white paper v1 - hammer huawei - home · 1.1 introduction to ibmc as a huawei's proprietary...

HUAWEI Server iBMC Intelligent ManagementSystem

White Paper V1.1

Issue 02

Date 2015-02-13

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2015. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior writtenconsent of Huawei Technologies Co., Ltd. Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.All other trademarks and trade names mentioned in this document are the property of their respective holders. NoticeThe purchased products, services and features are stipulated by the contract made between Huawei and thecustomer. All or part of the products, services and features described in this document may not be within thepurchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,and recommendations in this document are provided "AS IS" without warranties, guarantees or representationsof any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in thepreparation of this document to ensure accuracy of the contents, but all statements, information, andrecommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.Address: Huawei Industrial Base

Bantian, LonggangShenzhen 518129People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Issue 02 (2015-02-13) Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

i

http://www.huawei.com

mailto:[email protected]

Contents

1 Overview.........................................................................................................................................11.1 Introduction to iBMC.....................................................................................................................................................21.2 System Design................................................................................................................................................................3

2 Functions.........................................................................................................................................42.1 Various Management Interfaces.....................................................................................................................................62.1.1 Standard IPMI 1.5 or IPMI 2.0 Interface.....................................................................................................................62.1.2 CLI...............................................................................................................................................................................82.1.3 HTTPS Interface..........................................................................................................................................................92.1.4 SNMP Interface.........................................................................................................................................................102.2 Fault Detection and Alarm Management......................................................................................................................122.2.1 Fault Detection..........................................................................................................................................................122.2.2 System Running Recorder.........................................................................................................................................122.2.3 Startup Self-Check Code...........................................................................................................................................132.2.4 Event Management....................................................................................................................................................142.2.5 Fault Reporting..........................................................................................................................................................152.3 Virtual KVM and Virtual Media..................................................................................................................................162.3.1 Virtual KVM..............................................................................................................................................................172.3.2 Virtual Media.............................................................................................................................................................182.4 HTTPS-based Visualization Management Interface....................................................................................................202.4.1 Viewing System Information.....................................................................................................................................202.4.2 Querying System Information...................................................................................................................................212.4.3 Real-Time Monitoring...............................................................................................................................................222.4.4 Device Location.........................................................................................................................................................252.5 Breakdown Screenshot and Breakdown Video............................................................................................................252.5.1 Breakdown Screenshot..............................................................................................................................................252.5.2 Breakdown Video......................................................................................................................................................262.6 Screen Snapshot and Screen Video..............................................................................................................................272.6.1 Screen Snapshot.........................................................................................................................................................272.6.2 Screen Video..............................................................................................................................................................292.7 Domain Management and Directory Service...............................................................................................................302.7.1 Domain Management................................................................................................................................................302.7.2 Directory Service.......................................................................................................................................................31

HUAWEI Server iBMC Intelligent Management SystemWhite Paper V1.1 Contents


ii

2.8 Firmware Management.................................................................................................................................................342.8.1 Firmware Dual-image Backup...................................................................................................................................342.8.2 Firmware Upgrade.....................................................................................................................................................342.9 Intelligent Power Management.....................................................................................................................................352.9.1 Power Control............................................................................................................................................................352.9.2 Power Capping..........................................................................................................................................................362.9.3 Power Statistics and Power History Line..................................................................................................................372.10 SOL and System Serial Port Running Information Record........................................................................................382.10.1 SOL..........................................................................................................................................................................382.10.2 Recording System Serial Port Information..............................................................................................................382.11 Security Management.................................................................................................................................................392.11.1 Scenario-based Login Restriction............................................................................................................................392.11.2 Account Security.....................................................................................................................................................402.11.3 SSL Certificate Management...................................................................................................................................412.11.4 Service Management...............................................................................................................................................422.11.5 Operation Log Management....................................................................................................................................432.11.6 Enhanced Encryption Algorithm.............................................................................................................................442.11.7 Hardware Encryption...............................................................................................................................................452.12 Access Management...................................................................................................................................................452.12.1 Management Network Port Auto-Adaptation..........................................................................................................452.12.2 NC-SI.......................................................................................................................................................................462.12.3 IPv6..........................................................................................................................................................................472.13 Unified User Management..........................................................................................................................................48

3 Technical Specifications.............................................................................................................50

HUAWEI Server iBMC Intelligent Management SystemWhite Paper V1.1 Contents


iii

Figures

Figure 1-1 System architecture................................................................................................................................3Figure 2-1 iBMC management interfaces................................................................................................................6Figure 2-2 System running recorder......................................................................................................................12Figure 2-3 Downloading black box data...............................................................................................................13Figure 2-4 Startup self-check code page................................................................................................................13Figure 2-5 System Events page.............................................................................................................................14Figure 2-6 SNMP trap configuration page............................................................................................................16Figure 2-7 SMTP configuration page....................................................................................................................16Figure 2-8 Remote console....................................................................................................................................17Figure 2-9 Virtual KVM in iBMC.........................................................................................................................18Figure 2-10 Virtual media in the iBMC................................................................................................................19Figure 2-11 Entering the iBMC IP address...........................................................................................................20Figure 2-12 iBMC login page................................................................................................................................20Figure 2-13 Overview page...................................................................................................................................21Figure 2-14 Firmware Version page......................................................................................................................22Figure 2-15 System Hardware page......................................................................................................................22Figure 2-16 Real-time data page............................................................................................................................23Figure 2-17 Sensor page........................................................................................................................................24Figure 2-18 Device Location page.........................................................................................................................25Figure 2-19 Rule of the breakdown screenshot.....................................................................................................25Figure 2-20 Breakdown screenshot.......................................................................................................................26Figure 2-21 Video playback console.....................................................................................................................27Figure 2-22 Obtaining screen snapshots................................................................................................................28Figure 2-23 Enabling/Disabling the screen video function...................................................................................29Figure 2-24 Video playback console.....................................................................................................................30Figure 2-25 Configuring DNS parameters............................................................................................................31Figure 2-26 Host Name page.................................................................................................................................31Figure 2-27 Directory service work process..........................................................................................................32Figure 2-28 LDAP User page................................................................................................................................33Figure 2-29 Firmware Upgrade page.....................................................................................................................34Figure 2-30 Firmware Upgrade page.....................................................................................................................35Figure 2-31 Power Control....................................................................................................................................36

HUAWEI Server iBMC Intelligent Management SystemWhite Paper V1.1 Figures


iv

Figure 2-32 Power Capping page..........................................................................................................................37Figure 2-33 Power Statistics page.........................................................................................................................37Figure 2-34 Power History page............................................................................................................................38Figure 2-35 SOL....................................................................................................................................................38Figure 2-36 Recording system serial port information..........................................................................................39Figure 2-37 Setting WebUI login rules.................................................................................................................40Figure 2-38 Account security configuration..........................................................................................................40Figure 2-39 SSL certificate management page......................................................................................................41Figure 2-40 SNMP configurations page................................................................................................................42Figure 2-41 Service configuration page.................................................................................................................43Figure 2-42 Viewing operation logs......................................................................................................................44Figure 2-43 Management network connection......................................................................................................46Figure 2-44 Configuring network port auto-adaptation.........................................................................................46Figure 2-45 NS-CI framework...............................................................................................................................47Figure 2-46 NS-CI data flow diagram...................................................................................................................47Figure 2-47 IPv6 address configuration screen.....................................................................................................48Figure 2-48 User management page......................................................................................................................49

