmp-agent usm-user v3 defaultuser DefaultGroup simple authentication-mode md5 authpass123 privacy-mode aes128 privpass Save the changes: save NOTE: AES-128 DES-56 HPE OneView supports the following privacy protocols: 10.4 Quick Start: Configuring a Cisco switch to be added as a SAN manager for management by HPE OneView To add a Cisco SAN manager to the appliance as a SAN manager, you must configure the switch as described in this document. The following procedures describe how to configure a Cisco SAN manager using the switch software so that you can add it to HPE OneView. See also: The SAN Managers chapter in the UI help The SAN Managers chapter in the EST API scripting help 10.4 Quick Start: Configuring a Cisco switch to be added as a SAN manager for management by HPE OneView 127

128 See the HPE OneView Support Matrix for HPE Synergy for more information about supported SAN managers. NOTE: In a cascaded switch environment, all zone and zone alias operations should be performed from a single switch that is added as SAN manager (device manager) in HPE OneView. Zone and zone aliases created through other switches in the fabric will not be visible in HPE OneView. Table 7 Create an SNMPv3 user with write permissions Configuration 1. Enter the config mode using the command config t 2. Create the user with required authentication and privacy snmp-server user <user name> auth <authentication mode, SHA or MD5> <auth password> priv <privacy protocol, AES128, DES> <priv password> <group/role name> example 1, creating a AUTHPIV user with SHA and AES128 and adding to network-admin group (switch)#snmp-server user AuthPrivUser auth sha authstring123 priv aes-128 privstring123 network-admin example 2, creating a AUTHPIV user with MD5 and DES and adding to network-admin group (switch)#snmp-server user AuthPrivUser auth md5 authstring123 priv privstring123 network-admin 3. Optional : To create a role for the user, use the following commands role name <role name> rule 1 permit read-write example 3, creating a AUTHNOPIV user with MD5 and adding to new role/group (switch)#role name newole (switch)#rule 1 permit read-write (switch)#snmp-server user AuthUser auth md5 authstring123 newole NOTE: Cisco supports AUTHPIV and AUTHNOPIV users only. The SNMP user can be added to the network-admin group/role which will be present on the switch or a role can be created and the user assigned to it. HPE OneView supports the following authentication protocols: SHA MD5 HPE OneView supports the following privacy protocols: AES-128 DES Quick Start: Configure server hardware MAC address binding for FCoE server profiles In order to configure a SAN so that the server profile volume attachments are visible to the server hardware, you need to perform a binding configuration for each server hardware Prerequisites You intend to attach volumes to server hardware using FCoE. You have configured at least one FCoE connection in a server profile. 128 Quick Starts for networks, enclosures, and storage

129 Configuring server hardware MAC address binding for FCoE server profiles 1. From the main menu, select Server Profiles. 2. In the master pane, select the server profile that specifies the server hardware with an FCoE connection. 3. From the View selector, select Connections. 4. For each connection that you want to bind to a vfc interface, click the expander to display the details of the connection. Note the MAC address of the connection. 5. Use SSH to bind the server hardware MAC address to the vfc interface on the vsan. See Adding a FCoE volume in a multi-hop FCoE environment in the FCOE Cookbook for HP Virtual Connect for information on binding the server hardware MAC addresses to vfc interfaces on the vsan Quick Start: Configure server hardware MAC address binding for FCoE server profiles 129

130 130

131 Part III Configuration and management The chapters in this part describe the configuration and management tasks for the appliance and the resources it manages.

132 132

133 11 Best practices Hewlett Packard Enterprise recommends the following best practices for HPE OneView: Best practices for maintaining a secure Synergy Composer (page 65) Best practices for backing up a Synergy Composer (page 249) Best practices for restoring a Synergy Composer (page 255) Best practices for managing firmware (page 216) Best practices for monitoring health with the appliance UI (page 282) 133

134 134

135 12 Managing server hardware, server profiles, and server profile templates Managing servers with the appliance involves interacting with several different resources on the appliance: A server profile captures the entire server configuration in one place, enabling you to consistently replicate new server profiles and to rapidly modify them to reflect changes in your data center environment. A server profile enables management of your server hardware. A server profile template provides a mechanism to store configurations for a server profile. All of the configuration constructs of a server profile are present in the server profile template. An instance of server hardware is a physical server, such as an HPE ProLiant BL460c Gen8 Server Blade, installed in an enclosure or an HPE ProLiant DL380p rack mount server. A server hardware type defines the characteristics of a specific server model and set of hardware options, such as mezzanine cards. A connection, which is associated with a server profile, connects a server to the data center networks. Server profiles provide most of the management features for servers, but server hardware and server profiles are independent of each other: A physical server, which is an instance of server hardware, might or might not have a server profile assigned to it. A server profile might be assigned to one instance of server hardware, or no server hardware at all. It is the combination of the server hardware and the server profile assigned to it that is the complete server in the appliance. You must use the server hardware resource to add physical servers to the appliance when you install a rack mount server. Server blades are added to the appliance automatically when you add an enclosure or install a server blade in an existing enclosure. UI screens and EST API resources UI screen Server Profiles Server Profile Templates Server Hardware Server Hardware Types EST API resource server-profiles and connections server-profile-templates server-hardware server-hardware-types 12.1 Managing server hardware Server hardware represents an instance of server hardware, such as a physical server blade installed in an enclosure, or a physical rack server. A server hardware type captures details about the physical configuration of server hardware, and defines which settings are available to the server profiles assigned to that type of server hardware Managing server hardware 135

136 oles Minimum required privileges: Infrastructure administrator or Server administrator Tasks for server hardware The appliance online help provides information about using the UI or the EST APIs to: Get information about the server hardware. Power on and power off a server. eset a server. Collect remote support data for server hardware. Launch the ilo remote console to manage servers remotely. Add a server to an existing enclosure. emove a server from an existing enclosure. efresh the connection between the appliance and the server hardware. View activities Server hardware management features HPE OneView, which is embedded on the HPE Synergy Composer, allows you to access and operate the following compute module functions and configurations from the HPE OneView user interface or EST API. Feature Supported server hardware Gen9 Power on or power off the server Turn on or turn off the UID light View inventory data Monitor power, cooling, and utilization Monitor health and alerts Launch ilo remote console SSO (single sign-on) to ilo web interface Automatic firmware upgrade (ilo) to minimum supported version when added to the HPE Synergy Composer and the enclosure is configured ack visualization and editing Automatic discovery of server hardware type emote support Server profile features when the server is managed: BIOS settings Firmware Connections to networks Boot order 136 Managing server hardware, server profiles, and server profile templates

137 Feature Supported server hardware Gen9 Local storage SAN storage Prerequisites for bringing server hardware into an appliance Server hardware model The server hardware must be a supported model listed in the HPE OneView 3.0 Support Matrix for HPE Synergy or the HPE OneView Synergy Configuration and Compatibility Guide. The server hardware is connected to a live power source. The server hardware must have a valid serial number and product ID to be managed by HPE OneView. ilo firmware The ilo (Integrated Lights-Out) firmware version must meet the minimum requirement listed in the HPE OneView 3.0 Support Matrix for HPE Synergy or the HPE OneView Synergy Configuration and Compatibility Guide. IP addresses IPv4 configuration is required. ilos on rack server hardware must have an IP address. Local user accounts ilos must be configured to allow for local user accounts About server hardware A server hardware resource represents an instance of server being managed or monitored by HPE OneView. For a managed server hardware resource, the configuration can be applied by assigning a server profile to it How the appliance handles unsupported hardware Unsupported hardware is any device that the appliance cannot manage. Unsupported devices are similar to unmanaged devices in that all unsupported devices are not managed by the appliance. The difference is that you can bring unmanaged devices under management of the appliance if you take the appropriate actions or properly configure them. Unsupported hardware can never be managed by the appliance. The appliance detects the unsupported hardware and displays the model name and other basic information that it obtains from the device for inventory purposes. The appliance also accounts for the physical space unsupported devices occupy in enclosures and racks. To account for the space a device occupies, the appliance represents unsupported hardware the same way it represents unmanaged devices. The action available for unsupported hardware is emove Managing server hardware 137

138 About monitored server hardware Any servers in a Synergy Frame are automatically added to the Synergy management appliance. If the frame is not yet part of a logical enclosure, then any newly discovered server will be placed in the monitored state. The monitored state allows you to see server details and health information as well as perform basic server operations like power on and off, activate the UID light, and access the ilo UI and remote console. Profiles cannot be applied to a server in the monitored state. Once the frame becomes part of a logical enclosure, the installed server hardware becomes "managed", and enters the "No profile applied" state. A server profile can now be applied to the server, moving it to the "Profile applied" state. Additional actions are available for server hardware in one of these managed states including making BIOS settings, updating firmware and configuring boot settings. CAUTION: The UID light blinks automatically to indicate that a critical operation is underway, such as emote Console access for server hardware or a firmware update. Do not remove power from server hardware when its UID light is blinking About unmanaged devices An unmanaged device is a device, such as a server, enclosure, KVM (keyboard, video and mouse) switch, in-rack monitor/keyboard, or router, that occupies space in a rack and/or consumes power but is not managed by the appliance. Unmanaged devices are created automatically to represent devices that are attached to an Intelligent Power Distribution Unit (ipdu) using Power Discovery Services connections. BladeSystem enclosures and ProLiant DL series servers are shown in the unmanaged or unsupported state in the Enclosures and Server Hardware in the master pane, respectively. These will be represented as unmanaged enclosures and servers; as such, they are not included in the Unmanaged Devices resource list. When creating an unmanaged device, you provide its name, model description, height in U-slots and maximum power requirements. These values are used in power and cooling capacity analysis and enable alerts to be generated identify potential power and cooling issues. Because there is no communication to the unmanaged device, the status is disabled unless appliance-generated alerts identify issues to be addressed. For purposes of power configuration, unmanaged devices are assumed to have two power supply connections to support redundant power. These are identified as power supplies 1 and 2. If an unmanaged device does not support redundant power, connect only power supply 1, then clear the alert about lack of redundant power to the device. For devices that are not discovered through Power Discovery Services connections, you can manually add these devices to the appliance for tracking, inventory, and power management purposes Tasks for server hardware types The appliance online help provides information about using the UI or the EST APIs to: Edit the name or description of the server hardware type. Delete a server hardware type About server hardware types A server hardware type defines the physical configuration for server hardware and defines the settings that are available to server profiles to be assigned to that type of server hardware. For example, the server hardware type for the HPE ProLiant BL460c Gen8 Server Blade includes a complete list of BIOS settings and the defaults for that model. 138 Managing server hardware, server profiles, and server profile templates

139 The appliance creates server hardware types according to the server hardware it detects. The server hardware type is used when you create a server profile to show which settings are available How the ilo is changed as a result of HPE OneView management When server hardware is being managed by the appliance, the following configuration changes are made to the ilo on the server: A management account (_HPOneViewadmin) is created and can be viewed on the ilo Overview and User Administration screens. SNMP is enabled and the appliance is added as an SNMP trap destination. ilos allow for three possible trap destinations, and on Synergy servers, the SNMP information is always written into the third entry for trap registration. WANING! If you modify the information in the third entry location, the Synergy appliance will overwrite the entry without warning. NTP is enabled and the appliance becomes the server hardware s NTP time source. An appliance certificate is installed to enable single sign-on operations. ilo firmware is updated to the minimum versions listed in the HPE OneView 3.0 Support Matrix for HPE Synergy or the HPE OneView Synergy Configuration and Compatibility Guide for managed servers. The Synergy management appliance is added as a destination for ESTful interface events. The ilo time zone is set to Atlantic/eykjavik as recommended by the ilo documentation. The time zone setting determines how the ilo adjusts UTC time to obtain the local time and how it adjusts for daylight savings time (summer time). For the entries in the ilo event log and IML to display the correct local time, you must specify the time zone in which the server is located. If you want ilo to use the time provided by the SNTP server, without adjustment, configure the ilo to use a time zone that does not apply an adjustment to UTC time. In addition, that time zone must not apply a daylight saving time (summer time) adjustment. There are several time zones that fit this requirement. One example is the Atlantic/eykjavik time zone. This time zone is neither east nor west of the prime meridian and time does not change in the spring or fall. More information About SNMP settings (page 187) Launch the ilo console to manage servers remotely The ilo remote console is only available for servers with an ilo license. The console enables you to remotely connect to the server to do the following: Access a screen on the physical server to install or use the operating system (Windows or Linux) Power on, power off, or reset a server Mount CD/DVD installation media from a remote client to enable an OS installation The ilo user web interface exposes these ilo features: Power monitoring Power on or power off 12.1 Managing server hardware 139

140 emote console Health data Account creation Security Other ilo management tasks You launch the ilo remote console from the Server Hardware or Server Profiles screen. The steps involved to launch the ilo remote console depend upon the client operating system (Windows or Linux) and your browser (Internet Explorer, Chrome, or Firefox). Prerequisites equired privileges: Infrastructure administrator or Server administrator Launching the ilo console to manage servers remotely 1. From the main menu, select one of the following: Server Hardware, and then select a server Server Profiles, and then select a server profile 140 Managing server hardware, server profiles, and server profile templates

141 2. Select Actions Launch console. Windows client with Internet Explorer, Chrome, or Firefox The ilo console is a Windows binary application that is installed on each client computer the first time the console is launched. Once the first-time installation completes, click the My installation is complete Launch console button to launch the remote console. After the console is installed, it can be launched directly from the Actions menu. NOTE: Installing the application provides the best user experience from HPE OneView. The initial Launch console action prompts for an installation and will attempt to open the installer. The number of dialog boxes presented during installation depends on the browser. In Internet Explorer, click un when prompted. If you attempt a Launch console action and no errors occur during installation, but no console is displayed, press and hold the Shift key and then select Actions Launch console to reinstall the remote console as described in einstall the remote console (page 356). In Chrome, when you click Install software, the downloaded HPE ilo Integrated emote Console installer file is displayed in the lower left corner of the browser. Click this file name to begin the installation. If you attempt a Launch console action and no errors occur during installation, but no console is displayed, press and hold the Shift key and then select Actions Launch console to reinstall the remote console as described in einstall the remote console (page 356). In Firefox, click the Save File button when Firefox first tries to open the installer, and then double-click the installer file when it is displayed in the Downloads dialog to begin the installation. If you attempt a Launch console action during installation you will receive a notification, press and hold the Shift key and then select Actions Launch console to reinstall the remote console as described in einstall the remote console (page 356). Windows client with Java plug-in If you are not running Internet Explorer, you can alternatively launch an ilo Java plug-in console by clicking the launch link in the Install software dialog. This is for cases where you are on a Windows workstation and are not permitted to install any software. With Internet Explorer, the Install software dialog is never displayed so you cannot launch the Java console. NOTE: The Java plug-in console opens a popup window. Hewlett Packard Enterprise recommends that you disable your browser s popup blocker. Linux client with any browser Linux clients will launch the Java plug-in console with single sign-on authentication directly on the ilo. This console requires JE to be installed on the client, otherwise you will be prompted to install it. The number of dialogs presented during installation depends on the browser Managing server profiles 12.2 Managing server profiles 141

142 oles Servers are represented and managed through their server profiles. A server profile captures key aspects of a server configuration in one place, including firmware levels, BIOS settings, network connectivity, boot order configuration, ilo settings, and unique IDs. Minimum required privileges: Infrastructure administrator or Server administrator Tasks for server profiles The appliance online help provides information about using the UI or the EST APIs for the following tasks: Get information about a server profile. Add a SAN volume to a server profile. Boot from an attached SAN volume. Create and apply a server profile or server profile template. Copy, edit, or delete a server profile. Install a firmware bundle using a server profile. Connect the server to data center networks by adding a connection to a server profile. Allocate virtual functions to a server profile connection. Manage local storage of a server. Manage SAN storage by attaching new or existing SAN volumes to the server profile. Manage the boot settings of a server. Manage the BIOS settings of a server. Manage virtual or physical IDs for the server hardware. Migrate an existing server profile. Move a server profile to another server. Power on and off the server hardware to which the server profile is assigned. Specify identifiers and addresses when creating a server profile. Update firmware with a server profile. Update the profile configuration from the server profile template. View activities About server profiles Capturing best-practice configurations (page 143) About editing a server profile (page 144) About moving a server profile (page 145) About migrating server profiles (page 145) Working with server profiles to control remove-and-replace behavior (page 146) About assigning a server profile to an empty device bay (page 146) About server profile connections (page 146) About server profile connections and changing server hardware types (page 147) 142 Managing server hardware, server profiles, and server profile templates

143 About server profiles and operating system deployment (page 147) About server profiles and local storage (page 149) About attaching SAN volumes to a server profile (page 152) Capturing best-practice configurations After setting up your data center, you can create server profiles to provision hundreds of servers as easily as you provision one server. A server profile is the configuration for a server instance. Server profiles and server profile templates capture the entire server configuration in one place, enabling you to replicate new server profiles and to modify them to reflect changes in your data center. A server profile includes: Basic server identification information Connectivity settings for Ethernet networks, network sets, Fibre Channel, and FCoE networks Firmware versions Local storage settings SAN storage settings Boot settings BIOS settings When you create a server profile, you can specify the server hardware to which you want to apply the profile. Leave the server hardware unassigned if the server hardware is not yet installed. Typically, you capture best-practice configurations in a server profile template, and then create individual server profiles. Server profiles enable you to create a provisioning baseline for server hardware types in an enclosure. When you create a server profile, it is designated for a server hardware type and enclosure group (for servers), whether the profile is assigned or unassigned. Server hardware can have only one profile assigned to it. By default, the server profile controls the server boot behavior. The server hardware type determines the available options you can select in the server profile. If applicable, you can select the boot mode and PXE boot policy. You also have the option of specifying the order in which the server hardware attempts to boot. HPE ProLiant Gen9 servers support both legacy BIOS and UEFI for configuring the boot process while HPE ProLiant Gen8 are legacy BIOS mode servers only. For more information about UEFI, see UEFI FAQs at Unified Extensible Firmware Interface Forum. By selecting to manage BIOS settings through the appliance, you can view all settings, only those you have modified, or only those that are different than the default values. The BIOS settings displayed depend on the supported server hardware. Applying the sections of a server profile to server hardware is a sequential process. The screen displays the current section being applied, followed by other sections that have been applied successfully. If a server profile needs to be reapplied due to an error, only the unconfigured sections and unapplied sections are reapplied. For example, if a firmware update succeeds, but the subsequent BIOS portion of the apply operation fails, the firmware is not applied a second time when the profile is reapplied. This helps to prevent unnecessary and time-consuming updates for the profile. Best practice: Perform server profile management tasks on one enclosure at a time For best performance, create, delete, edit, copy, or move server profiles for server hardware on one enclosure before managing server profiles on a different enclosure Managing server profiles 143

144 About editing a server profile Edit a server profile to change the settings associated with that profile. You can edit a server profile any time after it has been created. You can also edit a server profile with an Error condition to make corrections. When you edit a server profile, the state of the server changes. The appliance analyzes the changes and determines the actions to update the server. For example, if you change the BIOS settings but not the firmware baseline, the firmware is not updated. Only the requested changes are applied. NOTE: If you change the server settings or state using tools other than the appliance, the changes are not detected or managed. These changes might be overwritten the next time the profile is edited. When you edit a server profile, consider the following: Editing a profile is an asynchronous operation. Name and description changes take effect immediately, but other changes might take time to complete. If a profile is associated with a server profile template, changes can cause the profile to be out of compliance with its template. See About server profile consistency validation (page 153) for more information. Profile names must be unique. When unassigning a server profile with local storage configured, the logical drive contents are at risk of being lost. To preserve the logical drive, physically remove the disk drives or make a copy of the contents of the logical drive so that you can reassign the profile at a later time. BIOS settings are managed using the server profile and the settings on the server are overwritten when the server profile is applied. You cannot switch between virtual and physical identifiers for the following, unless you delete and recreate the profile connection: Serial number/uuid MAC address WWN To edit some server profile settings, the server hardware must be powered off; for others, the server hardware can remain powered on. You can edit the following settings with the server hardware powered on: Profile name Profile description Profile affinity equested bandwidth of an existing connection Network and network set of an existing connection except when the connection is bootable NOTE: You cannot change an existing connection between an Ethernet network or network set and a Fibre Channel network. A Fibre Channel network can only be changed to another Fibre Channel network on the same interconnect. Create, attach, and edit storage volumes. NOTE: disabled. If the server is configured to boot using the storage path, that path cannot be 144 Managing server hardware, server profiles, and server profile templates

145 Firmware and OS Drivers using Smart Update Tools Firmware only using Smart Update Tools The profile cannot be modified while the server hardware is powered on if the previous modification were not successfully applied, unless the failure was solely due to SAN storage About moving a server profile You can move a server profile to another piece of server hardware; for example, if you are removing one piece of server hardware and replacing it with another that is similar. The move operation enables you to quickly change the hardware destination without rebuilding the entire server profile. If you cannot move a server profile directly to the new server hardware, you can change it to unassigned. This enables you to retain server profiles that are not currently assigned to any server. IMPOTANT: When you move a server profile to a different server, and the profile is managing internal local storage, you must manually move the physical disks from the original server to the new server in order to preserve your data About migrating server profiles Existing server profiles can be assigned to new hardware when hardware is upgraded or added to your environment. For example, when you upgrade server hardware, the server hardware type can change and, as a result, an assigned server profile might no longer match the new hardware configuration. In this case, you can edit the existing server profile to update the server hardware type and not have to recreate a potentially complex server profile from scratch. The ability to edit existing server profiles and change the server hardware type and enclosure group allows you to perform tasks such as: Add or remove a mezzanine card to or from a server Move server hardware from one enclosure to another enclosure with a different configuration Move server profiles to servers with different adapters, different generations of hardware, and different hardware models Move workloads to different servers or enclosure configurations In an existing server profile, click the Change link adjacent to the Server hardware type or Enclosure group settings to change these values. If you change the server hardware type or enclosure group, other settings within a server profile can be affected. For most of the following attributes, settings remain unchanged so long as the selected server hardware type or enclosure group support the existing settings. If the settings do not support the selected server hardware type or enclosure group, the settings are removed. Exceptions are noted as follows. Affinity Firmware Connections Local storage SAN storage Boot settings Unchanged if supported, or removed (if the new configuration is a rack server). Unchanged if supported, or removed. Most settings are unchanged if supported, though ports will be set to Auto. Unsupported settings are removed. Unchanged if supported, or removed. Settings remain unchanged if supported, or storage paths are removed, or all SAN configurations are removed (if the new configuration is a rack server). Settings are always adjusted to support the new configuration Managing server profiles 145

146 BIOS Unchanged if supported, or removed if the profile is migrated to a different server model Working with server profiles to control remove-and-replace behavior In a server profile, the Affinity control sets the remove-and-replace behavior for server blade. If you apply a server profile to a servers and the server is subsequently removed from the device bay, the Affinity setting controls whether the server profile is reapplied when you insert a server into the empty bay. Server profiles for rack servers do not have affinity. Affinity value Device bay Device bay + server hardware Description The server profile you assign to the (empty) device bay is applied to any server you insert into the bay, provided the server hardware type of the inserted server matches the server hardware type specified in the server profile. Device bay affinity is the default. The server profile you assign to the (empty) device bay is not applied if you insert a different server into the bay. The serial number and server hardware type of the inserted server must match the values in the server profile. Affinity between the server profile and the server hardware is established when one of the following conditions is met: The server profile is assigned to server hardware in a device bay. The server profile is assigned to an empty device bay and you subsequently insert a server with a matching server hardware type into the bay. Editing a server profile resets its server hardware affinity. If you assign the server profile to a populated device bay, the server hardware in the bay becomes associated with the profile. If the server profile is unassigned or assigned to an empty device bay, any current association is cleared About assigning a server profile to an empty device bay You can assign a server profile to an empty bay. The server profile is applied automatically to the server hardware when the server is inserted into the bay and meets the following criteria: The enclosure bay is not assigned by another server profile (for example, you cannot assign a profile to bay 9 if a profile for a full-height server hardware type is assigned to bay 1). This is checked when the profile is assigned. The server hardware type of the hardware matches the server hardware type specified in the server profile. When you create the server profile, select Device bay or Device bay + server hardware affinity. If you select the affinity Device bay + server hardware for an empty bay, the UUID is set when a matching server hardware type is inserted into the bay About server profile connections The maximum number of connections supported by a profile is dependent on the total number of virtual ports defined by the server hardware type and enclosure group associated with the profile. The total number of virtual ports is determined by multiplying the number of virtual ports per FlexFabric adapter by the number of FlexFabric adapters defined by the server hardware type. The maximum number of connections is 50 or the total number of virtual ports (plus two for unassigned connections), whichever is greater. Supported software iscsi boot configurations You can use HPE OneView to select an iscsi software boot target. The following parameters are supported: 146 Managing server hardware, server profiles, and server profile templates

147 ipv4 Static IP (DHCP is not supported) Bootable Ethernet connection using iscsi software can only be on the first virtual function of the physical port NOTE: HPE OneView does not automatically discover iscsi configuration parameters About server profile connections and changing server hardware types When changing the server hardware type on a server profile with deployed connections, the new server hardware type must define enough ports to allow automatic port assignment of all currently deployed connections. If the new server hardware type does not have sufficient port capacity, automatic port assignment fails when applied to a server and results in the failure of the profile edit operation. To avoid this condition, do one of the following: Delete connections so that the remaining number can be automatically assigned. Edit the connections and set the port assignment to None so that those connections are not deployed About server profiles and operating system deployment Server profile OS Deployment settings control operating system installation and configuration. The deployment plan that you select defines the settings that display. The OS deployment plan specifies: The operating system image to deploy. The image can be a hypervisor or can include application software. The deployment settings to configure the operating system image with the user specified settings The settings do not specify the boot configuration, but with the deployment plan selection, the boot mode in the server profile is set to UEFI Optimized. The OS deployment plan, OS volume, and deployment settings will display in the UI. OS deployment plan A hyperlink to the deployment plan in the Image Streamer graphical user interface. Displays not set if OS deployment settings are not specified for the server profile. You can specify an OS deployment plan on the server profile only if the enclosure group has OS deployment configured, else a static message displays indicating that deployment is not supported. OS volume Deployment settings An OS volume is created as a result of an OS deployment when the server profile is applied on server hardware with a deployment plan. The server boots from this volume on power cycle. If the server profile has no assigned server hardware, pending assignment displays. OS volume is a hyperlink to the volume in the Image Streamer graphical user interface. Deployment settings (deployment plan attributes and their configured values) for the selected deployment plan. Each OS deployment plan is unique and contains deployment settings appropriate for that individual deployment plan. This can be empty if a deployment plan does not define any attributes Managing server profiles 147

148 A deployment plan indicates the operating system software to be installed and method for configuration. When you select a deployment plan, the deployment plan attributes configured with default values display as deployment settings. You can examine current values and provide new values for the deployment settings in the server profile. Changing the selected deployment plan or settings values results in Image Streamer redeploying an OS boot volume for the server configured. edeployment deletes the current OS volume and creates a new volume as a result of deployment. When a deployment plan is selected, two connections to the OS deployment network are automatically added in the UI and are used for booting from the OS volume. The port for the primary boot is set to the first 1:a adapter. The port for the secondary boot is set to the first 2:a adapter. The boot mode is automatically configured to UEFI optimized. For a server to access and boot from the new OS volume, the following iscsi configuration tasks occur automatically: The server is configured for iscsi boot using UEFI software. IP addresses are allocated from the deployment network IP pool and the network adapter on the server is configured. The iscsi initiator and target names are generated and configured on server hardware and volume. NOTE: Some server profile operations require operating system redeployment due to assignment to server hardware or the server's ability to access the OS volume.. See the HPE Synergy Image Streamer documentation at for more information. When a deployment plan is removed from a server profile, or the deployment plan is changed, the existing OS volume is deleted and the OS image is redeployed. The boot configuration is updated for the new OS volume. OS volumes and replacing server hardware If an OS volume is associated with a server profile and assigned to specific hardware, and then the hardware is replaced, the OS volume is retained when: The hardware is replaced with the same model, and if the affinity is set to Device bay and server hardware. The hardware is replaced with the same or different model, and if the affinity is set to Device bay. When the hardware is powered on, it can boot from the associated OS volume. estoring Image Streamer artifacts and server profiles If you restore an Image Streamer deployment server or the Synergy Composer from a backup, the OS deployment plan used by a server profile can be missing or might have changed. In this case, you can select a new deployment plan. estoring the Image Streamer deployment server reattaches the server profile to the server OS volume, if that OS volume is still present in the Image Streamer appliance. If the deployment plan has changed, redeploy the OS volume using the changed deployment plan by editing the server profile and configuring the deployment settings with new or updated values. If settings did not change, remove and add back the deployment plan and settings on the server profile. NOTE: You cannot edit or remove a deployment plan in use in a server profile. 148 Managing server hardware, server profiles, and server profile templates

149 If the deployment plan becomes missing due to Image Streamer failure, replacement, or restore from backup, a critical alert is created for the server profile indicating that the deployment plan associated with the server profile no longer exists. Server profile templates and OS deployment OS deployment settings are not specified in a server profile template. If a server profile template is used and an associated server profile has OS deployment configured, two network connections are automatically added in the server profile. The new connections cause the server profile template and server profile to become inconsistent. Avoid the inconsistency notifications by defining the needed connections in the server profile template. If the server profile template is configured for non UEFI boot mode and the server profile boot mode is set to UEFI optimized, the profile becomes inconsistent. Avoid the inconsistency notifications by setting the server profile template boot mode to UEFI optimized About server profiles and local storage You can manage local storage on server hardware using server profiles. Logical drives and unique identifiers (page 149) About AID level and controller (page 150) AID levels and number of physical drives (page 150) About local storage and integrated storage controllers (page 150) About local storage and mezzanine storage controllers (page 151) NOTE: HPE OneView does not erase data from physical drives when the server profile that specifies the drives is deleted or unassigned. It might be possible to access the data, so if you want to ensure the data is inaccessible, erase all sensitive data before you delete the server profile or the local storage configuration. IMPOTANT: Before deleting a profile with local storage settings, back up any important data. Logical JBODs and logical drives on mezzanine controllers are deleted when the profile is deleted and their data will not be recoverable. It is also recommended that you create a backup of the HPE OneView appliance before deleting such profiles as a way to recover access to the physical drives if the profile is deleted accidentally Logical drives and unique identifiers If you configure new logical drives in your server profile or import the existing logical drives from the server hardware, HPE OneView stores a unique identifier for each logical drive in the server profile configuration when the server profile is applied. On subsequent server profile apply operations, HPE OneView checks for the existence of the identifier on the physical drives of the assigned server hardware. If the identifier is missing, the apply operation fails in order to ensure that if the server profile is re-assigned to new server hardware, the physical drives are inserted correctly. HPE OneView erases the current identifier in a server profile apply operation if any of the following conditions exist: e-initialize internal storage is selected. The Logical drive has been deleted from the server profile. The storage controller is set to managed manually Managing server profiles 149

150 About AID level and controller You can use AID to define logical drives or HBA to present drives directly to the controller. The AID levels which the controller can support are defined in the specifications of each controller. You must check the specifications of each controller to verify which AID levels the controller supports. Supported AID levels depend on the server hardware type and on the physical server configuration. Ensure you have enough physical drives present for the selected AID level. NOTE: Although AID 50 and AID 60 are supported by some controllers, they are not supported by HPE OneView. To use AID 50 or AID 60, set the controller to manage manually in HPE OneView. More information AID levels and number of physical drives (page 150) AID levels and number of physical drives See the HPE OneView Support Matrix for HPE Synergy for information on the number of drives supported by specific server hardware. AID 0 Minimum of 1 drive, increments of 1. AID 1 equires 2 drives. AID 10 equires 4 drives, increments of 2. AID 1 ADM equires 3 drives. AID 5 Minimum of 3 drives, increments of 1. AID 6 Minimum of 4 drives, increments of About local storage and integrated storage controllers HPE OneView is not aware of existing local storage configuration in the integrated storage controller unless you import the local storage when applying a server profile to the server hardware. The import option is not a guarantee that no data will be lost. For example, if the server is currently in HBA mode, you must change it to AID mode before it can be imported, and that change in controller mode can cause data loss. Once you create a logical drive and apply it to server hardware, that logical drive can no longer be modified. While deleting or unassigning a server profile does not directly delete local storage data from the server hardware, data can be lost if a server profile that contains changes to the local storage configuration is applied to the server hardware in the future. The table below describes how to preserve your data when making profile or hardware changes. 150 Managing server hardware, server profiles, and server profile templates

151 Table 8 Make a change to server hardware/server profile and preserve integrated local storage data Change in server hardware Move server profile from one server hardware to another Assign a server profile to server hardware that has local storage configured Procedure Move physical drives to new server hardware 1. Unassign server profile from the current server hardware. 2. Physically remove the local storage drives from the server hardware. 3. Insert the local drives into new server hardware. 4. Do not select e-initialize internal storage when you apply the server profile to the new server hardware. A. Import existing drives and data 1. Delete or unassign the current server profile. 2. Select Import existing logical drives when applying the new server profile. B. Back up and copy data 1. Back up data. 2. Delete or unassign the server profile. 3. Select e-initialize internal storage when applying the new server profile. 4. Copy the backed-up data to the new logical drive on the server hardware. esult The appliance verifies that the physical drives have been inserted correctly by validating the saved unique identifier. The unique identifier is preserved. The existing logical drives and data are imported. A new logical drive is created with a new unique identifier. The backed-up data is copied to the new logical drive About local storage and mezzanine storage controllers Logical drives on a mezzanine storage controller are backed by a SAS logical JBOD. Once the logical drive gets instantiated (that is, not pending), you can view the details of the associated SAS logical JBOD on the Logical Interconnects screen. Effects of changing the mezzanine storage controller mode Changing between HBA and AID causes all logical drives or logical JBODs to be deleted from the controller. Changing from managed manually to HBA or AID causes all logical drives or logical JBODs to be deleted from the controller. Changing from HBA or AID to managed manually results in logical drives or logical JBODs already configured on the controller to remain attached to the storage controller with no data loss. However, the controller configuration settings and the logical drive tracking data are discarded from the server profile Managing server profiles 151

152 About attaching SAN volumes to a server profile Volumes are associated with server profiles through volume attachments. Attaching a volume to a server profile gives the server hardware assigned to the server profile access to storage space on a storage system. As you create or edit a server profile, you can attach an existing volume or dynamically create a new volume to attach. Newly created volumes can be marked as permanent so that they continue to exist after they are removed from the profile or if the profile is deleted. Otherwise, a nonpermanent volume is deleted when the server profile is deleted. Properties for attaching a volume can be configured through the server profile. For example, you can enable and disable storage paths from the server to the SAN storage. Storage targets Within a server profile, storage target ports for volume attachment can be assigned automatically or you can manually assign available ports. The target ports that are assigned automatically will belong to same port group. Target ports that you assign manually can belong to the same or different port groups. Port groups are created when you add a storage system to HPE OneView. Existing HPE 3PA volumes On 3PA StoreServ Storage systems, a host sees VLUN allows only a specific host to see a volume and a matched set VLUN allows only a specific host on a specific port to see the volume. To reuse a host sees configuration in HPE OneView when adding an existing 3PA volume to a profile, you must enter the exact LUN value as configured on the 3PA array. In HPE OneView, use the Manual LUN option to add the exact LUN value in the Add Volume dialog. To reuse end-to-end connectivity for the volume, manually specify the following: LUN value (matching the LUN on the 3PA storage system) Target ports Also, to attach (export) a 3PA volume as host sees, all storage paths to that volume must be enabled or disabled together. Some paths cannot be enabled while some are disabled. For more information, download the HPE 3PA StoreServ Storage Concepts Guide from the HPE Storage Information Library Managing server hardware, server profiles, and server profile templates

153 About server profile consistency validation Consistency checking is validating a server profile to ensure that it matches the configuration of its parent server profile template. The appliance monitors both the server profile and server profile template, compares the two, and checks the following for consistency. Profile section General Firmware Connections Local Storage SAN Storage Consistency checking Server hardware type Enclosure group Affinity NOTE: Server hardware type and enclosure group inconsistencies must be fixed manually; that is, you must edit the profile and change the hardware type and enclosure group to match the template. If firmware is not managed by a server profile template, then a firmware server profile configuration is not validated for consistency. Otherwise, the following configurations are validated for consistency. Firmware baseline Installation method NOTE: Forcibly installed firmware is compared only if the firmware baseline is inconsistent. Otherwise, forcibly installed firmware is not checked for consistency. Connections are compared to identify if extra or missing connections are present. For similar connections, the following attributes are checked for differences. Port Network equested bandwidth equested virtual functions (Ethernet) Connection boot settings NOTE: Extra connections in the server profile with port id None are not considered inconsistent. If local storage is not managed by server profile template, then local storage server profile configuration is not validated for consistency. Otherwise, the following configurations are validated for consistency. Controller mode Logical drives NOTE: Inconsistencies in local storage are not fixed automatically by Update from Template. They must be fixed manually. If SAN storage is not managed by server profile template, then SAN storage server profile configuration is not validated for consistency. Otherwise, for volumes with sharing type private, the profile requires the same number of private volumes as defined in the server profile template from the same storage pools, and that LUN numbers remain consistent. Any differences in the number of private volumes, their storage pool, or a LUN number will be flagged as an inconsistency. For volumes with sharing type shared,the profile must be attached to all the shared volumes associated to the server profile template with matching LUN numbers and storage paths to remain consistent. Additional shared volumes can be attached without causing a consistency state. The Host OS type designated in a profile must match the server profile template to remain compliant. NOTE: Extra attachments in the server profile do not cause inconsistency Managing server profiles 153

154 Profile section Boot Settings BIOS Settings Advanced Consistency checking If Boot settings are not managed by server profile template, then server profile configuration for boot settings is not validated for consistency. Otherwise, all configurations must match the server profile template. If BIOS settings are not managed by server profile template, then BIOS server profile configuration is not validated for consistency. Otherwise, all configuration must match the server profile template. Hide unused FlexNICs instruction must match the server profile template. If configurations match, the server profile Consistency state field is set to Consistent and is considered to be compliant. Any inconsistency results in an alert for the server profile and the Consistency state field is set to Inconsistent with template Virtual functions Virtual functions allow for sharing I/O devices by allocating a logical I/O hardware device to a virtual machine (VM). Virtual functions provide a mechanism by which a single Ethernet port can appear to be multiple separate physical devices, each containing the resources necessary for I/O operations. Single root, I/O virtualization (S-IOV)-capable devices provide configurable numbers of independent virtual functions, each with its own configuration space. You can assign one or more virtual functions to a virtual machine. Single networks, network sets, tunneled networks, and untagged networks are supported as virtualized functions. To take advantage of this capability, the server BIOS must support virtual functions and must be configured to enable this feature When to use a server profile A server profile allows you to do the following tasks: Manage the server hardware configuration separately from the actual server hardware. Easily reapply the configuration to the server hardware if the server hardware is serviced or replaced. Define the server configuration before the server hardware installation. Capture significant portions of the server configuration in one place, greatly simplifying and hastening server configuration. Depending on the hardware environment, you can configure many or all the following settings. Firmware (optional): Specify the Service Pack for ProLiant (SPP) version and the installation method to install the firmware and drivers while the server is powered on (the updates are applied over the management network). Specify to install the firmware without drivers regardless of whether the server is powered on or off (the server hardware will be powered on to install the firmware). Supported for Gen9 servers. BIOS settings (optional): Specify the BIOS settings to apply on the selected server hardware. Supported for Gen 9 servers. 154 Managing server hardware, server profiles, and server profile templates

155 Boot Order (optional): Specify the BIOS boot order or UEFI Boot Order to apply on the selected server hardware. Supported for Gen 9 servers. Local Storage configuration (optional): Configure the disk drives directly connected to the integrated Smart Array controlled with a specific AID level to create a logical volume. Configure multiple logical volumes depending on the number of disk drivers supported by the server hardware. Specify the local storage configuration for Gen 9. Connections (required for Virtual Connect): Describe which Ethernet networks and Fibre Channel SANs are accessible by the server hardware. Describe boot configuration options. Virtual Connect allows the MACs and WWNs to be virtualized, so that MACs and WWNs presented to the networks remain constant when the underlying hardware components change. Storage Attachments (requires Virtual Connect): Describes which StoreServ volumes are accessible by the server and supports creation of new StoreServ volumes, which are accessible using Fibre Channel or FCoE. Describes the StoreServ volumes to automate the presentation of the volumes to the server hardware to eliminate the need to manually configure zoning. More information HPE OneView Support Matrix for HPE Synergy HPE OneView Synergy Configuration and Compatibility Guide When to use a server profile template (page 156) 12.3 Managing server profile templates oles A server profile template serves as a structural reference when creating a server profile. All of the configuration constructs of a server profile are present in the server profile template. This template type defines the centralized source for the configuration of firmware, connections, local storage, SAN storage, boot, BIOS, profile affinity, and whether unused FlexNICs are hidden. Minimum required privileges: Infrastructure administrator or Server administrator Tasks for server profile templates The appliance online help provides information about using the UI or the EST APIs to: Create a server profile template. Copy, edit, or delete a server profile template Managing server profile templates 155

156 Update the profile configuration from the server profile template. Update firmware with a server profile template About server profile templates Server profile templates provide a mechanism to store configurations for a server profile. Typically, you capture best-practice configurations in a server profile template, and then create and deploy server profiles About creating a server profile template You can create one or more templates to store the configurations for all the settings of a server profile. When you create a server profile template, you can specify the server hardware type and the enclosure group. You cannot change the server hardware type and the enclosure group after creating the template. All profiles generated from the same template will have the same server hardware type and enclosure group. The connections are always mapped to ports; that is, a saved server profile template will never have connections with Port=Auto. You cannot configure connections with Port=None. You cannot add an existing private volume. For more information about creating a server profile template, see the online help Server Profile Template screen details About editing a server profile template Edit a server profile template to change the settings associated with that template. You can edit a server profile template any time after it has been created. You can also edit a server profile template that has an Error condition to make corrections. When you edit a server profile template, the appliance analyzes the changes and updates the template configuration. Then, all the server profiles created from the template are evaluated for compliance and a notification is given indicating the number of profiles that will be affected by the change. The profiles are marked as non-compliant. You can use Update from template option in Server Profiles to accept all the changes from the template. NOTE: Server hardware must be powered off to update from template, unless the changes that are made can be made online such as networks and network bandwidth. When you edit a server profile template, consider the following: Server profile template names must be unique. You cannot switch between virtual and physical identifiers for the following: Serial number/uuid MAC address WWN When to use a server profile template A server profile template allows you to do the following tasks: Manage the server hardware configuration separately from the actual server hardware. Easily reapply the configuration to the server hardware if the server hardware is serviced or replaced. Define the server configuration prior to the server hardware installation. Capture significant portions of the server configuration in one place, greatly simplifying and hastening server configuration. 156 Managing server hardware, server profiles, and server profile templates

157 Depending on the hardware environment, you can configure many or all of the server profile settings. Server profile templates are useful as you can: Manage many server profiles with the same configuration. Easily generate new server profiles from the template. Control configuration changes for multiple servers at once. HPE OneView checks compliance in all the server profiles that are referenced to the template. Automatically resolve the compliance issues using the Update from Template action. The server profile configuration is adjusted to match the server profile template. More information HPE OneView Synergy Configuration and Compatibility Guide 12.4 Learning more Understanding the resource model (page 39) About enclosures or Synergy frames (page 196) Managing licenses (page 161) Troubleshooting server hardware (page 379) Troubleshooting server profiles (page 382) 12.4 Learning more 157

158 158

159 13 Managing fabrics This chapter provides information on the creation of a fabric and what resources are associated with it. In addition to the resources, a fabric contains the reserved VLAN pool range. UI screens and EST API resources UI screen EST API resource fabrics 13.1 oles Minimum required privileges: Network administrator 13.2 About fabrics A fabric provides a common model and consistent state representation for both layer 2 and layer 3 network configurations and deployed network services associated with a physical network. The set of available networks in a domain are consistent among the networks, interconnect modules, and logical switches, when all are part of the same fabric. Creating and deleting a fabric A fabric is created and assigned a default name when a domain is created. A fabric is deleted when the domain is deleted. Only a single, default fabric is created for each domain. Multiple fabrics associated with one domain are not supported. Associating resources with fabrics The following resources are associated with a fabric: Networks Logical Interconnects Logical Interconnect Groups eserved VLAN pool When you create a resource, the resource is associated with a fabric. When you delete a resource, the association to the fabric is deleted About reserved VLAN pools A reserved VLAN pool is a range of VLANs used for allocation of non-tagged networks: Tunnel Untagged Tagged networks and FCoE networks use VLANs outside of the reserved pool. You cannot use a reserved VLAN for tagged or FCoE networks. The VLAN pool allows the number of available VLANs to be segregated between tagged and non-tagged networks. Because non-tagged networks use VLANs for internal translation resources, a reserved VLAN pool can provide a sufficient number of VLANs available for allocation of those internal VLANs. In addition, the reserved pool range removes the need for translation resources to be used on tagged networks. For the total number of VLANs allowed, see the HPE OneView 3.0 Support Matrix for HPE Synergy or the HPE OneView Synergy Configuration and Compatibility Guide oles 159

160 Creating and managing a reserved VLAN pool A reserved VLAN pool is unique within a fabric, but independently allocated within each logical interconnect. The reserved range is identical across all logical interconnects within a fabric. The remaining VLANs (outside of the pool) are shared among all the logical interconnects within the fabric. For HPE OneView running embedded on a HPE Synergy Frame, the default range starts at 3967 and the size is 128. The minimum size of the pool must be 50 VLANs to ensure the pool is not exhausted. The size of the pool cannot exceed 128 VLANs. To change the default range or the size of the VLAN pool, see Update a VLAN pool range in the EST API online help. 160 Managing fabrics

161 14 Managing licenses You manage licenses from the Settings screen or by using the EST APIs UI screens and EST API resources UI screen Settings EST API resource licenses 14.2 oles Minimum required privileges: Infrastructure administrator 14.3 Tasks for licenses The appliance online help provides information about using the UI or the EST APIs to: Add a license key to the appliance license pool. View licensing status information through license graphs About licensing License types (page 161) Purchasing or obtaining licenses (page 162) License delivery (page 163) License reporting (page 163) License types Interconnect licenses Synergy 8Gb FC Upgrade license The Synergy 8Gb FC Upgrade license is required for the following interconnects in order for them to use Fibre Channel uplinks. HPE Synergy 40Gb F8 Switch Module HPE Virtual Connect SE 40Gb Module for HPE Synergy Server hardware licenses An HPE OneView Advanced license is included with all HPE Synergy server hardware. There are no keys to redeem or manage. For Synergy server hardware, an ilo Advanced license is also included Other licenses EULA The appliance has a EULA (End-User License agreement) that you must accept before using the appliance for the first time. You can view the EULA from the Help sidebar UI screens and EST API resources 161

162 About interconnect licensing Certain interconnects will need an interconnect license assigned to the bay in which they are installed in order to use Fibre Channel uplinks. For unmanaged interconnects, Fibre Channel capabilities are disabled if you do not have sufficient licenses. You can purchase interconnects with licenses already installed, or you can purchase standalone licenses separately and manually add them to the Synergy Composer from the Licenses section of the Settings screen. Interconnect licensing is designed so that you set your licensing intent to the bay that contains the interconnect, not to the interconnect itself. This enables you to swap interconnects of the same model into the bay without making any changes to licensing Licensing for managed interconnects You assign licenses to managed interconnects by creating a Fibre Channel uplink set within the logical interconnect that specifies that interconnect. If you remove an interconnect and then re-insert the same model, a license is automatically re-applied. If you remove an interconnect and insert a different model, the license assigned to the bay is not automatically re-applied. If licenses are available, they are automatically assigned to interconnect bays that contain managed interconnects. When you physically remove a managed interconnect, the license remains assigned to the interconnect bay. When you remove the last remaining Fibre Channel uplink set from a managed interconnect, the interconnect bay license is released back to the license pool Licensing for unmanaged interconnects You assign licenses to unmanaged interconnects through the UI by specifying the licensing intent for the interconnect from the Logical Enclosures+Edit dialog under Interconnect Bay Licensing If you remove an interconnect and then re-insert the same model, a license is automatically re-applied. If you remove an interconnect and insert a different model, the license assigned to the bay is not automatically re-applied. When you insert an unmanaged interconnect and the bay has no licensing intent (license setting specified in the logical enclosure), the intent defaults to No. When you physically remove an unmanaged interconnect, the license is released back to the license pool Purchasing or obtaining licenses Purchasing factory-integrated (embedded) software and hardware provides the best licensing experience because the license is delivered on the hardware and HPE OneView automatically adds the licenses to the license pool on discovery of the hardware. If you purchase nonintegrated licenses, you must activate and register the licenses using the Hewlett Packard Enterprise licensing portal at My HPE Licensing. After you register your licenses, you add the license keys to the appliance. More information License types (page 161) 162 Managing licenses

163 License delivery Interconnect licenses License delivery depends on how the license is purchased. The license delivery methods for the Synergy 8Gb FC Upgrade license are: Embedded on an interconnect. All interconnect licenses are automatically added to the HPE OneView license pool when the interconnect with the embedded licenses is added to HPE OneView. Standalone license purchased separately from the hardware. You must manually add the license to the HPE OneView license pool. More information About interconnect licensing (page 162) License reporting Basic license reporting indicates whether the appliance has enough licenses for the interconnect bays in your environment. From the Licenses view on the Settings screen, you can view the following: The number of available licenses The number of licensed interconnect bays The number of licenses required for compliance (all interconnect bays licensed) 14.5 Learning more Troubleshooting licenses (page 372) 14.5 Learning more 163

164 164

165 15 Managing networks and network resources This chapter describes configuring and managing networks and network resources for the enclosures and server blades managed by the appliance. NOTE: The network features described in this chapter apply to enclosures and server blades only. The appliance does not monitor or manage the network features and hardware for rack mount servers or for networking equipment outside the enclosures. UI screens and EST API resources UI screen Networks Network Sets EST API resource connection-templates, ethernet-networks, fc-networks and fcoe-networks network-sets 15.1 oles Minimum required privileges: Infrastructure administrator or Network administrator 15.2 Tasks for networks You can manage Fibre Channel, Ethernet, and FCoE networks from the UI Networks screen or by using the EST APIs Tasks for Fibre Channel networks The appliance online help provides information about using the UI or the EST APIs to: Add and delete a Fibre Channel SAN. Edit a Fibre Channel SAN configuration. Associate a network with a managed SAN Tasks for Ethernet networks The appliance online help provides information about using the UI or the EST APIs to: Add, edit (change a network configuration), and delete a network. Add an untagged or tunnel network. Create the management network for Synergy Image Streamer. Create the deployment network for Synergy Image Streamer. Add, edit, and delete a network set oles 165

166 Tasks for FCoE networks The appliance online help provides information about using the UI or the EST APIs to: Add, edit (change a network configuration), and delete a network About networks The HPE Virtual Connect interconnects in enclosures support the following types of data center networks: Fibre Channel for storage networks using fabric-attach (SAN) Fibre Channel (FC) connections. Ethernet for data networks, including tagged, untagged, or tunnel networks. Fibre Channel over Ethernet (FCoE) for storage networks where storage traffic is carried over a dedicated Ethernet VLAN. IMPOTANT: The networking features described in this section apply to enclosures and servers only. The appliance does not monitor or manage the network features and hardware for rack mount servers or networking equipment outside the enclosures. About creating networks Before creating networks, be aware of the networking maximums. See the HPE OneView 3.0 Support Matrix for HPE Synergy or the HPE OneView Synergy Configuration and Compatibility Guide for more information. Before you create a connection in a server profile, you must: Create at least one network Add the network to a logical interconnect group Assign the network to internal networks or an uplink set You can create networks before you add an enclosure, which is known as pre-provisioning. About provisioning networks An Ethernet network is provisioned to an interconnect when the network is associated with an uplink set or internal networks in a logical interconnect. An FC or FCoE network is provisioned to an interconnect when the network is associated with an uplink set in a logical interconnect. An Ethernet and FCoE network must be provisioned to a logical interconnect and be consistent with the logical interconnect group to be deployed in a server profile connection About network sets A network set is a collection of tagged Ethernet networks that form a named group to simplify server profile creation. Network sets are useful in virtual environments where each server profile connection needs to access multiple networks. Use network sets in server profile connections to make all networks on a connection's downlink port available. Network sets define how packets will be delivered to the server when a server Ethernet connection is associated with the network set. Network sets also enable you to define a VLAN trunk and associate it with a server connection. 166 Managing networks and network resources

167 Instead of assigning a single network to a connection in a server profile, you can assign a network set to that connection. Using network sets, you can quickly deploy changes to the network environment to multiple servers. For example, you have 16 servers connected to a network set. To add a new network to all 16 servers, you only need to add it to the network set instead of each server individually. You can create a network set for your production networks and one for your development networks. Network set prerequisites All networks in a network set must be Ethernet networks and must have unique external VLAN IDs. Untagged and tunnel networks are single networks and do not use network sets. All networks in a network set must be configured in the same appliance. A network can be a member of multiple network sets. All networks in a network set must be added to uplink sets or internal networks in the logical interconnect group (and its logical interconnects) in order to be used in server profiles with connections to the logical interconnect. A network set can be empty (contain no networks) or can contain one or more of the networks configured in the logical interconnect group and logical interconnect. Empty network sets enable you to create network sets in the configuration before you create the member networks, or to remove all of the member networks before you add their replacements. However, if a server profile adds a connection to an empty network set, the server cannot connect to any data center networks using that connection. Creating, editing, and deleting network sets When you create or modify a network set, you can designate a network for untagged packets. If you do not designate an untagged network, untagged packets are rejected on the profile connection associated with this network set. Server traffic must be tagged with the VLAN ID of one of the Ethernet networks in the network set. Untagged server traffic is either sent to the untagged network (if an untagged network is defined) or is rejected (if no untagged network is defined). The untagged network can send tagged and untagged traffic between the server and the interconnect simultaneously. When you create or modify a network set, you define the maximum bandwidth and the preferred bandwidth for connections to that network set. A server profile can override the preferred bandwidth but not the maximum bandwidth. When a network is deleted, it is automatically deleted from all network sets to which it belonged. When you delete a network set, the networks that belong to the network set are not affected. However, any servers with a connection to that network set are affected because their connections are defined as being to the network set and not to the individual networks. Because the network set is no longer available, the network traffic to and from that server through that connection is stopped. When you delete a network set, any server profile connections that specified that network set become disconnected. When deleting networks in a network set, if all in-use networks are removed from the network set, all assigned profiles using this network set are in error and the server profile connections lose connectivity. To avoid connectivity loss, either leave at least one network in the network set or disassociate the network set from all server profiles About network sets 167

168 15.5 About Fibre Channel networks You can use Fibre Channel networks to connect to storage systems. Fibre Channel network types (page 168) Fabric-attach Fibre Channel networks (page 168) Fibre Channel network types The Virtual Connect interconnects in enclosures support the following type of Fibre Channel networks when connecting to storage systems: Fabric-attach networks The enclosure interconnects connect to data center SAN fabric switches Fabric-attach Fibre Channel networks SAN infrastructures typically use a Fibre Channel switching solution involving several SAN switches that implement NPIV (N-Port ID Virtualization) technology. NPIV uses N-ports and F-ports to build a Fibre Channel SAN fabric. NPIV enables multiple N_Ports to connect to a switch through a single F_Port, so that a server can share a single physical port with other servers, but access only its associated storage on the SAN. When you configure a fabric-attach Fibre Channel network, the port you choose for the uplink from the enclosure interconnect to the storage SAN must support NPIV (N_Port ID Virtualization) Direct-attach Fibre Channel networks NOTE: Connecting servers directly to an HPE 3PA Storage system using direct-attach Fibre Channel networks is not supported for Synergy frames About Ethernet networks You use Ethernet networks as data networks. You can create the following types of Ethernet networks: Tagged Untagged Tunnel About tagged Ethernet networks A tagged network uses virtual LANs (VLANs), allowing multiple networks to use the same physical connections. By sharing physical uplinks, you can separate traffic streams from different servers using the same set of uplinks. Tagged Ethernet networks that are connected to enclosure interconnects require a VLAN ID. Each network name in the appliance must be unique. Tagged Ethernet networks and network sets You can assign multiple tagged Ethernet networks to a named group called a network set. Later, when you add a connection in a server profile, you can select this network set to enable multiple networks to be selected for that single connection. Any change made to a network set is applied to all server profiles using the network set. 168 Managing networks and network resources

