May 2010
LES1101A
LES1102A
1101 and 1102 Secure Device Servers
Securely monitor, access, and control the computers, networking devices, telecommunications equipment, and power supplies in your data room or communications centers. Manage your servers:
• Locally across your management LAN or through the local serial console port.
• Remotely across the Internet or private network.
Customer Support Information
Order toll-free in the U.S.: Call 877-877-BBOX (outside U.S.
Federal Communications Commission and Industry Canada Radio Frequency Interference Statements
This equipment generates, uses, and can radiate radio-frequency energy, and if not installed and used properly, that is, in strict accordance with the manufacturer's instructions, may cause interference to radio communication.
Normas Oficiales Mexicanas (NOM) Electrical Safety Statement
SAFETY INSTRUCTIONS (translated from the Spanish original)
1. All safety and operating instructions must be read before the electrical appliance is operated.
2. The safety and operating instructions must be kept for future reference.
3. All warnings on the electrical appliance and in its operating instructions must be heeded.
4. All operating and usage instructions must be followed.
Trademarks Used in this Manual
Black Box and the Double Diamond logo are registered trademarks of BB Technologies, Inc. Mac is a registered trademark of Apple Computers, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Windows, Windows Me, Windows NT, and Windows Vista are registered trademarks of Microsoft Corporation. Nagios is a registered trademark of Nagios Enterprises LLC. Java and Solaris are trademarks of Sun Microsystems, Inc.
Table of Contents
1. Specifications ........ 9
2. Overview ........ 10
2.1 Introduction
6.7 SDT Connector Public Key Authentication
6.8 Setting Up SDT for Remote Desktop Access
6.8.1 Enable Remote Desktop on the Target Windows Computer to be Accessed
11. System Management ........ 106
11.1 System Administration and Reset ........ 106
11.2 Upgrade Firmware
15.6.4 Installing SSH Public Key Authentication (Linux) ........ 148
15.6.5 Generating Public/Private Keys for SSH (Windows) ........ 150
15.6.6 Fingerprinting
1. Specifications
2. Overview
2.1 Introduction
This User's Manual walks you through installing and configuring your Black Box Secure Device Servers (LES1101A or LES1102A). Each of these products is referred to generically in this manual as a "console server."
devices; and control these devices using the specified services (for example, Telnet, HTTPS, RDP, IPMI, Serial over LAN, Power Control). An authorized User also has a limited view of the Management Console and can only access authorized configured devices and review port logs. In this manual, when the term user (lower case) is used, it refers to both of the above classes of users.
Table 2-1. LES1101A front-panel components.
Number  Component         Description
1       Barrel connector  Power
2       RJ-45 connector   Links to 10/100 Mbps Ethernet
3       J1 jumper         Selects RS-232, RS-485, RS-422
4       RJ-45 LED         Ethernet Connectivity LED
5       RJ-45             Ethernet Activity
2.5.2 LES1101A Back Panel
Figure 2-3 shows the LES1101A back panel. Table 2-2 describes its components.
Figure 2-3. LES1101A back panel.
Table 2-2. LES1101A back-panel components.
2.5.3 LES1102A Front Panel
Figure 2-4 shows the front panel of the LES1102A. Table 2-3 describes its components.
Figure 2-4. LES1102A front panel.
Table 2-3. LES1102A front-panel components.
2.6 What's Included
Your package should include the following items. If anything is missing or damaged, contact Black Box Technical Support at 724-746-5500 or info@blackbox.com.
2.6.1 LES1101A
• 1101 Secure Device Server
• Universal input 12-VDC wallmount power supply
• Printed Quick Start Guide
• CD-ROM containing this user's manual
2.6.
3. Installation
Make sure you have everything listed in Chapter 2, Section 2.6 for your 1101 or 1102 Secure Device Server.
3.1 Power Connection
The LES1101A and LES1102A models are each supplied with an external DC wall mount power supply. This power supply comes with a selection of wall socket adapters for each geographic region (North America, Europe, UK, Japan or Australia) and will operate with 100-240 VAC, 50/60 Hz input, 7.2 watts maximum. Plug in the DC power cable.
Table 3-1. RS-232 DB9 connector pinouts.
Signal  Pin  Definition
CD      1    Received Line Signal Detector
RXD     2    Received Data
TXD     3    Transmitted Data
DTR     4    Data Terminal Ready
GND     5    Signal Ground
DSR     6    Data Set Ready
RTS     7    Request To Send
CTS     8    Clear To Send
RI      9    Ring Indicator
3.3.
Web management console. Two short cable loops are also required between the RX+/TX+ pins and RX-/TX- pins. This is because the LES1102A uses universal differential transceivers that support 4-wire (RS-422) and 2-wire (RS-485) operation. In RS-485 mode, Port 2 on the LES1102A listens on the 2-wire bus for receive data until it is required to send data.
4. System Configuration
This chapter provides step-by-step instructions for the console server's initial configuration, and for connecting it to the Management or Operational LAN. The Administrator must:
• Activate the Management Console.
• Change the Administrator password.
• Set the IP address of the console server's principal LAN port.
• Select the network services that will be supported.
Figure 4-1. Run screen.
Now add a static entry to the ARP table and ping the console server to assign the IP address to the console server. In the example below, a console server has the MAC address 00:13:C6:00:02:0F (shown on the label on the bottom of the unit) and we are setting its IP address to 192.168.100.23. The PC/workstation issuing the arp command must be on the same network segment as the console server (that is, have an IP address of 192.168.100.
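The following script, added here as an example and not part of the Black Box documentation or firmware, builds the arp and ping commands for this step and enforces the same-segment requirement before anything is run. The target address and MAC are the ones used in the example above; the workstation address with prefix length (192.168.100.10/24), the dash-versus-colon MAC formats for Windows and Unix arp, and the dry-run default are the author's assumptions.

```python
"""Static-ARP bootstrap for a console server that has no IP address yet.

Added example; not Black Box code. It builds the `arp -s` and `ping`
commands from the manual's procedure and enforces the caveat stated there:
the workstation must sit on the same network segment as the address being
assigned. Commands are returned (and optionally run) so they can be
reviewed first. The workstation address with prefix length
("192.168.100.10/24") is an assumed input; the manual gives only the
target address and MAC.
"""
import ipaddress
import re
import subprocess
from typing import List

OCTET = re.compile(r"^[0-9A-Fa-f]{2}$")


def normalize_mac(mac: str, windows: bool) -> str:
    """Return the MAC in the form the platform's arp tool expects.

    Windows arp.exe takes dash-separated octets (00-13-C6-00-02-0F);
    Linux/macOS arp take colon-separated ones.
    """
    octets = re.split(r"[:-]", mac.strip())
    if len(octets) != 6 or not all(OCTET.match(o) for o in octets):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ("-" if windows else ":").join(o.upper() for o in octets)


def same_segment(workstation: str, target_ip: str) -> bool:
    """True if target_ip lies inside the workstation's directly attached network."""
    iface = ipaddress.ip_interface(workstation)
    return ipaddress.ip_address(target_ip) in iface.network


def arp_ping_commands(workstation: str, target_ip: str, mac: str,
                      windows: bool = True) -> List[List[str]]:
    """Build the two commands from the manual: a static ARP entry, then a ping.

    The ping is what actually delivers the address to the console server, so
    the ARP entry must be in place first. Refuses to proceed when the
    workstation is on a different segment: the static entry would never be
    consulted and the ping would go to the default gateway instead.
    """
    iface = ipaddress.ip_interface(workstation)
    if not same_segment(workstation, target_ip):
        raise ValueError(
            f"{target_ip} is not on the workstation's segment ({iface.network}); "
            "move the workstation or pick an address in that range")
    if ipaddress.ip_address(target_ip) == iface.ip:
        raise ValueError("target address collides with the workstation's own address")
    mac_fmt = normalize_mac(mac, windows)
    arp_cmd = ["arp", "-s", target_ip, mac_fmt]
    ping_cmd = ["ping", "-n" if windows else "-c", "3", target_ip]
    return [arp_cmd, ping_cmd]


def run(commands: List[List[str]], execute: bool = False) -> None:
    """Print the commands; run them only when execute=True (needs admin/root)."""
    for cmd in commands:
        print(" ".join(cmd))
        if execute:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    # Target address and MAC from the manual's example; workstation address assumed.
    run(arp_ping_commands("192.168.100.10/24", "192.168.100.23",
                          "00:13:C6:00:02:0F", windows=True))
```

Run it with execute=False first to see the exact commands, then again with execute=True from an administrator or root shell. The ARP entry must exist before the ping, because the ping is what carries the address to the unit.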
You will be prompted to log in. Enter the default administration username and administration password:
Username: root
Password: default
Figure 4-2. Login screen.
NOTE: Console servers are factory configured with HTTPS access enabled and HTTP access disabled. The default credentials above are published in this manual, so change the root password in the next step before the unit is reachable from anything other than the installation workstation.
Figure 4-3. Management console welcome screen.
A Welcome screen, which lists four initial installation configuration steps, will be displayed:
Figure 4-4. System: Administration screen.
1. Select System: Administration.
2. Enter a new System Password, then re-enter it in Confirm System Password. This is the new password for root, the main administrative user account, so choose a complex password and keep it safe.
3. At this stage, you may also wish to enter a System Name and System Description for the console server to give it a unique ID and make it simple to identify.
Figure 4-5. IP Settings screen.
If you selected DHCP, the console server will look for configuration details from a DHCP server on your management LAN. This selection automatically disables any static address. The console server MAC address is printed on a label on the base plate.
Figure 4-6. System: Services screen.
Select the System: Services option, then check or uncheck each service to enable or disable it. The following access protocol options are available:
• HTTPS: This ensures secure browser access to all the Management Console menus. It also allows appropriately configured Users secure browser access to selected Management Console Manage menus.
• Base: The console server uses specific default ranges for the TCP/IP ports for the various access services that Users and Administrators can use to access devices attached to serial ports (as covered in Chapter 5, Serial Port, Host, Device, and User Configuration). The Administrator can also set alternate ranges for these services. These secondary ports are used in addition to the defaults, not instead of them, so both ranges must be allowed for in any firewall rules in front of the console server.
4.5.2 PuTTY
You can also use communications packages like PuTTY to connect to the console server command line (and to connect to serially attached devices, as covered in Chapter 5). PuTTY is a freeware implementation of Telnet and SSH for Windows and UNIX platforms. It runs as an executable application without needing to be installed onto your system. PuTTY (the Telnet and SSH client itself) can be downloaded from http://www.tucows.com/preview/195286.
5. Serial Port, Host, Device, and User Configuration
The Black Box LES1101A and LES1102A console servers enable access to and control of serially attached devices and network-attached devices (hosts). The Administrator must configure access privileges for each of these devices, and specify the services that can be used to control the devices. The Administrator can also set up new users and specify each user's individual access and control privileges.
Figure 5-2. Serial port screen.
Select Serial & Network: Serial Port and you will see the labels, modes, logging levels, and RS-232 protocol options that are currently set up for each serial port. By default, each serial port is set to Console Server mode. To reconfigure the port, click Edit. When you have reconfigured the common settings (Section 5.1.1) and the mode (Sections 5.1.2–5.1.
Before proceeding with further serial port configuration, connect the ports to the serial devices they will be controlling, and make sure they have matching settings.
NOTE: The serial ports are all set at the factory to RS-232: 9600 baud, no parity, 8 data bits, 1 stop bit, and Console Server mode. You can change the baud rate to 2400–230400 baud using the management console.
Figure 5-5. Windows features screen.
If the remote communications are tunneled with SDT Connector, then you can use Telnet to securely access these attached devices (refer to the Note below).
NOTE: In Console Server mode, Users and Administrators can use SDT Connector to set up secure Telnet connections that are SSH tunneled from their client PC/workstations to the serial port on the console server.
Figure 5-6. PuTTY Configuration screen.
PuTTY can be downloaded at http://www.tucows.com/preview/195286.html
SSH: We recommend that you use SSH as the protocol where the User or Administrator connects to the console server (or connects through the console server to the attached serial consoles) over the Internet or any other public network.
TCP: RAW TCP allows connections directly to a TCP socket. Communications programs like PuTTY also support RAW TCP. You would usually access this protocol via a custom application. For RAW TCP, the default address is IP Address:Port, where Port is 4000 + the serial port number; for example, 4001 for serial port 1 and 4002 for serial port 2. RAW TCP sessions carry no encryption of their own, so confine them to trusted networks or tunnel them over SSH.
Figure 5-9. SDT settings.
For configuration details, refer to Chapter 6.4, Using SDT Connector to Telnet or SSH connect to devices that are serially attached to the console server.
5.1.4 Device (RPC, UPS, EMD) Mode
This mode configures the selected serial port to communicate with a serial controlled Uninterruptable Power Supply (UPS), Remote Power Controller/Power Distribution Unit (RPC) or Environmental Monitoring Device (EMD).
Figure 5-10. Device settings screen.
Figure 5-12. Serial bridge settings.
Select Serial Bridging Mode and specify the IP address of the server console server and the TCP port of the remote serial port (for RFC2217 bridging this will be 5001–5002). By default, the bridging client will use RAW TCP. Select RFC2217 if this is the console server mode you have specified on the server console server.
5.2 Add/Edit Users
The Administrator uses this menu selection to set up, edit, and delete users, and to define the access permissions for each of these users.
Figure 5-15. Users and Groups screen.
Users can be authorized to access specified console server serial ports and specified network-attached hosts. These users can also be given full Administrator status (with full configuration and management and access privileges).
Figure 5-16. Add a new user screen.
Click Add User to add a new user. Add a Username and a confirmed Password for each new user. You may also include information related to the user (for example, contact details) in the Description field.
NOTE: The User Name can contain from 1 to 127 alphanumeric characters (you can also use the special characters "-", "_", and ".").
5.3 Authentication
Refer to Chapter 9.1, Authentication Configuration, for authentication configuration details.
5.4 Network Hosts
To access a locally networked computer or device (referred to as a Host), you must identify the Host and specify the TCP or UDP ports/services that will be used to control that Host. Selecting Serial & Network: Network Hosts presents all the network connected Hosts that have been enabled for access, and the related access TCP ports/services.
5.5 Trusted Networks
The Trusted Networks facility gives you an option to nominate specific IP addresses where users (Administrators and Users) must be located to access console server serial ports. Select Serial & Network: Trusted Networks. To add a new trusted network, select Add Rule.
Figure 5-18. Trusted networks screen.
Select the Accessible Port(s) that the new rule is to be applied to.
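As an added example (not Black Box code), the following Python models how Trusted Networks rules of the kind described above can be evaluated and audited. Each rule holds the Accessible Port(s) and one network, as on the Add Rule screen. The manual does not state what happens to a port that has no rule; the code assumes such a port is left unrestricted by this facility, which is exactly the case the audit helper is there to surface. The sample rules and addresses are constructed.

```python
"""Evaluate Trusted Networks rules the way an operator would read them.

Added example, not Black Box code. Each rule nominates the network from
which users may reach a set of Accessible Port(s), mirroring the Add Rule
screen. Two behaviours are assumptions rather than statements from the
manual: a port with no rule at all is treated as unrestricted, and a rule's
network may be given either as a single address or as a CIDR block.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class TrustedNetworkRule:
    ports: List[int]   # Accessible Port(s) the rule applies to
    network: str       # e.g. "192.168.100.0/24" or a single address "10.20.30.40"


class TrustedNetworks:
    def __init__(self, rules: Iterable[TrustedNetworkRule]):
        self._allowed: Dict[int, List[IPNetwork]] = {}
        for rule in rules:
            # strict=False lets an operator type a host address with a prefix
            net = ipaddress.ip_network(rule.network, strict=False)
            for port in rule.ports:
                self._allowed.setdefault(port, []).append(net)

    def permits(self, port: int, source_ip: str) -> bool:
        """Decide whether a connection from source_ip may reach serial port `port`."""
        nets = self._allowed.get(port)
        if nets is None:
            return True  # assumption: no rule configured => not restricted by this facility
        src = ipaddress.ip_address(source_ip)
        # `in` is False across address families, so a v6 source never matches a v4 rule
        return any(src in net for net in nets)

    def unrestricted_ports(self, all_ports: Iterable[int]) -> List[int]:
        """Ports the facility leaves open to any source: the first thing to audit."""
        return [p for p in all_ports if p not in self._allowed]

    def overly_broad_rules(self) -> List[Tuple[int, str]]:
        """Rules whose network is the whole address space; they trust everyone."""
        return [(port, str(net))
                for port, nets in sorted(self._allowed.items())
                for net in nets if net.prefixlen == 0]


if __name__ == "__main__":
    # Constructed sample rules: a management subnet for both ports, plus one
    # extra jump host allowed onto port 2 only.
    policy = TrustedNetworks([
        TrustedNetworkRule(ports=[1, 2], network="192.168.100.0/24"),
        TrustedNetworkRule(ports=[2], network="10.20.30.40"),
    ])
    for port, src in [(1, "192.168.100.77"), (1, "10.20.30.40"), (2, "10.20.30.40")]:
        print(f"port {port} from {src}: {'allow' if policy.permits(port, src) else 'deny'}")
    print("unrestricted ports:", policy.unrestricted_ports([1, 2]))
```

Feed permits() the source address and port from a connection log to check a rule set before it is applied, and run unrestricted_ports() over the unit's real port numbers (1 for the LES1101A, 1 and 2 for the LES1102A) to find ports the policy does not cover.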
Figure 5-19. Serial Port redirection (LES1101A/LES1102A units connecting retail data systems, serial device applications, building automation systems, controllers and sensors to a Serial/IP redirector with virtual COM ports on the desktop PC).
This serial port redirector software is loaded in your desktop PC, and it allows you to use a serial device that's connected to the remote console server as if it were connected to your local serial port.
• Select the connection type for the new connection (Serial, Network Host, UPS, or RPC) and then select the specific connection from the presented list of configured unallocated hosts/ports/outlets.
To add a new network-connected Managed Device: The Administrator adds a new network-connected Managed Device using Add Host on the Serial & Network: Network Host menu.
6. Secure SSH Tunneling and SDT Connector
Each Black Box console server has an embedded SSH server and uses SSH tunneling so remote users can securely connect through the console server to Managed Devices, using text-based console tools (such as SSH, telnet, SoL) or graphical tools (such as VNC, RDP, HTTPS, HTTP, X11, VMware, DRAC, iLO).
• Using SDT to IP connect to hosts that are serially attached to the console server (Section 6.10).
6.1 Configuring for SSH Tunneling to Hosts
To set up the console server to SSH tunnel to access a network attached host: Add the new host and the permitted services using the Serial & Network: Network Hosts menu as detailed in Network Hosts (Chapter 5.4). Only these permitted services will be forwarded through by SSH to the host.
Once the installer completes you will have a working SDT Connector client installed on your machine and an icon on your desktop:
Figure 6-3. SDT connector icon.
Click the SDT Connector icon on your desktop to start the client.
NOTE: SDT Connector is a Java application, so it must have a Java Runtime Environment (JRE) installed. You can download this for free from http://java.sun.com/j2se/.
Figure 6-5. New SDT Gateway screen.
Or, enter a Descriptive Name to display instead of the IP or DNS address, and any Notes or a Description of this gateway (such as its firmware version, site location, or anything special about its network configuration). Click OK and an icon for the new gateway will now appear in the SDT Connector home page.
Figure 6-7. Hosts.
NOTE: The Retrieve Hosts function will auto-configure all user classes (that is, users who are members of the user group, the admin group, some other group, or no group). SDT Connector will not auto-configure the root account (and we recommend that you use this account only for initial configuration and to add an initial admin account to the console server).
Figure 6-9. New SDT Host screen.
Enter the IP or DNS Host Address of the host (if this is a DNS address, it must be able to be resolved by the gateway). Select which Services to use to access the new host. A range of service options are pre-configured in the default SDT Connector client (RDP, VNC, HTTP, HTTPS, Dell RAC, VMware, etc.). If you want to add new services to the range, then proceed to the next section (Adding a new service) then return here.
Select which Client application is associated with the new service. A range of client application options are pre-configured in the default SDT Connector (RDP client, VNC client, HTTP browser, HTTPS browser, Telnet client, etc.). If you want to add new client applications to this range, proceed to the next section (Adding a new client), then return here.
Figure 6-11. Select client.
Click OK, then Close.
Figure 6-13. Edit port redirection.
NOTES: SDT Connector can also tunnel UDP services. SDT Connector tunnels the UDP traffic through the TCP SSH redirection, so it is a "tunnel within a tunnel." Enter the UDP port where the service is running on the host. This will also be the local UDP port that SDT Connector binds as the local endpoint of the tunnel. For UDP services, you still need to specify a TCP port under General.
Enter a Command Line associated with launching the client application. SDT Connector typically launches a client using command line arguments to point it at the local endpoint of the redirection. There are three special keywords for specifying the command line format. When launching the client, SDT Connector substitutes these keywords with the appropriate values: %path% is the path to the executable file, that is, the previous field.
6.3 SDT Connector to Management Console
You can also configure SDT Connector for browser access to the console server's Management Console, and for Telnet or SSH access to the command line. For these connections to the console server itself, you must configure SDT Connector to access the Gateway itself by setting the Gateway (console server) up as a host, and then configuring the appropriate services: Launch SDT Connector on your PC.
Figure 6-18. Add port redirection.
Assuming you have already set up the target console server as a gateway in your SDT Connector client (with username/password etc.), select this gateway and click the Host icon to create a host. Or, select File -> New Host. Enter 127.0.0.1 as the Host Address and use "Serial Port 2" as the descriptive name. In Description/notes, enter something such as "Loopback ports" or "Local serial ports". Click OK.
Figure 6-19. Out-of-band access.
To configure SDT Connector for OoB access: When adding a new Gateway or editing an existing Gateway, select the Out Of Band tab. Enter the secondary, OoB IP address of the gateway (for example, the IP address it is using when dialed in directly). You also may modify the gateway's SSH port if it's not using the default of 22. Enter the command or path to a script to start the OoB connection in Start Command.
Figure 6-20. OoB connection using SDT connector.
When you connect to a service on a host behind the console server, or to the console server itself, SDT Connector will initiate the OoB connection using the provided Start Command. The OoB connection does not stop (using the provided Stop Command) until you click off Out Of Band under Gateway Actions; then the status bar will return to its normal color.
SDT Connector will now use public key authentication when connecting through the SSH gateway (console server). You may have to restart SDT Connector to shut down any existing tunnels that were established using password authentication. If you have a host behind the console server that you connect to by clicking the SSH button in SDT Connector, you may also want to configure access to it for public key authentication as well.
Figure 6-23. Remote Desktop Users dialog box.
To set the user(s) who can remotely access the system with RDP, click Add on the Remote Desktop Users dialog box.
NOTE: If you need to set up new users for Remote Desktop access, open User Accounts in the Control Panel and follow the steps to nominate the new user's name, password, and account type (Administrator or Limited).
In Computer, enter the appropriate IP Address and Port Number: Where there is a direct local or enterprise VPN connection, enter the IP Address of the console server, and the Port Number of the SDT Secure Tunnel for the console server serial port that you attach to the Windows computer you want to control. For example, if the Windows computer is connected to serial Port 2 on a console server located at 192.168.0.50, then you would enter 192.168.0.50:7302.
You can use GUI front end tools like the GNOME Terminal Services Client (tsclient) to configure and launch the rdesktop client. (Using tsclient also enables you to store multiple configurations of rdesktop for connection to many servers.)
Figure 6-26. RDP protocol.
NOTE: The rdesktop client is supplied with Red Hat 9.0: rpm -ivh rdesktop-1.2.0-1.i386.rpm. For Red Hat 8.0 or other distributions of Linux, download the source, untar it, then run configure, make, and make install.
RealVNC http://www.realvnc.com is fully cross-platform, so a desktop running on a Linux machine may be displayed on a Windows PC, on a Solaris machine, or on any number of other architectures. There is a Windows server, allowing you to view the desktop of a remote Windows machine on any of these platforms using exactly the same viewer. RealVNC was founded by members of the AT&T team who originally developed VNC. TightVNC http://www.tightvnc.
• Edit /home/username/.vnc/xstartup if you want a more advanced session than just twm and an xterm.
For Macintosh servers (and clients): OSXvnc http://www.redstonesoftware.com/vnc.html is a robust, full-featured VNC server for Mac OS X that allows any VNC client to remotely view and/or control the Mac OS X machine. OSXvnc is supported by Redstone Software.
Figure 6-29. IP address of console server unit.
To establish the VNC connection, simply activate the VNC Viewer software on the Viewer PC and enter the password.
Figure 6-30. VNC authentication.
NOTE: For general background reading on Remote Desktop and VNC access we recommend the following: The Microsoft Remote Desktop How-To, http://www.microsoft.com/windowsxp/using/mobility/getstarted/remoteintro.mspx; The Illustrated Network Remote Desktop help page.
6.10.1 Establish a PPP Connection between the Host COM Port and Console Server
(This step is only necessary for serially connected computers.) First, physically connect the COM port on the host computer you want to access to the serial port on the console server, then: For non-Windows (Linux, UNIX, Solaris, etc.) computers, establish a PPP connection over the serial port. The online tutorial http://www.yolinux.com/TUTORIALS/LinuxTutorialPPP.
Figure 6-32. User permissions.
Specify which Users will be allowed to use this connection. These should be the same Users who were given Remote Desktop access privileges in the earlier step. Click Next. On the Network Connection screen, select TCP/IP and click Properties.
Figure 6-33. Incoming TCP/IP properties.
On the Incoming TCP/IP Properties screen, select Specify TCP/IP addresses, nominate a From: and a To: TCP/IP address, and click Next.
NOTES (continued): The console server default Username is portXX, where XX is the serial port number on the console server. The default Password is also portXX. To use the defaults for an RDP connection to serial port 2 on the console server, you would have set up a Windows user named port02. Because these defaults are documented here, treat them as placeholders for initial setup and replace them with unique credentials before the connection is left in service. When the PPP connection has been set up, a network icon will appear in the Windows task bar.
NOTE: The above notes describe setting up an incoming connection for Windows XP.
Figure 6-35. SDT settings screen.
NOTE: When you enable SDT, it will override all other Configuration protocols on that port.
NOTE: If you leave the Username and User Password fields blank, they default to portXX and portXX, where XX is the serial port number. The default username and password for Secure RDP over Port 2 are therefore both port02. Set your own values here rather than relying on these published defaults.
Figure 6-36. PuTTY Configuration screen.
In the Session menu, enter the IP address of the console server in the Host Name or IP address field. For dial-in connections, this IP address will be the Local Address that you assigned to the console server when you set it up as the Dial-In PPP Server. For Internet (or local/VPN) connections, this will be the console server's public IP address. Select the SSH Protocol, and the Port will be set to 22.
Figure 6-37. Set destination.
If your destination computer is serially connected to the console server, set the Destination as the serial port's Label followed by :3389. For example, if the Label you specified on the serial port on the console server is win2k3, then specify the remote host as win2k3:3389. Or, you can set the Destination as portXX:3389 (where XX is the SDT enabled serial port number).
NOTE: How secure is VNC? VNC access generally allows access to your whole computer, so security is very important. VNC uses a random challenge-response system to provide the basic authentication that allows you to connect to a VNC server. This is reasonably secure and the password is not sent over the network. Once connected, however, all subsequent VNC traffic is unencrypted, so a malicious user could snoop your VNC session. Run VNC only inside the SSH tunnel that SDT Connector sets up, as described in this chapter, rather than exposing the VNC port directly.
7. Alerts and Logging
This chapter describes the alert generation and logging features of the console server. The Alert facility monitors the serial ports, all logins, and the power status, and sends emails, SMS, Nagios, or SNMP alerts when specified trigger events occur. First, enable and configure the service that will be used to carry the alert (Section 7.1).
You may also enter a Username and Password if the SMTP server requires authentication. You can specify the specific Subject Line that will be sent with the email. Click Apply to activate SMTP.
7.1.2 SMS Alerts
The console server uses email-to-SMS services to send SMS alert notifications to mobile devices. Sending SMS via email using SMTP (Simple Mail Transfer Protocol) is much faster than sending text pages via a modem using the TAP Protocol.
To configure for SNMP v3, you will need to enter an ID and authentication password and contact information for the local Administrator (in the Security Name). Click Apply to activate SNMP.
Figure 7-3. SNMP alerts.
NOTE: All console servers have the snmptrap daemon to send traps/notifications to remote SNMP servers on defined trigger events as detailed above.
Select Alerts & Logging: Alerts, which will display all the alerts currently configured. Click Add Alert.
7.2.1 Add a New Alert
The first step is to specify the alert service that this event will use for sending notification, who to notify there, and what port/host/device is to be monitored:
Figure 7-5. Add a new alert screen.
At Add a New Alert, enter a Description for this new alert.
Figure 7-6. General alert types.
Serial Port Signal Alert: This alert will be triggered when the specified signal changes state and applies to serial ports only. You must specify the particular Signal Type (DSR, DCD or CTS) trigger condition and the Applicable Port(s).
Figure 7-7. Serial port signal alert.
Figure 7-8. Serial port pattern match alert.
UPS Power Status Alert: This alert will be triggered when the UPS power status changes between on line, on battery, and low battery. This status will only be monitored on the Applicable UPS(es) you select.
Power Alert: (next section).
7.2.3 Configuring Power Alert Type
This alert type monitors UPSes, RPCs, and power devices.
Figure 7-9. Power alert.
Select Power Alert to activate.
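The following Python, an added example rather than Black Box code, evaluates the two state-change alert types described above over a constructed sequence of readings: a Serial Port Signal Alert on DCD for ports 1 and 2, and a UPS Power Status Alert for one UPS. The readings themselves, the dict-based reading format, the source names (port1, ups-rack1), and the decision not to fire on the first reading from a source (there is no previous state to compare against) are assumptions; the trigger conditions follow the text.

```python
"""State-change evaluation for Serial Port Signal and UPS Power Status alerts.

Added example; not Black Box code. A Serial Port Signal Alert fires when the
nominated signal (DSR, DCD or CTS) changes state on one of the Applicable
Ports; a UPS Power Status Alert fires when a nominated UPS moves between
"on line", "on battery" and "low battery". Readings are constructed. The
reading format (a dict of field -> value per source) and the silence on the
first reading of a source are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

SIGNALS = ("DSR", "DCD", "CTS")
UPS_STATES = ("on line", "on battery", "low battery")


@dataclass(frozen=True)
class Alert:
    description: str
    source: str      # "port1", "port2", "ups-rack1", ...
    field: str       # "DCD" or "status"
    previous: str
    current: str


class StateChangeAlert:
    """Fires when `field` changes value on one of the applicable sources."""

    def __init__(self, description: str, field: str, applicable: Iterable[str],
                 allowed_values: Tuple[str, ...] = ()):
        self.description = description
        self.field = field
        self.applicable = frozenset(applicable)
        self.allowed_values = allowed_values
        self._last: Dict[str, str] = {}   # last seen value per source

    def observe(self, source: str, reading: Dict[str, str]) -> Optional[Alert]:
        # Only the nominated sources are monitored; other ports/UPSes are ignored.
        if source not in self.applicable or self.field not in reading:
            return None
        current = reading[self.field]
        if self.allowed_values and current not in self.allowed_values:
            raise ValueError(f"{source}: unexpected {self.field} value {current!r}")
        previous = self._last.get(source)
        self._last[source] = current
        if previous is None or previous == current:
            return None   # first sample, or no transition: nothing to send
        return Alert(self.description, source, self.field, previous, current)


def serial_signal_alert(description: str, signal: str, ports: Iterable[int]) -> StateChangeAlert:
    """Serial Port Signal Alert: one Signal Type, the Applicable Port(s)."""
    if signal not in SIGNALS:
        raise ValueError(f"signal must be one of {SIGNALS}")
    return StateChangeAlert(description, signal, (f"port{p}" for p in ports), ("on", "off"))


def ups_power_status_alert(description: str, ups_names: Iterable[str]) -> StateChangeAlert:
    """UPS Power Status Alert: transitions between the three UPS states."""
    return StateChangeAlert(description, "status", ups_names, UPS_STATES)


def evaluate(alerts: List[StateChangeAlert],
             readings: Iterable[Tuple[str, Dict[str, str]]]) -> List[Alert]:
    """Run every reading, in arrival order, past every configured alert."""
    fired: List[Alert] = []
    for source, reading in readings:
        for alert in alerts:
            result = alert.observe(source, reading)
            if result is not None:
                fired.append(result)
    return fired


# Constructed sample readings in arrival order (not captured from a device).
SAMPLE_READINGS = [
    ("port1", {"DSR": "on", "DCD": "on", "CTS": "on"}),
    ("port2", {"DSR": "on", "DCD": "on", "CTS": "on"}),
    ("ups-rack1", {"status": "on line"}),
    ("port2", {"DSR": "on", "DCD": "off", "CTS": "on"}),   # DCD dropped on port 2
    ("port1", {"DSR": "off", "DCD": "on", "CTS": "on"}),   # DSR change: not the monitored signal
    ("ups-rack1", {"status": "on battery"}),
    ("ups-rack1", {"status": "on battery"}),               # unchanged: no alert
    ("ups-rack1", {"status": "low battery"}),
    ("port2", {"DSR": "on", "DCD": "on", "CTS": "on"}),    # DCD restored
]


def demo() -> List[Alert]:
    alerts = [
        serial_signal_alert("Console carrier lost/restored", "DCD", ports=(1, 2)),
        ups_power_status_alert("Rack UPS power status", ["ups-rack1"]),
    ]
    return evaluate(alerts, SAMPLE_READINGS)


if __name__ == "__main__":
    for a in demo():
        print(f"{a.description}: {a.source} {a.field} {a.previous} -> {a.current}")
```

Over the sample readings this produces four alerts: the DCD drop and restore on port 2 and the two UPS transitions (on line to on battery, on battery to low battery). The DSR change on port 1 and the repeated "on battery" reading produce nothing, which is the behaviour the Signal Type and "changes between" wording above calls for.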
7.3 Remote Log Storage
Before activating Serial or Network Port Logging on any port or UPS logging, you must specify where those logs are to be saved: Select the Alerts & Logging: Port Log menu option and specify the Server Type to use, and the details to enable log server access.
Figure 7-11. Remote log storage.
7.4 Serial Port Logging
In Console Server mode, activity logs of all serial port activity can be maintained.
Level 2 Logs all data transferred to and from the port.
Click Add, then click Apply.
8. Power Management
Black Box console servers include embedded software that you can use to manage connected Power Distribution Systems (PDUs), IPMI devices, and Uninterruptible Power Supplies (UPSs) supplied by a number of vendors.
8.1 Remote Power Control (RPC)
The console server Management Console monitors and controls Remote Power Control (RPC) devices using the embedded PowerMan and Network UPS Tools open source management tools and the Black Box power management software.
Click Add RPC. Connected Via presents a list of serial ports and network Host connections that you have set up with device type RPC (but have yet to connect to a specific RPC device): When you select Connect Via for a Network RPC connection, then the corresponding Host Name/Description that you set up for that connection will be entered as the Name and Description for the power device.
Figure 8-3. RPC descriptions. Enter the Username and Password used to log in to the RPC (note that these login credentials are not related to the Users and access privileges you configured in Serial & Networks: Users & Groups). If you selected SNMP protocol, enter the SNMP v1 or v2c Community for Read/Write access (by default this would be “private”). Check Log Status and specify the Log Rate (minutes between samples) if you want the status from this RPC to be logged.
The outlet status is displayed and you can initiate the Action you want to take by selecting the appropriate icon: Turn ON, Turn OFF, Cycle, or Status. You will only be presented with icons for those operations that are supported by the Target you have selected. Figure 8-4. Selected operations supported by target.
8.1.4 RPC Status
You can monitor the current status of your network and serially connected PDUs and IPMI RPCs.
Figure 8-5. Connecting to remote UPS. [Diagram: an LES1102A with multiple local (serial, USB, or networked) UPSes shown as Managed UPS, and an LES1102A with multiple remote UPSes shown as Remote UPS.]
8.2.1 Managed UPS Connections
A Managed UPS is a UPS that is directly connected as a Managed Device to the console server. You can connect it via serial or USB cable or by the network.
Serial and network connected UPSes must first be connected to, and configured to communicate with the console server: For serial UPSes attach the UPS to the selected serial port on the console server. From the Serial and Network: Serial Port menu, configure the Common Settings of that port with the RS-232 properties, etc. required by the UPS (refer to Chapter 5.1.1—Common Settings). Then select UPS as the Device Type.
Figure 8-8. Add managed UPS screen. Select if the UPS will be Connected Via USB, over a pre-configured serial port, or via SNMP/HTTP/HTTPS over the preconfigured network Host connection. When you select a network UPS connection, then the corresponding Host Name/Description that you set up for that connection will be entered as the Name and Description for the power device.
Click New Options in Driver Options if you need to set driver-specific options for your selected NUT driver and hardware combination (more details at http://www.networkupstools.org/doc). Figure 8-9. New option screen. Check Log Status and specify the Log Rate (minutes between samples) if you want the status from this UPS to be logged. You can view these logs from the Status: UPS Status screen.
Enter the IP Address or DNS name of the remote console server* that is managing the remote UPS. (*This may be another Black Box console server or it may be a generic Linux server running Network UPS Tools.
Figure 8-11. UPS graph. Click on any particular All Data for any UPS System in the table for more status and configuration information about the selected UPS System. Select UPS Logs and you will be presented with the log table of the load, battery charge level, temperature, and other status information from all the Managed and Monitored UPS systems. This information will be logged for all UPSes that were configured with Log Status checked.
Figure 8-13. NUT. [Diagram: an LES1102A running the Monitor log graph and client, the NUT upsc client, a local NUT upsd server, and the NUT serial/USB/SNMP UPS drivers for multiple local UPSes; a second LES1102A running its own NUT upsd server and UPS drivers for multiple remote UPSes.] NUT is built on a networked model with a layered scheme of drivers, server and clients: The driver programs talk directly to the UPS equipment and run on the same host as the NUT network server (upsd).
Central management of multiple NUT servers: A central NUT client can monitor multiple NUT servers that may be distributed throughout the data center, across a campus, or around the world. NUT supports the more complex power architectures found in data centers, communications centers, and distributed office environments where many UPSes from many vendors power many systems with many clients.
9. Authentication
The console server is a dedicated Linux computer with a myriad of popular and proven Linux software modules for networking, secure access (OpenSSH), and communications (OpenSSL), and sophisticated user authentication (PAM, RADIUS, TACACS+, and LDAP). This chapter details how the Administrator can use the Management Console to establish remote AAA authentication for all connections to the console server and attached serial and network host devices.
Figure 9-2. TACACS screen. Enter the Server Address (IP or host name) of the remote Authentication/Authorization server. Multiple remote servers may be specified in a comma-separated list. Each server is tried in succession. In addition to multiple remote servers, you can also enter separate lists of Authentication/Authorization servers and Accounting servers. If no Accounting servers are specified, the Authentication/Authorization servers are used instead.
RADIUS: The Remote Authentication Dial-In User Service (RADIUS) protocol was developed by Livingston Enterprises as an access server authentication and accounting protocol. The RADIUS server can support a variety of methods to authenticate a user. When it is provided with the username and original password given by the user, it can support PPP, PAP, or CHAP, UNIX login, and other authentication mechanisms.
Example 2: User Ben is only defined on the TACACS server, which says he has access to ports 5 and 6. When he attempts to log in, a new user will be created for him, and he will be able to access ports 5 and 6. If the TACACS server is down he will have no access. Example 3: User Paul is defined on a RADIUS server only. He has access to all serial ports and network hosts. Example 4: User Don is locally defined on an appliance using RADIUS for AAA.
9.3 SSL Certificate
The console server uses the Secure Sockets Layer (SSL) protocol for encrypted network traffic between itself and a connected user. When establishing the connection, the console server has to expose its identity to the user’s browser using a cryptographic certificate. The default certificate that comes with the console server device upon delivery is for testing purposes only.
Select System: SSL Certificate and fill out the fields as explained below:
Common name: This is the network name of the console server once it is installed in the network (usually the fully qualified domain name). It is identical to the name that is used to access the console server with a web browser (without the “http://” prefix).
Figure 9-6. Upload button. After completing these steps, the console server has its own certificate that is used for identifying the console server to its users. NOTE: You can find information on issuing certificates and configuring HTTPS from the command line in Chapter 14.
10. Nagios Integration
Nagios is a powerful, highly extensible open source tool for monitoring network hosts and services. The core Nagios software package will typically be installed on a server or virtual server, the central Nagios server. Console servers operate in conjunction with a central/upstream Nagios server to distribute and monitor attached network hosts and serial devices.
10.2 Central Management and Setting Up SDT for Nagios
The Black Box Nagios solution has three parts: the Central Nagios server, Distributed Black Box console servers, and the SDT for Nagios software. Figure 10-2. Nagios setup. [Diagram: Central Nagios server, Distributed console servers (LES1102A), and Client.]
Central Nagios server
• A vanilla Nagios 2.x or 3.x installation (typically on a Linux server) generally running on a blade, PC, virtual machine, etc. at a central location.
2. Run the SDT for Nagios Configuration Wizard on the central Nagios server (Section 10.2.1—Set up SDT Nagios on central Nagios server) and perform any additional configuration tasks. 3. Install SDT Connector on each client.
10.2.1 Setup Central Nagios Server
SDT for Nagios requires a central Nagios server running Nagios 2.x or 3.x. Nagios 1.x is not supported.
Click Apply. Next, you must configure the attached Windows network host and specify the services you will be checking with Nagios (HTTP and HTTPS): Select Network Hosts from the Serial & Network menu and click Add Host. Enter the IP Address/DNS Name of the network server, for example: 192.168.1.10 and enter a Description, for example: Windows 2003 IIS Server. Remove all Permitted Services.
Finally, you need to add a User for the client running SDT Connector: Select Users & Groups from the Serial & Network menu. Click Add User. In Username, enter: sdtnagiosuser, then enter and confirm a Password. In Accessible Hosts click the IP address/DNS name of the IIS server, and in Accessible Ports click the serial port that has the router console port attached. Click Apply. 10.
10.3.2 Enable NRPE Monitoring
Figure 10-5. NRPE monitoring structure. [Diagram: the Nagios monitoring host runs check_nrpe over the network to NRPE on the remote console server (LES1102A), which reaches the remote managed devices over serial.]
Enabling NRPE allows you to execute plug-ins (such as check_tcp and check_ping) on the remote Console server to monitor serial or network attached remote servers. This will offload CPU load from the upstream Nagios monitoring machine.
Refer to the sample Nagios configuration section below for some examples of configuring specific NSCA checks.
10.3.4 Configure Selected Serial Ports for Nagios Monitoring
The individual Serial Ports connected to the console server to be monitored must be configured for Nagios checks. See Chapter 10 for details on enabling Nagios monitoring for Hosts that are network connected to the console server.
    host_name    Black Box
    alias        Console server
    address      192.168.254.147
}
; Managed Host
define host{
    use          generic-host
    host_name    server
    alias        server
    address      192.168.254.227
}
; NRPE daemon on gateway
define command {
    command_name check_nrpe_daemon
    command_line $USER1$/check_nrpe -H 192.168.254.

    check_command          check_port_log
}
define service {
    service_description    port-log-server
    host_name              server
    use                    generic-service
    check_command          check_port_log
    active_checks_enabled  0
    passive_checks_enabled 1
}
define servicedependency{
    name                          Black Box_nrpe_daemon_dep
    host_name                     Black Box
    dependent_host_name           server
    dependent_service_description Port Log
    service_description           NRPE Daemon
    execution_failure_criteria    w,u,c
}
; Ping
define command{
    command_name check_ping_via_Black Box
    co

    use                    generic-service
    check_command          check_conn_via_Black Box!tcp!22
    active_checks_enabled  0
    passive_checks_enabled 1
}
define servicedependency{
    name                          Black Box_nrpe_daemon_dep
    host_name                     Black Box
    dependent_host_name           server
    dependent_service_description SSH Port
    service_description           NRPE Daemon
    execution_failure_criteria    w,u,c
}
10.4.
10.4.4 Distributed Monitoring Usage Scenarios
Below are a number of distributed monitoring Nagios scenarios:
Local office
In this scenario, the console server is set up to monitor each managed device’s console. Configure it to make a number of checks, either actively at the Nagios server's request, or passively at preset intervals, and submit the results to the Nagios server in a batch.
Remote site with restrictive firewall
In this scenario, the role of the console server will vary. One aspect may be to upload check results through NSCA. Another may be to provide an SSH tunnel to allow the Nagios server to run NRPE commands. Figure 10-9. Using Nagios in a remote site with a restrictive firewall. [Diagram: Nagios server, the Internet, and the console server at the remote site; the SSH tunnel for the remote site NRPE server is initiated at the branch server's request.]
11. System Management
This chapter describes how the Administrator can perform a range of general console server system administration and configuration tasks such as:
• Applying Soft and Hard Resets to the gateway.
• Re-flashing the Firmware.
• Configuring the Date, Time, and NTP.
• Setting up Backup of the configuration files.
The hard erase will clear all custom settings and return the unit back to factory default settings (i.e. the IP address will be reset to 192.168.0.1). You will be prompted to log in and must enter the default administration username and administration password:
Username: root
Password: default
Figure 11-2. Hard erase.
11.2 Upgrade Firmware
Before upgrading, make sure you are already running the most current firmware in your gateway.
Click Apply and the console server appliance will perform a soft reboot and start upgrading the firmware. This process will take several minutes. After the firmware upgrade completes, click here to return to the Management Console. Your console server will have retained all its pre-upgrade configuration information.
11.3 Configure Date and Time
We recommend that you set the local Date and Time in the console server as soon as it is configured.
Figure 11-6. Configuration backup screen. With all console servers, you can save the backup file remotely on your PC and you can restore configurations from remote locations: Click Save Backup in the Remote Configuration Backup menu. The config backup file (System Name_date_config.opg) will be downloaded to your PC and saved in the location you nominate.
12. Status Reports
This chapter describes the dashboard feature and the status reports that are available:
• Port Access and Active Users
• Statistics
• Support Reports
• Syslog
• Dashboard
Other status reports that are covered elsewhere include:
• UPS Status (Chapter 8.2)
• RPC Status (Chapter 8.1)
12.1 Port Access and Active Users
The Administrator can see which Users have access privileges with which serial ports: Select the Status: Port Access Figure 12-1.
Figure 12-2. Statistics status. You can find detailed statistics reports by selecting the various submenus.
12.3 Support Reports
The Support Report provides useful status information that will assist the Black Box Technical Support team to solve any problems you may experience with your console server. If you do experience a problem and have to contact tech support, make sure you include the Support Report with your email support request.
12.4 Syslog
The Linux System Logger in the console server maintains a record of all system messages and errors: Select Status: Syslog. You can redirect the syslog record to a remote Syslog Server: Enter the remote Syslog Server Address and Syslog Server Port details and click Apply. The console maintains a local Syslog.
12.5.1 Configuring the Dashboard
Only users who are members of the admin group (and the root user) can configure and access the dashboard. To configure a custom dashboard: Select System: Configure Dashboard and select the user (or group) you are configuring this custom dashboard layout for. Click Next. Figure 12-6. Custom dashboard. NOTE: You can configure a custom dashboard for any admin user or for the admin group or you can reconfigure the default dashboard.
To configure what is to be displayed by each widget: Go to the Configure widgets panel and configure each selected widget (for example, specify which UPS status is to be displayed on the ups widget or the maximum number of Managed Devices to be displayed in the devices widget). Click Apply. Figure 12-8. Configure widgets. NOTE: Dashboard configuration is stored in the /etc/config/config.xml file. Each configured dashboard will increase the config file.
13. Management
The console server has a small number of Manage reports and tools that are available to both Administrators and Users:
• Access and control authorized devices.
• View serial port logs and host logs for those devices.
• Use SDT Connector or the java terminal to access serially attached consoles.
• Control power devices (where authorized).
All other Management Console menu items are available to Administrators only. 13.
Figure 13-3. Port logs. To display Host logs, select Manage: Host Logs and the Host to be displayed.
13.3 Serial Port Terminal Connection
Administrators and Users can communicate directly with the console server command line and with devices attached to the console server serial ports using SDT Connector and their local telnet client, or use a java terminal in their browser. Select Manage: Terminal. Figure 13-4. Managing terminal.
NOTE: You must install SDT Connector on the computer you are browsing from and add the console server as a gateway as detailed in Chapter 6. The alternative to using SDT Connector and your local telnet client is to run the open source jcterm java terminal applet in your browser to connect to the console server and attached serial port devices. jcterm does have some JRE compatibility issues that may prevent it from loading. Select Manage: Terminal.
14. Configuration from the Command Line
For those who prefer to configure their console server at the Linux command line level (rather than use a browser and the Management Console), this chapter describes how to use command line access and the config tool to manage the console server and configure the ports, etc. The config documentation in this chapter walks through command line configuration to deliver the functions provided using the Management Console GUI.
The config tool
Syntax
config [ -ahv ] [ -d id ] [ -g id ] [ -p path ] [ -r configurator ] [ -s id=value ] [ -P id ]
Description
The config tool is designed to perform multiple actions from one command if needed, so options can be chained together. The config tool allows you to manipulate and query the system configuration from the command line.
The registered configurators are: alerts, auth, cascade, console, dhcp, dialin, eventlog, hosts, ipaccess, ipconfig, nagios, power, serialconfig, services, slave, systemsettings, time, ups, and users. There are three ways to delete a config element value. The simplest way is to use the delete-node script detailed later in this chapter.
NOTE: Supported serial port baud rates are '50', '75', '110', '134', '150', '200', '300', '600', '1200', '1800', '2400', '4800', '9600', '19200', '38400', '57600', '115200', and '230400'. Supported parity values are 'None', 'Odd', 'Even', 'Mark', and 'Space'. Supported data-bits values are '8', '7', '6', and '5'. Supported stop-bits values are '1', '1.5', and '2'. Supported flow-control values are 'Hardware', 'Software', and 'None'.
# config -s config.ports.port5.sdt.ssh=on
To configure a username and password when accessing this port with Username = user1 and Password = secret:
# config -s config.ports.port#.sdt.username=user1
# config -s config.ports.port#.sdt.password=secret
Terminal server mode
Enable a TTY login for a local terminal attached to serial port 5:
# config -s config.ports.port5.mode=terminal
# config -s config.ports.port5.
Your new User will be the existing total plus 1. If the previous command gave you 0, then you start with user number 1. If you already have 1 user your new user will be number 2, etc. To add a user (with Username=John, Password=secret and Description=mySecondUser) issue the commands:
# config -s config.users.total=2 (assuming we already have 1 user configured)
# config -s config.users.user2.username=John
# config -s config.users.user2.
14.4 Adding and Removing User Groups
The console server is configured with a few default user groups (even though only two of these groups are visible in the Management Console GUI). To find out how many groups are already present:
# config -g config.groups.total
Assume this value is six. Make sure you number any new groups you create from seven and up.
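The "existing total plus 1" rule above applies to both config.users and config.groups, and getting the index or the total wrong leaves an orphaned entry in config.xml. The following script is an added example, not a tool shipped on the console server: it computes the next free index and prints the matching config -s commands so they can be reviewed before being run on the unit. The config.users.userN.password key is an assumption modelled on the ports.port#.sdt.password key shown earlier, and the totals in the comments are constructed sample values.

```shell
#!/bin/sh
# Added example: compute the next free index for the numbered
# config.users.userN / config.groups.groupN entries and emit the matching
# "config -s" commands. The config binary only exists on the console server,
# so the commands are printed rather than executed; pipe the output into sh
# on the device (or read the live total first with: config -g config.users.total).

# next_index TOTAL -> prints TOTAL+1, the number the new user or group gets.
# Entries are numbered from 1, so a total of 0 yields index 1 and a total of
# 6 (the groups example above) yields 7.
next_index() {
    case "$1" in
        ''|*[!0-9]*)
            echo "next_index: total must be a non-negative integer, got '$1'" >&2
            return 1 ;;
    esac
    echo $(($1 + 1))
}

# add_user TOTAL USERNAME PASSWORD DESCRIPTION
# Prints the commands that register one new user, update the total, and
# apply the change with the users configurator. Values containing spaces
# (the description) are quoted the way the manual quotes them.
# The ...userN.password key is an assumption; confirm it on your unit.
add_user() {
    n=$(next_index "$1") || return 1
    printf 'config -s config.users.user%s.username=%s\n' "$n" "$2"
    printf 'config -s config.users.user%s.password=%s\n' "$n" "$3"
    printf 'config -s "config.users.user%s.description=%s"\n' "$n" "$4"
    printf 'config -s config.users.total=%s\n' "$n"
    printf 'config -r users\n'
}

# Constructed sample: one user already present, so John becomes user2.
# add_user 1 John secret mySecondUser
```

On the device the output can be piped straight into sh after review; keeping the total update and the configurator run in the same batch avoids a half-registered user if the session drops.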
To configure TACACS authentication:
# config -s config.auth.tacacs.auth_server='comma separated list' (list of remote authentication and authorization servers.)
# config -s config.auth.tacacs.acct_server='comma separated list' (list of remote accounting servers. If unset, Authentication and Authorization Server Address will be used.)
# config -s config.auth.tacacs.password='password'
To configure RADIUS authentication:
# config -s config.auth.radius.
Add other network host
To add any other type of network host with the following details:
IP address/DNS name: 192.168.3.10
Host name: OfficePC
Description: MyPC
Allowed services: ssh port 22, https port 443
Log level for services: 1
Issue the commands below. If the Host is not a PDU or UPS power device or a server with IPMI power control, then leave the device type blank:
# config -s config.sdt.hosts.host4.address=192.168.3.10
# config -s config.sdt.hosts.host4.
The following command will synchronize the live system with the new configuration:
# config -r serialconfig
14.8 Cascaded Ports
To add a new slave device with the following settings:
IP address/DNS name: 192.168.0.153
Description: Console in office 42
Label: les1102-2
Number of ports: 2
The following commands must be issued:
# config -s config.cascade.slaves.slave1.address=192.168.0.153
# config -s "config.cascade.slaves.slave1.
# config -s config.ups.monitors.monitor1.options.option1.opt=option
# config -s config.ups.monitors.monitor1.options.option1.arg=argument
# config -s config.ups.monitors.monitor1.options.total=1
# config -s config.ups.monitors.monitor1.log.enabled=on
# config -s config.ups.monitors.monitor1.log.interval=2
# config -s config.ups.monitors.monitor1.script.enabled=on
Make sure to increment the total monitors:
# config -s config.ups.monitors.
# config -s "config.ports.port2.power.type=APC 7900"
# config -s config.ports.port2.power.name=MyRPC
# config -s "config.ports.port2.power.description=RPC in room 5"
# config -s config.ports.port2.power.username=rpclogin
# config -s config.ports.port2.power.password=secret
# config -s config.ports.port2.power.snmp.community=v1
# config -s config.ports.port2.power.log.enabled=on
# config -s config.ports.port2.power.log.interval=600
# config -s config.ports.port2.
Notice
Warning
Assume the remote log server needs a username 'name1' and password 'secret':
# config -s config.eventlog.server.username=name1
# config -s config.eventlog.server.password=secret
To set the remote path as '/Black Box/logs' to save logged data:
# config -s "config.eventlog.server.path=/Black Box/logs"
# config -s config.eventlog.server.type=[none | syslog | nfs | cifs | usb]
If the server type is set to usb, none of the other values need to be set.
# config -s "config.alerts.alert2.pattern=.*0.0% id"
# config -s config.alerts.alert2.port10=on
# config -s config.alerts.alert2.sensor=temp
# config -s config.alerts.alert2.signal=DSR
# config -s config.alerts.alert2.type=pattern
UPS Power Status Alert
To trigger an alert when myUPS (on localhost) or thatUPS (on remote host 192.168.0.50) power status changes between on line, on battery, and low battery:
# config -s config.alerts.alert2.
# config -s "config.system.smtp.subject=SMTP alerts"
To set up an SMTP SMS server with the same details as above:
# config -s config.system.smtp.server2=mail.Black Box.com
# config -s config.system.smtp.encryption2=SSL (can also be TLS or None)
# config -s config.system.smtp.sender2=John@Black Box.com
# config -s config.system.smtp.username2=john
# config -s config.system.smtp.password2=secret
# config -s config.system.smtp.
# config -s config.interfaces.wan.mode=static
# config -s config.interfaces.wan.media=[ Auto | 100baseTx-FD | 100baseTx-HD | 10baseT-HD | 10baseT-FD ]
To enable bridging between all interfaces:
# config -s config.system.bridge.enabled=on
To enable IPv6 for all interfaces:
# config -s config.system.ipv6.enabled=on
To configure the management LAN interface, use the same commands as above but replace config.interfaces.wan with config.interfaces.
The following command will synchronize the live system with the new configuration:
# config -r time
14.19 DHCP Server
To enable the DHCP server on the console management LAN, with settings:
Default lease time: 200000 seconds
Maximum lease time: 300000 seconds
DNS server1: 192.168.2.3
DNS server2: 192.168.2.4
Domain name: company.com
Default gateway: 192.168.0.
IP pool 1 start address:
IP pool 1 end address:
Reserved IP address:
MAC to reserve IP for:
Name to identify this host:
The following command will synchronize the live system with the new configuration:
# config -a
14.21 NAGIOS
To configure NAGIOS with the following settings:
NAGIOS host name: console at R3 (Name of this system)
NAGIOS host address: 192.168.0.1 (IP to find this device at)
NAGIOS server address: 192.168.0.10 (upstream NAGIOS server)
Enable SDT for NAGIOS ext.: Enabled
SDT gateway address: 192.168.0.
Prefer NRPE over NSCA:
Black Box console servers run the embedded Linux operating system, so Administrator-class users can configure the console server and monitor and manage attached serial console and host devices from the command line using Linux commands and the config utility as described in Chapter 14. The Linux kernel in the console server also supports the GNU bash shell, enabling the Administrator to run custom scripts.
For power and alarm sensor alerts (power load, and battery charge alerts): /etc/scripts/environmental-alert
For an interface failover alert: /etc/scripts/interface-failover-alert
All of these scripts do a check to see whether you have created a custom script to run instead.
email to more than one email address, find the lines in the script responsible for invoking the alert-email script, then add the following lines below the existing lines:
export TOADDR="emailaddress@domain.com"
/bin/sh /etc/scripts/alert-email $suffix &
These two lines assign a new email address to TOADDR and invoke the alert-email script in the background.
NEWTOTAL=$[ $TOTAL -1 ]
# Make backup copy of config file
cp /etc/config/config.xml /etc/config/config.bak
echo "backup of /etc/config/config.xml saved in /etc/config/config.bak"
if [ -z $NUMBER ] # test whether a singular node is being \
#deleted e.g. config.sdt.
echo Done
exit 0
else
echo "error: item being deleted has an index greater than total items. Increase the total count variable."
exit 0
fi
The ping-detect script is designed to run specified commands when a monitored host stops responding to ping requests. The first parameter taken by the ping-detect script is the hostname/IP address of the device to ping.
sleep 30s
fi
if [ "$COUNTER" -eq 5 ]
then
COUNTER=0
"$@"
sleep 2s
fi
done
A configurator is responsible for reading the values in /etc/config/config.xml and making the appropriate changes live. Some changes made by the configurators are part of the Linux configuration itself, such as user passwords or ipconfig. Currently there are nineteen configurators.
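The ping-detect fragment above shows the essential structure: count consecutive misses, run the supplied command once the counter reaches a threshold, then reset. The script below is an added example in the same spirit and is not the ping-detect script shipped on the console server. It keeps the counter logic in a function so the threshold, the probe command and the action are all parameters; INTERVAL (seconds between probes), MAX_ROUNDS (0 = run forever) and the 192.0.2.10 address in the usage line are assumptions added for this example.

```shell
#!/bin/sh
# Added example (not the device's own ping-detect): a consecutive-failure
# watchdog. PROBE is any command that exits 0 while the monitored host
# answers; after THRESHOLD consecutive failures ACTION runs once and the
# miss counter resets, so a long outage raises one notification per
# THRESHOLD probes rather than one per probe. INTERVAL and MAX_ROUNDS are
# assumptions added so the loop can be exercised offline.

# watch_host THRESHOLD MAX_ROUNDS PROBE ACTION
# Prints how many times ACTION fired (meaningful when MAX_ROUNDS > 0).
watch_host() {
    threshold=$1; max_rounds=$2; probe=$3; action=$4
    interval=${INTERVAL:-30}
    counter=0; rounds=0; fired=0
    while [ "$max_rounds" -eq 0 ] || [ "$rounds" -lt "$max_rounds" ]; do
        rounds=$((rounds + 1))
        if sh -c "$probe" >/dev/null 2>&1; then
            counter=0                 # host answered: earlier misses are forgotten
        else
            counter=$((counter + 1))  # one more consecutive miss
        fi
        if [ "$counter" -ge "$threshold" ]; then
            sh -c "$action" >/dev/null 2>&1   # run the notification command
            fired=$((fired + 1))
            counter=0                 # start counting again for the next report
        fi
        if [ "$interval" -gt 0 ]; then sleep "$interval"; fi
    done
    echo "$fired"
}

# Usage on a device (constructed address): probe every 30 s, report after
# five misses via syslog, run until killed.
# INTERVAL=30 watch_host 5 0 "ping -c 1 192.0.2.10" "logger -t ping-detect '192.0.2.10 not answering'"
```

Because the probe and the action are ordinary commands, the same loop can watch a TCP service (for example a check_tcp plug-in) instead of ICMP, and the action can be any of the /etc/scripts alert handlers named above.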
To save the configuration:
# /etc/scripts/backup-usb save config-20May
To check if the backup was saved correctly:
# /etc/scripts/backup-usb list
If this command does not display "* config-20May" then there was an error saving the configuration. The set-default command takes an input file as an argument and renames it to "default.opg". This default configuration remains stored on the USB disk.
Black Box’s portmanager program manages the console server serial ports. It routes network connections to serial ports, checks permissions, and monitors and logs all the data flowing to/from the ports.
pmshell
The pmshell command acts similar to the standard tip or cu commands, but all serial port access is directed via the portmanager.
portmanager daemon
There is normally no need to stop and restart the daemon. To restart the daemon normally, just run the command:
# portmanager
Supported command line options are:
Force portmanager to run in the foreground: --nodaemon
Set the level of debug logging: --loglevel={debug,info,warn,error,alert}
Change which configuration file it uses: -c /etc/config/portmanager.
fi
You can use tip and stty to completely bypass the portmanager and have raw access to the serial ports. When you run tip on a portmanager controlled port, portmanager closes that port, and stops monitoring it until tip releases control of it. With stty, the changes made to the port only “stick” until that port is closed and opened again.
If the standard system firewall configuration is not adequate for your needs you can bypass it safely by creating a file at /etc/config/filter-custom containing commands to build a specialized firewall. This firewall script will run whenever the LAN interface is brought up (including initially) and will override any automated system firewall settings. Below is a simple example of a custom script that creates a firewall using the iptables command.
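A custom filter-custom script replaces the automated firewall entirely, so a mistake in it either exposes the management services or locks the administrator out. The script below is an added example of the shape such a file can take; it is not the firewall Black Box ships. The interface name, the management network, and the permitted ports are assumptions constructed for the example, and setting IPT=echo prints the rules instead of loading them so the script can be reviewed on a workstation without iptables.

```shell
#!/bin/sh
# Added example of a /etc/config/filter-custom script (not Black Box's own
# firewall). Everything below the IPT line is an assumption for the example:
# adjust the interface, management network and ports to your site.
# IPT=echo turns the script into a dry run that prints each rule.
IPT=${IPT:-iptables}
LAN_IF=${LAN_IF:-eth0}                       # interface the rules apply to
MGMT_NET=${MGMT_NET:-192.168.0.0/24}         # constructed: hosts allowed to manage the unit
ADMIN_PORTS=${ADMIN_PORTS:-"22 443"}         # SSH and HTTPS to the console server

build_firewall() {
    # Flush INPUT while its policy is still ACCEPT, so an error part-way
    # through the script does not cut off the session that is loading it.
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections the console server opens itself (remote syslog,
    # NTP, NUT, SMTP alerts, NSCA uploads) come back through this rule.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Management protocols are reachable only from the management network.
    for port in $ADMIN_PORTS; do
        $IPT -A INPUT -i "$LAN_IF" -s "$MGMT_NET" -p tcp --dport "$port" -j ACCEPT
    done
    # Keep echo-request working so Nagios and ping-style checks still see the unit.
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Record what is about to be dropped, rate limited so a scan cannot flood syslog.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "filter-custom drop: "
    # Default deny goes last, once every accept rule is in place.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
}

# On the console server the file ends with a bare call:
# build_firewall
# Dry run on a workstation: IPT=echo sh filter-custom
```

Review the dry-run output before copying the file onto the unit, and check that the network you manage it from is inside MGMT_NET; the rules take effect every time the LAN interface comes up.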
To set the Username field (SNMP version 3 only):
config --set config.system.snmp.username2=yourusername
.. replacing yourusername with the username config.system.snmp.username2 (3 only)
To set the Engine ID field (SNMP version 3 only)
config --set config.system.snmp.password2=yourpassword
..
The key fingerprint is:
28:aa:29:38:ba:40:f4:11:5e:3f:d4:fa:e5:36:14:d6 user@server
$
Create a new directory to store your generated keys. You can also name the files after the device they will be used for. For example:
$ mkdir keys
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.
[Figure 15-1. Master LES1102A, slave LES1102A and slave LES1101A: the master holds id_rsa and id_rsa.pub, each slave holds an authorized_keys file containing the master's public key.]
http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd

This section describes how to generate and configure SSH keys using Windows. First create a new user from the Black Box Management (the following example uses a user called "testuser"), making sure it is a member of the "users" group.
Use WinSCP to copy this "authorized_keys" file into the user's home directory, e.g. /etc/config/users/testuser/.ssh/authorized_keys, of the Black Box gateway which will be the SSH server. You will need to make sure this file is in the correct format with the correct permissions with the following commands:

# dos2unix \
/etc/config/users/testuser/.ssh/authorized_keys && chown testuser \
/etc/config/users/testuser/.
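As an added example, not part of the manual, the following script checks an authorized_keys file copied from Windows for the problems the dos2unix and permission steps above are meant to prevent: CR line endings, malformed key lines, and a file writable by group or others. The path is passed as the first argument; the function names are constructed.

```shell
#!/bin/sh
# Added example, not from the Black Box manual: sanity-check an authorized_keys
# file (e.g. /etc/config/users/testuser/.ssh/authorized_keys) before relying
# on it for public key authentication. Path is passed as $1.

# Return 0 if the file contains no carriage returns (dos2unix not needed).
no_crlf() {
    [ "$(tr -cd '\r' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# Return 0 if every non-blank, non-comment line starts with a known key type
# followed by a base64 blob; print each offending line and return 1 otherwise.
keys_well_formed() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 !~ /^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/ {
            print "bad key type: " $0; bad = 1; next
        }
        $2 !~ /^[A-Za-z0-9+\/]+=*$/ { print "bad key data: " $0; bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Return 0 if neither group nor others have write permission on the file
# (sshd refuses keys from files that other users could edit).
mode_is_private() {
    perms=$(ls -l "$1" | cut -c1-10)
    case "$perms" in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# Run all three checks; the exit status says whether the file is usable.
check_authorized_keys() {
    no_crlf "$1" && keys_well_formed "$1" && mode_is_private "$1"
}
```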
If the host key has been legitimately changed, it can be removed from the ~/.ssh/known_hosts file and the new fingerprint added. If it has not been legitimately changed, this indicates a serious problem that should be investigated immediately. You have the option to apply SSH tunneling when two Black Box console servers are configured for serial bridging.
[Figure 16-6. Keys: Client #1 holds id_dsa and id_dsa.pub, Client #2 holds id_rsa and id_rsa.pub, and the Server holds the authorized keys.]

To generate the keys using OpenBSD's OpenSSH suite, we use the ssh-keygen program:

$ ssh-keygen -t [rsa|dsa]
Generating public/private [rsa|dsa] key pair.
Enter file in which to save the key (/home/user/.ssh/id_[rsa|dsa]):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_[rsa|dsa].
Each client will then need its own set of keys uploaded through the same page. Take care to ensure that the correct type of keys (DSA or RSA) go in the correct spots, and that the public and private keys are in the correct spot.

SDT Connector can authenticate against a console server using your SSH key pair, rather than requiring you to enter your password (i.e. public key authentication).
To create a 1024 bit RSA key and a self-signed certificate, issue the following openssl command from the host you have openssl installed on:

openssl req -x509 -nodes -days 1000 \
  -newkey rsa:1024 -keyout ssl_key.pem -out ssl_cert.pem

You will be prompted to enter a lot of information. Most of it doesn’t matter, but the "Common Name" should be the domain name of your computer (for example, test.Black Box.com).
Options

-1, --on       Power ON targets.
-0, --off      Power OFF targets.
-c, --cycle    Power cycle targets.
-r, --reset    Assert hardware reset for targets (if implemented by RPC).
-f, --flash    Turn beacon ON for targets (if implemented by RPC).
-u, --unflash  Turn beacon OFF for targets (if implemented by RPC).
-l, --list     List available targets. If possible, output will be compressed into a host range (see TARGET SPECIFICATION below).
-q, --query    Query plug status of targets.
status
This action retrieves the current status of the device or outlet.

Examples:

To turn outlet 4 of the power device connected to serial port 2 on:

# pmpower -l port02 -o 4 on

To turn off an IPMI device located at IP address 192.168.1.100 (where the username is 'root' and the password is 'calvin'):

# pmpower -r 192.168.1.100 -u root -p calvin off

Default system Power Device actions are specified in /etc/powerstrips.xml.
The console server includes the ipmitool utility for managing and configuring devices that support the Intelligent Platform Management Interface (IPMI) version 1.5 and version 2.0 specifications. IPMI is an open standard for monitoring, logging, recovery, inventory, and control of hardware that is implemented independent of the main CPU, BIOS, and OS.
-p  Remote server UDP port to connect to. Default is 623.
-P  Remote server password is specified on the command line. If supported, it will be obscured in the process list. Note! Specifying the password as a command line option is not recommended.
-t  Bridge IPMI requests to the remote target address.
-U  Remote server username, default is NULL user.
-v  Increase verbose output level.
exec  Run list of commands from file
set   Set runtime variable for shell and exec

ipmitool chassis help
Chassis Commands: status, power, identify, policy, restart_cause, poh, bootdev

ipmitool chassis power help
chassis power Commands: status, on, off, cycle, reset, diag, soft

You will find more details on ipmitool at

As detailed in this manual, customers can copy scripts, binaries, and
Appendix A. Linux Commands and Source Code

The console server platform is a dedicated Linux computer, optimized to provide monitoring and secure access to serial and network consoles of critical server systems and their supporting power and networking infrastructure. Black Box console servers are built on the 2.4 uCLinux kernel as developed by the uCLinux project. This is GPL code and source can be found at .
ip6tables         Administration tool for IPv6 packet filtering
iptables-restore  Restore IP Tables
iptables-save     Save IP Tables
kill *            Send a signal to a process to end gracefully
ln *              Make links between files
login             Begin session on the system
loopback          Black Box loopback diagnostic command
loopback1         Black Box loopback diagnostic command
loopback2         Black Box loopback diagnostic command
loopback8         Black Box loopback diagnostic command
loopback16        Black Box loopback diagnostic command
sleep *     Delay for a specified amount of time
smbmnt      Helper utility for mounting SMB file systems
smbmount    Mount an SMBFS file system
smbumount   SMBFS umount for normal users
snmpd       SNMP daemon
snmptrap    Sends an SNMP notification to a manager
sredird     RFC 2217 compliant serial port redirector
ssh         OpenSSH SSH client (remote login program)
ssh-keygen  Authentication key generation, management, and conversion
sshd        OpenSSH SSH daemon
sslwrap     Program that allows plain servic
There are also a number of other CLI commands related to other open source tools embedded in the console server, including:

PowerMan provides power management for many preconfigured remote power controller (RPC) devices. For CLI details refer

Network UPS Tools (NUT) provides reliable monitoring of UPS and PDU hardware and ensures safe shutdowns of the systems which are connected, with a goal to monitor every kind of UPS and PDU.