HUAWEI Server iBMC Intelligent Management SystemWhite Paper V1.1 Figures


v

Tables

Table 2-1 Operating environment of clients..........................................................................................................10Table 2-2 System event parameters.......................................................................................................................15Table 2-3 OSs not supporting mouse synchronization (The OSs include, but not limited to the OSs in the table)................................................................................................................................................................................18Table 2-4 Threshold sensor parameters.................................................................................................................24Table 2-5 Encryption algorithms...........................................................................................................................44

HUAWEI Server iBMC Intelligent Management SystemWhite Paper V1.1 Tables


vi

1 Overview

About This Chapter

1.1 Introduction to iBMC

1.2 System Design

HUAWEI Server iBMC Intelligent Management SystemWhite Paper V1.1 1 Overview


1

1.1 Introduction to iBMCAs a Huawei's proprietary intelligent management system, the integrated baseboard managementcontroller (iBMC) remotely manages servers,And the previous-generation BMC is iMana.iBMC complies with Intelligent Platform Management Interface 2.0 (IPMI 2.0) standards andSimple Network Management Protocol (SNMP). It provides various functions, includingkeyboard, video, and mouse (KVM) redirection, text console redirection, remote virtual media,and reliable hardware monitoring and management. iBMC supports various features, which aredescribed as follows:

l Various management interfaces

iBMC provides IPMI, command-line interface (CLI), Hypertext Transfer Protocol Secure(HTTPS), and SNMP interfaces, meeting various system integration requirements.

l Compliance with IPMI 1.5 and IPMI 2.0

iBMC provides standard IPMI management interfaces, which allow integration withstandard management systems.

l Fault detection and alarm management

iBMC implements fault detection and alarm management, ensuring stable uninterrupted24/7 system operation.

l Virtual KVM and virtual media

iBMC provides virtual KVM and virtual media, facilitating remote maintenance.

l Web-based user interface (WebUI)

iBMC provides the web-based UI, helping you rapidly set and query device information.

l Breakdown screenshots and videos

iBMC allows screenshots and videos to be created when the system collapses. Thescreenshots and videos help to identify the cause of system breakdown.

l Screen snapshots and videos

iBMC offers screen snapshots and videos, which simplify routine preventive maintenance,recording, and auditing.

l Support for DNS and LDAP

iBMC supports domain name system (DNS) and Lightweight Directory ApplicationProtocol (LDAP) to implement domain management and directory service. This featuresimplifies the server management network.

l Dual-image backup

iBMC provides software dual-image backups, which allows software to restart from thebackup image when a failure occurs. This feature enhances system security.

l Asset management

iBMC facilitates asset management.

l Intelligent power management

iBMC uses the power capping technology to improve deployment density and uses dynamicpower saving to reduce the operational expenditure (OPEX).

l Security management



2

iBMC implements security management in terms of access, account, transmission, andstorage. This feature ensures the server security.

1.2 System Design

Figure 1-1 shows the iBMC system architecture, iBMC uses the Hi1710 chip developed byHuawei Hisilicon. Hi1710 is used for board-level management based on the x86 CPU platform.It consists of a single-core A9 CPU with a maximum dominant frequency of 800 MHz, an 8051single-chip microcomputer, and a co-processor with a dominant frequency of 200 MHz. Hi1710supports remote KVM, IPMI, and PCIe for receiving and transmitting MCTP packets. It providesthe local VGA, GE, and RMII ports, as well as peripheral ports and other ports for board-levelmanagement. The following provide details about the Hi1710:

l The KVM module implements remote keyboard and mouse control. When the KVMmodule receives video data from x86 systems over the video graphics array (VGA) port,it compresses the video data and sends the compressed data to a remote KVM client overthe network. When the KVM module receives keyboard and mouse data from the remoteKVM client, it transmits the data to x86 systems by using a simulated USB keyboard andmouse device.

l iBMC uses a system running recorder (black box) to receive data from x86 systems overthe Peripheral Component Interconnect Express (PCIe) interface and to export the recordedinformation.

l iBMC communicates with x86 systems through a local PC interface to implement IPMImanagement.

l iBMC provides GE interfaces, through which remote management is performed over thenetwork using IPMI and HTTPS.

l iBMC uses sensors to monitor the temperature and voltage of servers. It also intelligentlymanages the fan modules and power supply units (PSUs) of servers.

l iBMC supports the network controller sideband interface (NC-SI) technology and VLANfunction, which allow more flexible management networking.

Figure 1-1 System architecture



3

2 Functions

About This Chapter

iBMC provides diversified functions to improve management efficiency and reduce the OPEX.

l As a Huawei home-grown intelligent management system, iBMC serves as the advancedsoftware for remotely managing servers. It supports KVM redirection, text consoleredirection, remote virtual media (mapping the DVD-ROM drive and floppy disk drive(FDD) from the terminal to the server), and IPMI 2.0-based hardware monitoring andmanagement. iBMC is designed based on the carrier-class reliability requirements andsupports dual-image backups for software.iBMC provides various user interfaces, such as the CLI, Web-based UI, IPMI integratedinterfaces, and SNMP integrated interfaces. All user interfaces adopt an authenticationmechanism and a highly secure encryption algorithm, ensuring access and transmissionsecurity.

l iBMC not only monitors servers, but also provides diversified alarms and detailed logs.For example, the logs contain the CPU core temperatures, voltages, fan speed, PSU faults,and bus faults. In addition, the iBMC allows you to query the information about CPUs,memory, and hard disks.

l When a server breaks down, iBMC automatically saves the last information displayed onthe screen, which is used for fault identification. iBMC allows a third party to set regularor periodical tasks for capturing screenshots, which requires no manual intervention andsaves maintenance time.

2.1 Various Management Interfaces

2.2 Fault Detection and Alarm Management

2.3 Virtual KVM and Virtual Media

2.4 HTTPS-based Visualization Management Interface

2.5 Breakdown Screenshot and Breakdown Video

2.6 Screen Snapshot and Screen Video

2.7 Domain Management and Directory Service

2.8 Firmware Management

HUAWEI Server iBMC Intelligent Management SystemWhite Paper V1.1 2 Functions


4

2.9 Intelligent Power Management

2.10 SOL and System Serial Port Running Information Record

2.11 Security Management

2.12 Access Management

2.13 Unified User Management



5

2.1 Various Management InterfacesiBMC is an out-of-band standalone management system, which complies with the industrymanagement standards. It is a subnode on the data center management network and manages,controls, and diagnoses servers. It provides various man-machine interfaces and machine-machine interfaces, meeting application and integration requirements for server management.

Figure 2-1 iBMC management interfaces

2.1.1 Standard IPMI 1.5 or IPMI 2.0 InterfaceiBMC complies with IPMI 1.5 and IPMI 2.0 standards. It effectively manages servers by usingthird-party tools, such as IPMITool, through a LPC-based Block Transfer (BT) or local areanetwork (LAN) User Datagram Protocol (UDP) or Internet Protocol (IP). If BT channels areused, the third-party tools must run on the operating system (OS) of the server. If LAN channelsare used, the third-party tools can remotely manage servers. iBMC uses the AES-CBC-128encryption algorithm and the HMAC-SHA1 algorithm for authentication and integrityverification. The third-party tools must support Windows or Linux.