169 About untagged Ethernet networks An untagged network is a single dedicated network without a VLAN tag, used to pass traffic without VLAN tags. Any tagged packets are dropped. Forwarding is done by MAC address. You might want to configure an untagged network for iscsi storage traffic or set up networks without configuring VLANs About tunnel Ethernet networks A tunnel network is a single dedicated network with a dedicated set of uplink ports used to pass a group of VLANs without changing the VLAN tags. You can have a tunnel network with a maximum of 4094 VLANs About Smart Link Smart Link enables the server software to detect and respond to a loss of network connectivity on the interconnect uplink ports. With Smart Link enabled, the Virtual Connect interconnects will drop the Ethernet link on all server connections associated with the network if all uplink ports within an uplink set lose their connection to the data center switches. Smart Link causes the operating system to detect a failure and direct traffic to an alternate path. Smart Link can be helpful when using certain server network teaming (bonding) policies About the HPE Image Streamer management network The Image Streamer management network connects the Image Streamer and Synergy Composer appliances to support managing the OS deployment server from HPE OneView. The management network must have the same subnet, gateway, and DNS server configurations as HPE OneView. The management network must be defined in HPE OneView as a tagged network and must have an IP pool large enough to support configuration of all the Image Streamer appliances. Do not use the management network for any other purpose. IMPOTANT: The Image Streamer management network must be configured properly for Image Streamer to operate correctly. Otherwise, the misconfigured OS deployment server must be deleted and recreated. Image Streamer management network must be tagged to permit connection between the management network and interconnects. Tagging the Image Streamer management network will not change the HPE Synergy Frame Link Module MGMT port configuration. Access to HPE OneView and Image Streamer through MGMT ports will continue to be untagged. Do not change the HPE OneView network settings because HPE OneView will lose the ability to manage the Image Streamer deployment server. If the HPE OneView network settings must be changed, the deployment server must be deleted and recreated. HPE Synergy Image Streamer online help at About Fibre Channel over Ethernet (FCoE) networks FCoE networks are a combination of both Ethernet and Fibre Channel technology and are used when storage traffic is carried over a dedicated Ethernet VLAN. Like a tagged Ethernet network, FCoE networks use VLANs to allow multiple networks to use the same physical connection. See the HPE OneView 3.0 Support Matrix for HPE Synergy or the HPE OneView Synergy Configuration and Compatibility Guide for the number of FCoE networks that can be assigned to a single interconnect and for a single logical interconnect or logical interconnect group. Like FC traffic, FCoE traffic does not cross stacking links. FCoE networks lower cost through: 15.7 About the HPE Image Streamer management network 169

170 Cable consolidation eduction in the number of SAN fabric switches Adapter and interconnect consolidation FCoE network requirements Assigned VLAN ID, from 2 to 4094 Ethernet uplink set Uplink ports are FCoE-capable and come from a single FCoE-capable interconnect module 15.9 Data center switch port requirements Although you can configure an uplink set to receive incoming network traffic as untagged by designating a network in that uplink set as Native, traffic egressing the uplink set is always VLAN tagged (except for untagged uplink sets). The switch ports for data center network switches that connect to the Virtual Connect interconnects must be configured as follows: Spanning tree edge (because the Virtual Connect interconnects appear to the switch as access devices instead of switches). VLAN trunk ports (tagging) to support the VLAN IDs included in the uplink set that connects to the switch port. For example, if you configure an uplink set, produs, that includes the production networks prod 1101 through prod 1104 to use the Q ports of the interconnects in bay 1 and bay 2 of Enclosure 1, then the data center switch ports that connect to those Q ports must be configured to support VLAN IDs 1101, 1102, 1103, and If multiple uplinks in an uplink set connect the same logical interconnect to the same data center switch, you must configure the data center switch ports for LACP (Link Aggregation Control Protocol) in the same LAG (Link Aggregation Group) to ensure that all the uplinks in the uplink set are active. Set the frequency of control messages: short every 1 second with a 3 second timeout; or long every 30 seconds with a 90 second timeout Learning more Understanding the resource model (page 39) Managing interconnects, logical interconnects, and logical interconnect groups (page 171) Troubleshooting networks (page 378) 170 Managing networks and network resources

171 16 Managing interconnects, logical interconnects, and logical interconnect groups A logical interconnect group acts as a recipe for creating a logical interconnect representing the available networks, uplink sets, stacking links, and interconnect settings for a set of physical interconnects in a single enclosure. UI screens and EST API resources UI screen Interconnects Logical Interconnects Logical Interconnect Groups EST API resource interconnects logical-interconnects logical-interconnect-groups 16.1 Managing enclosure interconnect hardware oles When you add an enclosure, any interconnects in the enclosure are also added to the management domain, and they remain in the domain as long as the enclosure is part of the domain. You can manage enclosure interconnect hardware from the UI Interconnects screen or by using the EST APIs. Minimum required privileges: Infrastructure administrator or Network administrator Tasks for interconnects The appliance online help provides information about using the UI or the EST APIs to: Add or replace a physical interconnect. Clear port counters. Enable or disable uplink ports or downlink ports. eapply an interconnect configuration. eset loop protection. View data transfer statistics for uplink and downlink ports. Power on or off an interconnect in a HPE Synergy Frame. eset an interconnect in a HPE Synergy Frame. Power on or off an interconnect UID light in a HPE Synergy Frame About interconnects Interconnects enable communication between the server hardware in the enclosure and the data center networks About managed and monitored interconnects Interconnects are added automatically when the enclosure that contains them is added to the appliance. Managed HPE OneView manages the interconnects enabling you to apply configurations, collect statistics, and alert users to specific conditions Managing enclosure interconnect hardware 171

172 Monitored HPE OneView monitors hardware for inventory and hardware status only. Monitored interconnects are not associated with firmware baselines or logical interconnects. By default, newly added interconnects have their firmware in an unset state. Managed interconnects Managed interconnects are an integral part of an enclosure, and each managed interconnect is a member of a logical interconnect. Each logical interconnect is associated with a logical interconnect group, which is associated with an enclosure group. For more information about logical interconnects, see About logical interconnects (page 174). For information about the relationship that enclosures and enclosure groups have with interconnects, logical interconnects, and logical interconnect groups, see. You can update managed interconnect firmware using an SPP (Service Pack for ProLiant) About unmanaged and unsupported interconnects Unmanaged interconnects If you create a logical enclosure in which the interconnects installed in the enclosure do not match the associated logical interconnect group, each interconnect reports its state as unmanaged. An interconnect can be the expected type, but if the firmware is out of date it is listed as unmanaged. The physical interconnect configuration in the enclosure must match the logical interconnect group associated with the logical enclosure before an interconnect can be managed. HPE OneView allows you to monitor unmanaged interconnects and perform common actions such as power on, power off, or reset, as well as turn the UID light on or off. You can also assign an IP address for the enclosure group or use DHCP, and assign a Fibre Channel license for use with uplink ports. For interconnects not directly managed by HPE OneView, some support an embedded management interface. When available, you can launch that management console using the link provided. NOTE: When using the system console, accessing an interconnect s remote management interface is not supported. The interconnect s management UL will be displayed as text, and not as a link. If required, you can access the interconnect s serial (command line) interface when on the console. Unsupported interconnects Unsupported hardware is hardware that the appliance cannot manage. If you create a logical enclosure in which the interconnects installed in the enclosure do not match anything that is supported, each interconnect reports its state as unsupported FIP snooping Fibre Channel over Ethernet (FCoE) is used to transport Fibre Channel (FC) storage data over a dedicated Ethernet cable. FCoE Initialization Protocol (FIP) handles the FC discovery and login process for FCoE networks. FIP uses a Fibre Channel Forwarder (FCF), which is an Ethernet switch capable of handling FCoE. An FCF is like a Fibre Channel switch that has Ethernet ports. FIP provides an Ethernet MAC address used by FCoE to traverse the Ethernet network. FIP obtains the Fibre Channel ID (FC ID) from the Ethernet network, which is required on the Fibre Channel network. FIP snooping provides statistical data that can be used to monitor, verify, or troubleshoot connectivity. 172 Managing interconnects, logical interconnects, and logical interconnect groups

173 For a list of interconnects where FIP snooping is supported, see the appropriate support or compatibility matrix on the Hewlett Packard Enterprise Information Library. More information Additional uplink port details in the online help. Additional downlink port details in the online help Connectivity and synchronization with the appliance The appliance analyzes the health status of interconnects and issues alerts when there is a change in status of an interconnect or port. The appliance maintains the configuration that you specify on the interconnects that it manages. The appliance also tracks the connectivity status of interconnects. If the appliance loses connectivity with an interconnect, an alert is displayed until connectivity is restored. The appliance attempts to resolve connectivity issues and clear the alert. If it cannot, you have to resolve the issues and manually refresh the interconnect to synchronize it with the appliance. You can manually refresh the connection between the appliance and an interconnect from the Interconnects screen. See the online help for the Interconnects screen to learn more Learning more Interconnects (page 46) Networking features (page 26) Troubleshooting interconnects (page 371) 16.2 Managing logical interconnects and logical interconnect groups oles A logical interconnect represents the available networks, uplink sets, and stacking links for a set of physical interconnects in a single enclosure. The Logical Interconnects screen provides a graphical view of the logical interconnect configuration in an enclosure. Use this screen or the EST APIs to manage the uplink sets for the logical interconnect. When you add an enclosure, a logical interconnect is created automatically. The logical interconnect group serves as a template to ensure the consistent configuration of all of its logical interconnects. Minimum required privileges: Infrastructure administrator or Network administrator Tasks for logical interconnects The appliance online help provides information about using the UI or the EST APIs to: Add, edit, or delete an uplink set. Change Ethernet settings such as: IGMP (Internet Group Management Protocol) snooping and idle timeout interval. Loop protection. Configure a port to monitor network traffic. Edit internal networks Enable and disable physical ports. Update firmware for the interconnects via the logical interconnects Managing logical interconnects and logical interconnect groups 173

174 Manage SNMP (Simple Network Management Protocol) trap destinations. Manage the frequency of control messages through the LACP timer. eapply the logical interconnect configuration to its physical interconnects. Update the logical interconnect configuration from the logical interconnect group. View and download the MAC address table. Define Quality of Service (QoS) settings for the logical interconnect Tasks for logical interconnect groups The appliance online help provides information about using the UI or the EST APIs to: Create a logical interconnect group Edit a logical interconnect group Delete a logical interconnect group Copy a logical interconnect group esize a logical interconnect group Add or edit an uplink set that supports connections to Image Streamer Define Quality of Service (QoS) settings to apply to the logical interconnect About logical interconnects A logical interconnect is a single administrative entity that consists of the configuration for a set of interconnects in a single enclosure or a frame link topology, and includes: The uplink sets, which connect to data center networks. The mapping of networks to physical uplink ports, which is defined by the uplink sets for a logical interconnect. The internal networks, which are used for server-to-server communications without traffic egressing any uplinks. The downlink ports, which connect through the enclosure midplane to the servers in the enclosure. The connections between interconnects, which are called stacking links. Stacking links are external cables between the external ports of interconnects. See the appropriate support or compatibility matrix on the Hewlett Packard Enterprise Information Library for the maximum number of networks that can be provisioned on a logical interconnect. For a server administrator, a logical interconnect represents the available networks through the interconnect uplinks and the interconnect downlink capabilities through a physical server s interfaces. For a network administrator, a logical interconnect represents an Ethernet stacking configuration, aggregation layer connectivity, stacking topology, network reachability, statistics, and troubleshooting tools About uplink sets An uplink set defines a single, dedicated network or a group of networks and physical ports on a set of interconnects in an enclosure. An uplink set enables you to attach the interconnects to the data center networks. An uplink set enables multiple ports to support port aggregation (multiple ports connected to a single external interconnect) and link failover with a consistent set of VLAN networks. 174 Managing interconnects, logical interconnects, and logical interconnect groups

175 Uplink sets that support connections to Image Streamer in a multi-frame configuration must be assigned the type Image Streamer to correctly configure the associated ports. Image Streamer uplink sets consist of one network and four uplink ports. An uplink set in a single-frame Image Streamer configuration must be assigned the type Ethernet and use one uplink port. For tagged Ethernet networks, an uplink set enables you to identify interconnect uplinks that carry multiple networks over the same cable. For untagged or tunnel Ethernet networks, an uplink set identifies interconnect uplinks that are dedicated to a single network. For Fibre Channel networks, you can add one network to an uplink set. Fibre Channel does not allow virtual networks or VLANs. For Fibre Channel over Ethernet (FCoE) networks, an uplink set enables you to carry multiple Fibre Channel and tagged Ethernet networks over the same set of Ethernet cables. For HPE VC SE 16Gb FC Modules, the total number of ports that you can assign to uplink sets or use as a network analyzer port cannot exceed 12 ports per interconnect. An uplink set is part of a logical interconnect. The initial configuration of the uplink sets for a logical interconnect is determined by the configuration of the uplink sets for the logical interconnect group, but you can change (override) the uplink sets for a specific logical interconnect. Changes you make to the uplink sets for a logical interconnect group are not automatically propagated to existing logical interconnects. For example, to propagate a newly added VLAN to a logical interconnect group uplink set to its existing logical interconnects, you must individually update each logical interconnect configuration from the logical interconnect group. For each logical interconnect: You can define zero or more uplink sets. See networking limits in the HPE OneView 3.0 Support Matrix for HPE Synergy or the HPE OneView Synergy Configuration and Compatibility Guide for the maximum number of supported uplink sets and the maximum network types supported in an uplink set. If you do not define any uplink sets, the servers in the enclosure cannot connect to data center networks. A network can be a member of one uplink set per logical interconnect group only. An uplink set can contain one or more tagged Ethernet networks. An uplink set for an untagged or a tunnel network can only contain that one untagged or tunnel network. An uplink set can contain one or more FCoE networks, but the uplinks must be contained within a single FCoE-capable interconnect. See firmware requirements in About Fibre Channel over Ethernet (FCoE) networks (page 169). Within a logical interconnect group or logical interconnect, all VLAN IDs must be unique across uplink sets and internal networks. Internal networks allow server-to-server connectivity within the logical interconnect. Internal networks are created by adding existing networks to the internal networks set. Internal networks can be added to uplink sets which automatically removes them from the internal networks set. Ethernet networks in an uplink set must be specified individually and cannot be specified by selecting a network set. The use of network sets in uplink sets is not supported for the following reasons: The networking configuration is intended to be managed by users with a role of Network administrator. Because users with a role of Server administrator can create and edit network sets, allowing network sets to be members of uplink sets could result in server 16.2 Managing logical interconnects and logical interconnect groups 175

176 administrators changing the mapping of networks to uplink ports without the knowledge of the network administrator. Because a network can be a member of more than one network set, allowing network sets to be members of uplink sets would make it more difficult to ensure that no single network is a member of more than one uplink set, especially as the network set configurations change over time About defining Image Streamer uplink sets in logical interconnects When you edit an Image Streamer uplink set to support connections to Image Streamer in a multi-frame configuration, you designate four uplink ports. Both MGMT ports for link modules in the same HPE Synergy Frame with an Image Streamer appliance must be connected to uplink ports on different interconnects. In a configuration with two enclosures, cross-connect the four MGMT and four uplink ports for high availability, as outlined in the following table. Enclosure MGMT port Interconnect Uplink port A 1 A 1 A 2 B 1 B 1 A 2 B 2 B 2 An uplink set in a single-frame Image Streamer configuration must be assigned the type Ethernet and one uplink port. More information About uplink sets (page 174) About defining Image Streamer uplink sets in logical interconnect groups (page 184) HPE Synergy Frame Setup and Installation Guide About internal networks An internal network is a network that has no uplink ports and is used for server-to-server communications within a logical interconnect. Servers that communicate with each other over internal networks do so without the traffic egressing any uplinks. Only tagged, untagged, and tunnel Ethernet networks can be members of internal networks. If network connectivity outside of the logical enclosure is required, the network must be in an uplink set associated with an uplink. NOTE: A network is not available for profile connections until it is added to an uplink set or internal networks in a logical interconnect group and the associated logical interconnect. Adding and removing internal networks Each logical interconnect group and logical interconnect has an internal network list which is initially empty. Adding a network to the internal network list in both the logical interconnect group and logical interconnect allows it to be used in server profile connections that can be mapped to downlinks on the interconnects within the logical interconnect. IMPOTANT: Duplicate networks in the internal networks list on more than one logical interconnect can result in the inability for the servers in the enclosure to communicate. 176 Managing interconnects, logical interconnects, and logical interconnect groups

177 You can add or remove internal networks from the Logical Interconnects or Logical Interconnect Groups screen. The internal network configuration created in the logical interconnect group is inherited by associated logical interconnects. A logical interconnect can be made consistent with the parent logical interconnect group by selecting Actions Update from group. Networks in the internal networks list appear as available networks for uplink sets. They are automatically removed from internal networks if they are added to an uplink set. emoving an Ethernet network from an uplink set in a logical interconnect automatically moves it to internal networks so network connectivity is not lost for server profile connections using the network. However, if you remove an Ethernet network from an uplink set in a logical interconnect group, the network does not get moved automatically to the internal networks. If you want the network to be internal, edit the logical interconnect group and add the network to the internal networks About stacking links and stacking health Stacking links Stacking links apply to Ethernet networks only. You can connect all the interconnects to one another through stacking links so that Ethernet traffic from a server connected to an interconnect downlink can reach the data center networks through that interconnect or through a stacking link from that interconnect to another interconnect. Before discovering enclosures, create a single logical interconnect group with a single logical interconnect that contains all interconnects within the enclosure. This creates a fully stacked enclosure. To set up an enclosure that is not stacked, configure multiple logical interconnect groups where each interconnect is in a separate logical interconnect group (and subsequently separate logical interconnects). You can also set up a partially-stacked enclosure where you have more than one interconnect in a logical interconnect group. See About multiple logical interconnect groups in an enclosure group (page 179) for more information. Stacking health The appliance detects the topology within an enclosure of the connections between interconnects, and determines the redundancy of paths between servers and data center networks. The appliance reports redundancy information as the stacking health of the logical interconnect, which is one of the following: edundantly Connected Connected Disconnected Not applicable Creating or deleting a logical interconnect Creating a logical interconnect in an enclosure There are at least two independent paths between any pair of interconnects in the logical interconnect, and there are at least two independent paths from any downlink port on any interconnect in the logical interconnect to any other port (uplink or downlink) in the logical interconnect. There is a single path between any pair of interconnects in the logical interconnect, and there is a single path from any downlink port on any interconnect in the logical interconnect to any other port (uplink or downlink) in the logical interconnect. At least one interconnect is not connected to the other member interconnects in the logical interconnect. Interconnects do not support stacking or there is a single interconnect in the logical interconnect. During discovery, the interconnects and other enclosure hardware are brought into HPE OneView in a Monitored state. To manage the interconnects and other hardware in HPE OneView, the 16.2 Managing logical interconnects and logical interconnect groups 177

178 enclosure must be configured by creating a logical enclosure. When you create the logical enclosure, the following occurs: The appliance detects the physical interconnects and their stacking links, if any. The appliance automatically creates a single logical interconnect for each logical interconnect group defined in the enclosure group. NOTE: The number of logical interconnects that are created depends on how the enclosure group was defined. See Edit a logical interconnect group in the online help. The appliance automatically names the logical interconnects using the following naming convention: logical_enclosure_name-logical_interconnect_group_name The data for the logical interconnects displays on the Logical Interconnects screen. To add or change logical interconnects, see for more information. Deleting a logical interconnect To delete a logical interconnect, you must remove the logical interconnect group from the enclosure group, and then perform an update from group on the logical enclosure. This deletes the logical interconnect from the logical enclosure About logical interconnect groups About the logical interconnect group graphical interface (page 179) About multiple logical interconnect groups in an enclosure group (page 179) About interconnect bay sets (page 180) About redundancy modes (page 180) Valid configurations for enclosure groups with multiple logical interconnect groups (page 181) About copying a logical interconnect group (page 183) About copying and resizing a logical interconnect group (page 183) About uplink sets in a logical interconnect group (page 184) About defining Image Streamer uplink sets in logical interconnect groups (page 184) About Link Layer Discovery Protocol (LLDP) tagging (page 185) One or more logical interconnect groups are associated with an enclosure group and are used to define the logical interconnect configuration for every enclosure that is using that enclosure group. Logical interconnect group configurations include the I/O bay occupancy, uplink sets, available networks based on the uplink sets and internal networks, and downlinks. There are different kinds of logical interconnect groups. A multiple-enclosure logical interconnect group must match the interconnect link topology within the set of linked enclosures. All bays must be properly populated in all enclosures in the interconnect link topology. A multiple-enclosure logical interconnect group must include an HPE VC SE 40Gb F8 Module and HPE Synergy Interconnect Link Module configuration. Single-enclosure logical interconnect groups, such as a Serial Attached SCSI (SAS) logical interconnect group, pertain only to the enclosure in which they are applied. A single-enclosure logical interconnect group can be applied to individual bays in individual enclosures in the interconnect link topology. 178 Managing interconnects, logical interconnects, and logical interconnect groups

179 All references to a logical interconnect group by an enclosure group or logical interconnect must be removed before you can delete the logical interconnect group About the logical interconnect group graphical interface Figure 13 Logical interconnect group screen topography 1 Edit icon: Click to edit the associated object, such as uplink set or internal 3 Add uplink set: Click to add an additional uplink set to the logical interconnect networks, for configuration group. changes. 4 Uplink set connections: 2 Delete icon: Click to Provides a graphical 6 remove the associated representation of the uplink object, such as an uplink set, from the configuration. set configuration with the associated networks and uplink ports. Hovering over the uplink set or uplink ports highlights the configuration connections About multiple logical interconnect groups in an enclosure group 5 Uplink port: The assigned uplink port and its status. Hovering over the port displays additional port information. Enclosure bay number: Identifies the interconnect bay of the enclosure. Multiple logical interconnect groups can be associated with one enclosure group. The advantage of configuring multiple logical interconnect groups to an enclosure group is to create an air-gap separation between Ethernet networks and allow the isolation of network traffic. You must configure multiple logical interconnect groups if you want to use more than one interconnect bay set in an enclosure group. See About interconnect bay sets (page 180) for more information Managing logical interconnects and logical interconnect groups 179

180 Logical interconnect group requirements Interconnects in a logical interconnect group cannot span across interconnect bay sets. Thus, a logical interconnect group can be specified for bays 1 and 4, or 2 and 5, or 3 and 6. Only one HPE Virtual Connect SE 40Gb Module for HPE Synergy for each interconnect bay set side. You must choose a redundancy mode. Once the redundancy mode is set, it cannot be changed. For uplink sets: Only QSFP ports 1 6 are eligible ports QSFP 7 and 8 are reserved for logical interconnect stacking port connectivity When to create a logical interconnect group To utilize the benefits of multiple logical interconnect groups, create multiple groups after all the HPE Synergy frames are discovered and placed in a monitored state. See About multiple logical interconnect groups in an enclosure group (page 179) for more information. Create logical interconnect groups with the interconnects that you want in each logical interconnect. Add the logical interconnect groups to an enclosure group Create a logical enclosure using the enclosure group to bring the HPE Synergy frames under management About interconnect bay sets Interconnects have both a number and a side which are based on the placement of the interconnect bays in the enclosure. The bays are paired for adjacency based on the mezzanine card to which the pair connects. The following table summarizes the relationship between the interconnect bays, interconnect bay set number and side, and mezzanine port. Interconnect Bay Interconnect Bay Set Number Interconnect Bay Set Side M1 M2 M3 M4 M5 Mezzanine ports M6 M7 M8 M9 M10 M11 M A Port 1 Port 1 Port 1 Port A Port 1 Port 1 Port 1 Port A Port 1 Port 1 Port 1 Port B Port 2 Port 2 Port 2 Port B Port 2 Port 2 Port 2 Port B Port 2 Port 2 Port 2 Port About redundancy modes edundancy is used to prevent loss of connectivity in the event of a failure. An interconnect is duplicated so if it fails, a backup interconnect is available. HPE OneView uses the following modes of redundancy. 180 Managing interconnects, logical interconnects, and logical interconnect groups

181 High Availability edundant Non redundant side A Non redundant side B Two interconnects on opposite sides of two enclosures that are both available to all enclosures connected with interconnect link modules. This configuration allows for the loss of any single interconnect or enclosure without affecting connectivity of the remaining enclosures. The same interconnect type on both sides of a single enclosure. This configuration allows for the loss of the interconnect on one side without affecting connectivity of the enclosure. The loss of the interconnects on both sides causes the enclosure to lose connectivity. One interconnect in a single side A bay (1, 2, or 3) in an enclosure that can be connected to other enclosures that have an interconnect link module in the same bay. Loss of any interconnect results in loss of connectivity. One interconnect in a single side B bay (4, 5, or 6) in an enclosure that can be connected to other enclosures that have an interconnect link module in the same bay. Loss of any interconnect results in loss of connectivity Valid configurations for enclosure groups with multiple logical interconnect groups The interconnects must be in a valid configuration before you can select them when creating a logical enclosure. Valid single enclosure configurations edundancy setting edundant Non redundant side A Side A Module HPE VC SE 40Gb F8 Module HPE VC SE 40Gb F8 Module Side B Module HPE VC SE 40Gb F8 Module Empty Modules in side A and side B must occupy the same bay set. Valid multiple enclosure configurations This table shows valid enclosure configurations. For two-enclosure configurations, disregard Enclosure 3 5 entries Managing logical interconnects and logical interconnect groups 181

182 NOTE: With 20Gb HPE Synergy Interconnect Link Modules, you can include up to 3 enclosures. With 10Gb HPE Synergy Interconnect Link Modules, you can include up to 5 enclosures. NOTE: To use HPE Synergy Image Streamer for operating system deployment in a highly available environment, a pair of Synergy Image Streamer appliances is required for each HPE VC SE 40Gb F8 Module and HPE Synergy Interconnect Link Module set of Synergy frames. edundancy setting Enclosure Bay Module High Availability Enclosure 1 3 HPE VC SE 40Gb F8 Module 6 HPE Synergy Interconnect Link Module (10Gb or 20Gb) Enclosure 2 3 HPE Synergy Interconnect Link Module (10Gb or 20Gb) 6 HPE VC SE 40Gb F8 Module Enclosure 3 3 HPE Synergy Interconnect Link Module (10Gb or 20Gb) 6 HPE Synergy Interconnect Link Module (10Gb or 20Gb) Enclosure 4 3 HPE Synergy Interconnect Link Module (10Gb only, if 10Gb in enclosures 1-3) 6 HPE Synergy Interconnect Link Module (10Gb only, if 10Gb in enclosures 1-3) Enclosure 5 3 HPE Synergy Interconnect Link Module (10Gb only, if 10Gb in enclosures 1-3) 6 HPE Synergy Interconnect Link Module (10Gb only, if 10Gb in enclosures 1-3) Non redundant side A Enclosure 1 3 HPE VC SE 40Gb F8 Module Enclosure 2 3 HPE Synergy Interconnect Link Module (10Gb or 20Gb) Enclosure 3 3 HPE Synergy Interconnect Link Module (10Gb or 20Gb) Enclosure 4 3 HPE Synergy Interconnect Link Module (10Gb only, if 10Gb in enclosures 1-3) Enclosure 5 3 HPE Synergy Interconnect Link Module (10Gb only, if 10Gb in enclosures 1-3) Non redundant side B Enclosure 1 6 HPE VC SE 40Gb F8 Module Enclosure 2 6 HPE Synergy Interconnect Link Module (10Gb or 20Gb) Enclosure 3 6 HPE Synergy Interconnect Link Module (10Gb or 20Gb) Enclosure 4 6 HPE Synergy Interconnect Link Module (10Gb only, if 10Gb in enclosures 1-3) Enclosure 5 6 HPE Synergy Interconnect Link Module (10Gb only, if 10Gb in enclosures 1-3) For more information, see the HPE Synergy Configuration and Compatibility Guide at Managing interconnects, logical interconnects, and logical interconnect groups

183 About copying a logical interconnect group To streamline the creation of logical interconnect groups, you can copy existing logical interconnect groups. When you copy a logical interconnect group, all the settings, uplink sets, and networks copy to the new group. The new group is not associated automatically with enclosure groups or logical interconnects. After copying a logical interconnect group, you can edit the logical interconnect group or associate it to an enclosure group. For example, you have an existing logical interconnect group and you want a new group with the same settings, except a different internal network. Copy the existing logical interconnect group, and then edit the new logical interconnect group to change the internal network. NOTE: If you change the number of enclosures, you are copying and resizing the logical interconnect group. More information Copy a logical interconnect group in the online help About copying and resizing a logical interconnect group esizing a logical interconnect group is the same as copying a logical interconnect group in that you create a new logical interconnect group. When you resize, you also grow or shrink the number of HPE Synergy frames in the new logical interconnect group. Copying and resizing a logical interconnect group creates a new logical configuration in HPE OneView. To use the new logical interconnect group, you must associate it to an enclosure group. The enclosure group can then be used to grow a logical enclosure. NOTE: You cannot resize the following logical interconnect groups: A SAS logical interconnect group An HPE VC SE 16Gb FC Module logical interconnect group NOTE: If one or more HPE VC SE 16Gb FC Modules are already associated with the original enclosure group, you can grow the logical enclosure. However, you cannot add any new HPE VC SE 16Gb FC Modules when growing a logical enclosure. Single-frame resizing Growing from one frame to multiple frames HPE OneView changes the redundancy in the new logical interconnect group based on the redundancy of the original logical interconnect group and the number of frames. For example, a Non-redundant (A-side only) grows to the same redundancy. A edundant frame, however, grows to Highly available. When growing to two or three frames, HPE OneView logically adds HPE Synergy 20Gb Interconnect Link Modules. If you prefer to use HPE Synergy 10Gb Interconnect Link Modules, you can edit the logical interconnect group and change the interconnect link modules after the resize. When growing to four or five frames, HPE OneView logically adds HPE Synergy 10Gb Interconnect Link Modules Managing logical interconnects and logical interconnect groups 183

184 Multiframe resizing Growing from two to three frames Growing to four or five frames Shrinking to one frame HPE OneView logically adds the same HPE Synergy Interconnect Link Modules as the original logical interconnect group. HPE OneView logically adds HPE Synergy 10Gb Interconnect Link Modules. If 20Gb interconnect link modules were used in frames one through three, HPE OneView automatically changes the interconnect link modules to 10Gb. Only 10Gb interconnect link modules can be used in four- to five-frame configurations. HPE OneView changes the redundancy in the new logical interconnect group based on the redundancy of the original logical interconnect group. For example, a Non-redundant (A-side only) shrinks to the same redundancy. A Highly available frame, however, shrinks to edundant. All HPE Synergy Interconnect Link Modules are removed. For Highly available or Non-redundant (B-side only)frames, if an HPE Virtual Connect SE 40Gb Module for HPE Synergy is associated with the second frame, HPE OneView logically associates the 40Gb module to the first frame. More information Copy and resize a logical interconnect group in the online help Valid configurations for enclosure groups with multiple logical interconnect groups (page 181) About uplink sets in a logical interconnect group The uplink sets portion of the logical interconnect group defines the initial configuration for uplink sets for each logical interconnect in the enclosure group. If you change the uplink sets for an existing logical interconnect group, only enclosures that you add after the configuration change are configured with the new uplink set configuration. Changing uplink sets in a logical interconnect group makes the logical enclosure and logical interconnects associated with it inconsistent with the logical interconnect group. Select Update from group to bring the logical enclosure and logical interconnect back into compliance with the changes made to the logical interconnect group. Uplink sets that support connections to Image Streamer in a multi-frame configuration must be assigned the type Image Streamer to correctly configure the associated ports. An uplink set in a single-frame Image Streamer configuration must be assigned the type Ethernet and one uplink port About defining Image Streamer uplink sets in logical interconnect groups When you to support connections to Image Streamer in a multi-frame configuration, you designate four uplink ports. Both MGMT ports for link modules in the same HPE Synergy Frame with an Image Streamer appliance must be connected to uplink ports on different interconnects. In a configuration with two enclosures, cross-connect the four MGMT and four uplink ports for high availability, as outlined in the following table. Enclosure MGMT port Interconnect Uplink port A 1 A 1 A 2 B Managing interconnects, logical interconnects, and logical interconnect groups

185 Enclosure MGMT port Interconnect Uplink port B 1 A 2 B 2 B 2 An uplink set in a single-frame Image Streamer configuration must be assigned the type Ethernet and one uplink port. When creating a logical interconnect group with an uplink set for Image Streamer, the edundancy mode is determined by the type of configuration: A multi-frame Image Streamer configuration requires edundant A single-frame Image Streamer configuration requires Non-redundant (A-side only) You cannot delete an Image Streamer uplink set from a logical interconnect group if the logical interconnect group is associated with an enclosure group which has OS deployment configured. More information About uplink sets (page 174) HPE Synergy Frame Setup and Installation Guide HPE Synergy Image Streamer online help at About Link Layer Discovery Protocol (LLDP) tagging Link Layer Discovery Protocol (LLDP) information is sent by devices at a fixed interval in the form of an Ethernet frame. Each frame contains one LLDP Data Unit (LLDPDU). Each LLDPDU is a sequence of type-length-value (TLV) structures. Untagged LLDP frames By default, Virtual Connect interconnects use untagged LLDP frames to advertise their identity and learn about their link partners. LLDP advertises the Virtual Connect interconnect s management IP addresses to uplink, downlink, and stacking link ports. LLDP frames also identify stacking links in a logical interconnect. Only the IPv4 address of the interconnect in the lowest number bay in the logical interconnect is used in the LLDP management address TLV. Make sure that you have assigned IPv4 addresses to the interconnects statically or with DHCP. Tagged LLDP frames LLDP can also be used to communicate with a virtual switch in the hypervisor through the use of tagged LLDP frames on downlink ports. The tagged frame contains the VLAN ID that identifies the subport of the configured FlexNIC. This information is used to build the network topology. LLDP tagging can be enabled or disabled through the HPE OneView UI or EST API. More information Interconnect settings in the online help Enable or disable LLDP tagging in the online help or EST API Scripting help About logical interconnect groups (page 178) About logical interconnects (page 174) About firmware associated with a logical interconnect All components in a logical enclosure must either run the same firmware version or run firmware versions that are compatible to each other. You can select a single Service Pack for ProLiant (SPP) and apply it to all components in an enclosure, therefore minimizing the chance of downtime due to firmware incompatibility. You can also apply an SPP to a logical interconnect, which results 16.2 Managing logical interconnects and logical interconnect groups 185

186 in all associated interconnects having the same firmware baseline. This operation, by default, updates firmware only on those member interconnects that are running a different version of firmware and ignores the interconnects that are running the same firmware version. The firmware version associated with the logical interconnect is automatically updated when an enclosure is added and an SPP is selected for the firmware baseline. Network or traffic disruptions do not occur as long as server profiles have not yet been defined or applied in the new enclosure. However, if manage manually is selected during an enclosure add, the baseline for the interconnects is Not set. If subsequent firmware updates apply to the enclosure only, the baseline is still shown in HPE OneView as Not set. A baseline can be set for logical interconnect firmware update either when adding the enclosure using the Enclosures screen, or when updating the firmware from the Logical Enclosures screen and selecting Enclosure + logical interconnect + server profiles. If a baseline for logical interconnect is never set, the firmware for the enclosure must be managed manually About updating firmware for logical interconnects Firmware activation options allow you to maintain network availability and reduce the probability of outages due to human error. You also have the option of staging the firmware for later activation. You can activate the staged firmware on an individual interconnect or on all interconnects. You have the following options when updating firmware based on the logical interconnect: Option Update firmware (stage + activate) Stage firmware for later activation Activate firmware Description Stages (uploads) the selected firmware to the secondary flash memory on the interconnect, and then activates the firmware as the baseline. At the end of this operation, all member interconnects are running the same firmware baseline and are compliant with one another. This option and parallel activation affects the connectivity to and from the servers until the activation is complete, but does update the firmware in the shortest time. Stages (uploads) the selected firmware to the secondary flash memory on the interconnect, but does not activate the firmware. You can activate the firmware at a later time. This option allows manual sequencing of the firmware activation and is the preferred approach to minimize service interruption. Activates the selected staged firmware. When updating firmware based on the logical interconnect, if one or more interconnects are already running the targeted firmware version, HPE OneView excludes those interconnects from the firmware update About loop protection The loop protection feature enables detection of loops on physical downlink ports. HPE OneView network loop protection uses two methods to detect loops: 1. The interconnect monitors the downlinks for special packets transmitted from upstream devices. 2. The interconnect reviews and intercepts common loop detection frames used in other switches, such as Cisco and ProCurve to prevent loop protection on the upstream switch, where externally generated frames are used to detect a loop condition. When network loop protection is enabled on the Logical Interconnects screen, and a loop detection frame is received on a downlink port, the server is disabled immediately. The interconnect automatically re-enables the downlink port when the loop detection frames are no longer being received on that port. 186 Managing interconnects, logical interconnects, and logical interconnect groups

187 About SNMP settings Network management systems use SNMP (Simple Network Management Protocol) to monitor network-attached devices for conditions that require administrative attention. By configuring settings on the Logical Interconnect Groups and Logical Interconnects screens, you can enable third-party SNMP managers to monitor (read-only) network status information of the interconnects. An SNMP manager typically manages a large number of devices, and each device can have a large number of objects. It is impractical for the manager to poll information from every object on every device. Instead, each SNMP agent on a managed device notifies the manager without solicitation by sending a message known as an event trap. HPE OneView enables you to control the ability of SNMP managers to read values from an interconnect. You can designate the SNMP manager to which traps will be forwarded. By default, SNMP is enabled with no trap destinations set. When you create a logical interconnect, it inherits the SNMP settings from its logical interconnect group. To customize the SNMP settings at the logical interconnect level, use the Logical Interconnects screen or EST APIs About Quality of Service for network traffic Quality of Service (QoS) is a set of service requirements that the network must meet in order to ensure an adequate service level for data transmission. The goal of QoS is a guaranteed delivery system for network traffic. The QoS feature enables administrators to configure traffic queues for different priority network traffic, categorize and prioritize ingress traffic, and adjust priority settings on egress traffic. Administrators can use these settings to ensure that important traffic receives the highest priority handling while less important traffic is handled at a lower priority. Network traffic is categorized, and then classified. After being classified, traffic is given priorities and scheduled for transmission. For end-to-end QoS, all hops along the way must be configured with similar QoS policies of classification and traffic management. Traffic prioritization happens because of two things in an end-to-end QoS policy. At the interconnect, the packets are egressed based on the associated queue bandwidth. The more the bandwidth, the higher the priority for the associated traffic at the queue. Egress dot1p remarking helps achieve priority at the next hops in the network. If the queue egress traffic is remarked to a dot1p value, and that dot1p value is mapped to a queue in the next hops with higher bandwidth, then these packets in the end-to-end network are treated with higher priority. QoS configuration is defined in the logical interconnect group and applied to the logical interconnect. QoS statistics are collected by the interconnects. On HPE Synergy Frames, the QoS configuration option is available only for the HPE VC SE 40Gb F8 Module logical interconnect group type. Consistency state of a logical interconnect with QoS configurations The UI displays only the currently active QoS configuration that is applied on the interconnects. In addition, two inactive QoS configurations are stored for Custom (with FCoE) and Custom (without FCoE) configuration types. These are the last known QoS configurations for the corresponding configuration types, applied previously on the associated logical interconnect and logical interconnect group. While checking for consistency of a logical interconnect to its associated logical interconnect group, the compliance of inactive QoS configurations is also checked (inactive QoS configurations are not visible in the UI). Even if active QoS configurations are exactly the same between a logical interconnect and associated logical interconnect group, because of inconsistencies in inactive 16.2 Managing logical interconnects and logical interconnect groups 187

188 QoS configurations stored internally, a logical interconnect s consistency status can be shown as Inconsistent. Perform an Update from group to bring the logical interconnect group and logical interconnect into a consistent state Add an uplink set Each uplink set must have a unique name within the logical interconnect or logical interconnect group and contain at least one network. For more information about uplink sets, see About logical interconnects (page 174). Prerequisites equired privileges: Infrastructure administrator or Network administrator Adding an uplink set 1. From the main menu, select Logical Interconnects, and then select the logical interconnect to edit. 2. Select Actions Edit. 3. Click the Add uplink set button. 4. Enter the data requested on the screen. See Add or edit uplink sets in Logical Interconnects screen details in the online help for more information. 5. Click Add networks and select the networks to assign to the uplink set. 6. Click Add, or click Add + to add another network. 7. Click Add uplink ports and select the uplink ports. 8. Click Add, or click Add + to add another port. 9. Confirm the information you are entering is correct and click Create. 10. Click OK. 11. Verify that the uplink set was created in the details pane Update firmware for logical interconnects within enclosures To update logical interconnect firmware, choose one of the following options: Update firmware (stage + activate) Stage firmware for later activation Activate firmware NOTE: When a logical interconnect firmware update is in progress, do not initiate a firmware update from the logical enclosure of that logical interconnect Stage and activate firmware for update from logical interconnect To upload the firmware and stage for activation, perform the following steps. To activate firmware that is already staged, see Activate the logical interconnect firmware in the online help. Prerequisites equired privileges: Network administrator, Server administrator (for HPE Synergy 12Gb SAS Connection Modules), or Infrastructure administrator At least one enclosure with two interconnects added and at least one logical interconnect At least one or more supported SPPs uploaded to the appliance Staging and activating firmware for update from logical interconnect 1. From the main menu, select Logical Interconnects. 188 Managing interconnects, logical interconnects, and logical interconnect groups

189 2. From the master pane, select the logical interconnect and then do one of the following: Select Actions Update firmware. Select Update firmware from the Firmware panel. 3. From Update action, select Update firmware (stage + activate). 4. From Firmware baseline, select the firmware bundle to install. 5. Optional: Select Force installation to update firmware on all member interconnects and driver enclosures regardless of whether or not a member already has the updated firmware. To install a firmware version that is older than the version contained in the SPP, you must select the Force installation option to downgrade the firmware. You might want to install older firmware if the newer firmware is known to cause a problem in your environment. 6. Select the firmware activation method and delay for the interconnects on which to activate the firmware. 7. Click OK. 8. Verify the firmware version associated with the logical interconnect and its associated interconnects in the Logical Interconnects page under the Firmware view. NOTE: If the firmware is already at the selected firmware baseline, the firmware is not updated and a message displays in the Activity screen saying no update required Stage firmware for later activation for update from logical interconnect To upload the firmware and stage for activation later, perform the following steps. To activate firmware that was already staged, see Activate the logical interconnect firmware in the online help. Prerequisites equired privileges: Network administrator, Server administrator (for HPE Synergy 12Gb SAS Connection Modules), or Infrastructure administrator At least one enclosure with two interconnects added and at least one logical interconnect At least one or more supported SPPs uploaded to the appliance Staging firmware for later activation for update from logical interconnect 1. From the main menu, select Logical Interconnects. 2. From the master pane, select the logical interconnect and then do one of the following: Select Actions Update firmware. Select Update firmware from the Firmware pane. 3. From Update action, select Stage firmware for later activation. 4. From Firmware baseline, select the firmware bundle to install. 5. Optional: Select Force installation to update firmware on all member interconnects and drive enclosures regardless of whether or not a member already has the updated firmware. To install a firmware version that is older than the version contained in the SPP, you must select the Force installation. You might want to install older firmware if the newer firmware is known to cause a problem in your environment. 6. Click OK. 7. Verify the firmware version associated with the logical interconnect and its associated interconnects in the Logical Interconnects page under the Firmware view. NOTE: If the firmware is already at the selected firmware baseline, the firmware is not updated and a message displays in the Activity screen saying no update required Managing logical interconnects and logical interconnect groups 189

190 Activate the firmware for update from logical interconnect During staging for later activation, the firmware is written (uploaded) into the secondary flash memory of the interconnect but is not activated. You need to activate the staged firmware for it to become the new firmware baseline. A failure while staging the firmware on one or more interconnects automatically ends the firmware update operation. Both the current firmware baseline and the installed or staged firmware versions are displayed for each interconnect on the Logical Interconnects screen. Prerequisites equired privileges: Network administrator, Server administrator (for HPE Synergy 12Gb SAS Connection Modules), or Infrastructure administrator At least one enclosure with two interconnects added and at least one logical interconnect Previously staged firmware Activating the firmware for update from logical interconnect 1. From the main menu, select Logical Interconnects, and then select the logical interconnect to manage its firmware. 2. Select Actions Update firmware. 3. For Update action, select Activate firmware. NOTE: This will interrupt traffic through the module until the activation is complete. 4. Select the firmware activation method and delay for the interconnects on which to activate firmware. 5. Click OK. 6. Check the Activity screen to determine if the firmware update action was completed. 7. To verify that the firmware version was installed after the firmware is activated, select the Firmware view and compare the Installed and Baseline version number Update the logical interconnect configuration from the logical interconnect group Consistency checking is the validation of a logical interconnect to ensure that it matches the configuration of its parent logical interconnect group. The appliance monitors both the logical interconnect and logical interconnect group, comparing the two, and checks the following for consistency: Items Ethernet interconnect settings Uplink Sets Consistency checking Are there differences in the following logical interconnect settings from the expected configuration defined by the logical interconnect group? Enabling IGMP snooping IGMP idle timeout intervals Loop protection Are there differences in port assignments or network associations from the configuration defined by the logical interconnect group? Did you add an uplink set? 190 Managing interconnects, logical interconnects, and logical interconnect groups

191 Items Internal networks Interconnect maps Quality of Service (QoS) settings Consistency checking Are there difference in the network assignments for server-to-server communication from the configuration defined by the logical interconnect group? Is an OS deployment network different from what is defined by the logical interconnect group? NOTE: An OS deployment network is one of the networks connected to interconnect with an uplink set. There could be other networks on the logical interconnect group, such as a management network. Has the logical interconnect group been edited? Have the network service requirements been edited? If both configurations match, the logical interconnect Consistency state field is set to Consistent and is considered to be compliant. Any inconsistency results in an alert for the logical interconnect and the Consistency state field is set to Inconsistent with group. Updating the logical interconnect configuration from the logical interconnect group To bring a non-consistent (Inconsistent with group) logical interconnect configuration back into consistency (Consistent) with the logical interconnect group, you must reapply the settings from the logical interconnect group. NOTE: You can also select Update from group in the logical enclosure because a non-consistent logical interconnect results in a non-consistent logical enclosure. 1. From the Logical Interconnects screen, select Actions Update from group. NOTE: The Update from group option is not available if the logical interconnect group and logical interconnect are already compliant (Consistency state field is set to Consistent). Consistency alerts are cleared automatically and settings now match the logical interconnect group. NOTE: You cannot always make a logical interconnect compliant by editing or by manually clearing the alert; typically you must select Actions Update from group. Clearing an alert will impact the health status of the logical interconnect resource (health is equal to the state of the most severe alert that is not cleared). This is a valid use case if you intend for the logical interconnect to not be consistent but want the dashboard to report a healthy (green) status. 2. Check the confirmation box, confirming you understand all of the implications. 3. Click Yes, update to confirm. 4. To verify that the activity is successful, check the activity for a green status in the Notifications area (page 88) area. If the activity is not successful, follow the instructions in the proposed resolution Create a logical interconnect group Create a logical interconnect group based on the interconnects expected to be in a logical enclosure. If you want to use an existing logical interconnect group as a template, copy the logical interconnect group rather than create a new one Managing logical interconnects and logical interconnect groups 191

192 Prerequisites equired privileges: Network administrator, Server administrator (for HPE Synergy 12Gb SAS Connection Modules), or Infrastructure administrator Creating a logical interconnect group 1. From the main menu, select Logical Interconnect Groups, and then do one of the following: Select Actions Create. Click + Create logical interconnect group. 2. Enter a name for the logical interconnect group. 3. Select the Interconnect type. 4. Enter any data requested on the screen, and then click Select interconnects. See the Create Logical Interconnect Group screen details for more information. 5. Select from the list of available interconnects for an enclosure. 6. If you selected interconnect type HPE Synergy 12Gb SAS Connection Module, skip to step Click the Edit icon of the internal network area in the graphical view. 8. Click Add networks to select from available networks. 9. Click OK when you are finished adding the internal networks. 10. Click Add uplink set. 11. Enter the data requested on the screen for each uplink set you want to create. See Add an uplink set (page 188) for more information. 12. Click Create to finish, or click Create + to create additional uplink sets. 13. Optional: Scroll down and, if necessary, make changes to the interconnect settings. Any logical interconnects created from the interconnect group inherit these settings. For more information, see Interconnect settings screen details in the online help. 14. Optional: Make any changes to the SNMP settings. Any logical interconnects created from the interconnect group inherit these settings. For more information, see SNMP screen details in the online help. 15. Optional: Make any changes to the Quality of Service (QoS) settings. 16. Click Create to finish, or click Create + to create additional logical interconnect groups. 17. To verify that the logical interconnect group was created, locate the group in the details pane. 18. Optional: Select the logical interconnect group to edit, and then select Actions Edit to make changes to the utilization sampling settings, if necessary. NOTE: If you selected interconnect type HPE Synergy 12Gb SAS Connection Module, this option is not available. These settings are used in data collection for the utilization graphs displayed on the Interconnects screen. For more information, see Utilization Sampling screen details. 19. Click OK to apply any changes. 20. To verify the changes, locate them in the General view. More information About logical interconnect groups (page 178) About defining Image Streamer uplink sets in logical interconnect groups (page 184) 192 Managing interconnects, logical interconnects, and logical interconnect groups

193 Learning more Logical interconnect groups (page 50) Logical interconnects (page 48) Uplink sets (page 60) Troubleshooting logical interconnects (page 376) 16.2 Managing logical interconnects and logical interconnect groups 193

194 194

195 17 Managing enclosures, enclosure groups, and logical enclosures Enclosures integrate the power, cooling, and I/O infrastructure needed to support modular server hardware, interconnect, and storage components. An enclosure group specifies a standard configuration for all of its member enclosures. Enclosure groups enable administrators to provision multiple enclosures in a consistent, predictable manner in seconds. A logical enclosure represents a logical view of a set of physical enclosures with an enclosure group serving as a template. If the intended configuration in the logical enclosure does not match the actual configuration on the enclosure, the logical enclosure becomes inconsistent. UI screens and EST API resources UI screen Enclosures Enclosure Groups Logical enclosures EST API resource enclosures enclosure-groups logical-enclsoures 17.1 oles Minimum required privileges: Infrastructure administrator or Server administrator 17.2 Managing enclosures Tasks for enclosures HPE OneView online help provides information about using the UI or the EST APIs to: Add an HPE Synergy frame Add a remote enclosure (frame) Add server hardware and other components to managed enclosures. Collect remote support data for enclosures Edit an enclosure. Power on the appliance eapply the enclosure configuration. efresh the enclosure to re-synchronize it with HPE OneView. emove a monitored (unmanaged) HPE Synergy from HPE OneView. emove a configured (managed) HPE Synergy frame from HPE OneView. emove a server and other components from an existing enclosure. eset an HPE Synergy Frame Link Module eset an HPE Synergy Frame Link Module to original factory settings. Turn on or off a UID light in an HPE Synergy frame or its devices. View activities (alerts and tasks) oles 195

196 About enclosures or Synergy frames An enclosure or Synergy frame is a physical structure with device bays supporting compute, networking, and storage building blocks. These building blocks share the enclosure's common power, cooling, and management infrastructure. For information about enclosures, see the following topics. About an HPE Synergy Frame (page 196) About an HPE Synergy Frame Link Module (page 196) About an HPE Synergy management appliance (composable appliance) (page 198) About an HPE Synergy Composer (page 200) About interconnect link topology (page 201) About frame link topology (page 201) About adding remote enclosures (remote frame link topology) (page 202) About an HPE Synergy Frame A single HPE Synergy frame is an enclosure that consists of: One or two HPE Synergy Frame Link Modules. One or two HPE Synergy Composers. The Composer hosts HPE OneView. Other components such as servers, interconnects, power supplies, and fans. Optionally, other HPE Synergy appliances such as Synergy Image Streamer. See HPE Synergy Image Streamer documentation at for more information. One or more Synergy frames can be cabled together and managed by the active Composer within those Synergy frames. See the HPE OneView Synergy Configuration and Compatibility Guide for the number of frames that are supported. For hardware setup and cabling information, see the HPE Synergy Frame Setup and Installation Guide at synergy-docs. More information About auto-discovering a Synergy frame (page 200) About configuring a Synergy frame (page 201) About interconnect link topology (page 201) About frame link topology (page 201) About EFuse (page 201) About an HPE Synergy Frame Link Module The frame link module is used by HPE OneView to discover and manage the Synergy frame. The frame link module manages: Power and cooling Management network Inventory and configuration checking The system monitor port and USB port for setup, diagnostics, and consoles 196 Managing enclosures, enclosure groups, and logical enclosures

197 The frame link module is also an access point for hardware setup and the physical management of the Synergy frames cabled together in the data center. Use the monitor port on the front panel of the Synergy frame to connect to a display, keyboard, and mouse to: Perform the initial configuration of HPE OneView and enable remote management using a web browser Perform tasks such as changing a password or restoring a backup A single Synergy frame or enclosure has one or two frame link modules. For redundancy, or to link multiple Synergy frames together, each frame must have two frame link modules. These link modules automatically negotiate so that one frame link module takes on an Active state and the other takes on a Standby state. Management of the Synergy frame is automatically maintained during a failover. To manually change which frame link module is active, see Set an HPE Synergy Frame Link Module to active in the EST API Scripting Help. In the event that both frame link module fail, see Communication from Synergy Frame Link Module failed (page 367). You can view screen details about the HPE Synergy Frame Link Modules from the Enclosures screen, Link Modules view. Synergy frame link modules are located in the rear panel of the frame. For more information about the hardware, see also Synergy frame link module ports MGMT The port labeled MGMT on the frame link module is used to provide network connectivity to the management LAN or to OS deployment software. For each frame containing a Composer, connect the MGMT port on the frame link module that is in the same frame and bay as the Composer to the management LAN. For example, if the Composer is in appliance bay 1, connect the MGMT port of frame link module bay 1 to the management LAN. Connecting the MGMT port on other frame link modules (that do not have a Composer) to the management LAN is optional and can be done for redundancy. For each frame containing Image Streamer, connect the MGMT port on the frame link module to a Virtual Connect interconnect. LINK The port labeled LINK on the frame link module is used to provide connectivity to a group of Synergy frames cabled together. Connect multiple Synergy frames together to manage all the resources of the connected frames with one instance of HPE OneView. To connect the frames, connect a cable from the LINK port in one frame link module to a LINK port in another frame link module. The last frame in the group must have its frame link module cabled to the frame link module of the first frame, forming a management ring. As you make the cable connection, each new Synergy frame is automatically discovered. For more information on cabling, see the HPE Synergy Frame Setup and Installation Guide at For a single Synergy frame, the two LINK ports must be cabled together Managing enclosures 197

198 Figure 14 HPE Synergy Frame Link Module ports 1 2 MGMT port connector used for network connectivity to the management LAN Health LED light light 3 4 UID button button turns on the frame link module UID light for location purposes USB port connector used 5 6 LINK port connector used to link to other frame link modules Monitor port connector used to connect a monitor indicates status of the frame link module Solid green OK Blinking amber Warning Blinking red Critical to connect a keyboard or mouse for Synergy console use About an HPE Synergy management appliance (composable appliance) A Synergy frame has two appliance bays, which can host different types of appliances. The Synergy Composer is a management appliance that hosts HPE OneView. Synergy Image Streamer is the management appliance that hosts software used to deploy and customize operating systems for use by Synergy servers. You can view details about the management appliances on the Enclosures screen in the Composable Infrastructure Appliances panel. 198 Managing enclosures, enclosure groups, and logical enclosures

199 Figure 15 An HPE Synergy management appliance 1 UID LED button to toggle on and off the UID light Solid blue Locator Blinking blue Appliance firmware update or management console activity, do not power off or remove Health LED light indicates status of this appliance 3 Active LED Blinks green indicates the appliance is being reimaged. 4 Power LED light indicates power state of the appliance Off No power Blinking amber Appliance is powered off and ilo is initializing Solid green Powered on 2 6 Solid green OK Blinking amber Warning Blinking red Failed 5 eset button recessed button used to reset the appliance using a paper clip or similar item Press and release reboots the appliance Press and hold reimages the appliance USB port port used for support dumps or to reimage the appliance The appliances are located in the front panel of the frame. For more information, see also the HPE Synergy Frame Setup and Installation Guide at More information About an HPE Synergy Composer (page 200) About HPE Synergy Image Streamer (page 200) Power on the appliance in the online help Shut down the appliance from the UI in the online help 17.2 Managing enclosures 199

200 About an HPE Synergy Composer The Composer is an appliance that runs HPE OneView and manages the group of Synergy frames cabled together. You select the initial, active Composer during hardware setup by connecting the Synergy monitor port to a frame link module in the same bay number as the Composer you want to configure. A second Composer is automatically selected to create a high-availability (HA) cluster for managing the Synergy frame in a standby role. If the active Composer fails, the standby Composer automatically becomes the active Composer About HPE Synergy Image Streamer Synergy Image Streamer is a composable infrastructure appliance that hosts software used to deploy and customize operating systems for use by Synergy servers. HPE OneView automatically discovers the presence of an Image Streamer appliance once it is inserted into the Synergy frame and cabled into the network. Adding a deployment server configures the Image Streamer appliances to support deployment. Image Streamer hosts the operating system boot disk external to the Synergy servers. This stateless server arrangement enables you to replace the physical servers without the need to redeploy the operating system because the Image Streamer appliance acts as an OS volume storage. Hewlett Packard Enterprise recommends configuring Image Streamer in a highly available, three-frame link topology. However, a single frame configuration can be used for certain purposes About using Synergy Image Streamer in a single-frame configuration A single HPE Synergy frame can be configured for development and testing of Image Streamer deployment plans and artifacts. The configuration, as a proof of concept, can demonstrate full management and deployment functionality. A single-frame configuration must use an external deployment network and a single uplink port. IMPOTANT: A single-frame configuration is not highly available. If there is only one Image Streamer appliance, HPE OneView will issue an alert because two appliances are expected. To change a single-frame configuration into a highly-available configuration, the single-frame configuration must be removed from HPE OneView (the logical enclosure is deleted) and recreated. The physical frame must be reconfigured. The artifacts stored on the Image Streamer appliance can be bundled and exported to the new highly-available configuration. More information About HPE Synergy Image Streamer deployment server (page 225) HPE Synergy Configuration and Compatibility Guide at HPE Synergy Image Streamer documentation at About auto-discovering a Synergy frame When a Synergy frame is cabled, powered on, and hardware setup is started, HPE OneView automatically discovers the frame and its components and puts the frame in a Monitored state. Using the Enclosures screen, you can view the Synergy frame, frame link modules, Composer and other HPE Synergy appliances, servers, fans, interconnects, and power supplies. See Enclosure screen details in the online help for more information. A monitored enclosure or Synergy frame enables you to analyze power, thermal, and health conditions. To fully utilize or manage the Synergy frame, the Synergy frame must be configured. More information About configuring a Synergy frame (page 201) 200 Managing enclosures, enclosure groups, and logical enclosures

