Main: Integrity LOM
From Servers4Linux
Many HP servers have lights-out management capabilities. The ones I have seen on Integrity servers all seem pretty similar; I'd bet that they all share a common architecture and software. The point of having access to lights-out management is that you can remotely see the environmental or power status, shut the power off, turn the power on, cycle the power, and most importantly, if properly configured, get access to the system console.
The specific LOM used in this write-up is from an rx2620. The LOM in an rx2620 is an optional card that may or may not be installed in a used machine. It's pretty easy to spot: if a LOM is installed, the LOM ports will have connectors available; if not, there will be mesh across the holes where the connectors should be.
RTFM
A good first step is to find, get and read the manual. Yes, I know it's tempting not to, but read the fscking manual (RTFM). In this case, go to HP's documentation section for the rx2620 and read the "HP Integrity and HP 9000 iLO MP Operations Guide, Fifth Edition". It really does save you some grief later. I'm only going to highlight the "gotchas" as I saw them; for normal trivial operations I'll assume that you read the manual, and I won't go into nit-noid detail on every little configuration step.
Decide on Some Configuration Parameters
The whole point of getting the LOM going is to access it from the network. To do this, you'll need to know the usual networking parameters.
- Passwords and users. The LOM comes with 2 built-in users, Admin and Oper. You'll need to set good passwords for these. Optionally, you can make new users.
- A host name for the LOM. This is in addition to the host name of the host itself: you need 2 names, one for the host and one for the LOM. In my example, the host name is ipf00, and the name for the LOM is ipf00-lom.
- The usual networking parameters: IP address, gateway, subnet mask, DNS servers, etc. You need 2 IP addresses, one for the host and one for the LOM. (You could optionally use DHCP, but having the management port's IP address be variable and subject to change seems a bit silly.)
Making the Initial Serial Connection
In order to do any configuration of a LOM, you need to be able to reach it somehow for the initial setup. Usually the initial connection is via the serial port. Once you're in, you configure the networking parameters, and further access is via the network.
On an rx2620, the LOM has a couple of idiosyncrasies. First, just to confuse the easily confused, there are two ports labelled console. This comes from the fact that this LOM is optional. If you chose NOT to get a LOM, then the DB-9 serial port on the main chassis labelled "CONSOLE" is indeed the console. If, however, you have a LOM, then the LOM "steals" the chassis console connection. This means that if the machine is equipped with a LOM, the main chassis console port is not connected (always dead) and the serial console is redirected to the "CONSOLE/REMOTE/UPS" port on the LOM card.
The second not-so-obvious "gotcha" with this LOM is that although the LOM console port appears to be a standard DB-25 serial connection, it's not. One clue is that it is labelled "CONSOLE/REMOTE/UPS". Huh? Yes, it really is three ports duplexed (triplexed?) together. They did this magic by making you use a special cable (called a "W" cable by some; others call it an "M" cable). Whatever. If you don't have the special cable, you can't use the LOM console port. That pretty much sucks. I bought an HP A6144-63001 L3000 M-CABLE from these guys, used, for about $40.
So anyway, assuming that you have the special cable, you need to hook something to it that speaks serial. You could use an actual serial terminal if you have one lying around. I like these. They are bulletproof, and once configured, they are always on. You don't have to wait for a boot, or log in, or start a program; they are just on. If you want a real serial terminal, look for a late-model HP C1099A. These are the latest serial terminals HP made, and they are what HP intended you to use for a serial console. I bought mine for $150 used. I keep it on a roll-y cart with a coffee can full of connectors so I can roll it from rack to rack as I need it.
Lots of folks use an older laptop that still has its own serial port. Serial ports on laptops are becoming less and less common. If you have a laptop with a serial port, you can easily hook it to the console port and use HyperTerminal or whatever to talk to it.
Thankfully, these LOM ports default to the usual 9600 baud, 8/None/1 that many (most?) serial consoles use.
Check out this page for more on general serial console issues.
Initial Log In
Once you get something connected that speaks serial, you should get a login banner.
MP login:
MP password:
Hmm. Either the former owners used the LOM or they didn't. If they didn't, the passwords are still set to the factory defaults. Try hitting the enter key a few times. If it was never configured, you'll get a hint like so:
MP login:
MP password:
*************************************************************************
This is a private system.
Do not attempt to login unless you are an authorized user.
Any authorized or unauthorized access or use may be monitored and can
result in criminal or civil prosecution under applicable law.
*************************************************************************
*************************************************************************
Only default users are configured.
Use one of the following user/password pairs to login:
Admin/Admin
Oper/Oper
*************************************************************************
MP login:
If you don't see the hint on how to log in, then the previous owners must have configured it. You'll have to reset it so that you can log in with the defaults. Thankfully HP made this easy on this LOM. There's a small button on the back panel of the chassis labelled "MP RESET". Push it with something poky, like a straightened paper clip or a pencil. Press and hold for 4 seconds and you'll get something like:
MP login:
HP Management Processor
Firmware Revision E.03.32 Nov 1 2007,03:25:16
(c) Copyright Hewlett-Packard Company 1999-2007. All Rights Reserved.
Resetting MP.
Press 'p' now to clear all MP passwords and users..p
Confirm you would like to clear passwords and users? (Y/[N]) y
All MP passwords and user information is cleared.
Log in as Admin. You'll see the following:
MP login: Admin
MP password: *****
Hewlett-Packard Integrated Lights-Out HP Integrity and HP 9000
(c) Copyright Hewlett-Packard Company 1999-2007. All Rights Reserved.
MP Host Name: mp00306e3afab3
Revision E.03.32
*************************************************************************
MP ACCESS IS NOT SECURE
Default MP users are currently configured and remote access is enabled.
Modify default users passwords or delete default users (see UC command)
OR
Disable all types of remote access (see SA command)
*************************************************************************
*************************************************************************
Your Certificate is expired.
Use the SO command to generate a new certificate.
*************************************************************************
MP MAIN MENU:
CO: Console
VFP: Virtual Front Panel
CM: Command Menu
CL: Console Log
SL: Show Event Logs
CSP: Connect to Service Processor
SE: Enter OS Session
HE: Main Help Menu
X: Exit Connection
[mp00306e3afab3] MP>
Secure the LOM
There are probably lots of things you'll want to configure. RTFM. It's all in there, and HP documented it well. Like the warning says, you need to change the user passwords; that's probably the first thing to do. Do this for both users, Admin and Oper (optionally make additional users as required). Make good passwords so the script kiddies don't get into your LOM.
[mp00306e3afab3] MP> cm
(Use Ctrl-B to return to MP main menu.)
[mp00306e3afab3] MP:CM> uc
UC
This command allows you to modify the user configuration.
User Configuration Menu:
L - List current users
N - Add a New user
C - Change a current user
D - Delete a current user
Enter menu item or [Q] to Quit: c
c
Current User Configuration:
Login ID User Name Access Rights Enabled
--------------------------------------------------------------------------
1 - Admin Default Admin C, P, M, U Yes
2 - Oper Default Operator C Yes
Select User to modify by number, or [Q] to Quit: 1
1
Current User Parameters:
L - User Login ID : Admin
P - User Password : ************
U - User Name : Default Admin
W - User Workgroup :
R - User Access Rights : Console access, Power control,
MP configuration, User administration
- - User Operating Mode : Multiple
- - User Enabled/Disabled : Enabled
D - Modem Dial-back : Disabled
T - Modem Dial-back Phone :
Enter parameter(s) to change, A to modify All, or [Q] to Quit: p
p
For each parameter, enter:
New value, or
<CR> to retain the current value, or
Q to Quit
User Password:
6-24 characters
<CR> to retain current password
Enter New Password:
Enter New Password for confirmation:
-> Password will be updated
New User Parameters (* modified values):
L - User Login ID : Admin
* P - User Password : ************
U - User Name : Default Admin
W - User Workgroup :
R - User Access Rights : Console access, Power control,
MP configuration, User administration
- - User Operating Mode : Multiple
- - User Enabled/Disabled : Enabled
D - Modem Dial-back : Disabled
T - Modem Dial-back Phone :
Enter Parameter(s) to revise, Y to confirm, or [Q] to Quit: y
y
User may be disconnected in this process
*************************************************************************
This is a private system.
Do not attempt to login unless you are an authorized user.
Any authorized or unauthorized access or use may be monitored and can
result in criminal or civil prosecution under applicable law.
*************************************************************************
MP login:
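The UC transcript above shows the one hard rule the MP enforces on passwords: 6 to 24 characters. Everything else about "good passwords" is up to you, so here is a small added example (my own code, not from the Servers4Linux page or HP) that checks a candidate against the MP's length limit plus a few sensible rules, rejects the factory defaults the login banner names, and generates a full-length random password with the CSPRNG in `secrets`. The character set it draws from is an assumption, since the page does not say which characters the MP accepts; the entropy figure shows why you want to use all 24 characters the firmware allows.

```python
import math
import secrets
import string

# Length limits the MP enforces in the UC menu ("6-24 characters" in the transcript above).
MP_PW_MIN, MP_PW_MAX = 6, 24

# Character set for generated passwords. ASSUMPTION: the page does not say which characters
# the MP accepts, so this sticks to plain ASCII that is safe to type over a serial line.
ALPHABET = string.ascii_letters + string.digits + "!#%+,-.:=@_"

# Factory default user/password pairs the MP's own banner lists; never leave these in place.
DEFAULT_PAIRS = {("Admin", "Admin"), ("Oper", "Oper")}


def check_mp_password(user, password):
    """Return a list of problems with a candidate MP password (empty list = acceptable)."""
    problems = []
    if not MP_PW_MIN <= len(password) <= MP_PW_MAX:
        problems.append(f"length {len(password)} outside {MP_PW_MIN}-{MP_PW_MAX}")
    if (user, password) in DEFAULT_PAIRS or password.lower() == user.lower():
        problems.append("factory default or equal to the login ID")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < 3:
        problems.append("fewer than three character classes (lower, upper, digit, punctuation)")
    return problems


def generate_mp_password(length=MP_PW_MAX):
    """Generate a uniformly random password that passes check_mp_password.

    Defaults to the MP's maximum of 24 characters: with a capped length, the only way to add
    strength is to use every character the firmware allows."""
    if not MP_PW_MIN <= length <= MP_PW_MAX:
        raise ValueError(f"MP passwords must be {MP_PW_MIN}-{MP_PW_MAX} characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_mp_password("Admin", candidate):
            return candidate


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random password of `length` drawn from `alphabet`."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    for user in ("Admin", "Oper"):
        pw = generate_mp_password()
        print(f"{user}: {pw}  ({entropy_bits(len(pw)):.0f} bits)")
```

Generate one password per MP user and store them in your password manager; the point of `check_mp_password` is to catch the two mistakes the MP's warning banner is about, defaults left in place and a password that is really just the login ID again.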
Make the Certificate Warning Go Away
Once the user passwords are changed, you'll continue to get a warning that looks like this:
*************************************************************************
Your Certificate is expired.
Use the SO command to generate a new certificate.
*************************************************************************
This is apparently the SSL certificate that the embedded web server uses to serve HTTPS pages. Generate a new one as follows (it takes a minute or two; be patient):
[mp00306e3afab3] MP> cm
(Use Ctrl-B to return to MP main menu.)
[mp00306e3afab3] MP:CM> so
SO
This command allows you to modify the security options.
For User Configuration see the UC command.
For SNMP Configuration see the ID command.
For SSH enable/disable see the SA command.
Security Options Menu:
O - Security Options
L - SSL Certificate
- - SSH Key Pairs (MP Feature Not Licensed)
Enter menu item or [Q] to Quit: l
l
Current SSL Certificate parameters:
SSL Certificate : Generated
Certificate Expiration : Jan 1 2000
Current SSL Certificate status:
N - Common Name : mp00306e3afab3
O - Organization : organization
U - Organizational Unit : unit
C - Country : country
R - Region/State : region
L - Locality/City : locality
E - Email Address : email
Enter parameter(s) to change, A to modify All, or [Q] to Quit: a
a
For each parameter, enter:
New value, or
<CR> to retain the current value, or
DEFAULT to set the default value, or
Q to Quit
Current Common Name: mp00306e3afab3
Enter new value, or Q to Quit: ipf00-lom
ipf00-lom
-> Common Name will be updated
Current Organization: organization
Enter new value, or Q to Quit: Computer Science Dept.
Computer Science Dept.
-> Organization will be updated
Current Organizational Unit: unit
Enter new value, or Q to Quit: Cal Poly, SLO
Cal Poly, SLO
-> Organizational Unit will be updated
Current Country: country
Enter new value, or Q to Quit: USA
USA
-> Country will be updated
Current Region/State: region
Enter new value, or Q to Quit: CA
CA
-> Region/State will be updated
Current Locality/City: locality
Enter new value, or Q to Quit: San Luis Obispo
San Luis Obispo
-> Locality/City will be updated
Current Email Address: email
Enter new value, or Q to Quit: admins@csc.calpoly.edu
admins@csc.calpoly.edu
-> Email Address will be updated
New SSL Certificate parameters (* modified values):
SSL Certificate : Generated
Certificate Expiration : Jan 1 2000
New SSL Certificate status (* modified values):
* N - Common Name : ipf00-lom
* O - Organization : Computer Science Dept.
* U - Organizational Unit : Cal Poly, SLO
* C - Country : USA
* R - Region/State : CA
* L - Locality/City : San Luis Obispo
* E - Email Address : admins@csc.calpoly.edu
Enter Parameter(s) to revise, Y to confirm, or [Q] to Quit: y
y
Please wait ..........................
-> Restart MP and browser for new security settings to take effect.
-> Security Options have been updated.
Security Options Menu:
O - Security Options
L - SSL Certificate
- - SSH Key Pairs (MP Feature Not Licensed)
Enter menu item or [Q] to Quit: q
q
[mp00306e3afab3] MP:CM> (ctrl+b to go back to main menu)
MP MAIN MENU:
CO: Console
VFP: Virtual Front Panel
CM: Command Menu
CL: Console Log
SL: Show Event Logs
CSP: Connect to Service Processor
SE: Enter OS Session
HE: Main Help Menu
X: Exit Connection
[mp00306e3afab3] MP>
Once you have generated a new certificate, verify this by logging out and logging in again. You should not see the expired-certificate warning any more. (You could also use the SO menu and list the certificate to see the settings in the new certificate you just made.)
MP login: root
MP password: ********
Hewlett-Packard Integrated Lights-Out HP Integrity and HP 9000
(c) Copyright Hewlett-Packard Company 1999-2007. All Rights Reserved.
MP Host Name: mp00306e3afab3
Revision E.03.32
MP MAIN MENU:
CO: Console
VFP: Virtual Front Panel
CM: Command Menu
CL: Console Log
SL: Show Event Logs
CSP: Connect to Service Processor
SE: Enter OS Session
HE: Main Help Menu
X: Exit Connection
[mp00306e3afab3] MP>
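The MP only tells you about the certificate when you log in on the serial console; once the LOM is on the network you will want to check from a workstation that the HTTPS listener actually serves the renewed certificate with the Common Name you entered. This added example (mine, not from the Servers4Linux page or HP) pulls the certificate with the `openssl` command-line tool, which is assumed to be installed, and evaluates the subject and expiry; the sample `openssl x509` output embedded below is constructed from the values in the SO transcript, and the renewed certificate's expiry date in it is made up.

```python
import re
import ssl
import subprocess
import time

# Constructed sample of `openssl x509 -noout -subject -enddate` output, built from the
# values the SO menu showed BEFORE regeneration (CN still the default, expired Jan 1 2000).
SAMPLE_EXPIRED = (
    "subject=CN = mp00306e3afab3, O = organization, OU = unit, C = country\n"
    "notAfter=Jan  1 00:00:00 2000 GMT\n"
)
# Constructed sample for AFTER regeneration. The notAfter date is made up; the MP does not
# display the expiry it will assign when you regenerate.
SAMPLE_RENEWED = (
    "subject=CN = ipf00-lom, O = Computer Science Dept., OU = Cal Poly, SLO, C = USA\n"
    "notAfter=Nov  1 03:25:16 2017 GMT\n"
)


def evaluate_mp_cert(openssl_text, expected_cn, now=None):
    """Evaluate `openssl x509 -noout -subject -enddate` output for an MP certificate.

    Returns the subject CN, whether it matches expected_cn (the LOM host name), the notAfter
    time as epoch seconds, and whether the certificate is expired at `now` (default: current time).
    Handles both the old "/CN=x/O=y" and the newer "CN = x, O = y" subject layouts."""
    now = time.time() if now is None else now
    cn_match = re.search(r"CN\s*=\s*([^,/\n]+)", openssl_text)
    end_match = re.search(r"notAfter=(.+)", openssl_text)
    if not cn_match or not end_match:
        raise ValueError("could not find CN or notAfter in openssl output")
    cn = cn_match.group(1).strip()
    # ssl.cert_time_to_seconds understands OpenSSL's "%b %d %H:%M:%S %Y GMT" date format.
    not_after = ssl.cert_time_to_seconds(end_match.group(1).strip())
    return {
        "cn": cn,
        "cn_matches": cn == expected_cn,
        "not_after": not_after,
        "expired": not_after <= now,
    }


def fetch_mp_cert_text(host, port=443):
    """Fetch the MP's HTTPS certificate and return its subject/enddate lines (needs the network).

    The MP certificate is self-signed, so no chain verification is attempted here; the point
    is to confirm which certificate is being served, then pin its fingerprint in your browser."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, check=False,
    )
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-enddate"],
        input=s_client.stdout, capture_output=True, check=True,
    )
    return x509.stdout.decode()


if __name__ == "__main__":
    import sys
    lom = sys.argv[1] if len(sys.argv) > 1 else "ipf00-lom"
    result = evaluate_mp_cert(fetch_mp_cert_text(lom), expected_cn=lom)
    print(result)
```

Run it as `python3 check_mp_cert.py ipf00-lom` after the MP reset the SO menu asks for; `cn_matches` should be true and `expired` false. A mismatch usually means the MP is still serving the old certificate because it has not been restarted yet.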
Configure the Network
Now configure the network. You should have a host name, a static IP address, and all the associated network parameters for the LOM. In my example, my parameters are as follows (you'll have your own; don't use mine):
- Host name: ipf00-lom
- DHCP: Disabled
- IP address: 129.65.157.51
- Gateway: 129.65.157.250
- Subnet mask: 255.255.255.0
After you set these, you'll reset the LOM. Then you can plug it into a hot network wire and be on the network.
[mp00306e3afab3] MP> cm
(Use Ctrl-B to return to MP main menu.)
[mp00306e3afab3] MP:CM> ls
LS
Current LAN Configuration:
MAC Address : 0x00306e3afab3
DHCP Status : Enabled
IP Address : 0.0.0.0
MP Host Name : mp00306e3afab3
Subnet Mask : 0.0.0.0
Gateway Address : 0.0.0.0
Link State : Auto Negotiate
Remote Serial Console Port : 2023
SSH Access Port : - (MP Feature Not Licensed)
IPMI / LAN Port : 623
LAN status: UP and RUNNING
[mp00306e3afab3] MP:CM> lc
LC
Current LAN Configuration:
- - MAC Address : 0x00306e3afab3
D - DHCP Status : Enabled
- - IP Address : 0.0.0.0
M - MP Host Name : mp00306e3afab3
- - Subnet Mask : 0.0.0.0
- - Gateway Address : 0.0.0.0
L - Link State : Auto Negotiate
W - Remote Serial Console Port : 2023
- - SSH Access Port : - (MP Feature Not Licensed)
- - IPMI / LAN Port : 623
Enter parameter(s) to change, A to modify All, or [Q] to Quit: a
a
For each parameter, enter:
New value, or
<CR> to retain the current value, or
DEFAULT to set the default value, or
Q to Quit
Host Name:
Current -> mp00306e3afab3 (default)
Enter new value, or Q to Quit: ipf00-lom
ipf00-lom
-> Host Name will be updated
Remote Serial Console Port:
Current -> 2023 (default)
Options: 2000 to 2400
Modifying RSC Port number will cause all present
connections to be dropped.
Enter new value, or Q to Quit:
-> Current Remote Serial Console Port has been retained
DHCP Status:
D - Disabled
Current -> E - Enabled (default)
Modifying this parameter will cause all present LAN and Web
connections to be dropped.
Enter new value, or Q to Quit: d
d
-> DHCP Status will be updated
Link State:
Current -> A - Auto Negotiate (default)
T - 10BaseT
Modifying this parameter will cause all present LAN and Web
connections to be dropped.
Enter new value, or Q to Quit:
-> Current Link State has been retained
New LAN Configuration (* modified values):
- - MAC Address : 0x00306e3afab3
* D - DHCP Status : Disabled
* I - IP Address : 127.0.0.1
* M - MP Host Name : ipf00-lom
* S - Subnet Mask : 255.255.255.0
* G - Gateway Address : 127.0.0.1
L - Link State : Auto Negotiate
W - Remote Serial Console Port : 2023
- - SSH Access Port : - (MP Feature Not Licensed)
- - IPMI / LAN Port : 623
-> Check all LAN parameters to ensure they are correct before commit.
-> All LAN and Web connections will be dropped if you confirm the changes.
Enter Parameter(s) to revise, Y to confirm, or [Q] to Quit: i
i
For each parameter, enter:
New value, or
<CR> to retain the current value, or
DEFAULT to set the default value, or
Q to Quit
IP Address:
Current -> 0.0.0.0
127.0.0.1 (default)
Modifying this parameter will cause all present LAN and Web
connections to be dropped.
Enter new value, or Q to Quit: 129.65.157.51
129.65.157.51
-> IP Address will be updated
New LAN Configuration (* modified values):
- - MAC Address : 0x00306e3afab3
* D - DHCP Status : Disabled
+ I - IP Address : 129.65.157.51
* M - MP Host Name : ipf00-lom
+ S - Subnet Mask : 255.255.255.0
+ G - Gateway Address : 127.0.0.1
L - Link State : Auto Negotiate
W - Remote Serial Console Port : 2023
- - SSH Access Port : - (MP Feature Not Licensed)
- - IPMI / LAN Port : 623
+ indicates inconsistent parameters
Enter parameter(s) to revise, or [Q] to Quit: g
g
For each parameter, enter:
New value, or
<CR> to retain the current value, or
DEFAULT to set the default value, or
Q to Quit
Gateway Address:
Current -> 0.0.0.0
127.0.0.1 (default)
Enter new value, or Q to Quit: 129.65.157.250
129.65.157.250
-> Gateway Address will be updated
New LAN Configuration (* modified values):
- - MAC Address : 0x00306e3afab3
* D - DHCP Status : Disabled
* I - IP Address : 129.65.157.51
* M - MP Host Name : ipf00-lom
* S - Subnet Mask : 255.255.255.0
* G - Gateway Address : 129.65.157.250
L - Link State : Auto Negotiate
W - Remote Serial Console Port : 2023
- - SSH Access Port : - (MP Feature Not Licensed)
- - IPMI / LAN Port : 623
-> Check all LAN parameters to ensure they are correct before commit.
-> All LAN and Web connections will be dropped if you confirm the changes.
Enter Parameter(s) to revise, Y to confirm, or [Q] to Quit: y
y
-> LAN Configuration has been updated.
-> Reset MP (XD command option 'R') for configuration to take effect.
[ipf00-lom] MP:CM> xd -r
XD -r
-> MP reset requested
Confirm? (Y/[N]): y
y
MP is now being reset...
HP Management Processor
Firmware Revision E.03.32 Nov 1 2007,03:25:16
(c) Copyright Hewlett-Packard Company 1999-2007. All Rights Reserved.
Now log in and verify that the LAN is on and configured as you specified.
MP login: root
MP password: ********
Hewlett-Packard Integrated Lights-Out HP Integrity and HP 9000
(c) Copyright Hewlett-Packard Company 1999-2007. All Rights Reserved.
MP Host Name: ipf00-lom
Revision E.03.32
MP MAIN MENU:
CO: Console
VFP: Virtual Front Panel
CM: Command Menu
CL: Console Log
SL: Show Event Logs
CSP: Connect to Service Processor
SE: Enter OS Session
HE: Main Help Menu
X: Exit Connection
[ipf00-lom] MP> cm
(Use Ctrl-B to return to MP main menu.)
[ipf00-lom] MP:CM> ls
LS
Current LAN Configuration:
MAC Address : 0x00306e3afab3
DHCP Status : Disabled
IP Address : 129.65.157.51
MP Host Name : ipf00-lom
Subnet Mask : 255.255.255.0
Gateway Address : 129.65.157.250
Link State : Auto Negotiate
Remote Serial Console Port : 2023
SSH Access Port : - (MP Feature Not Licensed)
IPMI / LAN Port : 623
LAN status: UP and RUNNING
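Notice in the LC transcript that the MP marks the IP address, subnet mask and gateway with "+ indicates inconsistent parameters" while the gateway is still the 127.0.0.1 placeholder, and it drops every LAN and web connection when you confirm, so getting the values wrong on a remote box means a trip back to the serial cable. This added example (my own code, not from the Servers4Linux page or HP) performs the same consistency checks on a workstation before you type anything into the LC menu, using the page's values as test data; the host-name rule (a single DNS label) is my own criterion, not one the page states the MP enforces.

```python
import ipaddress
import re

# A host name for the MP should be a single valid DNS label so the name resolves
# cleanly from your workstation. ASSUMPTION: the page does not state the MP's own rule.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_lan_config(hostname, ip, mask, gateway, dhcp="Disabled"):
    """Return a list of problems with a proposed MP LAN configuration; empty means consistent.

    Mirrors what the LC menu flags with "+ indicates inconsistent parameters": the gateway must
    sit on the subnet described by the IP address and mask, and the firmware's 0.0.0.0 /
    127.0.0.1 placeholders are not real addresses."""
    problems = []
    if not HOSTNAME_RE.match(hostname):
        problems.append(f"host name {hostname!r} is not a valid DNS label")
    if dhcp == "Enabled":
        problems.append("DHCP enabled: a management address that can change is hard to "
                        "firewall and hard to reach in an outage")
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    except ValueError as exc:
        problems.append(f"IP address/mask rejected: {exc}")
        return problems
    net = iface.network
    if iface.ip.is_unspecified or iface.ip.is_loopback:
        problems.append(f"IP address {iface.ip} is a firmware placeholder, not a real address")
    elif net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"IP address {iface.ip} is the network or broadcast address of {net}")
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        problems.append(f"gateway rejected: {exc}")
        return problems
    if gw not in net:
        problems.append(f"gateway {gw} is not on {net} (the MP marks this '+ inconsistent')")
    elif gw == iface.ip:
        problems.append("gateway equals the MP's own address")
    return problems


if __name__ == "__main__":
    # The values from this page's example.
    for gw in ("127.0.0.1", "129.65.157.250"):
        found = check_lan_config("ipf00-lom", "129.65.157.51", "255.255.255.0", gw)
        print(gw, "->", found or "consistent")
```

The `ipaddress` module accepts the dotted mask exactly as the LC menu shows it, so you can paste the values straight from your plan; only commit in LC once the function returns an empty list.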
Other Fun and Games with LOM
Hey! You did it! The LOM is live on the network. Good job. Now you can do most LOM functions remotely with a browser.
So by default, with the "stock" LOM functionality, you can access the LOM via telnet and a web browser. It's a little scary to do anything via telnet these days. It is an aging protocol, and is inherently insecure: for example, telnet sends user names and passwords in the clear across the network. I wouldn't use telnet to talk to a LOM unless I had to. I also wouldn't reuse a super-dee-duper secret root password as a LOM password; telnet passwords are easy to sniff.
You can buy an upgrade to the LOM functionality that enables secure shell (the secure telnet replacement) and a bunch of other stuff. HP calls this Insight software Integrated Lights-Out Advanced. It's something like $500 retail, which is probably more than you paid for your server. Personally, I think that having to spend $500 to turn on ssh is ridiculous, but there it is. I've never bothered to spend the extra money, so I don't know if it really works or if it's worth it.
Using telnet to access the LOM looks like this:
glporter@crimson:~ $ telnet ipf00-lom
Trying 129.65.157.51...
Connected to ipf00-lom.
Escape character is '^]'.
*************************************************************************
This is a private system.
Do not attempt to login unless you are an authorized user.
Any authorized or unauthorized access or use may be monitored and can
result in criminal or civil prosecution under applicable law.
*************************************************************************
MP login: Admin
MP password: ********
Hewlett-Packard Integrated Lights-Out HP Integrity and HP 9000
(c) Copyright Hewlett-Packard Company 1999-2007. All Rights Reserved.
MP Host Name: ipf00-lom
Revision E.03.32
MP MAIN MENU:
CO: Console
VFP: Virtual Front Panel
CM: Command Menu
CL: Console Log
SL: Show Event Logs
HE: Main Help Menu
X: Exit Connection
[ipf00-lom] MP>
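Since telnet, the web UI and the remote serial console port (2023 in the LS output above) all carry MP logins or console output, it is worth knowing exactly which of them your LOM answers on from a given network before you decide where it may be plugged in. This added example (mine, not from the Servers4Linux page or HP) probes the TCP ports the page mentions from a workstation and lists the reachable clear-text services; the `probe` argument is injectable so the classification logic can be exercised offline, and the set of ports is taken from the page plus the assumption that the web UI uses the standard 80/443.

```python
import socket

# Management services on this MP firmware: port -> (name, carries logins or console traffic
# in clear text?). 2023 comes from the LS output on this page, telnet is the documented default
# access method, and 80/443 for the web UI is an assumption. SSH (22) only exists with the
# Advanced licence, so it is probed to confirm it is absent on an unlicensed MP.
LOM_SERVICES = {
    22: ("ssh", False),
    23: ("telnet", True),
    80: ("http web UI", True),
    443: ("https web UI", False),
    2023: ("remote serial console", True),
}


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_lom(host, services=LOM_SERVICES, probe=tcp_open):
    """Probe every management port and return {port: reachable}.

    `probe(host, port)` defaults to a real TCP connect; pass a stub to test offline."""
    return {port: bool(probe(host, port)) for port in services}


def cleartext_findings(status, services=LOM_SERVICES):
    """Names of reachable services that carry credentials or console output in clear text."""
    return sorted(services[p][0] for p, reachable in status.items() if reachable and services[p][1])


def report(host, status, services=LOM_SERVICES):
    """Render the audit as one line per port, flagging reachable clear-text services."""
    lines = []
    for port, (name, clear) in sorted(services.items()):
        state = "open" if status.get(port) else "closed"
        note = "  <- clear text, reachable from this network" if status.get(port) and clear else ""
        lines.append(f"{host}:{port:<5} {name:<22} {state}{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    lom = sys.argv[1] if len(sys.argv) > 1 else "ipf00-lom"
    result = audit_lom(lom)
    print(report(lom, result))
    print("clear-text services reachable:", ", ".join(cleartext_findings(result)) or "none")
```

Run it from the networks you care about (an office subnet as well as the management one). If the telnet or console ports answer from anywhere other than your management network, that is the case for the SA command the MP's own warning points at, or for a firewall in front of the LOM. The IPMI port 623 in the LS output is UDP and is not covered by a TCP connect probe.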
So the point of all of this is to get a remote console. You finally have a working LOM, users you can log in with, and the LOM on the network so you can access it remotely. To actually get the console, you need to verify a couple of things:
- That the server is set in the "BIOS" to use the serial port for the console, not the VGA (video) port.
- That the operating system knows to treat the serial console port as the console, and sends all output there.
If you don't have this configured, then even if you have "console" you won't see anything. Perhaps the server is displaying output on the VGA (video) port. Perhaps the OS is using the wrong (maybe non-existent) serial port for the console. Make sure that neither case applies, and then you should be able to use the serial console via the LOM through a browser (or telnet).
More to come...