The following describes the ipmitool command.

l ipmitool command syntax: ipmitool [interface] [parameter] <command>

l ipmitool interfaces:Interfaces:open Linux OpenIPMI Interface [default]imb Intel IMB Interfacelan IPMI v1.5 LAN Interfacelanplus IPMI v2.0 RMCP+ LAN Interface

l ipmitool parameters:



6

Parameters:-h This help-V Show version information-v Verbose (can use multiple times)-c Display output in comma separated format-d N Specify a /dev/ipmiN device to use (default=0)-I intf Interface to use-H hostname Remote host name for LAN interface-p port Remote RMCP port [default=623]-U username Remote session username-f file Read remote session password from file-S sdr Use local file for remote SDR cache-a Prompt for remote password-e char Set SOL escape character-C ciphersuite Cipher suite to be used by lanplus interface-k key Use Kg key for IPMIv2 authentication-y hex_key Use hexadecimal-encoded Kg key for IPMIv2 authentication-L level Remote session privilege level [default=ADMINISTRATOR] Append a '+' to use name/privilege lookup in RAKP1-A authtype Force use of auth type NONE, PASSWORD, MD2, MD5 or OEM-P password Remote session password-E Read password from IPMI_PASSWORD environment variable-K Read kgkey from IPMI_KGKEY environment variable-m address Set local IPMB address-b channel Set destination channel for bridged requestt address Bridge request to remote target address-B channel Set transit channel for bridged request (dual bridge)-T address Set transit address for bridge request (dual bridge)-l lun Set destination lun for raw commands-o oemtype Setup for OEM (use 'list' to see available OEM types)-O seloem Use file for OEM SEL event descriptions

l ipmitool commands:Commands:raw Send a RAW IPMI request and print responsei2c Send an I2C Master Write-Read command and print responsespd Print SPD info from remote I2C devicelan Configure LAN Channelschassis Get chassis status and set power statepower Shortcut to chassis power commandsevent Send pre-defined events to MCmc Management Controller status and global enablessdr Print Sensor Data Repository entries and readingssensor Print detailed sensor informationfru Print built-in FRU and scan SDR for FRU locatorsgendev Read/Write Device associated with Generic Device locators sdrsel Print System Event Log (SEL)pef Configure Platform Event Filtering (PEF)sol Configure and connect IPMIv2.0 Serial-over-LANtsol Configure and connect with Tyan IPMIv1.5 Serial-over-LAN



7

isol Configure IPMIv1.5 Serial-over-LANuser Configure Management Controller userschannel Configure Management Controller channelssession Print session informationsunoem OEM Commands for Sun serverskontronoem OEM Commands for Kontron devicespicmg Run a PICMG/ATCA extended cmdfwum Update IPMC using Kontron OEM Firmware Update Managerfirewall Configure Firmware Firewalldelloem OEM Commands for Dell systemsshell Launch interactive IPMI shellexec Run list of commands from fileset Set runtime variable for shell and exechpm Update HPM components using PICMG HPM.1 fileekanalyzer Run FRU-Ekeying analyzer using FRU files

l For example, to query all the local users on iBMC, run the following command:BT-based ipmitool command: ipmitool user listLAN-based ipmitool command: ipmitool -H *.*.*.* -I lanplus -U <user name> -P<password> user list 1– H: Enter the IP address of the iBMC network port after H.– I: Enter a transmission protocol after I. lan indicates non-encryption. lanplus indicates

encryption.– U: Enter the local user name after U.– P: Enter the password for a local user after P.

2.1.2 CLIiBMC offers the easy-to-use CLI and supports two basic commands: ipmcget and ipmcset.iBMC uses these two commands to remotely manage servers. You can log in to iBMC over SSHand Telnet to run the two commands.

l ipmcget command syntax:Usage: ipmcget [-t target] -d dataitem [-v value]-t <target>fru0 Get the information of the fru0sensor Print detailed sensor informationsmbios Get the information of smbiostrap Get SNMP trap statusservice Get service information

-d <dataitem>faninfo Get fan mode and the percentage of the fan speedport80 Get the diagnose code of port 80diaginfo Get diagnostic info of management subsystemsystemcom Get system com datablackbox Get black box databootdevice Get boot deviceshutdowntimeout Get graceful shutdown timeout valuepowerstate Get power statehealth Get health statushealthevents Get health eventssel Print System Event Log (SEL)operatelog Print operation logversion Get iBMC version



8

serialnumber Get system serial numberuserlist List all user infofruinfo Get fru informationtime Get system timemacaddr Get mac addressserialdir Get currently connected serial directionrollbackstatus Get rollback statuspasswordcomplexity Get password complexity check enable stateledinfo Get led informationipinfo Get ip informationethport Get usable eth port

l ipmcset command syntax:Usage: ipmcset [-t target] -d dataitem [-v value]-t <target>fru0 Operate with fru0trap Operate SNMP trapservice Operate with serviceuser Operate with user

-d <dataitem>fanmode Set fan mode,you can choose manual or autofanlevel Set fan speed percentreset Reboot iBMC systemidentify Operate identify ledupgrade Upgrade componentclearcmos Clear CMOSbootdevice Set boot deviceshutdowntimeout Set graceful shutdown timeout valuefrucontrol Fru controlpowerstate Set power statesel Clear SELadduser Add userpassword Modify user passworddeluser Delete userprivilege Set user privilegeserialdir Set serial directionprintscreen Print current screen to iBMCrollback Perform a manual rollbacktimezone Set time zonepasswordcomplexity Set password complexity check enable stateipaddr Set ip addressipmode Set ip modegateway Set gatewayipaddr6 Set ipv6 addressipmode6 Set ipv6 modegateway6 Set ipv6 gatewaynetmode Set net modeactiveport Set EthGroup active portvlan Set sideband vlanrestore Restore factory settingnotimeout Set no timeout stateemergencyuser Set emergency user

2.1.3 HTTPS InterfaceiBMC offers visual web-based UI for management by using HTTPS.

l You can quickly set parameters and query tasks on the UI.



9

l iBMC monitors the OS startup, OS operations, and DVD-ROM drive or FDD mappingover a remote console.

Open Internet Explorer, enter the IPv4 or IPv6 address or domain name of the iBMC networkport in the address box, and press Enter. The login page is displayed. Enter a local user accountor LDAP domain account to log in to the iBMC Web.

Table 2-1 lists the OSs, browsers, and Java runtime environment (JRE) supported by the iBMCWeb.

Table 2-1 Operating environment of clients

RunningEnvironment

Configuration Requirement

OS Windows 7 32-bit or 64-bit

Windows 8 32-bit or 64-bit

Windows Server 2008 R2 64-bit

Windows Server 2012 64-bit

Red Hat Enterprise Linux 4.3 64-bit

Red Hat Enterprise Linux 6.0 64-bit

Mac OS X v10.7

Web browser Internet Explorer 8.0 and 10.0 (applicable only to Windows)

Mozilla Firefox 9.0 or 23.0

Chrome 13.0 and 31.0 (applicable only to Windows)

Safari 5.1 (applicable only to Mac)

JRE JRE 1.6.0 U25 or 1.7.0 U40

2.1.4 SNMP InterfaceSNMP is a communication protocol between Network Management Services (NMSs) andAgents. It defines the standard management framework, common languages in communication,and security and access control mechanisms used for monitoring and managing devices on anetwork.

SNMP has the following advantages:

l TCP/IP-based standard protocol, with UDP as the transport layer protocol

l Automatically manages the network. Administrators can search and modify information,identify and diagnose network problems, plan for capacity, and generate reports on networknodes using the SNMP platform.