201 About configuring a Synergy frame After confirming that the Synergy frame was installed correctly, configure the Synergy frame so that it can be managed by HPE OneView. A managed Synergy frame enables you to apply configurations, deploy server profiles, monitor operation status, collect statistics, and alert users to specific conditions. To configure the frame, see Create a logical enclosure in the online help About interconnect link topology An interconnect link topology is a physically cabled connection of interconnects in a Master/Satellite Fabric of a Synergy system. The topology connections are very specific, based on the hardware (interconnects) installed. In HPE OneView, an interconnect link topology consists of two or more Synergy frames where an HPE Synergy Interconnect Link Module in one Synergy frame is connected to an HPE VC SE 40Gb F8 Module in the other Synergy frame via interconnect link cables. This allows servers in one Synergy frame to access the HPE VC SE 40Gb F8 Module in the other Synergy frame for sending and receiving data to and from end-of-row switches. Currently, the allowed topologies consist of up to five Synergy frames in a high availability, non-redundant A-side, or non-redundant B-side configuration. A mix of Synergy 10/40Gb Pass-Thru Modules and any other interconnect is not allowed in the same bay set. To learn more about supported configurations, see About multiple logical interconnect groups in an enclosure group (page 179).To grow an interconnect link topology without disrupting the existing environment, see About growing a logical enclosure (page 209) About frame link topology A frame link topology is a series of Synergy frames that are physically connected by way of the LINK ports of the frame link modules within each frame. See the HPE OneView Support Matrix for HPE Synergy for the number of frames supported in a frame link topology. You can configure primary and remote frame link topologies. Primary frame link topology emote frame link topology More information About an HPE Synergy Frame Link Module (page 196) About EFuse The primary frame link topology contains at least one Synergy Composer (two for high availability). The primary frame link topology is connected to the management LAN using the MGMT ports on the frame link modules. emote frame link topologies do not include Synergy Composers. Management LAN connectivity enables remote frame link topologies to be managed by the Synergy Composers in the primary frame link topology. You can use the Add remote enclosures option to bring remote frame link topologies under management. The remote frame link topology must be in the same subnet as the primary frame link topology. In the event that it becomes necessary to completely remove power from a device, EFuse allows you to reset conditions without physically removing and re-inserting the device. Use the HPE OneView EST API for EFuse to remove, then restore power to the device bay. Use of EFuse addresses any firmware-related initialization issues with the device. In the rare case that the issue is related to connectors in the device bay, physically removing the device from the bay and re-inserting might be needed to restore the device to proper functioning Managing enclosures 201

202 NOTE: Performing an EFuse will disrupt the functioning of the device, any workload executing on the device, and any management processor of the device. The device is removed from HPE OneView appliance and then re-discovered by HPE OneView. This process may take several minutes. See the HPE OneView EST API eference documentation of the PATCH operation on /rest/enclosures for additional details about how to perform an EFuse operation About adding remote enclosures (remote frame link topology) The Add remote enclosures option enables you to bring remote frame link topologies under management of HPE OneView. You can use the Add remote enclosures option to manage enclosures for which LINK cabling is not directly connected to the primary frame link topology. This allows HPE OneView to manage enclosures that are spread across racks and rows in the datacenter. More information See Add remote enclosures (remote frame link topology) in the online help Checklist: connecting a server to a data center network The following configuration elements are required for a server to connect to a data center network. The server must have a networking mezzanine card in a slot corresponding to the location of the Virtual Connect interconnects in the enclosure. Configuration requirement A logical interconnect group must be defined Why you need it A logical interconnect group defines the standard configurations to be used for the interconnects in the enclosure. Determine if you want to define single or multiple logical interconnect groups for the enclosure. See About multiple logical interconnect groups in an enclosure group (page 179). At least one uplink set must be added to the logical interconnect group, with at least one network and one uplink port The uplink set determines which data center networks are permitted to send traffic over which physical uplink ports. It defines the networks that are to be accessible from this logical interconnect and which uplink ports can accept traffic from which networks. An enclosure group must be defined and associated with one or more logical interconnect groups Enclosure must belong to a logical enclosure Server profile must be assigned to server hardware The enclosure group specifies a standard configuration for all of its member enclosures and identifies its member logical interconnect groups. The enclosure group defines the logical interconnect configurations in the physical enclosure through the logical interconnect groups. The logical enclosure identifies the enclosure group for the enclosure and the associated logical interconnect groups and logical interconnects. The server hardware provides the physical connections to at least one interconnect that is part of the logical interconnect. Server profile must have at least one connection, which must specify a network or network set Add a Synergy frame (enclosure) You do not have to know the hardware configuration, but you do have to choose an available network or network set to specify which networks the server is to use. A Synergy frame is automatically added during hardware setup. If the Synergy frame is connected to a group of linked Synergy frames, each Synergy frame in the group is discovered as part of hardware setup. Additional Synergy frames added after initial hardware setup are discovered automatically when a cable is connected from the LINK port on the frame link module of an already discovered frame 202 Managing enclosures, enclosure groups, and logical enclosures

203 to the LINK port on the frame link module of another frame with factory settings. See About an HPE Synergy Frame Link Module (page 196) eset an HPE Synergy Frame Link Module to original factory settings A factory reset of the frame link module clears all configuration settings and other data to restore it to factory settings. Perform this procedure when instructed by HPE OneView resolution messages, or when resetting an appliance to its original factory settings or when moving the frame to a different group of managed enclosures. CAUTION: Do not perform this procedure when server hardware and interconnects are in use. esetting a frame link module disrupts workloads and results in a significant disruption until HPE OneView reclaims and reconfigures the frame. When resetting or reimaging an HPE Synergy Composer to factory settings, you must also reset all the frame link modules managed by that HPE Synergy Composer to their factory settings. However, if you intend to restore the HPE Synergy Composer settings from a backup after it is reset or reimaged, and that backup contains the management configuration for the frame components, you do not need to reset all the frame link modules. esetting a Synergy frame link module to original factory settings 1. Locate the pinhole reset button on the Front Panel. 2. Use an applicator or a paper clip to depress the pinhole reset button for more than ten seconds. NOTE: Momentarily depressing this button causes the HPE Synergy Frame Link Module to reboot and reset, but does not perform a factory reset. The UID LED turns on when the button is pressed and will start blinking after 10 seconds 3. elease the button. The reset operation starts. 4. Wait for the factory reset to complete successfully. Use the HPE Synergy console to determine that the factory reset completed successfully. Select the on the HPE Synergy console. For information on the Synergy Console, see the HPE Synergy Frame Setup and Installation Guide. HPE OneView manages the frame after the factory reset operation Managing enclosures 203

204 5. Perform the appropriate step: If the factory reset of the frame link module was performed without resetting the HPE Synergy Composer, the enclosure will be brought back under management by HPE OneView when its presence is detected. If you performed a factory reset on a single enclosure when multiple enclosures are under management, the enclosure will automatically be brought back under management. Perform these actions if you have a single enclosure under management: a. Navigate to the Enclosures page. b. Select Action efresh If you performed this factory reset in conjunction with a factory reset of the HPE Synergy Composer, then either restore it from the backup file or rerun Hardware Setup to bring the frame back under management. More information To restore the appliance, you need to access HPE OneView using the IPv6 link local address, which is available from the Maintenance console. If you cannot use an IPv6 link local address, then you must set up the hardware to enable networking. After the restore operation is complete, you need to perform another factory reset of the HPE Synergy frame link module. eset the Synergy Composer to the original factory settings (page 265) estore a Synergy Composer from a backup file (page 256) About the Maintenance console (page 441) Quick Start: Initial setup (page 111) 17.3 Managing enclosure groups Tasks for enclosure groups The HPE OneView online help provides information about using the UI or the EST APIs to: Create an enclosure group Edit an enclosure group Delete an enclosure group About enclosure groups An enclosure group is a template that defines a consistent configuration for a logical enclosure. The network connectivity for an enclosure group is defined by the logical interconnect groups associated with the enclosure group. An enclosure group can contain up to five enclosures Enclosure groups and logical interconnect groups A logical interconnect group that is assigned to a bay within an enclosure group must have that bay populated within the logical interconnect group. All populated bays in a logical interconnect group must be assigned to the enclosure group. For example, a logical interconnect group that has bays 1 and 2 populated must be assigned to bays 1 and 2 of the enclosure group in order for the enclosure group to be created. An enclosure group can contain logical interconnect groups that are highly available, redundant, A-side only, or A-side and B-side. See About interconnect bay sets (page 180). 204 Managing enclosures, enclosure groups, and logical enclosures

205 Multiple-enclosure logical interconnect groups must have the proper bays populated in all enclosures in the interconnect link topology. See About multiple logical interconnect groups in an enclosure group. Single-enclosure logical interconnect groups, such as a Serial Attached SCSI (SAS) logical interconnect group, can be applied to individual bays in individual enclosures in the interconnect link topology About configuring an HPE Synergy Image Streamer OS deployment network To enable operating system deployment to servers from HPE Synergy Image Streamer, you must specify the deployment network type and deployment network in an enclosure group. Through this OS deployment network, iscsi traffic flows between servers and volumes deployed by Synergy Image Streamer. For paired Synergy Image Streamer appliances, the AID data traffic between appliances flows through the same deployment network. The appliances and servers are on the same subnet defined in the deployment network. The OS deployment network must be a tagged Ethernet network. When creating a logical enclosure, the OS deployment network must be associated with a subnet with sufficient IP addresses available. OS deployment network types Internal The Synergy Image Streamer appliance is directly connected to a Virtual Connect interconnect. The network carries redundant storage data traffic between appliances to support High Availability (HA). See Figure 16: Internal Image Streamer OS deployment network configuration. An internal OS deployment network must be assigned to the Image Streamer uplink set in one of the logical interconnect groups associated with this enclosure group. An internal OS deployment network is recommended. External None An external network indicates a single-frame configuration. See Figure 17: External Image Streamer single-frame configuration (proof of concept) An external OS deployment network must be assigned to an Ethernet uplink set in one of the logical interconnect groups associated with this enclosure group. OS deployment is disabled Managing enclosure groups 205

206 Figure 16 Internal Image Streamer OS deployment network configuration Composer (HPE OneView) Frame Link Module Frame Link Module LINK MGMT LINK MGMT Datacenter Management Network Composer (HPE OneView) Frame Link Module LINK MGMT Image Streamer Frame Link Module LINK MGMT Interconnect Internal Image Streamer Frame Link Module Frame Link Module LINK MGMT LINK MGMT Interconnect Figure 17 External Image Streamer single-frame configuration (proof of concept) Composer (HPE OneView) Image Streamer Frame Link Module Frame Link Module LINK MGMT LINK MGMT Datacenter Management Network Interconnect External More information About HPE Synergy Image Streamer (page 200) About OS Deployment Servers (page 225) Add an IPv4 subnet and address range (page 269) About using Synergy Image Streamer in a single-frame configuration (page 200) OS deployment setting changes and impacts OS deployment settings in the enclosure group can be changed. However, once the logical enclosure is created from this enclosure group, you cannot change the OS deployment settings in the logical enclosure. Any OS deployment setting changes in the enclosure group would cause the logical enclosure to become inconsistent and you would not be able to update the logical enclosure from the enclosure group. If OS deployment setting changes are required in the logical 206 Managing enclosures, enclosure groups, and logical enclosures

207 enclosure, delete the logical enclosure and recreate the logical enclosure using the updated enclosure group Create an enclosure group An enclosure group is a logical resource that defines a consistent configuration for a set of enclosures making up a logical enclosure. The network connectivity for an enclosure group is defined by the logical interconnect groups associated with the enclosure group Prerequisites equired privileges: Infrastructure administrator or Server administrator At least one created logical interconnect group For OS deployment using Synergy Image Streamer, the OS deployment network must be defined and assigned to the appropriate Creating an enclosure group 1. From the main menu, select Enclosure Groups, then: Select Actions Create. Click Create enclosure group 2. Specify a unique name for a new enclosure group. 3. Choose how IPv4 addresses are managed. 4. Enter the data requested on the screen. See the Enclosure Groups screen details in the online help if you need assistance with your entries. NOTE: For OS deployment using Synergy Image Streamer, select the logical interconnect group that is associated with the OS deployment network. 5. Click Create to create the enclosure group, or click Create + to create multiple enclosure groups. 6. Verify that the enclosure group has been added by confirming it is listed in the master pane. More information About enclosure groups (page 204) About configuring an HPE Synergy Image Streamer OS deployment network (page 205) 17.4 Managing logical enclosures Tasks for logical enclosures The appliance online help provides information about using the UI or the EST APIs to: Create a logical enclosure Edit a logical enclosure Delete a logical enclosure Grow a logical enclosure Update firmware from a logical enclosure Update the logical enclosure from the enclosure group eapply the configuration of the logical enclosure Create a logical enclosure support dump 17.4 Managing logical enclosures 207

208 About logical enclosures A logical enclosure contains the configuration intended for a set of physical enclosures. Its initial values are taken from an enclosure group and applied to the physical enclosures. If the intended configuration in the logical enclosure does not match the actual configuration on the enclosures, the logical enclosure becomes inconsistent. Use the Logical Enclosures screen to manage firmware, create a support dump, and to apply updates made from the Enclosure Groups screen to the enclosures in the logical enclosure. After Synergy frames are discovered automatically during hardware setup, you must manually create a logical enclosure. The logical enclosure must contain the number of Synergy frames that are connected together with interconnect link cables. For example, if you have three Synergy frames cabled together, create a logical enclosure that contains all three Synergy frames About inconsistent logical enclosures A logical enclosure can become inconsistent in the following cases: The enclosure group referenced by the logical enclosure has changed to a new enclosure group as part of a grow logical enclosure. The enclosure group referenced by the logical enclosure has been modified. For example, a logical interconnect group has been added, modified, or removed from the enclosure group. The logical interconnects are inconsistent with the logical interconnect groups Any other logical enclosure configuration is inconsistent with the enclosure group There are extra or missing logical interconnects when compared to the enclosure group's inventory of logical interconnect groups. More information Update the logical enclosure configuration from the enclosure group in the online help About deleting or forcibly deleting a logical enclosure About deleting a logical enclosure Delete a logical enclosure if you intend to remove the physical frames that make up the logical enclosure from the data center, or you no longer want to manage the frames. When you delete a logical enclosure, the state of the Synergy frames in the logical enclosure are changed to Monitored, including all physical resources such as interconnects. All configuration is removed. Before deleting a logical enclosure, consider editing a logical enclosure or growing the logical enclosure. About forcibly deleting a logical enclosure You should only forcibly delete a logical enclosure if you are attempting to delete the logical enclosure and your attempts to establish communication with a Synergy frame within the logical enclosure have failed. By forcibly deleting the logical enclosure in HPE OneView: All logical interconnects on the logical enclosure are deleted. The Synergy frames that can still communicate with HPE OneView are put in a Monitored state where they can be configured in another logical enclosure. All data about physical resources are deleted for any Synergy frame where HPE OneView cannot communicate with the link module. The affected frame must be factory reset before the frame can be managed again. 208 Managing enclosures, enclosure groups, and logical enclosures

209 More information See Delete a logical enclosure in the online help About updating firmware from a logical enclosure You can update firmware from a logical enclosure for shared infrastructure, shared infrastructure and profiles, HPE Synergy Frame Link Module only and unmanaged interconnect modules, if there are any. From the Logical Enclosures screen, you can initiate firmware updates. Firmware is updated in the following order: 1. HPE Synergy Frame Link Module 2. Logical interconnects and SAS interconnects 3. Unmanaged interconnects 4. Server hardware and their associated server profiles NOTE: The HPE Synergy Frame Link Modules in a group of connected frames are updated one at a time to avoid disrupting the group. More information Update the firmware in a logical enclosure in the online help About growing a logical enclosure In HPE OneView, you can grow your HPE Synergy interconnect link topology configuration from a single frame to a maximum of five HPE Synergy frames using HPE Synergy Interconnect Link Modules. In HPE OneView, the Synergy frames are added to the logical enclosure by associating a new enclosure group with the logical enclosure and performing an update from group. HPE OneView completes the change without disassociating frames from existing logical enclosures or causing an outage to the existing environment. Single-frame growth A single-frame growth occurs when a redundant, single-frame configuration expands to a two-frame high availability configuration. This physical growth occurs after a technician moves an HPE VC SE 40Gb F8 Module from the B-side of an existing Synergy frame to the B-side of the second Synergy frame. Then adds an HPE Synergy Interconnect Link Module to the B-side of the existing Synergy frame and to the A-side of the second Synergy frame. The logical growth occurs in HPE OneView when you grow the logical enclosure. When growing from one to two frames, the maximum speed of all downlinks will be based on the speed of the Interconnect Link Module being used. For example, if the HPE Synergy 10Gb Interconnect Link Module is used to grow to two frames, then the maximum speed of all downlinks in that logical interconnect is 10Gb. Multiframe growth A multiframe growth occurs when a configuration with two or more frames expands up to five frames, depending on the type of the HPE Synergy Interconnect Link Module. The physical growth occurs when a technician adds Synergy frames with HPE Synergy Interconnect Link Modules. The logical growth occurs in HPE OneView when you grow the logical enclosure. Frames configured to support HPE Synergy Image Streamer can grow from three to a four- or five-frame configuration. Supported and unsupported growth configurations See Valid configurations for enclosure groups with multiple logical interconnect groups (page 181) for a list of supported configurations Managing logical enclosures 209

210 The following configurations are not supported when growing a logical enclosure: An OS deployment configuration A SAS logical interconnect configuration An HPE VC SE 16Gb FC Module logical interconnect configuration If one or more HPE VC SE 16Gb FC Modules are already associated with the original enclosure group, you can grow the logical enclosure. However, you cannot add any new HPE VC SE 16Gb FC Modules when growing a logical enclosure. More information About an HPE Synergy Frame (page 196) About orchestrated and parallel activation Orchestrated activation allows non-disruptive updates where no outages will be caused during the update, as at any point in time there will be at least one connection link that is active. The firmware update first happens on the standby (or secondary) interconnect. After the update the standby interconnect becomes the active (or primary) interconnect and the interconnect that was formerly the active becomes the standby device. The firmware is then updated on the new standby interconnect. Parallel activation activates all interconnect modules at the same time. This means network and storage connectivity for all compute modules connecting through the interconnect modules are disrupted. Perform parallel activation during a maintenance window when you can better coordinate the downtime Create a logical enclosure After Synergy frames are discovered automatically, you must manually create a logical enclosure. The interconnect link topology of the interconnects in the enclosures determines whether a logical enclosure can be created from them. To learn more about supported configurations, see About logical interconnect groups (page 178). Prerequisites equired privileges: Infrastructure administrator or Server administrator At least one created logical interconnect group At least one created enclosure group For Image Streamer: For multiframe configurations, one pair of Image Streamer appliances is installed and cabled correctly. See the HPE Synergy Configuration and Compatibility Guide at One logical enclosure corresponds to one pair of Image Streamer appliances. For a single-frame Image Streamer configuration, one Image Streamer appliance is installed and cabled correctly. See the HPE Synergy Configuration and Compatibility Guide at A deployment network is created and associated to a subnet with an appropriate address range. An OS Deployment server is created. Creating a logical enclosure 1. From the main menu, select Logical Enclosures, and then select Actions Create. 210 Managing enclosures, enclosure groups, and logical enclosures

211 2. Enter the data requested on the screen. See Create Logical Enclosure in the Logical Enclosure screen details section of the online help. 3. Click Create to complete the action or click Create + to create another logical enclosure. 4. Verify that the logical enclosure has been created in the master pane and that one or more enclosures are now in a Configured state. If the logical enclosure is configured for OS deployment using Image Streamer, the Create Logical Enclosure task creates the Image Streamer deployment cluster and allocates the storage addresses for the Image Streamer appliances using the IP addresses from the pool associated with the deployment network. See also About logical enclosures (page 208) About configuring an HPE Synergy Image Streamer OS deployment network (page 205) eturn to Quick Start: Initial configuration of resources in HPE OneView eturn to Quick Start: Initial configuration of HPE Synergy Image Streamer (page 119) Update firmware from a logical enclosure You can update HPE Synergy Frame Link Modules, logical interconnects, serial attached SCSI (SAS) interconnects, unmanaged interconnects (if any), and the servers with server profiles to set the firmware to a specified baseline. NOTE: When a logical enclosure firmware update is in progress, do not initiate a firmware update from a logical interconnect that is part of that logical enclosure. Prerequisites equired privileges: Infrastructure administrator or Server administrator One or more SPPs are added to the appliance firmware repository. Power off any servers that do not have server profiles or that have been set to offline mode or managed manually in the server profile. Updating firmware from a logical enclosure 1. From the main menu, select Logical Enclosures. 2. In the master pane, select the logical enclosure for which you want to update the firmware bundle. 3. Select Actions Update firmware. 4. Enter the data requested on the screen. See screen details in the online help. 5. Click OK. As the update progresses, if any one component of the update fails, the logical enclosure update will fail. 6. Verify that the new firmware baseline is listed in the details pane of the Logical Enclosures screen. More information About updating firmware from a logical enclosure (page 209) Create a logical enclosure support dump file A logical enclosure support dump file includes content from each member logical interconnect in addition to the content of the appliance support dump. The entire bundle of files is compressed 17.4 Managing logical enclosures 211

212 and encrypted for downloading. The consolidated logical enclosure support dump is encrypted as support dump information from the logical interconnects includes proprietary HPE intellectual property. NOTE: You can view the contents of an unencrypted appliance support dump by creating a support dump file from the Settings: Appliance screen. If instructed to create a support dump from more than one logical enclosure, navigate to each logical enclosure screen individually and create a support dump. You must wait for each support dump to complete before creating a subsequent support dump. By default, the logical enclosure support dump includes the appliance support dump. If instructed to create a logical enclosure support dump that does not contain the appliance support dump, you must use the logical enclosure EST APIs. For more information, see the EST API scripting online help for logical enclosures. Prerequisites A logical enclosure resource Any user role can create a support dump Creating a logical enclosure support dump 1. From the main menu, select Logical Enclosures, and then select a logical enclosure. 2. Select Actions Create logical enclosure support dump. 3. Click Yes, create to confirm. You can continue doing other tasks while the support dump is created in the background. 4. When this task completes, the support dump zip file is downloaded to your browser default download folder, or you are prompted to indicate where to download the file. The logical enclosure support dump file name has the format host_name-le-name-date-time.sdmp. 5. Verify the zip file is in the specified file location. 6. Contact your authorized support representative for instructions on delivering the support dump file. More information About the support dump file (page 334) About logical enclosures (page 208) 17.5 Learning more Understanding the resource model (page 39) Managing licenses (page 161) 212 Managing enclosures, enclosure groups, and logical enclosures

213 18 Managing firmware for managed devices NOTE: This chapter describes how to manage the firmware for devices managed by the appliance. For information about updating the firmware for the appliance, see Updating the appliance (page 259). A firmware bundle, also known as an HPE Service Pack for ProLiant (SPP), comprises a set of deliverables, a full-support ISO file, and six subset ISOs divided by HPE ProLiant server family and operating system. An SPP is a comprehensive collection of firmware and system software, all tested together as a single solution stack that includes drivers, agents, utilities, and firmware packages for HPE ProLiant servers, controllers, storage, server blades, and enclosures. Each SPP deliverable contains the Smart Update Manager (SUM), and software and firmware smart components. UI screens and EST API resources UI screen Firmware Bundles EST API resource firmware-bundles 18.1 Tasks for firmware The HPE OneView online help provides information about using the UI or the EST APIs to: Add a firmware bundle to the appliance firmware repository Create a custom SPP. Downgrade firmware Establish a firmware baseline for your managed devices emove a firmware bundle from the firmware bundle repository Update firmware on managed devices View the firmware repository for firmware bundles to see the following: List of firmware bundles in the repository Contents of a firmware bundle Available storage space for the repository 18.2 About firmware bundles The appliance provides firmware management across the data center with no additional tools to download and install. Using the firmware management features built in to the appliance, you can define firmware baselines and perform firmware updates across many resources. When you add a resource to the appliance, the appliance automatically updates the resource firmware to the minimum version required to be managed by the appliance or version defined to be a baseline. See also About unsupported firmware (page 215). A firmware bundle, also known as an Service Pack for ProLiant (SPP), is a comprehensive collection of firmware and system software components, all tested together as a single solution stack that includes drivers, agents, utilities, and firmware packages. Firmware bundles enable you to update firmware on HPE ProLiant servers, controllers, storage, servers, and enclosures. You can forcibly downgrade appliance firmware to an older version, but be aware that doing so can result in slower installation speeds and has the potential to render the device unusable Tasks for firmware 213

214 Firmware repository An embedded firmware repository enables you to upload SPP firmware bundles and hotfixes to the appliance and deploy them across your environment according to your best practices. You can view the versions and contents of the SPPs in the repository from the Firmware Bundles screen. Selecting a firmware bundle displays its release date, supported languages and operating systems, and the bundle components. The screen also displays the amount of storage space available for additional firmware bundles on the appliance. You cannot add a firmware bundle that is larger than the amount of space available in the repository. NOTE: To ensure that your hardware has the latest and most robust firmware bundle that takes advantage of all available management features, download the latest firmware bundle to your appliance and add it to the firmware repository. HPE OneView supports 128 parallel server firmware updates for Windows and Linux, and 10 parallel server firmware updates for ESXi. About applying SPPs as baselines You can apply SPPs as baselines to enclosures, interconnects, and server profiles, establishing a desired version for firmware and drivers across devices. When you download an SPP from to your local system, upload it to the firmware bundle repository on the appliance. Each SPP deliverable contains the Smart Update Manager and firmware smart components. Managing firmware for the whole enclosure can be initiated from the Enclosures screen. Logical interconnect firmware can be updated from the Logical Interconnects screen. From the Server Profiles screen, you can set the firmware baseline for the assigned server hardware. The appliance identifies firmware compatibilities issues, highlighting out-of-compliance devices for updates with the selected firmware baseline. You can remove any or all SPPs from the firmware bundle repository. However, Hewlett Packard Enterprise recommends you have at least one SPP available at all times because an SPP is required when adding resources to the appliance that are below the minimum firmware versions for monitoring or managing. If you want to delete an SPP, Hewlett Packard Enterprise recommends that you re-assign all resources to a different SPP before removing the SPP. You assign an SPP by editing the server profile or enclosure and setting the Firmware baseline field. If a SPP is specified, the HPE Synergy Frame Link Module and interconnects firmware will update to match the version in the SPP. The baseline is also set on each of the logical interconnects in the enclosure. For HPE Synergy frames, select Not set if you do not want to select a firmware baseline. About uploading and using hotfixes Hewlett Packard Enterprise sometimes releases component hotfixes between main SPP releases. Hewlett Packard Enterprise notifies you that a hotfix is available to upload and provides details about the SPP to which the hotfix applies. Create a custom SPP in HPE OneView using the base SPP and the hotfix. See Upload a hotfix in the EST API Scripting Help for more information. The new custom SPP can be used to set the baseline on the various managed resources in HPE OneView. If a hotfix pertains to a managed resource that is already on the baseline, then the hotfix alone is applied. NOTE: If the firmware update target system is Linux OS, the HPE ProLiant System OM version listed is the OM Linux hotfix component. If not, the latest OM version updated in the SPP bundle is listed. 214 Managing firmware for managed devices

215 18.3 About unsupported firmware When you add a resource to bring it under management, the resource firmware must be updated to the minimum supported level. The appliance attempts to automatically update the firmware while the resource is being added to the appliance. If the update fails, an alert is generated. NOTE: You must upload a supported SPP to the appliance firmware repository before you can update device firmware. See to obtain HPE OneView software updates and product-specific firmware bundles. Unsupported firmware for firmware bundles If you attempt to add a firmware bundle that contains firmware below the minimum versions supported, an alert is generated and the firmware bundle is not added to the appliance firmware repository. Unsupported firmware for enclosures When adding an enclosure, the appliance: Generates an alert if the logical interconnect firmware for the interconnects is below the required minimum level or if the interconnect firmware levels do not match. You must update the logical interconnect firmware from the Logical Interconnects screen or EST APIs. Updates the ilo firmware automatically, if below the required minimum (Must have a supported SPP installed on the appliance) Unsupported firmware for logical enclosures When adding a logical enclosure, the appliance: Generates an alert if the actual firmware versions for one or more components do not match the required minimum. Even if you do not specify a baseline SPP, HPE Synergy Frame Link Module and ilo firmware will be updated automatically, if below the required minimum (Must have a supported SPP installed on the appliance). Select the firmware baseline from the Logical Enclosures screen or EST APIs. Unsupported firmware for server profiles You are prevented from applying server profiles if the associated ilo firmware is below the minimum supported version, and instead, are directed to the Server Hardware screen to update ilo firmware. Unsupported firmware for interconnects If you attempt to add an interconnect with firmware that is below the minimum supported version, an alert is generated. You must update the logical interconnect firmware from the Logical Interconnects screen or EST APIs. The Firmware panel of the Logical Interconnects screen displays the installed version of firmware and the firmware baseline for each interconnect About unsupported firmware 215

216 18.4 Best practices for managing firmware Best practice Upload the latest current SPP. Set the same firmware baseline for all devices in an enclosure. Description Download the latest SPP from and then upload the SPP to your appliance repository. Apply your favorite filter to download an environment specific SPP. NOTE: Each SPP deliverable contains the Smart Update Manager and firmware smart components. Hewlett Packard Enterprise recommends that you set the firmware baseline using the Update Firmware option on the Logical Enclosures screen. This action updates all of the devices in the enclosure to the specified SPP level. If you choose to create custom SPPs, use SPP custom Download to create them. Login to the web portal of SPP custom download at to create a custom SPP using environment specific filters. Apply server model filter or operating system filter to create a smaller sized SPP. TIP: Save the filter for convenience. Update firmware in the proper sequence. Update firmware and drivers using Smart Update Tools (SUT) when the server is powered on and running an OS Verify the managed device setting before updating the firmware. Store SPPs in a separate location from the appliance. emove older SPPs from the firmware repository. Although Hewlett Packard Enterprise recommends that you set the firmware baseline for all devices in an enclosure which will cause all firmware to be installed in the proper order, you can update firmware on specific components. If you choose to update component firmware independently, upgrade the firmware in the following order: logical interconnect, and then the server profile. Hewlett Packard Enterprise recommends that you install the drivers from the same SPP that contains the firmware. Firmware and drivers can be updated via the server profile when using Smart Update Tools. See the Smart Update Tools User Guide at for installation instructions. Set SUT mode to AutoStage or AutoDeploy. eboot in the maintenance window. Do not update the firmware using SUM or another external tool on a managed device unless the firmware baseline is set to Manage manually. HPE OneView does not back up the firmware repository, so store SPPs in a repository that is not on the appliance, such as in the SUM repository used to create the custom SPP. Have at least one SPP available at all times because an SPP is required when adding resources to the appliance that are below the minimum firmware versions for monitoring or managing. If you want to delete an older SPP, re-assign all resources using that SPP to a different SPP before removing the SPP. More information Managing firmware for managed devices (page 213) Best Practices for HPE Synergy Firmware and Driver Updates at synergy-docs 18.5 Create a custom SPP HPE sometimes releases component hotfixes between main SPP releases. Create a custom SPP in HPE OneView using the base SPP and the hotfix. To apply the hotfix on the managed resources, create a customized SPP with the hotfix. Different mechanisms are available for applying a hotfix in OneView: Use SPP custom download to create a new SPP with the hotfix (Hewlett Packard Enterprise recommended approach). Use SUM to create a new SPP with the hotfix. Upload the hotfix and create a custom SPP using HPE OneView. 216 Managing firmware for managed devices

217 NOTE: For any custom SPP you create, you must include ilo, and Virtual Connect firmware. For VC and ilo hotfixes, please ensure to upload the.scexe version of the hotfix. Prerequisites equired privileges: Infrastructure administrator, Network administrator, or Server administrator Software that enables you to mount an ISO (image) file Option 1: Use SPP custom download to create a custom SPP Hewlett Packard Enterprise recommends using the SPP custom download feature to upload a customized SPP into HPE OneView. For instructions and access, go to spp. Option 2: Use SUM to create a custom ISO SPP 1. Download SUM from 2. Unzip the SUM file to a directory. 3. Download the SPP ISO file from to a local directory. 4. Mount the SPP ISO file on a file system you can access, following your software instructions. 5. Start SUM by double-clicking hpsum.bat in the \hpsum directory. 6. From the SUM main menu, select Baseline Library +Add Baselines. The hotfix is included in the custom baseline. 7. For Location Details, browse to the hpe\swpackages directory of the mounted SPP. 8. Click Add. Let the add operation complete before proceeding. 9. Add any other components (updates) you have downloaded from HPE to the baseline library that you want to include in the custom SPP. 10. Select the SPP and the components from the baseline library. 11. Select Actions Create Custom. 12. Select any of the filters you want to use; however, the following filters are required: Overview: Select Bootable ISO OS Type: Select HEL 5 and HEL Click Create ISO to create the new firmware bundle. 14. Add a firmware bundle to the appliance firmware repository. See the online help for more information. 15. Verify that the upload completed by viewing the firmware bundle contents in the details pane on the Firmware Bundles screen. Option 3: Upload hotfix and create a custom SPP Prerequisites equired privileges: Infrastructure administrator, Network administrator, or Server administrator Minimum one valid hotfix should be available in the repository 1. From the main menu, select Firmware Bundles. 2. Select Actions Create Custom firmware bundle. 3. Enter a custom spp name and select a base SPP. 4. Click Add Hotfix to add available hotfixes. 5. Click OK. 6. Verify that the upload completed by viewing the firmware bundle contents in the details pane on the Firmware Bundles screen Create a custom SPP 217

218 You can also use EST APIs to upload a hotfix and create a custom SPP. See the EST API scripting help for more information. NOTE: Uploading a hotfix to create a custom SPP is to be specifically used for applying hotfix(es) on a managed resource Update firmware on managed devices Firmware bundles enable you to update firmware on managed servers and infrastructure (enclosures and interconnects). You can choose to update all the resources within an enclosure, just the HPE Synergy Frame Link Module firmware, the firmware within a logical interconnect, or firmware for a specific server using a server profile. When you choose to update all resources within an enclosure, all servers are updated even if they are not associated with a sever profile. From the Logical Enclosures screen, you can initiate firmware updates for HPE Synergy Frame Link Modules. See Update firmware from a logical enclosure (page 211) for more information. You can also choose to update individual component firmware. As a best practice when updating component firmware independently, update the firmware in this order: 1. HPE Synergy Frame Link Module 2. Server Profiles Update firmware on the logical enclosure Prerequisites equired privileges: Infrastructure administrator or Server administrator (for enclosures) One or more SPPs are added to the appliance firmware repository. Updating the HPE Synergy Frame Link Module firmware on the logical enclosure You can update logical enclosure firmware to set the HPE Synergy Frame Link Module firmware to a specified baseline. 1. From the main menu, select Logical Enclosures. 2. In the master pane, select the logical enclosure on which you want to update the firmware bundle. 3. Select Actions Update firmware. 4. From Firmware baseline, select the firmware bundle to install. If you select a firmware baseline, the HPE Synergy Frame Link Module firmware is updated to the specified baseline during configuration. If the ilo firmware is below the minimum version supported, it is updated to the version in the baseline. If you select Not Set, the HPE Synergy Frame Link Module and ilo firmware are updated only if they are below the minimum version supported, in which case, they are updated to the version in the most recent SPP available in HPE OneView. NOTE: To install an older firmware version than the version contained in the SPP, you must select the Force installation option to downgrade the firmware. You might want to install older firmware if the newer firmware is known to cause a problem in your environment. CAUTION: Be aware that downgrading firmware can render a server unusable and might result in slower installation speeds. 5. Click OK. 6. Verify that the new firmware baseline is listed in the details pane of the Logical Enclosures screen. 218 Managing firmware for managed devices

219 Update firmware with a server profile Prerequisites equired privileges: Infrastructure administrator or Server administrator Updating firmware with a server profile To update the firmware for a specific server, edit the existing server profile or create a new server profile and specify the version of the SPP. NOTE: The firmware baseline in the server profile will not be reapplied unless it has changed. 1. From the main menu, select Server Profiles, and then do one of the following: Click Create profile in the master pane. Select a server profile in the master pane, and then select Actions Edit. 2. Select the firmware bundle for Firmware baseline. To install an older firmware version contained in the SPP, you must select the Force installation option to downgrade the firmware. You might want to install older firmware if the newer firmware already installed on the server is known to cause a problem in your environment, as noted in the elease Notes CAUTION: Be aware that downgrading firmware can render an appliance unusable and might result in slower installation speeds. For example, if the ilo Firmware is downgraded to a previous version that does not use ich Infrastructure Specification (IS), the communication between Smart Update Tools and HPE OneView will break. 3. To complete the update, do one of the following: If this is a new profile, click Create to create the server profile. If you are editing an existing profile, click OK to update the server profile. 4. Power on the server to activate the firmware. a. From the main menu, select Server Hardware. b. Select the server and then select Actions Power on. 5. Verify that the new firmware baseline is listed in the details pane on the Server Profiles screen Update firmware with a server profile template Prerequisites equired privileges: Infrastructure administrator or Server administrator Updating firmware with a server profile template To update the firmware for a specific server, edit the existing server profile template or create a new server profile template and specify the version of the SPP. NOTE: The firmware baseline in the server profile template will not be reapplied unless it has changed. 1. From the main menu, select Server Profile Templates, and then do one of the following: Click Create server profile template in the master pane. Select a server profile template in the master pane, and then select Actions Edit Update firmware on managed devices 219

220 2. Select the firmware bundle for Firmware baseline. To install an older firmware version contained in the SPP, you must select the Force installation option to downgrade the firmware. You might want to install older firmware if the newer firmware already installed on the server is known to cause a problem in your environment, perhaps as noted in the elease Notes. CAUTION: Be aware that downgrading firmware can render an appliance unusable and might result in slower installation speeds. For example, if the ilo Firmware is downgraded to a previous version that does not use ich Infrastructure Specification (IS), the communication between Smart Update Tools and HPE OneView will break. 3. To complete the update, do one of the following: If this is a new template, click Create to create the server profile template. If you are editing an existing template, click OK to update the server profile template. 4. Verify that the new firmware baseline is listed in the details pane on the Server Profile Templates screen Learning more Troubleshooting firmware bundles (page 370) About enclosures or Synergy frames (page 196) About firmware associated with a logical interconnect (page 185) About server profiles (page 142) 220 Managing firmware for managed devices

221 19 Managing power, temperature, and the data center You can use the appliance to manage the power and temperature of your IT hardware. To manage and monitor hardware temperature, add your server hardware to racks, position the server hardware in the racks, and then add the racks to one or more data centers Managing power To manage power, you describe your power delivery devices to the appliance using the Power Delivery Devices screen or the EST APIs. The appliance discovers HPE Intelligent Power Delivery Devices (ipdus) and their connections automatically. UI screens and EST API resources UI screen Power Delivery Devices EST API resource power-devices enclosures (power capacity) server-hardware (power capacity) oles equired privileges: Infrastructure administrator or Server administrator Tasks for managing power The appliance online help provides information about using the UI and EST APIs to: Add a power delivery device. Add a power connection. Filter power delivery devices. View last 5 minutes of power consumption for an ipdu. View last 24 hours of power consumption for an ipdu. Edit the properties of a power delivery device. Power on or off the locator light for a power delivery device. Power down a power delivery device. emove a power delivery device. esolve connectivity issues between an ipdu and the appliance. Add an ipdu currently being managed by another management system. View power utilization statistics. Update enclosure power capacity settings (EST API only). Update server hardware power capacity settings (EST API only) About power delivery devices Power delivery devices provide power to IT hardware. A typical power topology in a data center includes power delivery devices such as power feeds, breaker panels, branch circuits, and power distribution units (PDUs), as well as the load segments, outlet bars, and outlet components of 19.1 Managing power 221

222 these devices. Adding your power delivery devices to the appliance enables power management using thermal limits, rated capacity, and derated capacity. The Power Delivery Devices screen describes the following classes of devices: Intelligent Power Distribution Units (ipdus), which the appliance can automatically discover and control. Other power delivery devices that the appliance cannot discover. By manually adding these devices to the appliance, they become available for tracking, inventory, and power management purposes. egardless of how power delivery devices are added to the appliance, the appliance automatically generates the same types of analysis (capacity, redundancy, and configuration). For ipdus, the appliance gathers statistical data and reports errors. Connectivity and synchronization with the appliance The appliance monitors the connectivity status of ipdus. If the appliance loses connectivity with an ipdu, an alert displays until connectivity is restored. The appliance will try to resolve connectivity issues and clear the alert automatically, but if it cannot, you must resolve the issue and manually refresh the ipdu to bring it in synchronization with the appliance. The appliance also monitors ipdu to remain synchronized with changes to hardware and power connections. However, some changes to devices made outside of the control of the appliance (from ilo for example) may cause them to become out of synchronization with the appliance. You may have to manually refresh devices that lose synchronization with the appliance. NOTE: Hewlett Packard Enterprise recommends that you do not use ilo to make changes to a device. Making changes to a device from its ilo could cause it to lose synchronization with the appliance. You can manually refresh the connection between the appliance and an ipdu from the Power Delivery Devices screen. See the online help for the Power Delivery Devices screen to learn more Managing your data center In the appliance, a data center represents a physically contiguous area in which racks containing IT equipment such as servers, enclosures, and devices are located. The data center describes a portion of a computer room and provides a useful grouping to summarize your environment and its power and thermal requirements. UI screens and EST API resources UI screen Data Centers EST API resource datacenters oles equired privileges: Infrastructure administrator or Server administrator Tasks for data centers The appliance online help provides information about using the UI and EST APIs to: Add and edit a data center. Manipulate the view of a data center visualization. 222 Managing power, temperature, and the data center

223 Monitor data center temperature. emove a data center from management About data centers A data center represents a physically contiguous area in which racks containing IT equipment are located. For example, you have IT equipment in two rooms or on separate floors. You could create a data center for each of these areas. Each server, enclosure, or power distribution device in your data center can report its power requirements, but it can be difficult to understand the power and cooling requirements for your data center as a whole. The appliance enables you to bring power and cooling management of your servers, enclosures, and power delivery devices together in a single management system. The Layout view of the data center is color-coded to depict the peak temperature recorded in the last 24 hours. Default data center: Datacenter 1 When you initialize the appliance for the first time, it creates a data center named Datacenter 1. The appliance provides this data center as a place to visualize your racks. You can rename or edit this data center to match the values and layout of your data center, you can use it as the basis for a planned data center model, or you can delete this data center without adverse effects. Default rack placement When you add a rack to the appliance for management, the appliance displays the rack in all data centers even though its actual location is not known. If you view a data center that displays unpositioned racks, a warning appears to alert you that unpositioned racks are being displayed. When you assign a rack to a data center, it is no longer displayed in other data centers Managing racks acks allow you to manage temperature, power, and depict the layout of enclosures. UI screens and EST API resources UI screen acks EST API resource racks oles equired privileges: Infrastructure administrator or Server administrator Tasks for racks Add, edit, or remove a rack. Change layout of devices in a rack. Set the thermal limit of a rack About racks A rack is a physical structure that contains IT equipment such as enclosures, servers, power delivery devices, and unmanaged devices (an unmanaged device uses slots in the rack and consumes power or exhausts heat, but it is not managed by the appliance). You can manage 19.3 Managing racks 223

224 your racks and the equipment in them by adding them to the appliance. Having your racks managed by the appliance enables you to use the appliance for space and power planning. The appliance also gathers statistical data and monitors the power and temperature of the racks it manages. When you add an enclosure to the appliance, it automatically creates a rack and places the enclosure in it. The appliance places into the rack all enclosures connected by management link cables. When enclosures are added, the appliance places them in the rack from top to bottom. When an enclosure is placed in an Intelligent Series ack, the enclosure slots are automatically detected. For other racks, to accurately depict the layout of your enclosures within the rack you must edit the rack to place the enclosure in the proper slots. You can use the appliance to view and manage your rack configuration and power delivery topology. You can specify the physical dimensions of the rack (width, height, and depth), the number of U slots, and the location of each piece of equipment in the rack. You can specify the rack PDUs that provide power to the rack, and their physical position in the rack or on either side. You can also describe how the devices in the rack are connected to those PDUs. After adding a rack to the appliance for management, you can add the rack to a data center to visualize the data center layout and to monitor device power and cooling data. After the rack is under management, you can configure the power delivery topology with redundant and uninterruptible power supplies to the devices in the rack. ack naming The way a rack is named and how you change the name of a rack depends on how it was added to the appliance. Table 9 ack naming Add method Automatically discovered from a ProLiant server with Location Discovery Services for Synergy frames Manually from the acks screen 19.4 Learning more Initial naming method Assigned using rack serial number as rack name Defined by the user Name change method Edit rack Edit rack Monitoring power and temperature (page 297) About utilization graphs and meters (page 299) 224 Managing power, temperature, and the data center

225 20 Managing OS Deployment servers UI screens and EST API resources UI screen OS Deployment Servers EST API resource deployment-servers 20.1 oles equired privileges: Infrastructure administrator 20.2 Tasks for OS deployment servers Add, edit, or delete an OS deployment server Change the primary appliance for an Image Streamer OS deployment server 20.3 About OS Deployment Servers An OS deployment server is a resource that enables you to deploy (install and configure) operating systems for use by servers. HPE OneView connects to an OS deployment server and configures it for deploying operating systems. HPE OneView manages the OS deployment server after it is configured and displays the list of attributes, management settings, the OS deployment plans, and the server profiles that reference the available OS deployment plans About HPE Synergy Image Streamer deployment server You can add only a single Image Streamer deployment server. Once you add an Image Streamer OS deployment server in HPE OneView, you can launch the Image Streamer graphical user interface from the HPE OneView OS Deployment Servers screen. An Image Streamer OS deployment server supports the deployment of plans that define the operating system artifacts necessary for server hardware operation. Adding a deployment server causes Image Streamer appliances to be clustered and configured to manage OS deployment artifacts. A software administrator can create, modify, and delete deployment plans using artifacts stored on the Image Streamer appliance. These artifacts include the following: Plan script: Plan scripts are used to accomplish the personalization (deployment) or generalization (capture) processes. Build plan: Build plans are recipes that modify the contents of a server volume to make the golden image specific to the server for deployment or to retain server-specific content as part of capture. Golden image: A golden image is a generic format of any image that can be customized for deployment using other artifacts provided by Image Streamer. Deployment plan: Deployment plan is a combination of a golden image and build plan. The deployment plans have the operating system, driver, and application software to be installed and configured along with the recipe for configuration. The deployment plans take values for configuration of a deployment instance for a server from server profiles About designating the HPE Synergy Image Streamer primary cluster The primary appliance: 20.1 oles 225

226 is the cluster where the Image Streamer user interface runs. provides the interface for managing artifacts and detailed status and maintenance of Image Streamer appliances. coordinates deployment as directed by the server profile. The server profile is the interface for controlling deployment. The primary appliance is selected when the Image Streamer deployment server is added. Any Image Streamer appliance can be selected as the primary appliance. Changing the primary does not disrupt server access to OS volumes. All Image Streamer appliances not designated as the primary are considered secondary appliances. A secondary appliance hosts and serves the operating system volumes for the compute modules in its logical enclosure and acts as a backup in case the primary appliance fails. If there are appliance-related issues or a need to remove or decommission the primary appliance, another Image Streamer can be selected as primary cluster by editing the deployment server. OS deployment is not possible until the deployment server is edited to select a primary. The new primary requires time to reconfigure and take control of the group of appliances. During this time servers continue to have uninterrupted access to OS volumes. Before the primary is physically removed, a new primary should be selected. If the primary is removed before selecting a new primary, it will not be possible to manage artifacts and OS deployment will fail. Once a new primary is selected, normal operation will resume. One cluster is composed of an Image Streamer appliance pair. An appliance is clustered for high availability. This is important for mission critical use because the Image Streamer hosts the OS volumes that servers use. Each logical enclosure has a cluster. The number of clusters possible is limited by the maximum number of enclosures that can be managed by HPE OneView in a multi-frame configuration About deleting OS deployment server Deleting an Image Streamer OS deployment server removes the management and storage networking configurations of all the Image Streamer appliances configured in HPE OneView. In addition, the Image Streamer appliances are reset to factory defaults, removing all OS deployment artifacts and all OS volumes. 226 Managing OS Deployment servers

227 21 Managing storage This chapter describes the storage resources and the tasks associated with those resources. Storage systems: hardware that contains multiple storage disks such as the HPE 3PA StoreServ Storage system. Storage pools: groups of physical disks in a storage system. Volumes: logical storage spaces provisioned from storage pools that you can attach to server profiles. Volume templates: you can create multiple volumes with the same configuration. SAN managers: hardware or software systems that manages SANs SANs: you can use SANs to automate fabric zoning. Drive enclosures: hardware, installed in enclosure bays, that contains multiple physical disks from which you can dynamically create virtual drives. Figure 18 Storage management overview UI screens and EST API resources UI screen SAN Managers Storage Systems Storage Pools Volumes Volume Templates Drive Enclosures EST API resource fc-sans/device-managers fc-sans/providers fc-sans/managed-sans storage-systems storage-pools storage-volumes storage-volume-templates drive-enclosures 227

228 21.1 Drive enclosures Tasks for drive enclosures The HPE OneView online help provides information about using the UI or the EST APIs to: efresh a drive enclosure eset a drive enclosure Power a drive enclosure on or off Power the UID light for a drive enclosure on or off About drive enclosures Drive enclosures are hardware devices that contain a set of drive bays. A drive enclosure is installed in a device bay of an enclosure, and provides composable storage to servers. Composable storage is a group of physical drives that you can dynamically define as virtual drives. These virtual drives are called logical JBODs. A JBOD (just a bunch of disks) is a group of physical disk drives that are assigned to server hardware. Unlike a AID configuration, a JBOD is a not redundant configuration. You can specify a AID configuration when you create a logical JBOD. Logical JBODs are created and assigned to server hardware from server profiles or server profile templates. More information About local storage and mezzanine storage controllers (page 151) About drive enclosure and server hardware power sequencing requirements The server hardware must be powered off for changes to the server profile to be applied, including attaching drives from a drive enclosure. After you have attached a drive enclosure to server hardware, you can physically add and remove drives in the drive enclosure without powering the server hardware on and off. A drive enclosure that contains drives attached to server hardware must be powered on before the server hardware is powered on in order for the drives to be visible to the server hardware. If you power off or move a drive enclosure, you must power off all server hardware that have attached drives in the drive enclosure, and power the server hardware back on after the drive enclosure is powered on. More information About interconnects (page 171) About logical interconnects (page 174) 21.2 Storage systems A storage system is hardware that contains multiple storage disks such as the HPE 3PA StoreServ Storage system. 228 Managing storage

229 oles Tasks Minimum required privileges: Infrastructure administrator or Storage administrator The appliance online help provides information about using the UI and EST APIs to: Add, edit, edit credentials, refresh, and remove a storage system Add a volume About storage systems A storage system (or storage array) is a storage device from which logical disks (volumes) can be provisioned and mapped or masked to servers. Bringing SAN storage systems under management of the appliance enables you to add and create volumes. You can then attach volumes to server profiles through volume attachments. This enables the server hardware assigned to the server profiles to access the SAN storage system. When adding a storage system, you must choose a domain on the storage system. You can then select storage pools from that domain on the storage system to add to the appliance. After you add storage pools, you can assign networks to the storage ports associated with the storage system. See the HPE OneView Support Matrix for HPE Synergy for a list of supported storage systems About HPE 3PA StoreServ Storage systems You can connect supported HPE 3PA StoreServ Storage systems to the appliance. You must configure a 3PA system using the 3PA software to bring it under management of the appliance. Partner port states Port state none failing over failed over failed recovering partner port failed over partner failed Definition Normal state, not failed over. The port is offline and is in the process of failing over to the partner port. The port is offline and has failed over to the partner port. The port is off offline and cannot fail over to the partner port. The port is online and in the process of returning to a normal state. The partner port has failed over and the port is the partner port traffic. The partner port has failed and the fail over operation was not successful. Equivalent 3PA state none failover_pending failed_over active_down failback_pending active active_down 21.3 Storage pools Storage pools are groups of physical disks in a storage system that you can divide into logical volumes Storage pools 229

230 oles Tasks Minimum required privileges: Infrastructure administrator or Storage administrator The appliance online help provides information about using the UI and EST APIs to: Add and remove a storage pool About storage pools A storage pool is an aggregation of physical storage resources (disks) in a storage system. Storage systems contain information about the storage ports through which they can be accessed. You can provision logical storage spaces, known as volumes, from storage pools. You can choose one or more storage pools when adding a storage system to the appliance. Storage pools are created on a storage system using the management software for that system. You cannot create or delete storage pools from the appliance you can only add or remove them from management. After you add storage pools, you can provision volumes on them Volumes oles Tasks Volumes are logical storage spaces provisioned in storage pools. You can create multiple volumes with the same configuration using a volume template. Minimum required privileges: Infrastructure administrator, Storage administrator, or Network administrator The appliance online help provides information about using the UI and EST APIs to: Create, add, edit, delete, and increase the capacity of a volume Create a volume snapshot, create a volume from snapshot, and revert volume to snapshot About volumes A volume represents a logical disk provisioned from a storage pool on a storage system. You can attach volumes to one or more servers by configuring a volume attachment in the server profile. The volume attachment manages volume presentation on the storage system ( StoreServ port selection, host and vlun creation) as well as SAN zoning on SANs (with automatic zoning enabled) that connect the server and storage system. Using volume templates, you can create multiple volumes with the same configuration. You can increase (grow) the capacity of a volume by editing it. You cannot decrease the capacity of a volume About snapshots A snapshot is a virtual copy of an existing volume at a point in time. You can use a snapshot as a backup of a volume, and then use the snapshot to revert a volume to the backup, or to create new volumes from the snapshot. A snapshot is a static copy of a volume at the point the snapshot is created. Snapshots are not updated to reflect changes in the volume since the snapshot was taken. 230 Managing storage

231 A new volume created from a snapshot will be the same size as the snapshot and will contain all of the data in the snapshot. The new volume has no relationship with the volume that was used to create the snapshot. everting a volume to a snapshot will revert to the data the volume contained when the snapshot was taken. The size of the volume will remain the same as when it was reverted. For example, if you take a snapshot of a 50 GiB volume, grow the volume to 100 GiB, and then revert to the snapshot, the volume will be 100 GiB with the data from the 50 GiB snapshot. everting to a snapshot of a volume will cause all data created or changed since the snapshot was taken to be lost. Backup your data to prevent data loss Volume templates oles Tasks You can use volume templates to create multiple volumes with the same configuration. Minimum required privileges: Infrastructure administrator or Storage administrator The appliance online help provides information about using the UI and EST APIs to: Add, edit and delete a volume template About volume templates A volume template is a logical resource that enables you to create a standard configuration from which multiple volumes can be created SAN Managers oles Tasks A SAN manager is a hardware or software system that manages SANs. A SAN manager is not required to attach a volume to a server profile, but SAN managers enable automated fabric zoning. Minimum required privileges: Infrastructure administrator or Storage administrator The appliance online help provides information about using the UI or the EST APIs to: Add, edit, and remove a SAN manager About SAN managers SAN Managers are a resource in HPE OneView that represent a connection to an external entity through which SANs are discovered and managed. The external entity can be vendor-specific management software or a physical switch. SANs are created outside of HPE OneView in the SAN manager vendor s management interface. Once created, SANs can be discovered and managed in HPE OneView using the SAN Manager resource. When creating SAN managers, it is possible to have two SAN managers discovering the same SAN, causing it to show up twice in the SAN view. When associating an HPE OneView network to the SAN, the choice of which SAN to associate determines which SAN manager will be used to manage the SAN, and the other will be removed (hidden) as HPE OneView does not permit a SAN to be managed through more than one SAN manager Volume templates 231

232 HPE OneView supports SAN managers from different vendors. See the HPE OneView Support Matrix for HPE Synergy for a list of supported SAN managers About zone sets A zone set is a set of zones you can configure all zones on a SAN manager by activating a zone set from the SAN manager. HPE OneView modifies the active zone set when performing zoning or alias configuration. Zone sets are not exposed in HPE OneView. Active zone set Inactive zone set The zone set currently enforced by the fabric. The inactive zone sets for the SAN. Only one zone set can be activate at a time. SAN manager HPE Cisco Brocade (BNA) Term for Inactive zone set Standby zone set Local zone set Zone configurations Configuring SAN managers to be managed by HPE OneView You must configure SAN managers using the management software provided by the SAN manager vendor to properly manage them in HPE OneView. After properly configuring the SAN manager, you can add it to HPE OneView. CAUTION: Performing zone operations from multiple switches without executing a full zone set distribution might result in the loss of zoning data. NOTE: Switch vendors support fabric world wide name (FWWN) or node port world wide name (PWWN) zone memberships. HPE OneView only uses PWWN for zone membership. Best Practice: SAN managers Always use a single switch to perform all zoning operations, regardless of the management software you use to perform the zoning. Always use the full zone set distribution commands and settings when making zone changes. HPE OneView does this on the SAN manager and SAN through which it is managing by default. Configuring HPE SAN managers You must have a valid SNMP v3 user with default read permissions. See Quick Start: Configuring an HPE 5900 for management by HPE OneView (page 126). HPE SANs must only be managed by a single HPE OneView appliance. Configuring Cisco SAN manager You must have a valid SNMP v3 user with write permissions. See Quick Start: Configuring a Cisco switch to be added as a SAN manager for management by HPE OneView (page 127). Cisco SANs must only be managed by a single HPE OneView appliance. Configuring Brocade Network Advisor (BNA) SAN manager You must have a valid user account with SMI Agent running. See the documentation for your SAN manager for more information. To allow HPE OneView to see SAN fabric topology changes automatically, you must disable Track Fabric Changes on the BNA. Otherwise, you must perform an Accept Changes 232 Managing storage

