LES1108A LES1116A LES1132A LES1148A LES1208A-R2 LES1216A-R2 LES1232A LES1248A-R2 LES1308A LES1316A LES1332A LES1348A LES1408A LES1416A LES1432A LES1448A LES1508A
Value-Line and Advanced Console Servers User’s Manual
Securely manage data center and network equipment from anywhere in the world.
BLACK BOX®
Customer Support Information
Order toll-free in the U.S.: Call 877-877-BBOX (outside U.S.
Trademarks Used in this Manual
Black Box and the Double Diamond logo are registered trademarks of BB Technologies, Inc. Cisco is a registered trademark of Cisco Technology, Inc. Mac is a registered trademark of Apple Computers, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Windows, Windows Me, Windows NT, and Windows Vista are registered trademarks of Microsoft Corporation.
Federal Communications Commission and Industry Canada Radio Frequency Interference Statements
This equipment generates, uses, and can radiate radio-frequency energy, and if not installed and used properly, that is, in strict accordance with the manufacturer’s instructions, may cause interference to radio communication.
Safety Instructions (Normas Oficiales Mexicanas Electrical Safety Statement)
1. All safety and operating instructions must be read before the electrical appliance is operated.
2. The safety and operating instructions must be kept for future reference.
3. All warnings on the electrical appliance and in its operating instructions must be heeded.
4.
4.1.8 Cisco USB console connection
4.2 Add/Edit Users
4.3 Authentication
4.4 Network Hosts
4.5 Trusted Networks
4.6 Serial Port Cascading
4.6.1 Automatically generate and upload SSH keys
4.6.2 Manually generate and upload SSH keys
4.6.3 Configure the slaves and their serial ports
4.6.4 Managing the Slaves
4.7 Serial Port Redirection
4.8 Managed Devices
4.9 IPsec VPN
4.10 OpenVPN
11.3 Configure Date and Time
11.4 Configuration Backup
11.5 Delayed Configuration Commit
11.6 FIPS Mode
STATUS REPORTS
12.1 Port Access and Active Users
12.2 Statistics
12.3 Support Reports
12.4 Syslog
12.5 Dashboard
12.5.1 Configuring the Dashboard
12.5.2 Creating custom widgets for the Dashboard
MANAGEMENT
13.1 Device Management
13.2 Port and Host Logs
13.3 Serial Port Terminal Connection
15.1.8 Backing-up the configuration and restoring using a local USB stick
15.1.9 Backing-up the configuration off-box
15.2 Advanced Portmanager
15.2.1 Portmanager commands
15.2.2 External Scripts and Alerts
15.3 Raw Access to Serial Ports
15.3.1 Access to serial ports
15.3.2 Accessing the console/modem port
15.4 IP-Filtering
15.5 Modifying SNMP Configuration
15.5.1 /etc/config/snmpd.conf
15.5.2 Adding more than one SNMP server
APPENDIX
A. CLI Commands and Source Code
B. Hardware Specification
C. Safety and Certifications
D. Connectivity and Serial I/O
E. Terminology
F. End User License Agreement
G. Service and Warranty
Chapter 1 Introduction
This Manual
This User’s Manual walks you through installing and configuring your Black Box Console Server (LES1108A, LES1116A, LES1132A, LES1148A, LES1508A) or Advanced Console Server (LES1208A-R2, LES1216A-R2, LES1232A, LES1248A-R2, LES1308A, LES1316A, LES1332A, LES1348A, LES1408A, LES1416A, LES1432A, LES1448A). Each of these products is referred to generically in this manual as a “console server.
10. Nagios Integration: Describes how to set Nagios central management with SDT extensions and configure the console server as a distributed Nagios server.
11. System Management: Covers access to and configuration of services that will run on the console server.
12. Status Reports: View a dashboard summary and detailed status and logs of serial and network connected devices (ports, hosts, power, and environment).
13. Management: Includes port controls that Users can access.
ports and serially connected devices, network connected hosts, and connected power devices; and to view associated logs and configure alerts. A User can also use the Management Console, but has limited menu access to control select devices, review their logs and access them using the built-in java terminal or control power to them. The console server runs an embedded Linux operating system, and experienced Linux® and UNIX® users may prefer to configure it at the command line.
Date            Revision  Update details
September 2011  1.1       Prerelease
October 2011    2.0       Release for V2.8 firmware and later
December 2012   3.0       Release for V3.5 firmware and later
Copyright ©Black Box Corporation 2011. All Rights Reserved. Information in this document is subject to change without notice and does not represent a commitment on the part of Black Box. Black Box provides this document “as is,” without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of fitness or merchantability for a particular purpose.
Chapter 2 Installation
Introduction
This chapter describes how to install the console server hardware and connect it to controlled devices. To avoid physical and electrical hazards please read Appendix C on Safety.
2.
If you are installing the console server in a rack, you will need to attach the rack mounting brackets supplied with the unit, then install the unit in the rack. Make sure you follow the Safety Precautions listed in Appendix C. Connect your console server to the network, to the serial ports of the controlled devices, and to power as outlined next. 2.1.
DB9F-RJ45S straight and DB9F-RJ45S cross-over connectors
USB micro-AB adapter cable
Antenna with 10 foot extension cable
Dual IEC AC power cords
Printed Quick Start Guide and User’s Manual on CD-ROM
2.1.
2.1.4 Kit components LES1116A, LES1132A and LES1148A Console Servers
LES1116A, LES1132A or LES1148A Console Server
(2) UTP CAT5 blue cables
DB9F-RJ45S straight and DB9F-RJ45S cross-over connectors
IEC AC power cord
Printed Quick Start Guide and User’s Manual on CD-ROM
2.1.5 Kit components LES1108A Console Server
LES1108A Console Server
(2) UTP CAT5 blue cables
DB9F-RJ45S straight and DB9F-RJ45S cross-over connectors
5-VDC, 2.
VDC connector from the power supply plugs into the 12VDC (PWR) power socket on the side of the LES1508A. 2.2.2 LES1408A - LES1448A, LES1308A- LES1348A and LES1208A - LES1248A power The Advanced Console Server models (LES1208A-R2, LES1216A-R2, LES1232A, LES1248A-R2, LES1308A, LES1316A, LES1332A, LES1348A, LES1408A, LES1416A, LES1432A and LES1448A) all have dual universal AC power supplies with auto failover built in.
2.2.4 LES1108A power The LES1108A includes an external DC power supply unit. This unit accepts an AC input voltage between 100 and 250 VAC with a frequency of 50Hz or 60Hz. The DC power supply has an IEC AC power socket, which accepts a conventional IEC AC power cord. The power cord for North America is included in the kit. The 5-VDC connector from the power supply plugs into the 5VDC power socket on the rear of the LES1108A. 2.
PIN  SIGNAL  DEFINITION           DIRECTION
1    RTS     Request To Send      Output
2    DSR     Data Set Ready       Input
3    DCD     Data Carrier Detect  Input
4    RXD     Receive Data         Input
5    TXD     Transmit Data        Output
6    GND     Signal Ground        NA
7    DTR     Data Terminal Ready  Output
8    CTS     Clear To Send        Input
The LES1208A-R2, LES1216A-R2, LES1232A, LES1248A-R2, LES1308A, LES1316A, LES1332A, LES1348A, LES1408A, LES1416A, LES1432A and LES1448A Advanced Console Servers have the Cyclades RJ-45 pinout shown next: PIN 1 2 3 4 5 6 7 8 SIGNAL RTS DTR TXD GND CTS RXD
− connecting to USB consoles of Managed Devices (e.g. for managing UPS supplies) − attaching other external USB peripherals (e.g. an external USB memory stick or modem) − adding supported Sierra Wireless cellular USB modems − plugging in USB hubs to provide additional ports The USB1.1 port is best reserved for use with an external USB memory stick dedicated to recovery firmware boot images/ extended log file storage etc. 2.
Chapter 3 Initial System Configuration
Introduction
This chapter provides step-by-step instructions for the console server’s initial configuration, and for connecting it to the Management or Operational LAN. The Administrator must:
Activate the Management Console.
Change the Administrator password.
Set the IP address of the console server’s principal LAN port.
Select the network services that will be supported.
o Subnet mask: 255.255.255.0 If you want to retain your existing IP settings for this network connection, click Advanced and Add the above as a secondary IP connection. If it is not convenient to change your PC/workstation network address, you can use the ARP-Ping command to reset the console server IP address. To do this from a Windows PC: Click Start -> Run (or select All Programs then Accessories then Run). Type cmd and click OK to bring up the command line.
You will be prompted to log in. Enter the default administration username and administration password:
Username: root
Password: default
Note Console servers are factory configured with HTTPS access enabled and HTTP access disabled.
A Welcome screen, which lists initial installation configuration steps, will be displayed:
- Change the default administration password on the Users page (Chapter 3).
- Configure the local network settings on the System/IP page (Chapter 3).
After completing each of the above steps, you can return to the configuration list by clicking in the top left corner of the screen on the Black Box logo. Note If you are not able to connect to the Management Console at 192.168.0.1 or if the default Username/Password were not accepted, then reset your console server (refer to Chapter 11). 3.2 Administrator Password For security reasons, only the administrator user named root can initially log into your console server.
Click Apply. Since you have changed the password you will be prompted to log in again. This time, use the new password. Note If you are not confident that your console server has the current firmware release, you can upgrade. Refer to Upgrade Firmware—Chapter 10. 3.2.1 Set up new administrator It is also recommended that you set up a new Administrator user as soon as convenient and log-in as this new user for all ongoing administration functions (rather than root).
The next step is to enter an IP address for the principal Ethernet (LAN/Network/Network1) port on the console server; or enable its DHCP client so that it automatically obtains an IP address from a DHCP server on the network it will connect to. On the System: IP menu, select the Network Interface page then check dhcp or static for the Configuration Method. If you selected Static, you must manually enter the new IP Address, Subnet Mask, Gateway, and DNS server details.
3.3.1 IPv6 configuration You can also configure the console server Network and Management LAN Interfaces for IPv6 operation: On the System: IP menu select General Settings page and check Enable IPv6. Then, configure the IPv6 parameters on each Interface page. 3.3.2 Dynamic DNS (DDNS) configuration With Dynamic DNS (DDNS) a console server whose IP address is dynamically assigned (and that may change from time to time) can be located using a fixed host or domain name.
3.4 System Services The Administrator can access and configure the console server (and connected devices) using a range of access protocols/services – and for each such access, the particular service must be running with access through the firewall enabled. Service Access specifies which access protocols/services can be used to access the console server (and connected serial ports). By default HTTP, HTTPS, Telnet and SSH services are running, and these services are enabled on all network interfaces.
The Services Access settings specify which services the Administrator can use over which network interface to access the console server. It also nominates the enabled services that the Administrator and the User can use to connect through the console server to attached serial and network connected devices. The following general service access options can be specified: HTTPS This ensures secure browser access to all the Management Console menus.
in rackmount models. To modify the default SNMP settings, the Administrator must make the edits at the command line as described in Chapter 15—Advanced Configuration. TFTP This service will set up the default tftp server on the USB flash card (and is relevant to LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers only).
To enable a service check Enable. For some services you will be asked to specify the TCP/IP port to be used for this service. There are also some serial port access parameters that you can configure on this menu:
Base The console server uses specific default ranges for the TCP/IP ports for the various access services that Users and Administrators can use to access devices attached to serial ports (as covered in Chapter 4—Configuring Serial Ports).
Black Box provides the SDT Connector Java applet as the recommended client software tool. You can use other generic tools such as PuTTY and SSHTerm. These tools are all described below as well. 3.5.1 SDT Connector Each console server has an unlimited number of SDT Connector licenses to use with that console server.
3.5.3 To use PuTTY for an SSH terminal session from a Windows client, enter the console server’s IP address as the “Host Name (or IP address).” To access the console server command line, select “SSH” as the protocol, and use the default IP Port 22. Click “Open” and the console server login prompt will appear. (You may also receive a “Security Alert” that the host’s key is not cached. Choose “yes” to continue.) Using the Telnet protocol is similarly simple but you use the default port 23.
3.6.1 Enable the Management LAN The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers provide a firewall, router, and DHCP server. You need to connect an external LAN switch to Network 2 to attach hosts to this management LAN. This Management LAN feature is disabled by default. To configure the Management LAN gateway: Select the Management LAN page on the System: IP menu and uncheck Disable.
Note You can configure the second Ethernet port as either a gateway port or as an OOB/Failover port (but not both). Make sure you did not allocate Network 2 as the Failover Interface when you configured the principal Network connection on the System: IP menu. The management gateway function is now enabled with default firewall and router rules. By default, these rules are configured so the Management LAN can only be accessible by SSH port forwarding.
Enter the Default Lease time and Maximum Lease time in seconds. The lease time is the time that a dynamically assigned IP address is valid before the client must request it again. Click Apply. The DHCP server will sequentially issue IP addresses from a specified address pool(s): Click Add in the Dynamic Address Allocation Pools field. Enter the DHCP Pool Start Address and End Address and click Apply.
By default, the failover is not enabled. To enable, select the Network page on the System: IP menu. Select the Failover Interface to be used if the main interface fails. This can be:
o Management LAN - an alternate broadband Ethernet connection (which would be the Network2 port on the LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console server) or
o Internal Modem - the internal V.
Click Apply. You have selected the failover method. It is not active until you specify the external sites to be probed to trigger failover, and set up the failover ports themselves. This is covered in Chapter 5. Note You can configure the second Ethernet port as either a gateway port or as an OOB/Failover port, but not both. Make sure you did not enable the Management LAN function on Network 2. 3.6.
Select Enable Bridging on the System: IP General Settings menu. Select Bridge Interfaces or Bond Interfaces:
o When bridging is enabled, network traffic is forwarded across all Ethernet ports with no firewall restrictions. The Ethernet ports are all transparently connected at the data link layer (layer 2) so they do retain their unique MAC addresses.
o With bonding the network traffic is carried between the ports but they present with one MAC address.
3.6.5
To add a static route to the route table of the system: Select the Route Settings tab on the System: IP General Settings menu. Enter a meaningful Route Name for the route. In the Destination Network/Host field enter the IP address of the destination network/host that the route provides access to. Enter a value in the Destination netmask field that identifies the destination network or host. This can be any number between 0 and 32. A subnet mask of 32 identifies a host route.
Chapter 4 Serial Port, Host, Device & User Configuration
Introduction
The Black Box console server enables access and control of serially attached devices and network attached devices (hosts). The Administrator must configure access privileges for each of these devices, and specify the services that can be used to control the devices. The Administrator can also set up new users and specify each user’s individual access and control privileges.
1) Console Server Mode is the default and this enables general access to serial console port on the serially attached devices. 2) Device Mode sets the serial port up to communicate with an intelligent serial controlled PDU, UPS, or Environmental Monitor Device (EMD). 3) SDT Mode enables graphical console access (with RDP, VNC, HTTPS, etc.) to hosts that are serially connected. 4) Terminal Server Mode sets the serial port to wait for an incoming terminal login session.
Specify a label for the port. Select the appropriate Baud Rate, Parity, Data Bits, Stop Bits, and Flow Control for each port. (Note: The RS-485/RS-422 option is not relevant for console servers.) Before proceeding with further serial port configuration, connect the ports to the serial devices they will be controlling, and make sure they have matching settings. Note The serial ports are all set at the factory to RS232 9600 baud, no parity, 8 data bits, 1 stop bit, and Console server Mode.
Logging Level This specifies the level of information to be logged and monitored (refer to Chapter 7—Alerts and Logging).
Telnet When the Telnet service is enabled on the console server, a Telnet client on a User or Administrator’s computer can connect to a serial device attached to this serial port on the console server. The Telnet communications are unencrypted, so this protocol is generally recommended only for local connections. With Win2000/XP/NT you can run telnet from the command prompt (cmd.exe).
If the remote communications are tunneled with SDT Connector, then you can use Telnet to securely access these attached devices (refer to the Note below). Note In Console Server mode, Users and Administrators can use SDT Connector to set up secure Telnet connections that are SSH tunneled from their client PC/workstations to the serial port on the console server. SDT Connector can be installed on Windows 2000, XP, 2003, Vista, and Windows 7 PCs and on most Linux platforms.
PuTTY can be downloaded at http://www.tucows.com/preview/195286.html SSH We recommend that you use SSH as the protocol where the User or Administrator connects to the console server (or connects through the console server to the attached serial consoles) over the Internet or any other public network.
For a User named “fred” to access serial port 2, when setting up the SSHTerm or the PuTTY SSH client, instead of typing username = fred and ssh port = 3002, the alternate is to type username = fred:port02 (or username = fred:ttyS1) and ssh port = 22. Or, by typing username=fred:serial and ssh port = 22. A port selection option appears to the User: This syntax enables Users to set up SSH tunnels to all serial ports with only opening a single IP port 22 in their firewall/gateway.
Web Terminal Selecting Web Terminal enables web browser access to the serial port via Manage: Devices: Serial using the Management Console's built in AJAX terminal. Web Terminal connects as the currently authenticated Management Console user and does not reauthenticate. See section 13.3 for more details.
For configuration details, refer to Chapter 6.6—Using SDT Connector to Telnet or SSH connect to devices that are serially attached to the console server. 4.1.4 Device (RPC, UPS, EMD) Mode This mode configures the selected serial port to communicate with a serial controlled Uninterruptable Power Supply (UPS), Remote Power Controller/Power Distribution Unit (RPC) or Environmental Monitoring Device (EMD).
4.1.6 Serial Bridging Mode With serial bridging, the serial data on a nominated serial port on one console server is encapsulated into network packets and then transported over a network to a second console server. It is then represented on its serial port again as serial data. The two console servers effectively act as a virtual serial cable over an IP network. One console server is configured as the Server.
For example, if the computer attached to serial port 3 should never send anything out on its serial console port, the Administrator can set the Facility for that port to local0 (local0 .. local7 are for site local values), and the Priority to critical. At this priority, if the console server syslog server does receive a message, it will automatically raise an alert. Refer to Chapter 7—Alerts & Logging. 4.1.
Users can be authorized to access specified console server serial ports and specified network-attached hosts. These users can also be given full Administrator status (with full configuration and management and access privileges). To simplify user set up, they can be configured as members of Groups. There are six Groups set up by default (admin and user). admin Provides users with unlimited configuration and management privileges pptpd Group to allow access to the PPTP VPN server.
3. If a user is set up with pptpd, dialin, ftp or pmshell group membership they will have restricted user shell access to the nominated managed devices but they will not have any direct access to the console server itself. To add this the users must also be a member of the "users" or "admin" groups.
4. The Administrator can also set up additional Groups with specific power device, serial port and host access permissions.
Note The User Name can contain from 1 to 127 alphanumeric characters (you can also use the special characters “-”, “_”, and “.” ). There are no restrictions on the characters that you can use in the user Password (each can contain up to 254 characters). Only the first eight Password characters are used to make the password hash. Specify which Group (or Groups) you want the user to join. SSH pass-key authentication can be used. This is more secure than password based authentication.
4.3 Authentication Refer to Chapter 9.1— Remote Authentication Configuration for authentication configuration details. 4.4 Network Hosts To access a locally networked computer or device (referred to as a Host), you must identify the Host and specify the TCP or UDP ports/services that will be used to control that Host. Selecting Serial & Network: Network Hosts presents all the network connected Hosts that have been enabled for access, and the related access TCP ports/services.
If the console server has been configured with distributed Nagios monitoring enabled, then you will also be presented with Nagios Settings options to enable nominated services on the Host to be monitored (refer to Chapter 10— Nagios Integration). Click Apply. This will create the new Host and also create a new Managed Device (with the same name). 4.
Network Mask 255.255.255.255
If, however, you want to allow all the users operating from within a specific range of IP addresses (for example, any of the thirty addresses from 204.15.5.129 to 204.15.5.158) to be permitted connection to the nominated port:
Host /Subnet Address 204.15.5.128
Subnet Mask 255.255.255.224
Click Apply.
Note The above Trusted Networks will limit Users and Administrators access to the console serial ports.
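The arithmetic behind the two Trusted Networks entries above, as an added example that is not part of the manual: it uses Python's standard ipaddress module to show which addresses an address/mask pair covers and to reject an entry whose address is not the base of its subnet. The single-host address 192.0.2.20 and the client addresses tested are constructed.

```python
import ipaddress


def trusted_network(address, mask):
    """Return the IPv4 network described by a Host/Subnet Address and Subnet Mask.

    Raises ValueError when the mask is not contiguous or when the address has
    host bits set (for example 204.15.5.129 with 255.255.255.224), because such
    an entry does not name the range the administrator probably intended.
    """
    return ipaddress.IPv4Network(f"{address}/{mask}", strict=True)


def usable_range(net):
    """Return (first, last, count) of the host addresses inside the network."""
    first, last = net.network_address, net.broadcast_address
    if net.prefixlen < 31:  # skip the network and broadcast addresses
        first, last = first + 1, last - 1
    return str(first), str(last), int(last) - int(first) + 1


def is_trusted(client, entries):
    """True when the client address falls inside any configured entry."""
    ip = ipaddress.IPv4Address(client)
    return any(ip in net for net in entries)


def demo():
    entries = [
        trusted_network("204.15.5.128", "255.255.255.224"),  # range from the manual
        trusted_network("192.0.2.20", "255.255.255.255"),    # constructed single host
    ]
    report = [(str(net), *usable_range(net)) for net in entries]
    checks = {
        client: is_trusted(client, entries)
        for client in ("204.15.5.140", "204.15.5.161", "192.0.2.20", "192.0.2.21")
    }
    return report, checks


if __name__ == "__main__":
    report, checks = demo()
    for cidr, first, last, count in report:
        print(f"{cidr}: {first} - {last} ({count} addresses)")
    for client, ok in checks.items():
        print(f"{client}: {'trusted' if ok else 'not trusted'}")
```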
Select System: Administration on Master’s Management Console. Check Generate SSH keys automatically and click Apply. Next, you must select whether to generate keys using RSA and/or DSA (if unsure, select only RSA). Generating each set of keys will require approximately two minutes, and the new keys will destroy any old keys of that type that may previously have been uploaded.
Next, you must register the Public Key as an Authorized Key on the Slave. In a case that has only one Master with multiple Slaves, you only need to upload the one RSA or DSA public key for each Slave. Note Using key pairs can be confusing since one file (Public Key) fulfills two roles— Public Key and Authorized Key. For a more detailed explanation, refer to the Authorized Keys section of Chapter 15.6. Also, refer to this chapter if you need to use more than one set of Authorized Keys in the Slave.
Once the SSH connection has been established, the system asks you to accept the key. Answer yes and the fingerprint will be added to the list of known hosts. For more details on Fingerprinting, refer to Chapter 15.6. If the system asks you to supply a password, then there is a problem with uploading keys. The keys should remove any need to supply a password. 4.6.
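A way to check the fingerprint before answering yes, as an added example that is not part of the manual: it computes the MD5 and SHA256 fingerprints of an OpenSSH-format public-key line and compares them with the value shown in the prompt. It assumes you have obtained the Slave's host public key over a path you already trust; the key built by constructed_key_line() is sample input made from constructed numbers.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string (4-byte length + data)."""
    return struct.pack(">I", len(data)) + data


def constructed_key_line():
    """Build a syntactically valid ssh-rsa public-key line from constructed
    numbers. It is sample input only and belongs to no real device."""
    exponent = (65537).to_bytes(3, "big")
    modulus = b"\x00\xc3" + bytes(range(127))
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(exponent) + _ssh_string(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"


def fingerprints(pubkey_line):
    """Return (key_type, md5_fingerprint, sha256_fingerprint) for one
    '<type> <base64> [comment]' public-key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + length].decode("ascii", "replace")
    # The type named on the line must match the type inside the key blob.
    if embedded != declared:
        raise ValueError(f"type mismatch: line says {declared}, blob says {embedded}")
    md5_hex = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2))
    sha_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return declared, md5_fp, "SHA256:" + sha_b64


def prompt_matches(pubkey_line, shown):
    """Compare a fingerprint copied from the SSH prompt with the expected key.
    Accepts colon-separated MD5 hex (with or without 'MD5:') or 'SHA256:...'."""
    _, md5_fp, sha_fp = fingerprints(pubkey_line)
    shown = shown.strip()
    if shown.upper().startswith("MD5:"):
        shown = shown[4:]
    if shown.startswith("SHA256:"):
        return hmac.compare_digest(shown.encode(), sha_fp.encode())
    return hmac.compare_digest(shown.lower().encode(), md5_fp.encode())


if __name__ == "__main__":
    line = constructed_key_line()
    key_type, md5_fp, sha_fp = fingerprints(line)
    print(key_type, md5_fp, sha_fp)
    print("prompt matches:", prompt_matches(line, md5_fp))
```

A mismatch means the key offered on the network is not the one you expected, and the connection should not be accepted until the difference is explained.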
Once you have added all the Slave console servers, you can assign and access the Slave serial ports and the connected devices from the Master’s Management Console menu. You can also access them through the Master’s IP address. Select the appropriate Serial & Network: Serial Port and Edit to configure the serial ports on the Slave. Select the appropriate Serial & Network: Users & Groups to add new users with access privileges to the Slave serial ports (or to extend existing users’ access privileges).
This serial port redirector software is loaded in your desktop PC, and it allows you to use a serial device that’s connected to the remote console server as if it were connected to your local serial port. 4.8 Managed Devices Managed Devices presents a consolidated view of all the connections to a device that you can access and monitor through the console server. To view the connections to the devices: Select Serial & Network: Managed Devices.
Select the connection type for the new connection (Serial, Network Host, UPS, or RPC) and then select the specific connection from the presented list of configured unallocated hosts/ports/outlets. To add a new network-connected Managed Device: The Administrator adds a new network-connected Managed Device using Add Host on the Serial & Network: Network Host menu. This automatically creates a corresponding new Managed Device (as covered in Section 4.4—Network Hosts).
Note To set up a new serially connected RPC UPS or EMD device, configure the serial port, designate it as a Device, then enter a Name and Description for that device in the Serial & Network: RPC Connections (or UPS Connections or Environmental). When applied, this will automatically create a corresponding new Managed Device with the same Name /Description as the RPC/UPS Host (refer to Chapter 8—Power and Environment). All the outlet names on the PDU will by default be “Outlet 1” and “Outlet 2.
console servers provide a simple GUI interface for basic set up as described below. However, for more detailed information on configuring Openswan IPsec at the command line and interconnecting with other IPsec VPN gateways and road warrior IPsec software, refer to http://wiki.openswan.org 4.9.
If the VPN gateway is serving as a VPN gateway to a local subnet (e.g. the console server has a Management LAN configured) enter the private subnet details in Left Subnet. Use the CIDR notation (where the IP address number is followed by a slash and the number of ‘one’ bits in the binary notation of the netmask). For example 192.168.0.0/24 indicates an IP address where the first 24 bits are used as the network address. This is the same as 255.255.255.0.
Enter any descriptive name you wish to identify the OpenVPN Tunnel you are adding, for example NorthStOutlet-VPN Select the Device Driver to be used, either Tun-IP or Tap-Ethernet. The TUN (network tunnel) and TAP (network tap) drivers are virtual network drivers that support IP tunneling and Ethernet tunneling, respectively. TUN and TAP are part of the Linux kernel. Select either UDP or TCP as the Protocol. UDP is the default and preferred protocol for OpenVPN.
o If Server has been selected, enter the IP Pool Network address and the IP Pool Network mask for the IP Pool. The network defined by the IP Pool Network address/mask is used to provide the addresses for connecting clients. Click Apply to save changes To enter authentication certificates and files, Edit the OpenVPN tunnel. Select the Manage OpenVPN Files tab. Upload or browse to relevant authentication certificates and files. Apply to save changes.
When the OpenVPN software is started, the C:\Program Files\OpenVPN\config folder will be scanned for “.ovpn” files. This folder will be rechecked for new configuration files whenever the OpenVPN GUI icon is right-clicked. So once OpenVPN is installed, a configuration file will need to be created: Using a text editor, create an xxxx.ovpn file and save in C:\Program Files\OpenVPN\config. For example, C:\Program Files\OpenVPN\config\client.
dev tun
dev tap
remote
Port
Keepalive
http-proxy
ca
cert
key
dh
Nobind
persist-key
persist-tun
cipher BF-CBC        Blowfish (default)
cipher AES-128-CBC   AES
cipher DES-EDE3-CBC  Triple-DES
comp-lzo
syslog
5 = helps with debugging connection problems
9 = extremely verbose, excellent for troubleshooting
Select ‘dev tun’ to create a routed IP tunnel or ‘dev tap’ to create an Ethernet tunnel.
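A check for the client file described above, as an added example that is not part of the manual: it parses an .ovpn file and reports missing remote/ca/cert/key entries and a cipher choice that leaves the tunnel on a 64-bit block cipher (BF-CBC, which the option list marks as the default, or DES-EDE3-CBC). The sample configurations, file names and the 192.0.2.10 address are constructed, and the finding labels are this example's own.

```python
import re

# The 64-bit block ciphers among the choices the manual lists. A 64-bit block
# limits how much data can safely be encrypted under one key.
SHORT_BLOCK = {"BF-CBC": "Blowfish", "DES-EDE3-CBC": "Triple-DES"}
# Assumption: the tunnel uses certificate authentication, so these must exist.
REQUIRED = ("remote", "ca", "cert", "key")

LEGACY_CLIENT = """\
client
dev tun
remote 192.0.2.10 1194
ca ca.crt
cert client.crt
# key client.key   (left out by mistake)
persist-key
persist-tun
"""

TRIPLE_DES_CLIENT = """\
dev tap
remote 192.0.2.10 1194
ca ca.crt
cert client.crt
key client.key
cipher DES-EDE3-CBC
"""

AES_CLIENT = """\
dev tun
remote 192.0.2.10 1194
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
cert client.crt
key client.key
cipher AES-128-CBC
"""


def parse_ovpn(text):
    """Map each directive to the list of argument lists it appears with.
    Inline <tag>...</tag> blocks are recorded as the directive 'tag'."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:  # skip the body of an inline block
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        tag = re.fullmatch(r"<([a-z-]+)>", line)
        if tag:
            inline = tag.group(1)
            opts.setdefault(inline, []).append(["[inline]"])
            continue
        name, *args = line.split()
        opts.setdefault(name, []).append(args)
    return opts


def audit(text):
    """Return a list of findings for one client configuration."""
    opts = parse_ovpn(text)
    findings = [f"missing:{name}" for name in REQUIRED if name not in opts]
    ciphers = [args[0].upper() for args in opts.get("cipher", []) if args]
    if not ciphers:
        # No cipher line: the client falls back to the listed default.
        findings.append("cipher:default-BF-CBC")
    for cipher in ciphers:
        if cipher in SHORT_BLOCK:
            findings.append(f"cipher:64-bit-block:{cipher}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_CLIENT),
                       ("triple-des", TRIPLE_DES_CLIENT),
                       ("aes", AES_CLIENT)):
        print(label, audit(cfg) or "no findings")
```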
The log file will be displayed as the connection is established Once established, the OpenVPN icon will display a message notifying of the successful connection and assigned IP. This information, as well as the time the connection was established, is available anytime by scrolling over the OpenVPN icon. Note: An alternate OpenVPN Windows client can be downloaded from http://www.openvpn.net/index.php/openvpn-client/downloads.html. Refer to http://www.openvpn.net/index.
4.11 PPTP VPN
The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers include a PPTP (Point-to-Point Tunneling Protocol) server. PPTP is typically used for communications over a physical or virtual serial link. The PPP endpoints define a virtual IP address to themselves. Routes to networks can then be defined with these IP addresses as the gateway, which results in traffic being sent across the tunnel.
Select the Enable check box to enable the PPTP Server.
Select the Minimum Authentication Required. Access is denied to remote users attempting to connect using an authentication scheme weaker than the selected scheme. The schemes are described below, from strongest to weakest.
Enable Verbose Logging to assist in debugging connection problems.
Click Apply Settings.
4.11.2 Add a PPTP user
Select Users & Groups on the Serial & Networks menu and complete the fields as covered in section 4.2.
Ensure the pptpd Group has been checked, to allow access to the PPTP VPN server. Note: users in this group will have their password stored in clear text.
Keep note of the username and password for when you need to connect to the VPN connection.
Click Apply.
4.11.
Note: To connect remote VPN clients to the local network, you need to know the user name and password for the PPTP account you added, as well as the Internet IP address of the console server. If your ISP has not allocated you a static IP address, consider using a dynamic DNS service. Otherwise you must modify the PPTP client configuration each time your Internet IP address changes.
Chapter 5 Firewall, Failover and OoB Dial-In
Introduction
The console server has a number of fail-over and out-of-band access capabilities to make sure it’s available if there are difficulties accessing the console server through the principal network path. The console server also has routing, NAT (Network Address Translation), packet filtering and port forwarding support. This chapter covers: 5.
external modem via a serial cable to the DB9 port, and you can configure the second Ethernet port for broadband OoB access. Make sure you unplug the console server power before installing the modem. When it next boots, it will detect the modem and a PC Card Modem tab will appear under System -> Dial.
In the Remote Address field, enter the IP address to be assigned to the dial-in client. You can select any address for the Remote IP Address. It, and the Local IP Address, must both be in the same network range (e.g. 200.100.1.12 and 200.100.1.67). In the Local Address field, enter the IP address for the Dial-In PPP Server. This is the IP address that will be used by the remote client to access the console server once the modem connection is established.
Note: The User name and Password to be used for the dial-in PPP link are set up when the User is initially set up with dialin Group membership. The dialin Group supports multiple dial-in users. Any dial-back phone numbers are also configured when the User is set up.
Note: Chapter 15 (Advanced Configuration) has examples of Linux commands that you can use to control the modem port operation at the command line level.
5.1.
Enter the PPP User name and Password you set up for the console server.
5.1.4 Set up earlier Windows clients
For Windows 2000, the PPP client set up procedure is the same as above, except you get to the Dial-Up Networking Folder by clicking the Start button and selecting Settings. Then, click Network and Dial-up Connections and click Make New Connection. Similarly, for Windows 98, you double click My Computer on the Desktop, then open Dial-Up Networking and double click Make New Connection.
active broadband access paths to the console server, if you are unable to access it through the primary management network (Network or Network1), you can still access it through the alternate broadband path (for example, a T1 link). On the System: IP menu select Network 2 and configure the IP Address, Subnet Mask, Gateway, and DNS with the access settings for the alternate link. Make sure that when you configure the principal Network 1 Settings connection, the Failover Interface is set to None. 5.
On the Management LAN Interface - Network 2, configure the IP Address/Subnet Mask/Gateway the same as Network Interface - Network 1. In this mode, Network 2 (eth1) is available as the transparent back-up port to Network 1 (eth0) for accessing the management network. Network 2 will automatically and transparently take over the work of Network 1, if Network 1 becomes unavailable for any reason. When Network 1 becomes available again, it takes over the work again. 5.
5.4.2 Failover dial-out
The console server modem can be configured so a dial-out PPP connection is automatically set up in the event of a disruption in the principal management network. When configuring the principal network connection in System: IP, specify the Failover Interface that will be used when a fault has been detected with Network / Network1 (eth0).
Note: Your 3G carrier may have provided you with details for configuring the connection including APN (Access Point Name), Pin Code (optional PIN code which may be required to unlock the SIM card), Phone Number (the sequence to dial to establish the connection, defaults to *99***1#), Username/ Password (optional) and Dial string (optional AT commands). However you generally will only need to enter your provider’s APN and leave the other fields blank. Enter the carrier’s APN e.g.
5.6.2 Connect to the CDMA EV-DO carrier network
The LES1408A, LES1416A, LES1432A and LES1448A console servers have an internal CDMA modem. The LES1508A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers also support attaching an external USB CDMA cellular modem from Sierra Wireless to one of its USB 2.0 ports. Both will connect to the Verizon network in North America.
Navigate to the Internal Cellular Modem tab on System: Dial.
To connect to your carrier’s 3G network, enter the appropriate phone number (usually #777) and a Username and Password if directed to by your account/plan documentation.
Select Enable and then click Apply to initiate the Always On Out-of-Band connection.
5.6.3 Verify cellular connection
Out-of-band access is enabled by default so the cellular modem connection should now be on.
5.7 Cellular Operation
When set up as a console server, the 3G cellular modem can be set up to connect to the carrier in either:
- Failover mode. In this case a dial-out cellular connection is only established in the event of a ping failure.
- OOB mode. In this mode the dial-out connection to the carrier cellular network is always on, awaiting any incoming access (from a remote site wanting access to the console server or attached serial consoles/network hosts).
- Cellular router mode.
Specify the Probe Addresses of two sites (the Primary and Secondary) that the console server is to ping to determine if the principal network is still operational. In the event of a failure of the principal network, the 3G network connection is activated as the access path to the console server (and its Managed Devices).
5.8 Firewall & Forwarding
The console server has routing, NAT, packet filtering and port forwarding support on all physical and virtual network interfaces. This enables the console server to function as an Internet or external network gateway:
− Network Forwarding allows the network packets on one network interface (i.e. LAN1/eth0) to be forwarded to another network interface (i.e. LAN2/eth1 or dial-out/cellular).
− With Firewall Rules, packet filtering inspects each packet passing through the firewall and accepts or rejects it based on user-defined rules.
− Then Service Access Rules can be set for connecting to the console server/router itself.
5.8.1 Configuring network forwarding and IP masquerading
To use a console server as an Internet or external network gateway requires establishing an external network connection and then setting up forwarding and masquerading.
IP Masquerading performs Source Network Address Translation (SNAT) on outgoing packets, to make them appear like they've come from the console server (rather than devices on the internal network). When response packets come back from devices on the external network, the console server will translate the packet address back to the internal IP, so that it is routed correctly. This allows the console server to provide full outgoing connectivity for internal devices using a single IP Address on the external network.
Click on the Disabled link next to DHCP Server, which will bring up the System: DHCP Server page.
Check Enable DHCP Server.
To configure the DHCP server, tick the Use interface address as gateway check box.
Set the DNS server address(es) to be the same as used on the external network, i.e. if the console server is acting as an internet gateway or a cellular router, then use the ISP provided DNS server address.
Enter the Default Lease time and Maximum Lease time in seconds.
Source Address: This allows the user to restrict access to a port forward to a specific address. In most cases, this should be left blank.
Input Port Range: The range of ports to forward to the destination IP. These will be the port(s) specified when accessing the port forward. These ports need not be the same as the output port range.
Protocol: The protocol of the data being forwarded. The options are TCP or UDP.
Output Address: The target of the port forward.
Click New Firewall Rule.
Fill in the following fields:
Name: Name the rule. This name should describe the policy the firewall rule is being used to implement (e.g. block ftp, Allow Tony).
Interface: Select the interface that the firewall rule will be applied to (i.e. Any, Dialout/Cellular, VPN, Network Interface, Dial-in etc).
Port Range: Specify the Port or range of Ports (e.g. 1000 – 1500) that the rule will apply to.
Protocol: TCP
Direction: Egress
Action: Block
The firewall rules are processed in a set order, from top to bottom, so rule placement is important.
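The effect of rule placement, as an added example (not from the manual or the console server firmware): a small shell model of a rule table that evaluates rules from the top and reports rules that an earlier, wider rule makes unreachable. The rule names, the pipe-separated format and the assumption that the first matching rule decides are illustrative, and the Interface field is left out.

```shell
#!/bin/sh
# Added example: top-to-bottom rule evaluation and a check for rules that can never fire.
# RULES is a constructed sample table, listed in the order the rules would be processed:
#   name|protocol|first_port-last_port|direction|action
RULES='allow-high-ports|TCP|1000-1500|Egress|Allow
block-1234|TCP|1234-1234|Egress|Block
block-ftp|TCP|21-21|Egress|Block'

# decide PROTOCOL PORT DIRECTION
# Prints "<rule name> <action>" for the first rule that matches, scanning from
# the top, or "none default" when nothing matches. Assumption: the first match
# is final; what the device does with unmatched traffic is not modelled here.
decide() {
    printf '%s\n' "$RULES" | awk -F'|' -v proto="$1" -v port="$2" -v dir="$3" '
        {
            split($3, range, "-")
            if ($2 == proto && $4 == dir &&
                port + 0 >= range[1] + 0 && port + 0 <= range[2] + 0) {
                print $1, $5
                found = 1
                exit
            }
        }
        END { if (!found) print "none default" }'
}

# shadowed
# Prints one line per rule whose whole port range is already covered by a single
# earlier rule with the same protocol and direction. Such a rule can never match:
# it is redundant if the two actions agree and a policy error if they differ.
shadowed() {
    printf '%s\n' "$RULES" | awk -F'|' '
        {
            split($3, range, "-")
            for (i = 1; i < NR; i++) {
                if (proto[i] == $2 && dir[i] == $4 &&
                    lo[i] <= range[1] + 0 && hi[i] >= range[2] + 0) {
                    print $1 " (" $5 ") is shadowed by " name[i] " (" act[i] ")"
                    break
                }
            }
            name[NR] = $1; proto[NR] = $2; dir[NR] = $4; act[NR] = $5
            lo[NR] = range[1] + 0; hi[NR] = range[2] + 0
        }'
}

# Demo on the constructed table: the Block for port 1234 sits below a wider Allow,
# so egress traffic to TCP 1234 is allowed and the Block rule is reported.
decide TCP 1234 Egress
shadowed
```

Moving block-1234 above allow-high-ports makes the Block take effect and clears the report.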
Chapter 6 Secure SSH Tunneling and SDT Connector
Introduction
Each Black Box console server has an embedded SSH server and uses SSH tunneling so remote users can securely connect through the console server to Managed Devices—using text-based console tools (such as SSH, telnet, SoL) or graphical tools (such as VNC, RDP, HTTPS, HTTP, X11, VMware, DRAC, iLO).
Using SDT Connector to Telnet or SSH connect to devices that are serially attached to the console server (Section 6.4). The chapter then covers more advanced SDT Connector and SSH tunneling topics: 6.1 Using SDT Connector for out-of-band access (Section 6.5). Automatic importing and exporting configurations (Section 6.6). Configuring Public Key Authentication (Section 6.7). Setting up a SDT Secure Tunnel for Remote Desktop (Section 6.8).
6.2.1 SDT Connector installation
The SDT Connector set up program (SDTConnectorSetup-1.n.exe or sdtcon-1.n.tar.gz) is included on the CD supplied with your Black Box console server. Run the set-up program.
Note: For Windows clients, the SDTConnectorSetup-1.n.exe application will install the SDT Connector 1.n.exe and the config file defaults.xml. If there is already a config file on the Windows PC, then it will not be overwritten.
configure clients to run on the PC that will use the service to connect to the hosts and serial port devices (refer to Section 6.2.7 and 6.2.9). You can also set up SDT Connector to connect out-of-band to the console server (refer to Section 6.2.9).
6.2.2 Configuring a new console server gateway in the SDT Connector client
To create a secure SSH tunnel to a new console server: Click the New Gateway icon or select the File: New Gateway menu option.
Or, enter a Descriptive Name to display instead of the IP or DNS address, and any Notes or a Description of this gateway (such as its firmware version, site location, or anything special about its network configuration). Click OK and an icon for the new gateway will now appear in the SDT Connector home page.
Note 6.2.4 configure access to network connected Hosts that the user is authorized to access and set up (for each of these Hosts) the services (for example, HTTPS, IPMI2.0) and the related IP ports being redirected. configure access to the console server itself (this is shown as a Local Services host). configure access with the enabled services for the serial port devices connected to the console server.
Note: The SDT Connector client can be configured with an unlimited number of Gateways (that is, console servers). You can configure each Gateway to port forward to an unlimited number of locally networked Hosts. There is no limit on the number of SDT Connector clients that can be configured to access the one Gateway. Nor are there limits on the number of Host connections that an SDT Connector client can concurrently have open through the one Gateway tunnel.
6.2.6 Manually adding new services to the new hosts
To extend the range of services that you can use when accessing hosts with SDT Connector: Select Edit: Preferences and click the Services tab. Click Add. Enter a Service Name and click Add. Under the General tab, enter the TCP Port that this service runs on (for example, 80 for HTTP). Or, select the client to use to access the local endpoint of the redirection. Select which Client application is associated with the new service.
An example is the Dell RAC service. The first redirection is for the HTTPS connection to the RAC server— it has a client associated with it (web browser) that it launches immediately when you click the button for this service. The second redirection is for the VNC service that you may choose to later launch from the RAC web console. It automatically loads in a Java client served through the web browser, so it does not need to have a local client associated with it.
Note SDT Connector can also tunnel UDP services. SDT Connector tunnels the UDP traffic through the TCP SSH redirection, so it is a “tunnel within a tunnel.” Enter the UDP port where the service is running on the host. This will also be the local UDP port that SDT Connector binds as the local endpoint of the tunnel. Note that for UDP services, you still need to specify a TCP port under General. This will be an arbitrary TCP port that is not in use on the gateway. An example of this is the SOL Proxy service.
Enter a Name for the client. Enter the Path to the executable file for the client (or click Browse to locate the executable). Enter a Command Line associated with launching the client application. SDT Connector typically launches a client using command line arguments to point it at the local endpoint of the redirection. There are three special keywords for specifying the command line format.
Click OK.
6.2.8 Dial in configuration
If the client PC is dialing into the Local/Console port on the console server, you will need to set up a dial-in PPP link: Configure the console server for dial-in access (following the steps in the Configuring for Dial-In PPP Access section in Chapter 5, Configuring Dial In Access). Set up the PPP client software at the remote User PC (following the Set up the remote Client section in Chapter 5).
Click the HTTP or HTTPS Services icon to access the Management Console, and/or click SSH or Telnet to access the command line console. Note: To enable SDT access to the console, you must also configure the console server to allow the port forwarded network access to itself: 6.4 Browse to the console server and select Network Hosts from Serial & Network, click Add Host, and in the IP Address/DNS Name field enter 127.0.0.1 (this is the Black Box network loopback address).
Assuming you have already set up the target console server as a gateway in your SDT Connector client (with username/ password etc), select this gateway and click the Host icon to create a host. Or, select File -> New Host. Enter 127.0.0.1 as the Host Address and select Serial Port 2 for Service. In Descriptive Name, enter something such as Loopback ports, or Local serial ports. Click OK.
Description, and Password/Confirm. Select 127.0.0.1 from Accessible Host(s) and select Port 2 from Accessible Port(s). Click Apply.
6.5 Using SDT Connector for out-of-band connection to the gateway
You can also set up SDT Connector to connect to the console server (gateway) out-of-band (OoB). OoB access uses an alternate path for connecting to the gateway to that used for regular data traffic. OoB access is useful for when the primary link into the gateway is unavailable or unreliable.
where network_connection is the name of the network connection as displayed in Control Panel -> Network Connections, login is the dial-in username, and password is the dial-in password for the connection. To initiate a pre-configured dial-up connection under Linux, use the following Start Command: pon network_connection where network_connection is the name of the connection. Enter the command or path to a script to stop the OoB connection in Stop Command.
To enable the distribution of pre-configured client config files, SDT Connector has an Export/Import facility: To save a configuration.xml file (for backup or for importing into other SDT Connector clients) select File -> Export Preferences and select the location where you want to save the configuration file. To import a configuration, select File -> Import Preferences and select the .xml configuration file to install. 6.
6.8 Setting up SDT for Remote Desktop access
The Microsoft Remote Desktop Protocol (RDP) enables the system manager to securely access and manage remote Windows computers—to reconfigure applications and user profiles, upgrade the server’s operating system, reboot the machine, etc. Black Box’s Secure Tunneling uses SSH tunneling, so this RDP traffic is securely transferred through an authenticated and encrypted tunnel.
To set the user(s) who can remotely access the system with RDP, click Add on the Remote Desktop Users dialog box.
Note: If you need to set up new users for Remote Desktop access, open User Accounts in the Control Panel and follow the steps to nominate the new user’s name, password, and account type (Administrator or Limited).
Note: With Windows XP Professional and Vista, you have only one Remote Desktop session and it connects directly to the Windows root console.
In Computer, enter the appropriate IP Address and Port Number: Where there is a direct local or enterprise VPN connection, enter the IP Address of the console server, and the Port Number of the SDT Secure Tunnel for the console server serial port that you attach to the Windows computer you want to control. For example, if the Windows computer is connected to serial Port 3 on a console server located at 192.168.0.50, then you would enter 192.168.0.50:7303.
Click Connect. Note The Remote Desktop Connection software is pre-installed with Windows XP, Vista and Server 2003/2008. For earlier Windows PCs, you need to download the RDP client: Go to the Microsoft Download Center site http://www.microsoft.com/downloads/details.
Note: The rdesktop client is supplied with Red Hat 9.0:
rpm -ivh rdesktop-1.2.0-1.i386.rpm
For Red Hat 8.0 or other distributions of Linux: download source, untar, configure, make, make, then install.
rdesktop currently runs on most UNIX based platforms with the X Window System and can be downloaded from http://www.rdesktop.org/
C. On a Macintosh client: Download Microsoft's free Remote Desktop Connection client for Mac OS X http://www.microsoft.com/mac/otherproducts/otherproducts.
6.9 SDT SSH Tunnel for VNC
With SDT and Virtual Network Computing (VNC), Users and Administrators can securely access and control Windows 98/NT/2000/XP/2003, Linux, Macintosh, Solaris, and UNIX computers. There’s a range of popular free and commercial VNC software available (UltraVNC, RealVNC, TightVNC). To set up a secure VNC connection, install and configure the VNC Server software on the computer the user will access, then install and configure the VNC Viewer software on the Viewer PC.
6.9.
To set up a persistent VNC server on Red Hat Enterprise Linux 4:
Set a password using vncpasswd
Edit /etc/sysconfig/vncservers
Enable the service with chkconfig vncserver on
Start the service with service vncserver start
Edit /home/username/.vnc/xstartup if you want a more advanced session than just twm and an xterm.
C. For Macintosh servers (and clients):
OSXvnc http://www.redstonesoftware.com/vnc.
To establish the VNC connection, first configure the VNC Viewer, entering the VNC Server IP address.
A. When the Viewer PC is connected to the console server through an SSH tunnel (over the public Internet, or a dial-in connection, or private network connection), enter localhost (or 127.0.0.1) as the VNC Server IP address, and the source port you entered when setting SSH tunneling/port forwarding (in Section 6.2.6), e.g. :1234
B. When the Viewer PC is connected directly to the console server (i.e.
Note: For general background reading on Remote Desktop and VNC access we recommend the following:
The Microsoft Remote Desktop How-To. http://www.microsoft.com/windowsxp/using/mobility/getstarted/remoteintro.mspx
The Illustrated Network Remote Desktop help page. http://theillustratednetwork.mvps.org/RemoteDesktop/RemoteDesktopSetupandTroubleshooting.html
What is Remote Desktop in Windows XP and Windows Server 2003? by Daniel Petri. http://www.petri.co.il/what's_remote_desktop.
B. For Windows XP and 2003 computers, follow the steps below to set up an advanced network connection between the Windows computer, through its COM port to the console server. Both Windows 2003 and Windows XP Professional allow you to create a simple dial in service which can be used for the Remote Desktop/VNC/HTTP/X connection to the console server: Open Network Connections in Control Panel and click the New Connection Wizard. Select Set up an advanced connection and click Next.
Specify which Users will be allowed to use this connection. This should be the same Users who were given Remote Desktop access privileges in the earlier step. Click Next. On the Network Connection screen select TCP/IP and click Properties. Select Specify TCP/IP addresses on the Incoming TCP/IP Properties screen, select TCP/IP. Nominate a From: and a To: TCP/IP address, and click Next.
Or, you can set the advanced connection and access on the Windows computer to use the console server defaults: Specify 10.233.111.
C. For earlier version Windows computers, follow the steps in Section B. above. To get to the Make New Connection button: For Windows 2000, click Start, and select Settings. At the Dial-Up Networking Folder, click Network and Dial-up Connections, and click Make New Connection. You may need to first set up a connection over the COM port using Connect directly to another computer before proceeding to Set up an advanced connection.
6.10.3 Set up SDT Connector to SSH port forward over the console server Serial Port
In the SDT Connector software running on your remote computer, specify the gateway IP address of your console server and a username/password for a user you set up on the console server that has access to the desired port. Next, add a New SDT Host. In the Host address, put portxx, where xx = the port you are connecting to. Example: for port 3 you would have a Host Address of: port03. Then select the RDP Service check box.
6.
In the Session menu, enter the IP address of the console server in the Host Name or IP address field. For dial-in connections, this IP address will be the Local Address that you assigned to the console server when you set it up as the Dial-In PPP Server. For Internet (or local/VPN) connections, this will be the console server’s public IP address. Select the SSH Protocol, and the Port will be set as 22.
Destination as portXX:3389 (where XX is the SDT enabled serial port number). For example, if port 4 on the console server is to carry the RDP traffic, then specify port04:3389.
Note: http://www.jfitz.com/tips/putty_config.html has useful examples on configuring PuTTY for SSH tunneling.
Select Local and click the Add button. Click Open to SSH connect the Client PC to the console server. You will now be prompted for the Username/Password for the console server user.
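For clients that use OpenSSH rather than PuTTY, the same tunnel can be written as an ssh -L forward. This added example (not from the manual) builds the command from the serial port number; the user name admin, the address 192.0.2.10 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: build the OpenSSH form of the PuTTY tunnel settings described above.

# is_plain_number VALUE: true for 1 to 5 decimal digits with no leading zero.
is_plain_number() {
    case "$1" in
        ''|*[!0-9]*|0*|??????*) return 1 ;;
    esac
    return 0
}

# sdt_forward SERIAL_PORT SERVICE_PORT LOCAL_PORT
# Prints the value for ssh -L, for example 127.0.0.1:1234:port04:3389.
# The listener is pinned to 127.0.0.1 so other hosts on the client LAN cannot
# reach the forwarded service through this PC.
sdt_forward() {
    for value in "$1" "$2" "$3"; do
        is_plain_number "$value" || { echo "not a plain number: $value" >&2; return 1; }
    done
    # 48 is the largest serial port count among the models this manual covers
    # (assumption read from the model names).
    [ "$1" -le 48 ] || { echo "serial port out of range: $1" >&2; return 1; }
    [ "$2" -le 65535 ] || { echo "service port out of range: $2" >&2; return 1; }
    # Local ports below 1024 need administrator rights on most clients.
    { [ "$3" -ge 1024 ] && [ "$3" -le 65535 ]; } ||
        { echo "local port out of range: $3" >&2; return 1; }
    # The console server resolves portNN itself, zero-padded to two digits.
    printf '127.0.0.1:%d:port%02d:%d\n' "$3" "$1" "$2"
}

# sdt_ssh_command USER GATEWAY SERIAL_PORT SERVICE_PORT LOCAL_PORT
# Prints (does not run) the ssh command line. -N opens the tunnel without a
# remote shell; ExitOnForwardFailure makes ssh quit if the local port is taken.
sdt_ssh_command() {
    # Refuse values that ssh could read as options or that contain odd characters.
    for word in "$1" "$2"; do
        case "$word" in
            ''|-*|*[!A-Za-z0-9._-]*) echo "unsafe user or host: $word" >&2; return 1 ;;
        esac
    done
    spec=$(sdt_forward "$3" "$4" "$5") || return 1
    printf 'ssh -N -o ExitOnForwardFailure=yes -L %s %s@%s\n' "$spec" "$1" "$2"
}

# Demo with constructed values: RDP (3389) on serial port 4, local source port 1234.
sdt_ssh_command admin 192.0.2.10 4 3389 1234
```

With the tunnel open, the RDP client connects to 127.0.0.1:1234 on the client PC.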
Chapter 7 Alerts, Auto-Response and Logging
Introduction
This chapter describes the automated response, alert generation and logging features of the console server. The new Auto-Response facility (in firmware V3.5.1 and later) extends the basic Alert facility available in earlier firmware revisions. With the new facility the console server monitors selected serial ports, logins, the power status and environmental monitors and probes for Check Condition triggers.
To configure a new Auto-Response: Select New Auto-Response in the Configured Auto-Response field.
7.2 Check Conditions To configure the condition that will trigger the Auto-Response: 7.2.1 Click on the Check Condition type (e.g.
7.2.3 Serial Login/Logout To monitor serial ports and check for login/logout or pattern matches for Auto-Response triggers events: Note: Click on Serial Login/Logout as the Check Condition. Then in the Serial Login/Logout Check menu select Trigger on Login (to trigger when any user logs into the serial port) or Trigger on Logout and specify Serial Port to perform check on, and/or Click on Serial Signal as the Check Condition.
Click on Custom Check as the Check Condition.
Create an executable trigger check script file, e.g. /etc/config/test.sh:

    #!/bin/sh
    # Log a marker line and the arguments passed to the check script
    logger "A test script"
    logger "Argument1 = $1"
    logger "Argument2 = $2"
    logger "Argument3 = $3"
    logger "Argument4 = $4"
    # Alternate between the two exit codes on successive runs, using a flag file
    if [ -f /etc/config/customscript.0 ]; then
        rm /etc/config/customscript.0
        exit 7
    fi
    touch /etc/config/customscript.0
    exit 1

Refer to the online FAQ for a sample web page html check and other script file templates.
Enter the Script Executable file name (e.g.
Note: The SMS command trigger condition can only be set if there is an internal or external USB cellular modem detected.
7.3 Trigger Actions
To configure the sequence of actions that is to be taken in the event of the trigger condition:
Note: For a nominated Auto-Response - with a defined Check Condition - click on Add Trigger Action (e.g. Send Email or Run Custom Script) to select the action type to be taken.
Specify the Recipient Email Address to send this email to and the Subject of the email. For multiple recipients you can enter comma separated addresses.
Edit the Email Text message to send and click Save New Action.
Note: An SMS alert can also be sent via an SMTP (email) gateway. You will need to specify the Recipient Email Address in the format specified by the gateway provider (e.g. for T-Mobile it is phonenumber@tmomail.net).
7.3.2 Send SMS
Click on Send SMS as the Add Trigger Action.
Click Save New Action.
Note: To notify the central Nagios server of Alerts, NSCA must be enabled under System: Nagios and Nagios must be enabled for each applicable host or port.
7.4 Resolve Actions
Actions can also be scheduled to be taken when a trigger condition has been resolved: For a nominated Auto-Response - with a defined trigger Check Condition - click on Add Resolve Action (e.g.
In the SMTP Server field, enter the outgoing mail Server’s IP address. If this mail server uses a Secure Connection, specify its type. You may enter a Sender email address which will appear as the “from” address in all email notifications sent from this console server. Many SMTP servers check the sender’s email address with the host domain name to verify the address as authentic. So it may be useful to assign an email address for the console server such as consoleserver2@mydomain.
Select a Secure Connection (if applicable) and specify the SMTP port to be used (if other than the default port 25). You may also enter a Sender email address which will appear as the “from” address in all email notifications sent from this console server. Some SMS gateway service providers only forward email to SMS when the email has been received from authorized senders.
Note: The option to directly send SMS alerts via the cellular modem was included in the Management GUI in V3.4. Advanced console servers already had the gateway software (SMS Server Tools 3) embedded; however, this could only be accessed from the command line to send SMS messages.
7.5.
Note All console servers have the snmptrap daemon to send traps/notifications to remote SNMP servers on defined trigger events as detailed above. LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232 and LES1248A-R2 console servers also embed the net-snmpd daemon. It accepts SNMP requests from remote SNMP management servers and provides information on network interface, running processes, etc. (refer to Chapter 15.
Select the Alerts & Logging: Port Log menu option and specify the Server Type to be used, and the details to enable log server access.
From the Manage: Devices menu the Administrator can view serial, network and power device logs stored in the console reserve memory (or flash USB). The User will only see logs for the Managed Devices they (or their Group) have been given access privileges for (refer to Chapter 13).
Level 4 Logs all data transferred to the port and all changes in hardware flow control status and all User connection events
Click Apply.
Note: A cache of the most recent 8K of logged data per serial port is maintained locally (in addition to the Logs which are transmitted for remote/USB flash storage). To view the local cache of logged serial port data, select Manage: Port Logs.
7.6.
Chapter 8 Power & Environmental Management
Introduction
Black Box console servers include embedded software that you can use to manage connected Power Distribution Systems (PDUs), IPMI devices, and Uninterruptible Power Supplies (UPSs) supplied by a number of vendors, and some environmental monitoring devices.
8.
Select the Serial & Network: RPC Connections menu. This will display all the RPC connections that have already been configured. Click Add RPC.
Select the appropriate RPC Type for the PDU (or IPMI) being connected: If you are connecting to the RPC via the network, you will be presented with the IPMI protocol options and the SNMP RPC Types currently supported by the embedded Network UPS Tools.
Enter the Username and Password used to login into the RPC (Note that these login credentials are not related to the Users and access privileges you configured in Serial & Networks: Users & Groups). If you selected SNMP protocol, enter the SNMP v1 or v2c Community for Read/Write access (by default this would be “private”). Check Log Status and specify the Log Rate (minutes between samples) if you want the status from this RPC to be logged. View these logs from the Status: RPC Status screen.
Turn OFF
Cycle
Status
You will only be presented with icons for those operations that are supported by the Target you have selected.
8.1.4 RPC status
You can monitor the current status of your network and serially connected PDUs and IPMI RPCs. Select the Status: RPC Status menu and a table with the summary status of all connected RPC hardware will be displayed.
8.2.1 Managed UPS connections
A Managed UPS is a UPS that is directly connected as a Managed Device to the console server. You can connect it via serial or USB cable or by the network. The console server becomes the master of this UPS, and runs a upsd server to allow other computers that are drawing power through the UPS (slaves) to monitor the UPS status and take appropriate action, such as shutdown when the UPS battery is low.
For serial UPSes attach the UPS to the selected serial port on the console server. From the Serial and Network: Serial Port menu, configure the Common Settings of that port with the RS-232 properties, etc. required by the UPS (refer to Chapter 4.1.1—Common Settings). Then select UPS as the Device Type. For each network connected UPS, go to the Serial & Network: Network Hosts menu and configure the UPS as a connected Host by specifying it as Device Type: UPS and clicking Apply.
Select if the UPS will be Connected Via USB, over a pre-configured serial port, or via SNMP/HTTP/HTTPS over the preconfigured network Host connection. When you select a network UPS connection, then the corresponding Host Name/Description that you set up for that connection will be entered as the Name and Description for the power device.
Note: These login credentials are not related to the Users and access privileges you configured in Serial & Networks: Users & Groups. If you have multiple UPSes and require them to be shut down in a specific order, specify the Shutdown Order for this UPS. This is a whole positive number, or -1. 0s shut down first, then 1s, 2s, etc. -1s are not shut down at all. Defaults to 0. Select the Driver that you will use to communicate with the UPS.
Enter the Name of the particular remote UPS that you want to remotely monitor. This name must be the name that the remote UPS was configured with on the remote console server (because the remote console server may itself have multiple UPSes attached that it manages locally with NUT). Optionally, enter a Description. Enter the IP Address or DNS name of the remote console server* that is managing the remote UPS.
on battery. In contrast, more critical servers may not be shut down until a low battery warning is received). Refer to the online NUT documentation for details on how to do this:
http://eu1.networkupstools.org/doc/2.2.0/INSTALL.html
http://linux.die.net/man/5/upsmon.conf
http://linux.die.net/man/8/upsmon
An example upsmon.conf entry might look like:
MONITOR managedups@192.168.0.1 1 username password slave
- managedups is the UPS Name of the Managed UPS
- 192.168.0.
Click on any particular All Data for any UPS System in the table for more status and configuration information about the selected UPS System. Select UPS Logs and you will be presented with the log table of the load, battery charge level, temperature, and other status information from all the Managed and Monitored UPS systems. This information will be logged for all UPSes that were configured with Log Status checked. The information is also presented graphically. 8.2.
NUT is built on a networked model with a layered scheme of drivers, server and clients: The driver programs talk directly to the UPS equipment and run on the same host as the NUT network server (upsd). Drivers are provided for a wide assortment of equipment from most of the popular UPS vendors and understand the specific language of each UPS. They communicate with serial, USB, and SNMP network connected UPS hardware and map the communications back to a compatibility layer.
The latest release of NUT (2.4) also controls PDU systems. It can do this either natively using SNMP or through a binding to Powerman (open source software from Livermore Labs that also is embedded in Black Box console servers). These NUT clients and servers all are embedded in each Black Box console server (with a Management Console presentation layer added) —and they also are run remotely on distributed console servers and other remote NUT monitoring systems.
8.3.1 Connecting the EMD
The Environmental Monitor Device (EMD) connects to any serial port on the console server via a special EMD Adapter and standard CAT5 cable. The EMD is powered over this serial connection and communicates using a custom handshake protocol. It is not an RS-232 device and should not be connected without the adapter: Plug the male RJ plug on the EMD Adapter into EMD and then connect it to the console server serial port using the provided UTP cable.
Note: You can attach two external sensors onto the terminals on EMDs that are connected to LES1108A, LES1116A, LES1132 and LES1148A console servers. LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232 and LES1248A-R2 console servers only support attaching a single sensor to each EMD. You can only use the EMD with a Black Box console server; you cannot connect it to standard RS-232 serial ports on other appliances.
Check Log Status and specify the Log Rate (minutes between samples) if you want to log the status from this EMD. These logs can be viewed from the Status: Environmental Status screen. Click Apply. This will also create a new Managed Device (with the same name).
8.3.2 Environmental alerts
You can now set temperature, humidity and probe status alerts using Alerts & Logging: Alerts (refer to Chapter 7).
8.3.3 Environmental status
You can monitor the current status of all EMDs and their probes.
Chapter 9 Authentication
Introduction
The console server is a dedicated Linux computer with a myriad of popular and proven Linux software modules for networking, secure access (OpenSSH), communications (OpenSSL), and sophisticated user authentication (PAM, RADIUS, TACACS+ and LDAP). 9.
You can configure the console server to use the default (Local) authentication or an alternate authentication method (TACACS, RADIUS, or LDAP). Optionally, you can select the order in which local and remote authentication is used:
Local TACACS/RADIUS/LDAP: Tries local authentication first, falling back to remote if local fails.
TACACS/RADIUS/LDAP Local: Tries remote authentication first, falling back to local if remote fails.
In addition to multiple remote servers, you can also enter separate lists of Authentication/Authorization servers and Accounting servers. If no Accounting servers are specified, the Authentication/Authorization servers are used instead. Enter and confirm the Server Password. Then select the method to be used to authenticate to the server (defaults to PAP).
Enter the Server Address (IP or host name) of the remote Authentication/Authorization server. Multiple remote servers may be specified in a comma-separated list. Each server is tried in succession. In addition to multiple remote servers, you can also enter separate lists of Authentication/Authorization servers and Accounting servers. If no Accounting servers are specified, the Authentication/Authorization servers are used instead. Enter the Server Password. Click Apply.
Enter the Server Address (IP or host name) of the remote Authentication server. Multiple remote servers may be specified in a comma-separated list. Each server is tried in succession. Enter the Server Password. Note: Interacting with LDAP requires that the user account exist on the console server to work with the remote server. (You can't just create the user on your LDAP server and not tell the console server about it.) You need to add the user account. Click Apply.
9.1.5 RADIUS/TACACS User Configuration
Users may be added to the local console server appliance. If they are not added and they log in via remote AAA, a user will be added for them. This user will not show up in the Black Box configurators unless they are specifically added, at which point they are transformed into a completely local user. The newly added user must authenticate from the remote AAA server, and will have no access if it is down.
Select Serial & Network: Authentication.
Select the relevant Authentication Method.
Check the Use Remote Groups button.
9.1.7 Remote groups with RADIUS authentication
Enter the RADIUS Authentication and Authorization Server Address and Server Password.
Click Apply.
Edit the Radius user’s file to include group information and restart the Radius server.
When using RADIUS authentication, group names are provided to the console server using the Framed-Filter-Id attribute.
For example, in an existing Active Directory setup, a group of users may be part of the “UPS Admin” and “Router Admin” groups. On the console server, these users will be required to have access to a group “Router_Admin”, with access to port 1 (connected to the router), and another group “UPS_Admin”, with access to port 2 (connected to the UPS). Once LDAP is set up, users that are members of each group will have the appropriate permissions to access the router and UPS.
9.1.9 Remote groups with TACACS+ authentication
When using TACACS+ authentication, there are two ways to grant a remotely authenticated user privileges. The first is to set the priv-lvl and port attributes of the raccess service to 12; this is discussed further in section 9.2 of this document. Additionally or alternatively, group names can be provided to the console server using the groupname custom attribute of the raccess service.
Note: Kerberos is very sensitive to time differences between the Key Distribution Center (KDC) authentication server and the client device. Please make sure that NTP is enabled, and the time zone is set correctly on the console server. When authenticating against Active Directory, the Kerberos Realm will be the domain name, and the Master KDC will be the address of the primary domain controller. 9.1.
TACACS+ - pam_tacplus (http://echelon.pl/pubs/pam_tacplus.html)
LDAP - pam_ldap (http://www.padl.com/OSS/pam_ldap.html)
Further modules can be added as required. Changes may be made to files in /etc/config/pam.d/ that will persist, even if the authentication configurator runs.
Users added on demand: When a user attempts to log in, but does not already have an account on the console server, a new user account will be created. This account will have no rights, and no password set.
If there is already a Framed-Filter-Id, simply add the list of group_names after the existing entries, including the separating colon “:”.
9.3 SSL Certificate
The console server uses the Secure Socket Layer (SSL) protocol for encrypted network traffic between itself and a connected user. When establishing the connection, the console server has to expose its identity to the user’s browser using a cryptographic certificate.
Select System: SSL Certificate and fill out the fields as explained below:
Common name
This is the network name of the console server once it is installed in the network (usually the fully qualified domain name). It is identical to the name that is used to access the console server with a web browser (without the “http://” prefix). In case the name given here and the actual network name differ, the browser will pop up a security warning when the console server is accessed using HTTPS.
Key length
This is the length of the generated key in bits. 1024 Bits are supposed to be sufficient for most cases. Longer keys may result in slower response time of the console server when establishing connection.
Once this is done, click on the button Generate CSR which will initiate the Certificate Signing Request generation. The CSR can be downloaded to your administration machine with the Download button. Send the saved CSR string to a Certification Authority (CA) for certification.
Chapter 10 Nagios Integration
Introduction
Nagios is a powerful, highly extensible open source tool for monitoring network hosts and services. The core Nagios software package will typically be installed on a server or virtual server, the central Nagios server. Console servers operate in conjunction with a central/upstream Nagios server to distribute and monitor attached network hosts and serial devices.
10.1 Nagios Overview
Nagios provides central monitoring of the hosts and services in your distributed network. Nagios is freely downloadable, open source software. This section offers a quick background of Nagios and its capabilities. A complete overview, FAQ, and comprehensive documentation are available at: http://www.nagios.org
Nagios does take some time to install and configure; however, once Nagios is up and running, it provides an outstanding network monitoring system.
Distributed console servers
Black Box console servers. Serial and network hosts are attached to each console server. Each runs Nagios plug-ins, NRPE, and NSCA add-ons, but not a full Nagios server.
Clients
Typically a client PC, laptop, etc., running Windows, Linux, or Mac OS X. Runs SDT Connector client software 1.5.0 or later. Possibly remote to the central Nagios server or distributed console servers (i.e. a road warrior).
10.2.2 Set up distributed console servers
This section provides a brief walkthrough on configuring a single console server to monitor the status of one attached network host (a Windows IIS server running HTTP and HTTPS services) and one serially attached device (the console port of a network router), and to send alerts back to the Nagios server when an Administrator connects to the router or IIS server.
Remove all Permitted Services.
This server will be accessible using Terminal Services, so check TCP, Port 3389 and log level 1 and click Add.
Remove and re-add the service to enable logging.
Scroll down to Nagios Settings and check Enable Nagios.
Click New Check and select Check Ping. Click check-host-alive.
Click New Check and select Check Permitted TCP. Select Port 3389.
Click New Check and select Check TCP. Select Port 80.
Click New Check and select Check TCP. Select Port 443.
Click Apply.
Select Users & Groups from the Serial & Network menu. Click Add User. In Username, enter: sdtnagiosuser, then enter and confirm a Password. In Accessible Hosts click the IP address/DNS name of the IIS server, and in Accessible Ports click the serial port that has the router console port attached. Click Apply. 10.
When NRPE and NSCA are both enabled, NSCA is the preferred method for communicating with the upstream Nagios server. Check Prefer NRPE to use NRPE whenever possible (that is, for all communication except for alerts).
10.3.2 Enable NRPE monitoring
Enabling NRPE allows you to execute plug-ins (such as check_tcp and check_ping) on the remote Console server to monitor serial or network attached remote servers. This will offload CPU load from the upstream Nagios monitoring machine.
Select System: Nagios and check NSCA Enabled. Select the Encryption to be used from the drop down menu, then enter a Secret password and specify a check Interval. Refer to the sample Nagios configuration section below for some examples of configuring specific NSCA checks.
10.3.4 Configure Selected Serial Ports for Nagios Monitoring
The individual Serial Ports connected to the console server to be monitored must be configured for Nagios checks. Refer to Chapter 4.
10.3.6 Configure the upstream Nagios monitoring host
Refer to the Nagios documentation (http://www.nagios.org/docs/) for configuring the upstream server: The section entitled Distributed Monitoring steps through what you need to do to configure NSCA on the upstream server (under Central Server Configuration). NRPE Documentation was recently added that steps through configuring NRPE on the upstream server http://nagios.sourceforge.net/docs/nrpe/NRPE.pdf.
  service_description NRPE Daemon
  host_name Black Box
  use generic-service
  check_command check_nrpe_daemon
}
; Serial Status
define command {
  command_name check_serial_status
  command_line $USER1$/check_nrpe -H 192.168.254.
}
define service {
  service_description port-log-server
  host_name server
  use generic-service
  check_command check_port_log
  active_checks_enabled 0
  passive_checks_enabled 1
}
define servicedependency{
  name Black Box_nrpe_daemon_dep
  host_name Black Box
  dependent_host_name server
  dependent_service_description Port Log
  service_description NRPE Daemon
  execution_failure_criteria w,u,c
}
; Ping
define command{
  command_name check_ping_via_Black Box
  command_line $USER1$/check_nrpe -H 192.168.254.
  execution_failure_criteria w,u,c
}
; SSH Port
define command{
  command_name check_conn_via_Black Box
  command_line $USER1$/check_nrpe -H 192.168.254.
check_serial_signals is used to monitor the handshaking lines on the serial ports.
check_port_log is used to monitor the data logged for a serial port.
10.4.
Time | No encryption | 3DES | SSH tunnel
NSCA for single check | ~ ½ second | ~ ½ second | ~ ½ second
NSCA for 100 sequential checks | 100 seconds | 100 seconds | 100 seconds
NSCA for 10 sequential checks, batched upload | 1 ½ seconds | 2 seconds | 1 second
NSCA for 100 sequential checks, batched upload | 7 seconds | 11 seconds | 6 seconds

 | No encryption | SSL | no encryption tunneled over existing SSH session
NRPE time to service 1 check | 1/10th second | 1/3rd second | 1/8th second
NRPE time to service 10 simultaneous
II. Remote site
In this scenario, configure the console server NRPE server or NSCA client to actively check configured services and upload the checks to the Nagios server that’s waiting passively. You can also configure it to service NRPE commands to perform checks on demand. In this situation, the console server will perform checks based on both serial and network access.
Remote site with restrictive firewall
In this scenario, the role of the console server will vary.
Remote site with no network access
In this scenario the console server allows dial-in access for the Nagios server. Periodically, the Nagios server will establish a connection to the console server and execute any NRPE commands, before dropping the connection.
Chapter 11 System Management
Introduction
This chapter describes how the Administrator can perform a range of general console server system administration and configuration tasks such as:
Applying Soft and Hard Resets to the gateway.
Re-flashing the Firmware.
Configuring the Date, Time and NTP.
Setting up Backup of the configuration files.
Pushing the Erase button on the rear panel twice. A ball-point pen or bent paper clip is a suitable tool for this procedure. Do not use a graphite pencil. Press the button gently twice (within a couple of seconds) while the unit is powered ON. This will reset the console server back to its factory default settings and clear the console server’s stored configuration information. The hard erase will clear all custom settings and return the unit back to factory default settings (i.e.
Select the System: Date & Time menu option. Manually set the Year, Month, Day, Hour and Minute using the Date and Time selection boxes, then click Set Time. The gateway can synchronize its system time with a remote time server using the Network Time Protocol (NTP). Configuring the NTP time server ensures that the console server clock will be accurate soon after the Internet connection is established.
With all console servers, you can save the backup file remotely on your PC and you can restore configurations from remote locations: Click Save Backup in the Remote Configuration Backup menu. The config backup file (System Name_date_config.opg) will be downloaded to your PC and saved in the location you nominate. To restore a remote backup: Click Browse in the Remote Configuration Backup menu and select the Backup File you want to restore. Click Restore and click OK.
To backup to the USB, enter a brief Description of the backup in the Local Configuration Backups menu and select Save Backup. The Local Configuration Backup menu will display all the configuration backup files you have stored onto the USB flash. To restore a backup from the USB simply select Restore on the particular backup you wish to restore and click Apply. After saving a local configuration backup, you may choose to use it as the alternate default configuration.
11.5 Delayed Configuration Commit
With Advanced Console Servers (LES1208A-R2, LES1216A-R2, LES1232A, LES1248A-R2), a Delayed Config Commit mode is available which allows the grouping or queuing of configuration changes and the simultaneous application of these changes to a specific device. For example, changes to authentication methods or user accounts may be grouped and run once to minimize system downtime.
Click Apply to run the systemsettings configurator. The Commit Config button will no longer be displayed in the top right-hand corner of the screen and configurations will no longer be queued.
11.6 FIPS Mode
The Advanced Console Servers (LES1208A-R2, LES1216A-R2, LES1232A, LES1248A-R2) all use an embedded cryptographic module that has been validated to meet the FIPS 140-2 standards.
Chapter 12 Status Reports
Introduction
This chapter describes the dashboard feature and the status reports that are available:
Port Access and Active Users
Statistics
Support Reports
Syslog
Dashboard
Other status reports that are covered elsewhere include:
UPS Status (Chapter 8.2)
RPC Status (Chapter 8.1)
Environmental Status (Chapter 8.3)
12.
Select Status: Statistics. You can find detailed statistics reports by selecting the various submenus.
12.3 Support Reports
The Support Report provides useful status information that will assist the Black Box Technical Support team to solve any problems you may experience with your console server. If you do experience a problem and have to contact tech support, make sure you include the Support Report with your email support request.
Enter the remote Syslog Server Address and Syslog Server Port details and click Apply. The console maintains a local Syslog. To view the local Syslog file: Select Status: Syslog. To make it easier to find information in the local Syslog file, use the provided pattern matching filter tool. Specify the Match Pattern that you want to search for (for example, the search for mount is shown below) and click Apply.
Select System: Configure Dashboard and select the user (or group) you are configuring this custom dashboard layout for. Click Next. Note: You can configure a custom dashboard for any admin user or for the admin group or you can reconfigure the default dashboard. The Status:Dashboard screen is the first screen displayed when admin users (other than root) log into the console manager.
Note: The Alerts widget is a new screen that shows the current alerts status. When an alert gets triggered, a corresponding .XML file is created in /var/run/alerts/. The dashboard scans all these files and displays a summary status in the alerts widget. When an alert is deleted, the corresponding .XML files that belong to that alert are also deleted.
12.5.2 Creating custom widgets for the Dashboard
To run a custom script inside a dashboard widget: Create a file called "widget-.sh" in the folder /etc/config/scripts/ where can be anything. You can have as many custom dashboard files as you want. Inside this file you can put any code you want. When configuring the dashboard, choose "widget.sh" in the dropdown list.
Chapter 13 Management
Introduction
The console server has a small number of Manage reports and tools that are available to both Administrators and Users:
Access and control authorized devices.
View serial port logs and host logs for those devices.
Use SDT Connector or the Web terminal to access serially attached consoles.
Control power devices (where authorized).
All other Management Console menu items are available to Administrators only. 13.
13.2 Port and Host Logs
Administrators and Users can view logs of data transfers to connected devices. Select Manage: Port Logs and the serial Port # to be displayed. To display Host logs, select Manage: Host Logs and the Host to be displayed. 13.
13.3.1.2 Web Terminal to Serial Device
To enable the Web Terminal service for each serial port you want to access: Select Serial & Network: Serial Port and click Edit.
13.4 Power Management
Administrators and Users can access and manage the connected power devices. Select Manage: Power
Chapter 14 Command Line Configuration
Introduction
For those who prefer to configure their console server at the Linux command line level (rather than use a browser and the Management Console), this chapter describes how to use command line access and the config tool to manage the console server and configure the ports, etc.
o If you are connecting over the LAN, then you will need to interconnect the Ethernet ports and direct your terminal emulator program to the IP address of the console server (192.168.0.1 by default). Log on to the console server by pressing “return” a few times. The console server will request a username and password. Enter the username root and the password default. You should now see the command line prompt which is a hash (#). This chapter is not intended to teach you Linux.
-v --verbose Log extra debug information.
-d --del=id Remove the given configuration element specified by a '.' separated identifier.
-g --get=id Display the value of a configuration element.
-p --path=file Specify an alternate configuration file to use. The default file is located at /etc/config/config.xml.
-r --run=configurator Run the specified registered configurator. Registered configurators are listed below.
-s --set=id=value Change the value of configuration element specified by a '.
Note: The config command does not verify whether the nodes edited/added by the user are valid. This means that any node may be added to the tree. If a user runs the following command:
# /bin/config -s config.fruit.apple=sweet
The configurator will not complain, but this command is useless. When the configurators are run (to turn the config.xml file into live config) they will simply ignore this node. Administrators must make sure of the spelling when typing config commands.
Console server mode
The command to set the port in portmanager mode:
# config -s config.ports.port5.mode=portmanager
To set the following optional config elements for this mode:
Data accumulation period: 100 ms
Escape character: % (default is ~)
log level: 2 (default is 0)
Shell power command menu: Enabled
RFC2217 access: Enabled
Limit port to 1 connection: Enabled
SSH access: Enabled
TCP access: Enabled
telnet access: Disabled
Unauthorized telnet access: Disabled
# config -s config.ports.port5.
Terminal server mode
Enable a TTY login for a local terminal attached to serial port 5:
# config -s config.ports.port5.mode=terminal
# config -s config.ports.port5.terminal=[vt220 | vt102 | vt100 | linux | ansi]
The default terminal is vt220.
Serial bridge mode
Create a network connection to a remote serial port via RFC-2217 on port 5:
# config -s config.ports.port5.mode=bridge
Optional configurations for the network address of RFC-2217 server of 192.168.3.
14.3 Adding and Removing Users
First, determine the total number of existing Users (if you have no existing Users you can assume this is 0):
# config -g config.users.total
This command should display config.users.total 1. Note that if you see config.users.total this means you have 0 Users configured. Your new User will be the existing total plus 1. If the previous command gave you 0, then you start with user number 1. If you already have 1 user your new user will be number 2, etc.
# config -s config.sdt.hosts.host5.users.user1=John
# config -s config.sdt.hosts.host5.users.total=1 (total number of users having access to host)
To give another user called “Peter” access to the same host:
# config -s config.sdt.hosts.host5.users.user2=Peter
# config -s config.sdt.hosts.host5.users.total=2 (total number of users having access to host)
To edit any of the user element values, use the same approach as when adding user elements, that is, use the “-s” parameter.
Attention: The rmuser script is a generic script to remove any config element from config.xml correctly. However, any dependencies or references to this group will not be affected. Only the group details are deleted. The Administrator is responsible for going through config.xml and removing group dependencies and references manually, specifically if the group had access to a host or RPC device. The following command will synchronize the live system with the new configuration:
# config -a
14.
14.6 Network Hosts
To determine the total number of currently configured hosts:
# config -g config.sdt.hosts.total
Assume this value is equal to 3. If you add another host, make sure you increment the total number of hosts from 3 to 4:
# config -s config.sdt.hosts.total=4
If the output is config.sdt.hosts.total then assume 0 hosts are configured.
If you want to add the new host as a managed device, make sure you use the current total number of managed devices + 1, for the new device number. To get the current number of managed devices:
# config -g config.devices.total
Assuming we already have one managed device, our new device will be device 2. Issue the following commands:
# config -s config.devices.device2.connections.connection1.name=192.168.3.10
# config -s config.devices.device2.connections.connection1.type=Host
# config -s config.devices.
# config -s config.cascade.slaves.slave1.address=192.168.0.153
# config -s "config.cascade.slaves.slave1.description=CM in office 42"
# config -s config.cascade.slaves.slave1.label=les1116-5
# config -s config.cascade.slaves.slave1.ports=16
The total number of slaves must also be incremented. If this is the first slave you’re adding, type:
# config -s config.cascade.slaves.total=1
Increment this value when adding more slaves.
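A pre-flight check for a batch of config -s commands, following from the note that config does not validate what it is given and from the repeated instruction to keep each .total in step with the numbered elements. This is an added example, not Black Box code: the function names, finding codes and the COUNTED list (drawn only from this chapter's examples) are assumptions, and the sample batch is constructed from commands shown in this chapter.

```python
import re
import shlex
from collections import namedtuple

Finding = namedtuple("Finding", "line code message")

# Collections this chapter shows with a ".total" counter (assumption: taken
# from the manual's examples only, so the list may not be complete).
COUNTED = {"users", "hosts", "devices", "slaves", "monitors"}
NUMBERED = re.compile(r"^([a-z]+)(\d+)$")          # user2, host5, slave1 ...


def set_argument(raw):
    """Return the words that follow 'config -s' (or '--set='), else None."""
    argv = shlex.split(raw.strip().lstrip("#"))    # split words as the shell would
    if len(argv) < 2 or argv[0] not in ("config", "/bin/config"):
        return None
    if argv[1] == "-s":
        return argv[2:]
    if argv[1].startswith("--set="):
        return [argv[1][len("--set="):]] + argv[2:]
    return None


def check_batch(transcript):
    """Lint 'config -s' commands before they are typed on the console server."""
    findings, highest, totals = [], {}, {}
    for line_no, raw in enumerate(transcript.splitlines(), 1):
        try:
            words = set_argument(raw)
        except ValueError as exc:                  # unbalanced quote
            findings.append(Finding(line_no, "QUOTE", str(exc)))
            continue
        if words is None:
            continue
        if len(words) != 1 or "=" not in words[0]:
            findings.append(Finding(line_no, "SPLIT",
                "unquoted space splits id=value; config sees %r" % (words[:1],)))
            continue
        ident, value = words[0].split("=", 1)
        segs = ident.split(".")
        if segs[0] != "config" or "" in segs:
            findings.append(Finding(line_no, "BAD_ID", "malformed id %r" % ident))
            continue
        # Record the highest element number and any total for each collection.
        for i in range(1, len(segs)):
            if segs[i - 1] not in COUNTED:
                continue
            parent = ".".join(segs[:i])
            m = NUMBERED.match(segs[i])
            if m and m.group(1) + "s" == segs[i - 1]:
                if int(m.group(2)) > highest.get(parent, (0, 0))[0]:
                    highest[parent] = (int(m.group(2)), line_no)
            elif segs[i] == "total" and i == len(segs) - 1 and value.isdigit():
                totals[parent] = int(value)
    for parent, (index, line_no) in highest.items():
        if parent not in totals:
            findings.append(Finding(line_no, "TOTAL_UNSET",
                "%s.total not set in this batch; confirm it with config -g" % parent))
        elif index > totals[parent]:
            findings.append(Finding(line_no, "TOTAL_LOW",
                "element %d under %s but total=%d" % (index, parent, totals[parent])))
    return sorted(findings)


# Constructed sample: commands from this chapter, with three mistakes left in.
SAMPLE = """\
# config -s config.sdt.hosts.host5.users.user1=John
# config -s config.sdt.hosts.host5.users.user2=Peter
# config -s config.sdt.hosts.host5.users.total=1
# config -s config.sdt.hosts.total=5
# config -s config. devices.device2.connections.connection1.type=Host
# config -s "config.cascade.slaves.slave1.description=CM in office 42"
# config -s config.cascade.slaves.total=1
# config -s config.eventlog.server.path=/Black Box/logs
"""

if __name__ == "__main__":
    for f in check_batch(SAMPLE):
        print("line %d: %s: %s" % f)
```

The check is structural only: a well-formed but meaningless node such as config.fruit.apple passes, because the valid element names are not published in this manual.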
Make sure to increment the total monitors:
# config -s config.ups.monitors.total=1
The five commands below will add the UPS to Managed devices. Assuming there are already two managed devices configured:
# config -s "config.devices.device3.connections.connection1.name=My UPS"
# config -s "config.devices.device3.connections.connection1.type=UPS Unit"
# config -s "config.devices.device3.name=My UPS"
# config -s "config.devices.device3.description=UPS in room 5"
# config -s config.devices.
Logging: Enabled
Log interval: 600 second
Number of power outlets: 4 (depends on the type/model of the RPC)
# config -s "config.ports.port2.power.type=APC 7900"
# config -s config.ports.port2.power.name=MyRPC
# config -s "config.ports.port2.power.description=RPC in room 5"
# config -s config.ports.port2.power.username=rpclogin
# config -s config.ports.port2.power.password=secret
# config -s config.ports.port2.power.snmp.community=v1
# config -s config.ports.port2.power.log.enabled=on
# config -s config.ports.
To get the total number of managed devices:
# config -g config.devices.total
Make sure you use the total + 1 for the new device below:
# config -s config.devices.device5.connections.connection1.name=Envi4
# config -s "config.devices.device5.connections.connection1.type=EMD Unit"
# config -s config.devices.device5.name=Envi4
# config -s "config.devices.device5.description=Monitor in room 5"
# config -s config.devices.
Error Notice Warning
Assume the remote log server needs a username 'name1' and password 'secret':
# config -s config.eventlog.server.username=name1
# config -s config.eventlog.server.password=secret
To set the remote path as '/Black Box/logs' to save logged data:
# config -s "config.eventlog.server.path=/Black Box/logs"
# config -s config.eventlog.server.type=[none | syslog | nfs | cifs | usb]
If the server type is set to usb, none of the other values need to be set.
# config -s config.alerts.alert2.signal=[ DSR | DCD | CTS ]
# config -s config.alerts.alert2.type=signal
Pattern Match Alert
To trigger an alert if the regular expression '.*0.0% id' is found in serial port 10's character stream.
# config -s "config.alerts.alert2.pattern=.*0.0% id"
# config -s config.alerts.alert2.port10=on
# config -s config.alerts.alert2.sensor=temp
# config -s config.alerts.alert2.signal=DSR
# config -s config.alerts.alert2.
# config -s config.alerts.alert2.enviro.high.critical=300
# config -s config.alerts.alert2.enviro.high.warning=280
# config -s config.alerts.alert2.enviro.hysteresis=20
# config -s config.alerts.alert2.enviro.low.critical=50
# config -s config.alerts.alert2.enviro.low.warning=70
# config -s config.alerts.alert2.rpc1=RPCInRoom20
# config -s config.alerts.alert2.sensor=load
# config -s config.alerts.alert2.signal=DSR
# config -s config.alerts.alert2.
# config -s config.system.smtp.encryption2=SSL (can also be TLS or None)
# config -s "config.system.smtp.sender2=John@Black Box.com"
# config -s config.system.smtp.username2=john
# config -s config.system.smtp.password2=secret
# config -s "config.system.smtp.subject2=SMTP alerts"
The following command will synchronize the live system with the new configuration:
# config -a
14.16 SNMP
To set up the SNMP agent on the device:
# config -s config.system.snmp.protocol=[ UDP | TCP ]
# config -s config.system.snmp.
# config -s config.interfaces.wan.address=192.168.0.23
# config -s config.interfaces.wan.netmask=255.255.255.0
# config -s config.interfaces.wan.gateway=192.168.0.1
# config -s config.interfaces.wan.dns1=192.168.0.1
# config -s config.interfaces.wan.dns2=192.168.0.2
# config -s config.interfaces.wan.mode=static
# config -s config.interfaces.wan.media=[ Auto | 100baseTx-FD | 100baseTx-HD | 10baseT-HD | 10baseT-FD ]
To enable bridging between all interfaces:
# config -s config.system.bridge.
To change the timezone: # config -s config.system.timezone=US/Eastern The following command will synchronize the live system with the new configuration: # config -r time 14.20 Dial-in settings To enable dial-in access on the DB9 serial port from the command line with the following attributes: Local IP Address Remote IP Address Authentication Type: Serial Port Baud Rate: Serial Port Flow Control: Custom Modem Initialization: Callback phone User to dial as Password for user 172.24.1.1 172.24.1.
DNS server1: 192.168.2.3
DNS server2: 192.168.2.4
Domain name: company.com
Default gateway: 192.168.0.1
IP pool 1 start address: 192.168.0.20
IP pool 1 end address: 192.168.0.100
Reserved IP address: 192.168.0.50
MAC to reserve IP for: 00:1e:67:82:72:d9
Name to identify this host: John-PC

Issue the commands:
# config -s config.interfaces.lan.dhcpd.enabled=on
# config -s config.interfaces.lan.dhcpd.defaultlease=200000
# config -s config.interfaces.lan.dhcpd.maxlease=300000
# config -s config.interfaces.lan.dhcpd.
# config -s config.services.rfc2217.portbase='port base number' Default: 5000
# config -s config.services.unauthtel.portbase='port base number' Default: 6000
The following command will synchronize the live system with the new configuration:
# config -a

14.23 NAGIOS
To configure NAGIOS with the following settings: NAGIOS host name NAGIOS host address NAGIOS server address Enable SDT for NAGIOS ext. SDT gateway address Prefer NRPE over NSCA console at R3 (Name of this system) 192.168.0.
Chapter 15 Advanced Configuration

Introduction
Black Box console servers run the embedded Linux operating system, so Administrator class users can configure the console server and monitor and manage attached serial console and host devices from the command line using Linux commands and the config utility as described in Chapter 14. The Linux kernel in the console server also supports GNU bash shell scripts, enabling the Administrator to run custom scripts.
# dos2unix /etc/config/rc.local Another scenario would be to call another custom script from the /etc/config/rc.local file, making sure that your custom script will run whenever the system is booted. 15.1.2 Running custom scripts when alerts are triggered Whenever an alert gets triggered, specific scripts get called. These scripts all reside in /etc/scripts/.
15.1.3 Example script - Power Cycling on Pattern Match For example, we have an RPC (PDU) connected to port 1 on a console server and also have some telecommunications device connected to port 2 (which is powered by the RPC outlet 3). Now assume the telecom device transmits a character stream "EMERGENCY" out on its serial console port every time that it encounters some specific error, and the only way to fix this error is to power cycle the telecom device.
delete-node is a general script for deleting any node you desire (users, groups, hosts, UPSes, etc.) from the command line. The script deletes the specified node and shuffles the remainder of the node values. For example, if we have five users configured and we use the script to delete user 3, then user 4 will become user 3, and user 5 will become user 4. This creates an obvious complication because this script does NOT check for any other dependencies that the node being deleted may have.
NUMBER=`echo $LASTFIELD | sed 's/^[a-zA-Z]*//g'`
TOTALNODE=`echo ${1%.*} | sed 's/\(.*\)/\1.total/'`
TOTAL=`config -g $TOTALNODE | sed 's/.* //'`
NEWTOTAL=$[ $TOTAL -1 ]
# Make backup copy of config file
cp /etc/config/config.xml /etc/config/config.bak
echo "backup of /etc/config/config.xml saved in /etc/config/config.bak"
if [ -z $NUMBER ]
# test whether a singular node is being deleted e.g. config.sdt.
        # Copy every value of item NUMBER+COUNTER down into the slot below it.
        config -g $ROOTNODE.$LASTFIELDTEXT$((NUMBER+COUNTER)) \
        | while read LINE
        do
            config -s \
            "`echo "$LINE" | sed -e "s/$LASTFIELDTEXT$((NUMBER+COUNTER))/$LASTFIELDTEXT$((NUMBER+COUNTER-1))/" \
            -e 's/ /=/'`"
        done
        # Advance to the next item inside the outer loop so that it terminates.
        let COUNTER++
    done
    # deleting last user
    config -d $ROOTNODE.$LASTFIELDTEXT$TOTAL
    # Modifying item total.
    config -s "$TOTALNODE=$NEWTOTAL"
    echo Done
    exit 0
else
    echo "error: item being deleted has an index greater than total items. Increase the total count variable."
    exit 0
fi

15.1.
The above command will cause the ping-detect script to continuously ping the host at 192.168.22.2 which is the router. If the router crashes, it will no longer respond to ping requests. If this happens, the two commands pmpower and date will run. The output from these commands is sent to the file /tmp/output.log so that we have a record. The ping-detect is also run in the background using the "&". Remember the rc.local script only runs by default when the system boots. You can manually run the rc.
15.1.7 Running custom scripts when a configurator is invoked A configurator is responsible for reading the values in /etc/config/config.xml and making the appropriate changes live. Some changes made by the configurators are part of the Linux configuration itself, such as user passwords or ipconfig. Currently there are nineteen configurators. Each one is responsible for a specific group of config (for example, the "users" configurator makes the user configurations in the config.xml file live).
To save the configuration: # /etc/scripts/backup-usb save config-20May To check if the backup was saved correctly: # /etc/scripts/backup-usb list If this command does not display "* config-20May" then there was an error saving the configuration. The set-default command takes an input file as an argument and renames it to "default.opg". This default configuration remains stored on the USB disk. The next time you want to load the default config, it will be sourced from the new default.opg file.
This will extract the contents of the previously created backup to /tmp, and then synchronize the /etc/config directory with the copy in /tmp. One problem that can crop up here is that there is not enough room in /tmp to extract files to.
For more information on using chat (and pmchat) you should consult the UNIX man pages: http://techpubs.sgi.com/library/tpl/cgi-bin/getdoc.cgi?coll=linux&db=man&fname=/usr/share/catman/man8/chat.8.html

pmusers
The pmusers command is used to query the portmanager for active user sessions.
Example: To detect which users are currently active on which serial ports:
# pmusers
This command will output nothing if there are no active users currently connected to any ports.
- The portmanager will attempt to execute /etc/config/scripts/portXX.alert (where XX is the port number, e.g. 08)
- The script is run with STDIN containing the data which triggered the alert, and STDOUT redirected to /dev/null, NOT to the serial port. If you want to communicate with the port, use pmshell or pmchat from within the script.
- If the script cannot be executed, then the alert will be mailed to the address configured in the system administration section.
With stty, the changes made to the port only “stick” until that port is closed and opened again. People probably will not want to use stty for more than initial debugging of the serial connection. If you want to use stty to configure the port, you can put stty commands in /etc/config/scripts/portXX.init which gets run whenever portmanager opens the port. Otherwise, any setup you do with stty will get lost when the portmanager opens the port.
system.
- Rules are added which explicitly allow network traffic to access enabled services, for example, HTTP, SNMP, etc.
- Rules are added that explicitly allow network traffic access to serial ports over enabled protocols, e.g. Telnet, SSH and raw TCP.
If the standard system firewall configuration is not adequate for your needs you can bypass it safely by creating a file at /etc/config/filter-custom containing commands to build a specialized firewall.
sysname: Not defined (edit /etc/default/snmpd.conf)
syslocation: Not defined (edit /etc/default/snmpd.conf)

Simply change the values of sysdescr, syscontact, sysname and syslocation to the desired settings and restart snmpd. The snmpd.conf file is extremely powerful and too flexible to cover completely here. The configuration file itself is commented extensively and good documentation is available at the net-snmp website http://www.net-snmp.org, specifically: Man Page: http://www.net-snmp.
.. replacing yourusername with the username config.system.snmp.username2 (3 only) To set the Engine ID field (SNMP version 3 only) config --set config.system.snmp.password2=yourpassword .. replacing yourpassword with the password Once the fields are set, apply the configuration with the following command: config --run snmp You can add a third or more SNMP servers by incrementing the "2" in the above commands, e.g. config.system.snmp.protocol3, config.system.snmp.address3, etc. 15.
15.6.2 Generating Public Keys (Linux) To generate new SSH key pairs use the Linux ssh-keygen command. This will produce an RSA or DSA public/private key pair and you will be prompted for a path to store the two key files, for example, id_dsa.pub (the public key) and id_dsa (the private key). For example: $ ssh-keygen -t [rsa|dsa] Generating public/private [rsa|dsa] key pair. Enter file in which to save the key (/home/user/.
15.6.4 Installing SSH Public Key Authentication (Linux) Alternately, the public key can be installed on the unit remotely from the linux host with the scp utility as follows. Assuming the user on the Management Console is called "fred"; the IP address of the console server is 192.168.0.1 (default); and the public key is on the linux/unix computer in ~/.ssh/id_dsa.pub. Execute the following command on the linux/unix computer: scp ~/.ssh/id_dsa.pub \ root@192.168.0.1:/etc/config/users/fred/.
If the Black Box device selected to be the server will only have one client device, then the authorized_keys file is simply a copy of the public key for that device. If one or more devices will be clients of the server, then the authorized_keys file will contain a copy of all of the public keys. RSA and DSA keys may be freely mixed in the authorized_keys file.
More documentation on OpenSSH can be found at:
http://openssh.org/portable.html
http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd.

15.6.5 Generating public/private keys for SSH (Windows)
This section describes how to generate and configure SSH keys using Windows. First create a new user from the Black Box Management (the following example uses a user called "testuser") making sure it is a member of the "users" group.
- Execute the PUTTYGEN.EXE program.
- Select the desired key type SSH2 DSA (you may use RSA or DSA) within the Parameters section.
- It is important that you leave the passphrase field blank.
- Click on the Generate button.
- Follow the instruction to move the mouse over the blank area of the program in order to create random data used by PUTTYGEN to generate secure keys. Key generation will occur once PUTTYGEN has collected sufficient random data.
To automate connection of the SSH tunnel from the client on every power-up you need to make the client's /etc/config/rc.local look like the following:
#!/bin/sh
ssh -L9001:127.0.0.1:4001 -N -o StrictHostKeyChecking=no testuser@ &
This will run the tunnel redirecting local port 9001 to the server port 4001.

15.6.6 Fingerprinting
Fingerprints are used to ensure you are establishing an SSH session to who you think you are.
If the host key has been legitimately changed, it can be removed from the ~/.ssh/known_hosts file and the new fingerprint added. If it has not changed, this indicates a serious problem that should be investigated immediately. 15.6.7 SSH tunneled serial bridging You have the option to apply SSH tunneling when two Black Box console servers are configured for serial bridging.
For simplicity going forward, the term private key will be used to refer to either id_rsa or id_dsa and public key to refer to either id_rsa.pub or id_dsa.pub. To generate the keys using OpenBSD's OpenSSH suite, we use the ssh-keygen program: $ ssh-keygen -t [rsa|dsa] Generating public/private [rsa|dsa] key pair. Enter file in which to save the key (/home/user/.ssh/id_[rsa|dsa]): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user/.
then the authorized_keys file will contain a copy of all of the public keys. RSA and DSA keys may be freely mixed in the authorized_keys file. For example, assume we already have one server, called bridge_server, and two sets of keys, for the control_room and the plant_entrance: $ ls /home/user/keys control_room control_room.pub plant_entrance plant_entrance.pub $ cat /home/user/keys/control_room.pub /home/user/keys/plant_entrance.
The console server includes OpenSSL. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.
15.8.3 Installing the key and certificate
We recommend that you use an SCP (Secure Copying Protocol) client to copy files securely to the console server unit. The scp utility is distributed with OpenSSH for most Unix distributions, while Windows users can use something like the PSCP command line utility available with PuTTY. You can remotely install the files created in the steps above with the scp utility as follows: scp ssl_key.pem root@
:/etc/config/ scp ssl_cert.

15.9.1 The PowerMan tool
PowerMan provides power management in a data center or compute cluster environment. It performs operations such as power on, power off, and power cycle via remote power controller (RPC) devices.

Synopsis
powerman [-option] [targets]
pm [-option] [targets]

Options
-1, --on Power ON targets.
-0, --off Power OFF targets.
-c, --cycle Power cycle targets.
-r, --reset Assert hardware reset for targets (if implemented by RPC).
-f, --flash Turn beacon ON for targets (if implemented by RPC).
should not be confused with regular expression character classes (also denoted by ''[]''). For example, foo[19] does not represent foo1 or foo9, but rather represents a degenerate range: foo19. This range syntax is meant only as a convenience on clusters with a prefix NN naming convention and specification of ranges should not be considered necessary—the list foo1,foo9 could be specified as such, or by the range foo[1,9]. Some examples of powerman targets follow. Power on hosts bar,baz,foo01,foo02,...
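To review exactly which hosts a target expression names before a power command is issued, the following added example (not part of the manual or of the PowerMan project) expands the list-and-range syntax described above. The helper name expand_targets is an assumption; it accepts at most one bracketed range per name and rejects anything it cannot parse instead of guessing.

```sh
#!/bin/sh
# Added example: expand a PowerMan-style target list so the exact hosts can
# be reviewed before a power command is run.
# expand_targets is a hypothetical helper, not a PowerMan command.

expand_targets() {
    printf '%s\n' "$1" | awk '
    # Expand the inside of one [...]: comma-separated numbers or lo-hi ranges.
    function emit(prefix, spec, suffix,    n, parts, k, r, lo, hi, v, fmt) {
        n = split(spec, parts, ",")
        if (n == 0) { bad = 1; return }
        for (k = 1; k <= n; k++) {
            if (parts[k] ~ /^[0-9]+$/) {
                # A bare number is a degenerate range: foo[19] is foo19.
                out = out prefix parts[k] suffix " "
            } else if (parts[k] ~ /^[0-9]+-[0-9]+$/) {
                split(parts[k], r, "-")
                lo = r[1] + 0; hi = r[2] + 0
                if (lo > hi) { bad = 1; return }
                # Keep the zero padding of the lower bound: foo[01-02].
                fmt = "%s%0" length(r[1]) "d%s "
                for (v = lo; v <= hi; v++)
                    out = out sprintf(fmt, prefix, v, suffix)
            } else { bad = 1; return }
        }
    }
    # Handle one target: a plain name or a name with one bracketed range.
    function one(tok,    o, c) {
        o = index(tok, "["); c = index(tok, "]")
        if (o == 0 && c == 0) { out = out tok " "; return }
        if (o == 0 || c < o) { bad = 1; return }
        emit(substr(tok, 1, o - 1), substr(tok, o + 1, c - o - 1), substr(tok, c + 1))
    }
    {
        depth = 0; tok = ""; line = $0 ","
        for (i = 1; i <= length(line); i++) {
            ch = substr(line, i, 1)
            if (ch == "[") depth++
            if (ch == "]") depth--
            # Only a comma outside brackets separates two targets.
            if (ch == "," && depth == 0) { if (tok != "") one(tok); tok = "" }
            else tok = tok ch
        }
        if (depth != 0) bad = 1
    }
    # Fail closed: print nothing and return non-zero on any malformed input.
    END { if (bad) exit 1; sub(/ $/, "", out); print out }'
}
```

Calling expand_targets 'foo[19]' prints foo19, while expand_targets 'foo[1,9]' prints foo1 foo9, which is the distinction the paragraph above draws.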
The first is to have scripts to support the particular RPC included in either the open source PowerMan project (http://sourceforge.net/projects/powerman) or the open source NUT UPS Tools project. The PowerMan device specifications are rather weird and it is suggested that you leave the actual writing of these scripts to the PowerMan authors. Documentation on how they work can be found at http://linux.die.net/man/5/powerman.dev.
15.10 IPMItool The console server includes the ipmitool utility for managing and configuring devices that support the Intelligent Platform Management Interface (IPMI) version 1.5 and version 2.0 specifications. IPMI is an open standard for monitoring, logging, recovery, inventory, and control of hardware that is implemented independent of the main CPU, BIOS, and OS.
-A Specify an authentication type to use during IPMIv1.5 lan session activation. Supported types are NONE, PASSWORD, MD5, or OEM. -c Present output in CSV (comma separated variable) format. This is not available with all commands. -C The remote server authentication, integrity, and encryption algorithms to use for IPMIv2 lanplus connections. See table 22-19 in the IPMIv2 specification.
The ipmitool documentation highlights that there are several security issues to be considered before enabling the IPMI LAN interface. A remote station has the ability to control a system's power state as well as being able to gather certain platform information.
channels session Print session information exec Run list of commands from file set Set runtime variable for shell and exec ipmitool chassis help Chassis Commands: status, power, identify, policy, restart_cause, poh, bootdev ipmitool chassis power help chassis power Commands: status, on, off, cycle, reset, diag, soft You will find more details on ipmitools at http://ipmitool.sourceforge.net/manpage.html 15.
This script would, for example, parse each port log file line by line, each time it sees 'LOGIN: username', it adds username to the list of connected users for that port, each time it sees 'LOGOUT: username' it removes it from the list. The list can then be nicely formatted and displayed. You can run the script on the remote log server.
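A sketch of the log-parsing script described above, as an added example that is not code from the manual. It assumes each event is a single log line containing the token LOGIN: or LOGOUT: followed by the username (the manual does not show the full log format), and it counts sessions per user so that a user with two open sessions is still listed after one logout; active_users and sample_port_log are hypothetical names.

```sh
#!/bin/sh
# Added example: report which users are still connected to a serial port,
# reading that port log on standard input.
# Assumption: each event is one line containing "LOGIN:" or "LOGOUT:"
# followed by the username. Prints "username open-session-count" lines.

active_users() {
    awk '
    {
        for (i = 1; i < NF; i++) {
            if ($i != "LOGIN:" && $i != "LOGOUT:") continue
            user = $(i + 1)
            # The log also carries raw serial data, so accept only plain
            # usernames; this keeps control characters out of the report.
            if (user !~ /^[A-Za-z0-9._-]+$/) { skipped++; break }
            if ($i == "LOGIN:") sessions[user]++
            else if (sessions[user] > 0) sessions[user]--
            break
        }
    }
    END {
        for (u in sessions) if (sessions[u] > 0) print u, sessions[u]
        if (skipped) print skipped " malformed event(s) ignored" > "/dev/stderr"
    }' | sort
}

# Constructed sample log for one port (timestamps and names are made up).
sample_port_log() {
    cat <<'EOF'
2012-05-20 09:00:01 LOGIN: alice
2012-05-20 09:02:10 LOGIN: bob
2012-05-20 09:05:44 LOGIN: alice
2012-05-20 09:30:00 LOGOUT: bob
2012-05-20 09:31:12 LOGOUT: carol
2012-05-20 09:40:00 LOGOUT: alice
2012-05-20 09:41:00 LOGIN: dave
2012-05-20 09:42:00 LOGIN: ^[[2J
EOF
}
```

On the log server, feed it one port log at a time, for example active_users < port01.log, where port01.log is a placeholder file name.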
Appendix A Linux Commands & Source Code The console server platform is a dedicated Linux computer, optimized to provide monitoring and secure access to serial and network consoles of critical server systems and their supporting power and networking infrastructure. Black Box console servers are built on the 2.4 uCLinux kernel as developed by the uCLinux project. This is GPL code and source can be found at http://cvs.uclinux.org. Some uCLinux commands have config files that can be altered (e.g.
flashw flatfsd ftp gen-keys getopt * gettyd grep * gunzip * gzip * hd hostname * httpd hwclock inetd inetd-echo init ip ipmitool iptables ip6tables iptablesrestore iptables-save kill * ln * login loopback loopback1 loopback2 loopback8 loopback16 loopback48 ls * mail mkdir * mkfs.
pgrep pidof ping ping6 pkill pmchat pmdeny pminetd pmloggerd pmshell pmusers portmanager portmap pppd ps * pwd * reboot * rm * rmdir * routed routed routef routel rtacct rtmon scp sed * setmac setserial sh showmac sleep * smbmnt smbmount smbumount snmpd snmptrap sredird ssh ssh-keygen sshd sslwrap stty stunnel Display process(es) selected by regex pattern Find the process ID of a running program Send ICMP ECHO_REQUEST packets to network hosts IPv6 ping Sends a signal to process(es) selected by regex patter
sync * sysctl syslogd tar * tc tcpdump telnetd tftp tftpd tip top touch * traceroute traceroute6 true * umount * uname * usleep * vconfig * vi * w zcat * Flush file system buffers Configure kernel parameters at runtime System logging utility The tar archiving utility Show traffic control settings Dump traffic on a network Telnet protocol server Client to transfer a file from/to tftp server Trivial file Transfer Protocol (tftp) server Simple terminal emulator/cu program for connecting to modems and serial d
There are also a number of other CLI commands related to other open source tools embedded in the console server including: • PowerMan provides power management for many preconfigured remote power controller (RPC) devices. For CLI details refer http://linux.die.net/man/1/powerman • Network UPS Tools (NUT) provides reliable monitoring of UPS and PDU hardware and ensure safe shutdowns of the systems which are connected - with a goal to monitor every kind of UPS and PDU. For CLI details refer http://www.
false fc [-e ename] [-nlr] [first] [last] fg [job_spec] for NAME [in WORDS ... ;] do COMMA function NAME { COMMANDS ; } or NA getopts optstring name [arg] hash [-r] [-p pathname] [name ...] help [-s] [pattern ...] history [-c] [-d offset] [n] or hi if COMMANDS; then COMMANDS; [ elif jobs [-lnprs] [jobspec ...] or job kill [-s sigspec | -n signum | -si let arg [arg ...] type [-apt] name [name ...] typeset [-afFrxi] [-p] name[=value ulimit [SHacdflmnpstuv] [limit] umask [-p] [-S] [mode] unalias [-a] [name ..
Appendix B Hardware Specifications

FEATURE: VALUE

Dimensions:
LES1408A/16A/32A/48A, LES1308A/16A/32A/48A, LES1208A-R2/16A-R2/32A/48A-R2: 17 x 12 x 1.75 in (43.2 x 31.3 x 4.5 cm)
LES1116A/32A/48A: 17 x 8.5 x 1.75 in (43.2 x 21 x 4.5 cm)
LES1108A: 8.2 x 4.9 x 1.2 in (20.8 x 12.6 x 4.5 cm)

Weight:
LES1408A/16A/32A/48A, LES1308A/16A/32A/48A, LES1208A-R2/16A-R2/32A/48A-R2: 5.4 kg (11.8 lbs)
LES1116A/32A/48A: 3.9 kg (8.5 lbs)
LES1108A: 1.7 kg (3.
Appendix C Safety & Certifications Please take care to follow the safety precautions below when installing and operating the console server: - Do not remove the metal covers. There are no operator serviceable components inside. Opening or removing the cover may expose you to dangerous voltage which may cause fire or electric shock. Refer all service to Black Box qualified personnel. - To avoid electric shock the power cord protective grounding conductor must be connected through to ground.
Appendix F End User License Agreement READ BEFORE USING THE ACCOMPANYING SOFTWARE YOU SHOULD CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE USING THE ACCOMPANYING SOFTWARE, THE USE OF WHICH IS LICENSED FOR USE ONLY AS SET FORTH BELOW. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT, DO NOT USE THE SOFTWARE. IF YOU USE ANY PART OF THE SOFTWARE, SUCH USE WILL INDICATE THAT YOU ACCEPT THESE TERMS.
Sale of Goods is hereby excluded in its entirety and does not apply to this EULA. If you acquired this Software in a country outside of the United States, that country’s laws may apply. In any action or suit to enforce any right or remedy under this EULA or to interpret any provision of this EULA, the prevailing party will be entitled to recover its costs, including reasonable attorneys’ fees. ENTIRE AGREEMENT.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The names of the authors may not be used to endorse or promote products derived from this software without specific prior written permission.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7.
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS
Black Box Tech Support: FREE! Live. 24/7. Tech support the way it should be. Great tech support is just 30 seconds away at 724-746-5500 or blackbox.com. About Black Box Black Box Network Services is your source for an extensive range of networking and infrastructure products. You’ll find everything from cabinets and racks and power and surge protection products to media converters and Ethernet switches all supported by free, live 24/7 Tech support available in 30 seconds or less. © Copyright 2012.