10

l Shields physical differences between various devices, implementing automaticmanagement of products from different vendors. Offering only the basic set of functions,SNMP makes the management tasks independent of both the physical features of themanaged devices and the underlying networking technology. Therefore, SNMP achieveseffective management of devices from different vendors.

l Combines simple request-reply mode and active notification mode and provides a timeoutand retransmission mechanism.

l Few packet types and simple packet format, which facilitates resolution andimplementation.

l Authentication and encryption mechanisms provided in SNMPv3, which enhances securityby the user-based and view-based access control function.

iBMC provides SNMP interfaces. SNMP provides operations including Get, Set, and Trap,enabling third-party software to manage servers in a centralized manner by using the SNMPinterfaces. The SNMP agent supports SNMPv1, v2c, and v3. Only SNMPv3 is enabled bydefault. Different community names are used for the Get and Set operations for SNMPv1 andSNMPv2c. SNMPv3 supports Message Digest Algorithm 5 (MD5) or Secure Hash Algorithm(SHA) for authorization and Data Encryption Standard (DES) or Advanced Encryption Standard(AES) for encryption. The security user name and login user name are the same. The SNMPv3security user shares the same set of local user names with the web-based UI, CLI, SMASH-CLP,and IPMI LAN interfaces. The password of the SNMPv3 security user must contain at least eightcharacters.

The SNMP agent interface supports query of the following information: system health status,system health events, hardware status, memory and CPU models, alarm reporting configuration,local user and domain account (LDAP) configuration, power statistics, asset information, heatdissipation management, firmware version, network management, power capping, and DNS.

SNMP interface application scenario:

l Scenario 1—open-source based management

You can use the third-party MIB tool, such as MG-SOFT MIB Browser, and CLI tool to performoperations on each MIB node over SNMP, usually for testing or temporary remote managementand maintenance for servers.

l Scenario 2—simple integration management

Network management software compiles and imports SNMP MIB definition files. Using thenetwork management software, you can manage servers over SNMP interfaces, set trigger scriptsfor important information, and re-map trap events. Huawei network management software isconnected to command management software, such as CA, IBM System Director, and HP SIM.

l Scenario 3—in-depth integration management

Network management software supports various integrated management plug-ins for differentserver vendors. The plug-in can receive operation commands from the network managementsoftware, query and set iBMC information over the SNMP interface, and send back theinformation to the network management software for display in the format defined by theinterface. Huawei has developed plug-ins for VMware vCenter and Microsoft System Center.



11

2.2 Fault Detection and Alarm Management

2.2.1 Fault DetectioniBMC not only monitors servers, but also provides reliable fault detection and fault predictmechanisms. iBMC detects the following faults:

l CPU hardware faults (CAT ERROR, self-checking failures, and configuration errors)l High temperature faults (for air intake vents, CPUs, DIMMs, and PSUs)l Mainboard and board voltage faultl Fan faultsl PSU faults (AC/DC input lost, high temperatures, and fan module faults for PSUs)l Bus faults (I2C and IPMB)l Memory faults (number of correctable ECC errors exceeds the threshold, high

temperatures, and configuration errors)l Hard disk faults (PFAs and invalid RAID)l System breakdown

2.2.2 System Running RecorderiBMC provides the system running recorder function. The system running recorder consists ofa black box (KBox) module, FPGA, iBMC, and analysis tool (hwkbox). The function is disabledby default. Figure 2-2 shows how the Linux system running recorder works. The system runningrecorder records the kernel stack information when kernel panic occurs, and exports and providesthe information to the third party. The third party defines the information itself. The fault data(black box data) cannot be lost upon system startup and power-on or power off, but can be lostonly at AC power failure.

Figure 2-2 System running recorder



12

Application scenario 1

When kernel panic occurs, the registered black box automatically records the kernel stackinformation and saves the location information to a DDR using a DDR controller over a PCIeinterface. Only 16 MB data can be saved. After the system restarts, a system-side location toolreads and analyzes the location information in the DDR over the PCIe interface. Even if thesystem cannot be started, iBMC can export the information from the DDR (as shown in Figure2-3)and analyzes the information using a dedicated analysis tool. Currently, the locationinformation can be exported only to the OS and analyzed using the hwkbox analysis tool.

Application scenario 2

The third-party application records a maximum of 2 MB run logs to the iBMC DDR using awrite interface of the black box. When the application is faulty, the system reads and analyzesthe run logs using a read interface on the black box or iBMC. This facilitates fault location.

Figure 2-3 Downloading black box data

2.2.3 Startup Self-Check CodeA startup self-check code records information about the self-check performed upon systemstartup. The information indicates whether a specific fault occurs. Different codes indicatedifferent faults. You can locate the startup faults by querying the fault code table. See Figure2-4. Digits in the square brackets indicate the fault code.

Figure 2-4 Startup self-check code page

iBMC:/->ipmcget -d port80

port80 diagnose code:

02-03-06-70-74-76-7C-A1-A3-A3-A7-A9-A7-A7-A7-A8A9-A9-A9-AA-AA-AA-AE-AF-B0-B1-B4-B2-B3-B6-B7-B8B9-BA-B7-BB-BC-BF-83-4B-52-4D-4B-59-5A-A2-10-1112-13-15-FF-20-1A-1A-16-17-18-1D-26-16-17-18-1617-18-27-28-F9-[59]-5A-A2-10-11-12-13-15-FF-20-1A1A-16-17-18-1D-26-16-17-18-16-17-18-27-28-F9-7BC5-C3-25-2F-F8-E0-60-FB-D0-41-E0-8B-13-CA-13-EC91-39-2D-AD-FE-6E-E4-12-F3-D9-64-DB-02-14-CD-78E5-CF-A9-2E-34-25-2B-5A-57-18-17-F5-5E-0C-D5-BCD0-E7-FB-E0-41-4C-FE-52-46-B5-41-BA-90-85-1B-54D2-C2-E6-61-DA-EA-B9-58-4D-2F-09-84-93-F1-3A-0B25-E2-1E-0D-8E-17-0A-F2-57-6B-A2-97-3A-53-1F-D5



13

8B-6B-F6-CD-D5-BB-C6-18-E8-85-5C-D7-68-68-52-9AB1-67-47-A2-EC-CB-52-F9-D8-D4-74-0A-E9-23-7A-C4FE-28-74-A7-1C-F3-C2-0C-E5-BF-D0-BC-88-05-22-1B71-E9-AE-F1-E3-0C-BB-83-FD-10-BA-53-3B-86-B0-40

2.2.4 Event ManagementiBMC provides the following alarm management functions:

l Monitoring and alarm management for all hardware

l Detailed log description

l Local storage and archiving

l Log management based on visualization, filtering, sorting, and downloading

l Remote alarm reporting over SNMP trap, and emails

l Alarm reporting to multiple destinations

System events are recorded in files in real time. When 2000 events are recorded, automaticbackup occurs. Only one backup file can be saved. If there are more than one file, the old backupfile is automatically deleted.

The System Events page allows you to query, sort, filter, and clear all system events, as shownin Figure 2-5.

Figure 2-5 System Events page

Table 2-2 describes the system event parameters.



14

Table 2-2 System event parameters

Parameter Description

Severity Indicates the severity level of the event. Values: OK, Minor, Major, andCritical

Generation time Specifies the time when the event is generated.

Sensor Specifies the sensor where the event is generated.

Eventdescription

Provides information about the event.

Event source

State Indicates the current status of the event. Values: Generated and Cleared

2.2.5 Fault ReportingiBMC monitors hardware and system status in real time and reports alarms to remote destinationservers over SNMP trap and emails.

SNMP trap supports the following features: A maximum of four destinations. You can set status,IP addresses, ports, and alarm formats for the destinations. Event reporting based on severity.Versions of v1, v2c, and v3. SNMPv1 is enabled by default. If you use SNMPv3, select a trapv3 security user from local users and configure v3 authentication and encryption algorithms.Host identifiers and location contained in trap messages. A host identifier can be a board SN,product asset label, or host name. Test messages can be sent to the destinations. See Figure2-6.

SMTP supports a maximum of four destinations. The following operations are supported:

Set the addresses and states of the mail boxes that receive logs and alarms.

Send test mails to the destinations.

Log in to the SMTP server with or without authentication.