233 21.7 SANs Tasks operation on the BNA whenever you make changes to the SAN fabric topology for HPE OneView to see them. See the BNA documentation for more information on disabling Track Fabric Changes. BNA based SANs can be managed by one or more HPE OneView appliances. The appliance online help provides information about using the UI or the EST APIs to: Associate a managed SAN with a network Turn automated zoning on or off for a managed SAN Edit a SAN Download SAN endpoints table Generate an Unexpected Zoning eport About SANs SANs are Fibre Channel (FC) or Fibre Channel over Ethernet (FCoE) storage area networks that connect servers to storage systems. The possible states for SANs are: Discovered Managed Direct-attach SANs A SAN that is not associated with a network. SANs are automatically discovered when a SAN manager is added to HPE OneView. A SAN that is associated with one or more networks in HPE OneView. Only managed SANs can be configured to be automatically zoned by HPE OneView. HPE OneView creates a direct-attach SAN (flat SAN) automatically when you configure an enclosure with a logical interconnect that contains a direct-attach uplink set. HPE OneView names the direct-attach SAN using the format <interconnect><uplink set>. The SAN that HPE OneView creates is a Fibre Channel (FC) direct-attach SAN that is not zoned, and cannot be edited. NOTE: HPE OneView creates a SAN for each interconnect module that is connected to a direct-attach Fibre Channel network. Connecting servers directly to an HPE 3PA Storage system using direct-attach Fibre Channel networks is not supported for Synergy frames About SAN zoning Zoning policy A SAN zone enables communication between devices connected to the SAN. SAN zoning policies determine how zoning should be configured on a SAN. SAN zoning policies define whether or not zoning is automated as well as the naming format of zones and aliases. In HPE OneView, you can specify the name format of the zones and aliases that will be created when you associate a storage volume to a server profile via a volume attachment. By specifying zone name and alias formats using text strings and server profile objects, you can create names that are meaningful and conform with your naming conventions. NOTE: HPE OneView performs zoning only when you add a connection to a server profile and attach a SAN storage volume to it. When you do this, HPE OneView will determine if the current zoning allows connectivity. If current zoning does not allow connectivity, HPE OneView will create the necessary zoning based on the specified zoning policy SANs 233

234 Automate zoning Automated zoning enables HPE OneView to automatically create, edit, and delete zones on a zoned SAN when you attach storage volumes to servers through a volume attachment in a server profile. Yes Zoning is automated. HPE OneView takes full control of the zone naming and contents based on the zoning policy for the SAN. Use automated zoning when you want HPE OneView to configure new zones for volume attachments to server profiles. Existing zones are not modified unless the SAN storage attributes defined in a server profile change. No 21.8 Learning more Zoning is not modified by HPE OneView. You must manually manage zoning. Understanding the resource model (page 39) Troubleshooting storage (page 388) 234 Managing storage

235 22 Managing users and authentication The appliance requires users to log in with a valid user name and password, and security is maintained through user authentication and role based authorization. User accounts can be local, where the credentials are stored on the appliance or can be on a company or organizational directory (Microsoft Active Directory, for example) hosted elsewhere, where the appliance contacts the defined directory server to verify user credentials. UI screens and EST API resources UI screen Users and Groups EST API resource users, roles, authz, logindomains, logindomains/global-settings, and logindomains/grouptorolemapping 22.1 oles Minimum required privileges: Infrastructure administrator 22.2 Tasks for managing users and groups The appliance online help provides information about using the user interface or the EST APIs to: Add, edit (including updating a user password), or remove a user with local authentication. Add a user with directory-based authentication. Add a group with directory-based authentication. Designate user privileges. eset the administrator password. Add an authentication directory service. Allow or disable local logins. Change the authentication directory service settings. Set an authentication directory service as the default directory. emove an authentication directory service from the appliance About user accounts ole-based access The appliance provides default roles to separate responsibilities in an organization. A user role enables access to specific resources managed from the appliance. ole-based access control enforces permissions to perform operations that are assigned to specific roles. You assign specific roles to system users or processes, which gives them permission to perform certain system operations. Because a user is not assigned permissions directly, but instead acquires them through their role (or roles), individual user rights are managed by assigning the appropriate roles to the user. At initial appliance startup, there is a default administrator account with full access (Infrastructure administrator) privileges. For more information about the actions each role can perform, see Action privileges for user roles (page 237) oles 235

236 Local authentication You can add a user authorized to access all resources managed by the appliance (full access user) or add a user who has access based on their job responsibilities (role-based specialist). For each of these users, authentication is confirmed by comparing the user login information to an authentication directory hosted locally on the appliance. The default administrator login for the appliance is automatically assigned with full access (Infrastructure administrator) privileges. Directory-based authentication You can add a user authorized by membership to access all resources managed by the appliance (full access user) or add a user authorized by membership who has access based on their job responsibilities (role-based specialist). For each of these users, authentication is confirmed by comparing the user login information to an enterprise directory About user roles User roles enable you to assign permissions and privileges to users based on their job responsibilities. You can assign full privileges to a user, or you can assign a subset of permissions to view, create, edit, or remove resources managed by the appliance. Table 10 User role permissions ole Full ead only Specialized Type of user Infrastructure administrator ead only Backup administrator Network administrator Permissions or privileges View, create, edit, or remove resources managed or monitored by the appliance, including management of the appliance, through the UI or using EST APIs. An Infrastructure administrator can also manage information provided by the appliance in the form of activities, notifications, and logs. Only an Infrastructure administrator can restore an appliance from a backup file. View managed or monitored resource information. Cannot add, create, edit, remove, or delete resources. Create and download backup files, view the appliance settings and activities. Has the authority to use scripts to log in to the appliance and run scripts to back up the appliance. Cannot restore the appliance from a backup file. NOTE: This role is specifically intended for scripts using EST APIs to log into the appliance to perform scripted backup creation and download so that you do not expose the Infrastructure administrator credentials for backup operations. Hewlett Packard Enterprise recommends that users with this role should not initiate interactive login sessions through the HPE OneView user interface. View, create, edit, or remove networks, network sets, connections, interconnects, uplink sets, and firmware bundles. View related activities, logs, and notifications. Cannot manage user accounts. 236 Managing users and authentication

237 Table 10 User role permissions (continued) ole HardwareSetup Type of user Server administrator Storage administrator Software Administrator Permissions or privileges View, create, edit, or remove server profiles and templates, network sets, enclosures, and firmware bundles. Access the physical servers and hypervisor registration. View connections, networks, racks, power, and related activities, logs, and notifications. Add volumes, but cannot add storage pools or storage systems. Cannot manage user accounts. View, add, edit, or remove storage systems. View, add, or remove storage pools. View, create, edit, add, or delete volumes. View, create, edit, or delete volume templates. View, add, or edit SAN managers. View or edit SANs. Creates and modifies Image Streamer artifacts like plan scripts, build plans, and deployment plans. Assigns a golden image for deployment. Performs a capture from a web server. Performs all the actions pertaining to the artifact bundles. Can perform activities like appliance restart, shutdown, update firmware, backup, restore, and activate standby. A credential-less login for data center technicians that allows them to verify cabling of Hewlett Packard Enterprise Synergy hardware and fix alerts related to first time setup of hardware Action privileges for user roles The following table lists the user action privileges associated with each user role. The Use privilege is a special case that allows you to associate objects to objects that you own but you are not allowed to change. For example, in a logical interconnect group, a user assigned the role of Server administrator is not allowed to define logical interconnect groups, but can use them when adding a frame. Table 11 Action privileges for user roles Category Action privileges for user roles (C=Create, =ead, U=Update, D=Delete, Use) Infrastructure administrator Server administrator Network administrator Backup administrator Storage administrator ead only Hardware setup Software administrator activities CUD CU CU CU CU CU alerts UD UD UD UD UD UD appliance CUD artifactbundles CUD CUD CUD audit logs C backups CUD CD 22.5 Action privileges for user roles 237

238 Table 11 Action privileges for user roles (continued) Category Action privileges for user roles (C=Create, =ead, U=Update, D=Delete, Use) Infrastructure administrator Server administrator Network administrator Backup administrator Storage administrator ead only Hardware setup Software administrator community string U CU connections CUD C connection templates CUD, Use, Use CUD console users CUD data centers CUD CUD CUD debug logs CUD CU CU CU deployedtargets CUD CUD deploymentclusters CUD deploymentgroups CUD deploymentmanagers CUD device bays CUD CUD CUD domains CUD CU enclosures CUD CUD CUD enclosure groups CUD, Use CUD, Use Ethernet networks CUD CUD events CU CU CU C CU fabrics CUD CUD FC aliases CUD CUD FC device managers CUD CUD FC endpoints FC networks CUD CUD FCOE networks CUD, Use CUD, Use FC ports FC providers FC SANs CUD CUD 238 Managing users and authentication

239 Table 11 Action privileges for user roles (continued) Category Action privileges for user roles (C=Create, =ead, U=Update, D=Delete, Use) Infrastructure administrator Server administrator Network administrator Backup administrator Storage administrator ead only Hardware setup Software administrator FC SAN services CUD CUD FC switches FC tasks FC zones CUD CUD firmware drivers CUD CUD CUD global settings CUD CUD CUD CUD CUD CUD goldenimages CUD CUD goldenvolumes CUD CUD grouptorole mappings CUD i3smaintenanceservices CUD i3s-volumeservices CUD CUD CUD ID range vmacs (MAC addresses) CUD CU ID range vsns (serial numbers) CUD CU ID range vwwns (World Wide Names) CUD CU integrated tools CUD interconnects CUD C CUD CUD, Use interconnect types, Use CUD CUD labels CUD CUD CUD CUD CUD licenses CUD C logical downlinks logical interconnects CU, Use, Use U, Use 22.5 Action privileges for user roles 239

240 Table 11 Action privileges for user roles (continued) Category Action privileges for user roles (C=Create, =ead, U=Update, D=Delete, Use) Infrastructure administrator Server administrator Network administrator Backup administrator Storage administrator ead only Hardware setup Software administrator logical interconnects groups CUD, Use, Use CUD, Use login domains CUD login sessions CUD U U U U U managed SANs CUD, Use, Use CUD, Use migratable VC domains CUD, Use networks CUD, Use, Use CUD, Use network sets CUD, Use CUD 1 CUD notifications CUD CD CD oe-buildplans CUD CUD oedeploymentplans CUD CUD organizations CUD osdeploymentplans CUD CUD os-volumes CUD CUD plan-scripts CUD CUD ports U, Use U, Use power devices CUD CUD CUD racks CUD CUD CUD reports restores CUD roles CUD SANS CUD, Use CUD, Use SAN manager CUD, Use CUD, Use server hardware CUD, Use CUD, Use CUD, Use 240 Managing users and authentication

241 Table 11 Action privileges for user roles (continued) Category Action privileges for user roles (C=Create, =ead, U=Update, D=Delete, Use) Infrastructure administrator Server administrator Network administrator Backup administrator Storage administrator ead only Hardware setup Software administrator server hardware types CUD, Use CUD, Use CUD, Use server profiles CUD CUD statelessservers CUD CUD storage pools CD CUD storage systems CUD CUD storage target ports CUD CUD storage volumes CUD CUD CUD storage volume attachments CUD CUD CUD storage volumes templates CUD CUD switches CUD, Use U CUD tasks trap forwarding U unmanaged devices CUD CUD CUD uplink sets CUD CUD users CUD user preferences CUD 1 Server administrators cannot edit bandwidths About authentication settings Security is maintained through user authentication and role-based authorization. User accounts can be local, where the user credentials are stored on the appliance, or they can be in a directory (Microsoft Active Directory, for example) hosted elsewhere, where the appliance contacts the designated directory server to verify the user credentials. When logging in to the appliance, each user is authenticated by the authentication directory service, which confirms the user name and password. Use the Authentication settings panel to configure authentication settings on the appliance, which is populated with default values during first-time setup of the appliance About authentication settings 241

242 To view or make changes to Authentication settings, log in with Infrastructure administrator privileges. No other users are permitted to change or view these settings. View and access the Authentication settings by using the UI and selecting Settings Security Authentication or with the EST APIs About directory service authentication You can use an external authentication directory service (also called an enterprise directory or authentication login domain) to provide a single sign-on for groups of users instead of maintaining individual local login accounts. Each user in a group is assigned the same role (for example, Infrastructure administrator). An example of an authentication directory service is a corporate directory that uses LDAP (Lightweight Directory Access Protocol). After the directory service is configured, any user in the group can log in to the appliance. On the login window, a user: Enters their user name (typically, the Common-Name attribute, CN). The format for the user name depends on the Directory type. Enters their password. Selects the authentication directory service. In the Session control, ( ) the user is identified by their name preceded by the authentication directory service. For example: CorpDir\pat IMPOTANT: Unlike local users, if a user is deleted from an authentication directory, their active sessions remain active until that user logs out. If there is a change in the group-to-role assignment (including a deletion) for an authentication directory group while a user from that group is logged in, their current active session is not affected until they log out. Local users sessions are ended when such modifications are made. Authenticating users When you add an authentication directory service to the appliance, you provide location criteria so that the appliance can find the group. Adding a directory server If you replicate the authentication directory service for high availability or disaster tolerance, add the replicated directory service as a separate directory service. After configuring and adding a directory server, you can designate it as the default directory service. After you add an authentication directory service and server You can: Add a group, which had already been defined in the directory service, so that all its members can login on the appliance. Allow local logins only, which is the default. Allow both local logins and logins for user accounts authenticated by the directory service. Disable local logins so that only users whose accounts are authenticated by the directory service can log in. Local accounts are prevented from logging in. 242 Managing users and authentication

243 Considerations for configuring a Microsoft Active Directory directory service The following maps the Active Directory attribute to the LDAP property: LDAP property cn uid userprincipalname samaccountname Active Directory attribute Common-Name UID User-Principal-Name SAM-Account-Name If the user name does not contain either character (to denote a UPN) or a \ character (to denote a domain\login), then these logins are attempted in this order: 1. The user name is treated as the samaccountname and directory-name gets prepended (directory-name\user-name) 2. The user name is treated as a UID. 3. The user name is treated as a CN. If a user object is created in the Active Directory Users and Computers Microsoft Management Console, the names default as follows. Specify the following components of the user s name, displayed here with the corresponding attribute: User name component First Name Intials Last Name Attribute givenname initial sn The field labeled Full Name defaults to this format and this string is assigned to the cn attribute (Common Name). givenname.initials.givenname.initial.sn In the New Object user dialog box, you are also required to specify a User logon name. This, in combination with the DNS domain name, becomes the userprincipalname. The userprincipalname is an alternative name that the user can use for logging in. It is in the form: LogonName@DNSDomain For example: JoeUser@exampledomain.example.com Finally, as you enter the User logon name, the first twenty characters are automatically filled in in the pre-windows 2000 logon name field, which becomes the samaccountname attribute. CN-logins for built-in Active Directory user accounts, like Administrator, are not accepted. Other login formats are acceptable if their respective attributes (samaccountname, userprincipalname, and UID) are set properly Managing user passwords A user with Infrastructure administrator privileges can manage the passwords of all local users on the appliance using the UI or the EST APIs. Users without Infrastructure administrator privileges can manage only their own passwords Managing user passwords 243

244 As Infrastructure administrator, you can view all users logged in to the appliance with the Users and Groups screen or EST APIs. Select any user, and then edit their password or assigned role. All other local users can edit their own passwords by using the UI or the EST APIs. In the UI, click the Session icon in the top banner, and then click the Edit icon to change their current password or contact information eset the administrator password If you lose or forget the administrator password, use the following operation to reset it. The operation allows you to set a single-use password for the local administrator account. NOTE: This operation resets the password for a local administrator account on the appliance. It does not apply to administrator accounts authenticated by a directory service. In an appliance cluster, this operation resets the password for the administrator account on both appliances. You will need to access the Maintenance console from the appliance console, access a unique request code, and telephone your authorized support representative, who will send an authorization code after verifying your information. Prerequisites You have access to the appliance console. esetting the administrator password with the Maintenance console 1. Access the appliance console. 2. Access the Maintenance console main menu. 3. Select eset password. The Maintenance console displays a request code. IMPOTANT: The request code is valid only while you are on the Password reset screen of the Maintenance console. If you return to the main menu or end the Maintenance console session, the request code will be invalid. You will need to start this procedure over again to acquire a new request code. 4. Telephone your authorized support representative and provide that person with the following information: The name of the person requesting the password to be reset. The name of the company that owns the appliance. The request code from the Maintenance console. The authorized support representative verifies the information and then sends a message to the authorized address on file. This message contains the authorization code, also known as a response code. An ISO image, which is also the authorization code, is attached to the message. For information on how to contact Hewlett Packard Enterprise, see Accessing Hewlett Packard Enterprise Support (page 405). 5. Do one of the following to enter the authorization code in the response field. IMPOTANT: invalid. You must enter the authorization code within one hour or it becomes 244 Managing users and authentication

245 If you are able to paste information into the Maintenance console, copy the authorization code from the message and paste it into the response field of the Maintenance console. ead the authorization code from the ISO image: 1. Save the ISO image attached to the message. 2. Mount the ISO image as a virtual media mount (a virtual CD-OM). 3. Select ead from ISO in the Maintenance console. 4. The Maintenance console reads the ISO image and, after a moment, automatically fills in the response field with the authorization code. Type the authorization code into the response field. 6. Determine a single-use administrator password. 7. When prompted, enter and reenter the new password. 8. Select OK to set the single-use password. 9. Log into the UI with this account, using the single-use password. 10. Set a new password for this account in the screen provided. 11. Verify by logging out, then logging into this account with the new password. See also Accessing Hewlett Packard Enterprise Support (page 405). [Conditionalized for FusionGuide and FusionHelp] About the Maintenance console (page 441) Learning more Controlling access for authorized users (page 67) Learning more 245

246 246

247 23 Backing up an appliance This chapter describes how to use the UI, EST APIs, or a custom-written PowerShell script to save your appliance resource configuration settings and management data to a backup file. UI screens and EST API resources UI screen Settings Actions EST API resource backups 23.1 oles Users with Infrastructure administrator and Backup administrator privileges can create and download backup files, however, only the Infrastructure administrator can restore an appliance from a backup file. The Backup administrator has the authority to use scripts to log in to the appliance and run scripts to back up the appliance. This role is specifically intended for scripted backup creation and download. Hewlett Packard Enterprise recommends that users with this role should not initiate interactive login sessions through the HPE OneView user interface About backing up the Synergy Composer HPE OneView provides the ability to save your configuration settings and management data to a backup file and enables you to use that backup to restore a corrupted appliance in the event of a catastrophic failure. The backup process involves creating a backup file and then downloading that file so that you can store it to a safe and secure (off-appliance) location for future use. You can schedule automatic backup operations and designate a remote location for the backup file. For advice on creating and archiving a backup file, see Best practices for backing up a Synergy Composer (page 249). For the procedure on creating a backup file from the UI, see Back up a Synergy Composer manually (page 249). To configure automatic backups stored remotely, see Configure automatic remote backups (page 251). IMPOTANT: In the unlikely event you need to restore the appliance, Hewlett Packard Enterprise recommends backing up your appliance configuration on a regular basis, preferably daily and especially: After adding hardware After changing the appliance configuration Before and after updating the appliance firmware After performing a factory reset of the frame To prevent a backup file from being overwritten or deleted, download it and save it to an off-appliance location before running the next backup process. The appliance stores one backup file or one support dump file on the appliance at a time. Creating a backup file replaces the current backup file or support dump file. Likewise, creating a support dump file replaces the previous support dump or the backup file. If you start a backup while a support dump is in progress, the backup operation does not proceed until the support dump operation completes. If you (as the Infrastructure administrator) start a support dump while a backup operation is in progress, you have the option of cancelling the backup and proceeding with the support dump oles 247

248 HPE OneView provides a Backup administrator user role specifically for backing up the appliance by permitting access to other resource views without permitting actions on those resources, or other tasks. Only the Infrastructure administrator or the Backup administrator can create a backup file, either through the UI or EST APIs. What the backup process backs up HPE OneView database System files: Non-database data Audit log License files What the backup process does not back up Non-data files: Static files that are installed as part of the execution environment, and are not specific to the appliance or managed environment configuration Log files (except the Audit log file) Appliance network configuration First-time setup configuration files Firmware bundles Any server settings, such as the following, that HPE OneView has not set: Boot and BIOS configuration settings. SAN and Local storage configurations Network configurations Settings such as these are neither validated by nor persisted by HPE OneView Use a backup file to do the following: estore the appliance from which the backup file was created. estore the settings to a different appliance. For example, if an appliance fails and cannot be repaired, you can use a backup file to restore the management configuration settings and management data to a replacement appliance created from the same version of the machine image. EST APIs let you: Schedule a backup process from outside the appliance. Collect backup files according to your site policies. Integrate with enterprise backup and restore products. Considerations for a clustered appliance In a clustered appliance, the backup covers both cluster members. In an appliance cluster, you can perform the following: Create a backup file from an appliance cluster and use it to restore an appliance cluster. Create a backup file from a standalone appliance and use it to restore an appliance cluster. Create a backup file from an appliance cluster and use it to restore a standalone appliance. However, both the backup appliance and the restored appliance must be the same model and their versions must be compatible. 248 Backing up an appliance

249 23.3 Best practices for backing up a Synergy Composer Method Creating Frequency Description Always use the HPE OneView backup feature to back up your appliance. Hewlett Packard Enterprise recommends backing up your appliance configuration with the automatic remote backup feature regularly, preferably daily. Hewlett Packard Enterprise also recommends backing up your appliance manually: After adding hardware After changing the appliance configuration Before and after updating the appliance firmware You should always have a backup file with the same firmware version as the appliance. Otherwise, a restore operation will fail. Before and after importing an enclosure After performing a factory reset of the frame You can back up the appliance while it is in use and while normal activity is taking place. You do not need to wait for tasks to stop before creating a backup file. Archiving The backup file format is proprietary. Hewlett Packard Enterprise recommends that you: 1. Create and download the backup file. 2. Store the backup file in a safe, off-appliance location to protect your sensitive data. Hewlett Packard Enterprise provides EST APIs for integration with enterprise backup products Determining your backup policy A backup file is an snapshot of the appliance configuration and management data at the time the backup file was created. Hewlett Packard Enterprise recommends that you create regular backups, preferably once a day and after you make hardware or software configuration changes in the managed environment. As an alternative to using Settings Backup Actions Create backup from the appliance UI, you can write and run a script to automatically create and download an appliance backup file. You can schedule the backup script to run automatically in interactive or batch mode on a regular basis. Only a user with Backup administrator or Infrastructure administrator privileges can run the script interactively. Hewlett Packard Enterprise provides and recommends a remote backup facility for storing backup files. After an initial configuration, backups are taken automatically on the specified day and time and sent to a user s folder on an SSH or SFTP server Back up a Synergy Composer manually A backup file saves the configuration settings and management data for your appliance. You can recover from a catastrophic failure by restoring your appliance from the backup file. For more information, see About backing up the Synergy Composer (page 247). NOTE: To reduce the size of the backup file and the time it takes to create it, the firmware bundles you have uploaded to the appliance are not included in the backup file. Prerequisites Minimum required privileges: Infrastructure administrator, Software administrator, or Backup administrator You have completed all the best practices for backing up an appliance Best practices for backing up a Synergy Composer 249

250 Backing up a Synergy Composer manually 1. From the main menu, select Settings and do one of the following: Click Create backup in the Backup panel. Click Backup on the Settings screen, and then select Actions Create backup. While the backup file is being created, a progress bar appears in the Overview pane. Wait for the backup file creation to complete. 2. Optionally, click the Create backup notification banner for more information and the name of the backup file, which has the format: appliance-host-name_backup_yyyy-mm-dd_hhmmss.bkp 3. Verify that the backup file was created correctly. The backup file name should reflect the current date and time. 4. After the backup file is created, do one of the following to download the backup file from the appliance: Click Download backup in the Backup panel. Select Actions Download backup. 5. Select the appropriate option in the dialog box to save the backup file for safekeeping: Select Transfer backup to remote backup location to store the backup file in the specified remote backup location. For information on configuring the remote backup location and enabling that feature, see Configure automatic remote backups (page 251). Select Download the backup to my computer to store the backup file on the local computer. Do not store the backup file on the appliance. More information About backing up the appliance Best practices for backing up an appliance Configure automatic remote backups Troubleshooting: Backup file creation or download action fails ecovering an HPE Synergy Composer (page 455) 23.6 Using EST APIs to create and download an appliance backup file After the backup is initiated, a Taskesource UI is created that you use to track the progress of the backup. When the backup is complete, you can use a GET EST API operation to download and change the backup file name. The latest backup is stored on the appliance and is replaced when a new backup is initiated. Prerequisites Minimum required session ID privileges: Backup administrator Creating and downloading an appliance backup file using EST APIs 1. Create the backup file. POST /rest/backups 2. Download the backup file. GET /rest/backups/archive/{backup UI} 250 Backing up an appliance

251 NOTE: After the POST operation is complete, a Taskesource UI and backup UI are returned. You can use the Taskesource UI to monitor the progress of the backup. Use the backup UI to refer to a specific backup when downloading the backup file or performing another operation Creating a custom script to create and download an appliance backup file If you prefer to write a customized script to create and download your appliance backup file, and schedule that script to run on a schedule according to your IT policies, see Sample backup script (page 409) for a sample PowerShell script Configure automatic remote backups Prerequisites Minimum required privileges: Infrastructure administrator, Backup administrator User account on a remote computer and the credentials for that account. Configuring automatic remote backups 1. From the main menu, select Settings. 2. Do one of the following: In the Backup panel, click. Click Backup, and then select Actions Edit backup. 3. Supply the data requested in the Edit Backup screen. NOTE: Some fields are hidden or revealed according to selections. When scheduling an automatic remote backup, enter the Time as two numeric values separated by a colon. 4. Click OK. 5. Verify the success of the configuration by monitoring the progress of the test backup file that is generated and transmitted. More information About backing up the Synergy Composer (page 247) 23.9 Disable automatic remote backups Prerequisites Minimum required privileges: Infrastructure administrator Disabling automatic remote backups 1. From the main menu, select Settings. 2. Do one of the following: In the Backup panel, click. Click Backup, and then select Actions Edit backup. 3. In the Edit Backup screen, select Enable remote backup location to remove the check mark. The remainder of the screen is no longer displayed Creating a custom script to create and download an appliance backup file 251

252 4. Click OK. The scheduling data is retained in case you want to enable automatic remote backups again. More information About backing up the Synergy Composer (page 247) Learning more Basic troubleshooting techniques (page 333) 252 Backing up an appliance

253 24 estoring an appliance from a backup file This chapter describes how to use the UI, EST APIs, or a custom-written PowerShell script to restore a corrupted appliance from a backup file. A restore operation is required only to recover from catastrophic failures, not to fix minor problems that can be resolved in other ways. UI screens and EST API resources UI screen Settings Actions EST API resource restores For more information about restoring an appliance, see the online help for the Settings screen. IMPOTANT: an appliance. Always use the HPE OneView UI and EST API restore operations to restore 24.1 oles Users with Infrastructure administrator or Backup administrator privileges can create and download backup files, however, only an Infrastructure administrator can restore an appliance from a backup file About restoring the Synergy Composer estoring an appliance from a backup file replaces all management data and most configuration settings with the data and settings in the backup file, including user names and passwords, audit logs, but does not include the appliance IP address settings. The appliance is not operational during the restore operation and it can take several hours to perform; the more resources and devices to restore, the longer the restore operation takes. A restore operation cannot be canceled or undone after it has started. The appliance blocks login requests while a restore operation is in progress. IMPOTANT: A restore operation is required to recover from catastrophic failures, not to fix minor problems that can be resolved in other ways. Therefore, after the restore operation is complete, you can restore an appliance from a backup file that was created on the same appliance or, if an appliance fails and cannot be repaired, from 24.1 oles 253

254 a backup file from a different appliance. In this case, the backup file must have been created from an appliance running the same version of HPE OneView. Actions during the restore operation Validates the resource inventory ediscovers enclosures to validate contents Clears virtual IDs Description During a restore operation, the appliance firmware validates the resource inventory (enclosures, servers, interconnects) and reconciles the data in the backup file with the current state of the managed environment. The state of the managed environment is likely to be different from the state of that environment at the time the backup file was created. After the restore operation, the appliance uses alerts to report any discrepancies that it cannot resolve automatically. During the restore operation, the appliance rediscovers each enclosure to validate its contents especially to ensure that the appliance can still claim them and that the given instance of HPE OneView is the manager of the enclosure. The appliance clears virtual IDs for server hardware that does not have a profile assigned but does have virtual IDs configured. These servers most likely had a profile assigned after the last backup was made. See also Post-restoration tasks (page 258). You can use the UI to upload a backup file and restore the appliance from it. You can also use EST APIs for this purpose. Considerations for a clustered appliance In general, during the restore operation: The active appliance is restored from the backup file. The standby appliance joins the active appliance, forming the clustered appliance. The standby appliance has its data synchronized with the restored active appliance. IMPOTANT: These network settings are not restored: The host name of the clustered appliance The IP address of the clustered appliance The gateway IP The subnet mask The IP address of the DNS server NOTE: The HPE Synergy Composer and HPE Synergy Frame Link Module are paired with credentials and a claimed management IP address. The Synergy Composer needs the credentials to access and manage the frame link module. The synchronization happens during the initial discovery of hardware when both the Synergy Composer and frame link module are in the factory fresh state. A Synergy Composer can only recover the credentials by restoring a backup. eplacing a Synergy Composer when highly available does not require any remediation steps except to replace the failed clustered appliance. 254 estoring an appliance from a backup file

255 24.3 Best practices for restoring a Synergy Composer Topic Before you begin Inform users Use the right backup file Best Practice 1. Note the passwords you use. Maintain a list of the current user accounts on the appliance. The restore operation resets the user names and passwords to those that were in effect when the backup file was created. 2. Create a support dump. Use the support dump to diagnose failures that occurred before the restore operation. 3. Download the existing audit logs, and store them for safekeeping. The restore operation restores the audit logs from the backup file, overwriting the existing logs. 4. Stop all automatically scheduled backups. If HPE OneView is configured for automatic backups, backups resume after the appliance is restored. 5. Make the backup file accessible to the appliance from which you plan to issue the upload request. If you are using an enterprise backup product to archive backup files, follow any steps required by your backup product to prepare for the restore operation. WANING! The local backup file is removed during the restore process. Download the backup file and store it in a safe, off-appliance location for future restorations. 6. If you added hardware to the appliance after the backup file was created, that hardware is not in the appliance database when the restore process completes. Then, if you restore from the backup file, you must add that hardware to the appliance and then repeat any other configuration changes (such as assigning server profiles) that were made between the time the backup file was created and the restore process completed. Make sure that all users logged in to the appliance log out. Users who are logged in when the restore operation begins are automatically logged out, losing whatever work was in progress. All users are blocked from logging in during the restore operation. Use the latest backup file to restore the appliance. The backup file will not include any changes made after the backup file was created. Make sure the appliance IP addresses are the ones you want the appliance to use after the restore operation. Appliance IP addresses are not restored from the backup file. Ensure that the appliance being restored and the appliance on which the backup file was created have the same firmware version; otherwise, the restore operation fails. The platform type, hardware model, and the major and minor numbers of the appliance firmware must match to restore a backup. The format of the appliance firmware version is as follows: majornumber.minornumber.revisionnumber-buildnumber The revision and build numbers do not need to match. If the backup file is incompatible with the firmware on the appliance, the upload returns an error and the restore operation stops. You will need to update the firmware or select a different backup file. If it is necessary to restore a backup to a new appliance and the old appliance is still functioning (the hardware has not failed), remove the old appliance. Deleting the appliance ensures that it no longer manages the devices it was managing when the backup file was created. Serious errors can occur if multiple appliances attempt to manage the same devices. If the backup file was created on an appliance that is different from the one you are restoring, reconfigure the original appliance so that it no longer manages the devices it was managing when the backup file was created. Serious errors can occur if multiple appliances attempt to manage the same devices Best practices for restoring a Synergy Composer 255

256 24.4 estore a Synergy Composer from a backup file estoring an appliance from a backup file replaces all management data and most configuration settings on the appliance. You are directed to re-enter unresolved data, if applicable. For more information, see About restoring the Synergy Composer (page 253). Prerequisites Minimum required privileges: Infrastructure administrator or Software administrator. You have completed all the best practices for restoring an appliance. IMPOTANT: If you are using a backup file created on another appliance to restore a new or replacement appliance: 1. Install HPE OneView on the new or replacement appliance. For instructions, see the HPE OneView Installation Guide. 2. Configure the new appliance with the same network settings as the appliance on which the backup file was created. Thus, you can use the network to upload the backup file to the new appliance. For more information on the network configuration settings, see the online help for the add or edit appliance screen details. If the network configuration for the new appliance does not exactly match the network configuration in the backup file, the network configuration will not match the information in the network certificates in the backup file. As a result, the browser loses connection with the appliance and the appliance cannot be restored. 3. When the new appliance network is configured, continue the restore operation described in the following procedure. estoring a Synergy Composer from a backup file Follow the procedure for the scenario that applies to your environment and practices: Scenario: Select a backup file and start the restoration immediately Scenario: Select a backup file and start the restoration later Scenario: Select a backup file and start the restoration immediately 1. From the main menu, select Settings, and then select Backup. 2. Select Actions estore from backup. A dialog box opens. 3. ead the on-screen notification, then select Select a backup file. 4. Do one of the following: Drag the backup file and drop it into the indicated text box. Click Browse, and then select the backup file to upload. NOTE: Not all browsers and browser versions offer the ability to drag and drop files onto applications. 5. Click Upload and restore. Wait until the restore process is complete. A status page indicates progress. When the restore process completes, you are returned to the login page where you can log in to the restored appliance. 256 estoring an appliance from a backup file

257 6. Upload the firmware bundles used by your server profiles, enclosures, and logical interconnects. These were not saved as part of the backup file. efer to each profile's Firmware baseline setting to determine the file name for the required baseline. If you used HPE OneView to create a custom SPP, use the CMDLET estore-hpovcustombaseline to re-create the custom SPP after the base SPP and the hotfixes are uploaded to the repository. For more information, see HewlettPackard/POSH-HPOneView/wiki/estore-HPOVCustomBaseline. 7. Verify that the restore operation was successful by logging in to the appliance and successfully resolving any discrepancies that the restore operation cannot resolve automatically. See Post-restoration tasks (page 258). Scenario: Select a backup file and start the restoration later 1. From the main menu, select Settings, and then select Backup. 2. Select Actions estore from backup. A dialog box opens. 3. ead the on-screen notification, then select Select a backup file. 4. Do one of the following: Drag the backup file and drop it into the indicated text box. Click Browse, and then select the backup file to upload. NOTE: Not all browsers and browser versions offer the ability to drag and drop files onto applications. 5. Click Upload only. Wait until the file upload is complete. A progress bar appears. The file name, creation date, and version are displayed when the file upload is complete. 6. When you are ready to restore the appliance from the backup file, return to the dialog box and verify that the backup file is correct and uploaded. 7. Select estore from a backup file. 8. Click estore. Wait until the restore process is complete. A status page indicates progress. When the restore process completes, you are returned to the login page where you can log in to the restored appliance. 9. Upload the firmware bundles used by your server profiles, enclosures, and logical interconnects. These were not saved as part of the backup file. efer to each profile's Firmware baseline setting to determine the file name for the required baseline. You do not need to upload the default baseline, Service Pack for ProLiant - Base Firmware, which is included in the appliance image. If you used HPE OneView to create a custom SPP, use the CMDLET estore-hpovcustombaseline to re-create the custom SPP after the base SPP and the hotfixes are uploaded to the repository. For more information, see HewlettPackard/POSH-HPOneView/wiki/estore-HPOVCustomBaseline. 10. Verify the restore operation was successful by logging in to the appliance and successfully resolve any discrepancies that the restore operation cannot resolve automatically. See Post-restoration tasks (page 258) estore a Synergy Composer from a backup file 257

258 24.5 Using EST APIs to restore an appliance from a backup file Prerequisites Minimum required session ID privileges: Infrastructure administrator You have uploaded a backup file to the appliance. estoring the appliance from a backup file using EST APIs 1. Initiate the restore process. POST /rest/restores The {restore UI} is returned. 2. List the status of the restore process. GET /rest/restores 24.6 Creating a custom script to restore an appliance If you prefer to write a script to restore an appliance from a backup file, see Sample restore script (page 420) for a sample PowerShell script that you can customize for your environment Post-restoration tasks During a restore operation, the appliance reconciles the data in the backup file with the current state of the managed environment. There are some discrepancies that a restore operation cannot resolve automatically; for example, if servers were added after the backup file was created. The network configuration on these servers is unknown to the appliance after a restore and could result in duplicate MAC addresses and World Wide Names (WWNs), as a result. After a restore operation completes, you must manually resolve any remaining alerts and add these servers back into the appliance to eliminate the risk of duplicate IDs. You must also perform manual cleanup of hardware (servers, interconnects, and enclosures) if server profiles are forcibly unassigned or the hardware is forcibly removed without first being unconfigured. Preventing duplicate IDs on the network after a restore 1. After a restore operation is complete, re-add any enclosure or server hardware added since the selected backup. 2. For any server profile alerts about the profile not matching the server hardware: a. Identify all server profiles with a mismatch-type of error message. Make a list of these server profiles and the assigned server hardware. b. Power off the server, and then unassign all of the server profiles individually. From the Server Profiles screen, select Actions Edit, and then select Unassign from the server hardware drop down selector. Click OK. c. Select Actions Edit again, and then reassign all of the documented profiles to the documented server hardware. 3. For any alerts about ID ranges, the Network administrator should examine the address and identifier ranges and edit them, if needed. 4. e-create any profiles for the servers in any enclosures that were added in step estoring an appliance from a backup file

259 25 Managing the appliance 25.1 Updating the appliance You manage appliance updates from the Settings screen or by using the EST APIs. UI screens and EST API resources UI screen Settings EST API resource appliance/firmware oles Tasks Minimum required privileges: Infrastructure administrator Updating the appliance requires a single user accessing the appliance and causes the appliance to restart. This does not disrupt the operation of the devices under management, but does result in an outage of the appliance. The appliance online help provides information about using the UI or the EST APIs to: Determine if a newer appliance update is available. (Minimum required privileges: ead only, Network administrator, or Infrastructure administrator) Update the appliance. (Minimum required privileges: Infrastructure administrator) About appliance updates The appliance runs a combination of software and firmware. Maintaining up-to-date appliance software and firmware fixes problems, improves performance, and adds new features to the appliance. The appliance does not automatically notify you when an update is available, you must determine if an appliance update file has been released. To view the installed version of appliance firmware, use the Settings Appliance view. Then, verify if a newer version of an appliance update file is available to download from the website. Before you update the appliance, examine the HPE OneView elease Notes to learn about supported upgrade paths, new features delivered in the update, best practices, limitations, troubleshooting hints and tips, and whether you must restart the appliance after it is updated. NOTE: When you download the appliance update file, a link to the update HPE OneView elease Notes appears in the download dialog box. Hewlett Packard Enterprise recommends clicking that link to read and then save and print the information for future reference. Once the download starts, you cannot access that link again. You manage appliance updates from the Settings Appliance Actions Update appliance menu or by using the EST APIs. An appliance update is installed from a single file during the update process. You can either download the file directly to the appliance or to another computer and then transfer the file to the appliance. When you install an appliance update, the appliance restarts and goes offline. When the appliance is offline, it does not affect the managed resources they continue to operate while the appliance is offline. Considerations for a clustered appliance 25.1 Updating the appliance 259

260 If an appliance update fails, the appliance reverts to its initial software version. When a high availability cluster is updated, both appliances (first the active appliance and then the standby appliance) are updated to the new software version. If the active appliance cannot be updated, it (and the standby appliance) reverts to the software version before the update. If the update succeeds for the active appliance but not for the standby appliance, the high availability appliance cluster is lost. eimage the standby appliance so that its version matches the active appliance. Then, bringing it up causes it to join the active appliance and form the appliance cluster. Appliance services are available while the standby appliance is updated. However, the appliance cluster is not restored until the update of the standby appliance is complete Learning more For more information about obtaining software updates, see Support and other resources (page 405) Administering a high-availability appliance cluster Determining the active and standby appliances of a Synergy frame 1. From the main menu, select Settings Appliance. 2. Locate the Appliance panel. If an appliance cluster is formed, they are identified. The active appliance and standby appliance are each identified by frame and bay number within the frame. More information About high availability About the high availability appliance cluster HPE OneView achieves high availability through an appliance cluster that comprises two appliances. The appliances are defined by their role: ole active standby unused Function Currently hosts the services for the appliance cluster. eady to become the active appliance in case the active appliance becomes unavailable. The standby appliance becomes active when: The active appliance is physically removed or loses power. The connection between the cluster members is broken or interrupted. The active appliance experiences repeated software faults, causing it to reboot itself. eady to become a standby appliance if it has a compatible firmware version and the previous standby appliance is no longer configured for standby or was removed from the enclosure. The standby appliance monitors the active appliance and assumes control when contact is lost. 260 Managing the appliance

261 Consider two cluster members A and B: The standby appliance (B) detects that it can no longer communicate with the active appliance (A). Cluster member B causes A to reboot. Cluster member B assumes control of operations as the active appliance. Cluster member A becomes the standby appliance. The appliance cluster becomes highly available again Activate the standby appliance Use this procedure to activate the standby appliance from the UI in order to force the standby appliance to exchange roles with the active appliance. NOTE: The appliance is unavailable during the role exchange and unable to respond to requests while services are reassigned. HPE OneView services will be stopped on the active appliance and restarted on the standby appliance. Operations in progress might fail and need to be restarted. Prerequisites Minimum required privileges: Infrastructure administrator or Software administrator. The standby appliance must be accessible to and fully synchronized with the active appliance. Activating the standby appliance 1. From the main menu, select Settings and click Appliance on the Settings screen. 2. Select Actions Activate standby 3. Verify that the standby appliance is activated either by examining the screen or by using the View details command of Maintenance console. For more information, see View the appliance details in the HPE OneView User Guide for HPE Synergy. See also About the high availability appliance cluster (page 260) emove a Synergy Composer from the appliance cluster Use this procedure to remove a reachable appliance from the appliance cluster in HPE OneView. You will need to remove the appliance from the cluster before removing the HPE Synergy Composer from the enclosure for service or replacement. Only a standby appliance can be removed from the appliance cluster. To remove the active appliance from the cluster, you must activate the standby appliance so that both appliances swap roles. When the standby appliance is removed from the cluster and if there is an unused appliance that is powered on and available, that unused appliance assumes the role of the standby appliance if: The unused appliance is powered on. The unused appliance is same model as the active appliance. The unused appliance runs the same version of HPE OneView as the active appliance. Otherwise, the active appliance becomes a standalone appliance Administering a high-availability appliance cluster 261

262 IMPOTANT: emoving an appliance from cluster resets that appliance to its original factory settings and then powers it off. That appliance cannot join the cluster until it is powered on. Prerequisites Minimum required privileges: Infrastructure administrator. emoving a Synergy Composer from the appliance cluster 1. From the main menu, select Settings and click Appliance on the Settings screen. 2. Use the information on the Appliance panel to determine if the appliance you want to remove is the active appliance or the standby appliance. 3. To remove the active appliance, activate the standby appliance. At the end of the operation, the appliances have swapped roles so the previous active appliance is now the standby appliance and the previous standby appliance is the current active appliance. 4. Select Actions emove standby. 5. Select Yes, remove standby. 6. Verify that the standby appliance is removed from the cluster either by examining the screen or by using the View details command of Maintenance console. For more information, see View the appliance details in the HPE OneView User Guide for HPE Synergy. See also About the high availability appliance cluster (page 260) Activate the standby appliance (page 261) For information on physically removing an HPE Synergy Composer from the frame, see HPE Synergy Appliance Maintenance and Service Guide Managing appliance availability In the event of an appliance shutdown, your managed resources continue to operate. For more information about how the appliance handles an unexpected shutdown, and what you can do to recover, see: How the appliance handles an unexpected shutdown (page 264) What to do when an appliance restarts (page 264) The appliance online help provides information about using the UI or the EST APIs to shut down or restart the appliance. UI screens and EST API resources UI screen Settings EST API resource appliance/shutdown oles Tasks Minimum required privileges: Infrastructure administrator The appliance online help provides information about using the UI or the EST APIs to: Shut down the appliance (Minimum required privileges: Infrastructure administrator) estart the appliance. (Minimum required privileges: Infrastructure administrator) 262 Managing the appliance

263 Shut down the Synergy Composer from the UI Use this procedure to perform a graceful shutdown of the appliance from the UI. NOTE: For a clustered appliance, this action shuts down both the standby appliance and the active appliance, in that order. However, if the standby appliance is not connected, then this action powers off the active appliance. The only way to restart it is to power it back on. If the active appliance is restarted but the standby appliance is still not connected, you will need to activate it from the Maintenance console. For more information, see About the Maintenance console in the HPE OneView User Guide for HPE Synergy. Prerequisites Minimum required privileges: Infrastructure administrator, Software administrator. Ensure that all tasks have been completed or stopped, and that all other users are logged off. Shutting down the Synergy Composer from the UI 1. From the main menu, select Settings and then click Appliance. 2. Select Actions Shut down. A dialog box opens to inform you that all users will be logged out and ongoing tasks will be canceled. 3. Select Yes, shut down in the dialog box. 4. Verify by observing the shutdown estart the Synergy Composer from the UI Use this procedure to perform a graceful shutdown and restart of the appliance from the UI. You are returned to the login screen. NOTE: For a clustered appliance: Both the active appliance and the standby appliance are restarted. The appliance that completes the restart operation first becomes the active appliance. The other appliance becomes the standby appliance when they form the appliance cluster. Prerequisites Minimum required privileges: Infrastructure administrator, Software administrator. Ensure that all tasks have been completed or stopped, and that all other users are logged off. Otherwise, restarting the appliance disconnects users and interrupts running tasks. estarting the Synergy Composer from the UI 1. From the main menu, select Settings and then click Appliance. 2. Select Actions estart. A dialog box opens to inform you that users will be logged out and running tasks will be interrupted. 3. Select Yes, restart in the dialog box. 4. Verify by logging in when the login screen reappears. IMPOTANT: If the standby appliance is not connected, activate it after it restarts by using the Maintenance console. For more information, see About the Maintenance console in the HPE OneView User Guide for HPE Synergy Managing appliance availability 263

264 How the appliance handles an unexpected shutdown The appliance has features, such as automatic backup and high availability, to enable it to automatically recover from an unexpected shutdown, and managed resources continue to operate while the appliance is offline. However, Hewlett Packard Enterprise recommends that you use the appliance high-availability and backup features to ensure that the appliance is backed up daily, and when you make significant configuration changes, such as adding or deleting a network. Appliance recovery operations When the appliance restarts, it performs the following operations: Detects tasks that were in progress and resumes those tasks, if it is safe to do so. If the appliance cannot complete a task, it notifies you that the task has been interrupted or is in some other error state. Attempts to detect differences between the current environment and the environment at the time the appliance shut down, and then refreshes its database with the detected changes. If you determine that the appliance data does not match the current environment, you can request that the appliance refresh the data for certain resources, such as enclosures. Appliance recovery during a firmware update of a managed resource If the appliance shuts down during a firmware update of a managed resource, when the appliance restarts, it detects the failed update and marks the firmware update tasks as being in an error state. To update the firmware for this resource, you must re-initiate the firmware update task. What to do when an appliance restarts The online help provides information about using the user interface or the EST APIs to: Check for critical alerts or failed tasks and follow the provided resolution instructions Manually refresh a resource if the resource information displayed appears to be incorrect or inconsistent Create a support dump (recommended for unexpected crashes to help support personnel to troubleshoot a problem) Update firmware for a resource, if a firmware update task was in progress when the appliance shut down Managing settings On the Settings screen, appliance information is divided into panels where, at a glance, you see the current status of such categories as Scopes and Proxy settings. UI screens and EST API resources UI screen Settings Scopes Settings Proxy EST API resource /rest/scopes /rest/proxy 264 Managing the appliance

265 oles Tasks equired privileges: Infrastructure administrator The online help provides information on the following tasks: Create, delete, and edit a new scope. Assign a resource to a scope. Configure the appliance HTTPS proxy settings eset the Synergy Composer to the original factory settings A factory reset restores the appliance to the original factory settings. It does not change the installed firmware version. You have the option of preserving or erasing the appliance network settings. A factory reset with preserved network settings is necessary for recovering a Synergy Composer from an unrecoverable error state. This option clears most faults so that you can restore the appliance from a backup file. You might need to reset the appliance either to decommission it (so that you can migrate the hardware) or to return the appliance to a known state for reuse (for example, to restore the appliance from a backup file). CAUTION: This action erases appliance data including logs and managed device settings in HPE OneView. This action does not affect the configuration of managed devices in any way. Therefore, manual clean-up of devices might be required if HPE OneView will no longer manage them. EST API calls and GUI operations are not allowed during the reset action. If the Synergy Composer does not return to a normal state with factory setting, it might be necessary to reimage the appliance Managing settings 265

266 IMPOTANT: In an appliance cluster, the standby appliance must be removed from the cluster before resetting the active appliance. emoving the standby appliance resets it to factory settings and shuts it down. If you intend to restore the HPE Synergy Composer settings from a backup file after it the Composer is reset or reimaged, and that backup file contains the management configuration for the enclosures, you do not need to reset all managed frames to their factory settings. If you intend to re-import and manage the HPE Synergy frames, you must perform these actions: 1. eset the HPE OneView appliance to its factory settings. 2. Then, reset all the frames managed by that HPE Synergy Composer to their factory settings. esetting HPE Synergy frames to factory defaults also removes the networking configuration on the Interconnects in those frames, which disrupts workloads running on compute modules in those frames. If you do not have a backup file for HPE OneView, you will need to perform a factory reset on all the devices in the domain. Prerequisites Minimum required privileges: Infrastructure administrator Ensure that all tasks have been completed or stopped, and that all other users are logged off. esetting the Synergy Composer to the original factory settings 1. If you are decommissioning the appliance and its managed environment, remove all hardware from HPE OneView management, for example: Delete or un-assign all server profiles. Delete all logical enclosures. Delete any storage volumes allocated within HPE OneView. eset managed devices (configured through IP address pools) to default IP addressing. 2. From the main menu, select Settings and then click Appliance. 3. Select Actions Factory eset. 4. Optionally select Preserve appliance network settings to erase the appliance data without losing network connectivity, for example, to rebuild the appliance. 5. Select OK. 6. If you are decommissioning the appliance, ensure that all hardware managed by HPE OneView is removed from management. This action displays a progress bar while it is running. Logins are disabled automatically. When the appliance reset is completed after several minutes, you can log in and set up your appliance as you did for the first time About appliance proxy settings The Proxy panel allows you to set the HTTPS proxy, port number for client connections, and whether authentication requires a username and a password. 266 Managing the appliance

267 About scopes A scope is a grouping of resources that can be used to restrict the range of an operation or action. For example, you can create scopes based on: Organization or department (Marketing, esearch and Development, Finance) Usage (Production, Development, Testing) Skills (Linux, Windows) When scopes are defined and resources assigned to them, you: estrict the resources displayed in the user interface (UI) to those assigned to the scope. Can configure filtered notifications for alerts based on previously-defined scopes. Scope-enabled resource categories (page 267) lists the categories of resources that can be added to a scope. There are categories of resources that cannot be added to a scope. More information About notification of alerts Scope-enabled resource categories Only the following resource types can be added to or removed from a scope: Enclosures Server Hardware Networks (Ethernet, FC, and FCoE) Network Sets Interconnects, excluding SAS resources Logical Interconnects, excluding SAS resources Logical Interconnect Groups, excluding SAS resources IMPOTANT: For notification of alerts, resources that are not categorized here are included in any scope. An notification filter that specifies one or more scopes does not eliminate alerts generated by resources that are not currently categorized here are sent. Inhibiting alerts from non-scope resources requires the use of associated resource categories, which is described in Edit an recipient and filter entry in the online help Managing addresses and ID pools A default set of virtual ID pools for MAC addresses, WWNs, and serial numbers are provided at startup. If you need additional addresses or identifiers, you can add autogenerated or custom ranges of ID pools. You manage the ID pools from the UI Settings screen or by using the EST APIs. UI screens and EST API resources UI screen Settings EST API resource id-pools 25.5 Managing addresses and ID pools 267

268 oles Minimum required privileges: Infrastructure administrator Tasks for addresses and identifiers The appliance online help provides information about using the UI or the EST APIs to: View a list of active ID pools and their properties. Add an IPv4 subnet and address range. Add an autogenerated ID pool for MAC addresses, WWNs, or serial numbers. Add a custom ID pool range for MAC addresses, WWNs, or serial numbers About ID pools An ID pool is a collection of one or more ranges that you can be randomly generate or specify to provide large address spaces. By default, one virtual ID pool each of contiguous MAC addresses, WWNs, and serial numbers are created automatically when you initialize the appliance. The pools are composed of address and ID ranges. You can individually enable or disable a range, or delete any unused ranges. ID pool ranges do not conflict with physical IDs, provided the virtual ranges you create exclude the physical ID ranges. Use an IPv4 address pool in a variety of applications: Create an IPv4 subnet with one or more IPv4 address ranges you define. To assign static IP addresses to device bays, associate these IP ranges with an enclosure group, in which case IP addresses are assigned to the ilos of server hardware populating these bays. IP ranges are also associated with interconnect bays, in which case IP addresses are assigned to the interconnect modules. Associate an IPv4 subnet with an Ethernet network. If this is an iscsi network used as a deployment network, then Image Streamer appliances can consume an IP address from one of the ranges for management of the appliance. For Image Streamer, assign IPv4 addresses as deployment addresses (iscsi initiators) for servers to boot from their OS volumes hosted on Image Streamer appliances. NOTE: You cannot use IPv4 addresses in the reserved range of to HPE OneView uses this range on an internal private VLAN within the enclosure domain. Supported ID pools ID pool IPv4 addresses Virtual MAC addresses (vmac) Virtual World Wide Names (vwwn) Virtual Serial Numbers (vsn) Description Dot-decimal notation with four octets (decimals 0-255) separated by dots, for example, byte quantity represented as 12 hexadecimal characters, bytes separated by a colon (:) Unicast address ranges only, multicast bit must not be set 8 byte quantity represented as 16 hexadecimal characters, bytes separated by a colon (:) 10 alphanumeric characters, uppercase 268 Managing the appliance

269 More information Image Streamer IPv4 address requirements (page 269) Image Streamer IPv4 address requirements When planning for IPv4 subnets and addresses for Image Streamer configurations, consider the following: Five IPv4 addresses are required per Image Streamer appliance pair Additional Image Streamer appliance pairs require additional IPv4 addresses (five per Image Streamer appliance pair) Additional deployment networks require additional IPv4 addresses. Every server that needs to boot from a pair of Image Streamer appliances needs one IPv4 address Add an IPv4 subnet and address range An IPv4 subnet and address range can be added to support an iscsi network. Prerequisites Minimum required privileges: Network administrator, Infrastructure administrator Image Streamer IPv4 address requirements (page 269) Adding an IPv4 subnet and address range 1. From the main menu, select Settings, and then do one of the following: Click Addresses and Identifiers, and then click Actions Edit. Hover your pointer in the Addresses and Identifiers panel, and then click the Edit icon. 2. Click Add IPv4 subnet and address range and enter the requested subnet information. 3. Click Add address range and enter the requested address information. 4. Click Add, or Add + to add additional address ranges. 5. Click Add, or Add + to add additional subnets and address ranges. 6. Click OK to submit the changes. 7. Confirm that the new address range appears in the IPv4 Subnets and Address anges panel Managing the security features of the appliance To learn about the security features of the appliance, see Understanding the security features of the Synergy Composer (page 63) Enabling or disabling Hewlett Packard Enterprise support access to the appliance HPE OneView contains a technical feature that will allow an on-site authorized support representative to access your system, through the system console, to assess problems that you have reported. This access will be controlled by a password generated by Hewlett Packard Enterprise that will only be provided to the authorized support representative. You can disable access at any time while the system is running Managing the security features of the appliance 269

270 UI screens and EST API resources UI screen Settings EST API resource appliance/settings oles Tasks Minimum required privileges: Infrastructure administrator The appliance online help provides information to enable or disable Hewlett Packard Enterprise support access from either the Settings screen or the EST APIs Managing TLS certificates A Transport Layer Security (TLS) certificate certifies the identity of the appliance. The certificate is required by the underlying HTTP server to establish a secure (encrypted) communications channel with the client web browser. You manage certificates from the Settings screen or by using the appliance settings EST APIs. UI screens and EST API resources UI screen Settings EST API resource certificates oles Tasks Minimum required privileges for all tasks except as noted: Infrastructure administrator The appliance online help provides information about using the UI or the EST APIs to: Create a self-signed certificate. Create a certificate signing request. Import a certificate. View the TLS certificate settings (Minimum required privileges: Infrastructure administrator, Backup administrator, or ead only) Learning more See Understanding the security features of the Synergy Composer (page 63) Managing the Hewlett Packard Enterprise public key The Hewlett Packard Enterprise public key verifies that: Hewlett Packard Enterprise created its software packages (PMs) and updates. The code was not modified after it was signed. 270 Managing the appliance

271 oles Tasks Minimum required privileges: Infrastructure administrator The appliance online help provides information about managing public keys from the Settings screen or by using the EST APIs to: Acquire and install the Hewlett Packard Enterprise public key. View the Hewlett Packard Enterprise public key Downloading audit logs The audit log helps the security administrator understand what security-related actions took place. You can gather log files and other information that your authorized support representative needs so that they can diagnose and troubleshoot an appliance. UI screens and EST API resources UI screen Settings EST API resource audit-logs oles Tasks Minimum required privileges: Infrastructure administrator The appliance online help provides information how to download the audit logs from the Settings screen or by using the EST APIs Download audit logs The audit log shows the security administrator what security-related actions took place. You can download log files and other information for your authorized support representative to use to diagnose and troubleshoot an appliance. NOTE: There is only one audit log for the clustered appliance. It can be downloaded from either appliance. Prerequisites Minimum required privileges: Infrastructure administrator Downloading audit logs 1. From the main menu, select Settings. 2. Click Security. 3. Select Actions Download audit logs. 4. The appliance generates a compressed file of the audit logs and downloads it to your local computer. The compressed file is named following this format: audit-logs-yyyy_mm_dd-hh_mm_ss yyyy_mm_dd indicates the date, and hh_mm_ss indicates the time the file was created. The name of the audit log file is displayed on the screen Downloading audit logs 271

272 The audit log file is downloaded to the default download folder. If no default download folder is configured in your browser, you are prompted to specify a destination file. 5. Verify the log was downloaded to the correct folder Learning more Understanding the audit log (page 68) Choosing a policy for the audit log (page 70) Connect to the Synergy console You can connect to the Synergy console using either a notebook computer or a video monitor, keyboard, and mouse Connect to the Synergy console with a keyboard, video monitor, and mouse Prerequisites You have physical access to the frame A video monitor with a monitor port cable, or an appropriate active adapter A USB keyboard and mouse NOTE: There is only a single USB port at each connection location. If your keyboard and mouse require more than one USB port, you must use a USB hub Connecting to the Synergy console with a keyboard, video monitor, and mouse 1. Connect the video monitor to the monitor port, and connect the keyboard and mouse to the USB port. There are two locations to which you can connect the video monitor, keyboard, and mouse: On the front of the frame, on the front panel module (illustration on left) On the rear of the frame, on either HPE Synergy Frame Link Module (illustration on right) 2. On connection, the Synergy console displays. 272 Managing the appliance

273 Connect to the Synergy console with a notebook computer Prerequisites You have physical access to the frame You have configured the notebook computer Ethernet port for DHCP and enabled auto-negotiation A CAT5 cable Connecting to the Synergy console with a notebook computer 1. Connect the CAT5 cable to the Ethernet port on the notebook computer. 2. Connect the CAT5 cable to the notebook port on the front of the frame, on the front panel module (see illustration) 3. On the notebook computer, launch a VNC client application to connect to the Synergy console. If prompted by the VNC client, enter the IP address (including port 5900) of the Synergy frame to use for the connection: The Synergy console is now available using the VNC client connection Prepare a USB flash drive for reimaging an appliance IMPOTANT: Hewlett Packard Enterprise recommends preparing a USB flash drive immediately after updating the appliance firmware so that you always have a USB flash drive that matches the currently installed version of HPE OneView. For environments with multiple versions of HPE OneView, create separate USB drives, one for each version. Prerequisites Computer running either Linux or a Microsoft Windows operating system USB flash drive with 4 GB of memory, or greater Internet connection Preparing a USB drive for reimaging an HPE Synergy Composer 1. Insert the USB flash drive in the computer s USB port. 2. If necessary delete any unnecessary partitions to ensure adequate disk space Prepare a USB flash drive for reimaging an appliance 273

274 3. Format the USB flash drive for one FAT32 partition using these guidelines: For a Linux operating system, use /sbin/fdisk /dev/sdx command, where x represents the numerical drive of the USB port used. For a Windows operating system, right click the USB icon in the Computer window and select Format. NOTE: For specific information on the procedure to format the USB flash drive, see the online help for the operating system. Specify a label for your USB drive. It can be any name you want, except EMBEDDED, which is a reserved name. Consider using the date as part of the label. Create only 1 primary partition. Delete any existing partitions if necessary. If prompted, specify the maximum value for Capacity. The partition type is W95 FAT32 or FAT32. If prompted, specify an allocation unit size of 4096 bytes. If prompted, accept default values for the first and last block. 4. Download the compressed image from this website: 5. Unzip the compressed image. 6. Copy the contents of the compressed image to the USB flash drive. IMPOTANT: Do not rename the files. 7. Optionally, remove the USB flash drive and store it for future use. More information eimage the appliance with the preloaded USB drive (page 274) ecovering an HPE Synergy Composer (page 455) eimage the appliance with the preloaded USB drive Use this procedure to reimage an HPE Synergy Composer that you either want to add to the current configuration or that must replace a defective Synergy Composer. eimaging a Synergy Composer ensures that it has the same firmware version as any other Synergy Composer in the configuration. CAUTION: This operation destroys data on the reimaged HPE Synergy Composer. 274 Managing the appliance

275 Should I reset the frame to factory settings?: If you intend to restore the HPE Synergy Composer settings from a backup file after it is reimaged, and that backup file contains the management configuration for the enclosures it managed, you should not reset the managed frames to factory settings. See the factory reset instructions in the online help. Otherwise, you must reset all the frame components managed by that HPE Synergy Composer to their factory settings. In cases where you have to reset the frame components, make sure that you do not factory reset the frame link modules while HPE Synergy Composer is being reimaged. The frame link modules should be reset after the HPE Synergy Composer is reimaged. Prerequisites Preloaded USB flash drive Access to the faceplate of the HPE Synergy Composer eimaging the HPE Synergy Composer with the preloaded USB flash drive 1. If there are two HPE Synergy Composer appliances in the frame, determine the one that you need to reimage. If those appliances form a cluster, remove the standby appliance. If you cannot remove the appliance, then remove the peer appliance from the frame. You can reinsert it after imaging is underway. 2. Insert the preloaded USB flash drive into the USB port of the HPE Synergy Composer that you need to reimage. 3. Hewlett Packard Enterprise recommends using the Synergy console to monitor the reimaging and rebooting operations: eimage the appliance with the preloaded USB drive 275

276 a. Connect a keyboard, video, and mouse to the monitor and USB ports located: On the Front Panel of the frame (illustration on left), or On either HPE Synergy Frame Link Module at the rear of the frame (illustration on right) On connection, the Synergy console is displayed. b. Click the monitor icon located at the top right of the screen. c. Select the HPE Synergy Composer to monitor from the Appliances submenu. A serial console window opens. d. Press Enter. 4. Locate the Power/eset button on the HPE Synergy Composer faceplate. See the illustration in step 2. If there are two Composer appliances, locate the button for the one you need to reimage. 1. Pinhole within Power/eset button 2. Power/eset 3. Active LED 276 Managing the appliance

277 5. Use the applicator or paperclip to depress the pinhole in the Power/eset button for more than ten seconds. NOTE: Momentarily depressing this button causes the HPE Synergy Composer to reboot, but does not reimage it. After ten seconds, the Active LED starts to flash, which means that the reimage process was triggered. 6. elease the pinhole button as soon as you see the flashing Active LED. If connected, the Synergy console shows progress messages. After reimaging, the HPE Synergy Composer reboots, updates the firmware to the version stored on the preloaded USB drive, and starts HPE OneView. eimaging should be completed in approximately one hour; at which time the initial HPE OneView login screen appears in the Synergy console. 7. Verify that the Synergy Composer is reimaged by examining the firmware version number either on the Appliance panel of the Settings screen or by using the View details command of Maintenance console. 8. Optionally, remove the preloaded USB flash drive and store it for possible future use. 9. estore the Synergy Composer from a backup file. Next step Quick Start: Initial setup (page 111) More information Prepare a USB flash drive for reimaging an appliance (page 273) About restoring the Synergy Composer (page 253) Best practices for restoring a Synergy Composer (page 255) ecovering an HPE Synergy Composer (page 455) eimage the appliance with the preloaded USB drive 277

278 278

279 Part IV Monitoring The chapters in this part describe using the appliance to monitor your data center. You use the information in this part after the appliance has been configured and the data center resources have been added to the appliance.

