HP Integrity Superdome 2 Onboard Administrator Command Line Interface User Guide

Abstract
This document contains specific information that is intended for users of this HP product.

© Copyright 2011 – 2013 Hewlett-Packard Development Company, L.P.

Notices
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Confidential computer software.
1 Accessing the CLI

Remotely accessing the Onboard Administrator

The Onboard Administrator CLI can be accessed remotely through any Telnet or Secure Shell session.

Telnet session
1. From a network-connected client, open a command-line window.
2. At the prompt, open a Telnet session to the IP address of the Onboard Administrator, and then press Enter. For example, telnet 192.168.100.130, where the IP address is the address of your Onboard Administrator.
1. Connect a serial cable between the serial port on the computer and the corresponding serial port on the Onboard Administrator module. The following table is for the DB9 serial (RS232) port and shows the pinout and signals for the RS232 connector. The signal direction is DTE (computer) relative to the DCE (modem).
2 Command line

Command line overview

You can also use the CLI to manage the Onboard Administrator. The following are some reasons to use the CLI:
• HP Management Applications (for example, Systems Insight Manager, Insight Control tools, and so on) can query the Onboard Administrator for information that these tools must present for a complete management view of HP Integrity Superdome 2 enclosures and the devices contained within and connected IOX enclosures.
the Onboard Administrator. You can only change the password for the Administrator account. The following table indicates the capabilities of the user based on their privileges and permitted bays.
Account classification
Capabilities
Account name/privilege level
Bays selected for this account
own account
• Can 'show' CLI commands

Partition management capabilities

User access to commands for managing the partition configuration and the partitions themselves can be controlled through the Parcon_Admin access right and partition access assignments using the ASSIGN PARCON_ADMIN and ASSIGN PARTITION commands. Access to ALL (current and future) or individual partitions by partition ID may be assigned.
LDAP users
• Enabling or disabling LDAP is an optional setting. LDAP can be enabled with local users either enabled or disabled.
• The Onboard Administrator uses the configured LDAP server and search context to request account authentication.
• Configuration of the LDAP group determines the privileges instead of the user name.
• If a user is configured for multiple groups with different privileges and bay permissions, then the user has the highest privileges and the combination of all permitted bays.
3 General commands

CLEAR SCREEN
• Command: CLEAR SCREEN
NOTE: CLS is also a valid command.
• Description: Clears the terminal screen
• Access level: All

EXIT
• Command: EXIT
• Description: Exits the CLI
• Access level: All

HELP
• Command: HELP
• Description: If you supply a command, the usage and help text for the command appears. If no argument is given, all base commands appear.

LOGOUT
• Command: LOGOUT
• Description: Exits the command line interface
• Access level: All

QUIT
• Command: QUIT
• Description: Exits the command line interface
• Access level: All
4 Rack commands

SET RACK NAME
• Command: SET RACK NAME
• Description: Sets the rack name
• Access level/Bay level: OA Administrator, OA Operator
• Restrictions: The must be a maximum of 32 characters long and includes all alphanumeric, the dash, and the underscore characters. UnnamedRack is the default rack name.

• Restrictions: You must be logged on to the monarch OA to perform this command.
• Example: The output for this command will depend on how the enclosures are linked.
SHOW TOPOLOGY
Detecting linked enclosures ..
Complex Topology
Complex UUID: 09USE7332000
Complex Name: ComplexOne
Rack Name: MyRack

Enc# Enclosure Name  Status  Local   IP Address     UUID
---- --------------- ------- ------- -------------- ----------------
1    Enclosure11     OK      Yes     15.255.99.
UPLOAD DEBUG
• Command: UPLOAD DEBUG { | ARCHIVE <"directory"> | USB <"directory"> }
• Description: This command collects relevant system logs and files from the Complex and uploads them to a URL, a USB connected to the enclosure, or Archive Storage.
• Access level/Bay level: Monarch OA
• Restrictions:
◦ If your FTP server does not support anonymous logins, you can specify a username and password within the url formatted as: ftp://username:password@host/path/filename.
5 User account commands

ADD USER
• Command: ADD USER "" [""]
• Description: Adds a user to the system. If you do not provide a password, you are prompted for one. If SCRIPT MODE is enabled and the password is not provided, the password is assigned an unmatched string. This unmatched string requires an enclosure administrator to change the password to enable the new user to access the system.
ASSIGN OA
• Command: ASSIGN OA {"" | LDAP GROUP ""}
• Description: Assigns the Onboard Administrators specified to an existing user or group
• Access level/Bay level: OA Administrator
• Restrictions: The is case-sensitive.

DISABLE USER
• Command: DISABLE USER ""
• Description: Disables a user account. The system immediately logs out the user and prevents the user from logging in until the account is enabled.
ENABLE STRONG PASSWORDS
• Command: ENABLE STRONG PASSWORDS
• Description: When enabled, this command requires that a user's password contain at least one character from three of the four categories:
◦ Uppercase
◦ Lowercase
◦ Numeric
◦ Nonalphanumeric
• Access level/Bay level: OA Administrator
• Restrictions: Only Administrators with Onboard Administrator permission are permitted to manage strong passwords.
REMOVE USER
• Command: REMOVE USER {ALL | "" | CERTIFICATE ""}
• Description: Removes a user from the system or any certificate mapped to the user or both. If you specify ALL, then the command is run for all users except the default system accounts.
• Access level/Bay level: OA Administrator
• Restrictions:
◦ The is case-sensitive.
◦ You cannot remove the Administrator account.
SET SESSION TIMEOUT
IMPORTANT: On Superdome 2 systems, the following long-running commands are not immediately subject to the session timeout defined by the SET SESSION TIMEOUT command:
• SHOW {HR | FPL | LIVELOGS | SEL | SYSLOG | PARTITION CONSOLELOG}
• CONNECT {BLADE | INTERCONNECT | PARTITION }
• CO
• FPL
• SEL
If a user has one of these commands active, their session will not be removed when a session timeout occurs; instead it will be removed once they exit the long-running command and interact
• Access level/Bay level:
◦ All users can modify their own contact information.
◦ The OA Administrator can modify all users.
• Restrictions:
◦ The is case-sensitive. The must be a maximum of 20 characters long and includes all alphanumeric characters, the dash, the underscore, and spaces.
◦ The default contact information is blank.
◦ You must use double quotes if the contact information contains any spaces.

◦ The character set includes all printable characters.
◦ You must specify the password when in SCRIPT MODE.

• Access level/Bay level: All
• Restrictions: The is case-sensitive. Users who do not have OA Administrator or OA Operator access levels can view only their user information.
UNASSIGN OA
• Command: UNASSIGN OA {"" | LDAP GROUP ""}
• Description: Removes the Onboard Administrator from the control of the user to which it is currently assigned
• Access level/Bay level: OA Administrator
• Restrictions: The is case-sensitive.
6 Two-Factor Authentication commands

DISABLE CRL
• Command: DISABLE CRL
• Description: Disables certificate revocation checks
• Access level/Bay level: OA Administrator
• Restrictions: None

DISABLE TWOFACTOR
• Command: DISABLE TWOFACTOR
• Description: Disables Two-Factor Authentication
• Access level/Bay level: OA Administrator
• Restrictions: None

DOWNLOAD CA CERTIFICATE
• Command: DOWNLOAD CA CERTIFICATE ""
• Description: Downloads a CA certificate to act as the trusted certificati
DOWNLOAD USER CERTIFICATE
• Command: DOWNLOAD USER CERTIFICATE ""
• Description:
◦ Downloads an x.509 certificate for the user from . The file at must be a Base64 PEM encoded file.
◦ Downloads a CA certificate used in Two-Factor Authentication.

• Access level/Bay level: All
• Restrictions: None
• Example:
OA-0016355E560A> SHOW CA CERTIFICATE
Details for ca certificate 1
certificateVersion = 3
issuerOrganization = ca.com
issuerOrganizationalUnit = IT Infrastructure
issuerCommonName = Hewlett-Packard Primary Class 2 Certification Authority
subjectOrganization subjectOrganizationalUnit subjectCommonName = hp.
7 Directory commands

ADD LDAP CERTIFICATE
• Command: ADD LDAP CERTIFICATE
• Description: Adds an LDAP certificate on the command line. To add the certificate:
1. Start with a string that does not appear within the certificate (the end marker).
2. Paste the certificate.
3. Terminate the command with the end marker.
• Access level/Bay level: OA Administrator
• Restrictions: The certificate text cannot exceed 3071 characters.
• Access level/Bay level: OA Administrator
• Restrictions: None

ASSIGN OA LDAP GROUP
• Command: ASSIGN OA {"" | LDAP GROUP ""}
• Description: Assigns the specified group access to the Onboard Administrator.
• Access level/Bay level: OA Administrator
• Restrictions: None

DISABLE LDAP
NOTE: If LDAP is enabled, local accounts are disabled, and the LDAP server becomes unavailable, you can recover by booting into Lost Password mode.

ENABLE LDAP
NOTE: If LDAP is enabled, local accounts are disabled, and the LDAP server becomes unavailable, you can recover by booting into Lost Password mode. When booting in Lost Password mode, the local Administrator password will be reset, LDAP is disabled, and Local Logins are re-enabled.
• Command: ENABLE LDAP [NOLOCAL]
• Description: Enables directory authentication. If you use the NOLOCAL option, local users are not enabled.
SET LDAP GROUP ACCESS
• Command: SET LDAP GROUP ACCESS "" {ADMINISTRATOR | OPERATOR | USER}
• Description:
◦ Sets the LDAP group access level.
◦ Additionally, use the ASSIGN OA command to give a user or group rights to the Onboard Administrator.

SET LDAP PORT
• Command: SET LDAP PORT
• Description: Sets the TCP port number of the LDAP SSL service. Port 636 is the standard value.
• Access level/Bay level: OA Administrator
• Restrictions: The valid port number range is 1 to 65535.
• Restrictions: None
• Example:
OA-0016355E560A> SHOW LDAP CERTIFICATE
1 Certificate name: 17D6A5ECBF51A1A47D44C1CDD29D19EE.

• Restrictions: None
• Example:
OA-0018FE27577F> SHOW LDAP INFO
Directory Services (LDAP)
    Enabled                    : Disabled
    Local Users Enabled        : Enabled
    NT Name Mapping            : Disabled
    Directory Server           :
    Directory Server SSL Port  : 0
    Search Context #1          :
    Search Context #2          :
    Search Context #3          :

TEST LDAP
• Command: TEST LDAP [""] [""]
• Description: Run LDAP tests and optionally attempt to login to the LDAP server using the user name and password.
UNASSIGN OA LDAP GROUP
• Command: UNASSIGN OA {"" | LDAP GROUP ""}
• Description: Disables access to the Onboard Administrator for the group specified
• Access level/Bay level: OA Administrator
• Restrictions: None
8 HP SIM commands

ADD HPSIM CERTIFICATE
• Command: ADD HPSIM CERTIFICATE
• Description: Adds an HP SIM certificate on the command line:
1. Start with a string that does not appear within the certificate (the end marker).
2. Paste the certificate.
3. Terminate the command with the end marker.
• Access level/Bay level: OA Administrator
• Restrictions:
◦ This command is only available in SCRIPT MODE.
◦ The certificate text cannot exceed 3071 characters.

SET HPSIM TRUST MODE
• Command: SET HPSIM TRUST MODE {CERTIFICATE [ON] | DISABLED [OFF]}
• Description: Enables or disables the HP SIM SSO mode. When enabled, the trusted applications can access the Onboard Administrator GUI data without requiring additional authentication.
• Access level/Bay level: OA Administrator
• Restrictions: The CERTIFICATE (On) mode trusts only applications with certificates that have been uploaded to the Onboard Administrator.
9 General management commands

DOWNLOAD OA CERTIFICATE
• Command: DOWNLOAD OA CERTIFICATE []
• Description:
◦ Downloads a CA supplied pkcs#7 file to replace the current security certificate on Onboard Administrator specified by . If you omit , then the current Onboard Administrator is targeted.
◦ Supported protocols are HTTP, FTP, and TFTP.
• Access level/Bay level: OA Administrator
• Restrictions: You must format the as protocol://host/path/file.

Generate certificate prompts
Prompt: OA Host Name (CN)
Description: This is the most important field. This is the Onboard Administrator name that appears in the browser web address box. This certificate attribute is generally referred to as the common name.
Restrictions: Must be 1 to 60 characters long. To prevent security alerts, the value of this field must match the host name exactly as it is known by the web browser.
• Access level/Bay level: All
• Restrictions: The must be in the form ###.###.###.###, where each ### ranges from 0 to 255.

SET DEVICE SERIAL_NUMBER BLADE
• Command: SET DEVICE SERIAL_NUMBER BLADE ""
• Description: Sets the serial number of the specified Storage, Tape, or I/O expansion blade.
• Access level/Bay level: OA Administrator
• Restrictions:
◦ Length must be 10 characters. All printable characters are permitted.
SET SCRIPT MODE
• Command: SET SCRIPT [MODE] {ON | OFF}
• Description:
◦ Ceases all prompting and verifying of entries when SCRIPT MODE is on.
◦ The ADD USER command must have a password argument if executed in SCRIPT MODE.
◦ Default values are used for any parameters that would normally require user interaction.
• Access level/Bay level: All
• Restrictions: None

SHOW ALL
• Command: SHOW ALL
• Description: Executes all SHOW commands in succession.

SHOW SERVER STATUS ALL
SHOW SERVER TEMP ALL
SHOW PARTITION DVD
SHOW SERVER POWERDELAY ALL
SHOW SERVER BOOT ALL
SHOW SYSLOG SERVER ALL
SHOW SYSLOG ILO ALL
SHOW TOPOLOGY
SHOW USBKEY
SHOW USER (current user)
SHOW USER SESSIONS
SHOW USER LIST
SHOW LDAP INFO
SHOW LDAP CERTIFICATE
SHOW LDAP GROUP LIST
SHOW CA CERTIFICATE
SHOW TWOFACTOR INFO
SHOW PASSWORD SETTINGS
SHOW UPDATE
SHOW SYSLOG SETTINGS
SHOW VCMODE
SHOW SESSION TIMEOUT
SHOW VLAN
SHOW URB
SHOW DEVICE SERIAL_NUM
• Access level/Bay level:
◦ All
◦ Bay specific
• Restrictions: Dependent on bay privileges
• Example:
OA-0016355E560A> SHOW DEVICE SERIAL_NUMBER BLADE
Serial number: USM81500RP

SHOW INTERCONNECT SESSIONS
• Command: SHOW INTERCONNECT SESSIONS
• Description: Displays which users have serial console sessions in progress for each interconnect
• Access level/Bay level:
◦ OA Administrator, OA Operator
◦ Bay specific
• Restrictions: You must have access to the specified bay.

• Access level/Bay level:
◦ OA Administrator, OA Operator
• Restrictions: None
• Example:
[MFG Shell Enabled]iduno-oa> show user sessions
Username        Age          Idle         Type   IP Address
--------------- ------------ ------------ ------ ----------------
Administrator   3s           0s           Local  16.127.73.207
Administrator   2h 53m 56s   2h 53m 52s   Local  16.191.144.136
Administrator   6h 24m 30s   3m 45s       Local  16.119.117.
10 Enclosure Bay IP Addressing commands

ADD EBIPA
• Command: ADD EBIPA { BLADE | INTERCONNECT } DNS [ { , | - } ]
NOTE: SERVER is a valid alias for BLADE.
• Description: Adds a DNS server IP address to the list of DNS servers for either BLADE bays or INTERCONNECT bays
• Access Level/Bay level: Administrator, Operator
• Restrictions:
◦ A maximum of three DNS servers can be added for EBIPA.
◦ The must be in the form ###.###.###.

NOTE: SERVER is a valid alias for BLADE.
• Description: Enables the Onboard Administrator to provide IP addresses to the devices in the bays using DHCP. If you do not specify any bay numbers, then EBIPA is enabled for all bays. DHCP traffic from iLO and the switch modules can no longer go outside the enclosure. This causes a reset of the iLO, which causes it to attempt to get an IP address. The interconnect is power-cycled.
If no bays are specified when setting the , then all the bays are assigned an IP address in the range starting from the . The keyword NONE can be used in the place of , , or to clear the IP address. NOTE: Link-local IP addresses can be assigned to blades, iLOs, and interconnect bays within an enclosure.
11 Enclosure network configuration commands

ADD OA DNS
• Command: ADD OA DNS []
• Description: Adds an IP address of a DNS server to the list. DNS servers are used if the system is configured to use a static IP address. If a bay number is not specified, the command defaults to the active Onboard Administrator.
• Access level/Bay level: OA Administrator, OA Operator
• Restrictions: A maximum of two DNS servers can be added. The must be in the form ###.###.###.

• Access level/Bay level: Administrator
• Restrictions:
◦ SSHKEY is only available for the Administrator local account.
◦ The SSHKEY string is limited to 8 KB.

ADD TRUSTED HOST
• Command: ADD TRUSTED HOST
• Description: Adds an IP address to the list of systems permitted connectivity with the Onboard Administrator.
• Access level/Bay level: OA Administrator, OA Operator
• Restrictions: You can add a maximum of five IP addresses to the IP Manager.
OA Bays
• Restrictions:
◦ All blades in the enclosure must be powered off before clearing the VCMODE.
◦ The enclosure is no longer managed by Virtual Connect, and blades revert to default Ethernet MAC and Fibre Channel WWN assignments. Virtual Connect might disconnect the servers from Ethernet networks and Fibre Channel fabrics.

DISABLE SECURESH
• Command: DISABLE SECURESH
• Description: Disables SSH access to the Onboard Administrator. Disabling SSH prevents access to the web-based user interface and the SSH terminal interface until a terminal session re-enables the SSH protocol.
• Access level/Bay level: OA Administrator, OA Operator
• Restrictions: None

DISABLE SNMP
• Command: DISABLE SNMP
• Description:
◦ Disables SNMP support for the Onboard Administrator.

DISABLE TRUSTED HOST
• Command: DISABLE TRUSTED HOST
• Description: Disables the host-based access to the Onboard Administrator. Disabling TRUSTED HOSTS allows all hosts to connect to the Onboard Administrator.
To execute a configuration script from a USB key, use usb:///
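Several commands in this guide loosen authentication or leave secrets in a script: DISABLE CRL, DISABLE TWOFACTOR, DISABLE TRUSTED HOST, ENABLE LDAP NOLOCAL, ADD USER with a password argument (required in SCRIPT MODE), and a URL carrying a user name and password. The following Python audit of a configuration script before it is run is an added example, not HP code; the sample script with its user names, passwords and host is constructed, and the case-insensitive command matching and the finding labels are assumptions.

```python
import re
import shlex

# Constructed sample script. The commands are ones documented in this guide;
# the user names, passwords and host are made up for the example.
SAMPLE_SCRIPT = """\
SET SCRIPT MODE ON
ADD USER "opsuser" "summer2013"
ADD USER "audit1" "Tr1cky-Pass"
ENABLE LDAP NOLOCAL
DISABLE CRL
DISABLE TWOFACTOR
DISABLE TRUSTED HOST
UPLOAD DEBUG ftp://dbg:s3cret@192.0.2.10/oa/debug.tgz
"""

# Command prefixes whose effect, as described in the guide, weakens access control.
FIXED_RULES = {
    ("DISABLE", "CRL"): "certificate revocation checks are disabled",
    ("DISABLE", "TWOFACTOR"): "Two-Factor Authentication is disabled",
    ("DISABLE", "TRUSTED", "HOST"): "all hosts are allowed to connect to the OA",
    ("ENABLE", "LDAP", "NOLOCAL"): "local users are not enabled; if the LDAP server "
                                   "is unavailable, recovery needs Lost Password mode",
}

# scheme://user:password@host, the form the guide gives for authenticated FTP.
URL_CREDENTIALS = re.compile(r"\b[a-z]+://[^/\s:@]+:[^/\s@]+@", re.IGNORECASE)


def password_categories(password):
    """Count how many of the four ENABLE STRONG PASSWORDS categories are present."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def audit(script):
    """Return (line number, label, reason) for each risky line in an OA script."""
    findings = []
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            tokens = shlex.split(line)  # honours the double-quoted arguments
        except ValueError:
            findings.append((lineno, "PARSE", "unbalanced quotes"))
            continue
        words = tuple(t.upper() for t in tokens)  # assumption: commands are case-insensitive
        for prefix, reason in FIXED_RULES.items():
            if words[:len(prefix)] == prefix:
                findings.append((lineno, " ".join(prefix), reason))
        if URL_CREDENTIALS.search(line):
            findings.append((lineno, "URL-CREDENTIALS", "user name and password inside a URL"))
        if words[:2] == ("ADD", "USER") and len(tokens) >= 4:
            findings.append((lineno, "INLINE-PASSWORD", "password stored in the script text"))
            if password_categories(tokens[3]) < 3:
                findings.append((lineno, "WEAK-PASSWORD",
                                 "fewer than three of the four character categories"))
    return findings


if __name__ == "__main__":
    for lineno, label, reason in audit(SAMPLE_SCRIPT):
        print(f"line {lineno}: {label}: {reason}")
```

Because SCRIPT MODE requires the ADD USER password on the command line, any such script holds credentials in clear text and should be stored and transferred accordingly.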