Enable TLS to encrypt mails.

Configure the title and mail sender of the email template. See Figure 2-7.



15

Figure 2-6 SNMP trap configuration page

Figure 2-7 SMTP configuration page

2.3 Virtual KVM and Virtual MediaOn the Remote Control page, you can use the virtual KVM, virtual media, and manual recordingfunctions to power on, power off, or restart servers. Figure 2-8 shows the Remote Control page.

In full screen or split-screen mode of the remote console, press Ctrl+Alt+Shift to show thetoolbar.



16

Figure 2-8 Remote console

2.3.1 Virtual KVMThe virtual KVM function allows you to monitor and control remote devices in real time byusing the local KVM. You can operate remote devices using the virtual KVM. The virtual KVMsupports:

l 640 x 480 to 1920 x 1280 resolution

l Mouse synchronization: Ensure that the remote OSs support mouse synchronization. Table2-3 lists the OSs that do not support mouse synchronization.

l Absolute, relative, and single mouse modes

l Exclusive and collaborative modes: Both parties in collaborative mode can operate a remoteserver at the same time. To ensure security, use the exclusive mode.

l Operating environment: To enable the virtual KVM function, the browser, OS, and JREversions on the client must meet the software requirements listed in Table 2-1.

l Color depth: 32-bit color, providing a maximum of 16.77 million colors.

l Combination key: allows users to customize any six-key combination for sendingcommands.

l Encryption: The AES128 CBC encryption algorithm is adopted for video, keyboard, andcontrol command data.

For OSs that cannot provide the position of the mouse in absolute mode, the virtual KVM doesnot support the mouse synchronization function.



17

Table 2-3 OSs not supporting mouse synchronization (The OSs include, but not limited to theOSs in the table)

OS Not Supporting Mouse Synchronization

SUSE Linux Enterprise Server 11 Service Pack 1 for x86 (32-Bit)

SUSE Linux Enterprise Server 11 Service Pack 1 for Intel EM64T (64-Bit)

Figure 2-9 shows how the virtual KVM is implemented.

l When receiving data from a remote client, iBMC compresses the data and transmits thecompressed data to the local client over a network. The local client console decompressesthe data received and displays the data on the local client.

l The virtual KVM console captures local mouse and keyboard events and transmits theevents to a remote client over a network. iBMC simulates the local keyboard and mouse totransmit the events to a remote server service system over the USB channel.

Figure 2-9 Virtual KVM in iBMC

2.3.2 Virtual MediaThe virtual media function allows you to use a virtual USB DVD-ROM drive or an FDD toremotely access the local media (such as the DVD-ROM drive, FDD, DVD-ROM image file,and floppy disk image file) over a network. The virtual media data is encrypted using the AES128CBC encryption algorithm. To use the virtual media function, the client must be equipped withthe OS and the JRE of proper versions. For details, see Table 2-1.

The purpose of virtual media is to virtualize the local media devices to the media devices on theremote client over a network. Figure 2-10 shows how virtual media is implemented.



18

Figure 2-10 Virtual media in the iBMC

iBMC exchanges data with hosts through USB 2.0 channels. The virtual media provides thefollowing functions:

l Virtualizing devicesThe PC or image file on a client is mapped to a connected server. Then the server can detectthe client as a USB device.The following can be virtualized:FDDDVD-ROM driveAn FDD can be virtualized along with other devices.

l The virtual media provides the following features:The virtual DVD-ROM drive supports a transmission rate of up to 32 Mbit/s and 24 Mbit/s in a VLAN.The virtual FDD supports a maximum transmission rate of 4 Mbit/s.

l Preparing image filesThe content on a floppy disk or a DVD-ROM can be created as an image file and storedon a hard disk.



19

2.4 HTTPS-based Visualization Management InterfaceiBMC offers web-based UI for visual management by using HTTPS. You can quickly set andquery information on the UI. Table 2-1 shows OSs and browsers supported by iBMC. Thefollowing uses the RH1288 V3 as ax example.

To log in to the iBMC Web, perform the following steps:

Step 1 Open Internet Explorer, enter https://iBMC IP[:sslport] in the address box, and press Enter. SeeFigure 2-11.

NOTE

The port number is optional. If the port number is not 80 or the sslport port number is not 443, you mustenter the port number after the IP address. For a method of changing the port number, see 2.11.4 ServiceManagement.

Figure 2-11 Entering the iBMC IP address

Step 2 On the login page, enter the user name and password or select a domain if a domain account isused, and click Log In, as shown in Figure 2-12.

Figure 2-12 iBMC login page

----End

2.4.1 Viewing System InformationThe Overview page displays the system information, including the system status, iBMCinformation, system configurations, virtual buttons, and power saving statistics, and provideslinks to common operations, as shown in Figure 2-13.



20

Figure 2-13 Overview page

2.4.2 Querying System InformationThe system information includes the firmware versions, asset information, and system hardwareinformation.

Firmware VersionThe firmware version information includes the iBMC, BIOS, U-Boot and CPLD versions, aswell as baseboard PCB versions, baseboard IDs, baseboard manufacturers, baseboard models,and baseboard serial numbers. See Figure 2-14.



21

Figure 2-14 Firmware Version page

System HardwareThe system hardware information includes the configured number and maximum number of keysystem components, and component models. Figure 2-15 shows the System Hardware page.

Figure 2-15 System Hardware page

2.4.3 Real-Time MonitoringReal-time monitoring involves monitoring of components, sensors, and indicators.



22

Real-Time DataFigure 2-16 shows the history lines of real-time data for items including CPU usage, memorybandwidth usage, and air intake vent temperature. The CPU usage and memory bandwidth usageare measured every minute and the air intake vent temperature is measured every 10 minutes.This allows users to view the data in real time and understand the service running status.

Figure 2-16 Real-time data page

SensorThe Sensor page displays all sensor information, as shown in Figure 2-17. Table 2-4 describessensor parameters.



23

Figure 2-17 Sensor page

Table 2-4 Threshold sensor parameters


Sensor Name of a sensor

Current value Current value of the sensor

Unit Unit of the sensor value

Lower critical The system generates a critical alarm when the sensor value exceedsthis threshold.

Lower major The system generates a major alarm when the sensor value exceedsthis threshold.

Lower minor The system generates a minor alarm when the sensor value exceedsthis threshold.

Upper minor The system generates a minor alarm when the sensor value exceedsthis threshold.

Upper major The system generates a major alarm when the sensor value exceedsthis threshold.



24


Upper critical The system generates a critical alarm when the sensor value exceedsthis threshold.

2.4.4 Device LocationThe Device Location page allows you to set the status of the location indicator. By illuminatingthe UID indicator on the device panel, you can quickly locate the device to be operated amonga large number of devices in the equipment room. See Figure 2-18.

Figure 2-18 Device Location page

2.5 Breakdown Screenshot and Breakdown Video

2.5.1 Breakdown ScreenshotWhen detecting a system breakdown, iBMC stores the last screenshot in a specific format, asshown in Figure 2-19. You can log in to iBMC to view the screenshot or remotely downloadthe screenshot to a local folder to locate a fault.

Figure 2-19 Rule of the breakdown screenshot

iBMC stores a maximum of three breakdown screenshots. The oldest screenshot will beoverwritten when a new screenshot is created.



25

You can choose Events and Logs > Remote System Screen > Last Screen to viewscreenshots, as shown in Figure 2-20.