280 280

281 26 Monitoring data center status, health, and performance This chapter describes the recommended best practices for monitoring data center status, health, and performance using HPE OneView Daily monitoring As part of the daily monitoring of your data center, it is important to be able to quickly scan the appliance-managed resources to assess the overall health of your data center. By reviewing the UI screens, you are able to rapidly analyze the state and condition of your data center Initial check: the Dashboard The Dashboard provides an at-a-glance visual health summary of the appliance resources you are authorized to view. The Dashboard can display a health summary of the following: Server Profiles Server Hardware Enclosures Logical Interconnects Storage Pools Volumes Appliance alerts The status of each resource is indicated by an icon: OK ( ), Warning ( ), or Critical ( ). You can link to the resource screens in the UI for more information by clicking on the status icons displayed for each resource. To learn more about the Dashboard screen, see Using the Dashboard screen (page 291) Activities The Activity screen provides a log of health and status notifications. The appliance verifies the current activity of resources in your environment, and posts alerts to the Activity screen and to the associated resource screens for you to review. The Activity screen is also a database of all tasks that have been run, either synchronously or asynchronously, and initiated by the user or system. It is similar to an audit log, but provides more detail and is easily accessed from the UI Utilization graphs For certain resources, the appliance collects CPU, power, and temperature utilization statistics from management processors (the ilo and ipdu). Utilization graphs enable you to understand recent utilization statistics relative to available capacity, see utilization trends over time, and see historical utilization over time. Hover over the utilization area in the UI to display tool tips. The Enclosures screen The Server Hardware screen The Power Delivery Devices screen View historical metrics of power consumption (average, peak, and power cap) and temperature. View historical metrics of CPU utilization/cpu frequency, power consumption (average, peak, and power cap), and temperature. View historical metrics of power consumption (average and peak and previous 5 minutes, previous 24 hours) Daily monitoring 281

282 The acks screen The Interconnects screen The Storage systems screen View historical metrics of power consumption (average, peak, and power cap) and temperature. View uplink port statistics of the bit transfer rates (transmitted and received). View capacity amount of storage in tebibyte (TiB) of space. To learn more about utilization graphs, see Monitoring power and temperature (page 297) Monitor data center temperature The appliance provides detailed monitoring data that you can use to determine the power and cooling capabilities of the devices in your data center. The overall cooling in your data center might be sufficient; however, there might be areas that are insufficiently cooled due to conditions such as poor airflow, concentration of excessive heat output, or wrap-around airflow at the ends of aisles. To easily identify temperature issues and look for thermal hotspots in all areas in your data center, use the 3D visualization features provided by the Data Centers UI screen. To learn more about temperature, see Monitoring power and temperature (page 297) Best practices for monitoring data centers The following are recommended best practices for using HPE OneView appliance to ensure the health of the managed components in your data center environment Best practices for monitoring health with the appliance UI Hewlett Packard Enterprise recommends the following best practices to monitor the health of the resources in your environment. General health monitoring steps Monitoring step 1. Navigate to the Activity screen and filter activities, using the filtering options that work best for the situation. You can also start from the Dashboard screen to see alerts for specific resources. 2. Navigate to a specific resource screen to view the specific activities for that resource. On the resource screen, verify the state of the resource instances via health status icons. 3. Investigate each resource instance with a warning or error status. elated information About Activity (page 285) Using the Dashboard screen (page 291) Icon descriptions (page 86) 4. Expand critical and warning alerts to see their full descriptions, and click Event details to view additional information about the event(s) that caused the alert. 5. Follow the instructions in the recommended resolution (if any) or research the alert to correct the problem. NOTE: If an alert is Active and no action is required, you can clear the alert. If an alert is Locked, you cannot clear the alert without fixing the condition that caused it. To monitor the current health of a network, navigate to the Interconnects and Logical Interconnects resources to view recent activity, alerts and notifications, and current health status. 282 Monitoring data center status, health, and performance

283 Best practices for monitoring health using SCMB or EST APIs To ensure the health of the components in your data center environment, use the State-Change Message Bus (SCMB) to receive health status messages. SCMB uses asynchronous messaging to notify subscribers of changes to managed resources both logical and physical. For example, you can receive notifications when new server hardware is added to the managed environment or when the health status of physical resources changes. To use EST APIs to monitor health, see the following: Overall health monitoring Server hardware health monitoring Network health monitoring Overall health monitoring NOTE: You can view health and alerts on all managed servers and some monitored servers. To see what servers can be monitored, see monitored server hardware in the HPE OneView Support Matrix for HPE Synergy. Monitoring step Filter alerts based on severity or date to view current health issues. GET /rest/alerts?filter="severity='{unknown, OK, WANING, CITICAL}'"&filter="created='{YYYY-MM-DDThh:mm:ss.sssZ}'" NOTE: The DISABLED severity is not applicable to alerts. See the EST API scripting online help for more information about alerts. Get alerts for a specific physical resource type, such as server hardware. GET /rest/alerts?filter="physicalesourcetype='{physical_server}'" See the EST API scripting online help for more information about server hardware. View the originating event(s) that caused a specific alert. 1. Select an alert. GET /rest/alerts/ 2. Get a specific alert using the alert ID. GET /rest/alerts/{id} 3. Get the associated event(s). GET /rest/events/{id} Fix the problem. Use the recommended fix (perform a GET operation on the specific alert resource and view the correctiveaction attribute), or research the alert Best practices for monitoring data centers 283

284 Server hardware health monitoring A server or servers turn to a warning or critical status when there are problems detected in the server hardware. If a server profile has been applied to server hardware in an error state, the server profile will also be in an error state. Monitoring step Use details from the alert to fix the problem. When available, attempt the recommended fix first. In some cases, additional research of the alert might be needed to best determine the fix. GET /rest/alerts?filter="physicalesourcetype='{physical_servers}'"&filter="severity='{waning, CITICAL}'" See the EST API scripting online help for more information on alerts. Make sure that server profiles are appropriately assigned to the server hardware. See the EST API scripting online help for more information on server profiles. Network health monitoring To determine the current health of a network or networks on the appliance, view alerts for interconnects and logical interconnects to verify the correct connections. To list alerts, you can perform a GET operation on alerts and filter for alerts related to interconnects. To list states, you can perform a GET operation on interconnects and logical interconnects and filter for an OK state. 284 Monitoring data center status, health, and performance

285 Monitoring step View alerts for interconnects. 1. Select an interconnect alert. GET /rest/alerts?filter="physicalesourcetype='{interconnect}'"&filter="severity='{waning, CITICAL}'" 2. Get a specific alert using the alert ID. GET /rest/alerts/{id} See the EST API chapter in the online help for more information on interconnects. Filter for logical interconnects with unhealthy stacking. 1. Get unhealthy logical interconnect. GET /rest/logical-interconnects?filter="stackinghealth='{unknown, Disconnected}'" 2. View specific unhealthy interconnect using the interconnect ID. GET /rest/logical-interconnects/{id} See the EST API chapter in the online help for more information on logical interconnects. Use information provided in the alert to fix the problem. Use the recommended fix if there is one, or research the alert. See the EST API scripting online help for more information on alerts Managing activities The appliance online help provides information about using the UI or the EST APIs to: View activities for a resource. Filter activities by health, status, or date. Assign an owner to an alert. Add a note to an alert. Clear an alert. estore a cleared activity to the active state About Activity The Activity screen lists alerts and other notifications about appliance activity and events occurring in your data center. You can filter, sort, and expand areas of the screen to refine how information is displayed. Links within activity details also enable you to view additional information about specific resources, especially if the notification is reporting an event that requires immediate attention. Activity screen components The image shown here illustrates the important areas on the screen that you can use to monitor, resolve, and manage activity Managing activities 285

286 OneView Search Activity All All types All statuses All states All time All owners eset 2 Actions 6 Name esource Date 7 State Owner 3 Worst case power consumption for the power delivery device Lab N32 ack [4,2] PDU A is 7,676 Watts which exceeds its capacity by 3,683 Watts Lab N32 ack [4,2] PDU A Power Delivery Devices Nov 20 12:35 pm Active unassigned v X esolution Verify that the capacity of 3,9993 Watts is specified correctly. Change the system configuration or apply a power cap to prevent the attached devices from exceeding the capacity. 5 Notes Write a note Health category Power 4 Event details corrective Action 1 By default, the Activity screen shows All alerts, tasks, and events that have occurred. To quickly filter the default activity list to display the notifications that require your attention, click the icon to switch from All to Needs attention. Use the filters and date range selectors on the Filters menu bar to pinpoint the type of activity you want to see. To expand choices for any filtering selector on the filter banner, click the icon next to each filtering selector 2 Use the Actions menu to assign, clear, or restore selected notifications. 3 To assign an alert or other notification to a specific user, select a name listed in the Owner column of each notification. 4 When a notification is expanded, click the Event details link to view more details about this notification, which is where you might find specific corrective action for an activity that requires your attention. 5 Start typing in the note box to add instructions or other information to a notification. 6 TIP: You can click and drag the lower right corner of the note box to expand the box for better viewing or easier editing. Click the icon to expand the view of a notification to see all information about it. Click the icon to collapse the notification into a single-line summary. 7 If a notification is reporting a status other than OK (green), click the link to view details about the resource that generated the notification Activity types: alerts and tasks About alerts The appliance uses alert messages to report issues with the resources it manages and monitors. The resources generate alerts to notify you that some meaningful event occurred and that an action might be required. An event describes a single problem or change that occurred on a resource. For example, an event might be an SNMP trap received from a server's (ilo) management processor. 286 Monitoring data center status, health, and performance

287 Each alert includes the following information about the event it reports: severity, state, description, and urgency. You can clear alerts, assign owners to alerts, and add notes to alerts. While alerts have an active or locked state, they contribute to a resource s overall displayed status. After you change their state to Cleared, they no longer affect the displayed status. IMPOTANT: The appliance keeps a running count of incoming alerts. At intervals of 500 alert messages, the appliance determines if the number of alerts has reached 75,000. When it does, an auto-cleanup occurs, which deletes alert messages until the total number is fewer than 74,200. When the auto-cleanup runs, it first removes the oldest cleared alerts. Then it deletes the oldest alerts by severity starting with the least severe. More information Service alerts (page 289) About HPE Synergy Frame alerts The HPE OneView server health monitoring feature on an HPE Synergy Frame does not forward trap messages as is from various devices. Instead, it forwards HPE Synergy server and frame link module-related alerts created in HPE OneView as SNMP traps. These alerts are created in HPE OneView based on Agentless Management Services (AMS) SNMP traps and ich Infrastructure Services (IS) events sent by the server ilos and frame link modules, respectively. The alerts are forwarded as HPE OneView traps to the IP address destinations you specify in the SNMP panel on the Settings screen. See also the online help for Add Trap Destination. The cpqoneview.mib file defines the trap formats. The file is a unique MIB that provides alert definitions specific to HPE OneView-managed HPE Synergy Frame enclosures. To download the HPE OneView traps MIB, do either of the following: Enter the IP address of your HPE OneView appliance in the following UL: Obtain it from the HPE Systems Insight Manager MIB Kit at: hpsc/doc/public/display?docid=emr_na-c =en-us;cc=us See also: HPE ilo 4 with AMS traps supported for alerting in HPE OneView at support/synergy/docs/ About tasks All user- or system-initiated tasks are reported as activities: User-initiated tasks are created when a user adds, creates, removes, updates, or deletes resources. Other tasks are created by processes running on the appliance, such as gathering utilization data for a server. The task log provides a valuable source of information that you can use to resolve an issue. You can determine the type of task performed, whether the task was completed, when the task was completed, and who initiated the task Managing activities 287

288 The types of tasks are: Task type User Appliance Background Description A user-initiated task, such as creating, editing, or removing an enclosure group or a network set An appliance-initiated task, such as updating utilization data A task performed in the background. This type of task is not displayed in the log. IMPOTANT: The appliance maintains a tasks database that holds information for approximately 6 months' worth of tasks or 50,000 tasks. If the tasks database exceeds 50,000 tasks, blocks of 500 tasks are deleted until the count is fewer than 50,000. Tasks older than 6 months are removed from the database. The tasks database and the stored alerts database are separate Activity states Activity Alert Service alert State Active Locked Cleared Pending Submitted eceived Open Closed Error None Description The alert has not been cleared or resolved. A resource s active alerts are considered in the resource s overall health status. Active alerts contribute to the alert count summary. An Active alert that was set (locked) by an internal resource manager. You cannot manually clear a Locked alert. Examine the corrective action associated with an alert to determine how to fix the problem. After the problem is fixed, the resource manager moves the alert to the Active state. At that time, you can clear or delete the alert. A resource s locked alerts contribute to its overall status. The alert was addressed, noted, or resolved. You clear an activity when it no longer needs to be tracked. The appliance clears certain activities automatically. Cleared activities do not affect the resource s health status and they are not counted in the displayed summaries. The support case is pending submission to HPE. The support case has been submitted to HPE. HPE has received the support case. The support case is open. The support case is closed. NOTE: A support case can be closed without any action: If it is for a test event If the device is not enabled for remote support If the device is not covered under support contract or under warranty The service request encountered an error during processing. There is no service alert. This is the default value. 288 Monitoring data center status, health, and performance

289 Activity Task State Completed unning Pending Interrupted Error Terminated Warning Description The task started and ran to completion. The task has started and is running, but has not yet completed. The task has not yet run. The task ran, but was interrupted. For example, it could be waiting for a resource A task failed or generated a Critical alert. Investigate Error states immediately. A task was gracefully shut down or cancelled. An event occurred that might require your attention. A warning can mean that something is not correct within the appliance. Investigate Warning states immediately Activity statuses For most HPE OneView resources, the status shown represents a single resource and not a roll-up value for subcomponents, except for HPE Synergy frames. The overall health status of an HPE Synergy frame is shown in the Master pane and reflects the most serious health status of all infrastructure components. A health status icon for each component, such as a fan or server, in an HPE Synergy frame, can be seen on the Front View or ear View panels on the Enclosures screen. If a problem occurs with a particular infrastructure component, an alert is generated and displays in the Notification panel on the Enclosures screen. For example, if the HPE Synergy Composer detects a warning condition for a fan, the HPE Synergy Composer displays a Warning status for the fan and generates an alert. Similarly, the Composer generates a Critical status for a power supply and generates an alert. The overall status of the HPE Synergy frame is Critical in this situation. Status Critical Warning OK Unknown Disabled Description A critical alert message was received, or a task failed or was interrupted. Investigate Critical status activities immediately. An event occurred that might require your attention. A warning can mean that something is not correct within the appliance and it needs your attention. Investigate Warning status activities immediately. For an alert, OK indicates normal behavior or information from a resource. For a task, OK indicates that it completed successfully. The status of the alert or task is unknown. The status of a task that is set to run at a later time is Unknown. A task was prevented from continuing or completing Service alerts A device (for example, an ilo) might generate a service alert associated with an alert. When it is displayed in the Activity screen, the service alert provides service information including a case identifier (Case ID) and primary contact information to facilitate a service call. The primary contact information was entered when emote Support was configured Managing activities 289

290 For devices that are under warranty or actively covered under a support contract, emote Support automatically closes and clears service alerts when conditions become normal; for example, after a faulty fan is replaced. emote Support takes no action on devices that are not actively covered under a support contract. More information Activity states (page 288) 26.4 Managing notifications The appliance online help provides information about using the UI to: Configure the appliance for notification of alerts. Add an recipient and filter. Edit an recipient and filter entry. Enable or disable an recipient and filter. Clear an alert. Delete an recipient and filter entry About notification of alert messages This feature notifies specified recipients when a certain alert occurs. When this feature is configured and enabled, the appliance performs these steps in addition to posting the alert: The appliance compares the alert to configured search criteria. If the alert matches, it creates an message containing the text of the alert. The appliance sends the message to designated recipients in both plain text and HTML MIME types. Sending in both types allows the recipient s mail application to determine the display. You can enable or disable this notification feature, or you can enable or disable individual filter notifications, as required. The appliance provides for as many as 100 recipient and filter combinations, and allows as many as 50 recipients in a single message. This flexibility lets you fine-tune which alert messages are sent and to whom. For example, you can configure the appliance to send Warning alerts to one recipient and Critical alerts to another. You can verify the configuration by sending test messages Configure the appliance for notification of alerts Use this procedure to configure the appliance for sending messages of alerts. Later, you can add, edit, or delete entries for recipients or filters. NOTE: notification filters can only be configured for alert messages. Prerequisites Minimum required privileges: Infrastructure administrator Configuring the appliance for notification of alerts 1. From the main menu, navigate to the Settings screen. 2. Locate the Notifications panel and click. 3. Supply the data requested in the panel of the Edit Notifications screen: 290 Monitoring data center status, health, and performance

291 NOTE: The SMTP server is automatically determined from the domain name in the address for the appliance. If you need to specify the SMTP settings, click SMTP options to supply them. 4. Proceed to add one or more entries Using the Dashboard screen Learning about the Dashboard The charts on the Dashboard provide a visual representation of the general health and status of the appliance and managed resources in your data center. From the Dashboard, you can immediately see resources that need your attention. For direct access to resources needing your attention, click the resource name. Each time you log in to the appliance, the Dashboard is the first screen you see. Select Dashboard from the main menu any time you want to see the Dashboard charts. The Dashboard displays status of the most relevant resources that are associated with assigned user roles. If you are assigned multiple roles, such as Network and Storage roles, the default dashboard displays the combination of resources that each role would see on the dashboard. You can customize your Dashboard display by adding, deleting, and moving resource panels Dashboard screen details IMPOTANT: The Dashboard is blank the first time you log in to the appliance because you have not yet configured any resources. If this is the first time you are logging in to the appliance, see Quick Start: Initial setup (page 111) to define your data center environment and bring your infrastructure under appliance management. Hover your pointer over a chart slice to view the count of resource instances being represented by that slice. If you hover over a different slice in the same chart, the text and count displayed in the center of the chart changes. Click on a slice to be taken to the resource page filtered by the status or value associated with the slice. If you view the Dashboard on a narrow screen, the charts are arranged vertically for resources with multiple charts, and you can use the scroll bar to navigate to each chart Using the Dashboard screen 291

292 The Dashboard displays the following chart types: Chart type Status Servers with profiles Blade bays Description A Status chart summarizes health status. The number displayed next to the resource name indicates the total number of resource instances known to the appliance. To learn more, click the resource name to display the resource's main screen and view detailed health and status information. On a Status chart, a dark-gray chart slice indicates the number of resources that are not reporting information because they are either disabled or are not being managed by the appliance. To filter the view of a resource based on its status, click the status icon. To learn more about health status and severity icons, see Icon descriptions (page 86). The Servers with profiles chart reports the count of server hardware instances with server profiles assigned to them. If the chart is not solid blue, hover your pointer over the light-gray chart slice to see the count of servers without server profile assignments. The Blade bays chart reports the count of server hardware instances in all managed enclosure bays. If the chart is not solid blue, hover your pointer over the light-gray chart slice to see the count of empty enclosure bays How to interpret the Dashboard charts Dashboard chart colors help you to quickly interpret the reported data. Table 12 Dashboard chart colors Color Green Yellow ed Blue Light gray Dark gray Indication A healthy status An event has occurred that might require your attention A critical condition requires your immediate attention For a status graph, the resource instances that match the data being measured (a solid blue chart indicates 100%) For custom graphs, there may be different shades of blue, each representing a different value for an attribute. The resource instances that do not match the data being measured (used in combination with blue to total 100%) esource instances reporting status other than OK, Warning, or Critical, that is, they are Disabled or Unknown Status icons To assist you in identifying resources that are not in a healthy state, status icons indicate the number of resources with a status of OK ( ), Warning ( ), or Critical ( ). You can select a status icon to view the resource s main screen, with resource instances filtered by that status or click on the donut slice of the same color. If no resources are defined or if no resource instances are detected with a particular status (indicated by the number zero), the associated icon is nearly colorless (very pale gray). To learn how to interpret the data displayed on the charts, see the numbered descriptions that appear after the figure. 292 Monitoring data center status, health, and performance

293 Figure 19 Dashboard sample 1 Click a resource name to view the resource s main screen for more information. The adjacent number identifies how many instances of that resource are being managed by the appliance. In this example, three enclosures have been added to the appliance, and one is in a healthy status. 2 When you hover your pointer over a dashboard panel, additional icons appear as shown on the Enclosures panel. The remove or delete (x) icon removes the panel from the dashboard. The move ( ) cursor allows you to move the panel to a different position on the dashboard. For custom panels, the edit ( ) icon also appears, which allows you toedit a custom panel. 3 The sample chart for the Interconnects resource shows a total of seven interconnects of which four are in a Critical state and the other three are reporting a healthy status. Click the Critical status icon to open the Interconnects screen to begin investigating the cause. 4 On a Status chart, a dark-gray slice represents the count of resources that are not reporting status information because the resource is disabled or the status is not known. The sample chart for the Server Hardware resource shows a total of 30 instances of server hardware, of which 14 are either disabled or are unknown devices. Hover your pointer over the dark-gray chart slice to see a count of server hardware instances with a Disabled and Unknown status. 5 The icon enables you to customize your dashboard by adding custom or pre-defined panels. See Customizing the dashboard (page 294) to learn more about customizing panels. 6 The Ethernet Networks chart illustrates a customized panel where a user has defined the number of Ethernet networks assigned to that user. For more examples, see Customizing the dashboard (page 294). 7 The Storage Pools chart reports the state of storage pools that are being managed by the appliance, if any. See About storage pools (page 230) to learn more about storage pools Using the Dashboard screen 293

294 8 The Appliance Alerts area summarizes important appliance-related alerts, typically about back up and licensing issues. Alerts related to other resources are not included here. If one appliance alert is detected, the alert text appears here. For multiple alerts, the number of alerts are shown, and you can click Appliance to go directly to the Activity screen for a filtered view of all appliance-related alerts. See About Activity (page 285) to learn more about alerts Customizing the dashboard You can customize the dashboard to show panels that interest you. You can select from a set of pre-defined panels such as Unassigned Alerts or Server Profiles. You can create or edit your own custom panel by selecting the data you want to view through the use of dashboard queries. You can rearrange or move panels on the dashboard to suit your needs. You can remove panels that do not interest you. NOTE: If you want to clear any dashboard customizations and restore the dashboard to the default, see the online help for information on resetting the dashboard Managing remote support About remote support egister with Hewlett Packard Enterprise to allow automatic case creation for hardware failures on servers and enclosures and to enable Proactive Care. Once enabled, all eligible devices added in the future will be automatically enabled for remote support. Eligible devices are Gen8 and newer blades and enclosures. NOTE: Servers must be at ilo 2.1 firmware level or above to be enabled for remote support Hewlett Packard Enterprise will contact you to ship a replacement part or send an engineer for devices that are under warranty or support contract. emote support enables Proactive Care services including Proactive Scan reports and Firmware/Software Analysis reports with recommendations that are based on collected configuration data. emote support is secure. No business data is collected, only device-specific configuration and fault data. All communications are outbound only and use industry standard TLS encryption ensuring confidentiality and integrity of the information. More information emote support doc About channel partners The Partner ID uniquely identifies a partner as an HPE Authorized Partner. Hewlett Packard Enterprise is the default channel partner if no other channel partner is assigned. HPE Authorized esellers By enabling remote support, you enable the reseller to access configuration reports and contract warranty reports in Insight Online in the HPE Support Center, as well as configuration details and some contract and warranty details. 294 Monitoring data center status, health, and performance

295 HPE Authorized Service Partners In addition to the above information provided to Authorized esellers, the Service Partner has access to service event status and reports, with links into the HPE Channel Services Network portal About data collection Basic collection sends configuration information to Hewlett Packard Enterprise for analysis and proactive services in accordance with your warranty and service agreements. This data is transmitted every 30 days. Active health sends information about the server s health, configuration, and run-time telemetry to Hewlett Packard Enterprise. This information is used to troubleshoot issues and closed-loop quality analysis. This data is transmitted every 7 days Managing remote support 295

296 296

297 27 Monitoring power and temperature HPE OneView enables you to monitor the power and temperature of your hardware environment. Power and temperature monitoring feature overview The appliance: Displays 3D color-coded hardware temperature visualization (UI only) Collects and reports power metric statistics Collects and reports temperature metric statistics Displays utilization statistics using customizable utilization graphs (UI only) Power and temperature monitoring features by resource Data Centers Color-coded temperature visualization of racks and the server hardware in them Enclosures and Server Hardware Alerts for degraded and critical temperature and power Proactive analysis and alerting for power configuration errors Utilization graphs for power and temperature statistics Power Delivery Devices Alerts on power thresholds Proactive analysis and alerting for power configuration errors Utilization graphs for power and temperature statistics acks Proactive analysis and alerting for power configuration errors Utilization graphs for power and temperature statistics 27.1 Monitoring power and temperature with the UI The Data Centers screen provides a 3D visualization of your hardware environment, and uses a color-coded system to display temperature data for your hardware. The Utilization panel and Utilization graphs display utilization power and temperature statistics via the Utilization view on the Enclosures, Interconnects (utilization graphs only), Power Delivery Devices, acks, and Server Hardware screens Monitoring data center temperature The Data Centers resource provides a visualization of the racks in your data center and displays their peak temperature using a color-coded system. To enable this, you must first specify the physical positions of your racks and the position of the components in them using the Data Centers resource. You can use temperature visualization to identify over-cooled areas of your data center. You can close vent tiles in areas that have low peak temperatures to increase airflow to areas that have 27.1 Monitoring power and temperature with the UI 297

298 insufficient cooling. If the entire data center is over-cooled, you can raise the temperature to save on cooling costs. Prerequisites equired privileges: Server administrator. You have created a data center and positioned your racks in it. The placement of racks in your data center accurately depicts their physical locations. You have specified a thermal limit for your rack using the acks screen, if your policy dictates a limit (optional). Temperature collection and visualization details The visualization displays peak rack temperature using a color-coded system. The rack is colored based on the highest peak temperature (over the last 24 hours) of the device in the rack with the highest peak temperature recorded (of devices which support ambient temperature history reporting). Temperatures are determined using the temperature utilization data collected from each device. Background data collection occurs at least once a day, so the reported peak temperature for a rack will be within the past 48 hours. acks without an observed peak temperature with 48 hours are depicted without color coding (gray). Figure 20 3D data center visualization Manipulating the view of the data center visualization You can zoom in or zoom out and adjust the viewing angle of the data center from the Overview view or Layout view of the Data Centers screen. 298 Monitoring power and temperature

299 Prerequisites equired privileges: Server administrator NOTE: The data center view controls do not appear in the Layout panel of the Overview view until you hover your pointer over the panel. Manipulating the view of the data center visualization To change the data center view, do one or more of the following: Move the horizontal slider left to zoom in and right to zoom out. Move the vertical slider up and down to change the vertical viewing angle. Click and drag the rotation dial to change the horizontal viewing angle Monitoring power and temperature utilization Utilization statistics for power and temperature are displayed on: The Utilization panel Utilization graphs in the Utilization view About the Utilization panel The Enclosures, Power Delivery Devices, acks, Server Hardware, and Storage Systems screens display a Utilization panel in the Overview for each resource. The possible states of the Utilization panel are: Panel contents Utilization meters display utilization data. A licensing message is displayed. no data is displayed. not set is displayed (a gray meter with hash marks). not supported is displayed. eason The appliance has collected data and it is being displayed. Server hardware without an ilo Advanced license will not display utilization data. The appliance has not collected data during the previous 24 hours. The meter might not be set for the following reasons: The page is loading and the data is not yet available. There is no utilization data prior to the most recent 5 minute collection period. There may be historic data in the utilization graphs. Enclosures will not display temperature data if none of the servers are powered on. acks will not display data if there are no devices mounted on the rack and the rack thermal limit is not set. Utilization data gathering is not supported on the device. See the online help for Utilization for more information About utilization graphs and meters The appliance gathers and reports CPU, power consumption, temperature, and capacity data for certain resources via utilization graphs and utilization meters Monitoring power and temperature with the UI 299

300 NOTE: The minimum data collection interval is 5 minutes (averaged) and the maximum is one hour (averaged). Utilization graphs can display a range of data up to a maximum of three years. Table 13 Utilization statistics gathered by resource Utilization metric esource CPU Power Temperature Custom Capacity Enclosures acks Power Delivery Devices Server Hardware Storage Systems NOTE: You can use the Interconnects screen to view utilization graphs that display data transfer statistics for interconnect ports. See the online help for the Interconnects screen. Utilization statistics and licensing Utilization statistics and graphs are disabled for server hardware that does not have an ilo license assigned. See About licensing (page 161) to learn more. If utilization is disabled, the Utilization panel displays a message stating the reason it is disabled in the details pane for the unlicensed resource. 300 Monitoring power and temperature

301 Utilization graphs 1 Primary graph: The large primary utilization graph displays metric data (vertical axis) for your devices over an interval of time (horizontal axis) using a line to graph data points. 2 Horizontal axis: The horizontal axis on the primary utilization graph depicts the time interval for the data being displayed, with the most recent interval data on the right. The minimum time interval is two minutes and the maximum is five days. 3 Vertical axis: The vertical axis on the primary utilization graph depicts the interval for the metric displayed in the corresponding unit of measurement down the left side of the graph. The interval for each unit of measurement is fixed and cannot be changed. Graphs that display two metrics with different units of measurement have a second interval down the right side of the graph. The measurement value at the top of the graph represents the maximum utilization capacity for a given metric. 4 Navigation graph: The navigation graph below the primary graph displays the maximum time interval of available data. Use the navigation graph to select the time interval you want to display in the primary graph by highlighting the interval with your pointing device. See the online help for more information on creating a custom utilization graph and how to change the level of detail that the graph displays EST API power and temperature monitoring Update enclosure power capacity settings To update the enclosure capacity settings, perform a PUT operation that includes only the calibratedmaxpower attribute. View the enclosure capacity settings attributes by using a GET operation, edit the calibratedmaxpower attribute, and then perform a PUT operation that includes only the edited calibratedmaxpower attribute EST API power and temperature monitoring 301

302 Prerequisites Minimum required session ID privileges: Server administrator Updating enclosure capacity settings using EST APIs 1. Select an enclosure UI. GET /rest/enclosures 2. Get the enclosure capacity using the UI from step 1. GET {enclosure UI}/environmentalConfiguration 3. Edit the enclosure capacity. The only attribute to send in the response body is calibratedmaxpower. Do not send all attributes from the GET operation. 4. Update the enclosure capacity. PUT {enclosure UI}/environmentalConfiguration Update server hardware power capacity settings To update server hardware capacity settings, perform a PUT operation that includes only the calibratedmaxpower attribute. View server hardware capacity settings attributes by using a GET operation, edit the calibratedmaxpower attribute, and then perform a PUT operation that includes only the edited calibratedmaxpower attribute. Prerequisites Minimum required session ID privileges: Server administrator Updating server hardware capacity settings using EST APIs 1. Select a server hardware UI. GET /rest/server-hardware 2. Get the current server hardware capacity using the UI from step 1. GET {server hardware UI}/environmentalConfiguration 3. Edit the server hardware capacity. The only attribute to send in the response body is calibratedmaxpower. Do not send all attributes from the GET operation. 4. Update the server hardware capacity. PUT {server hardware UI}/environmentalConfiguration 302 Monitoring power and temperature

303 28 Using a message bus to send data to subscribers 28.1 About accessing HPE OneView message buses HPE OneView supports asynchronous messaging to notify subscribers of changes to managed resources both logical and physical and changes to metrics on managed resources. For example, you can program applications to receive notifications when new server hardware is added to the managed environment or when the health status of physical resources changes, and you can stream power, thermal and CPU metrics for managed resources. Using HPE OneView EST APIs, you can obtain certificates to access the two message buses described in this chapter: the State-Change Message Bus or the Metric Streaming Message Bus. The message content is sent in JSON (JavaScript Object Notation) format and includes the resource model. Before you can set up subscription to messages, you must create and download an AMQP (Advanced Message Queuing Protocol ) certificate from the appliance using EST APIs. Next, you connect to the message bus using the EXTENAL authentication mechanism with or without specifying a user name and password. This ensures that you use certificate-based authentication between the message bus and your client. After connecting to the message bus, you set up a queue with the queue name empty, and AMQP generates a unique queue name. You use this queue name to bind your client to exchanges and receive messages. To connect to the message and set up a queue, you must use a client that supports the AMQP Using the State-Change Message Bus (SCMB) Connect to the SCMB Prerequisites Minimum required session ID privileges: Infrastructure administrator To use the SCMB, you must do the following tasks: Use EST APIs to create and download an Advanced Message Queuing Protocol (AMQP) certificate from the appliance. Connect to the SCMB using one or both of these methods: Use the EXTENAL authentication mechanism Connect without sending a user name and password Using one of these methods ensures that certificate-based authentication is used. Set up a queue with an empty queue name. AMQP generates a unique queue name. You use this queue name to bind to exchanges and receive messages About accessing HPE OneView message buses 303

304 Create and download the AMQP client certificate Creating and downloading the client certificate, private key, and root CA certificate 1. Create the certificate. POST /rest/certificates/client/rabbitmq equest body: {"type":"abbitmqclientcertv2","commonname":"default"} 2. Download the certificate and private key. GET /rest/certificates/client/rabbitmq/keypair/default 3. Download the root CA certificate. GET /rest/certificates/ca 4. After you connect the client to the SCMB, you can Set up a queue to connect to the HPE OneView SCMB exchange (page 304) Figure 21 Connecting the client to the SCMB 1 The SCMB consumer requests a client certificate as part of the registration process. 2 The appliance manages the client certificates in a JVK (Java KeyStore) file. 3 The appliance issues a client certificate to the SCMB consumer. 5 The appliance can revoke the SCMB client certificate to deny access to the SCMB 4 The SCMB client provides client. The client is managed an SSL client certificate to into a CL (Certificate create a connection with the evocation List) file. appliance. 6 The appliance authenticates the SCMB client using the client certificate Set up a queue to connect to the HPE OneView SCMB exchange The state change messages are published to the HPE OneView SCMB exchange name. To subscribe to messages, you must create a queue or connect to an existing queue that receives messages from the SCMB exchange based on a routing key. When you create a queue, you define the routing key associated with the queue to receive specific messages. 304 Using a message bus to send data to subscribers

305 NOTE: The routing key is case sensitive. The change-type requires an initial capital letter. The resource-category and resource-uri are lower-case. For example, if you set the change-type in the routing key to created instead of Created, you do not receive any messages. The routing key syntax is: scmb.resource-category.change-type.resource-uri where: scmb resource-category change-type resource-uri The HPE OneView exchange name. The category of resource. For a complete list of resources, see the HPE OneView EST API eference chapter in the online help. The type of change that is reported. Valid values are Created, Updated, and Deleted. The UI of the specific resource associated with the state-change message. NOTE: The task resources routing key syntax is scmb.resource-category and does not use change-type and resource-uri. To receive messages about all task resources: scmb.# scmb.tasks Sample queues Subscription eceive all SCMB messages for physical servers eceive all messages for created connections eceive all messages for the enclosure with the UI /rest/enclosures/enc1234 eceive all created messages (for all resource categories and types) Example scmb.server-hardware.# NOTE: To match everything after a specific point in the routing key, use the # character. This example uses # in place of resource-uri. The message queue receives all server-hardware resource UIs. scmb.connections.created.# scmb.enclosures.*./rest/enclosures/enc1234 NOTE: To match everything for an individual field in the routing key, use the asterisk (*). This example uses * in place of change-type. The message queue receives all change types: Created, Updated, and Deleted. scmb.*.created.# JSON structure of message received from the SCMB The following table lists the attributes included in the JSON payload of each message from the SCMB. The resource model for the HPE OneView resource is included in the resource attribute. To view all resource models, see the HPE OneView EST API eference chapter in the online help. Attribute resourceuri changetype Data type String String Description The UI for the resource. The state-change type: Created, Updated, or Deleted. For details, see ChangeType values (page 306) Using the State-Change Message Bus (SCMB) 305

306 Attribute newstate etag timestamp newsubstate resource associatedtask userinitiatedtask changedattributes data Data type String String String String Object String String Array Object Description The new state of the resource. The ETag for the resource when the state change occurred. The time the message was sent. If substate messages are required (for substate machines associated with a primary state), this is the resource-specific substate. The resource model. If a task is not associated with this message, the value is null. The value of the userinitiated attribute included in the associatedtask attribute. A list of top-level attributes that have changed based on the POST or PUT call that caused the state-change message to be sent. Additional information about the resource state change. ChangeType values ChangeType value Created Updated Deleted Description The resource is created or is added to HPE OneView. The resource state, attributes, or both are updated. The resource is permanently removed from HPE OneView. Example 2 JSON example { } "resourceuri" : "/rest/enclosures/123xyz", "changetype" : "Created", "newstate" : "Managed", "etag" : "123456", "timestamp" : " T18:30:44Z", "newsubstate" : "null", "resource" : { "category" : "enclosures", "created" : " T18:30:00Z",... }, "associatedtask" : "/rest/tasks/4321", "userinitiatedtask" : "true", "changedattributes" : [], "data" : {}, Example to connect and subscribe to SCMB using.net C# Prerequisites In addition to completing the prerequisites, you must complete the example-specific prerequisites before using the.net C# examples. 306 Using a message bus to send data to subscribers

307 To use the.net C# examples, add the following to the Windows certificate store: CA root certificate. Client certificate Private key To try the.net C# examples, do the following: 1. Download the root CA certificate. GET /rest/certificates/ca 2. Save the contents in the response body into a text file named rootca.crt. You must copy and paste everything from -----BEGIN CETIFICATE----- to -----END CETIFICATE-----, including the dashes, but not including the quotes. 3. Import the rootca.crt file into the Windows certificate store under Trusted oot Certification Authorities. 4. Download the client certificate and private key. GET /rest/certificates/client/rabbitmq/keypair/default 5. Save the contents of the client certificate and private key in the response body into a text file named scmb.crt. You must copy and paste everything from -----BEGIN CETIFICATE----- to -----END CETIFICATE----- for the client certificate. Next, copy and paste everything from -----BEGIN SA PIVATE KEY----- to -----END SA PIVATE KEY----- for the private key. You must include the dashes, but do not include the quotes Using the State-Change Message Bus (SCMB) 307

308 Example 3 Using.Net C# to directly reference client certificate Convert the client certificate and private key to PKCS format for.net. openssl.exe pkcs12 -passout pass:default -export -in scmb.crt -out scmb.p12 Example public void Connect() { string exchangename = "scmb"; string hostname = "OneView.domain"; string queuename = ""; string routingkey = "scmb.#"; }; ConnectionFactory factory = new ConnectionFactory(); factory.authmechanisms = new abbitmq.client.authmechanismfactory[] { new ExternalMechanismFactory() factory.hostname = hostname; factory.port = 5671; factory.ssl.certpath factory.ssl.certpassphrase = "default"; factory.ssl.servername = hostname; factory.ssl.enabled = true; IConnection connection = factory.createconnection(); IModel model = connection.createmodel(); queuename = model.queuedeclare(queuename, false, false, false, null); model.queuebind(queuename, exchangename, routingkey, null); } using (Subscription sub = new Subscription(model, queuename)) { foreach (BasicDeliverEventArgs ev in sub) { DoSomethingWithMessage(ev); sub.ack(); } } Example 4 Using.Net C# to import certificate to Microsoft Windows certificate store Import the scmb.crt into your preferred Windows certificate store. Example public void Connect() { string exchangename = "scmb"; string hostname = "OneView.domain"; string queuename = ""; string routingkey = "scmb.#"; string username = "rabbitmq_readonly"; X509Store store = new X509Store(StoreName.oot, StoreLocation.LocalMachine); store.open(openflags.eadwrite); X509Certificate cert = store.certificates.find(x509findtype.findbysubjectname, username, false).oftype<x509certificate>().first(); }; ConnectionFactory factory = new ConnectionFactory(); factory.authmechanisms = new abbitmq.client.authmechanismfactory[] { new ExternalMechanismFactory() factory.hostname = hostname; factory.port = 5671; factory.ssl.certs = new X509CertificateCollection(new X509Certificate[] { cert }); factory.ssl.servername = hostname; factory.ssl.enabled = true; IConnection connection = factory.createconnection(); IModel model = connection.createmodel(); queuename = model.queuedeclare(queuename, false, false, false, null); model.queuebind(queuename, exchangename, routingkey, null); } using (Subscription sub = new Subscription(model, queuename)) { foreach (BasicDeliverEventArgs ev in sub) { DoSomethingWithMessage(ev); sub.ack(); } } 308 Using a message bus to send data to subscribers

309 NOTE:.Net C# code example 2 (Microsoft Windows certificate store) is referencing the Trusted oot Certificate Authorities store, located under Local Computer. StoreName.oot = Trusted oot Certificate Authorities StortLocation.LocalMachine = Local Computer Example to connect and subscribe to SCMB using Java 1. Download the client certificate and private key. GET /rest/certificates/client/rabbitmq/keypair/default 2. Save the contents of the client certificate in the response body into a text file named default-client.crt. You must copy and paste everything from -----BEGIN CETIFICATE----- to -----END CETIFICATE-----, including the dashes, but not including the quotes. 3. Save the contents of the private key in the response body into a text file named default-client.key. You must copy and paste everything from -----BEGIN SA PIVATE KEY----- to -----END SA PIVATE KEY-----, including the dashes, but not including the quotes. 4. Create a PKCS12 keystore from the private key and the public certificate. openssl pkcs12 -export -name myclientcert -in default-client.crt -inkey default-client.key -out myclient.p12 5. Convert the PKCS12 keystore into a JKS keystore. keytool -importkeystore -destkeystore c:\\mykeystore -srckeystore myclient.p12 -srcstoretype pkcs12 -alias myclient 28.2 Using the State-Change Message Bus (SCMB) 309

310 Example 5 Example to connect and subscribe to SCMB using Java //c://mykeystore contains client certificate and private key. Load it into Java Keystore final char[] keypassphrase = "MyKeyStorePassword".toCharArray(); final KeyStore ks = KeyStore.getInstance("jks"); ks.load(new FileInputStream("c://MyKeyStore"), keypassphrase); final KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); kmf.init(ks, keypassphrase); //c://mytruststore contains CA certificate. Load it into Java Trust Store final char[] trustpassphrase = "MyTrustStorePassword".toCharArray(); final KeyStore ks = KeyStore.getInstance("jks"); tks.load(new FileInputStream("c:\\MyTrustStore"), trustpassphrase); final TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); tmf.init(tks); //load SSLContext with keystore and truststore. final SSLContext c = SSLContext.getInstance("SSL"); c.init(kmf.getkeymanagers(), tmf.gettrustmanagers(), new Secureandom()); final ConnectionFactory factory = new ConnectionFactory(); factory.sethost(" "); //Set Auth mechanism to "EXTENAL" so that commonname of the client certificate is mapped to AMQP user name. Hence, No need to set userid/password here. factory.setsaslconfig(defaultsaslconfig.extenal); factory.setport(5671); factory.usesslprotocol(c); final Connection conn = factory.newconnection(); final Channel channel = conn.createchannel(); //do not specify queue name. AMQP will create a queue with random name starting with amq.gen* e.g. amq.gen-32sfqz95qj85k_lmbhu6ha final DeclareOk queue = channel.queuedeclare("", true, false, true, null); //Now get the queue name from above call and bind it to required Exchange with required routing key. channel.queuebind(queue.getqueue(), "scmb", "scmb.#"); //Now you should be able to receive messages from queue final Getesponse chesponse = channel.basicget(queue.getqueue(), false); if (chesponse == null) { System.out.println("No message retrieved"); } else { final byte[] body = chesponse.getbody(); System.out.println("eceived: " + new String(body)); } channel.close(); conn.close(); Examples to connect and subscribe to SCMB using Python The Python code examples show how to connect and subscribe to the SCMB. For more information about Python (Pika AMQP client library and AMQP client library), see pika.readthedocs.org/, and Installation 1. Install the pika and amqp libraries. a. Download and install the setuptools (Python setup.py install) at pypi/setuptools#downloads. b. Install the pika tools. When you install the pika or amqp libraries, run the same python setup.py install command from the downloaded pika or amqp directory. 2. Create the certificate. POST /rest/certificates/client/rabbitmq equest body: {"type":"abbitmqclientcertv2","commonname":"default"} 3. Download the client certificate and private key. GET /rest/certificates/client/rabbitmq/keypair/default 310 Using a message bus to send data to subscribers

311 Pika 4. Save the contents of the client certificate in the response body into a text file named client.pem. You must copy and paste everything from -----BEGIN CETIFICATE----- to -----END CETIFICATE-----, including the dashes, but not including the quotes. You must replace all instances of \n with C/LF (carriage return / line feed). 5. Save the contents of the private key in the response body into a text file named key.pem. You must copy and paste everything from -----BEGIN SA PIVATE KEY----- to -----END SA PIVATE KEY-----, including the dashes, but not including the quotes. You must replace all instances of \n with C/LF (carriage return / line feed). 6. Download the root CA certificate. GET /rest/certificates/ca 7. Save the contents in the response body into a text file named caroot.pem. You must copy and paste everything from -----BEGIN CETIFICATE----- to -----END CETIFICATE-----, including the dashes, but not including the quotes. You must replace all instances of \n with C/LF (carriage return / line feed). Example 6 Pika example When you invoke the script, you must pass host:{hostname or IP}. See the following examples: --host: host:my-appliance.example.com IMPOTANT: If the connection fails on the first attempt to invoke this script after an appliance reboot, try invoking the script again. import pika, ssl from optparse import OptionParser from pika.credentials import ExternalCredentials import json import logging logging.basicconfig() ############################################### # Callback function that handles messages def callback(ch, method, properties, body): msg = json.loads(body) timestamp = msg['timestamp'] resourceuri = msg['resourceuri'] resource = msg['resource'] changetype = msg['changetype'] print print ("%s: Message received:" %(timestamp)) print ("outing Key: %s" %(method.routing_key)) print ("Change Type: %s" %(changetype)) print ("esource UI: %s" %(resourceuri)) print ("esource: %s" %(resource)) # Pem Files needed, be sure to replace the \n returned from the APIs with C/LF # caroot.pem - the CA oot certificate - GET /rest/certificates/ca # client.pem, first POST /rest/certificates/client/rabbitmq equest body: {"type":"abbitmqclientcert","commonname":"default"} # GET /rest/certificates/client/rabbitmq/keypair/default # client.pem is the key with -----BEGIN CETIFICATE----- # key.pem is the key with -----BEGIN SA PIVATE KEY----- # Setup our ssl options ssl_options = ({"ca_certs": "caroot.pem", "certfile": "client.pem", "keyfile": "key.pem", "cert_reqs": ssl.cet_equied, "server_side": False}) parser = OptionParser() parser.add_option('--host', dest='host', 28.2 Using the State-Change Message Bus (SCMB) 311

312 ) help='pika server to connect to (default: %default)', default='localhost', AMQP options, args = parser.parse_args() # Connect to abbitmq host = options.host print ("Connecting to %s:5671, to change use --host hostname " %(host)) connection = pika.blockingconnection( pika.connectionparameters( host, 5671, credentials=externalcredentials(), ssl=true, ssl_options=ssl_options)) # Create and bind to queue EXCHANGE_NAME = "scmb" OUTING_KEY = "scmb.#" channel = connection.channel() result = channel.queue_declare() queue_name = result.method.queue channel.queue_bind(exchange=exchange_name, queue=queue_name, routing_key=outing_key) channel.basic_consume(callback, queue=queue_name, no_ack=true) # Start listening for messages channel.start_consuming() Example 7 AMQP example When you invoke the script, you must pass host:{hostname or IP}. See the following examples: --host: host:my-appliance.example.com IMPOTANT: If the connection fails on the first attempt to invoke this script after an appliance reboot, try invoking the script again. #!/usr/bin/env python from optparse import OptionParser from functools import partial import amqplib.client_0_8 as amqp def callback(channel, msg): for key, val in msg.properties.items(): print ('%s: %s' % (key, str(val))) for key, val in msg.delivery_info.items(): print ('> %s: %s' % (key, str(val))) print ('') print (msg.body) print (' ') print msg.delivery_tag channel.basic_ack(msg.delivery_tag) # # Cancel this callback # if msg.body == 'quit': channel.basic_cancel(msg.consumer_tag) def main(): parser = OptionParser() parser.add_option('--host', dest='host', help='amqp server to connect to (default: %default)', default='localhost', ) options, args = parser.parse_args() host = options.host+":5671" # Pem Files needed, be sure to replace the \n returned from the APIs with C/LF # caroot.pem - the CA oot certificate - GET /rest/certificates/ca # client.pem, first POST /rest/certificates/client/rabbitmq equest body: {"type":"abbitmqclientcert","commonname":"default"} 312 Using a message bus to send data to subscribers

