Value-Line and Advanced Console Servers User's Manual, November 2009. Models: LES1208A, LES1216A, LES1248A, LES1108A, LES1116A, LES1148A. Securely manage data center and network equipment from anywhere in the world. BLACK BOX®. Customer Support Information: Order toll-free in the U.S.: Call 877-877-BBOX (outside U.S.
Value-Line and Advanced Console Servers Manual Trademarks Used in this Manual Black Box and the Double Diamond logo are registered trademarks of BB Technologies, Inc. Mac is a registered trademark of Apple Computers, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Windows, Windows Me, Windows NT, and Windows Vista are registered trademarks of Microsoft Corporation. Nagios is a registered trademark of Nagios Enterprises LLC.
Value-Line and Advanced Console Servers Manual We're here to help! If you have any questions about your application or our products, contact Black Box Tech Support at 724-746-5500 or go to blackbox.com and click on "Talk to Black Box." You'll be live with one of our technical experts in less than 20 seconds. 724-746-5500 | blackbox.
Value-Line and Advanced Console Servers Manual Federal Communications Commission and Industry Canada Radio Frequency Interference Statements This equipment generates, uses, and can radiate radio-frequency energy, and if not installed and used properly, that is, in strict accordance with the manufacturer’s instructions, may cause interference to radio communication.
Value-Line and Advanced Console Servers Manual Safety Instructions (Normas Oficiales Mexicanas Electrical Safety Statement) 1. All safety and operating instructions must be read before the electrical appliance is operated. 2. The safety and operating instructions must be kept for future reference. 3. All warnings on the electrical appliance and in its operating instructions must be observed. 4.
INDEX
1 INTRODUCTION
2 INSTALLATION
2.1 Models
2.1.1 Kit components LES1208A, LES1216A and LES1248A Advanced Console Servers
2.1.2 Kit components LES1116A and LES1148A Console Servers
2.1.3 Kit components LES1108A Console Server
2.2 Power connection
2.2.1 LES1208A, LES1216A and LES1248A power
2.2.2 LES1116A and LES1148A power
2.2.3 LES1108A power
2.3 Network connection
2.4 Serial Port connection
2.5 USB Port Connection
3 SYSTEM CONFIGURATION
3.
5 FAILOVER AND OoB DIAL-IN
5.1 OoB Dial-In Access
5.1.1 Configure Dial-In PPP
5.1.2 Using SDT Connector client
5.1.3 Set up Windows XP/2003/Vista/7 client
5.1.4 Set up earlier Windows clients
5.1.5 Set up Linux clients for dial-in
5.2 OoB broadband access
5.3 Broadband Ethernet Failover
5.4 Dial-Out Failover
6 SECURE SSH TUNNELING AND SDT CONNECTOR
6.1 Configuring for SSH Tunneling to Hosts
6.2 SDT Connector Client Configuration
6.2.
12.5.1 Configuring the Dashboard
12.5.2 Creating custom widgets for the Dashboard
13 MANAGEMENT
13.1 Device Management
13.2 Port and Host Logs
13.3 Serial Port Terminal Connection
13.4 Power Management
14 CONFIGURATION FROM THE COMMAND LINE
14.1 Accessing config from the command line
14.2 Serial Port configuration
14.3 Adding and removing Users
14.4 Adding and removing user Groups
14.5 Authentication
14.6 Network Hosts
14.7 Trusted Networks
14.8 Cascaded Ports
14.9 UPS Connections
14.
15.6.1 SSH Overview
15.6.2 Generating Public Keys (Linux)
15.6.3 Installing the SSH Public/Private Keys (Clustering)
15.6.4 Installing SSH Public Key Authentication (Linux)
15.6.5 Generating public/private keys for SSH (Windows)
15.6.6 Fingerprinting
15.6.7 SSH tunneled serial bridging
15.6.8 SDT Connector Public Key Authentication
15.7 Secure Sockets Layer (SSL) Support
15.8 HTTPS
15.8.
Chapter 1 INTRODUCTION Introduction This Manual This User's Manual walks you through installing and configuring your Black Box Console Server (LES1108A, LES1116A, LES1148A) or Advanced Console Server (LES1208A, LES1216A, LES1248A). Each of these products is referred to generically in this manual as a "console server."
12. Status Reports: View a dashboard summary and detailed status and logs of serial and network connected devices (ports, hosts, power, and environment).
13. Management: Includes port controls that Users can access.
14. Basic Configuration: Command line installation and configuration using the config command.
15. Advanced Config: More advanced command line configuration activities where you will need to use Linux commands.
The latest update of this manual can be found online at www.Black Box.com/download.
A User can also use the Management Console, but has limited menu access to control select devices, review their logs, access them using the built-in Java terminal, or control power to them. The console server runs an embedded Linux operating system, and experienced Linux® and UNIX® users may prefer to configure it at the command line.
Copyright ©Black Box Corporation 2009. All Rights Reserved. Information in this document is subject to change without notice and does not represent a commitment on the part of Black Box. Black Box provides this document “as is,” without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of fitness or merchantability for a particular purpose.
Chapter 2 INSTALLATION Installation Introduction This chapter describes how to install the console server hardware and connect it to controlled devices. To avoid physical and electrical hazards please read Appendix C on Safety. 2.
2.1.1 Kit components LES1208A, LES1216A and LES1248A Advanced Console Servers
o LES1208A, LES1216A, or LES1248A Advanced Console Server
o (2) UTP CAT5 blue cables
o DB9F-RJ45S straight and DB9F-RJ45S cross-over connectors
o Dual IEC AC power cords
o Printed Quick Start Guide and User's Manual on CD-ROM
2.1.
2.1.3 Kit components LES1108A Console Server
o LES1108A Console Server
o (2) UTP CAT5 blue cables
o DB9F-RJ45S straight and DB9F-RJ45S cross-over connectors
o 5-VDC, 2.0A, Power Supply with IEC Socket and AC power cable
o Printed Quick Start Guide and this User's Manual on CD-ROM
2.2 Power connection 2.2.1 LES1208A, LES1216A and LES1248A power The LES1208A, LES1216A and LES1248A console servers all have dual universal AC power supplies with auto failover built in.
Both LES1116A and LES1148A models have an IEC AC power socket located in the rear of the metal case. This IEC power inlet uses a conventional IEC AC power cord, and the power cords for various regions are available. Call Black Box Technical Support for details at 724-746-5500. (The North American power cord is provided by default.) There is a warning notice printed on the back of each unit. To avoid electrical shock, connect the power cord grounding conductor to ground. 2.2.
The LES1208A, LES1216A, and LES1248A Advanced Console Servers have the Cyclades RJ-45 pinout shown next:

PIN  SIGNAL  DEFINITION            DIRECTION
1    RTS     Request To Send       Output
2    DTR     Data Terminal Ready   Output
3    TXD     Transmit Data         Output
4    GND     Signal Ground         NA
5    CTS     Clear To Send         Input
6    RXD     Receive Data          Input
7    DCD     Data Carrier Detect   Input
8    DSR     Data Set Ready        Input

The console servers also have a DB9 LOCAL (Console/Modem) port that is on the LES1108A's rear panel and on the rackmount units' front panels.
Chapter 3 SYSTEM CONFIGURATION Initial System Configuration Introduction This chapter provides step-by-step instructions for the console server's initial configuration, and for connecting it to the Management or Operational LAN. The Administrator must:
o Activate the Management Console.
o Change the Administrator password.
o Set the IP address of the console server's principal LAN port.
o Select the network services that will be supported.
o Subnet mask: 255.255.255.0 If you want to retain your existing IP settings for this network connection, click Advanced and Add the above as a secondary IP connection. If it is not convenient to change your PC/workstation network address, you can use the ARP-Ping command to reset the console server IP address. To do this from a Windows PC: Click Start -> Run (or select All Programs then Accessories then Run). Type cmd and click OK to bring up the command line.
You will be prompted to log in. Enter the default administration username and administration password:
Username: root
Password: default
Note Console servers are factory configured with HTTPS access enabled and HTTP access disabled. A Welcome screen, which lists four initial installation configuration steps, will be displayed:
1. Change the default administration password on the System/Administration page (Chapter 3).
2. Configure the local network settings on the System/IP page (Chapter 3).
3.
Note: We recommend that you set up a new Administrator user as soon as convenient and log in as this new user for all ongoing administration functions (rather than root). This Administrator can be configured in the admin group with full access privileges through the Serial & Network: Users & Groups menu as detailed in Chapter 4. Select System: Administration. Enter a new System Password then re-enter it in Confirm System Password.
If you selected DHCP, the console server will look for configuration details from a DHCP server on your management LAN. This selection automatically disables any static address. The console server MAC address is printed on a label on the base plate. Note In its factory default state (with no Configuration Method selected) the console server has its DHCP client enabled, so it automatically accepts any network IP address assigned by a DHCP server on your network.
3.3.1 IPv6 configuration You can also configure the console server Network and Management LAN Interfaces for IPv6 operation: On the System: IP menu select General Settings page and check Enable IPv6. Then, configure the IPv6 parameters on each Interface page. 3.4 System Services The Administrator can access and configure the console server and connect to the managed devices using a range of access protocols (services).
Select the System: Services option, then select/deselect for the service to be enabled/disabled. The following access protocol options are available: HTTPS This ensures secure browser access to all the Management Console menus. It also allows appropriately configured Users secure browser access to selected Management Console Manage menus. If you enable HTTPS, the Administrator will be able to use a secure browser connection to the Console server’s Management Console.
sets 8000 as a secondary base for telnet, then serial port #2 on the console server can be accessed via telnet at IP Address:2002 and at IP Address:8002. The default base for SSH is 3000; for Raw TCP is 4000; and for RFC2217 it is 5000. Click Apply. As you apply your services selections, the screen will be updated with a confirmation message: Message Changes to configuration succeeded. 3.
SDT Connector can be installed on Windows 2000, XP, 2003, Vista PCs, and on most Linux, UNIX, and Solaris computers. 3.5.2 PuTTY You can also use communications packages like PuTTY to connect to the console server command line (and to connect serially attached devices as covered in Chapter 4). PuTTY is a freeware implementation of Telnet and SSH for Windows and UNIX platforms. It runs as an executable application without needing to be installed onto your system.
3.6 Management network configuration (LES1208A, LES1216A and LES1248A only) The LES1208A, LES1216A, and LES1248A console servers have a second network port that you can configure as a management LAN port or as a failover/ OOB access port. 3.6.1 Enable the Management LAN The LES1208A, LES1216A, and LES1248A console servers provide a firewall, router, and DHCP server. You need to connect an external LAN switch to Network 2 to attach hosts to this management LAN.
Note You can configure the second Ethernet port as either a gateway port or as an OOB/Failover port (but not both). Make sure you did not allocate Network 2 as the Failover Interface when you configured the principal Network connection on the System: IP menu. The management gateway function is now enabled with default firewall and router rules. By default, these rules are configured so the Management LAN can only be accessible by SSH port forwarding.
Enter the Gateway address that you want to issue to the DHCP clients. If you leave this field blank, the console server’s IP address will be used. Enter the Primary DNS and Secondary DNS address to issue the DHCP clients. If you leave this field blank, the console server’s IP address is used. So, leave this field blank for automatic DNS server assignment. Optionally, enter a Domain Name suffix to issue DHCP clients. Enter the Default Lease time and Maximum Lease time in seconds.
The DHCP server also supports pre-assigning IP addresses to be allocated only to specific MAC addresses and reserving IP addresses to be used by connected hosts with fixed IP addresses. To reserve an IP addresses for a particular host: Click Add in the Reserved Addresses field. Enter the Hostname, the Hardware Address (MAC), and the Statically Reserved IP address for the DHCP client and click Apply.
o the internal modem, or o an external serial modem connected to the Console port (for dialing out to an ISP or the remote management office). Click Apply. You have selected the failover method. It is not active until you specify the external sites to be probed to trigger failover, and set up the failover ports themselves. This is covered in Chapter 5.
Select Enable Bridging on the System: IP General Settings menu. All the Ethernet ports are all transparently connected at the data link layer (layer 2) and they are configured collectively using the Network Interface menu. When bridging is enabled, network traffic is forwarded between all Ethernet ports with no firewall restrictions. This mode also removes all the Management LAN Interface and Out-of-Band/Failover Interface functions, and disables the DHCP Server.
Chapter 4 Serial Port, Host, Device & User Configuration SERIAL PORT AND NETWORK HOST Introduction The Black Box console server enables access and control of serially attached devices and network attached devices (hosts). The Administrator must configure access privileges for each of these devices, and specify the services that can be used to control the devices. The Administrator can also set up new users and specify each user’s individual access and control privileges.
3) SDT Mode enables graphical console access (with RDP, VNC, HTTPS, etc.) to hosts that are serially connected.
4) Terminal Server Mode sets the serial port to wait for an incoming terminal login session.
5) Serial Bridge Mode transparently interconnects two serial port devices over a network.
Select Serial & Network: Serial Port and you will see the current labels, modes, logging levels, and RS-232 protocol options that are currently set up for each serial port.
Specify a label for the port. Select the appropriate Baud Rate, Parity, Data Bits, Stop Bits, and Flow Control for each port. (Note: The RS-485/RS-422 option is not relevant for console servers.) Before proceeding with further serial port configuration, connect the ports to the serial devices they will be controlling, and make sure they have matching settings. Note The serial ports are all set at the factory to RS232 9600 baud, no parity, 8 data bits, 1 stop bit, and Console server Mode.
Logging Level This specifies the level of information to be logged and monitored (refer to Chapter 7, Alerts and Logging). Telnet When the Telnet service is enabled on the console server, a Telnet client on a User or Administrator's computer can connect to a serial device attached to this serial port on the console server. The Telnet communications are unencrypted, so this protocol is generally recommended only for local connections. With Win2000/XP/NT you can run telnet from the command prompt (cmd.exe).
If the remote communications are tunneled with SDT Connector, then you can use Telnet to securely access these attached devices (refer to the Note below). Note In Console Server mode, Users and Administrators can use SDT Connector to set up secure Telnet connections that are SSH tunneled from their client PC/workstations to the serial port on the console server. SDT Connector can be installed on Windows 2000, XP, 2003, Vista, and Windows 7 PCs and on most Linux platforms.
PuTTY can be downloaded at http://www.tucows.com/preview/195286.html SSH We recommend that you use SSH as the protocol where the User or Administrator connects to the console server (or connects through the console server to the attached serial consoles) over the Internet or any other public network.
For a User named "fred" to access serial port 2 when setting up the SSHTerm or PuTTY SSH client, instead of entering username = fred and ssh port = 3002, the alternative is to enter username = fred:port02 (or username = fred:ttyS1) and ssh port = 22. Alternatively, entering username = fred:serial with ssh port = 22 presents the User with a port selection option. This syntax lets Users set up SSH tunnels to all serial ports while opening only a single port (22) in their firewall/gateway.
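The two ways of selecting a serial port over SSH described above (base port plus port number, or a suffix on the user name), as an added example that is not code from the manual or the console server firmware: a small Python helper that parses the user-name suffix syntax and computes the equivalent base-port number, using the default service bases the manual states (telnet 2000, SSH 3000, raw TCP 4000, RFC2217 5000). The function names, the validation rules and the 48-port upper bound are my own assumptions.

```python
"""Helpers for the console server's serial-port selection over SSH.

Added example, not the manual's or the firmware's own code. It models the
syntax the manual describes:
  - connect to TCP port (base + N), e.g. 3002 for serial port 2 on SSH, or
  - connect to port 22 with user "user:portNN" / "user:ttySN" / "user:serial"
    (ttyS numbering starts at 0, so port02 and ttyS1 are the same port).
"""
import re
from typing import NamedTuple, Optional

# Default TCP base ports per service, as stated in the manual.
DEFAULT_BASE_PORTS = {"telnet": 2000, "ssh": 3000, "raw": 4000, "rfc2217": 5000}

# Assumption: the largest models in this manual (LES1248A / LES1148A) have 48 ports.
MAX_SERIAL_PORTS = 48


class PortSelection(NamedTuple):
    user: str
    serial_port: Optional[int]  # 1-based serial port number, None if none selected
    port_menu: bool             # True for "user:serial" (server offers a port menu)


# user name, optionally followed by ":portNN", ":ttySN" or ":serial"
_SUFFIX_RE = re.compile(
    r"^(?P<user>[A-Za-z0-9_.-]+)"
    r"(?::(?P<sel>port(?P<pnum>\d{2})|ttyS(?P<tnum>\d{1,2})|serial))?$"
)


def service_tcp_port(service: str, serial_port: int, base_ports=None) -> int:
    """TCP port for a 1-based serial port on a service (telnet/ssh/raw/rfc2217).

    base_ports lets a secondary base (e.g. telnet at 8000) be supplied.
    """
    bases = DEFAULT_BASE_PORTS if base_ports is None else base_ports
    if service not in bases:
        raise ValueError(f"unknown service {service!r}")
    if not 1 <= serial_port <= MAX_SERIAL_PORTS:
        raise ValueError(f"serial port {serial_port} out of range 1..{MAX_SERIAL_PORTS}")
    return bases[service] + serial_port


def parse_ssh_username(username: str) -> PortSelection:
    """Split 'fred:port02', 'fred:ttyS1', 'fred:serial' or plain 'fred'."""
    m = _SUFFIX_RE.match(username)
    if m is None:
        raise ValueError(f"malformed user name {username!r}")
    user, sel = m.group("user"), m.group("sel")
    if sel is None:
        return PortSelection(user, None, False)
    if sel == "serial":
        return PortSelection(user, None, True)
    if m.group("pnum") is not None:
        port = int(m.group("pnum"))       # port02 -> serial port 2
    else:
        port = int(m.group("tnum")) + 1   # ttyS1  -> serial port 2
    if not 1 <= port <= MAX_SERIAL_PORTS:
        raise ValueError(f"serial port {port} out of range 1..{MAX_SERIAL_PORTS}")
    return PortSelection(user, port, False)


def ssh_argv(user: str, host: str, serial_port: int,
             method: str = "username", base_ports=None) -> list:
    """Build an ssh command line for either selection method."""
    if method == "username":
        # single firewall port (22); the port is carried in the user name
        return ["ssh", "-p", "22", f"{user}:port{serial_port:02d}@{host}"]
    if method == "baseport":
        tcp = service_tcp_port("ssh", serial_port, base_ports)
        return ["ssh", "-p", str(tcp), f"{user}@{host}"]
    raise ValueError(f"unknown method {method!r}")
```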
Accumulation Period By default, once a connection is established for a particular serial port (such as a RFC2217 redirection or Telnet connection to a remote computer) then any incoming characters on that port are forwarded over the network on a character by character basis. The accumulation period changes this by specifying a period of time that incoming characters will be collected before then being sent as a packet over the network.
For configuration details, refer to Chapter 6.6—Using SDT Connector to Telnet or SSH connect to devices that are serially attached to the console server. 4.1.4 Device (RPC, UPS, EMD) Mode This mode configures the selected serial port to communicate with a serial controlled Uninterruptable Power Supply (UPS), Remote Power Controller/Power Distribution Unit (RPC) or Environmental Monitoring Device (EMD).
Select Serial Bridging Mode and specify the IP address of the Server console server and the TCP port address of the remote serial port (for RFC2217 bridging this will be 5001-5048). By default, the bridging client will use RAW TCP. Select RFC2217 if this is the console server mode you have specified on the server console server. [Figure: serial bridging between a COM-port-connected control PC and a serially connected control PC across the local Ethernet LAN, via the console server] You may secure the communications over the local Ethernet by enabling SSH.
4.2 Add/Edit Users The Administrator uses this menu selection to set up, edit, and delete users, and to define the access permissions for each of these users. Users can be authorized to access specified console server serial ports and specified network-attached hosts. These users can also be given full Administrator status (with full configuration and management and access privileges). To simplify user set up, they can be configured as members of Groups.
The Administrator can also set up users who are not members of any Group. They will have the same access as users in the additional groups. To set up new Groups and new users, and to classify users as members of particular Groups: Select Serial & Network: Users & Groups to display the configured Groups and Users. Click Add Group to add a new Group.
Click Apply. The new user can now access the Network Devices, Ports, and RPC Outlets you nominated as accessible. Plus, if the user is a Group member they can also access any other device/port/outlet that was set up as accessible to the Group. Note There are no specific limits on the number of users you can set up; nor on the number of users per serial port or host. Multiple users (Users and Administrators) can control/monitor one port or host. There are no specific limits on the number of Groups.
Enter the IP Address or DNS Name and a Host Name (up to 254 alphanumeric characters) for the new network connected Host (and optionally enter a Description). Add or edit the Permitted Services (or TCP/UDP port numbers) that are authorized to be used in controlling this host. Only these permitted services will be forwarded through by SDT to the Host. All other services (TCP/UDP ports) will be blocked.
Select Serial & Network: Trusted Networks. To add a new trusted network, select Add Rule. Select the Accessible Port(s) that the new rule is to be applied to. Then, enter the Network Address of the subnet to be permitted access. Then, specify the range of addresses that are to be permitted by entering a Network Mask for that permitted IP range, for example: To permit all the users located with a particular Class C network (for example, 204.15.5.
Note The above Trusted Networks limit Users' and Administrators' access to the console serial ports. They do not restrict access to the console server itself or to attached hosts. To change the default settings for this access, you will need to edit the IPtables rules as described in Chapter 14, Advanced. 4.6 Serial Port Cascading Cascaded Ports enables you to cluster distributed console servers.
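A model of the Trusted Networks rules described above (Accessible Ports, Network Address, Network Mask) evaluated against a client address, as an added example that is not code from the console server. The class and function names are my own; treating a serial port that no rule names as reachable from any client is an assumption the manual does not state.

```python
"""Evaluate Serial & Network: Trusted Networks rules against a client address.

Added example modelling the rule semantics the manual describes, not the
console server's own code. As the manual notes, these rules limit access to
the serial ports only; they do not restrict access to the console server
itself or to attached hosts.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustedNetworkRule:
    accessible_ports: frozenset      # 1-based serial port numbers the rule applies to
    network: ipaddress.IPv4Network   # subnet permitted to reach those ports


def make_rule(ports, network_address, network_mask):
    """Build a rule from the three fields the Add Rule form asks for.

    strict=True rejects a Network Address with host bits set (for example
    204.15.5.7 with mask 255.255.255.0), which would otherwise describe a
    different subnet than the operator typed.
    """
    try:
        net = ipaddress.IPv4Network((network_address, network_mask), strict=True)
    except ValueError as exc:
        raise ValueError(f"bad trusted network {network_address}/{network_mask}: {exc}") from exc
    return TrustedNetworkRule(frozenset(ports), net)


def serial_port_permitted(rules, client_ip, serial_port):
    """True if client_ip may reach serial_port under the given rules.

    Only rules naming this port are considered, and the client must fall
    inside at least one of their subnets.
    """
    client = ipaddress.ip_address(client_ip)
    applicable = [r for r in rules if serial_port in r.accessible_ports]
    if not applicable:
        return True  # assumption: a port named by no rule is unrestricted
    return any(client in r.network for r in applicable)


def permitted_ports(rules, client_ip, port_count):
    """List every serial port (1..port_count) the client may reach."""
    return [p for p in range(1, port_count + 1)
            if serial_port_permitted(rules, client_ip, p)]
```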
Next, you must select whether to generate keys using RSA and/or DSA (if unsure, select only RSA). Generating each set of keys will require approximately two minutes, and the new keys will destroy any old keys of that type that may previously have been uploaded. Also, while the new generation is underway on the master, functions relying on SSH keys (for example, cascading) may stop functioning until they are updated with the new set of keys. To generate keys: Select RSA Keys and/or DSA Keys. Click Apply.
Next, you must register the Public Key as an Authorized Key on the Slave. In a case that has only one Master with multiple Slaves, you only need to upload the one RSA or DSA public key for each Slave. Note Using key pairs can be confusing since one file (Public Key) fulfills two roles— Public Key and Authorized Key. For a more detailed explanation, refer to the Authorized Keys section of Chapter 15.6. Also, refer to this chapter if you need to use more than one set of Authorized Keys in the Slave.
If the system asks you to supply a password, then there is a problem with uploading keys. The keys should remove any need to supply a password. 4.6.3 Configure the slaves and their serial ports You can now begin setting up the Slaves and configuring Slave serial ports from the Master console server: Select Serial & Network: Cascaded Ports on the Master’s Management Console: To add clustering support, select Add Slave.
Select the appropriate Serial & Network: Users & Groups to add new users with access privileges to the Slave serial ports (or to extend existing users' access privileges). Select the appropriate Serial & Network: Trusted Networks to specify network addresses that can access nominated Slave serial ports. Select the appropriate Alerts & Logging: Alerts to configure Slave port Connection, State Change, or Pattern Match alerts.
[Figure: Serial/IP redirector virtual COM ports on a desktop PC connecting, through remote console servers, to retail data systems, serial device applications, building automation systems, controllers and sensors] This serial port redirector software is loaded in your desktop PC, and it allows you to use a serial device that's connected to the remote console server as if it were connected to your local serial port. 4.
Select the connection type for the new connection (Serial, Network Host, UPS, or RPC) and then select the specific connection from the presented list of configured unallocated hosts/ports/outlets. To add a new network-connected Managed Device: The Administrator adds a new network-connected Managed Device using Add Host on the Serial & Network: Network Host menu. This automatically creates a corresponding new Managed Device (as covered in Section 4.4—Network Hosts).
Click Add Connection and select Serial and the Port that connects to the Managed Device. To add a UPS/RPC power connection or network connection or another serial connection, click Add Connection. Click Apply. Note To set up a new serially connected RPC UPS or EMD device, configure the serial port, designate it as a Device, then enter a Name and Description for that device in the Serial & Network: RPC Connections (or UPS Connections or Environmental).
Chapter 5 Failover and OoB Dial Access FAILOVER AND OoB DIAL-IN Introduction The console server has a number of fail-over and out-of-band access capabilities to make sure it's available if there are difficulties accessing the console server through the principal network path. This chapter covers:
o out-of-band (OoB) access from a remote location using a dial-up modem.
o out-dial failover.
o OoB access using an alternate broadband link (LES1208A, LES1216A, and LES1248A models only).
5.1.1 Configure Dial-In PPP To enable dial-in PPP access on the modem: Select the System: Dial menu option and the port to be configured (Serial DB9 Port or Internal Modem Port). Note The console server console/modem serial port is set by default to 115200 baud, No parity, 8 data bits and 1 stop bit, with software (Xon-Xoff) flow control enabled for the Serial DB9 Port and 9600 baud for the Internal modem and PC Card Ports.
You must select the Authentication Type to apply to the dial-in connection. The console server uses authentication to challenge Administrators who dial in to the console server. (For dial-in access, the username and password received from the dial-in client are verified against the local authentication database stored on the console server.) The Administrator must also configure the client PC/workstation to use the selected authentication scheme. Select PAP, CHAP, MSCHAPv2, or None, and click Apply.
5.1.2 Using SDT Connector client Administrators can use their SDT Connector client to set up secure OoB dial-in access to all their remote console servers. With a point and click, you can initiate a dial up connection. Refer to Chapter 6.5. 5.1.3 Set up Windows XP/ 2003/Vista/7 client Open Network Connections in Control Panel and click the New Connection Wizard. Select Connect to the Internet and click Next. On the Getting Ready screen, select Set up my connection manually and click Next.
5.1.4 Set up earlier Windows clients For Windows 2000, the PPP client set up procedure is the same as above, except you get to the Dial-Up Networking Folder by clicking the Start button and selecting Settings. Then, click Network and Dial-up Connections and click Make New Connection. Similarly, for Windows 98, you double click My Computer on the Desktop, then open Dial-Up Networking and double click Make New Connection. Then, proceed as above. 5.1.
When configuring the principal network connection, specify Network 2 (eth1) as the Failover Interface to use when a fault is detected with Network 1 (eth0). Specify the Probe Addresses of two sites (the Primary and Secondary) that the Advanced Console Server is to ping to determine if Network 1 (eth0) is still operating. On the Management LAN Interface - Network 2, configure the IP Address/Subnet Mask/Gateway the same as Network Interface - Network 1.
Specify the Probe Addresses of two sites (the Primary and Secondary) that the console server is to ping to determine if Network1 is still operating. Select the System: Dial menu option and the port to be configured (Serial DB9 Port or Internal Modem Port). Select the Baud Rate and Flow Control that will communicate with the modem. Note You can further configure the console/modem port (for example, to include modem init strings) by editing /etc/mgetty.config files as described in Chapter 13.
Chapter 6 Secure SSH Tunneling & SDT Connector SECURE SSH TUNNELING AND SDT CONNECTOR Introduction Each Black Box console server has an embedded SSH server and uses SSH tunneling so remote users can securely connect through the console server to Managed Devices, using text-based console tools (such as SSH, telnet, SoL) or graphical tools (such as VNC, RDP, HTTPS, HTTP, X11, VMware, DRAC, iLO).
o Using SDT Connector to Telnet or SSH connect to devices that are serially attached to the console server (Section 6.4).
The chapter then covers more advanced SDT Connector and SSH tunneling topics:
o Using SDT Connector for out-of-band access (Section 6.5).
o Automatic importing and exporting configurations (Section 6.6).
o Configuring Public Key Authentication (Section 6.7).
o Setting up an SDT Secure Tunnel for Remote Desktop (Section 6.8).
6.2.1 SDT Connector installation The SDT Connector set up program (SDTConnector Setup-1.n.exe or sdtcon-1.n.tar.gz) is included on the CD supplied with your Black Box console server. Run the set-up program. Note For Windows clients, the SDTConnectorSetup-1.n.exe application will install the SDT Connector 1.n.exe and the config file defaults.xml. If there is already a config file on the Windows PC, then it will not be overwritten.
(refer to Sections 6.2.7 and 6.2.9). You can also set up SDT Connector to connect out-of-band to the console server (refer to Section 6.2.9). 6.2.2 Configuring a new console server gateway in the SDT Connector client To create a secure SSH tunnel to a new console server: Click the New Gateway icon or select the File: New Gateway menu option. Enter the IP or DNS Address of the console server and the SSH port that you will use (typically 22).
Or, enter a Descriptive Name to display instead of the IP or DNS address, and any Notes or a Description of this gateway (such as its firmware version, site location, or anything special about its network configuration). Click OK and an icon for the new gateway will now appear in the SDT Connector home page.
Note The Retrieve Hosts function will auto-configure all user classes (that is, they can be members of user or admin or some other group, or of no group). SDT Connector will not auto-configure the root user (and we recommend that you only use this account for initial config and to add an initial admin account to the console server). 6.2.4 Make an SDT connection through the gateway to a host Simply point at the host to be accessed and click on the service to use to access that host.
Note You can configure the SDT Connector client with an unlimited number of Gateways (that is, console servers). You can configure each Gateway to port forward to an unlimited number of locally networked Hosts. There is no limit on the number of SDT Connector clients that can be configured to access the one Gateway. Nor are there limits on the number of Host connections that an SDT Connector client can concurrently have open through the one Gateway tunnel.
6.2.6 Manually adding new services to the new hosts To extend the range of services that you can use when accessing hosts with SDT Connector: Select Edit: Preferences and click the Services tab. Click Add. Enter a Service Name and click Add. Under the General tab, enter the TCP Port that this service runs on (for example, 80 for HTTP). Or, select the client to use to access the local endpoint of the redirection. Select which Client application is associated with the new service.
An example is the Dell RAC service. The first redirection is for the HTTPS connection to the RAC server— it has a client associated with it (web browser) that it launches immediately when you click the button for this service. The second redirection is for the VNC service that you may choose to later launch from the RAC web console. It automatically loads in a Java client served through the web browser, so it does not need to have a local client associated with it.
Note SDT Connector can also tunnel UDP services. SDT Connector tunnels the UDP traffic through the TCP SSH redirection, so it is a "tunnel within a tunnel." Enter the UDP port where the service is running on the host. This will also be the local UDP port that SDT Connector binds as the local endpoint of the tunnel. Note that for UDP services, you still need to specify a TCP port under General. This will be an arbitrary TCP port that is not in use on the gateway. An example of this is the SOL Proxy service.
Enter a Name for the client. Enter the Path to the executable file for the client (or click Browse to locate the executable). Enter a Command Line associated with launching the client application. SDT Connector typically launches a client using command line arguments to point it at the local endpoint of the redirection. There are three special keywords for specifying the command line format.
Click OK. 6.2.8 Dial in configuration If the client PC is dialing into the Local/Console port on the console server, you will need to set up a dial-in PPP link: Configure the console server for dial-in access (following the steps in the Configuring for Dial-In PPP Access section in Chapter 5, Configuring Dial In Access). Set up the PPP client software at the remote User PC (following the Set up the remote Client section in Chapter 5).
Click the HTTP or HTTPS Services icon to access the Management Console, and/or click SSH or Telnet to access the command line console. Note: To enable SDT access to the console, you must also configure the console server to allow the port forwarded network access to itself: 6.4 Browse to the console server and select Network Hosts from Serial & Network, click Add Host, and in the IP Address/DNS Name field enter 127.0.0.1 (this is the console server's own loopback address).
Assuming you have already set up the target console server as a gateway in your SDT Connector client (with username/password, etc.), select this gateway and click the Host icon to create a host. Or, select File -> New Host. Enter 127.0.0.1 as the Host Address and select Serial Port 2 for Service. In Descriptive Name, enter something such as Loopback ports, or Local serial ports. Click OK.
6.5 Using SDT Connector for out-of-band connection to the gateway You can also set up SDT Connector to connect to the console server (gateway) out-of-band (OoB). OoB access uses an alternate path to the gateway from the one used for regular data traffic. OoB access is useful when the primary link into the gateway is unavailable or unreliable.
pon network_connection where network_connection is the name of the connection. Enter the command or path to a script to stop the OoB connection in Stop Command. To stop a pre-configured dial-up connection under Windows, use the following Stop Command: cmd /c start "Stopping Out of Band Connection" /wait /min rasdial network_connection /disconnect where network_connection is the name of the network connection as displayed in Control Panel -> Network Connections.
To import a configuration, select File -> Import Preferences and select the .xml configuration file to install. 6.7 SDT Connector Public Key Authentication SDT Connector can authenticate against an SSH gateway using your SSH key pair instead of requiring you to enter your password. This is known as public key authentication.
SDT with RDP also allows remote Users to connect to Windows XP, Vista, Server 2003, and Server 2008 computers and to Windows 2000 Terminal Servers, and to access all of the applications, files, and network resources (with a full graphical interface, just as though they were in front of the computer screen at work). To set up a secure Remote Desktop connection, enable Remote Desktop on the target Windows computer that you want to access and configure the RDP client software on the client PC. 6.8.
To set the user(s) who can remotely access the system with RDP, click Add on the Remote Desktop Users dialog box. Note If you need to set up new users for Remote Desktop access, open User Accounts in the Control Panel and follow the steps to nominate the new user's name, password, and account type (Administrator or Limited). Note With Windows XP Professional and Vista, you have only one Remote Desktop session and it connects directly to the Windows root console.
In Computer, enter the appropriate IP Address and Port Number: Where there is a direct local or enterprise VPN connection, enter the IP Address of the console server, and the Port Number of the SDT Secure Tunnel for the console server serial port that you attach to the Windows computer you want to control. For example, if the Windows computer is connected to serial Port 3 on a console server located at 192.168.0.50, then you would enter 192.168.0.50:7303.
Note The Remote Desktop Connection software is pre-installed with Windows XP, Vista and Server 2003/2008. For earlier Windows PCs, you need to download the RDP client: Go to the Microsoft Download Center site http://www.microsoft.com/downloads/details.aspx?familyid=80111F21-D48D-426E-96C208AA2BD23A49&displaylang=en and click the Download button. This software package will install the client portion of Remote Desktop on Windows 95, Windows 98 and 98 Second Edition, Windows Me, Windows NT 4.
Note The rdesktop client is supplied with Red Hat 9.0: rpm -ivh rdesktop-1.2.0-1.i386.rpm For Red Hat 8.0 or other distributions of Linux: download the source, untar, configure, make, then make install. rdesktop currently runs on most UNIX based platforms with the X Window System and can be downloaded from http://www.rdesktop.org/ C. On a Macintosh client: Download Microsoft's free Remote Desktop Connection client for Mac OS X http://www.microsoft.com/mac/otherproducts/otherproducts.
6.9 SDT SSH Tunnel for VNC With SDT and Virtual Network Computing (VNC), Users and Administrators can securely access and control Windows 98/NT/2000/XP/2003, Linux, Macintosh, Solaris, and UNIX computers. There’s a range of popular free and commercial VNC software available (UltraVNC, RealVNC, TightVNC). To set up a secure VNC connection, install and configure the VNC Server software on the computer the user will access, then install and configure the VNC Viewer software on the Viewer PC. 6.9.
To set up a persistent VNC server on Red Hat Enterprise Linux 4:
- Set a password using vncpasswd
- Edit /etc/sysconfig/vncservers
- Enable the service with chkconfig vncserver on
- Start the service with service vncserver start
- Edit /home/username/.vnc/xstartup if you want a more advanced session than just twm and an xterm.
C. For Macintosh servers (and clients): OSXvnc http://www.redstonesoftware.com/vnc.
A. When the Viewer PC is connected to the console server through an SSH tunnel (over the public Internet, or a dial-in connection, or a private network connection), enter localhost (or 127.0.0.1) as the VNC Server IP address, followed by the source port you entered when setting up SSH tunneling/port forwarding (in Section 6.2.6), e.g. :1234 B. When the Viewer PC is connected directly to the console server (i.e.
Note For general background reading on Remote Desktop and VNC access we recommend the following: The Microsoft Remote Desktop How-To. http://www.microsoft.com/windowsxp/using/mobility/getstarted/remoteintro.mspx The Illustrated Network Remote Desktop help page. http://theillustratednetwork.mvps.org/RemoteDesktop/RemoteDesktopSetupandTroubleshooting.html What is Remote Desktop in Windows XP and Windows Server 2003? by Daniel Petri. http://www.petri.co.il/what's_remote_desktop.
Windows 2003 and Windows XP Professional allow you to create a simple dial in service which can be used for the Remote Desktop/VNC/HTTP/X connection to the console server: Open Network Connections in Control Panel and click the New Connection Wizard. Select Set up an advanced connection and click Next. On the Advanced Connection Options screen, select Accept Incoming Connections and click Next. Select the Connection Device (i.e.
Specify which Users will be allowed to use this connection. These should be the same Users who were given Remote Desktop access privileges in the earlier step. Click Next. On the Network Connection screen, select TCP/IP and click Properties. On the Incoming TCP/IP Properties screen, select Specify TCP/IP addresses, nominate a From: and a To: TCP/IP address, and click Next.
Note The above notes describe setting up an incoming connection for Windows XP. The steps are similar for Vista and Windows Server 2003/2008, but the set up screens present slightly differently: You need to put a check in the box for Always allow directly connected devices such as palmtop... The option to Set up an advanced connection is not available in Windows 2003 if RRAS is configured. If RRAS has been configured, you can enable the null modem connection for the dial-in configuration. C.
Select the Serial & Network: Serial Port menu option and click Edit (for the particular Serial Port that is connected to the Windows computer COM port). On the SDT Settings menu, select SDT Mode (this will enable port forwarding and SSH tunneling) and enter a Username and User Password. Note When you enable SDT, it will override all other Configuration protocols on that port.
- SSH Tectia is a leading end-to-end commercial communications security solution for the enterprise. - Reflection for Secure IT (formerly F-Secure SSH) is another good commercial SSH-based security solution. For example, the steps below show how to establish an SSH tunneled connection to a network connected device using the PuTTY client software. In the Session menu, enter the IP address of the console server in the Host Name or IP address field.
be accessed using SSH tunneling (except by the “root” user who can tunnel to any IP address the console server can route to). If your destination computer is serially connected to the console server, set the Destination as :3389. For example, if the Label you specified on the serial port on the console server is win2k3, then specify the remote host as win2k3:3389. Or, you can set the Destination as portXX:3389 (where XX is the SDT enabled serial port number).
If you are connecting as an Administrator (in the "admin" group), then you can connect to any configured Host or Serial Port that has SDT enabled. To set up the secure SSH tunnel for an HTTP browser connection to the Managed Device, specify port 80 (instead of port 3389, which was used for RDP) in the Destination field.
Chapter 7 Alerts and Logging Introduction This chapter describes the alert generation and logging features of the console server. The Alert facility monitors the serial ports, all logins, the power status, and environmental monitors and probes, and sends email, SMS, Nagios, or SNMP alerts when specified trigger events occur. First, enable and configure the service that will be used to carry the alert (Section 7.1).
In the SMTP Server field, enter the outgoing mail Server’s IP address. If this mail server uses a Secure Connection, specify its type. You may enter a Sender email address which will appear as the “from” address in all email notifications sent from this console server. Many SMTP servers check the sender’s email address with the host domain name to verify the address as authentic. So it may be useful to assign an email address for the console server such as consoleserver2@mydomain.
In the SMTP SMS Server field in the Alerts & Logging: SMTP & SMS menu, enter the IP address of the outgoing mail Server (and Secure Connection if applicable). You may enter a Sender email address, which will appear as the "from" address in all email notifications sent from this console server. Some SMS gateway service providers only forward email to SMS when the email has been received from authorized senders. You might need to assign a specific authorized email address for the console server.
To configure for SNMP v3, you will need to enter an ID and authentication password and contact information for the local Administrator (in the Security Name). Click Apply to activate SNMP. Note All console servers have the snmptrap daemon to send traps/notifications to remote SNMP servers on defined trigger events as detailed above. LES1208A, LES1216A, and LES1248A console servers also embed the net-snmpd daemon.
Select Alerts & Logging: Alerts, which will display all the alerts currently configured. Click Add Alert. 7.2.1 Add a new alert The first step is to specify the alert service that this event will use for sending notification, who to notify there, and what port/host/device is to be monitored: At Add a New Alert, enter a Description for this new alert. Nominate the email address for the Email Recipient(s) and/or the SMS Recipient(s) to be notified of the alert.
7.2.2 Configuring general alert types Next, you must select the Alert Type (Connection, Signal, Pattern Match, UPS Power Status, Environment and Power Sensor or Alarm Sensor) to monitor. You can configure a selection of different Alert types and any number of specific triggers.
UPS Power Status Alert: This alert will be triggered when the UPS power status changes between on line, on battery, and low battery. This status will only be monitored on the Applicable UPS(es) you select. Environment and Power Alert (next section). Alarm Sensor Alert (next section). 7.2.3 Configuring environment and power alert type This alert type monitors UPSes, RPCs, power devices, and EMD environmental devices. Select Environment and Power Alert to activate.
Specify the applicable UPSes, RPCs (and RPC outlets), and Environmental Sensors to Apply Alert To. Note An alert notification (SNMP, SMTP etc) is only sent out when there is a transition to or from a trigger event/level. For example, if a High temperature alert is set at 40 degrees with a 5 degree hysteresis, then a High alert notification will be sent when the sensor temperature reads 40 degrees. The next alert will be sent when the temperature falls below 35 degrees.
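The transition rule in the note above, as an added illustration (not code from the console server): an alert is raised when a reading reaches the trigger and cleared only once it drops below trigger minus hysteresis, so a sensor hovering around 40 degrees does not flood the notification channel. The 40 degree / 5 degree values are the manual's; the readings are constructed.

```python
"""Transition-based high-value alerting with hysteresis (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class HighAlert:
    """Notifies only on a transition into or out of the trigger level."""
    trigger: float                   # a reading at or above this raises the alert
    hysteresis: float                # the alert clears only this far below the trigger
    in_alarm: bool = False
    events: List[Tuple[str, float]] = field(default_factory=list)

    @property
    def clear_below(self) -> float:
        return self.trigger - self.hysteresis

    def sample(self, reading: float) -> Optional[Tuple[str, float]]:
        """Feed one sensor reading; return the notification sent, or None if nothing changed."""
        if not self.in_alarm and reading >= self.trigger:
            self.in_alarm = True
            event = ("HIGH", reading)
        elif self.in_alarm and reading < self.clear_below:
            self.in_alarm = False
            event = ("CLEAR", reading)
        else:
            return None              # no transition, so no notification
        self.events.append(event)
        return event


def run_readings(trigger: float, hysteresis: float,
                 readings: List[float]) -> List[Tuple[str, float]]:
    """Replay a series of readings and return every notification that would be sent."""
    alert = HighAlert(trigger, hysteresis)
    for reading in readings:
        alert.sample(reading)
    return alert.events


# Constructed sample: a sensor hovering around the 40 degree trigger, then cooling off.
FLAPPING_READINGS = [39.0, 40.0, 39.8, 40.2, 39.9, 40.1, 34.0]

if __name__ == "__main__":
    print("with 5 degree hysteresis:", run_readings(40, 5, FLAPPING_READINGS))
    print("without hysteresis:      ", run_readings(40, 0, FLAPPING_READINGS))
```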
7.4 Serial Port Logging In Console Server mode, activity logs of all serial port activity can be maintained. These records are stored off-server, or in the Advanced Console Server flash memory. To specify which serial ports have activities recorded and to what level data is to be logged: Select Serial & Network: Serial Port and Edit the port to be logged. Specify the Logging Level for each port as:
Level 0 Turns off logging for the selected port.
Level 1
Level 2
For each Host, when you set up the Permitted Services that you authorize to use, you also must set up the level of logging to maintain for each service. Specify the logging level to maintain for that particular TCP/UDP port/service, on that particular Host:
Level 0 Turns off logging for the selected TCP/UDP port to the selected Host.
Level 1 Logs all connection events to the port.
Level 2 Logs all data transferred to and from the port.
Click Add then click Apply.
Chapter 8 Power & Environmental Management Introduction Black Box console servers embed software that you can use to manage connected Power Distribution Units (PDUs), IPMI devices, and Uninterruptible Power Supplies (UPSs) supplied by a number of vendors, and some environmental monitoring devices. 8.
Select the Serial & Network: RPC Connections menu. This will display all the RPC connections that have already been configured. Click Add RPC.
Select the appropriate RPC Type for the PDU (or IPMI) being connected: If you are connecting to the RPC via the network, you will be presented with the IPMI protocol options and the SNMP RPC Types currently supported by the embedded Network UPS Tools.
Enter the Username and Password used to log in to the RPC (Note that these login credentials are not related to the Users and access privileges you configured in Serial & Networks: Users & Groups). If you selected SNMP protocol, enter the SNMP v1 or v2c Community for Read/Write access (by default this would be "private"). Check Log Status and specify the Log Rate (minutes between samples) if you want the status from this RPC to be logged. View these logs from the Status: RPC Status screen.
- Cycle
- Status
You will only be presented with icons for those operations that are supported by the Target you have selected. 8.1.4 RPC status You can monitor the current status of your network and serially connected PDUs and IPMI RPCs. Select the Status: RPC Status menu and a table with the summary status of all connected RPC hardware will be displayed.
[Figure: a console server managing multiple local (serial, USB, networked) Managed UPSs and multiple remote UPSs] 8.2.1 Managed UPS connections A Managed UPS is a UPS that is directly connected as a Managed Device to the console server. You can connect it via serial or USB cable or by the network.
For serial UPSes, attach the UPS to the selected serial port on the console server. From the Serial and Network: Serial Port menu, configure the Common Settings of that port with the RS-232 properties, etc. required by the UPS (refer to Chapter 4.1.1, Common Settings). Then select UPS as the Device Type. For each network connected UPS, go to the Serial & Network: Network Hosts menu and configure the UPS as a connected Host by specifying it as Device Type: UPS and clicking Apply.
Select if the UPS will be Connected Via USB, over a pre-configured serial port, or via SNMP/HTTP/HTTPS over the preconfigured network Host connection. When you select a network UPS connection, then the corresponding Host Name/Description that you set up for that connection will be entered as the Name and Description for the power device.
Note: These login credentials are not related to the Users and access privileges you configured in Serial & Networks: Users & Groups. If you have multiple UPSes and require them to be shut down in a specific order, specify the Shutdown Order for this UPS. This is a whole number (0 or greater), or -1. 0s shut down first, then 1s, 2s, etc. -1s are not shut down at all. Defaults to 0. Select the Driver that you will use to communicate with the UPS.
Enter the Name of the particular remote UPS that you want to remotely monitor. This name must be the name that the remote UPS was configured with on the remote console server (because the remote console server may itself have multiple UPSes attached that it manages locally with NUT). Optionally, enter a Description. Enter the IP Address or DNS name of the remote console server* that is managing the remote UPS.
on battery. In contrast, more critical servers may not be shut down until a low battery warning is received). Refer to the online NUT documentation for details on how to do this:
http://eu1.networkupstools.org/doc/2.2.0/INSTALL.html
http://linux.die.net/man/5/upsmon.conf
http://linux.die.net/man/8/upsmon
An example upsmon.conf entry might look like:
    MONITOR managedups@192.168.0.1 1 username password slave
- managedups is the UPS Name of the Managed UPS
- 192.168.0.
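An added example (not part of the manual, the firmware or NUT) that parses MONITOR lines of the form shown above and applies upsmon's shutdown rule: a host is shut down once the power supplies still fed by a healthy UPS fall below MINSUPPLIES, which is how a dual-powered server stays up while one of its two UPSs reaches low battery. The MONITOR field layout and the MINSUPPLIES directive are standard upsmon.conf syntax; the configuration and status strings are constructed.

```python
"""Parse upsmon.conf MONITOR lines and decide when too few supplies remain (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# MONITOR <upsname>@<host[:port]> <powervalue> <username> <password> <master|slave>
MONITOR_RE = re.compile(
    r"^MONITOR\s+(?P<ups>[^@\s]+)@(?P<host>\S+)\s+(?P<power>\d+)"
    r"\s+(?P<user>\S+)\s+(?P<password>\S+)\s+(?P<role>master|slave)$"
)


@dataclass(frozen=True)
class Monitor:
    upsname: str
    host: str          # the console server (upsd) managing this UPS
    powervalue: int    # how many of this machine's power supplies the UPS feeds
    username: str
    password: str
    role: str          # "master" also shuts the UPS down; "slave" only shuts itself down

    @property
    def system(self) -> str:
        return f"{self.upsname}@{self.host}"


def parse_upsmon_conf(text: str) -> Tuple[List[Monitor], int]:
    """Return the MONITOR entries and MINSUPPLIES (upsmon's default is 1)."""
    monitors: List[Monitor] = []
    minsupplies = 1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("MINSUPPLIES"):
            minsupplies = int(line.split()[1])
            continue
        m = MONITOR_RE.match(line)
        if m:
            monitors.append(Monitor(m.group("ups"), m.group("host"), int(m.group("power")),
                                    m.group("user"), m.group("password"), m.group("role")))
    return monitors, minsupplies


def supplies_available(monitors: List[Monitor], status: Dict[str, str]) -> int:
    """Count supplies fed by a UPS that is neither on low battery nor unreachable.

    status maps "upsname@host" to the ups.status string NUT reports ("OL", "OB", "OB LB", ...).
    A missing entry means upsd could not be reached, so that UPS contributes nothing.
    """
    total = 0
    for mon in monitors:
        flags = status.get(mon.system, "").split()
        if flags and "LB" not in flags:
            total += mon.powervalue
    return total


def should_shutdown(conf_text: str, status: Dict[str, str]) -> bool:
    """upsmon's rule: shut down once fewer than MINSUPPLIES supplies remain powered."""
    monitors, minsupplies = parse_upsmon_conf(conf_text)
    return supplies_available(monitors, status) < minsupplies


# Constructed: a dual-powered server fed by two UPSs, each managed by its own console server.
SAMPLE_UPSMON_CONF = """
# one MONITOR line per UPS, in the form shown in the manual
MONITOR managedups@192.168.0.1 1 username password slave
MONITOR managedups2@192.168.0.2 1 username password slave
MINSUPPLIES 1
"""

if __name__ == "__main__":
    one_low = {"managedups@192.168.0.1": "OB LB", "managedups2@192.168.0.2": "OL"}
    print("one UPS on low battery, shut down?", should_shutdown(SAMPLE_UPSMON_CONF, one_low))
```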
Click All Data for any UPS System in the table for more status and configuration information about the selected UPS System. Select UPS Logs and you will be presented with the log table of the load, battery charge level, temperature, and other status information from all the Managed and Monitored UPS systems. This information will be logged for all UPSes that were configured with Log Status checked. The information is also presented graphically. 8.2.
The driver programs talk directly to the UPS equipment and run on the same host as the NUT network server (upsd). Drivers are provided for a wide assortment of equipment from most of the popular UPS vendors and understand the specific language of each UPS. They communicate with serial, USB, and SNMP network connected UPS hardware and map the communications back to a compatibility layer. This means both an expensive “smart” protocol UPS and a simple “power strip” model can be handled transparently.
many clients. Each of the larger UPSes powers multiple devices, and many of these devices are in turn dual powered. 8.3 Environmental Monitoring The Environmental Monitor Device (EMD) connects to any Black Box console server serial port and each console server can support multiple EMDs. Each EMD device has one temperature and one humidity sensor and one or two general-purpose status sensors that you can connect to a smoke detector, water detector, vibration, or open-door sensor.
8.3.1 Connecting the EMD The Environmental Monitor Device (EMD) connects to any serial port on the console server via a special EMD Adapter and standard CAT5 cable. The EMD is powered over this serial connection and communicates using a custom handshake protocol. It is not an RS-232 device and should not be connected without the adapter: Plug the male RJ plug on the EMD Adapter into the EMD and then connect it to the console server serial port using the provided UTP cable.
Enter a Name and optionally a Description for the EMD and select the pre-configured serial port that the EMD will be Connected Via. You may optionally calibrate the EMD with a Temperature Offset (+ or - °C) or Humidity Offset (+ or - percent). Provide Labels for each of the two alarms (if used). Check Log Status and specify the Log Rate (minutes between samples) if you want to log the status from this EMD. These logs can be viewed from the Status: Environmental Status screen. Click Apply.
Chapter 9 Authentication Introduction The console server is a dedicated Linux computer with a myriad of popular and proven Linux software modules for networking, secure access (OpenSSH), communications (OpenSSL), and sophisticated user authentication (PAM, RADIUS, TACACS+ and LDAP). 9.
TACACS /RADIUS/LDAP Down Local: Tries remote authentication first, falling back to local if the remote authentication returns an error condition (for example, if the remote authentication server is down or inaccessible). 9.1.1 Local authentication Select Serial and Network: Authentication and check Local. Click Apply. 9.1.
http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_user_guide_chapter09186a00800eb6d6.html http://cio.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt2/sctplus.htm 9.1.3 RADIUS authentication Perform the following procedure to configure the RADIUS authentication method to use whenever the console server or any of its serial ports or hosts is accessed: Select Serial and Network: Authentication and check RADIUS or LocalRADIUS or RADIUSLocal or RADIUSDownLocal.
9.1.4 LDAP authentication Perform the following procedure to configure the LDAP authentication method to use whenever the console server or any of its serial ports or hosts is accessed: Select Serial and Network: Authentication and check LDAP or LocalLDAP or LDAPLocal or LDAPDownLocal. Enter the Server Address (IP or host name) of the remote Authentication server. Multiple remote servers may be specified in a comma-separated list. Each server is tried in succession. Enter the Server Password.
If a local user logs in, they may be authenticated/authorized from the remote AAA server, depending on the chosen priority of the remote AAA. A local user’s authorization is the union of local and remote privileges. Example 1: User Tim is locally added, and has access to ports 1 and 2. He is also defined on a remote TACACS server, which says he has access to ports 3 and 4. Tim may log in with either his local or TACACS password, and will have access to ports 1 through 4.
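The authentication modes above and the union-of-privileges rule in Example 1, as an added model (not the console server's own code). The RemoteDownLocal behaviour follows the manual's description (local is consulted only when the remote server returns an error); the fallback rules used for LocalRemote and RemoteLocal are assumptions made for this illustration, and the remote AAA server is simulated by a dictionary, so no RADIUS/TACACS+/LDAP traffic is sent.

```python
"""Authentication ordering and the union of local and remote privileges (added example)."""
from enum import Enum
from typing import Dict, Set, Tuple


class Remote(Enum):
    ACCEPT = "accept"
    REJECT = "reject"   # server reachable, credentials not accepted
    DOWN = "down"       # server unreachable or returned an error condition


# Constructed directories: user -> (password, ports the user may access).
# "tim" mirrors Example 1: ports 1 and 2 locally, ports 3 and 4 on the TACACS server.
LOCAL_USERS: Dict[str, Tuple[str, Set[int]]] = {"tim": ("tim-local-pw", {1, 2})}
REMOTE_USERS: Dict[str, Tuple[str, Set[int]]] = {"tim": ("tim-tacacs-pw", {3, 4})}


def local_auth(user: str, password: str) -> bool:
    rec = LOCAL_USERS.get(user)
    return bool(rec and rec[0] == password)


def remote_auth(user: str, password: str, server_up: bool) -> Remote:
    """Simulated AAA server answer (assumption: a dictionary stands in for the server)."""
    if not server_up:
        return Remote.DOWN
    rec = REMOTE_USERS.get(user)
    return Remote.ACCEPT if rec and rec[0] == password else Remote.REJECT


def authorized_ports(user: str, server_up: bool) -> Set[int]:
    """A local user's authorization is the union of local and remote privileges;
    the remote part can only be learned while the AAA server is reachable."""
    ports = set(LOCAL_USERS.get(user, ("", set()))[1])
    if server_up and user in REMOTE_USERS:
        ports |= REMOTE_USERS[user][1]
    return ports


def login(mode: str, user: str, password: str,
          server_up: bool = True) -> Tuple[bool, Set[int]]:
    """Apply one authentication mode; return (authenticated, accessible ports)."""
    if mode == "Local":
        ok = local_auth(user, password)
    elif mode == "Remote":
        ok = remote_auth(user, password, server_up) is Remote.ACCEPT
    elif mode == "LocalRemote":      # assumption: local first, remote if local fails
        ok = (local_auth(user, password)
              or remote_auth(user, password, server_up) is Remote.ACCEPT)
    elif mode == "RemoteLocal":      # assumption: remote first, local on any remote failure
        ok = (remote_auth(user, password, server_up) is Remote.ACCEPT
              or local_auth(user, password))
    elif mode == "RemoteDownLocal":  # manual: local only if the remote server errors
        result = remote_auth(user, password, server_up)
        ok = result is Remote.ACCEPT or (result is Remote.DOWN and local_auth(user, password))
    else:
        raise ValueError(f"unknown authentication mode: {mode}")
    return (True, authorized_ports(user, server_up)) if ok else (False, set())


if __name__ == "__main__":
    print("RemoteLocal, TACACS password:   ", login("RemoteLocal", "tim", "tim-tacacs-pw"))
    print("RemoteDownLocal, server up:     ", login("RemoteDownLocal", "tim", "tim-local-pw"))
    print("RemoteDownLocal, server down:   ",
          login("RemoteDownLocal", "tim", "tim-local-pw", server_up=False))
```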
Further modules can be added as required. Changes may be made to files in /etc/config/pam.d/ that will persist, even if the authentication configurator runs. Users added on demand: When a user attempts to log in, but does not already have an account on the console server, a new user account will be created. This account will have no rights, and no password set. It will not appear in the Black Box configuration tools.
9.3 SSL Certificate The console server uses the Secure Sockets Layer (SSL) protocol for encrypted network traffic between itself and a connected user. When establishing the connection, the console server has to expose its identity to the user's browser using a cryptographic certificate. The default certificate that comes with the console server device upon delivery is for testing purposes only.
Select System: SSL Certificate and fill out the fields as explained below: Common name This is the network name of the console server once it is installed in the network (usually the fully qualified domain name). It is identical to the name that is used to access the console server with a web browser (without the “http://” prefix). In case the name given here and the actual network name differ, the browser will pop up a security warning when the console server is accessed using HTTPS.
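The mismatch warning described above can be checked for before a certificate is generated. This added example (not code from the console server) applies the hostname-matching rule a browser uses for a server certificate: a case-insensitive DNS name comparison, with a '*' allowed only as the entire leftmost label and never matching an IP address literal. The names it is run against are constructed.

```python
"""Does the planned Common Name cover the name users will type in the browser? (added example)"""
import ipaddress
from typing import Iterable


def _is_ip_literal(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def dns_name_matches(cert_name: str, hostname: str) -> bool:
    """True if a certificate DNS name (CN or Subject Alternative Name) covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname          # plain name: exact match only
    if _is_ip_literal(hostname):
        return False                          # wildcards never cover IP addresses
    c_labels, h_labels = cert_name.split("."), hostname.split(".")
    # '*' must be the whole leftmost label, appear once, and leave at least two
    # fixed labels (so *.com is rejected); every other label must match exactly.
    if c_labels[0] != "*" or "*" in cert_name[2:] or len(c_labels) < 3:
        return False
    return (len(c_labels) == len(h_labels) and all(h_labels)
            and c_labels[1:] == h_labels[1:])


def browser_would_warn(common_name: str, accessed_as: str,
                       alt_names: Iterable[str] = ()) -> bool:
    """The warning the manual describes: no name in the certificate matches the URL host."""
    return not any(dns_name_matches(n, accessed_as) for n in (common_name, *alt_names))


if __name__ == "__main__":
    # Constructed: certificate issued to the FQDN, but the user browses to the IP address.
    print(browser_would_warn("console01.example.com", "192.168.0.50"))   # warning expected
    print(browser_would_warn("console01.example.com", "console01.example.com"))
```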
After completing these steps, the console server has its own certificate that is used for identifying the console server to its users. Note You can find information on issuing certificates and configuring HTTPS from the command line in Chapter 15.
Chapter 10 Nagios Integration Introduction Nagios is a powerful, highly extensible open source tool for monitoring network hosts and services. The core Nagios software package will typically be installed on a server or virtual server, the central Nagios server. Console servers operate in conjunction with a central/upstream Nagios server to distribute and monitor attached network hosts and serial devices.
capabilities. A complete overview, FAQ, and comprehensive documentation are available at: http://www.nagios.org Nagios does take some time to install and configure; however, once Nagios is up and running, it provides an outstanding network monitoring system. With Nagios you can: Display tables showing the status of each monitored server and network service in real time.
Clients Typically a client PC, laptop, etc., running Windows, Linux, or Mac OS X. Runs SDT Connector client software 1.5.0 or later. Possibly remote to the central Nagios server or distributed console servers (i.e. a road warrior). May receive alert emails from the central Nagios server or distributed console servers. Connects to the central Nagios server web UI to view status of monitored hosts and serial devices.
attached device (the console port of a network router), and to send alerts back to the Nagios server when an Administrator connects to the router or IIS server. This walkthrough provides an example, but details of the configuration options are described in the next section. This walkthrough also assumes the network host and serial devices are already physically connected to the console server.
Scroll down to Nagios Settings and check Enable Nagios. Click New Check and select Check Ping. Click check-host-alive. Click New Check and select Check Permitted TCP. Select Port 3389. Click New Check and select Check TCP. Select Port 80. Click New Check and select Check TCP. Select Port 443. Click Apply. Similarly, you now must configure the serial port to the router to be monitored by Nagios: Select Serial Port from the Serial & Network menu.
In Username, enter: sdtnagiosuser, then enter and confirm a Password. In Accessible Hosts click the IP address/DNS name of the IIS server, and in Accessible Ports click the serial port that has the router console port attached. Click Apply. 10.3 Configuring Nagios distributed monitoring To activate the console server Nagios distributed monitoring: Nagios integration must be enabled and a path established to the central/upstream Nagios server.
10.3.2 Enable NRPE monitoring [Figure: the Nagios monitoring host runs check_nrpe over a tunneled SSH connection to the remote console server, where the NRPE daemon runs check_serial against the serial devices and check_tcp against the network-attached remote managed devices] Enabling NRPE allows you to execute plug-ins (such as check_tcp and check_ping) on the remote console server to monitor serial or network attached remote servers. This offloads CPU load from the upstream Nagios monitoring machine, which is especially valuable if you are monitoring hundreds or thousands of hosts.
Select the Encryption to be used from the drop down menu, then enter a Secret password and specify a check Interval. Refer to the sample Nagios configuration section below for some examples of configuring specific NSCA checks. 10.3.4 Configure Selected Serial Ports for Nagios Monitoring The individual Serial Ports connected to the console server to be monitored must be configured for Nagios checks. Refer to Chapter 4.
10.3.6 Configure the upstream Nagios monitoring host Refer to the Nagios documentation (http://www.nagios.org/docs/) for configuring the upstream server: The section entitled Distributed Monitoring steps through what you need to do to configure NSCA on the upstream server (under Central Server Configuration). NRPE Documentation was recently added that steps through configuring NRPE on the upstream server http://nagios.sourceforge.net/docs/nrpe/NRPE.pdf.
define service {
    service_description     NRPE Daemon
    host_name               Black Box
    use                     generic-service
    check_command           check_nrpe_daemon
}
; Serial Status
define command {
    command_name            check_serial_status
    command_line            $USER1$/check_nrpe -H 192.168.254.
}
define service {
    service_description     port-log-server
    host_name               server
    use                     generic-service
    check_command           check_port_log
    active_checks_enabled   0
    passive_checks_enabled  1
}
define servicedependency {
    name                            Black Box_nrpe_daemon_dep
    host_name                       Black Box
    dependent_host_name             server
    dependent_service_description   Port Log
    service_description             NRPE Daemon
    execution_failure_criteria      w,u,c
}
; Ping
define command {
    command_name            check_ping_via_Black Box
    command_line            $USER1$/check_nrpe -H 192.168.254.
    execution_failure_criteria      w,u,c
}
; SSH Port
define command {
    command_name            check_conn_via_Black Box
    command_line            $USER1$/check_nrpe -H 192.168.254.
check_serial_signals is used to monitor the handshaking lines on the serial ports check_port_log is used to monitor the data logged for a serial port. 10.4.
Time                                            No encryption   3DES            SSH tunnel
NSCA for single check                           ~ ½ second      ~ ½ second      ~ ½ second
NSCA for 100 sequential checks                  100 seconds     100 seconds     100 seconds
NSCA for 10 sequential checks, batched upload   1 ½ seconds     2 seconds       1 second
NSCA for 100 sequential checks, batched upload  7 seconds       11 seconds      6 seconds

                                                No encryption   SSL             No encryption tunneled over existing SSH session
NRPE time to service 1 check                    1/10th second   1/3rd second    1/8th second
NRPE time to service 10 simultaneous
[Figure: a PC running Nagios performs network checks over Ethernet and serial checks over RS-232 through the console server to the hosts, plus power monitoring and manipulation via an IPDU] II. Remote site In this scenario, configure the console server NRPE server or NSCA client to actively check configured services and upload the checks to the Nagios server that's waiting passively. You can also configure it to service NRPE commands to perform checks on demand.
[Figure: a PC running Nagios connects over the Internet to the console server at a remote site with no network access; the SSH session to the remote site's NRPE server is initiated at the branch server's request] Remote site with no network access In this scenario the console server allows dial-in access for the Nagios server. Periodically, the Nagios server will establish a connection to the console server and execute any NRPE commands, before dropping the connection.
Chapter 11 System Management Introduction This chapter describes how the Administrator can perform a range of general console server system administration and configuration tasks such as:
- Applying Soft and Hard Resets to the gateway.
- Re-flashing the Firmware.
- Configuring the Date, Time and NTP.
- Setting up Backup of the configuration files.
Pushing the Erase button on the rear panel twice. A ball-point pen or bent paper clip is a suitable tool for this procedure. Do not use a graphite pencil. Press the button gently twice (within a couple of seconds) while the unit is powered ON. This will reset the console server back to its factory default settings and clear the console server’s stored configuration information. The hard erase will clear all custom settings and return the unit back to factory default settings (i.e.
Click Apply and the console server appliance will perform a soft reboot and start upgrading the firmware. This process will take several minutes. After the firmware upgrade completes, click here to return to the Management Console. Your console server will have retained all its pre-upgrade configuration information. 11.3 Configure Date and Time We recommend that you set the local Date and Time in the console server as soon as it is configured.
Enter the IP address of the remote NTP Server and click Apply. You must now also specify your local time zone so the system clock can show local time (and not UTC): Set your appropriate region/locality in the Time Zone selection box and click Apply. 11.4 Configuration Backup We recommend that you back up the console server configuration whenever you make significant changes (such as adding new Users or Managed Devices) or before performing a firmware upgrade.
To backup and restore using USB: Make sure the USB flash is the only USB device attached to the console server and click Prepare Storage in the Local Configuration Backup menu. This will set a Volume Label on the USB storage device. This preparation step is only necessary the first time, and will not affect any other information you have saved onto the USB storage device. We recommend that you back up any critical data from the USB storage device before using it with your console server.
Note: Before selecting Load On Erase, make sure that you have tested your alternate default configuration by clicking Restore. If your alternate default configuration causes the console server to not boot, recover your unit to factory settings using the following steps: - If the configuration is stored on an external USB storage device, unplug the storage device and reset to factory defaults as per section 11.1 of the user manual.
Chapter 12 Status Reports STATUS REPORTS Introduction This chapter describes the dashboard feature and the status reports that are available: Port Access and Active Users Statistics Support Reports Syslog Dashboard Other status reports that are covered elsewhere include: UPS Status (Chapter 8.2) RPC Status (Chapter 8.1) Environmental Status (Chapter 8.3) 12.
12.2 Statistics The Statistics report provides a snapshot of the status, current traffic, and other activities and operations of your console server: Select the Status: Statistics You can find detailed statistics reports by selecting the various submenus. 12.3 Support Reports The Support Report provides useful status information that will assist the Black Box Technical Support team to solve any problems you may experience with your console server.
Select Status: Support Report and you will be presented with a status snapshot. Save the file as a text file and attach it to your support email. 12.4 Syslog The Linux System Logger in the console server maintains a record of all system messages and errors: Select Status: Syslog You can redirect the syslog record to a remote Syslog Server: Enter the remote Syslog Server Address and Syslog Server Port details and click Apply. The console maintains a local Syslog.
12.5.1 Configuring the Dashboard Only users who are members of the admin group (and the root user) can configure and access the dashboard. To configure a custom dashboard: Select System: Configure Dashboard and select the user (or group) you are configuring this custom dashboard layout for. Click Next. Note: You can configure a custom dashboard for any admin user or for the admin group or you can reconfigure the default dashboard.
Click Apply. Note: The Alerts widget is a new screen that shows the current alerts status. When an alert gets triggered, a corresponding .XML file is created in /var/run/alerts/. The dashboard scans all these files and displays a summary status in the alerts widget. When an alert is deleted, the corresponding .XML files that belong to that alert are also deleted.
12.5.2 Creating custom widgets for the Dashboard To run a custom script inside a dashboard widget: Create a file called "widget-<name>.sh" in the folder /etc/config/scripts/, where <name> can be anything. You can have as many custom dashboard files as you want. Inside this file you can put any code you want; it is executed on the console server itself whenever the widget is rendered, so treat the contents of /etc/config/scripts/ as administrator-only. When configuring the dashboard, choose "widget-<name>.sh" in the dropdown list.
Chapter 13 Management MANAGEMENT Introduction The console server has a small number of Manage reports and tools that are available to both Administrators and Users: Access and control authorized devices. View serial port logs and host logs for those devices. Use SDT Connector or the java terminal to access serially attached consoles. Control power devices (where authorized). All other Management Console menu items are available to Administrators only. 13.
13.2 Port and Host Logs Administrators and Users can view logs of data transfers to connected devices. Select Manage: Port Logs and the serial Port # to be displayed. To display Host logs, select Manage: Host Logs and the Host to be displayed. 13.
Click Connect to SDT Connector to access the console server's command line shell or the serial ports via SDT Connector. This activates the SDT Connector client on the computer you are browsing from and loads your local telnet client to connect to the command line or serial port over SSH. Note: You must install SDT Connector on the computer you are browsing from and add the console server as a gateway, as detailed in Chapter 6.
Chapter 14 Command Line Configuration CONFIGURATION FROM THE COMMAND LINE Introduction For those who prefer to configure their console server at the Linux command line level (rather than use a browser and the Management Console), this chapter describes how to use command line access and the config tool to manage the console server and configure the ports, etc.
o If you are connecting over the LAN, then you will need to interconnect the Ethernet ports and direct your terminal emulator program to the IP address of the console server (192.168.0.1 by default). Log on to the console server by pressing "return" a few times. The console server will request a username and password. Enter the username root and the password default. This factory password is the same on every unit, so change it as soon as the unit is reachable over the network. You should now see the command line prompt, which is a hash (#). This chapter is not intended to teach you Linux.
-v --verbose            Log extra debug information.
-d --del=id             Remove the given configuration element specified by a '.' separated identifier.
-g --get=id             Display the value of a configuration element.
-p --path=file          Specify an alternate configuration file to use. The default file is located at /etc/config/config.xml.
-r --run=configurator   Run the specified registered configurator. Registered configurators are listed below.
-s --set=id=value       Change the value of configuration element specified by a '.
Note: The config command does not verify whether the nodes edited/added by the user are valid. This means that any node may be added to the tree. If a user runs the following command: # /bin/config -s config.fruit.apple=sweet The configurator will not complain, but this command is useless. When the configurators are run (to turn the config.xml file into live config) they will simply ignore this node. Administrators must make sure of the spelling when typing config commands.
Additionally, before any port can function properly, you need to set the port mode. Set any port to run in one of the five possible modes (refer Chapter 4 for details): [Console server mode|Device mode|SDT mode|Terminal server mode|Serial bridge mode]. All these modes are mutually exclusive. Console server mode The command to set the port in portmanager mode: # config -s config.ports.port5.
To configure a username and password when accessing this port with Username = user1 and Password = secret: # config -s config.ports.port#.sdt.username=user1 # config -s config.ports.port#.sdt.password=secret Terminal server mode Enable a TTY login for a local terminal attached to serial port 5: # config -s config.ports.port5.mode=terminal # config -s config.ports.port5.terminal=[vt220 | vt102 | vt100 | linux | ansi] The default terminal is vt220.
emergency
debug
critical
alert
14.3 Adding and Removing Users First, determine the total number of existing Users (if you have no existing Users you can assume this is 0): # config -g config.users.total This command should display config.users.total 1. If the output is only config.users.total (no value), you have 0 Users configured. Your new User will be the existing total plus 1. If the previous command gave you 0, then you start with user number 1.
# config -s config.ports.port1.power.outlet3.users.total=2 (total number of users that have access to this outlet) If more users are given access to this power outlet, then increment the 'config.ports.port1.power.outlet3.users.total' element accordingly. To give this user access to network host 5 (assuming the host is configured): # config -s config.sdt.hosts.host5.users.user1=John # config -s config.sdt.hosts.host5.users.
To give another group called 'Group8' access to the same host: # config -s config.sdt.hosts.host5.groups.group2=Group8 # config -s config.sdt.hosts.host5.groups.total=2 (total number of groups having access to the host) To delete the group called Group7, use the following command: # rmuser Group7 Attention: The rmuser script is a generic script to remove any config element from config.xml correctly. However, any dependencies or references to this group will not be affected. Only the group details are deleted.
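The ".total" counters in the sections above are maintained by hand, and the config tool will happily accept a new userN entry whose number disagrees with the counter. The following script, added here as an example and not part of the manual or the product, grants a user access to a host while bumping the counter, and audits a subtree for counters that no longer match the entries under them. The config() function is a file-backed stand-in for /bin/config that mimics its -s, -g and -d options and its "key value" output so the script runs anywhere; on the appliance, delete that function so the real /bin/config is used. Host 5 and the user names are made-up sample data.

```shell
#!/bin/sh
# Added example, not from the manual: keep config ".total" counters consistent.
# config() below is a file-backed stand-in for /bin/config (same -s/-g/-d
# options, same "key value" output); remove it on the appliance.
STORE="${STORE:-/tmp/config-stub.$$}"
: > "$STORE"

config() {
    case "$1" in
        -s) key=${2%%=*}; val=${2#*=}
            awk -v k="$key" '$1 != k' "$STORE" > "$STORE.new"
            echo "$key $val" >> "$STORE.new"
            mv "$STORE.new" "$STORE" ;;
        -g) out=$(awk -v k="$2" '$1 == k' "$STORE")
            echo "${out:-$2}" ;;      # unset keys print just the key name, like the real tool
        -d) awk -v k="$2" '$1 != k' "$STORE" > "$STORE.new"
            mv "$STORE.new" "$STORE" ;;
    esac
}

# Value of a node, or empty when the node is unset.
get_value() { config -g "$1" | awk 'NF > 1 { print $2 }'; }

# Number of numbered children (e.g. user1, user2, ...) named $2N directly under $1.
count_children() {
    awk -v p="^$1.$2[0-9]+\$" '$1 ~ p' "$STORE" | wc -l | tr -d ' '
}

# Give user $2 access to host $1: add the next userN entry and bump .total.
# Refuses to add a name that is already present.
grant_host_access() {
    base="config.sdt.hosts.host$1.users"
    total=$(get_value "$base.total"); total=${total:-0}
    i=1
    while [ "$i" -le "$total" ]; do
        if [ "$(get_value "$base.user$i")" = "$2" ]; then
            echo "$2 already has access to host$1" >&2
            return 0
        fi
        i=$((i + 1))
    done
    next=$((total + 1))
    config -s "$base.user$next=$2"
    config -s "$base.total=$next"
}

# 0 when $1.total equals the number of $2N children, 1 otherwise.
check_total() {
    total=$(get_value "$1.total"); total=${total:-0}
    [ "$(count_children "$1" "$2")" -eq "$total" ]
}

# Sample run: the manual's John is already present, then Alice is added twice.
config -s config.sdt.hosts.host5.users.user1=John
config -s config.sdt.hosts.host5.users.total=1
grant_host_access 5 Alice
grant_host_access 5 Alice 2>/dev/null
check_total config.sdt.hosts.host5.users user && echo "host5 user total consistent"
```

Run check_total over every users, groups and hosts subtree after a batch of manual config commands and before `config -r` or `config -a`; a counter that is lower than the entry count silently hides the extra entries from the configurators, and one that is higher makes them read nodes that do not exist.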
# config -s config.auth.ldap.basedn='name' (The distinguished name of the search base. For example: dc=my-company,dc=com) # config -s config.auth.ldap.binddn='name' (The distinguished name to bind to the server with. The default is to bind anonymously.) # config -s config.auth.radius.password='password' The following command will synchronize the live system with the new configuration: # config -r auth 14.6 Network Hosts To determine the total number of currently configured hosts: # config -g config.sdt.
Issue the commands below. If the Host is not a PDU or UPS power device or a server with IPMI power control, then leave the device type blank: # config -s config.sdt.hosts.host4.address=192.168.3.10 # config -s config.sdt.hosts.host4.description=MyPC # config -s config.sdt.hosts.host4.name=OfficePC # config -s config.sdt.hosts.host4.device.type='' (leave this value blank) # config -s config.sdt.hosts.host4.tcpports.tcpport1=22 # config -s config.sdt.hosts.host4.tcpports.tcpport1.
# config -r serialconfig
14.8 Cascaded Ports To add a new slave device with the following settings:
IP address/DNS name   192.168.0.153
Description           Console in office 42
Label                 les1116-5
Number of ports       16
The following commands must be issued:
# config -s config.cascade.slaves.slave1.address=192.168.0.153
# config -s "config.cascade.slaves.slave1.description=Console in office 42"
# config -s config.cascade.slaves.slave1.label=les1116-5
# config -s config.cascade.slaves.slave1.
# config -s "config.ups.monitors.monitor1.description=UPS in room 5" # config -s config.ups.monitors.monitor1.username=User2 # config -s config.ups.monitors.monitor1.password=secret # config -s config.ups.monitors.monitor1.sdorder=2 # config -s config.ups.monitors.monitor1.driver=genericups # config -s config.ups.monitors.monitor1.options.option1.opt=option # config -s config.ups.monitors.monitor1.options.option1.arg=argument # config -s config.ups.monitors.monitor1.options.total=1 # config -s config.ups.
Note that before adding an RPC the Management Console GUI checks that at least one port has been configured to run in 'device mode' and that the device type is set to 'rpc'. The config command does not enforce this, so when working from the command line set up the port first.
# config -s config.ports.port3.enviro.offsets.temp=2
# config -s config.ports.port3.enviro.offsets.humid=5
# config -s config.ports.port3.enviro.alarms.alarm1.alarmstate=on
# config -s "config.ports.port3.enviro.alarms.alarm1.label=door alarm"
# config -s config.ports.port3.enviro.alarms.alarm2.alarmstate=on
# config -s "config.ports.port3.enviro.alarms.alarm2.label=window alarm"
# config -s config.ports.port3.enviro.alarms.total=2
# config -s config.ports.port3.enviro.log.enabled=on
# config -s config.ports.
Syslog
Mail
News
UUCP
# config -s config.eventlog.server.logpriority='priority'
'priority' can be: Info, Alert, Critical, Debug, Emergency, Error, Notice, Warning
Assume the remote log server needs a username 'name1' and password 'secret':
# config -s config.eventlog.server.username=name1
# config -s config.eventlog.server.password=secret
To set the remote path as '/Black Box/logs' to save logged data (quote the argument, because the value contains a space):
# config -s "config.eventlog.server.path=/Black Box/logs"
# config -s config.eventlog.server.
To trigger an alert when a user connects to serial port 5 or network host 3: # config -s config.alerts.alert2.host3='host name' # config -s config.alerts.alert2.port5=on # config -s config.alerts.alert2.sensor=temp # config -s config.alerts.alert2.signal=DSR # config -s config.alerts.alert2.type=login Signal Alert To trigger an alert when a signal changes state on port 1: # config -s config.alerts.alert2.port1=on # config -s config.alerts.alert2.sensor=temp # config -s config.alerts.alert2.
# config -s config.alerts.alert2.enviro.high.critical=60 # config -s config.alerts.alert2.enviro.high.warning=50 # config -s config.alerts.alert2.enviro.hysteresis=2 # config -s config.alerts.alert2.enviro.low.critical=5 # config -s config.alerts.alert2.enviro.low.warning=10 # config -s config.alerts.alert2.enviro1=SensorInRoom42 # config -s config.alerts.alert2.signal=DSR # config -s config.alerts.alert2.
Server username Server password Subject line john secret SMTP alerts # config -s config.system.smtp.server=mail.Black Box.com # config -s config.system.smtp.encryption=SSL (can also be TLS or None ) # config -s config.system.smtp.sender=John@Black Box.com # config -s config.system.smtp.username=john # config -s config.system.smtp.password=secret # config -s config.system.smtp.subject=SMTP alerts To set-up an SMTP SMS server with the same details as above: # config -s config.system.smtp.server2=mail.
The following command will synchronize the live system with the new configuration:
# config -a
14.18 IP settings To configure the primary network interface with static settings:
IP address        192.168.0.23
Netmask           255.255.255.0
Default gateway   192.168.0.1
DNS server 1      192.168.0.1
DNS server 2      192.168.0.2
# config -s config.interfaces.wan.address=192.168.0.23
# config -s config.interfaces.wan.netmask=255.255.255.0
# config -s config.interfaces.wan.gateway=192.168.0.1
# config -s config.interfaces.wan.
Alternatively, you can manually change the clock settings. To change the running system time: # date 092216452005.05 (the format is MMDDhhmm[[CC]YY][.ss]). Then the following command will save this new system time to the hardware clock: # /bin/hwclock --systohc Alternatively, to change the hardware clock directly: # /bin/hwclock --set --date=092216452005.05 Format is MMDDhhmm[[CC]YY][.
Supported stop-bits values are '1', '1.5' and '2'. Supported flow-control values are 'Hardware', 'Software' and 'None'. If you do not want to use out-of-band dial-in access, note that the procedure for enabling start-up messages on the console port is covered in Chapter 15—Accessing the Console Port. The following command will synchronize the live system with the new configuration: # config -a 14.
TFTP server   Enabled
# config -s config.services.http.enabled=on
# config -d config.services.https.enabled
# config -d config.services.telnet.enabled
# config -s config.services.ssh.enabled=on
# config -d config.services.snmp.enabled
# config -d config.services.pingreply.enabled
# config -s config.services.tftp.enabled=on
Note that this particular example leaves the Management Console on cleartext HTTP with HTTPS disabled and enables unauthenticated TFTP; in production keep HTTPS and SSH as the management services and enable the cleartext services only while you need them.
To set secondary port ranges for any service:
# config -s config.services.telnet.portbase='port base number'   Default: 2000
# config -s config.services.ssh.
NSCA password            secret
NSCA check-in interval   5 minutes
NSCA port                5650 (defaults to 5667)
user to run as           User1 (defaults to nsca)
group to run as          Group1 (defaults to nobody)
# config -s config.system.nagios.nsca.enabled=on
# config -s config.system.nagios.nsca.encryption=BLOWFISH
# config -s config.system.nagios.nsca.secret=secret
# config -s config.system.nagios.nsca.interval=5
# config -s config.system.nagios.nsca.port=5650
# config -s config.system.nagios.nsca.user=User1
# config -s config.system.nagios.
Chapter 15 Advanced Configuration ADVANCED CONFIGURATION Introduction Black Box console servers run the embedded Linux operating system. So Administrator class users can configure the console server and monitor and manage attached serial console and host devices from the command line using Linux commands and the config utility as described in Chapter 14. The Linux kernel in the console server also supports GNU bash shell script enabling the Administrator to run custom scripts.
# dos2unix /etc/config/rc.local Another scenario would be to call another custom script from the /etc/config/rc.local file, making sure that your custom script will run whenever the system is booted. 15.1.2 Running custom scripts when alerts are triggered Whenever an alert gets triggered, specific scripts get called. These scripts all reside in /etc/scripts/.
15.1.3 Example script - Power Cycling on Pattern Match For example, we have an RPC (PDU) connected to port 1 on a console server and also have some telecommunications device connected to port 2 (which is powered by the RPC outlet 3). Now assume the telecom device transmits a character stream "EMERGENCY" out on its serial console port every time that it encounters some specific error, and the only way to fix this error is to power cycle the telecom device.
delete-node is a general script for deleting any node you desire (users, groups, hosts, UPSes, etc.) from the command line. The script deletes the specified node and shuffles the remainder of the node values. For example, if we have five users configured and we use the script to delete user 3, then user 4 will become user 3, and user 5 will become user 4. This creates an obvious complication because this script does NOT check for any other dependencies that the node being deleted may have.
NUMBER=`echo $LASTFIELD | sed 's/^[a-zA-Z]*//g'`
TOTALNODE=`echo ${1%.*} | sed 's/\(.*\)/\1.total/'`
TOTAL=`config -g $TOTALNODE | sed 's/.* //'`
NEWTOTAL=$((TOTAL - 1))
# Make backup copy of config file
cp /etc/config/config.xml /etc/config/config.bak
echo "backup of /etc/config/config.xml saved in /etc/config/config.bak"
if [ -z "$NUMBER" ]   # test whether a singular node is being deleted, e.g. config.sdt.
    # Shift every node numbered above the deleted one down by one.
    config -g $ROOTNODE.$LASTFIELDTEXT$((NUMBER+COUNTER)) \
      | while read LINE
    do
      config -s \
        "`echo "$LINE" | sed -e "s/$LASTFIELDTEXT$((NUMBER+COUNTER))/$LASTFIELDTEXT$((NUMBER+COUNTER-1))/" \
                              -e 's/ /=/'`"
    done
    let COUNTER++
  done
  # deleting last user
  config -d $ROOTNODE.$LASTFIELDTEXT$TOTAL
  # Modifying item total.
  config -s "$TOTALNODE=$NEWTOTAL"
  echo Done
  exit 0
else
  echo "error: item being deleted has an index greater than total items. Increase the total count variable."
  exit 1
fi
15.1.
The above command will cause the ping-detect script to continuously ping the host at 192.168.22.2 which is the router. If the router crashes, it will no longer respond to ping requests. If this happens, the two commands pmpower and date will run. The output from these commands is sent to the file /tmp/output.log so that we have a record. The ping-detect is also run in the background using the "&". Remember the rc.local script only runs by default when the system boots. You can manually run the rc.
15.1.7 Running custom scripts when a configurator is invoked A configurator is responsible for reading the values in /etc/config/config.xml and making the appropriate changes live. Some changes made by the configurators are part of the Linux configuration itself, such as user passwords or ipconfig. Currently there are nineteen configurators. Each one is responsible for a specific group of config (for example, the "users" configurator makes the user configurations in the config.xml file live).
To save the configuration: # /etc/scripts/backup-usb save config-20May To check if the backup was saved correctly: # /etc/scripts/backup-usb list If this command does not display "* config-20May" then there was an error saving the configuration. The set-default command takes an input file as an argument and renames it to "default.opg". This default configuration remains stored on the USB disk. The next time you want to load the default config, it will be sourced from the new default.opg file.
This will extract the contents of the previously created backup to /tmp, and then synchronize the /etc/config directory with the copy in /tmp. One problem that can crop up here is that there is not enough room in /tmp to extract files to.
# pmchat -v -f /etc/config/scripts/port08.chat < /dev/port08 For more information on using chat (and pmchat) you should consult the UNIX man pages: http://techpubs.sgi.com/library/tpl/cgibin/getdoc.cgi?coll=linux&db=man&fname=/usr/share/catman/ man8/chat.8.html pmusers The pmusers command is used to query the portmanager for active user sessions.
When an alert occurs on a port: - The portmanager will attempt to execute /etc/config/scripts/portXX.alert (where XX is the port number, e.g. 08) - The script is run with STDIN containing the data which triggered the alert, and STDOUT redirected to /dev/null, NOT to the serial port. If you want to communicate with the port, use pmshell or pmchat from within the script. - If the script cannot be executed, then the alert will be mailed to the address configured in the system administration section.
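The following script ties the portXX.alert mechanism above to the power-cycling scenario of 15.1.3. It is an added example, not part of the manual or the product. Portmanager hands the data that raised the alert to the script on STDIN and discards STDOUT, so all diagnostics go to a log file; when the data contains "EMERGENCY" the script cycles the outlet feeding the device, and a holdoff stops a device that repeats the message in a loop from being cycled more than once per window. The PDU on port 1 and outlet 3 are the manual's scenario; that pmpower is called as "pmpower -l port01 -o 3 cycle" is my assumption, and POWER_CMD exists so the decision logic can be exercised without a PDU attached.

```shell
#!/bin/sh
# Added example, not from the manual: /etc/config/scripts/port02.alert that
# power-cycles the device on port 2 when the alert data contains "EMERGENCY".
# Assumptions: PDU on port 1 feeding the device from outlet 3, and a pmpower
# invocation of the form "pmpower -l port01 -o 3 cycle".
PATTERN="${PATTERN:-EMERGENCY}"
PDU_PORT="${PDU_PORT:-port01}"
OUTLET="${OUTLET:-3}"
POWER_CMD="${POWER_CMD:-pmpower}"
LOG="${LOG:-/tmp/port02.alert.log}"
LOCK="${LOCK:-/tmp/port02.alert.last}"
HOLDOFF="${HOLDOFF:-60}"   # seconds between cycles; a looping device gets one cycle per window

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"; }

# 0 when the alert data on stdin contains the pattern.
matches() { grep -q -- "$PATTERN"; }

# 0 when the last cycle is older than HOLDOFF seconds (or there was none).
holdoff_ok() {
    [ -f "$LOCK" ] || return 0
    last=$(cat "$LOCK"); now=$(date +%s)
    [ $((now - last)) -ge "$HOLDOFF" ]
}

# Decide and act on the alert data from stdin.
# Returns 0 cycled, 1 pattern absent, 2 suppressed by holdoff, 3 power command failed.
handle_alert() {
    if ! matches; then
        log "alert data did not contain '$PATTERN', ignoring"
        return 1
    fi
    if ! holdoff_ok; then
        log "'$PATTERN' seen again within ${HOLDOFF}s, not cycling"
        return 2
    fi
    log "'$PATTERN' seen, cycling outlet $OUTLET on $PDU_PORT"
    if ! "$POWER_CMD" -l "$PDU_PORT" -o "$OUTLET" cycle >> "$LOG" 2>&1; then
        log "power command failed"
        return 3
    fi
    date +%s > "$LOCK"
    return 0
}

# Only act when portmanager runs this file under its portXX.alert name.
case "$(basename "$0")" in
    port*.alert) handle_alert ;;
esac
```

Install it as /etc/config/scripts/port02.alert, make it executable, and configure a pattern-match alert on port 2 for the same string; the alert configuration decides when the script runs, the script decides whether a run is worth a power cycle. Keep the log on /tmp or another writable area, since the script cannot write to the serial port through STDOUT.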
With stty, the changes made to the port only “stick” until that port is closed and opened again. People probably will not want to use stty for more than initial debugging of the serial connection. If you want to use stty to configure the port, you can put stty commands in /etc/config/scripts/portXX.init which gets run whenever portmanager opens the port. Otherwise, any setup you do with stty will get lost when the portmanager opens the port.
system. - Rules are added which explicitly allow network traffic to access enabled services, for example, HTTP, SNMP, etc. - Rules are added that explicitly allow network traffic to access serial ports over enabled protocols, e.g. Telnet, SSH and raw TCP. If the standard system firewall configuration is not adequate for your needs you can bypass it by creating a file at /etc/config/filter-custom containing commands to build a specialized firewall. Because this file replaces the standard rules, a mistake in it can lock you out of network management; keep console-port access available and test the rule set before relying on it.
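An example of what /etc/config/filter-custom might contain, added here and not taken from the manual or the product: a rule set that exposes the management plane (SSH, HTTPS and the per-serial-port SSH range) only to one management subnet and logs everything else it drops. The interface name, the subnet and the assumption that the SSH port base is 3000 are mine; adjust them before use. Setting IPT=echo prints the rules instead of applying them, which is how the self-check runs, and the script refuses to apply a rule set in which any port is accepted without a source restriction.

```shell
#!/bin/sh
# Added example, not from the manual: a /etc/config/filter-custom that limits
# management access to one subnet. Interface, subnet and the SSH port range
# (assumed port base 3000) are assumptions. IPT=echo previews the rules.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"
MGMT_NET="${MGMT_NET:-10.10.0.0/24}"
SERIAL_SSH_RANGE="${SERIAL_SSH_RANGE:-3001:3048}"

# The rule set, one iptables argument list per line, in the order it is applied.
build_rules() {
    cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN -s $MGMT_NET -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $WAN -s $MGMT_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $WAN -s $MGMT_NET -p tcp --dport 443 -j ACCEPT
-A INPUT -i $WAN -s $MGMT_NET -p tcp --dport $SERIAL_SSH_RANGE -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "consrv-drop: "
-A INPUT -j DROP
EOF
}

# Number of ACCEPT rules for a port that carry no source restriction.
# Anything other than 0 means a service is reachable from everywhere.
unrestricted_accepts() {
    build_rules | awk '/-j ACCEPT/ && /--dport/ && !/ -s /' | wc -l | tr -d ' '
}

# Flush the standard INPUT/FORWARD rules and apply ours. Refuses to run if the
# self-check fails, so a typo cannot silently open a port to the world.
apply_rules() {
    [ "$(unrestricted_accepts)" = 0 ] || { echo "refusing: unrestricted ACCEPT present" >&2; return 1; }
    "$IPT" -F INPUT && "$IPT" -F FORWARD || return 1
    build_rules | while IFS= read -r rule; do
        eval "\"\$IPT\" $rule" || { echo "failed: $rule" >&2; exit 1; }
    done
}

# Apply only when run as the firewall script itself.
case "$0" in
    */filter-custom|filter-custom) apply_rules ;;
esac
```

Preview with `IPT=echo sh filter-custom` on a workstation before copying the file to the unit, and apply it first from the console port rather than over the network, so a wrong subnet does not end the session that could fix it.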
sysname       Not defined (edit /etc/default/snmpd.conf)
syslocation   Not defined (edit /etc/default/snmpd.conf)
Simply change the values of sysdescr, syscontact, sysname and syslocation to the desired settings and restart snmpd. The snmpd.conf file is extremely powerful and too flexible to cover completely here. The configuration file itself is commented extensively and good documentation is available at the net-snmp website http://www.net-snmp.org, specifically: Man Page: http://www.net-snmp.
.. replacing yourusername with the username (the config.system.snmp.username2 field applies to SNMP version 3 only)
config --set config.system.snmp.password2=yourpassword
.. replacing yourpassword with the password
To set the Engine ID field (SNMP version 3 only):
Once the fields are set, apply the configuration with the following command:
config --run snmp
You can add a third or more SNMP servers by incrementing the "2" in the above commands, e.g. config.system.snmp.protocol3, config.system.snmp.address3, etc. 15.
15.6.2 Generating Public Keys (Linux) To generate new SSH key pairs use the Linux ssh-keygen command. This will produce an RSA or DSA public/private key pair and you will be prompted for a path to store the two key files, for example, id_dsa.pub (the public key) and id_dsa (the private key). Note that OpenSSH has disabled DSA authentication by default since version 7.0, so prefer RSA keys of at least 2048 bits when the other end runs a current OpenSSH. For example: $ ssh-keygen -t [rsa|dsa] Generating public/private [rsa|dsa] key pair. Enter file in which to save the key (/home/user/.
15.6.4 Installing SSH Public Key Authentication (Linux) Alternately, the public key can be installed on the unit remotely from the linux host with the scp utility as follows. Assuming the user on the Management Console is called "fred"; the IP address of the console server is 192.168.0.1 (default); and the public key is on the linux/unix computer in ~/.ssh/id_dsa.pub. Execute the following command on the linux/unix computer: scp ~/.ssh/id_dsa.pub \ root@192.168.0.1:/etc/config/users/fred/.
authorized_keys file is simply a copy of the public key for that device. If one or more devices will be clients of the server, then the authorized_keys file will contain a copy of all of the public keys. RSA and DSA keys may be freely mixed in the authorized_keys file. For example, assume we already have one server, called bridge_server, and two sets of keys, for the control_room and the plant_entrance: $ ls /home/user/keys control_room control_room.pub plant_entrance plant_entrance.
OpenSSH: http://www.openssh.org/ OpenSSH (Windows): http://sshwindows.sourceforge.net/download/ For example, using PuTTYgen, make sure you have a recent version of the puttygen.exe (available from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html) Make sure you have a recent version of WinSCP (available from http://winscp.net/eng/download.php ) To generate a SSH key using PuTTY http://sourceforge.net/docs/F02/#clients: - Execute the PUTTYGEN.EXE program.
- Using WinSCP copy the attached sshd_config over /etc/config/sshd_config on the server (make sure public key authentication is enabled). - Test the Public Key by logging in as "testuser" to the client Black Box device and typing (you should not need to enter anything): # ssh -o StrictHostKeyChecking=no Note that StrictHostKeyChecking=no accepts an unknown server host key without asking; use it only on a network you control, and prefer pre-loading the server's host key into the client's known_hosts. To automate connection of the SSH tunnel from the client on every power-up you need to make the clients /etc/config/rc.
Offending key in /.ssh/known_hosts:1 RSA host key for remhost has changed and you have requested strict checking. Host key verification failed. If the host key has been legitimately changed, it can be removed from the ~/.ssh/known_hosts file and the new fingerprint added. If it has not changed, this indicates a serious problem that should be investigated immediately. 15.6.
Generated keys may be one of two types, RSA or DSA (and it is beyond the scope of this document to recommend one over the other). RSA keys will go into the files id_rsa and id_rsa.pub. DSA keys will be stored in the files id_dsa and id_dsa.pub. For simplicity going forward, the term private key will be used to refer to either id_rsa or id_dsa and public key to refer to either id_rsa.pub or id_dsa.pub. [Figure: two clients, each with its own key pair (Client #1: id_rsa and id_rsa.pub; Client #2: id_dsa and id_dsa.pub), and the server holding both public keys in its authorized keys]
Authorized Keys: If the console server selected to be the server will only have one client device, then the authorized_keys file is simply a copy of the public key for that device. If one or more devices will be clients of the server, then the authorized_keys file will contain a copy of all of the public keys. RSA and DSA keys may be freely mixed in the authorized_keys file.
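The two file-handling steps in 15.6, assembling the server's authorized_keys from several clients' public keys (this section) and clearing a stale entry from a client's known_hosts after a server key change that has been confirmed as legitimate (15.6.6), are shown below in one script. It is an added example, not part of the manual or the product. Only well-formed OpenSSH public key lines are admitted, duplicates are judged on the key blob rather than the comment, and the key lines are constructed filler of the right shape, not real keys.

```shell
#!/bin/sh
# Added example, not from the manual: build authorized_keys from several .pub
# files with validation and de-duplication, and remove a stale known_hosts
# entry by host name. The key material below is constructed filler.
WORK="${WORK:-/tmp/consrv-keys.$$}"
mkdir -p "$WORK" && chmod 700 "$WORK"

printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0nStRuCTEdWxVZ control_room\n' > "$WORK/control_room.pub"
printf 'ssh-dss AAAAB3NzaC1kc3MAAACBAMk1rWeG4dJzQ plant_entrance\nthis line is not a key\n' > "$WORK/plant_entrance.pub"
cp "$WORK/control_room.pub" "$WORK/control_room_copy.pub"
printf 'remhost,192.168.0.1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQoldkey\nother.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQotherkey\n' > "$WORK/known_hosts"

# 0 when $1 looks like "<type> <base64 blob> [comment]" with a type sshd accepts.
# ssh-dss is admitted only because the manual's keys are DSA; modern OpenSSH
# disables it by default, so prefer RSA or Ed25519 for new keys.
valid_pubkey_line() {
    set -- $1
    case "$1" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    printf '%s' "$2" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# Merge the .pub files given after $1 into $1, skipping malformed or duplicate
# keys. Prints the number of keys written.
build_authorized_keys() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        while IFS= read -r line || [ -n "$line" ]; do
            [ -z "$line" ] && continue
            if ! valid_pubkey_line "$line"; then
                echo "skipping malformed line in $f" >&2
                continue
            fi
            blob=$(printf '%s' "$line" | awk '{ print $2 }')
            grep -Fq -- "$blob" "$out" || printf '%s\n' "$line" >> "$out"
        done < "$f"
    done
    chmod 600 "$out"
    wc -l < "$out" | tr -d ' '
}

# Delete every plain (unhashed) known_hosts entry whose host list contains $2.
# Hashed entries need "ssh-keygen -R host". Prints the number of lines removed.
forget_host_key() {
    before=$(wc -l < "$1" | tr -d ' ')
    awk -v h="$2" '{ n = split($1, names, ","); keep = 1
                     for (i = 1; i <= n; i++) if (names[i] == h) keep = 0
                     if (keep) print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    after=$(wc -l < "$1" | tr -d ' ')
    echo $((before - after))
}
```

Copy the resulting authorized_keys to the server device with scp as in 15.6.4. Treat forget_host_key as the last step of an investigation, not the first: the "host key has changed" warning in 15.6.6 is exactly the signal a man-in-the-middle produces, so confirm out of band that the server's key was reissued before removing the old entry.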
15.7 Secure Sockets Layer (SSL) Support Secure Sockets Layer (SSL) is a protocol originally developed by Netscape for transmitting private documents via the Internet; its standardized successor is TLS. SSL uses public-key cryptography to authenticate the server and negotiate a session key, and that session key encrypts the data transferred over the connection. The console server includes OpenSSL.
-newkey rsa:1024 -keyout ssl_key.pem -out ssl_cert.pem You will be prompted to enter a lot of information. Most of it does not matter, but the "Common Name" should be the domain name by which operators reach the unit (e.g. test.Black Box.com), because browsers compare it with the address in the URL. Note that a 1024-bit RSA key is below the 2048-bit minimum current browsers and guidance expect; use -newkey rsa:2048 unless your firmware cannot handle it. When you have entered everything, the certificate will be created in a file called ssl_cert.pem and the private key in ssl_key.pem; the key file must be kept private. 15.8.3 Installing the key and certificate We recommend that you use an SCP (Secure Copying Protocol) client to copy files securely to the console server unit.
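Before copying a freshly generated pair to the unit it is worth checking that the certificate names the host operators will type and that the key really belongs to it; a mismatched pair or a wrong Common Name only shows up as a browser warning after installation. The script below, an added example that is not from the manual or the product, generates the pair with a 2048-bit key and performs those checks. The host name and output directory are assumptions; run it as "sh thisscript.sh generate".

```shell
#!/bin/sh
# Added example, not from the manual: generate the web UI key/certificate pair
# and verify CN, key size and key/certificate match before installing it.
# CN and OUT are assumptions.
CN="${CN:-console.example.com}"
DAYS="${DAYS:-365}"
OUT="${OUT:-/tmp/consrv-ssl.$$}"

# Self-signed certificate plus unencrypted private key (the unit's web server
# cannot prompt for a passphrase at boot); directory and key readable by us only.
make_selfsigned() {
    mkdir -p "$OUT" && chmod 700 "$OUT" || return 1
    openssl req -x509 -nodes -days "$DAYS" -newkey rsa:2048 -subj "/CN=$CN" \
        -keyout "$OUT/ssl_key.pem" -out "$OUT/ssl_cert.pem" 2>/dev/null || return 1
    chmod 600 "$OUT/ssl_key.pem"
}

# 0 when the certificate's subject CN is exactly $1 (what the browser compares to the URL).
cert_cn_is() {
    openssl x509 -in "$OUT/ssl_cert.pem" -noout -subject -nameopt RFC2253 \
        | grep -q "CN=$1\$"
}

# 0 when the private key in $1 (default: the generated one) matches the certificate,
# compared on the RSA modulus.
key_matches_cert() {
    k=$(openssl rsa -in "${1:-$OUT/ssl_key.pem}" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$OUT/ssl_cert.pem" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# RSA key size in bits, so a script can refuse anything under 2048.
key_bits() {
    openssl rsa -in "$OUT/ssl_key.pem" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

if [ "${1:-}" = generate ]; then
    make_selfsigned && cert_cn_is "$CN" && key_matches_cert && [ "$(key_bits)" -ge 2048 ] \
        && echo "ok: copy $OUT/ssl_key.pem and $OUT/ssl_cert.pem to the unit with scp"
fi
```

The same three checks are useful on the unit after installation, pointed at the installed files, whenever a browser starts warning about the Management Console certificate.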
15.9 Power Strip Control The console server supports a growing list of remote power-control devices (RPCs) that you can configure using the Management Console as described in Chapter 8. These RPCs are controlled using the open source PowerMan and Network UPS Tools and with Black Box’s pmpower utility. 15.9.1 The PowerMan tool PowerMan provides power management in a data center or compute cluster environment.
Also refer powermand (http://linux.die.net/man/1/powermand) documentation and powerman.conf (http://linux.die.net/man/5/powerman.conf) Target Specification powerman target hostnames may be specified as comma separated or space separated hostnames or host ranges. Host ranges are of the general form: prefix[n-m,l-k,...], where n < m and l < k, etc., This form should not be confused with regular expression character classes (also denoted by ''[]'').
Default system Power Device actions are specified in /etc/powerstrips.xml. Custom Power Devices can be added in /etc/config/powerstrips.xml. If an action is attempted which has not been configured for a specific Power Device, pmpower will exit with an error. 15.9.3 Adding new RPC devices There are a number of simple paths to adding support for new RPC devices. The first is to have scripts to support the particular RPC included in either the open source PowerMan project (http://sourceforge.
All of the existing scripts in /etc/powerstrips.xml use the pmchat utility. pmchat works just like the standard unix "chat" program, only it ensures interoperation with the port manager. The final options, speed, charsize, stop and parity define the recommended or default settings for the attached device. 15.10 IPMItool The console server includes the ipmitool utility for managing and configuring devices that support the Intelligent Platform Management Interface (IPMI) version 1.5 and version 2.
IPMI management of a local system interface requires a compatible IPMI kernel driver to be installed and configured. On Linux, this driver is called OpenIPMI and it is included in standard distributions. On Solaris, this driver is called BMC and is included in Solaris 10. Management of a remote station requires the IPMI-over-LAN interface to be enabled and configured.
-v   Increase verbose output level. This option may be specified multiple times to increase the level of debug output. If given three times you will get hexdumps of all incoming and outgoing packets.
-V   Display version information.
If no password method is specified, then ipmitool will prompt the user for a password. If no password is entered at the prompt, the remote server password will default to NULL.
fru    for FRU locators
sel    Print System Event Log (SEL)
pef    Configure Platform Event Filtering (PEF)
sol    Configure IPMIv2.0 Serial-over-LAN
isol   Configure IPMIv1.
15.12 Scripts for Managing Slaves When the console servers are cascaded the Master is in control of the serial ports on the Slaves, and the Master’s Management Console provides a consolidated view of the settings for its own and all the Slave’s serial ports.
Appendix A Linux Commands & Source Code The console server platform is a dedicated Linux computer, optimized to provide monitoring and secure access to serial and network consoles of critical server systems and their supporting power and networking infrastructure. Black Box console servers are built on the 2.4 uCLinux kernel as developed by the uCLinux project. This is GPL code and source can be found at http://cvs.uclinux.org. Some uCLinux commands have config files that can be altered (e.g.
flashw flatfsd ftp gen-keys getopt * gettyd grep * gunzip * gzip * hd hostname * httpd hwclock inetd inetd-echo init ip ipmitool iptables ip6tables iptables-restore iptables-save kill * ln * login loopback loopback1 loopback2 loopback8 loopback16 loopback48 ls * mail mkdir * mkfs.
pgrep         Display process(es) selected by regex pattern
pidof         Find the process ID of a running program
ping          Send ICMP ECHO_REQUEST packets to network hosts
ping6         IPv6 ping
pkill         Sends a signal to process(es) selected by regex pattern
pmchat pmdeny pminetd pmloggerd pmshell pmusers portmanager portmap pppd ps * pwd * reboot * rm * rmdir * routed routef routel rtacct rtmon scp sed * setmac setserial sh showmac sleep * smbmnt smbmount smbumount snmpd snmptrap sredird ssh ssh-keygen sshd sslwrap stty stunnel
sync *        Flush file system buffers
sysctl        Configure kernel parameters at runtime
syslogd       System logging utility
tar *         The tar archiving utility
tc            Show traffic control settings
tcpdump       Dump traffic on a network
telnetd       Telnet protocol server
tftp          Client to transfer a file from/to tftp server
tftpd         Trivial File Transfer Protocol (tftp) server
tip           Simple terminal emulator/cu program for connecting to modems and serial d
top touch * traceroute traceroute6 true * umount * uname * usleep * vconfig * vi * w zcat *
There are also a number of other CLI commands related to other open source tools embedded in the console server, including:
- PowerMan provides power management for many preconfigured remote power controller (RPC) devices. For CLI details, refer to http://linux.die.net/man/1/powerman
- Network UPS Tools (NUT) provides reliable monitoring of UPS and PDU hardware and ensures safe shutdowns of the systems which are connected, with a goal to monitor every kind of UPS and PDU. For CLI details, refer to http://www.
false
fc [-e ename] [-nlr] [first] [last]
fg [job_spec]
for NAME [in WORDS ... ;] do COMMA
function NAME { COMMANDS ; } or NA
getopts optstring name [arg]
hash [-r] [-p pathname] [name ...]
help [-s] [pattern ...]
history [-c] [-d offset] [n] or hi
if COMMANDS; then COMMANDS; [ elif
jobs [-lnprs] [jobspec ...] or job
kill [-s sigspec | -n signum | -si
let arg [arg ...]
type [-apt] name [name ...]
typeset [-afFrxi] [-p] name[=value
ulimit [SHacdflmnpstuv] [limit]
umask [-p] [-S] [mode]
unalias [-a] [name ..
Appendix B Hardware Specifications

FEATURE       VALUE
Dimensions    LES1208A/16A/48A: 17 x 12 x 1.75 in (43.2 x 31.3 x 4.5 cm)
              LES1116A/48A: 17 x 8.5 x 1.75 in (43.2 x 21. x 4.5 cm)
              LES1108A: 8.2 x 4.9 x 1.2 in (20.8 x 12.6 x 4.5 cm)
Weight        LES1208A/16A/48A: 5.4 kg (11.8 lbs)
              LES1116A/48A: 3.9 kg (8.5 lbs)
              LES1108A: 1.7 kg (3.
Appendix C Safety & Certifications
Please take care to follow the safety precautions below when installing and operating the console server:
- Do not remove the metal covers. There are no operator serviceable components inside. Opening or removing the cover may expose you to dangerous voltage which may cause fire or electric shock. Refer all service to Black Box qualified personnel.
- To avoid electric shock, the power cord protective grounding conductor must be connected through to ground.
Appendix F End User License Agreement
READ BEFORE USING THE ACCOMPANYING SOFTWARE
YOU SHOULD CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE USING THE ACCOMPANYING SOFTWARE, THE USE OF WHICH IS LICENSED FOR USE ONLY AS SET FORTH BELOW. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT, DO NOT USE THE SOFTWARE. IF YOU USE ANY PART OF THE SOFTWARE, SUCH USE WILL INDICATE THAT YOU ACCEPT THESE TERMS.
Sale of Goods is hereby excluded in its entirety and does not apply to this EULA. If you acquired this Software in a country outside of the United States, that country's laws may apply. In any action or suit to enforce any right or remedy under this EULA or to interpret any provision of this EULA, the prevailing party will be entitled to recover its costs, including reasonable attorneys' fees. ENTIRE AGREEMENT.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The names of the authors may not be used to endorse or promote products derived from this software without specific prior written permission.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7.
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS
About Black Box Black Box Network Services is your source for more than 118,000 networking and infrastructure products. You'll find everything from cabinets and racks and power and surge protection products to media converters and Ethernet switches, all supported by free, live 24/7 Tech support available in 20 seconds or less. © Copyright 2009.