Figure 2-20 Breakdown screenshot

2.5.2 Breakdown VideoWhen iBMC detects a system breakdown, it records the screen output that was displayed 1minute around the breakdown and stores the compressed screen video to an external storagedevice. iBMC supports automatic video recording when the host CAT error, system power-off,or system restart occurs. For the host CAT error, the recording files are stored in iBMC flashmemory, and for the other two situations, the recording files are stored in the iBMC memory.When a server breaks down, you can log in to iBMC to export the video clip to a local folderand view the video using the video playback console for fault location.

Figure 2-21 shows the video playback console.



26

Figure 2-21 Video playback console

2.6 Screen Snapshot and Screen Video

2.6.1 Screen SnapshotThe screen snapshot function is designed for system inspection. You can capture and save thescreen outputs of the system using the CLI and WebUI. You can remotely obtain screen outputs



27

from a local client and view screens of all inspected servers using Secure File Transfer Protocol(SFTP).

Compared with the virtual KVM, the screen snapshot does not need login over HTTPS. Youcan obtain screen snapshots by using the CLI. The CLI allows scripts to be executed, whichfacilitates automatic server inspection. You can also obtain current system screen snapshots onthe WebUI.

Obtaining Screen Snapshots Using the CLI

Syntax

ipmcset -d printscreen -v wakeup

Parameter description

When the wakeup parameter is used, the system takes a screenshot for the current informationand is woken up from the Screen Saver mode.

Usage guidelines

After the printscreen command is executed, iBMC automatically saves the screenshot as thescreen.jpg file to the tmp directory. You need to load the file to a client that supports viewing .jpgfiles over FTP or SFTP before viewing the screenshot.

Obtaining Screen Snapshots from the Web Page

On the iBMC WebUI, you can choose Events and Logs > Remote System Screen > Manualto obtain the screen snapshot, as shown in Figure 2-22.

Figure 2-22 Obtaining screen snapshots



28

2.6.2 Screen VideoThe screen video is a remote KVM recording function provided by the remote console, and canbe enabled. The video format is defined by a user and the video file is saved in the local (theKVM console is opened). It records virtual KVM operations to ensure security or meet otherspecial requirements. When the screen video function is enabled, the virtual KVM consoleautomatically records all information displayed on the screen and all operations that have beenperformed to a self-defined video file.

Figure 2-23 Enabling/Disabling the screen video function

iBMC integrates a video file playback tool for playing videos.



29

Figure 2-24 Video playback console

2.7 Domain Management and Directory ServiceWith development of enterprise applications, IT infrastructure capacity is increasing, whichincreases workloads in asset management and daily management. iBMC provides domainmanagement and directory service to streamline tedious IT infrastructure management.

2.7.1 Domain ManagementYou can add all managed servers to a domain and visit access iBMC using the domain name. Ifthe domain name is the asset number of a managed server, the domain controller can help countassets. This greatly reduces IT asset management costs.

Step 1 Add the computer to the domain.

1. Log in to iBMC WebUI using the domain name, and open the DNS tab. See Figure 2-25.

NOTE

Domain Name System (DNS) is an Internet service. The DNS maps easy-to-remember domain namesand IP addresses. This helps you easily access the network.

2. The UI shown in Figure 2-25 enables you to set DNS bound network port and methods ofobtaining DNS information. Click OK to save the settings.

3. Set Domain Name, Primary DNS Server, and Secondary DNS Server if ManuallyObtain DNS Information is selected.



30

Figure 2-25 Configuring DNS parameters

Step 2 Set a host name. See Figure 2-26.

----End

Figure 2-26 Host Name page

----End

2.7.2 Directory ServiceThe directory service integrates user management, rights assignment, and validity periodmanagement on iBMC into the directory server, as shown in Figure 2-27. This minimizesrepeated user configuration tasks and improves management efficiency. In addition, centralizeduser management greatly enhances the security of iBMC.

The advantages of LDAP are as follows:

Scalability: dynamically add users on the LDAP server in all iBMCs at the same time.

Security: User password policies are all implemented on the LDAP server.

Real-time performance: Any account update on the LDAP server takes effect immediately onall iBMCs.

High efficiency: integrates user management, rights assignment, and validity management oniBMC into the catalog server. This minimizes repeated user configuration tasks and improvesmanagement efficiency.

Supports the active directory and New Technology LAN Manager (NTLM) authenticationfunction.



31

To ensure security, LDAP supports only LDAPS that uses the SSL encryption algorithm andallows you to modify LDAPS port information. Plain text-based LDAP is not supported. Toensure the authenticity of an LDAP server, LDAP supports certificate authentication for serversand you can import the root CA certificate of the LDAP server into iBMC for verification. Setthe domain controller address to the user name of the root CA certificate because the consistencyof the two needs to be checked during authentication.

Figure 2-27 Directory service work process

The LDAP User page is displayed, as shown in Figure 2-28.

NOTE

LDAP is a protocol for accessing online directory services over an IP network. LDAP directories can helpstore any types of data, such as email addresses and mail routing information, so that you can query theinformation conveniently.

View or set the LDAP user information on the LDAP User page, as shown in Figure 2-28.



32

Figure 2-28 LDAP User page

On the LDAP User page, you can perform the following operations:

l Enable or disable LDAP.

l Enable certificate verification.

l Set the LADPS port number. The default value is 636.

l Import LDAP root certificate.

l Set a domain controller address.

The domain controller address is the IP address or domain name of the server where theactive directory is located. The domain controller address consists of a maximum of 255characters.

l Set a user domain.

The user domain is the domain for logging in to the iBMC page in the active directory. Theuser domain name can contain a maximum of 255 characters.

l Set a group name.

The group name is the name for logging in to the iBMC page in the active directory. Thegroup name can contain a maximum of 32 characters.

l Set a group domain.

The group domain is the domain for logging in to the iBMC page in the active directory.The group domain name can contain a maximum of 255 characters.

l Set the group privilege.

The group privilege is the permission for logging in to the iBMC page in the active directory.There are three types of users: administrators, operators, and common users. They aregranted with different operation permissions.



33

2.8 Firmware ManagementFirmware management involves the iBMC firmware, BIOS, CPLD, and LCD. It allows you toquery firmware version, upgrade firmware, and switch over dual images.

2.8.1 Firmware Dual-image BackupiBMC uses firmware dual-image backup to improve system reliability. When flashmisoperations occur or storage modules are damaged, the system automatically switches to thebackup image and generates an alarm, indicating that image redundancy becomes invalid.

Switching Over Images on the Web PageIn the navigation tree, choose System Management > Firmware Upgrade. The FirmwareUpgrade page is displayed, as shown in Figure 2-29.

The iiBMC and BIOS version information are displayed on this page, and a user is allowed toswitch images and restart iBMC.

Figure 2-29 Firmware Upgrade page

2.8.2 Firmware UpgradeThe firmware upgrade involves iBMC firmware, BISO, CPLD (mainboard, backplane, mezzcard, and expansion card), and LCD upgrades. iBMC firmware upgrade supports versionrollback and manual and automatic modes. Figure 2-30 shows the Firmware Upgrade page.For the compatibility purpose, you are advised to upgrade active and standby iBMC images tothe same version.



34

Figure 2-30 Firmware Upgrade page

2.9 Intelligent Power ManagementiBMC provides multiple intelligent power management methods to reduce total cost ofownership (TCO).