313 # GET /rest/certificates/client/rabbitmq/keypair/default # client.pem is the key with -----BEGIN CETIFICATE----- # key.pem is the key with -----BEGIN SA PIVATE KEY----- ssl_options = ({"ca_certs": "caroot.pem", "certfile": "client.pem", "keyfile": "key.pem", # "cert_reqs": CET_EQUIED, "server_side": False}) print ('Connecting to host %s, to change use --host hostname ' %host) conn = amqp.connection(host, login_method='extenal', ssl=ssl_options) print ('Successfully connected, creating and binding to queue') ch = conn.channel() qname, _, _ = ch.queue_declare() ch.queue_bind(qname, 'scmb', 'scmb.#') ch.basic_consume(qname, callback=partial(callback, ch)) print ('Successfully bound to queue, waiting for messages') #pyamqp:// # # Loop as long as the channel has callbacks registered # while ch.callbacks: ch.wait() ch.close() conn.close() if name == ' main ': main() e-create the AMQP client certificate If you change the appliance name, you must re-create the AMQP client certificate. Prerequisites Minimum required session ID privileges: Infrastructure administrator e-creating and downloading the client certificate, private key, and root CA certificate 1. evoke the certificate. DELETE /rest/certificates/ca/rabbitmq_readonly equest body is not required. NOTE: When you revoke the default client certificate, the appliance re-generates the CA certificate, AMQP server certificate, and the default client certificate. 2. Download the certificate and private key. GET /rest/certificates/client/rabbitmq/keypair/default 3. Download the root CA certificate. GET /rest/certificates/ca 28.3 Using the Metric Streaming Message Bus (MSMB) The Metric Streaming Message Bus (MSMB) is an interface that uses asynchronous messaging to notify subscribers about the most recent metrics of the managed resources. You can configure the interval and the metrics that you want to receive using the EST APIs Using the Metric Streaming Message Bus (MSMB) 313

314 Connect to the MSMB Prerequisites To use the MSMB, you must do the following tasks: Use EST APIs to create and download an Advanced Message Queuing Protocol (AMQP) certificate from the appliance. Connect to the MSMB using one or both of these methods: Use the EXTENAL authentication mechanism Connect without sending a user name and password Using one of these methods ensures that certificate-based authentication is used. Set up a queue with an empty queue name. AMQP generates a unique queue name. You use this queue name to bind to exchanges and receive messages. Create and download the AMQP client certificate Creating and downloading the client certificate, private key, and root CA certificate 1. Create the certificate. POST /rest/certificates/client/rabbitmq equest body: {"type":"abbitmqclientcertv2","commonname":"default"} 2. Download the certificate and private key. GET /rest/certificates/client/rabbitmq/keypair/default 3. Download the root CA certificate. GET /rest/certificates/ca 4. After you connect the client to the MSMB, you can Set up a queue to connect to the HPE OneView MSMB exchange (page 315). Figure 22 Connecting the client to the MSMB 1 The MSMB consumer requests a client certificate as part of the registration process. 3 The appliance issues a client certificate to the MSMB consumer. 4 The MSMB client provides a SSL client certificate to 5 The appliance can revoke the MSMB client certificate to deny access to the MSMB client. The client is managed 314 Using a message bus to send data to subscribers

315 2 The appliance manages the client certificates in a JVK create a connection with the appliance. into a CL (Certificate evocation List) file. (Java KeyStore) file. 6 The appliance authenticates the MSMB client using the client certificate Set up a queue to connect to the HPE OneView MSMB exchange The metric streaming messages are published to the HPE OneView MSMB exchange name. To subscribe to messages, you must create a queue or connect to an existing queue that receives messages from the MSMB exchange based on a routing key. When you create a queue, you define the routing key associated with the queue to receive specific messages. Exchange Name: msmb outing Key: msmb.# where: msmb The HPE OneView exchange name for metric streaming. Sample queues Subscription eceive all MSMB messages for physical servers, enclosures, and power devices Example The exchange is msmb The routing key is msmb.# Configure metric relay using Metric Streaming configuration API JSON structure of message received from the MSMB The following table lists the attributes included in the JSON payload of each message from the MSMB. The resource model for the HPE OneView resource is included in the resource attribute. To view all resource models, see the HPE OneView EST API eference chapter in the online help. Attribute resourceuri changetype newstate etag timestamp newsubstate resource associatedtask userinitiatedtask changedattributes data Data type String String String String String String MetricData String String Array Object Description The UI for the resource. The state-change type: Created, Updated, or Deleted. The new state of the resource. The ETag for the resource when the state change occurred. The time the message was sent. If substate messages are required (for substate machines associated with a primary state), this is the resource-specific substate. The resource model. If a task is not associated with this message, the value is null. The value of the userinitiated attribute included in the associatedtask attribute. A list of top-level attributes that have changed based on the POST or PUT call that caused the state-change message to be sent. Additional information about the resource state change Using the Metric Streaming Message Bus (MSMB) 315

316 MetricData Attribute starttime sampleintervalinseconds numberofsamples resourcetype resourcedatalist uri category created modified etag type Data type String Integer Integer String List String String Timestamp Timestamp String String Description The starting time of the metric collection. Interval between samples. Number of samples in the list for each metric type. Identifies the category of resource. The supported devices are server-hardware, enclosures, and power-devices. Metric sample list. Canonical UI of the resource. Identifies the category of resource. The supported devices are server-hardware, enclosures, and power-devices. Date and time when the resource was created. Date and time when the resource was last modified. Entity tag/version ID of the resource, the same value that is returned in the ETag header on a GET of the resource. Uniquely identifies the type of the JSON object. 316 Using a message bus to send data to subscribers

317 Example 8 Structure of message received from the MSMB { "etag": null, "resourceuri": "/rest/enclosures/09sgh100x6j1", "changetype": "Updated", "newstate": null, "newsubstate": null, "associatedtask": null, "userinitiatedtask": false, "changedattributes": null, "data": null, "resource": { "type": "MetricData", "resourcetype": "enclosures", "resourcedatalist": [ { "metricsamplelist": [ { "valuearray": [ null ], "name": "atedcapacity" }, { "valuearray": [ 523 ], "name": "AveragePower" }, { "valuearray": [ 573 ], "name": "PeakPower" }, { "valuearray": [ null ], "name": "PowerCap" }, { "valuearray": [ 23 ], "name": "AmbientTemperature" }, { "valuearray": [ null ], "name": "DeratedCapacity" } ], "resourceid": "09SGH100X6J1" } ], "numberofsamples": 1, "sampleintervalinseconds": 300, "starttime": " T08:43:36.294Z", "etag": null, "modified": null, "created": null, "category": "enclosures", 28.3 Using the Metric Streaming Message Bus (MSMB) 317

318 } "uri": "/rest/enclosures/09sgh100x6j1" }, "timestamp": " T08:48:36.819Z" Example to connect and subscribe to MSMB using.net C# Prerequisites In addition to completing the prerequisites, you must complete the example-specific prerequisites before using the.net C# examples. To use the.net C# examples, add the following to the Windows certificate store: CA root certificate. Client certificate Private key To try the.net C# examples, do the following: 1. Download the root CA certificate. GET /rest/certificates/ca 2. Save the contents in the response body into a text file named rootca.crt. You must copy and paste everything from -----BEGIN CETIFICATE----- to -----END CETIFICATE-----, including the dashes, but not including the quotes. 3. Import the rootca.crt file into the Windows certificate store under Trusted oot Certification Authorities. 4. Download the client certificate and private key. GET /rest/certificates/client/rabbitmq/keypair/default 5. Save the contents of the client certificate and private key in the response body into a text file named msmb.crt. You must copy and paste everything from -----BEGIN CETIFICATE----- to -----END CETIFICATE----- for the client certificate. Next, copy and paste everything from -----BEGIN SA PIVATE KEY----- to -----END SA PIVATE KEY----- for the private key. You must include the dashes, but do not include the quotes. 318 Using a message bus to send data to subscribers

319 Example 9 Using.Net C# to directly reference client certificate Convert the client certificate and private key to PKCS format for.net. openssl.exe pkcs12 -passout pass:default -export -in msmb.crt -out msmb.p12 Example public void Connect() { string exchangename = "msmb"; string hostname = "OneView.domain"; string queuename = ""; string routingkey = "msmb.#"; }; ConnectionFactory factory = new ConnectionFactory(); factory.authmechanisms = new abbitmq.client.authmechanismfactory[] { new ExternalMechanismFactory() factory.hostname = hostname; factory.port = 5671; factory.ssl.certpath factory.ssl.certpassphrase = "default"; factory.ssl.servername = hostname; factory.ssl.enabled = true; IConnection connection = factory.createconnection(); IModel model = connection.createmodel(); queuename = model.queuedeclare(queuename, false, false, false, null); model.queuebind(queuename, exchangename, routingkey, null); } using (Subscription sub = new Subscription(model, queuename)) { foreach (BasicDeliverEventArgs ev in sub) { DoSomethingWithMessage(ev); sub.ack(); } } Example 10 Using.Net C# to import certificate to Microsoft Windows certificate store Import the msmb.crt into your preferred Windows certificate store. Example public void Connect() { string exchangename = "msmb"; string hostname = "OneView.domain"; string queuename = ""; string routingkey = "msmb.#"; string username = "rabbitmq_readonly"; X509Store store = new X509Store(StoreName.oot, StoreLocation.LocalMachine); store.open(openflags.eadwrite); X509Certificate cert = store.certificates.find(x509findtype.findbysubjectname, username, false).oftype<x509certificate>().first(); }; ConnectionFactory factory = new ConnectionFactory(); factory.authmechanisms = new abbitmq.client.authmechanismfactory[] { new ExternalMechanismFactory() factory.hostname = hostname; factory.port = 5671; factory.ssl.certs = new X509CertificateCollection(new X509Certificate[] { cert }); factory.ssl.servername = hostname; factory.ssl.enabled = true; IConnection connection = factory.createconnection(); IModel model = connection.createmodel(); queuename = model.queuedeclare(queuename, false, false, false, null); model.queuebind(queuename, exchangename, routingkey, null); } using (Subscription sub = new Subscription(model, queuename)) { foreach (BasicDeliverEventArgs ev in sub) { DoSomethingWithMessage(ev); sub.ack(); } } 28.3 Using the Metric Streaming Message Bus (MSMB) 319

320 NOTE: Using.Net C# to import certificate to Microsoft Windows certificate store references the Trusted oot Certificate Authorities store, located under Local Computer. StoreName.oot = Trusted oot Certificate Authorities StortLocation.LocalMachine = Local Computer Example to connect and subscribe to MSMB using Java 1. Download the client certificate and private key. GET /rest/certificates/client/rabbitmq/keypair/default 2. Save the contents of the client certificate in the response body into a text file named default-client.crt. You must copy and paste everything from -----BEGIN CETIFICATE----- to -----END CETIFICATE-----, including the dashes, but not including the quotes. 3. Save the contents of the private key in the response body into a text file named default-client.key. You must copy and paste everything from -----BEGIN SA PIVATE KEY----- to -----END SA PIVATE KEY-----, including the dashes, but not including the quotes. 4. Create a PKCS12 keystore from the private key and the public certificate. openssl pkcs12 -export -name myclientcert -in default-client.crt -inkey default-client.key -out myclient.p12 5. Convert the PKCS12 keystore into a JKS keystore. keytool -importkeystore -destkeystore c:\\mykeystore -srckeystore myclient.p12 -srcstoretype pkcs12 -alias myclient 320 Using a message bus to send data to subscribers

321 Example 11 Example to connect and subscribe to MSMB using Java //c://mykeystore contains client certificate and private key. Load it into Java Keystore final char[] keypassphrase = "MyKeyStorePassword".toCharArray(); final KeyStore ks = KeyStore.getInstance("jks"); ks.load(new FileInputStream("c://MyKeyStore"), keypassphrase); final KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); kmf.init(ks, keypassphrase); //c://mytruststore contains CA certificate. Load it into Java Trust Store final char[] trustpassphrase = "MyTrustStorePassword".toCharArray(); final KeyStore ks = KeyStore.getInstance("jks"); tks.load(new FileInputStream("c:\\MyTrustStore"), trustpassphrase); final TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); tmf.init(tks); //load SSLContext with keystore and truststore. final SSLContext c = SSLContext.getInstance("SSL"); c.init(kmf.getkeymanagers(), tmf.gettrustmanagers(), new Secureandom()); final ConnectionFactory factory = new ConnectionFactory(); factory.sethost(" "); //Set Auth mechanism to "EXTENAL" so that commonname of the client certificate is mapped to AMQP user name. Hence, No need to set userid/password here. factory.setsaslconfig(defaultsaslconfig.extenal); factory.setport(5671); factory.usesslprotocol(c); final Connection conn = factory.newconnection(); final Channel channel = conn.createchannel(); //do not specify queue name. AMQP will create a queue with random name starting with amq.gen* e.g. amq.gen-32sfqz95qj85k_lmbhu6ha final DeclareOk queue = channel.queuedeclare("", true, false, true, null); //Now get the queue name from above call and bind it to required Exchange with required routing key. channel.queuebind(queue.getqueue(), "msmb", "msmb.#"); //Now you should be able to receive messages from queue final Getesponse chesponse = channel.basicget(queue.getqueue(), false); if (chesponse == null) { System.out.println("No message retrieved"); } else { final byte[] body = chesponse.getbody(); System.out.println("eceived: " + new String(body)); } channel.close(); conn.close(); Examples to connect and subscribe to MSMB using Python The Python examples show how to connect and subscribe to the MSMB. For more information about Python (Pika AMQP client library and AMQP client library), see Introduction to Pika ( pika.readthedocs.org/, and AMQP Client Library ( pypi.python.org/pypi/amqplib/) Installation 1. Install the pika and amqp libraries. a. Download and install the setup tools (Python setup.py install) at pypi.python.org/pypi/setuptools#downloads. b. Install the pika tools. When you install the pika or amqp libraries, run the same python setup.py install command from the downloaded pika or amqp directory. 2. Create the certificate. POST /rest/certificates/client/rabbitmq equest body: {"type":"abbitmqclientcertv2","commonname":"default"} 28.3 Using the Metric Streaming Message Bus (MSMB) 321

322 Pika 3. Download the client certificate and private key. GET /rest/certificates/client/rabbitmq/keypair/default 4. Save the contents of the client certificate in the response body into a text file named client.pem. You must copy and paste everything from -----BEGIN CETIFICATE----- to -----END CETIFICATE-----, including the dashes, but not including the quotes. You must replace all instances of \n with C/LF (carriage return / line feed). 5. Save the contents of the private key in the response body into a text file named key.pem. You must copy and paste everything from -----BEGIN SA PIVATE KEY----- to -----END SA PIVATE KEY-----, including the dashes, but not including the quotes. You must replace all instances of \n with C/LF (carriage return / line feed). 6. Download the root CA certificate. GET /rest/certificates/ca 7. Save the contents in the response body into a text file named caroot.pem. You must copy and paste everything from -----BEGIN CETIFICATE----- to -----END CETIFICATE-----, including the dashes, but not including the quotes. You must replace all instances of \n with C/LF (carriage return / line feed). Example 12 Pika example When you invoke the script, you must pass host:{hostname or IP}. See the following examples: --host: host:my-appliance.example.com IMPOTANT: If the connection fails on the first attempt to invoke this script after an appliance reboot, try invoking the script again. import pika, ssl from optparse import OptionParser from pika.credentials import ExternalCredentials import json import logging logging.basicconfig() ############################################### # Callback function that handles messages def callback(ch, method, properties, body): msg = json.loads(body) timestamp = msg['timestamp'] resourceuri = msg['resourceuri'] resource = msg['resource'] changetype = msg['changetype'] print print ("%s: Message received:" %(timestamp)) print ("outing Key: %s" %(method.routing_key)) print ("Change Type: %s" %(changetype)) print ("esource UI: %s" %(resourceuri)) print ("esource: %s" %(resource)) # Pem Files needed, be sure to replace the \n returned from the APIs with C/LF # caroot.pem - the CA oot certificate - GET /rest/certificates/ca # client.pem, first POST /rest/certificates/client/rabbitmq equest body: {"type":"abbitmqclientcert","commonname":"default"} # GET /rest/certificates/client/rabbitmq/keypair/default # client.pem is the key with -----BEGIN CETIFICATE----- # key.pem is the key with -----BEGIN SA PIVATE KEY----- # Setup our ssl options ssl_options = ({"ca_certs": "caroot.pem", "certfile": "client.pem", "keyfile": "key.pem", 322 Using a message bus to send data to subscribers

323 AMQP "cert_reqs": ssl.cet_equied, "server_side": False}) parser = OptionParser() parser.add_option('--host', dest='host', help='pika server to connect to (default: %default)', default='localhost', ) options, args = parser.parse_args() # Connect to abbitmq host = options.host print ("Connecting to %s:5671, to change use --host hostname " %(host)) connection = pika.blockingconnection( pika.connectionparameters( host, 5671, credentials=externalcredentials(), ssl=true, ssl_options=ssl_options)) # Create and bind to queue EXCHANGE_NAME = "msmb" OUTING_KEY = "msmb.#" channel = connection.channel() result = channel.queue_declare() queue_name = result.method.queue channel.queue_bind(exchange=exchange_name, queue=queue_name, routing_key=outing_key) channel.basic_consume(callback, queue=queue_name, no_ack=true) # Start listening for messages channel.start_consuming() Example 13 AMQP example When you invoke the script, you must pass host:{hostname or IP}. See the following examples: --host: host:my-appliance.example.com IMPOTANT: If the connection fails on the first attempt to invoke this script after an appliance reboot, try invoking the script again. #!/usr/bin/env python from optparse import OptionParser from functools import partial import amqplib.client_0_8 as amqp def callback(channel, msg): for key, val in msg.properties.items(): print ('%s: %s' % (key, str(val))) for key, val in msg.delivery_info.items(): print ('> %s: %s' % (key, str(val))) print ('') print (msg.body) print (' ') print msg.delivery_tag channel.basic_ack(msg.delivery_tag) # # Cancel this callback # if msg.body == 'quit': channel.basic_cancel(msg.consumer_tag) def main(): parser = OptionParser() parser.add_option('--host', dest='host', help='amqp server to connect to (default: %default)', default='localhost', ) options, args = parser.parse_args() 28.3 Using the Metric Streaming Message Bus (MSMB) 323

324 host = options.host+":5671" # Pem Files needed, be sure to replace the \n returned from the APIs with C/LF # caroot.pem - the CA oot certificate - GET /rest/certificates/ca # client.pem, first POST /rest/certificates/client/rabbitmq equest body: {"type":"abbitmqclientcert","commonname":"default"} # GET /rest/certificates/client/rabbitmq/keypair/default # client.pem is the key with -----BEGIN CETIFICATE----- # key.pem is the key with -----BEGIN SA PIVATE KEY----- ssl_options = ({"ca_certs": "caroot.pem", "certfile": "client.pem", "keyfile": "key.pem", # "cert_reqs": CET_EQUIED, "server_side": False}) print ('Connecting to host %s, to change use --host hostname ' %host) conn = amqp.connection(host, login_method='extenal', ssl=ssl_options) print ('Successfully connected, creating and binding to queue') ch = conn.channel() qname, _, _ = ch.queue_declare() ch.queue_bind(qname, 'msmb', 'msmb.#') ch.basic_consume(qname, callback=partial(callback, ch)) print ('Successfully bound to queue, waiting for messages') #pyamqp:// # # Loop as long as the channel has callbacks registered # while ch.callbacks: ch.wait() ch.close() conn.close() if name == ' main ': main() e-create the AMQP client certificate If you change the appliance name, you must re-create the AMQP client certificate. NOTE: If the certificates are already created, you can skip this step. Prerequisites Minimum required session ID privileges: Infrastructure administrator e-creating and downloading the client certificate, private key, and root CA certificate 1. evoke the certificate. DELETE /rest/certificates/ca/rabbitmq_readonly equest body is not required. NOTE: When you revoke the default client certificate, the appliance re-generates the CA certificate, AMQP server certificate, and the default client certificate. 2. Download the certificate and private key. GET /rest/certificates/client/rabbitmq/keypair/default 3. Download the root CA certificate. GET /rest/certificates/ca 324 Using a message bus to send data to subscribers

325 29 Generating reports HPE OneView offers predefined reports to help you manage your appliance and its environment. You can view the reports in the UI or generate them using EST API. You can also save the reports as a Microsoft Excel workbook (*.xlsx) or CSV MS-DOS (*.csv). UI screens and EST API resources UI screen eports EST API resource reports 29.1 oles Minimum required privileges: Infrastructure administrator (for local users report) 29.2 Tasks for reports The appliance online help provides information about using the UI or the EST APIs to: View a report. Save a report About reports HPE OneView offers reports to help you monitor your inventory as well as help you monitor your environment. The inventory reports provide information about your servers or enclosures such as model, serial number, part number, and so on. Other reports provide a picture of the overall status of your environment. Select a report, by name, from the left navigation column of the eports screen. You can view or save the report. For more information, see View and save a report in the online help. The main pane of the screen describes the report chosen. It provides a bar chart, a donut chart, or both, and tabular data for more detailed information oles 325

326 326

327 30 Using data services Using EST APIs, you can collect metrics from devices managed by HPE OneView and preserve that data remotely from the HPE OneView appliance for viewing in other software tools. This gives you the flexibility to further analyze the data in meaningful ways About data services Using data services, you can make data available for offline analysis and troubleshooting. For information on supported data types, see the following sections on metric streaming and log forwarding About metric streaming The HPE OneView EST APIs allow you to configure the relay of enclosure, server-hardware, and power-devices performance metrics over MSMB. Following is the list of metrics supported. Enclosures: ated Capacity: The limit of the enclosure s peak power consumption, in watts. Derated Capacity: The limit of the enclosure s average power consumption, in watts. Ambient Temperature: The temperature of the enclosure over the time interval in Celsius or Fahrenheit. Average Power: The average power consumption of the device over the time interval, in watts. Powercap: The power cap set for the enclosure, in watts. Peak Power: The peak power consumption of the enclosure over the time interval, in watts. Power-devices: Average Power: The average power consumption of the device over the time interval, in watts. Peak Power: The peak power consumption of the device over the time period, in watts. Server-hardware: CPU Utilization: The percentage of CPU utilized by the device over the time interval. CPU Average Frequency: The speed of the device CPU over the time interval, in GHz. Ambient Temperature: The temperature of the enclosure over the time interval in Celsius or Fahrenheit. Average Power: The average power consumption of the device over the time interval, in watts. Powercap: The user-defined power cap set for server-hardware. Peak Power: The peak power consumption of the device over the time period, in watts About log forwarding to a remote syslog server EST APIs can be used to configure the remote syslog destination. Once configured, the logs are streamed directly from the device using rsyslog About data services 327

328 30.2 EST API to enable metric streaming Metrics for managed resources can be streamed at a specified interval. /rest/metrics/capability /rest/metrics/configuration Table 14 ecommended metric frequency of relay for a maximum number of devices by device type Device type Max devices Frequency (sec) Max devices Frequency (sec) Max devices Frequency (sec) Max devices Frequency (sec) Max devices Frequency (sec) Enclosure Power-devices Server-hardware oles For example, the recommended configuration for 640 servers, 80 power devices, and 40 enclosures is as follows: { "sourcetypelist": [ { "frequencyofelayinseconds": 3600, "sampleintervalinseconds": 300, "sourcetype": "/rest/server-hardware" }, { "frequencyofelayinseconds": 3600, "sampleintervalinseconds": 300, "sourcetype": "/rest/power-devices" }, { "frequencyofelayinseconds": 1800, "sampleintervalinseconds": 300, "sourcetype": "/rest/enclosures" } ] } Minimum required privileges: Infrastructure administrator Tasks for metrics EST API The appliance online help provides information about using the EST APIs to Fetch metric streaming capability Fetch metric streaming configuration Update metric streaming configuration NOTE: license. When configured, metrics are streamed only for servers with HPE OneView Advanced 30.3 EST API to leverage remote system logs The remotesyslog EST API allows you to implement a remote system log server to receive and retain remote Syslog data and to configure the data relay. 328 Using data services

329 oles This EST API allows you to configure a remote syslog destination server and port. Once configured, all servers with HPE OneView Advanced license and enclosures will forward the logs to this remote syslog server. /rest/logs/remotesyslog Minimum required privileges: Infrastructure administrator Tasks for remotesyslog EST API The appliance online help provides information about using the EST APIs to Fetch remotesyslog configuration Update remotesyslog configuration 30.3 EST API to leverage remote system logs 329

330 330

331 Part V Troubleshooting The chapters in this part include information you can use when troubleshooting issues in your data center, and information about restoring the appliance from a backup file in the event of a catastrophic failure.

332 332

333 31 Troubleshooting HPE OneView has a variety of troubleshooting tools you can use to resolve issues. By following a combined approach of examining screens and logs, you can obtain a history of activity and of the errors encountered along the way. For specific troubleshooting instructions, select a topic from the following list. Category Activity Appliance Appliance network setup Enclosures and enclosure groups Firmware bundles Interconnects Licensing Logical interconnects Networks Server hardware Server profiles Storage User accounts and groups Learn more Basic troubleshooting techniques (page 333) Create a support dump file (page 335) Create a support dump for authorized technical support using EST API scripting (page 338) Troubleshooting locale issues (page 376) 31.1 Basic troubleshooting techniques HPE OneView has a variety of troubleshooting tools you can use to resolve issues. By following a combined approach of examining screens and logs, you can obtain a history of activity and the errors encountered. The Activity screen displays a log of all changes made on the appliance, whether user-initiated or appliance-initiated. It is similar to an audit log, but with finer detail and it is easier to access from the UI. The Activity screen also provides a log of health alerts and status notifications. Download an audit log to help an administrator understand what security relevant actions took place on the system. Create a support dump file to gather logs and other information required for debugging into an encrypted, compressed file that you can send to your authorized support representative for analysis. eview reports for interconnect, server, and enclosure status. eports can also provide inventory information and help you see the types of server models and processors in your data center. They can also show you what firmware needs to be updated Basic troubleshooting techniques 333

334 NOTE: If the UI is not available, you can use the Maintenance console for troubleshooting. ecommendation Look for a message Examine the Activity screen Details About syntax errors: The user interface checks for syntax when you enter a value. If you make a syntax error, an instructional message appears next to the entry. The user interface or command line continues to display messages until you enter the correct value. About network setup errors: Before applying them, the appliance verifies key network parameters like the IP address and the fully qualified domain name (FQDN), to ensure that they have the proper format. After network settings are applied, the appliance performs additional validation, such as reachability checks and host name to IP lookup. If a parameter is incorrect, the appliance generates an alert that describes validation errors for the Network Interface Card (NIC), and the connection between the browser and the appliance can be lost. About reported serious errors: Check connectivity to the enclosure from the appliance. Create a support dump and contact your authorized support representative. To find a message for an activity: NOTE: You might need to perform these steps from the virtual console. 1. Locate recent activities with a Critical or Warning status. 2. Expand the activity to see recommendations on how to resolve the error. 3. Follow the instructions About the support dump file Some error messages recommend that you create a support dump of the Synergy Management appliance and send it to an authorized support representative for analysis. The support dump process performs the following functions: Deletes any existing support dump file Gathers logs and other information required for debugging Creates a compressed file with a name in the following format: hostname-identifier timestamp.sdmp Where, for support dump files created from the UI, identifier is either CI (indicating an appliance support dump) or LE (indicating a logical enclosure support dump). The support dump contains data that might be considered customer sensitive such as hostnames, IP addresses, and the appliance audit log. Unless you specify otherwise, all data in the support dump file is encrypted so that only an authorized support representative can access it. You can choose not to encrypt the support dump file if you are an Infrastructure administrator. This can be useful if you have an onsite, authorized support representative or if your environment prohibits outside connections. You can also validate the contents of the support dump file and verify that it does not contain data considered sensitive in your environment. 334 Troubleshooting

335 IMPOTANT: If the appliance is in an error state, a special Oops screen is displayed. Anyone can create an encrypted support dump file from that screen without the need for logging in or other authentication. Creating the support dump file will remove the backup file that exists on the Synergy Management appliance. Move the backup file to an external location before proceeding. The support dump file contains the following: Operating system logs Product logs The results of certain operating system and product-related commands Items logged in the support dump file are recorded according to UTC time. About support dump created from a clustered appliance When created from a clustered appliance, the support dump file contains information from both the active appliance and the standby appliance. If the standby appliance is not reachable, its dump file data is not included only the active appliance dump data is available; the support dump will be named with the fully-qualified domain name, the enclosure name, and the appliance bay of the active appliance, and can be retrieved using the Maintenance console on the active appliance. About logical enclosure support dumps You can create a logical enclosure support dump, which, by default, includes the appliance support dump. The logical enclosure support dump file includes content from each member logical interconnect. After the logical enclosure support dump is created, it is incorporated into the appliance support dump and the entire bundle of files is compressed into a zip file and encrypted for downloading. NOTE: To create a logical enclosure support dump that does not contain the appliance support dump, you must use the logical enclosure EST APIs. For more information, see the EST API scripting online help for logical enclosures. See also Create a support dump file (page 335) 31.3 Create a support dump file Use this procedure to create a support dump file for the appliance only or for the logical enclosure and the appliance. CAUTION: Creating the support dump file could overwrite an existing backup file. If a backup file exists on the appliance, move it to an external location for safekeeping before creating the support dump Create a support dump file 335

336 Prerequisites Minimum required privileges: Network administrator, Server administrator, Infrastructure administrator, Backup administrator, ead only NOTE: Only the Infrastructure administrator has the option of not encrypting a support dump file. When a user with a different role creates a support dump file, it is encrypted automatically. Creating a support dump file 1. For an appliance support dump file, do one of the following: From the main menu, click Settings, and then in the Appliance panel, click Create support dump. From the main menu, click Settings, click Appliance, and then select Actions Create support dump. 2. If you are an Infrastructure administrator, choose whether or not to encrypt the support dump file: a. To encrypt the support dump file, confirm that the Enable support dump encryption check box is selected. b. To turn off encryption, clear the Enable support dump encryption check box. 3. Click Yes, create. You can continue doing other tasks while the support dump file is created. 4. The support dump file is downloaded when this task is completed. If your browser settings specify a default download folder, the support dump file is placed in that folder. Otherwise, you are prompted to indicate where to download the file. 5. Verify that the support dump file was saved to the correct folder. 6. Contact your authorized support representative for instructions on how to transfer the support dump file to Hewlett Packard Enterprise. For information on contacting Hewlett Packard Enterprise, see Accessing Hewlett Packard Enterprise Support (page 405). IMPOTANT: Unless you specify otherwise, the support dump file is encrypted so that only an authorized support representative can view its contents. The Hewlett Packard Enterprise data retention policy requires that all sent support dump files be deleted after use. See also About the support dump file (page 334) Troubleshooting: Cannot create a support dump file 31.4 Create a support dump file and write it to a USB drive from the UI This procedure describes how to use the UI to create a support dump file from the console of a physical appliance and store it on a USB drive. CAUTION: Creating the support dump file could overwrite a backup file. If a backup file exists on the USB drive, move it to an external location for safekeeping before creating the support dump. 336 Troubleshooting

337 NOTE: The support dump file is encrypted by default. Only the Infrastructure administrator has the option to save the support dump file without encryption. Prerequisites Use a USB 2.0 or 3.0 device drive, formatted as an NTFS or FAT32 file system and with only one partition. If necessary, use a computer to format the USB drive. The USB drive must have enough free space (typically 1 to 4 GB) to store the support dump file. USB drives with a capacity of up to 16 GB have been tested successfully. The USB drive must be installed in the USB port of the active appliance. Ensure that a backup file is not currently being created. If so, creating a new support dump stops that operation and overwrites the backup file. Creating a support dump file and writing it to a USB drive 1. Access HPE OneView on the physical console. 2. From the main menu, select Settings and do one of the following: Click Create support dump in the Appliance panel. Click Appliance on the Settings screen, and then select Actions Create support dump. Alternatively, you can create a support dump file from the Oops screen by selecting Create support dump. You will be required to log in as an Infrastructure administrator. 3. If you are an Infrastructure administrator, choose whether or not to encrypt the support dump file: a. To encrypt the support dump file, confirm that the Enable support dump encryption check box is selected. b. To turn off encryption, clear the Enable support dump encryption check box. 4. Click Yes, create. You can continue doing other tasks while the support dump file is created. 5. Wait until the support dump file is downloaded. There will be an message on the screen stating that the support dump was successfully created and that it is safe to remove the USB drive. 6. Verify that the support dump file was saved by examining the contents of the USB drive for the support dump file name. 7. If necessary, contact your authorized support representative for instructions on how to send the support dump file to Hewlett Packard Enterprise. See also About the support dump file (page 334) Accessing Hewlett Packard Enterprise Support (page 405) Create a support dump file and write it to a USB drive from the UI 337

338 31.5 Create a support dump for authorized technical support using EST API scripting Some error messages recommend that you create a support dump of the appliance to send to an authorized support representative for analysis. The support dump process: Deletes any existing support dump file Gathers logs and other information required for debugging Creates a compressed file Unless you specify otherwise, all data in the support dump file is encrypted so that it is accessible only by an authorized support representative. You might choose not to encrypt the support dump file if you have an onsite, authorized support representative or if your environment prohibits outside connections. You can also validate the contents of the support dump file and verify that it does not contain sensitive data such as passwords. IMPOTANT: If the appliance is in an error state, you can still create an encrypted support dump file without logging in or other authentication. The support dump file contains the following: Operating system logs (from /var/log) Product logs (from /ci/logs) The results of certain operating system and product-related commands Items logged in the support dump file are recorded in UTC (Coordinated Universal Time). Prerequisites Minimum required session ID privileges: Infrastructure administrator Creating a support dump using EST APIs 1. Create a support dump. POST /rest/appliance/support-dumps 2. Use the value of the uri element in the esponse Body from the POST in step 1 to download the support dump. GET /rest/appliance/support-dumps/{file name} IMPOTANT: Unless you specify otherwise, the support dump file is encrypted so that only authorized support personnel can view its contents. In accordance with the Hewlett Packard Enterprise data retention policy, support dump files sent to Hewlett Packard Enterprise are deleted after use Troubleshooting activity Use the following information to troubleshoot alerts that appear on the Activity screen Alert is locked Symptom An alert is locked and cannot be cleared. Cause The locked alert was created by a resource. 338 Troubleshooting

339 Action 1. Expand the alert and follow the recommended action described in esolution. 2. If you need more information, expand the Event details and see the details for correctiveaction. 3. When the resource detects a change, it will automatically change the alert status to Cleared Alerts are not visible in the user interface Symptom You cannot access the Alerts screen or alerts are not posted there. Cause Improper permission Action 1. If possible, log in as a privileged user. Otherwise, request that the Infrastructure administrator change your role so that you can see alerts for the physical resource type. 2. Log in again. 3. View the Activity screen Alert status is reported as blank or unexpected Symptom The status of the alert is other than: Critical Warning OK Unknown Cause Action 1. Clear the alert. 2. estore the alert Alert state is unexpected Symptom The state of the alert is other than Active Locked Cleared Cause A resource reported an unexpected alert state for an underlying problem Troubleshooting activity 339

340 Action 1. Expand the alert and follow the recommended action described in esolution. 2. If you need more information, expand the Event details and see the details for correctiveaction. 3. When the resource detects a change, it will automatically change the alert state to Cleared Troubleshooting the appliance Audit log: Audit log is absent (page 351) Audit log could not be downloaded (page 351) Audit entries are not logged (page 351) Backup/estore: Cannot create or download a backup file (page 345) estore action was unsuccessful (page 352) estart/shutdown: Synergy Composer did not shut down (page 353) Cannot restart the Synergy Composer after a shutdown (page 354) Unexpected appliance shutdown (page 341) Security/Authentication: Unable to import a certificate (page 350) Certificate was revoked (page 350) Invalid certificate chain prevents operations (page 350) Invalid certificate content prevents operations (page 351) You cannot log in (page 355) Hardware setup user cannot log in (page 355) Cannot log in after a factory reset action (page 355) Support dump: Support dump was not created (page 347) Support dump file not saved (page 347) Support dump does not contain data for standby appliance (page 348) Cannot create unencrypted support dump (page 348) Cannot download support dump to USB flash drive (page 349) Update: Cannot update Synergy Composer (page 342) Appliance update file downloads, but update fails (page 343) Appliance update is unsuccessful (page 343) Other: Synergy Composer performance is slow (page 341) Browser does not display the HPE OneView user interface (page 344) 340 Troubleshooting

341 Icons are not visible on the appliance dashboard (page 344) Could not retrieve the browser session (page 345) USB drive not recognized (page 349) einstall the remote console (page 356) Active and standby appliances are not connected (page 356) Synergy Composer is offline, manual action is required (page 357) Synergy Composer is offline and unusable (page 358) Synergy Composer performance is slow Symptom The appliance operates, but its performance is slow. Cause The appliance configuration is not set for optimum performance. Action 1. Ensure that the physical components satisfy the requirements described in the HPE OneView Support Matrix for HPE Synergy. 2. Ensure proper network connection between the appliance and managed devices. 3. Ensure power management is not enabled. 4. Ensure the available storage is acceptable. 5. Ensure the host is not overloaded. 6. From the local computer, use the ping command to determine if the round-trip time of the ping is acceptable. Long times can indicate browser problems. 7. Determine that the browser settings are correct. 8. Consider bypassing the proxy server. 9. Ensure the scale limits are not exceeded. See the HPE OneView Support Matrix for HPE Synergy. 10. Create a support dump and contact your authorized support representative Unexpected appliance shutdown Symptom Appliance crash Cause Unplanned shutdowns Actions to take after a crash Unexpected shutdowns are rare. Check for critical alerts or failed tasks. Follow the resolution instructions, if provided. Manually refresh a resource (Actions efresh) if the resource information displayed appears to be incorrect or inconsistent. Create a support dump (Settings Actions Create support dump) for unexpected shutdowns to help your authorized support representative troubleshoot the problem Troubleshooting the appliance 341

342 Cannot update Synergy Composer Solution 1 Solution 2 Solution 3 Solution 4 Symptom The update appliance operation fails. Cause Improper permission Action equired privileges: Infrastructure administrator 1. Log in to the appliance as the Infrastructure administrator. 2. Perform the update operation again. Cause Appliance cannot access the network. Action Synergy Composer cannot access the network (page 359) Cause Appliance certificate is invalid, expired, or changed. Action 1. Examine the certificate settings from the Security pane of the Settings screen. 2. Acquire a new appliance certificate if it is invalid or expired. Depending on the certificate type, see Create a self-signed certificate (page 72) or Create a certificate signing request (page 71). 3. efresh the browser page. 4. Accept the new certificate. 5. etry the update operation. Cause Not enough disk space. The update operation requires twice the amount of disk space as the update file, update.bin. Action 1. Perform the following EST API call to free disk space by deleting files related to the update operation: DELETE Accept: application/json Auth: authorization X-Api-Version: etry the update operation. 342 Troubleshooting

343 Appliance update file downloads, but update fails Solution 1 Solution 2 Solution 3 Symptom The update file was successfully downloaded but the update operation does not update the appliance. Cause The download file is too large for the browser. Action 1. Verify that the download size is within the capabilities of the browser. 2. Use a different browser. Cause File was deleted from the appliance. Action 1. Download the update file. 2. etry the update operation. Cause, See the online help for details. The version of the appliance is outside the range of versions that apply to the update. Action 1. Download a supported version (based on the appliance version) of the update file. 2. etry the update operation. For information, see the online help Appliance update is unsuccessful Any blocking or warning conditions affecting the appliance update are displayed prior to the update operation. Symptom Update fails Cause Action 1. Confirm you are not upgrading to the same version already installed. 2. Verify that all status indicators for LAN, CPU, and memory in the Appliance panel in the Settings screen are green before retrying the update. 3. Create a support dump and contact your HPE support representative Troubleshooting the appliance 343

344 Browser does not display the HPE OneView user interface Solution 1 Solution 2 Solution 3 Solution 4 Symptom The browser does not display the HPE OneView user interface. Cause The browser is not supported. Action Use a supported browser. Cause The browser cache is full. Action 1. Clear the browser cache and try again. 2. efresh or reload the browser. Cause Javascript is not enabled. Action Enable Javascript on the browser. Cause There is a connectivity issue with the appliance. Action 1. Verify that the browser proxy setting is accurate. 2. efresh or reload the browser. 3. Verify that the appliance can access the network. Synergy Composer cannot access the network (page 359) Icons are not visible on the appliance dashboard Symptom The dashboard is displayed without icons. Cause A timeout occurred before the browser could load the icons 344 Troubleshooting

345 Action 1. efresh or reload the browser. 2. Verify that the appliance can access the network. Synergy Composer cannot access the network (page 359) Could not retrieve the browser session Solution 1 Solution 2 Symptom The browser does not display the session or the session appears frozen. Cause Session timed out Action 1. Log out. 2. Log back in to start a new session. Cause You were logged out of the session. Action Log in to start a new session Cannot create or download a backup file Solution 1 Symptom A backup file could not be created or downloaded. Cause Other related operations are in progress. Only one backup file can be created at a time. A backup file cannot be created during the restore operation or while a previous backup file is being uploaded or downloaded. Action equired privileges: Infrastructure administrator 1. Log in as the Infrastructure administrator. 2. Verify that no other backup or restore operation is running. Look for a progress bar in the Settings screen or a completion noted in the Activity sidebar. 3. Wait until the operation is complete. 4. If an alert appears, follow its resolution to a. etry the backup operation. b. If the backup operation fails, restart the appliance. c. un the backup operation again after restarting the appliance Troubleshooting the appliance 345

346 Solution 2 Solution 3 Cause Network connectivity issues prevent the download. Action Ensure that the network is correctly configured and performing as expected. Cause A profile operation was running during the backup operation resulting in any of the following: Duplicate GUIDs in the network Server with settings from a previous profile Error message: The operation was interrupted Error message: The configuration is inconsistent Action 1. Log in as the Infrastructure administrator. 2. Identify the server affected. 3. Unassign the profile from the server. 4. eassign the profile to the server. 5. If either error message was reported, determine any factors (not related to HPE OneView) that contributed to this condition, such as: Was the server moved? Was the server power turned off? 6. Create a support dump file. 7. eport this issue to your authorized support representative. Symptom Cannot download the backup file because a related operation is in progress. Cause A backup file cannot be uploaded or downloaded while a backup file creation or restore operation is in progress. Action Ensure that another backup or restore operation is not running. They are indicated with a progress bar in the Settings screen. Symptom The backup file does not appear to be downloading. Cause Downloading a large backup file can take several minutes or more, depending on the complexity of the appliance configuration. 346 Troubleshooting

347 Action Wait until the operation completes. Monitor the operation by observing the progress bar in the Settings screen Support dump was not created Solution 1 Solution 2 Symptom Cannot find the expected support dump Cause Insufficient time elapsed Action 1. Wait. Creating a support dump file can take several minutes. If the log files are large or if the system is extensive, creating a support dump file can take even longer. 2. etry the create support dump action. Cause Only the Infrastructure administrator can create a support dump file from the Oops screen. Action Provide the credentials for the Infrastructure administrator and try again Support dump file not saved Solution 1 Solution 2 Symptom The support dump file is absent on the appliance. Cause You can easily miss notifications of automatic downloads if the browser settings are not set correctly. Action 1. Verify that the download has completed. 2. Verify the browser settings. 3. etry the create support dump action and examine the download progress bar in the Activity sidebar. Cause Insufficient disk space for the support dump file on the client side Troubleshooting the appliance 347

348 Action 1. Ensure that the local computer has enough disk space to accommodate the support dump file. 2. etry the create support dump action Support dump does not contain data for standby appliance Solution 1 Solution 2 Symptom The support dump file contains the data for the active appliance of a cluster, but not the standby appliance. Cause The appliance does not have enough free space to accommodate all the data. Action 1. Optional: Move the support dump file to an off-appliance location. 2. Delete the support dump file on the appliance. 3. Locate and delete any unnecessary files. 4. etry the create support dump action. Cause Standby appliance is not online Action 1. Ensure that the standby appliance is online. 2. etry the create support dump action. 3. Access the Maintenance console of the standby appliance and use the Maintenance console to create a support dump file Cannot create unencrypted support dump Symptom You can create an encrypted support dump file, but not an unencrypted one. Cause You do not have proper authorization to create an unencrypted support dump file. Only the Infrastructure administrator can do so. Action 1. Log into the appliance as the Infrastructure administrator. 2. etry the create support dump action. 3. Specify the unencrypted support dump option. 4. Create the support dump. 5. Verify success by examining the progress bar. 348 Troubleshooting

349 Cannot download support dump to USB flash drive Solution 1 Solution 2 Solution 3 Symptom Attempts to create and download a support dump file to a USB flash drive fail. Cause The USB flash drive does not have enough disk space to accommodate the support dump file. Action 1. Ensure that the USB flash drive has 1 GB to 4 GB of free disk space. 2. Use a computer running either a Linux or Windows operating system to remove unneeded files. 3. etry the create support dump procedure to download the support dump file to the USB flash drive. Cause Either the USB flash drive is not mounted or its format is incompatible. Action 1. Do one of the following: Ensure that the USB flash drive is properly mounted. eformat the USB flash drive as an NTFS or exfat file system. Use a different USB flash drive formatted as an NTFS or exfat file system. 2. etry the create support dump procedure to download the support dump file to the USB flash drive. Cause The file system type of the USB flash drive is FAT32, and the support dump file exceeds 4 GB. Action 1. Do one of the following: eformat the USB flash drive as an NTFS or exfat file system. Use another USB flash drive formatted as an NTFS or exfat file system. 2. etry the create support dump procedure to download the support dump file to the USB flash drive USB drive not recognized Symptom A No USB mounted message was encountered. Cause The USB flash drive file system exceeds 16 GB Troubleshooting the appliance 349

350 Action 1. Ensure that you are inserting the USB flash drive into the correct enclosure. 2. Use a USB flash drive formatted with a single file system less than or equal to 16 GB in size. The maximum size of a FAT32 file system is 4 GB. 3. etry the create support dump procedure to download the support dump file to the USB flash drive Unable to import a certificate Solution 1 Solution 2 Symptom The appliance did not allow or accept the action of importing a certificate. Cause Your login account does not give you permission to import a certificate. Action equired privileges: Infrastructure administrator 1. Log in as the Infrastructure administrator. 2. Try the action again. Cause Appliance lost connection with browser. Action equired privileges: Infrastructure administrator 1. Verify that the network is working properly. Synergy Composer cannot access the network (page 359) 2. Wait for the web server to restart, and then try the action again Certificate was revoked Symptom The Certificate Authority no longer recognizes the certificate. Cause The certificate is no longer valid. Action 1. As Infrastructure administrator, create or acquire a new certificate for the appliance. 2. Generate a new signing request Invalid certificate chain prevents operations Symptom The certificate chain in the remote appliance was corrupted. 350 Troubleshooting

351 Action equired privileges: Infrastructure administrator 1. As Infrastructure administrator, create or acquire a new certificate for the appliance. 2. Generate a new signing request Invalid certificate content prevents operations Symptom Cause The format of the certificate is invalid. Action equired privileges: Infrastructure administrator 1. As Infrastructure administrator, create or acquire a new appliance with a valid format. Create a certificate signing request (page 71) or Create a self-signed certificate (page 72) 2. Import the new certificate Audit log could not be downloaded Symptom No action menu item for downloading the audit log is visible. Cause Improper authorization. Action 1. Log in as the Infrastructure administrator. 2. Download the audit log Audit entries are not logged Symptom Entries in the audit log are missing. Cause The audit log was edited which resulted in stopping the logging. Action estart the appliance to resume logging Audit log is absent Symptom The audit log was deleted. Action estart the appliance to create an audit log and resume logging Troubleshooting the appliance 351

352 estore action was unsuccessful Solution 1 Solution 2 Symptom The restore and factory reset operations failed, and the appliance could not restart. Cause The backup file is incompatible. Action 1. Log in as Infrastructure administrator. 2. etry the restore operation with a recent backup file that fulfills this criteria: The appliance being restored has the same HPE OneView major and minor version numbers as the appliance on which the backup file was created. The Settings screen displays the version number in this format: Version major.minor.nn-nnnnn month day year 3. econcile any discrepancies that the restore operation could not resolve automatically. Cause A serious error occurred. Action 1. Log in as Infrastructure administrator. 2. Create a support dump file, in case you might need to contact an authorized support representative. 3. If possible, reset the appliance to factory settings. Otherwise, reimage the Synergy Composer. 4. etry the restore operation. Cause estore operation failed. Action equired privileges: Infrastructure administrator 1. Log in as Infrastructure administrator. 2. Create a support dump file, in case you might need to contact an authorized support representative. 3. Do one or both of the following: etry the restore operation, specifying the most recent backup file. Try the restore operation with another backup file that is compatible with the appliance. 4. If the problem persists, contact your authorized support representative. 352 Troubleshooting

353 Cause The status of the restore operation is IN POGESS, but the percentage of change does not change for 2.5 hours or more. Action 1. Log in as Infrastructure administrator. 2. estart the appliance. 3. Do one or both of the following: etry the restore operation, specifying the most recent backup file. Try the restore operation with another backup file that is compatible with the appliance. Symptom Server hardware is booting from wrong device or incorrect BIOS settings Cause BIOS, firmware, and boot settings were changed after the backup and before the restore operation. Action 1. Log in as the Infrastructure administrator. 2. Verify the BIOS firmware, and boot settings. 3. Unassign the profiles. 4. eassign each profile to its corresponding server. Symptom estore operation does not restore server profile. Cause The restore operation timed out or failed. Action equired privilege: Infrastructure administrator 1. Log in as the Infrastructure administrator. 2. Create a support dump file. 3. Do one of the following: a. etry the restore operation, specifying the most recent backup file. b. Try the restore operation with another backup file that is compatible with the appliance. 4. Verify that all the necessary actions were followed to put the profiles back in-line with the environment. If there is a profile still in an inconsistent state, there might be incorrect behavior in the data center Synergy Composer did not shut down Symptom The appliance stayed up in spite of a shutdown operation. Cause An internal server error might have occurred Troubleshooting the appliance 353

354 Action equired privileges: Infrastructure administrator 1. Log in as the Infrastructure administrator. 2. etry the shutdown action. 3. etry the shutdown action from the Maintenance console. 4. If the problem persists, create a support dump. 5. Contact your authorized support representative and provide them with the support dump. Accessing Hewlett Packard Enterprise Support (page 405) Cannot restart the Synergy Composer after a shutdown Symptom The restart action resulted in a shutdown, but not a restart. Cause An internal server error might have occurred. Action equired privileges: Infrastructure administrator 1. Log in as the Infrastructure administrator. 2. etry the restart action. 3. etry the restart action from the Maintenance console. 4. If the problem persists, create a support dump. 5. Contact your authorized support representative and provide them with the support dump. Accessing Hewlett Packard Enterprise Support (page 405). 354 Troubleshooting

355 You cannot log in Symptom There is no login screen. There is a login screen, but the appliance rejects your login. Possible cause and recommendation Appliance not yet started or browser not behaving correctly 1. Wait for the appliance to start completely. 2. efresh your browser and try again. 3. Open a new browser and try again. 4. As Infrastructure administrator, use the EST APIs to restart the appliance. Authentication for the local user account is invalid 1. etype your login name and password in case you made an error. 2. Verify your login name and role settings with the Infrastructure administrator. If the appliance was reset to its original factory settings, the Infrastructure administrator might need to reinstate you. 3. As Infrastructure administrator, do the following: a. Verify the account name and ensure that a role is assigned to the user. b. estart the appliance and try again. Authentication for the Authentication directory service is invalid 1. etype your login name and password, and choose the correct authentication directory in case you made an error. 2. Verify your login name and your group and role settings with the Infrastructure administrator. If the appliance was reset to its original factory settings, the Infrastructure administrator might need to reinstate you. 3. As Infrastructure administrator, do the following: a. Verify the account name and ensure that the user is a member of the group in the directory service. b. Verify that the authentication directory service is configured properly. c. Verify that the directory service server is operational. See Directory service not available (page 395) d. Verify that the directory service host certificate is valid. If not, reacquire a certificate and install it. e. Contact the directory service provider to ensure that the credentials are accurate. f. estart the appliance and try again Hardware setup user cannot log in Symptom The authorization for the hardware setup user is blocked. Cause The appliance is configured to deny access to the hardware setup user. Action 1. Log in as Infrastructure administrator. 2. Access the Edit Security screen. 3. Enable Hardware setup access. For more information, see the online help. 4. Log out and log back in as the Hardware setup user. 5. etry the operation Cannot log in after a factory reset action Symptom Log in not accepted following a factory reset operation Troubleshooting the appliance 355

356 Cause The authentication was deleted by the factory reset. Action Log in to the appliance with the default credentials that you used when you logged in for the first time einstall the remote console When running Firefox or Chrome on a Windows client, the first-time installation of the ilo remote console prevents the installation dialog box from being displayed again. If you need to reinstall the console software, you must reset the installation dialog box. Symptom Installation dialog box is not displayed. Cause If you installed the ilo remote console software using one browser (Firefox or Chrome), but are using another browser, the dialog box that prompts you to install the software is displayed, even if the software is already installed. Action To reinstall the console, press the Shift key and select Actions Launch console. einstall the software 1. Click Install software and close all of the dialog boxes for installing the application. 2. Click My installation is complete Launch console to launch the console after it is installed Active and standby appliances are not connected Solution 1 Solution 2 Symptom The Appliance panel of the Settings page shows that the active appliance and the standby appliance are not connected. Cause The standby appliance is not powered on. Action 1. Log in as the Infrastructure administrator. 2. Open the Enclosures page. 3. Ensure that the standby appliance is powered on. 4. Log into the Maintenance console to verify the health status of the appliance. Cause The enclosure is not powered on. 356 Troubleshooting

357 Action 1. Log in as the Infrastructure administrator. 2. Open the Enclosures page. 3. Ensure that the enclosure is powered on Synergy Composer is offline, manual action is required Solution 1 Solution 2 Symptom The Maintenance console indicates that the appliance is offline and manual action is required to restore operation safely. Neither appliance in the appliance cluster is active. Constraints for data integrity prevent the automatic activation of the appliance. Cause Network issues or multiple disconnects in the link enclosure network might have caused the outage. A cable that connects the LINK ports of the enclosures is disconnected. Action 1. estore high availability by correcting the cause of the outage, if possible: a. epair network connectivity. Ensure that all link enclosure network cables are properly connected. b. econnect the cable connecting the LINK ports. 2. Bring the enclosure back online. Use the Maintenance console View details command to identify the appliance for which the status cannot be confirmed. The appliance is identified in terms of its enclosure and appliance bay number. If the corresponding enclosure or frame link module is offline, powering it on could correct the problem. 3. Move the appliance to an operational enclosure if the enclosure or frame link module cannot be brought back online. Cause Whenever possible, install clustered appliances in different enclosures to improve fault protection. An appliance is nonfunctional and high availability cannot be restored. Action IMPOTANT: This procedure requires you to override data integrity protection. Use extreme care when following this procedure 1. Determine the location of both appliances in the appliance cluster. The location is given in terms of the enclosure and appliance bay. The Maintenance console View details action, from either appliance, can provide this information for the other appliance. CAUTION: Misidentifying the appliance can result in unrecoverable data loss Troubleshooting the appliance 357

358 2. Determine whether each appliance: Is present in the enclosure. Is powered on. Shows a warning in the Maintenance console Notification banner regarding changes that have not been synchronized between appliances. 3. Select the appliance to activate. Use the following criteria: If one appliance shows an unsynchronized changes warning, select it. Select the other appliance if an appliance: Is lost and cannot be recovered. Cannot be brought online. If the lost appliance contained unsynchronized changes, unrecoverable data loss could occur. 4. Ensure the unselected appliance: Is powered off, Is removed from the enclosure, or Was just restarted. This step is critical to ensure that both appliances do not become active at the same time. Otherwise, it will be impossible to resynchronize them, and unrecoverable data loss will result. 5. In the Maintenance console of the selected appliance, select Activate and confirm the action. See Activate the Synergy Composer manually when it is not highly available (page 455). efer to the appliance state to monitor progress Synergy Composer is offline and unusable Symptom The Maintenance console indicates that an appliance is offline and unusable because of incomplete data. Neither appliance in the appliance cluster is active. Constraints for data integrity prevent the automatic activation of the appliance. Cause An appliance in an Offline / Unusable (incomplete data) state experienced an outage while its data was being synchronized or it encountered a disk write error. The appliance cannot be activated in this state. Action 1. econnect the offline/unusable appliance with the other appliance in the cluster. The other appliance likely has the most up-to-date data. eestablishing a connection between the appliances will allow data synchronization to complete. 2. Bring the up-to-date appliance enclosure back online. Use the View details command in the up-to-date appliance Maintenance console to locate its location (enclosure and appliance bay). 358 Troubleshooting

359 If its enclosure or frame link module is offline, powering it on could correct the problem. 3. Move the up-to-date appliance to an operational enclosure if the enclosure or frame link module cannot be brought back online. Whenever possible, install clustered appliances in different enclosures to improve fault protection. 4. epair the connectivity between LINK ports If the up-to-date appliance is operational, the cable linking LINK ports might be disconnected. Ensure that all such cables are connected properly. econnecting them could resolve the problem. 5. estore from backup If the up-to-date appliance is in an irrecoverable state, use a backup copy of the appliance data to restore operation: a. Factory reset or reimage both appliances. b. estore one appliance from a recent compatible backup file. c. Allow the other (or another) appliance to join into a high availability cluster with the restored appliance. If a replacement appliance is required, you can add it later to restore high availability Troubleshooting the appliance network setup Synergy Composer cannot access the network Symptom Operations that require network access do not function. Cause The appliance network was not properly configured. Action 1. Log in as Infrastructure administrator. 2. Verify that the IP address assignment is correct. 3. Verify that the DNS IP address is correct. 4. Verify that the DNS server is not behind a firewall. If it is, modify the firewall settings. 5. Verify that the DNS server is operational. 6. Verify the gateway address for your network is correct. 7. Log in to the appliance as Infrastructure administrator and correct the network settings Synergy Composer cannot retrieve DNS information from DHCP server Symptom The DHCP server does not provide access to IP addresses. Cause DNS or the DHCP server was not properly configured 31.8 Troubleshooting the appliance network setup 359

