HPE Integrity Superdome X and Superdome 2 Onboard Administrator Guide for Users


Abstract
This document describes the Onboard Administrator for the HPE Integrity Superdome X and Superdome 2 enclosures.

Part Number:
Published: April 2017
Edition: 16


© 2010, 2017 Hewlett Packard Enterprise Development LP

Notices
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or copying. Consistent with FAR and , Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise website.

Acknowledgments
Intel, Itanium, Pentium, Intel Inside, and the Intel Inside logo are trademarks of Intel Corporation in the United States and other countries. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Adobe and Acrobat are trademarks of Adobe Systems Incorporated. Java and Oracle are registered trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group.

Revision History
HPE Part Number | Edition | Publication Date | Changes
AH A | First | August 2010 |
AH A_ed 2 | Second | November 2010 |
AH A_ed 3 | Third | December 2010 |
AH B | Fourth | April 2011 |
AH C | Fifth | August 2011 |
AH D | Sixth | December 2011 |
AH E | Seventh | December 2012 |
AH F | Eighth | May 2013 |
AH G | Ninth | November 2013 |
AH H | Tenth | July |
 | Eleventh | December |
 | Twelfth | March 2015 |
 | Thirteenth | September |
 | Fourteenth | July |
 | Fifteenth | September |
 | Sixteenth | April 2017 | Corrected trap ID in Onboard Administrator SNMP traps. Added Superdome X support for Google Chrome 38 browser in Access requirements. Revised Thermal Status description in GPSM Status tab.

Introduction

This guide describes the Onboard Administrator used to support HPE Integrity Superdome X and HP Superdome 2 systems. These systems include different features and hardware, so not everything in this guide applies to both systems. Refer to the service guide for your system for more information. Images and examples in this guide might depict only one type of system. Not all Superdome 2 images or examples have Superdome X equivalents in this guide.

Overview

The Integrity Superdome X and Superdome 2 compute enclosure Onboard Administrator (OA) is the complex management processor, subsystem, and firmware base used to support HPE Integrity Superdome X and Superdome 2 complexes and all the managed devices contained within the complex. The OA provides a single point from which to perform basic management tasks for the following complex devices:
- Compute enclosures
- IOXs (Superdome 2)
- Server blades
- I/O interconnects

The OA performs configuration steps for the complex, enables run-time management and configuration of the complex components, and informs you of problems within the complex through email, SNMP, WSMAN, or the Insight Display.

Hewlett Packard Enterprise recommends that you read the service guide for your system for specific information before proceeding with the OA setup.

This user guide provides information on the following topics:
- Initial setup and operation of the OA
- Use of the OA GUI
- Use of the compute enclosure Insight Display
- Initial setup and operation of the Superdome 2 Door Status Display

The HPE Integrity Superdome X and Superdome 2 Onboard Administrator Command Line Interface Guide covers the use of the CLI.

The OA provides several features designed to simplify management of enclosures, blades, and interconnects. Compute enclosures within a complex can be configured with redundant OA modules to provide uninterrupted manageability of the entire complex in the event of a failure of a single OA module.

The following table lists which OA features are enhanced when an enclosure contains redundant OA modules. For an enclosure with only a single OA module, the table indicates the behavior of the enclosure if the single OA module has failed or is removed.

Table 1: Benefits of using a redundant Onboard Administrator versus a single Onboard Administrator

OA feature: Power allocation and control of all blades and interconnects.
  Single OA in enclosure: Yes. Complete control.
  Single OA failed or removed: No. Power supplies continue to deliver power to all blades and interconnects. No power on requests can be made for blades or interconnects.
  Redundant OA in enclosure: Yes. Complete control, including sustaining a failure of either OA.

OA feature: Cooling for all blades and interconnects.
  Single OA in enclosure: Yes. Complete control.
  Single OA failed or removed: No. All enclosure fans will ramp to an unmanaged higher speed to protect blades and interconnects from overheating.
  Redundant OA in enclosure: Yes. Complete control, including sustaining a failure of either OA.

OA feature: EBIPA.
  Single OA in enclosure: Yes. Complete control.
  Single OA failed or removed: No. EBIPA IP addresses are lost after lease timeout.
  Redundant OA in enclosure: Yes. Complete control, including sustaining a failure of either OA.

OA feature: Ethernet communications to OA, server iLO, interconnect management processors such as Virtual Connect, which use the OA/iLO management port.
  Single OA in enclosure: Yes. Complete control.
  Single OA failed or removed: No. Ethernet management communications are not available, including internal management traffic such as Virtual Connect Manager to other VC modules in the enclosure.
  Redundant OA in enclosure: Yes. Complete control, including sustaining a failure of either OA.

OA feature: Information and health status reporting for all blades, interconnects, fans, power supplies, OAs, and enclosure through the OA GUI or CLI, AlertMail, or SNMP.
  Single OA in enclosure: Yes. Complete control.
  Single OA failed or removed: No. Additionally, no information is available from the OA, and no out-of-band information is available from VCM or iLO on any server.
  Redundant OA in enclosure: Yes. Complete control, including sustaining a failure of either OA.

OA feature: Insight Display.
  Single OA in enclosure: Yes. Complete control.
  Single OA failed or removed: No.
  Redundant OA in enclosure: Yes. Complete control, including sustaining a failure of either OA.

OA feature: Enclosure DVD.
  Single OA in enclosure: Yes. Complete control.
  Single OA failed or removed: No.
  Redundant OA in enclosure: Yes. Complete control, including sustaining a failure of either OA.

Access requirements

To access the OA web interface, you require the OA IP address and a compatible web browser. You must access the application through HTTPS (HTTP packets exchanged over an SSL-encrypted session).

The OA web interface requires an XSLT-enabled browser with support for JavaScript 1.3 or the equivalent. The following browsers are officially supported for use with OA:
- Microsoft Internet Explorer 7 or later
- Mozilla Firefox 3.6 or later
- Google Chrome 38 or later (Superdome X)

NOTE: Other browsers can be used but are not supported. For a list of browsers supported by OA, see the latest version of the OA Release Notes.

Before running the web browser, you must enable the following browser settings:
- ActiveX (for Microsoft Internet Explorer)
- Cookies
- JavaScript

If you receive a notice that your browser does not have the required functionality, be sure that your browser settings meet the preceding requirements. If you use an installed language pack with the OA GUI and the browser does not display all characters correctly, make sure the operating system has the corresponding language support installed.

To access the OA CLI, use the OA IP address and a terminal or terminal application. To access the CLI interface, you must use Telnet or Secure Shell depending on which of these protocols are enabled.

To access the CLI management and notification features, the ports listed in the following table must be open on any router between OA and any computers used to access or monitor OA.

Protocol | Incoming port | Outgoing port
Secure Shell | 22 |
Telnet | 23 |
SMTP | | 25
Browser access | |
Browser access encrypted | |
SNMP get/set | 161 |
SNMP traps | | 162
LDAP | | 636
Terminal services pass-through from PC to OA | 3389 |
Virtual media from PC to OA | |
Remote syslog | | 514

LDAP and Remote syslog port number can be changed. If a protocol is disabled, the corresponding ports are also disabled.

CAUTION: To ensure that the OA GUI continues to work after December 31, 2016, after upgrading from firmware version or earlier to version or later, the OA SHA-1 self-signed certificate will be removed and replaced with SHA256 self-signed certificate. To prevent security warnings, the customer is encouraged to re-generate the self-signed certificate with the common name (CN) matching exactly the OA hostname as known by the web browser. For more information, see Certificate Administration on page 116.

Onboard Administrator overview

NOTE: The Monarch OA is the Active OA in enclosure 1. It provides complex-wide administrative functions, such as partition management, event logs, and error diagnostics. IOX enclosure devices are managed through the Monarch OA. Many OA settings must be managed on the Monarch OA and are automatically copied to the other OAs in the complex, such as user accounts and settings, power options, and feature enablement. Some settings are managed locally on each OA, such as the IP configuration and OA certificates.

Detecting component insertion and removal

OA provides component control in compute enclosures. Component management begins after the component is detected and identified. The OA detects components in enclosures through presence signals on each bay. When you insert a component into a bay, or connect an IOX, the OA immediately recognizes and identifies the component. When you remove a component from a bay, the OA deletes the information about that component.

In Superdome 2 systems, an IOX will be marked Failed if it is disconnected while the system is active. The Monarch OA must be rebooted to remove an IOX from the complex.
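The port table under Access requirements can be turned into a check of the firewall policy that sits between the OA and its administrators. The following is an added example, not part of the HPE guide: the rule format, addresses, and function names are constructed for illustration, only ports that carry a number in the table are used, and the inbound/outbound split is an assumption wherever the flattened table does not show it.

```python
import ipaddress

# Ports from the guide's table, relative to the OA (direction is an assumption
# where the table layout was lost).
INBOUND = {22: "Secure Shell", 23: "Telnet", 161: "SNMP get/set",
           3389: "Terminal services pass-through"}
OUTBOUND = {25: "SMTP", 162: "SNMP traps", 636: "LDAP", 514: "Remote syslog"}
CLEARTEXT = {23}  # Telnet carries credentials unencrypted


def first_match(rules, src, dst, port):
    """Action of the first rule matching the flow; default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, rule_port in rules:
        if (s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and rule_port in (None, port)):
            return action
    return "deny"


def audit(rules, oa, mgmt_net, sources, targets):
    """Return findings as (kind, protocol, port, peer) tuples.

    cleartext: an unencrypted management protocol is permitted to the OA
    exposed:   an OA service is reachable from outside the management network
    blocked:   an outbound service the OA is configured to use is not permitted
    """
    mgmt = ipaddress.ip_network(mgmt_net)
    findings = []
    for port, name in INBOUND.items():
        for label, src in sources.items():
            if first_match(rules, src, oa, port) != "allow":
                continue
            if port in CLEARTEXT:
                findings.append(("cleartext", name, port, label))
            if ipaddress.ip_address(src) not in mgmt:
                findings.append(("exposed", name, port, label))
    for port, dst in targets.items():
        if first_match(rules, oa, dst, port) != "allow":
            findings.append(("blocked", OUTBOUND[port], port, dst))
    return findings


# Constructed sample data: one OA, a management subnet, two sample clients,
# and the servers the OA is configured to talk to.
OA = "10.0.10.5"
MGMT_NET = "10.0.10.0/24"
SOURCES = {"admin-ws": "10.0.10.20", "user-lan": "192.168.50.7"}
TARGETS = {636: "10.0.20.10", 25: "10.0.20.25", 162: "10.0.20.40",
           514: "10.0.20.30"}
RULES = [  # (action, source network, destination network, port or None=any)
    ("allow", "10.0.10.0/24", "10.0.10.5/32", 22),
    ("allow", "0.0.0.0/0", "10.0.10.5/32", 23),   # Telnet open to everyone
    ("allow", "10.0.10.0/24", "10.0.10.5/32", 161),
    ("allow", "10.0.10.5/32", "10.0.20.10/32", 636),
    ("allow", "10.0.10.5/32", "10.0.20.25/32", 25),
    ("allow", "10.0.10.5/32", "10.0.20.40/32", 162),
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    for finding in audit(RULES, OA, MGMT_NET, SOURCES, TARGETS):
        print(finding)
```

On the sample policy the audit reports Telnet as permitted (and reachable from the user LAN) and remote syslog as blocked, which would silently drop the OA's log forwarding.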
Identifying components

To identify a component, OA reads an FRU EEPROM that contains specific factory information about the component such as product name, part number, and serial number. All FRU EEPROMs in enclosures are powered on, even if the component is powered off. Therefore, OA can identify the component before granting power. For devices such as fans, power supplies, and Insight Display, OA directly reads the FRU EEPROMs.

The server blades contain several FRU EEPROMs: one on the server board, which contains server information and embedded NIC information, and one on each installed mezzanine option card. Server blade control options also include extensive blade hardware information including:
- Blade and partition firmware versions
- Blade name
- NIC and option card port IDs
- Port mapping

OA provides easy-to-understand port mapping information for each server blade and interconnect module in each enclosure.

The NIC and mezzanine option FRU data informs OA of the type of interconnects each server requires. Before power is provided to a server blade, OA compares this information with the FRU EEPROMs on installed interconnect modules to check for electronic keying errors. For interconnect modules, OA provides virtual power control, dedicated serial consoles, and management Ethernet connections.

While OA is identifying components, the progress appears as steps on the Insight Display. Discovery might take several minutes, and the number of installed mezzanine cards on each server increases the time taken as each card is identified and verified.

Managing power and cooling

The most important OA tasks are power control and thermal management. OA can remotely control the power state of all components in compute enclosures. For components in device bays on the front of each enclosure, OA communicates with iLO to control blades, and with a microcontroller to control options. A separate microcontroller controls power to the interconnect modules.

After the components are powered on, the OA begins thermal management with Thermal Logic. The Thermal Logic feature minimizes power consumption by the enclosure fan subsystem by reading temperature sensors across the entire enclosure. Then, Thermal Logic changes the fan speed in the various zones in the enclosure to minimize power consumption and maximize cooling efficiency.

Controlling components

OA uses embedded management interfaces to provide detailed information and health status of all bays in the enclosure including presence detection signals in each bay, I2C, serial, USB, and Ethernet controllers. OA also offers information on firmware versions for most components in the enclosure and can be used to update those components.
Managing partitions

The OA also enables users to define and manage partitions in a complex. An nPartition comprises one or more server blades working as a single system. I/O bays in IOX enclosures are assigned to nPartitions, and any I/O component of a server blade, including NICs and mezzanine cards, is assigned to the nPartition containing the server blade. In the complex, each nPartition has its own dedicated portion of the complex hardware which can run a single instance of an operating system. Each nPartition can boot, reboot, and operate independently of any other nPartitions and hardware within the same complex.

An nPartition includes all hardware assigned to the nPartition: all IOX I/O bays, I/O devices, and server blades. A complex can contain one or more nPartitions, enabling the hardware to function as a single system or as multiple systems.

NOTE: For more information about partition creation and management for HPE Integrity Superdome 2, see the HPE Superdome 2 Partitioning Administrator Guide. For more information about partition management for HPE Integrity Superdome X, see the HPE Integrity Superdome X Service.

Interfaces

Each compute enclosure has several external management interfaces that connect the user to OA. The primary external management interface is the management port for OA, which is an RJ-45 jack providing Ethernet communications not only to OA, but also to every device or interconnect bay with a management processor. A serial port on the OA module provides full out-of-band CLI access to the OA.

All enclosures support two enclosure link connectors that provide private communications among enclosures linked with CAT5 cable. In addition, the enclosure link-up connector provides an enclosure service port that enables you to temporarily connect a personal laptop computer to any linked enclosure OA for local diagnostics and debugging.

NOTE: For complexes that have the Superdome 2 Door Status Display, the enclosure service port is routed through the rack-mounted E-Switch.

Each compute enclosure includes an embedded Insight Display on the front of the enclosure, which provides status and information on all the bays in a compute enclosure and diagnostic information if the OA detects a problem in the enclosure. The Insight Display configures key settings in the OA, including the IP address of the OA.

Onboard Administrator user interfaces

The following user interfaces to the OA enable control and provide information about the enclosure and installed components:
- Web interface GUI
- Scriptable CLI
- Insight Display

Remote network access to the OA GUI and CLI is available through the management Ethernet port. The serial port of the OA is available for local CLI access. The compute enclosure link-up port is also available as the service port for temporary local Ethernet access to the OA and devices in linked enclosures using either the GUI or CLI. See Connecting to the OA with a local PC for information about using the OA link-up or serial ports.
NOTE: For complexes that have the Superdome 2 Door Status Display, the enclosure service port is routed through the rack-mounted E-Switch.

Access the Insight Display directly through the buttons on the display, or remotely through the OA GUI.

Onboard Administrator authentication

Security is maintained for all OA user interfaces through user authentication. User accounts created in the OA define three user privilege levels and the component bays to which each level is granted access. OA stores the passwords for Local User accounts and can be configured to use LDAP authentication for user group accounts. The Insight Display can be protected against unauthorized access by an LCD PIN code or completely disabled.

NOTE: User accounts are managed on the Monarch OA.

Role-based user accounts

OA provides configurable user accounts that can provide complete isolation of multiple administrative roles such as server, LAN, and SAN. User accounts are configured with specific device bay or interconnect bay permissions and one of the three privilege levels:
- Administrator
- Operator
- User

OA requires the user to log in to the web GUI or CLI with an account and password. The account can be a local account where the password is stored on OA, or an LDAP account. The OA contacts the defined LDAP server to verify the user credentials. Two-factor Authentication enables even tighter security for the user management session to OA.

An account with administrator privileges, including OA bay permissions, can create or edit all user accounts on an enclosure. Operator privileges allow full information access and control of permitted bays. User privileges allow information access, but no control capability. For detailed information about OA account privileges, see the HPE Integrity Superdome X and Superdome 2 Onboard Administrator Command Line Interface User Guide.

The default Administrator account from the Monarch OA is synchronized to the other OAs in the complex. Use the default credentials from the Monarch OA to access all OAs.

Rather than requiring separate logins to multiple resources (once to each enclosure or once to every server management processor or both), OA enables single-point access. Thus, the administrator can use single sign-on to log in to a single OA and use the web GUI to graphically view and manage the components in the entire complex. For example, an IT administrator can automatically propagate management commands, such as changing the enclosure power mode, throughout the complex.

NOTE: The single sign-on requires that all the enclosure active OAs have the same password.
Running Onboard Administrator for the first time

Setting up an enclosure using the OA is simplified by using the Insight Display setup process, followed by the use of the OA GUI First Time Setup Wizard or OA CLI to complete the reset of the enclosure settings.

The OA modules and many interconnect modules default to DHCP for the management IP address. If the user has DHCP and connects the OA management port to the DHCP server, then the OA modules and interconnect modules supporting and configured to use the OA internal management network automatically get DHCP addresses from the user DHCP server.

If you do not have a DHCP server for assigning IP addresses to management processors, then you must configure each OA with a static IP address using the Insight Display, then log in to the OA GUI and use the First Time Setup Wizard or log in to the OA CLI and configure and enable EBIPA for device bays and interconnect bays. Enabling EBIPA for a bay enables that server or interconnect module to be replaced and the new module automatically gets the previously configured IP address for that bay. See Enclosure Bay IP Addressing for more information on EBIPA.

The initial credentials to log on to a new OA module are printed on a label on each module. The user is Administrator and the password is unique to each module. This password must be captured by the installer and communicated to the remote Administrator for the first remote logon to the OA GUI or OA CLI.

The enclosure settings can be configured manually or uploaded from a configuration script or file. The web GUI offers a First Time Setup Wizard. The CLI can be accessed from the OA serial port, Ethernet management port, service port, or by using the enclosure KVM - OA CLI button.
An alternative to manual configuration is to upload an enclosure configuration file to the active OA using either the GUI or CLI with an HTTP, FTP or TFTP network location for the configuration file, or use the GUI, CLI or Insight Display to upload a configuration file from a USB key drive plugged into the enclosure DVD USB port.

To create an enclosure configuration file, Hewlett Packard Enterprise recommends using the GUI, CLI, or Insight Display USB Menu to save the existing configuration to a file. The saved configuration file is a set of CLI text commands for each configuration item. The OA does not save user passwords when it saves a configuration file. The user can edit the configuration file and insert the password commands for each user account or use the Administrator local account to individually update all user passwords after restoring a previously saved enclosure configuration file.

If the enclosure contains redundant OA modules, the remaining OA updates the new OA with all the settings.

Logging on to the Onboard Administrator GUI

If the Login Banner feature is enabled, you will be prompted to read and accept the conditions presented before being able to log in. Once the terms are accepted, the main login page appears.

NOTE: Not all images or examples in this guide have been updated for Integrity Superdome X.

Enter the user name and initial administration password for your OA account found on the tag attached to the OA.

Possible issues that might occur when logging in include:
- The information has been entered incorrectly. Passwords are case-sensitive.
- The account information entered has not been set up for OA.
- The user name entered has been deleted, disabled, or locked out.
- The password for the account must be changed.
- Attempting to log on from an IP address that is not valid for the specified account.
- The password for the Administrator account has been forgotten or lost. To reset the Administrator password, see Recovering the administrator password on page 18.

If you continue to have problems signing in, contact your administrator.
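Because a saved configuration file is plain CLI text and passwords only appear in it when someone inserts them by hand, a file that is about to be placed on an HTTP, FTP or TFTP location is worth scanning first. The following is an added example, not part of the HPE guide: the two password-bearing command shapes and the sample script are assumptions constructed for illustration, and the function names are hypothetical.

```python
import re

PLACEHOLDER = "<REDACTED>"

# Assumed command shapes (not taken from the guide): the account name and the
# password follow the command as two quoted arguments on one line.
PASSWORD_CMD = re.compile(
    r'^(?P<head>[ \t]*(?:SET[ \t]+USER[ \t]+PASSWORD|ADD[ \t]+USER)[ \t]+'
    r'"(?P<user>[^"\n]*)"[ \t]+)"(?P<pw>[^"\n]*)"',
    re.IGNORECASE | re.MULTILINE,
)

# Network locations the guide lists for configuration files; none encrypts
# the transfer.
CLEARTEXT_SCHEMES = ("http://", "ftp://", "tftp://")


def scan_script(text):
    """Return (line number, account) for each line that embeds a password."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PASSWORD_CMD.match(line)
        if m and m.group("pw") != PLACEHOLDER:
            hits.append((lineno, m.group("user")))
    return hits


def redact(text):
    """Replace embedded passwords so the file can be archived or shared."""
    return PASSWORD_CMD.sub(
        lambda m: m.group("head") + '"' + PLACEHOLDER + '"', text)


def review(text, url):
    """Flag a script that carries passwords over an unencrypted location."""
    hits = scan_script(text)
    cleartext = url.lower().startswith(CLEARTEXT_SCHEMES)
    return {"passwords": hits,
            "cleartext_transfer": cleartext,
            "ok": not (hits and cleartext)}


# Constructed sample script; command names and values are illustrative only.
SAMPLE = "\n".join([
    'SET RACK NAME "Rack-A"',
    'ADD USER "opsuser"',
    'SET USER PASSWORD "opsuser" "Example-Pass-1"',
    'ADD USER "sanadmin" "Example-Pass-2"',
    'SET USER ACCESS "sanadmin" OPERATOR',
])

if __name__ == "__main__":
    print(review(SAMPLE, "tftp://10.0.10.9/oa.cfg"))
    print(redact(SAMPLE))
```

A redacted copy restores every setting except the passwords, which matches the guide's alternative of resetting each password from the Administrator local account after the restore.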

Running the setup wizard

To run the setup wizard, log on to OA. The First Time Setup Wizard starts automatically when you log on to OA for the first time. This wizard assists you in setting up the functions of the OA. You can access the setup wizard at any time after initial setup by clicking the Wizards link on the top left of the center screen. For more information, see First Time Setup Wizard on page 41.

Using online help

To access online help, click the blue box with the white question mark located at the top right of the screen under the header bar. Online help displays information related to the section of OA that you are navigating.

Changing enclosure and device configurations

After completing the First Time Setup Wizard, return to the OA GUI to make configuration changes at any time. See Configuring compute enclosures and enclosure devices on page 90 for information that helps you make changes to enclosure and device configuration, user setup, and LDAP server settings and LDAP groups. See Enclosure power management on page 149 for information on enclosure power settings.

Recovering the administrator password

If the administrator password has been lost, you can reset the administrator password to the factory default that shipped on the tag with the OA module. The OA resets a lost password to Lost Password mode. To recover the password and reset the administrator password to the factory default:

IMPORTANT: The password is recovered from the Monarch OA.

Procedure
1. Connect a computer to the serial port of the active OA using a null-modem cable.
2. With a null-modem cable (9600 N, 8, 1, VT100, locally connect to the OA), open HyperTerminal (in Microsoft Windows) or a suitable terminal window (in Linux).
3. Connect to the active OA.
4. Press the OA Reset button for 5 seconds.
5. Press L to boot the system in the Lost Password mode. The password appears as the system reboots.

Insight Display

NOTE: Images in this section might not reflect HPE Integrity Superdome X displays.

Insight Display overview

The Insight Display enables the rack technician to initially configure the enclosure. It also provides information about the health and operation of the enclosure. The color of the Insight Display varies with the condition of the enclosure health.

- Blue: The Insight Display illuminates blue when the enclosure UID is active. The enclosure UID automatically turns on when the enclosure is powered up for the first time, and can be turned on by selecting Turn Enclosure UID On from the Main Menu or by pressing the enclosure UID button on the management interposer. When the enclosure UID is on, the Insight Display flashes after two minutes of inactivity. Pressing any button on the Insight Display stops the blinking and reactivates the screen.
- Green: The Insight Display illuminates green when no error or alert conditions exist, and the enclosure is operating normally. After two minutes of inactivity, the Insight Display light turns off. Pressing any button on the Insight Display reactivates the screen.
- Amber: The Insight Display illuminates amber when the OA detects an error or alert condition. The screen displays the details of the condition. After two minutes of inactivity, the Insight Display flashes amber indicating that an error or alert condition exists. If the enclosure UID is on and an error or alert condition exists, the Insight Display illuminates blue as the enclosure UID takes priority over the alert. Pressing any button on the Insight Display reactivates the screen.
- Dark (no power): The Insight Display has a two-minute inactivity period. If no action is taken and no alert condition exists, then the screen light turns off after two minutes. Pressing any button on the Insight Display reactivates the screen.

The Enclosure Health icon is located at the bottom-left corner of every screen, indicating the condition of the enclosure health.

Navigate the cursor to the Enclosure Health icon and press OK to access the Health Summary screen from any Insight Display screen.

Navigating the Insight Display

Navigate the menus and selections by using the arrow buttons on the Insight Display panel. The first menu displayed is the Main Menu.

The Main Menu of the Insight Display has the following menu options:

- Health Summary
- Enclosure Settings
- Enclosure Info
- Blade or Port Info
- Turn Enclosure UID on/off
- View User Note
- Chat Mode

If the active OA detects a USB key drive with any *.ROM, *.CFG or *.ISO files, a USB menu item appears at the bottom of the Main Menu. If the active OA detects KVM capability, a KVM menu button appears on the navigation bar of the Main Menu. Selecting KVM Menu causes the Insight Display to go blank and activate the VGA connection of the OA.

A USB key drive with the appropriate files and KVM capability is present in the Main Menu.

TIP: Within any menu option, navigate the cursor to What is This, and press the OK button to view additional information about each setting, option, or alert.

The navigation bar contains options to do the following:

- Navigate forward and backward through alert screens
- Return to the main menu
- Accept changes to current settings
- Cancel changes to current settings
- Access the Health Summary screen from any screen by selecting the Health Summary icon on the navigation bar

Health Summary screen

The Health Summary screen displays the current status of the enclosure. The Health Summary screen can be accessed by the following methods:

- Selecting Health Summary from the Main Menu
- Selecting the Health Summary icon from any Insight Display screen

When an error or alert condition is detected, the Health Summary screen displays the total number of error conditions and the error locations. Select Next Alert from the navigation bar, and then press the OK button to view each individual error condition. The Insight Display displays each error condition in the order of severity. Critical alerts display first (if any exist), followed by caution alerts.

When the enclosure is operating normally, the Health Summary screen displays green. The bright green rectangles are components that are installed and are on. A light green rectangle represents a component that is installed, but powered off with no errors.

When the enclosure is operating normally, the Health Summary screen displays green. The bright green rectangles are components that are installed and on. A dark green rectangle represents a component that is installed, but powered off with no errors. A black rectangle represents an empty bay.

NOTE: A black DVD rectangle indicates that no DVD is connected to the OA, while a dark gray rectangle indicates that the DVD drive is present, but that no media is present. A dark green rectangle indicates that media is present, but not actively connected to any server, or that all connected servers have issued a disk eject command, so the disk can be removed from the drive. A bright green rectangle indicates that the media is present in the drive and actively connected to at least one server in the enclosure, and the drive tray is locked.

If an error occurs, the Health Summary screen background changes from green to amber and the error is highlighted with yellow rectangles for caution and red rectangles for failures. Overall enclosure health icons at the bottom-left corner of the Insight Display screens indicate the overall enclosure health. To display the errors, select View Alert, and then press the OK button. To view the details of the error, select Details.
Enclosure Settings screen

The Enclosure Settings screen displays the following setting information about the enclosure:

- Power Mode settings
- Power Limit settings
- Dynamic Power settings
- Active and Standby OA IP addresses
- Enclosure Name
- Rack Name
- DVD Drive
- Insight Display PIN#

NOTE: The DVD Drive setting can attach or detach a CD or DVD loaded in the DVD drive to any or all partitions in the enclosure. This feature can be used to install an OS or software on the partitions.

TIP: Set a PIN to protect the enclosure settings from changes.

Navigate the cursor to a setting or to ?, and press OK to change the setting or get help on that setting.

Enclosure Info screen

The Enclosure Info screen displays information about the enclosure, including the following:

- Active OA IP address
- Active OA Service IP address
- Current health status of the enclosure
- Current enclosure ambient temperature
- Current AC input power to the enclosure
- Enclosure number
- Enclosure name
- Enclosure serial number (Integrity Superdome X)
- Rack name

Blade and Port Info screen

The Blade and Port Info screen displays information about a specific server blade. On the first screen, select the server blade number, and then press the OK button. Select Blade Info or Port Info, and press the OK button.

To view information about the server blade, select Blade Info and press the OK button.

NOTE: The screen below does not depict the fully loaded blade supported for this release.

To view the ports used by a specific server blade, select Port Info and press the OK button.

The following screen shows a server blade with four embedded NICs. The other interconnect bays are empty. The four embedded NICs are connected to particular port numbers on the interconnect modules.

Turn Enclosure UID On/Off screen

The Main Menu displays Turn Enclosure UID Off when the enclosure UID is active, and displays Turn Enclosure UID On when the enclosure UID is off.

Selecting Turn Enclosure UID On from the main menu turns on the rear enclosure UID LED and changes the color of the Insight Display screen to blue.

Selecting Turn Enclosure UID Off from the main menu turns off the rear enclosure UID LED and changes the color of the Insight Display screen to the current alert condition.

View User Note screen

The View User Note screen displays six lines of text, each containing a maximum of 16 characters. Use this screen to display helpful information such as contact phone numbers. Change this screen using the remote OA user web interface. Both the background bitmap and the text can be changed.

Chat Mode screen

The Chat Mode screen is used by the remote administrator who uses the web interface to send a message to an enclosure Insight Display. The technician uses the Insight Display buttons to select from a set of prepared responses, or dials in a custom response message on the ? line. To send a response back to the Administrator, navigate the cursor to Send, then press the OK button.

The Chat Mode screen has top priority in the Insight Display and remains on the screen until you select Send. The technician can leave this chat screen temporarily and use the other Insight Display screens, then return to the Chat Mode screen from the Main Menu to send a response. After the response, the Chat Mode screen is cleared. Both the A and ? responses then appear to the remote Administrator on the LCD Chat web interface.

Insight Display errors

The enclosure installation is successful when all errors are corrected. The errors in the following sections are specific to installation and initial configuration of the enclosure. The following types of errors can occur when installing and configuring the enclosure:

- Power errors
- Cooling errors
- Location errors
- Configuration errors
- Device failure errors

When the enclosure UID LED is off, the Insight Display is illuminated amber when any error condition exists. The navigation bar displays the following selections when an error condition exists:

- Health summary icon: Displays the Health Summary screen
- Fix This: Suggests corrective action to clear the current error
- Next Alert: Displays the next alert, or if none exist, displays the Health Summary screen
- Previous Alert: Displays the previous alert

Power errors

Power errors can occur because of insufficient power to bring up an enclosure. Power errors can occur on server blades or interconnect modules. To correct a power error, do the following:

Procedure
1. Use the arrow buttons to navigate to Fix This, and then press OK.
2. Review and complete the corrective action suggested by the Insight Display. Use the OA tools for additional troubleshooting.

Cooling errors

Cooling errors occur when fans are missing from the enclosure, or when the existing fans are not installed in an effective configuration. Cooling errors can occur on server blades, interconnect modules, XFMs, and OAs.

To correct a cooling error, do the following:

Procedure
1. Use the arrow buttons to navigate to Fix This, and then press OK.
2. Review and complete the corrective action suggested by the Insight Display. In most cases, you must either add fans to the enclosure, correct the fan configuration, or remove the indicated components.

Location errors

Location (installation) errors occur when the component is not installed in the appropriate bay. Location errors can occur on server blades, power supplies, and fans. Integrity Superdome X systems are configured such that these errors should not occur unless the components have been moved. To correct a location error, do the following:

Procedure
1. Use the arrow buttons to navigate to Fix This, and then press OK.
2. Review and complete the corrective action suggested by the Insight Display. Remove the indicated component, and then install it into the correct bay. The Insight Display will indicate the correct bay number.

Configuration errors

Configuration errors can occur if the interconnect modules are installed in the wrong bays or if mezzanine cards are installed in the wrong connectors in the server blade. Configuration errors can occur on server blades and interconnect modules. Integrity Superdome X systems are configured such that these errors should not occur unless the components have been moved. To correct a configuration error, do the following:

Procedure
1. Use the arrow buttons to navigate to Fix This, and then press OK.
2. Review and complete the corrective action suggested by the Insight Display. Depending on the error received, do one of the following:
   - Remove the indicated interconnect module and then install it into the correct bay (the Insight Display indicates the correct bay).
   - Remove the server blade to correct the mezzanine card installation (the Insight Display will indicate the correct bay). For information on installing the mezzanine card, see the server-specific user guide on the Documentation CD.

Device failure errors

Device failure errors occur when a component has failed. Device failure errors can occur on all components, including the following:

- Server blades
- Power supplies
- Interconnect modules
- OA modules
- Fans
- ac power inputs

To correct a device failure error, do the following:

Procedure
1. Use the arrow buttons to navigate to Fix This, and then press OK.
2. Review and complete the corrective action suggested by the Insight Display. In most cases, you must remove the failed component to clear the error.
3. Replace the failed component with a spare, if applicable.

NOTE: If the device failure error is an ac power input failure error, you must have the failed ac input repaired to clear the error.

Superdome 2 Door Status Display

Superdome 2 SD2-16s and SD2-32s complexes that are factory integrated ship with the Superdome 2 Door Status Display. The Door Display is a quick method of getting basic complex status information by using the integrated touch screen on the rack door.

NOTE: Superdome 2 SD2-8s and Integrity Superdome X complexes do not support the Door Display.

The Door Display screen and LED backlighting display the overall status of the complex by the following scheme:

- Solid blue: The Door Display screen and LED backlight glow solid blue when the complex is operating under normal conditions.
- Flashing blue: The Door Display screen and LED backlight flash blue when the enclosure UID of any compute enclosure in the rack is turned on.
- Flashing amber: The Door Display and LED backlight flash amber if any compute enclosure in the rack has an error or alert condition. If an enclosure UID is on and an error or alert condition exists, the Door Display and LED backlight flash blue as the enclosure UID takes priority over the alert.
- Dark (no power): The Door Display screen turns off after one hour of displaying a screen saver. Touch the Door Display screen to return to the last menu displayed. The LED backlight remains glowing to reflect the current complex status.

NOTE: You can only disable the Door Display screen by using the Door Display menu. You cannot disable the screen remotely.

After one hour of inactivity, the Door Display screen displays a screen saver. Touch the Door Display screen to return to the last menu that was onscreen.

Before running Door Display setup

Before running the Door Display setup, you must create OA accounts. The Door Display uses the OA accounts to access complex information and enables you to set the enclosure UID for compute enclosures in the rack.

Setting up the Door Display

When the complex is first powered on, a brief animation on the Door Display screen is displayed, and then the startup menu appears.

NOTE: The startup menu will take several seconds to appear while the Door Display starts up.

The startup menu has the following options:

- Disable Display: A screen saver immediately appears for one hour, and then the Door Display shuts off.
- Setup: Select this option to begin the Door Display setup.

Complex configuration

1. Select the current complex configuration in the rack.
2. Press Next.

IMPORTANT: This menu selection does not set the complex configuration on the OA. To correctly set up the Door Display, you must select the current complex configuration present in the rack.

Status display preferences

- Temperature Scale: Select between displaying enclosure temperatures in °C or °F.
- Display IP Address: Select to enable or disable the display of the IP addresses of the active OA and the complex service port.

NOTE: The OA IP address does not appear until the setup process is complete.

Press Next to continue.

Two 16s complex setup

If the complex configuration is two 16s complexes in a cabinet, unlike the other multi-enclosure configurations, each enclosure is a self-contained complex and each will require its own login and password information.

If you selected Two 16s as the complex configuration, then you are prompted to select which complex displays status information on the Door Display screen.

- Lower Complex: The Door Display screen displays status information for only the lower SD2-16s complex in the rack.
- Upper Complex: The Door Display screen displays status information for only the upper SD2-16s complex in the rack.
- Both Complexes: The Door Display screen displays status information for both SD2-16s complexes in the rack.

Press Next.

NOTE: If you select Both Complexes, you are prompted to enter two user names and passwords at the next menu.

Complex login

You must enter an OA account user name and password to enable the Door Display to log in to the complex and display complex status information.

IMPORTANT: If you enter an OA Administrator or OA Operator-level user name, all complex information appears and the Door Display screen can be used to set the enclosure UID. If you enter an OA User-level user name, all complex information appears, but the Door Display screen cannot be used to set the enclosure UID.

Press Login to complete setup or Cancel to quit Door Display setup.

Door Display status menu

The Door Display status menu displays the following information:

- Complex name: The user-specified name of the complex.
- Complex health: The current health status of the complex. If there is an enclosure in the complex that currently has fault conditions, the enclosure will be highlighted amber and indicated with a fault symbol.
- Active (OA) IP address: The IP address of the active OA.
- Service IP address: The IP address of the complex service port.
- Enclosure power: The current power consumption of the enclosures in the complex in kW.
- Enclosure temperature: The current temperature of the enclosures in the complex in °C or °F.
- Enclosure UID: If an enclosure in the complex has the enclosure UID enabled, then the enclosure will be indicated with a UID symbol.

The Door Display status menu has the following menu buttons:

- Display Settings: Display the Display Settings menu.
- UID: Display the UID control overlay.

If the rack contains two SD2-16s complexes, then the Door Display status menu displays the following buttons:

- Upper Complex: Displays the status of the upper complex in the rack.
- Lower Complex: Displays the status of the lower complex in the rack.
- Logon: If the OA logon information is not specified for an enclosure in the rack, select this option to enter the OA logon information.

UID control

To change the UID of enclosures in the rack, push the On/Off toggle button for the enclosures. Press Confirm to turn the enclosure UIDs on or off and return to the Door Display status menu. To return to the Door Display status menu without making any changes, press Cancel.

Display Settings menu

IMPORTANT: Accessing the Display Settings screen requires a valid Door Display login even if no settings are changed. If you cancel out of the Display Settings without entering the correct login information, the Door Display will continue to show the "Login and Setup Info is required" message.

The Display Settings menu has the following options:

- Door Display Setup: Runs the initial setup of the Door Display.
- Disable Display: Erases all settings. A screen saver immediately appears for one hour, and then the Door Display shuts off.
  IMPORTANT: If you select this option, you must re-enter all setting information, such as user names and passwords, before you can use the Door Display.
- Calibrate Screen: Enters calibration mode for the touch screen.

  IMPORTANT: Hewlett Packard Enterprise recommends using a stylus or the back of a pencil to calibrate the screen. Using a finger is not precise enough to properly calibrate the screen. Do not use metal objects to calibrate the screen. Using a metal object might damage the LCD touch screen.
- Firmware Update: Use this option to update the Door Display firmware. The current status of the Door Display firmware is displayed on the menu button. The firmware status is one of the following:
  - Setup required first: The initial Door Display setup has not been completed and the Door Display is unable to access firmware status.
  - Up-to-date: The current Door Display firmware matches the current revision available on the OA. No firmware update is required. If necessary, the Door Display firmware can be reloaded using the Firmware Update menu.
  - Update Available: A newer firmware revision is available for the Door Display.
  - No Update Available: The OA does not have firmware available for the Door Display. This occurs if the OA web server is disabled.
  NOTE: The Door Display firmware must be updated through the Door Display menu.
- Reboot Display: Restarts the Door Display module only.
  IMPORTANT: You must reboot the Door Display after the OA reboots. The Door Display does not function until you reboot the Door Display after the OA reboots.

Press Exit Display Settings to return to the Door Display status menu.

Firmware Update menu

NOTE: This menu is used to update the firmware of the Door Display only.

The Firmware Update menu is available if the firmware status is displayed as Up-to-date or Update Available on the Firmware Update menu option. Choose one of the following options:

- To begin the firmware update process, press Start.
- To return to the Display Settings menu without updating the firmware, press Exit Firmware Update.

NOTE: If the versions of the current Door Display firmware and the firmware available on the OA match, you are prompted to reload the firmware or cancel.

When the firmware update is complete, you are prompted to reboot the Door Display to complete the firmware update.

- To reboot the Door Display only, press Reboot. After the Door Display reboots, you are prompted to calibrate the LCD touch screen.
- If you do not want to reboot the Door Display, press Not Now. The firmware update is not complete until the Door Display is rebooted.

First Time Setup Wizard

NOTE: The First Time Setup Wizard is used only to configure compute enclosures and OA network settings. The First Time Setup Wizard does not enable you to set up and configure partitions. For more information about partition creation and management for HPE Integrity Superdome 2, see the HPE Superdome 2 Partitioning Administrator Guide. For more information about partition management for HPE Integrity Superdome X, see the HPE Integrity Superdome X Service Guide.

Before you begin

Before running the First Time Setup Wizard, complete the following tasks:

Procedure
1. Install the OA modules.
2. Connect the OA modules to the network.
3. Complete the Insight Display installation wizard. You must at least configure the active OA IP address.
4. Run the Insight Display installation.

Logging on to Onboard Administrator

For information on logging on to the OA, see Logging on to the Onboard Administrator GUI.

The first time you log on, the OA automatically runs the First Time Setup Wizard. To navigate the setup wizard, click the Next button to save your changes and go to the next step. Click the Skip button if you want to leave the step without saving the changes. You can return to previous wizard steps by selecting them in the left tree view. You can also run the wizard again at any time by selecting it from the Wizards menu.

Enclosure Selection screen

The Enclosure Selection screen displays all discovered enclosures and, by default, selects the active enclosure (the enclosure you are signed in to). The check box beside each enclosure enables you to select or clear that enclosure. Selecting the check box beside All Enclosures toggles the check box for all enclosures.

Click the Refresh Topology button to update the rack topology information. When you select Refresh Topology, the Enclosure Selection screen switches to the Linked Mode and all linked enclosures appear.

If more than one enclosure is listed on the Enclosure Selection screen, select the enclosure you want to set up, and then click the Next button. For possible values and descriptions of each box, see Enclosure Status on page 91.

Configuration Management screen

The Configuration Management screen enables you to set up the selected enclosures using a configuration file saved from a previous setup. You can run scripts for multiple OAs before leaving the current screen.

To set up selected enclosures using a configuration file, select one of the following options on the Configuration Management screen:

- Local file: Browse for the configuration file, or enter the path of the script file into the text box. The maximum number of characters in the file path is 256. Click Upload after entering the script file path.
- URL: Enter a path to the configuration file if it is located on a web server. The maximum number of characters in the file path is 256. Click Upload after entering the URL.

A window opens and displays the results. If more than one enclosure is selected during the enclosure selection, select the enclosure to which to upload or apply the configuration file from the drop-down list that appears. If multiple enclosures were selected, then repeat this process for each additional enclosure. You cannot select more than one enclosure at a time for configuration management.

Rack and Enclosure Settings screen

This screen enables you to assign time settings and a common name to your rack and to assign unique names and asset tags to your enclosures.

Box: Rack Name
Possible value: 1 to 32 characters including all alphanumeric characters, the dash (-), and the underscore (_)
Description: The name of the rack in which the enclosure is installed

Box: Date
Possible value: yyyy-mm-dd, where mm is an integer from 1 to 12 and dd is an integer from 1 to 31
Description: The current date assigned to the enclosure

Box: Time
Possible value: hh:mm:ss (24-hour time), where hh is an integer from 0 to 23, mm is an integer from 0 to 59, and ss is an integer from 0 to 59
Description: The current time assigned to the enclosure

Box: Primary NTP Server
Possible value: ###.###.###.### where ### ranges from 0 to 255
Description: IP address of primary NTP server that provides date and time information or the DNS name of the NTP server

Box: Secondary NTP Server
Possible value: ###.###.###.### where ### ranges from 0 to 255
Description: IP address of secondary NTP server that provides date and time information or the DNS name of the NTP server

Box: Time Zone
Possible value: Time zone settings: Universal time zone settings, Africa time zone settings, Americas time zone settings, Asia time zone settings, Oceanic time zone settings, Europe time zone settings, Polar time zone settings
Description: The time zone assigned to the enclosure

Box: Enclosure Name
Possible value: 1 to 32 characters including all alphanumeric characters, the dash (-), and the underscore (_)
Description: The name of the selected enclosure

Box: Asset Tag
Possible value: 0 to 32 characters including all alphanumeric characters, the dash (-), and the underscore (_)
Description: The asset tag is used for inventory control. The default asset tag is blank.

See the HP Superdome 2 User Service Guide or HPE Integrity Superdome X Service Guide for Users for your system at for more information on connecting enclosures.

Administrator Account Setup screen

The Administrator Account Setup screen initially displays the name of the active enclosure and its current settings. If multiple enclosures are selected on the Enclosure Selection screen, a button is activated that enables you to expose separate inputs for each selected OA.

Box: Password
Possible value: 3 to 8 characters including all printable characters
Description: The password for the Administrator account

Box: Password Confirm
Possible value: 3 to 8 characters including all printable characters
Description: Must match the Password value

Box: Full Name
Possible value: 0 to 20 characters including all alphanumeric characters, the dash (-), the underscore (_), and the space
Description: The full name of the user

Box: Contact
Possible value: 0 to 20 characters including all alphanumeric characters, the dash (-), the underscore (_), and the space
Description: Contact information for the user account. The contact information can be the name of an individual, a telephone number, or other useful information.

Box: PIN Code
Possible value: 1 to 6 characters from the character sets 0 to 9, a to z, and A to Z
Description: The PIN code for the enclosure Insight Display

Box: PIN Code Confirm
Possible value: 1 to 6 characters from the character sets 0 to 9, a to z, and A to Z
Description: Must match the Insight Display PIN value

Local User Accounts screen

The Local User Accounts screen displays the user accounts assigned to the Active OA and provides choices for adding, editing, and deleting accounts.

- New: Click the New button to add a new user to the selected enclosure. A maximum of 30 user accounts can be added, including the reserved accounts. The Add Local User screen appears.
- Edit: Select a user (only one can be selected) by selecting the check box next to the name of the user. Click the Edit button to change the settings on the Edit Local User screen, and then click Update User to save the information.
- Delete: Select a user or users to be deleted by selecting the check box next to the name of the user. Click the Delete button to delete the accounts. If an attempt is made to delete the last Administrator account, you will receive an alert warning that at least one Administrator account must exist and the delete action is canceled.

User Settings screen

The User Settings screen displays configurable user information.

Procedure
1. Enter user information in the User Information and User Permissions sections.
2. Click Add User to save the information.
3. To return to the Local User Accounts screen, click Previous.
4. For each user added, select the appropriate boxes to grant access to servers and interconnect bays.

For possible values and descriptions of each box, see Managing users on page 171.

Enclosure Bay IP Addressing screen

The OA EBIPA feature is intended to help you provision a fixed IP address to a particular bay in an enclosure. The components plugged into the bays are set for DHCP, and interconnect modules are configured to use the internal management port to OA. If the component is configured for a static IP address, an EBIPA assignment to that bay has no effect.

NOTE: If you use DHCP servers on your management network, then do not use EBIPA for management IP address assignments. For Integrity Superdome X systems, if you use fixed IP addresses for management processors, use EBIPA to assign IP addresses to the monarch iLO. Do not configure iLO to use static IP addresses directly.

NOTE: The Superdome 2 iLO does not support hponcfg.

NOTE: All IP addresses are supported, with the exception of address ranges x.y and x.y, which are reserved for internal management network. In addition, all the IP addresses must be within the same subnet defined by netmask and IP address so that all OAs as well as all iLOs fit into that subnet.

If the server blade is configured for static IP address, then it carries the same address even if the blade is moved to another enclosure.

If the server blades are set for DHCP and the OA is configured for EBIPA addressing for that bay, then iLO will obtain an EBIPA-configured IP address when it is plugged into that enclosure.

If your network has an external DHCP service or if you want to manually assign static IP addresses one by one to the server blades and interconnect modules, then to bypass this step, click the Skip button.

EBIPA Settings screen
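The subnet rule in the NOTE above can be checked before any addresses are entered. The following is an added example, not part of the guide or of the OA firmware: it tests a planned set of fixed bay addresses against the OA addresses, the netmask, and a list of reserved ranges. The function name, the sample addresses, and the reserved range are constructed for illustration; supply the reserved ranges listed in the guide for your system.

```python
import ipaddress


def check_ebipa_plan(oa_ips, netmask, bay_ips, reserved_ranges=()):
    """Validate a planned set of fixed management addresses (IPv4).

    oa_ips          -- addresses of the active (and standby) OA
    netmask         -- netmask of the management subnet, e.g. "255.255.255.0"
    bay_ips         -- {bay number: planned fixed address}
    reserved_ranges -- CIDR blocks reserved for the internal management network

    Returns a list of problem strings; an empty list means the plan passes.
    """
    if not oa_ips:
        raise ValueError("at least one OA address is required")
    # The subnet is the one defined by the netmask and the first OA address.
    subnet = ipaddress.ip_network(f"{oa_ips[0]}/{netmask}", strict=False)
    reserved = [ipaddress.ip_network(r) for r in reserved_ranges]

    entries = [(f"OA {n}", ip) for n, ip in enumerate(oa_ips, start=1)]
    entries += [(f"bay {bay}", ip) for bay, ip in sorted(bay_ips.items())]

    problems = []
    owner = {}  # address -> label of the first entry that claimed it
    for label, text in entries:
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            problems.append(f"{label}: {text!r} is not an IP address")
            continue
        if addr not in subnet:
            problems.append(f"{label}: {addr} is outside {subnet}")
        elif subnet.prefixlen < 31 and addr in (
            subnet.network_address,
            subnet.broadcast_address,
        ):
            problems.append(f"{label}: {addr} is the network or broadcast address")
        for block in reserved:
            if addr in block:
                problems.append(f"{label}: {addr} is inside reserved range {block}")
        if addr in owner:
            problems.append(f"{label}: {addr} is already used by {owner[addr]}")
        else:
            owner[addr] = label
    return problems


# Constructed sample plan (documentation address ranges, not real systems).
OA_IPS = ["192.0.2.10", "192.0.2.11"]
NETMASK = "255.255.255.0"
RESERVED = ["192.0.2.128/28"]  # placeholder for the guide's reserved ranges
BAY_IPS = {
    1: "192.0.2.21",
    2: "192.0.2.22",
    3: "192.0.2.22",     # duplicate of bay 2
    4: "198.51.100.5",   # different subnet
    5: "192.0.2.255",    # broadcast address
    6: "192.0.2.130",    # inside the placeholder reserved range
}

if __name__ == "__main__":
    for problem in check_ebipa_plan(OA_IPS, NETMASK, BAY_IPS, RESERVED):
        print(problem)
```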

For information on how to set up EBIPA, see Enclosure Bay IP Addressing on page 103.

Directory Groups screen

LDAP is an open protocol for accessing information directories. While LDAP is based on the X.500 standard, it is significantly simpler. LDAP supports TCP/IP, which enables applications to work independently of the server hosting the directory.

Use the Directory Group screen to set directory access for the currently selected enclosures.

On this screen, you can configure directory groups. For possible values and descriptions of each box, see Directory Groups on page 181.

Directory Settings screen

Use the Directory Settings screen to set directory access for the currently selected enclosures.

Using the Directory Settings screen, you can configure the following settings:

- Enable LDAP Authentication: Enables a directory server to authenticate a user login.
- Enable Local Users: Enables a user to log on using a local user account instead of a directory account.
- Search Context: Specify one to six search contexts. A search context is a search filter or shortcut to a common directory location; it makes the search for directory users start at the specified path. By specifying a search context, users do not have to specify their full DNs at login. A DN might be long, and users might not be familiar with their DN or might have accounts in different directory contexts. The OA attempts to contact the directory service by DN and then applies the search contexts in order, beginning with Search Context 1 and continuing through any subsequent search contexts until successful. Search context is also applicable to LDAP directory groups, which is useful when LDAP nested groups are configured. When specifying the search context for an LDAP directory group, the exact context is not required.
- Use NT Account Name Mapping (DOMAIN\username): Enables NT name mapping so that you can enter the NT domain and user name.
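The lookup order described for search contexts, modelled as an added example (not HPE code and not part of the guide): it checks a list of contexts against the one-to-six count and the limits given for the Search Context boxes in this section, then tries the login as typed followed by one DN per context, in order. The CN=<login>,<context> form, the function names, and the sample directory are assumptions constructed for illustration.

```python
MAX_CONTEXTS = 6        # the guide allows one to six search contexts
MAX_CONTEXT_LEN = 127   # limit listed for each Search Context box


def validate_search_contexts(contexts):
    """Return a list of problems with the configured search contexts."""
    errors = []
    if not 1 <= len(contexts) <= MAX_CONTEXTS:
        errors.append(
            f"expected 1 to {MAX_CONTEXTS} search contexts, got {len(contexts)}"
        )
    for n, ctx in enumerate(contexts, start=1):
        if not ctx.strip():
            errors.append(f"Search Context {n}: empty")
        if '"' in ctx:
            errors.append(f"Search Context {n}: contains a quote character")
        if len(ctx) > MAX_CONTEXT_LEN:
            errors.append(
                f"Search Context {n}: {len(ctx)} characters, limit is {MAX_CONTEXT_LEN}"
            )
    return errors


def escape_rdn_value(value):
    """Escape a login name for use as an attribute value in a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;='
        edge = (i == 0 and ch in "# ") or (i == last and ch == " ")
        out.append("\\" + ch if special or edge else ch)
    return "".join(out)


def candidate_dns(login, contexts):
    """Names to try, in order: the login as typed, then one DN per context.

    Assumption: a short name is combined with a context as CN=<login>,<context>.
    """
    return [login] + [f"CN={escape_rdn_value(login)},{ctx}" for ctx in contexts]


def resolve_login(login, password, contexts, bind):
    """Try each candidate until bind(dn, password) succeeds.

    Returns (dn or None, list of names tried). Every name before the
    successful one is a failed bind that the directory server sees.
    """
    tried = []
    for dn in candidate_dns(login, contexts):
        tried.append(dn)
        if bind(dn, password):
            return dn, tried
    return None, tried


# Constructed sample data: two contexts that both contain a "jsmith" entry.
CONTEXTS = ["OU=Admins,DC=example,DC=com", "OU=Operators,DC=example,DC=com"]
DIRECTORY = {
    "CN=jsmith,OU=Admins,DC=example,DC=com": "pw-admin",
    "CN=jsmith,OU=Operators,DC=example,DC=com": "pw-oper",
    "CN=akumar,OU=Operators,DC=example,DC=com": "pw-akumar",
}


def fake_bind(dn, password):
    """Stand-in for an LDAP bind against the constructed directory."""
    return DIRECTORY.get(dn) == password


if __name__ == "__main__":
    print(validate_search_contexts(CONTEXTS))
    print(resolve_login("jsmith", "pw-oper", CONTEXTS, fake_bind))
```

In this model the short name jsmith is always tried against Search Context 1 first, so the order of the contexts decides which same-named account is attempted first and how many failed binds precede a success.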

| Box | Possible value | Description |
|---|---|---|
| Directory Server Address | ###.###.###.### where ### ranges from 0 to 255, or DNS name of the directory server, or the name of the domain | The IP address or the DNS name or the name of the domain of the directory service. This field is required. |
| Directory Server SSL Port | 0 to | The port used for LDAP communications. The default port is port 636. This field is required. |
| Search Context 1 | All characters except " (quotes), not to exceed 127 characters | First searchable path used to locate the user when the user is trying to authenticate using directory services. This path is also used to search for nesting LDAP group. |
| Search Context 2 | All characters except " (quotes), not to exceed 127 characters | Second searchable path used to locate the user when the user is trying to authenticate using directory services. This path is also used to search for nesting LDAP group. |
| Search Context 3 | All characters except " (quotes), not to exceed 127 characters | Third searchable path used to locate the user when the user is trying to authenticate using directory services. This path is also used to search for nesting LDAP group. |
| Search Context 4 | All characters except " (quotes), not to exceed 127 characters | Fourth searchable path used to locate the user when the user is trying to authenticate using directory services. This path is also used to search for nesting LDAP group. |
| Search Context 5 | All characters except " (quotes), not to exceed 127 characters | Fifth searchable path used to locate the user when the user is trying to authenticate using directory services. This path is also used to search for nesting LDAP group. |
| Search Context 6 | All characters except " (quotes), not to exceed 127 characters | Sixth searchable path used to locate the user when the user is trying to authenticate using directory services. This path is also used to search for nesting LDAP group. |
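The search-context behavior described above, as an added example that is not part of the guide or of the OA firmware: it checks a set of contexts against the limits in the table and shows which name is tried first when the same short login exists under two contexts. The way a context is applied (prefixing "CN=<login>,"), the sample contexts and the directory entries are assumptions constructed for illustration.

```python
# Added example: how a short login name is expanded with the configured
# search contexts, and why their order matters.
# Assumption (not stated in the guide): a context is applied by prefixing
# "CN=<login>," to it. DIRECTORY is constructed sample data; membership in it
# stands in for "the directory accepted this name".

MAX_CONTEXTS = 6        # "Specify one to six search contexts"
MAX_CONTEXT_LEN = 127   # "not to exceed 127 characters"

SEARCH_CONTEXTS = [     # constructed values
    "OU=Admins,DC=example,DC=com",
    "OU=Operators,DC=example,DC=com",
]
DIRECTORY = {           # constructed entries, stored lower-case
    "cn=jsmith,ou=admins,dc=example,dc=com",
    "cn=jsmith,ou=operators,dc=example,dc=com",
    "cn=akhan,ou=operators,dc=example,dc=com",
}


def validate_search_contexts(contexts):
    """Check the limits from the Directory Settings table; return problems found."""
    problems = []
    if not 1 <= len(contexts) <= MAX_CONTEXTS:
        problems.append(f"expected 1 to {MAX_CONTEXTS} search contexts, got {len(contexts)}")
    for number, context in enumerate(contexts, start=1):
        if '"' in context:
            problems.append(f"Search Context {number}: quote character not allowed")
        if len(context) > MAX_CONTEXT_LEN:
            problems.append(f"Search Context {number}: exceeds {MAX_CONTEXT_LEN} characters")
    return problems


def escape_rdn_value(value):
    """Escape a login name for use inside a DN (RFC 4514 special characters)."""
    out = []
    last = len(value) - 1
    for index, char in enumerate(value):
        if char in '",+;<>\\':
            out.append("\\" + char)
        elif char == "\x00":
            out.append("\\00")
        elif (index == 0 and char in "# ") or (index == last and char == " "):
            out.append("\\" + char)
        else:
            out.append(char)
    return "".join(out)


def candidate_names(login, contexts):
    """Names tried in order: the login as typed, then one per search context."""
    names = [(0, login)]
    for number, context in enumerate(contexts, start=1):
        names.append((number, f"CN={escape_rdn_value(login)},{context}"))
    return names


def resolve(login, contexts, directory):
    """Return (context_number, name) for the first name found, or None.

    context_number 0 means the login matched as typed (a full DN).
    """
    for number, name in candidate_names(login, contexts):
        if name.lower() in directory:
            return number, name
    return None


if __name__ == "__main__":
    print(validate_search_contexts(SEARCH_CONTEXTS))
    for login in ("jsmith", "akhan", "cn=akhan,ou=operators,dc=example,dc=com", "nobody"):
        print(login, "->", resolve(login, SEARCH_CONTEXTS, DIRECTORY))
```

Because the contexts are applied in order, a short name that exists under more than one context is matched under the lowest-numbered one, so the ordering of Search Context 1 through 6 is worth reviewing whenever accounts with the same name exist in different directory locations.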
Onboard Administrator Network Settings screen

Use the Onboard Administrator Network Settings screen to modify network settings for all the OA modules in the selected enclosures. Settings for Standby OA modules appear only if the modules are present. Options for DHCP and static IP are supported.

Changing network settings on the OA that you are signed in to might disconnect you from the OA. If this happens, you will have to sign in to the OA again.

To continue, click Next. If you do not want to change network settings, click Skip.

Network settings

The OA allows the network configuration to be based either on dynamically assigned IP addresses obtained from a DHCP server or on static IP addresses that you specify manually. You choose the basis for network configuration by selecting the appropriate radio button. If you choose DHCP, you can enable Dynamic DNS.

- Use DHCP for all Active Onboard Administrators: Obtains the IP address for the OA from a DHCP server. The Standby checkbox is shown only if there is a Standby OA in the enclosure.
- Enable Dynamic DNS: Enables using the same host name for the OA over time, although the dynamically assigned IP address might change. The host name is registered with a DNS server. DDNS updates the DNS server with new or changed records for IP addresses.
- Use static IP settings for each Active Onboard Administrators: Manually set up static IP settings for the OA. The Standby checkbox is shown only if there is a Standby OA in the enclosure.

For possible values and descriptions of each box, see Network Access on page

SNMP Settings screen

Use the SNMP Settings screen to configure or modify the SNMP settings for the active OA. For possible values and descriptions of each box, see SNMP Settings on page 106.

Power Management screen

IMPORTANT: In a complex with one or more failed power supplies, it is possible for attempts to power on servers to fail if the resulting power allocation would result in the Power Redundancy Status becoming Failed. The administrator must explicitly reduce the redundancy setting to enable powering on servers prior to the failed power supplies being serviced. This applies to AC Redundant and Power Supply Redundant power modes.

IMPORTANT: If redundancy mode is set to Redundant, AC Redundant, or Power Supply Redundant, and power redundancy is lost, then you must either add additional power supplies or change the redundancy mode setting in the OA to restore Power Subsystem status. One upper and one lower power supply must always be installed and operational. For corrective steps, see the Insight Display.

The enclosure power management system enables you to customize the configuration of the enclosure. You can select from the various modes on the OA Power Management screen. The power modes are explained in the following table.

| Mode | Insight Display name | Description |
|---|---|---|
| Redundant | Redundant | For DC power supplies only. In this configuration, N upper and N lower power supplies are used to provide power and N upper and N lower power supplies are used to provide redundancy (where N can equal 1, 2, or 3). Up to three upper and three lower power supplies can fail without causing the enclosure to fail. When correctly wired with redundant DC line feeds, this configuration also ensures that a DC line feed failure does not cause the enclosure to power off. |
| AC Redundant | AC Redundant | For AC power supplies only. In this configuration, N upper and N lower power supplies are used to provide power and N upper and N lower power supplies are used to provide redundancy (where N can equal 1, 2, or 3). Up to three upper and three lower power supplies can fail without causing the enclosure to fail. When correctly wired with redundant AC line feeds, this configuration also ensures that an AC line feed failure does not cause the enclosure to power off. |
| Power Supply Redundant | Power Supply | Up to six upper and six lower power supplies can be installed with one upper and one lower power supply always reserved to provide redundancy. In the event of a single upper or lower power supply failure, the redundant power supply in the same section (upper or lower) takes over the load. A line feed failure of more than one power supply in a section causes the system to power off. |
| Not Redundant | None | There is no power redundancy and no power redundancy warnings are given. If all power supplies are needed to supply Present Power, then any power supply or line failure can cause the enclosure to power off. |
| Dynamic Power | Dynamic Power | If enabled, Dynamic Power automatically places unused power supplies in standby mode to increase enclosure power supply efficiency, thereby minimizing enclosure power consumption during lower power demand. Increased power demands automatically return standby power supplies to full performance. This mode is not supported for low voltage on the enclosure. |
| Static Power Limit | Power Limit | An optional setting to limit power. Whenever you attempt to power on a device, the total power demands of the new device and of the devices already on are compared against this Static Power Limit. If the total power demands exceed the limit, the new device is prevented from powering on. |

Dynamic Power: The default setting is Enabled. The following selections are valid:

- Enabled: Some power supplies can be automatically placed on standby to increase overall enclosure power subsystem efficiency.
- Disabled: All power supplies share the load. The power subsystem efficiency varies based on load.

Dynamic Power is not supported for low voltage on the enclosure.

Finish

Click Show Config to view the current configuration for the enclosure. To save the configuration as a text file:

- Microsoft Internet Explorer: select Save As
- Mozilla Firefox: select Save Page As
- Google Chrome: select???

For security, the retrieved current configuration does not contain any user passwords. You can manually edit the script to add the user passwords after the user name on the ADD USER lines. Also, the retrieved current configuration does not contain any of the LCD settings (Lock Buttons, Enable PIN Protection, and PIN Code). These settings cannot be added from the configuration script.

You can clear the Do not automatically start this wizard again check box to force the First Time Setup Wizard to run again the next time a user signs into the OA.

Click the Finish button to save and exit the First Time Setup Wizard. The First Time Setup Wizard screen closes and you are returned to the default main screen of the OA.
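A script that has been edited to carry passwords on its ADD USER lines holds them in plain text, so it is worth checking a saved copy before it is stored or shared. The following added example (not from the guide or from HPE) reports such lines without echoing the password and writes a password-free copy; the double-quoted argument syntax and the sample script are assumptions constructed for illustration.

```python
# Added example: find ADD USER lines in a saved OA configuration script that
# carry a password, and produce a copy with the passwords removed.
# Assumption: arguments are double-quoted, as in SAMPLE_SCRIPT (constructed).
import re
import shlex

ADD_USER = re.compile(r"^\s*ADD\s+USER\b", re.IGNORECASE)

SAMPLE_SCRIPT = '''\
#Script generated by Show Config (constructed sample)
ADD USER "Administrator"
ADD USER "ops admin" "Examp1e-Passw0rd"
add user "auditor" "An0ther-Example"
ADD USER "temp" "unterminated
SET ENCLOSURE NAME "Lab-Enclosure"
'''


def parse_add_user(line):
    """Return (username, has_password) for an ADD USER line, else None.

    Raises ValueError when the quoting is unbalanced or the user name is missing.
    """
    if not ADD_USER.match(line):
        return None
    tokens = shlex.split(line)  # ValueError on an unclosed quote
    if len(tokens) < 3:
        raise ValueError("ADD USER line without a user name")
    return tokens[2], len(tokens) > 3


def audit(script_text):
    """List (line_number, username, issue) findings; the password is never returned."""
    findings = []
    for number, line in enumerate(script_text.splitlines(), start=1):
        try:
            parsed = parse_add_user(line)
        except ValueError:
            findings.append((number, None, "unparseable"))
            continue
        if parsed and parsed[1]:
            findings.append((number, parsed[0], "password present"))
    return findings


def redact(script_text):
    """Return the script with passwords dropped from ADD USER lines.

    Lines that cannot be parsed are replaced by a review marker rather than
    copied through, so a malformed line cannot carry a password into the copy.
    """
    cleaned = []
    for line in script_text.splitlines():
        try:
            parsed = parse_add_user(line)
        except ValueError:
            cleaned.append("#REVIEW: unparseable ADD USER line removed")
            continue
        if parsed and parsed[1]:
            cleaned.append(f'ADD USER "{parsed[0]}"')
        else:
            cleaned.append(line)
    return "\n".join(cleaned) + "\n"


if __name__ == "__main__":
    for finding in audit(SAMPLE_SCRIPT):
        print(finding)
    print(redact(SAMPLE_SCRIPT))
```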

Navigating Onboard Administrator

Navigation overview

The main OA navigation system consists of two views:

- Tree view: Lists all of the complex devices on the left side of the main page and remains visible at all times.
- Graphical view: Displays a physical picture of the enclosures in the complex.

You can navigate the devices and functions in a complex through either of these views.

Tree view

The tree view aids in navigating individual compute enclosure devices, connected IOXs, and functions for all complex compute enclosures in a hierarchical manner. The rendering of the tree view depends on several factors, including user permissions, device availability, and device status. If a user is configured to be an Operator or User, then some options might not be visible in the tree view.

One of the main purposes of the tree view is to enable navigation using categories based on the major systems within the complex. When a category is expanded (by clicking the white plus icon on the blue box to the left of the category), an icon next to the category name can indicate a degraded status of the affected system. In the case of multiple components reporting status, the status icon indicates a cumulative worst-case status of all the devices in the same category.

Individual device pages

Clicking the link for an individual device selects the device, opens the device detail page, and selects the device in the graphical view in the right frame of the GUI. Individual device pages contain detailed information on the selected device and other device-related functions.

Category summary pages

Category summary pages contain summary information for each of the devices in that category. For example, clicking the Device Bays link opens the Device Bay Summary screen. Each parent element in the tree works in this manner. When you click a category summary link, no devices are selected in the graphical view navigation.

System forms pages

Some devices, particularly OA, can have links to various system forms pages listed after their main links in the left tree navigation view. Form pages contain input text boxes, radio buttons, and other HTML input elements and are used to administer settings related to the device to which they belong. For example, you can use the OA system forms page to change IP address settings or update firmware. These forms are linked under the OA parent element.

When you click a system forms link, the device to which the form page belongs is selected in the graphical view. For example, clicking the UID State link for the Active OA selects the Active OA device in the graphical view. Links to system forms do not display status icons.

Graphical view navigation

The second component of the OA GUI navigation system is a graphical representation of physical enclosures, called the graphical view. The graphical view consists of two subcomponents: a front view and a rear view.

The following image shows the graphical view of a typical Integrity Superdome X compute enclosure.

Selecting a device

To select a device, click the graphical representation of the device in the front or rear graphical view. When you select a device, its border changes from gray to light blue, indicating that it is the currently selected device. Selecting a device in the graphical view selects the corresponding device in the left navigation tree view. Every time you select a device from any part of the navigation system, the rest of the navigation reflects the device selection event and updates accordingly.

Status reporting

The graphical view reports the status of every device in the enclosure. The status of each device is indicated next to the device by a small status icon. No status icon appears for a device that is working properly and has an OK status. However, all other status codes appear as status icons next to the device.

Status icons are used instead of the health LED in the graphical view component images to convey the device status. To provide a consistent and clean GUI interface, the LED displayed by the OA GUI does not always match the actual LED on the hardware. Users should rely on the status icons on the GUI to determine the device health status.

Device security

Although the front and rear graphical views are both affected by user permissions, security on the graphical view is handled differently from the left tree view. If the user does not have the permissions to access a device, a blank bay appears regardless of whether a device is present in that bay, and a padlock icon appears in the bay table cell, indicating that the bay is locked to the current user. The user cannot select a locked bay. When the user hovers the mouse over the locked bay, a message appears, indicating that the user does not have permission to access devices in that bay.

Minimizing the graphical view

To minimize the graphical view from the main display, click the box with the arrow, located directly to the left of the name of the enclosure in the graphical view box. This minimizes the graphical view and gives more room for the main section of the display. This is useful when viewing the OA on a small monitor or on a monitor with low resolution.


Complex Overview

Complex Overview screen

The Complex Overview screen displays a graphical representation of each compute enclosure in the complex, called the graphical view. The graphical view consists of a front view and a rear view of each enclosure.

The front view shows the presence and status of the following components:

- blades
- bulk power supplies
- the DVD module

The rear view shows the presence and status of the following components:

- PDUs
- X-Fabric Modules
- GPSMs
- OAs
- interconnect modules
- Fans

When you mouse over a device in the graphical view, a window appears with information on that device. The graphical view provides status on each device in the enclosure and gives you the option of selecting an individual device for viewing more detailed information.

NOTE: Status icons are used instead of the health LED in the component images to convey the component status. Components with an OK status will not have status icons.

Compute Enclosures tab

| Item | Description |
|---|---|
| Enclosure Name | The DNS name of the enclosure and the name of the enclosure in the rack. |
| Enclosure ID | The ID for the enclosure in a multi-enclosure system. |
| Serial Number | The unique serial number of the enclosure. |
| UUID | The Universally Unique Identifier assigned to the enclosure. |
| Part Number | The part number of the enclosure used when getting a new or replacement enclosure. |
| Asset Tag | The tag used for inventory control. |
| UID State | Displays On or Off, depending on whether the UID is active. |
| Insight Display | A link to the Insight Display page of the enclosure. |

To update the complex topology information, click the Refresh Topology button.

Power and Thermal tab

The Power and Thermal tab displays information about the temperature inside each compute enclosure and the thermal and power subsystem health status. A graphical view of the present power and power limit helps you determine the power status.

NOTE: This information appears only for compute enclosures. Information is not included for IOXs.

Table 2: Compute enclosure cooling requirements

| Item | Description |
|---|---|
| Current Btu/hr | The sum of the amount of heat being generated by the complex enclosures measured in Btu per hour. |
| Max Btu/hr | The maximum amount of heat that can be generated by the complex enclosures under load measured in Btu per hour. |

Table 3: Compute enclosure thermal and power status

| Item | Description |
|---|---|
| Enclosure Ambient Temperature | This box displays the highest ambient temperature being reported by the installed blade devices. If no blade devices are installed, then this box displays the temperature of the OA module as an approximation of the ambient temperature. |
| Thermal Subsystem Status | The overall thermal status of the enclosure. Possible values are Unknown, OK, Degraded, or Critical Error. |
| Power Subsystem Status | The overall power status of the enclosure. Possible values are Unknown, OK, Degraded, or Critical Error. |
| Power Mode | A user setting to configure the enclosure DC power capacity and the input power redundancy mode of the enclosure. See Power Management on page 151 for possible values. |
| Present Power | The amount of watts being consumed by all devices in the enclosure. |
| Power Limit | The maximum amount of power available for consumption by the enclosure measured in watts. |

IMPORTANT: In a complex with one or more failed power supplies, it is possible for attempts to power on servers to fail if the resulting power allocation would result in the Power Redundancy Status becoming Failed. The administrator must explicitly reduce the redundancy setting to enable powering on servers prior to the failed power supplies being serviced. This applies to AC Redundant and Power Supply Redundant power modes.

NOTE: If redundancy mode is set to AC Redundant, or Power Supply Redundant, and power redundancy is lost, then you must either add additional power supplies or change the redundancy mode setting in the OA to restore Power Subsystem status. See the Insight Display for corrective steps.

NOTE: The Power Limit is dependent on the enclosure power redundancy setting and the number and location of the power supplies in the enclosure. If a Static Power Limit has been specified, the Power Limit displays that limit.
Complex Information screen

The Complex Information screen has four tabs:

- Status
- Information
- Complex Logs
- Complex CLI

Status tab

The Status tab provides the current operational status of the entire complex and the status of each compute enclosure and IOX in the complex.

| Item | Description |
|---|---|
| Complex Status | The overall health of the complex. Possible values are Unknown, OK, Degraded, and Failed. |
| CAMNET Status | The overall health of the CAMNET fabric in the complex. Possible values are Unknown, OK, Degraded, and Failed. |
| Robust Store Status | The health of the complex Robust Store. Possible values are Unknown, OK, Degraded, and Failed. |
| Cooling Status | The overall health of the cooling systems in the complex. Possible values are Unknown, OK, Degraded, and Failed. |
| Thermal Status | The overall thermal status of the complex. Possible values are Unknown, OK, Degraded, and Failed. |
| Product ID | The overall status of product IDs of all devices in the complex. Possible values are Unknown, OK, Degraded, and Failed. |
| Enclosure ID | The overall status of enclosure IDs of all enclosures in the complex. Possible values are Unknown, OK, Degraded, and Failed. |
| Xfabric Status | The overall status of the Xfabric. Possible values are Unknown, OK, Degraded, and Failed. |

The Complex Status tab displays diagnostic information in the Diagnostic Information table.

| Item | Description |
|---|---|
| Overheat Check | Temperature is above the danger threshold. Possible values are OK or Critical temperature threshold reached. |
| Cooling | The status of the fans in the complex. Possible values are OK or Insufficient fans for enclosure cooling. |
| Device Operational | Indicates whether or not a device has been declared degraded by firmware when status was not requested by the OA. Possible values are OK or Error. (Degraded state is less severe than a failed state.) |
| Device Degraded | Indicates whether or not a device has been declared degraded by firmware when status was requested by the OA. Possible values are OK or Error. |
| Firmware Mismatch | One or more components in the Complex contains firmware that is not compatible with other components in the Complex. |

The Complex Status tab displays general status information about each compute enclosure and IOX in the complex in the Enclosure Status Overview table.

Enclosure Status Overview

| Column | Description |
|---|---|
| Enclosure ID | The assigned number of the compute enclosure in the complex. |
| Enclosure Name | The assigned name of the compute enclosure. |
| Status | The overall health of the compute enclosure. Possible values are Unknown, OK, Degraded, and Failed. |

IOX Status Overview (Superdome 2)

| Column | Description |
|---|---|
| IOX Number | The number of the IOX in the complex. |
| Status | The overall health of the IOX. Possible values are Unknown, OK, Degraded, and Failed. |

Information tab

The Information tab provides general information about the complex and an input box to change the Complex Name.

| Item | Description |
|---|---|
| Product Name | Common descriptive name of the complex |
| Manufacturer | Name of the company that manufactured the complex |
| Original Product Number | The original product number of the complex |
| Current Product Number | The current product number of the complex |
| Serial Number | The unique manufacturer serial number of the complex |
| Universal Unique Identifier (UUID) | The Universally Unique Identifier number assigned to the complex |
| Monarch Enclosure Number | The number of the compute enclosure in the complex designated as the monarch enclosure |
| Number of Enclosures | The total number of compute enclosures in the complex |
| Number of IOXs | The total number of IOXs in the complex |
| Complex Firmware Version | The currently configured firmware bundle version on the complex |

Settings box

The text input box below the Complex Information table enables you to change the Complex Name for the complex. After choosing a Complex Name, click the Apply button to save changes.

Complex Logs tab

The Complex Logs tab displays links to launch log viewers in new windows. The available log viewers are the System Event Log, Forward Progress Log, and the Live Log.

Complex CLI Tab

This tab opens a page that provides a link to launch a Command Line Interface shell on the Monarch OA. Only one CLI session may be launched from the OA GUI. The CLI shell is a separate application launched by the GUI and is displayed in its own separate window.

Complex Information: Firmware Management

This option can be expanded to show links for the following:

- Complex Firmware Summary: see Complex Firmware Summary screen on page 76
- Updating Firmware: see Online complex firmware update

Complex Firmware Summary screen

The Firmware Summary screen displays the current status of firmware in the complex. Superdome systems support two types of firmware: complex firmware that must be consistent across all devices in the complex, and partition firmware that runs on the system processors of server blades.

Firmware on the system can be in one of three states:

- Configured: the firmware that should be running on a specific entity.
- Installed: the firmware that is currently installed and will become active on the next boot.
- Active: the version of firmware currently running on the system.

A table with the configured complex firmware version appears at the top of the screen. If any entity within the complex does not have the correct complex firmware, a second table will be displayed indicating which entities have mismatched firmware.

NOTE: The displayed firmware version will depend on the firmware installed on your system.

Table 4: Complex Firmware information

| Item | Description |
|---|---|
| Configured Complex Firmware Version | The version of the firmware bundle currently configured on the complex. |
| Enclosure / Bay | The compute enclosure and bay number of the device with mismatched firmware. |
| Model | The model number of the device. |
| Installed Version | The currently installed version of the firmware on the device. |

Each partition in the complex is displayed after the Complex Firmware, with the version of the firmware currently configured and active on the partition. If any devices within a partition have firmware versions that do not match the currently installed version of the complex firmware on the partition, they are displayed below the partition firmware information.

Table 5: Partition Firmware information

| Item | Description |
|---|---|
| Configured Partition Firmware Version | The version of the firmware bundle currently configured on the partition. |
| Active Partition Firmware Version | The version of the firmware bundle currently active on the partition. If the partition is not currently booted, the Active firmware version will be displayed as Unavailable while partition is inactive. NOTE: The active version of the firmware will not match the configured version if the partition requires a reboot after a firmware update. |
| Enclosure / Bay | The compute enclosure and bay number of the device with mismatched firmware. |
| Model | Type of device with mismatched firmware. |
| Installed Version | The currently installed version of the firmware on the device. |

Online complex firmware update

IMPORTANT: Online firmware updates are supported on Integrity Superdome X firmware version or later. Updating from version requires an intermediate firmware update to , and then to the latest supported firmware release. See the release notes for the HPE Integrity Superdome X Server Firmware Bundle.

Introduction

While an online complex firmware update is in progress, server management capabilities are inactive, and operators should keep this in mind. Server management entities throughout the complex are responsible for updating their own firmware flash ROMs, rebooting the updated firmware images, and reestablishing internal communications with each other, so certain management services become temporarily unavailable at the server level during an online complex firmware update operation. This information describes those server management limitations, but it is not a complete listing of all possible consequences that may be encountered during an online complex firmware update.
Superdome 2 firmware updates

Superdome 2 complex firmware bundle version and HP-UX 11i v3 September 2011 or later, supports online complex firmware updates. The ability to support online complex firmware updates can dramatically reduce the amount of partition downtime required for a customer to update their Superdome 2 systems to future firmware bundles. Under certain conditions, partition downtime needed to apply a new firmware bundle can even be eliminated entirely. However, there may also be other partition maintenance activities (OS patch installations, for example) to complete during a maintenance window that will involve a partition reboot in order to take effect. Also, firmware updates that include new partition firmware packages (system firmware) require a partition reboot to activate, but the operator can time that reboot for each individual nPartition as best fits their needs.

NOTE: Superdome 2 systems running firmware prior to cannot perform an online complex firmware update. Updating firmware from a release prior to (1.3.1 for example) must be performed with all partitions taken offline, and the xfabric powered off.

Integrity Superdome X firmware updates

For information about Integrity Superdome X complex firmware and driver updates, see the HPE Integrity Superdome X Service Guide.

Services unavailable

Server management features are unavailable during the process of an online complex firmware update. System firmware will continue to operate and support the OS running on partitions in the complex; however, certain activities may require system firmware to interact with server management firmware, and these operations will not work while an online complex firmware update is executing. These partition/complex firmware interactions may either be delayed until after the complex firmware update operation has completed, or may be dropped or only partially used. Legacy sx2000 Superdome systems also supported online update of server management entities (MP, ED, PDHC, CLU), and performing such updates had similar consequences on that platform.
The following table shows the major classes of server management services that the OS and applications use during normal runtime, and whether each is available or unavailable during the online complex firmware update process:

| Service | Status during online complex firmware update |
|---|---|
| Management processor access (for example: poweron/off, restart, TOC, console, logs) | Unavailable |
| IPMI services | Unavailable |
| Console service to OS | Unavailable, and some character loss is possible if the buffer fills up |
| System firmware services during boot, shutdown, MCA, INIT and CMC logging operations | Available |
| Network management services (SD2 has additional services). OS-debugger, HP SIM XML query, HP-SUM SOAP query, WEBES ws-manage events and query. | Unavailable |

Management Processor access

When an online complex firmware update is initiated, all current users are disconnected from the OA for the duration of the complex firmware update process. This includes all OA CLI and GUI sessions, with one possible exception: if the operator initiates the firmware update from the CLI, then this session will remain active to allow for tracking the progress of the update for all but the last few minutes.

The time it takes for a complex firmware update to complete is highly variable based on system size and complexity (bigger systems take longer), and the number of firmware packages in the bundle which must be updated, but is not expected to exceed 150 minutes under any conditions. Typical firmware updates will take less time to complete.

IPMI

During the process of an online complex firmware update, no IPMI requests can be serviced until the update completes. This means that partition configuration changes, including iCAP changes, will not be allowed. For reference purposes, the following IPMI CLI commands are unavailable:

parcreate, pardefault, parremove, parmodify, parstatus, vparcreate, vparremove, vparmodify, vparboot, vparreset, vparstatus, icapmodify, icapstatus

Event logs

Forward Progress Logs and System Event Logs normally captured by the server management system will not be updated during the firmware update process.

IPMI Watchdog

During the online complex firmware update process, the IPMI watchdog timeout will be disabled. It will be re-enabled when the system wakes up. The OS will discover the watchdog timer has disappeared after the firmware update process has completed, and will recreate it by design.

Partition ID (HP-UX)

For Superdome 2 partitions running HP-UX, the # getconf _CS_PARTITION_IDENT command (which returns the HP-UX partition ID) is used for licensing. It is a concatenation of UUID + nPartition # + vPar #. UUID is continuously available from the SMBIOS table. The latter two (nPartition and vPar #s) are obtained using an IPMI call which may fail during the firmware update process. HP-UX caches this information after the very first call to getconf _CS_PARTITION_IDENT, so this command would only fail if it had never been run before the firmware update process began.

For information about how the partition UUID is managed in Integrity Superdome X, see the HPE Integrity Superdome X Service Guide.

Console

When the firmware update is in progress, the OS console cannot be serviced on the server management side.
Since all active sessions to the OA CLI and GUI interfaces are closed at the beginning of the firmware update process, the OS console cannot be actively viewed during this process. The OS console is normally a quiet interface with little character traffic; however there are conditions (OS panics, for example) where the character buffer could potentially fill up during the firmware update process. If the console character buffer is full during an active online complex firmware update, new incoming characters will be dropped so the console does not hang on the OS side. This potential for console character loss does not extend to kernel memory (dmesg) or impact the OS syslog or crashdump area in any way, so this should not inhibit OS problem diagnosis in the unlikely event something unexpected occurs at the OS level. The characters captured in the buffer will be drained once the firmware update process completes, and console operation will return to normal. 80 Complex Overview

System firmware services during boot and shutdown

Certain partition events which occur while the OS is running may not be handled if they occur while management firmware is unavailable:

- OS-requested restart (for example: TOC, shutdown -r)
- MCA
- On Superdome 2 systems, HP-UX boot might hang until firmware update completes

In the cases above, the OS shutdown or restart may not complete. The system design does not make any guarantees about successful handling of OS restart, MCA, or boot that occurs during the online complex firmware update process, so Hewlett Packard Enterprise recommends that the operator not attempt to initiate operations like an OS shutdown, boot/reboot, cold installation, patch update, or a Serviceguard cluster reconfiguration request during the online complex firmware update process. Such actions should be performed serially to avoid potential conflict consequences.

All PAL and SAL calls do work during an online complex firmware update, as these commands execute at the partition level and do not access server management resources.

The following services are not affected by the online complex firmware update process, and will remain operational:

- Get/SET EFI Variables: Calls to get/set EFI variables will work for the OS.
- HPET Timer: The HPET timer will not be re-initialized, and this partition resource will remain available throughout the firmware update process.
- EFI_SetTime: System firmware will continue to maintain the correct time during an online firmware update.
- Error Records: Error records can be generated as a result of INIT, CMC/CPE, and MCA. INITs are stored by system firmware in NVRAM, so these records will be available to the OS after restart. They will also be available to CLI errdump once the firmware update completes. Logging of CMC/CPE error records is unaffected by a PDHC or OA restart; errors not logged before a restart are saved in hardware and will be logged after the restart. MCA logs may be lost during this period; however, system firmware will alert server management that an MCA has occurred once the firmware update completes, and server management will ensure the partition is reset and data integrity maintained.

Affected OS commands

The HP-UX machinfo command can print the firmware versions. This command may malfunction during an active online complex firmware update operation when it attempts to print the BMC firmware version, which is sourced via IPMI.

Network services to OA

All network services provided by the OA are interrupted by the firmware update process. These services include:

- XML inventory query from HP SIM
- WS-MAN partition query from HP SIM and plug-ins
- User interface (ssh, web, telnet) for all OA services
- SOAP request from GiCAP Group Manager, HP SUM
- Kernel debugger connection through OA network port
- Console access through the OA
- Ping, SNMP queries

This is the same as legacy MP or C7000 OA (depending on the protocol) behavior during an update.

Frequently asked questions:

Some sample questions are included below to aid the operator wishing to perform an online complex firmware update.

Can Oracle use IPMI to reset a partition?
Not during the online complex firmware update process.

Do virtual partition reboots proceed during online complex firmware updates?
GWLM tries a number of times and gives up, logs an error, will come back and retry later. Changes won't happen until it eventually tries later when the firmware update process has completed.

GWLM asks for dynamic resource change (for example, Vparmodify), what happens when it cannot execute for an hour?
GWLM tries a number of times and gives up, logs an error, will come back and retry later. Changes won't happen until it eventually tries later when the firmware update process has completed.

How does field support debug if something happened during an online complex firmware update?
Kernel memory (dmesg), the OS syslog, and crashdump memory are unaffected, so this will not inhibit debug for OS-related events. The loss of event logs during the firmware update process is unavoidable (as it was on legacy sx2000 Superdome systems), but the SEL will indicate start and finish times for the update process.

What happens if Serviceguard or other cluster software tries to TOC during an online complex firmware update?
If a node tries to TOC itself from an application running on the partition, the partition OS will shut down to a point where it is ready to talk to server management. From an application viewpoint, the system is down. It may or may not automatically restart when the firmware update process completes. The service processor is unavailable during online complex firmware update, so a node cannot successfully TOC another node.

Will agents that require licensing or UUID find that information available during an online complex firmware update?

Known issues:

- System firmware services are largely available during online firmware update
- Machinfo reports system firmware revision, BMC revision, FPSW revision (HP-UX)
- See the Partition ID description under Services unavailable on page 79 for details (HP-UX)

NOTE: Most of these issues are for HP-UX only.

The following observations are included to help the operator understand how the loss of server management features might be visible from the OS perspective.

hpvminfo command qualifiers fail

The use of certain hpvminfo command qualifiers will return an ioctl error when executed during online firmware update. This may also result in a delay before the results of the command are displayed. The affected commands include: hpvminfo, hpvminfo -V, and hpvminfo -v.

Newly created HPVM guests cannot be started

Any newly created HPVM guest cannot be started during online firmware update. When you attempt to start the guest, the hpvmstart command will hang at "Initializing Forward Progress Log." The hpvmstart command will complete successfully after the Online Firmware Update has completed.

NOTE: This issue only pertains to newly created guests that have never been started. Guests that have been started at least once prior to the Online Firmware Update will start without any problems.

Serviceguard Manager performance degradation and proxy errors

Serviceguard Manager may experience some performance degradation or report proxy errors during online firmware update. These issues do not adversely affect the Serviceguard cluster or applications being managed by Serviceguard. If you do receive a message about a proxy error, you can resolve the issue by reloading the page. Performance returns to normal once the online firmware update has completed.

cimserver shutdown and startup fail

The cimserver command will time out when attempting to shut down or start up during online firmware update. Stopping or starting the cimserver process should be performed before or after the online firmware update. The affected commands include: cimserver -s and cimserver.

cimauth is unable to add authorizations

cimauth will fail to add authorizations during online firmware update. These operations should be performed before or after the online firmware update. Example of a cimauth command: cimauth -a -u wbem -n root -R -W

cprop command qualifiers fail

The use of certain cprop command qualifiers will report Connection timed out when executed during online firmware update. The affected commands include: cprop -summary -a and cprop -summary -Memory.

SMH is unable to query memory or enclosure information

The SMH is unable to query memory or enclosure information during online firmware update. This information is properly reported before and after the online firmware update.

setboot and related commands are unable to display or modify boot variables

The setboot command is unable to display or modify boot variables during online firmware update. This also impacts any command that calls setboot. The affected commands include: setboot, drd activate, drd status, vxbrk_rootmir, and vxrootmir.

wbemassist namespace error

wbemassist reports a namespace error when checking the WBEM Server response.

par* and vpar* commands fail

Parcon services are not available during online firmware update. Due to this unavailability, all par* and vpar* commands will fail. The affected commands include, but are not limited to: parcreate, parmodify, parperm, parstatus, vparcreate, vparmodify, vparstatus, and others.

Firmware Update screen

IMPORTANT: For Superdome 2 systems, you cannot update firmware through the OA GUI if you have complex firmware earlier than firmware bundle If you have complex firmware earlier than the firmware bundle , to update complex firmware, see the UPDATE FIRMWARE section in the HPE Integrity Superdome X and Superdome 2 Onboard Administrator Command Line Interface User Guide.

If you select the firmware update link in the left navigation panel, the firmware update selections screen will be displayed. This screen displays the options available for firmware update:

- Analysis Only: Use this option to display the actions that will be executed by the update. This option will run the analyze update and exit without executing the update. No firmware will be modified.
- Force Downgrade: Use this option if you are downgrading the firmware to a previous version. The firmware update process will fail if you are downgrading and this option is not selected.

The next table on this screen allows for the selection of the Update Type:

- Update All Firmware: This option will update ALL complex and partition firmware on the system.
- Update Complex Firmware: This option will update only the complex firmware on the system.
- Update npartition Firmware: This option will update the npartition firmware for the selected entities.

NOTE: If Update npartition Firmware is selected, a new table will appear that allows the selection of unassigned blade resources and existing partitions. You can select all or one or more partitions or blades from each list.

After the update type and targets are selected, you will need to determine if the firmware image being installed is from a URL, located on a USB drive plugged into the DVD module in enclosure 1, or in the archive storage of the monarch enclosure.

IMPORTANT: To update firmware on a system, you must be an Administrator level user assigned access to the partitions which you are attempting to update. Partition firmware update will not be allowed without assigned access to the partition.

Firmware image download

After starting an update, a progress bar showing the progress of the firmware image download will be displayed.

Firmware analysis

When the firmware bundle download completes, the GUI will display a wait bar while the system runs the firmware analysis. After the system completes the firmware analysis, the GUI will display the analysis results on an analysis page. This page will contain sections that may display notice, warning, and error messages. It will also display the list of partitions and components that will be updated if the analysis was successful.

If the analysis fails, you will not be supplied with further options. If the Analysis Only option was not selected, then the firmware update will automatically continue after 30 seconds. During this time you will have the option to cancel the update using the Cancel Update button at the bottom of the analysis page.

Update Status

When the firmware update starts, the page will change to display the update status page. This page will show the current status of the update.

The following information will be displayed:

- The status of each component being updated.
- The total number of components that will be updated.
- The number of component updates either completed successfully or failed.
- The estimated time remaining in the update.

IMPORTANT: When two Itanium processor family partitions share a single IOX, you will have to reboot both partitions in order to use the new firmware.

The interface does not allow the ability to do two or more concurrent updates. If another user attempts to initiate an update, an alert appears.

Enclosure DVD Module screen

The DVD module in a compute enclosure can be used by a partition to perform software installations and updates in the same manner as a standard DVD drive is used in a computer system locally or remotely.

The DVD module is not connected to any partitions in the complex after initial installation. To use the DVD drive, an administrator must first connect the DVD module to any or all partitions through the OA CLI or by navigating to the Complex npartitions menu and selecting the Virtual Devices tab.

For more information for Superdome 2, see the HP Superdome 2 Partitioning Administrator Guide. For more information for HPE Integrity Superdome X, see the HPE Integrity Superdome X Service Guide.

Status and Information tab information

Item, followed by its description:

Status
  Current status of the DVD module. Possible values are OK, Degraded, or Not Present.
Product Name
  The common descriptive name of the DVD module.
Manufacturer
  The name of the company that manufactured the DVD module.
Serial Number
  The unique serial number of the DVD module.
Part Number
  The part number to use when ordering an additional DVD module of this type.
Spare Part Number
  The part number to use when ordering a replacement DVD module of this type.
Engineering Date Code
  Manufacturing information about the DVD module.

Diagnostic Information

Item, followed by its description:

Device Identification Data
  Contains information on model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. Device identification data error displays if the data is not present or not readable by the OA.
Power Allocation Request
  There is insufficient power to adequately power the DVD module. Possible values are OK or Insufficient enclosure power.
Device Operational
  Status of the DVD module. Possible values are OK or Error.
Partner Device Presence
  Not applicable for Superdome 2 or Integrity Superdome X systems. This line will always display OK.
Device Indictment
  Indicates if the device has been indicted by the Superdome Analysis Engine.

Configuring compute enclosures and enclosure devices

Viewing the status screens

Each compute enclosure in the complex can be selected from the left navigation tree. Clicking the enclosure name opens the main status screen of the enclosure. On this page, four tabs are available at the top of the main page:

- Status
- Information
- Virtual Buttons
- Component Firmware

The Status tab displays one of the following values as Overall Enclosure Status:

- Critical/Failed
- Major
- Minor/Degraded
- Warning
- Normal/OK
- Disabled
- Unknown
- Informational

The Active HPE Superdome Onboard Administrator Status and Standby HPE Superdome Onboard Administrator Status are similar to the Overall Enclosure Status and display a status for the OA. If a Standby OA is not present in the system, its status value is Absent.

Enclosure Power Mode displays the current power mode of the enclosure. The following values are possible:

- AC Redundant
- Power Supply Redundant
- Not Redundant

The Enclosure Device Status Overview is divided into six sections:

- Device Bay Overview
- Interconnect Overview
- XFM Bay Overview
- GPSM Overview
- Power Subsystem
- Thermal Subsystem

For each of these sections, the following values are possible:

- Critical/Failed
- Major
- Minor/Degraded
- Warning
- Normal/OK
- Disabled
- Unknown
- Informational

Enclosure information

Enclosure Status

This section provides detailed procedures to configure the management functionality provided by the OA. Select the tree view menu item Enclosure Information to view the enclosure Status screen.

Enclosure Status tab

Table 6: Status information

Item, followed by its description:

Enclosure Status
  The overall status of the enclosure. Possible values are Unknown, OK, Degraded, N/A, or Critical Error. (1)
Active OA Status
  The overall status of the active OA. Possible values are Unknown, OK, Degraded, and Failed.
Standby OA Status
  The overall status of the standby OA. Possible values are Absent, Unknown, OK, Degraded, and Failed.
Power Mode
  The power redundancy mode. Possible values are AC Redundant, Power Supply Redundant, Not Redundant, or Unknown. For information on these modes, see the user guide for your system.

(1) The enclosure status appears as N/A if the Enable Extended Data or GUI Login Page setting is disabled. This setting is accessible at Enclosure Settings > Network Access > Anonymous Data.

Diagnostic information

Diagnostic information is gathered by polling a device microcontroller (resulting in a degraded status if a failure has occurred), or is sent by the device microcontroller, without being polled to report a failure.

Item, followed by its description:

Device Identification Data
  Contains information on model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. Device identification data error displays if the data is not present or not readable by the OA.
Overheat Check
  Temperature is above the danger threshold. Possible values are OK or Critical temperature threshold reached.
Device Operational
  Possible values are OK or Error. View the syslog for errors. Possible reasons for the error are mismatched firmware or a software or hardware failure.
Device Degraded
  Indicates whether or not a device has failed when status was requested by the OA. Possible values are OK or Error.
Management Buses
  Management bus status. Possible values are OK or Error.
Redundancy
  An error indicates the redundant OAs are having problems syncing up. Check the syslog for errors. Possible reasons for the error are mismatched firmware or a software or hardware failure.
DVD
  DVD connection status.
Blades
  Blade status.
Device Indictment
  Indicates if the device has been indicted by the Superdome Analysis Engine.

Table 7: Subsystems and Devices information

Table and item, followed by the description:

Device Bay Overview: All Device Bays
  The overall status of all device bays. Possible values are Unknown, OK, Degraded, and Failed.
Interconnect Bay Overview: All Interconnect Bays
  The overall status of the interconnect bays. Possible values are Unknown, OK, Degraded, and Failed.
XFM Bay Overview: All XFM Bays
  The overall status of the XFM bays. Possible values are Unknown, OK, Degraded, and Failed.
GPSM Bay Overview: All GPSM Bays
  The overall status of the GPSM bays. Possible values are Unknown, OK, Degraded, and Failed.
Power Subsystem: System Status
  The overall status of the Power Subsystem of the enclosure. Possible values are Unknown, OK, Degraded, and Failed.
Thermal Subsystem: System Status
  The overall thermal status of the enclosure. Possible values are Unknown, OK, Degraded, and Failed.

NOTE: If any subsystem contains a component with a status other than OK, all components of that subsystem with a status other than OK are displayed inline.

Enclosure Information tab

Hardware information

Item, followed by its description:

Part
  The general description of the enclosure component
Model
  The model name of the enclosure component
Manufacturer
  The name of the company that manufactured the enclosure component
Serial Number
  The unique serial number of the enclosure component
Part Number
  The part number to be used when ordering an additional enclosure component
Spare Part Number
  The part number to be used when ordering a replacement enclosure component

Changing settings

You can change enclosure settings from this screen. To save the settings after making the changes, click the Apply button.

Enclosure Name
  Possible value: 1 to 32 characters including all alphanumeric characters, the dash (-), and the underscore (_)
  Description: The name of the selected enclosure
Rack Name
  Possible value: 1 to 32 characters including all alphanumeric characters, the dash (-), and the underscore (_)
  Description: The name of the rack in which the enclosure is installed
Asset Tag
  Possible value: 0 to 32 characters including all alphanumeric characters, the dash (-), and the underscore (_)
  Description: The asset tag is used for inventory control. The default asset tag is blank

Virtual Buttons tab

To change the state of the enclosure UID, click the Toggle On/Off button. The enclosure UID is located to the left of the enclosure link-down port.

AlertMail

AlertMail enables users to receive system events by e-mail instead of using SNMP traps. AlertMail is completely independent from SNMP, and both can be enabled at the same time. AlertMail uses standard SMTP commands to communicate with an SMTP-capable mail server. The "Reply To" address for each e-mail sent by AlertMail is <Enclosure Name>@<Alert Sender Domain>.

To enable the AlertMail feature, select the Enable AlertMail check box.

To test the AlertMail function:

1. Be sure that the e-mail address, alert sender domain, and SMTP server settings are correct.
2. Select the Send Test AlertMail button.
3. To confirm that the test e-mail completed successfully, verify the recipient e-mail account.

NOTE: The Alert Sender Domain might not be required. The information in this box depends on the mail server setup.

E-mail address
  Description: This box is a valid e-mail address for the administrator or other designated individual receiving the AlertMail
Alert Sender Domain
  Possible value: A character string including all alphanumeric characters and the dash (-)
  Description: The domain in which the OA resides
SMTP Server
  Possible value: ###.###.###.### where ### ranges from 0 to 255
  Description: An IP address for the SMTP server

Procedure

To enable the AlertMail feature:

1. Select the Enable AlertMail check box to enable the AlertMail feature.
2. Enter values for the e-mail address, alert sender domain, and SMTP server.
3. Click the Apply button to save the settings.

AlertMail, if enabled, sends alerts by e-mail for the following events:

- Enclosure status change
- Enclosure information change
- Fan status change
- Fan inserted
- Fan removed
- Power supply status
- Power supply inserted
- Power supply removed
- Power supply overload
- Blade inserted
- Blade removed
- Blade status
- Blade thermal condition
- Blade fault
- Blade information change
- Tray status change
- Tray reset
- Switch connect
- Switch disconnect

All e-mails have the following header:

  From: Enclosure ENCLOSURE-NAME
  Date: Date in standard format
  Subject: HP AlertMail-SEQ: <SEVERITY> SUBJECT
  To: RECEIVER MAILBOX

Where <SEVERITY> is one of the following (from highest to lowest):

- FATAL
- CRITICAL
- WARNING MAJOR
- WARNING MINOR
- WARNING
- NORMAL

Each subject line contains a unique sequence number to easily identify the order of events in case the mail server distributes them in the wrong order. Sequence numbers range from 0 to 999 and restart at 0.

The mail body is used to give more detailed information regarding the event issued. The mail body also contains information on what the user must do to correct any issue and what the current enclosure status is.

NOTE: The enclosure status is displayed as the status at the time when the event is processed, which can cause the status to show up as OK in an e-mail saying a Fan has Failed if the user replaced the fan at the time the event is sent out by AlertMail.

Sample e-mail

  Subject: HP AlertMail-010: (CRITICAL) Power Supply #1: Failed
  Date: Wed, 23 Apr :02:
  From: Enclosure EM-00508BEBA571 <EM-00508BEBA571@hp.com>
  To: user@domain
  X-OS: HP Superdome 2 Enclosure Manager
  X-Priority: 1
  Content-Type: text/plain; charset=us-ascii

  EVENT (26 May 07:09): Power Supply #1 Status has changed to: Failed.

  Enclosure, EM-00508BEBA571, has detected that a power supply in bay 1 has changed from status OK to Failed.

  The power supply should be replaced with the appropriate spare part. You can ensure that the center wall assembly is operating correctly by swapping the two power supplies. Make sure that there are no bent pins on the power supply connectors before reinserting and that each power supply is fully seated.

  An amber LED on the power supply indicates either an over-voltage, overtemperature, or loss of AC power has occurred. A blinking LED on the power supply indicates a current limit condition.

  Enclosure Status: Degraded
  Enclosure Management URL:
  - PLEASE DO NOT REPLY TO THIS -

Date and Time

NOTE: The RTC in an npartition is synced to OA time when the npartition is rebooted. If you change the time on the OA, it may affect the RTC on the npartition. Hewlett Packard Enterprise recommends that you use the NTP for both the OS and OA and also configure the NTPDATE_SERVER variable in /etc/rc.config.d/netdaemons at OS startup. This is the most reliable setting for accurate OA, npartition, and OS time.

Static date and time settings

The date and time are static and not updated in real-time. The date and time can only be set when NTP is disabled.

Date
  Possible value: yyyy-mm-dd, where mm is an integer from 1 to 12 and dd is an integer from 1 to 31
  Description: The date assigned to the enclosure
Time
  Possible value: hh:mm:ss (24-hour time, ss is optional), where hh is an integer from 0 to 23, mm is an integer from 0 to 59, and ss is an integer from 0 to 59
  Description: The time assigned to the enclosure
Time Zone
  Possible value: Time zone settings: Universal time zone settings, Africa time zone settings, Americas time zone settings, Asia time zone settings, Oceanic time zone settings, Europe time zone settings, Polar time zone settings
  Description: The time zone assigned to the enclosure

NTP settings

To enable this feature, select Set time using an NTP server.

NOTE: For accurate OA date and time, Hewlett Packard Enterprise recommends using a stable and accurate NTP server with a GPS receiver for the time source, or running at a higher level in the NTP time server hierarchy.
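Added example, not part of the HPE guide: the AlertMail section above states that each subject line carries a sequence number from 0 to 999 that restarts at 0, so a mailbox monitor can restore emission order and flag alerts that never arrived. This Python example assumes the subject layout of the sample e-mail and that delivery reorders messages by fewer than 500 positions; the function names and the sample subjects are constructed for illustration.

```python
"""Restore AlertMail emission order from subject-line sequence numbers.

Added example (not HPE code). Assumptions: subjects follow the guide's sample
"HP AlertMail-010: (CRITICAL) Power Supply #1: Failed", and the mail server
reorders messages by fewer than 500 positions.
"""
import re
from dataclasses import dataclass

SEQ_MODULUS = 1000  # per the guide: numbers range from 0 to 999 and restart at 0
# Severities from highest to lowest, as listed in the guide.
SEVERITIES = ["FATAL", "CRITICAL", "WARNING MAJOR", "WARNING MINOR",
              "WARNING", "NORMAL"]
# Accepts the "(SEVERITY)" form of the sample and the "<SEVERITY>" template form.
SUBJECT_RE = re.compile(
    r"^HP AlertMail-(?P<seq>\d{1,3}):\s*[(<](?P<sev>[A-Z ]+)[)>]\s*(?P<text>.*)$"
)


@dataclass(frozen=True)
class Alert:
    seq: int
    severity: str
    text: str


def parse_subject(subject):
    """Return an Alert for an AlertMail subject line, or None for other mail."""
    match = SUBJECT_RE.match(subject.strip())
    if match is None:
        return None
    severity = " ".join(match.group("sev").split())
    if severity not in SEVERITIES:
        return None
    return Alert(int(match.group("seq")), severity, match.group("text").strip())


def unwrap(seqs):
    """Map 0..999 sequence numbers, in arrival order, onto one growing line.

    Each number is placed at the value congruent to it (mod 1000) that lies
    closest to the newest position seen so far, so 999 -> 0 counts as +1.
    """
    unwrapped, newest = [], None
    for seq in seqs:
        if newest is None:
            value = seq
        else:
            base = newest - (newest % SEQ_MODULUS) + seq
            value = min((base - SEQ_MODULUS, base, base + SEQ_MODULUS),
                        key=lambda candidate: abs(candidate - newest))
        unwrapped.append(value)
        newest = value if newest is None else max(newest, value)
    return unwrapped


def audit(subjects):
    """Return (alerts in emission order, missing sequence numbers, other mail)."""
    parsed, unparsed = [], []
    for subject in subjects:
        alert = parse_subject(subject)
        if alert is None:
            unparsed.append(subject)
        else:
            parsed.append(alert)
    paired = sorted(zip(unwrap([a.seq for a in parsed]), parsed),
                    key=lambda pair: pair[0])
    missing = []
    for (previous, _), (current, _) in zip(paired, paired[1:]):
        missing.extend(n % SEQ_MODULUS for n in range(previous + 1, current))
    return [alert for _, alert in paired], missing, unparsed


def worst_severity(alerts):
    """Highest severity present, using the guide's highest-to-lowest order."""
    return min((a.severity for a in alerts), key=SEVERITIES.index, default=None)


# Constructed sample: subjects in the order a mailbox received them.
SAMPLE_SUBJECTS = [
    "HP AlertMail-999: (CRITICAL) Power Supply #1: Failed",
    "HP AlertMail-998: (WARNING MINOR) Fan #3: Degraded",
    "HP AlertMail-001: (NORMAL) Power Supply #1: OK",
    "HP AlertMail-000: (WARNING) Enclosure Status: Degraded",
    "HP AlertMail-004: (FATAL) Blade #2: Fault",
    "Re: lunch on Friday",
]

if __name__ == "__main__":
    ordered, missing, other = audit(SAMPLE_SUBJECTS)
    for alert in ordered:
        print(f"{alert.seq:03d} {alert.severity:<13} {alert.text}")
    print("missing sequence numbers:", missing)
    print("worst severity:", worst_severity(ordered))
    print("not AlertMail:", other)
```

A non-empty list of missing sequence numbers means alerts were emitted by the OA but did not reach the mailbox, which is worth checking against the mail server before relying on the enclosure status shown in later messages.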

Primary NTP Server
  Possible value: DNS name or ###.###.###.### where ### ranges from 0 to 255
  Description: DNS name or IP address of primary NTP server that provides date and time information.
Secondary NTP Server
  Possible value: DNS name or ###.###.###.### where ### ranges from 0 to 255
  Description: DNS name or IP address of secondary NTP server that provides date and time information.
Time Zone
  Possible value: Time zone settings: Universal time zone settings, Africa time zone settings, Americas time zone settings, Asia time zone settings, Oceanic time zone settings, Europe time zone settings, Polar time zone settings
  Description: The time zone assigned to the enclosure

To save the settings, click the Apply button.

Enclosure TCP/IP Settings

This screen displays the current enclosure TCP/IP settings for the Active OA and enables you to change the following settings:

Enclosure IP Mode

The Enclosure IP Mode ensures all management applications point to the active OA of the enclosure, using a single static IP address. This mode is for enclosures with an active and standby OA. When the standby OA takes over the role of the active OA, the OA assumes the IP address of the previous active OA. This ensures the Enclosure IP Mode IP address is consistently pointing to the active OA.

The Enclosure IP Mode requires the active OA to have a static IP address. Before enabling Enclosure IP Mode, you must configure a static IP address for the Active OA. The standby OA can be configured for DHCP or static IP settings. This mode is optional and is disabled by default.

The transition times from standby to active and active to standby vary, depending on the configuration, enclosure population, and various other factors. The transition of standby to active can take several minutes. The transition of the previous active to standby will take longer.

IMPORTANT: Replace the standby OA only while the enclosure is powered on to be sure that the Enclosure IP Mode settings are not changed. To ensure that the Enclosure IP Mode setting is not changed when removing an OA module from the enclosure, do not remove the module while it is in the failover transition phase (about six minutes after a failover). After you remove a module, to ensure that all settings are transferred to the Standby module, add a replacement module and leave it in place for five minutes. If both the Active and Standby OA modules are powered off or removed from the enclosure at the same time, the Standby OA returns to the default network settings and all manually configured static network addresses are lost.

Active and Standby Onboard Administrator Network Settings

The OA allows network configuration to be based either on dynamically assigned IP addresses obtained from a DHCP server or on static IP addresses that you specify manually. You choose the basis for network configuration by selecting either the DHCP radio button or the Static IP Settings radio button. If you select DHCP, you can enable Dynamic DNS.

NOTE: Changing network settings on the OA that you are signed in to might disconnect you from that OA, in which case after you apply settings, you must sign in to the OA again.

- DHCP: Obtains the IP address for the OA from a DHCP server
- Enable Dynamic DNS: With DHCP enabled, Dynamic DNS allows you to use the same host name for the OA over time, although the dynamically assigned IP address might change. The host name is registered with a DNS server. Dynamic DNS updates the DNS server with new or changed records for IP addresses.
- Static IP Settings: Enables you to manually set up static IP settings for the OA

DNS Host Name
  Possible value: Can be 1 to 32 characters including all alphanumeric characters and the dash (-)
  Description: The DNS Name of the OA. The DNS host name can be assigned when using either DHCP or static IP settings. Changing the OA DNS Name could cause a host name mismatch on the SSL certificate. You may have to update the certificate information on the affected OA, using the Active OA Certificate Administration screen (Certificate Administration on page 116) or the Standby OA Certificate Administration screen as appropriate.
MAC Address
  Possible value: This is an informational box and cannot be changed
  Description: The OA MAC address
IP Address
  Possible value: ###.###.###.### where ### ranges from 0 to 255
  Description: Static IP address for the OA (required if static IP settings is selected)
Subnet Mask
  Possible value: ###.###.###.### where ### ranges from 0 to 255
  Description: Subnet mask for the OA (required if static IP settings is selected)
Gateway
  Possible value: ###.###.###.### where ### ranges from 0 to 255
  Description: Gateway address for the OA (required if static IP settings is selected)
DNS Server 1
  Possible value: ###.###.###.### where ### ranges from 0 to 255
  Description: The IP address for the primary DNS server
DNS Server 2
  Possible value: ###.###.###.### where ### ranges from 0 to 255
  Description: The IP address for the secondary DNS server

OA can employ up to two DNS servers for lookups, either static or DHCP assigned, but not both.

Click Apply to save new or changed settings.

NIC settings

101

Auto-Negotiate
Automatically configures the best link. This is the default setting. This option supports a NIC speed of 10 Mb/s, 100 Mb/s, or 1000 Mb/s. The 1000 Mb/s setting is only available when you select Auto-Negotiate.

Forced Full Duplex
Enables you to manually specify which settings the external NIC uses when trying to establish a link. OA does not verify that the forced Ethernet settings are valid on the network. Loss of communications can occur if the wrong or incompatible settings are used. Forced settings take effect 3 seconds after enabling or disabling the settings. The forced option supports only NIC speeds of 10 Mb/s or 100 Mb/s.

NIC Speed
Selects a NIC speed of 10 Mb/s or 100 Mb/s.

To save the new settings, click the Apply button.

Network Access

In this section, an administrator can configure settings relating to network access to the OA. These settings are specific to the enclosure and do not affect the network configurations for server blades.

The Protocol Restrictions subcategory is used to restrict access to the OA. Up to six protocol settings can be selected to allow or restrict access to the OA. An Enforce Strong Encryption option is also included.

Enable Web Access (HTTP/HTTPS)
This check box is selected by default. Clearing this check box disables HTTP/HTTPS access to the OA. Port 80 is used for HTTP and port 443 is used for HTTPS.
CAUTION: Disabling Web Access (HTTP/HTTPS) disconnects all users attached to the OA through HTTP/HTTPS, including the administrator.

Enable Secure Shell
This check box is selected by default. Clearing this check box disables Secure Shell connections to the OA. Secure Shell is disabled when Two-Factor Authentication is enabled. Disabling Two-Factor Authentication does not automatically re-enable Secure Shell. To re-enable Secure Shell, you must select the check box and then click Apply. Port 22 is used.

Enable Telnet
This check box is selected by default. Clearing this check box disables Telnet connections to the OA. Telnet is disabled when Two-Factor Authentication is enabled. Disabling Two-Factor Authentication does not automatically re-enable Telnet. To re-enable Telnet, you must select the check box and click Apply. Port 23 is used.
NOTE: Telnet is disabled after a factory reset or when Two-Factor Authentication is enabled.

Enable XML Reply
This check box is selected by default. Selecting this check box enables XML data to be shared between the OA and other Hewlett Packard Enterprise management tools such as HPE Systems Insight Manager. To display the information that is shared by the OA if this protocol is enabled, click View.

Enable WS-Management
Selecting this check box enables the WS-Management connections to the OA. WS-Management is enabled by default.

To save the settings, click the Apply button.

Login Banner

Enabling the Login Banner option requires OA users to acknowledge the banner text before they can log in.

Enable Display of Banner on User Login
Select this check box to enable the Login Banner option. Acknowledgment of the Login Banner text provides access to all systems connected to the primary Onboard Administrator.

102

Banner Text
The field size is limited to 1,500 printable characters, excluding the % and \ characters. While spaces and line feeds are accepted, using only white space characters within this text field is not allowed.
NOTE: The Login Banner accepts English (ASCII) characters only.

Apply
Click to validate the Banner Text field. If the Banner Text field is empty or contains only white space characters, but the Enable Display of Banner on User Login check box is selected, you are prompted to disable this feature.

Trusted Hosts tab

The Trusted Hosts subcategory is used to restrict access to the OA to only the hosts listed. When enabled, it allows only the listed hosts to access the OA. This subcategory contains one dialog box, one entry box, and one display box, which, if enabled, is used to list trusted IP addresses.

The Enable IP address access restriction check box is not selected by default. Selecting this check box allows only those IP addresses listed as Trusted Addresses to connect to the OA.

CAUTION: Enabling IP address access restriction without first entering the user IP address in the Trusted Addresses list disconnects the user from the OA.

CAUTION: When using the Trusted Hosts feature in an environment with multiple enclosures connected via enclosure link cables, ensure that all linked enclosures have the same Trusted Hosts settings. Linked enclosures that do not have the same Trusted Hosts settings may allow a web GUI user to access a protected enclosure from a non-trusted client.

The Trusted Addresses box is used to enter the IP addresses of all hosts that are to be trusted and allowed to connect remotely to the OA through the protocols set up in the Protocol Restrictions subcategory. This box allows for IP addresses only. Under the Trusted Addresses box is the list box of all trusted IP addresses, if trusted IP addresses are configured.

To add a trusted host, enter the IP address in the Trusted Addresses box, and then click Add. You can add a maximum of five Trusted Addresses.

To remove a trusted host, select the IP address in the Trusted Addresses list, and then click Remove.

To save the settings, click the Apply button.

Anonymous Data tab

Enable Extended Data on GUI Login Page
This check box is selected by default. Clearing this check box disables the "+" functionality in the topology view on the login page for this enclosure. Disabling the extended data on the GUI login page prevents unauthenticated users from viewing additional information. To prevent additional information from appearing for each linked enclosure, you must clear this check box for each enclosure.

To save the settings, click the Apply button.

103

NOTE: For Superdome 2 SD2 32s systems, Anonymous Data must be enabled for proper operation of the OA GUI. Do not clear the Enable Extended Data on GUI Login Page check box on Superdome 2 SD2 32s systems.

Link Loss Failover

This screen enables you to configure automatic OA redundancy failover based on network link status. For Link Loss Failover to function correctly, the redundancy status of the OAs must be OK. An OK status means that both OAs have the same firmware version, and that they are communicating properly.

Enable Link Loss Failover
This check box enables or disables automatic Link Loss Failover.

Failover Interval
The failover interval is the amount of time the active OA must be without a link on the external Ethernet interface before the system considers an automatic failover. The interval must be between 30 and seconds.

To save the settings, click the Apply button.

Enclosure Bay IP Addressing

The Enclosure Bay IP Addressing (EBIPA) screens allow you to configure fixed addresses for OA enclosure bays. The EBIPA feature helps to provision a fixed IP address based on bay number, which preserves the IP address for a particular bay even if a module is hot-replaced.

The management interface for components plugged into the bays must be set for DHCP and can only be used if the devices are set to boot from DHCP. If a device is configured for static IP, then it must be manually reconfigured to DHCP to change the EBIPA IP address. The OA GUI lists the IP address for the server blade iLO bay and interconnect module management bay.

The server blade iLO bays and interconnect module management bays can obtain IP addresses on the management network in the following ways:
• DHCP address: The server blade iLO defaults to DHCP addressing, through the network connector of the active OA. Interconnect modules that have an internal management network connection to the OA may also default to the DHCP address.
• EBIPA: When a server blade or interconnect module is inserted into a bay that has EBIPA enabled, that management port will receive the specific static IP address from the OA if that device is configured for DHCP.

There is an important difference between the network the complex is connected to and the management network that the OA uses. Enclosure Bay IP Addressing is used to assign IP addresses to the iLO processors that are bridged through the OA and must not be confused with port mapping for the server blade NICs or for network routers or switches. EBIPA does not assign IP addresses for any other device on the network, and cannot be used as a DHCP server on the network.

104

TIP: Link-local addresses: To save IP addresses, link-local addressing can be used. Link-local IP addresses can be assigned to blades, iLOs, and interconnect bays within an enclosure. Link-local addresses are intended only for use within a segment of a network and can be used for network configurations that do not require allocated IP addresses on the network.

As a best practice, Hewlett Packard Enterprise recommends the following rules for assigning iLO IP addresses: The Monarch nPar IP address should be assigned using EBIPA/DHCP. Do not use iLO interfaces to assign iLO static IP addresses. Auxiliary blades should be assigned using link-local addressing to save IP addresses. BL920s Gen8 and Gen9 Auxiliary blades will automatically be assigned link-local addresses and cannot be assigned public addresses.

All IP addresses, with the exception of address ranges x.y and x.y (reserved for internal management network), are supported as long as they are not duplicated. In addition, all the IP addresses must be within the same subnet defined by netmask and IP address so that all OAs as well as all iLOs fit into that subnet.

For more information on setting up link-local addresses, see the HPE Integrity Superdome X and Superdome 2 Onboard Administrator Command Line Interface User Guide.

The administrator sets an independent range for server blade bays and interconnect module bays using the OA EBIPA setup wizard. The first address in a range is assigned to the first bay and then consecutive bays through the range.

To set up your enclosure without an active network connection using EBIPA:

Procedure

1. Configure a static IP for each OA using the Insight Display, and note the active OA Service IP address on the Insight Display Enclosure Info screen. Attach the client PC to the enclosure Service Port (enclosure Link Up connector) between the OA bays with a standard Ethernet patch cable. The client PC NIC must be configured for DHCP because it gets an IP address in the range of approximately 1 minute later.
2. Launch a web browser (or alternatively a Telnet or Secure Shell session), and select the OA Service IP address as displayed in the enclosure Insight Display on the Enclosure Info screen.
3. Log into the OA as Administrator, using the administrative password attached to the active OA.
4. While the First Time Setup Wizard is running (alternately, after first time setup you can change the EBIPA settings in the Enclosure Settings list), enable Device Bay EBIPA with a starting fixed IP address and enable Interconnect Bay EBIPA with a different starting IP address. The OA then creates 16 sequential IP addresses for the device bays and eight sequential IP addresses for the interconnect bays. Servers in the device bays will automatically get the Device Bay EBIPA addresses within a minute, but the interconnect switch modules must be manually restarted by clicking the Virtual Power button on each OA Interconnect Module Information screen.
5. Use the OA Device list to be sure that the server blade iLO addresses have been set according to the EBIPA starting IP address and range.
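The sequential assignment from step 4 and the subnet and duplication rules above can be checked on paper before the starting addresses are entered in the wizard. The following Python sketch is an added example, not HPE code: the function names and the 192.0.2.x sample addresses are constructed, the network/broadcast check is an added sanity check, and the reserved internal management ranges must be supplied by the caller.

```python
import ipaddress

DEVICE_BAYS = 16        # step 4: 16 sequential addresses for the device bays
INTERCONNECT_BAYS = 8   # step 4: eight sequential addresses for the interconnect bays


def bay_range(first_ip, count):
    """Map bay numbers 1..count to consecutive addresses; bay 1 gets first_ip."""
    start = ipaddress.IPv4Address(first_ip)
    return {bay: start + (bay - 1) for bay in range(1, count + 1)}


def plan_ebipa(device_start, interconnect_start, netmask, oa_addresses, reserved=()):
    """Return (plan, problems) for a pair of EBIPA starting addresses.

    plan maps "device" and "interconnect" to {bay number: address}.
    problems lists every address that breaks a rule stated in the guide:
    outside the common subnet, duplicated, or inside a caller-supplied
    reserved range. The network/broadcast check is an added sanity check.
    """
    subnet = ipaddress.IPv4Network(f"{device_start}/{netmask}", strict=False)
    reserved_nets = [ipaddress.IPv4Network(r) for r in reserved]
    plan = {
        "device": bay_range(device_start, DEVICE_BAYS),
        "interconnect": bay_range(interconnect_start, INTERCONNECT_BAYS),
    }
    owners = {}     # address -> label of the first interface that claimed it
    problems = []

    def claim(label, addr):
        if addr not in subnet:
            problems.append(f"{label} {addr} is outside {subnet}")
        elif addr in (subnet.network_address, subnet.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address")
        if any(addr in net for net in reserved_nets):
            problems.append(f"{label} {addr} is in a reserved range")
        if addr in owners:
            problems.append(f"{label} {addr} duplicates {owners[addr]}")
        else:
            owners[addr] = label

    # The OAs must fit into the same subnet as the bay addresses.
    for number, oa in enumerate(oa_addresses, start=1):
        claim(f"OA {number}", ipaddress.IPv4Address(oa))
    for kind in ("device", "interconnect"):
        for bay, addr in plan[kind].items():
            claim(f"{kind} bay {bay}", addr)
    return plan, problems


if __name__ == "__main__":
    # Constructed sample: the interconnect range starts inside the device range.
    plan, problems = plan_ebipa(
        "192.0.2.20", "192.0.2.30", "255.255.255.0", ["192.0.2.10", "192.0.2.11"]
    )
    for kind, bays in plan.items():
        print(kind, f"{bays[1]} .. {bays[max(bays)]}")
    for problem in problems:
        print("PROBLEM:", problem)
```
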

105

Device list

Column | Description
Bay | The bay in the enclosure of the device.
Enabled | Enables EBIPA settings for the device bay. EBIPA settings for all device bays can be enabled by selecting the check box next to Enabled in the heading row or individual device bays can be selected by clicking the check box for that particular device bay.
EBIPA Address | The static IP address you want to assign to the device bay.
Autofill | Assigns consecutive IP addresses for the selected device bays below in the device list. Click the autofill down arrow to assign the IP addresses.

106

Column | Description
Current Address | The current IP address of the device bay.
Device Type | The type of device installed in the device bay.

Knowing your network configuration before setting up EBIPA ensures an easy setup and enables you to install your OA on to your network quickly. Record the information requested in the boxes on the EBIPA screen, and verify before entering the data. Use only the possible values listed in the following table.

Interconnect list

Box | Possible value | Description
Subnet Mask | ###.###.###.### where ### ranges from 0 to 255 | Subnet mask for the device bays
Gateway | ###.###.###.### where ### ranges from 0 to 255 | Gateway address for the device bays
Domain | A character string with a maximum of 64 characters, including all alphanumeric characters and the dash (-) | Domain name for the device bays
DNS Server 1 | ###.###.###.### where ### ranges from 0 to 255 | The IP address for the primary DNS server
DNS Server 2 | ###.###.###.### where ### ranges from 0 to 255 | The IP address for the secondary DNS server
DNS Server 3 | ###.###.###.### where ### ranges from 0 to 255 | The IP address for the tertiary DNS server

SNMP Settings

The OA supports SNMP Version 1 and several groups from the standard MIB-II MIB. Additional information about the enclosure infrastructure is available in the HPE Rack Information MIB. CPQRACK-MIB, which is part of the Insight Management MIBs, is available on the Management CD in the Superdome Essentials Foundation Pack.

The SNMP Settings screen enables you to enter system information and community strings and designate the management stations that can receive SNMP traps from the OA. If you select Enable SNMP, then the OA responds to SNMP requests over UDP port 162. Port 162 is the standard UDP port used to send and receive SNMP messages.

System Information settings

In the System Information subcategory, information about the OA SNMP system can be enabled and configured.

107

The Enable SNMP check box is not selected by default. When enabled, the OA can be polled for status and basic information. The SNMP client can only clear SNMP alerts and status when the Write Community string is enabled. Clearing the Enable SNMP check box disables SNMP access to the OA.

108

Box | Possible value | Description
System Location | 0 to 20 characters including all alphanumeric characters, the dash (-), the underscore (_), and the space | The SNMP location of the enclosure, typically used to identify the physical or topographical location of the OA.
System Contact | 0 to 20 characters including all alphanumeric characters, the dash (-), the underscore (_), and the space | The name of the system contact, used to identify an individual or group of individuals who are to be contacted in the event of any status change in the OA.
Read Community | 0 to 20 characters including all alphanumeric characters, the dash (-), the underscore (_), and the space | The Read Community string enables the client to read information, but not to manipulate the alerts or status of the OA through SNMP. The default community name is "public" and enables a user to receive notification traps and alerts, but not to change or manipulate the status.
Write Community | 0 to 20 characters including all alphanumeric characters, the dash (-), the underscore (_), and the space | The Write Community string enables the client to manipulate alerts of OA status through SNMP. You can remotely clear alerts and mark them as "viewed" or otherwise through their SNMP management client through the SNMP agents. The default value for the Write Community string is blank.

Edit any of the fields in this subcategory, and to save the changes, click the Apply button.

SNMP Alert Destinations settings

In the SNMP Alert Destinations subcategory, the IP addresses and community strings for the SNMP management clients are configured so that any alert or trap from the OA is sent to the appropriate system with the community string.

Box | Possible value | Description
IP Address | ###.###.###.### where ### ranges from 0 to 255 | The management station IP address
Community String | 0 to 20 characters including all alphanumeric characters, the dash (-), the underscore (_), and the space | A text string that acts as a password. It is used to authenticate messages that are sent between HP SIM and OA.

Adding SNMP alert destinations

Procedure

1. Enter the IP address for management clients to which the traps are to be sent in the IP Address box.
2. Enter the appropriate community string in the Community String box directly under the IP Address box.
3. After the IP address and community string are entered, click the Add button.

A maximum of eight SNMP alert destinations can be added.

109

Removing SNMP alert destinations

Select the IP address from the list containing the trap destinations, and then click the Remove button.

Testing SNMP

To send a test SNMP trap to all the configured trap destinations, click the Send Test Alert button. SNMP must be enabled to use this function.

Configuration Scripts

Use configuration scripts to maintain settings and configuration information, particularly when setting up multiple enclosures and OA modules and eliminating the need to configure each enclosure manually.

Configuration scripts can be created and used with OA in the browser or through the CLI, executing them in the same manner as a shell script is executed in Linux or UNIX. You can run the script from a URL, USB drive, or Archive Storage.

Current configuration

To view a current configuration for the enclosure:

Procedure

1. Click the SHOW CONFIG link. The configuration opens in a new browser window.
2. To save the configuration as a text file, select either of the following options:
• If you use Microsoft Internet Explorer 7 or later, select Save As.
• If you use Mozilla Firefox 3.6 or later, select Save Page As.
• If you use Google Chrome 38 or later, select???

For security reasons, the retrieved current configuration does not contain any user passwords. You can manually edit the script to add the user passwords after the user name on the ADD USER lines. The enclosure Administrator account password cannot be added from the configuration script. Also, the retrieved current configuration does not contain any of the LCD settings (Lock Buttons, Enable PIN Protection, and PIN Code). These settings cannot be added from the configuration script.

Current enclosure inventory

To download a script of the current enclosure inventory, click the SHOW ALL link; the current enclosure inventory opens in a new browser window. To save the inventory as a text file, select either of the following options:
• If you are using Microsoft Internet Explorer 7.0 or later, select Save As.
• If you are using Mozilla Firefox 2 or later, select Save Page As.
• If you are using Google Chrome 38 or later, select???

NOTE: Saving the enclosure inventory does not save partitioning information.

The downloaded text file provides the same information as the CLI SHOW ALL command. The text file also displays the current configuration of the enclosure.

110

Device Summary

The FRU Summary section provides information on all FRUs within the enclosure. Information provided in this section can quickly aid the administrator in contacting Hewlett Packard Enterprise Support Center (HPESC) for troubleshooting, repairing, and ordering replacements.

The information is organized in tabular format and divided into subcategories within the Device Summary section:
• Enclosure
• OA
• Blade
• Blade mezzanine
• Interconnect
• XFM
• GPSM
• Fan

111

• Power supply
• Insight Display

Active to Standby

When a second OA is installed, the menu item Active to Standby appears under the Enclosure Settings tree menu item, and both OAs are visible in the tree menu and in the enclosure view under the Status tab.

If more than one OA is installed in the enclosure, you can manually change the active OA. This feature can be useful when troubleshooting the OA. To perform a transition:

Procedure

1. Click the Transition Active to Standby button to force the change. A confirmation screen appears, confirming the transition.
2. Close your browser if you are logged in to the active OA.
3. Click OK to proceed, or click Cancel to exit without a change.

If only one OA is installed in the enclosure, the Active to Standby menu item does not appear.

You can also perform a transition using the FORCE TAKEOVER command from the OA CLI.

The transition times from Standby to Active and Active to Standby vary, depending on the configuration, enclosure population, and various other factors. Removing the previously Active OA early in the transition process forces the transition time of the Standby to Active to increase.

Onboard Administrator Module

Active Onboard Administrator

The Active OA screen, under the Status and Information tab, has tables that provide detailed information about your OA.

112

Diagnostic information is gathered by polling a device microcontroller (resulting in a degraded status if a failure has occurred) or is sent by the device microcontroller, without being polled, to report a failure.

Active Onboard Administrator Status and Information tab

Status information

Item | Description
Status | The overall status of the enclosure. Possible values are Unknown, OK, Degraded, and Failed.
Role | Active or Standby.
Bay Number | The physical bay number where the OA is installed.

113

Item | Description
Temperature | The temperature of the enclosure in degrees Fahrenheit.
Caution Threshold | The temperature at which the enclosure reports a status of caution.
Critical Threshold | The temperature at which the enclosure reports a critical status and powers off.

Hardware information

Item | Description
Device Name | The common descriptive name of the OA.
Manufacturer | The name of the company that manufactured the OA.
Complex Firmware Version | The version of the complex firmware image in the OA.
Hardware Version | The version of the enclosure hardware.
Part Number | The part number to use when ordering an additional or replacement OA.
Serial Number | The serial number of the OA module.
Spare Part Number | The spare part number to use when ordering an additional or replacement OA.
UUID | The Universally Unique Identifier number of the OA.

Diagnostic information

Item | Description
Device Identification Data | This row displays information such as model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. A device identification data error appears if the data is not present or not readable by the OA. Possible values are OK or Error.
Enclosure ID | The number of the enclosure in the complex.
OA USB Cable | Status of the OA USB Cable.
Firmware Mismatch | The standby OA with the lowest firmware version displays Error when two OAs are present and the firmware does not match.
Device Indictment | Indicates if the device has been indicted by the Error Analysis Engine.

Active Onboard Administrator Virtual Buttons tab

To reset the OA:

114

Procedure

1. To reset the OA, click the Reset button.
2. A confirmation screen appears, asking if you are sure that you want to perform the action and that you will be signed out and disconnected from the OA.
3. Click OK to proceed, or click Cancel to exit without a change.

You can also click the Toggle On/Off button on this tab to change the OA module UID LED. This button is useful in identifying a particular OA when there is more than one in the enclosure.

115

TCP/IP Settings

This screen displays the current enclosure TCP/IP settings for the active OA. To change these settings, select Click here. For information on modifying the TCP/IP settings, see Certificate Administration on page 116.

116

Certificate Administration

Information tab

This screen displays the detailed information of the SSL certificate now in use by the OA. An SSL certificate is used to certify the identity of the OA and is required by the underlying HTTP server to establish a secure (encrypted) communications channel with the client web browser.

On initial startup, the OA generates a default self-signed SSL certificate valid for 10 years, and the certificate is issued to the name of the OA. Because this default certificate is self-signed, the Issued by box is also set to the same name.

Status information

Item | Description
Cert Common Name | The certificate subject common name.

Certificate information

117

Item | Description
Issued by | The certificate authority that issued the certificate.
Valid from | The date from which the certificate is valid.
Valid until | The date the certificate expires.
Serial Number | The serial number assigned to the certificate by the certifying authority.
Version | Version number of current certificate.
MD5 Fingerprint | A validation of authenticity embedded in the certificate.
SHA1 Fingerprint | A validation of authenticity embedded in the certificate.

Required Information

Item | Description
Country (C) | The two-character country code that identifies the country where the OA is located.
State or Province (ST) | The state or province where the OA is located.
City or Locality (L) | The city or locality where the OA is located.
Organization Name (O) | The company that owns this OA.

Optional data

Item | Description
Contact Person | The person responsible for the OA.
Address | The address of the person responsible for the OA.
Organizational Unit | The unit within the company or organization that owns the OA.
Surname | The surname of the person responsible for the OA.
Given Name | The given name of the person responsible for the OA.
Initials | The initials of the person responsible for the OA.
DN Qualifier | The distinguished name qualifier of the OA.

Certificate-signing request attributes

118

Item | Description
Unstructured Name | This is for additional information.

Certificate Request tab

The Certificate Request tab enables you to enter the information needed to generate a self-signed certificate or a standardized certificate-signing request to a certificate authority.


120

Required Information

Item | Possible values | Description
Country (C) | Must be one to two characters in length. Acceptable characters are all alphanumeric, a space, and the following punctuation marks: ' ( ) + , - . / : = ? | A valid country code that identifies the country where the Onboard Administrator is located.
State or Province (ST) | Must be 1 to 30 characters in length. | The state or province where the Onboard Administrator is located.
City or Locality (L) | Must be 1 to 50 characters in length. | The city or locality where the Onboard Administrator is located.
Organization Name (O) | Must be 1 to 60 characters in length. | The organization that owns this Onboard Administrator. When this information is used to generate a certificate-signing request, the certificate issuing authority can be sure that the organization requesting the certificate is legally entitled to claim ownership of the given company name or organization.
Common Name (CN) | Must be 1 to 60 characters in length. To prevent security alerts, the value of this box must match exactly the host name as it is known by the web browser. The web browser compares the host name in the resolved web address to the name that appears in the certificate. For example, if the web address in the address box is oa xyz.com, then the value must be oa xyz.com. | The Onboard Administrator name that appears in the browser web address box.

Select Standby OA Host Name to include a request for a Standby Onboard Administrator certificate. Enter the information in the Standby Common Name (CN) box, which must be 1 to 60 characters in length. This selection appears only if you have a Standby Onboard Administrator in the enclosure.

Optional Information

121

Item | Possible values | Description
Alternative Name | Must be 0 to 512 characters in length. | An alternate name for the Onboard Administrator. The field must either be empty or contain a list of keyword:value pairs separated by commas. The valid keyword:value entries include IP:<ip address> and DNS:<domain name>.
Contact Person | Must be 0 to 60 characters in length. | The person responsible for the Onboard Administrator.
Address | Must be 0 to 60 characters in length. | The address of the contact person responsible for the Onboard Administrator.
Organizational Unit | Must be 0 to 60 characters in length. | The unit within the company or organization that owns the Onboard Administrator.
Surname | Must be 0 to 60 characters in length. | The surname of the person responsible for the Onboard Administrator.
Given Name | Must be 0 to 60 characters in length. | The given name of the person responsible for the Onboard Administrator.
Initials | Must be 0 to 20 characters in length. | The initials of the person responsible for the Onboard Administrator.
DN Qualifier | Must be 0 to 60 characters in length. Acceptable characters are all alphanumeric, the space, and the following punctuation marks: ' ( ) + , - . / : = ? | The distinguished name qualifier of the Onboard Administrator.

Certificate-signing request attributes

Box | Possible values | Description
Challenge Password | Must be 0 to 30 characters in length | The password for the certificate-signing request
Confirm Password | Must be 0 to 30 characters in length | Confirm the Challenge Password
Unstructured Name | Must be 0 to 60 characters in length | This is for additional information (for example, an unstructured name that is assigned to the Onboard Administrator)

To generate a self-signed certificate or a standardized certificate-signing request, click the Apply button.

Standardized certificate-signing request
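Before a request is generated, the values for the Certificate Request tab can be checked against the limits in the tables above, in particular the exact Common Name match and the keyword:value syntax of Alternative Name. The following Python sketch is an added example, not HPE code: the function names, the DNS label pattern, the acceptance of any address that Python's ipaddress module parses, and the sample host oa1.example.com are assumptions, and the last check (a populated Alternative Name should list the browser host) is an added consistency check that the guide does not state.

```python
import ipaddress
import re

# (min, max) lengths copied from the Required and Optional Information tables.
LIMITS = {
    "Country (C)": (1, 2),
    "State or Province (ST)": (1, 30),
    "City or Locality (L)": (1, 50),
    "Organization Name (O)": (1, 60),
    "Common Name (CN)": (1, 60),
    "Alternative Name": (0, 512),
}
# Country (C): alphanumerics, space and the punctuation ' ( ) + , - . / : = ?
COUNTRY_CHARS = re.compile(r"[A-Za-z0-9 '()+,\-./:=?]*")
# Assumed DNS name shape (letters, digits, dash per label); not from the guide.
DNS_NAME = re.compile(
    r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)


def parse_alternative_name(value):
    """Split 'IP:<ip address>,DNS:<domain name>' into (entries, errors)."""
    entries, errors = [], []
    if value == "":
        return entries, errors          # an empty field is allowed
    for item in value.split(","):
        item = item.strip()
        keyword, _, data = item.partition(":")
        entry = None
        if keyword == "IP":
            try:
                entry = ("IP", str(ipaddress.ip_address(data)))
            except ValueError:
                pass
        elif keyword == "DNS" and DNS_NAME.fullmatch(data):
            entry = ("DNS", data.lower())
        if entry:
            entries.append(entry)
        else:
            errors.append(f"Alternative Name entry {item!r} is not a valid IP: or DNS: pair")
    return entries, errors


def host_entry(host):
    """Express the name typed in the browser as an Alternative Name entry."""
    try:
        return ("IP", str(ipaddress.ip_address(host)))
    except ValueError:
        return ("DNS", host.lower())


def check_request(fields, browser_host):
    """Return the problems found in the request values.

    fields maps box names to the text entered; browser_host is the host
    name or address that users type in the browser address box.
    """
    problems = []
    for name, (low, high) in LIMITS.items():
        length = len(fields.get(name, ""))
        if not low <= length <= high:
            problems.append(f"{name} must be {low} to {high} characters, got {length}")
    if not COUNTRY_CHARS.fullmatch(fields.get("Country (C)", "")):
        problems.append("Country (C) contains a character outside the allowed set")
    entries, errors = parse_alternative_name(fields.get("Alternative Name", ""))
    problems.extend(errors)
    common_name = fields.get("Common Name (CN)", "")
    if common_name != browser_host:
        problems.append(
            f"Common Name (CN) {common_name!r} does not exactly match browser host {browser_host!r}"
        )
    # Added consistency check, not stated in the guide.
    if entries and host_entry(browser_host) not in entries:
        problems.append(f"Alternative Name does not list browser host {browser_host!r}")
    return problems
```
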

This screen displays a standardized certificate signing request generated by the Onboard Administrator. The content of the request in the text box can be sent to a certificate authority of your choice for signing. Once signed and returned from the certificate authority, the certificate can be uploaded under the Certificate Upload tab.

If a static IP address is configured for Onboard Administrator when this certificate request is generated, the certificate request will be issued to the static IP address. Otherwise, it is issued to the dynamic DNS name of the Onboard Administrator. The certificate, by default, requests a valid duration of 10 years (this value is currently not configurable).

When submitting the request to the certificate authority, be sure to:
- Use the Onboard Administrator URL for the server.
- Request the certificate be generated in the RAW format.
- Include the Begin and End certificate lines.

Active Onboard Administrator Certificate Upload tab

Upload certificates for use in an Onboard Administrator in the following ways:
- Paste certificate contents into the text box and click the Upload button.
- Paste the URL of the certificate into the URL box and click the Apply button.

The certificate to be uploaded must be from a certificate request sent out and signed by a certificate authority for this particular Onboard Administrator. Otherwise, the certificate fails to match the private keys used to generate the certificate request, and the certificate is rejected.

Also, if the Onboard Administrator domain has been destroyed or re-imported, then you must repeat the steps for generating a certificate request. The certificate is re-signed by a certificate authority because the private keys are destroyed and recreated along with the Onboard Administrator domain.

If the new certificate is successfully accepted and installed by the Onboard Administrator, you are automatically signed out. The HTTP server must be restarted so that the new certificate takes effect.

System log

The System Log subcategory can be found within the Active OA category. The System Log displays logged information of events within the OA. Events are logged from the top of the list to the bottom, with the most recent logged event appearing at the top of the list. The system log can be scrolled using the scroll bar on the right of the log screen (if the log is larger than the display box). The log has a maximum capacity of KB and automatically deletes the oldest logged event first (FIFO). To clear the list of all logged events, click the Clear button on the lower-right of the screen under the system log display.

Standby Onboard Administrator

When a second OA is placed in the enclosure, it becomes the standby OA. The standby OA is normally placed in the available OA tray at the rear of the enclosure. By selecting the Active to Standby screen in the Enclosure Settings, you can force a transition within the OA user interface to make the active OA become the standby OA.

For an Active or Standby relationship, the two OA modules must have the same firmware version installed. If the firmware versions are not identical, the Insight Display and the main status screen of the OA identify this error and alert the user through SNMP if enabled.
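The Alternative Name format and the field length limits from the certificate request form can be checked before a request is generated on either Onboard Administrator, so that the signed certificate names the address administrators actually connect to. The following Python check is an added example, not HPE code; the function names, the hostname syntax rule, the strict handling of spaces and keyword case, and the sample values are assumptions constructed for illustration.

```python
import ipaddress
import re

ALT_NAME_MAX = 512  # guide: Alternative Name "Must be 0 to 512 characters in length"
# Maximum lengths copied from the guide's certificate request tables.
FIELD_MAX = {
    "Contact Person": 60, "Address": 60, "Organizational Unit": 60,
    "Surname": 60, "Given Name": 60, "Initials": 20, "DN Qualifier": 60,
    "Challenge Password": 30, "Confirm Password": 30, "Unstructured Name": 60,
}
# DN Qualifier: alphanumerics, space and ' ( ) + , - . / : = ? (from the guide).
DN_QUALIFIER_RE = re.compile(r"[A-Za-z0-9 '()+,\-./:=?]*")
# Assumption: DNS values follow the usual hostname label rule; the guide does not define it.
DNS_LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def parse_alt_names(value):
    """Parse an Alternative Name field into (entries, errors).

    entries holds ("IP", ip_address) and ("DNS", lowercased_name) tuples.
    """
    entries, errors = [], []
    if len(value) > ALT_NAME_MAX:
        errors.append("Alternative Name is longer than 512 characters")
    if not value:
        return entries, errors  # an empty field is allowed
    for item in value.split(","):
        # Split on the first colon only, so IPv6 literals keep their colons.
        keyword, sep, data = item.partition(":")
        if item != item.strip() or not sep or not data:
            errors.append(f"malformed entry {item!r}: expected keyword:value")
        elif keyword == "IP":
            try:
                entries.append(("IP", ipaddress.ip_address(data)))
            except ValueError:
                errors.append(f"invalid IP address {data!r}")
        elif keyword == "DNS":
            labels = data.split(".")
            if len(data) > 253 or not all(DNS_LABEL_RE.fullmatch(lab) for lab in labels):
                errors.append(f"invalid DNS name {data!r}")
            else:
                entries.append(("DNS", data.lower()))
        else:
            errors.append(f"unknown keyword {keyword!r}: only IP and DNS are valid")
    if len(set(entries)) != len(entries):
        errors.append("duplicate entries")
    return entries, errors


def check_request_fields(fields):
    """Return a list of problems for a dict of form-field name -> value."""
    problems = []
    for name, text in fields.items():
        if name == "Alternative Name":
            continue  # checked by parse_alt_names below
        limit = FIELD_MAX.get(name)
        if limit is None:
            problems.append(f"{name}: not a field this check knows")
        elif len(text) > limit:
            problems.append(f"{name}: {len(text)} characters, limit is {limit}")
    if not DN_QUALIFIER_RE.fullmatch(fields.get("DN Qualifier", "")):
        problems.append("DN Qualifier: contains a character outside the allowed set")
    if fields.get("Challenge Password", "") != fields.get("Confirm Password", ""):
        problems.append("Challenge Password and Confirm Password differ")
    problems.extend(parse_alt_names(fields.get("Alternative Name", ""))[1])
    return problems


def covers(entries, host):
    """True if host (IP literal or DNS name) appears in the parsed entries."""
    try:
        return ("IP", ipaddress.ip_address(host)) in entries
    except ValueError:
        return ("DNS", host.lower()) in entries


# Constructed sample input (documentation address ranges, not real OA values).
SAMPLE = {
    "Alternative Name": "IP:192.0.2.10,DNS:oa1.example.net,IP:2001:db8::10",
    "Contact Person": "Platform Operations",
    "DN Qualifier": "OA bay 1 (active)",
    "Challenge Password": "constructed-sample",
    "Confirm Password": "constructed-sample",
}

if __name__ == "__main__":
    print(check_request_fields(SAMPLE) or "request fields look valid")
    names, _ = parse_alt_names(SAMPLE["Alternative Name"])
    print("covers oa1.example.net:", covers(names, "oa1.example.net"))
```

Run `covers` against every host name and IP address that browsers and scripts use to reach the module; a name missing from the list produces a certificate warning even when the certificate itself is accepted.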

If using two OAs, each OA has a unique IP address. Refer to the Insight Display to get the IP addresses for the Active and Standby OAs and write them down. When looking at the enclosure from the rear, the bay on the left is bay 1, while the bay on the right is bay 2.

When the Active OA transitions to the Standby OA, the DNS host name and IP addresses remain the same. To connect to the new Active OA, you must completely close your browser and connect to the host name or IP address of the former Standby OA.

Status, Information, and Virtual Buttons tabs

The information under the Status, Information, and Virtual Buttons tabs is the same as it is for an active OA. For information on these tabs, see Active Onboard Administrator on page 111.

TCP/IP Settings for Standby Onboard Administrator

This screen displays the current TCP/IP settings for the Standby OA:
- IPv4 Information
- General Information

IPv4 Information

Parameter: Description
IP Address: The IPv4 address of the Standby OA, with indication of the type of IP address assigned (static or dynamic).
Subnet Mask: The subnet mask for the Standby OA. The mask determines to which subnet the Active OA IP address belongs.
Gateway: The gateway address for the Standby OA.

General Information

Parameter: Description
DNS Server 1: The IP address for the primary DNS server.
OA Name: The name of the OA. The default for this box is the DNS host name.
MAC Address: The OA MAC address.
NIC Settings: The NIC settings for the Active OA, such as auto negotiation, duplex mode, and speed.
Link Status: Indicates whether the NIC is actively connected to the network.

To modify the TCP/IP settings, select Click here.

Standby Onboard Administrator Virtual Buttons tab

The Virtual Buttons tab is the same as it is for an active OA. For information on this tab, see Active Onboard Administrator Virtual Buttons tab on page 113.

Standby Certificate Request tab

The standby Certificate Request tab is the same as it is for an active OA.

Standby Onboard Administrator Certificate Upload tab

The standby Certificate Upload tab is the same as it is for an active OA. For information on this tab, see Uploading a certificate on page 178.

System log for Standby Onboard Administrator

The System Log displays logged information of events within the OA. Events are logged from the top of the list to the bottom, with the most recent logged event appearing at the bottom of the list. If the list is longer than the display box, you can scroll using the scroll bar on the right side of the log screen. When the log reaches maximum capacity, it automatically deletes the oldest logged event first (first in, first out).

To clear the list of all logged events, click Clear Log (below the system log display).

Standby to Active

To force the Standby OA to Active, click Transition Standby to Active. A confirmation screen appears, asking if you are sure that you want to perform the action. To proceed, click OK. To exit without a change, click Cancel. This functionality is only available when you are signed into the Standby OA GUI. You can also force the Standby OA to Active by using the FORCE TAKEOVER CLI command.

The transition times from Standby to Active and Active to Standby vary, depending on the configuration, enclosure population, and various other factors. Removing the previously Active OA early in the transition process forces the transition time of the Standby to Active to increase.

Device Bays

Device Bay Summary

In the Systems and Devices menu, the Device Bays category lists all blades in the enclosure. Select Device Bays from the menu, and the device list appears with a grid showing the status of each blade in the enclosure. Use individual check boxes to select a specific blade. After selecting blades, select UID State from the drop-down to perform the appropriate action.

NOTE: c-Class blades also include options for Virtual Power, One Time Boot, and DVD. These options are not available for server blades.

Device List

Item: Description
Check boxes: Select bays by selecting the check boxes to which you want to apply the Virtual Power, UID State, One Time Boot, or DVD features.
Bay: The device bay within the enclosure.
Status: The overall status of the device. Possible values are Unknown, OK, Degraded, Failed, and Other.
UID: The status of the UID on the device. Possible values are On (blue), Off (gray) or Blink (flashing). When the UID light is flashing, a critical operation is being performed on the device and must not be interrupted.
Power State: The power state of the device. Possible values are On or Off.
iLO IP Address: The IP address of the iLO within the server blade. NOTE: Not applicable for Superdome 2 server blades or storage blades.
iLO Name: The DNS name of the iLO within the server blade. NOTE: Not applicable for Superdome 2 server blades or storage blades.
iLO DVD Status: The status of the DVD connection to the server blade. A status of Incompatible Firmware means the DVD feature is not supported with the iLO firmware installed on the device. NOTE: Not applicable for Superdome 2 server blades or storage blades.

Information on this page is current as of the last download. To view updated information, click the Refresh button.

UID State

The UID State drop-down is used to set the UID light on the blades. Turning on the UID light aids in locating a specific blade within an enclosure. The UID lights can be turned on or off one at a time or as groups, depending on the check boxes.

DVD

NOTE: This menu is not present for Superdome 2 server blades or storage blades.

For connecting the selected blades to the enclosure media, the DVD menu enables you to select one of the following:
- Enclosure DVD, if present
- One of the listed ISO files from an attached USB key
- None

The enclosure media can be connected to multiple blades at the same time. Various USB key ISO files can be attached to various servers at the same time. After the enclosure media is connected using the DVD menu, you can use the Virtual Power menu to reboot the selected server blades in the list.

Device Bay Information

Selecting a specific blade within the enclosure opens the Device Bay Information - xx screen, where xx is the bay selected. Information provided on this screen includes tabs for Status, Information, and Virtual Devices. The Server Management section of the page contains a link to Port Mapping Information to aid the management of the server blade in the device bay.

iLO

NOTE: This menu is not present for Superdome 2 or HPE Integrity Superdome X server blades.

Port Mapping Information

Information regarding port mapping for all devices in the device bay is available by clicking the Port Mapping Information link.

Status information

Item: Description
Status: The overall status of the blade. Possible values are Unknown, OK, Degraded, Failed, or Other with an informational icon. The informational icon with an Other status displays until the server blade is configured for Virtual Connect Manager. See the Diagnostic Information table for more information.
Powered: The power state of the blade. Possible values are On or Off.
Power Allocated: The amount of power allocated to the blade in watts.
Virtual Fan: The percentage of maximum RPM of the virtual fan.

Diagnostic Information

Diagnostic information is gathered by polling a device microcontroller (resulting in a degraded status if a failure has occurred) or is sent by the device microcontroller, without being polled, to report a failure.

Item: Description
Device Identification Data: Contains information on model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. Device identification data error displays if the data is not present or not readable by the OA.
Management Processor: Status of the iLO. Possible values are OK or Error.
I/O Configuration: Device bay configuration is incorrect. If a storage blade is partnered with a full height server blade, and the server blade does not have the correct mezzanine card, an invalid I/O configuration will result. Possible values are OK or I/O mismatch detected. See the EBIPA section for more information.
Device Operational: Device has failed; status was not requested by the OA. Possible values are OK or Error.
Device Degraded: Device has failed; status was requested by the OA. Possible values are OK or Error.
iLO Network: Detects an iLO network configuration problem. Possible values are OK or iLO network configuration problem, check connectivity to iLO default gateway. If the problem continues, then attempt to reset iLO using the OA CLI HPONCFG command to send a script command to reset iLO.
Device Informational: Device has an error. Possible values are OK or an Informational message. NOTE: Not applicable for c-Class server blades.
Firmware Mismatch: The currently configured partition firmware version does not match the currently configured complex firmware bundle version. Possible values are OK or Error. NOTE: Not applicable for c-Class server blades.
Deconfigured: Values are FAILED or OK. Failed means the blade, if part of an nPar, will not be used at next boot.
PDHC Processor: State of the PDHC management entity.
Device Indictment: Indicates if the device has been indicted by the Superdome Analysis Engine. Possible values are OK or Error with an informational message. NOTE: Not applicable for c-Class server blades.

CPU Status

Item: Description
Resource Path: The resource path for the processor socket.
Status: The overall status of the processor. Possible values are Unknown, OK, Degraded, or Failed.
FRU Read Status: The status of the FRU data for the processor. Possible values are Unknown, OK, Degraded or Failed.
Indictment Status: The indictment status of the processor. Possible values are OK or Error with an informational message.

DIMM Status: CPU Socket 0 or 1

Item: Description
Resource Path: The resource path for the DIMM socket.
Status: The overall status of the DIMM. Possible values are Unknown, OK, Degraded, or Failed.
FRU Read Status: The status of the FRU data for the DIMM. Possible values are Unknown, OK, Degraded or Failed.
Indictment Status: The indictment status of the DIMM. Possible values are OK or Error with an informational message.
Configuration Status: The configuration status of the DIMM is either DECONFIGURED or OK. A deconfigured DIMM will also cause a Critical Error Indictment Status.

Temperature Sensors

NOTE: The Temperature Sensors table only displays when the blade is powered on.

Item: Description
Sensor: The sensor number
Location: Location of sensor in the device
Status: This is the status of the temperature sensor. The status matches the graphic presentation of the temperature.
Temperature: Graphic presentation of temperature

Server Blade Information tab

Device Information

Row: Description
Blade Type: Server blade
Manufacturer: Name of the company that manufactured the server blade
Product Name: Common descriptive name for the server blade
Part Number: Part number used when ordering an additional or replacement server blade of this type
System Board Spare Part Number: Part number used when ordering an additional or replacement system board of this type
Serial Number: The static factory serial number for the server blade
Serial Number (Logical): A relocatable serial number assigned to the server blade
UUID: The universally unique identifier assigned to the server blade
Complex Firmware Version: Currently configured complex firmware version
Partition Firmware Version: Currently configured partition firmware version

Server NIC Information

Item: Description
Port: NIC 1: The MAC address of this NIC port.
Port: NIC 2: The MAC address of this NIC port.
Port: NIC 3: The MAC address of this NIC port.
Port: NIC 4: The MAC address of this NIC port.
Port: iLO: The MAC address of the iLO port for the blade in this enclosure slot.

Mezzanine Card Information

Item: Description
Mezzanine Slot: The physical slot in which the mezzanine card is located.
Mezzanine Device: The common or product name of the mezzanine device.
Mezzanine Device Port: The port assigned to the mezzanine device.
Device ID: The MAC address of the interconnect bay port.

CPU and memory information

Table 8: CPU Information

Item: Description
Resource path: The resource path to the processor socket
Part Number: Model of processor
Speed (MHz): Clock speed of the processor
Part Number: Processor part number used to order replacement processor of the same type
Serial Number: Factory serial number of the processor
Engineering Date Code: Manufacturing reference number

Table 9: DIMM Information: CPU Socket 0 or 1

Item: Description
Resource path: Path to DIMM socket
Part Number: DIMM module part number used to order additional or replacement module of the same type
Manufacturer: Name of the manufacturer of the DIMM module
Speed (MHz): Bus speed of the DIMM module
Size (MB): Memory capacity of DIMM module. The total capacity of all DIMM modules is listed at the bottom.

Device bay virtual buttons tab

UID Light

Clicking the Toggle On/Off button turns the UID light on the server blade on or off for identification of the selected server blade.

Interconnect Bays

In the Enclosure Information menu, the Interconnect Bays category lists all the interconnect devices within the selected enclosure within the complex. Selecting the interconnect bays menu item directly opens the interconnect device list with a grid that shows the status of each interconnect device within the enclosure, and the UID status, power state, tray type, management URL, and product name.

The check box in the first column on the top row toggles all check boxes on or off for all enclosure interconnect devices. This feature is useful if you want to toggle the UID state for all interconnect devices at the same time. Otherwise, the first column contains check boxes that can be used to select individual interconnects. After the appropriate interconnects are selected, the Virtual Power or UID state drop-down can be selected to perform the appropriate action.

Item: Description
Check box: Select the check boxes next to the bay or bays where you want to apply the Virtual Power and UID State features.
Bay: Bay in the enclosure of the corresponding interconnect device. This box displays only populated bays. Empty bays are not displayed in this table.
Status: Overall status of the interconnect device. Possible values are Unknown, OK, Degraded, and Failed.
UID: Status of the UID on the interconnect device. Possible values are On (blue) or Off (gray).
Power State: Power state of the interconnect device. Possible values are On or Off.
Module Type: Network interface type for the interconnect device installed in this bay. Possible values are Ethernet or fiber.
Management URL: Address where the interconnect device can be managed and configured for use in the network.
Product Name: Common descriptive name for the interconnect device.

Information on this page is current as of last download. To view updated information, click the Refresh button.

The Virtual Power menu enables you to turn an interconnect device on or off. Hewlett Packard Enterprise recommends that only one device be turned on or off at a time using this feature.

The UID State menu is used to set the UID LED on the interconnect device. Turning on the UID LED assists in locating a specific interconnect device within an enclosure. These LEDs can be turned on or off one at a time or as groups depending on the checkboxes.

Interconnect Bay Information

The Interconnect Bay Information screen displays information about the bays where switches and routers can be placed. Click the Port Mapping Information link to display port mapping information on the interconnect bay you have selected. The port mapping information can also be selected from the navigation tree.

Interconnect Bay Status tab

Status information

Item: Description
Status: The overall status of the interconnect device. Possible values are Unknown, OK, Degraded, and Failed.
Thermal Status: The thermal status of the interconnect device. Possible values are Unknown, OK, Degraded, and Failed.
Powered: The power state of the interconnect device. Possible values are On or Off.

Diagnostic Information

Row: Description
Device Identification Data: Contains information on model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. Device identification data error displays if the data is not present or not readable by the OA.
Management Processor: Management processor is not responding. Possible values are OK or Error.
Temperature: Temperature is above the warning threshold. Possible values are OK or Temperature Warning.
Overheat Check: Temperature is above the danger threshold. Possible values are OK or Critical temperature threshold reached.
Power Allocation Request: There is insufficient power to adequately power the interconnect. Possible values are OK or Insufficient enclosure power.
Device Operational: Device has failed; status was not requested by the OA. Possible values are OK or Error.
Device Degraded: Device has failed; status was requested by the OA. Possible values are OK or Error.

Interconnect Bay Information tab

Hardware Information

Item: Description
Product Name: The common descriptive name of the interconnect device.
Management IP Address: IP address of the interconnect management interface.
Management URL: Web address of the interconnect management interface.
User Assigned Name: A name assigned to the interconnect by the user. If supported, the name is assigned using the interconnect Management Interface.
Part Number: The part number to be used when ordering an additional interconnect device of this type.
Spare Part Number: The part number to be used when ordering a replacement interconnect device of this type.
Serial Number: The unique serial number of the interconnect device.
Type: The interface type of the interconnect device. Possible values are Ethernet or fiber.
Manufacturer: The name of the company that manufactured the interconnect device.
Temperature Sensor: Indicates whether or not the interconnect device has a temperature sensor.
Firmware Version: The firmware version of the interconnect module.

Connectivity information

Item: Description
JS2 Connector: This box displays the presence or absence of the JS2 connector.
Internal Ethernet Interface to OA: This box displays the presence or absence of an internal Ethernet interface to the OA.
Internal Ethernet Route to OA: This box displays the status of an internal Ethernet route to the OA. Possible values are Enabled or Disabled.
Internal Serial Interface to OA: This box displays the presence or absence of an internal serial interface to the OA.
Internal Serial Route to OA: This box displays the status of an internal serial route to the OA. Possible values are Enabled or Disabled.
Serial Port Baud Rate: This box displays the serial port baud rate. This only displays if an external serial port interface is present.
External Serial Port Interface: This box displays the presence or absence of an external serial port interface.
External Ethernet Interface: This box displays the presence or absence of an external Ethernet interface.

Interconnect Bay Virtual Buttons tab

Interconnect bay virtual buttons enable you to cycle power, reset, or toggle the UID on the device of your choice from the OA GUI.

Button: Description
Power Off: Clicking this button shuts the power off on the interconnect device.
Reset: Clicking this button forces the interconnect device to power off and then power up again, performing a reset.
Toggle On/Off: Clicking this button turns the UID on the interconnect device on (blue) or off (gray) for easy identification of the selected interconnect device.

Interconnect Bay Port Mapping

The Interconnect Bay Port Mapping screen provides a graphical view and a tabular view of the interconnect bay port mapping.

Graphical view

When you mouse over the port on the interconnect, the graphical view provides the same information that appears in the tabular view.

Tabular view

Item: Description
Interconnect Bay Port: The number of the interconnect bay port in order from 1 to 16
Port Status: Current status of the port
Device Bay: The device bay corresponding with the interconnect port mapping
Server Mezzanine Slot: The type of device placed into the mezzanine of the server blade
Server Mezzanine Port: The physical port of the mezzanine device
Device ID: The MAC address of the interconnect bay port

XFM Bays

In the Enclosure Information menu, the XFM Bays category lists the Xbar Fabric modules within the selected enclosure within the complex. Selecting the XFM Module bays menu item directly opens the XFM Module list with a grid that shows the status of each XFM Module within the enclosure and the UID status, Engineering Date Code, part number and product name.

NOTE: Some HPE Integrity Superdome X systems have XFM2 crossbar modules. This is displayed as SXFM by the Onboard Administrator.

The check box in the first column on the top row toggles all check boxes on or off for all XFMs. This feature is useful if you want to toggle the UID state for all XFMs at the same time. Otherwise, the first column contains checkboxes that can be used to select individual XFMs. After the appropriate interconnects are selected, the UID state drop-down can be selected to toggle the UID state.

Item: Description
Check box: Select the check box next to the bay or bays where you want to apply the UID State features.
Bay: Bay in the enclosure of the corresponding XFM. This box displays only populated bays. Empty bays are not displayed in this table.
Status: Overall status of the XFM. Possible values are Unknown, OK, Degraded, and Failed.
UID: Status of the UID on the XFM. Possible values are On (blue) or Off (gray).
Power State: Power state of the XFM. Possible values are On or Off.
Engineering Date Code: Manufacturing information about the XFM.
Part Number: Part number of the XFM used to order replacement parts of the same type.
Product Name: Common descriptive name for the XFM.

Information on this page is current as of last download. Click the Refresh button to view updated information.

UID State

The UID State menu is used to set the UID LED on the XFM. Turning on the UID LED assists in locating a specific XFM within an enclosure. These LEDs can be turned on or off one at a time or as groups depending on the checkboxes.

XFM Bay Information

The XFM Bay screen displays information about the bays where XFMs can be placed.

XFM Bay Status tab

Status information

Row: Description
Status: The overall status of the XFM. Possible values are Unknown, OK, Degraded, and Failed.
Inlet Thermal Status: The thermal status of the airflow coming into the XFM. Possible values are Unknown, OK, Degraded, and Failed.
Outlet Thermal Status: The thermal status of the airflow exiting the XFM. Possible values are Unknown, OK, Degraded, and Failed.
Powered: The power state of the XFM. Possible values are On or Off.

Diagnostic Information

Row: Description
Device Identification Data: Contains information on model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. Device identification data error displays if the data is not present or not readable by the OA.
Management Processor: Management processor is not responding. Possible values are OK or Error.
Temperature: Temperature is above the warning threshold. Possible values are OK or Temperature Warning.
Overheat Check: Temperature is above the danger threshold. Possible values are OK or Critical Temperature Threshold Reached.
Power Allocation Request: There is insufficient power to adequately power the XFM. Possible values are OK or Insufficient Enclosure Power.
Cooling: Temperature is above the warning threshold. Possible values are OK or Temperature Warning.
Device Operational: Device has failed; status was not requested by the OA. Possible values are OK or Error.

XFM Link Status

Column: Description
Port Number: Indicates the port on the XFM module.
Status: Current status of link to connected device. Possible values are OK, Error, Dormant, or Unknown.

XFM Bay Information tab

Device Information

Item: Description
Product Name: The common descriptive name of the XFM.
Part Number: The part number to be used when ordering an additional XFM of this type.
Spare Part Number: The part number to be used when ordering a replacement XFM of this type.
Serial Number: The unique serial number of the XFM.
Engineering Date Code: Manufacturing information about the XFM.
Manufacturer: The name of the company that manufactured the XFM.
Complex Firmware Version: Currently configured firmware version on the XFM.

XFM Bay Virtual Buttons

XFM virtual buttons enable you to toggle the UID on the XFM of your choice from the OA GUI. Click the Toggle On/Off button to turn UID on the XFM on (blue) or off (gray) for easy identification of the selected XFM.

GPSM Bays

In the Enclosure Information menu, the GPSM Bays category lists the Global Partition Services modules within the selected enclosure within the complex. Selecting the GPSM bays menu item directly opens the GPSM list with a grid that shows the status of each GPSM within the enclosure and the UID status, Engineering Date Code, part number, and product name.

The checkbox in the first column on the top row toggles all checkboxes on or off for all GPSMs. This feature is useful if you want to toggle the UID state for all GPSMs at the same time. Otherwise, the first column contains checkboxes that can be used to select individual GPSMs. After the appropriate interconnects are selected, the UID state drop-down can be selected to toggle the UID state.

Item: Description
Check box: Click the check box next to the bay or bays where you want to apply the UID State features.
Bay: Bay in the enclosure of the corresponding GPSM. This box displays only populated bays. Empty bays are not displayed in this table.
Status: Overall status of the GPSM. Possible values are Unknown, OK, Degraded, and Failed.
UID: Status of the UID on the GPSM. Possible values are On (blue) or Off (gray).
Engineering Date Code: Manufacturing information about the GPSM.
Part Number: Part number of the GPSM used to order replacement parts of the same type.
Product Name: Common descriptive name for the GPSM.

Information on this page is current as of the last download. Click the Refresh button to view updated information.

UID State

The UID State menu is used to set the UID LED on the GPSM. Turning on the UID LED assists in locating a specific GPSM within an enclosure. These LEDs can be turned on or off one at a time or as groups depending on the checkboxes.

GPSM Bay Information

The GPSM Bay Information screen displays information about the bays where GPSMs can be placed.

GPSM Status tab

Status information

Item: Description
Status: The overall status of the GPSM. Possible values are Unknown, OK, Degraded, and Failed.
Thermal Status: The thermal status of the GPSM. Possible values are Unknown, OK, and Critical.

Diagnostic Information

Item: Description
Device Identification Data: Contains information on model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. Device identification data error appears if the data is not present or not readable by the OA.
Management Processor: Management processor is not responding. Possible values are OK or Error.
Temperature: Temperature is above the warning threshold. Possible values are OK or Temperature Warning.
Firmware Mismatch: The GPSM with a firmware version that does not match the installed Complex firmware will display FAILED in this field.
Device Indictment: Indicates if the device has been indicted by the Superdome Analysis Engine. Possible values are OK or Error with an informational message. NOTE: Not applicable for c-Class server blades.

GPSM Bay Information tab

Device information

Item: Description
Product Name: The common descriptive name of the GPSM.
Part Number: The part number to be used when ordering an additional GPSM of this type.
Spare Part Number: The part number to be used when ordering a replacement GPSM of this type.
Serial Number: The unique serial number of the GPSM.
Engineering Date Code: Manufacturing information about the GPSM.
Manufacturer: The name of the company that manufactured the GPSM.
Complex Firmware Version: Currently configured firmware version on the GPSM.

GPSM Virtual Buttons

GPSM virtual buttons enable you to toggle the UID on the GPSM of your choice from the OA GUI. Click the Toggle On/Off button to turn UID on the GPSM on (blue) or off (gray) for easy identification of the selected GPSM.

Enclosure power management

The compute enclosures each contain twelve power supplies (six upper and six lower), which are monitored directly by OA. At least one upper and one lower power supply must be installed at all times. OA is responsible for calculating the redundancy status, total available power, and total power consumed. This information is displayed to the user and is used to manage power resources.

The OA power subsystem displays include status and information for each power supply, and the power enclosure itself. Also included in the power fault realm is control of the electronic fuses between the power backplane and the server or switch bays. The OA will alert on fuse trips to enable you to reset fuses manually.

Power and Thermal

150

Enclosure Ambient Temperature: This box displays the highest ambient temperature being reported by the installed blade devices. If no blade devices are installed, then this box displays the temperature of the OA module as an approximation of the ambient temperature.
Thermal Subsystem Status: The overall thermal status of the enclosure. Possible values are Unknown, OK, Degraded, or Critical Error.
Power Subsystem Status: The overall power status of the enclosure. Possible values are Unknown, OK, Degraded, or Critical Error.
Power Mode: A user setting to configure the enclosure DC power capacity and the input power redundancy mode of the enclosure. See Power Management for possible values.
Present Power: The amount of watts being consumed by all devices in the enclosure.
Power Limit: The maximum amount of power available for consumption by the enclosure measured in watts.

151

NOTE: The Power Limit is dependent on the enclosure power redundancy setting and the number and location of the power supplies in the enclosure. If a Static Power Limit has been specified, the Power Limit displays that limit.

Power Management

To set the power management options in OA, go to the menu on the left and select the enclosure to be managed, and then click Power and Thermal. The Power Management page appears below.

Click Power Management to display the following choices:
- AC Redundant
- Power Supply Redundant
- Not Redundant

Beneath the main power management choices is the Dynamic Power Savings mode check box, which enables Dynamic Power Savings Mode.

The AC Input VA Limit box enables you to set a VA limit for the enclosure. After this limit is met by the enclosure, it will not allow any additional blades, power supplies, fans, or switches to power on. If a value is entered into the VA Limit box that is lower than the VA currently used by the enclosure, the enclosure does not power off any devices within the enclosure. However, if a device is powered off, it cannot power on because of the VA limit rule set in the OA power management settings.

IMPORTANT: If redundancy mode is set to Redundant, AC Redundant, or Power Supply Redundant, and power redundancy is lost, then you must either add additional power supplies or change the redundancy mode setting in the OA to restore Power Subsystem status. See the Insight Display for corrective steps.

IMPORTANT: To change the power redundancy mode, you must disable EDPC. After changing the power redundancy mode, reset EDPC based on the new ranges.

The enclosure power management system enables you to customize the configuration of the enclosure. You can select from the different modes on the OA Power Management screen. The power modes are explained in the following table.

152

Mode: Redundant
Insight Display name: Redundant
Description: For DC power supplies only. In this configuration, N upper and N lower power supplies are used to provide power and N upper and N lower power supplies are used to provide redundancy (where N can equal 1, 2, or 3). Up to three upper and three lower power supplies can fail without causing the enclosure to fail. When correctly wired with redundant DC line feeds, this configuration also ensures that a DC line feed failure does not cause the enclosure to power off.

Mode: AC Redundant
Insight Display name: AC Redundant
Description: For ac power supplies only. In this configuration, N upper and N lower power supplies are used to provide power and N upper and N lower power supplies are used to provide redundancy (where N can equal 1, 2, or 3). Up to three upper and three lower power supplies can fail without causing the enclosure to fail. When correctly wired with redundant ac line feeds, this configuration also ensures that an ac line feed failure does not cause the enclosure to power off.

Mode: Power Supply Redundant
Insight Display name: Power Supply
Description: Up to six upper and six lower power supplies can be installed with one upper and one lower power supply always reserved to provide redundancy. In the event of a single upper or lower power supply failure, the redundant power supply in the same section (upper or lower) takes over the load. A line feed failure of more than one power supply in a section causes the system to power off.

Mode: Not Redundant
Insight Display name: None
Description: There is no power redundancy and no power redundancy warnings are given. If all power supplies are needed to supply Present Power, then any power supply or line failure may cause the enclosure to brown-out.

Mode: Dynamic Power
Insight Display name: Dynamic Power
Description: If enabled, Dynamic Power automatically places unused power supplies in standby mode to increase enclosure power supply efficiency, thereby minimizing enclosure power consumption during lower power demand. Increased power demands automatically return standby power supplies to full performance. This mode is not supported for low voltage on the enclosure.

Mode: Power Limit
Insight Display name: Power Limit
Description: An optional setting to limit power. Whenever you attempt to power on a device, the total power demands of the new device and of the devices already on are compared against this Static Power Limit. If the total power demands exceed the limit, the new device is prevented from powering on.

Dynamic Power

The default setting is Enabled. The following selections are valid:
- Enabled: Some power supplies can be automatically placed on standby to increase overall enclosure power subsystem efficiency.
- Disabled: All power supplies share the load. The power subsystem efficiency varies based on load.

Dynamic Power is not supported for low voltage on the enclosure.

153

Enclosure Power Allocation

To set the power management options in OA, go to the menu on the left and select the enclosure to be managed, and then click Power and Thermal. The Enclosure Power Allocation page appears.

Click Enclosure Power Allocation to display the following information:

Subsystem Status: The overall power status of the enclosure. Possible values are Unknown, OK, Degraded, and Failed.
Power Allocated: The amount of power consumed by the devices in the enclosure in watts.
Power Available: The amount of power currently available for all unpowered devices in the enclosure measured in watts.
Power Capacity: The amount of power possible for all the devices in the enclosure measured in watts.

The Power Allocation screen displays basic information regarding the total capacity of the power subsystem, redundant capacity, and the allocated power in watts. The Enclosure Internal Power graph displays the watts that are allocated in green against a gray background, which represents the total redundant capacity of the power supplies.

If you change the enclosure redundancy mode after power is allocated to the devices, then the power subsystem might become degraded. Power is still allocated to the devices, but redundancy might not function properly. If zero watts are available and the power graph displays degraded, check your power subsystem and redundancy configurations. You can resolve the degraded condition by changing your redundancy mode or by adding more power supplies to the enclosure.

154

Power Capacity will equal Power Allocated in the case where redundancy is lost.

To refresh this display, click the Refresh button beneath the table on the right side of the page.

155

Enclosure Power Summary

156

Enclosure Input Power Summary

Present Power: Input watts to the enclosure.
Max Input Power: Highest expected input watts. For Integrity Superdome X, this is the maximum input power for the enclosure to operate at maximum DC output capacity.
Enclosure Dynamic Power Cap: N/A for HPE Integrity Superdome X.
Power Limit: An optional setting to limit power. Whenever you attempt to power on a device, the total power demands of the new device and of the devices already on are compared against this Static Power Limit. If the total power demands exceed the limit, the new device is prevented from powering on.

Enclosure Output Power Summary

Present Capacity: Watts possible for all devices in the enclosure.
Power Allocated: Watts consumed by all devices in the enclosure.
Power Available: Watts currently available to all devices in the enclosure.

Enclosure Bay Output Power Allocation

Device Bays: Watts allocated for all device bays.
Interconnect Bays: Watts allocated for all interconnect bays.
XFM: Watts allocated for all XFM bays.
Fans: Watts allocated for all fans.

Bay Power Summaries

A separate table is displayed for these types of bays:
- device
- interconnect
- XFM

Each type of bay is listed by bay number. The name of the component in each bay and the power allocated to it is displayed.

Fan Power Summary

157

Fan power is allocated based on a fan-rule. Fan-rule is determined according to the enclosure type and occupied device bays. Both the power allocation for the fans and the total Present Power consumption of all the fans are listed.

Enclosure Power Meter

The Enclosure Power Meter screen displays peak power use, average power use, and allocated power available in a graph, which enables fast and easy interpretation of the power situation for the enclosure. The power meter is useful for showing trends in power consumption and can assist in troubleshooting the power subsystem. The power information is available in either graphical or tabular form.

Graphical View tab

This screen enables you to see a graphical view of the power readings for the enclosure.

158

To toggle between Watts, Btu/hr, and Amps, click Show Values.

159

The Line Voltage value is used to provide conversion to Amps. The default value is based on the power supply hardware model, not the actual line voltage. Select the actual line voltage for the enclosure for a more accurate Amps conversion.

To view updated power meter information, click Refresh Page.

Average Power data graph: This graph displays the power usage of the enclosure over the previous 24 hours. The OA collects power usage and Enclosure Dynamic Power Cap information from the enclosure every 5 minutes. For each 5 minute time period, the peak and average power usage and the cap for that time period are stored in a circular buffer. These values appear in the form of a bar graph, with the average value in blue, the peak value in red, and the cap value in black. This data is reset when the enclosure is reset. You can choose what appears on the bar graph by selecting or clearing the Average, Cap, Derated, Rated, and Min check boxes.

Present Power: This value represents the number of watts being consumed by all devices in the enclosure.

Most Recent Power Meter Reading: This value represents the most recent power reading from the enclosure.

Peak Power data graph: This graph displays the peak power usage and the Enclosure Dynamic Power Cap over the previous 24 hours. The label Peak Power becomes Peak Power (Side A + Side B) when N+N redundant power is in place, indicating that the peak is divided across two circuits. Also, two graphs appear: one for Side A and one for Side B. The power distribution between Side A and Side B is estimated from the number of active power supplies on each side. If redundancy is lost, the lost side displays peak power of zero.

Enclosure Dynamic Power Cap: This value represents the most recent Enclosure Dynamic Power Cap reading from the enclosure.

Average Power Reading: This value represents the average of the power readings from the enclosure over the last 24-hour period. If the enclosure has not been running for 24 hours, then the value is the average of all the readings since the enclosure was powered up.

Peak Power Reading: This value represents the peak power readings from the enclosure over the last 24-hour period. If the enclosure has not been running for 24 hours, then the value is the maximum of all the readings since the enclosure was powered up or the OA was reset. The label Peak Power Reading becomes Peak Power Reading (Side A + Side B) when N+N redundant power is in place, indicating that the peak is divided across two circuits.

Minimum Power Reading: This value represents the minimum power readings from the enclosure over the last 24-hour period. If the enclosure has not been running for 24 hours, then the value is the minimum of all the readings since the enclosure was powered up.

Table View tab

This screen enables you to view the power readings for the enclosure in a table format.

160

Enclosure Power Summary

Samples: Number of samples taken.
Average (Watts, Btu/hr, or Amps): This value shows the average of the power readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24 hour period. If the enclosure has not been running for 24 hours, the value is the average of all the readings since the enclosure was powered up.

161

Minimum (Watts, Btu/hr, or Amps): This value shows the minimum power readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24 hour period. If the enclosure has not been running for 24 hours, the value is the minimum of all the readings since the enclosure was powered up.
Maximum (Watts, Btu/hr, or Amps) (Side A + Side B): This value shows the maximum power readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24 hour period. If the enclosure has not been running for 24 hours, the value is the maximum of all the readings since the enclosure was powered up.
Present Power: This value shows the power being consumed by all devices in the enclosure.

Enclosure Power Detail

The Enclosure Power Detail table provides detailed information for each five minute sample period. Click Date in the table heading to arrange the order of the detailed enclosure power information from present date to oldest date or oldest date to present date.

Date: Date the power reading sample was taken.
Time: Time the power reading sample was taken.
Peak (Watts, Btu/hr, or Amps) (Side A + Side B): This value shows the maximum power readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24 hour period. If the enclosure has not been running for 24 hours, the value is the maximum of all the readings since the enclosure was powered up.
Min (Watts, Btu/hr, or Amps): This value shows the minimum power readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24 hour period. If the enclosure has not been running for 24 hours, the value is the minimum of all the readings since the enclosure was powered up.
Average (Watts, Btu/hr, or Amps): This value shows the average of the power readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24 hour period. If the enclosure has not been running for 24 hours, the value is the average of all the readings since the enclosure was powered up.
Cap (Watts, Btu/hr, or Amps): This value shows the maximum dynamic power cap readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24 hour period. If the enclosure has not been running for 24 hours, the value is the maximum of all the readings since the enclosure was powered up.

162

Derated (Watts, Btu/hr, or Amps): This value shows the derated power readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24 hour period. If the enclosure has not been running for 24 hours, the value is the maximum of all the readings since the enclosure was powered up.
Rated (Watts, Btu/hr, or Amps): This value shows the rated power readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24 hour period. If the enclosure has not been running for 24 hours, the value is the maximum of all the readings since the enclosure was powered up.

Power Subsystem

Power supplies available for use in compute enclosures

All power supplies in one enclosure must have the same part number. The OA identifies which power supplies must be replaced by displaying a caution icon.

Power Supply summary

The Power Subsystem screen provides status on the power subsystem, on each individual power supply, and fault conditions. This screen provides status on the power subsystem and on each individual power supply.

Power Subsystem information

163

Power Subsystem Status: The status of the power subsystem. Possible values are Unknown, OK, Degraded, or Critical Error.
Power Mode: A user setting to configure the enclosure DC power capacity and the input power redundancy mode of the enclosure. Possible values are Redundant, AC Redundant, Power Supply Redundant, Not Redundant, or Unknown.
Redundancy State: Indicates the redundancy status of the power subsystem. Possible values are Redundant, Not Redundant, or Redundancy Lost.

Power supply status

Bay: The bay in the enclosure of the corresponding power supply. This box displays only populated bays. Empty bays do not appear in this table.
Model: The power supply model name.
Status: The overall status of the power supply. Possible values are Unknown, OK, Degraded, and Critical Error.
Input Status: The input status of the power supply. Possible values are Unknown, OK, Degraded, and Critical Error.
Present Output (Watts): This value is a measure of the present output of the power supply in watts.
Output Capacity (Watts): The amount of power provided by the power supply displayed in watts. This is a measure of the output in DC watts generated by the power supply.

Click Refresh to update the power subsystem information.

Power Supply Information

Selecting a specific power supply opens the Power Supply Information-Bay x screen, where x is the bay of the selected power supply. This screen provides status information on the selected power supply.

164

Status information

Status: The overall status of the power supply. Possible values are Unknown, OK, Degraded, and Critical Error.
Input Status: The input status of the power supply. Possible values are Unknown, OK, Degraded, and Critical Error.
Present Output: The amount of power provided by the power supply displayed in watts.
Output Capacity: The maximum amount of power that can be provided by the power supply displayed in watts.
Model: The power supply model name.
Serial Number: The unique serial number of the power supply.
Part Number: The part number to be used when ordering an additional or replacement power supply of this type.
Spare Part Number: The spare part number to be used when ordering an additional or replacement power supply.

Diagnostic Information

Diagnostic information is gathered by polling a device microcontroller (resulting in a degraded status if a failure has occurred) or is sent by the device microcontroller, without being polled to report a failure.

165

Device Identification Data: The device identification data is information such as model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. A device identification data error appears if the data is not present or not readable by the OA. Possible values are OK or Error.
Device Operational: Device has failed; status was not requested by the OA. Possible values are OK and Error.
Power Cord: Input power status. Possible values are OK and Error.
Device Indictment: Indicates if the power supply has been indicted by the Superdome Analysis Engine.

Click the Refresh button to update the power supply information.

Fans and cooling management

OA monitors up to 15 fans in the enclosure and adjusts fan speeds as necessary, based on thermal and power measurements.

Thermal Subsystem

The speed of individual fans can be adjusted to reduce noise and power consumption, and to compensate for airflow differences within the enclosure. The performance of each fan is monitored, and OA reports any failures or warnings to the system log and HP SIM (when SNMP is enabled).

166

Fan Summary

This screen provides status on the thermal subsystem and each individual fan.

Fan subsystem status

167

Thermal Subsystem Status: Indicates the overall status of the fan subsystem. Possible values are Unknown, OK, Degraded, or Critical Error.
Redundancy: Indicates the redundancy status of the fans. Possible values are Redundant or Not Redundant.
Fan Location Rule: The fan location rule indicates the proper location of the fans and the device bays that are supported.

Fan status

Fan: The bay in the enclosure of the corresponding fan.
Model: The fan model name.
Status: The overall status of the fan. Possible values are Unknown, OK, Degraded, Failed, and Absent.
Fan Speed: Fan speed as a percentage of maximum RPM.

When a fan module fails, the remaining fans automatically compensate by adjusting fan speeds.

You can view the status of each fan by selecting the fan bay either through the tree navigation or the graphical navigation view. The Fan Information screen provides information about the overall status, the name, the amount of power consumed in watts, the spare part number, and the serial number. The Fan Information screen also includes diagnostic information such as internal data errors, location errors, device failures, and device degradation. Fan speeds appear in RPMs.

To update information on this page, click the Refresh button.

Thermal Subsystem Fan Zones tab

Fan zones monitor the bay cooling efficiency and the status of the bays the fans are configured to cool. The zone speeds reported are targeted speeds. These values change with time as the fans speed and slow in response to cooling needs of the zone. The Fan Zones tab does not dynamically update. To update information on this tab, click the Refresh button.

168

Fan speeds appear in percentage of total capacity, and fans operating in a zone without any blades run at a minimum RPM of 30% to maintain proper cooling in the entire enclosure.

169

Thermal Zone: The six cooling zones in the enclosure: upper left, upper right, middle left, middle right, lower left, and lower right.
Zone Speed: The computed fan speed required based on the highest device need in the zone.
Device Bays: The number of the device bays in a particular thermal zone.
Fan Bay: The fan bay number. Fans in bays 3, 8, and 13 are shared between thermal zones.
Fan Status: The overall status of each fan. Possible values are Unknown, OK, Degraded, Failed, and Absent.
Fan Speed: The fan speed is displayed as a percentage of maximum RPM.

Enclosure fan location rules

The enclosure ships with 15 HPE Active Cool fans. All 15 fans are required for optimum cooling of all device bays, GPSM bays, XFM bays and interconnect bay components.

15 Fan Rule

All fan bays are used to support the maximum configuration of eight server blades, eight interconnect modules, two OA modules, two GPSMs, and four XFMs.

Fan Information

Selecting a specific fan opens the Fan Information - Bay x screen, where x is the bay of the selected fan. This screen provides status information on the selected fan.

170

Selecting a specific power supply opens the Power Supply Information Bay x screen, where x is the bay of the selected power supply. This screen provides status information on the selected power supply.

Status information

Status: The overall status of the fan. Possible values are Unknown, OK, Degraded, and Failed.
Name: The product name of the fan.
Present Power: The amount of power consumed by the fan displayed in watts.
Part Number: The part number to be used when ordering an additional fan of this type.
Spare Part Number: The spare part number to be used when ordering a replacement fan of this type.
Serial Number: The unique serial number of the fan.

Diagnostic Information

Diagnostic information is gathered by polling a device microcontroller (resulting in a degraded status if a failure has occurred) or is sent by the device microcontroller, without being polled to report a failure.

171

Device Identification Data: The device identification data checked is information such as model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. A device identification data error appears if the data is not present or not readable by the OA. Possible values are OK or Error.
Device Location: Incorrect power supply location. Possible values are OK or Incorrect location for proper device cooling.
Device Operational: Device has failed; status was not requested by the OA. Possible values are OK and Error.
Device Degraded: Device has failed; status was requested by the OA. Possible values are OK and Error.
Fan Presence: Presence of a fan module. Possible values are OK and Not Present.
Device Indictment: Indicates if the fan has been indicted by the Superdome Analysis Engine.

To update the fan information, click the Refresh button.

For proper installation of the fans into the enclosure, see the service guide for your system.

Managing users

This section explains the levels of user rights recognized by the OA and provides detailed procedures to configure the management functionality provided by the OA.

Users/Authentication

The Users/Authentication menu item cannot be selected and does not display overview information for user accounts or settings. Instead, select any of the sublevel menu items for specific settings.

User roles and privilege levels

Within the Users/Authentication category of OA, you can access the Local Users subcategory. In this subcategory, you can create the user accounts that individuals use to log in to the OA. Each account has a username, a password, and typically, contact information.

Users can have one of the following privilege levels:
- Administrator: Allows access to all aspects of the OA including configuration, firmware updates, user management, and resetting default settings.
- Operator: Allows access to all but configuration changes and user management. This account is ideal for individuals who are required to periodically change configuration settings.
- User: Allows access to all information, but no changes can be made within OA. This account is for individuals who must see the configuration of the OA but do not require the ability to change settings.

The privilege level approach of OA to user permissions enables the maintenance of server blade bays. This approach operates according to the following principles:

172

- Users are assigned privilege levels in User Management.
- A user can have access to any combination of device bays, interconnect bays, and OA bays.
- Access to a server blade by a user depends on the privilege level assigned to the user account.

If you select a user with Administrator or OA permission, the page grays out and disables access to the blade and interconnect permissions and selects them all.

In cases where HP SIM is used, OA can integrate with HP SIM and use HP SIM users to enable a single login from HP SIM into OA. For more information, see HPE SSO Integration on page 186.

Role-based user accounts

Role-based user accounts on OA serve to control the functions to which a user has access on the OA. There are two major aspects to the role-based user accounts on OA: bay permissions and a user privilege level.

Bay permissions determine which bays the user is allowed to access. Bay permissions are selected during user account creation and allow access to specific device bays, interconnect bays, or OA bays.

The privilege level determines which administrative functions the user is allowed to perform. A user's privilege level can be Administrator, Operator, or User.

A user with an Administrator privilege level and with permissions to the OA bays in the enclosure is automatically given full access to all bays and can perform any function on the enclosure or bays including managing user accounts and configuring the enclosure. An Operator with permissions to only the OA bays can configure the enclosure, but the Operator can neither manage users or any security settings nor access any other bays. A User with permission to the OA bays can view only configuration settings, but the User cannot change the settings. The user accounts can be created with multiple bay permissions, but the same privilege level, across those bays.

User accounts configured to permit access to device bays can be created for server administrators. If the user logs into the OA, the user is given information on the permitted server bays. If the user selects the iLO from the OA web GUI, the user is automatically logged into that iLO using a temporary user account with their privilege level. iLO users with administrator privilege level have complete control including modifying user accounts. Operators have full control over the server power and consoles. Users have minimum read-only access to server information. Using this single sign-on feature greatly simplifies managing multiple servers from the OA web GUI.

Permissions for interconnect modules are slightly different. Autologin is not supported for interconnect modules, and all user levels have access to the Management Console link for interconnect bays to which they have permission. Administrators and operators can use the virtual buttons from OA to control power and the UID light on the interconnect module. Users can view only status and information about the interconnect module.

Examples

The following are examples of management scenarios and the user accounts that can be created to provide the appropriate level of security.

Scenario 1: A member of an organization must have full access to the servers in bays 1-8 to view logs, control power, and use the remote console. The user does not have clearance to manage any settings on OA. The user account with this security level has an Administrator access level and permission to server bays 1-8. Thus, the user does not have permission to OA bays or any interconnect bay.

Scenario 2: A member of an organization must manage ports on two interconnect modules in bays 3 and 4. This person must know which ports on the switch map to certain servers, but this person must not be able to manage any of the servers. The user account with this security level has a User access level, permission to all server bays, and permission to interconnect bays 3 and 4. However, this user is not able to control the power or UID LED for the interconnect modules or blades. To control the power or UID to the interconnect modules, the user privilege has to be Operator. To restrict this user from performing server operations such as power control or consoles, the account is restricted to just bay permissions for interconnect bays 3 and
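The role-based model described above (privilege level combined with bay permissions), written out as an added example that is not HPE code and not part of the original guide. The Account record and the capability labels are hypothetical; where the guide's privilege-level list and its role-based section differ on what an Operator can configure, the code follows the role-based section.

```python
from dataclasses import dataclass

# Bay counts follow the page's maximum configuration (eight server blades,
# eight interconnect modules). Capability names are hypothetical labels.
ALL_DEVICE_BAYS = frozenset(range(1, 9))
ALL_INTERCONNECT_BAYS = frozenset(range(1, 9))
LEVELS = ("User", "Operator", "Administrator")  # ascending privilege


@dataclass(frozen=True)
class Account:
    """Hypothetical record of one OA local user (not an OA export format)."""
    name: str
    level: str
    oa_bays: bool = False
    device_bays: frozenset = frozenset()
    interconnect_bays: frozenset = frozenset()


def effective_bays(acct):
    """Bay sets after the rule that Administrator + OA bays implies all bays."""
    if acct.level == "Administrator" and acct.oa_bays:
        return ALL_DEVICE_BAYS, ALL_INTERCONNECT_BAYS
    return acct.device_bays, acct.interconnect_bays


def capabilities(acct):
    """Expand privilege level and bay permissions into 'scope:action' strings."""
    if acct.level not in LEVELS:
        raise ValueError(f"unknown privilege level: {acct.level!r}")
    rank = LEVELS.index(acct.level)
    caps = set()
    if acct.oa_bays:
        caps.add("oa:view_config")
        if rank >= 1:
            caps.add("oa:configure_enclosure")
        if rank >= 2:
            caps.add("oa:manage_users")
    device, interconnect = effective_bays(acct)
    for bay in device:
        caps.add(f"device:{bay}:view")
        if rank >= 1:
            caps.add(f"device:{bay}:power_console")
        if rank >= 2:
            # iLO autologin carries the OA privilege level to the server.
            caps.add(f"device:{bay}:ilo_user_admin")
    for bay in interconnect:
        caps.add(f"interconnect:{bay}:view")
        caps.add(f"interconnect:{bay}:mgmt_console_link")  # all levels
        if rank >= 1:
            caps.add(f"interconnect:{bay}:virtual_buttons")
    return caps


def holders(accounts, action):
    """Sorted names of accounts that hold `action` on any bay."""
    return sorted(a.name for a in accounts
                  if any(c.rsplit(":", 1)[-1] == action for c in capabilities(a)))


def excess(acct, needed):
    """Capabilities granted beyond the `needed` set (least-privilege review)."""
    return capabilities(acct) - set(needed)


# Constructed sample accounts; the first two mirror Scenario 1 and Scenario 2.
SCENARIO_1 = Account("server_admin", "Administrator", device_bays=ALL_DEVICE_BAYS)
SCENARIO_2 = Account("switch_viewer", "User", device_bays=ALL_DEVICE_BAYS,
                     interconnect_bays=frozenset({3, 4}))
ENCLOSURE_ADMIN = Account("enclosure_admin", "Administrator", oa_bays=True)
OA_OPERATOR = Account("oa_operator", "Operator", oa_bays=True)
ACCOUNTS = [SCENARIO_1, SCENARIO_2, ENCLOSURE_ADMIN, OA_OPERATOR]

if __name__ == "__main__":
    print("OA user management:", holders(ACCOUNTS, "manage_users"))
    print("iLO user administration:", holders(ACCOUNTS, "ilo_user_admin"))
    job = {f"interconnect:{b}:{a}" for b in (3, 4)
           for a in ("view", "mgmt_console_link")}
    print("Scenario 2 beyond the switch job:", sorted(excess(SCENARIO_2, job)))
```

Running it lists which accounts reach OA user management and which reach iLO user administration; a device-bay Administrator such as Scenario 1 holds the latter without any OA bay permission, which is worth checking when reviewing an enclosure's local accounts.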

173

Local Users screen

New: To add a new user to the selected enclosure, click the New button. A maximum of 30 user accounts can be added including the reserved accounts. The Add Local User screen appears.

Edit: Select a user (only one can be selected) by selecting the check box next to the name of the user. To change the settings on the Edit Local User screen, click the Edit button.

Delete: Select a user or users to be deleted by selecting the check box next to the name of the user. To delete the accounts, click the Delete button. If an attempt is made to delete the last remaining Administrator account, then you will receive an alert warning that one Administrator account must remain and the delete action will be canceled.

Add Local User

Item: Username
Possible value: 1 to 40 characters, including all alphanumeric characters, the dash (-), and the underscore (_)
Description: A maximum of 30 user accounts can be added including the reserved accounts. The user names ALL (case-insensitive), ADMINISTRATOR (case-insensitive), switch1, switch2, switch3, switch4, switch5, switch6, switch7, switch8, ldapuser, nobody, and vcmuser_ are reserved and cannot be used. The user name must begin with a letter and is case-sensitive.

Item: Password
Possible value: 3 to 40 characters, including all printable characters
Description: The password associated with the user.

Item: Password Confirm
Possible value: 3 to 40 characters, including all printable characters
Description: The password associated with the user. This value must match the Password value.

Click the Add User button to save settings. The Edit Local User screen appears.

Edit Local User

User information

Item: Username
Possible value: 1 to 40 characters, including all alphanumeric characters, the dash (-), and the underscore (_)
Description: A maximum of 30 user accounts can be added, including the reserved accounts. The user names ALL (case-insensitive), ADMINISTRATOR (case-insensitive), switch1, switch2, switch3, switch4, switch5, switch6, switch7, switch8, ldapuser, nobody, vcmuser_ are reserved and cannot be used. The user name must begin with a letter and is case-sensitive.

Item: Password
Possible value: 3 to 40 characters, including all printable characters
Description: The password associated with the user.

Item: Password Confirm
Possible value: 3 to 40 characters, including all printable characters
Description: The password associated with the user. This value must match the Password value.

Item: Full Name
Possible value: 0 to 20 characters, including all alphanumeric characters, the dash (-), the underscore (_), and the space
Description: The user's full name. All users can modify their own full name.

Item: Contact
Possible value: 0 to 20 characters, including all alphanumeric characters, the dash (-), the underscore (_), and the space
Description: Contact information for the user account. The contact information can be the name of an individual, a telephone number, or other useful information. All users can modify their own contact information.

Item: Privilege Level
Possible value: Administrator
Description: Only the Administrator, with OA Bays permission, can set the user privilege level. Can perform all actions on the enclosure when OA Bays permission is selected. All Device Bays and All Interconnect Bays are automatically selected when OA Bays is selected, and all the check boxes are grayed out. Without OA Bays permission, can only see devices and interconnects to which permissions have been given.

Item: Privilege Level
Possible value: Operator
Description: Can perform all actions on the enclosure except for the functions under Configuration Scripts, Reset Factory Defaults, Active to Standby, and Users/Authentication when OA Bays, All Device Bays, and All Interconnect Bays permissions are selected. Without OA Bays permission, can only see devices and interconnects to which permissions have been given.

Item: Privilege Level
Possible value: User (read only)
Description: Can view all information the Administrator and Operator can change except the Network Access, DVD Drive, and Users/Authentication information. Can launch web interfaces to other devices. Cannot change any configuration settings. Without OA Bays permission, can only manage devices and interconnects to which permissions have been given.

User Enabled must be selected to enable the user account. If a user account is disabled, then all open sessions for that account are ended (signed out).

Privilege level change: If a user account privilege level is changed, then all open sessions for that user account are terminated (signed out). The user must log on again after the privilege level change.

Check boxes: Selecting the device base bay check box does not give the user permission to a double-dense server without also selecting A and B for that bay. Select only A or B for a device bay if restricting permission to a single server in a double-dense server blade.

User Permissions

OA Bays: Gives the user permissions for the OA bays and enables the user to see the fans and power supplies. If the user privilege level is Administrator, then All Device Bays and All Interconnect Bays are automatically selected when OA Bays is selected and all the check boxes are grayed out.
All Device Bays: Gives the user permissions for all the device bays.
Selected Device Bays: Gives the user permissions for only the selected device bays.

All Interconnect Bays: Gives the user permissions for all the interconnect bays.
Selected Interconnect Bays: Gives the user permissions for only the selected interconnect bays.

Click Update User to save the changes.

Edit Local User Certificate Information tab

When Two-Factor Authentication is enabled, a user must have a user certificate to log on to the OA. Users with administrator privileges can upload or map a valid certificate to a selected user.

There are two methods for uploading certificates for use in OA:
- Paste certificate contents into the text box, and then click the Upload button.
- Paste the URL of the certificate into the URL box, and then click the Apply button.

When the certificate is successfully uploaded, the SHA1 fingerprint of the user certificate appears. If a user already has a certificate mapped to an account, the SHA1 fingerprint of the certificate appears. Any user with administrator privileges can delete their certificate and upload a new user certificate.

Password Settings screen

This screen enables you to enforce strong password features. Only Administrators with OA permission are allowed to manage strong passwords.

Procedure
1. To enable this feature, select Enable Strong Passwords.
2. To save the setting, click the Apply button.

The user password must contain three of the four following character types:

Uppercase: An uppercase character from the character set A to Z.
Lowercase: A lowercase character from the character set a to z.
Numeric: A numeric character from the character set 0 to 9.
Non-alphanumeric: Any printable character that is not a space or an alphanumeric character.

The minimum password length can be between 3 and 40 characters. If the minimum password length is not configured, then the password defaults to three characters. To save the minimum password length setting, click Apply.

Directory Settings screen

LDAP is a protocol for accessing information directories. While LDAP is based on the X.500 standard, it is significantly simpler. LDAP also supports TCP/IP and is an open protocol.
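The local user name rules and the Password Settings rules described earlier can be checked against a planned account list before the accounts are created. This is an added example, not HPE code; it assumes that "printable characters" means printable ASCII and that the reserved names other than ALL and ADMINISTRATOR are matched exactly as written, and the sample accounts are constructed.

```python
import re
import string

# Limits and reserved names as listed for the Add Local User screen.
USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,39}")
RESERVED_ANY_CASE = {"all", "administrator"}
# Assumption: the remaining reserved names are compared exactly as written.
RESERVED_EXACT = {f"switch{n}" for n in range(1, 9)} | {"ldapuser", "nobody", "vcmuser_"}
PASSWORD_MIN, PASSWORD_MAX = 3, 40
# Assumption: "printable characters" means printable ASCII (space through ~).
PRINTABLE = {chr(c) for c in range(0x20, 0x7F)}


def username_problems(name):
    """Return the documented user name rules that `name` breaks."""
    problems = []
    if not USERNAME_RE.fullmatch(name):
        problems.append("must be 1 to 40 letters, digits, '-' or '_', beginning with a letter")
    if name.lower() in RESERVED_ANY_CASE or name in RESERVED_EXACT:
        problems.append("reserved user name")
    return problems


def character_types(password):
    """Return which of the four strong-password character types are present."""
    found = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            found.add("uppercase")
        elif ch in string.ascii_lowercase:
            found.add("lowercase")
        elif ch in string.digits:
            found.add("numeric")
        elif ch in PRINTABLE and ch != " ":
            found.add("non-alphanumeric")
    return found


def password_problems(password, strong_passwords=True, min_length=PASSWORD_MIN):
    """Check a password against the Password Settings rules.

    min_length is the configured minimum (3 to 40); when it is not
    configured, the default of three characters applies.
    """
    if not PASSWORD_MIN <= min_length <= PASSWORD_MAX:
        raise ValueError("minimum password length must be between 3 and 40")
    problems = []
    if not min_length <= len(password) <= PASSWORD_MAX:
        problems.append(f"length must be {min_length} to {PASSWORD_MAX} characters")
    if any(ch not in PRINTABLE for ch in password):
        problems.append("contains a non-printable character")
    if strong_passwords and len(character_types(password)) < 3:
        problems.append("needs three of the four character types")
    return problems


def audit_accounts(accounts, min_length=PASSWORD_MIN):
    """Map each planned user name to its problems (an empty list means OK)."""
    return {
        name: username_problems(name) + password_problems(pw, min_length=min_length)
        for name, pw in accounts.items()
    }


# Constructed sample data: planned accounts, not real credentials.
PLANNED = {
    "ops-night_1": "Ab1",
    "2ndshift": "Winter-2017x",
    "nobody": "Sup3rdome!X",
    "storage_admin": "alllowercase1",
}

if __name__ == "__main__":
    for min_len in (PASSWORD_MIN, 12):
        print(f"minimum length {min_len}:")
        for user, issues in audit_accounts(PLANNED, min_len).items():
            print(f"  {user}: {issues or 'ok'}")
```

With the minimum length left at its default, the three-character password "Ab1" satisfies the strong password rule, so the minimum length needs to be set explicitly for the rule to be meaningful.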

Use the Directory Settings screen to set directory access for the currently selected enclosure. You can configure the following settings:

Enable LDAP Authentication: Select this checkbox to enable a directory server to authenticate a user sign in.

Enable Local Users: Select this checkbox to enable a user to sign in using a local user account instead of a directory account.

Search Context: Specify one to six search contexts. A search context is a search filter or shortcut to a common directory, defining the directory users search to start at the specified path. By specifying a search context, users do not have to specify their full DNs at login. A DN might be long and users might not be familiar with their DN or might have accounts in different directory contexts. The OA attempts to contact the directory service by DN and then applies the search contexts in order, beginning with Search Context 1 and continuing through any subsequent search contexts until successful.

Search context is also applicable to LDAP directory groups, which are useful when LDAP nested groups are configured. When specifying the search context for an LDAP directory group, the exact context is not required.

Box: Directory Server Address
Possible value: ###.###.###.### where ### ranges from 0 to 255 or DNS name of the directory server or the name of the domain
Description: The IP address or the DNS name or the name of the domain of the directory service. This field is required.

Box: Directory Server SSL Port
Possible value: 0 to
Description: The port used for LDAP communications. The default port is port 636. This field is required.

Box: Search Context 1
Possible value: All characters except " (quotes), not to exceed 127 characters
Description: First searchable path used to locate the user when the user is trying to authenticate using directory services. The path is also used to search for a nesting LDAP group.

Box: Search Context 2
Possible value: All characters except " (quotes), not to exceed 127 characters
Description: Second searchable path used to locate the user when the user is trying to authenticate using directory services. The path is also used to search for a nesting LDAP group.

Box: Search Context 3
Possible value: All characters except " (quotes), not to exceed 127 characters
Description: Third searchable path used to locate the user when the user is trying to authenticate using directory services. The path is also used to search for a nesting LDAP group.

Box: Search Context 4
Possible value: All characters except " (quotes), not to exceed 127 characters
Description: Fourth searchable path used to locate the user when the user is trying to authenticate using directory services. The path is also used to search for a nesting LDAP group.

Box: Search Context 5
Possible value: All characters except " (quotes), not to exceed 127 characters
Description: Fifth searchable path used to locate the user when the user is trying to authenticate using directory services. The path is also used to search for a nesting LDAP group.

Box: Search Context 6
Possible value: All characters except " (quotes), not to exceed 127 characters
Description: Sixth searchable path used to locate the user when the user is trying to authenticate using directory services. The path is also used to search for a nesting LDAP group.

Uploading a certificate

Certificates protect user credentials from "man-in-the-middle" attacks. If certificates are not loaded onto the OA, it is possible for a man-in-the-middle to view LDAP credentials for anyone who logs into the OA. The OA accepts multiple domain controller certificates, which can be uploaded using the Certificate Upload tab under Directory Settings.

Procedure

To upload a certificate:
1. Get the certificate from the domain controller by opening a browser and entering the following address: controller>:636 where domain controller is the IP address for your network domain controller.
2. When prompted to accept a certificate, click View Certificate.
3. Click the Details tab, and then click the Copy to File button.
4. From the list of export options, select Base-64 encoded x.509 (.CER).
5. Provide a name and location for the file, and finish the Upload a Certificate Wizard.
6. Locate the exported certificate file, and then rename it with a .txt extension (for example, dccert.txt).
7. Open the file in a text editor, and copy the entire contents to the clipboard.

The following is an example of an exported certificate file:

-----BEGIN CERTIFICATE-----

output truncated
-----END CERTIFICATE-----

8. Return to the OA, paste the certificate contents into the window, and click the Upload button.

Directory Certificate Upload tab

Upload an LDAP certificate to the OA to establish a trusted relationship with the LDAP server. You can upload a maximum of three certificates.

Upload certificates for use in OA in the following ways:
- Paste certificate contents into the text box, and then click the Upload button.
- Paste the URL of the certificate into the URL box, and then click the Apply button.

Directory Test Settings tab

The directory Test Settings tab enables OA administrators to ensure that the configuration information provided allows the directory user access to the OA and to the resources in the enclosure. The Test Settings tab applies only to the current settings. Therefore, after making changes, you must click the Apply button, and then select the Test Settings tab.

Use the Test Settings tab to run and report the tests. When the page initially appears, it contains a list of tests with the current status of Not Run. To run the tests, click Test Settings. The tests are run in the order that they appear. The tests end when an error occurs. To perform the User Authentication and User Authorization tests, you must enter a user name and password in Directory Test Controls.

The following tests are performed in the order listed.

1. Overall Test Status
The Overall Test Status is an aggregation of all the tests run. The value is either Not Run, Passed, or Failed. If any of the individual tests fail, the status is Failed.

2. Ping Directory Server
A simple ping test is performed after a valid IP address or domain name is verified for the directory server. The ping test sends a maximum of four ping packets to the directory server and reports success or failure.
A successful test reports that OA can establish a network path to the directory server.
A failed test reports that OA cannot establish a network path to the directory server. The administrator must verify the host name or IP address.

3. Directory Server IP Address
If the LDAP configuration specifies an IP address instead of a DNS, then this test verifies that the IP address is a valid IPv4 address. Otherwise the test reports the Not Run status.
A successful test reports that the IP address stored for the directory server is a valid IPv4 address.
A failed test reports that the IP address stored for the directory server is not a valid IPv4 address. The administrator must verify the IP address entered and correct the IP address.

4. Directory Server DNS Name
The DNS lookup test determines if OA can resolve the domain name of the LDAP server. If the LDAP server configuration uses IP addresses instead of a DNS name, then this test reports Not Run.
A successful test reports that OA is able to resolve the Directory Server host name using domain name.
A failed test reports that OA is unable to resolve the Directory Server host name. The administrator must be sure that the directory server host name is correct and that the host name is correct for the directory server.

5. Connect to Directory Server

This test attempts to connect to the specified directory server IP address and service port.
A successful test reports that OA can establish a connection to the directory server at the specified host name or address and at the specified port number. The successful test indicates that network service is available, the directory service is running, and available at the specified directory server and port.
A failed test reports that OA cannot establish a connection to the directory server. The unsuccessful test reports that the network service is not available. The administrator must verify the host name or address and port number.

6. Connect using SSL
This test verifies that the directory server is providing the directory service over an SSL connection.
A successful test reports that OA can establish an SSL connection to the directory server host name or IP address and port. The network service is available as a secure SSL connection.
A failed test reports that the network service is not available as a secure SSL connection and the OA does not allow this type of connection. The administrator must identify a directory server that supports SSL connections or reconfigure the directory server to use SSL connections.

7. Certificate of Directory Server
If the directory server SSL certificate has been loaded onto OA, use this test to verify that the certificate provided by the directory server matches the current certificate stored on OA. If the directory server SSL certificate has not been loaded, then this test does not run.
A successful test reports that OA was able to validate the directory server certificate against the certificates stored on OA for the specified directory server.
A failed test reports that the directory server certificate stored on OA does not match the certificate provided on the SSL connection.

8. User Authentication
This test attempts to log in the user to the directory by using the user name and password provided in Directory Test Controls. If user authentication fails using the provided user name and password, then each search context is attempted. If a search context begins with the then the DN used to log in is the search name concatenated to the user name entered. Otherwise, the search DN used to log in is constructed as follows: cn=<username>,<search context>. The result from this test identifies the search context that was successful in authenticating the user.

9. User Authorization
After a user has successfully authenticated and logged into OA, the configured directory group to which the user belongs is identified. A user can belong to multiple directory groups, so the directory group that gives the user the most privileges is identified.
A successful test reports the directory group with the highest privilege levels for the authenticated user.
A failed test reports that the authenticated user does not have any authorization on OA because the user does not belong to any of the configured directory groups.

10. Test Log
This is a running log of the details associated with the tests that have run and the results of the tests.

11. Directory Test Controls
The user name and password are sent to the LDAP server for authentication before the User Authentication and User Authorization tests are performed. The OA limits the length of the user name and password as indicated. Authentication requirements are defined by the LDAP server; the length limits imposed by the LDAP server might be more restricted than the limits imposed by the OA.
User Name: Accepts 0 to 256 characters
Password: Accepts 0 to 1024 characters
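The User Authentication and User Authorization tests above can be modelled offline to see which search context and which directory group a given account will resolve to. This is an added example, not HPE code: the directory contents, group names and function names are constructed, a dictionary stands in for the LDAP server, and only the cn=<username>,<search context> form is covered because the page's description of the other form is incomplete.

```python
# Privilege levels from the directory group tables, lowest to highest.
PRIVILEGE_RANK = {"User": 1, "Operator": 2, "Administrator": 3}
MAX_SEARCH_CONTEXTS = 6


def candidate_logins(username, search_contexts):
    """Yield (context_number, login_name) in the order the test tries them.

    Number 0 is the name exactly as entered; 1 to 6 are the
    cn=<username>,<search context> names built from each search context.
    """
    if len(search_contexts) > MAX_SEARCH_CONTEXTS:
        raise ValueError("the OA accepts one to six search contexts")
    yield 0, username
    for number, context in enumerate(search_contexts, start=1):
        yield number, f"cn={username},{context}"


def authenticate(username, password, search_contexts, directory):
    """Return (context_number, dn) for the first login that succeeds, else None."""
    for number, login in candidate_logins(username, search_contexts):
        entry = directory.get(login.lower())  # stand-in for an LDAP bind
        if entry is not None and entry["password"] == password:
            return number, login
    return None


def authorize(dn, directory, oa_groups):
    """Return the (group, privilege) pair granting the most privileges, or None."""
    member_of = {group.lower() for group in directory[dn.lower()]["groups"]}
    matches = [(g, p) for g, p in oa_groups.items() if g.lower() in member_of]
    if not matches:
        return None
    return max(matches, key=lambda match: PRIVILEGE_RANK[match[1]])


def run_directory_test(username, password, search_contexts, directory, oa_groups):
    """Run both tests in order; authorization is Not Run if authentication fails."""
    report = {"User Authentication": "Failed", "User Authorization": "Not Run",
              "search_context": None, "group": None, "privilege": None}
    found = authenticate(username, password, search_contexts, directory)
    if found is None:
        return report
    number, dn = found
    report.update({"User Authentication": "Passed", "search_context": number})
    granted = authorize(dn, directory, oa_groups)
    if granted is None:
        report["User Authorization"] = "Failed"
        return report
    report.update({"User Authorization": "Passed",
                   "group": granted[0], "privilege": granted[1]})
    return report


# Constructed sample data (keys are lower-cased DNs; not a real directory).
DIRECTORY = {
    "cn=jsmith,ou=staff,dc=example,dc=test": {
        "password": "staff-secret",
        "groups": ["cn=oa-readonly,ou=groups,dc=example,dc=test",
                   "cn=oa-admins,ou=groups,dc=example,dc=test"],
    },
    "cn=jsmith,ou=contractors,dc=example,dc=test": {
        "password": "contract-secret",
        "groups": [],
    },
}
OA_GROUPS = {
    "CN=OA-ReadOnly,OU=Groups,DC=example,DC=test": "User",
    "CN=OA-Admins,OU=Groups,DC=example,DC=test": "Administrator",
}
SEARCH_CONTEXTS = ["OU=Contractors,DC=example,DC=test", "OU=Staff,DC=example,DC=test"]

if __name__ == "__main__":
    for secret in ("staff-secret", "contract-secret", "wrong"):
        print(run_directory_test("jsmith", secret, SEARCH_CONTEXTS, DIRECTORY, OA_GROUPS))
```

The staff account belongs to both a read-only and an administrator group and resolves to Administrator, which is why group membership should be reviewed for the highest level it can grant rather than the intended one.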

Directory Groups

Use the Group Settings screen to configure directory groups and set directory access for the currently selected enclosure.

Access to the enclosure can be granted using LDAP. To use the LDAP server, you must create directory accounts. The Directory Groups screen displays current directory groups that have been added to the Primary Connection enclosure. You may add user groups to all enclosures but you may edit and delete user groups only from the Primary Connection enclosure.

To use LDAP services, you must add at least one directory group.

Check box: Used to select Directory Group for editing or deleting.

Group Name: 1 to 255 characters and contains the same characters as search contexts. The group name is used to determine LDAP users group membership. The group name must match one of the following properties of a directory group:
- Name
- Distinguished name
- Common name
- Display name
- SAM account name
For nested groups, matching is based on objectsid (an attribute that specifies the security ID of the group). The distinguished name is recommended to uniquely specify the LDAP group. If the Onboard Administrator is configured to search the GC port and a distinguished name is not used, then an incorrect match in multiple domains may occur which could result in unintended authorization.

Privilege Level (Administrator): Only the Administrator, with OA Bays permission, can set the user privilege level. Can perform all actions on the enclosure when OA Bays permission is selected. All Device Bays and All Interconnect Bays are automatically selected when OA Bays is selected, and all the checkboxes are grayed out. Without OA Bays permission, cannot see fans and power supplies. Without OA Bays permission, can see only devices and interconnects to which permissions have been given.

Privilege Level (Operator): Can perform all actions on the enclosure except for the functions under Users/Authentication when OA Bays, All Device Bays, and All Interconnect Bays permissions are selected. Without OA Bays permission, cannot see fans and power supplies. Without OA Bays permission, can see only devices and interconnects to which permissions have been given.

Privilege Level (User (read-only)): Can view all information the Administrator and Operator can change except the Users/Authentication information. Can launch web interfaces to other devices. Cannot change any configuration settings. Without OA Bays permission, can manage only devices and interconnects to which permissions have been given. Without OA Bays permission, cannot see fans and power supplies.

Description: 0 to 58 characters, containing alphanumeric characters, the dash (-), the underscore (_), and the space. The description of the LDAP group, a more readable version of the group name, or other useful information.

New: Click the New button to add a new Directory Group to the selected enclosure. You can add a maximum of 30 Directory Groups. The Add LDAP Group screen appears.

Edit: Select a Directory Group to be edited by selecting the check box next to the name of the group. Click the Edit button to change the settings on the Edit LDAP Group screen.

Delete: Select the Directory Group to be deleted by selecting the check box next to the name of the group. Click the Delete button to remove the group.

Add an LDAP Group

Group Information

NOTE: A maximum of 30 Directory Groups can be added.

Check box: Used to select Directory Group for editing or deleting.

Group Name: 1 to 255 characters and contains the same characters as search contexts. The group name is used to determine LDAP users group membership. The group name must match one of the following properties of a directory group:
- Name
- Distinguished name
- Common name
- Display name
- SAM account name

Privilege Level (Administrator): Only the Administrator, with OA Bays permission, can set the user privilege level. Can perform all actions on the enclosure when OA Bays permission is selected. All Device Bays and All Interconnect Bays are automatically selected when OA Bays is selected, and all the checkboxes are grayed out. Without OA Bays permission, cannot see fans and power supplies. Without OA Bays permission, can see only devices and interconnects to which permissions have been given.

Privilege Level (Operator): Can perform all actions on the enclosure except for the functions under Users/Authentication when OA Bays, All Device Bays, and All Interconnect Bays permissions are selected. Without OA Bays permission, cannot see fans and power supplies. Without OA Bays permission, can see only devices and interconnects to which permissions have been given.

Privilege Level (User (read-only)): Can view all information the Administrator and Operator can change except the Users/Authentication information. Can launch web interfaces to other devices. Cannot change any configuration settings. Without OA Bays permission, can manage only devices and interconnects to which permissions have been given. Without OA Bays permission, cannot see fans and power supplies.

Description: 0 to 58 characters, containing alphanumeric characters, the dash (-), the underscore (_), and the space. The description of the LDAP group, a more readable version of the group name, or other useful information.

Group Permissions

OA Bays: Gives the user permissions for the OA bays and enables the user to see the fans and power supplies. If the user privilege level is Administrator, then All Device Bays and All Interconnect Bays are automatically selected when OA Bays is selected and all the checkboxes are grayed out.
All Device Bays: Gives the user permissions for all the device bays.
Selected Device Bays: Gives the user permissions for only the selected device bays.

All Interconnect Bays: Gives the user permissions for all the interconnect bays.
Selected Interconnect Bays: Gives the user permissions for only the selected interconnect bays.

Click the Add Group button to save settings.

Edit an LDAP Group

Group Information

Group Name: 1 to 255 characters and contains the same characters as search contexts. The group name is used to determine LDAP users group membership. The group name must match one of the following properties of a directory group:
- Name
- Distinguished name
- Common name
- Display name
- SAM account name

Privilege Level (Administrator): Only the Administrator, with OA Bays permission, can set the user privilege level. Can perform all actions on the enclosure when OA Bays permission is selected. All Device Bays and All Interconnect Bays are automatically selected when OA Bays is selected, and all the checkboxes are grayed out. Without OA Bays permission, cannot see fans and power supplies. Without OA Bays permission, can see only devices and interconnects to which permissions have been given.

Privilege Level (Operator): Can perform all actions on the enclosure except for the functions under Users/Authentication when OA Bays, All Device Bays, and All Interconnect Bays permissions are selected. Without OA Bays permission, cannot see fans and power supplies. Without OA Bays permission, can see only devices and interconnects to which permissions have been given.

Privilege Level (User (read-only)): Can view all information the Administrator and Operator can change except the Users/Authentication information. Can launch web interfaces to other devices. Cannot change any configuration settings. Without OA Bays permission, can manage only devices and interconnects to which permissions have been given. Without OA Bays permission, cannot see fans and power supplies.

Description: 0 to 58 characters, containing alphanumeric characters, the dash (-), the underscore (_), and the space. The description of the LDAP group, a more readable version of the group name, or other useful information.

Group Permissions

OA Bays: Gives the user permissions for the OA bays and enables the user to see the fans and power supplies. If the user privilege level is Administrator, then All Device Bays and All Interconnect Bays are automatically selected when OA Bays is selected and all the checkboxes are grayed out.
All Device Bays: Gives the user permissions for all the device bays.
Selected Device Bays: Gives the user permissions for only the selected device bays.
All Interconnect Bays: Gives the user permissions for all the interconnect bays.
Selected Interconnect Bays: Gives the user permissions for only the selected interconnect bays.

Click the Update Group button to save settings.

SSH Administration

This page lists the owner of each authorized Secure Shell key and enables adding new keys.

SSH Fingerprint: Lists the public key portion of a public/private key pair.

Authorized SSH Keys: Lists the authorized Secure Shell key data. The owner is always the Administrator. To add additional Authorized Secure Shell Keys, enter the Secure Shell key in the text box and click the Apply button. To clear all Authorized Secure Shell Keys, delete all the text in the text box and click the Apply button.

Download SSH Key File: In the URL to SSH Keys File box, enter the location of the public key file, and click the Apply button to download. All currently authorized Secure Shell keys are replaced when the Secure Shell key file is downloaded. The key file must contain the Administrator name at the end of the public key. Each key is associated with the Administrator account.

HPE SSO Integration

OA supports SSO with trusted applications, such as HP SIM. This feature enables you to log in to a trusted management application and then be able to automatically access any managed devices where the SSO certificate is installed.

To configure SSO to work through HP SIM:

Procedure

1. Set the SSO trust mode to ON. On the HP SIM Integration screen, select Trust by Certificate from the Trust mode menu.

NOTE: When trust mode is disabled, the SSO single sign-on attempt fails, and you must enter OA credentials to log on.

2. Download a certificate from the HP SIM system to manage the enclosure. On the HP SIM Integration screen, select the Certificate Upload tab, and then upload the certificate using one of the following methods:
- Paste the contents of the certificate into the text box and then click Upload.
- Enter the IP address of the HP SIM system that will be managing the enclosure and then click Apply.
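Because downloading a key file from the SSH Administration screen replaces every authorized key, the file is worth checking line by line before its URL is entered. The following is an added example, not HPE code: it assumes the usual one-key-per-line `<type> <base64 key> <name>` layout with the owner name as the last field, the function names are hypothetical, and the sample keys are constructed filler rather than usable keys. The page does not say which key types the OA accepts, so the check is type-agnostic.

```python
import base64
import hashlib
import struct


def _read_string(blob, offset=0):
    """Read one length-prefixed string (RFC 4251 'string') from a key blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("field runs past end of key data")
    return blob[offset + 4:end], end


def check_key_line(line, owner="Administrator"):
    """Return (fingerprint, problems) for one '<type> <base64 key> <name>' line."""
    fields = line.split()
    if len(fields) < 2:
        return None, ["not in '<type> <base64 key> <name>' form"]
    key_type, encoded = fields[0], fields[1]
    try:
        blob = base64.b64decode(encoded, validate=True)
        embedded_type, _ = _read_string(blob)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return None, [f"key data is malformed: {exc}"]
    problems = []
    if embedded_type != key_type.encode("ascii", "replace"):
        problems.append("declared key type does not match the key data")
    if len(fields) < 3 or fields[-1] != owner:
        problems.append(f"line does not end with the owner name {owner!r}")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return fingerprint, problems


def check_key_file(text, owner="Administrator"):
    """Check every key line; return one result dict per key line."""
    results, seen = [], {}
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fingerprint, problems = check_key_line(line, owner)
        if fingerprint in seen:
            problems.append(f"duplicate of the key on line {seen[fingerprint]}")
        elif fingerprint:
            seen[fingerprint] = number
        results.append({"line": number, "fingerprint": fingerprint, "problems": problems})
    return results


def _constructed_blob(key_type, filler):
    """Build a structurally valid RSA-style blob from filler bytes (not a usable key)."""
    def ssh_string(data):
        return struct.pack(">I", len(data)) + data
    exponent = b"\x01\x00\x01"
    modulus = b"\x00\xc3" + bytes([filler]) * 255
    return base64.b64encode(
        ssh_string(key_type) + ssh_string(exponent) + ssh_string(modulus)
    ).decode()


# Constructed sample file: line 1 is acceptable, lines 2 and 3 are not.
_KEY_A = _constructed_blob(b"ssh-rsa", 0x11)
_KEY_B = _constructed_blob(b"ssh-rsa", 0x22)
SAMPLE_KEY_FILE = "\n".join([
    f"ssh-rsa {_KEY_A} Administrator",
    f"ssh-rsa {_KEY_B} jdoe@workstation",
    f"ssh-dss {_KEY_A} Administrator",
])

if __name__ == "__main__":
    for result in check_key_file(SAMPLE_KEY_FILE):
        print(result["line"], result["fingerprint"], result["problems"] or "ok")
```

The printed fingerprints give a reviewer a short value to compare against the key holder's own record before the file replaces the authorized keys.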

Edit Local User Certificate Information tab

When Two-Factor Authentication is enabled, a user must have a user certificate to log on to the OA. Users with administrator privileges can upload or map a valid certificate to a selected user.

There are two methods for uploading certificates for use in OA:
- Paste certificate contents into the text box, and then click the Upload button.
- Paste the URL of the certificate into the URL box, and then click the Apply button.

When the certificate is successfully uploaded, the SHA1 fingerprint of the user certificate appears. If a user already has a certificate mapped to an account, the SHA1 fingerprint of the certificate appears. Any user with administrator privileges can delete their certificate and upload a new user certificate.

Two-Factor Authentication screen

Two-Factor Authentication Settings tab

NOTE: OA must be configured in Virtual Connect mode before enabling Two-Factor Authentication when using Virtual Connect Manager and Two-Factor Authentication.

When Two-Factor Authentication is enabled, only users with a valid user certificate are allowed to log on to OA. A valid user certificate is signed by a trusted Certificate Authority and is mapped to the respective user on the OA.

To enable Two-Factor Authentication for user authentication during log on, select Enable Two-Factor Authentication. When Two-Factor Authentication is enabled, Secure Shell and Telnet access is disabled by default. Disabling Two-Factor Authentication does not automatically re-enable Secure Shell and Telnet. You must go to the Network Access screen, and then select Enable Secure Shell and Enable Telnet.

To enable the OA to verify with the Certifying Authority whether the certificate being used has been added to the certificate revocation list (CRL), select Check for Certificate Revocation. If the certificate is on the CRL, the log on is denied.

Certificate Owner Field: You can configure the OA to use the user principal name in the SAN by selecting SAN or to use the certificate subject name by selecting Subject when authenticating directory users with a directory server.

To save settings, click the Apply button.

Two-Factor Authentication Certificate Information tab

This screen displays all Certificate Authorities trusted by the OA. Any user certificates uploaded to the OA must be signed by one of these Certificate Authorities. A maximum of three Certificate Authority certificates can be uploaded to the OA.

Certificate Version: Version number of current certificate
Issuer Organization: Name of the organization that issued the certificate
Issuer Organization Unit: Name of the organizational unit that issued the certificate
Issued By: The authority that issued the certificate
Subject Organization: Subject name
Issued To: Organization to whom the certificate was issued
Valid From: The date from which the certificate is valid
Valid Upto: The date on which the certificate expires
Serial Number: The serial number assigned to the certificate by the certificate authority
Extension Count: Number of extensions in the certificate
MD5 Fingerprint: A validation of authenticity embedded in the certificate
SHA1 Fingerprint: A validation of authenticity embedded in the certificate

Two-Factor Authentication Certificate Upload tab

To enable Two-Factor Authentication, upload at least one valid certificate belonging to a CA to the OA.

There are two methods for uploading certificates for use in OA:
- Paste certificate contents into the text box, and then click the Upload button.
- Paste the web address of the certificate into the URL box, and then click the Apply button.

Signed In users

This screen displays all the current sessions signed in to the OA. This screen is only available to Administrators with OA access. The Administrator can end sessions, disable users, and delete users from this screen.

Current Session: This table lists the session created when you signed in to the OA.

Other Sessions: This table lists the other users signed in to the OA.

Column: Description
Check box: Used to select a user or all users.
Username: The name of the user signed in to the enclosure.
IP Address: The user account IP address. The IP address of the session can be an enclosure linked address if it looks like " x". These sessions are created by other linked enclosures. Performing a delete, disable, or end session on a user with a linked enclosure IP address might end the enclosure link sessions of other users. For KVM and Serial logins the IP address box displays Local.
Age: The length of time (measured in days, hours, minutes and seconds) that the user account has been signed in.
Idle Time: The length of time (measured in days, hours, minutes and seconds) that the signed in account has been idle.
User Type: The type of user signed in to the enclosure. Possible values are Local, LDAP, or HP SIM.
Session Type: The type of session of the signed-in user. Possible values are Web, SSH, Telnet, KVM, Serial, and Factory Diagnostics.
OA Module: The OA module the user is signed into. Possible values are Active or Standby.

Delete Users: Select a user or users to be deleted by selecting the check box next to the name of the user, and click the Delete Users button. You cannot delete your own account or the built-in Administrator account.

Disable Users: Select a user or users to be disabled by selecting the check box next to the name of the user, and click the Disable Users button. You cannot disable your own account or the built-in Administrator account.
Terminate Sessions: Select a user or users whose sessions you want to end by selecting the check box next to the name of the user, and click the Terminate Sessions button. You cannot end your own session.

Session Options tab

This screen enables you to specify the length of time a user session is valid if there is no activity. Sessions are checked every 5 minutes to see if they have been inactive for the amount of time specified by the system administrator. If any sessions have been inactive for the specified amount of time, they are removed from the system.

Session Timeout: The number of minutes before an inactive session becomes invalid. Session Timeout can be any value between 10 and 1440 (24 hours). The default value for Session Timeout is
After entering a Session Timeout value, click the Apply button.

Insight Display

All OA GUI users can access the Insight Display screens by selecting Insight Display from the Tree View or Rack Overview.

From the Security tab, you can lock the Insight Display buttons, set a PIN code, and enable PIN protection. The User Note tab enables note text to be edited. The Background tab allows a 320x240 px Windows bitmap to be uploaded as the user note background image. The Chat Mode tab enables an administrator to initiate a chat with a user at the enclosure using the Insight Display.

Management network IP dependencies

The OA management port enables external clients to connect through the OA to iLOs and interconnect management processors that are configured to use the OA internal management network. OA firmware bridges the client traffic from the management port to the internal enclosure management network if the destination IP address is not that of the OA.

OA creates a route table entry for each server iLO IP address in an enclosure. This enables OA to conduct IP communications with that iLO. These iLO route table entries enable you to configure each iLO network in a different subnet than OA. Each iLO is configured with a valid gateway on its subnet that is accessible through the OA external management port connection. Routers must be present on the network connected to the OA management port to provide the multiple subnets and gateways on the management network.

Placing the iLOs and the OA management port on different subnets in an attempt to isolate them does not completely isolate those networks.

Superdome 2 IOX enclosures

Each IOX enclosure in the complex can be selected from the left navigation tree. Clicking the IOX name opens the main status page of the IOX. The following tabs are available at the top of the main page:
- Status
- Information
- Virtual Buttons

IOX Enclosure Information screen

IOX Status tab

Item: Description
IOX Status: The overall status of the IOX. Possible values are Degraded, Failed, OK or Unknown.
Tray 1 Power: Power status of I/O tray 1. Possible values are On or Off.
Tray 2 Power: Power status of I/O tray 2. Possible values are On or Off.

Diagnostic Information

Item: Description
Device Identification Data: Contains information on model name, part number, serial number, and other information used to identify the IOX. This data is also called FRU data. Device identification data error displays if the data is not present or not readable by the OA.
Management Processor: Status of the IOX management processor. Possible values are OK or Error.
Temperature: Temperature is above the warning threshold. Possible values are OK or Temperature Warning.
Overheat Check: Temperature is above the danger threshold. Possible values are OK or Critical temperature threshold reached.

The IOX Status Overview is divided into four sections:
- Power Subsystem
- Thermal Subsystem
- Link Subsystem Status
- IO Slot Status

For the Power and Thermal Subsystem section, the following values are possible:
- OK
- Degraded
- Failed
- Unknown

For the Link Subsystem and IO Slot Status sections, the following values are possible:
- OK
- Failed
- Unknown

If any component of a subsystem has any status other than OK, the status of each component in the subsystem is listed under the relevant section.

IOX Information tab

Item: Description
Product Name: The common descriptive name of the IOX enclosure.
Enclosure Number: The number of the IOX enclosure configured by dipswitches on the IOX enclosure hardware.
Manufacturer: The name of the company that manufactured the IOX enclosure.
Part Number: The part number to be used when ordering an additional IOX enclosure of this type.
Spare Part Number: The part number to be used when ordering a replacement IOX enclosure of this type.
Serial Number: The unique serial number of the IOX enclosure.
Engineering Date Code: Manufacturing information about the IOX enclosure.
Complex Firmware Version: Currently configured firmware version on the IOX enclosure.

IOX Virtual Buttons tab

Click the Toggle On/Off button to change the state of the IOX UID. The IOX UID is located on the lower-right side of the IOX enclosure faceplate.

IOX Power and Thermal screen

Item: Description
Ambient Temperature: The temperature of the IOX enclosure in degrees Celsius and Fahrenheit.
Thermal Subsystem Status: The overall thermal status of the IOX enclosure. Possible values are Unknown, OK, Degraded, or Critical Error.
Power Subsystem Status: The overall power status of the IOX enclosure. Possible values are Unknown, OK, Degraded, or Critical Error.
Redundancy State: Indicates the redundancy status of the power subsystem. Possible values are Redundant or Redundancy Lost.
Present Power: The amount of watts being consumed by all devices in the IOX.
Power Limit: The maximum amount of power available for consumption by the enclosure measured in watts.

Present Power/Power Limit

The Present Power is the number of watts being consumed by all the devices in the currently selected IOX. The Power Limit is the maximum amount of input power available for consumption by the enclosure. The Power Limit is dependent on the number of power supplies present in the IOX.

To update information on this screen, click the Refresh button.

IOX Power Subsystem screen

The Power Subsystem screen shows the overall status of the IOX enclosure power subsystem and information about each power supply in the IOX enclosure.

Power supplies available for use in IOX enclosures

All power supplies in one IOX enclosure must have the same part number. The OA identifies which power supplies must be replaced by displaying a caution icon.

Power Supply summary

The Power Subsystem screen provides status on the power subsystem, on each individual power supply, and fault conditions.

Item: Description
Power Subsystem Status: The overall power status of the IOX enclosure. Possible values are Unknown, OK, Degraded, or Critical Error.
Redundancy State: Indicates the redundancy status of the power subsystem. Possible values are Redundant, Not Redundant, or Redundancy Lost.

This screen provides status on the power subsystem and on each individual power supply.

Power Supply status

Item: Description
Bay: The bay in the IOX enclosure of the corresponding power supply. This box displays only populated bays. Empty bays do not appear in this table.
Model: The power supply model name.
Status: The overall status of the power supply. Possible values are Unknown, OK, Degraded, and Critical Error.

Input Status: The input status of the power supply. Possible values are Unknown, OK, Degraded, and Critical Error.
Present Output (Watts): This value is a measure of the present output of the power supply in watts.
Output Capacity (Watts): The amount of power provided by the power supply displayed in watts. This is a measure of the output in DC watts generated by the power supply.

Click the Refresh button to update the power subsystem information.

IOX Power Supply screen

Selecting a specific power supply opens the Power Supply Information-Bay x page, where x is the bay of the selected power supply. This screen provides status information of the selected power supply.

Status information

Item: Description
Status: The overall status of the power supply. Possible values are Unknown, OK, Degraded, and Critical Error.
Input Status: The input status of the power supply. Possible values are Unknown, OK, Degraded, and Critical Error.
Output Capacity: The maximum amount of power that can be provided by the power supply displayed in watts.
Model: The power supply model name.
Serial Number: The unique serial number of the power supply.
Spare Part Number: The spare part number to be used when ordering an additional or replacement power supply.

IOX Thermal Subsystem screen

OA monitors up to 4 fans in the enclosure and adjusts fan speeds as necessary, based on thermal and power measurements. The performance of each fan is monitored, and OA reports any failures or warnings to the system log and HP SIM (when SNMP is enabled).

Thermal Subsystem information

Item: Description
Thermal Subsystem Status: Indicates the overall status of the fan subsystem. Possible values are Unknown, OK, Degraded, or Critical Error.
Redundancy: Indicates the redundancy status of the fans. Possible values are Redundant or Not Redundant.
Ambient Temperature: The temperature of the IOX enclosure in degrees Celsius and Fahrenheit.
Fans Good: The total number of fans functioning with OK status in the IOX enclosure.
Fans Wanted: The minimum number of fans required for optimum cooling.
Fans Needed: The minimum number of fans required to ensure adequate cooling.

Fan information

Item: Description
Fan: The bay in the enclosure of the corresponding fan.
Status: The overall status of the fan. Possible values are Unknown, OK, Degraded, Failed, and Absent.
Fan Speed: Fan speed as a percentage of maximum RPM.

When a fan module fails, the remaining fans automatically compensate by adjusting fan speeds.

To update information on this page, click the Refresh button.

Port mapping

Device bay port mapping for compute enclosures

BL920s Gen8 or Gen9 Server Blade

Superdome 2 Server Blade

[Product illustration]

In this diagram, N equals the number of the blade in the enclosure and the port number for the switch. For example, if a blade is inserted into slot 1, it is considered device 1.

Because full-height server blades take up the space of two half-height server blades, the enclosure is limited to a maximum of eight full-height server blades. Port mapping from these full-height server blades can initially appear to be different from the half-height server blades, but they use similar conventions. Just as in a half-height server blade, if a blade is inserted into slot 1, it is considered device 1, but it has a second set of ports that also map to switches 1 and 2. With the full-height server blade, an N/N+8 scheme is used on the switches. Therefore, server blade 1 maps to ports 1 and 9 on both switches, as N=1. For a server blade inserted into slot 2, the 4 ports used on switches 1 and 2 are 2 and 10, as N=2.

Device bay port mapping tabular view for compute enclosures

If a device is not present, the check box is disabled and the port cannot be viewed. The server blades are mapped to the interconnect bays in the following manner:

Superdome 2 Server Blade

Server blade port: Compute enclosure interconnect bay
FlexLOM 1 port 1: 1
FlexLOM 1 port 2: 2
FlexLOM 2 port 1: 1

FlexLOM 2 port 2: 2
Mezzanine 1 port 1: 3
Mezzanine 1 port 2: 4
Mezzanine 1 port 3: 3
Mezzanine 1 port 4: 4
Mezzanine 2 port 1: 5
Mezzanine 2 port 2: 6
Mezzanine 2 port 3: 7
Mezzanine 2 port 4: 8
Mezzanine 3 port 1: 7
Mezzanine 3 port 2: 8
Mezzanine 3 port 3: 5
Mezzanine 3 port 4: 6

HP Superdome 2 server blade

Embedded NICs 1 and 3 (ENET:1 and ENET:3) map to interconnect bay 1. Embedded NICs 2 and 4 (ENET:2 and ENET:4) map to interconnect bay 2.

Using the Command Line Interface

Command line overview

The Onboard Administrator CLI is available from the Onboard Administrator serial port, management port, or service port and provides access to all Onboard Administrator commands and information. The CLI user must provide a valid user name/password to log into Onboard Administrator. The CLI is available for both local user accounts and LDAP users. Two-Factor Authentication is not available for the CLI.

Access to the Onboard Administrator CLI from either the Onboard Administrator Ethernet management port or service port requires that Telnet or Secure Shell protocols are enabled on the Onboard Administrator.

The Onboard Administrator serial port must be used for Onboard Administrator lost password recovery. The Onboard Administrator serial port speed is fixed at 9600, N, 8, 1.

For more information about the CLI, see the HPE Integrity Superdome X and Superdome 2 Onboard Administrator Command Line Interface User Guide.

Setting up Onboard Administrator using the CLI

Procedure
1. Connect to the OA CLI using the serial port, management port, or service port. See Connecting to the OA with a local PC for information about connecting a PC to the OA serial or service ports.
2. Log into the Onboard Administrator with the Administrator user account and the OA dogtag password.
3. Set OA name by running the SET OA NAME 1 <name> command.
4. If a redundant OA is present, run the SET OA NAME 2 <name> command.
5. Configure OA IP address:
   a. Select either the OA1/OA2 IP address or Enclosure IP address.
   b. Configure OA1 IP address as static or DHCP. For example, for static, run the SET IPCONFIG STATIC 1 <ipaddress> <netmask> command.
6. If a redundant OA is present, run the SET IPCONFIG STATIC 2 <ip address> <netmask> command.
7. Set OA gateway by running the SET OA GATEWAY 1 <ip address> command.
8. If a redundant OA is present, run the SET OA GATEWAY 2 <ip address> command.
9. Set the iLO IP address by running the SET EBIPA BLADE <ip address> <netmask> command. The addresses are allocated as consecutive static IP addresses (up to 32).
10. If a gateway exists on the management network, set the iLO gateway to its IP address by running the SET EBIPA BLADE GATEWAY <ip address> command.
11. Start EBIPA for iLO by running the ENABLE EBIPA BLADE command.
12. Complete the remainder of the settings as required.

For information on the enclosure defaults for each setting, see the HPE Integrity Superdome X and Superdome 2 Onboard Administrator Command Line Interface User Guide.

Configuring server blade iLO IP addresses

Each server blade iLO factory default configuration enables DHCP network settings. To use the server blade with a DHCP network, connect the OA management port to a network with a DHCP server; the OA, all iLO management processors, and supporting interconnect modules then get IP addresses from the DHCP server.

To configure each server blade for static IP addresses, use OA to set up an IP address for each iLO using EBIPA. This enables iLO to be addressed using TCP/IP so that the network settings can be reconfigured. Configuring each server blade with an IP address using EBIPA provides a fixed network configuration, including IP address, netmask and gateway, that is based on the enclosure bay where the server is installed. The new iLO gets the IP address for that bay without additional configuration needed.

Using the service port connection

The OA service port is the enclosure link-up connector, which also has a laptop icon next to the up arrow. This port is a 100BaseT Ethernet jack and may be directly connected to a laptop or PC RJ45 Ethernet connector using a standard CAT5 patch cable, because the wiring on the link-up connector is crossed over to enable direct connection to a PC 100BaseT connector.

The Service Port provides direct connection to any of the active OA modules in the complex, or just the active OA module in a single enclosure if there are no other enclosures in the complex. The network connection is private to the enclosures and cannot be used to access any device outside the internal enclosure management network. Use the connection to directly access the active OA at the active service IP address, located on the enclosure Insight Display, Enclosure Info screen.

See Connecting a PC to the OA service port for information about connecting a local PC to the OA service port for accessing the OA CLI.

Using configuration scripts

Configuration scripts

Use configuration scripts to maintain settings and configuration information, particularly when setting up multiple enclosures and OA modules. This eliminates the need to manually configure each enclosure, saving time and effort in the process.

Configuration scripts can be created and used with OA in the browser, or through the CLI, executing them in the same manner as a shell script is executed in Linux or UNIX.

NOTE: Configuration scripts cannot be used to store partition information.

Current configuration

Procedure

To download a current configuration for the enclosure:
1. Click the Click here link. The configuration opens in a new browser window.
2. To save the configuration as a text file, select either of the following options:
   - If you use Microsoft Internet Explorer 7 or later, select Save As.
   - If you use Mozilla Firefox 3.6 or later, select Save Page As.
   - If you use Google Chrome 38 or later, select ???

You can also select a local file or a web address for the configuration script:

Local file: You can browse for the configuration file or enter the path of the configuration file into the textbox. The maximum number of characters in the file path cannot exceed 256. After entering the configuration file path, click the Upload button.

URL: If the configuration file is located on a web server, enter an path to it. The maximum number of characters in the file path cannot exceed 256. Click the Apply button after entering the web address.

For security reasons, the retrieved current configuration does not contain any user passwords. You can manually edit the script to add the user passwords after the user name on the ADD USER lines. Also, the retrieved current configuration does not contain any of the LCD settings (Lock Buttons, Enable PIN Protection, and PIN Code). These settings cannot be added from the configuration script.

Current enclosure inventory

To download a script of the current enclosure inventory, click the Click here link, and then the current enclosure inventory opens in a new browser window. To save the inventory as a text file, select either of the following options:
- If you are using Microsoft Internet Explorer 7 or later, select Save As.
- If you are using Mozilla Firefox 3.6 or later, select Save Page As.
- If you are using Google Chrome 38 or later, select ???

The downloaded text file provides the same information as a CLI SHOW ALL command. The text file also displays the current configuration for the enclosure.
USB Support

This box appears when a USB key is detected in the enclosure DVD module USB port and configuration files are present.

To download a configuration file, select a file from the menu, and then click the Apply button.

To save the current OA configuration file to the USB key, enter a simple file path, either a relative path in the format path/file or with a leading dot (.), such as ./path/file, or an absolute path beginning with a slash (/), in the format /path/file. Do not enter a URL. Do not include spaces within the file name. Click Apply.

Reset Factory Defaults

When you reset the enclosure to the factory defaults, all enclosure settings are reset except the built-in Administrator password. All AlertMail, Network and Network Protocol, SNMP, and Power Management settings are reset.

To reset the enclosure, click the Reset Factory Defaults button. A confirmation screen appears, asking if you are sure that you want to perform the action. To confirm resetting the enclosure, click OK, or to exit without resetting the enclosure to factory defaults, click Cancel.

To download a current configuration for the enclosure:

Procedure
1. Click the Click here link. The configuration opens in a new browser window.
2. To save the configuration as a text file, select either of the following options:
   - If you use Microsoft Internet Explorer 7 or later, select Save As.
   - If you use Mozilla Firefox 3.6 or later, select Save Page As.
   - If you use Google Chrome 38 or later, select ???

For security, the retrieved current configuration does not contain any user passwords. You can manually edit the script to add the user passwords after the user name on the ADD USER lines. The enclosure Administrator account password cannot be added from the configuration script. Also, the retrieved current configuration does not contain any of the LCD settings (Lock Buttons, Enable PIN Protection, and PIN Code). These settings cannot be added from the configuration script.
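Once passwords have been typed onto the ADD USER lines as described in both procedures above, the saved script is a credential file. The following Python example is added here and is not part of the HPE guide or the OA firmware: it lists the ADD USER lines that carry a password and produces a redacted copy for archiving or sharing. The quoted-argument layout, the # comment convention, and the sample script are assumptions constructed for illustration.

```python
import shlex

# Constructed sample, not output from a real enclosure. Assumed layout:
#   ADD USER "<user name>" ["<password>"]
SAMPLE = """\
# constructed sample configuration script
SET OA NAME 1 lab-oa1
ADD USER "jsmith"
ADD USER "ops admin" "Summer2017!"
add user backup S3cret
"""


def _tokens(line):
    """Split a script line into arguments, honouring double quotes."""
    try:
        return shlex.split(line)
    except ValueError:
        # Unbalanced quote: fall back to whitespace so the line is still checked.
        return line.split()


def parse_add_user(line):
    """Return (user, has_password) for an ADD USER line, otherwise None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tok = _tokens(stripped)
    if len(tok) < 3 or tok[0].upper() != "ADD" or tok[1].upper() != "USER":
        return None
    # Anything after the user name is treated as an embedded password.
    return tok[2].strip('"'), len(tok) > 3


def audit(text):
    """List (line number, user) for every ADD USER line with a password."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        parsed = parse_add_user(line)
        if parsed and parsed[1]:
            findings.append((number, parsed[0]))
    return findings


def redact(text):
    """Return the script with passwords removed from ADD USER lines."""
    out = []
    for line in text.splitlines(keepends=True):
        parsed = parse_add_user(line)
        if parsed and parsed[1]:
            body = line.rstrip("\r\n")
            indent = body[: len(body) - len(body.lstrip())]
            ending = line[len(body):]
            out.append(f'{indent}ADD USER "{parsed[0]}"{ending}')
        else:
            out.append(line)
    return "".join(out)


if __name__ == "__main__":
    for number, user in audit(SAMPLE):
        print(f"line {number}: password embedded for user {user!r}")
    print(redact(SAMPLE), end="")
```

Run the audit before a script leaves the administrator's workstation; a script that reports no findings is in the same state as one freshly downloaded from the OA.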

Troubleshooting

Onboard Administrator error messages

Descriptive error messages can help identify hundreds of possible problems related to set up, privileges, user requests, OA failures, file uploads, incompatibilities, Insight Display, and more.

Onboard Administrator factory default settings

When resetting the OA to factory defaults, the administrator password is not reset to factory default. It remains set to the password last specified. In the event that the administrator password must be reset to factory defaults (as included on the tag that shipped with the OA), see Recovering the administrator password.

Resetting the OA to factory defaults also resets any certificates on the OA.

Onboard Administrator SNMP traps

The OA supports the following SNMP traps.

Trap ID Trap name Description
cpqracknamechanged: Rack Name has changed
cpqrackenclosurenamechanged: Enclosure Name has changed
cpqrackenclosureremoved: Rack enclosure has been removed
cpqrackenclosureinserted: Linked Enclosure insertion detected
cpqrackenclosuretempfailed: Enclosure temperature above critical
cpqrackenclosuretempdegraded: Enclosure temperature above warning
cpqrackenclosuretempok: Enclosure temperature is OK
cpqrackenclosurefanfailed: Enclosure fan has failed
cpqrackenclosurefandegraded: Enclosure fan is degraded
cpqrackenclosurefanok: Enclosure fan is OK
cpqrackenclosurefanremoved: Enclosure fan is removed
cpqrackenclosurefaninserted: Enclosure fan is inserted
cpqrackpowersupplyfailed: Enclosure power supply has failed
cpqrackpowersupplydegraded: Enclosure power supply is degraded
cpqrackpowersupplyok: Enclosure power supply is OK

cpqrackpowersupplyremoved: Enclosure power supply is removed
cpqrackpowersupplyinserted: Enclosure power supply is inserted
cpqrackpowersubsystemnotredundant: Enclosure power subsystem is not redundant
cpqrackpowersubsystemlinevoltageproblem: Enclosure power subsystem line voltage problem
cpqrackpowersubsystemoverloadcondition: Enclosure power subsystem overload condition
cpqrackenclosuremanagerdegraded: Onboard Administrator degraded
cpqrackenclosuremanagerok: Onboard Administrator OK
cpqrackenclosuremanagerremoved: Onboard Administrator removed
cpqrackenclosuremanagerinserted: Onboard Administrator inserted
cpqrackmanagerprimaryrole: Onboard Administrator is Active
cpqrackserverbladeekeyingfailed: Blade ekeying config failed
cpqracknetconnectorremoved: Interconnect removed
cpqracknetconnectorinserted: Interconnect inserted
cpqracknetconnectorfailed: Interconnect failed
cpqracknetconnectordegraded: Interconnect degraded
cpqracknetconnectorok: Interconnect OK
cpqrackserverbladetolowpower: Blade requested too low power
cpqrackserverbladeremoved2: Blade removed
cpqrackserverbladeinserted2: Blade inserted
cpqrackinformationaleaetrap: Error Analysis Engine Informational event (Superdome 2 only)
cpqrackminoreaetrap: Error Analysis Engine Degraded/Warning or Minor event (Superdome 2 only)
cpqrackmajoreaetrap: Error Analysis Engine Major event (Superdome 2 only)

cpqrackcriticaleaetrap: Error Analysis Engine Critical or Fatal event (Superdome 2 only)
cpqrackinformationaleaetrap: Error Analysis Engine Informational event (Integrity Superdome X only)
cpqrackminoreaetrap: Error Analysis Engine Degraded/Warning or Minor event (Integrity Superdome X only)
cpqrackmajoreaetrap: Error Analysis Engine Major event (Integrity Superdome X only)
cpqrackcriticaleaetrap: Error Analysis Engine Critical or Fatal event (Integrity Superdome X only)

Enabling LDAP Directory Services Authentication to Microsoft Active Directory

Certificate Services

The Microsoft implementation of LDAP over SSL requires that the Domain Controllers install DC certificates from the CA of the organization. This process occurs when the Enterprise Root CA service is added to a server in Active Directory. Hewlett Packard Enterprise strongly recommends using an Enterprise Root CA to minimize the complexities of requesting and accepting DC certificates from a standalone CA.

CAUTION: To ensure that the OA GUI continues to work after December 31, 2016, after upgrading from firmware version or earlier to version or later, the OA SHA1 self-signed certificate will be removed and replaced with SHA256 self-signed certificate. To prevent security warnings, the customer is encouraged to re-generate the self-signed certificate with the common name (CN) matching exactly the OA hostname as known by the web browser.

Preparing the directory

Procedure

For a normal production environment, similar groups already exist in some form, but the following group names can be used as-is if desired.

To prepare the directory:
1. Create an Active Directory group named OA Admins, and then add a user named TestAdmin to this group.
2. Create a group called OA Operators, and then add a user named TestOperator to this group. User permissions are irrelevant.

Preparing the Onboard Administrator

To prepare the OA:

Navigate to the Directory Settings screen for the enclosure located under Users/Authentications. Click Enable LDAP and then enter the IP address or the name of one of your DCs. See Troubleshooting LDAP on Onboard Administrator for more information on verifying that the DC is listening on port 636.

Alternatively, to force the DNS servers defined for the domain to offer DCs, enter the domain name of your AD domain (DOMAIN.COM) instead of a server name. For simplicity during initial setup, Hewlett Packard Enterprise recommends using a single IP address.

The Search Context is standard LDAP format. For example, if the user accounts are in the Users OU in a domain named BLADEDEMO.HP.COM, the Search Context must be:

CN=Users,DC=bladedemo,DC=hp,DC=com

Uploading the DC certificate (optional)

You can upload multiple DC certificates. Upload a certificate that permits LDAP over SSL.

Procedure
1. Click the Certificate Upload tab.
2. Get the certificate from the DC by opening a new web browser window to (where domain_controller is your DC).
   NOTE: This is a secure HTTPS web address, so you are prompted to accept a certificate.
3. Click the View Certificate button.

4. Click the Details tab, and then click the Copy to File... button.
5. Select Base-64 encoded x.509 (.CER) from the list of export options. Click the Next button.

6. Provide a name and location for the file (c:\dccert.cer) and click the Finish button to complete the wizard.
7. Locate the exported certificate file in Internet Explorer and rename it with a .txt extension (dccert.txt). Open the file in Notepad and copy the entire contents to the clipboard. The following is an example of the certificate file contents:

-----BEGIN CERTIFICATE-----
output truncated
-----END CERTIFICATE-----

8. Return to the OA Upload Certificate screen, paste the certificate contents into the window, and then click the Upload button.

Creating directory groups

OA authenticates users and assigns privileges by first verifying that the user name and password provided to OA match the credentials in the Directory. When a match is verified, OA queries the Directory to discover the names of the Active Directory groups the user is a member of. OA then matches those group names against the Directory Group names that exist in OA. In the following example, OA Directory Groups are created. The group name is used to determine LDAP users group membership and must match one of the following properties of a directory group:
- Name
- Distinguished name

- Common name
- Display name
- SAM account name

Procedure

To create a directory group:
1. In OA, navigate to the User > Authentication > Directory Groups link.
2. Click the New button.
3. Create a group named OA Admins, which is the same name as the one created in the Active Directory.
4. Assign this group full administrative privileges over all server bays and interconnect bays, and then click the Add Group button.
5. Create a second directory group named OA Operators to match the operator group created in Active Directory. Assign the group Operator privilege level instead of Administrator, and do not allow the group access to Server Bays, but do allow access to Interconnect bays, and then click the Add button.


Testing the directory login solution

Procedure

1. Log out of the current OA session, and then close all browser windows.
2. Browse to the OA, and then log in using one of the following options:
   - TestAdmin
   - DOMAIN\TestAdmin
3. Enter the corresponding password used for the user account. If you cannot log in with full Administrative privileges, see Troubleshooting LDAP on Onboard Administrator on page 217.

   NOTE: You cannot log in using your user name. For example, if your Account name is Jeff Allen and your account is jallen, you cannot log in as jallen because this format is not now supported by LDAP.
4. Log off or sign out of OA, and then attempt to log in as Test Operator using one of the following options:
   - TestOperator
   - DOMAIN\TestOperator
5. Enter the password used for the account. If this process succeeds, then the account has no access to any server blades, but full access to interconnect bays.

Troubleshooting LDAP on Onboard Administrator

Solution 1

To be sure that SSL is working on the Domain Controllers in your domain, open a browser and then navigate to domain_controller:636 (substitute your Domain Controller for domain_controller). You can substitute domain in place of domain controller, which goes to DNS to verify which Domain Controller is now answering requests for the domain. Test multiple Domain Controllers to be sure that all of them have been issued a certificate.

If SSL is operating properly on a Domain Controller (for example, a Certificate has been issued to it), you are prompted by the Security dialog whether you want to proceed with accessing the site or view the certificate. If you click Yes, nothing happens. The test is intended to make the Security Dialog prompt appear. A server not accepting connections on port 636 displays the page cannot be displayed message. If this test fails, it means that the Domain Controller is not accepting SSL connections, possibly because a certificate has not been issued.

This process is automatic, but might require a reboot. To avoid a reboot, do the following:

1. On the Domain Controller, load the "Computer Account" MMC Snap-in, and then navigate to the Personal > Certificates folder.
2. Right-click the folder, and then select Request New Certificate. The type default is already "Domain Controller".
3. Click Next, and then repeat until the Domain Controller issues the certificate.

Solution 2

Another method for troubleshooting SSL is to go to the DC, and then run the following command:

    C:\> netstat -an | find /i "636"

If the server is listening for requests on port 636, the following response appears:

    TCP : :0 LISTENING

One of the problems can be that the domain controllers have not auto-enrolled. The DCs can take up to 8 hours to auto-enroll and get their certificates issued because MS uses GPO to make the DCs aware of the newly installed CA. You can force this by running DSSTORE -pulse from the DCs (the tool is located in the w2k reskit). It is triggered by winlogon. Therefore, for auto-enrollment to function, you must log off and then log on again. The certificates appear automatically in the CA's Issued Certs list. Make sure the CA is not listing them in Pending Certs. If it is, change the CA to auto-issue certificates when a request comes in.

If the auto-enrollment feature still does not function, request the certificate:

1. On the Domain Controller, open MMC, and then add Certificate Snap-in (Computer Account).
2. Navigate to Personal, and then right-click the folder.
3. Click Request New Cert, and then click Next.
4. Enter a name for the certificate.

If an RPC error occurs, be sure that the CA is listed in DNS and that the CA is running. If the wizard does not start, force the server to see the CA and then enable the wizard to run. To speed up the GPO process and make the DCs acknowledge the CA, use one of the following commands:

    Windows 2003: Gpupdate /force
    Windows 2000: Secedit /refreshpolicy machine_policy /enforce

Be sure that the OA has all the appropriate network settings unique to your network (such as DNS) and that the time and date are correct (certificates are date sensitive). Be sure that OA can reach the DNS server (by pinging it from the OA CLI).

If LDAP is enabled while booting into Lost Password mode, the local Administrator password is reset, LDAP is disabled, and local login is re-enabled.

If the nested groups function is not displayed properly, verify the Domain Functional Level. Windows 2000 and Windows 2003 domain controllers, by default, are placed in function level 2000 mixed. When using this functional level, you cannot add or nest local groups.

Creating CAs and configuring Two-Factor Authentication for local user and LDAP group accounts

Introduction

Two-Factor Authentication (also known as Two-Step Authentication) is an optional feature that provides enhanced security for the OA. To permit access to the OA, Two-Factor Authentication requires something that a user has (a certificate) and something that a user knows (a password or PIN). The certificate is stored directly in a browser or on the accessing device (as a smartcard, dongle, or TPM).

You can use Two-Factor Authentication with either local user accounts or directory (LDAP) group accounts. For LDAP accounts, you can use the subject or subject alternate name to provide the LDAP login name. In all cases, the user certificate must be validated against a Certificate authority (CA).

Two-Factor Authentication public key infrastructure map

CAs are based on a tree structure. Root certificates are self-signed. All other certificates can be traced back to the root by following the certificate issuer field. User certificates may be issued by any of the CAs in the tree. The OA has limited storage space and therefore supports storing a maximum of 12 CA certificates. The following diagram shows a tree structure similar to that used in the examples to follow.

Steps for creating CAs and configuring Two-Factor Authentication with local user and LDAP group accounts

The following sections provide instructions and examples for creating CAs and configuring Two-Factor Authentication with local user and LDAP group accounts. For simplicity, the CA certificates in the provided examples are created on a single system instead of multiple systems. A real CA implementation would use multiple systems.

The following table lists the steps for setting up Two-Factor Authentication with local user and LDAP group accounts, and indicates the section documenting each step plus any subordinate steps.

Step  Section

1  Configuring the directories
   - Create the initial directories for the root CA
   - Modify and store an OpenSSL configuration file in each CA
   - Modify the default directories to suit your structure
2  Creating a root CA
   - Copy the OpenSSL configuration file to the root CA
   - Create the root CA certificate and private key
   - Create a combined root CA private key and certificate PEM file
3  Creating subordinate CAs
   - Create the directories for the subordinate CAs
   - Provide x509 certificate information
   - Generate a CSR and server key for each subordinate CA
   - Have the root CA sign the CSR
4  Creating user keys and CSRs
   - Create the directories for the user keys and CSRs
   - Provide x509 certificate information
   - Generate a CSR and server key for each user
   - Have the appropriate subordinate CA sign the CSR
5  Verifying certificates
6  Storing a user certificate on a smart card or browser
7  Configuring the Onboard Administrator for Two-Factor Authentication with local accounts on page 230
   - Establish an OA recovery plan
   - Configure the OA session timeout
   - Install the CA chain
   - Install user certificates on the local Administrator account
   - Enable Two-Factor Authentication
   - Log in to the OA using Two-Factor Authentication
8  Enabling TFA+LDAP authentication on page 237

The following sections also include:

- Methods for specifying the subject field on a CSR
- Troubleshooting TFA+LDAP authentication problems
- CLI examples configuring a user account and certificates on page 239
- Information about CAs and certificates available from the web

Configuring the directories

This section describes the setup steps required prior to creating the root CA.

Creating a directory to represent each CA and user

The commands in the following example set up the initial directories for the root CA. A description of each directory follows. In this and subsequent examples, user input to prompts is indicated by boldface type.

NOTE: This is a tutorial for creating CAs in a simple test environment. In an actual production environment, the CA servers would be on separate servers. In this tutorial example, the CA servers are represented by separate directories on a single server.

    [~/]$ mkdir -m 0755 ~/examples
    [~/]$ mkdir -m 0755 \
        ~/examples/rootca \
        ~/examples/rootca/private \
        ~/examples/rootca/certs \
        ~/examples/rootca/newcerts \
        ~/examples/rootca/crl
    [~/]$ mkdir -m 0755 \
        ~/examples/level1ca \
        ~/examples/level1ca/private \
        ~/examples/level1ca/certs \
        ~/examples/level1ca/newcerts \
        ~/examples/level1ca/crl
    [~/]$ mkdir -m 0755 \
        ~/examples/testuser \
        ~/examples/testuser/private \
        ~/examples/testuser/certs

Directory descriptions

./private
    The location for private keys. Normally, permissions on this directory should be set to restrict read access to root (0200) or to the user account for the web server. This example starts with full read/write access for everyone (0755).
./certs
    The location for the CA certificates.
./newcerts
    The location for new signed certificates. They are stored in unencrypted PEM format with a file name format <cert_serial_number>.pem (such as 03.pem).
./crl
    The location for the certificate revocation list.

Modifying and storing an OpenSSL configuration file in each CA directory

The OpenSSL configuration file (openssl.cnf) contains the default directory structure, names, and options. On most Linux distributions, a default openssl.cnf file is located in /etc/pki/tls.

    [~/examples]$ cp -v /etc/pki/tls/openssl.cnf .
    `/etc/pki/tls/openssl.cnf' -> `./openssl.cnf'

Changing the default directories

In this example, a change is made for all CAs and users. You can use this file as a template for other directories.

    ########################################################################
    [ CA_default ]

    dir = . # CHANGE from ../../ca # Everything is stored here
    certs = $dir/certs # Issued certs are stored here

Creating a root CA

This section describes the steps for creating a root CA.

Copying the OpenSSL configuration file to the rootca directory

Copy the openssl.cnf file to the root CA directory (rootca in this example):

    [~/examples]$ cp ~/examples/openssl.cnf ~/examples/rootca/openssl-rootca.cnf
    [~/examples]$ cd ~/examples/rootca

Creating the certificate and private key

Create the root CA key and certificate (rootca-private.key and rootca.crt). In the following example, the key length is set to 2048 and the hash signature algorithm to SHA256. When prompted, enter a secure passphrase. When using the -nodes option, you may omit the passphrase. When prompted for input such as the country, state, or city, you may specify an empty field by entering a dot ("."), as shown. The -days value is missing from this copy of the guide and is shown as the placeholder <days>.

    [~/examples/rootca]$ openssl req -config ./openssl-rootca.cnf -newkey rsa:2048 -x509 -extensions v3_ca -keyout private/rootca-private.key -out certs/rootca.crt -days <days> -sha256 -nodes
    Generating a 2048 bit RSA private key
    writing new private key to 'private/rootca-private.key'
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank.
    For some fields there will be a default value,
    If you enter '.', the field will be left blank
    Country Name (2 letter code) [GB]:.
    State or Province Name (full name) [Berkshire]:.
    Locality Name (eg, city) [Newbury]:.
    Organization Name (eg, company) [My Company Ltd]:.
    Organizational Unit Name (eg, section) []:.
    Common Name (eg, your name or your server's hostname) []: My Root CA
    Email Address []:.

    [~/examples/rootca]$ ls -l private/ certs/
    certs/:
    total 4
    -rw-rw-r-- 1 xxx 1314 Nov 10 08:11 rootca.crt
    private/:
    total 4
    -rw-rw-r-- 1 xxx 1675 Nov 10 08:11 rootca-private.key

To verify that the newly created certificate is correct, view the certificate by entering the command shown in the following example:

    [~/examples/rootca]$ openssl x509 -in certs/rootca.crt -text

For a root self-signed certificate, the -issuer and -subject fields should match. To verify that they match, use the following command to display just the -issuer and -subject fields:

    [~/examples/rootca]$ openssl x509 -in certs/rootca.crt \
        -noout -issuer -subject

Creating a combined private key and certificate PEM file

A combined private key and certificate PEM file is needed when your CA cross-signs other certificates. The file is referenced by the OpenSSL configuration file. The following commands change the default directory and create the combined private key and certificate PEM file cakey.pem:

    [ ]$ cd ~/examples/rootca
    [ rootca]$ cat private/rootca-private.key certs/rootca.crt > private/cakey.pem

Creating subordinate CAs

This section describes the steps for creating server certificates that are issued (signed) by another CA.

Creating the directories for the subordinate CA

If not already present, create the directory structure to contain the subordinate CA database, as shown in the following example:

    [~/]$ mkdir -m 0755 \
        ~/examples/level1ca \
        ~/examples/level1ca/private \
        ~/examples/level1ca/certs \
        ~/examples/level1ca/newcerts \
        ~/examples/level1ca/crl

Copy the modified openssl.cnf file to the working directory, as shown:

    [~/examples]$ cp -v openssl.cnf level1ca/
    `openssl.cnf' -> `level1ca/openssl.cnf'

Providing x509 certificate information

A certificate includes numerous data items that describe the certificate. You can enter the data manually when prompted or provide the data automatically via an OpenSSL configuration file. The following example shows how to create an OpenSSL configuration file via a script file.

    #!/bin/sh
    #
    cat << _end_marker_ > openssl-level1ca.cnf
    [ req ]
    distinguished_name=req_dn
    attributes=req_attr
    prompt=no
    [ req_dn ]
    CN=level1CA

    C=US
    ST=TX
    L=Houston
    O=Development
    subjectAltName=othername:gorilla
    OU=Jungle
    surname=.
    givenName=frederick
    initials=fgg
    # dnQualifier=
    name=george of the Jungle
    [ req_attr ]
    # challengePassword=
    # unstructuredName=
    _end_marker_

Generating a CSR and new server key

This step generates a new key (-newkey) and generates a CSR that can be submitted to a CA. The new private key is stored in the -keyout location. The CSR is written to the file given by the -out parameter. For simplicity, the -nodes option is used so that the private key is not protected by a passphrase.

    [~/examples/level1ca]$ openssl req -config ./openssl-level1ca.cnf -newkey rsa:2048 -sha256 -keyout ./private/level1ca-private.key -nodes -out ./temp-level1ca.csr

Generating a CSR without generating a new key (Optional)

You may choose to generate the CSR without generating a new private key, as shown in this example:

    [~/examples/level1-ca]$ openssl req -config ./openssl-level-1-ca.cnf \
        -new -key ./level-1-ca-private.key -nodes -out ./level-1-ca.csr

Viewing the private key

To view the private key, use the command shown in the following example:

    [~/examples/level1ca]$ openssl rsa -in ./private/level1ca-private.key -text

Signing the level1ca CSR with the rootca key

After a CSR is generated (in the preceding step), it must be signed by an established CA in the chain of trust. For the first signing request (when only the root CA exists), the CSR must be signed by the root CA. Subsequent CSRs may be signed by lower-level CAs, if they have permission to do so. In this example, the root CA signs the first-level CSR (level-1-ca.csr).

Procedure

1. Go to the CA that is going to do the signing, then view the CSR and verify that you really want it signed:

    [ ]$ cd ~/examples/rootca/
    [ rootca]$ openssl req -in ../level1ca/temp-level1ca.csr -noout -text

2. Perform the following one-time setup step:

    [ rootca]$ echo '01' > serial
    [ rootca]$ touch index.txt

3. After verifying that you want to sign the CSR, have the CSR signed by issuing the following command:

    [~/examples/rootca]$ openssl ca \
        -config openssl-rootca.cnf \
        -extensions v3_ca -policy policy_anything \
        -in ../level1ca/temp-level1ca.csr \
        -cert certs/rootca.crt \
        -md sha256 \
        -keyfile private/rootca-private.key

   The signed certificate is written to ./certs/{serialnumber}.pem. The files serial and index.txt have been updated.

4. Install the certificate onto the first-level CA server, specifying the appropriate serial number (in this example, the serial number is 01).

    [ ~]$ cp ~/examples/rootca/newcerts/01.pem ~/examples/level1ca/certs/level1ca.pem

Creating user keys and CSRs

The steps for creating a new user key and CSR are similar to those for creating a CSR for a CA except you specify a different type.

Creating a directory for the user key and CSR database

If not already present, create the directory structure to contain the user key and CSR database:

    [~/]$ mkdir -m 0755 \
        ~/examples/testuser \
        ~/examples/testuser/private \
        ~/examples/testuser/certs

Copy the modified openssl.cnf file to the working directory:

    [~/examples]$ cp -v ~/examples/openssl.cnf ~/examples/testuser/
    `~/examples/openssl.cnf' -> `~/examples/testuser/openssl.cnf'

Providing x509 user certificate information

You can enter the data manually when prompted or provide the data automatically via an OpenSSL configuration file. The default configuration file is sufficient.

Generating a user CSR and new server key

This step generates a new key (-newkey) and generates a certificate request for a user. The resulting certificate will include the subject field (-subj). You can specify the subject field on the OpenSSL command line as a single parameter or populate the subject field from various fields in the openssl.cnf file. For more information, see Methods for specifying the subject field on a CSR on page 237.

The CSR is written to the file specified by the -out parameter. In the following command example, the subject field is specified as a single parameter, and the CSR is written to ./temp-test-user.csr.

    [~/examples/testuser]$ openssl req \
        -subj "/O=Hewlett-Packard Company/OU=Employment Status - Employees/OU=VPN-WEB-H/CN=Jonathan Smith/emailAddress=jonathan.smith@hp.com" \
        -config ./openssl.cnf \
        -newkey rsa:2048 -sha256 \
        -keyout ./private/test-user-private.key \
        -nodes \
        -out ./temp-test-user.csr

View the CSR and verify that it is what you want signed. The following command displays the CSR:

    [ ]$ openssl req -in ./temp-test-user.csr -text

Signing the user CSR with the level1ca key

Procedure

To sign and configure a user certificate:

1. Sign the user CSR with the level1ca key, as in the following example:

    [ ]$ cd ~/examples/level1ca/

2. View the CSR and verify that it is what you want to sign. The following command displays the CSR:

    [ level1ca]$ openssl req -in ../testuser/temp-test-user.csr -text

3. It is important to specify how the user certificate may be used. Do this using x509 extensions. For more information about x509 extensions, see the OpenSSL website ( apps/x509v3_config.html#).

   The difference between a server certificate and a user certificate is the permissions that the CA assigns to the certificate. For example, a CA certificate is typically used as an SSL server, while a user certificate needs to be used as an SSL client and smart card login.

   To specify the extensions, modify the openssl.cnf file [ usr_cert ] section, as shown in the following example. Uncomment the nsCertType and keyUsage lines as shown. The modified lines are shown in boldface type.

    [ usr_cert ]
    # These extensions are added when 'ca' signs a request.
    # This goes against PKIX guidelines but some CAs do it and some software
    # requires this to avoid interpreting an end user certificate as a CA.
    basicConstraints=critical, CA:FALSE
    # Here are some examples of the usage of nsCertType. If it is omitted
    # the certificate can be used for anything *except* object signing.
    # This is OK for an SSL server.
    # nsCertType = server
    # For an object signing certificate this would be used.
    # nsCertType = objsign
    # For normal client use this is typical
    nsCertType = client, email # Uncomment this line
    # and for everything including object signing:
    # nsCertType = client, email, objsign
    # This is typical in keyUsage for a client certificate.

    # Uncomment this line:
    keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
    # If extendedKeyUsage is specified, it MUST include all three items
    # to be used for Two-Factor authentication.
    # Client Authentication ( )
    # Code Signing ( )
    # Smart Card Login ( )
    # extendedKeyUsage=clientAuth,codeSigning,
    # This will be displayed in Netscape's comment listbox.
    nsComment = "OpenSSL Generated Certificate"
    # PKIX recommendations harmless if included in all certificates.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer
    # This stuff is for subjectAltName and issuerAltName.
    # Import the email address.
    # subjectAltName=email:copy
    # An alternative to produce certificates that aren't
    # deprecated according to PKIX.
    # subjectAltName=email:move
    # Copy subject details
    # issuerAltName=issuer:copy
    # For testing purposes we will just use some well known CR
    nsCaRevocationUrl = LatestCRL.crl
    #nsBaseUrl
    #nsRevocationUrl
    #nsRenewalUrl
    #nsCaPolicyUrl
    #nsSslServerName

4. Sign the certificate request, as in the following example:

    [level1ca]$ openssl ca -config ./openssl.cnf -extensions usr_cert -policy policy_anything -in ../testuser/temp-test-user.csr -cert certs/level1ca.pem -md sha256 -keyfile private/level1ca-private.key

5. To view the results, issue the following command:

    [ level1ca]$ openssl x509 -in newcerts/07.pem -noout -text

6. To enable certificate usage in smart cards, the keyUsage field must include sslauth and, if present, the extendedKeyUsage field must specify client authentication, code signing, and smart card login. For more information, see Troubleshooting TFA+LDAP authentication problems.

7. Give the public certificate to the user, using the following command:

    [ TestUser]$ cp -v ~/examples/level1ca/newcerts/07.pem ~/examples/testuser/certs/test-user.pem
    `../level1ca/newcerts/06.pem' -> `certs/test-user.pem'

8. Combine the public certificate and private key into a PKCS #12 file by creating a PKCS #12 certificate and providing a password (PIN) for the certificate. The user is prompted for the password (PIN). This password protects the private key contained in the PKCS #12 certificate.

    [ ]$ cd ~/examples/testuser
    [ TestUser]$ openssl pkcs12 -export -in certs/test-user.pem -inkey private/test-user-private.key -out private/test-user-private.p12

Verifying certificates

Procedure

To verify the certificates, follow these steps.

1. To verify the certificates, use the commands shown in the following example:

    [ examples]$ mkdir CA
    [ examples]$ cp -v rootca/certs/rootca.crt CA/CA.pem
    `rootca/certs/rootca.crt' -> `CA/CA.pem'
    [ examples]$ cat level1ca/certs/level1ca.pem >> CA/CA.pem
    [ examples]$ openssl verify -CAfile CA/CA.pem -verbose -purpose sslserver ./level1ca/certs/level1ca.pem
    ./level1ca/certs/level1ca.pem: OK

2. Verify that the user certificate is not an SSL server by using the following command:

    [examples]$ openssl verify -CAfile CA/CA.pem -verbose -purpose sslserver ./testuser/certs/test-user.pem
    ./testuser/certs/test-user.pem: /O=Hewlett-Packard Company/OU=Employment Status - Employees/OU=VPN-WEB-H/CN=Jonathan Smith/emailAddress=jonathan.smith@hp.com
    error 26 at 0 depth lookup:unsupported certificate purpose
    OK

3. Verify that the user certificate can be used for an SSL client by using the following command:

    [user1@user1-station examples]$ openssl verify -CAfile CA/CA.pem -verbose -purpose sslclient ./testuser/certs/test-user.pem
    ./testuser/certs/test-user.pem: OK

Storing a user certificate on a smart card or browser

This section explains how to store a user certificate on a smart card or browser. The browser information in this section is based on Microsoft Internet Explorer.

Microsoft Internet Explorer does not support PEM formatted files. Create a .p12 certificate that contains both the private and public keys, using a command such as the following:

    [ TestUser]$ openssl pkcs12 -export -in certs/test-user.pem -inkey private/test-user-private.key -out private/test-user-private.p12

Procedure

To install the .p12 certificate using Internet Explorer 8, follow these steps:

1. Access the Internet Explorer Internet Certificate Wizard by clicking Tools > Internet Options > Content > Certificates:

2. Click Next.
3. Click Browse...
   a. Locate the directory that contains the .p12 certificate file.
   b. Change the file type to Personal Information Exchange (.p12).
   c. Select the appropriate .p12 certificate file.
4. Select the .p12 file and click Next.
5. Enter the password specified when the PKCS#12 file was created. See Signing the user CSR with the level1ca key on page 226. Accept the default check box values and click Next.

6. The Certificate Store window appears. Click Next.
7. To complete the Wizard installation import process, click Finish.
8. The next window informs you that an application is creating a protected item and indicates the security level set for that item. Click OK.
9. The wizard informs you that the import was successful. Click OK.

Configuring the Onboard Administrator for Two-Factor Authentication with local accounts

This section provides an example showing how to configure the OA to enforce Two-Factor Authentication.

Establishing an Onboard Administrator recovery plan

Hewlett Packard Enterprise recommends establishing a recovery plan prior to configuring the OA for two-factor certificate authentication. If something goes wrong with the configuration, the OA configuration may be recovered by accessing the USB key drive either through the serial port or the Insight Display panel. Both methods require physical access to the OA.

IMPORTANT: If an LCD PIN has been configured (and forgotten), and local accounts have been disabled or TFA has been incorrectly configured, then the only way to recover is through a serial port. See Connecting a PC to the OA serial port.

The two most common situations where OA recovery is needed are when LDAP has been configured with local accounts disabled or when Two-Factor Authentication has been configured without certificate access (keyUsage).

Recovering via Insight Display and USB key

To recover the OA via USB key, create a configuration file on the USB key to restore the needed settings. You can either set up the file to reset only what is needed to regain access or to completely restore factory settings:

GAIN_ACCESS.CFG (reset only what is needed to regain access):

    DISABLE TWOFACTOR
    DISABLE LDAP
    SET USER PASSWORD Administrator My.Password123

SET_FACTORY.CFG (reset to factory defaults):

    SET FACTORY

To recover a configuration:

Procedure

1. Insert the USB key that contains the configuration file into the USB port of the OA.
2. Using the Insight Display, navigate to the main menu, select USB Key Menu and click OK.
3. Select Restore Configuration, then click OK.
4. Select the listed configuration file, then click OK.
5. The Confirm Operation screen appears. Click OK.

Recovering via serial console

Procedure

To recover the OA via the serial port, follow these steps:

1. Ensure that you have the appropriate cables and software to connect to the OA serial port. The default serial connection setting is 9600, 8, N, 1. For more information about the serial port pinout signals, see Connecting a PC to the OA serial port.
2. Press and hold the Reset button for five seconds.
3. On the serial console, when you are prompted for Flash Recovery or Reset Password, press the L key (Lost Password). The console displays the built-in Administrator account password and local logins are enabled.

Configuring the Onboard Administrator session timeout

By default, if a user session is inactive for one day (1440 minutes), a timeout occurs. Reduce this setting to a value that is suitable for your security policy. For testing purposes, you can set the timeout value to a minimum of 10 minutes. To modify the timeout setting, use the OA GUI or a CLI command. Valid timeout values are 0 (which disables the timeout), or an integer ranging from 10 to

Using the GUI

1. Navigate to the Signed in Users screen (Enclosure Information > Users/Authentication > Signed in Users) and select the Session Options tab.
2. Modify the Session Timeout field.
3. Click Apply.

Using the CLI

Use the following command, where <timeout-value> is the number of minutes:

    SET SESSION TIMEOUT <timeout-value>

Installing the CA chain for TFA

A certificate chain consists of all the certificates needed to certify the subject identified by the end certificate. In practice, this includes the end certificate, the certificates of intermediate CAs, and the certificate of the root CA trusted by all parties in the chain. Every intermediate CA in the chain holds a certificate issued by the CA that is one level above it in the trust hierarchy. The root CA issues a certificate for itself. This section describes how to install CAs for Two-Factor Authentication.

IMPORTANT: Two-Factor Authentication and LDAP have separate repositories for CAs. Do not confuse them with one another.

Procedure

To install CA certificates for Two-Factor Authentication, you can use the OA GUI as follows:

1. Navigate to the Two-Factor Authentication screen: Enclosure Information > Users/Authentication > Two-Factor Authentication.
2. Click the Certificate Upload tab. The Certificate Upload screen appears.
3. Copy and paste the root CA certificate into the text box provided by the Certificate Upload screen. The certificate includes beginning and ending delimiters, as shown:

    -----BEGIN CERTIFICATE-----
    MIIDkTCCAnmgAwIBAgIJALg8cO2Ikvr8MA0GCSqGSIb3DQEBBQUAMDkxDDAKBgNV
    BAMTA2NhMDEUMBIGCgmSJomT8ixkARkWBHRlc3QxEzARBgoJkiaJk/IsZAEZFgNj
    ...
    Ob6IFCSUTKbCVT95cYTRHiSbgBYaqDXBJk3Lyjvtb7ZovmMT5dnU/w061wV5MEce
    RZfXH3U=
    -----END CERTIFICATE-----

4. Click Upload. After the certificate is uploaded successfully, the Certificate Information tab displays.
5. Add an intermediate or end CA in the chain:
   a. Return to the Certificate Upload tab.
   b. Copy and paste the next CA certificate into the text box provided.
   c. Click Upload. After the certificate is successfully uploaded, the Certificate Information tab appears. In this example, the CA1 certificate was issued by the root CA CA0.

   d. To install additional CAs, repeat steps a through c for each CA.

CLI commands for administrating certificates

You can use the following CLI commands to add, download, display, and remove certificates. For more information, see the HPE Integrity Superdome X and Superdome 2 Onboard Administrator Command Line Interface User Guide.

    ADD CA CERTIFICATE
    DOWNLOAD CA CERTIFICATE
    SHOW CA CERTIFICATE
    REMOVE CA CERTIFICATE

Installing user certificates on the local Administrator account

Procedure

Install a user certificate on the OA administrator account, following these steps:

1. Navigate to the Local Users Administrator screen (Edit Local User): Enclosure Information > Users/Authentication > Local Users > Administrator.
2. Click the Certificate Information tab. If an Administrator certificate has not yet been installed, the Certificate Information screen appears with an empty text box. Copy and paste the appropriate user certificate into the text box.

3. Click Upload. After the certificate is uploaded successfully, the Certificate Information tab displays.

Enabling Two-Factor Authentication

Procedure

After successfully uploading CA certificates for Two-Factor Authentication and uploading a user certificate for at least one OA administrator account, you may enable Two-Factor Authentication:

1. Navigate to the Two-Factor Authentication Settings tab (Enclosure Information > Users/Authentication > Local Users > Two-Factor Authentication).
2. Select the Enable Two-Factor Authentication check box. If you are using Two-Factor Authentication in combination with LDAP, use the Certificate Owner field to specify whether the OA uses the subject alternative name field (SAN) or the certificate subject field (Subject). For more information about using Two-Factor Authentication with LDAP, see TFA+LDAP Authentication on page 236.

3. Click Apply.

Logging into the Onboard Administrator web GUI using Enabling Two-Factor Authentication

Browse to the OA web GUI and click the appropriate user certificate. The browser should ask you to confirm the certificate. The certificate is necessary for establishing an SSL/TLS session with the OA. If the connection is made successfully, you will be logged in to the OA as a local user. If problems occur, refer to Troubleshooting TFA+LDAP authentication problems.

TFA+LDAP Authentication

In addition to normal two-factor authentication, the OA also supports TFA+LDAP authentication. In this mode, the user must:

- Have a user certificate installed on the OA
- Know the PIN to the certificate
- Know the associated LDAP password

The advantages of TFA+LDAP authentication are:

- Greater security is gained, as three items are required to authenticate instead of two.
- Authorization (access permission) is managed using LDAP groups instead of mapping user certificates to individual local OA user accounts.

How TFA+LDAP authentication works

If LDAP is configured and the Two-Factor Authentication user certificate is not mapped to a local OA user account, then when a user attempts to log in to the OA GUI login page, the OA extracts a user ID from the user certificate and prompts the user for the LDAP password.

The LDAP user name is extracted from either the subject or subject alternative name field of the certificate and is visible in the OA login page, depending on your selection made on the Two-Factor Authentication Settings tab. For more information, see Enabling Two-Factor Authentication on page 235.

If subject is selected, then the user name is formatted according to RFC 2253 to create an FQDN. If SAN (subject alternative name) is selected, the OA uses the first SAN field in the certificate that is of type , OTHERNAME, DNS, or URI. The CA controls the order and content of subject alternative name fields during the signing process. You cannot change the name used in the GUI.
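A pre-upload check for the chain and user certificate described above, run on an administrator workstation with the openssl command-line tool. This is an added example, not part of the HPE guide and not OA commands; the throwaway CA0, CA1 and user certificates, their subjects, SAN values and file names are all constructed for illustration.

```shell
#!/bin/sh
# Added example: check a TFA certificate chain before pasting it into the OA.
# Every subject, SAN value and file name below is a constructed lab value.
set -eu

# Build a throwaway PKI in directory $1: CA0 (root) -> CA1 (intermediate) -> user.
make_lab_pki() {
  d=$1
  cat > "$d/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_user]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = URI:urn:example:user:jdoe,DNS:jdoe.example.test
EOF
  # The root CA issues a certificate for itself.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/lab.cnf" \
    -extensions v3_ca -subj "/DC=test/DC=example/CN=CA0" \
    -keyout "$d/ca0.key" -out "$d/ca0.pem" 2>/dev/null
  # CA1 holds a certificate issued by CA0, one level above it.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/lab.cnf" \
    -subj "/DC=test/DC=example/CN=CA1" \
    -keyout "$d/ca1.key" -out "$d/ca1.csr" 2>/dev/null
  openssl x509 -req -in "$d/ca1.csr" -CA "$d/ca0.pem" -CAkey "$d/ca0.key" \
    -set_serial 2 -days 2 -extfile "$d/lab.cnf" -extensions v3_ca \
    -out "$d/ca1.pem" 2>/dev/null
  # The end (user) certificate is issued by CA1.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/lab.cnf" \
    -subj "/DC=test/DC=example/OU=Users/CN=jdoe" \
    -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
  openssl x509 -req -in "$d/user.csr" -CA "$d/ca1.pem" -CAkey "$d/ca1.key" \
    -set_serial 3 -days 2 -extfile "$d/lab.cnf" -extensions v3_user \
    -out "$d/user.pem" 2>/dev/null
}

# Subject and issuer in RFC 2253 form (most specific RDN first).
subject_rfc2253() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}
issuer_rfc2253() {
  openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^issuer= *//'
}

# SAN entries in the order the CA wrote them into the certificate.
san_list() {
  openssl x509 -noout -text -in "$1" |
    awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print }'
}

# chain_ok USER_CERT CA_PEM...: succeeds only if the user certificate chains
# to a self-signed root using nothing but the CA files given, and is usable
# for TLS client authentication.
chain_ok() {
  leaf=$1; shift
  bundle=$(mktemp)
  cat "$@" > "$bundle"
  if openssl verify -purpose sslclient -CAfile "$bundle" "$leaf" >/dev/null 2>&1
  then rc=0; else rc=1; fi
  rm -f "$bundle"
  return $rc
}

LAB=$(mktemp -d)
make_lab_pki "$LAB"

echo "upload order (root first):"
for c in ca0 ca1; do
  echo "  $c: subject=$(subject_rfc2253 "$LAB/$c.pem") issuer=$(issuer_rfc2253 "$LAB/$c.pem")"
done
echo "user subject (RFC 2253): $(subject_rfc2253 "$LAB/user.pem")"
echo "user SAN entries, in order: $(san_list "$LAB/user.pem")"
chain_ok "$LAB/user.pem" "$LAB/ca0.pem" "$LAB/ca1.pem" && echo "CA0 + CA1: chain complete"
chain_ok "$LAB/user.pem" "$LAB/ca0.pem" || echo "CA0 only: chain incomplete, CA1 missing"
```

With real certificates, skip make_lab_pki and point the three helper functions at the PEM files exported from your CA; a failure of chain_ok means a CA certificate is missing from the set you intend to upload.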


More information

Managing HP BladeSystem c-class systems

Managing HP BladeSystem c-class systems Managing HP BladeSystem c-class systems technology brief, 2 nd edition Abstract... 2 Introduction... 2 HP BladeSystem c-class Enclosure... 2 HP Onboard Administrator... 3 Insight Display... 4 Configuring

More information

Intel Entry Storage System SS4000-E

Intel Entry Storage System SS4000-E Intel Entry Storage System SS4000-E Software Release Notes January 2007 Storage Systems Technical Marketing Engineering Document Revision History Intel Entry Storage System SS4000-E Document Revision History

More information

Quick Setup & Getting Started Business PCs

Quick Setup & Getting Started Business PCs Quick Setup & Getting Started Business PCs Copyright 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Microsoft, Windows, and Windows

More information

THE HP Storageworks X510 Data Vault

THE HP Storageworks X510 Data Vault THE HP Storageworks X510 Data Vault REVIEWER S GUIDE STORe it. SECURE it. SHARE it. October 2009 introducing the NEW THE HP Storageworks X510 Data Vault If, like many small business firms, you are sharing

More information

HPE FlexFabric 5950 Switch Series

HPE FlexFabric 5950 Switch Series HPE FlexFabric 5950 Switch Series About the HPE FlexFabric 5950 Configuration Guides Part number: 5200-0808 Software version: Release 6106 and later Document version: 6W100-20160513 Copyright 2016 Hewlett

More information

8-Port Gigabit Ethernet Smart Managed Plus Switch with 2-Port 10G/Multi-Gig Uplinks User Manual

8-Port Gigabit Ethernet Smart Managed Plus Switch with 2-Port 10G/Multi-Gig Uplinks User Manual 8-Port Gigabit Ethernet Smart Managed Plus Switch with 2-Port 10G/Multi-Gig Uplinks User Manual Model GS110EMX December 2017 202-11810-03 350 E. Plumeria Drive San Jose, CA 95134 USA Support Thank you

More information

HP BladeSystem c-class Server Blades OpenVMS Blades Management. John Shortt Barry Kierstein Leo Demers OpenVMS Engineering

HP BladeSystem c-class Server Blades OpenVMS Blades Management. John Shortt Barry Kierstein Leo Demers OpenVMS Engineering HP BladeSystem c-class Server Blades OpenVMS Blades Management John Shortt Barry Kierstein Leo Demers OpenVMS Engineering 1 19 March 2009 Agenda Overview c-class Infrastructure Virtual Connect Updating

More information

HP Enterprise Secure Key Manager Configuration Guide for HP Tape Libraries

HP Enterprise Secure Key Manager Configuration Guide for HP Tape Libraries HP Enterprise Secure Key Manager Configuration Guide for HP Tape Libraries Abstract This document provides information about configuring the HP Enterprise Secure Key Manager (ESKM) for use with HP tape

More information

CM500 High Speed Cable Modem User Manual

CM500 High Speed Cable Modem User Manual User Manual February 2015 202-11477-03 350 East Plumeria Drive San Jose, CA 95134 USA Support Thank you for selecting NETGEAR products. After installing your device, locate the serial number on the label

More information