Integrated Dell Remote Access Controller 6 (iDRAC6) Version 1.
Notes and Cautions
NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates potential damage to hardware or loss of data if instructions are not followed.
Information in this publication is subject to change without notice. © 2013 Dell Inc. All rights reserved. Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden.
1 iDRAC6 Overview
Integrated Dell Remote Access Controller 6 (iDRAC6) is a systems management hardware and software solution that provides remote management capabilities, crashed system recovery, and power control functions for the Dell PowerEdge systems. The iDRAC6 uses an integrated System-on-Chip microprocessor for the remote monitor/control system. The iDRAC6 co-exists on the system board with the managed PowerEdge server.
iDRAC6 Express Management Features
The iDRAC6 Express provides the following management features:
• Provides Dynamic Domain Name System (DDNS) registration.
• Provides remote system management and monitoring using a Web interface and the Server Management Command Line Protocol (SM-CLP) command line over a serial, Telnet, or SSH connection.
• Adds IPv6 support, such as providing access to the iDRAC6 Web interface using an IPv6 address, specifying the iDRAC6 NIC IPv6 address, and specifying a destination number to configure an IPv6 SNMP alert destination.
• Provides network accessible management using the Web Services for Management (WS-MAN) protocol.
• Adds Server Management-Command Line Protocol (SM-CLP) support, which provides standards for systems management CLI implementations.
Table 1-1. iDRAC6 Feature List (continued)
Columns: Feature, BMC, iDRAC6 Express, iDRAC6 Enterprise, iDRAC6 Enterprise with vFlash
Features:
Historical Power Counters
Logging
System Event Log (SEL)
RAC Log
Remote Syslog
Lifecycle Controller
Unified Server Configurator 4
Remote Services (through WS-MAN)
Part Replacement
1 Two-factor authentication requires Internet Explorer.
2 Feature is available only through IPMI and not through a Web GUI.
3 Virtual ins.
The iDRAC6 provides the following security features:
• Single Sign-on, Two-Factor Authentication, and Public Key Authentication.
• User authentication through Active Directory (optional), LDAP authentication (optional) or hardware-stored user IDs and passwords.
• Role-based authorization, which enables an administrator to configure specific privileges for each user.
• User ID and password configuration through the Web-based interface or SM-CLP.
NOTE: Due to serious security flaws, support for SSL 2.0 has been discontinued. Your browser must be configured to enable SSL 3.0 in order to work properly. Internet Explorer 6.0 is not supported.
Supported Remote Access Connections
Table 1-2 lists the connection features.
Table 1-2.
Table 1-4. iDRAC6 Client Ports
Port Number   Function
25            SMTP
53            DNS
68            DHCP-assigned IP address
69            TFTP
162           SNMP trap
636           LDAPS
3269          LDAPS for global catalog (GC)
Other Documents You May Need
In addition to this guide, the following documents available on the Dell Support website at dell.com/support/manuals provide additional information about the setup and operation of the iDRAC6 in your system.
• The iDRAC6 online help provides detailed information about using the Web-based interface.
• The Dell OpenManage Management Station Software Installation Guide contains instructions to help you install Dell OpenManage management station software that includes Baseboard Management Utility, DRAC Tools, and Active Directory Snap-In.
• The Dell OpenManage Server Administrator User’s Guide for information about installing and using Server Administrator.
• The Dell Update Packages User’s Guide for information about obtaining and using Dell Update Packages as part of your system update strategy.
NOTE: Always read the updates first because they often supersede information in other documents.
• Release notes or readme files may be included to provide last-minute updates to the system or documentation or advanced technical reference material intended for experienced users or technicians.
Accessing Documents From Dell Support Site
To access the documents from Dell Support site:
1 Go to dell.com/support/manuals.
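The client ports in Table 1-4 translate directly into an egress allow-list for the management network. The following Python code is an added example, not part of the Dell guide: it checks connection records initiated by an iDRAC6 against that table and reports anything else. The record format, the addresses, the transport assigned to each port and the optional port 514 entry for Remote Syslog are assumptions, and the sample flows are constructed.

```python
import csv
import io
from dataclasses import dataclass

# Table 1-4 of the guide: port -> function. The transports are an assumption
# (standard usage for each service); the guide does not list them.
CLIENT_PORTS = {
    25: ("SMTP", {"tcp"}),
    53: ("DNS", {"udp", "tcp"}),
    68: ("DHCP-assigned IP address", {"udp"}),
    69: ("TFTP", {"udp"}),
    162: ("SNMP trap", {"udp"}),
    636: ("LDAPS", {"tcp"}),
    3269: ("LDAPS for global catalog (GC)", {"tcp"}),
}
# Optional entry for the Remote Syslog default port named in the guide's
# Remote Syslog settings (UDP is an assumption).
REMOTE_SYSLOG = {514: ("Remote Syslog", {"udp"})}

UNDOCUMENTED = "port not in documented client list"

# Constructed sample: one record per connection, initiator listed first.
SAMPLE_FLOWS = """\
# src_ip,src_port,dst_ip,dst_port,proto
10.20.0.15,68,10.20.0.1,67,udp
10.20.0.15,40112,10.20.0.2,53,udp
10.20.0.15,40113,10.20.0.25,25,tcp
10.20.0.15,40114,10.20.0.30,162,udp
10.20.0.15,40115,10.20.0.40,636,tcp
10.20.0.15,40116,203.0.113.50,443,tcp
10.20.0.15,40117,198.51.100.7,25,tcp
10.20.0.15,40118,10.20.0.60,514,udp
10.20.0.99,50000,10.20.0.15,443,tcp
"""


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def parse_flows(text):
    """Parse CSV connection records, skipping blank and comment lines."""
    flows = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        src_ip, src_port, dst_ip, dst_port, proto = (f.strip() for f in row)
        flows.append(Flow(src_ip, int(src_port), dst_ip, int(dst_port), proto.lower()))
    return flows


def classify(flow, extra_ports=None):
    """Return the documented function for a flow the iDRAC initiated, or None."""
    ports = {**CLIENT_PORTS, **(extra_ports or {})}
    # Port 68 is the DHCP client's own (source) port; the server listens on 67.
    if flow.proto == "udp" and flow.src_port == 68 and flow.dst_port == 67:
        return ports[68][0]
    function, transports = ports.get(flow.dst_port, (None, ()))
    if flow.dst_port != 68 and flow.proto in transports:
        return function
    return None


def audit(flows, bmc_ips, expected_servers=None, extra_ports=None):
    """Return (flow, reason) for every iDRAC-initiated flow outside the allow-list.

    expected_servers maps a function name (for example "SMTP") to the set of
    server addresses configured for it; functions not listed are not pinned.
    """
    expected_servers = expected_servers or {}
    findings = []
    for flow in flows:
        if flow.src_ip not in bmc_ips:
            continue  # inbound management sessions are out of scope here
        function = classify(flow, extra_ports)
        if function is None:
            findings.append((flow, UNDOCUMENTED))
        elif function in expected_servers and flow.dst_ip not in expected_servers[function]:
            findings.append((flow, f"{function} to unexpected server"))
    return findings


if __name__ == "__main__":
    results = audit(parse_flows(SAMPLE_FLOWS), {"10.20.0.15"},
                    expected_servers={"SMTP": {"10.20.0.25"}})
    for flow, reason in results:
        print(f"{flow.src_ip} -> {flow.dst_ip}:{flow.dst_port}/{flow.proto}: {reason}")
```

Pass `extra_ports=REMOTE_SYSLOG` when Remote Syslog is enabled so that traffic to the configured syslog port is not reported.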
2 Getting Started With the iDRAC6
The iDRAC6 enables you to remotely monitor, troubleshoot, and repair a Dell system even when the system is down. The iDRAC6 offers features like Virtual Console, Virtual Media, Smart Card authentication, and Single Sign-On (SSO). The management station is the system from which an administrator remotely manages a Dell system that has an iDRAC6. The systems that are monitored in this way are called managed systems.
6 Configure alerts for efficient systems management capability. 7 Configure the iDRAC6 Intelligent Platform Management Interface (IPMI) settings to use the standards-based IPMI tools to manage the systems on your network.
3 Basic Installation of the iDRAC6
This section provides information about how to install and set up your iDRAC6 hardware and software.
Configuring Your System to Use an iDRAC6
To configure your system to use an iDRAC6, use the iDRAC6 Configuration Utility. To run the iDRAC6 Configuration Utility:
1 Turn on or restart your system.
2 Press when prompted during POST. If your operating system begins to load before you press , allow the system to finish booting, and then restart your system and try again.
3 Configure the LOM.
a Use the arrow keys to select LAN Parameters and press . NIC Selection is displayed.
• Shared with Failover LOM2 — Select this option to share the network interface with the host operating system. The remote access device network interface is fully functional when the host operating system is configured for NIC teaming. The remote access device receives data through NIC 1 and NIC 2, but transmits data only through NIC 1. If NIC 1 fails, the remote access device fails over to NIC 2 for all data transmission. The remote access device continues to use NIC 2 for data transmission.
Software Installation and Configuration Overview
This section provides a high-level overview of the iDRAC6 software installation and configuration process. For more information on the iDRAC6 software components, see "Installing the Software on the Managed System" on page 37.
Installing iDRAC6 Software
To install iDRAC6 software:
1 Install the iDRAC6 software on the managed system. See "Installing the Software on the Managed System" on page 37.
2 Install the iDRAC6 software on the management station.
Installing the Software on the Managed System
Installing software on the managed system is optional. Without the managed system software, you cannot use the RACADM locally, and the iDRAC6 cannot capture the last crash screen. To install the managed system software, install the software on the managed system using the Dell Systems Management Tools and Documentation DVD.
Installing and Removing RACADM on a Linux Management Station
To use the remote RACADM functions, install RACADM on a management station running Linux.
NOTE: When you run Setup on the Dell Systems Management Tools and Documentation DVD, the RACADM utility for all supported operating systems is installed on your management station.
Installing RACADM
1 Log on as root to the system where you want to install the management station components.
Updating the iDRAC6 Firmware Use one of the following methods to update your iDRAC6 firmware.
Updating the iDRAC6 Firmware Using the Web-Based Interface
For detailed information, see "Updating the iDRAC6 Firmware/System Services Recovery Image" on page 75.
Updating the iDRAC6 Firmware Using RACADM
You can update the iDRAC6 firmware using the CLI-based RACADM tool. If you have installed Server Administrator on the managed system, use local RACADM to update the firmware.
1 Download the iDRAC6 firmware image from the Dell Support website at support.dell.com to the managed system.
Updating the iDRAC6 Firmware Using Dell Update Packages for Supported Windows and Linux Operating Systems
Download and run the Dell Update Packages for supported Windows and Linux operating systems from the Dell Support website at support.dell.com. For more information, see the Dell Update Package User’s Guide available on the Dell Support website at support.dell.com/manuals.
List of Trusted Domains When you access the iDRAC6 Web-based interface through the Web browser, you are prompted to add the iDRAC6 IP address to the list of trusted domains if the IP address is missing from the list. When completed, click Refresh or relaunch the Web browser to reestablish a connection to the iDRAC6 Web-based interface.
Linux
If you are running Virtual Console on a Red Hat Enterprise Linux (version 4) client with a Simplified Chinese Graphical User Interface (GUI), the viewer menu and title may appear in random characters. This issue is caused by an incorrect encoding in the Red Hat Enterprise Linux (version 4) Simplified Chinese operating system. To fix this issue, access and modify the current encoding settings by performing the following steps:
1 Open a command terminal.
2 Type “locale” and press .
6 Log out and then log in to the operating system. 7 Relaunch the iDRAC6. When you switch from any other language to the Simplified Chinese language, ensure that this fix is still valid. If not, repeat this procedure. For advanced configurations of the iDRAC6, see "Advanced iDRAC6 Configuration" on page 85.
4 Configuring the iDRAC6 Using the Web Interface
The iDRAC6 provides a Web interface that enables you to configure the iDRAC6 properties and users, perform remote management tasks, and troubleshoot a remote (managed) system for problems. For everyday systems management, use the iDRAC6 Web interface. This chapter provides information about how to perform common systems management tasks with the iDRAC6 Web interface and provides links to related information.
Accessing the Web Interface
To access the iDRAC6 Web interface, perform the following steps:
1 Open a supported Web browser window. To access the Web interface using an IPv4 address, go to step 2. To access the Web interface using an IPv6 address, go to step 3.
2 Access the Web interface using an IPv4 address; you must have IPv4 enabled: In the browser Address bar, type: https:// Then, press .
3 Access the Web interface using an IPv6 address; you must have IPv6 enabled.
Logging In
You can log in as either an iDRAC6 user or as a Microsoft Active Directory user. The default user name and password for an iDRAC6 user are root and calvin, respectively. You must have been granted Login to iDRAC privilege by the administrator to log in to iDRAC6. To log in, perform the following steps:
1 In the Username field, type one of the following:
• Your iDRAC6 user name. The user name for local users is case-sensitive. Examples are root, it_user, or john_doe.
Logging Out
1 In the upper-right corner of the main window, click Logout to close the session.
2 Close the browser window.
NOTE: The Logout button does not appear until you log in.
NOTE: Closing the browser without logging out may cause the session to remain open until it times out. It is strongly recommended that you click the logout button to end the session; otherwise, the session may remain active until the session timeout is reached.
Table 4-1. User Privilege Behavior in Supported Browsers
Browser                         Tab Behavior                 Window Behavior
Microsoft Internet Explorer 6   Not applicable               New session
Microsoft IE7 and IE8           From latest session opened   New session
Configuring the iDRAC6 NIC
This section assumes that the iDRAC6 has already been configured and is accessible on the network. See "Configuring iDRAC6" on page 36 for help with the initial iDRAC6 network configuration.
NOTE: Changes to the NIC IP address settings close all user sessions and users must reconnect to the iDRAC6 Web interface using the updated IP address settings. For all other changes the NIC must be reset, which may cause a brief loss in connectivity. Table 4-2.
Table 4-2. Network Settings (continued)
Setting: Description
Auto Negotiation: If set to On, displays the Network Speed and Mode by communicating with the nearest router or switch. If set to Off, allows you to set the Network Speed and Duplex Mode manually. If NIC Selection is not set to Dedicated, Auto Negotiation setting will always be enabled (On).
NOTE: When the server is off, the embedded LOM ports support a maximum speed of 100 Mbps.
Table 4-3. Common Settings (continued)
Setting: Description
DNS Domain Name: The default DNS Domain Name is blank. When the Auto Config Domain Name checkbox is selected, this option is disabled.
Table 4-4. IPv4 Settings
Setting: Description
Enable IPv4: If NIC is enabled, this selects IPv4 protocol support and sets the other fields in this section to be enabled.
DHCP Enable: Prompts the iDRAC6 to obtain an IP address for the NIC from the Dynamic Host Configuration Protocol (DHCP) server.
Table 4-5. IPv6 Settings
Setting: Description
Enable IPv6: If the checkbox is selected, IPv6 is enabled. If the checkbox is not selected, IPv6 is disabled. The default is disabled.
Autoconfiguration Enable: Check this box to allow the iDRAC6 to obtain the IPv6 address for the iDRAC6 NIC from the Dynamic Host Configuration Protocol (DHCPv6) server. Enabling autoconfiguration also deactivates and flushes out the static values for IP Address 1, Prefix Length, and IP Gateway.
Table 4-5. IPv6 Settings (continued)
Setting: Description
Preferred DNS Server: Configures the static IPv6 address for the preferred DNS server. To change this setting, you must first clear Use DHCP to obtain DNS Server Addresses.
Alternate DNS Server: Configures the static IPv6 address for the alternate DNS server. To change this setting, you must first clear Use DHCP to obtain DNS Server Addresses.
Table 4-6.
2 Click Advanced Settings to configure the network security settings. Table 4-8 describes the Network Security Page Settings.
3 After configuring the settings, click Apply. This saves any new settings that you made to the Network Security page.
Table 4-8. Network Security Page Settings
Settings: Description
IP Range Enabled: Enables the IP Range checking feature, which defines a range of IP addresses that can access the iDRAC. The default is off.
Configuring Platform Events
Platform event configuration provides a mechanism for configuring the iDRAC6 to perform selected actions on certain event messages. The actions include no action, reboot system, power cycle system, power off system, and generate an alert (Platform Event Trap [PET] and/or e-mail). The filterable platform events are listed in Table 4-9.
Table 4-9.
Table 4-9. Platform Event Filters (continued)
Index   Platform Event
22      Removable Flash Media Warning Assert
When a platform event occurs (for example, a battery warning assert), a system event is generated and recorded in the System Event Log (SEL). If this event matches a platform event filter (PEF) that is enabled and you have configured the filter to generate an alert (PET or e-mail), then a PET or e-mail alert is sent to one or more configured destinations.
4 In the Platform Event Filters List table, do the following for the filter(s) that you want to configure:
• Select one of the following actions:
  • Reboot System
  • Power Cycle System
  • Power Off System
  • No Action
• In the Generate Alert column, select the checkbox to enable alert generation or clear the checkbox to disable alert generation for the selected action.
NOTE: Generate Alert must be enabled for an alert to be sent to any valid, configured destination (PET).
5 Click Apply.
c In Test Trap, click Send to test the configured alert.
NOTE: Your user account must have Test Alerts permission to send a test trap. See Table 6-6 for more information.
The changes you specified are displayed in either the IPv4 or IPv6 Destination List.
5 In the Community String field, enter the iDRAC SNMP community name.
NOTE: The destination community string must be the same as the iDRAC6 community string.
6 Click Apply. The settings are saved.
b In the Destination E-mail Address field, type a valid e-mail address.
c In the E-mail Description field, type a short description.
5 In Test Email, click Send to test the configured e-mail alert settings.
6 In the SMTP (e-mail) Server IP Address field, enter a valid IP address or FQDN (fully qualified domain name) of the SMTP server to be used in the configuration.
NOTE: To successfully send a test e-mail, the SMTP (email) Server IP Address must be configured on the Email Alert Settings page.
3 Configure IPMI Serial over LAN (SOL).
a In the System tree, click iDRAC Settings.
b Click the Network/Security tab and then click Serial Over LAN.
c In the Serial Over LAN page, select Enable Serial Over LAN.
d Update the IPMI SOL baud rate.
NOTE: To redirect the serial console over LAN, ensure that the SOL baud rate is identical to your managed system’s baud rate.
e Click the Baud Rate drop-down menu, select the appropriate baud rate, and click Apply.
f Update the minimum required privilege.
• In the Serial Connection menu, ensure that External Serial Connector is set to Remote Access Device.
• Save and exit the BIOS Setup program.
• Restart your system.
If IPMI serial is in terminal mode, you can configure the following additional settings:
• Delete control
• Echo control
• Line edit
• New line sequences
• Input new line sequences
For more information about these properties, see the IPMI 2.0 specification.
Secure Sockets Layer (SSL)
The iDRAC6 includes a Web server that is configured to use the industry-standard SSL security protocol to transfer encrypted data over a network. Built upon public-key and private-key encryption technology, SSL is a widely accepted technology for providing authenticated and encrypted communication between clients and servers to prevent eavesdropping across a network.
Accessing SSL Through the Web-Based Interface
1 Click iDRAC Settings → Network/Security.
2 Click SSL to open the SSL page.
Use the SSL page to perform one of the following options:
• Generate a Certificate Signing Request (CSR) to send to a CA. The CSR information is stored on the iDRAC6 firmware.
• Upload a server certificate.
• View a server certificate.
Table 4-10 describes the above SSL page options.
Table 4-10.
Generating a Certificate Signing Request
1 On the SSL page, select Generate Certificate Signing Request (CSR) and click Next.
2 On the Generate Certificate Signing Request (CSR) page, enter a value for each CSR attribute. Table 4-11 describes the CSR attributes.
3 Click Generate to create the CSR, download it to your local computer, and save it to a specified directory.
4 Click Go Back to SSL Main Menu to return to the SSL page.
Table 4-11.
Uploading a Server Certificate
1 On the SSL page, select Upload Server Certificate and click Next. The Upload Server Certificate page is displayed.
2 In the File Path field, type the path of the certificate in the Value field or click Browse to navigate to the certificate file.
NOTE: The File Path value displays the relative file path of the certificate you are uploading. You must type the absolute file path, which includes the full path and the complete file name and file extension.
3 Click Apply.
Configuring and Managing Active Directory
The page enables you to configure and manage Active Directory settings.
NOTE: You must have Configure iDRAC permission to use or configure Active Directory.
NOTE: Before configuring or using the Active Directory feature, ensure that your Active Directory server is configured to communicate with iDRAC6.
Table 4-13. Active Directory Configuration and Management Page Options (continued)
Attribute: Description
Schema Selection: Specifies whether Standard Schema or Extended Schema is in use with Active Directory.
NOTE: In this release, the Smart Card based Two Factor Authentication (TFA) feature is not supported if the Active Directory is configured for Extended schema. The Single Sign-On (SSO) feature is supported for both Standard and Extended schema.
Table 4-13. Active Directory Configuration and Management Page Options (continued) Attribute Description Domain Controller Server Address 1-3 (FQDN or IP) Specifies the fully qualified domain name (FQDN) of the domain controller or the IP address. At least one of the 3 addresses is required to be configured. iDRAC6 attempts to connect to each of the configured addresses one-by-one until it makes a successful connection.
Table 4-13. Active Directory Configuration and Management Page Options (continued) Attribute Description Active Directory CA Certificate Certificate The certificate of the Certificate Authority that signs all the domain controllers’ Security Socket Layer (SSL) server certificate. Extended Schema Settings iDRAC Name: Specifies the name that uniquely identifies the iDRAC in Active Directory. This value is NULL by default.
Table 4-13. Active Directory Configuration and Management Page Options (continued) Attribute Description Standard Schema Settings Global Catalog Server Address 1-3 (FQDN or IP): Specifies the fully qualified domain name (FQDN) or the IP address of the Global Catalog server(s). At least one of the 3 addresses is required to be configured. iDRAC6 attempts to connect to each of the configured addresses one-by-one until it makes a successful connection.
Configuring iDRAC6 Services
NOTE: To modify these settings, you must have Configure iDRAC permission.
1 Click iDRAC Settings → Network/Security. Click the Services tab to display the Services configuration page.
2 Configure the following services, as required:
• Local Configuration — see Table 4-14.
• Web server — see Table 4-15 for Web server settings.
• SSH — see Table 4-16 for SSH settings.
• Telnet — see Table 4-17 for Telnet settings.
• Remote RACADM — see Table 4-18 for Remote RACADM settings.
Table 4-15. Web Server Settings (continued)
Setting: Description
Max Sessions: The maximum number of simultaneous Web server sessions allowed for this system. This field is not editable. The maximum number of simultaneous sessions is five.
Active Sessions: The number of current sessions on the system, less than or equal to the value for Max Sessions. This field is not editable.
Timeout: The time, in seconds, that a connection is allowed to remain idle.
Table 4-17. Telnet Settings
Setting: Description
Enabled: Enables or disables Telnet. When checked, Telnet is enabled.
Max Sessions: Maximum number of simultaneous Telnet sessions allowed for this system. You cannot edit this field.
NOTE: iDRAC6 supports up to 2 Telnet sessions simultaneously.
Active Sessions: Number of current Telnet sessions on the system, less than or equal to the setting for Max Sessions. You cannot edit this field.
Timeout: The Telnet idle timeout in seconds.
Table 4-20. Automated System Recovery Agent Setting
Setting: Description
Enabled: Enables/disables the Automated System Recovery Agent. When checked, the Automated System Recovery Agent is enabled.
Updating the iDRAC6 Firmware/System Services Recovery Image
NOTE: If the iDRAC6 firmware becomes corrupted, as could occur if the iDRAC6 firmware update progress is interrupted before it completes, you can recover the iDRAC6 using the iDRAC6 Web interface.
4 Click Upload. The file will be uploaded to the iDRAC6. This process may take several minutes to complete. The following message will be displayed until the process is complete: File upload in progress...
5 On the Status (page 2 of 3) page, you will see the results of the validation performed on the image file you uploaded.
• If the system recovery image file uploaded successfully and passed all verification checks, the system recovery image file name will be displayed.
8 In the Updating (Step 3 of 3) page, you will see the status of the update. The progress of the update, measured in percentages, will appear in the Progress column. NOTE: While in the update mode, the update process will continue in the background even if you navigate away from this page. If the firmware update is successful, the iDRAC6 will reset automatically. You should close the current browser window and reconnect to the iDRAC6 using a new browser window.
3 Click Update to start the firmware update process. On the Updating (Step 3 of 3) page, you see the status of the rollback operation. The progress, measured in percentages, appears in the Progress column.
NOTE: While in the update mode, the update process will continue in the background even if you navigate away from this page.
If the firmware update is successful, the iDRAC6 will reset automatically. You should close the current browser window and reconnect to the iDRAC6 using a new browser window.
Table 4-21. Remote Syslog Settings (continued)
Attribute: Description
Syslog Server 1–3: Enter the Remote Syslog server address to log iDRAC6 messages like SEL Log and RAC Log. Syslog server addresses allow alphanumeric, -, ., :, and _ symbols.
Port Number: Enter the port number of the Remote Syslog server. The port number should be between 1 and 65535. Default is 514.
NOTE: The severity levels defined by the Remote Syslog protocol differ from the standard IPMI System Event Log (SEL) severity levels.
1 Open a supported Web browser window.
2 Log in to iDRAC6 Web interface.
3 In the system tree, select System → Setup → First Boot Device. The First Boot Device screen is displayed. Table 4-22 lists the First Boot Device settings.
Table 4-22. First Boot Device
Attribute: Description
First Boot Device: Select the first boot device from the drop-down list. The system will boot from the selected device on next and subsequent reboots.
Boot Once: Selected = Enabled; Deselected = Disabled.
A filename with the IMG extension is redirected as a Virtual Floppy and a filename with the ISO extension is redirected as a Virtual CDROM. Remote file share supports only .IMG and .ISO image file formats. The RFS feature utilizes the underlying Virtual Media implementation in iDRAC6. You must have Virtual Media privileges to perform an RFS mounting. If a virtual drive is already used by Virtual Media, then the drive is not available to mount as RFS and vice versa.
Click Connect to connect to RFS. After successfully establishing the connection, Connect is disabled. NOTE: Even if you have configured remote file sharing, the GUI does not display this information due to security reasons. For remote file share, the remote RACADM command is: racadm remoteimage.
Devices screen of the system BIOS setup. For more information about the BIOS options for IDSDM, see the Hardware Owner’s Manual available on the Dell Support website at dell.com/support/manuals. NOTE: In the BIOS setup, Integrated Devices screen, the Internal USB Port option must be set to On. If this is set to Off, the IDSDM is not visible to the system as a boot device. One of the two SD cards can be the master.
• Internal SD Module Status — Displays the SD card state for SD1, SD2, and vFlash cards with the following information: – Status: • — Indicates that the card is ok. • — Indicates that the card is offline or write-protected. • — Indicates that an alert is issued. – Location — Location of the SD cards. – Online Status — SD1, SD2, and vFlash cards can be in one of the states listed in Table 4-25. Table 4-25.
5 Advanced iDRAC6 Configuration
This section provides information about advanced iDRAC6 configuration and is recommended for users with advanced knowledge of systems management and who want to customize the iDRAC6 environment to suit their specific needs.
Before You Begin
You should have completed the basic installation and setup of your iDRAC6 hardware and software. See "Basic Installation of the iDRAC6" on page 33 for more information.
failsafe baud rate....115200
remote terminal type....vt100/vt220
redirection after boot....Enabled
Then, select Save Changes.
5 Press to exit the System Setup program and complete the System Setup program configuration.
Configuring the iDRAC6 Settings to Enable SSH/Telnet
Next, configure the iDRAC6 settings to enable SSH/Telnet, which you can do either through RACADM or the iDRAC6 Web interface.
To connect to the managed system text console, open an iDRAC6 command prompt (displayed through a Telnet or SSH session) and type: console com2 The console -h com2 command displays the contents of the serial history buffer before waiting for input from the keyboard or new characters from the serial port. The default (and maximum) size of the history buffer is 8192 characters.
Enabling Microsoft Telnet for Telnet Virtual Console
NOTE: Some Telnet clients on the Microsoft operating systems may not display the BIOS setup screen correctly when BIOS Virtual Console is set for VT100/VT220 emulation. If this issue occurs, update the display by changing the BIOS Virtual Console to ANSI mode. To perform this procedure in the BIOS setup menu, select Virtual Console→Remote Terminal Type→ANSI.
To configure a Linux Telnet session to use the key:
1 Open a command prompt and type: stty erase ^h
2 At the prompt, type: telnet
Using the Secure Shell (SSH)
It is critical that your system’s devices and device management are secure. Embedded connected devices are the core of many business processes. If these devices are compromised, your business may be at risk, which requires new security demands for command line interface (CLI) device management software.
For more information on cfgSerialSshEnable and cfgRacTuneSshPort properties, see the RACADM iDRAC6 and CMC Command Line Reference Guide available on the Dell Support website at dell.com/support/manuals. The iDRAC6 SSH implementation supports multiple cryptography schemes, as shown in Table 5-1. Table 5-1.
Configuring Linux for Serial Console During Boot The following steps are specific to the Linux GRand Unified Bootloader (GRUB). Similar changes would be necessary if you use a different boot loader. NOTE: When you configure the client VT100 emulation window, set the window or application that is displaying the redirected Virtual Console to 25 rows x 80 columns to ensure proper text display; otherwise, some text screens may be garbled. Edit the /etc/grub.
Table 5-2. Sample File: /etc/grub.conf (continued)
# root (hd0,0)
# kernel /boot/vmlinuz-version ro root=/dev/sda1
# initrd /boot/initrd-version.img
#
#boot=/dev/sda
default=0
timeout=10
#splashimage=(hd0,2)/grub/splash.xpm.gz
serial --unit=1 --speed=57600
terminal --timeout=10 serial
title Red Hat Linux Advanced Server (2.4.9-e.3smp)
root (hd0,0)
kernel /boot/vmlinuz-2.4.9-e.3smp ro root=/dev/sda1 hda=ide-scsi console=ttyS0 console=ttyS1,115200n8r
initrd /boot/initrd-2.4.9-e.3smp.
Enabling Login to the Virtual Console After Boot
Edit the file /etc/inittab as follows: Add a new line to configure agetty on the COM2 serial port:
co:2345:respawn:/sbin/agetty -h -L 57600 ttyS1 ansi
Table 5-3 shows a sample file with the new line.
Table 5-3. Sample File: /etc/inittab
#
# inittab This file describes how the INIT process should set up
# the system in a certain run-level.
#
# Author: Miquel van Smoorenburg
# Modified for RHS Linux by Marc Ewing and Donnie Barnes
#
# Default runlevel.
Table 5-3. Sample File: /etc/inittab (continued)
l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6
# Things to run in every runlevel.
ud::once:/sbin/update
# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
# When our UPS tells us power has failed, assume we have a few
# minutes of power left. Schedule a shutdown for 2 minutes from now.
Table 5-3.
Table 5-4 shows a sample file with the new line.
Table 5-4. Sample File: /etc/securetty
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
ttyS1
NOTE: Use the Break Key Sequence (~B) to execute the Linux Magic SysRq key commands on serial console using IPMI Tool.
Configuring iDRAC6 for Serial Connection You can use any of the following interfaces for connecting to the iDRAC6 via serial connection: • iDRAC6 CLI • Direct Connect Basic mode • Direct Connect Terminal mode To set up your system to use any of these interfaces, perform the following steps. 1 Configure the BIOS to enable serial connection: a Turn on or restart your system.
To configure iDRAC6 settings to enable serial connections using the iDRAC6 Web interface, follow these steps: 1 Expand the System tree and click iDRAC Settings. 2 Click the Network/Security tab and then click Serial. 3 Select Enabled under the RAC Serial section. 4 Click Apply Changes. When you are connected serially with the previous settings, you should see a login prompt. Enter the iDRAC6 username and password (default values are root, calvin, respectively).
For Direct Connect Terminal mode: Under the IPMI Serial section change the Connection Mode Settings drop-down menu to Direct Connect Terminal Mode. 4 Click Apply Changes. For more information about Direct Connect Basic and Direct Connect Terminal modes, see "Configuring Serial and Terminal Modes" on page 105. Direct Connect Basic mode will enable you to use such tools as ipmish directly through the serial connection.
Switching Between RAC Serial Interface Communication Mode and Serial Console iDRAC6 supports Escape key sequences that allow switching between RAC Serial Interface communication and Serial Console. To set your system to allow this behavior, do the following: 1 Turn on or restart your system. 2 Press immediately after you see the following message: = System Setup 3 Scroll down and select Serial Communication by pressing .
To switch to RAC Serial Interface Communication Mode when in Serial Console Mode, use the following key sequence: + <9> The key sequence above directs you either to the "iDRAC Login" prompt (if the RAC is set to "RAC Serial" mode) or to the "Serial Connection" mode where terminal commands can be issued (if the RAC is set to "IPMI Serial Direct Connect Terminal Mode").
Table 5-5.
3 If you do not have a Minicom configuration file, go to the next step. If you have a Minicom configuration file, type minicom and skip to step 17. 4 At the Xterm command prompt, type minicom -s. 5 Select Serial Port Setup and press . 6 Press and select the appropriate serial device (for example, /dev/ttyS0). 7 Press and set the Bps/Par/Bits option to 57600 8N1. 8 Press and set Hardware Flow Control to Yes and set Software Flow Control to No.
Required Minicom Settings for Serial Console Emulation Use Table 5-6 to configure any version of Minicom. Table 5-6.
7 Set the Telnet terminal ID: to ANSI.
8 Click Terminal Setup and set Screen Rows to 26.
9 Set Columns to 80 and click OK.
Table 5-7. Management Station COM Port Settings
Setting Description | Required Setting
Bits per second | 57600
Data bits | 8
Parity | None
Stop bits | 1
Flow control | Hardware
Configuring Serial and Terminal Modes
Configuring IPMI and iDRAC6 Serial
1 Expand the System tree and click iDRAC Settings.
2 Click the Network/Security tab and then click Serial.
Table 5-8. IPMI Serial Settings (continued)
Setting | Description
Flow Control | • None — Hardware Flow Control Off • RTS/CTS — Hardware Flow Control On
Channel Privilege Level Limit | • Administrator • Operator • User
Table 5-9. iDRAC6 Serial Settings
Setting | Description
Enabled | Enables or disables the iDRAC6 serial console. Checked=Enabled; Unchecked=Disabled
Timeout | The maximum number of seconds of line idle time before the line is disconnected. The range is 60 to 1920 seconds.
5 Click Apply Changes. 6 Click the appropriate Terminal Mode Settings page button to continue. See the iDRAC6 Online Help for description of the Terminal Mode Settings page buttons. Table 5-10. Terminal Mode Settings Setting Description Line Editing Enables or disables line editing.
Accessing the iDRAC6 Through a Network
After you configure the iDRAC6, you can remotely access the managed system using one of the following interfaces:
• Web-based interface
• RACADM
• Telnet Console
• SSH
• IPMI
Table 5-11 describes each iDRAC6 interface.
Table 5-11. iDRAC6 Interfaces
Interface | Description
Web-based interface | Provides remote access to the iDRAC6 using a graphical user interface.
Table 5-11. iDRAC6 Interfaces (continued)
Interface | Description
Telnet Console | Provides access to the iDRAC6 and support for serial and RACADM commands including powerdown, powerup, powercycle, and hardreset commands. NOTE: Telnet is not a secure protocol and Telnet transmits all data, including passwords, in plain text. When transmitting sensitive information, use the SSH interface.
Using RACADM Remotely NOTE: Configure the IP address on your iDRAC6 before using the RACADM remote capability. For more information about setting up your iDRAC6 and a list of related documents, see "Basic Installation of the iDRAC6" on page 33. RACADM provides a remote capability option (-r) that allows you to connect to the managed system and execute RACADM subcommands from a remote Virtual Console or management station.
2 Find the location of the default CA certificate bundle on the management station. For example, for RHEL5 64-bit, it is /etc/pki/tls/cert.pem. 3 Append the PEM formatted CA certificate to the management station CA certificate. For example, use the cat command: - cat testcacert.pem >> cert.pem RACADM Synopsis racadm -r -u -p racadm -i -r For example: racadm -r 192.168.0.
Table 5-12. racadm Command Options (continued)
Option | Description
-u | Specifies the user name that is used to authenticate the command transaction. If the -u option is used, the -p option must be used, and the -i option (interactive) is not allowed.
-p | Specifies the password used to authenticate the command transaction. If the -p option is used, the -i option is not allowed.
-S | Specifies that RACADM should check for invalid certificate errors.
Table 5-13. RACADM Subcommands
Command | Description
help | Lists iDRAC6 subcommands.
help | Lists usage statement for the specified subcommand.
arp | Displays the contents of the ARP table. ARP table entries may not be added or deleted.
clearasrscreen | Clears the last ASR (crash) screen (last blue screen).
clrraclog | Clears the iDRAC6 log. A single entry is made to indicate the user and time that the log was cleared.
config | Configures the iDRAC6.
Table 5-13. RACADM Subcommands (continued)
Command | Description
getraclog | Displays the iDRAC6 log.
clrsel | Clears the System Event Log entries.
gettracelog | Displays the iDRAC6 trace log. If used with -i, the command displays the number of entries in the iDRAC6 trace log.
sslcsrgen | Generates and downloads the SSL CSR.
sslcertupload | Uploads a CA certificate or server certificate to the iDRAC6.
sslcertdownload | Downloads a CA certificate.
Frequently Asked Questions About RACADM Error Messages After performing an iDRAC6 reset (using the racadm racreset command), I issue a command and the following message is displayed: ERROR: Unable to connect to RAC at specified IP address What does this message mean? You must wait until the iDRAC6 completes the reset before issuing another command. When I use the racadm commands and subcommands, I get errors that I don’t understand.
Configuring Multiple iDRAC6 Controllers Using RACADM, you can configure one or more iDRAC6 controllers with identical properties. When you query a specific iDRAC6 controller using its group ID and object ID, RACADM creates the .cfg configuration file from the retrieved information. Filename is user specified, for example racadm.cfg. By exporting the file to one or more iDRAC6, you can configure your controllers with identical properties in a minimal amount of time.
• Display all configuration properties in a group (specified by group name and index) • Display all configuration properties for a user by user name The config subcommand loads the information into the other iDRAC6. Use config to synchronize the user and password database with Server Administrator. The initial configuration file, racadm.cfg, is named by the user. In the following example, the configuration file is named myfile.cfg.
is found in the .cfg file. The user must correct all errors before any configuration can take place. The -c option may be used in the config subcommand, which verifies syntax only and does not perform a write operation to the iDRAC6. Use the following guidelines when you create a .cfg file: • If the parser encounters an indexed group, the index of the group is used as the anchor. Any modifications to the objects within the indexed group are also associated with the index value.
• Use the racresetcfg subcommand to reset the iDRAC6 to original defaults, and then run the racadm config -f .cfg command. Ensure that the .cfg file includes all required objects, users, indexes, and other parameters. CAUTION: Use the racresetcfg subcommand to reset the database and the iDRAC6 NIC settings to the original default settings and remove all users and user configurations. While the root user is available, other users’ settings are also reset to the default settings.
The following example displays a group name, object, and the object’s property value.
Example:
[cfgLanNetworking] -{group name}
cfgNicIpAddress=143.154.133.121 {object name}
• All parameters are specified as "object=value" pairs with no white space between the object, =, or value. White spaces that are included after the value are ignored. A white space inside a value string remains unmodified.
#
# Object Group "cfgLanNetworking"
#
[cfgLanNetworking]
cfgNicIpAddress=10.35.10.110
cfgNicGateway=10.35.10.1
This file will be updated as follows:
#
# Object Group "cfgLanNetworking"
#
[cfgLanNetworking]
cfgNicIpAddress=10.35.9.143
# comment, the rest of this line is ignored
cfgNicGateway=10.35.9.1
The command racadm config -f myfile.cfg parses the file and identifies any errors by line number. A correct file will update the proper entries.
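The file rules above (bracketed group names, object=value pairs with no white space around the =, trailing white space ignored, # comment lines) are enough to check a .cfg file offline before it is pushed to many controllers. The following Python sketch is an added example, not Dell's parser: the sample file is constructed, cfgSerialTelnetEnable and cfgUserAdminPassword are RACADM objects that this section does not show, and the three audit rules are assumptions based on this guide's Telnet note and its stated default password.

```python
import re

GROUP_RE = re.compile(r"^\[(\w+)\]$")   # [cfgLanNetworking]
PAIR_RE = re.compile(r"^(\w+)=(.*)$")   # object=value, nothing around '='

# Audit rules: assumptions of this example, not a Dell-published list.
RISKY = {
    ("cfgSerial", "cfgSerialTelnetEnable", "1"):
        "Telnet enabled: passwords cross the network in plain text",
    ("cfgSerial", "cfgSerialSshEnable", "0"):
        "SSH disabled: no encrypted command-line interface",
    ("cfgUserAdmin", "cfgUserAdminPassword", "calvin"):
        "default password would be written to the iDRAC6",
}

# Constructed sample in the .cfg layout shown in this section.
SAMPLE_CFG = """\
#
# Object Group "cfgLanNetworking"
#
[cfgLanNetworking]
cfgNicIpAddress=10.35.9.143
# comment, the rest of this line is ignored
cfgNicGateway = 10.35.9.1

[cfgSerial]
cfgSerialTelnetEnable=1
cfgSerialSshEnable=0

[cfgUserAdmin]
cfgUserAdminUserName=root
cfgUserAdminPassword=calvin
"""


def lint_cfg(text):
    """Return (entries, errors).

    entries: (line number, group, object, value) for every valid pair.
    errors:  (line number, reason) for every line that breaks the rules.
    """
    entries, errors, group = [], [], None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()              # white space after the value is ignored
        if not line or line.startswith("#"):
            continue                     # blank line or comment line
        header = GROUP_RE.match(line)
        if header:
            group = header.group(1)
            continue
        pair = PAIR_RE.match(line)
        if pair is None or pair.group(2)[:1].isspace():
            reason = ("white space before the object name or around '='"
                      if "=" in line
                      else "not a [group], comment or object=value line")
            errors.append((lineno, reason))
            continue
        if group is None:
            errors.append((lineno, "object appears before any [group]"))
            continue
        # White space inside the value is kept unmodified.
        entries.append((lineno, group, pair.group(1), pair.group(2)))
    return entries, errors


def audit_cfg(entries):
    """Return (line number, finding) for each entry that matches a RISKY rule."""
    return [(lineno, RISKY[(g, o, v)])
            for lineno, g, o, v in entries if (g, o, v) in RISKY]


if __name__ == "__main__":
    parsed, problems = lint_cfg(SAMPLE_CFG)
    for lineno, reason in problems:
        print(f"line {lineno}: syntax: {reason}")
    for lineno, finding in audit_cfg(parsed):
        print(f"line {lineno}: review: {finding}")
```

A clean result here does not replace racadm config -c, which remains the authoritative syntax check.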
The commands provide the same configuration functionality as the iDRAC6 Configuration Utility at boot-up when you are prompted to type . For more information about configuring network properties with the iDRAC6 Configuration Utility, see "Configuring Your System to Use an iDRAC6" on page 34. The following is an example of how the command may be used to configure desired LAN network properties.
iDRAC6 Modes
The iDRAC6 can be configured in one of four modes:
• Dedicated
• Shared
• Shared with Failover LOM2
• Shared with Failover All LOMs
Table 5-14 provides a description of each mode.
Table 5-14. iDRAC6 NIC Configurations
Mode | Description
Dedicated | The iDRAC6 uses its own NIC (RJ-45 connector) and the iDRAC MAC address for network traffic.
Shared | The iDRAC6 uses LOM1 on the planar.
Shared with Failover LOM2 | The iDRAC6 uses LOM1 and LOM2 as a team for failover.
(if certificate issued to IP) of the iDRAC6 (for example, 192.168.0.120) or the registered DNS iDRAC6 name (if certificate issued to iDRAC registered name). To ensure that the CSR matches the registered DNS iDRAC6 name: 1 In the System tree, click iDRAC Settings. 2 Click the Network/Security tab and then click Network. 3 In the Common Settings table: a Select the Register iDRAC on DNS check box. b In the DNS iDRAC Name field, enter the iDRAC6 name. 4 Click Apply Changes.
When accessing the iDRAC6 Web-based interface, I get a security warning stating the SSL certificate was issued by a certificate authority (CA) that is not trusted. iDRAC6 includes a default iDRAC6 server certificate to ensure network security for the Web-based interface and remote RACADM features. This certificate was not issued by a trusted CA. To address this security concern, upload an iDRAC6 server certificate issued by a trusted CA (for example, Microsoft Certificate Authority, Thawte or Verisign).
6 Adding and Configuring iDRAC6 Users
To manage your system with the iDRAC6 and maintain system security, create unique users with specific administrative permissions (or role-based authority). For additional security, you can also configure alerts that are e-mailed to specific users when a specific system event occurs.
3 On the User Configuration page, configure the following: • The username, password, and access permissions for a new or existing iDRAC user. Table 6-3 describes General User Settings. • The user’s IPMI privileges. Table 6-4 describes the IPMI User Privileges for configuring the user’s LAN privileges. • The iDRAC user privileges. Table 6-5 describes the iDRAC User Privileges. • The iDRAC Group access permissions. Table 6-6 describes the iDRAC Group Permissions. 4 When completed, click Apply Changes.
Table 6-2. Smart Card Configuration Options
Option | Description
Upload User Certificate | Enables the user to upload the user certificate to iDRAC6 and import it to the user profile.
View User Certificate | Displays the user certificate page that has been uploaded to the iDRAC.
Upload Trusted CA Certificate | Enables you to upload the trusted CA certificate to iDRAC and import it to the user profile.
View Trusted CA Certificate | Displays the trusted CA certificate that has been uploaded to the iDRAC.
Table 6-3. General User Settings (continued)
New Password | Enter a Password with up to 16 characters. The characters will not be displayed and are masked. The following characters are supported: • 0-9 • A-Z • a-z • Special characters: + & ? > - } | . ! ( ' , _ [ " @ # ) * ; $ ] / § % = < : { I \
Confirm New Password | Retype the iDRAC user’s password to confirm.
Table 6-4.
Table 6-5. iDRAC User Privileges (continued)
Property | Description
Configure iDRAC | Enables the user to configure the iDRAC.
Configure Users | Enables the user to allow specific users to access the system. CAUTION: This privilege is normally reserved for users who are members of the Administrator role on iDRAC. However, users in the ‘Operator’ role can be assigned this privilege. A user with this privilege can modify any user’s configuration.
Public Key Authentication over SSH iDRAC6 supports the Public Key Authentication (PKA) over SSH. This authentication method improves SSH scripting automation by removing the need to embed or prompt for a user ID/password. Before You Begin You can configure up to 4 public keys per user that can be used over an SSH interface. Before adding or deleting public keys, ensure that you use the view command to see what keys are already set up, so a key is not accidentally overwritten or deleted.
To use the PuTTY Key Generator for Windows clients to create the basic key: 1 Start the application and select either SSH-2 RSA or SSH-2 DSA for the type of key to generate. (SSH-1 is not supported). 2 The supported key generation algorithms are RSA and DSA only. Enter the number of bits for the key. The number should be between 768 and 4096 bits for RSA and 1024 bits for DSA. 3 Click Generate and move the mouse in the window as directed. After the key is created, you can modify the key comment field.
Logging in Using Public Key Authentication
After the public keys are uploaded, you can log into the iDRAC6 over SSH without entering a password. You also have the option of sending a single RACADM command as a command line argument to the SSH application. The command line options behave similarly to remote RACADM since the session ends after the command is completed. For example: Logging in: ssh username@ or ssh username@ where IP_address is the IP address of the iDRAC6.
Table 6-7. SSH Key Configurations
Option | Description
Upload SSH Key(s) | Allows the local user to upload a Secure Shell (SSH) public key file. If a key is uploaded, the content of the key file is displayed in a non-editable text box on the User Configuration page.
View/Remove SSH Key(s) | Allows the local user to view or delete a specified SSH key or all SSH keys.
The Upload SSH Key(s) page enables you to upload a Secure Shell (SSH) public key file.
Local RACADM and Remote RACADM: racadm sshpkauth -i <2 to 16> -k <1 to 4> -f racadm sshpkauth -i <2 to 16> -k <1 to 4> -t Telnet/SSH/Serial RACADM: racadm sshpkauth -i <2 to 16> -k <1 to 4> -t Example: Upload a valid key to the iDRAC6 User 2 in the first key space using a file: $ racadm sshpkauth -i 2 -k 1 -f pkkey.key PK SSH Authentication Key file successfully uploaded to the RAC. CAUTION: The "key text" option is supported on local and remote RACADM.
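Because iDRAC6 accepts RSA keys as small as 768 bits, it is worth checking a public key's type and size before uploading it with racadm sshpkauth. The following Python sketch is an added example, not part of RACADM: it assumes the key is in the one-line OpenSSH format, the 2048-bit minimum is an assumed site policy rather than an iDRAC6 limit, and constructed_key builds structurally valid but unusable sample keys.

```python
import base64
import struct

# Limits stated in this guide: RSA 768 to 4096 bits, DSA 1024 bits only.
IDRAC6_LIMITS = {"ssh-rsa": (768, 4096), "ssh-dss": (1024, 1024)}
POLICY_MIN_RSA_BITS = 2048   # assumption: site policy, not an iDRAC6 limit


def read_field(blob, offset):
    """Read one length-prefixed field (SSH wire 'string' or 'mpint')."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def inspect_public_key(line):
    """Return (key type, size in bits) for '<type> <base64> [comment]'.

    The size is None for key types other than ssh-rsa and ssh-dss.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    name, offset = read_field(blob, 0)
    key_type = name.decode("ascii", "replace")
    if key_type != fields[0]:
        raise ValueError("key type label does not match the key blob")
    if key_type == "ssh-rsa":
        _exponent, offset = read_field(blob, offset)
        number, _ = read_field(blob, offset)      # modulus n
    elif key_type == "ssh-dss":
        number, _ = read_field(blob, offset)      # prime p
    else:
        return key_type, None
    return key_type, int.from_bytes(number, "big").bit_length()


def check_for_upload(line):
    """Return a verdict string starting with 'ok', 'warn' or 'reject'."""
    key_type, bits = inspect_public_key(line)
    if key_type not in IDRAC6_LIMITS:
        return f"reject: {key_type} is not RSA or DSA"
    low, high = IDRAC6_LIMITS[key_type]
    if not low <= bits <= high:
        return f"reject: {bits}-bit {key_type} is outside {low}-{high} bits"
    if key_type == "ssh-dss":
        return "warn: DSA keys are limited to 1024 bits, prefer RSA"
    if bits < POLICY_MIN_RSA_BITS:
        return f"warn: {bits}-bit RSA is below the {POLICY_MIN_RSA_BITS}-bit policy"
    return "ok"


def mpint(value):
    """Encode a positive integer as an SSH mpint (leading 0x00 if needed)."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw


def constructed_key(key_type, bits):
    """Build a sample key line of the given size (test input, not a real key)."""
    big = (1 << (bits - 1)) | 1
    name = key_type.encode("ascii")
    blob = struct.pack(">I", len(name)) + name
    if key_type == "ssh-rsa":
        blob += mpint(65537) + mpint(big)                    # e, n
    else:
        blob += mpint(big) + mpint(3) + mpint(2) + mpint(5)  # p, q, g, y
    return f"{key_type} {base64.b64encode(blob).decode()} constructed-sample"


if __name__ == "__main__":
    for kind, size in (("ssh-rsa", 512), ("ssh-rsa", 1024),
                       ("ssh-rsa", 2048), ("ssh-dss", 1024)):
        print(kind, size, "->", check_for_upload(constructed_key(kind, size)))
```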
Using the RACADM Utility to Configure iDRAC6 Users NOTE: You must be logged in as user root to execute RACADM commands on a remote Linux system. Single or multiple iDRAC6 users can be configured using the RACADM command line that is installed with the iDRAC6 agents on the managed system.
type the following command once for each index of 1–16: racadm getconfig -g cfgUserAdmin -i NOTE: You can also type racadm getconfig -f and view or edit the myfile.cfg file, which includes all iDRAC6 configuration parameters. Several parameters and object IDs are displayed with their current values.
Example The following example describes how to add a new user named "John" with a "123456" password and LOGIN privileges to the RAC.
Enabling an iDRAC6 User With Permissions To enable a user with specific administrative permissions (role-based authority), first locate an available user index by performing the steps in "Before You Begin" on page 137. Next, type the following command lines with the new user name and password. NOTE: For a list of valid bit mask values for specific user privileges, see the iDRAC6 and CMC Command Line Reference Guide available on the Dell Support website at dell.com/support/manuals.
7 Using the iDRAC6 Directory Service
A directory service maintains a common database for storing information about users, computers, printers, etc. on a network. If your company uses either the Microsoft Active Directory or the LDAP Directory Service software, you can configure the software to provide access to iDRAC6, allowing you to add and control iDRAC6 user privileges to your existing users in your directory service.
Table 7-1.
Prerequisites for Enabling Microsoft Active Directory Authentication for iDRAC6 To use the Active Directory authentication feature of the iDRAC6, you must have already deployed an Active Directory infrastructure. See the Microsoft website for information on how to set up an Active Directory infrastructure, if you do not already have one.
3 In the Automatic Certificate Request Setup Wizard, click Next and select Domain Controller. 4 Click Next and click Finish. Exporting the Domain Controller Root CA Certificate to the iDRAC6 NOTE: If your system is running Windows 2000 or if you are using a standalone CA, the following steps may vary. 1 Locate the domain controller that is running the Microsoft Enterprise CA service. 2 Click Start→Run. 3 In the Run field, type mmc and click OK.
To upload the certificate using the Web-based interface, see "Configuring Microsoft Active Directory With Extended Schema Using the iDRAC6 Web-Based Interface" on page 160 or "Configuring Microsoft Active Directory With Standard Schema Using the iDRAC6 Web-Based Interface" on page 168.
5 Click Next and select whether you would like Windows to automatically select the certificate store based on the type of certificate, or browse to a store of your choice. 6 Click Finish and click OK. Supported Active Directory Authentication Mechanisms You can use Active Directory to define user access on the iDRAC6 through two methods: you can use the extended schema solution, which Dell has customized to add Dell-defined Active Directory objects.
unique Attributes and Classes to solve environment-specific needs. Dell has extended the schema to include the necessary changes to support remote management Authentication and Authorization. Each Attribute or Class that is added to an existing Active Directory Schema must be defined with a unique ID.
The iDRAC Device object is the link to the iDRAC firmware for querying Active Directory for authentication and authorization. When an iDRAC is added to the network, the Administrator must configure the iDRAC and its device object with its Active Directory name so users can perform authentication and authorization with Active Directory. Additionally, the Administrator must add the iDRAC to at least one Association Object in order for users to authenticate.
Users, user groups, or nested user groups from any domain can be added into the Association Object. Extended Schema solutions support any user group type and any user group nesting across multiple domains allowed by Microsoft Active Directory. Accumulating Privileges Using Extended Schema The Extended Schema Authentication mechanism supports Privilege Accumulation from different privilege objects associated with the same user through different Association Objects.
For example, Priv1 has these privileges: Login, Virtual Media, and Clear Logs and Priv2 has these privileges: Login to iDRAC, Configure iDRAC, and Test Alerts. As a result, User1 now has the privilege set: Login to iDRAC, Virtual Media, Clear Logs, Configure iDRAC, and Test Alerts, which is the combined privilege set of Priv1 and Priv2.
Extending the Active Directory Schema Important: The schema extension for this product is different from the previous generations of Dell Remote Management products. You must extend the new schema and install the new Active Directory Users and Computers Microsoft Management Console (MMC) Snap-in on your directory. The old schema does not work with this product. NOTE: Extending the new schema or installing the new extension to Active Directory User and Computer Snap-in has no impact on previous products.
The LDIF files and Dell Schema Extender are located on your Dell Systems Management Tools and Documentation DVD in the following respective directories:
• DVD drive:\SYSMGMT\ManagementStation\support\OMActiveDirectory_Tools\Remote_Management_Advanced\LDIF_Files
• :\SYSMGMT\ManagementStation\support\OMActiveDirectory_Tools\Remote_Management_Advanced\Schema_Extender
NOTE: The Remote_Management folder is for extending the Schema on older remote access products like DRAC 4 and DRAC 5, and the Re
Table 7-2. Class Definitions for Classes Added to the Active Directory Schema
Class Name | Assigned Object Identification Number (OID)
delliDRACDevice | 1.2.840.113556.1.8000.1280.1.7.1.1
delliDRACAssociation | 1.2.840.113556.1.8000.1280.1.7.1.2
dellRAC4Privileges | 1.2.840.113556.1.8000.1280.1.1.1.3
dellPrivileges | 1.2.840.113556.1.8000.1280.1.1.1.4
dellProduct | 1.2.840.113556.1.8000.1280.1.1.1.5
Table 7-3. dellRacDevice Class
OID | 1.2.840.113556.1.8000.1280.1.7.1.
Table 7-5. dellRAC4Privileges Class
OID | 1.2.840.113556.1.8000.1280.1.1.1.3
Description | Used to define the privileges (Authorization Rights) for the iDRAC device.
Class Type | Auxiliary Class
SuperClasses | None
Attributes | dellIsLoginUser dellIsCardConfigAdmin dellIsUserConfigAdmin dellIsLogClearAdmin dellIsServerResetUser dellIsConsoleRedirectUser dellIsVirtualMediaUser dellIsTestAlertUser dellIsDebugCommandAdmin
Table 7-6. dellPrivileges Class
OID | 1.2.840.113556.1.8000.1280.1.1.1.
Table 7-8. List of Attributes Added to the Active Directory Schema Attribute Name/Description Assigned OID/Syntax Object Identifier Single Valued dellPrivilegeMember 1.2.840.113556.1.8000.1280.1.1.2.1 FALSE List of dellPrivilege Objects that belong to this Attribute. Distinguished Name (LDAPTYPE_DN 1.3.6.1.4.1.1466.115.121.1.12) dellProductMembers 1.2.840.113556.1.8000.1280.1.1.2.2 FALSE List of dellRacDevice and Distinguished Name (LDAPTYPE_DN DelliDRACDevice Objects that 1.3.6.1.4.1.1466.115.
Table 7-8. List of Attributes Added to the Active Directory Schema (continued) Attribute Name/Description Assigned OID/Syntax Object Identifier Single Valued dellIsVirtualMediaUser 1.2.840.113556.1.8000.1280.1.1.2.9 TRUE TRUE if the user has Virtual Media rights on the device. Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.1.7) dellIsTestAlertUser 1.2.840.113556.1.8000.1280.1.1.2.10 TRUE if the user has Test Alert User rights on the device. Boolean (LDAPTYPE_BOOLEAN 1.3.6.1.4.1.1466.115.121.
Installing Dell Extension to Microsoft Active Directory Users and Computers Snap-In When you extend the schema in Active Directory, you must also extend the Active Directory Users and Computers Snap-in so the administrator can manage iDRAC devices, Users and User Groups, iDRAC Associations, and iDRAC Privileges.
3 Click Add/Remove Snap-in. 4 Select the Active Directory Users and Computers Snap-in and click Add. 5 Click Close and click OK. Adding iDRAC Users and Privileges to Microsoft Active Directory Using the Dell-extended Active Directory Users and Computers Snap-in, you can add iDRAC users and privileges by creating iDRAC, Association, and Privilege objects.
5 Click OK. 6 Right-click the privilege object that you created, and select Properties. 7 Click the Remote Management Privileges tab and select the privileges that you want the user to have. Creating an Association Object NOTE: The iDRAC Association Object is derived from Group and its scope is set to Domain Local. 1 In the Console Root (MMC) window, right-click a container. 2 Select New→Dell Remote Management Object Advanced. This opens the New Object window. 3 Type a name for the new object.
Adding Privileges 1 Select the Privileges Object tab and click Add. 2 Type the Privilege Object name and click OK. Click the Products tab to add one iDRAC device connected to the network that is available for the defined users or user groups. Multiple iDRAC devices can be added to an Association Object. Adding iDRAC Devices To add iDRAC devices: 1 Select the Products tab and click Add. 2 Type the iDRAC device name and click OK. 3 In the Properties window, click Apply and click OK.
8 (Optional: For AD authentication) Under Upload Kerberos Keytab, type the path of the keytab file or browse to locate the file. Click Upload. The Kerberos keytab is uploaded into iDRAC6. 9 Click Next. The Active Directory Configuration and Management Step 2 of 4 page is displayed. 10 Select Enable Active Directory. CAUTION: In this release, the Smart Card based Two Factor Authentication (TFA) feature is not supported if the Active directory is configured for Extended schema.
addresses of the domain controllers where the iDRAC6 device object and the Association objects are located. NOTE: The FQDN or IP address that you specify in the Domain Controller Server Address field should match the Subject or Subject Alternative Name field of your domain controller certificate if you have certificate validation enabled. 15 Click Next. The Active Directory Configuration and Management Step 3 of 4 page is displayed. 16 Under Schema Selection, select Extended Schema. 17 Click Next.
Configuring Microsoft Active Directory With Extended Schema Using RACADM Use the following commands to configure the iDRAC6 Microsoft Active Directory feature with Extended Schema using the RACADM CLI tool instead of the Web-based interface.
If you want to use DNS lookup to obtain the Active Directory Domain Controller server address, type the following command:
racadm config -g cfgActiveDirectory -o cfgADDcSRVLookupEnable=1
• To perform the DNS lookup with the domain name of the login user:
racadm config -g cfgActiveDirectory -o cfgADDcSRVLookupbyUserdomain=1
• To specify the domain name to use on the DNS lookup:
racadm config -g cfgActiveDirectory -o cfgADDcSRVLookupDomainName
If you want to disable
2 If you want to specify the time in seconds to wait for Active Directory (AD) queries to complete before timing out, type the following command: racadm config -g cfgActiveDirectory -o cfgADAuthTimeout
Standard Schema Active Directory Overview As shown in Figure 7-3, using standard schema for Active Directory integration requires configuration on both Active Directory and iDRAC6. Figure 7-3. Configuration of iDRAC with Microsoft Active Directory and Standard Schema Configuration on iDRAC Side Configuration on Active Directory Side Role Group Role Group Name and Domain Name Role Definition User On the Active Directory side, a standard group object is used as a role group.
Table 7-9.
3 Configure the name of the group and the domain name on iDRAC6 using either the Web-based interface or RACADM. For more information, see "Configuring Microsoft Active Directory With Standard Schema Using the iDRAC6 Web-Based Interface" on page 168 or "Configuring Microsoft Active Directory With Standard Schema Using RACADM" on page 171. Configuring Microsoft Active Directory With Standard Schema Using the iDRAC6 Web-Based Interface 1 Open a supported Web browser window.
12 Click Add to enter the user domain name. 13 Type the user domain name in the prompt and click OK. 14 In the Timeout fields, type the time (in seconds) iDRAC must wait for Active Directory responses. The default is 120 seconds. 15 Select one of the following options: a Look Up Domain Controllers with DNS option to obtain the Active Directory domain controllers from a DNS lookup. Domain Controller Server Addresses 1-3 are ignored.
19 Select one of the following options: • Select the Look Up Global Catalog Servers with DNS option and enter the Root Domain Name to use on a DNS lookup to obtain the Active Directory Global Catalog Servers. Global Catalog Server Addresses 1-3 are ignored. iDRAC6 attempts to connect to each of the addresses (first 4 addresses returned by the DNS lookup) one by one until it makes a successful connection.
24 Click Apply to save the role group settings. The iDRAC6 Web server automatically returns you to the Step 4a of 4 Active Directory Configuration and Management page where your settings are displayed. 25 Configure additional Role Groups, if required. 26 Click Finish to return to the Active Directory Configuration and Management page. 27 Click Test Settings to check the Active Directory Standard Schema settings. 28 Type your iDRAC6 user name and password. The test results and the test log are displayed.
racadm config -g cfgStandardSchema -i -o cfgSSADRoleGroupPrivilege NOTE: For Bit Mask Number values, see the RACADM iDRAC6 and CMC Command Line Reference Guide available on the Dell Support website at dell.com/support/manuals.
• To specify the domain name to use on the DNS lookup:
racadm config -g cfgActiveDirectory -o cfgADDcSRVLookupDomainName
To specify the Global Catalog server address, type the following command:
racadm config -g cfgActiveDirectory -o cfgADGlobalCatalog1
racadm config -g cfgActiveDirectory -o cfgADGlobalCatalog2
racadm config -g c
If you want to enforce the certificate validation during SSL handshake, type the following RACADM command:
racadm config -g cfgActiveDirectory -o cfgADCertValidationEnable 1
In this case, you must also upload the CA certificate using the following RACADM command:
racadm sslcertupload -t 0x2 -f
Using the following RACADM command may be optional. See "Importing the iDRAC6 Firmware SSL Certificate" on page 145 for additional information.
5 If you want to configure a list of user domains so that you only need to enter the user name during login to the Web-based interface, type the following command:
racadm config -g cfgUserDomain -o cfgUserDomainName -i
Up to 40 user domains can be configured with index numbers between 1 and 40. See "Generic LDAP Directory Service" on page 176 for details about user domains.
Generic LDAP Directory Service iDRAC6 provides a generic solution to support Lightweight Directory Access Protocol (LDAP) based authentication. This feature does not require any schema extension on your directory services. To make the iDRAC6 LDAP implementation generic, the commonality between different directory services is utilized to group users and then map the user-group relationship. The directory service specific action is the schema.
The Generic LDAP Configuration and Management Step 1 of 3 page is displayed. Use this page to configure the digital certificate used during initiation of SSL connections when communicating with a generic LDAP server. These communications use LDAP over SSL (LDAPS). If you enable certificate validation, upload the certificate of the Certificate Authority (CA) that issued the certificate used by the LDAP server during initiation of SSL connections.
8 Enter the following information:
• Select Enable Generic LDAP.
NOTE: In this release, nested group is not supported. The firmware searches for the direct member of the group to match the user DN. Also, only single domain is supported. Cross domain is not supported.
• Select the Use Distinguished Name to Search Group Membership option to use the Distinguished Name (DN) as group members. iDRAC6 compares the User DN retrieved from the directory with the members of the group.
• In the Search Filter field, enter a valid LDAP search filter. Use the filter if the user attribute cannot uniquely identify the login user within the chosen Base DN. If not specified, the value defaults to objectClass=*, which searches for all objects in the tree. This additional search filter configured by the user applies only to userDN search and not the group membership search. 9 Click Next. The Generic LDAP Configuration and Management Step 3a of 3 page is displayed.
14 Configure additional role groups if required. 15 Click Finish to return to the Generic LDAP Configuration and Management summary page. 16 Click Test Settings to check the generic LDAP settings. 17 Enter the user name and password of a directory user that is chosen to test the LDAP settings. The format depends on what Attribute of User Login is used and the user name entered must match the value of the chosen attribute. The test results and the test log are displayed.
Additional settings to test BindDN option
racadm config -g cfgldap -o cfgLdapBindDN "cn=idrac_admin,ou=iDRAC_admins,ou=People,dc=common,dc=com"
racadm config -g cfgldap -o cfgLdapBindPassword password
NOTE: Configure iDRAC6 to use a Domain Name Server, which resolves the LDAP server hostname that iDRAC6 is configured to use in the LDAP server address. The hostname must match the "CN" or "Subject" in the LDAP server's certificate.
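The name-matching requirement in the NOTE above, and in the earlier NOTE on the Domain Controller Server Address field, can be checked before certificate validation is enabled. The following Python sketch is an added example, not Dell code: it assumes conventional matching rules (case-insensitive names, a wildcard only as the whole left-most label, Subject commonName as fallback), which this guide does not spell out, and the certificate data and host names are constructed.

```python
import ipaddress

# Constructed sample: server certificate fields in the dict layout returned by
# ssl.SSLSocket.getpeercert(). All names and addresses are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "dc1.corp.example.com"),),),
    "subjectAltName": (
        ("DNS", "dc1.corp.example.com"),
        ("DNS", "*.ldap.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _dns_match(pattern, host):
    """Case-insensitive compare; '*' counts only as the entire left-most label."""
    want = pattern.lower().rstrip(".").split(".")
    have = host.lower().rstrip(".").split(".")
    if len(want) != len(have) or "" in have:
        return False
    if want[0] == "*":
        # Refuse overly broad patterns such as '*.com'.
        return len(want) > 2 and want[1:] == have[1:]
    return want == have


def check_address(address, cert):
    """Return (ok, reason) for one configured server address (assumed rules)."""
    sans = cert.get("subjectAltName", ())
    common_names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                    if k == "commonName"]
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None  # not an IP literal, treat it as a host name

    if ip is not None:
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, "matches SAN IP Address " + value
        if address in common_names:
            return True, "matches Subject commonName " + address
        return False, "IP address is not listed in the certificate"

    for kind, value in sans:
        if kind == "DNS" and _dns_match(value, address):
            return True, "matches SAN DNS " + value
    for cn in common_names:
        if _dns_match(cn, address):
            return True, "matches Subject commonName " + cn
    if "." not in address:
        return False, "short host name; configure the FQDN used in the certificate"
    return False, "host name is not listed in the certificate"


def audit(addresses, cert):
    """Return {address: reason} for every address that would fail validation."""
    failures = {}
    for address in addresses:
        ok, reason = check_address(address, cert)
        if not ok:
            failures[address] = reason
    return failures


if __name__ == "__main__":
    configured = ["dc1.corp.example.com", "192.0.2.11", "dc1"]
    for address, reason in audit(configured, SAMPLE_CERT).items():
        print(address, "->", reason)
```

To check a live server, pass the dict returned by `getpeercert()` on a verified `ssl` connection in place of `SAMPLE_CERT`.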
I enabled certificate validation but my Active Directory login failed. I ran the diagnostics from the GUI and the test results show the following error message: ERROR: Can't contact LDAP server, error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed: Please check the correct Certificate Authority (CA) certificate has been uploaded to iDRAC.
3 Disable certificate validation if you choose to trust this domain controller without certificate validation during the SSL handshake. I am using extended schema in a multiple domain environment. How should I configure the domain controller address(es)? This should be the host name (FQDN) or the IP address of the domain controller(s) that serves the domain in which the iDRAC6 object resides.
What should I check if I cannot log into the iDRAC6 using Active Directory? You can diagnose the problem by clicking Test Settings at the bottom of the Active Directory Configuration and Management page in the iDRAC6 Web-based interface. Then, you can fix the specific problem indicated by the test results. For additional information, see "Testing Your Configurations" on page 175.
8 Configuring iDRAC6 for Single Sign-On or Smart Card Login

This section provides information to configure iDRAC6 for Smart Card login for local users and Active Directory users, and Single Sign-On (SSO) login for Active Directory users. iDRAC6 supports Kerberos based Active Directory authentication to support Active Directory Smart Card and SSO logins.

About Kerberos Authentication
Kerberos is a network authentication protocol that allows systems to communicate securely over a non-secure network.
Prerequisites for Active Directory SSO and Smart Card Authentication
The pre-requisites for both Active Directory SSO and Smart Card authentication are:
• Configure the iDRAC6 for Active Directory login. For more information, see "Using the iDRAC6 Directory Service" on page 141.
• Register the iDRAC6 as a computer in the Active Directory root domain. To do this:
a Click iDRAC Settings → Network/Security tab → Network subtab.
b Provide a valid Preferred/Alternate DNS Server IP address.
Since the iDRAC6 is a device with a non-Windows operating system, run the ktpass utility—part of Microsoft Windows—on the domain controller (Active Directory server) where you want to map the iDRAC6 to a user account in Active Directory. For example, use the following ktpass command to create the Kerberos keytab file: C:\>ktpass -princ HOST/dracname.domainname.com@DOMAINNAME.
Browser Settings to Enable Active Directory SSO
To configure the browser settings for Internet Explorer:
1 Open Internet Explorer Web browser.
2 Select Tools → Internet Options → Security → Local Intranet.
3 Click Sites.
4 Select the following options only:
• Include all local (intranet) sites not listed on other zones.
• Include all sites that bypass the proxy server.
5 Click Advanced.
Using Microsoft Active Directory SSO The SSO feature enables you to log into the iDRAC6 directly after logging into your workstation without entering your domain user authentication credentials, such as user name and password. To log into the iDRAC6 using this feature, you should have already logged into your system using a valid Active Directory user account. Also, you should have configured the user account to log into the iDRAC6 using the Active Directory credentials.
7 Click Next until the last page is displayed. If Active Directory is configured to use standard schema, then Active Directory Configuration and Management Step 4a of 4 page is displayed. If Active Directory is configured to use extended schema, then Active Directory Configuration and Management Step 4 of 4 page is displayed. 8 Click Finish to apply the settings.
You are logged into the iDRAC6 with appropriate Microsoft Active Directory privileges if: • You are a Microsoft Active Directory user. • You are configured in the iDRAC6 for Active Directory login. • The iDRAC6 is enabled for Kerberos Active Directory authentication. Configuring Smart Card Authentication The iDRAC6 supports the Two Factor Authentication (TFA) feature by enabling Smart Card Logon. The traditional authentication schemes use user name and password to authenticate users.
to a file in the Base64 encoded form. You should upload this file as the trusted CA certificate for the user. Configure the user with the username that forms the user’s User Principal Name (UPN) in the Smart Card certificate. NOTE: To log into the iDRAC6, the user name that you configure in the iDRAC6 should have the same case as the User Principal Name (UPN) in the Smart Card certificate. For example, in case the Smart Card certificate has been issued to the user, "sampleuser@domain.
3 Click Apply.

Table 8-1. Smart Card Settings
Setting: Configure Smart Card Logon
Description:
• Disabled — Disables Smart Card logon. Subsequent logins from the graphical user interface (GUI) display the regular login page. All command line out-of-band interfaces including secure shell (SSH), Telnet, Serial, and remote RACADM retain their state.
• Enabled — Enables Smart Card logon. After applying the changes, logout, insert your Smart Card and then click Login to enter your Smart Card PIN.
Table 8-1. Smart Card Settings (continued)
Setting: Enable CRL check for Smart Card Logon
Description: This check is available only for Smart Card local users. Select this option if you want iDRAC6 to check the Certificate Revocation List (CRL) for revocation of the user's Smart Card certificate. The user's iDRAC certificate, which is downloaded from the Certificate Revocation List (CRL) distribution server is checked for revocation in the CRL.
https://<IP address>:<port number>
where IP address is the IP address for the iDRAC6 and port number is the HTTPS port number. The iDRAC6 Login page is displayed prompting you to insert the Smart Card.
2 Insert the Smart Card into the reader and click Login. The iDRAC6 prompts you for the Smart Card’s PIN.
3 Enter the Smart Card PIN for local Smart Card users and if the user is not created locally, iDRAC6 will prompt to enter the password for the user’s Active Directory account.
Troubleshooting the Smart Card Logon in iDRAC6 Use the following tips to debug an inaccessible Smart Card: ActiveX plug-in unable to detect the Smart Card reader Ensure that the Smart Card is supported on the Microsoft Windows operating system. Windows supports a limited number of Smart Card cryptographic service providers (CSPs).
• For 64–bit Windows platforms, the iDRAC6 authentication Active–X plug–in is not installed if a 64–bit version of Microsoft Visual C++ 2005 Redistributable Package is deployed. To install and run the Active–X plug–in properly, deploy the 32–bit version of Microsoft Visual C++ 2005 SP1 Redistributable Package (x86). This package is required to launch the Virtual Console session on an Internet Explorer browser.
• If you receive the following error message "Not able to load the Smart Card Plug–in.
of 18:00 which would require you to enter 360 in the above command for the offset. You can also use cfgRacTuneDaylightoffset to allow for daylight savings variation. This saves you from having to change the time on those two occasions every year when the daylight savings adjustments are made, or allow for it in the above offset using 300 in the above example. Frequently Asked Questions About SSO SSO login fails on Windows Server 2008 R2 x64.
5 Enable all the options.
6 Click OK. You can now log in to iDRAC using SSO.
Perform the following additional settings for Extended Schema:
1 In the Local Group Policy Editor window, navigate to Local Computer Settings → Windows Settings → Security Settings → Local Policies → Security Options.
2 Right-click Network Security: Restrict NTLM: Outgoing NTLM traffic to remote server and select Properties.
3 Select Allow all.
4 Click OK and then close the Local Group Policy Editor window.
5 Go to Start and run cmd.
9 Using GUI Virtual Console

This section provides information about using the iDRAC6 Virtual Console feature.

Overview
The iDRAC6 Virtual Console feature enables you to access the local console remotely in either graphic or text mode. Using Virtual Console, you can control one or more iDRAC6-enabled systems from one location. You do not have to sit in front of each server to perform all the routine maintenance.
The following rules apply to a Virtual Console session:
• A maximum of four simultaneous Virtual Console sessions are supported. All sessions view the same managed server console simultaneously.
• From 1.5 release version onwards, multiple sessions to multiple remote servers are possible from the same client, based on the order in which they are opened. If a Virtual Console session using Java plug-in is open, you can open another Virtual Console session using ActiveX plug-in.
Configuring Your Management Station To use Virtual Console on your management station, perform the following procedures: 1 Install and configure a supported Web browser. See the following sections for more information: • "Supported Web Browsers" on page 25 • "Configuring a Supported Web Browser" on page 41 2 If you are using Firefox or want to use the Java Viewer with Internet Explorer, install a Java Runtime Environment (JRE).
5 It is recommended that you configure your monitor display resolution to 1280x1024 pixels or higher. NOTE: If your system is running a Linux operating system, an X11 console may not be viewable on the local monitor. Press at the iDRAC6 Virtual Console to switch Linux to a text console. NOTE: Occasionally, you may encounter the following Java Script Compilation Error: "Expected: ;".
To clear older versions of Java viewer in Windows or Linux, do the following:
1 At the command prompt, run javaws -viewer or javaws -uninstall.
2 The Java Cache viewer is displayed.
3 Delete the items titled iDRAC6 Virtual Console Client.

Internet Explorer Browser Configurations for ActiveX based Virtual Console and Virtual Media Applications
This section provides information about the Internet Explorer browser settings required to launch and run ActiveX based Virtual Console and Virtual Media applications.
Additional Settings for Windows Vista or Newer Microsoft Operating Systems
The Internet Explorer browsers in Windows Vista or newer operating systems have an additional security feature called ‘Protected Mode’. You can launch and run ActiveX applications in Internet Explorer browsers with ‘Protected Mode’ in one of the following ways:
• Go to Program Files → Internet Explorer. Right-click iexplore.exe and click Run as administrator.
• Add the iDRAC IP address to the Trusted Sites.
Configuring Virtual Console in the iDRAC6 Web Interface
To configure Virtual Console in the iDRAC6 Web interface, perform the following steps:
1 Click System → Console/Media → Configuration to configure iDRAC6 Virtual Console settings.
2 Configure the Virtual Console properties. Table 9-2 describes the settings for Virtual Console.
3 When completed, click Apply to save the new settings.
Table 9-2.
Table 9-2. Virtual Console Configuration Properties (continued) Property Description Video Encryption Enabled Checked indicates that video encryption is enabled. All traffic going to the video port is encrypted. Unchecked indicates that video encryption is disabled. Traffic going to the video port is not encrypted. The default is Encrypted. Disabling encryption can improve performance on slower networks.
To open a Virtual Console session in the Web interface, perform the following steps:
1 Click System → Console/Media → Virtual Console and Virtual Media.
2 Use the information in Table 9-3 to ensure that a Virtual Console session is available. If you want to reconfigure any of the property values displayed, see "Configuring Virtual Console in the iDRAC6 Web Interface" on page 207.
Table 9-3.
3 If a Virtual Console session is available, click Launch Virtual Console on the Virtual Console and Virtual Media page. NOTE: Multiple message boxes may appear after you launch the application. To prevent unauthorized access to the application, navigate through these message boxes within three minutes. Otherwise, you will be prompted to relaunch the application. NOTE: If one or more Security Alert windows appear in the following steps, read the information in the window and click Yes to continue.
Table 9-4. Virtual Console Preview Options (continued)
Option: Settings
Description: Click this link to view or edit the Virtual Console configuration settings on the Console/Media Configuration page. NOTE: You must have Configure iDRAC privileges to edit the Virtual Console configuration settings.
Option: Refresh
Description: Click this link to refresh the displayed Virtual Console image.
Table 9-5 describes the menu options that are available for use in the viewer. Table 9-5. Viewer Menu Bar Selections Menu Item Item Description "Pin" icon NA Click on the "pin" icon to lock the iDRAC6 Virtual Console menu bar. This prevents the tool bar from auto-hiding. NOTE: This is applicable only for the Active-X Viewer and not for Java plug-in. Virtual Media Launch Virtual Media The Virtual Media Session is displayed which lists the devices available for mapping in the main window.
Table 9-5. Viewer Menu Bar Selections (continued)
Menu Item: View
• Refresh: Refreshes the view of the Video Virtual Console. The Virtual Console requests a reference video frame from the server.
• Full Screen/Windowed: View the Video Virtual Console in full screen mode. To exit from full screen mode, click Windowed.
• Fit: Resizes the Video Virtual Console window to the minimum size that is needed to display the server's video. This menu item is not available in full screen mode.
Table 9-5. Viewer Menu Bar Selections (continued) Menu Item Item Description Macros • Alt+Ctrl+Del When you select a macro, or enter the hotkey specified for the macro, the action is executed on the remote system.
Table 9-5. Viewer Menu Bar Selections (continued) Menu Item Item Description Tools Session Options The Sessions Options window provides additional session viewer control adjustments. This window has the General and Mouse tabs. You can control the Keyboard pass through mode from the General tab. Select Pass all keystrokes to target to pass your management station's keystrokes to the remote system. The mouse tab contains two sections: Single Cursor and Mouse Acceleration.
Table 9-5. Viewer Menu Bar Selections (continued) Menu Item Item Description Power Power ON System Powers on the system. Power OFF System Powers off the system. Graceful Shutdown Shuts down the system. NOTE: Ensure that the shutdown option is configured for the operating system before you perform a graceful shutdown using this option. If you use this option without configuring it on the operating system, it reboots the managed system instead of performing a shutdown operation.
3 To disable (turn off) local video on the server, clear the Local Server Video Enabled checkbox on the Configuration page, and then click Apply. The default value is OFF. NOTE: If the local server video is turned ON, it will take 15 seconds to turn OFF. 4 To enable (turn on) local video on the server, check the Local Server Video Enabled checkbox on the Configuration page, and then click Apply.
If Virtual Console is disabled in iDRAC6, the user or administrator can still launch the Virtual Media, if their privileges are sufficient. For more information on sufficient privileges, see "Launching Virtual Console and Virtual Media Remotely" on page 217.

General Error Scenarios
Table 9-6 lists general error scenarios, the reasons for those errors, and the iDRAC6 behavior.
Table 9-6.
Frequently Asked Questions on Virtual Console
Table 9-7 lists frequently asked questions and answers.
Table 9-7. Using Virtual Console: Frequently Asked Questions
Question: Virtual Console fails to log out when the out–of–band Web GUI is logged out.
Answer: The Virtual Console and Virtual Media sessions stay active even if the Web session is logged off. Close the Virtual Media and Virtual Console viewer applications to log out of the corresponding session.
Can a new remote console Yes.
Table 9-7. Using Virtual Console: Frequently Asked Questions (continued) Question Answer How can I get the current status of the local server video? The status is displayed on the Virtual Console Configuration page of the iDRAC6 Web interface. I cannot see the bottom of the system screen from the Virtual Console window. Ensure that the management station’s monitor resolution is set to 1280x1024. Try using the scroll bars on the iDRAC6 Virtual Console client, as well. The console window is garbled.
Table 9-7. Using Virtual Console: Frequently Asked Questions (continued) Question Answer Why can't I use a keyboard or mouse while installing a Microsoft operating system remotely by using iDRAC6 Virtual Console? When you remotely install a supported Microsoft operating system on a system with Virtual Console enabled in the BIOS, you receive an EMS Connection Message that requires that you select OK before you can continue. You cannot use the mouse to select OK remotely.
Table 9-7. Using Virtual Console: Frequently Asked Questions (continued)
Question: What are the minimum system requirements for my management station to run Virtual Console?
Answer: The management station requires an Intel Pentium III 500 MHz processor with at least 256 MB of RAM.
Question: Why do I see a No Signal message within the iDRAC6 Virtual Console Video Viewer?
Answer: You may see this message because the iDRAC6 Virtual Console plugin is not receiving the remote server desktop video.
10 Using the WS-MAN Interface

Web Services for Management (WS–MAN) is a Simple Object Access Protocol (SOAP)–based protocol used for systems management. WS–MAN provides an interoperable protocol for devices to share and exchange data across networks. iDRAC6 uses WS–MAN to convey Distributed Management Task Force (DMTF) Common Information Model (CIM)–based management information; the CIM information defines the semantics and information types that can be manipulated in a managed system.
Table 10-1. Standard DMTF (continued) 4 SM CLP Admin Domain Defines CIM classes for representing CLP’s configuration. iDRAC6 uses this profile for its own implementation of CLP. 5 Power State Management Defines CIM classes for power control operations. iDRAC6 uses this profile for the host server’s power control operations. 6 Power Supply (version 1.1) Defines CIM classes for representing power supplies.
Table 10-1. Standard DMTF (continued) 17 Profile Registration Defines CIM classes for advertising the profile implementations. iDRAC6 uses this profile to advertise its own implemented profiles, as described in this table. 18 Base Metrics Defines CIM classes for representing metrics. iDRAC6 uses this profile to represent the host server’s metrics to describe power consumption, such as high and low power consumption watermarks.
Table 10-1. Standard DMTF (continued) Dell Extensions 1 Dell Active Directory Client Version 2.0.0 Defines CIM and Dell extension classes for configuring iDRAC6 Active Directory client and the local privileges for Active Directory groups. 2 Dell Virtual Media Defines CIM and Dell extension classes for configuring iDRAC6 Virtual Media. Extends USB Redirection Profile. 3 Dell Ethernet Port Defines CIM and Dell extension classes for configuring NIC Side-Band interface for the iDRAC6 NIC.
Table 10-1. Standard DMTF (continued) 11 Dell RAID Profile Defines CIM and Dell extension classes to represent the configuration of the host's RAID storage. 12 Dell Power Supply Profile Defines CIM and Dell extension classes to represent the host's power supply inventory information. 13 Dell iDRAC Card Profile Defines CIM and Dell extension classes to represent the iDRAC6 inventory information. This profile also provides representation and methods to configure iDRAC attributes and user accounts.
For more information on Dell Lifecycle Controller Remote Services, see the following documents:
• User's Guide
• Release Notes
• Error Messages and Troubleshooting List
To access these documents:
1 Go to dell.com/support/manuals.
2 Click Software → Systems Management → Dell Unified Server Configurator and Lifecycle Controller.
3 Click the relevant version to view all the documents for a particular release.
11 Using the iDRAC6 SM-CLP Command Line Interface

This section provides information about the Distributed Management Task Force (DMTF) Server Management-Command Line Protocol (SM-CLP) that is incorporated in the iDRAC6.
NOTE: This section assumes that you are familiar with the Systems Management Architecture for Server Hardware (SMASH) Initiative and the SM-CLP specifications. For more information on these specifications, see the DMTF website at dmtf.org.
SM-CLP Features The SM-CLP promotes the concept of verbs and targets to provide system management capabilities through the CLI. The verb indicates the operation to perform, and the target determines the entity (or object) that runs the operation. See the following example of the SM-CLP command line syntax. [] [] [] During a typical SM-CLP session, you can perform operations using the verbs listed in Table 11-1. Table 11-1.
SM-CLP Targets Table 11-2 provides a list of targets provided through the SM-CLP to support the operations described in Table 11-1 above. Table 11-2.
12 Deploying Your Operating System Using VMCLI

The Virtual Media Command Line Interface (VMCLI) utility is a command-line interface that provides Virtual Media features from the management station to the iDRAC6 in the remote system. Using VMCLI and scripted methods, you can deploy your operating system on multiple remote systems in your network. This section provides information on integrating the VMCLI utility into your corporate network.
Creating a Bootable Image File Before you deploy your image file to the remote systems, ensure that a supported system can boot from the file. To test the image file, transfer the image file to a test system using the iDRAC6 Web user interface and then reboot the system. The following sections provide specific information for creating image files for Linux and Microsoft Windows systems.
When you create the image file, do the following: • Follow standard network-based installation procedures • Mark the deployment image as read only to ensure that each target system boots and executes the same deployment procedure 4 Perform one of the following procedures: • Integrate IPMItool and VMCLI into your existing operating system deployment application. Use the sample vm6deploy script as a guide to using the utility. • Use the existing vm6deploy script to deploy your operating system.
where: • is the iDRAC6 user name, for example root • is the password for the iDRAC6 user, for example calvin • is the path to an ISO9660 image of the operating system installation CD or DVD • -f {} is the path to the device containing the operating system installation CD, DVD, or Floppy • is the path to a valid floppy image The vm6deploy script passes its command line options to the VMCLI utility.
Before you run the utility, ensure that you have Virtual Media user privilege to the iDRAC6. CAUTION: It is recommended that you use the interactive flag option '-i' when starting the VMCLI command line utility. This ensures tighter security by keeping the user name and password private, because on many Windows and Linux operating systems the user name and password are visible when other users examine running processes.
The Dell Systems Management Tools and Documentation DVD includes vm6deploy—a sample script that illustrates how to use the VMCLI and IPMItool utilities to deploy software to multiple remote systems. NOTE: The vm6deploy script is dependent upon the other files that are present in its directory when it is installed. If you want to use the script from another directory, you must copy all of the files with it.
iDRAC6 User Name -u This parameter provides the iDRAC6 user name that will run Virtual Media. The must have the following attributes: • Valid user name • iDRAC6 Virtual Media User permission If iDRAC6 authentication fails, an error message is displayed and the command is terminated. iDRAC6 User Password -p This parameter provides the password for the specified iDRAC6 user.
For example, a device is specified as: -f a:\ (Windows system) -f /dev/sdb4 # 4th partition on device /dev/sdb (Linux system) NOTE: Red Hat Enterprise Linux version 4 does not provide support for multiple LUNs. However, the kernel supports this functionality. Enable Red Hat Enterprise Linux version 4 to recognize a SCSI device with multiple LUNs by following these steps: 1 Edit /etc/modprobe.conf and add the following line: options scsi_mod max_luns=8 (You can specify 8 LUNs or any number greater than 1.
CD/DVD Device or Image File -c { | } where is a valid CD/DVD drive letter (Windows systems) or a valid CD/DVD device file name (Linux systems) and is the file name and path of a valid ISO-9660 image file. This parameter specifies the device or file that will supply the virtual CD/DVD-ROM media: For example, an image file is specified as: -c c:\temp\mydvd.img (Windows systems) -c /tmp/mydvd.
Encrypted Data -e When this parameter is included in the command line, VMCLI will use an SSL-encrypted channel to transfer data between the management station and the iDRAC6 in the remote system. If this parameter is not included in the command line, the data transfer is not encrypted. NOTE: Using this option does not change the displayed Virtual Media encryption status to enabled in other iDRAC6 configuration interfaces like RACADM or the Web interface.
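The two VMCLI cautions above (a password passed with -p is visible in process listings, and a transfer without -e is not encrypted) can be checked mechanically in deployment scripts. The following Python code is an added example, not part of the Dell guide or of the vm6deploy script; the -r address option, the finding names and the sample script are assumptions constructed for illustration, and it handles POSIX shell scripts only.

```python
import shlex
from pathlib import PurePosixPath

# vm6deploy forwards its command line options to VMCLI, so both are audited.
TOOLS = {"vmcli", "vm6deploy"}
# Options that take a value. -u/-p/-c/-f are described in the guide;
# -r (iDRAC6 address or address file) is an assumption of this example.
VALUE_OPTS = {"-r", "-u", "-p", "-c", "-f"}
# Example credentials printed in the guide; they should never appear in a script.
GUIDE_EXAMPLE_CREDS = ("root", "calvin")


def tokens_of(line):
    """Split a shell command line; return [] unless it invokes VMCLI/vm6deploy."""
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError:  # unbalanced quotes: cannot be judged reliably
        return []
    if not tokens or PurePosixPath(tokens[0]).name.lower() not in TOOLS:
        return []
    return tokens


def options_of(tokens):
    """Map each option to its value, or to True for bare flags such as -e and -i."""
    opts, i = {}, 1
    while i < len(tokens):
        if tokens[i] in VALUE_OPTS and i + 1 < len(tokens):
            opts[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            opts[tokens[i]] = True
            i += 1
    return opts


def audit_line(line):
    """Return the list of findings for one command line ([] if clean or unrelated)."""
    tokens = tokens_of(line)
    if not tokens:
        return []
    opts = options_of(tokens)
    findings = []
    password = opts.get("-p")
    if isinstance(password, str):
        # A "$VAR" value is flagged too: the shell expands it into argv,
        # where other users can read it from the process list.
        findings.append("PASSWORD_IN_ARGV")
        if (opts.get("-u"), password) == GUIDE_EXAMPLE_CREDS:
            findings.append("GUIDE_EXAMPLE_CREDENTIALS")
    if "-e" not in opts:
        findings.append("UNENCRYPTED_TRANSFER")
    return findings


def redact(line):
    """Rebuild the command line with the -p value masked, for safe reporting."""
    tokens = shlex.split(line, comments=True)
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-p":
            tokens[i + 1] = "REDACTED"
    return shlex.join(tokens)


def audit_script(text):
    """Audit a whole script; returns (first line number, findings, redacted line)."""
    results, pending, start = [], "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not pending:
            start = lineno
        if raw.rstrip().endswith("\\"):  # join backslash continuations
            pending += raw.rstrip()[:-1] + " "
            continue
        line, pending = pending + raw, ""
        findings = audit_line(line)
        if findings:
            results.append((start, findings, redact(line)))
    return results


# Constructed sample deployment script (addresses, users and paths are made up).
SAMPLE_SCRIPT = r"""#!/bin/sh
# constructed example, not the vm6deploy script shipped by Dell
vmcli -r 192.0.2.10 -u root -p calvin -c /srv/images/os.iso
vmcli -r 192.0.2.11 -u deploy -p "$IDRAC_PW" -c /srv/images/os.iso -e
./vm6deploy -r ip.txt -u deploy -p s3cret \
    -c /srv/images/os.iso -e
vmcli -i -r 192.0.2.12 -c /srv/images/os.iso -e
echo done
"""

if __name__ == "__main__":
    for lineno, findings, shown in audit_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {', '.join(findings)}: {shown}")
```

The invocation that uses -i and -e and carries no -p produces no finding; that the remaining options stay on the command line when -i is used is an assumption of the sample.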
13 Configuring Intelligent Platform Management Interface This section provides information about configuring and using the iDRAC6 IPMI interface. The interface includes the following: • IPMI over LAN • IPMI over Serial • Serial over LAN The iDRAC6 is fully IPMI 2.0 compliant.
Configuring IPMI Using the RACADM CLI 1 Log in to the remote system using any of the RACADM interfaces. See "Using RACADM Remotely" on page 110. 2 Configure IPMI over LAN. Open a command prompt, type the following command, and press : racadm config -g cfgIpmiLan -o cfgIpmiLanEnable 1 NOTE: This setting determines the IPMI commands that can be executed from the IPMI over LAN interface. For more information, see the IPMI 2.0 specifications. a Update the IPMI channel privileges.
where is a 20-character encryption key in a valid hexadecimal format. 3 Configure IPMI Serial over LAN (SOL). At the command prompt, type the following command and press : racadm config -g cfgIpmiSol -o cfgIpmiSolEnable 1 a Update the IPMI SOL minimum privilege level. NOTE: The IPMI SOL minimum privilege level determines the minimum privilege required to activate IPMI SOL. For more information, see the IPMI 2.0 specification.
For example: racadm config -g cfgIpmiSol -o cfgIpmiSolBaudRate 57600 c Enable SOL for an individual user. NOTE: SOL can be enabled or disabled for each individual user. At the command prompt, type the following command and press : racadm config -g cfgUserAdmin -o cfgUserAdminSolEnable -i 2 where is the user’s unique ID. 4 Configure IPMI Serial. a Change the IPMI serial connection mode to the appropriate setting.
d Set the IPMI serial channel minimum privilege level.
Using the IPMI Remote Access Serial Interface In the IPMI serial interface, the following modes are available: • IPMI terminal mode — Supports ASCII commands that are submitted from a serial terminal. The command set has a limited number of commands (including power control) and supports raw IPMI commands that are entered as hexadecimal ASCII characters.
14 Configuring and Using Virtual Media Overview The Virtual Media feature, accessed through the Virtual Console viewer, provides the managed server access to media connected to a remote system on the network. Figure 14-1 shows the overall architecture of Virtual Media. Figure 14-1.
Using Virtual Media, administrators can remotely boot their managed servers, install applications, update drivers, or even install new operating systems remotely from the virtual CD/DVD and diskette drives. NOTE: Virtual media requires a minimum available network bandwidth of 128 Kbps. Virtual media defines two devices for the managed server’s operating system and BIOS: a floppy disk device and an optical disk device. The management station provides the physical media or image file across the network.
Linux-Based Management Station To run the Virtual Media feature on a management station running the Linux operating system, install a supported version of Firefox. A 32-bit Java Runtime Environment (JRE) is required to run the Virtual Console plugin. You can download a JRE from java.sun.com. CAUTION: To successfully launch Virtual Media, ensure that you have installed a 32-bit or 64-bit JRE version on a 64-bit operating system or a 32-bit JRE version on a 32-bit operating system.
Table 14-2. Virtual Media Configuration Properties (continued) Attribute Value Virtual Media Encryption Enabled Select or deselect the checkbox to enable or disable encryption on Virtual Media connections. Selected enables encryption; deselected disables encryption. Floppy Emulation Indicates whether the Virtual Media appears as a floppy drive or as a USB key to the server. If Floppy Emulation is checked, the Virtual Media device appears as a floppy device on the server.
Running Virtual Media CAUTION: Do not issue a racreset command when running a Virtual Media session. Otherwise, undesirable results may occur, including loss of data. NOTE: The Console Viewer window application must remain active while you access the Virtual Media.
3 Select System → Console/Media → Virtual Console and Virtual Media. 4 The Virtual Console and Virtual Media page is displayed. If you want to change the values of any of the displayed attributes, see "Configuring Virtual Media" on page 255. NOTE: The Floppy Image File under Floppy Drive (if applicable) may appear, as this device can be virtualized as a virtual floppy. You can select one optical drive and one floppy/USB flash drive at the same time to be virtualized.
Disconnecting Virtual Media 1 Click Tools → Launch Virtual Media. 2 Clear the box next to the media you want to disconnect. The media is disconnected and the Status window is updated. 3 Click Exit to terminate the Virtual Media Session wizard. NOTE: Whenever a Virtual Media session is initiated or a vFlash is connected, an extra drive named "LCDRIVE" is displayed on the host operating system and the BIOS. The extra drive disappears when the vFlash or the Virtual Media session is disconnected.
Installing Operating Systems Using Virtual Media This section describes a manual, interactive method to install the operating system on your management station that may take several hours to complete. A scripted operating system installation procedure using Virtual Media may take less than 15 minutes to complete. See "Deploying the Operating System" on page 239 for more information. 1 Verify the following: • The operating system installation CD is inserted in the management station’s CD drive.
To use the Boot Once Feature, do the following: 1 Log in to the iDRAC6 through the Web interface and click System → Console/Media → Configuration. 2 Select the Enable Boot Once option under Virtual Media. 3 Power up the server and enter the BIOS Boot Manager. 4 Change the boot sequence to boot from the remote Virtual Media device. 5 Power cycle the server. The server boots from the remote Virtual Media device. The next time the server reboots, the remote Virtual Media connection is detached.
Frequently Asked Questions about Virtual Media Table 14-3 lists frequently asked questions and answers.
Table 14-3. Using Virtual Media: Frequently Asked Questions
Question: Sometimes, I notice my Virtual Media client connection drop. Why?
Answer: When a network timeout occurs, the iDRAC6 firmware drops the connection, disconnecting the link between the server and the Virtual Drive.
Question: An installation of the Windows operating system through Virtual Media seems to take too long. Why?
Answer: If you are installing the Windows operating system using the Dell Systems Management Tools and Documentation DVD and a slow network connection, the installation procedure may require an extended amount of time to access the iDRAC6 Web interface due to network latency.
Question: I cannot locate my Virtual Floppy/Virtual CD device on a system running Red Hat Enterprise Linux or the SUSE Linux operating system. My Virtual Media is attached and I am connected to my remote floppy. What should I do?
Answer: Some Linux versions do not automount the Virtual Floppy Drive and the Virtual CD drive in a similar manner. To mount the Virtual CD drive, locate the device node that Linux assigns to the Virtual CD drive.
Question: Why are all my USB devices detached after I connect a USB device?
Answer: Virtual Media devices and vFlash devices are connected as a composite USB device to the Host USB BUS, and they share a common USB port.
15 Configuring vFlash SD Card and Managing vFlash Partitions The vFlash SD card is a Secure Digital (SD) card that plugs into the optional iDRAC6 Enterprise card slot at the back of your system. It provides storage space and behaves like a common USB Flash Key device. It is the storage location for user-defined partition(s) that can be configured to be exposed to the system as a USB device and also used to create a bootable USB device.
A standard SD card can be of any size but supports only one partition. The size of the partition is limited to 256MB. The label name for the partition is VFLASH by default. NOTE: Ensure that you only insert a vFlash SD card or standard SD card in the iDRAC6 Enterprise card slot. If you insert a card in any other format (example, MultiMedia Card (MMC)), the following error message is displayed when you initialize the card: An error has occurred while initializing SD card.
Table 15-1 lists the properties displayed for the SD card. Table 15-1. SD Card Properties Attribute Description Name Displays the name of the card inserted into the server's iDRAC6 Enterprise card slot. If the card supports the new enhanced vFlash features, it displays vFlash SD Card. If it supports limited vFlash features, it displays SD Card. Size Displays the size of the card in gigabytes (GB). Available Space Displays the unused space on the vFlash SD card in MB.
5 Click Initialize. All existing partitions are removed and the card is reset. A confirmation message is displayed. 6 Click OK. After the initialize operation is complete, a success message is displayed. NOTE: Initialize is enabled only if you select the vFlash Enabled option. If any vFlash partition is attached, the initialize operation fails and an error message is displayed.
Enabling or Disabling the vFlash or Standard SD Card Open a telnet/SSH/Serial console to the server, log in, and enter the following commands: • To enable vFlash or standard SD card: racadm config -g cfgvFlashsd -o cfgvflashSDEnable 1 • To disable vFlash or standard SD card: racadm config -g cfgvFlashsd -o cfgvflashSDEnable 0 NOTE: The RACADM command functions only if a vFlash or standard SD card is present. If a card is not present, the following message is displayed: ERROR: SD Card not present.
Resetting the vFlash or Standard SD Card Open a telnet/SSH/Serial console to the server, log in, and enter: racadm vflashsd initialize For more information about vflashsd, see the RACADM Command Line Reference Guide for iDRAC6 and CMC available on the Dell Support website at dell.com/support/manuals. NOTE: The racadm vmkey reset command is deprecated from 1.5 release onwards. The functionality of this command is now covered by vflashsd initialize.
Before creating an empty partition, ensure the following: • The card is initialized. • The card is not write-protected. • An initialize operation is not already being performed on the card. To create an empty vFlash partition: 1 On the iDRAC6 Web interface, select System → vFlash tab → Create Empty Partition subtab. The Create Empty Partition page is displayed. 2 Enter the information mentioned in Table 15-2. 3 Click Apply. A new partition is created.
Table 15-2. Create Empty Partition Page Options (continued) Field Description Emulation Type Select the emulation type for the partition from the dropdown list. The available options are Floppy and Hard Disk. Size Enter the partition size in megabytes (MB). The maximum partition size is 4GB, or less than or equal to the available space on the vFlash SD card. NOTE: For the standard SD card, the partition size is 256MB and cannot be changed.
Before creating a partition from an image file, ensure the following: • The card is initialized. • The card is not write-protected. • An initialize operation is not already being performed on the card. NOTE: When creating partition from an image file, ensure that the image type and the emulation type match. iDRAC emulates the image as the image type specified. There may be issues when the uploaded image and the emulation type do not match.
Table 15-3. Create Partition from Image File Page Options Field Description Index Select a partition index. Only unused indices are displayed in the drop-down list. The lowest available index is selected by default. You can change it to any other index value from the drop-down list. NOTE: For the standard SD card, only index 1 is available. Label Enter a unique label for the new partition. This can contain up to six alphanumeric characters. Do not include spaces in the label name.
To format a vFlash partition: 1 On the iDRAC6 Web interface, select System → vFlash tab → Format subtab. The Format Partition page is displayed. 2 Enter the information mentioned in Table 15-4. 3 Click Apply. A warning message indicating that all the data on the partition will be erased is displayed. Click OK. The selected partition is formatted to the specified file system type. An error message is displayed if: • The card is write-protected. • An initialize operation is already being performed on the card.
2 For each partition, you can view the information mentioned in Table 15-5. Table 15-5. Viewing Available Partitions Field Description Index Partitions are indexed from 1 to 16. The partition index is unique for a particular partition. It is specified when the partition is created. Label Identifies the partition. It is specified when the partition is created. Size Size of the partition in megabytes (MB). Read-Only Read-write access state of the partition. • Checked = Read-only partition.
Modifying a Partition Ensure that the card is enabled to modify the partition. You can change a read-only partition to read-write or vice-versa. To do this: 1 On the iDRAC6 Web interface, select System → vFlash tab → Manage subtab. The Manage Partitions page is displayed. 2 In the Read-Only column, select the checkbox for the partition(s) that you want to change to read-only or clear the checkbox for the partition(s) that you want to change to read-write.
To attach or detach partitions: 1 On the iDRAC6 Web interface, select System → vFlash tab → Manage subtab. The Manage Partitions page is displayed. 2 In the Attached column, select the checkbox for the partition(s) that you want to attach or clear the checkbox for the partition(s) that you want to detach. NOTE: The detached partitions are not displayed in the boot sequence. 3 Click Apply. The partitions are attached or detached based on the selections.
To delete existing partition(s): 1 On the iDRAC6 Web interface, select System → vFlash tab → Manage subtab. The Manage Partitions page is displayed. 2 In the Delete column, click the delete icon for the partition(s) that you want to delete and click Apply. The partition(s) are deleted. Downloading Partition Contents You can download the contents of a vFlash partition to a local or remote location as an image file in the .img or .iso format.
Booting to a Partition You can set an attached vFlash partition as the boot device for the next boot operation. The vFlash partition must contain a bootable image (in the .img or .iso format) to set it as a boot device. Ensure that the card is enabled to set a partition as a boot device and to perform the boot operation. NOTE: You must have Access Virtual Media privileges to set a partition as the boot device. You can perform the boot operation for the vFlash or standard SD card.
Options only valid with the create action: -o
Creating a Partition
• To create a 20MB empty partition:
  racadm vflashpartition create -i 1 -o drive1 -t empty -e HDD -f fat16 -s 20
• To create a partition using an image file on a remote system:
  racadm vflashpartition create -i 1 -o drive1 -e HDD -t image -l //myserver/sharedfolder/foo.iso -u root -p mypassword
NOTE: This command is case sensitive for the image file name extension. If the file name extension is in upper case, for example FOO.ISO instead of FOO.
Booting to a Partition
• To list the available devices in the boot list:
  racadm getconfig -g cfgServerInfo -o cfgServerFirstBootDevice
If it is a vFlash SD card, the label names of the attached partitions appear in the boot list. If it is a standard SD card and the partition is attached, VFLASH appears in the boot list.
Modifying a Partition
• To change a read-only partition to read-write:
  racadm config -g cfgvflashpartition -i 1 -o cfgvflashPartitionAccessType 1
• To change a read-write partition to read-only:
  racadm config -g cfgvflashpartition -i 1 -o cfgvflashPartitionAccessType 0
For more information about the RACADM subcommands and the iDRAC6 property database group and object definitions, see the RACADM Command Line Reference Guide for iDRAC6 and CMC available on the Dell Support website at dell.
16 Power Monitoring and Management Dell PowerEdge systems incorporate many new and enhanced power management features. The entire platform, from hardware to firmware to systems management software, has been designed with a focus on power efficiency, power monitoring, and power management. The base hardware design has been optimized from a power perspective: • High efficiency power supplies and voltage regulators have been incorporated into the design.
Power Inventory, Power Budgeting, and Capping From a usage perspective, you may have a limited amount of cooling at the rack level. With a user-defined power cap, you can allocate power as needed to meet your performance requirements. The iDRAC6 monitors power consumption and dynamically throttles processors to meet your defined power cap level, which maximizes performance while meeting your power requirements. Power Monitoring The iDRAC6 monitors the power consumption in PowerEdge servers continuously.
Viewing the Health Status of the Power Supply Units The Power Supplies page displays the status and rating of the power supply units installed in the server. Using the Web-Based Interface To view the health status of the power supply units: 1 Log in to the iDRAC6 Web-based interface. 2 Select Power Supplies in the system tree.
• Severe indicates at least one failure alert has been issued. Failure status indicates a power failure on the server, and corrective action must be taken immediately. – Location displays the name of the power supply unit: PS-n, where n is the power supply number. – Type displays the type of power supply, such as AC or DC (AC-to-DC or DC-to-DC voltage conversion).
Viewing Power Budget The server provides power budget status overviews of the power subsystem on the Power Budget Information page. Using the Web Interface NOTE: To perform power management actions, you must have Administrative privilege. 1 Log in to the iDRAC6 Web-based interface. 2 Click the Power tab. 3 Select the Power Budget option. 4 The Power Budget Information page displays.
Power Budget Threshold Power Budget Threshold, if enabled, allows a power capping limit to be set for the system. System performance will be dynamically adjusted to maintain power consumption near the specified threshold. Actual power consumption may be less for light workloads and may momentarily exceed the threshold until performance adjustments have completed. If you check Enabled for the Power budget Threshold, the system will enforce the user-specified threshold.
Using RACADM racadm config -g cfgServerPower -o cfgServerPowerCapWatts racadm config -g cfgServerPower -o cfgServerPowerCapBTUhr racadm config -g cfgServerPower -o cfgServerPowerCapPercent racadm config -g cfgServerPower -o cfgServerPowerCapEnable <1 to enable, 0 to disable> NOTE: When setting the power budget threshold in BTU/hr, the conversion to Watts is rounded to the nearest integer.
• Warning Threshold: Displays the acceptable power consumption (in Watts and BTU/hr) recommended for system operation. Power consumption that exceeds this value results in warning events. • Failure Threshold: Displays the highest acceptable power consumption (in Watts and BTU/hr) required for system operation. Power consumption that exceeds this value results in critical/failure events.
• Measurement Finish Time displays the current date and time when the system energy consumption was calculated for display. Peak Time displays the time when the peaks occurred. NOTE: Power Tracking Statistics are maintained across system resets and so reflect all activity in the interval between the stated Start and Finish times. The Reset button will reset the respective field back to zero.
Show Graph Click Show Graph to display graphs showing the iDRAC6 Power and Current Consumption in Watts and Amperes, respectively, over the last hour. The user has the option to view these statistics up to a week before, using the drop-down menu provided above the graphs. NOTE: Each data point plotted on the graphs represents the average of readings over a 5 minute period. As a result, the graphs may not reflect brief fluctuations in power or current consumption.
– Power Off System turns OFF the server’s power. This option is disabled if the system is already powered OFF. – NMI (Non-Masking Interrupt) generates an NMI to halt system operation. – Graceful Shutdown shuts down the system. NOTE: Ensure that the shutdown option is configured for the operating system before you perform a graceful shutdown using this option. If you use this option without configuring it on the operating system, it reboots the managed system instead of performing a shutdown operation.
17 Using the iDRAC6 Configuration Utility Overview The iDRAC6 Configuration Utility is a pre-boot configuration environment that allows you to view and set parameters for the iDRAC6 and for the managed server.
Starting the iDRAC6 Configuration Utility 1 Turn on or restart the server by pressing the power button on the front of the server. 2 When you see the Press for Remote Access Setup within 5 sec..... message, immediately press . NOTE: If your operating system begins to load before you press , allow the system to finish booting, then restart your server and try again. The iDRAC6 Configuration Utility window is displayed.
The following sections describe the iDRAC6 Configuration Utility menu items. iDRAC6 LAN Use , , and the spacebar to select between On and Off. The iDRAC6 LAN is enabled in the default configuration. The LAN must be enabled to permit the use of iDRAC6 facilities, such as the Web-based interface, Telnet/SSH, Virtual Console, and Virtual Media. If you choose to disable the LAN the following warning is displayed: iDRAC6 Out-of-Band interface will be disabled if the LAN Channel is OFF.
LAN Parameters Press to display the LAN Parameters submenu. When you have finished configuring the LAN parameters, press to return to the previous menu. Table 17-1. LAN Parameters Item Description Common Settings NIC Selection Press , , and spacebar to switch between the modes. The available modes are Dedicated, Shared, Shared with Failover LOM2, and Shared with Failover All LOMs.
Table 17-1. LAN Parameters (continued) Item Description Domain Name If Domain Name from DHCP is set to Off, press to edit the Current Domain Name text field. Press when you have finished editing. Press to return to the previous menu. The domain name must be a valid DNS domain, for example mycompany.com. Host Name String Press to edit. Enter the name of the host for Platform Event Trap (PET) alerts. LAN Alert Enabled Select On to enable the PET LAN alert.
Table 17-1. LAN Parameters (continued) Item Description Default Gateway If the IP Address Source is set to DHCP, this field displays the IP address of the default gateway obtained from DHCP. If the IP Address Source is set to Static, enter the IP address of the default gateway. The default is 192.168.0.1. DNS Servers from DHCP Select On to retrieve DNS server addresses from a DHCP service on the network. Select Off to specify the DNS server addresses below.
Table 17-1. LAN Parameters (continued) Item Description DNS Servers from DHCP Select On to retrieve DNS server addresses from a DHCP service on the network. Select Off to specify the DNS server addresses below. DNS Server 1 If DNS Servers from DHCP is Off, enter the IP address of the first DNS server. DNS Server 2 If DNS Servers from DHCP is Off, enter the IP address of the first DNS server.
vFlash Press to select Enabled or Disabled. • Enabled - vFlash is available for partition management. • Disabled - vFlash is not available for partition management. CAUTION: vFlash cannot be disabled if one or more partitions are in use or attached. Initialize vFlash Choose this option to initialize the vFlash card. The initialize operation erases existing data on the SD card and all existing partitions are removed.
• Write Protected - Displays whether the vFlash SD card is write-protected or not. • Health - Displays the overall health of the vFlash SD card. This can be: – OK – Warning – Critical Press to exit. Smart Card Logon Press to select Enabled or Disabled. This option configures the Smart Card Logon feature. The available options are Enabled, Disabled, and Enabled with RACADM.
Collect System Inventory on Restart Select Enabled to allow the collection of inventory during boot. See the Dell Lifecycle Controller User Guide available on the Dell Support Website at dell.com/support/manuals for more information. NOTE: Modifying this option restarts the server after you have saved your settings and exited from the iDRAC6 Configuration Utility. NOTE: If you choose to restore to factory defaults, the setting for Collect System Inventory on Restart does not change.
LCD Remote Virtual Console Indication Select Enabled to display the text Virtual Console whenever a Virtual Console is active on the unit. LCD Front Panel Access Press , , and spacebar to switch between the options: Disabled, View And Modify, and View Only. This setting defines the user access level for the LCD. LAN User Configuration The LAN user is the iDRAC6 administrator account, which is root by default. Press to display the LAN User Configuration submenu.
Table 17-3. LAN User Configuration Item Description Auto-Discovery The auto-discovery feature enables automated discovery of unprovisioned systems on the network; further, it securely establishes initial credentials so that these discovered systems can be managed. This feature enables iDRAC6 to locate the provisioning server. iDRAC6 and provisioning service server mutually authenticate each other.
Table 17-3. LAN User Configuration (continued) Item Description Auto–Discovery (continued...) Before adding your Dell system to the network and using the auto–discovery feature, ensure that: • Dynamic Host Configuration Protocol (DHCP) server/Domain Name System (DNS) are configured. • Provisioning Web services is installed, configured, and registered. Provisioning Server This field is used to configure the provisioning server.
System Event Log Menu The System Event Log Menu allows you to view System Event Log (SEL) messages and to clear the log messages. Press to display the System Event Log Menu. The system counts the log entries and then displays the total number of records and the most recent message. The SEL retains a maximum of 512 messages. To view SEL messages, select View System Event Log and press .
18 Monitoring and Alert Management This section explains how to monitor the iDRAC6 and provides procedures to configure your system and the iDRAC6 to receive alerts. Configuring the Managed System to Capture the Last Crash Screen Before the iDRAC6 can capture the last crash screen, you must configure the managed system with the following prerequisites. 1 Install the managed system software. For more information about installing the managed system software, see the Server Administrator User's Guide.
Disabling the Windows Automatic Reboot Option To ensure that the iDRAC6 Web-based interface last crash screen feature works properly, disable the Automatic Reboot option on managed systems running the Microsoft Windows Server 2008 and Windows Server 2003 operating systems. Disabling the Automatic Reboot Option in Windows 2008 Server 1 Open the Windows Control Panel and double-click the System icon. 2 Click Advanced System Settings under Tasks on the left. 3 Click the Advanced tab.
5 Temperature Warning Assert Filter
6 Temperature Critical Assert Filter
7 Intrusion Critical Assert Filter
8 Redundancy Degraded Filter
9 Redundancy Lost Filter
10 Processor Warning Assert Filter
11 Processor Critical Assert Filter
12 Processor Absent Critical Assert Filter
13 Power Supply Warning Assert Filter
14 Power Supply Critical Assert Filter
15 Power Supply Absent Critical Assert Filter
16 Event Log Critical Assert Filter
17 Watchdog Critical Assert Filter
18 System Power Warning Assert Filter
19 S
Configuring PEF Using the Web-Based Interface For detailed information, see "Configuring Platform Event Filters (PEF)" on page 57. Configuring PEF Using the RACADM CLI 1 Enable PEF. Open a command prompt, type the following command, and press : racadm config -g cfgIpmiPef -o cfgIpmiPefEnable -i 1 1 where 1 and 1 are the PEF index and the enable/disable selection, respectively. The PEF index can be a value from 1 through 22. The enable/disable selection can be set to 1 (Enabled) or 0 (Disabled).
Configuring PET Configuring PET Using the Web User Interface For detailed information, see "Configuring Platform Event Traps (PET)" on page 58. Configuring PET Using the RACADM CLI 1 Enable your global alerts. Open a command prompt, type the following command, and press : racadm config -g cfgIpmiLan -o cfgIpmiLanAlertEnable 1 2 Enable PET.
3 Configure your PET policy. At the command prompt, type the following command and press Enter:

IPv4: racadm config -g cfgIpmiPet -o cfgIpmiPetAlertDestIPAddr -i 1
IPv6: racadm config -g cfgIpmiPetIpv6 -o cfgIpmiPetIPv6AlertDestIPAddr -i 1

where 1 is the PET destination index and and are the destination IP addresses of the system that receives the platform event alerts.

4 Configure the Community Name string.
where 1 and 1 are the e-mail destination index and the enable/disable selection, respectively. The e-mail destination index can be a value from 1 through 4. The enable/disable selection can be set to 1 (Enabled) or 0 (Disabled). For example, to enable e-mail with index 4, type the following command:

racadm config -g cfgEmailAlert -o cfgEmailAlertEnable -i 4 1

3 Configure your e-mail settings.
Testing the RAC SNMP Trap Alert Feature

The RAC SNMP trap alerting feature allows SNMP trap listener configurations to receive traps for system events that occur on the managed system. The following example shows how a user can test the SNMP trap alert feature of the RAC.

racadm testtrap -i 2

Before you test the RAC SNMP trap alerting feature, ensure that the SNMP and trap settings are configured correctly.
To access/configure the iDRAC6 SNMP agent community name using the Web-based interface, go to iDRAC Settings→Network/Security→Services and click SNMP Agent. To prevent SNMP authentication errors from being generated, you must enter community names that will be accepted by the agent. Since the iDRAC6 only allows one community name, you must use the same get and set community name for IT Assistant discovery setup.
19 Recovering and Troubleshooting the Managed System

This section explains how to perform tasks related to recovering and troubleshooting a crashed remote system using the iDRAC6 Web-based interface.

• "First Steps to Troubleshoot a Remote System" on page 323.
• "Managing Power on a Remote System" on page 324.
• "Using the POST Boot Logs" on page 334.
• "Viewing the Last System Crash Screen" on page 335.
Managing Power on a Remote System The iDRAC6 enables you to remotely perform several power management actions on the managed system so you can recover after a system crash or other system event. Selecting Power Control Actions from the iDRAC6 Web-Based Interface To perform power management actions using the Web-based interface, see "Executing Power Control Operations on the Server" on page 296.
The System Details page displays information about the following system components:

• Main System Chassis
• Remote Access Controller

To access the System Details page, expand the System tree and click the Properties→System Details tab.

Main System Chassis

NOTE: To receive Host Name and OS Name information, you must have iDRAC6 services installed on the managed system.

Table 19-1. System Information
Field | Description
Description | System description.
BIOS Version | System BIOS version.
Table 19-2. Auto Recovery (continued) Field Description Present Countdown The current value, in seconds, of the countdown timer. Table 19-3. Embedded NIC MAC Addresses Field Description Virtual MAC Displays Virtual Media Access Control (MAC) addresses. Virtual MAC data is obtained from hardware inventory, hence the hardware Inventory needs to be collected once before viewing the vMAC data. Click System Inventory. The Inventory data is updated and displayed on the System Inventory page.
Click System Details again. The Virtual MACs for each of the Embedded LAN Ports are now displayed on the System Details page.
Table 19-4. RAC Information (continued) Field Description MAC Address The Media Access Control (MAC) address that uniquely identifies each node in a network Table 19-5. IPv4 Information Field Description IPv4 Enabled Yes or No IP Address The 32-bit address that identifies the Network Interface Card (NIC) to a host. The value is in the dot separated format, such as 143.166.154.127.
Table 19-6. IPv6 Information Fields (continued) Field Description IP Address 2...15 Specifies the additional IPv6 addresses for the iDRAC6 NIC, if available. AutoConfig Enabled Yes or No. AutoConfig lets the Server Administrator obtain the IPv6 address for the iDRAC NIC from the Dynamic Host Configuration Protocol (DHCPv6) server. Use DHCPv6 to obtain DNS server Addresses Yes or No. Indicates if you want to use DHCPv6 to obtain DNS server addresses.
NOTE: If CSIOR (Collect System Inventory on Reboot) is not enabled, it takes some time to collect the data, so it is recommended to run the CSIOR first and collect the system inventory on reboot, and then click the System Inventory tab. After hardware is added to or removed from the system, the System Inventory page may not reflect the changes automatically. This is because inventory data collected during the manufacturing process may not be updated with the new changes.
Using the System Event Log (SEL)

The SEL page displays system-critical events that occur on the managed system. To view the System Event Log:

1 In the System tree, click System.
2 Click the Logs tab and then click System Event Log. The System Event Log page displays the event severity and provides other information as shown in Table 19-7.
3 Click the appropriate System Event Log page button to continue. For more information see the iDRAC6 Online Help.
4 Click Clear Log to clear the SEL.
Enabling/Disabling OEM Event Logs

The OEM event logs are displayed on the System Event Log page automatically. The Advanced Settings button on the System→Logs tab allows you to enable or disable the display of OEM event messages from the managed system on the System Event Log page. To prevent the OEM Event Logs from appearing on the System Event Log page, select the OEM SEL Event Filter Enabled option.

NOTE: The OEM SEL Event Filter Enabled option is not selected by default.
The Work Notes page enables you to enter work notes and provides other information as shown in Table 19-8. To enter the work notes:

1 In the Work Notes page, under the Add Work Notes section, enter the work note in the field displayed.
NOTE: A maximum of 50 alphanumeric characters is supported for the work note.
2 Click Save. The new work note is displayed in the work notes table below the Add Work Notes section.

Table 19-8.
Using the POST Boot Logs NOTE: All logs are cleared after you reboot the iDRAC6. The Boot Capture page provides access to recordings of up to the last three available boot cycles. They are arranged in the order of latest to oldest. If the server has experienced no boot cycles then No Recording Available is displayed. Click Play after selecting an available boot cycle to display it in a new window. NOTE: Viewing Boot Capture is supported only on Java and not Active-X.
The iDRAC6 Express Card is bonded to iDRAC6 when you enter the Unified Server Configurator (USC) application by pressing F10 during boot. If bonding is successful, the following message is logged in the SEL and LCD: iDRAC6 Upgrade Successful. If bonding fails, the following message is logged in the SEL and LCD: iDRAC6 Upgrade Failed.
20 Recovering and Troubleshooting the iDRAC6

This section explains how to perform tasks related to recovering and troubleshooting a crashed iDRAC6. You can use one of the following tools to troubleshoot your iDRAC6:

• RAC Log
• Diagnostics Console
• Identify Server
• Trace Log
• racdump
• coredump

Using the RAC Log

The RAC Log is a persistent log maintained in the iDRAC6 firmware.
The iDRAC Log page displays the information listed in Table 20-1.

Table 20-1. iDRAC Log Page Information
Field | Description
Date/Time | The date and time (for example, Dec 19 16:55:47). When the iDRAC6 initially starts and is unable to communicate with the managed system, the time will be displayed as System Boot.
Source | The interface that caused the event.
Description | A brief description of the event and the user name that logged into the iDRAC6.
To access the Diagnostics Console page:

1 In the System tree, click iDRAC Settings→Troubleshooting tab→Diagnostics Console.
2 Type a command and click Submit. Table 20-2 describes the commands that can be used. The debugging results appear in the Diagnostics Console page.
3 To refresh the Diagnostics Console page, click Refresh. To execute another command, click Go Back to the Diagnostics Page.

Table 20-2.
Using Identify Server

The Identify page allows you to enable the system identification feature. To identify the server:

1 Click System→iDRAC Settings→Troubleshooting→Identify.
2 On the Identify screen, select the Identify Server checkbox to enable blinking of the LCD and the rear identify server LED.
3 The Identify Server Timeout field displays the number of seconds the LCD blinks. Enter the amount of time (in seconds) that you want the LCD to blink. Timeout range is 1 to 255 seconds.
The Trace Log tracks the following information: • DHCP — Traces packets sent to and received from a DHCP server. • IP — Traces IP packets sent and received. The trace log may also contain iDRAC6 firmware-specific error codes that are related to the internal iDRAC6 firmware, not the managed system’s operating system. NOTE: The iDRAC6 will not echo an ICMP (ping) with a packet size larger than 1500 bytes.
21 Sensors

Hardware sensors or probes help you to monitor the systems on your network in a more efficient way by enabling you to take appropriate actions to prevent disasters, such as system instability or damage. You can use the iDRAC6 to monitor hardware sensors for batteries, fan probes, chassis intrusion, power supplies, power consumed, temperature, and voltages.

Battery Probes

The Battery probes provide information about the system board CMOS and storage RAM on motherboard (ROMB) batteries.
Power Supplies Probes

The power supplies probes provide information on:

• Status of the power supplies
• Power supply redundancy, that is, the ability of the redundant power supply to replace the primary power supply if the primary power supply fails.

NOTE: If there is only one power supply in the system, the Power Supply Redundancy will be set to Disabled.

Removable Flash Media Probes

The Removable Flash Media sensor provides information about the vFlash SD card status (active or absent).
Voltage Probes

The following are typical voltage probes. Your system may have these and/or others present.

• CPU [n] VCORE
• System Board 0.9V PG
• System Board 1.5V ESB2 PG
• System Board 1.5V PG
• System Board 1.8V PG
• System Board 3.3V PG
• System Board 5V PG
• System Board Backplane PG
• System Board CPU VTT
• System Board Linear PG

The voltage probes indicate whether the status of the probes is within the pre-set warning and critical threshold values.
22 Configuring Security Features The iDRAC6 provides the following security features: • Advanced Security options for the iDRAC6 administrator: • The Virtual Console disable option allows the local system user to disable Virtual Console using the iDRAC6 Virtual Console feature.
Security Options for the iDRAC6 Administrator

Disabling the iDRAC6 Local Configuration

Administrators can disable local configuration through the iDRAC6 graphical user interface (GUI) by selecting iDRAC Settings→Network/Security→Services. When the Disable the iDRAC Local Configuration using option ROM check box is selected, the iDRAC6 Configuration Utility—accessed by pressing during system boot—operates in read-only mode, preventing local users from configuring the device.
Disabling Local Configuration From Local RACADM

This feature disables the ability of the managed system’s user to configure the iDRAC6 using the local RACADM or the Dell OpenManage Server Administrator utilities.

racadm config -g cfgRacTuning -o cfgRacTuneLocalConfigDisable 1

CAUTION: These features severely limit the ability of the local user to configure the iDRAC6 from the local system, including performing a reset to default of the configuration.
administrators have disabled all local iDRAC6 users and allow only Microsoft Active Directory directory service users to log in to the iDRAC6, and the Active Directory authentication infrastructure subsequently fails, the administrators may be unable to log in.
Several situations might call for disabling iDRAC6 Virtual Console. For example, administrators may not want a remote iDRAC6 user to view the BIOS settings that they configure on a system, in which case they can disable Virtual Console during the system POST by using the LocalConRedirDisable command.
An SSL-enabled system: • Authenticates itself to an SSL-enabled client • Allows the client to authenticate itself to the server • Allows both systems to establish an encrypted connection This encryption process provides a high level of data protection. The iDRAC6 employs the 128-bit SSL encryption standard, the most secure form of encryption generally available for Internet browsers in North America. The iDRAC6 Web server includes a Dell self-signed SSL digital certificate (Server ID).
Accessing the SSL Main Menu 1 Expand the System tree and click iDRAC Settings. 2 Click the Network/Security tab and then click SSL. Use the SSL Main Menu (see Table 22-1) to generate a CSR, upload an existing server certificate, or view an existing server certificate. The CSR information is stored on the iDRAC6 firmware. For information on the buttons available on the SSL page, see the iDRAC6 Online Help. Table 22-1.
3 Click Generate to open or save the CSR. 4 Click the appropriate Generate Certificate Signing Request (CSR) page button to continue. For more information on the buttons available on the Generate Certificate Signing Request (CSR) page see the iDRAC6 Online Help. Table 22-2. Generate Certificate Signing Request (CSR) Page Options Field Description Common Name The exact name being certified (usually the Web server's domain name, for example, xyzcompany.com).
Viewing a Server Certificate 1 In the SSL Main Menu page, select View Server Certificate and click Next. Table 22-3 describes the fields and associated descriptions listed in the Certificate window. 2 Click the appropriate View Server Certificate page button to continue. Table 22-3.
• SNMP agent (Table 22-9) • Automated System Recovery Agent (Table 22-10) Use the Automated Systems Recovery Agent to enable the Last Crash Screen functionality of the iDRAC6. NOTE: Server Administrator must be installed with its Auto Recovery feature activated by setting the Action to either: Reboot System, Power Off System, or Power Cycle System, for the Last Crash Screen to function in the iDRAC6. 4 Click Apply Changes to apply the Services page settings. Table 22-4.
Table 22-5. Web Server Settings (continued)
Setting | Description
HTTP Port Number | The port used by the iDRAC that listens for a server connection. The default setting is 80.
HTTPS Port Number | The port used by the iDRAC that listens for a server connection. The default setting is 443.

Table 22-6. SSH Settings
Setting | Description
Enabled | Enables or disables SSH. When selected, SSH is enabled.
Timeout | The secure shell idle timeout, in seconds. The Timeout range is 60 to 1920 seconds.
Table 22-9. SNMP Agent Settings Setting Description Enabled Enables or disables the SNMP agent. Checked=Enabled; Unchecked=Disabled. Community Name Define the SNMP community string to be used. The Community Name can be up to 31 non-blank characters in length. The default setting is public. Table 22-10. Automated System Recovery Agent Setting Setting Description Enabled Enables the Automated System Recovery Agent.
IP Filtering (IpRange) IP address filtering (or IP Range Checking) allows iDRAC6 access only from clients or management workstations whose IP addresses are within a user-specific range. All other logins are denied.
Table 22-11. IP Address Filtering (IpRange) Properties (continued) Property Description cfgRacTuneIpRangeMask Defines the significant bit positions in the IP address. The subnet mask should be in the form of a netmask, where the more significant bits are all 1’s with a single transition to all zeros in the lower-order bits. Enabling IP Filtering See the following example command for IP filtering setup. See "Using RACADM Remotely" on page 110 for more information about RACADM and RACADM commands.
IP Filtering Guidelines

Use the following guidelines when enabling IP filtering:

• Ensure that cfgRacTuneIpRangeMask is configured in the form of a netmask, where the most significant bits are all 1’s (which defines the subnet in the mask) with a single transition to all 0’s in the lower-order bits.
• Use the range base address you prefer as the value for cfgRacTuneIpRangeAddr. The 32-bit binary value of this address should have zeros in all the low-order bits where there are zeros in the mask.
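The two guidelines above and the AND comparison that IP filtering performs can be checked before a range is committed. The Python below is an added example, not Dell code; the `station` parameter, the sample addresses, and the choice to emit cfgRacTuneIpRangeEnable last are assumptions of this example.

```python
import ipaddress

GROUP = "cfgRacTuning"  # RACADM group that holds the IpRange properties


def _u32(dotted: str) -> int:
    """Parse a dotted-quad IPv4 string into an unsigned 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def is_contiguous_mask(mask: str) -> bool:
    """True when the mask is a run of 1 bits followed only by 0 bits."""
    inverted = ~_u32(mask) & 0xFFFFFFFF
    # A contiguous netmask inverts to 2**k - 1, and only then x & (x + 1) == 0.
    return (inverted & (inverted + 1)) == 0


def check_iprange(addr: str, mask: str) -> list:
    """Return the guideline violations for an address/mask pair (empty = OK)."""
    problems = []
    if not is_contiguous_mask(mask):
        problems.append("mask is not a contiguous netmask")
    if _u32(addr) & ~_u32(mask) & 0xFFFFFFFF:
        problems.append("range address has 1 bits where the mask has 0 bits")
    return problems


def is_allowed(client: str, addr: str, mask: str) -> bool:
    """Documented test: client AND mask must equal range address AND mask."""
    m = _u32(mask)
    return (_u32(client) & m) == (_u32(addr) & m)


def racadm_commands(addr: str, mask: str, station: str) -> list:
    """Build the racadm lines, refusing a range that excludes `station`.

    `station` (hypothetical parameter) is the management workstation that
    must keep access once filtering is active.
    """
    problems = check_iprange(addr, mask)
    if not is_allowed(station, addr, mask):
        problems.append(f"management station {station} is outside the range")
    if problems:
        raise ValueError("; ".join(problems))
    # Enable is emitted last so the filter never runs with a stale range.
    return [
        f"racadm config -g {GROUP} -o cfgRacTuneIpRangeAddr {addr}",
        f"racadm config -g {GROUP} -o cfgRacTuneIpRangeMask {mask}",
        f"racadm config -g {GROUP} -o cfgRacTuneIpRangeEnable 1",
    ]


if __name__ == "__main__":
    # Constructed sample: a four-address block, 192.168.0.212 to 192.168.0.215.
    addr, mask = "192.168.0.212", "255.255.255.252"
    for line in racadm_commands(addr, mask, station="192.168.0.213"):
        print(line)
    for client in ("192.168.0.211", "192.168.0.213", "192.168.0.216"):
        print(client, "allowed" if is_allowed(client, addr, mask) else "denied")
    print(check_iprange("192.168.0.213", "255.0.255.0"))
```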
Table 22-12 lists the user-defined parameters. Table 22-12. Login Retry Restriction Properties Property Definition cfgRacTuneIpBlkEnable Enables the IP blocking feature. When consecutive failures (cfgRacTuneIpBlkFailCount) from a single IP address are encountered within a specific amount of time (cfgRacTuneIpBlkFailWindow), all further attempts to establish a session from that address are rejected for a certain timespan (cfgRacTuneIpBlkPenaltyTime).
The following example prevents more than three failed attempts within one minute, and prevents additional login attempts for an hour.
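As an added illustration (not part of the Dell guide and not the firmware's implementation), this Python model replays constructed login events against the policy just described: three failures, a one-minute window, a one-hour penalty. The sliding window and the reset on a successful login are assumptions of the model.

```python
from collections import defaultdict, deque


class IpBlockModel:
    """Model of the login retry restriction described in Table 22-12."""

    def __init__(self, fail_count=3, fail_window=60, penalty_time=3600):
        self.fail_count = fail_count      # cfgRacTuneIpBlkFailCount
        self.fail_window = fail_window    # cfgRacTuneIpBlkFailWindow (seconds)
        self.penalty_time = penalty_time  # cfgRacTuneIpBlkPenaltyTime (seconds)
        self._failures = defaultdict(deque)  # ip -> recent failure times
        self._blocked_until = {}             # ip -> time the penalty ends

    def attempt(self, ip, t, success):
        """Feed one login at time t; return 'rejected', 'ok' or 'failed'."""
        if t < self._blocked_until.get(ip, 0):
            return "rejected"         # penalty running: credentials not checked
        recent = self._failures[ip]
        if success:
            recent.clear()            # assumption: a success ends the failure run
            return "ok"
        recent.append(t)
        while t - recent[0] > self.fail_window:
            recent.popleft()          # forget failures older than the window
        if len(recent) >= self.fail_count:
            self._blocked_until[ip] = t + self.penalty_time
            recent.clear()
        return "failed"

    def blocked_until(self, ip):
        """Time at which the penalty for ip ends, or None if never blocked."""
        return self._blocked_until.get(ip)


def replay(model, events):
    """Run (ip, time, success) tuples through the model in order."""
    return [(ip, t, model.attempt(ip, t, ok)) for ip, t, ok in events]


def ipblock_commands(model):
    """racadm lines that set the modelled policy (group cfgRacTuning)."""
    base = "racadm config -g cfgRacTuning -o "
    return [
        base + f"cfgRacTuneIpBlkFailCount {model.fail_count}",
        base + f"cfgRacTuneIpBlkFailWindow {model.fail_window}",
        base + f"cfgRacTuneIpBlkPenaltyTime {model.penalty_time}",
        base + "cfgRacTuneIpBlkEnable 1",
    ]


# Constructed events: (source IP, seconds since start, login succeeded?)
EVENTS = [
    ("10.0.0.5", 0, False), ("10.0.0.9", 0, False),
    ("10.0.0.5", 10, False), ("10.0.0.5", 20, False),  # third failure in 60 s
    ("10.0.0.5", 30, True),    # valid credentials, but the address is blocked
    ("10.0.0.9", 50, False), ("10.0.0.9", 120, False),  # spread past the window
    ("10.0.0.5", 3619, True), ("10.0.0.5", 3620, True),  # penalty ends at 3620
]

if __name__ == "__main__":
    for row in replay(IpBlockModel(), EVENTS):
        print(row)
```

Because the block is keyed on the source address, a valid login from a blocked address is rejected too, which matters when several administrators reach the iDRAC6 through one shared address.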
Table 22-13. Network Security Page Settings (continued) Settings Description IP Range Address Determines the acceptable IP address bit pattern, depending on the 1's in the subnet mask. This value is bitwise AND’d with the IP Range Subnet Mask to determine the upper portion of the allowed IP address. Any IP address that contains this bit pattern in its upper bits is allowed to establish an iDRAC6 session. Logins from IP addresses that are outside this range will fail.