360 Action 1. Verify that each DNS IP address is correct. 2. Verify that the DNS server is not behind a firewall. If it is, you might need to modify the firewall settings. 3. Verify that the DNS server is operational. 4. If necessary, use static address assignment instead of DHCP DNS server is unreachable Symptom An alert message reports that an IP address is not responding as a DNS server. Action equired privileges: Infrastructure administrator 1. Verify that each DNS IP address is correct. 2. Verify that the DNS server is operational. 3. Verify that the DNS server is not behind a firewall. If it is, you might need to modify the firewall settings. 4. Change the network settings accordingly Gateway server is unreachable Symptom An alert message reports that an IP address is not a valid gateway. Cause Action equired privileges: Infrastructure administrator 1. Verify the gateway address for your network. 2. Verify that the gateway server is operational. 3. Change the network settings accordingly Cannot change network settings Symptom You are unable to change network settings. Cause Improper permission Action 1. If possible, log in as a privileged user. Otherwise, request that the Infrastructure administrator change your role so that you can change network settings. 2. Log in again. 3. Change the network setting. 360 Troubleshooting

361 NTP synchronization fails Solution 1 Solution 2 Symptom Appliance time and date settings do not match the NTP server. Cause Appliance is not properly configured for NTP. The configuration of the appliance contains an error. Action 1. As an Infrastructure administrator, verify that the host name or IP address you specified is an NTP server. 2. Examine the Appliance panel of the Settings screen to confirm that the IP address of the NTP server is correct. 3. Verify that the NTP server is not behind a firewall. If it is, you might need to modify the firewall settings. 4. Verify that the NTP server is up and communicating. 5. Synchronize the appliance clock with the NTP server. For more information, see the online help. Cause Allow sufficient time for the appliance and the NTP server to synchronize. This could be as long as one hour for a global NTP server. Appliance time differs from NTP server by more than 1000 seconds. The appliance cannot synchronize with the NTP server. Action 1. Edit the appliance time and locale settings to set the appliance s time manually. For the procedure, see the online help. 2. Verify that the time according to the appliance matches the NTP server s time. 3. Synchronize the appliance with the NTP server. For more information, see the online help. NOTE: HPE recommends using four NTP servers while synchronizing the appliance. Allow sufficient time for the appliance and the NTP server to synchronize. This could be as long as ten minutes Troubleshooting notifications Use the following information to troubleshoot alerts that appear on the Notifications panel of the Settings screen Cannot configure notification of alerts Symptom You cannot configure the notification of alerts feature Troubleshooting notifications 361

362 Cause You do not have the necessary permissions to use this feature. Action 1. Log in to the appliance as the Infrastructure administrator. 2. Add or edit an recipient and filter entry. 3. Verify that you were able to add or edit the recipient and filter entry successfully. The recipient will be listed in the panel Unable to connect through <sending address host name> Solution 1 Solution 2 Symptom The appliance is not able to connect through the sending host name. The appliance cannot send alert messages using the configured address. Cause One or more parameters for configuring notification is invalid, preventing the appliance from reaching the host used for sending . Action 1. As Infrastructure administrator, view the configuration parameters. See the online help for more information. 2. Correct any invalid configuration parameter. 3. Save the configuration. 4. Verify the configuration either by pinging the host or by sending a test message. Cause The appliance is experiencing network issues, which prevents the appliance from sending messages. Action 1. As Infrastructure administrator, verify that the host name for the sending address is on the network by pinging the host. 2. See Appliance cannot access the network to resolve problems connecting with the network Host does not respond as an SMTP server Solution 1 Symptom The host name, which should send the messages, is not responding as an SMTP server. Cause The host name was not configured correctly. 362 Troubleshooting

363 Solution 2 Solution 3 Action 1. As Infrastructure administrator, verify that the host name for the sending address is on the network by pinging the host. 2. Verify the port number used is correct. 3. View the parameters for configuring notification of alerts. For information, see the online help. 4. Update the parameters as needed. 5. Save the configuration. 6. Verify the configuration with the telnet command. For example: telnet mail.example.com Verify also by monitoring notifications. Cause The SMTP server used for sending notification has TLS/SSL security protocols. Action 1. Verify the connection to the SMTP server using the correct port with the telnet command. For example: telnet mail.example.com View the parameters for configuring notification of alerts. For information, see the online help. 3. Ensure that the SMTP server does not have TLS/SSL support. Update the parameters as needed. 4. Save the configuration. 5. Verify the configuration with the telnet command. For example: telnet mail.example.com Verify also by monitoring notifications. Cause The notification configuration has an invalid password for the SMTP server. The cannot be sent because it fails to provide the correct authentication. Action 1. Use the telnet command to connect to the SMTP server to verify the password. For example: telnet mail.example.com 2. View the parameters for configuring notification of alerts. For information, see the online help. 3. Ensure that the SMTP server password is correct. Update the parameters as needed. 4. Save the configuration. 5. Verify by monitoring notifications Troubleshooting notifications 363

364 Unable to deliver messages to some IDs Solution 1 Solution 2 Symptom Some users receive messages regarding alerts but other users do not receive the same messages. Cause The recipient is either not configured or not configured correctly. Action 1. As Infrastructure administrator, follow the procedure for editing an recipient in the online help so that you can view the recipient and filter entries. 2. Verify that the recipient is specified. Correct the entry as needed. 3. Verify that the address of each recipient is valid. Correct the entry as needed. 4. Verify by monitoring notifications. Cause The message is filtered and thus not delivered because it is considered junk mail or spam. Action 1. If the host sending the and the recipient are in the same domain, examine the application of the recipient. 2. Ensure that the application does not block the message and that it does not treat the message as spam or send it to a junk folder. 3. Verify by monitoring notifications Designated recipients are not receiving notifications of events Solution 1 Symptom No configured recipient is receiving notification of alerts. Cause notification is currently disabled. Action 1. As the Infrastructure administrator, view the configuration parameters. 2. Ensure that notification feature is enabled. 3. Ensure that each recipient and filter entry is appropriately enabled or disabled. 4. Verify by monitoring notifications. 364 Troubleshooting

365 Solution 2 Solution 3 Cause ecipients cannot receive messages because their parameters are not configured properly. Action 1. As the Infrastructure administrator, view the configuration parameters. 2. Verify that the recipient is specified and that their address is valid. 3. If the recipient is not specified, do one of the following, as appropriate: Include the recipient in the list of addresses for an existing filter by editing the recipient and filter entry. Add the recipient to a new filter. For information on these procedures, see the online help. 4. Verify by monitoring notifications. Cause The configuration for the recipient contains an invalid filter specification that does not capture any alerts for notification. Action 1. As Infrastructure administrator, follow the procedure for editing an recipient in the online help to view the filter entries. 2. Examine the alerts reported in the Activity screen and note the alerts you believe should have been captured by the filter. 3. eview the filter entries. Ensure that the filter is defined precisely and accurately. 4. Save the recipient and filter entry. 5. Verify the configuration by monitoring notifications Frequent, irrelevant messages Symptom messages that do not pertain to certain recipients are sent to them. Cause The configuration for the recipient contains a filter specification that allows unwanted, irrelevant alerts. Action equired privileges: Infrastructure administrator 31.9 Troubleshooting notifications 365

366 1. As Infrastructure administrator, follow the procedure for editing an recipient in the online help to view the filter entries. 2. eview the filter entries: Ensure that there are no empty filter entries. When the filter entry is empty, an message is generated for any alert. Ensure that filter entries are unique. Otherwise, at least twice as many messages are sent. Be precise when specifying the filter criteria. Edit the filter entry so that it acts on only the alerts for which you want to be notified. 3. Save the recipient and filter entry. 4. Verify the configuration by monitoring notifications Test message could not be sent Solution 1 Solution 2 Symptom A test message was sent, but none of the recipients received it. Cause One or more parameters for configuring notification is invalid, preventing the appliance from reaching the host used for sending . Action 1. As Infrastructure administrator, view the parameters for configuring notification of alerts. For more information, see the online help. 2. Correct any invalid configuration parameter. 3. Save the configuration. 4. Verify the configuration either by pinging the host or by sending a test message again. Cause The appliance is experiencing network issues, which prevents the appliance from sending messages. Action 1. As Infrastructure administrator, verify that the host name for the sending address is on the network by pinging the host. 2. See Appliance cannot access the network to resolve problems connecting with the network Some test messages were not received Solution 1 Symptom Some recipients receive the test message but other recipients do not receive the same message. Cause The recipient is either not configured or not configured correctly. 366 Troubleshooting

367 Solution 2 Action 1. As Infrastructure administrator, follow the procedure for editing an recipient in the online help so that you can view the recipient and filter entries. 2. Verify that the recipient is specified. Correct the entry as needed. 3. Verify that the address of each recipient is valid. Correct the entry as needed. 4. Verify by sending another test message. Cause The test message was filtered and thus not delivered because it is considered junk mail or spam. Action 1. If the host sending the and the recipient are in the same domain, examine the application of the recipient. 2. Ensure that the application does not block the message and that it does not treat the message as spam or send it to a junk folder. 3. Verify by sending another test message Troubleshooting enclosures and enclosure groups Communication from Synergy Frame Link Module failed (page 367) Enclosure configuration incomplete (page 368) Enclosure is no longer manageable (page 367) Enclosure inventory incomplete (page 368) Frame Link Module port state is unlinked or disabled (page 369) Enclosure is no longer manageable Symptom An alert or error displays: Link port on link module is disconnected. Cause An HPE Synergy frame is not properly configured for redundancy due to a disconnected cable. Action Connect each frame to another frame within the group, and cable every LINK port to another LINK port Communication from Synergy Frame Link Module failed Symptom An alert or error indicates a Communication error with an HPE Synergy frame. Cause Connection with an HPE Synergy frame failed or was interrupted. Common causes of communication failures are: Troubleshooting enclosures and enclosure groups 367

368 HPE Synergy frame link module is being reset or factory reset Firmware update is in progress Frame link module failover in progress LINK connections changing between frame link modules Action 1. Wait for any actions such as those listed above to complete. If connectivity is not restored, follow the resolution instructions listed in the alert. 2. Verify that all alerts related to LINK port connectivity have been addressed for all HPE Synergy frames in the group of connected HPE Synergy frames. 3. If connectivity is not restored, see efresh the communication between an enclosure and the appliance in the online help. 4. If communication continues to fail, see eset the HPE Synergy frame link module in the online help. 5. If the problem persists, contact your authorized support representative Enclosure configuration incomplete Symptom An alert or error indicates that Enclosure management settings are not fully applied. Cause An add or refresh of an HPE Synergy frame failed and not all settings could be applied Action 1. Follow the resolution instructions listed in the alert. If instructed to reset the frame link module, see eset frame link module in the online help for more information. Do not perform this step unless instructed. 2. eview all alerts on the frame to check if other frame link modules or other hardware components are functioning properly. For each alert, follow the resolution instructions. 3. Verify that each frame link module is properly seated and the health indicator light on the link module is green. 4. See efresh the communication between an enclosure and the appliance in the online help. 5. If the problem persists, contact your authorized support representative Enclosure inventory incomplete Symptom An alert or error indicates that Enclosure inventory may be incomplete. Cause Gathering information about the resources in the HPE Synergy frame failed Common causes of gathering information failures are: A communication error occurred A device such as a fan, power supply, server, frame link module, or interconnect was recently inserted and is not ready to be discovered 368 Troubleshooting

369 Action 1. Follow the resolution instructions listed in the alert. 2. eview all alerts pertaining to this specific device. For each alert, follow the resolution instructions. 3. Verify that the device is properly seated and the health indicator light on the device is green. 4. If the problem persists, perform an EFuse using HPE OneView EST API on the device or physically remove the device and re-insert it. See Perform a hard reset on a bay using EFuse in the HPE OneView EST API Scripting Help. 5. If the problem persists, contact your authorized support representative Frame Link Module port state is unlinked or disabled Symptom An alert or error indicates that the LINK port is connected to an unknown device. Cause Cable connecting the frame link modules are not cabled correctly or the LINK port is connected to an unknown device. Action esolution: 1. Check the cabling. For multiple HPE Synergy frames, check that each frame link module in a group of frames is cabled to another frame link module in the group through the LINK port. The last frame in the group must have its link module cabled to the link module of the first frame. For a single HPE Synergy frame, check that the two frame link modules are cabled together. 2. If the cabling is correct, then try re-seating the frame link module. For more information on cabling, see the HPE Synergy Configuration and Compatibility Guide at Symptom An alert or error indicates that the LINK port is not connected. Cause The cable attached to the LINK port is disconnected. Action Check the cabling and make sure each frame link module in a group of linked frames are cabled to another frame link module in the group through the LINK port. Symptom An alert or error indicates a Link module mismatch enclosure is managed by another appliance. Cause The frame link module is connected to another frame link module in a different HPE Synergy frame group Troubleshooting enclosures and enclosure groups 369

370 Action esolution: 1. Disconnect the frame link module that is connected to the frame in a different group of frames. 2. Check the cabling and make sure each frame link module in the same group is cabled to another frame link module in the group through the LINK port. For more information on cabling, see the HPE Synergy Configuration and Compatibility Guide at 3. Perform a factory reset of the HPE Synergy frame link module so that it can communicate with the new group of frames. Symptom An alert or error indicates that the MGMT port is disconnected. Cause The MGMT port of the frame link module corresponding to the HPE OneView appliance is disconnected. Action Check the cabling. The MGMT port on a frame link module associated with a Synergy management appliance bay must be connected to your management network. For example, there is a frame link module in bay #1, and an HPE Synergy Composer in appliance bay #1, the MGMT port of frame link module 1 should be connected to the management network. For more information on cabling, see the HPE Synergy Configuration and Compatibility Guide at Troubleshooting firmware bundles Incorrect credentials Symptom The ilo user name or password is not valid Cause While attempting to update server firmware, the user name or password you supplied is not valid for an ilo management processor or incorrect credentials specified for a server. Action To resolve the issue, enter the correct credentials and add the enclosure again Lost ilo connectivity Symptom Connection error Cause Action ecommendation 1. eset the server to restore network connectivity to the server's management processor 2. Update the firmware again. 370 Troubleshooting

371 SUM errors Symptom Unable to remove the firmware upgrade log files Cause Action ecommendation 1. estart the appliance. 2. Update the firmware again. Symptom Unable to initiate the firmware update request Cause Action Update the firmware again Failed firmware update on enclosure add NOTE: When adding an enclosure, the ilo firmware might fail to update to the minimum version due to network or power outages, or other issues. The device is listed in an Unmanaged state. Symptom ilo firmware failed to update Cause Action ecommendation 1. From the main menu, select Server Hardware. 2. In the master pane, select the unmanaged server hardware. 3. Select Actions Update ilo firmware. NOTE: You will only see "Update ilo firmware" if the ilo firmware is below the minimum required and the server hardware is listed in an Unmanaged Unsupported Firmware state. 4. Click OK. 5. To verify that the activity is successful, check the activity for a green status in the Notifications area. If the activity is not successful, follow the instructions in the proposed resolution Troubleshooting interconnects Interconnect edit is unsuccessful Symptom A notification displays that modifying an interconnect was unsuccessful Troubleshooting interconnects 371

372 Cause Interconnect edit is unsuccessful. Action 1. Verify that the prerequisites listed in the online help are met. 2. Follow the instructions provided by any notification message. NOTE: When the interconnect has been edited successfully, a notification will display in the banner at the top of the screen, and the desired port setting and port status will be displayed Troubleshooting licenses Licensing numbers appear to be inaccurate Symptom ecently added or assigned licenses are not reported in the licensing graphs. Cause The license graphs are not up to date. Action efresh the Settings screen for the license graphs to display recent changes. Symptom The license graphs show a higher number of licensed server hardware than the current number of server hardware under management. Cause Server hardware that has been assigned an HPE OneView Advanced license has been removed from management. When server hardware that has been assigned an HPE OneView Advanced license is removed from management, the license remains assigned to it. This could cause the number of servers licensed to be higher than the number of licensed server hardware currently being managed. Action Use the EST API to view the entire list of all servers assigned to licenses. Symptom Cannot find license count for HPE OneView Standard license. Cause The appliance does not display HPE OneView Standard license counts. Action To obtain a count of server hardware licensed with an HPE OneView Standard license: 1. From the Server Hardware screen, click in the Smart Search box and for Scope select Server Hardware. 2. In the Smart Search box, type state:monitored and press Enter. The master pane will display all monitored server hardware. All monitored server hardware is assigned an HPE OneView Standard license. 372 Troubleshooting

373 Could not view license details Symptom License details are not available for the appliance. Cause There is no license assigned to the appliance. Action equired privileges: Infrastructure administrator 1. Log in as Infrastructure administrator. 2. Assign the license. 3. View the license details again. Symptom The filter criteria is blank or incorrect. The appliance could not return any results. Cause The filter criteria was not accurate and could not return any results. Action equired privileges:infrastructure administrator 1. Log in as Infrastructure administrator. 2. Correct the filter criteria. 3. View the license details again Could not add license Solution 1 Solution 2 Symptom You are unable to add a license for the appliance. Cause License key is blank, incorrect, or invalid. Action 1. Log in as Infrastructure administrator. 2. Verify the license key that you entered. 3. Provide proper values and make sure that the license key format is valid. 4. Try again. 5. If the problem persists, contact your authorized support representative. Cause The license key expired Troubleshooting licenses 373

374 Solution 3 Action 1. Log in as Infrastructure administrator. 2. Acquire a valid, current license key. 3. Try again with the new license key. Cause Invalid date and time setting for appliance. The license is not yet active. It is too early to add the license. Action 1. Confirm the date and time setting of the appliance. 2. Inspect the date and time when the license becomes active. 3. If the problem persists, contact your authorized support representative Could not add license key Solution 1 Solution 2 Solution 3 Symptom You are unable to add a license key for the appliance. Cause The license key is blank, incorrect, or invalid. Action equired privileges: Infrastructure administrator 1. Log in as Infrastructure administrator. 2. Verify the license key that you entered. 3. Provide proper values and make sure that the license key format is valid. 4. Try again. 5. If the problem persists, contact your authorized support representative. Cause License key has expired. Action 1. Log in as Infrastructure administrator. 2. Acquire a valid, current license key. 3. Try again with the new license key. Cause Invalid date and time setting for appliance. The license is not yet active. It is too early to add the license. 374 Troubleshooting

375 Action 1. Confirm the date and time setting of the appliance. 2. Inspect the date and time when the license becomes active. 3. If the problem persists, contact your authorized support representative Could not apply license Solution 1 Solution 2 Solution 3 Symptom A license or license key could not be applied to an instance. Cause All the licenses in the license key are in use. The instance that you tried to license is recorded as unlicensed. Action 1. Log in as Infrastructure administrator. 2. Acquire a new license key. 3. Try again with the new license key. Cause The license that you are trying to apply is already in use. Action 1. If there are remaining unused licenses, try again with another license. 2. Otherwise, acquire a license key with unused licenses and try again with a license from the new license key. Cause The license was applied to an instance or a product that is already licensed. Action 1. Verify the instance or product that you are trying to license. 2. If necessary, try again with the correct instance or product name Troubleshooting licenses 375

376 31.14 Troubleshooting locale issues Symptom Possible cause and recommendation Messages returned from EST API calls specifying Chinese (zh) or Japanese (ja) in the Accept-Language header are not displayed correctly When using a Microsoft Windows Command Prompt window to invoke EST APIs (either directly or via scripts run in the Command Prompt window), messages returned from EST API calls specifying Chinese (zh) or Japanese (ja) in the Accept-Language header are not displayed correctly. HPE OneView returns messages using the UTF-8 encoding. This is not supported by current versions of the Command Prompt window 1. When using a Command Prompt window, set the EST API accept-language header to a locale that is supported by Command Prompt such as en-us. 2. edirect the output of the EST call to a text file and view the file using Windows tools such and Notepad which supports UTF Use other third-party tools available for Windows that support UTF-8. For example, users have reported that the Cygwin environment for Windows supports UTF Troubleshooting logical interconnects I/O bay occupancy errors Symptom Cause Change in interconnect state Action Interconnect state errors can be caused by: Interconnect missing from an IO bay (Interconnect state is Absent) Unsupported interconnect model found in an IO bay (Interconnect state is Unsupported) Unable to manage interconnect in IO bay due to unsupported firmware (Interconnect state is Unmanaged) Mismatch between the interconnect type and the type specified by logical interconnect group Mismatch of horizontally adjacent interconnect modules Uplink set warnings or errors Symptom Uplink set not operational Cause Uplink set not operational due to: One or more uplinks are not in operation due to a bad cable, no cable, lack of transceiver, or invalid transceiver No networks assigned DCBX information is missing for an FCoE network 376 Troubleshooting

377 Action 1. Verify that the following prerequisites are met: At least one network is defined You have Network administrator privileges or equivalent to manage networks. DCBX information is required for FCoE networks 2. Verify that the data you entered on the Add Uplink Set screen is correct, and that the uplink set name is unique. 3. etry the operation Physical interconnect warnings or errors Symptom Interconnect-level warnings or errors Cause Interconnect warnings or errors can be caused by: Downlink with a deployed connection is not operational Incorrect firmware version (different from firmware baseline version) Configuration error Hardware fault Lost communication Administratively disabled ports Action Firmware update errors Symptom Firmware update fail entries shown in the Activity log. Cause Interconnect firmware errors can be caused by: estarting interconnect modules while a firmware update is in progress. Starting a firmware update while another firmware update is already in progress. An interconnect in the Logical Interconnect is not in a Configured state before starting the upgrade. HPE OneView cannot communicate with the enclosure. Action Do not restart interconnect modules while a firmware update is in progress. Check the Activity Log for more information about the root cause. 1. If staging firmware failed, check the Activity Log, correct the problem and restart the update. 2. If activating firmware failed, check the Activity Log, and then manually activate the firmware Troubleshooting logical interconnects 377

378 Make sure that all interconnects in the Logical Interconnect are in the Configured state before starting the upgrade. If a firmware update persistently fails, see the online help to create a logical interconnect support dump file and contact your Hewlett Packard Enterprise support representative Troubleshooting networks Network create operation is unsuccessful Symptom Network creation is unsuccessful. Cause The network configuration is incorrect. Action 1. Verify that: The network name is unique. The VLAN ID is appended to the network name when creating multiple tagged networks using a bulk operation. The number of networks does not exceed the maximum as indicated in the HPE OneView Support Matrix for HPE Synergy. The number of private networks does not exceed the maximum as indicated in the HPE OneView Support Matrix for HPE Synergy. 2. etry the create network operation Troubleshooting the OS deployment server Unable to communicate with the selected primary cluster Symptom HPE OneView is unable to communicate with the selected primary cluster. Cause The selected primary cluster is unpaired or unavailable. Action Select a new primary cluster by performing an edit operation on the OS deployment server and restore deployment server backup to the new primary cluster Troubleshooting reports Cannot view reports Symptom You cannot access any reports. Cause Improper authorization 378 Troubleshooting

379 Action Log out, then log in with a user role that allows you to review reports. For example: Infrastructure administrator Network administrator Server administrator Storage administrator ead only Troubleshooting scopes Cannot add scope Solution 1 Solution 2 Symptom Clicking Create or Create+ does not generate a scope. Cause The scope name was entered with invalid characters. Action e-enter the scope name using only alphanumeric characters, the plus sign (+), and space characters for the scope name. Cause The name given for the scope is already in use. Action Supply a unique name for the scope Cannot edit or delete scope Symptom EST API call failed with Error 412, Precondition Failed. Cause The etag passed in the If-Match request header does not match the current etag of the scope being edited or deleted. Action Try the operation again with either a current etag or the etag set to * Troubleshooting server hardware For information on specific server hardware issues, see the HPE OneView elease Notes Troubleshooting scopes 379

380 Cannot control power on server If you have difficulty with server power control, examine recent configuration and security changes which might affect this feature. Often the ilo event log can be a useful starting point to see these changes. Hardware could have failed as well. Use the Integrated Management Log (IML) on the ilo for Power On Self Test (POST) errors to determine if a hardware failure has occurred. If a power on or power off action fails, follow the instructions in the notification message Lost connectivity to server hardware after appliance restarts When the appliance restarts after a crash, the server inventory is evaluated for any long-running activity that failed, such as applying server profile settings, that might have been in progress when the crash occurred. You can recover by performing the same action again, such as reapplying the server profile settings. The appliance resynchronizes the servers. During resynchronization, each server hardware enters the resyncpending state. A full resynchronization of individual server hardware includes rediscovering the server hardware, verifying the server hardware power state and updating the resource state accordingly, and updating the health status. The appliance creates a task queue for each task during a resynchronization operation eplace a server with an assigned server profile Symptom Server Hardware failure Cause Server hardware failed and must be replaced. Action 1. Gracefully shut down the server hardware. 2. emove the original server and install the replacement server. 3. If the server hardware type of the replacement server matches the server hardware type of the original server then: a. If the Affinity defined in the profile is set to Device bay, the server profile will be automatically re-assigned to the new server. Proceed to step 5. b. If the Affinity is set to Device bay + server hardware, the server profile must be edited and re-saved to allow the appliance to reconfigure the profile for the new server. No changes to the server profile are required. Proceed to step If the server hardware type of the replacement server does not match the server hardware type of the original server a new profile must be created that matches the server hardware type of the replacement server. The original profile assigned to the server must be unassigned or deleted and the new profile assigned to the replacement server. Or, the server hardware type must be updated to match the inserted hardware. 5. If the ilo firmware version is greater than or equal to the minimum required firmware version, proceed to Step 6. The minimum ilo firmware version is available in the HPE OneView Support Matrix for HPE Synergy. If the replacement server has an ilo firmware version less than the minimum required firmware version, an alert on the Server Hardware screen is displayed and the server status is Unmanaged/Unsupported Firmware. 380 Troubleshooting

381 a. Select Actions Update ilo firmware. b. Click OK. 6. If the ilo firmware version is different from the baseline and the server profile is assigned to a Gen8 server or later, the ilo server firmware can be updated automatically with the re-assignment of the server profile. a. From the main menu, select Server Profiles, and then select the server profile to edit. b. Select Actions Edit. If needed, select the proper server hardware. c. To manage the firmware update manually, from the Firmware baseline list, select managed manually. d. To automatically update the firmware, select the appropriate firmware baseline. To force install the firmware, select Force installation. e. Click OK. If the firmware version is different from the baseline and the server profile is assigned to a G7 server, you must update the firmware outside of the appliance eplace a server adapter on server hardware with an assigned server profile IMPOTANT: The replacement adapter must match the old adapter. If the replacement adapter does not match the old adapter, the server hardware type will change. If a server profile was assigned to that server hardware, a new server profile must be created to support the changed server hardware type. Symptom Server adapter failure Cause Server adapter failed and must be replaced. Action 1. Gracefully shut down the server. 2. eplace the adapter on the server. 3. If the corresponding server profile is configured with virtual identifiers (MAC & WWN addresses) proceed to step 4. If the profile is configured with physical identifiers (MAC & WWN), consider the following: a. Due to change in the identifiers, any Ethernet network configurations may be lost on the OS and may require a reconfiguration. b. The server host WWN may need to be updated in your storage network zone and on the storage array. 4. Check the firmware version of the new adapter. a. From the main menu, select Server Hardware or Server Profiles, and then select the server hardware or server profile that contains the replaced adapter. b. From the Server Hardware screen or Server Profile screen, select Actions Launch console. The ilo emote Console is launched. c. Power on the server and check the firmware version of the new adapter during boot Troubleshooting server hardware 381

382 NOTE: To check that the firmware version matches your firmware baseline, from the main menu, select Firmware Bundles, and select your firmware baseline. Scroll through the list of firmware to find what is offered in your baseline and compare it to your adapter firmware. 5. If the firmware version is different from the baseline and the server profile is assigned to a Gen8 server or later, the server firmware can be updated automatically with the re-assignment of the server profile. a. From the main menu, select Server Profiles, and then select the server profile to edit. b. Select Actions Edit. If needed, select the proper server hardware. c. To manage the firmware update manually, from the Firmware baseline list, select managed manually. d. To automatically update the firmware, select the appropriate firmware baseline. To force install all of the firmware, even if it is the same or newer, select Force installation. e. Click OK Troubleshooting server profiles Server profile is not created or updated correctly When a server profile is not created or updated correctly, a notification appears at the top of the screen stating the profile operation was not successful; click the notification area to show more details. Also, the status icon next to the server profile name indicates it is in an Error condition ( ). The profile remains on the appliance, but you must edit the profile to correct it. When you correct the server profile, the profile status changes to OK ( ). Symptom Cause Server profile is not created or updated correctly. Action Verify the following conditions: 1. Verify that the prerequisites listed in the online help have been met. 2. Verify that the following conditions are TUE: The latest SPP is installed and applied A profile name has been entered and is unique The selected server hardware is powered off The server hardware is in the No Profile Applied state, has the correct firmware, the ports are mapped to the correct interconnect, and the device bay has no profile assigned to it The server hardware is able to power cycle, and a user did not shut down the server hardware while the profile settings were being applied You applied the correct ilo and system OM firmware levels You are using supported server hardware The ilo has an IP address and network connectivity 382 Troubleshooting

383 Communication exists with the server hardware ilo, including but not limited to whether the ilo is functioning, network cabling is connected and functional, and there are no problems with switches or interconnects in the management network The appliance and managed resources are not separated by a firewall The add enclosure operation successfully completed. The add server hardware operation successfully completed. The specified network or network set is available on the server hardware port. The interconnects are in the Configured state, and have the correct firmware. The logical interconnect configuration matches its logical interconnect group. There are no duplicate networks on a physical port. If multiple adapters are installed, all adapters must have the same firmware version. User-specified addresses are unique and have correct format 3. When the issues have been addressed, either edit the profile or delete the profile and create another profile. If the server profile has duplicate networks on the same physical port: Change the connection to a different port Change the connection to use a different VLAN Symptom Cannot find a network when adding a connection Cause Action Verify that the following condition is true: The logical interconnect group is set up with the networks configured into uplink sets. Symptom Cannot add a connection from the profile Cause Action Verify that the following conditions are true: The interconnects in the logical interconnect group are in the Configured state and have the correct firmware. The servers are in the No Profile Applied state, have the correct firmware, and the ports are mapped to the correct interconnect. Symptom A profile operation timeout when applying BIOS settings. Cause The server hardware or its ilo are powered-off/reset or the appliance cannot collect progress information from the ilo Troubleshooting server profiles 383

384 Action In most cases, retrying the operation resolves the problem. Symptom Auto-assignment for FlexNIC fails while assigning or deploying connections. Cause Invalid configuration Auto-assignment for FlexNIC connections does not validate the following: Action Bandwidth oversubscription on the physical port Maximum networks (VLANs) on the physical port Duplicate networks (VLANs) on the physical port Manual assignment is required Cannot apply the server profile Symptom Cannot apply the server profile Cause Action If you received an error that Intelligent Provisioning failed to boot in the required period of time, perform these steps: 1. Attempt to boot into Intelligent Provisioning manually on the affected system by pressing F10 during POST. 2. If manually booting to Intelligent Provisioning works, then retry the operation from HPE OneView. If manual booting still fails, reboot the ilo and then retry step If the previous steps fail and the server is a BL465c with an active Smart Array Controller, disable the IOMMU on the server temporarily using BSU. a. During system boot, press F9 to enter the BSU. b. Select System Options. c. Select Processor Options. d. Select AMD-Vi (IOMMU). e. Select Disabled. f. Save and exit BSU. 4. If booting still fails, install the latest version of Intelligent Provisioning found at info/intelligentprovisioning.. Symptom Cannot verify the status of the server hardware 384 Troubleshooting

385 Cause Action To verify the operational status of the server hardware: 1. Click Cancel to exit from the Create Server Profile screen. 2. From the main menu, navigate to the Server Hardware screen. 3. Find, and then select the server hardware Profile operations are not successful Symptom Message indicates that the server is managed by another management system Cause The enclosure is no longer managed by HPE OneView. Action To prevent losing all allocated virtual IDs, perform the following steps before forcibly deleting the server profile. 1. Use EST APIs or Powershell to get the server profile. GET /rest/server-profiles 2. Force delete the profile using the UI or EST APIs. 3. ecreate the IDs using the User Specified option in the UI, or use EST APIs to create the server profile: a. Get the server profile. GET /rest/server-profiles b. Edit the server profile. 1) emove uri, serverhardwaretypeuri, enclosuregroupuri, enclosureuri, and enclosurebay. 2) Change the serverhardwareuri value to the server the profile is going to be associated to. 3) Change serialnumbertype from Virtual to UserDefined. 4) In the connections property, change mactype from Virtual to UserDefined. 5) In the connections property, change wwpntype from Virtual to UserDefined. 6) In the connections property, if applicable change networkuri with the correct networks. c. Create the server profile. POST /rest/server-profiles Cannot update or delete profile Symptom Unable to update profile: MyProfile or make additional firmware changes Cause A firmware update is in progress Troubleshooting server profiles 385

386 Solution 1 Solution 2 Action Wait until the firmware install is complete. Symptom Unable to delete profile: MyProfile or cannot make additional firmware changes Cause A firmware update is in progress. Action Do one of the following: 1. Wait until the firmware installation is complete. It is highly recommended that you do not abort before the installation is completed. 2. Select the Force delete option. Cause Server is not powered off. Action To delete a profile: Power off the server. NOTE: Momentary press is allowed at all times but Press and Hold is restricted as it might send the server to an inconsistent state. Symptom Unable to power off server profile Cause Press and hold operation is denied. Action Do one of the following: Momentarily press the power button and SUT will ensure none of the hardware goes to an inconsistent state. Try the Press and hold power operation after SUT has moved to a terminal state. NOTE: The Press and hold power operation is not allowed while Smart Update Tools is updating firmware or drivers. It is highly recommended that you wait until the firmware installation is complete and that you do not abort the process. Symptom Cannot complete firmware installation 386 Troubleshooting

387 Cause The firmware on {server} does not match the firmware baseline. Action If you selected to update firmware using HPE SUT, you need to install HPE SUT to complete the firmware and driver update Inconsistent firmware versions Solution 1 Solution 2 Symptom Firmware installation not complete or does not match baseline. Cause Firmware does not match firmware baseline. Action Do one of the following: Install and run Smart Update Tools. Edit the server profile to use the Firmware only option for firmware baseline installation. Symptom Unable to update firmware Cause Baseline not supported with Smart Update Tools. Action Do one of the following: Select a baseline that has HP SUM 7.4 or above and ilo firmware version 2.30 or above. For information about HP SUM, see the HP SUM Best Practices Implementation Guide at: Edit the affected server profiles to use Firmware only. Cause Server does not have required license for virtual media. Action Apply an ilo Advanced license on the server or apply an ilo hotfix for Symptom Servers powered on, but not configured for SUT. Cause Servers are powered on but their server profiles are not configured to use Smart Update Tools Troubleshooting server profiles 387

388 Action Edit the affected server profiles and select a firmware update option that uses Smart Update Tools. NOTE: This symptom can also appear when attempting Logical Enclosure shared infrastructure and server profile firmware update. Symptom Any failure to update firmware and OS drivers. Cause Some components did not deploy. Action 1. If a few components fail to deploy, log in to the target server OS and run gatherlogs bat/sh (use either bat or sh based on whether the OS is Windows or Linux, respectively). gatherlogs is located in the target server staging directory. 2. To identify the staging directory, use the hpesut status command from the staging directory and send the report to HPE for troubleshooting. See the Smart Update Tools User Guide at: Troubleshooting storage Brocade Network Advisor (BNA) SAN manager fails to add Solution 1 Solution 2 Solution 3 Symptom Adding the SAN manager fails with the error No SAN manager can be found at the specified location. Cause The BNA or the Standalone SMI Agent is not installed on a server Action See the BNA software documentation. Cause A BNA administrator account with full access is not configured and available for use by the appliance. Action See the BNA software documentation. Cause The Common Information Model Object Manager (CIMOM) is not installed and configured on the server. 388 Troubleshooting

389 Solution 4 Action See the BNA software documentation. Cause The BNA SSL setting and the SSL setting for the BNA on the appliance do not match. Action 1. Use the BNA software to verify whether or not SSL is enabled. See the BNA software documentation for more information. 2. From the SAN Managers screen, verify that the Use SSL setting on the appliance for BNA matches the SSL setting in the BNA software. If the SSL setting does not match: a. From the main menu, select SAN Managers, and do one of the following: In the master pane, select the BNA and select Actions Edit. Hover your pointer device in the details pane and click the Edit icon. 3. For Use SSL, change the value so that it matches the SSL setting in the BNA software. 4. Click Ok to save your changes Unable to establish connection with Brocade Network Advisor (BNA) SAN manager Symptom Unable to establish a connection with the SAN manager Possible cause and recommendation The CIMOM is not bound to the NIC that is on the same subnet as the appliance Binding the CIMOM to an NIC on the same subnet as the appliance is required for the appliance to connect and communicate with the BNA network management software. See the BNA software documentation Volume not available to server hardware Solution 1 Symptom Volume not accessible on the server. Cause A possible cause of a volume not being accessible on the server is that the SAN zone is improperly configured or missing. Action The following are recommended solutions: e-enable the attachment (Managed SAN case) 1. From the main menu, select Server Profiles. 2. In the master pane, select a server profile and select Actions Edit. 3. Under SAN Storage locate the volume attachment and select Enable. 4. Click OK Troubleshooting storage 389

390 Solution 2 Create or configure the zone using the SAN management software (no managed SAN) See the SAN manager documentation. Using managed SANs 1. Verify that the SAN manager and SAN is associated with the network. 2. Verify that Automate zoning is enabled. Automated zoning is not enabled on the SAN Verify that the zone has been manually configured. 1. See the SAN manager documentation. Cause A possible cause of a volume not being accessible on the server is that the Server initiators are not logged into the fabric because the interconnect port is disabled. Action The following are recommended solutions: Enable the interconnect port on the appliance 1. From the main menu, select Interconnects. 2. In the master pane, select an interconnect and select Actions Edit. 3. Locate the port you want to enable and select Enable. 4. Click OK. You can also use the EST API to complete this task. EST API: /rest/interconnects/{id}/ports See the HPE OneView EST API eference for more information. e-configure the logical interconnect group 1. From the main menu, select Logical Interconnect Groups. 2. In the master pane, select a logical interconnect group and select Actions Edit. 3. Edit the uplink sets to connect the networks with the desired interconnect ports. 4. Click OK. 5. Verify that the logical interconnect group link comes online. 6. From the main menu, select Logical Interconnects. 7. In the master pane, select a logical interconnect and select Actions Update from group. You can also use the EST API to complete this task. EST API: /rest/logical-interconnect-groups/{id} and /rest/logical-interconnects/{id}/compliance See the HPE OneView EST API eference for more information. Verify the cabling 1. Verify the physical cabling is configured as intended. Cause A possible cause of a volume not being accessible on the server is that the connection has not been defined in the server profile. 390 Troubleshooting

391 Action Add a connection to a network in the server profile 1. From the main menu, select Server Profiles. 2. In the master pane, select a server profile and select Actions Edit. 3. Under Connections click Add Connection. 4. For Device type select Fibre Channel over Ethernet. 5. For Network select a network that is connected to the storage system and click Add. 6. Click OK Volume is visible from the storage system but not visible on the appliance Symptom Volume is not in a normal state Possible cause and recommendation A possible cause of a volume not being visible on the appliance is that the volume has been moved to a storage pool that is not managed by the appliance. Move the volume to a pool that is managed by the appliance and refresh the volume using the storage system software See the storage system documentation. Bring the storage pool in which the volume resides under management of the appliance NOTE: If the volume was moved by Adaptive Optimization, Hewlett Packard Enterprise recommends bringing all pools that Adaptive Optimization might use under management of the appliance. This will ensure that the volume is still available to the appliance if it is moved by Adaptive Optimization. 1. From the main menu, select Storage Pools, and do one of the following: Click + Add storage pool in the master pane. Select Actions Add. 2. For Storage System, select the storage system that contains the storage pools you want to add. 3. For Storage Pool, select the storage pool you want to add. 4. Click Add to add the storage pool, or click Add + add another pool. You can also use the EST API to complete this task. EST API: /rest/storage-pools See the HPE OneView EST API eference for more information Target port failure Solution 1 Symptom Target port is in a failure state. Cause Target port failure is that the Actual and Expected network are mismatched. The expected network needs to be updated on the appliance. Action To update the expected network on the appliance 1. From the main menu, select Storage Systems. 2. In the master pane, select the storage system and select Actions Edit Troubleshooting storage 391

392 Solution 2 Solution 3 3. For the port change the Expected Network so that it matches the Actual Network. 4. Click OK. You can also use the EST API to complete this task. EST API: /rest/storage-systems/{id} See the HPE OneView EST API eference for more information. Cause The physical cabling is improperly configured (Fabric attach). Action Verify that the cabling between the storage system and the SAN switch is properly configured. Cause Port failed on device. Action Examine your storage system hardware. epair as necessary Zone operations fail on Cisco SAN manager Symptom Zone operations on Cisco SAN manager fail. Cause The snmpd service has crashed. View the SAN manager log from the SAN manager software to verify that the snmpd service has crashed. One cause of the snmpd service crashing is out-of-date firmware on the SAN manager. Action Update the firmware on the SAN manager to the latest version 1. Follow the manufacturer s instructions for updating the firmware on the SAN manager. 2. e-try the zone operation on the appliance Storage system port is in an undesired state Storage system port is in a failing over state Cause The port is offline and is in the process of failing over to the partner port. Action Wait for the state to change. Storage system port is in a failed over state Cause The port is offline and has failed over to the partner port. 392 Troubleshooting

393 Action esolve the issue with the port on the storage system. Verify connectivity to the infrastructure. Storage system port is in a failed state Cause The port is off offline and cannot fail over to the partner port. Action Verify the status and configuration of both storage ports. Verify cabling or other infrastructure issues. Storage system port is in a recovering state Cause The port is online and in the process of returning to a normal state. Action Wait for the state to change. Storage system port is in a partner port failed over state Cause The partner port has failed over and the port is the partner port traffic. Action esolve the issue with the partner port on the storage system. Verify port connectivity to the infrastructure. Storage system port is in a partner failed state Cause The partner port has failed and the fail over operation was not successful. Action Verify the status and configuration of both storage ports. Verify for cabling or other infrastructure issues Troubleshooting user accounts Incorrect privileges Users must have view privileges (at minimum) on a managed object to see that object in the user interface. Symptom Unable to see specific resource information or perform a resource task Cause Your assigned role does not have the correct privileges Troubleshooting user accounts 393

394 Action equest a different role or an additional role from the Infrastructure administrator in order to do your work Cannot modify local user account Symptom You cannot add, edit, or delete a local user account. Improper authorization Cause You do not have proper authorization or you entered invalid parameters. Action Network issues 1. Log in to the appliance as the Infrastructure administrator. 2. Try to add, edit, or delete the user account again. Action 1. Log in to the appliance as the Infrastructure administrator. 2. See Synergy Composer cannot access the network (page 359) 3. Try to add, edit, or delete the user account again. Appliance certificate needs to be updated Cause The appliance certificate is invalid or it has expired. Action 1. Log in to the appliance as the Infrastructure administrator. 2. Acquire a new appliance certificate. 3. efresh the browser page. 4. Accept the new certificate. 5. Add the user account. 6. Try to add, edit, or delete the user account again Cannot delete local user account Symptom The deletion fails with error code 500. Action 1. Perform the following EST API call to modify the user account to be deleted: PUT 2. Try to delete the user account again Unauthenticated user or group Each user is authenticated on login to the appliance by the authentication service that confirms the user name and password. The Edit Authentication screen enables you to configure 394 Troubleshooting

395 authentication settings on the appliance; the default values are initially populated during first time setup of the appliance. Symptom Unable to configure a directory user or group Cause Authentication settings incorrect Action To configure authentication settings: 1. From the Users screen, click Add Directory User or Group. 2. Click add a directory. 3. From the Edit Authentication screen, click Add directory. 4. Provide the requested information. 5. Click OK User public key is not accepted Symptom User public key does not work or is not accepted. Cause Hidden characters introduced during a copy/paste operation change the key code. Action Enter the key again, taking care to prevent special characters from being injected into the key when pasting it into the public key field. Only SA keys are supported Directory service not available Solution 1 Symptom The directory service could not be accessed by the appliance. The server for the directory service cannot be accessed. Cause Either the server for the directory service or the network is down. Action 1. un theping command on the directory server IP address or host name to determine if it is online. 2. Verify that the appliance network is operating correctly. 3. Contact the directory service administrator to determine if the server is down Troubleshooting user accounts 395

396 Solution 2 Cause Configuration errors prevent the directory service from being reached Action 1. Verify that the name of the directory service is unique and entered correctly. Duplicate names are not accepted. 2. Verify that the Directory type is correct. 3. Ensure that the Base DN fields and, for OpenLDAP, the User naming attribute field, and Organizational unit fields are correct. 4. Verify that the credentials of the authentication directory service administrator are correct. 5. Verify that the group is configured in the directory service. 6. Ensure that the role assigned to the group is correct Cannot add directory service Solution 1 Solution 2 Symptom You cannot add a directory service to the appliance. Cause An external problem disconnected the directory server host. Action 1. Log in as the Infrastructure administrator 2. Verify that the settings for the directory service host are accurate. 3. Locally run the ping command on the directory server s IP address or host name to determine if it is on-line. 4. Verify that the port for LDAP communication with the directory service is port Verify that the port (default port 636) you are using for communication is not blocked by any firewalls. See Ports required for HPE OneView (page 74). 6. Verify that the appliance network is operating correctly. 7. Determine that the appliance is functioning properly and that there are enough resources. Cause The directory server host is refusing to authenticate the appliance because the certificate has expired. Action 1. Log in as the Infrastructure administrator 2. Verify the login name and password are accurate. Contact the directory service provider to ensure that the credentials are accurate. 3. eacquire and install the directory service host certificate. 396 Troubleshooting

397 Solution 3 Solution 4 Solution 5 Cause The certificate is not in valid x509 format. Action 1. Log in as the Infrastructure administrator 2. Correct the configuration and try again. 3. e-acquire and install the directory service host certificate, if necessary. 4. Contact the directory service provider to ensure that the credentials are accurate. Cause The certificate does not contain the x509v3 key usage extension. Action 1. Log in as the Infrastructure administrator 2. Ensure that the certificate contains the key usage extension. 3. e-acquire and install the directory service host certificate, if necessary. Cause The directory server host cannot authenticate the appliance because the credentials are invalid. Action 1. Log in as the Infrastructure administrator 2. Verify the login name and password are accurate. 3. Verify the search context information is accurate; you might be trying to access a different account or group. 4. e-acquire and install the directory service host certificate. 5. Contact the directory service provider to ensure that the credentials are accurate Cannot add server for a directory service Solution 1 Symptom You cannot configure a server for the directory service. Cause The appliance lost connection with the directory service, but that connection was lost. Action 1. Verify that the settings for the directory service host are accurate. 2. Verify that the correct port is used for the directory service. 3. Verify that the port (default port 636) you are using for communication is not blocked by any firewalls. See Ports required for HPE OneView (page 74) Troubleshooting user accounts 397

398 Solution 2 Solution 3 4. Locally run the ping command on the directory service host s IP address or host name to determine if it is on-line. 5. Verify that the appliance network is operating correctly. Cause There is an authentication error when logging in to the server for the directory service. 1. Verify that the login name and password are accurate. 2. eacquire and install the directory service host certificate. 3. Contact the directory service provider to ensure that the credentials are accurate. Cause There are incorrect parameters when the directory service was configured. Action 1. Verify that the name of the directory service is unique and entered correctly. Duplicate names are not accepted. 2. Verify that the Directory type is correct. 3. Ensure that the Base DN fields and, for OpenLDAP, the User naming attribute field, and Organizational unit fields are correct. 4. Verify that the credentials of the authentication directory service administrator are correct. 5. Verify that the group is configured in the directory service Cannot add directory group Solution 1 Solution 2 Symptom The directory group could not be added as a group on the appliance. Cause The specified authentication directory and group specified already exist. Groups must be unique. Action 1. Log in as Infrastructure administrator. 2. eassign the current group to another role, or otherwise make the group unique. Cause An external problem disconnected the directory server host. Action 1. Log in as the Infrastructure administrator. 2. Verify that the settings for the directory service host are accurate. 3. Verify that the correct port is used for the directory service. 398 Troubleshooting

399 Solution 3 4. Verify that the port (default port 636) you are using for communication is not blocked by any firewalls. See Ports required for HPE OneView (page 74). 5. Locally run the ping command on the directory service host IP address or host name to determine if it is online. 6. Verify that the appliance network is operating correctly. Cause Authentication problems prevented the appliance from logging in to the directory service. Action 1. Log in as the Infrastructure administrator. 2. Verify that the login name and password are accurate. 3. eacquire and install the directory service host certificate. 4. Contact the directory service provider to ensure that the credentials are accurate Cannot find directory group Solution 1 Solution 2 Symptom A specified group could not be found in the authentication directory service. Cause Either the group is not configured in the authentication directory service or the search parameters contained an error. Action 1. Log in as the Infrastructure administrator 2. Verify the credentials for the authentication directory service. 3. Verify that the directory service is operational. 4. Verify the name of the group. 5. Contact the directory service administrator to verify that the group account is configured in the directory service. 6. Try to find the group again. Cause For more information, see About directory service authentication (page 242). The directory type was incorrectly specified. For example, an Active Directory service might have be specified as OpenLDAP. Action 1. Log in as the Infrastructure administrator 2. Verify that the settings for the directory service are accurate Troubleshooting user accounts 399

400 Solution 3 Solution 4 Solution 5 Cause The specified search of the authentication directory service does not contain any groups. Action 1. Log in as the Infrastructure administrator 2. Verify the directory server configuration. 3. For OpenLDAP, ensure that the directory server user has read privileges (rscdx) so that HPE OneView can read the search results. 4. For OpenLDAP, add all search contexts to retrieve the wanted group or groups. Use the Add button to generate additional multiple organizational units, with which to specify the UID or CN. Cause An error occurred while accessing directory groups. Directory service servers could not be reached. Action 1. Log in as the Infrastructure administrator 2. Verify the directory server configuration. 3. Verify the connection to the directory server host. 4. For OpenLDAP, add all search contexts to retrieve the wanted group or groups. Use the Add button to generate additional multiple organizational units, with which to specify the UID or CN. Cause An external problem prevented the appliance from reaching the server configured for the directory service. Action 1. Log in as the Infrastructure administrator 2. Verify the connection to the directory server host. See Cannot add server for a directory service (page 397). 3. Verify the directory server configuration. 400 Troubleshooting

401 32 Documentation and troubleshooting resources for HPE Synergy 32.1 HPE Synergy documentation The Hewlett Packard Enterprise Information Library ( is a task-based repository that includes installation instructions, user guides, maintenance and service guides, best practices, and links to additional resources. Use this website to obtain the latest documentation, including: Learning about HPE Synergy technology Installing and cabling HPE Synergy Updating the HPE Synergy components Using and managing HPE Synergy Troubleshooting HPE Synergy 32.2 HPE Synergy Configuration and Compatibility Guide The HPE Synergy Configuration and Compatibility Guide, in the Hewlett Packard Enterprise Information Library ( provides an overview of HPE Synergy management and fabric architecture, detailed hardware component identification and configuration, and cabling examples HPE OneView User Guide for HPE Synergy The HPE OneView User Guide for HPE Synergy, in the Hewlett Packard Enterprise Information Library ( describes resource features, planning tasks, configuration quick start tasks, navigational tools for the graphical user interface, and more support and reference information for HPE OneView HPE OneView Global Dashboard The HPE OneView Global Dashboard provides a unified view of health, alerting, and key resources managed by HPE OneView across multiple platforms and data center sites. The HPE OneView Global Dashboard User Guide in the Hewlett Packard Enterprise Information Library ( provides instructions for installing, configuring, navigating, and troubleshooting the HPE OneView Global Dashboard HPE Synergy Software Overview Guide The HPE Synergy Software Overview Guide, in the Hewlett Packard Enterprise Information Library ( provides detailed references and overviews of the various software and configuration utilities to support HPE Synergy. The guide is task-based and covers the documentation and resources for all supported software and configuration utilities available for HPE Synergy setup and configuration, OS deployment, firmware updates, troubleshooting, and remote support Best Practices for HPE Synergy Firmware and Driver Updates The Best Practices for HPE Synergy Firmware and Driver Updates, in the Hewlett Packard Enterprise Information Library ( provides information on recommended best practices to update firmware and drivers through HPE Synergy Composer, which is powered by HPE OneView HPE Synergy documentation 401

402 32.7 HPE OneView Support Matrix for HPE Synergy The HPE OneView Support Matrix for HPE Synergy, in the Hewlett Packard Enterprise Information Library ( maintains the latest software and firmware requirements, supported hardware, and configuration maximums for HPE OneView HPE Synergy Image Streamer Support Matrix The HPE Synergy Image Streamer Support Matrix, in the Hewlett Packard Enterprise Information Library ( maintains the latest software and firmware requirements, supported hardware, and configuration maximums for HPE Synergy Image Streamer HPE Synergy Glossary The HPE Synergy Glossary, in the Hewlett Packard Enterprise Information Library ( defines common terminology associated with HPE Synergy HPE Synergy troubleshooting resources HPE Synergy troubleshooting resources are available within HPE OneView and in the Hewlett Packard Enterprise Information Library ( Troubleshooting within HPE OneView HPE OneView graphical user interface includes alert notifications and options for troubleshooting within HPE OneView. The UI provides multiple views of HPE Synergy components, including colored icons to indicate resource status and potential problem resolution in messages. You can also use the Enclosure view and Map view to quickly see the status of all discovered HPE Synergy hardware HPE Synergy Troubleshooting Guide The HPE Synergy Troubleshooting Guide, in the Hewlett Packard Enterprise Information Library ( provides information for resolving common problems and courses of action for fault isolation and identification, issue resolution, and maintenance for both HPE Synergy hardware and software components HPE Error Message Guide The HPE Error Message Guide, in the Hewlett Packard Enterprise Information Library ( provides information for resolving common problems associated with specific error messages received for both HPE Synergy hardware and software components HPE OneView Help The HPE OneView Help, the HPE OneView EST API Scripting Help, and the HPE OneView API eference are readily accessible, embedded online help available within the HPE OneView user interface. These help files include Learn more links to common issues, as well as procedures and examples to troubleshoot issues within HPE Synergy. The help files are also available in the Hewlett Packard Enterprise Information Library ( Documentation and troubleshooting resources for HPE Synergy

403 32.15 HPE Synergy Quick Specs HPE Synergy has system specifications as well as individual product and component specifications. For complete specification information, see the Synergy and individual Synergy product Quick Specs on the Hewlett Packard Enterprise website ( HPE Synergy documentation map Planning HPE Synergy Site Planning Guide HPE Synergy Configuration and Compatibility Guide HPE OneView Support Matrix for HPE Synergy HPE Synergy Image Streamer Support Matrix HPE Synergy Setup Overview Installing hardware HPE Synergy Start Here Poster (included with frame) HPE Synergy Frame Setup and Installation Guide HPE ack ails Installation Instructions (included with frame) HPE Synergy Frame ack Template (included with frame) Hood labels User guides HPE Synergy Interactive Cabling Guide HPE OneView Help for HPE Synergy Hardware setup Configuring for managing and monitoring HPE OneView Help for HPE Synergy HPE OneView User Guide for HPE Synergy HPE OneView API eference HPE OneView EST API Scripting Help HPE ilo 4 with AMS traps supported for alerting in HPE OneView User Guides Managing HPE OneView User Guide for HPE Synergy HPE Synergy Image Streamer Help HPE Synergy Image Streamer User Guide HPE Synergy Image Streamer API eference Monitoring HPE OneView User Guide for HPE Synergy HPE OneView Global Dashboard Help HPE OneView Global Dashboard User Guide Maintaining Product maintenance and service guides Best Practices for HPE Synergy Firmware and Driver Updates Guide HPE OneView Help for HPE Synergy HPE OneView User Guide for HPE Synergy Troubleshooting HPE OneView alert details HPE Synergy Troubleshooting Guide HPE Error Message Guide HPE OneView API eference HPE Synergy Image Streamer API eference HPE Synergy Quick Specs 403

404 404

405 33 Support and other resources Accessing Hewlett Packard Enterprise Support Accessing updates (page 405) Websites (page 406) Customer self repair Documentation feedback 33.1 Accessing Hewlett Packard Enterprise Support For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: Information to collect Technical support registration number (if applicable) Product name, model or version, and serial number Operating system name and version Firmware version Error messages Product-specific reports and logs Add-on products or components Third-party products or components 33.2 Accessing updates Some software products provide a mechanism for accessing software updates through the product interface. eview your product documentation to identify the recommended software update method. To download product updates, go to either of the following: Hewlett Packard Enterprise Support Center Get connected with updates page: Software Depot website: To view and update your entitlements, and to link your contracts and warranties with your profile, go to the Hewlett Packard Enterprise Support Center More Information on Access to Support Materials page: Accessing Hewlett Packard Enterprise Support 405

406 33.3 Websites IMPOTANT: Access to some updates might require product entitlement when accessed through the Hewlett Packard Enterprise Support Center. You must have an HP Passport set up with relevant entitlements. Website Hewlett Packard Enterprise Information Library Hewlett Packard Enterprise Support Center Contact Hewlett Packard Enterprise Worldwide HPE OneView Docs Subscription Service/Support Alerts Software Depot Customer Self epair emote Support for HPE OneView FAQ document Single Point of Connectivity Knowledge (SPOCK) Storage compatibility matrix HPE Virtual Connect user guides HPE Virtual Connect command line references HPE 3PA StoreServ Storage HPE Integrated Lights-Out HPE BladeSystem enclosures HPE ProLiant server hardware websites Storage white papers and analyst reports Link emote support doc General information: BL series server blades: blades DL series rack mount servers: servers/dl emote support emote support is available with supported devices as part of your warranty or contractual support agreement. It provides intelligent event diagnosis, and automatic, secure submission of hardware event notifications to Hewlett Packard Enterprise, which will initiate a fast and accurate resolution based on your product's service level. Hewlett Packard Enterprise strongly recommends that you register your device for remote support. If your product includes additional remote support details, use search to locate that information. emote support and Proactive Care information HPE Get Connected HPE Proactive Care services Support and other resources