2.9.1 Power ControlThe Power Control page allows you to control the power supply for a server, as shown inFigure 2-31.

You can perform the following operations:

l Power On: powers on the server.

l Graceful Power Off: powers off a server. iBMC sends an ACPI interrupt to the OS. If theOS supports the ACPI interrupt, iBMC shuts down the OS (ends all running processes) andthen powers off the device. If the OS does not support the ACPI interrupt, iBMC powersoff the device forcibly after the graceful power-off timeout period ends. The result is thesame as the operation that you press the power button on the front panel of the server.

l Forcibly Power Off: powers off a server without waiting for the response from the OS.This option has the same result as the operation that you hold down the power button onthe front panel of the server.

l Restart: indicates cold reset. iBMC can reset the system through the southbridge directly,without the need of powering off the OS.

l Graceful Reboot: powers off and then powers on the server. iBMC shuts down the OS andthen power off the server. iBMC powers off the server forcibly after the graceful power-off timeout period ends, and then powers on the server.

l NMI: sends a non-maskable interrupt (NMI) to the OS to collect kernel stack informationand sends the information to the console, which is used for identifying the causes of systemexceptions.

l Disable Panel Power Button: disables buttons on a server panel.



35

Figure 2-31 Power Control

2.9.2 Power CappingCurrently, data centers are facing a challenge that enterprises consume a lot of electric powerand space and have high refrigeration costs. The available resources can hardly meet ever-increasing energy and refrigeration requirements. The top priority for data centers is to saveenergy and reduce energy consumption using innovative technologies. In traditional data centers,customers spend enormous amounts building electric power infrastructure to ensure servicecontinuity. In addition, IT administrators usually use excessive power supply to meet systempower requirements. The power capping technology helps control energy consumption of eachserver, avoiding excessive energy supply. The saved energy realized by the power cappingtechnology can be used for capacity expansion in data centers.

In the navigation tree, choose PS Management > Power History. The Power History page isdisplayed, as shown in Figure 2-32.

You can set the power upper limit. If the system power exceeds the upper limit, specific actionsare triggered to ensure that the chassis power is properly distributed.

iBMC collects system power data every one second for 40 times or more during system startup.It deletes the invalid values, calculates the average value, and then multiples the value by acoefficient varying by product. The calculation result is the minimum power.

Set Power Capping State, Power Limit, and Follow-up Action After Power Capping Failsas required, and click OK, as shown in Figure 2-32. After the configuration, Operationperformed successfully is displayed.

Follow-up Action After Power Capping Fails has the following value options:

l Event log: logs information about a power capping failure in the system event file. Thisfunction is enabled by default.

l Power off: iBMC forcibly powers off the server within 15s.



36

Figure 2-32 Power Capping page

2.9.3 Power Statistics and Power History LineiBMC provides accurate energy monitoring information and historical power statistics. Thishelps system administrators know about the actual usage of electric power and heat dissipationresources. You can adjust the server consumption based on historical power data.

In the navigation tree, choose PS Management > Power Statistics. The Power Statistics pageis displayed, as shown in Figure 2-33. The page displays Current Power, Total CPU Power,Total Memory Power, Peak System Power, Average System Power, and ConsumedElectricity.

Click Recollect to recollect information about the peak system power, average system power,and consumed electricity.

Figure 2-33 Power Statistics page

In the navigation tree, choose PS Management > Power History. The power history userinterface (UI) is displayed, as shown in Figure 2-34.

iBMC collects and saves the system power every 10 minutes. The Power History page displaysthe recent power history in a line chart. To view the power statistics in recent periods, click LastWeek or Last Day. To refresh the line charts and tables, click Recollect. To download historicalpower information, click Download.

On this page, you can view the recent device power changes and understand the device runningstatus in a certain period.



37

Figure 2-34 Power History page

2.10 SOL and System Serial Port Running InformationRecord

2.10.1 SOLiBMC provides the SOL function. This function redirects the serial port data, which is sent onlythrough a serial cable originally, to the remote network devices for sending, and allows thesystem to receive data from remote network devices. Figure 2-35 shows how the SOL functionis implemented. Management personnel can query the data using a network terminal sent by theserial port in real time and perform operations on the OS. The effect is the same as that a near-end serial port is used.

Figure 2-35 SOL

2.10.2 Recording System Serial Port InformationiBMC records system serial port information. Figure 2-36 shows how the function isimplemented. iBMC records real-time system serial port data to a DDR. If the data volume



38

exceeds 1 MB, the earliest data will be overwritten. When the system breaks down or restarts,you can export and view the serial port information from iBMC.

Figure 2-36 Recording system serial port information

2.11 Security Management

2.11.1 Scenario-based Login RestrictionTo ensure security, iBMC restricts the server management access to the minimum scope basedon time, location (IP address or MAC address), and roles. This feature is applicable only to thelogin from the web.

You can set the login whitelist that supports a maximum of three login rules. A user who followsany of these rules can log in to iBMC; otherwise, login fails.

Each login rule contains the duration, user source IP address segment, and user source MACaddress segment. A login rule is followed only when all the three conditions are met. Login rulesare applicable to each local user and LDAP user group. By default, users have no login rule.

After the access duration has expired, login users are forced to log out. iBMC supports anemergency administrator who has no login restriction when the password is invalid. You canlog in to iBMC as the emergency administrator for management when other user accounts cannotlog in.

The three fields of a login rule are described as follows:

Duration: includes the start time and end time in the format of YYYY-MM-DD HH:MM, YYYY-MM-DD, or HH:MM. The value can be empty.

IP address: supports a single IPv4 address or IPv4 address segment, and does not support anIPv6 address. The value can be empty.

MAC address: supports a single MAC address of MAC address segment (specifies the NICvendor by using only the first three fields in an MAC address). The value can be empty.

The page allows you to set and enable login rules, as shown in Figure 2-37.



39

Figure 2-37 Setting WebUI login rules

2.11.2 Account SecurityAccount security measures include the password complexity check, password validity period,maximum historical password repetition times, and account lock.

The password validity period is applicable to all local users, in the unit of day. You can log into iBMC for management only within the validity period. When the validity period expires, youare not allowed to log in to iBMC, but login user can continue to access iBMC.

The validity period of a password ranges from 0 to 365 days. 0 indicates that the password ispermanently valid. The validity period starts from the creation date and counted by natural time.The days when servers with AC power failures are also included in the validity period. Theperiod is not affected even if the iBMC system time changes. When the iBMC system timechanges, iBMC automatically updates the start time of the validity period of each user password.When your password will expire within 10 days, the system reminds you to change the passwordin a timely manner after you log in from the web or CLI. The system records a security log aftera password validity period has expired.

To prevent the inconvenience caused by expired passwords, you can perform the followingoperations:

1. Configure an emergency administrator account whose password is permanently valid andwho can log in to iBMC during login restriction.

2. Log in to the BIOS and change the password of user 2, which is an administrator by default.3. Log in to the OS on the local device and use a third-party tool (for example, IPMItool) to

set a new password through BT channels.4. Set a new password for a blade server by using the management module (MM).

Figure 2-38 Account security configuration



40

2.11.3 SSL Certificate ManagementThe SSL certificate is used by a Web service terminal.

SSL certificate management enables you to view the current certificate information, such as theuser, certificate authority, validity period, and serial number, generate a CSR file, import thesignature certificate (only public key and PKCS#10) generated by the CSR file, and import aself-defined certificate (including public and private keys and PKSC#12). When the certificatethat maps to the CSR file is successfully imported, or the default setting is restored, the CSR fileis deleted. The certificate format is Base 64 X.509 and the encapsulation format is PKCS#10 orPKCS#12. The certificate in PKCS#12 supports setting of a password for the private key.

The SSL certificate for servers using iBMC is a self-signed certificate by default. The certificateis signed using SHA1 and RSA (2048-bit). iBMC provides two non-signed certificate generationmethods:

Method 1

1. Log in to the iBMC WebUI, and modify the user information on the WebUI.

2. Generate a CSR file.

3. Export the CSR file.

4. Submit the CSR file to the CA.

5. Generate a signature certificate in the PKCS#10 format.

6. Import the signature certificate to iBMC.

7. Restart iBMC for the certificate to take effect.

Note: The signature certificate must correspond to the CSR file, that is, you have to use themapped CSR file to apply for a server certificate from the CA.

