HPE Integrity Superdome X and Superdome 2 Onboard Administrator Guide for Users Part Number: 794237–007 Published: April 2018 Edition: 17 Abstract This document describes the Onboard Administrator for the HPE Integrity Superdome X and Superdome 2 enclosures.


Page 1: HPE Integrity Superdome X and Superdome 2 Onboard ... · interconnects. Compute enclosures within a complex can be configured with redundant OA modules to provide uninterrupted manageability

HPE Integrity Superdome X and Superdome 2 Onboard Administrator Guide for Users

Part Number: 794237–007
Published: April 2018
Edition: 17

Abstract
This document describes the Onboard Administrator for the HPE Integrity Superdome X and Superdome 2 enclosures.


Contents

Introduction ... 9
Overview ... 9
Access requirements ... 11
Onboard Administrator overview ... 12

Detecting component insertion and removal ... 12
Identifying components ... 12
Managing power and cooling ... 13
Controlling components ... 13
Managing partitions ... 13

Interfaces ... 14
Onboard Administrator user interfaces ... 14
Onboard Administrator authentication ... 15

Running Onboard Administrator for the first time ... 15
Logging on to the Onboard Administrator GUI ... 16
Running the setup wizard ... 17
Using online help ... 17
Changing enclosure and device configurations ... 18
Recovering the administrator password ... 18

Insight Display ... 19
Insight Display overview ... 19
Navigating the Insight Display ... 19

Health Summary screen ... 21
Enclosure Settings screen ... 22
Enclosure Info screen ... 22
Blade and Port Info screen ... 23
Turn Enclosure UID On/Off screen ... 24
View User Note screen ... 25
Chat Mode screen ... 25

Insight Display errors ... 26
Power errors ... 26
Cooling errors ... 27
Location errors ... 27
Configuration errors ... 27
Device failure errors ... 28

Superdome 2 Door Status Display ... 29
Before running Door Display setup ... 29
Setting up the Door Display ... 29

Door Display status menu ... 34
Display Settings menu ... 37
Firmware Update menu ... 38

First Time Setup Wizard ... 41
Before you begin ... 41
Enclosure Selection screen ... 42


Configuration Management screen ... 43
Rack and Enclosure Settings screen ... 44
Administrator Account Setup screen ... 46
Local User Accounts screen ... 48
Enclosure Bay IP Addressing screen ... 50
Directory Groups screen ... 52
Directory Settings screen ... 53
Onboard Administrator Network Settings screen ... 56
SNMP Settings screen ... 57
Power Management screen ... 58
Finish ... 61

Navigating Onboard Administrator ... 62
Navigation overview ... 62

Tree view ... 62
Graphical view navigation ... 65

Complex Overview ... 69
Complex Overview screen ... 69

Compute Enclosures tab ... 70
Power and Thermal tab ... 70

Complex Information screen ... 72
Status tab ... 72
Information tab ... 75
Complex Logs tab ... 76
Complex CLI Tab ... 76

Complex Information: Firmware Management ... 77
Complex Firmware Summary screen ... 77
Online complex firmware update ... 79
Firmware Update screen ... 85

Enclosure DVD Module screen ... 90

Configuring compute enclosures and enclosure devices ... 92
Viewing the status screens ... 92
Enclosure information ... 93

Enclosure Status ... 93
AlertMail ... 98
Date and Time ... 101
Enclosure TCP/IP Settings ... 103
Network Access ... 105
Link Loss Failover ... 107
Enclosure Bay IP Addressing ... 107
SNMP Settings ... 110
Configuration Scripts ... 113
Device Summary ... 114
Active to Standby ... 115

Onboard Administrator Module ... 115
Active Onboard Administrator ... 115
Standby Onboard Administrator ... 126

Device Bays ... 129
Device Bay Information ... 131

Interconnect Bays ... 137
Interconnect Bay Information ... 139


Interconnect Bay Information tab ... 142
Interconnect Bay Virtual Buttons tab ... 143
Interconnect Bay Port Mapping ... 144

XFM Bays ... 146
XFM Bay Information ... 147

XFM Bay Status tab ... 148
XFM Bay Information tab ... 149
XFM Bay Virtual Buttons ... 150

GPSM Bays ... 150
GPSM Bay Information ... 151
GPSM Status tab ... 151
GPSM Bay Information tab ... 152
GPSM Virtual Buttons ... 153

Enclosure power management ... 153
Power and Thermal ... 153
Power Subsystem ... 166

Fans and cooling management ... 169
Thermal Subsystem ... 169
Thermal Subsystem Fan Zones tab ... 171
Fan Information ... 173

Managing users ... 175
Users/Authentication ... 175
User roles and privilege levels ... 175
Role-based user accounts ... 176
Local Users screen ... 177

Password Settings screen ... 180
Directory Settings screen ... 181

Uploading a certificate ... 182
Directory Certificate Upload tab ... 183
Directory Test Settings tab ... 183

Directory Groups ... 185
Add an LDAP Group ... 187
Edit an LDAP Group ... 189

SSH Administration ... 190
HPE SSO Integration ... 191

Edit Local User Certificate Information tab ... 193
Two-Factor Authentication screen ... 193

Two-Factor Authentication Certificate Information tab ... 194
Two-Factor Authentication Certificate Upload tab ... 194

Signed In users ... 195
Session Options tab ... 196

Insight Display ... 196
Management network IP dependencies ... 196

Superdome 2 IOX enclosures ... 197
IOX Enclosure Information screen ... 197
IOX Power and Thermal screen ... 199
IOX Power Subsystem screen ... 200

IOX Power Supply screen ... 202
IOX Thermal Subsystem screen ... 202

Port mapping ... 204
Device bay port mapping for compute enclosures ... 204
Device bay port mapping tabular view for compute enclosures ... 205


Using the Command Line Interface ... 207
Command line overview ... 207
Setting up Onboard Administrator using the CLI ... 207
Using the service port connection ... 208

Using configuration scripts ... 209
Configuration scripts ... 209
Reset Factory Defaults ... 211

Troubleshooting ... 212
Onboard Administrator error messages ... 212
Onboard Administrator factory default settings ... 212
Onboard Administrator SNMP traps ... 212

Enabling LDAP Directory Services Authentication to Microsoft Active Directory ... 215

Certificate Services ... 215
Preparing the directory ... 215
Uploading the DC certificate (optional) ... 217
Creating directory groups ... 219
Testing the directory login solution ... 222
Troubleshooting LDAP on Onboard Administrator ... 222

Creating CAs and configuring Two-Factor Authentication for local user and LDAP group accounts ... 225

Introduction ... 225
Configuring the directories ... 227

Creating a directory to represent each CA and user ... 227
Modifying and storing an OpenSSL configuration file in each CA directory ... 228
Changing the default directories ... 228

Creating a root CA ... 228
Copying the OpenSSL configuration file to the rootCA directory ... 228
Creating the certificate and private key ... 228
Creating a combined private key and certificate PEM file ... 229

Creating subordinate CAs ... 229
Creating the directories for the subordinate CA ... 230
Providing x509 certificate information ... 230
Generating a CSR and new server key ... 230
Signing the level1CA CSR with the rootCA key ... 231

Creating user keys and CSRs ... 232
Creating a directory for the user key and CSR database ... 232
Providing x509 user certificate information ... 232
Generating a user CSR and new server key ... 232
Signing the user CSR with the level1CA key ... 232

Verifying certificates ... 234
Storing a user certificate on a smart card or browser ... 235
Configuring the Onboard Administrator for Two-Factor Authentication with local accounts ... 237

Establishing an Onboard Administrator recovery plan ... 237
Configuring the Onboard Administrator session timeout ... 238


Installing the CA chain for TFA ... 239
Installing user certificates on the local Administrator account ... 241
Enabling Two-Factor Authentication ... 242
Logging into the Onboard Administrator web GUI using Enabling Two-Factor Authentication ... 243

TFA+LDAP Authentication ... 243
How TFA_LDAP authentication works ... 243
Enabling TFA+LDAP authentication ... 244

Methods for specifying the subject field on a CSR ... 244
Troubleshooting TFA+LDAP authentication problems ... 245
CLI examples configuring a user account and certificates ... 246
Information about CAs and certificates available from the web ... 247

Support and other resources ... 249
Accessing Hewlett Packard Enterprise Support ... 249
Accessing updates ... 249
Customer self repair ... 250
Remote support ... 250
Warranty information ... 250
Regulatory information ... 251
Documentation feedback ... 251

Time zone settings ... 252
Universal time zone settings ... 252
Africa time zone settings ... 252
Americas time zone settings ... 253
Asia time zone settings ... 255
Oceanic time zone settings ... 256
Europe time zone settings ... 257
Polar time zone settings ... 258

Connecting to the OA with a local PC ... 259
Connecting a PC to the OA service port ... 259
Connecting a PC to the OA serial port ... 260
Modifying the serial connection baud rate ... 261

Warranty and regulatory information ... 263
Warranty information ... 263
Regulatory information ... 263

Belarus Kazakhstan Russia marking ... 263
Turkey RoHS material content declaration ... 264
Ukraine RoHS material content declaration ... 264

Standard terms, abbreviations, and acronyms ... 265


© Copyright 2010, 2018 Hewlett Packard Enterprise Development LP

Notices

The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise website.

Acknowledgments

Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the United States and other countries.

Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.

Java® and Oracle® are registered trademarks of Oracle and/or its affiliates.

UNIX® is a registered trademark of The Open Group.

Revision History

HPE Part Number    Edition        Publication Date    Changes
AH337-9001A        First          August 2010
AH337-9001A_ed2    Second         November 2010
AH337-9001A_ed3    Third          December 2010
AH337-9001B        Fourth         April 2011
AH337-9001C        Fifth          August 2011
AH337-9001D        Sixth          December 2011
AH337-9001E        Seventh        December 2012
AH337-9001F        Eighth         May 2013
AH337-9001G        Ninth          November 2013
AH337-9001H        Tenth          July 2014
794237–001         Eleventh       December 2014
794237–002         Twelfth        March 2015
794237–003         Thirteenth     September 2015
794237–004         Fourteenth     July 2016
794237–005         Fifteenth      September 2016
794237–006         Sixteenth      April 2017          • Corrected trap ID 22002 in Onboard Administrator SNMP traps
                                                      • Added Superdome X support for Google Chrome 38 browser in Access requirements
                                                      • Revised Thermal Status description in GPSM Status tab
794237–007         Seventeenth    April 2017

Introduction

This guide describes the Onboard Administrator used to support HPE Integrity Superdome X and HP Superdome 2 systems. These systems include different features and hardware, so not everything in this guide applies to both systems. Refer to the service guide for your system for more information.

Images and examples in this guide might depict only one type of system. Not all Superdome 2 images or examples have Superdome X equivalents in this guide.

Overview

The Integrity Superdome X and Superdome 2 compute enclosure Onboard Administrator (OA) is the complex management processor, subsystem, and firmware base used to support HPE Integrity Superdome X and Superdome 2 complexes and all the managed devices contained within the complex.

The OA provides a single point from which to perform basic management tasks for the following complex devices:

• Compute enclosures

• IOXs (Superdome 2)

• Server blades

• I/O interconnects

The OA performs configuration steps for the complex, enables run-time management and configuration of the complex components, and informs you of problems within the complex through email, SNMP, WSMAN, or the Insight Display.

Hewlett Packard Enterprise recommends that you read the service guide for your system for specific information before proceeding with the OA setup.

This user guide provides information on the following topics:

• Initial setup and operation of the OA

• Use of the OA GUI

• Use of the compute enclosure Insight Display

• Initial setup and operation of the Superdome 2 Door Status Display

The HPE Integrity Superdome X and Superdome 2 Onboard Administrator Command Line Interface Guide covers the use of the CLI.

The OA provides several features designed to simplify management of enclosures, blades, and interconnects. Compute enclosures within a complex can be configured with redundant OA modules to provide uninterrupted manageability of the entire complex in the event of a failure of a single OA module.

The following table lists which OA feature is enhanced when an enclosure contains redundant OA modules. For an enclosure with only a single OA module, the table indicates the behavior of the enclosure if the single OA module has failed or is removed.

Table 1: Benefits of using a redundant Onboard Administrator versus a single Onboard Administrator

| OA feature | Single OA in enclosure | Single OA failed or removed | Redundant OA in enclosure |
|---|---|---|---|
| Power allocation and control of all blades and interconnects. | Yes. Complete control. | No. Power supplies continue to deliver power to all blades and interconnects. No power on requests can be made for blades or interconnects. | Yes. Complete control, including sustaining a failure of either OA. |
| Cooling for all blades and interconnects. | Yes. Complete control. | No. All enclosure fans will ramp to an unmanaged higher speed to protect blades and interconnects from overheating. | Yes. Complete control, including sustaining a failure of either OA. |
| EBIPA. | Yes. Complete control. | No. EBIPA IP addresses are lost after lease timeout. | Yes. Complete control, including sustaining a failure of either OA. |
| Ethernet communications to OA, server iLO, interconnect management processors such as Virtual Connect, which use the OA/iLO management port. | Yes. Complete control. | No. Ethernet management communications are not available, including internal management traffic such as Virtual Connect Manager to other VC modules in the enclosure. | Yes. Complete control, including sustaining a failure of either OA. |
| Information and health status reporting for all blades, interconnects, fans, power supplies, OAs, and enclosure through the OA GUI or CLI, AlertMail, or SNMP. | Yes. Complete control. | No. Additionally, no information is available from the OA, and no out-of-band information is available from VCM or iLO on any server. | Yes. Complete control, including sustaining a failure of either OA. |
| Insight Display. | Yes. Complete control. | No. | Yes. Complete control, including sustaining a failure of either OA. |
| Enclosure DVD. | Yes. Complete control. | No. | Yes. Complete control, including sustaining a failure of either OA. |

Access requirements

To access the OA web interface, you require the OA IP address and a compatible web browser. You must access the application through HTTPS (HTTP packets exchanged over an SSL-encrypted session).

The OA web interface requires an XSLT-enabled browser with support for JavaScript 1.3 or the equivalent.

The following browsers are officially supported for use with OA:

• Microsoft Internet Explorer 7 or later

• Mozilla Firefox 3.6 or later

• Google Chrome 38 or later (Superdome X)

NOTE:

Other browsers can be used but are not supported.

For a list of browsers supported by OA, see the latest version of the OA Release Notes.

Before running the web browser, you must enable the following browser settings:

• ActiveX (for Microsoft Internet Explorer)

• Cookies

• JavaScript

If you receive a notice that your browser does not have the required functionality, be sure that your browser settings meet the preceding requirements.

If you use an installed language pack with the OA GUI and the browser does not display all characters correctly, make sure the operating system has the corresponding language support installed.

To access the OA CLI, use the OA IP address and a terminal or terminal application. To access the CLI, you must use Telnet or Secure Shell, depending on which of these protocols is enabled.

To access the CLI management and notification features, the ports listed in the following table must be open on any router between OA and any computers used to access or monitor OA.

Protocol Incoming port Outgoing port

Secure Shell 22

Telnet 23

SMTP 25

Browser access 80 80

Browser access encrypted 443 443

SNMP get/set 161

SNMP traps 162

LDAP 636

Terminal services pass-through from PC to OA 3389

Virtual media from PC to OA 17988

Remote syslog 514

The LDAP and Remote syslog port numbers can be changed.

If a protocol is disabled, the corresponding ports are also disabled.
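As an added example (not part of the HPE guide), the following Python code applies the port table and the two rules above to a router ACL review: it derives the openings needed for the protocols actually enabled on an OA, then reports openings that are missing, stale (for a disabled protocol), or not in the table at all. The protocol short names, the sample ACL, and the incoming/outgoing direction of the single-port rows are assumptions made for this example.

```python
from typing import NamedTuple


class Row(NamedTuple):
    protocol: str              # short name chosen for this example
    port: int                  # port number from the table above
    direction: str             # "in" = toward the OA, "out" = from the OA
    configurable: bool = False


# Port numbers come from the table. The direction of the single-port rows is
# an ASSUMPTION made from each protocol's client/server role, because this
# copy of the table does not preserve the column each value sat in.
PORT_TABLE = [
    Row("ssh", 22, "in"),
    Row("telnet", 23, "in"),
    Row("smtp", 25, "out"),
    Row("http", 80, "in"), Row("http", 80, "out"),
    Row("https", 443, "in"), Row("https", 443, "out"),
    Row("snmp", 161, "in"),
    Row("snmp-trap", 162, "out"),
    Row("ldap", 636, "out", configurable=True),
    Row("terminal-services", 3389, "in"),
    Row("virtual-media", 17988, "in"),
    Row("remote-syslog", 514, "out", configurable=True),
]
KNOWN = {row.protocol for row in PORT_TABLE}
CLEARTEXT = {"telnet", "http"}   # unencrypted transports


def openings(protocols, overrides=None):
    """Return the set of (direction, port) openings the given protocols need."""
    overrides = overrides or {}
    fixed = set(overrides) - {r.protocol for r in PORT_TABLE if r.configurable}
    if fixed:
        raise ValueError(f"port cannot be changed for: {sorted(fixed)}")
    unknown = set(protocols) - KNOWN
    if unknown:
        raise ValueError(f"not in the port table: {sorted(unknown)}")
    return {(r.direction, overrides.get(r.protocol, r.port))
            for r in PORT_TABLE if r.protocol in protocols}


def audit_acl(acl, enabled, overrides=None):
    """Compare router openings (direction, port) with what the OA needs."""
    allowed = set(acl)
    required = openings(enabled, overrides)
    every = openings(KNOWN, overrides)      # all table ports, overrides applied
    return {
        "missing": sorted(required - allowed),           # feature would break
        "stale": sorted((allowed & every) - required),   # protocol is disabled
        "unknown": sorted(allowed - every),              # not an OA port
        "cleartext": sorted(set(enabled) & CLEARTEXT),   # enabled, unencrypted
    }


if __name__ == "__main__":
    # Constructed sample: protocols enabled on one OA, a changed syslog port,
    # and the openings currently configured on the router in front of it.
    enabled = {"ssh", "https", "snmp-trap", "ldap", "remote-syslog"}
    overrides = {"remote-syslog": 6514}
    router_acl = [("in", 22), ("in", 23), ("in", 443), ("out", 443),
                  ("out", 636), ("out", 514), ("in", 8080)]
    for finding, items in audit_acl(router_acl, enabled, overrides).items():
        print(f"{finding:9} {items}")
```
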

NOTE:

The OA supports multiple simultaneous login sessions, whether through the OA web interface or CLI, except for LDAP/Active Directory users where only one login session is allowed per user.

CAUTION:

To ensure that the OA GUI continues to work after December 31, 2016, after upgrading from firmware version 7.6.0 or earlier to version 8.2.106 or later, the OA SHA-1 self-signed certificate will be removed and replaced with a SHA256 self-signed certificate. To prevent security warnings, the customer is encouraged to re-generate the self-signed certificate with the common name (CN) matching exactly the OA hostname as known by the web browser. For more information, see Certificate Administration on page 120.

Onboard Administrator overview

NOTE:

The Monarch OA is the Active OA in enclosure 1. It provides complex-wide administrative functions, such as partition management, event logs, and error diagnostics. IOX enclosure devices are managed through the Monarch OA.

Many OA settings must be managed on the Monarch OA and are automatically copied to the other OAs in the complex, such as user accounts and settings, power options, and feature enablement. Some settings are managed locally on each OA, such as the IP configuration and OA certificates.

Detecting component insertion and removal

OA provides component control in compute enclosures. Component management begins after the component is detected and identified. The OA detects components in enclosures through presence signals on each bay. When you insert a component into a bay, or connect an IOX, the OA immediately recognizes and identifies the component. When you remove a component from a bay, the OA deletes the information about that component.

In Superdome 2 systems, an IOX will be marked Failed if it is disconnected while the system is active. The Monarch OA must be rebooted to remove an IOX from the complex.

Identifying components

To identify a component, OA reads an FRU EEPROM that contains specific factory information about the component such as product name, part number, and serial number. All FRU EEPROMs in enclosures are powered on, even if the component is powered off. Therefore, OA can identify the component before granting power. For devices such as fans, power supplies, and Insight Display, OA directly reads the FRU EEPROMs.

• The server blades contain several FRU EEPROMs: one on the server board, which contains server information and embedded NIC information, and one on each installed mezzanine option card.

• Server blade control options also include extensive blade hardware information including:

◦ Blade and partition firmware versions

◦ Blade name

◦ NIC and option card port IDs

◦ Port mapping

• OA provides easy-to-understand port mapping information for each server blade and interconnect module in each enclosure.

The NIC and mezzanine option FRU data informs OA of the type of interconnects each server requires. Before power is provided to a server blade, OA compares this information with the FRU EEPROMs on installed interconnect modules to check for electronic keying errors. For interconnect modules, OA provides virtual power control, dedicated serial consoles, and management Ethernet connections.

While OA is identifying components, the progress appears as steps on the Insight Display. Discovery might take several minutes, and the number of installed mezzanine cards on each server increases the time taken as each card is identified and verified.

Managing power and cooling

The most important OA tasks are power control and thermal management. OA can remotely control the power state of all components in compute enclosures. For components in device bays on the front of each enclosure, OA communicates with iLO to control blades, and with a microcontroller to control options. A separate microcontroller controls power to the interconnect modules.

After the components are powered on, the OA begins thermal management with Thermal Logic. The Thermal Logic feature minimizes power consumption by the enclosure fan subsystem by reading temperature sensors across the entire enclosure. Then, Thermal Logic changes the fan speed in the various zones in the enclosure to minimize power consumption and maximize cooling efficiency.

Controlling components

OA uses embedded management interfaces to provide detailed information and health status of all bays in the enclosure including presence detection signals in each bay, i2c, serial, USB, and Ethernet controllers. OA also offers information on firmware versions for most components in the enclosure and can be used to update those components.

Managing partitions

The OA also enables users to define and manage partitions in a complex.

An nPartition comprises one or more server blades working as a single system. I/O bays in IOX enclosures are assigned to nPartitions, and any I/O component of a server blade, including NICs and mezzanine cards, is assigned to the nPartition containing the server blade.

In the complex, each nPartition has its own dedicated portion of the complex hardware which can run a single instance of an operating system. Each nPartition can boot, reboot, and operate independently of any other nPartitions and hardware within the same complex.

An nPartition includes all hardware assigned to the nPartition: all IOX I/O bays, I/O devices, and server blades.

A complex can contain one or more nPartitions, enabling the hardware to function as a single system or as multiple systems.

NOTE:

For more information about partition creation and management for HPE Integrity Superdome 2, see the HPE Superdome 2 Partitioning Administrator Guide. For more information about partition management for HPE Integrity Superdome X, see the HPE Integrity Superdome X Service.

Interfaces

Each compute enclosure has several external management interfaces that connect the user to OA. The primary external management interface is the management port for OA, which is an RJ-45 jack providing Ethernet communications not only to OA, but also to every device or interconnect bay with a management processor.

A serial port on the OA module provides full out-of-band CLI access to the OA.

All enclosures support two enclosure link connectors that provide private communications among enclosures linked with CAT5 cable. In addition, the enclosure link-up connector provides an enclosure service port that enables you to temporarily connect a personal laptop computer to any linked enclosure OA for local diagnostics and debugging.

NOTE:

For complexes that have the Superdome 2 Door Status Display, the enclosure service port is routed through the rack-mounted E-Switch.

Each compute enclosure includes an embedded Insight Display on the front of the enclosure, which provides status and information on all the bays in a compute enclosure and diagnostic information if the OA detects a problem in the enclosure. The Insight Display configures key settings in the OA, including the IP address of the OA.

Onboard Administrator user interfaces

The following user interfaces to the OA enable control and provide information about the enclosure and installed components:

• Web interface GUI

• Scriptable CLI

• Insight Display

Remote network access to the OA GUI and CLI is available through the management Ethernet port. The serial port of the OA is available for local CLI access. The compute enclosure link-up port is also available as the service port for temporary local Ethernet access to the OA and devices in linked enclosures using either the GUI or CLI. See Connecting to the OA with a local PC for information about using the OA link-up or serial ports.

NOTE:

For complexes that have the Superdome 2 Door Status Display, the enclosure service port is routed through the rack-mounted E-Switch.

Access the Insight Display directly through the buttons on the display, or remotely through the OA GUI.

Onboard Administrator authentication

Security is maintained for all OA user interfaces through user authentication. User accounts created in the OA define three user privilege levels and the component bays to which each level is granted access. OA stores the passwords for Local User accounts and can be configured to use LDAP authentication for user group accounts. The Insight Display can be protected against unauthorized access by an LCD PIN code or completely disabled.

NOTE:

User accounts are managed on the Monarch OA.

Role-based user accounts

OA provides configurable user accounts that can provide complete isolation of multiple administrative roles such as server, LAN, and SAN. User accounts are configured with specific device bay or interconnect bay permissions and one of the three privilege levels:

• Administrator

• Operator

• User

OA requires the user to log in to the web GUI or CLI with an account and password. The account can be a local account where the password is stored on OA, or an LDAP account. The OA contacts the defined LDAP server to verify the user credentials. Two-factor Authentication enables even tighter security for the user management session to OA.

An account with administrator privileges, including OA bay permissions, can create or edit all user accounts on an enclosure. Operator privileges allow full information access and control of permitted bays. User privileges allow information access, but no control capability. For detailed information about OA account privileges, see the HPE Integrity Superdome X and Superdome 2 Onboard Administrator Command Line Interface User Guide.

The default Administrator account from the Monarch OA is synchronized to the other OAs in the complex. Use the default credentials from the Monarch OA to access all OAs.

Rather than requiring separate logins to multiple resources (once to each enclosure or once to every server management processor or both), OA enables single-point access. Thus, the administrator can use single sign-on to log in to a single OA and use the web GUI to graphically view and manage the components in the entire complex. For example, an IT administrator can automatically propagate management commands, such as changing the enclosure power mode, throughout the complex.

NOTE:

The single sign-on requires that all the enclosure active OAs have the same password.

Running Onboard Administrator for the first time

Setting up an enclosure using the OA is simplified by using the Insight Display setup process, followed by the use of the OA GUI First Time Setup Wizard or OA CLI to complete the rest of the enclosure settings.

The OA modules and many interconnect modules default to DHCP for the management IP address. If the user has DHCP and connects the OA management port to the DHCP server, then the OA modules and interconnect modules supporting and configured to use the OA internal management network automatically get DHCP addresses from the user DHCP server.

If you do not have a DHCP server for assigning IP addresses to management processors, then you must configure each OA with a static IP address using the Insight Display, then log in to the OA GUI and use the First Time Setup Wizard or log in to the OA CLI and configure and enable EBIPA for device bays and interconnect bays. Enabling EBIPA for a bay enables that server or interconnect module to be replaced and the new module automatically gets the previously configured IP address for that bay. See Enclosure Bay IP Addressing for more information on EBIPA.

The initial credentials to log on to a new OA module are printed on a label on each module. The user is Administrator and the password is unique to each module. This password must be captured by the installer and communicated to the remote Administrator for the first remote logon to the OA GUI or OA CLI.

The enclosure settings can be configured manually or uploaded from a configuration script or file. The web GUI offers a First Time Setup Wizard. The CLI can be accessed from the OA serial port, Ethernet management port, service port, or by using the enclosure KVM - OA CLI button.

An alternative to manual configuration is to upload an enclosure configuration file to the active OA using either the GUI or CLI with an HTTP, FTP or TFTP network location for the configuration file, or use the GUI, CLI or Insight Display to upload a configuration file from a USB key drive plugged into the enclosure DVD USB port.

Hewlett Packard Enterprise recommends creating an enclosure configuration file by using the GUI, CLI, or Insight Display USB Menu to save the existing configuration to a file. The saved configuration file is a set of CLI text commands for each configuration item. The OA does not save user passwords when it saves a configuration file. The user can edit the configuration file and insert the password commands for each user account, or use the Administrator local account to individually update all user passwords after restoring a previously saved enclosure configuration file.

If the enclosure contains redundant OA modules, the remaining OA updates the new OA with all the settings.

Logging on to the Onboard Administrator GUI

If the Login Banner feature is enabled, you will be prompted to read and accept the conditions presented before being able to log in. Once the terms are accepted, the main login page will appear.

NOTE:

Not all images or examples in this guide have been updated for Integrity Superdome X.

Enter the user name and initial administration password for your OA account found on the tag attached to the OA.

Possible issues that might occur when logging in include:

• The information has been entered incorrectly. Passwords are case-sensitive.

• The account information entered has not been set up for OA.

• The user name entered has been deleted, disabled, or locked out.

• The password for the account must be changed.

• Attempting to log on from an IP address that is not valid for the specified account.

• The password for the Administrator account has been forgotten or lost. To reset the Administrator password, see Recovering the administrator password on page 18.

If you continue to have problems signing in, contact your administrator.

Running the setup wizard

To run the setup wizard, log on to OA. The First Time Setup Wizard starts automatically when you log on to OA for the first time. This wizard assists you in setting up the functions of the OA. You can access the setup wizard at any time after initial setup by clicking the Wizards link on the top left of the center screen.

For more information, see First Time Setup Wizard on page 41.

Using online help

To access online help, click the blue box with the white question mark located at the top right of the screen under the header bar. Online help displays information related to the section of OA that you are navigating.

Changing enclosure and device configurations

After completing the First Time Setup Wizard, return to the OA GUI to make configuration changes at any time. See Configuring compute enclosures and enclosure devices on page 92 for information that helps you make changes to enclosure and device configuration, user setup, and LDAP server settings and LDAP groups.

See Enclosure power management on page 153 for information on enclosure power settings.

Recovering the administrator password

If the administrator password has been lost, you can reset the administrator password to the factory default that shipped on the tag with the OA module. The OA resets a lost password to Lost Password mode. To recover the password and reset the administrator password to the factory default:

IMPORTANT:

The password is recovered from the Monarch OA.

Procedure

1. Connect a computer to the serial port of the active OA using a null-modem cable.

2. With a null-modem cable (9600 N, 8, 1, VT100, locally connect to the OA), open HyperTerminal (in Microsoft Windows) or a suitable terminal window (in Linux).

3. Connect to the active OA.

4. Press the OA Reset button for 5 seconds.

5. Press L to boot the system in the Lost Password mode. The password appears as the system reboots.

Insight Display

NOTE:

Images in this section might not reflect HPE Integrity Superdome X displays.

Insight Display overview

The Insight Display enables the rack technician to initially configure the enclosure. It also provides information about the health and operation of the enclosure. The color of the Insight Display varies with the condition of the enclosure health.

• Blue—The Insight Display illuminates blue when the enclosure UID is active.

The enclosure UID automatically turns on when the enclosure is powered up for the first time, and can be turned on by selecting Turn Enclosure UID On from the Main Menu or by pressing the enclosure UID button on the management interposer.

When the enclosure UID is on, the Insight Display flashes after two minutes of inactivity. Pressing any button on the Insight Display stops the blinking and reactivates the screen.

• Green—The Insight Display illuminates green when no error or alert conditions exist, and the enclosure is operating normally.

After two minutes of inactivity, the Insight Display light turns off. Pressing any button on the Insight Display reactivates the screen.

• Amber—The Insight Display illuminates amber when the OA detects an error or alert condition. The screen displays the details of the condition.

After two minutes of inactivity, the Insight Display flashes amber indicating that an error or alert condition exists. If the enclosure UID is on and an error or alert condition exists, the Insight Display illuminates blue as the enclosure UID takes priority over the alert. Pressing any button on the Insight Display reactivates the screen.

• Dark (no power)—The Insight Display has a two-minute inactivity period. If no action is taken and no alert condition exists, then the screen light turns off after two minutes. Pressing any button on the Insight Display reactivates the screen.

The Enclosure Health icon is located at the bottom-left corner of every screen, indicating the condition of the enclosure health. Navigate the cursor to the Enclosure Health icon and press OK to access the Health Summary screen from any Insight Display screen.

Navigating the Insight Display

Navigate the menus and selections by using the arrow buttons on the Insight Display panel.

The first menu displayed is the Main Menu.

The Main Menu of the Insight Display has the following menu options:

• Health Summary

• Enclosure Settings

• Enclosure Info

• Blade or Port Info

• Turn Enclosure UID on/off

• View User Note

• Chat Mode

If the active OA detects a USB key drive with any *.ROM, *.CFG or *.ISO files, a USB menu item appears at the bottom of the Main Menu.

If the active OA detects KVM capability, a KVM menu button appears on the navigation bar of the Main Menu. Selecting KVM Menu causes the Insight Display to go blank and activate the VGA connection of OA.

A USB key drive with the appropriate files and KVM capability is present in the Main Menu.

TIP:

Within any menu option, navigate the cursor to What is This, and press the OK button to view additional information about each setting, option, or alert.

The navigation bar contains options to do the following:

• Navigate forward and backward through alert screens

• Return to the main menu

• Accept changes to current settings

• Cancel changes to current settings

• Access the Health Summary screen from any screen by selecting the Health Summary icon on the navigation bar

Health Summary screen

The Health Summary screen displays the current status of the enclosure. The Health Summary screen can be accessed by the following methods:

• Selecting Health Summary from the Main Menu

• Selecting the Health Summary icon from any Insight Display screen

When an error or alert condition is detected, the Health Summary screen displays the total number of error conditions and the error locations.

Select Next Alert from the navigation bar, and then press the OK button to view each individual error condition. The Insight Display displays each error condition in the order of severity. Critical alerts display first (if one exists), followed by caution alerts.

When the enclosure is operating normally, the Health Summary screen displays green. The bright green rectangles are components that are installed and are on. A light green rectangle represents a component that is installed, but powered off with no errors.

When the enclosure is operating normally, the Health Summary screen displays green. The bright green rectangles are components that are installed and on. A dark green rectangle represents a component that is installed, but powered off with no errors. A black rectangle represents an empty bay.

NOTE:

A black DVD rectangle indicates no DVD is connected to the OA while a dark gray rectangle indicates the DVD drive is present, but that no media is present. A dark green rectangle indicates that media is present, but not actively connected to any server or that all connected servers have issued a disk eject command, so the disk can be removed from the drive. A bright green rectangle indicates that the media is present in the drive and actively connected to at least one server in the enclosure, and the drive tray is locked.

If an error occurs, the Health Summary screen background changes from green to amber and the error is highlighted with yellow rectangles for caution and red rectangles for failures. Overall enclosure health icons at the bottom-left corner of the Insight Display screens indicate the overall enclosure health.

To display the errors, select View Alert, and then press the OK button.

To view the details of the error, select Details.

Enclosure Settings screen

The Enclosure Settings screen displays the following setting information about the enclosure:

• Power Mode settings

• Power Limit settings

• Dynamic Power settings

• Active and Standby OA IP addresses

• Enclosure Name

• Rack Name

• DVD Drive

• Insight Display PIN#

NOTE:

The DVD Drive setting can attach or detach a CD or DVD loaded in the DVD drive to any or all partitions in the enclosure. This feature can be used to install an OS or software on the partitions.

TIP:

Set a PIN to protect the enclosure settings from changes.

Navigate the cursor to a setting or to ?, and press OK to change the setting or get help on that setting.

Enclosure Info screen

The Enclosure Info screen displays information about the enclosure, including the following:

• Active OA IP address

• Active OA Service IP address


• Current health status of the enclosure

• Current enclosure ambient temperature

• Current AC input power to the enclosure

• Enclosure number

• Enclosure name

• Enclosure serial number (Integrity Superdome X)

• Rack name

Blade and Port Info screen

The Blade and Port Info screen displays information about a specific server blade. On the first screen, select the server blade number, and then press the OK button. Select Blade Info or Port Info, and press the OK button.

To view information about the server blade, select Blade Info and press the OK button.


NOTE:

The screen below does not depict the fully loaded blade supported for this release.

To view the ports used by a specific server blade, select Port Info and press the OK button.

The following screen shows a server blade with four embedded NICs. The other interconnect bays are empty. The four embedded NICs are connected to particular port numbers on the interconnect modules.

Turn Enclosure UID On/Off screen

The Main Menu displays Turn Enclosure UID Off when the enclosure UID is active, and displays Turn Enclosure UID On when the enclosure UID is off.

Selecting Turn Enclosure UID On from the main menu turns on the rear enclosure UID LED and changes the color of the Insight Display screen to blue.


Selecting Turn Enclosure UID Off from the main menu turns off the rear enclosure UID LED and changes the color of the Insight Display screen to the current alert condition.

View User Note screen

The View User Note screen displays six lines of text, each containing a maximum of 16 characters. Use this screen to display helpful information such as contact phone numbers. Change this screen using the remote OA user web interface. Both the background bitmap and the text can be changed.

Chat Mode screen

The Chat Mode screen is used by the remote administrator who uses the web interface to send a message to an enclosure Insight Display. The technician uses the Insight Display buttons to select from a set of prepared responses, or dials in a custom response message on the ? line. To send a response back to the Administrator, navigate the cursor to Send, then press the OK button.

The Chat Mode screen has top priority in the Insight Display and remains on the screen until you select Send. The technician can leave this chat screen temporarily and use the other Insight Display screens, then return to the Chat Mode screen from the Main Menu to send a response. After the response, the Chat Mode screen is cleared. Both the A and ? responses then appear to the remote Administrator on the LCD Chat web interface.


Insight Display errors

The enclosure installation is successful when all errors are corrected. The errors in the following sections are specific to installation and initial configuration of the enclosure.

The following types of errors can occur when installing and configuring the enclosure:

• Power errors

• Cooling errors

• Location errors

• Configuration errors

• Device failure errors

When the enclosure UID LED is off, the Insight Display is illuminated amber when any error condition exists. The navigation bar displays the following selections when an error condition exists:

• Health summary icon—Displays the Health Summary screen

• Fix This—Suggests corrective action to clear the current error

• Next Alert—Displays the next alert, or if none exist, displays the Health Summary screen

• Previous Alert—Displays the previous alert

Power errors

Power errors can occur because of insufficient power to bring up an enclosure. Power errors can occur on server blades or interconnect modules.

To correct a power error, do the following:


Procedure

1. Use the arrow buttons to navigate to Fix This, and then press OK.

2. Review and complete the corrective action suggested by the Insight Display. Use the OA tools for additional troubleshooting.

Cooling errors

Cooling errors occur when fans are missing from the enclosure, or when the existing fans are not installed in an effective configuration. Cooling errors can occur on server blades, interconnect modules, XFMs, and OAs.

To correct a cooling error, do the following:

Procedure

1. Use the arrow buttons to navigate to Fix This, and then press OK.

2. Review and complete the corrective action suggested by the Insight Display. In most cases, you must either add fans to the enclosure, correct the fan configuration, or remove the indicated components.

Location errors

Location (installation) errors occur when the component is not installed in the appropriate bay. Location errors can occur on server blades, power supplies, and fans. Integrity Superdome X systems are configured such that these errors should not occur unless the components have been moved.

To correct a location error, do the following:

Procedure

1. Use the arrow buttons to navigate to Fix This, and then press OK.

2. Review and complete the corrective action suggested by the Insight Display. Remove the indicated component, and then install it into the correct bay. The Insight Display will indicate the correct bay number.

Configuration errors

Configuration errors can occur if the interconnect modules are installed in the wrong bays or if mezzanine cards are installed in the wrong connectors in the server blade. Configuration errors can occur on server blades and interconnect modules. Integrity Superdome X systems are configured such that these errors should not occur unless the components have been moved.

To correct a configuration error, do the following:

Procedure

1. Use the arrow buttons to navigate to Fix This, and then press OK.

2. Review and complete the corrective action suggested by the Insight Display. Depending on the error received, do one of the following:


• Remove the indicated interconnect module and then install it into the correct bay (the Insight Display indicates the correct bay).

• Remove the server blade to correct the mezzanine card installation (the Insight Display will indicate the correct bay). For information on installing the mezzanine card, see the server-specific user guide on the Documentation CD.

Device failure errors

Device failure errors occur when a component has failed. Device failure errors can occur on all components, including the following:

• Server blades

• Power supplies

• Interconnect modules

• OA modules

• Fans

• ac power inputs

To correct a device failure error, do the following:

Procedure

1. Use the arrow buttons to navigate to Fix This, and then press OK.

2. Review and complete the corrective action suggested by the Insight Display. In most cases, you must remove the failed component to clear the error.

3. Replace the failed component with a spare, if applicable.

NOTE:

If the device failure error is an ac power input failure error, you must have the failed ac input repaired to clear the error.


Superdome 2 Door Status Display

Superdome 2 SD2-16s and SD2-32s complexes that are factory integrated ship with the Superdome 2 Door Status Display. The Door Display is a quick method of getting basic complex status information by using the integrated touch screen on the rack door.

NOTE:

Superdome 2 SD2-8s and Integrity Superdome X complexes do not support the Door Display.

The Door Display screen and LED backlighting displays the overall status of the complex by the following scheme:

• Solid blue — The Door Display screen and LED backlight glows solid blue when the complex is operating under normal conditions.

• Flashing blue — The Door Display screen and LED backlight flashes blue when the enclosure UID of any compute enclosure in the rack is turned on.

• Flashing amber — The Door Display and LED backlight flashes amber if any compute enclosure in the rack has an error or alert condition.

If an enclosure UID is on and an error or alert condition exists, the Door Display and LED backlight flashes blue as the enclosure UID takes priority over the alert.

• Dark (no power) — The Door Display screen turns off after one hour of displaying a screen saver. Touch the Door Display screen to return to the last menu displayed. The LED backlight remains glowing to reflect the current complex status.

NOTE:

You can only disable the Door Display screen by using the Door Display menu. You cannot disable the screen remotely.

After one hour of inactivity, the Door Display screen displays a screen saver. Touch the Door Display screen to return to the last menu that was onscreen.

Before running Door Display setup

Before running the Door Display setup, you must create OA accounts. The Door Display uses the OA accounts to access complex information and enables you to set the enclosure UID for compute enclosures in the rack.

Setting up the Door Display

When the complex is first powered on, a brief animation on the Door Display screen is displayed, and then the startup menu appears.

NOTE:

The startup menu will take several seconds to appear while the Door Display starts up.


The startup menu has the following options:

• Disable Display — A screen saver immediately appears for one hour, and then the Door Display shuts off.

• Setup — Select this option to begin the Door Display setup.

Complex configuration


1. Select the current complex configuration in the rack.

IMPORTANT:

This menu selection does not set the complex configuration on the OA. To correctly set up the Door Display, you must select the current complex configuration present in the rack.

2. Press Next.

Status display preferences


• Temperature Scale — Select between displaying enclosure temperatures in °C or °F.

• Display IP Address — Select to enable or disable the display of the IP addresses of the active OA and the complex service port.

NOTE:

The OA IP address does not appear until the setup process is complete.

Press Next to continue.

Two 16s complex setup

If the complex configuration is two 16s complexes in a cabinet, unlike the other multi-enclosure configurations, each enclosure is a self-contained complex and each will require its own login and password information.


If you selected Two 16s as the complex configuration, you are prompted to select which complex displays status information on the Door Display screen.

• Lower Complex — The Door Display screen displays status information for only the lower SD2-16s complex in the rack.

• Upper Complex — The Door Display screen displays status information for only the upper SD2-16s complex in the rack.

• Both Complexes — The Door Display screen displays status information for both SD2-16s complexes in the rack.

NOTE:

If you select Both Complexes, you are prompted to enter two user names and passwords at the next menu.

Press Next.


Complex login

You must enter an OA account user name and password to enable the Door Display to log in to the complex and display complex status information.

IMPORTANT:

If you enter an OA Administrator or OA Operator-level user name, all complex information appears and the Door Display screen can be used to set the enclosure UID.

If you enter an OA User-level user name, all complex information appears, but the Door Display screen cannot be used to set the enclosure UID.

Press Login to complete setup or Cancel to quit Door Display setup.

Door Display status menu


The Door Display status menu displays the following information:

• Complex name — The user-specified name of the complex.

• Complex health — The current health status of the complex.

If there is an enclosure in the complex that now has fault conditions, the enclosure will be highlighted amber and indicated with a fault symbol.

• Active (OA) IP address — The IP address of the active OA.

• Service IP address — The IP address of the complex service port.

• Enclosure power — The current power consumption of the enclosures in the complex in kW.

• Enclosure temperature — The current temperature of the enclosures in the complex in °C or °F.

• Enclosure UID — If an enclosure in the complex has the enclosure UID enabled, then the enclosure will be indicated with a UID symbol.

The Door Display status menu has the following menu buttons:

• Display Settings — Display the Display Settings menu.

• UID — Display the UID control overlay.

If the rack contains two SD2-16s complexes, then the Door Display status menu displays the following buttons:

• Upper Complex — Displays the status of the upper complex in the rack.

• Lower Complex — Displays the status of the lower complex in the rack.

• Logon — If the OA log on information is not specified for an enclosure in the rack, select this option to enter the OA log on information.

UID control


To change the UID of enclosures in the rack, push the On/Off toggle button for the enclosures.

Press Confirm to turn the enclosure UIDs on or off and return to the Door Display status menu. To return to the Door Display status menu without making any changes, press Cancel.


Display Settings menu

IMPORTANT:

Accessing the Display Settings screen requires a valid Door Display login even if no settings are changed. If you cancel out of the Display Settings without entering the correct login information, the Door Display will continue to show the Login and Setup Info is required message.

The Display Settings menu has the following options:

• Door Display Setup — Runs the initial setup of the Door Display.

• Disable Display — Erases all settings. A screen saver immediately appears for one hour, and then the Door Display shuts off.

IMPORTANT:

If you select this option, you must re-enter all setting information, such as user names and passwords before you can use the Door Display.

• Calibrate Screen — Enters calibration mode for the touch screen.


IMPORTANT:

Hewlett Packard Enterprise recommends using a stylus or the back of a pencil to calibrate the screen. Using a finger is not precise enough to properly calibrate the screen.

Do not use metal objects to calibrate the screen. Using a metal object might damage the LCD touch screen.

• Firmware Update — Use this option to update the Door Display firmware. The current status of the Door Display firmware is displayed on the menu button. The firmware status is one of the following:

◦ Setup required first — The initial Door Display setup has not been completed and the Door Display is unable to access firmware status.

◦ Up-to-date — The current Door Display firmware matches the current revision available on the OA. No firmware update is required. If necessary, the Door Display firmware can be reloaded using the Firmware Update menu.

◦ Update Available — A newer firmware revision is available for the Door Display.

◦ No Update Available — The OA does not have firmware available for the Door Display. This occurs if the OA web server is disabled.

NOTE:

The Door Display firmware must be updated through the Door Display menu.

• Reboot Display — Restarts the Door Display module only.

IMPORTANT:

You must reboot the Door Display after the OA reboots. The Door Display does not function until you reboot the Door Display after the OA reboots.

Press Exit Display Settings to return to the Door Display status menu.

Firmware Update menu

NOTE:

This menu is used to update the firmware of the Door Display only.

The Firmware Update menu is available if the firmware status is displayed as Up-to-date or Update Available on the Firmware Update menu option.

Choose one of the following options:

• To begin the firmware update process, press Start.

• To return to the Display Settings menu without updating the firmware, press Exit Firmware Update.


NOTE:

If the versions of the current Door Display firmware and the firmware available on the OA match, you are prompted to reload the firmware or cancel.


When the firmware update is complete, you are prompted to reboot the Door Display to complete the firmware update. To reboot the Door Display only, press Reboot. After the Door Display reboots, you are prompted to calibrate the LCD touch screen.

If you do not want to reboot the Door Display, press Not Now. The firmware update is not complete until the Door Display is rebooted.


First Time Setup Wizard

NOTE:

The First Time Setup Wizard is used only to configure compute enclosures and OA network settings. The First Time Setup Wizard does not enable you to set up and configure partitions.

For more information about partition creation and management for HPE Integrity Superdome 2, see the HPE Superdome 2 Partitioning Administrator Guide. For more information about partition management for HPE Integrity Superdome X, see the HPE Integrity Superdome X Service Guide.

Before you begin

Before running the First Time Setup Wizard, complete the following tasks:

Procedure

1. Install the OA modules.

2. Connect the OA modules to the network.

3. Complete the Insight Display installation wizard. You must at least configure the active OA IP address.

4. Run the Insight Display installation.

Logging on to Onboard Administrator

For information on logging on to the OA, see Logging on to the Onboard Administrator GUI.

The first time you log on, the OA automatically runs the First Time Setup Wizard.

To navigate the setup wizard, click the Next button to save your changes and go to the next step. Click the Skip button if you want to leave the step without saving the changes.

You can return to previous wizard steps by selecting them in the left tree view. You can also run the wizard again at any time by selecting it from the Wizards menu.


Enclosure Selection screen

The Enclosure Selection screen displays all discovered enclosures and selects the active enclosure, the enclosure you are signed in to by default. The check box beside each enclosure enables you to select or clear that enclosure. Selecting the check box beside All Enclosures toggles the check box for all enclosures.

Click the Refresh Topology button to update the rack topology information. When you select Refresh Topology, the Enclosure Selection screen switches to the Linked Mode and all linked enclosures appear.


If more than one enclosure is listed on the Enclosure Selection screen, select the enclosure you want to set up, and then click the Next button.

For possible values and descriptions of each box, see Enclosure Status on page 93.

Configuration Management screen

The Configuration Management screen enables you to set up the selected enclosures using a configuration file saved from a previous setup. You can run scripts for multiple OAs before leaving the current screen.


To set up selected enclosures, using a configuration file:

On the Configuration Management screen, select one of the following options:

• Local file: Browse for the configuration file, or enter the path of the script file into the textbox. The maximum number of characters in the file path is 256. Click Upload after entering the script file path.

• URL: Enter an http:// path to the configuration file if it is located on a web server. The maximum number of characters in the file path is 256. Click Upload after entering the URL. A window opens and displays the results.

If more than one enclosure is selected during the enclosure selection, select the enclosure to upload or apply the configuration file to use from the drop-down that appears. If multiple enclosures were selected, then repeat this process for each additional enclosure. You cannot select more than one enclosure at a time for configuration management.

Rack and Enclosure Settings screen

This screen enables you to assign time settings and a common name to your rack and to assign unique names and asset tags to your enclosures.


| Box | Possible value | Description |
| --- | --- | --- |
| Rack Name | 1 to 32 characters including all alphanumeric characters, the dash (-), and the underscore (_) | The name of the rack in which the enclosure is installed |
| Date | yyyy-mm-dd, where: mm is an integer from 1 to 12; dd is an integer from 1 to 31 | The current date assigned to the enclosure |
| Time | hh:mm:ss (24-hour time): hh is an integer from 0 to 23; mm is an integer from 0 to 59; ss is an integer from 0 to 59 | The current time assigned to the enclosure |
| Primary NTP Server | ###.###.###.### where ### ranges from 0 to 255 | IP address of primary NTP server that provides date and time information or the DNS name of the NTP server |
| Secondary NTP Server | ###.###.###.### where ### ranges from 0 to 255 | IP address of secondary NTP server that provides date and time information or the DNS name of the NTP server |
| Time Zone | Time zone settings: Universal time zone settings; Africa time zone settings; Americas time zone settings; Asia time zone settings; Oceanic time zone settings; Europe time zone settings; Polar time zone settings | The time zone assigned to the enclosure |
| Enclosure Name | 1 to 32 characters including all alphanumeric characters, the dash (-), and the underscore (_) | The name of the selected enclosure |
| Asset Tag | 0 to 32 characters including all alphanumeric characters, the dash (-), and the underscore (_) | The asset tag is used for inventory control. The default asset tag is blank. |

See the HP Superdome 2 User Service Guide or HPE Integrity Superdome X Service Guide for Users for your system at http://www.hpe.com/support/hpesc for more information on connecting enclosures.

Administrator Account Setup screen

The Administrator Account Setup screen initially displays the name of the active enclosure and its current settings. If multiple enclosures are selected on the Enclosure Selection screen, a button is activated that enables you to expose separate inputs for each selected OA.


| Box | Possible value | Description |
| --- | --- | --- |
| Password | 3 to 8 characters including all printable characters | The password for the Administrator account |
| Password Confirm | 3 to 8 characters including all printable characters | Must match the Password value |
| Full Name | 0 to 20 characters including all alphanumeric characters, the dash (-), the underscore (_), and the space | The full name of the user |
| Contact | 0 to 20 characters including all alphanumeric characters, the dash (-), the underscore (_), and the space | Contact information for the user account. The contact information can be the name of an individual, a telephone number, or other useful information. |
| PIN Code | 1 to 6 characters from the character sets 0 to 9, a to z, and A to Z | The PIN code for the enclosure Insight Display |
| PIN Code Confirm | 1 to 6 characters from the character sets 0 to 9, a to z, and A to Z | Must match the Insight Display PIN value |

Local User Accounts screen

The Local User Accounts screen displays the user accounts assigned to the Active OA and provides choices for adding, editing, and deleting accounts.

• New: Click the New button to add a new user to the selected enclosure. A maximum of 30 user accounts can be added including the reserved accounts. The Add Local User screen appears.

• Edit: Select a user (only one can be selected) by selecting the check box next to the name of the user. Click the Edit button to change the settings on the Edit Local User screen, and then click Update User to save the information.

• Delete: Select a user or users to be deleted by selecting the check box next to the name of the user. Click the Delete button to delete the accounts. If an attempt is made to delete the last Administrator account, you will receive an alert warning that at least one Administrator account must exist and the delete action is canceled.


User Settings screen

The User Settings screen displays configurable user information.

Procedure

1. Enter user information in the User Information and User Permissions sections.

2. Click Add User to save the information.

3. To return to the Local User Accounts screen, click Previous.


4. For each user added, select the appropriate boxes to grant access to servers and interconnect bays. For possible values and descriptions of each box, see Managing users on page 175.

Enclosure Bay IP Addressing screen

The OA EBIPA feature is intended to help you provision a fixed IP address to a particular bay in an enclosure. The components plugged into the bays are set for DHCP, and interconnect modules are configured to use the internal management port to OA. If the component is configured for a static IP address, an EBIPA assignment to that bay has no effect.

NOTE:

If you use DHCP servers on your management network, then do not use EBIPA for management IP address assignments.

For Integrity Superdome X systems, if you use fixed IP addresses for management processors, use EBIPA to assign IP addresses to the monarch iLO. Do not configure iLO to use static IP addresses directly.

NOTE:

The Superdome 2 iLO does not support hponcfg.

NOTE:

All IP addresses are supported, with the exception of address ranges 169.254.x.y and 10.254.x.y, which are reserved for the internal management network. In addition, all the IP addresses must be within the same subnet defined by netmask and IP address so that all OAs as well as all iLOs fit into that subnet.

If the server blade is configured for a static IP address, then it carries the same address even if the blade is moved to another enclosure.

If the server blades are set for DHCP and the OA is configured for EBIPA addressing for that bay, then iLO will obtain an EBIPA-configured IP address when it is plugged into that enclosure.

If your network has an external DHCP service or if you want to manually assign static IP addresses one by one to the server blades and interconnect modules, then to bypass this step, click the Skip button.
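The addressing rules in the note above can be checked before any values are typed into the EBIPA screen. The following is an added example, not HPE code: it validates a planned address set against the two reserved ranges and the single-subnet rule, and goes slightly beyond the guide by also flagging duplicates and network or broadcast addresses. The labels and addresses in the sample plan are constructed.

```python
import ipaddress

# Ranges the guide reserves for the internal management network.
RESERVED_NETS = (
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("10.254.0.0/16"),
)


def check_ebipa_plan(subnet_ip, netmask, addresses):
    """Check a planned set of OA and bay addresses against the guide's rules.

    subnet_ip and netmask define the management subnet. addresses maps a
    label (hypothetical names such as "bay 1 iLO") to a dotted-quad string.
    Returns a list of (label, address, problem) tuples; empty means clean.
    """
    subnet = ipaddress.ip_network(f"{subnet_ip}/{netmask}", strict=False)
    findings = []
    first_owner = {}  # address -> first label that claimed it

    for label, text in addresses.items():
        try:
            addr = ipaddress.IPv4Address(text)
        except ipaddress.AddressValueError:
            findings.append((label, text, "not a valid IPv4 address"))
            continue

        # Rule 1 (from the guide): 169.254.x.y and 10.254.x.y are reserved.
        for net in RESERVED_NETS:
            if addr in net:
                findings.append((label, text, f"in reserved range {net}"))

        # Rule 2 (from the guide): every OA and iLO address fits one subnet.
        if addr not in subnet:
            findings.append((label, text, f"outside subnet {subnet}"))
        elif subnet.prefixlen <= 30 and addr in (
            subnet.network_address,
            subnet.broadcast_address,
        ):
            # Extra check, not from the guide: unusable as a host address.
            findings.append((label, text, "network or broadcast address"))

        # Extra check, not from the guide: the same address planned twice.
        if addr in first_owner:
            findings.append((label, text, f"duplicate of {first_owner[addr]}"))
        else:
            first_owner[addr] = label

    return findings


# Constructed sample plan; none of these values come from the guide.
SAMPLE_PLAN = {
    "OA active": "192.168.10.2",
    "OA standby": "192.168.10.3",
    "bay 1 iLO": "192.168.10.11",
    "bay 2 iLO": "169.254.1.20",
    "bay 3 iLO": "192.168.11.13",
    "bay 4 iLO": "192.168.10.11",
    "interconnect 1": "10.254.3.4",
    "interconnect 2": "192.168.10.300",
}

if __name__ == "__main__":
    for label, address, problem in check_ebipa_plan(
        "192.168.10.1", "255.255.255.0", SAMPLE_PLAN
    ):
        print(f"{label:15} {address:16} {problem}")
```

A reserved address is reported even when the chosen netmask is wide enough to contain it, so a 10.0.0.0/8 management subnet does not hide a 10.254.x.y assignment.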

EBIPA Settings screen


For information on how to set up EBIPA, see Enclosure Bay IP Addressing on page 107.

Directory Groups screen

LDAP is an open protocol for accessing information directories. While LDAP is based on the X.500 standard, it is significantly simpler. LDAP supports TCP/IP, which enables applications to work independently of the server hosting the directory.

Use the Directory Group screen to set directory access for the currently selected enclosures.

On this screen, you can configure directory groups.

For possible values and descriptions of each box, see Directory Groups on page 185.

Directory Settings screen

Use the Directory Settings screen to set directory access for the currently selected enclosures.

Using the Directory Settings screen, you can configure the following settings:

• Enable LDAP Authentication: Enables a directory server to authenticate a user login.

• Enable Local Users: Enables a user to log on using a local user account instead of a directory account.

• Search Context: Specify one to six search contexts. A search context is a search filter or shortcut to a common directory, defining the path at which the search for directory users starts. By specifying a search context, users do not have to specify their full DNs at login. A DN might be long, and users might not be familiar with their DN or might have accounts in different directory contexts. The OA attempts to contact the directory service by DN and then applies the search contexts in order, beginning with Search Context 1 and continuing through any subsequent search contexts until successful.

  Search context is also applicable to LDAP directory groups, which are useful when LDAP nested groups are configured. When specifying the search context for an LDAP directory group, the exact context is not required.

• Use NT Account Name Mapping (DOMAIN\username): Enables NT name mapping so that you can enter the NT domain and user name.

| Box | Possible value | Description |
|---|---|---|
| Directory Server Address | ###.###.###.### where ### ranges from 0 to 255 or DNS name of the directory server or the name of the domain | The IP address or the DNS name or the name of the domain of the directory service. This field is required. |
| Directory Server SSL Port | 0 to 65535 | The port used for LDAP communications. The default port is port 636. This field is required. |
| Search Context 1 | All characters except " (quotes), not to exceed 127 characters | First searchable path used to locate the user when the user is trying to authenticate using directory services. This path is also used to search for nesting LDAP group. |
| Search Context 2 | All characters except " (quotes), not to exceed 127 characters | Second searchable path used to locate the user when the user is trying to authenticate using directory services. This path is also used to search for nesting LDAP group. |
| Search Context 3 | All characters except " (quotes), not to exceed 127 characters | Third searchable path used to locate the user when the user is trying to authenticate using directory services. This path is also used to search for nesting LDAP group. |
| Search Context 4 | All characters except " (quotes), not to exceed 127 characters | Fourth searchable path used to locate the user when the user is trying to authenticate using directory services. This path is also used to search for nesting LDAP group. |
| Search Context 5 | All characters except " (quotes), not to exceed 127 characters | Fifth searchable path used to locate the user when the user is trying to authenticate using directory services. This path is also used to search for nesting LDAP group. |
| Search Context 6 | All characters except " (quotes), not to exceed 127 characters | Sixth searchable path used to locate the user when the user is trying to authenticate using directory services. This path is also used to search for nesting LDAP group. |

Onboard Administrator Network Settings screen

Use the Onboard Administrator Network Settings screen to modify network settings for all the OA modules in the selected enclosures. Settings for Standby OA modules appear only if the modules are present. Options for DHCP and static IP are supported.

Changing network settings on the OA that you are signed in to might disconnect you from the OA. If this happens, you will have to sign in to the OA again.

To continue, click Next.

If you do not want to change network settings, click Skip.

First Time Setup Wizard Network settings

The OA allows the network configuration to be based either on dynamically assigned IP addresses obtained from a DHCP server or on static IP addresses that you specify manually. You choose the basis for network configuration by selecting the appropriate radio button. If you choose DHCP, you can enable Dynamic DNS.

• Use DHCP for all Active Onboard Administrators: Obtains the IP address for the OA from a DHCP server. The Standby checkbox is shown only if there is a Standby OA in the enclosure.

• Enable Dynamic DNS: Enable using the same host name for the OA over time, although the dynamically assigned IP address might change. The host name is registered with a DNS server. DDNS updates the DNS server with new or changed records for IP addresses.

• Use static IP settings for each Active Onboard Administrators: Manually set up static IP settings for the OA. The Standby checkbox is shown only if there is a Standby OA in the enclosure.

For possible values and descriptions of each box, see Network Access on page 105.

SNMP Settings screen

Use the SNMP Settings screen to configure or modify the SNMP settings for the active OA.

For possible values and descriptions of each box, see SNMP Settings on page 110.

Power Management screen

IMPORTANT:

In a complex with one or more failed power supplies, it is possible for attempts to power on servers to fail if the resulting power allocation would result in the Power Redundancy Status becoming Failed. The administrator must explicitly reduce the redundancy setting to enable powering on servers prior to the failed power supplies being serviced. This applies to AC Redundant and Power Supply Redundant power modes.

IMPORTANT:

If redundancy mode is set to Redundant, AC Redundant, or Power Supply Redundant, and power redundancy is lost, then you must either add additional power supplies or change the redundancy mode setting in the OA to restore Power Subsystem status. One upper and one lower power supply must always be installed and operational. For corrective steps, see the Insight Display.

The enclosure power management system enables you to customize the configuration of the enclosure. You can select from the various modes on the OA Power Management screen. The power modes are explained in the following table.

| Mode | Insight Display name | Description |
|---|---|---|
| Redundant | Redundant | For DC power supplies only. In this configuration, N upper and N lower power supplies are used to provide power and N upper and N lower power supplies are used to provide redundancy (where N can equal 1, 2, or 3). Up to three upper and three lower power supplies can fail without causing the enclosure to fail. When correctly wired with redundant DC line feeds, this configuration also ensures that a DC line feed failure does not cause the enclosure to power off. |
| AC Redundant | AC Redundant | For ac power supplies only. In this configuration, N upper and N lower power supplies are used to provide power and N upper and N lower power supplies are used to provide redundancy (where N can equal 1, 2, or 3). Up to three upper and three lower power supplies can fail without causing the enclosure to fail. When correctly wired with redundant ac line feeds, this configuration also ensures that an ac line feed failure does not cause the enclosure to power off. |
| Power Supply Redundant | Power Supply | Up to six upper and six lower power supplies can be installed with one upper and one lower power supply always reserved to provide redundancy. In the event of a single upper or lower power supply failure, the redundant power supply in the same section (upper or lower) takes over the load. A line feed failure of more than one power supply in a section causes the system to power off. |
| Not Redundant | None | There is no power redundancy and no power redundancy warnings are given. If all power supplies are needed to supply Present Power, then any power supply or line failure can cause the enclosure to power off. |
| Dynamic Power | Dynamic Power | If enabled, Dynamic Power automatically places unused power supplies in standby mode to increase enclosure power supply efficiency, thereby minimizing enclosure power consumption during lower power demand. Increased power demands automatically return standby power supplies to full performance. This mode is not supported for low voltage on the enclosure. |
| Static Power Limit | Power Limit | An optional setting to limit power. Whenever you attempt to power on a device, the total power demands of the new device and of the devices already on are compared against this Static Power Limit. If the total power demands exceed the limit, the new device is prevented from powering on. |

Dynamic Power: The default setting is Enabled. The following selections are valid:

• Enabled: Some power supplies can be automatically placed on standby to increase overall enclosure power subsystem efficiency.

• Disabled: All power supplies share the load. The power subsystem efficiency varies based on load.

Dynamic Power is not supported for low voltage on the enclosure.

Finish

Click Show Config to view the current configuration for the enclosure.

To save the configuration as a text file:

• Microsoft Internet Explorer — select Save As

• Mozilla Firefox — select Save Page As

• Google Chrome — select ???

For security, the retrieved current configuration does not contain any user passwords. You can manually edit the script to add the user passwords after the user name on the ADD USER lines. Also, the retrieved current configuration does not contain any of the LCD settings (Lock Buttons, Enable PIN Protection, and PIN Code). These settings cannot be added from the configuration script.

You can clear the Do not automatically start this wizard again check box to force the First Time Setup Wizard to run again the next time a user signs into the OA.

Click the Finish button to save and exit the First Time Setup Wizard. The First Time Setup Wizard screen closes and you are returned to the default main screen of the OA.
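Once passwords have been added by hand to a saved configuration script, the file holds credentials in clear text and needs the same handling as any other secret. The following is an added example, not HPE code: it lists the ADD USER lines that carry a password and produces a password-free copy for archiving or sharing. It assumes the password, when present, follows the user name on the same ADD USER line, as the guide describes; the sample script and its values are constructed.

```python
import re

# Assumed line shape: ADD USER "<name>" optionally followed by the password,
# which is where the guide says a password is added by hand.
ADD_USER = re.compile(
    r'^(?P<head>\s*ADD\s+USER\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+)))'
    r'(?P<rest>\s+\S.*)?$',
    re.IGNORECASE,
)


def find_embedded_passwords(script_text):
    """Return (line_number, user_name) for each ADD USER line with a password."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        match = ADD_USER.match(line.rstrip())
        if match and match.group("rest"):
            user = match.group("quoted")
            if user is None:
                user = match.group("bare")
            hits.append((lineno, user))
    return hits


def strip_passwords(script_text):
    """Return the script with everything after the user name removed
    from ADD USER lines; all other lines are left unchanged."""
    cleaned = []
    for line in script_text.splitlines():
        match = ADD_USER.match(line.rstrip())
        if match and match.group("rest"):
            cleaned.append(match.group("head"))
        else:
            cleaned.append(line)
    return "\n".join(cleaned)


# Constructed sample; only the ADD USER lines matter to the check.
SAMPLE_SCRIPT = '''\
ADD USER "alice"
ADD USER "bob" "Example-Passw0rd"
add user carol AnotherExample1
SET USER CONTACT "bob" "ext. 1234"
'''

if __name__ == "__main__":
    for lineno, user in find_embedded_passwords(SAMPLE_SCRIPT):
        print(f"line {lineno}: password present for user {user}")
    print(strip_passwords(SAMPLE_SCRIPT))
```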


Navigating Onboard Administrator

Navigation overview

The main OA navigation system consists of two views:

• Tree view: Lists all of the complex devices on the left side of the main page and remains visible at all times.

• Graphical view: Displays a physical picture of the enclosures in the complex.

You can navigate the devices and functions in a complex through either of these views.

Tree view

The tree view aids in navigating individual compute enclosure devices, connected IOXs and functions for all complex compute enclosures in a hierarchical manner. The rendering of the tree view depends on several factors, including user permissions, device availability, and device status. If a user is configured to be an Operator or User, then some options might not be visible in the tree view.

One of the main purposes of the tree view is to enable navigation using categories based on the major systems within the complex. When a category is expanded (by clicking the white plus icon on the blue box to the left of the category), an icon next to the category name can indicate a degraded status of the affected system. In the case of multiple components reporting status, the status icon indicates a cumulative worst-case status of all the devices in the same category.

Individual device pages

Clicking the link for an individual device selects the device, opens the device detail page, and selects the device in the graphical view in the right frame of the GUI. Individual device pages contain detailed information on the selected device and other device-related functions.

Category summary pages

Category summary pages contain summary information for each of the devices in that category. For example, clicking the Device Bays link opens the Device Bay Summary screen. Each parent element in the tree works in this manner. When you click a category summary link, no devices are selected in the graphical view navigation.

System forms pages

Some devices, particularly OA, can have links to various system forms pages listed after their main links in the left tree navigation view. Form pages contain input text boxes, radio buttons, and other HTML input elements and are used to administer settings related to the device to which they belong. For example, you can use the OA system forms page to change IP address settings or update firmware. These forms are linked under the OA parent element. When you click a system forms link, the device to which the form page belongs is selected in the graphical view. For example, clicking the UID State link for the Active OA selects the Active OA device in the graphical view. Links to system forms do not display status icons.

Graphical view navigation

The second component of the OA GUI navigation system is a graphical representation of physical enclosures, called the graphical view. The graphical view consists of two subcomponents: a front view and a rear view.

The following image shows the graphical view of a typical Integrity Superdome X compute enclosure.

Graphical view navigation

Selecting a device

To select a device, click the graphical representation of the device in the front or rear graphical view. When you select a device, its border changes from gray to light blue, indicating that it is the currently selected device. Selecting a device in the graphical view selects the corresponding device in the left navigation tree view. Every time you select a device from any part of the navigation system, the rest of the navigation reflects the device selection event and updates accordingly.

Status reporting

The graphical view reports the status of every device in the enclosure. The status of each device is indicated next to the device by a small status icon. No status icon appears for a device that is working properly and has an OK status. However, all other status codes appear as status icons next to the device. Status icons are used instead of the health LED in the graphical view component images to convey the device status. To provide a consistent and clean GUI interface, the LED displayed by the OA GUI does not always match the actual LED on the hardware. Users should rely on the status icons on the GUI to determine the device health status.

Device security

Although the front and rear graphical views are both affected by user permissions, security on the graphical view is handled differently from the left tree view. If the user does not have the permissions to access a device, a blank bay appears regardless of whether a device is present in that bay, and a padlock icon appears in the bay table cell, indicating that the bay is locked to the current user.

The user cannot select a locked bay. When the user hovers the mouse over the locked bay, a message appears, indicating that the user does not have permission to access devices in that bay.

Minimizing the graphical view

To minimize the graphical view from the main display, click the box with the arrow, located directly to the left of the name of the enclosure in the graphical view box. This minimizes the graphical view and gives more room for the main section of the display. This is useful when viewing the OA on a small monitor or on a monitor with low resolution.

Complex Overview

Complex Overview screen

The Complex Overview screen displays a graphical representation of each compute enclosure in the complex, called the graphical view. The graphical view consists of a front view and a rear view of each enclosure.

The front view shows the presence and status of the following components:

• blades

• bulk power supplies

• the DVD module

The rear view shows the presence and status of the following components:

• PDUs

• X-Fabric Modules

• GPSMs

• OAs

• interconnect modules

• Fans

When you mouse over a device in the graphical view, a window appears with information on that device. The graphical view provides status on each device in the enclosure and gives you the option of selecting an individual device for viewing more detailed information.

NOTE:

Status icons are used instead of the health LED in the component images to convey the component status. Components with an OK status will not have status icons.

Compute Enclosures tab

| Item | Description |
|---|---|
| Enclosure Name | The DNS name of the enclosure and the name of the enclosure in the rack. |
| Enclosure ID | The ID for the enclosure in a multi-enclosure system. |
| Serial Number | The unique serial number of the enclosure. |
| UUID | The Universally Unique Identifier assigned to the enclosure. |
| Part Number | The part number of the enclosure used when getting a new or replacement enclosure. |
| Asset Tag | The tag used for inventory control. |
| UID State | Displays On or Off, depending on whether the UID is active. |
| Insight Display | A link to the Insight Display page of the enclosure. |

To update the complex topology information, click the Refresh Topology button.

Power and Thermal tab

The Power and Thermal tab displays information about the temperature inside each compute enclosure and the thermal and power subsystem health status. A graphical view of the present power and power limit helps you determine the power status.

NOTE:

This information appears only for compute enclosures. Information is not included for IOXs.

Table 2: Compute enclosure cooling requirements

| Item | Description |
|---|---|
| Current Btu/hr | The sum of the amount of heat being generated by the complex enclosures measured in Btu per hour. |
| Max Btu/hr | The maximum amount of heat that can be generated by the complex enclosures under load measured in Btu per hour. |

Table 3: Compute enclosure thermal and power status

| Item | Description |
|---|---|
| Enclosure Ambient Temperature | This box displays the highest ambient temperature being reported by the installed blade devices. If no blade devices are installed, then this box displays the temperature of the OA module as an approximation of the ambient temperature. |
| Thermal Subsystem Status | The overall thermal status of the enclosure. Possible values are Unknown, OK, Degraded, or Critical Error. |
| Power Subsystem Status | The overall power status of the enclosure. Possible values are Unknown, OK, Degraded, or Critical Error. |
| Power Mode | A user setting to configure the enclosure DC power capacity and the input power redundancy mode of the enclosure. See Power Management on page 155 for possible values. |
| Present Power | The amount of watts being consumed by all devices in the enclosure. |
| Power Limit | The maximum amount of power available for consumption by the enclosure measured in watts. |

IMPORTANT:

In a complex with one or more failed power supplies it is possible for attempts to power on servers to fail if the resulting power allocation would result in the Power Redundancy Status becoming Failed. The administrator must explicitly reduce the redundancy setting to enable powering on servers prior to the failed power supplies being serviced. This applies to AC Redundant and Power Supply Redundant power modes.

NOTE:

If redundancy mode is set to AC Redundant, or Power Supply Redundant, and power redundancy is lost, then you must either add additional power supplies or change the redundancy mode setting in the OA to restore Power Subsystem status. See the Insight Display for corrective steps.

NOTE:

The Power Limit is dependent on the enclosure power redundancy setting and the number and location of the power supplies in the enclosure. If a Static Power Limit has been specified, the Power Limit displays that limit.

Complex Information screen

The Complex Information screen has four tabs:

• Status

• Information

• Complex Logs

• Complex CLI

Status tab

The Status tab provides the current operational status of the entire complex and the status of each compute enclosure and IOX in the complex.

| Item | Description |
|---|---|
| Complex Status | The overall health of the complex. Possible values are Unknown, OK, Degraded, and Failed. |
| CAMNET Status | The overall health of the CAMNET fabric in the complex. Possible values are Unknown, OK, Degraded, and Failed. |
| Robust Store Status | The health of the complex Robust Store. Possible values are Unknown, OK, Degraded, and Failed. |
| Cooling Status | The overall health of the cooling systems in the complex. Possible values are Unknown, OK, Degraded, and Failed. |
| Thermal Status | The overall thermal status of the complex. Possible values are Unknown, OK, Degraded, and Failed. |
| Product ID | The overall status of product IDs of all devices in the complex. Possible values are Unknown, OK, Degraded, and Failed. |
| Enclosure ID | The overall status of enclosure IDs of all enclosures in the complex. Possible values are Unknown, OK, Degraded, and Failed. |
| Xfabric Status | The overall status of the Xfabric. Possible values are Unknown, OK, Degraded, and Failed. |

The Complex Status tab displays diagnostic information in the Diagnostic Information table.

| Item | Description |
|---|---|
| Overheat Check | Temperature is above the danger threshold. Possible values are OK or Critical temperature threshold reached. |
| Cooling | The status of the fans in the complex. Possible values are OK or Insufficient fans for enclosure cooling. |
| Device Operational | Indicates whether or not a device has been declared degraded by firmware when status was not requested by the OA. Possible values are OK or Error. (Degraded state is less severe than a failed state.) |
| Device Degraded | Indicates whether or not a device has been declared degraded by firmware when status was requested by the OA. Possible values are OK or Error. |
| Firmware Mismatch | One or more components in the Complex contains firmware that is not compatible with other components in the Complex. |

The Complex Status tab displays general status information about each compute enclosure and IOX in the complex in the Enclosure Status Overview table.

Enclosure Status Overview

| Column | Description |
|---|---|
| Enclosure ID | The assigned number of the compute enclosure in the complex. |
| Enclosure Name | The assigned name of the compute enclosure. |
| Status | The overall health of the compute enclosure. Possible values are Unknown, OK, Degraded, and Failed. |

IOX Status Overview (Superdome 2)

| Column | Description |
|---|---|
| IOX Number | The number of the IOX in the complex. |
| Status | The overall health of the IOX. Possible values are Unknown, OK, Degraded, and Failed. |

Information tab

The Information tab provides general information about the complex and an input box to change the Complex Name.

| Item | Description |
|---|---|
| Product Name | Common descriptive name of the complex |
| Manufacturer | Name of the company that manufactured the complex |
| Original Product Number | The original product number of the complex |
| Current Product Number | The current product number of the complex |
| Serial Number | The unique manufacturer serial number of the complex |
| Universal Unique Identifier (UUID) | The Universally Unique Identifier number assigned to the complex |
| Monarch Enclosure Number | The number of the compute enclosure in the complex designated as the monarch enclosure |
| Number of Enclosures | The total number of compute enclosures in the complex |
| Number of IOXs | The total number of IOXs in the complex |
| Complex Firmware Version | The currently configured firmware bundle version on the complex |

Settings box

The text input box below the Complex Information table enables you to change the Complex Name for the complex. After choosing a Complex Name, to save changes, click the Apply button.

Complex Logs tab

The Complex Logs tab displays links to launch log viewers in new windows. The available log viewers are the System Event Log, Forward Progress Log and the Live Log.

Complex CLI Tab

This tab opens a page that provides a link to launch a Command Line Interface shell on the Monarch OA. Only one CLI session may be launched from the OA GUI. The CLI shell is a separate application launched by the GUI and is displayed in its own separate window.

Complex Information: Firmware Management

This option can be expanded to show links for the following:

• Complex Firmware Summary — see Complex Firmware Summary screen on page 77

• Updating Firmware — see Online complex firmware update

Complex Firmware Summary screen

The Firmware Summary screen displays the current status of firmware in the complex.

Superdome systems support two types of firmware: complex firmware, which must be consistent across all devices in the complex, and partition firmware, which runs on the system processors of server blades. Firmware on the system can be in one of three states:

• Configured — the firmware that should be running on a specific entity.

• Installed — the firmware that is currently installed and will become active on the next boot.

• Active — the version of firmware currently running on the system.

A table with the configured complex firmware version appears at the top of the screen. If any entity within the complex does not have the correct complex firmware, a second table will be displayed indicating which entities have mismatched firmware.

NOTE:

The displayed firmware version will depend on the firmware installed on your system.


Table 4: Complex Firmware information

Item | Description
Configured Complex Firmware Version | The version of the firmware bundle currently configured on the complex.
Enclosure / Bay | The compute enclosure and bay number of the device with mismatched firmware.
Model | The model number of the device.
Installed Version | The currently installed version of the firmware on the device.

Each partition in the complex is displayed after the Complex Firmware, with the version of the firmware currently configured and active on the partition. If any devices within a partition have firmware versions that do not match the currently installed version of the complex firmware on the partition, they are displayed below the partition firmware information.

Table 5: Partition Firmware information

Item | Description
Configured Partition Firmware Version | The version of the firmware bundle currently configured on the partition.
Active Partition Firmware Version | The version of the firmware bundle currently active on the partition. If the partition is not currently booted, the Active firmware version will be displayed as “Unavailable while partition is inactive.” NOTE: The active version of the firmware will not match the configured version if the partition requires a reboot after a firmware update.
Enclosure / Bay | The compute enclosure and bay number of the device with mismatched firmware.
Model | Type of device with mismatched firmware.
Installed Version | The currently installed version of the firmware on the device.
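The Configured / Installed / Active comparison that this screen presents can be reproduced offline when auditing a firmware inventory export. The following Python is an added example, not HPE code: the record layout, the names `Device`, `Partition`, `mismatched`, `partition_summary` and `audit`, and the version strings are constructed for illustration, and comparing a partition's devices against the partition's configured version is an assumption about how the screen decides a mismatch.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Wording the guide says is shown for a partition that is not booted (Table 5).
INACTIVE_TEXT = "Unavailable while partition is inactive"


@dataclass
class Device:
    enclosure: int
    bay: int
    model: str
    installed: str            # Installed: becomes active on the next boot


@dataclass
class Partition:
    name: str
    configured: str           # Configured: what should be running
    active: Optional[str]     # Active: what is running now; None if not booted
    devices: List[Device] = field(default_factory=list)


def mismatched(devices, configured):
    """Rows of the mismatch table: (Enclosure / Bay, Model, Installed Version)."""
    return [(f"{d.enclosure}/{d.bay}", d.model, d.installed)
            for d in devices if d.installed != configured]


def partition_summary(p):
    """Summarise one partition using the fields described in Table 5."""
    return {
        "partition": p.name,
        "configured": p.configured,
        "active": p.active if p.active is not None else INACTIVE_TEXT,
        # A booted partition whose Active version differs from Configured
        # still needs a reboot to pick up the updated firmware.
        "reboot_pending": p.active is not None and p.active != p.configured,
        # Assumption: devices are compared with the partition's configured version.
        "mismatched_devices": mismatched(p.devices, p.configured),
    }


def audit(complex_configured, complex_devices, partitions):
    """Build both views: complex-wide mismatches and a per-partition summary."""
    return {
        "complex_mismatches": mismatched(complex_devices, complex_configured),
        "partitions": [partition_summary(p) for p in partitions],
    }


# Constructed sample inventory; the version numbers are made up.
SAMPLE_COMPLEX_VERSION = "9.9.1"
SAMPLE_DEVICES = [
    Device(1, 1, "ExampleBlade", "9.9.1"),
    Device(1, 3, "ExampleBlade", "9.9.0"),   # was not updated
]
SAMPLE_PARTITIONS = [
    Partition("nPar1", "9.9.1", "9.9.0", [Device(1, 1, "ExampleBlade", "9.9.1")]),
    Partition("nPar2", "9.9.1", None, [Device(1, 3, "ExampleBlade", "9.9.0")]),
]

if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_COMPLEX_VERSION, SAMPLE_DEVICES,
                           SAMPLE_PARTITIONS), indent=2))
```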

Online complex firmware update

IMPORTANT:

Online firmware updates are supported on Integrity Superdome X firmware version 5.73.0 or later. Updating from version 5.73.0 requires an intermediate firmware update to 6.0.42, and then to the latest supported firmware release. See the release notes for the HPE Integrity Superdome X Server Firmware Bundle.

Introduction

Server management capabilities are inactive while an online complex firmware update is in progress. Server management entities throughout the complex must update their own firmware flash ROMs, reboot into the updated firmware images, and reestablish internal communications with each other, so some management services become temporarily unavailable at the server level during the update. The information below describes these server management limitations; it is not a complete listing of all possible consequences that may be encountered during an online complex firmware update.

Superdome 2 firmware updates

Superdome 2 complex firmware bundle version 2.2.27 and HP-UX 11i v3 September 2011 or later support online complex firmware updates. The ability to support online complex firmware updates can dramatically reduce the amount of partition downtime required for a customer to update their Superdome 2 systems to future firmware bundles. Under certain conditions, partition downtime needed to apply a new firmware bundle can even be eliminated entirely. However, there may also be other partition maintenance activities (OS patch installations, for example) to complete during a maintenance window that will involve a partition reboot in order to take effect. Also, firmware updates which include new partition firmware packages (system firmware) will require a partition reboot to activate, but the operator can time that reboot for each nPartition individually to best fit their needs.

NOTE:

Superdome 2 systems running firmware prior to 2.2.27 cannot perform an online complex firmware update. Updating firmware from a release prior to 2.2.27 (1.3.1 for example) must be performed with all partitions taken offline, and the xfabric powered off.

Integrity Superdome X firmware updates

For information about Integrity Superdome X complex firmware and driver updates, see the HPE Integrity Superdome X Service Guide.

Services unavailable

Server management features are unavailable during the process of an online complex firmware update. System firmware will continue to operate and support the OS running on partitions in the complex; however, certain activities may require system firmware to interact with server management firmware, and these operations will not work during the actual process of executing an online complex firmware update. These partition/complex firmware interactions may either be delayed until after the complex firmware update operation has completed, or may be dropped or only partially used. Legacy sx2000 Superdome systems also supported online update of server management entities (MP, ED, PDHC, CLU), and performing such updates held similar consequences for that platform.

The following table shows the major classes of server management services which the OS and applications use during normal runtime and details their availability or unavailability during the online complex firmware update process:

Service | Status during online complex firmware update
Management processor access (for example: power on/off, restart, TOC, console, logs) | Unavailable
IPMI services | Unavailable
Console service to OS | Unavailable, and some character loss is possible if the buffer fills up
System firmware services during boot, shutdown, MCA, INIT and CMC logging operations | Available
Network management services (SD2 has additional services). OS-debugger, HP SIM XML query, HP-SUM SOAP query, WEBES ws-manage events and query. | Unavailable

Management Processor access

When an online complex firmware update is initiated, all current users are disconnected from the OA for the duration of the complex firmware update process. This includes all OA CLI and GUI sessions, with one possible exception: If the operator initiates the firmware update from the CLI, then this session will remain active to allow for tracking the progress of the update for all but the last few minutes. The time it takes for a complex firmware update to complete is highly variable based on system size and complexity (bigger systems take longer), and the number of firmware packages in the bundle which must be updated, but is not expected to exceed 150 minutes under any conditions. Typical firmware updates will take less time to complete.

IPMI

During the process of an online complex firmware update, no IPMI requests can be serviced until the update completes. This means that partition configuration changes, including iCAP changes, will not be allowed. For reference purposes the following IPMI CLI commands are unavailable:

• parcreate
• pardefault
• parremove
• parmodify
• parstatus
• vparcreate
• vparremove
• vparmodify
• vparboot
• vparreset
• vparstatus
• icapmodify
• icapstatus

Event logs

Forward Progress Logs and System Event Logs normally captured by the server management system will not be updated during the firmware update process.

IPMI Watchdog

During the online complex firmware update process, the IPMI watchdog timeout will be disabled. It will be re-enabled when the system wakes up. The OS will discover the watchdog timer has disappeared after the firmware update process has completed, and will recreate it by design.

Partition ID (HP-UX)

For Superdome 2 partitions running HP-UX, the # getconf _CS_PARTITION_IDENT command (which returns HP-UX partition ID), is used for licensing. It is a concatenation of UUID + nPartition # + vPar #. UUID is continuously available from the SMBIOS table. The latter two (nPartition, vPar #s) are obtained using an IPMI call which may fail during the firmware update process. HP-UX caches this information after the very first call to getconf _CS_PARTITION_IDENT, so this command would only fail if it had never been run before the firmware update process began.

For information about how the partition UUID is managed in Integrity Superdome X, see the HPE Integrity Superdome X Service Guide.

Console

When the firmware update is in progress, the OS console cannot be serviced on the server management side. Since all active sessions to the OA CLI and GUI interfaces are closed at the beginning of the firmware update process, the OS console cannot be actively viewed during this process. The OS console is normally a quiet interface with little character traffic; however there are conditions (OS panics, for example) where the character buffer could potentially fill up during the firmware update process. If the console character buffer is full during an active online complex firmware update, new incoming characters will be dropped so the console does not hang on the OS side. This potential for console character loss does not extend to kernel memory (dmesg) or impact the OS syslog or crashdump area in any way, so this should not inhibit OS problem diagnosis in the unlikely event something unexpected occurs at the OS level. The characters captured in the buffer will be drained once the firmware update process completes, and console operation will return to normal.

System firmware services during boot and shutdown

Certain partition events which occur while the OS is running may not be handled if they occur while management firmware is unavailable:

• OS-requested restart (for example: TOC, shutdown -r)

• MCA

• On Superdome 2 systems, HP-UX boot might hang until firmware update completes

In the cases above, the OS shutdown or restart may not complete. The system design does not make any guarantees about successful handling of OS restart, MCA, or boot that occurs during the online complex firmware update process, so Hewlett Packard Enterprise recommends that the operator not attempt to initiate operations like an OS shutdown, boot/reboot, cold installation, patch update, or a Serviceguard cluster reconfiguration request during the online complex firmware update process. Such actions should be performed serially to avoid potential conflict consequences.

All PAL and SAL calls do work during an online complex firmware update, as these commands execute at the partition level and do not access server management resources. The following services are not affected by the online complex firmware update process, and will remain operational:

Get/SET EFI Variables: Calls to get/set EFI variables will work for the OS.

HPET Timer: The HPET timer will not be re-initialized, and this partition resource will remain available throughout the firmware update process.

EFI_SetTime: System firmware will continue to maintain the correct time during an online firmware update.

Error Records: Error records can be generated as a result of INIT, CMC/CPE, and MCA.

• INITs are stored by system firmware in NVRAM, so these records will be available to the OS after restart. They will also be available to CLI errdump once the firmware update completes.

• Logging of CMC/CPE error records is unaffected by a PDHC or OA restart – errors not logged before a restart are saved in hardware and will be logged after the restart.

• MCA logs may be lost during this period; however, system firmware will alert server management that an MCA has occurred once the firmware update completes, and server management will ensure the partition is reset and data integrity maintained.

Affected OS commands

The HP-UX machinfo command can print the firmware versions. This command may malfunction during an active online complex firmware update operation when it attempts to print the BMC firmware version, which is sourced via IPMI.

Network services to OA

All network services provided by the OA are interrupted by the firmware update process. These services include:

• XML inventory query from HP SIM

• WS-MAN partition query from HP SIM and plug-ins

• User interface (ssh, web, telnet) for all OA services

• SOAP request from GiCAP Group Manager, HP SUM

• Kernel debugger connection through OA network port

• Console access through the OA

• Ping, SNMP queries

This is the same as legacy MP or C7000 OA (depending on the protocol) behavior during an update.

Frequently asked questions:

Some sample questions are included below to aid the operator wishing to perform an online complex firmware update.

Can Oracle use IPMI to reset a partition?

Not during the online complex firmware update process.

Do virtual partition reboots proceed during online complex firmware updates?

GWLM tries a number of times and gives up, logs an error, will come back and retry later. Changes won’t happen until it eventually tries later when the firmware update process has completed.

GWLM asks for dynamic resource change (for example, Vparmodify), what happens when it cannot execute for an hour?

GWLM tries a number of times and gives up, logs an error, will come back and retry later. Changes won’t happen until it eventually tries later when the firmware update process has completed.

How does field support debug if something happened during an online complex firmware update?

Kernel memory (dmesg), the OS syslog, and crashdump memory are unaffected, so this will not inhibit debug for OS-related events. The loss of event logs during the firmware update process is unavoidable (as it was on legacy sx2000 Superdome systems), but the SEL will indicate start and finish times for the update process.

What happens if Serviceguard or other cluster software tries to TOC during an online complex firmware update?

If a node tries to TOC itself from an application running on the partition, the partition OS will shut down to a point where it is ready to talk to server management. From an application viewpoint, the system is down. It may or may not automatically restart when the firmware update process completes. The service processor is unavailable during online complex firmware update, so a node cannot successfully TOC another node.

Will agents that require licensing or UUID find that information available during an online complex firmware update?

• System firmware services are largely available during online firmware update

• Machinfo reports system firmware revision, BMC revision, FPSW revision (HP-UX)

• See the Partition ID description under Services unavailable on page 80 for details (HP-UX)

Known issues:

NOTE:

Most of these issues are for HP-UX only.

The following observations are included to help the operator understand how the loss of server management features might be visible from the OS perspective.

hpvminfo command qualifiers fail

The use of certain hpvminfo command qualifiers will return an ioctl error when executed during online firmware update. This may also result in a delay before the results of the command are displayed.

The affected commands include: hpvminfo, hpvminfo -V, and hpvminfo -v.

Newly created HPVM guests cannot be started

Any newly created HPVM guest cannot be started during online firmware update. When you attempt to start the guest, the hpvmstart command will hang at "Initializing Forward Progress Log." The hpvmstart command will complete successfully after the Online Firmware Update has completed.

NOTE:

This issue only pertains to newly created guests that have never been started. Guests that have been started at least once prior to the Online Firmware Update will start without any problems.

Serviceguard Manager performance degradation and proxy errors

Serviceguard Manager may experience some performance degradation or report proxy errors during online firmware update. These issues do not adversely affect the Serviceguard cluster or applications being managed by Serviceguard. If you do receive a message about a proxy error, you can resolve the issue by reloading the page. Performance returns to normal once the online firmware update has completed.

cimserver shutdown and startup fail

The cimserver command will time out when attempting to shut down or start up during online firmware update. Stopping or starting the cimserver process should be performed before or after the online firmware update.

The affected commands include: cimserver -s and cimserver.

cimauth is unable to add authorizations

cimauth will fail to add authorizations during online firmware update. These operations should be performed before or after the online firmware update.

Example of a cimauth command: cimauth -a -u wbem -n root -R -W

cprop command qualifiers fail

The use of certain cprop command qualifiers will report “Connection timed out” when executed during online firmware update.

The affected commands include: cprop -summary -a and cprop -summary -Memory.

SMH is unable to query memory or enclosure information

The SMH is unable to query memory or enclosure information during online firmware update. This information is properly reported before and after the online firmware update.

setboot and related commands are unable to display or modify boot variables

The setboot command is unable to display or modify boot variables during online firmware update. This also impacts any command that calls setboot.

The affected commands include: setboot, drd activate, drd status, vxbrk_rootmir, and vxrootmir.

wbemassist namespace error

wbemassist reports a namespace error when checking the WBEM Server response.

par* and vpar* commands fail

Parcon services are not available during online firmware update. Due to this unavailability, all par* and vpar* commands will fail.

The affected commands include, but are not limited to: parcreate, parmodify, parperm, parstatus,vparcreate, vparmodify, vparstatus, and others.
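A change runbook can be checked before the maintenance window against the commands this section lists as failing or misbehaving during an online firmware update. The following Python script is an added example, not HPE code: the rule table is transcribed from the lists above, while the names `RULES`, `split_commands`, `check_command`, `lint_runbook` and the sample runbook are constructed for illustration.

```python
import fnmatch
import os
import re
import shlex

# (command-name pattern, argument that must be present or None, effect per the guide)
# Note: "par*" and "vpar*" follow the guide's wording and match by prefix, so an
# unrelated command whose name starts with "par" would also be reported.
RULES = [
    ("par*", None, "Parcon services unavailable; par* commands fail"),
    ("vpar*", None, "Parcon services unavailable; vpar* commands fail"),
    ("icapmodify", None, "IPMI requests are not serviced"),
    ("icapstatus", None, "IPMI requests are not serviced"),
    ("hpvminfo", None, "returns an ioctl error, possibly after a delay"),
    ("hpvmstart", None, "hangs for guests that have never been started"),
    ("cimserver", None, "shutdown and startup time out"),
    ("cimauth", "-a", "cannot add authorizations"),
    ("cprop", "-summary", "reports 'Connection timed out'"),
    ("setboot", None, "cannot display or modify boot variables"),
    ("drd", "activate", "calls setboot, which cannot access boot variables"),
    ("drd", "status", "calls setboot, which cannot access boot variables"),
    ("vxbrk_rootmir", None, "calls setboot, which cannot access boot variables"),
    ("vxrootmir", None, "calls setboot, which cannot access boot variables"),
    ("machinfo", None, "may malfunction when printing the BMC firmware version"),
    ("wbemassist", None, "reports a namespace error"),
    ("getconf", "_CS_PARTITION_IDENT", "may fail if never run before the update"),
    ("shutdown", None, "OS shutdown or restart may not complete"),
]

ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def split_commands(line):
    """Split one shell line into simple commands (lists of words)."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for tok in lex:
        # Tokens made only of ; | & ( ) separate one command from the next.
        if tok and all(c in "();|&" for c in tok):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def check_command(words):
    """Return the guide's stated effect for this command, or None if not listed."""
    while words and ASSIGNMENT.match(words[0]):   # skip VAR=value prefixes
        words = words[1:]
    if not words:
        return None
    name, args = os.path.basename(words[0]), words[1:]
    for pattern, needed, effect in RULES:
        if fnmatch.fnmatchcase(name, pattern) and (needed is None or needed in args):
            return effect
    return None


def lint_runbook(text):
    """Return (line number, command, effect) for every listed command found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            commands = split_commands(line)
        except ValueError as exc:                 # for example an unbalanced quote
            findings.append((lineno, line.strip(), f"could not parse: {exc}"))
            continue
        for words in commands:
            effect = check_command(words)
            if effect:
                findings.append((lineno, " ".join(words), effect))
    return findings


# Constructed runbook: steps someone planned to run inside the update window.
SAMPLE_RUNBOOK = """\
# constructed maintenance runbook
/usr/sbin/parstatus
cprop -summary -a | grep -i memory
drd status; setboot
echo "vparstatus is only mentioned here"
uname -a
cimauth -a -u wbem -n root -R -W
echo "unterminated
"""

if __name__ == "__main__":
    for lineno, command, effect in lint_runbook(SAMPLE_RUNBOOK):
        print(f"line {lineno}: {command}: {effect}")
```

Commands that are only mentioned inside a quoted string, such as the `echo` line in the sample, are not reported, and a line that cannot be parsed is reported rather than silently skipped.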

Firmware Update screen

IMPORTANT:

For Superdome 2 systems, you cannot update firmware through the OA GUI if you have complex firmware earlier than firmware bundle 2.2.27.

If you have complex firmware earlier than the firmware bundle 2.2.27, to update complex firmware, see the UPDATE FIRMWARE section in the HPE Integrity Superdome X and Superdome 2 Onboard Administrator Command Line Interface User Guide.

If you select the firmware update link in the left navigation panel, the firmware update selections screen will be displayed.


This screen displays the options available for firmware update:

• Analysis Only — Use this option to display the actions that will be executed by the update. This option will run the analyze update and exit without executing the update. No Firmware will be modified.

• Force Downgrade — Use this option if you are downgrading the firmware to a previous version. The firmware update process will fail if you are downgrading and this option is not selected.

The next table on this screen allows for the selection of the Update Type:

• Update All Firmware — This option will update ALL complex and partition firmware on the system.

• Update Complex Firmware — This option will update only the complex firmware on the system.

• Update nPartition Firmware — This option will update the nPartition firmware for the selected entities.

NOTE:

If Update nPartition Firmware is selected, a new table will appear that allows the selection of unassigned blade resources and existing partitions.

You can select all or one or more partitions or blades from each list. After the update type and targets are selected, you will need to determine if the firmware image being installed is from a URL, located on a USB drive plugged into the DVD module in enclosure 1, or in the archive storage of the monarch enclosure.

IMPORTANT:

To update firmware on a system, you must be an “Administrator” level user assigned access to the partitions which you are attempting to update. Partition firmware update will not be allowed without assigned access to the partition.

Firmware image download

After starting an update, a progress bar showing the progress of the firmware image download will be displayed.

Firmware analysis

When the firmware bundle download completes, the GUI will display a wait bar while the system runs the firmware analysis.

After the system completes the firmware analysis, the GUI will display the analysis results on an analysis page. This page will contain sections that may display notice, warning, and error messages. It will also display the list of partitions and components that will be updated if the analysis was successful.

If the analysis fails, you will not be supplied with further options.

If the Analysis Only option was not selected, then the firmware update will automatically continue after 30 seconds. During this time you will have the option to cancel the update using the Cancel Update button at the bottom of the analysis page.

Update Status

When the firmware update starts, the page will change to display the update status page. This page will show the current status of the update.

The following information will be displayed:

• The status of each component being updated.

• The total number of components that will be updated.

• The number of component updates either completed successfully or failed.

• The estimated time remaining in the update.

IMPORTANT:

When two Itanium processor family partitions share a single IOX, you will have to reboot both partitions in order to use the new firmware.

The interface does not allow two or more concurrent updates. If another user attempts to initiate an update, an alert appears.

Enclosure DVD Module screen

The DVD module in a compute enclosure can be used by a partition to perform software installations and updates in the same manner as a standard DVD drive is used in a computer system locally or remotely.

The DVD module is not connected to any partitions in the complex after initial installation. To use the DVD drive, an administrator must first connect the DVD module to any or all partitions through the OA CLI or by navigating to the Complex nPartitions menu and selecting the Virtual Devices tab.

For more information for Superdome 2, see the HP Superdome 2 Partitioning Administrator Guide. For more information for HPE Integrity Superdome X, see the HPE Integrity Superdome X Service Guide.

Status and Information tab information

Item | Description
Status | Current status of the DVD module. Possible values are OK, Degraded, or Not Present.
Product Name | The common descriptive name of the DVD module.
Manufacturer | The name of the company that manufactured the DVD module.
Serial Number | The unique serial number of the DVD module.
Part Number | The part number to use when ordering an additional DVD module of this type.
Spare Part Number | The part number to use when ordering a replacement DVD module of this type.
Engineering Date Code | Manufacturing information about the DVD module.

Diagnostic Information

Item | Description
Device Identification Data | Contains information on model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. Device identification data error displays if the data is not present or not readable by the OA.
Power Allocation Request | There is insufficient power to adequately power the DVD module. Possible values are OK or Insufficient enclosure power.
Device Operational | Status of the DVD module. Possible values are OK or Error.
Partner Device Presence | Not applicable for Superdome 2 or Integrity Superdome X systems. This line will always display OK.
Device Indictment | Indicates if the device has been indicted by the Superdome Analysis Engine.

Configuring compute enclosures and enclosure devices

Viewing the status screens

Each compute enclosure in the complex can be selected from the left navigation tree. Clicking the enclosure name opens the main status screen of the enclosure.

On this page, four tabs are available at the top of the main page:

• Status

• Information

• Virtual Buttons

• Component Firmware

The Status tab displays one of the following values as Overall Enclosure Status:

• Critical/Failed

• Major

• Minor/Degraded

• Warning

• Normal/OK

• Disabled

• Unknown

• Informational

The Active HPE Superdome Onboard Administrator Status and Standby HPE Superdome Onboard Administrator Status are similar to the Overall Enclosure Status and display a status for the OA. If a Standby OA is not present in the system, its status value is Absent.

Enclosure Power Mode displays the current power mode of the enclosure. The following values are possible:

• AC Redundant

• Power Supply Redundant

• Not Redundant

The Enclosure Device Status Overview is divided into six sections:

• Device Bay Overview

• Interconnect Overview

• XFM Bay Overview

• GPSM Overview

• Power Subsystem

• Thermal Subsystem

For each of these sections, the following values are possible:

• Critical/Failed

• Major

• Minor/Degraded

• Warning

• Normal/OK

• Disabled

• Unknown

• Informational

Enclosure information

Enclosure Status

This section provides detailed procedures to configure the management functionality provided by the OA.

Select the tree view menu item Enclosure Information to view the enclosure Status screen.

Enclosure Status tab

Table 6: Status information

Item | Description
Enclosure Status | The overall status of the enclosure. Possible values are Unknown, OK, Degraded, N/A, or Critical Error.[1]
Active OA Status | The overall status of the active OA. Possible values are Unknown, OK, Degraded, and Failed.
Standby OA Status | The overall status of the standby OA. Possible values are Absent, Unknown, OK, Degraded, and Failed.
Power Mode | The power redundancy mode. Possible values are AC Redundant, Power Supply Redundant, Not Redundant, or Unknown. For information on these modes, see the user guide for your system.

[1] The enclosure status appears as N/A if the Enable Extended Data or GUI Login Page setting is disabled. This setting is accessible at Enclosure Settings > Network Access > Anonymous Data.

Diagnostic information

Diagnostic information is gathered by polling a device microcontroller (resulting in a degraded status if a failure has occurred), or is sent by the device microcontroller, without being polled to report a failure.

Item | Description
Device Identification Data | Contains information on model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. Device identification data error displays if the data is not present or not readable by the OA.
Overheat Check | Temperature is above the danger threshold. Possible values are OK or Critical temperature threshold reached.
Device Operational | Possible values are OK or Error. View the syslog for errors. Possible reasons for the error are mismatched firmware or a software or hardware failure.
Device Degraded | Indicates whether or not a device has failed when status was requested by the OA. Possible values are OK or Error.
Management Buses | Management bus status.
Redundancy | Possible values are OK or Error. An error indicates the redundant OAs are having problems syncing up. Check the syslog for errors. Possible reasons for the error are mismatched firmware or a software or hardware failure.
DVD | DVD connection status.
Blades | Blade status.
Device Indictment | Indicates if the device has been indicted by the Superdome Analysis Engine.

Table 7: Subsystems and Devices information

Table | Description
Device Bay Overview: All Device Bays | The overall status of all device bays. Possible values are Unknown, OK, Degraded, and Failed.
Interconnect Bay Overview: All Interconnect Bays | The overall status of the interconnect bays. Possible values are Unknown, OK, Degraded, and Failed.
XFM Bay Overview: All XFM Bays | The overall status of the XFM bays. Possible values are Unknown, OK, Degraded, and Failed.
GPSM Bay Overview: All GPSM Bays | The overall status of the GPSM bays. Possible values are Unknown, OK, Degraded, and Failed.
Power Subsystem: System Status | The overall status of the Power Subsystem of the enclosure. Possible values are Unknown, OK, Degraded, and Failed.
Thermal Subsystem: System Status | The overall thermal status of the enclosure. Possible values are Unknown, OK, Degraded, and Failed.

NOTE:

If any subsystem contains a component with a status other than OK, all components of that subsystem with a status other than OK are displayed inline.


Enclosure Information tab

Hardware information

Item | Description
Part | The general description of the enclosure component
Model | The model name of the enclosure component
Manufacturer | The name of the company that manufactured the enclosure component
Serial Number | The unique serial number of the enclosure component
Part Number | The part number to be used when ordering an additional enclosure component
Spare Part Number | The part number to be used when ordering a replacement enclosure component

Changing settings

You can change enclosure settings from this screen. To save the settings after making the changes, click the Apply button.

Item | Possible value | Description
Enclosure Name | 1 to 32 characters including all alphanumeric characters, the dash (-), and the underscore (_) | The name of the selected enclosure
Rack Name | 1 to 32 characters including all alphanumeric characters, the dash (-), and the underscore (_) | The name of the rack in which the enclosure is installed
Asset Tag | 0 to 32 characters including all alphanumeric characters, the dash (-), and the underscore (_) | The asset tag is used for inventory control. The default asset tag is blank.

Virtual Buttons tab

To change the state of the enclosure UID, click the Toggle On/Off button. The enclosure UID is located to the left of the enclosure link-down port.

AlertMail

AlertMail enables users to receive system events by email instead of using SNMP traps. AlertMail is completely independent from SNMP, and both can be enabled at the same time. AlertMail uses standard SMTP commands to communicate with an SMTP-capable mail server. The "Reply To" address for each email sent by AlertMail is <Enclosure Name>@<Alert Sender Domain>. To enable the AlertMail feature, select the Enable AlertMail check box.

To test the AlertMail function:

1. Be sure that the email address, alert sender domain, and SMTP server settings are correct.

2. Select the Send Test AlertMail button.

3. To confirm that the test completed successfully, verify the recipient email account.


NOTE:

The Alert Sender Domain might not be required. The information in this box depends on the mail server setup.

Box | Possible value | Description
E-mail address | <account>@<domain> | A valid email address for the administrator or other designated individual receiving the AlertMail
Alert Sender Domain | A character string including all alphanumeric characters and the dash (-) | The domain in which the OA resides
SMTP Server | ###.###.###.### where ### ranges from 0 to 255 | An IP address for the SMTP server

To enable the AlertMail feature:

Procedure

1. Select the Enable AlertMail check box to enable the AlertMail feature.

2. Enter values for the email address, alert sender domain, and SMTP server.

3. Click the Apply button to save the settings.

AlertMail, if enabled, sends alerts by email for the following events:

• Enclosure status change

• Enclosure information change

• Fan status change


• Fan inserted

• Fan removed

• Power supply status

• Power supply inserted

• Power supply removed

• Power supply overload

• Blade inserted

• Blade removed

• Blade status

• Blade thermal condition

• Blade fault

• Blade information change

• Tray status change

• Tray reset

• Switch connect

• Switch disconnect

All e-mails have the following header:

From: Enclosure ENCLOSURE-NAME <enclosure-name@serverdomain>
Date: Date in standard format
Subject: HP AlertMail-SEQ: <SEVERITY> SUBJECT
To: RECEIVER MAILBOX

Where <SEVERITY> is one of the following (from highest to lowest):

• # FATAL

• # CRITICAL

• # WARNING MAJOR

• # WARNING MINOR

• # WARNING

• # NORMAL

Each subject line contains a unique sequence number to easily identify the order of events in case the mail server distributes them in the wrong order. Sequence numbers range from 0 to 999 and restart at 0.

The mail body is used to give more detailed information regarding the event issued. The mail body also contains information on what the user must do to correct any issue and what the current enclosure status is.


NOTE:

The enclosure status is displayed as the status at the time when the event is processed. This can cause the status to show up as OK in an email saying a fan has failed if the user replaced the fan at the time the event is sent out by AlertMail.

Sample email

Subject: HP AlertMail-010: (CRITICAL) Power Supply #1: Failed
Date: Wed, 23 Apr 2006 15:02:22 +0200
From: Enclosure EM-00508BEBA571 <[email protected]>
To: user@domain
X-OS: HP Superdome 2 Enclosure Manager
X-Priority: 1
Content-Type: text/plain; charset=us-ascii

EVENT (26 May 07:09): Power Supply #1 Status has changed to: Failed.

Enclosure, EM-00508BEBA571, has detected that a power supply in bay 1 has changed from status OK to Failed.

The power supply should be replaced with the appropriate spare part. You can ensure that the center wall assembly is operating correctly by swapping the two power supplies. Make sure that there are no bent pins on the power supply connectors before reinserting and that each power supply is fully seated.

An amber LED on the power supply indicates either an over-voltage, over-temperature, or loss of AC power has occurred. A blinking LED on the power supply indicates a current limit condition.

Enclosure Status: Degraded
Enclosure Management URL: https://16.181.75.213/

- PLEASE DO NOT REPLY TO THIS EMAIL -
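The subject-line format and the 0 to 999 sequence counter described above can be used on the receiving side to restore event order and spot alerts that never arrived. The following is an added example, not code from HPE: the function names, the constructed sample messages, and the example.invalid addresses are assumptions, and the ordering assumes one batch covers fewer than 1000 events.

```python
import re
from email import message_from_string

# Severity names listed for the AlertMail subject line, highest first.
SEVERITIES = ["FATAL", "CRITICAL", "WARNING MAJOR", "WARNING MINOR",
              "WARNING", "NORMAL"]
SEQ_MODULUS = 1000  # sequence numbers run from 0 to 999, then restart at 0

# The header template writes <SEVERITY>; the sample email writes (CRITICAL).
# Both bracket styles are accepted.
SUBJECT_RE = re.compile(
    r"^HP AlertMail-(?P<seq>\d{1,3}):\s*[<(](?P<sev>[A-Z ]+)[>)]\s*(?P<text>.*)$")
STATUS_RE = re.compile(r"^Enclosure Status:\s*(\S+)", re.MULTILINE)


def parse_alert(raw):
    """Return a dict for one AlertMail message, or None if it does not match."""
    msg = message_from_string(raw)
    m = SUBJECT_RE.match((msg["Subject"] or "").strip())
    if not m or m.group("sev") not in SEVERITIES:
        return None
    status = STATUS_RE.search(msg.get_payload())
    return {
        "seq": int(m.group("seq")),
        "severity": m.group("sev"),
        "rank": SEVERITIES.index(m.group("sev")),  # 0 = most severe
        "text": m.group("text"),
        # Status at the time the event was processed, which may already
        # differ from the state the subject line reports.
        "enclosure_status": status.group(1) if status else None,
    }


def order_by_sequence(alerts):
    """Sort alerts into send order, allowing for the 999 -> 0 restart.

    The oldest alert is taken to be the one that follows the widest
    circular gap in the observed sequence numbers.
    """
    if not alerts:
        return []
    seqs = sorted({a["seq"] for a in alerts})
    start, widest = seqs[0], -1
    for prev, cur in zip(seqs[-1:] + seqs[:-1], seqs):
        gap = (cur - prev) % SEQ_MODULUS
        if gap > widest:
            start, widest = cur, gap
    return sorted(alerts, key=lambda a: (a["seq"] - start) % SEQ_MODULUS)


def missing_sequences(ordered):
    """Sequence numbers skipped between consecutive alerts in send order."""
    missing = []
    for prev, cur in zip(ordered, ordered[1:]):
        step = (cur["seq"] - prev["seq"]) % SEQ_MODULUS
        missing.extend((prev["seq"] + i) % SEQ_MODULUS for i in range(1, step))
    return missing


def make_mail(seq, severity, text, status):
    """Build a constructed message in the layout of the sample email."""
    return (
        f"Subject: HP AlertMail-{seq:03d}: ({severity}) {text}\n"
        "From: Enclosure EM-EXAMPLE <em-example@example.invalid>\n"
        "To: user@example.invalid\n"
        "Content-Type: text/plain; charset=us-ascii\n"
        "\n"
        f"EVENT: {text}\n"
        f"Enclosure Status: {status}\n"
    )


# Constructed sample, listed in the (wrong) order the mail server delivered it.
SAMPLE_MAILS = [
    make_mail(0, "NORMAL", "Power Supply #1: OK", "OK"),
    make_mail(999, "CRITICAL", "Power Supply #1: Failed", "Degraded"),
    make_mail(2, "WARNING", "Fan #3: Degraded", "Degraded"),
    make_mail(998, "NORMAL", "Blade #4: Inserted", "OK"),
]

if __name__ == "__main__":
    ordered = order_by_sequence([parse_alert(m) for m in SAMPLE_MAILS])
    for a in ordered:
        print(f'{a["seq"]:03d} {a["severity"]:<13} {a["text"]}')
    print("never received:", missing_sequences(ordered))
```

A skipped number reported by `missing_sequences` is a prompt to check the OA syslog or the mail path for the event that did not arrive.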

Date and Time

NOTE:

The RTC in an nPartition is synced to OA time when the nPartition is rebooted. If you change the time on the OA, it may affect the RTC on the nPartition. Hewlett Packard Enterprise recommends that you use NTP for both the OS and OA and also configure the NTPDATE_SERVER variable in /etc/rc.config.d/netdaemons at OS startup. This is the most reliable setting for accurate OA, nPartition, and OS time.

Static date and time settings

The date and time are static and not updated in real-time. The date and time can only be set when NTP is disabled.


Box | Possible value | Description
Date | yyyy-mm-dd (mm is an integer from 1 to 12; dd is an integer from 1 to 31) | The date assigned to the enclosure
Time | hh:mm:ss (24-hour time, ss is optional; hh is an integer from 0 to 23; mm is an integer from 0 to 59; ss is an integer from 0 to 59) | The time assigned to the enclosure
Time Zone | Time zone settings: Universal time zone settings; Africa time zone settings; Americas time zone settings; Asia time zone settings; Oceanic time zone settings; Europe time zone settings; Polar time zone settings | The time zone assigned to the enclosure

NTP settings

To enable this feature, select Set time using an NTP server.

NOTE:

For accurate OA date and time, Hewlett Packard Enterprise recommends using a stable and accurate NTP server with a GPS receiver for the time source, or running at a higher level in the NTP time server hierarchy.


Box | Possible value | Description
Primary NTP Server | DNS name or ###.###.###.### where ### ranges from 0 to 255 | DNS name or IP address of primary NTP server that provides date and time information.
Secondary NTP Server | DNS name or ###.###.###.### where ### ranges from 0 to 255 | DNS name or IP address of secondary NTP server that provides date and time information.
Time Zone | Time zone settings: Universal time zone settings; Africa time zone settings; Americas time zone settings; Asia time zone settings; Oceanic time zone settings; Europe time zone settings; Polar time zone settings | The time zone assigned to the enclosure

To save the settings, click the Apply button.

Enclosure TCP/IP Settings

This screen displays the current enclosure TCP/IP settings for the Active OA and enables you to change the following settings:

• Enclosure IP Mode — The Enclosure IP Mode ensures all management applications point to the active OA of the enclosure, using a single static IP address. This mode is for enclosures with an active and standby OA. When the standby OA takes over the role of the active OA, the OA assumes the IP address of the previous active OA. This ensures the Enclosure IP Mode IP address is consistently pointing to the active OA.

The Enclosure IP Mode requires the active OA to have a static IP address. Before enabling Enclosure IP Mode, you must configure a static IP address for the Active OA. The standby OA can be configured for DHCP or static IP settings. This mode is optional and is disabled by default.

The transition times from standby to active and active to standby vary, depending on the configuration, enclosure population, and various other factors. The transition of standby to active can take several minutes. The transition of the previous active to standby will take longer.

IMPORTANT:

Replace the standby OA only while the enclosure is powered on to be sure that the Enclosure IP Mode settings are not changed.

To ensure that the Enclosure IP Mode setting is not changed when removing an OA module from the enclosure, do not remove the module while it is in the failover transition phase (about six minutes after a failover). After you remove a module, to ensure that all settings are transferred to the Standby module, add a replacement module and leave it in place for five minutes. If both the Active and Standby OA modules are powered off or removed from the enclosure at the same time, the Standby OA returns to the default network settings and all manually configured static network addresses are lost.

Active and Standby Onboard Administrator Network Settings

The OA allows network configuration to be based either on dynamically assigned IP addresses obtained from a DHCP server or on static IP addresses that you specify manually. You choose the basis for network configuration by selecting either the DHCP radio button or the Static IP Settings radio button. If you select DHCP, you can enable Dynamic DNS.

NOTE:

Changing network settings on the OA that you are signed in to might disconnect you from that OA, in which case after you apply settings, you must sign in to the OA again.

• DHCP — Obtains the IP address for the OA from a DHCP server

• Enable Dynamic DNS — With DHCP enabled, Dynamic DNS allows you to use the same host name for the OA over time, although the dynamically assigned IP address might change. The host name is registered with a DNS server. Dynamic DNS updates the DNS server with new or changed records for IP addresses.

• Static IP Settings — Enables you to manually set up static IP settings for the OA

Box | Possible value | Description
DNS Host Name | Can be 1 to 32 characters including all alphanumeric characters and the dash (-) | The DNS Name of the OA. The DNS host name can be assigned when using either DHCP or static IP settings. Changing the OA DNS Name could cause a host name mismatch on the SSL certificate. You may have to update the certificate information on the affected OA, using the Active OA Certificate Administration screen (Certificate Administration on page 120) or the Standby OA Certificate Administration screen as appropriate.
MAC Address | This is an informational box and cannot be changed | The OA MAC address
IP Address | ###.###.###.### where ### ranges from 0 to 255 | Static IP address for the OA (required if static IP settings is selected)
Subnet Mask | ###.###.###.### where ### ranges from 0 to 255 | Subnet mask for the OA (required if static IP settings is selected)
Gateway | ###.###.###.### where ### ranges from 0 to 255 | Gateway address for the OA (required if static IP settings is selected)
DNS Server 1 | ###.###.###.### where ### ranges from 0 to 255 | The IP address for the primary DNS server
DNS Server 2 | ###.###.###.### where ### ranges from 0 to 255 | The IP address for the secondary DNS server


OA can employ up to two DNS servers for lookups, either static or DHCP assigned, but not both.

Click Apply to save new or changed settings.

NIC settings

• Auto-Negotiate — Automatically configures the best link. This is the default setting. This option supports a NIC speed of 10 Mb/s, 100 Mb/s, or 1000 Mb/s. The 1000 Mb/s setting is only available when you select Auto-Negotiate.

• Forced Full Duplex — Enables you to manually specify which settings the external NIC uses when trying to establish a link. OA does not verify that the forced Ethernet settings are valid on the network. The loss of communications can occur if the wrong or incompatible settings are used. Forced settings take effect 3 seconds after enabling or disabling the settings. The forced option supports only NIC speeds of 10 Mb/s or 100 Mb/s.

• NIC Speed — Selects a NIC speed of 10 Mb/s or 100 Mb/s.

To save the new settings, click the Apply button.

Network Access

In this section, an administrator can configure settings relating to network access to the OA. These settings are specific to the enclosure and do not affect the network configurations for server blades.

The Protocol Restrictions subcategory is used to restrict access to the OA. Up to six protocol settings can be selected to allow or restrict access to the OA. An Enforce Strong Encryption option is also included.

• Enable Web Access (HTTP/HTTPS) — This check box is selected by default. Clearing this check box disables HTTP/HTTPS access to the OA. Port 80 is used for HTTP and port 443 is used for HTTPS.

CAUTION:

Disabling Web Access (HTTP/HTTPS) disconnects all users attached to the OA through HTTP/HTTPS, including the administrator.

• Enable Secure Shell — This check box is selected by default. Clearing this check box disables Secure Shell connections to the OA. Secure Shell is disabled when Two-Factor Authentication is enabled. Disabling Two-Factor Authentication does not automatically re-enable Secure Shell. To re-enable Secure Shell, you must select the check box and then click Apply. Port 22 is used.

• Enable Telnet — This check box is selected by default. Clearing this check box disables Telnet connections to the OA. Telnet is disabled when Two-Factor Authentication is enabled. Disabling Two-Factor Authentication does not automatically re-enable Telnet. To re-enable Telnet, you must select the check box and click Apply. Port 23 is used.

NOTE:

Telnet is disabled after a factory reset or when Two-Factor Authentication is enabled.

• Enable XML Reply — This check box is selected by default. Selecting this check box enables XML data to be shared between the OA and other Hewlett Packard Enterprise management tools such as HPE Systems Insight Manager. To display the information that is shared by the OA if this protocol is enabled, click View.

• Enable WS-Management — Selecting this check box enables the WS-Management connections to the OA. WS-Management is enabled by default.

To save the settings, click the Apply button.

Login Banner

Enabling the Login Banner option requires OA users to acknowledge the banner text before they can log in.

Enable Display of Banner on User Login — Select this check box to enable the Login Banner option. Acknowledgment of the Login Banner text provides access to all systems connected to the primary Onboard Administrator.

Banner Text — The field size is limited to 1,500 printable characters, excluding the % and \ characters. While spaces and line feeds are accepted, using only white space characters within this text field is not allowed.

NOTE:

The Login Banner accepts English (ASCII) characters only.

Apply — Click to validate the Banner Text field. If the Banner Text field is empty or contains only white space characters, but the Enable Display of Banner on User Login check box is selected, you are prompted to disable this feature.

Trusted Hosts tab

The Trusted Hosts subcategory is used to restrict access to the OA to only the hosts that are listed. When enabled, this protocol allows access to the OA only from listed hosts.

This subcategory contains one dialog box, one entry box, and one display box, which, if enabled, is used to list trusted IP addresses.

The Enable IP address access restriction check box is not selected by default. Selecting this check box allows only those IP addresses listed as Trusted Addresses to connect to the OA.

CAUTION:

Enabling IP address access restriction without first entering the user IP address in the Trusted Addresses list disconnects the user from the OA.

CAUTION:

When using the Trusted Hosts feature in an environment with multiple enclosures connected via enclosure link cables, ensure that all linked enclosures have the same Trusted Hosts settings. Linked enclosures that do not have the same Trusted Hosts settings may allow a web GUI user to access a protected enclosure from a non-trusted client.

The Trusted Addresses box is used to enter the IP addresses of all hosts that are to be trusted and allowed to connect remotely to the OA through the protocols set up in the Protocol Restrictions subcategory. This box allows for IP addresses only.

Under the Trusted Addresses box is the list box of all trusted IP addresses, if trusted IP addresses are configured.


• To add a trusted host, enter the IP address in the Trusted Addresses box, and then click Add. You can add a maximum of five Trusted Addresses.

• To remove a trusted host, select the IP address in the Trusted Addresses list, and then click Remove.

• To save the settings, click the Apply button.

Anonymous Data tab

Enable Extended Data on GUI Login Page — This check box is selected by default. Clearing this check box disables the "+" functionality in the topology view on the login page for this enclosure. Disabling the extended data on the GUI login page prevents unauthenticated users from viewing additional information. To prevent additional information from appearing for each linked enclosure, you must clear this check box for each enclosure.

To save the settings, click the Apply button.

NOTE:

For Superdome 2 SD2–32s systems, Anonymous Data must be enabled for proper operation of the OA GUI. Do not clear the Enable Extended Data on GUI Login Page check box on Superdome 2 SD2–32s systems.

Link Loss Failover

This screen enables you to configure automatic OA redundancy failover based on network link status. For Link Loss Failover to function correctly, the redundancy status of the OAs must be OK. An OK status means that both OAs have the same firmware version, and that they are communicating properly.

Enable Link Loss Failover — This check box enables or disables automatic Link Loss Failover.

Failover Interval — The failover interval is the amount of time the active OA must be without a link on the external Ethernet interface before the system considers an automatic failover. The interval must be between 30 and 86400 seconds.

To save the settings, click the Apply button.

Enclosure Bay IP Addressing

The Enclosure Bay IP Addressing (EBIPA) screens allow you to configure fixed addresses for OA enclosure bays. The EBIPA feature helps to provision a fixed IP address based on bay number, which preserves the IP address for a particular bay even if a module is hot-replaced. The management interface for components plugged into the bays must be set for DHCP and can only be used if the devices are set to boot from DHCP. If a device is configured for static IP, then it must be manually reconfigured to DHCP to change the EBIPA IP address.

The OA GUI lists the IP address for the server blade iLO bay and interconnect module management bay.

The server blade iLO bays and interconnect module management bays can obtain IP addresses on the management network in the following ways:

• DHCP address — The server blade iLO defaults to DHCP addressing, through the network connector of the active OA. Interconnect modules that have an internal management network connection to the OA may also default to the DHCP address.

• EBIPA — When a server blade or interconnect module is inserted into a bay that has EBIPA enabled, that management port will receive the specific static IP address from the OA if that device is configured for DHCP.


There is an important difference between the network the complex is connected to and the management network that the OA uses. Enclosure Bay IP Addressing is used to assign IP addresses to the iLO processors that are bridged through the OA and must not be confused with port mapping for the server blade NICs or for network routers or switches. EBIPA does not assign IP addresses for any other device on the network, and cannot be used as a DHCP server on the network.

TIP: Link-local addresses:

To save IP addresses, link-local addressing can be used. Link-local IP addresses can be assigned to blades, iLOs, and interconnect bays within an enclosure. Link-local addresses are intended only for use within a segment of a network and can be used for network configurations that do not require allocated IP addresses on the network.

As a best practice Hewlett Packard Enterprise recommends the following rules for assigning iLO IP addresses:

• The Monarch Npar IP address should be assigned using EBIPA/DHCP.

• Do not use iLO interfaces to assign iLO static IP addresses.

• Auxiliary blades should be assigned using link-local addressing to save IP addresses. BL920s Gen8 and Gen9 Auxiliary blades will automatically be assigned link-local addresses and cannot be assigned public addresses.

• All IP addresses, with the exception of address ranges 169.254.x.y and 10.254.x.y (reserved for internal management network), are supported as long as they are not duplicated. In addition, all the IP addresses must be within the same subnet defined by netmask and IP address so that all OAs as well as all iLOs fit into that subnet.

For more information on setting up link-local addresses, see the HPE Integrity Superdome X and Superdome 2 Onboard Administrator Command Line Interface User Guide.

The administrator sets an independent range for server blade bays and interconnect module bays using the OA EBIPA setup wizard. The first address in a range is assigned to the first bay and then consecutive bays through the range.

To set up your enclosure without an active network connection using EBIPA:

Procedure

1. Configure a static IP for each OA using the Insight Display, and note the active OA Service IP address on the Insight Display Enclosure Info screen. Attach the client PC to the enclosure Service Port (enclosure Link Up connector) between the OA bays with a standard Ethernet patch cable. The client PC NIC must be configured for DHCP because it gets an IP address in the range of approximately 1 minute later.

2. Launch a web browser (or alternatively a Telnet or Secure Shell session), and select the OA Service IP address as displayed in the enclosure Insight Display on the Enclosure Info screen.

3. Log into the OA as Administrator, using the administrative password attached to the active OA.

4. While the First Time Setup Wizard is running (alternately, after first time setup you can change the EBIPA settings in the Enclosure Settings list), enable Device Bay EBIPA with a starting fixed IP address and enable Interconnect Bay EBIPA with a different starting IP address. The OA then creates 16 sequential IP addresses for the device bays and eight sequential IP addresses for the interconnect bays. Servers in the device bays will automatically get the Device Bay EBIPA addresses within a minute, but the interconnect switch modules must be manually restarted by clicking the Virtual Power button on each OA Interconnect Module Information screen.

5. Use the OA Device list to be sure that the server blade iLO addresses have been set according to the EBIPA starting IP address and range.
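Before entering starting addresses in the wizard, the two ranges can be checked offline against the rules stated above: consecutive assignment from the first bay, no duplicates, everything in one subnet, and nothing in 169.254.x.y or 10.254.x.y. The following is an added planning example, not HPE code: the function names are hypothetical and the 192.0.2.x values are constructed sample addresses.

```python
import ipaddress

# Ranges the guide reserves for the internal management network.
RESERVED = [ipaddress.ip_network("169.254.0.0/16"),
            ipaddress.ip_network("10.254.0.0/16")]
DEVICE_BAYS = 16        # sequential addresses the OA creates for device bays
INTERCONNECT_BAYS = 8   # sequential addresses for interconnect bays


def plan_range(start, count):
    """First address goes to bay 1, then consecutive bays through the range."""
    first = ipaddress.IPv4Address(start)
    return {bay: first + (bay - 1) for bay in range(1, count + 1)}


def check_plan(netmask, oa_addresses, device_start, interconnect_start):
    """Return (device_map, interconnect_map, problems) for a proposed plan.

    The subnet is the one defined by the netmask and the device bay starting
    address; OA addresses and both bay ranges must fit inside it.
    """
    subnet = ipaddress.ip_network(f"{device_start}/{netmask}", strict=False)
    device = plan_range(device_start, DEVICE_BAYS)
    interconnect = plan_range(interconnect_start, INTERCONNECT_BAYS)

    entries = [(f"OA {i}", ipaddress.IPv4Address(a))
               for i, a in enumerate(oa_addresses, 1)]
    entries += [(f"device bay {b}", a) for b, a in device.items()]
    entries += [(f"interconnect bay {b}", a) for b, a in interconnect.items()]

    problems, seen = [], {}
    for label, addr in entries:
        if addr not in subnet:
            problems.append(f"{label}: {addr} is outside {subnet}")
        if any(addr in net for net in RESERVED):
            problems.append(f"{label}: {addr} is in a reserved range")
        if addr in seen:
            problems.append(f"{label}: {addr} duplicates {seen[addr]}")
        else:
            seen[addr] = label
    return device, interconnect, problems


if __name__ == "__main__":
    # Constructed plan: the interconnect range starts inside the device range.
    dev, ic, issues = check_plan("255.255.255.0",
                                 ["192.0.2.10", "192.0.2.11"],
                                 "192.0.2.20", "192.0.2.30")
    print("device bay 16 ->", dev[16])
    for line in issues:
        print("PROBLEM:", line)
```

Starting the interconnect range at 192.0.2.40 instead clears the six duplicate findings, because device bay 16 ends at 192.0.2.35.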

Device list

Column | Description
Bay | The bay in the enclosure of the device.
Enabled | Enables EBIPA settings for the device bay. EBIPA settings for all device bays can be enabled by selecting the check box next to Enabled in the heading row or individual device bays can be selected by clicking the check box for that particular device bay.
EBIPA Address | The static IP address you want to assign to the device bay.
Autofill | Assigns consecutive IP addresses for the selected device bays below in the device list. Click the autofill down arrow to assign the IP addresses.
Current Address | The current IP address of the device bay.
Device Type | The type of device installed in the device bay.

Knowing your network configuration before setting up EBIPA ensures an easy setup and enables you to install your OA on to your network quickly. Record the information requested in the boxes on the EBIPA screen, and verify before entering the data. Use only the possible values listed in the following table.

Interconnect list

Box | Possible value | Description
Subnet Mask | ###.###.###.### where ### ranges from 0 to 255 | Subnet mask for the device bays
Gateway | ###.###.###.### where ### ranges from 0 to 255 | Gateway address for the device bays
Domain | A character string with a maximum of 64 characters, including all alphanumeric characters and the dash (-) | Domain name for the device bays
DNS Server 1 | ###.###.###.### where ### ranges from 0 to 255 | The IP address for the primary DNS server
DNS Server 2 | ###.###.###.### where ### ranges from 0 to 255 | The IP address for the secondary DNS server
DNS Server 3 | ###.###.###.### where ### ranges from 0 to 255 | The IP address for the tertiary DNS server

SNMP Settings

The OA supports SNMP Version 1 and several groups from the standard MIB-II MIB. Additional information about the enclosure infrastructure is available in the HPE Rack Information MIB. CPQRACK-MIB, which is part of the Insight Management MIBs, is available on the Management CD in the Superdome Essentials Foundation Pack.

The SNMP Settings screen enables you to enter system information and community strings and designate the management stations that can receive SNMP traps from the OA. If you select Enable SNMP, then the OA responds to SNMP requests over UDP port 162. Port 162 is the standard UDP port used to send and receive SNMP messages.

System Information settings

In the System Information subcategory, information about the OA SNMP system can be enabled and configured.


The Enable SNMP check box is not selected by default. When enabled, the OA can be polled for status and basic information. The SNMP client can only clear SNMP alerts and status when the Write Community string is enabled. Clearing the Enable SNMP check box disables SNMP access to the OA.


Box | Possible value | Description
System Location | 0 to 20 characters including all alphanumeric characters, the dash (-), the underscore (_), and the space | The SNMP location of the enclosure, typically used to identify the physical or topographical location of the OA.
System Contact | 0 to 20 characters including all alphanumeric characters, the dash (-), the underscore (_), and the space | The name of the system contact, used to identify an individual or group of individuals who are to be contacted in the event of any status change in the OA.
Read Community | 0 to 20 characters including all alphanumeric characters, the dash (-), the underscore (_), and the space | The Read Community string enables the client to read information, but not to manipulate the alerts or status of the OA through SNMP. The default community name is "public" and enables a user to receive notification traps and alerts, but not to change or manipulate the status.
Write Community | 0 to 20 characters including all alphanumeric characters, the dash (-), the underscore (_), and the space | The Write Community string enables the client to manipulate alerts of OA status through SNMP. You can remotely clear alerts and mark them as "viewed" or otherwise through their SNMP management client through the SNMP agents. The default value for the Write Community string is blank.

Edit any of the fields in this subcategory, and to save the changes, click the Apply button.

SNMP Alert Destinations settings

In the SNMP Alert Destinations subcategory, the IP addresses and community strings for the SNMPmanagement clients are configured so that any alert or trap from the OA is sent to the appropriate systemwith the community string.

| Box | Possible value | Description |
| --- | --- | --- |
| IP Address | ###.###.###.### where ### ranges from 0 to 255 | The management station IP address |
| Community String | 0 to 20 characters including all alphanumeric characters, the dash (-), the underscore (_), and the space | A text string that acts as a password. It is used to authenticate messages that are sent between HP SIM and OA. |

Adding SNMP alert destinations

Procedure

1. Enter the IP address for management clients to which the traps are to be sent in the IP Address box.

2. Enter the appropriate community string in the Community String box directly under the IP Address box.

3. After the IP address and community string are entered, click the Add button.


A maximum of eight SNMP alert destinations can be added.

Removing SNMP alert destinations

Select the IP address from the list containing the trap destinations, and then click the Remove button.

Testing SNMP

To send a test SNMP trap to all the configured trap destinations, click the Send Test Alert button. SNMP must be enabled to use this function.
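The box rules and defaults described in the SNMP settings above can be checked before a configuration is applied. The following is an added example, not part of the HPE guide or the OA firmware: the settings dictionary layout, the function names and the sample values are assumptions made for illustration.

```python
import re

# Box rule from the SNMP tables above: 0 to 20 characters drawn from
# alphanumerics, the dash, the underscore and the space.
BOX_RE = re.compile(r"[A-Za-z0-9 _-]{0,20}")
MAX_DESTINATIONS = 8  # "A maximum of eight SNMP alert destinations can be added."


def valid_ipv4(text):
    """True for ###.###.###.### where each ### is 0 to 255."""
    parts = text.split(".")
    return len(parts) == 4 and all(
        p.isascii() and p.isdigit() and len(p) <= 3 and int(p) <= 255 for p in parts
    )


def audit_snmp(settings):
    """Return findings for one OA's SNMP settings (hypothetical dict layout)."""
    findings = []
    if not settings.get("enabled", False):
        return findings  # Enable SNMP cleared: no SNMP access to the OA
    for box in ("system_location", "system_contact", "read_community", "write_community"):
        if not BOX_RE.fullmatch(settings.get(box, "")):
            findings.append(f"{box}: not 0 to 20 permitted characters")
    if settings.get("read_community", "") == "public":
        findings.append("read_community: still the default 'public'")
    if settings.get("write_community", ""):
        findings.append("write_community: set, so clients holding it can clear alerts and status")
    destinations = settings.get("alert_destinations", [])
    if len(destinations) > MAX_DESTINATIONS:
        findings.append(f"alert_destinations: {len(destinations)} entries, maximum is 8")
    for ip, community in destinations:
        if not valid_ipv4(ip):
            findings.append(f"alert_destinations: {ip!r} is not a valid IPv4 address")
        if not BOX_RE.fullmatch(community):
            findings.append(f"alert_destinations: community for {ip} not 0 to 20 permitted characters")
        elif community == "public":
            findings.append(f"alert_destinations: {ip} uses the community 'public'")
    return findings


# Constructed sample settings: a weak configuration beside a reviewed one.
WEAK = {
    "enabled": True,
    "system_location": "Lab 3 rack 12",
    "system_contact": "ops-team",
    "read_community": "public",
    "write_community": "private",
    "alert_destinations": [("192.0.2.25", "public"), ("192.0.2.300", "traps_01")],
}
REVIEWED = {
    "enabled": True,
    "system_location": "Lab 3 rack 12",
    "system_contact": "ops-team",
    "read_community": "oa-ro_7Kq2mXw",
    "write_community": "",
    "alert_destinations": [("192.0.2.25", "oa-trap_5Tz8")],
}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("REVIEWED", REVIEWED)):
        print(name, audit_snmp(cfg))
```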

Configuration Scripts

Use configuration scripts to maintain settings and configuration information, particularly when setting up multiple enclosures and OA modules and eliminating the need to configure each enclosure manually. Configuration scripts can be created and used with OA in the browser or through the CLI, executing them in the same manner as a shell script is executed in Linux or UNIX.

You can run the script from a URL, a USB drive, or Archive Storage.

Current configuration

To view a current configuration for the enclosure:

Procedure

1. Click the SHOW CONFIG link. The configuration opens in a new browser window.

2. To save the configuration as a text file, select either of the following options:

• If you use Microsoft Internet Explorer 7 or later, select Save As.

• If you use Mozilla Firefox 3.6 or later, select Save Page As.

• If you use Google Chrome 38 or later, select ???

For security reasons, the retrieved current configuration does not contain any user passwords. You can manually edit the script to add the user passwords after the user name on the ADD USER lines. The enclosure Administrator account password cannot be added from the configuration script. Also, the retrieved current configuration does not contain any of the LCD settings (Lock Buttons, Enable PIN Protection, and PIN Code). These settings cannot be added from the configuration script.

Current enclosure inventory

To download a script of the current enclosure inventory, click the SHOW ALL link; the current enclosure inventory opens in a new browser window. To save the inventory as a text file, select either of the following options:

• If you are using Microsoft Internet Explorer 7.0 or later, select Save As.

• If you are using Mozilla Firefox 2 or later, select Save Page As.

• If you are using Google Chrome 38 or later, select ???

NOTE:

Saving the enclosure inventory does not save partitioning information.

The downloaded text file provides the same information as the CLI SHOW ALL command. The text file also displays the current configuration of the enclosure.


Device Summary

The FRU Summary section provides information on all FRUs within the enclosure. Information provided in this section can quickly aid the administrator in contacting Hewlett Packard Enterprise Support Center (HPESC) for troubleshooting, repairing, and ordering replacements.

The information is organized in tabular format and divided into subcategories within the Device Summary section:

• Enclosure

• OA

• Blade

• Blade mezzanine

• Interconnect


• XFM

• GPSM

• Fan

• Power supply

• Insight Display

Active to Standby

When a second OA is installed, the menu item Active to Standby appears under the Enclosure Settings tree menu item, and both OAs are visible in the tree menu and in the enclosure view under the Status tab.

If more than one OA is installed in the enclosure, you can manually change the active OA. This feature can be useful when troubleshooting the OA.

To perform a transition:

Procedure

1. Click the Transition Active to Standby button to force the change. A confirmation screen appears, confirming the transition.

2. Close your browser if you are logged in to the active OA.

3. Click OK to proceed, or click Cancel to exit without a change.

If only one OA is installed in the enclosure, the Active to Standby menu item does not appear.

You can also perform a transition using the FORCE TAKEOVER command from the OA CLI.

The transition times from Standby to Active and Active to Standby vary, depending on the configuration, enclosure population, and various other factors. Removing the previously Active OA early in the transition process forces the transition time of the Standby to Active to increase.

Onboard Administrator Module

Active Onboard Administrator

The Active OA screen under the Status and Information tab has tables that provide detailed information about your OA.


Diagnostic information is gathered by polling a device microcontroller (resulting in a degraded status if a failure has occurred) or is sent by the device microcontroller, without being polled, to report a failure.

Active Onboard Administrator Status and Information tab

Status information

| Item | Description |
| --- | --- |
| Status | The overall status of the enclosure. Possible values are Unknown, OK, Degraded, and Failed. |
| Role | Active or Standby. |
| Bay Number | The physical bay number where the OA is installed. |
| Temperature | The temperature of the enclosure in degrees Fahrenheit. |
| Caution Threshold | The temperature at which the enclosure reports a status of caution. |
| Critical Threshold | The temperature at which the enclosure reports a critical status and powers off. |

Hardware information

| Item | Description |
| --- | --- |
| Device Name | The common descriptive name of the OA. |
| Manufacturer | The name of the company that manufactured the OA. |
| Complex Firmware Version | The version of the complex firmware image in the OA. |
| Hardware Version | The version of the enclosure hardware. |
| Part Number | The part number to use when ordering an additional or replacement OA. |
| Serial Number | The serial number of the OA module. |
| Spare Part Number | The spare part number to use when ordering an additional or replacement OA. |
| UUID | The Universally Unique Identifier number of the OA. |

Diagnostic information

| Item | Description |
| --- | --- |
| Device Identification Data | This row displays information such as model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. A device identification data error appears if the data is not present or not readable by the OA. Possible values are OK or Error. |
| Enclosure ID | The number of the enclosure in the complex. |
| OA USB Cable | Status of the OA USB Cable. |
| Firmware Mismatch | The standby OA with the lowest firmware version displays Error when two OAs are present and the firmware does not match. |
| Device Indictment | Indicates if the device has been indicted by the Error Analysis Engine. |

Active Onboard Administrator Virtual Buttons tab

To reset the OA:

Procedure

1. To reset the OA, click the Reset button.

2. A confirmation screen appears, asking if you are sure that you want to perform the action and that youwill be signed out and disconnected from the OA.

3. Click OK to proceed, or click Cancel to exit without a change.

You can also click the Toggle On/Off button on this tab to change the OA module UID LED. This button is useful in identifying a particular OA when there is more than one in the enclosure.


TCP/IP Settings

This screen displays the current enclosure TCP/IP settings for the active OA. To change these settings, select Click here.

For information on modifying the TCP/IP settings, see Certificate Administration on page 120.


Certificate Administration

Information tab

This screen displays the detailed information of the SSL certificate now in use by the OA. An SSL certificate is used to certify the identity of OA and is required by the underlying HTTP server to establish a secure (encrypted) communications channel with the client web browser.

On initial start up, OA generates a default self-signed SSL certificate valid for 10 years, and the certificate is issued to the name of the OA. Because this default certificate is self-signed, the issued by box is also set to the same name.

Status information

| Item | Description |
| --- | --- |
| Cert Common Name | The certificate subject common name. |

Certificate information

| Item | Description |
| --- | --- |
| Issued by | The certificate authority that issued the certificate. |
| Valid from | The date from which the certificate is valid. |
| Valid until | The date the certificate expires. |
| Serial Number | The serial number assigned to the certificate by the certifying authority. |
| Version | Version number of current certificate. |
| MD5 Fingerprint | A validation of authenticity embedded in the certificate. |
| SHA1 Fingerprint | A validation of authenticity embedded in the certificate. |

Required Information

| Item | Description |
| --- | --- |
| Country (C) | The two-character country code that identifies the country where the OA is located. |
| State or Province (ST) | The state or province where the OA is located. |
| City or Locality (L) | The city or locality where the OA is located. |
| Organization Name (O) | The company that owns this OA. |

Optional data

| Item | Description |
| --- | --- |
| Contact Person | The person responsible for the OA. |
| Email Address | The email address of the person responsible for the OA. |
| Organizational Unit | The unit within the company or organization that owns the OA. |
| Surname | The surname of the person responsible for the OA. |
| Given Name | The given name of the person responsible for the OA. |
| Initials | The initials of the person responsible for the OA. |
| DN Qualifier | The distinguished name qualifier of the OA. |

Certificate-signing request attributes

| Item | Description |
| --- | --- |
| Unstructured Name | This is for additional information. |

Certificate Request tab

The Certificate Request tab enables you to enter the information needed to generate a self-signed certificate or a standardized certificate-signing request to a certificate authority.

Required Information

| Item | Possible values | Description |
| --- | --- | --- |
| Country (C) | Must be one to two characters in length. Acceptable characters are all alphanumeric, a space, and the following punctuation marks: ' ( ) + , - . / : = ? | A valid country code that identifies the country where the Onboard Administrator is located. |
| State or Province (ST) | Must be 1 to 30 characters in length. | The state or province where the Onboard Administrator is located. |
| City or Locality (L) | Must be 1 to 50 characters in length. | The city or locality where the Onboard Administrator is located. |
| Organization Name (O) | Must be 1 to 60 characters in length. | The organization that owns this Onboard Administrator. When this information is used to generate a certificate-signing request, the certificate issuing authority can be sure that the organization requesting the certificate is legally entitled to claim ownership of the given company name or organization. |
| Common Name (CN) | Must be 1 to 60 characters in length. To prevent security alerts, the value of this box must match exactly the host name as it is known by the web browser. The web browser compares the host name in the resolved web address to the name that appears in the certificate. For example, if the web address in the address box is https://oa-001635.xyz.com, then the value must be oa-001635.xyz.com. | The Onboard Administrator name that appears in the browser web address box. |

Select Standby OA Host Name to include a request for a Standby Onboard Administrator certificate. Enter the information in the Standby Common Name (CN) box, which must be 1 to 60 characters in length. This selection appears only if you have a Standby Onboard Administrator in the enclosure.

Optional Information

| Item | Possible values | Description |
| --- | --- | --- |
| Alternative Name | Must be 0 to 512 characters in length. | An alternate name for the Onboard Administrator. The field must either be empty or contain a list of keyword:value pairs separated by commas. The valid keyword:value entries include IP:<ip address> and DNS:<domain name>. |
| Contact Person | Must be 0 to 60 characters in length. | The person responsible for the Onboard Administrator. |
| Email Address | Must be 0 to 60 characters in length. | The email address of the contact person responsible for the Onboard Administrator. |
| Organizational Unit | Must be 0 to 60 characters in length. | The unit within the company or organization that owns the Onboard Administrator. |
| Surname | Must be 0 to 60 characters in length. | The surname of the person responsible for the Onboard Administrator. |
| Given Name | Must be 0 to 60 characters in length. | The given name of the person responsible for the Onboard Administrator. |
| Initials | Must be 0 to 20 characters in length. | The initials of the person responsible for the Onboard Administrator. |
| DN Qualifier | Must be 0 to 60 characters in length. Acceptable characters are all alphanumeric, the space, and the following punctuation marks: ' ( ) + , - . / : = ? | The distinguished name qualifier of the Onboard Administrator. |

Certificate-signing request attributes

| Box | Possible values | Description |
| --- | --- | --- |
| Challenge Password | Must be 0 to 30 characters in length | The password for the certificate-signing request |
| Confirm Password | Must be 0 to 30 characters in length | Confirm the Challenge Password |
| Unstructured Name | Must be 0 to 60 characters in length | This is for additional information (for example, an unstructured name that is assigned to the Onboard Administrator) |

To generate a self-signed certificate or a standardized certificate-signing request, click the Apply button.
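The Common Name and Alternative Name rules in the tables above can be checked against the URL that administrators actually type before the request is generated. The following is an added example, not code from the HPE guide or the OA: the function names are hypothetical, keywords are assumed to be written exactly as IP and DNS, and the warning about a match on Common Name alone reflects current browser behaviour rather than anything stated in the guide.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Limits taken from the Certificate Request tab tables above.
CN_MAX = 60
ALT_NAME_MAX = 512
COUNTRY_RE = re.compile(r"[A-Za-z0-9 '()+,\-./:=?]{1,2}")


def parse_alternative_name(value):
    """Parse the Alternative Name box: empty, or comma-separated keyword:value pairs.

    Returns (dns_names, ip_addresses); raises ValueError on a malformed entry.
    """
    if len(value) > ALT_NAME_MAX:
        raise ValueError("longer than 512 characters")
    dns_names, ips = [], []
    if not value.strip():
        return dns_names, ips
    for entry in value.split(","):
        keyword, sep, val = entry.strip().partition(":")
        val = val.strip()
        if not sep or not val:
            raise ValueError(f"not a keyword:value pair: {entry!r}")
        if keyword == "DNS":
            dns_names.append(val.lower())
        elif keyword == "IP":
            ips.append(ipaddress.ip_address(val))  # ValueError if not an address
        else:
            raise ValueError(f"unsupported keyword: {keyword!r}")
    return dns_names, ips


def check_request(url, common_name, alternative_name="", country="US"):
    """Return findings for one planned certificate request and the URL used to reach the OA."""
    findings = []
    host = (urlsplit(url).hostname or "").lower()
    if not 1 <= len(common_name) <= CN_MAX:
        findings.append("ERROR: Common Name must be 1 to 60 characters")
    if not COUNTRY_RE.fullmatch(country):
        findings.append("ERROR: Country must be 1 to 2 permitted characters")
    try:
        dns_names, ips = parse_alternative_name(alternative_name)
    except ValueError as exc:
        findings.append(f"ERROR: Alternative Name: {exc}")
        dns_names, ips = [], []
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        host_ip = None  # the URL uses a DNS name, not an IP literal
    cn_match = common_name.lower() == host
    san_match = (host_ip in ips) if host_ip is not None else (host in dns_names)
    if not cn_match and not san_match:
        findings.append(f"ERROR: {host!r} matches neither Common Name nor Alternative Name")
    elif not san_match:
        # Assumption beyond the guide: current browsers match Alternative Name
        # entries and ignore the Common Name.
        findings.append(f"WARN: {host!r} matches only Common Name; add it to Alternative Name")
    return findings


if __name__ == "__main__":
    # Constructed inputs based on the guide's oa-001635.xyz.com example.
    print(check_request("https://oa-001635.xyz.com", "oa-001635.xyz.com",
                        "DNS:oa-001635.xyz.com,IP:192.0.2.10"))
    print(check_request("https://oa-001635.xyz.com", "oa-001635"))
```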

Standardized certificate-signing request


This screen displays a standardized certificate signing request generated by the Onboard Administrator. The content of the request in the text box can be sent to a certificate authority of your choice for signing. Once signed and returned from the certificate authority, the certificate can be uploaded under the Certificate Upload tab.

If a static IP address is configured for Onboard Administrator when this certificate request is generated, the certificate request will be issued to the static IP address. Otherwise, it is issued to the dynamic DNS name of the Onboard Administrator. The certificate, by default, requests a valid duration of 10 years (this value is now not configurable).

When submitting the request to the certificate authority, be sure to:

• Use the Onboard Administrator URL for the server.

• Request the certificate be generated in the RAW format.

• Include the Begin and End certificate lines.

Active Onboard Administrator Certificate Upload tab

Upload certificates for use in an Onboard Administrator in the following ways:

• Paste certificate contents into the text box and click the Upload button.

• Paste the URL of the certificate into the URL box and click the Apply button.

The certificate to be uploaded must be from a certificate request sent out and signed by a certificate authority for this particular Onboard Administrator. Otherwise, the certificate fails to match the private keys used to generate the certificate request, and the certificate is rejected. Also, if the Onboard Administrator domain has been destroyed or re-imported, then you must repeat the steps for generating a certificate request. The certificate is re-signed by a certificate authority because the private keys are destroyed and recreated along with the Onboard Administrator domain.

If the new certificate is successfully accepted and installed by the Onboard Administrator, you are automatically signed out. The HTTP server must be restarted so that the new certificate takes effect.

System log

The System Log subcategory can be found within the Active OA category. The System Log displays logged information of events within the OA.

Events are logged from the top of the list to the bottom, with the most recent logged event appearing at the top of the list. The system log can be scrolled using the scroll bar on the right of the log screen (if the log is larger than the display box). The log has a maximum capacity of 18.42 KB and automatically deletes the oldest logged event first (FIFO).

To clear the list of all logged events, click the Clear button on the lower-right of the screen under the system log display.

Standby Onboard Administrator

When a second OA is placed in the enclosure, it becomes the standby OA. The standby OA is normally placed in the available OA tray at the rear of the enclosure. By selecting the Active to Standby screen in the Enclosure Settings, you can force a transition within the OA user interface to make the active OA become the standby OA.

For an Active or Standby relationship, the two OA modules must have the same firmware version installed. If the firmware versions are not identical, the Insight Display and the main status screen of the OA identify this error and alert the user through SNMP if enabled.


If using two OAs, each OA has a unique IP address. Refer to the Insight Display to get the IP addresses for the Active and Standby OAs and write them down. When looking at the enclosure from the rear, the bay on the left is bay 1, while the bay on the right is bay 2. When the Active OA transitions to the Standby OA, the DNS host name and IP addresses remain the same. To connect to the new Active OA, you must completely close your browser and connect to the host name or IP address of the former Standby OA.

Status, Information, and Virtual Buttons tabs

The information under the Status, Information, and Virtual Buttons tabs is the same as it is for an active OA. For information on these tabs, see Active Onboard Administrator on page 115.

TCP/IP Settings for Standby Onboard Administrator

This screen displays the current TCP/IP settings for the Standby OA:

• IPv4 Information

• General Information

IPv4 Information

| Parameter | Description |
| --- | --- |
| IP Address | The IPv4 address of the Standby OA, with indication of the type of IP address assigned (static or dynamic). |
| Subnet Mask | The subnet mask for the Standby OA. The mask determines to which subnet the Active OA IP address belongs. |
| Gateway | The gateway address for the Standby OA. |

General Information

| Parameter | Description |
| --- | --- |
| DNS Server 1 | The IP address for the primary DNS server. |
| OA Name | The name of the OA. The default for this box is the DNS host name. |
| MAC Address | The OA MAC address. |
| NIC Settings | The NIC settings for the Active OA, such as autonegotiation, duplex mode, and speed. |
| Link Status | Indicates whether the NIC is actively connected to the network. |

To modify the TCP/IP settings, select Click here.

Standby Onboard Administrator Virtual Buttons tab

The Virtual Buttons tab is the same as it is for an active OA. For information on this tab, see Active Onboard Administrator Virtual Buttons tab on page 117.

Standby Certificate Request tab

The standby Certificate Request tab is the same as it is for an active OA.

Standby Onboard Administrator Certificate Upload tab

The standby Certificate Upload tab is the same as it is for an active OA. For information on this tab, see Uploading a certificate on page 182.

System log for Standby Onboard Administrator

The System Log displays logged information of events within the OA.

Events are logged from the top of the list to the bottom, with the most recent logged event appearing at the bottom of the list. If the list is longer than the display box, you can scroll using the scroll bar on the right side of the log screen.

When the log reaches maximum capacity, it automatically deletes the oldest logged event first (first in, first out).


To clear the list of all logged events, click Clear Log (below the system log display).

Standby to Active

To force the Standby OA to Active, click Transition Standby to Active. A confirmation screen appears, asking if you are sure that you want to perform the action. To proceed, click OK. To exit without a change, click Cancel.

This functionality is only available when you are signed into the Standby OA GUI.

You can also force the Standby OA to Active by using the FORCE TAKEOVER CLI command.

The transition times from Standby to Active and Active to Standby vary, depending on the configuration, enclosure population, and various other factors. Removing the previously Active OA early in the transition process forces the transition time of the Standby to Active to increase.

Device Bays

Device Bay Summary

In the Systems and Devices menu, the Device Bays category lists all blades in the enclosure. Select Device Bays from the menu, and the device list appears with a grid showing the status of each blade in the enclosure.

Use individual check boxes to select a specific blade. After selecting blades, select UID State from the drop-down to perform the appropriate action.

NOTE:

c-Class blades also include options for Virtual Power, One Time Boot, and DVD. These options are not available for server blades.

Device List

| Item | Description |
| --- | --- |
| Check boxes | Select bays by selecting the check boxes to which you want to apply the Virtual Power, UID State, One Time Boot, or DVD features. |
| Bay | The device bay within the enclosure. |
| Status | The overall status of the device. Possible values are Unknown, OK, Degraded, Failed, and Other. |
| UID | The status of the UID on the device. Possible values are On (blue), Off (gray) or Blink (flashing). When the UID light is flashing, a critical operation is being performed on the device and must not be interrupted. |
| Power State | The power state of the device. Possible values are On or Off. |
| iLO IP Address | The IP address of the iLO within the server blade. NOTE: Not applicable for Superdome 2 server blades or storage blades. |
| iLO Name | The DNS name of the iLO within the server blade. NOTE: Not applicable for Superdome 2 server blades or storage blades. |
| iLO DVD Status | The status of the DVD connection to the server blade. A status of Incompatible Firmware means the DVD feature is not supported with the iLO firmware installed on the device. NOTE: Not applicable for Superdome 2 server blades or storage blades. |

Information on this page is current as of the last download. To view updated information, click the Refresh button.

UID State

The UID State drop-down is used to set the UID light on the blades. Turning on the UID light aids in locating a specific blade within an enclosure. The UID lights can be turned on or off one at a time or as groups, depending on the check boxes.

DVD

NOTE:

This menu is not present for Superdome 2 server blades or storage blades.

For connecting the selected blades to the enclosure media, the DVD menu enables you to select one of the following:

• Enclosure DVD, if present

• One of the listed ISO files from an attached USB key

• None

The enclosure media can be connected to multiple blades at the same time. Various USB key ISO files can be attached to various servers at the same time. After the enclosure media is connected using the DVD menu, you can use the Virtual Power menu to reboot the selected server blades in the list.

Device Bay Information

Selecting a specific blade within the enclosure opens the Device Bay Information - xx screen, where xx is the bay selected. Information provided on this screen includes tabs for Status, Information, and Virtual Devices.

The Server Management section of the page contains a link to Port Mapping Information to aid the management of the server blade in the device bay.

iLO


NOTE:

This menu is not present for Superdome 2 or HPE Integrity Superdome X server blades.

Port Mapping Information

Information regarding port mapping for all devices in the device bay is available by clicking the Port Mapping Information link.

Status information

| Item | Description |
| --- | --- |
| Status | The overall status of the blade. Possible values are Unknown, OK, Degraded, Failed, or Other with an informational icon. The informational icon with an Other status displays until the server blade is configured for Virtual Connect Manager. See the Diagnostic Information table for more information. |
| Powered | The power state of the blade. Possible values are On or Off. |
| Power Allocated | The amount of power allocated to the blade in watts. |
| Virtual Fan | The percentage of maximum RPM of the virtual fan. |

Diagnostic Information

Diagnostic information is gathered by polling a device microcontroller (resulting in a degraded status if a failure has occurred) or is sent by the device microcontroller, without being polled, to report a failure.

| Item | Description |
| --- | --- |
| Device Identification Data | Contains information on model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. Device identification data error displays if the data is not present or not readable by the OA. |
| Management Processor | Status of the iLO. Possible values are OK or Error. |
| I/O Configuration | Device bay configuration is incorrect. If a storage blade is partnered with a full height server blade, and the server blade does not have the correct mezzanine card, an invalid I/O configuration will result. Possible values are OK or I/O mismatch detected. See the EBIPA section for more information. |
| Device Operational | Device has failed; status was not requested by the OA. Possible values are OK or Error. |
| Device Degraded | Device has failed; status was requested by the OA. Possible values are OK or Error. |
| iLO Network | Detects an iLO network configuration problem. Possible values are OK or iLO network configuration problem, check connectivity to iLO default gateway. If the problem continues, then attempt to reset iLO using the OA CLI HPONCFG command to send a script command to reset iLO. |
| Device Informational | Device has an error. Possible values are OK or an Informational message. NOTE: Not applicable for c-Class server blades. |
| Firmware Mismatch | The now configured partition firmware version does not match the now configured complex firmware bundle version. Possible values are OK or Error. NOTE: Not applicable for c-Class server blades. |
| Deconfigured | Values are FAILED or OK. Failed means the blade, if part of an nPar, will not be used at next boot. |
| PDHC Processor | State of the PDHC management entity. |
| Device Indictment | Indicates if the device has been indicted by the Superdome Analysis Engine. Possible values are OK or Error with an informational message. NOTE: Not applicable for c-Class server blades. |

CPU Status

| Item | Description |
| --- | --- |
| Resource Path | The resource path for the processor socket. |
| Status | The overall status of the processor. Possible values are Unknown, OK, Degraded, or Failed. |
| FRU Read Status | The status of the FRU data for the processor. Possible values are Unknown, OK, Degraded or Failed. |
| Indictment Status | The indictment status of the processor. Possible values are OK or Error with an informational message. |

DIMM Status: CPU Socket 0 or 1

Item Description

Resource Path The resource path for the DIMM socket.

Status The overall status of the DIMM. Possible values are Unknown, OK, Degraded, or Failed.

FRU Read Status The status of the FRU data for the DIMM. Possible values are Unknown, OK, Degraded or Failed.

Indictment Status The indictment status of the DIMM. Possible values are OK or Error with an informational message.

Configuration Status The configuration status of the DIMM is either DECONFIGURED or OK. A deconfigured DIMM will also cause a Critical Error Indictment Status.

Temperature Sensors

NOTE:

The Temperature Sensors table only displays when the blade is powered on.

Item Description

Sensor The sensor number

Location Location of sensor in the device

Status This is the status of the temperature sensor. The status matches the graphic presentation of the temperature.

Temperature Graphic presentation of temperature

Server Blade Information tab

Device Information

Row Description

Blade Type Server blade

Manufacturer Name of the company that manufactured the server blade

Product Name Common descriptive name for the server blade

Part Number Part number used when ordering an additional or replacement server blade of this type

System Board Spare Part Number Part number used when ordering an additional or replacement system board of this type

Serial Number The static factory serial number for the server blade

Serial Number (Logical) A relocatable serial number assigned to the server blade

UUID The universally unique identifier assigned to the server blade

Complex Firmware Version Currently configured complex firmware version

Partition Firmware Version Currently configured partition firmware version

Server NIC Information

Item Description

Port: NIC 1 The MAC address of this NIC port

Port: NIC 2 The MAC address of this NIC port

Port: NIC 3 The MAC address of this NIC port.

Port: NIC 4 The MAC address of this NIC port.

Port: iLO The MAC address of the iLO port for the blade in this enclosure slot.

Mezzanine Card Information

Item Description

Mezzanine Slot The physical slot in which the mezzanine card is located.

Mezzanine Device The common or product name of the mezzanine device.

Mezzanine Device Port The port assigned to the mezzanine device.

Device ID The MAC address of the interconnect bay port.

CPU and memory information

Table 8: CPU Information

Item Description

Resource path The resource path to the processor socket

Part Number Model of processor

Speed (MHz) Clock speed of the processor

Part Number Processor part number used to order replacement processor of the same type

Serial Number Factory serial number of the processor

Engineering Date Code Manufacturing reference number

Table 9: DIMM Information: CPU Socket 0 or 1

Item Description

Resource path Path to DIMM socket

Part Number DIMM module part number used to order additional or replacement module of the same type

Manufacturer Name of the manufacturer of the DIMM module

Speed (MHz) Bus speed of the DIMM module

Size (MB) Memory capacity of DIMM module. The total capacity of all DIMM modules is listed at the bottom.

Device bay virtual buttons tab

UID Light

Clicking the Toggle On/Off button turns the UID light on the server blade on or off for identification of the selected server blade.

Interconnect Bays

In the Enclosure Information menu, the Interconnect Bays category lists all the interconnect devices within the selected enclosure within the complex. Selecting the interconnect bays menu item directly opens the interconnect device list with a grid that shows the status of each interconnect device within the enclosure, and the UID status, power state, tray type, management URL, and product name.

The check box in the first column on the top row toggles all check boxes on or off for all enclosure interconnect devices. This feature is useful if you want to toggle the UID state for all interconnect devices at the same time. Otherwise, the first column contains check boxes that can be used to select individual interconnects. After the appropriate interconnects are selected, the Virtual Power or UID state drop-down can be selected to perform the appropriate action.

Item Description

Check box Select the check boxes next to the bay or bays where you want to apply the Virtual Power and UID State features.

Bay Bay in the enclosure of the corresponding interconnect device. This box displays only populated bays. Empty bays are not displayed in this table.

Status Overall status of the interconnect device. Possible values are Unknown, OK, Degraded, and Failed.

UID Status of the UID on the interconnect device. Possible values are On (blue) or Off (gray).

Power State Power state of the interconnect device. Possible values are On or Off.

Module Type Network interface type for the interconnect device installed in this bay. Possible values are Ethernet or fiber.

Management URL Address where the interconnect device can be managed and configured for use in the network.

Product Name Common descriptive name for the interconnect device.

Information on this page is current as of last download. To view updated information, click the Refresh button.

The Virtual Power menu enables you to turn an interconnect device on or off. Hewlett Packard Enterprise recommends that only one device be turned on or off at a time using this feature.

The UID State menu is used to set the UID LED on the interconnect device. Turning on the UID LED assists in locating a specific interconnect device within an enclosure. These LEDs can be turned on or off one at a time or as groups depending on the checkboxes.

Interconnect Bay Information

The Interconnect Bay Information screen displays information about the bays where switches and routers can be placed.

Click the Port Mapping Information link to display port mapping information on the interconnect bay you have selected. The port mapping information can also be selected from the navigation tree.

Interconnect Bay Status tab

Status information

Item Description

Status The overall status of the interconnect device. Possible values are Unknown, OK, Degraded, and Failed.

Thermal Status The thermal status of the interconnect device. Possible values are Unknown, OK, Degraded, and Failed.

Powered The power state of the interconnect device. Possible values are On or Off.

Diagnostic Information

Row Description

Device Identification Data Contains information on model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. Device identification data error displays if the data is not present or not readable by the OA.

Management Processor Management processor is not responding. Possible values are OK or Error.

Temperature Temperature is above the warning threshold. Possible values are OK or Temperature Warning.

Overheat Check Temperature is above the danger threshold. Possible values are OK or Critical temperature threshold reached.

Power Allocation Request There is insufficient power to adequately power the interconnect. Possible values are OK or Insufficient enclosure power.

Device Operational Device has failed; status was not requested by the OA. Possible values are OK or Error.

Device Degraded Device has failed; status was requested by the OA. Possible values are OK or Error.

Interconnect Bay Information tab

Hardware Information

Item Description

Product Name The common descriptive name of the interconnect device.

Management IP Address IP address of the interconnect management interface.

Management URL Web address of the interconnect management interface.

User Assigned Name A name assigned to the interconnect by the user. If supported, the name is assigned using the interconnect Management Interface.

Part Number The part number to be used when ordering an additional interconnect device of this type.

Spare Part Number The part number to be used when ordering a replacement interconnect device of this type.

Serial Number The unique serial number of the interconnect device.

Type The interface type of the interconnect device. Possible values are Ethernet or fiber.

Manufacturer The name of the company that manufactured the interconnect device.

Temperature Sensor Indicates whether or not the interconnect device has a temperature sensor.

Firmware Version The firmware version of the interconnect module.

Connectivity information

Item Description

JS2 Connector This box displays the presence or absence of the JS2 connector.

Internal Ethernet Interface to OA This box displays the presence or absence of an internal Ethernet interface to the OA.

Internal Ethernet Route to OA This box displays the status of an internal Ethernet route to the OA. Possible values are Enabled or Disabled.

Internal Serial Interface to OA This box displays the presence or absence of an internal serial interface to the OA.

Internal Serial Route to OA This box displays the status of an internal serial route to the OA. Possible values are Enabled or Disabled.

Serial Port Baud Rate This box displays the serial port baud rate. This only displays if an external serial port interface is present.

External Serial Port Interface This box displays the presence or absence of an external serial port interface.

External Ethernet Interface This box displays the presence or absence of an external Ethernet interface.

Interconnect Bay Virtual Buttons tab

Interconnect bay virtual buttons enable you to cycle power, reset, or toggle the UID on the device of your choice from the OA GUI.

Button Description

Power Off Clicking this button shuts the power off on the interconnect device.

Reset Clicking this button forces the interconnect device to power off and then power up again, performing a reset.

Toggle On/Off Clicking this button turns the UID on the interconnect device on (blue) or off (gray) for easy identification of the selected interconnect device.

Interconnect Bay Port Mapping

The Interconnect Bay Port Mapping screen provides a graphical view and a tabular view of the interconnect bay port mapping.

Graphical view

When you mouse over the port on the interconnect, the graphical view provides the same information that appears in the tabular view.

Tabular view

Item Description

Interconnect Bay Port The number of the interconnect bay port in order from 1 to 16

Port Status Current status of the port

Device Bay The device bay corresponding with the interconnect port mapping

Server Mezzanine Slot The type of device placed into the mezzanine of the server blade

Server Mezzanine Port The physical port of the mezzanine device

Device ID The MAC address of the interconnect bay port

XFM Bays

In the Enclosure Information menu, the XFM Bays category lists the Xbar Fabric modules within the selected enclosure within the complex. Selecting the XFM Module bays menu item directly opens the XFM Module list with a grid that shows the status of each XFM Module within the enclosure and the UID status, Engineering Date Code, part number and product name.

NOTE:

Some HPE Integrity Superdome X systems have XFM2 crossbar modules. This is displayed as “SXFM” by the Onboard Administrator.

The check box in the first column on the top row toggles all check boxes on or off for all XFMs. This feature is useful if you want to toggle the UID state for all XFMs at the same time. Otherwise, the first column contains checkboxes that can be used to select individual XFMs. After the appropriate interconnects are selected, the UID state drop-down can be selected to toggle the UID state.

Item Description

Check box Select the check box next to the bay or bays where you want to apply the UID State features.

Bay Bay in the enclosure of the corresponding XFM. This box displays only populated bays. Empty bays are not displayed in this table.

Status Overall status of the XFM. Possible values are Unknown, OK, Degraded, and Failed.

UID Status of the UID on the XFM. Possible values are On (blue) or Off (gray).

Power State Power state of the XFM. Possible values are On or Off.

Engineering Date Code Manufacturing information about the XFM.

Part Number Part number of the XFM used to order replacement parts of the same type.

Product Name Common descriptive name for the XFM.

Information on this page is current as of last download. Click the Refresh button to view updated information.

UID State

The UID State menu is used to set the UID LED on the XFM. Turning on the UID LED assists in locating a specific XFM within an enclosure. These LEDs can be turned on or off one at a time or as groups depending on the checkboxes.

XFM Bay Information

The XFM Bay screen displays information about the bays where XFMs can be placed.

XFM Bay Status tab

Status information

Row Description

Status The overall status of the XFM. Possible values are Unknown, OK, Degraded, and Failed.

Inlet Thermal Status The thermal status of the airflow coming into the XFM. Possible values are Unknown, OK, Degraded, and Failed.

Outlet Thermal Status The thermal status of the airflow exiting the XFM. Possible values are Unknown, OK, Degraded, and Failed.

Powered The power state of the XFM. Possible values are On or Off.

Diagnostic Information

Row Description

Device Identification Data Contains information on model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. Device identification data error displays if the data is not present or not readable by the OA.

Management Processor Management processor is not responding. Possible values are OK or Error.

Temperature Temperature is above the warning threshold. Possible values are OK or Temperature Warning.

Overheat Check Temperature is above the danger threshold. Possible values are OK or Critical Temperature Threshold Reached.

Power Allocation Request There is insufficient power to adequately power the XFM. Possible values are OK or Insufficient Enclosure Power.

Cooling Temperature is above the warning threshold. Possible values are OK or Temperature Warning.

Device Operational Device has failed; status was not requested by the OA. Possible values are OK or Error.

XFM Link Status

Column Description

Port Number Indicates the port on the XFM module.

Status Current status of link to connected device. Possible values are OK, Error, Dormant, or Unknown.

XFM Bay Information tab

Device Information

Item Description

Product Name The common descriptive name of the XFM.

Part Number The part number to be used when ordering an additional XFM of this type.

Spare Part Number The part number to be used when ordering a replacement XFM of this type.

Serial Number The unique serial number of the XFM.

Engineering Date Code Manufacturing information about the XFM.

Manufacturer The name of the company that manufactured the XFM.

Complex Firmware Version Currently configured firmware version on the XFM.

XFM Bay Virtual Buttons

XFM virtual buttons enable you to toggle the UID on the XFM of your choice from the OA GUI.

Click the Toggle On/Off button to turn UID on the XFM on (blue) or off (gray) for easy identification of the selected XFM.

GPSM Bays

In the Enclosure Information menu, the GPSM Bays category lists the Global Partition Services modules within the selected enclosure within the complex. Selecting the GPSM bays menu item directly opens the GPSM list with a grid that shows the status of each GPSM within the enclosure and the UID status, Engineering Date Code, part number, and product name.

The checkbox in the first column on the top row toggles all checkboxes on or off for all GPSMs. This feature is useful if you want to toggle the UID state for all GPSMs at the same time. Otherwise, the first column contains checkboxes that can be used to select individual GPSMs. After the appropriate interconnects are selected, the UID state drop-down can be selected to toggle the UID state.

Item Description

Check box Click the check box next to the bay or bays where you want to apply the UID State features.

Bay Bay in the enclosure of the corresponding GPSM. This box displays only populated bays. Empty bays are not displayed in this table.

Status Overall status of the GPSM. Possible values are Unknown, OK, Degraded, and Failed.

UID Status of the UID on the GPSM. Possible values are On (blue) or Off (gray).

Engineering Date Code Manufacturing information about the GPSM.

Part Number Part number of the GPSM used to order replacement parts of the same type.

Product Name Common descriptive name for the GPSM.

Information on this page is current as of the last download. Click the Refresh button to view updated information.

UID State

The UID State menu is used to set the UID LED on the GPSM. Turning on the UID LED assists in locating a specific GPSM within an enclosure. These LEDs can be turned on or off one at a time or as groups depending on the checkboxes.

GPSM Bay Information

The GPSM Bay Information screen displays information about the bays where GPSMs can be placed.

GPSM Status tab

Status information

Item Description

Status The overall status of the GPSM. Possible values are Unknown, OK, Degraded, and Failed.

Thermal Status The thermal status of the GPSM. Possible values are Unknown, OK, and Critical.

Diagnostic Information

Item Description

Device Identification Data Contains information on model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. Device identification data error appears if the data is not present or not readable by the OA.

Management Processor Management processor is not responding. Possible values are OK or Error.

Temperature Temperature is above the warning threshold. Possible values are OK or Temperature Warning.

Firmware Mismatch The GPSM with a firmware version that does not match the installed Complex firmware will display FAILED in this field.

Device Indictment Indicates if the device has been indicted by the Superdome Analysis Engine. Possible values are OK or Error with an informational message.

NOTE:

Not applicable for c-Class server blades.

GPSM Bay Information tab

Device information

Item Description

Product Name The common descriptive name of the GPSM.

Part Number The part number to be used when ordering an additional GPSM of this type.

Spare Part Number The part number to be used when ordering a replacement GPSM of this type.

Serial Number The unique serial number of the GPSM.

Engineering Date Code Manufacturing information about the GPSM.

Manufacturer The name of the company that manufactured the GPSM.

Complex Firmware Version Currently configured firmware version on the GPSM.

GPSM Virtual Buttons

GPSM virtual buttons enable you to toggle the UID on the GPSM of your choice from the OA GUI.

Click the Toggle On/Off button to turn UID on the GPSM on (blue) or off (gray) for easy identification of the selected GPSM.

Enclosure power management

The compute enclosures each contain twelve power supplies (six upper and six lower), which are monitored directly by OA. At least one upper and one lower power supply must be installed at all times.

OA is responsible for calculating the redundancy status, total available power, and total power consumed. This information is displayed to the user and is used to manage power resources. The OA power subsystem displays include status and information for each power supply, and the power enclosure itself.

Also included in the power fault realm is control of the electronic fuses between the power backplane and the server or switch bays. The OA will alert on fuse trips to enable you to reset fuses manually.

Power and Thermal

Item Description

Enclosure Ambient Temperature This box displays the highest ambient temperature being reported by the installed blade devices. If no blade devices are installed, then this box displays the temperature of the OA module as an approximation of the ambient temperature.

Thermal Subsystem Status The overall thermal status of the enclosure. Possible values are Unknown, OK, Degraded, or Critical Error.

Power Subsystem Status The overall power status of the enclosure. Possible values are Unknown, OK, Degraded, or Critical Error.

Power Mode A user setting to configure the enclosure DC power capacity and the input power redundancy mode of the enclosure. See Power Management for possible values.

Present Power The amount of watts being consumed by all devices in the enclosure.

Power Limit The maximum amount of power available for consumption by the enclosure measured in watts.

NOTE:

The Power Limit is dependent on the enclosure power redundancy setting and the number and location of the power supplies in the enclosure. If a Static Power Limit has been specified, the Power Limit displays that limit.

Power Management

To set the power management options in OA, go to the menu on the left and select the enclosure to be managed, and then click Power and Thermal. The Power Management page appears below. Click Power Management to display the following choices:

• AC Redundant

• Power Supply Redundant

• Not Redundant

Beneath the main power management choices is the Dynamic Power Savings mode check box, which lets you enable Dynamic Power Savings Mode.

The AC Input VA Limit box enables you to set a VA limit for the enclosure. After this limit is met by the enclosure, it will not allow any additional blades, power supplies, fans, or switches to power on. If a value is entered into the VA Limit box that is lower than the VA currently used by the enclosure, the enclosure does not power off any devices within the enclosure. However, if a device is powered off, it cannot power on because of the VA limit rule set in the OA power management settings.

IMPORTANT:

If redundancy mode is set to Redundant, AC Redundant, or Power Supply Redundant, and power redundancy is lost, then you must either add additional power supplies or change the redundancy mode setting in the OA to restore Power Subsystem status. See the Insight Display for corrective steps.

IMPORTANT:

To change the power redundancy mode, you must disable EDPC. After changing the power redundancy mode, reset EDPC based on the new ranges.

The enclosure power management system enables you to customize the configuration of the enclosure. You can select from the different modes on the OA Power Management screen. The power modes are explained in the following table.

Mode Insight Display name Description

Redundant Redundant For DC power supplies only. In this configuration, N upper and N lower power supplies are used to provide power and N upper and N lower power supplies are used to provide redundancy (where N can equal 1, 2, or 3). Up to three upper and three lower power supplies can fail without causing the enclosure to fail. When correctly wired with redundant DC line feeds, this configuration also ensures that a DC line feed failure does not cause the enclosure to power off.

AC Redundant AC Redundant For AC power supplies only. In this configuration, N upper and N lower power supplies are used to provide power and N upper and N lower power supplies are used to provide redundancy (where N can equal 1, 2, or 3). Up to three upper and three lower power supplies can fail without causing the enclosure to fail. When correctly wired with redundant AC line feeds, this configuration also ensures that an AC line feed failure does not cause the enclosure to power off.

Power Supply Redundant Power Supply Up to six upper and six lower power supplies can be installed with one upper and one lower power supply always reserved to provide redundancy. In the event of a single upper or lower power supply failure, the redundant power supply in the same section (upper or lower) takes over the load. A line feed failure of more than one power supply in a section causes the system to power off.

Not Redundant None There is no power redundancy and no power redundancy warnings are given. If all power supplies are needed to supply Present Power, then any power supply or line failure may cause the enclosure to brown-out.

Dynamic Power Dynamic Power If enabled, Dynamic Power automatically places unused power supplies in standby mode to increase enclosure power supply efficiency, thereby minimizing enclosure power consumption during lower power demand. Increased power demands automatically return standby power supplies to full performance. This mode is not supported for low voltage on the enclosure.

Power Limit Power Limit An optional setting to limit power. Whenever you attempt to power on a device, the total power demands of the new device and of the devices already on are compared against this Static Power Limit. If the total power demands exceed the limit, the new device is prevented from powering on.

Dynamic Power—The default setting is Enabled. The following selections are valid:

• Enabled—Some power supplies can be automatically placed on standby to increase overall enclosure power subsystem efficiency.

• Disabled—All power supplies share the load. The power subsystem efficiency varies based on load.

Dynamic Power is not supported for low voltage on the enclosure.

Enclosure Power Allocation

To set the power management options in OA, go to the menu on the left and select the enclosure to be managed, and then click Power and Thermal. The Enclosure Power Allocation page appears. Click Enclosure Power Allocation to display the following information:

Item Description

Subsystem Status The overall power status of the enclosure. Possible values are Unknown, OK, Degraded, and Failed.

Power Allocated The amount of power consumed by the devices in the enclosure in watts.

Power Available The amount of power currently available for all unpowered devices in the enclosure measured in watts.

Power Capacity The amount of power possible for all the devices in the enclosure measured in watts.

The Power Allocation screen displays basic information regarding the total capacity of the power subsystem, redundant capacity, and the allocated power in watts. The Enclosure Internal Power graph displays the watts that are allocated in green against a gray background, which represents the total redundant capacity of the power supplies.

If you change the enclosure redundancy mode after power is allocated to the devices, then the power subsystem might become degraded. Power is still allocated to the devices, but redundancy might not function properly. If zero watts are available and the power graph displays degraded, check your power subsystem and redundancy configurations. You can resolve the degraded condition by changing your redundancy mode or by adding more power supplies to the enclosure.

Power Capacity will equal Power Allocated in the case where redundancy is lost.

To refresh this display, click the Refresh button beneath the table on the right side of the page.


Enclosure Power Summary


Enclosure Input Power Summary

| Item | Description |
|---|---|
| Present Power | Input watts to the enclosure. |
| Max Input Power | Highest expected input watts. For Integrity Superdome X, this is the maximum input power for the enclosure to operate at maximum DC output capacity. |
| Enclosure Dynamic Power Cap | N/A for HPE Integrity Superdome X |
| Power Limit | An optional setting to limit power. Whenever you attempt to power on a device, the total power demands of the new device and of the devices already on are compared against this Static Power Limit. If the total power demands exceed the limit, the new device is prevented from powering on. |

Enclosure Output Power Summary

| Item | Description |
|---|---|
| Present Capacity | Watts possible for all devices in the enclosure. |
| Power Allocated | Watts consumed by all devices in the enclosure. |
| Power Available | Watts currently available to all devices in the enclosure. |

Enclosure Bay Output Power Allocation

| Item | Description |
|---|---|
| Device Bays | Watts allocated for all device bays. |
| Interconnect Bays | Watts allocated for all interconnect bays. |
| XFM | Watts allocated for all XFM bays. |
| Fans | Watts allocated for all fans. |

Bay Power Summaries

A separate table is displayed for these types of bays:

• device

• interconnect

• XFM

Each type of bay is listed by bay number. The name of the component in each bay and the power allocated to it are displayed.


Fan Power Summary

Fan power is allocated based on a fan rule. The fan rule is determined according to the enclosure type and occupied device bays. Both the power allocation for the fans and the total Present Power consumption of all the fans are listed.

Enclosure Power Meter

The Enclosure Power Meter screen displays peak power use, average power use, and allocated power available in a graph, which enables fast and easy interpretation of the power situation for the enclosure. The power meter is useful for showing trends in power consumption and can assist in troubleshooting the power subsystem.

The power information is available in either graphical or tabular form.

Graphical View tab

This screen enables you to see a graphical view of the power readings for the enclosure.


To toggle between Watts, Btu/hr, and Amps, click Show Values.


The Line Voltage value is used to provide conversion to Amps. The default value is based on the power supply hardware model, not the actual line voltage. Select the actual line voltage for the enclosure for a more accurate Amps conversion.

To view updated power meter information, click Refresh Page.

Average Power data graph

This graph displays the power usage of the enclosure over the previous 24 hours. The OA collects power usage and Enclosure Dynamic Power Cap information from the enclosure every 5 minutes. For each 5-minute time period, the peak and average power usage and the cap for that time period are stored in a circular buffer. These values appear in the form of a bar graph, with the average value in blue, the peak value in red, and the cap value in black. This data is reset when the enclosure is reset. You can choose what appears on the bar graph by selecting or clearing the Average, Cap, Derated, Rated, and Min check boxes.

Present Power

This value represents the number of watts being consumed by all devices in the enclosure.

Most Recent Power Meter Reading

This value represents the most recent power reading from the enclosure.

Peak Power data graph

This graph displays the peak power usage and the Enclosure Dynamic Power Cap over the previous 24 hours.

The label Peak Power becomes Peak Power (Side A + Side B) when N+N redundant power is in place, indicating that the peak is divided across two circuits. Also, two graphs appear: one for Side A and one for Side B.

The power distribution between Side A and Side B is estimated from the number of active power supplies on each side. If redundancy is lost, the lost side displays peak power of zero.

Enclosure Dynamic Power Cap

This value represents the most recent Enclosure Dynamic Power Cap reading from the enclosure.

Average Power Reading

This value represents the average of the power readings from the enclosure over the last 24-hour period. If the enclosure has not been running for 24 hours, then the value is the average of all the readings since the enclosure was powered up.

Peak Power Reading

This value represents the peak power readings from the enclosure over the last 24-hour period. If the enclosure has not been running for 24 hours, then the value is the maximum of all the readings since the enclosure was powered up or the OA was reset.

The label Peak Power Reading becomes Peak Power Reading (Side A + Side B) when N+N redundant power is in place, indicating that the peak is divided across two circuits.

Minimum Power Reading

This value represents the minimum power readings from the enclosure over the last 24-hour period. If the enclosure has not been running for 24 hours, then the value is the minimum of all the readings since the enclosure was powered up.

Table View tab

This screen enables you to view the power readings for the enclosure in a table format.


Enclosure Power Summary

| Row | Description |
|---|---|
| Samples | Number of samples taken. |
| Average (Watts, Btu/hr, or Amps) | This value shows the average of the power readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24-hour period. If the enclosure has not been running for 24 hours, the value is the average of all the readings since the enclosure was powered up. |
| Minimum (Watts, Btu/hr, or Amps) | This value shows the minimum power readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24-hour period. If the enclosure has not been running for 24 hours, the value is the minimum of all the readings since the enclosure was powered up. |
| Maximum (Watts, Btu/hr, or Amps) (Side A + Side B) | This value shows the maximum power readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24-hour period. If the enclosure has not been running for 24 hours, the value is the maximum of all the readings since the enclosure was powered up. |
| Present Power | This value shows the power being consumed by all devices in the enclosure. |

Enclosure Power Detail

The Enclosure Power Detail table provides detailed information for each five-minute sample period. Click Date in the table heading to arrange the order of the detailed enclosure power information from present date to oldest date or oldest date to present date.

| Row | Description |
|---|---|
| Date | Date the power reading sample was taken. |
| Time | Time the power reading sample was taken. |
| Peak (Watts, Btu/hr, or Amps) (Side A + Side B) | This value shows the maximum power readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24-hour period. If the enclosure has not been running for 24 hours, the value is the maximum of all the readings since the enclosure was powered up. |
| Min (Watts, Btu/hr, or Amps) | This value shows the minimum power readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24-hour period. If the enclosure has not been running for 24 hours, the value is the minimum of all the readings since the enclosure was powered up. |
| Average (Watts, Btu/hr, or Amps) | This value shows the average of the power readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24-hour period. If the enclosure has not been running for 24 hours, the value is the average of all the readings since the enclosure was powered up. |
| Cap (Watts, Btu/hr, or Amps) | This value shows the maximum dynamic power cap readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24-hour period. If the enclosure has not been running for 24 hours, the value is the maximum of all the readings since the enclosure was powered up. |
| Derated (Watts, Btu/hr, or Amps) | This value shows the derated power readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24-hour period. If the enclosure has not been running for 24 hours, the value is the maximum of all the readings since the enclosure was powered up. |
| Rated (Watts, Btu/hr, or Amps) | This value shows the rated power readings (Watts, Btu/hr, or Amps depending on what you have selected) from the enclosure over the last 24-hour period. If the enclosure has not been running for 24 hours, the value is the maximum of all the readings since the enclosure was powered up. |

Power Subsystem

Power supplies available for use in compute enclosures

All power supplies in one enclosure must have the same part number. The OA identifies which power supplies must be replaced by displaying a caution icon.

Power Supply summary

The Power Subsystem screen provides status on the power subsystem, on each individual power supply, and fault conditions.

This screen provides status on the power subsystem and on each individual power supply.

Power Subsystem information

| Item | Description |
|---|---|
| Power Subsystem Status | The status of the power subsystem. Possible values are Unknown, OK, Degraded, or Critical Error. |
| Power Mode | A user setting to configure the enclosure DC power capacity and the input power redundancy mode of the enclosure. Possible values are Redundant, AC Redundant, Power Supply Redundant, Not Redundant, or Unknown. |
| Redundancy State | Indicates the redundancy status of the power subsystem. Possible values are Redundant, Not Redundant, or Redundancy Lost. |

Power supply status

| Item | Description |
|---|---|
| Bay | The bay in the enclosure of the corresponding power supply. This box displays only populated bays. Empty bays do not appear in this table. |
| Model | The power supply model name. |
| Status | The overall status of the power supply. Possible values are Unknown, OK, Degraded, and Critical Error. |
| Input Status | The input status of the power supply. Possible values are Unknown, OK, Degraded, and Critical Error. |
| Present Output (Watts) | This value is a measure of the present output of the power supply in watts. |
| Output Capacity (Watts) | The amount of power provided by the power supply displayed in watts. This is a measure of the output in DC watts generated by the power supply. |

Click Refresh to update the power subsystem information.

Power Supply Information

Selecting a specific power supply opens the Power Supply Information-Bay x screen, where x is the bay of the selected power supply. This screen provides status information on the selected power supply.


Status information

| Item | Description |
|---|---|
| Status | The overall status of the power supply. Possible values are Unknown, OK, Degraded, and Critical Error. |
| Input Status | The input status of the power supply. Possible values are Unknown, OK, Degraded, and Critical Error. |
| Present Output | The amount of power provided by the power supply displayed in watts. |
| Output Capacity | The maximum amount of power that can be provided by the power supply displayed in watts. |
| Model | The power supply model name. |
| Serial Number | The unique serial number of the power supply. |
| Part Number | The part number to be used when ordering an additional or replacement power supply of this type. |
| Spare Part Number | The spare part number to be used when ordering an additional or replacement power supply. |

Diagnostic Information

Diagnostic information is gathered by polling a device microcontroller (resulting in a degraded status if a failure has occurred) or is sent by the device microcontroller, without being polled, to report a failure.

| Row | Description |
|---|---|
| Device Identification Data | The device identification data is information such as model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. A device identification data error appears if the data is not present or not readable by the OA. Possible values are OK or Error. |
| Device Operational | Device has failed; status was not requested by the OA. Possible values are OK and Error. |
| Power Cord | Input power status. Possible values are OK and Error. |
| Device Indictment | Indicates if the power supply has been indicted by the Superdome Analysis Engine. |

Click the Refresh button to update the power supply information.

Fans and cooling management

OA monitors up to 15 fans in the enclosure and adjusts fan speeds as necessary, based on thermal and power measurements.

Thermal Subsystem

The speed of individual fans can be adjusted to reduce noise and power consumption, and to compensate for airflow differences within the enclosure. The performance of each fan is monitored, and OA reports any failures or warnings to the system log and HP SIM (when SNMP is enabled).


Fan Summary

This screen provides status on the thermal subsystem and each individual fan.

Fan subsystem status

| Row | Description |
|---|---|
| Thermal Subsystem Status | Indicates the overall status of the fan subsystem. Possible values are Unknown, OK, Degraded, or Critical Error. |
| Redundancy | Indicates the redundancy status of the fans. Possible values are Redundant or Not Redundant. |
| Fan Location Rule | The fan location rule indicates the proper location of the fans and the device bays that are supported. |

Fan status

| Column | Description |
|---|---|
| Fan | The bay in the enclosure of the corresponding fan. |
| Model | The fan model name. |
| Status | The overall status of the fan. Possible values are Unknown, OK, Degraded, Failed, and Absent. |
| Fan Speed | Fan speed as a percentage of maximum RPM. |

When a fan module fails, the remaining fans automatically compensate by adjusting fan speeds.

You can view the status of each fan by selecting the fan bay either through the tree navigation or the graphical navigation view. The Fan Information screen provides information about the overall status, the name, the amount of power consumed in watts, the spare part number, and the serial number. The Fan Information screen also includes diagnostic information such as internal data errors, location errors, device failures, and device degradation. Fan speeds appear in RPMs. To update information on this page, click the Refresh button.

Thermal Subsystem Fan Zones tab

Fan zones monitor the bay cooling efficiency and the status of the bays the fans are configured to cool. The zone speeds reported are targeted speeds. These values change with time as the fans speed up and slow down in response to the cooling needs of the zone. The Fan Zones tab does not dynamically update. To update information on this tab, click the Refresh button.


Fan speeds appear in percentage of total capacity, and fans operating in a zone without any blades run at a minimum RPM of 30% to maintain proper cooling in the entire enclosure.

| Item | Description |
|---|---|
| Thermal Zone | The six cooling zones in the enclosure: upper left, upper right, middle left, middle right, lower left, and lower right. |
| Zone Speed | The computed fan speed required based on the highest device need in the zone. |
| Device Bays | The number of the device bays in a particular thermal zone. |
| Fan Bay | The fan bay number. Fans in bays 3, 8, and 13 are shared between thermal zones. |
| Fan Status | The overall status of each fan. Possible values are Unknown, OK, Degraded, Failed, and Absent. |
| Fan Speed | The fan speed is displayed as a percentage of maximum RPM. |

Enclosure fan location rules

The enclosure ships with 15 HPE Active Cool fans. All 15 fans are required for optimum cooling of all device bays, GPSM bays, XFM bays, and interconnect bay components.

15 Fan Rule

All fan bays are used to support the maximum configuration of eight server blades, eight interconnect modules, two OA modules, two GPSMs, and four XFMs.

Fan Information

Selecting a specific fan opens the Fan Information - Bay x screen, where x is the bay of the selected fan. This screen provides status information on the selected fan.


Selecting a specific power supply opens the Power Supply Information – Bay x screen, where x is the bay of the selected power supply. This screen provides status information on the selected power supply.

Status information

| Row | Description |
|---|---|
| Status | The overall status of the fan. Possible values are Unknown, OK, Degraded, and Failed. |
| Name | The product name of the fan. |
| Present Power | The amount of power consumed by the fan displayed in watts. |
| Part Number | The part number to be used when ordering an additional fan of this type. |
| Spare Part Number | The spare part number to be used when ordering a replacement fan of this type. |
| Serial Number | The unique serial number of the fan. |

Diagnostic Information

Diagnostic information is gathered by polling a device microcontroller (resulting in a degraded status if a failure has occurred) or is sent by the device microcontroller, without being polled, to report a failure.

| Row | Description |
|---|---|
| Device Identification Data | The device identification data checked is information such as model name, part number, serial number, and other information used to identify the device. This data is also called FRU data. A device identification data error appears if the data is not present or not readable by the OA. Possible values are OK or Error. |
| Device Location | Incorrect power supply location. Possible values are OK or Incorrect location for proper device cooling. |
| Device Operational | Device has failed; status was not requested by the OA. Possible values are OK and Error. |
| Device Degraded | Device has failed; status was requested by the OA. Possible values are OK and Error. |
| Fan Presence | Presence of a fan module. Possible values are OK and Not Present. |
| Device Indictment | Indicates if the fan has been indicted by the Superdome Analysis Engine. |

To update the fan information, click the Refresh button.

For proper installation of the fans into the enclosure, see the service guide for your system.

Managing users

This section explains the levels of user rights recognized by the OA and provides detailed procedures to configure the management functionality provided by the OA.

Users/Authentication

The Users/Authentication menu item cannot be selected and does not display overview information for user accounts or settings. Instead, select any of the sublevel menu items for specific settings.

User roles and privilege levels

Within the Users/Authentication category of OA, you can access the Local Users subcategory. In this subcategory, you can create user accounts that individuals use to log in to the OA. Each account has a username, a password, and, typically, contact information. Users can have one of the following privilege levels:

• Administrator: Allows access to all aspects of the OA including configuration, firmware updates, user management, and resetting default settings.

• Operator: Allows access to all but configuration changes and user management. This account is ideal for individuals who are required to periodically change configuration settings.

• User: Allows access to all information, but no changes can be made within OA. This account is for individuals who must see the configuration of the OA but do not require the ability to change settings.


The privilege level approach of OA to user permissions enables the maintenance of server blade bays. This approach operates according to the following principles:

• Users are assigned privilege levels in User Management.

• A user can have access to any combination of device bays, interconnect bays, and OA bays.

Access to a server blade by a user depends on the privilege level assigned to the user account. If you select a user with Administrator or OA permission, the page grays out and disables access to the blade and interconnect permissions and selects them all.

In cases where HP SIM is used, OA can integrate with HP SIM and use HP SIM users to enable a single login from HP SIM into OA. For more information, see HPE SSO Integration on page 191.

Role-based user accounts

Role-based user accounts on OA serve to control the functions to which a user has access on the OA.

There are two major aspects to the role-based user accounts on OA: bay permissions and a user privilege level. Bay permissions determine which bays the user is allowed to access. Bay permissions are selected during user account creation and allow access to specific device bays, interconnect bays, or OA bays. The privilege level determines which administrative functions the user is allowed to perform. A user's privilege level can be Administrator, Operator, or User.

A user with an Administrator privilege level and with permissions to the OA bays in the enclosure is automatically given full access to all bays and can perform any function on the enclosure or bays including managing user accounts and configuring the enclosure. An Operator with permissions to only the OA bays can configure the enclosure, but the Operator can neither manage users or security settings nor access any other bays. A User with permission to the OA bays can view only configuration settings, but the User cannot change the settings. The user accounts can be created with multiple bay permissions, but the same privilege level, across those bays.

User accounts configured to permit access to device bays can be created for server administrators. If the user logs into the OA, the user is given information on the permitted server bays. If the user selects the iLO from the OA web GUI, the user is automatically logged into that iLO using a temporary user account with their privilege level. iLO users with administrator privilege level have complete control including modifying user accounts. Operators have full control over the server power and consoles. Users have minimum read-only access to server information. Using this single sign-on feature greatly simplifies managing multiple servers from the OA web GUI.

Permissions for interconnect modules are slightly different. Autologin is not supported for interconnect modules, and all user levels have access to the Management Console link for interconnect bays to which they have permission. Administrators and operators can use the virtual buttons from OA to control power and the UID light on the interconnect module. Users can view only status and information about the interconnect module.

Examples

The following are examples of management scenarios and the user accounts that can be created to provide the appropriate level of security.

Scenario 1: A member of an organization must have full access to the servers in bays 1-8 to view logs, control power, and use the remote console. The user does not have clearance to manage any settings on OA. The user account with this security level has an Administrator access level and permission to server bays 1-8. Thus, the user does not have permission to OA bays or any interconnect bay.

Scenario 2: A member of an organization must manage ports on two interconnect modules in bays 3 and 4. This person must know which ports on the switch map to certain servers, but this person must not be able to manage any of the servers. The user account with this security level has a User access level, permission to all server bays, and permission to interconnect bays 3 and 4. However, this user is not able to control the power or UID LED for the interconnect modules or blades. To control the power or UID to the interconnect modules, the user privilege has to be Operator. To restrict this user from performing server operations such as power control or consoles, the account is restricted to just bay permissions for interconnect bays 3 and 4.
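The two scenarios above can be checked against a small model of the rules in this section. The following Python model is an added example, not OA code: the action names, the `Account` class, the `excess` review helper, and the use of bay 0 for the OA are assumptions made for illustration, and the bay counts (eight device, eight interconnect) are taken from the 15 Fan Rule description.

```python
from dataclasses import dataclass
from enum import IntEnum

DEVICE_BAYS = range(1, 9)        # eight server blade bays
INTERCONNECT_BAYS = range(1, 9)  # eight interconnect module bays


class Privilege(IntEnum):
    USER = 1
    OPERATOR = 2
    ADMINISTRATOR = 3


# Minimum privilege level per (bay kind, action). The action names are
# hypothetical labels for this example. Anything not listed is denied.
REQUIRED = {
    ("oa", "view_configuration"): Privilege.USER,
    ("oa", "configure_enclosure"): Privilege.OPERATOR,
    ("oa", "manage_users_and_security"): Privilege.ADMINISTRATOR,
    ("device", "view_status"): Privilege.USER,
    ("device", "power_control"): Privilege.OPERATOR,
    ("device", "remote_console"): Privilege.OPERATOR,
    ("device", "modify_ilo_users"): Privilege.ADMINISTRATOR,
    ("interconnect", "view_status"): Privilege.USER,
    ("interconnect", "management_console_link"): Privilege.USER,
    ("interconnect", "power_control"): Privilege.OPERATOR,
    ("interconnect", "uid_light"): Privilege.OPERATOR,
}


@dataclass(frozen=True)
class Account:
    name: str
    privilege: Privilege
    oa_bays: bool = False
    device_bays: frozenset = frozenset()
    interconnect_bays: frozenset = frozenset()


def permitted_bays(acct, kind):
    """Bays of one kind the account may touch; OA access is modelled as bay 0."""
    if acct.privilege == Privilege.ADMINISTRATOR and acct.oa_bays:
        # An Administrator with OA bays is automatically given all bays.
        full = {"oa": {0}, "device": set(DEVICE_BAYS),
                "interconnect": set(INTERCONNECT_BAYS)}
        return full.get(kind, set())
    if kind == "oa":
        return {0} if acct.oa_bays else set()
    if kind == "device":
        return set(acct.device_bays)
    if kind == "interconnect":
        return set(acct.interconnect_bays)
    return set()


def is_allowed(acct, kind, action, bay=0):
    """Both conditions must hold: bay permission and sufficient privilege."""
    needed = REQUIRED.get((kind, action))
    if needed is None:
        return False  # default deny for anything the model does not know
    return bay in permitted_bays(acct, kind) and acct.privilege >= needed


def granted(acct):
    """Every (kind, bay, action) the account can perform under this model."""
    return {(kind, bay, action)
            for (kind, action) in REQUIRED
            for bay in permitted_bays(acct, kind)
            if is_allowed(acct, kind, action, bay)}


def excess(acct, needed):
    """Grants beyond what the role needs: the least-privilege gap to review."""
    return granted(acct) - set(needed)


# Accounts from the two scenarios (account names are constructed).
scenario1 = Account("server-admin", Privilege.ADMINISTRATOR,
                    device_bays=frozenset(DEVICE_BAYS))
scenario2_user = Account("port-viewer", Privilege.USER,
                         device_bays=frozenset(DEVICE_BAYS),
                         interconnect_bays=frozenset({3, 4}))
scenario2_operator = Account("port-operator", Privilege.OPERATOR,
                             interconnect_bays=frozenset({3, 4}))
```

Calling `excess()` with the operations a role actually needs shows how much wider an account is than its job, for example when an Administrator account with OA bays is handed out where the Scenario 2 Operator account would do.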

Local Users screen

• New — To add a new user to the selected enclosure, click the New button. A maximum of 30 user accounts can be added including the reserved accounts. The Add Local User screen appears.

• Edit — Select a user (only one can be selected) by selecting the check box next to the name of the user. To change the settings on the Edit Local User screen, click the Edit button.

• Delete — Select a user or users to be deleted by selecting the check box next to the name of the user. To delete the accounts, click the Delete button. If an attempt is made to delete the last remaining Administrator account, then you will receive an alert warning that one Administrator account must remain and the delete action will be canceled.

Add Local User

| Item | Possible value | Description |
|---|---|---|
| Username | 1 to 40 characters, including all alphanumeric characters, the dash (-), and the underscore (_) | A maximum of 30 user accounts can be added including the reserved accounts. The user names ALL (case-insensitive), ADMINISTRATOR (case-insensitive), switch1, switch2, switch3, switch4, switch5, switch6, switch7, switch8, ldapuser, nobody, and vcmuser_ are reserved and cannot be used. The user name must begin with a letter and is case-sensitive. |
| Password | 3 to 40 characters, including all printable characters | The password associated with the user. |
| Password Confirm | 3 to 40 characters, including all printable characters | The password associated with the user. This value must match the Password value. |

Click the Add User button to save settings. The Edit Local User screen appears.
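The Username and Password constraints in the table above can be checked before a batch of accounts is entered in the OA. This Python example is added here and is not OA code; it assumes that "alphanumeric" and "printable" mean ASCII (with the space counted as printable), and the function names, the `existing_count` parameter, and the optional `site_min_len` policy floor are hypothetical.

```python
import re
import string

MAX_ACCOUNTS = 30  # includes the reserved accounts
RESERVED_ANY_CASE = {"all", "administrator"}
# Listed on the page without "(case-insensitive)", so matched exactly here.
RESERVED_EXACT = {f"switch{n}" for n in range(1, 9)} | {"ldapuser", "nobody", "vcmuser_"}
# Assumption: printable ASCII, space included, control whitespace excluded.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def username_errors(name):
    """Return the list of rule codes a proposed user name violates."""
    errors = []
    if not 1 <= len(name) <= 40:
        errors.append("length")
    if name and not re.match(r"[A-Za-z]", name):
        errors.append("first-char")
    if re.search(r"[^A-Za-z0-9_-]", name):
        errors.append("charset")
    if name.lower() in RESERVED_ANY_CASE or name in RESERVED_EXACT:
        errors.append("reserved")
    return errors


def password_errors(password, confirm, site_min_len=3):
    """Check the 3 to 40 printable-character rule and the confirm field.

    site_min_len lets a site enforce a floor above the OA minimum of 3.
    """
    errors = []
    if not max(3, site_min_len) <= len(password) <= 40:
        errors.append("password-length")
    if any(ch not in PRINTABLE for ch in password):
        errors.append("password-charset")
    if password != confirm:
        errors.append("password-mismatch")
    return errors


def review_plan(accounts, existing_count=0, site_min_len=3):
    """Review a list of (username, password, confirm) tuples.

    existing_count is the number of accounts already on the OA, reserved
    accounts included. Returns (username, code) findings in input order.
    """
    findings = []
    if existing_count + len(accounts) > MAX_ACCOUNTS:
        findings.append(("*", "over-30-accounts"))
    seen, seen_folded = set(), {}
    for username, password, confirm in accounts:
        codes = username_errors(username) + password_errors(password, confirm, site_min_len)
        findings.extend((username, code) for code in codes)
        if username in seen:
            findings.append((username, "duplicate"))
        elif username.lower() in seen_folded:
            # Names are case-sensitive, so this is a distinct account that
            # is easy to confuse with an existing one in logs and reviews.
            findings.append((username, "case-variant-of:" + seen_folded[username.lower()]))
        seen.add(username)
        seen_folded.setdefault(username.lower(), username)
    return findings


# Constructed sample plan, not taken from any real enclosure.
SAMPLE_PLAN = [
    ("ops-admin", "correct horse 42", "correct horse 42"),
    ("Administrator", "abc", "abc"),
    ("2fast", "Passw0rd!", "Passw0rd!"),
    ("alice", "pw", "pw"),
    ("Alice", "longenough", "longenougH"),
]
```

Raising `site_min_len` turns the same review into a site policy check, since the OA itself accepts passwords as short as three characters.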

Edit Local User

User information

| Item | Possible value | Description |
|---|---|---|
| Username | 1 to 40 characters, including all alphanumeric characters, the dash (-), and the underscore (_) | A maximum of 30 user accounts can be added, including the reserved accounts. The user names ALL (case-insensitive), ADMINISTRATOR (case-insensitive), switch1, switch2, switch3, switch4, switch5, switch6, switch7, switch8, ldapuser, nobody, and vcmuser_ are reserved and cannot be used. The user name must begin with a letter and is case-sensitive. |
| Password | 3 to 40 characters, including all printable characters | The password associated with the user. |
| Password Confirm | 3 to 40 characters, including all printable characters | The password associated with the user. This value must match the Password value. |
| Full Name | 0 to 20 characters, including all alphanumeric characters, the dash (-), the underscore (_), and the space | The user's full name. All users can modify their own full name. |
| Contact | 0 to 20 characters, including all alphanumeric characters, the dash (-), the underscore (_), and the space | Contact information for the user account. The contact information can be the name of an individual, a telephone number, or other useful information. All users can modify their own contact information. |
| Privilege Level | Administrator | • Only the Administrator, with OA Bays permission, can set the user privilege level. • Can perform all actions on the enclosure when OA Bays permission is selected. All Device Bays and All Interconnect Bays are automatically selected when OA Bays is selected, and all the check boxes are grayed out. • Without OA Bays permission, can only see devices and interconnects to which permissions have been given. |
| Privilege Level | Operator | • Can perform all actions on the enclosure except for the functions under Configuration Scripts, Reset Factory Defaults, Active to Standby, and Users/Authentication when OA Bays, All Device Bays, and All Interconnect Bays permissions are selected. • Without OA Bays permission, can only see devices and interconnects to which permissions have been given. |
| Privilege Level | User (read only) | • Can view all information the Administrator and Operator can change except the Network Access, DVD Drive, and Users/Authentication information. • Can launch web interfaces to other devices. • Cannot change any configuration settings. • Without OA Bays permission, can only manage devices and interconnects to which permissions have been given. |

User Enabled must be selected to enable the user account. If a user account is disabled, then all open sessions for that account are ended (signed out).

Privilege level change

If a user account privilege level is changed, then all open sessions for that user account are terminated (signed out). The user must log on again after the privilege level change.

Check boxes

Selecting the device base bay check box does not give the user permission to a double-dense server without also selecting A and B for that bay. Select only A or B for a device bay if restricting permission to a single server in a double-dense server blade.

User Permissions

Item | Description
OA Bays | Gives the user permissions for the OA bays and enables the user to see the fans and power supplies. If the user privilege level is Administrator, then All Device Bays and All Interconnect Bays are automatically selected when OA Bays is selected and all the check boxes are grayed out.
All Device Bays | Gives the user permissions for all the device bays
Selected Device Bays | Gives the user permissions for only the selected device bays
All Interconnect Bays | Gives the user permissions for all the interconnect bays
Selected Interconnect Bays | Gives the user permissions for only the selected interconnect bays

Click Update User to save the changes.

Edit Local User Certificate Information tab

When Two-Factor Authentication is enabled, a user must have a user certificate to log on to the OA. Users with administrator privileges can upload or map a valid certificate to a selected user.

There are two methods for uploading certificates for use in OA:

• Paste certificate contents into the text box, and then click the Upload button.

• Paste the URL of the certificate into the URL box, and then click the Apply button.

When the certificate is successfully uploaded, the SHA1 fingerprint of the user certificate appears.

If a user already has a certificate mapped to an account, the SHA1 fingerprint of the certificate appears. Any user with administrator privileges can delete their certificate and upload a new user certificate.

Password Settings screen

This screen enables you to enforce strong password features. Only Administrators with OA permission are allowed to manage strong passwords.

Procedure

1. To enable this feature, select Enable Strong Passwords.

2. To save the setting, click the Apply button.

The user password must contain three of the four following character types:

Character type | Description
Uppercase | An uppercase character from the character set A to Z.
Lowercase | A lowercase character from the character set a to z.
Numeric | A numeric character from the character set 0 to 9.
Non-alphanumeric | Any printable character that is not a space or an alphanumeric character.

The minimum password length can be between 3 and 40 characters. If the minimum password length is not configured, then the password defaults to three characters. To save the minimum password length setting, click Apply.
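A pre-flight check for account data before it is entered on the Edit Local User and Password Settings screens, written against the rules in this guide as an added example (not HPE code). It assumes that "printable" means ASCII 0x20 to 0x7E and that the reserved names other than ALL and ADMINISTRATOR are matched exactly; the function names are hypothetical.

```python
import string

# Reserved names listed in the Username row of the Edit Local User table.
RESERVED_EXACT = {"switch%d" % n for n in range(1, 9)} | {"ldapuser", "nobody", "vcmuser_"}
RESERVED_ANY_CASE = {"all", "administrator"}  # the guide marks these case-insensitive

USERNAME_CHARS = set(string.ascii_letters + string.digits + "-_")
# Assumption: "printable" means the ASCII range 0x20 (space) to 0x7E (~).
PRINTABLE = {chr(code) for code in range(0x20, 0x7F)}


def check_username(name):
    """Return a list of rule violations; an empty list means the name is acceptable."""
    problems = []
    if not 1 <= len(name) <= 40:
        problems.append("length must be 1 to 40 characters")
    if not name or name[0] not in string.ascii_letters:
        problems.append("must begin with a letter")
    if set(name) - USERNAME_CHARS:
        problems.append("only letters, digits, dash and underscore are allowed")
    # Assumption: switchN, ldapuser, nobody and vcmuser_ are compared exactly,
    # because user names are case-sensitive and only ALL and ADMINISTRATOR
    # are described as case-insensitive.
    if name in RESERVED_EXACT or name.lower() in RESERVED_ANY_CASE:
        problems.append("reserved user name")
    return problems


def character_types(password):
    """Return which of the four strong-password character types are present."""
    types = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            types.add("uppercase")
        elif ch in string.ascii_lowercase:
            types.add("lowercase")
        elif ch in string.digits:
            types.add("numeric")
        elif ch in PRINTABLE and ch != " ":
            # A space is printable but does not count as non-alphanumeric.
            types.add("non-alphanumeric")
    return types


def check_password(password, strong=False, min_length=3):
    """Check a password against the length rule and, optionally, the strong rule."""
    if not 3 <= min_length <= 40:
        raise ValueError("minimum password length must be between 3 and 40")
    problems = []
    if not min_length <= len(password) <= 40:
        problems.append("length must be %d to 40 characters" % min_length)
    if set(password) - PRINTABLE:
        problems.append("only printable characters are allowed")
    if strong and len(character_types(password)) < 3:
        problems.append("must contain three of the four character types")
    return problems
```

With strong passwords disabled and the default minimum length, a three-letter lowercase password passes every check, which is the practical reason to enable the feature and raise the minimum length.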

Directory Settings screen

LDAP is a protocol for accessing information directories. While LDAP is based on the X.500 standard, it is significantly simpler. LDAP also supports TCP/IP and is an open protocol.

Use the Directory Settings screen to set directory access for the currently selected enclosure. You can configure the following settings:

• Enable LDAP Authentication — Select this checkbox to enable a directory server to authenticate a user sign in.

• Enable Local Users — Select this checkbox to enable a user to sign in using a local user account instead of a directory account.

• Search Context — Specify one to six search contexts. A search context is a search filter or shortcut to a common directory location; it makes the search for the user start at the specified path. By specifying a search context, users do not have to specify their full DNs at login. A DN might be long, and users might not be familiar with their DN or might have accounts in different directory contexts. The OA attempts to contact the directory service by DN and then applies the search contexts in order, beginning with Search Context 1 and continuing through any subsequent search contexts until successful.

Search context is also applicable to LDAP directory groups, which are useful when LDAP nested groups are configured. When specifying the search context for an LDAP directory group, the exact context is not required.

Box | Possible value | Description
Directory Server Address | ###.###.###.### where ### ranges from 0 to 255 or DNS name of the directory server or the name of the domain | The IP address or the DNS name or the name of the domain of the directory service. This field is required.
Directory Server SSL Port | 0 to 65535 | The port used for LDAP communications. The default port is port 636. This field is required.
Search Context 1 | All characters except " (quotes), not to exceed 127 characters | First searchable path used to locate the user when the user is trying to authenticate using directory services. The path is also used to search for a nesting LDAP group.
Search Context 2 | All characters except " (quotes), not to exceed 127 characters | Second searchable path used to locate the user when the user is trying to authenticate using directory services. The path is also used to search for a nesting LDAP group.
Search Context 3 | All characters except " (quotes), not to exceed 127 characters | Third searchable path used to locate the user when the user is trying to authenticate using directory services. The path is also used to search for a nesting LDAP group.
Search Context 4 | All characters except " (quotes), not to exceed 127 characters | Fourth searchable path used to locate the user when the user is trying to authenticate using directory services. The path is also used to search for a nesting LDAP group.
Search Context 5 | All characters except " (quotes), not to exceed 127 characters | Fifth searchable path used to locate the user when the user is trying to authenticate using directory services. The path is also used to search for a nesting LDAP group.
Search Context 6 | All characters except " (quotes), not to exceed 127 characters | Sixth searchable path used to locate the user when the user is trying to authenticate using directory services. The path is also used to search for a nesting LDAP group.

Uploading a certificate

Certificates protect user credentials from "man-in-the-middle" attacks. If certificates are not loaded onto the OA, it is possible for a man-in-the-middle to view LDAP credentials for anyone who logs into the OA. The OA accepts multiple domain controller certificates, which can be uploaded using the Certificate Upload tab under Directory Settings.

To upload a certificate:

Procedure

1. Get the certificate from the domain controller by opening a browser and entering the following address:

https://<domain controller>:636

where domain controller is the IP address for your network domain controller.

2. When prompted to accept a certificate, click View Certificate.

3. Click the Details tab, and then click the Copy to File button.

4. From the list of export options, select Base-64 encoded x.509 (.CER).

5. Provide a name and location for the file, and finish the Upload a Certificate Wizard.

6. Locate the exported certificate file, and then rename it with a .txt extension (for example, dccert.txt).

7. Open the file in a text editor, and copy the entire contents to the clipboard. The following is an example of an exported certificate file:

-----BEGIN CERTIFICATE-----MIIFxDCCBKygAwIBAgIKJWUSwAAAAAAAAjANBgkqhkiG9w0BAQUFADBVMRMwEQYKCZImiZPyLGQBGRYDY29tMRIwEAYKCZImiZPyLGQBGRYCaHAxFzAVBgoJkiaJk/IsZAEZFgdhdGxkZW1vMREwDwYDVQQDEwh3aW5kb3pDQTAeFw0wNjA4MjIyMDIzMTFaFw0wNzA4MjIyMDIzMTFaMCAxHjAcBgNVBAMTFXdpbmRvei5hdGxkZW1vLmhwLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAy4zeh3iXydUAWKVHIDsxLJ6BaRuVT9ZhkL5NQHIDeRjumsgc/jHSERDmHuyoY/qbF7JMhJ9Lh9QQHUg8QfEYsC1yqTvgisrZeHtvmrmecvSxZm27b4Bj5XYN0VYcrwqKnH7X/tVhmwqGls7/YZyahNU1lGB2OjoCq5eJxX+Ybx0CAwEAAaOCA00wggNJMAsGA1UdDwQEAwIFoDBEBgkqhkiG9w0BCQ8ENzA1MA4GCCqGSIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwBwYFKw4D…output truncated…-----END CERTIFICATE-----

8. Return to the OA, paste the certificate contents into the window, and click the Upload button.

Directory Certificate Upload tab

Upload an LDAP certificate to the OA to establish a trusted relationship with the LDAP server. You can upload a maximum of three certificates.

Upload certificates for use in OA in the following ways:

• Paste certificate contents into the text box, and then click the Upload button.

• Paste the URL of the certificate into the URL box, and then click the Apply button.

Directory Test Settings tab

The directory Test Settings tab enables OA administrators to ensure that the configuration information provided allows the directory user access to the OA and to the resources in the enclosure. The Test Settings tab applies only to the current settings. Therefore, after making changes, you must click the Apply button, and then select the Test Settings tab.

Use the Test Settings tab to run and report the tests. When the page initially appears, it contains a list of tests with the current status of Not Run. To run the tests, click Test Settings. The tests are run in the order that they appear. The tests end when an error occurs. To perform the User Authentication and User Authorization tests, you must enter a user name and password in Directory Test Controls.

The following tests are performed in the order listed.

1. Overall Test Status

The Overall Test Status is an aggregation of all the tests run. The value is either Not Run, Passed, or Failed. If any of the individual tests fail, the status is Failed.

2. Ping Directory Server

A simple ping test is performed after a valid IP address or domain name is verified for the directory server. The ping test sends a maximum of four ping packets to the directory server and reports success or failure.

A successful test reports that OA can establish a network path to the directory server.

A failed test reports that OA cannot establish a network path to the directory server. The administrator must verify the host name or IP address.

3. Directory Server IP Address

If the LDAP configuration specifies an IP address instead of a DNS name, then this test verifies that the IP address is a valid IPv4 address. Otherwise the test reports the Not Run status.

A successful test reports that the IP address stored for the directory server is a valid IPv4 address.

A failed test reports that the IP address stored for the directory server is not a valid IPv4 address. The administrator must verify the IP address entered and correct the IP address.

4. Directory Server DNS Name

The DNS lookup test determines if OA can resolve the domain name of the LDAP server. If the LDAP server configuration uses IP addresses instead of a DNS name, then this test reports Not Run.

A successful test reports that OA is able to resolve the Directory Server host name using domain name.

A failed test reports that OA is unable to resolve the Directory Server host name. The administrator must be sure that the directory server host name is correct and that the host name is correct for the directory server.

5. Connect to Directory Server

This test attempts to connect to the specified directory server IP address and service port.

A successful test reports that OA can establish a connection to the directory server at the specified host name or address and at the specified port number. The successful test indicates that network service is available, the directory service is running, and available at the specified directory server and port.

A failed test reports that OA cannot establish a connection to the directory server. The unsuccessful test reports that the network service is not available. The administrator must verify the host name or address and port number.

6. Connect using SSL

This test verifies that the directory server is providing the directory service over an SSL connection.

A successful test reports that OA can establish an SSL connection to the directory server host name or IP address and port. The network service is available as a secure SSL connection.

A failed test reports that the network service is not available as a secure SSL connection and the OA does not allow this type of connection. The administrator must identify a directory server that supports SSL connections or reconfigure the directory server to use SSL connections.

7. Certificate of Directory Server

If the directory server SSL certificate has been loaded onto OA, use this test to verify that the certificate provided by the directory server matches the current certificate stored on OA. If the directory server SSL certificate has not been loaded, then this test does not run.

A successful test reports that OA was able to validate the directory server certificate against the certificates stored on OA for the specified directory server.

A failed test reports that the directory server certificate stored on OA does not match the certificate provided on the SSL connection.

8. User Authentication

This test attempts to log in the user to the directory by using the user name and password provided in Directory Test Controls. If user authentication fails using the provided user name and password, then each search context is attempted. If a search context begins with the character @, then the DN used to log in is the search name concatenated to the user name entered. Otherwise, the search DN used to log in is constructed as follows: cn=<username>,<search context>. The result from this test identifies the search context that was successful in authenticating the user.

9. User Authorization

After a user has successfully authenticated and logged into OA, the configured directory group to which the user belongs is identified. A user can belong to multiple directory groups, so the directory group that gives the user the most privileges is identified.

A successful test reports the directory group with the highest privilege levels for the authenticated user.

A failed test reports that the authenticated user does not have any authorization on OA because the user does not belong to any of the configured directory groups.

10. Test Log

This is a running log of the details associated with the tests that have run and the results of the tests.

11. Directory Test Controls

The user name and password are sent to the LDAP server for authentication before the User Authentication and User Authorization tests are performed. The OA limits the length of the user name and password as indicated. Authentication requirements are defined by the LDAP server; the length limits imposed by the LDAP server might be more restricted than the limits imposed by the OA.

• User Name — Accepts 0 to 256 characters

• Password — Accepts 0 to 1024 characters
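The order in which the User Authentication test (item 8 above) builds log-in names from the search contexts, as an added example that is not OA firmware code. The directory contents, passwords and function names are constructed for illustration, and bind names are compared case-insensitively as a simplification.

```python
MAX_CONTEXTS = 6          # Search Context 1 through 6
MAX_CONTEXT_LENGTH = 127  # limit from the Directory Settings table


def validate_contexts(contexts):
    """Apply the Search Context limits from the Directory Settings table."""
    if not 1 <= len(contexts) <= MAX_CONTEXTS:
        raise ValueError("specify one to six search contexts")
    for context in contexts:
        if not context or len(context) > MAX_CONTEXT_LENGTH or '"' in context:
            raise ValueError("invalid search context: %r" % context)


def bind_candidates(username, contexts):
    """Return (source, bind name) pairs in the order the guide describes.

    The name is tried as entered first, then once per search context:
    a context starting with '@' is appended to the user name, any other
    context yields cn=<username>,<search context>.
    """
    validate_contexts(contexts)
    candidates = [("as entered", username)]
    for number, context in enumerate(contexts, start=1):
        if context.startswith("@"):
            bind_name = username + context
        else:
            bind_name = "cn=%s,%s" % (username, context)
        candidates.append(("Search Context %d" % number, bind_name))
    return candidates


def first_successful(username, password, contexts, try_bind):
    """Return the first (source, bind name) that authenticates, or None."""
    for source, bind_name in bind_candidates(username, contexts):
        if try_bind(bind_name, password):
            return source, bind_name
    return None


# Constructed sample configuration and directory (not from a real system).
CONTEXTS = [
    "ou=Admins,dc=corp,dc=example",
    "@corp.example",
    "ou=Staff,dc=corp,dc=example",
]
DIRECTORY = {
    "cn=jdoe,ou=staff,dc=corp,dc=example": "pw-staff",
    "jdoe@corp.example": "pw-staff",
    "cn=root-ops,ou=admins,dc=corp,dc=example": "pw-admin",
}


def constructed_bind(bind_name, password):
    """Stand-in for an LDAP bind against the constructed directory above."""
    key = bind_name.lower()
    return key in DIRECTORY and DIRECTORY[key] == password
```

Because the contexts are applied in order and the first success wins, the position of each search context decides which directory entry a short user name resolves to.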

Directory Groups

Use the Group Settings screen to configure directory groups and set directory access for the currently selected enclosure. Access to the enclosure can be granted using LDAP. To use the LDAP server, you must create directory accounts.

The Directory Groups screen displays current directory groups that have been added to the Primary Connection enclosure. You may add user groups to all enclosures but you may edit and delete user groups only from the Primary Connection enclosure. To use LDAP services, you must add at least one directory group.

Item | Description
Check box | Used to select Directory Group for editing or deleting
Group Name | 1 to 255 characters and contains the same characters as search contexts. The group name is used to determine LDAP users group membership. The group name must match one of the following properties of a directory group:
• Name
• Distinguished name
• Common name
• Display name
• SAM account name
For nested groups, matching is based on objectSid (an attribute that specifies the security ID of the group). The distinguished name is recommended to uniquely specify the LDAP group. If the Onboard Administrator is configured to search the GC port and a distinguished name is not used, then an incorrect match in multiple domains may occur, which could result in unintended authorization.
Privilege Level | Administrator
• Only the Administrator, with OA Bays permission, can set the user privilege level.
• Can perform all actions on the enclosure when OA Bays permission is selected. All Device Bays and All Interconnect Bays are automatically selected when OA Bays is selected, and all the checkboxes are grayed out.
• Without OA Bays permission, cannot see fans and power supplies.
• Without OA Bays permission, can see only devices and interconnects to which permissions have been given.
Privilege Level | Operator
• Can perform all actions on the enclosure except for the functions under Users/Authentication when OA Bays, All Device Bays, and All Interconnect Bays permissions are selected.
• Without OA Bays permission, cannot see fans and power supplies.
• Without OA Bays permission, can see only devices and interconnects to which permissions have been given.
Privilege Level | User (read-only)
• Can view all information the Administrator and Operator can change except the Users/Authentication information.
• Can launch web interfaces to other devices.
• Cannot change any configuration settings.
• Without OA Bays permission, can manage only devices and interconnects to which permissions have been given.
• Without OA Bays permission, cannot see fans and power supplies.
Description | 0 to 58 characters, containing alphanumeric characters, the dash (-), the underscore (_), and the space. The description of the LDAP group, a more readable version of the group name, or other useful information.

• New: Click the New button to add a new Directory Group to the selected enclosure. You can add a maximum of 30 Directory Groups. The Add LDAP Group screen appears.

• Edit: Select a Directory Group to be edited by selecting the check box next to the name of the group. Click the Edit button to change the settings on the Edit LDAP Group screen.

• Delete: Select the Directory Group to be deleted by selecting the check box next to the name of the group. Click the Delete button to remove the group.
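Why the Group Name row recommends the distinguished name, and how the highest privilege is chosen when a user is in several configured groups, shown as an added example (not OA code). The two-domain forest, group names and function names are constructed; attribute values are compared case-insensitively as an assumption, and objectSid matching for nested groups is not modelled.

```python
# Directory group properties a configured Group Name may match (from the table above).
MATCH_ATTRIBUTES = ("name", "distinguishedName", "cn", "displayName", "sAMAccountName")
PRIVILEGE_RANK = {"User": 1, "Operator": 2, "Administrator": 3}


def make_group(short_name, domain_dn):
    """Constructed directory group whose name-like attributes share one short name."""
    return {
        "name": short_name,
        "cn": short_name,
        "displayName": short_name,
        "sAMAccountName": short_name,
        "distinguishedName": "CN=%s,OU=Groups,%s" % (short_name, domain_dn),
    }


def group_matches(configured_name, group):
    """True if the configured Group Name equals any matchable property."""
    wanted = configured_name.casefold()
    return any(group.get(attr, "").casefold() == wanted for attr in MATCH_ATTRIBUTES)


def effective_privilege(user_groups, oa_groups):
    """Return (privilege, configured name, matched DN) with the highest privilege.

    Returns None when the user belongs to none of the configured groups,
    which corresponds to a failed User Authorization test.
    """
    best = None
    for configured_name, privilege in oa_groups:
        for group in user_groups:
            if not group_matches(configured_name, group):
                continue
            if best is None or PRIVILEGE_RANK[privilege] > PRIVILEGE_RANK[best[0]]:
                best = (privilege, configured_name, group["distinguishedName"])
    return best


def ambiguous_names(oa_groups, forest_groups):
    """Audit helper: configured names that match more than one directory group."""
    flagged = []
    for configured_name, _privilege in oa_groups:
        hits = [g for g in forest_groups if group_matches(configured_name, g)]
        if len(hits) > 1:
            flagged.append(configured_name)
    return flagged


# Constructed forest: the same short group name exists in two domains.
HQ_ADMINS = make_group("OA-Admins", "DC=hq,DC=corp,DC=example")
HQ_OPERATORS = make_group("OA-Operators", "DC=hq,DC=corp,DC=example")
LAB_ADMINS = make_group("OA-Admins", "DC=lab,DC=corp,DC=example")
FOREST = [HQ_ADMINS, HQ_OPERATORS, LAB_ADMINS]

# Two ways of configuring the same intent on the Directory Groups screen.
BY_SHORT_NAME = [("OA-Admins", "Administrator"), ("OA-Operators", "Operator")]
BY_DN = [
    (HQ_ADMINS["distinguishedName"], "Administrator"),
    (HQ_OPERATORS["distinguishedName"], "Operator"),
]
```

With the short-name configuration, a member of the lab domain's OA-Admins group is authorized as Administrator even though only the hq group was intended; with distinguished names the same user matches nothing.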

Add an LDAP Group

Group Information

NOTE:

A maximum of 30 Directory Groups can be added.

Item | Description
Check box | Used to select Directory Group for editing or deleting
Group Name | 1 to 255 characters and contains the same characters as search contexts. The group name is used to determine LDAP users group membership. The group name must match one of the following properties of a directory group:
• Name
• Distinguished name
• Common name
• Display name
• SAM account name
Privilege Level | Administrator
• Only the Administrator, with OA Bays permission, can set the user privilege level.
• Can perform all actions on the enclosure when OA Bays permission is selected. All Device Bays and All Interconnect Bays are automatically selected when OA Bays is selected, and all the checkboxes are grayed out.
• Without OA Bays permission, cannot see fans and power supplies.
• Without OA Bays permission, can see only devices and interconnects to which permissions have been given.
Privilege Level | Operator
• Can perform all actions on the enclosure except for the functions under Users/Authentication when OA Bays, All Device Bays, and All Interconnect Bays permissions are selected.
• Without OA Bays permission, cannot see fans and power supplies.
• Without OA Bays permission, can see only devices and interconnects to which permissions have been given.
Privilege Level | User (read-only)
• Can view all information the Administrator and Operator can change except the Users/Authentication information.
• Can launch web interfaces to other devices.
• Cannot change any configuration settings.
• Without OA Bays permission, can manage only devices and interconnects to which permissions have been given.
• Without OA Bays permission, cannot see fans and power supplies.
Description | 0 to 58 characters, containing alphanumeric characters, the dash (-), the underscore (_), and the space. The description of the LDAP group, a more readable version of the group name, or other useful information.

Group Permissions

Check box | Description
OA Bays | Gives the user permissions for the OA bays and enables the user to see the fans and power supplies. If the user privilege level is Administrator, then All Device Bays and All Interconnect Bays are automatically selected when OA Bays is selected and all the checkboxes are grayed out.
All Device Bays | Gives the user permissions for all the device bays
Selected Device Bays | Gives the user permissions for only the selected device bays
All Interconnect Bays | Gives the user permissions for all the interconnect bays
Selected Interconnect Bays | Gives the user permissions for only the selected interconnect bays

Click the Add Group button to save settings.

Edit an LDAP Group

Group Information

Item | Description
Group Name | 1 to 255 characters and contains the same characters as search contexts. The group name is used to determine LDAP users group membership. The group name must match one of the following properties of a directory group:
• Name
• Distinguished name
• Common name
• Display name
• SAM account name
Privilege Level | Administrator
• Only the Administrator, with OA Bays permission, can set the user privilege level.
• Can perform all actions on the enclosure when OA Bays permission is selected. All Device Bays and All Interconnect Bays are automatically selected when OA Bays is selected, and all the checkboxes are grayed out.
• Without OA Bays permission, cannot see fans and power supplies.
• Without OA Bays permission, can see only devices and interconnects to which permissions have been given.
Privilege Level | Operator
• Can perform all actions on the enclosure except for the functions under Users/Authentication when OA Bays, All Device Bays, and All Interconnect Bays permissions are selected.
• Without OA Bays permission, cannot see fans and power supplies.
• Without OA Bays permission, can see only devices and interconnects to which permissions have been given.
Privilege Level | User (read-only)
• Can view all information the Administrator and Operator can change except the Users/Authentication information.
• Can launch web interfaces to other devices.
• Cannot change any configuration settings.
• Without OA Bays permission, can manage only devices and interconnects to which permissions have been given.
• Without OA Bays permission, cannot see fans and power supplies.
Description | 0 to 58 characters, containing alphanumeric characters, the dash (-), the underscore (_), and the space. The description of the LDAP group, a more readable version of the group name, or other useful information.

Group Permissions

Item | Description
OA Bays | Gives the user permissions for the OA bays and enables the user to see the fans and power supplies. If the user privilege level is Administrator, then All Device Bays and All Interconnect Bays are automatically selected when OA Bays is selected and all the checkboxes are grayed out.
All Device Bays | Gives the user permissions for all the device bays
Selected Device Bays | Gives the user permissions for only the selected device bays
All Interconnect Bays | Gives the user permissions for all the interconnect bays
Selected Interconnect Bays | Gives the user permissions for only the selected interconnect bays

Click the Update Group button to save settings.

SSH Administration


This page lists the owner of each authorized Secure Shell key and enables adding new keys.

• SSH Fingerprint: Lists the public key portion of a public/private key pair.

• Authorized SSH Keys: Lists the authorized Secure Shell key data. The owner is always the Administrator. To add additional Authorized Secure Shell Keys, enter the Secure Shell key in the text box and click the Apply button. To clear all Authorized Secure Shell Keys, delete all the text in the text box and click the Apply button.

• Download SSH Key File: In the URL to SSH Keys File box, enter the location of the public key file, and click the Apply button to download. All currently authorized Secure Shell keys are replaced when the Secure Shell key file is downloaded. The key file must contain the Administrator name at the end of the public key. Each key is associated with the Administrator account.

HPE SSO Integration

OA supports SSO with trusted applications, such as HP SIM. This feature enables you to log in to a trusted management application and then be able to automatically access any managed devices where the SSO certificate is installed.

To configure SSO to work through HP SIM:


Procedure

1. Set the SSO trust mode to ON. On the HP SIM Integration screen, select Trust by Certificate from the Trust mode menu.

NOTE:

When trust mode is disabled, the SSO single sign-on attempt fails, and you must enter OA credentials to log on.

2. Download a certificate from the HP SIM system to manage the enclosure. On the HP SIM Integration screen, select the Certificate Upload tab, and then upload the certificate using one of the following methods:

• Paste the contents of the certificate into the text box and then click Upload.

• Enter the IP address of the HP SIM system that will be managing the enclosure and then click Apply.


Edit Local User Certificate Information tab

When Two-Factor Authentication is enabled, a user must have a user certificate to log on to the OA. Users with administrator privileges can upload or map a valid certificate to a selected user.

There are two methods for uploading certificates for use in OA:

• Paste certificate contents into the text box, and then click the Upload button.

• Paste the URL of the certificate into the URL box, and then click the Apply button.

When the certificate is successfully uploaded, the SHA1 fingerprint of the user certificate appears.

If a user already has a certificate mapped to an account, the SHA1 fingerprint of the certificate appears. Any user with administrator privileges can delete their certificate and upload a new user certificate.

Two-Factor Authentication screen

Two-Factor Authentication Settings tab

NOTE:

OA must be configured in Virtual Connect mode before enabling Two-Factor Authentication when using Virtual Connect Manager and Two-Factor Authentication.

When Two-Factor Authentication is enabled, only users with a valid user certificate are allowed to log on to OA. A valid user certificate is signed by a trusted Certificate Authority and is mapped to the respective user on the OA.

To enable Two-Factor Authentication for user authentication during log on, select Enable Two-Factor Authentication. When Two-Factor Authentication is enabled, Secure Shell and Telnet access is disabled by default. Disabling Two-Factor Authentication does not automatically re-enable Secure Shell and Telnet. You must go to the Network Access screen, and then select Enable Secure Shell and Enable Telnet.

To enable the OA to verify with the Certifying Authority whether the certificate being used has been added to the certificate revocation list (CRL), select Check for Certificate Revocation. If the certificate is on the CRL, the log on is denied.

Certificate Owner Field

You can configure the OA to use the user principal name in the SAN by selecting SAN or to use the certificate subject name by selecting Subject when authenticating directory users with a directory server.

To save settings, click the Apply button.

Two-Factor Authentication Certificate Information tab

This screen displays all Certificate Authorities trusted by the OA. Any user certificates uploaded to the OA must be signed by one of these Certificate Authorities. A maximum of three Certificate Authority certificates can be uploaded to the OA.

Row Description

Certificate Version Version number of current certificate

Issuer Organization Name of the organization that issued the certificate

Issuer Organization Unit Name of the organizational unit that issued the certificate

Issued By The authority that issued the certificate

Subject Organization Subject name

Issued To Organization to whom the certificate was issued

Valid From The date from which the certificate is valid

Valid Upto The date on which the certificate expires

Serial Number The serial number assigned to the certificate by the certificate authority

Extension Count Number of extensions in the certificate

MD5 Fingerprint A validation of authenticity embedded in the certificate

SHA1 Fingerprint A validation of authenticity embedded in the certificate

Two-Factor Authentication Certificate Upload tab

To enable Two-Factor Authentication, upload at least one valid certificate belonging to a CA to the OA.

There are two methods for uploading certificates for use in OA:

• Paste certificate contents into the text box, and then click the Upload button.

• Paste the web address of the certificate into the URL box, and then click the Apply button.

Signed In users

This screen displays all the current sessions signed in to the OA. This screen is only available to Administrators with OA access. The Administrator can end sessions, disable users, and delete users from this screen.

• Current Session: This table lists the session created when you signed in to the OA.

• Other Sessions: This table lists the other users signed in to the OA.

Column Description

Check box Used to select a user or all users.

Username The name of the user signed in to the enclosure.

IP Address The user account IP address. The IP address of the session can be an enclosure linked address if it looks like "169.254.1.x". These sessions are created by other linked enclosures. Performing a delete, disable, or end session on a user with a linked enclosure IP address might end the enclosure link sessions of other users. For KVM and Serial logins the IP address box displays Local.

Age The length of time (measured in days, hours, minutes and seconds) that the user account has been signed in.

Idle Time The length of time (measured in days, hours, minutes and seconds) that the signed in account has been idle.

User Type The type of user signed in to the enclosure. Possible values are Local, LDAP, or HP SIM.

Session Type The type of session of the signed-in user. Possible values are Web, SSH, Telnet, KVM, Serial, and Factory Diagnostics.

OA Module The OA module the user is signed into. Possible values are Active or Standby.

• Delete Users: Select a user or users to be deleted by selecting the check box next to the name of the user, and click the Delete Users button. You cannot delete your own account or the built-in Administrator account.

• Disable Users: Select a user or users to be disabled by selecting the check box next to the name of the user, and click the Disable Users button. You cannot disable your own account or the built-in Administrator account.

• Terminate Sessions: Select a user or users whose sessions you want to end by selecting the check box next to the name of the user, and click the Terminate Sessions button. You cannot end your own session.

Session Options tab

This screen enables you to specify the length of time a user session is valid if there is no activity. Sessions are checked every 5 minutes to see if they have been inactive for the amount of time specified by the system administrator. If any sessions have been inactive for the specified amount of time, they are removed from the system.

Session Timeout: The number of minutes before an inactive session becomes invalid. Session Timeout can be any value between 10 and 1440 (24 hours). The default value for Session Timeout is 1440. After entering a Session Timeout value, click the Apply button.

Insight Display

All OA GUI users can access the Insight Display screens by selecting Insight Display from the Tree View or Rack Overview.

The Security tab can lock the Insight Display buttons, set a PIN code, and enable PIN protection.

The User Note tab enables note text to be edited.

The Background tab allows a 320x240 px Windows bitmap to be uploaded as the user note background image.

The Chat Mode tab enables an administrator to initiate a chat with a user at the enclosure using the Insight Display.

Management network IP dependencies

The OA management port enables external clients to connect through OA to iLOs and interconnect management processors that are configured to use the OA internal management network.

OA firmware bridges the client traffic to the enclosure from the management port to the internal enclosure management network if the destination IP address is not OA. OA creates a route table entry for each server iLO IP address in an enclosure. This enables OA to conduct IP communications with that iLO. These iLO route table entries enable you to configure each iLO network in a different subnet than OA. Each iLO is configured with a valid gateway on its subnet that is accessible through the OA external management port connection. Routers must be present on the network connected to the OA management port to provide the multiple subnets and gateways on the management network. Placing the iLOs and OA management on different subnets does not completely isolate those networks.

Superdome 2 IOX enclosures

Each IOX enclosure in the complex can be selected from the left navigation tree. Clicking the IOX name opens the main status page of the IOX.

The following tabs are available at the top of the main page:

• Status

• Information

• Virtual Buttons

IOX Enclosure Information screen

IOX Status tab

Item Description

IOX Status The overall status of the IOX. Possible values are Degraded, Failed, OK or Unknown.

Tray 1 Power Power status of I/O tray 1. Possible values are On or Off.

Tray 2 Power Power status of I/O tray 2. Possible values are On or Off.

Diagnostic Information

Item Description

Device Identification Data Contains information on model name, part number, serial number, and other information used to identify the IOX. This data is also called FRU data. Device identification data error displays if the data is not present or not readable by the OA.

Management Processor Status of the IOX management processor. Possible values are OK or Error.

Temperature Temperature is above the warning threshold. Possible values are OK or Temperature Warning.

Overheat Check Temperature is above the danger threshold. Possible values are OK or Critical temperature threshold reached.

The IOX Status Overview is divided into four sections:

• Power Subsystem

• Thermal Subsystem

• Link Subsystem Status

• IO Slot Status

For the Power and Thermal Subsystem section, the following values are possible:

• OK

• Degraded

• Failed

• Unknown

For the Link Subsystem and IO Slot Status sections, the following values are possible:

• OK

• Failed

• Unknown

If any component of a subsystem has any status other than OK, the status of each component in the subsystem is listed under the relevant section.

IOX Information tab

Item Description

Product Name The common descriptive name of the IOX enclosure.

Enclosure Number The number of the IOX enclosure configured by dipswitches on the IOX enclosure hardware.

Manufacturer The name of the company that manufactured the IOX enclosure.

Part Number The part number to be used when ordering an additional IOX enclosure of this type.

Spare Part Number The part number to be used when ordering a replacement IOX enclosure of this type.

Serial Number The unique serial number of the IOX enclosure.

Engineering Date Code Manufacturing information about the IOX enclosure.

Complex Firmware Version Currently configured firmware version on the IOX enclosure.

IOX Virtual Buttons tab

Click the Toggle On/Off button to change the state of the IOX UID. The IOX UID is located on the lower-right side of the IOX enclosure faceplate.

IOX Power and Thermal screen

Item Description

Ambient Temperature The temperature of the IOX enclosure in degrees Celsius and Fahrenheit.

Thermal Subsystem Status The overall thermal status of the IOX enclosure. Possible values are Unknown, OK, Degraded, or Critical Error.

Power Subsystem Status The overall power status of the IOX enclosure. Possible values are Unknown, OK, Degraded, or Critical Error.

Redundancy State Indicates the redundancy status of the power subsystem. Possible values are Redundant or Redundancy Lost.

Present Power The number of watts being consumed by all devices in the IOX.

Power Limit The maximum amount of power available for consumption by the enclosure measured in watts.

Present Power/Power Limit

The Present Power is the number of watts being consumed by all the devices in the currently selected IOX. The Power Limit is the maximum amount of input power available for consumption by the enclosure. The Power Limit is dependent on the number of power supplies present in the IOX.

To update information on this screen, click the Refresh button.

IOX Power Subsystem screen

The Power Subsystem screen shows the overall status of the IOX enclosure power subsystem and information about each power supply in the IOX enclosure.

Power supplies available for use in IOX enclosures

All power supplies in one IOX enclosure must have the same part number. The OA identifies which power supplies must be replaced by displaying a caution icon.

Power Supply summary

The Power Subsystem screen provides status on the power subsystem, on each individual power supply, and fault conditions.

Item Description

Power Subsystem Status The overall power status of the IOX enclosure. Possible values are Unknown, OK, Degraded, or Critical Error.

Redundancy State Indicates the redundancy status of the power subsystem. Possible values are Redundant, Not Redundant, or Redundancy Lost.

This screen provides status on the power subsystem and on each individual power supply.

Power Supply status

Item Description

Bay The bay in the IOX enclosure of the corresponding power supply. This box displays only populated bays. Empty bays do not appear in this table.

Model The power supply model name.

Status The overall status of the power supply. Possible values are Unknown, OK, Degraded, and Critical Error.

Input Status The input status of the power supply. Possible values are Unknown, OK, Degraded, and Critical Error.

Present Output (Watts) This value is a measure of the present output of the power supply in watts.

Output Capacity (Watts) The amount of power provided by the power supply displayed in watts. This is a measure of the output in DC watts generated by the power supply.

Click the Refresh button to update the power subsystem information.

IOX Power Supply screen

Selecting a specific power supply opens the Power Supply Information-Bay x page, where x is the bay of the selected power supply. This screen provides status information of the selected power supply.

Status information

Item Description

Status The overall status of the power supply. Possible values are Unknown, OK, Degraded, and Critical Error.

Input Status The input status of the power supply. Possible values are Unknown, OK, Degraded, and Critical Error.

Output Capacity The maximum amount of power that can be provided by the power supply displayed in watts.

Model The power supply model name.

Serial Number The unique serial number of the power supply.

Spare Part Number The spare part number to be used when ordering an additional or replacement power supply.

IOX Thermal Subsystem screen

OA monitors up to 4 fans in the enclosure and adjusts fan speeds as necessary, based on thermal and power measurements. The performance of each fan is monitored, and OA reports any failures or warnings to the system log and HP SIM (when SNMP is enabled).

Thermal Subsystem information

Item Description

Thermal Subsystem Status Indicates the overall status of the fan subsystem. Possible values are Unknown, OK, Degraded, or Critical Error.

Redundancy Indicates the redundancy status of the fans. Possible values are Redundant or Not Redundant.

Ambient Temperature The temperature of the IOX enclosure in degrees Celsius and Fahrenheit.

Fans Good The total number of fans functioning with OK status in the IOX enclosure.

Fans Wanted The minimum number of fans required for optimum cooling.

Fans Needed The minimum number of fans required to ensure adequate cooling.

Fan information

Item Description

Fan The bay in the enclosure of the corresponding fan.

Status The overall status of the fan. Possible values are Unknown, OK, Degraded, Failed, and Absent.

Fan Speed Fan speed as a percentage of maximum RPM.

When a fan module fails, the remaining fans automatically compensate by adjusting fan speeds.

To update information on this page, click the Refresh button.

Port mapping

Device bay port mapping for compute enclosures

BL920s Gen8 or Gen9 Server Blade

Superdome 2 Server Blade

Product illustration

In this diagram, N equals the number of the blade in the enclosure and the port number for the switch. For example, if a blade is inserted into slot 1, it is considered device 1. Because full-height server blades take up the space of two half-height server blades, the enclosure is limited to a maximum of eight full-height server blades. Port mapping from these full-height server blades can initially appear to be different from the half-height server blades, but they use similar conventions.

Just as in a half-height server blade, if a blade is inserted into slot 1, it is considered device 1, but it has a second set of ports that also map to switches 1 and 2. With the full-height server blade, an N/N+8 scheme is used on the switches. Therefore, server blade 1 maps to ports 1 and 9 on both switches, as N=1. For a server blade inserted into slot 2, the 4 ports used on switches 1 and 2 are 2 and 10, as N=2.

Device bay port mapping tabular view for compute enclosures

If a device is not present, the check box is disabled and the port cannot be viewed.

The server blades are mapped to the interconnect bays in the following manner:

Superdome 2 Server Blade

Server blade port Compute enclosure interconnect bay

FlexLOM 1 port 1 1

FlexLOM 1 port 2 2

FlexLOM 2 port 1 1

FlexLOM 2 port 2 2

Mezzanine 1 port 1 3

Mezzanine 1 port 2 4

Mezzanine 1 port 3 3

Mezzanine 1 port 4 4

Mezzanine 2 port 1 5

Mezzanine 2 port 2 6

Mezzanine 2 port 3 7

Mezzanine 2 port 4 8

Mezzanine 3 port 1 7

Mezzanine 3 port 2 8

Mezzanine 3 port 3 5

Mezzanine 3 port 4 6

HP Superdome 2 server blade

• Embedded NICs 1 and 3 (ENET:1 and ENET:3) map to interconnect bay 1.

• Embedded NICs 2 and 4 (ENET:2 and ENET:4) map to interconnect bay 2.

Using the Command Line Interface

Command line overview

The Onboard Administrator CLI is available from the Onboard Administrator serial port, management port, or service port and provides access to all Onboard Administrator commands and information.

The CLI user must provide a valid user name/password to log into Onboard Administrator. The CLI is available for both local user accounts and LDAP users. Two-Factor Authentication is not available for the CLI.

Access to the Onboard Administrator CLI from either the Onboard Administrator Ethernet management port or service port requires that Telnet or Secure Shell protocols are enabled on the Onboard Administrator.

The Onboard Administrator serial port must be used for Onboard Administrator lost password recovery.

The Onboard Administrator serial port speed is fixed at 9600, N, 8, 1.

For more information about the CLI, see the HPE Integrity Superdome X and Superdome 2 Onboard Administrator Command Line Interface User Guide.

Setting up Onboard Administrator using the CLI

Procedure

1. Connect to the OA CLI using the serial port, management port, or service port. See Connecting to the OA with a local PC for information about connecting a PC to the OA serial or service ports.

2. Log into the Onboard Administrator with the Administrator user account and the OA dogtag password.

3. Set OA name by running the SET OA NAME 1 <name> command.

4. If a redundant OA is present, run the SET OA NAME 2 <name> command.

5. Configure OA IP address:

a. Select either the OA1/OA2 IP address or Enclosure IP address.

b. Configure OA1 IP address as static or DHCP. For example, for a static address, run the SET IPCONFIG STATIC 1 <ip address> <netmask> command.

6. If a redundant OA is present, run the SET IPCONFIG STATIC 2 <ip address> <netmask> command.

7. Set OA gateway by running the SET OA GATEWAY 1 <ip address> command.

8. If a redundant OA is present, run the SET OA GATEWAY 2 <ip address> command.

9. Set the iLO IP address by running the SET EBIPA BLADE <ip address> <netmask> command. Allocate up to 32 consecutive static IP addresses.

10. If a gateway exists on the management network, set the iLO gateway to its IP address by running the SET EBIPA BLADE GATEWAY <ip address> command.

11. Start EBIPA for iLO by running the ENABLE EBIPA BLADE command.

12. Complete the remainder of the settings as required. For information on the enclosure defaults for each setting, see the HPE Integrity Superdome X and Superdome 2 Onboard Administrator Command Line Interface User Guide.
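The addressing part of this procedure (steps 3 to 11) can be checked before anything is typed into the OA. The following is an added example, not code from HPE or from this guide: it validates an addressing plan and emits the commands exactly as the steps above write them. The function names, the sample names and addresses (documentation ranges), and the assumption that EBIPA hands out addresses in ascending order from the first one are constructed for illustration.

```python
import ipaddress

MAX_EBIPA_ADDRESSES = 32  # the guide allows up to 32 consecutive iLO addresses


def ebipa_range(first_ip, netmask, count):
    """Return (network, addresses) for `count` consecutive EBIPA addresses.

    Assumption: addresses are allocated in ascending order from first_ip.
    """
    if not 1 <= count <= MAX_EBIPA_ADDRESSES:
        raise ValueError(f"blade count must be 1..{MAX_EBIPA_ADDRESSES}")
    net = ipaddress.ip_network(f"{first_ip}/{netmask}", strict=False)
    first = ipaddress.ip_address(first_ip)
    addrs = [first + i for i in range(count)]
    for addr in addrs:
        # The whole run must stay on usable host addresses of one subnet.
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            raise ValueError(f"{addr} is not a usable host address in {net}")
    return net, addrs


def build_setup_commands(*, oa_name, oa_ip, oa_netmask, oa_gateway,
                         ilo_first_ip, ilo_netmask, ilo_count,
                         ilo_gateway=None, standby_name=None, standby_ip=None):
    """Validate the plan and return the OA CLI lines for steps 3 to 11."""
    if (standby_name is None) != (standby_ip is None):
        raise ValueError("give both standby_name and standby_ip, or neither")

    oa_net = ipaddress.ip_network(f"{oa_ip}/{oa_netmask}", strict=False)
    oa_addrs = [ipaddress.ip_address(oa_ip)]
    if standby_ip is not None:
        oa_addrs.append(ipaddress.ip_address(standby_ip))
    gateway = ipaddress.ip_address(oa_gateway)
    for addr in oa_addrs + [gateway]:
        if addr not in oa_net:
            raise ValueError(f"{addr} is outside the OA subnet {oa_net}")
    reserved = set(oa_addrs) | {gateway}
    if len(reserved) != len(oa_addrs) + 1:
        raise ValueError("OA addresses and the OA gateway must all differ")

    # The iLO range may sit in a different subnet than the OA.
    ilo_net, ilo_addrs = ebipa_range(ilo_first_ip, ilo_netmask, ilo_count)
    if ilo_gateway is not None:
        ilo_gw = ipaddress.ip_address(ilo_gateway)
        if ilo_gw not in ilo_net:
            raise ValueError(f"iLO gateway {ilo_gw} is outside {ilo_net}")
        reserved.add(ilo_gw)
    clash = sorted(reserved & set(ilo_addrs))
    if clash:
        raise ValueError("EBIPA range collides with " + ", ".join(map(str, clash)))

    cmds = [f"SET OA NAME 1 {oa_name}"]
    if standby_ip is not None:
        cmds.append(f"SET OA NAME 2 {standby_name}")
    cmds.append(f"SET IPCONFIG STATIC 1 {oa_ip} {oa_netmask}")
    if standby_ip is not None:
        cmds.append(f"SET IPCONFIG STATIC 2 {standby_ip} {oa_netmask}")
    cmds.append(f"SET OA GATEWAY 1 {oa_gateway}")
    if standby_ip is not None:
        cmds.append(f"SET OA GATEWAY 2 {oa_gateway}")
    cmds.append(f"SET EBIPA BLADE {ilo_first_ip} {ilo_netmask}")
    if ilo_gateway is not None:
        cmds.append(f"SET EBIPA BLADE GATEWAY {ilo_gateway}")
    cmds.append("ENABLE EBIPA BLADE")
    return cmds


if __name__ == "__main__":
    # Constructed plan: OA pair on 192.0.2.0/24, eight iLOs on 198.51.100.0/26.
    for line in build_setup_commands(
            oa_name="sd-oa1", oa_ip="192.0.2.10", oa_netmask="255.255.255.0",
            oa_gateway="192.0.2.1", standby_name="sd-oa2", standby_ip="192.0.2.11",
            ilo_first_ip="198.51.100.33", ilo_netmask="255.255.255.192",
            ilo_count=8, ilo_gateway="198.51.100.62"):
        print(line)
```

A plan that runs the EBIPA range into the broadcast address, a gateway, or an OA address is rejected before any command is generated.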

Configuring server blade iLO IP addresses

Each server blade iLO factory default configuration enables DHCP network settings. To use the server blade with a DHCP network, connect the OA management port to a network with a DHCP server. The OA, all iLO management processors, and supporting interconnect modules then get IP addresses from the DHCP server.

To configure each server blade for static IP addresses, use OA to set up an IP address for each iLO using EBIPA. This enables iLO to be addressed using TCP/IP so that the network settings can be reconfigured.

Configuring each server blade with an IP address using EBIPA provides a fixed network configuration including IP address, netmask and gateway that is based on the enclosure bay where the server is installed. The new iLO gets the IP address for that bay without additional configuration needed.

Using the service port connection

The OA service port is the enclosure link-up connector which also has a laptop icon next to the up arrow. This port is a 100BaseT Ethernet jack and may be directly connected to a laptop or PC RJ45 Ethernet connector using a standard CAT5 patch cable, as the wiring on the link-up connector is crossed over to enable direct connect to a PC 100BaseT connector.

The Service Port provides direct connection to any of the active OA modules in the complex or just the active OA module in a single enclosure if there are no other enclosures in the complex. The network connection is private to the enclosures and cannot be used to access any device outside the internal enclosure management network. Use the connection to directly access the active OA at the active service IP address, located on the enclosure Insight Display, Enclosure Info screen.

See Connecting a PC to the OA service port for information about connecting a local PC to the OA service port for accessing the OA CLI.

Using configuration scripts

Configuration scripts

Use configuration scripts to maintain settings and configuration information, particularly when setting up multiple enclosures and OA modules. This eliminates the need to manually configure each enclosure, saving time and effort in the process. Configuration scripts can be created and used with OA in the browser, or through the CLI, executing them in the same manner as a shell script is executed in Linux or UNIX.

NOTE:

Configuration scripts cannot be used to store partition information.

Current configuration

To download a current configuration for the enclosure:

Procedure

1. Click the Click here link. The configuration opens in a new browser window.

2. To save the configuration as a text file, select one of the following options:

• If you use Microsoft Internet Explorer 7 or later, select Save As.

• If you use Mozilla Firefox 3.6 or later, select Save Page As.

• If you use Google Chrome 38 or later, select ???

You can also select a local file or a web address for the configuration script:

• Local file: You can browse for the configuration file or enter the path of the configuration file into the textbox. The maximum number of characters in the file path cannot exceed 256. After entering the configuration file path, click the Upload button.

• URL: If the configuration file is located on a web server, enter an http:// path to it. The maximum number of characters in the file path cannot exceed 256. Click the Apply button after entering the web address.

For security reasons, the retrieved current configuration does not contain any user passwords. You can manually edit the script to add the user passwords after the user name on the ADD USER lines. Also, the retrieved current configuration does not contain any of the LCD settings (Lock Buttons, Enable PIN Protection, and PIN Code). These settings cannot be added from the configuration script.
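Once passwords have been edited into the ADD USER lines, the script is a cleartext credential file, and fetching it from an http:// address sends those passwords unencrypted. The following added example (not HPE code) audits a script before it is stored or published: it reports which ADD USER lines carry a password, without echoing the password, and returns a redacted copy. The function names, the sample script and URL, the treatment of everything after the user name as the password, and `#` as the comment marker are assumptions made for illustration.

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample, not output from a real enclosure.
SAMPLE_SCRIPT = '''\
# Constructed sample configuration script
SET OA NAME 1 sd-oa1
ADD USER "operator1"
ADD USER "backupadmin" "Examp1e-Only!"
add user monitor NotARealSecret
SET EBIPA BLADE 198.51.100.33 255.255.255.192
'''


def audit_config_script(text):
    """Return (findings, redacted_text).

    findings is a list of (line_number, user_name) for every ADD USER line
    that carries a password; user_name is None when the line cannot be parsed.
    The password itself is never copied into the findings.
    """
    findings, redacted = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            redacted.append(line)
            continue
        is_add_user = stripped.upper().split()[:2] == ["ADD", "USER"]
        try:
            tokens = shlex.split(stripped)  # honours quoted names and passwords
        except ValueError:
            tokens = None  # unbalanced quotes
        if is_add_user and tokens is None:
            # Cannot prove the line is clean, so treat it as a finding.
            findings.append((line_no, None))
            redacted.append("# ADD USER line removed: unbalanced quotes")
        elif is_add_user and len(tokens) > 3:
            findings.append((line_no, tokens[2]))
            redacted.append(f'ADD USER "{tokens[2]}"')
        else:
            redacted.append(line)
    return findings, "\n".join(redacted) + "\n"


def cleartext_fetch(url, findings):
    """True when a password-bearing script would be fetched over plain http://."""
    return bool(findings) and urlsplit(url).scheme.lower() == "http"


if __name__ == "__main__":
    found, safe_copy = audit_config_script(SAMPLE_SCRIPT)
    for line_no, user in found:
        print(f"line {line_no}: ADD USER for {user!r} carries a password")
    # Constructed URL on a documentation address.
    if cleartext_fetch("http://198.51.100.20/oa/enclosure1.cfg", found):
        print("script with passwords would be fetched over plain http://")
    print(safe_copy, end="")
```

Store and share only the redacted copy, and add the passwords to a working copy immediately before it is applied.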

Current enclosure inventory

To download a script of the current enclosure inventory, click the Click here link. The current enclosure inventory opens in a new browser window. To save the inventory as a text file, select one of the following options:

• If you are using Microsoft Internet Explorer 7 or later, select Save As.

• If you are using Mozilla Firefox 3.6 or later, select Save Page As.

• If you are using Google Chrome 38 or later, select ???

The downloaded text file provides the same information as a CLI SHOW ALL command. The text file also displays the current configuration for the enclosure.

USB Support

This box appears when a USB key is detected in the enclosure DVD module USB port and configuration files are present. To download a configuration file, select a file from the menu, and then click the Apply button.

To save the current OA configuration file to the USB key, enter a simple file path, either a relative path in the format path/file or with a leading dot (.), such as ./path/file, or an absolute path beginning with a slash (/), in the format /path/file. Do not enter a URL. Do not include spaces within the file name. Click Apply.

Reset Factory Defaults

When you reset the enclosure to the factory defaults, all enclosure settings are reset except the built-in Administrator password. All AlertMail, Network and Network Protocol, SNMP, and Power Management settings are reset.

To reset the enclosure, click the Reset Factory Defaults button. A confirmation screen appears, asking if you are sure that you want to perform the action. To confirm resetting the enclosure, click OK, or to exit without resetting the enclosure to factory defaults, click Cancel.

To download a current configuration for the enclosure:

Procedure

1. Click the Click here link. The configuration opens in a new browser window.

2. To save the configuration as a text file, select one of the following options:

• If you use Microsoft Internet Explorer 7 or later, select Save As.

• If you use Mozilla Firefox 3.6 or later, select Save Page As.

• If you use Google Chrome 38 or later, select ???

For security, the retrieved current configuration does not contain any user passwords. You can manually edit the script to add the user passwords after the user name on the ADD USER lines. The enclosure Administrator account password cannot be added from the configuration script. Also, the retrieved current configuration does not contain any of the LCD settings (Lock Buttons, Enable PIN Protection, and PIN Code). These settings cannot be added from the configuration script.

Troubleshooting

Onboard Administrator error messages

Descriptive error messages can help identify hundreds of possible problems related to set up, privileges, user requests, OA failures, file uploads, incompatibilities, Insight Display, and more.

Onboard Administrator factory default settings

When resetting the OA to factory defaults, the administrator password is not reset to factory default. It remains set to the password last specified. In the event that the administrator password must be reset to factory defaults (as included on the tag that shipped with the OA), see Recovering the administrator password.

Resetting the OA to factory defaults also resets any certificates on the OA.

Onboard Administrator SNMP traps

The OA supports the following SNMP traps.

Trap ID Trap name Description

22001 cpqRackNameChanged Rack Name has changed

22002 cpqRackEnclosureNameChanged Enclosure Name has changed

22003 cpqRackEnclosureRemoved Rack enclosure has been removed

22004 cpqRackEnclosureInserted Linked Enclosure insertion detected

22005 cpqRackEnclosureTempFailed Enclosure temperature above critical

22006 cpqRackEnclosureTempDegraded Enclosure temperature above warning

22007 cpqRackEnclosureTempOk Enclosure temperature is OK

22008 cpqRackEnclosureFanFailed Enclosure fan has failed

22009 cpqRackEnclosureFanDegraded Enclosure fan is degraded

22010 cpqRackEnclosureFanOk Enclosure fan is OK

22011 cpqRackEnclosureFanRemoved Enclosure fan is removed

22012 cpqRackEnclosureFanInserted Enclosure fan is inserted

22013 cpqRackPowerSupplyFailed Enclosure power supply has failed

22014 cpqRackPowerSupplyDegraded Enclosure power supply is degraded

22015 cpqRackPowerSupplyOk Enclosure power supply is OK

22016 cpqRackPowerSupplyRemoved Enclosure power supply is removed

22017 cpqRackPowerSupplyInserted Enclosure power supply is inserted

22018 cpqRackPowerSubsystemNotRedundant Enclosure power subsystem is not redundant

22019 cpqRackPowerSubsystemLineVoltageProblem Enclosure power subsystem line voltage problem

22020 cpqRackPowerSubsystemOverloadCondition Enclosure power subsystem overload condition

22037 cpqRackEnclosureManagerDegraded Onboard Administrator degraded

22038 cpqRackEnclosureManagerOk Onboard Administrator OK

22039 cpqRackEnclosureManagerRemoved Onboard Administrator removed

22040 cpqRackEnclosureManagerInserted Onboard Administrator inserted

22041 cpqRackManagerPrimaryRole Onboard Administrator is Active

22042 cpqRackServerBladeEKeyingFailed Blade eKeying config failed

22044 cpqRackNetConnectorRemoved Interconnect removed

22045 cpqRackNetConnectorInserted Interconnect inserted

22046 cpqRackNetConnectorFailed Interconnect failed

22047 cpqRackNetConnectorDegraded Interconnect degraded

22048 cpqRackNetConnectorOk Interconnect OK

22049 cpqRackServerBladeToLowPower Blade requested too low power

22050 cpqRackServerBladeRemoved2 Blade removed

22051 cpqRackServerBladeInserted2 Blade inserted

22071 cpqRackInformationalEAETrap Error Analysis Engine Informational event (Superdome 2 only)

22072 cpqRackMinorEAETrap Error Analysis Engine Degraded/Warning or Minor event (Superdome 2 only)

22073 cpqRackMajorEAETrap Error Analysis Engine Major event (Superdome 2 only)


22074 cpqRackCriticalEAETrap Error Analysis Engine Critical or Fatal event (Superdome 2 only)

22079 cpqRackInformationalEAETrap Error Analysis Engine Informational event (Integrity Superdome X only)

22080 cpqRackMinorEAETrap Error Analysis Engine Degraded/Warning or Minor event (Integrity Superdome X only)

22081 cpqRackMajorEAETrap Error Analysis Engine Major event (Integrity Superdome X only)

22082 cpqRackCriticalEAETrap Error Analysis Engine Critical or Fatal event (Integrity Superdome X only)


Enabling LDAP Directory Services Authentication to Microsoft Active Directory

Certificate Services

The Microsoft implementation of LDAP over SSL requires that the Domain Controllers install DC certificates from the CA of the organization. This process occurs when the Enterprise Root CA service is added to a server in Active Directory. Hewlett Packard Enterprise strongly recommends using an Enterprise Root CA to minimize the complexities of requesting and accepting DC certificates from a standalone CA.

CAUTION:

To ensure that the OA GUI continues to work after December 31, 2016, upgrading from firmware version 7.6.0 or earlier to version 8.2.106 or later removes the OA SHA1 self-signed certificate and replaces it with a SHA256 self-signed certificate. To prevent security warnings, the customer is encouraged to regenerate the self-signed certificate with the common name (CN) matching exactly the OA hostname as known by the web browser.

Preparing the directory

For a normal production environment, similar groups exist in some form, but the following group names can be used as-is if desired.

To prepare the directory:

Procedure

1. Create an Active Directory group named OA Admins, and then add a user named TestAdmin to this group.

2. Create a group called OA Operators, and then add a user named TestOperator to this group. User permissions are irrelevant.

Preparing the Onboard Administrator

To prepare the OA:

• Navigate to the Directory Settings screen for the enclosure located under Users/Authentications.

• Click Enable LDAP and then enter the IP address or the name of one of your DCs. See Troubleshooting LDAP on Onboard Administrator on page 222 for more information on verifying that the DC is listening on port 636. Alternatively, to force the DNS servers defined for the domain to offer DCs, enter the domain name of your AD domain (DOMAIN.COM) instead of a server name. For simplicity during initial setup, Hewlett Packard Enterprise recommends using a single IP address. If Onboard Administrator is configured for strong encryption mode, enter the fully qualified domain name of the LDAP server as the Directory server address, and make sure it matches the CN (Common Name) field of the LDAP server certificate.

The Search Context is standard LDAP format. For example, if the user accounts are in the Users OU in a domain named BLADEDEMO.HP.COM, the Search Context must be:

CN=Users,DC=bladedemo,DC=hp,DC=com

Uploading the DC certificate (optional)

You can upload multiple DC certificates. Upload a certificate that permits LDAP over SSL.

Procedure

1. Click the Certificate Upload tab.

2. Get the certificate from the DC by opening a new web browser window to https://domain_controller:636 (where domain_controller is your DC).

NOTE:

This is a secure HTTPS web address, so you are prompted to accept a certificate.

3. Click the View Certificate button.


4. Click the Details tab, and then click the Copy to File... button.

5. Select Base-64 encoded x.509 (.CER) from the list of export options. Click the Next button.

6. Provide a name and location for the file (c:\dccert.cer) and click the Finish button to complete the wizard.

7. Locate the exported certificate file in Internet Explorer and rename it with a .txt extension (dccert.txt). Open the file in Notepad and copy the entire contents to the clipboard. The following is an example of the certificate file contents:

-----BEGIN CERTIFICATE-----MIIFxDCCBKygAwIBAgIKJWUSwAAAAAAAAjANBgkqhkiG9w0BAQUFADBVMRMwEQYKCZImiZPyLGQBGRYDY29tMRIwEAYKCZImiZPyLGQBGRYCaHAxFzAVBgoJkiaJk/IsZAEZFgdhdGxkZW1vMREwDwYDVQQDEwh3aW5kb3pDQTAeFw0wNjA4MjIyMDIzMTFaFw0wNzA4MjIyMDIzMTFaMCAxHjAcBgNVBAMTFXdpbmRvei5hdGxkZW1vLmhwLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAy4zeh3iXydUAWKVHIDsxLJ6BaRuVT9ZhkL5NQHIDeRjumsgc/jHSERDmHuyoY/qbF7JMhJ9Lh9QQHUg8QfEYsC1yqTvgisrZeHtvmrmecvSxZm27b4Bj5XYN0VYcrwqKnH7X/tVhmwqGls7/YZyahNU1lGB2OjoCq5eJxX+Ybx0CAwEAAaOCA00wggNJMAsGA1UdDwQEAwIFoDBEBgkqhkiG9w0BCQ8ENzA1MA4GCCqGSIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwBwYFKw4D…output truncated…-----END CERTIFICATE-----

8. Return to the OA Upload Certificate screen, paste the certificate contents into the window, and then click the Upload button.
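Before pasting the exported file into the OA, it helps to confirm that its CN equals the Directory server address you intend to configure (required in strong encryption mode, as described under Preparing the Onboard Administrator) and that the certificate has not expired. The following is an added example, not part of the HPE guide; the function names, the host name dc01.bladedemo.hp.com and the throwaway certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-upload check of an exported Base-64 (.CER/PEM) certificate.
# All names below are hypothetical; the certificate is generated on the spot.

# cert_cn FILE: print the subject commonName of the certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        awk -F' = ' '/commonName/ { print $2; exit }'
}

# dc_cert_ready FILE ADDRESS
#   0  CN equals ADDRESS (case-insensitive) and the certificate has not expired
#   1  CN differs from ADDRESS
#   2  FILE is not a parsable certificate, or the certificate has expired
dc_cert_ready() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 2
    cn=$(cert_cn "$1" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$cn" ] && [ "$cn" = "$want" ] || return 1
    return 0
}

# make_demo_dc_cert DIR CN: write DIR/dccert.cer, a constructed self-signed
# stand-in for the file exported from the DC in steps 2 to 6.
make_demo_dc_cert() {
    printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = unused\n' \
        > "$1/demo.cnf"
    openssl req -config "$1/demo.cnf" -x509 -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" -days 1 -keyout "$1/dc.key" -out "$1/dccert.cer" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_dc_cert "$demo_dir" "dc01.bladedemo.hp.com"

# Host names compare case-insensitively, so this address matches the CN.
dc_cert_ready "$demo_dir/dccert.cer" "DC01.bladedemo.hp.com" &&
    echo "CN matches: use this name as the Directory server address"

# An IP address (documentation range, constructed) does not equal the CN.
dc_cert_ready "$demo_dir/dccert.cer" "192.0.2.10" ||
    echo "CN mismatch: this address does not match the certificate"
```

Run the same function against the real dccert.txt and the address entered on the Directory Settings screen.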

Creating directory groups

OA authenticates users and assigns privileges by first verifying that the user name and password provided to OA match the credentials in the Directory. When a match is verified, OA queries the Directory to discover the names of the Active Directory groups the user is a member of. OA then matches those group names against the Directory Group names that exist in OA. In the following example, OA Directory Groups are created. The group name is used to determine an LDAP user's group membership and must match one of the following properties of a directory group:

• Name

• Distinguished name

• Common name

• Display name

• SAM account name

To create a directory group:

Procedure

1. In OA, navigate to the User > Authentication > Directory Groups link.

2. Click the New button.

3. Create a group named OA Admins, the same name as the group created in Active Directory.

4. Assign this group full administrative privileges over all server bays and interconnect bays, and then click the Add Group button.

5. Create a second Directory Group named OA Operators to match the operator group created in Active Directory. Assign the group Operator privilege level instead of Administrator, and do not allow the group access to Server Bays, but do allow access to Interconnect bays, and then click the Add button.

Testing the directory login solution

Procedure

1. Log out of the current OA session, and then close all browser windows.

2. Browse to the OA, and then log in using one of the following options:

• TestAdmin

[email protected]

• DOMAIN\TestAdmin

3. Enter the corresponding password used for the user account. If you cannot log in with full Administrative privileges, see Troubleshooting LDAP on Onboard Administrator on page 222.

NOTE:

You cannot log in using your user name. For example, if your Account name is Jeff Allen and your account is jallen, you cannot log in as jallen because this format is not currently supported by LDAP.

4. Log off or sign out of OA, and then attempt to log in as TestOperator using one of the following options:

• TestOperator

[email protected]

• DOMAIN\TestOperator

5. Enter the password used for the account. If this process succeeds, then the account has no access to any server blades, but full access to interconnect bays.

Troubleshooting LDAP on Onboard Administrator

Symptom

To be sure that SSL is working on the Domain Controllers in your domain, open a browser and then navigate to https://domain_controller:636 (substitute your Domain Controller for domain_controller). You can substitute domain in place of domain_controller, which goes to DNS to verify which Domain Controller is now answering requests for the domain. Test multiple Domain Controllers to be sure that all of them have been issued a certificate. If SSL is operating properly on a Domain Controller (for example, a certificate has been issued to it), the Security dialog asks whether you want to proceed with accessing the site or view the certificate. If you click Yes, nothing happens. The test is intended to make the Security dialog appear. A server not accepting connections on port 636 displays the page cannot be displayed message. If this test fails, it means that the Domain Controller is not accepting SSL connections, possibly because a certificate has not been issued. This process is automatic, but might require a reboot.

To avoid a reboot, do the following:

Solution 1

Action

1. On the Domain Controller, load the "Computer Account" MMC Snap-in, and then navigate to the Personal > Certificates folder.

2. Right-click the folder, and then select Request New Certificate. The type default is already "Domain Controller".

3. Click Next, and then repeat until the Domain Controller issues the certificate.

Solution 2

Cause

Another method for troubleshooting SSL is to go to the DC, and then run the following command:

C:\> netstat -an | find /i "636"

If the server is listening for requests on port 636, the following response appears:

TCP 0.0.0.0:636 0.0.0.0:0 LISTENING

One of the problems can be that the domain controllers have not auto-enrolled. The DCs can take up to 8 hours to auto-enroll and get their certificates issued because MS uses GPO to make the DCs aware of the newly installed CA. You can force this by running DSSTORE -pulse from the DCs (the tool is located in the w2k reskit). It is triggered by winlogon. Therefore, for auto-enrollment to function, you must log off and then log on again. The certificates appear automatically in the CA's Issued Certs list. Make sure the CA is not listing them in Pending Certs. If it is, change the CA to auto-issue certificates when a request comes in. If the auto-enrollment feature still does not function, request the certificate:

Action

1. On the Domain Controller, open MMC, and then add Certificate Snap-in (Computer Account).

2. Navigate to Personal, and then right-click the folder.

3. Click Request New Cert, and then click Next.

4. Enter a name for the certificate.

If an RPC error occurs, be sure that the CA is listed in DNS and that the CA is running.

If the wizard does not start, force the server to see the CA and then enable the wizard to run.

To speed up the GPO process and make the DCs acknowledge the CA, use one of the following commands:

• Windows 2003: Gpupdate /force

• Windows 2000: Secedit /refreshpolicy machine_policy /enforce

Be sure that the OA has all the appropriate network settings unique to your network (such as DNS) and that the time and date are correct (certificates are date sensitive). Be sure that OA can reach the DNS server (by pinging it from the OA CLI).

If LDAP is enabled while booting into Lost Password mode, the local Administrator password is reset, LDAP is disabled, and local login is re-enabled.

If the nested groups function is not displayed properly, verify the Domain Functional Level. Windows 2000 and Windows 2003 domain controllers, by default, are placed in function level 2000 mixed. When using this functional level, you cannot add or nest local groups.
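The netstat test in Solution 2 matches any line that contains the text 636, which also matches other port numbers and outbound connections to another server's port 636. The following added example (not part of the HPE guide) checks saved netstat -an output from a DC strictly for a TCP listener on local port 636; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: strict check of Windows `netstat -an` output for an LDAPS listener.
# Helper names are hypothetical; they are not HPE or Microsoft tools.

# ldaps_listening: read `netstat -an` output on stdin and succeed only if a
# TCP socket in LISTENING state has a local port of exactly 636.
ldaps_listening() {
    awk '
        { sub(/\r$/, "") }                    # tolerate CRLF from a Windows capture
        $1 == "TCP" && $NF == "LISTENING" {
            n = split($2, part, ":")          # field 2 is the local address
            if (part[n] == "636") found = 1   # last piece is the port (IPv6 too)
        }
        END { exit(found ? 0 : 1) }
    '
}

# naive_find: what `find /i "636"` does, a plain substring match.
naive_find() {
    grep -i '636' >/dev/null
}

# Constructed sample: a DC that answers on 636 over IPv4 and IPv6.
sample_listening() {
    cat <<'EOF'
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING
  TCP    [::]:636               [::]:0                 LISTENING
EOF
}

# Constructed sample: every line contains "636", none is an LDAPS listener.
sample_false_positives() {
    cat <<'EOF'
  TCP    0.0.0.0:6360           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49636          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:51234         10.0.0.9:636           ESTABLISHED
  UDP    0.0.0.0:636            *:*
EOF
}

sample_listening | ldaps_listening && echo "sample 1: LDAPS listener present"
sample_false_positives | naive_find && echo "sample 2: substring match reports a hit"
sample_false_positives | ldaps_listening || echo "sample 2: no listener on port 636"
```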

Creating CAs and configuring Two-Factor Authentication for local user and LDAP group accounts

Introduction

Two-Factor Authentication (also known as Two-Step Authentication) is an optional feature that provides enhanced security for the OA. To permit access to the OA, Two-Factor Authentication requires something that a user has (a certificate) and something that a user knows (a password or PIN). The certificate is stored directly in a browser or on the accessing device (as a smartcard, dongle, or TPM).

You can use Two-Factor Authentication with either local user accounts or directory (LDAP) group accounts. For LDAP accounts, you can use the subject or subject alternate name to provide the LDAP login name. In all cases, the user certificate must be validated against a certificate authority (CA).

Two-Factor Authentication public key infrastructure map

CAs are based on a tree structure. Root certificates are self-signed. All other certificates can be traced back to the root by following the certificate issuer field. User certificates may be issued by any of the CAs in the tree. The OA has limited storage space and therefore supports storing a maximum of 12 CA certificates. The following diagram shows a tree structure similar to that used in the examples to follow.

Steps for creating CAs and configuring Two-Factor Authentication with local user and LDAP group accounts

The following sections provide instructions and examples for creating CAs and configuring Two-Factor Authentication with local user and LDAP group accounts. For simplicity, the CA certificates in the provided examples are created on a single system instead of multiple systems. A real CA implementation would use multiple systems.

The following table lists the steps for setting up Two-Factor Authentication with local user and LDAP group accounts, and indicates the section documenting each step plus any subordinate steps.

Step Section

1 Configuring the directories

• Create the initial directories for the root CA

• Modify and store an OpenSSL configuration file in each CA

• Modify the default directories to suit your structure

2 Creating a root CA

• Copy the OpenSSL configuration file to the root CA

• Create the root CA certificate and private key

• Create a combined root CA private key and certificate PEM file

3 Creating subordinate CAs

• Create the directories for the subordinate CAs

• Provide x509 certificate information

• Generate a CSR and server key for each subordinate CA

• Have the root CA sign the CSR

4 Creating user keys and CSRs

• Create the directories for the user keys and CSRs

• Provide x509 certificate information

• Generate a CSR and server key for each user

• Have the appropriate subordinate CA sign the CSR

5 Verifying certificates

6 Storing a user certificate on a smart card or browser


7 Configuring the Onboard Administrator for Two-Factor Authentication with local accounts on page 237

• Establish an OA recovery plan

• Configure the OA session timeout

• Install the CA chain

• Install user certificates on the local Administrator account

• Enable Two-Factor Authentication

• Log in to the OA using Two-Factor Authentication

8 Enabling TFA+LDAP authentication on page 244

The following sections also include:

• Methods for specifying the subject field on a CSR

• Troubleshooting TFA+LDAP authentication problems

• CLI examples configuring a user account and certificates on page 246

• Information about CAs and certificates available from the web

Configuring the directories

This section describes the setup steps required prior to creating the root CA.

Creating a directory to represent each CA and user

The commands in the following example set up the initial directories for the root CA. A description of each directory follows. In this and subsequent examples, user input to prompts is indicated by boldface type.

NOTE:

This is a tutorial for creating CAs in a simple test environment. In an actual production environment, the CA servers would be on separate servers. In this tutorial example, the CA servers are represented by separate directories on a single server.

[~/]$ mkdir -m 0755 ~/examples
[~/]$ mkdir -m 0755 \
    ~/examples/rootCA \
    ~/examples/rootCA/private \
    ~/examples/rootCA/certs \
    ~/examples/rootCA/newcerts \
    ~/examples/rootCA/crl
[~/]$ mkdir -m 0755 \
    ~/examples/level1CA \
    ~/examples/level1CA/private \
    ~/examples/level1CA/certs \
    ~/examples/level1CA/newcerts \
    ~/examples/level1CA/crl
[~/]$ mkdir -m 0755 \
    ~/examples/TestUser \
    ~/examples/TestUser/private \
    ~/examples/TestUser/certs

Directory descriptions

• ./private — The location for private keys. Normally, permissions on this directory should be set to restrict read access to root (0200) or to the user account for the web server. This example starts with full read/write access for everyone (0755).

• ./certs — The location for the CA certificates.

• ./newcerts — The location for new signed certificates. They are stored in unencrypted PEM format with a file name format <cert_serial_number>.pem (such as 03.pem).

• ./crl — The location for the certificate revocation list.

Modifying and storing an OpenSSL configuration file in each CA directory

The OpenSSL configuration file (openssl.cnf) contains the default directory structure, names, and options. On most Linux distributions, a default openssl.cnf file is located in /etc/pki/tls.

[~/examples]$ cp -v /etc/pki/tls/openssl.cnf .
`/etc/pki/tls/openssl.cnf' -> `./openssl.cnf'

Changing the default directories

In this example, a change is made for all CAs and users. You can use this file as a template for other directories.

########################################################################
[ CA_default ]

dir = .               # CHANGE from "../../CA" # Everything is stored here
certs = $dir/certs    # Issued certs are stored here

Creating a root CA

This section describes the steps for creating a root CA.

Copying the OpenSSL configuration file to the rootCA directory

Copy the openssl.cnf file to the root CA directory (rootCA in this example):

[~/examples]$ cp ~/examples/openssl.cnf ~/examples/rootCA/openssl-rootCA.cnf
[~/examples]$ cd ~/examples/rootCA

Creating the certificate and private key

Create the root CA key and certificate (rootCA-private.key and rootCA.crt). In the following example, the key length is set to 2048 and the hash signature algorithm to SHA256. When prompted, enter a secure passphrase. When using the -nodes option, as in this example, the private key is not encrypted and you may omit the passphrase. When prompted for input such as the country, state, city, you may specify an empty field by entering a dot ("."), as shown.

[~/examples/rootCA]$ openssl req -config ./openssl-rootCA.cnf -newkey rsa:2048 \
    -x509 -extensions v3_ca -keyout private/rootCA-private.key \
    -out certs/rootCA.crt -days 1825 -sha256 -nodes
Generating a 2048 bit RSA private key
................+++
............+++
writing new private key to 'private/rootCA-private.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: .
State or Province Name (full name) [Berkshire]: .
Locality Name (eg, city) [Newbury]: .
Organization Name (eg, company) [My Company Ltd]: .
Organizational Unit Name (eg, section) []: .
Common Name (eg, your name or your server's hostname) []: My Root CA
Email Address []: .

[~/examples/rootCA]$ ls -l private/ certs/
certs/:
total 4
-rw-rw-r-- 1 xxx 1314 Nov 10 08:11 rootCA.crt

private/:
total 4
-rw-rw-r-- 1 xxx 1675 Nov 10 08:11 rootCA-private.key

To verify that the newly created certificate is correct, view the certificate by entering the command shown in the following example:

[~/examples/rootCA]$ openssl x509 -in certs/rootCA.crt -text

For a root self-signed certificate, the -issuer and -subject fields should match. To verify that they match, use the following command to display just the -issuer and -subject fields:

[~/examples/rootCA]$ openssl x509 -in certs/rootCA.crt \
    -noout -issuer -subject

Creating a combined private key and certificate PEM file

A combined private key and certificate PEM file is needed when your CA cross-signs other certificates. The file is referenced by the OpenSSL configuration file. The following commands change the default directory and create the combined private key and certificate PEM file cakey.pem:

[ ]$ cd ~/examples/rootCA
[ rootCA]$ cat private/rootCA-private.key certs/rootCA.crt > private/cakey.pem

Creating subordinate CAs

This section describes the steps for creating server certificates that are issued (signed) by another CA.

Creating the directories for the subordinate CA

If not already present, create the directory structure to contain the subordinate CA database, as shown in the following example:

[~/]$ mkdir -m 0755 \
    ~/examples/level1CA \
    ~/examples/level1CA/private \
    ~/examples/level1CA/certs \
    ~/examples/level1CA/newcerts \
    ~/examples/level1CA/crl

Copy the modified openssl.cnf file to the working directory, as shown:

[~/examples]$ cp -v openssl.cnf level1CA/
`openssl.cnf' -> `level1CA/openssl.cnf'

Providing x509 certificate information

A certificate includes numerous data items that describe the certificate. You can enter the data manually when prompted or provide the data automatically via an OpenSSL configuration file. The following example shows how to create an OpenSSL configuration file via a script file.

#!/bin/sh
#
cat << _end_marker_ > openssl-level1CA.cnf
[ req ]
distinguished_name=req_DN
attributes=req_attr
prompt=no

[ req_DN ]
CN=level1CA
C=US
ST=TX
L=Houston
O=Development
subjectAltName=otherName:[email protected]=.
givenName=Frederick
initials=FGG
# dnQualifier=
name=George of the Jungle

[ req_attr ]
# challengePassword=
# unstructuredName=
_end_marker_

Generating a CSR and new server key

This step generates a new key (-newkey) and generates a CSR that can be submitted to a CA. The new private key is stored in the keyout location. The CSR is written to the file given by the -out parameter. For simplicity, the -nodes option is used so that the private key is not protected by a passphrase.

[~/examples/level1CA]$ openssl req -config ./openssl-level1CA.cnf -newkey rsa:2048 -sha256 \
    -keyout ./private/level1CA-private.key -nodes -out ./temp-level1CA.csr

Generating a CSR without generating a new key (Optional)

You may choose to generate the CSR without generating a new private key, as shown in this example:

[~/examples/level1-ca]$ openssl req -config ./openssl-level-1-ca.cnf \
    -new -key ./level-1-CA-private.key -nodes -out ./level-1-CA.csr

Viewing the private key

To view the private key, use the command shown in the following example:

[~/examples/level1CA]$ openssl rsa -in ./private/level1CA-private.key -text

Signing the level1CA CSR with the rootCA key

After a CSR is generated (in the preceding step), it must be signed by an established CA in the chain of trust. For the first signing request (when only the root CA exists), the CSR must be signed by the root CA. Subsequent CSRs may be signed by lower-level CAs, if they have permission to do so.

In this example, the root CA signs the first-level CSR (level-1-CA.csr).

Procedure

1. Go to the CA that is going to do the signing, then view the CSR and verify that you really want it signed:

[ ]$ cd ~/examples/rootCA/
[ rootCA]$ openssl req -in ../level1CA/temp-level1CA.csr -noout -text

2. Perform the following one-time setup step:

[ rootCA]$ echo '01' > serial
[ rootCA]$ touch index.txt

3. After verifying that you want to sign the CSR, have the CSR signed by issuing the following command:

[~/examples/rootCA]$ openssl ca \
    -config openssl-rootCA.cnf \
    -extensions v3_ca -policy policy_anything \
    -in ../level1CA/temp-level1CA.csr \
    -cert certs/rootCA.crt \
    -md sha256 \
    -keyfile private/rootCA-private.key

The signed certificate is written to ./certs/{serialNumber}.pem. The files serial and index.txt have been updated.

4. Install the certificate onto the first-level CA server, specifying the appropriate serial number (in this example, the serial number is 01).

[ ~]$ cp ~/examples/rootCA/newcerts/01.pem ~/examples/level1CA/certs/level1CA.pem
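The two checks described above can be scripted: that rootCA.crt is genuinely self-signed (matching issuer and subject fields alone do not prove it, so the signature is verified as well) and that the installed level1CA.pem chains to the root and is marked as a CA. This is an added example, not part of the HPE guide; it builds a constructed throwaway chain in a temporary directory and, for brevity, signs the CSR with openssl x509 -req instead of the openssl ca command used in the procedure. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify a root CA and a subordinate CA certificate.
# The chain is constructed here; file names mirror the ones used in the procedure.

# make_demo_chain DIR: create rootCA.crt and a level1CA.pem signed by it.
make_demo_chain() {
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = unused
[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
EOF
    openssl req -config "$d/demo.cnf" -x509 -newkey rsa:2048 -nodes -sha256 \
        -extensions v3_ca -subj "/CN=My Root CA" -days 1 \
        -keyout "$d/rootCA-private.key" -out "$d/rootCA.crt" 2>/dev/null || return 1
    openssl req -config "$d/demo.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=level1CA" -keyout "$d/level1CA-private.key" \
        -out "$d/temp-level1CA.csr" 2>/dev/null || return 1
    # Stand-in for the `openssl ca` signing step.
    openssl x509 -req -in "$d/temp-level1CA.csr" -CA "$d/rootCA.crt" \
        -CAkey "$d/rootCA-private.key" -CAcreateserial -sha256 -days 1 \
        -extfile "$d/demo.cnf" -extensions v3_ca \
        -out "$d/level1CA.pem" 2>/dev/null || return 1
}

# is_self_signed CERT: issuer equals subject AND the signature verifies
# with the certificate's own public key.
is_self_signed() {
    issuer=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject= *//')
    [ -n "$subject" ] && [ "$issuer" = "$subject" ] || return 1
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# issued_by CA_CERT CERT: CERT validates with CA_CERT as the only trust anchor.
issued_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# is_ca CERT: basicConstraints marks the certificate as a CA.
is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

demo_dir=$(mktemp -d)
make_demo_chain "$demo_dir"
is_self_signed "$demo_dir/rootCA.crt" && echo "rootCA.crt: self-signed root"
issued_by "$demo_dir/rootCA.crt" "$demo_dir/level1CA.pem" &&
    is_ca "$demo_dir/level1CA.pem" &&
    echo "level1CA.pem: CA certificate issued by rootCA"
```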

Creating user keys and CSRs

The steps for creating a new user key and CSR are similar to those for creating a CSR for a CA except you specify a different type.

Creating a directory for the user key and CSR database

If not already present, create the directory structure to contain the user key and CSR database:

[~/]$ mkdir -m 0755 \
    ~/examples/TestUser \
    ~/examples/TestUser/private \
    ~/examples/TestUser/certs

Copy the modified openssl.cnf file to the working directory:

[~/examples]$ cp -v ~/examples/openssl.cnf ~/examples/TestUser/
`~/examples/openssl.cnf' -> `~/examples/TestUser/openssl.cnf'

Providing x509 user certificate information

You can enter the data manually when prompted or provide the data automatically via an OpenSSL configuration file. The default configuration file is sufficient.

Generating a user CSR and new server key

This step generates a new key (-newkey) and generates a certificate request for a user. The resulting certificate will include the subject field (-subj). You can specify the subject field on the OpenSSL command line as a single parameter or populate the subject field from various fields in the openssl.cnf file. For more information, see Methods for specifying the subject field on a CSR on page 244. The CSR is written to the file specified by the -out parameter. In the following command example, the subject field is specified as a single parameter, and the CSR is written to ./temp-test-user.csr.

[~/examples/TestUser]$ openssl req \
    -subj "/O=Hewlett-Packard Company/OU=Employment Status - Employees/OU=VPN-WEB-H/CN=Jonathan Smith/[email protected]" \
    -config ./openssl.cnf \
    -newkey rsa:2048 -sha256 \
    -keyout ./private/test-user-private.key \
    -nodes \
    -out ./temp-test-user.csr

View the CSR and verify that it is what you want signed. The following command displays the CSR:

[ ]$ openssl req -in ./temp-test-user.csr -text

Signing the user CSR with the level1CA key

To sign and configure a user certificate:

Procedure

1. Sign the user CSR with the level1CA key, as in the following example:


[ ]$ cd ~/examples/level1CA/

2. View the CSR and verify that it is what you want to sign. The following command displays the CSR:

[ level1CA]$ openssl req -in ../TestUser/temp-test-user.csr -text

3. It is important to specify how the user certificate may be used. Do this using x509 extensions. For more information about x509 extensions, see the OpenSSL website (http://www.openssl.org/docs/apps/x509v3_config.html#). The difference between a server certificate and a user certificate is the permissions that the CA assigns to the certificate. For example, a CA certificate is typically used as an SSL server, while a user certificate needs to be used as an SSL client and smart card login.

To specify the extensions, modify the openssl.cnf file [ usr_cert ] section, as shown in the following example. Uncomment the nsCertType and keyUsage lines as shown. The modified lines are shown in boldface type.

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=critical, CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
nsCertType = client, email # Uncomment this line

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# Uncomment this line:
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
# If extendedKeyUsage is specified, it MUST include all three items
# to be used for Two-Factor authentication.
# Client Authentication (1.3.6.1.5.5.7.3.2)
# Code Signing (1.3.6.1.5.5.7.3.3)
# Smart Card Login (1.3.6.1.4.1.311.20.2.2)
#extendedKeyUsage=clientAuth,codeSigning,1.3.6.1.4.1.311.20.2.2

# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

# For testing purposes we will just use some well known CR
nsCaRevocationUrl = http://onsitecrl.verisign.com/HewlettPackardCompanyITInfrastructure/LatestCRL.crl
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

4. Sign the certificate request, as in the following example:

[level1CA]$ openssl ca -config ./openssl.cnf -extensions usr_cert -policy policy_anything -in ../TestUser/temp-test-user.csr -cert certs/level1CA.pem -md sha256 -keyfile private/level1CA-private.key

5. To view the results, issue the following command:

[ level1CA]$ openssl x509 -in newcerts/07.pem -noout -text

6. To enable certificate usage in smart cards, the keyUsage field must include sslAuth and, if present, the extendedKeyUsage field must specify client authentication, code signing, and smart card login. For more information, see Troubleshooting TFA+LDAP authentication problems on page 245.

7. Give the public certificate to the user, using the following command:

[ TestUser]$ cp -v ~/examples/level1CA/newcerts/07.pem ~/examples/Test/User/certs/test-user.pem
`../level1CA/newcerts/06.pem' -> `certs/test-user.pem'

8. Combine the public certificate and private key into a PKCS #12 .pem file by creating a PKCS #12 certificate and providing a password (PIN) for the certificate. The user is prompted for the password (PIN). This password protects the private key contained in the PKCS #12 certificate.

[ ]$ cd ~/examples/TestUser
[ TestUser]$ openssl pkcs12 -export -in certs/test-user.pem -inkey private/test-user-private.key -out private/test-user-private.p12

Verifying certificates

To verify the certificates, follow these steps.

Procedure

1. To verify the certificates, use the commands shown in the following example:

[ examples]$ mkdir CA

[ examples]$ cp -v rootCA/certs/rootCA.crt CA/CA.pem
`rootCA/certs/rootCA.crt' -> `CA/CA.pem'

[ examples]$ cat level1CA/certs/level1CA.pem >> CA/CA.pem

[ examples]$ openssl verify -CAfile CA/CA.pem -verbose -purpose sslserver ./level1CA/certs/level1CA.pem
./level1CA/certs/level1CA.pem: OK

2. Verify that the user certificate is not an SSL server by using the following command:

[examples]$ openssl verify -CAfile CA/CA.pem -verbose -purpose sslserver ./TestUser/certs/test-user.pem
./TestUser/certs/test-user.pem: /O=Hewlett-Packard Company/OU=Employment Status - Employees/OU=VPN-WEB-H/CN=Jonathan Smith/[email protected] 26 at 0 depth lookup:unsupported certificate purpose
OK

3. Verify that the user certificate can be used for an SSL client by using the following command:

[user1@user1-station examples]$ openssl verify -CAfile CA/CA.pem -verbose -purpose sslclient ./TestUser/certs/test-user.pem
./TestUser/certs/test-user.pem: OK
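The verification procedure above, repeated non-interactively as an added example (not code from the HPE guide): it builds a throwaway rootCA, level1CA and user certificate with the [ usr_cert ] extensions shown earlier, then reports how `openssl verify` treats the user certificate for each purpose. Subjects, file names and lifetimes are constructed for the demo, and it assumes OpenSSL 1.1.0 or later, where a purpose failure gives a non-zero exit status rather than the trailing OK in the output above.

```shell
#!/bin/sh
# Added example, not from the HPE guide. Subjects, file names and the two-day
# lifetime are constructed for the demo; only throwaway keys are created.

# Succeeds only if openssl accepts certificate $3 for purpose $2 under CA bundle $1.
purpose_ok() {
    openssl verify -CAfile "$1" -purpose "$2" "$3" >/dev/null 2>&1
}

# Build rootCA -> level1CA -> test-user inside directory $1.
# The [ usr_cert ] values mirror the section shown in the signing procedure.
build_demo_chain() {
    (
        cd "$1" || exit 1
        cat > demo.cnf <<'EOF' || exit 1
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ usr_cert ]
basicConstraints = critical, CA:FALSE
nsCertType = client, email
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
EOF
        # Self-signed root CA.
        openssl req -x509 -newkey rsa:2048 -nodes -config demo.cnf -extensions v3_ca \
            -subj "/CN=Demo rootCA" -keyout rootCA.key -out rootCA.pem -days 2 || exit 1
        # Intermediate CA, signed by the root.
        openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
            -subj "/CN=Demo level1CA" -keyout level1CA.key -out level1CA.csr || exit 1
        openssl x509 -req -in level1CA.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
            -extfile demo.cnf -extensions v3_ca -days 2 -out level1CA.pem || exit 1
        # User certificate, signed by level1CA with the client-only extensions.
        openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
            -subj "/CN=Demo Test User" -keyout test-user.key -out test-user.csr || exit 1
        openssl x509 -req -in test-user.csr -CA level1CA.pem -CAkey level1CA.key -CAcreateserial \
            -extfile demo.cnf -extensions usr_cert -days 2 -out test-user.pem || exit 1
        # Same bundle layout as CA/CA.pem in the procedure: root first, then level1CA.
        cat rootCA.pem level1CA.pem > CA.pem || exit 1
    ) >/dev/null 2>&1
}

# Print one "purpose=accepted|rejected" word per purpose for the user certificate.
demo_purpose_checks() {
    dir=$(mktemp -d) || return 1
    build_demo_chain "$dir" || { rm -rf "$dir"; return 1; }
    result=""
    for purpose in sslclient sslserver; do
        if purpose_ok "$dir/CA.pem" "$purpose" "$dir/test-user.pem"; then
            result="$result $purpose=accepted"
        else
            result="$result $purpose=rejected"
        fi
    done
    rm -rf "$dir"
    echo "${result# }"
}
```

Call `demo_purpose_checks` after sourcing the file; `purpose_ok` can also be pointed at a real bundle and certificate, for example `purpose_ok CA/CA.pem sslclient ./TestUser/certs/test-user.pem`.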

Storing a user certificate on a smart card or browser

This section explains how to store a user certificate on a smart card or browser. The browser information in this section is based on Microsoft Internet Explorer.

Microsoft Internet Explorer does not support PEM formatted files. Create a .p12 certificate that contains both the private and public keys, using a command such as the following:

[ TestUser]$ openssl pkcs12 -export -in certs/test-user.pem -inkey private/test-user-private.key -out private/test-user-private.p12

To install the .p12 certificate using Internet Explorer 8, follow these steps:

Procedure

1. Access the Internet Explorer Internet Certificate Wizard by clicking Tools > Internet Options > Content > Certificates:

2. Click Next.


3. Click Browse.....

a. Locate the directory that contains the .p12 certificate file.

b. Change the file type to Personal Information Exchange (.p12).

c. Select the appropriate .p12 certificate file.

4. Select the .p12 file and click Next.

5. Enter the password specified when the PKCS#12 file was created. See Signing the user CSR with the level1CA key on page 232. Accept the default check box values and click Next.

6. The Certificate Store window appears. Click Next.

7. To complete the Wizard installation import process, click Finish.


8. The next window informs you that an application is creating a protected item and indicates the security level set for that item. Click OK.

9. The wizard informs you that the import was successful. Click OK.

Configuring the Onboard Administrator for Two-Factor Authentication with local accounts

This section provides an example showing how to configure the OA to enforce Two-Factor Authentication.

Establishing an Onboard Administrator recovery plan

Hewlett Packard Enterprise recommends establishing a recovery plan prior to configuring the OA for two-factor certificate authentication. If something goes wrong with the configuration, the OA configuration may be recovered by accessing the USB key drive either through the serial port or the Insight Display panel. Both methods require physical access to the OA.

IMPORTANT:

If an LCD PIN has been configured (and forgotten), and local accounts have been disabled or TFA has been incorrectly configured, then the only way to recover is through a serial port. See Connecting a PC to the OA serial port.

The two most common situations where OA recovery is needed are when LDAP has been configured with local accounts disabled or when Two-Factor Authentication has been configured without certificate access (keyUsage).

Recovering via Insight Display and USB key

To recover the OA via USB key, create a configuration file on the USB key to restore the needed settings. You can either set up the file to reset only what is needed to regain access or to completely restore factory settings:

• GAIN_ACCESS.CFG (reset only what is needed to regain access):

◦ DISABLE TWOFACTOR
◦ DISABLE LDAP
◦ SET USER PASSWORD "Administrator" "My.Password123"

• SET_FACTORY.CFG (reset to factory defaults):

◦ SET FACTORY

To recover a configuration:

Procedure

1. Insert the USB key that contains the configuration file into the USB port of the OA.

2. Using the Insight Display, navigate to the main menu, select USB Key Menu and click OK.

3. Select Restore Configuration, then click OK.


4. Select the listed configuration file, then click OK.

5. The Confirm Operation screen appears. Click OK.

Recovering via serial console

To recover the OA via the serial port, follow these steps:

Procedure

1. Ensure that you have the appropriate cables and software to connect to the OA serial port. The default serial connection setting is 9600, 8, N, 1. For more information about the serial port pinout signals, see Connecting a PC to the OA serial port.

2. Press and hold the Reset button for five seconds.

3. On the serial console, when you are prompted for Flash Recovery or Reset Password, press the L key(Lost Password).

The console displays the built-in Administrator account password and local logins are enabled.

Configuring the Onboard Administrator session timeout

By default, if a user session is inactive for one day (1440 minutes), a timeout occurs. Reduce this setting to a value that is suitable for your security policy. For testing purposes, you can set the timeout value to a minimum of 10 minutes. To modify the timeout setting, use the OA GUI or a CLI command. Valid timeout values are 0 (which disables the timeout), or an integer ranging from 10 to 1440.

Using the GUI

Procedure

1. Navigate to the Signed in Users screen (Enclosure Information > Users/Authentication > Signed in Users) and select the Session Options tab.

2. Modify the Session Timeout field.

3. Click Apply.

Using the CLI

Use the following command, where <timeout-value> is the number of minutes:


SET SESSION TIMEOUT <timeout-value>

Installing the CA chain for TFA

A certificate chain consists of all the certificates needed to certify the subject identified by the end certificate. In practice, this includes the end certificate, the certificates of intermediate CAs, and the certificate of the root CA trusted by all parties in the chain. Every intermediate CA in the chain holds a certificate issued by the CA that is one level above it in the trust hierarchy. The root CA issues a certificate for itself.

This section describes how to install CAs for Two-Factor Authentication.

IMPORTANT:

Two-Factor Authentication and LDAP have separate repositories for CAs. Do not confuse them with one another.

To install CA certificates for Two-Factor Authentication, you can use the OA GUI as follows:

Procedure

1. Navigate to the Two-Factor Authentication screen: Enclosure Information > Users/Authentication > Two-Factor Authentication.

2. Click the Certificate Upload tab. The Certificate Upload screen appears.

3. Copy and paste the root CA certificate into the text box provided by the Certificate Upload screen. The certificate includes beginning and ending delimiters, as shown:

-----BEGIN CERTIFICATE-----
MIIDkTCCAnmgAwIBAgIJALg8cO2Ikvr8MA0GCSqGSIb3DQEBBQUAMDkxDDAKBgNVBAMTA2NhMDEUMBIGCgmSJomT8ixkARkWBHRlc3QxEzARBgoJkiaJk/IsZAEZFgNj
...
Ob6IFCSUTKbCVT95cYTRHiSbgBYaqDXBJk3Lyjvtb7ZovmMT5dnU/w061wV5MEceRZfXH3U=
-----END CERTIFICATE-----

4. Click Upload. After the certificate is uploaded successfully, the Certificate Information tab displays.

5. Add an intermediate or end CA in the chain:

a. Return to the Certificate Upload tab.

b. Copy and paste the next CA certificate into the text box provided.

c. Click Upload. After the certificate is successfully uploaded, the Certificate Information tab appears. In this example, the CA1 certificate was issued by the root CA CA0.

d. To install additional CAs, repeat steps a through c for each CA.

CLI commands for administrating certificates

You can use the following CLI commands to add, download, display, and remove certificates. For more information, see the HPE Integrity Superdome X and Superdome 2 Onboard Administrator Command Line Interface User Guide.

• ADD CA CERTIFICATE
• DOWNLOAD CA CERTIFICATE
• SHOW CA CERTIFICATE
• REMOVE CA CERTIFICATE

Installing user certificates on the local Administrator account

Install a user certificate on the OA administrator account, following these steps:

Procedure

1. Navigate to the Local Users Administrator screen (Edit Local User): Enclosure Information > Users/Authentication > Local Users > Administrator.

2. Click the Certificate Information tab. If an Administrator certificate has not yet been installed, the Certificate Information screen appears with an empty text box. Copy and paste the appropriate user certificate into the text box.

3. Click Upload. After the certificate is uploaded successfully, the Certificate Information tab displays.

Enabling Two-Factor Authentication

After successfully uploading CA certificates for Two-Factor Authentication and uploading at least one OA administrator account, you may enable Two-Factor Authentication:

Procedure

1. Navigate to the Two-Factor Authentication Settings tab (Enclosure Information > Users/Authentication > Local Users > Two-Factor Authentication).

2. Select the Enable Two-Factor Authentication check box. If you are using Two-Factor Authentication in combination with LDAP, use the Certificate Owner field to specify whether to have the OA use the subject alternative name field (SAN) or the certificate subject field (Subject). For more information about using Two-Factor Authentication with LDAP, see TFA+LDAP Authentication on page 243.

3. Click Apply.

Logging into the Onboard Administrator web GUI using Enabling Two-Factor Authentication

Browse to the OA web GUI and click the appropriate user certificate. The browser should ask you to confirm the certificate.

The certificate is necessary for establishing an SSL/TLS session with the OA. If the connection is made successfully, you will be logged in to the OA as a local user.

If problems occur, refer to Troubleshooting TFA+LDAP authentication problems.

TFA+LDAP Authentication

In addition to normal two-factor authentication, the OA also supports TFA+LDAP authentication. In this mode, the user must:

• Have a user certificate installed on the OA

• Know the PIN to the certificate

• Know the associated LDAP password

The advantages of TFA+LDAP authentication are:

• Greater security is gained, as three items are required to authenticate instead of two.

• Authorization (access permission) is managed using LDAP groups instead of mapping user certificates to individual local OA user accounts.

How TFA+LDAP authentication works

If LDAP is configured and the Two-Factor Authentication user certificate is not mapped to a local OA user account, then when a user attempts to log in to the OA GUI login page, the OA extracts a user ID from the user certificate and prompts the user for the LDAP password.

The LDAP user name is extracted from either the subject or subject alternative name field of the certificate and is visible in the OA login page, depending on your selection made on the Two-Factor Authentication Settings tab. For more information, see Enabling Two-Factor Authentication on page 242. If subject is selected, then the user name is formatted according to RFC 2253 to create an FQDN. If SAN (subject alternative name) is selected, the OA uses the first SAN field in the certificate that is of type EMAIL, OTHERNAME, DNS, or URI. The CA controls the order and content of subject alternative name fields during the signing process. You cannot change the name used in the GUI.

After you specify the LDAP password, the following checks occur:

• The user certificate is verified against the CA certificates installed on the OA.

• The LDAP credentials are authenticated against the configured LDAP server.

• The LDAP user is verified as a member of an authorized group on the OA.

If all three conditions are met, a session to the OA is established and the user is fully logged in to the OA.
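Because the CA fixes the SAN order, it is worth checking which entry the rule above would select before relying on SAN mode. The following added example (not HPE code and not the OA's own implementation) applies the stated rule, first SAN entry of type EMAIL, OTHERNAME, DNS or URI, to the text printed by `openssl x509 -noout -text`; the function names and the sample certificate text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not HPE code. Input on stdin: output of `openssl x509 -noout -text`.

# Print every SAN entry on its own line, in certificate order.
san_entries() {
    awk '
    /X509v3 Subject Alternative Name:/ { grab = 1; next }
    grab {
        sub(/^[ \t]+/, "")
        n = split($0, tok, ", ")
        cnt = 0
        for (i = 1; i <= n; i++) {
            # A token that starts with a GeneralName label opens a new entry;
            # anything else (such as the RDNs of a DirName) continues the previous one.
            if (tok[i] ~ /^(email|DNS|URI|othername|IP Address|DirName|Registered ID):/) {
                entry[++cnt] = tok[i]
            } else if (cnt > 0) {
                entry[cnt] = entry[cnt] ", " tok[i]
            }
        }
        for (i = 1; i <= cnt; i++) print entry[i]
        exit
    }'
}

# Print the entry the stated rule selects; exit status 1 if no entry qualifies.
tfa_san_pick() {
    san_entries | awk '
    /^(email|othername|DNS|URI):/ { print; found = 1; exit }
    END { exit(found ? 0 : 1) }'
}

# Succeed only if the selected entry has the expected label ($1: email, othername, DNS or URI).
# Exit status 2 means the certificate has no usable SAN entry at all.
tfa_san_expect() {
    picked=$(tfa_san_pick) || return 2
    [ "${picked%%:*}" = "$1" ]
}

# Constructed sample: the DNS name precedes the e-mail address, so the DNS name is selected.
sample_cert_text() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: 
                IP Address:192.0.2.10, DirName:C = US, O = Example Corp, DNS:ws1.example.com, email:jsmith@example.com
EOF
}
```

On a real certificate: `openssl x509 -in certs/test-user.pem -noout -text | tfa_san_expect email`.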

Enabling TFA+LDAP authentication

To use TFA+LDAP authentication, perform the following steps:

Procedure

1. Configure the OA for Two-Factor Authentication, following the instructions in Configuring the Onboard Administrator for Two-Factor Authentication with local accounts on page 237.

2. Configure the Onboard Administrator to use LDAP authentication, as described in Directory Settings screen on page 53.

3. Log in to the Onboard Administrator using only Two-Factor Authentication and then re-enable LDAP. This step is required because enabling Two-Factor Authentication automatically disables LDAP. For more information about enabling LDAP, see Directory Settings screen on page 53 and Preparing the directory on page 215.

4. After verifying that everything works as expected, you may disable Local Account access by deselecting the Enable Local Users check box on the Directory Settings screen.

Methods for specifying the subject field on a CSR

You can use any of several methods to control the content of the subject field on a CSR:

• Interactively on the OpenSSL command line

• Manually on the OpenSSL command line. For an example, see Generating a user CSR and new server key on page 232.

• In the OpenSSL configuration file (.cnf)

• Through an abbreviated OpenSSL response file. The response file is generated by the CA and contains your public key and is digitally signed by the CA; you install the response file on the web server.

Use the method that best suits your needs.

Troubleshooting TFA+LDAP authentication problems

Symptom

This section describes solutions for problems that might be seen when attempting to authenticate using TFA and LDAP certificates.

Problem:

Browser reports cannot display webpage or authentication attempt failed message.

Solution 1

Cause

For the cannot display webpage problem:

Action

1. Verify that the certificate has approved usage for the SSL client. For example, issue the following command:

[user1@user1-station examples]$ openssl verify -CAfile CA/CA.pem -verbose \
-purpose sslclient ./TestUser/certs/test-user.pem
./TestUser/certs/test-user.pem: OK

2. Verify that this certificate is available to the browser. In Internet Explorer, refer to Tools > Options > Internet > Content > Certificates.

3. If the certificate is stored on a key or token, ensure that it has been properly installed on the key or token.

Solution 2

Cause

If you see the authentication attempt failed message from the browser, a certificate with SSL client usage was available to establish the SSL/TLS session, but other issues exist. Try the following steps:

Action

1. Make sure the certificate is valid, using a command such as the following:

[level1CA]$ openssl verify -CAfile CA/CA.pem -verbose -purpose sslclient ~/examples/level1CA/newcerts/0A.pem
...
error 9 at 0 depth lookup:certificate is not yet valid

2. If the certificate is not valid, follow the instructions provided by the OpenSSL error message. If the certificate is not valid, the system clock might be defective. If the certificate cannot be verified, the corresponding CA certificate might not be available. In addition, follow these steps:

a. Ensure that the dates associated with the certificate have not expired.

b. Examine the CSR OpenSSL configuration file [keyUsage] and extendedKeyUsage fields. The keyUsage field specifies usage restrictions.

If present, the extendedKeyUsage field places additional restrictions on usage.

If the extendedKeyUsage field is present and specifies clientAuth only, the browser (Internet Explorer) will not pass the certificate to the Onboard Administrator. This leads to the cannot display web page message.

If the extendedKeyUsage field is not present, the certificate can be used for smart card login. To enable certificate usage in smart cards, the keyUsage field must include sslAuth and, if present, the extendedKeyUsage field must specify client authentication, code signing, and smart card login.

Examples:

The following certificate will not work because it is missing the sslClient usage:

X509v3 Key Usage: critical
    Digital Signature, Non Repudiation

The following certificate will work because it contains everything needed:

X509v3 Extended Key Usage:
    TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin
X509v3 Key Usage: critical
    Digital Signature, Non Repudiation, Key Encipherment

Solution 3

Cause

Problem:

Issues attempting to switch among multiple client users on the same system.

Solution:

Sometimes browsers cache credentials to a greater extent than necessary. Try clearing the browser cache, deleting all temporary files, and then closing all browser windows. Otherwise, the issue might resolve simply by waiting a day for the sessions to expire.

To test multiple client certificates from the same client system, separate logins might be necessary. Otherwise, the browser might select the last known valid certificate.

CLI examples configuring a user account and certificates

The following example shows Onboard Administrator CLI commands used for configuring a local user account and certificates. Commentary follows the example.

=====================================
== Add user, CA certs, and user cert
=====================================
set script mode on
add user "marc" "password"
SET USER CONTACT "marc" "800-555-1212"
SET USER FULLNAME "marc" "Marc Last-name"
SET USER ACCESS "marc" ADMINISTRATOR
ENABLE USER "marc"
ASSIGN SERVER ALL "marc"
ASSIGN INTERCONNECT ALL "marc"
ASSIGN OA "marc"
show user "marc"
download ca certificate http://dev-srvr/certs/Common-Policy.cer
download ca certificate http://dev-srvr/certs/SHA-1-Federal-Root-CA.cer
download ca certificate http://dev-srvr/certs/DoD-Interoperability-Root-CA-1.cer
download ca certificate http://dev-srvr/certs/DoD-Root-CA-2.cer
download ca certificate http://dev-srvr/certs/DOD-EMAIL-CA-19.cer
download user certificate "marc" http://dev-srvr/certs/Marc-Lastname.cer
show user "marc"
set script mode off

==================================================
== Go to the GUI, enable TFA, then
== log in via the Web browser using the TFA token.
==================================================

=======================================
== Remove Fed certificates and user
=======================================
set script mode on
remove ca certificate "CD:78:54:4C:CA:C6:EA:15:72:81:86:EB:86:59:F6:E6:C0:FA:A7:41"
remove ca certificate "B1:10:5C:D1:0F:C3:70:F5:6B:89:DD:1D:49:F6:D8:30:DF:35:F2:DE"
remove ca certificate "FD:F3:F4:F8:C7:3B:5A:63:20:62:08:88:29:00:D1:92:B1:75:BA:E8"
remove ca certificate "30:BE:4D:40:F6:10:E5:65:B3:53:F3:44:C7:27:64:1E:EE:E7:86:D2"
remove ca certificate "CB:44:A0:97:85:7C:45:FA:18:7E:D9:52:08:6C:B9:84:1F:2D:51:B5"
remove user certificate "Marc"
remove user "marc"
set script mode off

The commands in the first section of the example add a user with Administrator privileges and install certificates:

• Adds a user account (ADD USER)

• Sets user properties (SET USER)

• Enables a user account (ENABLE USER)

• Assigns all server and interconnect bays to the control of the user (ASSIGN SERVER ALL, ASSIGN INTERCONNECT ALL)

• Grants the specified user access privilege to the Onboard Administrator's bays (ASSIGN OA)

• Displays user information, user access level, and bays assigned to the user (SHOW USER)

• Installs CA certificates from the specified locations (DOWNLOAD CA CERTIFICATE)

• Installs a user certificate from the specified location (DOWNLOAD USER CERTIFICATE)

The script comments are a reminder to use the OA GUI to enable Two-Factor Authentication and then to log in via the web browser, using the appropriate TFA key.

The second section of the example:

• Removes CA certificates (REMOVE CA CERTIFICATE)

• Removes a user certificate (REMOVE USER CERTIFICATE)

• Removes a user (REMOVE USER)

Information about CAs and certificates available from the web

For more information about managing CAs and certificates, refer to these websites:

• OpenSSL documentation website (http://www.openssl.org/docs)

• Linux Documentation Project website (http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO) (How to manage CAs and issue or sign SSL certificates)

• G-Loaded Journal website (http://www.g-loaded.eu/2005/11/10/be-your-own-ca/) (How to become a CA and issue server certificates)

• Debian Administration website (http://www.debian-administration.org/articles/284) (Creating and using self-signed certificates)


Support and other resources

Accessing Hewlett Packard Enterprise Support

• For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website:

http://www.hpe.com/assistance

• To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website:

http://www.hpe.com/support/hpesc

Information to collect

• Technical support registration number (if applicable)

• Product name, model or version, and serial number

• Operating system name and version

• Firmware version

• Error messages

• Product-specific reports and logs

• Add-on products or components

• Third-party products or components

Accessing updates

• Some software products provide a mechanism for accessing software updates through the product interface. Review your product documentation to identify the recommended software update method.

• To download product updates:

Hewlett Packard Enterprise Support Center
www.hpe.com/support/hpesc

Hewlett Packard Enterprise Support Center: Software downloads
www.hpe.com/support/downloads

Software Depot
www.hpe.com/support/softwaredepot

• To subscribe to eNewsletters and alerts:

www.hpe.com/support/e-updates

• To view and update your entitlements, and to link your contracts and warranties with your profile, go to the Hewlett Packard Enterprise Support Center More Information on Access to Support Materials page:

www.hpe.com/support/AccessToSupportMaterials

IMPORTANT:

Access to some updates might require product entitlement when accessed through the Hewlett Packard Enterprise Support Center. You must have an HPE Passport set up with relevant entitlements.

Customer self repair

Hewlett Packard Enterprise customer self repair (CSR) programs allow you to repair your product. If a CSR part needs to be replaced, it will be shipped directly to you so that you can install it at your convenience. Some parts do not qualify for CSR. Your Hewlett Packard Enterprise authorized service provider will determine whether a repair can be accomplished by CSR.

For more information about CSR, contact your local service provider or go to the CSR website:

http://www.hpe.com/support/selfrepair

Remote support

Remote support is available with supported devices as part of your warranty or contractual support agreement. It provides intelligent event diagnosis, and automatic, secure submission of hardware event notifications to Hewlett Packard Enterprise, which will initiate a fast and accurate resolution based on your product's service level. Hewlett Packard Enterprise strongly recommends that you register your device for remote support.

If your product includes additional remote support details, use search to locate that information.

Remote support and Proactive Care information

HPE Get Connected
www.hpe.com/services/getconnected

HPE Proactive Care services
www.hpe.com/services/proactivecare

HPE Proactive Care service: Supported products list
www.hpe.com/services/proactivecaresupportedproducts

HPE Proactive Care advanced service: Supported products list
www.hpe.com/services/proactivecareadvancedsupportedproducts

Proactive Care customer information

Proactive Care central
www.hpe.com/services/proactivecarecentral

Proactive Care service activation
www.hpe.com/services/proactivecarecentralgetstarted

Warranty information

To view the warranty for your product, see the Safety and Compliance Information for Server, Storage, Power, Networking, and Rack Products document, available at the Hewlett Packard Enterprise Support Center:

www.hpe.com/support/Safety-Compliance-EnterpriseProducts


Additional warranty information

HPE ProLiant and x86 Servers and Options
www.hpe.com/support/ProLiantServers-Warranties

HPE Enterprise Servers
www.hpe.com/support/EnterpriseServers-Warranties

HPE Storage Products
www.hpe.com/support/Storage-Warranties

HPE Networking Products
www.hpe.com/support/Networking-Warranties

Regulatory information

To view the regulatory information for your product, view the Safety and Compliance Information for Server, Storage, Power, Networking, and Rack Products, available at the Hewlett Packard Enterprise Support Center:

www.hpe.com/support/Safety-Compliance-EnterpriseProducts

Additional regulatory information

Hewlett Packard Enterprise is committed to providing our customers with information about the chemical substances in our products as needed to comply with legal requirements such as REACH (Regulation EC No 1907/2006 of the European Parliament and the Council). A chemical information report for this product can be found at:

www.hpe.com/info/reach

For Hewlett Packard Enterprise product environmental and safety information and compliance data,including RoHS and REACH, see:

www.hpe.com/info/ecodata

For Hewlett Packard Enterprise environmental information, including company programs, productrecycling, and energy efficiency, see:

www.hpe.com/info/environment

Documentation feedback

Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback ([email protected]). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.

Time zone settings

Universal time zone settings

NOTE:

Time zones must be entered exactly as they appear.

The following table provides the Universal time zone settings that are supported by the Onboard Administrator.

CET Etc/GMT-2 Etc/GMT+7 Etc/GMT-13 MST

CST6CDT Etc/GMT+2 Etc/GMT-8 Etc/GMT-14 MST7MDT

EET Etc/GMT-3 Etc/GMT+8 Etc/Greenwich Navajo

EST Etc/GMT+3 Etc/GMT-9 Etc/UCT PST8PDT

EST5EDT Etc/GMT-4 Etc/GMT+9 Etc/Universal UCT

Etc/GMT Etc/GMT+4 Etc/GMT-10 Etc/UTC Universal

Etc/GMT0 Etc/GMT-5 Etc/GMT+10 Etc/Zulu UTC

Etc/GMT-0 Etc/GMT+5 Etc/GMT-11 GMT WET

Etc/GMT+0 Etc/GMT-6 Etc/GMT+11 Greenwich W-SU

Etc/GMT-1 Etc/GMT+6 Etc/GMT-12 HST Zulu

Etc/GMT+1 Etc/GMT-7 Etc/GMT+12 MET -

Africa time zone settings

NOTE:

Time zones must be entered exactly as they appear.

The following table provides the African time zone settings that are supported by the Onboard Administrator.

Africa/Abidjan Africa/Ceuta Africa/Kinshasa Africa/Ndjamena

Africa/Accra Africa/Conakry Africa/Lagos Africa/Niamey

Africa/Addis_Ababa Africa/Dakar Africa/Libreville Africa/Nouakchott

Africa/Algiers Africa/Dar_es_Salaam Africa/Lome Africa/Ouagadougou

Africa/Asmera Africa/Djibouti Africa/Luanda Africa/Porto-Novo

Africa/Bamako Africa/Douala Africa/Lubumbashi Africa/Sao_Tome

Africa/Bangui Africa/El_Aaiun Africa/Lusaka Africa/Timbuktu

Africa/Banjul Africa/Freetown Africa/Malabo Africa/Tripoli

Africa/Bissau Africa/Gaborone Africa/Maputo Africa/Tunis

Africa/Blantyre Africa/Harare Africa/Maseru Africa/Windhoek

Africa/Brazzaville Africa/Johannesburg Africa/Mbabane Egypt

Africa/Bujumbura Africa/Kampala Africa/Mogadishu Libya

Africa/Cairo Africa/Khartoum Africa/Monrovia -

Africa/Casablanca Africa/Kigali Africa/Nairobi -

Americas time zone settings

NOTE:

Time zones must be entered exactly as they appear.

The following table provides the Americas time zone settings that are supported by the Onboard Administrator.

America/Adak America/Indiana/Knox America/Santo_Domingo

America/Anchorage America/Indiana/Marengo America/Sao_Paulo

America/Anguilla America/Indianapolis America/Scoresbysund

America/Antigua America/Indiana/Vevay America/Shiprock

America/Araguaina America/Inuvik America/St_Johns

America/Aruba America/Iqaluit America/St_Kitts

America/Asuncion America/Jamaica America/St_Lucia

America/Atka America/Jujuy America/St_Thomas

America/Barbados America/Juneau America/St_Vincent

America/Belem America/Kentucky/Louisville America/Swift_Current

America/Belize America/Kentucky/Monticello America/Tegucigalpa

America/Boa_Vista America/Knox_IN America/Thule

America/Bogota America/La_Paz America/Thunder_Bay

America/Boise America/Lima America/Tijuana

America/Buenos_Aires America/Los_Angeles America/Tortola

America/Cambridge_Bay America/Louisville America/Vancouver

America/Cancun America/Maceio America/Virgin

America/Caracas America/Managua America/Whitehorse

America/Catamarca America/Manaus America/Winnipeg

America/Cayenne America/Martinique America/Yakutat

America/Cayman America/Mazatlan America/Yellowknife

America/Chicago America/Mendoza Brazil/Acre

America/Chihuahua America/Menominee Brazil/DeNoronha

America/Cordoba America/Merida Brazil/East

America/Costa_Rica America/Mexico_City Brazil/West

America/Cuiaba America/Miquelon Canada/Atlantic

America/Curacao America/Monterrey Canada/Central

America/Dawson America/Montevideo Canada/Eastern

America/Dawson_Creek America/Montreal Canada/East-Saskatchewan

America/Denver America/Montserrat Canada/Mountain

America/Detroit America/Nassau Canada/Newfoundland

America/Dominica America/New_York Canada/Pacific

America/Edmonton America/Nipigon Canada/Saskatchewan

America/Eirunepe America/Nome Canada/Yukon

America/El_Salvador America/Noronha Chile/Continental

America/Ensenada America/Panama Chile/EasterIsland

America/Fortaleza America/Pangnirtung Cuba

America/Fort_Wayne America/Paramaribo Jamaica

America/Glace_Bay America/Phoenix Mexico/BajaNorte

America/Godthab America/Port-au-Prince Mexico/BajaSur

America/Goose_Bay America/Porto_Acre Mexico/General

America/Grand_Turk America/Port_of_Spain US/Alaska

America/Grenada America/Porto_Velho US/Aleutian

America/Guadeloupe America/Puerto_Rico US/Arizona

America/Guatemala America/Rainy_River US/Central

America/Guayaquil America/Rankin_Inlet US/Eastern

America/Guyana America/Recife US/East-Indiana

America/Halifax America/Regina US/Indiana-Starke

America/Havana America/Rio_Branco US/Michigan

America/Hermosillo America/Rosario US/Mountain

America/Indiana/Indianapolis America/Santiago US/Pacific

Asia time zone settings

NOTE:

Time zones must be entered exactly as they appear.

The following table provides the Asian time zone settings that are supported by the Onboard Administrator.

Asia/Aden Asia/Damascus Asia/Krasnoyarsk Asia/Saigon Asia/Yakutsk

Asia/Almaty Asia/Dhaka Asia/Kuala_Lumpur Asia/Samarkand Asia/Yekaterinburg

Asia/Amman Asia/Dili Asia/Kuching Asia/Seoul Asia/Yerevan

Asia/Anadyr Asia/Dubai Asia/Kuwait Asia/Shanghai Hongkong

Asia/Aqtau Asia/Dushanbe Asia/Macao Asia/Singapore Iran

Asia/Aqtobe Asia/Gaza Asia/Magadan Asia/Taipei Israel

Asia/Ashgabat Asia/Harbin Asia/Manila Asia/Tashkent Japan

Asia/Ashkhabad Asia/Hong_Kong Asia/Muscat Asia/Tbilisi Mideast/Riyadh87

Asia/Baghdad Asia/Hovd Asia/Nicosia Asia/Tehran Mideast/Riyadh88

Asia/Bahrain Asia/Irkutsk Asia/Novosibirsk Asia/Tel_Aviv Mideast/Riyadh89

Asia/Baku Asia/Istanbul Asia/Omsk Asia/Thimbu PRC

Asia/Bangkok Asia/Jakarta Asia/Phom_Penh Asia/Thimphu ROC

Asia/Beirut Asia/Jayapura Asia/Pyongyang Asia/Tokyo ROK

Asia/Bishkek Asia/Jerusalem Asia/Qatar Asia/Ujung_Pandang Singapore

Asia/Brunei Asia/Kabul Asia/Rangoon Asia/Ulaanbaatar Turkey

Asia/Calcutta Asia/Kamchatka Asia/Riyadh Asia/Ulan_Bator -

Asia/Chungking Asia/Karachi Asia/Riyadh87 Asia/Urumqi -

Asia/Colombo Asia/Kashgar Asia/Riyadh88 Asia/Vientiane -

Asia/Dacca Asia/Katmandu Asia/Riyadh89 Asia/Vladivostok -

Oceanic time zone settings

NOTE:

Time zones must be entered exactly as they appear.

The following table provides the Oceanic time zone settings that are supported by the Onboard Administrator.

Atlantic/Azores Australia/NSW NZ-CHAT Pacific/Niue

Atlantic/Bermuda Australia/Perth Pacific/Apia Pacific/Norfolk

Atlantic/Canary Australia/Queensland Pacific/Auckland Pacific/Noumea

Atlantic/Cape_Verde Australia/South Pacific/Chatham Pacific/Pago_Pago

Atlantic/Faeroe Australia/Sydney Pacific/Easter Pacific/Palau

Atlantic/Jan_Mayen Australia/Tasmania Pacific/Efate Pacific/Pitcairn

Atlantic/Madeira Australia/Victoria Pacific/Enderbury Pacific/Ponape

Atlantic/Reykjavik Australia/West Pacific/Fakaofo Pacific/Port_Moresby

Atlantic/South_Georgia Australia/Yancowina Pacific/Fiji Pacific/Rarotonga

Atlantic/Stanley Iceland Pacific/Funafuti Pacific/Saipan

Atlantic/St_Helena Indian/Antananarivo Pacific/Galapagos Pacific/Samoa

Australia/ACT Indian/Chagos Pacific/Gambier Pacific/Tahiti

Australia/Adelaide Indian/Christmas Pacific/Guadalcanal Pacific/Tarawa

Australia/Brisbane Indian/Cocos Pacific/Guam Pacific/Tongatapu

Australia/Broken_Hill Indian/Comoro Pacific/Honolulu Pacific/Truk

Australia/Canberra Indian/Kerguelen Pacific/Johnston Pacific/Wake

Australia/Darwin Indian/Mahe Pacific/Kiritimati Pacific/Wallis

Australia/Hobart Indian/Maldives Pacific/Kosrae Pacific/Yap

Australia/LHI Indian/Mauritius Pacific/Kwajalein US/Hawaii

Australia/Lindeman Indian/Mayotte Pacific/Majuro US/Samoa

Australia/Lord_Howe Indian/Reunion Pacific/Marquesas -

Australia/Melbourne Kwajalein Pacific/Midway -

Australia/North NZ Pacific/Nauru -

Europe time zone settings

NOTE:

Time zones must be entered exactly as they appear.

The following table provides the European time zone settings that are supported by the Onboard Administrator.

Eire Europe/Helsinki Europe/Paris Europe/Vaduz

Europe/Amsterdam Europe/Istanbul Europe/Prague Europe/Vatican

Europe/Andorra Europe/Kaliningrad Europe/Riga Europe/Vienna

Europe/Athens Europe/Kiev Europe/Rome Europe/Vilnius

Europe/Belfast Europe/Lisbon Europe/Samara Europe/Warsaw

Europe/Belgrade Europe/Ljubljana Europe/San_Marino Europe/Zagreb

Europe/Berlin Europe/London Europe/Sarajevo Europe/Zaporozhye

Europe/Bratislava Europe/Luxembourg Europe/Simferopol Europe/Zurich

Europe/Brussels Europe/Madrid Europe/Skopje GB

Europe/Bucharest Europe/Malta Europe/Sofia GB-Eire

Europe/Budapest Europe/Minsk Europe/Stockholm Poland

Europe/Chisinau Europe/Monaco Europe/Tallinn Portugal

Europe/Copenhagen Europe/Moscow Europe/Tirane -

Europe/Dublin Europe/Nicosia Europe/Tiraspol -

Europe/Gibraltar Europe/Oslo Europe/Uzhgorod -

Polar time zone settings

NOTE:

Time zones must be entered exactly as they appear.

The following table provides the Polar time zone settings that are supported by the Onboard Administrator.

Antarctica/Casey Antarctica/McMurdo Antarctica/Vostok

Antarctica/Davis Antarctica/Palmer Arctic/Longyearbyen

Antarctica/DumontDUrville Antarctica/South_Pole -

Antarctica/Mawson Antarctica/Syowa -

Connecting to the OA with a local PC

A PC might be connected directly to the OA module in the following two ways:

• Using a terminal emulator through the OA service port (Ethernet). Use this port for normal communication with the OA. See Connecting a PC to the OA service port.

• Using a standard serial connection through the OA serial port (RS232). This is used for debugging purposes only and is not used for monitoring or modifying OA settings. See Connecting a PC to the OA serial port.

Connecting a PC to the OA service port

The OA service port is the compute enclosure link-up connector, which also has a laptop icon next to the up arrow. When the enclosure link connectors are used to link enclosures, the top enclosure link-up connector will be the Service Port for all the linked enclosures. This port is a 100BaseT Ethernet jack and might be directly connected to a PC RJ45 Ethernet connector using a standard CAT5 patch cable, as the wiring on the link-up connector is crossed over to allow direct connection to a PC 100BaseT connector.

The Service Port provides direct connection to any of the active OA modules in the complex, or just the active OA module in a single enclosure if there are no other enclosures in the complex. The network connection is private to the enclosures and cannot be used to access any device outside the internal enclosure management network. Use the connection to directly access the active OA at the active service IP address, located on the enclosure Insight Display, Enclosure Info screen.

The laptop or PC connected to the enclosure service port must have DHCP enabled on its network connection. The laptop or PC gets a zero-conf IP address in the range of after a DHCP timeout if the laptop or PC is running Windows. If the laptop or PC is running Linux, you will probably need to manually set the network port to 169.254.2.1 with a netmask of 255.255.0.0.

Procedure

1. Connect a laptop or PC 100/1000Mb Ethernet port to the enclosure service (link-up) port on the OA interposer using a standard CAT5e patch cable.

2. Access an active OA as follows:

• To access an active OA GUI: Use the active OA service IP address from the Insight Display on that enclosure as the web address in your laptop or PC browser.

• To access an active OA CLI: Use a Telnet or Secure Shell program based on the configured network access settings and connect to the active OA service IP address.

3. Log into the OA with the "Administrator" user account and the OA default password located on the OA toe tag.

For information on using the OA CLI, see Using the Command Line Interface.

Because none of the configured device bay iLOs have an IP address in the zero-conf IP address range, you must manually add a network route on the laptop or PC to access the iLO IP address from the service port. The syntax for using a Windows laptop or PC command shell is as follows:

route add iLO_IP_address mask 255.255.255.255 <OA_service_IP_address>

After the route to an iLO has been added to the laptop or PC, the iLO can be accessed from the OA GUI or directly using Secure Shell.
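The route step above, worked as an added example that is not part of the HPE guide: a Python helper that checks the addresses and emits one host route per iLO in the syntax shown, plus the matching `route delete` commands for when the temporary connection is removed. The function name, the sample addresses, and the check that the OA service IP lies in 169.254.0.0/16 (inferred from the 255.255.0.0 netmask given earlier) are assumptions of this example.

```python
import ipaddress

# Zero-conf (link-local) network of the service port, matching the
# 169.254.2.1 / 255.255.0.0 laptop setting given in the text.
SERVICE_NET = ipaddress.ip_network("169.254.0.0/16")


def plan_ilo_routes(oa_service_ip, ilo_ips):
    """Build Windows host-route commands for reaching iLOs via the OA.

    Returns (add_cmds, delete_cmds, on_link): the commands that add each
    route, the commands that remove it after the maintenance event, and
    the iLO addresses that need no route because they are already on the
    service-port network. Raises ValueError on unusable input.
    """
    gateway = ipaddress.ip_address(oa_service_ip)
    # Assumption of this example: a gateway has to be on-link for the
    # laptop, so the OA service IP must sit inside the service network.
    if gateway.version != 4 or gateway not in SERVICE_NET:
        raise ValueError(f"{gateway} is not on {SERVICE_NET}; "
                         "re-read it from the Enclosure Info screen")

    add_cmds, delete_cmds, on_link, seen = [], [], [], set()
    for raw in ilo_ips:
        ilo = ipaddress.ip_address(raw.strip())  # ValueError if malformed
        if ilo.version != 4:
            raise ValueError(f"{ilo}: the route syntax shown is IPv4 only")
        if ilo.is_multicast or ilo.is_unspecified or ilo.is_loopback:
            raise ValueError(f"{ilo} is not a usable host address")
        if ilo in seen:          # ignore repeated entries in the input
            continue
        seen.add(ilo)
        if ilo in SERVICE_NET:   # already reachable, no route required
            on_link.append(str(ilo))
            continue
        # Host route (mask 255.255.255.255) so only this iLO is redirected.
        add_cmds.append(f"route add {ilo} mask 255.255.255.255 {gateway}")
        delete_cmds.append(f"route delete {ilo}")
    return add_cmds, delete_cmds, on_link


if __name__ == "__main__":
    # Constructed sample values (documentation address range), not real hosts.
    adds, deletes, local = plan_ilo_routes(
        "169.254.1.17", ["192.0.2.21", "192.0.2.22", "169.254.1.40"])
    print("\n".join(adds + deletes))
    print("no route needed for:", local)
```

Run the generated `route add` lines in an elevated Windows command shell, and the `route delete` lines once the service port cable is unplugged.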

The active OA does not support routing from the service port to an interconnect module management processor. However, if the interconnect module supports the serial connection to the OA, then the OA CLI CONNECT INTERCONNECT command can be used to connect to an interconnect module.

The service port connection is intended only as a temporary Ethernet connection to the enclosure private network, so that the management port does not have to be disconnected from the external management network to access the OA during a maintenance event.

Connecting a PC to the OA serial port

If needed for debugging purposes, the OA can be accessed locally through a serial (debug) port connector on the rear of the OA module. Use a laptop or another computer as a serial console to communicate with the OA.

IMPORTANT:

Use this interface only for OA debugging purposes or during initial setup for assigning active OA network information. This connection cannot be maintained under normal server operations.

Procedure

1. Connect a serial cable between the serial port on the computer and the serial port on the OA module. The following table is for the DB9 serial (RS232) port and shows the pinout and signals for the RS232 connector. The signal direction is DTE (computer) relative to the DCE (OA).

NOTE:

A laptop or PC connected to the OA serial port requires a null-modem cable. The minimum connection to an external console is pins 2, 3, and 5.

Pin  Name  Signal direction  Description
1    CD    computer <<--     Carrier detect
2    RXD   computer <<--     Receive data
3    TXD   computer -->>     Transmit data
4    DTR   computer -->>     Data terminal ready
5    GND                     System ground
6    DSR   computer <<--     Data set ready
7    RTS   computer -->>     Request to send
8    CTS   computer <<--     Clear to send
9    RI    computer <<--     Ring indicator

2. Use any standard communication software to launch a terminal emulation session with the following parameters:

Parameter Value

Transmission rate 9600 bps

Data bits 8

Parity None

Stop bits 1

Protocol None

3. Log into the OA with the "Administrator" user account and the OA default password located on the OA toe tag.

For information on using the OA CLI, see the HPE Integrity Superdome X and Superdome 2 Onboard Administrator Command Line Interface User Guide.

Modifying the serial connection baud rate

NOTE:

This information applies only to Integrity Superdome X systems.

If the serial baud rate must be adjusted from the OA to match the serial baud rate coming from the OS, modify the OS serial console from the default 9600 baud using the HPONCFG command from the OA CLI. Set the baud rate (serial speed) by entering the value shown in the table below.

SET SCRIPT MODE ON
HPONCFG <bay#> << EOF
<RIBCL VERSION="2.0">
  <LOGIN USER_LOGIN="adminname" PASSWORD="password">
    <RIB_INFO MODE="write">
      <MOD_GLOBAL_SETTINGS>
        <SERIAL_CLI_SPEED value="1"/>
      </MOD_GLOBAL_SETTINGS>
    </RIB_INFO>
  </LOGIN>
</RIBCL>
EOF

Serial speed (baud)  SERIAL_CLI_SPEED value
9600                 1
19200                2
38400                3
57600                4
115200               5

NOTE:

For Linux systems, a CLI speed of 115200 baud (value="5") is recommended.

Warranty and regulatory information

For important safety, environmental, and regulatory information, see Safety and Compliance Information for Server, Storage, Power, Networking, and Rack Products, available at www.hpe.com/support/Safety-Compliance-EnterpriseProducts.

Warranty information

HPE ProLiant and x86 Servers and Options

www.hpe.com/support/ProLiantServers-Warranties

HPE Enterprise Servers

www.hpe.com/support/EnterpriseServers-Warranties

HPE Storage Products

www.hpe.com/support/Storage-Warranties

HPE Networking Products

www.hpe.com/support/Networking-Warranties

Regulatory information

Belarus Kazakhstan Russia marking

Manufacturer and Local Representative Information

Manufacturer information:

Hewlett Packard Enterprise Company, 3000 Hanover Street, Palo Alto, CA 94304 U.S.

Local representative information Russian:

• Russia:

• Belarus:

• Kazakhstan:

Local representative information Kazakh:

• Russia:

• Belarus:

• Kazakhstan:

Manufacturing date:

The manufacturing date is defined by the serial number.

CCSYWWZZZZ (serial number format for this product)

Valid date formats include:

• YWW, where Y indicates the year counting from within each new decade, with 2000 as the starting point; for example, 238: 2 for 2002 and 38 for the week of September 9. In addition, 2010 is indicated by 0, 2011 by 1, 2012 by 2, 2013 by 3, and so forth.

• YYWW, where YY indicates the year, using a base year of 2000; for example, 0238: 02 for 2002 and 38 for the week of September 9.

Turkey RoHS material content declaration

Ukraine RoHS material content declaration

Standard terms, abbreviations, and acronyms

ACPI

Advanced configuration and power interface.

ASCII

American standard code for information interchange.

ASIC

Application-specific integrated circuit.

BBRAM

Battery-backed RAM.

BBWC

Battery-backed write cache.

BCH

Boot console handler.

BEN

Blade Entitlement Number

CAE

Core Analysis Engine

CCM

CAMnet completer module.

CE

Customer engineer.

CEC

Core electronics complex.

CMA

Cable management arm.

CMC

Corrected machine check.

CNA

Converged Network Adapter.

CPE

Correctable platform error.

CRAC

Computer room air conditioner.

CRAH

Computer room air handler.

CRU

Customer replaceable unit.

CSR

Control status registers.

DDNS

Dynamic domain name system.

DHCP

Dynamic host configuration protocol.

DLL

Dynamic-link library.

DMA

Direct memory access.

DMDC

Data multiplexer/demultiplexer controller.

DNS

Domain name system.

EBIPA

Enclosure Bay IP Addressing

EFI

Extensible firmware interface.

See also: UEFI

EIA

Electronic Industries Association.

EMS

Event management service.

ESD

Electrostatic discharge.

FC

Fibre channel.

FPL

Forward progress log.

FRU

Field replaceable unit.

FTP

File Transfer Protocol.

GPSM

Global partition services module.

HBA

Host bus adapter.

HR

Health Repository

IDC

Integrity Data Collector.

iLO 4

Integrated Lights-Out 4.

IRC

Integrated Remote Console.

IRS

Insight Remote Support.

KVM

Keyboard, Video, and Mouse.

LAN

Local Area Network.

LDAP

Lightweight directory access protocol.

LOM

LAN on motherboard.

LVM

Logical volume manager.

MCA

Machine check abort.

MPS

Maximum payload size.

NVRAM

Nonvolatile RAM.

OA

Onboard Administrator.

PA-RISC

Precision Architecture-Reduced Instruction Set Computing.

PCA

Printed circuit assembly.

PCI

Peripheral component interface.

PCIe

Peripheral component interconnect express.

POL

Point-of-load.

POSSE

Pre-OS system start-up environment.

POST

Power-on self-test.

QPI

Intel QuickPath Interconnect.

RETMA

Radio Electronics Television Manufacturers Association

SAS

Serial attached SCSI.

SATA

Serial ATA.

SBA

System bus adapter.

SDRAM

Synchronous dynamic random access memory.

SEL

System event log.

SFM

System fault management.

SFP

Small form-factor pluggable.

SFW

System Firmware.

SIM

System insight manager.

SMBIOS

System management BIOS.

SMH

System management home page.

SGPIO

Serial general purpose input/output.

SSH

Secure Shell.

STM

Support tool manager.

SUV

Serial, USB, Video. A single board containing these three functions. A single connector attaches to the SUV board and has three ends, one for Serial (DB9), one for USB, and one for video (DB15).

SXFM

x86 enhanced performance crossbar fabric module.

TFTP

Trivial file transfer protocol.

TLB

Translation look-aside buffer.

ToC

Transfer of control.

TPM

Trusted platform module.

UART

Universal asynchronous receiver-transmitter.

UEFI

Unified extensible firmware interface, replaces EFI.

UID

Unit identification.

UPS

Uninterruptible power supply.

USB

Universal serial bus.

VRM

Voltage regulator module.

WBEM

Web-based enterprise management.

XBar

Crossbar.

XFM

Crossbar Fabric Module.

XFM2

Crossbar Fabric 2 Module. Displayed as SXFM by the OA.

XPF

x86/x64 Processor Family.