407 HPE Proactive Care service: Supported products list HPE Proactive Care advanced service: Supported products list Proactive Care customer information Proactive Care central Proactive Care service activation Customer self repair Hewlett Packard Enterprise customer self repair (CS) programs allow you to repair your product. If a CS part needs to be replaced, it will be shipped directly to you so that you can install it at your convenience. Some parts do not qualify for CS. Your Hewlett Packard Enterprise authorized service provider will determine whether a repair can be accomplished by CS. For more information about CS, contact your local service provider or go to the CS website: Documentation feedback Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page Customer self repair 407

408 408

409 A Backup and restore script examples A.1 Sample backup script As an alternative to using Settings Actions Create backup from the appliance UI, you can write and run a script to automatically create and download an appliance backup file. Example 14 Sample backup.ps1 script provides a sample PowerShell script that uses EST calls to create and download an appliance backup file. Cut and paste this sample script into a file on a Windows system that runs PowerShell version 3.0, and edit the script to customize it for your environment. See the EST API online help for more information about EST APIs. You can schedule the backup script to run automatically in interactive or batch mode on a regular basis (Hewlett Packard Enterprise recommends daily backups). Only a user with Backup administrator or Infrastructure administrator privileges can run the script interactively. To run the script interactively, do not include any parameters. The script prompts you to enter the appliance host name, appliance user name and password, and the name of a file to store these parameters for batch mode executions. Enter the name and password of a user with the Backup administrator or Infrastructure administrator role. The user name and password are stored encrypted. Hewlett Packard Enterprise recommends that you run the script interactively the first time. Then, you can schedule the script to run automatically in the background using the parameter file created by the first run. To run the script in batch mode, specify the name of the file containing the parameters on the command line. Hewlett Packard Enterprise recommends that you install cul with the SSL option to improve performance. The sample script works without cul, but it might take several hours to download a large backup file. To download cul, see: NOTE: You might also need to install Microsoft Visual C++ edistributable, the MSVC100.dll file, available here: 64 bit: 32 bit: Make sure the path environment variable includes the path for cul. Sample script The sample script makes the following calls to create and download a backup file: 1. Calls queryfor-credentials() to get the appliance host name, user name, and password by either prompting the user or reading the values from a file. 2. Calls login-appliance() to issue a EST request to obtain a session ID used to authorize backup EST calls. 3. Calls backup-appliance() to issue a EST request to start a backup. 4. Calls waitfor-completion() to issue EST requests to poll for backup status until the backup completes. 5. Calls get-backupesource() to issue a EST request to get the download UI. 6. Calls download-backup() to issue a EST request to download the backup. A.1 Sample backup script 409

410 Example 14 Sample backup.ps1 script # (C) Copyright Hewlett Packard Enterprise Development LP ########################################################################################################################### # Name: backup.ps1 # Usage: {directory}\backup.ps1 or {directory}\backup.ps1 filepath # Parameter: $filepath: optional, uses the file in that path as the login credentials. ie: host address, username, # password, and, optionally, the Active Directory domain name # Purpose: uns the backup function on the appliance and downloads it onto your machine's drive # in current user's home directory # Notes: To improve performance, this script uses the curl command if it is installed. The curl command must # be installed with the SSL option. # Windows PowerShell 3.0 must be installed to run the script ########################################################################################################################### #tells the computer that this is a trusted source that we are connecting to (brute force, could be refined) [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true } $global:interactivemode = 0 # The scriptapiversion is the default Api version (if the appliance supports this level # or higher). This variable may be changed if the appliance is at a lower Api level. $global:scriptapiversion = 3 # Using this Api version or greater requires a different interaction when creating a backup. Set-Variable taskesourcev2apiversion -option Constant -value 3 try { #this log must be added if not already on your computer New-EventLog -LogName Application -Source backup.ps1 -ErrorAction stop } catch [System.Exception] { #this is just to keep the error "already a script" from showing up on the screen if it is already created } ##### Querying user for login info ##### function queryfor-credentials () { <#.DESCIPTION Gathers information from User if in manual entry mode (script ran with zero arguments) or runs silently and gathers info from specified path (script ran with 1 argument).inputs None, this function does not take inputs..outputs eturns an object that contains the login name, password, hostname and ActiveDirectory domain to connect to. #>.EXAMPLE $variable = queryfor-credentials #runs function, saves json object to variable. if ($args[0] -eq $null) { Write-Host "Enter appliance name ( $appliance = ead-host # Correct some common errors $appliance = $appliance.trim().tolower() if (!$appliance.startswith(" { if ($appliance.startswith(" { $appliance = $appliance.eplace("http","https") } else { $appliance = " + $appliance } } Write-Host "Enter username" $username = ead-host -AsSecureString ConvertFrom-SecureString Write-Host "Enter password" $SecurePassword = ead-host -AsSecureString ConvertFrom-SecureString Write-Host "If using Active Directory, enter the Active Directory domain" Write-Host " (Leave this field blank if not using Active Directory.)" $ADName = ead-host Write-Host "Would you like to save these credentials to a file? (username and password encrypted)" $savequery = ead-host $loginvals = [pscustomobject]@{ username = $username; password = $SecurePassword; hostname = $appliance; authlogindomain = $ADName } $loginjson = $loginvals convertto-json $global:interactivemode = Backup and restore script examples

411 if ($savequery[0] -eq "y") #enters into the mode to save the credentials { Write-Host "Enter file path and file name to save credentials (example: C:\users\bob\machine1.txt)" $storagepath = ead-host try { $loginjson Out-File $storagepath -NoClobber -ErrorAction stop } catch [System.Exception] { Write-Host $_.Exception.message if ($_.Exception.getType() -eq [System.IO.IOException]) # file already exists throws an IO exception { do { Write-Host "Overwrite existing credentials for this machine?" [string]$overwritequery = ead-host if ($overwritequery[0] -eq 'y') { $loginjson Out-File $storagepath -ErrorAction stop $exitquery = 1 } elseif ($overwritequery[0] -eq 'n') { $exitquery = 1 } else { Write-Host "Please respond with a y or n" $exitquery = 0 } } while ($exitquery -eq 0) } else { Write-Host "Improper filepath or no permission to write to given directory" Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Improper filepath, $storagepath " $_.Exception.message return } } $savedloginjson = Get-Content $storagepath Write-Host "un backup?" $continue = 0 do { $earlyexit = ead-host if ($earlyexit[0] -eq 'n') { return } elseif ($earlyexit[0] -ne 'y') { Write-Host "Please respond with a y or n" } else { $continue = 1 } } while ($continue -eq 0) } else { return $loginjson } } elseif ($args.count -ne 1) { Write-Host "Incorrect number of arguments, use either filepath parameter or no parameters." return } else { foreach ($arg in $args) { $storagepath = $arg } try { $savedloginjson = Get-Content $storagepath -ErrorAction stop } catch [System.Exception] { Write-Host "Login credential file not found. Please run script without arguments to access manual entry mode." A.1 Sample backup script 411

412 Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Login credential file not found. Please run script without arguments to access manual entry mode." return } } return $savedloginjson } ##### getapiversion: Get X_API_Version ##### function getapiversion ([int32] $currentapiversion,[string]$hostname) { <#.DESCIPTION Sends a web request to the appliance to obtain the current Api version. eturns the lower of: Api version supported by the script and Api version supported by the appliance..paamete currentapiversion Api version that the script is currently using.paamete hostname The appliance address to send the request to (in format).inputs None, does not accept piping.outputs Outputs the new active Api version #>.EXAMPLE $global:scriptapiversion = getapiversion() # the particular Uri on the Appliance to reqest the Api Version $versionuri = "/rest/version" # append the Uri to the end of the IP address to obtain a full Uri $fullversionuri = $hostname + $versionuri # use setup-request to issue the EST request api version and get the response try { $applianceversionjson = setup-request -Uri $fullversionuri -method "GET" -accept "application/json" -contenttype "application/json" if ($applianceversionjson -ne $null) { $applianceversion = $applianceversionjson convertfrom-json $currentapplianceversion = $applianceversion.currentversion if ($currentapplianceversion -lt $currentapiversion) { return $currentapplianceversion } return $currentapiversion } } catch [System.Exception] { if ($global:interactivemode -eq 1) { Write-Host $error[0].exception.message } else { Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message $error[0].exception.message } } } ##### Sending login info ##### function login-appliance ([string]$username,[string]$password,[string]$hostname,[string]$adname) { <#.DESCIPTION Attempts to send a web request to the appliance and obtain an authorized sessionid..paamete username The username to log into the remote appliance.paamete password The correct password associated with username.paamete hostname The appliance address to send the request to (in format).paamete ADName The Active Directory name (optional).inputs None, does not accept piping.outputs 412 Backup and restore script examples

413 Outputs the response body containing the needed session ID. #>.EXAMPLE $authtoken = login-appliance $username $password $hostname $ADName # the particular Uri on the Appliance to reqest an "auth token" $loginuri = "/rest/login-sessions" # append the Uri to the end of the IP address to obtain a full Uri $fullloginuri = $hostname + $loginuri # create the request body as a hash table, then convert it to json format if ($ADName) { $body username = $username; password = $password; authlogindomain = $ADName } convertto-json } else # null or empty { $body username = $username; password = $password } convertto-json } # use setup-request to issue the EST request to login and get the response try { $loginesponse = setup-request -Uri $fullloginuri -method "POST" -accept "application/json" -contenttype "application/json" -Body $body if ($loginesponse -ne $null) { $loginesponse convertfrom-json } } catch [System.Exception] { if ($global:interactivemode -eq 1) { Write-Host $error[0].exception.message } else { Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message $error[0].exception.message } } } ##### Executing backup ###### function backup-appliance ([string]$authvalue,[string]$hostname) { <#.DESCIPTION Gives the appliance the command to start creating a backup.paamete authvalue The authorized sessionid given by login-appliance.paamete hostname The location of the appliance to connect to (in format).inputs None, does not accept piping.outputs The task esource returned by the appliance, converted to a hashtable object #>.EXAMPLE $taskesource = backup-appliance $sessionid $hostname # append the EST Uri for backup to the IP address of the Appliance $bkupuri = "/rest/backups/" $fullbackupuri = $hostname + $bkupuri # create a new webrequest and add the proper headers (new header, auth, is needed for authorization # in all functions from this point on) try { if ($global:scriptapiversion -lt $taskesourcev2apiversion) { $taskesourcejson = setup-request -Uri $fullbackupuri -method "POST" -accept "application/json" -contenttype "application/json" -authvalue $authvalue } else { $taskuri = setup-request -Uri $fullbackupuri -method "POST" -accept "application/json" -contenttype "application/json" -authvalue $authvalue -returnlocation $true if ($taskuri -ne $null) { $taskesourcejson = setup-request -Uri $taskuri -method "GET" -accept "application/json" -contenttype "application/json" -authvalue $authvalue } } if ($taskesourcejson -ne $null) { A.1 Sample backup script 413

414 return $taskesourcejson ConvertFrom-Json } } catch [System.Exception] { if ($global:interactivemode -eq 1) { Write-Host $error[0].exception.message } else { Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message $error[0].exception.message } } } ##### Polling to see if backup is finished ###### function waitfor-completion ([object]$taskesource,[string]$authvalue,[string]$hostname) { <#.DESCIPTION Checks the status of the backup every twenty seconds, stops when status changes from running to a different status.paamete taskesource The response object from the backup-appliance method.paamete authvalue The authorized session ID.PAAMETE hostname The appliance to connect to (in format).inputs None, does not accept piping.outputs The new task resource object, which contains the Uri to get the backup resource in the next function #>.EXAMPLE $taskesource = waitfor-completion $taskesource $sessionid $hostname # extracts the Uri of the task esource from itself, to poll repeatedly $taskesourceuri = $taskesource.uri if ($taskesourceuri -eq $null) { # Caller will provide the error message return } # appends the Uri to the hostname to create a fully-qualified Uri $fulltaskuri = $hostname + $taskesourceuri # retries if unable to get backup progress information $errorcount = 0 $errormessage = "" if ($global:interactivemode -eq 1) { Write-Host "Backup initiated." Write-Host "Checking for backup completion, this may take a while." } # a while loop to determine when the backup process is finished do { try { # creates a new webrequest with appropriate headers $taskesourcejson = setup-request -Uri $fulltaskuri -method "GET" -accept "application/json" -authvalue $authvalue -issilent $true # converts the response from the Appliance into a hash table $taskesource = $taskesourcejson convertfrom-json # checks the status of the task manager $status = $taskesource.taskstate } catch { $errormessage = $error[0].exception.message $errorcount = $errorcount + 1 $status = "equestfailed" Start-Sleep -s 15 continue } # Update progress bar if ($global:interactivemode -eq 1) { $trimmedpercent = ($taskesource.completedsteps) / Backup and restore script examples

415 $progressbar = "[" + "=" * $trimmedpercent + " " * (20 - $trimmedpercent) + "]" Write-Host "`r Backup progress: $progressbar " $taskesource.completedsteps "%" -NoNewline } # eset the error count since progress information was successfully retrieved $errorcount = 0 # If the backup is still running, wait a bit, and then check again if ($status -eq "unning") { Start-Sleep -s 20 } } while (($status -eq "unning" -or $status -eq "equestfailed") -and $errorcount -lt 20); # if the backup reported an abnormal state, report the state and exit function if ($status -ne "Completed") { if ($global:interactivemode -eq 1) { Write-Host "`n" Write-Host "Backup stopped abnormally" Write-Host $errormessage } else { #log error message Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Backup stopped abnormally" Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message $errormessage } return $null } # upon successful completion of task, outputs a hash table which contains task resource else { Write-Host "`n" $taskesource return } } ##### Gets the backup resource ##### function get-backupesource ([object]$taskesource,[string]$authvalue,[string]$hostname) { <#.DESCIPTION Gets the Uri for the backup resource from the task resource and gets the backup resource.paamete taskesource The task resource object that we use to get the Uri for the backup resource.paamete authvalue The authorized sessionid.paamete hostname the appliance to connect to (in format).inputs None, does not accept piping.outputs The backup resource object #>.EXAMPLE $backupesource = get-backupesource $taskesource $sessionid $appliancename # the backup esource Uri is extracted from the task resource if ($global:scriptapiversion -lt $taskesourcev2apiversion) { $backupuri = $taskesource.associatedesourceuri } else { $backupuri = $taskesource.associatedesource.resourceuri } if ($backupuri -eq $null) { # Caller will provide the error message return } # construct the full backup esource Uri from the hostname and the backup resource uri $fullbackupuri = $hostname + $backupuri # get the backup resource that contains the Uri for downloading try { # creates a new webrequest with appropriate headers $backupesourcejson = setup-request -Uri $fullbackupuri -method "GET" -accept "application/json" -auth $authvalue if ($backupesourcejson -ne $null) A.1 Sample backup script 415

416 { $resource = $backupesourcejson convertfrom-json if ($global:interactivemode -eq 1) { Write-Host "Obtained backup resource. Now downloading. This may take a while..." } $resource return } } catch [System.Exception] { if ($global:interactivemode -eq 1) { Write-Host $error[0].exception.message } else { Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message $error[0].exception.message } } } ##### Function to download the backup file ##### function download-backup ([PSCustomObject]$backupesource,[string]$authValue,[string]$hostname) { <#.DESCIPTION Downloads the backup file from the appliance to the local system. Tries to use the curl command. The curl command has significantly better performance especially for large backups. If curl isn't installed, invokes download-backup-without-curl to download the backup..paamete backupesource Backup resource containing Uri for downloading.paamete authvalue The authorized sessionid.paamete hostname The IP address of the appliance.inputs None, does not accept piping.outputs The absolute path of the download file #>.EXAMPLE download-backup $backupesource $sessionid $downloaduri = $hostname + $backupesource.downloaduri $filedir = [environment]::getfolderpath("personal") $filepath = $filedir + "\" + $backupesource.id + ".bkp" $curldownloadcommand = "curl -o " + $filepath + " -s -f -L -k -X GET " + "-H 'accept: application/octet-stream' " + "-H 'auth: " + $authvalue + "' " + "-H 'X-API-Version: $global:scriptapiversion' " + $downloaduri $curlgetdownloaderrorcommand = "curl -s -k -X GET " + "-H 'accept: application/json' " + "-H 'auth: " + $authvalue + "' " + "-H 'X-API-Version: $global:scriptapiversion' " + $downloaduri try { $testcurlssloption = curl -V if ($testcurlssloption -match "SSL") { invoke-expression $curldownloadcommand } else { if ($global:interactivemode -eq 1) { Write-Host "Version of curl must support SSL to get improved download performance." } else { Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Version of curl must support SSL to get improved download performance" } } return download-backup-without-curl $backupesource $authvalue $hostname if ($LASTEXITCODE -ne 0) { $erroresponse = invoke-expression $curlgetdownloaderrorcommand if ($global:interactivemode -eq 1) 416 Backup and restore script examples

417 { Write-Host "Download using curl error: $erroresponse" } else { Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Download error: $erroresponse" } } if (Test-Path $filepath) { emove-item $filepath } return if ($global:interactivemode -eq 1) { Write-Host "Backup download complete!" } } catch [System.Management.Automation.CommandNotFoundException] { return download-backup-without-curl $backupesource $authvalue $hostname } catch [System.Exception] { Write-Host "Not able to download backup" Write-Host $error[0].exception return } } return $filepath ##### Function to download the Backup file without using the curl command ##### function download-backup-without-curl ([PSCustomObject]$backupesource,[string]$authValue,[string]$hostname) { <#.DESCIPTION Downloads the backup file from the appliance to the local system (without using curl).paamete backupesource Backup resource containing Uri for downloading.paamete authvalue The authorized sessionid.paamete hostname The IP address of the appliance.inputs None, does not accept piping.outputs The absolute path of the download file #>.EXAMPLE download-backup-without-curl $backupesource $sessionid # appends Uri ( obtained from previous function) to IP address $downloaduri = $hostname + $backupesource.downloaduri $downloadtimeout = # 12 hours $buffersize = # bytes # creates a new webrequest with appropriate headers [net.httpswebequest]$downloadequest = [net.webequest]::create($downloaduri) $downloadequest.method = "GET" $downloadequest.allowautoedirect = $TUE $downloadequest.timeout = $downloadtimeout $downloadequest.eadwritetimeout = $downloadtimeout $downloadequest.headers.add("auth", $authvalue) $downloadequest.headers.add("x-api-version", $global:scriptapiversion) # accept either octet-stream or json to allow the response body to contain either the backup or an exception $downloadequest.accept = "application/octet-stream;q=0.8,application/json" # creates a variable that stores the path to the file location. Note: users may change this to other file paths. $filedir = [environment]::getfolderpath("personal") try { # connects to the Appliance, creates a new file with the content of the response [net.httpswebesponse]$response = $downloadequest.getesponse() $responsestream = $response.getesponsestream() $responsestream.eadtimeout = $downloadtimeout #saves file as the name given by the backup ID $filepath = $filedir + "\" + $backupesource.id + ".bkp" $sr = New-Object System.IO.FileStream ($filepath,[system.io.filemode]::create) $responsestream.copyto($sr,$buffersize) A.1 Sample backup script 417

418 $response.close() $sr.close() if ($global:interactivemode -eq 1) { Write-Host "Backup download complete!" } } catch [Net.WebException] { $errormessage = $error[0].exception.message #Try to get more information about the error try { $erroresponse = $error[0].exception.innerexception.esponse.getesponsestream() $sr = New-Object IO.Streameader ($erroresponse) $rawerrorstream = $sr.readtoend() $error[0].exception.innerexception.esponse.close() $errorobject = $rawerrorstream convertfrom-json if (($errorobject.message.length -gt 0) -and ($errorobject.recommendedactions.length -gt 0)) { $errormessage = $errorobject.message + " " + $errorobject.recommendedactions } } catch [System.Exception] { #Use exception message } if ($global:interactivemode -eq 1) { Write-Host $errormessage } else { Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message $errormessage } return } } return $filepath function setup-request ([string]$uri,[string]$method,[string]$accept,[string]$contenttype = "",[string]$authvalue = "",[object]$body = $null,[bool]$issilent=$false, [bool]$returnlocation=$false) { try { [net.httpswebequest]$request = [net.webequest]::create($uri) $request.method = $method $request.accept = $accept $request.headers.add("accept-language: en-us") if ($contenttype -ne "") { $request.contenttype = $contenttype } if ($authvalue -ne "") { $request.headers.item("auth") = $authvalue } $request.headers.item("x-api-version") = $global:scriptapiversion if ($body -ne $null) { $requestbodystream = New-Object IO.StreamWriter $request.getequeststream() $requestbodystream.writeline($body) $requestbodystream.flush() $requestbodystream.close() } # attempt to connect to the Appliance and get a response [net.httpswebesponse]$response = $request.getesponse() if ($returnlocation) { $taskuri = $response.getesponseheader("location") $response.close() return $taskuri } else { # response stored in a stream $responsestream = $response.getesponsestream() $sr = New-Object IO.Streameader ($responsestream) #the stream, which contains a json object, is read into the storage variable $rawesponsecontent = $sr.readtoend() $response.close() return $rawesponsecontent } } catch [Net.WebException] 418 Backup and restore script examples

419 { $errormessage = $error[0].exception.message #Try to get more information about the error try { $erroresponse = $error[0].exception.innerexception.esponse.getesponsestream() $sr = New-Object IO.Streameader ($erroresponse) $rawerrorstream = $sr.readtoend() $error[0].exception.innerexception.esponse.close() $errorobject = $rawerrorstream convertfrom-json if (($errorobject.message.length -gt 0) -and ($errorobject.recommendedactions.length -gt 0)) { $errormessage = $errorobject.message + " " + $errorobject.recommendedactions } } catch [System.Exception] { #Use exception message } if ($issilent) { throw $errormessage } elseif ($global:interactivemode -eq 1) { Write-Host $errormessage } else { Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message $errormessage } #No need to rethrow since already recorded error return } } ##### Start of function calls ##### #gets the credentials from user, either manual entry or from file $savedloginjson = queryfor-credentials $args[0] if ($savedloginjson -eq $null) { #if an error occurs, it has already been logged in the queryfor-credentials function return } #extracts needed information from the credential json try { $savedloginjson = "[" + $savedloginjson + "]" $savedloginvals = $savedloginjson convertfrom-json $SecStrLoginname = $savedloginvals.username ConvertTo-SecureString -ErrorAction stop $loginname = [untime.interopservices.marshal]::ptrtostringauto([untime.interopservices.marshal]::securestringtobst($secstrloginname)) $hostname = $savedloginvals.hostname $SecStrPassword = $savedloginvals.password ConvertTo-SecureString -ErrorAction stop $password = [untime.interopservices.marshal]::ptrtostringauto([untime.interopservices.marshal]::securestringtobst($secstrpassword)) $adname = $savedloginvals.authlogindomain } catch [System.Exception] { if ($global:interactivemode -eq 1) { Write-Host "Failed to get credentials: " + $error[0].exception.message } else { Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Failed to get credentials: " + $error[0].exception.message } } #determines the active Api version $global:scriptapiversion = getapiversion $global:scriptapiversion $hostname if ($global:scriptapiversion -eq $null) { if ($global:interactivemode -eq 1) { Write-Host "Could not determine appliance Api version" } Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Could not determine appliance Api version" return } A.1 Sample backup script 419

420 #sends the login request to the machine, gets an authorized session ID if successful $authvalue = login-appliance $loginname $password $hostname $adname if ($authvalue -eq $null) { if ($global:interactivemode -eq 1) { Write-Host "Failed to receive login session ID." } Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Failed to receive login session ID." return } #sends the request to start the backup process, returns the taskesource object $taskesource = backup-appliance $authvalue.sessionid $hostname if ($taskesource -eq $null) { if ($global:interactivemode -eq 1) { Write-Host "Could not initialize backup" } Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Could not initialize backup" return } #loops to keep checking how far the backup has gone $taskesource = waitfor-completion $taskesource $authvalue.sessionid $hostname if ($taskesource -eq $null) { if ($global:interactivemode -eq 1) { Write-Host "Could not fetch backup status" } Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Could not fetch backup status" } return #gets the backup resource $backupesource = get-backupesource $taskesource $authvalue.sessionid $hostname if ($backupesource -eq $null) { if ($global:interactivemode -eq 1) { Write-Host "Could not get the Backup esource" } Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Could not get the Backup esource" } return #downloads the backup file to the local drive $filepath = download-backup $backupesource $authvalue.sessionid $hostname if ($filepath -eq $null) { if ($global:interactivemode -eq 1) { Write-Host "Could not download the backup" } Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message "Could not download the backup" } return if ($global:interactivemode -eq 1) { Write-Host "Backup can be found at $filepath" Write-Host "If you wish to automate this script in the future and re-use login settings currently entered," Write-Host "then provide the file path to the saved credentials file when running the script." Write-Host "ie: " $MyInvocation.MyCommand.Definition " filepath" } else { Write-Host "Backup completed successfully." Write-Host "The backup can be found at $filepath." } Write-EventLog -EventId 0 -LogName Application -Source backup.ps1 -Message "script completed successfully" A.2 Sample restore script As an alternative to using Settings Actions estore from backup from the appliance UI, you can write and run a script to automatically restore the appliance from a backup file. NOTE: Only a user with Infrastructure administrator privileges can restore an appliance. 420 Backup and restore script examples

421 Example 15 Sample restore.ps1 script provides a sample script that restores the appliance from a backup file or obtains progress about an ongoing restore process. Sample script If you do not pass parameters to the script, the script uploads and restores a backup file. 1. Calls query-user() to get the appliance host name, user name and password, and backup file path. 2. Calls login-appliance() to issue a EST request to get a session ID used to authorize restore EST calls. 3. Calls uploadto-appliance() to upload the backup to the appliance. 4. Calls start-restore() to start the restore. 5. Calls restore-status() to periodically check the restore status until the restore completes. If you pass the -status option to the script, the script verifies and reports the status of the last or an ongoing restore until the restore process is complete: 1. Calls recover-restoreid() to get the UI to verify the status of the last or an ongoing restore. 2. Calls restore-status() to periodically verify the restore status until the restore completes. A.2 Sample restore script 421

422 Example 15 Sample restore.ps1 script #(C) Copyright Hewlett Packard Enterprise Development LP ########################################################################################################################### # Name: restore.ps1 # Usage: {directory}\restore.ps1 or {directory}\restore.ps1 -status # Purpose: Uploads a backup file to the appliance and then restores the appliance using the backup data # Notes: To improve performance, this script uses the curl command if it is installed. The curl command # must be installed with the SSL option. # Windows PowerShell 3.0 must be installed to run the script ########################################################################################################################### # tells the computer that this is a trusted source we are connecting to (brute force, could be refined) [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true } # The scriptapiversion is the default Api version (if the appliance supports this level # or higher). This variable may be changed if the appliance is at a lower Api level. $global:scriptapiversion = 3 ##### Obtain information from user ##### function query-user () { <#.DESCIPTION Obtains information needed to run the script by prompting the user for input..inputs None, does not accept piping.outputs Outputs an object containing the obtained information..example $uservals = query-user #> Write-Host "estoring from backup is a destructive process, continue anyway?" $continue = 0 do { $earlyexit = ead-host if ($earlyexit[0] -eq 'n') { return } elseif ($earlyexit[0] -ne 'y') { Write-Host "Please respond with a y or n" } else { $continue = 1 } } while ($continue -eq 0) do { Write-Host "Enter directory backup is located in (ie: C:\users\joe\)" $backupdirectory = ead-host # Add trailing slash if needed if (!$backupdirectory.endswith("\")) { $backupdirectory = $backupdirectory + "\" } Write-Host "Enter name of backup (ie: appliance_vm1_backup_ _ bkp)" $backupfile = ead-host # Check if file exists $fullfilepath = $backupdirectory + $backupfile if (! (Test-Path $fullfilepath)) { Write-Host "Sorry the backup file $fullfilepath doesn't exist." } } while (! (Test-Path $fullfilepath)) Write-Host "Enter appliance IP address (ie: $hostname = ead-host # Correct some common errors $hostname = $hostname.trim().tolower() if (!$hostname.startswith(" { if ($hostname.startswith(" { $hostname = $hostname.eplace("http","https") } else { $hostname = " + $hostname } } 422 Backup and restore script examples

423 Write-Host "Enter username" $secusername = ead-host -AsSecureString $username = [untime.interopservices.marshal]::ptrtostringauto([untime.interopservices.marshal]::securestringtobst($secusername)) Write-Host "Enter password" $secpassword = ead-host -AsSecureString $password = [untime.interopservices.marshal]::ptrtostringauto([untime.interopservices.marshal]::securestringtobst($secpassword)) $absolutepath = $backupdirectory + $backupfile Write-Host "If using Active Directory, enter the Active Directory domain" Write-Host " (Leave this field blank if not using Active Directory.)" $ADName = ead-host $loginvals hostname = $hostname; username = $username; password = $password; backuppath = $absolutepath; backupfile = $backupfile; authlogindomain = $ADName; } } return $loginvals ##### getapiversion: Get X_API_Version ##### function getapiversion ([int32] $currentapiversion,[string]$hostname) { <#.DESCIPTION Sends a web request to the appliance to obtain the current Api version. eturns the lower of: Api version supported by the script and Api version supported by the appliance..paamete currentapiversion Api version that the script is currently using.paamete hostname The appliance address to send the request to (in format).inputs None, does not accept piping.outputs Outputs the new active Api version #>.EXAMPLE $global:scriptapiversion = getapiversion() # the particular Uri on the Appliance to reqest the Api Version $versionuri = "/rest/version" # append the Uri to the end of the IP address to obtain a full Uri $fullversionuri = $hostname + $versionuri # use setup-request to issue the EST request api version and get the response try { $applianceversionjson = setup-request -Uri $fullversionuri -method "GET" -accept "application/json" -contenttype "application/json" if ($applianceversionjson -ne $null) { $applianceversion = $applianceversionjson convertfrom-json $currentapplianceversion = $applianceversion.currentversion if ($currentapplianceversion -lt $currentapiversion) { return $currentapplianceversion } return $currentapiversion } } catch [System.Exception] { if ($global:interactivemode -eq 1) { Write-Host $error[0].exception.message } else { Write-EventLog -EventId 100 -LogName Application -Source backup.ps1 -Message $error[0].exception.message } } } ##### Send the login request to the appliance ##### function login-appliance ([string]$username,[string]$password,[string]$hostname,[string]$adname) { <#.DESCIPTION Attempts to send a web request to the appliance and obtain an authorized sessionid. A.2 Sample restore script 423

424 .PAAMETE username The username to log into the remote appliance.paamete password The correct password associated with username.paamete hostname The appliance address to send the request to (in format).paamete ADName The Active Directory name (optional).inputs None, does not accept piping.outputs Outputs the response body containing the needed session ID. #>.EXAMPLE $authtoken = login-appliance $username $password $hostname $ADName # the particular UI on the Appliance to reqest an "auth token" $loginui = "/rest/login-sessions" # append the UI to the end of the IP address to obtain a full UI $fullloginui = $hostname + $loginui # create the request body as a hash table, then convert it to json format if ($ADName) { $body username = $username; password = $password; authlogindomain = $ADName } convertto-json } else # null or empty { $body username = $username; password = $password } convertto-json } try { # create a new webrequest object and give it the header values that will be accepted by the Appliance, get response $loginequest = setup-request -Uri $fullloginui -method "POST" -accept "application/json" -contenttype "application/json" -Body $body Write-Host "Login completed successfully." } catch [System.Exception] { Write-Host $_.Exception.message Write-Host $error[0].exception return } #the output for the function, a hash table which contains a single value, "sessionid" $loginequest convertfrom-json return } ##### Upload the backup file to the appliance ##### function uploadto-appliance ([string]$filepath,[string]$authinfo,[string]$hostname,[string]$backupfile) { <#.DESCIPTION Attempts to upload a backup file to the appliance. Tries to use the curl command. The curl command has significantly better performance especially for large backups. If curl isn't installed, invokes uploadto_appliance-without-curl to upload the file..paamete filepath The absolute filepath to the backup file..paamete authinfo The authorized session ID returned by the login request.paamete hostname The appliance to connect to.paamete backupfile The name of the file to upload. Only used to tell the server what file is contained in the post request..inputs None, does not accept piping.outputs The response body to the upload post request. #>.EXAMPLE $uploadesponse = uploadto-appliance $filepath $sessionid $hostname $filename $uploaduri = "/rest/backups/archive" $fulluploaduri = $hostname + $uploaduri $curluploadcommand = "curl -s -k -X POST " Backup and restore script examples

425 "-H 'content-type: multipart/form-data' " + "-H 'accept: application/json' " + "-H 'auth: " + $authinfo + "' " + "-H 'X-API-Version: $global:scriptapiversion' " + "-F file=@" + $filepath + " " + $fulluploaduri Write-Host "Uploading backup file to appliance, this may take a few minutes..." try { $testcurlssloption = curl -V if ($testcurlssloption -match "SSL") { $rawuploadesponse = invoke-expression $curluploadcommand if ($rawuploadesponse -eq $null) { return } $uploadesponse = $rawuploadesponse convertfrom-json if ($uploadesponse.status -eq "SUCCEEDED") { Write-Host "Upload complete." return $uploadesponse } else { Write-Host $uploadesponse return } } else { Write-Host "Version of curl must support SSL to get improved upload performance." return uploadto-appliance-without-curl $filepath $authinfo $hostname $backupfile } } catch [System.Management.Automation.CommandNotFoundException] { return uploadto-appliance-without-curl $filepath $authinfo $hostname $backupfile } catch [System.Exception] { Write-Host "Not able to upload backup" Write-Host $error[0].exception return } } ##### Upload the backup file to the appliance without using the curl command ##### function uploadto-appliance-without-curl ([string]$filepath,[string]$authinfo,[string]$hostname,[string]$backupfile) { <#.DESCIPTION Attempts to upload a backup to the appliance without using curl..paamete filepath The absolute filepath to the backup file..paamete authinfo The authorized session ID returned by the login request.paamete hostname The appliance to connect to.paamete backupfile The name of the file to upload. Only used to tell the server what file is contained in the post request..inputs None, does not accept piping.outputs The response body to the upload post request. #>.EXAMPLE $uploadesponse = uploadto-appliance $filepath $sessionid $hostname $filename $uploaduri = "/rest/backups/archive" $fulluploaduri = $hostname + $uploaduri $uploadtimeout = # 12 hours $buffersize = # bytes try { [net.httpswebequest]$uploadequest = [net.webequest]::create($fulluploaduri) $uploadequest.method = "POST" $uploadequest.timeout = $uploadtimeout $uploadequest.eadwritetimeout = $uploadtimeout $uploadequest.sendchunked = 1 $uploadequest.allowwritestreambuffering = 0 A.2 Sample restore script 425

426 $uploadequest.accept = "application/json" $boundary = " bac8d687982e" $uploadequest.contenttype = "multipart/form-data; boundary= bac8d687982e" $uploadequest.headers.add("auth", $authinfo) $uploadequest.headers.add("x-api-version", $global:scriptapiversion) $fs = New-Object IO.FileStream ($filepath,[system.io.filemode]::open) $rs = $uploadequest.getequeststream() $rs.writetimeout = $uploadtimeout $disposition = "Content-Disposition: form-data; name=""file""; filename=""encryptedbackup""" $contype = "Content-Type: application/octet-stream" [byte[]]$boundarybytes = [System.Text.Encoding]::UTF8.GetBytes("--" + $boundary + "`r`n") $rs.write($boundarybytes,0,$boundarybytes.length) [byte[]]$contentdisp = [System.Text.Encoding]::UTF8.GetBytes($disposition + "`r`n") $rs.write($contentdisp,0,$contentdisp.length) [byte[]]$contenttype = [System.Text.Encoding]::UTF8.GetBytes($conType + "`r`n`r`n") $rs.write($contenttype,0,$contenttype.length) $fs.copyto($rs,$buffersize) $fs.close() [byte[]]$endboundarybytes = [System.Text.Encoding]::UTF8.GetBytes("`n`r`n--" + $boundary + "--`r`n") $rs.write($endboundarybytes,0,$endboundarybytes.length) $rs.close() } catch [System.Exception] { Write-Host "Not able to send backup" Write-Host $error[0].exception } try { [net.httpswebesponse]$response = $uploadequest.getesponse() $responsestream = $response.getesponsestream() $responsestream.eadtimeout = $uploadtimeout $streameader = New-Object IO.Streameader ($responsestream) $rawuploadesponse = $streameader.readtoend() $response.close() if ($rawuploadesponse -eq $null) { return } $uploadesponse = $rawuploadesponse convertfrom-json if ($uploadesponse.status -eq "SUCCEEDED") { Write-Host "Upload complete." return $uploadesponse } else { Write-Host $rawuploadesponse Write-Host $uploadesponse return } } catch [Net.WebException] { Write-Host $error[0] $erroresponse = $error[0].exception.innerexception.esponse.getesponsestream() $sr = New-Object IO.Streameader ($erroresponse) $frawerrorstream = $sr.readtoend() $error[0].exception.innerexception.esponse.close() $errorobject = $rawerrorstream convertfrom-json Write-Host $errorobject.errorcode $errorobject.message $errorobject.resolution return } } ##### Initiate the restore process ##### function start-restore ([string]$authinfo,[string]$hostname,[object]$uploadesponse) { <#.DESCIPTION Sends a POST request to the restore resource to initiate a restore..paamete authinfo The authorized sessionid obtained from login..paamete hostname The appliance to connect to..paamete uploadesponse The response body from the upload request. Contains the backup UI needed for restore call..inputs None, does not accept piping 426 Backup and restore script examples

427 .OUTPUTS Outputs the response body from the POST restore call..example $restoreesponse = start-restore $sessionid $hostname $uploadesponse #> # append the appropriate UI to the IP address of the Appliance $backupuri = $uploadesponse.uri $restoreuri = "/rest/restores" $fullestoreuri = $hostname + $restoreui $body type = "ESTOE"; uriofbackuptoestore = $backupuri } convertto-json # create a new webrequest and add the proper headers try { $rawestoreesponse = setup-request -uri $fullestoreuri -method "POST" -accept "application/json" -contenttype "application/json" -authvalue $authinfo -Body $body $restoreesponse = $rawestoreesponse convertfrom-json return $restoreesponse } catch [Net.WebException] { Write-Host $_.Exception.message } } ##### Check for the status of ongoing restore ##### function restore-status ([string]$authinfo = "foo",[string]$hostname,[object]$restoreesponse,[string]$recovereduri = "") { <#.DESCIPTION Uses GET requests to check the status of the restore process..paamete authinfo **to be removed once no longer a required header**.paamete hostname The appliance to connect to.paamete restoreesponse The response body from the restore initiation request..paamete recovereduri In case of a interruption in the script or connection, the Uri for status is instead obtained through this parameter..inputs None, does not accept piping.outputs None, end of script upon completion or fail..example restore-status *$authinfo* -hostname $hostname -restoreesponse $restoreesponse or #> restore-status -hostname $hostname -recovereduri $recovereduri $retrycount = 0 $retrylimit = 5 $retrymode = 0 # append the appropriate UI to the IP address of the Appliance if ($recovereduri -ne "") { $fullstatusuri = $hostname + $recovereduri write-host $fullstatusuri } else { $fullstatusuri = $hostname + $restoreesponse.uri } do { try { # create a new webrequest and add the proper headers (new header, auth is needed for authorization $rawstatusesp = setup-request -uri $fullstatusuri -method "GET" -accept "application/json" -contenttype "application/json" -authvalue $authinfo $statusesponse = $rawstatusesp convertfrom-json $trimmedpercent = ($statusesponse.percentcomplete) / 5 $progressbar = "[" + "=" * $trimmedpercent + " " * (20 - $trimmedpercent) + "]" Write-Host "`restore progress: $progressbar " $statusesponse.percentcomplete "%" -NoNewline } catch [Net.WebException] { try A.2 Sample restore script 427

428 { $erroresponse = $error[0].exception.innerexception.esponse.getesponsestream() $sr = New-Object IO.Streameader ($erroresponse) $rawerrorstream = $sr.readtoend() $error[0].exception.innerexception.esponse.close() $errorobject = $rawerrorstream convertfrom-json Write-Host $errorobject.message $errorobject.recommendedactions } catch [System.Exception] { Write-Host "`r`n" $error[1].exception } # The error may be transient; retry several times. If it still fails, return with an error. $retrycount++ $retrymode = 1 if ($retrycount -le $retrylimit) { Write-Host "In restore-status retrying GET on $fullstatusuri. sleep 5 continue retry count: $retrycount`r`n" } else { Write-Host "`r`nestore may have failed! Could not determine the status of the restore." return } } if ($statusesponse.status -eq "SUCCEEDED") { Write-Host "`r`nestore complete!" return } if ($statusesponse.status -eq "FAILED") { Write-Host "`r`nestore failed! System should now undergo a reset to factory defaults." } Start-Sleep 10 } while (($statusesponse.status -eq "IN_POGESS") -or ($retrymode -eq 1)) } return ##### ecovers Uri to the restore resource if connection lost ##### function recover-restoreid ([string]$hostname) { <#.DESCIPTION Uses GET requests to check the status of the restore process..paamete hostname The appliance to end the request to..inputs None, does not accept piping.outputs The Uri of the restore task in string form. #>.EXAMPLE $reacquireduri = recover-restoredid $hostname $iduri = "/rest/restores/" $fulliduri = $hostname + $iduri try { $rawidesp = setup-request -uri $fulliduri -method "GET" -contenttype "application/json" -accept "application/json" -authvalue "foo" $idesponse = $rawidesp convertfrom-json } catch [Net.WebException] { $_.Exception.message return } return $idesponse.members[0].uri } function setup-request ([string]$uri,[string]$method,[string]$accept,[string]$contenttype = "",[string]$authvalue="0", [object]$body = $null) { <#.DESCIPTION A function to handle the more generic web requests to avoid repeated code in every function..paamete uri The full address to send the request to (required).paamete method The type of request, namely POST and GET (required) 428 Backup and restore script examples

429 .PAAMETE accept The type of response the request accepts (required).paamete contenttype The type of the request body.paamete authvalue The session ID used to authenticate the request.paamete body The message to put in the request body.inputs None.OUTPUTS The response from the appliance, typically in Json form..example $responsebody = setup-request -uri -method "GET" -accept "application/json" #> try { [net.httpswebequest]$request = [net.webequest]::create($uri) $request.method = $method $request.accept = $accept $request.headers.add("accept-language: en-us") if ($contenttype -ne "") { $request.contenttype = $contenttype } if ($authvalue -ne "0") { $request.headers.item("auth") = $authvalue } $request.headers.add("x-api-version: $global:scriptapiversion") if ($body -ne $null) { #write-host $body $requestbodystream = New-Object IO.StreamWriter $request.getequeststream() $requestbodystream.writeline($body) $requestbodystream.flush() $requestbodystream.close() } # attempt to connect to the Appliance and get a response [net.httpswebesponse]$response = $request.getesponse() # response stored in a stream $responsestream = $response.getesponsestream() $sr = New-Object IO.Streameader ($responsestream) #the stream, which contains a json object is read into the storage variable $rawesponsecontent = $sr.readtoend() $response.close() return $rawesponsecontent } catch [Net.WebException] { try { $erroresponse = $error[0].exception.innerexception.esponse.getesponsestream() $sr = New-Object IO.Streameader ($erroresponse) $rawerrorstream = $sr.readtoend() $error[0].exception.innerexception.esponse.close() $errorobject = $rawerrorstream convertfrom-json Write-Host "errorcode returned:" $errorobject.errorcode Write-Host "when requesting a $method on $uri`r`n" Write-Host $errorobject.message ";" $errorobject.recommendedactions } catch [System.Exception] { Write-Host $error[1].exception.message } throw return } } ##### Begin main ##### #this checks to see if the user wants to just check a status of an existing restore if ($args.count -eq 2) { foreach ($item in $args) A.2 Sample restore script 429

430 { if ($item -eq "-status") { [void]$foreach.movenext() $hostname = $foreach.current # Correct some common errors in hostname $hostname = $hostname.trim().tolower() if (!$hostname.startswith(" { if ($hostname.startswith(" { $hostname = $hostname.eplace("http","https") } else { $hostname = " + $hostname } } } } else { Write-Host "Invalid arguments." return } $reacquireduri = recover-restoreid -hostname $hostname if ($reacquireduri -eq $null) { Write-Host "Error occurred when fetching active restore ID. No restore found." return } restore-status -recovereduri $reacquireduri -hostname $hostname return } elseif ($args.count -eq 0) { $loginvals = query-user if ($loginvals -eq $null) { Write-Host "Error passing user login vals from function query-host, closing program." return } #determines the active Api version $global:scriptapiversion = getapiversion $global:scriptapiversion $loginvals.hostname if ($global:scriptapiversion -eq $null) { Write-Host "Could not determine appliance Api version" return } $authinfo = login-appliance $loginvals.username $loginvals.password $loginvals.hostname $loginvals.authlogindomain if ($authinfo -eq $null) { Write-Host "Error getting authorized session from appliance, closing program." return } $uploadesponse = uploadto-appliance $loginvals.backuppath $authinfo.sessionid $loginvals.hostname $loginvals.backupfile if ($uploadesponse -eq $null) { Write-Host "Error attempting to upload, closing program." return } $restoreesponse = start-restore $authinfo.sessionid $loginvals.hostname $uploadesponse if ($restoreesponse -eq $null) { Write-Host "Error obtaining response from estore request, closing program." return } restore-status -hostname $loginvals.hostname -restoreesponse $restoreesponse -authinfo $authinfo.sessionid return } else { Write-Host "Usage: restore.ps1" Write-Host "or" Write-Host "restore.ps1 -status return } 430 Backup and restore script examples

431 B Authentication directory service This appendix provides additional information to help you correctly apply search context fields for adding an authentication directory service to the HPE OneView appliance. B.1 Microsoft Active Directory configurations B.1.1 Users and groups in same OU The following table provides the general mapping for the Search context fields in the Add Directory screen for a Microsoft Active Directory configuration in which the users and groups are organized under the same organizational unit, OU. For information on the Add Directory screen, see the online help. Field 1 Field 2 Field 3 Search context CN CN=Organizational_Unit DC=domain,DC=domain In this example, the domain is example.com, and users and groups are located under the Users container, the default organizational unit. The entries for the Search context fields that would authenticate the user named server_admin are: Field 1 Field 2 Field 3 Search context CN CN=Users DC=example,DC=com B.1.2 Users and groups in different OUs, under same parent The following table provides the general mapping for the Search context fields in the Add Directory screen for a Microsoft Active Directory configuration in which the users and groups B.1 Microsoft Active Directory configurations 431

432 are in separate OUs, but those OUs are both under another parent OU. For information on the Add Directory screen, see the online help. Field 1 Field 2 Field 3 Search context CN OU=Organizational_Unit DC=domain,DC=domain In this example, there is a parent OU named Accounts with two children, Users and Groups. The domain is example.com. The entries for the Search context fields that would authenticate a user in the Users OU are: Field 1 Field 2 Field 3 Search context CN OU=Accounts DC=example,DC=com B.1.3 Users and groups in different OUs, under different parents The following table provides the general mapping for the Search context fields in the Add Directory screen for a Microsoft Active Directory configuration in which the user and group accounts are in separate OUs (shown as OU1 and OU2). For information on the Add Directory screen, see the online help. Field 1 Field 2 Field 3 Search context CN OU=child_OU,OU=parent_OU +... DC=domain,DC=domain In this example, there are two separate OUs, User Accounts and Group Accounts in the domain example.com. 432 Authentication directory service

433 Specifying the OU takes the form: OU=child_OU,OU=parent_OU In the example, there are four different accounts that can be specified: OU=Admin Users,OU=User Accounts,DC=example.DC=com OU=Finance Users,OU=User Accounts,DC=example.DC=com OU=Admin,OU=Group Accounts,DC=example.DC=com OU=Others,OU=Group Accounts,DC=example.DC=com You can combine search contexts, up to 10, by using the + character in Field 2. This construct is known as multiple elative Distinguished Names (DNs). For this example, the entries for the Search context fields to authenticate these users and groups are: Field 1 Field 2 Field 3 Search context CN OU=Admin Users,OU=User Accounts + OU=Finance Users,OU=User Accounts + OU=Admin,OU=Group Accounts + OU=Others,OU=Group Accounts DC=example,DC=com B.1.4 Built-in groups Microsoft Active Directory features built-in groups, in which certain groups are automatically located in predefined containers. These built-in groups include: Domain Users Domain Admins Enterprise Admins The Microsoft Active Directory Domain Users group contains all users that were created in the domain. In this example, all the user accounts under Users are included in Domain Users: B.1 Microsoft Active Directory configurations 433

434 However, user accounts in the Domain Users group will not be authenticated. You must specify the organizational unit or units. For more information on built-in groups and their behavior, see the Microsoft documentation. B.2 OpenLDAP directory configuration The following table provides the general mapping for the Search context fields in the Add Directory screen for an OpenLDAP configuration in which the users and groups are organized under different organizational units, OUs. For information on the Add Directory screen, see the online help. Field 1 Field 2 Field 3 Search context CN OU=Organizational_Unit DC=domain,DC=domain In this example, user accounts are located under the People OU and groups are located under the Groups OU: 434 Authentication directory service

435 For this example, the entries for the Search context fields to authenticate users, but not groups, are: Field 1 Field 2 Field 3 Search context CN OU=People DC=example,DC=com NOTE: The Groups OU is not valid for Search context field 2. By default, all groups are only searched under the Groups OU. For OpenLDAP, groups must always be created under the Groups OU. B.3 Validate the directory server configuration For information on these requirements, see Add Directory screen details and Add Directory Server screen details in the online help. In addition, there must be valid search contexts so that the group or groups can be identified and accessed. Use the following procedure to verify a proper directory server configuration. Prerequisites Minimum required privileges: Infrastructure administrator. The server that hosts the authentication directory service must: Communicate through SSL. Agree on the SSL port for LDAP. Be accessible through a fully qualified domain name or IP address. Have an available SSL certificate, based on an SA algorithm. Validating the directory server configuration 1. Determine if there is a connection to the directory server with the ping command: ping directory_server_host_name 2. Verify that the public key for the directory server certificate is based on an SA algorithm. If the directory server is actually a number of DNS servers that are running as a round robin DNS server, each server has a unique certificate. Use the nslookup to list the servers and choose one. B.3 Validate the directory server configuration 435

436 Connect to a server using the openssl s_client command. Specify the host name and port. Copy the server certificate to the Certificate field of the Add Directory Server screen. Verify that the certificate specifies the public key as SA (n bits). The default option for Microsoft Active Directory is SA 2048 bits. 3. Ensure that the certificate s timestamp is older than the appliance time. This can be a concern if the appliance and the directory are synchronized to different time servers or if they are running in different time zones. 4. Validate the search contexts by running ldapsearch command from the appliance console. Search context CN CN=Users DC=example,DC=com Username: server_admin For this example, the ldapsearch command, using TLS/SSL, would resemble the following: LDAPTLS_CACET=location_of_certificate ldapsearch -LLL Z -H ldaps://host_name:port -b "base-dn" -D "bind-dn" W [cn/uid/ssamaccountname/userprincipalname] For this example, ldapsearch, not using TLS/SSL, would resemble the following: ldapsearch -LLL -H ldap://ip_address:389 -b "cn=users,dc=example,dc=com" -D "cn=server_admin,cn=users,dc=example,dc=com" W CN B.4 LDAP schema object classes The following illustrates groups, by directory type, created with object classes. Such LDAP groups need to be added to HPE OneView and assigned roles. See the online help for information on assigning roles. Active Directory Under Active Directory, a group can be created with any of these LDAP schema object classes: groupofnames groups groupofuniquenames View group members by examining the properties of the group name as in this example: 436 Authentication directory service

437 OpenLDAP Under OpenLDAP, a group can be created with either of these LDAP Schema object classes: groupofuniquenames groupofnames A group created with the objectclass as groupofuniquenames has its members under uniquemember as in this example. A group created with the objectclass as groupofnames or groups has its members under member as shown here. B.4 LDAP schema object classes 437

438 438 Authentication directory service

439 C Smart Update Tools installation with HPE Insight Control server provisioning See the Smart Update Tools User Guide at for installation instructions.smart Update Tools (SUT) can be installed along with HPE Insight Control server provisioning on ProLiant servers. SUT is installed in Auto Deploy mode. In Auto Stage mode, SUT stages the components on the host server in a temporary location. After SUT is installed, any further action requires the OS administrator to run commands from the command line. To change the deploy mode for SUT to On Demand, Manual or scripted mode, which allows you to control all requests as command-line arguments on the server, see the Smart Update Tools User Guide at To perform scaled deployments across all servers in your data center, see the Smart Update Tools User Guide at NOTE: When you set SUT to run in automatic mode, SUT runs in the background on the host server. HPE OneView and SUT communicate via the HPE ilo EST interface. The firmware install state displayed in HPE OneView is always kept up to date. 439

440 440

441 D Maintenance console About the Maintenance console (page 441) Access the Maintenance console (page 443) Log in to the Maintenance console (page 445) About the Maintenance console password (page 445) About the factory reset operation (page 446) Maintenance console main menu screen details (page 447) Maintenance console Details screen details (page 447) Maintenance console appliance states (page 449) View the appliance details (page 450) eset the Maintenance console password (page 450) eset the administrator password with the Maintenance console (page 451) estart the Synergy Composer using the Maintenance console (page 452) Shut down the Synergy Composer using the Maintenance console (page 452) Create a support dump file from the Maintenance console (page 453) Perform a factory reset using the Maintenance console (page 454) Configure appliance networking from the Maintenance console (page 454) ecovering an HPE Synergy Composer (page 455) Activate the Synergy Composer manually when it is not highly available (page 455) D.1 About the Maintenance console The Maintenance console, shown in Figure 23 (page 442), provides a limited set of administrative commands for an appliance. The Maintenance console is an important tool for troubleshooting appliance issues when HPE OneView is not available. The Maintenance console is always available from the front panel console or from an SSH session if maintenance IPs are configured. For information on accessing the Maintenance console, see Access the Maintenance console. D.1 About the Maintenance console 441

442 Figure 23 Example of the Maintenance console main menu In the upper left of most Maintenance console screens, the local appliance is identified by its location (enclosure identifier and appliance bay number) or its host name. The Maintenance console displays an icon and a message about the state of the appliance, which can indicate one of following actions is occurring: Normal operation Appliance is offline Appliance is being updated Appliance is synchronizing with the other appliance in the cluster Appliance is starting up, shutting down, restarting, or temporarily unavailable Appliance is being restored from a backup file Appliance is being reset to factory default settings Commands The body of the main menu contains commands that can be used: To view the appliance details. To restart the local appliance. To shut down the appliance. To activate an offline appliance. To reset the administrator password. To perform a factory reset of the appliance. To launch a service console, which an authorized support representative can use to diagnose or repair a problem. 442 Maintenance console

443 To create a support dump or to download an existing support dump to a USB storage device (connected to the appliance USB port). To log out of the Maintenance console. Be sure to log out before removing a console (monitor, keyboard, and mouse). Otherwise, you might be leaving the Maintenance console ready to perform a command like Shutdown the next time a console is attached and the Enter key is pressed. NOTE: The commands displayed by the Maintenance console depend on the current state of the appliance and how the Maintenance console was accessed. Navigation Use the tab and arrow keys to navigate within the Maintenance console screen. Commands are displayed with corresponding hot keys. These keys are shown within brackets in Figure 23 (page 442). Pressing a hot key selects the command. You can use the Enter key to invoke a selection. That is, after you make a selection, pressing Enter runs the command. See also Access the Maintenance console Log in to the Maintenance console View the appliance details estart the appliance using the Maintenance console Shut down the appliance using the Maintenance console eset the administrator password with the Maintenance console Perform a factory reset of the appliance using the Maintenance console D.2 Access the Maintenance console Access the Maintenance console through the appliance console or through an SSH connection. NOTE: Use the credentials for the local Infrastructure administrator credentials when prompted. You can reset the administrator password from the Maintenance console. Access the Maintenance console from an SSH connection NOTE: Hewlett Packard Enterprise recommends the use of these tools for accessing the Maintenance console through an SSH connection: PuTTY MTPuTTY Accessing the Maintenance console using SSH 1. Invoke one of the recommended tools on your local computer. 2. Access the appliance by specifying its fully qualified domain name or its IP address. 3. Enter the user name maintenance at the login prompt. 4. Log into the Maintenance console. D.2 Access the Maintenance console 443

444 Accessing the Maintenance console from an HPE Synergy Frame Link Module 1. Connect a keyboard, video, and mouse using the monitor port and USB ports located: On the front panel of the frame (illustration on left) On a HPE Synergy Frame Link Module at the rear of the frame (illustration on right) On connection, the HPE Synergy Frame Link Module GUI is displayed. 2. Click the monitor icon located at the top right of the screen. 3. Choose either of the HPE Synergy Composers from the Appliances submenu. A blank text window opens. 4. Press Enter. 5. Enter the user name maintenance at the login prompt. 6. See Log into the Maintenance console. Accessing the Maintenance console through a notebook or laptop Prerequisites You have physical access to the frame You have configured the notebook computer Ethernet port for DHCP and enabled auto-negotiation A CAT5 cable 1. Connect the CAT5 cable to the Ethernet port on the notebook computer. 2. Connect the CAT5 cable to the notebook port on the front of the frame, on the front panel module (see illustration) 444 Maintenance console