Method 2

1. Generate a self-defined certificate using the customer's CA server or purchase a certificatefrom the CA.

2. Log in to the iBMC WebUI, and import the certificate to iBMC.

3. Restart iBMC for the certificate to take effect.

Figure 2-39 SSL certificate management page



41

2.11.4 Service ManagementSecurity risks exist in insecure protocols and default ports. The service management functionenables you to enable, disable, or modify settings for protocols and ports. The insecure protocols,including the FTP, Telnet, HTTP, RMCP, and SNMPv1 and v2c, are disabled by default.

iBMC provides the following services: Web, FTP, SSH, Telnet, Remote Control, SNMP Agent,and IPMI LAN. See Figure 2-40 and Figure 2-41.

Figure 2-40 SNMP configurations page



42

Figure 2-41 Service configuration page

2.11.5 Operation Log ManagementiBMC records all non-query operations through all interfaces, both successful operations andfailed operations. Operation logs include Linux OS logs and user process logs. The user processlog records the operation time, interfaces, source IP addresses, source users, and actiondescriptions.

Operation logs are saved in files in real time. When the size of operation logs exceeds 200 KB,automatic backup occurs. Only one backup file can be saved. If there are more than one file, theold backup file is automatically deleted.

The operation log management function enables you to view and export operation logs usingthe WebUI.



43

Figure 2-42 Viewing operation logs

2.11.6 Enhanced Encryption AlgorithmThe enhanced encryption algorithm ensures:

l Confidentiality: Sensitive data is not obtained by unauthorized entities. For example, apassword is adopted or the stored data is encrypted so that only the user having the key canaccess the protected data.

l Integrity: The data integrity is ensured using cryptographic methods during transmissionand storage. For example, you can use the hash function to perform data check for security.

l Authenticity: Use cryptographic algorithm methods to identify remote users or systemusers. For example, the SSL certificate on the web server ensures that the user is connectedto the correct server.

l Non-repudiation: A user that performs one operation can be accurately located. The usercannot deny his or her operation.

The encryption algorithms supported by iBMC are as follows:

Table 2-5 Encryption algorithms

EncryptionAlgorithm

Application Scenario Function

DSA/RSA 2048 bit Web server certificate and SSH host certificate Digitalsignature

AES 128 CBC IPMI LAN transmission encryptionKVM, video, and control data encryption VMMdata encryptionWeb HTTPS transmission encryptionSNMPv3 transmission encryptionSSH transmission encryption

Encryption



44

EncryptionAlgorithm

Application Scenario Function

AES 256 CBC Web HTTPS transmission encryption and SSHtransmission encryption

Encryption

DES 64 SNMPv3 transmission encryption Encryption

HMAC-MD5-96 SNMPv3 authentication Authentication

HMAC-SHA1-96 SNMPv3 authentication and IPMI LANauthentication

Authentication

SHA256 HTTPS integrity check and Linux user passwordencryption

Integrity andencryption

2.11.7 Hardware EncryptionThe Hi1710 chip integrates with a security engine, which is a hardware acceleration module forenhancing security functions of the CPU. The engine primarily applies to authentication anddata encryption and decryption. The engine supports the DES/3DES, AES, SHA-1,SHA-256/224, and MD5 algorithms, as well as the HMAC algorithm based on SHA-1,SHA-256/224, and MD5. DES/3DES supports the ECB, CBC, CFB, and OFB working modes,and AES supports the ECB, CBC, CFB, OFB, and CTR working modes. AES supports 128-,192-, and 256-bit keys; SHA-1 and SHA-256/224 support 160-, 256-, and 224-bit messagedigests; MD5 supports 128-bit message digests.

2.12 Access ManagementiBMC supports both IPv4 and IPv6 addresses and access over a dedicated management port orshared network port using the NC-SI function. The shared network port supports the VLANfunction.

2.12.1 Management Network Port Auto-AdaptationA rack server or node server has two management network ports: a GE management networkport and a sideband network port using NC-SI (share the physical management network portwith the host). The NC-SI function automatically associates the logical network port with aphysical network port based on the network port link status.

After auto-adaptation is enabled for a network port and the server network is changed, you canuse a network cable to connect to the dedicated management network port or sidebandmanagement network port to access the management GUI without any new network settings andperform smooth switch. This eliminates complicated configuration and improves themaintenance efficiency.



45

Figure 2-43 Management network connection

The page for configuring network port auto-adaptation allows you to query the network portmode and set port parameters. If the network port is in auto-adaptation mode, you can specifya host network port as the sideband network port, which is network port 1 by default, as shownin Figure 2-44.

Figure 2-44 Configuring network port auto-adaptation

2.12.2 NC-SINS-CI enables the management system and the host system to share a physical network port onthe host using the NC-SI technology, implementing management and service handling,simplifying networking, and reducing ports on the switch. Preferentially considering the servicedata, the maximum bandwidth for data management is 100 Mbit/s. For the security purpose,divide the management and service in different network segments using the VLAN technology.



46

Figure 2-45 NS-CI framework

Figure 2-46 NS-CI data flow diagram

2.12.3 IPv6iBMC supports IPv6 to ensure sufficient IP addresses because the IPv4 address is insufficient.iBMC supports the Web, Telnet, SSH, and SNMP interfaces, which support IPv6. Physical



47

channels using the dedicated management network port and the shared network port (NC-SI)also support IPv6.

Figure 2-47 IPv6 address configuration screen

Manually set the IPv6 address or obtain it from a iBMC DHCP server.

2.13 Unified User ManagementiBMC is a management subsystem based on the built-in CPU and the OS and provides only fixedmaintenance and integration ports. The OS and applications are integrated. The OS (CLI),SNMP, IPMI LAN, and Web interfaces are independently managed by respective local users.To access iBMC through these interfaces, users have to set each interface. However, the unifieduser management function enables a user to access iBMC through all those interfaces as longas one interface is set. iBMC synchronizes the setting among all interfaces.

iBMC supports a maximum of 17 users including anonymous users with ID 1 and enables youto add, modify, and delete users. The user types and user rights are as follows:

Administrator: The user has all configuration and control rights for iBMC.

Operator: The user has all configuration and control rights, excluding user management andsecurity configuration.

Common user: The user has only permission to view information, excluding OS informationand operation logs.

Customized group: The user specifies its right.



48

Figure 2-48 User management page



49

3 Technical Specifications

Component Specifications

Supported products RH1288A V2, RH2288A V2, RH1288 V3, RH2288 V3, RH2288H V3,RH8100 V3, XH622 V3, XH628 V3, CH121 V3, CH140 V3, CH220V3, CH222 V3, and CH242 V3

KVM l Maximum resolution: 1920 x 1280l Minimum resolution: 640 x 480l 32-bit color, providing 16.77 million colors

Network port l One integrated 1000 Mbit/s dedicated Ethernet portl One integrated 100 Mbit/s shared Ethernet port

Virtual media l The virtual DVD-ROM drive supports a maximum transmissionrate of 32 Mbit/s.

l The virtual FDD supports a maximum transmission rate of 4 Mbit/s.

User interface l HTTPSl IPMI LAN/BTl SNMPl CLI

Security feature l User managementl Role authenticationl Data encryptionl Scenario-based login restrictionl Account securityl SSL certificate management

HUAWEI Server iBMC Intelligent Management SystemWhite Paper V1.1 3 Technical Specifications


50

white paper v1 - hammer huawei - home · 1.1 introduction to ibmc as a huawei's proprietary...

Documents